0G/40G Top-of-Rack Switches AS5700-54X AS6700-32X Software Release v1.1.166.154 CLI Reference Guide www.edge-core.
CLI Reference Guide AS5700-54X 54-Port 10G Ethernet Switch with 48 10GBASE SFP+ Ports, 6 40GBASE QSFP Ports, 2 Power Supply Units, and 4 Fan Trays (4 Fans – F2B and B2F Airflow) AS6700-32X 32-Port 40G Data Center Switch with 20 40G QSFP+ Ports, 2 40G Expansion Slots, 2 Power Supply Units, and 5 Fan Trays (5 Fans – F2B or B2F Airflow) E032016/ST-R02 149100000198A
How to Use This Guide

This guide includes detailed information on the switch software, including how to operate and use the management functions of the switch. To deploy this switch effectively and ensure trouble-free operation, you should first read the relevant sections in this guide so that you are familiar with all of its software features.

Who Should Read This Guide?

This guide is for network administrators who are responsible for operating and maintaining network equipment.

For all safety information and regulatory statements, see the following documents:
Quick Start Guide
Safety and Regulatory Information

Conventions

The following conventions are used throughout this guide to show information:

Note: Emphasizes important information or calls your attention to related features or instructions.

Caution: Alerts you to a potential hazard that could cause loss of data, or damage the system or equipment.
Section I
Getting Started

This section provides an overview of the switch, and introduces some basic concepts about network switches. It also describes the basic settings required to access the management interface.
1 Initial Switch Configuration

This chapter includes information on connecting to the switch and basic configuration procedures.

Connecting to the Switch

The switch includes a built-in network management agent. The agent offers a variety of management options, including SNMP, RMON and a web-based interface. A PC may also be connected directly to the switch for configuration and monitoring via a command line interface (CLI).

Note: An IPv4 address for this switch is obtained via DHCP by default.
◆ Control port access through IEEE 802.1X security or static address filtering
◆ Filter packets using Access Control Lists (ACLs)
◆ Configure up to 4094 IEEE 802.
4. Power on the switch. After the system completes the boot cycle, the logon screen appears.

Selecting Legacy or Hybrid Operation Mode

The switch supports two operating modes:
◆ Legacy Mode – Basic feature set, accessible via CLI, web interface, or SNMP.
◆ Hybrid Mode – Provides OpenFlow agent and OF-Data Plane Abstraction flow tables, switch configuration from OpenFlow controller, and partial legacy feature set.
Setting Passwords

If this is your first time logging into the CLI program, you should define new passwords for both default user names using the “username” command, record them and put them in a safe place. Passwords can consist of up to 32 alphanumeric characters and are case sensitive. To prevent unauthorized access to the switch, set the passwords as follows:

1.
An IPv4 address for the primary network interface is obtained via DHCP by default. To manually configure this address or enable dynamic address assignment via DHCP, see “Setting an IP Address” on page 62.

After configuring the switch’s IP parameters, you can access the onboard configuration program from anywhere within the attached network.
Current Status:
  Link Status           : Down
  Link Down Reason      : Invalid License or Trial License
  Operation Speed-duplex : 10G full
  Flow Control Type     : None
  Max Frame Size        : 1522 bytes (1522 bytes for tagged frames)
  MAC Learning Status   : Enabled

To order a license, you must provide the following information to your distributor:
◆ Switch model number (AOS5700-54X or AOS6700-32X)
◆ System MAC address.
Flash programming started.
Flash programming completed.
Success.

To display information on the installed file, enter the “show license file” command.

Console#show license file
aos-license/1.

Configuring the Switch for Remote Management
Setting an IP Address

You must establish IP address information for the switch to obtain management access through the network. This can be done in either of the following ways:

◆ Manual — You have to input the information, including IP address and subnet mask. If your management station is not in the same IP subnet as the switch, you will also need to specify the default gateway router.
4. To set the IP address of the default gateway for the network to which the switch belongs, type “ip default-gateway gateway,” where “gateway” is the IP address of the default gateway. Press <Enter>.

Console(config)#interface vlan 1
Console(config-if)#ip address 192.168.1.5 255.255.255.0
Console(config-if)#exit
Console(config)#ip default-gateway 192.168.1.
  ff02::1:ff11:6700
  ff02::1:2
  ff02::1
IPv6 link MTU is 1500 bytes
ND DAD is enabled, number of DAD attempts: 1.
Console#show ipv6 interface
VLAN 1 is up
IPv6 is enabled.
Link-local address:
  fe80::260:3eff:fe11:6700%1/64
Global unicast address(es):
  2001:db8:2222:7272::/64, subnet is 2001:db8:2222:7272::/64
Joined group address(es):
  ff02::2
  ff02::1:ff00:0
  ff02::1:ff11:6700
  ff02::1:2
  ff02::1
IPv6 link MTU is 1500 bytes
ND DAD is enabled, number of DAD attempts: 1.
3. Type “end” to return to the Privileged Exec mode. Press <Enter>.

4. Wait a few minutes, and then check the IP configuration settings by typing the “show ip interface” command. Press <Enter>.

5. Then save your configuration changes by typing “copy running-config startup-config.” Enter the startup file name and press <Enter>.
ND advertised retransmit interval is 0 milliseconds
ND reachable time is 30000 milliseconds
ND advertised reachable time is 0 milliseconds
ND advertised router lifetime is 1800 seconds
Console#

Enabling SNMP Management Access

The switch can be configured to accept management commands from Simple Network Management Protocol (SNMP) applications such as Edge-Core ECView Pro.
To configure a community string, complete the following steps:

1. From the Privileged Exec level global configuration mode prompt, type “snmp-server community string mode,” where “string” is the community access string and “mode” is rw (read/write) or ro (read only). Press <Enter>. (Note that the default mode is read only.)

2.
another view that includes the IEEE 802.1d bridge MIB. It assigns these respective read and read/write views to a group called “r&d” and specifies group authentication via MD5 or SHA. In the last step, it assigns a v3 user to this group, indicating that MD5 will be used for authentication, provides the password “greenpeace” for authentication, and the password “einstien” for encryption.

Managing System Files
Due to the size limit of the flash memory, the switch supports only two operation code files. However, you can have as many diagnostic code files and configuration files as available flash memory space allows. The switch has a total of 2 GB of flash memory for system files.

In the system flash memory, one file of each type must be set as the start-up file.
Saving or Restoring Configuration Settings

Configuration commands only modify the running configuration file and are not saved when the switch is rebooted. To save all your configuration changes in nonvolatile storage, you must copy the running configuration file to the start-up configuration file using the “copy” command.

New startup configuration files must have a name specified.
Console#copy tftp startup-config
TFTP server IP address: 192.168.0.4
Source configuration file name: startup-rd.cfg
Startup configuration file name [startup1.cfg]:
Success.

Configuring Automatic Installation of Operation Code and Configuration Settings
the upgrade file is stored as AOS5700-54X.BIX (or even Aos5700-54x.bix) on a case-sensitive server, then the switch (requesting AOS5700-54X.bix) will not be upgraded because the server does not recognize the requested file name and the stored file name as being equal.
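The file-name mismatch described above can be caught on the upgrade server before the switch ever requests the image. The following Python check is an added example, not part of the Edge-Core guide; the function name check_upgrade_file and the staging directory are assumptions, and the requested name AOS5700-54X.bix is the one given in the text.

```python
import os
import sys


def check_upgrade_file(directory, expected_name):
    """Classify how `expected_name` is stored in `directory`.

    Returns a (status, names) tuple:
      "exact"         - a file with exactly the requested name exists
      "case_mismatch" - only files whose names differ in letter case exist
      "missing"       - no file resembling the requested name exists
    """
    # Compare against the stored directory entries instead of calling
    # os.path.exists(): on a case-insensitive filesystem exists() would
    # report a match that a case-sensitive server would not honour.
    entries = [
        entry for entry in os.listdir(directory)
        if os.path.isfile(os.path.join(directory, entry))
    ]
    if expected_name in entries:
        return "exact", [expected_name]

    wanted = expected_name.casefold()
    near = sorted(entry for entry in entries if entry.casefold() == wanted)
    if near:
        return "case_mismatch", near
    return "missing", []


if __name__ == "__main__":
    # Usage: python check_upgrade.py <server directory> [requested file name]
    # The default file name is the one the text says the switch requests.
    if len(sys.argv) < 2:
        sys.exit("usage: check_upgrade.py <directory> [file name]")
    requested = sys.argv[2] if len(sys.argv) > 2 else "AOS5700-54X.bix"
    status, names = check_upgrade_file(sys.argv[1], requested)
    if status == "exact":
        print(f"OK: {requested} is stored under the requested name")
    elif status == "case_mismatch":
        print(f"MISMATCH: stored as {', '.join(names)}; "
              f"a case-sensitive server will not serve {requested}")
    else:
        print(f"MISSING: no file matching {requested}")
    sys.exit(0 if status == "exact" else 1)
```

A non-zero exit status lets the check run as a gate in whatever job publishes images to the upgrade directory.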
This shows how to specify a TFTP server where new code is stored.

Console(config)#upgrade opcode path tftp://192.168.0.1/sm24/
Console(config)#

This shows how to specify an FTP server where new code is stored.

Console(config)#upgrade opcode path ftp://admin:billy@192.168.0.1/sm24/
Console(config)#

2.
Specifying a DHCP Client Identifier

DHCP servers index their database of address bindings using the client’s Media Access Control (MAC) Address or a unique client identifier.
◆ If the switch fails to download the bootup configuration file based on information passed by the DHCP server, it will not send any further DHCP client requests.
◆ If the switch does not receive a DHCP response prior to completing the bootup process, it will continue to send a DHCP client request once a minute.
log-facility local7;
server-name "Server1";
Server-identifier 192.168.255.250;
#option 66, 67
option space dynamicProvision code width 1 length 1 hash size 2;
option dynamicProvision.tftp-server-name code 66 = text;
option dynamicProvision.bootfile-name code 67 = text;
subnet 192.168.255.0 netmask 255.255.255.0 {
    range 192.168.255.160 192.168.255.200;
    option routers 192.168.255.101;
    option tftp-server-name "192.168.255.

Setting the System Clock
Setting the Time Manually
To manually set the clock to 14:11:36, April 1st, 2013, enter this command.
Console#calendar set 14 11 36 1 April 2013
Console#
To set the time zone, enter a command similar to the following.
Console(config)#clock timezone Japan hours 8 after-UTC
Console(config)#
To set the time shift for summer time, enter a command similar to the following.
Configuring NTP
Requesting the time from an NTP server is the most secure method. You can enable NTP authentication to ensure that reliable updates are received from only authorized NTP servers. The authentication keys and their associated key number must be centrally managed and manually distributed to NTP servers and clients. The key numbers and key values must match on both the server and client.
Section II
Command Line Interface
This section provides a detailed description of the Command Line Interface, along with examples for all of the commands.
◆ “Class of Service Commands”
◆ “Quality of Service Commands”
◆ “Multicast Filtering Commands”
◆ “LLDP Commands”
◆ “CFM Commands”
◆ “DHCP Commands”
◆ “IP Interface Commands”
◆ “VRRP Commands”
◆ “IP Routing Commands”
◆ “Multicast Routing Commands”
2 Using the Command Line Interface
This chapter describes how to use the Command Line Interface (CLI).
Accessing the CLI
When accessing the management interface for the switch over a direct connection to the server’s console port, or via a Telnet or Secure Shell connection (SSH), the switch can be managed by entering command keywords and parameters at the prompt. Using the switch's command-line interface (CLI) is very similar to entering commands on a UNIX system.
portion. For example, the IP address assigned to this switch, 10.1.0.1, consists of a network portion (10.1.0) and a host portion (1).
Note: The IP address for this switch is obtained via DHCP by default.
To access the switch through a Telnet session, you must first set the IP address for the Master unit, and set the default gateway if you are managing the switch from a different IP subnet.
Entering Commands
This section describes how to enter CLI commands.
Keywords and Arguments
A CLI command is a series of keywords and arguments. Keywords identify a command, and arguments specify configuration parameters. For example, in the command “show interfaces status ethernet 1/5,” show interfaces and status are keywords, ethernet is an argument that specifies the interface type, and 1/5 specifies the unit/port.
Getting Help on Commands
You can display a brief description of the help system by entering the help command. You can also display command syntax by using the “?” character to list keywords or parameters.
Showing Commands
If you enter a “?” at the command prompt, the system will display the first level of keywords or command groups. You can also display a list of valid keywords for a specific command.
radius-server         RADIUS server information
reload                Shows the reload settings
rmon                  Remote Monitoring Protocol
route-map             Shows route-map
rspan                 Display status of the current RSPAN configuration
running-config        Information on the running configuration
sflow                 Shows the sflo
snmp
snmp-server
sntp
spanning-tree
ssh
startup-config
system
tacacs-server
tech-support
traffic-segmentation
udld
upgrade
users
version
vlan
vrrp
vxlan
watchdog
web-auth
Console#show
Negating the Effect of Commands
For many configuration commands you can enter the prefix keyword “no” to cancel the effect of a command or reset the configuration to the default value. For example, the logging command will log system messages to a host server. To disable logging, specify the no logging command. This guide describes the negation effect for all applicable commands.
commands are available in this mode. You can access all commands only from the Privileged Exec command mode (or administrator mode). To access Privileged Exec mode, open a new console session with the user name and password “admin.” The system will now display the “Console#” command prompt. You can also enter Privileged Exec mode from within Normal Exec mode, by entering the enable command, followed by the privileged level password “super.
◆ IGMP Profile - Sets a profile group and enters IGMP filter profile configuration mode.
◆ Interface Configuration - These commands modify the port configuration such as speed-duplex and negotiation.
◆ Line Configuration - These commands modify the console port and Telnet configuration, and include commands such as parity and databits.
Table 5: Configuration Command Modes (Continued)
Mode        Command                                              Prompt                      Page
MSTP        spanning-tree mst-configuration                      Console(config-mstp)        449
Policy Map  policy-map                                           Console(config-pmap)        531
Route Map   route-map                                            Console(config-route-map)   993
Router      router {bgp | ipv6 ospf | ospf | pim | pim6 | rip}   Console(config-router)      908 882 839 1022 1047 820
Time Range  time-range                                           Console(config-time-range)  178
VLAN                                                             Console(config-vlan)        472
For example, you can use the following commands to enter interface configuration mode, and then return to Privileged Exec mode:
Console(config)#interface ethernet 1/5
.
.
.
Console(config-if)#exit
Console(config)#
Command Line Processing
Commands are not case sensitive. You can abbreviate commands and parameters as long as they contain enough letters to differentiate them from any other currently available commands or parameters.
CLI Command Groups
The system commands can be broken down into the functional groups shown below.
Table 7: Command Group Index (Continued)
Command Group                  Description                                                                                                                Page
Quality of Service             Configures Differentiated Services                                                                                         527
Multicast Filtering            Configures IGMP multicast filtering, query, profile, and proxy parameters; specifies ports attached to a multicast router   581
Link Layer Discovery Protocol  Configures LLDP settings to enable information discovery about neighbor devices                                            653
Domain Name Service            Configures DNS services.
3 General Commands
The general commands are used to control the command access mode, configuration mode, and other basic functions.
Command Mode
Global Configuration
Example
Console(config)#prompt RD2
RD2(config)#
reload (Global Configuration)
This command restarts the system at a specified time, after a specified delay, or at a periodic interval. You can reboot the system immediately, or you can configure the switch to reset after a specified amount of time. Use the cancel option to remove a configured setting.
Command Mode
Global Configuration
Command Usage
◆ This command resets the entire system.
◆ Any combination of reload options may be specified. If the same option is respecified, the previous setting will be overwritten.
◆ When the system is restarted, it will always run the Power-On Self-Test. It will also retain all configuration information stored in non-volatile memory by the copy running-config startup-config command (See “copy” on page 129).
Example
Console>enable
Password: [privileged level password]
Console#
Related Commands
disable (100)
enable password (212)
quit
This command exits the configuration program.
Default Setting
None
Command Mode
Normal Exec, Privileged Exec
Command Usage
The quit and exit commands can both exit the configuration program.
Example
In this example, the show history command lists the contents of the command history buffer:
Console#show history
Execution command history:
 2 config
 1 show history
Configuration command history:
 4 interface vlan 1
 3 exit
 2 interface vlan 1
 1 end
Console#
The ! command repeats commands from the Execution command history buffer when you are in Normal Exec or Privileged Exec Mode, and commands from the Configuration command history buffer when you are in any of the config
disable
This command returns to Normal Exec mode from privileged mode. In normal access mode, you can only display basic information on the switch's configuration or Ethernet statistics. To gain access to all commands, you must use the privileged mode. See “Understanding Command Modes” on page 88.
Default Setting
None
Command Mode
Privileged Exec
Command Usage
The “>” character is appended to the end of the prompt to indicate that the system is in normal access mode.
show reload
This command displays the current reload settings, and the time at which the next scheduled reload will take place.
Command Mode
Privileged Exec
Example
Console#show reload
Reloading switch in time: 0 hours 29 minutes.
The switch will be rebooted at January 1 02:11:50 2001.
Remaining Time: 0 days, 0 hours, 29 minutes, 52 seconds.
Console#
end
This command returns to Privileged Exec mode.
Example
This example shows how to return to the Privileged Exec mode from the Global Configuration mode, and then quit the CLI session:
Console(config)#exit
Console#exit
Press ENTER to start session
User Access Verification
Username:
4 System Management Commands
The system management commands are used to control system logs, passwords, user names, management options, and display or configure a variety of other system information.
hostname
This command specifies or modifies the host name for this device. Use the no form to restore the default host name.
Syntax
hostname name
no hostname
name - The name of this host. (Maximum length: 255 characters)
Default Setting
None
Command Mode
Global Configuration
Command Usage
◆ The host name specified by this command is displayed by the show system command and on the Show > System web page.
Table 11: Banner Commands (Continued)
Command                              Function                                                                     Mode
banner configure department          Configures the Department information that is displayed by banner           GC
banner configure equipment-info      Configures the Equipment information that is displayed by banner            GC
banner configure equipment-location  Configures the Equipment Location information that is displayed by banner
banner configure ip-lan              Configures the IP and LAN information that is displ
Example
Console(config)#banner configure
Company: Edgecore Networks
Responsible department: R&D Dept
Name and telephone to Contact the management people
Manager1 name: Sr. Network Admin
 phone number: 123-555-1212
Manager2 name: Jr. Network Admin
 phone number: 123-555-1213
Manager3 name: Night-shift Net Admin / Janitor
 phone number: 123-555-1214
The physical location of the equipment.
City and street address: 12 Straight St.
Example
Console(config)#banner configure company Big-Ben
Console(config)#
banner configure dc-power-info
This command is used to configure DC power information displayed in the banner. Use the no form to restore the default setting.
Syntax
banner configure dc-power-info floor floor-id row row-id rack rack-id electrical-circuit ec-id
no banner configure dc-power-info [floor | row | rack | electrical-circuit]
floor-id - The floor number.
banner configure department
This command is used to configure the department information displayed in the banner. Use the no form to restore the default setting.
Syntax
banner configure department dept-name
no banner configure department
dept-name - The name of the department. (Maximum length: 32 characters)
Default Setting
None
Command Mode
Global Configuration
Command Usage
Input strings cannot contain spaces.
Default Setting
None
Command Mode
Global Configuration
Command Usage
Input strings cannot contain spaces. The banner configure equipment-info command interprets spaces as data input boundaries. The use of underscores ( _ ) or other unobtrusive non-letter characters is suggested for situations where white space is necessary for clarity.
banner configure ip-lan
This command is used to configure the device IP address and subnet mask information displayed in the banner. Use the no form to restore the default setting.
Syntax
banner configure ip-lan ip-mask
no banner configure ip-lan
ip-mask - The IP address and subnet mask of the device. (Maximum length: 32 characters)
Default Setting
None
Command Mode
Global Configuration
Command Usage
Input strings cannot contain spaces.
Example
Console(config)#banner configure lp-number 12
Console(config)#
banner configure manager-info
This command is used to configure the manager contact information displayed in the banner. Use the no form to restore the default setting.
banner configure mux
This command is used to configure the mux information displayed in the banner. Use the no form to restore the default setting.
Syntax
banner configure mux muxinfo
no banner configure mux
muxinfo - The circuit and PVC to which the switch is connected. (Maximum length: 32 characters)
Default Setting
None
Command Mode
Global Configuration
Command Usage
Input strings cannot contain spaces.
unobtrusive non-letter characters is suggested for situations where white space is necessary for clarity.
Example
Console(config)#banner configure note !!!!!ROUTINE_MAINTENANCE_firmwareupgrade_0100-0500_GMT-0500_20071022!!!!!_20min_network_impact_expected
Console(config)#
show banner
This command displays all banner information.
Table 12: System Status Commands (Continued)
Command                   Function                                                                        Mode
show license file         Shows information on the installed license file required for the network ports  PE
show location-led status  Shows if location LED function is enabled or not                                PE
show memory               Shows memory utilization parameters                                             NE, PE
show process cpu          Shows CPU utilization parameters                                                NE, PE
show running-config       Displays the configuration data currently in use                                PE
show startup-
show access-list tcam-utilization
This command shows utilization parameters for TCAM (Ternary Content Addressable Memory), including the number of policy control entries in use, the number of free entries, and the overall percentage of TCAM in use.
Table 13: show access-list tcam-utilization - display description (Continued)
Field  Description
Pool   Rule slice (or call group). Each slice has a fixed number of rules that are used for the specified features.
Total  The maximum number of policy control entries allocated to each pool.
Used   The number of policy control entries used by the operating system.
Free   The number of policy control entries available for use.
show location-led status
This command shows if location LED function is enabled or not.
Command Mode
Privileged Exec
Example
Console#show location-led status
Location Led Status:On
Console#
show memory
This command shows memory utilization parameters, and alarm thresholds.
CPU Utilization in the past 60 seconds
 Average Utilization : 8%
 Maximum Utilization : 9%
Alarm Status
 Current Alarm Status : Off
 Last Alarm Start Time : Jun 9 15:10:09 2011
 Last Alarm Duration Time : 10 seconds
Alarm Configuration
 Rising Threshold : 90%
 Falling Threshold : 70%
Console#
Related Commands
process cpu (202)
show running-config
This command displays the configuration information currently in use.
Example
Console#show running-config
Building startup configuration. Please wait...
show startup-config
This command displays the configuration file stored in non-volatile memory that is used to start up the system.
Command Mode
Privileged Exec
Command Usage
◆ Use this command in conjunction with the show running-config command to compare the information in running memory to the information stored in nonvolatile memory.
◆ This command displays settings for key command modes.
◆ There are two thermal detectors in the switch. The first detector is near the air flow intake vents. The second detector is near the switch ASIC and CPU.
Example
Console#show system
System Description : AOS5700-54X
System OID String : 1.3.6.1.4.1.259.12.1.
Table 14: show system – display description (Continued)
Parameter               Description
Jumbo Frame             Shows if jumbo frames are enabled or disabled.
System Fan              Shows if forced full-speed mode is enabled.
System Temperature      Temperature at specified thermal detection point.
Main Power Status       Displays the status of the internal power supply.
Redundant Power Status  Displays the status of the redundant power supply.
show users
Shows all active console and Telnet sessions, including user name, idle time, and IP address of Telnet client.
Default Setting
None
Command Mode
Normal Exec, Privileged Exec
Command Usage
The session used to execute this command is indicated by a “*” symbol next to the Line (i.e., session) index number.
Operation Code Version : 1.0.102.152
Console#
Table 15: show version – display description
Parameter          Description
Serial Number      The serial number of the switch.
Hardware Version   Hardware version of the main board.
EPLD Version       Version number of Erasable Programmable Logic Device.
Number of Ports    Number of built-in ports.
Main Power Status  Displays the status of the internal power supply.
Example
Console#watchdog
Console#
Fan Control
This section describes the command used to force fan speed.
Table 16: Fan Control Commands
Command               Function                            Mode
fan-speed force-full  Forces fans to full speed           GC
show system           Shows if full fan speed is enabled  NE, PE
fan-speed force-full
This command sets all fans to full speed. Use the no form to reset the fans to normal operating speed.
jumbo frame
This command enables support for layer 2 jumbo frames for Gigabit and 10 Gigabit Ethernet ports. Use the no form to disable it.
Syntax
[no] jumbo frame
Default Setting
Disabled
Command Mode
Global Configuration
Command Usage
◆ This switch provides more efficient throughput for large sequential data transfers by supporting Layer 2 jumbo frames on Gigabit and 10 Gigabit Ethernet ports or trunks of up to 12288 bytes.
When downloading runtime code, the destination file name can be specified to replace the current image, or the file can be first downloaded using a different name from the current runtime code file, and then the new file set as the startup file.
Saving or Restoring Configuration Settings
Configuration settings can be uploaded and downloaded to and from an FTP/TFTP server. The configuration file can be later downloaded to restore switch settings.
General Commands
boot system
This command specifies the file or image used to start up the system.
Syntax
boot system {boot-rom | config | opcode}: filename
boot-rom* - Boot ROM.
config* - Configuration file.
opcode* - Run-time operation code.
filename - Name of configuration file or code image.
* The colon (:) is required.
Default Setting
None
Command Mode
Global Configuration
Command Usage
◆ A colon (:) is required after the specified file type.
copy
This command moves (upload/download) a code image or configuration file between the switch’s flash memory and an FTP/TFTP server or a USB memory stick. When you save the system code or configuration settings to a file on an FTP/TFTP server, that file can later be downloaded to the switch to restore system operation. The success of the file transfer depends on the accessibility of the FTP/TFTP server and the quality of the network connection.
◆ The switch supports only two operation code files, but the maximum number of user-defined configuration files is 16.
◆ You can use “Factory_Default_Config.cfg” as the source to copy from the factory default configuration file, but you cannot use it as the destination.
◆ To replace the startup configuration, you must use startup-config as the destination.
◆ The Boot ROM and Loader cannot be uploaded or downloaded from the FTP/TFTP server.
The following example shows how to copy the running configuration to a startup file.
Console#copy running-config file
Destination configuration file name: startup
Flash programming started.
Flash programming completed.
Success.
Console#
The following example shows how to download a configuration file:
Console#copy tftp startup-config
TFTP server ip address: 10.1.0.99
Source configuration file name: startup.
This example shows how to copy a file to an FTP server.
Console#copy ftp file
FTP server IP address: 169.254.1.11
User[anonymous]: admin
Password[]: *****
Choose file type:
 1. config; 2. opcode; 3. license: 2
Source file name: BLANC.BIX
Destination file name: BLANC.BIX
Console#
delete
This command deletes a file or image.
Syntax
delete file name filename
file name - System file in switch memory.
filename - Name of configuration file or code image.
dir
This command displays a list of files in flash memory.
Syntax
dir {boot-rom: | config: | opcode: | usbdisk:} [filename]
boot-rom - Boot ROM (or diagnostic) image file.
config - Switch configuration file.
opcode - Run-time operation code image file.
usbdisk - System file on a USB memory stick or disk.
filename - Name of configuration file or code image. If this file exists but contains errors, information on this file cannot be shown.
onie
This command configures the switch to install, rescue or update runtime code under the open network installation environment (ONIE).
Syntax
onie {install | rescue | upgrade}
install - Installs a new operating system. This option will reboot the switch and the ONIE install process will run again.
rescue - Boots into the ONIE environment for troubleshooting.
Hash value: 185b962f
Verifying Hash Integrity ... crc32+ OK
....
pci 0000:00:00.0: ignoring class b20 (doesn't match header type 01)
Info: Mounting kernel filesystems... done.
Info: Using eth0 MAC address: 00:11:22:33:44:55
Info: eth0: Checking link... scsi 0:0:0:0: Direct-Access USB DISK 2.0 PMAP PQ: 0 ANSI: 0 CCS
sd 0:0:0:0: [sda] 3911680 512-byte logical blocks: (2.00 GB/1.
EXT3-fs (sda1): warning: checktime reached, running e2fsck is recommended
filemapping file write OK!!
FS_GenFilemappingFile OK
Updating U-Boot environment variables
ONIE:/ # umount: can't remount rootfs read-only
The system is going down NOW!
Sent SIGTERM to all processes
Sent SIGKILL toRestarting system.
umount usbdisk
This command prepares the USB memory device to be safely removed from the switch.
Example
This example shows the information displayed by the whichboot command. See the table under the dir command for a description of the file information displayed by this command.
Console#whichboot
File Name
-----------------------------
Unit 1:
AOS5700-54X_V1.0.102.152.swi
startup1.
◆ Any changes made to the default setting can be displayed with the show running-config or show startup-config commands.
Example
Console(config)#upgrade opcode auto
Console(config)#upgrade opcode path tftp://192.168.0.1/sm24/
Console(config)#
If a new image is found at the specified location, the following type of messages will be displayed during bootup.
.
.
.
Automatic Upgrade is looking for a new image
New image detected: current version 1.1.1.
◆ When specifying a TFTP server, the following syntax must be used, where filedir indicates the path to the directory containing the new image:
tftp://192.168.0.1[/filedir]/
◆ When specifying an FTP server, the following syntax must be used, where filedir indicates the path to the directory containing the new image:
ftp://[username[:password@]]192.168.0.1[/filedir]/
If the user name is omitted, “anonymous” will be used for the connection.
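The following check is an added example, not part of this guide or of the switch software. It reads upgrade opcode path lines from a saved configuration, reports paths that depart from the syntax above or that carry an FTP password (which then also appears in show running-config output), and applies the file-name case rule described in Chapter 1. The function names and finding labels are the example's own, and the sample configuration and file listing are constructed.

```python
"""Audit 'upgrade opcode path' lines from a saved switch configuration."""
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed sample: the first three lines mirror the guide's examples,
# the last one is made up to show a path that lacks the trailing "/".
SAMPLE_CONFIG = """\
upgrade opcode auto
upgrade opcode path tftp://192.168.0.1/sm24/
upgrade opcode path ftp://admin:billy@192.168.0.1/sm24/
upgrade opcode path ftp://192.168.0.1/sm24
"""

PATH_RE = re.compile(r"^\s*upgrade\s+opcode\s+path\s+(\S+)\s*$",
                     re.IGNORECASE | re.MULTILINE)


def redact(url):
    """Return the URL with any embedded password replaced by '***'."""
    parts = urlsplit(url)
    if parts.password is None:
        return url
    host = parts.hostname or ""
    if ":" in host:                      # IPv6 literal needs its brackets back
        host = f"[{host}]"
    if parts.port is not None:
        host = f"{host}:{parts.port}"
    netloc = f"{parts.username}:***@{host}"
    return urlunsplit((parts.scheme, netloc, parts.path, "", ""))


def audit_upgrade_path(url):
    """Return finding labels (names chosen for this example) for one URL."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ("tftp", "ftp"):
        return ["unsupported-scheme"]
    findings = []
    # Both syntaxes in the guide end with "/" after the optional directory.
    if not parts.path.endswith("/"):
        findings.append("missing-trailing-slash")
    if scheme == "tftp":
        # TFTP has no login step, so the image source is unauthenticated.
        findings.append("tftp-no-authentication")
    else:
        # FTP sends the user name and password unencrypted.
        findings.append("ftp-cleartext-login")
        if not parts.username:
            findings.append("ftp-anonymous")
        if parts.password is not None:
            findings.append("password-stored-in-config")
    return findings


def audit_config(text):
    """Return (redacted URL, findings) for every path line, in file order."""
    return [(redact(url), audit_upgrade_path(url))
            for url in PATH_RE.findall(text)]


def case_mismatches(requested, server_files):
    """Files that differ from the requested name only by letter case.

    An empty list means either an exact match exists or nothing is close.
    """
    if requested in server_files:
        return []
    return [name for name in server_files
            if name.lower() == requested.lower()]


if __name__ == "__main__":
    for url, findings in audit_config(SAMPLE_CONFIG):
        print(url, findings)
    # Constructed directory listing for a case-sensitive server.
    print(case_mismatches("AOS5700-54X.bix", ["AOS5700-54X.BIX", "startup1.cfg"]))
```

The redaction step keeps the password out of any report the check produces.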
show upgrade
This command shows the opcode upgrade configuration settings.
Command Mode
Privileged Exec
Example
Console#show upgrade
Auto Image Upgrade Global Settings:
 Status : Disabled
 Reload Status : Disabled
 Path :
 File Name : aos5700-54x.
ip tftp timeout
This command specifies the time the switch can wait for a response from a TFTP server before retransmitting a request or timing out for the last retry. Use the no form to restore the default setting.
Syntax
ip tftp timeout seconds
no ip tftp timeout
seconds - The time the switch can wait for a response from a TFTP server before retransmitting a request or timing out.
Line
You can access the onboard configuration program by attaching a VT100 compatible device to the server’s serial port. These commands are used to set communication parameters for the serial port or Telnet (i.e., a virtual terminal).
Command Mode
Global Configuration
Command Usage
Telnet is considered a virtual terminal connection and will be shown as “VTY” in screen displays such as show users. However, the serial communication parameters (e.g., databits) do not affect Telnet connections.
Related Commands
parity (145)
exec-timeout
This command sets the interval that the system waits until user input is detected. Use the no form to restore the default.
Syntax
exec-timeout [seconds]
no exec-timeout
seconds - Integer that specifies the timeout interval.
Default Setting
login local
Command Mode
Line Configuration
Command Usage
◆ There are three authentication modes provided by the switch itself at login:
  ■ login selects authentication by a single global password as specified by the password line configuration command. When using this method, the management interface starts in Normal Exec (NE) mode.
  ■ login local selects authentication via the user name and password specified by the username command (i.e.
Default Setting
No parity
Command Mode
Line Configuration
Command Usage
Communication protocols provided by devices such as terminals and modems often require a specific parity bit setting.
Example
To specify no parity, enter this command:
Console(config-line)#parity none
Console(config-line)#
password
This command specifies the password for a line. Use the no form to remove the password.
Example
Console(config-line)#password 0 secret
Console(config-line)#
Related Commands
login (144)
password-thresh (147)
password-thresh
This command sets the password intrusion threshold which limits the number of failed logon attempts. Use the no form to remove the threshold value.
Syntax
password-thresh [threshold]
no password-thresh
threshold - The number of allowed password attempts.
silent-time
This command sets the amount of time the management console is inaccessible after the number of unsuccessful logon attempts exceeds the threshold set by the password-thresh command. Use the no form to remove the silent time value.
Syntax
silent-time [seconds]
no silent-time
seconds - The number of seconds to disable console response.
Command Usage
Set the speed to match the baud rate of the device connected to the serial port. Some baud rates available on devices connected to the port might not be supported. The system indicates if the speed you selected is not supported.
Example
To specify 57600 bps, enter this command:
Console(config-line)#speed 57600
Console(config-line)#
stopbits
This command sets the number of the stop bits transmitted per byte.
Default Setting
300 seconds
Command Mode
Line Configuration
Command Usage
◆ If a login attempt is not detected within the timeout interval, the connection is terminated for the session.
◆ This command applies to both the local console and Telnet connections.
◆ The timeout for Telnet cannot be disabled.
◆ Using the command without specifying a timeout restores the default setting.
terminal
This command configures terminal settings, including escape-character, lines displayed, terminal type, width, and command history. Use the no form with the appropriate keyword to restore the default setting.
Syntax
terminal {escape-character {ASCII-number | character} | history [size size] | length length | terminal-type {ansi-bbs | vt-100 | vt-102} | width width}
escape-character - The keyboard character used to escape from current line input.
show line
This command displays the terminal line’s parameters.
Syntax
show line [console | vty]
console - Console terminal line.
vty - Virtual terminal for remote console access (i.e., Telnet).
Event Logging
This section describes commands used to configure event logging on the switch.
logging history
This command limits syslog messages saved to switch memory based on severity. The no form returns the logging of syslog messages to the default level.
Syntax
logging history {flash | ram} level
no logging history {flash | ram}
flash - Event history stored in flash memory (i.e., permanent memory).
ram - Event history stored in temporary RAM (i.e., memory flushed on power reset).
level - One of the levels listed below.
logging host
This command adds a syslog server host IP address that will receive logging messages. Use the no form to remove a syslog server host.
Syntax
logging host host-ip-address [port udp-port]
no logging host host-ip-address
host-ip-address - The IPv4 or IPv6 address of a syslog server.
udp-port - The UDP port number used by the remote server.
Example
Console(config)#logging on
Console(config)#
Related Commands
logging history (154)
logging trap (156)
clear log (157)

logging trap
This command enables the logging of system messages to a remote server, or limits the syslog messages saved to a remote server based on severity. Use this command without a specified level to enable remote logging. Use the no form to disable remote logging.

clear log
This command clears messages from the log buffer.
Syntax
clear log [flash | ram]
flash - Event history stored in flash memory (i.e., permanent memory).
ram - Event history stored in temporary RAM (i.e., memory flushed on power reset).
Default Setting
Flash and RAM
Command Mode
Privileged Exec
Example
Console#clear log
Console#
Related Commands
show log (157)

show log
This command displays the log messages stored in local memory.
Example
The following example shows the event message stored in RAM.
Console#show log ram
[1] 00:01:30 2001-01-01
"VLAN 1 link-up notification."
level: 6, module: 5, function: 1, and event no.: 1
[0] 00:01:30 2001-01-01
"Unit 1, Port 1 link-up notification."
level: 6, module: 5, function: 1, and event no.
Table 23: show logging flash/ram - display description
Field | Description
Syslog logging | Shows if system logging has been enabled via the logging on command.
History logging in FLASH | The message level(s) reported based on the logging history command.
History logging in RAM | The message level(s) reported based on the logging history command.

The following example displays settings for the trap function.

Table 25: Event Logging Commands (Continued)
Command | Function | Mode
logging sendmail sourceemail | Email address used for “From” field of alert messages | GC
show logging sendmail | Displays SMTP event handler settings | NE, PE

logging sendmail
This command enables SMTP event handling. Use the no form to disable this function.
Chapter 4 | System Management Commands SMTP Alerts ◆ To open a connection, the switch first selects the server that successfully sent mail during the last connection, or the first server configured by this command. If it fails to send mail, the switch selects the next server in the list and tries to send mail again. If it still fails, the system will repeat the process at a periodic interval. (A trap will be triggered if the switch cannot successfully open a connection.
logging sendmail destination-email
This command specifies the email recipients of alert messages. Use the no form to remove a recipient.
Syntax
[no] logging sendmail destination-email email-address
email-address - The source email address used in alert messages. (Range: 1-41 characters)
Default Setting
None
Command Mode
Global Configuration
Command Usage
You can specify up to five recipients for alert messages.

Example
Console(config)#logging sendmail source-email bill@this-company.com
Console(config)#

show logging sendmail
This command displays the settings for the SMTP event handler.
Command Mode
Normal Exec, Privileged Exec
Example
Console#show logging sendmail
SMTP servers
-----------------------------------------------
192.168.1.19
SMTP Minimum Severity Level: 7
SMTP Destination E-mail Addresses
-----------------------------------------------
ted@this-company.
Table 26: Time Commands (Continued)
Command | Function | Mode
ntp client | Enables the NTP client for time updates from specified servers | GC
ntp server | Specifies NTP servers to poll for time updates | GC
show ntp | Shows current NTP configuration settings | NE, PE
Manual Configuration Commands
clock summer-time date | Configures summer time* for the switch’s internal clock | GC
clock summer-time predefined | Configures summer time for the switch’s internal clock | G

Example
Console(config)#sntp server 10.1.0.19
Console(config)#sntp poll 60
Console(config)#sntp client
Console(config)#end
Console#show sntp
Current Time : Mar 12 02:33:00 2013
Poll Interval : 60 seconds
Current Mode : Unicast
SNTP Status : Enabled
SNTP Server : 10.1.0.19
Current Server : 137.92.140.
sntp server
This command sets the IP address of the servers to which SNTP time requests are issued. Use this command with no arguments to clear all time servers from the current list. Use the no form to clear all time servers from the current list, or to clear a specific server.
Syntax
sntp server [ip1 [ip2 [ip3]]]
no sntp server [ip1 [ip2 [ip3]]]
ip - IPv4/v6 address of a time server (NTP or SNTP).
Example
Console#show sntp
Current Time : Nov 5 18:51:22 2006
Poll Interval : 16 seconds
Current Mode : Unicast
SNTP Status : Enabled
SNTP Server : 137.92.140.80
Current Server : 137.92.140.80
Console#

NTP Commands

ntp authenticate
This command enables authentication for NTP client-server communications. Use the no form to disable authentication.

ntp authentication-key
This command configures authentication keys and key numbers to use when NTP authentication is enabled. Use the no form of the command to clear a specific authentication key or all keys from the current list.
Syntax
ntp authentication-key number md5 key
no ntp authentication-key [number]
number - The NTP authentication key ID number. (Range: 1-65535)
md5 - Specifies that authentication is provided by using the message digest algorithm 5.
ntp client
This command enables NTP client requests for time synchronization from NTP time servers specified with the ntp server command. Use the no form to disable NTP client requests.
Syntax
[no] ntp client
Default Setting
Disabled
Command Mode
Global Configuration
Command Usage
◆ The SNTP and NTP clients cannot be enabled at the same time. First disable the SNTP client before using this command.

Default Setting
Version number: 3
Command Mode
Global Configuration
Command Usage
◆ This command specifies time servers that the switch will poll for time updates when set to NTP client mode. It issues time synchronization requests based on the interval set with the ntp poll command. The client will poll all the time servers configured; the responses received are filtered and compared to determine the most reliable and accurate time update for the switch.
NTP Status : Enabled
NTP Authenticate Status : Enabled
Last Update NTP Server : 192.168.0.88 Port: 123
Last Update Time : Mar 12 02:41:01 2013 UTC
NTP Server 192.168.0.88 version 3
NTP Server 192.168.3.21 version 3
NTP Server 192.168.4.
Chapter 4 | System Management Commands Time Command Mode Global Configuration Command Usage ◆ In some countries or regions, clocks are adjusted through the summer months so that afternoons have more daylight and mornings have less. This is known as Summer Time, or Daylight Savings Time (DST). Typically, clocks are adjusted forward one hour at the start of spring and then adjusted backward in autumn. ◆ This command sets the summer-time zone relative to the currently configured time zone.
Chapter 4 | System Management Commands Time Summer Time, or Daylight Savings Time (DST). Typically, clocks are adjusted forward one hour at the start of spring and then adjusted backward in autumn. ◆ This command sets the summer-time relative to the configured time zone.
Chapter 4 | System Management Commands Time b-month - The month when summer time will begin. (Options: january | february | march | april | may | june | july | august | september | october | november | december) b-hour - The hour when summer time will begin. (Range: 0-23 hours) b-minute - The minute when summer time will begin. (Range: 0-59 minutes) e-week - The week of the month when summer time will end. (Range: 1-5) e-day - The day of the week summer time will end.
Chapter 4 | System Management Commands Time clock timezone This command sets the time zone for the switch’s internal clock. Syntax clock timezone name hour hours minute minutes {before-utc | after-utc} name - Name of timezone, usually an acronym. (Range: 1-30 characters) hours - Number of hours before/after UTC. (Range: 0-12 hours before UTC, 0-13 hours after UTC) minutes - Number of minutes before/after UTC. (Range: 0-59 minutes) before-utc - Sets the local time zone before (east) of UTC.
Chapter 4 | System Management Commands Time city - Select the city associated with the chosen GMT offset. After the offset has been entered, use the tab-complete function to display the available city options.
Command Usage
Note that when SNTP is enabled, the system clock cannot be manually configured.
Example
This example shows how to set the system clock to 15:12:34, February 1st, 2011.
Console#calendar set 15 12 34 1 February 2011
Console#

show calendar
This command displays the system clock.
Chapter 4 | System Management Commands Time Range time-range This command specifies the name of a time range, and enters time range configuration mode. Use the no form to remove a previously specified time range. Syntax [no] time-range name name - Name of the time range. (Range: 1-32 characters) Default Setting None Command Mode Global Configuration Command Usage This command sets a time range for use by other functions, such as Access Control Lists.
Chapter 4 | System Management Commands Time Range Default Setting None Command Mode Time Range Configuration Command Usage ◆ If a time range is already configured, you must use the no form of this command to remove the current entry prior to configuring a new time range. ◆ If both an absolute rule and one or more periodic rules are configured for the same time range (i.e.
Chapter 4 | System Management Commands Time Range Default Setting None Command Mode Time Range Configuration Command Usage ◆ If a time range is already configured, you must use the no form of this command to remove the current entry prior to configuring a new time range. ◆ If both an absolute rule and one or more periodic rules are configured for the same time range (i.e.
5 SNMP Commands SNMP commands control access to this switch from management stations using the Simple Network Management Protocol (SNMP), as well as the error types sent to trap managers. SNMP Version 3 also provides security features that cover message integrity, authentication, and encryption; as well as controlling user access to specific areas of the MIB tree.
Chapter 5 | SNMP Commands General SNMP Commands
Table 29: SNMP Commands (Continued)
Command | Function | Mode
show snmp user | Shows the SNMP users | PE
show snmp view | Shows the SNMP views | PE
Notification Log Commands
nlm | Enables the specified notification log | GC
snmp-server notify-filter | Creates a notification log and specifies the target host | GC
show nlm oper-status | Shows operation status of configured notification logs | PE
show snmp notify-filter | Displays the configured notification logs | PE

Example
Console(config)#snmp-server
Console(config)#

snmp-server community
This command defines community access strings used to authorize management access by clients using SNMP v1 or v2c. Use the no form to remove the specified community string.
Syntax
snmp-server community string [ro | rw]
no snmp-server community string
string - Community string that acts like a password and permits access to the SNMP protocol.

snmp-server contact
This command sets the system contact string. Use the no form to remove the system contact information.
Syntax
snmp-server contact string
no snmp-server contact
string - String that describes the system contact information.
show snmp
This command can be used to check the status of SNMP communications.
Default Setting
None
Command Mode
Normal Exec, Privileged Exec
Command Usage
This command provides information on the community access strings, counter information for SNMP input and output protocol data units, and whether or not SNMP logging has been enabled with the snmp-server enable traps command.

SNMP Target Host Commands

snmp-server enable traps
This command enables this device to send Simple Network Management Protocol traps or informs (i.e., SNMP notifications). Use the no form to disable SNMP notifications.
Syntax
[no] snmp-server enable traps [authentication | ethernet cfm | mac-notification [interval seconds]]
authentication - Keyword to issue authentication failure notifications.
ethernet cfm - Connectivity Fault Management traps.

Related Commands
snmp-server host (187)

snmp-server host
This command specifies the recipient of a Simple Network Management Protocol notification operation. Use the no form to remove the specified host.
Syntax
snmp-server host host-addr [inform [retry retries | timeout seconds]] community-string [version {1 | 2c | 3 {auth | noauth | priv} [udp-port port]}
no snmp-server host host-addr
host-addr - IPv4 or IPv6 address of the host (targeted recipient).
Command Usage
◆ If you do not enter an snmp-server host command, no notifications are sent. In order to configure the switch to send SNMP notifications, you must enter at least one snmp-server host command. In order to enable multiple hosts, you must issue a separate snmp-server host command for each host.
◆ The snmp-server host command is used in conjunction with the snmp-server enable traps command.
◆ If you specify an SNMP Version 3 host, then the community string is interpreted as an SNMP user name. The user name must first be defined with the snmp-server user command. Otherwise, an SNMPv3 group will be automatically created by the snmp-server host command using the name of the specified community string, and default settings for the read, write, and notify view.
Example
Console(config)#snmp-server host 10.1.19.
show snmp-server enable port-traps
This command shows if SNMP traps are enabled or disabled for the specified interfaces.
Syntax
show snmp-server enable port-traps interface [interface]
interface
ethernet unit/port
unit - Unit identifier. (Range: Always 1)
port - Port number.
Command Usage
◆ An SNMP engine is an independent SNMP agent that resides either on this switch or on a remote device. This engine protects against message replay, delay, and redirection. The engine ID is also used in combination with user passwords to generate the security keys for authenticating and encrypting SNMPv3 packets.
◆ A remote engine ID is required when using SNMPv3 informs. (See the snmp-server host command.
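How an engine ID and a user password combine into a security key, as an added example that is not taken from this guide or the switch firmware: the password-to-key and key-localization steps of RFC 3414, Appendix A.2, in Python. The password `maplesyrup` and the first engine ID are the RFC's published sample values; the second engine ID is the remote engine ID shown in this guide's show snmp engine-id example.

```python
"""SNMPv3 USM key localization per RFC 3414, Appendix A.2 (added example)."""
import hashlib

EXPANDED_LENGTH = 1_048_576  # RFC 3414 hashes 1 MB of the repeated password

# Sample values: the first two are the RFC 3414 A.3 test inputs, the third is
# the remote engine ID printed in this guide's "show snmp engine-id" example.
RFC_PASSWORD = "maplesyrup"
RFC_ENGINE_ID = "000000000000000000000002"
GUIDE_REMOTE_ENGINE_ID = "80000000030004e2b316c54321"


def password_to_key(password: bytes, algorithm: str) -> bytes:
    """Return the intermediate user key Ku ('md5' or 'sha1')."""
    if algorithm not in ("md5", "sha1"):
        raise ValueError("RFC 3414 defines only the MD5 and SHA-1 variants")
    if not password:
        raise ValueError("password must not be empty")
    # The RFC cycles through the password until 1,048,576 octets are hashed.
    repeats, remainder = divmod(EXPANDED_LENGTH, len(password))
    stream = password * repeats + password[:remainder]
    return hashlib.new(algorithm, stream).digest()


def localize_key(user_key: bytes, engine_id: bytes, algorithm: str) -> bytes:
    """Bind Ku to one SNMP engine: Kul = H(Ku || snmpEngineID || Ku)."""
    if not 5 <= len(engine_id) <= 32:
        raise ValueError("snmpEngineID must be 5 to 32 octets")
    return hashlib.new(algorithm, user_key + engine_id + user_key).digest()


def localized_key(password: str, engine_id_hex: str, algorithm: str) -> bytes:
    """Password plus engine ID in, localized key out."""
    user_key = password_to_key(password.encode("utf-8"), algorithm)
    return localize_key(user_key, bytes.fromhex(engine_id_hex), algorithm)


if __name__ == "__main__":
    for engine_id in (RFC_ENGINE_ID, GUIDE_REMOTE_ENGINE_ID):
        for algorithm in ("md5", "sha1"):
            key = localized_key(RFC_PASSWORD, engine_id, algorithm)
            print(f"{engine_id:<28} {algorithm:<5} {key.hex()}")
```

The same password yields a different key for each engine ID, so a key stored for one engine does not authenticate against another, and a key computed under an old engine ID no longer matches after the engine ID changes.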
Chapter 5 | SNMP Commands SNMPv3 Commands auth | noauth | priv - This group uses SNMPv3 with authentication, no authentication, or with authentication and privacy. See “Simple Network Management Protocol” in the Web Management Guide for further information about these authentication and encryption options. readview - Defines the view for read access. (1-32 characters) writeview - Defines the view for write access. (1-32 characters) notifyview - Defines the view for notifications.
Chapter 5 | SNMP Commands SNMPv3 Commands snmp-server user This command adds a user to an SNMP group, restricting the user to a specific SNMP Read, Write, or Notify View. Use the no form to remove a user from an SNMP group.
Command Mode
Global Configuration
Command Usage
◆ Local users (i.e., the command does not specify a remote engine identifier) must be configured to authorize management access for SNMPv3 clients, or to identify the source of SNMPv3 trap messages sent from the local switch.
◆ Remote users (i.e., the command specifies a remote engine identifier) must be configured to identify the source of SNMPv3 inform messages sent from the local switch.
included - Defines an included view.
excluded - Defines an excluded view.
Default Setting
defaultview (includes access to the entire MIB tree)
Command Mode
Global Configuration
Command Usage
◆ Views are used in the snmp-server group command to restrict user access to specified portions of the MIB tree.
◆ The predefined view “defaultview” includes access to the entire MIB tree.
Examples
This view includes MIB-2.
Console(config)#snmp-server view mib-2 1.3.6.1.2.

Remote SNMP EngineID          IP address
80000000030004e2b316c54321    192.168.1.19
Console#

Table 30: show snmp engine-id - display description
Field | Description
Local SNMP engineID | String identifying the engine ID.
Local SNMP engineBoots | The number of times that the engine has (re-)initialized since the snmp EngineID was last configured.
Remote SNMP engineID | String identifying an engine ID on a remote device.

Group Name: private
Security Model: v2c
Read View: defaultview
Write View: defaultview
Notify View: none
Storage Type: volatile
Row Status: active
Console#

Table 31: show snmp group - display description
Field | Description
Group Name | Name of an SNMP group.
Security Model | The SNMP version.
Read View | The associated read view.
Write View | The associated write view.
Notify View | The associated notify view.
Storage Type | The storage type for this entry.

Table 32: show snmp user - display description
Field | Description
SNMP remote user | A user associated with an SNMP engine on a remote device.
Engine ID | String identifying the engine ID.
User Name | Name of user connecting to the SNMP agent.
Group Name | Name of an SNMP group.
Security Model | Shows the SNMP version 1, 2c or 3.
Security Level | Shows if authentication or privacy is used.
Authentication Protocol | The authentication protocol used with SNMPv3.
Notification Log Commands

nlm
This command enables or disables the specified notification log.
Syntax
[no] nlm filter-name
filter-name - Notification log name. (Range: 1-32 characters)
Default Setting
Enabled
Command Mode
Global Configuration
Command Usage
◆ Notification logging is enabled by default, but will not start recording information until a logging profile specified by the snmp-server notify-filter command is enabled by the nlm command.
Chapter 5 | SNMP Commands Notification Log Commands Default Setting None Command Mode Global Configuration Command Usage ◆ Systems that support SNMP often need a mechanism for recording Notification information as a hedge against lost notifications, whether there are Traps or Informs that may be exceeding retransmission limits. The Notification Log MIB (NLM, RFC 3014) provides an infrastructure in which information from other MIBs may be logged.
show nlm oper-status
This command shows the operational status of configured notification logs.
Command Mode
Privileged Exec
Example
Console#show nlm oper-status
Filter Name: A1
Oper-Status: Operational
Console#

show snmp notify-filter
This command displays the configured notification logs.
Command Mode
Privileged Exec
Example
This example displays the configured notification logs and associated target hosts.

Command Usage
Once the rising alarm threshold is exceeded, utilization must drop beneath the falling threshold before the alarm is terminated, and then exceed the rising threshold again before another alarm is triggered.
Example
Console(config)#memory rising 80
Console(config)#memory falling 60
Console#
Related Commands
show memory (117)

process cpu
This command sets an SNMP trap based on configured thresholds for CPU utilization.
6 Remote Monitoring Commands Remote Monitoring allows a remote device to collect information or respond to specified events on an independent basis. This switch is an RMON-capable device which can independently perform a wide range of tasks, significantly reducing network management traffic. It can continuously run diagnostics and log information on network performance.
Chapter 6 | Remote Monitoring Commands rmon alarm This command sets threshold bounds for a monitored variable. Use the no form to remove an alarm. Syntax rmon alarm index variable interval {absolute | delta} rising-threshold threshold [event-index] falling-threshold threshold [event-index] [owner name] no rmon alarm index index – Index to this entry. (Range: 1-65535) variable – The object identifier of the MIB variable to be sampled. Only variables of the type etherStatsEntry.n.n may be sampled.
Chapter 6 | Remote Monitoring Commands generated until the sampled value has fallen below the rising threshold, reaches the falling threshold, and again moves back up to the rising threshold. ◆ If the current value is less than or equal to the falling threshold, and the last sample value was greater than this threshold, then an alarm will be generated.
Chapter 6 | Remote Monitoring Commands Command Usage ◆ If an event is already defined for an index, the entry must be deleted before any changes can be made with this command. ◆ The specified events determine the action to take when an alarm triggers this event. The response to an alarm can include logging the alarm or sending a message to a trap manager.
Chapter 6 | Remote Monitoring Commands ◆ The information collected for each sample includes: input octets, packets, broadcast packets, multicast packets, undersize packets, oversize packets, fragments, jabbers, CRC alignment errors, collisions, drop events, and network utilization. ◆ The switch reserves two controlEntry index entries for each port.
Chapter 6 | Remote Monitoring Commands Command Usage ◆ By default, each index number equates to a port on the switch, but can be changed to any number not currently in use. ◆ If statistics collection is already enabled on an interface, the entry must be deleted before any changes can be made with this command.
Chapter 6 | Remote Monitoring Commands show rmon history This command shows the sampling parameters configured for each entry in the history group. Command Mode Privileged Exec Example Console#show rmon history Entry 1 is valid, and owned by Monitors 1.3.6.1.2.1.2.2.1.1.
7 Authentication Commands You can configure this switch to authenticate users logging into the system for management access using local or remote authentication methods.
Chapter 7 | Authentication Commands User Accounts
User Accounts
The basic commands required for management access are listed in this section. This switch also includes other options for password checking via the console or a Telnet connection (page 142), and user authentication via a remote authentication server (page 211).

Example
Console(config)#enable password level 15 0 admin
Console(config)#
Related Commands
enable (97)
authentication enable (214)

username
This command adds named users, requires authentication at login, specifies or changes a user's password (or specifies that no password is required), or specifies or changes a user's access level. Use the no form to remove a user name.

Command Usage
The encrypted password is required for compatibility with legacy password settings (i.e., plain text or encrypted) when reading the configuration file during system bootup or when downloading the configuration file from an FTP server. There is no need for you to manually configure encrypted passwords.
Example
This example shows how to set the access level and password for a user.
Authentication Sequence
Command Usage
◆ RADIUS uses UDP while TACACS+ uses TCP. UDP only offers best effort delivery, while TCP offers a connection-oriented transport. Also, note that RADIUS encrypts only the password in the access-request packet from the client to the server, while TACACS+ encrypts the entire body of the packet.
◆ RADIUS and TACACS+ logon authentication assigns a specific privilege level for each user name and password pair.
Chapter 7 | Authentication Commands RADIUS Client ◆ RADIUS and TACACS+ logon authentication assigns a specific privilege level for each user name and password pair. The user name, password, and privilege level must be configured on the authentication server. ◆ You can specify three authentication methods in a single command to indicate the authentication sequence. For example, if you enter “authentication login radius tacacs local,” the user name and password on the RADIUS server is verified first.
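The Command Usage note that RADIUS encrypts only the password in the access-request packet, worked through as an added example (not from this guide or the switch firmware): the User-Password hiding of RFC 2865, section 5.2, and a minimal Access-Request built around it. The shared secret, password, identifier and fixed Request Authenticator are constructed sample values; a real client uses a random authenticator for every request.

```python
"""RADIUS User-Password hiding per RFC 2865, section 5.2 (added example)."""
import hashlib
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2

# Constructed sample values, not taken from any real deployment.
SAMPLE_SECRET = b"constructed-shared-secret"
SAMPLE_AUTHENTICATOR = bytes(range(16))   # fixed only to keep the run repeatable
SAMPLE_USER = b"admin"
SAMPLE_PASSWORD = b"constructed-login-password"  # 26 octets, spans two blocks


def _xor(left: bytes, right: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(left, right))


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Pad to 16-octet blocks and XOR each with MD5(secret + previous block)."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1 to 128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, previous = b"", authenticator
    for offset in range(0, len(padded), 16):
        mask = hashlib.md5(secret + previous).digest()
        previous = _xor(padded[offset:offset + 16], mask)
        hidden += previous
    return hidden


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: the same mask chain, keyed by the shared secret."""
    clear, previous = b"", authenticator
    for offset in range(0, len(hidden), 16):
        block = hidden[offset:offset + 16]
        clear += _xor(block, hashlib.md5(secret + previous).digest())
        previous = block
    return clear.rstrip(b"\x00")


def _attribute(attr_type: int, value: bytes) -> bytes:
    # Type (1 octet), Length (1 octet, includes the two header octets), Value.
    return bytes([attr_type, len(value) + 2]) + value


def build_access_request(identifier: int, username: bytes, password: bytes,
                         secret: bytes, authenticator: bytes) -> bytes:
    """Code, Identifier, Length, Authenticator, then the two attributes."""
    attributes = _attribute(ATTR_USER_NAME, username) + _attribute(
        ATTR_USER_PASSWORD, hide_password(password, secret, authenticator))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attributes))
    return header + authenticator + attributes


if __name__ == "__main__":
    packet = build_access_request(7, SAMPLE_USER, SAMPLE_PASSWORD,
                                  SAMPLE_SECRET, SAMPLE_AUTHENTICATOR)
    print(packet.hex())
    print("user name readable in packet:", SAMPLE_USER in packet)
    print("password readable in packet: ", SAMPLE_PASSWORD in packet)
```

The user name and every other attribute stay readable on the wire, and the hidden password is protected only by the shared secret set with radius-server key.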
radius-server acct-port
This command sets the RADIUS server network port for accounting messages. Use the no form to restore the default.
Syntax
radius-server acct-port port-number
no radius-server acct-port
port-number - RADIUS server UDP port used for accounting messages.
Chapter 7 | Authentication Commands RADIUS Client radius-server host This command specifies primary and backup RADIUS servers, and authentication and accounting parameters that apply to each server. Use the no form to remove a specified server, or to restore the default values. Syntax [no] radius-server index host host-ip-address [acct-port acct-port] [auth-port auth-port] [key key] [retransmit retransmit] [timeout timeout] index - Allows you to specify up to five servers.
Chapter 7 | Authentication Commands RADIUS Client radius-server key This command sets the RADIUS encryption key. Use the no form to restore the default. Syntax radius-server key key-string no radius-server key key-string - Encryption key used to authenticate logon access for client. Enclose any string containing blank spaces in double quotes.
Chapter 7 | Authentication Commands RADIUS Client radius-server timeout This command sets the interval between transmitting authentication requests to the RADIUS server. Use the no form to restore the default. Syntax radius-server timeout number-of-seconds no radius-server timeout number-of-seconds - Number of seconds the switch waits for a reply before resending a request.
RADIUS Server Group:
Group Name                Member Index
------------------------- -------------
radius                    1
Console#

TACACS+ Client
Terminal Access Controller Access Control System (TACACS+) is a logon authentication protocol that uses software running on a central server to control access to TACACS-aware devices on the network.

Default Setting
authentication port - 49
timeout - 5 seconds
retransmit - 2
Command Mode
Global Configuration
Example
Console(config)#tacacs-server 1 host 192.168.1.25 port 181 timeout 10 retransmit 5 key green
Console(config)#

tacacs-server key
This command sets the TACACS+ encryption key. Use the no form to restore the default.

Default Setting
49
Command Mode
Global Configuration
Example
Console(config)#tacacs-server port 181
Console(config)#

tacacs-server retransmit
This command sets the number of retries. Use the no form to restore the default.
Syntax
tacacs-server retransmit number-of-retries
no tacacs-server retransmit
number-of-retries - Number of times the switch will try to authenticate logon access via the TACACS+ server.

Example
Console(config)#tacacs-server timeout 10
Console(config)#

show tacacs-server
This command displays the current settings for the TACACS+ server.
Default Setting
None
Command Mode
Privileged Exec
Example
Console#show tacacs-server
Remote TACACS+ Server Configuration:
Global Settings:
Server Port Number : 49
Retransmit Times : 2
Timeout : 5
Server 1:
Server IP Address : 10.11.12.
Server Port Number :
Retransmit Times :
Timeout :
Web Server
Note: Users are automatically logged off of the HTTP server or HTTPS server if no input is detected for 300 seconds.

ip http port
This command specifies the TCP port number used by the web browser interface. Use the no form to use the default port.
Syntax
ip http port port-number
no ip http port
port-number - The TCP port to be used by the browser interface.

Related Commands
ip http port (225)
show system (120)

ip http secure-port
This command specifies the TCP port number used for HTTPS connection to the switch’s web interface. Use the no form to restore the default port.
Syntax
ip http secure-port port-number
no ip http secure-port
port-number – The TCP port used for HTTPS.

Command Mode
Global Configuration
Command Usage
◆ Both HTTP and HTTPS service can be enabled independently on the switch. However, you cannot configure the HTTP and HTTPS servers to use the same TCP port.
Telnet Server
This section describes commands used to configure Telnet management access to the switch.
Chapter 7 | Authentication Commands Telnet Server ip telnet port This command specifies the TCP port number used by the Telnet interface. Use the no form to use the default port. Syntax ip telnet port port-number no telnet port port-number - The TCP port number to be used by the browser interface.
Example
Console#show ip telnet
IP Telnet Configuration:
Telnet Status: Enabled
Telnet Service Port: 23
Telnet Max Session: 4
Console#

Secure Shell
This section describes the commands used to configure the SSH server. Note that you also need to install an SSH client on the management station when using this protocol to configure the switch.
Note: The switch supports both SSH Version 1.5 and 2.0 clients.
Configuration Guidelines
The SSH server on this switch supports both password and public key authentication. If password authentication is specified by the SSH client, then the password can be authenticated either locally or via a RADIUS or TACACS+ remote authentication server, as specified by the authentication login command.

Password Authentication (for SSH v1.5 or V2 Clients)
a. The client sends its password to the server.
b. The switch compares the client's password to those stored in memory.
c. If a match is found, the connection is allowed.
Note: To use SSH with only password authentication, the host public key must still be given to the client, either during initial connection or manually entered into the known host file.

Note: The SSH server can be accessed using any configured IPv4 or IPv6 interface address on the switch.

ip ssh authentication-retries
This command configures the number of times the SSH server attempts to reauthenticate a user. Use the no form to restore the default setting.
Syntax
ip ssh authentication-retries count
no ip ssh authentication-retries
count – The number of authentication attempts permitted after which the interface is reset.
Chapter 7 | Authentication Commands Secure Shell ◆ The SSH server uses DSA or RSA for key exchange when the client first establishes a connection with the switch, and then negotiates with the client to select either DES (56-bit) or 3DES (168-bit) for data encryption. ◆ You must generate DSA and RSA host keys before enabling the SSH server.
ip ssh timeout
This command configures the timeout for the SSH server. Use the no form to restore the default setting.
Syntax
ip ssh timeout seconds
no ip ssh timeout
seconds – The timeout for client response during SSH negotiation. (Range: 1-120)
Default Setting
10 seconds
Command Mode
Global Configuration
Command Usage
The timeout specifies the interval the switch will wait for a response from the client during the SSH negotiation phase.
Example
Console#delete public-key admin dsa
Console#

ip ssh crypto host-key generate
This command generates the host key pair (i.e., public and private).
Syntax
ip ssh crypto host-key generate [dsa | rsa]
dsa – DSA (Version 2) key type.
rsa – RSA (Version 1) key type.
Default Setting
Generates both the DSA and RSA key pairs.
Command Mode
Privileged Exec
Command Usage
◆ The switch uses only RSA Version 1 for SSHv1.
ip ssh crypto zeroize
This command clears the host key from memory (i.e. RAM).
Syntax
ip ssh crypto zeroize [dsa | rsa]
dsa – DSA key type.
rsa – RSA key type.
Default Setting
Clears both the DSA and RSA key.
Command Mode
Privileged Exec
Command Usage
◆ This command clears the host key from volatile memory (RAM). Use the no ip ssh save host-key command to clear the host key from flash memory.
Related Commands
ip ssh crypto host-key generate (236)

show ip ssh
This command displays the connection settings used when authenticating client access to the SSH server.
Command Mode
Privileged Exec
Example
Console#show ip ssh
SSH Enabled - Version 2.0
Negotiation Timeout : 120 seconds; Authentication Retries : 3
Server Key Size : 768 bits
Console#

show public-key
This command shows the public key for the specified user or for the host.
802.1X Port Authentication
The switch supports IEEE 802.1X (dot1x) port-based access control that prevents unauthorized access to the network by requiring users to first submit credentials for authentication. Client authentication is controlled centrally by a RADIUS server using EAP (Extensible Authentication Protocol).
Table 46: 802.
General Commands

dot1x default
This command sets all configurable dot1x authenticator global and port settings to their default values.
Command Mode
Global Configuration
Example
Console(config)#dot1x default
Console(config)#

dot1x eapol-pass-through
This command passes EAPOL frames through to all ports in STP forwarding state when dot1x is globally disabled. Use the no form to restore the default.
Command Usage
◆ When this device is functioning as an intermediate node in the network and does not need to perform dot1x authentication, the dot1x eapol-pass-through command can be used to forward EAPOL frames from other switches on to the authentication servers, thereby allowing the authentication process to still be carried out by switches located on the edge of the network.
Authenticator Commands

dot1x intrusion-action
This command sets the port’s response to a failed authentication, either to block all traffic, or to assign all traffic for the port to a guest VLAN. Use the no form to reset the default.
Syntax
dot1x intrusion-action {block-traffic | guest-vlan}
no dot1x intrusion-action
block-traffic - Blocks traffic on this port.
guest-vlan - Assigns the user to the Guest VLAN.
Command Mode
Interface Configuration
Example
Console(config)#interface eth 1/2
Console(config-if)#dot1x max-reauth-req 2
Console(config-if)#

dot1x max-req
This command sets the maximum number of times the switch port will retransmit an EAP request/identity packet to the client before it times out the authentication session. Use the no form to restore the default.
mac-based – Allows multiple hosts to connect to this port, with each host needing to be authenticated.
Default
Single-host
Command Mode
Interface Configuration
Command Usage
◆ The “max-count” parameter specified by this command is only effective if the dot1x mode is set to “auto” by the dot1x port-control command.
Command Mode
Interface Configuration
Example
Console(config)#interface eth 1/2
Console(config-if)#dot1x port-control auto
Console(config-if)#

dot1x re-authentication
This command enables periodic re-authentication for a specified port. Use the no form to disable re-authentication.
Default
60 seconds
Command Mode
Interface Configuration
Example
Console(config)#interface eth 1/2
Console(config-if)#dot1x timeout quiet-period 350
Console(config-if)#

dot1x timeout re-authperiod
This command sets the time period after which a connected client must be re-authenticated. Use the no form of this command to reset the default.
Syntax
dot1x timeout re-authperiod seconds
no dot1x timeout re-authperiod
seconds - The number of seconds.
Command Mode
Interface Configuration
Command Usage
This command sets the timeout for EAP-request frames other than EAP-request/identity frames. If dot1x authentication is enabled on a port, the switch will initiate authentication when the port link state comes up. It will send an EAP-request/identity frame to the client to request its identity, followed by one or more requests for authentication information.
dot1x re-authenticate
This command forces re-authentication on all ports or a specific interface.
Syntax
dot1x re-authenticate [interface]
interface
ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number. (Range: 1-32/54)
Command Mode
Privileged Exec
Command Usage
The re-authentication process verifies the connected client’s user ID and password on the RADIUS server.
Command Usage
This command displays the following information:
◆ Global 802.1X Parameters – Shows whether or not 802.1X port authentication is globally enabled on the switch (page 242).
◆ Authenticator Parameters – Shows whether or not EAPOL pass-through is enabled (page 241).
◆ 802.1X Port Summary – Displays the port access control parameters for each interface that has enabled 802.1X, including the following items:
■ ■ ■ ■
◆ 802.
◆ Backend State Machine
■ State – Current state (including request, response, success, fail, timeout, idle, initialize).
■ Request Count – Number of EAP Request packets sent to the Supplicant without receiving a response.
■ Identifier (Server) – Identifier carried in the most recent EAP Success, Failure or Request packet received from the Authentication Server.
Backend State Machine
State : Idle
Request Count : 0
Identifier(Server) : 2
Reauthentication State Machine
State : Initialize
Console#

Management IP Filter
This section describes commands used to configure IP management access to the switch.
Command Usage
◆ The management interfaces are open to all IP addresses by default. Once you add an entry to a filter list, access to that interface is restricted to the specified addresses.
◆ If anyone tries to access a management interface on the switch from an invalid address, the switch will reject the connection, enter an event message in the system log, and send a trap message to the trap manager.
Example
Console#show management all-client
Management Ip Filter
HTTP-Client:
   Start IP address    End IP address
-----------------------------------------------
1. 192.168.1.19        192.168.1.19
2. 192.168.1.25        192.168.1.30

SNMP-Client:
   Start IP address    End IP address
-----------------------------------------------
1. 192.168.1.19        192.168.1.19
2. 192.168.1.25        192.168.1.
8 General Security Measures
This switch provides port-based traffic segmentation to segregate traffic for clients attached to each of the data ports.

Table 48: General Security Commands
Command Group                 Function
Port Security*                Configures secure addresses for a port
802.1X Port Authentication*   Configures host authentication on specific ports using 802.
Port Security
These commands can be used to enable port security on a port. When MAC address learning is disabled on an interface, only incoming traffic with source addresses already stored in the dynamic or static address table for this port will be authorized to access the network. When using port security, the switch stops learning new MAC addresses on the specified port when it has reached a configured maximum number.
the static address table will be accepted, all other packets are dropped. Note that the dynamic addresses stored in the address table when MAC address learning is disabled are flushed from the system, and no dynamic addresses are subsequently learned until MAC address learning has been re-enabled.
◆ The mac-learning commands cannot be used if 802.
Command Usage
◆ The default maximum number of MAC addresses allowed on a secure port is zero (that is, port security is disabled). To use port security, you must configure the maximum number of addresses allowed on a port using the port security max-mac-count command.
Example
The following example enables port security for port 5, and sets the response to a security violation to issue a trap message:
Console(config)#interface ethernet 1/5
Console(config-if)#port security action trap
Related Commands
show interfaces status (376)
shutdown (364)
mac-address-table static (438)

show port security
This command displays port security status and the secure address count.
Table 50: show port security - display description
Field              Description
Port Security      The configured status (enabled or disabled).
Port Status        The operational status:
                   ◆ Secure/Down – Port security is disabled.
                   ◆ Secure/Up – Port security is enabled.
                   ◆ Shutdown – Port is shut down due to a response to a port security violation.
Intrusion Action   The configured intrusion response.
MAC Filter                       : Disabled
Last Intrusion MAC               : 00-10-22-00-00-01
Last Time Detected Intrusion MAC : 2010/7/29 15:13:03
Console#

Network Access (MAC Address Authentication)
Network Access authentication controls access to the network by authenticating the MAC address of each host that attempts to connect to a switch port.
Table 51: Network Access Commands (Continued)
Command                                 Function                                                             Mode
show network-access mac-address-table   Displays information for entries in the secure MAC address table    PE
show network-access mac-filter          Displays information for entries in the MAC filter tables           PE

network-access aging
Use this command to enable aging for authenticated MAC addresses stored in the secure MAC address table.
network-access mac-filter
Use this command to add a MAC address into a filter table. Use the no form of this command to remove the specified MAC address.
Syntax
[no] network-access mac-filter filter-id mac-address mac-address [mask mask-address]
filter-id - Specifies a MAC address filter table. (Range: 1-64)
mac-address - Specifies a MAC address entry.
Command Mode
Global Configuration
Command Usage
◆ The reauthentication time is a global setting and applies to all ports.
◆ When the reauthentication time expires for a secure MAC address it is removed by the switch from the secure MAC table, and the switch will only perform the authentication process the next time it receives the MAC address packet.
◆ When the last user logs off of a port with a dynamic QoS assignment, the switch restores the original QoS configuration for the port.
◆ When a user attempts to log into the network with a returned dynamic QoS profile that is different from users already logged on to the same port, the user is denied access.
◆ When the dynamic VLAN assignment status is changed on a port, all authenticated addresses are cleared from the secure MAC address table.
Example
The following example enables dynamic VLAN assignment on port 1.
Console(config)#interface ethernet 1/1
Console(config-if)#network-access dynamic-vlan
Console(config-if)#

network-access
Use this command to assign all traffic on a port to a guest VLAN when 802.
network-access link-detection
Use this command to enable link detection for the selected port. Use the no form of this command to restore the default.
network-access link-detection link-up
Use this command to detect link-up events. When detected, the switch can shut down the port, send an SNMP trap, or both. Use the no form of this command to disable this feature.
Syntax
network-access link-detection link-up action [shutdown | trap | trap-and-shutdown]
no network-access link-detection
action - Response to take when port security is violated.
shutdown - Disable port only.
Example
Console(config)#interface ethernet 1/1
Console(config-if)#network-access link-detection link-up-down action trap
Console(config-if)#

network-access max-mac-count
Use this command to set the maximum number of MAC addresses that can be authenticated on a port interface via all forms of authentication. Use the no form of this command to restore the default.
Command Usage
◆ When enabled on a port, the authentication process sends a Password Authentication Protocol (PAP) request to a configured RADIUS server. The user name and password are both equal to the MAC address being authenticated.
◆ On the RADIUS server, PAP user name and passwords must be configured in the MAC address format XX-XX-XX-XX-XX-XX (all in upper case).
Command Mode
Interface Configuration
Command Usage
◆ Entries in the MAC address filter table can be configured with the network-access mac-filter command.
◆ Only one filter table can be assigned to a port.
Command Mode
Interface Configuration
Example
Console(config-if)#mac-authentication max-mac-count 32
Console(config-if)#

clear network-access
Use this command to clear entries from the secure MAC addresses table.
Syntax
clear network-access mac-address-table [static | dynamic] [address mac-address] [interface interface]
static - Specifies static address entries.
dynamic - Specifies dynamic address entries.
Default Setting
Displays the settings for all interfaces.
Command Mode
Privileged Exec
Command Usage
When using a bit mask to filter displayed MAC addresses, a 1 means “care” and a 0 means “don't care”. For example, a MAC of 00-00-01-02-03-04 and mask FF-FF-FF-00-00-00 would result in all MACs in the range 00-00-01-00-00-00 to 00-00-01-FF-FF-FF to be displayed. All other MACs would be filtered out.
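The care/don't-care mask rule above, together with the XX-XX-XX-XX-XX-XX upper-case format required for the RADIUS PAP user name and password in MAC authentication, worked through as an added example. This is not code from the switch or from Edgecore; the function names and the sample address list are assumptions made for illustration.

```python
import string

MAC_BITS = 0xFFFFFFFFFFFF  # 48 one-bits


def parse_mac(text):
    """Turn a MAC such as 00-00-01-02-03-04 (also ':' or '.' separated) into an int."""
    digits = "".join(ch for ch in text.strip() if ch not in "-:.")
    if len(digits) != 12 or any(ch not in string.hexdigits for ch in digits):
        raise ValueError(f"not a MAC address: {text!r}")
    return int(digits, 16)


def format_mac(value):
    """Render an int as XX-XX-XX-XX-XX-XX in upper case."""
    raw = f"{value:012X}"
    return "-".join(raw[i:i + 2] for i in range(0, 12, 2))


def mask_matches(candidate, mac, mask):
    """True when candidate equals mac in every bit position where the mask is 1."""
    care = parse_mac(mask)
    return (parse_mac(candidate) & care) == (parse_mac(mac) & care)


def mask_bounds(mac, mask):
    """Lowest and highest address selected by mac/mask.

    When the mask's 1 bits are all leading (as in FF-FF-FF-00-00-00) every
    address between the bounds matches. For any other mask only the bounds
    are guaranteed, so test individual addresses with mask_matches().
    """
    care = parse_mac(mask)
    low = parse_mac(mac) & care
    high = low | (~care & MAC_BITS)
    return format_mac(low), format_mac(high)


def filter_table(entries, mac, mask):
    """Return the entries a mac/mask display filter would keep, normalized."""
    return [format_mac(parse_mac(e)) for e in entries if mask_matches(e, mac, mask)]


def radius_pap_credentials(mac):
    """User name and password for MAC authentication: both are the MAC itself,
    written XX-XX-XX-XX-XX-XX in upper case."""
    normalized = format_mac(parse_mac(mac))
    return normalized, normalized


# Constructed sample: the same kind of address as written by different tools.
SEEN = ["00-00-01-02-03-04", "00:00:01:aa:bb:cc", "0000.02aa.bbcc", "00-10-22-00-00-01"]

if __name__ == "__main__":
    print(mask_bounds("00-00-01-02-03-04", "FF-FF-FF-00-00-00"))
    print(filter_table(SEEN, "00-00-01-02-03-04", "FF-FF-FF-00-00-00"))
    print(radius_pap_credentials("00:10:22:ab:cd:ef"))
```

Normalizing before comparing matters on the RADIUS side: an entry stored in lower case or with colons does not equal the XX-XX-XX-XX-XX-XX upper-case form the guide requires.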
Web Authentication
name and password authentication via RADIUS. Once authentication is successful, the web browser is forwarded on to the originally requested web page. Successful authentication is valid for all hosts connected to the port.
Note: RADIUS authentication must be activated and configured for the web authentication feature to work properly (see “Authentication Sequence” on page 214).
Note: Web authentication cannot be configured on trunk ports.
Command Mode
Global Configuration
Example
Console(config)#web-auth login-attempts 2
Console(config)#

web-auth quiet-period
This command defines the amount of time a host must wait after exceeding the limit for failed login attempts, before it may attempt web authentication again. Use the no form to restore the default.
Command Mode
Global Configuration
Example
Console(config)#web-auth session-timeout 1800
Console(config)#

web-auth system-auth-control
This command globally enables web authentication for the switch. Use the no form to restore the default.
Example
Console(config-if)#web-auth
Console(config-if)#

web-auth re-authenticate (Port)
This command ends all web authentication sessions connected to the port and forces the users to re-authenticate.
Syntax
web-auth re-authenticate interface interface
interface - Specifies a port interface.
ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number.
Example
Console#web-auth re-authenticate interface ethernet 1/2 192.168.1.5
Console#

show web-auth
This command displays global web authentication parameters.
show web-auth summary
This command displays a summary of web authentication port parameters and statistics.
Command Mode
Privileged Exec
Example
Console#show web-auth summary
Global Web-Auth Parameters
System Auth Control : Enabled
Port   Status     Authenticated Host Count
----   ------     ------------------------
1/ 1   Disabled   0
1/ 2   Enabled    8
1/ 3   Disabled   0
1/ 4   Disabled   0
1/ 5   Disabled   0
. . .
DHCPv4 Snooping
Table 54: DHCP Snooping Commands (Continued)
Command                                 Function                                                       Mode
clear ip dhcp snooping binding          Clears DHCP snooping binding table entries from RAM            PE
clear ip dhcp snooping database flash   Removes all dynamically learned snooping entries from flash memory.
◆ Filtering rules are implemented as follows:
■ If global DHCP snooping is disabled, all DHCP packets are forwarded.
■ If DHCP snooping is enabled globally, and also enabled on the VLAN where the DHCP packet is received, all DHCP packets are forwarded for a trusted port. If the received packet is a DHCP ACK message, a dynamic DHCP snooping entry is also added to the binding table.
Example
This example enables DHCP snooping globally for the switch.
Console(config)#ip dhcp snooping
Console(config)#
Related Commands
ip dhcp snooping vlan (288)
ip dhcp snooping trust (290)

ip dhcp snooping information option
This command enables the use of DHCP Option 82 information for the switch, and specifies the frame format to use for the remote-id when Option 82 information is generated by the switch.
compatible DHCP servers to use the information when assigning IP addresses, or to set other services or policies for clients.
◆ When the DHCP Snooping Information Option 82 is enabled, the requesting client (or an intermediate relay agent that has used the information fields to describe itself) can be identified in the DHCP request packets forwarded by the switch and in reply packets sent back from the DHCP server.
Command Usage
See the Command Usage section under the ip dhcp snooping information option circuit-id command for a description of how these fields are included in TR-101 syntax.
Example
This example enables the use of sub-type and sub-length fields for the circuit-ID (CID) and remote-ID (RID).
ip dhcp snooping information policy
This command sets the DHCP snooping information option policy for DHCP client packets that include Option 82 information. Use the no form to restore the default setting.
Syntax
ip dhcp snooping information policy {drop | keep | replace}
no ip dhcp snooping information policy
drop - Drops the client’s request packet instead of relaying it.
Command Mode
Global Configuration
Example
This example sets the DHCP snooping rate limit to 100 packets per second.
Console(config)#ip dhcp snooping limit rate 100
Console(config)#

ip dhcp snooping verify mac-address
This command verifies the client’s hardware address stored in the DHCP packet against the source MAC address in the Ethernet header. Use the no form to disable this function.
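The comparison that ip dhcp snooping verify mac-address describes, reproduced offline as an added example (not switch firmware or vendor code): it extracts the client hardware address (chaddr) from a DHCP message and compares it with the Ethernet source MAC. The frame builder and all addresses are constructed sample data, and the function names are assumptions.

```python
import struct


def mac_str(raw):
    """Format 6 raw bytes as XX-XX-XX-XX-XX-XX."""
    return "-".join(f"{b:02X}" for b in raw)


def build_dhcp_frame(eth_src, chaddr):
    """Constructed sample: a minimal broadcast DHCPDISCOVER in an Ethernet frame.
    Checksums are left at zero because the check below does not verify them."""
    bootp = struct.pack("!BBBBIHH4s4s4s4s16s",
                        1, 1, 6, 0,            # op=BOOTREQUEST, htype=Ethernet, hlen, hops
                        0x12345678, 0, 0x8000,  # xid, secs, flags (broadcast)
                        bytes(4), bytes(4), bytes(4), bytes(4),  # ci/yi/si/giaddr
                        chaddr)                 # padded to 16 bytes by struct
    bootp += bytes(192)                         # sname + file
    bootp += b"\x63\x82\x53\x63" + b"\x35\x01\x01\xff"  # magic cookie, option 53
    udp = struct.pack("!HHHH", 68, 67, 8 + len(bootp), 0) + bootp
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes(4), b"\xff" * 4) + udp
    return b"\xff" * 6 + eth_src + b"\x08\x00" + ip


def dhcp_mac_check(frame):
    """Return (ethernet_source, chaddr, match) for a DHCP-over-IPv4 frame,
    or None when the frame is not an unfragmented Ethernet DHCP message."""
    if len(frame) < 14:
        return None
    eth_src = frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    off = 14
    if ethertype == 0x8100:                     # skip one 802.1Q VLAN tag
        if len(frame) < 18:
            return None
        ethertype = struct.unpack("!H", frame[16:18])[0]
        off = 18
    if ethertype != 0x0800 or len(frame) < off + 20:
        return None
    ihl = (frame[off] & 0x0F) * 4
    frag = struct.unpack("!H", frame[off + 6:off + 8])[0] & 0x1FFF
    if ihl < 20 or frag != 0 or frame[off + 9] != 17:    # 17 = UDP
        return None
    udp = off + ihl
    if len(frame) < udp + 8 + 44:               # UDP header + fixed BOOTP fields
        return None
    sport, dport = struct.unpack("!HH", frame[udp:udp + 4])
    if {sport, dport} - {67, 68}:               # both ports must be DHCP ports
        return None
    bootp = udp + 8
    htype, hlen = frame[bootp + 1], frame[bootp + 2]
    if htype != 1 or hlen != 6:                 # only Ethernet hardware addresses
        return None
    chaddr = frame[bootp + 28:bootp + 28 + hlen]
    return mac_str(eth_src), mac_str(chaddr), eth_src == chaddr


if __name__ == "__main__":
    host = bytes.fromhex("001022000001")
    other = bytes.fromhex("001022000002")
    print(dhcp_mac_check(build_dhcp_frame(host, host)))
    print(dhcp_mac_check(build_dhcp_frame(host, other)))
```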
ip dhcp snooping vlan
This command enables DHCP snooping on the specified VLAN. Use the no form to restore the default setting.
Default Setting
VLAN-Unit-Port
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
◆ DHCP provides a relay mechanism for sending information about the switch and its DHCP clients to the DHCP server. DHCP Option 82 allows compatible DHCP servers to use the information when assigning IP addresses, to set other services or policies for clients.
Example
This example sets the DHCP Snooping Information circuit-id suboption string.
Console(config)#interface ethernet 1/1
Console(config-if)#ip dhcp snooping information option circuit-id string 4500
Console(config-if)#

ip dhcp snooping trust
This command configures the specified interface as trusted. Use the no form to restore the default setting.
Related Commands
ip dhcp snooping (281)
ip dhcp snooping vlan (288)

clear ip dhcp snooping binding
This command clears DHCP snooping binding table entries from RAM. Use this command without any optional keywords to clear all entries from the binding table.
Syntax
clear ip dhcp snooping binding [mac-address vlan vlan-id]
mac-address - Specifies a MAC address entry. (Format: xx-xx-xx-xx-xx-xx)
vlan-id - ID of a configured VLAN.
Example
Console#clear ip dhcp snooping database flash
Console#

show ip dhcp
This command shows the DHCP snooping configuration settings.
DHCPv6 Snooping
DHCPv6 snooping allows a switch to protect a network from rogue DHCPv6 servers or other devices which send port-related information to a DHCPv6 server. This information can be useful in tracking an IP address back to a physical port. This section describes commands used to configure DHCPv6 snooping.
wall. When DHCPv6 snooping is enabled globally by this command, and enabled on a VLAN interface by the ipv6 dhcp snooping vlan command, DHCP messages received on an untrusted interface (as specified by the no ipv6 dhcp snooping trust command) from a device not listed in the DHCPv6 snooping table will be dropped.
◆ When enabled, DHCPv6 messages entering an untrusted interface are filtered based upon dynamic entries learned via DHCPv6 snooping.
DHCP Server Packet
■ If a DHCP server packet is received on an untrusted port, drop this packet and add a log entry in the system.
■ If a DHCPv6 Reply packet is received from a server on a trusted port, it will be processed in the following manner:
A. Check if IPv6 address in IA option is found in binding table:
   ■ If yes, continue to C.
   ■ If not, continue to B.
B.
Example
This example enables DHCPv6 snooping globally for the switch.
Console(config)#ipv6 dhcp snooping
Console(config)#
Related Commands
ipv6 dhcp snooping vlan (298)
ipv6 dhcp snooping trust (299)

ipv6 dhcp snooping option remote-id
This command enables the insertion of remote-id option 37 information into DHCPv6 client messages.
■ If an incoming packet is a DHCPv6 request packet with option 37 information, it will modify the option 37 information according to settings specified with ipv6 dhcp snooping option remote-id policy command.
■ If an incoming packet is a DHCPv6 request packet without option 37 information, enabling the DHCPv6 snooping information option will add option 37 information to the packet.
Example
This example configures the switch to keep existing remote-id option 37 information within DHCPv6 client packets and forward it.
Console(config)#ipv6 dhcp snooping option remote-id policy keep
Console(config)#

ipv6 dhcp snooping vlan
This command enables DHCPv6 snooping on the specified VLAN. Use the no form to restore the default setting.
Syntax
[no] ipv6 dhcp snooping vlan {vlan-id | vlan-range}
vlan-id - ID of a configured VLAN.
ipv6 dhcp snooping max-binding
This command sets the maximum number of entries which can be stored in the binding database for an interface. Use the no form to restore the default setting.
Syntax
ipv6 dhcp snooping max-binding count
no ipv6 dhcp snooping max-binding
count - Maximum number of entries.
VLAN according to the default status, or as specifically configured for an interface with the no ipv6 dhcp snooping trust command.
◆ When an untrusted port is changed to a trusted port, all the dynamic DHCPv6 snooping bindings associated with this port are removed.
◆ Additional considerations when the switch itself is a DHCPv6 client – The port(s) through which it submits a client request to the DHCPv6 server must be configured as trusted.
clear ipv6 dhcp snooping statistics
This command clears statistical counters for DHCPv6 snooping client, server and relay packets.
Command Mode
Privileged Exec
Example
Console(config)#clear ipv6 dhcp snooping statistics
Console(config)#

show ipv6 dhcp
This command shows the DHCPv6 snooping configuration settings.
Link-layer Address: 00-12-cf-01-02-03
IPv6 Address                            Lifetime   VLAN Port    Type
--------------------------------------- ---------- ---- ------- ----
2001:b000::1                            2591912       1 Eth 1/3 NA
Console#

show ipv6 dhcp snooping statistics
This command shows statistics for DHCPv6 snooping client, server and relay packets.
IPv4 Source Guard
Table 57: IPv4 Source Guard Commands
Command                        Function                                                              Mode
show ip source-guard           Shows whether source guard is enabled or disabled on each interface   PE
show ip source-guard binding   Shows the source guard binding table                                  PE

ip source-guard binding
This command adds a static address to the source-guard ACL or MAC address binding table. Use the no form to remove a static entry.
◆ When source guard is enabled, traffic is filtered based upon dynamic entries learned via DHCP snooping, or static addresses configured in the source guard binding table with this command.
◆ An entry with same MAC address and a different VLAN ID cannot be added to the binding table.
ip source-guard
This command configures the switch to filter inbound traffic based on source IP address, or source IP address and corresponding MAC address. Use the no form to disable this function.
Syntax
ip source-guard {sip | sip-mac}
no ip source-guard
sip - Filters traffic based on IP addresses stored in the binding table.
sip-mac - Filters traffic based on IP addresses and corresponding MAC addresses stored in the binding table.
the sip-mac option). If a matching entry is found in the binding table and the entry type is static IP source guard binding, the packet will be forwarded.
■ If the DHCP snooping is enabled, IP source guard will check the VLAN ID, source IP address, port number, and source MAC address (for the sip-mac option).
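A small model of the sip and sip-mac checks described above, as an added example rather than the switch's own logic. Two points are assumptions, because the corresponding text is cut off on this page: that dynamic DHCP snooping entries permit traffic only while DHCP snooping is enabled, and that a packet with no matching entry is dropped. The class names, field names and table contents are constructed for illustration.

```python
from dataclasses import dataclass

STATIC = "static"            # static IP source guard binding
DYNAMIC = "dhcp-snooping"    # dynamic entry learned by DHCP snooping


@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    vlan: int
    port: str
    kind: str


@dataclass(frozen=True)
class Packet:
    src_mac: str
    src_ip: str
    vlan: int
    port: str


def permit(pkt, table, mode, dhcp_snooping_enabled):
    """Return True when the packet would be forwarded under this model.

    mode is "sip" (VLAN ID, source IP and port must match an entry) or
    "sip-mac" (the source MAC must match that entry as well).
    """
    if mode not in ("sip", "sip-mac"):
        raise ValueError("mode must be 'sip' or 'sip-mac'")
    for entry in table:
        if (entry.vlan, entry.ip, entry.port) != (pkt.vlan, pkt.src_ip, pkt.port):
            continue
        if mode == "sip-mac" and entry.mac.upper() != pkt.src_mac.upper():
            continue
        if entry.kind == STATIC:
            return True
        # Assumption: dynamic entries count only while DHCP snooping is enabled.
        if entry.kind == DYNAMIC and dhcp_snooping_enabled:
            return True
    return False   # Assumption: no matching entry means the packet is dropped.


# Constructed sample binding table for port 1/5 in VLAN 1.
TABLE = [
    Binding("00-10-22-00-00-01", "192.168.1.10", 1, "1/5", STATIC),
    Binding("00-10-22-00-00-02", "192.168.1.20", 1, "1/5", DYNAMIC),
]

if __name__ == "__main__":
    cases = {
        "bound host": Packet("00-10-22-00-00-01", "192.168.1.10", 1, "1/5"),
        "bound IP, other MAC": Packet("00-10-22-00-00-99", "192.168.1.10", 1, "1/5"),
        "bound IP, other port": Packet("00-10-22-00-00-01", "192.168.1.10", 1, "1/6"),
        "unbound IP": Packet("00-10-22-00-00-01", "192.168.1.77", 1, "1/5"),
    }
    for name, pkt in cases.items():
        print(f"{name:22} sip={permit(pkt, TABLE, 'sip', True)} "
              f"sip-mac={permit(pkt, TABLE, 'sip-mac', True)}")
```

The "bound IP, other MAC" case shows the practical difference between the two modes: sip forwards it, sip-mac does not.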
Command Mode
Interface Configuration (Ethernet)
Command Usage
◆ This command sets the maximum number of address entries that can be mapped to an interface in the binding table for the specified mode (ACL binding table or MAC address table) including dynamic entries discovered by DHCP snooping and static entries set by the ip source-guard command.
◆ The maximum binding for ACL mode restricts the number of “active” entries per port.
Command Usage
There are two modes for the filtering table:
◆ ACL - IP traffic will be forwarded if it passes the checking process in the ACL mode binding table.
◆ MAC - A MAC entry will be added in MAC address table if IP traffic passes the checking process in MAC mode binding table.
Example
Console#show ip source-guard
                                       ACL Table    MAC Table
Interface  Filter-type  Filter-table   Max-binding  Max-binding
---------  -----------  ------------   -----------  -----------
Eth 1/1    DISABLED     ACL            5            1024
Eth 1/2    DISABLED     ACL            5            1024
Eth 1/3    DISABLED     ACL            5            1024
Eth 1/4    DISABLED     ACL            5            1024
Eth 1/5    DISABLED     ACL            5            1024
. . .

show ip source-guard
This command shows the source guard binding table.
IPv6 Source Guard
IPv6 Source Guard is a security feature that filters IPv6 traffic on non-routed, Layer 2 network interfaces based on manually configured entries in the IPv6 Source Guard table, or dynamic entries in the Neighbor Discovery Snooping table or DHCPv6 Snooping table when either snooping protocol is enabled (see “DHCPv6 Snooping” on page 293).
Default Setting
No configured entries
Command Mode
Global Configuration
Command Usage
◆ Table entries include an associated MAC address, IPv6 global unicast address, lease time, entry type (Static-IP-SG-Binding, Dynamic-ND-Snooping, Dynamic-DHCPv6-Snooping), VLAN identifier, and port identifier.
◆ Traffic filtering is based only on the source IPv6 address, VLAN ID, and port number.
ipv6 dhcp snooping (293)
ipv6 dhcp snooping vlan (298)

ipv6 source-guard
This command configures the switch to filter inbound traffic based on the source IP address stored in the binding table. Use the no form to disable this function.
Chapter 8 | General Security Measures IPv6 Source Guard ◆ Filtering rules are implemented as follows: ■ If ND snooping and DHCPv6 snooping are disabled, IPv6 source guard will check the VLAN ID, source IPv6 address, and port number. If a matching entry is found in the binding table and the entry type is static IPv6 source guard binding, the packet will be forwarded. ■ If ND snooping or DHCPv6 snooping is enabled, IPv6 source guard will check the VLAN ID, source IP address, and port number.
Command Mode
Interface Configuration (Ethernet)

Command Usage
◆ This command sets the maximum number of address entries that can be mapped to an interface in the binding table, including dynamic entries discovered by ND snooping and DHCPv6 snooping, and static entries set by the ipv6 source-guard command.
◆ IPv6 source guard maximum bindings must be set to a value higher than DHCPv6 snooping maximum bindings and ND snooping maximum bindings.
. . .

show ipv6 source-guard binding
This command shows the IPv6 source guard binding table.

Syntax
show ipv6 source-guard binding [dynamic | static]

dynamic - Shows dynamic entries configured with ND Snooping or DHCPv6 Snooping commands (see page 293)
static - Shows static entries configured with the ipv6 source-guard binding command.
ipv6 source-guard binding
This command adds a static address to the source-guard binding table. Use the no form to remove a static entry.

Syntax
ipv6 source-guard binding mac-address vlan vlan-id ipv6-address interface interface
no ipv6 source-guard binding mac-address vlan vlan-id

mac-address - A valid unicast MAC address.
vlan-id - ID of a configured VLAN (Range: 1-4094)
ipv6-address - Corresponding IPv6 address.
◆ Static bindings are processed as follows:
  ■ If there is no entry with the same MAC address and IPv6 address, a new entry is added to the binding table using static IPv6 source guard binding.
  ■ If there is an entry with the same MAC address and IPv6 address, and the type of entry is static IPv6 source guard binding, then the new entry will replace the old one.
Chapter 8 | General Security Measures IPv6 Source Guard ◆ This command checks the VLAN ID, IPv6 global unicast source IP address, and port number against all entries in the binding table. Use the no ipv6 source guard command to disable this function on the selected port. ◆ After IPv6 source guard is enabled on an interface, the switch initially blocks all IPv6 traffic received on that interface, except for ND packets allowed by ND snooping and DHCPv6 packets allowed by DHCPv6 snooping.
Example
This example enables IPv6 source guard on port 5.

Console(config)#interface ethernet 1/5
Console(config-if)#ipv6 source-guard sip
Console(config-if)#

Related Commands
ipv6 source-guard binding (310)
ipv6 dhcp snooping (293)
ipv6 dhcp snooping vlan (298)

ipv6 source-guard max-binding
This command sets the maximum number of entries that can be bound to an interface. Use the no form to restore the default setting.
binding table reaches the newly configured maximum number of allowed bindings.

Example
This example sets the maximum number of allowed entries in the binding table for port 5 to one entry.

Console(config)#interface ethernet 1/5
Console(config-if)#ipv6 source-guard max-binding 1
Console(config-if)#

show ipv6 source-guard
This command shows whether IPv6 source guard is enabled or disabled on each interface, and the maximum allowed bindings.
Example

Console#show ipv6 source-guard binding
MAC Address    IPv6 Address                            VLAN Interface Type
-------------- --------------------------------------- ---- --------- ----
00AB-11CD-2345 2001::1                                    1 Eth 1/5   STA
Console#

ARP Inspection
ARP Inspection validates the MAC-to-IP address bindings in Address Resolution Protocol (ARP) packets. It protects against ARP traffic with invalid address bindings, which forms the basis for certain “man-in-the-middle” attacks.
Chapter 8 | General Security Measures ARP Inspection Table 60: ARP Inspection Commands (Continued) Command Function Mode show ip arp inspection statistics Shows statistics about the number of ARP packets processed, or dropped for various reasons PE show ip arp inspection vlan Shows configuration setting for VLANs, including ARP Inspection status, the ARP ACL name, and if the DHCP Snooping database is used after ACL validation is completed PE ip arp inspection This command enables ARP Inspection gl
Chapter 8 | General Security Measures ARP Inspection Example Console(config)#ip arp inspection Console(config)# ip arp inspection filter This command specifies an ARP ACL to apply to one or more VLANs. Use the no form to remove an ACL binding. Syntax ip arp inspection filter arp-acl-name vlan {vlan-id | vlan-range} [static] no ip arp inspection filter arp-acl-name vlan {vlan-id | vlan-range} arp-acl-name - Name of an ARP ACL. (Maximum length: 16 characters) vlan-id - VLAN ID.
ip arp inspection log-buffer logs
This command sets the maximum number of entries saved in a log message, and the rate at which these messages are sent. Use the no form to restore the default settings.

Syntax
ip arp inspection log-buffer logs message-number interval seconds
no ip arp inspection log-buffer logs

message-number - The maximum number of entries saved in a log message.
ip arp inspection validate
This command specifies additional validation of address components in an ARP packet. Use the no form to restore the default setting.

Syntax
ip arp inspection validate {dst-mac [ip [allow-zeros] [src-mac]] | ip [allow-zeros] [src-mac]] | src-mac}
no ip arp inspection validate

dst-mac - Checks the destination MAC address in the Ethernet header against the target MAC address in the ARP body.
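The dst-mac comparison described above can be modelled offline as follows. This is an added example, not code from the guide or the switch firmware; the function names and sample frames are constructed, and two points are assumptions based on common dynamic ARP inspection behaviour rather than on this page: that dst-mac is applied to ARP replies only, and that src-mac compares the Ethernet source MAC with the sender MAC in the ARP body.

```python
import struct

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff-ff-ff-ff-ff-ff"


def mac(text):
    """Parse 'aa-bb-cc-dd-ee-ff' or 'aa:bb:cc:dd:ee:ff' into 6 raw bytes."""
    raw = bytes.fromhex(text.replace("-", "").replace(":", ""))
    if len(raw) != 6:
        raise ValueError(f"not a MAC address: {text!r}")
    return raw


def ipv4(text):
    """Parse a dotted quad into 4 raw bytes."""
    parts = text.split(".")
    if len(parts) != 4:
        raise ValueError(f"not an IPv4 address: {text!r}")
    return bytes(int(p) for p in parts)  # bytes() rejects values above 255


def build_frame(eth_dst, eth_src, op, sha, spa, tha, tpa):
    """Build an untagged Ethernet II + ARP frame in memory (sample input only)."""
    header = struct.pack("!6s6sH", mac(eth_dst), mac(eth_src), ETHERTYPE_ARP)
    body = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, op,
                       mac(sha), ipv4(spa), mac(tha), ipv4(tpa))
    return header + body


def parse_arp_frame(frame):
    """Return header and body fields; reject anything that is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42:  # 14-byte Ethernet header + 28-byte ARP body
        raise ValueError("frame too short for Ethernet + ARP")
    eth_dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame (VLAN-tagged frames are not handled here)")
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(
        "!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol type")
    return {"eth_dst": eth_dst, "eth_src": eth_src, "op": op,
            "sender_mac": sha, "sender_ip": spa,
            "target_mac": tha, "target_ip": tpa}


def validate(frame, checks):
    """Return the names of the enabled checks that the frame fails (empty list = pass)."""
    unknown = set(checks) - {"dst-mac", "src-mac"}
    if unknown:
        raise ValueError(f"unsupported check(s): {sorted(unknown)}")
    f = parse_arp_frame(frame)
    failed = []
    # dst-mac: Ethernet destination vs. target MAC in the ARP body.
    # Assumption: replies only, since a broadcast request carries an empty target MAC.
    if "dst-mac" in checks and f["op"] == ARP_REPLY and f["eth_dst"] != f["target_mac"]:
        failed.append("dst-mac")
    # src-mac (assumed semantics): Ethernet source vs. sender MAC in the ARP body.
    if "src-mac" in checks and f["eth_src"] != f["sender_mac"]:
        failed.append("src-mac")
    return failed


# Constructed sample frames (addresses are made up for illustration).
HOST_A, HOST_B, OTHER = "00-ab-11-cd-23-45", "00-e0-29-94-34-de", "02-00-00-00-00-99"
GOOD_REPLY = build_frame(HOST_A, HOST_B, ARP_REPLY,
                         HOST_B, "192.168.2.2", HOST_A, "192.168.2.10")
# Ethernet source differs from the sender MAC claimed in the ARP body.
MISMATCH_SRC = build_frame(HOST_A, HOST_B, ARP_REPLY,
                           OTHER, "192.168.2.2", HOST_A, "192.168.2.10")
# Reply sent to the broadcast address while the body names a single target.
MISMATCH_DST = build_frame(BROADCAST, HOST_B, ARP_REPLY,
                           HOST_B, "192.168.2.2", HOST_A, "192.168.2.10")
BROADCAST_REQUEST = build_frame(BROADCAST, HOST_A, ARP_REQUEST,
                                HOST_A, "192.168.2.10", "00-00-00-00-00-00", "192.168.2.2")

if __name__ == "__main__":
    for name in ("GOOD_REPLY", "MISMATCH_SRC", "MISMATCH_DST", "BROADCAST_REQUEST"):
        print(name, validate(globals()[name], {"dst-mac", "src-mac"}))
```

Running the same frames with only one keyword enabled shows which mismatches each option would miss on its own.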
vlan-range - A consecutive range of VLANs indicated by the use of a hyphen, or a random group of VLANs with each entry separated by a comma.

Default Setting
Disabled on all VLANs

Command Mode
Global Configuration

Command Usage
◆ When ARP Inspection is enabled globally with the ip arp inspection command, it becomes active only on those VLANs where it has been enabled with this command.
Chapter 8 | General Security Measures ARP Inspection none - There is no limit on the number of ARP packets that can be processed by the CPU. Default Setting 15 Command Mode Interface Configuration (Port, Static Aggregation) Command Usage ◆ This command applies to both trusted and untrusted ports. ◆ When the rate of incoming ARP packets exceeds the configured limit, the switch drops all ARP packets in excess of the limit.
Chapter 8 | General Security Measures ARP Inspection show ip arp inspection This command displays the global configuration settings for ARP Inspection.
Chapter 8 | General Security Measures ARP Inspection show ip arp inspection This command shows information about entries stored in the log, including the log associated VLAN, port, and address components. Command Mode Privileged Exec Example Console#show ip arp inspection log Total log entries number is 1 Num VLAN Port Src IP Address --- ---- ---- -------------1 1 11 192.168.2.2 Console# Dst IP Address -------------192.168.2.
Example

Console#show ip arp inspection vlan 1

VLAN ID  DAI Status      ACL Name             ACL Status
-------- --------------- -------------------- --------------------
1        disabled        sales                static
Console#

Port-based Traffic Segmentation
If tighter security is required for passing traffic from different clients through downlink ports on the local network and over uplink ports to the service provider, port-based traffic segmentation can be used to isolate traffic
Chapter 8 | General Security Measures Port-based Traffic Segmentation Command Usage ◆ Traffic segmentation provides port-based security and isolation between ports within the VLAN. Data traffic on the downlink ports can only be forwarded to, and from, the designated uplink port(s). Data cannot pass between downlink ports in the same segmented group, nor to ports which do not belong to the same group. ◆ Traffic segmentation and normal VLANs can exist simultaneously within the same switch.
traffic-segmentation session
This command creates a traffic-segmentation client session. Use the no form to remove a client session.

Syntax
[no] traffic-segmentation session session-id

session-id – Traffic segmentation session. (Range: 1-4)

Default Setting
None

Command Mode
Global Configuration

Command Usage
Use this command to create a new traffic-segmentation client session.
Chapter 8 | General Security Measures Port-based Traffic Segmentation Command Mode Global Configuration Command Usage ◆ A port cannot be configured in both an uplink and downlink list. ◆ A port can only be assigned to one traffic-segmentation session. ◆ When specifying an uplink or downlink, a list of ports may be entered by using a hyphen or comma in the port field. Note that lists are not supported for the channel-id field.
Chapter 8 | General Security Measures Port-based Traffic Segmentation Example This example enables forwarding of traffic between uplink ports assigned to different client sessions. Console(config)#traffic-segmentation uplink-to-uplink forwarding Console(config)# show This command displays the configured traffic segments.
9 Access Control Lists Access Control Lists (ACL) provide packet filtering for IPv4 frames (based on address, protocol, Layer 4 protocol port number or TCP control code), IPv6 frames (based on address, DSCP traffic class, next header type, or flow label), or any frames (based on MAC address or Ethernet type). To filter packets, first create an access list, add the required rules, and then bind the list to a specific port. This section describes the Access Control List commands.
Chapter 9 | Access Control Lists IPv4 ACLs access-list ip This command adds an IP access list and enters configuration mode for standard or extended IPv4 ACLs. Use the no form to remove the specified ACL. Syntax [no] access-list ip {standard | extended} acl-name standard – Specifies an ACL that filters packets based on the source IP address. extended – Specifies an ACL that filters packets based on the source or destination IP address, and other more specific criteria. acl-name – Name of the ACL.
permit, deny (Standard IP ACL)
This command adds a rule to a Standard IPv4 ACL. The rule sets a filter condition for packets emanating from the specified source. Use the no form to remove a rule.

Syntax
{permit | deny} {any | source bitmask | host source} [time-range time-range-name]
no {permit | deny} {any | source bitmask | host source}

any – Any source IP address.
source – Source IP address.
permit, deny (Extended IPv4 ACL)
This command adds a rule to an Extended IPv4 ACL. The rule sets a filter condition for packets with specific source or destination IP addresses, protocol types, source or destination protocol ports, or TCP control codes. Use the no form to remove a rule.
dport – Protocol destination port number. (Range: 0-65535)
port-bitmask – Decimal number representing the port bits to match. (Range: 0-65535)
control-flags – Decimal number (representing a bit string) that specifies flag bits in byte 14 of the TCP header. (Range: 0-63)
flag-bitmask – Decimal number representing the code bits to match.
time-range-name - Name of the time range.
Chapter 9 | Access Control Lists IPv4 ACLs Example This example accepts any incoming packets if the source address is within subnet 10.7.1.x. For example, if the rule is matched; i.e., the rule (10.7.1.0 & 255.255.255.0) equals the masked address (10.7.1.2 & 255.255.255.0), the packet passes through. Console(config-ext-acl)#permit 10.7.1.1 255.255.255.0 any Console(config-ext-acl)# This allows TCP packets from class C addresses 192.168.1.
Chapter 9 | Access Control Lists IPv4 ACLs Command Usage ◆ Only one ACL can be bound to a port. ◆ If an ACL is already bound to a port and you bind a different ACL to it, the switch will replace the old binding with the new one. Example Console(config)#int eth 1/2 Console(config-if)#ip access-group david in Console(config-if)# Related Commands show ip access-list (341) Time Range (177) show ip access-group This command shows the ports assigned to IP ACLs.
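The masked comparison used by IPv4 ACL rules (address bitmask and control-flag/flag-bitmask) can be checked offline with the model below. This is an added example, not code from the guide or the switch; the class and function names are hypothetical, top-down first-match evaluation is an assumption, and the case where no rule matches is reported as None rather than modelled. The rules are taken from the examples in this chapter, plus one constructed rule (control-flag 2 18).

```python
from dataclasses import dataclass
from typing import Optional, Sequence

TCP, UDP = 6, 17                                     # IANA protocol numbers
FIN, SYN, RST, PSH, ACK, URG = 1, 2, 4, 8, 16, 32    # TCP control bits (range 0-63)


def ip_to_int(dotted: str) -> int:
    """Strict dotted-quad parser. Bitmasks are plain bit patterns, not prefixes."""
    parts = dotted.split(".")
    if len(parts) != 4:
        raise ValueError(f"not a dotted quad: {dotted!r}")
    value = 0
    for part in parts:
        octet = int(part)
        if not 0 <= octet <= 255:
            raise ValueError(f"octet out of range in {dotted!r}")
        value = (value << 8) | octet
    return value


@dataclass(frozen=True)
class Masked:
    """A value/bitmask pair: only the bits set in the bitmask are compared."""
    value: int
    mask: int

    def matches(self, observed: int) -> bool:
        return (observed & self.mask) == (self.value & self.mask)


ANY = Masked(0, 0)  # a zero bitmask compares no bits, so every value matches


def host(addr: str) -> Masked:
    return Masked(ip_to_int(addr), 0xFFFFFFFF)


def net(addr: str, bitmask: str) -> Masked:
    return Masked(ip_to_int(addr), ip_to_int(bitmask))


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    protocol: int
    tcp_flags: int = 0


@dataclass(frozen=True)
class Rule:
    action: str                            # "permit" or "deny"
    src: Masked = ANY
    dst: Masked = ANY
    protocol: Optional[int] = None         # None = any protocol
    control_flag: Optional[Masked] = None  # control-flags + flag-bitmask

    def matches(self, pkt: Packet) -> bool:
        if self.protocol is not None and pkt.protocol != self.protocol:
            return False
        if self.control_flag is not None:
            if pkt.protocol != TCP or not self.control_flag.matches(pkt.tcp_flags):
                return False
        return (self.src.matches(ip_to_int(pkt.src))
                and self.dst.matches(ip_to_int(pkt.dst)))


def evaluate(rules: Sequence[Rule], pkt: Packet) -> Optional[str]:
    """Assumed first-match semantics; None means no rule in the list matched."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return None


# "permit 10.7.1.1 255.255.255.0 any"
ACL_SUBNET = [Rule("permit", src=net("10.7.1.1", "255.255.255.0"))]
# access-list david: "permit host 10.1.1.21", "permit 168.92.0.0 255.255.15.0"
ACL_DAVID = [Rule("permit", src=host("10.1.1.21")),
             Rule("permit", src=net("168.92.0.0", "255.255.15.0"))]
# access-list A6: "deny tcp any any control-flag 2 2", "permit any any"
ACL_A6 = [Rule("deny", protocol=TCP, control_flag=Masked(SYN, SYN)),
          Rule("permit")]
# Constructed variant "control-flag 2 18": SYN set and ACK clear.
ACL_SYN_ONLY = [Rule("deny", protocol=TCP, control_flag=Masked(SYN, SYN | ACK)),
                Rule("permit")]

if __name__ == "__main__":
    for flags in (SYN, SYN | ACK, ACK):
        pkt = Packet("10.0.0.1", "10.0.0.2", TCP, flags)
        print(flags, evaluate(ACL_A6, pkt), evaluate(ACL_SYN_ONLY, pkt))
```

Note that the bitmask 255.255.15.0 ignores the upper four bits of the third octet, so 168.92.16.x matches while 168.92.1.x does not; a bitmask of 2 on the control flags matches every segment with SYN set, including SYN+ACK.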
Chapter 9 | Access Control Lists IPv6 ACLs Example Console#show ip access-list standard IP standard access-list david: permit host 10.1.1.21 permit 168.92.0.0 255.255.15.0 Console# Related Commands permit, deny (337) ip access-group (340) IPv6 ACLs The commands in this section configure ACLs based on IPv6 address, DSCP traffic class, next header type, or flow label.
Chapter 9 | Access Control Lists IPv6 ACLs Command Mode Global Configuration Command Usage ◆ When you create a new ACL or enter configuration mode for an existing ACL, use the permit or deny command to add new rules to the bottom of the list. To create an ACL, you must add at least one rule to the list. ◆ To remove a rule, use the no permit or no deny command followed by the exact text of a previously configured rule. ◆ An ACL can contain up to 96 rules.
Chapter 9 | Access Control Lists IPv6 ACLs Default Setting None Command Mode Standard IPv6 ACL Command Usage New rules are appended to the end of the list. Example This example configures one permit rule for the specific address 2009:DB9:2229::79 and another rule for the addresses with the network prefix 2009:DB9:2229:5::/64.
Chapter 9 | Access Control Lists IPv6 ACLs Command Mode Extended IPv6 ACL Command Usage ◆ All new rules are appended to the end of the list. Example This example accepts any incoming packets if the destination address is 2009:DB9:2229::79/8. Console(config-ext-ipv6-acl)#permit 2009:DB9:2229::79/8 Console(config-ext-ipv6-acl)# Related Commands access-list ipv6 (342) Time Range (177) ipv6 access-group This command binds a port to an IPv6 ACL. Use the no form to remove the port.
Chapter 9 | Access Control Lists IPv6 ACLs Example Console(config)#interface ethernet 1/2 Console(config-if)#ipv6 access-group standard david in Console(config-if)# Related Commands show ipv6 access-list (346) show ipv6 This command shows the ports assigned to IPv6 ACLs.
Chapter 9 | Access Control Lists MAC ACLs Related Commands permit, deny (Standard IPv6 ACL) (343) permit, deny (Extended IPv6 ACL) (344) ipv6 access-group (345) MAC ACLs The commands in this section configure ACLs based on hardware addresses, packet format, and Ethernet type. To configure MAC ACLs, first create an access list containing the required permit or deny rules, and then bind the access list to one or more ports.
Chapter 9 | Access Control Lists MAC ACLs ◆ An ACL can contain up to 96 rules. Example Console(config)#access-list mac jerry Console(config-mac-acl)# Related Commands permit, deny (348) mac access-group (350) show mac access-list (351) permit, deny (MAC ACL) This command adds a rule to a MAC ACL. The rule filters packets matching a specified MAC source or destination address (i.e., physical layer address), or Ethernet protocol type. Use the no form to remove a rule.
Chapter 9 | Access Control Lists MAC ACLs no {permit | deny} untagged-eth2 {any | host source | source address-bitmask} {any | host destination | destination address-bitmask} [ethertype protocol [protocol-bitmask]] {permit | deny} tagged-802.3 {any | host source | source address-bitmask} {any | host destination | destination address-bitmask} [vid vid vid-bitmask] no {permit | deny} tagged-802.
Command Usage
◆ New rules are added to the end of the list.
◆ The ethertype option can only be used to filter Ethernet II formatted packets.
◆ A detailed listing of Ethernet protocol types can be found in RFC 1060. A few of the more common types include the following:
  ■ 0800 - IP
  ■ 0806 - ARP
  ■ 8137 - IPX

Example
This rule permits packets from any source MAC address to the destination address 00-e0-29-94-34-de where the Ethernet type is 0800.
Chapter 9 | Access Control Lists MAC ACLs ◆ If an ACL is already bound to a port and you bind a different ACL to it, the switch will replace the old binding with the new one. Example Console(config)#interface ethernet 1/2 Console(config-if)#mac access-group jerry in Console(config-if)# Related Commands show mac access-list (351) Time Range (177) show mac This command shows the ports assigned to MAC ACLs.
Chapter 9 | Access Control Lists ARP ACLs ARP ACLs The commands in this section configure ACLs based on the IP or MAC address contained in ARP request and reply messages. To configure ARP ACLs, first create an access list containing the required permit or deny rules, and then bind the access list to one or more VLANs using the ip arp inspection vlan command.
Chapter 9 | Access Control Lists ARP ACLs Related Commands permit, deny (353) show arp access-list (354) permit, deny (ARP ACL) This command adds a rule to an ARP ACL. The rule filters packets matching a specified source or destination address in ARP messages. Use the no form to remove a rule. Syntax [no] {permit | deny} ip {any | host source-ip | source-ip ip-address-bitmask} mac {any | host source-mac | source-mac mac-address-bitmask} [log] This form indicates either request or response packets.
Chapter 9 | Access Control Lists ARP ACLs Example This rule permits packets from any source IP and MAC address to the destination subnet address 192.168.0.0. Console(config-arp-acl)#$permit response ip any 192.168.0.0 255.255.0.0 mac any any Console(config-mac-acl)# Related Commands access-list arp (352) show access-list arp This command displays the rules for configured ARP ACLs. Syntax show access-list arp [acl-name] acl-name – Name of the ACL.
Chapter 9 | Access Control Lists ACL Information Related Commands permit, deny (353) ACL Information This section describes commands used to display ACL information.
Chapter 9 | Access Control Lists ACL Information show access-group This command shows the port assignments of ACLs. Command Mode Privileged Executive Example Console#show access-group Interface ethernet 1/2 IP access-list david MAC access-list jerry Console# show access-list This command shows all ACLs and associated rules.
MAC access-list jerry:
  permit any host 00-30-29-94-34-de ethertype 800 800
IP extended access-list A6:
  deny tcp any any control-flag 2 2
  permit any any
Console#
10 Interface Commands These commands are used to display or set communication parameters for an Ethernet port, aggregated link, or VLAN; or perform cable diagnostics on the specified interface.
Chapter 10 | Interface Commands Interface Configuration Table 69: Interface Commands (Continued) Command Function Mode transceiver-threshold rx-power Sets thresholds for the transceiver power level of the received signal which can be used to trigger an alarm or warning message IC transceiver-threshold temperature Sets thresholds for the transceiver temperature which can IC be used to trigger an alarm or warning message transceiver-threshold tx-power Sets thresholds for the transceiver power level
Chapter 10 | Interface Commands Interface Configuration Command Usage The craft interface is provided as an out-of-band management connection which is isolated from all other ports on the switch. This interface must first be configured with an IPv4 or IPv6 address before a connection can be made through Telnet, SSH, or HTTP. Example To specify port 4, enter the following command: Console(config)#interface ethernet 1/4 Console(config-if)# alias This command configures an alias name for the interface.
Chapter 10 | Interface Commands Interface Configuration description This command adds a description to an interface. Use the no form to remove the description. Syntax description string no description string - Comment or a description to help you remember what is attached to this interface.
back pressure is used for half-duplex operation and IEEE 802.3-2002 (formerly IEEE 802.3x) for full-duplex operation.

Example
The following example enables flow control on port 5.

Console(config)#interface ethernet 1/5
Console(config-if)#flowcontrol
Console(config-if)#

history
This command configures a periodic sampling of statistics, specifying the sampling interval and number of samples.
Chapter 10 | Interface Commands Interface Configuration media-type This command forces the module type. Use the no form to restore the default mode. Syntax media-type sfp-forced [mode] no media-type sfp-forced - Always uses the selected SFP module type (even if a module is not installed). mode 1000sfp - Always uses the SFP+ port at 1000 Mbps, full duplex. 10gsfp - Always uses the SFP+ port at 10 Gbps, full duplex.
Chapter 10 | Interface Commands Interface Configuration Example The following example disables port 5. Console(config)#interface ethernet 1/5 Console(config-if)#shutdown Console(config-if)# switchport mtu This command configures the maximum transfer unit (MTU) allowed for layer 2 packets crossing a Gigabit, 10 Gigabit or 40 Gigabit Ethernet port or trunk. Use the no form to restore the default setting.
◆ For QinQ, the overall frame size is still calculated as described above, and does not add the length of the second tag to the frame.
◆ The port MTU size can be displayed with the show interfaces status command.
Example
The following example clears statistics on port 5.

Console#clear counters ethernet 1/5
Console#

hardware profile portmode
This command configures port settings for 40G operation.

Syntax
hardware profile portmode interface {1x40g | 4x10g | reset}

interface
ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number. (Range: 1-32/54)
1x40g - Configures the port as a single 40G port.
4x10g - Configures the port as four 10G ports.
show hardware profile portmode
This command displays the configuration settings for 40G operation.

Command Mode
Privileged Exec

Example
This example shows the default 40G settings for the AS6700-32X.
Chapter 10 | Interface Commands Interface Configuration 1/54 Console# 1/75-78 - 1x40g show interfaces brief This command displays a summary of key information, including operational status, native VLAN ID, default priority, speed/duplex mode, and port type for all ports.
Chapter 10 | Interface Commands Interface Configuration 14707 Unicast Input 19806 Unicast Output 0 Discard Input 0 Discard Output 0 Error Input 0 Error Output 0 Unknown Protocols Input 0 QLen Output ===== Extended Iftable Stats ===== 23 Multi-cast Input 5525 Multi-cast Output 170 Broadcast Input 11 Broadcast Output ===== Ether-like Stats ===== 0 Alignment Errors 0 FCS Errors 0 Single Collision Frames 0 Multiple Collision Frames 0 SQE Test Errors 0 Deferred Transmissions 0 Late Collisions 0 Excessive Collis
Chapter 10 | Interface Commands Interface Configuration Table 70: show interfaces counters - display description (Continued) Parameter Description Octets Output The total number of octets transmitted out of the interface, including framing characters. Unicast Input The number of subnetwork-unicast packets delivered to a higher-layer protocol.
Chapter 10 | Interface Commands Interface Configuration Table 70: show interfaces counters - display description (Continued) Parameter Description Late Collisions The number of times that a collision is detected later than 512 bit-times into the transmission of a packet. Excessive Collisions A count of frames for which transmission on a particular interface fails due to excessive collisions. This counter does not increment when the interface is operating in full-duplex mode.
Chapter 10 | Interface Commands Interface Configuration Table 70: show interfaces counters - display description (Continued) Parameter Description 64 Octets The total number of packets (including bad packets) received and transmitted that were less than 64 octets in length (excluding framing bits but including FCS octets).
Chapter 10 | Interface Commands Interface Configuration Default Setting Shows historical statistics for all interfaces, intervals, ingress traffic, and egress traffic. Command Mode Privileged Exec Command Usage If no interface is specified, information on all interfaces is displayed. Example This example shows the statistics recorded for all named entries in the sampling table.
Chapter 10 | Interface Commands Interface Configuration Discards Errors ------------- ------------0 0 Console# This example shows the statistics recorded for a named entry in the sampling table.
Chapter 10 | Interface Commands Interface Configuration Console# show interfaces status This command displays the status for an interface. Syntax show interfaces status [interface] interface ethernet unit/port unit - Unit identifier. (Range: 1) port - Port number. (Range: 1-32/54) port-channel channel-id (Range: 1-16/27) vlan vlan-id (Range: 1-4094) Default Setting Shows the status for all interfaces.
Up Time             : 0w 0d 1h 41m 8s (6068 seconds)
Flow Control Type   : None
Max Frame Size      : 1518 bytes (1522 bytes for tagged frames)
MAC Learning Status : Enabled
Console#

show interfaces switchport
This command displays the administrative and operational status of the specified interfaces.

Syntax
show interfaces switchport [interface]

interface
ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number.
Chapter 10 | Interface Commands Transceiver Threshold Configuration Table 71: show interfaces switchport - display description Field Description Broadcast Threshold Shows if broadcast storm suppression is enabled or disabled; if enabled it also shows the threshold level (page 421). Multicast Threshold Shows if multicast storm suppression is enabled or disabled; if enabled it also shows the threshold level (page 421).
Chapter 10 | Interface Commands Transceiver Threshold Configuration transceiver-monitor This command sends a trap when any of the transceiver’s operational values fall outside of specified thresholds. Use the no form to disable trap messages.
be generated until the sampled value has fallen below the high threshold and reaches the low threshold.
◆ If trap messages are enabled with the transceiver-monitor command, a low-threshold alarm or warning message is sent if the current value is less than or equal to the threshold, and the last sample value was greater than the threshold.
Chapter 10 | Interface Commands Transceiver Threshold Configuration Command Mode Interface Configuration (Ethernet) Command Usage ◆ The threshold value is the power ratio in decibels (dB) of the measured power referenced to one milliwatt (mW). ◆ Refer to the Command Usage section under the transceiver-threshold current command for more information on configuring transceiver thresholds.
Chapter 10 | Interface Commands Transceiver Threshold Configuration Command Usage ◆ Refer to the Command Usage section under the transceiver-threshold current command for more information on configuring transceiver thresholds. ◆ Trap messages enabled by the transceiver-monitor command are sent to any management station configured by the snmp-server host command. Example The following example sets alarm thresholds for the transceiver temperature at port 1.
Chapter 10 | Interface Commands Transceiver Threshold Configuration ◆ Trap messages enabled by the transceiver-monitor command are sent to any management station configured by the snmp-server host command. Example The following example sets alarm thresholds for the signal power transmitted at port 1.
Chapter 10 | Interface Commands Transceiver Threshold Configuration Example The following example sets alarm thresholds for the transceiver voltage at port 1.
Chapter 10 | Interface Commands Transceiver Threshold Configuration Example Console#show interfaces transceiver ethernet 1/25 Information of Eth 1/7 Connector Type : LC Fiber Type : Multimode 50um (M5), Multimode 62.5um (M6) Eth Compliance Codes : 1000BASE-SX Baud Rate : 2100 MBd Vendor OUI : 00-90-65 Vendor Name : FINISAR CORP. Vendor PN : FTLF8519P2BNL Vendor Rev : A Vendor SN : PFS4U5F Date Code : 09-07-02 DDM Info Temperature : 11.54 degree C Vcc : 3.25 V Bias Current : 7.21 mA RX Power : -31.
show interfaces transceiver-threshold
This command displays the alarm/warning thresholds for temperature, voltage, bias current, transmit power, and receive power.

Syntax
show interfaces transceiver-threshold [interface]

interface
ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number. (Range: 1-32/54)

Default Setting
Shows all SFP interfaces.
Chapter 10 | Interface Commands Cable Diagnostics Cable Diagnostics test loop internal This command performs an internal loop back test on the specified port. Syntax test loop internal interface interface interface ethernet unit/port unit - Unit identifier. (Range: 1) port - Port number. (Range: 1-32/54) Command Mode Privileged Exec Command Usage ◆ Loopback testing can only be performed on a port that is not linked up.
Example

Console#show loop internal interface ethernet 1/1
Port     Test Result    Last Update
-------- -------------- --------------------
Eth 1/1  Succeeded      2013-04-15 15:26:56
Console#
11 Link Aggregation Commands Ports can be statically grouped into an aggregate link (i.e., trunk) to increase the bandwidth of a network connection or to ensure fault recovery. Or you can use the Link Aggregation Control Protocol (LACP) to automatically negotiate a trunk link between this switch and another network device. For static trunks, the switches have to comply with the Cisco EtherChannel standard. For dynamic trunks, the switches have to comply with LACP.
Chapter 11 | Link Aggregation Commands Table 72: Link Aggregation Commands (Continued) Command Function Mode show mlag Shows MLAG configuration settings PE show mlag domain Shows MLAG domain settings PE Guidelines for Creating Trunks General Guidelines – ◆ Finish configuring trunks before you connect the corresponding network cables between switches to avoid creating a loop. ◆ A trunk on the AS6700-32X can have up to 32 ports, and up to 54 ports on the AS5700-54X.
Manual Configuration Commands

port channel load-balance
This command sets the load-distribution method among ports in aggregated links (for both static and dynamic trunks). Use the no form to restore the default setting.

Syntax
port channel load-balance {dst-ip | dst-mac | src-dst-ip | src-dst-mac | src-ip | src-mac}
no port channel load-balance

dst-ip - Load balancing based on destination IP address.
router trunk links where traffic through the switch is received from and destined for many different hosts.
■ src-dst-mac: All traffic with the same source and destination MAC address is output on the same link in a trunk. This mode works best for switch-to-switch trunk links where traffic through the switch is received from and destined for many different hosts.
Example
The following example creates trunk 1 and then adds port 10-12:

Console(config)#interface port-channel 1
Console(config-if)#exit
Console(config)#interface ethernet 1/10-12
Console(config-if)#channel-group 1
Console(config-if)#

Dynamic Configuration Commands

lacp
This command enables 802.3ad Link Aggregation Control Protocol (LACP) for the current interface. Use the no form to disable it.
Example
The following shows LACP enabled on ports 1-3. Because LACP has also been enabled on the ports at the other end of the links, the show interfaces status port-channel 1 command shows that Trunk1 has been established.
Default Setting
Actor: 1, Partner: 0

Command Mode
Interface Configuration (Ethernet)

Command Usage
◆ Ports are only allowed to join the same LAG if (1) the LACP system priority matches, (2) the LACP port admin key matches, and (3) the LACP port channel key matches (if configured).
◆ If the port channel admin key (lacp admin key - Port Channel) is not set when a channel group is formed (i.e.
Command Mode
Interface Configuration (Ethernet)

Command Usage
◆ Setting a lower value indicates a higher effective priority.
◆ If an active port link goes down, the backup port with the highest priority is selected to replace the downed link. However, if two or more ports have the same LACP port priority, the port with the lowest physical port number will be selected as the backup port.
◆ System priority is combined with the switch’s MAC address to form the LAG identifier. This identifier is used to indicate a specific LAG during LACP negotiations with other systems.
◆ Once the remote side of a link has been established, LACP operational settings are already in use on that side.
Example
Console(config)#interface port-channel 1
Console(config-if)#lacp admin-key 3
Console(config-if)#

lacp timeout
This command configures the timeout to wait for the next LACP data unit (LACPDU). Use the no form to restore the default setting.

Syntax
lacp timeout {long | short}
no lacp timeout

long - Specifies a slow timeout of 90 seconds.
short - Specifies a fast timeout of 3 seconds.
Trunk Status Display Commands

show lacp
This command displays LACP information.

Syntax
show lacp [port-channel] {counters | internal | neighbors | sys-id}

port-channel - Local identifier for a link aggregation group. (Range: 1-16/27)
counters - Statistics for LACP protocol messages.
internal - Configuration settings and operational state for local side.
neighbors - Configuration settings and operational state for remote side.
Table 73: show lacp counters - display description (Continued)
Field                   Description
Marker Received         Number of valid Marker PDUs received by this channel group.
MarkerResponsePDU Sent  Number of valid Marker Response PDUs transmitted from this channel group.
MarkerResponsePD        Number of valid Marker Response PDUs received at this channel group.
Table 74: show lacp internal - display description (Continued)
Field                    Description
Admin State, Oper State  Administrative or operational values of the actor’s state parameters:
                         ◆ Expired – The actor’s receive machine is in the expired state;
                         ◆ Defaulted – The actor’s receive machine is using defaulted operational partner information, administratively configured for the partner.
Table 75: show lacp neighbors - display description
Field                    Description
Port Channel             Local identifier for a link aggregation group.
Member Port              The ports active in this link aggregation group.
Partner Admin System ID  LAG partner’s system ID assigned by the user.
Partner Oper System ID   LAG partner’s system ID assigned by the LACP protocol.
show port-channel load-balance
This command shows the load-distribution method used on aggregated links.

Command Mode
Privileged Exec

Example
Console#show port-channel load-balance
Trunk Load Balance Mode: Destination IP address
Console#

MLAG Commands

Operational Concept
A multi-chassis link aggregation group (MLAG) is a pair of links that terminate on two cooperating switches and appear as an ordinary link aggregation group (LAG).
◆ The MLAG ID, associated MLAG domain ID and MLAG member must be configured using the mlag group member command. The associated MLAG domain may be nonexistent, which causes MLAG to be inactive locally.
◆ For a port to be configured as MLAG peer link or member:
  ■ STP status of the port must be disabled.
  ■ LACP status of the port must be disabled.
  ■ The port must not be any type of traffic segmentation port.
mlag peer-link
This command configures the MLAG domain peer link. Use the no form to remove the MLAG domain.

Syntax
mlag domain domain-id peer-link interface
no mlag domain domain-id

domain-id – Domain identifier. (Range: 1-16 characters)
interface
  ethernet unit/port
    unit - Unit identifier. (Range: 1)
    port - Port number.
interface
  ethernet unit/port
    unit - Unit identifier. (Range: 1)
    port - Port number. (Range: 1-32/54)
  port-channel channel-id (Range: 1-16/27)

Command Mode
Global Configuration

Command Usage
◆ An MLAG domain can have two and only two MLAG devices. (See Figure 1.)
◆ An MLAG domain may have many MLAGs.
◆ An MLAG can belong to one and only one MLAG domain.
◆ The associated MLAG domain may be nonexistent, which causes the MLAG to be inactive locally.
  ■ When an MLAG member is operationally down, all updates for learned MAC addresses on the MLAG peer member will be synced through the peer link automatically.

Figure 2: MLAG Peer Operation

◆ When the MLAG peer member is down or nonexistent, learned MAC addresses that are synced through the peer link for the MLAG will be removed automatically.
Example
Console#show mlag domain 1
Peer Link : Eth 1/1
MLAG List : 10,20,33-35
Console#
12 Port Mirroring Commands

Data can be mirrored from a local port on the same switch for analysis at the target port using software monitoring tools or a hardware probe. This switch supports the following mirroring modes.
Chapter 12 | Port Mirroring Commands Local Port Mirroring Commands

Default Setting
◆ No mirror session is defined.
◆ When enabled for an interface, default mirroring is for both received and transmitted packets.
◆ When enabled for a VLAN or a MAC address, mirroring is restricted to received packets.

Command Mode
Interface Configuration (Ethernet, destination port)

Command Usage
You can mirror traffic from any source port to a destination port for real-time analysis.
Chapter 12 | Port Mirroring Commands RSPAN Mirroring Commands

port - Port number. (Range: 1-32/54)

Default Setting
Shows all sessions.

Command Mode
Privileged Exec

Command Usage
This command displays the currently configured source port, destination port, and mirror mode (i.e., RX, TX, RX/TX).
Configuration Guidelines
Take the following steps to configure an RSPAN session:
1. Use the vlan rspan command to configure a VLAN to use for RSPAN. (Default VLAN 1 and switch cluster VLAN 4093 are prohibited.)
2. Use the rspan source command to specify the interfaces and the traffic type (RX, TX or both) to be monitored.
3. Use the rspan destination command to specify the destination port for the traffic mirrored by an RSPAN session.
4.
◆ Port Security – If port security is enabled on any port, that port cannot be set as an RSPAN uplink port, even though it can still be configured as an RSPAN source or destination port. Also, when a port is configured as an RSPAN uplink port, port security cannot be enabled on that port.

rspan source
Use this command to specify the source port and traffic type to be mirrored remotely.
Example
The following example configures the switch to mirror received packets from port 2 and 3:

Console(config)#rspan session 1 source interface ethernet 1/2 rx
Console(config)#rspan session 1 source interface ethernet 1/3 rx
Console(config)#

rspan destination
Use this command to specify the destination port to monitor the mirrored traffic. Use the no form to disable RSPAN on the specified port.
Example
The following example configures port 4 to receive mirrored RSPAN traffic:

Console(config)#rspan session 1 destination interface ethernet 1/4
Console(config)#

rspan remote vlan
Use this command to specify the RSPAN VLAN, switch role (source, intermediate or destination), and the uplink ports. Use the no form to disable the RSPAN on the specified VLAN.
◆ Only destination and uplink ports will be assigned by the switch as members of this VLAN. Ports cannot be manually assigned to an RSPAN VLAN with the switchport allowed vlan command. Nor can GVRP dynamically add port members to an RSPAN VLAN. Also, note that the show vlan command will not display any members for an RSPAN VLAN, but will only show configured RSPAN VLAN identifiers.
Command Mode
Privileged Exec

Example
Console#show rspan session
RSPAN Session ID                : 1
Source Ports (mirrored ports)   : None
RX Only                         : None
TX Only                         : None
BOTH                            : None
Destination Port (monitor port) : Eth 1/2
Destination Tagged Mode         : Untagged
Switch Role                     : Destination
RSPAN VLAN                      : 2
RSPAN Uplink Ports              : Eth 1/3
Operation Status                : Up
Console#
13 Congestion Control Commands

The switch can set the maximum upload or download data transfer rate for any port. It can control traffic storms by setting a maximum threshold for broadcast traffic or multicast traffic. It can also set bounding thresholds for broadcast and multicast storms which can be used to automatically trigger rate limits or to shut down a port.

Table 80: Congestion Control Commands
Command Group  Function
Rate Limiting  Sets the input and output rate limits for a port.
Chapter 13 | Congestion Control Commands Rate Limit Commands

rate-limit
This command defines the rate limit for a specific interface. Use this command without specifying a rate to enable rate limiting. Use the no form to disable rate limiting.

Syntax
rate-limit {input | output} [rate]
no rate-limit {input | output}

input – Input rate for specified interface
output – Output rate for specified interface
rate – Maximum value in Kbps.
Storm Control Commands

Storm control commands can be used to configure broadcast, multicast, and unknown unicast storm control thresholds. Traffic storms may occur when a device on your network is malfunctioning, or if application programs are not well designed or properly configured. If there is too much traffic on your network, performance can be severely degraded or everything can come to a complete halt.
◆ Using both rate limiting and storm control on the same interface may lead to unexpected results. It is therefore not advisable to use both of these commands on the same interface.
14 Loopback Detection Commands

The switch can be configured to detect general loopback conditions caused by hardware problems or faulty protocol settings. When enabled, a control frame is transmitted on the participating ports, and the switch monitors inbound traffic to see if the frame is looped back.
loopback-detection
This command enables loopback detection globally on the switch or on a specified interface. Use the no form to disable loopback detection.

Syntax
[no] loopback-detection

Default Setting
Disabled

Command Mode
Global Configuration
Interface Configuration (Ethernet, Port Channel)

Command Usage
Loopback detection must be enabled globally for the switch by this command and enabled for a specific interface for this function to take effect.
Command Usage
◆ When the response to a detected loopback condition is set to block user traffic, loopback detection control frames may be untagged or tagged depending on the port’s VLAN membership type.
◆ When the response to a detected loopback condition is set to block user traffic, ingress filtering for the port is enabled automatically if not already enabled by the switchport ingress-filtering command.
Command Usage
◆ When the loopback detection mode is changed, any ports placed in shutdown state by the loopback detection process will be immediately restored to operation regardless of the remaining recover time.
◆ If the recovery time is set to zero, all ports placed in shutdown state can be restored to operation using the loopback-detection release command. To restore a specific port, use the no shutdown command.
detect - Sends an SNMP trap message when a loopback condition is detected.
none - Does not send an SNMP trap for loopback detection or recovery.
recover - Sends an SNMP trap message when the switch recovers from a loopback condition.

Default Setting
None

Command Mode
Global Configuration

Command Usage
Refer to the loopback-detection recover-time command for information on conditions which constitute loopback recovery.
show loopback-detection
This command shows loopback detection configuration settings for the switch or for a specified interface.

Syntax
show loopback-detection [interface]

interface
  ethernet unit/port
    unit - Unit identifier. (Range: 1-8)
    port - Port number. (Range: 1-52)

Command Mode
Privileged Exec

Command Usage
Although global action may be set to None, this command will still display the configured Detection Port Admin State and Information Oper State.
15 UniDirectional Link Detection Commands

The switch can be configured to detect and disable unidirectional Ethernet fiber or copper links. When enabled, the protocol advertises a port’s identity, learns about its neighbors on a specific LAN segment, and stores information about its neighbors in a cache. It can also send out a train of echo messages under circumstances that require fast notifications or re-synchronization of the cached information.
Command Usage
When a neighbor device is discovered by UDLD, the switch enters “detection state” and remains in this state for the specified detection-interval. After the detection-interval expires, the switch tries to decide whether or not the link is unidirectional based on the information collected during “detection state.
udld recovery
This command configures the switch to automatically recover from UDLD disabled port state after a period specified by the udld recovery-interval command. Use the no form to disable this feature.

Syntax
[no] udld recovery

Default Setting
Disabled

Command Mode
Global Configuration

Command Usage
When automatic recovery state is changed by this command, any ports shut down by UDLD will be reset.
Example
Console(config)#udld recovery-interval 15
Console(config)#

udld aggressive
This command sets UDLD to aggressive mode on an interface. Use the no form to restore the default setting.

Syntax
[no] udld aggressive

Default Setting
Disabled

Command Mode
Interface Configuration (Ethernet Port)

Command Usage
UDLD can function in two modes: normal mode and aggressive mode.
Example
This example enables UDLD aggressive mode on port 1.

Console(config)#interface ethernet 1/1
Console(config-if)#udld aggressive
Console(config-if)#

udld port
This command enables UDLD on a port. Use the no form to disable UDLD on an interface.
show udld
This command shows UDLD configuration settings and operational status for the switch or for a specified interface.

Syntax
show udld [interface interface]

interface
  ethernet unit/port
    unit - Unit identifier. (Range: 1-8)
    port - Port number.
Table 85: show udld - display description (Continued)
Field              Description
Recovery Interval  Shows the period after which to recover from UDLD disabled port state if automatic recovery is enabled
UDLD               Shows if UDLD is enabled or disabled on a port
Mode               Shows if UDLD is functioning in Normal or Aggressive mode
Oper State         Shows the UDLD operational state (Disabled, Link down, Link up, Advertisement, Detection, Disabled port, Advertisement - Single nei
16 Address Table Commands

These commands are used to configure the address table for filtering specified addresses, displaying current entries, clearing the table, or setting the aging time.
mac-address-table static
This command maps a static address to a port in a VLAN, and optionally designates the address as permanent, or to be deleted on reset. Use the no form to remove an address.

Syntax
mac-address-table static mac-address interface interface vlan vlan-id [action]
no mac-address-table static mac-address vlan vlan-id

mac-address - MAC address.
interface
  ethernet unit/port
    unit - Unit identifier. (Range: 1)
    port - Port number.
Example
Console(config)#mac-address-table static 00-e0-29-94-34-de interface ethernet 1/1 vlan 1 delete-on-reset
Console(config)#

clear mac-address-table dynamic
This command removes any learned entries from the forwarding database.

Default Setting
None

Command Mode
Privileged Exec

Example
Console#clear mac-address-table dynamic
Console#

show mac-address-
This command shows classes of entries in the bridge-forwarding database.
Command Usage
◆ The MAC Address Table contains the MAC addresses associated with each interface. Note that the Type field may include the following types:
  ■ Learn - Dynamic address entries
  ■ Config - Static entry
  ■ Security - Port Security
◆ The mask should be hexadecimal numbers (representing an equivalent bit mask) in the form xx-xx-xx-xx-xx-xx that is applied to the specified MAC address.
show mac-address-table count
This command shows the number of MAC addresses used and the number of available MAC addresses for the overall system or for an interface.

Syntax
show mac-address-table count interface interface

interface
  ethernet unit/port
    unit - Unit identifier. (Range: 1)
    port - Port number.
17 Spanning Tree Commands

This section includes commands that configure the Spanning Tree Algorithm (STA) globally for the switch, and commands that configure STA for the selected interface.
Table 87: Spanning Tree Commands (Continued)
Command                            Function                                                  Mode
spanning-tree port-priority        Configures the spanning tree priority of an interface     IC
spanning-tree root-guard           Prevents a designated port from passing superior BPDUs    IC
spanning-tree spanning-disabled    Disables spanning tree for an interface                   IC
spanning-tree tc-prop-stop         Stops propagation of topology change information          IC
spanning-tree protocol-migration   Re-checks the appropriate BPDU format
spanning-tree forward-time
This command configures the spanning tree bridge forward time globally for this switch. Use the no form to restore the default.

Syntax
spanning-tree forward-time seconds
no spanning-tree forward-time

seconds - Time in seconds. (Range: 4 - 30 seconds)
The minimum value is the higher of 4 or [(max-age / 2) + 1].
Command Usage
This command sets the time interval (in seconds) at which the root device transmits a configuration message.

Example
Console(config)#spanning-tree hello-time 5
Console(config)#

Related Commands
spanning-tree forward-time (445)
spanning-tree max-age (446)

spanning-tree max-age
This command configures the spanning tree bridge maximum age globally for this switch. Use the no form to restore the default.
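The forward-time rule given earlier in this chapter (the minimum is the higher of 4 or [(max-age / 2) + 1]) ties the three bridge timers together. As an added example, not part of the original guide, this Python check applies that rule and the matching IEEE 802.1D hello-time relationship to the timer lines of a configuration. The hello-time and max-age ranges, the three defaults and the rounding of max-age / 2 are IEEE 802.1D-1998 values assumed here; the sample configuration is constructed.

```python
import re

# forward-time range 4-30 is from this guide. The hello-time and max-age
# ranges and all three defaults are IEEE 802.1D-1998 values (assumptions).
RANGES = {"hello-time": (1, 10), "max-age": (6, 40), "forward-time": (4, 30)}
DEFAULTS = {"hello-time": 2, "max-age": 20, "forward-time": 15}

# Accepts bare config lines and lines copied with the Console(config)# prompt.
TIMER_LINE = re.compile(
    r"^\s*(?:Console\(config\)#)?\s*(no\s+)?spanning-tree\s+"
    r"(hello-time|max-age|forward-time)(?:\s+(\d+))?\s*$"
)

# Constructed sample configuration (not taken from a real switch).
SAMPLE_CONFIG = """\
spanning-tree mode rstp
spanning-tree hello-time 5
spanning-tree max-age 10
spanning-tree forward-time 5
"""


def parse_timers(config_text):
    """Return the effective timers after applying every timer line in order."""
    timers = dict(DEFAULTS)
    for line in config_text.splitlines():
        match = TIMER_LINE.match(line)
        if not match:
            continue                      # not a timer command
        negated, name, value = match.groups()
        if negated:
            timers[name] = DEFAULTS[name]  # the no form restores the default
        elif value is not None:
            timers[name] = int(value)
    return timers


def min_forward_time(max_age):
    """Guide's rule: the higher of 4 or (max-age / 2) + 1.

    max-age / 2 is rounded up so the result also satisfies the 802.1D form
    2 * (forward-time - 1) >= max-age for odd values (an assumption).
    """
    return max(4, -(-max_age // 2) + 1)


def check_timers(timers):
    """Return a list of violations; an empty list means the timers agree."""
    problems = []
    for name, (low, high) in RANGES.items():
        if not low <= timers[name] <= high:
            problems.append(f"{name} {timers[name]} is outside {low}-{high}")
    needed = min_forward_time(timers["max-age"])
    if timers["forward-time"] < needed:
        problems.append(
            f"forward-time {timers['forward-time']} is below the minimum "
            f"{needed} required by max-age {timers['max-age']}"
        )
    # 802.1D also requires max-age >= 2 * (hello-time + 1).
    floor = 2 * (timers["hello-time"] + 1)
    if timers["max-age"] < floor:
        problems.append(
            f"max-age {timers['max-age']} is below {floor}, the minimum "
            f"for hello-time {timers['hello-time']}"
        )
    return problems


if __name__ == "__main__":
    for problem in check_timers(parse_timers(SAMPLE_CONFIG)):
        print("FAIL:", problem)
```

Run against a saved configuration before a change window; timers that violate these relationships are rejected by the switch or leave the topology slow to converge.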
spanning-tree mode
This command selects the spanning tree mode for this switch. Use the no form to restore the default.

Syntax
spanning-tree mode {stp | rstp | mstp}
no spanning-tree mode

stp - Spanning Tree Protocol (IEEE 802.1D)
rstp - Rapid Spanning Tree Protocol (IEEE 802.1w)
mstp - Multiple Spanning Tree (IEEE 802.
  ■ Be careful when switching between spanning tree modes. Changing modes stops all spanning-tree instances for the previous mode and restarts the system in the new mode, temporarily disrupting user traffic.
spanning-tree priority
This command configures the spanning tree priority globally for this switch. Use the no form to restore the default.

Syntax
spanning-tree priority priority
no spanning-tree priority

priority - Priority of the bridge.
Related Commands
mst vlan (452)
mst priority (451)
name (453)
revision (454)
max-hops (451)

spanning-tree system-bpdu-flooding
This command configures the system to flood BPDUs to all other ports on the switch or just to all other ports in the same VLAN when spanning tree is disabled globally on the switch or disabled on a specific port. Use the no form to restore the default.
Command Usage
This command limits the maximum transmission rate for BPDUs.

Example
Console(config)#spanning-tree transmission-limit 4
Console(config)#

max-hops
This command configures the maximum number of hops in the region before a BPDU is discarded. Use the no form to restore the default.

Syntax
max-hops hop-number

hop-number - Maximum hop number for multiple spanning tree.
priority - Priority of a spanning tree instance. (Range: 0-61440 in steps of 4096; Options: 0, 4096, 8192, 12288, 16384, 20480, 24576, 28672, 32768, 36864, 40960, 45056, 49152, 53248, 57344, 61440)

Default Setting
32768

Command Mode
MST Configuration

Command Usage
◆ MST priority is used in selecting the root bridge and alternate bridge of the specified instance. The device with the highest priority (i.e., lowest numerical value) becomes the MSTI root device.
wide-scale disruption when a bridge node in a single instance fails, and allowing for faster convergence of a new topology for the failed instance.
◆ By default all VLANs are assigned to the Internal Spanning Tree (MSTI 0) that connects all bridges and LANs within the MST region. This switch supports up to 33 instances. You should try to group VLANs which cover the same general area of your network.
revision
This command configures the revision number for this multiple spanning tree configuration of this switch. Use the no form to restore the default.

Syntax
revision number

number - Revision number of the spanning tree. (Range: 0-65535)

Default Setting
0

Command Mode
MST Configuration

Command Usage
The MST region name (page 453) and revision number are used to designate a unique MST region. A bridge (i.e.
bridging device is mistakenly configured as an edge port, and BPDU filtering is enabled on this port, this might cause a loop in the spanning tree.
◆ BPDU filter can only be configured on an interface if the edge port attribute is not disabled (that is, if edge port is set to enabled or auto with the spanning-tree edge-port command).
◆ BPDU guard can only be configured on an interface if the edge port attribute is not disabled (that is, if edge port is set to enabled or auto with the spanning-tree edge-port command).
Table 89: Default STA Path Costs
Port Type         Short Path Cost (IEEE 802.1D-1998)  Long Path Cost (802.1D-2004)
Ethernet          65,535                              1,000,000
Fast Ethernet     65,535                              100,000
Gigabit Ethernet  10,000                              10,000
10G Ethernet      1,000                               1,000
40G Ethernet      65535 (1)                           2,000,000 (2)
(1) Undefined in standard, but recommended setting is 250.
(2) Code does not support 40G path cost, and therefore defaults to 10M half duplex cost.
Command Mode
Interface Configuration (Ethernet, Port Channel)

Command Usage
◆ You can enable this option if an interface is attached to a LAN segment that is at the end of a bridged LAN or to an end node. Since end nodes cannot cause forwarding loops, they can pass directly through to the spanning tree forwarding state.
◆ When automatic detection is selected, the switch derives the link type from the duplex mode. A full-duplex interface is considered a point-to-point link, while a half-duplex interface is assumed to be on a shared link.
◆ RSTP only works on point-to-point links between two bridges. If you designate a port as a shared link, RSTP is forbidden. Since MSTP is an extension of RSTP, this same restriction applies.
◆ Path cost takes precedence over interface priority.

Example
Console(config)#interface Ethernet 1/5
Console(config-if)#spanning-tree mst 1 cost 50
Console(config-if)#

Related Commands
spanning-tree mst port-priority (460)

spanning-tree mst port-priority
This command configures the interface priority on a spanning instance in the Multiple Spanning Tree. Use the no form to restore the default.
spanning-tree port-priority
This command configures the priority for the specified interface. Use the no form to restore the default.

Syntax
spanning-tree port-priority priority
no spanning-tree port-priority

priority - The priority for a port. (Range: 0-240, in steps of 16)

Default Setting
128

Command Mode
Interface Configuration (Ethernet, Port Channel)

Command Usage
◆ This command defines the priority for the use of a port in the Spanning Tree Algorithm.
Command Mode
Interface Configuration (Ethernet, Port Channel)

Command Usage
◆ A bridge with a lower bridge identifier (or same identifier and lower MAC address) can take over as the root bridge at any time.
◆ When Root Guard is enabled, and the switch receives a superior BPDU on this port, it is set to the Discarding state until it stops receiving superior BPDUs for a fixed recovery period. While in the discarding state, no traffic is forwarded across the port.
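The Root Guard behaviour described above can be traced with a small model. This Python sketch is an added example, not the switch's own code: it compares bridge identifiers the way the text describes (lower priority value first, then lower MAC address) and replays a constructed timeline with and without Root Guard. The MAC addresses, the timeline and the 10-second recovery period are assumptions, since the guide only says the period is fixed.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

BridgeId = Tuple[int, bytes]


def bridge_id(priority: int, mac: str) -> BridgeId:
    """Build a comparable bridge identifier; the lower tuple is superior."""
    if not 0 <= priority <= 61440 or priority % 4096:
        raise ValueError("priority must be 0-61440 in steps of 4096")
    octets = mac.split("-")
    if len(octets) != 6:
        raise ValueError(f"bad MAC address: {mac!r}")
    return (priority, bytes(int(octet, 16) for octet in octets))


@dataclass
class Port:
    root: BridgeId                  # root bridge this switch currently accepts
    root_guard: bool
    recovery_period: float          # seconds; placeholder value, see lead-in
    state: str = "Forwarding"
    last_superior: Optional[float] = None

    def _recover_if_quiet(self, now: float) -> None:
        # Leave Discarding once no superior BPDU has arrived for the period.
        if (self.state == "Discarding" and self.last_superior is not None
                and now - self.last_superior >= self.recovery_period):
            self.state = "Forwarding"

    def receive_bpdu(self, now: float, advertised_root: BridgeId) -> str:
        self._recover_if_quiet(now)
        if advertised_root < self.root:        # superior BPDU
            if self.root_guard:
                self.state = "Discarding"      # block the port, keep the root
                self.last_superior = now
            else:
                self.root = advertised_root    # the sender takes over as root
        return self.state

    def tick(self, now: float) -> str:
        """Advance the clock without receiving a BPDU."""
        self._recover_if_quiet(now)
        return self.state


# Constructed identifiers (locally administered MAC addresses).
EXPECTED_ROOT = bridge_id(4096, "02-00-00-00-00-10")
UNEXPECTED_ROOT = bridge_id(0, "02-00-00-00-00-99")

# Constructed timeline: (time in seconds, advertised root or None for a tick).
TIMELINE = [(0, EXPECTED_ROOT), (2, UNEXPECTED_ROOT), (4, UNEXPECTED_ROOT),
            (10, None), (14, None)]


def replay(root_guard: bool, recovery_period: float = 10.0):
    """Return the port state after each event and the root accepted at the end."""
    port = Port(EXPECTED_ROOT, root_guard, recovery_period)
    states = []
    for now, advertised in TIMELINE:
        if advertised is None:
            states.append(port.tick(now))
        else:
            states.append(port.receive_bpdu(now, advertised))
    return states, port.root


if __name__ == "__main__":
    for guard in (True, False):
        states, root = replay(guard)
        print("root guard" if guard else "no root guard", states,
              "root kept" if root == EXPECTED_ROOT else "root changed")
```

With Root Guard the port stays in Discarding until 10 seconds after the last superior BPDU and the accepted root never changes; without it the port keeps forwarding and the root is replaced at the first superior BPDU.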
Example
This example disables the spanning tree algorithm for port 5.

Console(config)#interface ethernet 1/5
Console(config-if)#spanning-tree spanning-disabled
Console(config-if)#

spanning-tree tc-prop-stop
This command stops the propagation of topology change notifications (TCN). Use the no form to allow propagation of TCN messages.
Command Mode
Privileged Exec

Command Usage
If at any time the switch detects STP BPDUs, including Configuration or Topology Change Notification BPDUs, it will automatically set the selected interface to forced STP-compatible mode. However, you can also use the spanning-tree protocol-migration command at any time to manually re-check the appropriate BPDU format to send on the selected interfaces (i.e., RSTP or STP-compatible).
◆ Use the show spanning-tree mst command to display the spanning tree configuration for all instances within the Multiple Spanning Tree (MST), including global settings and settings for active interfaces.
◆ Use the show spanning-tree mst instance-id command to display the spanning tree configuration for an instance within the Multiple Spanning Tree (MST), including global settings and settings for all interfaces.
show spanning-tree
This command shows the configuration of the multiple spanning tree.
18 VLAN Commands

A VLAN is a group of ports that can be located anywhere in the network, but communicate as though they belong to the same physical segment. This section describes commands used to create VLAN groups, add port members, specify how VLAN tagging is used, and enable automatic VLAN registration for the selected interface.
GVRP and Bridge Extension Commands

GARP VLAN Registration Protocol defines a way for switches to exchange VLAN information in order to automatically register VLAN members on interfaces across the network. This section describes how to enable GVRP for individual interfaces and globally for the switch, as well as how to display default configuration settings for the Bridge Extension MIB.
garp timer
This command sets the values for the join, leave and leaveall timers. Use the no form to restore the timers’ default values.

Syntax
garp timer {join | leave | leaveall} timer-value
no garp timer {join | leave | leaveall}

{join | leave | leaveall} - Timer to set.
timer-value - Value of timer.
switchport gvrp
This command enables GVRP for a port. Use the no form to disable it.

Syntax
[no] switchport gvrp

Default Setting
Disabled

Command Mode
Interface Configuration (Ethernet, Port Channel)

Example
Console(config)#interface ethernet 1/1
Console(config-if)#switchport gvrp
Console(config-if)#

show garp timer
This command shows the GARP timers for the selected interface.
show gvrp configuration
This command shows if GVRP is enabled.

Syntax
show gvrp configuration [interface]

interface
  ethernet unit/port
    unit - Unit identifier. (Range: 1)
    port - Port number. (Range: 1-32/54)
  port-channel channel-id (Range: 1-16/27)

Default Setting
Shows both global and interface-specific configuration.
Editing VLAN Groups

Table 92: Commands for Editing VLAN Groups
Command        Function                                                     Mode
vlan database  Enters VLAN database mode to add, change, and delete VLANs   GC
vlan           Configures a VLAN, including VID, name and state             VC

vlan database
This command enters VLAN database mode. All commands in this mode will take effect immediately.
vlan
This command configures a VLAN. Use the no form to restore the default settings or delete a VLAN.

Syntax
vlan vlan-id [name vlan-name] media ethernet [state {active | suspend}]
no vlan vlan-id [name | state]

vlan-id - VLAN ID, specified as a single number, a range of consecutive numbers separated by a hyphen, or multiple numbers separated by commas. (Range: 1-4094)
name - Keyword to be followed by the VLAN name.
Related Commands
show vlan (482)

Configuring VLAN Interfaces

Table 93: Commands for Configuring VLAN Interfaces
Command                            Function                                                    Mode
interface vlan                     Enters interface configuration mode for a specified VLAN    IC
switchport acceptable-frame-types  Configures frame types to be accepted by an interface       IC
switchport allowed vlan            Configures the VLANs associated with an interface           IC
switchport forbidden vlan          Configures forbidden VLANs for an interf
Example
The following example shows how to set the interface configuration mode to VLAN 1, and then assign an IP address to the VLAN:
Console(config)#interface vlan 1
Console(config-if)#ip address 192.168.1.254 255.255.255.0
Console(config-if)#

Related Commands
shutdown (364)
interface (360)
vlan (473)

switchport acceptable-frame-types
This command configures the acceptable frame types for a port. Use the no form to restore the default.
switchport allowed vlan
This command configures VLAN groups on the selected interface. Use the no form to restore the default.
Syntax
switchport allowed vlan {vlan-list | add vlan-list [tagged | untagged] | remove vlan-list}
no switchport allowed vlan
vlan-list - If a VLAN list is entered without using the add option, the interface is assigned to the specified VLANs, and membership in all previous VLANs is removed.
◆ If a VLAN on the forbidden list for an interface is manually added to that interface, the VLAN is automatically removed from the forbidden list for that interface.
Example
The following example shows how to prevent port 1 from being added to VLAN 3:
Console(config)#interface ethernet 1/1
Console(config-if)#switchport forbidden vlan add 3
Console(config-if)#

switchport ingress-filtering
This command enables ingress filtering for an interface. Use the no form to restore the default.
switchport mode
This command configures the VLAN membership mode for a port. Use the no form to restore the default.
Syntax
switchport mode {access | hybrid | trunk}
no switchport mode
access - Specifies an access VLAN interface. The port transmits and receives untagged frames on a single VLAN only.
hybrid - Specifies a hybrid VLAN interface. The port may transmit tagged or untagged frames.
trunk - Specifies a port as an end-point for a VLAN trunk.
switchport native vlan
This command configures the PVID (i.e., default VLAN ID) for a port. Use the no form to restore the default.
Syntax
switchport native vlan vlan-id
no switchport native vlan
vlan-id - Default VLAN ID for a port.
The following figure shows VLANs 1 and 2 configured on switches A and B, with VLAN trunking being used to pass traffic for these VLAN groups across switches C, D and E.
Figure 3: Configuring VLAN Trunking
Without VLAN trunking, you would have to configure VLANs 1 and 2 on all intermediate switches – C, D and E; otherwise these switches would drop any frames with unknown VLAN group tags.
Displaying VLAN Information
This section describes commands used to display VLAN information.

Table 94: Commands for Displaying VLAN Information
Command                       Function                                                             Mode
show interfaces status vlan   Displays status for the specified VLAN interface                    NE, PE
show interfaces switchport    Displays the administrative and operational status of an interface  NE, PE
show vlan                     Shows VLAN information                                               NE, PE

show vlan
This command shows VLAN information.
Configuring IEEE 802.1Q Tunneling
IEEE 802.1Q tunneling (QinQ tunneling) uses a single Service Provider VLAN (SPVLAN) for customers who have multiple VLANs. Customer VLAN IDs are preserved and traffic from different customers is segregated within the service provider’s network even when they use the same customer-specific VLAN IDs.
6. Configure the SPVLAN ID as the native VID on the QinQ tunnel access port (switchport native vlan).
7. Configure the QinQ tunnel uplink port to dot1Q-tunnel uplink mode (switchport dot1q-tunnel mode).
8. Configure the QinQ tunnel uplink port to join the SPVLAN as a tagged member (switchport allowed vlan).

Limitations for QinQ
◆ The native VLAN for the tunnel uplink ports and tunnel access ports cannot be the same.
dot1q-tunnel tpid
This command sets the Tag Protocol Identifier (TPID) value of a tunnel port. Use the no form to restore the default setting.
Syntax
dot1q-tunnel tpid tpid
no dot1q-tunnel tpid
tpid – Sets the ethertype value for 802.1Q encapsulation. This identifier is used to select a nonstandard 2-byte ethertype to identify 802.1Q tagged frames. The standard ethertype value is 0x8100.
switchport dot1q-tunnel mode
This command configures an interface as a QinQ tunnel port. Use the no form to disable QinQ on the interface.
Syntax
switchport dot1q-tunnel mode {access | uplink}
no switchport dot1q-tunnel mode
access – Sets the port as an 802.1Q tunnel access port.
uplink – Sets the port as an 802.1Q tunnel uplink port.
Default Setting
Disabled
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
When priority bits are found in the inner tag, these are also copied to the outer tag. This allows the service provider to differentiate service based on the indicated priority and appropriate methods of queue management at intermediate nodes across the tunnel.
switchport dot1q-tunnel service match cvid
This command creates a CVLAN to SPVLAN mapping entry. Use the no form to delete a VLAN mapping entry.
Syntax
switchport dot1q-tunnel service svid match cvid cvid [remove-ctag]
no switchport dot1q-tunnel service [svid [match cvid cvid]]
svid - VLAN ID for the outer VLAN tag (Service Provider VID). (Range: 1-4094)
cvid - VLAN ID for the inner VLAN tag (Customer VID).
Example
This example sets the SVID to 99 in the outer tag for egress packets exiting port 1 when the packet’s CVID is 2.
Console(config)#interface ethernet 1/1
Console(config-if)#switchport dot1q-tunnel service 99 match cvid 2
Console(config-if)#

The following example maps C-VLAN 10 to S-VLAN 100, C-VLAN 20 to S-VLAN 200 and C-VLAN 30 to S-VLAN 300 for ingress traffic on port 1 of Switches A and B.
6. Configure port 1 as a member of VLANs 10, 20 and 30 to avoid filtering out incoming frames tagged with VID 10, 20 or 30 on port 1.
Console(config)#interface ethernet 1/1
Console(config-if)#switchport allowed vlan add 10,20,30
7. Verify configuration settings.
Console#show dot1q-tunnel service
802.
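The CVID-to-SVID mapping and tunnel TPID described above can be checked on captured uplink frames. The following is an added example, not code from this guide or from the switch software: it models the access port pushing the outer tag (copying the inner priority bits, as the guide describes) and audits a frame's tag stack against the guide's 10/20/30 to 100/200/300 mapping. The MAC addresses, the TPID value 0x88A8, the function names and the choice to drop unmapped CVIDs are assumptions of the example.

```python
import struct

TPID_8021Q = 0x8100                        # standard 802.1Q ethertype named in the guide
SERVICE_MAP = {10: 100, 20: 200, 30: 300}  # CVID -> SVID, from the guide's mapping example
SAMPLE_TUNNEL_TPID = 0x88A8                # constructed sample value for "dot1q-tunnel tpid"


def vlan_tag(tpid, vid, pcp=0):
    """Encode one 4-byte VLAN tag: TPID, then PCP(3) | DEI(1) | VID(12)."""
    if not 1 <= vid <= 4094:
        raise ValueError("VLAN ID out of range 1-4094")
    if not 0 <= pcp <= 7:
        raise ValueError("priority out of range 0-7")
    return struct.pack("!HH", tpid, (pcp << 13) | vid)


def parse_tags(frame, tpids):
    """Walk the tag stack that follows the two MAC addresses.

    Returns ([(tpid, pcp, vid), ...], ethertype of the payload).
    Only ethertypes listed in `tpids` are treated as VLAN tags.
    """
    tags, offset = [], 12
    while True:
        if len(frame) < offset + 2:
            raise ValueError("frame truncated inside the Ethernet header")
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        if ethertype not in tpids:
            return tags, ethertype
        if len(frame) < offset + 4:
            raise ValueError("frame truncated inside a VLAN tag")
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        tags.append((ethertype, tci >> 13, tci & 0x0FFF))
        offset += 4


def push_service_tag(frame, tunnel_tpid):
    """Model of the tunnel access port: add the outer tag for a mapped CVID."""
    tags, _ = parse_tags(frame, {TPID_8021Q})
    if not tags:
        return None                      # untagged frame: no cvid to match
    _, pcp, cvid = tags[0]
    svid = SERVICE_MAP.get(cvid)
    if svid is None:
        return None                      # assumption: unmapped CVIDs are dropped here
    # Priority bits found in the inner tag are copied to the outer tag.
    return frame[:12] + vlan_tag(tunnel_tpid, svid, pcp) + frame[12:]


def audit_uplink_frame(frame, tunnel_tpid):
    """Check that an uplink frame carries the outer/inner pair the mapping allows."""
    tags, _ = parse_tags(frame, {tunnel_tpid, TPID_8021Q})
    if len(tags) < 2 or tags[0][0] != tunnel_tpid:
        return "missing-service-tag"
    svid, cvid = tags[0][2], tags[1][2]
    if SERVICE_MAP.get(cvid) != svid:
        return "mapping-violation"
    return "ok"


# Constructed sample frame: CVID 20, priority 5, IPv4 ethertype, dummy payload.
DST = bytes.fromhex("02aabbccdd01")
SRC = bytes.fromhex("02aabbccdd02")
CUSTOMER_FRAME = DST + SRC + vlan_tag(TPID_8021Q, 20, pcp=5) + b"\x08\x00" + b"payload"

if __name__ == "__main__":
    tunneled = push_service_tag(CUSTOMER_FRAME, SAMPLE_TUNNEL_TPID)
    print(parse_tags(tunneled, {SAMPLE_TUNNEL_TPID, TPID_8021Q}))
    print(audit_uplink_frame(tunneled, SAMPLE_TUNNEL_TPID))
    # A parser that only knows 0x8100 sees no tags at all on this frame,
    # which is why the TPID must agree on every device that inspects the tunnel.
    print(parse_tags(tunneled, {TPID_8021Q}))
```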
Example
Console(config)#dot1q-tunnel system-tunnel-control
Console(config)#interface ethernet 1/1
Console(config-if)#switchport dot1q-tunnel mode access
Console(config-if)#interface ethernet 1/2
Console(config-if)#switchport dot1q-tunnel mode uplink
Console(config-if)#end
Console#show dot1q-tunnel
802.
Configuring L2CP Tunneling
This section describes the commands used to configure Layer 2 Protocol Tunneling (L2PT).
Command Usage
◆ Use this command to configure user-defined PDUs. Then use the switchport l2protocol-tunnel command to assign these PDUs to an interface.
◆ Refer to the Command Usage section for the l2protocol-tunnel tunnel-dmac command.
◆ For L2PT to function properly, QinQ must be enabled on the switch using the dot1q-tunnel system-tunnel-control command, and the interface configured to 802.
◆ L2PT encapsulates protocol packets entering ingress ports on the service provider’s edge switch, replacing the destination MAC address with a proprietary MAC address (for example, the spanning tree protocol uses 10-12-CF-00-00-02), a reserved address for other specified protocol types (as defined in IEEE 802.1ad – Provider Bridges), or a user-defined address.
(a) all access ports for which L2PT has been disabled, and (b) all uplink ports.
■ other access ports for which L2PT is enabled after decapsulating the packet and restoring the proper protocol and MAC address information.
■ all uplink ports.
◆ When a Cisco-compatible L2PT packet is received on an access port, and recognized as a Generic Bridge PDU Tunneling (GBPT) protocol packet (i.e.
switchport l2protocol-tunnel
This command enables Layer 2 Protocol Tunneling (L2PT) for the specified protocol. Use the no form to disable L2PT for the specified protocol.
Syntax
switchport l2protocol-tunnel {cdp | custom-pdu index | lldp | pvst+ | spanning-tree | vtp}
cdp - Cisco Discovery Protocol
custom-pdu - User defined PDU
index - Identifies a custom PDU defined with the l2protocol-tunnel custom-pdu command.
show l2protocol-tunnel
This command shows settings for Layer 2 Protocol Tunneling (L2PT).
Command Mode
Privileged Exec
Example
Console#show l2protocol-tunnel
Layer 2 Protocol Tunnel
Tunnel MAC Address : 01-12-CF-00-00-00
Interface Protocol
---------------------------------------------------------
Eth 1/ 1 Spanning Tree
Console#

Configuring VXLAN Tunneling
This section describes the commands used to configure Virtual Extensible LAN (VXLAN) tunneling.
In addition to forwarding the packet to the destination VM, the remote VTEP learns the mapping from inner source MAC to outer source IP address. It stores this mapping in the bridge lookup table so that when the destination VM sends a response packet, there is no need for “unknown destination” flooding of the response packet.
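The learning behaviour described above, together with the per-VNI flood list that the vxlan flood command configures, can be modelled as follows. This is an added example, not code from this guide or from the switch software: the header layout follows RFC 7348, the flood-list addresses are taken from the guide's show vxlan flood sample output, and the MAC addresses, class and function names, and the choice to drop packets for unconfigured VNIs are assumptions of the example.

```python
import struct

VXLAN_I_FLAG = 0x08          # "VNI present" flag bit in the first header byte (RFC 7348)
MAX_VNI = (1 << 24) - 1      # the VNI is a 24-bit segment ID


def encapsulate(vni, inner_frame):
    """Prefix an inner Ethernet frame with the 8-byte VXLAN header."""
    if not 0 <= vni <= MAX_VNI:
        raise ValueError("VNI does not fit in 24 bits")
    # flags(1) | reserved(3) | VNI(3) + reserved(1)
    return struct.pack("!B3xI", VXLAN_I_FLAG, vni << 8) + inner_frame


def decapsulate(udp_payload):
    """Return (vni, inner_frame); reject malformed headers instead of guessing."""
    if len(udp_payload) < 8 + 14:
        raise ValueError("too short for a VXLAN header plus inner Ethernet header")
    flags, word = struct.unpack_from("!B3xI", udp_payload)
    if not flags & VXLAN_I_FLAG:
        raise ValueError("VNI flag not set")
    return word >> 8, udp_payload[8:]


class Vtep:
    """Bridge lookup table of one VTEP: (VNI, inner MAC) -> remote VTEP IP."""

    def __init__(self, flood_lists):
        self.flood = {vni: list(ips) for vni, ips in flood_lists.items()}
        self.fdb = {}

    def receive(self, outer_src_ip, udp_payload):
        """Decapsulate, then learn inner source MAC -> outer source IP."""
        vni, inner = decapsulate(udp_payload)
        if vni not in self.flood:
            return None      # assumption: unconfigured segment, drop without learning
        src_mac = inner[6:12]
        self.fdb[(vni, src_mac)] = outer_src_ip
        return vni

    def next_hops(self, vni, dst_mac):
        """Known destination: one VTEP. Failed lookup: the VNI's flood list."""
        learned = self.fdb.get((vni, dst_mac))
        if learned is not None:
            return [learned]
        return list(self.flood.get(vni, []))


def inner_frame(dst, src):
    """Constructed inner frame: MACs, IPv4 ethertype, dummy payload."""
    return dst + src + b"\x08\x00" + b"data"


# Flood lists as in the guide's "show vxlan flood" sample output (VNI 100 and 101).
SAMPLE_FLOOD = {100: ["3.3.3.3"], 101: ["11.1.1.1", "11.2.2.2"]}
MAC_VM_A = bytes.fromhex("02aabbccdd0a")   # constructed: VM behind remote VTEP 11.2.2.2
MAC_VM_B = bytes.fromhex("02aabbccdd0b")   # constructed: VM attached locally

if __name__ == "__main__":
    vtep = Vtep(SAMPLE_FLOOD)
    print(vtep.next_hops(101, MAC_VM_A))           # lookup fails: flood list
    vtep.receive("11.2.2.2", encapsulate(101, inner_frame(MAC_VM_B, MAC_VM_A)))
    print(vtep.next_hops(101, MAC_VM_A))           # learned: single VTEP
    print(vtep.next_hops(100, MAC_VM_A))           # other VNI: still flooded
```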
Table 97: VxLAN Tunneling Commands (Continued)
Command                   Function                                                                                                Mode
show vxlan udp-dst-port   Shows the VXLAN UDP destination port                                                                    PE
show vxlan vtep           Shows the remote VXLAN tunnel endpoint (VTEP)                                                           PE
show vxlan flood          Shows the remote VXLAN tunnel endpoint (VTEP) used when received packet fails bridge table lookup      PE
show vxlan vlan-vni       Shows the VLAN ID associated with a virtual network identifier (VNI)                                   PE
show debug vxlan          Shows the VXLAN
vxlan flood
This command configures the remote VXLAN tunnel endpoint (VTEP) used when a received packet fails bridge table lookup. Use the no form to restore the default setting.
Syntax
vxlan [vni vni-id] flood { r-vtep ip-address | multicast ipv4-address vlan vid interface }
no vxlan [vni vni-id] flood { r-vtep ip-address | multicast }
vni-id - A 24-bit segment ID used to identify each VXLAN segment, termed the VXLAN Network Identifier.
◆ If a VNI is already configured to flood by multicast, you can still add a remote VTEP. If a VNI is already configured to flood to a remote VTEP, you can still configure it to flood by multicast.
Example
Console(config)#vxlan vni 16777 flood r-vtep 10.1.2.3
Console(config)#end
Console#show vxlan flood
VNI Remote VTEP IP address
-------- ---------------------
100 3.3.3.3
101 11.1.1.1
101 11.2.2.2
102 11.1.1.1
102 224.1.1.
Console#show vxlan vlan-vni
VLAN VNI
---- -------
1 16777
Console#

debug vxlan
This command enables the specified debug flag. Use the no form to disable the specified flag.
Syntax
[no] debug vxlan {database | event | vni | vtep | all}
database - Enables database debugging.
event - Enables event debugging.
vni - Enables VNI debugging.
vtep - Enables VTEP debugging.
all - Enables all VXLAN debugging flags.
Console(config)#vxlan vlan 2 vni 1001
Console(config)#vxlan vlan 2 vni 1002
23:19:2: VXLAN: (1805) VLAN 2 is assigned to VNI 1001
Failed to associate VLAN 2 with VNI 1002.
Console(config)#

This example shows the type of debug information displayed when tracing internal VXLAN information on a VTEP.
Console#debug vxlan vtep
Console#con
Console(config)#vxlan vni 1001 flood r-vtep 192.168.2.13
23:24:34: VXLAN: (2176) set rvtep ip[192.168.2.
Example
Console#show vxlan vtep
VNI      SIP             R-VTEP          Port
-------- --------------- --------------- --------
12345678 101.101.101.101 202.202.202.202 Eth 1/11
3        101.101.202.202 201.201.201.201 Eth 1/22
Console#

show vxlan flood
This command shows the remote VXLAN tunnel endpoint (VTEP) used when a received packet fails bridge table lookup.
Example
Console#show vxlan vlan-vni
VLAN VNI
---- -------
1 10
2 200
3 123
Console#show vxlan vlan-vni 3
VLAN VNI
---- -------
3 123
Console#

show debug vxlan
This command shows the VXLAN debug settings.
19 Class of Service Commands

The commands described in this section allow you to specify which data packets have greater precedence when traffic is buffered in the switch due to congestion. This switch supports CoS with eight priority queues for each port. Data packets in a port’s high-priority queue will be transmitted before those in the lower-priority queues.
Priority Commands (Layer 2)

queue mode
This command sets the scheduling mode used for processing each of the class of service (CoS) priority queues. The options include strict priority, Weighted Round-Robin (WRR), or a combination of strict and weighted queuing. Use the no form to restore the default value.
◆ Service time is shared at the egress ports by defining scheduling weights for WRR, or for the queuing mode that uses a combination of strict and weighted queuing. Service time is allocated to each queue by calculating a precise number of bytes per second that will be serviced on each round.
◆ The specified queue mode applies to all interfaces.
Example
The following example shows how to assign round-robin weights of 1 - 4 to the CoS priority queues 0 - 7.
Console(config)#queue weight 1 2 3 4 5 6 7 8
Console(config)#

Related Commands
queue mode (508)
show queue weight (511)

switchport priority default
This command sets a priority for incoming untagged frames. Use the no form to restore the default value.
Example
The following example shows how to set a default priority on port 3 to 5:
Console(config)#interface ethernet 1/3
Console(config-if)#switchport priority default 5
Console(config-if)#

Related Commands
show interfaces switchport (377)

show queue mode
This command shows the current queue mode.
Command Mode
Privileged Exec
Example
Console#show queue mode
Unit Port queue mode
--------------------
1 1 Weighted Round Robin
. . .
Priority Commands (Layer 3 and 4)
This section describes commands used to configure Layer 3 and 4 traffic priority mapping on the switch.
qos map phb-queue
This command determines the hardware output queues to use based on the internal per-hop behavior value. Use the no form to restore the default settings.
Syntax
qos map phb-queue queue-id from phb0 ... phb7
no map phb-queue phb0 ... phb7
phb - Per-hop behavior, or the priority used for this router hop. (Range: 0-7)
queue-id - The ID of the priority queue.
cfi - Canonical Format Indicator. Set this parameter to “0” to indicate that the MAC address information carried in the frame is in canonical format. (Range: 0-1)
DEFAULT SETTING.
qos map default-drop-precedence
This command maps the internal per-hop behavior (based on packet priority) to a default drop precedence for internal processing of untagged packets. Use the no form to restore the default settings.
Syntax
qos map default-drop-precedence drop-precedence from phb0 ... phb7
no map default-drop-precedence phb0 ... phb7
drop-precedence - Drop precedence used for controlling traffic congestion.
qos map dscp-cos
This command maps internal per-hop behavior and drop precedence value pairs to CoS/CFI values used in tagged egress packets on a Layer 2 interface. Use the no form to restore the default settings.
Syntax
qos map dscp-cos cos-value cfi-value from phb0 drop-precedence0 ... phb7 drop-precedence7
no map ip dscp phb0 drop-precedence0 ... phb7 drop-precedence7
cos-value - CoS value in ingress packets.
Example
Console(config)#interface ethernet 1/5
Console(config-if)#qos map dscp-cos 1 0 from 1 2
Console(config-if)#

qos map dscp-mutation
This command maps DSCP values in incoming packets to per-hop behavior and drop precedence values for priority processing. Use the no form to restore the default settings.
Syntax
qos map dscp-mutation phb drop-precedence from dscp0 ... dscp7
no qos map dscp-mutation dscp0 ...
Command Usage
◆ Enter a value pair for the internal per-hop behavior and drop precedence, followed by the keyword “from” and then up to eight DSCP values separated by spaces.
◆ This map is only used when the QoS mapping mode is set to “DSCP” by the qos map trust-mode command, and the ingress packet type is IPv4.
Command Usage
◆ This mapping table is only used if the protocol type of the arriving packet is TCP or UDP.
Example
Console(config)#interface ethernet 1/5
Console(config-if)#qos map ip-port-dscp tcp 21 to 1 0
Console(config-if)#

qos map ip-prec-dscp
This command maps IP precedence values in incoming packets to per-hop behavior and drop precedence values for priority processing. Use the no form to restore the default settings.
qos map trust-mode
This command sets QoS mapping to DSCP or CoS. Use the no form to restore the default setting.
Syntax
qos map trust-mode {cos | dscp | ip-prec}
no qos map trust-mode
cos - Sets the QoS mapping mode to CoS.
dscp - Sets the QoS mapping mode to DSCP.
ip-prec - Sets the QoS mapping mode to IP Precedence.
show qos map cos-dscp
This command shows ingress CoS/CFI to internal DSCP map.
Syntax
show qos map cos-dscp interface interface
interface
ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number. (Range: 1-32/54)
port-channel channel-id (Range: 1-16/27)
Command Mode
Privileged Exec
Example
Console#show qos map cos-dscp interface ethernet 1/5
CoS Information of Eth 1/5
CoS-DSCP map.
Example
Console#show qos map default-drop-precedence interface ethernet 1/5
Information of Eth 1/5
default-drop-precedence map:
phb:   0 1 2 3 4 5 6 7
------------------------------------------------------
color: 0 0 0 0 0 0 0 0
Console#

show map dscp-cos
This command shows the internal DSCP to egress CoS map, which converts internal PHB/Drop Precedence to CoS values.
show qos map dscp-mutation
This command shows the ingress DSCP to internal DSCP map.
Syntax
show qos map dscp-mutation interface interface
interface
ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number.
Command Mode
Privileged Exec
Command Usage
The IP Port-to-DSCP mapping table is only used if the protocol type of the arriving packet is TCP or UDP.
show qos map phb-queue
This command shows internal per-hop behavior to hardware queue map.
Syntax
show qos map phb-queue interface interface
interface
ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number.
20 Quality of Service Commands

The commands described in this section are used to configure Differentiated Services (DiffServ) classification criteria and service policies. You can classify traffic based on access lists, IP Precedence or DSCP values, or VLANs. Using access lists allows you to select traffic based on Layer 2, Layer 3, or Layer 4 information contained in each packet.
To create a service policy for a specific category of ingress traffic, follow these steps:
1. Use the class-map command to designate a class name for a specific category of traffic, and enter the Class Map configuration mode.
2. Use the match command to select a specific type of traffic based on an access list, an IPv4 DSCP value, IPv4 Precedence value, a VLAN, or a CoS value.
3.
◆ One or more class maps can be assigned to a policy map (page 531). The policy map is then bound by a service policy to an interface (page 541). A service policy defines packet classification, service tagging, and bandwidth policing. Once a policy map has been bound to an interface, no additional class maps may be added to the policy map, nor any changes made to the assigned class maps with the match or set commands.
cos - A Class of Service value. (Range: 0-7)
dscp - A Differentiated Service Code Point value. (Range: 0-63)
ip-precedence - An IP Precedence value. (Range: 0-7)
vlan - A VLAN. (Range: 1-4094)
Default Setting
None
Command Mode
Class Map Configuration
Command Usage
◆ First enter the class-map command to designate a class map and enter the Class Map configuration mode.
This example creates a class map called “rd-class#3,” and sets it to match packets marked for VLAN 1.
Console(config)#class-map rd-class#3 match-any
Console(config-cmap)#match vlan 1
Console(config-cmap)#

rename
This command redefines the name of a class map or policy map.
Syntax
rename map-name
map-name - Name of the class map or policy map.
◆ Create a Class Map (page 531) before assigning it to a Policy Map.
Example
This example creates a policy called “rd-policy,” uses the class command to specify the previously defined “rd-class,” uses the set command to classify the service that incoming packets will receive, and then uses the police flow command to limit the average bandwidth to 100,000 Kbps, the burst rate to 4000 bytes, and configure the response to drop any violating packets.
Example
This example creates a policy called “rd-policy,” uses the class command to specify the previously defined “rd-class,” uses the set phb command to classify the service that incoming packets will receive, and then uses the police flow command to limit the average bandwidth to 100,000 Kbps, the burst rate to 4,000 bytes, and configure the response to drop any violating packets.
committed-rate option. Note that the token bucket functions similarly to that described in RFC 2697 and RFC 2698.
◆ The behavior of the meter is specified in terms of one token bucket (C), the rate at which the tokens are incremented (CIR – Committed Information Rate), and the maximum size of the token bucket (BC – Committed Burst Size). The token bucket C is initially full, that is, the token count Tc(0) = BC.
committed-burst - Committed burst size (BC) in bytes. (Range: 0-524288 bytes)
excess-burst - Excess burst size (BE) in bytes. (Range: 1000-128000000 bytes)
conform-action - Action to take when rate is within the CIR and BC. (There are enough tokens in bucket BC to service the packet, packet is set green).
exceed-action - Action to take when rate exceeds the CIR and BC but is within the BE.
The token buckets C and E are initially full, that is, the token count Tc(0) = BC and the token count Te(0) = BE. Thereafter, the token counts Tc and Te are updated CIR times per second as follows:
■ If Tc is less than BC, Tc is incremented by one, else
■ if Te is less than BE, Te is incremented by one, else
■ neither Tc nor Te is incremented.
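The two-bucket update rule above, combined with the green/yellow/red decision from RFC 2697 that the guide refers to, can be traced on a burst of packets. This is an added example, not code from this guide or from the switch software: it models the color-blind meter only, counts one token as one byte, and uses constructed values (CIR 1000 tokens per second, BC 4000, BE 6000, 1500-byte packets) and a sample action table.

```python
GREEN, YELLOW, RED = "green", "yellow", "red"


class SrTcm:
    """Color-blind single rate three color meter with token buckets C and E."""

    def __init__(self, cir, bc, be):
        self.cir = cir              # tokens added per second (1 token = 1 byte here)
        self.bc = bc                # committed burst size: capacity of bucket C
        self.be = be                # excess burst size: capacity of bucket E
        self.tc, self.te = bc, be   # both buckets start full: Tc(0)=BC, Te(0)=BE
        self.last_ms = 0
        self.carry = 0              # sub-token remainder, in token-milliseconds

    def _refill(self, now_ms):
        """Add the tokens earned since the last packet: C first, overflow to E."""
        if now_ms < self.last_ms:
            raise ValueError("timestamps must not go backwards")
        credit = (now_ms - self.last_ms) * self.cir + self.carry
        tokens, self.carry = divmod(credit, 1000)
        self.last_ms = now_ms
        to_c = min(tokens, self.bc - self.tc)      # "if Tc < BC, increment Tc"
        self.tc += to_c
        # "else if Te < BE, increment Te"; anything beyond BE is discarded.
        self.te = min(self.be, self.te + tokens - to_c)

    def meter(self, now_ms, size):
        """Return the color of a packet of `size` bytes arriving at `now_ms`."""
        self._refill(now_ms)
        if self.tc >= size:          # enough committed tokens: conform
            self.tc -= size
            return GREEN
        if self.te >= size:          # only excess tokens left: exceed
            self.te -= size
            return YELLOW
        return RED                   # neither bucket can pay: violate


# Constructed sample policy in the style of the police command's actions.
SAMPLE_ACTIONS = {GREEN: "transmit", YELLOW: "new-dscp", RED: "drop"}

# Constructed arrivals (time in ms, size in bytes): a burst, then two late packets.
ARRIVALS = [(0, 1500)] * 7 + [(500, 1500), (10_500, 1500)]


def run_trace(arrivals=ARRIVALS):
    """Meter every arrival and return (list of colors, final meter state)."""
    policer = SrTcm(cir=1000, bc=4000, be=6000)
    colors = [policer.meter(t, size) for t, size in arrivals]
    return colors, policer


if __name__ == "__main__":
    colors, policer = run_trace()
    for (t, size), color in zip(ARRIVALS, colors):
        print(f"t={t:>6} ms size={size} -> {color:6} ({SAMPLE_ACTIONS[color]})")
    print("final Tc, Te:", policer.tc, policer.te)
```

The burst at t=0 drains bucket C after two packets and bucket E after four more, so the seventh packet is red even though the long-run rate is still zero.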
police trtcm-color
This command defines an enforcer for classified traffic based on a two rate three color meter (trTCM). Use the no form to remove a policer.
Syntax
[no] police {trtcm-color-blind | trtcm-color-aware} committed-rate committed-burst peak-rate peak-burst conform-action {transmit | new-dscp} exceed-action {drop | new-dscp} violate-action {drop | new-dscp}
trtcm-color-blind - Two rate three color meter in color-blind mode.
◆ The PHB label is composed of five bits, three bits for per-hop behavior, and two bits for the color scheme used to control queue congestion. A packet is marked red if it exceeds the PIR. Otherwise it is marked either yellow or green depending on whether it exceeds or doesn't exceed the CIR. The trTCM is useful for ingress policing of a service, where a peak rate needs to be enforced separately from a committed rate.
◆ The meter operates in one of two modes.
to 6000, to remark any packets exceeding the committed burst size, and to drop any packets exceeding the peak information rate.
set phb
This command services IP traffic by setting a per-hop behavior value for a matching packet (as specified by the match command) for internal processing. Use the no form to remove this setting.
Syntax
[no] set phb phb-value
phb-value - Per-hop behavior value.
service-policy
This command applies a policy map defined by the policy-map command to the ingress or egress side of a particular interface. Use the no form to remove this mapping.
Syntax
[no] service-policy {input | output} policy-map-name
input - Apply to the input traffic.
output - Apply to the output traffic.
policy-map-name - Name of the policy map for this interface. (Range: 1-32 characters)
Default Setting
No policy map is attached to an interface.
Example
Console#show class-map
Class Map match-any rd-class#1
Description:
Match IP DSCP 10
Match access-list rd-access
Match IP DSCP 0
Class Map match-any rd-class#2
Match IP Precedence 5
Class Map match-any rd-class#3
Match VLAN 1
Console#

show policy-map
This command displays the QoS policy maps which define classification criteria for incoming traffic, and may include policers for bandwidth limitations.
show policy-map interface
This command displays the service policy assigned to the specified interface.
Syntax
show policy-map interface interface {input | output}
interface
unit/port
unit - Unit identifier. (Range: 1)
port - Port number. (Range: 1-32/54)
port-channel channel-id (Range: 1-16/27)
input - Apply to the input traffic.
output - Apply to the output traffic.
21 Data Center Bridging Commands

Fibre Channel was developed as a dedicated fabric that loses little to no packets, and was not designed to work on an unreliable network. For this reason, a set of standards termed Data Center Bridging (DCB) has been developed to increase the reliability of Ethernet-based networks in the data center. DCB consists of four different technologies: DCB Exchange (DCBX), Priority-based Flow Control (PFC), Enhanced Transmission Selection (ETS), and Congestion Notification (CN).
DCB Exchange Commands
This section describes the commands used by DCB devices to exchange configuration information with directly-connected peers. These commands are also used to detect misconfiguration of the peer devices and, where accepted, to configure peer DCB devices.
Example
The following example enables DCBX on port 5:
Console(config)#interface ethernet 1/5
Console(config-if)#dcbx
Console(config-if)#

dcbx mode
This command configures the DCBX mode used for message exchange. Use the no form to restore the default setting.
propagated information utilize this information and ignore their local configuration. The first auto-upstream port to successfully accept a compatible configuration becomes the configuration source. Peer configurations received on auto-upstream ports other than the configuration source are accepted if compatible with the configuration source, and the DCBX client is set to operationally active on the auto-upstream port.
Default Setting
Shows DCBX configuration settings for all ports.
Command Mode
Privileged Exec
Example
This example displays the DCBX administrative status, operational mode, and the status of the LLDP TLV willing bit for ETS and PFC.
Table 110: Priority-based Flow Control Commands (Continued)
Command                Function                                                                                      Mode
clear pfc statistics   Clears PFC statistics                                                                         PE
show pfc               Shows PFC configuration settings                                                              PE
show pfc statistics    Shows PFC statistics for the number of PFC frames received and transmitted for each priority  PE

Configuration Guidelines
Take the following steps to configure PFC:
1.
any manually configured information. Interfaces not enabled for PFC ignore received PFC frames.
◆ PFC is configurable on full duplex interfaces only. To enable PFC on a LAG, the member interfaces must have the same configuration.
◆ When PFC is enabled on an interface, it will be automatically disabled for IEEE 802.3 flow control. Any flow control frames received on a PFC enabled interface are ignored.
Example
The following example configures port 5 to enable PFC for priorities 3 and 5:
Console(config)#interface ethernet 1/5
Console(config-if)#pfc priority enable 3,5
Console(config-if)#

clear pfc statistics
Use this command to clear PFC statistics.
Syntax
clear pfc statistics [interface interface]
interface
ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number.
Command Mode
Privileged Exec
Example
This example displays the PFC administrative status, operational mode, and the priority bits for frames to pause (instead of drop) when congestion occurs in the specified priority buffers.
Enhanced Transmission Selection Commands
Enhanced Transmission Selection (ETS) provides a means to allocate link bandwidth to different priority groups as a percentage of total bandwidth. These settings are then advertised to other devices in a data center network through DCBX ETS TLVs.
ets mode
Use this command to set the ETS mode to negotiate capability through DCBX or to force it to the on state. Use the no form to restore the default setting.
Syntax
ets mode {auto | on}
no ets mode
auto – Negotiates ETS capability using DCBX. The operational capability of ETS depends on the result of DCBX negotiations.
on – Forces ETS to the enabled state.
ets - Processes packets with priority values specified for a TCG using Weighted Deficit Round Robin (WDRR).
Default Setting
strict
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
Packets with priority values not specified for a TCG use strict priority and therefore are processed ahead of the packets in the weighted queues.
Example
The following example maps priority 2 and 3 to TCG 0 for port 5.
Console(config)#interface ethernet 1/5
Console(config-if)#traffic-class map 2 1
Console(config-if)#traffic-class map 3 1
Console(config-if)#

traffic-class weight
Use this command to configure the bandwidth allocation for all TCGs on an interface. Use the no form to restore the default settings.
show ets mapping
Use this command to display the mapping from IEEE 802.1p priorities to traffic class groups (TCGs).
Syntax
show ets mapping [interface interface]
interface
ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number.
Chapter 21 | Data Center Bridging Commands Congestion Notification Commands
show ets weight
Use this command to display the bandwidth allocation for selected TCGs.
Syntax
show ets weight [interface interface]
interface
ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number. (Range: 1-32/54)
port-channel channel-id (Range: 1-16/27)
Command Mode
Privileged Exec
Example
This example shows both the locally configured settings and the current operational settings.
its congested state and that the rate of the flow entering the network should be reduced. Upon receiving the CN messages, rate limiting is initiated as close as possible to the source of the congestion. This alleviates the congestion at the network core and stops it from spreading through the network.
The QCN algorithm is composed of the following two parts:
1. Congestion Point (CP) Algorithm: This is the mechanism by which a congested bridge or end station buffer samples outgoing frames and generates a feedback message (CNM – Congestion Notification Message) addressed to the source of the sampled frame. The feedback message contains information about the extent of congestion at the CP.
2.
cn
Use this command to enable congestion notification for all ports on the switch. Use the no form to disable congestion notification on the switch.
Example
The following example sets the CNM transmit priority to 1.
Console(config)#cn cnm-transmit-priority 1
Console(config)#

cn cnpv
Use this command to set a dot1p priority to be a Congestion Notification Priority Value (CNPV). Use the no form to change a CNPV back to a dot1p priority value.
Syntax
[no] cn cnpv cnpv-priority
cnpv-priority - CNPV assigned to Congestion Control Flows (CFF) on this port.
cn cnpv alternate-priority (Global Configuration)
Use this command to configure the alternate priority used to remark a received frame when its dot1p priority is equal to the CNPV and the defense mode is other than auto. Use the no form to restore the default setting.
Syntax
cn cnpv cnpv-priority alternate-priority priority
no cn cnpv cnpv-priority alternate-priority
cnpv-priority - CN priority value.
cn cnpv defense-mode (Global Configuration)
Use this command to configure the defense mode for a CNPV, determining whether CN is enabled or not, and if enabled, whether the port remarks the CNPV to a non-CNPV value on input, and whether the port removes CN-tags on output. Use the no form to restore the default settings.
◆ Under the interior-ready option, on this port and for this CNPV, the priority parameters of input frames are not remapped to another value, and no priority value is remapped to this CNPV, regardless of the priority regeneration table. CN-TAGs are not removed from frames by the switch.
Example
The following example sets the defense mode to edge for CNPV 2.
cn cnpv defense-mode (Interface Configuration)
Use this command to configure the defense mode for a CNPV, determining whether CN is enabled or not, and if enabled, whether the port remarks the CNPV to a non-CNPV value on input, and whether the port removes CN-tags on output. Use the no form to restore the default settings.
Example
This example shows the global settings for congestion notification, and the number of discarded frames.
Console#show cn
Congestion Notification Global Information
 Admin Status            : Enabled
 Oper Status             : Enabled
 CNM Transmit Priority   : 1
 Total Discarded Frames  : 0
Console#

show cn cnpv
Use this command to show CNPV information, including the defense mode and alternate priority.
show cn cp
Use this command to show functional settings and status for the specified CP.
Syntax
show cn cp interface index index
interface
ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number. (Range: 1-32/54)
port-channel channel-id (Range: 1-16/27)
index - Congestion Point index. (Range: 0-1)
Command Mode
Privileged Exec
Example
This example shows information for CP 0 on port 5.
Chapter 21 | Data Center Bridging Commands Openflow Commands
Table 113: show cn cp - display description (Continued)
Field            Description
Set Point        The set-point for the queue. This is the target number of octets in the CP’s queue. (Default: 26000)
Feedback Weight  Variable used in calculation of Quantized Feedback and New Sample Base. If the queue length is moving toward the set point, the feedback weight will be closer to 0 than if the queue length is moving away from the set point.
Figure 5: Openflow Process
Note: The storm control function will be invalid if an Openflow flow rule is added to the switch. Due to a chip-specific behavior, storm control is detected and limited in the DA lookup stage. ACL flow is implemented by Filter Processor (FP) rules, which sit near the last stage of the ingress pipeline and are capable of changing packet behavior.
ingress port -> VLAN logic -> L2 logic (SA learning, DA lookup ..
Table 114: Openflow Commands (Continued)
Command               Function                           Mode
show of-agent flow    Displays all flow table settings   PE
show of-agent group   Displays all group settings        PE

of-agent controller
This command sets the address for the OpenFlow controller. Use the no form to delete the controller address.
Syntax
[no] of-agent controller ip-address [port]
ip-address - IPv4 address of controller.
port - TCP port.
of-agent datapath-desc
This command configures the data path description. Use the no form to remove the data path descriptor.
Syntax
of-agent datapath-desc description
no of-agent datapath-desc
description - A unique description or identifier for the flow forwarding behaviour implemented by the data path.
Example
Console#show of-agent controller
Controllers:
192.168.1.2:6633
192.168.1.3:6633
Console#

show of-agent flow
This command displays all flow table settings.
Syntax
show of-agent flow [table-id {table-id | ingress-port | vlan | termination-mac | unicast-routing | multicast-routing | bridging | acl-policy}]
table-id - Flow table identifier. (Range: 0-60)
ingress-port - Ingress port flow table
vlan - VLAN flow table.
Flow 2:
 Table ID: 10 [VLAN table]
 Priority: 101, cookie: 8
 Hard Timeout: 0, Idle Timeout: 0
 Match:
  In port: 45
  VLAN: 0x1002/0x1FFF
 Instruction:
  Goto table: 20 [Termination MAC table]
No more flow from ofagent
Console#show of-agent flow table-id 20
Flow 1:
 Table ID: 20 [Termination MAC table]
 Priority: 201, cookie: 12
 Hard Timeout: 0, Idle Timeout: 0
 Match:
  EtherType: 0x0800
  VLAN: 0x2/0xFFF
  Dest MAC: 01-00-5E-00-00-00
  Dest MAC MASK: FF-FF-FF-80-00
Console#show of-agent flow table-id 30
Flow 1:
 Table ID: 30 [Unicast Routing table]
 Priority: 401, cookie: 4
 Hard Timeout: 0, Idle Timeout: 0
 Match:
  EtherType: 0x0800
  Dest IPv4: 192.168.2.0
  Dest IPv4 Mask: 255.255.255.
Flow 2:
 Table ID: 50 [Bridging table]
 Priority: 501, cookie: 18
 Hard Timeout: 0, Idle Timeout: 0
 Match:
  VLAN: 0x2
  Dest MAC: 00-00-00-11-22-33
  Dest MAC MASK: FF-FF-FF-FF-FF-FF
 Instruction:
  Group: 0x2002D [L2 Interface]
  Goto table: 60 [ACL table]
No more flow from ofagent
Console#show of-agent flow table-id 60
Flow 1:
 Table ID: 60 [ACL table]
 Priority: 601, cookie: 6
 Hard Timeout: 0, Idle Timeout: 0
 Match:
  EtherType: 0x0800
  In port: 45/0xFFFFFFFF
  I
 Match:
  In port: 0/0xFFFF0000
 Instruction:
  Goto table: 10 [VLAN table]
No more flow from ofagent
Console#

show of-agent group
This command displays all group settings.
Syntax
show of-agent group [type {group-type | l2-interface | l2-rewrite | l3-unicast | l2-multicast | l2-flood | l3-interface | l3-multicast | l3-ecmp | l2-overlay}]
group-type - Specifies group type. (Range: 0-8)
l2-interface - Specifies L2 interface group.
  Output: 3
Group 0x10000001 [L2 Rewrite]
 Bucket Index: 0
  New Source MAC: 00-00-62-22-33-55
  New Dest MAC: 00-00-62-22-44-66
  New VID: 3
  Reference Group: 0x30001 [L2 Interface]
Group 0x20000001 [L3 Unicast]
 Bucket Index: 0
  New Source MAC: 00-00-63-22-33-55
  New Dest MAC: 00-00-63-22-44-66
  New VID: 2
  Reference Group: 0x20001 [L2 Interface]
Group 0x20000003 [L3 Unicast]
 Bucket Index: 0
  New Source MAC: 00-00-04-22-33-55
  New Dest MAC: 00-00-04-22-44-66
  Ne
  Output: 45
Group 0x30001 [L2 Interface] VID: 3, Port: 1
 Bucket Index: 0
  Output: 1
Group 0x30003 [L2 Interface] VID: 3, Port: 3
 Bucket Index: 0
  Output: 3
No more group from ofagent
Console#show of-agent group type l3-interface
Group 0x50000003 [L3 Interface]
 Bucket Index: 0
  New Source MAC: 00-00-05-22-33-99
  New VID: 3
  Reference Group: 0x30003 [L2 Interface]
No more group from ofagent
Console#show of-agent group type 7
Group 0x70000001 [L3 ECMP]
 Bu
22 Multicast Filtering Commands
This switch uses IGMP (Internet Group Management Protocol) to check for any attached hosts that want to receive a specific multicast service. It identifies the ports containing hosts requesting a service and sends data out to those ports only. It then propagates the service request up to any neighboring multicast switch/router to ensure that it will continue to receive the multicast service.
Chapter 22 | Multicast Filtering Commands IGMP Snooping
IGMP Snooping
This section describes commands used to configure IGMP snooping on the switch.
Table 116: IGMP Snooping Commands (Continued)
Command                                   Function                                                                                    Mode
ip igmp snooping vlan static              Adds an interface as a member of a multicast group                                          GC
ip igmp snooping vlan version             Configures the IGMP version for snooping                                                    GC
ip igmp snooping vlan version-exclusive   Discards received IGMP messages which use a version different to that currently configured  GC
clear ip igmp snooping groups dynamic     Clears multicast group information dynamicall
Example
The following example enables IGMP snooping globally.
Console(config)#ip igmp snooping
Console(config)#

ip igmp snooping priority
This command assigns a priority to all multicast traffic. Use the no form to restore the default setting.
Syntax
ip igmp snooping priority priority
no ip igmp snooping priority
priority - The CoS priority assigned to all multicast traffic.
ip igmp snooping proxy-reporting
This command enables IGMP Snooping with Proxy Reporting. Use the no form to restore the default setting.
Syntax
[no] ip igmp snooping proxy-reporting
ip igmp snooping vlan vlan-id proxy-reporting {enable | disable}
no ip igmp snooping vlan vlan-id proxy-reporting
vlan-id - VLAN ID (Range: 1-4094)
enable - Enable on the specified VLAN.
disable - Disable on the specified VLAN.
Command Usage
◆ IGMP snooping querier is not supported for IGMPv3 snooping (see ip igmp snooping version).
◆ If enabled, the switch will serve as querier if elected. The querier is responsible for asking hosts if they want to receive multicast traffic.
Example
Console(config)#ip igmp snooping querier
Console(config)#

ip igmp snooping router-alert-option-
This command discards any IGMPv2/v3 packets that do not include the Router Alert option.
ip igmp snooping router-port-expire-time
This command configures the querier timeout. Use the no form to restore the default.
Syntax
ip igmp snooping router-port-expire-time seconds
no ip igmp snooping router-port-expire-time
seconds - The time the switch waits after the previous querier stops before it considers it to have expired.
◆ If a topology change notification (TCN) is received, and all the uplink ports are subsequently deleted, a timeout mechanism is used to delete all of the currently learned multicast channels.
◆ When a new uplink port starts up, the switch sends unsolicited reports for all current learned channels out through the new uplink port.
When an upstream multicast router receives this solicitation, it will also immediately issue an IGMP general query.
◆ The ip igmp snooping tcn query-solicit command can be used to send a query solicitation whenever the switch notices a topology change, even if the switch is not the root bridge in the spanning tree.
ip igmp snooping unsolicited-report-interval
This command specifies how often the upstream interface should transmit unsolicited IGMP reports when proxy reporting is enabled. Use the no form to restore the default value.
Syntax
ip igmp snooping unsolicited-report-interval seconds
no ip igmp snooping unsolicited-report-interval
seconds - The interval at which to issue unsolicited reports.
Command Mode
Global Configuration
Command Usage
◆ This command configures the IGMP report/query version used by IGMP snooping. Versions 1 - 3 are all supported, and versions 2 and 3 are backward compatible, so the switch can operate with other devices, regardless of the snooping version employed.
◆ If the IGMP snooping version is configured on a VLAN, this setting takes precedence over the global configuration.
ip igmp snooping vlan general-query-suppression
This command suppresses general queries except for ports attached to downstream multicast hosts. Use the no form to flood general queries to all ports except for the multicast router port.
The router/querier stops forwarding traffic for that group only if no host replies to the query within the timeout period. (The timeout for this release is currently defined by Last Member Query Interval (fixed at one second) * Robustness Variable (fixed at 2) as defined in RFC 2236.)
◆ If immediate-leave is used, the switch assumes that only one host is connected to the interface.
Example
Console(config)#ip igmp snooping vlan 1 last-memb-query-count 7
Console(config)#

ip igmp snooping vlan last-memb-query-
This command configures the last-member-query interval. Use the no form to restore the default.
ip igmp snooping vlan mrd
This command enables sending of multicast router solicitation messages. Use the no form to disable these messages.
ip igmp snooping vlan proxy-address
This command configures a static source address for locally generated query and report messages used by IGMP proxy reporting. Use the no form to restore the default source address.
Syntax
[no] ip igmp snooping vlan vlan-id proxy-address source-address
vlan-id - VLAN ID (Range: 1-4094)
source-address - The source address used for proxied IGMP query, report, and leave messages.
Example
The following example sets the source address for proxied IGMP query messages to 10.0.1.8.
Console(config)#ip igmp snooping vlan 1 proxy-address 10.0.1.8
Console(config)#

ip igmp snooping vlan query-interval
This command configures the interval between sending IGMP general queries. Use the no form to restore the default.
ip igmp snooping vlan query-resp-intvl
This command configures the maximum time the system waits for a response to general queries. Use the no form to restore the default.
Syntax
ip igmp snooping vlan vlan-id query-resp-intvl interval
no ip igmp snooping vlan vlan-id query-resp-intvl
vlan-id - VLAN ID (Range: 1-4094)
interval - The maximum time the system waits for a response to general queries.
Command Mode
Global Configuration
Command Usage
◆ Static multicast entries are never aged out.
◆ When a multicast entry is assigned to an interface in a specific VLAN, the corresponding traffic can only be forwarded to ports within that VLAN.
Example
The following shows how to statically configure a multicast group on a port.
Console(config)#ip igmp snooping vlan 1 static 224.0.0.
vlan vlan-id - VLAN identifier (Range: 1-4094)
Command Mode
Privileged Exec
Example
Console#clear ip igmp snooping statistics
Console#

show ip igmp
This command shows the IGMP snooping, proxy, and query configuration settings.
---- --------------- -------
1    235.0.0.0       Eth 1/ 5
.
.
.

show ip igmp snooping group
This command shows known multicast group, source, and host port mappings for the specified VLAN interface, or for all interfaces if none is specified.
1 224.1.1.1 00:00:00:37 Eth 1/ 1(R) Eth 1/ 2(M) 2(P) 0(H)
Console#

show ip igmp snooping mrouter
This command displays information on statically configured and dynamically learned multicast router ports.
Syntax
show ip igmp snooping mrouter [vlan vlan-id]
vlan-id - VLAN ID (Range: 1-4094)
Default Setting
Displays multicast router ports for all configured VLANs.
port-channel channel-id (Range: 1-16/27)
vlan vlan-id - VLAN ID (Range: 1-4094)
query - Displays IGMP snooping-related statistics.
Table 118: show ip igmp snooping statistics output - display description
Field          Description
Interface      Shows interface.
Report         The number of IGMP membership reports sent from this interface.
Leave          The number of leave messages sent from this interface.
G Query        The number of general query messages sent from this interface.
G(-S)-S Query  The number of group specific or group-and-source specific query messages sent from this interface.
Chapter 22 | Multicast Filtering Commands Static Multicast Routing
Table 119: show ip igmp snooping statistics vlan query - display description
Field            Description
Warn Rate Limit  The rate at which received query messages of the wrong version type cause the Vx warning count to increment. Note that “0 sec” means that the Vx warning count is incremented for each wrong message version received.
Chapter 22 | Multicast Filtering Commands IGMP Filtering and Throttling
Command Usage
◆ Depending on your network connections, IGMP snooping may not always be able to locate the IGMP querier. Therefore, if the IGMP querier is a known multicast router or switch connected over the network to an interface (port or trunk) on this switch, that interface can be manually configured to join all the current multicast groups.
Table 121: IGMP Filtering and Throttling Commands (Continued)
Command                          Function                                                          Mode
show ip igmp query-drop          Shows if the interface is configured to drop IGMP query packets   PE
show ip igmp throttle interface  Displays the IGMP throttling setting for interfaces               PE

ip igmp filter (Global Configuration)
This command globally enables IGMP filtering and throttling on the switch. Use the no form to disable the feature.
ip igmp profile
This command creates an IGMP filter profile number and enters IGMP profile configuration mode. Use the no form to delete a profile number.
Syntax
[no] ip igmp profile profile-number
profile-number - An IGMP filter profile number. (Range: 1-4294967295)
Default Setting
Disabled
Command Mode
Global Configuration
Command Usage
A profile defines the multicast groups that a subscriber is permitted or denied to join.
Example
Console(config)#ip igmp profile 19
Console(config-igmp-profile)#permit
Console(config-igmp-profile)#

range
This command specifies multicast group addresses for a profile. Use the no form to delete addresses from a profile.
Syntax
[no] range low-ip-address [high-ip-address]
low-ip-address - A valid IP address of a multicast group or start of a group range.
Command Usage
◆ If IGMP authentication is enabled on an interface, and a join report is received on the interface, the switch will send an access request to the RADIUS server to perform authentication.
◆ Only when the RADIUS server responds with an authentication success message will the switch learn the group report.
Table 122: IGMP Authentication RADIUS Attribute Value Pairs (Continued)
Attribute Name     AVP Type  Entry
NAS_PORT           5         User Port Number
FRAMED_IP_ADDRESS  8         Multicast Group ID
Example
This example shows how to enable IGMP Authentication on all of the switch’s Ethernet interfaces.
ip igmp max-groups
This command sets the IGMP throttling number for an interface on the switch. Use the no form to restore the default setting.
Syntax
ip igmp max-groups number
no ip igmp max-groups
number - The maximum number of multicast groups an interface can join at the same time.
Command Usage
When the maximum number of groups is reached on a port, the switch can take one of two actions: “deny” or “replace.” If the action is set to deny, any new IGMP join reports will be dropped. If the action is set to replace, the switch randomly removes an existing group and replaces it with the new multicast group.
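The profile filtering and throttling decisions described in this section, modeled in Python as an added example (not switch firmware and not code from this guide). Assumptions: a permit profile accepts only groups inside its ranges and a deny profile only groups outside them, the profile is checked before the throttle, and all class and function names are hypothetical.

```python
import ipaddress
import random
from dataclasses import dataclass, field


@dataclass
class IgmpProfile:
    """Model of an 'ip igmp profile': an access mode plus 'range' entries."""
    mode: str                                    # "permit" or "deny"
    ranges: list = field(default_factory=list)   # (low, high) address pairs

    def __post_init__(self):
        if self.mode not in ("permit", "deny"):
            raise ValueError("mode must be 'permit' or 'deny'")

    def add_range(self, low, high=None):
        """Equivalent of 'range low-ip-address [high-ip-address]'."""
        lo = ipaddress.IPv4Address(low)
        hi = ipaddress.IPv4Address(high or low)
        if not (lo.is_multicast and hi.is_multicast) or hi < lo:
            raise ValueError(f"invalid multicast range {low} {high}")
        self.ranges.append((lo, hi))

    def allows(self, group):
        g = ipaddress.IPv4Address(group)
        in_range = any(lo <= g <= hi for lo, hi in self.ranges)
        # Assumption: permit = listed groups only, deny = everything else.
        return in_range if self.mode == "permit" else not in_range


@dataclass
class Port:
    """One interface with a throttle and an optional filter profile."""
    max_groups: int                              # 'ip igmp max-groups number'
    profile: IgmpProfile = None
    action: str = "deny"                         # "deny" or "replace"
    groups: set = field(default_factory=set)
    rng: random.Random = field(default_factory=random.Random)

    def __post_init__(self):
        if self.action not in ("deny", "replace"):
            raise ValueError("action must be 'deny' or 'replace'")

    def join(self, group):
        """Process one IGMP join report and return what the port did."""
        g = ipaddress.IPv4Address(group)
        if not g.is_multicast:
            return "drop: not a multicast group"
        if self.profile is not None and not self.profile.allows(g):
            return "drop: filtered by profile"
        if g in self.groups:
            return "refresh"                     # already a member, no new slot
        if len(self.groups) >= self.max_groups:
            if self.action == "deny" or not self.groups:
                return "drop: throttled"
            # 'replace': a randomly chosen existing group is removed.
            victim = self.rng.choice(sorted(self.groups))
            self.groups.remove(victim)
            self.groups.add(g)
            return f"replace: evicted {victim}"
        self.groups.add(g)
        return "join"


def replay(port, joins):
    """Feed a sequence of join reports to a port; return (group, outcome)."""
    return [(g, port.join(g)) for g in joins]


def demo():
    # Constructed sample: deny profile blocking one group and one range.
    profile = IgmpProfile("deny")
    profile.add_range("239.1.1.1")
    profile.add_range("239.10.0.1", "239.10.0.100")
    port = Port(max_groups=2, profile=profile, action="deny")
    joins = ["239.5.5.1", "239.1.1.1", "239.5.5.2",
             "239.10.0.7", "239.5.5.3", "239.5.5.1"]
    return replay(port, joins)


if __name__ == "__main__":
    for group, outcome in demo():
        print(f"{group:12} {outcome}")
```

With the replace action the same third join would succeed at the cost of an existing membership, which is the trade-off to weigh when choosing between the two actions on subscriber-facing ports.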
Default Setting
None
Command Mode
Privileged Exec
Command Usage
Using this command without specifying an interface displays information for all interfaces.
Example
Console#show ip igmp authentication
Ethernet 1/1: Enabled
Ethernet 1/2: Enabled
Ethernet 1/3: Enabled
.
.
.
Console#

show ip igmp profile
This command displays IGMP filtering profiles created on the switch.
Syntax
show ip igmp profile [profile-number]
profile-number - An existing IGMP filter profile number. (Range: 1-4294967295)
Default Setting
None
Command Mode
Privileged Exec
Example
Console#show ip igmp profile
IGMP Profile 19
IGMP Profile 50
Console#show ip igmp profile 19
IGMP Profile 19
 Deny
 Range 239.1.1.1 239.1.1.1
 Range 239.2.3.
Command Usage
Using this command without specifying an interface displays all interfaces.
Example
Console#show ip igmp query-drop interface ethernet 1/1
Ethernet 1/1: Enabled
Console#

show ip igmp throttle interface
This command displays the interface settings for IGMP throttling.
Syntax
show ip igmp throttle interface [interface]
interface
ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number.
Chapter 22 | Multicast Filtering Commands MLD Snooping
MLD Snooping
Multicast Listener Discovery (MLD) snooping operates on IPv6 traffic and performs a similar function to IGMP snooping for IPv4. That is, MLD snooping dynamically configures switch ports to limit IPv6 multicast traffic so that it is forwarded only to ports with users that want to receive it. This reduces the flooding of IPv6 multicast packets in the specified VLANs. There are two versions of the MLD protocol, version 1 and version 2.
Table 123: MLD Snooping Commands (Continued)
Command                                   Function                                                         Mode
show ipv6 mld snooping group source-list  Displays the learned groups and corresponding source list        PE
show ipv6 mld snooping mrouter            Displays the information of multicast router ports               PE

ipv6 mld snooping
This command enables MLD Snooping globally on the switch. Use the no form to disable MLD Snooping.
◆ The querier will not start or will disable itself after having started if it detects an IPv6 multicast router on the network.
Example
Console(config)#ipv6 mld snooping querier
Console(config)#

ipv6 mld snooping query-interval
This command configures the interval between sending MLD general queries. Use the no form to restore the default.
Default Setting
10 seconds
Command Mode
Global Configuration
Command Usage
This command controls how long the host has to respond to an MLD Query message before the switch deletes the group if it is the last member.
Example
Console(config)#ipv6 mld snooping query-max-response-time seconds 15
Console(config)#

ipv6 mld snooping robustness
This command configures the MLD Snooping robustness variable. Use the no form to restore the default value.
ipv6 mld snooping router-port-expire-time
This command configures the MLD query timeout. Use the no form to restore the default.
Syntax
ipv6 mld snooping router-port-expire-time time
no ipv6 mld snooping router-port-expire-time
time - Specifies the timeout of a dynamically learned router port.
◆ When set to “router-port,” any received IPv6 multicast packets that have not been requested by a host are forwarded to ports that are connected to a detected multicast router.
Example
Console(config)#ipv6 mld snooping unknown-multicast mode flood
Console(config)#

ipv6 mld snooping version
This command configures the MLD snooping version. Use the no form to restore the default.
Syntax
ipv6 mld snooping version {1 | 2}
1 - MLD version 1.
Command Usage
◆ If MLD immediate-leave is not used, a multicast router (or querier) will send a group-specific query message when an MLD group leave message is received. The router/querier stops forwarding traffic for that group only if no host replies to the query within the specified timeout period.
◆ If MLD immediate-leave is enabled, the switch assumes that only one host is connected to the interface.
Example
The following shows how to configure port 1 as a multicast router port within VLAN 1:
Console(config)#ipv6 mld snooping vlan 1 mrouter ethernet 1/1
Console(config)#

ipv6 mld snooping vlan static
This command adds a port to an IPv6 multicast group. Use the no form to remove the port.
Syntax
[no] ipv6 mld snooping vlan vlan-id static ipv6-address interface
vlan-id - VLAN ID (Range: 1-4094)
ipv6-address - An IPv6 address of a multicast group.
Command Usage
This command only clears entries learned through MLD snooping. Statically configured multicast addresses are not cleared.
Example
Console#clear ipv6 mld snooping groups dynamic
Console#

clear ipv6 mld snooping statistics
This command clears MLD snooping statistics.
Syntax
clear ipv6 mld snooping statistics [interface interface]
interface
ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number.
Example
The following shows MLD Snooping configuration information
Console#show ipv6 mld snooping
Service Status            : Disabled
Proxy Reporting           : Disabled
Querier Status            : Disabled
Robustness                : 2
Query Interval            : 125 sec
Query Max Response Time   : 10 sec
Router Port Expiry Time   : 300 sec
Unsolicit Report Interval : 400 sec
Immediate Leave           : Disabled on all VLAN
Immediate Leave By Host   : Disabled on all VLAN
Unknown Flood Behavior    : T
MLD Snooping Version      :
show ipv6 mld snooping group
This command shows known multicast groups, member ports, the means by which each group was learned, and the corresponding source list.
Chapter 22 | Multicast Filtering Commands IGMP (Layer 3)
IGMP (Layer 3)
This section describes commands used to configure Layer 3 Internet Group Management Protocol (IGMP) on the switch.
Console#show ip igmp interface
IGMP                             : Enabled
IGMP Version                     : 2
IGMP Proxy                       : Disabled
IGMP Unsolicited Report Interval : 400 sec
Robustness Variable              : 2
Query Interval                   : 125 sec
Query Max Response Time          : 100 (resolution in 0.1 sec)
Last Member Query Interval       : 10 (resolution in 0.1 sec)
Querier                          : 0.0.0.
Joined Groups :
Static Groups :
ip igmp max-resp-interval
This command configures the maximum response time advertised in IGMP queries. Use the no form of this command to restore the default.
Syntax
ip igmp max-resp-interval seconds
no ip igmp max-resp-interval
seconds - The report delay advertised in IGMP queries.
ip igmp query-interval
This command configures the frequency at which host query messages are sent. Use the no form to restore the default.
Syntax
ip igmp query-interval seconds
no ip igmp query-interval
seconds - The frequency at which the switch sends IGMP host-query messages.
ip igmp robustval
This command specifies the robustness (expected packet loss) for this interface. Use the no form of this command to restore the default value.
Syntax
ip igmp robustval robust-value
no ip igmp robustval
robust-value - The robustness of this interface.
Command Mode
Interface Configuration (VLAN)
Command Usage
◆ Group addresses within the entire multicast group address range can be specified with this command.
Default Setting
IGMP Version 2
Command Mode
Interface Configuration (VLAN)
Command Usage
◆ All routers on the subnet must support the same version. However, the multicast hosts on the subnet may support any of the IGMP versions 1 - 3.
◆ If the switch receives an IGMP Version 1 Membership Report, it sets a timer to note that there are Version 1 hosts which are members of the group for which it heard the report.
Example
The following example clears all multicast group entries for VLAN 1.

Console#clear ip igmp interface vlan1
Console#

show ip igmp groups
This command displays information on multicast groups active on the switch and learned through IGMP.

Syntax
show ip igmp groups [{group-address | interface} [detail] | detail]
group-address - IP multicast group address.
interface
  vlan vlan-id - VLAN ID.
Table 125: show ip igmp groups - display description

Field            Description
Group Address    IP multicast group address with subscribers directly attached or downstream from the switch.
Interface VLAN   The interface on the switch that has received traffic directed to the multicast group address.
Last Reporter    The IP address of the source of the last membership report received for this multicast group address on this interface.
Table 126: show ip igmp groups detail - display description (Continued)

Field            Description
Group mode       In INCLUDE mode, reception of packets sent to the specified multicast address is requested only from those IP source addresses listed in the source-list parameter.
 Last Member Query Interval : 10 (resolution in 0.1 sec)
 Querier                    : 0.0.0.0
 Joined Groups :
 Static Groups :
switch#

IGMP Proxy Routing
This section describes commands used to configure IGMP Proxy Routing on the switch.
Command Mode
Interface Configuration (VLAN)

Command Usage
◆ When IGMP proxy is enabled on an interface, that interface is known as the upstream or host interface. This interface performs only the host portion of IGMP by sending IGMP membership reports, and automatically disables IGMP router functions.
◆ Interfaces with IGMP enabled, but not located in the direction of the multicast tree root are known as downstream or router interfaces.
Chapter 22 | Multicast Filtering Commands
MLD (Layer 3)

ip igmp proxy unsolicited-report-interval
This command specifies how often the upstream interface should transmit unsolicited IGMP reports. Use the no form to restore the default value.

Syntax
ip igmp proxy unsolicited-report-interval seconds
no ip igmp proxy unsolicited-report-interval
seconds - The interval at which to issue unsolicited reports.
ipv6 mld
This command enables MLD on a VLAN interface. Use the no form of this command to disable MLD on the selected interface.

Syntax
[no] ipv6 mld

Default Setting
Disabled

Command Mode
Interface Configuration (VLAN)

Command Usage
MLD (including query functions) can be enabled for specific VLAN interfaces at Layer 3 through the ipv6 mld command.
Default Setting
10 (1 second)

Command Mode
Interface Configuration (VLAN)

Command Usage
When the switch receives an MLD or MLDv2 leave message from a host that wants to leave a multicast group, source or channel, it sends a number of group-specific or group-source-specific query messages at intervals defined by this command. If no response is received after this period, the switch stops forwarding for the group, source or channel.
Example
The following shows how to configure the maximum response time to 20 seconds.

Console(config-if)#ipv6 mld max-resp-interval 200
Console(config-if)#

Related Commands
ipv6 mld query-interval (643)

ipv6 mld query-interval
This command configures the frequency at which host query messages are sent. Use the no form to restore the default.
ipv6 mld robustval
This command specifies the robustness (expected packet loss) for this interface. Use the no form of this command to restore the default value.

Syntax
ipv6 mld robustval robust-value
no ipv6 mld robustval
robust-value - The robustness of this interface. (Range: 1-255)

Default Setting
2

Command Mode
Interface Configuration (VLAN)

Command Usage
◆ The robustness value is used to compensate for expected packet loss on a link.
Command Mode
Interface Configuration (VLAN)

Command Usage
◆ If a static group is configured for an any-source multicast (*,G), a source address cannot subsequently be defined for this group without first deleting the entry.
◆ If a static group is configured for one or more source-specific multicasts (S,G), an any-source multicast (*,G) cannot subsequently be defined for this group without first deleting all of the associated (S,G) entries.
Command Usage
◆ MLDv1 is derived from IGMPv2, and MLDv2 from IGMPv3. IGMP uses IP Protocol 2 message types, and MLD uses IP Protocol 58 message types, which is a subset of the ICMPv6 messages.
show ipv6 mld groups
This command displays information on multicast groups active on the switch and learned through MLD.

Syntax
show ipv6 mld groups [{group-address | interface} [detail] | detail]
group-address - IPv6 multicast group address. (Note that link-local scope addresses FF02:* are not allowed.)
interface
  vlan vlan-id - VLAN ID.
Table 129: show ipv6 mld groups - display description (Continued)

Field         Description
Expire        The time remaining before this entry will be aged out. (The default is 260 seconds.) This field displays “stopped” if the Group Mode is INCLUDE.
Group Mode    In Include mode, reception of packets sent to the specified multicast address is requested only from those IP source addresses listed in the source-list parameter.
 Querier : FE80::200:E8FF:FE93:82A0
 Joined Groups :
 Static Groups :
 FFEE::101
Console#

MLD Proxy Routing
This section describes commands used to configure MLD Proxy Routing on the switch.
Command Mode
Interface Configuration (VLAN)

Command Usage
◆ When MLD proxy is enabled on an interface, that interface is known as the upstream or host interface. This interface performs only the host portion of MLD by sending MLD membership reports, and automatically disables MLD router functions.
◆ Interfaces with MLD enabled, but not located in the direction of the multicast tree root are known as downstream or router interfaces.
ipv6 mld proxy unsolicited-report-interval
This command specifies how often the upstream interface should transmit unsolicited MLD reports. Use the no form to restore the default value.

Syntax
ipv6 mld proxy unsolicited-report-interval seconds
no ipv6 mld proxy unsolicited-report-interval
seconds - The interval at which to issue unsolicited reports.
23 LLDP Commands

Link Layer Discovery Protocol (LLDP) is used to discover basic information about neighboring devices on the local broadcast domain. LLDP is a Layer 2 protocol that uses periodic broadcasts to advertise information about the sending device. Advertised information is represented in Type Length Value (TLV) format according to the IEEE 802.1AB standard, and can include details such as device identification, capabilities and configuration settings.
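The TLV layout described above, as an added example that is not part of this guide or of the switch software: a Python decoder that walks an LLDPDU (each TLV begins with a 7-bit type and a 9-bit length) and lists which optional TLVs a port is advertising to its neighbors. The LLDPDU bytes are constructed for illustration; the chassis ID and system description reuse values shown in this guide's show lldp info local-device output, while the port ID, TTL, system name and VLAN name are assumed.

```python
import struct

# TLV type codes from IEEE 802.1AB; types 0-3 are mandatory in every LLDPDU.
TLV_NAMES = {0: "End of LLDPDU", 1: "Chassis ID", 2: "Port ID", 3: "Time To Live",
             4: "Port Description", 5: "System Name", 6: "System Description",
             7: "System Capabilities", 8: "Management Address"}
MANDATORY = {0, 1, 2, 3}
ORG_SPECIFIC = 127
# OUIs that prefix organizationally specific TLVs (802.1, 802.3, LLDP-MED).
OUI_NAMES = {bytes.fromhex("0080c2"): "IEEE 802.1",
             bytes.fromhex("00120f"): "IEEE 802.3",
             bytes.fromhex("0012bb"): "LLDP-MED"}
CAPABILITY_BITS = ["Other", "Repeater", "Bridge", "WLAN AP", "Router",
                   "Telephone", "DOCSIS", "Station Only"]


def build_tlv(tlv_type, value):
    """Encode one TLV: 7-bit type and 9-bit length packed into two octets."""
    if not 0 <= tlv_type <= 127 or len(value) > 511:
        raise ValueError("type or length out of range")
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def parse_lldpdu(data):
    """Return [(type, value), ...]; raise ValueError if the LLDPDU is malformed."""
    tlvs, offset = [], 0
    while True:
        if offset + 2 > len(data):
            raise ValueError("missing End of LLDPDU or truncated TLV header")
        (header,) = struct.unpack_from("!H", data, offset)
        tlv_type, length = header >> 9, header & 0x01FF
        offset += 2
        if offset + length > len(data):
            raise ValueError("TLV type %d overruns the frame" % tlv_type)
        tlvs.append((tlv_type, data[offset:offset + length]))
        offset += length
        if tlv_type == 0:
            break
    if [t for t, _ in tlvs[:3]] != [1, 2, 3]:
        raise ValueError("first three TLVs must be Chassis ID, Port ID, TTL")
    return tlvs


def ttl_seconds(tlvs):
    """How long the receiver keeps this sender's information without an update."""
    for tlv_type, value in tlvs:
        if tlv_type == 3:
            if len(value) != 2:
                raise ValueError("Time To Live TLV must carry exactly 2 octets")
            return struct.unpack("!H", value)[0]
    raise ValueError("no Time To Live TLV")


def capabilities(tlvs):
    """Decode the System Capabilities TLV into (supported, enabled) name lists."""
    def decode(bits):
        return [name for i, name in enumerate(CAPABILITY_BITS) if (bits >> i) & 1]
    for tlv_type, value in tlvs:
        if tlv_type == 7 and len(value) == 4:
            supported, enabled = struct.unpack("!HH", value)
            return decode(supported), decode(enabled)
    return [], []


def optional_tlvs(tlvs):
    """Name every non-mandatory TLV: what the port tells neighbors beyond the minimum."""
    names = []
    for tlv_type, value in tlvs:
        if tlv_type in MANDATORY:
            continue
        if tlv_type == ORG_SPECIFIC and len(value) >= 4:
            org = OUI_NAMES.get(value[:3], value[:3].hex())
            names.append("%s subtype %d" % (org, value[3]))
        else:
            names.append(TLV_NAMES.get(tlv_type, "type %d" % tlv_type))
    return names


# Constructed sample LLDPDU (the payload that follows the Ethernet header).
SAMPLE_LLDPDU = b"".join([
    build_tlv(1, b"\x04" + bytes.fromhex("00e00c0200fd")),  # chassis ID, subtype 4 = MAC
    build_tlv(2, b"\x05" + b"Eth 1/1"),                     # port ID, subtype 5 = ifName (assumed)
    build_tlv(3, struct.pack("!H", 120)),                   # TTL in seconds (assumed)
    build_tlv(5, b"sw1"),                                   # system name (assumed)
    build_tlv(6, b"AOS5700-54X"),                           # system description
    build_tlv(7, struct.pack("!HH", 0x0014, 0x0014)),       # Bridge + Router, supported/enabled
    build_tlv(127, bytes.fromhex("0080c2") + b"\x03"        # 802.1 VLAN Name TLV (assumed values)
              + struct.pack("!HB", 1, 11) + b"DefaultVlan"),
    build_tlv(0, b""),
])

if __name__ == "__main__":
    parsed = parse_lldpdu(SAMPLE_LLDPDU)
    print("TTL:", ttl_seconds(parsed), "seconds")
    print("Capabilities (supported, enabled):", capabilities(parsed))
    for name in optional_tlvs(parsed):
        print("advertises:", name)
```

Each optional TLV reported by optional_tlvs corresponds to one of the lldp basic-tlv, dot1-tlv, dot3-tlv or med-tlv settings in this chapter, which can be turned off per interface with the no form.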
Table 131: LLDP Commands (Continued)

Command                               Function                                                                           Mode
lldp basic-tlv system-description     Configures an LLDP-enabled port to advertise the system description               IC
lldp basic-tlv system-name            Configures an LLDP-enabled port to advertise its system name                      IC
lldp dcbx-tlv ets-config              Configures an LLDP-enabled port to advertise ETS configuration settings           IC
lldp dcbx-tlv ets-recommend           Configures an LLDP-enabled port to advertise ETS recommendation information       IC
lldp dc
Table 131: LLDP Commands (Continued)

Command                          Function                                                                                   Mode
show lldp info remote-device     Shows LLDP global and interface-specific configuration settings for remote devices        PE
show lldp info statistics        Shows statistical counters for all LLDP-enabled interfaces                                 PE

* Vendor-specific options may or may not be advertised by neighboring devices.

lldp
This command enables LLDP globally on the switch. Use the no form to disable LLDP.
Command Usage
◆ The time-to-live tells the receiving LLDP agent how long to retain all information pertaining to the sending LLDP agent if it does not transmit updates in a timely manner.
◆ If the local interface attached to a remote device is shut down or otherwise disabled, information about the remote device is purged immediately.
lldp notification-interval
This command configures the allowed interval for sending SNMP notifications about LLDP MIB changes. Use the no form to restore the default setting.

Syntax
lldp notification-interval seconds
no lldp notification-interval
seconds - Specifies the periodic interval at which SNMP notifications are sent.
Example
Console(config)#lldp refresh-interval 60
Console(config)#

lldp reinit-delay
This command configures the delay before attempting to re-initialize after LLDP ports are disabled or the link goes down. Use the no form to restore the default setting.

Syntax
lldp reinit-delay seconds
no lldp reinit-delay
seconds - Specifies the delay before attempting to re-initialize LLDP.
Command Usage
◆ The transmit delay is used to prevent a series of successive LLDP transmissions during a short period of rapid changes in local LLDP MIB objects, and to increase the probability that multiple, rather than single changes, are reported in each transmission.
Command Mode
Interface Configuration (Ethernet, Port Channel)

Command Usage
◆ The management address protocol packet includes the IPv4 address of the switch. If no management address is available, the address should be the MAC address for the CPU or for the port sending this advertisement.
Example
Console(config)#interface ethernet 1/1
Console(config-if)#lldp basic-tlv port-description
Console(config-if)#

lldp basic-tlv system-capabilities
This command configures an LLDP-enabled port to advertise its system capabilities. Use the no form to disable this feature.
Example
Console(config)#interface ethernet 1/1
Console(config-if)#lldp basic-tlv system-description
Console(config-if)#

lldp basic-tlv system-name
This command configures an LLDP-enabled port to advertise the system name. Use the no form to disable this feature.
◆ If you configure ETS on an interface (using the ets mode command), DCBX advertises each priority group on the interface, the priorities in each priority group, and the bandwidth properties of each priority group and priority.
◆ If you do not configure ETS on an interface, DCBX advertises the default priority group, its priorities, and the assigned bandwidth.
lldp dcbx-tlv pfc-config
This command configures an LLDP-enabled port to advertise PFC configuration settings. Use the no form to disable this feature.

Syntax
[no] lldp dcbx-tlv pfc-config

Default Setting
Enabled

Command Mode
Interface Configuration (Ethernet)

Command Usage
After enabling PFC on a switch interface (using the pfc mode command), DCBX uses autonegotiation to control the operational state of the PFC functionality.
lldp dot1-tlv proto-vid
This command configures an LLDP-enabled port to advertise port-based protocol VLAN information. Use the no form to disable this feature.

Syntax
[no] lldp dot1-tlv proto-vid

Default Setting
Enabled

Command Mode
Interface Configuration (Ethernet, Port Channel)

Command Usage
This option advertises the port-based protocol VLANs configured on this interface.
lldp dot1-tlv vlan-name
This command configures an LLDP-enabled port to advertise its VLAN name. Use the no form to disable this feature.

Syntax
[no] lldp dot1-tlv vlan-name

Default Setting
Enabled

Command Mode
Interface Configuration (Ethernet, Port Channel)

Command Usage
This option advertises the name of all VLANs to which this interface has been assigned. See switchport allowed vlan.
lldp dot3-tlv mac-phy
This command configures an LLDP-enabled port to advertise its MAC and physical layer capabilities. Use the no form to disable this feature.

Syntax
[no] lldp dot3-tlv mac-phy

Default Setting
Enabled

Command Mode
Interface Configuration (Ethernet, Port Channel)

Command Usage
This option advertises MAC/PHY configuration/status which includes information about auto-negotiation support/capabilities, and operational Multistation Access Unit (MAU) type.
lldp med-location civic-addr
This command configures an LLDP-MED-enabled port to advertise its location identification details. Use the no form to restore the default settings.

Syntax
lldp med-location civic-addr [[country country-code] | [what device-type] | [ca-type ca-value]]
no lldp med-location civic-addr [[country] | [what] | [ca-type]]
country-code – The two-letter ISO 3166 country code in capital ASCII letters.
Table 132: LLDP MED Location CA Types (Continued)

CA Type   Description                                      CA Value Example
4         City division, borough, city district            West Irvine
5         Neighborhood, block                              Riverside
6         Group of streets below the neighborhood level    Exchange
18        Street suffix or type                            Avenue
19        House number                                     320
20        House number suffix                              A
21        Landmark or vanity address                       Tech Center
26        Unit (apartment, suite)                          Apt 519
27        Floor                                            5
28        Room                                             509B

Any number of CA type and value pairs can be
Default Setting
Disabled

Command Mode
Interface Configuration (Ethernet, Port Channel)

Command Usage
◆ This option sends out SNMP trap notifications to designated target stations at the interval specified by the lldp notification-interval command. Trap notifications include information about state changes in the LLDP MIB (IEEE 802.1AB), the LLDP-MED MIB (ANSI/TIA 1057), or organization-specific LLDP-EXT-DOT1 and LLDP-EXT-DOT3 MIBs.
Example
Console(config)#interface ethernet 1/1
Console(config-if)#no lldp med-tlv inventory
Console(config-if)#

lldp med-tlv location
This command configures an LLDP-MED-enabled port to advertise its location identification details. Use the no form to disable this feature.

Syntax
[no] lldp med-tlv location

Default Setting
Enabled

Command Mode
Interface Configuration (Ethernet, Port Channel)

Command Usage
This option advertises location identification details.
Example
Console(config)#interface ethernet 1/1
Console(config-if)#lldp med-tlv med-cap
Console(config-if)#

lldp med-tlv network-policy
This command configures an LLDP-MED-enabled port to advertise its network policy configuration. Use the no form to disable this feature.
notifications include information about state changes in the LLDP MIB (IEEE 802.1AB), or organization-specific LLDP-EXT-DOT1 and LLDP-EXT-DOT3 MIBs.
◆ SNMP trap destinations are defined using the snmp-server host command.
◆ Information about additional changes in LLDP neighbors that occur between SNMP notifications is not transmitted. Only state changes that exist at the time of a trap notification are included in the transmission.
Eth 1/3   Tx-Rx   True
Eth 1/4   Tx-Rx   True
Eth 1/5   Tx-Rx   True
.
.
.
Console#show lldp config detail ethernet 1/1
LLDP Port Configuration Detail
 Port                           :
 Admin Status                   :
 Notification Enabled           :
 Basic TLVs Advertised          :
 802.1 specific TLVs Advertised :
 802.
Example
Console#show lldp info local-device
LLDP Local Global Information
 Chassis Type                : MAC Address
 Chassis ID                  : 00-E0-0C-02-00-FD
 System Name                 :
 System Description          : AOS5700-54X
 System Capabilities Support : Bridge, Router
 System Capabilities Enabled : Bridge, Router
 Management Address          : 192.168.0.
Example
Note that an IP phone or other end-node device which advertises LLDP-MED capabilities must be connected to the switch for information to be displayed in the “Device Class” field.
ETS Configuration
 Willing                      : False
 CBS                          : False
 Number of TCs supported      : 3
 Priority Assignment Table    : [0]00 [1]00 [2]00 [3]00
                                [4]00 [5]00 [6]00 [7]00
 Traffic Class Bandwidth(Hex) : [0]00 [1]00 [2]00 [3]00
                                [4]00 [5]00 [6]00 [7]00
 Traffic Selection Algorithm  : [0]0 [1]0 [2]0 [3]0
                                [4]0 [5]0 [6]0 [7]0
                                [4]0 [5]0 [6]0 [7]0
PFC Configuration
 Willing                      : False
 MBC                          : True
 Max PFC classes supported    : 8
 PFC Enable Vector            : [0]0 [1]0 [2]0 [3]0 [4]0 [5]0 [6]0 [7]0
---------------
 Location Identification
 Extended Power via MDI - PSE
 Inventory
Location Identification :
 Location Data Format : Civic Address LCI
 Country Name         : TW
 What                 : 2
Extended Power via MDI :
 Power Type           : PSE
 Power Source         : Unknown
 Power Priority       : Unknown
 Power Value          : 0 Watts
Inventory :
 Hardware Revision    : R01
 Firmware Revision    : 1.2.2.1
 Software Revision    : 1.2.2.
 Serial Number
 Manufacture Name
 Model Name
 Asset ID
Eth 1/2   11   12
Eth 1/3    0    0
Eth 1/4    0    0
Eth 1/5    0    0
.
.
.
24 CFM Commands

Connectivity Fault Management (CFM) is an OAM protocol that includes proactive connectivity monitoring using continuity check messages, fault verification through loop back messages, and fault isolation by examining end-to-end connections between provider edge devices or between customer edge devices. CFM is implemented as a service level protocol based on service instances which encompass only that portion of the metropolitan area network supporting a specific customer.
Table 133: CFM Commands (Continued)

Command                 Function                                                                                                              Mode
ma index name-format    Specifies the name format for the maintenance association as IEEE 802.1ag character based, or ITU-T SG13/SG15 Y.     CFM
Table 133: CFM Commands (Continued)

Command                                                   Function                                                                                                                                                        Mode
ethernet cfm mep crosscheck                               Enables cross-checking between the list of configured remote MEPs within a maintenance association and MEPs learned through continuity check messages          PE
show ethernet cfm maintenance-points remote crosscheck    Displays information about remote maintenance points configured statically in a cross-check list                                                               PE
ethernet cfm linktrace cache                              Enables caching of CFM data learned through link tra
Chapter 24 | CFM Commands
Defining CFM Structures

4. Enter a static list of MEPs assigned to other devices within the same maintenance association using the mep crosscheck mpid command. This allows CFM to automatically verify the functionality of these remote end points by cross-checking the static list configured on this device against information learned through continuity check messages.
5. Enable CFM globally on the switch with the ethernet cfm enable command.
6.
Example
This example sets the maintenance level for sending AIS messages within the specified MA.

Console(config)#ethernet cfm ais level 4 md voip ma rd
Console(config)#

ethernet cfm ais ma
This command enables the MEPs within the specified MA to send frames with AIS information following detection of defect conditions. Use the no form to disable this feature.

Syntax
[no] ethernet cfm ais md domain-name ma ma-name
domain-name – Domain name.
ethernet cfm ais period
This command configures the interval at which AIS information is sent. Use the no form to restore the default setting.

Syntax
ethernet cfm ais period period md domain-name ma ma-name
no ethernet cfm ais period md domain-name ma ma-name
period – The interval at which AIS information is sent. (Options: 1 second, 60 seconds)
domain-name – Domain name. (Range: 1-43 alphanumeric characters)
ma-name – Maintenance association name.
with AIS information. More importantly, it cannot determine the associated subset of its peer MEPs for which it should suppress alarms since the received AIS information does not contain that information. Therefore, upon reception of a frame with AIS information, the MEP will suppress alarms for all peer MEPs whether there is still connectivity or not.
Default Setting
No maintenance domains are configured.
No MIPs are created for any MA in the specified domain.

Command Mode
Global Configuration

Command Usage
◆ A domain can only be configured with one name.
◆ Where domains are nested, an upper-level hierarchical domain must have a higher maintenance level than the ones it encompasses. The higher to lower level domain types commonly include entities such as customer, service provider, and operator.
which can only validate received CFM messages, and respond to loop back and link trace messages. The MIP creation method defined by the ma index name command takes precedence over the method defined by this command.

Example
This example creates a maintenance domain set to maintenance level 3, and enters CFM configuration mode for this domain.
ma index name
This command creates a maintenance association (MA) within the current maintenance domain, maps it to a customer service instance (S-VLAN), and sets the manner in which MIPs are created for this service instance. Use the no form with the vlan keyword to remove the S-VLAN from the specified MA. Or use the no form with only the index keyword to remove the MA from the current domain.
◆ Before removing an MA, first remove all the MEPs configured for it (see the mep crosscheck mpid command).
◆ If the MIP creation method is not defined by this command, the creation method defined by the ethernet cfm domain command is applied to this MA. For a detailed description of the MIP types, refer to the Command Usage section under the ethernet cfm domain command.
ethernet cfm mep
This command sets an interface as a domain boundary, defines it as a maintenance end point (MEP), and sets direction of the MEP in regard to sending and receiving CFM messages. Use the no form to delete a MEP.

Syntax
ethernet cfm mep mpid mpid md domain-name ma ma-name [up]
no ethernet cfm mep mpid mpid ma ma-name
mpid – Maintenance end point identifier. (Range: 1-8191)
domain-name – Domain name.
ethernet cfm port-enable
This command enables CFM processing on an interface. Use the no form to disable CFM processing on an interface.

Syntax
[no] ethernet cfm port-enable

Default Setting
Enabled

Command Mode
Interface Configuration (Ethernet, Port Channel)

Command Usage
◆ An interface must be enabled before a MEP can be created with the ethernet cfm mep command.
Command Usage
This command can be used to clear AIS defect entries if a MEP does not exit the AIS state when all errors are resolved.

Example
This example clears AIS defect entries on port 1.

Console#clear ethernet cfm ais mpid 1 md voip ma rd
Console(config)#

show ethernet cfm configuration
This command displays CFM configuration settings, including global settings, SNMP traps, and interface settings.
This example shows the configuration status for continuity check and cross-check traps.
show ethernet cfm md
This command displays the configured maintenance domains.

Syntax
show ethernet cfm md [level level]
level – Maintenance level. (Range: 0-7)

Default Setting
None

Command Mode
Privileged Exec

Example
This example shows all configured maintenance domains.

Console#show ethernet cfm md
MD Index MD Name             Level MIP Creation Archive Hold Time (m.
-------- ------------------- ----  -----------
       1 rd                     0  default
Console#
show ethernet cfm maintenance-points local
This command displays the maintenance points configured on this device.

Syntax
show ethernet cfm maintenance-points local {mep [domain domain-name | interface interface | level level-id] | mip [domain domain-name | level level-id]}
mep – Displays only local maintenance end points.
mip – Displays only local maintenance intermediate points.
domain-name – Domain name.
show ethernet cfm maintenance-points local detail mep
This command displays detailed CFM information about a local MEP in the continuity check database.

Syntax
show ethernet cfm maintenance-points local detail mep [domain domain-name | interface interface | level level-id]
domain-name – Domain name. (Range: 1-43 alphanumeric characters)
interface – Displays CFM status for the specified interface.
  ethernet unit/port
    unit - Unit identifier.
Table 135: show ethernet cfm maintenance-points local detail mep - display

Field      Description
MPID       MEP identifier
MD Name    The maintenance domain for this entry.
Default Setting
None

Command Mode
Privileged Exec

Command Usage
Use the mpid keyword with this command to display information about a specific maintenance point, or use the mac keyword to display information about all maintenance points that have the specified MAC address.

Example
This example shows detailed information about the remote MEP designated by MPID 2.
Chapter 24 | CFM Commands
Continuity Check Operations

Table 136: show ethernet cfm maintenance-points remote detail - display

Field         Description
Port State    Port states include:
              Up – The port is functioning normally.
              Blocked – The port has been blocked by the Spanning Tree Protocol.
              No port state – Either no CCM has been received, or no port status TLV was received in the last CCM.
CCMs are issued should therefore be configured to detect connectivity problems in a timely manner, as dictated by the nature and size of the MA.
◆ The maintenance of a MIP CCM database by a MIP presents some difficulty for bridges carrying a large number of Service Instances, and for those whose MEPs are issuing CCMs at a high frequency. For this reason, slower CCM transmission rates may have to be used.
◆ If a maintenance point receives a CCM with an invalid MEPID or MA level or an MA level lower than its own, a failure is registered which indicates a configuration error or cross-connect error (i.e., overlapping MAs).

Example
This example enables continuity check messages for the specified maintenance association.
Example
This example enables SNMP traps for mep-up events.

Console(config)#snmp-server enable traps ethernet cfm cc mep-up
Console(config)#

Related Commands
ethernet cfm mep crosscheck (709)

mep archive-hold-time
This command sets the time that data from a missing MEP is retained in the continuity check message (CCM) database before being purged. Use the no form to restore the default setting.
Default Setting
None

Command Mode
Privileged Exec

Command Usage
Use this command without any keywords to clear all entries in the CCM database. Use the domain keyword to clear the CCM database for a specific domain, or the level keyword to clear it for a specific maintenance level.
show ethernet cfm errors
This command displays the CFM continuity check errors logged on this device.

Syntax
show ethernet cfm errors [domain domain-name | level level-id]
domain-name – Domain name. (Range: 1-43 alphanumeric characters)
level-id – Authorized maintenance level for this domain.
Cross Check Operations

ethernet cfm mep crosscheck start-delay
This command sets the maximum delay that a device waits for remote MEPs to come up before starting the cross-check operation. Use the no form to restore the default setting.

Syntax
ethernet cfm mep crosscheck start-delay delay
delay – The time a device waits for remote MEPs to come up before the cross-check is started.
Default Setting
All continuity checks are enabled.

Command Mode
Global Configuration

Command Usage
◆ For this trap type to function, cross-checking must be enabled on the required maintenance associations using the ethernet cfm mep crosscheck command.
Command Usage
◆ Use this command to statically configure remote MEPs that exist inside the maintenance association. These remote MEPs are used in the cross-check operation to verify that all endpoints in the specified MA are operational.
◆ Remote MEPs can only be configured with this command if domain service access points (DSAPs) have already been created with the ethernet cfm mep command at the same maintenance level and in the same MA.
Chapter 24 | CFM Commands
Link Trace Operations

◆ The cross-check process is disabled by default, and must be manually started using this command with the enable keyword.

Example
This example enables cross-checking within the specified maintenance association.

Console#ethernet cfm mep crosscheck enable md voip ma rd
Console#

show ethernet cfm maintenance-points
This command displays information about remote MEPs statically configured in a cross-check list.
Command Mode
Global Configuration

Command Usage
◆ A link trace message is a multicast CFM frame initiated by a MEP, and forwarded from MIP to MIP, with each MIP generating a link trace reply, up to the point at which the link trace message reaches its destination or can no longer be forwarded.
◆ Use this command to enable the link trace cache to store the results of link trace operations initiated on this device.
Example
This example sets the aging time for entries in the link trace cache to 60 minutes.

Console(config)#ethernet cfm linktrace cache hold-time 60
Console(config)#

ethernet cfm linktrace cache size
This command sets the maximum size for the link trace cache. Use the no form to restore the default setting.

Syntax
ethernet cfm linktrace cache size entries
entries – The number of link trace responses stored in the link trace cache.
source-mpid – The identifier of a source MEP that will send the link trace message. (Range: 1-8191)
mac-address – MAC address of a remote MEP that is the target of the link trace message. This address can be entered in either of the following formats: xx-xx-xx-xx-xx-xx or xxxxxxxxxxxx
domain-name – Domain name. (Range: 1-43 alphanumeric characters)
ma-name – Maintenance association name.
clear ethernet cfm linktrace-cache
This command clears link trace messages logged on this device.

Command Mode
Privileged Exec

Example
Console#clear ethernet cfm linktrace-cache
Console#

show ethernet cfm linktrace-cache
This command displays the contents of the link trace cache.

Command Mode
Privileged Exec

Example
Console#show ethernet cfm linktrace-cache
Hops MA             IP / Alias             Forwarded
---- -------------- ----------------------
   2 rd             192.168.0.
Chapter 24 | CFM Commands
Loopback Operations

Table 138: show ethernet cfm linktrace-cache - display description (Continued)

Field          Description
Egr. Action    Action taken on the egress port:
               EgrOk – The targeted data frame was forwarded.
               EgrDown – The Egress Port can be identified, but that bridge port’s MAC_Operational parameter is false.
               EgrBlocked – The egress port can be identified, but the data frame was not passed through the egress port due to active topology management, i.e.
Chapter 24 | CFM Commands Fault Generator Operations
Command Usage
◆ Use this command to test the connectivity between maintenance points. If the continuity check database does not have an entry for the specified maintenance point, an error message will be displayed.
◆ The point from which the loopback message is transmitted (i.e., the DSAP) and the target maintenance point specified in this command must be within the same MA.
more defects indicated, and fault alarms are enabled at or above the priority level set by the mep fault-notify lowest-priority command.
Example
This example sets the delay time before generating a fault alarm.
◆ Priority defects include the following items:
Table 139: Remote MEP Priority Levels
Priority Level  Level Name     Description
1               allDef         All defects.
2               macRemErrXcon  DefMACstatus, DefRemoteCCM, DefErrorCCM, or DefXconCCM.
3               remErrXcon     DefErrorCCM, DefXconCCM or DefRemoteCCM.
4               errXcon        DefErrorCCM or DefXconCCM.
5               xcon           DefXconCCM
6               noXcon         No defects DefXconCCM or lower are to be reported.
Default Setting
10 seconds
Command Mode
CFM Domain Configuration
Example
This example sets the reset time after which another fault alarm can be generated.
Console(config)#ethernet cfm domain index 1 name voip level 3
Console(config-ether-cfm)#mep fault-notify reset-time 7
Console(config-ether-cfm)#

show ethernet cfm This command displays configuration settings for the fault notification generator.
Chapter 24 | CFM Commands Delay Measure Operations
Table 141: show fault-notify-generator - display description (Continued)
Field       Description
Alarm Time  The time a defect must exist before a fault alarm is issued (see the mep fault-notify alarm-time command).
Reset Time  The time after a fault alarm has been issued, and no defect exists, before another fault alarm can be issued (see the mep fault-notify reset-time command).
Command Usage
◆ Delay measurement can be used to measure frame delay and frame delay variation between MEPs.
◆ A local MEP must be configured for the same MA before you can use this command.
◆ If a MEP is enabled to generate frames with delay measurement (DM) information, it periodically sends DM frames to its peer MEP in the same MA, and expects to receive DM frames back from it.
25 Domain Name Service Commands

These commands are used to configure Domain Naming System (DNS) services. Entries can be manually configured in the DNS domain name to IP address mapping table, default domain names configured, or one or more name servers specified to use for domain name to address translation. Note that domain name services will not be enabled until at least one name server is specified with the ip name-server command and domain lookup is enabled with the ip domain-lookup command.
Chapter 25 | Domain Name Service Commands
ip domain-list
This command defines a list of domain names that can be appended to incomplete host names (i.e., host names passed from a client that are not formatted with dotted notation). Use the no form to remove a name from this list.
Syntax
[no] ip domain-list name
name - Name of the host. Do not include the initial dot that separates the host name from the domain name.
ip domain-lookup
This command enables DNS host name-to-address translation. Use the no form to disable DNS.
Syntax
[no] ip domain-lookup
Default Setting
Disabled
Command Mode
Global Configuration
Command Usage
If one or more name servers are configured, but DNS is not yet enabled and the switch receives a DHCP packet containing a DNS field with a list of DNS servers, then the switch will automatically enable DNS host name-to-address translation.
Default Setting
None
Command Mode
Global Configuration
Example
Console(config)#ip domain-name sample.com
Console(config)#end
Console#show dns
Domain Lookup Status:
    DNS Disabled
Default Domain Name:
    sample.com
Domain Name List:
Name Server List:
Console#
Related Commands
ip domain-list (724)
ip name-server (727)
ip domain-lookup (725)

ip host
This command creates a static entry in the DNS table that maps a host name to an IPv4 address.
No.  Flag Type    IP Address           TTL   Domain
---- ---- ------- -------------------- ----- ------------------------------
   0    2 Address 192.168.1.55               rd5
Console#

ip name-server
This command specifies the address of one or more domain name servers to use for name-to-address resolution. Use the no form to remove a name server from this list.
Syntax
[no] ip name-server server-address1 [server-address2 … server-address6]
server-address1 - IPv4 or IPv6 address of domain-name server.
ipv6 host
This command creates a static entry in the DNS table that maps a host name to an IPv6 address. Use the no form to remove an entry.
Syntax
[no] ipv6 host name ipv6-address
name - Name of an IPv6 host. (Range: 1-127 characters)
ipv6-address - Corresponding IPv6 address. This address must be entered according to RFC 2373 “IPv6 Addressing Architecture,” using 8 colon-separated 16-bit hexadecimal values.
clear host
This command deletes dynamic entries from the DNS table.
Syntax
clear host {name | *}
name - Name of the host. (Range: 1-100 characters)
* - Removes all entries.
Default Setting
None
Command Mode
Privileged Exec
Command Usage
Use the clear host command to clear dynamic entries, or the no ip host command to clear static entries.
Example
This example clears all dynamic entries from the DNS table.
show dns cache
This command displays entries in the DNS cache.
Command Mode
Privileged Exec
Example
Console#show dns cache
No.     Flag    Type    IP Address      TTL     Host
------- ------- ------- --------------- ------- --------
3       4       Host    209.131.36.158  115     www-real.wa1.b.yahoo.com
4       4       CNAME   POINTER TO:3    115     www.yahoo.com
5       4       CNAME   POINTER TO:3    115     www.wa1.b.yahoo.com
Console#

Table 143: show dns cache - display description
Field Description
No.
Table 144: show hosts - display description
Field  Description
No.    The entry number for each resource record.
Flag   The field displays “2” for a static entry, or “4” for a dynamic entry stored in the cache.
Type   This field includes “Address” which specifies the primary name for the owner, and “CNAME” which specifies multiple domain names (or aliases) which are mapped to the same IP address as an existing entry.
26 DHCP Commands

These commands are used to configure Dynamic Host Configuration Protocol (DHCP) client, relay, and server functions. Any VLAN interface can be configured to automatically obtain an IPv4 address through DHCP. This switch can be configured to relay DHCP client configuration requests to a DHCP server on another network.
Chapter 26 | DHCP Commands DHCP Client
Default Setting
Class identifier option enabled, with the name AOS5700-54X
Command Mode
Interface Configuration (VLAN)
Command Usage
◆ Use this command without any keyword to restore the default setting.
◆ This command is used to identify the vendor class and configuration of the switch to the DHCP server, which then uses this information to decide on how to service the client or the type of information to return.
◆ Note that the vendor class identifier can be formatted in either text or hexadecimal using the ip dhcp client class-id command, but the format used by both the client and server must be the same.
Example
Console(config)#interface vlan 2
Console(config-if)#ip dhcp client class-id hex 0000e8666572
Console(config-if)#
Related Commands
ip dhcp restart client (735)

ip dhcp restart client
This command submits a DHCP client request.
Related Commands
ip address (742)

ipv6 dhcp client rapid-commit vlan
This command specifies the Rapid Commit option for DHCPv6 message exchange for all DHCPv6 client requests submitted from the specified interface. Use the no form to disable this option.
Syntax
[no] ipv6 dhcp client rapid-commit vlan vlan-list
vlan-list - VLAN ID, specified as a single number, a range of consecutive numbers separated by a hyphen, or multiple numbers separated by commas.
Chapter 26 | DHCP Commands DHCP Relay

DHCP Relay
This section describes commands used to configure DHCP relay functions for host devices attached to the switch.
Related Commands
ip dhcp restart relay (738)

ip dhcp restart relay
This command enables DHCP relay for the specified VLAN. Use the no form to disable it.
Syntax
ip dhcp restart relay
Default Setting
Disabled
Command Mode
Privileged Exec
Command Usage
This command is used to configure DHCP relay functions for host devices attached to the switch.
DHCP for IPv6

ipv6 dhcp relay destination
This command specifies a DHCPv6 server or the VLAN to which client requests are forwarded, and also enables DHCPv6 relay service on this interface. Use the no form to disable this service.
Syntax
ipv6 dhcp relay destination {ipv6-address | multicast {all | vlan vlan-id}}
no ipv6 dhcp relay destination [ipv6-address | multicast {all | vlan vlan-id}]
ipv6-address - IPv6 address of a DHCPv6 server or another relay server.
Example
In the following example, the device is reassigned the same address.
Console(config)#interface vlan 1
Console(config-if)#ipv6 dhcp relay destination multicast vlan 2
Console(config-if)#
Console#

show ipv6 dhcp relay destination
This command displays a DHCPv6 server or the VLAN to which client requests are forwarded.
27 IP Interface Commands

An IP Version 4 and Version 6 address may be used for management access to the switch over the network. Both IPv4 and IPv6 addresses can be used simultaneously to access the switch. You can manually configure a specific IPv4 or IPv6 address or direct the switch to obtain an IPv4 address from a DHCP server when it is powered on. To ensure that this router resides at a known location in the network, a global IPv6 address can only be manually configured.
Chapter 27 | IP Interface Commands IPv4 Interface

Basic IPv4 Configuration
This section describes commands used to configure IP addresses for VLAN interfaces on the switch.
segment that is connected to that interface, and allows you to send IP packets to or from the router.
◆ Before any network interfaces are configured on the router, first create a VLAN for each unique user group, or for each network application and its associated users. Then assign the ports associated with each of these VLANs.
Example
In the following example, the device is assigned an address in VLAN 1.
Console(config)#interface vlan 1
Console(config-if)#ip address 192.168.1.5 255.255.255.0
Console(config-if)#
This example assigns an IP address to VLAN 2 using a classless network mask.
Console(config)#interface vlan 2
Console(config-if)#ip address 10.2.2.
This example shows that the no ip default-gateway command can be used to remove the active default gateway. Note that the active default gateway in the previous example was 192.168.1.224.
ip default-gateway
This command specifies the default gateway for destinations not found in the local routing tables. Use the no form to remove a default gateway.
Syntax
ip default-gateway gateway
no ip default-gateway
gateway - IP address of the default gateway
Default Setting
No default gateway is established.
Command Mode
Global Configuration
Command Usage
◆ The default gateway can also be defined using the following command: ip route 0.0.0.
Related Commands
ip address (742)
ip route (803)
ipv6 default-gateway (755)

show ip interface
This command displays the settings of an IPv4 interface.
show ip interface [vlan vlan-id]
vlan-id - VLAN ID (Range: 1-4094)
Default Setting
VLAN 1
Command Mode
Privileged Exec
Example
Console#show ip interface
VLAN 1 is Administrative Up - Link Down
Address is 70-72-CF-EA-1B-71
Index: 1001, MTU: 1500
Address Mode is DHCP
IP Address: 192.168.2.9 Mask: 255.255.255.
reassembly request datagrams
reassembly succeeded
reassembly failed
IP sent
forwards datagrams
5927 requests
discards
no routes
generated fragments
fragment succeeded
fragment failed
ICMP Statistics:
ICMP received
input errors
destination unreachable messages
time exceeded messages
parameter problem message
echo request messages
echo reply messages
redirect messages
timestamp request messages
timestamp reply messages
source quench messages
address mask requ
Default Setting
None
Command Mode
Privileged Exec
Command Usage
◆ Use the traceroute command to determine the path taken to reach a specified destination.
◆ A trace terminates when the destination responds, when the maximum timeout (TTL) is exceeded, or the maximum number of hops is exceeded.
◆ The traceroute command first sends probe datagrams with the TTL value set at one.
ping
This command sends (IPv4) ICMP echo request packets to another node on the network.
Syntax
ping host [count count] [size size]
host - IP address or alias of the host.
count - Number of packets to send. (Range: 1-16)
size - Number of bytes in a packet. (Range: 32-512) The actual packet size will be eight bytes larger than the size specified because the router adds header information.
Ping statistics for 10.1.0.9:
5 packets transmitted, 5 packets received (100%), 0 packets lost (0%)
Approximate round trip times:
Minimum = 0 ms, Maximum = 10 ms, Average = 8 ms
Console#
Related Commands
interface (360)

ARP Configuration
This section describes commands used to configure the Address Resolution Protocol (ARP) on the switch.
◆ You may need to put a static entry in the cache if there is no response to an ARP broadcast message. For example, some applications may not respond to ARP requests or the response arrives too late, causing network operations to time out.
◆ Static entries will not be aged out nor deleted when power is reset. A static entry can only be removed through the configuration interface.
Example
Console(config)#arp 10.1.0.
clear arp-cache
This command deletes all dynamic entries from the Address Resolution Protocol (ARP) cache.
Command Mode
Privileged Exec
Example
This example clears all dynamic entries in the ARP cache.
Console#clear arp-cache
This operation will delete all the dynamic entries in ARP Cache.
Do you want to continue this operation (y/n)?y
Console#

show arp
This command displays entries in the Address Resolution Protocol (ARP) cache.
Chapter 27 | IP Interface Commands IPv6 Interface

IPv6 Interface
This switch supports the following IPv6 interface commands.
Table 154: IPv6 Configuration Commands (Continued)
Command               Function                                                   Mode
show ipv6 nd raguard  Displays the configuration setting for RA Guard            PE
show ipv6 neighbors   Displays information in the IPv6 neighbor discovery cache  PE

Interface Address Configuration and Utilities

ipv6 default-gateway
This command sets an IPv6 default gateway to use for destinations with no known next hop. Use the no form to remove a previously configured default gateway.
Related Commands
ip route (803)
show ip route (805)
ip default-gateway (746)

ipv6 address
This command configures an IPv6 global unicast address and enables IPv6 on an interface. Use the no form without any arguments to remove all IPv6 addresses from the interface, or use the no form with a specific IPv6 address to remove that address from the interface.
Console(config-if)#end
Console#show ipv6 interface
VLAN 1 is up
IPv6 is enabled.
Link-local address:
  fe80::2e0:cff:fe02:fd%1/64
Global unicast address(es):
  2001:db8:2222:7272::72/96, subnet is 2001:db8:2222:7272::/96
Joined group address(es):
ff02::2
ff02::1:ff00:0
ff02::1:ff00:72
ff02::1:ff02:fd
ff02::1:2
ff02::1
IPv6 link MTU is 1500 bytes
ND DAD is enabled, number of DAD attempts: 1.
Command Usage
◆ The prefix must be formatted according to RFC 2373 “IPv6 Addressing Architecture,” using 8 colon-separated 16-bit hexadecimal values. One double colon may be used in the address to indicate the appropriate number of zeros required to fill the undefined fields.
◆ If a link local address has not yet been assigned to this interface, this command will dynamically generate a global unicast address and a link-local address for this interface.
ff02::1:ff00:0
ff02::1:ff00:72
ff02::1:ff02:fd
ff02::1:2
ff02::1
IPv6 link MTU is 1500 bytes
ND DAD is enabled, number of DAD attempts: 1.
Example
This example assigns a link-local address of FE80::269:3EF9:FE19:6779 to VLAN 1. Note that a prefix in the range of FE80~FEBF is required for link-local addresses, and the first 16-bit group in the host address is padded with a zero in the form 0269.
Console(config)#interface vlan 1
Console(config-if)#ipv6 address FE80::269:3EF9:FE19:6779 link-local
Console(config-if)#end
Console#show ipv6 interface
VLAN 1 is up
IPv6 is enabled.
host portion of the address is generated by converting the switch’s MAC address to modified EUI-64 format (see page 757). This address type makes the switch accessible over IPv6 for all devices attached to the same local subnet.
◆ If a duplicate address is detected on the local segment, this interface will be disabled and a warning message displayed on the console.
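The following Python sketch is an added example, not part of the switch software or this guide's own material. It carries out the modified EUI-64 conversion and the solicited-node group derivation, and checks them against the addresses shown in the show ipv6 interface examples in this chapter. The MAC address 00-E0-0C-02-00-FD is not printed in those examples; it is recovered from the link-local address fe80::2e0:cff:fe02:fd, which also shows that an EUI-64 address discloses the hardware address to anyone who sees it.

```python
import ipaddress
from typing import Optional

SOLICITED_NODE_BASE = int(ipaddress.IPv6Address("ff02::1:ff00:0"))


def mac_to_bytes(mac: str) -> bytes:
    """Parse xx-xx-xx-xx-xx-xx, xx:xx:xx:xx:xx:xx or xxxxxxxxxxxx."""
    digits = mac.replace("-", "").replace(":", "")
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return bytes.fromhex(digits)


def modified_eui64(mac: str) -> bytes:
    """Insert FF-FE in the middle of the MAC and invert the universal/local bit."""
    raw = mac_to_bytes(mac)
    return bytes([raw[0] ^ 0x02]) + raw[1:3] + b"\xff\xfe" + raw[3:]


def eui64_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Combine a /64 prefix with the interface identifier derived from the MAC."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 interface identifiers need a 64-bit prefix")
    iid = int.from_bytes(modified_eui64(mac), "big")
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def solicited_node(addr: str) -> ipaddress.IPv6Address:
    """Solicited-node group for a unicast address: ff02::1:ff00:0 plus its low 24 bits."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    return ipaddress.IPv6Address(SOLICITED_NODE_BASE | low24)


def mac_from_address(addr: str) -> Optional[str]:
    """Recover the MAC from an EUI-64 derived address, or None if it is not one."""
    iid = (int(ipaddress.IPv6Address(addr)) & (2**64 - 1)).to_bytes(8, "big")
    if iid[3:5] != b"\xff\xfe":
        return None  # manually assigned identifier, no MAC embedded
    raw = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return "-".join(f"{b:02X}" for b in raw)


if __name__ == "__main__":
    # Addresses taken from the console examples in this chapter.
    link_local = "fe80::2e0:cff:fe02:fd"
    mac = mac_from_address(link_local)
    print("MAC embedded in link-local address:", mac)
    print("Link-local rebuilt from MAC:      ", eui64_address("fe80::/64", mac))
    print("Global address with eui-64 prefix:", eui64_address("2001:db8:0:1::/64", mac))
    for unicast in (link_local, "2001:db8:2222:7272::72", "FE80::269:3EF9:FE19:6779"):
        print(f"{unicast} joins {solicited_node(unicast)}")
    # A manually configured address carries no MAC.
    print("MAC in 2001:db8:2222:7272::72:", mac_from_address("2001:db8:2222:7272::72"))
```
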
ipv6 mtu
This command sets the size of the maximum transmission unit (MTU) for IPv6 packets sent on an interface. Use the no form to restore the default setting.
Syntax
ipv6 mtu size
no ipv6 mtu
size - Specifies the MTU size. (Range: 1280-65535 bytes)
Default Setting
1500 bytes
Command Mode
Interface Configuration (VLAN)
Command Usage
◆ If a non-default value is configured, an MTU option is included in the router advertisements sent from this device.
show ipv6 interface
This command displays the usability and configured settings for IPv6 interfaces.
Syntax
show ipv6 interface [brief [vlan vlan-id [ipv6-prefix/prefix-length]]]
brief - Displays a brief summary of IPv6 operational status and the addresses configured for each interface.
vlan-id - VLAN ID (Range: 1-4094)
ipv6-prefix - The IPv6 network portion of the address assigned to the interface.
Table 155: show ipv6 interface - display description
Field  Description
VLAN   A VLAN is marked “up” if the switch can send and receive packets on this interface, “down” if a line signal is not present, or “administratively down” if the interface has been disabled by the administrator.
Craft Up Down Unassigned
Console#
Related Commands
show ip interface (747)

show ipv6 mtu
This command displays the maximum transmission unit (MTU) cache for destinations that have returned an ICMP packet-too-big message along with an acceptable MTU to this switch.
too big errors
no routes
address errors
unknown protocols
truncated packets
discards
delivers
reassembly request datagrams
reassembly succeeded
reassembly failed
IPv6 sent
forwards datagrams
15 requests
discards
no routes
generated fragments
fragment succeeded
fragment failed
ICMPv6 Statistics:
ICMPv6 received
input errors
destination unreachable messages
packet too big messages
time exceeded messages
parameter problem message
echo request messages
echo rep
Table 157: show ipv6 traffic - display description
Field           Description
IPv6 Statistics
IPv6 received
total received  The total number of input datagrams received by the interface, including those received in error.
header errors   The number of input datagrams discarded due to errors in their IPv6 headers, including version number mismatch, other format errors, hop count exceeded, IPv6 options, etc.
Table 157: show ipv6 traffic - display description (Continued)
Field               Description
IPv6 sent
forwards datagrams  The number of output datagrams which this entity received and forwarded to their final destinations. In entities which do not act as IPv6 routers, this counter will include only those packets which were Source-Routed via this entity, and the Source-Route processing was successful.
Table 157: show ipv6 traffic - display description (Continued)
Field                            Description
neighbor solicit messages        The number of ICMP Neighbor Solicit messages received by the interface.
neighbor advertisement messages  The number of ICMP Neighbor Advertisement messages received by the interface.
redirect messages                The number of Redirect messages received by the interface.
Table 157: show ipv6 traffic - display description (Continued)
Field           Description
no port errors  The total number of received UDP datagrams for which there was no application at the destination port.
other errors    The number of received UDP datagrams that could not be delivered for reasons other than the lack of an application at the destination port.
output          The total number of UDP datagrams sent from this entity.
Command Mode
Privileged Exec
Command Usage
◆ Use the ping6 command to see if another site on the network can be reached, or to evaluate delays over the path.
◆ The same link-local address may be used by different interfaces/nodes in different zones (RFC 4007). Therefore, when specifying a link-local address, include zone-id information indicating the VLAN identifier after the % delimiter.
max-failures - The maximum number of failures before which the trace route is terminated. (Range: 1-255)
Default Setting
Maximum failures: 5
Command Mode
Privileged Exec
Command Usage
◆ Use the traceroute6 command to determine the path taken to reach a specified destination.
◆ The same link-local address may be used by different interfaces/nodes in different zones (RFC 4007).
Neighbor Discovery

ipv6 hop-limit
This command configures the maximum number of hops used in router advertisements originated by this router. Use the no form to restore the default setting.
Syntax
ipv6 hop-limit hops
no ipv6 hop-limit
hops - The maximum number of hops in router advertisements and all IPv6 packets.
◆ Duplicate address detection determines if a new unicast IPv6 address already exists on the network before it is assigned to an interface.
◆ Duplicate address detection is stopped on any interface that has been suspended (see the vlan command). While an interface is suspended, all unicast IPv6 addresses assigned to that interface are placed in a “pending” state.
ND advertised router lifetime is 1800 seconds
Console#
Related Commands
ipv6 nd ns-interval (775)
show ipv6 neighbors (780)

ipv6 nd ns-interval
This command configures the interval between transmitting IPv6 neighbor solicitation messages on an interface. Use the no form to restore the default value.
Syntax
ipv6 nd ns-interval milliseconds
no ipv6 nd ns-interval
milliseconds - The interval between transmitting IPv6 neighbor solicitation messages.
Global unicast address(es):
  2001:db8:0:1:2e0:cff:fe02:fd/64, subnet is 2001:db8:0:1::/64[EUI]
  2001:db8:2222:7272::72/96, subnet is 2001:db8:2222:7272::/96
Joined group address(es):
ff02::2
ff02::1:ff19:6779
ff02::1:ff00:0
ff02::1:ff00:72
ff02::1:ff02:fd
ff02::1:2
ff02::1
IPv6 link MTU is 1500 bytes
ND DAD is enabled, number of DAD attempts: 5.
Example
Console(config)#interface ethernet 1/1
Console(config-if)#ipv6 nd raguard
Console(config-if)#

ipv6 nd reachable-time
This command configures the amount of time that a remote IPv6 node is considered reachable after some reachability confirmation event has occurred. Use the no form to restore the default setting.
ipv6 neighbor
This command configures a static entry in the IPv6 neighbor discovery cache. Use the no form to remove a static entry from the cache.
Syntax
ipv6 neighbor ipv6-address vlan vlan-id hardware-address
no ipv6 mtu
ipv6-address - The IPv6 address of a neighbor device that can be reached through one of the network interfaces configured on this switch.
Example
The following maps a static entry for global unicast address to a MAC address:
Console(config)#ipv6 neighbor 2009:DB9:2229::81 vlan 1 30-65-14-01-11-86
Console(config)#end
Console#show ipv6 neighbors
State: I1 - Incomplete, I2 - Invalid, R - Reachable, S - Stale, D - Delay, P1 - Probe, P2 - Permanent, U - Unknown
IPv6 Address       Age        Link-layer Addr    State  VLAN
2009:DB9:2229::80  956        12-34-11-11-43-21  R      1
2009:DB9:2229::81  Permanent  30-65-14-01-11-86  R      1
Example
Console#show ipv6 nd raguard interface ethernet 1/1
Interface RA Guard
--------- --------
Eth 1/ 1  Yes
Console#

show ipv6 neighbors
This command displays information in the IPv6 neighbor discovery cache.
Syntax
show ipv6 neighbors [vlan vlan-id | ipv6-address]
vlan-id - VLAN ID (Range: 1-4094)
ipv6-address - The IPv6 address of a neighbor device.
Chapter 27 | IP Interface Commands ND Snooping
Table 158: show ipv6 neighbors - display description (Continued)
Field  Description
State  The following states are used for dynamic entries:
       I1 (Incomplete) - Address resolution is being carried out on the entry. A neighbor solicitation message has been sent to the multicast address of the target, but it has not yet returned a neighbor advertisement message.
       I2 (Invalid) - An invalidated mapping.
packet to the target host. If it receives an NA packet in response, it knows that the target still exists and updates the lifetime of the binding; otherwise, it deletes the binding.

This section describes commands used to configure ND Snooping.
Command Mode
Global Configuration
Command Usage
◆ Use this command without any keywords to enable ND snooping globally on the switch. Use the VLAN keyword to enable ND snooping on a specific VLAN or a range of VLANs.
◆ Once ND snooping is enabled both globally and on the required VLANs, the switch will start monitoring RA messages to build an address prefix table as described below:
  ■ If an RA message is received on an untrusted interface, it is dropped.
Console(config)#ipv6 nd snooping
Console(config)#ipv6 nd snooping vlan 1
Console(config)#

ipv6 nd snooping auto-detect
This command enables automatic validation of dynamic user binding table entries by periodically sending NS messages and awaiting NA replies. Use the no form to disable this feature.
Command Usage
The timeout after which the switch will delete a dynamic user binding if no RA message is received is set to the retransmit count x the retransmit interval (see the ipv6 nd snooping auto-detect retransmit interval command). Based on the default settings, this is 3 seconds.
timeout – The time to wait for an RA message to confirm that a prefix entry is still valid. (Range: 3-1800 seconds)
Default Setting
Set to the valid lifetime field in received RA packet
Command Mode
Global Configuration
Command Usage
If ND snooping is enabled and an RA message is received on a trusted interface, the switch will add an entry in the prefix table based upon the Prefix Information contained in the message.
ipv6 nd snooping trust
This command configures a port as a trusted interface from which prefix information in RA messages can be added to the prefix table, or NS messages can be forwarded without validation. Use the no form to restore the default setting.
clear ipv6 nd snooping prefix
This command clears all entries in the address prefix table.
Syntax
clear ipv6 nd snooping prefix [interface vlan vlan-id]
vlan-id - VLAN ID.
Command Mode
Privileged Exec
Example
Console#show ipv6 nd snooping binding
MAC Address    IPv6 Address                           Lifetime   VLAN Interface
-------------- -------------------------------------- ---------- ---- ---------
0013-49aa-3926 2001:b001::211:95ff:fe84:cb9e          100        1    Eth 1/1
0012-cf01-0203 2001::1                                3400       2    Eth 1/2
Console#

show ipv6 nd This command shows all entries in the address prefix table.
28 VRRP Commands

Virtual Router Redundancy Protocol (VRRP) uses a virtual IP address to support a primary router and multiple backup routers. The backup routers can be configured to take over the workload if the master router fails, or can also be configured to share the traffic load. The primary goal of router redundancy is to allow a host device which has been configured with a fixed gateway to maintain network connectivity in case the primary gateway goes down.
Chapter 28 | VRRP Commands
Default Setting
Disabled
Command Usage
When a host cannot communicate, the first debug method is to ping the host's default gateway to determine whether the problem is in the first hop of the path to the destination. When the default gateway is a virtual router that does not respond to pings, this debug method is unavailable. This vrrp ping-enable command allows the system to respond to pings sent to the virtual IP address.
◆ When a VRRP packet is received from another router in the group, its authentication key is compared to the string configured on this router. If the keys match, the message is accepted. Otherwise, the packet is discarded.
◆ Plain text authentication does not provide any real security. It is supported only to prevent a misconfigured router from participating in VRRP.
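One way to check a switch for groups that rely on plain text authentication is to parse saved show vrrp output. The Python sketch below is an added example, not part of the switch software. The sample text is constructed from the field names in this guide's show vrrp interface example, the line layout and the second group are assumptions, and the virtual MAC check relies on the standard IPv4 VRRP address 00-00-5E-00-01-{group ID in hex}.

```python
import re
from typing import Dict, List

# Constructed sample: group 1 uses the values from the guide's example output;
# group 2 is invented for contrast and the exact line layout is assumed.
SAMPLE_SHOW_VRRP = """\
Vlan 1 - Group 1, State Master
 Virtual IP Address 192.168.1.6
 Virtual MAC Address 00-00-5E-00-01-01
 Advertisement Interval 5 sec
 Preemption Enabled
 Min Delay 10 sec
 Priority 1
 Authentication SimpleText
 Authentication Key bluebird
Vlan 2 - Group 2, State Backup
 Virtual IP Address 192.168.2.6
 Virtual MAC Address 00-00-5E-00-01-02
 Advertisement Interval 5 sec
 Priority 100
Console#
"""

HEADER = re.compile(r"^Vlan\s+(\d+)\s+-\s+Group\s+(\d+),\s*(?:State\s+(\w+))?")
# Longer labels first so "Authentication Key" is not read as "Authentication".
FIELDS = ("Virtual IP Address", "Virtual MAC Address", "Authentication Key",
          "Authentication", "Priority", "State")


def parse_show_vrrp(text: str) -> List[Dict[str, str]]:
    """Split show vrrp output into one dictionary per VLAN/group block."""
    groups: List[Dict[str, str]] = []
    for line in text.splitlines():
        line = line.strip()
        match = HEADER.match(line)
        if match:
            groups.append({"vlan": match.group(1), "group": match.group(2)})
            if match.group(3):
                groups[-1]["State"] = match.group(3)
            continue
        if not groups:
            continue  # text before the first group header
        for name in FIELDS:
            if line.startswith(name + " "):
                groups[-1][name] = line[len(name):].strip()
                break
    return groups


def expected_virtual_mac(group_id: int) -> str:
    """Standard IPv4 VRRP virtual MAC for a group (virtual router) ID."""
    return f"00-00-5E-00-01-{group_id:02X}"


def audit(groups: List[Dict[str, str]]) -> List[str]:
    """Return findings; the key itself is never copied into the report."""
    findings = []
    for g in groups:
        where = f"vlan {g['vlan']} group {g['group']}"
        if g.get("Authentication", "").lower() == "simpletext":
            findings.append(f"{where}: SimpleText authentication, which only "
                            "guards against misconfigured routers")
        key = g.get("Authentication Key")
        if key is not None:
            findings.append(f"{where}: authentication key ({len(key)} characters) "
                            "is displayed in clear by the show command")
        mac = g.get("Virtual MAC Address")
        if mac and mac.upper() != expected_virtual_mac(int(g["group"])):
            findings.append(f"{where}: virtual MAC {mac} does not match the group ID")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_show_vrrp(SAMPLE_SHOW_VRRP)):
        print(finding)
```
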
Example
This example creates VRRP group 1 using the primary interface for VLAN 1 as the VRRP group Owner.
Console(config)#interface vlan 1
Console(config-if)#vrrp 1 ip 192.168.1.6
Console(config-if)#

vrrp preempt
This command configures the router to take over as the master virtual router for a VRRP group if it has a higher priority than the current acting master router. Use the no form to disable preemption.
vrrp priority
This command sets the priority of this router in a VRRP group. Use the no form to restore the default setting.
Syntax
vrrp group priority level
no vrrp group priority
group - Identifies the VRRP group. (Range: 1-255) The maximum number of groups which can be defined is 64.
level - Priority of this router in the VRRP group.
vrrp timers advertise
This command sets the interval at which the master virtual router sends advertisements communicating its state as the master. Use the no form to restore the default interval.

Syntax
vrrp group timers advertise interval
no vrrp group timers advertise
group - Identifies the VRRP group. (Range: 1-255) The maximum number of groups which can be defined is 64.
interval - Advertisement interval for the master virtual router.
Command Mode
Privileged Exec

Command Usage
◆ Use this command without any keywords to display the full listing of status information for all VRRP groups configured on this router.
◆ Use this command with the brief keyword to display a summary of status information for all VRRP groups configured on this router.
◆ Specify a group number to display status information for a specific group.

Example
This example displays the full listing of status information for all groups.
Table 161: show vrrp - display description (Continued)
Field    Description
Master Advertisement Interval    The advertisement interval configured on the VRRP master.
Master Down interval    The down interval configured on the VRRP master (This interval is used by all the routers in the group regardless of their local settings)

This example displays the brief listing of status information for all groups.
Example
This example displays the full listing of status information for VLAN 1.

Console#show vrrp interface vlan 1
Vlan 1 - Group 1, State Master
Virtual IP Address 192.168.1.6
Virtual MAC Address 00-00-5E-00-01-01
Advertisement Interval 5 sec
Preemption Enabled
Min Delay 10 sec
Priority 1
Authentication SimpleText
Authentication Key bluebird
Master Router 192.168.1.
show vrrp router counters
This command displays counters for errors found in VRRP protocol packets.

Command Mode
Privileged Exec

Example
Note that unknown errors indicate VRRP packets received with an unknown or unsupported version number.
29 IP Routing Commands

After network interfaces are configured for the switch, the paths used to send traffic between different interfaces must be set. If routing is enabled on the switch, traffic will automatically be forwarded between all of the local subnetworks.
Chapter 29 | IP Routing Commands Global Routing Configuration

Table 164: Global Routing Configuration Commands (Continued)
Command    Function    Mode
show ip traffic    Displays statistics for IP, ICMP, UDP, TCP and ARP protocols    PE
IPv6 Commands
ipv6 route    Configures static routes    GC
show ipv6 route    Displays specified entries in the routing table    PE
ECMP Commands
ecmp load-balance    Configures the load-balance method used when there are multiple equal-cost paths to the same destination address incl    GC
Table 164: Global Routing Configuration Commands (Continued)
Command    Function    Mode
show ecmp load-balance    Shows the load-balance method used when there are multiple equal-cost paths to the same destination    PE
show hash-selection list    Shows the packet type and hash list attributes    PE

1 2 3 MAC HS – MAC hash selection. IPv4 HS – IPv4 hash selection.
◆ If both static and dynamic paths have the same lowest cost, the first route stored in the routing table, either statically configured or dynamically learned via a routing protocol, will be used.
◆ Static routes are included in RIP and OSPF updates periodically sent by the router if this feature is enabled by the RIP or OSPF redistribute command (see page 826 or page 847, respectively).
show ip route
This command displays information in the Forwarding Information Base (FIB).

Syntax
show ip route [bgp | connected | database | ospf | rip | static | summary]
bgp – Displays external routes imported from the Border Gateway Protocol (BGP) into this routing domain.
connected – Displays all currently connected entries.
database – All known routes, including inactive routes.
Example
In the following example, note that the entry for RIP displays both the distance and metric for this route.

Console#show ip route
Codes: C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default
R 10.1.1.
show ip route summary
This command displays summary information for the routing table.

Command Mode
Privileged Exec

Example
In the following example, the numeric identifier following the routing table name (0) indicates the Forwarding Information Base (FIB) identifier.
address mask request messages
address mask reply messages
ICMP sent
output errors
destination unreachable messages
time exceeded messages
parameter problem message
echo request messages
echo reply messages
redirect messages
timestamp request messages
timestamp reply messages
source quench messages
address mask request messages
address mask reply messages
UDP Statistics:
2 input
no port errors
other errors
output
TCP Statistics:
4698 input
input
◆ If dstip-l4-port is selected, traffic matching the same destination IP address and L4 protocol port will be carried across the same ECMP path.
◆ If hash-selection-list is selected, use the hash-selection list command to enter hash-selection list configuration mode, and then configure the required hash list attributes.
maximum-paths
This command sets the maximum number of paths allowed. Use the no form to restore the default settings.

Syntax
maximum-paths path-count
no maximum-paths
path-count - The maximum number of equal-cost paths to the same destination that can be installed in the routing table.
Example
Console(config)#hash-selection list 1 mac
Console(config-mac-hash-sel)#ethertype
Console#

src-mac (MAC Hash)
This command adds the source-mac address hash attribute to the hash selection list. Use the no form to remove the specified attribute.
Example
Console(config)#hash-selection list 2 ipv4
Console(config-ipv4-hash-sel)#dst-ip
Console#

dst-l4-port (IPv4 Hash)
This command adds the destination Layer 4 protocol port hash attribute to the hash selection list. Use the no form to remove the specified attribute.
Example
Console(config)#hash-selection list 2 ipv4
Console(config-ipv4-hash-sel)#src-ip
Console#

src-l4-port (IPv4 Hash)
This command adds the source Layer 4 protocol port hash attribute to the hash selection list. Use the no form to remove the specified attribute.
Command Usage
An example of an IPv6 address in full form and collapsed form is shown below.
Full IPv6 Address: FE80:0000:0000:0000:0202:B3FF:FE1E:8329
Collapsed IPv6 Address: FE80::0202:B3FF:FE1E:8329

Example
Console(config)#hash-selection list 3 ipv6
Console(config-ipv6-hash-sel)#collapsed-dst-ip
Console#

collapsed-src-ip (IPv6 Hash)
This command adds the collapsed source IPv6 address hash attribute to the hash selection list.
next-header (IPv6 Hash)
This command adds the next header hash attribute to the hash selection list. Use the no form to remove the specified attribute.

Syntax
[no] next-header

Command Mode
IPv6 hash selection mode

Command Usage
The next header identifies the type of header immediately following the IPv6 header.
Example
Console(config)#hash-selection list 3 ipv6
Console(config-ipv4-hash-sel)#vlan
Console#

show ecmp load-balance
This command shows the load-balance method used when there are multiple equal-cost paths to the same destination.

Command Mode
Privileged Exec

Example
The default setting is shown in the following example.
IPv6 Commands

ipv6 route
This command configures static IPv6 routes. Use the no form to remove static routes.

Syntax
ipv6 route destination-ipv6-address/prefix-length {gateway-address [distance] | link-local-address%zone-id [distance]}
no ipv6 route destination-ipv6-address/prefix-length {gateway-address | link-local-address%zone-id}
destination-ipv6-address – The IPv6 address of a destination network, subnetwork, or host.
◆ If both static and dynamic paths have the same lowest cost, the first route stored in the routing table, either statically configured or dynamically learned via a routing protocol, will be used.
◆ Static routes are included in RIP, OSPF and BGP updates periodically sent by the router if this feature is enabled by the RIP, OSPF or BGP redistribute command (see page 826, 847, 889 or 940 respectively).
Command Usage
◆ The FIB contains information required to forward IP traffic. It contains the interface identifier and next hop information for each reachable destination network prefix based on the IP routing table. When routing or topology changes occur in the network, the routing table is updated, and those changes are immediately reflected in the FIB.
Routing Information Protocol (RIP)
Command Mode
Global Configuration

Default Setting
Disabled

Command Usage
◆ RIP is used to specify how routers exchange routing table information.
◆ This command is also used to enter router configuration mode.

Example
Console(config)#router rip
Console(config-router)#

Related Commands
network (825)

default-information originate
This command generates a default external route into the local RIP autonomous system.
default-metric
This command sets the default metric assigned to external routes imported from other protocols. Use the no form to restore the default value.

Syntax
default-metric metric-value
no default-metric
metric-value – Metric assigned to external routes. (Range: 1-15)

Default Setting
1

Command Mode
Router Configuration

Command Usage
This command does not override the metric value set by the redistribute command.
distance
This command defines an administrative distance for external routes learned from other routing protocols. Use the no form to restore the default setting.

Syntax
[no] distance distance network-address netmask
distance - Administrative distance for external routes. External routes are routes for which the best path is learned from a neighbor external to the local RIP autonomous system.
Command Mode
Router Configuration

Command Usage
All the learned RIP routes may not be copied to the hardware tables in ASIC for fast data forwarding because of hardware resource limitations.

Example
Console(config-router)#maximum-prefix 1024
Console(config-router)#

neighbor
This command defines a neighboring router with which this router will exchange routing information. Use the no form to remove an entry.
network
This command specifies the network interfaces that will be included in the RIP routing process. Use the no form to remove an entry.

Syntax
[no] network {ip-address netmask | vlan vlan-id}
ip-address – IP address of a network directly connected to this router.
netmask - Network mask for the route. This mask identifies the network address bits used for the associated routing entries.
vlan-id - VLAN ID.
passive-interface
This command stops RIP from sending routing updates on the specified interface. Use the no form to disable this feature.

Syntax
[no] passive-interface vlan vlan-id
vlan-id - VLAN ID.
metric-value - Metric value assigned to all external routes for the specified protocol. (Range: 1-16)

Default Setting
redistribution - none
metric-value - set by the default-metric command

Command Mode
Router Configuration

Command Usage
When a metric value has not been configured by the redistribute command, the default-metric command sets the metric value to be used for all imported external routes.
timers basic
This command configures the RIP update timer, timeout timer, and garbage-collection timer. Use the no form to restore the defaults.

Syntax
timers basic update timeout garbage
no timers basic
update – Sets the update timer to the specified value. (Range: 5-2147483647 seconds)
timeout – Sets the timeout timer to the specified value. (Range: 90-360 seconds)
garbage – Sets the garbage collection timer to the specified value.
version
This command specifies a RIP version used globally by the router. Use the no form to restore the default value.

Syntax
version {1 | 2}
no version
1 - RIP Version 1
2 - RIP Version 2

Default Setting
Receive: Accepts RIPv1 or RIPv2 packets
Send: Route information is broadcast to other routers with RIPv2.
ip rip authentication mode
This command specifies the type of authentication that can be used for RIPv2 packets. Use the no form to restore the default value.

Syntax
ip rip authentication mode {md5 | text}
no ip rip authentication mode
md5 - Message Digest 5 (MD5) authentication
text - Indicates that a simple password will be used.
ip rip authentication string
This command specifies an authentication key for RIPv2 packets. Use the no form to delete the authentication key.

Syntax
ip rip authentication string key-string
no ip rip authentication string
key-string - A password used for authentication.
Default Setting
RIPv1 and RIPv2 packets

Command Mode
Interface Configuration (VLAN)

Command Usage
◆ Use this command to override the global setting specified by the RIP version command.
◆ You can specify the receive version based on these options:
  ■ Use version 1 or version 2 if all routers in the local network are based on RIPv1 or RIPv2, respectively.
Command Usage
Use the no form of this command if it is not required to add any dynamic entries to the routing table for an interface. For example, when only static routes are to be allowed for a specific interface.

Example
Console(config)#interface vlan 1
Console(config-if)#ip rip receive-packet
Console(config-if)#

Related Commands
ip rip send-packet (834)

ip rip send version
This command specifies a RIP version to send on an interface.
Example
This example sets the interface version for VLAN 1 to send RIPv1 packets.

Console(config)#interface vlan 1
Console(config-if)#ip rip send version 1
Console(config-if)#

Related Commands
version (829)

ip rip send-packet
This command configures the interface to send RIP packets. Use the no form to disable this feature.
ip rip split-horizon
This command enables split-horizon or poison-reverse (a variation) on an interface. Use the no form to disable this function.

Syntax
ip rip split-horizon [poisoned]
no ip rip split-horizon
poisoned - Enables poison-reverse on the current interface.
ospf - Deletes all entries learned through the Open Shortest Path First routing protocol.
rip - Deletes all entries learned through the Routing Information Protocol.
static - Deletes all static entries.

Default Setting
None

Command Mode
Privileged Exec

Command Usage
Using this command with the “all” parameter clears the RIP table of all routes.
Distance: Default is 120
Console#

show ip rip
This command displays information about RIP routes and configuration settings. Use this command without any keywords to display all RIP routes.

Syntax
show ip rip [interface [vlan vlan-id]]
interface - Shows RIP configuration settings for all interfaces or for a specified interface.
vlan-id - VLAN ID.
Open Shortest Path First (OSPFv2)
Table 167: Open Shortest Path First Commands (Continued)
Command    Function    Mode
ip ospf priority    Sets the router priority used to determine the designated router    IC
ip ospf retransmit-interval    Specifies the time between resending a link-state advertisement    IC
ip ospf transmit-delay    Estimates time to send a link-state update packet over an interface    IC
passive-interface    Suppresses OSPF routing traffic on the specified interface
Example
Console(config)#router ospf
Console(config-router)#

Related Commands
network area (856)

compatible rfc1583
This command calculates summary route costs using RFC 1583 (early OSPFv2). Use the no form to calculate costs using RFC 2328 (OSPFv2).
default-information originate
This command generates a default external route into an autonomous system. Use the no form to disable this feature.

Syntax
default-information originate [always] [metric interface-metric] [metric-type metric-type]
no default-information originate [always | metric | metric-type]
always - Always advertise itself as a default external route for the local AS regardless of whether the router has a default route.
routes, the internal cost is only used as a tie-breaker if several Type 2 routes have the same cost.
◆ This command should not be used to generate a default route for a stub or NSSA. To generate a default route for these area types, use the area stub or area nssa commands.

Example
This example assigns a metric of 20 to the default external route advertised into an autonomous system, sending it as a Type 2 external metric.
◆ If the priority values of the routers bidding to be the designated router or backup designated router for an area are equal, the router with the highest ID is elected.

Example
Console(config-router)#router-id 10.1.1.
clear ip ospf process
This command clears and restarts the OSPF routing process. Specify the process ID to clear a particular OSPF process. When no process ID is specified, this command clears all running OSPF processes.

Syntax
clear ip ospf [process-id] process
process-id - Specifies the routing process ID. (Range: 1-65535)

Default Setting
Clears all routing processes.
Example
Console(config-router)#area 10.3.9.0 default-cost 10
Console(config-router)#

Related Commands
area stub (853)
area nssa (851)

area range
This command summarizes the routes advertised by an Area Border Router (ABR). Use the no form to disable this function.

Syntax
[no] area area-id range ip-address netmask [advertise | not-advertise]
area-id - Identifies an area for which the routes are summarized.
Example
This example creates a summary address for all area routes in the range of 10.2.x.x.

Console(config-router)#area 10.2.0.0 range 10.2.0.0 255.255.0.0 advertise
Console(config-router)#

auto-cost reference-bandwidth
Use this command to calculate the default metrics for an interface based on bandwidth. Use the no form to automatically assign costs based on interface type.
default-metric
This command sets the default metric for external routes imported from other protocols. Use the no form to remove the default metric for the supported protocol types.

Syntax
default-metric metric-value
no default-metric
metric-value – Metric assigned to all external routes imported from other protocols.
rip – Imports external routes learned through Routing Information Protocol (RIP) into this routing domain.
static - Static routes will be imported into this Autonomous System.
metric-value - Metric assigned to all external routes for the specified protocol. (Range: 0-16777214)
type-value
  1 - Type 1 external route
  2 - Type 2 external route (default) - Routers do not add internal route metric to external route metric.
Example
This example redistributes routes learned from BGP as Type 1 external routes.

Console(config-router)#redistribute bgp metric-type 1
Console(config-router)#

Related Commands
default-information originate (841)

summary-address
This command aggregates routes learned from other protocols. Use the no form to remove a summary address.
Area Configuration

area authentication
This command enables authentication for an OSPF area. Use the no form to remove authentication for an area.

Syntax
[no] area area-id authentication [message-digest]
area-id - Identifies an area for which authentication is to be configured. The area ID can be in the form of an IPv4 address or as a four octet unsigned integer ranging from 0-4294967295.
Example
This example enables message-digest authentication for the specified area.

Console(config-router)#area 10.3.0.0 authentication message-digest
Console(config-router)#

Related Commands
ip ospf authentication-key (859)
ip ospf message-digest-key (862)

area nssa
This command defines a not-so-stubby area (NSSA). To remove an NSSA, use the no form without any optional keywords.
type-value
  1 - Type 1 external route
  2 - Type 2 external route (default) - Routers do not add internal cost to the external route metric.

Command Mode
Router Configuration

Default Setting
No NSSA is configured.

Command Usage
◆ All routers in an NSSA must be configured with the same area ID.
area stub
This command defines a stub area. To remove a stub, use the no form without the optional keyword. To remove the summary attribute, use the no form with the summary keyword.

Syntax
[no] area area-id stub [no-summary]
area-id - Identifies the stub area. The area ID can be in the form of an IPv4 address or as a four octet unsigned integer ranging from 0-4294967295.
area virtual-link
This command defines a virtual link. To remove a virtual link, use the no form with no optional keywords. To restore the default value for an attribute, use the no form with the required keyword.
transmit-delay seconds - Estimates the time required to send a link-state update packet over the virtual link, considering the transmission and propagation delays. LSAs have their age incremented by this amount before transmission. This value must be the same for all routers attached to an autonomous system. (Range: 1-65535 seconds; Default: 1 second)
authentication - Specifies the authentication mode.
configured as a backup connection that can take over if the normal connection to the backbone fails.
◆ A virtual link can be configured between any two backbone routers that have an interface to a common non-backbone area. The two routers joined by a virtual link are treated as if they were connected by an unnumbered point-to-point network.
Command Usage
◆ An area ID uniquely defines an OSPF broadcast area. The area ID 0.0.0.0 indicates the OSPF backbone for an autonomous system. Each router must be connected to the backbone via a direct connection or a virtual link.
◆ Set the area ID to the same value for all routers on a network segment using the network mask to add one or more interfaces to an area.
Command Usage
◆ Use authentication to prevent routers from inadvertently joining an unauthorized area. Configure routers in the same area with the same password or key. All neighboring routers on the same network with the same password will exchange routing data.
◆ This command creates a password (key) that is inserted into the OSPF header when routing protocol packets are originated by this device.
ip ospf authentication-key
This command assigns a simple password to be used by neighboring routers to verify the authenticity of routing protocol messages. Use the no form to remove the password.

Syntax
ip ospf [ip-address] authentication-key key
no ip ospf [ip-address] authentication-key
ip-address - This parameter can be used to indicate a specific IP address connected to the current interface.
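The RIP and OSPF authentication commands in this chapter can be checked mechanically. The following is an added example, not part of this guide or of the switch software: it audits a constructed configuration for simple-password settings and for MD5 keys that are also configured as clear-text passwords elsewhere. The function names, finding labels and sample keys are hypothetical, and the argument layout used for message-digest-key is an assumption.

```python
import re

# Constructed sample configuration built from commands documented in this
# chapter. Assumption: the argument layout "message-digest-key <id> md5 <key>"
# (the chapter names that command, but its syntax line is not shown here).
SAMPLE_CONFIG = """\
interface vlan 1
 ip rip authentication mode text
 ip rip authentication string alpha-key
 ip ospf authentication-key gammakey
!
interface vlan 2
 ip rip authentication mode md5
 ip rip authentication string alpha-key
 ip ospf message-digest-key 1 md5 beta-key
!
router ospf
 area 10.3.0.0 authentication
 area 0.0.0.0 authentication message-digest
!
"""


def parse_contexts(config_text):
    """Group commands under the 'interface ...' or 'router ...' line above them."""
    contexts, current = [], None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "!":
            current = None                      # '!' closes the current block
        elif re.match(r"(interface|router)\s", line):
            current = (line, [])
            contexts.append(current)
        elif line and current is not None:
            current[1].append(line)
    return contexts


def audit(config_text):
    """Return (context, finding) tuples for weak routing-protocol authentication."""
    findings = []
    cleartext_keys = set()   # passwords that are sent unprotected in packets
    digest_keys = []         # (context, protocol, key) configured for MD5
    for header, commands in parse_contexts(config_text):
        rip_mode = rip_key = None
        for cmd in commands:
            if m := re.fullmatch(r"ip rip authentication mode (md5|text)", cmd):
                rip_mode = m.group(1)
            elif m := re.fullmatch(r"ip rip authentication string (\S+)", cmd):
                rip_key = m.group(1)
            elif m := re.fullmatch(r"ip ospf(?: \S+)? authentication-key (\S+)", cmd):
                cleartext_keys.add(m.group(1))
                findings.append((header, "ospf-simple-password"))
            elif m := re.fullmatch(
                    r"ip ospf(?: \S+)? message-digest-key \d+ md5 (\S+)", cmd):
                digest_keys.append((header, "ospf", m.group(1)))
            elif m := re.fullmatch(r"area (\S+) authentication( message-digest)?", cmd):
                if m.group(2) is None:          # keyword absent: simple password
                    findings.append((f"{header} area {m.group(1)}",
                                     "ospf-area-simple-password"))
        if rip_mode == "text":
            findings.append((header, "rip-simple-password"))
            if rip_key:
                cleartext_keys.add(rip_key)
        elif rip_mode == "md5" and rip_key:
            digest_keys.append((header, "rip", rip_key))
    # An MD5 key gives no protection if the same string is also a clear-text key.
    for header, proto, key in digest_keys:
        if key in cleartext_keys:
            findings.append((header, f"{proto}-md5-key-also-sent-in-clear"))
    return findings


if __name__ == "__main__":
    for context, finding in audit(SAMPLE_CONFIG):
        print(f"{context}: {finding}")
```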
ip ospf cost
This command explicitly sets the cost of sending a protocol packet on an interface, where higher values indicate slower ports. Use the no form to restore the default value.

Syntax
ip ospf [ip-address] cost cost
no ip ospf [ip-address] cost
ip-address - This parameter can be used to indicate a specific IP address connected to the current interface.
ip ospf dead-interval
This command sets the interval at which hello packets are not seen before neighbors declare the router down. Use the no form to restore the default value.

Syntax
ip ospf [ip-address] dead-interval seconds
no ip ospf [ip-address] dead-interval
ip-address - This parameter can be used to indicate a specific IP address connected to the current interface.
Command Mode
Interface Configuration (VLAN)

Default Setting
10 seconds

Command Usage
Hello packets are used to inform other routers that the sending router is still active. Setting the hello interval to a smaller value can reduce the delay in detecting topological changes, but will increase routing traffic.
◆ When changing to a new key, the router will send multiple copies of all protocol messages, one with the old key and another with the new key. Once all the neighboring routers start sending protocol messages back to this router with the new key, the router will stop using the old key. This rollover process gives the network administrator time to update all the routers on the network without affecting the network connectivity.
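The rollover described above works because each packet carries a key ID and a digest rather than the key itself. The following is an added example, not code from this guide or from the switch software: it builds and verifies OSPFv2 packets using the MD5 trailer layout of RFC 2328 Appendix D and shows which copy each neighbor accepts while keys are being changed. The function names, key values and placeholder packet body are constructed for illustration.

```python
import hashlib
import hmac
import struct

AUTYPE_CRYPTO = 2   # OSPFv2 AuType value for cryptographic authentication
DIGEST_LEN = 16     # MD5 digest size; keys are zero-padded to this length
HEADER_LEN = 24     # fixed OSPFv2 header, including the 8-byte auth field


def _pad(key: bytes) -> bytes:
    if len(key) > DIGEST_LEN:
        raise ValueError("MD5 key is limited to 16 bytes")
    return key.ljust(DIGEST_LEN, b"\x00")


def build_packet(router_id, area_id, body, key_id, key, seq, pkt_type=1):
    """Return an OSPFv2 packet followed by its MD5 digest trailer."""
    length = HEADER_LEN + len(body)      # the trailer is not counted here
    header = struct.pack("!BBH4s4sHH", 2, pkt_type, length,
                         router_id, area_id, 0, AUTYPE_CRYPTO)  # checksum 0
    auth = struct.pack("!HBBI", 0, key_id, DIGEST_LEN, seq)
    packet = header + auth + body
    # The digest covers the packet plus the padded key; only the digest is sent.
    return packet + hashlib.md5(packet + _pad(key)).digest()


def verify_packet(packet, keys, last_seq):
    """Validate a received packet; keys maps key ID -> key bytes.

    Returns (accepted, reason).
    """
    if len(packet) < HEADER_LEN + DIGEST_LEN:
        return False, "truncated"
    _v, _t, length, _rid, _aid, _ck, autype = struct.unpack(
        "!BBH4s4sHH", packet[:16])
    _zero, key_id, auth_len, seq = struct.unpack("!HBBI", packet[16:HEADER_LEN])
    if autype != AUTYPE_CRYPTO or auth_len != DIGEST_LEN:
        return False, "not MD5 authenticated"
    if len(packet) != length + DIGEST_LEN:
        return False, "length mismatch"
    if key_id not in keys:
        return False, "unknown key id"
    if seq < last_seq:                   # sequence numbers must not go backwards
        return False, "stale sequence number"
    expected = hashlib.md5(packet[:length] + _pad(keys[key_id])).digest()
    if not hmac.compare_digest(expected, packet[length:]):
        return False, "bad digest"
    return True, "ok"


def rollover_demo():
    """Sender holds the old and new keys; neighbors are at different stages."""
    rid, area = bytes([192, 168, 0, 2]), bytes(4)
    old, new = b"old-example-key", b"new-example-key"   # constructed keys
    # During rollover the sender emits one copy per configured key.
    # b"hello-body" is a placeholder, not a real hello packet body.
    copies = {kid: build_packet(rid, area, b"hello-body", kid, key, seq=100)
              for kid, key in {1: old, 2: new}.items()}
    not_yet_updated, already_updated = {1: old}, {2: new}
    tampered = bytearray(copies[1])
    tampered[HEADER_LEN] ^= 0x01         # flip one bit in the body
    return {
        "old_neighbor_old_copy": verify_packet(copies[1], not_yet_updated, 0),
        "old_neighbor_new_copy": verify_packet(copies[2], not_yet_updated, 0),
        "new_neighbor_new_copy": verify_packet(copies[2], already_updated, 0),
        "tampered_body": verify_packet(bytes(tampered), not_yet_updated, 0),
        "replayed_old_seq": verify_packet(copies[1], not_yet_updated, 101),
        "key_visible_in_packet": old in copies[1] or new in copies[2],
    }


if __name__ == "__main__":
    for name, result in rollover_demo().items():
        print(name, result)
```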
become the DR and the router with the next highest priority becomes the BDR. If two or more routers are tied with the same highest priority, the router with the higher ID will be elected.
◆ If a DR already exists for a network segment when this interface comes up, the new router will accept the current DR regardless of its own priority. The DR will not change until the next time the election process is initiated.
Example
Console(config)#interface vlan 1
Console(config-if)#ip ospf retransmit-interval 7
Console(config-if)#

ip ospf transmit-delay
This command sets the estimated time to send a link-state update packet over an interface. Use the no form to restore the default value.
passive-interface
This command suppresses OSPF routing traffic on the specified interface. Use the no form to allow routing traffic to be sent and received on the specified interface.

Syntax
[no] passive-interface vlan vlan-id [ip-address]
vlan-id - VLAN ID. (Range: 1-4094)
ip-address - An IPv4 address configured on this interface.
Number of incoming current DD exchange neighbors 0/5
Number of outgoing current DD exchange neighbors 0/5
Number of external LSA 0. Checksum 0x000000
Number of opaque AS LSA 0. Checksum 0x000000
LSDB database overflow limit is 20480
Number of LSA originated 1
Number of LSA received 0
Number of areas attached to this router: 1
Area 192.168.1.
Table 168: show ip ospf - display description (Continued)
Field    Description
Number of LSA originated    The number of new link-state advertisements that have been originated.
Number of LSA received    The number of link-state advertisements that have been received.
Number of areas attached to this router    The number of configured areas attached to this router.
show ip ospf database
This command shows information about different OSPF Link State Advertisements (LSAs) stored in this router’s database.

Syntax
show ip ospf [process-id] database [asbr-summary | external | network | nssa-external | router | summary] [adv-router ip-address | link-state-id | self-originate]
process-id - The ID of the router process for which information will be displayed.
Net Link States (Area 0.0.0.0)
Link ID      ADV Router   Age Seq#       CkSum
192.168.0.2  192.168.0.2  225 0x80000001 0x9c0f

AS External Link States
Link ID      ADV Router   Age Seq#       CkSum  Route         Tag
0.0.0.0      192.168.0.2  487 0x80000001 0xd491 E2 0.0.0.0/0  0
0.0.0.0      192.168.0.3  222 0x80000001 0xce96 E2 0.0.0.0/0  0
Console#

Table 169: show ip ospf database - display description
Field    Description
OSPF Router Process with ID    OSPF process ID and router ID.
Table 170: show ip ospf database summary - display description
Field    Description
OSPF Router ID    Router ID
LS Age    Age of LSA (in seconds)
Options    Optional capabilities associated with the LSA
LS Type    Summary Links - LSA describes routes to AS boundary routers
Link State ID    Interface address of the autonomous system boundary router
Advertising Router    Advertising router ID
LS Sequence Number    Sequence number of LSA (used to detec
Metric: 1
Forward Address: 0.0.0.
Table 173: show ip ospf database router - display description
Field    Description
OSPF Router ID    Router ID
LS Age    Age of LSA (in seconds)
Options    Optional capabilities associated with the LSA
Flags    Indicate if this router is a virtual link endpoint, an ASBR, or an ABR
LS Type    Router Link - LSA describes the router's interfaces.
Table 174: show ip ospf database summary - display description
Field | Description
OSPF Router ID | Router ID
LS Age | Age of LSA (in seconds)
Options | Optional capabilities associated with the LSA
LS Type | Summary Links - LSA describes routes to networks
Link State ID | Router ID of the router that originated the LSA
Advertising Router | Advertising router ID
LS Sequence Number | Sequence number of LSA (used to detect older duplicate LSAs
Table 175: show ip ospf interface - display description
Field | Description
VLAN | VLAN ID and Status of physical link
Internet Address | IP address of OSPF interface
Area | OSPF area to which this interface belongs
MTU | Maximum transfer unit
Process ID | OSPF process ID
Router ID | Router ID
Network Type | Includes broadcast, non-broadcast, or point-to-point networks
Cost | Interface transmit cost
Transmit Delay | Interface transmit delay
show ip ospf neighbor

This command displays information about neighboring routers on each interface within an OSPF area.

Syntax
show ip ospf [process-id] neighbor

process-id - The ID of the router process for which information will be displayed. (Range: 1-65535)

Command Mode
Privileged Exec

Example
Console#show ip ospf neighbor
ID              Pri    State            Address         Interface
--------------- ------ ---------------- --------------- -------------
192.168.0.
show ip ospf route

This command displays the OSPF routing table.

Syntax
show ip ospf [process-id] route

process-id - The ID of the router process for which information will be displayed.
Table 177: show ip ospf virtual-links - display description
Field | Description
Virtual Link to router | OSPF neighbor and link state (up or down)
Transit area | Common area the virtual link crosses to reach the target router
Local address | The IP address of ABR that serves as an endpoint connecting the isolated area to the common transit area.
Remote address | The IP address this virtual neighbor is using.
Chapter 29 | IP Routing Commands Open Shortest Path First (OSPFv3)

Table 178: show ip protocols ospf - display description (Continued)
Field | Description
Routing for Summary Address | Shows the networks for which route summarization is in effect
Distance | The administrative distance used for external routes learned by OSPF (see the ip route command).

Open Shortest Path First (OSPFv3)
Table 179: Open Shortest Path First Commands (Version 3) (Continued)
Command | Function | Mode
ipv6 ospf retransmit-interval | Specifies the time between resending a link-state advertisement | IC
ipv6 ospf transmit-delay | Estimates time to send a link-state update packet over an interface | IC
passive-interface | Suppresses OSPF routing traffic on the specified interface | RC
show ipv6 ospf | Displays general information about the routing proce
General Configuration

router ipv6 ospf

This command creates an Open Shortest Path First (OSPFv3) routing process and enters router configuration mode. Use the no form to disable OSPF for all processes or for a specified process.

Syntax
[no] router ipv6 ospf [tag process-name]

process-name - A process name must be entered when configuring multiple routing instances.
abr-type

This command sets the criteria used to determine if this router can declare itself an ABR and issue Type 3 and Type 4 summary LSAs. Use the no form to restore the default setting.

Syntax
abr-type {cisco | ibm | standard}
no abr-type

cisco - ABR criteria and functional behavior is based on RFC 3509.
summary-LSAs are examined. Otherwise (when either the router is not an ABR or it has no active backbone connection), the router should consider summary-LSAs from all actively attached areas. This ensures that the summary-LSAs originated by area border routers advertise only intra-area routes into the backbone if the router has an active backbone connection, and advertise both intra-area and inter-area routes into the other areas.
router-id

This command assigns a unique router ID for this device within the autonomous system for the current OSPFv3 process. Use the no form to restore the default setting.

Syntax
router-id ip-address
no router-id

ip-address - Router ID formatted as an IPv4 address.

Command Mode
Router Configuration

Default Setting
None

Command Usage
◆ This command sets the router ID for the OSPF process specified in the router ipv6 ospf command.
timers spf

This command configures the delay between receiving a topology change and starting the shortest path first (SPF) calculation, and the hold time between making two consecutive SPF calculations. Use the no form to restore the default values.

Syntax
timers spf spf-delay spf-holdtime
no timers spf

spf-delay - The delay between receiving a topology change notification and starting the SPF calculation.
Command Mode
Router Configuration

Default Setting
Default cost: 1

Command Usage
◆ If the default cost is set to “0,” the router will not advertise a default route into the attached stub.

Example
Console(config)#router ipv6 ospf tag 1
Console(config-router)#area 1 default-cost 1
Console(config-router)#

Related Commands
area stub (853)

area range

This command summarizes the routes advertised by an Area Border Router (ABR).
◆ If the network addresses within an area are assigned in a contiguous manner, the ABRs can advertise a summary route that covers all of the individual networks within the area that fall into the specified range using a single area range command.
◆ If routes are set to be advertised by this command, the router will issue a Type 3 summary LSA for each address range specified by this command.
Related Commands
redistribute (889)

redistribute

This command redistributes external routing information from other routing protocols and static routes into an autonomous system. Use the no form to disable this feature or to restore the default settings.
Example
This example redistributes automatically connected routes as Type 1 external routes.

Console(config-router)#redistribute connected metric-type 1
Console(config-router)#

Area Configuration

area stub

This command defines a stub area. To remove a stub, use the no form without the optional keyword. To remove the summary attribute, use the no form with the summary keyword.
◆ Use the area default-cost command to specify the cost of a default summary route sent into a stub by an ABR attached to the stub area.

Example
This example creates a stub area 2, and makes it totally stubby by blocking all Type 3 summary LSAs.

Console(config-router)#area 2 stub no-summary
Console(config-router)#

Related Commands
area default-cost (886)

area virtual-link

This command defines a virtual link.
adequate flow of routing information, but does not produce unnecessary protocol traffic. However, note that this value should be larger for virtual links. (Range: 1-65535 seconds; Default: 5 seconds)

transmit-delay seconds - Estimates the time required to send a link-state update packet over the virtual link, considering the transmission and propagation delays. LSAs have their age incremented by this amount before transmission.
ipv6 router ospf area

This command binds an OSPF area to the selected interface. Use the no form to remove an OSPF area, disable an OSPF process, or remove an instance identifier from an interface.

Syntax
[no] ipv6 router ospf area area-id [tag process-name | instance-id instance-id]

area-id - Area to bind to the current Layer 3 interface. An OSPF area identifies a group of routers that share common routing information.
Console(config-if)#

Related Commands
router ipv6 ospf (882)
router-id (885)
ipv6 router ospf tag area (894)

ipv6 router ospf tag area

This command binds an OSPF area to the selected interface and process. Use the no form to remove the specified area from an interface.

Syntax
[no] ipv6 router ospf tag process-name area area-id [instance-id instance-id]

area-id - Area to bind to the current Layer 3 interface.
Example
This example assigns area 0.0.0.1 to the currently selected interface under routing process “1.”

Console(config)#interface vlan 1
Console(config-if)#ipv6 router ospf tag 1 area 0.0.0.
Example
Console(config)#interface vlan 1
Console(config-if)#ipv6 ospf cost 10
Console(config-if)#

ipv6 ospf dead-interval

This command sets the interval at which hello packets are not seen before neighbors declare the router down. Use the no form to restore the default value.
ipv6 ospf hello-interval

This command specifies the interval between sending hello packets on an interface. Use the no form to restore the default value.

Syntax
ipv6 ospf hello-interval seconds [instance-id instance-id]
no ipv6 ospf hello-interval [instance-id instance-id]

seconds - Interval at which hello packets are sent from an interface. This interval must be set to the same value for all routers on the network.
Command Mode
Interface Configuration (VLAN)

Default Setting
1

Command Usage
◆ A designated router (DR) and backup designated router (BDR) are elected for each OSPF area based on Router Priority. The DR forms an active adjacency to all other routers in the area to exchange routing topology information. If for any reason the DR fails, the BDR takes over this role.
Default Setting
5 seconds

Command Usage
◆ A router will resend an LSA to a neighbor if it receives no acknowledgment after the specified retransmit interval. The retransmit interval should be set to a conservative value that provides an adequate flow of routing information, but does not produce unnecessary protocol traffic. Note that this value should be larger for virtual links.
problem, use the transmit delay to force the router to wait a specified interval between transmissions.

Example
Console(config)#interface vlan 1
Console(config-if)#ipv6 ospf transmit-delay 6
Console(config-if)#

passive-interface

This command suppresses OSPF routing traffic on the specified interface. Use the no form to allow routing traffic to be sent and received on the specified interface.
Example
Console#show ipv6 ospf
 Routing Process "ospf 1" with ID 192.168.0.2
 Process uptime is 24 minutes
 Supports only single TOS(TOS0) routes
 SPF schedule delay 5 secs, Hold time between two SPFs 10 secs
 Number of incoming concurrent DD exchange neighbors 0/5
 Number of outgoing concurrent DD exchange neighbors 0/5
 Number of external LSA 0. Checksum 0x000000
 Number of opaque AS LSA 0.
Table 180: show ip ospf - display description (Continued)
Field | Description
Number of areas attached to this router | The number of configured areas attached to this router.
Area Information
Area | The area identifier. Note that “(Inactive)” will be displayed if no IPv6 address has been configured on the interface.
Table 181: show ip ospf database - display description
Field | Description
OSPF Router Process with ID | OSPF router ID and process ID. The router ID uniquely identifies the router in the autonomous system. By convention, this is normally set to one of the router's IP interface addresses.
Link State ID | This field identifies the piece of the routing domain that is being described by the advertisement.
Table 182: show ip ospf interface - display description (Continued)
Field | Description
Router ID | Identifier for this router
Network Type | Includes broadcast, non-broadcast, or point-to-point networks
Cost | Interface transmit cost
Transmit Delay | Interface transmit delay (in seconds)
State |
◆ Backup – Backup Designated Router
◆ Down – OSPF is enabled on this interface, but interface is down
◆ DR – Designated Router
◆ DROther – I
Example
Console#show ipv6 ospf neighbor
ID              Pri    State            Interface ID    Interface
--------------- ------ ---------------- --------------- -------------
192.168.0.
Example
Console#show ipv6 ospf route
Codes: C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
C ::1/128, lo0
O 2001:DB8:2222:7272::/64, VLAN1
C 2001:DB8:2222:7272::/64, VLAN1
? FE80::/64, VLAN1 inactive
C FE80::/64, VLAN1
? FF00::
Table 184: show ipv6 ospf virtual-links - display description (Continued)
Field | Description
Timer intervals | Configuration settings for timer intervals, including Hello, Dead and Retransmit
Hello due | The timeout for the next hello message from the neighbor
Adjacency state | The adjacency state between these neighbors:
Down – Connection down
Attempt – Connection down, but attempting contact (for non-broadcast networks)
Init – Have receiv
Chapter 29 | IP Routing Commands Border Gateway Protocol (BGPv4)

Border Gateway Protocol (BGPv4)

BGP Overview

An autonomous system (AS) functions as a separate routing domain under one administrative authority, which implements its own routing policies. An AS exchanges routing information within its boundaries using Interior Gateway Protocols (IGPs) such as RIP or OSPF, and connects to external organizations or to the Internet using an Exterior Gateway Protocol (EGP).
External BGP – eBGP interconnects different ASes through border routers, or eBGP peers. These peering routers are commonly connected over a WAN link using a single physical path. Alternatively, multiple eBGP peer connections may be used to provide redundancy or load balancing. Distinct BGP sessions are used between redundancy peers to ensure that if one session fails, another will take over.
BGP uses a path vector routing approach, which is roughly based on a distance-vector approach, where the cost between two adjacent ASes is implicitly assumed to be a single hop. The shortest path from an AS to a remote AS is therefore the path with the fewest AS hops.
◆ COMMUNITY – This attribute associates routing information with a community of users. These communities share a common property, and tagging routes with a community makes it easier for routers to identify that property and enforce appropriate routing policies.
◆ ORIGINATOR_ID – This attribute is included when a route reflector reflects a route.
5. Choose the path with the lowest ORIGIN (IGP < EGP < Incomplete). If the value of this criterion is the same for more than one candidate, go to the next step.
6. Choose the path with the lowest MED. By default, the MED attribute is considered only when a prefix is received from neighbors in the same AS. If the value of this criterion is the same for more than one candidate, go to the next step.
7.
Route Aggregation and Dissemination

In the Internet, the number of destinations is larger than most routing protocols can manage. It is not possible for routers to track every possible destination in their routing tables. To overcome this problem BGP relies on route aggregation, whereby multiple destinations are combined in a single advertisement.
Figure 7: Connections for Single Route Reflector (diagram labels: Router, Route Reflector, eBGP Speaker, Advertised Routes, Reflected Routes)

Route reflector clients are not aware that they are connected to a route reflector, and function as though fully meshed within the autonomous system. For redundancy, a cluster may contain more than one route reflector. Each cluster is identified by a Cluster-ID.
connected to its designated route reflector. Once all iBGP routing sessions are established, routing advertisements must follow these rules:
◆ Announcements received by a route reflector from another reflector are passed to its clients.
◆ Announcements received by a route reflector from a reflector client are passed to other route reflectors in the cluster.
Figure 9: Connections for BGP Confederation (diagram labels: AS16478, Public Domain, Autonomous System, Member AS, AS100, AS200, AS300, iBGP, eBGP, Router)

To prevent looping within the confederation, the AS-Confed-Set and AS-Confed-Sequence path attributes are added. These attributes function in the same manner as AS-Set and AS-Sequence.
2. Use the bgp confederation peer command to add an internal peer autonomous system to a confederation.

Route Servers

Route Servers are used to relay routes received from remote ASes to client routers, as well as to relay routes between client routers. Clients maintain BGP sessions only with the assigned route servers. Sessions with more than one server can be used to provide redundancy and load sharing.
Route damping provides a relief mechanism to minimize the effects of route flapping. It can reduce the propagation of updates for flapping routes without impacting the route convergence time for stable routes. When enabled, a route is assigned a penalty each time it flaps (i.e., is announced and then quickly withdrawn). If the penalty exceeds 2000 (the suppress limit), the route is suppressed.
Table 185: Border Gateway Protocol Commands – Version 4 (Continued)
Command | Function | Mode
bgp confederation peer | Adds an internal peer autonomous system to a confederation | RC
bgp dampening | Configures route dampening to reduce the propagation of unstable routes | RC
bgp enforce-first-as | Denies an update received from an external peer that does not list its own autonomous system number at the beginning of the AS path attribute | RC
bgp fa
Table 185: Border Gateway Protocol Commands – Version 4 (Continued)
Command | Function | Mode
distance bgp | Sets the administrative distance for BGP external, internal, and local routes | RC
Neighbor Configuration
neighbor activate | Enables exchange of routing information with a neighboring router or peer group | RC
neighbor advertisement-interval | Configures the interval between sending update messages to a neighbor | RC
neighbor allowas-in | Con
Table 185: Border Gateway Protocol Commands – Version 4 (Continued)
Command | Function | Mode
neighbor prefix-list | Configures prefix restrictions applied in inbound/outbound route updates to/from specified neighbors | RC
neighbor remote-as | Configures a neighbor and its AS number, identifying the neighbor as a local AS member | RC
neighbor remove-privateas | Removes private autonomous system numbers from outbound routing updates to an externa
Table 185: Border Gateway Protocol Commands – Version 4 (Continued)
Command | Function | Mode
show ip bgp prefix-list | Shows routes matching the specified prefix-list | PE
show ip bgp regexp | Shows routes matching the AS path regular expression | PE
show ip bgp route-map | Shows routes matching the specified route map | PE
show ip bgp scan | Shows BGP scan status | PE
show ip bgp summary | Shows summary information for all connections | PE
show i
◆ Use this command to specify all of the routers within an autonomous system used to exchange interior or exterior BGP routing messages. Repeat this process for any other autonomous system under your administrative control to create a distributed routing core for the exchange of routing information between autonomous systems.
Example
The regular expression in this example uses symbols which instruct the filter to match the character or null string at the beginning and end of an input string.

Console(config-router)#ip as-path access-list RD deny ^100$
Console(config-router)#

Related Commands
neighbor filter-list (958)
match as-path (996)

ip community-list

This command configures a community access list.
no-export – Routes with this community attribute are advertised only to peers in the same autonomous system or to other sub-autonomous systems within a confederation. These routes are not advertised to external peers.

100-500 – Expanded community list number that identifies one or more groups of communities.

expanded community-list-name – Name of expanded access list.
Example
This example configures a named standard community list LN that permits routes with community value 100:10, denoting that they come from autonomous system 100 and network 10.

Console(config)#ip community-list standard LN permit 100:10
Console(config)#

Related Commands
neighbor send-community (970)
match community (996)

ip extcommunity-list

This command configures an extended community access list.
IP:NN – Community to deny or permit. The community number is composed of a 4-byte IP address (representing the autonomous system number) and a 2-byte network number, separated by one colon. The 2-byte network number can range from 0 to 65535. One or more community numbers can be entered, separated by a space. Up to 3 community numbers are supported.

100-500 – Expanded community list number that identifies one or more groups of communities.
◆ Use this command in conjunction with the neighbor filter-list to filter route updates sent to or received from a neighbor, or with the match extcommunity route map command to implement a more comprehensive filter for policy-based routing.

Example
This example configures a named standard community list LR that permits routes with the route target 100:20, denoting that they are destined for the autonomous system 100 and network 20.
Command Mode
Global Configuration

Default Setting
No prefix lists are defined.

Command Usage
◆ Prefix filtering can be performed on an IP address expressed as a classful network, a subnet, or a single host route.
◆ Prefix lists are checked starting from the lowest sequence number, continuing through the list until a match is found.
as-set – Generates autonomous system set information for the AS path attribute, indicating that a route originated in multiple autonomous systems.

summary-only – Sends the summary routes only, ignoring more specific routes.

Command Mode
Router Configuration

Default Setting
No aggregate routes are defined.
bgp client-to-client reflection

This command restores route reflection via this router. Use the no form to disable route reflection.

Syntax
[no] bgp client-to-client reflection

Command Mode
Router Configuration

Default Setting
Enabled

Command Usage
Route reflection from this device is enabled by default, but is only functional if a client has been configured with the neighbor route-reflector-client command.
bgp cluster-id

This command configures the cluster identifier for multiple route reflectors in the same cluster. Use the no form to remove the cluster identifier.

Syntax
bgp cluster-id cluster-identifier
no bgp cluster-id

cluster-identifier – The cluster identifier of this router when acting as a route reflector. This identifier can be expressed in the form of an IPv4 address or an integer in the range of 1-4294967295.
bgp confederation identifier

This command configures the identifier for a confederation containing smaller multiple internal autonomous systems, and declares this router as a member of the confederation. Use the no form to remove the confederation identifier.
bgp confederation peer

This command adds an internal peer autonomous system to a confederation. Use the no form to remove an autonomous system from a confederation.

Syntax
bgp confederation peer as-number
no bgp confederation identifier

as-number – Autonomous system number which identifies this router as a member of the specified domain, and tags routing messages passed to other BGP routers with this number.
bgp dampening

This command configures route dampening to reduce the propagation of unstable routes. Use the no form to restore the default settings.

Syntax
bgp dampening [half-life [reuse-limit [suppress-limit max-suppress-time]]]
no dampening

half-life – The time after which a penalty is reduced. The penalty value is reduced to half of the previous value after the half-life time expires.
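The penalty model described for route damping and for bgp dampening can be traced with a short simulation. This is an added example, not code from the guide or the switch software: only the suppress limit of 2000 comes from this guide, while the per-flap penalty, half-life, reuse limit and maximum suppress time are assumed values, and the maximum suppress time is modelled as a plain timer.

```python
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple


@dataclass
class DampeningConfig:
    suppress_limit: float = 2000.0    # stated in this guide
    half_life_min: float = 15.0       # assumed value
    reuse_limit: float = 750.0        # assumed value
    max_suppress_min: float = 60.0    # assumed value
    flap_penalty: float = 1000.0      # assumed value; the guide gives no figure


class DampenedRoute:
    """Penalty state for one prefix. All times are minutes on one clock."""

    def __init__(self, cfg: DampeningConfig) -> None:
        self.cfg = cfg
        self.penalty = 0.0
        self.last_update = 0.0
        self.suppressed_since: Optional[float] = None

    def _advance(self, now: float) -> None:
        if now < self.last_update:
            raise ValueError("events must be supplied in time order")
        # Continuous decay: the penalty halves once per half-life.
        elapsed = now - self.last_update
        self.penalty *= 0.5 ** (elapsed / self.cfg.half_life_min)
        self.last_update = now
        if self.suppressed_since is not None:
            held = now - self.suppressed_since
            # Release when the penalty has decayed below the reuse limit,
            # or when the route has been held for the maximum suppress time.
            if (self.penalty < self.cfg.reuse_limit
                    or held >= self.cfg.max_suppress_min):
                self.suppressed_since = None

    def flap(self, now: float) -> bool:
        """Record one flap and return True if the route is now suppressed."""
        self._advance(now)
        self.penalty += self.cfg.flap_penalty
        if (self.suppressed_since is None
                and self.penalty > self.cfg.suppress_limit):
            self.suppressed_since = now
        return self.suppressed_since is not None

    def is_suppressed(self, now: float) -> bool:
        self._advance(now)
        return self.suppressed_since is not None


def replay(flap_times: Sequence[float],
           cfg: Optional[DampeningConfig] = None) -> List[Tuple[float, float, bool]]:
    """Replay flap timestamps; return (time, penalty, suppressed) per flap."""
    route = DampenedRoute(cfg or DampeningConfig())
    timeline = []
    for t in flap_times:
        suppressed = route.flap(t)
        timeline.append((t, round(route.penalty, 1), suppressed))
    return timeline


if __name__ == "__main__":
    # Constructed input: three flaps one minute apart.
    for row in replay([0.0, 1.0, 2.0]):
        print(row)
```

With these assumed values the third flap inside two minutes crosses the suppress limit, and the route stays suppressed for roughly two half-lives after the flapping stops.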
bgp enforce-first-as

This command denies an update received from an external peer that does not list its own autonomous system number at the beginning of the AS path attribute. Use the no form to disable this feature.
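The check that bgp enforce-first-as describes, combined with the AS path access list RD from the ip as-path access-list example, can be sketched as an inbound update filter. This is an added example, not the switch's implementation: the function names, the trailing permit entry, the implicit deny at the end of the list, and the use of Python's re module in place of the switch's regular expression engine are all assumptions.

```python
import re
from typing import List, Sequence, Tuple

AclEntry = Tuple[str, str]  # (action, regular expression)

# First entry is the guide's example "ip as-path access-list RD deny ^100$".
# The second entry is constructed here so that other paths are permitted.
AS_PATH_ACL_RD: List[AclEntry] = [("deny", r"^100$"), ("permit", r".*")]


def acl_action(acl: Sequence[AclEntry], as_path: Sequence[int]) -> str:
    """Return the action of the first entry whose pattern matches the path.

    The path is matched as a space-separated string of AS numbers.
    An implicit deny when nothing matches is an assumption of this sketch.
    """
    text = " ".join(str(asn) for asn in as_path)
    for action, pattern in acl:
        if re.search(pattern, text):
            return action
    return "deny"


def check_update(peer_as: int,
                 as_path: Sequence[int],
                 enforce_first_as: bool = True,
                 acl: Sequence[AclEntry] = AS_PATH_ACL_RD) -> Tuple[bool, str]:
    """Decide whether an update from an external peer is accepted."""
    if enforce_first_as:
        if not as_path:
            return (False, "empty AS path from external peer")
        if as_path[0] != peer_as:
            return (False,
                    f"first AS {as_path[0]} is not peer AS {peer_as}")
    if acl_action(acl, as_path) == "deny":
        return (False, "denied by AS path access list")
    return (True, "accepted")


def rejected(updates: Sequence[Tuple[int, Sequence[int]]],
             enforce_first_as: bool = True) -> List[Tuple[int, List[int], str]]:
    """Return (peer AS, AS path, reason) for every update that is refused."""
    out = []
    for peer_as, as_path in updates:
        ok, reason = check_update(peer_as, as_path, enforce_first_as)
        if not ok:
            out.append((peer_as, list(as_path), reason))
    return out


# Constructed sample updates: (peer AS, AS path as received).
SAMPLE_UPDATES = [
    (200, [200, 100]),   # peer lists itself first: accepted
    (200, [300, 100]),   # peer AS missing from the front of the path
    (100, [100]),        # path is exactly "100": denied by list RD
]

if __name__ == "__main__":
    for row in rejected(SAMPLE_UPDATES):
        print(row)
```

Logging the reason string alongside the peer address gives an operator a direct view of which neighbors are sending paths that fail the first-AS check.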
bgp log-neighbor-changes

This command enables logging of neighbor resets (that is, up or down status changes). Use the no form to disable this feature.

Command Mode
Router Configuration

Default Setting
Disabled

Command Usage
◆ This command helps detect network problems by indicating if a neighbor connection is flapping. A high number of neighbor resets might indicate unacceptable error rates or high packet loss in the network.
bgp router-id

This command sets the router ID for this device. Use the no form to remove this ID.

Syntax
bgp router-id router-id
no bgp router-id

router-id – Router ID formatted as an IPv4 address.

Command Mode
Router Configuration

Default Setting
The highest IP address configured for an interface.

Command Usage
◆ By default, the router ID is automatically set to the highest IP address configured for a Layer 3 interface.
Command Usage
◆ This command sets the interval at which to check the validity of the next hop for all routes in the routing information database. During the interval between scan cycles, IGP instability or other network problems may cause black holes or routing loops to form.

Example
Console(config-router)#bgp scan-time 30
Console(config-router)#

network

This command specifies a network to advertise.
backdoor network is treated as a local network, except that it is not advertised by the local router. A backdoor route should not be sourced at the local router, but should be one that has been learned from external neighbors. However, since these routes are treated as a local network, they are given priority over routes learned through eBGP, even if the distance of the external route is shorter.

Example
Console(config-router)#network 172.16.0.
◆ A route metric must be used to resolve the problem of redistributing external routes with incompatible metrics.

Example
Console(config-router)#redistribute static metric 10
Console(config-router)#

timers bgp

This command sets the Keep Alive time used for maintaining connectivity, and the Hold time to wait for Keep Alive or Update messages before declaring a neighbor down. Use the no form to restore the default settings.
clear ip bgp

This command clears connections using hard or soft re-configuration.

Syntax
clear ip bgp {* | as-number | external | peer-group group-name | neighbor-address} [in [prefix-list] | out | soft [in | out]]

* – All BGP peering sessions.
as-number – All peering sessions within this autonomous system number. (Range: 1-4294967295)
external – All eBGP peering sessions.
◆ Use this command to clear peering sessions when changes are made to any BGP access lists, weights, or route-maps.
◆ Route refresh (RFC 2918) allows a router to reset inbound routing tables dynamically by exchanging route refresh requests with peers. Route refresh relies on the dynamic exchange of information with supporting peers. It is advertised through BGP capability negotiation, and all BGP routers must support this capability.
Route Metrics and Selection

bgp always-compare-med

This command allows comparison of the Multi Exit Discriminator (MED) for paths advertised from neighbors in different autonomous systems. Use the no form to disable this feature.
Command Mode
Router Configuration

Default Setting
Disabled

Example
Console(config-router)#bgp bestpath as-path ignore
Console(config-router)#

bgp bestpath compare-confed-

This command compares confederation AS path length in addition to external AS path length in the selection of a path. Use the no form to disable this feature.
Command Usage
Normally, the first route arriving from different external peers (with other conditions equal) will be chosen as the best route. By using this command, the route with lowest router ID will be selected.
bgp default local-preference

This command sets the default local preference used for best path selection among local iBGP peers. Use the no form to restore the default setting.

Syntax
bgp default local-preference preference

preference – Degree of preference iBGP peers give local routes during BGP best path selection. The higher the value, the more the route is to be preferred.
◆ The router immediately groups and sorts all local paths when this command is entered. For correct results, deterministic comparison of the MED must be configured in the same manner (enabled or disabled) on all routers in the local AS.
◆ If deterministic comparison of the MED is not enabled, route selection can be affected by the order in which routes are received.
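The order dependence described above can be reproduced with a small model. This is an added illustration, not code from this guide or the switch software; the Path fields, the three sample paths, and the use of IGP cost as the only later tie-breaker are simplifying assumptions.

```python
"""Added illustration: why MED comparison should be deterministic."""
from dataclasses import dataclass
from itertools import permutations


@dataclass(frozen=True)
class Path:
    name: str
    neighbor_as: int  # AS that advertised the path (and set its MED)
    med: int          # lower is better, comparable only within one neighbor AS
    igp_cost: int     # lower is better, stands in for all later tie-breakers


# Constructed sample: three paths to the same prefix.
PATHS = (
    Path("A", neighbor_as=100, med=200, igp_cost=10),
    Path("B", neighbor_as=200, med=50, igp_cost=20),
    Path("C", neighbor_as=100, med=100, igp_cost=30),
)


def better(a, b):
    """Pairwise step: MED decides only when both paths come from the same AS."""
    if a.neighbor_as == b.neighbor_as and a.med != b.med:
        return a if a.med < b.med else b
    return a if a.igp_cost <= b.igp_cost else b


def select_in_arrival_order(paths):
    """Without deterministic MED: each new path is compared with the current best."""
    best = paths[0]
    for candidate in paths[1:]:
        best = better(candidate, best)
    return best


def select_deterministic(paths):
    """With deterministic MED: pick a winner per neighbor AS, then compare winners."""
    groups = {}
    for path in paths:
        groups.setdefault(path.neighbor_as, []).append(path)
    winners = [
        min(group, key=lambda p: (p.med, p.igp_cost, p.name))
        for group in groups.values()
    ]
    return min(winners, key=lambda p: (p.igp_cost, p.name))


def outcomes(selector):
    """Names of the best path chosen over every possible arrival order."""
    return {selector(list(order)).name for order in permutations(PATHS)}


if __name__ == "__main__":
    print("arrival-order selection :", sorted(outcomes(select_in_arrival_order)))
    print("deterministic selection :", sorted(outcomes(select_deterministic)))
```

In this model the same three advertisements yield three different best paths depending only on arrival order, which is why routers in one AS that mix the two modes can disagree about the best exit.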
◆ If an access-list is specified, it will be applied to received routes. If the received routes are not matched in the access-list or the specified list does not exist, the original distance value will be used.
Example
Console(config-router)#distance 90 10.1.1.64 255.255.255.
◆ Changing the administrative distance of iBGP routes is not recommended. It may cause an accumulation of routing table inconsistencies which can break routing to many parts of the network.
Example
Console(config-router)#distance bgp 20 200 20
Console(config-router)#
Related Commands
distance (948)
Neighbor Configuration
neighbor activate
This command enables the exchange of routing information with a neighboring router or peer group.
neighbor advertisement-interval
This command configures the interval between sending update messages to a neighbor. Use the no form to restore the default setting.
Syntax
neighbor ip-address advertisement-interval interval
no neighbor ip-address advertisement-interval
ip-address – IP address of a neighbor.
interval – The minimum interval between sending routing updates to the specified neighbor.
Command Usage
Under standard routing practices, BGP will not accept a route sent from a neighbor if the same AS number appears in the AS path more than once. This could indicate a routing loop, and the route message would therefore be dropped.
neighbor capability dynamic
This command configures dynamic negotiation of capabilities between neighboring routers. Use the no form to disable this feature.
Syntax
[no] neighbor {ip-address | group-name} capability dynamic
ip-address – IP address of a neighbor.
group-name – A BGP peer group containing a list of neighboring routers configured with the neighbor peer-group command.
Default Setting
Disabled
Command Usage
When this command is entered, the side configured with inbound prefix-list filter rules will transmit its own rules to the peer, and the peer will then use these rules as its own outbound rules, thereby avoiding sending routes which will be denied by its partner.
Example
Console(config-router)#neighbor 10.1.1.
Example
Console(config-router)#neighbor 10.1.1.64 default-originate
Console(config-router)#
neighbor description
This command configures the description of a neighbor or peer group. Use the no form to remove a description.
Syntax
neighbor {ip-address | group-name} description description
no neighbor {ip-address | group-name} description
ip-address – IP address of a neighbor.
Command Mode
Router Configuration
Default Setting
None
Command Usage
◆ If the specified access list for input or output mode does not exist, all input or output route updates will be filtered.
◆ The neighbor prefix-list and the neighbor distribute-list commands are mutually exclusive for a BGP peer. That is, only one of these commands may be applied in the inbound or outbound direction.
Example
Console(config-router)#neighbor 10.1.1.
neighbor ebgp-multihop
This command allows eBGP neighbors to exist in different segments, and configures the maximum hop count (TTL). Use the no form to restore the default setting.
Syntax
neighbor {ip-address | group-name} ebgp-multihop [count]
no neighbor {ip-address | group-name} ebgp-multihop
ip-address – IP address of a neighbor.
Default Setting
Not enforced
Command Usage
By default, the multi-hop check is only performed on iBGP and eBGP non-direct routes. This command can be used to force the router to perform the multi-hop check on directly connected routes as well. In other words, the router will not perform the next-hop direct-connect check for the specified neighbor.
Example
Console(config-router)#neighbor 10.1.1.
Example
In this example, the AS path access list “ASPF” is first configured to deny access to any route passing through AS 100. It then enables route filtering by assigning this list to a peer.
Console(config)#ip as-path access-list ASPF deny 100
Console(config)#router bgp 100
Console(config-router)#redistribute static
Console(config-router)#neighbor 10.1.1.
threshold – The percentage of the maximum number of allowed prefixes at which the router will initiate the specified response.
restart – Restarts BGP connection after the threshold is exceeded.
interval – Time to wait after a BGP connection has been terminated, before reestablishing the session. (Range: 1-65535 minutes)
warning – Sends a log message if the threshold is exceeded.
Command Usage
◆ iBGP routers only connected to other iBGP routers in the same segment will not be able to talk with iBGP routers outside of the segment if they are not directly connected with each other. This command can be used in these kinds of networks (i.e., un-meshed or non-broadcast) where iBGP neighbors may not have direct access to all other neighbors on the same IP subnet.
neighbor passive
This command passively forms a connection with the specified neighbor, not sending a TCP connection request, but waiting for a connection request from the specified neighbor. Use the no form to disable this feature.
Syntax
[no] neighbor {ip-address | group-name} passive
ip-address – IP address of a neighbor.
group-name – A BGP peer group containing a list of neighboring routers configured with the neighbor peer-group command.
Command Usage
◆ When MD5 authentication is configured on a TCP connection between two peers, neighbor authentication occurs whenever routing updates are exchanged. Authentication must be configured with the same password on both peers; otherwise, the connection between them will not be made.
neighbor peer-group (Group Members)
This command assigns routers to a peer group. Use the no form to remove a group member.
Syntax
[no] neighbor ip-address peer-group group-name
ip-address – IP address of a neighbor.
group-name – A BGP peer group.
Command Mode
Router Configuration
Default Setting
No group members are defined.
Command Usage
To create a peer group, use the neighbor group-name peer-group command.
neighbor prefix-list
This command configures prefix restrictions applied in inbound/outbound route updates to/from specified neighbors. Use the no form to remove the neighbor binding for a prefix list.
Syntax
neighbor {ip-address | group-name} prefix-list list-name {in | out}
no neighbor {ip-address | group-name} prefix-list {in | out}
ip-address – IP address of a neighbor.
neighbor remote-as
This command configures a neighbor and its AS number, identifying the neighbor as an iBGP or eBGP peer. Use the no form to remove a neighbor.
Syntax
neighbor {ip-address | group-name} remote-as as-number
no neighbor {ip-address | group-name} remote-as
ip-address – IP address of a neighbor.
group-name – A BGP peer group containing a list of neighboring routers configured with the neighbor peer-group command.
Default Setting
Disabled
Command Usage
◆ This command only applies to eBGP neighbors. It is used to avoid passing an internal AS number to an external AS. Internal AS numbers range from 64512-65535, and should not be sent to the Internet since they are not valid external AS numbers.
◆ This configuration only takes effect when the AS Path attribute of a route contains only internal AS numbers.
Command Usage
◆ First, use the route-map command to create a route map, and the match and set commands to configure the route attributes to act upon. Then use this command to specify neighbors to which the route map is applied.
◆ If the specified route map does not exist, all input/output route updates will be filtered.
Example
Console(config-router)#neighbor 10.1.1.
neighbor route-server-client
This command configures this router as a route server and the specified neighbor as its client. Use the no form to disable the route server for the specified neighbor.
Syntax
[no] neighbor {ip-address | group-name} route-server-client
ip-address – IP address of a neighbor.
group-name – A BGP peer group containing a list of neighboring routers configured with the neighbor peer-group command.
neighbor send-community
This command configures the router to send community attributes to a neighbor in peering messages. Use the no form to stop sending this attribute to a neighbor.
Syntax
[no] neighbor {ip-address | group-name} send-community [both | extended | standard]
ip-address – IP address of a neighbor.
group-name – A BGP peer group containing a list of neighboring routers configured with the neighbor peer-group command.
Default Setting
None
Command Usage
◆ This command terminates any active sessions for the specified neighbor, and removes any associated routing information.
◆ Use the show ip bgp summary command to display the neighbors which have been administratively shut down. Entries in an Idle (Admin) state have been disabled by the neighbor shutdown command.
Example
Console(config-router)#neighbor 10.1.1.
◆ To use soft reconfiguration, without preconfiguration, both BGP neighbors must support the soft route refresh capability advertised in open messages sent when a BGP session is established. To see if a BGP router supports this capability, use the show ip bgp neighbors command.
Example
Console(config-router)#neighbor 11.1.1.
hold-time – The maximum interval after which a neighbor is declared dead if a keep-alive or update message has not been received. (Range: 0-65535 seconds)
Command Mode
Router Configuration
Default Setting
Keep Alive time: 60 seconds
Hold time: 180 seconds
Command Usage
◆ This command sets the Keep Alive time used for maintaining connectivity, and the Hold time to wait for Keep Alive or Update messages before declaring a neighbor down.
Command Usage
This command sets the time to wait before attempting to reconnect to a BGP neighbor after having failed to connect. During the idle time specified by the Connect Retry timer, the remote BGP peer can actively establish a BGP session with the local router.
Example
Console(config-router)#neighbor 10.1.1.
neighbor update-source
This command specifies the interface to use for a TCP connection, instead of using the nearest interface. Use the no form to use the default interface.
Syntax
[no] neighbor {ip-address | group-name} update-source interface vlan vlan-id
ip-address – IP address of a neighbor.
group-name – A BGP peer group containing a list of neighboring routers configured with the neighbor peer-group command.
vlan-id – VLAN ID.
Command Usage
◆ Use this command to specify a weight for all the routes learned from a neighbor. The route with the highest weight gets preference over other routes to the same network.
◆ Weights assigned using the set weight command override those assigned by this command.
Example
Console(config-router)#neighbor 10.1.1.66 weight 500
Console(config-router)#
Display Information
show ip bgp
This command shows entries in the routing table.
Table 186: show ip bgp - display description
Field               Description
BGP table version   Internal version number of routing table, incremented per table change.
local router ID     IP address of router.
Status codes        Status of table entry includes these values:
                    ◆ s – Entry is suppressed.
                    ◆ d – Entry is dampened.
                    ◆ h – Entry history
                    ◆ * – Entry is valid
                    ◆ > – Best entry for that network
                    ◆ i – Entry learned via internal BGP (iBGP).
Example
In the following example, Refcnt refers to the number of routes using the indicated next hop.
Console#show ip bgp attribute-info
Refcnt Nexthop
1      0.0.0.0
1      10.1.1.64
3      10.1.1.64
1      10.1.1.121
2      10.1.1.200
Console#
show ip bgp cidr-only
This command shows routes which use classless interdomain routing network masks.
internet – Specifies the entire Internet. Routes with this community attribute are advertised to all internal and external peers.
local-as – Specifies the local autonomous system. Routes with this community attribute are advertised only to peers that are part of the local autonomous system or to peers within a sub-autonomous system of a confederation.
Table 187: show ip bgp community-info - display description
Field       Description
Address     Internal address in memory where the entry is stored.
Refcnt      The number of routes which refer to this community.
Community   4-byte community number composed of a 2-byte autonomous system number and a 2-byte network number, separated by one colon
show ip bgp
This command shows the routes matching a community-list.
parameters – Route dampening parameters.
Command Mode
Privileged Exec
Example
In the following example, “From” indicates the peer that advertised this path, while “Reuse” is the time after which the path will be made available.
Console#show ip bgp dampening dampened-paths
BGP table version is 0, local router ID is 192.168.0.
Table 188: show ip bgp dampening parameters- display description (Continued)
Field               Description
Suppress penalty    The point at which to start suppressing a route.
Max suppress time   The maximum time a route can be suppressed.
show ip bgp filter-list
This command shows routes matching the specified filter list.
Command Mode
Privileged Exec
Console#show ip bgp neighbors 192.168.0.3
BGP neighbor is 192.168.0.3, remote AS 200, local AS 100, external link
Member of peer-group for session parameters
BGP version 4, remote router ID 192.168.0.
Table 189: show ip bgp - display description (Continued)
Field                                     Description
keepalive interval                        Interval at which keepalive messages are transmitted to this neighbor.
Neighbor capabilities                     BGP capabilities advertised and received from this neighbor.
Message statistics                        Statistics organized by message type.
Minimum time between advertisement runs   Time between transmission of advertisements.
show ip bgp prefix-list
This command shows routes matching the specified prefix-list.
Syntax
show ip bgp prefix-list list-name
list-name – Name of a prefix-list. The prefix list can be used to filter the networks to import or export as defined by the match ip address prefix-list command. (Range: 1-80 characters)
Command Mode
Privileged Exec
Example
Console#show ip bgp prefix-list rd
BGP table version is 0, local router ID is 192.168.0.
show ip bgp route-map
This command shows routes matching the specified route map.
Syntax
show ip bgp route-map map-name
map-name – Name of the route map as defined by the route-map command. The route map can be used to filter the networks to advertise. (Range: 1-80 characters)
Command Mode
Privileged Exec
Example
Console#show ip bgp route-map rd
BGP table version is 0, local router ID is 192.168.0.
Command Mode
Privileged Exec
Example
In the following example, “Up/Down” refers to the length of time the session has been in the Established state, or the current status if not in Established state.
Console#show ip bgp summary
BGP router identifier 192.168.0.2, local AS number 100
RIB entries 0 Peers 1 Peer groups 0
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
192.168.0.
100-500 – Expanded community list number that identifies one or more groups of communities.
community-list-name – Name of standard or expanded access list. (Maximum length: 32 characters, no spaces or other special characters)
Command Mode
Privileged Exec
Example
Console#show ip extcommunity-list rd
Named extended community standard list rd
permit RT:192.168.0.0:10
Console#
show ip prefix-list
This command shows the specified prefix list.
show ip prefix-list detail
This command shows detailed information for the specified prefix list.
Syntax
show ip prefix-list detail [prefix-list-name]
prefix-list-name – Name of prefix list. (Maximum length: 128 characters, no spaces or other special characters)
Command Mode
Privileged Exec
Example
Console#show ip prefix-list detail rd
ip prefix-list rd:
count: 1, range entries: 0, sequences: 5 - 5
seq 5 deny 10.0.0.
show ip protocols bgp
This command shows BGP process parameters.
Command Mode
Privileged Exec
Example
Console#show ip protocols bgp
Routing Protocol is "bgp 1"
Neighbor(s):
Address FiltIn FiltOut DistIn DistOut Weight RouteMap
192.168.1.1
Routing Information Sources:
Gateway Distance Last Update
192.168.1.
Policy-based Routing for BGP
This section describes commands used to configure policy-based routing (PBR) maps for Border Gateway Protocol (BGP). Policy-based routing is performed before regular routing. PBR inspects traffic on the interface where the policy is applied and then, based on the policy, makes some decision. First, the traffic is “matched” according to the policy. Second, for each match, there is something “set.
Table 192: Policy-based Routing Configuration Commands (Continued)
Command                 Function                                                                                               Mode
match ip address        Specifies destination addresses to match in a standard access list, extended access list, or prefix list   RM
match ip next-hop       Specifies next hop addresses to match in a standard access list, extended access list, or prefix list      RM
match ip route-source   Specifies the source of routing messages to match in a standard access list, exte
route-map
This command enters route-map configuration mode, allowing route maps to be created or modified. Use the no form to remove a route map.
Syntax
[no] route-map map-name {deny | permit} sequence-number
map-name – Name for the route map. (Range: 1-128 case-sensitive alphanumeric characters)
deny – Route-map denies set operations.
permit – Route-map permits set operations.
■ For a permit route-map, if it does not have a match clause, any routing message is matched, and therefore all routes are permitted.
■ For a permit route-map which includes a match clause for an access-list, if the access-list does not exist, no routing messages are matched, and therefore all routes are skipped.
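The route-map rules above, together with the neighbor filter rules earlier in this chapter (a missing route map filters every update; prefix-list and distribute-list are mutually exclusive per direction), can be checked before a configuration is applied. This is an added example, not the vendor's tooling; the sample configuration is constructed, and the "ip prefix-list ... seq", "neighbor ... route-map", "neighbor ... filter-list" and "neighbor ... distribute-list" statement forms are assumed syntax.

```python
"""Added example: lint a BGP policy configuration for the pitfalls described above."""
from collections import defaultdict

# Constructed sample configuration. The "ip as-path access-list", "route-map",
# "match as-path" and "neighbor ... prefix-list" forms appear in this guide;
# the remaining statement forms are assumptions modelled on them.
SAMPLE_CONFIG = """
ip prefix-list CUST-IN seq 5 permit 10.20.0.0/16
ip as-path access-list ASPF deny 100
route-map RD permit 2
 match as-path ASPF
 set weight 30
route-map RD permit 5
 match as-path NOPE
route-map OPEN permit 10
 set weight 500
router bgp 100
 neighbor 10.1.1.64 remote-as 200
 neighbor 10.1.1.64 prefix-list CUST-IN in
 neighbor 10.1.1.64 distribute-list 10 in
 neighbor 10.1.1.64 route-map RD out
 neighbor 10.1.1.66 remote-as 300
 neighbor 10.1.1.66 prefix-list MISSING in
 neighbor 10.1.1.66 filter-list ASPF out
 neighbor 10.1.1.66 route-map GONE out
"""

# Neighbor filter keyword -> namespace of the object it refers to.
# distribute-list is tracked for the exclusivity check only, because
# access-list definitions are not parsed here.
REF_NAMESPACE = {"prefix-list": "prefix-list", "route-map": "route-map",
                 "filter-list": "as-path", "distribute-list": None}


def audit(config):
    """Return a sorted list of (finding_code, subject) tuples."""
    defined = defaultdict(set)   # namespace -> names that exist
    entries = {}                 # (map name, sequence) -> action and match clauses
    refs = []                    # (neighbor, keyword, name, direction)
    current = None               # route-map entry currently being parsed
    for raw in config.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if tok[:2] == ["ip", "prefix-list"] and len(tok) > 2:
            defined["prefix-list"].add(tok[2])
            current = None
        elif tok[:3] == ["ip", "as-path", "access-list"] and len(tok) > 3:
            defined["as-path"].add(tok[3])
            current = None
        elif tok[0] == "route-map" and len(tok) == 4:
            defined["route-map"].add(tok[1])
            current = (tok[1], int(tok[3]))
            entries[current] = {"action": tok[2], "matches": []}
        elif tok[0] == "match" and current is not None:
            entries[current]["matches"].append(tok[1:])
        elif tok[0] == "set" and current is not None:
            pass                 # set clauses do not affect these checks
        else:
            current = None
            if tok[0] == "neighbor" and len(tok) == 5 and tok[2] in REF_NAMESPACE:
                refs.append((tok[1], tok[2], tok[3], tok[4]))

    findings = set()
    per_direction = defaultdict(set)
    for nbr, keyword, name, direction in refs:
        per_direction[(nbr, direction)].add(keyword)
        namespace = REF_NAMESPACE[keyword]
        if namespace and name not in defined[namespace]:
            findings.add(("undefined-" + keyword, f"{nbr} {direction} {name}"))
    for (nbr, direction), keywords in per_direction.items():
        # prefix-list and distribute-list are mutually exclusive per direction.
        if {"prefix-list", "distribute-list"} <= keywords:
            findings.add(("exclusive", f"{nbr} {direction}"))
    for (name, seq), entry in entries.items():
        if entry["action"] == "permit" and not entry["matches"]:
            # A permit entry without a match clause matches every route.
            findings.add(("permit-all", f"{name} {seq}"))
        for match in entry["matches"]:
            if match[0] == "as-path" and len(match) > 1 and match[1] not in defined["as-path"]:
                # A missing access list means the entry never matches.
                findings.add(("undefined-as-path", f"{name} {seq} {match[1]}"))
    return sorted(findings)


if __name__ == "__main__":
    for code, subject in audit(SAMPLE_CONFIG):
        print(f"{code:24} {subject}")
```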
continue
This command goes to a route-map entry with a higher sequence number after a successful match occurs. Use the no form to remove this entry from a route map.
Syntax
continue [sequence-number]
no continue
sequence-number – Sequence number at which to continue processing. (Range: 1-65535)
Command Mode
Route Map
Command Usage
If no match statements precede the call entry, the call is automatically executed.
match as-path
This command sets a BGP autonomous system path access list to match. Use the no form to remove this entry from a route map.
Syntax
[no] match as-path access-list-name
access-list-name – Name of the access list.
Command Usage
This command matches the community attributes of the BGP routing message following the rules specified with the ip community-list command.
Example
Console(config)#route-map RD permit 2
Console(config-route-map)#match community 60
Console(config-route-map)#set weight 30
Console(config-route-map)#
match extcommunity
This command sets a BGP extended community access list to match.
prefix-list-name – Name of a specific prefix list.
match ip route-source
This command specifies the source of routing messages advertised by routers and access servers to be matched in a standard access list, an extended access list, or a prefix list. Use the no form to remove this entry from a route map.
match origin
This command sets the originating protocol to match in routing messages. Use the no form to remove this entry from a route map.
Syntax
match origin {egp | igp | incomplete}
no match origin
egp – Routes learned from exterior gateway protocols.
igp – Routes learned from internal gateway protocols.
incomplete – Routes of uncertain origin.
Traffic engineering via longer prefixes is only effective when the longer prefixes have a different next hop from the less specific prefix. Thus, past the point where the next hops become identical, the longer prefixes provide no value whatsoever. This command can be used to limit the radius of propagation of more specific prefixes by adding a count of the ASes that may be traversed by the more specific prefix.
on-match
This command sets the next entry to go to when this entry matches. Use the no form to remove this entry from a route map.
Syntax
on-match peer {goto sequence-number | next}
no on-match peer {goto | next}
goto – On match, go to specified entry.
sequence-number – Route-map entry. (Range: 1-65535)
next – Go to next entry.
Command Mode
Route Map
Command Usage
Use this command when no set action is for a match clause.
Example
Console(config)#route-map RD permit 8
Console(config-route-map)#match pathlimit as 5
Console(config-route-map)#set aggregator 1 192.168.0.0
Console(config-route-map)#
set as-path
This command modifies the AS path by prepending or excluding an AS number. Use the no form to remove this entry from a route map.
Syntax
set as-path {exclude | prepend} as-number...
and that the aggregate path might not be the best path to the destination. This attribute should be set when the BGP speaker advertises ONLY the less-specific prefix and suppresses more specific ones.
Example
Console(config)#route-map RD permit 9
Console(config-route-map)#match peer 192.168.0.
set community
This command sets the community attributes of routing messages. Use the no form to remove this entry from a route map.
Syntax
set community [AA:NN...] [additive {[AA:NN...] [internet] [local-as] [no-advertise] [no-export]} [internet [[AA:NN...] [local-as] [no-advertise] [no-export]] [local-as [[AA:NN...] [no-advertise] [no-export]] [no-advertise [AA:NN...] [no-export]] [no-export [AA:NN...
Console(config-route-map)#set community 20:01
Console(config-route-map)#
Related Commands
set comm-list delete (1004)
set extcommunity
This command sets the extended community attributes of routing messages. Use the no form to remove this entry from a route map.
Syntax
set extcommunity {rt extended-community-value | soo extended-community-value}
no set extcommunity [rt | soo]
rt – The route target extended community attribute.
site are assigned the same site of origin attribute, no matter if a site is connected to a single PE router or multiple PE routers. Filtering based on this extended community attribute can prevent routing loops from occurring when a site is multi-homed.
Example
Console(config)#route-map RD permit 13
Console(config-route-map)#match peer 192.168.0.99
Console(config-route-map)#set extcommunity 100:0 192.168.1.
set local-preference
This command sets the priority within the local AS for a routing message. Use the no form to remove this entry from a route map.
Syntax
set local-preference preference
no set local-preference
preference – Degree of preference iBGP peers give local routes during BGP best path selection. The higher the value, the more the route is to be preferred.
◆ This command can modify the current metric for a route using the “+” or “-” keywords.
◆ The metric applies to external routers in the inter-autonomous system. To specify the metric for the local AS, use the set local-preference command.
◆ This path metric is normally only compared with neighbors in the local AS.
set originator-id
This command sets the IP address of the routing message’s originator. Use the no form to remove this entry from a route map.
Syntax
set originator-id ip-address
no set originator-id
ip-address – An IPv4 address of the route source, expressed in dotted decimal notation.
Example
Console(config)#route-map RD permit 18
Console(config-route-map)#match peer 192.168.0.99
Console(config-route-map)#set pathlimit ttl 255
Console(config-route-map)#
set weight
This command sets the weight for routing messages. Use the no form to remove this entry from a route map.
Syntax
set weight weight
no set weight
weight – The weight assigned to this route.
Example
Console#show route-map RD
route-map RD, permit, sequence 1
Match clauses:
peer 102.168.0.
30 Multicast Routing Commands Multicast routers can use various kinds of multicast routing protocols to deliver IP multicast packets across different subnetworks. This router supports Protocol Independent Multicasting (PIM). (Note that IGMP will be enabled for any interface that is using multicast routing.
Chapter 30 | Multicast Routing Commands General Multicast Routing
Default Setting
Disabled
Command Mode
Global Configuration
Command Usage
◆ This command is used to enable IPv4 multicast routing globally for the router. A specific multicast routing protocol also needs to be enabled on the interfaces that will support multicast routing using the router pim command, and then specify the interfaces that will support multicast routing using the ip pim dense-mode or ip pim sparse-mode commands.
Example
This example shows detailed multicast information for a specified group/source pair
Console#show ip mroute 224.0.255.3 192.111.46.8
IP Multicast Forwarding is enabled.
IP Multicast Routing Table
Flags: D - Dense, S - Sparse, s - SSM Channel, C - Connected, P - Pruned, F - Register flag, R - RPT-bit set, T - SPT-bit set, J - Join SPT
Interface state: F - Forwarding, P - Pruned, L - Local
(192.168.2.1, 224.0.17.
Table 195: show ip mroute - display description (Continued)
Field                Description
Incoming Interface   Interface leading to the upstream neighbor. PIM creates a multicast routing tree based on the unicast routing table. If the related unicast routing table does not exist, PIM will still create a multicast routing entry, but displays “Null” for the upstream interface to indicate that the unicast routing table is not valid.
will support multicast routing using the router pim6 command, and then specify the interfaces that will support multicast routing using the ipv6 pim command.
◆ To use multicast routing, MLD proxy cannot be enabled on any interface of the device (see ipv6 mld proxy on page 649).
Example
Console(config)#ipv6 multicast-routing
Console(config)#
show ipv6 mroute
This command displays the IPv6 multicast routing table.
Incoming Interface: VLAN2, RPF neighbor: FE80::0303
Outgoing Interface List:
VLAN1(F)
Console#
Table 196: show ip mroute - display description
Field   Description
Flags   The flags associated with this entry:
        ◆ D (Dense) - PIM Dense mode in use.
        ◆ S (Sparse) - PIM Sparse mode in use.
        ◆ s (SSM) - A multicast group with the range of IP addresses used for PIM-SSM.
        ◆ C (Connected) - A member of the multicast group is present on this interface.
This example lists all entries in the multicast table in summary form:
Console#show ipv6 mroute summary
IP Multicast Forwarding is disabled
IP Multicast Routing Table (Summary)
Flags: F - Forwarding, P - Pruned, D - PIM-DM, S – PIM-SM, V – DVMRP, M - MLD
Group                          Source                         Interface  Flag
------------------------------ ------------------------------ ---------- ---
FF02::0101                     FE80::0101                     VLAN 4096  DF
Total Entry is 1
Console#
Static Multicast Routing
Command Mode
Global Configuration
Command Usage
Depending on your network connections, IGMP snooping may not always be able to locate the IGMP querier. Therefore, if the IGMP querier is a known multicast router/switch connected over the network to an interface (port or trunk) on your router, you can manually configure that interface to join all the current multicast groups.
Command Mode
Global Configuration
Command Usage
Depending on your network connections, IGMP snooping may not always be able to locate the IGMP querier. Therefore, if the IGMP querier is a known multicast router/switch connected over the network to an interface (port or trunk) on your router, you can manually configure that interface to join all the current multicast groups.
Chapter 30 | Multicast Routing Commands PIM Multicast Routing PIM Multicast Routing This section describes the PIM commands used for IPv4 and IPv6. Note that PIM can run on an IPv4 network and PIM6 on an IPv6 network simultaneously. Also note that Internet Group Management Protocol (IGMP) is used for IPv4 networks and Multicast Listener Discovery (MLD) for IPv6 networks. Table 199: IPv4 and IPv6 PIM Commands Command Group Function IPv4 PIM Commands Configures multicast routing for IPv4 PIM.
Chapter 30 | Multicast Routing Commands PIM Multicast Routing Table 200: PIM-DM and PIM-SM Multicast Routing Commands (Continued) Command Function Mode ip pim bsr-candidate Configures the switch as a Bootstrap Router (BSR) candidate GC ip pim register-rate-limit Configures the rate at which register messages are sent by GC the Designated Router (DR) ip pim register-source Configure the IP source address of a register message to an GC address other than the outgoing interface address of the designa
Chapter 30 | Multicast Routing Commands PIM Multicast Routing ◆ To use multicast routing, IGMP proxy cannot be enabled on any interface of the device (see the ip igmp proxy command). Example Console(config)#router pim Console(config)#exit Console#show ip pim interface PIM is enabled. VLAN 1 is up. PIM Mode : Dense Mode IP Address : 192.168.0.
Chapter 30 | Multicast Routing Commands PIM Multicast Routing join messages are received from downstream routers, or a group member is directly connected to the interface. ◆ Dense-mode interfaces are subject to multicast flooding by default, and are only removed from the multicast routing table when the router determines that there are no group members or downstream routers, or when a prune message is received from a downstream router.
Default Setting 105 seconds Command Mode Interface Configuration (VLAN) Command Usage The ip pim hello-holdtime should be greater than the value of ip pim hello-interval. Example Console(config-if)#ip pim hello-holdtime 210 Console(config-if)# ip pim hello-interval This command configures the frequency at which PIM hello messages are transmitted. Use the no form to restore the default value.
ip pim join-prune-holdtime This command configures the hold time for the prune state. Use the no form to restore the default value. Syntax ip pim join-prune-holdtime seconds no ip pim join-prune-holdtime seconds - The hold time for the prune state.
Chapter 30 | Multicast Routing Commands PIM Multicast Routing a Join message. If no join messages are received after the prune delay expires, this router will prune the flow.
Example Console(config-if)#ip pim override-interval 3500 Console(config-if)# Related Commands ip pim propagation-delay (1029) ip pim lan-prune-delay (1027) ip pim propagation-delay This command configures the propagation delay required for a LAN prune delay message to reach downstream routers. Use the no form to restore the default setting.
ip pim trigger-hello-delay This command configures the maximum time before transmitting a triggered PIM Hello message after the router is rebooted or PIM is enabled on an interface. Use the no form to restore the default value. Syntax ip pim trigger-hello-delay seconds no ip pim trigger-hello-delay seconds - The maximum time before sending a triggered PIM Hello message.
Chapter 30 | Multicast Routing Commands PIM Multicast Routing Example Console#show ip pim interface vlan 1 PIM is enabled. VLAN 1 is up. PIM Mode : Dense Mode IP Address : 192.168.0.
Chapter 30 | Multicast Routing Commands PIM Multicast Routing Table 201: show ip pim neighbor - display description (Continued) Field Description Expiration Time The time before this entry will be removed. DR The designated PIM-SM router. If multicast hosts are directly connected to the LAN, then only one of these routers is elected as the DR, and acts on behalf of these hosts, sending periodic Join/Prune messages toward a group-specific RP for each group.
Default Setting 3 Command Mode Interface Configuration (VLAN) Example Console(config-if)#ip pim max-graft-retries 5 Console(config-if)# ip pim state-refresh origination-interval This command sets the interval between sending PIM-DM state refresh control messages. Use the no form to restore the default value.
Chapter 30 | Multicast Routing Commands PIM Multicast Routing PIM-SM Commands ip pim bsr-candidate This command configures the switch as a Bootstrap Router (BSR) candidate. Use the no form to restore the default value. Syntax ip pim bsr-candidate interface vlan vlan-id [hash hash-mask-length] [priority priority] no ip pim bsr-candidate vlan-id - VLAN ID (Range: 1-4094) hash-mask-length - Hash mask length (in bits) used for RP selection (see ip pim rp-candidate and ip pim rp-address).
Chapter 30 | Multicast Routing Commands PIM Multicast Routing Example The following example configures the router to start sending bootstrap messages out of the interface for VLAN 1 to all of its PIM-SM neighbors. Console(config)#ip pim bsr-candidate interface vlan 1 hash 20 priority 200 Console(config)#exit Console#show ip pim bsr-router PIMv2 Bootstrap information BSR Address : 192.168.0.
Chapter 30 | Multicast Routing Commands PIM Multicast Routing ip pim register-source This command configures the IP source address of a register message to an address other than the outgoing interface address of the designated router (DR) that leads back toward the rendezvous point (RP). Use the no form to restore the default setting.
Chapter 30 | Multicast Routing Commands PIM Multicast Routing Command Mode Global Configuration Command Usage ◆ The router specified by this command will act as an RP for all multicast groups in the local PIM-SM domain if no groups are specified. A static RP can either be configured for the whole multicast group range 224.0.0.0/4, or for specific group ranges. ◆ Using this command to configure multiple static RPs with the same RP address is not allowed.
Info source : static Uptime : 00:00:21 Expire : Never Console# ip pim rp-candidate This command configures the router to advertise itself as a Rendezvous Point (RP) candidate to the bootstrap router (BSR). Use the no form to remove this router as an RP candidate.
Chapter 30 | Multicast Routing Commands PIM Multicast Routing ◆ The election process for each group is based on the following criteria: ■ Find all RPs with the most specific group range. ■ Select those with the highest priority (lowest priority value). ■ Compute a hash value based on the group address, RP address, priority, and hash mask included in the bootstrap messages. ■ If there is a tie, use the candidate RP with the highest IP address.
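The election criteria listed above, worked through in code. This is an added example, not part of the guide or the switch software; it assumes the hash is the function defined in RFC 7761 section 4.7.2 (the guide does not give the formula), and the candidate addresses, group ranges and priorities are constructed sample values.

```python
"""Added example: PIM-SM group-to-RP election following the four criteria above."""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class CandidateRP:
    address: str       # RP unicast address (constructed sample value)
    group_range: str   # group prefix this candidate advertises
    priority: int      # lower value = higher priority, as stated in the criteria


def rp_hash(group: str, hash_mask_len: int, rp_address: str) -> int:
    """Hash value for one (group, RP) pair.

    Assumption: the function from RFC 7761 section 4.7.2,
    (1103515245 * ((1103515245 * (G & M) + 12345) XOR C) + 12345) mod 2^31.
    """
    if not 0 <= hash_mask_len <= 32:
        raise ValueError("hash mask length must be 0-32 bits")
    g = int(ipaddress.IPv4Address(group))
    m = (0xFFFFFFFF << (32 - hash_mask_len)) & 0xFFFFFFFF
    c = int(ipaddress.IPv4Address(rp_address))
    inner = (1103515245 * (g & m) + 12345) ^ c
    return (1103515245 * inner + 12345) % (1 << 31)


def elect_rp(group: str, candidates: Iterable[CandidateRP],
             hash_mask_len: int) -> Optional[CandidateRP]:
    """Return the RP every router in the domain would pick for `group`."""
    g = ipaddress.IPv4Address(group)
    if not g.is_multicast:
        raise ValueError(f"{group} is not a multicast group address")

    # Keep only candidates whose advertised range covers the group.
    covering = []
    for cand in candidates:
        net = ipaddress.IPv4Network(cand.group_range)
        if g in net:
            covering.append((net.prefixlen, cand))
    if not covering:
        return None

    # 1. Most specific group range.
    longest = max(plen for plen, _ in covering)
    pool = [cand for plen, cand in covering if plen == longest]

    # 2. Highest priority, which is the lowest priority value.
    best = min(cand.priority for cand in pool)
    pool = [cand for cand in pool if cand.priority == best]

    # 3. Highest hash value; 4. on a hash tie, highest RP address.
    return max(pool, key=lambda cand: (rp_hash(group, hash_mask_len, cand.address),
                                       int(ipaddress.IPv4Address(cand.address))))


# Constructed sample RP-set, as a BSR might distribute it.
SAMPLE_CANDIDATES = [
    CandidateRP("192.168.0.2", "224.0.0.0/4", 10),
    CandidateRP("192.168.0.3", "224.0.0.0/4", 10),
    CandidateRP("192.168.0.4", "224.0.0.0/4", 50),
    CandidateRP("192.168.0.9", "239.1.0.0/16", 200),
]

if __name__ == "__main__":
    for grp in ("225.0.0.1", "225.0.0.200", "225.0.16.1", "239.1.1.1"):
        rp = elect_rp(grp, SAMPLE_CANDIDATES, hash_mask_len=20)
        print(f"{grp:<12} -> {rp.address} (range {rp.group_range}, priority {rp.priority})")
```

With a 20-bit hash mask, groups that share their first 20 bits always land on the same RP, which is the grouping effect the hash-mask-length parameter of ip pim bsr-candidate controls.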
Chapter 30 | Multicast Routing Commands PIM Multicast Routing Default Setting The last-hop PIM router joins the shortest path tree immediately after the first packet arrives from a new source. Command Mode Global Configuration Command Usage ◆ The default path for packets from a multicast source to a receiver is through the RP. However, the path through the RP is not always the shortest path. Therefore, the router uses the RP to forward only the first packet from a new multicast group to its receivers.
Command Mode Global Configuration Command Usage ◆ For multicast group addresses that fall within the default SSM range of 232/8 or within a range set by this command, source-specific multicast service mode is used. For all other multicast addresses, any-source multicast service mode is used. ◆ SSM requires the client to specify the multicast source address in registration messages.
Chapter 30 | Multicast Routing Commands PIM Multicast Routing receivers to the source will be maintained, even if the source is not sending traffic for long periods of time, or has stopped sending altogether. Example This example sets the SSM address range to 224.2.151.0/24. Console(config)#ip pim ssm range 224.2.151.0 255.255.255.0 Console# ip pim dr-priority This command sets the priority value for a Designated Router (DR) candidate. Use the no form to restore the default setting.
Chapter 30 | Multicast Routing Commands PIM Multicast Routing Example This example sets the priority used in the bidding process for the DR. Console(config)#interface vlan 1 Console(config-if)#ip pim dr-priority 20 Console(config-if)#end Console#show ip pim interface PIM is enabled. VLAN 1 is up. PIM Mode : Sparse Mode IP Address : 192.168.0.
Chapter 30 | Multicast Routing Commands PIM Multicast Routing prune state for this multicast stream. The protocol maintains both the current join state and the pending Reverse Path Tree (RPT) prune state for this (source, group) pair until the join/prune-interval timer expires. Example This example sets the priority used in the bidding process for the DR. Console(config)#interface vlan 1 Console(config-if)#ip pim join-prune-interval 210 Console#show ip pim interface PIM is enabled. VLAN 1 is up.
Chapter 30 | Multicast Routing Commands PIM Multicast Routing show ip pim bsr-router This command displays information about the bootstrap router (BSR). Command Mode Privileged Exec Command Usage This command displays information about the elected BSR. Example This example displays information about the BSR. Console#show ip pim bsr-router PIMv2 Bootstrap information BSR Address : 192.168.0.
show ip pim rp mapping This command displays active RPs and associated multicast routing entries. Command Mode Privileged Exec Example This example displays the RP map. Console#show ip pim rp mapping PIM Group-to-RP Mappings Groups : 224.0.0.0/8 RP address : 192.168.0.2/32 Info source : 192.168.0.
Table 204: show ip pim rp-hash - display description Field Description RP address IP address of the RP used for the specified multicast group Info source RP that advertised the mapping, and how the RP was selected show ip pim ssm range This command displays the range for source-specific multicast (SSM) addresses. Command Mode Privileged Exec Example Console#show ip pim ssm range Group-address: 224.2.151.0 Group-mask: 255.255.255.
Chapter 30 | Multicast Routing Commands PIM Multicast Routing Table 205: PIM-DM and PIM-SM Multicast Routing Commands (Continued) Command Function Mode PIM-DM Commands ipv6 pim graft-retry-interval Configures the time to wait for a Graft acknowledgement before resending a Graft message IC ipv6 pim max-graft-retries Configures the maximum number of times to resend a Graft message if it has not been acknowledged IC ipv6 pim state-refresh origination-interval Sets the interval between PIM-DM state re
Chapter 30 | Multicast Routing Commands PIM Multicast Routing Command Usage ◆ This command enables PIM-DM and PIM-SM for IPv6 globally for the router. You also need to enable PIM-DM and PIM-SM for each interface that will support multicast routing using the ipv6 pim command, and make any changes necessary to the multicast protocol parameters. ◆ To use PIMv6, IPv6 multicast routing must be enabled on the switch using the ipv6 multicast-routing command.
Chapter 30 | Multicast Routing Commands PIM Multicast Routing that there are no group members or downstream routers, or when a prune message is received from a downstream router. ◆ Sparse-mode interfaces forward multicast traffic only if a join message is received from a downstream router or if group members are directly connected to the interface.
Chapter 30 | Multicast Routing Commands PIM Multicast Routing Command Usage The ip pim hello-holdtime should be greater than the value of ipv6 pim hello-interval. Example Console(config-if)#ipv6 pim hello-holdtime 210 Console(config-if)# ipv6 pim hello-interval This command configures the frequency at which PIM hello messages are transmitted. Use the no form to restore the default value. Syntax ipv6 pim hello-interval seconds no pimv6 hello-interval seconds - Interval between sending PIM hello messages.
Chapter 30 | Multicast Routing Commands PIM Multicast Routing Command Mode Interface Configuration (VLAN) Command Usage The multicast interface that first receives a multicast stream from a particular source forwards this traffic to all other PIM interfaces on the router. If there are no requesting groups on that interface, the leaf node sends a prune message upstream and enters a prune state for this multicast stream.
Related Commands ipv6 pim override-interval (1053) ipv6 pim propagation-delay (1054) ipv6 pim override-interval This command configures the override interval, or the time it takes a downstream router to respond to a lan-prune-delay message. Use the no form to restore the default setting.
ipv6 pim propagation-delay This command configures the propagation delay required for a LAN prune delay message to reach downstream routers. Use the no form to restore the default setting. ipv6 pim propagation-delay milliseconds no ipv6 pim propagation-delay milliseconds - The time required for a lan-prune-delay message to reach downstream routers attached to the same VLAN interface.
Command Mode Interface Configuration (VLAN) Command Usage ◆ When a router first starts or PIM is enabled on an interface, the hello delay is set to a random value between 0 and the trigger-hello-delay. This prevents synchronization of Hello messages on multi-access links if multiple routers are powered on simultaneously.
show ipv6 pim neighbor This command displays information about PIM neighbors. Syntax show ipv6 pim neighbor [interface vlan vlan-id] vlan-id - VLAN ID (Range: 1-4094) Default Setting Displays information for all known PIM neighbors.
Command Mode Interface Configuration (VLAN) Command Usage A graft message is sent by a router to cancel a prune state. When a router receives a graft message, it must respond with a graft acknowledgement message. If this acknowledgement message is lost, the router that sent the graft message will resend it a number of times (as defined by the ipv6 pim max-graft-retries command).
ipv6 pim state-refresh origination-interval This command sets the interval between sending PIM-DM state refresh control messages. Use the no form to restore the default value. Syntax ipv6 pim state-refresh origination-interval seconds no ipv6 pim max-graft-retries seconds - The interval between sending PIM-DM state refresh control messages.
Chapter 30 | Multicast Routing Commands PIM Multicast Routing when the hash function is executed on any BSR, all groups with the same seed hash will be mapped to the same RP. If the mask length is less than 32, then only the first portion of the hash is used, and a single RP will be defined for multiple groups. (Range: 0-32 bits) priority - Priority used by the candidate bootstrap router in the election process. The BSR candidate with the largest priority is preferred.
State : Elected BSR Console# ipv6 pim register-rate-limit This command configures the rate at which register messages are sent by the Designated Router (DR) for each (source, group) entry. Use the no form to restore the default value. Syntax ipv6 pim register-rate-limit rate no ipv6 pim register-rate-limit rate - The maximum number of register packets per second.
Chapter 30 | Multicast Routing Commands PIM Multicast Routing Command Mode Global Configuration Command Usage When the source address of a register message is filtered by intermediate network devices, or is not a uniquely routed address to which the RP can send packets, the replies sent from the RP to the source address will fail to reach the DR, resulting in PIM6-SM protocol failures.
Chapter 30 | Multicast Routing Commands PIM Multicast Routing longer group prefix length. If the prefix lengths are the same, then the static RP with the highest IP address is chosen. ◆ Static definitions for RP addresses may be used together with RP addresses dynamically learned through the bootstrap router (BSR).
seconds - The interval at which this device advertises itself as an RP candidate. (Range: 60-16383 seconds) value - Priority used by the candidate RP in the election process. The RP candidate with the largest priority is preferred. If the priority values are the same, the candidate with the larger IP address is elected to be the RP. Setting the priority to zero means that this router is not eligible to serve as the RP.
Chapter 30 | Multicast Routing Commands PIM Multicast Routing Example The following example configures the router to start advertising itself to the BSR as a candidate RP for the indicated multicast groups.
Chapter 30 | Multicast Routing Commands PIM Multicast Routing ◆ Only one entry is allowed for this command. Example This example prevents the switch from using the SPT for multicast groups FF01:1::0101/64.
Chapter 30 | Multicast Routing Commands PIM Multicast Routing Example This example sets the priority used in the bidding process for the DR. Console(config)#interface vlan 1 Console(config-if)#ipv6 pim dr-priority 20 Console(config-if)#end Console#show ipv6 pim interface PIM is enabled. VLAN 1 is up.
Chapter 30 | Multicast Routing Commands PIM Multicast Routing prune state for this multicast stream. The protocol maintains both the current join state and the pending Reverse Path Tree (RPT) prune state for this (source, group) pair until the join/prune-interval timer expires. Example This example sets the priority used in the bidding process for the DR. Console(config)#interface vlan 1 Console(config-if)#ipv6 pim join-prune-interval 220 Console#show ipv6 pim interface PIM is enabled. VLAN 1 is up.
show ipv6 pim bsr-router This command displays information about the bootstrap router (BSR). Command Mode Privileged Exec Command Usage This command displays information about the elected BSR. Example This example displays information about the BSR.
show ipv6 pim rp mapping This command displays active RPs and associated multicast routing entries. Command Mode Privileged Exec Example This example displays the RP map.
Table 209: show ip pim rp-hash - display description Field Description RP address IP address of the RP used for the specified multicast group Info source RP that advertised the mapping, and how the RP was selected
Section III Appendices This section provides additional information and includes these items: ◆ “Troubleshooting” on page 1077 ◆ “License Information” on page 1079
A Legacy and Hybrid Operating Mode Feature Set Differences Table 210: Legacy and Hybrid Operating Mode Feature Set Differences Function Feature Legacy Mode Hybrid Mode L2 Features Link Aggregation 802.
Table 210: Legacy and Hybrid Operating Mode Feature Set Differences Function Feature Legacy Mode Hybrid Mode DiffServ SRTCM (1 rate 3 color) Color aware /color blind YES NO TRTCM (2 rate 3 color) Color aware /color blind YES NO Ingress Policy map YES NO Egress Policy map YES NO Ingress YES NO Egress YES NO Statistics YES NO Remote Authentication via RADIUS YES NO Remote Authentication via TACACS+ YES NO HTTPS
Appendix A | Legacy and Hybrid Operating Mode Feature Set Differences Table 210: Legacy and Hybrid Operating Mode Feature Set Differences Function Feature Legacy Mode Hybrid Mode CLI “show tech” YES NO IPV6 Management (Telnet Server/ ICMP v6) YES NO MAC learning YES NO USB Port Management YES NO SNMP over IPv6 YES NO HTTP over IPv6 YES NO IPv6 sFlow YES NO Client YES NO Relay YES NO YES NO Multi-netting YES NO CIDR (Classless Inter-Domain Routing) YES NO Static Unicas
Table 210: Legacy and Hybrid Operating Mode Feature Set Differences Function Feature Legacy Mode Hybrid Mode Termination MAC Flow Table NO YES Bridging Flow Table NO YES Unicast Routing Flow Table NO YES Multicast Routing Flow Table NO YES ACL Policy Flow Table NO YES
B Troubleshooting Problems Accessing the Management Interface Table 211: Troubleshooting Chart Symptom Action Cannot connect using Telnet, or SNMP software ◆ ◆ ◆ ◆ ◆ ◆ ◆ Cannot connect using Secure Shell ◆ ◆ ◆ ◆ ◆ Be sure the switch is powered up. Check network cabling between the management station and the switch. Make sure the ends are properly connected and there is no damage to the cable. Test the cable if necessary.
Appendix B | Troubleshooting Using System Logs Using System Logs If a fault does occur, refer to the Installation Guide to ensure that the problem you encountered is actually caused by the switch. If the problem appears to be caused by the switch, follow these steps: 1. Enable logging. 2. Set the error messages reported to include all categories. 3. Enable SNMP. 4. Enable SNMP traps. 5. Designate the SNMP host that is to receive the error messages. 6.
C License Information This product includes copyrighted third-party software subject to the terms of the GNU General Public License (GPL), GNU Lesser General Public License (LGPL), or other related free software licenses. The GPL code used in this product is distributed WITHOUT ANY WARRANTY and is subject to the copyrights of one or more authors. For details, refer to the section "The GNU General Public License" below, or refer to the applicable license as included in the source-code archive.
Appendix C | License Information The GNU General Public License GNU GENERAL PUBLIC LICENSE TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION 1. This License applies to any program or other work which contains a notice placed by the copyright holder saying it may be distributed under the terms of this General Public License.
Appendix C | License Information The GNU General Public License b) Accompany it with a written offer, valid for at least three years, to give any third party, for a charge no more than your cost of physically performing source distribution, a complete machine-readable copy of the corresponding source code, to be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or, c) Accompany it with the information you received as to the offer to distribute c
Appendix C | License Information The GNU General Public License 9. If the distribution and/or use of the Program is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the Program under this License may add an explicit geographical distribution limitation excluding those countries, so that distribution is permitted only in or among countries not thus excluded.
Glossary ACL Access Control List. ACLs can limit network traffic and restrict access to certain users or devices by checking each packet for certain IP or MAC (i.e., Layer 2) information. ARP Address Resolution Protocol converts between IP addresses and MAC (hardware) addresses. ARP is used to locate the MAC address corresponding to a given IP address. This allows the switch to use IP addresses for routing decisions and the corresponding MAC addresses to forward packets from one hop to the next.
Glossary DNS Domain Name Service. A system used for translating host names for network nodes into IP addresses. DSCP Differentiated Services Code Point Service. DSCP uses a six-bit tag to provide for up to 64 different forwarding behaviors. Based on network policies, different kinds of traffic can be marked for different kinds of forwarding. The DSCP bits are mapped to the Class of Service categories, and then into the output queues. EAPOL Extensible Authentication Protocol over LAN.
Glossary IEEE 802.1D Specifies a general method for the operation of MAC bridges, including the Spanning Tree Protocol. IEEE 802.1Q VLAN Tagging—Defines Ethernet frame tags which carry VLAN information. It allows switches to assign endstations to different virtual LANs, and defines a standard way for VLANs to communicate across switched networks. IEEE 802.1p An IEEE standard for providing quality of service (QoS) in Ethernet networks.
Glossary IGMP Snooping Listening to IGMP Query and IGMP Report packets transferred between IP Multicast Routers and IP Multicast host groups to identify IP Multicast group members. In-Band Management Management of the network from a station attached directly to the network. IP Multicast Filtering A process whereby this switch can pass multicast traffic along to participating hosts.
Glossary MRD Multicast Router Discovery is a protocol used by IGMP snooping and multicast routing devices to discover which interfaces are attached to multicast routers. This process allows IGMP-enabled devices to determine where to send multicast source and group membership messages. MSTP Multiple Spanning Tree Protocol can provide an independent spanning tree for different VLANs.
Glossary Private VLANs Private VLANs provide port-based security and isolation between ports within the assigned VLAN. Data traffic on downlink ports can only be forwarded to, and from, uplink ports. QinQ QinQ tunneling is designed for service providers carrying traffic for multiple customers across their networks. It is used to maintain customer-specific VLAN and Layer 2 protocol configurations even when different customers use the same internal VLAN IDs. QoS Quality of Service.
Glossary SSH Secure Shell is a secure replacement for remote access functions, including Telnet. SSH can authenticate users with a cryptographic key, and encrypt data connections between management clients and the switch. STA Spanning Tree Algorithm is a technology that checks your network for any loops. A loop can often occur in complicated or backup linked network systems. Spanning Tree detects and directs data along the shortest available path, maximizing the performance and efficiency of the network.
Glossary XModem A protocol used to transfer files between devices. Data is grouped in 128-byte blocks and error-corrected.
List of CLI Commands A abr-type 883 absolute 178 access-list arp 352 access-list ip 336 access-list ipv6 342 access-list mac 347 aggregate-address 929 alias 361 area authentication 850 area default-cost 844 area default-cost 886 area nssa 851 area range 845 area range 887 area stub 853 area stub 890 area virtual-link 854 area virtual-link 891 arp 751 arp timeout 752 authentication enable 214 authentication login 215 auto-cost reference-bandwidth 846 B banner configure 105 banner configure company 106 bann
List of CLI Commands clear ipv6 nd snooping prefix 788 clear ipv6 neighbors 779 clear ipv6 pim bsr rp-set 1067 clear ipv6 traffic 770 clear log 157 clear mac-address-table dynamic 439 clear network-access 272 clear of-agent 573 clear pfc statistics 552 clock summer-time date 171 clock summer-time predefined 172 clock summer-time recurring 173 clock timezone 175 clock timezone-predefined 175 cn 562 cn cnm-transmit-priority 562 cn cnpv 563 cn cnpv alternate-priority (Global Configuration) 564 cn cnpv alterna
List of CLI Commands H hardware profile portmode 367 hash-selection list 809 history 363 hostname 104 I interface 360 interface vlan 474 ip access-group 340 ip address 742 ip arp inspection 322 ip arp inspection filter 323 ip arp inspection limit 326 ip arp inspection log-buffer logs 324 ip arp inspection trust 327 ip arp inspection validate 325 ip arp inspection vlan 325 ip as-path access-list 923 ip community-list 924 ip default-gateway 746 ip dhcp client class-id 733 ip dhcp relay server 737 ip dhcp re
List of CLI Commands ip pim override-interval 1028 ip pim propagation-delay 1029 ip pim register-rate-limit 1035 ip pim register-source 1036 ip pim rp-address 1036 ip pim rp-candidate 1038 ip pim spt-threshold 1039 ip pim ssm range 1040 ip pim state-refresh origination-interval 1033 ip pim trigger-hello-delay 1030 ip prefix-list 928 ip rip authentication mode 830 ip rip authentication string 831 ip rip receive version 831 ip rip receive-packet 832 ip rip send version 833 ip rip send-packet 834 ip rip split
List of CLI Commands ipv6 pim state-refresh origination-interval 1058 ipv6 pim trigger-hello-delay 1054 ipv6 route 817 ipv6 router ospf area 893 ipv6 router ospf tag area 894 ipv6 source-guard 312 ipv6 source-guard 317 ipv6 source-guard binding 310 ipv6 source-guard binding 316 ipv6 source-guard max-binding 313 ipv6 source-guard max-binding 319 J jumbo frame 126 L l2protocol-tunnel custom-pdu 492 l2protocol-tunnel tunnel-dmac 493 lacp 393 lacp admin-key (Ethernet Interface) 394 lacp admin-key (Port Chann
List of CLI Commands mlag 404 mlag group member 405 mlag peer-link 405 mst priority 451 mst vlan 452 N name 453 neighbor 824 neighbor activate 950 neighbor advertisement-interval 951 neighbor allowas-in 951 neighbor attribute-unchanged 952 neighbor capability dynamic 953 neighbor capability orf prefix-list 953 neighbor default-originate 954 neighbor description 955 neighbor distribute-list 955 neighbor dont-capability-negotiate 956 neighbor ebgp-multihop 957 neighbor enforce-multihop 957 neighbor filter-l
List of CLI Commands Q qos map cos-dscp 513 qos map default-drop-precedence 515 qos map dscp-cos 516 qos map dscp-mutation 517 qos map ip-port-dscp 518 qos map ip-prec-dscp 519 qos map phb-queue 513 qos map trust-mode 520 queue mode 508 queue weight 509 quit 98 R radius-server acct-port 217 radius-server auth-port 217 radius-server host 218 radius-server key 219 radius-server retransmit 219 radius-server timeout 220 range 609 rate-limit 420 redistribute 826 redistribute 847 redistribute 889 redistribute 9
show interfaces status 376 show interfaces switchport 377 show interfaces transceiver 384 show interfaces transceiver-threshold 386 show ip access-group 341 show ip access-list 341 show ip arp inspection configuration 328 show ip arp inspection interface 328 show ip arp inspection log 329 show ip arp inspection statistics 329 show ip arp inspection vlan 329 show ip bgp 976 show ip bgp attribute-info 977 show ip bgp cidr-only 978 show ip bgp community 978 show ip bgp community-info 979
show ipv6 source-guard 320 show ipv6 source-guard binding 315 show ipv6 source-guard binding 320 show ipv6 traffic 765 show l2protocol-tunnel 497 show lacp 399 show license file 116 show line 152 show lldp config 673 show lldp info local-device 674 show lldp info remote-device 675 show lldp info statistics 678 show location-led status 117 show log 157 show logging 158 show logging sendmail 163 show loop internal 387 show loopback-detection 428 show mac access-group 351 show mac access-
snmp-server host 187 snmp-server location 184 snmp-server notify-filter 199 snmp-server user 193 snmp-server view 194 sntp client 164 sntp poll 165 sntp server 166 spanning-tree 444 spanning-tree bpdu-filter 454 spanning-tree bpdu-guard 455 spanning-tree cost 456 spanning-tree edge-port 457 spanning-tree forward-time 445 spanning-tree hello-time 445 spanning-tree link-type 458 spanning-tree max-age 446 spanning-tree mode 447 spanning-tree mst configuration 449 spanning-tree mst cost 45
vrrp authentication 792 vrrp ip 793 vrrp ping-enable 791 vrrp preempt 794 vrrp priority 795 vrrp timers advertise 796 vxlan flood 500 vxlan udp-dst-port 499 vxlan vlan vni 501 W watchdog software 124 web-auth 277 web-auth login-attempts 275 web-auth quiet-period 276 web-auth re-authenticate (IP) 278 web-auth re-authenticate (Port) 278 web-auth session-timeout 276 web-auth system-auth-control 277 whichboot 136
Index (not ready) Numerics 802.1Q tunnel 484 access 487 configuration, guidelines 484 configuration, limitations 485 CVID to SVID map 489 ethernet type 486 interface configuration ??–486, 487–?? mode selection 487 status, configuring 485 TPID 486 uplink 487 802.
route servers 917 router ID 938 bootstrap router PIM-SM 1034 PIMv6-SM 1058 Border Gateway Protocol See BGP BPDU filter 454 flooding when STA globally disabled 450 guard 455 ignoring superior BPDUs 461 selecting protocol based on message format 463 shut down port on receipt 455 bridge extension capabilities, displaying 470 broadcast storm, threshold 421 C CFM continuity check errors 705, 706 continuity check messages 681, 701, 702 cross-check errors 703, 707, 709 cross-check message 681, 707, 709, 71
dynamic configuration 65 IPv4 relay service, enabling 738 relay service 737 DHCP snooping 280 enabling 281 global configuration 281 information option 283 information option policy 286 information option, circuit ID 288 information option, enabling 283 information option, remote ID 283 information option, suboption format 283 policy selection 286 specifying trusted interfaces 290 subtype field 284 trusted port 290 untrusted port 290 verifying MAC addresses 287 VLAN configuration 288 DHCPv4 snooping i
Enhanced Transmission Selection See ETS ETS 555, 556 bandwidth allocation for TCGs 557 mode, negotiated or forced 555 event logging 153 excess burst size, QoS policy 535, 537 external BGP 909 F fault isolation, CFM 681, 713 fault notification generator, CFM 717, 719 fault notification, CFM 681, 716, 717, 718 fault verification, CFM 681 FIB, description 805 firmware displaying version 123 upgrading 129 upgrading automatically 137 upgrading with FTP or TFTP 129 version, displaying 123 forwarding inform
forwarding entries 601 immediate leave, status 592 interface attached to multicast router 602, 605 last member query count 593 last member query interval 594 proxy query address 596 proxy query interval 597 proxy query response interval 598 proxy reporting 585 querier timeout 587 querier, enabling 585 router port expire time 587 static host interface 598 static multicast routing 605 static port assignment 598 static router interface 605 static router port, configuring 605 statistics, displaying 602 T
Link Layer Discovery Protocol See LLDP link trace cache, CFM 711, 712, 714 link trace message, CFM 681, 710, 711, 712 link type, STA 458 LLDP 653 device statistics details, displaying 678 device statistics, displaying 678 display device information 675 displaying remote information 675 ETS advertised settings 663 ETS, advertised PFC configuration 664 interface attributes, configuring 659–672 local device information, displaying 674 message attributes 653 message statistics 678 remote information, dis
unknown multicast, handling 621 version 622 MSTP 447 global settings, configuring 443 global settings, displaying 464 interface settings, configuring 443 interface settings, displaying 464 max hop count 451 path cost 459 region name 453 region revision 454 MTU for IPv6 762 multicast filtering 581 enabling IGMP snooping 583 enabling IGMP snooping per interface 583 enabling MLD snooping 618 router configuration 605 multicast groups 601 static 598, 601 Multicast Listener Discovery See MLD Multicast List
SPF timers 843 stub 853 transit area 854 transmit delay over interface 865 virtual link 854 virtual links, displaying 878 OSPFv3 880 ABR route summary 887 area border router 887 backbone 893, 894 configuration settings, displaying 900 enabling 882 general settings 880 interface summary information, displaying 903 LSA database, displaying 902 neighboring router information, displaying 904 network area 893 normal area 893, 894 process ID 882 redistributing external routes 889 route summary, ABR 887 rout
hash mask length for BSR 1058 interface settings 1065 register rate limit for DR 1060 rendezvous point 1061, 1062 RP candidate 1062 RP candidate, advertising 1062 RP mapping, displaying 1069 shared tree 1064 shortest path tree 1064 SPT threshold 1064 static RP, configuring 1061 policy map description 529 DiffServ 531 port authentication 240, 242 port priority configuring 507 default ingress 510 STA 460, 461 port security, configuring 256 ports broadcast storm threshold 421 configuring 359 flow contro
protocol packets, receiving 832 protocol packets, sending 834 receive version 831 redistributing external routing information 826 routes, clearing 835 routes, displaying 837 routing table, clearing 835 send version 833 specifying interfaces 825 split horizon 835 timers 828 version 829 RMON 203 alarm, displaying settings 208 alarm, setting thresholds 204 commands 203 event settings, displaying 208 response to alarm setting 205 statistics history, collection 206 statistics history, displaying 209 stati
protocol migration 463 transmission limit 450 startup files creating 129 displaying 120, 136 setting 128 static addresses, setting 438 static routes, configuring 803 statistics ARP 747, 807 history for port 373 history for trunk 373 ICMP 747, 807 IP 747, 807 port 369 TCP 747, 807 UDP 747, 807 VLAN 369 STP 447 Also see STA summer time, setting 171–173 switch settings restoring 127 saving 127 system clock setting 163 setting manually 176 setting the time zone 175 setting with NTP 169–170 setting with S
preemption 794 priority 795 protocol message statistics 800 timers 796 virtual address 793 W web authentication 277 address, re-authenticating 278 configuring 277 configuring ports 277 port information, displaying 279 ports, configuring 277 ports, re-authenticating 278