0G Data Center Switches AS5812-54X-EC AS5812-54T-EC CLI Reference Guide Software Release v1.2.184.183 www.edge-core.
CLI Reference Guide

AS5812-54T-EC
54-Port 10G Data Center Switch with 48 10GbE RJ-45 Copper Ports, 6 40GBASE QSFP+ Ports, 2 Power Supply Units, and 4 + 1 Fan Trays (4 + 1 Fans with F2B and B2F Airflow)

AS5812-54X-EC
54-Port 10G Data Center Switch with 48 10GBASE SFP+ Ports, 6 40GBASE QSFP+ Ports, 2 Power Supply Units, and 4 + 1 Fan Trays (4 + 1 Fans with F2B and B2F Airflow)

E122019-CS-R02
150000000063A
How to Use This Guide

This guide includes detailed information on the switch’s AOS (EdgeCOS) software, including how to operate and use the management functions of the switch. To deploy this switch effectively and ensure trouble-free operation, you should first read the relevant sections in this guide so that you are familiar with all of its software features.

Who Should Read This Guide?

This guide is for network administrators who are responsible for operating and maintaining network equipment.
For information on how to install the switch, see the following guide:

Installation Guide

For all safety information and regulatory statements, see the following documents:

Quick Start Guide
Safety and Regulatory Information

Conventions

The following conventions are used throughout this guide to show information:

Note: Emphasizes important information or calls your attention to related features or instructions.
Section I | Getting Started

This section provides an overview of the switch and its modes of operation, and introduces some basic concepts about network switches. It also describes the basic settings required to access the management interface.
Chapter 1 | Introduction and Boot Mode

This chapter includes information on the execution modes of the switch. The switch’s execution mode is selected during boot-up. It is essential that you select the correct mode that matches your data network’s operations.

Introduction

This switch can be used either as a bare metal switch in an OpenFlow SDN environment or as a traditional switch utilizing the Edgecore AOS (EdgeCOS) firmware.
Boot Selection

To select the switch’s mode of operation, the system software can be selected from the GRUB menu during boot-up:

◆ AOS (EdgeCOS) - The switch will use the AOS (EdgeCOS) firmware. This guide covers CLI configuration when the switch executes using AOS (EdgeCOS) firmware functioning as a traditional switch.
Chapter 2 | Initial Switch Configuration

This chapter includes information on connecting to the switch and basic configuration procedures.

Connecting to the Switch

The switch includes a built-in network management agent. The agent offers a variety of management options, including SNMP, RMON and a web-based interface. A PC may also be connected directly to the switch for configuration and monitoring via a command line interface (CLI).

Note: An IPv4 address for this switch is obtained via DHCP by default.
◆ Control port access through IEEE 802.1X security or static address filtering
◆ Filter packets using Access Control Lists (ACLs)
◆ Configure up to 4094 IEEE 802.
4. Power on the switch. After the system completes the boot cycle, the logon screen appears.

Logging Onto the Command Line

The CLI program provides two different command levels — normal access level (Normal Exec) and privileged access level (Privileged Exec).
Username: admin
Password:

CLI session with the AS5812-54X-EC* is opened.
To end the CLI session, enter [Exit].

Console#configure
Console(config)#username guest password 0 [password]
Console(config)#username admin password 0 [password]
Console(config)#

* This manual covers the AS5812-54X-EC and AS5812-54T-EC 10G Ethernet switches.
Obtaining and Installing a License for the Network Ports

The operational ports (that is, network ports but not the craft port) are disabled by default. These ports will only function when a port usage license is obtained from your distributor and installed on the switch.

To verify whether or not a port usage license is installed on the switch, enter the following command from the craft port.
System Contact          :
MAC Address (Unit 1)    : A8-2B-B5-76-B0-CE
Web Server              : Enabled
Web Server Port         : 80
Web Secure Server       : Enabled
Web Secure Server Port  : 443
Telnet Server           : Enabled
Telnet Server Port      : 23
Jumbo Frame             : Disabled

Unit 1
 Fan 1: Fail    Fan 2: Fail    Fan 3: Fail
 Fan 4: Fail    Fan 5: Fail

System Temperature:
 Unit 1
 Temperature 1: 24 degrees    Temperature 2: 31 degrees
 Temperature 3: 28 degrees    Temperature 4: 26 degrees

Main Power
Accept-Mode: *
License-Number: 5b22f83f-6219-49d8-94ec-6f0ab171dea0
License-Issue-Date: Mon Mar 5 12:16:29 2018
License-Valid-Start-Date: Mon Mar 5 00:00:00 2018
License-Valid-End-Date: Thu Apr 5 00:00:00 2018
License-Access-List: gf5zGdtiN8WPaSgQEPBm7WsU0MvylPKyKIC0mfIjbeCRz1GrK1TVm3IB
Yk9QLzbZl2Yq5OfZyseMpOszYpRFmxD969aLn9oWFYfUAX9pZi2KRp+A6m+PwYYaABDFw5NxoumC
yqS0vvZO63d8jpvoZMuBu+C69uIHmGw0dWKjtGwHty5xWDfMY44LvZbfktH7
Configuring the Switch for Remote Management

can also be dynamically generated as described in “Obtaining an IPv6 Address” on page 68. This switch is designed as a router, and therefore does not support DHCP for IPv6, so an IPv6 global unicast address for use in a network containing more than one subnet can only be manually configured as described in “Assigning an IPv6 Address” on page 65.

Manual Configuration

You can manually assign an IP address to the switch.
Assigning an IPv6 Address

This section describes how to configure a “link local” address for connectivity within the local subnet only, and also how to configure a “global unicast” address, including a network prefix for use on a multi-segment network and the host portion of the address.
Address for Multi-segment Network — Before you can assign an IPv6 address to the switch that will be used to connect to a multi-segment network, you must obtain the following information from your network administrator:

◆ Prefix for this network
◆ IP address for the switch
◆ Default gateway for the network

For networks that encompass several different subnets, you must define the full address, including a network pr
ND DAD is enabled, number of DAD attempts: 1.
5. Then save your configuration changes by typing “copy running-config startup-config.” Enter the startup file name and press <Enter>.

Console(config)#interface vlan 1
Console(config-if)#ip address dhcp
Console(config-if)#end
Console#show ip interface
VLAN 1 is Administrative Up - Link Up
 Address is 00-E0-0C-00-00-FB
 Index: 1001, MTU: 1500
 Address Mode is DHCP
 IP Address: 192.168.0.2 Mask: 255.255.255.
Enabling SNMP Management Access

The switch can be configured to accept management commands from Simple Network Management Protocol (SNMP) applications such as Edge-Core ECView Pro. You can configure the switch to respond to SNMP requests or generate SNMP traps.
Console(config)#snmp-server community admin rw
Console(config)#snmp-server community private
Console(config)#

Note: If you do not intend to support access to SNMP version 1 and 2c clients, we recommend that you delete both of the default community strings. If there are no community strings, then SNMP management access from SNMP v1 and v2c clients is disabled.
Console(config)#snmp-server user karl r&d v3 auth md5 greenpeace priv des56 einstien
Console(config)#

For a more detailed explanation on how to configure the switch for access from SNMP v3 clients, refer to the CLI Reference Guide or Web Management Guide.

Managing System Files

The switch’s flash memory supports three types of system files that can be managed by the CLI program, the web interface, or SNMP.
Note that configuration files should be downloaded using a file name that reflects the contents or usage of the file settings. If you download directly to the running-config, the system will reboot, and the settings will have to be copied from the running-config to a permanent file.

Upgrading the Operation Code

The following example shows how to download new firmware to the switch and activate it.
the switch boots. The copy running-config startup-config command always sets the new file as the startup file. To select a previously saved configuration file, use the boot system config: command.

The maximum number of saved configuration files depends on available flash memory. The amount of available flash memory can be checked by using the dir command.

To save the current configuration settings, enter the following command:

1.
Configuring Automatic Installation of Code and Configuration Settings

Downloading Operation Code from a File Server

Automatic Operation Code Upgrade can automatically download an operation code file when a file newer than the currently installed one is discovered on the file server.
◆ Note that the switch itself does not distinguish between upper and lower-case file names, and only checks to see if the file stored on the server is more recent than the current runtime image.
◆ If two operation code image files are already stored on the switch’s file system, then the non-startup image is deleted before the upgrade image is transferred.
2. Set the switch to automatically reboot and load the new code after the opcode upgrade is completed.

Console(config)#upgrade opcode reload
Console(config)#

3. Set the switch to automatically upgrade the current operational code when a new version is detected on the server.
The general framework for this DHCP option is set out in RFC 2132 (Option 60). This information is used to convey configuration settings or other identification information about a client, but the specific string to use should be supplied by your service provider or network administrator.
To successfully transmit a bootup configuration file to the switch, the DHCP daemon (using a Linux based system for this example) must be configured with the following information:
◆ Options 60, 66 and 67 statements can be added to the daemon’s configuration file.
subnet 192.168.255.0 netmask 255.255.255.0 {
  range 192.168.255.160 192.168.255.200;
  option routers 192.168.255.101;
  option tftp-server-name "192.168.255.100"; #Default Option 66
  option bootfile-name "bootfile"; #Default Option 67
}

class "Option66,67_1" { #DHCP Option 60 Vendor class two
  match if option vendor-class-identifier = "as5812-54x.cfg";
  option tftp-server-name "192.168.255.
To set the time shift for summer time, enter a command similar to the following.

Console(config)#clock summer-time SUMMER date 2 april 2013 0 0 30 june 2013 0 0
Console(config)#

To display the clock configuration settings, enter the following command.
Console(config)#ntp server 192.168.3.21
Console(config)#ntp server 192.168.5.23 key 19
Console(config)#exit
Console#show ntp
Current Time : Apr 29 13:57:32 2011
Polling : 1024 seconds
Current Mode : unicast
NTP Status : Enabled
NTP Authenticate Status : Enabled
Last Update NTP Server : 192.168.0.88 Port: 123
Last Update Time : Mar 12 02:41:01 2013 UTC
NTP Server 192.168.0.88 version 3
NTP Server 192.168.3.21 version 3
NTP Server 192.168.4.
Section II Command Line Interface This section provides a detailed description of the Command Line Interface, along with examples for all of the commands.
◆ “Class of Service Commands”
◆ “Quality of Service Commands”
◆ “Data Center Bridging Commands”
◆ “Multicast Filtering Commands”
◆ “LLDP Commands”
◆ “CFM Commands”
◆ “DHCP Commands”
◆ “IP Interface Commands”
◆ “VRRP Commands”
◆ “IP Routing Commands”
◆ “Multicast Routing Commands”
3 Using the Command Line Interface

This chapter describes how to use the Command Line Interface (CLI).

Accessing the CLI

When accessing the management interface for the switch over a direct connection to the server’s console port, or via a Telnet or Secure Shell connection (SSH), the switch can be managed by entering command keywords and parameters at the prompt. Using the switch's command-line interface (CLI) is very similar to entering commands on a UNIX system.
portion. For example, the IP address assigned to this switch, 10.1.0.1, consists of a network portion (10.1.0) and a host portion (1).

Note: The IP address for this switch is obtained via DHCP by default.

To access the switch through a Telnet session, you must first set the IP address for the Master unit, and set the default gateway if you are managing the switch from a different IP subnet.
Entering Commands

This section describes how to enter CLI commands.

Keywords and Arguments

A CLI command is a series of keywords and arguments. Keywords identify a command, and arguments specify configuration parameters. For example, in the command “show interfaces status ethernet 1/5,” show interfaces and status are keywords, ethernet is an argument that specifies the interface type, and 1/5 specifies the unit/port.
Getting Help on Commands

You can display a brief description of the help system by entering the help command. You can also display command syntax by using the “?” character to list keywords or parameters.

Showing Commands

If you enter a “?” at the command prompt, the system will display the first level of keywords or command groups. You can also display a list of valid keywords for a specific command.
 radius-server         RADIUS server information
 reload                Shows the reload settings
 rmon                  Remote Monitoring Protocol
 route-map             Shows route-map
 rspan                 Display status of the current RSPAN configuration
 running-config        Information on the running configuration
 sflow                 Shows the sflo
 snmp
 snmp-server
 sntp
 spanning-tree
 ssh
 startup-config
 system
 tacacs-server
 tech-support
 traffic-segmentation
 udld
 upgrade
 users
 version
 vlan
 vrrp
 vxlan
 watchdog
 web-auth
Console#show
Negating the Effect of Commands

For many configuration commands you can enter the prefix keyword “no” to cancel the effect of a command or reset the configuration to the default value. For example, the logging command will log system messages to a host server. To disable logging, specify the no logging command. This guide describes the negation effect for all applicable commands.
Privileged Exec command mode (or administrator mode). To access Privileged Exec mode, open a new console session with the user name and password “admin.” The system will now display the “Console#” command prompt. You can also enter Privileged Exec mode from within Normal Exec mode, by entering the enable command, followed by the privileged level password “super.
◆ IGMP Profile - Sets a profile group and enters IGMP filter profile configuration mode.
◆ Interface Configuration - These commands modify the port configuration such as speed-duplex and negotiation.
◆ Line Configuration - These commands modify the console port and Telnet configuration, and include commands such as parity and databits.
Table 4: Configuration Command Modes (Continued)

Mode        Command                                              Prompt
Route Map   route-map                                            Console(config-route-map)
Router      router {bgp | ipv6 ospf | ospf | pim | pim6 | rip}   Console(config-router)
VLAN        vlan database                                        Console(config-vlan)
For example, you can use the following commands to enter interface configuration mode, and then return to Privileged Exec mode:

Console(config)#interface ethernet 1/5
.
.
.
Console(config-if)#exit
Console(config)#

Command Line Processing

Commands are not case sensitive. You can abbreviate commands and parameters as long as they contain enough letters to differentiate them from any other currently available commands or parameters.
CLI Command Groups

The system commands can be broken down into the functional groups shown below.
Table 6: Command Group Index (Continued)

Command Group                   Description
Quality of Service              Configures Differentiated Services
Multicast Filtering             Configures IGMP multicast filtering, query, profile, and proxy parameters; specifies ports attached to a multicast router
Link Layer Discovery Protocol   Configures LLDP settings to enable information discovery about neighbor devices
Domain Name Service             Configures DNS services.
4 General Commands The general commands are used to control the command access mode, configuration mode, and other basic functions.
Command Mode
Global Configuration

Example
Console(config)#prompt RD2
RD2(config)#

reload (Global Configuration)

This command restarts the system at a specified time, after a specified delay, or at a periodic interval. You can reboot the system immediately, or you can configure the switch to reset after a specified amount of time. Use the cancel option to remove a configured setting.
Command Mode
Global Configuration

Command Usage
◆ This command resets the entire system.
◆ Any combination of reload options may be specified. If the same option is respecified, the previous setting will be overwritten.
◆ When the system is restarted, it will always run the Power-On Self-Test. It will also retain all configuration information stored in non-volatile memory by the copy running-config startup-config command (See “copy” on page 131).
Example
Console>enable
Password: [privileged level password]
Console#

Related Commands
disable (102)
enable password (208)

quit

This command exits the configuration program.

Default Setting
None

Command Mode
Normal Exec, Privileged Exec

Command Usage
The quit and exit commands can both exit the configuration program.
Example
In this example, the show history command lists the contents of the command history buffer:

Console#show history
Execution command history:
 2 config
 1 show history

Configuration command history:
 4 interface vlan 1
 3 exit
 2 interface vlan 1
 1 end

Console#

The ! command repeats commands from the Execution command history buffer when you are in Normal Exec or Privileged Exec Mode, and commands from the Configuration command history buffer when you are in any of the config
disable

This command returns to Normal Exec mode from privileged mode. In normal access mode, you can only display basic information on the switch's configuration or Ethernet statistics. To gain access to all commands, you must use the privileged mode. See “Understanding Command Modes” on page 90.

Default Setting
None

Command Mode
Privileged Exec

Command Usage
The “>” character is appended to the end of the prompt to indicate that the system is in normal access mode.
show reload

This command displays the current reload settings, and the time at which the next scheduled reload will take place.

Command Mode
Privileged Exec

Example
Console#show reload
Reloading switch in time: 0 hours 29 minutes.
The switch will be rebooted at January 1 02:11:50 2001.
Remaining Time: 0 days, 0 hours, 29 minutes, 52 seconds.
Console#

end

This command returns to Privileged Exec mode.
Example
This example shows how to return to the Privileged Exec mode from the Global Configuration mode, and then quit the CLI session:

Console(config)#exit
Console#exit

Press ENTER to start session

User Access Verification

Username:
5 System Management Commands The system management commands are used to control system logs, passwords, user names, management options, and display or configure a variety of other system information.
hostname

This command specifies or modifies the host name for this device. Use the no form to restore the default host name.

Syntax
hostname name
no hostname
name - The name of this host. (Maximum length: 255 characters)

Default Setting
None

Command Mode
Global Configuration

Command Usage
◆ The host name specified by this command is displayed by the show system command and on the Show > System web page.
Table 10: Banner Commands (Continued)

Command                               Function                                                                    Mode
banner configure department           Configures the Department information that is displayed by banner          GC
banner configure equipment-info       Configures the Equipment information that is displayed by banner           GC
banner configure equipment-location   Configures the Equipment Location information that is displayed by banner
banner configure ip-lan               Configures the IP and LAN information that is displ
Example
Console(config)#banner configure
Company: Edgecore Networks
Responsible department: R&D Dept
Name and telephone to Contact the management people
Manager1 name: Sr. Network Admin
 phone number: 123-555-1212
Manager2 name: Jr. Network Admin
 phone number: 123-555-1213
Manager3 name: Night-shift Net Admin / Janitor
 phone number: 123-555-1214
The physical location of the equipment.
City and street address: 12 Straight St.
Example
Console(config)#banner configure company Big-Ben
Console(config)#

banner configure dc-power-info

This command is used to configure DC power information displayed in the banner. Use the no form to restore the default setting.

Syntax
banner configure dc-power-info floor floor-id row row-id rack rack-id electrical-circuit ec-id
no banner configure dc-power-info [floor | row | rack | electrical-circuit]
floor-id - The floor number.
banner configure department

This command is used to configure the department information displayed in the banner. Use the no form to restore the default setting.

Syntax
banner configure department dept-name
no banner configure department
dept-name - The name of the department. (Maximum length: 32 characters)

Default Setting
None

Command Mode
Global Configuration

Command Usage
Input strings cannot contain spaces.
Default Setting
None

Command Mode
Global Configuration

Command Usage
Input strings cannot contain spaces. The banner configure equipment-info command interprets spaces as data input boundaries. The use of underscores ( _ ) or other unobtrusive non-letter characters is suggested for situations where white space is necessary for clarity.
banner configure ip-lan

This command is used to configure the device IP address and subnet mask information displayed in the banner. Use the no form to restore the default setting.

Syntax
banner configure ip-lan ip-mask
no banner configure ip-lan
ip-mask - The IP address and subnet mask of the device. (Maximum length: 32 characters)

Default Setting
None

Command Mode
Global Configuration

Command Usage
Input strings cannot contain spaces.
Example
Console(config)#banner configure lp-number 12
Console(config)#

banner configure manager-info

This command is used to configure the manager contact information displayed in the banner. Use the no form to restore the default setting.
banner configure mux

This command is used to configure the mux information displayed in the banner. Use the no form to restore the default setting.

Syntax
banner configure mux muxinfo
no banner configure mux
muxinfo - The circuit and PVC to which the switch is connected. (Maximum length: 32 characters)

Default Setting
None

Command Mode
Global Configuration

Command Usage
Input strings cannot contain spaces.
unobtrusive non-letter characters is suggested for situations where white space is necessary for clarity.

Example
Console(config)#banner configure note !!!!!ROUTINE_MAINTENANCE_firmwareupgrade_0100-0500_GMT-0500_20071022!!!!!_20min_network_impact_expected
Console(config)#

show banner

This command displays all banner information.
Table 11: System Status Commands (Continued)

Command                    Function                                                                          Mode
show license file          Shows information on the installed license file required for the network ports   PE
show location-led status   Shows if location LED function is enabled or not                                 PE
show memory                Shows memory utilization parameters                                              NE, PE
show process cpu           Shows CPU utilization parameters                                                 NE, PE
show running-config        Displays the configuration data currently in use                                 PE
show startup-
show access-list tcam-utilization

This command shows utilization parameters for TCAM (Ternary Content Addressable Memory), including the number of policy control entries in use, the number of free entries, and the overall percentage of TCAM in use.
Table 12: show access-list tcam-utilization - display description (Continued)

Field   Description
Pool    Rule slice (or call group). Each slice has a fixed number of rules that are used for the specified features.
Total   The maximum number of policy control entries allocated to each pool.
Used    The number of policy control entries used by the operating system.
Free    The number of policy control entries available for use.
show location-led status

This command shows if location LED function is enabled or not.

Command Mode
Privileged Exec

Example
Console#show location-led status
Location Led Status:On
Console#

show memory

This command shows memory utilization parameters, and alarm thresholds.
CPU Utilization in the past 60 seconds
 Average Utilization : 8%
 Maximum Utilization : 9%

Alarm Status
 Current Alarm Status : Off
 Last Alarm Start Time : Jun 9 15:10:09 2011
 Last Alarm Duration Time : 10 seconds

Alarm Configuration
 Rising Threshold : 90%
 Falling Threshold : 70%

Console#

Related Commands
process cpu (196)

show running-config

This command displays the configuration information currently in use.
Example
Console#show running-config
Building startup configuration. Please wait...
show startup-config

This command displays the configuration file stored in non-volatile memory that is used to start up the system.

Command Mode
Privileged Exec

Command Usage
◆ Use this command in conjunction with the show running-config command to compare the information in running memory to the information stored in nonvolatile memory.
◆ This command displays settings for key command modes.
◆ There are two thermal detectors in the switch. The first detector is near the air flow intake vents. The second detector is near the switch ASIC and CPU.

Example
Console#show system
System Description : AOS5810-54X
System OID String : 1.3.6.1.4.1.259.12.1.5.101
System Information
 System Up Time : 0 days, 0 hours, 42 minutes, and 13.
Table 13: show system – display description (Continued)

Parameter                Description
System Fan               Shows if forced full-speed mode is enabled.
System Temperature       Temperature at specified thermal detection point.
Main Power Status        Displays the status of the internal power supply.
Redundant Power Status   Displays the status of the redundant power supply. (This switch does not support a redundant power supply.
show users

Shows all active console and Telnet sessions, including user name, idle time, and IP address of Telnet client.

Default Setting
None

Command Mode
Normal Exec, Privileged Exec

Command Usage
The session used to execute this command is indicated by a “*” symbol next to the Line (i.e., session) index number.
 Operation Code Version : 1.2.184.183
Console#

Table 14: show version – display description

Parameter           Description
Serial Number       The serial number of the switch.
Hardware Version    Hardware version of the main board.
EPLD Version        Version number of Erasable Programmable Logic Device.
Number of Ports     Number of built-in ports.
Main Power Status   Displays the status of the internal power supply.
Example
Console#watchdog software enable
Console#

Fan Control

This section describes the command used to force fan speed.

Table 15: Fan Control Commands

Command                Function                             Mode
fan-speed force-full   Forces fans to full speed            GC
show system            Shows if full fan speed is enabled   NE, PE

fan-speed force-full

This command sets all fans to full speed. Use the no form to reset the fans to normal operating speed.
jumbo frame

This command enables support for layer 2 jumbo frames for Gigabit and 10 Gigabit Ethernet ports. Use the no form to disable it.

Syntax
[no] jumbo frame

Default Setting
Disabled

Command Mode
Global Configuration

Command Usage
◆ This switch provides more efficient throughput for large sequential data transfers by supporting Layer 2 jumbo frames on Gigabit and 10 Gigabit Ethernet ports or trunks of up to 12288 bytes.
When downloading runtime code, the destination file name can be specified to replace the current image, or the file can be first downloaded using a different name from the current runtime code file, and then the new file set as the startup file.

Saving or Restoring Configuration Settings

Configuration settings can be uploaded and downloaded to and from an FTP/TFTP server. The configuration file can be later downloaded to restore switch settings.
General Commands

boot system

This command specifies the file or image used to start up the system.

Syntax
boot system {boot-rom | config | opcode}: filename
boot-rom* - Boot ROM.
config* - Configuration file.
opcode* - Run-time operation code.
filename - Name of configuration file or code image.
* The colon (:) is required.

Default Setting
None

Command Mode
Global Configuration

Command Usage
◆ A colon (:) is required after the specified file type.
copy

This command moves (upload/download) a code image or configuration file between the switch’s flash memory and an FTP/TFTP server or a USB memory stick. When you save the system code or configuration settings to a file on an FTP/TFTP server, that file can later be downloaded to the switch to restore system operation. The success of the file transfer depends on the accessibility of the FTP/TFTP server and the quality of the network connection.
◆ The switch supports only two operation code files, but the maximum number of user-defined configuration files is 16.
◆ You can use “Factory_Default_Config.cfg” as the source to copy from the factory default configuration file, but you cannot use it as the destination.
◆ To replace the startup configuration, you must use startup-config as the destination.
◆ The Boot ROM and Loader cannot be uploaded or downloaded from the FTP/TFTP server.
The following example shows how to copy the running configuration to a startup file.

Console#copy running-config file
Destination configuration file name: startup
Flash programming started.
Flash programming completed.
Success.

Console#

The following example shows how to download a configuration file:

Console#copy tftp startup-config
TFTP server ip address: 10.1.0.99
Source configuration file name: startup.
This example shows how to copy a file to an FTP server.

Console#copy ftp file
FTP server IP address: 169.254.1.11
User[anonymous]: admin
Password[]: *****
Choose file type:
 1. config; 2. opcode; 3. license: 2
Source file name: BLANC.swi
Destination file name: BLANC.swi
Console#

delete

This command deletes a file or image.

Syntax
delete file name filename
file name - System file in switch memory.
filename - Name of configuration file or code image.
dir

This command displays a list of files in flash memory.

Syntax
dir {boot-rom: | config: | opcode: | usbdisk:} [filename]
boot-rom - Boot ROM (or diagnostic) image file.
config - Switch configuration file.
opcode - Run-time operation code image file.
usbdisk - System file on a USB memory stick or disk.
filename - Name of configuration file or code image. If this file exists but contains errors, information on this file cannot be shown.
onie

This command configures the switch to install, rescue or update runtime code under the open network installation environment (ONIE).

Syntax
onie {install | rescue | upgrade}
install - Installs a new operating system. This option will reboot the switch and the ONIE install process will run again.
rescue - Boots into the ONIE environment for troubleshooting.
Hash value: 185b962f
Verifying Hash Integrity ... crc32+ OK
....
pci 0000:00:00.0: ignoring class b20 (doesn't match header type 01)
Info: Mounting kernel filesystems... done.
Info: Using eth0 MAC address: 00:11:22:33:44:55
Info: eth0: Checking link... scsi 0:0:0:0: Direct-Access USB DISK 2.0 PMAP PQ: 0 ANSI: 0 CCS
sd 0:0:0:0: [sda] 3911680 512-byte logical blocks: (2.00 GB/1.
Install Image
EXT3-fs (sda1): warning: checktime reached, running e2fsck is recommended
filemapping file write OK!!
FS_GenFilemappingFile OK
Updating U-Boot environment variables
ONIE:/ # umount: can't remount rootfs read-only
The system is going down NOW!
Sent SIGTERM to all processes
Sent SIGKILL toRestarting system.

umount usbdisk

This command prepares the USB memory device to be safely removed from the switch.
Example
This example shows the information displayed by the whichboot command. See the table under the dir command for a description of the file information displayed by this command.

Console#whichboot
File Name
-----------------------------
Unit 1:
AS5812-54X_V1.0.102.152.swi
startup1.
◆ Any changes made to the default setting can be displayed with the show running-config or show startup-config commands.

Example
Console(config)#upgrade opcode auto
Console(config)#upgrade opcode path tftp://192.168.0.1/sm24/
Console(config)#

If a new image is found at the specified location, the following type of messages will be displayed during bootup.

.
.
.
Automatic Upgrade is looking for a new image
New image detected: current version 1.1.1.
◆ When specifying a TFTP server, the following syntax must be used, where filedir indicates the path to the directory containing the new image:
   tftp://192.168.0.1[/filedir]/
◆ When specifying an FTP server, the following syntax must be used, where filedir indicates the path to the directory containing the new image:
   ftp://[username[:password@]]192.168.0.1[/filedir]/
   If the user name is omitted, “anonymous” will be used for the connection.
show upgrade

This command shows the opcode upgrade configuration settings.

Command Mode
Privileged Exec

Example
Console#show upgrade
Auto Image Upgrade Global Settings:
 Status : Disabled
 Reload Status : Disabled
 Path :
 File Name : as5812-54x.
ip tftp timeout

This command specifies the time the switch can wait for a response from a TFTP server before retransmitting a request or timing out for the last retry. Use the no form to restore the default setting.

Syntax
ip tftp timeout seconds
no ip tftp timeout
seconds - The time the switch can wait for a response from a TFTP server before retransmitting a request or timing out.
Line

You can access the onboard configuration program by attaching a VT100 compatible device to the server’s serial port. These commands are used to set communication parameters for the serial port or Telnet (i.e., a virtual terminal).
Command Mode
Global Configuration

Command Usage
Telnet is considered a virtual terminal connection and will be shown as “VTY” in screen displays such as show users. However, the serial communication parameters (e.g., databits) do not affect Telnet connections.
Related Commands
parity (147)

exec-timeout

This command sets the interval that the system waits until user input is detected. Use the no form to restore the default.

Syntax
exec-timeout [seconds]
no exec-timeout
seconds - Integer that specifies the timeout interval.
Default Setting
login local

Command Mode
Line Configuration

Command Usage
◆ There are three authentication modes provided by the switch itself at login:
   ■ login selects authentication by a single global password as specified by the password line configuration command. When using this method, the management interface starts in Normal Exec (NE) mode.
   ■ login local selects authentication via the user name and password specified by the username command (i.e.
Default Setting
No parity

Command Mode
Line Configuration

Command Usage
Communication protocols provided by devices such as terminals and modems often require a specific parity bit setting.

Example
To specify no parity, enter this command:

Console(config-line-console)#parity none
Console(config-line-console)#

password

This command specifies the password for a line. Use the no form to remove the password.
Example
Console(config-line-console)#password 0 secret
Console(config-line-console)#

Related Commands
login (146)
password-thresh (149)

password-thresh

This command sets the password intrusion threshold which limits the number of failed logon attempts. Use the no form to remove the threshold value.

Syntax
password-thresh [threshold]
no password-thresh
threshold - The number of allowed password attempts.
silent-time

This command sets the amount of time the management console is inaccessible after the number of unsuccessful logon attempts exceeds the threshold set by the password-thresh command. Use the no form to remove the silent time value.

Syntax
silent-time [seconds]
no silent-time
seconds - The number of seconds to disable console response.
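The following Python check is an added example, not code from this guide or from the vendor. It reviews saved configuration text for the settings described under upgrade opcode path, password, password-thresh and silent-time. The sample configuration is constructed; the block layout (`line console` / `line vty` followed by indented sub-commands and `!` separators) and the reading of `password 0` as a plain-text password are assumptions.

```python
"""Audit saved switch configuration text for line-access and auto-upgrade settings."""
from urllib.parse import urlsplit

# Constructed sample, not taken from a real device. The layout of the
# "line" blocks is an assumption about how a saved configuration looks.
SAMPLE_CONFIG = """\
!
upgrade opcode auto
upgrade opcode path ftp://backup:Sw1tchPass@192.168.0.1/sm24/
!
line console
 password 0 secret
 no password-thresh
!
line vty
 password-thresh 3
 silent-time 60
!
"""


def parse_config(text):
    """Split the text into global commands and per-line (console/vty) blocks."""
    global_cmds, line_blocks, current = [], {}, None
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped == "!":
            current = None                      # separator closes any open block
            continue
        if stripped.startswith("line "):
            current = stripped.split(None, 1)[1]
            line_blocks.setdefault(current, [])
        elif current is not None and raw[:1].isspace():
            line_blocks[current].append(stripped)
        else:
            current = None
            global_cmds.append(stripped)
    return global_cmds, line_blocks


def check_upgrade_path(global_cmds):
    """Flag upgrade paths that use TFTP or carry FTP credentials inline."""
    findings = []
    prefix = "upgrade opcode path "
    for cmd in global_cmds:
        if not cmd.startswith(prefix):
            continue
        url = urlsplit(cmd[len(prefix):].strip())
        if url.scheme == "tftp":
            findings.append(("upgrade-tftp",
                             "image is fetched over TFTP, which has no authentication"))
        elif url.scheme == "ftp":
            findings.append(("upgrade-ftp-cleartext",
                             "FTP sends the login and the image in clear text"))
            if url.password:
                # Report the user name only; never echo the password itself.
                findings.append(("upgrade-ftp-password",
                                 f"password for FTP user {url.username!r} is stored in the configuration"))
    return findings


def check_line_blocks(line_blocks):
    """Flag weak login settings inside each line block."""
    findings = []
    for name, cmds in sorted(line_blocks.items()):
        words = [c.split() for c in cmds]
        if any(w[:2] == ["password", "0"] for w in words):
            # Assumption: "0" marks a password stored as plain text.
            findings.append((f"{name}:password-plain",
                             "line password is stored in the 'password 0' form"))
        if ["no", "password-thresh"] in words:
            findings.append((f"{name}:no-password-thresh",
                             "the failed-logon threshold has been removed"))
        has_thresh = any(w[0] == "password-thresh" for w in words)
        has_silent = any(w[0] == "silent-time" and len(w) > 1 for w in words)
        if has_thresh and not has_silent:
            findings.append((f"{name}:thresh-without-silent-time",
                             "password-thresh is set but silent-time is not; "
                             "check the default lockout behaviour"))
    return findings


def audit(text):
    """Return a list of (finding_id, detail) tuples for the given configuration."""
    global_cmds, line_blocks = parse_config(text)
    return check_upgrade_path(global_cmds) + check_line_blocks(line_blocks)


if __name__ == "__main__":
    for finding_id, detail in audit(SAMPLE_CONFIG):
        print(f"{finding_id}: {detail}")
```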
Command Usage
Set the speed to match the baud rate of the device connected to the serial port. Some baud rates available on devices connected to the port might not be supported. The system indicates if the speed you selected is not supported.

Example
To specify 57600 bps, enter this command:

Console(config-line-console)#speed 57600
Console(config-line-console)#

stopbits

This command sets the number of the stop bits transmitted per byte.
Default Setting
300 seconds

Command Mode
Line Configuration

Command Usage
◆ If a login attempt is not detected within the timeout interval, the connection is terminated for the session.
◆ This command applies to both the local console and Telnet connections.
◆ The timeout for Telnet cannot be disabled.
◆ Using the command without specifying a timeout restores the default setting.
show line

This command displays the terminal line’s parameters.

Syntax
show line [console | vty]
console - Console terminal line.
vty - Virtual terminal for remote console access (i.e., Telnet).
Table 20: Event Logging Commands (Continued)

Command        Function                                                            Mode
logging trap   Limits syslog messages saved to a remote server based on severity   GC
clear log      Clears messages from the logging buffer                             PE
show log       Displays log messages                                               PE
show logging   Displays the state of logging                                       PE

logging facility

This command sets the facility type for remote logging of syslog messages. Use the no form to return the type to the default.
logging history

This command limits syslog messages saved to switch memory based on severity. The no form returns the logging of syslog messages to the default level.

Syntax
logging history {flash | ram} level
no logging history {flash | ram}
flash - Event history stored in flash memory (i.e., permanent memory).
ram - Event history stored in temporary RAM (i.e., memory flushed on power reset).
level - One of the levels listed below.
logging host
This command adds a syslog server host IP address that will receive logging messages. Use the no form to remove a syslog server host.

Syntax
logging host host-ip-address [port udp-port]
no logging host host-ip-address
host-ip-address - The IPv4 or IPv6 address of a syslog server.
udp-port - The UDP port number used by the remote server.
Example
Console(config)#logging on
Console(config)#

Related Commands
logging history (155)
logging trap (157)
clear log (158)

logging trap
This command enables the logging of system messages to a remote server, or limits the syslog messages saved to a remote server based on severity. Use this command without a specified level to enable remote logging. Use the no form to disable remote logging.
clear log
This command clears messages from the log buffer.

Syntax
clear log [flash | ram]
flash - Event history stored in flash memory (i.e., permanent memory).
ram - Event history stored in temporary RAM (i.e., memory flushed on power reset).

Default Setting
Flash and RAM

Command Mode
Privileged Exec

Example
Console#clear log
Console#

Related Commands
show log (158)

show log
This command displays the log messages stored in local memory.
Example
The following example shows the event message stored in RAM.

Console#show log ram
[1] 00:01:30 2001-01-01
"VLAN 1 link-up notification."
level: 6, module: 5, function: 1, and event no.: 1
[0] 00:01:30 2001-01-01
"Unit 1, Port 1 link-up notification."
level: 6, module: 5, function: 1, and event no.
Chapter 5 | System Management Commands
Time

Level Type : Debugging messages (7)
Console#

Table 22: show logging flash/ram - display description
Field                      Description
Syslog logging             Shows if system logging has been enabled via the logging on command.
History logging in FLASH   The message level(s) reported based on the logging history command.
History logging in RAM     The message level(s) reported based on the logging history command.

The following example displays settings for the trap function.
Table 24: Time Commands (Continued)
Command                  Function                                                         Mode
sntp poll                Sets the interval at which the client polls for time             GC
sntp server              Specifies one or more time servers                               GC
show sntp                Shows current SNTP configuration settings                        NE, PE
ntp authenticate         Enables authentication for NTP traffic                           GC
ntp authentication-key   Configures authentication keys                                   GC
ntp client               Enables the NTP client for time updates from specified servers   GC
ntp server               Specifie
Command Usage
◆ The time acquired from time servers is used to record accurate dates and times for log events. Without SNTP, the switch only records the time starting from the factory default set at the last bootup (i.e., 00:00:00, Jan. 1, 2001).
◆ This command enables client time requests to time servers specified via the sntp server command. It issues time synchronization requests based on the interval set via the sntp poll command.
Related Commands
sntp client (161)

sntp server
This command sets the IP address of the servers to which SNTP time requests are issued. Use this command with no arguments to clear all time servers from the current list. Use the no form to clear all time servers from the current list, or to clear a specific server.

Syntax
sntp server [ip1 [ip2 [ip3]]]
no sntp server [ip1 [ip2 [ip3]]]
ip - IPv4/v6 address of a time server (NTP or SNTP).
Example
Console#show sntp
Current Time : Nov 5 18:51:22 2006
Poll Interval : 16 seconds
Current Mode : Unicast
SNTP Status : Enabled
SNTP Server : 137.92.140.80
Current Server : 137.92.140.80
Console#

NTP Commands

ntp authenticate
This command enables authentication for NTP client-server communications. Use the no form to disable authentication.
ntp authentication-key
This command configures authentication keys and key numbers to use when NTP authentication is enabled. Use the no form of the command to clear a specific authentication key or all keys from the current list.

Syntax
ntp authentication-key number md5 key
no ntp authentication-key [number]
number - The NTP authentication key ID number. (Range: 1-65535)
md5 - Specifies that authentication is provided by using the message digest algorithm 5.
ntp client
This command enables NTP client requests for time synchronization from NTP time servers specified with the ntp server command. Use the no form to disable NTP client requests.

Syntax
[no] ntp client

Default Setting
Disabled

Command Mode
Global Configuration

Command Usage
◆ The SNTP and NTP clients cannot be enabled at the same time. First disable the SNTP client before using this command.
Default Setting
Version number: 3

Command Mode
Global Configuration

Command Usage
◆ This command specifies time servers that the switch will poll for time updates when set to NTP client mode. It issues time synchronization requests based on the interval set with the ntp poll command. The client will poll all the time servers configured; the responses received are filtered and compared to determine the most reliable and accurate time update for the switch.
NTP Status : Enabled
NTP Authenticate Status : Enabled
Last Update NTP Server : 192.168.0.88 Port: 123
Last Update Time : Mar 12 02:41:01 2013 UTC
NTP Server 192.168.0.88 version 3
NTP Server 192.168.3.21 version 3
NTP Server 192.168.4.
Command Mode
Global Configuration

Command Usage
◆ In some countries or regions, clocks are adjusted through the summer months so that afternoons have more daylight and mornings have less. This is known as Summer Time, or Daylight Savings Time (DST). Typically, clocks are adjusted forward one hour at the start of spring and then adjusted backward in autumn.
◆ This command sets the summer-time zone relative to the currently configured time zone.
Summer Time, or Daylight Savings Time (DST). Typically, clocks are adjusted forward one hour at the start of spring and then adjusted backward in autumn.
◆ This command sets the summer-time relative to the configured time zone.
b-month - The month when summer time will begin. (Options: january | february | march | april | may | june | july | august | september | october | november | december)
b-hour - The hour when summer time will begin. (Range: 0-23 hours)
b-minute - The minute when summer time will begin. (Range: 0-59 minutes)
e-week - The week of the month when summer time will end. (Range: 1-5)
e-day - The day of the week summer time will end.
clock timezone
This command sets the time zone for the switch’s internal clock.

Syntax
clock timezone name hour hours minute minutes {before-utc | after-utc}
name - Name of timezone, usually an acronym. (Range: 1-30 characters)
hours - Number of hours before/after UTC. (Range: 0-12 hours before UTC, 0-13 hours after UTC)
minutes - Number of minutes before/after UTC. (Range: 0-59 minutes)
before-utc - Sets the local time zone before (east) of UTC.
city - Select the city associated with the chosen GMT offset. After the offset has been entered, use the tab-complete function to display the available city options.
Command Usage
Note that when SNTP is enabled, the system clock cannot be manually configured.

Example
This example shows how to set the system clock to 15:12:34, February 1st, 2011.

Console#calendar set 15 12 34 1 February 2011
Console#

show calendar
This command displays the system clock.
6 SNMP Commands

SNMP commands control access to this switch from management stations using the Simple Network Management Protocol (SNMP), as well as the error types sent to trap managers. SNMP Version 3 also provides security features that cover message integrity, authentication, and encryption; as well as controlling user access to specific areas of the MIB tree.
Chapter 6 | SNMP Commands
General SNMP Commands

Table 26: SNMP Commands (Continued)
Command                     Function                                                      Mode
show snmp user              Shows the SNMP users                                          PE
show snmp view              Shows the SNMP views                                          PE
nlm                         Enables the specified notification log                        GC
snmp-server notify-filter   Creates a notification log and specifies the target host      GC
show nlm oper-status        Shows operation status of configured notification logs        PE
show snmp notify-filter     Displays the configured notification logs                     PE
Notification Log Commands
Command Mode
Global Configuration

Example
Console(config)#snmp-server
Console(config)#

snmp-server community
This command defines community access strings used to authorize management access by clients using SNMP v1 or v2c. Use the no form to remove the specified community string.

Syntax
snmp-server community string [ro | rw]
no snmp-server community string
string - Community string that acts like a password and permits access to the SNMP protocol.
snmp-server contact
This command sets the system contact string. Use the no form to remove the system contact information.

Syntax
snmp-server contact string
no snmp-server contact
string - String that describes the system contact information.
show snmp
This command can be used to check the status of SNMP communications.

Default Setting
None

Command Mode
Normal Exec, Privileged Exec

Command Usage
This command provides information on the community access strings, counter information for SNMP input and output protocol data units, and whether or not SNMP logging has been enabled with the snmp-server enable traps command.
SNMP Target Host Commands

snmp-server enable traps
This command enables this device to send Simple Network Management Protocol traps or informs (i.e., SNMP notifications). Use the no form to disable SNMP notifications.

Syntax
[no] snmp-server enable traps [authentication | ethernet cfm | mac-notification [interval seconds]]
authentication - Keyword to issue authentication failure notifications.
ethernet cfm - Connectivity Fault Management traps.
Related Commands
snmp-server host (181)

snmp-server host
This command specifies the recipient of a Simple Network Management Protocol notification operation. Use the no form to remove the specified host.

Syntax
snmp-server host host-addr [inform [retry retries | timeout seconds]] community-string [version {1 | 2c | 3 {auth | noauth | priv} [udp-port port]}
no snmp-server host host-addr
host-addr - IPv4 or IPv6 address of the host (targeted recipient).
Command Usage
◆ If you do not enter an snmp-server host command, no notifications are sent. In order to configure the switch to send SNMP notifications, you must enter at least one snmp-server host command. In order to enable multiple hosts, you must issue a separate snmp-server host command for each host.
◆ The snmp-server host command is used in conjunction with the snmp-server enable traps command.
◆ If you specify an SNMP Version 3 host, then the community string is interpreted as an SNMP user name. The user name must first be defined with the snmp-server user command. Otherwise, an SNMPv3 group will be automatically created by the snmp-server host command using the name of the specified community string, and default settings for the read, write, and notify view.

Example
Console(config)#snmp-server host 10.1.19.
Chapter 6 | SNMP Commands
SNMPv3 Commands

show snmp-server enable port-traps
This command shows if SNMP traps are enabled or disabled for the specified interfaces.

Syntax
show snmp-server enable port-traps interface [interface]
interface
ethernet unit/port
unit - Unit identifier. (Range: Always 1)
port - Port number.
Command Usage
◆ An SNMP engine is an independent SNMP agent that resides either on this switch or on a remote device. This engine protects against message replay, delay, and redirection. The engine ID is also used in combination with user passwords to generate the security keys for authenticating and encrypting SNMPv3 packets.
◆ A remote engine ID is required when using SNMPv3 informs. (See the snmp-server host command.
auth | noauth | priv - This group uses SNMPv3 with authentication, no authentication, or with authentication and privacy. See “Simple Network Management Protocol” in the Web Management Guide for further information about these authentication and encryption options.
readview - Defines the view for read access. (1-32 characters)
writeview - Defines the view for write access. (1-32 characters)
notifyview - Defines the view for notifications.
snmp-server user
This command adds a user to an SNMP group, restricting the user to a specific SNMP Read, Write, or Notify View. Use the no form to remove a user from an SNMP group.
Command Mode
Global Configuration

Command Usage
◆ Local users (i.e., the command does not specify a remote engine identifier) must be configured to authorize management access for SNMPv3 clients, or to identify the source of SNMPv3 trap messages sent from the local switch.
◆ Remote users (i.e., the command specifies a remote engine identifier) must be configured to identify the source of SNMPv3 inform messages sent from the local switch.
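The way an engine ID combines with a user password to produce SNMPv3 security keys can be shown with the RFC 3414 password-to-key algorithm. This is an added example, not code from the switch or from this guide: the function names are hypothetical, the password and first engine ID are the RFC 3414 Appendix A.3 test values, and the second engine ID is the remote engine ID that appears in this guide's show snmp engine-id output.

```python
"""SNMPv3 USM key derivation per RFC 3414 Appendix A.2 (added illustration)."""
import hashlib
import hmac

EXPANDED_LEN = 1_048_576  # RFC 3414: hash exactly 1 MiB of the repeated password


def password_to_key(password: bytes, algo: str) -> bytes:
    """Return Ku, the engine-independent user key ('md5' or 'sha1')."""
    if algo not in ("md5", "sha1"):
        raise ValueError("RFC 3414 defines key derivation for MD5 and SHA-1 only")
    if len(password) < 8:
        # RFC 3414 requires passwords of at least 8 octets.
        raise ValueError("password must be at least 8 octets")
    reps, rem = divmod(EXPANDED_LEN, len(password))
    digest = hashlib.new(algo)
    digest.update(password * reps + password[:rem])
    return digest.digest()


def localize_key(ku: bytes, engine_id: bytes, algo: str) -> bytes:
    """Return Kul = H(Ku || engineID || Ku), the key bound to one SNMP engine."""
    if not 5 <= len(engine_id) <= 32:
        raise ValueError("snmpEngineID must be 5 to 32 octets")
    return hashlib.new(algo, ku + engine_id + ku).digest()


def derive(password: str, engine_id_hex: str, algo: str) -> str:
    """Password + engine ID (hex) -> localized key (hex)."""
    ku = password_to_key(password.encode(), algo)
    return localize_key(ku, bytes.fromhex(engine_id_hex), algo).hex()


def key_survives_engine_change(password: str, old_hex: str, new_hex: str,
                               algo: str) -> bool:
    """True only if the stored key would still verify after an engine ID change."""
    return hmac.compare_digest(derive(password, old_hex, algo),
                               derive(password, new_hex, algo))


# RFC 3414 Appendix A.3 test inputs.
RFC_PASSWORD = "maplesyrup"
RFC_ENGINE_ID = "000000000000000000000002"
# Remote engine ID as printed in this guide's show snmp engine-id example.
GUIDE_ENGINE_ID = "80000000030004e2b316c54321"

if __name__ == "__main__":
    for algo in ("md5", "sha1"):
        print(algo, "RFC engine  :", derive(RFC_PASSWORD, RFC_ENGINE_ID, algo))
        print(algo, "guide engine:", derive(RFC_PASSWORD, GUIDE_ENGINE_ID, algo))
    print("key survives engine ID change:",
          key_survives_engine_change(RFC_PASSWORD, RFC_ENGINE_ID,
                                     GUIDE_ENGINE_ID, "sha1"))
```

Because the localized key depends on the engine ID, the same password yields unrelated keys on two engines, and a key captured from one device does not authenticate to another.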
included - Defines an included view.
excluded - Defines an excluded view.

Default Setting
defaultview (includes access to the entire MIB tree)

Command Mode
Global Configuration

Command Usage
◆ Views are used in the snmp-server group command to restrict user access to specified portions of the MIB tree.
◆ The predefined view “defaultview” includes access to the entire MIB tree.

Examples
This view includes MIB-2.

Console(config)#snmp-server view mib-2 1.3.6.1.2.
Remote SNMP EngineID          IP address
80000000030004e2b316c54321    192.168.1.19
Console#

Table 27: show snmp engine-id - display description
Field                     Description
Local SNMP engineID       String identifying the engine ID.
Local SNMP engineBoots    The number of times that the engine has (re-)initialized since the snmp EngineID was last configured.
Remote SNMP engineID      String identifying an engine ID on a remote device.
Group Name: private
Security Model: v2c
Read View: defaultview
Write View: defaultview
Notify View: none
Storage Type: volatile
Row Status: active

Console#

Table 28: show snmp group - display description
Field            Description
Group Name       Name of an SNMP group.
Security Model   The SNMP version.
Read View        The associated read view.
Write View       The associated write view.
Notify View      The associated notify view.
Storage Type     The storage type for this entry.
Table 29: show snmp user - display description
Field                     Description
SNMP remote user          A user associated with an SNMP engine on a remote device.
Engine ID                 String identifying the engine ID.
User Name                 Name of user connecting to the SNMP agent.
Group Name                Name of an SNMP group.
Security Model            Shows the SNMP version 1, 2c or 3.
Security Level            Shows if authentication or privacy is used.
Authentication Protocol   The authentication protocol used with SNMPv3.
Notification Log Commands

nlm
This command enables or disables the specified notification log.

Syntax
[no] nlm filter-name
filter-name - Notification log name. (Range: 1-32 characters)

Default Setting
Enabled

Command Mode
Global Configuration

Command Usage
◆ Notification logging is enabled by default, but will not start recording information until a logging profile specified by the snmp-server notify-filter command is enabled by the nlm command.
Default Setting
None

Command Mode
Global Configuration

Command Usage
◆ Systems that support SNMP often need a mechanism for recording Notification information as a hedge against lost notifications, whether they are Traps or Informs that may be exceeding retransmission limits. The Notification Log MIB (NLM, RFC 3014) provides an infrastructure in which information from other MIBs may be logged.
Chapter 6 | SNMP Commands
Additional Trap Commands

show nlm oper-status
This command shows the operational status of configured notification logs.

Command Mode
Privileged Exec

Example
Console#show nlm oper-status
Filter Name: A1
Oper-Status: Operational
Console#

show snmp notify-filter
This command displays the configured notification logs.

Command Mode
Privileged Exec

Example
This example displays the configured notification logs and associated target hosts.
Command Usage
Once the rising alarm threshold is exceeded, utilization must drop beneath the falling threshold before the alarm is terminated, and then exceed the rising threshold again before another alarm is triggered.

Example
Console(config)#memory rising 80
Console(config)#memory falling 60
Console#

Related Commands
show memory (119)

process cpu
This command sets an SNMP trap based on configured thresholds for CPU utilization.
process cpu guard
This command sets the CPU utilization high and low watermarks in percentage of CPU time utilized and the CPU high and low thresholds in the number of packets being processed per second. Use the no form of this command without any parameters to restore all of the default settings, or with a specific parameter to restore the default setting for that item.
◆ Once the maximum threshold is exceeded, utilization must drop beneath the minimum threshold before the alarm is terminated, and then exceed the maximum threshold again before another alarm is triggered.
7 Remote Monitoring Commands

Remote Monitoring allows a remote device to collect information or respond to specified events on an independent basis. This switch is an RMON-capable device which can independently perform a wide range of tasks, significantly reducing network management traffic. It can continuously run diagnostics and log information on network performance.
rmon alarm
This command sets threshold bounds for a monitored variable. Use the no form to remove an alarm.

Syntax
rmon alarm index variable interval {absolute | delta} rising-threshold threshold [event-index] falling-threshold threshold [event-index] [owner name]
no rmon alarm index
index – Index to this entry. (Range: 1-65535)
variable – The object identifier of the MIB variable to be sampled. Only variables of the type etherStatsEntry.n.n may be sampled.
generated until the sampled value has fallen below the rising threshold, reaches the falling threshold, and again moves back up to the rising threshold.
◆ If the current value is less than or equal to the falling threshold, and the last sample value was greater than this threshold, then an alarm will be generated.
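The rising/falling hysteresis described for the memory, process cpu and rmon alarm commands can be traced with a short simulation. This is an added example, not the switch's implementation: the class and function names, the sample series and the choice to raise no event on the first sample are assumptions, while the thresholds 80 and 60 are taken from the memory example in this guide.

```python
"""Rising/falling threshold alarm with hysteresis (added illustration)."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class ThresholdAlarm:
    rising: int
    falling: int
    delta: bool = False  # False: compare the sample itself; True: compare the change

    def __post_init__(self) -> None:
        if self.falling > self.rising:
            raise ValueError("falling threshold must not exceed rising threshold")
        self._prev_raw: Optional[int] = None   # previous raw reading (delta mode)
        self._last: Optional[int] = None       # previous compared value
        self._rising_armed = True
        self._falling_armed = True

    def sample(self, raw: int) -> Optional[str]:
        """Feed one reading; return 'rising', 'falling' or None."""
        if self.delta:
            prev, self._prev_raw = self._prev_raw, raw
            if prev is None:
                return None          # need two readings to form a delta
            value = raw - prev
        else:
            value = raw
        last, self._last = self._last, value
        if last is None:
            return None              # assumption: no event on the first value
        if value >= self.rising and last < self.rising and self._rising_armed:
            # Disarm until the value has come back down to the falling threshold.
            self._rising_armed, self._falling_armed = False, True
            return "rising"
        if value <= self.falling and last > self.falling and self._falling_armed:
            self._falling_armed, self._rising_armed = False, True
            return "falling"
        return None


def run(alarm: ThresholdAlarm, samples: List[int]) -> List[Optional[str]]:
    """Events produced by a series of readings, one entry per reading."""
    return [alarm.sample(s) for s in samples]


def naive_alert_count(samples: List[int], rising: int) -> int:
    """Alerts a single-threshold check would raise (one per reading at or above it)."""
    return sum(1 for s in samples if s >= rising)


# Constructed utilization readings (percent) oscillating around the rising threshold.
UTILIZATION = [50, 85, 90, 70, 82, 55, 81]
# Constructed raw counter readings for delta sampling.
COUNTER = [100, 150, 400, 420, 900]

if __name__ == "__main__":
    print(run(ThresholdAlarm(rising=80, falling=60), UTILIZATION))
    print(run(ThresholdAlarm(rising=200, falling=50, delta=True), COUNTER))
    print("single-threshold alerts:", naive_alert_count(UTILIZATION, 80))
```

In the first series the reading of 82 raises nothing, because utilization only dropped to 70 and never reached the falling threshold of 60 after the first alarm.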
Command Usage
◆ If an event is already defined for an index, the entry must be deleted before any changes can be made with this command.
◆ The specified events determine the action to take when an alarm triggers this event. The response to an alarm can include logging the alarm or sending a message to a trap manager.
◆ The information collected for each sample includes: input octets, packets, broadcast packets, multicast packets, undersize packets, oversize packets, fragments, jabbers, CRC alignment errors, collisions, drop events, and network utilization.
◆ The switch reserves two controlEntry index entries for each port.
Command Usage
◆ By default, each index number equates to a port on the switch, but can be changed to any number not currently in use.
◆ If statistics collection is already enabled on an interface, the entry must be deleted before any changes can be made with this command.
show rmon history
This command shows the sampling parameters configured for each entry in the history group.

Command Mode
Privileged Exec

Example
Console#show rmon history
Entry 1 is valid, and owned by
Monitors 1.3.6.1.2.1.2.2.1.1.
8 Authentication Commands

You can configure this switch to authenticate users logging into the system for management access using local or remote authentication methods.
User Accounts

The basic commands required for management access are listed in this section. This switch also includes other options for password checking via the console or a Telnet connection (page 144), and user authentication via a remote authentication server (page 207).
Example
Console(config)#enable password level 15 0 admin
Console(config)#

Related Commands
enable (99)
authentication enable (210)

username
This command adds named users, requires authentication at login, specifies or changes a user's password (or specifies that no password is required), or specifies or changes a user's access level. Use the no form to remove a user name.
Chapter 8 | Authentication Commands
Authentication Sequence

Command Usage
The encrypted password is required for compatibility with legacy password settings (i.e., plain text or encrypted) when reading the configuration file during system bootup or when downloading the configuration file from an FTP server. There is no need for you to manually configure encrypted passwords.

Example
This example shows how to set the access level and password for a user.
Command Usage
◆ RADIUS uses UDP while TACACS+ uses TCP. UDP only offers best effort delivery, while TCP offers a connection-oriented transport. Also, note that RADIUS encrypts only the password in the access-request packet from the client to the server, while TACACS+ encrypts the entire body of the packet.
◆ RADIUS and TACACS+ logon authentication assigns a specific privilege level for each user name and password pair.
Chapter 8 | Authentication Commands
RADIUS Client

◆ RADIUS and TACACS+ logon authentication assigns a specific privilege level for each user name and password pair. The user name, password, and privilege level must be configured on the authentication server.
◆ You can specify three authentication methods in a single command to indicate the authentication sequence. For example, if you enter “authentication login radius tacacs local,” the user name and password on the RADIUS server are verified first.
radius-server acct-port
This command sets the RADIUS server network port for accounting messages. Use the no form to restore the default.

Syntax
radius-server acct-port port-number
no radius-server acct-port
port-number - RADIUS server UDP port used for accounting messages.
radius-server host
This command specifies primary and backup RADIUS servers, and authentication and accounting parameters that apply to each server. Use the no form to remove a specified server, or to restore the default values.

Syntax
[no] radius-server index host host-ip-address [acct-port acct-port] [auth-port auth-port] [key key] [retransmit retransmit] [timeout timeout]
index - Allows you to specify up to five servers.
radius-server key
This command sets the RADIUS encryption key. Use the no form to restore the default.

Syntax
radius-server key key-string
no radius-server key
key-string - Encryption key used to authenticate logon access for client. Enclose any string containing blank spaces in double quotes.
radius-server timeout
This command sets the interval between transmitting authentication requests to the RADIUS server. Use the no form to restore the default.

Syntax
radius-server timeout number-of-seconds
no radius-server timeout
number-of-seconds - Number of seconds the switch waits for a reply before resending a request.
RADIUS Server Group:
Group Name                Member Index
------------------------- ------------
radius                    1
Console#

TACACS+ Client

Terminal Access Controller Access Control System (TACACS+) is a logon authentication protocol that uses software running on a central server to control access to TACACS-aware devices on the network.
Default Setting
authentication port - 49
timeout - 5 seconds
retransmit - 2

Command Mode
Global Configuration

Example
Console(config)#tacacs-server 1 host 192.168.1.25 port 181 timeout 10 retransmit 5 key green
Console(config)#

tacacs-server key
This command sets the TACACS+ encryption key. Use the no form to restore the default.
Default Setting
49

Command Mode
Global Configuration

Example
Console(config)#tacacs-server port 181
Console(config)#

tacacs-server retransmit
This command sets the number of retries. Use the no form to restore the default.

Syntax
tacacs-server retransmit number-of-retries
no tacacs-server retransmit
number-of-retries - Number of times the switch will try to authenticate logon access via the TACACS+ server.
Chapter 8 | Authentication Commands
Web Server

Example
Console(config)#tacacs-server timeout 10
Console(config)#

show tacacs-server
This command displays the current settings for the TACACS+ server.

Default Setting
None

Command Mode
Privileged Exec

Example
Console#show tacacs-server
Remote TACACS+ Server Configuration:
Global Settings:
Server Port Number : 49
Retransmit Times : 2
Timeout : 5
Server 1:
Server IP Address : 10.11.12.
Server Port Number :
Retransmit Times :
Timeout :
Table 38: Web Server Commands
Command                 Function                                                 Mode
ip http secure-port     Specifies the UDP port number for HTTPS                  GC
ip http secure-server   Enables HTTPS (HTTP/SSL) for encrypted communications    GC

Note: Users are automatically logged off of the HTTP server or HTTPS server if no input is detected for 300 seconds.
Command Mode
Global Configuration

Example
Console(config)#ip http port 769
Console(config)#

Related Commands
ip http server (222)
show system (122)

ip http server
This command allows this device to be monitored or configured from a browser. Use the no form to disable this function.
Command Mode
Global Configuration

Command Usage
◆ You cannot configure the HTTP and HTTPS servers to use the same port.
Chapter 8 | Authentication Commands
Telnet Server

◆ The client and server establish a secure encrypted connection. A padlock icon should appear in the status bar for Internet Explorer 11, Mozilla Firefox 40, or Google Chrome 45, or more recent versions.
Note: This switch also supports a Telnet client function. A Telnet connection can be made from this switch to another device by entering the telnet command at the Privileged Exec configuration level.

ip telnet max-sessions
This command specifies the maximum number of Telnet sessions that can simultaneously connect to this system. Use the no form to restore the default setting.
Command Mode
Global Configuration

Example
Console(config)#ip telnet port 123
Console(config)#

ip telnet server
This command allows this device to be monitored or configured from Telnet. Use the no form to disable this function.

Syntax
[no] ip telnet server

Default Setting
Enabled

Command Mode
Global Configuration

Example
Console(config)#ip telnet server
Console(config)#

show ip telnet
This command displays the configuration settings for the Telnet server.
Secure Shell

This section describes the commands used to configure the SSH server. Note that you also need to install an SSH client on the management station when using this protocol to configure the switch.

Note: The switch supports both SSH Version 1.5 and 2.0 clients.
To use the SSH server, complete these steps:

1. Generate a Host Key Pair – Use the ip ssh crypto host-key generate command to create a host public/private key pair.
2. Provide Host Public Key to Clients – Many SSH client programs automatically import the host public key during the initial connection setup with the switch. Otherwise, you need to manually create a known hosts file on the management station and place the host public key in it.
Public Key Authentication – When an SSH client attempts to contact the switch, the SSH server uses the host key pair to negotiate a session key and encryption method. Only clients that have a private key corresponding to the public keys stored on the switch can access it. The following exchanges take place during this process:

Authenticating SSH v1.5 Clients
a. The client sends its RSA public key to the switch.
b.
ip ssh authentication-retries
This command configures the number of times the SSH server attempts to reauthenticate a user. Use the no form to restore the default setting.

Syntax
ip ssh authentication-retries count
no ip ssh authentication-retries
count – The number of authentication attempts permitted after which the interface is reset.
Example
Console#ip ssh crypto host-key generate dsa
Console#configure
Console(config)#ip ssh server
Console(config)#

Related Commands
ip ssh crypto host-key generate (233)
show ssh (236)

ip ssh server-key size
This command sets the SSH server key size. Use the no form to restore the default setting.

Syntax
ip ssh server-key size key-size
no ip ssh server-key size
key-size – The size of server key.
Default Setting
10 seconds

Command Mode
Global Configuration

Command Usage
The timeout specifies the interval the switch will wait for a response from the client during the SSH negotiation phase. Once an SSH session has been established, the timeout for user input is controlled by the exec-timeout command for vty sessions.
ip ssh crypto host-key generate
This command generates the host key pair (i.e., public and private).

Syntax
ip ssh crypto host-key generate [dsa | rsa]
dsa – DSA (Version 2) key type.
rsa – RSA (Version 1) key type.

Default Setting
Generates both the DSA and RSA key pairs.

Command Mode
Privileged Exec

Command Usage
◆ The switch uses only RSA Version 1 for SSHv1.5 clients and DSA Version 2 for SSHv2 clients.
Command Mode
Privileged Exec

Command Usage
◆ This command clears the host key from volatile memory (RAM). Use the no ip ssh save host-key command to clear the host key from flash memory.
◆ The SSH server must be disabled before you can execute this command.
Example
Console#show ip ssh
SSH Enabled - Version 2.0
Negotiation Timeout : 120 seconds; Authentication Retries : 3
Server Key Size : 768 bits
Console#

show public-key
This command shows the public key for the specified user or for the host.

Syntax
show public-key [user [username] | host]
username – Name of an SSH user. (Range: 1-8 characters)

Default Setting
Shows all public keys.
show ssh
This command displays the current SSH server connections.

Command Mode
Privileged Exec

Example
Console#show ssh
Connection Version State           Username Encryption
0          2.0     Session-Started admin    ctos aes128-cbc-hmac-md5
                                            stoc aes128-cbc-hmac-md5
Console#

Table 42: show ssh - display description
Field      Description
Session    The session number. (Range: 0-3)
Version    The Secure Shell version number.
State      The authentication negotiation state.
802.1X Port Authentication
Table 43: 802.
Example
Console(config)#dot1x system-auth-control
Console(config)#

Authenticator Commands

dot1x intrusion-action
This command sets the port’s response to a failed authentication, either to block all traffic, or to assign all traffic for the port to a guest VLAN. Use the no form to reset the default.

Syntax
dot1x intrusion-action {block-traffic | guest-vlan}
no dot1x intrusion-action
block-traffic - Blocks traffic on this port.
dot1x max-reauth-req
This command sets the maximum number of times that the switch sends an EAP-request/identity frame to the client before restarting the authentication process. Use the no form to restore the default.
dot1x operation-mode
This command allows hosts (clients) to connect to an 802.1X-authorized port. Use the no form with no keywords to restore the default to single host. Use the no form with the multi-host max-count keywords to restore the default maximum count.
dot1x port-control
This command sets the dot1x mode on a port interface. Use the no form to restore the default.

Syntax
dot1x port-control {auto | force-authorized | force-unauthorized}
no dot1x port-control
auto – Requires a dot1x-aware connected client to be authorized by the RADIUS server. Clients that are not dot1x-aware will be denied access.
Example
Console(config)#interface eth 1/2
Console(config-if)#dot1x re-authentication
Console(config-if)#

Related Commands
dot1x timeout re-authperiod (243)

dot1x timeout quiet-period
This command sets the time that a switch port waits after the maximum request count (see page 240) has been exceeded before attempting to acquire a new client. Use the no form to reset the default.
Example
Console(config)#interface eth 1/2
Console(config-if)#dot1x timeout re-authperiod 300
Console(config-if)#

dot1x timeout supp-timeout
This command sets the time that an interface on the switch waits for a response to an EAP request from a client before re-transmitting an EAP packet. Use the no form to reset to the default value.

Syntax
dot1x timeout supp-timeout seconds
no dot1x timeout supp-timeout
seconds - The number of seconds.
Default
30 seconds

Command Mode
Interface Configuration

Example
Console(config)#interface eth 1/2
Console(config-if)#dot1x timeout tx-period 300
Console(config-if)#

Information Display Commands

show dot1x
This command shows general port authentication related settings on the switch or a specific interface.

Syntax
show dot1x [statistics] [interface interface]
statistics - Displays dot1x status for each port.
◆ 802.1X Port Details – Displays the port access control parameters for each interface, including the following items:
◆ Authenticator PAE State Machine
  ■ State – Current state (including initialize, disconnected, connecting, authenticating, authenticated, aborting, held, force_authorized, force_unauthorized).
  ■ Reauth Count – Number of times connecting state is re-entered.
Authenticator Parameters:
 EAPOL Pass Through : Disabled

802.1X Port Summary

Port     Type     Operation Mode Control Mode     Authorized
-------- -------- -------------- ---------------- ----------
Eth 1/ 1 Disabled Single-Host    Force-Authorized Yes
Eth 1/ 2 Disabled Single-Host    Force-Authorized Yes
.
.
.
Eth 1/51 Disabled Single-Host    Force-Authorized Yes
Eth 1/52 Enabled  Single-Host    Auto             Yes

802.1X Port Details
802.
Management IP Filter
This section describes commands used to configure IP management access to the switch.
◆ IP addresses can be configured for SNMP, web, and Telnet access respectively. Each of these groups can include up to five different sets of addresses, either individual addresses or address ranges.
◆ When entering addresses for the same group (i.e., SNMP, web, or Telnet), the switch will not accept overlapping address ranges. When entering addresses for different groups, the switch will accept overlapping address ranges.
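The acceptance rules above (five entries per group, no overlap inside a group, overlap allowed between groups) can be checked against a planned filter list before it is typed into the switch. The following is an added example, not code from the guide or from the switch software; the class and function names, the IPv4-only handling and the sample plan are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass

GROUPS = ("snmp", "web", "telnet")   # the three access groups named above
MAX_ENTRIES = 5                      # "up to five different sets of addresses"


@dataclass(frozen=True)
class AddressRange:
    start: ipaddress.IPv4Address
    end: ipaddress.IPv4Address

    def overlaps(self, other):
        # Two closed ranges overlap when each starts before the other ends.
        return self.start <= other.end and other.start <= self.end

    def contains(self, addr):
        return self.start <= addr <= self.end


class ManagementFilterModel:
    """Hypothetical offline model of the acceptance rules; not switch code."""

    def __init__(self):
        self.groups = {name: [] for name in GROUPS}

    def add(self, group, start, end=None):
        """Try to add one address or range; return (accepted, reason)."""
        if group not in self.groups:
            raise ValueError(f"unknown group {group!r}")
        lo = ipaddress.IPv4Address(start)
        hi = ipaddress.IPv4Address(start if end is None else end)
        if hi < lo:
            return False, "end address is below start address"
        entries = self.groups[group]
        if len(entries) >= MAX_ENTRIES:
            return False, f"{group} already holds {MAX_ENTRIES} entries"
        candidate = AddressRange(lo, hi)
        for existing in entries:
            if candidate.overlaps(existing):
                return False, f"overlaps {existing.start}-{existing.end} in {group}"
        entries.append(candidate)
        return True, "accepted"

    def permitted(self, group, source):
        """True/False once the group has entries; None for an empty group,
        because this section does not say how an empty group behaves."""
        entries = self.groups[group]
        if not entries:
            return None
        addr = ipaddress.IPv4Address(source)
        return any(r.contains(addr) for r in entries)


def review_plan(plan):
    """Replay a planned list of (group, start, end) and collect the rejects."""
    model = ManagementFilterModel()
    rejected = []
    for group, start, end in plan:
        accepted, reason = model.add(group, start, end)
        if not accepted:
            rejected.append((group, start, end, reason))
    return model, rejected


# Constructed change plan, for illustration only.
PLAN = [
    ("telnet", "192.168.1.19", None),
    ("telnet", "192.168.1.25", "192.168.1.30"),
    ("telnet", "192.168.1.28", "192.168.1.40"),  # overlaps the previous telnet range
    ("web", "192.168.1.28", "192.168.1.40"),     # same range, different group
    ("snmp", "10.0.0.9", "10.0.0.1"),            # start and end reversed
]

if __name__ == "__main__":
    model, rejected = review_plan(PLAN)
    for group, start, end, reason in rejected:
        print(f"rejected {group} {start} {end}: {reason}")
    print("telnet from 192.168.1.27 permitted:",
          model.permitted("telnet", "192.168.1.27"))
```

Running the review before a change window shows which entries the switch would refuse and which management sources end up covered by each group.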
TELNET-Client:
 Start IP address End IP address
-----------------------------------------------
1. 192.168.1.19   192.168.1.19
2. 192.168.1.25   192.168.1.
9 General Security Measures

This switch provides port-based traffic segmentation to segregate traffic for clients attached to each of the data ports.

Table 45: General Security Commands
Command Group    Function
Port Security*    Configures secure addresses for a port
802.1X Port Authentication*    Configures host authentication on specific ports using 802.
Chapter 9 | General Security Measures
Port Security

These commands can be used to enable port security on a port. When MAC address learning is disabled on an interface, only incoming traffic with source addresses already stored in the dynamic or static address table for this port will be authorized to access the network. When using port security, the switch stops learning new MAC addresses on the specified port when it has reached a configured maximum number.
the static address table will be accepted, all other packets are dropped. Note that the dynamic addresses stored in the address table when MAC address learning is disabled are flushed from the system, and no dynamic addresses are subsequently learned until MAC address learning has been re-enabled.
◆ The mac-learning commands cannot be used if 802.
Command Usage
◆ The default maximum number of MAC addresses allowed on a secure port is zero (that is, port security is disabled). To use port security, you must configure the maximum number of addresses allowed on a port using the port security max-mac-count command.
Related Commands
show interfaces status (371)
shutdown (359)
mac-address-table static (434)

show port security
This command displays port security status and the secure address count.

Syntax
show port security [interface interface]
interface - Specifies a port interface.
  ethernet unit/port
    unit - Unit identifier. (Range: 1)
    port - Port number.
Table 47: show port security - display description
Field         Description
MaxMacCnt     The maximum number of addresses which can be stored in the address table for this interface (either dynamic or static).
CurrMacCnt    The current number of secure entries in the address table.

The following example shows the port security settings and number of secure addresses for a specific port.
Network Access (MAC Address Authentication)

Network Access authentication controls access to the network by authenticating the MAC address of each host that attempts to connect to a switch port. Traffic received from a specific MAC address is forwarded by the switch only if the source MAC address is successfully authenticated by a central RADIUS server.
network-access aging
Use this command to enable aging for authenticated MAC addresses stored in the secure MAC address table. Use the no form of this command to disable address aging.
Command Mode
Global Configuration

Command Usage
◆ Specified addresses are exempt from network access authentication.
◆ This command is different from configuring static addresses with the mac-address-table static command in that it allows you to configure a range of addresses when using a mask, and then to assign these addresses to one or more ports with the network-access port-mac-filter command.
network-access dynamic-qos
Use this command to enable the dynamic QoS feature for an authenticated port. Use the no form to restore the default.

Syntax
[no] network-access dynamic-qos

Default Setting
Disabled

Command Mode
Interface Configuration

Command Usage
◆ The RADIUS server may optionally return dynamic QoS assignments to be applied to a switch port for an authenticated user.
Example
The following example enables the dynamic QoS feature on port 1.

Console(config)#interface ethernet 1/1
Console(config-if)#network-access dynamic-qos
Console(config-if)#

network-access dynamic-vlan
Use this command to enable dynamic VLAN assignment for an authenticated port. Use the no form to disable dynamic VLAN assignment.
network-access guest-vlan
Use this command to assign all traffic on a port to a guest VLAN when 802.1x authentication or MAC authentication is rejected. Use the no form of this command to disable guest VLAN assignment.
network-access link-detection link-down
Use this command to detect link-down events. When detected, the switch can shut down the port, send an SNMP trap, or both. Use the no form of this command to disable this feature.

Syntax
network-access link-detection link-down action [shutdown | trap | trap-and-shutdown]
no network-access link-detection
action - Response to take when port security is violated.
Example
Console(config)#interface ethernet 1/1
Console(config-if)#network-access link-detection link-up action trap
Console(config-if)#

network-access link-detection link-up-down
Use this command to detect link-up and link-down events. When either event is detected, the switch can shut down the port, send an SNMP trap, or both. Use the no form of this command to disable this feature.
Command Mode
Interface Configuration

Command Usage
The maximum number of MAC addresses per port is 1024, and the maximum number of secure MAC addresses supported for the switch system is 1024. When the limit is reached, all new MAC addresses are treated as authentication failures.
◆ When port status changes to down, all MAC addresses are cleared from the secure MAC address table. Static VLAN assignments are not restored.
◆ The RADIUS server may optionally return a VLAN identifier list. The VLAN identifier list is carried in the “Tunnel-Private-Group-ID” attribute. The VLAN list can contain multiple VLAN identifiers in the format “1u,2t,” where “u” indicates untagged VLAN and “t” tagged VLAN.
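A RADIUS reply that carries a malformed or over-broad VLAN list is easier to catch on the server side than on a live port. The following added example (not part of the guide or the switch software) parses the “1u,2t” format described above and lints a set of constructed replies; the function names, the tolerated trailing comma, the duplicate check and the allowed-VLAN policy are assumptions.

```python
import re

VLAN_MIN, VLAN_MAX = 1, 4094            # VLAN ID range used elsewhere in this guide
_ITEM = re.compile(r"(\d{1,4})([ut])")  # number followed by u (untagged) or t (tagged)


def parse_vlan_list(value):
    """Parse a list such as "1u,2t" into {"untagged": [...], "tagged": [...]}."""
    items = [item.strip() for item in value.split(",")]
    if items and items[-1] == "":       # assumption: one trailing comma is tolerated
        items.pop()
    if not items:
        raise ValueError("empty VLAN list")
    result = {"untagged": [], "tagged": []}
    seen = set()
    for item in items:
        match = _ITEM.fullmatch(item)
        if match is None:
            raise ValueError(f"malformed item {item!r}")
        vid = int(match.group(1))
        if not VLAN_MIN <= vid <= VLAN_MAX:
            raise ValueError(f"VLAN {vid} outside {VLAN_MIN}-{VLAN_MAX}")
        if vid in seen:                 # assumption: a repeated VLAN is a config error
            raise ValueError(f"VLAN {vid} listed twice")
        seen.add(vid)
        result["untagged" if match.group(2) == "u" else "tagged"].append(vid)
    return result


def lint_reply(user, value, allowed_vlans):
    """Return findings for one reply value; an empty list means it is clean."""
    try:
        parsed = parse_vlan_list(value)
    except ValueError as exc:
        return [f"{user}: {exc}"]
    findings = []
    for kind in ("untagged", "tagged"):
        for vid in parsed[kind]:
            if vid not in allowed_vlans:
                findings.append(f"{user}: {kind} VLAN {vid} is not in the allowed set")
    return findings


def audit(replies, allowed_vlans):
    """Lint every (user -> Tunnel-Private-Group-ID value) pair."""
    findings = []
    for user, value in replies.items():
        findings.extend(lint_reply(user, value, allowed_vlans))
    return findings


# Constructed RADIUS reply values and a hypothetical policy, for illustration.
REPLIES = {
    "printer-01": "20u",
    "phone-07": "20u,30t,",
    "lab-pc": "1u,2t",        # well-formed, but outside the allowed set
    "bad-entry": "20u,4095t", # VLAN ID out of range
    "typo": "20x",            # unknown suffix
}
ALLOWED_DYNAMIC_VLANS = {20, 30}

if __name__ == "__main__":
    for finding in audit(REPLIES, ALLOWED_DYNAMIC_VLANS):
        print(finding)
```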
mac-authentication intrusion-action
Use this command to configure the port response to a host MAC authentication failure. Use the no form of this command to restore the default.
clear network-access
Use this command to clear entries from the secure MAC addresses table.

Syntax
clear network-access mac-address-table [static | dynamic] [address mac-address] [interface interface]
static - Specifies static address entries.
dynamic - Specifies dynamic address entries.
mac-address - Specifies a MAC address entry. (Format: xx-xx-xx-xx-xx-xx)
interface - Specifies a port interface.
Example
Console#show network-access interface ethernet 1/1
Global secure port information
Reauthentication Time : 1800
MAC Address Aging : Enabled

Port : 1/1
MAC Authentication : Disabled
MAC Authentication Intrusion Action :
MAC Authentication Maximum MAC Counts :
Maximum MAC Counts :
Dynamic VLAN Assignment :
Dynamic QoS Assignment :
MAC Filter ID :
Guest VLAN :
Link Detection :
Detection Mode :
Detection Action :
Console#
00-00-00 would result in all MACs in the range 00-00-01-00-00-00 to 00-00-01-FF-FF-FF to be displayed. All other MACs would be filtered out.

Example
Console#show network-access mac-address-table
Interface MAC Address       RADIUS Server   Time
--------- ----------------- --------------- ---------------------
1/1       00-00-01-02-03-04 172.155.120.17  00d06h32m50s
1/1       00-00-01-02-03-05 172.155.120.
1/1       00-00-01-02-03-06
1/3       00-00-01-02-03-07
Console#
Web Authentication

Note: RADIUS authentication must be activated and configured for the web authentication feature to work properly (see “Authentication Sequence” on page 210).

Note: Web authentication cannot be configured on trunk ports.
Example
Console(config)#web-auth login-attempts 2
Console(config)#

web-auth quiet-period
This command defines the amount of time a host must wait after exceeding the limit for failed login attempts, before it may attempt web authentication again. Use the no form to restore the default.

Syntax
web-auth quiet-period time
no web-auth quiet-period
time - The amount of time the host must wait before attempting authentication again.
Example
Console(config)#web-auth session-timeout 1800
Console(config)#

web-auth system-auth-control
This command globally enables web authentication for the switch. Use the no form to restore the default.
Example
Console(config-if)#web-auth
Console(config-if)#

web-auth re-authenticate (Port)
This command ends all web authentication sessions connected to the port and forces the users to re-authenticate.

Syntax
web-auth re-authenticate interface interface
interface - Specifies a port interface.
  ethernet unit/port
    unit - Unit identifier. (Range: 1)
    port - Port number.
Example
Console#web-auth re-authenticate interface ethernet 1/2 192.168.1.5
Console#

show web-auth
This command displays global web authentication parameters.
show web-auth summary
This command displays a summary of web authentication port parameters and statistics.

Command Mode
Privileged Exec

Example
Console#show web-auth summary
Global Web-Auth Parameters
 System Auth Control : Enabled
Port Status   Authenticated Host Count
---- ------   ------------------------
1/ 1 Disabled 0
1/ 2 Enabled  8
1/ 3 Disabled 0
1/ 4 Disabled 0
1/ 5 Disabled 0
.
.
.
DHCPv4 Snooping

Table 51: DHCP Snooping Commands (Continued)
Command    Function    Mode
clear ip dhcp snooping binding    Clears DHCP snooping binding table entries from RAM    PE
clear ip dhcp snooping database flash    Removes all dynamically learned snooping entries from flash memory.
◆ Filtering rules are implemented as follows:
  ■ If global DHCP snooping is disabled, all DHCP packets are forwarded.
  ■ If DHCP snooping is enabled globally, and also enabled on the VLAN where the DHCP packet is received, all DHCP packets are forwarded for a trusted port. If the received packet is a DHCP ACK message, a dynamic DHCP snooping entry is also added to the binding table.
Example
This example enables DHCP snooping globally for the switch.

Console(config)#ip dhcp snooping
Console(config)#

Related Commands
ip dhcp snooping vlan (284)
ip dhcp snooping trust (286)

ip dhcp snooping information option
This command enables the use of DHCP Option 82 information for the switch, and specifies the frame format to use for the remote-id when Option 82 information is generated by the switch.
compatible DHCP servers to use the information when assigning IP addresses, or to set other services or policies for clients.
◆ When the DHCP Snooping Information Option 82 is enabled, the requesting client (or an intermediate relay agent that has used the information fields to describe itself) can be identified in the DHCP request packets forwarded by the switch and in reply packets sent back from the DHCP server.
Command Usage
See the Command Usage section under the ip dhcp snooping information option circuit-id command for a description of how these fields are included in TR-101 syntax.

Example
This example enables the use of sub-type and sub-length fields for the circuit-ID (CID) and remote-ID (RID).
ip dhcp snooping information policy
This command sets the DHCP snooping information option policy for DHCP client packets that include Option 82 information. Use the no form to restore the default setting.

Syntax
ip dhcp snooping information policy {drop | keep | replace}
no ip dhcp snooping information policy
drop - Drops the client’s request packet instead of relaying it.
Command Mode
Global Configuration

Example
This example sets the DHCP snooping rate limit to 100 packets per second.

Console(config)#ip dhcp snooping limit rate 100
Console(config)#

ip dhcp snooping verify mac-address
This command verifies the client’s hardware address stored in the DHCP packet against the source MAC address in the Ethernet header. Use the no form to disable this function.
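The comparison this command performs can be reproduced offline on a captured frame, which helps when deciding whether a mismatch seen in a packet trace is a spoofed client or a relayed packet. This is an added example, not the switch's implementation; the function names and the constructed DHCPDISCOVER frame are assumptions, and only untagged IPv4 frames with Ethernet hardware addresses are handled.

```python
import struct
from collections import namedtuple

ETH_HDR = 14
BOOTP_FIXED = 236                       # BOOTP header up to (not including) the cookie
MAGIC_COOKIE = b"\x63\x82\x53\x63"
Check = namedtuple("Check", "eth_src chaddr relayed match")


def fmt_mac(raw):
    """Render six bytes in the guide's xx-xx-xx-xx-xx-xx notation."""
    return "-".join(f"{b:02x}" for b in raw)


def build_discover(eth_src, chaddr, giaddr=bytes(4)):
    """Build a constructed DHCPDISCOVER frame (checksums left at zero)."""
    bootp = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                        1, 1, 6, 0, 0x1234ABCD, 0, 0x8000,
                        bytes(4), bytes(4), bytes(4), giaddr,
                        chaddr, b"", b"")
    payload = bootp + MAGIC_COOKIE + b"\x35\x01\x01\xff"  # option 53 = DISCOVER, end
    udp = struct.pack("!HHHH", 68, 67, 8 + len(payload), 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp) + len(payload),
                     0, 0, 64, 17, 0, bytes(4), b"\xff" * 4)
    return b"\xff" * 6 + eth_src + b"\x08\x00" + ip + udp + payload


def check_client_mac(frame):
    """Compare the Ethernet source address with the DHCP chaddr field."""
    if len(frame) < ETH_HDR + 20:
        raise ValueError("frame too short for Ethernet and IPv4 headers")
    if frame[12:14] != b"\x08\x00":
        raise ValueError("not an untagged IPv4 frame")
    if frame[ETH_HDR] >> 4 != 4:
        raise ValueError("IP version is not 4")
    ihl = (frame[ETH_HDR] & 0x0F) * 4
    if ihl < 20:
        raise ValueError("invalid IPv4 header length")
    if frame[ETH_HDR + 9] != 17:
        raise ValueError("not UDP")
    udp = ETH_HDR + ihl
    bootp = udp + 8
    if len(frame) < bootp + BOOTP_FIXED + 4:
        raise ValueError("truncated DHCP message")
    sport, dport = struct.unpack("!HH", frame[udp:udp + 4])
    if not {sport, dport} <= {67, 68}:
        raise ValueError("not on the DHCP ports")
    if frame[bootp + BOOTP_FIXED:bootp + BOOTP_FIXED + 4] != MAGIC_COOKIE:
        raise ValueError("DHCP magic cookie missing")
    htype, hlen = frame[bootp + 1], frame[bootp + 2]
    if htype != 1 or hlen != 6:
        raise ValueError("only Ethernet hardware addresses are handled")
    giaddr = frame[bootp + 24:bootp + 28]
    chaddr = frame[bootp + 28:bootp + 28 + hlen]
    eth_src = frame[6:12]
    # A non-zero giaddr means a relay agent forwarded the packet; the Ethernet
    # source is then normally the relay's address, so read a mismatch with care.
    return Check(fmt_mac(eth_src), fmt_mac(chaddr), giaddr != bytes(4),
                 eth_src == chaddr)


if __name__ == "__main__":
    client = bytes.fromhex("0012cf010203")    # constructed addresses
    other = bytes.fromhex("0012cf0a0b0c")
    print(check_client_mac(build_discover(client, client)))
    print(check_client_mac(build_discover(client, other)))
```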
ip dhcp snooping vlan
This command enables DHCP snooping on the specified VLAN. Use the no form to restore the default setting.
Default Setting
VLAN-Unit-Port

Command Mode
Interface Configuration (Ethernet, Port Channel)

Command Usage
◆ DHCP provides a relay mechanism for sending information about the switch and its DHCP clients to the DHCP server. DHCP Option 82 allows compatible DHCP servers to use the information when assigning IP addresses, to set other services or policies for clients.
Example
This example sets the DHCP Snooping Information circuit-id suboption string.

Console(config)#interface ethernet 1/1
Console(config-if)#ip dhcp snooping information option circuit-id string 4500
Console(config-if)#

ip dhcp snooping trust
This command configures the specified interface as trusted. Use the no form to restore the default setting.
Related Commands
ip dhcp snooping (277)
ip dhcp snooping vlan (284)

clear ip dhcp snooping binding
This command clears DHCP snooping binding table entries from RAM. Use this command without any optional keywords to clear all entries from the binding table.

Syntax
clear ip dhcp snooping binding [mac-address vlan vlan-id]
mac-address - Specifies a MAC address entry. (Format: xx-xx-xx-xx-xx-xx)
vlan-id - ID of a configured VLAN.
Example
Console#clear ip dhcp snooping database flash
Console#

show ip dhcp
This command shows the DHCP snooping configuration settings.
DHCPv6 Snooping

DHCPv6 snooping allows a switch to protect a network from rogue DHCPv6 servers or other devices which send port-related information to a DHCPv6 server. This information can be useful in tracking an IP address back to a physical port. This section describes commands used to configure DHCPv6 snooping.
wall. When DHCPv6 snooping is enabled globally by this command, and enabled on a VLAN interface by the ipv6 dhcp snooping vlan command, DHCP messages received on an untrusted interface (as specified by the no ipv6 dhcp snooping trust command) from a device not listed in the DHCPv6 snooping table will be dropped.
◆ When enabled, DHCPv6 messages entering an untrusted interface are filtered based upon dynamic entries learned via DHCPv6 snooping.
DHCP Server Packet
■ If a DHCP server packet is received on an untrusted port, drop this packet and add a log entry in the system.
■ If a DHCPv6 Reply packet is received from a server on a trusted port, it will be processed in the following manner:
  A. Check if IPv6 address in IA option is found in binding table:
     ■ If yes, continue to C.
     ■ If not, continue to B.
  B.
Example
This example enables DHCPv6 snooping globally for the switch.

Console(config)#ipv6 dhcp snooping
Console(config)#

Related Commands
ipv6 dhcp snooping vlan (294)
ipv6 dhcp snooping trust (295)

ipv6 dhcp snooping option remote-id
This command enables the insertion of remote-id option 37 information into DHCPv6 client messages.
■ If an incoming packet is a DHCPv6 request packet with option 37 information, it will modify the option 37 information according to settings specified with ipv6 dhcp snooping option remote-id policy command.
■ If an incoming packet is a DHCPv6 request packet without option 37 information, enabling the DHCPv6 snooping information option will add option 37 information to the packet.
Example
This example configures the switch to keep existing remote-id option 37 information within DHCPv6 client packets and forward it.

Console(config)#ipv6 dhcp snooping option remote-id policy keep
Console(config)#

ipv6 dhcp snooping vlan
This command enables DHCPv6 snooping on the specified VLAN. Use the no form to restore the default setting.

Syntax
[no] ipv6 dhcp snooping vlan {vlan-id | vlan-range}
vlan-id - ID of a configured VLAN.
ipv6 dhcp snooping max-binding
This command sets the maximum number of entries which can be stored in the binding database for an interface. Use the no form to restore the default setting.

Syntax
ipv6 dhcp snooping max-binding count
no ipv6 dhcp snooping max-binding
count - Maximum number of entries.
VLAN according to the default status, or as specifically configured for an interface with the no ipv6 dhcp snooping trust command.
◆ When an untrusted port is changed to a trusted port, all the dynamic DHCPv6 snooping bindings associated with this port are removed.
◆ Additional considerations when the switch itself is a DHCPv6 client – The port(s) through which it submits a client request to the DHCPv6 server must be configured as trusted.
clear ipv6 dhcp snooping statistics
This command clears statistical counters for DHCPv6 snooping client, server and relay packets.

Command Mode
Privileged Exec

Example
Console(config)#clear ipv6 dhcp snooping statistics
Console(config)#

show ipv6 dhcp
This command shows the DHCPv6 snooping configuration settings.
Link-layer Address: 00-12-cf-01-02-03
IPv6 Address                            Lifetime   VLAN Port    Type
--------------------------------------- ---------- ---- ------- ----
2001:b000::1                            2591912    1    Eth 1/3 NA
Console#

show ipv6 dhcp snooping statistics
This command shows statistics for DHCPv6 snooping client, server and relay packets.
IPv4 Source Guard

Table 54: IPv4 Source Guard Commands
Command    Function    Mode
show ip source-guard    Shows whether source guard is enabled or disabled on each interface    PE
show ip source-guard binding    Shows the source guard binding table    PE

ip source-guard binding
This command adds a static address to the source-guard ACL or MAC address binding table. Use the no form to remove a static entry.
◆ When source guard is enabled, traffic is filtered based upon dynamic entries learned via DHCP snooping, or static addresses configured in the source guard binding table with this command.
◆ An entry with same MAC address and a different VLAN ID cannot be added to the binding table.
ip source-guard
This command configures the switch to filter inbound traffic based on source IP address, or source IP address and corresponding MAC address. Use the no form to disable this function.

Syntax
ip source-guard {sip | sip-mac}
no ip source-guard
sip - Filters traffic based on IP addresses stored in the binding table.
sip-mac - Filters traffic based on IP addresses and corresponding MAC addresses stored in the binding table.
the sip-mac option). If a matching entry is found in the binding table and the entry type is static IP source guard binding, the packet will be forwarded.
■ If the DHCP snooping is enabled, IP source guard will check the VLAN ID, source IP address, port number, and source MAC address (for the sip-mac option).
Command Mode
Interface Configuration (Ethernet)

Command Usage
◆ This command sets the maximum number of address entries that can be mapped to an interface in the binding table for the specified mode (ACL binding table or MAC address table) including dynamic entries discovered by DHCP snooping and static entries set by the ip source-guard command.
◆ The maximum binding for ACL mode restricts the number of “active” entries per port.
Command Usage
There are two modes for the filtering table:
◆ ACL - IP traffic will be forwarded if it passes the checking process in the ACL mode binding table.
◆ MAC - A MAC entry will be added in MAC address table if IP traffic passes the checking process in MAC mode binding table.
Example
Console#show ip source-guard
                                   ACL Table   MAC Table
Interface Filter-type Filter-table Max-binding Max-binding
--------- ----------- ------------ ----------- -----------
Eth 1/1   DISABLED    ACL          5           1024
Eth 1/2   DISABLED    ACL          5           1024
Eth 1/3   DISABLED    ACL          5           1024
Eth 1/4   DISABLED    ACL          5           1024
Eth 1/5   DISABLED    ACL          5           1024
.
.
.

show ip source-guard
This command shows the source guard binding table.
IPv6 Source Guard

IPv6 Source Guard is a security feature that filters IPv6 traffic on non-routed, Layer 2 network interfaces based on manually configured entries in the IPv6 Source Guard table, or dynamic entries in the Neighbor Discovery Snooping table or DHCPv6 Snooping table when either snooping protocol is enabled (see “DHCPv6 Snooping” on page 289).
Default Setting
No configured entries

Command Mode
Global Configuration

Command Usage
◆ Table entries include an associated MAC address, IPv6 global unicast address, entry type (Static-IP-SG-Binding, Dynamic-ND-Snooping, Dynamic-DHCPv6-Snooping), VLAN identifier, and port identifier.
◆ Traffic filtering is based only on the source IPv6 address, VLAN ID, and port number.
ipv6 dhcp snooping (289)
ipv6 dhcp snooping vlan (294)

ipv6 source-guard
This command configures the switch to filter inbound traffic based on the source IP address stored in the binding table. Use the no form to disable this function.
◆ Filtering rules are implemented as follows:
  ■ If ND snooping and DHCPv6 snooping are disabled, IPv6 source guard will check the VLAN ID, source IPv6 address, and port number. If a matching entry is found in the binding table and the entry type is static IPv6 source guard binding, the packet will be forwarded.
  ■ If ND snooping or DHCPv6 snooping is enabled, IPv6 source guard will check the VLAN ID, source IP address, and port number.
Command Mode
Interface Configuration (Ethernet)

Command Usage
◆ This command sets the maximum number of address entries that can be mapped to an interface in the binding table, including both dynamic entries discovered by ND snooping, DHCPv6 snooping, and static entries set by the ipv6 source-guard command.
◆ IPv6 source guard maximum bindings must be set to a value higher than DHCPv6 snooping maximum bindings and ND snooping maximum bindings.
.
.
.

show ipv6 source-guard binding
This command shows the IPv6 source guard binding table.

Syntax
show ipv6 source-guard binding [dynamic | static]
dynamic - Shows dynamic entries configured with ND Snooping or DHCPv6 Snooping commands (see page 289)
static - Shows static entries configured with the ipv6 source-guard binding command.
ipv6 source-guard binding
This command adds a static address to the source-guard binding table. Use the no form to remove a static entry.

Syntax
ipv6 source-guard binding mac-address vlan vlan-id ipv6-address interface interface
no ipv6 source-guard binding mac-address vlan vlan-id
mac-address - A valid unicast MAC address.
vlan-id - ID of a configured VLAN (Range: 1-4094)
ipv6-address - Corresponding IPv6 address.
◆ Static bindings are processed as follows:
  ■ If there is no entry with the same MAC address and IPv6 address, a new entry is added to the binding table using static IPv6 source guard binding.
  ■ If there is an entry with the same MAC address and IPv6 address, and the type of entry is static IPv6 source guard binding, then the new entry will replace the old one.
◆ This command checks the VLAN ID, IPv6 global unicast source IP address, and port number against all entries in the binding table. Use the no ipv6 source-guard command to disable this function on the selected port.
◆ After IPv6 source guard is enabled on an interface, the switch initially blocks all IPv6 traffic received on that interface, except for ND packets allowed by ND snooping and DHCPv6 packets allowed by DHCPv6 snooping.
Example
This example enables IP source guard on port 5.

Console(config)#interface ethernet 1/5
Console(config-if)#ipv6 source-guard sip
Console(config-if)#

Related Commands
ipv6 source-guard binding (306)
ipv6 dhcp snooping (289)
ipv6 dhcp snooping vlan (294)

ipv6 source-guard max-binding
This command sets the maximum number of entries that can be bound to an interface. Use the no form to restore the default setting.
binding table reaches the newly configured maximum number of allowed bindings.

Example
This example sets the maximum number of allowed entries in the binding table for port 5 to one entry.
Console(config)#interface ethernet 1/5
Console(config-if)#ipv6 source-guard max-binding 1
Console(config-if)#

show ipv6 source-guard
This command shows whether IPv6 source guard is enabled or disabled on each interface, and the maximum allowed bindings.
Example
Console#show ipv6 source-guard binding
MAC Address    IPv6 Address                            VLAN Interface Type
-------------- --------------------------------------- ---- --------- ----
00AB-11CD-2345 2001::1                                 1    Eth 1/5   STA
Console#

ARP Inspection
ARP Inspection validates the MAC-to-IP address bindings in Address Resolution Protocol (ARP) packets. It protects against ARP traffic with invalid address bindings, which forms the basis for certain “man-in-the-middle” attacks.
Table 57: ARP Inspection Commands (Continued)
Command | Function | Mode
show ip arp inspection statistics | Shows statistics about the number of ARP packets processed, or dropped for various reasons | PE
show ip arp inspection vlan | Shows configuration setting for VLANs, including ARP Inspection status, the ARP ACL name, and if the DHCP Snooping database is used after ACL validation is completed | PE

ip arp inspection
This command enables ARP Inspection gl
Example
Console(config)#ip arp inspection
Console(config)#

ip arp inspection filter
This command specifies an ARP ACL to apply to one or more VLANs. Use the no form to remove an ACL binding.

Syntax
ip arp inspection filter arp-acl-name vlan {vlan-id | vlan-range} [static]
no ip arp inspection filter arp-acl-name vlan {vlan-id | vlan-range}
arp-acl-name - Name of an ARP ACL. (Maximum length: 16 characters)
vlan-id - VLAN ID.
ip arp inspection log-buffer logs
This command sets the maximum number of entries saved in a log message, and the rate at which these messages are sent. Use the no form to restore the default settings.

Syntax
ip arp inspection log-buffer logs message-number interval seconds
no ip arp inspection log-buffer logs
message-number - The maximum number of entries saved in a log message.
ip arp inspection validate
This command specifies additional validation of address components in an ARP packet. Use the no form to restore the default setting.

Syntax
ip arp inspection validate {dst-mac [ip [allow-zeros] [src-mac]] | ip [allow-zeros] [src-mac]] | src-mac}
no ip arp inspection validate
dst-mac - Checks the destination MAC address in the Ethernet header against the target MAC address in the ARP body.
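The validation options named above, applied to raw ARP frames, as an added Python example (not code from this guide or from the switch software). The dst-mac rule is the one stated above; applying it to replies only, and the src-mac, ip and allow-zeros rules, follow common Dynamic ARP Inspection behaviour and are assumptions here, as are the function names and the constructed sample frames used to exercise it.

```python
import ipaddress
import struct

# Ethernet II header (14 bytes) followed by an IPv4-over-Ethernet ARP body (28 bytes).
ETH_ARP = struct.Struct("!6s6sH HHBBH 6s4s6s4s")
ARP_REQUEST, ARP_REPLY = 1, 2


def mac(text):
    """Convert 'aa-bb-cc-dd-ee-ff' or 'aa:bb:cc:dd:ee:ff' to 6 raw bytes."""
    return bytes.fromhex(text.replace("-", "").replace(":", ""))


def build_arp(eth_dst, eth_src, oper, sha, spa, tha, tpa):
    """Build a frame for testing (constructed input, not captured traffic)."""
    return ETH_ARP.pack(
        mac(eth_dst), mac(eth_src), 0x0806,   # Ethernet header, EtherType ARP
        1, 0x0800, 6, 4, oper,                # htype, ptype, hlen, plen, opcode
        mac(sha), ipaddress.IPv4Address(spa).packed,
        mac(tha), ipaddress.IPv4Address(tpa).packed,
    )


def _bad_ip(raw, allow_zeros=False):
    """Assumed 'ip' rule: reject 0.0.0.0, 255.255.255.255 and multicast."""
    ip = ipaddress.IPv4Address(raw)
    if int(ip) == 0:
        return not allow_zeros
    return int(ip) == 0xFFFFFFFF or ip.is_multicast


def validate(frame, checks):
    """Return the list of failed checks; an empty list means the frame passes.

    checks is a set drawn from {'dst-mac', 'src-mac', 'ip', 'allow-zeros'},
    mirroring the keywords of 'ip arp inspection validate'.
    """
    if len(frame) < ETH_ARP.size:
        return ["truncated"]
    (eth_dst, eth_src, ethertype, htype, ptype, hlen, plen, oper,
     sha, spa, tha, tpa) = ETH_ARP.unpack(frame[:ETH_ARP.size])
    if ethertype != 0x0806 or (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return ["not-ipv4-arp"]

    failed = []
    # dst-mac (from the page): Ethernet destination vs. ARP target MAC.
    # Applied to replies only (assumption): requests carry an unset target MAC.
    if "dst-mac" in checks and oper == ARP_REPLY and eth_dst != tha:
        failed.append("dst-mac")
    # src-mac (assumption): Ethernet source vs. ARP sender MAC.
    if "src-mac" in checks and eth_src != sha:
        failed.append("src-mac")
    # ip (assumption): sender IP always checked, target IP only in replies.
    if "ip" in checks:
        if _bad_ip(spa, allow_zeros="allow-zeros" in checks):
            failed.append("ip-sender")
        if oper == ARP_REPLY and _bad_ip(tpa):
            failed.append("ip-target")
    return failed


ALL_CHECKS = {"dst-mac", "src-mac", "ip"}

# Constructed samples: a well-formed reply, and a reply whose ARP sender MAC
# differs from the Ethernet source (the pattern seen in ARP spoofing).
GOOD_REPLY = build_arp("00-11-22-33-44-55", "00-aa-bb-cc-dd-ee", ARP_REPLY,
                       "00-aa-bb-cc-dd-ee", "192.168.2.2",
                       "00-11-22-33-44-55", "192.168.2.1")
SPOOFED_REPLY = build_arp("00-11-22-33-44-55", "00-aa-bb-cc-dd-ee", ARP_REPLY,
                          "00-de-ad-be-ef-00", "192.168.2.2",
                          "00-11-22-33-44-55", "192.168.2.1")

if __name__ == "__main__":
    print(validate(GOOD_REPLY, ALL_CHECKS))
    print(validate(SPOOFED_REPLY, ALL_CHECKS))
```
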
vlan-range - A consecutive range of VLANs indicated by the use of a hyphen, or a random group of VLANs with each entry separated by a comma.

Default Setting
Disabled on all VLANs

Command Mode
Global Configuration

Command Usage
◆ When ARP Inspection is enabled globally with the ip arp inspection command, it becomes active only on those VLANs where it has been enabled with this command.
none - There is no limit on the number of ARP packets that can be processed by the CPU.

Default Setting
15

Command Mode
Interface Configuration (Port, Static Aggregation)

Command Usage
◆ This command applies to both trusted and untrusted ports.
◆ When the rate of incoming ARP packets exceeds the configured limit, the switch drops all ARP packets in excess of the limit.
show ip arp inspection This command displays the global configuration settings for ARP Inspection.
show ip arp inspection log
This command shows information about entries stored in the log, including the associated VLAN, port, and address components.

Command Mode
Privileged Exec

Example
Console#show ip arp inspection log
Total log entries number is 1
Num VLAN Port Src IP Address Dst IP Address
--- ---- ---- -------------- --------------
1   1    11   192.168.2.2    192.168.2.
Console#
Example
Console#show ip arp inspection vlan 1
VLAN ID  DAI Status      ACL Name             ACL Status
-------- --------------- -------------------- --------------------
1        disabled        sales                static
Console#

Port-based Traffic Segmentation
If tighter security is required for passing traffic from different clients through downlink ports on the local network and over uplink ports to the service provider, port-based traffic segmentation can be used to isolate traffic
Command Usage
◆ Traffic segmentation provides port-based security and isolation between ports within the VLAN. Data traffic on the downlink ports can only be forwarded to, and from, the designated uplink port(s). Data cannot pass between downlink ports in the same segmented group, nor to ports which do not belong to the same group.
◆ Traffic segmentation and normal VLANs can exist simultaneously within the same switch.
traffic-segmentation session
This command creates a traffic-segmentation client session. Use the no form to remove a client session.

Syntax
[no] traffic-segmentation session session-id
session-id – Traffic segmentation session. (Range: 1-4)

Default Setting
None

Command Mode
Global Configuration

Command Usage
Use this command to create a new traffic-segmentation client session.
Command Mode
Global Configuration

Command Usage
◆ A port cannot be configured in both an uplink and downlink list.
◆ A port can only be assigned to one traffic-segmentation session.
◆ When specifying an uplink or downlink, a list of ports may be entered by using a hyphen or comma in the port field. Note that lists are not supported for the channel-id field.
Example
This example enables forwarding of traffic between uplink ports assigned to different client sessions.
Console(config)#traffic-segmentation uplink-to-uplink forwarding
Console(config)#

show This command displays the configured traffic segments.
10 Access Control Lists

Access Control Lists (ACL) provide packet filtering for IPv4 frames (based on address, protocol, Layer 4 protocol port number or TCP control code), IPv6 frames (based on address, DSCP traffic class, next header type, or flow label), or any frames (based on MAC address or Ethernet type). To filter packets, first create an access list, add the required rules, and then bind the list to a specific port. This section describes the Access Control List commands.
IPv4 ACLs

access-list ip
This command adds an IP access list and enters configuration mode for standard or extended IPv4 ACLs. Use the no form to remove the specified ACL.

Syntax
[no] access-list ip {standard | extended} acl-name
standard – Specifies an ACL that filters packets based on the source IP address.
extended – Specifies an ACL that filters packets based on the source or destination IP address, and other more specific criteria.
acl-name – Name of the ACL.
permit, deny (Standard IP ACL)
This command adds a rule to a Standard IPv4 ACL. The rule sets a filter condition for packets emanating from the specified source. Use the no form to remove a rule.

Syntax
{permit | deny} {any | source bitmask | host source}
no {permit | deny} {any | source bitmask | host source}
any – Any source IP address.
source – Source IP address.
bitmask – Dotted decimal number representing the address bits to match.
permit, deny (Extended IPv4 ACL)
This command adds a rule to an Extended IPv4 ACL. The rule sets a filter condition for packets with specific source or destination IP addresses, protocol types, source or destination protocol ports, or TCP control codes. Use the no form to remove a rule.
port-bitmask – Decimal number representing the port bits to match. (Range: 0-65535)
control-flags – Decimal number (representing a bit string) that specifies flag bits in byte 14 of the TCP header. (Range: 0-63)
flag-bitmask – Decimal number representing the code bits to match.

Default Setting
None

Command Mode
Extended IPv4 ACL

Command Usage
◆ All new rules are appended to the end of the list.
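How an address bitmask and the control-flags/flag-bitmask pair select packets, as an added Python model (not the switch's implementation and not code from this guide). It assumes a 1 bit in a bitmask means "this bit must match", evaluates rules top-down with the first matching rule deciding, and reports "no-match" instead of assuming a default action; the Rule, Packet and evaluate names are hypothetical, and the sample packets are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

TCP = 6  # IP protocol number for TCP


def ip_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    protocol: int
    tcp_flags: int = 0   # low 6 bits of TCP header byte 14: URG ACK PSH RST SYN FIN


@dataclass(frozen=True)
class Rule:
    action: str                          # "permit" or "deny"
    src: str = "0.0.0.0"
    src_mask: str = "0.0.0.0"            # all-zero bitmask behaves like "any"
    dst: str = "0.0.0.0"
    dst_mask: str = "0.0.0.0"
    protocol: Optional[int] = None       # None = any protocol
    control_flags: Optional[int] = None  # None = flags not examined
    flag_bitmask: int = 0

    def __post_init__(self):
        if self.action not in ("permit", "deny"):
            raise ValueError("action must be permit or deny")
        if self.control_flags is not None and not 0 <= self.control_flags <= 63:
            raise ValueError("control-flags must be in the range 0-63")

    def matches(self, pkt: Packet) -> bool:
        # Address test: compare only the bits selected by the bitmask,
        # i.e. (rule & mask) == (packet & mask).
        for rule_addr, mask, pkt_addr in ((self.src, self.src_mask, pkt.src),
                                          (self.dst, self.dst_mask, pkt.dst)):
            m = ip_int(mask)
            if ip_int(rule_addr) & m != ip_int(pkt_addr) & m:
                return False
        if self.protocol is not None and pkt.protocol != self.protocol:
            return False
        if self.control_flags is not None:
            if pkt.protocol != TCP:
                return False
            # Flag test: only bits set in flag_bitmask are compared.
            if pkt.tcp_flags & self.flag_bitmask != self.control_flags & self.flag_bitmask:
                return False
        return True


def evaluate(acl: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, index of the deciding rule), or ('no-match', None)."""
    for index, rule in enumerate(acl):
        if rule.matches(pkt):
            return rule.action, index
    return "no-match", None


# "deny tcp any any control-flag 2 2" followed by "permit any any":
# drops every TCP segment with SYN set, whatever the other flags are.
ACL_A6 = [
    Rule("deny", protocol=TCP, control_flags=2, flag_bitmask=2),
    Rule("permit"),
]

# "permit 10.7.1.1 255.255.255.0 any": host bits of the rule address are ignored.
ACL_SUBNET = [Rule("permit", src="10.7.1.1", src_mask="255.255.255.0")]

if __name__ == "__main__":
    for flags in (0x02, 0x12, 0x10):   # SYN, SYN+ACK, ACK (constructed packets)
        print(hex(flags), evaluate(ACL_A6, Packet("10.0.0.5", "10.0.0.9", TCP, flags)))
```

Widening the bitmask narrows the match: with control-flags 2 and flag-bitmask 18, the rule matches only segments with SYN set and ACK clear, so connection requests are selected while SYN+ACK responses are not.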
Example
This example accepts any incoming packets if the source address is within subnet 10.7.1.x. For example, if the rule is matched; i.e., the rule (10.7.1.0 & 255.255.255.0) equals the masked address (10.7.1.2 & 255.255.255.0), the packet passes through.
Console(config-ext-acl)#permit 10.7.1.1 255.255.255.0 any
Console(config-ext-acl)#

This allows TCP packets from class C addresses 192.168.1.
◆ If an ACL is already bound to a port and you bind a different ACL to it, the switch will replace the old binding with the new one.

Example
Console(config)#int eth 1/2
Console(config-if)#ip access-group david in
Console(config-if)#

Related Commands
show ip access-list (337)
(174)

show ip access-group
This command shows the ports assigned to IP ACLs.
Related Commands
permit, deny (333)
ip access-group (336)

IPv6 ACLs
The commands in this section configure ACLs based on IPv6 address, DSCP traffic class, next header type, or flow label. To configure IPv6 ACLs, first create an access list containing the required permit or deny rules, and then bind the access list to one or more ports.
Command Usage
◆ When you create a new ACL or enter configuration mode for an existing ACL, use the permit or deny command to add new rules to the bottom of the list. To create an ACL, you must add at least one rule to the list.
◆ To remove a rule, use the no permit or no deny command followed by the exact text of a previously configured rule.
◆ An ACL can contain up to 96 rules.
Command Usage
New rules are appended to the end of the list.

Example
This example configures one permit rule for the specific address 2009:DB9:2229::79 and another rule for the addresses with the network prefix 2009:DB9:2229:5::/64.
Example
This example accepts any incoming packets if the destination address is 2009:DB9:2229::79/8.
Console(config-ext-ipv6-acl)#permit 2009:DB9:2229::79/8
Console(config-ext-ipv6-acl)#

Related Commands
access-list ipv6 (338)
(174)

ipv6 access-group
This command binds a port to an IPv6 ACL. Use the no form to remove the port.

Syntax
ipv6 access-group acl-name {in | out} [counter]
no ipv6 access-group acl-name {in | out}
acl-name – Name of the ACL.
show ipv6 access-group
This command shows the ports assigned to IPv6 ACLs.

Command Mode
Privileged Exec

Example
Console#show ipv6 access-group
Interface ethernet 1/2
IPv6 standard access-list david in
Console#

Related Commands
ipv6 access-group (341)

show ipv6 access-list
This command displays the rules for configured IPv6 ACLs.

Syntax
show ipv6 access-list {standard | extended} [acl-name]
standard – Specifies a standard IPv6 ACL.
MAC ACLs
The commands in this section configure ACLs based on hardware addresses, packet format, and Ethernet type. To configure MAC ACLs, first create an access list containing the required permit or deny rules, and then bind the access list to one or more ports.
Related Commands
permit, deny (344)
mac access-group (346)
show mac access-list (347)

permit, deny (MAC ACL)
This command adds a rule to a MAC ACL. The rule filters packets matching a specified MAC source or destination address (i.e., physical layer address), or Ethernet protocol type. Use the no form to remove a rule.
{permit | deny} untagged-802.3 {any | host source | source address-bitmask} {any | host destination | destination address-bitmask}
no {permit | deny} untagged-802.3 {any | host source | source address-bitmask} {any | host destination | destination address-bitmask}
tagged-eth2 – Tagged Ethernet II packets.
untagged-eth2 – Untagged Ethernet II packets.
tagged-802.3 – Tagged Ethernet 802.3 packets.
untagged-802.3 – Untagged Ethernet 802.3 packets.
Example
This rule permits packets from any source MAC address to the destination address 00-e0-29-94-34-de where the Ethernet type is 0800.
Console(config-mac-acl)#permit any host 00-e0-29-94-34-de ethertype 0800
Console(config-mac-acl)#

Related Commands
access-list mac (343)
(174)

mac access-group
This command binds a MAC ACL to a port. Use the no form to remove the port.
show mac access-group
This command shows the ports assigned to MAC ACLs.

Command Mode
Privileged Exec

Example
Console#show mac access-group
Interface ethernet 1/5
MAC access-list M5 in
Console#

Related Commands
mac access-group (346)

show mac access-list
This command displays the rules for configured MAC ACLs.

Syntax
show mac access-list [acl-name]
acl-name – Name of the ACL.
ARP ACLs
The commands in this section configure ACLs based on the IP or MAC address contained in ARP request and reply messages. To configure ARP ACLs, first create an access list containing the required permit or deny rules, and then bind the access list to one or more VLANs using the ip arp inspection vlan command.
Related Commands
permit, deny (349)
show arp access-list (350)

permit, deny (ARP ACL)
This command adds a rule to an ARP ACL. The rule filters packets matching a specified source or destination address in ARP messages. Use the no form to remove a rule.

Syntax
[no] {permit | deny} ip {any | host source-ip | source-ip ip-address-bitmask} mac {any | host source-mac | source-mac mac-address-bitmask} [log]
This form indicates either request or response packets.
Example
This rule permits packets from any source IP and MAC address to the destination subnet address 192.168.0.0.
Console(config-arp-acl)#$permit response ip any 192.168.0.0 255.255.0.0 mac any any
Console(config-mac-acl)#

Related Commands
access-list arp (348)

show access-list arp
This command displays the rules for configured ARP ACLs.

Syntax
show access-list arp [acl-name]
acl-name – Name of the ACL.
Related Commands
permit, deny (349)

ACL Information
This section describes commands used to display ACL information.
show access-group
This command shows the port assignments of ACLs.

Command Mode
Privileged Executive

Example
Console#show access-group
Interface ethernet 1/2
IP access-list david
MAC access-list jerry
Console#

show access-list
This command shows all ACLs and associated rules.
MAC access-list jerry:
permit any host 00-30-29-94-34-de ethertype 800 800
IP extended access-list A6:
deny tcp any any control-flag 2 2
permit any any
Console#
11 Interface Commands

These commands are used to display or set communication parameters for an Ethernet port, aggregated link, or VLAN; or perform cable diagnostics on the specified interface.
Interface Configuration

Table 66: Interface Commands (Continued)
Command | Function | Mode
transceiver-threshold rx-power | Sets thresholds for the transceiver power level of the received signal which can be used to trigger an alarm or warning message | IC
transceiver-threshold temperature | Sets thresholds for the transceiver temperature which can be used to trigger an alarm or warning message | IC
transceiver-threshold tx-power | Sets thresholds for the transceiver power level
Command Usage
The craft interface is provided as an out-of-band management connection which is isolated from all other ports on the switch. This interface must first be configured with an IPv4 or IPv6 address before a connection can be made through Telnet, SSH, or HTTP.

Example
To specify port 4, enter the following command:
Console(config)#interface ethernet 1/4
Console(config-if)#

description
This command adds a description to an interface.
Default Setting
Disabled

Command Mode
Interface Configuration (Ethernet, Port Channel)

Command Usage
◆ 10GBASE-SFP+ and 40GBASE-QSFP transceivers do not support autonegotiation. Forced mode should always be used to establish a connection over any 10GBASE-SFP+ or 10GBASE-SFP+ port or trunk.
◆ Flow control can eliminate frame loss by “blocking” traffic from end stations or segments connected directly to the switch when its buffers fill.
Example
This example sets an interval of 15 minutes for sampling standard statistical values on port 1.
Console(config)#interface ethernet 1/1
Console(config-if)#history 15min 15 10
Console(config-if)#

media-type
This command forces the module type. Use the no form to restore the default mode.

Syntax
media-type sfp-forced [mode]
no media-type
sfp-forced - Always uses the selected SFP module type (even if a module is not installed).
Command Mode
Interface Configuration (Ethernet, Port Channel)

Command Usage
This command allows you to disable a port due to abnormal behavior (e.g., excessive collisions), and then re-enable it after the problem has been resolved. You may also want to disable a port for security reasons.

Example
The following example disables port 5.
exceeds the configured port MTU, the switch will not respond to the ping message.
◆ For other traffic types, calculation of overall frame size is basically the same, including the additional header fields SA(6) + DA(6) + Type(2) + VLAN-Tag(4) (for tagged packets; for untagged packets, the 4-byte field will not be added by the switch), and the payload. This should all be less than the configured port MTU, including the CRC at the end of the frame.
Command Usage
Statistics are only initialized for a power reset. This command sets the base value for displayed statistics to zero for the current management session. However, if you log out and back into the management interface, the statistics displayed will show the absolute value accumulated since the last power reset.

Example
The following example clears statistics on port 5.
Example
Console#hardware profile portmode ethernet 1/1 4x10g
Console#

show hardware profile portmode
This command displays the configuration settings for 40G operation.

Command Mode
Privileged Exec

Example
This example shows the default 40G and 10G port settings for the AS5812-54X-EC.
. .

show interfaces counters
This command displays interface statistics.

Syntax
show interfaces counters [interface]
interface
  ethernet unit/port
    unit - Unit identifier. (Range: 1)
    port - Port number. (Range: 1-54)
  port-channel channel-id (Range: 1-27)

Default Setting
Shows the counters for all interfaces.

Command Mode
Normal Exec, Privileged Exec

Command Usage
If no interface is specified, information on all interfaces is displayed.
0 Frames Too Long
0 Carrier Sense Errors
0 Symbol Errors
0 Pause Frames Input
0 Pause Frames Output
===== RMON Stats =====
0 Drop Events
16900558 Octets
40243 Packets
170 Broadcast PKTS
23 Multi-cast PKTS
0 Undersize PKTS
0 Oversize PKTS
0 Fragments
0 Jabbers
0 CRC Align Errors
0 Collisions
21065 Packet Size <= 64 Octets
3805 Packet Size 65 to 127 Octets
2448 Packet Size 128 to 255 Octets
797 Packet Size 256 to 511 Octets
2941 Packet Size 512 to 102
Table 67: show interfaces counters - display description (Continued)
Parameter | Description
Unknown Protocols Input | The number of packets received which were discarded because of an unknown or unsupported protocol.
QLen Output | The length of the output packet queue (in packets).
Table 67: show interfaces counters - display description (Continued)
Parameter | Description
Symbol Errors | For an interface operating at 100 Mb/s, the number of times there was an invalid data symbol when a valid carrier was present.
Table 67: show interfaces counters - display description (Continued)
Parameter | Description
Input utilization | The input utilization rate for this interface.
Octets output per second | Number of octets leaving this interface in kbits per second.
Packets output per second | Number of packets leaving this interface in packets per second.
Output utilization | The output utilization rate for this interface.
Example
This example shows the statistics recorded for all named entries in the sampling table.
Console#show interfaces history ethernet 1/1
Interface         : Eth 1/ 1
Name              : 15min
Interval          : 900 second(s)
Buckets Requested : 96
Buckets Granted   : 7
Status            : Active

Current Entries
Start Time   %      Octets Input    Unicast       Multicast     Broadcast
------------ ------ --------------- ------------- ------------- ------------
00d 01:45:01 0.
This example shows the statistics recorded for a named entry in the sampling table.
Console#show interfaces history ethernet 1/1 1min
Interface         : Eth 1/ 1
Name              : 1min
Interval          : 60 second(s)
Buckets Requested : 10
Buckets Granted   : 1
Status            : Active

Current Entries
Start Time   %      Octets Input    Unicast       Multicast     Broadcast
------------ ------ --------------- ------------- ------------- ------------
00d 02:00:31 0.
show interfaces status
This command displays the status for an interface.

Syntax
show interfaces status [interface]
interface
  ethernet unit/port
    unit - Unit identifier. (Range: 1)
    port - Port number. (Range: 1-54)
  port-channel channel-id (Range: 1-27)
  vlan vlan-id (Range: 1-4094)

Default Setting
Shows the status for all interfaces.
show interfaces switchport
This command displays the administrative and operational status of the specified interfaces.

Syntax
show interfaces switchport [interface]
interface
  ethernet unit/port
    unit - Unit identifier. (Range: 1)
    port - Port number. (Range: 1-54)
  port-channel channel-id (Range: 1-27)

Default Setting
Shows all interfaces.
Table 68: show interfaces switchport - display description (Continued)
Field | Description
LACP Status | Shows if Link Aggregation Control Protocol has been enabled or disabled (page 389).
VLAN Membership Mode | Indicates membership mode as Trunk or Hybrid (page 470).
Ingress Rule | Shows if ingress filtering is enabled or disabled (page 470).
Transceiver Threshold Configuration

Default Setting
Disabled

Command Mode
Interface Configuration (Ethernet)

Example
Console(config)#interface ethernet 1/1
Console(config-if)#transceiver-monitor
Console#

transceiver-threshold current
This command sets thresholds for transceiver current which can be used to trigger an alarm or warning message.
be generated until the sampled value has risen above the low threshold and reaches the high threshold.
◆ Threshold events are triggered as described above to avoid a hysteresis effect which would continuously trigger event messages if the power level were to fluctuate just above and below either the high threshold or the low threshold.
◆ Refer to the Command Usage section under the transceiver-threshold current command for more information on configuring transceiver thresholds.
◆ Trap messages enabled by the transceiver-monitor command are sent to any management station configured by the snmp-server host command.

Example
The following example sets alarm thresholds for the signal power received at port 1.
Example
The following example sets alarm thresholds for the transceiver temperature at port 1.
Example
The following example sets alarm thresholds for the signal power transmitted at port 1.
Console(config)#interface ethernet 1/1
Console(config-if)#transceiver-threshold tx-power low-alarm 8
Console(config-if)#transceiver-threshold tx-power high-alarm -3
Console#

transceiver-threshold voltage
This command sets thresholds for the transceiver voltage which can be used to trigger an alarm or warning message.
Example
The following example sets alarm thresholds for the transceiver voltage at port 1.
Example
Console#show interfaces transceiver ethernet 1/25
Information of Eth 1/7
Connector Type       : LC
Fiber Type           : Multimode 50um (M5), Multimode 62.5um (M6)
Eth Compliance Codes : 1000BASE-SX
Baud Rate            : 2100 MBd
Vendor OUI           : 00-90-65
Vendor Name          : FINISAR CORP.
Vendor PN            : FTLF8519P2BNL
Vendor Rev           : A
Vendor SN            : PFS4U5F
Date Code            : 09-07-02
DDM Info
Temperature          : 11.54 degree C
Vcc                  : 3.25 V
Bias Current         : 7.21 mA
RX Power             : -31.
show interfaces transceiver-threshold
This command displays the alarm/warning thresholds for temperature, voltage, bias current, transmit power, and receive power.

Syntax
show interfaces transceiver-threshold [interface]
interface
  ethernet unit/port
    unit - Unit identifier. (Range: 1)
    port - Port number. (Range: 1-54)

Default Setting
Shows all SFP interfaces.
Cable Diagnostics

test loop internal
This command performs an internal loop back test on the specified port.

Syntax
test loop internal interface interface
interface
  ethernet unit/port
    unit - Unit identifier. (Range: 1)
    port - Port number. (Range: 1-54)

Command Mode
Privileged Exec

Command Usage
◆ Loopback testing can only be performed on a port that is not linked up.
Example
Console#show loop internal interface ethernet 1/1
Port     Test Result    Last Update
-------- -------------- -------------------
Eth 1/1  Succeeded      2013-04-15 15:26:56
Console#
12 Link Aggregation Commands

Ports can be statically grouped into an aggregate link (i.e., trunk) to increase the bandwidth of a network connection or to ensure fault recovery. Or you can use the Link Aggregation Control Protocol (LACP) to automatically negotiate a trunk link between this switch and another network device. For static trunks, the switches have to comply with the Cisco EtherChannel standard. For dynamic trunks, the switches have to comply with LACP.
Table 69: Link Aggregation Commands (Continued)
Command | Function | Mode
show mlag | Shows MLAG configuration settings | PE
show mlag domain | Shows MLAG domain settings | PE

Guidelines for Creating Trunks
General Guidelines –
◆ Finish configuring trunks before you connect the corresponding network cables between switches to avoid creating a loop.
◆ A trunk can have up to 54 ports on the AS5812-54X-EC or AS5812-54T-EC.
Manual Configuration Commands

port channel load-balance
This command sets the load-distribution method among ports in aggregated links (for both static and dynamic trunks). Use the no form to restore the default setting.

Syntax
port channel load-balance {dst-ip | dst-mac | src-dst-ip | src-dst-mac | src-ip | src-mac}
no port channel load-balance
dst-ip - Load balancing based on destination IP address.
router trunk links where traffic through the switch is received from and destined for many different hosts.
■ src-dst-mac: All traffic with the same source and destination MAC address is output on the same link in a trunk. This mode works best for switch-to-switch trunk links where traffic through the switch is received from and destined for many different hosts.
Example
The following example creates trunk 1 and then adds ports 10-12:
Console(config)#interface port-channel 1
Console(config-if)#exit
Console(config)#interface ethernet 1/10-12
Console(config-if)#channel-group 1
Console(config-if)#

Dynamic Configuration Commands

lacp
This command enables 802.3ad Link Aggregation Control Protocol (LACP) for the current interface. Use the no form to disable it.
Example
The following shows LACP enabled on ports 1-3. Because LACP has also been enabled on the ports at the other end of the links, the show interfaces status port-channel 1 command shows that Trunk1 has been established.
Default Setting
Actor: 1, Partner: 0

Command Mode
Interface Configuration (Ethernet)

Command Usage
◆ Ports are only allowed to join the same LAG if (1) the LACP system priority matches, (2) the LACP port admin key matches, and (3) the LACP port channel key matches (if configured).
◆ If the port channel admin key (lacp admin key - Port Channel) is not set when a channel group is formed (i.e.
Command Mode
Interface Configuration (Ethernet)

Command Usage
◆ Setting a lower value indicates a higher effective priority.
◆ If an active port link goes down, the backup port with the highest priority is selected to replace the downed link. However, if two or more ports have the same LACP port priority, the port with the lowest physical port number will be selected as the backup port.
◆ System priority is combined with the switch’s MAC address to form the LAG identifier. This identifier is used to indicate a specific LAG during LACP negotiations with other systems.
◆ Once the remote side of a link has been established, LACP operational settings are already in use on that side.
Example
Console(config)#interface port-channel 1
Console(config-if)#lacp admin-key 3
Console(config-if)#

lacp timeout
This command configures the timeout to wait for the next LACP data unit (LACPDU). Use the no form to restore the default setting.

Syntax
lacp timeout {long | short}
no lacp timeout
long - Specifies a slow timeout of 90 seconds.
short - Specifies a fast timeout of 3 seconds.
Trunk Status Display Commands

show lacp
This command displays LACP information.

Syntax
show lacp [port-channel] {counters | internal | neighbors | sys-id}
port-channel - Local identifier for a link aggregation group. (Range: 1-27)
counters - Statistics for LACP protocol messages.
internal - Configuration settings and operational state for local side.
neighbors - Configuration settings and operational state for remote side.
Table 70: show lacp counters - display description (Continued)
Field                    Description
Marker Received          Number of valid Marker PDUs received by this channel group.
MarkerResponsePDU Sent   Number of valid Marker Response PDUs transmitted from this channel group.
MarkerResponsePD         Number of valid Marker Response PDUs received at this channel group.
Table 71: show lacp internal - display description (Continued)
Field                     Description
Admin State, Oper State   Administrative or operational values of the actor’s state parameters:
                          ◆ Expired – The actor’s receive machine is in the expired state;
                          ◆ Defaulted – The actor’s receive machine is using defaulted operational partner information, administratively configured for the partner.
Table 72: show lacp neighbors - display description
Field                     Description
Port Channel              Local identifier for a link aggregation group.
Member Port               The ports active in this link aggregation group.
Partner Admin System ID   LAG partner’s system ID assigned by the user.
Partner Oper System ID    LAG partner’s system ID assigned by the LACP protocol.
show port-channel load-balance
This command shows the load-distribution method used on aggregated links.

Command Mode
Privileged Exec

Example
Console#show port-channel load-balance
Trunk Load Balance Mode: Destination IP address
Console#

MLAG Commands

Operational Concept
A multi-chassis link aggregation group (MLAG) is a pair of links that terminate on two cooperating switches and appear as an ordinary link aggregation group (LAG).
◆ The MLAG ID, associated MLAG domain ID and MLAG member must be configured using the mlag group member command. The associated MLAG domain may be nonexistent, which causes MLAG to be inactive locally.
◆ For a port to be configured as MLAG peer link or member:
  ■ STP status of the port must be disabled.
  ■ LACP status of the port must be disabled.
  ■ The port must not be any type of traffic segmentation port.
mlag peer-link
This command configures the MLAG domain peer link. Use the no form to remove the MLAG domain.

Syntax
mlag domain domain-id peer-link interface
no mlag domain domain-id
domain-id – Domain identifier. (Range: 1-16 characters)
interface
ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number.
interface
ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number. (Range: 1-54)
port-channel channel-id (Range: 1-27)

Command Mode
Global Configuration

Command Usage
◆ An MLAG domain can have two and only two MLAG devices. (See Figure 2.)
◆ An MLAG domain may have many MLAGs.
◆ An MLAG can belong to one and only one MLAG domain.
◆ The associated MLAG domain may be nonexistent, which causes the MLAG to be inactive locally.
■ When an MLAG member is operationally down, all updates for learned MAC addresses on the MLAG peer member will be synced through the peer link automatically.

Figure 3: MLAG Peer Operation

◆ When the MLAG peer member is down or nonexistent, learned MAC addresses that were synced through the peer link for the MLAG will be removed automatically.
Example
Console#show mlag domain 1
Peer Link : Eth 1/1
MLAG List : 10,20,33-35
Console#
13 Port Mirroring Commands

Data can be mirrored from a local port on the same switch for analysis at the target port using software monitoring tools or a hardware probe. This switch supports the following mirroring modes.
Chapter 13 | Port Mirroring Commands
Local Port Mirroring Commands

Default Setting
◆ No mirror session is defined.
◆ When enabled for an interface, default mirroring is for both received and transmitted packets.
◆ When enabled for a VLAN or a MAC address, mirroring is restricted to received packets.

Command Mode
Interface Configuration (Ethernet, destination port)

Command Usage
You can mirror traffic from any source port to a destination port for real-time analysis.
Chapter 13 | Port Mirroring Commands
RSPAN Mirroring Commands

port - Port number. (Range: 1-54)

Default Setting
Shows all sessions.

Command Mode
Privileged Exec

Command Usage
This command displays the currently configured source port, destination port, and mirror mode (i.e., RX, TX, RX/TX).
Configuration Guidelines
Take the following steps to configure an RSPAN session:
1. Use the rspan source command to specify the interfaces and the traffic type (RX, TX or both) to be monitored.
2. Use the rspan destination command to specify the destination port for the traffic mirrored by an RSPAN session.
3.
rspan source
Use this command to specify the source port and traffic type to be mirrored remotely. Use the no form to disable RSPAN on the specified port, or with a traffic type keyword to disable mirroring for the specified type.

Syntax
[no] rspan session session-id source interface interface [rx | tx | both]
session-id – A number identifying this RSPAN session.
rspan destination
Use this command to specify the destination port to monitor the mirrored traffic. Use the no form to disable RSPAN on the specified port.

Syntax
rspan session session-id destination interface interface [tagged | untagged]
no rspan session session-id destination interface interface
session-id – A number identifying this RSPAN session. (Range: 1-2) Only two mirror sessions are allowed, including both local and remote mirroring.
rspan remote vlan
Use this command to specify the RSPAN VLAN, switch role (source, intermediate or destination), and the uplink ports. Use the no form to disable the RSPAN on the specified VLAN.

Syntax
[no] rspan session session-id remote vlan vlan-id {source | intermediate | destination} uplink interface
session-id – A number identifying this RSPAN session.
Example
The following example enables RSPAN on VLAN 2, specifies this device as an RSPAN destination switch, and the uplink interface as port 3:
Console(config)#rspan session 1 remote vlan 2 destination uplink ethernet 1/3
Console(config)#

no rspan session
Use this command to delete a configured RSPAN session.

Syntax
no rspan session session-id
session-id – A number identifying this RSPAN session.
Source Ports (mirrored ports)   : None
RX Only                         : None
TX Only                         : None
BOTH                            : None
Destination Port (monitor port) : Eth 1/2
Destination Tagged Mode         : Untagged
Switch Role                     : Destination
RSPAN VLAN                      : 2
RSPAN Uplink Ports              : Eth 1/3
Operation Status                : Up
Console#
14 Congestion Control Commands

The switch can set the maximum upload or download data transfer rate for any port. It can control traffic storms by setting a maximum threshold for broadcast traffic or multicast traffic. It can also set bounding thresholds for broadcast and multicast storms which can be used to automatically trigger rate limits or to shut down a port.

Table 77: Congestion Control Commands
Command Group   Function
Rate Limiting   Sets the input and output rate limits for a port.
Chapter 14 | Congestion Control Commands
Rate Limit Commands

rate-limit
This command defines the rate limit for a specific interface. Use this command without specifying a rate to enable rate limiting. Use the no form to disable rate limiting.

Syntax
rate-limit {input | output} [rate]
no rate-limit {input | output}
input – Input rate for specified interface
output – Output rate for specified interface
rate – Maximum value in Kbps.
Storm Control Commands

Storm control commands can be used to configure broadcast, multicast, and unknown unicast storm control thresholds. Traffic storms may occur when a device on your network is malfunctioning, or if application programs are not well designed or properly configured. If there is too much traffic on your network, performance can be severely degraded or everything can come to a complete halt.
◆ Using both rate limiting and storm control on the same interface may lead to unexpected results. It is therefore not advisable to use both of these commands on the same interface.
15 Loopback Detection Commands

The switch can be configured to detect general loopback conditions caused by hardware problems or faulty protocol settings. When enabled, a control frame is transmitted on the participating ports, and the switch monitors inbound traffic to see if the frame is looped back.
Chapter 15 | Loopback Detection Commands

loopback-detection
This command enables loopback detection globally on the switch or on a specified interface. Use the no form to disable loopback detection.

Syntax
[no] loopback-detection

Default Setting
Disabled

Command Mode
Global Configuration
Interface Configuration (Ethernet, Port Channel)

Command Usage
Loopback detection must be enabled globally for the switch by this command and enabled for a specific interface for this function to take effect.
Command Usage
◆ When the response to a detected loopback condition is set to block user traffic, loopback detection control frames may be untagged or tagged depending on the port’s VLAN membership type.
◆ When the response to a detected loopback condition is set to block user traffic, ingress filtering for the port is enabled automatically if not already enabled by the switchport ingress-filtering command.
Command Usage
◆ When the loopback detection mode is changed, any ports placed in shutdown state by the loopback detection process will be immediately restored to operation regardless of the remaining recover time.
◆ If the recovery time is set to zero, all ports placed in shutdown state can be restored to operation using the loopback-detection release command. To restore a specific port, use the no shutdown command.
detect - Sends an SNMP trap message when a loopback condition is detected.
none - Does not send an SNMP trap for loopback detection or recovery.
recover - Sends an SNMP trap message when the switch recovers from a loopback condition.

Default Setting
None

Command Mode
Global Configuration

Command Usage
Refer to the loopback-detection recover-time command for information on conditions which constitute loopback recovery.
show loopback-detection
This command shows loopback detection configuration settings for the switch or for a specified interface.

Syntax
show loopback-detection [interface]
interface
ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number. (Range: 1-54)

Command Mode
Privileged Exec

Command Usage
Although global action may be set to None, this command will still display the configured Detection Port Admin State and Information Oper State.
16 UniDirectional Link Detection Commands

The switch can be configured to detect and disable unidirectional Ethernet fiber or copper links. When enabled, the protocol advertises a port’s identity and learns about its neighbors on a specific LAN segment; and stores information about its neighbors in a cache. It can also send out a train of echo messages under circumstances that require fast notifications or re-synchronization of the cached information.
Chapter 16 | UniDirectional Link Detection Commands

Command Usage
When a neighbor device is discovered by UDLD, the switch enters “detection state” and remains in this state for the specified detection-interval. After the detection-interval expires, the switch tries to decide whether or not the link is unidirectional based on the information collected during “detection state.
udld recovery
This command configures the switch to automatically recover from UDLD disabled port state after a period specified by the udld recovery-interval command. Use the no form to disable this feature.

Syntax
[no] udld recovery

Default Setting
Disabled

Command Mode
Global Configuration

Command Usage
When automatic recovery state is changed by this command, any ports shut down by UDLD will be reset.
Example
Console(config)#udld recovery-interval 15
Console(config)#

udld aggressive
This command sets UDLD to aggressive mode on an interface. Use the no form to restore the default setting.

Syntax
[no] udld aggressive

Default Setting
Disabled

Command Mode
Interface Configuration (Ethernet Port)

Command Usage
UDLD can function in two modes: normal mode and aggressive mode.
Example
This example enables UDLD aggressive mode on port 1.
Console(config)#interface ethernet 1/1
Console(config-if)#udld aggressive
Console(config-if)#

udld port
This command enables UDLD on a port. Use the no form to disable UDLD on an interface.
show udld
This command shows UDLD configuration settings and operational status for the switch or for a specified interface.

Syntax
show udld [interface interface]
interface
ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number.
Table 82: show udld - display description (Continued)
Field               Description
Recovery Interval   Shows the period after which to recover from UDLD disabled port state if automatic recovery is enabled
UDLD                Shows if UDLD is enabled or disabled on a port
Mode                Shows if UDLD is functioning in Normal or Aggressive mode
Oper State          Shows the UDLD operational state (Disabled, Link down, Link up, Advertisement, Detection, Disabled port, Advertisement - Single nei
17 Address Table Commands

These commands are used to configure the address table for filtering specified addresses, displaying current entries, clearing the table, or setting the aging time.
Chapter 17 | Address Table Commands

mac-address-table static
This command maps a static address to a port in a VLAN, and optionally designates the address as permanent, or to be deleted on reset. Use the no form to remove an address.

Syntax
mac-address-table static mac-address interface interface vlan vlan-id [action]
no mac-address-table static mac-address vlan vlan-id
mac-address - MAC address.
interface
ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number.
Example
Console(config)#mac-address-table static 00-e0-29-94-34-de interface ethernet 1/1 vlan 1 delete-on-reset
Console(config)#

clear mac-address-table dynamic
This command removes any learned entries from the forwarding database.

Default Setting
None

Command Mode
Privileged Exec

Example
Console#clear mac-address-table dynamic
Console#

show mac-address-
This command shows classes of entries in the bridge-forwarding database.
Command Usage
◆ The MAC Address Table contains the MAC addresses associated with each interface. Note that the Type field may include the following types:
  ■ Learn - Dynamic address entries
  ■ Config - Static entry
  ■ Security - Port Security
◆ The mask should be hexadecimal numbers (representing an equivalent bit mask) in the form xx-xx-xx-xx-xx-xx that is applied to the specified MAC address.
show mac-address-table count
This command shows the number of MAC addresses used and the number of available MAC addresses for the overall system or for an interface.

Syntax
show mac-address-table count interface interface
interface
ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number.
18 Spanning Tree Commands

This section includes commands that configure the Spanning Tree Algorithm (STA) globally for the switch, and commands that configure STA for the selected interface.
Chapter 18 | Spanning Tree Commands

Table 84: Spanning Tree Commands (Continued)
Command                             Function                                                Mode
spanning-tree spanning-disabled     Disables spanning tree for an interface                 IC
spanning-tree tc-prop-stop          Stops propagation of topology change information        IC
spanning-tree protocol-migration    Re-checks the appropriate BPDU format                   PE
show spanning-tree                  Shows spanning tree configuration for the common spanning tree (i.e.
spanning-tree forward-time
This command configures the spanning tree bridge forward time globally for this switch. Use the no form to restore the default.

Syntax
spanning-tree forward-time seconds
no spanning-tree forward-time
seconds - Time in seconds. (Range: 4 - 30 seconds) The minimum value is the higher of 4 or [(max-age / 2) + 1].
Command Usage
This command sets the time interval (in seconds) at which the root device transmits a configuration message.

Example
Console(config)#spanning-tree hello-time 5
Console(config)#

Related Commands
spanning-tree forward-time (441)
spanning-tree max-age (442)

spanning-tree max-age
This command configures the spanning tree bridge maximum age globally for this switch. Use the no form to restore the default.
spanning-tree mode
This command selects the spanning tree mode for this switch. Use the no form to restore the default.

Syntax
spanning-tree mode {stp | rstp | mstp}
no spanning-tree mode
stp - Spanning Tree Protocol (IEEE 802.1D)
rstp - Rapid Spanning Tree Protocol (IEEE 802.1w)
mstp - Multiple Spanning Tree (IEEE 802.
■ Be careful when switching between spanning tree modes. Changing modes stops all spanning-tree instances for the previous mode and restarts the system in the new mode, temporarily disrupting user traffic.
spanning-tree priority
This command configures the spanning tree priority globally for this switch. Use the no form to restore the default.

Syntax
spanning-tree priority priority
no spanning-tree priority
priority - Priority of the bridge.
Related Commands
mst vlan (448)
mst priority (447)
name (448)
revision (449)
max-hops (446)

spanning-tree transmission-limit
This command configures the minimum interval between the transmission of consecutive RSTP/MSTP BPDUs. Use the no form to restore the default.

Syntax
spanning-tree transmission-limit count
no spanning-tree transmission-limit
count - The transmission limit in seconds.
Command Usage
An MSTI region is treated as a single node by the STP and RSTP protocols. Therefore, the message age for BPDUs inside an MSTI region is never changed. However, each spanning tree instance within a region, and the internal spanning tree (IST) that connects these instances use a hop count to specify the maximum number of bridges that will propagate a BPDU. Each bridge decrements the hop count by one before passing on the BPDU.
mst vlan
This command adds VLANs to a spanning tree instance. Use the no form to remove the specified VLANs. Use the no form without any VLAN parameters to remove all VLANs.

Syntax
[no] mst instance-id vlan vlan-range
instance-id - Instance identifier of the spanning tree. (Range: 0-4094)
vlan-range - Range of VLANs. (Range: 1-4094)

Default Setting
none

Command Mode
MST Configuration

Command Usage
◆ Use this command to group VLANs into spanning tree instances.
Command Mode
MST Configuration

Command Usage
The MST region name and revision number (page 449) are used to designate a unique MST region. A bridge (i.e., spanning-tree compliant device such as this switch) can only belong to one MST region. And all bridges in the same region must be configured with the same MST instances.
spanning-tree bpdu-filter
This command allows you to avoid transmitting BPDUs on configured edge ports that are connected to end nodes. Use the no form to disable this feature.

Syntax
[no] spanning-tree bpdu-filter

Default Setting
Disabled

Command Mode
Interface Configuration (Ethernet, Port Channel)

Command Usage
◆ This command stops all Bridge Protocol Data Units (BPDUs) from being transmitted on configured edge ports to save CPU processing time.
auto-recovery - Automatically re-enables an interface after the specified interval.
interval - The time to wait before re-enabling an interface. (Range: 30-86400 seconds)

Default Setting
BPDU Guard: Disabled
Auto-Recovery: Disabled
Auto-Recovery Interval: 300 seconds

Command Mode
Interface Configuration (Ethernet, Port Channel)

Command Usage
◆ An edge port should only be connected to end nodes which do not generate BPDUs.
cost - The path cost for the port. (Range: 0 for auto-configuration, 1-65535 for short path cost method⁷, 1-200,000,000 for long path cost method)

Table 85: Recommended STA Path Cost Range
Port Type          Short Path Cost (IEEE 802.1D-1998)   Long Path Cost (IEEE 802.1D-2004)
Ethernet           50-600                               200,000-20,000,000
Fast Ethernet      10-60                                20,000-2,000,000
Gigabit Ethernet   3-10                                 2,000-200,000
10G Ethernet       1-5                                  200-20,000
40G Ethernet       1-65535¹                             20-2,000¹
1.
◆ Path cost takes precedence over port priority.
◆ When the path cost method (page 444) is set to short, the maximum value for path cost is 65,535.

Example
Console(config)#interface ethernet 1/5
Console(config-if)#spanning-tree cost 50
Console(config-if)#

spanning-tree edge-port
This command specifies an interface as an edge port. Use the no form to restore the default.
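One way to audit a saved configuration against the edge-port, BPDU filter and BPDU guard rules in this chapter, given as an added example that is not part of the guide or of EdgeCOS. The configuration excerpt is constructed, and the `spanning-tree bpdu-guard auto-recovery interval` line format is assumed from the parameter descriptions above.

```python
import re

# Allowed auto-recovery interval in seconds, as stated in the guide (30-86400).
GUARD_INTERVAL_RANGE = range(30, 86401)

# Constructed sample; the indented, "!"-separated block layout is an assumption.
SAMPLE_CONFIG = """\
interface ethernet 1/1
 spanning-tree edge-port
 spanning-tree bpdu-guard auto-recovery interval 300
!
interface ethernet 1/2
 spanning-tree edge-port
!
interface ethernet 1/3
 spanning-tree bpdu-filter
!
interface ethernet 1/4
 spanning-tree edge-port
 spanning-tree bpdu-guard auto-recovery interval 10
!
interface port-channel 1
 spanning-tree edge-port
 spanning-tree bpdu-guard
!
"""

IFACE_RE = re.compile(r"interface\s+(ethernet\s+\d+/\d+|port-channel\s+\d+)")


def parse_interfaces(config):
    """Map each interface name to the list of commands inside its block."""
    blocks, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        match = IFACE_RE.fullmatch(line)
        if match:
            current = re.sub(r"\s+", " ", match.group(1))
            blocks[current] = []
        elif line == "!" or not raw.startswith((" ", "\t")):
            current = None  # block separator or a new top-level command
        elif current is not None:
            blocks[current].append(re.sub(r"\s+", " ", line))
    return blocks


def audit_edge_ports(config):
    """Return (interface, finding) pairs for risky spanning-tree settings."""
    findings = []
    for name, cmds in parse_interfaces(config).items():
        edge = any(c.startswith("spanning-tree edge-port") for c in cmds)
        guard = [c for c in cmds if c.startswith("spanning-tree bpdu-guard")]
        bpdu_filter = "spanning-tree bpdu-filter" in cmds
        if edge and not guard:
            # BPDU guard defaults to disabled, so an edge port stays unprotected
            # if a bridge is later attached to it.
            findings.append((name, "edge port without BPDU guard"))
        if bpdu_filter and not edge:
            # The guide describes BPDU filter for configured edge ports only.
            findings.append((name, "BPDU filter on a port not set as edge port"))
        for cmd in guard:
            m = re.search(r"auto-recovery interval (\d+)", cmd)
            if m and int(m.group(1)) not in GUARD_INTERVAL_RANGE:
                findings.append(
                    (name, f"auto-recovery interval {m.group(1)} is outside 30-86400 seconds"))
    return findings


if __name__ == "__main__":
    for iface, finding in audit_edge_ports(SAMPLE_CONFIG):
        print(f"{iface}: {finding}")
```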
spanning-tree link-type
This command configures the link type for Rapid Spanning Tree and Multiple Spanning Tree. Use the no form to restore the default.

Syntax
spanning-tree link-type {auto | point-to-point | shared}
no spanning-tree link-type
auto - Automatically derived from the duplex mode setting.
point-to-point - Point-to-point link.
shared - Shared medium.
spanning-tree mst cost
This command configures the path cost on a spanning instance in the Multiple Spanning Tree. Use the no form to restore the default auto-configuration mode.

Syntax
spanning-tree mst instance-id cost cost
no spanning-tree mst instance-id cost
instance-id - Instance identifier of the spanning tree. (Range: 0-4094)
cost - Path cost for an interface.
spanning-tree mst port-priority
This command configures the interface priority on a spanning instance in the Multiple Spanning Tree. Use the no form to restore the default.

Syntax
spanning-tree mst instance-id port-priority priority
no spanning-tree mst instance-id port-priority
instance-id - Instance identifier of the spanning tree. (Range: 0-4094)
priority - Priority for an interface.
Command Mode
Interface Configuration (Ethernet, Port Channel)

Command Usage
◆ This command defines the priority for the use of a port in the Spanning Tree Algorithm. If the path cost for all ports on a switch is the same, the port with the highest priority (that is, lowest value) will be configured as an active link in the spanning tree.
◆ Where more than one port is assigned the highest priority, the port with the lowest numeric identifier will be enabled.
◆ Root Guard can be used to ensure that the root bridge is not formed at a suboptimal location. Root Guard should be enabled on any designated port connected to low-speed bridges which could potentially overload a slower link by taking over as the root port and forming a new spanning tree topology. It could also be used to form a border around part of the network where the root bridge is allowed.
Command Mode
Interface Configuration (Ethernet, Port Channel)

Command Usage
When this command is enabled on an interface, topology change information originating from the interface will still be propagated. This command should not be used on an interface which is purposely configured in a ring topology.
show spanning-tree
This command shows the configuration for the common spanning tree (CST), for all instances within the multiple spanning tree (MST), or for a specific instance within the multiple spanning tree (MST).

Syntax
show spanning-tree [interface | mst instance-id]
interface
ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number. (Range: 1-54)
port-channel channel-id (Range: 1-27)
instance-id - Instance identifier of the multiple spanning tree.
Root Hello Time (sec.)      : 2
Root Max. Age (sec.)        : 20
Root Forward Delay (sec.)   : 15
Max. Hops                   : 20
Remaining Hops              : 20
Designated Root             : 32768.0.0001ECF8D8C6
Current Root Port           : 21
Current Root Cost           : 100000
Number of Topology Changes  : 5
Last Topology Change Time (sec.
19 VLAN Commands

A VLAN is a group of ports that can be located anywhere in the network, but communicate as though they belong to the same physical segment. This section describes commands used to create VLAN groups, add port members, specify how VLAN tagging is used, and enable automatic VLAN registration for the selected interface.
Chapter 19 | VLAN Commands
Editing VLAN Groups

Table 88: Commands for Editing VLAN Groups
Command         Function                                                     Mode
vlan database   Enters VLAN database mode to add, change, and delete VLANs   GC
vlan            Configures a VLAN, including VID, name and state             VC

vlan database
This command enters VLAN database mode. All commands in this mode will take effect immediately.
vlan
This command configures a VLAN. Use the no form to restore the default settings or delete a VLAN.

Syntax
vlan vlan-id [name vlan-name] media ethernet [state {active | suspend}]
no vlan vlan-id [name | state]
vlan-id - VLAN ID, specified as a single number, a range of consecutive numbers separated by a hyphen, or multiple numbers separated by commas. (Range: 1-4094)
name - Keyword to be followed by the VLAN name.
Configuring VLAN Interfaces

Table 89: Commands for Configuring VLAN Interfaces
Command                             Function                                                    Mode
interface vlan                      Enters interface configuration mode for a specified VLAN   IC
switchport acceptable-frame-types   Configures frame types to be accepted by an interface       IC
switchport allowed vlan             Configures the VLANs associated with an interface           IC
switchport forbidden vlan           Configures forbidden VLANs for an interface                 IC
switchport ingress-filter
Example
The following example shows how to set the interface configuration mode to VLAN 1, and then assign an IP address to the VLAN:
Console(config)#interface vlan 1
Console(config-if)#ip address 192.168.1.254 255.255.255.0
Console(config-if)#

Related Commands
shutdown (359)
interface (356)
vlan (465)

switchport acceptable-frame-types
This command configures the acceptable frame types for a port. Use the no form to restore the default.
switchport allowed vlan
This command configures VLAN groups on the selected interface. Use the no form to restore the default.

Syntax
switchport allowed vlan {vlan-list | add vlan-list [tagged | untagged] | remove vlan-list}
no switchport allowed vlan
vlan-list - If a VLAN list is entered without using the add option, the interface is assigned to the specified VLANs, and membership in all previous VLANs is removed.
◆ If a VLAN on the forbidden list for an interface is manually added to that interface, the VLAN is automatically removed from the forbidden list for that interface.
switchport ingress-filtering
This command enables ingress filtering for an interface. Use the no form to restore the default.

Syntax
[no] switchport ingress-filtering

Default Setting
Disabled

Command Mode
Interface Configuration (Ethernet, Port Channel)

Command Usage
Ingress filtering only affects tagged frames.
trunk - Specifies a port as an end-point for a VLAN trunk. A trunk is a direct link between two switches, so the port transmits tagged frames that identify the source VLAN. Note that frames belonging to the port’s default VLAN (i.e., associated with the PVID) are also transmitted as tagged frames.

Default Setting
All ports are in hybrid mode with the PVID set to VLAN 1.
the PVID for an interface can be set to any VLAN for which it is an untagged member.
◆ If acceptable frame types is set to all or switchport mode is set to hybrid, the PVID will be inserted into all untagged frames entering the ingress port.
you only need to create these VLAN groups in switches A and B. Switches C, D and E automatically allow frames with VLAN group tags 1 and 2 (groups that are unknown to those switches) to pass through their VLAN trunking ports.
◆ To prevent loops from forming in the spanning tree, all unknown VLANs will be bound to a single instance (either STP/RSTP or an MSTP instance, depending on the selected STA mode).
Displaying VLAN Information

This section describes commands used to display VLAN information.

Table 90: Commands for Displaying VLAN Information
Command                      Function                                                             Mode
show interfaces status vlan  Displays status for the specified VLAN interface                     NE, PE
show interfaces switchport   Displays the administrative and operational status of an interface   NE, PE
show vlan                    Shows VLAN information                                               NE, PE

show vlan
This command shows VLAN information.
Configuring IEEE 802.1Q Tunneling

IEEE 802.1Q tunneling (QinQ tunneling) uses a single Service Provider VLAN (SPVLAN) for customers who have multiple VLANs. Customer VLAN IDs are preserved and traffic from different customers is segregated within the service provider’s network even when they use the same customer-specific VLAN IDs.
6. Configure the SPVLAN ID as the native VID on the QinQ tunnel access port (switchport native vlan).
7. Configure the QinQ tunnel uplink port to dot1Q-tunnel uplink mode (switchport dot1q-tunnel mode).
8. Configure the QinQ tunnel uplink port to join the SPVLAN as a tagged member (switchport allowed vlan).

Limitations for QinQ
◆ The native VLAN for the tunnel uplink ports and tunnel access ports cannot be the same.
dot1q-tunnel tpid
This command sets the Tag Protocol Identifier (TPID) value of a tunnel port. Use the no form to restore the default setting.

Syntax
dot1q-tunnel tpid tpid
no dot1q-tunnel tpid
tpid – Sets the ethertype value for 802.1Q encapsulation. This identifier is used to select a nonstandard 2-byte ethertype to identify 802.1Q tagged frames. The standard ethertype value is 0x8100.
switchport dot1q-tunnel mode
This command configures an interface as a QinQ tunnel port. Use the no form to disable QinQ on the interface.

Syntax
switchport dot1q-tunnel mode {access | uplink}
no switchport dot1q-tunnel mode
access – Sets the port as an 802.1Q tunnel access port.
uplink – Sets the port as an 802.1Q tunnel uplink port.
switchport dot1q-tunnel priority map

This command copies the inner tag priority to the outer tag priority. Use the no form to disable this feature.

Syntax
[no] switchport dot1q-tunnel priority map

Default Setting
Disabled

Command Mode
Interface Configuration (Ethernet, Port Channel)

Command Usage
When priority bits are found in the inner tag, these are also copied to the outer tag.
switchport dot1q-tunnel service match cvid

This command creates a CVLAN to SPVLAN mapping entry. Use the no form to delete a VLAN mapping entry.

Syntax
switchport dot1q-tunnel service svid match cvid cvid [remove-ctag]
no switchport dot1q-tunnel service [svid [match cvid cvid]]

svid - VLAN ID for the outer VLAN tag (Service Provider VID). (Range: 1-4094)
cvid - VLAN ID for the inner VLAN tag (Customer VID).
Example
This example sets the SVID to 99 in the outer tag for egress packets exiting port 1 when the packet’s CVID is 2.

Console(config)#interface ethernet 1/1
Console(config-if)#switchport dot1q-tunnel service 99 match cvid 2
Console(config-if)#

The following example maps C-VLAN 10 to S-VLAN 100, C-VLAN 20 to S-VLAN 200 and C-VLAN 30 to S-VLAN 300 for ingress traffic on port 1 of Switches A and B.
6. Configure port 1 as a member of VLANs 10, 20 and 30 to avoid filtering out incoming frames tagged with VID 10, 20 or 30 on port 1.

Console(config)#interface ethernet 1/1
Console(config-if)#switchport allowed vlan add 10,20,30

7. Verify configuration settings.

Console#show dot1q-tunnel service
802.
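The tagging described in this section, as an added Python example (not code from this guide or the switch software): a simplified model of a tunnel access port that pushes the outer SPVLAN tag chosen by the CVLAN to SPVLAN mapping, and a parser that shows what a receiver sees when its expected TPID does not match. The helper names, MAC addresses, the 0x88A8 tunnel TPID, native SVID 4000 and the fall-back to the native SVID for unmapped CVIDs are assumptions made for the illustration.

```python
"""QinQ (802.1Q tunneling) tag handling on a tunnel access port.

Added illustration; helper names and sample frames are constructed.
"""
import struct

STD_TPID = 0x8100  # standard 802.1Q ethertype named in the guide


def vlan_tag(tpid, vid, pcp=0, dei=0):
    """Build one 4-byte VLAN tag: TPID, then PCP(3) | DEI(1) | VID(12)."""
    if not 1 <= vid <= 4094:
        raise ValueError("VLAN ID out of range 1-4094: %r" % vid)
    if not 0 <= pcp <= 7:
        raise ValueError("priority out of range 0-7: %r" % pcp)
    return struct.pack("!HH", tpid, (pcp << 13) | (dei << 12) | vid)


def parse_tags(frame, outer_tpid=STD_TPID):
    """Return (tags, ethertype); tags are listed outermost first.

    Only the outermost tag may carry a nonstandard TPID (dot1q-tunnel tpid);
    inner customer tags are expected to use 0x8100.
    """
    tags, off, expected = [], 12, outer_tpid
    while True:
        if len(frame) < off + 2:
            raise ValueError("truncated frame")
        (etype,) = struct.unpack_from("!H", frame, off)
        if etype != expected:
            return tags, etype          # first non-tag ethertype ends parsing
        if len(frame) < off + 4:
            raise ValueError("truncated VLAN tag")
        (tci,) = struct.unpack_from("!H", frame, off + 2)
        tags.append({"tpid": etype, "pcp": tci >> 13,
                     "dei": (tci >> 12) & 1, "vid": tci & 0x0FFF})
        off += 4
        expected = STD_TPID


def access_ingress(frame, service_map, native_svid,
                   tunnel_tpid=STD_TPID, priority_map=False):
    """Push the service-provider tag the way a tunnel access port would.

    Simplified model: a CVID found in service_map selects its SVID; any
    other frame (untagged or unmapped) gets the port's native SVID.
    """
    ctags, _ = parse_tags(frame)                 # customer side: 0x8100
    cvid = ctags[0]["vid"] if ctags else None
    svid = service_map.get(cvid, native_svid)
    # "priority map": copy the inner tag priority to the outer tag
    pcp = ctags[0]["pcp"] if (ctags and priority_map) else 0
    return frame[:12] + vlan_tag(tunnel_tpid, svid, pcp) + frame[12:]


# Constructed sample data.
DST = bytes.fromhex("02aabbccdd01")
SRC = bytes.fromhex("02aabbccdd02")
SERVICE_MAP = {10: 100, 20: 200, 30: 300}   # mapping from the guide's example
NATIVE_SVID = 4000                          # constructed value


def customer_frame(cvid=None, pcp=0):
    """Customer frame carrying IPv4 (0x0800), optionally C-tagged."""
    ctag = vlan_tag(STD_TPID, cvid, pcp) if cvid is not None else b""
    return DST + SRC + ctag + struct.pack("!H", 0x0800) + b"\x00" * 46


if __name__ == "__main__":
    out = access_ingress(customer_frame(20, pcp=5), SERVICE_MAP, NATIVE_SVID,
                         tunnel_tpid=0x88A8, priority_map=True)
    print("matching TPID  :", parse_tags(out, outer_tpid=0x88A8))
    # A port still expecting 0x8100 sees no VLAN tag at all on this frame.
    print("mismatched TPID:", parse_tags(out))
```

The second call shows why both ends of a tunnel need the same TPID: with a mismatch the outer tag is not recognized and the frame is handled as untagged.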
Example
Console(config)#dot1q-tunnel system-tunnel-control
Console(config)#interface ethernet 1/1
Console(config-if)#switchport dot1q-tunnel mode access
Console(config-if)#interface ethernet 1/2
Console(config-if)#switchport dot1q-tunnel mode uplink
Console(config-if)#end
Console#show dot1q-tunnel
802.
Configuring L2CP Tunneling

This section describes the commands used to configure Layer 2 Protocol Tunneling (L2PT).
Command Usage
◆ Use this command to configure user-defined PDUs. Then use the switchport l2protocol-tunnel command to assign these PDUs to an interface.
◆ Refer to the Command Usage section for the l2protocol-tunnel tunnel-dmac command.
◆ For L2PT to function properly, QinQ must be enabled on the switch using the dot1q-tunnel system-tunnel-control command, and the interface configured to 802.
◆ L2PT encapsulates protocol packets entering ingress ports on the service provider’s edge switch, replacing the destination MAC address with a proprietary MAC address (for example, the spanning tree protocol uses 10-12-CF-00-00-02), a reserved address for other specified protocol types (as defined in IEEE 802.1ad – Provider Bridges), or a user-defined address.
(a) all access ports for which L2PT has been disabled, and (b) all uplink ports.

■ other access ports for which L2PT is enabled after decapsulating the packet and restoring the proper protocol and MAC address information.
■ all uplink ports.

◆ When a Cisco-compatible L2PT packet is received on an access port, and
■ recognized as a Generic Bridge PDU Tunneling (GBPT) protocol packet (i.e.
switchport l2protocol-tunnel

This command enables Layer 2 Protocol Tunneling (L2PT) for the specified protocol. Use the no form to disable L2PT for the specified protocol.

Syntax
switchport l2protocol-tunnel {cdp | custom-pdu index | lldp | pvst+ | spanning-tree | vtp}

cdp - Cisco Discovery Protocol
custom-pdu - User defined PDU
index - Identifies a custom PDU defined with the l2protocol-tunnel custom-pdu command.
show l2protocol-tunnel

This command shows settings for Layer 2 Protocol Tunneling (L2PT).

Command Mode
Privileged Exec

Example
Console#show l2protocol-tunnel
Layer 2 Protocol Tunnel
Tunnel MAC Address : 01-12-CF-00-00-00
Interface Protocol
---------------------------------------------------------
Eth 1/ 1 Spanning Tree
Console#

Configuring VxLAN Tunneling

This section describes the commands used to configure Virtual Extensible LAN (VxLAN) tunneling.
packet is stripped of its encapsulating headers and passed on to the destination VM. In addition to forwarding the packet to the destination VM, the remote VTEP learns the mapping from inner source MAC to outer source IP address. It stores this mapping in the bridge lookup table so that when the destination VM sends a response packet, there is no need for “unknown destination” flooding of the response packet.
Table 93: VxLAN Tunneling Commands (Continued)

Command                   Function                                                                                           Mode
debug vxlan               Enables specified debug flag                                                                       PE
show mac-address-table    Shows MAC address entries for VXLAN VNI                                                            PE
show vxlan udp-dst-port   Shows the VXLAN UDP destination port                                                               PE
show vxlan vtep           Shows the remote VXLAN tunnel endpoint (VTEP)                                                      PE
show vxlan flood          Shows the remote VXLAN tunnel endpoint (VTEP) used when received packet fails bridge table lookup  PE
show vxlan v
VXLAN UDP Destination Port: 4933
Console#

vxlan flood

This command configures the remote VxLAN tunnel endpoint (VTEP) used when a received packet fails bridge table lookup. Use the no form to restore the default setting.
◆ Each VNI can be assigned to only one VLAN (using the vxlan vlan vni command); and each VLAN can be assigned a maximum of one VNI. Multiple remote VTEPs can be configured to flood packets on the same VNI.
◆ If a VNI is already configured to flood by multicast, you can still add a remote VTEP. If a VNI is already configured to flood to a remote VTEP, you can still configure it to flood by multicast.
Example
Console(config)#vxlan vlan 1 vni 16777
Console(config)#end
Console#show vxlan vlan-vni
VLAN VNI
---- -------
1    16777
Console#

debug vxlan

This command enables the specified debug flag. Use the no form to disable the specified flag.

Syntax
[no] debug vxlan {database | event | vni | vtep | all}

database - Enables database debugging.
event - Enables event debugging.
vni - Enables VNI debugging.
vtep - Enables VTEP debugging.
This example shows the type of debug information that would be displayed for an error on a VNI.

Console#debug vxlan vni
Console#con
Console(config)#vxlan vlan 2 vni 1001
Console(config)#vxlan vlan 2 vni 1002
23:19:2: VXLAN: (1805) VLAN 2 is assigned to VNI 1001
Failed to associate VLAN 2 with VNI 1002.
Console(config)#

This example shows the type of debug information that would be displayed to trace internal VXLAN information on a VTEP.
show vxlan vtep

This command shows the remote VxLAN tunnel endpoint (VTEP).

Syntax
show vxlan vtep

Command Mode
Privileged Exec

Example
Console#show vxlan vtep
VNI      SIP             R-VTEP          Port
-------- --------------- --------------- -------
12345678 101.101.101.101 202.202.202.202 Eth 1/11
3        101.101.202.202 201.201.201.
show vxlan vlan-vni

This command shows the VLAN ID associated with a virtual network identifier (VNI).

Syntax
show vxlan vlan-vni [vid]

vid - The VLAN associated with this VNI.

Command Mode
Privileged Exec

Example
Console#show vxlan vlan-vni
VLAN VNI
---- -------
1    10
2    200
3    123
Console#show vxlan vlan-vni 3
VLAN VNI
---- -------
3    123
Console#

show debug vxlan

This command shows the VxLAN debug settings.
20 Class of Service Commands

The commands described in this section allow you to specify which data packets have greater precedence when traffic is buffered in the switch due to congestion. This switch supports CoS with eight priority queues for each port. Data packets in a port’s high-priority queue will be transmitted before those in the lower-priority queues.
Priority Commands (Layer 2)

queue mode

This command sets the scheduling mode used for processing each of the class of service (CoS) priority queues. The options include strict priority, Weighted Round-Robin (WRR), or a combination of strict and weighted queuing. Use the no form to restore the default value.
◆ Service time is shared at the egress ports by defining scheduling weights for WRR, or for the queuing mode that uses a combination of strict and weighted queuing. Service time is allocated to each queue by calculating a precise number of bytes per second that will be serviced on each round.
◆ The specified queue mode applies to all interfaces.
Example
The following example shows how to assign round-robin weights of 1 - 4 to the CoS priority queues 0 - 7.

Console(config)#queue weight 1 2 3 4 5 6 7 8
Console(config)#

Related Commands
queue mode (500)
show queue weight (503)

switchport priority default

This command sets a priority for incoming untagged frames. Use the no form to restore the default value.
Example
The following example shows how to set a default priority on port 3 to 5:

Console(config)#interface ethernet 1/3
Console(config-if)#switchport priority default 5
Console(config-if)#

Related Commands
show interfaces switchport (372)

show queue mode

This command shows the current queue mode.

Command Mode
Privileged Exec

Example
Console#show queue mode
Unit Port queue mode
--------------------
1    1    Weighted Round Robin
. . .
Priority Commands (Layer 3 and 4)

This section describes commands used to configure Layer 3 and 4 traffic priority mapping on the switch.
qos map phb-queue

This command determines the hardware output queues to use based on the internal per-hop behavior value. Use the no form to restore the default settings.

Syntax
qos map phb-queue queue-id from phb0 ... phb7
no map phb-queue phb0 ... phb7

phb - Per-hop behavior, or the priority used for this router hop. (Range: 0-7)
queue-id - The ID of the priority queue.
cfi - Canonical Format Indicator. Set this parameter to “0” to indicate that the MAC address information carried in the frame is in canonical format. (Range: 0-1)

DEFAULT SETTING.
qos map default-drop-precedence

This command maps the internal per-hop behavior (based on packet priority) to a default drop precedence for internal processing of untagged packets. Use the no form to restore the default settings.

Syntax
qos map default-drop-precedence drop-precedence from phb0 ... phb7
no map default-drop-precedence phb0 ... phb7

drop-precedence - Drop precedence used for controlling traffic congestion.
qos map dscp-cos

This command maps internal per-hop behavior and drop precedence value pairs to CoS/CFI values used in tagged egress packets on a Layer 2 interface. Use the no form to restore the default settings.

Syntax
qos map dscp-cos cos-value cfi-value from phb0 drop-precedence0 ... phb7 drop-precedence7
no map ip dscp phb0 drop-precedence0 ... phb7 drop-precedence7

cos-value - CoS value in ingress packets.
Example
Console(config)#interface ethernet 1/5
Console(config-if)#qos map dscp-cos 1 0 from 1 2
Console(config-if)#

qos map dscp-mutation

This command maps DSCP values in incoming packets to per-hop behavior and drop precedence values for priority processing. Use the no form to restore the default settings.

Syntax
qos map dscp-mutation phb drop-precedence from dscp0 ... dscp7
no qos map dscp-mutation dscp0 ...
Command Usage
◆ Enter a value pair for the internal per-hop behavior and drop precedence, followed by the keyword “from” and then up to eight DSCP values separated by spaces.
◆ This map is only used when the QoS mapping mode is set to “DSCP” by the qos map trust-mode command, and the ingress packet type is IPv4.
Command Usage
◆ This mapping table is only used if the protocol type of the arriving packet is TCP or UDP.

Example
Console(config)#interface ethernet 1/5
Console(config-if)#qos map ip-port-dscp tcp 21 to 1 0
Console(config-if)#

qos map ip-prec-dscp

This command maps IP precedence values in incoming packets to per-hop behavior and drop precedence values for priority processing. Use the no form to restore the default settings.
qos map trust-mode

This command sets QoS mapping to DSCP or CoS. Use the no form to restore the default setting.

Syntax
qos map trust-mode {cos | dscp | ip-prec}
no qos map trust-mode

cos - Sets the QoS mapping mode to CoS.
dscp - Sets the QoS mapping mode to DSCP.
ip-prec - Sets the QoS mapping mode to IP Precedence.
show qos map cos-dscp

This command shows ingress CoS/CFI to internal DSCP map.

Syntax
show qos map cos-dscp interface interface

interface
  ethernet unit/port
    unit - Unit identifier. (Range: 1)
    port - Port number. (Range: 1-54)
  port-channel channel-id (Range: 1-27)

Command Mode
Privileged Exec

Example
Console#show qos map cos-dscp interface ethernet 1/5
CoS Information of Eth 1/5
CoS-DSCP map.
Example
Console#show qos map default-drop-precedence interface ethernet 1/5
Information of Eth 1/5
default-drop-precedence map:
phb:   0 1 2 3 4 5 6 7
-------------------------------------------------------
color: 0 0 0 0 0 0 0 0
Console#

show map dscp-cos

This command shows the internal DSCP to egress CoS map, which converts internal PHB/Drop Precedence to CoS values.
show qos map dscp-mutation

This command shows the ingress DSCP to internal DSCP map.

Syntax
show qos map dscp-mutation interface interface

interface
  ethernet unit/port
    unit - Unit identifier. (Range: 1)
    port - Port number.
Command Mode
Privileged Exec

Command Usage
The IP Port-to-DSCP mapping table is only used if the protocol type of the arriving packet is TCP or UDP.
show qos map phb-queue

This command shows internal per-hop behavior to hardware queue map.

Syntax
show qos map phb-queue interface interface

interface
  ethernet unit/port
    unit - Unit identifier. (Range: 1)
    port - Port number.
21 Quality of Service Commands

The commands described in this section are used to configure Differentiated Services (DiffServ) classification criteria and service policies. You can classify traffic based on access lists, IP Precedence or DSCP values, or VLANs. Using access lists allows you to select traffic based on Layer 2, Layer 3, or Layer 4 information contained in each packet.
To create a service policy for a specific category of ingress traffic, follow these steps:

1. Use the class-map command to designate a class name for a specific category of traffic, and enter the Class Map configuration mode.
2. Use the match command to select a specific type of traffic based on an access list, an IPv4 DSCP value, IPv4 Precedence value, a VLAN, or a CoS value.
3.
◆ One or more class maps can be assigned to a policy map (page 523). The policy map is then bound by a service policy to an interface (page 533). A service policy defines packet classification, service tagging, and bandwidth policing. Once a policy map has been bound to an interface, no additional class maps may be added to the policy map, nor any changes made to the assigned class maps with the match or set commands.
cos - A Class of Service value. (Range: 0-7)
dscp - A Differentiated Service Code Point value. (Range: 0-63)
ip-precedence - An IP Precedence value. (Range: 0-7)
vlan - A VLAN. (Range: 1-4094)

Default Setting
None

Command Mode
Class Map Configuration

Command Usage
◆ First enter the class-map command to designate a class map and enter the Class Map configuration mode.
This example creates a class map called “rd-class#3,” and sets it to match packets marked for VLAN 1.

Console(config)#class-map rd-class#3 match-any
Console(config-cmap)#match vlan 1
Console(config-cmap)#

rename

This command redefines the name of a class map or policy map.

Syntax
rename map-name

map-name - Name of the class map or policy map.
◆ Create a Class Map (page 523) before assigning it to a Policy Map.

Example
This example creates a policy called “rd-policy,” uses the class command to specify the previously defined “rd-class,” uses the set command to classify the service that incoming packets will receive, and then uses the police flow command to limit the average bandwidth to 100,000 Kbps, the burst rate to 4000 bytes, and configure the response to drop any violating packets.
Example
This example creates a policy called “rd-policy,” uses the class command to specify the previously defined “rd-class,” uses the set phb command to classify the service that incoming packets will receive, and then uses the police flow command to limit the average bandwidth to 100,000 Kbps, the burst rate to 4,000 bytes, and configure the response to drop any violating packets.
committed-rate option. Note that the token bucket functions similarly to that described in RFC 2697 and RFC 2698.
◆ The behavior of the meter is specified in terms of one token bucket (C), the rate at which the tokens are incremented (CIR – Committed Information Rate), and the maximum size of the token bucket (BC – Committed Burst Size). The token bucket C is initially full, that is, the token count Tc(0) = BC.
committed-burst - Committed burst size (BC) in bytes. (Range: 0-524288 bytes)
excess-burst - Excess burst size (BE) in bytes. (Range: 1000-128000000 bytes)
conform-action - Action to take when rate is within the CIR and BC. (There are enough tokens in bucket BC to service the packet, packet is set green).
exceed-action - Action to take when rate exceeds the CIR and BC but is within the BE.
The token buckets C and E are initially full, that is, the token count Tc(0) = BC and the token count Te(0) = BE. Thereafter, the token counts Tc and Te are updated CIR times per second as follows:
■ If Tc is less than BC, Tc is incremented by one, else
■ if Te is less than BE, Te is incremented by one, else
■ neither Tc nor Te is incremented.
police trtcm-color

This command defines an enforcer for classified traffic based on a two rate three color meter (trTCM). Use the no form to remove a policer.

Syntax
[no] police {trtcm-color-blind | trtcm-color-aware} committed-rate committed-burst peak-rate peak-burst conform-action {transmit | new-dscp} exceed-action {drop | new-dscp} violate-action {drop | new-dscp}

trtcm-color-blind - Two rate three color meter in color-blind mode.
◆ The PHB label is composed of five bits, three bits for per-hop behavior, and two bits for the color scheme used to control queue congestion. A packet is marked red if it exceeds the PIR. Otherwise it is marked either yellow or green depending on whether it exceeds or doesn't exceed the CIR. The trTCM is useful for ingress policing of a service, where a peak rate needs to be enforced separately from a committed rate.
◆ The meter operates in one of two modes.
to 6000, to remark any packets exceeding the committed burst size, and to drop any packets exceeding the peak information rate.
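The srTCM and trTCM descriptions above, carried through as an added Python example (not code from this guide or the switch software): both meters in color-blind mode, following RFC 2697 and RFC 2698, run over one constructed burst so the green, yellow and red decisions can be compared. The class and function names, the rates, burst sizes and arrival times are constructed, and the conversion of Kbps to bytes per millisecond is an assumption.

```python
"""Color-blind srTCM (RFC 2697) and trTCM (RFC 2698) meters.

Added illustration, not the switch's implementation. Rates are in Kbps and
bursts in bytes, as in the police commands; time is in milliseconds.
Assumption: 1 Kbps = 1000 bit/s, i.e. kbps / 8 bytes per millisecond.
"""

GREEN, YELLOW, RED = "green", "yellow", "red"


class SrTcm:
    """Single rate three color meter: one rate (CIR), buckets C and E."""

    def __init__(self, cir_kbps, bc, be):
        self.rate = cir_kbps / 8.0                  # bytes per millisecond
        self.bc, self.be = bc, be
        self.tc, self.te = float(bc), float(be)     # Tc(0) = BC, Te(0) = BE
        self.last_ms = 0

    def meter(self, now_ms, size):
        # New tokens fill bucket C first; only the overflow goes to E.
        new = (now_ms - self.last_ms) * self.rate
        self.last_ms = now_ms
        to_c = min(new, self.bc - self.tc)
        self.tc += to_c
        self.te = min(self.be, self.te + new - to_c)
        if self.tc >= size:                         # within CIR and BC
            self.tc -= size
            return GREEN
        if self.te >= size:                         # beyond BC, within BE
            self.te -= size
            return YELLOW
        return RED                                  # beyond BE


class TrTcm:
    """Two rate three color meter: CIR/BC bucket C and PIR/BP bucket P."""

    def __init__(self, cir_kbps, bc, pir_kbps, bp):
        self.cir, self.pir = cir_kbps / 8.0, pir_kbps / 8.0
        self.bc, self.bp = bc, bp
        self.tc, self.tp = float(bc), float(bp)     # both buckets start full
        self.last_ms = 0

    def meter(self, now_ms, size):
        # The two buckets refill independently, each at its own rate.
        dt = now_ms - self.last_ms
        self.last_ms = now_ms
        self.tc = min(self.bc, self.tc + dt * self.cir)
        self.tp = min(self.bp, self.tp + dt * self.pir)
        if self.tp < size:                          # exceeds the PIR
            return RED
        self.tp -= size
        if self.tc < size:                          # exceeds the CIR only
            return YELLOW
        self.tc -= size
        return GREEN


def police(meter, arrivals, conform="transmit", exceed="new-dscp",
           violate="drop"):
    """Meter (time_ms, size_bytes) arrivals; return (color, action) pairs.

    The action names mirror the conform-action, exceed-action and
    violate-action keywords of the police commands.
    """
    action = {GREEN: conform, YELLOW: exceed, RED: violate}
    result = []
    for now_ms, size in arrivals:
        color = meter.meter(now_ms, size)
        result.append((color, action[color]))
    return result


# Constructed traffic: eight back-to-back 1500-byte packets, then two later.
BURST = [(0, 1500)] * 8 + [(2, 1500), (10, 1500)]

if __name__ == "__main__":
    print("srTCM:", police(SrTcm(8000, 4000, 6000), BURST))
    print("trTCM:", police(TrTcm(8000, 4000, 16000, 6000), BURST))
```

With the same committed rate and bursts, the srTCM lets four packets through as yellow before marking red, while the trTCM marks red as soon as the peak bucket is empty.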
set phb

This command services IP traffic by setting a per-hop behavior value for a matching packet (as specified by the match command) for internal processing. Use the no form to remove this setting.

Syntax
[no] set phb phb-value

phb-value - Per-hop behavior value.
service-policy

This command applies a policy map defined by the policy-map command to the ingress or egress side of a particular interface. Use the no form to remove this mapping.

Syntax
[no] service-policy {input | output} policy-map-name

input - Apply to the input traffic.
output - Apply to the output traffic.
policy-map-name - Name of the policy map for this interface. (Range: 1-32 characters)

Default Setting
No policy map is attached to an interface.
Example
Console#show class-map
Class Map match-any rd-class#1
 Description:
 Match IP DSCP 10
 Match access-list rd-access
 Match IP DSCP 0

Class Map match-any rd-class#2
 Match IP Precedence 5

Class Map match-any rd-class#3
 Match VLAN 1

Console#

show policy-map

This command displays the QoS policy maps which define classification criteria for incoming traffic, and may include policers for bandwidth limitations.
show policy-map interface

This command displays the service policy assigned to the specified interface.

Syntax
show policy-map interface interface {input | output}

interface unit/port
  unit - Unit identifier. (Range: 1)
  port - Port number. (Range: 1-54)
port-channel channel-id (Range: 1-27)
input - Apply to the input traffic.
output - Apply to the output traffic.
22 Data Center Bridging Commands

Fibre Channel was developed as a dedicated fabric that loses little to no packets, and was not designed to work on an unreliable network. For this reason, a set of standards termed Data Center Bridging (DCB) has been developed to increase the reliability of Ethernet-based networks in the data center. DCB consists of four different technologies: DCB Exchange (DCBX), Priority-based Flow Control (PFC), Enhanced Transmission Selection (ETS), and Congestion Notification (CN).
DCB Exchange Commands

dcbx

This command enables DCBX on the selected interface. Use the no form to disable DCBX.

Syntax
[no] dcbx

Default Setting
Enabled

Command Mode
Interface Configuration (Ethernet, Port Channel)

Command Usage
DCBX is normally deployed in FCoE topologies to support lossless operation for FCoE traffic. In these scenarios, all network elements are DCBX enabled. LLDP is also enabled on any port configured to use DCBX.
configuration source. Selection of a port based upon compatibility of the received configuration is suppressed.

auto-up – In auto-upstream mode, the port advertises a configuration, but it is also willing to accept a configuration from the link-partner and propagate it internally to the auto-downstream ports, as well as receive a configuration propagated internally by other auto-upstream ports.
◆ On a port set to manual mode, only locally configured settings are used to construct DCBX TLVs. On these ports, the operational mode, traffic classes, and bandwidth information must be specified by the operator. These ports advertise their configuration to their peer if DCBX is enabled on that port. Any incompatible peer configurations received on these ports are logged and an error counter incremented.
Priority-based Flow Control Commands

Priority-based Flow Control (PFC) is used to reduce frame loss due to congestion by inhibiting the transmission of frames based on individual traffic classes. PFC can pause high priority traffic only when necessary to avoid dropping frames, while allowing traditional traffic assigned other priorities to continue flowing through an interface.
pfc mode

Use this command to set the PFC mode to negotiate capability through DCBX or by forcing it to the on state. Use the no form to disable this feature.

Syntax
pfc mode {auto | on}
no pfc mode

auto – Negotiates PFC capability using DCBX. The operational capability of PFC depends on the result of DCBX negotiations.
pfc priority

Use this command to enable PFC for specified priorities. Use the no form to disable PFC for specified priorities.

Syntax
[no] pfc priority enable priority-list

priority-list – Priority identifier, specified as a single number, a range of consecutive numbers separated by a hyphen, or multiple numbers separated by commas.
Default Setting
None

Command Mode
Privileged Exec

Example
This example clears PFC statistics on all interfaces.

Console#clear pfc statistics
Console#

show pfc

Use this command to show PFC configuration settings.

Syntax
show pfc [interface interface]

interface
  ethernet unit/port
    unit - Unit identifier. (Range: 1)
    port - Port number.
show pfc statistics

Use this command to show PFC statistics for the number of PFC frames received and transmitted for each priority.

Syntax
show pfc statistics [interface interface]

interface
  ethernet unit/port
    unit - Unit identifier. (Range: 1)
    port - Port number.
Enhanced Transmission Selection Commands

Table 107: ETS Commands

Command                Function                                                                              Mode
ets mode               Sets the ETS mode to negotiate capability through DCBX or by forcing it to on state   IC
traffic-class algo     Sets the queue scheduling algorithm assigned to a traffic class group                 IC
traffic-class map      Maps a given priority to a traffic class group                                        IC
traffic-class weight   Configures the bandwidth allocation for all TCGs                                      IC
show ets mapping       Displays priority t
Command Mode
Interface Configuration (Ethernet, Port Channel)

Command Usage
◆ Operator configuration of ETS is used only when the port is configured in DCBX manual mode. When interoperating with other equipment in manual mode, the peer equipment must be configured with identical ETS TCG queuing algorithm, priority queue mapping, and minimum bandwidth requirements.
Example
The following example sets the traffic-class algorithm for port 5 to use ETS.

Console(config)#interface ethernet 1/5
Console(config-if)#traffic-class algo ets
Console(config-if)#

traffic-class map

Use this command to map a given priority to a traffic class group (TCG). Use the no form to restore the default mapping for a priority value.
traffic-class weight

Use this command to configure the bandwidth allocation for all TCGs on an interface. Use the no form to restore the default settings.

Syntax
traffic-class weight weight1 weight2 weight3
no traffic-class weight

weight1~3 - The percentage of bandwidth assigned to each TCG.
show ets mapping

Use this command to display the mapping from IEEE 802.1p priorities to the traffic class groups (TCGs).

Syntax
show ets mapping [interface interface]

interface
  ethernet unit/port
    unit - Unit identifier. (Range: 1)
    port - Port number. (Range: 1-54)
  port-channel channel-id (Range: 1-27)

Command Mode
Privileged Exec

Example
This example shows both the locally configured settings, and current operational settings.
show ets weight

Use this command to display the bandwidth allocation for selected TCGs.

Syntax
show ets weight [interface interface]

interface
  ethernet unit/port
    unit - Unit identifier. (Range: 1)
    port - Port number. (Range: 1-54)
  port-channel channel-id (Range: 1-27)

Command Mode
Privileged Exec

Example
This example shows both the locally configured settings, and current operational settings.
Congestion Notification Commands

its congested state and that the rate of the flow entering the network should be reduced. Upon receiving the CN messages, rate limiting is initiated as close as possible to the source of the congestion. This alleviates the congestion at the network core and stops it from spreading through the network.
The QCN algorithm is composed of the following two parts:

1. Congestion Point (CP) Algorithm: This is the mechanism by which a congested bridge or end station buffer samples outgoing frames and generates a feedback message (CNM – Congestion Notification Message) addressed to the source of the sampled frame. The feedback message contains information about the extent of congestion at the CP.
2.
cn

Use this command to enable congestion notification for all ports on the switch. Use the no form to disable congestion notification on the switch.
Example
The following example sets the CNM transmit priority to 1.

Console(config)#cn cnm-transmit-priority 1
Console(config)#

cn cnpv

Use this command to set a dot1p priority to be a Congestion Notification Priority Value (CNPV). Use the no form to change a CNPV back to a dot1p priority value.

Syntax
[no] cn cnpv cnpv-priority

cnpv-priority - CNPV assigned to Congestion Control Flows (CFF) on this port.
cn cnpv alternate-priority (Global Configuration)

Use this command to configure the alternate priority used to remark a received frame when its dot1p priority is equal to the CNPV when the defense mode is other than auto. Use the no form to restore the default setting.

Syntax
cn cnpv cnpv-priority alternate-priority priority
no cn cnpv cnpv-priority alternate-priority

cnpv-priority - CN priority value.
cn cnpv defense-mode (Global Configuration)

Use this command to configure the defense mode for a CNPV, determining whether CN is enabled or not, and if enabled, whether the port remarks the CNPV to a non-CNPV value on input, and whether the port removes CN-tags on output. Use the no form to restore the default settings.
◆ Under the interior-ready option, on this port and for this CNPV, the priority parameters of input frames are not remapped to another value, and no priority value is remapped to this CNPV, regardless of the priority regeneration table. CN-TAGs are not removed from frames by the switch.

Example
The following example sets the defense mode to edge for CNPV 2.
cn cnpv defense-mode (Interface Configuration)
Use this command to configure the defense mode for a CNPV, determining whether CN is enabled or not, and if enabled, whether the port remarks the CNPV to a non-CNPV value on input, and whether the port removes CN-tags on output. Use the no form to restore the default settings.
Example
This example shows the global settings for congestion notification, and the number of discarded frames.

Console#show cn
Congestion Notification Global Information
 Admin Status           : Enabled
 Oper Status            : Enabled
 CNM Transmit Priority  : 1
 Total Discarded Frames : 0
Console#

show cn cnpv
Use this command to show CNPV information, including the defense mode and alternate priority.
show cn cp
Use this command to show functional settings and status for the specified CP.

Syntax
show cn cp interface index index

interface
  ethernet unit/port
    unit - Unit identifier. (Range: 1)
    port - Port number. (Range: 1-54)
  port-channel channel-id (Range: 1-27)
index - Congestion Point index. (Range: 0-1)

Command Mode
Privileged Exec

Example
This example shows information for CP 0 on port 5.
Table 109: show cn cp - display description (Continued)

Field            Description
Set Point        The set-point for the queue. This is the target number of octets in the CP’s queue. (Default: 26000)
Feedback Weight  Variable used in calculation of Quantized Feedback and New Sample Base. If the queue length is moving toward the set point, the feedback weight will be closer to 0 than if the queue length is moving away from the set point.
23 Multicast Filtering Commands

This switch uses IGMP (Internet Group Management Protocol) to check for any attached hosts that want to receive a specific multicast service. It identifies the ports containing hosts requesting a service and sends data out to those ports only. It then propagates the service request up to any neighboring multicast switch/router to ensure that it will continue to receive the multicast service.
Chapter 23 | Multicast Filtering Commands IGMP Snooping

IGMP Snooping
This section describes commands used to configure IGMP snooping on the switch.
Table 111: IGMP Snooping Commands (Continued)

Command                                  Function                                                                                       Mode
ip igmp snooping vlan static             Adds an interface as a member of a multicast group                                             GC
ip igmp snooping vlan version            Configures the IGMP version for snooping                                                       GC
ip igmp snooping vlan version-exclusive  Discards received IGMP messages which use a version different to that currently configured    GC
clear ip igmp snooping groups dynamic    Clears multicast group information dynamicall
Example
The following example enables IGMP snooping globally.

Console(config)#ip igmp snooping
Console(config)#

ip igmp snooping priority
This command assigns a priority to all multicast traffic. Use the no form to restore the default setting.

Syntax
ip igmp snooping priority priority
no ip igmp snooping priority

priority - The CoS priority assigned to all multicast traffic.
ip igmp snooping proxy-reporting
This command enables IGMP Snooping with Proxy Reporting. Use the no form to restore the default setting.

Syntax
[no] ip igmp snooping proxy-reporting
ip igmp snooping vlan vlan-id proxy-reporting {enable | disable}
no ip igmp snooping vlan vlan-id proxy-reporting

vlan-id - VLAN ID (Range: 1-4094)
enable - Enable on the specified VLAN.
disable - Disable on the specified VLAN.
Command Usage
◆ IGMP snooping querier is not supported for IGMPv3 snooping (see ip igmp snooping version).
◆ If enabled, the switch will serve as querier if elected. The querier is responsible for asking hosts if they want to receive multicast traffic.

Example
Console(config)#ip igmp snooping querier
Console(config)#

ip igmp snooping router-alert-option-
This command discards any IGMPv2/v3 packets that do not include the Router Alert option.
ip igmp snooping router-port-expire-time
This command configures the querier timeout. Use the no form to restore the default.

Syntax
ip igmp snooping router-port-expire-time seconds
no ip igmp snooping router-port-expire-time

seconds - The time the switch waits after the previous querier stops before it considers it to have expired.
◆ If a topology change notification (TCN) is received, and all the uplink ports are subsequently deleted, a timeout mechanism is used to delete all of the currently learned multicast channels.
◆ When a new uplink port starts up, the switch sends unsolicited reports for all current learned channels out through the new uplink port.
When an upstream multicast router receives this solicitation, it will also immediately issue an IGMP general query.
◆ The ip igmp snooping tcn query-solicit command can be used to send a query solicitation whenever it notices a topology change, even if the switch is not the root bridge in the spanning tree.
ip igmp snooping unsolicited-report-interval
This command specifies how often the upstream interface should transmit unsolicited IGMP reports when proxy reporting is enabled. Use the no form to restore the default value.

Syntax
ip igmp snooping unsolicited-report-interval seconds
no ip igmp snooping version-exclusive

seconds - The interval at which to issue unsolicited reports.
Command Mode
Global Configuration

Command Usage
◆ This command configures the IGMP report/query version used by IGMP snooping. Versions 1 - 3 are all supported, and versions 2 and 3 are backward compatible, so the switch can operate with other devices, regardless of the snooping version employed.
◆ If the IGMP snooping version is configured on a VLAN, this setting takes precedence over the global configuration.
ip igmp snooping vlan general-query-suppression
This command suppresses general queries except for ports attached to downstream multicast hosts. Use the no form to flood general queries to all ports except for the multicast router port.
The router/querier stops forwarding traffic for that group only if no host replies to the query within the timeout period. (The timeout for this release is currently defined by Last Member Query Interval (fixed at one second) * Robustness Variable (fixed at 2) as defined in RFC 2236.)
◆ If immediate-leave is used, the switch assumes that only one host is connected to the interface.
Example
Console(config)#ip igmp snooping vlan 1 last-memb-query-count 7
Console(config)#

ip igmp snooping vlan last-memb-query-
This command configures the last-member-query interval. Use the no form to restore the default.
ip igmp snooping vlan mrd
This command enables sending of multicast router solicitation messages. Use the no form to disable these messages.
ip igmp snooping vlan proxy-address
This command configures a static source address for locally generated query and report messages used by IGMP proxy reporting. Use the no form to restore the default source address.

Syntax
[no] ip igmp snooping vlan vlan-id proxy-address source-address

vlan-id - VLAN ID (Range: 1-4094)
source-address - The source address used for proxied IGMP query, report, and leave messages.
Example
The following example sets the source address for proxied IGMP query messages to 10.0.1.8.

Console(config)#ip igmp snooping vlan 1 proxy-address 10.0.1.8
Console(config)#

ip igmp snooping vlan query-interval
This command configures the interval between sending IGMP general queries. Use the no form to restore the default.
ip igmp snooping vlan query-resp-intvl
This command configures the maximum time the system waits for a response to general queries. Use the no form to restore the default.

Syntax
ip igmp snooping vlan vlan-id query-resp-intvl interval
no ip igmp snooping vlan vlan-id query-resp-intvl

vlan-id - VLAN ID (Range: 1-4094)
interval - The maximum time the system waits for a response to general queries.
Command Mode
Global Configuration

Command Usage
◆ Static multicast entries are never aged out.
◆ When a multicast entry is assigned to an interface in a specific VLAN, the corresponding traffic can only be forwarded to ports within that VLAN.

Example
The following shows how to statically configure a multicast group on a port.

Console(config)#ip igmp snooping vlan 1 static 224.0.0.
vlan vlan-id - VLAN identifier (Range: 1-4094)

Command Mode
Privileged Exec

Example
Console#clear ip igmp snooping statistics
Console#

show ip igmp
This command shows the IGMP snooping, proxy, and query configuration settings.
---- --------------- -------
   1       235.0.0.0 Eth 1/ 5
.
.
.

show ip igmp snooping group
This command shows known multicast group, source, and host port mappings for the specified VLAN interface, or for all interfaces if none is specified.
1 224.1.1.1 00:00:00:37 Eth 1/ 1(R) Eth 1/ 2(M) 2(P) 0(H)
Console#

show ip igmp snooping mrouter
This command displays information on statically configured and dynamically learned multicast router ports.

Syntax
show ip igmp snooping mrouter [vlan vlan-id]

vlan-id - VLAN ID (Range: 1-4094)

Default Setting
Displays multicast router ports for all configured VLANs.
port-channel channel-id (Range: 1-27)
vlan vlan-id - VLAN ID (Range: 1-4094)
query - Displays IGMP snooping-related statistics.
Table 113: show ip igmp snooping statistics output - display description

Field          Description
Interface      Shows interface.
Report         The number of IGMP membership reports sent from this interface.
Leave          The number of leave messages sent from this interface.
G Query        The number of general query messages sent from this interface.
G(-S)-S Query  The number of group specific or group-and-source specific query messages sent from this interface.
Chapter 23 | Multicast Filtering Commands Static Multicast Routing

Table 114: show ip igmp snooping statistics vlan query - display description

Field            Description
Warn Rate Limit  The rate at which received query messages of the wrong version type cause the Vx warning count to increment. Note that “0 sec” means that the Vx warning count is incremented for each wrong message version received.
Chapter 23 | Multicast Filtering Commands IGMP Filtering and Throttling

Command Usage
◆ Depending on your network connections, IGMP snooping may not always be able to locate the IGMP querier. Therefore, if the IGMP querier is a known multicast router or switch connected over the network to an interface (port or trunk) on this switch, that interface can be manually configured to join all the current multicast groups.
Table 116: IGMP Filtering and Throttling Commands (Continued)

Command                          Function                                                         Mode
show ip igmp query-drop          Shows if the interface is configured to drop IGMP query packets  PE
show ip igmp throttle interface  Displays the IGMP throttling setting for interfaces              PE

ip igmp filter (Global Configuration)
This command globally enables IGMP filtering and throttling on the switch. Use the no form to disable the feature.
ip igmp profile
This command creates an IGMP filter profile number and enters IGMP profile configuration mode. Use the no form to delete a profile number.

Syntax
[no] ip igmp profile profile-number

profile-number - An IGMP filter profile number. (Range: 1-4294967295)

Default Setting
Disabled

Command Mode
Global Configuration

Command Usage
A profile defines the multicast groups that a subscriber is permitted or denied to join.
Example
Console(config)#ip igmp profile 19
Console(config-igmp-profile)#permit
Console(config-igmp-profile)#

range
This command specifies multicast group addresses for a profile. Use the no form to delete addresses from a profile.

Syntax
[no] range low-ip-address [high-ip-address]

low-ip-address - A valid IP address of a multicast group or start of a group range.
Command Usage
◆ If IGMP authentication is enabled on an interface, and a join report is received on the interface, the switch will send an access request to the RADIUS server to perform authentication.
◆ Only when the RADIUS server responds with an authentication success message will the switch learn the group report.
Table 117: IGMP Authentication RADIUS Attribute Value Pairs (Continued)

Attribute Name     AVP Type  Entry
NAS_PORT           5         User Port Number
FRAMED_IP_ADDRESS  8         Multicast Group ID

Example
This example shows how to enable IGMP Authentication on all of the switch’s Ethernet interfaces.
ip igmp max-groups
This command sets the IGMP throttling number for an interface on the switch. Use the no form to restore the default setting.

Syntax
ip igmp max-groups number
no ip igmp max-groups

number - The maximum number of multicast groups an interface can join at the same time.
Command Usage
When the maximum number of groups is reached on a port, the switch can take one of two actions: either “deny” or “replace.” If the action is set to deny, any new IGMP join reports will be dropped. If the action is set to replace, the switch randomly removes an existing group and replaces it with the new multicast group.
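The following model of the filter profile and the throttling actions described above is an added example, not code from the switch or from this guide. The class names are hypothetical, and it assumes that a permit profile admits only the listed groups while a deny profile admits all others, that the profile is checked before the group limit, and that a repeated join for an existing group does not count against the limit.

```python
import ipaddress
import random


class IgmpProfile:
    """Filter profile: an access mode plus one or more multicast group ranges."""

    def __init__(self, mode, ranges):
        if mode not in ("permit", "deny"):
            raise ValueError("mode must be 'permit' or 'deny'")
        self.mode = mode
        self.ranges = []
        for low, high in ranges:
            lo = ipaddress.IPv4Address(low)
            hi = ipaddress.IPv4Address(high) if high else lo
            if not (lo.is_multicast and hi.is_multicast) or lo > hi:
                raise ValueError(f"invalid multicast range {low} {high}")
            self.ranges.append((lo, hi))

    def allows(self, group):
        g = ipaddress.IPv4Address(group)
        in_range = any(lo <= g <= hi for lo, hi in self.ranges)
        # ASSUMPTION: permit admits only listed groups, deny admits all others.
        return in_range if self.mode == "permit" else not in_range


class ThrottledPort:
    """One interface with an optional filter profile and a max-groups limit."""

    def __init__(self, max_groups, action, profile=None, rng=None):
        if action not in ("deny", "replace"):
            raise ValueError("action must be 'deny' or 'replace'")
        if max_groups < 0:
            raise ValueError("max_groups must not be negative")
        self.max_groups = max_groups
        self.action = action
        self.profile = profile
        self.rng = rng or random.Random()
        self.groups = []  # groups currently joined on this port

    def join(self, group):
        """Process one join report; return (verdict, evicted_group_or_None)."""
        addr = ipaddress.IPv4Address(group)
        if not addr.is_multicast:
            return ("invalid", None)
        group = str(addr)
        # ASSUMPTION: the profile is evaluated before the throttling limit.
        if self.profile is not None and not self.profile.allows(group):
            return ("filtered", None)
        if group in self.groups:
            return ("already-joined", None)
        if len(self.groups) < self.max_groups:
            self.groups.append(group)
            return ("joined", None)
        # Limit reached: "deny" drops the new report and keeps the table.
        if self.action == "deny" or not self.groups:
            return ("dropped", None)
        # "replace" removes a randomly chosen existing group for the new one.
        victim = self.rng.choice(self.groups)
        self.groups.remove(victim)
        self.groups.append(group)
        return ("replaced", victim)


def replay(port, joins):
    """Feed a sequence of join reports to a port and collect the verdicts."""
    return [port.join(g) for g in joins]


# Constructed sample input: five join reports arriving on one port.
SAMPLE_JOINS = ["239.1.1.1", "232.0.0.1", "232.0.0.2", "232.0.0.3", "10.0.0.1"]

if __name__ == "__main__":
    profile = IgmpProfile("deny", [("239.1.1.1", None)])
    for action in ("deny", "replace"):
        port = ThrottledPort(2, action, profile, random.Random(1))
        print(action, replay(port, SAMPLE_JOINS), port.groups)
```

Under replace, a burst of new joins churns established groups out of the table at random, while deny keeps the existing receivers and rejects the newcomers.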
Default Setting
None

Command Mode
Privileged Exec

Command Usage
Using this command without specifying an interface displays information for all interfaces.

Example
Console#show ip igmp authentication
Ethernet 1/1: Enabled
Ethernet 1/2: Enabled
Ethernet 1/3: Enabled
.
.
.
Console#

show ip igmp profile
This command displays IGMP filtering profiles created on the switch.

Syntax
show ip igmp profile [profile-number]

profile-number - An existing IGMP filter profile number. (Range: 1-4294967295)

Default Setting
None

Command Mode
Privileged Exec

Example
Console#show ip igmp profile
 IGMP Profile 19
 IGMP Profile 50
Console#show ip igmp profile 19
 IGMP Profile 19
  Deny
  Range 239.1.1.1 239.1.1.1
  Range 239.2.3.
Command Usage
Using this command without specifying an interface displays all interfaces.

Example
Console#show ip igmp query-drop interface ethernet 1/1
Ethernet 1/1: Enabled
Console#

show ip igmp throttle interface
This command displays the interface settings for IGMP throttling.

Syntax
show ip igmp throttle interface [interface]

interface
  ethernet unit/port
    unit - Unit identifier. (Range: 1)
    port - Port number.
Chapter 23 | Multicast Filtering Commands MLD Snooping

MLD Snooping
Multicast Listener Discovery (MLD) snooping operates on IPv6 traffic and performs a similar function to IGMP snooping for IPv4. That is, MLD snooping dynamically configures switch ports to limit IPv6 multicast traffic so that it is forwarded only to ports with users that want to receive it. This reduces the flooding of IPv6 multicast packets in the specified VLANs. There are two versions of the MLD protocol, version 1 and version 2.
Table 118: MLD Snooping Commands (Continued)

Command                                   Function                                                     Mode
show ipv6 mld snooping group source-list  Displays the learned groups and corresponding source list    PE
show ipv6 mld snooping mrouter            Displays the information of multicast router ports           PE

ipv6 mld snooping
This command enables MLD Snooping globally on the switch. Use the no form to disable MLD Snooping.
◆ The querier will not start or will disable itself after having started if it detects an IPv6 multicast router on the network.

Example
Console(config)#ipv6 mld snooping querier
Console(config)#

ipv6 mld snooping query-interval
This command configures the interval between sending MLD general queries. Use the no form to restore the default.
Default Setting
10 seconds

Command Mode
Global Configuration

Command Usage
This command controls how long the host has to respond to an MLD Query message before the switch deletes the group if it is the last member.

Example
Console(config)#ipv6 mld snooping query-max-response-time seconds 15
Console(config)#

ipv6 mld snooping robustness
This command configures the MLD Snooping robustness variable. Use the no form to restore the default value.
ipv6 mld snooping router-port-expire-time
This command configures the MLD query timeout. Use the no form to restore the default.

Syntax
ipv6 mld snooping router-port-expire-time time
no ipv6 mld snooping router-port-expire-time

time - Specifies the timeout of a dynamically learned router port.
◆ When set to “router-port,” any received IPv6 multicast packets that have not been requested by a host are forwarded to ports that are connected to a detected multicast router.

Example
Console(config)#ipv6 mld snooping unknown-multicast mode flood
Console(config)#

ipv6 mld snooping version
This command configures the MLD snooping version. Use the no form to restore the default.

Syntax
ipv6 mld snooping version {1 | 2}

1 - MLD version 1.
Command Usage
◆ If MLD immediate-leave is not used, a multicast router (or querier) will send a group-specific query message when an MLD group leave message is received. The router/querier stops forwarding traffic for that group only if no host replies to the query within the specified timeout period.
◆ If MLD immediate-leave is enabled, the switch assumes that only one host is connected to the interface.
Example
The following shows how to configure port 1 as a multicast router port within VLAN 1:

Console(config)#ipv6 mld snooping vlan 1 mrouter ethernet 1/1
Console(config)#

ipv6 mld snooping vlan static
This command adds a port to an IPv6 multicast group. Use the no form to remove the port.

Syntax
[no] ipv6 mld snooping vlan vlan-id static ipv6-address interface

vlan - VLAN ID (Range: 1-4094)
ipv6-address - An IPv6 address of a multicast group.
Command Usage
This command only clears entries learned through MLD snooping. Statically configured multicast addresses are not cleared.

Example
Console#clear ipv6 mld snooping groups dynamic
Console#

clear ipv6 mld snooping statistics
This command clears MLD snooping statistics.

Syntax
clear ipv6 mld snooping statistics [interface interface]

interface
  ethernet unit/port
    unit - Unit identifier. (Range: 1)
    port - Port number.
Example
The following shows MLD Snooping configuration information:

Console#show ipv6 mld snooping
 Service Status            : Disabled
 Proxy Reporting           : Disabled
 Querier Status            : Disabled
 Robustness                : 2
 Query Interval            : 125 sec
 Query Max Response Time   : 10 sec
 Router Port Expiry Time   : 300 sec
 Unsolicit Report Interval : 400 sec
 Immediate Leave           : Disabled on all VLAN
 Immediate Leave By Host   : Disabled on all VLAN
 Unknown Flood Behavior    : T
 MLD Snooping Version      :
show ipv6 mld snooping group
This command shows known multicast groups, member ports, the means by which each group was learned, and the corresponding source list.
Chapter 23 | Multicast Filtering Commands IGMP (Layer 3)

IGMP (Layer 3)
This section describes commands used to configure Layer 3 Internet Group Management Protocol (IGMP) on the switch.
Console#show ip igmp interface
 IGMP                             : Enabled
 IGMP Version                     : 2
 IGMP Proxy                       : Disabled
 IGMP Unsolicited Report Interval : 400 sec
 Robustness Variable              : 2
 Query Interval                   : 125 sec
 Query Max Response Time          : 100 (resolution in 0.1 sec)
 Last Member Query Interval       : 10 (resolution in 0.1 sec)
 Querier                          : 0.0.0.
 Joined Groups :
 Static Groups :
ip igmp max-resp-interval
This command configures the maximum response time advertised in IGMP queries. Use the no form of this command to restore the default.

Syntax
ip igmp max-resp-interval seconds
no ip igmp max-resp-interval

seconds - The report delay advertised in IGMP queries.
ip igmp query-interval
This command configures the frequency at which host query messages are sent. Use the no form to restore the default.

Syntax
ip igmp query-interval seconds
no ip igmp query-interval

seconds - The frequency at which the switch sends IGMP host-query messages.
ip igmp robustval
This command specifies the robustness (expected packet loss) for this interface. Use the no form of this command to restore the default value.

Syntax
ip igmp robustval robust-value
no ip igmp robustval

robust-value - The robustness of this interface.
Command Mode
Interface Configuration (VLAN)

Command Usage
◆ Group addresses within the entire multicast group address range can be specified with this command.
Default Setting
IGMP Version 2

Command Mode
Interface Configuration (VLAN)

Command Usage
◆ All routers on the subnet must support the same version. However, the multicast hosts on the subnet may support any of the IGMP versions 1 - 3.
◆ If the switch receives an IGMP Version 1 Membership Report, it sets a timer to note that there are Version 1 hosts which are members of the group for which it heard the report.
Example
The following example clears all multicast group entries for VLAN 1.

Console#clear ip igmp interface vlan1
Console#

show ip igmp groups
This command displays information on multicast groups active on the switch and learned through IGMP.

Syntax
show ip igmp groups [{group-address | interface} [detail] | detail]

group-address - IP multicast group address.
interface
  vlan vlan-id - VLAN ID.
Table 120: show ip igmp groups - display description

Field           Description
Group Address   IP multicast group address with subscribers directly attached or downstream from the switch.
Interface VLAN  The interface on the switch that has received traffic directed to the multicast group address.
Last Reporter   The IP address of the source of the last membership report received for this multicast group address on this interface.
Table 121: show ip igmp groups detail - display description (Continued)

Field       Description
Group mode  In INCLUDE mode, reception of packets sent to the specified multicast address is requested only from those IP source addresses listed in the source-list parameter.
Chapter 23 | Multicast Filtering Commands IGMP Proxy Routing

 Last Member Query Interval : 10 (resolution in 0.1 sec)
 Querier                    : 0.0.0.0
 Joined Groups :
 Static Groups :
switch#

IGMP Proxy Routing
This section describes commands used to configure IGMP Proxy Routing on the switch.
Command Mode
Interface Configuration (VLAN)

Command Usage
◆ When IGMP proxy is enabled on an interface, that interface is known as the upstream or host interface. This interface performs only the host portion of IGMP by sending IGMP membership reports, and automatically disables IGMP router functions.
◆ Interfaces with IGMP enabled, but not located in the direction of the multicast tree root are known as downstream or router interfaces.
Chapter 23 | Multicast Filtering Commands MLD (Layer 3)

ip igmp proxy unsolicited-report-interval
This command specifies how often the upstream interface should transmit unsolicited IGMP reports. Use the no form to restore the default value.

Syntax
ip igmp proxy unsolicited-report-interval seconds
no ip igmp proxy unsolicited-report-interval

seconds - The interval at which to issue unsolicited reports.
ipv6 mld
This command enables MLD on a VLAN interface. Use the no form of this command to disable MLD on the selected interface.

Syntax
[no] ipv6 mld

Default Setting
Disabled

Command Mode
Interface Configuration (VLAN)

Command Usage
MLD (including query functions) can be enabled for specific VLAN interfaces at Layer 3 through the ipv6 mld command.
Default Setting
10 (1 second)

Command Mode
Interface Configuration (VLAN)

Command Usage
When the switch receives an MLD or MLDv2 leave message from a host that wants to leave a multicast group, source or channel, it sends a number of group-specific or group-source-specific query messages at intervals defined by this command. If no response is received after this period, the switch stops forwarding for the group, source or channel.
Example
The following shows how to configure the maximum response time to 20 seconds.

Console(config-if)#ipv6 mld max-resp-interval 200
Console(config-if)#

Related Commands
ipv6 mld query-interval (625)

ipv6 mld query-interval
This command configures the frequency at which host query messages are sent. Use the no form to restore the default.
ipv6 mld robustval
This command specifies the robustness (expected packet loss) for this interface. Use the no form of this command to restore the default value.

Syntax
ipv6 mld robustval robust-value
no ipv6 mld robustval

robust-value - The robustness of this interface. (Range: 1-255)

Default Setting
2

Command Mode
Interface Configuration (VLAN)

Command Usage
◆ The robustness value is used to compensate for expected packet loss on a link.
Command Mode
Interface Configuration (VLAN)

Command Usage
◆ If a static group is configured for an any-source multicast (*,G), a source address cannot subsequently be defined for this group without first deleting the entry.
◆ If a static group is configured for one or more source-specific multicasts (S,G), an any-source multicast (*,G) cannot subsequently be defined for this group without first deleting all of the associated (S,G) entries.
Command Usage
◆ MLDv1 is derived from IGMPv2, and MLDv2 from IGMPv3. IGMP uses IP Protocol 2 message types, and MLD uses IP Protocol 58 message types, which are a subset of the ICMPv6 messages.
show ipv6 mld groups
This command displays information on multicast groups active on the switch and learned through MLD.

Syntax
show ipv6 mld groups [{group-address | interface} [detail] | detail]

group-address - IPv6 multicast group address. (Note that link-local scope addresses FF02:* are not allowed.)
interface
  vlan vlan-id - VLAN ID.
Table 124: show ipv6 mld groups - display description (Continued)

Field       Description
Expire      The time remaining before this entry will be aged out. (The default is 260 seconds.) This field displays “stopped” if the Group Mode is INCLUDE.
Group Mode  In Include mode, reception of packets sent to the specified multicast address is requested only from those IP source addresses listed in the source-list parameter.
Chapter 23 | Multicast Filtering Commands MLD Proxy Routing

 Querier : FE80::200:E8FF:FE93:82A0
 Joined Groups :
 Static Groups :
 FFEE::101
Console#

MLD Proxy Routing
This section describes commands used to configure MLD Proxy Routing on the switch.
Command Mode
Interface Configuration (VLAN)

Command Usage
◆ When MLD proxy is enabled on an interface, that interface is known as the upstream or host interface. This interface performs only the host portion of MLD by sending MLD membership reports, and automatically disables MLD router functions.
◆ Interfaces with MLD enabled, but not located in the direction of the multicast tree root are known as downstream or router interfaces.
ipv6 mld proxy unsolicited-report-interval
This command specifies how often the upstream interface should transmit unsolicited MLD reports. Use the no form to restore the default value.

Syntax
ipv6 mld proxy unsolicited-report-interval seconds
no ipv6 mld proxy unsolicited-report-interval

seconds - The interval at which to issue unsolicited reports.
24 LLDP Commands

Link Layer Discovery Protocol (LLDP) is used to discover basic information about neighboring devices on the local broadcast domain. LLDP is a Layer 2 protocol that uses periodic broadcasts to advertise information about the sending device. Advertised information is represented in Type Length Value (TLV) format according to the IEEE 802.1ab standard, and can include details such as device identification, capabilities and configuration settings.
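The TLV layout mentioned above can be walked with a short parser, which also shows exactly what a port discloses to its neighbors when the optional TLVs are enabled. This is an added example, not code from this guide or the switch software; the two-octet header (7-bit type, 9-bit length) and the TLV type numbers come from the IEEE standard rather than this page, the function names are hypothetical, and the sample LLDPDU is constructed.

```python
import ipaddress
import struct

TLV_NAMES = {1: "chassis_id", 2: "port_id", 3: "ttl", 4: "port_description",
             5: "system_name", 6: "system_description",
             7: "system_capabilities", 8: "management_address"}
CAPABILITIES = ["Other", "Repeater", "Bridge", "WLAN AP", "Router",
                "Telephone", "DOCSIS", "Station Only"]


def build_tlv(tlv_type, value):
    """Encode one TLV: 7-bit type and 9-bit length packed into two octets."""
    if not 0 <= tlv_type <= 127 or len(value) > 511:
        raise ValueError("type or length out of range")
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def parse_lldpdu(data):
    """Return [(type, value)] up to the End TLV, rejecting malformed input."""
    tlvs, offset = [], 0
    while True:
        if offset + 2 > len(data):
            raise ValueError("truncated TLV header or missing End TLV")
        (header,) = struct.unpack_from("!H", data, offset)
        tlv_type, length = header >> 9, header & 0x1FF
        offset += 2
        if offset + length > len(data):
            raise ValueError("TLV length runs past the end of the LLDPDU")
        value = data[offset:offset + length]
        offset += length
        if tlv_type == 0:  # End of LLDPDU (this parser requires it)
            if length != 0:
                raise ValueError("End TLV must have zero length")
            break
        tlvs.append((tlv_type, value))
    # Chassis ID, Port ID and TTL are mandatory and must come first, in order.
    if [t for t, _ in tlvs[:3]] != [1, 2, 3]:
        raise ValueError("mandatory TLVs missing or out of order")
    return tlvs


def decode_management_address(value):
    """Decode the address part of a Management Address TLV."""
    if len(value) < 2:
        raise ValueError("management address TLV too short")
    str_len = value[0]  # counts the subtype octet plus the address
    if str_len < 2 or 1 + str_len > len(value):
        raise ValueError("bad management address length")
    subtype, addr = value[1], value[2:1 + str_len]
    if subtype == 1 and len(addr) == 4:
        return str(ipaddress.IPv4Address(addr))
    if subtype == 2 and len(addr) == 16:
        return str(ipaddress.IPv6Address(addr))
    if subtype == 6 and len(addr) == 6:  # MAC address fallback
        return ":".join(f"{b:02x}" for b in addr)
    return addr.hex()


def disclosed_info(data):
    """Summarize what an LLDPDU tells a neighbor about the sender."""
    info = {}
    for tlv_type, value in parse_lldpdu(data):
        name = TLV_NAMES.get(tlv_type)
        if tlv_type in (1, 2):
            if len(value) < 2:
                raise ValueError(f"{name} TLV too short")
            info[name] = {"subtype": value[0], "raw": value[1:]}
        elif tlv_type == 3:
            if len(value) < 2:
                raise ValueError("TTL TLV too short")
            info[name] = struct.unpack("!H", value[:2])[0]
        elif tlv_type in (4, 5, 6):
            info[name] = value.decode("utf-8", "replace")
        elif tlv_type == 7:
            if len(value) < 4:
                raise ValueError("system capabilities TLV too short")
            _supported, enabled = struct.unpack("!HH", value[:4])
            info[name] = [c for i, c in enumerate(CAPABILITIES)
                          if enabled >> i & 1]
        elif tlv_type == 8:
            info[name] = decode_management_address(value)
    return info


# Constructed sample LLDPDU (not captured from a real device).
SAMPLE_LLDPDU = b"".join([
    build_tlv(1, b"\x04" + bytes.fromhex("020000000001")),  # chassis: MAC
    build_tlv(2, b"\x05" + b"Eth1/1"),                      # port: ifName
    build_tlv(3, struct.pack("!H", 120)),                   # TTL in seconds
    build_tlv(4, b"constructed port description"),
    build_tlv(5, b"lab-switch"),
    build_tlv(6, b"constructed system description"),
    build_tlv(7, struct.pack("!HH", 0x0014, 0x0004)),       # bridge enabled
    build_tlv(8, b"\x05\x01" + bytes([192, 0, 2, 10])       # IPv4 address
              + b"\x02" + struct.pack("!I", 1) + b"\x00"),
    build_tlv(0, b""),
])

if __name__ == "__main__":
    for key, val in disclosed_info(SAMPLE_LLDPDU).items():
        print(f"{key}: {val}")
```

Each optional TLV in the summary corresponds to an lldp basic-tlv setting on the port, so disabling a setting removes that field from what neighbors can read.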
Chapter 24 | LLDP Commands

Table 126: LLDP Commands (Continued)

Command                            Function                                                                   Mode
lldp basic-tlv system-description  Configures an LLDP-enabled port to advertise the system description       IC
lldp basic-tlv system-name         Configures an LLDP-enabled port to advertise its system name              IC
lldp dcbx-tlv ets-config           Configures an LLDP-enabled port to advertise ETS configuration settings   IC
lldp dcbx-tlv ets-recommend        Configures an LLDP-enabled port to advertise ETS recommendation information  IC
lldp dc
Table 126: LLDP Commands (Continued)

Command                       Function                                                                             Mode
show lldp info remote-device  Shows LLDP global and interface-specific configuration settings for remote devices  PE
show lldp info statistics     Shows statistical counters for all LLDP-enabled interfaces                          PE

* Vendor-specific options may or may not be advertised by neighboring devices.

lldp
This command enables LLDP globally on the switch. Use the no form to disable LLDP.
Command Usage
◆ The time-to-live tells the receiving LLDP agent how long to retain all information pertaining to the sending LLDP agent if it does not transmit updates in a timely manner.
◆ If the local interface attached to a remote device is shut down or otherwise disabled, information about the remote device is purged immediately.
lldp notification-interval
This command configures the allowed interval for sending SNMP notifications about LLDP MIB changes. Use the no form to restore the default setting.
Syntax
lldp notification-interval seconds
no lldp notification-interval
seconds - Specifies the periodic interval at which SNMP notifications are sent.
Example
Console(config)#lldp refresh-interval 60
Console(config)#

lldp reinit-delay
This command configures the delay before attempting to re-initialize after LLDP ports are disabled or the link goes down. Use the no form to restore the default setting.
Syntax
lldp reinit-delay seconds
no lldp reinit-delay
seconds - Specifies the delay before attempting to re-initialize LLDP.
Command Usage
◆ The transmit delay is used to prevent a series of successive LLDP transmissions during a short period of rapid changes in local LLDP MIB objects, and to increase the probability that multiple, rather than single changes, are reported in each transmission.
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
◆ The management address protocol packet includes the IPv4 address of the switch. If no management address is available, the address should be the MAC address for the CPU or for the port sending this advertisement.
Example
Console(config)#interface ethernet 1/1
Console(config-if)#lldp basic-tlv port-description
Console(config-if)#

lldp basic-tlv system-capabilities
This command configures an LLDP-enabled port to advertise its system capabilities. Use the no form to disable this feature.
Example
Console(config)#interface ethernet 1/1
Console(config-if)#lldp basic-tlv system-description
Console(config-if)#

lldp basic-tlv system-name
This command configures an LLDP-enabled port to advertise the system name. Use the no form to disable this feature.
◆ If you configure ETS on an interface (using the ets mode command), DCBX advertises each priority group on the interface, the priorities in each priority group, and the bandwidth properties of each priority group and priority.
◆ If you do not configure ETS on an interface, DCBX advertises the default priority group, its priorities, and the assigned bandwidth.
lldp dcbx-tlv pfc-config
This command configures an LLDP-enabled port to advertise PFC configuration settings. Use the no form to disable this feature.
Syntax
[no] lldp dcbx-tlv pfc-config
Default Setting
Enabled
Command Mode
Interface Configuration (Ethernet)
Command Usage
After enabling PFC on a switch interface (using the pfc mode command), DCBX uses autonegotiation to control the operational state of the PFC functionality.
lldp dot1-tlv proto-vid
This command configures an LLDP-enabled port to advertise port-based protocol VLAN information. Use the no form to disable this feature.
Syntax
[no] lldp dot1-tlv proto-vid
Default Setting
Enabled
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
This option advertises the port-based protocol VLANs configured on this interface.
lldp dot1-tlv vlan-name
This command configures an LLDP-enabled port to advertise its VLAN name. Use the no form to disable this feature.
Syntax
[no] lldp dot1-tlv vlan-name
Default Setting
Enabled
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
This option advertises the name of all VLANs to which this interface has been assigned. See switchport allowed vlan.
lldp dot3-tlv mac-phy
This command configures an LLDP-enabled port to advertise its MAC and physical layer capabilities. Use the no form to disable this feature.
Syntax
[no] lldp dot3-tlv mac-phy
Default Setting
Enabled
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
This option advertises MAC/PHY configuration/status which includes information about auto-negotiation support/capabilities, and operational Multistation Access Unit (MAU) type.
lldp med-location civic-addr
This command configures an LLDP-MED-enabled port to advertise its location identification details. Use the no form to restore the default settings.
Syntax
lldp med-location civic-addr [[country country-code] | [what device-type] | [ca-type ca-value]]
no lldp med-location civic-addr [[country] | [what] | [ca-type]]
country-code – The two-letter ISO 3166 country code in capital ASCII letters.
Table 127: LLDP MED Location CA Types (Continued)
CA Type | Description | CA Value Example
4 | City division, borough, city district | West Irvine
5 | Neighborhood, block | Riverside
6 | Group of streets below the neighborhood level | Exchange
18 | Street suffix or type | Avenue
19 | House number | 320
20 | House number suffix | A
21 | Landmark or vanity address | Tech Center
26 | Unit (apartment, suite) | Apt 519
27 | Floor | 5
28 | Room | 509B
Any number of CA type and value pairs can be
Default Setting
Disabled
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
◆ This option sends out SNMP trap notifications to designated target stations at the interval specified by the lldp notification-interval command. Trap notifications include information about state changes in the LLDP MIB (IEEE 802.1AB), the LLDP-MED MIB (ANSI/TIA 1057), or organization-specific LLDP-EXT-DOT1 and LLDP-EXT-DOT3 MIBs.
Example
Console(config)#interface ethernet 1/1
Console(config-if)#no lldp med-tlv inventory
Console(config-if)#

lldp med-tlv location
This command configures an LLDP-MED-enabled port to advertise its location identification details. Use the no form to disable this feature.
Syntax
[no] lldp med-tlv location
Default Setting
Enabled
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
This option advertises location identification details.
Example
Console(config)#interface ethernet 1/1
Console(config-if)#lldp med-tlv med-cap
Console(config-if)#

lldp med-tlv network-policy
This command configures an LLDP-MED-enabled port to advertise its network policy configuration. Use the no form to disable this feature.
notifications include information about state changes in the LLDP MIB (IEEE 802.1AB), or organization-specific LLDP-EXT-DOT1 and LLDP-EXT-DOT3 MIBs.
◆ SNMP trap destinations are defined using the snmp-server host command.
◆ Information about additional changes in LLDP neighbors that occur between SNMP notifications is not transmitted. Only state changes that exist at the time of a trap notification are included in the transmission.
Eth 1/3 Tx-Rx True
Eth 1/4 Tx-Rx True
Eth 1/5 Tx-Rx True
. . .
Console#show lldp config detail ethernet 1/1
LLDP Port Configuration Detail
 Port :
 Admin Status :
 Notification Enabled :
 Basic TLVs Advertised :
 802.1 specific TLVs Advertised :
 802.
Example
Console#show lldp info local-device
LLDP Local Global Information
 Chassis Type : MAC Address
 Chassis ID : 00-E0-0C-02-00-FD
 System Name :
 System Description : AS5812-54X-EC
 System Capabilities Support : Bridge, Router
 System Capabilities Enabled : Bridge, Router
 Management Address : 192.168.0.
Example
Note that an IP phone or other end-node device which advertises LLDP-MED capabilities must be connected to the switch for information to be displayed in the “Device Class” field.
ETS Configuration
 Willing :
 CBS :
 Number of TCs supported :
 Priority Assignment Table :
 Traffic Class Bandwidth(Hex) :
 Traffic Selection Algorithm :
PFC Configuration
 Willing
 MBC
 Max PFC classes supported
 PFC Enable Vector
LLDP-MED Capability :
 Device Class
 Supported Capabilities
 Current Capabilities
Location Identification :
 Location Data Format
 Country Name
 What
Extended Power via MDI :
 Power Type
 Power Source
 Power Priority
 Power Value
Inventory :
 Hardware Revision
 F
show lldp info statistics
This command shows statistics based on traffic received through all attached LLDP-enabled interfaces.
Syntax
show lldp info statistics [detail interface]
detail - Shows configuration summary.
interface
ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number.
25 CFM Commands

Connectivity Fault Management (CFM) is an OAM protocol that includes proactive connectivity monitoring using continuity check messages, fault verification through loop back messages, and fault isolation by examining end-to-end connections between provider edge devices or between customer edge devices. CFM is implemented as a service level protocol based on service instances which encompass only that portion of the metropolitan area network supporting a specific customer.
Chapter 25 | CFM Commands

Table 128: CFM Commands (Continued)
Command | Function | Mode
ma index name-format | Specifies the name format for the maintenance association as IEEE 802.1ag character based, or ITU-T SG13/SG15 Y. | CFM
Table 128: CFM Commands (Continued)
Command | Function | Mode
ethernet cfm mep crosscheck | Enables cross-checking between the list of configured remote MEPs within a maintenance association and MEPs learned through continuity check messages | PE
show ethernet cfm maintenance-points remote crosscheck | Displays information about remote maintenance points configured statically in a cross-check list | PE
ethernet cfm linktrace cache | Enables caching of CFM data learned through link tra
Chapter 25 | CFM Commands Defining CFM Structures

4. Enter a static list of MEPs assigned to other devices within the same maintenance association using the mep crosscheck mpid command. This allows CFM to automatically verify the functionality of these remote end points by cross-checking the static list configured on this device against information learned through continuity check messages.
5. Enable CFM globally on the switch with the ethernet cfm enable command.
6.
Example
This example sets the maintenance level for sending AIS messages within the specified MA.
Console(config)#ethernet cfm ais level 4 md voip ma rd
Console(config)#

ethernet cfm ais ma
This command enables the MEPs within the specified MA to send frames with AIS information following detection of defect conditions. Use the no form to disable this feature.
Syntax
[no] ethernet cfm ais md domain-name ma ma-name
domain-name – Domain name.
ethernet cfm ais period
This command configures the interval at which AIS information is sent. Use the no form to restore the default setting.
Syntax
ethernet cfm ais period period md domain-name ma ma-name
no ethernet cfm ais period md domain-name ma ma-name
period – The interval at which AIS information is sent. (Options: 1 second, 60 seconds)
domain-name – Domain name. (Range: 1-43 alphanumeric characters)
ma-name – Maintenance association name.
with AIS information. More importantly, it cannot determine the associated subset of its peer MEPs for which it should suppress alarms since the received AIS information does not contain that information. Therefore, upon reception of a frame with AIS information, the MEP will suppress alarms for all peer MEPs whether there is still connectivity or not.
Default Setting
No maintenance domains are configured.
No MIPs are created for any MA in the specified domain.
Command Mode
Global Configuration
Command Usage
◆ A domain can only be configured with one name.
◆ Where domains are nested, an upper-level hierarchical domain must have a higher maintenance level than the ones it encompasses. The higher to lower level domain types commonly include entities such as customer, service provider, and operator.
which can only validate received CFM messages, and respond to loop back and link trace messages. The MIP creation method defined by the ma index name command takes precedence over the method defined by this command.
Example
This example creates a maintenance domain set to maintenance level 3, and enters CFM configuration mode for this domain.
ma index name
This command creates a maintenance association (MA) within the current maintenance domain, maps it to a customer service instance (S-VLAN), and sets the manner in which MIPs are created for this service instance. Use the no form with the vlan keyword to remove the S-VLAN from the specified MA. Or use the no form with only the index keyword to remove the MA from the current domain.
◆ Before removing an MA, first remove all the MEPs configured for it (see the mep crosscheck mpid command).
◆ If the MIP creation method is not defined by this command, the creation method defined by the ethernet cfm domain command is applied to this MA. For a detailed description of the MIP types, refer to the Command Usage section under the ethernet cfm domain command.
ethernet cfm mep
This command sets an interface as a domain boundary, defines it as a maintenance end point (MEP), and sets direction of the MEP in regard to sending and receiving CFM messages. Use the no form to delete a MEP.
Syntax
ethernet cfm mep mpid mpid md domain-name ma ma-name [up]
no ethernet cfm mep mpid mpid ma ma-name
mpid – Maintenance end point identifier. (Range: 1-8191)
domain-name – Domain name.
ethernet cfm port-enable
This command enables CFM processing on an interface. Use the no form to disable CFM processing on an interface.
Syntax
[no] ethernet cfm port-enable
Default Setting
Enabled
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
◆ An interface must be enabled before a MEP can be created with the ethernet cfm mep command.
Command Usage
This command can be used to clear AIS defect entries if a MEP does not exit the AIS state when all errors are resolved.
Example
This example clears AIS defect entries on port 1.
Console#clear ethernet cfm ais mpid 1 md voip ma rd
Console(config)#

show ethernet cfm configuration
This command displays CFM configuration settings, including global settings, SNMP traps, and interface settings.
This example shows the configuration status for continuity check and cross-check traps.
show ethernet cfm md
This command displays the configured maintenance domains.
Syntax
show ethernet cfm md [level level]
level – Maintenance level. (Range: 0-7)
Default Setting
None
Command Mode
Privileged Exec
Example
This example shows all configured maintenance domains.
Console#show ethernet cfm md
MD Index MD Name              Level MIP Creation Archive Hold Time (m.
-------- -------------------- ----- ------------
       1 rd                       0 default
Console#
show ethernet cfm maintenance-points local
This command displays the maintenance points configured on this device.
Syntax
show ethernet cfm maintenance-points local {mep [domain domain-name | interface interface | level level-id] | mip [domain domain-name | level level-id]}
mep – Displays only local maintenance end points.
mip – Displays only local maintenance intermediate points.
domain-name – Domain name.
show ethernet cfm maintenance-points local detail mep
This command displays detailed CFM information about a local MEP in the continuity check database.
Syntax
show ethernet cfm maintenance-points local detail mep [domain domain-name | interface interface | level level-id]
domain-name – Domain name. (Range: 1-43 alphanumeric characters)
interface – Displays CFM status for the specified interface.
ethernet unit/port
unit - Unit identifier.
Table 130: show ethernet cfm maintenance-points local detail mep - display
Field | Description
MPID | MEP identifier
MD Name | The maintenance domain for this entry.
Default Setting
None
Command Mode
Privileged Exec
Command Usage
Use the mpid keyword with this command to display information about a specific maintenance point, or use the mac keyword to display information about all maintenance points that have the specified MAC address.
Example
This example shows detailed information about the remote MEP designated by MPID 2.
Chapter 25 | CFM Commands Continuity Check Operations

Table 131: show ethernet cfm maintenance-points remote detail - display
Field | Description
Port State | Port states include:
  Up – The port is functioning normally.
  Blocked – The port has been blocked by the Spanning Tree Protocol.
  No port state – Either no CCM has been received, or no port status TLV was received in the last CCM.
CCMs are issued should therefore be configured to detect connectivity problems in a timely manner, as dictated by the nature and size of the MA.
◆ The maintenance of a MIP CCM database by a MIP presents some difficulty for bridges carrying a large number of Service Instances, and for those whose MEPs are issuing CCMs at a high frequency. For this reason, slower CCM transmission rates may have to be used.
◆ If a maintenance point receives a CCM with an invalid MEPID or MA level or an MA level lower than its own, a failure is registered which indicates a configuration error or cross-connect error (i.e., overlapping MAs).
Example
This example enables continuity check messages for the specified maintenance association.
Example
This example enables SNMP traps for mep-up events.
Console(config)#snmp-server enable traps ethernet cfm cc mep-up
Console(config)#
Related Commands
ethernet cfm mep crosscheck (689)

mep archive-hold-time
This command sets the time that data from a missing MEP is retained in the continuity check message (CCM) database before being purged. Use the no form to restore the default setting.
Default Setting
None
Command Mode
Privileged Exec
Command Usage
Use this command without any keywords to clear all entries in the CCM database. Use the domain keyword to clear the CCM database for a specific domain, or the level keyword to clear it for a specific maintenance level.
show ethernet cfm errors
This command displays the CFM continuity check errors logged on this device.
Syntax
show ethernet cfm errors [domain domain-name | level level-id]
domain-name – Domain name. (Range: 1-43 alphanumeric characters)
level-id – Authorized maintenance level for this domain.
Cross Check Operations

ethernet cfm mep crosscheck start-delay
This command sets the maximum delay that a device waits for remote MEPs to come up before starting the cross-check operation. Use the no form to restore the default setting.
Syntax
ethernet cfm mep crosscheck start-delay delay
delay – The time a device waits for remote MEPs to come up before the cross-check is started.
Default Setting
All continuity checks are enabled.
Command Mode
Global Configuration
Command Usage
◆ For this trap type to function, cross-checking must be enabled on the required maintenance associations using the ethernet cfm mep crosscheck command.
Command Usage
◆ Use this command to statically configure remote MEPs that exist inside the maintenance association. These remote MEPs are used in the cross-check operation to verify that all endpoints in the specified MA are operational.
◆ Remote MEPs can only be configured with this command if domain service access points (DSAPs) have already been created with the ethernet cfm mep command at the same maintenance level and in the same MA.
Chapter 25 | CFM Commands Link Trace Operations

◆ The cross-check process is disabled by default, and must be manually started using this command with the enable keyword.
Example
This example enables cross-checking within the specified maintenance association.
Console#ethernet cfm mep crosscheck enable md voip ma rd
Console#

show ethernet cfm maintenance-points
This command displays information about remote MEPs statically configured in a cross-check list.
Command Mode
Global Configuration
Command Usage
◆ A link trace message is a multicast CFM frame initiated by a MEP, and forwarded from MIP to MIP, with each MIP generating a link trace reply, up to the point at which the link trace message reaches its destination or can no longer be forwarded.
◆ Use this command to enable the link trace cache to store the results of link trace operations initiated on this device.
Example
This example sets the aging time for entries in the link trace cache to 60 minutes.
Console(config)#ethernet cfm linktrace cache hold-time 60
Console(config)#

ethernet cfm linktrace cache size
This command sets the maximum size for the link trace cache. Use the no form to restore the default setting.
Syntax
ethernet cfm linktrace cache size entries
entries – The number of link trace responses stored in the link trace cache.
source-mpid – The identifier of a source MEP that will send the link trace message. (Range: 1-8191)
mac-address – MAC address of a remote MEP that is the target of the link trace message. This address can be entered in either of the following formats: xx-xx-xx-xx-xx-xx or xxxxxxxxxxxx
domain-name – Domain name. (Range: 1-43 alphanumeric characters)
ma-name – Maintenance association name.
clear ethernet cfm linktrace-cache
This command clears link trace messages logged on this device.
Command Mode
Privileged Exec
Example
Console#clear ethernet cfm linktrace-cache
Console#

show ethernet cfm linktrace-cache
This command displays the contents of the link trace cache.
Command Mode
Privileged Exec
Example
Console#show ethernet cfm linktrace-cache
Hops MA             IP / Alias             Forwarded
---- -------------- ----------------------
   2 rd             192.168.0.
Chapter 25 | CFM Commands Loopback Operations

Table 133: show ethernet cfm linktrace-cache - display description (Continued)
Field | Description
Egr. Action | Action taken on the egress port:
  EgrOk – The targeted data frame was forwarded.
  EgrDown – The Egress Port can be identified, but that bridge port’s MAC_Operational parameter is false.
  EgrBlocked – The egress port can be identified, but the data frame was not passed through the egress port due to active topology management, i.e.
Chapter 25 | CFM Commands Fault Generator Operations

Command Usage
◆ Use this command to test the connectivity between maintenance points. If the continuity check database does not have an entry for the specified maintenance point, an error message will be displayed.
◆ The point from which the loopback message is transmitted (i.e., the DSAP) and the target maintenance point specified in this command must be within the same MA.
set by the mep fault-notify lowest-priority command.
Example
This example sets the delay time before generating a fault alarm.
Console(config)#ethernet cfm domain index 1 name voip level 3
Console(config-ether-cfm)#mep fault-notify alarm-time 10
Console(config-ether-cfm)#

mep fault-notify lowest-priority
This command sets the lowest priority defect that is allowed to generate a fault alarm. Use the no form to restore the default setting.
◆ Priority defects include the following items:

Table 134: Remote MEP Priority Levels
Priority Level | Level Name | Description
1 | allDef | All defects.
2 | macRemErrXcon | DefMACstatus, DefRemoteCCM, DefErrorCCM, or DefXconCCM.
3 | remErrXcon | DefErrorCCM, DefXconCCM or DefRemoteCCM.
4 | errXcon | DefErrorCCM or DefXconCCM.
5 | xcon | DefXconCCM
6 | noXcon | No defects DefXconCCM or lower are to be reported.
Default Setting
10 seconds
Command Mode
CFM Domain Configuration
Example
This example sets the reset time after which another fault alarm can be generated.
Console(config)#ethernet cfm domain index 1 name voip level 3
Console(config-ether-cfm)#mep fault-notify reset-time 7
Console(config-ether-cfm)#

show ethernet cfm
This command displays configuration settings for the fault notification generator.
Chapter 25 | CFM Commands Delay Measure Operations

Table 136: show fault-notify-generator - display description (Continued)
Field | Description
Alarm Time | The time a defect must exist before a fault alarm is issued (see the mep fault-notify alarm-time command).
Reset Time | The time after a fault alarm has been issued, and no defect exists, before another fault alarm can be issued (see the mep fault-notify reset-time command).
Command Usage
◆ Delay measurement can be used to measure frame delay and frame delay variation between MEPs.
◆ A local MEP must be configured for the same MA before you can use this command.
◆ If a MEP is enabled to generate frames with delay measurement (DM) information, it periodically sends DM frames to its peer MEP in the same MA, and expects to receive DM frames back from it.
26 Domain Name Service Commands

These commands are used to configure Domain Naming System (DNS) services. Entries can be manually configured in the DNS domain name to IP address mapping table, default domain names configured, or one or more name servers specified to use for domain name to address translation. Note that domain name services will not be enabled until at least one name server is specified with the ip name-server command and domain lookup is enabled with the ip domain-lookup command.
Chapter 26 | Domain Name Service Commands

ip domain-list
This command defines a list of domain names that can be appended to incomplete host names (i.e., host names passed from a client that are not formatted with dotted notation). Use the no form to remove a name from this list.
Syntax
[no] ip domain-list name
name - Name of the host. Do not include the initial dot that separates the host name from the domain name.
ip domain-lookup
This command enables DNS host name-to-address translation. Use the no form to disable DNS.
Syntax
[no] ip domain-lookup
Default Setting
Disabled
Command Mode
Global Configuration
Command Usage
If one or more name servers are configured, but DNS is not yet enabled and the switch receives a DHCP packet containing a DNS field with a list of DNS servers, then the switch will automatically enable DNS host name-to-address translation.
Default Setting
None
Command Mode
Global Configuration
Example
Console(config)#ip domain-name sample.com
Console(config)#end
Console#show dns
Domain Lookup Status: DNS Disabled
Default Domain Name: sample.com
Domain Name List:
Name Server List:
Console#
Related Commands
ip domain-list (704)
ip name-server (707)
ip domain-lookup (705)

ip host
This command creates a static entry in the DNS table that maps a host name to an IPv4 address.
No.  Flag Type    IP Address           TTL   Domain
---- ---- ------- -------------------- ----- ------------------------------
   0    2 Address 192.168.1.55               rd5
Console#

ip name-server
This command specifies the address of one or more domain name servers to use for name-to-address resolution. Use the no form to remove a name server from this list.
Syntax
[no] ip name-server server-address1 [server-address2 … server-address6]
server-address1 - IPv4 or IPv6 address of domain-name server.
ipv6 host
This command creates a static entry in the DNS table that maps a host name to an IPv6 address. Use the no form to remove an entry.
Syntax
[no] ipv6 host name ipv6-address
name - Name of an IPv6 host. (Range: 1-127 characters)
ipv6-address - Corresponding IPv6 address. This address must be entered according to RFC 2373 “IPv6 Addressing Architecture,” using 8 colon-separated 16-bit hexadecimal values.
clear host
This command deletes dynamic entries from the DNS table.
Syntax
clear host {name | *}
name - Name of the host. (Range: 1-100 characters)
* - Removes all entries.
Default Setting
None
Command Mode
Privileged Exec
Command Usage
Use the clear host command to clear dynamic entries, or the no ip host command to clear static entries.
Example
This example clears all dynamic entries from the DNS table.
show dns cache
This command displays entries in the DNS cache.
Command Mode
Privileged Exec
Example
Console#show dns cache
No.     Flag    Type    IP Address      TTL     Host
------- ------- ------- --------------- ------- --------
      3       4 Host    209.131.36.158  115     www-real.wa1.b.yahoo.com
      4       4 CNAME   POINTER TO:3    115     www.yahoo.com
      5       4 CNAME   POINTER TO:3    115     www.wa1.b.yahoo.com
Console#

Table 138: show dns cache - display description
Field | Description
No.
Table 139: show hosts - display description
Field | Description
No. | The entry number for each resource record.
Flag | The field displays “2” for a static entry, or “4” for a dynamic entry stored in the cache.
Type | This field includes “Address” which specifies the primary name for the owner, and “CNAME” which specifies multiple domain names (or aliases) which are mapped to the same IP address as an existing entry.
27 DHCP Commands

These commands are used to configure Dynamic Host Configuration Protocol (DHCP) client, relay, and server functions. Any VLAN interface can be configured to automatically obtain an IPv4 address through DHCP. This switch can be configured to relay DHCP client configuration requests to a DHCP server on another network.
Chapter 27 | DHCP Commands DHCP Client

Default Setting
Class identifier option enabled, with the name AS5812-54X.
Command Mode
Interface Configuration (VLAN)
Command Usage
◆ Use this command without any keyword to restore the default setting.
◆ This command is used to identify the vendor class and configuration of the switch to the DHCP server, which then uses this information to decide on how to service the client or the type of information to return.
◆ Note that the vendor class identifier can be formatted in either text or hexadecimal using the ip dhcp client class-id command, but the format used by both the client and server must be the same.
Example
Console(config)#interface vlan 2
Console(config-if)#ip dhcp client class-id hex 0000e8666572
Console(config-if)#
Related Commands
ip dhcp restart client (715)

ip dhcp restart client
This command submits a DHCP client request.
Related Commands
ip address (722)

ipv6 dhcp client rapid-commit vlan
This command specifies the Rapid Commit option for DHCPv6 message exchange for all DHCPv6 client requests submitted from the specified interface. Use the no form to disable this option.
Syntax
[no] ipv6 dhcp client rapid-commit vlan vlan-list
vlan-list - VLAN ID, specified as a single number, a range of consecutive numbers separated by a hyphen, or multiple numbers separated by commas.
DHCP Relay

This section describes commands used to configure DHCP relay functions for host devices attached to the switch.
Related Commands
ip dhcp restart relay (718)

ip dhcp restart relay
This command enables DHCP relay for the specified VLAN. Use the no form to disable it.

Syntax
ip dhcp restart relay

Default Setting
Disabled

Command Mode
Privileged Exec

Command Usage
This command is used to configure DHCP relay functions for host devices attached to the switch.
DHCP for IPv6

ipv6 dhcp relay destination
This command specifies a DHCPv6 server or the VLAN to which client requests are forwarded, and also enables DHCPv6 relay service on this interface. Use the no form to disable this service.

Syntax
ipv6 dhcp relay destination {ipv6-address | multicast {all | vlan vlan-id}}
no ipv6 dhcp relay destination [ipv6-address | multicast {all | vlan vlan-id}]

ipv6-address - IPv6 address of a DHCPv6 server or another relay server.
Example
In the following example, the device is reassigned the same address.

Console(config)#interface vlan 1
Console(config-if)#ipv6 dhcp relay destination multicast vlan 2
Console(config-if)#
Console#

show ipv6 dhcp relay destination
This command displays a DHCPv6 server or the VLAN to which client requests are forwarded.
28 IP Interface Commands

An IP Version 4 and Version 6 address may be used for management access to the switch over the network. Both IPv4 and IPv6 addresses can be used simultaneously to access the switch. You can manually configure a specific IPv4 or IPv6 address or direct the switch to obtain an IPv4 address from a DHCP server when it is powered on. To ensure that this router resides at a known location in the network, a global IPv6 address can only be manually configured.
Chapter 28 | IP Interface Commands
IPv4 Interface

Basic IPv4 Configuration

This section describes commands used to configure IP addresses for VLAN interfaces on the switch.
segment that is connected to that interface, and allows you to send IP packets to or from the router.
◆ Before any network interfaces are configured on the router, first create a VLAN for each unique user group, or for each network application and its associated users. Then assign the ports associated with each of these VLANs.
Example
In the following example, the device is assigned an address in VLAN 1.

Console(config)#interface vlan 1
Console(config-if)#ip address 192.168.1.5 255.255.255.0
Console(config-if)#

This example assigns an IP address to VLAN 2 using a classless network mask.

Console(config)#interface vlan 2
Console(config-if)#ip address 10.2.2.
This example shows that the no ip default-gateway command can be used to remove the active default gateway. Note that the active default gateway in the previous example was 192.168.1.224.
ip default-gateway
This command specifies the default gateway for destinations not found in the local routing tables. Use the no form to remove a default gateway.

Syntax
ip default-gateway gateway
no ip default-gateway

gateway - IP address of the default gateway

Default Setting
No default gateway is established.

Command Mode
Global Configuration

Command Usage
◆ The default gateway can also be defined using the following command: ip route 0.0.0.
Related Commands
ip address (722)
ip route (783)
ipv6 default-gateway (735)

show ip interface
This command displays the settings of an IPv4 interface.

show ip interface [vlan vlan-id]

vlan-id - VLAN ID (Range: 1-4094)

Default Setting
VLAN 1

Command Mode
Privileged Exec

Example
Console#show ip interface
VLAN 1 is Administrative Up - Link Down
Address is 70-72-CF-EA-1B-71
Index: 1001, MTU: 1500
Address Mode is DHCP
IP Address: 192.168.2.9 Mask: 255.255.255.
reassembly request datagrams reassembly succeeded reassembly failed IP sent forwards datagrams 5927 requests discards no routes generated fragments fragment succeeded fragment failed ICMP Statistics: ICMP received input errors destination unreachable messages time exceeded messages parameter problem message echo request messages echo reply messages redirect messages timestamp request messages timestamp reply messages source quench messages address mask requ
Default Setting
None

Command Mode
Privileged Exec

Command Usage
◆ Use the traceroute command to determine the path taken to reach a specified destination.
◆ A trace terminates when the destination responds, when the maximum timeout (TTL) is exceeded, or the maximum number of hops is exceeded.
◆ The traceroute command first sends probe datagrams with the TTL value set at one.
ping
This command sends (IPv4) ICMP echo request packets to another node on the network.

Syntax
ping host [count count] [size size]

host - IP address or alias of the host.
count - Number of packets to send. (Range: 1-16)
size - Number of bytes in a packet. (Range: 32-512) The actual packet size will be eight bytes larger than the size specified because the router adds header information.
Ping statistics for 10.1.0.9:
5 packets transmitted, 5 packets received (100%), 0 packets lost (0%)
Approximate round trip times:
Minimum = 0 ms, Maximum = 10 ms, Average = 8 ms
Console#

Related Commands
interface (356)

ARP Configuration

This section describes commands used to configure the Address Resolution Protocol (ARP) on the switch.
◆ You may need to put a static entry in the cache if there is no response to an ARP broadcast message. For example, some applications may not respond to ARP requests or the response arrives too late, causing network operations to time out.
◆ Static entries will not be aged out nor deleted when power is reset. A static entry can only be removed through the configuration interface.

Example
Console(config)#arp 10.1.0.
clear arp-cache
This command deletes all dynamic entries from the Address Resolution Protocol (ARP) cache.

Command Mode
Privileged Exec

Example
This example clears all dynamic entries in the ARP cache.

Console#clear arp-cache
This operation will delete all the dynamic entries in ARP Cache.
Do you want to continue this operation (y/n)?y
Console#

show arp
This command displays entries in the Address Resolution Protocol (ARP) cache.
IPv6 Interface

This switch supports the following IPv6 interface commands.
Table 149: IPv6 Configuration Commands (Continued)

Command (Mode) - Function
show ipv6 nd raguard (PE) - Displays the configuration setting for RA Guard
show ipv6 neighbors (PE) - Displays information in the IPv6 neighbor discovery cache

Interface Address Configuration and Utilities

ipv6 default-gateway
This command sets an IPv6 default gateway to use for destinations with no known next hop. Use the no form to remove a previously configured default gateway.
Related Commands
ip route (783)
show ip route (785)
ip default-gateway (726)

ipv6 address
This command configures an IPv6 global unicast address and enables IPv6 on an interface. Use the no form without any arguments to remove all IPv6 addresses from the interface, or use the no form with a specific IPv6 address to remove that address from the interface.
Console(config-if)#end
Console#show ipv6 interface
VLAN 1 is up
IPv6 is enabled.
Link-local address:
  fe80::2e0:cff:fe02:fd%1/64
Global unicast address(es):
  2001:db8:2222:7272::72/96, subnet is 2001:db8:2222:7272::/96
Joined group address(es):
  ff02::2
  ff02::1:ff00:0
  ff02::1:ff00:72
  ff02::1:ff02:fd
  ff02::1:2
  ff02::1
IPv6 link MTU is 1500 bytes
ND DAD is enabled, number of DAD attempts: 1.
Command Usage
◆ The prefix must be formatted according to RFC 2373 “IPv6 Addressing Architecture,” using 8 colon-separated 16-bit hexadecimal values. One double colon may be used in the address to indicate the appropriate number of zeros required to fill the undefined fields.
◆ If a link local address has not yet been assigned to this interface, this command will dynamically generate a global unicast address and a link-local address for this interface.
  ff02::1:ff00:0
  ff02::1:ff00:72
  ff02::1:ff02:fd
  ff02::1:2
  ff02::1
IPv6 link MTU is 1500 bytes
ND DAD is enabled, number of DAD attempts: 1.
Example
This example assigns a link-local address of FE80::269:3EF9:FE19:6779 to VLAN 1. Note that a prefix in the range of FE80~FEBF is required for link-local addresses, and the first 16-bit group in the host address is padded with a zero in the form 0269.

Console(config)#interface vlan 1
Console(config-if)#ipv6 address FE80::269:3EF9:FE19:6779 link-local
Console(config-if)#end
Console#show ipv6 interface
VLAN 1 is up
IPv6 is enabled.
host portion of the address is generated by converting the switch’s MAC address to modified EUI-64 format (see page 737). This address type makes the switch accessible over IPv6 for all devices attached to the same local subnet.
◆ If a duplicate address is detected on the local segment, this interface will be disabled and a warning message displayed on the console.
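The address forms used in this section can be checked offline when reviewing an interface's configuration. The following is an added example, not code from this guide: it derives a modified EUI-64 address from a MAC, recovers a MAC embedded in an address, and computes the solicited-node groups an interface should have joined. The MAC 00-E0-0C-02-00-FD is inferred from the link-local address in the guide's sample output, and all function names are illustrative.

```python
import ipaddress

# Link-local range: first 16-bit group FE80 through FEBF, i.e. fe80::/10.
LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")
SOLICITED_NODE_NET = ipaddress.IPv6Network("ff02::1:ff00:0/104")

# Values copied from the "show ipv6 interface" sample output in this guide.
PAGE_UNICAST = ["fe80::2e0:cff:fe02:fd%1/64", "2001:db8:2222:7272::72/96"]
PAGE_JOINED = ["ff02::2", "ff02::1:ff00:0", "ff02::1:ff00:72",
               "ff02::1:ff02:fd", "ff02::1:2", "ff02::1"]


def parse_addr(text):
    """Accept the addr%zone/prefix-length form printed by the switch."""
    return ipaddress.IPv6Address(text.split("/")[0].split("%")[0])


def mac_to_interface_id(mac):
    """Return the 8-byte modified EUI-64 interface identifier for a MAC."""
    octets = bytes(int(part, 16) for part in mac.replace(":", "-").split("-"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address: %r" % mac)
    # Invert the universal/local bit and insert FF-FE between the two halves.
    return bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]


def eui64_address(prefix, mac):
    """Combine a prefix of at most 64 bits with the EUI-64 interface ID."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen > 64:
        raise ValueError("EUI-64 needs a prefix of 64 bits or fewer")
    iid = int.from_bytes(mac_to_interface_id(mac), "big")
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def embedded_mac(addr):
    """Return the MAC an EUI-64 address discloses, or None if it has none."""
    iid = parse_addr(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None  # manually assigned or otherwise not EUI-64 derived
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return "-".join("%02X" % b for b in mac)


def solicited_node(addr):
    """Solicited-node multicast group: ff02::1:ff plus the low 24 bits."""
    low24 = int(parse_addr(addr)) & 0xFFFFFF
    return ipaddress.IPv6Address(int(SOLICITED_NODE_NET.network_address) | low24)


def is_link_local(addr):
    return parse_addr(addr) in LINK_LOCAL


def unexplained_groups(unicast_addrs, joined_groups):
    """Joined solicited-node groups that no listed address accounts for."""
    expected = {solicited_node(a) for a in unicast_addrs}
    joined = [parse_addr(g) for g in joined_groups]
    return sorted(str(g) for g in joined
                  if g in SOLICITED_NODE_NET and g not in expected)


if __name__ == "__main__":
    mac = "00-E0-0C-02-00-FD"  # inferred from the guide's link-local address
    print(eui64_address("fe80::/64", mac))
    print(embedded_mac(PAGE_UNICAST[0]), embedded_mac("FE80::269:3EF9:FE19:6779"))
    # ff02::1:ff00:0 is left over: it belongs to an address whose low 24 bits
    # are zero, such as the all-zero interface ID on 2001:db8:2222:7272::/96.
    print(unexplained_groups(PAGE_UNICAST, PAGE_JOINED))
```

An address for which `embedded_mac` returns a value discloses the interface's hardware address to every host that sees it, and a joined group reported by `unexplained_groups` points to an address on the interface that the reviewer has not listed.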
ipv6 mtu
This command sets the size of the maximum transmission unit (MTU) for IPv6 packets sent on an interface. Use the no form to restore the default setting.

Syntax
ipv6 mtu size
no ipv6 mtu

size - Specifies the MTU size. (Range: 1280-65535 bytes)

Default Setting
1500 bytes

Command Mode
Interface Configuration (VLAN)

Command Usage
◆ If a non-default value is configured, an MTU option is included in the router advertisements sent from this device.
show ipv6 interface
This command displays the usability and configured settings for IPv6 interfaces.

Syntax
show ipv6 interface [brief [vlan vlan-id [ipv6-prefix/prefix-length]]]

brief - Displays a brief summary of IPv6 operational status and the addresses configured for each interface.
vlan-id - VLAN ID (Range: 1-4094)
ipv6-prefix - The IPv6 network portion of the address assigned to the interface.
Table 150: show ipv6 interface - display description

Field - Description
VLAN - A VLAN is marked “up” if the switch can send and receive packets on this interface, “down” if a line signal is not present, or “administratively down” if the interface has been disabled by the administrator.
Craft        Up        Down        Unassigned
Console#

Related Commands
show ip interface (727)

show ipv6 mtu
This command displays the maximum transmission unit (MTU) cache for destinations that have returned an ICMP packet-too-big message along with an acceptable MTU to this switch.
too big errors no routes address errors unknown protocols truncated packets discards delivers reassembly request datagrams reassembly succeeded reassembly failed IPv6 sent forwards datagrams 15 requests discards no routes generated fragments fragment succeeded fragment failed ICMPv6 Statistics: ICMPv6 received input errors destination unreachable messages packet too big messages time exceeded messages parameter problem message echo request messages echo rep
Table 152: show ipv6 traffic - display description

Field - Description

IPv6 Statistics
IPv6 received
total received - The total number of input datagrams received by the interface, including those received in error.
header errors - The number of input datagrams discarded due to errors in their IPv6 headers, including version number mismatch, other format errors, hop count exceeded, IPv6 options, etc.
Table 152: show ipv6 traffic - display description (Continued)

Field - Description

IPv6 sent
forwards datagrams - The number of output datagrams which this entity received and forwarded to their final destinations. In entities which do not act as IPv6 routers, this counter will include only those packets which were Source-Routed via this entity, and the Source-Route processing was successful.
Table 152: show ipv6 traffic - display description (Continued)

Field - Description
neighbor solicit messages - The number of ICMP Neighbor Solicit messages received by the interface.
neighbor advertisement messages - The number of ICMP Neighbor Advertisement messages received by the interface.
redirect messages - The number of Redirect messages received by the interface.
Table 152: show ipv6 traffic - display description (Continued)

Field - Description
no port errors - The total number of received UDP datagrams for which there was no application at the destination port.
other errors - The number of received UDP datagrams that could not be delivered for reasons other than the lack of an application at the destination port.
output - The total number of UDP datagrams sent from this entity.
Command Mode
Privileged Exec

Command Usage
◆ Use the ping6 command to see if another site on the network can be reached, or to evaluate delays over the path.
◆ The same link-local address may be used by different interfaces/nodes in different zones (RFC 4007). Therefore, when specifying a link-local address, include zone-id information indicating the VLAN identifier after the % delimiter.
max-failures - The maximum number of failures before which the trace route is terminated. (Range: 1-255)

Default Setting
Maximum failures: 5

Command Mode
Privileged Exec

Command Usage
◆ Use the traceroute6 command to determine the path taken to reach a specified destination.
◆ The same link-local address may be used by different interfaces/nodes in different zones (RFC 4007).
Neighbor Discovery

ipv6 hop-limit
This command configures the maximum number of hops used in router advertisements originated by this router. Use the no form to restore the default setting.

Syntax
ipv6 hop-limit hops
no ipv6 hop-limit

hops - The maximum number of hops in router advertisements and all IPv6 packets.
◆ Duplicate address detection determines if a new unicast IPv6 address already exists on the network before it is assigned to an interface.
◆ Duplicate address detection is stopped on any interface that has been suspended (see the vlan command). While an interface is suspended, all unicast IPv6 addresses assigned to that interface are placed in a “pending” state.
ND advertised router lifetime is 1800 seconds
Console#

Related Commands
ipv6 nd ns-interval (755)
show ipv6 neighbors (760)

ipv6 nd ns-interval
This command configures the interval between transmitting IPv6 neighbor solicitation messages on an interface. Use the no form to restore the default value.

Syntax
ipv6 nd ns-interval milliseconds
no ipv6 nd ns-interval

milliseconds - The interval between transmitting IPv6 neighbor solicitation messages.
Global unicast address(es):
  2001:db8:0:1:2e0:cff:fe02:fd/64, subnet is 2001:db8:0:1::/64[EUI]
  2001:db8:2222:7272::72/96, subnet is 2001:db8:2222:7272::/96
Joined group address(es):
  ff02::2
  ff02::1:ff19:6779
  ff02::1:ff00:0
  ff02::1:ff00:72
  ff02::1:ff02:fd
  ff02::1:2
  ff02::1
IPv6 link MTU is 1500 bytes
ND DAD is enabled, number of DAD attempts: 5.
Example
Console(config)#interface ethernet 1/1
Console(config-if)#ipv6 nd raguard
Console(config-if)#

ipv6 nd reachable-time
This command configures the amount of time that a remote IPv6 node is considered reachable after some reachability confirmation event has occurred. Use the no form to restore the default setting.
ipv6 neighbor
This command configures a static entry in the IPv6 neighbor discovery cache. Use the no form to remove a static entry from the cache.

Syntax
ipv6 neighbor ipv6-address vlan vlan-id hardware-address
no ipv6 mtu

ipv6-address - The IPv6 address of a neighbor device that can be reached through one of the network interfaces configured on this switch.
Example
The following maps a static entry for global unicast address to a MAC address:

Console(config)#ipv6 neighbor 2009:DB9:2229::81 vlan 1 30-65-14-01-11-86
Console(config)#end
Console#show ipv6 neighbors
State: I1 - Incomplete, I2 - Invalid, R - Reachable, S - Stale, D - Delay,
       P1 - Probe, P2 - Permanent, U - Unknown
IPv6 Address        Age        Link-layer Addr    State  VLAN
2009:DB9:2229::80   956        12-34-11-11-43-21  R      1
2009:DB9:2229::81   Permanent  30-65-14-01-11-86  R      1
Example
Console#show ipv6 nd raguard interface ethernet 1/1
Interface RA Guard
--------- -------
Eth 1/ 1  Yes
Console#

show ipv6 neighbors
This command displays information in the IPv6 neighbor discovery cache.

Syntax
show ipv6 neighbors [vlan vlan-id | ipv6-address]

vlan-id - VLAN ID (Range: 1-4094)
ipv6-address - The IPv6 address of a neighbor device.
Chapter 28 | IP Interface Commands
ND Snooping

Table 153: show ipv6 neighbors - display description (Continued)

Field - Description
State - The following states are used for dynamic entries:
  I1 (Incomplete) - Address resolution is being carried out on the entry. A neighbor solicitation message has been sent to the multicast address of the target, but it has not yet returned a neighbor advertisement message.
  I2 (Invalid) - An invalidated mapping.
packet to the target host. If it receives an NA packet in response, it knows that the target still exists and updates the lifetime of the binding; otherwise, it deletes the binding. This section describes commands used to configure ND Snooping.
Command Mode
Global Configuration

Command Usage
◆ Use this command without any keywords to enable ND snooping globally on the switch. Use the VLAN keyword to enable ND snooping on a specific VLAN or a range of VLANs.
◆ Once ND snooping is enabled both globally and on the required VLANs, the switch will start monitoring RA messages to build an address prefix table as described below:
  ■ If an RA message is received on an untrusted interface, it is dropped.
Example
This example enables ND snooping globally and on VLAN 1.

Console(config)#ipv6 nd snooping
Console(config)#ipv6 nd snooping vlan 1
Console(config)#

ipv6 nd snooping auto-detect
This command enables automatic validation of dynamic user binding table entries by periodically sending NS messages and awaiting NA replies. Use the no form to disable this feature.
Command Mode
Global Configuration

Command Usage
The timeout after which the switch will delete a dynamic user binding if no RA message is received is set to the retransmit count x the retransmit interval (see the ipv6 nd snooping auto-detect retransmit interval command). Based on the default settings, this is 3 seconds.
ipv6 nd snooping prefix timeout
This command sets the time to wait for an RA message before deleting an entry in the prefix table. Use the no form to restore the default setting.

Syntax
ipv6 nd snooping prefix timeout timeout
no ipv6 nd snooping prefix timeout

timeout – The time to wait for an RA message to confirm that a prefix entry is still valid.
Example
Console(config)#ipv6 nd snooping max-binding 200
Console(config)#

ipv6 nd snooping trust
This command configures a port as a trusted interface from which prefix information in RA messages can be added to the prefix table, or NS messages can be forwarded without validation. Use the no form to restore the default setting.
Example
Console#clear ipv6 nd snooping binding
Console#show ipv6 nd snooping binding
MAC Address    IPv6 Address                           Lifetime   VLAN Interface
-------------- -------------------------------------- ---------- ---- ---------
Console#

clear ipv6 nd snooping prefix
This command clears all entries in the address prefix table.

Syntax
clear ipv6 nd snooping prefix [interface vlan vlan-id]

vlan-id - VLAN ID.
. . .

show ipv6 nd
This command shows all entries in the dynamic user binding table.
29 VRRP Commands

Virtual Router Redundancy Protocol (VRRP) uses a virtual IP address to support a primary router and multiple backup routers. The backup routers can be configured to take over the workload if the master router fails, or can also be configured to share the traffic load. The primary goal of router redundancy is to allow a host device which has been configured with a fixed gateway to maintain network connectivity in case the primary gateway goes down.
Chapter 29 | VRRP Commands

Default Setting
Disabled

Command Usage
When a host cannot communicate, the first debug method is to ping the host's default gateway to determine whether the problem is in the first hop of the path to the destination. When the default gateway is a virtual router that does not respond to pings, this debug method is unavailable. This vrrp ping-enable command allows the system to respond to pings sent to the virtual IP address.
◆ When a VRRP packet is received from another router in the group, its authentication key is compared to the string configured on this router. If the keys match, the message is accepted. Otherwise, the packet is discarded.
◆ Plain text authentication does not provide any real security. It is supported only to prevent a misconfigured router from participating in VRRP.
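Because the plain text key offers no real protection and is also printed by show vrrp, it is worth checking how widely a key is used and masking it before output is shared. The following is an added example, not code from this guide: it parses text laid out like the show vrrp interface example later in this chapter, flags groups using SimpleText authentication or sharing a key, and redacts the key. The sample text is constructed for illustration (the second and third groups, and the absence of authentication lines on a group without authentication, are assumptions), and all function names are illustrative.

```python
import re
from collections import defaultdict

# Constructed sample; only the first group follows the guide's own example.
SAMPLE_SHOW_VRRP = """\
Vlan 1 - Group 1, State Master
 Virtual IP Address        192.168.1.6
 Virtual MAC Address       00-00-5E-00-01-01
 Priority                  1
 Authentication            SimpleText
 Authentication Key        bluebird
Vlan 2 - Group 7, State Backup
 Virtual IP Address        192.168.2.6
 Virtual MAC Address       00-00-5E-00-01-07
 Priority                  100
 Authentication            SimpleText
 Authentication Key        bluebird
Vlan 3 - Group 9, State Backup
 Virtual IP Address        192.168.3.6
 Virtual MAC Address       00-00-5E-00-01-09
 Priority                  100
"""

HEADER = re.compile(r"^Vlan\s+(\d+)\s+-\s+Group\s+(\d+),\s+State\s+(\S+)")
# Longer names first so "Authentication Key" is not read as "Authentication".
FIELDS = ("Authentication Key", "Authentication", "Virtual IP Address",
          "Virtual MAC Address", "Priority")


def parse_show_vrrp(text):
    """Split the output into one dict per VRRP group."""
    groups, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        match = HEADER.match(line)
        if match:
            current = {"vlan": int(match.group(1)),
                       "group": int(match.group(2)),
                       "state": match.group(3)}
            groups.append(current)
            continue
        if current is None:
            continue
        for name in FIELDS:
            if line.startswith(name + " "):
                current[name] = line[len(name):].strip()
                break
    return groups


def audit(groups):
    """Return ((vlan, group), finding) pairs for review."""
    findings = []
    users_of_key = defaultdict(list)
    for g in groups:
        ident = (g["vlan"], g["group"])
        if g.get("Authentication", "").lower() != "simpletext":
            continue
        # The key guards against misconfiguration only; it is not a secret.
        findings.append((ident, "cleartext-auth"))
        key = g.get("Authentication Key")
        if key is not None:
            findings.append((ident, "key-visible-in-output"))
            users_of_key[key].append(ident)
    for idents in users_of_key.values():
        if len(idents) > 1:
            findings.extend((ident, "key-shared-across-groups") for ident in idents)
    return findings


def redact(text):
    """Mask key values before the output is pasted into a ticket or report."""
    return re.sub(r"(?m)^([ \t]*Authentication Key[ \t]+)\S.*$",
                  r"\1<redacted>", text)


if __name__ == "__main__":
    for ident, finding in audit(parse_show_vrrp(SAMPLE_SHOW_VRRP)):
        print("vlan %d group %d: %s" % (ident[0], ident[1], finding))
    print(redact(SAMPLE_SHOW_VRRP))
```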
Example
This example creates VRRP group 1 using the primary interface for VLAN 1 as the VRRP group Owner.

Console(config)#interface vlan 1
Console(config-if)#vrrp 1 ip 192.168.1.6
Console(config-if)#

vrrp preempt
This command configures the router to take over as the master virtual router for a VRRP group if it has a higher priority than the current acting master router. Use the no form to disable preemption.
vrrp priority
This command sets the priority of this router in a VRRP group. Use the no form to restore the default setting.

Syntax
vrrp group priority level
no vrrp group priority

group - Identifies the VRRP group. (Range: 1-255) The maximum number of groups which can be defined is 64.
level - Priority of this router in the VRRP group.
vrrp timers advertise
This command sets the interval at which the master virtual router sends advertisements communicating its state as the master. Use the no form to restore the default interval.

Syntax
vrrp group timers advertise interval
no vrrp group timers advertise

group - Identifies the VRRP group. (Range: 1-255) The maximum number of groups which can be defined is 64.
interval - Advertisement interval for the master virtual router.
Command Mode
Privileged Exec

Command Usage
◆ Use this command without any keywords to display the full listing of status information for all VRRP groups configured on this router.
◆ Use this command with the brief keyword to display a summary of status information for all VRRP groups configured on this router.
◆ Specify a group number to display status information for a specific group.

Example
This example displays the full listing of status information for all groups.
Table 156: show vrrp - display description (Continued)

Field - Description
Master Advertisement Interval - The advertisement interval configured on the VRRP master.
Master Down interval - The down interval configured on the VRRP master (This interval is used by all the routers in the group regardless of their local settings)

This example displays the brief listing of status information for all groups.
Example
This example displays the full listing of status information for VLAN 1.

Console#show vrrp interface vlan 1
Vlan 1 - Group 1, State Master
Virtual IP Address        192.168.1.6
Virtual MAC Address       00-00-5E-00-01-01
Advertisement Interval    5 sec
Preemption                Enabled
Min Delay                 10 sec
Priority                  1
Authentication            SimpleText
Authentication Key        bluebird
Master Router             192.168.1.
show vrrp router counters
This command displays counters for errors found in VRRP protocol packets.

Command Mode
Privileged Exec

Example
Note that unknown errors indicate VRRP packets received with an unknown or unsupported version number.
30 IP Routing Commands

After network interfaces are configured for the switch, the paths used to send traffic between different interfaces must be set. If routing is enabled on the switch, traffic will automatically be forwarded between all of the local subnetworks.
Chapter 30 | IP Routing Commands
Global Routing Configuration

Table 159: Global Routing Configuration Commands (Continued)

Command (Mode) - Function
show ip traffic (PE) - Displays statistics for IP, ICMP, UDP, TCP and ARP protocols

IPv6 Commands
ipv6 route (GC) - Configures static routes
show ipv6 route (PE) - Displays specified entries in the routing table

ECMP Commands
ecmp load-balance (GC) - Configures the load-balance method used when there are multiple equal-cost paths to the same destination address incl
Table 159: Global Routing Configuration Commands (Continued)

Command (Mode) - Function
show ecmp load-balance (PE) - Shows the load-balance method used when there are multiple equal-cost paths to the same destination
show hash-selection list (PE) - Shows the packet type and hash list attributes

1 MAC HS – MAC hash selection.
2 IPv4 HS – IPv4 hash selection.
3
◆ If both static and dynamic paths have the same lowest cost, the first route stored in the routing table, either statically configured or dynamically learned via a routing protocol, will be used.
◆ Static routes are included in RIP and OSPF updates periodically sent by the router if this feature is enabled by the RIP or OSPF redistribute command (see page 806 or page 827, respectively).
show ip route
This command displays information in the Forwarding Information Base (FIB).

Syntax
show ip route [bgp | connected | database | ospf | rip | static | summary]

bgp – Displays external routes imported from the Border Gateway Protocol (BGP) into this routing domain.
connected – Displays all currently connected entries.
database – All known routes, including inactive routes.
Example
In the following example, note that the entry for RIP displays both the distance and metric for this route.

Console#show ip route
Codes: C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default

R 10.1.1.
show ip route summary
This command displays summary information for the routing table.

Command Mode
Privileged Exec

Example
In the following example, the numeric identifier following the routing table name (0) indicates the Forwarding Information Base (FIB) identifier.
address mask request messages address mask reply messages ICMP sent output errors destination unreachable messages time exceeded messages parameter problem message echo request messages echo reply messages redirect messages timestamp request messages timestamp reply messages source quench messages address mask request messages address mask reply messages UDP Statistics: 2 input no port errors other errors output TCP Statistics: 4698 input input
◆ If dstip-l4-port is selected, traffic matching the same destination IP address and L4 protocol port will be carried across the same ECMP path.
◆ If hash-selection-list is selected, use the hash-selection list command to enter hash-selection list configuration mode, and then configure the required hash list attributes.
maximum-paths
This command sets the maximum number of paths allowed. Use the no form to restore the default settings.

Syntax
maximum-paths path-count
no maximum-paths

path-count - The maximum number of equal-cost paths to the same destination that can be installed in the routing table.
Example
Console(config)#hash-selection list 1 mac
Console(config-mac-hash-sel)#ethertype
Console#

src-mac (MAC Hash)
This command adds the source-mac address hash attribute to the hash selection list. Use the no form to remove the specified attribute.
Example
Console(config)#hash-selection list 2 ipv4
Console(config-ipv4-hash-sel)#dst-ip
Console#

dst-l4-port (IPv4 Hash)
This command adds the destination Layer 4 protocol port hash attribute to the hash selection list. Use the no form to remove the specified attribute.
Example
Console(config)#hash-selection list 2 ipv4
Console(config-ipv4-hash-sel)#src-ip
Console#

src-l4-port (IPv4 Hash)
This command adds the source Layer 4 protocol port hash attribute to the hash selection list. Use the no form to remove the specified attribute.
Command Usage
An example of an IPv6 address in full form and collapsed form is shown below.

Full IPv6 Address: FE80:0000:0000:0000:0202:B3FF:FE1E:8329
Collapsed IPv6 Address: FE80::0202:B3FF:FE1E:8329

Example
Console(config)#hash-selection list 3 ipv6
Console(config-ipv6-hash-sel)#collapsed-dst-ip
Console#

collapsed-src-ip (IPv6 Hash)
This command adds the collapsed source IPv6 address hash attribute to the hash selection list.
next-header (IPv6 Hash)
This command adds the next header hash attribute to the hash selection list. Use the no form to remove the specified attribute.

Syntax
[no] next-header

Command Mode
IPv6 hash selection mode

Command Usage
The next header identifies the type of header immediately following the IPv6 header.
Example
Console(config)#hash-selection list 3 ipv6
Console(config-ipv4-hash-sel)#vlan
Console#

show ecmp load-balance
This command shows the load-balance method used when there are multiple equal-cost paths to the same destination.

Command Mode
Privileged Exec

Example
The default setting is shown in the following example.
IPv6 Commands

ipv6 route

This command configures static IPv6 routes. Use the no form to remove static routes.

Syntax
ipv6 route destination-ipv6-address/prefix-length {gateway-address [distance] | link-local-address%zone-id [distance]}
no ipv6 route destination-ipv6-address/prefix-length {gateway-address | link-local-address%zone-id}

destination-ipv6-address – The IPv6 address of a destination network, subnetwork, or host.

◆ If both static and dynamic paths have the same lowest cost, the first route stored in the routing table, either statically configured or dynamically learned via a routing protocol, will be used.
◆ Static routes are included in RIP, OSPF and BGP updates periodically sent by the router if this feature is enabled by the RIP, OSPF or BGP redistribute command (see page 806, 827, 869 or 920 respectively).

Command Usage
◆ The FIB contains information required to forward IP traffic. It contains the interface identifier and next hop information for each reachable destination network prefix based on the IP routing table. When routing or topology changes occur in the network, the routing table is updated, and those changes are immediately reflected in the FIB.
Routing Information Protocol (RIP)
Command Mode
Global Configuration

Default Setting
Disabled

Command Usage
◆ RIP is used to specify how routers exchange routing table information.
◆ This command is also used to enter router configuration mode.

Example
Console(config)#router rip
Console(config-router)#

Related Commands
network (805)

default-information originate

This command generates a default external route into the local RIP autonomous system.
default-metric

This command sets the default metric assigned to external routes imported from other protocols. Use the no form to restore the default value.

Syntax
default-metric metric-value
no default-metric

metric-value – Metric assigned to external routes. (Range: 1-15)

Default Setting
1

Command Mode
Router Configuration

Command Usage
This command does not override the metric value set by the redistribute command.

distance

This command defines an administrative distance for external routes learned from other routing protocols. Use the no form to restore the default setting.

Syntax
[no] distance distance network-address netmask

distance - Administrative distance for external routes. External routes are routes for which the best path is learned from a neighbor external to the local RIP autonomous system.

Command Mode
Router Configuration

Command Usage
All the learned RIP routes may not be copied to the hardware tables in ASIC for fast data forwarding because of hardware resource limitations.

Example
Console(config-router)#maximum-prefix 1024
Console(config-router)#

neighbor

This command defines a neighboring router with which this router will exchange routing information. Use the no form to remove an entry.
network

This command specifies the network interfaces that will be included in the RIP routing process. Use the no form to remove an entry.

Syntax
[no] network {ip-address netmask | vlan vlan-id}

ip-address – IP address of a network directly connected to this router.
netmask - Network mask for the route. This mask identifies the network address bits used for the associated routing entries.
vlan-id - VLAN ID.

passive-interface

This command stops RIP from sending routing updates on the specified interface. Use the no form to disable this feature.

Syntax
[no] passive-interface vlan vlan-id

vlan-id - VLAN ID.

metric-value - Metric value assigned to all external routes for the specified protocol. (Range: 1-16)

Default Setting
redistribution - none
metric-value - set by the default-metric command

Command Mode
Router Configuration

Command Usage
When a metric value has not been configured by the redistribute command, the default-metric command sets the metric value to be used for all imported external routes.
timers basic

This command configures the RIP update timer, timeout timer, and garbage-collection timer. Use the no form to restore the defaults.

Syntax
timers basic update timeout garbage
no timers basic

update – Sets the update timer to the specified value. (Range: 5-2147483647 seconds)
timeout – Sets the timeout timer to the specified value. (Range: 90-360 seconds)
garbage – Sets the garbage collection timer to the specified value.
version

This command specifies a RIP version used globally by the router. Use the no form to restore the default value.

Syntax
version {1 | 2}
no version

1 - RIP Version 1
2 - RIP Version 2

Default Setting
Receive: Accepts RIPv1 or RIPv2 packets
Send: Route information is broadcast to other routers with RIPv2.
ip rip authentication mode

This command specifies the type of authentication that can be used for RIPv2 packets. Use the no form to restore the default value.

Syntax
ip rip authentication mode {md5 | text}
no ip rip authentication mode

md5 - Message Digest 5 (MD5) authentication
text - Indicates that a simple password will be used.

ip rip authentication string

This command specifies an authentication key for RIPv2 packets. Use the no form to delete the authentication key.

Syntax
ip rip authentication string key-string
no ip rip authentication string

key-string - A password used for authentication.
Default Setting
RIPv1 and RIPv2 packets

Command Mode
Interface Configuration (VLAN)

Command Usage
◆ Use this command to override the global setting specified by the RIP version command.
◆ You can specify the receive version based on these options:
  ■ Use version 1 or version 2 if all routers in the local network are based on RIPv1 or RIPv2, respectively.

Command Usage
Use the no form of this command if it is not required to add any dynamic entries to the routing table for an interface. For example, when only static routes are to be allowed for a specific interface.

Example
Console(config)#interface vlan 1
Console(config-if)#ip rip receive-packet
Console(config-if)#

Related Commands
ip rip send-packet (814)

ip rip send version

This command specifies a RIP version to send on an interface.

Example
This example sets the interface version for VLAN 1 to send RIPv1 packets.
Console(config)#interface vlan 1
Console(config-if)#ip rip send version 1
Console(config-if)#

Related Commands
version (809)

ip rip send-packet

This command configures the interface to send RIP packets. Use the no form to disable this feature.
ip rip split-horizon

This command enables split-horizon or poison-reverse (a variation) on an interface. Use the no form to disable this function.

Syntax
ip rip split-horizon [poisoned]
no ip rip split-horizon

poisoned - Enables poison-reverse on the current interface.
ospf - Deletes all entries learned through the Open Shortest Path First routing protocol.
rip - Deletes all entries learned through the Routing Information Protocol.
static - Deletes all static entries.

Default Setting
None

Command Mode
Privileged Exec

Command Usage
Using this command with the “all” parameter clears the RIP table of all routes.

Distance: Default is 120
Console#

show ip rip

This command displays information about RIP routes and configuration settings. Use this command without any keywords to display all RIP routes.

Syntax
show ip rip [interface [vlan vlan-id]]

interface - Shows RIP configuration settings for all interfaces or for a specified interface.
vlan-id - VLAN ID.
Open Shortest Path First (OSPFv2)

Table 162: Open Shortest Path First Commands (Continued)

Command | Function | Mode
ip ospf priority | Sets the router priority used to determine the designated router | IC
ip ospf retransmit-interval | Specifies the time between resending a link-state advertisement | IC
ip ospf transmit-delay | Estimates time to send a link-state update packet over an interface | IC
passive-interface | Suppresses OSPF routing traffic on the specified interface

Example
Console(config)#router ospf
Console(config-router)#

Related Commands
network area (836)

compatible rfc1583

This command calculates summary route costs using RFC 1583 (early OSPFv2). Use the no form to calculate costs using RFC 2328 (OSPFv2).
default-information originate

This command generates a default external route into an autonomous system. Use the no form to disable this feature.

Syntax
default-information originate [always] [metric interface-metric] [metric-type metric-type]
no default-information originate [always | metric | metric-type]

always - Always advertise itself as a default external route for the local AS regardless of whether the router has a default route.
routes, the internal cost is only used as a tie-breaker if several Type 2 routes have the same cost.
◆ This command should not be used to generate a default route for a stub or NSSA. To generate a default route for these area types, use the area stub or area nssa commands.

Example
This example assigns a metric of 20 to the default external route advertised into an autonomous system, sending it as a Type 2 external metric.

◆ If the priority values of the routers bidding to be the designated router or backup designated router for an area are equal, the router with the highest ID is elected.

Example
Console(config-router)#router-id 10.1.1.

clear ip ospf process

This command clears and restarts the OSPF routing process. Specify the process ID to clear a particular OSPF process. When no process ID is specified, this command clears all running OSPF processes.

Syntax
clear ip ospf [process-id] process

process-id - Specifies the routing process ID. (Range: 1-65535)

Default Setting
Clears all routing processes.

Example
Console(config-router)#area 10.3.9.0 default-cost 10
Console(config-router)#

Related Commands
area stub (833)
area nssa (831)

area range

This command summarizes the routes advertised by an Area Border Router (ABR). Use the no form to disable this function.

Syntax
[no] area area-id range ip-address netmask [advertise | not-advertise]

area-id - Identifies an area for which the routes are summarized.
Example
This example creates a summary address for all area routes in the range of 10.2.x.x.
Console(config-router)#area 10.2.0.0 range 10.2.0.0 255.255.0.0 advertise
Console(config-router)#

auto-cost reference-bandwidth

Use this command to calculate the default metrics for an interface based on bandwidth. Use the no form to automatically assign costs based on interface type.
default-metric

This command sets the default metric for external routes imported from other protocols. Use the no form to remove the default metric for the supported protocol types.

Syntax
default-metric metric-value
no default-metric

metric-value – Metric assigned to all external routes imported from other protocols.

rip – Imports external routes learned through Routing Information Protocol (RIP) into this routing domain.
static - Static routes will be imported into this Autonomous System.
metric-value - Metric assigned to all external routes for the specified protocol. (Range: 0-16777214)
type-value
1 - Type 1 external route
2 - Type 2 external route (default) - Routers do not add internal route metric to external route metric.

Example
This example redistributes routes learned from BGP as Type 1 external routes.
Console(config-router)#redistribute bgp metric-type 1
Console(config-router)#

Related Commands
default-information originate (821)

summary-address

This command aggregates routes learned from other protocols. Use the no form to remove a summary address.

Area Configuration

area authentication

This command enables authentication for an OSPF area. Use the no form to remove authentication for an area.

Syntax
[no] area area-id authentication [message-digest]

area-id - Identifies an area for which authentication is to be configured. The area ID can be in the form of an IPv4 address or as a four octet unsigned integer ranging from 0-4294967295.
Example
This example enables message-digest authentication for the specified area.
Console(config-router)#area 10.3.0.0 authentication message-digest
Console(config-router)#

Related Commands
ip ospf authentication-key (839)
ip ospf message-digest-key (842)

area nssa

This command defines a not-so-stubby area (NSSA). To remove an NSSA, use the no form without any optional keywords.
type-value
1 - Type 1 external route
2 - Type 2 external route (default) - Routers do not add internal cost to the external route metric.

Command Mode
Router Configuration

Default Setting
No NSSA is configured.

Command Usage
◆ All routers in a NSSA must be configured with the same area ID.

area stub

This command defines a stub area. To remove a stub, use the no form without the optional keyword. To remove the summary attribute, use the no form with the summary keyword.

Syntax
[no] area area-id stub [no-summary]

area-id - Identifies the stub area. The area ID can be in the form of an IPv4 address or as a four octet unsigned integer ranging from 0-4294967295.

area virtual-link

This command defines a virtual link. To remove a virtual link, use the no form with no optional keywords. To restore the default value for an attribute, use the no form with the required keyword.

transmit-delay seconds - Estimates the time required to send a link-state update packet over the virtual link, considering the transmission and propagation delays. LSAs have their age incremented by this amount before transmission. This value must be the same for all routers attached to an autonomous system. (Range: 1-65535 seconds; Default: 1 second)
authentication - Specifies the authentication mode.
configured as a backup connection that can take over if the normal connection to the backbone fails.
◆ A virtual link can be configured between any two backbone routers that have an interface to a common non-backbone area. The two routers joined by a virtual link are treated as if they were connected by an unnumbered point-to-point network.
Command Usage
◆ An area ID uniquely defines an OSPF broadcast area. The area ID 0.0.0.0 indicates the OSPF backbone for an autonomous system. Each router must be connected to the backbone via a direct connection or a virtual link.
◆ Set the area ID to the same value for all routers on a network segment using the network mask to add one or more interfaces to an area.

Command Usage
◆ Use authentication to prevent routers from inadvertently joining an unauthorized area. Configure routers in the same area with the same password or key. All neighboring routers on the same network with the same password will exchange routing data.
◆ This command creates a password (key) that is inserted into the OSPF header when routing protocol packets are originated by this device.
ip ospf authentication-key

This command assigns a simple password to be used by neighboring routers to verify the authenticity of routing protocol messages. Use the no form to remove the password.

Syntax
ip ospf [ip-address] authentication-key key
no ip ospf [ip-address] authentication-key

ip-address - This parameter can be used to indicate a specific IP address connected to the current interface.
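The RIP and OSPF authentication commands in this chapter (ip rip authentication mode, ip rip authentication string, area authentication) can be checked offline against a saved configuration, since both protocols' simple-password modes carry the key in clear text and RIPv1 carries no authentication at all. The Python script below is an added example, not part of this guide or of the switch software; the saved-configuration layout, the sample configuration and the finding codes are assumptions made for illustration.

```python
"""Audit RIP/OSPF authentication in a saved switch configuration (added example).

ASSUMPTION: one command per line, unindented block headers ("router rip",
"interface vlan N") with their commands indented beneath them.
"""
import re

# Constructed sample configuration (not taken from a real device).
SAMPLE_CONFIG = """\
router rip
 network vlan 1
 network vlan 2
 network vlan 3
 network vlan 4
!
router ospf
 area 10.2.0.0 authentication message-digest
 area 10.2.0.0 range 10.2.0.0 255.255.0.0 advertise
 area 10.3.0.0 authentication
 area 10.3.9.0 default-cost 10
!
interface vlan 1
 ip rip authentication mode md5
 ip rip authentication string EXAMPLE-KEY-1
!
interface vlan 2
 ip rip authentication mode text
 ip rip authentication string EXAMPLE-KEY-2
!
interface vlan 3
 ip rip send version 1
!
"""

# Finding codes are names chosen for this example, not switch output.
MESSAGES = {
    "rip-v1": "sends RIPv1, which has no authentication field",
    "rip-no-auth": "RIP is enabled but no authentication mode is configured",
    "rip-text": "simple password: the key travels in clear text in each update",
    "rip-md5-no-key": "md5 mode is selected but no authentication string is set",
    "ospf-no-auth": "area is referenced but has no authentication command",
    "ospf-simple": "area uses a simple password instead of message-digest",
}

def parse_blocks(config):
    """Return {block header: [commands]} for the assumed layout."""
    blocks, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if not raw[0].isspace():          # unindented line opens a block
            current = line
            blocks.setdefault(current, [])
        elif current is not None:
            blocks[current].append(line)
    return blocks

def audit_rip(blocks):
    """Check every VLAN named by 'network vlan N' under 'router rip'."""
    findings = []
    rip_cmds = "\n".join(blocks.get("router rip", []))
    for vlan in re.findall(r"^network vlan (\d+)$", rip_cmds, re.M):
        where = f"interface vlan {vlan}"
        cmds = blocks.get(where, [])
        modes = [c.split()[-1] for c in cmds if c.startswith("ip rip authentication mode ")]
        has_key = any(c.startswith("ip rip authentication string ") for c in cmds)
        if "ip rip send version 1" in cmds:
            findings.append((where, "rip-v1"))
        elif not modes:
            findings.append((where, "rip-no-auth"))
        elif modes[-1] == "text":
            findings.append((where, "rip-text"))
        elif not has_key:
            findings.append((where, "rip-md5-no-key"))
    return findings

def audit_ospf(blocks):
    """Check every area referenced by an 'area ...' command under 'router ospf'."""
    areas = {}
    ospf_cmds = "\n".join(blocks.get("router ospf", []))
    for area, rest in re.findall(r"^area (\S+) (.+)$", ospf_cmds, re.M):
        areas.setdefault(area, "ospf-no-auth")
        if rest == "authentication message-digest":
            areas[area] = None            # strongest mode this chapter documents
        elif rest == "authentication":
            areas[area] = "ospf-simple"
    return [(f"area {a}", code) for a, code in areas.items() if code]

def audit(config):
    """Return a list of (location, finding code) pairs for the configuration."""
    blocks = parse_blocks(config)
    return audit_rip(blocks) + audit_ospf(blocks)

if __name__ == "__main__":
    for where, code in audit(SAMPLE_CONFIG):
        print(f"{where}: {MESSAGES[code]}")
```

An empty result means every RIP interface and every referenced OSPF area uses the message-digest option; it does not check that neighbors share the same key.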
ip ospf cost

This command explicitly sets the cost of sending a protocol packet on an interface, where higher values indicate slower ports. Use the no form to restore the default value.

Syntax
ip ospf [ip-address] cost cost
no ip ospf [ip-address] cost

ip-address - This parameter can be used to indicate a specific IP address connected to the current interface.

ip ospf dead-interval

This command sets the interval at which hello packets are not seen before neighbors declare the router down. Use the no form to restore the default value.

Syntax
ip ospf [ip-address] dead-interval seconds
no ip ospf [ip-address] dead-interval

ip-address - This parameter can be used to indicate a specific IP address connected to the current interface.

Command Mode
Interface Configuration (VLAN)

Default Setting
10 seconds

Command Usage
Hello packets are used to inform other routers that the sending router is still active. Setting the hello interval to a smaller value can reduce the delay in detecting topological changes, but will increase routing traffic.
◆ When changing to a new key, the router will send multiple copies of all protocol messages, one with the old key and another with the new key. Once all the neighboring routers start sending protocol messages back to this router with the new key, the router will stop using the old key. This rollover process gives the network administrator time to update all the routers on the network without affecting the network connectivity.

become the DR and the router with the next highest priority becomes the BDR. If two or more routers are tied with the same highest priority, the router with the higher ID will be elected.
◆ If a DR already exists for a network segment when this interface comes up, the new router will accept the current DR regardless of its own priority. The DR will not change until the next time the election process is initiated.

Example
Console(config)#interface vlan 1
Console(config-if)#ip ospf retransmit-interval 7
Console(config-if)#

ip ospf transmit-delay

This command sets the estimated time to send a link-state update packet over an interface. Use the no form to restore the default value.

passive-interface

This command suppresses OSPF routing traffic on the specified interface. Use the no form to allow routing traffic to be sent and received on the specified interface.

Syntax
[no] passive-interface vlan vlan-id [ip-address]

vlan-id - VLAN ID. (Range: 1-4094)
ip-address - An IPv4 address configured on this interface.
Number of incoming current DD exchange neighbors 0/5
Number of outgoing current DD exchange neighbors 0/5
Number of external LSA 0. Checksum 0x000000
Number of opaque AS LSA 0. Checksum 0x000000
LSDB database overflow limit is 20480
Number of LSA originated 1
Number of LSA received 0
Number of areas attached to this router: 1
Area 192.168.1.

Table 163: show ip ospf - display description (Continued)

Field | Description
Number of LSA originated | The number of new link-state advertisements that have been originated.
Number of LSA received | The number of link-state advertisements that have been received.
Number of areas attached to this router | The number of configured areas attached to this router.

show ip ospf database

This command shows information about different OSPF Link State Advertisements (LSAs) stored in this router’s database.

Syntax
show ip ospf [process-id] database [asbr-summary | external | network | nssa-external | router | summary] [adv-router ip-address | link-state-id | self-originate]

process-id - The ID of the router process for which information will be displayed.
Net Link States (Area 0.0.0.0)
Link ID      ADV Router   Age  Seq#        CkSum
192.168.0.2  192.168.0.2  225  0x80000001  0x9c0f

AS External Link States
Link ID  ADV Router   Age  Seq#        CkSum   Route         Tag
0.0.0.0  192.168.0.2  487  0x80000001  0xd491  E2 0.0.0.0/0  0
0.0.0.0  192.168.0.3  222  0x80000001  0xce96  E2 0.0.0.0/0  0
Console#

Table 164: show ip ospf database - display description

Field | Description
OSPF Router Process with ID | OSPF process ID and router ID.
Table 165: show ip ospf database summary - display description

Field | Description
OSPF Router ID | Router ID
LS Age | Age of LSA (in seconds)
Options | Optional capabilities associated with the LSA
LS Type | Summary Links - LSA describes routes to AS boundary routers
Link State ID | Interface address of the autonomous system boundary router
Advertising Router | Advertising router ID
LS Sequence Number | Sequence number of LSA (used to detec

Metric: 1
Forward Address: 0.0.0.
Table 168: show ip ospf database router - display description

Field | Description
OSPF Router ID | Router ID
LS Age | Age of LSA (in seconds)
Options | Optional capabilities associated with the LSA
Flags | Indicate if this router is a virtual link endpoint, an ASBR, or an ABR
LS Type | Router Link - LSA describes the router's interfaces.

Table 169: show ip ospf database summary - display description

Field | Description
OSPF Router ID | Router ID
LS Age | Age of LSA (in seconds)
Options | Optional capabilities associated with the LSA
LS Type | Summary Links - LSA describes routes to networks
Link State ID | Router ID of the router that originated the LSA
Advertising Router | Advertising router ID
LS Sequence Number | Sequence number of LSA (used to detect older duplicate LSAs

Table 170: show ip ospf interface - display description

Field | Description
VLAN | VLAN ID and Status of physical link
Internet Address | IP address of OSPF interface
Area | OSPF area to which this interface belongs
MTU | Maximum transfer unit
Process ID | OSPF process ID
Router ID | Router ID
Network Type | Includes broadcast, non-broadcast, or point-to-point networks
Cost | Interface transmit cost
Transmit Delay | Interface transmit delay
show ip ospf neighbor

This command displays information about neighboring routers on each interface within an OSPF area.

Syntax
show ip ospf [process-id] neighbor

process-id - The ID of the router process for which information will be displayed. (Range: 1-65535)

Command Mode
Privileged Exec

Example
Console#show ip ospf neighbor
ID              Pri    State            Address         Interface
--------------- ------ ---------------- --------------- -------------
192.168.0.

show ip ospf route

This command displays the OSPF routing table.

Syntax
show ip ospf [process-id] route

process-id - The ID of the router process for which information will be displayed.

Table 172: show ip ospf virtual-links - display description

Field | Description
Virtual Link to router | OSPF neighbor and link state (up or down)
Transit area | Common area the virtual link crosses to reach the target router
Local address | The IP address of ABR that serves as an endpoint connecting the isolated area to the common transit area.
Remote address | The IP address this virtual neighbor is using.
Table 173: show ip protocols ospf - display description (Continued)

Field | Description
Routing for Summary Address | Shows the networks for which route summarization is in effect
Distance | The administrative distance used for external routes learned by OSPF (see the ip route command).

Open Shortest Path First (OSPFv3)

Table 174: Open Shortest Path First Commands (Version 3) (Continued)

Command | Function | Mode
ipv6 ospf retransmit-interval | Specifies the time between resending a link-state advertisement | IC
ipv6 ospf transmit-delay | Estimates time to send a link-state update packet over an interface | IC
passive-interface | Suppresses OSPF routing traffic on the specified interface | RC
show ipv6 ospf | Displays general information about the routing proce
General Configuration

router ipv6 ospf

This command creates an Open Shortest Path First (OSPFv3) routing process and enters router configuration mode. Use the no form to disable OSPF for all processes or for a specified process.

Syntax
[no] router ipv6 ospf [tag process-name]

process-name - A process name must be entered when configuring multiple routing instances.

abr-type

This command sets the criteria used to determine if this router can declare itself an ABR and issue Type 3 and Type 4 summary LSAs. Use the no form to restore the default setting.

Syntax
abr-type {cisco | ibm | standard}
no abr-type

cisco - ABR criteria and functional behavior is based on RFC 3509.
summary-LSAs are examined. Otherwise (when either the router is not an ABR or it has no active backbone connection), the router should consider summary-LSAs from all actively attached areas. This ensures that the summary-LSAs originated by area border routers advertise only intra-area routes into the backbone if the router has an active backbone connection, and advertises both intra-area and inter-area routes into the other areas.
router-id

This command assigns a unique router ID for this device within the autonomous system for the current OSPFv3 process. Use the no form to restore the default setting.

Syntax
router-id ip-address
no router-id

ip-address - Router ID formatted as an IPv4 address.

Command Mode
Router Configuration

Default Setting
None

Command Usage
◆ This command sets the router ID for the OSPF process specified in the router ipv6 ospf command.
timers spf

This command configures the delay between receiving a topology change and starting the shortest path first (SPF) calculation, and the hold time between making two consecutive SPF calculations. Use the no form to restore the default values.

Syntax
timers spf spf-delay spf-holdtime
no timers spf

spf-delay - The delay between receiving a topology change notification and starting the SPF calculation.
Command Mode
Router Configuration

Default Setting
Default cost: 1

Command Usage
◆ If the default cost is set to “0,” the router will not advertise a default route into the attached stub.

Example
Console(config)#router ipv6 ospf tag 1
Console(config-router)#area 1 default-cost 1
Console(config-router)#

Related Commands
area stub (833)

area range

This command summarizes the routes advertised by an Area Border Router (ABR).

◆ If the network addresses within an area are assigned in a contiguous manner, the ABRs can advertise a summary route that covers all of the individual networks within the area that fall into the specified range using a single area range command.
◆ If routes are set to be advertised by this command, the router will issue a Type 3 summary LSA for each address range specified by this command.

Related Commands
redistribute (869)

redistribute

This command redistributes external routing information from other routing protocols and static routes into an autonomous system. Use the no form to disable this feature or to restore the default settings.
Example
This example redistributes automatically connected routes as Type 1 external routes.
Console(config-router)#redistribute connected metric-type 1
Console(config-router)#

Area Configuration

area stub

This command defines a stub area. To remove a stub, use the no form without the optional keyword. To remove the summary attribute, use the no form with the summary keyword.

◆ Use the area default-cost command to specify the cost of a default summary route sent into a stub by an ABR attached to the stub area.

Example
This example creates a stub area 2, and makes it totally stubby by blocking all Type 3 summary LSAs.
Console(config-router)#area 2 stub no-summary
Console(config-router)#

Related Commands
area default-cost (866)

area virtual-link

This command defines a virtual link.

adequate flow of routing information, but does not produce unnecessary protocol traffic. However, note that this value should be larger for virtual links. (Range: 1-65535 seconds; Default: 5 seconds)
transmit-delay seconds - Estimates the time required to send a link-state update packet over the virtual link, considering the transmission and propagation delays. LSAs have their age incremented by this amount before transmission.

ipv6 router ospf area

This command binds an OSPF area to the selected interface. Use the no form to remove an OSPF area, disable an OSPF process, or remove an instance identifier from an interface.

Syntax
[no] ipv6 router ospf area area-id [tag process-name | instance-id instance-id]

area-id - Area to bind to the current Layer 3 interface. An OSPF area identifies a group of routers that share common routing information.
Console(config-if)#
Related Commands
router ipv6 ospf (862)
router-id (865)
ipv6 router ospf tag area (874)

ipv6 router ospf tag area
This command binds an OSPF area to the selected interface and process. Use the no form to remove the specified area from an interface.
[no] ipv6 router ospf tag process-name area area-id [instance-id instance-id]
area-id - Area to bind to the current Layer 3 interface.
Example
This example assigns area 0.0.0.1 to the currently selected interface under routing process “1.”
Console(config)#interface vlan 1
Console(config-if)#ipv6 router ospf tag 1 area 0.0.0.
Example
Console(config)#interface vlan 1
Console(config-if)#ipv6 ospf cost 10
Console(config-if)#

ipv6 ospf dead-interval
This command sets the interval at which hello packets are not seen before neighbors declare the router down. Use the no form to restore the default value.
ipv6 ospf hello-interval
This command specifies the interval between sending hello packets on an interface. Use the no form to restore the default value.
Syntax
ipv6 ospf hello-interval seconds [instance-id instance-id]
no ipv6 ospf hello-interval [instance-id instance-id]
seconds - Interval at which hello packets are sent from an interface. This interval must be set to the same value for all routers on the network.
Command Mode
Interface Configuration (VLAN)
Default Setting
1
Command Usage
◆ A designated router (DR) and backup designated router (BDR) are elected for each OSPF area based on Router Priority. The DR forms an active adjacency to all other routers in the area to exchange routing topology information. If for any reason the DR fails, the BDR takes over this role.
Default Setting
5 seconds
Command Usage
◆ A router will resend an LSA to a neighbor if it receives no acknowledgment after the specified retransmit interval. The retransmit interval should be set to a conservative value that provides an adequate flow of routing information, but does not produce unnecessary protocol traffic. Note that this value should be larger for virtual links.
problem, use the transmit delay to force the router to wait a specified interval between transmissions.
Example
Console(config)#interface vlan 1
Console(config-if)#ipv6 ospf transmit-delay 6
Console(config-if)#

passive-interface
This command suppresses OSPF routing traffic on the specified interface. Use the no form to allow routing traffic to be sent and received on the specified interface.
Example
Console#show ipv6 ospf
Routing Process "ospf 1" with ID 192.168.0.2
Process uptime is 24 minutes
Supports only single TOS(TOS0) routes
SPF schedule delay 5 secs, Hold time between two SPFs 10 secs
Number of incoming concurrent DD exchange neighbors 0/5
Number of outgoing concurrent DD exchange neighbors 0/5
Number of external LSA 0. Checksum 0x000000
Number of opaque AS LSA 0.
Table 175: show ip ospf - display description (Continued)
Field | Description
Number of areas attached to this router | The number of configured areas attached to this router.
Area Information |
Area | The area identifier. Note that “(Inactive)” will be displayed if no IPv6 address has been configured on the interface.
Table 176: show ip ospf database - display description
Field | Description
OSPF Router Process with ID | OSPF router ID and process ID. The router ID uniquely identifies the router in the autonomous system. By convention, this is normally set to one of the router's IP interface addresses.
Link State ID | This field identifies the piece of the routing domain that is being described by the advertisement.
Table 177: show ip ospf interface - display description (Continued)
Field | Description
Router ID | Identifier for this router
Network Type | Includes broadcast, non-broadcast, or point-to-point networks
Cost | Interface transmit cost
Transmit Delay | Interface transmit delay (in seconds)
State |
◆ Backup – Backup Designated Router
◆ Down – OSPF is enabled on this interface, but interface is down
◆ DR – Designated Router
◆ DROther – I
Example
Console#show ipv6 ospf neighbor
ID              Pri    State            Interface ID    Interface
--------------- ------ ---------------- --------------- -------------
192.168.0.
Example
Console#show ipv6 ospf route
Codes: C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
C ::1/128, lo0
O 2001:DB8:2222:7272::/64, VLAN1
C 2001:DB8:2222:7272::/64, VLAN1
? FE80::/64, VLAN1 inactive
C FE80::/64, VLAN1
? FF00::
Table 179: show ipv6 ospf virtual-links - display description (Continued)
Field | Description
Timer intervals | Configuration settings for timer intervals, including Hello, Dead and Retransmit
Hello due | The timeout for the next hello message from the neighbor
Adjacency state | The adjacency state between these neighbors:
Down – Connection down
Attempt – Connection down, but attempting contact (for non-broadcast networks)
Init – Have receiv
Chapter 30 | IP Routing Commands
Border Gateway Protocol (BGPv4)

Border Gateway Protocol (BGPv4)

BGP Overview
An autonomous system (AS) functions as a separate routing domain under one administrative authority, which implements its own routing policies. An AS exchanges routing information within its boundaries using Interior Gateway Protocols (IGPs) such as RIP or OSPF, and connects to external organizations or to the Internet using an Exterior Gateway Protocol (EGP).
External BGP – eBGP interconnects different ASs through border routers, or eBGP peers. These peering routers are commonly connected over a WAN link using a single physical path. Alternatively, multiple eBGP peer connections may be used to provide redundancy or load balancing. Distinct BGP sessions are used between redundancy peers to ensure that if one session fails, another will take over.
BGP uses a path vector routing approach, which is roughly based on a distance-vector approach, where the cost between two adjacent ASes is implicitly assumed to be a single hop. The shortest path from an AS to a remote AS is therefore the path with the smallest number of AS hops.
◆ COMMUNITY – This attribute associates routing information with a community of users. These communities share a common property, and tagging routes with a community makes it easier for routers to identify that property and enforce appropriate routing policies.
◆ ORIGINATOR_ID – This attribute is included when a route reflector reflects a route.
5. Choose the path with the lowest ORIGIN (IGP < EGP < Incomplete). If the value of this criterion is the same for more than one candidate, go to the next step.
6. Choose the path with the lowest MED. By default, the MED attribute is considered only when a prefix is received from neighbors in the same AS. If the value of this criterion is the same for more than one candidate, go to the next step.
7.
Route Aggregation and Dissemination
In the Internet, the number of destinations is larger than most routing protocols can manage. It is not possible for routers to track every possible destination in their routing tables. To overcome this problem, BGP relies on route aggregation, whereby multiple destinations are combined in a single advertisement.
Figure 7: Connections for Single Route Reflector (diagram labels: Route Reflector, eBGP Speaker, Router, Advertised Routes, Reflected Routes)

Route reflector clients are not aware that they are connected to a route reflector, and function as though fully meshed within the autonomous system. For redundancy, a cluster may contain more than one route reflector. Each cluster is identified by a Cluster-ID.
connected to its designated route reflector. Once all iBGP routing sessions are established, routing advertisements must follow these rules:
◆ Announcements received by a route reflector from another reflector are passed to its clients.
◆ Announcements received by a route reflector from a reflector client are passed to other route reflectors in the cluster.
Figure 9: Connections for BGP Confederation (diagram labels: AS16478, Public Domain, Autonomous System, Member AS AS100, AS200 and AS300, Router, iBGP, eBGP)

To prevent looping within the confederation, the AS-Confed-Set and AS-Confed-Sequence path attributes are added. These attributes function in the same manner as AS-Set and AS-Sequence.
2. Use the bgp confederation peer command to add an internal peer autonomous system to a confederation.

Route Servers
Route Servers are used to relay routes received from remote ASes to client routers, as well as to relay routes between client routers. Clients maintain BGP sessions only with the assigned route servers. Sessions with more than one server can be used to provide redundancy and load sharing.
Route damping provides a relief mechanism to minimize the effects of route flapping. It can reduce the propagation of updates for flapping routes without impacting the route convergence time for stable routes. When enabled, a route is assigned a penalty each time it flaps (i.e., announced and then quickly withdrawn). If the penalty exceeds 2000 (the suppress limit), the route is suppressed.
Table 180: Border Gateway Protocol Commands – Version 4 (Continued)
Command | Function | Mode
bgp confederation peer | Adds an internal peer autonomous system to a confederation | RC
bgp dampening | Configures route dampening to reduce the propagation of unstable routes | RC
bgp enforce-first-as | Denies an update received from an external peer that does not list its own autonomous system number at the beginning of the AS path attribute | RC
bgp fa
Table 180: Border Gateway Protocol Commands – Version 4 (Continued)
Command | Function | Mode
distance bgp | Sets the administrative distance for BGP external, internal, and local routes | RC
Neighbor Configuration
neighbor activate | Enables exchange of routing information with a neighboring router or peer group | RC
neighbor advertisement-interval | Configures the interval between sending update messages to a neighbor | RC
neighbor allowas-in | Con
Table 180: Border Gateway Protocol Commands – Version 4 (Continued)
Command | Function | Mode
neighbor prefix-list | Configures prefix restrictions applied in inbound/outbound route updates to/from specified neighbors | RC
neighbor remote-as | Configures a neighbor and its AS number, identifying the neighbor as a local AS member | RC
neighbor remove-private-as | Removes private autonomous system numbers from outbound routing updates to an externa
Table 180: Border Gateway Protocol Commands – Version 4 (Continued)
Command | Function | Mode
show ip bgp prefix-list | Shows routes matching the specified prefix-list | PE
show ip bgp regexp | Shows routes matching the AS path regular expression | PE
show ip bgp route-map | Shows routes matching the specified route map | PE
show ip bgp scan | Shows BGP scan status | PE
show ip bgp summary | Shows summary information for all connections | PE
show i
◆ Use this command to specify all of the routers within an autonomous system used to exchange interior or exterior BGP routing messages. Repeat this process for any other autonomous system under your administrative control to create a distributed routing core for the exchange of routing information between autonomous systems.
Example
The regular expression in this example uses symbols which instruct the filter to match the character or null string at the beginning and end of an input string.
Console(config-router)#ip as-path access-list RD deny ^100$
Console(config-router)#
Related Commands
neighbor filter-list (938)
match as-path (976)

ip community-list
This command configures a community access list.
no-export – Routes with this community attribute are advertised only to peers in the same autonomous system or to other sub-autonomous systems within a confederation. These routes are not advertised to external peers.
100-500 – Expanded community list number that identifies one or more groups of communities.
expanded community-list-name – Name of expanded access list.
Example
This example configures a named standard community list LN that permits routes with community value 100:10, denoting that they come from autonomous system 100 and network 10.
Console(config)#ip community-list standard LN permit 100:10
Console(config)#
Related Commands
neighbor send-community (950)
match community (976)

ip extcommunity-list
This command configures an extended community access list.
IP:NN – Community to deny or permit. The community number is composed of a 4-byte IP address (representing the autonomous system number) and a 2-byte network number, separated by one colon. The 2-byte network number can range from 0 to 65535. One or more community numbers can be entered, separated by a space. Up to 3 community numbers are supported.
100-500 – Expanded community list number that identifies one or more groups of communities.
◆ Use this command in conjunction with the neighbor filter-list to filter route updates sent to or received from a neighbor, or with the match extcommunity route map command to implement a more comprehensive filter for policy-based routing.
Example
This example configures a named standard community list LR that permits routes with the route target 100:20, denoting that they are destined for the autonomous system 100 and network 20.
Command Mode
Global Configuration
Default Setting
No prefix lists are defined.
Command Usage
◆ Prefix filtering can be performed on an IP address expressed as a classful network, a subnet, or a single host route.
◆ Prefix lists are checked starting from the lowest sequence number, and checking continues through the list until a match is found.
as-set – Generates autonomous system set information for the AS path attribute, indicating that a route originated in multiple autonomous systems.
summary-only – Sends the summary routes only, ignoring more specific routes.
Command Mode
Router Configuration
Default Setting
No aggregate routes are defined.
bgp client-to-client reflection
This command restores route reflection via this router. Use the no form to disable route reflection.
Syntax
[no] bgp client-to-client reflection
Command Mode
Router Configuration
Default Setting
Enabled
Command Usage
Route reflection from this device is enabled by default, but is only functional if a client has been configured with the neighbor route-reflector-client command.
bgp cluster-id
This command configures the cluster identifier for multiple route reflectors in the same cluster. Use the no form to remove the cluster identifier.
Syntax
bgp cluster-id cluster-identifier
no bgp cluster-id
cluster-identifier – The cluster identifier of this router when acting as a route reflector. This identifier can be expressed in the form of an IPv4 address or an integer in the range of 1-4294967295.
bgp confederation identifier
This command configures the identifier for a confederation containing smaller multiple internal autonomous systems, and declares this router as a member of the confederation. Use the no form to remove the confederation identifier.
bgp confederation peer
This command adds an internal peer autonomous system to a confederation. Use the no form to remove an autonomous system from a confederation.
Syntax
bgp confederation peer as-number
no bgp confederation identifier
as-number – Autonomous system number which identifies this router as a member of the specified domain, and tags routing messages passed to other BGP routers with this number.
bgp dampening
This command configures route dampening to reduce the propagation of unstable routes. Use the no form to restore the default settings.
Syntax
bgp dampening [half-life [reuse-limit [suppress-limit max-suppress-time]]]
no dampening
half-life – The time after which a penalty is reduced. The penalty value is reduced to half of the previous value after the half-life time expires.
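The penalty mechanism from the route damping overview and the half-life parameter of bgp dampening, modelled as an added example (not code from this guide or from the switch software). Only the suppress limit of 2000 comes from the guide; the per-flap penalty of 1000, the reuse limit of 750 and the 15-minute half-life are assumed values, and max-suppress-time is not modelled.

```python
import math

SUPPRESS_LIMIT = 2000.0    # stated in the guide
PENALTY_PER_FLAP = 1000.0  # assumed, not stated in the guide
REUSE_LIMIT = 750.0        # assumed, not stated in the guide
HALF_LIFE_MIN = 15.0       # assumed, not stated in the guide


def decay(penalty, elapsed_min, half_life_min=HALF_LIFE_MIN):
    """Penalty left after elapsed_min minutes; it halves every half-life."""
    return penalty * 0.5 ** (elapsed_min / half_life_min)


def minutes_until(penalty, limit, half_life_min=HALF_LIFE_MIN):
    """Flap-free minutes needed for penalty to decay down to limit."""
    if penalty <= limit:
        return 0.0
    return half_life_min * math.log2(penalty / limit)


def replay(flap_minutes, per_flap=PENALTY_PER_FLAP,
           suppress_limit=SUPPRESS_LIMIT, reuse_limit=REUSE_LIMIT,
           half_life_min=HALF_LIFE_MIN):
    """Replay flap timestamps (in minutes) for one route.

    Returns the state changes as a list of
    (minute, "suppressed" or "reused", penalty at that moment).
    """
    events = []
    penalty, last, suppressed = 0.0, None, False
    for t in sorted(flap_minutes):
        if last is not None:
            if suppressed:
                # Did the penalty decay to the reuse limit before this flap?
                release = last + minutes_until(penalty, reuse_limit, half_life_min)
                if release <= t:
                    events.append((release, "reused", reuse_limit))
                    suppressed = False
            penalty = decay(penalty, t - last, half_life_min)
        penalty += per_flap          # each flap adds a fixed penalty
        last = t
        if not suppressed and penalty > suppress_limit:
            suppressed = True        # "exceeds 2000 (the suppress limit)"
            events.append((t, "suppressed", penalty))
    if suppressed:
        # No more flaps: the route comes back once the penalty has decayed.
        release = last + minutes_until(penalty, reuse_limit, half_life_min)
        events.append((release, "reused", reuse_limit))
    return events


if __name__ == "__main__":
    # Constructed timelines: a burst of flaps versus one flap per hour.
    for name, flaps in (("burst", [0, 2, 4]), ("hourly", [0, 60, 120])):
        print(name, [(round(m, 2), e, round(p, 1)) for m, e, p in replay(flaps)])
```

With these assumed values, three flaps within four minutes suppress the route for roughly 28 minutes, while one flap per hour never reaches the suppress limit.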
bgp enforce-first-as
This command denies an update received from an external peer that does not list its own autonomous system number at the beginning of the AS path attribute. Use the no form to disable this feature.
bgp log-neighbor-changes
This command enables logging of neighbor resets (that is, up or down status changes). Use the no form to disable this feature.
Command Mode
Router Configuration
Default Setting
Disabled
Command Usage
◆ This command helps detect network problems by indicating if a neighbor connection is flapping. A high number of neighbor resets might indicate unacceptable error rates or high packet loss in the network.
bgp router-id
This command sets the router ID for this device. Use the no form to remove this ID.
Syntax
bgp router-id router-id
no bgp router-id
router-id – Router ID formatted as an IPv4 address.
Command Mode
Router Configuration
Default Setting
The highest IP address configured for an interface.
Command Usage
◆ By default, the router ID is automatically set to the highest IP address configured for a Layer 3 interface.
Command Usage
◆ This command sets the interval at which to check the validity of the next hop for all routes in the routing information database. During the interval between scan cycles, IGP instability or other network problems may cause black holes or routing loops to form.
Example
Console(config-router)#bgp scan-time 30
Console(config-router)#

network
This command specifies a network to advertise.
backdoor network is treated as a local network, except that it is not advertised by the local router. A backdoor route should not be sourced at the local router, but should be one that has been learned from external neighbors. However, since these routes are treated as a local network, they are given priority over routes learned through eBGP, even if the distance of the external route is shorter.
Example
Console(config-router)#network 172.16.0.
◆ A route metric must be used to resolve the problem of redistributing external routes with incompatible metrics.
Example
Console(config-router)#redistribute static metric 10
Console(config-router)#

timers bgp
This command sets the Keep Alive time used for maintaining connectivity, and the Hold time to wait for Keep Alive or Update messages before declaring a neighbor down. Use the no form to restore the default settings.
clear ip bgp
This command clears connections using hard or soft re-configuration.
Syntax
clear ip bgp {* | as-number | external | peer-group group-name | neighbor-address} [in [prefix-list] | out | soft [in | out]]
* – All BGP peering sessions.
as-number – All peering sessions within this autonomous system number. (Range: 1-4294967295)
external – All eBGP peering sessions.
◆ Use this command to clear peering sessions when changes are made to any BGP access lists, weights, or route-maps.
◆ Route refresh (RFC 2918) allows a router to reset inbound routing tables dynamically by exchanging route refresh requests with peers. Route refresh relies on the dynamic exchange of information with supporting peers. It is advertised through BGP capability negotiation, and all BGP routers must support this capability.
Route Metrics and Selection

bgp always-compare-med
This command allows comparison of the Multi Exit Discriminator (MED) for paths advertised from neighbors in different autonomous systems. Use the no form to disable this feature.
Command Mode
Router Configuration
Default Setting
Disabled
Example
Console(config-router)#bgp bestpath as-path ignore
Console(config-router)#

bgp bestpath compare-confed-
This command compares confederation AS path length in addition to external AS path length in the selection of a path. Use the no form to disable this feature.
Command Usage
Normally, the first route arriving from different external peers (with other conditions equal) will be chosen as the best route. By using this command, the route with lowest router ID will be selected.
bgp default local-preference
This command sets the default local preference used for best path selection among local iBGP peers. Use the no form to restore the default setting.
Syntax
bgp default local-preference preference
preference – Degree of preference iBGP peers give local routes during BGP best path selection. The higher the value, the more the route is to be preferred.
◆ The router immediately groups and sorts all local paths when this command is entered. For correct results, deterministic comparison of the MED must be configured in the same manner (enabled or disabled) on all routers in the local AS.
◆ If deterministic comparison of the MED is not enabled, route selection can be affected by the order in which routes are received.
◆ If an access-list is specified, it will be applied to received routes. If the received routes are not matched in the access-list or the specified list does not exist, the original distance value will be used.
Example
Console(config-router)#distance 90 10.1.1.64 255.255.255.
◆ Changing the administrative distance of iBGP routes is not recommended. It may cause an accumulation of routing table inconsistencies which can break routing to many parts of the network.
Example
Console(config-router)#distance bgp 20 200 20
Console(config-router)#
Related Commands
distance (928)

Neighbor Configuration

neighbor activate
This command enables the exchange of routing information with a neighboring router or peer group.
neighbor advertisement-interval
This command configures the interval between sending update messages to a neighbor. Use the no form to restore the default setting.
Syntax
neighbor ip-address advertisement-interval interval
no neighbor ip-address advertisement-interval
ip-address – IP address of a neighbor.
interval – The minimum interval between sending routing updates to the specified neighbor.
Command Usage
Under standard routing practices, BGP will not accept a route sent from a neighbor if the same AS number appears in the AS path more than once. This could indicate a routing loop, and the route message would therefore be dropped.
neighbor capability dynamic
This command configures dynamic negotiation of capabilities between neighboring routers. Use the no form to disable this feature.
Syntax
[no] neighbor {ip-address | group-name} capability dynamic
ip-address – IP address of a neighbor.
group-name – A BGP peer group containing a list of neighboring routers configured with the neighbor peer-group command.
Default Setting
Disabled
Command Usage
When this command is entered, the side configured with inbound prefix-list filter rules will transmit its own rules to the peer, and the peer will then use these rules as its own outbound rules, thereby avoiding sending routes which will be denied by its partner.
Example
Console(config-router)#neighbor 10.1.1.
Example
Console(config-router)#neighbor 10.1.1.64 default-originate
Console(config-router)#

neighbor description
This command configures the description of a neighbor or peer group. Use the no form to remove a description.
Syntax
neighbor {ip-address | group-name} description description
no neighbor {ip-address | group-name} description
ip-address – IP address of a neighbor.
Command Mode
Router Configuration
Default Setting
None
Command Usage
◆ If the specified access list for input or output mode does not exist, all input or output route updates will be filtered.
◆ The neighbor prefix-list and the neighbor distribute-list commands are mutually exclusive for a BGP peer. That is, only one of these commands may be applied in the inbound or outbound direction.
Example
Console(config-router)#neighbor 10.1.1.
neighbor ebgp-multihop
This command allows eBGP neighbors to exist in different segments, and configures the maximum hop count (TTL). Use the no form to restore the default setting.
Syntax
neighbor {ip-address | group-name} ebgp-multihop [count]
no neighbor {ip-address | group-name} ebgp-multihop
ip-address – IP address of a neighbor.
Default Setting
Not enforced
Command Usage
By default, the multi-hop check is only performed on iBGP and eBGP non-direct routes. This command can be used to force the router to perform the multi-hop check on directly connected routes as well. In other words, the router will not perform the next-hop direct-connect check for the specified neighbor.
Example
Console(config-router)#neighbor 10.1.1.
Example
In this example, the AS path access list “ASPF” is first configured to deny access to any route passing through AS 100. It then enables route filtering by assigning this list to a peer.
Console(config)#ip as-path access-list ASPF deny 100
Console(config)#router bgp 100
Console(config-router)#redistribute static
Console(config-router)#neighbor 10.1.1.
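A check of the two AS path patterns used in this guide's examples, 100 (list ASPF) and ^100$ (list RD), against sample AS paths, as an added example that is not part of the guide. It assumes the pattern is applied as an unanchored search over the space-separated AS path text, which the guide does not state, and it uses Python's regex engine rather than the switch's; the sample paths and the third pattern are constructed for illustration.

```python
import re

# Constructed sample AS paths, written as space-separated AS numbers.
SAMPLE_PATHS = [
    "100",          # route originated by AS 100
    "100 200",      # AS 100 is the neighbor, AS 200 the origin
    "200 100 300",  # AS 100 is a transit hop
    "1100 200",     # different AS whose number contains "100"
    "65100",        # different AS whose number ends in "100"
    "200 300",      # AS 100 not involved
]

# Patterns under test. The first two are the ones in the guide's examples;
# the third is an added pattern in Python syntax, not switch syntax.
PATTERNS = {
    "100": "ASPF example",
    "^100$": "RD example",
    r"(^| )100( |$)": "added: AS 100 as a whole hop anywhere in the path",
}


def pattern_hits(pattern, as_path):
    """Unanchored search, the matching mode assumed in the lead-in."""
    return re.search(pattern, as_path) is not None


def audit(pattern, target_as, paths=SAMPLE_PATHS):
    """Compare what a pattern matches with the paths that contain target_as.

    Returns a dict of three lists:
      intended   - matched, and target_as is a hop in the path
      over_match - matched, but target_as is not a hop in the path
      missed     - target_as is a hop in the path, but no match
    """
    report = {"intended": [], "over_match": [], "missed": []}
    for path in paths:
        in_path = str(target_as) in path.split()
        hit = pattern_hits(pattern, path)
        if hit and in_path:
            report["intended"].append(path)
        elif hit:
            report["over_match"].append(path)
        elif in_path:
            report["missed"].append(path)
    return report


if __name__ == "__main__":
    for pattern, note in PATTERNS.items():
        result = audit(pattern, 100)
        print(f"{pattern!r} ({note})")
        for key, paths in result.items():
            print(f"  {key:10s} {paths}")
```

In a deny entry, every path under over_match is a route filtered without that being the intent, and every path under missed is a route through AS 100 that the entry lets through.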
threshold – The percentage of the maximum number of allowed prefixes at which the router will initiate the specified response.
restart – Restarts BGP connection after the threshold is exceeded.
interval – Time to wait after a BGP connection has been terminated, before reestablishing the session. (Range: 1-65535 minutes)
warning – Sends a log message if the threshold is exceeded.
Command Usage
◆ iBGP routers only connected to other iBGP routers in the same segment will not be able to talk with iBGP routers outside of the segment if they are not directly connected with each other. This command can be used in these kinds of networks (i.e., un-meshed or non-broadcast) where iBGP neighbors may not have direct access to all other neighbors on the same IP subnet.
neighbor passive
This command passively forms a connection with the specified neighbor, not sending a TCP connection request, but waiting for a connection request from the specified neighbor. Use the no form to disable this feature.
Syntax
[no] neighbor {ip-address | group-name} passive
ip-address – IP address of a neighbor.
group-name – A BGP peer group containing a list of neighboring routers configured with the neighbor peer-group command.
Command Usage
◆ When MD5 authentication is configured on a TCP connection between two peers, neighbor authentication occurs whenever routing updates are exchanged. Authentication must be configured with the same password on both peers; otherwise, the connection between them will not be made.
neighbor peer-group (Group Members)
This command assigns routers to a peer group. Use the no form to remove a group member.
Syntax
[no] neighbor ip-address peer-group group-name
ip-address – IP address of a neighbor.
group-name – A BGP peer group.
Command Mode
Router Configuration
Default Setting
No group members are defined.
Command Usage
To create a peer group, use the neighbor group-name peer-group command.
neighbor prefix-list
This command configures prefix restrictions applied in inbound/outbound route updates to/from specified neighbors. Use the no form to remove the neighbor binding for a prefix list.
Syntax
neighbor {ip-address | group-name} prefix-list list-name {in | out}
no neighbor {ip-address | group-name} prefix-list {in | out}
ip-address – IP address of a neighbor.
neighbor remote-as
This command configures a neighbor and its AS number, identifying the neighbor as an iBGP or eBGP peer. Use the no form to remove a neighbor.
Syntax
neighbor {ip-address | group-name} remote-as as-number
no neighbor {ip-address | group-name} remote-as
ip-address – IP address of a neighbor.
group-name – A BGP peer group containing a list of neighboring routers configured with the neighbor peer-group command.
Default Setting
Disabled
Command Usage
◆ This command only applies to eBGP neighbors. It is used to avoid passing an internal AS number to an external AS. Internal AS numbers range from 64512 to 65535, and should not be sent to the Internet since they are not valid external AS numbers.
◆ This configuration only takes effect when the AS Path attribute of a route contains only internal AS numbers.
Chapter 30 | IP Routing Commands Border Gateway Protocol (BGPv4) Command Usage ◆ First, use route-map command to create a route map, and the match and set commands to configure the route attributes to act upon. Then use this command to specify neighbors to which the route map is applied. ◆ If the specified route map does not exist, all input/output route updates will be filtered. Example Console(config-router)#neighbor 10.1.1.
neighbor route-server-client
This command configures this router as a route server and the specified neighbor as its client. Use the no form to disable the route server for the specified neighbor.
Syntax
[no] neighbor {ip-address | group-name} route-server-client
ip-address – IP address of a neighbor.
group-name – A BGP peer group containing a list of neighboring routers configured with the neighbor peer-group command.

neighbor send-community
This command configures the router to send community attributes to a neighbor in peering messages. Use the no form to stop sending this attribute to a neighbor.
Syntax
[no] neighbor {ip-address | group-name} send-community [both | extended | standard]
ip-address – IP address of a neighbor.
group-name – A BGP peer group containing a list of neighboring routers configured with the neighbor peer-group command.
Default Setting
None
Command Usage
◆ This command terminates any active sessions for the specified neighbor, and removes any associated routing information.
◆ Use the show ip bgp summary command to display the neighbors which have been administratively shut down. Entries in an Idle (Admin) state have been disabled by the neighbor shutdown command.
Example
Console(config-router)#neighbor 10.1.1.
Chapter 30 | IP Routing Commands Border Gateway Protocol (BGPv4) ◆ To use soft reconfiguration, without preconfiguration, both BGP neighbors must support the soft route refresh capability advertised in open messages sent when a BGP session is established. To see if a BGP router supports this capability, use the show ip bgp neighbors command. Example Console(config-router)#neighbor 11.1.1.
Chapter 30 | IP Routing Commands Border Gateway Protocol (BGPv4) hold-time – The maximum interval after which a neighbor is declared dead if a keep-alive or update message has not been received. (Range: 0-65535 seconds) Command Mode Router Configuration Default Setting Keep Alive time: 60 seconds Hold time: 180 seconds Command Usage ◆ This command sets the Keep Alive time used for maintaining connectivity, and the Hold time to wait for Keep Alive or Update messages before declaring a neighbor down.
Chapter 30 | IP Routing Commands Border Gateway Protocol (BGPv4) Command Usage This command sets the time to wait before attempting to reconnect to a BGP neighbor after having failed to connect. During the idle time specified by the Connect Retry timer, the remote BGP peer can actively establish a BGP session with the local router. Example Console(config-router)#neighbor 10.1.1.
neighbor update-source
This command specifies the interface to use for a TCP connection, instead of using the nearest interface. Use the no form to use the default interface.
Syntax
[no] neighbor {ip-address | group-name} update-source interface vlan vlan-id
ip-address – IP address of a neighbor.
group-name – A BGP peer group containing a list of neighboring routers configured with the neighbor peer-group command.
vlan-id - VLAN ID.
Chapter 30 | IP Routing Commands Border Gateway Protocol (BGPv4) Command Usage ◆ Use this command to specify a weight for all the routes learned from a neighbor. The route with the highest weight gets preference over other routes to the same network. ◆ Weights assigned using the set weight command override those assigned by this command. Example Console(config-router)#neighbor 10.1.1.66 weight 500 Console(config-router)# Display Information show ip bgp This command shows entries in the routing table.
Chapter 30 | IP Routing Commands Border Gateway Protocol (BGPv4) Table 181: show ip bgp - display description Field Description BGP table version Internal version number of routing table, incremented per table change. local router ID IP address of router. Status codes Status of table entry includes these values: ◆ s – Entry is suppressed. ◆ d – Entry is dampened. ◆ h – Entry history ◆ * – Entry is valid ◆ > – Best entry for that network ◆ i – Entry learned via internal BGP (iBGP).
Example
In the following example, Refcnt refers to the number of routes using the indicated next hop.
Console#show ip bgp attribute-info
Refcnt Nexthop
1 0.0.0.0
1 10.1.1.64
3 10.1.1.64
1 10.1.1.121
2 10.1.1.200
Console#

show ip bgp cidr-only
This command shows routes which use classless interdomain routing network masks.
Chapter 30 | IP Routing Commands Border Gateway Protocol (BGPv4) internet – Specifies the entire Internet. Routes with this community attribute are advertised to all internal and external peers. local-as – Specifies the local autonomous system. Routes with this community attribute are advertised only to peers that are part of the local autonomous system or to peers within a sub-autonomous system of a confederation.
Chapter 30 | IP Routing Commands Border Gateway Protocol (BGPv4) Table 182: show ip bgp community-info - display description Field Description Address Internal address in memory where the entry is stored. Refcnt The number of routes which refer to this community. Community 4-byte community number composed of a 2-byte autonomous system number and a 2-byte network number, separated by one colon show ip bgp This command shows the routes matching a community-list.
Chapter 30 | IP Routing Commands Border Gateway Protocol (BGPv4) parameters – Route dampening parameters. Command Mode Privileged Exec Example In the following example, “From” indicates the peer that advertised this path, while “Reuse” is the time after which the path will be made available. Console#show ip bgp dampening dampened-paths BGP table version is 0, local router ID is 192.168.0.
Chapter 30 | IP Routing Commands Border Gateway Protocol (BGPv4) Table 183: show ip bgp dampening parameters- display description (Continued) Field Description Suppress penalty The point at which to start suppressing a route. Max suppress time The maximum time a route can be suppressed. show ip bgp filter-list This command shows routes matching the specified filter list.
Chapter 30 | IP Routing Commands Border Gateway Protocol (BGPv4) Command Mode Privileged Exec Console#show ip bgp neighbors 192.168.0.3 BGP neighbor is 192.168.0.3, remote AS 200, local AS 100, external link Member of peer-group for session parameters BGP version 4, remote router ID 192.168.0.
Chapter 30 | IP Routing Commands Border Gateway Protocol (BGPv4) Table 184: show ip bgp - display description (Continued) Field Description keepalive interval Interval at which keepalive messages are transmitted to this neighbor. Neighbor capabilities BGP capabilities advertised and received from this neighbor. Message statistics Statistics organized by message type. Minimum time between advertisement runs Time between transmission of advertisements.
Chapter 30 | IP Routing Commands Border Gateway Protocol (BGPv4) show ip bgp prefix-list This command shows routes matching the specified prefix-list. Syntax show ip bgp prefix-list list-name list-name – Name of a prefix-list. The prefix list can be used to filter the networks to import or export as defined by the match ip address prefix-list command. (Range: 1-80 characters) Command Mode Privileged Exec Example Console#show ip bgp prefix-list rd BGP table version is 0, local router ID is 192.168.0.
show ip bgp route-map
This command shows routes matching the specified route map.
Syntax
show ip bgp route-map map-name
map-name – Name of the route map as defined by the route-map command. The route map can be used to filter the networks to advertise. (Range: 1-80 characters)
Command Mode
Privileged Exec
Example
Console#show ip bgp route-map rd
BGP table version is 0, local router ID is 192.168.0.
Chapter 30 | IP Routing Commands Border Gateway Protocol (BGPv4) Command Mode Privileged Exec Example In the following example, “Up/Down” refers to the length of time the session has been in the Established state, or the current status if not in Established state. Console#show ip bgp summary BGP router identifier 192.168.0.2, local AS number 100 RIB entries 0 Peers 1 Peer groups 0 Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd 192.168.0.
Chapter 30 | IP Routing Commands Border Gateway Protocol (BGPv4) 100-500 – Expanded community list number that identifies one or more groups of communities. community-list-name – Name of standard or expanded access list. (Maximum length: 32 characters, no spaces or other special characters) Command Mode Privileged Exec Example Console#show ip extcommunity-list rd Named extended community standard list rd permit RT:192.168.0.0:10 Console# show ip prefix-list This command shows the specified prefix list.
show ip prefix-list detail
This command shows detailed information for the specified prefix list.
Syntax
show ip prefix-list detail [prefix-list-name]
prefix-list-name – Name of prefix list. (Maximum length: 128 characters, no spaces or other special characters)
Command Mode
Privileged Exec
Example
Console#show ip prefix-list detail rd
ip prefix-list rd:
count: 1, range entries: 0, sequences: 5 - 5
seq 5 deny 10.0.0.
Chapter 30 | IP Routing Commands Border Gateway Protocol (BGPv4) show ip protocols bgp This command shows BGP process parameters. Command Mode Privileged Exec Example Console#show ip protocols bgp Routing Protocol is "bgp 1" Neighbor(s): Address FiltIn FiltOut DistIn DistOut Weight RouteMap 192.168.1.1 Routing Information Sources: Gateway Distance Last Update 192.168.1.
Chapter 30 | IP Routing Commands Policy-based Routing for BGP Policy-based Routing for BGP This section describes commands used to configure policy-based routing (PBR) maps for Border Gateway Protocol (BGP). Policy-based routing is performed before regular routing. PBR inspects traffic on the interface where the policy is applied and then, based on the policy, makes some decision. First, the traffic is “matched” according to the policy. Second, for each match, there is something “set.
Table 187: Policy-based Routing Configuration Commands (Continued)
Command | Function | Mode
match ip address | Specifies destination addresses to match in a standard access list, extended access list, or prefix list | RM
match ip next-hop | Specifies next hop addresses to match in a standard access list, extended access list, or prefix list | RM
match ip route-source | Specifies the source of routing messages to match in a standard access list, exte
Chapter 30 | IP Routing Commands Policy-based Routing for BGP route-map This command enters route-map configuration mode, allowing route maps to be created or modified. Use the no form to remove a route map. Syntax [no] route-map map-name {deny | permit} sequence-number map-name – Name for the route map. (Range: 1-128 case-sensitive alphanumeric characters) deny – Route-map denies set operations. permit – Route-map permits set operations.
Chapter 30 | IP Routing Commands Policy-based Routing for BGP ■ For a permit route-map, if it does not have a match clause, any routing message is matched, and therefore all routes are permitted. ■ For a permit route-map which includes a match clause for an access-list, if the access-list does not exist, no routing messages are matched, and therefore all routes are skipped.
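The edge cases in the usage notes for neighbor route-map and route-map (a binding to a route map that does not exist filters every update, a permit entry with no match clause matches everything, a match clause naming a missing list matches nothing) are modelled in this added example, which is not code from the guide or the switch. The data model, ascending first-match evaluation, a deny entry filtering the routes it matches, the implicit deny when no entry matches, and exact-match prefix lists are assumptions; all names and addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Entry:
    seq: int
    action: str                                  # "permit" or "deny"
    match: dict = field(default_factory=dict)    # {"peer": ip} or {"prefix-list": name}
    sets: dict = field(default_factory=dict)     # e.g. {"weight": 30}


def prefix_list_permits(plist, prefix):
    """Assumed semantics: the first entry (by seq) whose network equals the
    prefix decides; a prefix that hits no entry is not permitted."""
    net = ipaddress.ip_network(prefix)
    for _seq, action, entry_net in sorted(plist):
        if ipaddress.ip_network(entry_net) == net:
            return action == "permit"
    return False


def entry_matches(entry, route, prefix_lists):
    for kind, arg in entry.match.items():
        if kind == "peer":
            if route["peer"] != arg:
                return False
        elif kind == "prefix-list":
            plist = prefix_lists.get(arg)
            # A match clause that names a missing list matches nothing.
            if plist is None or not prefix_list_permits(plist, route["prefix"]):
                return False
        else:
            raise ValueError(f"unsupported match clause: {kind}")
    return True                  # no match clause: every route matches


def apply_route_map(route_maps, prefix_lists, name, route):
    """Return (route after set actions, or None if filtered; reason)."""
    entries = route_maps.get(name)
    if entries is None:
        return None, f"route map {name} does not exist"
    for entry in sorted(entries, key=lambda e: e.seq):
        if not entry_matches(entry, route, prefix_lists):
            continue             # entry skipped, try the next sequence number
        if entry.action == "deny":
            return None, f"denied by sequence {entry.seq}"
        return {**route, **entry.sets}, f"permitted by sequence {entry.seq}"
    return None, "no entry matched"      # assumption: implicit deny


def dangling_references(bindings, route_maps, prefix_lists):
    """Audit: report neighbor bindings and match clauses that point at
    objects missing from the configuration."""
    findings = []
    for neighbor, name in sorted(bindings.items()):
        if name not in route_maps:
            findings.append(f"{neighbor}: route map {name} is not defined, "
                            "all updates are filtered")
            continue
        for entry in route_maps[name]:
            plist = entry.match.get("prefix-list")
            if plist is not None and plist not in prefix_lists:
                findings.append(f"{neighbor}: route map {name} sequence "
                                f"{entry.seq} matches missing prefix list {plist}")
    return findings


# Constructed sample configuration.
ROUTE_MAPS = {"RD": [
    Entry(1, "permit", {"prefix-list": "customers"}, {"weight": 30}),
    Entry(2, "deny", {"peer": "192.168.0.99"}),
    Entry(3, "permit", sets={"local-preference": 200}),
]}
PREFIX_LISTS = {"rd": [(5, "deny", "10.0.0.0/8")]}
BINDINGS = {"10.1.1.66": "RD", "10.1.1.64": "RD-OUT"}

if __name__ == "__main__":
    route = {"prefix": "172.16.0.0/16", "peer": "10.1.1.66"}
    print(apply_route_map(ROUTE_MAPS, PREFIX_LISTS, "RD", route))
    print(apply_route_map(ROUTE_MAPS, PREFIX_LISTS, "RD-OUT", route))
    for finding in dangling_references(BINDINGS, ROUTE_MAPS, PREFIX_LISTS):
        print(finding)
```

A typo in a list or route-map name therefore changes policy silently: sequence 1 above never applies its weight, and the neighbor bound to RD-OUT exchanges no routes at all.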
Chapter 30 | IP Routing Commands Policy-based Routing for BGP continue This command goes to a route-map entry with a higher sequence number after a successful match occurs. Use the no form to remove this entry from a route map. Syntax continue [sequence-number] no continue sequence-number – Sequence number at which to continue processing. (Range: 1-65535) Command Mode Route Map Command Usage If no match statements precede the call entry, the call is automatically executed.
Chapter 30 | IP Routing Commands Policy-based Routing for BGP match as-path This command sets a BGP autonomous system path access list to match. Use the no form to remove this entry from a route map. Syntax [no] match as-path access-list-name access-list-name – Name of the access list.
Chapter 30 | IP Routing Commands Policy-based Routing for BGP Command Usage This command matches the community attributes of the BGP routing message following the rules specified with the ip community-list command. Example Console(config)#route-map RD permit 2 Console(config-route-map)#match community 60 Console(config-route-map)#set weight 30 Console(config-route-map)# match extcommunity This command sets a BGP extended community access list to match.
Chapter 30 | IP Routing Commands Policy-based Routing for BGP prefix-list-name – Name of a specific prefix list.
Chapter 30 | IP Routing Commands Policy-based Routing for BGP match ip route-source This command specifies the source of routing messages advertised by routers and access servers to be matched in a standard access list, an extended access list, or a prefix list. Use the no form to remove this entry from a route map.
Chapter 30 | IP Routing Commands Policy-based Routing for BGP match origin This command sets the originating protocol to match in routing messages. Use the no form to remove this entry from a route map. Syntax match origin {egp | igp | incomplete} no match origin egp – Routes learned from exterior gateway protocols. igp – Routes learned from internal gateway protocols. incomplete – Routes of uncertain origin.
Chapter 30 | IP Routing Commands Policy-based Routing for BGP Traffic engineering via longer prefixes is only effective when the longer prefixes have a different next hop from the less specific prefix. Thus, past the point where the next hops become identical, the longer prefixes provide no value whatsoever. This command can be used to limit the radius of propagation of more specific prefixes by adding a count of the ASes that may be traversed by the more specific prefix.
Chapter 30 | IP Routing Commands Policy-based Routing for BGP on-match This command sets the next entry to go to when this entry matches. Use the no form to remove this entry from a route map. Syntax on-match peer {goto sequence-number | next} no on-match peer {goto | next} goto – On match, go to specified entry. sequence-number – Route-map entry. (Range: 1-65535) next – Go to next entry. Command Mode Route Map Command Usage Use this command when no set action is for a match clause.
Chapter 30 | IP Routing Commands Policy-based Routing for BGP Example Console(config)#route-map RD permit 8 Console(config-route-map)#match pathlimit as 5 Console(config-route-map)#set aggregator 1 192.168.0.0 Console(config-route-map)# set as-path This command modifies the AS path by prepending or excluding an AS number. Use the no form to remove this entry from a route map. Syntax set as-path {exclude | prepend} as-number...
Chapter 30 | IP Routing Commands Policy-based Routing for BGP and that the aggregate path might not be the best path to the destination. This attribute should be set when the BGP speaker advertises ONLY the less-specific prefix and suppresses more specific ones. Example Console(config)#route-map RD permit 9 Console(config-route-map)#match peer 192.168.0.
Chapter 30 | IP Routing Commands Policy-based Routing for BGP set community This command sets the community attributes of routing messages. Use the no form to remove this entry from a route map. Syntax set community [AA:NN...] [additive {[AA:NN...] [internet] [local-as] [no-advertise] [no-export]} [internet [[AA:NN...] [local-as] [no-advertise] [no-export]] [local-as [[AA:NN...] [no-advertise] [no-export]] [no-advertise [AA:NN...] [no-export]] [no-export [AA:NN...
Chapter 30 | IP Routing Commands Policy-based Routing for BGP Console(config-route-map)#set community 20:01 Console(config-route-map)# Related Commands set comm-list delete (984) set extcommunity This command sets the extended community attributes of routing messages. Use the no form to remove this entry from a route map. Syntax set extcommunity {rt extended-community-value | soo extended-community-value} no set extcommunity [rt | soo] rt – The route target extended community attribute.
Chapter 30 | IP Routing Commands Policy-based Routing for BGP site are assigned the same site of origin attribute, no matter if a site is connected to a single PE router or multiple PE routers. Filtering based on this extended community attribute can prevent routing loops from occurring when a site is multi-homed. Example Console(config)#route-map RD permit 13 Console(config-route-map)#match peer 192.168.0.99 Console(config-route-map)#set extcommunity 100:0 192.168.1.
Chapter 30 | IP Routing Commands Policy-based Routing for BGP set local-preference This command sets the priority within the local AS for a routing message. Use the no form to remove this entry from a route map. Syntax set local-preference preference no set local-preference preference – Degree of preference iBGP peers give local routes during BGP best path selection. The higher the value, the more the route is to be preferred.
Chapter 30 | IP Routing Commands Policy-based Routing for BGP ◆ This command can modify the current metric for a route using the “+” or “-” keywords. ◆ The metric applies to external routers in the inter-autonomous system. To specify the metric for the local AS, use the set local-preference command. ◆ This path metric is normally only compared with neighbors in the local AS.
Chapter 30 | IP Routing Commands Policy-based Routing for BGP set originator-id This command sets the IP address of the routing message’s originator. Use the no form to remove this entry from a route map. Syntax set originator-id ip-address no set originator-id ip-address – An IPv4 address of the route source, expressed in dotted decimal notation.
Chapter 30 | IP Routing Commands Policy-based Routing for BGP Example Console(config)#route-map RD permit 18 Console(config-route-map)#match peer 192.168.0.99 Console(config-route-map)#set pathlimit ttl 255 Console(config-route-map)# set weight This command sets the weight for routing messages. Use the no form to remove this entry from a route map. Syntax set weight weight no set weight weight – The weight assigned to this route.
Chapter 30 | IP Routing Commands Policy-based Routing for BGP Example Console#show route-map RD route-map RD, permit, sequence 1 Match clauses: peer 102.168.0.
31 Multicast Routing Commands Multicast routers can use various kinds of multicast routing protocols to deliver IP multicast packets across different subnetworks. This router supports Protocol Independent Multicasting (PIM). (Note that IGMP will be enabled for any interface that is using multicast routing.
Chapter 31 | Multicast Routing Commands General Multicast Routing Default Setting Disabled Command Mode Global Configuration Command Usage ◆ This command is used to enable IPv4 multicast routing globally for the router. A specific multicast routing protocol also needs to be enabled on the interfaces that will support multicast routing using the router pim command, and then specify the interfaces that will support multicast routing using the ip pim dense-mode or ip pim sparse-mode commands.
Chapter 31 | Multicast Routing Commands General Multicast Routing Example This example shows detailed multicast information for a specified group/source pair Console#show ip mroute 224.0.255.3 192.111.46.8 IP Multicast Forwarding is enabled. IP Multicast Routing Table Flags: D - Dense, S - Sparse, s - SSM Channel, C - Connected, P - Pruned, F - Register flag, R - RPT-bit set, T - SPT-bit set, J - Join SPT Interface state: F - Forwarding, P - Pruned, L - Local (192.168.2.1, 224.0.17.
Chapter 31 | Multicast Routing Commands General Multicast Routing Table 190: show ip mroute - display description (Continued) Field Description Incoming Interface Interface leading to the upstream neighbor. PIM creates a multicast routing tree based on the unicast routing table. If the related unicast routing table does not exist, PIM will still create a multicast routing entry, but displays “Null” for the upstream interface to indicate that the unicast routing table is not valid.
will support multicast routing using the router pim6 command, and then specify the interfaces that will support multicast routing using the ipv6 pim command.
◆ To use multicast routing, MLD proxy cannot be enabled on any interface of the device (see ipv6 mld proxy on page 631).
Example
Console(config)#ipv6 multicast-routing
Console(config)#

show ipv6 mroute
This command displays the IPv6 multicast routing table.
Chapter 31 | Multicast Routing Commands General Multicast Routing Incoming Interface: VLAN2, RPF neighbor: FE80::0303 Outgoing Interface List: VLAN1(F) Console# Table 191: show ip mroute - display description Field Description Flags The flags associated with this entry: ◆ D (Dense) - PIM Dense mode in use. ◆ S (Sparse) - PIM Sparse mode in use. ◆ s (SSM) - A multicast group with the range of IP addresses used for PIM-SSM. ◆ C (Connected) - A member of the multicast group is present on this interface.
This example lists all entries in the multicast table in summary form:
Console#show ipv6 mroute summary
IP Multicast Forwarding is disabled
IP Multicast Routing Table (Summary)
Flags: F - Forwarding, P - Pruned, D - PIM-DM, S – PIM-SM, V – DVMRP, M - MLD
Group                          Source                         Interface  Flag
------------------------------ ------------------------------ ---------- ----
FF02::0101                     FE80::0101                     VLAN 4096  DF
Total Entry is 1
Console#

Static Multicast Routing
Chapter 31 | Multicast Routing Commands Static Multicast Routing Command Mode Global Configuration Command Usage Depending on your network connections, IGMP snooping may not always be able to locate the IGMP querier. Therefore, if the IGMP querier is a known multicast router/switch connected over the network to an interface (port or trunk) on your router, you can manually configure that interface to join all the current multicast groups.
Chapter 31 | Multicast Routing Commands PIM Multicast Routing PIM Multicast Routing This section describes the PIM commands used for IPv4 and IPv6. Note that PIM can run on an IPv4 network and PIM6 on an IPv6 network simultaneously. Also note that Internet Group Management Protocol (IGMP) is used for IPv4 networks and Multicast Listener Discovery (MLD) for IPv6 networks. Table 194: IPv4 and IPv6 PIM Commands Command Group Function IPv4 PIM Commands Configures multicast routing for IPv4 PIM.
Table 195: PIM-DM and PIM-SM Multicast Routing Commands (Continued)
Command | Mode | Function
ip pim bsr-candidate | GC | Configures the switch as a Bootstrap Router (BSR) candidate
ip pim register-rate-limit | GC | Configures the rate at which register messages are sent by the Designated Router (DR)
ip pim register-source | GC | Configure the IP source address of a register message to an address other than the outgoing interface address of the designa
Chapter 31 | Multicast Routing Commands PIM Multicast Routing ◆ To use multicast routing, IGMP proxy cannot be enabled on any interface of the device (see the ip igmp proxy command). Example Console(config)#router pim Console(config)#exit Console#show ip pim interface PIM is enabled. VLAN 1 is up. PIM Mode : Dense Mode IP Address : 192.168.0.
Chapter 31 | Multicast Routing Commands PIM Multicast Routing join messages are received from downstream routers, or a group member is directly connected to the interface. ◆ Dense-mode interfaces are subject to multicast flooding by default, and are only removed from the multicast routing table when the router determines that there are no group members or downstream routers, or when a prune message is received from a downstream router.
Default Setting
105 seconds
Command Mode
Interface Configuration (VLAN)
Command Usage
The ip pim hello-holdtime should be greater than the value of ip pim hello-interval.
Example
Console(config-if)#ip pim hello-holdtime 210
Console(config-if)#

ip pim hello-interval
This command configures the frequency at which PIM hello messages are transmitted. Use the no form to restore the default value.

ip pim join-prune-holdtime
This command configures the hold time for the prune state. Use the no form to restore the default value.
Syntax
ip pim join-prune-holdtime seconds
no ip pim join-prune-holdtime
seconds - The hold time for the prune state.
Chapter 31 | Multicast Routing Commands PIM Multicast Routing a Join message. If no join messages are received after the prune delay expires, this router will prune the flow.
Example
Console(config-if)#ip pim override-interval 3500
Console(config-if)#
Related Commands
ip pim propagation-delay (1009)
ip pim lan-prune-delay (1007)

ip pim propagation-delay
This command configures the propagation delay required for a LAN prune delay message to reach downstream routers. Use the no form to restore the default setting.

ip pim trigger-hello-delay
This command configures the maximum time before transmitting a triggered PIM Hello message after the router is rebooted or PIM is enabled on an interface. Use the no form to restore the default value.
Syntax
ip pim trigger-hello-delay seconds
no ip pim trigger-hello-delay
seconds - The maximum time before sending a triggered PIM Hello message.
Chapter 31 | Multicast Routing Commands PIM Multicast Routing Example Console#show ip pim interface vlan 1 PIM is enabled. VLAN 1 is up. PIM Mode : Dense Mode IP Address : 192.168.0.
Chapter 31 | Multicast Routing Commands PIM Multicast Routing Table 196: show ip pim neighbor - display description (Continued) Field Description Expiration Time The time before this entry will be removed. DR The designated PIM-SM router. If multicast hosts are directly connected to the LAN, then only one of these routers is elected as the DR, and acts on behalf of these hosts, sending periodic Join/Prune messages toward a group-specific RP for each group.
Default Setting
3
Command Mode
Interface Configuration (VLAN)
Example
Console(config-if)#ip pim max-graft-retries 5
Console(config-if)#

ip pim state-refresh origination-interval
This command sets the interval between sending PIM-DM state refresh control messages. Use the no form to restore the default value.
Chapter 31 | Multicast Routing Commands PIM Multicast Routing PIM-SM Commands ip pim bsr-candidate This command configures the switch as a Bootstrap Router (BSR) candidate. Use the no form to restore the default value. Syntax ip pim bsr-candidate interface vlan vlan-id [hash hash-mask-length] [priority priority] no ip pim bsr-candidate vlan-id - VLAN ID (Range: 1-4094) hash-mask-length - Hash mask length (in bits) used for RP selection (see ip pim rp-candidate and ip pim rp-address).
Chapter 31 | Multicast Routing Commands PIM Multicast Routing Example The following example configures the router to start sending bootstrap messages out of the interface for VLAN 1 to all of its PIM-SM neighbors. Console(config)#ip pim bsr-candidate interface vlan 1 hash 20 priority 200 Console(config)#exit Console#show ip pim bsr-router PIMv2 Bootstrap information BSR Address : 192.168.0.
Chapter 31 | Multicast Routing Commands PIM Multicast Routing ip pim register-source This command configures the IP source address of a register message to an address other than the outgoing interface address of the designated router (DR) that leads back toward the rendezvous point (RP). Use the no form to restore the default setting.
Chapter 31 | Multicast Routing Commands PIM Multicast Routing Command Mode Global Configuration Command Usage ◆ The router specified by this command will act as an RP for all multicast groups in the local PIM-SM domain if no groups are specified. A static RP can either be configured for the whole multicast group range 224.0.0.0/4, or for specific group ranges. ◆ Using this command to configure multiple static RPs with the same RP address is not allowed.
Info source : static
Uptime : 00:00:21
Expire : Never
Console#

ip pim rp-candidate
This command configures the router to advertise itself as a Rendezvous Point (RP) candidate to the bootstrap router (BSR). Use the no form to remove this router as an RP candidate.
Chapter 31 | Multicast Routing Commands PIM Multicast Routing ◆ The election process for each group is based on the following criteria: ■ Find all RPs with the most specific group range. ■ Select those with the highest priority (lowest priority value). ■ Compute a hash value based on the group address, RP address, priority, and hash mask included in the bootstrap messages. ■ If there is a tie, use the candidate RP with the highest IP address.
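The four election criteria above, carried through in an added example that is not code from this guide or the switch. The guide does not give the hash formula, so the hash function of RFC 7761 section 4.7.2 is used as an assumption, including its rule that the highest hash value wins; the candidate list is constructed.

```python
import ipaddress


def rp_hash(group, rp_address, hash_mask_len):
    """RFC 7761 section 4.7.2 (assumed to be what the switch implements):
    Value(G, M, C) = (1103515245 * ((1103515245 * (G & M) + 12345) XOR C)
                      + 12345) mod 2^31"""
    g = int(ipaddress.IPv4Address(group))
    c = int(ipaddress.IPv4Address(rp_address))
    mask = (0xFFFFFFFF << (32 - hash_mask_len)) & 0xFFFFFFFF
    return (1103515245 * ((1103515245 * (g & mask) + 12345) ^ c) + 12345) % 2**31


def elect_rp(group, candidates, hash_mask_len):
    """Apply the criteria in order and return the elected RP address,
    or None when no candidate's group range covers the group."""
    g = ipaddress.IPv4Address(group)
    covering = [c for c in candidates
                if g in ipaddress.IPv4Network(c["range"])]
    if not covering:
        return None
    # 1. Most specific group range.
    longest = max(ipaddress.IPv4Network(c["range"]).prefixlen for c in covering)
    covering = [c for c in covering
                if ipaddress.IPv4Network(c["range"]).prefixlen == longest]
    # 2. Highest priority, which is the lowest priority value.
    best = min(c["priority"] for c in covering)
    covering = [c for c in covering if c["priority"] == best]
    # 3. Highest hash value; 4. on a tie, the highest RP address.
    winner = max(covering,
                 key=lambda c: (rp_hash(group, c["rp"], hash_mask_len),
                                int(ipaddress.IPv4Address(c["rp"]))))
    return winner["rp"]


# Constructed candidate RP set, as it would be learned from bootstrap messages.
CANDIDATES = [
    {"rp": "192.168.0.2", "range": "224.0.0.0/4", "priority": 10},
    {"rp": "192.168.0.3", "range": "224.0.0.0/4", "priority": 5},
    {"rp": "192.168.0.4", "range": "239.1.0.0/16", "priority": 200},
]
# Two equal-priority candidates: the hash spreads groups between them.
EQUAL = [
    {"rp": "192.168.0.2", "range": "224.0.0.0/4", "priority": 10},
    {"rp": "192.168.0.5", "range": "224.0.0.0/4", "priority": 10},
]

if __name__ == "__main__":
    for grp in ("239.1.1.1", "224.5.5.5"):
        print(grp, "->", elect_rp(grp, CANDIDATES, 20))
    for grp in ("239.1.1.1", "239.1.1.200", "239.1.2.1"):
        print(grp, "->", elect_rp(grp, EQUAL, 24))
```

Every router that holds the same candidate set and hash mask computes the same mapping, and groups that agree in the masked bits always land on the same RP.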
Chapter 31 | Multicast Routing Commands PIM Multicast Routing Default Setting The last-hop PIM router joins the shortest path tree immediately after the first packet arrives from a new source. Command Mode Global Configuration Command Usage ◆ The default path for packets from a multicast source to a receiver is through the RP. However, the path through the RP is not always the shortest path. Therefore, the router uses the RP to forward only the first packet from a new multicast group to its receivers.
Command Mode
Global Configuration
Command Usage
◆ For multicast group addresses that fall within the default SSM range of 232/8 or within a range set by this command, source-specific multicast service mode is used. For all other multicast addresses, any-source multicast service mode is used.
◆ SSM requires the client to specify the multicast source address in registration messages.
Chapter 31 | Multicast Routing Commands PIM Multicast Routing receivers to the source will be maintained, even if the source is not sending traffic for long periods of time, or has stopped sending altogether. Example This example sets the SSM address range to 224.2.151.0/24. Console(config)#ip pim ssm range 224.2.151.0 255.255.255.0 Console# ip pim dr-priority This command sets the priority value for a Designated Router (DR) candidate. Use the no form to restore the default setting.
Example
This example sets the priority used in the bidding process for the DR.

Console(config)#interface vlan 1
Console(config-if)#ip pim dr-priority 20
Console(config-if)#end
Console#show ip pim interface
PIM is enabled.
VLAN 1 is up.
PIM Mode : Sparse Mode
IP Address : 192.168.0.
prune state for this multicast stream. The protocol maintains both the current join state and the pending Reverse Path Tree (RPT) prune state for this (source, group) pair until the join/prune-interval timer expires.

Example
This example sets the join/prune interval.

Console(config)#interface vlan 1
Console(config-if)#ip pim join-prune-interval 210
Console#show ip pim interface
PIM is enabled.
VLAN 1 is up.
show ip pim bsr-router
This command displays information about the bootstrap router (BSR).

Command Mode
Privileged Exec

Command Usage
This command displays information about the elected BSR.

Example
This example displays information about the BSR.

Console#show ip pim bsr-router
PIMv2 Bootstrap information
BSR Address : 192.168.0.
show ip pim rp mapping
This command displays active RPs and associated multicast routing entries.

Command Mode
Privileged Exec

Example
This example displays the RP map.

Console#show ip pim rp mapping
PIM Group-to-RP Mappings
Groups : 224.0.0.0/8
RP address : 192.168.0.2/32
Info source : 192.168.0.
Table 199: show ip pim rp-hash - display description
Field         Description
RP address    IP address of the RP used for the specified multicast group
Info source   RP that advertised the mapping, and how the RP was selected

show ip pim ssm range
This command displays the range for source-specific multicast (SSM) addresses.

Command Mode
Privileged Exec

Example
Console#show ip pim ssm range
Group-address: 224.2.151.0
Group-mask: 255.255.255.
Table 200: PIM-DM and PIM-SM Multicast Routing Commands (Continued)
Command   Function   Mode
PIM-DM Commands
ipv6 pim graft-retry-interval   Configures the time to wait for a Graft acknowledgement before resending a Graft message   IC
ipv6 pim max-graft-retries   Configures the maximum number of times to resend a Graft message if it has not been acknowledged   IC
ipv6 pim state-refresh origination-interval   Sets the interval between PIM-DM state re
Command Usage
◆ This command enables PIM-DM and PIM-SM for IPv6 globally for the router. You also need to enable PIM-DM and PIM-SM for each interface that will support multicast routing using the ipv6 pim command, and make any changes necessary to the multicast protocol parameters.
◆ To use PIMv6, IPv6 multicast routing must be enabled on the switch using the ipv6 multicast-routing command.
that there are no group members or downstream routers, or when a prune message is received from a downstream router.
◆ Sparse-mode interfaces forward multicast traffic only if a join message is received from a downstream router or if group members are directly connected to the interface.
Command Usage
The ipv6 pim hello-holdtime should be greater than the value of ipv6 pim hello-interval.

Example
Console(config-if)#ipv6 pim hello-holdtime 210
Console(config-if)#

ipv6 pim hello-interval
This command configures the frequency at which PIM hello messages are transmitted. Use the no form to restore the default value.

Syntax
ipv6 pim hello-interval seconds
no pimv6 hello-interval
seconds - Interval between sending PIM hello messages.
Command Mode
Interface Configuration (VLAN)

Command Usage
The multicast interface that first receives a multicast stream from a particular source forwards this traffic to all other PIM interfaces on the router. If there are no requesting groups on that interface, the leaf node sends a prune message upstream and enters a prune state for this multicast stream.
Related Commands
ipv6 pim override-interval (1033)
ipv6 pim propagation-delay (1034)

ipv6 pim override-interval
This command configures the override interval, or the time it takes a downstream router to respond to a lan-prune-delay message. Use the no form to restore the default setting.
ipv6 pim propagation-delay
This command configures the propagation delay required for a LAN prune delay message to reach downstream routers. Use the no form to restore the default setting.

ipv6 pim propagation-delay milliseconds
no ipv6 pim propagation-delay
milliseconds - The time required for a lan-prune-delay message to reach downstream routers attached to the same VLAN interface.
Command Mode
Interface Configuration (VLAN)

Command Usage
◆ When a router first starts or PIM is enabled on an interface, the hello delay is set to a random value between 0 and the trigger-hello-delay. This prevents synchronization of Hello messages on multi-access links if multiple routers are powered on simultaneously.
show ipv6 pim neighbor
This command displays information about PIM neighbors.

Syntax
show ipv6 pim neighbor [interface vlan vlan-id]
vlan-id - VLAN ID (Range: 1-4094)

Default Setting
Displays information for all known PIM neighbors.
Command Mode
Interface Configuration (VLAN)

Command Usage
A graft message is sent by a router to cancel a prune state. When a router receives a graft message, it must respond with a graft acknowledgement message. If this acknowledgement message is lost, the router that sent the graft message will resend it a number of times (as defined by the ipv6 pim max-graft-retries command).
ipv6 pim state-refresh origination-interval
This command sets the interval between sending PIM-DM state refresh control messages. Use the no form to restore the default value.

Syntax
ipv6 pim state-refresh origination-interval seconds
no ipv6 pim max-graft-retries
seconds - The interval between sending PIM-DM state refresh control messages.
when the hash function is executed on any BSR, all groups with the same seed hash will be mapped to the same RP. If the mask length is less than 32, then only the first portion of the hash is used, and a single RP will be defined for multiple groups. (Range: 0-32 bits)
priority - Priority used by the candidate bootstrap router in the election process. The BSR candidate with the largest priority is preferred.
State : Elected BSR
Console#

ipv6 pim register-rate-limit
This command configures the rate at which register messages are sent by the Designated Router (DR) for each (source, group) entry. Use the no form to restore the default value.

Syntax
ipv6 pim register-rate-limit rate
no ipv6 pim register-rate-limit
rate - The maximum number of register packets per second.
Command Mode
Global Configuration

Command Usage
When the source address of a register message is filtered by intermediate network devices, or is not a uniquely routed address to which the RP can send packets, the replies sent from the RP to the source address will fail to reach the DR, resulting in PIM6-SM protocol failures.
longer group prefix length. If the prefix lengths are the same, then the static RP with the highest IP address is chosen.
◆ Static definitions for RP addresses may be used together with RP addresses dynamically learned through the bootstrap router (BSR).
seconds - The interval at which this device advertises itself as an RP candidate. (Range: 60-16383 seconds)
value - Priority used by the candidate RP in the election process. The RP candidate with the largest priority is preferred. If the priority values are the same, the candidate with the larger IP address is elected to be the RP. Setting the priority to zero means that this router is not eligible to serve as the RP.
Example
The following example configures the router to start advertising itself to the BSR as a candidate RP for the indicated multicast groups.
◆ Only one entry is allowed for this command.

Example
This example prevents the switch from using the SPT for multicast groups FF01:1::0101/64.
Example
This example sets the priority used in the bidding process for the DR.

Console(config)#interface vlan 1
Console(config-if)#ipv6 pim dr-priority 20
Console(config-if)#end
Console#show ipv6 pim interface
PIM is enabled.
VLAN 1 is up.
prune state for this multicast stream. The protocol maintains both the current join state and the pending Reverse Path Tree (RPT) prune state for this (source, group) pair until the join/prune-interval timer expires.

Example
This example sets the join/prune interval.

Console(config)#interface vlan 1
Console(config-if)#ipv6 pim join-prune-interval 220
Console#show ipv6 pim interface
PIM is enabled.
VLAN 1 is up.
show ipv6 pim bsr-router
This command displays information about the bootstrap router (BSR).

Command Mode
Privileged Exec

Command Usage
This command displays information about the elected BSR.

Example
This example displays information about the BSR.
show ipv6 pim rp mapping
This command displays active RPs and associated multicast routing entries.

Command Mode
Privileged Exec

Example
This example displays the RP map.
Table 204: show ip pim rp-hash - display description
Field         Description
RP address    IP address of the RP used for the specified multicast group
Info source   RP that advertised the mapping, and how the RP was selected
Section III Appendices

This section provides additional information and includes these items:
◆ “Linux Startup Script” on page 1053
◆ “Troubleshooting” on page 1061
◆ “License Information” on page 1063
A Linux Startup Script

The current software allows you to enter the Linux Shell and manage the switch like a Linux PC. You can use this shell to add Linux commands or install 3rd party software. We also provide a script file that can be used to save your configuration in Linux to be automatically executed in the next start-up.
B Troubleshooting

Problems Accessing the Management Interface

Table 205: Troubleshooting Chart
Symptom: Cannot connect using Telnet, or SNMP software
Action: Be sure the switch is powered up. Check network cabling between the management station and the switch. Make sure the ends are properly connected and there is no damage to the cable. Test the cable if necessary.
Symptom: Cannot connect using Secure Shell
Appendix B | Troubleshooting

Using System Logs
If a fault does occur, refer to the Installation Guide to ensure that the problem you encountered is actually caused by the switch. If the problem appears to be caused by the switch, follow these steps:
1. Enable logging.
2. Set the error messages reported to include all categories.
3. Enable SNMP.
4. Enable SNMP traps.
5. Designate the SNMP host that is to receive the error messages.
6.
C License Information

This product includes copyrighted third-party software subject to the terms of the GNU General Public License (GPL), GNU Lesser General Public License (LGPL), or other related free software licenses. The GPL code used in this product is distributed WITHOUT ANY WARRANTY and is subject to the copyrights of one or more authors. For details, refer to the section "The GNU General Public License" below, or refer to the applicable license as included in the source-code archive.
Appendix C | License Information

The GNU General Public License

GNU GENERAL PUBLIC LICENSE
TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION

1. This License applies to any program or other work which contains a notice placed by the copyright holder saying it may be distributed under the terms of this General Public License.
b) Accompany it with a written offer, valid for at least three years, to give any third party, for a charge no more than your cost of physically performing source distribution, a complete machine-readable copy of the corresponding source code, to be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or,
c) Accompany it with the information you received as to the offer to distribute c
9. If the distribution and/or use of the Program is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the Program under this License may add an explicit geographical distribution limitation excluding those countries, so that distribution is permitted only in or among countries not thus excluded.
Glossary

ACL Access Control List. ACLs can limit network traffic and restrict access to certain users or devices by checking each packet for certain IP or MAC (i.e., Layer 2) information.

ARP Address Resolution Protocol converts between IP addresses and MAC (hardware) addresses. ARP is used to locate the MAC address corresponding to a given IP address. This allows the switch to use IP addresses for routing decisions and the corresponding MAC addresses to forward packets from one hop to the next.
DNS Domain Name Service. A system used for translating host names for network nodes into IP addresses.

DSCP Differentiated Services Code Point Service. DSCP uses a six-bit tag to provide for up to 64 different forwarding behaviors. Based on network policies, different kinds of traffic can be marked for different kinds of forwarding. The DSCP bits are mapped to the Class of Service categories, and then into the output queues.

EAPOL Extensible Authentication Protocol over LAN.
IEEE 802.1D Specifies a general method for the operation of MAC bridges, including the Spanning Tree Protocol.

IEEE 802.1Q VLAN Tagging—Defines Ethernet frame tags which carry VLAN information. It allows switches to assign endstations to different virtual LANs, and defines a standard way for VLANs to communicate across switched networks.

IEEE 802.1p An IEEE standard for providing quality of service (QoS) in Ethernet networks.
IGMP Snooping Listening to IGMP Query and IGMP Report packets transferred between IP Multicast Routers and IP Multicast host groups to identify IP Multicast group members.

In-Band Management Management of the network from a station attached directly to the network.

Indigo Indigo is an open source project aimed at enabling support for OpenFlow on physical switches.

IP Multicast Filtering A process whereby this switch can pass multicast traffic along to participating hosts.
MRD Multicast Router Discovery is a protocol used by IGMP snooping and multicast routing devices to discover which interfaces are attached to multicast routers. This process allows IGMP-enabled devices to determine where to send multicast source and group membership messages.

MSTP Multiple Spanning Tree Protocol can provide an independent spanning tree for different VLANs.
Private VLANs Private VLANs provide port-based security and isolation between ports within the assigned VLAN. Data traffic on downlink ports can only be forwarded to, and from, uplink ports.

QinQ QinQ tunneling is designed for service providers carrying traffic for multiple customers across their networks. It is used to maintain customer-specific VLAN and Layer 2 protocol configurations even when different customers use the same internal VLAN IDs.

QoS Quality of Service.
SSH Secure Shell is a secure replacement for remote access functions, including Telnet. SSH can authenticate users with a cryptographic key, and encrypt data connections between management clients and the switch.

STA Spanning Tree Algorithm is a technology that checks your network for any loops. A loop can often occur in complicated or backup linked network systems. Spanning Tree detects and directs data along the shortest available path, maximizing the performance and efficiency of the network.
XModem A protocol used to transfer files between devices. Data is grouped in 128-byte blocks and error-corrected.
List of CLI Commands abr-type 863 access-list arp 348 access-list ip 332 access-list ipv6 338 access-list mac 343 aggregate-address 909 area authentication 830 area default-cost 824 area default-cost 866 area nssa 831 area range 825 area range 867 area stub 833 area stub 870 area virtual-link 834 area virtual-link 871 arp 731 arp timeout 732 authentication enable 210 authentication login 211 auto-cost reference-bandwidth 826 banner configure 107 banner configure company 108 banner configure dc-power-info 1
List of CLI Commands clock summer-time recurring 170 clock timezone 172 clock timezone-predefined 172 cn 554 cn cnm-transmit-priority 554 cn cnpv 555 cn cnpv alternate-priority (Global Configuration) 556 cn cnpv alternate-priority (Interface Configuration) 558 cn cnpv defense-mode (Global Configuration) 557 cn cnpv defense-mode (Interface Configuration) 559 collapsed-dst-ip (IPv6 Hash) 793 collapsed-src-ip (IPv6 Hash) 794 compatible rfc1583 820 configure 101 continue 975 copy 131 databits 145 dcbx 538 dcbx
List of CLI Commands ip dhcp snooping information option circuit-id 284 ip dhcp snooping information option encode no-subtype 280 ip dhcp snooping information option remote-id 281 ip dhcp snooping information policy 282 ip dhcp snooping limit rate 282 ip dhcp snooping trust 286 ip dhcp snooping verify mac-address 283 ip dhcp snooping vlan 284 ip domain-list 704 ip domain-lookup 705 ip domain-name 705 ip extcommunity-list 906 ip host 706 ip http authentication 221 ip http port 221 ip http secure-port 222 ip
List of CLI Commands ip ssh server-key size 231 ip ssh timeout 231 ip telnet max-sessions 225 ip telnet port 225 ip telnet server 226 ip tftp retry 142 ip tftp timeout 143 ipv6 access-group 341 ipv6 address 736 ipv6 address eui-64 737 ipv6 address link-local 739 ipv6 default-gateway 735 ipv6 dhcp client rapid-commit vlan 716 ipv6 dhcp relay destination 719 ipv6 dhcp snooping 289 ipv6 dhcp snooping max-binding 295 ipv6 dhcp snooping option remote-id 292 ipv6 dhcp snooping option remote-id policy 293 ipv6 dh
List of CLI Commands lldp dcbx-tlv ets-config 644 lldp dcbx-tlv ets-recommend 645 lldp dcbx-tlv pfc-config 646 lldp dot1-tlv proto-ident 646 lldp dot1-tlv proto-vid 647 lldp dot1-tlv pvid 647 lldp dot1-tlv vlan-name 648 lldp dot3-tlv link-agg 648 lldp dot3-tlv mac-phy 649 lldp dot3-tlv max-frame 649 lldp holdtime-multiplier 637 lldp med-fast-start-count 638 lldp med-location civic-addr 650 lldp med-notification 651 lldp med-tlv inventory 652 lldp med-tlv location 653 lldp med-tlv med-cap 653 lldp med-tlv n
List of CLI Commands neighbor timers connect 953 neighbor unsuppress-map 954 neighbor update-source 955 neighbor weight 955 network 805 network 919 network area 836 network-access aging 258 network-access dynamic-qos 260 network-access dynamic-vlan 261 network-access guest-vlan 262 network-access link-detection 262 network-access link-detection link-down 263 network-access link-detection link-up 263 network-access link-detection link-up-down 264 network-access mac-filter 258 network-access max-mac-count 26
List of CLI Commands set local-preference 988 set metric 988 set origin 989 set originator-id 990 set pathlimit ttl 990 set phb 532 set weight 991 show access-group 352 show access-list 352 show access-list arp 350 show access-list tcam-utilization 117 show arp 733 show arp access-list 350 show banner 115 show calendar 174 show class-map 533 show cn 559 show cn cnpv 560 show cn cp 561 show dcbx 540 show debug vxlan 497 show dns 709 show dns cache 710 show dot1q-tunnel 482 show dot1x 245 show ecmp load-bala
List of CLI Commands show ip protocols bgp 970 show ip protocols ospf 859 show ip protocols rip 816 show ip rip 817 show ip route 785 show ip route database 786 show ip route summary 787 show ip source-guard 304 show ip source-guard binding 305 show ip ssh 234 show ip telnet 226 show ip tftp 143 show ip traffic 727 show ip traffic 787 show ipv6 access-group 342 show ipv6 access-list 342 show ipv6 dhcp relay destination 720 show ipv6 dhcp snooping 297 show ipv6 dhcp snooping binding 297 show ipv6 dhcp snoop
List of CLI Commands show snmp engine-id 189 show snmp group 190 show snmp notify-filter 195 show snmp user 191 show snmp view 192 show snmp-server enable port-traps 184 show sntp 163 show spanning-tree 460 show spanning-tree mst configuration 461 show ssh 236 show startup-config 122 show system 122 show tacacs-server 220 show tech-support 124 show traffic-segmentation 330 show udld 430 show upgrade 142 show users 125 show version 125 show vlan 474 show vrrp 776 show vrrp interface 778 show vrrp interface
List of CLI Commands traffic-class weight 549 traffic-segmentation 326 traffic-segmentation session 328 traffic-segmentation uplink/downlink 328 traffic-segmentation uplink-to-uplink 329 transceiver-monitor 373 transceiver-threshold current 374 transceiver-threshold rx-power 375 transceiver-threshold temperature 376 transceiver-threshold tx-power 377 transceiver-threshold voltage 378 transceiver-threshold-auto 373 udld aggressive 428 udld detection-interval 425 udld message-interval 426 udld port 429 udld
Index Numerics 802.1Q tunnel 475 access 478 configuration, guidelines 475 configuration, limitations 476 CVID to SVID map 480 ethernet type 477 interface configuration ??–477, 478–?? mode selection 478 status, configuring 476 TPID 477 uplink 478 802.
Index PIMv6-SM 1038 Border Gateway Protocol See BGP BPDU filter 450 guard 450 ignoring superior BPDUs 457 selecting protocol based on message format 459 shut down port on receipt 450 broadcast storm, threshold 417 C CFM continuity check errors 685, 686 continuity check messages 661, 681, 682 cross-check errors 683, 687, 689 cross-check message 661, 687, 689, 690 cross-check start delay 687 delay measure 700 domain service access point 668 fault isolation 661, 693 fault notification 661, 696, 697, 698 faul
Index information option 279 information option policy 282 information option, circuit ID 284 information option, enabling 279 information option, remote ID 279 information option, suboption format 279 policy selection 282 specifying trusted interfaces 286 subtype field 280 trusted port 286 untrusted port 286 verifying MAC addresses 283 VLAN configuration 284 DHCPv4 snooping information option 281 information option, enabling 281 remote ID 281 sub-length field 280 sub-option format 280 sub-type and sub-len
Index external BGP 889 F fault isolation, CFM 661, 693 fault notification generator, CFM 697, 699 fault notification, CFM 661, 696, 697, 698 fault verification, CFM 661 FIB, description 785 firmware displaying version 125 upgrading 131 upgrading automatically 139 upgrading with FTP or TFP 131 version, displaying 125 forwarding information base See FIB G gateway, IPv4 default 726 gateway, IPv6 default 735 general security measures 251 GNU license 1063 H hardware version, displaying 125 hash mask length,
Index router port expire time 569 static host interface 580 static multicast routing 587 static port assignment 580 static router interface 587 static router port, configuring 587 statistics, displaying 584 TCN flood 569 unregistered data flooding 571 version exclusive 573 version for interface, setting 572 version, setting 572 with proxy reporting 567 immediate leave, IGMP snooping 574 immediate leave, MLD snooping 604 importing user public keys 131 ingress filtering 470 internal BGP 889 IP address DHCP 7
Index interface attributes, configuring 641–654 local device information, displaying 656 message attributes 635 message statistics 660 remote information, displaying 657 remote port information, displaying 657 timing attributes, configuring 637–640 TLV, 802.1 646–648 TLV, 802.
Index MTU for IPv6 742 multicast filtering 563 enabling IGMP snooping 565 enabling IGMP snooping per interface 565 enabling MLD snooping 600 router configuration 587 multicast groups 583 static 580, 583 Multicast Listener Discovery See MLD Multicast Listener Discovery See MLD snooping multicast router discovery 577 multicast router port, displaying 584 multicast routing 993 ECMP 790 ECMP maximum paths 790 enabling, IPv4 993 enabling, IPv6 996 global settings, IPv4 993 global settings, IPv6 996 PIM 1002 PIM
Index enabling 862 general settings 860 interface summary information, displaying 883 LSA database, displaying 882 neighboring router information, diplaying 884 network area 873 normal area 873, 874 process ID 862 redistributing external routes 869 route summary, ABR 867 router ID 865 routing table, displaying 885 SPF timers 866 stub 870 transit area 871 virtual link 871 virtual links, displaying 886 P password, line 148 passwords 59, 208 administrator setting 209 path cost 451 method 444 STA 444, 451 pea
Index srTCM 526 srTCM police meter 526 trTCM 529 trTCM police meter 529 QoS policy, committed information rate 525, 526, 529 QoS policy, peak information rate 529 queue mode, setting 500 queue weight, assigning to CoS 501 policy map description 521 DiffServ 523 port authentication 236, 238 port priority configuring 499 default ingress 502 STA 456 port security, configuring 252 ports broadcast storm threshold 417 configuring 355 flow control 357 forced selection on combo ports 359 loopback test 382 mirrori
Index version 809 RMON 199 alarm, displaying settings 204 alarm, setting thresholds 200 commands 199 event settings, displaying 204 response to alarm setting 201 statistics history, collection 202 statistics history, displaying 205 statistics, collection 203 statistics, displaying 205 root guard 457 router redundancy protocols 771 VRRP 771 Routing Information Protocol See RIP routing nformation base, description 785 routing table, displaying 784, 785 RSA encryption 233 RSTP 443 global settings, configuring
Index port 364 TCP 727, 787 UDP 727, 787 VLAN 364 STP 443 Also see STA summer time, setting 168–170 switch settings restoring 129 saving 129 system clock setting 160 setting manually 173 setting the time zone 172 setting with NTP 166–167 setting with SNTP 161–163 summer time 168–170 system logs 156 system software, downloading from server 131 T TACACS+ logon authentication 217 settings 217 TCN flood 569 general query solicitation 570 Telnet configuring 224 server, enabling 226 telnet connection, configuri