ECS4130-28T Software Release v1.1.2.212 CLI Reference Guide www.edge-core.
CLI Reference Guide ECS4130-28T L2 Gigabit switch with 24 1000BASE-T RJ-45 ports and 4 10G SFP+ ports E072021-CS-R01
How to Use This Guide
This guide includes detailed information on the switch software, including how to operate and use the management functions of the switch. To deploy this switch effectively and ensure trouble-free operation, you should first read the relevant sections in this guide so that you are familiar with all of its software features.
Who Should Read This Guide? This guide is for network administrators who are responsible for operating and maintaining network equipment.
How to Use This Guide Conventions The following conventions are used throughout this guide to show information: Note: Emphasizes important information or calls your attention to related features or instructions. Caution: Alerts you to a potential hazard that could cause loss of data, or damage the system or equipment. Documentation This documentation is provided for general information purposes only.
Contents Section I How to Use This Guide 3 Contents 5 Tables 37 Getting Started 43 1 Initial Switch Configuration Connecting to the Switch 45 45 Configuration Options 45 Connecting to the Console Port 46 Logging Onto the Command Line Interface 47 Setting Passwords 47 Remote Connections 48 Configuring the Switch for Remote Management 49 Using the Network Interface 49 Setting an IP Address 49 Enabling SNMP Management Access 54 Managing System Files 57 Upgrading the Operation Co
Contents Configuring NTP Section II 69 Command Line Interface 2 Using the Command Line Interface Accessing the CLI 71 73 73 Console Connection 73 Telnet Connection 74 Entering Commands 75 Keywords and Arguments 75 Minimum Abbreviation 75 Command Completion 75 Getting Help on Commands 76 Partial Keyword Lookup 78 Negating the Effect of Commands 78 Using Command History 78 Understanding Command Modes 78 Exec Commands 79 Configuration Commands 80 Command Line Processing 81 Sho
Contents 4 System Management Commands Device Designation 93 93 hostname 94 Banner Information 94 banner configure 95 banner configure company 96 banner configure dc-power-info 97 banner configure department 97 banner configure equipment-info 98 banner configure equipment-location 99 banner configure ip-lan 99 banner configure lp-number 100 banner configure manager-info 101 banner configure mux 101 banner configure note 102 show banner 103 System Status 103 show access-list t
Contents General Commands 117 boot system 117 copy 118 delete 122 dir 123 whichboot 124 Automatic Code Upgrade Commands 124 upgrade opcode auto 124 upgrade opcode path 125 upgrade opcode reload 126 show upgrade 127 TFTP Configuration Commands 127 ip tftp retry 127 ip tftp timeout 128 show ip tftp 128 Line 129 line 130 databits 130 exec-timeout 131 login 132 parity 133 password 133 password-thresh 134 silent-time 135 speed 136 stopbits 136 timeout login res
Contents logging level 143 logging on 143 logging trap 144 clear log 145 show log 145 show logging 146 SMTP Alerts 148 logging sendmail 148 logging sendmail destination-email 148 logging sendmail host 149 logging sendmail level 150 logging sendmail source-email 150 show logging sendmail 151 Time 151 SNTP Commands 152 sntp client 152 sntp poll 153 sntp server 154 show sntp 154 NTP Commands 155 ntp authenticate 155 ntp authentication-key 156 ntp client 157 ntp se
Contents Time Range 166 time-range 166 absolute 167 periodic 168 show time-range 169 Switch Clustering 169 cluster 170 cluster commander 171 cluster ip-pool 172 cluster member 173 rcommand 173 show cluster 174 show cluster members 174 show cluster candidates 175 5 SNMP Commands 177 General SNMP Commands 179 snmp-server 179 snmp-server community 179 snmp-server contact 180 snmp-server location 181 show snmp 181 SNMP Target Host Commands 182 snmp-server enable trap
Contents show snmp user 194 show snmp view 195 Notification Log Commands 195 nlm 195 snmp-server notify-filter 196 show nlm oper-status 198 show snmp notify-filter 198 Additional Trap Commands 198 memory 198 process cpu 199 process cpu guard 200 6 Remote Monitoring Commands 203 rmon alarm 204 rmon event 205 rmon collection history 206 rmon collection rmon1 207 show rmon alarms 208 show rmon events 208 show rmon history 209 show rmon statistics 209 7 Flow Sampling Com
Contents authentication login RADIUS Client 223 224 radius-server acct-port 224 radius-server auth-port 225 radius-server host 225 radius-server key 226 radius-server encrypted-key 227 radius-server retransmit 227 radius-server timeout 228 show radius-server 228 TACACS+ Client 229 tacacs-server host 229 tacacs-server key 230 tacacs-server encrypted-key 231 tacacs-server port 231 tacacs-server retransmit 232 tacacs-server timeout 232 show tacacs-server 233 AAA 233 aaa acco
Contents ip http authentication 245 ip http port 246 ip http server 246 ip http secure-port 247 ip http secure-server 247 Telnet Server 249 ip telnet max-sessions 249 ip telnet port 250 ip telnet server 250 telnet (client) 250 show ip telnet 251 Secure Shell 251 ip ssh authentication-retries 254 ip ssh server 254 ip ssh timeout 255 delete public-key 256 ip ssh crypto host-key generate 256 ip ssh crypto zeroize 257 ip ssh save host-key 258 show ip ssh 258 show public-
Contents dot1x timeout re-authperiod 267 dot1x timeout supp-timeout 267 dot1x timeout tx-period 268 dot1x re-authenticate 268 Information Display Commands show dot1x 269 269 Management IP Filter 272 management 272 show management 273 PPPoE Intermediate Agent 274 pppoe intermediate-agent 274 pppoe intermediate-agent format-type 275 pppoe intermediate-agent port-enable 276 pppoe intermediate-agent port-format-type 277 pppoe intermediate-agent port-format-type remote-id-delimiter 27
Contents network-access link-detection 296 network-access link-detection link-down 296 network-access link-detection link-up 297 network-access link-detection link-up-down 298 network-access max-mac-count 298 network-access mode mac-authentication 299 network-access port-mac-filter 300 mac-authentication intrusion-action 301 mac-authentication max-mac-count 301 clear network-access 302 show network-access 302 show network-access mac-address-table 303 show network-access mac-filter
Contents ip dhcp snooping trust 323 clear ip dhcp snooping binding 324 clear ip dhcp snooping database flash 324 ip dhcp snooping database flash 324 show ip dhcp snooping 325 show ip dhcp snooping binding 325 DHCPv6 Snooping 326 ipv6 dhcp snooping 326 ipv6 dhcp snooping option remote-id 329 ipv6 dhcp snooping option remote-id policy 330 ipv6 dhcp snooping vlan 331 ipv6 dhcp snooping max-binding 332 ipv6 dhcp snooping trust 332 clear ipv6 dhcp snooping binding 333 clear ipv6 dhcp
Contents ip arp inspection log-buffer logs 351 ip arp inspection validate 352 ip arp inspection vlan 353 ip arp inspection limit 354 ip arp inspection trust 354 show ip arp inspection configuration 355 show ip arp inspection interface 355 show ip arp inspection log 356 show ip arp inspection statistics 356 show ip arp inspection vlan 357 Denial of Service Protection 357 dos-protection echo-chargen 358 dos-protection land 358 dos-protection smurf 359 dos-protection tcp-flooding
Contents show ip access-group 375 show ip access-list 375 IPv6 ACLs 376 access-list ipv6 376 permit, deny (Standard IPv6 ACL) 377 permit, deny (Extended IPv6 ACL) 378 ipv6 access-group 380 show ipv6 access-group 381 show ipv6 access-list 381 MAC ACLs 382 access-list mac 382 permit, deny (MAC ACL) 383 mac access-group 387 show mac access-group 387 show mac access-list 388 ARP ACLs 388 access-list arp 388 permit, deny (ARP ACL) 389 show access-list arp 390 ACL Informatio
Contents speed-duplex 403 clear counters 404 show discard 405 show interfaces brief 405 show interfaces counters 406 show interfaces history 410 show interfaces status 412 show interfaces switchport 413 Transceiver Threshold Configuration 415 transceiver-monitor 415 transceiver-threshold-auto 415 transceiver-threshold current 416 transceiver-threshold rx-power 417 transceiver-threshold temperature 418 transceiver-threshold tx-power 419 transceiver-threshold voltage 420 show
Contents lacp admin-key (Port Channel) 435 lacp timeout 436 Trunk Status Display Commands 437 show lacp 437 show port-channel load-balance 440 13 Port Mirroring Commands Local Port Mirroring Commands 441 441 port monitor 441 show port monitor 442 RSPAN Mirroring Commands 443 rspan source 445 rspan destination 446 rspan remote vlan 447 no rspan session 448 show rspan 448 14 Congestion Control Commands Rate Limit Commands 451 451 rate-limit 452 Storm Control Commands 453 swi
Contents snmp-server enable port-traps atc broadcast-control-release 465 snmp-server enable port-traps atc multicast-alarm-clear 465 snmp-server enable port-traps atc multicast-alarm-fire 466 snmp-server enable port-traps atc multicast-control-apply 466 snmp-server enable port-traps atc multicast-control-release 467 ATC Display Commands 467 show auto-traffic-control 467 show auto-traffic-control interface 468 15 Loopback Detection Commands 469 loopback-detection 470 loopback-detection a
Contents show mac-address-table hash-lookup-depth 18 TWAMP Commands 489 491 twamp reflector 491 twamp reflector refwait 492 show twamp reflector 492 19 Spanning Tree Commands 493 spanning-tree 494 spanning-tree cisco-prestandard 495 spanning-tree forward-time 495 spanning-tree hello-time 496 spanning-tree max-age 497 spanning-tree mode 497 spanning-tree mst configuration 499 spanning-tree pathcost method 499 spanning-tree priority 500 spanning-tree system-bpdu-flooding 501 s
Contents spanning-tree mst port-priority 515 spanning-tree port-bpdu-flooding 515 spanning-tree port-priority 516 spanning-tree root-guard 517 spanning-tree spanning-disabled 518 spanning-tree tc-prop-stop 518 spanning-tree loopback-detection release 519 spanning-tree protocol-migration 519 show spanning-tree 520 show spanning-tree mst configuration 522 show spanning-tree tc-prop 523 20 VLAN Commands 525 GVRP and Bridge Extension Commands 526 bridge-ext gvrp 526 garp timer 527
Contents dot1q-tunnel system-tunnel-control 543 dot1q-tunnel tpid 544 switchport dot1q-tunnel mode 545 switchport dot1q-tunnel priority map 545 switchport dot1q-tunnel service match cvid 546 show dot1q-tunnel service 548 show dot1q-tunnel 549 Configuring L2PT Tunneling 550 l2protocol-tunnel tunnel-dmac 550 switchport l2protocol-tunnel 553 show l2protocol-tunnel 554 Configuring VLAN Translation 554 switchport vlan-translation 554 show vlan-translation 556 Configuring Protocol-bas
Contents 21 ERPS Commands 573 erps 575 erps node-id 576 erps vlan-group 577 erps ring 577 erps instance 578 ring-port 579 exclusion-vlan 580 enable (ring) 580 enable (instance) 581 meg-level 581 control-vlan 582 rpl owner 583 rpl neighbor 584 wtr-timer 585 guard-timer 585 holdoff-timer 586 major-ring 587 propagate-tc 587 bpdu-tcn-notify 588 non-revertive 588 raps-def-mac 592 raps-without-vc 593 version 595 inclusion-vlan 596 physical-ring 597 erps forced-
Contents queue mode 608 queue weight 609 switchport priority default 610 show queue mode 611 show queue weight 611 Priority Commands (Layer 3 and 4) 612 qos map phb-queue 613 qos map cos-dscp 614 qos map dscp-mutation 615 qos map ip-prec-dscp 616 qos map trust-mode 617 show qos map cos-dscp 618 show qos map dscp-mutation 619 show qos map ip-prec-dscp 620 show qos map phb-queue 620 show qos map trust-mode 621 23 Quality of Service Commands 623 class-map 624 description 6
Contents control-plane 641 service-policy 642 show policy-map control-plane 642 25 Multicast Filtering Commands IGMP Snooping 645 645 ip igmp snooping 647 ip igmp snooping mrouter-forward-mode dynamic 648 ip igmp snooping priority 648 ip igmp snooping proxy-reporting 649 ip igmp snooping querier 650 ip igmp snooping router-alert-option-check 650 ip igmp snooping router-port-expire-time 651 ip igmp snooping tcn-flood 651 ip igmp snooping tcn-query-solicit 652 ip igmp snooping unreg
Contents show ip igmp snooping statistics Static Multicast Routing 668 671 ip igmp snooping vlan mrouter IGMP Filtering and Throttling 671 672 ip igmp filter (Global Configuration) 673 ip igmp profile 673 permit, deny 674 range 674 ip igmp authentication 675 ip igmp filter (Interface Configuration) 677 ip igmp max-groups 677 ip igmp max-groups action 678 ip igmp query-drop 679 ip multicast-data-drop 679 show ip igmp authentication 680 show ip igmp filter 680 show ip igmp profile
Contents clear ipv6 mld snooping statistics 694 show ipv6 mld snooping 694 show ipv6 mld snooping group 695 show ipv6 mld snooping group source-list 696 show ipv6 mld snooping mrouter 696 show ipv6 mld snooping statistics 697 MLD Filtering and Throttling 701 ipv6 mld filter (Global Configuration) 702 ipv6 mld profile 702 permit, deny 703 range 703 ipv6 mld filter (Interface Configuration) 704 ipv6 mld max-groups 705 ipv6 mld max-groups action 706 ipv6 mld query-drop 706 ipv6 m
Contents clear mvr statistics 721 show mvr 722 show mvr associated-profile 723 show mvr interface 724 show mvr members 725 show mvr profile 727 show mvr statistics 727 26 LLDP Commands 733 lldp 735 lldp holdtime-multiplier 735 lldp med-fast-start-count 736 lldp notification-interval 736 lldp refresh-interval 737 lldp reinit-delay 737 lldp tx-delay 738 lldp admin-status 739 lldp basic-tlv management-ip-address 739 lldp basic-tlv management-ipv6-address 740 lldp basic-tlv
Contents lldp med-tlv network-policy 751 lldp notification 751 show lldp config 752 show lldp info local-device 753 show lldp info remote-device 754 show lldp info statistics 756 27 OAM Commands 757 efm oam 758 efm oam critical-link-event 758 efm oam link-monitor frame 759 efm oam link-monitor frame threshold 760 efm oam link-monitor frame window 760 efm oam mode 761 clear efm oam counters 762 clear efm oam event-log 762 efm oam remote-loopback 763 efm oam remote-loopback te
Contents Multicast DNS Commands 777 ip mdns 777 show ip mdns 777 29 DHCP Commands 779 DHCP Client 779 DHCP for IPv4 780 ip dhcp dynamic-provision 780 ip dhcp client class-id 781 ip dhcp restart client 783 show ip dhcp dynamic-provision 783 DHCP for IPv6 784 ipv6 dhcp client rapid-commit vlan 784 ipv6 dhcp restart client vlan 784 ipv6 dhcp dynamic-provision 786 show ipv6 dhcp duid 786 show ipv6 dhcp vlan 787 show ipv6 dhcp dynamic-provision 787 DHCP Relay 788 DHCP Relay f
Contents host 798 lease 799 netbios-name-server 800 netbios-node-type 800 network 801 next-server 802 option 803 clear ip dhcp binding 803 show ip dhcp binding 804 show ip dhcp 805 show ip dhcp pool 805 30 IP Interface Commands 807 IPv4 Interface 807 Basic IPv4 Configuration 808 ip address 808 ip default-gateway 810 show ip interface 811 show ip traffic 812 traceroute 813 ping 814 ARP Configuration 815 arp 815 arp timeout 816 ip proxy-arp 817 clear arp-cache
Contents ipv6 enable 828 ipv6 mtu 829 show ipv6 interface 830 show ipv6 mtu 832 show ipv6 traffic 833 clear ipv6 traffic 837 ping6 838 traceroute6 839 Neighbor Discovery 840 ipv6 hop-limit 840 ipv6 neighbor 841 ipv6 nd dad attempts 842 ipv6 nd managed-config-flag 844 ipv6 nd other-config-flag 844 ipv6 nd ns-interval 845 ipv6 nd raguard 846 show ipv6 nd raguard 847 ipv6 nd reachable-time 848 ipv6 nd prefix 848 ipv6 nd ra interval 850 ipv6 nd ra lifetime 851 ipv6 nd
Contents clear ipv6 nd snooping prefix 861 show ipv6 nd snooping 862 show ipv6 nd snooping binding 862 show ipv6 nd snooping prefix 863 28 IP Routing Commands Global Routing Configuration 865 IPv4 Commands 866 ip route 866 show ip route 867 show ip host-route 868 show ip route database 869 show ip route summary 869 show ip traffic 870 IPv6 Commands 871 ipv6 route 871 show ipv6 route 872 ECMP Commands 873 maximum-paths Section III 865 873 Appendices 875 A Troubleshootin
Tables Table 1: DHCP Options 60, 66 and 67 Statements 66 Table 2: DHCPv6 Options 59 and 60 Statements 67 Table 3: DHCP Options 55 and 124 Statements 67 Table 4: General Command Modes 79 Table 5: Configuration Command Modes 81 Table 6: Keystroke Commands 81 Table 7: Command Group Index 83 Table 8: General Commands 85 Table 9: System Management Commands 93 Table 10: Device Designation Commands 93 Table 11: Banner Commands 94 Table 12: System Status Commands 103 Table 13: show access-l
Tables Table 30: SNMP Commands 177 Table 31: show snmp engine-id - display description 192 Table 32: show snmp group - display description 193 Table 33: show snmp user - display description 194 Table 34: show snmp view - display description 195 Table 35: RMON Commands 203 Table 36: sFlow Commands 211 Table 37: Authentication Commands 217 Table 38: User Access Commands 218 Table 39: Default Login Settings 220 Table 40: Authentication Sequence Commands 222 Table 41: RADIUS Client Comman
Tables Table 65: ARP Inspection Commands 349 Table 66: DoS Protection Commands 357 Table 67: Commands for Configuring Traffic Segmentation 364 Table 68: Traffic Segmentation Forwarding 364 Table 69: Access Control List Commands 369 Table 70: IPv4 ACL Commands 369 Table 71: IPv6 ACL Commands 376 Table 72: MAC ACL Commands 382 Table 73: ARP ACL Commands 388 Table 74: ACL Information Commands 391 Table 75: Interface Commands 395 Table 76: show interfaces counters - display description 4
Tables Table 100: show bridge-ext - display description 530 Table 101: Commands for Editing VLAN Groups 531 Table 102: Commands for Configuring VLAN Interfaces 533 Table 103: Commands for Displaying VLAN Information 541 Table 104: 802.
Tables Table 135: show ipv6 MLD snooping statistics query - display description 699 Table 136: show ipv6 MLD snooping statistics summary - display description 700 Table 137: MLD Filtering and Throttling Commands 701 Table 138: Multicast VLAN Registration for IPv4 Commands 710 Table 139: show mvr - display description 722 Table 140: show mvr interface - display description 724 Table 141: show mvr members - display description 726 Table 142: show mvr statistics input - display description 728
Tables Table 189: Global Routing Configuration Commands 865 Table 190: show ip host-route - display description 869 Table 191: Troubleshooting Chart 877
Section I Getting Started This section describes how to configure the switch for management access through the web interface or SNMP.
1 Initial Switch Configuration This chapter includes information on connecting to the switch and basic configuration procedures. Connecting to the Switch The switch includes a built-in network management agent. The agent offers a variety of management options, including SNMP, RMON and a web-based interface. A PC may also be connected directly to the switch for configuration and monitoring via a command line interface (CLI).
Chapter 1 | Initial Switch Configuration
Connecting to the Switch
◆ Control port access through IEEE 802.1X security or static address filtering
◆ Filter packets using Access Control Lists (ACLs)
◆ Configure up to 4094 IEEE 802.
4. Power on the switch. After the system completes the boot cycle, the logon screen appears.
Logging Onto the Command Line Interface: The CLI program provides two different command levels: normal access level (Normal Exec) and privileged access level (Privileged Exec).
4. Type “username admin password 0 password” for the Privileged Exec level, where password is your new password. Press Enter.
Username: admin
Password:
CLI session with the ECS4130-28T-AC is opened. To end the CLI session, enter [Exit].
Configuring the Switch for Remote Management
Using the Network Interface: The switch can be managed through the operational network, known as in-band management. Because in-band management traffic is mixed in with operational network traffic, it is subject to all of the filtering rules usually applied to standard network ports, such as ACLs and VLAN tagging.
To assign an IPv4 address to the switch, complete the following steps:
1. From the Global Configuration mode prompt, type “interface vlan 1” to access the interface configuration mode. Press Enter.
2. Type “ip address ip-address netmask,” where “ip-address” is the switch IP address and “netmask” is the network mask for the network. Press Enter.
3. Type “exit” to return to the Global Configuration mode prompt.
2. Type “ipv6 address” followed by up to 8 colon-separated 16-bit hexadecimal values for the ipv6-address, similar to that shown in the example, followed by the “link-local” command parameter. Then press Enter.
Console(config)#interface vlan 1
Console(config-if)#ipv6 address FE80::260:3EFF:FE11:6700 link-local
Console(config-if)#ipv6 enable
Console(config-if)#end
Console#show ipv6 interface
VLAN 1 is up
IPv6 is enabled.
from the left of the prefix and should encompass some of the ipv6-address bits.) The remaining bits are assigned to the host interface. Press Enter.
3. Type “exit” to return to the Global Configuration mode prompt. Press Enter.
4.
when DHCP is configured on a VLAN, and the member ports which were previously shut down are now enabled. If the “bootp” or “dhcp” option is saved to the startup-config file (step 6), then the switch will start broadcasting service requests as soon as it is powered on. To automatically configure the switch by communicating with BOOTP or DHCP address allocation servers on the network, complete the following steps:
1.
Obtaining an IPv6 Address
Link Local Address: There are several ways to configure IPv6 addresses. The simplest method is to automatically generate a “link local” address (identified by an address prefix in the range of FE80~FEBF). This address type makes the switch accessible over IPv6 for all devices attached to the same local subnet. To generate an IPv6 link local address for the switch, complete the following steps:
1.
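The auto-generated link-local address described above is built from the interface MAC address using the modified EUI-64 rule: the 48-bit MAC is split in half, FF:FE is inserted in the middle, and the universal/local bit of the first octet is inverted, then the result is appended to the FE80::/64 prefix. The following Python script is an added example (not code from the guide or from Edgecore) that performs this derivation, checks whether an address lies in the FE80~FEBF range, and recovers the embedded MAC. The sample MAC 00:60:3E:11:67:00 is constructed here so that the output matches the address FE80::260:3EFF:FE11:6700 used in the guide's own configuration example.

```python
import ipaddress
from typing import Optional

# Constructed sample: the MAC from which the guide's example address
# FE80::260:3EFF:FE11:6700 is derived (assumed for illustration).
SAMPLE_MAC = "00:60:3E:11:67:00"

LINK_LOCAL_PREFIX = bytes.fromhex("fe80000000000000")  # fe80::/64


def modified_eui64(mac: str) -> bytes:
    """Return the 8-byte modified EUI-64 interface identifier for a 48-bit MAC.

    RFC 4291 Appendix A: split the MAC in two, insert FF:FE in the middle,
    and invert the universal/local bit (0x02) of the first octet.
    """
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError(f"expected a 48-bit MAC, got {mac!r}")
    first = octets[0] ^ 0x02  # flip the U/L bit
    return bytes([first]) + octets[1:3] + b"\xff\xfe" + octets[3:6]


def link_local_from_mac(mac: str) -> str:
    """Return the compressed fe80::/64 link-local address derived from a MAC."""
    return ipaddress.IPv6Address(LINK_LOCAL_PREFIX + modified_eui64(mac)).compressed


def is_link_local(addr: str) -> bool:
    """True if addr falls in FE80::/10, the FE80~FEBF range the guide cites."""
    return ipaddress.IPv6Address(addr).is_link_local


def mac_from_link_local(addr: str) -> Optional[str]:
    """Recover the MAC embedded in an EUI-64 link-local address.

    Returns None when the address is not link-local or its interface
    identifier was not built from a MAC (no FF:FE marker in the middle).
    """
    packed = ipaddress.IPv6Address(addr).packed
    iid = packed[8:]
    if not is_link_local(addr) or iid[3:5] != b"\xff\xfe":
        return None
    octets = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02X}" for b in octets)


if __name__ == "__main__":
    ll = link_local_from_mac(SAMPLE_MAC)
    print(ll)  # fe80::260:3eff:fe11:6700
    print(is_link_local(ll), mac_from_link_local(ll))
```

Because the interface identifier is derived from the MAC, an EUI-64 link-local address reveals the hardware address of the management interface to every node on the link; that is worth knowing when reviewing what information a management VLAN exposes.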
the entire MIB tree, and a default view for the “private” community string that provides read/write access to the entire MIB tree. However, you may assign new views to version 1 or 2c community strings that suit your specific security requirements (see snmp-server view command).
Trap Receivers
You can also specify SNMP stations that are to receive traps from the switch. To configure a trap receiver, use the “snmp-server host” command.
Managing System Files
The switch’s flash memory supports three types of system files that can be managed by the CLI program, the web interface, or SNMP. The switch’s file system allows files to be uploaded and downloaded, copied, deleted, and set as a start-up file. The types of files are:
◆ Configuration — This file type stores system configuration information and is created when configuration settings are saved.
Upgrading the Operation Code: The following example shows how to download new firmware to the switch and activate it. The TFTP server could be any standards-compliant server running on Windows or Linux. When downloading from an FTP server, the logon interface will prompt for a user name and password configured on the remote server. Note that “anonymous” is set as the default user name. File names on the switch are case-sensitive.
The maximum number of saved configuration files depends on available flash memory. The amount of available flash memory can be checked by using the dir command. To save the current configuration settings, enter the following command:
1. From the Privileged Exec mode prompt, type “copy running-config startup-config” and press Enter.
2. Enter the name of the start-up file. Press Enter.
Installing a Port License File
The switch ports are disabled by default. The ports will only function when a port license is obtained from Edgecore and installed on the switch. To verify whether or not a port license is installed on the switch, enter the show interfaces brief command from the console port. If a port Status displays “License,” then you need to obtain and install a port license for those ports.
Download the corresponding license file as shown in the following example using the file type number “21”. Note that the license file is named according to the device MAC address. The network ports will be automatically activated within two minutes after successful installation.
Console#copy tftp file
TFTP server IP address: 192.168.1.9
Choose file type:
1. config; 2.
◆ The host portion of the upgrade file location URL must be a valid IPv4 IP address. DNS host names are not recognized. Valid IP addresses consist of four numbers, 0 to 255, separated by periods.
◆ The path to the directory must also be defined. If the file is stored in the root directory for the FTP/TFTP service, then use the “/” to indicate this (e.g., ftp://192.168.0.1/).
◆ The switch will immediately restart after the upgrade file is successfully written to the file system and set as the startup image.
To enable automatic upgrade, enter the following commands:
1. Specify the TFTP or FTP server to check for new operation code.
b. After the image has been downloaded, the switch will send a trap message to log whether or not the upgrade operation was successful.
c. It sets the new version as the startup image.
d. It then restarts the system to start using the new image.
Console(config)#upgrade opcode auto
Console(config)#
4. Display the automatic upgrade settings.
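The rules stated above for the upgrade file location (an FTP or TFTP URL whose host is a dotted-quad IPv4 address, with DNS names not recognized and a directory path required, “/” for the root directory) are easy to get wrong when the setting is generated by a provisioning script rather than typed by hand. The following Python function is an added example, not part of the guide or of Edgecore's software, that validates a candidate URL against exactly those rules before it is pushed to the switch. The accepted schemes (ftp and tftp) follow from the guide's statement that the source is a TFTP or FTP server; the sample URLs at the bottom are constructed.

```python
import ipaddress
from typing import Tuple
from urllib.parse import urlsplit

# Schemes the guide names for the automatic upgrade source (assumed set).
ALLOWED_SCHEMES = ("ftp", "tftp")


def check_upgrade_path(url: str) -> Tuple[bool, str]:
    """Validate an upgrade file location against the rules stated in the guide.

    Returns (True, "ok") on success or (False, reason) on the first failed
    rule. Rules checked:
      * scheme is ftp:// or tftp://
      * host is a dotted-quad IPv4 address, each number 0 to 255
        (DNS host names are not recognized)
      * a directory path is present ("/" alone for the root directory)
    """
    parts = urlsplit(url.strip())
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme must be one of {ALLOWED_SCHEMES}, got {parts.scheme!r}"
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        ipaddress.IPv4Address(host)  # rejects names, short forms and >255 octets
    except ValueError:
        return False, f"host {host!r} is not a valid IPv4 address (DNS names are not recognized)"
    if not parts.path:
        return False, "directory path is missing; use '/' for the root directory"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample locations covering the accepted and rejected cases.
    samples = [
        "ftp://192.168.0.1/",
        "tftp://192.168.0.1/images/",
        "tftp://192.168.0.1",              # no path
        "ftp://firmware.example.net/",     # DNS name
        "ftp://192.168.0.256/",            # octet out of range
        "http://192.168.0.1/",             # unsupported scheme
    ]
    for s in samples:
        ok, reason = check_upgrade_path(s)
        print(f"{'OK  ' if ok else 'FAIL'} {s:32} {reason}")
```

A script that builds the upgrade opcode path setting can call this before emitting the command, so a URL the switch would reject (or silently fail to fetch from) never reaches the running configuration.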
ECS4130_V1.0.3.192.bix OpCode Y 2016-10-17 11:30:26 9027848
Factory_Default_Config.cfg Config N 2015-04-13 13:55:58 455
startup1.
If the switch receives information that allows it to download the remote bootup file, it will save this file to a local buffer, and then restart the provision process. Note the following DHCP client behavior:
◆ To enable dynamic provisioning via a DHCP server, this feature must be enabled using the ip dhcp dynamic-provision or ipv6 dhcp dynamic-provision command.
◆ For DHCPv6, options 59 and 60 statements can be added to the daemon’s configuration file.
class "Option66,67_1" {
  #DHCP Option 60 Vendor class two
  match if option vendor-class-identifier = "ECS4130-28T-AC";
  option tftp-server-name "192.168.255.101";
  option bootfile-name "test";
}
Note: Use “ECS4130-28T-AC” for the vendor-class-identifier in the dhcpd.conf file.
Console(config)#clock summer-time SUMMER date 2 april 2013 0 0 30 june 2013 0 0
Console(config)#
To display the clock configuration settings, enter the following command.
Console(config)#ntp server 192.168.3.21
Console(config)#ntp server 192.168.5.23 key 19
Console(config)#exit
Console#show ntp
Current Time : Apr 29 13:57:32 2011
Polling : 1024 seconds
Current Mode : unicast
NTP Status : Enabled
NTP Authenticate Status : Enabled
Last Update NTP Server : 192.168.0.88 Port: 123
Last Update Time : Mar 12 02:41:01 2013 UTC
NTP Server 192.168.0.88 version 3
NTP Server 192.168.3.21 version 3
NTP Server 192.168.4.
Section II Command Line Interface This section provides a detailed description of the Command Line Interface, along with examples for all of the commands.
◆ “TWAMP Commands” on page 491
◆ “Spanning Tree Commands” on page 493
◆ “VLAN Commands” on page 525
◆ “ERPS Commands” on page 573
◆ “Class of Service Commands” on page 607
◆ “Quality of Service Commands” on page 623
◆ “Control Plane Commands” on page 641
◆ “Multicast Filtering Commands” on page 645
◆ “LLDP Commands” on page 733
◆ “OAM Commands” on page 757
◆ “Domain Name Service Commands” on page 769
◆ “DHCP Commands” on page 779
◆ “IP Interface
2 Using the Command Line Interface This chapter describes how to use the Command Line Interface (CLI). Note: You can only access the console interface through the Master unit in the stack. Accessing the CLI When accessing the management interface for the switch over a direct connection to the server’s console port, or via a Telnet or Secure Shell connection (SSH), the switch can be managed by entering command keywords and parameters at the prompt.
Telnet Connection
Telnet operates over the IP transport protocol. In this environment, your management station and any network device you want to manage over the network must have a valid IP address. Valid IP addresses consist of four numbers, 0 to 255, separated by periods. Each address consists of a network portion and host portion. For example, the IP address assigned to this switch, 10.1.0.1, consists of a network portion (10.1.
Vty-1#
Note: You can open up to eight sessions to the device via Telnet or SSH.
Entering Commands
This section describes how to enter CLI commands.
Keywords and Arguments: A CLI command is a series of keywords and arguments. Keywords identify a command, and arguments specify configuration parameters.
Getting Help on Commands: You can display a brief description of the help system by entering the help command. You can also display command syntax by using the “?” character to list keywords or parameters.
Showing Commands: If you enter a “?” at the command prompt, the system will display the first level of keywords or command groups. You can also display a list of valid keywords for a specific command.
power-save      Shows the power saving information
pppoe           Displays PPPoE configuration
privilege       Shows current privilege level
process         Device process
protocol-vlan   Protocol-VLAN information
public-key      Public key information
qos             Quality of Service
queue           Priority queue information
radius-server   RADIUS server information
reload          Shows the reload settings
rmon            Remote monitoring information
rspan           Display status of the current RSP
running-config
sflow
snmp
Partial Keyword Lookup: If you terminate a partial keyword with a question mark, alternatives that match the initial letters are provided. (Remember not to leave a space between the command and question mark.) For example, “s?” shows all the keywords starting with “s.”
Table 4: General Command Modes
Class          Mode
Exec           Normal
               Privileged
Configuration  Global*
               Access Control List
               Class Map
               DHCP
               IGMP Profile
               Interface
               Line
               Multiple Spanning Tree
               Policy Map
               Time Range
               VLAN Database
* You must be in Privileged Exec mode to access the Global configuration mode. You must be in Global Configuration mode to access any of the other configuration modes.
Configuration Commands
Configuration commands are privileged level commands used to modify switch settings. These commands modify the running configuration only and are not saved when the switch is rebooted. To store the running configuration in nonvolatile storage, use the copy running-config startup-config command.
To enter the other modes, at the configuration prompt type one of the following commands. Use the exit or end command to return to the Privileged Exec mode.
Table 6: Keystroke Commands (Continued)
Keystroke  Function
Ctrl-F     Shifts cursor to the right one character.
Ctrl-K     Deletes all characters from the cursor to the end of the line.
Ctrl-L     Repeats current command line on a new line.
Ctrl-N     Enters the next command line in the history buffer.
Ctrl-P     Enters the last command.
Ctrl-R     Repeats current command line on a new line.
Ctrl-U     Deletes from the cursor to the beginning of the line.
Chapter 2 | Using the Command Line Interface CLI Command Groups CLI Command Groups The system commands can be broken down into the functional groups shown below.
Table 7: Command Group Index (Continued)
Command Group     Description   Page
ERPS              Configures Ethernet Ring Protection Switching for increased availability of Ethernet rings commonly used in service provider networks   573
VLANs             Configures VLAN settings, and defines port membership for VLAN groups; also enables or configures private VLANs, protocol VLANs, voice VLANs, and QinQ tunneling   525
Class of Service  Sets port priority for untagged fr
3 General Commands The general commands are used to control the command access mode, configuration mode, and other basic functions.
Chapter 3 | General Commands
Command Usage
This command can be used to set the command line prompt as shown in the example below. Using the no form of either command will restore the default command line prompt.
Example
Console(config)#prompt RD2
RD2(config)#
reload (Global Configuration)
This command restarts the system at a specified time, after a specified delay, or at a periodic interval. You can reboot the system immediately, or you can configure the switch to reset after a specified amount of time.
Command Mode
Privileged Exec, Global Configuration
Command Usage
◆ This command resets the entire system.
◆ Any combination of reload options may be specified. If the same option is respecified, the previous setting will be overwritten.
◆ When the system is restarted, it will always run the Power-On Self-Test. It will also retain all configuration information stored in non-volatile memory by the copy running-config startup-config command (See “copy” on page 118).
Example
Console>enable
Password: [privileged level password]
Console#
Related Commands
disable (90)
enable password (218)
quit
This command exits the configuration program.
Default Setting
None
Command Mode
Normal Exec, Privileged Exec
Command Usage
The quit and exit commands can both exit the configuration program.
Example
In this example, the show history command lists the contents of the command history buffer:
Console#show history
Execution command history:
 2 config
 1 show history
Configuration command history:
 4 interface vlan 1
 3 exit
 2 interface vlan 1
 1 end
Console#
The ! command repeats commands from the Execution command history buffer when you are in Normal Exec or Privileged Exec Mode, and commands from the Configuration command history buffer when you are in any of the config
disable
This command returns to Normal Exec mode from privileged mode. In normal access mode, you can only display basic information on the switch's configuration or Ethernet statistics. To gain access to all commands, you must use the privileged mode. See “Understanding Command Modes” on page 78.
Default Setting
None
Command Mode
Privileged Exec
Command Usage
The “>” character is appended to the end of the prompt to indicate that the system is in normal access mode.
show reload
This command displays the current reload settings, and the time at which the next scheduled reload will take place.
Command Mode
Privileged Exec
Example
Console#show reload
Reloading switch in time: 0 hours 29 minutes.
The switch will be rebooted at January 1 02:11:50 2015.
Remaining Time: 0 days, 0 hours, 29 minutes, 52 seconds.
Console#
end
This command returns to Privileged Exec mode.
Example
This example shows how to return to the Privileged Exec mode from the Global Configuration mode, and then quit the CLI session:
Console(config)#exit
Console#exit
Press ENTER to start session
User Access Verification
Username:
4 System Management Commands The system management commands are used to control system logs, passwords, user names, management options, and display or configure a variety of other system information.
Chapter 4 | System Management Commands Banner Information
hostname
This command specifies or modifies the host name for this device. Use the no form to restore the default host name.
Syntax
hostname name
no hostname
name - The name of this host. (Maximum length: 255 characters)
Default Setting
None
Command Mode
Global Configuration
Command Usage
◆ The host name specified by this command is displayed by the show system command and on the Show > System web page.
Table 11: Banner Commands (Continued)
Command   Function   Mode
banner configure equipment-location   Configures the Equipment Location information that is displayed by banner   GC
banner configure ip-lan   Configures the IP and LAN information that is displayed by banner   GC
banner configure lp-number   Configures the LP Number information that is displayed by banner   GC
banner configure manager-info   Configures the Manager contact information that is
phone number: 123-555-1212
Manager2 name: Jr. Network Admin
phone number: 123-555-1213
Manager3 name: Night-shift Net Admin / Janitor
phone number: 123-555-1214
The physical location of the equipment.
City and street address: 12 Straight St. Motown, Zimbabwe
Information about this equipment:
Manufacturer: Edgecore Networks
ID: 123_unique_id_number
Floor: 2
Row: 7
Rack: 29
Shelf in this rack: 8
Information about DC power supply.
banner configure dc-power-info
This command is used to configure DC power information displayed in the banner. Use the no form to restore the default setting.
Syntax
banner configure dc-power-info floor floor-id row row-id rack rack-id electrical-circuit ec-id
no banner configure dc-power-info [floor | row | rack | electrical-circuit]
floor-id - The floor number.
row-id - The row number.
rack-id - The rack number.
ec-id - The electrical circuit ID.
Command Mode
Global Configuration
Command Usage
Input strings cannot contain spaces. The banner configure department command interprets spaces as data input boundaries. The use of underscores ( _ ) or other unobtrusive non-letter characters is suggested for situations where white space is necessary for clarity.
Example
Console(config)#banner configure equipment-info manufacturer-id ECS4130-28T floor 3 row 10 rack 15 shelf-rack 12 manufacturer Edgecore
Console(config)#
banner configure equipment-location
This command is used to configure the equipment location information displayed in the banner. Use the no form to restore the default setting.
Command Mode
Global Configuration
Command Usage
Input strings cannot contain spaces. The banner configure ip-lan command interprets spaces as data input boundaries. The use of underscores ( _ ) or other unobtrusive non-letter characters is suggested for situations where white space is necessary for clarity.
Example
Console(config)#banner configure ip-lan 192.168.1.1/255.255.255.
banner configure manager-info
This command is used to configure the manager contact information displayed in the banner. Use the no form to restore the default setting.
Syntax
banner configure manager-info name mgr1-name phone-number mgr1-number [name2 mgr2-name phone-number mgr2-number | name3 mgr3-name phone-number mgr3-number]
no banner configure manager-info [name1 | name2 | name3]
mgr1-name - The name of the first manager.
Default Setting
None
Command Mode
Global Configuration
Command Usage
Input strings cannot contain spaces. The banner configure mux command interprets spaces as data input boundaries. The use of underscores ( _ ) or other unobtrusive non-letter characters is suggested for situations where white space is necessary for clarity.
Chapter 4 | System Management Commands System Status
show banner
This command displays all banner information.
Command Mode
Privileged Exec
Example
Console#show banner
Edgecore
WARNING - MONITORED ACTIONS AND ACCESSES
R&D
Albert_Einstein - 123-555-1212
Lamar - 123-555-1219
Station's information:
710_Network_Path,_Indianapolis
ECS4130-28T
Floor / Row / Rack / Sub-Rack
3/ 10 / 15 / 12
DC power supply:
Power Source A: Floor / Row / Rack / Electrical circuit
3/ 15 / 24 / 48v-id_3.15.24.
Table 12: System Status Commands (Continued)
Command   Function   Mode
show users   Shows all active console and Telnet sessions, including user name, idle time, and IP address of Telnet clients   NE, PE
show version   Displays version information for the system   NE, PE
show watchdog   Shows if watchdog debugging is enabled   PE
watchdog software   Monitors key processes, and automatically reboots the system if any of these processes are not responding correc
Console#
Table 13: show access-list tcam-utilization - display description
Field   Description
Pool Capability Code   Abbreviation for processes shown in the TCAM List.
Unit   Stack unit identifier.
Device   Memory chip used for indicated pools.
Pool   Rule slice (or call group). Each slice has a fixed number of rules that are used for the specified features.
show process cpu
This command shows the CPU utilization parameters, alarm status, and alarm thresholds.
Table 14: show process cpu guard - display description
Field   Description
CPU Guard Configuration Status   Shows if CPU Guard has been enabled.
High Watermark   If the percentage of CPU usage time is higher than the high-watermark, the switch stops packet flow to the CPU (allowing it to catch up with packets already in the buffer) until usage time falls below the low watermark.
show running-config
This command displays the configuration information currently in use.
Syntax
show running-config [interface interface]
interface
  ethernet unit/port
    unit - Unit identifier. (Range: 1)
    port - Port number. (Range: 1-28)
  port-channel channel-id (Range: 1-28)
  vlan vlan-id (Range: 1-4094)
Command Mode
Privileged Exec
Command Usage
Use the interface keyword to display configuration data for the specified interface.
enable password 7 1b3231655cebb7a1f783eddf27d254ca
!
vlan database
 VLAN 1 name DefaultVlan media ethernet
!
spanning-tree mst configuration
!
interface ethernet 1/1
 no negotiation
...
Example
Refer to the example for the running configuration file.
Related Commands
show running-config (109)
show system
This command displays system information.
Default Setting
None
Command Mode
Normal Exec, Privileged Exec
Example
Console#show system
System Description : ECS4130-28T-AC
System OID String : 1.3.6.1.4.1.259.10.1.53.102
System Information
System Up Time : 0 days, 5 hours, 56 minutes, and 8.
Table 15: show system – display description (Continued)
Parameter   Description
Telnet Server/Port   Shows administrative status of Telnet server and TCP port number.
Jumbo Frame   Shows if jumbo frames are enabled or disabled.
show tech-support
This command displays a detailed list of system settings designed to help technical support resolve configuration or functional problems.
...
show users
Shows all active console and Telnet sessions, including user name, idle time, and IP address of Telnet client.
Default Setting
None
Command Mode
Normal Exec, Privileged Exec
Command Usage
The session used to execute this command is indicated by a “*” symbol next to the Line (i.e., session) index number.
Console#
Table 16: show version – display description
Parameter   Description
Serial Number   The serial number of the switch.
Hardware Version   Hardware version of the main board.
Number of Ports   Number of built-in ports.
Main Power Status   Displays the status of the main power supply.
Role   Shows that this switch is operating as Master or Slave.
Loader Version   Version number of loader code.
Linux Kernel Version   Version number of Linux kernel.
Chapter 4 | System Management Commands Frame Size
Frame Size
This section describes commands used to configure the Ethernet frame size on the switch.
Table 17: Frame Size Commands
Command   Function   Mode
jumbo frame   Enables support for jumbo frames   GC
jumbo frame
This command enables support for layer 2 jumbo frames for Gigabit and 10 Gigabit Ethernet ports. Use the no form to disable it.
Chapter 4 | System Management Commands File Management
File Management
Managing Firmware
Firmware can be uploaded and downloaded to or from an FTP/TFTP server. By saving runtime code to a file on an FTP/FTPS/SFTP/TFTP server, that file can later be downloaded to the switch to restore operation. The switch can also be set to use new firmware without overwriting the previous version.
Table 18: Flash/File Commands (Continued)
Command   Function   Mode
TFTP Configuration Commands
ip tftp retry   Specifies the number of times the switch can retry transmitting a request to a TFTP server
ip tftp timeout   Specifies the time the switch can wait for a response from a TFTP server before retransmitting a request or timing out for the last retry   GC
show ip tftp   Displays information about TFTP settings
General Commands
boot system   This comm
copy
This command moves (upload/download) a code image or configuration file between the switch’s flash memory and an FTP/FTPS/SFTP/TFTP server. When you save the system code or configuration settings to a file on an FTP/FTPS/SFTP/TFTP server, that file can later be downloaded to the switch to restore system operation.
◆ The destination file name should not contain slashes (\ or /), and the maximum length for file names is 32 characters for files on the switch or 127 characters for files on the server. (Valid characters: A-Z, a-z, 0-9, “.”, “-”)
◆ The switch supports only two operation code files, but the maximum number of user-defined configuration files is 16.
◆ You can use “Factory_Default_Config.
Example
The following example shows how to download new firmware from a TFTP server:
Console#copy tftp file
TFTP server ip address: 10.1.0.19
Choose file type:
 1. config: 2. opcode: 2
Source file name: m360.bix
Destination file name: m360.bix
\Write to FLASH Programming.
-Write to FLASH finish.
Success.
This example shows how to copy a secure-site certificate from a TFTP server. It then reboots the switch to activate the certificate:
Console#copy tftp https-certificate
TFTP server ip address: 10.1.0.19
Source certificate file name: SS-certificate
Source private file name: SS-private
Private password: ********
Success.
and 'N' to deny connect to new sftp server: y
Success.
Console#
delete
This command deletes a file or image.
Syntax
delete {file name filename | https-certificate | public-key username}
file - Keyword that allows you to delete a file.
name - Keyword indicating a file.
filename - Name of configuration file or code image.
https-certificate - Keyword that allows you to delete the HTTPS secure site certificate.
dir
This command displays a list of files in flash memory.
Syntax
dir [unit:] [{boot-rom | config | opcode | usbdisk}: [filename]]
unit - Unit identifier. (Range: 1)
boot-rom - Boot ROM (or diagnostic) image file.
config - Switch configuration file.
opcode - Run-time operation code image file.
usbdisk - Installed USB device file.
filename - Name of configuration file or code image.
whichboot
This command displays which files were booted when the system powered up.
Syntax
whichboot
Default Setting
None
Command Mode
Privileged Exec
Example
This example shows the information displayed by the whichboot command. See the table under the dir command for a description of the file information displayed by this command.
Console#whichboot
File Name
-----------------------------
Unit 1:
runtime.bix
startup1.
newer than the one currently in use, it will download the new image. If two code images are already stored in the switch, the image not set to start up the system will be overwritten by the new version.
2. After the image has been downloaded, the switch will send a trap message to log whether or not the upgrade operation was successful.
3. It sets the new version as the startup image.
4. It then restarts the system to start using the new image.
Command Usage
◆ This command is used in conjunction with the upgrade opcode auto command to facilitate automatic upgrade of new operational code stored at the location indicated by this command.
◆ The name for the new image stored on the TFTP server must be ECS4130.bix. However, note that the file name is not to be included in this command.
Example
This shows how to specify a TFTP server where new code is stored.
Console(config)#upgrade opcode reload
Console(config)#
show upgrade
This command shows the opcode upgrade configuration settings.
Command Mode
Privileged Exec
Example
Console#show upgrade
Auto Image Upgrade Global Settings:
 Status : Disabled
 Reload Status : Disabled
 Path :
 File Name : ECS4130.
ip tftp timeout
This command specifies the time the switch can wait for a response from a TFTP server before retransmitting a request or timing out for the last retry. Use the no form to restore the default setting.
Syntax
ip tftp timeout seconds
no ip tftp timeout
seconds - The time the switch can wait for a response from a TFTP server before retransmitting a request or timing out.
Chapter 4 | System Management Commands Line Line You can access the onboard configuration program by attaching a VT100 compatible device to the server’s serial port. These commands are used to set communication parameters for the serial port or Telnet (i.e., a virtual terminal).
line
This command identifies a specific line for configuration, and to process subsequent line configuration commands.
Syntax
line {console | vty}
console - Console terminal line.
vty - Virtual terminal for remote console access (i.e., Telnet).
Default Setting
There is no default line.
Command Mode
Global Configuration
Command Usage
Telnet is considered a virtual terminal connection and will be shown as “VTY” in screen displays such as show users.
Command Usage
The databits command can be used to mask the high bit on input from devices that generate 7 data bits with parity. If parity is being generated, specify 7 data bits per character. If no parity is required, specify 8 data bits per character.
login
This command enables password checking at login. Use the no form to disable password checking and allow connections without a password.
Syntax
login [local]
no login
local - Selects local password checking. Authentication is based on the user name specified with the username command.
parity
This command defines the generation of a parity bit. Use the no form to restore the default setting.
Syntax
parity {none | even | odd}
no parity
none - No parity
even - Even parity
odd - Odd parity
Default Setting
No parity
Command Mode
Line Configuration
Command Usage
Communication protocols provided by devices such as terminals and modems often require a specific parity bit setting.
Command Usage
◆ When a connection is started on a line with password protection, the system prompts for the password. If you enter the correct password, the system shows a prompt. You can use the password-thresh command to set the number of times a user can enter an incorrect password before the system terminates the line connection and returns the terminal to the idle state.
Example
To set the password threshold to five attempts, enter this command:
Console(config-line-console)#password-thresh 5
Console(config-line-console)#
Related Commands
silent-time (135)
silent-time
This command sets the amount of time the management console is inaccessible after the number of unsuccessful logon attempts exceeds the threshold set by the password-thresh command. Use the no form to remove the silent time value.
speed
This command sets the terminal line’s baud rate. This command sets both the transmit (to terminal) and receive (from terminal) speeds. Use the no form to restore the default setting.
Syntax
speed bps
no speed
bps - Baud rate in bits per second. (Options: 9600, 19200, 38400, 57600, 115200 bps)
Default Setting
115200 bps
Command Mode
Line Configuration
Command Usage
Set the speed to match the baud rate of the device connected to the serial port.
Example
To specify 2 stop bits, enter this command:
Console(config-line-console)#stopbits 2
Console(config-line-console)#
timeout login response
This command sets the interval that the system waits for a user to log into the CLI. Use the no form to restore the default setting.
Syntax
timeout login response [seconds]
no timeout login response
seconds - Integer that specifies the timeout interval.
Command Mode
Privileged Exec
Command Usage
Specifying session identifier “0” will disconnect the console connection. Specifying any other identifiers for an active session will disconnect an SSH or Telnet connection.
Example
Console#disconnect 1
Console#
Related Commands
show ssh (259)
show users (113)
terminal
This command configures terminal settings, including escape-character, lines displayed, terminal type, width, and command history.
Terminal Type: VT100
Width: 80
Command Mode
Privileged Exec
Example
This example sets the number of lines displayed by commands with lengthy output such as show running-config to 48 lines.
Console#terminal length 48
Console#
show line
This command displays the terminal line’s parameters.
Syntax
show line [console | vty]
console - Console terminal line.
vty - Virtual terminal for remote console access (i.e., Telnet).
Chapter 4 | System Management Commands Event Logging
 Login Timeout : 300 sec.
 Silent Time : Disabled
Console#
Event Logging
This section describes commands used to configure event logging on the switch.
Example
Console(config)#logging facility 19
Console(config)#
logging facility
This command sets the facility type for remote logging of syslog messages. Use the no form to return the type to the default.
Syntax
logging facility type
no logging facility
type - A number that indicates the facility used by the syslog server to dispatch log messages to an appropriate service.
level - One of the levels listed below. Messages sent include the selected level down to level 0. (Range: 0-7)
Table 22: Logging Levels
Level   Severity Name   Description
7   debugging   Debugging messages
6   informational   Informational messages only
5   notifications   Normal but significant condition, such as cold start
4   warnings   Warning conditions (e.g., return false, unexpected return)
3   errors   Error conditions (e.g.
Command Mode
Global Configuration
Command Usage
◆ Use this command more than once to build up a list of host IP addresses.
◆ The maximum number of host IP addresses allowed is five.
Example
Console(config)#logging host 10.1.0.3
Console(config)#
logging level
This command sets the syslog logging severity level for user login and log out. Use the no form to set the logging level to the default value.
Default Setting
None
Command Mode
Global Configuration
Command Usage
The logging process controls error messages saved to switch memory or sent to remote syslog servers. You can use the logging history command to control the type of error messages that are stored in memory. You can use the logging trap command to control the type of error messages that are sent to specified syslog servers.
◆ Using this command without a specified level also enables remote logging, but restores the minimum severity level to the default.
Example
Console(config)#logging trap level 4
Console(config)#
clear log
This command clears messages from the log buffer.
Syntax
clear log [flash | ram]
flash - Event history stored in flash memory (i.e., permanent memory).
ram - Event history stored in temporary RAM (i.e., memory flushed on power reset).
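The following is an added example, not Edgecore code, that models what the logging facility and logging trap level settings above mean for a collector: which severities a switch configured with logging facility 19 and logging trap level 4 forwards, and the syslog PRI value the collector sees on each forwarded line. It assumes the facility number is the RFC 3164 facility code and that PRI = facility * 8 + severity; the event lines are constructed samples.

```python
"""Model of syslog forwarding under `logging facility` and `logging trap level`.

Added example, not Edgecore code. Assumes (RFC 3164) that the facility
number is the syslog facility code and that a forwarded message carries
PRI = facility * 8 + severity in its leading "<PRI>" field.
"""
import re

# Severity names from Table 22 (levels 7..3 appear on this page); the
# names for 2..0 are the standard syslog names and are an assumption here.
SEVERITY_NAME = {7: "debugging", 6: "informational", 5: "notifications",
                 4: "warnings", 3: "errors", 2: "critical", 1: "alerts",
                 0: "emergencies"}


def is_forwarded(severity: int, trap_level: int) -> bool:
    """A message is sent when its level is the trap level or lower (down to 0)."""
    if not 0 <= severity <= 7 or not 0 <= trap_level <= 7:
        raise ValueError("syslog levels are 0-7")
    return severity <= trap_level


def pri(facility: int, severity: int) -> int:
    """Encode the <PRI> value for a forwarded message (facility*8 + severity)."""
    if not 0 <= facility <= 23:
        raise ValueError("facility must be 0-23")
    return facility * 8 + severity


_PRI_RE = re.compile(r"^<(\d{1,3})>")


def parse_pri(line: str) -> tuple[int, int]:
    """Collector side: recover (facility, severity) from a '<PRI>' prefix."""
    m = _PRI_RE.match(line)
    if not m:
        raise ValueError("no <PRI> header")
    value = int(m.group(1))
    if value > 191:  # 23*8 + 7 is the largest legal PRI
        raise ValueError("PRI out of range")
    return divmod(value, 8)


def forward(events, facility: int, trap_level: int) -> list[str]:
    """Return the wire lines the switch would emit to its logging hosts."""
    out = []
    for severity, text in events:
        if is_forwarded(severity, trap_level):
            out.append(f"<{pri(facility, severity)}>{text}")
    return out


# Constructed sample events (level, text); not captured from a switch.
SAMPLE_EVENTS = [
    (6, "VLAN 1 link-up notification."),
    (4, "Password threshold reached on line console."),
    (3, "TFTP transfer failed."),
]

if __name__ == "__main__":
    # Settings from the page's examples: logging facility 19, logging trap level 4.
    for line in forward(SAMPLE_EVENTS, 19, 4):
        fac, sev = parse_pri(line)
        print(line, "->", fac, SEVERITY_NAME[sev])
```

With trap level 4 the informational link-up event is kept locally only, while the warning and error lines reach the collector as PRI 156 and 155.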
Command Usage
◆ All log messages are retained in RAM and Flash after a warm restart (i.e., power is reset through the command interface).
◆ All log messages are retained in Flash and purged from RAM after a cold restart (i.e., power is turned off and then on through the power source).
Example
The following example shows the event message stored in RAM.
Console#show log ram
[1] 00:01:30 2001-01-01
   "VLAN 1 link-up notification.
Flash Logging Configuration:
 History Logging in Flash : Level Errors (3)
Console#show logging ram
Global Configuration:
 Syslog Logging : Enabled
Ram Logging Configuration:
 History Logging in RAM : Level Debugging (7)
Console#
Table 23: show logging flash/ram - display description
Field   Description
Syslog Logging   Shows if system logging has been enabled via the logging on command.
Chapter 4 | System Management Commands SMTP Alerts SMTP Alerts These commands configure SMTP event handling, and forwarding of alert messages to the specified SMTP servers and email recipients.
Default Setting
None
Command Mode
Global Configuration
Command Usage
You can specify up to five recipients for alert messages. However, you must enter a separate command to specify each recipient.
Example
Console(config)#logging sendmail destination-email ted@this-company.com
Console(config)#
logging sendmail host
This command specifies SMTP servers that will be sent alert messages. Use the no form to remove an SMTP server.
logging sendmail level
This command sets the severity threshold used to trigger alert messages. Use the no form to restore the default setting.
Syntax
logging sendmail level level
no logging sendmail level
level - One of the system message levels (page 141). Messages sent include the selected level down to level 0.
Chapter 4 | System Management Commands Time
Example
Console(config)#logging sendmail source-email bill@this-company.com
Console(config)#
show logging sendmail
This command displays the settings for the SMTP event handler.
Command Mode
Privileged Exec
Example
Console#show logging sendmail
SMTP Servers
----------------------------------------------
192.168.1.19
SMTP Minimum Severity Level: 7
SMTP Destination E-mail Addresses
----------------------------------------------
ted@this-company.
Table 26: Time Commands (Continued)
Command   Function   Mode
ntp authenticate   Enables authentication for NTP traffic   GC
ntp authentication-key   Configures authentication keys   GC
ntp client   Enables the NTP client for time updates from specified servers   GC
ntp server   Specifies NTP servers to poll for time updates   GC
show ntp   Shows current NTP configuration settings   NE, PE
show ntp status   Shows the status of time updates   PE
show ntp statistics peer
◆ This command enables client time requests to time servers specified via the sntp server command. It issues time synchronization requests based on the interval set via the sntp poll command.
Example
Console(config)#sntp server 10.1.0.19
Console(config)#sntp poll 60
Console(config)#sntp client
Console(config)#end
Console#show sntp
Current Time: Dec 23 02:52:44 2015
Poll Interval: 60
Current Mode: Unicast
SNTP Status : Enabled
SNTP Server 137.92.140.80 0.0.0.
sntp server
This command sets the IP address of the servers to which SNTP time requests are issued. Use this command with no arguments to clear all time servers from the current list. Use the no form to clear all time servers from the current list, or to clear a specific server.
Syntax
sntp server [ip1 [ip2 [ip3]]]
no sntp server [ip1 [ip2 [ip3]]]
ip - IPv4 or IPv6 address of a time server (NTP or SNTP).
Example
Console#show sntp
Current Time : Nov 5 18:51:22 2015
Poll Interval : 16 seconds
Current Mode : Unicast
SNTP Status : Enabled
SNTP Server : 137.92.140.80
            : 137.92.140.90
            : 137.92.140.99
Current Server : 137.92.140.80
Console#
NTP Commands
ntp authenticate
This command enables authentication for NTP client-server communications. Use the no form to disable authentication.
ntp authentication-key
This command configures authentication keys and key numbers to use when NTP authentication is enabled. Use the no form of the command to clear a specific authentication key or all keys from the current list.

Syntax
ntp authentication-key number md5 key
no ntp authentication-key [number]
number - The NTP authentication key ID number. (Range: 1-65533)
md5 - Specifies that authentication is provided by using the message digest algorithm 5.
ntp client
This command enables NTP client requests for time synchronization from NTP time servers specified with the ntp server command. Use the no form to disable NTP client requests.

Syntax
[no] ntp client

Default Setting
Disabled

Command Mode
Global Configuration

Command Usage
◆ The SNTP and NTP clients cannot be enabled at the same time. First disable the SNTP client before using this command.
Default Setting
Version number: 3

Command Mode
Global Configuration

Command Usage
◆ This command specifies time servers that the switch will poll for time updates when set to NTP client mode. The client polls all the configured time servers; the responses received are filtered and compared to determine the most reliable and accurate time update for the switch.
◆ You can configure up to 3 NTP servers on the switch.
NTP Status               : Disabled
NTP Authenticate Status  : Enabled
Last Update NTP Server   : 0.0.0.0 Port: 0
Last Update Time         : Jan 1 00:00:00 1970 UTC
NTP Server 192.168.3.20 version 3
NTP Server 192.168.3.21 version 3
NTP Server 192.168.4.22 version 3 key 19
NTP Authentication Key 19 md5 42V68751663T6K11P2J307210R885
Console#

show ntp status
This command displays the current status of received time updates from an NTP peer.
Bogus Origin        : 0
Duplicate           : 0
Bad Dispersion      : 0
Bad Reference Time  : 0
Candidate Order     : 6
Console#

show ntp peer-status
This command displays the status of connections to NTP peers.

Syntax
show ntp peer-status [ip-address | ipv6-address | hostname]
ip-address - IP address of an NTP time server.
ipv6-address - IPv6 address of an NTP time server.
hostname - Host name of an NTP time server.
b-year - The year summer time will begin.
b-hour - The hour summer time will begin. (Range: 0-23 hours)
b-minute - The minute summer time will begin. (Range: 0-59 minutes)
e-date - Day of the month when summer time will end. (Range: 1-31)
e-month - The month when summer time will end. (Options: january | february | march | april | may | june | july | august | september | october | november | december)
e-year - The year summer time will end.
clock summer-time (predefined)
This command configures the summer time (daylight savings time) status and settings for the switch using predefined configurations for several major regions in the world. Use the no form to disable summer time.

Syntax
clock summer-time name predefined [australia | europe | new-zealand | usa]
no clock summer-time
name - Name of the timezone while summer time is in effect, usually an acronym.
Example
The following example sets the Summer Time setting to use the predefined settings for the European region.
Console(config)#clock summer-time MESZ predefined europe
Console(config)#

Related Commands
show sntp (154)

clock summer-time (recurring)
This command allows the user to manually configure the start, end, and offset times of summer time (daylight savings time) for the switch on a recurring basis. Use the no form to disable summer-time.
Command Mode
Global Configuration

Command Usage
◆ In some countries or regions, clocks are adjusted through the summer months so that afternoons have more daylight and mornings have less. This is known as Summer Time, or Daylight Savings Time (DST). Typically, clocks are adjusted forward one hour at the start of spring and then adjusted backward in autumn.
◆ This command sets the summer-time time zone relative to the currently configured time zone.
Command Usage
This command sets the local time zone relative to Coordinated Universal Time (UTC, formerly Greenwich Mean Time or GMT), based on the earth’s prime meridian, zero degrees longitude. To display a time corresponding to your local time, you must indicate the number of hours and minutes your time zone is east (before) or west (after) of UTC.
show calendar
This command displays the system clock.

Default Setting
None

Command Mode
Normal Exec, Privileged Exec

Example
Console#show calendar
Current Time           : May 13 14:08:18 2014
Time Zone              : UTC, 08:00
Summer Time            : Not configured
Summer Time in Effect  : No
Console#

Time Range
This section describes the commands used to set a time range for use by other functions, such as Access Control Lists.
Command Usage
◆ This command sets a time range for use by other functions, such as Access Control Lists.
◆ A maximum of eight rules can be configured for a time range.

Example
Console(config)#time-range r&d
Console(config-time-range)#

Related Commands
Access Control Lists (369)

absolute
This command sets the absolute time range for the execution of a command. Use the no form to remove a previously specified time.
Example
This example configures the time for the single occurrence of an event.
Console(config)#time-range r&d
Console(config-time-range)#absolute start 1 1 1 april 2009 end 2 1 1 april 2009
Console(config-time-range)#

periodic
This command sets the time range for the periodic execution of a command. Use the no form to remove a previously specified time range.
Example
This example configures a time range for the periodic occurrence of an event.
Console(config)#time-range sales
Console(config-time-range)#periodic daily 1 1 to 2 1
Console(config-time-range)#

show time-range
This command shows configured time ranges.

Syntax
show time-range [name]
name - Name of the time range.
Switch Clustering

Table 29: Switch Cluster Commands (Continued)
Command                   Function                                             Mode
show cluster              Displays the switch clustering status                PE
show cluster members      Displays current cluster Members                     PE
show cluster candidates   Displays current cluster Candidates in the network   PE

Using Switch Clustering
◆ A switch cluster has a primary unit called the “Commander” which is used to manage all other “Member” switches in the cluster.
Default Setting
Disabled

Command Mode
Global Configuration

Command Usage
◆ To create a switch cluster, first be sure that clustering is enabled on the switch (the default is disabled), then set the switch as a Cluster Commander. Set a Cluster IP Pool that does not conflict with any other IP subnets in the network.
◆ Cluster Member switches can be managed through a Telnet connection to the Commander. From the Commander CLI prompt, use the rcommand id command to connect to the Member switch.

Example
Console(config)#cluster commander
Console(config)#

cluster ip-pool
This command sets the cluster IP address pool. Use the no form to reset to the default address.
cluster member
This command configures a Candidate switch as a cluster Member. Use the no form to remove a Member switch from the cluster.

Syntax
cluster member mac-address mac-address id member-id
no cluster member id member-id
mac-address - The MAC address of the Candidate switch.
member-id - The ID number to assign to the Member switch.
Example
Console#rcommand id 1
CLI session with the ECS4130-28T is opened.
To end the CLI session, enter [Exit].
Vty-0#

show cluster
This command shows the switch clustering configuration.
show cluster candidates
This command shows the discovered Candidate switches in the network.
5 SNMP Commands

SNMP commands control access to this switch from management stations using the Simple Network Management Protocol (SNMP), as well as the error types sent to trap managers. SNMP Version 3 also provides security features that cover message integrity, authentication, and encryption, as well as controlling user access to specific areas of the MIB tree.
Table 30: SNMP Commands (Continued)
Command                     Function                                                   Mode
show snmp engine-id         Shows the SNMP engine ID                                   PE
show snmp group             Shows the SNMP groups                                      PE
show snmp user              Shows the SNMP users                                       PE
show snmp view              Shows the SNMP views                                       PE
nlm                         Enables the specified notification log                     GC
snmp-server notify-filter   Creates a notification log and specifies the target host   GC
show nlm oper-status        Shows operation status of configured notification logs     PE
show snmp notify-filter
Table 30: SNMP Commands (Continued)
Command                  Function                                                                 Mode
memory                   Sets the rising and falling threshold for the memory utilization alarm   GC
process cpu              Sets the rising and falling threshold for the CPU utilization alarm      GC
process cpu guard        Sets the CPU utilization watermark and threshold                         GC
show memory              Shows memory utilization parameters                                      PE
show process cpu         Shows CPU utilization parameters                                         NE, PE
show process cpu guard   Shows the CPU utilizat

General SNMP Commands
ro - Specifies read-only access. Authorized management stations are only able to retrieve MIB objects.
rw - Specifies read/write access. Authorized management stations are able to both retrieve and modify MIB objects.

Default Setting
◆ public - Read-only access. Authorized management stations are only able to retrieve MIB objects.
◆ private - Read/write access. Authorized management stations are able to both retrieve and modify MIB objects.
snmp-server location
This command sets the system location string. Use the no form to remove the location string.

Syntax
snmp-server location text
no snmp-server location
text - String that describes the system location.
SNMP Target Host Commands

notifications are enabled. If you enter the command with a keyword, only the notification type related to that keyword is enabled.
◆ The snmp-server enable traps command is used in conjunction with the snmp-server host command. Use the snmp-server host command to specify which host or hosts receive SNMP notifications. In order to send notifications, you must configure at least one snmp-server host command.
version - Specifies whether to send notifications as SNMP Version 1, 2c or 3 traps. (Range: 1, 2c, 3; Default: 1)
auth | noauth | priv - This group uses SNMPv3 with authentication, no authentication, or with authentication and privacy. See “Simple Network Management Protocol” in the Web Management Guide for further information about these authentication and encryption options.
port - Host UDP port to use.
4. Allow the switch to send SNMP traps; i.e., notifications (page 182).
5. Specify the target host that will receive inform messages with the snmp-server host command as described in this section.

To send an inform to an SNMPv3 host, complete these steps:
1. Enable the SNMP agent (page 179).
2. Create a remote SNMPv3 user to use in the message exchange process (page 189).
3. Create a view with the required notification messages (page 191).
Example
Console(config)#interface ethernet 1/1
Console(config-if)#snmp-server enable port-traps link-up-down
Console(config)#

snmp-server enable port-traps mac-notification
This command enables the device to send SNMP traps (i.e., SNMP notifications) when a dynamic MAC address is added or removed. Use the no form to restore the default setting.
Command Mode
Privileged Exec

Example
Console#show snmp-server enable port-traps interface
Interface   MAC Notification Trap
---------   ---------------------
Eth 1/1     No
Eth 1/2     No
Eth 1/3     No
.
.
.

SNMPv3 Commands

snmp-server engine-id
This command configures an identification string for the SNMPv3 engine. Use the no form to restore the default.
remote agent. You therefore need to configure the remote agent’s SNMP engine ID before you can send proxy requests or informs to it.
◆ Trailing zeroes need not be entered to uniquely specify an engine ID. In other words, the value “0123456789” is equivalent to “0123456789” followed by 16 zeroes for a local engine ID.
◆ A local engine ID is automatically generated that is unique to the switch. This is referred to as the default engine ID.
Command Mode
Global Configuration

Command Usage
◆ A group sets the access policy for the assigned users.
◆ When authentication is selected, the MD5 or SHA algorithm is used as specified in the snmp-server user command.
◆ When privacy is selected, the DES 56-bit algorithm is used for data encryption.
auth - Uses SNMPv3 with authentication.
md5 | sha - Uses MD5 or SHA authentication.
auth-password - Authentication password. Enter as plain text if the encrypted option is not used. Otherwise, enter an encrypted password. (Range: 8-32 characters for unencrypted password.) If the encrypted option is selected, enter an encrypted password. (Range: 32 characters for MD5 encrypted password, 40 characters for SHA encrypted password)
priv - Uses SNMPv3 with privacy.
◆ SNMP passwords are localized using the engine ID of the authoritative agent. For informs, the authoritative SNMP agent is the remote agent. You therefore need to configure the remote agent’s SNMP engine ID before you can send proxy requests or informs to it.

Example
Console(config)#snmp-server user steve r&d v3 auth md5 greenpeace priv des56 einstien
Console(config)#snmp-server engine-id remote 192.168.1.
This view includes the MIB-2 interfaces table, ifDescr. The wild card is used to select all the index values in the following table.
Console(config)#snmp-server view ifEntry.2 1.3.6.1.2.1.2.2.1.*.2 included
Console(config)#

This view includes the MIB-2 interfaces table, and the mask selects all index entries.
Console(config)#snmp-server view ifEntry.a 1.3.6.1.2.1.2.2.1.1.* included
Console(config)#

show snmp engine-id
This command shows the SNMP engine ID.
show snmp group
Four default groups are provided – SNMPv1 read-only access and read/write access, and SNMPv2c read-only access and read/write access.
Table 32: show snmp group - display description (Continued)
Field          Description
Read View      The associated read view.
Write View     The associated write view.
Notify View    The associated notify view.
Storage Type   The storage type for this entry.
Row Status     The row status of this entry.

show snmp user
This command shows information on SNMP users.
Table 33: show snmp user - display description (Continued)
Field              Description
Storage Type       The storage type for this entry.
Row Status         The row status of this entry.
SNMP remote user   A user associated with an SNMP engine on a remote device.

show snmp view
This command shows information on the SNMP views.

Command Mode
Privileged Exec

Example
Console#show snmp view
View Name: mib-2
Subtree OID: 1.2.2.3.6.2.

Notification Log Commands
Default Setting
None

Command Mode
Global Configuration

Command Usage
◆ Notification logging is enabled by default, but will not start recording information until a logging profile specified by the snmp-server notify-filter command is enabled by the nlm command.
◆ Disabling logging with this command does not delete the entries stored in the notification log.

Example
This example enables the notification log A1.
RFC 3014) provides an infrastructure in which information from other MIBs may be logged.
◆ Given the service provided by the NLM, individual MIBs can now bear less responsibility to record transient information associated with an event against the possibility that the Notification message is lost, and applications can poll the log to verify that they have not missed any important Notifications.
show nlm oper-status
This command shows the operational status of configured notification logs.

Command Mode
Privileged Exec

Example
Console#show nlm oper-status
Filter Name: A1
Oper-Status: Operational
Console#

show snmp notify-filter
This command displays the configured notification logs.

Command Mode
Privileged Exec

Example
This example displays the configured notification logs and associated target hosts.

Additional Trap Commands
Command Usage
Once the rising alarm threshold is exceeded, utilization must drop beneath the falling threshold before the alarm is terminated, and then exceed the rising threshold again before another alarm is triggered.

Example
Console(config)#memory rising 80
Console(config)#memory falling 60
Console#

Related Commands
show memory (105)

process cpu
This command sets an SNMP trap based on configured thresholds for CPU utilization.
process cpu guard
This command sets the CPU utilization high and low watermarks in percentage of CPU time utilized, and the CPU high and low thresholds in the number of packets being processed per second. Use the no form of this command without any parameters to restore all of the default settings, or with a specific parameter to restore the default setting for that item.
◆ Once the maximum threshold is exceeded, utilization must drop beneath the minimum threshold before the alarm is terminated, and then exceed the maximum threshold again before another alarm is triggered.
6 Remote Monitoring Commands

Remote Monitoring allows a remote device to collect information or respond to specified events on an independent basis. This switch is an RMON-capable device which can independently perform a wide range of tasks, significantly reducing network management traffic. It can continuously run diagnostics and log information on network performance.
rmon alarm
This command sets threshold bounds for a monitored variable. Use the no form to remove an alarm.

Syntax
rmon alarm index variable interval {absolute | delta} rising-threshold threshold [event-index] falling-threshold threshold [event-index] [owner name]
no rmon alarm index
index – Index to this entry. (Range: 1-65535)
variable – The object identifier of the MIB variable to be sampled. Only variables of the type etherStatsEntry.n.n may be sampled.
generated until the sampled value has fallen below the rising threshold, reaches the falling threshold, and again moves back up to the rising threshold.
◆ If the current value is less than or equal to the falling threshold, and the last sample value was greater than this threshold, then an alarm will be generated.
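The rising/falling hysteresis described here for rmon alarm, and in the same words for the memory and process cpu alarms in Chapter 5, as an added example that is not part of this guide: a small state machine that fires a rising event once, stays quiet until the value has reached the falling threshold, and only then re-arms. It also covers the delta sample type, where the compared value is the difference between successive counter readings. The initial "either" arming (first sample may fire either event) is an assumption borrowed from the RMON MIB's startup-alarm behaviour; the thresholds 80/60 are the guide's own memory example.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class ThresholdAlarm:
    """One rmon alarm entry (or the memory / process cpu alarm pair).

    rising / falling are the two thresholds. For sample_type "delta" the
    value compared is the difference between successive raw samples.
    After a rising event the alarm is re-armed for rising only once the
    value has reached the falling threshold, and vice versa."""
    rising: int
    falling: int
    sample_type: str = "absolute"          # "absolute" or "delta"
    _armed: str = "either"                 # "either", "rising", "falling"
    _last_raw: Optional[int] = None        # previous raw sample (delta mode)
    events: List[Tuple[int, str]] = field(default_factory=list)

    def feed(self, sample_no: int, raw: int) -> Optional[str]:
        """Feed one sample; return "rising", "falling" or None."""
        if self.sample_type == "delta":
            if self._last_raw is None:
                self._last_raw = raw
                return None                # no delta yet for the first sample
            value, self._last_raw = raw - self._last_raw, raw
        else:
            value = raw
        fired = None
        if value >= self.rising and self._armed in ("either", "rising"):
            fired = "rising"
            self._armed = "falling"        # no new rising alarm until falling reached
        elif value <= self.falling and self._armed in ("either", "falling"):
            fired = "falling"
            self._armed = "rising"         # no new falling alarm until rising reached
        if fired:
            self.events.append((sample_no, fired))
        return fired


def run_alarm(samples: List[int], rising: int, falling: int,
              sample_type: str = "absolute") -> List[Tuple[int, str]]:
    """Replay a sample series and return (sample index, event) pairs."""
    alarm = ThresholdAlarm(rising, falling, sample_type)
    for i, s in enumerate(samples):
        alarm.feed(i, s)
    return alarm.events


if __name__ == "__main__":
    # Constructed memory-utilization readings (percent) against rising 80 / falling 60.
    print(run_alarm([70, 85, 90, 75, 55, 85], 80, 60))
    # Constructed counter readings: only deltas >= 150 or <= 75 raise events.
    print(run_alarm([1000, 1100, 1300, 1350, 1600], 150, 75, "delta"))
```

Note that the reading of 90 right after 85 raises nothing, and 75 (between the thresholds) neither clears nor re-triggers the alarm.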
Command Usage
◆ If an event is already defined for an index, the entry must be deleted before any changes can be made with this command.
◆ The specified events determine the action to take when an alarm triggers this event. The response to an alarm can include logging the alarm or sending a message to a trap manager.
◆ The information collected for each sample includes: input octets, packets, broadcast packets, multicast packets, undersize packets, oversize packets, fragments, jabbers, CRC alignment errors, collisions, drop events, and network utilization.
◆ The switch reserves two controlEntry index entries for each port.
Command Usage
◆ By default, each index number equates to a port on the switch, but can be changed to any number not currently in use.
◆ If statistics collection is already enabled on an interface, the entry must be deleted before any changes can be made with this command.
show rmon history
This command shows the sampling parameters configured for each entry in the history group.

Command Mode
Privileged Exec

Example
Console#show rmon history
Entry 1 is valid, and owned by Monitors 1.3.6.1.2.1.2.2.1.1.
7 Flow Sampling Commands

Flow sampling (sFlow) can be used with a remote sFlow Collector to provide an accurate, detailed and real-time overview of the types and levels of traffic present on the network. The sFlow Agent samples 1 out of n packets from all data traversing the switch, re-encapsulates the samples as sFlow datagrams and transmits them to the sFlow Collector.
sflow owner
This command creates an sFlow collector on the switch. Use the no form to remove the sFlow receiver.

Syntax
sflow owner owner-name timeout timeout-value [destination {ipv4-address | ipv6-address} [max-datagram-size max-datagram-size] [version {v4 | v5}] [port destination-udp-port]]
no sflow owner owner-name
owner-name - Name of the collector.
◆ Once an owner is created, the sflow owner command can again be used to modify the owner’s port number. All other parameter values for the owner will be retained if the port is modified.
◆ Use the no sflow owner command to remove the collector.
◆ When the sflow owner command is issued, its associated timeout value will immediately begin to count down.
instance-id - An instance ID used to identify the sampling source. (Range: 1)
owner-name - The associated receiver, to which the samples will be sent. (Range: 1-30 alphanumeric characters)
polling-interval - The time interval at which the sFlow process adds counter values to the sample datagram. (Range: 1-10000000 seconds, 0 disables this feature)

Default Setting
No sFlow polling instance is configured.
instance-id - An instance ID used to identify the sampling source. (Range: 1)
owner-name - The associated receiver, to which the samples will be sent. (Range: 1-30 alphanumeric characters)
sample-rate - The packet sampling rate, or the number of packets out of which one sample will be taken. (Range: 256-16777215 packets)
max-header-size - The maximum size of the sFlow datagram header. (Range: 64-256 bytes)

Default Setting
No sFlow sampling instance is configured.
Command Mode
Privileged Exec

Example
Console#show sflow interface ethernet 1/2
Receiver Owner Name    : stat1
Receiver Timeout       : 99633 sec
Receiver Destination   : 192.168.32.
Receiver Socket Port   :
Maximum Datagram Size  :
Datagram Version       :
8 Authentication Commands

You can configure this switch to authenticate users logging into the system for management access using local or remote authentication methods. Port-based authentication using IEEE 802.1X can also be configured to control either management access to the uplink ports or client access to the data ports.
User Accounts and Privilege Levels

The basic commands required for management access and assigning command privilege levels are listed in this section. This switch also includes other options for password checking via the console or a Telnet connection (page 129), user authentication via a remote authentication server (page 217), and host access authentication for specific ports (page 260).
Default Setting
The default is level 15.
The default password is “super”.

Command Mode
Global Configuration

Command Usage
◆ You cannot set a null password. You will have to enter a password to change the command mode from Normal Exec to Privileged Exec with the enable command.
◆ The encrypted password is required for compatibility with legacy password settings (i.e.
Levels 8-14 provide the same default access privileges, including additional commands in Normal Exec mode, and a subset of commands in Privileged Exec mode under the “Console#” command prompt. Level 15 provides full access to all commands. The privilege level associated with any command can be changed using the privilege command. Any privilege level can access all of the commands assigned to lower privilege levels.
privilege
This command assigns a privilege level to specified command groups or individual commands. Use the no form to restore the default setting.

Syntax
privilege mode [all] level level command
no privilege mode [all] command
mode - The configuration mode containing the specified command. (See “Understanding Command Modes” on page 78 and “Configuration Commands” on page 80.
Example
This example shows the privilege level for any command modified by the privilege command.
Console#show privilege command
privilege line all level 0 accounting
privilege exec level 15 ping
Console(config)#

Authentication Sequence

Three authentication methods can be specified to authenticate users logging into the system for management access. The commands in this section can be used to define the authentication method and sequence.
◆ RADIUS and TACACS+ logon authentication assigns a specific privilege level for each user name and password pair. The user name, password, and privilege level must be configured on the authentication server.
◆ You can specify three authentication methods in a single command to indicate the authentication sequence. For example, if you enter “authentication login radius tacacs local,” the user name and password on the RADIUS server is verified first. If the RADIUS server is not available, then authentication is attempted on the TACACS+ server. If the TACACS+ server is not available, the local user name and password is checked.
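The fall-through behaviour of "authentication login radius tacacs local" described above, as an added example that is not part of this guide: a model of the method sequence in which the next method is consulted only when the current server is not available. The guide states only that case; treating a definite accept or reject from a reachable server as final is an assumption in this model, and the stub servers and user entries are constructed for illustration.

```python
from enum import Enum
from typing import Callable, Dict, List, Optional, Tuple


class Result(Enum):
    ACCEPT = "accept"            # server verified the user name and password
    REJECT = "reject"            # server answered and refused them
    UNAVAILABLE = "unavailable"  # no answer after the configured retransmits


# An authentication method is modelled as a callable (username, password) -> Result.
Method = Callable[[str, str], Result]


def remote_server(users: Optional[Dict[str, str]]) -> Method:
    """Stub for a RADIUS or TACACS+ server. users=None models an unreachable server."""
    def check(username: str, password: str) -> Result:
        if users is None:
            return Result.UNAVAILABLE
        return Result.ACCEPT if users.get(username) == password else Result.REJECT
    return check


def local_database(users: Dict[str, str]) -> Method:
    """The switch's own user table; it is always reachable."""
    def check(username: str, password: str) -> Result:
        return Result.ACCEPT if users.get(username) == password else Result.REJECT
    return check


def authenticate_login(sequence: List[str], methods: Dict[str, Method],
                       username: str, password: str) -> Tuple[Result, Optional[str]]:
    """Walk the methods in the order given on the authentication login line.

    The next method is tried only when the current one is not available;
    an accept or reject from a reachable method ends the sequence
    (assumption, see lead-in). Returns (outcome, name of the deciding method)."""
    for name in sequence:
        result = methods[name](username, password)
        if result is not Result.UNAVAILABLE:
            return result, name
    return Result.UNAVAILABLE, None


if __name__ == "__main__":
    # Constructed scenario: RADIUS unreachable, TACACS+ and the local table reachable.
    methods = {
        "radius": remote_server(None),
        "tacacs": remote_server({"admin": "tacacs-pw"}),
        "local": local_database({"admin": "local-pw"}),
    }
    order = ["radius", "tacacs", "local"]
    print(authenticate_login(order, methods, "admin", "tacacs-pw"))   # decided by tacacs
    print(authenticate_login(order, methods, "admin", "local-pw"))    # rejected by tacacs
```

In this model the local password is never consulted while TACACS+ answers, so a reject at the first reachable server is not retried against a later method.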
RADIUS Client

port-number - RADIUS server UDP port used for accounting messages. (Range: 1-65535)

Default Setting
1813

Command Mode
Global Configuration

Example
Console(config)#radius-server acct-port 181
Console(config)#

radius-server auth-port
This command sets the RADIUS server network port. Use the no form to restore the default.
acct-port - RADIUS server UDP port used for accounting messages. (Range: 1-65535)
auth-port - RADIUS server UDP port used for authentication messages. (Range: 1-65535)
key - Encryption key used to authenticate logon access for client. Enclose any string containing blank spaces in double quotes. (Maximum length: 48 characters)
retransmit - Number of times the switch will try to authenticate logon access via the RADIUS server.
Example
Console(config)#radius-server key green
Console(config)#

radius-server encrypted-key
This command sets the RADIUS encryption key to be sent in encrypted text. Use the no form to restore the default.

Syntax
radius-server encrypted-key key-string
no radius-server encrypted-key
key-string - Encryption key sent in encrypted text and used to authenticate logon access for client. Enclose any character string using ASCII characters “A-Z” or “a-z”.
radius-server timeout
This command sets the interval between transmitting authentication requests to the RADIUS server. Use the no form to restore the default.

Syntax
radius-server timeout number-of-seconds
no radius-server timeout
number-of-seconds - Number of seconds the switch waits for a reply before resending a request.
radius
Console#

TACACS+ Client

Terminal Access Controller Access Control System (TACACS+) is a logon authentication protocol that uses software running on a central server to control access to TACACS-aware devices on the network. An authentication server contains a database of multiple user name/password pairs with associated privilege levels for each user or group that require management access to a switch.
Default Setting
authentication port - 49
timeout - 5 seconds
retransmit - 3

Command Mode
Global Configuration

Example
Console(config)#tacacs-server 1 host 192.168.1.25 port 181 timeout 10 retransmit 5 key green
Console(config)#

tacacs-server key
This command sets the TACACS+ encryption key. Use the no form to restore the default.
tacacs-server encrypted-key
This command sets the TACACS+ encryption key to be sent in encrypted text. Use the no form to restore the default.

Syntax
tacacs-server encrypted-key key-string
no tacacs-server encrypted-key
key-string - Encryption key sent in encrypted text and used to authenticate logon access for client. Enclose any character string using ASCII characters “A-Z” or “a-z”.
tacacs-server retransmit
This command sets the number of retries. Use the no form to restore the default.

Syntax
tacacs-server retransmit number-of-retries
no tacacs-server retransmit
number-of-retries - Number of times the switch will try to authenticate logon access via the TACACS+ server.
show tacacs-server
This command displays the current settings for the TACACS+ server.

Default Setting
None

Command Mode
Privileged Exec

Example
Console#show tacacs-server
Remote TACACS+ Server Configuration:
Global Settings:
  Server Port Number : 49
  Retransmit Times   : 3
  Timeout            : 5
Server 1:
  Server IP Address  : 10.11.12.
  Server Port Number :
  Retransmit Times   :
  Timeout            :
AAA

Table 43: AAA Commands (Continued)
Command            Function                                               Mode
accounting dot1x   Applies an accounting method to an interface for 802.
Command Usage
◆ The accounting of Exec mode commands is only supported by TACACS+ servers.
◆ Note that the default and method-name fields are only used to describe the accounting method(s) configured on the specified TACACS+ server, and do not actually send any information to the server about the methods to use.
Example
Console(config)#aaa accounting dot1x default start-stop group radius
Console(config)#

aaa accounting exec
This command enables the accounting of requested Exec services for network access. Use the no form to disable the accounting service.

Syntax
aaa accounting exec {default | method-name} start-stop group {radius | tacacs+ | server-group}
no aaa accounting exec {default | method-name}
default - Specifies the default accounting method for service requests.
aaa accounting update
This command enables the sending of periodic updates to the accounting server. Use the no form to disable accounting updates.
Syntax
aaa accounting update [periodic interval]
no aaa accounting update
interval - Sends an interim accounting record to the server at this interval.
Default Setting
Authorization is not enabled
No servers are specified
Command Mode
Global Configuration
Command Usage
◆ The authorization of Exec mode commands is only supported by TACACS+ servers.
◆ Note that the default and method-name fields are only used to describe the authorization method(s) configured on the specified TACACS+ server, and do not actually send any information to the server about the methods to use.
Command Usage
◆ This command performs authorization to determine if a user is allowed to run an Exec shell for local console, Telnet, or SSH connections.
◆ AAA authentication must be enabled before authorization is enabled.
◆ If this command is issued without a specified named method, the default method list is applied to all interfaces or lines (where this authorization type applies), except those that have a named method explicitly defined.
Default Setting
None
Command Mode
Server Group Configuration
Command Usage
◆ When specifying the index for a RADIUS server, that server index must already be defined by the radius-server host command.
◆ When specifying the index for a TACACS+ server, that server index must already be defined by the tacacs-server host command.
Example
Console(config)#aaa group server radius tps
Console(config-sg-radius)#server 10.2.68.
Syntax
accounting commands level {default | list-name}
no accounting commands level
level - The privilege level for executing commands. (Range: 0-15)
default - Specifies the default method list created with the aaa accounting commands command.
list-name - Specifies a method list created with the aaa accounting commands command.
Console(config-line)#accounting exec default
Console(config-line)#
authorization commands
This command applies an authorization method to entered CLI commands. Use the no form to disable authorization for entered CLI commands.
Syntax
authorization commands level {default | list-name}
no authorization commands level
level - The privilege level for executing commands.
Example
Console(config)#line console
Console(config-line)#authorization exec tps
Console(config-line)#exit
Console(config)#line vty
Console(config-line)#authorization exec default
Console(config-line)#
show accounting
This command displays the current accounting settings per function and per port.
 Interface : vty
 Accounting Type : Commands 0
 Method List : default
 Group List : tacacs+
 Interface :
 . . .
 Accounting Type : Commands 15
 Method List : default
 Group List : tacacs+
 Interface :
Console#
show authorization
This command displays the current authorization settings per function and per port.
Syntax
show authorization [commands [level] | exec]
commands - Displays command authorization information.
Web Server
This section describes commands used to configure web browser management access to the switch.
Related Commands
aaa authorization commands (237)
ip http server (246)
show system (111)
ip http port
This command specifies the TCP port number used by the web browser interface. Use the no form to use the default port.
Syntax
ip http port port-number
no ip http port
port-number - The TCP port to be used by the browser interface.
Related Commands
ip http authentication (245)
show system (111)
ip http secure-port
This command specifies the TCP port number used for HTTPS connection to the switch’s web interface. Use the no form to restore the default port.
Syntax
ip http secure-port port_number
no ip http secure-port
port_number – The TCP port used for HTTPS.
Command Mode
Global Configuration
Command Usage
◆ Both HTTP and HTTPS service can be enabled independently on the switch. However, you cannot configure the HTTP and HTTPS servers to use the same UDP port.
show system (111)
Telnet Server
This section describes commands used to configure Telnet management access to the switch.
Example
Console(config)#ip telnet max-sessions 1
Console(config)#
ip telnet port
This command specifies the TCP port number used by the Telnet interface. Use the no form to use the default port.
Syntax
ip telnet port port-number
no telnet port
port-number - The TCP port number to be used by the browser interface.
Syntax
telnet host
host - IP address or alias of a remote device.
Command Mode
Privileged Exec
Example
Console#telnet 192.168.2.254
Connect To 192.168.2.254...
***************************************************************
WARNING - MONITORED ACTIONS AND ACCESSES
User Access Verification
Username:
Console(config)#
show ip telnet
This command displays the configuration settings for the Telnet server.
Table 47: Secure Shell Commands
Command  Function  Mode
ip ssh authentication-retries  Specifies the number of retries allowed by a client  GC
ip ssh server  Enables the SSH server on the switch  GC
ip ssh timeout  Specifies the authentication timeout for the SSH server  GC
copy tftp public-key  Copies the user’s public key from a TFTP server to the switch  PE
delete public-key  Deletes the public key for the specified user  PE
disconnect  Terminates a
108259132128902337654680172627257141342876294130119619556678259566410486957427
888146206519417467729848654686157177393901647793559423035774130980227370877945
4524083971752646358058176716709574804776117
3. Import Client’s Public Key to the Switch – Use the copy tftp public-key command to copy a file containing the public key for all the SSH clients granted management access to the switch.
c. The client sends a signature generated using the private key to the switch.
d. When the server receives this message, it checks whether the supplied key is acceptable for authentication, and if so, it then checks whether the signature is correct. If both checks succeed, the client is authenticated.
Note: The SSH server supports up to eight client sessions. The maximum number of client sessions includes both current Telnet sessions and SSH sessions.
Default Setting
Disabled
Command Mode
Global Configuration
Command Usage
◆ The SSH server supports up to eight client sessions. The maximum number of client sessions includes both current Telnet sessions and SSH sessions.
◆ The SSH server uses RSA for key exchange when the client first establishes a connection with the switch, and then negotiates with the client to select either DES (56-bit) or 3DES (168-bit) for data encryption.
Example
Console(config)#ip ssh timeout 60
Console(config)#
Related Commands
exec-timeout (131)
show ip ssh (258)
delete public-key
This command deletes the specified user’s public key.
Syntax
delete public-key username
username – Name of an SSH user. (Range: 1-8 characters)
Default Setting
Deletes the RSA key.
Command Mode
Privileged Exec
Example
Console#delete public-key admin
Console#
ip ssh crypto host-key generate
This command generates the host key pair (i.e.
◆ Some SSH client programs automatically add the public key to the known hosts file as part of the configuration process. Otherwise, you must manually create a known hosts file and place the host public key in it.
◆ The SSH server uses this host key to negotiate a session key and encryption method with the client trying to connect to it.
ip ssh save host-key
This command saves the host key from RAM to flash memory.
Syntax
ip ssh save host-key
Default Setting
Saves the RSA key.
Command Mode
Privileged Exec
Example
Console#ip ssh save host-key
Console#
Related Commands
ip ssh crypto host-key generate (256)
show ip ssh
This command displays the connection settings used when authenticating client access to the SSH server.
Command Usage
If no parameters are entered, all keys are displayed. If the user keyword is entered, but no user name is specified, then the public keys for all users are displayed.
802.1X Port Authentication
The switch supports IEEE 802.1X (dot1x) port-based access control that prevents unauthorized access to the network by requiring users to first submit credentials for authentication. Client authentication is controlled centrally by a RADIUS server using EAP (Extensible Authentication Protocol).
Table 49: 802.
General Commands
dot1x default
This command sets all configurable dot1x authenticator global and port settings to their default values.
Command Usage
◆ When this device is functioning as an intermediate node in the network and does not need to perform dot1x authentication, the dot1x eapol pass-through command can be used to forward EAPOL frames from other switches on to the authentication servers, thereby allowing the authentication process to still be carried out by switches located on the edge of the network.
block-traffic - Blocks traffic on this port.
guest-vlan - Assigns the user to the Guest VLAN.
Default
block-traffic
Command Mode
Interface Configuration
Command Usage
◆ For guest VLAN assignment to be successful, the VLAN must be configured and set as active (see the vlan database command) and assigned as the guest VLAN for the port (see the network-access guest-vlan command).
dot1x max-req
This command sets the maximum number of times the switch port will retransmit an EAP request/identity packet to the client before it times out the authentication session. Use the no form to restore the default.
Command Usage
◆ The “max-count” parameter specified by this command is only effective if the dot1x mode is set to “auto” by the dot1x port-control command.
◆ In “multi-host” mode, only one host connected to a port needs to pass authentication for all other hosts to be granted network access. Similarly, a port can become unauthorized for all hosts if one attached host fails reauthentication or sends an EAPOL logoff message.
dot1x re-authentication
This command enables periodic re-authentication for a specified port. Use the no form to disable re-authentication.
Syntax
[no] dot1x re-authentication
Command Mode
Interface Configuration
Command Usage
The re-authentication process verifies the connected client’s user ID and password on the RADIUS server.
Example
Console(config)#interface eth 1/2
Console(config-if)#dot1x timeout quiet-period 350
Console(config-if)#
dot1x timeout re-authperiod
This command sets the time period after which a connected client must be re-authenticated. Use the no form of this command to reset the default.
Syntax
dot1x timeout re-authperiod seconds
no dot1x timeout re-authperiod
seconds - The number of seconds.
authentication when the port link state comes up. It will send an EAP-request/identity frame to the client to request its identity, followed by one or more requests for authentication information. It may also send other EAP-request frames to the client during an active connection as required for reauthentication.
Command Usage
The re-authentication process verifies the connected client’s user ID and password on the RADIUS server. During re-authentication, the client remains connected to the network and the process is handled transparently by the dot1x client software. Only if re-authentication fails is the port blocked.
◆ Authenticator PAE State Machine
 ■ State – Current state (including initialize, disconnected, connecting, authenticating, authenticated, aborting, held, force_authorized, force_unauthorized).
 ■ Reauth Count – Number of times connecting state is re-entered.
 ■ Current Identifier – The integer (0-255) used by the Authenticator to identify the current authentication session.
Port      Type      Operation Mode  Control Mode       Authorized
--------  --------  --------------  -----------------  ----------
Eth 1/ 1  Disabled  Single-Host     Force-Authorized   Yes
Eth 1/ 2  Disabled  Single-Host     Force-Authorized   Yes
...
Eth 1/17  Disabled  Single-Host     Force-Authorized   Yes
Eth 1/18  Enabled   Single-Host     Auto               Yes
Console#show dot1x interface ethernet 1/5
802.
Management IP Filter
This section describes commands used to configure IP management access to the switch.
◆ IP addresses can be configured for SNMP, web, and Telnet access respectively. Each of these groups can include up to five different sets of addresses, either individual addresses or address ranges.
◆ When entering addresses for the same group (i.e., SNMP, web, or Telnet), the switch will not accept overlapping address ranges. When entering addresses for different groups, the switch will accept overlapping address ranges.
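The two rules above (at most five address sets per access group, no overlap inside a group, overlap allowed across groups) are easy to get wrong when a filter list is maintained by hand. The following is an added example, not code from the guide or from the switch firmware, that models those rules in Python so a filter list can be validated before it is pushed to the device. The class and method names are assumptions; only the group names and limits come from the section.

```python
"""Model of the management IP filter rules described in this section
(added example): up to five address sets per access group, no overlapping
ranges within one group, overlapping ranges allowed between groups."""
import ipaddress

GROUPS = ("snmp", "web", "telnet")   # the three access groups named on the page
MAX_SETS_PER_GROUP = 5               # limit stated on the page


class ManagementIpFilter:
    """Hypothetical in-memory model of the switch's per-group address sets."""

    def __init__(self):
        self.sets = {g: [] for g in GROUPS}   # group -> list of (start, end)

    @staticmethod
    def _range(start, end):
        s, e = ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)
        if e < s:
            raise ValueError("end address precedes start address")
        return (s, e)

    @staticmethod
    def _overlaps(a, b):
        # closed intervals overlap when neither lies wholly before the other
        return a[0] <= b[1] and b[0] <= a[1]

    def add(self, group, start, end=None):
        """Add a single address (end omitted) or a range to a group.

        Returns True if the switch would accept it, False if it would be
        rejected because the group is full or the range overlaps an
        existing set in the same group."""
        if group not in self.sets:
            raise ValueError(f"unknown access group {group!r}")
        new = self._range(start, end or start)
        existing = self.sets[group]
        if len(existing) >= MAX_SETS_PER_GROUP:
            return False
        if any(self._overlaps(new, r) for r in existing):
            return False
        existing.append(new)
        return True

    def matches(self, group, address):
        """True if address falls inside any configured set of the group."""
        ip = ipaddress.IPv4Address(address)
        return any(s <= ip <= e for s, e in self.sets[group])


if __name__ == "__main__":
    f = ManagementIpFilter()
    # constructed sample entries mirroring the show output later in this section
    f.add("telnet", "192.168.1.19")
    f.add("telnet", "192.168.1.25", "192.168.1.30")
    print("telnet 192.168.1.27 matches:", f.matches("telnet", "192.168.1.27"))
    print("overlapping telnet range accepted:",
          f.add("telnet", "192.168.1.28", "192.168.1.40"))
```

The overlap test deliberately treats ranges as closed intervals, so a single address equal to the end of an existing range is rejected in the same group, which is the behaviour the section describes for the switch.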
TELNET-Client:
 Start IP address  End IP address
 ----------------------------------------------
 1. 192.168.1.19  192.168.1.19
 2. 192.168.1.25  192.168.1.30
Console#
PPPoE Intermediate Agent
This section describes commands used to configure the PPPoE Intermediate Agent (PPPoE IA) relay parameters required for passing authentication messages between a client and broadband remote access servers.
Command Mode
Global Configuration
Command Usage
◆ The switch inserts a tag identifying itself as a PPPoE Intermediate Agent residing between the attached client requesting network access and the ports connected to broadband remote access servers (BRAS).
Default Setting
◆ Access Node Identifier: IP address of the first IPv4 interface on the switch.
◆ Generic Error Message: PPPoE Discover packet too large to process. Try reducing the number of tags added.
◆ Vendor Identifier: 3561 (This is the enterprise number assigned to the Broadband Forum.
Example
Console(config)#interface ethernet 1/5
Console(config-if)#pppoe intermediate-agent port-enable
Console(config-if)#
pppoe intermediate-agent port-format-type
This command sets the circuit-id, remote-id, or remote-id delimiter for an interface. Use the no form to restore the default settings.
◆ The switch intercepts PPPoE discovery frames from the client and inserts a unique line identifier using the PPPoE Vendor-Specific tag (0x0105) to PPPoE Active Discovery Initiation (PADI) and Request (PADR) packets. The switch then forwards these packets to the PPPoE server. The tag contains the Line-ID of the customer line over which the discovery packet was received, entering the switch (or access node) where the intermediate agent resides.
Example
This command enables the delimiter for port 5.
Console(config)#interface ethernet 1/5
Console(config-if)#pppoe intermediate-agent port-format-type remote-id-delimiter enable
Console(config-if)#
pppoe intermediate-agent trust
This command sets an interface to trusted mode to indicate that it is connected to a PPPoE server. Use the no form to set an interface to untrusted mode.
Command Usage
This command only applies to trusted interfaces. It is used to strip off vendor-specific tags (which carry subscriber and line identification information) in PPPoE Discovery packets received from an upstream PPPoE server before forwarding them to a user.
Example
Console#show pppoe intermediate-agent info
 PPPoE Intermediate Agent Global Status : Enabled
 PPPoE Intermediate Agent Vendor ID : 3561
 PPPoE Intermediate Agent Admin Access Node Identifier : 192.168.0.2
 PPPoE Intermediate Agent Oper Access Node Identifier : 192.168.0.2
 PPPoE Intermediate Agent Admin Generic Error Message : PPPoE Discover packet too large to process. Try reducing the number of tags added.
Table 52: show pppoe intermediate-agent statistics - display description
Field  Description
Received
 PADI  PPPoE Active Discovery Initiation
 PADO  PPPoE Active Discovery Offer
 PADR  PPPoE Active Discovery Request
 PADS  PPPoE Active Discovery Session-Confirmation
 PADT  PPPoE Active Discovery Terminate
Dropped
 Response from untrusted  Response from an interface which has not been configured as trusted.
9 General Security Measures
This switch supports many methods of segregating traffic for clients attached to each of the data ports, and for ensuring that only authorized clients gain access to the network. Port-based authentication using IEEE 802.1X is commonly used for these purposes. In addition to these methods, several other options for providing client security are described in this chapter.
Port Security
These commands can be used to enable port security on a port. When MAC address learning is disabled on an interface, only incoming traffic with source addresses already stored in the dynamic or static address table for this port will be authorized to access the network. When using port security, the switch stops learning new MAC addresses on the specified port when it has reached a configured maximum number.
Command Usage
◆ The no mac-learning command immediately stops the switch from learning new MAC addresses on the specified port or trunk. Incoming traffic with source addresses not stored in the static address table will be flooded. However, if a security function such as 802.
Default Setting
Status: Disabled
Action: None
Maximum Addresses: 0
Command Mode
Interface Configuration (Ethernet)
Command Usage
◆ The default maximum number of MAC addresses allowed on a secure port is zero (that is, port security is disabled). To use port security, you must configure the maximum number of addresses allowed on a port using the port security max-mac-count command.
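To make the port security behaviour described above concrete (learning stops at max-mac-count, a frame from an unknown source MAC after that is a violation, and the configured action decides whether a trap is raised or the port is shut down), here is an added simulation in Python. It is not code from the guide or the switch; the class name, the "trap-and-shutdown" combined action, and the treatment of a max count of 0 as "no limit enforced" are assumptions, while "none", "trap", the shutdown response and the Last Intrusion MAC field appear in this section.

```python
"""Simulation of port security on one switch port (added example, not the
switch's implementation). max_mac_count == 0 means port security is disabled,
matching the default documented on the page."""
from dataclasses import dataclass, field

# "none" and "trap" appear in this section; "shutdown" is implied by the
# Shutdown port status; "trap-and-shutdown" is an assumed combined action.
ACTIONS = ("none", "trap", "shutdown", "trap-and-shutdown")


@dataclass
class SecurePort:
    name: str
    max_mac_count: int = 0          # page default: 0 = port security disabled
    action: str = "none"            # page default: None
    learned: set = field(default_factory=set)
    shutdown: bool = False
    traps: list = field(default_factory=list)
    last_intrusion_mac: str = ""

    def __post_init__(self):
        if self.action not in ACTIONS:
            raise ValueError(f"unknown intrusion action {self.action!r}")

    @property
    def enabled(self):
        return self.max_mac_count > 0

    def receive(self, src_mac):
        """Return True if a frame from src_mac is allowed onto the network."""
        src_mac = src_mac.lower()
        if self.shutdown:
            return False                      # port was shut down by a violation
        if not self.enabled:
            return True                       # assumption: no limit is enforced
        if src_mac in self.learned:
            return True                       # already in the secure address table
        if len(self.learned) < self.max_mac_count:
            self.learned.add(src_mac)         # still learning up to the maximum
            return True
        # Maximum reached: learning has stopped, so an unknown source MAC is
        # a security violation handled according to the configured action.
        self.last_intrusion_mac = src_mac
        if "trap" in self.action:
            self.traps.append(src_mac)        # stands in for the SNMP trap
        if "shutdown" in self.action:
            self.shutdown = True
        return False

    def current_mac_count(self):
        return len(self.learned)


if __name__ == "__main__":
    # constructed sample traffic on a port configured like the page's example
    port = SecurePort("ethernet 1/5", max_mac_count=2, action="trap")
    for mac in ("00-10-22-00-00-01", "00-10-22-00-00-02", "00-10-22-00-00-03"):
        print(mac, "allowed" if port.receive(mac) else "violation")
    print("traps raised:", port.traps, "last intrusion:", port.last_intrusion_mac)
```

Note the difference between the two responses: with "trap" the port keeps forwarding traffic from its already-learned addresses after a violation, while with "shutdown" every frame, including those from known addresses, is dropped until the port is administratively re-enabled.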
Example
The following example enables port security for port 5, and sets the response to a security violation to issue a trap message:
Console(config)#interface ethernet 1/5
Console(config-if)#port security action trap
Related Commands
show interfaces status (412)
shutdown (403)
mac-address-table static (484)
port security mac-address sticky
Use this command to save the MAC addresses that port security has learned as “sticky” entries.
Command Mode
Privileged Exec
Example
This example shows the switch saving the MAC addresses learned by port security on ethernet port 1/3.
Console#port security mac-address-as-permanent interface ethernet 1/3
Console#
show port security
This command displays port security status and the secure address count.
Syntax
show port security [interface interface]
interface - Specifies a port interface.
ethernet unit/port
unit - Unit identifier.
Table 55: show port security - display description
Field  Description
Port  The Ethernet interface port number.
Secure MAC Aging Mode  Secure MAC aging mode status (enabled or disabled).
Port Security  The configured status (enabled or disabled).
Port Status  The operational status:
 ◆ Secure/Down – Port security is disabled.
 ◆ Secure/Up – Port security is enabled.
 ◆ Shutdown – Port is shut down due to a response to a port security violation.
 Port Status : Secure/Up
 Intrusion Action : None
 Max MAC Count : 0
 Current MAC Count : 0
 MAC Filter : Disabled
 Last Intrusion MAC : 00-10-22-00-00-01
 Last Time Detected Intrusion MAC : 2017/7/29 15:13:03
Console#
Network Access (MAC Address Authentication)
Network Access authentication controls access to the network by authenticating the MAC address of each host that attempts to connect to a switch port.
Table 56: Network Access Commands (Continued)
Command  Function  Mode
clear network-access  Clears authenticated MAC addresses from the address table  PE
show network-access  Displays the MAC authentication settings for port interfaces  PE
show network-access mac-address-table  Displays information for entries in the secure MAC address table  PE
show network-access mac-filter  Displays information for entries in the MAC fil
network-access mac-filter
Use this command to add a MAC address into a filter table. Use the no form of this command to remove the specified MAC address.
Syntax
network-access mac-filter filter-id mac-address mac-address [mask mask-address]
no network-access mac-filter filter-id mac-address mac-address mask mask-address
filter-id - Specifies a MAC address filter table.
mac-authentication reauth-time
Use this command to set the time period after which an authenticated MAC address is removed from the secure address table. Use the no form of this command to restore the default value.
Syntax
mac-authentication reauth-time seconds
no mac-authentication reauth-time
seconds - The reauthentication time period.
Table 57: Dynamic QoS Profiles
Profile  Attribute Syntax  Example
DiffServ  service-policy-in=policy-map-name  service-policy-in=p1
Rate Limit  rate-limit-input=rate (kbps)  rate-limit-input=100 (kbps)
  rate-limit-output=rate (kbps)  rate-limit-output=200 (kbps)
802.
Command Mode
Interface Configuration
Command Usage
◆ When enabled, the VLAN identifiers returned by the RADIUS server through the 802.1X authentication process will be applied to the port, providing the VLANs have already been created on the switch. GVRP is not used to create the VLANs.
◆ The VLAN settings specified by the first authenticated MAC address are implemented for a port.
◆ When used with 802.1X authentication, the intrusion-action must be set to “guest-vlan” to be effective (see the dot1x intrusion-action command).
◆ A port can only be assigned to the guest VLAN in case of failed authentication if switchport mode is set to Hybrid.
Default Setting
Disabled
Command Mode
Interface Configuration
Example
Console(config)#interface ethernet 1/1
Console(config-if)#network-access link-detection link-down action trap
Console(config-if)#
network-access link-detection link-up
Use this command to detect link-up events. When detected, the switch can shut down the port, send an SNMP trap, or both. Use the no form of this command to disable this feature.
network-access link-detection link-up-down
Use this command to detect link-up and link-down events. When either event is detected, the switch can shut down the port, send an SNMP trap, or both. Use the no form of this command to disable this feature.
Command Usage
The maximum number of MAC addresses per port is 1024, and the maximum number of secure MAC addresses supported for the switch system is 1024. When the limit is reached, all new MAC addresses are treated as authentication failures.
Example
Console(config-if)#network-access max-mac-count 5
Console(config-if)#
network-access mode
Use this command to enable network access authentication on a port.
◆ The RADIUS server may optionally return a VLAN identifier list. The VLAN identifier list is carried in the “Tunnel-Private-Group-ID” attribute. The VLAN list can contain multiple VLAN identifiers in the format “1u,2t,” where “u” indicates untagged VLAN and “t” tagged VLAN. The “Tunnel-Type” attribute should be set to “VLAN,” and the “Tunnel-Medium-Type” attribute set to “802.
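The VLAN list format above ("1u,2t," with u for untagged and t for tagged) is worth validating strictly on whatever consumes the RADIUS reply, because a malformed or out-of-range value from the server should be rejected rather than partially applied. The following parser is an added example in Python, not code from the guide or the switch. The function names are assumptions, as is the rule that at most one untagged VLAN is accepted per port and the check on Tunnel-Type and Tunnel-Medium-Type values; the attribute names and the list syntax come from this section.

```python
"""Parser for the RADIUS Tunnel-Private-Group-ID VLAN list format described
in this section (added example, not the switch's own code)."""
import re

_ITEM = re.compile(r"^(\d+)([ut])$")   # "<vlan-id>u" or "<vlan-id>t"


def parse_vlan_list(value, max_vlan=4094):
    """Return (untagged_vlans, tagged_vlans) from a string such as '1u,2t,'.

    Raises ValueError on malformed input so the caller can treat the RADIUS
    reply as unusable instead of guessing at a partial assignment."""
    untagged, tagged = [], []
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue                       # tolerates the trailing comma in the page's example
        m = _ITEM.match(item)
        if not m:
            raise ValueError(f"malformed VLAN item {item!r}")
        vid, flag = int(m.group(1)), m.group(2)
        if not 1 <= vid <= max_vlan:
            raise ValueError(f"VLAN ID {vid} out of range")
        if vid in untagged or vid in tagged:
            raise ValueError(f"VLAN ID {vid} listed twice")
        (untagged if flag == "u" else tagged).append(vid)
    if len(untagged) > 1:
        # assumption: a port carries a single untagged (native) VLAN
        raise ValueError("more than one untagged VLAN in list")
    return untagged, tagged


def is_valid_vlan_list(value):
    """Boolean wrapper for callers that only need accept/reject."""
    try:
        parse_vlan_list(value)
        return True
    except ValueError:
        return False


def dynamic_vlans(attrs):
    """Apply the Tunnel-Type / Tunnel-Medium-Type precondition from the page.

    attrs is a dict of already-decoded attribute names to string values
    (a constructed representation, not a wire-format RADIUS packet). Returns
    the parsed VLAN lists, or None if the reply does not carry a VLAN
    assignment the switch should honour."""
    if attrs.get("Tunnel-Type") != "VLAN" or attrs.get("Tunnel-Medium-Type") != "802":
        return None
    group_id = attrs.get("Tunnel-Private-Group-ID")
    if group_id is None:
        return None
    return parse_vlan_list(group_id)


if __name__ == "__main__":
    # constructed sample reply using the exact list shown on the page
    reply = {"Tunnel-Type": "VLAN", "Tunnel-Medium-Type": "802",
             "Tunnel-Private-Group-ID": "1u,2t,"}
    print(dynamic_vlans(reply))            # ([1], [2])
    print(is_valid_vlan_list("5x"), is_valid_vlan_list("0u"))   # False False
```

Rejecting the whole list on any bad item is deliberate: applying "1u" but silently dropping a malformed "2t" would leave the host on a different set of VLANs than the policy server intended.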
mac-authentication intrusion-action
Use this command to configure the port response to a host MAC authentication failure. Use the no form of this command to restore the default.
Syntax
mac-authentication intrusion-action {block-traffic | pass-traffic}
no mac-authentication intrusion-action
block-traffic - Blocks traffic when the authentication has failed.
pass-traffic - Allows network access when authentication has failed.
clear network-access
Use this command to clear entries from the secure MAC address table.
Syntax
clear network-access mac-address-table [static | dynamic] [address mac-address] [interface interface]
static - Specifies static address entries.
dynamic - Specifies dynamic address entries.
mac-address - Specifies a MAC address entry. (Format: xx-xx-xx-xx-xx-xx)
interface - Specifies a port interface.
Example
Console#show network-access interface ethernet 1/1
Global secure port information
 Reauthentication Time : 1800
 MAC Address Aging : Disabled
Port : 1/1
 MAC Authentication : Disable
 MAC Authentication Intrusion Action :
 MAC Authentication Maximum MAC Counts :
 Maximum MAC Counts :
 Dynamic VLAN Assignment :
 Dynamic QoS Assignment :
 MAC Filter ID :
 Guest VLAN :
 Link Detection :
 Detection Mode :
 Detection Action :
Console#
00-00-00 would result in all MACs in the range 00-00-01-00-00-00 to 00-00-01-FF-FF-FF being displayed. All other MACs would be filtered out.
Example
Console#show network-access mac-address-table
Interface  MAC Address        RADIUS Server    Time
---------  -----------------  ---------------  ------------------------
1/1        00-00-01-02-03-04  172.155.120.17   00d06h32m50s
1/1        00-00-01-02-03-05  172.155.
1/1        00-00-01-02-03-06
1/3        00-00-01-02-03-07
Web Authentication
Web authentication allows stations to authenticate and access the network in situations where 802.1X or Network Access authentication are infeasible or impractical. The web authentication feature allows unauthenticated hosts to request and receive a DHCP assigned IP address and perform DNS queries. All other traffic, except for HTTP protocol traffic, is blocked.
web-auth login-attempts
This command defines the limit for failed web authentication login attempts. After the limit is reached, the switch refuses further login attempts until the quiet time expires. Use the no form to restore the default.
Syntax
web-auth login-attempts count
no web-auth login-attempts
count - The limit of allowed failed login attempts.
web-auth session-timeout
This command defines the amount of time a web-authentication session remains valid. When the session timeout has been reached, the host is logged off and must re-authenticate itself the next time data transmission takes place. Use the no form to restore the default.
Syntax
web-auth session-timeout timeout
no web-auth session-timeout
timeout - The amount of time that an authenticated session remains valid.
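The login-attempts limit with its quiet time, and the session timeout, together form a small state machine per host: failures accumulate until the limit, the host is then refused (even with correct credentials) until the quiet time has elapsed, and a successful login produces a session that expires after session-timeout. The following is an added example in Python that models that state machine with an injected clock so it can be reasoned about deterministically; it is not code from the guide or the switch. The class name, the per-host (rather than per-port) tracking of failures, and the specific timer values used in the demo are assumptions.

```python
"""State machine for web-auth login-attempts / quiet time / session-timeout
as described in this section (added example, not the switch's own code).
Times are plain seconds supplied by the caller so the logic is testable."""


class WebAuthGate:
    """Tracks login failures, quiet periods and sessions per host IP
    (assumption: the switch tracks these per host)."""

    def __init__(self, login_attempts, quiet_period, session_timeout):
        self.login_attempts = login_attempts     # web-auth login-attempts count
        self.quiet_period = quiet_period         # quiet time after the limit is hit
        self.session_timeout = session_timeout   # web-auth session-timeout
        self.failures = {}      # host -> consecutive failed attempts
        self.quiet_until = {}   # host -> time at which attempts are accepted again
        self.sessions = {}      # host -> session expiry time

    def attempt(self, host, credentials_ok, now):
        """Process one login attempt; returns one of
        'refused' (still in quiet time), 'authenticated', 'failed', 'quiet'
        (this failure reached the limit and started the quiet time)."""
        until = self.quiet_until.get(host)
        if until is not None:
            if now < until:
                return "refused"          # limit reached earlier, quiet time not over
            del self.quiet_until[host]    # quiet time expired, accept attempts again
        if credentials_ok:
            self.failures.pop(host, None)
            self.sessions[host] = now + self.session_timeout
            return "authenticated"
        count = self.failures.get(host, 0) + 1
        if count >= self.login_attempts:
            self.failures.pop(host, None)
            self.quiet_until[host] = now + self.quiet_period
            return "quiet"
        self.failures[host] = count
        return "failed"

    def is_authenticated(self, host, now):
        """True while the host's session is valid; expiry logs the host off."""
        expiry = self.sessions.get(host)
        if expiry is None:
            return False
        if now >= expiry:
            del self.sessions[host]       # session timeout reached: must re-authenticate
            return False
        return True


if __name__ == "__main__":
    # constructed demo values; the page does not state the defaults
    gate = WebAuthGate(login_attempts=3, quiet_period=60, session_timeout=3600)
    for t in (0, 1, 2):
        print(t, gate.attempt("10.0.0.5", False, t))
    print(30, gate.attempt("10.0.0.5", True, 30))    # refused during quiet time
    print(62, gate.attempt("10.0.0.5", True, 62))    # authenticated
    print("valid at 1000:", gate.is_authenticated("10.0.0.5", 1000))
```

The point most worth checking against a real deployment is the "refused" branch: a correct password during the quiet time must not reset or shorten it, otherwise the limit gives no protection against guessing.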
web-auth
This command enables web authentication for an interface. Use the no form to restore the default.
Syntax
[no] web-auth
Default Setting
Disabled
Command Mode
Interface Configuration
Command Usage
Both web-auth system-auth-control for the switch and web-auth for a port must be enabled for the web authentication feature to be active.
web-auth re-authenticate (IP)
This command ends the web authentication session associated with the designated IP address and forces the user to re-authenticate.
Syntax
web-auth re-authenticate interface interface ip
interface - Specifies a port interface.
ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number.
show web-auth interface
This command displays interface-specific web authentication parameters and statistics.
Syntax
show web-auth interface interface
interface - Specifies a port interface.
ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number. (Range: 1-28)
Command Mode
Privileged Exec
Example
Console#show web-auth interface ethernet 1/2
Web Auth Status : Enabled
Host Summary
IP address
---------------
1.1.1.1
1.1.1.
DHCPv4 Snooping
DHCPv4 snooping allows a switch to protect a network from rogue DHCPv4 servers or other devices which send port-related information to a DHCPv4 server. This information can be useful in tracking an IP address back to a physical port. This section describes commands used to configure DHCPv4 snooping.
ip dhcp snooping
This command enables DHCP snooping globally. Use the no form to restore the default setting.
Syntax
[no] ip dhcp snooping
Default Setting
Disabled
Command Mode
Global Configuration
Command Usage
Network traffic may be disrupted when malicious DHCP messages are received from an outside source. DHCP snooping is used to filter DHCP messages received on an unsecure interface from outside the network or firewall.
■ If the DHCP packet is from a client, such as a DECLINE or RELEASE message, the switch forwards the packet only if the corresponding entry is found in the binding table.
■ If the DHCP packet is from a client, such as a DISCOVER, REQUEST, INFORM, DECLINE or RELEASE message, the packet is forwarded if MAC address verification is disabled (as specified by the ip dhcp snooping verify mac-address command).
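The two filtering rules above are the kind of logic a defender wants to see as a decision table: what happens to a DECLINE/RELEASE with no binding, and what MAC verification actually compares. The following is an added example in Python that implements those two rules, plus the trusted/untrusted port distinction from the section introduction, over constructed sample packets; it is not code from the guide or the switch. The class and field names are assumptions, as are two details the page leaves implicit: that "MAC address verification" compares the DHCP client hardware address (chaddr) with the Ethernet source address, and that server-originated messages (OFFER, ACK, NAK) arriving on an untrusted port are dropped.

```python
"""Decision logic for the DHCPv4 snooping filtering rules described in this
section (added example, not the switch's own code)."""
from dataclasses import dataclass

CLIENT_MSGS = {"DISCOVER", "REQUEST", "INFORM", "DECLINE", "RELEASE"}
NEEDS_BINDING = {"DECLINE", "RELEASE"}   # forwarded only if a binding entry exists


@dataclass(frozen=True)
class DhcpPacket:
    """Constructed, decoded view of a DHCP message; not a wire-format parser."""
    msg_type: str       # e.g. "DISCOVER", "RELEASE", "OFFER"
    src_mac: str        # Ethernet source address
    chaddr: str         # client hardware address in the DHCP header
    ingress_port: str   # e.g. "ethernet 1/5"
    vlan: int


class DhcpSnooper:
    def __init__(self, verify_mac=True, trusted_ports=()):
        self.verify_mac = verify_mac                  # ip dhcp snooping verify mac-address
        self.trusted = set(trusted_ports)             # ports facing legitimate servers
        self.bindings = {}                            # (mac, vlan) -> ingress port

    def learn(self, mac, vlan, port):
        """Record a binding; on the switch this happens when a lease is confirmed."""
        self.bindings[(mac.lower(), vlan)] = port

    def filter(self, pkt):
        """Return ('forward' | 'drop', reason) for one packet."""
        if pkt.ingress_port in self.trusted:
            return "forward", "trusted port"
        if pkt.msg_type not in CLIENT_MSGS:
            # assumption: server messages are only accepted from trusted ports
            return "drop", "server message on untrusted port"
        if self.verify_mac and pkt.src_mac.lower() != pkt.chaddr.lower():
            # assumption about what 'verify mac-address' compares
            return "drop", "chaddr does not match source MAC"
        if pkt.msg_type in NEEDS_BINDING:
            if (pkt.chaddr.lower(), pkt.vlan) not in self.bindings:
                return "drop", "no binding table entry"
        return "forward", "ok"


if __name__ == "__main__":
    snoop = DhcpSnooper(verify_mac=True, trusted_ports={"ethernet 1/1"})
    client = "00-11-22-33-44-55"
    samples = [  # constructed sample packets
        DhcpPacket("DISCOVER", client, client, "ethernet 1/5", 1),
        DhcpPacket("DISCOVER", client, "00-11-22-33-44-66", "ethernet 1/5", 1),
        DhcpPacket("RELEASE", client, client, "ethernet 1/5", 1),
        DhcpPacket("OFFER", "aa-bb-cc-dd-ee-ff", "aa-bb-cc-dd-ee-ff", "ethernet 1/5", 1),
    ]
    for p in samples:
        print(p.msg_type, p.ingress_port, snoop.filter(p))
```

A RELEASE that would be dropped before the lease is learned and forwarded afterwards is the behaviour to verify on a real switch: without that binding check, any host on an untrusted port could release another host's lease by spoofing its chaddr, and the verify mac-address setting is what makes that spoofing visible at layer 2.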
Chapter 9 | General Security Measures DHCPv4 Snooping ip dhcp snooping This command enables the use of DHCP Option 82 information for the switch, and information option specifies the frame format to use for the remote-id when Option 82 information is generated by the switch. Use the no form without any keywords to disable this function.
Chapter 9 | General Security Measures DHCPv4 Snooping This example enables the DHCP Snooping Information Option. Console(config)#ip dhcp snooping information option Console(config)# ip dhcp snooping information option encode no-subtype This command disables the use of sub-type and sub-length fields for the circuit-ID (CID) and remote-ID (RID) in Option 82 information generated by the switch. Use the no form to enable the use of these fields.
Chapter 9 | General Security Measures DHCPv4 Snooping ◆ The ip dhcp snooping information option circuit-id command can be used to modify the default settings described above. The format for TR101 option 82 is: “<access-node-identifier> eth <slot>/<port>[:<vlan-id>]”. Note that the SID (Switch ID) is always 0. By default the PVID is added to the end of the TR101 field for untagged packets. For tagged packets, the VLAN ID is always added.
Chapter 9 | General Security Measures DHCPv4 Snooping mac-address - Inserts a MAC address in the remote ID sub-option for the DHCP snooping agent (that is, the MAC address of the switch’s CPU). ip-address - Inserts an IP address in the remote ID sub-option for the DHCP snooping agent (that is, the IP address of the management interface). encode - Indicates encoding in ASCII or hexadecimal. string - An arbitrary string inserted into the remote identifier field.
Chapter 9 | General Security Measures DHCPv4 Snooping ip dhcp snooping information option tr101 board-id This command sets the board identifier used in Option 82 information based on TR-101 syntax. Use the no form to remove the board identifier. Syntax ip dhcp snooping information option tr101 board-id board-id no ip dhcp snooping information option tr101 board-id board-id – TR101 Board ID.
Chapter 9 | General Security Measures DHCPv4 Snooping Command Usage When the switch receives DHCP packets from clients that already include DHCP Option 82 information, the switch can be configured to set the action policy for these packets. The switch can either drop the DHCP packets, keep the existing information, or replace it with the switch’s relay information.
Chapter 9 | General Security Measures DHCPv4 Snooping ip dhcp snooping vlan This command enables DHCP snooping on the specified VLAN. Use the no form to restore the default setting.
Chapter 9 | General Security Measures DHCPv4 Snooping ip dhcp snooping information option circuit-id This command specifies DHCP Option 82 circuit-id suboption information. Use the no form to use the default settings. Syntax ip dhcp snooping information option circuit-id {string string | tr101 {node-identifier {ip | sysname} | no-vlan-field}} no ip dhcp snooping information option circuit-id [tr101 no-vlan-field] string - An arbitrary string inserted into the circuit identifier field.
Chapter 9 | General Security Measures DHCPv4 Snooping ■ access node identifier - ASCII string. Default is the MAC address of the switch’s CPU. This field is set by the ip dhcp snooping information option command, ■ eth - The second field is the fixed string “eth” ■ slot - The slot represents the stack unit for this system. ■ port - The port which received the DHCP request. If the packet arrives over a trunk, the value is the ifIndex of the trunk.
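The Option 82 content described by the information option commands above, and the drop/keep/replace policy for client packets that already carry Option 82, as an added example in Python that is not code from the ECS4130 reference or from Edge-core. The circuit-id text follows the field list above (access node identifier, the fixed string eth, slot, port, and the optional VLAN suffix); the byte layout of the option and its sub-options follows RFC 3046, and the way the sub-type/sub-length pair is wrapped around each value, which the encode no-subtype command turns off, is an assumption about the vendor's wire format. Function names, the remote-id kinds and the sample values are constructed for the example.

```python
OPTION_82 = 82          # DHCP relay agent information option, RFC 3046
SUB_CIRCUIT_ID = 1      # Agent Circuit ID sub-option
SUB_REMOTE_ID = 2       # Agent Remote ID sub-option


def tr101_circuit_id(node_id, slot, port, vlan=None, no_vlan_field=False):
    """Circuit-id text '<access-node-id> eth <slot>/<port>[:<vlan>]'.
    no_vlan_field models the no-vlan-field keyword (assumed to drop ':<vlan>')."""
    text = f"{node_id} eth {slot}/{port}"
    if vlan is not None and not no_vlan_field:
        text += f":{vlan}"
    return text.encode("ascii")


def remote_id_value(kind, value, encode="ascii"):
    """remote-id content for the mac-address, ip-address and string forms."""
    if kind == "mac-address":
        return bytes.fromhex(value.replace(":", "").replace("-", ""))
    if kind == "ip-address":
        return bytes(int(octet) for octet in value.split("."))
    if kind == "string":
        return value.encode("ascii") if encode == "ascii" else bytes.fromhex(value)
    raise ValueError(f"unknown remote-id kind {kind!r}")


def sub_option(code, value, subtype=True):
    """One Option 82 sub-option. With subtype=True the value is preceded by a
    sub-type byte (0) and a sub-length byte; encode no-subtype sends it raw."""
    inner = bytes([0, len(value)]) + value if subtype else value
    return bytes([code, len(inner)]) + inner


def build_option82(cid, rid, subtype=True):
    """Complete Option 82 TLV carrying a circuit-id and a remote-id."""
    body = sub_option(SUB_CIRCUIT_ID, cid, subtype) + sub_option(SUB_REMOTE_ID, rid, subtype)
    return bytes([OPTION_82, len(body)]) + body


def parse_option82(tlv, subtype=True):
    """Inverse of build_option82; returns {sub-option code: value}."""
    if tlv[0] != OPTION_82 or tlv[1] != len(tlv) - 2:
        raise ValueError("not a well-formed Option 82 TLV")
    out, i = {}, 2
    while i < len(tlv):
        code, length = tlv[i], tlv[i + 1]
        value = tlv[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated sub-option")
        if subtype:
            value = value[2:2 + value[1]]   # strip the sub-type/sub-length pair
        out[code] = value
        i += 2 + length
    return out


def apply_policy(options, policy, generated):
    """The drop/keep/replace policy for a client packet. `options` maps DHCP
    option code to value; returns the new mapping, or None when dropped."""
    if OPTION_82 not in options:
        return {**options, OPTION_82: generated}   # no existing Option 82: insert ours
    if policy == "drop":
        return None
    if policy == "keep":
        return options
    if policy == "replace":
        return {**options, OPTION_82: generated}
    raise ValueError(f"unknown policy {policy!r}")
```

The security point sits in apply_policy: with keep, a client can supply its own circuit-id and the DHCP server will trust a port identity the switch never verified, so keep is only appropriate behind another trusted relay; drop or replace is the safer default on access ports.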
Chapter 9 | General Security Measures DHCPv4 Snooping Example This example sets the maximum number of DHCP clients supported on port 1 to 2. Console(config)#interface ethernet 1/1 Console(config-if)#ip dhcp snooping max-number 2 Console(config-if)# ip dhcp snooping trust This command configures the specified interface as trusted. Use the no form to restore the default setting.
Chapter 9 | General Security Measures DHCPv4 Snooping Related Commands ip dhcp snooping (312) ip dhcp snooping vlan (320) clear ip dhcp snooping binding This command clears DHCP snooping binding table entries from RAM. Use this command without any optional keywords to clear all entries from the binding table. Syntax clear ip dhcp snooping binding [mac-address vlan vlan-id] mac-address - Specifies a MAC address entry.
Chapter 9 | General Security Measures DHCPv4 Snooping Example Console#ip dhcp snooping database flash Console# show ip dhcp This command shows the DHCP snooping configuration settings.
Chapter 9 | General Security Measures DHCPv6 Snooping DHCPv6 Snooping DHCPv6 snooping allows a switch to protect a network from rogue DHCPv6 servers or other devices which send port-related information to a DHCPv6 server. This information can be useful in tracking an IP address back to a physical port. This section describes commands used to configure DHCPv6 snooping.
Chapter 9 | General Security Measures DHCPv6 Snooping wall. When DHCPv6 snooping is enabled globally by this command, and enabled on a VLAN interface by the ipv6 dhcp snooping vlan command, DHCP messages received on an untrusted interface (as specified by the no ipv6 dhcp snooping trust command) from a device not listed in the DHCPv6 snooping table will be dropped. ◆ When enabled, DHCPv6 messages entering an untrusted interface are filtered based upon dynamic entries learned via DHCPv6 snooping.
Chapter 9 | General Security Measures DHCPv6 Snooping DHCP Server Packet ■ If a DHCP server packet is received on an untrusted port, drop this packet and add a log entry in the system. ■ If a DHCPv6 Reply packet is received from a server on a trusted port, it will be processed in the following manner: a. Check if the IPv6 address in the IA option is found in the binding table: ■ If yes, continue to step c. ■ If not, continue to step b. b.
Chapter 9 | General Security Measures DHCPv6 Snooping Example This example enables DHCPv6 snooping globally for the switch. Console(config)#ipv6 dhcp snooping Console(config)# Related Commands ipv6 dhcp snooping vlan (331) ipv6 dhcp snooping trust (332) ipv6 dhcp snooping option remote-id This command enables the insertion of remote-id option 37 information into DHCPv6 client messages.
Chapter 9 | General Security Measures DHCPv6 Snooping remove option 37 information in incoming DHCPv6 packets. Packets are processed as follows: ◆ If an incoming packet is a DHCPv6 request packet with option 37 information, it will modify the option 37 information according to the settings specified with the ipv6 dhcp snooping option remote-id policy command.
Chapter 9 | General Security Measures DHCPv6 Snooping these packets. The switch can either drop the DHCPv6 packets, keep the existing information, or replace it with the switch’s relay agent information. Example This example configures the switch to keep existing remote-id option 37 information within DHCPv6 client packets and forward it. Console(config)#ipv6 dhcp snooping option remote-id policy keep Console(config)# ipv6 dhcp snooping vlan This command enables DHCPv6 snooping on the specified VLAN.
Chapter 9 | General Security Measures DHCPv6 Snooping Related Commands ipv6 dhcp snooping (326) ipv6 dhcp snooping trust (332) ipv6 dhcp snooping max-binding This command sets the maximum number of entries which can be stored in the binding database for an interface. Use the no form to restore the default setting. Syntax ipv6 dhcp snooping max-binding count no ipv6 dhcp snooping max-binding count - Maximum number of entries.
Chapter 9 | General Security Measures DHCPv6 Snooping ◆ When DHCPv6 snooping is enabled globally using the ipv6 dhcp snooping command, and enabled on a VLAN with ipv6 dhcp snooping vlan command, DHCPv6 packet filtering will be performed on any untrusted ports within the VLAN according to the default status, or as specifically configured for an interface with the no ipv6 dhcp snooping trust command.
Chapter 9 | General Security Measures DHCPv6 Snooping clear ipv6 dhcp snooping statistics This command clears statistical counters for DHCPv6 snooping client, server and relay packets. Command Mode Privileged Exec Example Console#clear ipv6 dhcp snooping statistics Console# show ipv6 dhcp This command shows the DHCPv6 snooping configuration settings.
Chapter 9 | General Security Measures IPv4 Source Guard
IPv6 Address     Lifetime   VLAN  Port     Type
---------------  ---------  ----  -------  ----
2001:b000::1     2591912    1     Eth 1/3  NA
Console#
show ipv6 dhcp snooping statistics This command shows statistics for DHCPv6 snooping client, server and relay packets.
Chapter 9 | General Security Measures IPv4 Source Guard
Table 63: IPv4 Source Guard Commands (Continued)
Command                       Function                                                             Mode
show ip source-guard          Shows whether source guard is enabled or disabled on each interface  PE
show ip source-guard binding  Shows the source guard binding table                                 PE
ip source-guard binding This command adds a static address to the source-guard ACL or MAC address binding table. Use the no form to remove a static entry.
Chapter 9 | General Security Measures IPv4 Source Guard ◆ When source guard is enabled, traffic is filtered based upon dynamic entries learned via DHCP snooping, or static addresses configured in the source guard binding table with this command. ◆ An entry with same MAC address and a different VLAN ID cannot be added to the binding table.
Chapter 9 | General Security Measures IPv4 Source Guard ip source-guard This command configures the switch to filter inbound traffic based on source IP address, or source IP address and corresponding MAC address. Use the no form to disable this function. Syntax ip source-guard {sip | sip-mac} no ip source-guard sip - Filters traffic based on IP addresses stored in the binding table. sip-mac - Filters traffic based on IP addresses and corresponding MAC addresses stored in the binding table.
Chapter 9 | General Security Measures IPv4 Source Guard the sip-mac option). If a matching entry is found in the binding table and the entry type is static IP source guard binding, the packet will be forwarded. ■ If the DHCP snooping is enabled, IP source guard will check the VLAN ID, source IP address, port number, and source MAC address (for the sip-mac option).
Chapter 9 | General Security Measures IPv4 Source Guard Command Mode Interface Configuration (Ethernet) Command Usage ◆ This command sets the maximum number of address entries that can be mapped to an interface in the binding table for the specified mode (ACL binding table or MAC address table) including dynamic entries discovered by DHCP snooping and static entries set by the ip source-guard command. ◆ The maximum binding for ACL mode restricts the number of “active” entries per port.
Chapter 9 | General Security Measures IPv4 Source Guard Command Usage There are two modes for the filtering table: ◆ ACL - IP traffic will be forwarded if it passes the checking process in the ACL mode binding table. ◆ MAC - A MAC entry will be added in MAC address table if IP traffic passes the checking process in MAC mode binding table.
Chapter 9 | General Security Measures IPv4 Source Guard Example
Console#show ip source-guard
Interface  Filter-type  Filter-table  ACL Table Max-binding  MAC Table Max-binding
---------  -----------  ------------  ---------------------  ---------------------
Eth 1/1    DISABLED     ACL           5                      1024
Eth 1/2    DISABLED     ACL           5                      1024
Eth 1/3    DISABLED     ACL           5                      1024
Eth 1/4    DISABLED     ACL           5                      1024
Eth 1/5    DISABLED     ACL           5                      1024
. . .
show ip source-guard binding This command shows the source guard binding table.
Chapter 9 | General Security Measures IPv6 Source Guard IPv6 Source Guard IPv6 Source Guard is a security feature that filters IPv6 traffic on non-routed, Layer 2 network interfaces based on manually configured entries in the IPv6 Source Guard table, or dynamic entries in the Neighbor Discovery Snooping table or DHCPv6 Snooping table when either snooping protocol is enabled (see “DHCPv6 Snooping” on page 326).
Chapter 9 | General Security Measures IPv6 Source Guard Default Setting No configured entries Command Mode Global Configuration Command Usage ◆ Table entries include an associated MAC address, IPv6 global unicast address, entry type (Static-IPv6-SG-Binding, Dynamic-ND-Snooping, Dynamic-DHCPv6Snooping), VLAN identifier, and port identifier. ◆ Traffic filtering is based only on the source IPv6 address, VLAN ID, and port number.
Chapter 9 | General Security Measures IPv6 Source Guard ipv6 dhcp snooping (326) ipv6 dhcp snooping vlan (331) ipv6 source-guard This command configures the switch to filter inbound traffic based on the source IP address stored in the binding table. Use the no form to disable this function.
Chapter 9 | General Security Measures IPv6 Source Guard ◆ Filtering rules are implemented as follows: ■ If ND snooping and DHCPv6 snooping are disabled, IPv6 source guard will check the VLAN ID, source IPv6 address, and port number. If a matching entry is found in the binding table and the entry type is static IPv6 source guard binding, the packet will be forwarded. ■ If ND snooping or DHCPv6 snooping is enabled, IPv6 source guard will check the VLAN ID, source IP address, and port number.
Chapter 9 | General Security Measures IPv6 Source Guard Command Mode Interface Configuration (Ethernet) Command Usage ◆ This command sets the maximum number of address entries that can be mapped to an interface in the binding table, including both dynamic entries discovered by ND snooping, DHCPv6 snooping, and static entries set by the ipv6 source-guard command. ◆ IPv6 source guard maximum bindings must be set to a value higher than DHCPv6 snooping maximum bindings and ND snooping maximum bindings.
Chapter 9 | General Security Measures ARP Inspection Eth 1/5 Eth 1/6 . . . SIP Disabled 1 5 show ipv6 source-guard binding This command shows the IPv6 source guard binding table. Syntax show ipv6 source-guard binding [dynamic | static] dynamic - Shows dynamic entries configured with ND Snooping or DHCPv6 Snooping commands (see page 326) static - Shows static entries configured with the ipv6 source-guard binding command.
Chapter 9 | General Security Measures ARP Inspection This section describes commands used to configure ARP Inspection.
Chapter 9 | General Security Measures ARP Inspection ◆ When ARP Inspection is enabled globally and enabled on selected VLANs, all ARP request and reply packets on those VLANs are redirected to the CPU and their switching is handled by the ARP Inspection engine. ◆ When ARP Inspection is disabled globally, it becomes inactive for all VLANs, including those where ARP Inspection is enabled.
Chapter 9 | General Security Measures ARP Inspection Command Usage ◆ ARP ACLs are configured with the commands described under “ARP ACLs” on page 388. ◆ If static mode is enabled, the switch compares ARP packets to the specified ARP ACLs. Packets matching an IP-to-MAC address binding in a permit or deny rule are processed accordingly. Packets not matching any of the ACL rules are dropped. Address bindings in the DHCP snooping database are not checked.
Chapter 9 | General Security Measures ARP Inspection ◆ If multiple, identical invalid ARP packets are received consecutively on the same VLAN, then the logging facility will only generate one entry in the log buffer and one corresponding system message. ◆ The maximum number of entries that can be stored in the log buffer is determined by the message-number parameter. If the log buffer fills up before a message is sent, the oldest entry will be replaced with the newest one.
Chapter 9 | General Security Measures ARP Inspection Command Usage By default, ARP Inspection only checks the IP-to-MAC address bindings specified in an ARP ACL or in the DHCP Snooping database. Example Console(config)#ip arp inspection validate dst-mac Console(config)# ip arp inspection vlan This command enables ARP Inspection for a specified VLAN or range of VLANs. Use the no form to disable this function. Syntax [no] ip arp inspection vlan {vlan-id | vlan-range} vlan-id - VLAN ID.
Chapter 9 | General Security Measures ARP Inspection Example Console(config)#ip arp inspection vlan 1,2 Console(config)# ip arp inspection limit This command sets a rate limit for the ARP packets received on a port. Use the no form to restore the default setting. Syntax ip arp inspection limit {rate pps | none} no ip arp inspection limit pps - The maximum number of ARP packets that can be processed by the CPU per second on trusted or untrusted ports.
Chapter 9 | General Security Measures ARP Inspection Command Mode Interface Configuration (Port, Static Aggregation) Command Usage Packets arriving on untrusted ports are subject to any configured ARP Inspection and additional validation checks. Packets arriving on trusted ports bypass all of these checks, and are forwarded according to normal switching rules.
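The ARP Inspection ordering described above (trusted ports bypass everything; ARP ACL first; the DHCP snooping bindings only when static mode is off; optional validate checks; a per-port rate limit), together with the ip source-guard sip and sip-mac filtering rules from earlier in this chapter, as an added Python model that is not code from the ECS4130 reference or from Edge-core. Both features are shown consuming the same binding table. The ARP ACL rule shape, the packet structures, the port names and the set of validate checks modelled (src-mac, dst-mac, ip) are assumptions for the example; the reference above only shows validate dst-mac.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:
    """IP-to-MAC binding learned by DHCP snooping or added statically."""
    ip: str
    mac: str
    vlan: int
    port: str


@dataclass
class ArpPacket:
    op: str           # "request" or "reply"
    sender_ip: str
    sender_mac: str
    target_ip: str
    target_mac: str
    eth_src: str      # Ethernet header addresses, used by the validate checks
    eth_dst: str
    vlan: int
    in_port: str


def acl_lookup(rules, pkt):
    """ARP ACL rules are (action, ip, mac) with 'any' wildcards, checked in
    order against the sender binding. None means no rule matched."""
    for action, ip, mac in rules:
        if ip in ("any", pkt.sender_ip) and mac in ("any", pkt.sender_mac):
            return action
    return None


def bad_ip(addr):
    """Assumed 'validate ip' set: 0.0.0.0, 255.255.255.255 and multicast."""
    a = ipaddress.IPv4Address(addr)
    return a == ipaddress.IPv4Address("0.0.0.0") or a == ipaddress.IPv4Address("255.255.255.255") or a.is_multicast


def arp_inspect(pkt, *, trusted_ports, bindings, acl=None, static=False, validate=()):
    """Return 'forward' or 'drop' for one ARP packet."""
    if pkt.in_port in trusted_ports:
        return "forward"                       # trusted ports bypass all checks
    if "src-mac" in validate and pkt.eth_src != pkt.sender_mac:
        return "drop"
    if "dst-mac" in validate and pkt.op == "reply" and pkt.eth_dst != pkt.target_mac:
        return "drop"
    if "ip" in validate and (bad_ip(pkt.sender_ip) or (pkt.op == "reply" and bad_ip(pkt.target_ip))):
        return "drop"
    if acl is not None:
        verdict = acl_lookup(acl, pkt)
        if verdict is not None:
            return "forward" if verdict == "permit" else "drop"
        if static:
            return "drop"                      # static mode: ACL miss drops, bindings unused
    wanted = Binding(pkt.sender_ip, pkt.sender_mac, pkt.vlan, pkt.in_port)
    return "forward" if wanted in bindings else "drop"


def source_guard(src_ip, src_mac, vlan, port, bindings, mode):
    """ip source-guard sip checks VLAN, source IP and port; sip-mac also
    requires the source MAC to match the binding entry."""
    for b in bindings:
        if b.ip == src_ip and b.vlan == vlan and b.port == port and (mode == "sip" or b.mac == src_mac):
            return "forward"
    return "drop"


class ArpRateLimiter:
    """ip arp inspection limit rate <pps>: per-port count within each second."""

    def __init__(self, pps):
        self.pps = pps
        self.seen = defaultdict(int)           # (port, whole second) -> packets

    def allow(self, port, now):
        key = (port, int(now))
        self.seen[key] += 1
        return self.seen[key] <= self.pps
```

The static-mode branch is the one to get right: with static enabled, a host that obtained its lease through DHCP snooping is still dropped unless an ARP ACL rule permits it, so static mode is only suitable where every legitimate binding is listed in the ACL.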
Chapter 9 | General Security Measures ARP Inspection Example
Console#show ip arp inspection interface ethernet 1/1
Port Number   Trust Status   Rate Limit (pps)
------------  -------------  ----------------
Eth 1/1       Trusted        150
Console#
show ip arp inspection log This command shows information about entries stored in the log, including the associated VLAN, port, and address components.
Chapter 9 | General Security Measures Denial of Service Protection show ip arp inspection vlan This command shows the configuration settings for VLANs, including ARP Inspection status, the ARP ACL name, and if the DHCP Snooping database is used after ARP ACL validation is completed. Syntax show ip arp inspection vlan [vlan-id | vlan-range] vlan-id - VLAN ID.
Chapter 9 | General Security Measures Denial of Service Protection
Table 66: DoS Protection Commands (Continued)
Command                           Function                                                                           Mode
dos-protection tcp-syn-fin-scan   Protects against DoS TCP-SYN/FIN-scan attacks                                      GC
dos-protection tcp-udp-port-zero  Protects against attacks which set the Layer 4 source or destination port to zero  GC
dos-protection tcp-xmas-scan      Protects against DoS TCP-XMAS-scan attacks                                         GC
dos-protection udp-flooding       Protects against DoS UDP-flooding attacks                                          GC
dos-protection
Chapter 9 | General Security Measures Denial of Service Protection Default Setting Disabled Command Mode Global Configuration Example Console(config)#dos-protection land Console(config)# dos-protection smurf This command protects against DoS smurf attacks in which a perpetrator generates a large amount of spoofed ICMP Echo Request traffic to the broadcast destination IP address (255.255.255.255), all of which uses a spoofed source address of the intended victim.
Chapter 9 | General Security Measures Denial of Service Protection rate – Maximum allowed rate. (Range: 64-2000 kbits/second) Default Setting Disabled, 1000 kbits/second Command Mode Global Configuration Example Console(config)#dos-protection tcp-flooding bit-rate-in-kilo 65 Console(config)# dos-protection tcp-null-scan This command protects against DoS TCP-null-scan attacks in which a TCP NULL scan message is used to identify listening TCP ports.
Chapter 9 | General Security Measures Denial of Service Protection Default Setting Disabled Command Mode Global Configuration Example Console(config)#dos-protection tcp-syn-fin-scan Console(config)# dos-protection tcp-udp-port-zero This command protects against DoS attacks in which the TCP or UDP source port or destination port is set to zero. This technique may be used as a form of DoS attack, or it may just indicate a problem with the source device.
Chapter 9 | General Security Measures Denial of Service Protection Example Console(config)#dos-protection tcp-xmas-scan Console(config)# dos-protection udp-flooding This command protects against DoS UDP-flooding attacks in which a perpetrator sends a large number of UDP packets (with or without a spoofed source IP) to random ports on a remote host. For each packet the target checks whether an application is listening on that port and, when none is, replies with an ICMP Destination Unreachable packet, so the flood consumes both CPU and outbound bandwidth on the victim.
Chapter 9 | General Security Measures Port-based Traffic Segmentation rate – Maximum allowed rate. (Range: 64-2000 kbits/second) Default Setting Disabled, 1000 kbits/second Command Mode Global Configuration Example Console(config)#dos-protection win-nuke bit-rate-in-kilo 65 Console(config)# show dos-protection This command shows the configuration settings for the DoS protection commands.
Chapter 9 | General Security Measures Port-based Traffic Segmentation
Table 67: Commands for Configuring Traffic Segmentation
Command                                Function                                                                                              Mode
traffic-segmentation                   Enables traffic segmentation                                                                          GC
traffic-segmentation session           Creates a client session                                                                              GC
traffic-segmentation uplink/downlink   Configures uplink/downlink ports for client sessions                                                  GC
traffic-segmentation uplink-to-uplink  Specifies whether or not traffic can be forwarded between uplink ports assigned to different client sessions
Chapter 9 | General Security Measures Port-based Traffic Segmentation
Table 68: Traffic Segmentation Forwarding (Continued)
Source                     | Destination: Session #1 Downlinks | Session #1 Uplinks    | Session #2 Downlinks | Session #2 Uplinks | Normal Ports
Session #2 Downlink Ports  | Blocking                          | Blocking              | Blocking             | Forwarding         | Blocking
Session #2 Uplink Ports    | Blocking                          | Blocking/Forwarding*  | Forwarding           | Forwarding         | Forwarding
Normal Ports               | Forwarding                        | Forwarding            | Forwarding           | Forwarding         | Forwarding
* The forwarding stat
Chapter 9 | General Security Measures Port-based Traffic Segmentation ◆ Using the no form of this command will remove any assigned uplink or downlink ports, restoring these interfaces to normal operating mode. Example Console(config)#traffic-segmentation session 1 Console(config)# traffic-segmentation uplink/downlink This command configures the uplink and downlink ports for a segmented group of ports. Use the no form to remove a port from the segmented group.
Chapter 9 | General Security Measures Port-based Traffic Segmentation ◆ If a downlink port is not configured for the session, the assigned uplink ports will operate as normal ports. Example This example enables traffic segmentation, and then sets port 10 as the uplink and ports 5-8 as downlinks.
Chapter 9 | General Security Measures Port-based Traffic Segmentation show traffic-segmentation This command displays the configured traffic segments. Syntax show traffic-segmentation [session session-id] session-id – Traffic segmentation session.
10 Access Control Lists Access Control Lists (ACL) provide packet filtering for IPv4 frames (based on address, protocol, Layer 4 protocol port number or TCP control code), IPv6 frames (based on address, DSCP traffic class, or next header type), or any frames (based on MAC address or Ethernet type). To filter packets, first create an access list, add the required rules, and then bind the list to a specific port. This section describes the Access Control List commands.
Chapter 10 | Access Control Lists IPv4 ACLs access-list ip This command adds an IP access list and enters configuration mode for standard or extended IPv4 ACLs. Use the no form to remove the specified ACL. Syntax [no] access-list ip {standard | extended} acl-name standard – Specifies an ACL that filters packets based on the source IP address. extended – Specifies an ACL that filters packets based on the source or destination IP address, and other more specific criteria. acl-name – Name of the ACL.
Chapter 10 | Access Control Lists IPv4 ACLs bitmask – Dotted decimal number representing the address bits to match. host – Keyword followed by a specific IP address. time-range-name - Name of the time range. (Range: 1-32 characters) Default Setting None Command Mode Standard IPv4 ACL Command Usage ◆ New rules are appended to the end of the list. ◆ Address bit masks are similar to a subnet mask, containing four integers from 0 to 255, each separated by a period.
Chapter 10 | Access Control Lists IPv4 ACLs [precedence precedence] [dscp dscp] [source-port sport [bitmask]] [destination-port dport [port-bitmask]] {permit | deny} [icmp | tcp | udp ] {any | source address-bitmask | host source} {any | destination address-bitmask | host destination} [precedence precedence] [dscp dscp] [source-port sport [bitmask]] [destination-port dport [port-bitmask]] [icmp-type icmp-type] [control-flag control-flags flag-bitmask] [time-range time-range-name] no {permit | deny} [icmp |
Chapter 10 | Access Control Lists IPv4 ACLs Command Mode Extended IPv4 ACL Command Usage ◆ All new rules are appended to the end of the list. ◆ Address bit masks are similar to a subnet mask, containing four integers from 0 to 255, each separated by a period. The binary mask uses 1 bits to indicate “match” and 0 bits to indicate “ignore.
Chapter 10 | Access Control Lists IPv4 ACLs This permits all TCP packets from class C addresses 192.168.1.0 with the TCP control code set to “SYN.” The flag-bitmask 2 examines only the SYN bit, so segments with SYN and ACK both set also match; use a wider bitmask if other flag bits must be clear. Console(config-ext-acl)#permit tcp 192.168.1.0 255.255.255.0 any control-flag 2 2 Console(config-ext-acl)# Related Commands access-list ip (370) Time Range (166) ip access-group This command binds an IPv4 ACL to a port. Use the no form to remove the port.
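The match semantics the extended IPv4 ACL text describes, as an added Python example that is not code from the ECS4130 reference or from Edge-core: dotted-decimal address bitmasks where 1 bits mean match and 0 bits mean ignore, the same masked comparison for ports and for control-flag/flag-bitmask, and first-match evaluation in rule order. The Rule class, the packet dictionary layout and the sample rules (built from the SYN and destination-port rules shown in this chapter) are assumptions for the example; the switch's treatment of traffic that matches no rule is not stated in this section, so evaluate returns None in that case.

```python
import ipaddress
from dataclasses import dataclass

# TCP flag bit values, as used by the control-flag decimal arguments.
TCP_FLAGS = {"FIN": 1, "SYN": 2, "RST": 4, "PSH": 8, "ACK": 16, "URG": 32}


@dataclass
class Rule:
    action: str                 # "permit" or "deny"
    proto: str = "any"          # "any", "tcp", "udp" or "icmp"
    src: str = "any"            # "any", "host A.B.C.D" or "A.B.C.D M.M.M.M"
    dst: str = "any"
    dport: tuple = None         # (port, port-bitmask)
    control_flag: tuple = None  # (control-flags, flag-bitmask), TCP only


def addr_match(spec, addr):
    """Address bitmask semantics: 1 bits must match, 0 bits are ignored."""
    if spec == "any":
        return True
    words = spec.split()
    a = int(ipaddress.IPv4Address(addr))
    if words[0] == "host":
        return a == int(ipaddress.IPv4Address(words[1]))
    net, mask = (int(ipaddress.IPv4Address(w)) for w in words)
    return (a & mask) == (net & mask)


def masked_match(spec, value):
    """Port and control-flag comparison under a bitmask, same convention."""
    if spec is None:
        return True
    want, mask = spec
    return (value & mask) == (want & mask)


def rule_matches(rule, pkt):
    """pkt keys: proto, src, dst, and optionally dport and flags."""
    if rule.proto != "any" and rule.proto != pkt["proto"]:
        return False
    if not addr_match(rule.src, pkt["src"]) or not addr_match(rule.dst, pkt["dst"]):
        return False
    if not masked_match(rule.dport, pkt.get("dport", 0)):
        return False
    if rule.control_flag is not None:
        if pkt["proto"] != "tcp":
            return False
        if not masked_match(rule.control_flag, pkt.get("flags", 0)):
            return False
    return True


def evaluate(acl, pkt):
    """First matching rule decides; rules are appended in the order entered."""
    for rule in acl:
        if rule_matches(rule, pkt):
            return rule.action
    return None
```

The control-flag test shows the caveat that matters when such a rule is meant to admit only connection attempts: control-flag 2 2 admits SYN/ACK as well, while control-flag 2 63 requires every other flag bit to be clear.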
Chapter 10 | Access Control Lists IPv4 ACLs show ip access-group This command shows the ports assigned to IP ACLs. Command Mode Privileged Exec Example Console#show ip access-group Interface ethernet 1/2 IP access-list david in Console# show ip access-list This command displays the rules for configured IPv4 ACLs. Syntax show ip access-list {standard | extended} [acl-name] standard – Specifies a standard IP ACL. extended – Specifies an extended IP ACL. acl-name – Name of the ACL.
Chapter 10 | Access Control Lists IPv6 ACLs IPv6 ACLs The commands in this section configure ACLs based on IPv6 addresses, DSCP traffic class, or next header type. To configure IPv6 ACLs, first create an access list containing the required permit or deny rules, and then bind the access list to one or more ports.
Chapter 10 | Access Control Lists IPv6 ACLs ◆ An ACL can contain up to 64 rules. Example Console(config)#access-list ipv6 standard david Console(config-std-ipv6-acl)# Related Commands permit, deny (Standard IPv6 ACL) (377) permit, deny (Extended IPv6 ACL) (378) ipv6 access-group (380) show ipv6 access-list (381) permit, deny (Standard IPv6 ACL) This command adds a rule to a Standard IPv6 ACL. The rule sets a filter condition for packets emanating from the specified source.
Chapter 10 | Access Control Lists IPv6 ACLs Example This example configures one permit rule for the specific address 2009:DB9:2229::79 and another rule for the addresses with the network prefix 2009:DB9:2229:5::/64. Console(config-std-ipv6-acl)#permit host 2009:DB9:2229::79 Console(config-std-ipv6-acl)#permit 2009:DB9:2229:5::/64 Console(config-std-ipv6-acl)# Related Commands access-list ipv6 (376) Time Range (166) permit, deny This command adds a rule to an Extended IPv6 ACL.
Chapter 10 | Access Control Lists IPv6 ACLs be used in the address to indicate the appropriate number of zeros required to fill the undefined fields. destination-ipv6-address - An IPv6 destination address or network class. The address must be formatted according to RFC 2373 “IPv6 Addressing Architecture,” using 8 colon-separated 16-bit hexadecimal values. One double colon may be used in the address to indicate the appropriate number of zeros required to fill the undefined fields.
Chapter 10 | Access Control Lists IPv6 ACLs Example This example accepts any incoming packets if the destination address is 2009:db90:2229::79/8. Because the prefix length is 8, only the first eight bits of the destination address are compared, so the rule matches any address in 2000::/8 rather than this one host. Console(config-ext-ipv6-acl)#permit any 2009:db90:2229::79/8 Console(config-ext-ipv6-acl)# This allows packets to any destination address when the DSCP value is 5. Console(config-ext-ipv6-acl)#permit any any dscp 5 Console(config-ext-ipv6-acl)# This allows any packets sent from any source to any destination when the next header is 43.
Chapter 10 | Access Control Lists IPv6 ACLs Command Usage If a port is already bound to an ACL and you bind it to a different ACL, the switch will replace the old binding with the new one. Example Console(config)#interface ethernet 1/2 Console(config-if)#ipv6 access-group standard david in Console(config-if)# Related Commands show ipv6 access-list (381) Time Range (166) show ipv6 This command shows the ports assigned to IPv6 ACLs.
Chapter 10 | Access Control Lists MAC ACLs permit 2009:DB9:2229:5::/64 Console# Related Commands permit, deny (Standard IPv6 ACL) (377) permit, deny (Extended IPv6 ACL) (378) ipv6 access-group (380) MAC ACLs The commands in this section configure ACLs based on hardware addresses, packet format, and Ethernet type. The ACLs can further specify optional IP and IPv6 addresses including protocol type and upper layer ports.
Chapter 10 | Access Control Lists MAC ACLs Command Usage ◆ When you create a new ACL or enter configuration mode for an existing ACL, use the permit or deny command to add new rules to the bottom of the list. ◆ To remove a rule, use the no permit or no deny command followed by the exact text of a previously configured rule. ◆ An ACL can contain up to 1024 rules.
Chapter 10 | Access Control Lists MAC ACLs [ethertype ethertype [ethertype-bitmask]] [protocol protocol] [l4-source-port sport [port-bitmask]] [l4-destination-port dport [port-bitmask]] Note: The default is for Ethernet II packets.
Chapter 10 | Access Control Lists MAC ACLs no {permit | deny} untagged-eth2 {any | host source | source address} {any | host destination | destination address} [ip {any | host source-ip | source-ip network-mask} {any | host destination-ip | destination-ip network-mask}] [ipv6 {any | host source-ipv6 | source-ipv6/prefix-length} {any | host destination-ipv6 | destination-ipv6/prefix-length}] [ethertype ethertype [ethertype-bitmask]] [protocol protocol] [l4-source-port sport [port-bitmask]] [l4-destination-p
Chapter 10 | Access Control Lists MAC ACLs vid – VLAN ID. (Range: 1-4094) vid-bitmask – VLAN bitmask. (Range: 1-4095) ethertype – A specific Ethernet protocol number. (Range: 0-ffff hex) ethertype-bitmask – Protocol bitmask. (Range: 0-ffff hex) protocol - IP protocol or IPv6 next header. (Range: 0-255) For information on next headers, see permit, deny (Extended IPv6 ACL). sport – Protocol source port number. (Range: 0-65535) dport – Protocol destination port number.
Chapter 10 | Access Control Lists MAC ACLs mac access-group This command binds a MAC ACL to a port. Use the no form to remove the port. Syntax mac access-group acl-name {in | out} [time-range time-range-name] [counter] no mac access-group acl-name {in | out} acl-name – Name of the ACL. (Maximum length: 32 characters) in – Indicates that this list applies to ingress packets. out – Indicates that this list applies to egress packets. time-range-name - Name of the time range.
Chapter 10 | Access Control Lists ARP ACLs Related Commands mac access-group (387) show mac access-list This command displays the rules for configured MAC ACLs. Syntax show mac access-list [acl-name] acl-name – Name of the ACL.
Chapter 10 | Access Control Lists ARP ACLs acl-name – Name of the ACL. (Maximum length: 32 characters) Default Setting None Command Mode Global Configuration Command Usage ◆ When you create a new ACL or enter configuration mode for an existing ACL, use the permit or deny command to add new rules to the bottom of the list. To create an ACL, you must add at least one rule to the list. ◆ To remove a rule, use the no permit or no deny command followed by the exact text of a previously configured rule.
Chapter 10 | Access Control Lists ARP ACLs {any | host destination-ip | destination-ip ip-address-bitmask} mac {any | host source-mac | source-mac mac-address-bitmask} [any | host destination-mac | destination-mac mac-address-bitmask] [log] source-ip – Source IP address. destination-ip – Destination IP address with bitmask. ip-address-bitmask – IPv4 number representing the address bits to match. source-mac – Source MAC address. destination-mac – Destination MAC address range with bitmask.
Chapter 10 | Access Control Lists ACL Information Example Console#show access-list arp ARP access-list factory: permit response ip any 192.168.0.0 255.255.0.0 mac any any Console# Related Commands permit, deny (389) ACL Information This section describes commands used to display ACL information.
Chapter 10 | Access Control Lists ACL Information show access-group This command shows the port assignments of ACLs. Command Mode Privileged Exec Example Console#show access-group Interface ethernet 1/1 IP access-list ex1 in IP access-list ex1 out Interface ethernet 1/2 IPv6 access-list i6ex in IPv6 access-list i6ex out Console# show access-list This command shows all ACLs and associated rules.
Chapter 10 | Access Control Lists ACL Information permit TCP 192.168.1.0 255.255.255.0 any destination-port 80 permit TCP 192.168.1.0 255.255.255.0 any control-flag 2 2 permit 10.7.1.1 255.255.255.0 any MAC access-list jerry: permit any host 00-30-29-94-34-de ethertype 800 800 permit any any VID 1 ethertype 0000 cos 1 1 IP extended access-list A6: permit any any DSCP 5 permit any any next-header 43 permit any 2009:db90:2229::79/8 ARP access-list arp1: permit response ip any 192.168.0.0 255.255.0.
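The show access-group and show access-list output above is the only record of which ACLs actually protect which ports, so a review of a switch's ACL posture usually starts by cross-checking the two. The following Python script is an added example for this guide (it is not part of the switch software or the original page): it parses the two outputs in the format shown above and reports ACLs that are defined but bound to no port, bindings that name an ACL that no longer exists, and rules that reduce to an unqualified permit any any. The sample output is constructed for the example; the ACL names, the interface ethernet 1/2 binding to a missing MAC ACL "ghost", and the "IPv6 extended access-list" header are illustrative. ARP ACLs are skipped in the unbound check because they are applied through ARP inspection rather than a per-port access-group binding (an assumption about where they are used, not something this chapter states).

```python
"""Audit an Edge-core style switch's ACL state from the text of its
`show access-list` and `show access-group` output.

Reports: ACLs defined but bound to no port, bindings that name an ACL
that does not exist, and rules that reduce to `permit any any`."""
import re

# Constructed sample output in the format shown in this chapter
# (names and rules are illustrative, not taken from a real device).
SHOW_ACCESS_LIST = """\
IP extended access-list bob:
 permit TCP 192.168.1.0 255.255.255.0 any destination-port 80
 permit TCP 192.168.1.0 255.255.255.0 any control-flag 2 2
 permit 10.7.1.1 255.255.255.0 any
MAC access-list jerry:
 permit any host 00-30-29-94-34-de ethertype 800 800
 permit any any VID 1 ethertype 0000 cos 1 1
IPv6 extended access-list A6:
 permit any any DSCP 5
 permit any any next-header 43
 permit any 2009:db90:2229::79/8
ARP access-list arp1:
 permit response ip any 192.168.0.0 255.255.0.0 mac any any
MAC access-list wideopen:
 permit any any
"""

SHOW_ACCESS_GROUP = """\
Interface ethernet 1/1
 IP access-list bob in
 IP access-list bob out
Interface ethernet 1/2
 IPv6 access-list A6 in
 MAC access-list ghost in
"""

# "IP extended access-list bob:" -> family "IP", name "bob"
# "MAC access-list jerry:"       -> family "MAC", name "jerry"
ACL_HEADER_RE = re.compile(r"^(\S+)(?: \S+)? access-list (\S+):$")
IFACE_RE = re.compile(r"^Interface (.+)$")
BIND_RE = re.compile(r"^\s+(\S+) access-list (\S+) (in|out)$")


def parse_access_lists(text):
    """Return {(family, name): [rule, ...]} in definition order."""
    acls = {}
    current = None
    for line in text.splitlines():
        m = ACL_HEADER_RE.match(line)
        if m:
            current = (m.group(1), m.group(2))
            acls[current] = []
            continue
        rule = line.strip()
        if current is not None and rule:
            acls[current].append(rule)
    return acls


def parse_access_groups(text):
    """Return [(interface, family, name, direction), ...]."""
    bindings = []
    iface = None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            iface = m.group(1).strip()
            continue
        m = BIND_RE.match(line)
        if m and iface is not None:
            bindings.append((iface, m.group(1), m.group(2), m.group(3)))
    return bindings


def is_wildcard_permit(rule):
    """True for a rule that permits every frame with no further qualifier."""
    return rule.split() == ["permit", "any", "any"]


def audit(acl_text, group_text):
    acls = parse_access_lists(acl_text)
    bindings = parse_access_groups(group_text)
    bound = {(family, name) for _, family, name, _ in bindings}
    # ARP ACLs are applied by ARP inspection, not access-group (assumption).
    unbound = [key for key in acls if key not in bound and key[0] != "ARP"]
    dangling = [b for b in bindings if (b[1], b[2]) not in acls]
    wildcards = [(family, name, rule)
                 for (family, name), rules in acls.items()
                 for rule in rules if is_wildcard_permit(rule)]
    return {"unbound": unbound, "dangling": dangling, "wildcard_permits": wildcards}


if __name__ == "__main__":
    for kind, items in audit(SHOW_ACCESS_LIST, SHOW_ACCESS_GROUP).items():
        print(kind, items)
```

Feed the script the captured output of the two show commands; a non-empty "dangling" list means a port is running without the filter an operator believes is applied, which is the finding to act on first.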
11 Interface Commands
These commands are used to display or set communication parameters for an Ethernet port, aggregated link, or VLAN; or perform cable diagnostics on the specified interface.

Chapter 11 | Interface Commands

Table 75: Interface Commands (Continued)
Command – Function – Mode
Transceiver Threshold Configuration
transceiver-monitor – Sends a trap when any of the transceiver's operational values fall outside specified thresholds – IC
transceiver-threshold-auto – Uses default threshold settings obtained from the transceiver to determine when an alarm or trap message should be sent – IC
transceiver-threshold current – Sets thresholds for transceiver current which can be used to trigger an

Interface Configuration

interface
This command configures an interface type and enters interface configuration mode. Use the no form with a trunk to remove an inactive interface. Use the no form with a Layer 3 VLAN (normal type) to change it back to a Layer 2 interface.
Syntax
interface interface
no interface interface [port-channel channel-id | vlan vlan-id]
interface
 ethernet unit/port-list
 unit - Unit identifier.

capabilities
This command advertises the port capabilities of a given interface during autonegotiation. Use the no form with parameters to remove an advertised capability, or the no form without parameters to restore the default values.

description
This command adds a description to an interface. Use the no form to remove the description.
Syntax
description string
no description
string - Comment or a description to help you remember what is attached to this interface. (Range: 1-64 characters)
Default Setting
None
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
The description is displayed by the show interfaces status command and in the running-configuration file.

Command Usage
Use the no discard command to allow CDP or PVST packets to be forwarded to other ports in the same VLAN which are also configured to forward the specified packet type.
Example
The following example discards CDP packets entering port 5.
Console(config)#interface ethernet 1/5
Console(config-if)#discard cdp
Console(config-if)#

flowcontrol
This command enables flow control. Use the no form to disable flow control.

history
This command configures a periodic sampling of statistics, specifying the sampling interval and number of samples. Use the no form to remove a named entry from the sampling table.
Syntax
history name interval buckets
no history [name]
name - A symbolic name for this entry in the sampling table. (Range: 1-31 characters)
interval - The interval for sampling statistics. (Range: 1-86400 seconds)
buckets - The number of samples to take.

Command Mode
Interface Configuration (Ethernet)
Command Usage
Available sfp-forced modes include: 1000sfp, 10gsfp
Example
This forces the switch to use the 1000sfp mode for SFP port 8.
Console(config)#interface ethernet 1/8
Console(config-if)#media-type sfp-forced 1000sfp
Console(config-if)#

negotiation
This command enables auto-negotiation for a given interface. Use the no form to disable auto-negotiation.

shutdown
This command disables an interface. To restart a disabled interface, use the no form.
Syntax
[no] shutdown
Default Setting
All interfaces are enabled.
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
This command allows you to disable a port due to abnormal behavior (e.g., excessive collisions), and then re-enable it after the problem has been resolved. You may also want to disable a port for security reasons, for example an unused port on an access switch.

Command Usage
◆ The 1000BASE-T standard does not support forced mode. Auto-negotiation should always be used to establish a connection over any 1000BASE-T port or trunk. If it is not used, successful link establishment cannot be guaranteed when connecting to other types of switches.
Example
The following example configures port 5 to 100 Mbps, half-duplex operation.
show discard
This command displays whether or not CDP and PVST packets are being discarded.
Command Mode
Privileged Exec
Example
In this example, "No" means that the packets are not discarded.
Console#show discard
Port     CDP     PVST
-------- ------- -------
Eth 1/ 1 No      No
Eth 1/ 2 No      No
Eth 1/ 3 No      No
Eth 1/ 4 No      No
Eth 1/ 5 No      No
Eth 1/ 6 No      No
. . .

show interfaces counters
This command displays interface statistics.
Syntax
show interfaces counters [interface]
interface
 ethernet unit/port
 unit - Unit identifier. (Range: 1)
 port - Port number. (Range: 1-28)
 port-channel channel-id (Range: 1-28)
Default Setting
Shows the counters for all interfaces.
Command Mode
Normal Exec, Privileged Exec
Command Usage
If no interface is specified, information on all interfaces is displayed.

(output excerpt)
 0 Pause Frames Input
 0 Pause Frames Output
===== RMON Stats =====
 0 Drop Events
 16900558 Octets
 40243 Packets
 170 Broadcast PKTS
 23 Multi-cast PKTS
 0 Undersize PKTS
 0 Oversize PKTS
 0 Fragments
 0 Jabbers
 0 CRC Align Errors
 0 Collisions
 802 Packet Size <= 64 Octets
 83 Packet Size 65 to 127 Octets
 99 Packet Size 128 to 255 Octets
 25 Packet Size 256 to 511 Octets
 6 Packet Size 512 to 1023 Octets
 0 Packet Size 1024 to 1518 Octets
===== Port Utilization (recent 300 seconds) =====

Table 76: show interfaces counters - display description (Continued)
Parameter – Description
Multicast Input – The number of packets, delivered by this sub-layer to a higher (sub)layer, which were addressed to a multicast address at this sub-layer.
Multicast Output – The total number of packets that higher-level protocols requested be transmitted, and which were addressed to a multicast address at this sub-layer, including those that were discarded or not sent.
Packets – The total number of packets (bad, broadcast and multicast) received.
Broadcast Packets – The total number of good packets received that were directed to the broadcast address. Note that this does not include multicast packets.
Multicast Packets – The total number of good packets received that were directed to this multicast address.

show interfaces history
This command displays periodic sampling of statistics, including the sampling interval, number of samples, and counter values.
Syntax
show interfaces history [interface [name [current | previous index count] [input | output]]]
interface
 ethernet unit/port
 unit - Unit identifier. (Range: 1)
 port - Port number. (Range: 1-28)
 port-channel channel-id (Range: 1-28)
 vlan vlan-id (Range: 1-4094)
name - Name of sample as defined in the history command.

(output excerpt)
Start Time    %     Octets Input   Unicast  Multicast  Broadcast  Errors
00d 04:15:00  0.00  3201           0        31         6          0
              %     Octets Output  Unicast  Multicast  Broadcast  Discards  Errors
              0.00  716            4        2          0          0         0
Previous Entries
Start Time    %     Octets Input   Unicast  Multicast  Broadcast
00d 00:00:00  0.00  52248          0        560        120
00d 00:15:00  0.00  51278          0        549        99
00d 00:30:00  0.

show interfaces status
This command displays the status for an interface.
Syntax
show interfaces status [interface]
interface
 ethernet unit/port
 unit - Unit identifier. (Range: 1)
 port - Port number. (Range: 1-28)
 port-channel channel-id (Range: 1-28)
 vlan vlan-id (Range: 1-4094)
Default Setting
Shows the status for all interfaces.
Command Mode
Normal Exec, Privileged Exec
Command Usage
If no interface is specified, information on all interfaces is displayed.

show interfaces switchport
This command displays the administrative and operational status of the specified switchport interfaces.
Syntax
show interfaces switchport [interface]
interface
 ethernet unit/port
 unit - Unit identifier. (Range: 1)
 port - Port number. (Range: 1-28)
 port-channel channel-id (Range: 1-28)
Default Setting
Shows all interfaces.
Command Mode
Normal Exec, Privileged Exec
Command Usage
If no interface is specified, information on all interfaces is displayed.

Table 77: show interfaces switchport - display description
Field – Description
Broadcast Threshold – Shows if broadcast storm suppression is enabled or disabled; if enabled it also shows the threshold level (page 453).
Multicast Threshold – Shows if multicast storm suppression is enabled or disabled; if enabled it also shows the threshold level (page 453).
Transceiver Threshold Configuration

transceiver-monitor
This command sends a trap when any of the transceiver's operational values fall outside of specified thresholds. Use the no form to disable trap messages.

transceiver-threshold current
This command sets thresholds for transceiver current which can be used to trigger an alarm or warning message. Use the no form to restore the default settings.
Syntax
transceiver-threshold current {high-alarm | high-warning | low-alarm | low-warning} threshold-value
high-alarm – Sets the high current threshold for an alarm message.
high-warning – Sets the high current threshold for a warning message.

Example
The following example sets alarm thresholds for the transceiver current at port 9.
Console(config)#interface ethernet 1/9
Console(config-if)#transceiver-threshold current low-alarm 100
Console(config-if)#transceiver-threshold current high-alarm 700
Console(config-if)#

transceiver-threshold rx-power
This command sets thresholds for the transceiver power level of the received signal which can be used to trigger an alarm or warning message.

Example
The following example sets alarm thresholds for the signal power received at port 1.
Console(config)#interface ethernet 1/1
Console(config-if)#transceiver-threshold rx-power low-alarm -21
Console(config-if)#transceiver-threshold rx-power high-alarm -3
Console(config-if)#

transceiver-threshold temperature
This command sets thresholds for the transceiver temperature which can be used to trigger an alarm or warning message. Use the no form to restore the default settings.

Example
The following example sets alarm thresholds for the transceiver temperature at port 1. The low alarm must be set below the high alarm.
Console(config)#interface ethernet 1/1
Console(config-if)#transceiver-threshold temperature low-alarm -83
Console(config-if)#transceiver-threshold temperature high-alarm 97
Console(config-if)#

transceiver-threshold tx-power
This command sets thresholds for the transceiver power level of the transmitted signal which can be used to trigger an alarm or warning message.

Example
The following example sets alarm thresholds for the signal power transmitted at port 9.
Console(config)#interface ethernet 1/9
Console(config-if)#transceiver-threshold tx-power low-alarm -4000
Console(config-if)#transceiver-threshold tx-power high-alarm 820
Console(config-if)#

transceiver-threshold voltage
This command sets thresholds for the transceiver voltage which can be used to trigger an alarm or warning message. Use the no form to restore the default settings.

Example
The following example sets alarm thresholds for the transceiver voltage at port 9.

(output excerpt)
DDM Information
 Temperature  : 35.64 degree C
 Vcc          : 3.25 V
 Bias Current : 12.13 mA
 TX Power     : 2.36 dBm
 RX Power     : -24.20 dBm
DDM Thresholds
                      Low Alarm  Low Warning  High Warning  High Alarm
                      ---------  -----------  ------------  ----------
 Temperature(Celsius) -45.00     -40.00       85.00         90.00
 Voltage(Volts)       2.90       3.00         3.60          3.70
 Current(mA)          1.00       3.00         50.00         60.00
 TxPower(dBm)         -11.50     -10.50       -2.00         -1.00
 RxPower(dBm)         -23.98     -23.01       -1.00         0.
Console#

(output excerpt)
                      Low Alarm  Low Warning  High Warning  High Alarm
                      ---------  -----------  ------------  ----------
 Temperature(Celsius) -123.00    0.00         70.00         75.00
 Voltage(Volts)       3.10       3.15         3.45          3.50
 Current(mA)          6.00       7.00         90.00         100.00
 TxPower(dBm)         -12.00     -11.50       -9.50         -9.00
 RxPower(dBm)         -21.50     -21.00       -3.50         -3.00
Console#

Cable Diagnostics

test cable-diagnostics
This command performs cable diagnostics on the specified port to diagnose any cable faults (short, open, etc.
Example
Console#test cable-diagnostics interface ethernet 1/24
Console#

show cable-diagnostics
This command shows the results of a cable diagnostics test.
Syntax
show cable-diagnostics interface [interface]
interface
 ethernet unit/port
 unit - Unit identifier. (Range: 1)
 port - Port number.

(output excerpt)
UN: Unknown
Port     Type Link Status  Pair A   Pair B   Pair C   Pair D   Last
                           meters   meters   meters   meters   Updated
-------- ---- ----------- -------- -------- -------- -------- -------------------
Eth 1/ 7 GE   Up          OK (8)   OK (8)   OK (8)   OK (8)   2019-07-16 11:54:24
Console#

Power Savings

power-save
This command enables power savings mode on the specified port. Use the no form to disable this feature.

◆ When the power-save command is enabled and traffic is reduced, there is a reduction in power. For example, factory hardware component testing has shown that significant power reductions of more than 10% and up to 45% are realized when 1000M Ethernet ports operate at lower rates, from 300 Mbps down to 0 Mbps.
Note: Power savings can only be implemented on Ethernet ports using twisted-pair cabling.
12 Link Aggregation Commands
Ports can be statically grouped into an aggregate link (i.e., trunk) to increase the bandwidth of a network connection or to ensure fault recovery. Or you can use the Link Aggregation Control Protocol (LACP) to automatically negotiate a trunk link between this switch and another network device. For static trunks, the switches have to comply with the Cisco EtherChannel standard. For dynamic trunks, the switches have to comply with LACP. This switch supports up to 28 trunks.

Chapter 12 | Link Aggregation Commands

Guidelines for Creating Trunks
General Guidelines –
◆ Finish configuring trunks before you connect the corresponding network cables between switches to avoid creating a loop.
◆ A trunk can have up to 8 ports.
◆ The ports at both ends of a connection must be configured as trunk ports.
◆ All ports in a trunk must be configured in an identical manner, including communication mode (i.e., speed and duplex mode), VLAN assignments, and CoS settings.

src-dst-mac - Load balancing based on source and destination MAC address.
src-ip - Load balancing based on source IP address.
src-mac - Load balancing based on source MAC address.
Default Setting
src-dst-mac
Command Mode
Global Configuration
Command Usage
◆ This command applies to all static and dynamic trunks on the switch.
Example
Console(config)#port-channel load-balance dst-ip
Console(config)#

channel-group
This command adds a port to a trunk. Use the no form to remove a port from a trunk.
Syntax
channel-group channel-id
no channel-group
channel-id - Trunk index (Range: 1-28)
Default Setting
The current port is not a member of any trunk.

Default Setting
Disabled
Command Mode
Interface Configuration (Ethernet)
Command Usage
◆ The ports on both ends of an LACP trunk must be configured for full duplex.
◆ A trunk formed with another switch using LACP will automatically be assigned the next available port-channel ID.
◆ If the target switch has also enabled LACP on the connected ports, the trunk will be activated automatically.

(output excerpt)
 Max Frame Size      : 1518 bytes (1522 bytes for tagged frames)
 MAC Learning Status : Enabled
 Member Ports        : Eth1/25, Eth1/26, Eth1/27,
 Active Member Ports : Eth1/25, Eth1/26, Eth1/27,
Console#

lacp actor/partner mode (Ethernet Interface)
This command configures a port's LACP actor or partner negotiation activity mode. Use the no form to restore the default setting.

lacp admin-key (Ethernet Interface)
This command configures a port's LACP administration key. Use the no form to restore the default setting.
Syntax
lacp {actor | partner} admin-key key
no lacp {actor | partner} admin-key
actor - The local side of an aggregate link.
partner - The remote side of an aggregate link.
key - The port admin key must be set to the same value for ports that belong to the same link aggregation group (LAG).

lacp port-priority
This command configures LACP port priority. Use the no form to restore the default setting.
Syntax
lacp {actor | partner} port-priority priority
no lacp {actor | partner} port-priority
actor - The local side of an aggregate link.
partner - The remote side of an aggregate link.
priority - LACP port priority is used to select a backup link.

lacp system-priority
This command configures a port's LACP system priority. Use the no form to restore the default setting.
Syntax
lacp {actor | partner} system-priority priority
no lacp {actor | partner} system-priority
actor - The local side of an aggregate link.
partner - The remote side of an aggregate link.
priority - This priority is used to determine link aggregation group (LAG) membership, and to identify this device to other switches during LAG negotiations.

Default Setting
None
Command Mode
Interface Configuration (Port Channel)
Command Usage
◆ Ports are only allowed to join the same LAG if (1) the LACP system priority matches, (2) the LACP port admin key matches, and (3) the LACP port channel key matches (if configured).
◆ If the port channel admin key (lacp admin key - Port Channel) is not set when a channel group is formed (i.e.

◆ When a dynamic port-channel member leaves a port-channel, the default timeout value will be restored on that port.
◆ When a dynamic port-channel is torn down, the configured timeout value will be retained. When the dynamic port-channel is constructed again, that timeout value will be used.

Table 79: show lacp counters - display description
Field – Description
Port Channel – The LACP port channel trunk number.
Member Port – The Ethernet interface that is a member of the LACP port-channel trunk.
LACPDUs Sent – Number of valid LACPDUs transmitted from this channel group.
LACPDUs Received – Number of valid LACPDUs received on this channel group.
MarkerPDU Sent – Number of valid Marker PDUs transmitted from this channel group.

Table 80: show lacp internal - display description (Continued)
Field – Description
Admin State, Oper State – Administrative or operational values of the actor's state parameters:
 ◆ Expired – The actor's receive machine is in the expired state.
 ◆ Defaulted – The actor's receive machine is using defaulted operational partner information, administratively configured for the partner.
 ◆ Distributing – If false, distribution of outgoing frames on this link is disabled; i.e.

Table 81: show lacp neighbors - display description (Continued)
Field – Description
Partner Oper Port ID – Operational port number assigned to this aggregation port by the port's protocol partner.
Partner Admin Key – Current administrative value of the Key for the protocol partner.
Partner Oper Key – Current operational value of the Key for the protocol partner.
Partner Admin State – Administrative values of the partner's state parameters. (See preceding table.
13 Port Mirroring Commands
Data can be mirrored from a local port on the same switch or from a remote port on another switch for analysis at the target port using software monitoring tools or a hardware probe. This switch supports the following mirroring modes.

Chapter 13 | Port Mirroring Commands

Local Port Mirroring Commands
Default Setting
◆ No mirror session is defined.
◆ When enabled for an interface, default mirroring is for both received and transmitted packets.
Command Mode
Interface Configuration (Ethernet, destination port)
Command Usage
You can mirror traffic from any source port to a destination port for real-time analysis.

Command Usage
This command displays the currently configured source port, destination port, and mirror mode (i.e., RX, TX, RX/TX).

RSPAN Mirroring Commands

3. Use the rspan destination command to specify the destination port for the traffic mirrored by an RSPAN session.
4. Use the rspan remote vlan command to specify the VLAN to be used for an RSPAN session, to specify the switch's role as a source, intermediate relay, or destination of the mirrored traffic, and to configure the uplink ports designated to carry this traffic.

rspan source
Use this command to specify the source port and traffic type to be mirrored remotely. Use the no form to disable RSPAN on the specified port, or with a traffic type keyword to disable mirroring for the specified type.
Syntax
[no] rspan session session-id source interface interface-list [rx | tx | both]
session-id – A number identifying this RSPAN session.

rspan destination
Use this command to specify the destination port to monitor the mirrored traffic. Use the no form to disable RSPAN on the specified port.
Syntax
rspan session session-id destination interface interface [tagged | untagged]
no rspan session session-id destination interface interface
session-id – A number identifying this RSPAN session.

rspan remote vlan
Use this command to specify the RSPAN VLAN, switch role (source, intermediate or destination), and the uplink ports. Use the no form to disable RSPAN on the specified VLAN.
Syntax
[no] rspan session session-id remote vlan vlan-id {source | intermediate | destination} uplink interface
session-id – A number identifying this RSPAN session.

display any members for an RSPAN VLAN, but will only show configured RSPAN VLAN identifiers.
Example
The following example enables RSPAN on VLAN 2, specifies this device as an RSPAN destination switch, and the uplink interface as port 3:
Console(config)#rspan session 1 remote vlan 2 destination uplink ethernet 1/3
Console(config)#

no rspan session
Use this command to delete a configured RSPAN session.

Example
Console#show rspan session
RSPAN Session ID                : 1
Source Ports (mirrored ports)   : None
 RX Only                        : None
 TX Only                        : None
 BOTH                           : None
Destination Port (monitor port) : Eth 1/2
Destination Tagged Mode         : Untagged
Switch Role                     : Destination
RSPAN VLAN                      : 2
RSPAN Uplink Ports              : Eth 1/3
Operation Status                : Up
Console#
14 Congestion Control Commands
The switch can set the maximum upload or download data transfer rate for any port. It can control traffic storms by setting a maximum threshold for broadcast traffic or multicast traffic. It can also set bounding thresholds for broadcast and multicast storms which can be used to automatically trigger rate limits or to shut down a port.
Table 86: Congestion Control Commands
Command Group – Function
Rate Limiting – Sets the input and output rate limits for a port.

Chapter 14 | Congestion Control Commands

Rate Limit Commands

rate-limit
This command defines the rate limit for a specific interface. Use this command without specifying a rate to enable rate limiting. Use the no form to disable rate limiting.
Syntax
rate-limit {input | output} [rate]
no rate-limit {input | output}
input – Input rate for specified interface
output – Output rate for specified interface
rate – Maximum value in kbps. (Range: 64 - 100,000 kbits per second for 10/100 Mbps ports.

Storm Control Commands
Storm control commands can be used to configure broadcast, multicast, and unknown unicast storm control thresholds. Traffic storms may occur when a device on your network is malfunctioning, or if application programs are not well designed or properly configured. If there is too much traffic on your network, performance can be severely degraded or everything can come to a complete halt.

◆ Using both rate limiting and storm control on the same interface may lead to unexpected results. It is therefore not advisable to use both of these commands on the same interface.

Automatic Traffic Control Commands

Table 89: ATC Commands (Continued)
Command – Function – Mode
ATC Trap Commands
snmp-server enable port-traps atc broadcast-alarm-clear – Sends a trap when broadcast traffic falls beneath the lower threshold after a storm control response has been triggered – IC (Port)
snmp-server enable port-traps atc broadcast-alarm-fire – Sends a trap when broadcast traffic exceeds the upper threshold for automatic storm control – IC (Port)
snmp-ser

Usage Guidelines
ATC includes storm control for broadcast or multicast traffic. The control response for either of these traffic types is the same, as shown in the following diagrams.

Figure 2: Storm Control by Shutting Down a Port
The key elements of this diagram are the same as those described in the preceding diagram, except that automatic release of the control response is not provided. When traffic control is applied, you must manually re-enable the port.
Functional Limitations
Automatic storm control is a software level control function.

Command Usage
After the apply timer expires, a control action may be triggered as specified by the auto-traffic-control action command and a trap message sent as specified by the snmp-server enable port-traps atc broadcast-control-apply command or snmp-server enable port-traps atc multicast-control-apply command.
Example
This example sets the apply timer to 200 seconds for all ports.

auto-traffic-control
This command enables automatic traffic control for broadcast or multicast storms. Use the no form to disable this feature.
Syntax
[no] auto-traffic-control {broadcast | multicast}
broadcast - Specifies automatic storm control for broadcast traffic.
multicast - Specifies automatic storm control for multicast traffic.

shutdown - If a control response is triggered, the port is administratively disabled. A port disabled by automatic traffic control can only be manually re-enabled.
Default Setting
rate-control
Command Mode
Interface Configuration (Ethernet)
Command Usage
When the upper threshold is exceeded and the apply timer expires, a control response will be triggered based on this command.

Default Setting
128 kilo-packets per second
Command Mode
Interface Configuration (Ethernet)
Command Usage
◆ Once the traffic rate falls beneath the lower threshold, a trap message may be sent if configured by the snmp-server enable port-traps atc broadcast-alarm-clear command or snmp-server enable port-traps atc multicast-alarm-clear command.

Command Usage
◆ Once the upper threshold is exceeded, a trap message may be sent if configured by the snmp-server enable port-traps atc broadcast-alarm-fire command or snmp-server enable port-traps atc multicast-alarm-fire command.
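The sequence the preceding commands describe (alarm-fire when the rate exceeds the upper threshold, control-apply when the apply timer expires, alarm-clear when the rate falls beneath the lower threshold, control-release when the release timer expires, and no automatic release at all when the action is shutdown) is easier to reason about as a state machine. The following Python model is an added example for this guide and is not the switch's own implementation. The 300 second apply timer and 900 second release timer are the values shown by show auto-traffic-control later in this chapter; 128 kpps for the lower threshold is the default given above, and reusing it for the upper threshold is an assumption. Two behaviours the page does not state are also modelling assumptions: a pending apply timer is cancelled if traffic drops beneath the lower threshold first, and a storm that resumes while the release timer is running returns the port to the controlled state.

```python
"""Model of the automatic traffic control (ATC) response sequence for one
port: alarm-fire, control-apply, alarm-clear, control-release, and the
shutdown action that needs a manual release.  Example code, not the
switch's implementation."""


class AtcPort:
    def __init__(self, fire_kpps=128, clear_kpps=128, apply_timer=300,
                 release_timer=900, action="rate-control"):
        # fire_kpps=128 (upper threshold) is assumed; the other defaults
        # match values shown in this chapter.
        assert action in ("rate-control", "shutdown")
        self.fire = fire_kpps
        self.clear = clear_kpps
        self.apply_timer = apply_timer
        self.release_timer = release_timer
        self.action = action
        self.state = "normal"   # normal | alarm | controlled | releasing | shutdown
        self.deadline = None    # time at which the running timer expires
        self.enabled = True     # administrative port state
        self.events = []        # (time, trap name) in the order they fire

    def _emit(self, t, name):
        self.events.append((t, name))

    def observe(self, t, rate_kpps):
        """Feed one per-second rate sample at time t; return the new state."""
        if self.state == "shutdown":
            return self.state               # only manual_release() leaves this state
        if self.state == "normal":
            if rate_kpps > self.fire:
                self._emit(t, "alarm-fire")
                self.state, self.deadline = "alarm", t + self.apply_timer
        elif self.state == "alarm":
            if rate_kpps < self.clear:      # storm ended before the apply timer ran out (assumption)
                self._emit(t, "alarm-clear")
                self.state, self.deadline = "normal", None
            elif t >= self.deadline:
                self._emit(t, "control-apply")
                if self.action == "shutdown":
                    self.enabled = False    # no automatic release from here
                    self.state = "shutdown"
                else:
                    self.state = "controlled"
                self.deadline = None
        elif self.state == "controlled":
            if rate_kpps < self.clear:
                self._emit(t, "alarm-clear")
                self.state, self.deadline = "releasing", t + self.release_timer
        elif self.state == "releasing":
            if rate_kpps > self.fire:       # storm came back: stay controlled (assumption)
                self.state, self.deadline = "controlled", None
            elif t >= self.deadline:
                self._emit(t, "control-release")
                self.state, self.deadline = "normal", None
        return self.state

    def manual_release(self, t):
        """Operator action (auto-traffic-control ... control-release / no shutdown)."""
        if self.state in ("shutdown", "controlled", "releasing"):
            self._emit(t, "manual-release")
            self.enabled = True
            self.state, self.deadline = "normal", None


def run(port, segments):
    """segments: [(seconds, kpps), ...] played back one sample per second."""
    t = 0
    for seconds, rate in segments:
        for _ in range(seconds):
            port.observe(t, rate)
            t += 1
    return port.events


if __name__ == "__main__":
    # Constructed traffic profile: quiet, a 400 s storm, then quiet again.
    storm = [(10, 50), (400, 500), (1000, 20)]
    print("rate-control:", run(AtcPort(), storm))
    p = AtcPort(action="shutdown")
    print("shutdown:    ", run(p, storm), "enabled =", p.enabled)
```

With the rate-control action the port recovers on its own 900 seconds after the storm subsides; with the shutdown action the event log stops at control-apply and the port stays disabled until an operator releases it, which is exactly the difference between the two diagrams described above.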
auto-traffic-control control-release
This command manually releases a control response.
Syntax
auto-traffic-control {broadcast | multicast} control-release interface interface
broadcast - Specifies automatic storm control for broadcast traffic.
multicast - Specifies automatic storm control for multicast traffic.
interface
 ethernet unit/port-list
 unit - Unit identifier.

Example
Console(config)#interface ethernet 1/1
Console(config-if)#snmp-server enable port-traps atc broadcast-alarm-clear
Console(config-if)#
Related Commands
auto-traffic-control action (459)
auto-traffic-control alarm-clear-threshold (460)

snmp-server enable port-traps atc broadcast-alarm-fire
This command sends a trap when broadcast traffic exceeds the upper threshold for automatic storm control. Use the no form to disable this trap.

Example
Console(config)#interface ethernet 1/1
Console(config-if)#snmp-server enable port-traps atc broadcast-control-apply
Console(config-if)#
Related Commands
auto-traffic-control alarm-fire-threshold (461)
auto-traffic-control apply-timer (457)

snmp-server enable port-traps atc broadcast-control-release
This command sends a trap when broadcast traffic falls beneath the lower threshold after a storm control response has been triggered and the release ti

Command Mode
Interface Configuration (Ethernet)
Example
Console(config)#interface ethernet 1/1
Console(config-if)#snmp-server enable port-traps atc multicast-alarm-clear
Console(config-if)#
Related Commands
auto-traffic-control action (459)
auto-traffic-control alarm-clear-threshold (460)

snmp-server enable port-traps atc multicast-alarm-fire
This command sends a trap when multicast traffic exceeds the upper threshold for automatic storm control.

Example
Console(config)#interface ethernet 1/1
Console(config-if)#snmp-server enable port-traps atc multicast-control-apply
Console(config-if)#
Related Commands
auto-traffic-control alarm-fire-threshold (461)
auto-traffic-control apply-timer (457)

snmp-server enable port-traps atc multicast-control-release
This command sends a trap when multicast traffic falls beneath the lower threshold after a storm control response has been triggered and the release ti

(output excerpt)
 Apply-timer (sec)   : 300
 release-timer (sec) : 900
Storm-control: Multicast
 Apply-timer (sec)   : 300
 release-timer (sec) : 900
Console#

show auto-traffic-control interface
This command shows interface configuration settings and storm control status for the specified port.
Syntax
show auto-traffic-control interface [interface]
interface
 ethernet unit/port
 unit - Unit identifier. (Range: 1)
 port - Port number.
15 Loopback Detection Commands The switch can be configured to detect general loopback conditions caused by hardware problems or faulty protocol settings. When enabled, a control frame is transmitted on the participating ports, and the switch monitors inbound traffic to see if the frame is looped back.
Chapter 15 | Loopback Detection Commands

loopback-detection
This command enables loopback detection globally on the switch or on a specified interface. Use the no form to disable loopback detection.

Syntax
[no] loopback-detection

Default Setting
Enabled

Command Mode
Global Configuration
Interface Configuration (Ethernet, Port Channel)

Command Usage
◆ Loopback detection must be enabled globally for the switch by this command and enabled for a specific interface for this function to take effect.
none - No action is taken.
shutdown - Shuts down the interface.

Default Setting
Shut down

Command Mode
Global Configuration

Command Usage
◆ When a port receives a control frame sent by itself, this means that the port is in a looped state, and the VLAN in the frame payload is also in a looped state. The looped port is therefore shut down.
Example
Console(config)#loopback-detection recover-time 120
Console(config-if)#

loopback-detection transmit-interval
This command specifies the interval at which to transmit loopback detection control frames. Use the no form to restore the default setting.

Syntax
loopback-detection transmit-interval seconds
no loopback-detection transmit-interval
seconds - The transmission interval for loopback detection control frames.
Command Mode
Global Configuration

Command Usage
Refer to the loopback-detection recover-time command for information on the conditions which constitute loopback recovery.

Example
Console(config)#loopback-detection trap both
Console(config)#

loopback-detection release
This command releases all interfaces currently shut down by the loopback detection feature.
Command Usage
Although the global action may be set to None, this command will still display the configured Detection Port Information (Admin State and Oper State).
16 UniDirectional Link Detection Commands
The switch can be configured to detect and disable unidirectional Ethernet fiber or copper links. When enabled, the protocol advertises a port’s identity, learns about its neighbors on a specific LAN segment, and stores information about its neighbors in a cache. It can also send out a train of echo messages under circumstances that require fast notifications or re-synchronization of the cached information.
Chapter 16 | UniDirectional Link Detection Commands

Command Usage
When a neighbor device is discovered by UDLD, the switch enters “detection state” and remains in this state for the specified detection interval. After the detection interval expires, the switch tries to decide whether or not the link is unidirectional based on the information collected during “detection state.”
udld recovery
This command configures the switch to automatically recover from the UDLD disabled port state after a period specified by the udld recovery-interval command. Use the no form to disable this feature.

Syntax
[no] udld recovery

Default Setting
Disabled

Command Mode
Global Configuration

Command Usage
When the automatic recovery state is changed by this command, any ports shut down by UDLD will be reset.
Example
Console(config)#udld recovery-interval 30
Console(config)#

udld aggressive
This command sets UDLD to aggressive mode on an interface. Use the no form to restore the default setting.

Syntax
[no] udld aggressive

Default Setting
Disabled

Command Mode
Interface Configuration (Ethernet Port)

Command Usage
UDLD can function in two modes: normal mode and aggressive mode.
Example
This example enables UDLD aggressive mode on port 1.
Console(config)#interface ethernet 1/1
Console(config-if)#udld aggressive
Console(config-if)#

udld port
This command enables UDLD on a port. Use the no form to disable UDLD on an interface.
show udld
This command shows UDLD configuration settings and operational status for the switch or for a specified interface.

Syntax
show udld [interface interface]
interface
ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number.
Table 92: show udld - display description (Continued)
Field: Description
Recovery Interval: Shows the period after which to recover from the UDLD disabled port state if automatic recovery is enabled
UDLD: Shows if UDLD is enabled or disabled on a port
Mode: Shows if UDLD is functioning in Normal or Aggressive mode
Oper State: Shows the UDLD operational state (Disabled, Link down, Link up, Advertisement, Detection, Disabled port, Advertisement - Single nei
17 Address Table Commands
These commands are used to configure the address table for filtering specified addresses, displaying current entries, clearing the table, or setting the aging time.
Chapter 17 | Address Table Commands

Example
Console(config)#mac-address-table aging-time 100
Console(config)#

mac-address-table hash-lookup-depth
This command sets the hash lookup depth used when searching the MAC address table. Use the no form to restore the default setting.

Syntax
mac-address-table hash-lookup-depth depth
no mac-address-table hash-lookup-depth
depth - The depth used in the hash lookup process.
port-channel channel-id (Range: 1-28)
vlan-id - VLAN ID (Range: 1-4094)
action
delete-on-reset - Assignment lasts until the switch is reset.
permanent - Assignment is permanent.

Default Setting
No static addresses are defined. The default lifetime is permanent.

Command Mode
Global Configuration

Command Usage
The static address for a host device can be assigned to a specific port within a specific VLAN. Use this command to add static addresses to the MAC Address Table.
clear mac-address-table dynamic
This command removes any learned entries from the forwarding database.

Syntax
clear mac-address-table dynamic [[all] | [address mac-address [mask]] | [interface interface] | [vlan vlan-id]]
all - All learned entries.
address mac-address - MAC address.
mask - Bits to match in the address.
interface
ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number.
show mac-address-table
This command shows classes of entries in the bridge-forwarding database.

Syntax
show mac-address-table [address mac-address [mask]] [interface interface] [vlan vlan-id] [sort {address | vlan | interface}]
mac-address - MAC address.
mask - Bits to match in the address.
interface
ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number.
show mac-address-table aging-time
This command shows the aging time for entries in the address table.

Default Setting
None

Command Mode
Privileged Exec

Example
Console#show mac-address-table aging-time
Aging Status : Enabled
Aging Time: 300 sec.
Console#

show mac-address-table hash-algorithm
This command shows the hash table algorithm configured and activated by the switch.
show mac-address-table count
This command shows the number of MAC addresses used and the number of available MAC addresses for the overall system or for an interface.

Syntax
show mac-address-table count [interface interface]
interface
ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number.
Example
Console#show mac-address-table hash-lookup-depth
Configured Hash Lookup Depth: 4
Activated Hash Lookup Depth: 4
Console#
18 TWAMP Commands
The Two-Way Active Measurement Protocol (TWAMP) is defined by RFC 5357. TWAMP is an open protocol for measuring network performance between any two devices that support the TWAMP protocol. TWAMP uses the methodology and architecture of OWAMP (One-Way Active Measurement Protocol, RFC 4656), which defines an open protocol for the measurement of one-way metrics, but extends it to two-way, or round-trip, metrics.
Chapter 18 | TWAMP Commands

Example
Console(config)#twamp reflector
Console(config)#

twamp reflector refwait
This command sets the TWAMP session timeout on the switch. Use the no form to restore the default.

Syntax
twamp reflector refwait seconds
no twamp reflector refwait
seconds - The timeout value in seconds.
19 Spanning Tree Commands
This section includes commands that configure the Spanning Tree Algorithm (STA) globally for the switch, and commands that configure STA for the selected interface.
Chapter 19 | Spanning Tree Commands

Table 95: Spanning Tree Commands (Continued)
Command: Function (Mode)
spanning-tree loopback-detection: Enables BPDU loopback detection for a port (IC)
spanning-tree loopback-detection action: Configures the response for loopback detection to block user traffic or shut down the interface (IC)
spanning-tree loopback-detection release-mode: Configures loopback release mode for a port (IC)
spanning-tree loopback-detection trap: Enables BPDU loopback SNMP trap notification for
Command Usage
◆ The Spanning Tree Algorithm (STA) can be used to detect and disable network loops, and to provide backup links between switches, bridges or routers. This allows the switch to interact with other bridging devices (that is, an STA-compliant switch, bridge or router) in your network to ensure that only one route exists between any two stations on the network, and provide backup links which automatically take over when a primary link goes down.
Default Setting
15 seconds

Command Mode
Global Configuration

Command Usage
This command sets the maximum time (in seconds) a port will wait before changing states (i.e., discarding to learning to forwarding). This delay is required because every device must receive information about topology changes before it starts to forward frames.
spanning-tree max-age
This command configures the spanning tree bridge maximum age globally for this switch. Use the no form to restore the default.

Syntax
spanning-tree max-age seconds
no spanning-tree max-age
seconds - Time in seconds. (Range: 6-40 seconds)
The minimum value is the higher of 6 or [2 x (hello-time + 1)].
The maximum value is the lower of 40 or [2 x (forward-time - 1)].
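The two bounds above interact: a large hello-time raises the floor while a small forward-time lowers the ceiling, and the two can cross so that no max-age is legal at all. The following is an added example, not code from this guide or from Edgecore, that computes the bounds from the formulas stated above and checks a candidate value before it is pushed to a switch. The hello-time of 2 s and forward-time of 15 s used as defaults are assumptions for the example; the function and parameter names are the example's own.

```python
# Added example (not from the ECS4130-28T guide): check a candidate
# spanning-tree max-age against the bounds the guide states, namely
#   minimum = max(6, 2 * (hello-time + 1))
#   maximum = min(40, 2 * (forward-time - 1))
# hello_time=2 and forward_time=15 are assumed defaults for this example.

from typing import Optional, Tuple


def max_age_bounds(hello_time: int, forward_time: int) -> Tuple[int, int]:
    """Return (lowest, highest) legal max-age for the given timers.

    If lowest > highest, no max-age value satisfies both formulas and the
    hello-time or forward-time must be changed first.
    """
    lowest = max(6, 2 * (hello_time + 1))
    highest = min(40, 2 * (forward_time - 1))
    return lowest, highest


def check_max_age(max_age: int, hello_time: int = 2,
                  forward_time: int = 15) -> Optional[str]:
    """Return None if max_age is acceptable, else a message saying why not."""
    if not 6 <= max_age <= 40:
        return f"max-age {max_age} is outside the 6-40 second range"
    lowest, highest = max_age_bounds(hello_time, forward_time)
    if lowest > highest:
        return (f"no legal max-age: hello-time {hello_time} requires at least "
                f"{lowest} s but forward-time {forward_time} allows at most {highest} s")
    if max_age < lowest:
        return f"max-age {max_age} is below {lowest} = 2 x (hello-time + 1)"
    if max_age > highest:
        return f"max-age {max_age} is above {highest} = 2 x (forward-time - 1)"
    return None


if __name__ == "__main__":
    # With the assumed defaults the legal window is 6..28 seconds.
    for candidate in (20, 5, 30):
        print(candidate, check_max_age(candidate) or "ok")
    # Timers that leave no legal max-age at all.
    print(check_max_age(20, hello_time=10, forward_time=5))
```

Running the check before a change (for instance in a configuration-linting step) catches the case where a scripted timer change would be rejected by the switch or, worse, accepted on one bridge and not another.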
Default Setting
rstp

Command Mode
Global Configuration

Command Usage
◆ Spanning Tree Protocol
This option uses RSTP set to STP forced compatibility mode. It uses RSTP for the internal state machine, but sends only 802.1D BPDUs. This creates one spanning tree instance for the entire network. If multiple VLANs are implemented on a network, the path between specific VLAN members may be inadvertently disabled to prevent network loops, thus isolating group members.
spanning-tree mst configuration
This command changes to Multiple Spanning Tree (MST) configuration mode.

Syntax
spanning-tree mst configuration

Default Setting
No VLANs are mapped to any MST instance. The region name is set to the switch’s MAC address.
and higher values assigned to ports with slower media. Note that path cost (page 508) takes precedence over port priority (page 516).
◆ The path cost methods apply to all spanning tree modes (STP, RSTP and MSTP). Specifically, the long method can be applied to STP since this mode is supported by a backward compatible mode of RSTP.
spanning-tree system-bpdu-flooding
This command configures how the system floods BPDUs to other ports when spanning tree is disabled globally on the switch or disabled on specific ports. Use the no form to restore the default.

Syntax
spanning-tree system-bpdu-flooding {to-all | to-vlan}
no spanning-tree system-bpdu-flooding
to-all - Floods BPDUs to all other spanning-tree disabled ports on the switch.
Default Setting
All ports and trunks belong to a common group.

Command Mode
Global Configuration

Command Usage
A port can only belong to one group. When an interface is added to a group, it is removed from the default group. When a TCN BPDU or a BPDU with the TC flag set is received on an interface, that interface will only notify members in the same group to propagate this topology change.
max-hops
This command configures the maximum number of hops in the region before a BPDU is discarded. Use the no form of the command to set the number of hops to the default value.

Syntax
max-hops hop-number
no max-hops
hop-number - Maximum hop number for multiple spanning tree. (Range: 1-40)

Default Setting
20

Command Mode
MST Configuration

Command Usage
An MSTI region is treated as a single node by the STP and RSTP protocols.
Command Mode
MST Configuration

Command Usage
◆ MST priority is used in selecting the root bridge and alternate bridge of the specified instance. The device with the highest priority (i.e., lowest numerical value) becomes the MSTI root device. However, if all devices have the same priority, the device with the lowest MAC address will then become the root device.
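The election rule just stated (lowest numerical priority wins, ties broken by the lowest MAC address) is worth modelling, because it also tells a network operator what to watch for: any bridge that turns up with a lower priority than the planned root will take the role. The following added example, not code from this guide or from Edgecore, implements the comparison and a check that the elected root is the intended one. The bridge names, MAC addresses and priorities are constructed sample data, and the function names are the example's own.

```python
# Added example (not from the ECS4130-28T guide): model the MSTI root
# election described in the guide. Lower numerical priority wins; on a tie,
# the lower MAC address wins. Sample bridges below are constructed data.

from typing import Dict, Optional, Tuple

Bridge = Tuple[int, str]          # (priority, mac address)


def parse_mac(mac: str) -> bytes:
    """Parse 'aa-bb-cc-dd-ee-ff' or 'aa:bb:cc:dd:ee:ff' into 6 raw bytes."""
    parts = mac.replace(":", "-").split("-")
    if len(parts) != 6:
        raise ValueError(f"bad MAC address: {mac}")
    return bytes(int(p, 16) for p in parts)


def bridge_key(priority: int, mac: str) -> Tuple[int, bytes]:
    """Sort key for a bridge: the lower key is the better root candidate.

    Comparing the MAC as raw bytes gives the same order as comparing the
    48-bit address numerically, which is the tie-break the guide describes.
    """
    if priority < 0:
        raise ValueError("priority must be non-negative")
    return priority, parse_mac(mac)


def elect_root(bridges: Dict[str, Bridge]) -> str:
    """Return the name of the bridge that becomes MSTI root.

    bridges maps a bridge name to (priority, mac).
    """
    if not bridges:
        raise ValueError("no bridges to elect from")
    return min(bridges, key=lambda name: bridge_key(*bridges[name]))


def unexpected_root(bridges: Dict[str, Bridge], intended_root: str) -> Optional[str]:
    """Return the winning bridge if it differs from the intended root, else None.

    A root that moves to an unplanned bridge (for example one connected on an
    access port) is exactly the condition spanning-tree root-guard is meant
    to contain, so this is a useful check to run over collected bridge data.
    """
    winner = elect_root(bridges)
    return None if winner == intended_root else winner


if __name__ == "__main__":
    # Constructed sample topology: two core switches and one access switch.
    sample = {
        "core1": (4096, "00-11-22-33-44-55"),
        "core2": (8192, "00-11-22-33-44-56"),
        "access1": (32768, "00-00-00-00-00-01"),
    }
    print("root:", elect_root(sample))
    # A bridge with priority 0 appearing later would displace the planned root.
    sample["unplanned"] = (0, "de-ad-be-ef-00-01")
    print("unexpected root:", unexpected_root(sample, "core1"))
```

The same comparison applies to CST root election in STP and RSTP; only the priority value's meaning per instance differs in MST, so the function can be reused per instance by feeding it that instance's priorities.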
RSTP treats each MSTI region as a single node, connecting all regions to the Common Spanning Tree.

Example
Console(config-mstp)#mst 1 vlan 2-5
Console(config-mstp)#

name
This command configures the name for the multiple spanning tree region in which this switch is located. Use the no form of the command to set the name to the default name.

Syntax
name name
no name
name - Name of multiple spanning tree region.
no revision
number - Revision number of the spanning tree. (Range: 0-65535)

Default Setting
0

Command Mode
MST Configuration

Command Usage
The MST region name (page 505) and revision number are used to designate a unique MST region. A bridge (i.e., a spanning-tree compliant device such as this switch) can only belong to one MST region, and all bridges in the same region must be configured with the same MST instances.
Example
Console(config)#interface ethernet 1/5
Console(config-if)#spanning-tree edge-port
Console(config-if)#spanning-tree bpdu-filter
Console(config-if)#

Related Commands
spanning-tree edge-port (509)

spanning-tree bpdu-guard
This command shuts down an edge port (i.e., an interface set for fast forwarding) if it receives a BPDU. Use the no form without any keywords to disable this feature, or with a keyword to restore the default settings.
Related Commands
spanning-tree edge-port (509)
spanning-tree spanning-disabled (518)

spanning-tree cost
This command configures the spanning tree path cost for the specified interface. Use the no form to restore the default auto-configuration mode.

Syntax
spanning-tree cost cost
no spanning-tree cost
cost - The path cost for the port.
Command Usage
◆ This command is used by the Spanning Tree Algorithm to determine the best path between devices. Therefore, lower values should be assigned to ports attached to faster media, and higher values assigned to ports with slower media.
◆ Path cost takes precedence over port priority.
◆ When the path cost method (page 499) is set to short, the maximum value for path cost is 65,535.
Example
Console(config)#interface ethernet 1/5
Console(config-if)#spanning-tree edge-port
Console(config-if)#

spanning-tree link-type
This command configures the link type for Rapid Spanning Tree and Multiple Spanning Tree. Use the no form to restore the default.

Syntax
spanning-tree link-type {auto | point-to-point | shared}
no spanning-tree link-type
auto - Automatically derived from the duplex mode setting.
point-to-point - Point-to-point link.
spanning-tree loopback-detection
This command enables the detection of and response to Spanning Tree loopback BPDU packets on the port. Use the no form to disable this feature.

Syntax
[no] spanning-tree loopback-detection

Default Setting
Disabled

Command Mode
Interface Configuration (Ethernet, Port Channel)

Command Usage
If Port Loopback Detection is not enabled and a port receives its own BPDU, then the port will drop the loopback BPDU according to IEEE Standard 802.
selected interface will be automatically enabled when the shutdown interval has expired.
◆ If an interface is shut down by this command, and the release mode is set to “manual,” the interface can be re-enabled using the spanning-tree loopback-detection release command.
◆ When configured for manual release mode, a link down / up event will not release the port from the discarding state. It can only be released using the spanning-tree loopback-detection release command.

Example
Console(config)#interface ethernet 1/5
Console(config-if)#spanning-tree loopback-detection release-mode manual
Console(config-if)#

spanning-tree loopback-detection trap
This command enables SNMP trap notification for Spanning Tree loopback BPDU detections.
Example
Console(config)#interface ethernet 1/5
Console(config-if)#spanning-tree restricted-tcn

spanning-tree mst cost
This command configures the path cost on a spanning tree instance in the Multiple Spanning Tree. Use the no form to restore the default auto-configuration mode.

Syntax
spanning-tree mst instance-id cost cost
no spanning-tree mst instance-id cost
instance-id - Instance identifier of the spanning tree. (Range: 0-4094)
cost - Path cost for an interface.
Related Commands
spanning-tree mst port-priority (515)

spanning-tree mst port-priority
This command configures the interface priority on a spanning tree instance in the Multiple Spanning Tree. Use the no form to restore the default.

Syntax
spanning-tree mst instance-id port-priority priority
no spanning-tree mst instance-id port-priority
instance-id - Instance identifier of the spanning tree. (Range: 0-4094)
priority - Priority for an interface.
Command Mode
Interface Configuration (Ethernet, Port Channel)

Command Usage
◆ When enabled, BPDUs are flooded to all other spanning-tree disabled ports on the switch or within the receiving port's native VLAN as specified by the spanning-tree system-bpdu-flooding command.
◆ The spanning-tree system-bpdu-flooding command has no effect if BPDU flooding is disabled on a port by the spanning-tree port-bpdu-flooding command.
Example
Console(config)#interface ethernet 1/5
Console(config-if)#spanning-tree port-priority 0

Related Commands
spanning-tree cost (508)

spanning-tree root-guard
This command prevents a designated port from taking superior BPDUs into account and allowing a new STP root port to be elected. Use the no form to disable this feature.
spanning-tree spanning-disabled
This command disables the spanning tree algorithm for the specified interface. Use the no form to re-enable the spanning tree algorithm for the specified interface.
Example
Console(config)#interface ethernet 1/1
Console(config-if)#spanning-tree tc-prop-stop
Console(config-if)#

spanning-tree loopback-detection release
This command manually releases a port placed in discarding state by loopback detection.

Syntax
spanning-tree loopback-detection release interface
interface
ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number.
Command Mode
Privileged Exec

Command Usage
If at any time the switch detects STP BPDUs, including Configuration or Topology Change Notification BPDUs, it will automatically set the selected interface to forced STP-compatible mode. However, you can also use the spanning-tree protocol-migration command at any time to manually re-check the appropriate BPDU format to send on the selected interfaces (i.e., RSTP or STP-compatible).
◆ Use the show spanning-tree interface command to display the spanning tree configuration for an interface within the Common Spanning Tree (CST).
◆ Use the show spanning-tree mst command to display the spanning tree configuration for all instances within the Multiple Spanning Tree (MST), including global settings and settings for active interfaces.
Loopback Detection Trap : Disabled
Loopback Detection Action : Block
Root Guard Status : Disabled
BPDU Guard Status : Disabled
BPDU Guard Auto Recovery : Disabled
BPDU Guard Auto Recovery Interval : 300
BPDU Filter Status : Disabled
TC Propagate Stop : Disabled
Restricted TCN : Disabled
. . .

This example shows a brief summary of global and interface settings for the spanning tree.
show spanning-tree tc-prop
This command shows the configuration of topology change propagation domains.

Syntax
show spanning-tree tc-prop [group group-id]
group-id - Group identifier.
20 VLAN Commands
A VLAN is a group of ports that can be located anywhere in the network, but communicate as though they belong to the same physical segment. This section describes commands used to create VLAN groups, add port members, specify how VLAN tagging is used, and enable automatic VLAN registration for the selected interface.
Chapter 20 | VLAN Commands

GVRP and Bridge Extension Commands
GARP VLAN Registration Protocol defines a way for switches to exchange VLAN information in order to automatically register VLAN members on interfaces across the network. This section describes how to enable GVRP for individual interfaces and globally for the switch, as well as how to display default configuration settings for the Bridge Extension MIB.
garp timer
This command sets the values for the join, leave and leaveall timers. Use the no form to restore the timers’ default values.

Syntax
garp timer {join | leave | leaveall} timer-value
no garp timer {join | leave | leaveall}
{join | leave | leaveall} - Timer to set.
timer-value - Value of timer.
Related Commands
show garp timer (530)

switchport forbidden vlan
This command configures forbidden VLANs. Use the no form to remove the list of forbidden VLANs.

Syntax
switchport forbidden vlan {add vlan-list | remove vlan-list}
no switchport forbidden vlan
add vlan-list - List of VLAN identifiers to add.
remove vlan-list - List of VLAN identifiers to remove.
switchport gvrp
This command enables GVRP for a port. Use the no form to disable it.

Syntax
[no] switchport gvrp

Default Setting
Disabled

Command Mode
Interface Configuration (Ethernet, Port Channel)

Command Usage
GVRP cannot be enabled for ports set to Access mode using the switchport mode command.
Table 100: show bridge-ext - display description
Field: Description
Maximum Supported VLAN Numbers: The maximum number of VLANs supported on this switch.
Maximum Supported VLAN ID: The maximum configurable VLAN identifier supported on this switch.
Extended Multicast Filtering Services: This switch does not support the filtering of individual multicast addresses based on GMRP (GARP Multicast Registration Protocol).
Example
Console#show garp timer ethernet 1/1
Eth 1/ 1 GARP Timer Status:
 Join Timer : 20 centiseconds
 Leave Timer : 60 centiseconds
 Leave All Timer : 1000 centiseconds
Console#

Related Commands
garp timer (527)

show gvrp configuration
This command shows if GVRP is enabled.

Syntax
show gvrp configuration [interface]
interface
ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number.
Editing VLAN Groups

vlan database
This command enters VLAN database mode. All commands in this mode will take effect immediately.

Default Setting
None

Command Mode
Global Configuration

Command Usage
◆ Use the VLAN database command mode to add, change, and delete VLANs. After finishing configuration changes, you can display the VLAN settings by entering the show vlan command.
rspan - Keyword to create a VLAN used for mirroring traffic from remote switches. The VLAN used for RSPAN cannot include VLAN 1 (the switch’s default VLAN). Nor should it include VLAN 4093 (which is used for switch clustering). Configuring VLAN 4093 for other purposes may cause problems in the Clustering operation. For more information on configuring RSPAN through the CLI, see “RSPAN Mirroring Commands” on page 443.
Configuring VLAN Interfaces

Table 102: Commands for Configuring VLAN Interfaces (Continued)
Command: Function (Mode)
switchport forbidden vlan: Configures forbidden VLANs for an interface (IC)
switchport gvrp: Enables GVRP for an interface (IC)
switchport ingress-filtering: Enables ingress filtering on an interface (IC)
switchport mode: Configures VLAN membership mode for an interface (IC)
switchport native vlan: Configures the PVID (native VLAN) of an interface (IC)
vlan-trunking
Related Commands
shutdown (403)
interface (397)
vlan (532)

switchport acceptable-frame-types
This command configures the acceptable frame types for a port. Use the no form to restore the default.

Syntax
switchport acceptable-frame-types {all | tagged}
no switchport acceptable-frame-types
all - The port accepts all frames, tagged or untagged.
tagged - The port only receives tagged frames.
vlan-list - If a VLAN list is entered without using the add option, the interface is assigned to the specified VLANs, and membership in all previous VLANs is removed. The interface is added as an untagged member if switchport mode is set to hybrid or access, or as a tagged member if switchport mode is set to trunk. Separate nonconsecutive VLAN identifiers with a comma and no spaces; use a hyphen to designate a range of IDs. (Range: 1-4094).
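Two rules from the paragraph above are easy to get wrong in automation: the vlan-list grammar (comma-separated, no spaces, hyphen for a range, IDs 1-4094) and the fact that a list given without add replaces the interface's whole membership rather than extending it. The following is an added example, not code from this guide or from Edgecore, that parses the vlan-list syntax and models the membership outcome so a change can be previewed before it is applied. The function names and the dictionary representation of port membership are the example's own; the switch's internal representation is not described on this page.

```python
# Added example (not from the ECS4130-28T guide): parse the vlan-list syntax
# described in the guide and model what switchport allowed vlan does to an
# interface's membership, including the replace-versus-add distinction.

from typing import Dict, Optional, Set

VLAN_MIN, VLAN_MAX = 1, 4094


def parse_vlan_list(text: str) -> Set[int]:
    """Return the set of VLAN IDs named by a vlan-list such as '1,2,5-7'.

    Raises ValueError on spaces, empty items, backwards ranges or IDs
    outside 1-4094, mirroring what the switch would reject.
    """
    if not text or " " in text:
        raise ValueError("vlan-list must be non-empty and contain no spaces")
    vlans: Set[int] = set()
    for item in text.split(","):
        if "-" in item:
            lo_s, hi_s = item.split("-", 1)
            lo, hi = int(lo_s), int(hi_s)      # int() rejects empty halves
            if lo > hi:
                raise ValueError(f"range {item} runs backwards")
        else:
            lo = hi = int(item)
        if lo < VLAN_MIN or hi > VLAN_MAX:
            raise ValueError(f"{item} is outside {VLAN_MIN}-{VLAN_MAX}")
        vlans.update(range(lo, hi + 1))
    return vlans


def apply_allowed_vlan(membership: Dict[int, str], mode: str, vlan_list: str,
                       add: bool = False,
                       tagged: Optional[bool] = None) -> Dict[int, str]:
    """Return the new membership {vlan: 'tagged' | 'untagged'} for an interface.

    Without add, the listed VLANs replace all previous membership and the
    tagging follows switchport mode (trunk -> tagged, hybrid/access -> untagged),
    as the guide states. With add, the listed VLANs join the existing
    membership; the tagging keyword, when given, overrides the mode default
    (the default itself is an assumption of this example).
    """
    if mode not in ("access", "hybrid", "trunk"):
        raise ValueError(f"unknown switchport mode {mode}")
    vlans = parse_vlan_list(vlan_list)
    mode_tag = "tagged" if mode == "trunk" else "untagged"
    if not add:
        return {v: mode_tag for v in vlans}
    tag = mode_tag if tagged is None else ("tagged" if tagged else "untagged")
    new = dict(membership)
    new.update({v: tag for v in vlans})
    return new


if __name__ == "__main__":
    # The guide's own example: add VLANs 1, 2, 5 and 6 as tagged on a port.
    port = apply_allowed_vlan({}, "trunk", "1,2,5,6", add=True, tagged=True)
    print(sorted(port.items()))
    # The same list without add on a hybrid port wipes prior membership.
    print(apply_allowed_vlan({10: "tagged", 20: "tagged"}, "hybrid", "1,2,5,6"))
```

Previewing the result this way makes the difference between "switchport allowed vlan add 1,2,5,6 tagged" and "switchport allowed vlan 1,2,5,6" visible before the second form silently drops VLANs 10 and 20 from a port.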
Example
The following example shows how to add VLANs 1, 2, 5 and 6 to the allowed list as tagged VLANs for port 1:
Console(config)#interface ethernet 1/1
Console(config-if)#switchport allowed vlan add 1,2,5,6 tagged
Console(config-if)#

switchport ingress-filtering
This command enables ingress filtering for an interface. Use the no form to restore the default.
switchport mode
This command configures the VLAN membership mode for a port. Use the no form to restore the default.

Syntax
switchport mode {access | hybrid | trunk}
no switchport mode
access - Specifies an access VLAN interface. The port transmits and receives untagged frames on a single VLAN only.
hybrid - Specifies a hybrid VLAN interface. The port may transmit tagged or untagged frames.
trunk - Specifies a port as an end-point for a VLAN trunk.
Command Mode
Interface Configuration (Ethernet, Port Channel)

Command Usage
◆ When changing the PVID for a port using access mode, the port will automatically join the new PVID VLAN and leave the VLAN which it had joined before.
◆ When using Access mode, and an interface is assigned to a new VLAN, its PVID is automatically set to the identifier for that VLAN.
Figure 3: Configuring VLAN Trunking

Without VLAN trunking, you would have to configure VLANs 1 and 2 on all intermediate switches – C, D and E; otherwise these switches would drop any frames with unknown VLAN group tags. However, by enabling VLAN trunking on the intermediate switch ports along the path connecting VLANs 1 and 2, you only need to create these VLAN groups in switches A and B.
Displaying VLAN Information
This section describes commands used to display VLAN information.

Table 103: Commands for Displaying VLAN Information
Command: Function (Mode)
show interfaces status vlan: Displays status for the specified VLAN interface (NE, PE)
show interfaces switchport: Displays the administrative and operational status of an interface (NE, PE)
show vlan: Shows VLAN information (NE, PE)

show vlan
This command shows VLAN information.
Configuring IEEE 802.1Q Tunneling
IEEE 802.1Q tunneling (QinQ tunneling) uses a single Service Provider VLAN (SPVLAN) for customers who have multiple VLANs. Customer VLAN IDs are preserved and traffic from different customers is segregated within the service provider’s network even when they use the same customer-specific VLAN IDs.
7. Configure the QinQ tunnel uplink port to dot1Q-tunnel uplink mode (switchport dot1q-tunnel mode).
8. Configure the QinQ tunnel uplink port to join the SPVLAN as a tagged member (switchport allowed vlan).

Limitations for QinQ
◆ The native VLAN for the tunnel uplink ports and tunnel access ports cannot be the same. However, the same service VLANs can be set on both tunnel port types.
dot1q-tunnel tpid
Use this command to set the global setting for the QinQ outer tag ethertype field. Use the no form of the command to set the ethertype field to the default value.

Syntax
[no] dot1q-tunnel tpid ethertype
ethertype – A specific Ethernet protocol number. (Range: 800-ffff hex)

Default Setting
The ethertype is set to 0x8100

Command Mode
Global Configuration

Command Usage
Use the dot1q-tunnel tpid command to set the global custom 802.
switchport dot1q-tunnel mode
This command configures an interface as a QinQ tunnel port. Use the no form to disable QinQ on the interface.

Syntax
switchport dot1q-tunnel mode {access | uplink}
no switchport dot1q-tunnel mode
access – Sets the port as an 802.1Q tunnel access port.
uplink – Sets the port as an 802.1Q tunnel uplink port.
Default Setting
Disabled

Command Mode
Interface Configuration (Ethernet, Port Channel)

Command Usage
When priority bits are found in the inner tag, these are also copied to the outer tag. This allows the service provider to differentiate service based on the indicated priority and appropriate methods of queue management at intermediate nodes across the tunnel.
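The priority copy described above is easiest to see on the wire. The following added example, not code from this guide or from Edgecore, builds a customer frame with an 802.1Q tag, inserts the outer service tag the way a tunnel access port would (copying the inner PCP and DEI bits, using the dot1q-tunnel tpid value, default 0x8100 as the guide states) and removes it again as the uplink-to-access direction would. The tag layout (two-byte TPID followed by a two-byte TCI of 3 PCP bits, 1 DEI bit and a 12-bit VID) is standard 802.1Q; the sample MAC addresses and payload are constructed, and the function names are the example's own.

```python
# Added example (not from the ECS4130-28T guide): encode and decode a
# double-tagged (QinQ) Ethernet frame to show the inner tag's priority bits
# being copied into the outer service tag. Sample frames are constructed.

import struct
from typing import Optional, Tuple

C_TAG_TPID = 0x8100          # customer tag ethertype
Tag = Tuple[int, int, int]   # (pcp, dei, vid)


def read_tag(frame: bytes, offset: int, tpid: int) -> Optional[Tag]:
    """Return (pcp, dei, vid) if a tag with the given TPID starts at offset, else None."""
    if len(frame) < offset + 4:
        return None
    found, tci = struct.unpack_from("!HH", frame, offset)
    if found != tpid:
        return None
    return (tci >> 13) & 0x7, (tci >> 12) & 0x1, tci & 0x0FFF


def add_outer_tag(frame: bytes, svid: int, tpid: int = 0x8100) -> bytes:
    """Insert a service tag after the source MAC, copying the inner tag's PCP/DEI.

    An untagged customer frame gets priority 0 (assumption for this example).
    The TPID range check follows the guide's dot1q-tunnel tpid range (800-ffff hex).
    """
    if not 0x0800 <= tpid <= 0xFFFF:
        raise ValueError("tpid must be in the range 800-ffff hex")
    if not 1 <= svid <= 4094:
        raise ValueError("S-VID must be 1-4094")
    inner = read_tag(frame, 12, C_TAG_TPID)
    pcp, dei = (inner[0], inner[1]) if inner else (0, 0)
    tci = (pcp << 13) | (dei << 12) | svid
    return frame[:12] + struct.pack("!HH", tpid, tci) + frame[12:]


def strip_outer_tag(frame: bytes, tpid: int = 0x8100) -> Tuple[Optional[Tag], bytes]:
    """Remove the service tag (uplink-to-access path); return (outer_tag, customer_frame)."""
    outer = read_tag(frame, 12, tpid)
    if outer is None:
        return None, frame
    return outer, frame[:12] + frame[16:]


def make_customer_frame(pcp: int, cvid: int, payload: bytes = b"\x00" * 46) -> bytes:
    """Constructed sample: broadcast dst, fixed src, 802.1Q tag, IPv4 ethertype, payload."""
    dst = bytes.fromhex("ffffffffffff")
    src = bytes.fromhex("001122334455")
    tci = (pcp << 13) | cvid
    return dst + src + struct.pack("!HH", C_TAG_TPID, tci) + struct.pack("!H", 0x0800) + payload


if __name__ == "__main__":
    customer = make_customer_frame(pcp=5, cvid=10)
    tunneled = add_outer_tag(customer, svid=100)
    print("outer tag:", read_tag(tunneled, 12, 0x8100))   # priority 5 carried to S-tag
    print("inner tag:", read_tag(tunneled, 16, C_TAG_TPID))
    outer, restored = strip_outer_tag(tunneled)
    print("round trip intact:", restored == customer)
```

Parsing captured frames with read_tag at offsets 12 and 16 is also a quick way to confirm, from a mirror port, that an uplink is actually emitting double-tagged frames with the expected TPID and that customer priorities are surviving the tunnel.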
differentiated service pathways to follow across the service provider’s network for traffic arriving from specified inbound customer VLANs.
◆ Note that all customer interfaces should be configured as access interfaces (that is, a user-to-network interface) and service provider interfaces as uplink interfaces (that is, a network-to-network interface). Use the dot1q-tunnel tpid uplink command to set an interface to access or uplink mode.
Console(config)#interface ethernet 1/1
Console(config-if)#switchport dot1q-tunnel service 100 match cvid 10
Console(config-if)#switchport dot1q-tunnel service 200 match cvid 20
Console(config-if)#switchport dot1q-tunnel service 300 match cvid 30
6.
Console(config)#show dot1q-tunnel service 100
802.1Q Tunnel Service Subscriptions
Port     Match C-VID S-VID
-------- ----------- -----
Eth 1/ 3          10   100
Console#

show dot1q-tunnel
This command displays information about QinQ tunnel ports.

Syntax
show dot1q-tunnel [interface interface]
interface
ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number.
Eth 1/ 6           1   100
Console#
Related Commands dot1q-tunnel tpid (544)
Configuring L2PT Tunneling This section describes the commands used to configure Layer 2 Protocol Tunneling (L2PT).
Command Usage
◆ When L2PT is not used, protocol packets (such as STP) are flooded to 802.1Q access ports on the same edge switch, but filtered from 802.1Q tunnel ports. This creates disconnected protocol domains in the customer’s network.
◆ L2PT can be used to pass various types of protocol packets belonging to the same customer transparently across a service provider’s network.
■ L2PT is disabled on the port, the frame is decapsulated and processed locally by the switch if the protocol is supported.
■ with destination address 01-80-C2-00-00-01~0A (S-VLAN), the frame is filtered, decapsulated, and processed locally by the switch if the protocol is supported.
Example
Console(config)#dot1q-tunnel system-tunnel-control
Console(config)#l2protocol-tunnel tunnel-dmac 01-80-C2-00-00-01
Console(config)#
switchport l2protocol-tunnel – This command enables Layer 2 Protocol Tunneling (L2PT) for the specified protocol. Use the no form to disable L2PT for the specified protocol.
Chapter 20 | VLAN Commands Configuring VLAN Translation show This command shows settings for Layer 2 Protocol Tunneling (L2PT).
ingress - specifies ingress only
egress - specifies egress only
original-vlan - The original VLAN ID. (Range: 1-4094)
new-vlan - The new VLAN ID. (Range: 1-4094)
Default Setting Disabled
Command Mode Interface Configuration (Ethernet)
Command Usage ◆ If the next switch upstream does not support QinQ tunneling, then use this command to map the customer’s VLAN ID to the service provider’s VLAN ID for the upstream port.
Console(config-vlan)#vlan 100 media ethernet state active
Console(config-vlan)#exit
Console(config)#interface ethernet 1/1,2
Console(config-if)#switchport allowed vlan add 10 tagged
Console(config-if)#switchport allowed vlan add 100 tagged
Console(config-if)#interface ethernet 1/1
Console(config-if)#switchport vlan-translation 10 100
Console(config-if)#end
Console#show vlan-translation
Ingress VLAN Translation
Interface Old VID New VID
--------- ------- -------
Eth 1/ 2      200      10
Console#
Configuring Protocol-based VLANs The network devices required to support multiple protocols cannot be easily grouped into a common VLAN. This may require non-standard devices to pass traffic between different VLANs in order to encompass all the devices participating in a specific protocol. This kind of configuration deprives users of the basic benefits of VLANs, including security and easy accessibility.
access can be regained by removing the offending Protocol VLAN rule via the console. Alternately, the switch can be power-cycled; however, all unsaved configuration changes will be lost.
protocol-vlan protocol-group – This command creates a protocol group, or adds specific protocols to a group. Use the no form to remove a protocol group.
vlan-id - VLAN to which matching protocol traffic is forwarded. (Range: 1-4094)
priority - The priority assigned to untagged ingress traffic. (Range: 0-7, where 7 is the highest priority)
Default Setting No protocol groups are mapped for any interface. Priority: 0
Command Mode Interface Configuration (Ethernet, Port Channel)
Command Usage ◆ When creating a protocol-based VLAN, only assign interfaces via this command.
group-id - Group identifier for a protocol group. (Range: 1-2147483647)
sort-by-type - Sort display information by frame type and protocol type.
Default Setting All protocol groups are displayed.
Configuring IP Subnet VLANs When using IEEE 802.1Q port-based VLAN classification, all untagged frames received by a port are classified as belonging to the VLAN whose VID (PVID) is associated with that port. When IP subnet-based VLAN classification is enabled, the source address of each untagged ingress frame is checked against the IP subnet-to-VLAN mapping table.
◆ When an untagged frame is received by a port, the source IP address is checked against the IP subnet-to-VLAN mapping table, and if an entry is found, the corresponding VLAN ID is assigned to the frame. If no mapping is found, the PVID of the receiving port is assigned to the frame.
◆ The IP subnet cannot be a broadcast or multicast IP address.
Configuring MAC Based VLANs When using IEEE 802.1Q port-based VLAN classification, all untagged frames received by a port are classified as belonging to the VLAN whose VID (PVID) is associated with that port. When MAC-based VLAN classification is enabled, the source address of each untagged ingress frame is checked against the MAC address-to-VLAN mapping table.
◆ A source MAC address can be mapped to only one VLAN ID.
◆ Configured MAC addresses cannot be broadcast or multicast addresses.
◆ When MAC-based, IP subnet-based, and protocol-based VLANs are supported concurrently, they are applied in that order of precedence, with port-based VLAN classification (the PVID) applied last.
◆ In binary, the mask must consist of contiguous 1 bits starting from the most significant bit, followed only by 0 bits (for example 111 is valid, while 101 or 001 is not).
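How the three classification tables combine with the PVID, as an added example rather than code from the guide or the switch: it applies the precedence stated above (MAC, then IP subnet, then protocol, then the port PVID), enforces the mask and address rules from the MAC-based and IP-subnet sections, and returns which rule decided the VLAN so a misclassification can be traced. The table contents, the class and function names, and the EtherType values are assumptions for the example.

```python
import ipaddress


def mac_to_int(mac: str) -> int:
    return int(mac.replace("-", "").replace(":", ""), 16)


def mask_is_contiguous(mask: str) -> bool:
    """The guide requires the binary mask to be a run of 1s followed by 0s
    (ff-ff-ff-00-00-00 is fine, ff-ff-f0-0f-00-00 is not)."""
    inv = (~mac_to_int(mask)) & ((1 << 48) - 1)  # zero bits of the mask become ones
    return inv & (inv + 1) == 0                  # a contiguous low run of ones is 2**n - 1


def is_unicast(mac: str) -> bool:
    """I/G bit (least significant bit of the first octet) clear: neither multicast nor broadcast."""
    return mac_to_int(mac) & (1 << 40) == 0


class UntaggedFrameClassifier:
    """Applies the precedence the guide states for untagged frames:
    MAC-based, then IP subnet-based, then protocol-based, then the port PVID."""

    def __init__(self, pvid: int):
        self.pvid = pvid
        self.mac_rules = []       # (mac & mask, mask, vid)
        self.subnet_rules = []    # (ip_network, vid), longest prefix first
        self.protocol_rules = {}  # ethertype -> vid

    def add_mac(self, mac: str, mask: str, vid: int) -> None:
        if not is_unicast(mac):
            raise ValueError(f"{mac}: broadcast/multicast addresses cannot be mapped")
        if not mask_is_contiguous(mask):
            raise ValueError(f"{mask}: mask bits must be contiguous from the left")
        m = mac_to_int(mask)
        self.mac_rules.append((mac_to_int(mac) & m, m, vid))

    def add_subnet(self, cidr: str, vid: int) -> None:
        net = ipaddress.ip_network(cidr, strict=False)
        if net.is_multicast or net.network_address == ipaddress.ip_address("255.255.255.255"):
            raise ValueError(f"{cidr}: subnet cannot be a broadcast or multicast address")
        self.subnet_rules.append((net, vid))
        self.subnet_rules.sort(key=lambda r: -r[0].prefixlen)  # most specific subnet wins (assumption)

    def add_protocol(self, ethertype: int, vid: int) -> None:
        self.protocol_rules[ethertype] = vid

    def classify(self, src_mac: str, src_ip, ethertype: int):
        """Return (vid, rule_type) for an untagged ingress frame."""
        m = mac_to_int(src_mac)
        for base, mask, vid in self.mac_rules:
            if m & mask == base:
                return vid, "mac"
        if src_ip is not None:
            ip = ipaddress.ip_address(src_ip)
            for net, vid in self.subnet_rules:
                if ip in net:
                    return vid, "ip-subnet"
        if ethertype in self.protocol_rules:
            return self.protocol_rules[ethertype], "protocol"
        return self.pvid, "port"


if __name__ == "__main__":
    c = UntaggedFrameClassifier(pvid=1)
    c.add_mac("00-12-34-56-78-90", "ff-ff-ff-00-00-00", 50)  # constructed OUI-style rule
    c.add_subnet("10.1.0.0/16", 60)
    c.add_protocol(0x0800, 70)                                  # IPv4
    for frame in [("00-12-34-ab-cd-ef", "10.1.2.3", 0x0800),
                  ("00-aa-bb-cc-dd-ee", "10.1.2.3", 0x0800),
                  ("00-aa-bb-cc-dd-ee", "192.0.2.5", 0x0800),
                  ("00-aa-bb-cc-dd-ee", None, 0x0806)]:
        print(frame, "->", c.classify(*frame))
```

The first constructed frame matches both the MAC rule and the IP subnet rule, and the MAC rule wins; that is the ordering that matters when the same host could be steered to different VLANs by different tables. All three tables classify on fields the sending host controls, so none of them is a substitute for port security or 802.1X when the goal is keeping a host out of a VLAN.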
Configuring Voice VLANs The switch allows you to specify a Voice VLAN for the network and set a CoS priority for the VoIP traffic. VoIP traffic can be detected on switch ports by using the source MAC address of packets, or by using LLDP (IEEE 802.1AB) to discover connected VoIP devices. When VoIP traffic is detected on a configured port, the switch automatically assigns the port to the Voice VLAN. Alternatively, switch ports can be manually configured.
◆ VoIP traffic can be detected on switch ports by using the source MAC address of packets, or by using LLDP (IEEE 802.1AB) to discover connected VoIP devices. When VoIP traffic is detected on a configured port, the switch automatically assigns the port as a tagged member of the Voice VLAN.
◆ Only one Voice VLAN is supported and it must already be created on the switch before it can be specified as the Voice VLAN.
Note that when the switchport voice vlan command is set to auto mode, the show voice vlan command displays the remaining aging time. If the switchport voice vlan command is disabled or set to manual mode, the remaining aging time is displayed as “NA.”
Example The following example configures the Voice VLAN aging time as 3000 minutes.
Example The following example adds a MAC OUI to the OUI Telephony list.
Console(config)#voice vlan mac-address 00-12-34-56-78-90 mask ff-ff-ff-00-00-00 description "A new phone"
Console(config)#
switchport voice vlan – This command specifies the Voice VLAN mode for ports. Use the no form to disable the Voice VLAN feature on the port.
switchport voice vlan priority – This command specifies a CoS priority for VoIP traffic on a port. Use the no form to restore the default priority on a port.
Syntax switchport voice vlan priority priority-value no switchport voice vlan priority
priority-value - The CoS priority value. (Range: 0-6)
Default Setting 6
Command Mode Interface Configuration
Command Usage Specifies a CoS priority to apply to the port VoIP traffic on the Voice VLAN.
Command Usage
◆ When OUI is selected, be sure to configure the MAC address ranges in the Telephony OUI list (see the voice vlan mac-address command). MAC address OUI numbers must be configured in the Telephony OUI list so that the switch recognizes the traffic as being from a VoIP device.
◆ LLDP checks that the “telephone bit” in the system capability TLV is turned on. See “LLDP Commands” on page 733 for more information on LLDP.
◆ Both detection methods act on information supplied by the attached device (its source MAC address, or the capabilities it advertises in LLDP). A host that spoofs an address from a listed OUI, or advertises the telephone capability, is treated as a VoIP device and placed in the Voice VLAN, so keep the OUI list limited to the phone models actually deployed and do not rely on the Voice VLAN as a security boundary.
show voice vlan – This command displays the Voice VLAN settings on the switch and the OUI Telephony list.
Syntax show voice vlan {oui | status}
oui - Displays the OUI Telephony list.
status - Displays the global and port Voice VLAN settings.
21 ERPS Commands The G.8032 recommendation, also referred to as Ethernet Ring Protection Switching (ERPS), can be used to increase the availability and robustness of Ethernet rings. This chapter describes commands used to configure ERPS.
Table 111: ERPS Commands (Continued)
Command | Function | Mode
raps-def-mac | Sets the switch’s MAC address to be used as the node identifier in R-APS messages | ERPS Inst
raps-without-vc | Terminates the R-APS channel at the primary ring to sub-ring interconnection nodes | ERPS Inst
version | Specifies compatibility with ERPS version 1 or 2 | ERPS Inst
inclusion-vlan | Specifies the VLAN groups to be included in the ERPS protection ring | ERPS Inst
6. Configure ERPS timers: Use the guard-timer command to set the timer used to prevent ring nodes from receiving outdated R-APS messages, the holdoff-timer command to filter out intermittent link faults, and the wtr-timer command to verify that the ring has stabilized before blocking the RPL after recovery from a signal failure.
7. Configure the ERPS Control VLAN (CVLAN): Use the control-vlan command to create the VLAN used to pass R-APS ring maintenance commands.
Example
Console(config)#erps
Console(config)#
Related Commands enable (ring) (580)
erps node-id – This command sets the MAC address for a ring node. Use the no form to restore the default setting.
Syntax erps node-id mac-address no erps node-id
mac-address – A MAC address unique to the ring node. The MAC address must be specified in the format xx-xx-xx-xx-xx-xx or xxxxxxxxxxxx.
erps vlan-group – This command creates or modifies an ERPS VLAN group. Use the no form of this command to remove VLANs from a VLAN group or to delete a VLAN group.
Syntax erps vlan-group vlan-group-name {add|remove} vlan-list no erps vlan-group vlan-group-name
vlan-group-name – Name of the VLAN group. (Range: 1-12 characters)
add – Adds VLANs to a group.
remove – Deletes VLANs from a group.
Command Usage ◆ The switch can support ERPS rings up to half the number of physical ports on the switch.
Example
Console(config)#erps ring campus1
Console(config-erps-ring)#
erps instance – This command creates an ERPS instance and enters ERPS instance configuration mode. Use the no form to delete an ERPS instance.
Syntax erps instance instance-name [id ring-id] no erps instance instance-name
instance-name - Name of a specific ERPS instance.
ring-port – This command configures a node’s connection to the ring through the east or west interface. Use the no form to disassociate a node from the ring.
Syntax ring-port {east | west} interface interface no ring-port {east | west}
east - Connects to next ring node to the east.
west - Connects to next ring node to the west.
interface ethernet unit/port unit - Unit identifier. (Range: 1) port - Port number.
exclusion-vlan – Use this command to specify VLAN groups that are to be on the exclusion list of a physical ERPS ring. Use the no form of the command to remove VLAN groups from the list.
Syntax [no] exclusion-vlan vlan-group-name
vlan-group-name - Name of the VLAN group. (Range: 1-12 characters)
Default Setting None
Command Mode ERPS Ring Configuration
Command Usage ◆ VLANs that are on the exclusion list are not protected by the ERPS ring.
◆ Once enabled, the RPL owner node and non-owner node state machines will start, and the ring will enter idle state if no signal failures are detected.
Example
Console(config-erps-ring)#enable
Console(config-erps-ring)#
Related Commands erps (575)
enable (instance) – This command activates the current ERPS instance. Use the no form to disable the current instance.
no meg-level
level - The maintenance entity group (MEG) level which provides a communication channel for ring automatic protection switching (R-APS) information. (Range: 0-7)
Default Setting 1
Command Mode ERPS Instance Configuration
Command Usage ◆ This parameter is used to ensure that received R-APS PDUs are directed for this instance. A unique level should be configured for each local instance if there are many R-APS PDUs passing through this switch.
■ The Control VLAN must not be configured as a Layer 3 interface (with an IP address), nor as a dynamic VLAN (with GVRP enabled).
■ In addition, only ring ports may be added to the Control VLAN. No other ports can be members of this VLAN.
■ Also, the ring ports of the Control VLAN must be tagged.
◆ Once the instance has been activated with the enable (instance) command, the configuration of the control VLAN cannot be modified.
Example
Console(config-erps-inst)#rpl owner
Console(config-erps-inst)#
rpl neighbor – This command configures a ring node to be the Ring Protection Link (RPL) neighbor. Use the no form to restore the default setting.
wtr-timer – This command sets the wait-to-restore timer which is used to verify that the ring has stabilized before blocking the RPL after recovery from a signal failure. Use the no form to restore the default setting.
Syntax wtr-timer minutes no wtr-timer
minutes - The wait-to-restore timer is used to verify that the ring has stabilized before blocking the RPL after recovery from a signal failure.
Command Usage The guard timer duration should be greater than the maximum expected forwarding delay for an R-APS message to pass around the ring. A side-effect of the guard timer is that during its duration, a node will be unaware of new or existing ring requests transmitted from other nodes.
Example
Console(config-erps-inst)#guard-timer 300
Console(config-erps-inst)#
holdoff-timer – This command sets the timer to filter out intermittent link faults.
major-ring – This command specifies the ERPS ring used for sending control packets. Use the no form to remove the current setting.
Syntax major-ring instance-name no major-ring
instance-name - Name of the ERPS instance used for sending control packets. (Range: 1-12 characters)
Default Setting None
Command Mode ERPS Instance Configuration
Command Usage ◆ ERPS control packets can only be sent on one instance.
Command Usage
◆ When a secondary ring detects a topology change, it can pass a message about this event to the major ring. When the major ring receives this kind of message from a secondary ring, it can clear the MAC addresses on its ring ports to help the secondary ring restore its connections more quickly through protection switching.
◆ When the MAC addresses are cleared, data traffic may flood onto the major ring.
Default Setting Disabled
Command Mode ERPS Instance Configuration
Command Usage ◆ Revertive behavior allows the switch to automatically return the RPL from Protection state to Idle state through the exchange of protocol messages. Non-revertive behavior for Protection, Forced Switch, and Manual Switch states is basically the same. Non-revertive behavior requires the erps clear command to be used to return the RPL from Protection state to Idle state.
it is an R-APS (NR, RB) message without a DNF (do not flush) indication, all ring nodes flush the FDB.
■ Recovery with Non-revertive Mode – In non-revertive operation, the ring does not automatically revert when all ring links and ring nodes have recovered and no external requests are active. Non-revertive operation is handled in the following way:
a. The RPL Owner Node does not generate a response on reception of an R-APS (NR) message.
b.
channel over the RPL, transmitting an R-APS (NR, RB) message over both ring ports, informing the ring that the RPL is blocked, and flushes the FDB.
d. The acceptance of the R-APS (NR, RB) message causes all ring nodes to unblock any blocked non-RPL that does not have an SF condition. If it is an R-APS (NR, RB) message without a DNF indication, all ring nodes flush their FDB. This action unblocks the ring port which was blocked as a result of an operator command.
APS (MS) message is ignored due to the higher priority of the WTB running signal.
b. When the WTB timer expires, it generates the WTB expire signal. The RPL Owner Node, upon reception of this signal, initiates reversion by blocking the traffic channel on the RPL, transmitting an R-APS (NR, RB) message over both ring ports, informing the ring that the RPL is blocked, and flushes its FDB.
c.
Command Usage
◆ When ring nodes running ERPSv1 and ERPSv2 co-exist on the same ring, the Ring ID of each ring node must be configured as “1”.
◆ If this command is disabled, the following strings are used as the node identifier:
■ ERPSv1: 01-19-A7-00-00-01
■ ERPSv2: 01-19-A7-00-00-[Ring ID]
Example
Console(config-erps-inst)#raps-def-mac
Console(config-erps-inst)#
raps-without-vc – This command terminates the R-APS channel at the primary ring to sub-ring interconnection nodes.
Note that the R-APS virtual channel requires a certain amount of bandwidth to forward R-APS messages on the interconnected Ethernet network where a sub-ring is attached. Also note that the protection switching time of the sub-ring may be affected if R-APS messages traverse a long distance over an R-APS virtual channel.
Figure 7: Sub-ring without Virtual Channel / Sub-ring with Virtual Channel (diagram showing the Major Ring, Ring Nodes, Interconnection Nodes and the RPL Port; image not reproduced)
Example
Console(config-erps-inst)#raps-without-vc
Console(config-erps-inst)#
version – This command specifies compatibility with ERPS version 1 or 2.
Syntax version {1 | 2} no version
1 - ERPS version 1 based on ITU-T G.8032/Y.1344.
2 - ERPS version 2 based on ITU-T G.8032/Y.1344 Version 2.
◆ The version number is automatically set to “1” when a ring node, supporting only the functionalities of G.8032v1, exists on the same ring with other nodes that support G.8032v2.
◆ When ring nodes running G.8032v1 and G.8032v2 co-exist on a ring, the ring ID of each node is configured as “1”.
◆ In version 1, the MAC address 01-19-A7-00-00-01 is used for the node identifier. The raps-def-mac command has no effect.
physical-ring – Use this command to associate an ERPS instance with an existing physical ring. Use the no form of the command to remove the association.
Syntax physical-ring ring-name no physical-ring
ring-name - Name of a specific ERPS ring. (Range: 1-12 characters)
Default Setting None
Command Mode ERPS Instance Configuration
Command Usage The physical ring name must first be defined using the erps ring command.
continuously transmitted by this ring node while the local FS command is the ring node’s highest priority command (see Table 112 on page 598). The R-APS (FS) message informs other ring nodes of the FS command and that the traffic channel is blocked on one ring port.
c. A ring node accepting an R-APS (FS) message, without any local higher priority requests unblocks any blocked ring port. This action subsequently unblocks the traffic channel over the RPL.
d.
Table 112: ERPS Request/State Priority (Continued)
Request / State and Status | Type | Priority
WTB Expires | local |
WTB Running | local |
R-APS (NR, RB) | remote |
R-APS (NR) | remote | lowest
* If an Ethernet Ring Node is in the Forced Switch state, local SF is ignored.
◆ Recovery for forced switching under revertive and non-revertive mode is described under the Command Usage section for the non-revertive command.
a. If no other higher priority commands exist, the ring node, where a manual switch command was issued, blocks the traffic channel and R-APS channel on the ring port to which the command was issued, and unblocks the other ring port.
b. If no other higher priority commands exist, the ring node where the manual switch command was issued transmits R-APS messages over both ring ports indicating MS.
Example
Console#erps manual-switch instance r&d west
Console#
erps clear – This command manually clears the protection state invoked by a forced switch or manual switch command when the node is operating in non-revertive mode, or clears it before the WTR or WTB timer expires when the node is operating in revertive mode.
Syntax erps clear instance instance-name
instance-name - Name of a specific ERPS instance.
Command Mode Privileged Exec
Example
Console#clear erps statistics instance r&d
Console#
show erps statistics – This command displays statistics information for all configured instances, or for a specified instance.
Syntax show erps statistics [instance instance-name]
instance-name - Name of a specific ERPS instance. (Range: 1-12 characters)
Command Mode Privileged Exec
Example This example displays statistics for all configured ERPS instances.
Table 113: show erps statistics - detailed display description
Field | Description
Interface | The direction, and port or trunk which is configured as a ring port.
Local SF | A signal fault generated on a link to the local node.
Console#
This example displays a summary of all the ERPS rings configured on the switch.
Console#show erps ring
ERPS Status : Enabled
ERPS node-id : B8-6A-97-41-F3-83
Number of ERPS Ring : 2
Ring         ID  Enabled  West I/F  East I/F
------------ --- -------- --------- ---------
test1        1   No
campus1      2   Yes      Eth 1/1   Eth 1/3
Console#
Table 114: show erps ring - summary display description
Field | Description
ERPS Status | Shows whether ERPS is enabled on the switch.
This example displays a summary of all the ERPS instances configured on the switch.
22 Class of Service Commands The commands described in this section allow you to specify which data packets have greater precedence when traffic is buffered in the switch due to congestion. This switch supports CoS with eight priority queues for each port. Data packets in a port’s high-priority queue will be transmitted before those in the lower-priority queues.
Chapter 22 | Class of Service Commands Priority Commands (Layer 2)
queue mode – This command sets the scheduling mode used for processing each of the class of service (CoS) priority queues. The options include strict priority, Weighted Round-Robin (WRR), or a combination of strict and weighted queuing. Use the no form to restore the default value.
◆ Service time is shared at the egress ports by defining scheduling weights for WRR, or for the queuing mode that uses a combination of strict and weighted queuing. Service time is allocated to each queue by calculating a precise number of bytes per second that will be serviced on each round.
◆ The specified queue mode applies to all interfaces.
Example The following example shows how to assign round-robin weights of 1 - 8 to the CoS priority queues 0 - 7.
Console(config)#queue weight 1 2 3 4 5 6 7 8
Console(config)#
Related Commands queue mode (608) show queue weight (611)
switchport priority default – This command sets a priority for incoming untagged frames. Use the no form to restore the default value.
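To make the three queue modes concrete, here is an added simulation that is not code from the guide or the switch: eight queues of constructed packets are served under strict priority, under byte-based weighted round robin (each queue is granted weight times a quantum of bytes per round, matching the guide's description of a bytes-per-round allocation), and under the combined mode where the top queues are strict and the rest are weighted. The quantum of 64 bytes, the packet sizes and the function names are assumptions for the example.

```python
from collections import deque


def make_queues(packets_by_queue):
    """Eight egress queues (0 lowest, 7 highest) holding packet sizes in bytes."""
    return {q: deque(packets_by_queue.get(q, [])) for q in range(8)}


def schedule(queues, weights, mode="wrr", strict_from=8, quantum=64, rounds=1):
    """Return the transmission order as (queue, size) pairs over `rounds` rounds.

    mode: 'strict'      - queue 7 is drained first, then 6, ... then 0
          'wrr'         - every queue gets weights[q] * quantum bytes of credit per round
          'strict-wrr'  - queues >= strict_from are strict, the remainder are weighted
    Credit left over because the head packet did not fit carries into the next
    round; an idle queue's credit is reset so it cannot hoard bandwidth.
    """
    if mode == "strict":
        strict_from = 0
    elif mode == "wrr":
        strict_from = 8
    credit = {q: 0 for q in range(8)}
    sent = []
    for _ in range(rounds):
        # Strict queues: nothing below them is served while they hold data.
        for q in range(7, strict_from - 1, -1):
            while queues[q]:
                sent.append((q, queues[q].popleft()))
        # Weighted queues: top up credit, then send while the head packet fits.
        for q in range(strict_from - 1, -1, -1):
            if not queues[q]:
                credit[q] = 0
                continue
            credit[q] += weights[q] * quantum
            while queues[q] and queues[q][0] <= credit[q]:
                credit[q] -= queues[q][0]
                sent.append((q, queues[q].popleft()))
    return sent


def bytes_per_queue(sent):
    """Bytes transmitted from each queue, to compare against the weights."""
    out = {q: 0 for q in range(8)}
    for q, size in sent:
        out[q] += size
    return out


if __name__ == "__main__":
    weights = [1, 2, 3, 4, 5, 6, 7, 8]  # the 'queue weight 1 2 3 4 5 6 7 8' example
    backlog = {q: [64] * 10 for q in range(8)}  # constructed: every queue is congested
    for mode in ("strict", "wrr", "strict-wrr"):
        sent = schedule(make_queues(backlog), weights, mode=mode, strict_from=6, rounds=1)
        print(mode, bytes_per_queue(sent))
```

With every queue congested, one WRR round hands queue 7 eight packets and queue 0 one packet, in proportion to the weights; in strict mode queue 0 is not served at all until queues 7 through 1 are empty, which is the starvation the combined mode is meant to limit to the few queues you deliberately make strict.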
Example The following example shows how to set a default priority on port 3 to 5:
Console(config)#interface ethernet 1/3
Console(config-if)#switchport priority default 5
Console(config-if)#
Related Commands show interfaces switchport (413)
show queue mode – This command shows the current queue mode.
Priority Commands (Layer 3 and 4) This section describes commands used to configure Layer 3 and 4 traffic priority mapping on the switch.
qos map phb-queue – This command determines the hardware output queue to use based on the internal per-hop behavior value. Use the no form to restore the default settings.
Syntax qos map phb-queue queue-id from phb0 ... phb7 no qos map phb-queue phb0 ... phb7
phb - Per-hop behavior, or the priority used for this router hop. (Range: 0-7)
queue-id - The ID of the priority queue.
qos map cos-dscp – This command maps CoS/CFI values in incoming packets to per-hop behavior and drop precedence values for priority processing. Use the no form to restore the default settings.
Syntax qos map cos-dscp phb drop-precedence from cos0 cfi0...cos7 cfi7 no qos map cos-dscp cos0 cfi0...cos7 cfi7
phb - Per-hop behavior, or the priority used for this router hop.
drop precedence values for internal processing. Note that priority tags in the original packet are not modified by this command.
◆ The internal DSCP consists of three bits for per-hop behavior (PHB) which determines the queue to which a packet is sent; and two bits for drop precedence (namely color) which is used to control traffic congestion.
◆ The specified mapping applies to all interfaces.
Table 120: Default Mapping of DSCP Values to Internal PHB/Drop Values The ingress DSCP is composed of ingress-dscp10 (most significant digit in the left column) and ingress-dscp1 (least significant digit in the top row (in other words, ingress-dscp = ingress-dscp10 * 10 + ingress-dscp1); and the corresponding internal-dscp is shown at the intersecting cell in the table.
phb - Per-hop behavior, or the priority used for this router hop. (Range: 0-7)
drop-precedence - Drop precedence used for controlling traffic congestion.
Command Usage
◆ If the QoS mapping mode is set to IP Precedence with this command, and the ingress packet type is IPv4, then priority processing will be based on the IP Precedence value in the ingress packet.
◆ If the QoS mapping mode is set to DSCP with this command, and the ingress packet type is IPv4, then priority processing will be based on the DSCP value in the ingress packet.
CoS-DSCP map. (x,y), x: phb, y: drop precedence:
CoS : CFI    0      1
-----------------------
  0        (0,0)  (0,0)
  1        (1,0)  (1,0)
  2        (2,0)  (2,0)
  3        (3,0)  (3,0)
  4        (4,0)  (4,0)
  5        (5,0)  (5,0)
  6        (6,0)  (6,0)
  7        (7,0)  (7,0)
Console#
show qos map dscp-mutation – This command shows the ingress DSCP to internal DSCP map.
Syntax show qos map dscp-mutation interface interface
interface ethernet unit/port unit - Unit identifier. (Range: 1) port - Port number.
show qos map ip-prec-dscp – This command shows the ingress IP precedence to internal DSCP map.
Syntax show qos map ip-prec-dscp interface interface
interface ethernet unit/port unit - Stack unit. (Range: 1) port - Port number.
Example
Console#show qos map phb-queue interface ethernet 1/5
Information of Eth 1/5
PHB-queue map:
PHB:   0 1 2 3 4 5 6 7
-----------------------
queue: 2 0 1 3 4 5 6 7
Console#
show qos map trust-mode – This command shows the QoS mapping mode.
Syntax show qos map trust-mode interface interface
interface ethernet unit/port unit - Unit identifier. (Range: 1) port - Port number.
23 Quality of Service Commands The commands described in this section are used to configure Differentiated Services (DiffServ) classification criteria and service policies. You can classify traffic based on access lists, IP Precedence or DSCP values, or VLANs. Using access lists allows you to select traffic based on Layer 2, Layer 3, or Layer 4 information contained in each packet.
To create a service policy for a specific category of ingress traffic, follow these steps:
1. Use the class-map command to designate a class name for a specific category of traffic, and enter the Class Map configuration mode.
2. Use the match command to select a specific type of traffic based on an access list, an IPv4 DSCP value, IPv4 Precedence value, a VLAN, or a CoS value.
3.
Command Usage
◆ First enter this command to designate a class map and enter the Class Map configuration mode. Then use match commands to specify the criteria for ingress traffic that will be classified under this class map.
◆ One or more class maps can be assigned to a policy map (page 627). The policy map is then bound by a service policy to an interface (page 638). A service policy defines packet classification, service tagging, and bandwidth policing.
match – This command defines the criteria used to classify traffic. Use the no form to delete the matching criteria.
Syntax [no] match {access-list acl-name | cos cos | ip dscp dscp | ip precedence ip-precedence | vlan vlan}
acl-name - Name of the access control list. Any type of ACL can be specified, including standard or extended IP ACLs and MAC ACLs. (Range: 1-16 characters)
cos - A Class of Service value.
This example creates a class map called “rd-class#2,” and sets it to match packets marked for IP Precedence service value 5.
Console(config)#class-map rd-class#2 match-any
Console(config-cmap)#match ip precedence 5
Console(config-cmap)#
This example creates a class map called “rd-class#3,” and sets it to match packets marked for VLAN 1.
Command Usage
◆ Use the policy-map command to specify the name of the policy map, and then use the class command to configure policies for traffic that matches the criteria defined in a class map.
◆ A policy map can contain multiple class statements that can be applied to the same interface with the service-policy command.
◆ Create a Class Map (page 627) before assigning it to a Policy Map.
■ set cos command sets the class of service value in matching packets. (This modifies packet priority in the VLAN tag.)
■ police commands define parameters such as the maximum throughput, burst rate, and response to non-conforming traffic.
◆ Up to 16 classes can be included in a policy map.
Command Mode Policy Map Class Configuration
Command Usage
◆ You can configure up to 16 policers (i.e., class maps) for ingress ports.
◆ Policing is based on a token bucket, where the bucket depth (i.e., the maximum burst before the bucket overflows) is specified by the committed-burst field, and the average rate at which tokens are added to the bucket is specified by the committed-rate option.
Chapter 23 | Quality of Service Commands police srtcm-color This command defines an enforcer for classified traffic based on a single rate three color meter (srTCM). Use the no form to remove a policer. Syntax [no] police {srtcm-color-blind | srtcm-color-aware} committed-rate committed-burst excess-burst conform-action {transmit | new-dscp} exceed-action {drop | new-dscp} violate action {drop | new-dscp} srtcm-color-blind - Single rate three color meter in color-blind mode.
Chapter 23 | Quality of Service Commands ◆ The meter operates in one of two modes. In the color-blind mode, the meter assumes that the packet stream is uncolored. In color-aware mode the meter assumes that some preceding entity has pre-colored the incoming packet stream so that each packet is either green, yellow, or red. The marker (re)colors an IP packet according to the results of the meter. The color is coded in the DS field [RFC 2474] of the packet.
Chapter 23 | Quality of Service Commands Console(config)#policy-map rd-policy Console(config-pmap)#class rd-class Console(config-pmap-c)#set phb 3 Console(config-pmap-c)#police srtcm-color-blind 100000 4000 6000 conformaction transmit exceed-action 0 violate-action drop Console(config-pmap-c)# police trtcm-color This command defines an enforcer for classified traffic based on a two rate three color meter (trTCM). Use the no form to remove a policer.
Chapter 23 | Quality of Service Commands Command Usage ◆ You can configure up to 16 policers (i.e., class maps) for ingress ports. ◆ The trTCM as defined in RFC 2698 meters a traffic stream and processes its packets based on two rates – Committed Information Rate (CIR) and Peak Information Rate (PIR), and their associated burst sizes - Committed Burst Size (BC) and Peak Burst Size (BP).
Chapter 23 | Quality of Service Commands which are green, yellow, or red. Refer to RFC 2698 for more information on other aspects of trTCM.
Chapter 23 | Quality of Service Commands Example This example creates a policy called “rd-policy,” uses the class command to specify the previously defined “rd-class,” uses the set cos command to classify the service that incoming packets will receive, and then uses the police flow command to limit the average bandwidth to 100,000 Kbps, the burst rate to 4000 bytes, and configure the response to drop any violating packets.
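The token-bucket meters behind the police srtcm-color and police trtcm-color commands, simulated in Python as an added example (not switch firmware, and not code from this guide). It assumes rates in kbit/s, bursts in bytes, color-blind mode and full buckets at start, and maps green/yellow/red onto the conform/exceed/violate actions; the trTCM parameters and the packet burst are constructed values.

```python
"""Simulation of the token-bucket meters behind 'police srtcm-color' (single
rate three color meter, RFC 2697) and 'police trtcm-color' (two rate three
color meter, RFC 2698) in color-blind mode. Added example, not switch
firmware. Assumptions not stated by the guide: rates are in kbit/s, bursts in
bytes, buckets start full, and green/yellow/red map onto the police command's
conform/exceed/violate actions."""

from collections import Counter

GREEN, YELLOW, RED = "green", "yellow", "red"   # conform / exceed / violate


def kbps_to_bytes_per_sec(kbps):
    """Token credit rate: 1 kbit/s = 125 bytes/s."""
    return kbps * 1000.0 / 8.0


class SrTCM:
    """Bucket C (depth committed-burst) fills at CIR; tokens that overflow C
    spill into bucket E (depth excess-burst)."""

    def __init__(self, cir_kbps, committed_burst, excess_burst):
        self.rate = kbps_to_bytes_per_sec(cir_kbps)
        self.cbs, self.ebs = committed_burst, excess_burst
        self.tc, self.te = float(committed_burst), float(excess_burst)
        self.last = 0.0

    def _refill(self, now):
        tokens = self.rate * (now - self.last)
        self.last = now
        add_c = min(tokens, self.cbs - self.tc)
        self.tc += add_c
        self.te = min(float(self.ebs), self.te + tokens - add_c)

    def meter(self, now, size):
        self._refill(now)
        if self.tc >= size:          # within committed burst
            self.tc -= size
            return GREEN
        if self.te >= size:          # within excess burst
            self.te -= size
            return YELLOW
        return RED


class TrTCM:
    """Bucket P (depth peak-burst) fills at PIR and bucket C (depth
    committed-burst) at CIR; a packet must fit in P to avoid red and in both
    P and C to be green."""

    def __init__(self, cir_kbps, pir_kbps, committed_burst, peak_burst):
        self.cir = kbps_to_bytes_per_sec(cir_kbps)
        self.pir = kbps_to_bytes_per_sec(pir_kbps)
        self.cbs, self.pbs = committed_burst, peak_burst
        self.tc, self.tp = float(committed_burst), float(peak_burst)
        self.last = 0.0

    def _refill(self, now):
        dt = now - self.last
        self.last = now
        self.tc = min(float(self.cbs), self.tc + self.cir * dt)
        self.tp = min(float(self.pbs), self.tp + self.pir * dt)

    def meter(self, now, size):
        self._refill(now)
        if self.tp < size:           # above peak rate
            return RED
        if self.tc < size:           # between committed and peak rate
            self.tp -= size
            return YELLOW
        self.tp -= size
        self.tc -= size
        return GREEN


def police(meter, packets):
    """Run (arrival_time_s, size_bytes) packets through a meter in order."""
    return [meter.meter(t, size) for t, size in packets]


def summarize(colors):
    """Count packets per police action."""
    c = Counter(colors)
    return {"conform": c[GREEN], "exceed": c[YELLOW], "violate": c[RED]}


# Constructed traffic: ten 1500-byte frames back to back at t=0, one more 1 ms
# later. The burst exceeds committed-burst 4000 and excess-burst 6000 bytes.
BURST = [(0.0, 1500)] * 10 + [(0.001, 1500)]

if __name__ == "__main__":
    # Parameters from the guide's example: police srtcm-color-blind 100000 4000 6000
    print("srTCM", summarize(police(SrTCM(100000, 4000, 6000), BURST)))
    # Constructed two-rate parameters: CIR 100000, PIR 200000, BC 4000, BP 6000
    print("trTCM", summarize(police(TrTCM(100000, 200000, 4000, 6000), BURST)))
```

The same meter decides what survives when a policy map is attached to the control-plane interface (Chapter 24), which is why the burst sizes matter as much as the rate.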
set phb
This command services IP traffic by setting a per-hop behavior value for a matching packet (as specified by the match command) for internal processing. Use the no form to remove this setting.
Syntax
[no] set phb phb-value
phb-value - Per-hop behavior value.

service-policy
This command applies a policy map defined by the policy-map command to the ingress side of a particular interface. Use the no form to remove this mapping.
Syntax
[no] service-policy {input | output} policy-map-name
input - Apply to the input traffic.
output - Apply to the output traffic.
policy-map-name - Name of the policy map for this interface. (Range: 1-32 characters)
Default Setting
No policy map is attached to an interface.

Example
Console#show class-map
Class Map match-any rd-class#1
 Description: Match IP DSCP 10
 Match access-list rd-access
 Match IP DSCP 0
Class Map match-any rd-class#2
 Match IP Precedence 5
Class Map match-any rd-class#3
 Match VLAN 1
Console#

show policy-map
This command displays the QoS policy maps which define classification criteria for incoming traffic, and may include policers for bandwidth limitations.

show policy-map interface
This command displays the service policy assigned to the specified interface.
Syntax
show policy-map interface interface input
interface
 unit/port
  unit - Unit identifier. (Range: 1)
  port - Port number.
24 Control Plane Commands
Network control packets that are received by the switch are handled by the CPU. This traffic can potentially overwhelm the switch CPU and impact the overall system performance. To prevent the switch CPU from receiving too much traffic, QoS class maps and policy maps can be defined and applied as a service policy to ingress traffic on the CPU’s “control-plane” interface. For details on configuring QoS class maps and policy maps, see “Quality of Service Commands” on page 623.

Chapter 24 | Control Plane Commands

service-policy
This command applies a QoS policy map defined by the policy-map command to the ingress side of the control-plane interface. Use the no form to remove this mapping.
Syntax
[no] service-policy input policy-map-name
input - Apply to the input traffic.
policy-map-name - Name of the policy map for this interface. (Range: 1-32 characters)
Default Setting
No policy map is attached to the control-plane interface.

Example
Console#show policy-map control-plane input
Console#
Console#show policy-map control-plane input class cp-class hardware counters
Service-policy cpu-rate-limit-policy
 Class-map cp-class
  Receive Packets: 95
  Drop Packets: 0
Console#
25 Multicast Filtering Commands
This switch uses IGMP (Internet Group Management Protocol) to check for any attached hosts that want to receive a specific multicast service. It identifies the ports containing hosts requesting a service and sends data out to those ports only. It then propagates the service request up to any neighboring multicast switch/router to ensure that it will continue to receive the multicast service.

Chapter 25 | Multicast Filtering Commands

IGMP Snooping
Table 125: IGMP Snooping Commands (Continued)
Command | Function | Mode
ip igmp snooping router-port-expire-time | Configures the querier timeout | GC
ip igmp snooping tcn-flood | Floods multicast traffic when a Spanning Tree topology change occurs | GC
ip igmp snooping tcn-query-solicit | Sends an IGMP Query Solicitation when a Spanning Tree topology change occurs | GC
ip igmp snooping unregistered-data-flood | Floods unregistered multicast traffic into th

Table 125: IGMP Snooping Commands (Continued)
Command | Function | Mode
clear ip igmp snooping statistics | Clears IGMP snooping statistics | PE
show ip igmp snooping | Shows the IGMP snooping, proxy, and query configuration | PE
show ip igmp snooping group | Shows known multicast group, source, and host port mapping | PE
show ip igmp snooping mrouter | Shows multicast router ports | PE
show ip igmp snooping statistics | Shows IGMP snooping protocol statisti

ip igmp snooping mrouter-forward-mode dynamic
This command configures multicast router ports to forward multicast streams only when multicast groups are joined. Use the no form to disable it.
Syntax
ip igmp snooping mrouter-forward dynamic
no ip igmp snooping mrouter-forward
Default Setting
Disabled
Command Mode
Global Configuration
Example
The following example enables IGMP dynamic forwarding.

ip igmp snooping proxy-reporting
This command enables IGMP Snooping with Proxy Reporting. Use the no form to restore the default setting.
Syntax
[no] ip igmp snooping proxy-reporting
ip igmp snooping vlan vlan-id proxy-reporting {enable | disable}
no ip igmp snooping vlan vlan-id proxy-reporting
vlan-id - VLAN ID (Range: 1-4094)
enable - Enable on the specified VLAN.
disable - Disable on the specified VLAN.

ip igmp snooping querier
This command enables the switch as an IGMP querier. Use the no form to disable it.
Syntax
[no] ip igmp snooping querier
Default Setting
Disabled
Command Mode
Global Configuration
Command Usage
◆ IGMP snooping querier is not supported for IGMPv3 snooping (see ip igmp snooping version).
◆ If enabled, the switch will serve as querier if elected.

Example
Console(config)#ip igmp snooping router-alert-option-check
Console(config)#

ip igmp snooping router-port-expire-time
This command configures the querier timeout. Use the no form to restore the default.
Syntax
ip igmp snooping router-port-expire-time seconds
no ip igmp snooping router-port-expire-time
seconds - The time the switch waits after the previous querier stops before it considers it to have expired.

by default, a switch in a VLAN (with IGMP snooping enabled) that receives a Bridge Protocol Data Unit (BPDU) with the TC bit set (by the root bridge) will enter into “multicast flooding mode” for a period of time until the topology has stabilized and the new locations of all multicast receivers are learned.

Command Usage
◆ When the root bridge in a spanning tree receives a topology change notification for a VLAN where IGMP snooping is enabled, it issues a global IGMP leave message (query solicitation). When a switch receives this solicitation, it floods it to all ports in the VLAN where the spanning tree change occurred. When an upstream multicast router receives this solicitation, it will also immediately issue an IGMP general query.

ip igmp snooping unsolicited-report-interval
This command specifies how often the upstream interface should transmit unsolicited IGMP reports when report suppression/proxy reporting is enabled. Use the no form to restore the default value.
Syntax
ip igmp snooping unsolicited-report-interval seconds
no ip igmp snooping unsolicited-report-interval
seconds - The interval at which to issue unsolicited reports.

Command Mode
Global Configuration
Command Usage
◆ This command configures the IGMP report/query version used by IGMP snooping. Versions 1 - 3 are all supported, and versions 2 and 3 are backward compatible, so the switch can operate with other devices, regardless of the snooping version employed.
◆ If the IGMP snooping version is configured on a VLAN, this setting takes precedence over the global configuration.

Example
Console(config)#ip igmp snooping version-exclusive
Console(config)#

ip igmp snooping vlan general-query-suppression
This command suppresses general queries except for ports attached to downstream multicast hosts. Use the no form to flood general queries to all ports except for the multicast router port.
Command Mode
Global Configuration
Command Usage
◆ If immediate-leave is not used, a multicast router (or querier) will send a group-specific query message when an IGMPv2/v3 group leave message is received. The router/querier stops forwarding traffic for that group only if no host replies to the query within the timeout period.

Command Mode
Global Configuration
Command Usage
This command will take effect only if IGMP snooping proxy reporting or IGMP querier is enabled (page 649).
Example
Console(config)#ip igmp snooping vlan 1 last-memb-query-count 7
Console(config)#

ip igmp snooping vlan last-memb-query-
This command configures the last-member-query interval. Use the no form to restore the default.

ip igmp snooping vlan mrd
This command enables sending of multicast router solicitation messages. Use the no form to disable these messages.

ip igmp snooping vlan proxy-address
This command configures a static source address for locally generated query and report messages used by IGMP proxy reporting. Use the no form to restore the default source address.

Example
The following example sets the source address for proxied IGMP query messages to 10.0.1.8.
Console(config)#ip igmp snooping vlan 1 proxy-address 10.0.1.8
Console(config)#

ip igmp snooping vlan query-interval
This command configures the interval between sending IGMP general queries. Use the no form to restore the default.

ip igmp snooping vlan query-resp-intvl
This command configures the maximum time the system waits for a response to general queries. Use the no form to restore the default.
Syntax
ip igmp snooping vlan vlan-id query-resp-intvl interval
no ip igmp snooping vlan vlan-id query-resp-intvl
vlan-id - VLAN ID (Range: 1-4094)
interval - The maximum time the system waits for a response to general queries.

2006). If proxy reporting is enabled (see ip igmp snooping proxy-reporting), report suppression will still be enabled, regardless of the configuration setting for the report suppression command.
◆ IGMP reports are relayed to the router port only when necessary; that is, when the first user joins a multicast group, and once only per multicast group in response to an IGMP query.

Example
The following shows how to statically configure a multicast group on a port.
Console(config)#ip igmp snooping vlan 1 static 228.0.0.15 ethernet 1/5
Console(config)#

ip igmp snooping immediate-leave
This command enables immediate leave processing on the interface. Use the no form to restore the default.

clear ip igmp snooping statistics
This command clears IGMP snooping statistics.
Syntax
clear ip igmp snooping statistics [interface interface]
interface
 ethernet unit/port
  unit - Unit identifier. (Range: 1)
  port - Port number.

Querier : Disabled
VLAN 1:
-------
IGMP Snooping : Enabled
IGMP Snooping Running Status : Inactive
Version : Using global Version (2)
Version Exclusive : Using global status (Disabled)
Immediate Leave : Disabled
Last Member Query Interval : 10 (unit: 1/10s)
Last Member Query Count : 2
General Query Suppression : Disabled
Query Interval : 125
Query Response Interval : 100 (unit: 1/
Proxy Query Address :
Proxy Reporting :
Multicast Router Discovery :

Command Mode
Privileged Exec
Command Usage
Member types displayed include IGMP or USER, depending on selected options.
Example
The following shows the multicast entries learned through IGMP snooping for VLAN 1.
Console#show ip igmp snooping group vlan 1
Bridge Multicast Forwarding Entry Count:1
Flag: R - Router port, M - Group member port
 H - Host counts (number of hosts join the group on this port).
 P - Port counts (number of ports join the group).

1 Eth 1/10 Static
Console#

show ip igmp snooping statistics
This command shows IGMP snooping protocol statistics for the specified interface.
Syntax
show ip igmp snooping statistics {input [interface interface] | output [interface interface] | query [vlan vlan-id]}
input - Specifies to display statistics for messages received by the interface.
output - Specifies to display statistics for messages sent by the interface.

Table 126: show ip igmp snooping statistics input - display description
Field | Description
G Query | The number of general query messages received on this interface.
G(-S)-S Query | The number of group specific or group-and-source specific query messages received on this interface.
Drop | The number of times a report, leave or query was dropped. Packets may be dropped due to invalid format, rate limiting, or packet content not allowed.

The following shows IGMP query-related statistics for VLAN 1:
Console#show ip igmp snooping statistics query vlan 1
Other Querier : None
Other Querier Expire : 0(m):0(s)
Other Querier Uptime : 0(h):0(m):0(s)
Self Querier : 192.168.2.12
Self Querier Expire : 0(m):0(s)
Self Querier Uptime : 0(h):0(m):0(s)
General Query Received : 0
General Query Sent : 0
Specific Query Received : 0
Specific Query Sent : 0
Warn Rate Limit : 0 sec.
Static Multicast Routing
This section describes commands used to configure static multicast routing on the switch.
Table 129: Static Multicast Interface Commands
Command | Function | Mode
ip igmp snooping vlan mrouter | Adds a multicast router port | GC
show ip igmp snooping mrouter | Shows multicast router ports | PE

ip igmp snooping vlan mrouter
This command statically configures a (Layer 2) multicast router port on the specified VLAN.

Example
The following shows how to configure port 10 as a multicast router port within VLAN 1.
Console(config)#ip igmp snooping vlan 1 mrouter ethernet 1/10
Console(config)#

IGMP Filtering and Throttling
In certain switch applications, the administrator may want to control the multicast services that are available to end users. For example, an IP/TV service based on a specific subscription plan.

ip igmp filter (Global Configuration)
This command globally enables IGMP filtering and throttling on the switch. Use the no form to disable the feature.
Syntax
[no] ip igmp filter
Default Setting
Disabled
Command Mode
Global Configuration
Command Usage
IGMP filtering enables you to assign a profile to a switch port that specifies multicast groups that are permitted or denied on the port.

Command Usage
A profile defines the multicast groups that a subscriber is permitted or denied to join. The same profile can be applied to many interfaces, but only one profile can be assigned to one interface. Each profile has only one access mode; either permit or deny.
Example
Console(config)#ip igmp profile 19
Console(config-igmp-profile)#

permit, deny
This command sets the access mode for an IGMP filter profile.

Default Setting
None
Command Mode
IGMP Profile Configuration
Command Usage
Enter this command multiple times to specify more than one multicast address or address range for a profile.
Example
Console(config)#ip igmp profile 19
Console(config-igmp-profile)#range 239.2.3.1 239.2.3.100
Console(config-igmp-profile)#

ip igmp
This command enables IGMP authentication on the specified interface.

◆ If the interface leaves the group and subsequently rejoins the same group, the join report needs to again be authenticated.
◆ When receiving an IGMP v3 report message, the switch will send the access request to the RADIUS server only when the record type is either IS_EX or TO_EX, and the source list is empty. Other types of packets will not initiate RADIUS authentication.

ip igmp filter (Interface Configuration)
This command assigns an IGMP filtering profile to an interface on the switch. Use the no form to remove a profile from an interface.
Syntax
ip igmp filter profile-number
no ip igmp filter
profile-number - An IGMP filter profile number.

Command Usage
◆ IGMP throttling sets a maximum number of multicast groups that a port can join at the same time. When the maximum number of groups is reached on a port, the switch can take one of two actions; either “deny” or “replace” (see the ip igmp max-groups action command). If the action is set to deny, any new IGMP join reports will be dropped.

ip igmp query-drop
This command drops any received IGMP query packets. Use the no form to restore the default setting.
Syntax
[no] ip igmp query-drop [vlan vlan-id]
vlan-id - VLAN ID (Range: 1-4094)
Default Setting
Disabled
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
This command can be used to drop any query packets received on the specified interface.

show ip igmp authentication
This command displays the interface settings for IGMP authentication.
Syntax
show ip igmp authentication interface [interface]
interface
 ethernet unit/port
  unit - Unit identifier. (Range: 1)
  port - Port number.

Command Mode
Privileged Exec
Example
Console#show ip igmp filter
IGMP Filter enabled
Console#show ip igmp filter interface ethernet 1/1
Ethernet 1/1 information
--------------------------------
 IGMP Profile 19
 Deny
 Range 239.1.1.1 239.1.1.1
 Range 239.2.3.1 239.2.3.100
Console#

show ip igmp profile
This command displays IGMP filtering profiles created on the switch.

show ip igmp query-drop
This command shows if the specified interface is configured to drop IGMP query packets.
Syntax
show ip igmp query-drop [interface]
interface
 ethernet unit/port
  unit - Unit identifier. (Range: 1)
  port - Port number.

Command Usage
Using this command without specifying an interface displays information for all interfaces.
Example
Console#show ip igmp throttle interface ethernet 1/1
Eth 1/1 Information
 Status : FALSE
 Action : Deny
 Max Multicast Groups : 1024
 Current Multicast Groups : 0
Console#

show ip multicast-data-drop
This command shows if the specified interface is configured to drop multicast data packets.
MLD Snooping
Multicast Listener Discovery (MLD) snooping operates on IPv6 traffic and performs a similar function to IGMP snooping for IPv4. That is, MLD snooping dynamically configures switch ports to limit IPv6 multicast traffic so that it is forwarded only to ports with users that want to receive it. This reduces the flooding of IPv6 multicast packets in the specified VLANs. There are two versions of the MLD protocol, version 1 and version 2.

Table 132: MLD Snooping Commands (Continued)
Command | Function | Mode
clear ipv6 mld snooping statistics | Clears MLD snooping statistics | PE
show ipv6 mld snooping | Displays MLD Snooping configuration | PE
show ipv6 mld snooping group | Displays the learned groups | PE
show ipv6 mld snooping group source-list | Displays the learned groups and corresponding source list | PE
show ipv6 mld snooping mrouter | Displays the information of multicast router ports

Command Usage
◆ When proxy reporting is enabled with this command, reports received from downstream hosts are summarized and used to build internal membership states. Proxy-reporting devices may use the IPv6 address configured on this VLAN or Source IP address from received report message as source address when forwarding any summarized reports upstream.

ipv6 mld snooping query-interval
This command configures the interval between sending MLD general queries. Use the no form to restore the default.
Syntax
ipv6 mld snooping query-interval interval
no ipv6 mld snooping query-interval
interval - The interval between sending MLD general queries.

Example
Console(config)#ipv6 mld snooping query-max-response-time 15
Console(config)#

ipv6 mld snooping robustness
This command configures the MLD Snooping robustness variable. Use the no form to restore the default value.
Syntax
ipv6 mld snooping robustness value
no ipv6 mld snooping robustness
value - The number of the robustness variable.

Command Usage
The router port expire time is the time the switch waits after the previous querier stops before it considers the router port (i.e., the interface that had been receiving query packets) to have expired.
Example
Console(config)#ipv6 mld snooping router-port-expire-time 300
Console(config)#

ipv6 mld snooping unknown-multicast
This command sets the action for dealing with unknown multicast packets. Use the no form to restore the default.

ipv6 mld snooping unsolicited-report-interval
This command specifies how often the upstream interface should transmit unsolicited MLD snooping reports when proxy reporting is enabled. Use the no form to restore the default value.
Syntax
ipv6 mld snooping unsolicited-report-interval seconds
no ipv6 mld snooping unsolicited-report-interval
seconds - The interval at which to issue unsolicited reports.

Example
Console(config)#ipv6 mld snooping version 1
Console(config)#

ipv6 mld snooping vlan immediate-leave
This command immediately deletes a member port of an IPv6 multicast service when a leave packet is received at that port and immediate-leave is enabled for the parent VLAN. Use the no form to restore the default.

ipv6 mld snooping vlan mrouter
This command statically configures an IPv6 multicast router port. Use the no form to remove the configuration.
Syntax
[no] ipv6 mld snooping vlan vlan-id mrouter interface
vlan-id - VLAN ID (Range: 1-4094)
interface
 ethernet unit/port
  unit - Unit identifier. (Range: 1)
  port - Port number. (Range: 1-28)
 port-channel channel-id (Range: 1-28)
Default Setting
No static multicast router ports are configured.

ipv6 mld snooping vlan static
This command adds a port to an IPv6 multicast group. Use the no form to remove the port.
Syntax
[no] ipv6 mld snooping vlan vlan-id static ipv6-address interface
vlan-id - VLAN ID (Range: 1-4094)
ipv6-address - An IPv6 address of a multicast group. (Format: X:X:X:X::X)
interface
 ethernet unit/port
  unit - Unit identifier. (Range: 1)
  port - Port number.

clear ipv6 mld snooping statistics
This command clears MLD snooping statistics.
Syntax
clear ipv6 mld snooping statistics [interface interface]
interface
 ethernet unit/port
  unit - Unit identifier. (Range: 1)
  port - Port number.

Router Port Expiry Time : 300 sec
Unsolicit Report Interval : 400 sec
Immediate Leave : Disabled on all VLAN
Immediate Leave By Host : Disabled on all VLAN
Unknown Flood Behavior : To Router Port
MLD Snooping Version : Version 2
VLAN Group IPv6 Address Port
---- --------------------------------------- --------
1 ff05:0:1:2:3:4:5:6 Eth 1/1
Console#show ipv6 mld snooping vlan
VLAN 1
 Immediate Leave : Disabled
 Unknown Flood Behavior : To Router Port
Con

show ipv6 mld snooping group source-list
This command shows known multicast groups, member ports, the means by which each group was learned, and the corresponding source list.
Syntax
show ipv6 mld snooping group source-list [ipv6-address | vlan vlan-id]
ipv6-address - An IPv6 address of a multicast group.

Example
Console#show ipv6 mld snooping mrouter vlan 1
VLAN Multicast Router Port Type Expire
---- --------------------- --------- -----
1 Eth 1/2 Static
Console#

show ipv6 mld
This command shows MLD snooping protocol statistics for the specified interface.
Table 133: show ipv6 MLD snooping statistics input - display description
Field | Description
Interface | The unit/port or VLAN interface.
Report | The number of MLD membership reports received on this interface.
Leave | The number of leave messages received on this interface.
G Query | The number of general query messages received on this interface.

Self Querier Expire Time : 1(m):49(s)
Self Querier UpTime : 0(h):9(m):6(s)
General Query Received : 0
General Query Sent : 6
Specific Query Received : 0
Specific Query Sent : 0
Console#
Table 135: show ipv6 MLD snooping statistics query - display description
Field | Description
Other Querier Address | IP address of remote querier on this interface.
Other Querier Expire | Time after which remote querier is assumed to have expired.

Filter Drop : 0
Source Port Drop : 0
Others Drop : 0
Console#
Table 136: show ipv6 MLD snooping statistics summary - display description
Field | Description
Number of Groups | Number of active MLD groups active on the specified interface.
Physical Interface (Port/Trunk) Querier:
Transmit General | The number of general queries sent from this interface.
Group Specific | The number of group specific queries sent from this interface.

Table 136: show ipv6 MLD snooping statistics summary - display description (Continued)
Field | Description
Host Addr | The link-local or global IPv6 address that is assigned on that VLAN.
Unsolicit Expire | The number of group leaves resulting from timeouts instead of explicit leave messages.

MLD Filtering and Throttling
In certain switch applications, the administrator may want to control the multicast services that are available to end users.

ipv6 mld filter (Global Configuration)
This command globally enables MLD filtering and throttling on the switch. Use the no form to disable the feature.
Syntax
[no] ipv6 mld filter
Default Setting
Disabled
Command Mode
Global Configuration
Command Usage
MLD filtering enables you to assign a profile to a switch port that specifies multicast groups that are permitted or denied on the port.

Command Mode
Global Configuration
Command Usage
A profile defines the multicast groups that a subscriber is permitted or denied to join. The same profile can be applied to many interfaces, but only one profile can be assigned to one interface. Each profile has only one access mode; either permit or deny.

Syntax
[no] range low-ipv6-address high-ipv6-address
low-ipv6-address - A valid IPv6 address (X:X:X:X::X) of a multicast group or start of a group range.
high-ipv6-address - A valid IPv6 address (X:X:X:X::X) for the end of a multicast group range.
Default Setting
None
Command Mode
MLD Profile Configuration
Command Usage
Enter this command multiple times to specify more than one multicast address or address range for a profile.

Example
Console(config)#interface ethernet 1/1
Console(config-if)#ipv6 mld filter 19
Console(config-if)#

ipv6 mld max-groups
This command configures the maximum number of MLD groups that an interface can join. Use the no form to restore the default setting.
Syntax
ipv6 mld max-groups number
no ipv6 mld max-groups
number - The maximum number of multicast groups an interface can join at the same time.

ipv6 mld max-groups action
This command sets the MLD throttling action for an interface on the switch. Use the no form of the command to set the action to the default.
Syntax
ipv6 mld max-groups action {deny | replace}
no ipv6 mld max-groups action
deny - The new multicast group join report is dropped.
replace - The new multicast group replaces an existing group.

Example
Console(config)#interface ethernet 1/1
Console(config-if)#ipv6 mld query-drop
Console(config-if)#

ipv6 multicast-data-drop
Use this command to enable multicast data drop mode on a port interface. Use the no form of the command to disable multicast data drop.

Ethernet 1/3 information
--------------------------------
 MLD Profile 19
 Deny
 Range ff01::101 ff01::faa
Console#

show ipv6 mld profile
This command displays MLD filtering profiles created on the switch.
Syntax
show ipv6 mld profile [profile-number]
profile-number - An existing MLD filter profile number.

Command Mode
Privileged Exec
Command Usage
Using this command without specifying an interface displays all interfaces.
Example
Console#show ipv6 mld query-drop interface ethernet 1/1
Ethernet 1/1: Enabled
Console#

show ipv6 mld throttle interface
This command displays the interface settings for MLD throttling.
Syntax
show ipv6 mld throttle interface [interface]
interface
 ethernet unit/port
  unit - Unit identifier.
MVR for IPv4
  This section describes commands used to configure Multicast VLAN Registration for IPv4 (MVR). A single network-wide VLAN can be used to transmit multicast traffic (such as television channels) across a service provider's network. Any multicast traffic entering an MVR VLAN is sent to all subscribers.

Table 138: Multicast VLAN Registration for IPv4 Commands (Continued)
  Command              Function                                                                                                          Mode
  show mvr members     Shows information about the current number of entries in the forwarding database, or detailed information about a specific multicast address   PE
  show mvr profile     Shows all configured MVR profiles                                                                                 PE
  show mvr statistics  Shows MVR protocol statistics for the specified interface                                                         PE

mvr
  This command enables Multicast VLAN Registration (MVR)

Command Mode
  Global Configuration

Example
  The following associates an MVR group address profile with domain 1:

  Console(config)#mvr domain 1 associated-profile rd
  Console(config)#

Related Commands
  mvr profile (712)

mvr domain
  This command enables Multicast VLAN Registration (MVR) for a specific domain. Use the no form of this command to disable MVR for a domain.

Syntax
  [no] mvr domain domain-id

  domain-id - An independent multicast domain.

  profile-name - The name of a profile containing one or more MVR group addresses. (Range: 1-21 characters)
  start-ip-address - Starting IPv4 address for an MVR multicast group. (Range: 224.0.1.0 - 239.255.255.255)
  end-ip-address - Ending IPv4 address for an MVR multicast group. (Range: 224.0.1.0 - 239.255.255.

Command Mode
  Global Configuration

Command Usage
  This command sets the general query interval at which active receiver ports send out general queries. This interval is only effective when proxy switching is enabled with the mvr proxy-switching command.

Example
  This example sets the proxy query interval for MVR proxy switching.

  ◆ When MVR proxy switching is disabled:
    ■ Any membership reports received from receiver/source ports are forwarded to all source ports.
    ■ When a source port receives a query message, it is forwarded to all downstream receiver ports.
    ■ When a receiver port receives a query message, it is dropped.

Example
  The following example enables MVR proxy switching.

Related Commands
  mvr proxy-switching (714)

mvr source-port-mode
  This command configures the switch to forward only the multicast streams that a source port has dynamically joined, or to forward all multicast groups. Use the no form to restore the default setting.

Syntax
  mvr source-port-mode {dynamic | forward}
  no mvr source-port-mode

  dynamic - Configures source ports to forward only dynamically-joined MVR group multicast streams.
mvr upstream-source-ip
  This command configures the source IP address assigned to all MVR control packets sent upstream on all domains or on a specified domain. Use the no form to restore the default setting.

Syntax
  mvr [domain domain-id] upstream-source-ip source-ip-address
  no mvr [domain domain-id] upstream-source-ip

  domain-id - An independent multicast domain.

  ◆ The VLAN specified by this command must be an existing VLAN configured with the vlan command.
  ◆ MVR source ports can be configured as members of the MVR VLAN using the switchport allowed vlan command and the switchport native vlan command, but MVR receiver ports should not be statically configured as members of this VLAN.

  ◆ Using immediate leave can reduce leave latency, but it should only be enabled on a port attached to a single multicast subscriber, to avoid disrupting service to other group members attached to the same interface.
  ◆ Immediate leave does not apply to multicast groups which have been statically assigned to a port with the mvr vlan group command.

Example
  The following enables immediate leave on a receiver port.

  ◆ Only IGMP version 2 or 3 hosts can issue multicast join or leave messages. If MVR must be configured for an IGMP version 1 host, the multicast groups must be statically assigned using the mvr vlan group command.

Example
  The following configures one source port and several receiver ports on the switch.

  ◆ Only IGMP version 2 or 3 hosts can issue multicast join or leave messages. If MVR must be configured for an IGMP version 1 host, the multicast groups must be statically assigned using the mvr vlan group command.
  ◆ The MVR VLAN cannot be specified as the receiver VLAN for static bindings.

    port-channel channel-id (Range: 1-28)
  vlan vlan-id - VLAN identifier (Range: 1-4094)

Command Mode
  Privileged Exec

Example
  Console#clear mvr statistics
  Console#

show mvr
  This command shows information about MVR domain settings, including MVR operational status, the multicast VLAN, the current number of group addresses, and the upstream source IP address.

Syntax
  show mvr [domain domain-id]

  domain-id - An independent multicast domain.
Table 139: show mvr - display description (Continued)
  Field                     Description
  MVR Proxy Query Interval  Shows the interval at which the receiver port sends out general queries.
  MVR Source Port Mode      Shows if the switch forwards all multicast streams, or only those which the source port has dynamically joined.
  MVR Domain                An independent multicast domain.
  MVR Config Status         Shows if MVR is globally enabled on the switch.

show mvr interface
  This command shows MVR configuration settings for interfaces attached to the MVR VLAN.

Syntax
  show mvr [domain domain-id] interface

  domain-id - An independent multicast domain. (Range: 1-5)

Default Setting
  Displays configuration settings for all attached interfaces.

show mvr members
  This command shows information about the current number of entries in the forwarding database, detailed information about a specific multicast address, the IP address of the hosts subscribing to all active multicast groups, or the multicast groups associated with each port.

  Group Address    VLAN  Port         Up time      Expire  Count
  ---------------  ----  -----------  -----------  ------  ------
  234.5.6.7        1                  00:00:09:17          2(P)
                   1     Eth 1/ 1(S)
                   2     Eth 1/ 2(R)
  Console#

  The following example shows detailed information about a specific multicast address:

  Console#show mvr domain 1 members 234.5.6.7
  MVR Domain : 1
  MVR Forwarding Entry Count : 1
  Flag: S - Source port, R - Receiver port.
        H - Host counts (number of hosts joined to group on this port).

show mvr profile
  This command shows all configured MVR profiles.

Command Mode
  Privileged Exec

Example
  The following shows all configured MVR profiles:

  Console#show mvr profile
  MVR Profile Name      Start IP Addr.   End IP Addr.
  --------------------  ---------------  ---------------
  rd                    228.1.23.1       228.1.23.10
  testing               228.2.23.1       228.2.23.10
  Console#

show mvr statistics
  This command shows MVR protocol-related statistics for the specified interface.

Example
  The following shows MVR protocol-related statistics received:

  Console#show mvr domain 1 statistics input
  MVR Domain : 1 , MVR VLAN: 2
  Input Statistics:
  Interface  Report    Leave     G Query   G(-S)-S Query  Drop      Join Succ  Group
  ---------  --------  --------  --------  -------------  --------  ---------  -----
  Eth 1/ 1   23        11        4         10             5         20         9
  Eth 1/ 2   12        15        8         3              5         19         4
  DVLAN 1    2         0         0         2              2         20         9
  MVLAN 1    2         0         0         2              2         20         9
  Console#

Table 142: show mvr statistics input - display

Table 143: show mvr statistics output - display description (Continued)
  Field          Description
  Leave          The number of leave messages sent from this interface.
  G Query        The number of general query messages sent from this interface.
  G(-S)-S Query  The number of group specific or group-and-source specific query messages sent from this interface.
  Drop           The number of times a report, leave or query was dropped.

Table 144: show mvr statistics query - display description (Continued)
  Field             Description
  Warn Rate Limit   Count down from 15 seconds after receiving a Query different from the configured version.
  V# Warning Count  Number of queries received on MVR that were configured for IGMP version 1, 2 or 3.

Table 145: show mvr statistics summary interface - display description
  Field             Description
  Report            Number of reports received.
  Leave             Number of leaves received.
  Join Success      Number of join reports processed successfully.
  Filter Drop       Number of report/leave messages dropped by IGMP filter.
  Source Port Drop  Number of report/leave messages dropped by MVR source port.
  Others Drop       Number of report/leave messages dropped for other reasons.

Table 146: show mvr statistics summary interface mvr vlan - description
  Field             Description
  General           Number of general queries sent from receiver port.
  Group Specific    Number of group specific queries sent from receiver port.
  Received General  Number of general queries received.
  Group Specific    Number of group specific queries received.
  V# Warning Count  Number of queries received on MVR that were configured by IGMP version 1, 2 or 3.
26 LLDP Commands

  Link Layer Discovery Protocol (LLDP) is used to discover basic information about neighboring devices on the local broadcast domain. LLDP is a Layer 2 protocol that uses periodic broadcasts to advertise information about the sending device. Advertised information is represented in Type Length Value (TLV) format according to the IEEE 802.1AB standard, and can include details such as device identification, capabilities and configuration settings.
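The TLV framing that the introduction refers to is what every "show lldp info" output in this chapter is decoded from, so it is worth seeing the bytes once. The Python below is an added example, not the switch's firmware or any library's API: it encodes a small LLDPDU with the 16-bit TLV header IEEE 802.1AB defines (7-bit type, 9-bit length), parses it back, checks that the three mandatory TLVs are present and that the End TLV terminates the PDU, and maps the System Capabilities bits to names. The port MAC address and port description are taken from the "show lldp info local-device" output later in this chapter; the system name, TTL and every function name are constructed for the example.

```python
"""LLDPDU TLV encoder and parser (constructed example, not the switch's code).

IEEE 802.1AB frames each TLV as a 16-bit header (7-bit type, 9-bit length)
followed by up to 511 bytes of value; an LLDPDU ends with the End TLV
(type 0, length 0). A receiver should reject a PDU whose lengths run past
the frame or that never reaches the End TLV.
"""
import struct
from typing import Dict, List, Tuple

CHASSIS_ID_MAC, PORT_ID_MAC = 4, 3      # ID subtypes that mean "MAC address"

# System Capabilities bit assignments from the 802.1AB TLV definition
CAPABILITY_BITS = {0x01: "Other", 0x02: "Repeater", 0x04: "Bridge",
                   0x08: "WLAN Access Point", 0x10: "Router", 0x20: "Telephone",
                   0x40: "DOCSIS Cable Device", 0x80: "Station Only"}


def tlv(tlv_type: int, value: bytes) -> bytes:
    """Encode one TLV: 7-bit type and 9-bit length packed big-endian."""
    if not 0 <= tlv_type < 128 or len(value) > 511:
        raise ValueError("TLV type or length out of range")
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def parse_lldpdu(data: bytes) -> List[Tuple[int, bytes]]:
    """Split an LLDPDU into (type, value) pairs, stopping at the End TLV."""
    tlvs: List[Tuple[int, bytes]] = []
    offset = 0
    while offset + 2 <= len(data):
        (header,) = struct.unpack_from("!H", data, offset)
        tlv_type, length = header >> 9, header & 0x1FF
        offset += 2
        if offset + length > len(data):
            raise ValueError("TLV type %d runs past end of LLDPDU" % tlv_type)
        tlvs.append((tlv_type, data[offset:offset + length]))
        offset += length
        if tlv_type == 0:
            return tlvs
    raise ValueError("no End of LLDPDU TLV")


def mac_str(raw: bytes) -> str:
    return "-".join("%02X" % b for b in raw)


def decode(tlvs: List[Tuple[int, bytes]]) -> Dict[str, object]:
    """Turn the basic TLVs into the fields a 'show lldp info' style display uses."""
    info: Dict[str, object] = {}
    for tlv_type, value in tlvs:
        if tlv_type in (1, 2):                      # Chassis ID / Port ID
            key = "chassis_id" if tlv_type == 1 else "port_id"
            mac_subtype = CHASSIS_ID_MAC if tlv_type == 1 else PORT_ID_MAC
            subtype, ident = value[0], value[1:]
            info[key] = mac_str(ident) if subtype == mac_subtype and len(ident) == 6 else ident.hex()
        elif tlv_type == 3:                         # Time To Live (seconds)
            info["ttl"] = struct.unpack("!H", value)[0]
        elif tlv_type == 4:
            info["port_description"] = value.decode("utf-8", "replace")
        elif tlv_type == 5:
            info["system_name"] = value.decode("utf-8", "replace")
        elif tlv_type == 6:
            info["system_description"] = value.decode("utf-8", "replace")
        elif tlv_type == 7:                         # System Capabilities
            supported, enabled = struct.unpack("!HH", value)
            info["capabilities"] = [n for b, n in CAPABILITY_BITS.items() if supported & b]
            info["enabled_capabilities"] = [n for b, n in CAPABILITY_BITS.items() if enabled & b]
    for required in ("chassis_id", "port_id", "ttl"):
        if required not in info:
            raise ValueError("mandatory TLV missing: " + required)
    return info


def sample_lldpdu() -> bytes:
    """Constructed LLDPDU. The MAC and port description come from the guide's
    show lldp info local-device output; the rest is made up for the example."""
    mac = bytes.fromhex("0012cfdafce9")
    return (tlv(1, bytes([CHASSIS_ID_MAC]) + mac)
            + tlv(2, bytes([PORT_ID_MAC]) + mac)
            + tlv(3, struct.pack("!H", 120))
            + tlv(4, b"Ethernet Port on unit 1, port 1")
            + tlv(5, b"switch-1")
            + tlv(7, struct.pack("!HH", 0x0004, 0x0004))   # supported / enabled: Bridge
            + tlv(0, b""))


if __name__ == "__main__":
    for field, val in decode(parse_lldpdu(sample_lldpdu())).items():
        print("%-22s: %s" % (field, val))
```

The two ValueError paths are the ones a receiver cares about: a length that overruns the frame and a PDU with no End TLV are both malformed advertisements and should be counted rather than partially trusted.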
Table 147: LLDP Commands (Continued)
  Command                             Function                                                              Mode
  lldp basic-tlv system-capabilities  Configures an LLDP-enabled port to advertise its system capabilities  IC
  lldp basic-tlv system-description   Configures an LLDP-enabled port to advertise the system description   IC
  lldp basic-tlv system-name          Configures an LLDP-enabled port to advertise its system name          IC
  lldp dot1-tlv proto-ident*          Configures an LLDP-enabled port to advertise the supported protocols  IC
  lldp dot1

lldp
  This command enables LLDP globally on the switch. Use the no form to disable LLDP.

Syntax
  [no] lldp

Default Setting
  Enabled

Command Mode
  Global Configuration

Example
  Console(config)#lldp
  Console(config)#

lldp holdtime-multiplier
  This command configures the time-to-live (TTL) value sent in LLDP advertisements. Use the no form to restore the default setting.

lldp med-fast-start-count
  This command specifies the number of MED Fast Start LLDPDUs to transmit during the activation process of the LLDP-MED Fast Start mechanism. Use the no form to restore the default setting.

Syntax
  lldp med-fast-start-count packet-number
  no lldp med-fast-start-count

  packet-number - Number of packets.

  ◆ Information about changes in LLDP neighbors that occur between SNMP notifications is not transmitted. Only state changes that exist at the time of a notification are included in the transmission. An SNMP agent should therefore periodically check the value of lldpStatsRemTableLastChangeTime to detect any lldpRemTablesChange notification events missed due to throttling or transmission loss.

Command Mode
  Global Configuration

Command Usage
  When LLDP is re-initialized on a port, all information in the remote systems LLDP MIB associated with this port is deleted.

Example
  Console(config)#lldp reinit-delay 10
  Console(config)#

lldp tx-delay
  This command configures a delay between successive transmissions of advertisements initiated by a change in local LLDP MIB variables. Use the no form to restore the default setting.

lldp admin-status
  This command enables LLDP transmit, receive, or transmit and receive mode on the specified port. Use the no form to disable this feature.

Syntax
  lldp admin-status {rx-only | tx-only | tx-rx}
  no lldp admin-status

  rx-only - Only receive LLDP PDUs.
  tx-only - Only transmit LLDP PDUs.
  tx-rx - Both transmit and receive LLDP Protocol Data Units (PDUs).
  ◆ Since there are typically a number of different addresses associated with a Layer 3 device, an individual LLDP PDU may contain more than one management address TLV.
  ◆ Every management address TLV that reports an address that is accessible on a port and protocol VLAN through the particular port should be accompanied by a port and protocol VLAN TLV that indicates the VLAN identifier (VID) associated with the management address reported by this TLV.

  If neither the IPv4 address nor the IPv6 address of a VLAN interface is configured, the CPU MAC address (or device MAC address) will be sent in the Management Address TLV of the LLDP PDU transmitted.

Example
  Console(config)#interface ethernet 1/1
  Console(config-if)#lldp basic-tlv management-ipv6-address
  Console(config-if)#

lldp basic-tlv port-description
  This command configures an LLDP-enabled port to advertise its port description. Use the no form to disable this feature.

Command Usage
  The system capabilities TLV identifies the primary function(s) of the system and whether or not these primary functions are enabled. The information advertised by this TLV is described in IEEE 802.1AB.

Example
  Console(config)#interface ethernet 1/1
  Console(config-if)#lldp basic-tlv system-capabilities
  Console(config-if)#

lldp basic-tlv system-description
  This command configures an LLDP-enabled port to advertise the system description.

Command Usage
  The system name is taken from the sysName object in RFC 3418, which contains the system's administratively assigned name, and is in turn based on the hostname command.

Example
  Console(config)#interface ethernet 1/1
  Console(config-if)#lldp basic-tlv system-name
  Console(config-if)#

lldp dot1-tlv proto-ident
  This command configures an LLDP-enabled port to advertise the supported protocols. Use the no form to disable this feature.

Command Usage
  This option advertises the port-based protocol VLANs configured on this interface (see "Configuring Protocol-based VLANs" on page 557).

Example
  Console(config)#interface ethernet 1/1
  Console(config-if)#lldp dot1-tlv proto-vid
  Console(config-if)#

lldp dot1-tlv pvid
  This command configures an LLDP-enabled port to advertise its default VLAN ID. Use the no form to disable this feature.

Command Usage
  This option advertises the name of all VLANs to which this interface has been assigned. See "switchport allowed vlan" on page 535 and "protocol-vlan protocol-group (Configuring Interfaces)" on page 558.

Example
  Console(config)#interface ethernet 1/1
  Console(config-if)#lldp dot1-tlv vlan-name
  Console(config-if)#

lldp dot3-tlv link-agg
  This command configures an LLDP-enabled port to advertise link aggregation capabilities. Use the no form to disable this feature.

Command Usage
  This option advertises MAC/PHY configuration/status, which includes information about auto-negotiation support/capabilities and the operational Multistation Access Unit (MAU) type.

Example
  Console(config)#interface ethernet 1/1
  Console(config-if)#no lldp dot3-tlv mac-phy
  Console(config-if)#

lldp dot3-tlv max-frame
  This command configures an LLDP-enabled port to advertise its maximum frame size. Use the no form to disable this feature.
lldp med-location civic-addr
  This command configures an LLDP-MED-enabled port to advertise its location identification details. Use the no form to restore the default settings.

Syntax
  lldp med-location civic-addr [[country country-code] | [what device-type] | [ca-type ca-value]]
  no lldp med-location civic-addr [[country] | [what] | [ca-type]]

  country-code - The two-letter ISO 3166 country code in capital ASCII letters.

Table 148: LLDP MED Location CA Types (Continued)
  CA Type  Description                                    CA Value Example
  4        City division, borough, city district          West Irvine
  5        Neighborhood, block                            Riverside
  6        Group of streets below the neighborhood level  Exchange
  18       Street suffix or type                          Avenue
  19       House number                                   320
  20       House number suffix                            A
  21       Landmark or vanity address                     Tech Center
  26       Unit (apartment, suite)                        Apt 519
  27       Floor                                          5
  28       Room                                           509B

  Any number of CA type and value pairs can be

Default Setting
  Disabled

Command Mode
  Interface Configuration (Ethernet, Port Channel)

Command Usage
  ◆ This option sends out SNMP trap notifications to designated target stations at the interval specified by the lldp notification-interval command. Trap notifications include information about state changes in the LLDP MIB (IEEE 802.1AB), the LLDP-MED MIB (ANSI/TIA 1057), or the organization-specific LLDP-EXT-DOT1 and LLDP-EXT-DOT3 MIBs.

Example
  Console(config)#interface ethernet 1/1
  Console(config-if)#lldp med-tlv inventory
  Console(config-if)#

lldp med-tlv location
  This command configures an LLDP-MED-enabled port to advertise its location identification details. Use the no form to disable this feature.

Syntax
  [no] lldp med-tlv location

Default Setting
  Enabled

Command Mode
  Interface Configuration (Ethernet, Port Channel)

Command Usage
  This option advertises location identification details.

Example
  Console(config)#interface ethernet 1/1
  Console(config-if)#lldp med-tlv med-cap
  Console(config-if)#

lldp med-tlv network-policy
  This command configures an LLDP-MED-enabled port to advertise its network policy configuration. Use the no form to disable this feature.

  notifications include information about state changes in the LLDP MIB (IEEE 802.1AB), or the organization-specific LLDP-EXT-DOT1 and LLDP-EXT-DOT3 MIBs.
  ◆ SNMP trap destinations are defined using the snmp-server host command.
  ◆ Information about additional changes in LLDP neighbors that occur between SNMP notifications is not transmitted. Only state changes that exist at the time of a trap notification are included in the transmission.
                                  proto-vlan proto-ident
  802.3 specific TLVs Advertised : mac-phy link-agg max-frame
  MED Notification Status        : Disabled
  MED Enabled TLVs Advertised    : med-cap network-policy location inventory
  MED Location Identification
    Location Data Format : Civic Address LCI
    Country Name         : DK
    What                 : 2 - DHCP Client
    CA Type 1            : 12
    CA Type 13           : 13
  Console#

show lldp info local-device
  This command shows LLDP global and interface-specific configuration settings for this device.

  Console#show lldp info local-device detail ethernet 1/1
  LLDP Local Port Information Detail
    Port             : Eth 1/1
    Port ID Type     : MAC Address
    Port ID          : 00-12-CF-DA-FC-E9
    Port Description : Ethernet Port on unit 1, port 1
    MED Capability   : LLDP-MED Capabilities
                       Network Policy
                       Location Identification
                       Inventory
  Console#

show lldp info remote-device
  This command shows LLDP global and interface-specific configuration settings for remote devices attached to an LLDP-enabled port.

  Enabled Capabilities : Bridge
  Management Address   : 192.168.0.

  Software Revision : 1.2.6.0
  Serial Number     : S123456
  Manufacture Name  : Prye
  Model Name        : VP101
  Asset ID          : 340937
  Console#

show lldp info statistics
  This command shows statistics based on traffic received through all attached LLDP-enabled interfaces.

Syntax
  show lldp info statistics [detail interface]

  detail - Shows configuration summary.
  interface
    ethernet unit/port
      unit - Unit identifier. (Range: 1)
      port - Port number.
27 OAM Commands

  The switch provides OAM (Operation, Administration, and Maintenance) remote management tools required to monitor and maintain the links to subscriber CPEs (Customer Premise Equipment). This section describes functions including enabling OAM for selected ports, loopback testing, and displaying device information.

efm oam
  This command enables OAM functions on the specified port. Use the no form to disable this function.

Syntax
  [no] efm oam

Default Setting
  Disabled

Command Mode
  Interface Configuration

Command Usage
  ◆ If the remote device also supports OAM, both exchange Information OAMPDUs to establish an OAM link.
  ◆ Not all CPEs support OAM functions, and OAM is therefore disabled by default.

Command Usage
  ◆ Critical events are vendor-specific and may include various failures, such as abnormal voltage fluctuations, an out-of-range temperature, fan failure, a CRC error in flash memory, insufficient memory, or other hardware faults.
  ◆ Dying gasp events are caused by an unrecoverable failure, such as a power failure or device reset.

  Note: When system power fails, the switch will always send a dying gasp trap message prior to power down.

efm oam link-monitor frame threshold
  This command sets the threshold for errored frame link events. Use the no form to restore the default setting.

Syntax
  efm oam link-monitor frame threshold count
  no efm oam link-monitor frame threshold

  count - The threshold for errored frame link events.

  exceeded within the period specified by this command. The Errored Frame Event TLV includes the number of errored frames detected during the specified period.

Example
  This example sets the window size to 5 seconds.

  Console(config)#interface ethernet 1/1
  Console(config-if)#efm oam link-monitor frame window 50
  Console(config-if)#

efm oam mode
  This command sets the OAM mode on the specified port. Use the no form to restore the default setting.
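How the frame window and frame threshold combine into an Errored Frame Event is only stated in passing above, so here is the rule worked through in Python. This is an added example, not the switch's OAM implementation: the window value is in 100 ms units (the "frame window 50" in the example is 5 s, and the show output later in this chapter reports "Errored Frame Window (100msec)"), the threshold is a frame count, and each window whose count goes above the threshold yields one event carrying that count, as the Errored Frame Event TLV does. Two modelling choices are assumptions: windows are aligned at t = 0, and the final, possibly partial, window is evaluated when the samples run out. The sample data and all names are constructed.

```python
"""Errored Frame link-monitor model for EFM OAM (constructed example, not the
switch's code).

The configured window is in 100 ms units (50 = 5 s); the threshold is a
frame count. One Errored Frame Event is produced for every window in which
the errored-frame count exceeds the threshold.
"""
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class ErroredFrameEvent:
    window_start: float      # seconds
    window_end: float        # seconds
    errored_frames: int      # count carried in the Errored Frame Event TLV


def window_seconds(window: int) -> float:
    """Convert the configured window (100 ms units) to seconds."""
    if window < 1:
        raise ValueError("window must be at least one 100 ms unit")
    return window / 10.0


def errored_frame_events(samples: Iterable[Tuple[float, int]],
                         window: int, threshold: int) -> List[ErroredFrameEvent]:
    """samples: (timestamp in seconds, errored frames observed at that instant).

    Windows are aligned at t = 0 and the last, possibly partial, window is
    evaluated when the samples end (both assumptions). The guide says the
    threshold must be "exceeded", so the comparison is strict.
    """
    period = window_seconds(window)
    events: List[ErroredFrameEvent] = []
    start, count = 0.0, 0

    def close_window() -> None:
        nonlocal start, count
        if count > threshold:
            events.append(ErroredFrameEvent(start, start + period, count))
        start, count = start + period, 0

    for ts, n in sorted(samples):
        if ts < 0 or n < 0:
            raise ValueError("timestamps and counts must be non-negative")
        while ts >= start + period:       # roll forward past quiet windows
            close_window()
        count += n
    close_window()
    return events


# Constructed observations: (seconds since monitoring started, errored frames)
SAMPLES = [(0.5, 1), (1.2, 1), (6.0, 1), (12.5, 1), (13.0, 1), (14.9, 1)]

if __name__ == "__main__":
    # frame window 50 (5 s) and frame threshold 1, as in the guide's examples
    for ev in errored_frame_events(SAMPLES, window=50, threshold=1):
        print("Errored Frame Event: %d frames in %.1f-%.1f s"
              % (ev.errored_frames, ev.window_start, ev.window_end))
```

With window 50 and threshold 1 the constructed samples produce two events (2 frames in the first 5 s window, 3 frames in the third); the single error in the second window never exceeds the threshold and is reported only as a count in the statistics, not as an event.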
clear efm oam counters
  This command clears statistical counters for various OAMPDU message types.

Syntax
  clear efm oam counters [interface-list]

  interface-list - unit/port
    unit - Unit identifier. (Range: 1)
    port - Port number or list of ports. To enter a list, separate nonconsecutive port identifiers with a comma and no spaces; use a hyphen to designate a range of ports.

efm oam remote-loopback
  This command starts or stops OAM loopback test mode to the attached CPE.

Syntax
  efm oam remote-loopback {start | stop} interface

  start - Starts remote loopback test mode.
  stop - Stops remote loopback test mode.
  interface - unit/port
    unit - Unit identifier. (Range: 1)
    port - Port number. (Range: 1-28)

Default Setting
  None

Command Mode
  Privileged Exec

Command Usage
  OAM remote loopback can be used for fault localization and link performance testing.

efm oam remote-loopback test
  This command performs a remote loopback test, sending a specified number of packets.

Syntax
  efm oam remote-loopback test interface [number-of-packets [packet-size]]

  interface - unit/port
    unit - Unit identifier. (Range: 1)
    port - Port number. (Range: 1-28)
  number-of-packets - Number of packets to send. (Range: 1-99999999)
  packet-size - Size of packets to send.

show efm oam counters interface
  This command displays counters for various OAM PDU message types.

Syntax
  show efm oam counters interface [interface-list]

  interface-list - unit/port
    unit - Unit identifier. (Range: 1)
    port - Port number or list of ports. To enter a list, separate nonconsecutive port identifiers with a comma and no spaces; use a hyphen to designate a range of ports.

Example
  Console#show efm oam event-log interface 1/1
  OAM event log of Eth 1/1:
  00:24:07 2001/01/01 "Unit 1, Port 1: Dying Gasp at Remote"
  Console#

  This command can also show OAM link status changes for the link partner, as shown in this example.

show efm oam remote-loopback interface
  This command displays the results of an OAM remote loopback test.

Syntax
  show efm oam remote-loopback interface [interface-list]

  interface-list - unit/port
    unit - Unit identifier. (Range: 1)
    port - Port number or list of ports. To enter a list, separate nonconsecutive port identifiers with a comma and no spaces; use a hyphen to designate a range of ports.

  Link Monitor (Errored Frame) : Enabled
  Link Monitor:
    Errored Frame Window (100msec) : 10
    Errored Frame Threshold        : 1

  Console#show efm oam status interface 1/1 brief
  $ = local OAM in loopback
  * = remote OAM in loopback
  Port  Admin    Mode    Remote Loopback  Dying Gasp  Critical Event  Errored Frame
  ----  -------  ------  ---------------  ----------  --------------  -------------
  1/1   Enabled  Active  Disabled         Enabled     Enabled         Enabled
  Console#

show efm oam status
  This command displays information about attached OAM-enabl
28 Domain Name Service Commands

  These commands are used to configure Domain Naming System (DNS) services. Entries can be manually configured in the DNS domain name to IP address mapping table, default domain names configured, or one or more name servers specified to use for domain name to address translation. Note that domain name services will not be enabled until at least one name server is specified with the ip name-server command and domain lookup is enabled with the ip domain-lookup command.

DNS Commands

Table 150: Address Table Commands
  Command       Function                                     Mode
  mDNS
  ip mdns       Enables multicast DNS                        GC
  show ip mdns  Shows configuration state for multicast DNS  GC

DNS Commands

ip domain-list
  This command defines a list of domain names that can be appended to incomplete host names (i.e., host names passed from a client that are not formatted with dotted notation). Use the no form to remove a name from this list.

  Domain Name List:
    sample.com.jp
    sample.com.uk
  Name Server List:
  Console#

Related Commands
  ip domain-name (772)

ip domain-lookup
  This command enables DNS host name-to-address translation. Use the no form to disable DNS.

Syntax
  [no] ip domain-lookup

Default Setting
  Disabled

Command Mode
  Global Configuration

Command Usage
  ◆ At least one name server must be specified before DNS can be enabled.

Related Commands
  ip domain-name (772)
  ip name-server (773)

ip domain-name
  This command defines the default domain name appended to incomplete host names (i.e., host names passed from a client that are not formatted with dotted notation). Use the no form to remove the current domain name.

Syntax
  ip domain-name name
  no ip domain-name

  name - Name of the host. Do not include the initial dot that separates the host name from the domain name.

  name - Name of an IPv4 host. (Range: 1-127 characters)
  address - Corresponding IPv4 address.

Default Setting
  No static entries

Command Mode
  Global Configuration

Command Usage
  Use the no ip host command to clear static entries.

Example
  This example maps an IPv4 address to a host name.

  Console(config)#ip host rd5 192.168.1.55
  Console(config)#end
  Console#show hosts
  No.

Example
  This example adds two domain-name servers to the list and then displays the list.

  Console(config)#ip name-server 192.168.1.55 10.1.0.55
  Console(config)#end
  Console#show dns
  Domain Lookup Status:
    DNS disabled
  Default Domain Name:
    sample.com
  Domain Name List:
    sample.com.jp
    sample.com.uk
  Name Server List:
    192.168.1.55
    10.1.0.

  1
  2        Address  2001:DB8:1::12          rd6
  Console#

clear dns cache
  This command clears all entries in the DNS cache.

Command Mode
  Privileged Exec

Example
  Console#clear dns cache
  Console#show dns cache
  No.      Flag     Type     IP Address       TTL      Host
  -------  -------  -------  ---------------  -------  -------
  Console#

show dns
  This command displays the configuration of the DNS service.

  3
  4        CNAME    POINTER TO:2     1787     www.ignitenet.com
  Console#

Table 151: show dns cache - display description
  Field  Description
  No.    The entry number for each resource record.
  Flag   The flag is always "4", indicating a cache entry and therefore unreliable.

Table 152: show hosts - display description (Continued)
  Field  Description
  TTL    The time to live reported by the name server. This field is always blank for static entries.
  Host   The host name associated with this record.

Multicast DNS Commands

ip mdns
  This command enables multicast DNS. Use the no form to disable this feature.
29 DHCP Commands

  These commands are used to configure Dynamic Host Configuration Protocol (DHCP) client, relay, and server functions. Any VLAN interface can be configured to automatically obtain an IPv4 address through DHCP. This switch can also be configured to relay DHCP client configuration requests to a DHCP server on another network.

DHCP Client

DHCP for IPv4

ip dhcp dynamic-provision
  This command enables dynamic provisioning via DHCP. Use the no form to disable this feature.

Syntax
  [no] ip dhcp dynamic-provision

Default Setting
  Disabled

Command Mode
  Global Configuration

Command Usage
  DHCPD is the daemon used by Linux to dynamically configure TCP/IP information for client systems. To support DHCP option 66/67, you have to add corresponding statements to the configuration file of DHCPD.

  2. Define the conditions in the class section:

     class "OPT66_67" {
       # for option 66/67
       # option 124
       match if option vendor-class-identifier = "Edgecore";
       # option 55
       option dhcp-parameter-request-list 1,66,67;
       # option 66
       option tftp-server-name "192.168.1.1";
       # option 67
       option bootfile-name "dhcp_config.cfg";
     }

     shared-network Sample2 {
       subnet 192.168.1.0 netmask 255.255.255.0 {
       }
       pool {
         allow members of "OPT66_67";
         range 192.168.1.10 192.168.1.

  ◆ This command is used to identify the vendor class and configuration of the switch to the DHCP server, which then uses this information to decide how to service the client or what type of information to return.
  ◆ The general framework for this DHCP option is set out in RFC 2132 (Option 60).

ip dhcp restart client
  This command submits a DHCP client request.

Default Setting
  None

Command Mode
  Privileged Exec

Command Usage
  ◆ This command issues a DHCP client request for any IP interface that has been set to DHCP mode through the ip address command.
  ◆ DHCP requires the server to reassign the client's last address if available.
DHCP for IPv6

ipv6 dhcp client rapid-commit vlan
This command specifies the Rapid Commit option for DHCPv6 message exchange for all DHCPv6 client requests submitted from the specified interface. Use the no form to disable this option.
Syntax
[no] ipv6 dhcp client rapid-commit vlan vlan-list
vlan-list - VLAN ID, specified as a single number, a range of consecutive numbers separated by a hyphen, or multiple numbers separated by commas.
Default Setting
None
Command Mode
Privileged Exec
Command Usage
◆ This command starts the DHCPv6 client process if it is not yet running by submitting requests for configuration information through the specified interface(s). When DHCPv6 is restarted, the switch may attempt to acquire an IP address prefix through stateful address auto-configuration.
Example
The following command submits a client request on VLAN 1.
Console#ipv6 dhcp restart client vlan 1
Console#
Related Commands
ipv6 address autoconfig (823)

ipv6 dhcp dynamic-provision
This command enables dynamic provisioning via DHCPv6. Use the no form to disable this feature.
Command Usage
DHCPv6 clients and servers are identified by a DHCP Unique Identifier (DUID) included in the client identifier and server identifier options. Static or dynamic address prefixes may be assigned by a DHCPv6 server based on the client’s DUID.
Example
Console#show ipv6 dhcp duid
DHCPv6 Unique Identifier (DUID): 0001-0001-4A8158B4-00E00C0000FD
Console#

show ipv6 dhcp vlan
This command shows DHCPv6 information for the specified interface(s).
Example
Console#show ipv6 dhcp dynamic-provision
Dynamic Provision via DHCPv6 Status: Disabled
Console#

DHCP Relay
This section describes commands used to configure the switch to relay DHCP requests from local hosts to a remote DHCP server.
request, it inserts its own IP address into the request so that the DHCP server will know the subnet where the client is located. Then, the switch forwards the packet to a DHCP server on another network. When the server receives the DHCP request, it allocates a free IP address for the DHCP client from its defined scope for the DHCP client’s subnet, and sends a DHCP response back to the DHCP relay agent (i.e., this switch).
This switch then broadcasts the DHCP response received from the server to the client.
Example
In the following example, the device is reassigned the same address.
Console#ip dhcp restart relay
Console#show ip interface
VLAN 1 is Administrative Up - Link Up
  Address is CC-37-AB-BC-4F-FA
  Index: 1001, MTU: 1500
  Address Mode is User specified
  IP Address: 192.168.2.98 Mask: 255.255.255.0
  Proxy ARP is disabled
  DHCP Relay Server: 192.168.2.
enables DHCPv6 relay service for the VLAN from which the command is entered.
◆ Up to five destination addresses may be defined using consecutive commands.
◆ This command is used to configure DHCPv6 relay functions for host devices attached to the switch.
  Unicast : 2001:DB8:3000:3000::42
Console#

DHCP Server
This section describes commands used to configure client address pools for the DHCP service.
ip dhcp excluded-address
This command specifies IP addresses that the DHCP server should not assign to DHCP clients. Use the no form to remove the excluded IP addresses.
Syntax
[no] ip dhcp excluded-address low-address [high-address]
low-address - An excluded IP address, or the first IP address in an excluded address range.
high-address - The last IP address in an excluded address range.
Default Setting
All IP pool addresses may be assigned.
Example
Console(config)#ip dhcp pool R&D
Console(config-dhcp)#
Related Commands
network (801)
host (798)

service dhcp
This command enables the DHCP server on this switch. Use the no form to disable the DHCP server.
Syntax
[no] service dhcp
Default Setting
Enabled
Command Mode
Global Configuration
Command Usage
If the DHCP server is running, you must restart it to implement any configuration changes.
Example
Console(config-dhcp)#bootfile wme.bat
Console(config-dhcp)#
Related Commands
next-server (802)

client-identifier
This command specifies the client identifier of a DHCP client. Use the no form to remove the client identifier.
Syntax
client-identifier {text text | hex hex}
no client-identifier
text - A text string. (Range: 1-32 characters)
hex - The hexadecimal value.
default-router
This command specifies default routers for a DHCP pool. Use the no form to remove the default routers.
Syntax
default-router {address1 [address2] | bootfile filename}
no default-router
address1 - Specifies the IP address of the primary router.
address2 - Specifies the IP address of an alternate router.
bootfile filename - Specifies the boot file name.
Usage Guidelines
◆ If DNS IP servers are not configured for a DHCP client, the client cannot correlate host names to IP addresses.
◆ Servers are listed in order of preference (starting with address1 as the most preferred server).
Example
Console(config-dhcp)#dns-server 10.1.1.253 192.168.3.19
Console(config-dhcp)#

domain-name
This command specifies the domain name for a DHCP client. Use the no form to remove the domain name.
Default Setting
If no type is specified, the default protocol is Ethernet.
Command Mode
DHCP Pool Configuration
Command Usage
This command identifies a DHCP or BOOTP client to bind to an address specified in the host command. BOOTP clients cannot transmit a client identifier. To bind an address to a BOOTP client, you must associate a hardware address with the host entry.
◆ When searching for a manual binding, the switch compares the client identifier for DHCP clients, and then compares the hardware address for DHCP or BOOTP clients.
◆ If no manual binding has been specified for a host entry with the client-identifier or hardware-address commands, then the switch will assign an address from the matching network pool.
◆ If the mask is unspecified, DHCP examines its address pools.
Example
The following example leases an address to clients using this pool for 7 days.
Console(config-dhcp)#lease 7
Console(config-dhcp)#

netbios-name-server
This command configures NetBIOS Windows Internet Naming Service (WINS) name servers that are available to Microsoft DHCP clients. Use the no form to remove the NetBIOS name server list.
broadcast
hybrid (recommended)
mixed
peer-to-peer
Default Setting
None
Command Mode
DHCP Pool Configuration
Example
Console(config-dhcp)#netbios-node-type hybrid
Console(config-dhcp)#
Related Commands
netbios-name-server (800)

network
This command configures the subnet number and mask for a DHCP address pool. Use the no form to remove the subnet number and mask.
Syntax
network network-number [mask]
no network
network-number - The IP address of the DHCP address pool.
interpreted as class A, B or C, based on the first field in the specified address. In other words, if a subnet address nnn.xxx.xxx.xxx is entered, the first field (nnn) determines the class:
  0 - 127 is class A, only uses the first field in the network address.
  128 - 191 is class B, uses the first two fields in the network address.
  192 - 223 is class C, uses the first three fields in the network address.
◆ The DHCP server assumes that all host addresses are available.
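The relay, scope-selection, excluded-address, manual-binding and classful-network behaviour described in the DHCP Relay and DHCP Server sections above, modelled in Python as an added example (this is not the switch firmware). The relay function fills giaddr with the relay's own interface address; the model server then picks the pool whose subnet contains giaddr, checks manual bindings first (client identifier before hardware address, as the host/hardware-address usage states), skips excluded addresses, hands a returning client its previous address when it is still free (the ip dhcp restart client usage), and reads a network entered without a mask as class A, B or C. Pool names, MACs and addresses are constructed.

```python
"""Server-side DHCP decisions described above: relay giaddr -> scope, excluded
addresses, manual bindings, classful network interpretation.
Added example; not the switch's implementation. All values constructed."""
from ipaddress import IPv4Address, IPv4Network


def classful_mask(network_number):
    """A network entered without a mask: class A (0-127) /8, B (128-191) /16, C (192-223) /24."""
    first = int(str(network_number).split(".")[0])
    if first <= 127:
        return 8
    if first <= 191:
        return 16
    if first <= 223:
        return 24
    raise ValueError(f"{network_number} is not a class A, B or C network")


class Pool:
    """One 'ip dhcp pool' with a 'network' statement; leases map address -> client key."""
    def __init__(self, name, network_number, mask=None):
        prefixlen = classful_mask(network_number) if mask is None else mask
        self.name = name
        self.network = IPv4Network(f"{network_number}/{prefixlen}", strict=False)
        self.leases = {}


class DhcpServer:
    def __init__(self):
        self.pools = []
        self.excluded = set()
        self.hosts = []          # manual bindings as (kind, value, address)

    def ip_dhcp_pool(self, name, network_number, mask=None):
        pool = Pool(name, network_number, mask)
        self.pools.append(pool)
        return pool

    def ip_dhcp_excluded_address(self, low, high=None):
        lo, hi = int(IPv4Address(low)), int(IPv4Address(high or low))
        self.excluded.update(IPv4Address(i) for i in range(lo, hi + 1))

    def host(self, address, client_identifier=None, hardware_address=None):
        if client_identifier:
            self.hosts.append(("client-identifier", client_identifier.lower(), IPv4Address(address)))
        if hardware_address:
            self.hosts.append(("hardware-address", hardware_address.lower(), IPv4Address(address)))

    def _manual_binding(self, client_id, hwaddr):
        """Client identifier is compared first (DHCP clients), then the hardware
        address (DHCP or BOOTP clients)."""
        for kind, value, address in self.hosts:
            if kind == "client-identifier" and client_id and value == client_id.lower():
                return address
        for kind, value, address in self.hosts:
            if kind == "hardware-address" and value == hwaddr.lower():
                return address
        return None

    def offer(self, giaddr, hwaddr, client_id=None):
        """giaddr is what the relay inserted (for a directly attached client pass the
        server's own interface address); it selects the scope."""
        selector = IPv4Address(giaddr)
        manual = self._manual_binding(client_id, hwaddr)
        if manual is not None:
            return manual
        pool = next((p for p in self.pools if selector in p.network), None)
        if pool is None:
            return None                      # no scope for that subnet: request ignored
        key = (client_id or hwaddr).lower()
        for address, owner in pool.leases.items():
            if owner == key:
                return address               # hand back the client's last address
        for address in pool.network.hosts():
            if address in self.excluded or address in pool.leases or address == selector:
                continue
            pool.leases[address] = key
            return address
        return None                          # pool exhausted


def relay(request, relay_interface_ip):
    """DHCP relay agent: if giaddr is still 0.0.0.0, insert the relay's own address on
    the client-facing interface so the server learns the client's subnet; return the
    message as it would be unicast to the server."""
    forwarded = dict(request)
    if forwarded.get("giaddr", "0.0.0.0") == "0.0.0.0":
        forwarded["giaddr"] = relay_interface_ip
    return forwarded
```

Because the scope is chosen from giaddr alone, a relay that inserts the wrong interface address quietly hands out addresses from the wrong pool; checking the giaddr value is the first step when relayed clients get no or unexpected addresses.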
option
Use this command to enable DHCP options. Use the no form of the command to disable DHCP options.
Syntax
option code {ascii word | hex hex-value | ip-address address1 [address2 [address3 [address4]]]}
code - A DHCP option code (Range: 0-254).
ascii word - ASCII character string representing a network device (Range: 148 ASCII characters).
hex hex-value - A concatenated hex number string of up to 4 IPv4 addresses in hex format, each representing a network device.
Command Mode
Privileged Exec
Usage Guidelines
◆ An address specifies the client’s IP address. If no IP address is specified, the DHCP server clears all automatic bindings.
◆ Use the no host command to delete a manual binding.
◆ This command is normally used after modifying the address pool, or after moving DHCP service to another device.
Example
show ip dhcp
This command displays DHCP address pools configured on the switch.
Command Mode
Privileged Exec
Example
Console#show ip dhcp
Name     Type IP Address      Mask            Active Pool
-------- ---- --------------- --------------- ------------------------------
tps      Net  192.168.1.0     255.255.255.0   192.168.1.1 - 192.168.1.254
Total entry : 1
Console#

show ip dhcp pool
This command displays the detailed configuration information of DHCP address pools on the switch.
30 IP Interface Commands

An IP Version 4 and Version 6 address may be used for management access to the switch over the network. Both IPv4 and IPv6 addresses can be used simultaneously to access the switch. You can manually configure a specific IPv4 or IPv6 address or direct the switch to obtain an IPv4 address from a BOOTP or DHCP server when it is powered on. An IPv6 address can either be manually configured or dynamically generated. The IPv4 address for VLAN 1 on this switch is set to 192.168.2.
Chapter 30 | IP Interface Commands
IPv4 Interface

Basic IPv4 Configuration
This section describes commands used to configure IP addresses for VLAN interfaces on the switch.
Command Usage
◆ Before any network interfaces are configured on the router, first create a VLAN for each unique user group, or for each network application and its associated users. Then assign the ports associated with each of these VLANs.
◆ An IP address must be assigned to this device to gain management access over the network or to connect the router to existing IP subnets.
Related Commands
ip dhcp restart client (783)
ip default-gateway (810)
ipv6 address (821)

ip default-gateway
This command specifies the default gateway for destinations not found in local routing tables. Use the no form to remove a default gateway.
Syntax
ip default-gateway gateway
no ip default-gateway
gateway - IP address of the default gateway
Default Setting
No default gateway is established.
C 192.168.2.0/24 is directly connected, VLAN1
Console(config)#
Related Commands
ip address (808)
ip route (866)
ipv6 default-gateway (820)

show ip interface
This command displays the settings of an IPv4 interface.
show ip traffic
This command displays statistics for IP, ICMP, UDP, TCP and ARP protocols.
  input errors 9897
  output
Console#

traceroute
This command shows the route packets take to the specified destination.
Syntax
traceroute host
host - IP address or alias of the host.
Default Setting
None
Command Mode
Privileged Exec
Command Usage
◆ Use the traceroute command to determine the path taken to reach a specified destination.
Example
Console#traceroute 192.168.0.99
Press "ESC" to abort.
Traceroute to 192.168.0.99, 30 hops max, timeout is 3 seconds
Hop Packet 1 Packet 2 Packet 3 IP Address
--- -------- -------- -------- ---------------
1   20 ms    <10 ms   <10 ms   192.168.0.99
Trace completed.
Console#

ping
This command sends (IPv4) ICMP echo request packets to another node on the network.
Syntax
ping host [count count] [size size]
host - IP address or alias of the host.
◆ When pinging a host name, be sure the DNS server has been defined (page 773) and host name-to-address translation enabled (page 771). If necessary, local devices can also be specified in the DNS static host table (page 772).
Example
Console#ping 10.1.0.9
Press ESC to abort.
PING to 10.1.0.
Default Setting
No default entries
Command Mode
Global Configuration
Command Usage
◆ The ARP cache is used to map 32-bit IP addresses into 48-bit hardware (i.e., Media Access Control) addresses. This cache includes entries for hosts and other routers on local network interfaces defined on this router.
◆ The maximum number of static entries allowed in the ARP cache is 128.
Command Usage
◆ When an ARP entry expires, it is deleted from the cache and an ARP request packet is sent to re-establish the MAC address.
◆ The aging time determines how long dynamic entries remain in the cache. If the timeout is too short, the router may tie up resources by repeating ARP requests for addresses recently flushed from the table.
Example
This example sets the ARP cache timeout for 15 minutes (i.e., 900 seconds).
clear arp-cache
This command deletes all dynamic entries from the Address Resolution Protocol (ARP) cache.
Command Mode
Privileged Exec
Example
This example clears all dynamic entries in the ARP cache.
Console#clear arp-cache
This operation will delete all the dynamic entries in ARP Cache.
Do you want to continue this operation (y/n)?
Console#

show arp
This command displays entries in the Address Resolution Protocol (ARP) cache.
IPv6 Interface
This switch supports the following IPv6 interface commands.
Table 163: IPv6 Configuration Commands (Continued)
Command                 Function                                                                                                        Mode
ipv6 nd ns-interval     Configures the interval between IPv6 neighbor solicitation retransmissions on an interface                      IC
ipv6 nd raguard         Blocks incoming Router Advertisement and Router Redirect packets
ipv6 nd reachable-time  Configures the amount of time that a remote IPv6 node is considered reachable after some reachability confirmation event has occurred  IC
ipv6 nd prefix          Configur
Command Usage
◆ All IPv6 addresses must be formatted according to RFC 2373 “IPv6 Addressing Architecture,” using 8 colon-separated 16-bit hexadecimal values. One double colon may be used in the address to indicate the appropriate number of zeros required to fill the undefined fields.
◆ The same link-local address may be used by different interfaces/nodes in different zones (RFC 4007).
Command Usage
◆ All IPv6 addresses must be formatted according to RFC 2373 “IPv6 Addressing Architecture,” using 8 colon-separated 16-bit hexadecimal values. One double colon may be used in the address to indicate the appropriate number of zeros required to fill the undefined fields.
◆ To connect to a larger network with multiple subnets, you must configure a global unicast address.
ipv6 address autoconfig
This command enables stateless autoconfiguration of IPv6 addresses on an interface and enables IPv6 on the interface. The network portion of the address is based on prefixes received in IPv6 router advertisement messages; the host portion is based on the modified EUI-64 form of the interface identifier (i.e., the switch’s MAC address). Use the no form to remove the address generated by this command.
Console#
Related Commands
ipv6 address (821)
show ipv6 interface (830)

ipv6 address dhcp
This command enables IPv6 DHCP client functionality on an interface so that it can acquire a stateful IPv6 address. Use the no form of the command to disable the IPv6 DHCP client.
ipv6 address eui-64
This command configures an IPv6 address for an interface using an EUI-64 interface ID in the low order 64 bits and enables IPv6 on the interface. Use the no form without any arguments to remove all manually configured IPv6 addresses from the interface. Use the no form with a specific address to remove it from the interface.
globally defined addresses and 0 for locally defined addresses), changing 28 to 2A. Then the two bytes FFFE are inserted between the OUI (i.e., company id) and the rest of the address, resulting in a modified EUI-64 interface identifier of 2A-9F-18-FF-FE-1C-82-35.
◆ This host addressing method allows the same interface identifier to be used on multiple IP interfaces of a single device, as long as those interfaces are attached to different subnets.
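The modified EUI-64 derivation just described, as an added Python example (not the switch's code) using the MAC 28-9F-18-1C-82-35 from the text. It also builds the link-local and EUI-64 global addresses that the ipv6 address ... eui-64 and ipv6 address ... link-local commands produce, and includes a check for whether a given address embeds a MAC in its interface identifier, which is useful when auditing which of a device's addresses reveal its hardware identity across networks. The global prefix 2001:db8:0:1::/64 is taken from the show ipv6 interface output in this chapter; the function and helper names are this example's own.

```python
"""Modified EUI-64 interface identifier and the addresses built from it.
Added example, not the switch's implementation."""
from ipaddress import IPv6Address, IPv6Network


def modified_eui64(mac):
    """MAC 'xx-xx-xx-xx-xx-xx' (or colon form) -> 8-byte modified EUI-64.
    Inverts the universal/local bit (bit 1 of the first byte) and inserts
    FF-FE between the OUI and the device-specific part."""
    octets = bytes.fromhex(mac.replace("-", "").replace(":", ""))
    if len(octets) != 6:
        raise ValueError("MAC must be 48 bits")
    return bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]


def eui64_text(eid):
    """Dash-separated upper-case form, as the manual prints it."""
    return "-".join(f"{b:02X}" for b in eid)


def address_from_prefix(prefix, mac):
    """Combine a /64 prefix with the modified EUI-64 host part (ipv6 address ... eui-64)."""
    net = IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 addressing needs a 64-bit prefix")
    host = int.from_bytes(modified_eui64(mac), "big")
    return IPv6Address(int(net.network_address) | host)


def link_local_from_mac(mac):
    """The fe80::/64 address an interface derives from its MAC."""
    return address_from_prefix("fe80::/64", mac)


def is_eui64_derived(addr):
    """True if the interface identifier carries FF-FE in the middle, i.e. it embeds a MAC
    and therefore identifies the hardware on every network it is used on."""
    iid = int(IPv6Address(addr)) & ((1 << 64) - 1)
    return (iid >> 24) & 0xFFFF == 0xFFFE
```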
ipv6 address link-local
This command configures an IPv6 link-local address for an interface and enables IPv6 on the interface. Use the no form without any arguments to remove all manually configured IPv6 addresses from the interface. Use the no form with a specific address to remove it from the interface.
Syntax
ipv6 address ipv6-address link-local
no ipv6 address [ipv6-address link-local]
ipv6-address - The IPv6 address assigned to the interface.
  ff02::1
IPv6 link MTU is 1500 bytes
ND DAD is enabled, number of DAD attempts: 3.
IPv6 is enabled
Link-local address:
  fe80::269:3ef9:fe19:6779%1/64
Global unicast address(es):
  2001:db8:0:1:7272:cfff:fe83:3466/64, subnet is 2001:db8:0:1::/64[EUI]
  2001:db8:2222:7272::72/96, subnet is 2001:db8:2222:7272::/96
Joined group address(es):
  ff02::1:ff19:6779
  ff02::1:ff00:72
  ff02::1:ff83:3466
  ff02::1
IPv6 link MTU is 1500 bytes
ND DAD is enabled, number of DAD attempts: 3.
◆ All devices on the same physical medium must use the same MTU in order to operate correctly.
◆ IPv6 must be enabled on an interface before the MTU can be set.
  FF01::1/16
  FF02::1/16
  FF02::1:FF00:1/104
  FF02::1:FF11:6770/104
  FF02::1:FF32:2120/104
IPv6 link MTU is 1500 bytes
ND DAD is enabled, number of DAD attempts: 1.
Table 164: show ipv6 interface - display description (Continued)
Field                          Description
ND advertised reachable time   The reachable time is included in all router advertisements sent out of an interface so that nodes on the same link use the same time value.
ND advertised router lifetime  The length of time during which the prefix is valid for on-link determination.
Table 165: show ipv6 mtu - display description*
Field                Description
MTU                  Adjusted MTU contained in the ICMP packet-too-big message returned from this destination, and now used for all traffic sent along this path.
Since                Time since an ICMP packet-too-big message was received from this destination.
Destination Address  Address which sent an ICMP packet-too-big message.
* No information is displayed if an IPv6 address has not been assigned to the switch.
  neighbor advertisement messages
  redirect messages
  group membership query messages
  group membership response messages
  group membership reduction messages
ICMPv6 sent
  6 output
  destination unreachable messages
  packet too big messages
  time exceeded messages
  parameter problem message
  echo request messages
  echo reply messages
  3 router solicit messages
  router advertisement messages
  3 neighbor solicit messages
  neighbor advertisement messages
  redirect messages
  group
Table 166: show ipv6 traffic - display description (Continued)
Field     Description
discards  The number of input IPv6 datagrams for which no problems were encountered to prevent their continued processing, but which were discarded (e.g., for lack of buffer space). Note that this counter does not include any datagrams discarded while awaiting re-assembly.
delivers  The total number of datagrams successfully delivered to IPv6 user protocols (including ICMP).
Table 166: show ipv6 traffic - display description (Continued)
Field            Description
ICMPv6 Statistics
ICMPv6 received
input            The total number of ICMP messages received by the interface which includes all those counted by ipv6IfIcmpInErrors. Note that this interface is the interface to which the ICMP messages were addressed which may not be necessarily the input interface for the messages.
Table 166: show ipv6 traffic - display description (Continued)
Field                          Description
echo reply messages            The number of ICMP Echo Reply messages sent by the interface.
router solicit messages        The number of ICMP Router Solicitation messages sent by the interface.
router advertisement messages  The number of ICMP Router Advertisement messages sent by the interface.
ping6
This command sends (IPv6) ICMP echo request packets to another node on the network.
Syntax
ping6 {ipv6-address | host-name} [count count] [size size]
ipv6-address - The IPv6 address of a neighbor device. You can specify either a link-local or global unicast address formatted according to RFC 2373 “IPv6 Addressing Architecture,” using 8 colon-separated 16-bit hexadecimal values.
response time: 0 ms [FE80::2E0:CFF:FE00:FC] seq_no: 3
response time: 0 ms [FE80::2E0:CFF:FE00:FC] seq_no: 4
response time: 0 ms [FE80::2E0:CFF:FE00:FC] seq_no: 5
Ping statistics for FE80::2E0:CFF:FE00:FC%1/64:
 5 packets transmitted, 5 packets received (100%), 0 packets lost (0%)
Approximate round trip times:
 Minimum = 0 ms, Maximum = 20 ms, Average = 4 ms
Console#

traceroute6
This command shows the route packets take to the specified destination.
prints a series of asterisks and the “Request Timed Out” message. A long sequence of these messages, terminating only when the maximum timeout has been reached, may indicate this problem with the target device.
Example
Console#traceroute6 FE80::2E0:CFF:FE9C:CA10%1
Press "ESC" to abort.
Traceroute to FE80::2E0:CFF:FE9C:CA10%1/64, 30 hops max, timeout is 3 seconds, 5 max failure(s) before termination.
ipv6 neighbor
This command configures a static entry in the IPv6 neighbor discovery cache. Use the no form to remove a static entry from the cache.
Syntax
ipv6 neighbor ipv6-address vlan vlan-id hardware-address
no ipv6 neighbor ipv6-address vlan vlan-id
ipv6-address - The IPv6 address of a neighbor device that can be reached through one of the network interfaces configured on this switch.
Example
The following maps a static entry for a global unicast address to a MAC address:
Console(config)#ipv6 neighbor 2009:DB9:2229::81 vlan 1 30-65-14-01-11-86
Console(config)#end
Console#show ipv6 neighbors
State: I1 - Incomplete, I2 - Invalid, R - Reachable, S - Stale, D - Delay, P1 - Probe, P2 - Permanent, U - Unknown
IPv6 Address        Age        Link-layer Addr    State VLAN
2009:DB9:2229::80   956        12-34-11-11-43-21  R     1
2009:DB9:2229::81   Permanent  30-65-14-01-11-86  R     1
in a “tentative” state. If no duplicate link-local address is found, duplicate address detection is started for the remaining IPv6 addresses.
◆ If a duplicate address is detected, it is set to “duplicate” state, and a warning message is sent to the console. If a duplicate link-local address is detected, IPv6 processes are disabled on the interface. If a duplicate global unicast address is detected, it is not used.
ipv6 nd managed-config-flag
This command configures IPv6 router advertisements to indicate to attached hosts that they can use stateful autoconfiguration to obtain addresses. Use the no form to clear this flag from router advertisements.
Default Setting
Disabled
Command Mode
Interface Configuration (VLAN)
Command Usage
◆ The “other-stateful-configuration” flag tells hosts that they should use stateful autoconfiguration to obtain information other than addresses from a DHCPv6 server.
◆ This command specifies the interval between transmitting neighbor solicitation messages when resolving an address, or when probing the reachability of a neighbor. Therefore, avoid using very short intervals for normal IPv6 operations.
◆ Setting the neighbor solicitation interval to 0 means that the configured time is unspecified by this router.
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
◆ IPv6 Router Advertisements (RA) convey information that enables nodes to auto-configure on the network. This information may include the default router address taken from the observed source address of the RA message, as well as on-link prefix information.
ipv6 nd reachable-time
This command configures the amount of time that a remote IPv6 node is considered reachable after some reachability confirmation event has occurred. Use the no form to restore the default setting.
Syntax
ipv6 nd reachable-time milliseconds
no ipv6 nd reachable-time
milliseconds - The time that a node can be considered reachable after receiving confirmation of reachability.
no ipv6 nd prefix ipv6-address/prefix-length
ipv6-address - An IPv6 address including the network prefix and host address bits.
prefix-length - A decimal value indicating how many contiguous bits (from the left) of the address comprise the prefix (i.e., the network portion of the address).
default - Uses default values for remaining parameters.
valid-lifetime - The amount of time that the specified IPv6 prefix is advertised as being valid.
Example
The following configures a network prefix with a valid lifetime of 1000 seconds, and a preferred lifetime of 900 seconds:
Console(config)#interface vlan 1
Console(config)#ipv6 nd prefix 2011:0DBF::/35 1000 900
Console(config)#

ipv6 nd ra interval
This command configures the interval between the transmission of IPv6 router advertisements on an interface. Use the no form to restore the default interval.
ipv6 nd ra lifetime
This command configures the router lifetime value used in IPv6 router advertisements sent from an interface. Use the no form to restore the default setting.
Syntax
ipv6 nd ra lifetime lifetime
no ipv6 nd ra lifetime
lifetime - Router lifetime.
Default Setting
medium
Command Usage
Default router preference may be used to prioritize routers which provide equivalent, but not equal-cost, routing, and policy dictates that hosts should prefer one of the routers.
clear ipv6 neighbors
This command deletes all dynamic entries in the IPv6 neighbor discovery cache.
Command Mode
Privileged Exec
Example
The following deletes all dynamic entries in the IPv6 neighbor cache:
Console#clear ipv6 neighbors
Console#

show ipv6 neighbors
This command displays information in the IPv6 neighbor discovery cache.
Table 167: show ipv6 neighbors - display description (Continued)
Field            Description
Link-layer Addr  Physical layer MAC address.
State            The following states are used for dynamic entries:
                 I1 (Incomplete) - Address resolution is being carried out on the entry. A neighbor solicitation message has been sent to the multicast address of the target, but it has not yet returned a neighbor advertisement message.
                 I2 (Invalid) - An invalidated mapping.
Example
The following shows all neighbor discovery IPv6 prefixes for VLAN 1:
Console#show ipv6 nd prefix vlan 1
Ipv6 Neighbor Discovery Prefix Information.
VLAN Name          : DefaultVlan
IPv6 Prefix        : 2011:dbf::/35
Valid Lifetime     : 2592000
Preferred Lifetime : 604800
On-link Flag       : On
Autonomous Flag    : On
Console#

ND Snooping
Neighbor Discovery (ND) Snooping maintains an IPv6 prefix table and user address binding table.
Table 168: ND Snooping Commands (Continued)
Command                                           Function                                                                              Mode
ipv6 nd snooping auto-detect retransmit interval  Sets the interval between sending NS messages to determine if a binding is still valid  GC
ipv6 nd snooping prefix timeout                   Sets the time to wait for an RA message before deleting an entry in the prefix table   GC
ipv6 nd snooping max-binding                      Sets the maximum number of address entries which can be bound to a port                IC
ipv6 nd snooping trust                            C
according to the Prefix Information option in the RA message. The prefix table records prefix, prefix length, valid lifetime, as well as the VLAN and port interface which received the message.
◆ If an RA message is not received updating a table entry with the same prefix for a specified timeout period, the entry is deleted.
Command Mode
Global Configuration
Command Usage
If auto-detection is enabled, the switch periodically sends an NS message to determine if a client listed in the dynamic binding table still exists. If it does not receive an RA message in response after the configured timeout, the entry is dropped. If the switch receives an RA message before the timeout expires, it resets the lifetime for the dynamic binding, and the auto-detection process resumes.
ipv6 nd snooping auto-detect retransmit interval
This command sets the interval between which the auto-detection process sends NS messages to determine if a dynamic user binding is still valid. Use the no form to restore the default setting.
contained in the message. If an RA message is not received for a table entry with the same prefix for the specified timeout period, the entry is deleted.
Example
Console(config)#ipv6 nd snooping prefix timeout 200
Console(config)#

ipv6 nd snooping max-binding
This command sets the maximum number of address entries in the dynamic user binding table which can be bound to a port. Use the no form to restore the default setting.
Command Usage
◆ In general, interfaces facing toward the network core, or toward routers supporting the Neighbor Discovery protocol, are configured as trusted interfaces.
◆ RA messages received from a trusted interface are added to the prefix table and forwarded toward their destination.
◆ NS messages received from a trusted interface are forwarded toward their destination. Nothing is added to the dynamic user binding table.
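The ND snooping tables described in this section, simulated in Python as an added example (not the switch implementation). Trusted ports feed the prefix table from RA Prefix Information options and RA on untrusted ports is dropped; NS from untrusted ports creates bindings, capped per port by max-binding, while NS from trusted ports is forwarded without creating one; an auto-detect round removes bindings whose address does not answer the probe; prefix entries expire when no RA refreshes them within the prefix timeout. That a binding is accepted only when its address falls inside a learned prefix on the same VLAN is an assumption of this model, not something the page states. Port names, VLANs, lifetimes and addresses are constructed.

```python
"""ND snooping prefix table and dynamic user binding table, as a simulation.
Added example, not the switch's code. Messages and values are constructed."""
from dataclasses import dataclass, field
from ipaddress import IPv6Address, IPv6Network


@dataclass
class NdSnooping:
    trusted: set = field(default_factory=set)      # ports given 'ipv6 nd snooping trust'
    max_binding: int = 5                           # 'ipv6 nd snooping max-binding' per port
    prefix_timeout: int = 300                      # 'ipv6 nd snooping prefix timeout' (seconds)
    binding_lifetime: int = 600                    # constructed lifetime of a dynamic binding
    prefixes: dict = field(default_factory=dict)   # (vlan, IPv6Network) -> entry
    bindings: dict = field(default_factory=dict)   # (vlan, IPv6Address) -> entry

    def receive_ra(self, vlan, port, prefix, valid_lifetime, now):
        """RA Prefix Information from a trusted port updates the prefix table and the
        RA is forwarded; an RA arriving on an untrusted port is dropped."""
        if port not in self.trusted:
            return "dropped"
        net = IPv6Network(prefix)
        self.prefixes[(vlan, net)] = {"port": port, "valid_lifetime": valid_lifetime,
                                      "expires": now + self.prefix_timeout}
        return "forwarded"

    def receive_ns(self, vlan, port, source, now):
        """NS from a trusted port is forwarded without creating a binding. NS from an
        untrusted port binds (vlan, address) to that port, subject to max-binding.
        Assumption of this model: the address must lie in a learned prefix on the VLAN."""
        if port in self.trusted:
            return "forwarded"
        addr = IPv6Address(source)
        if not any(v == vlan and addr in net for (v, net) in self.prefixes):
            return "dropped"
        key = (vlan, addr)
        on_port = sum(1 for b in self.bindings.values() if b["port"] == port)
        if key not in self.bindings and on_port >= self.max_binding:
            return "dropped"
        self.bindings[key] = {"port": port, "expires": now + self.binding_lifetime}
        return "bound"

    def auto_detect(self, now, answered):
        """One auto-detect round: an NS is sent for every binding; `answered` holds the
        addresses that replied before the detect timeout. Non-responders are dropped,
        responders get their lifetime reset."""
        for key in list(self.bindings):
            if key[1] in answered:
                self.bindings[key]["expires"] = now + self.binding_lifetime
            else:
                del self.bindings[key]

    def expire(self, now):
        """Drop prefix entries not refreshed by an RA within prefix_timeout, and
        bindings that have outlived their lifetime."""
        self.prefixes = {k: v for k, v in self.prefixes.items() if v["expires"] > now}
        self.bindings = {k: v for k, v in self.bindings.items() if v["expires"] > now}
```

With this model the effect of a trust misconfiguration is visible directly: a host-facing port marked trusted lets any RA it receives into the prefix table, which is the condition that makes every later binding decision on that VLAN depend on that RA's contents.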
-------------------------------------- --- ---------- ---------- ---- --------
Console#

show ipv6 nd
This command shows the configuration settings for ND snooping.
show ipv6 nd snooping prefix
This command shows all entries in the address prefix table.
Syntax
show ipv6 nd snooping prefix [interface vlan vlan-id]
vlan-id - VLAN ID.
28 IP Routing Commands After network interfaces are configured for the switch, the paths used to send traffic between different interfaces must be set. To forward traffic to devices on other subnetworks, configure fixed paths with static routing commands. This section includes commands for static routing. These commands are used to connect between different local subnetworks or to connect the router to the enterprise network.
Chapter 28 | IP Routing Commands Global Routing Configuration IPv4 Commands ip route This command configures static routes. Use the no form to remove static routes. Syntax ip route destination-ip netmask next-hop [distance] no ip route {destination-ip netmask next-hop | *} destination-ip – IP address of the destination network, subnetwork, or host. netmask - Network mask for the associated IP subnet. This mask identifies the host address bits used for routing to specific subnets.
show ip route This command displays information in the Forwarding Information Base (FIB). Syntax show ip route [connected | database | static | summary] connected – Displays all currently connected entries. database – All known routes, including inactive routes. See show ip route database. static – Displays all static entries.
C 192.168.2.0/24 is directly connected, VLAN1 Console# The RIB contains all available routes learned through directly attached networks, and any additionally configured routes such as static routes. The RIB contains the set of all available routes from which optimal entries are selected for use by the Forwarding Information Base (see Command Usage under the show ip route command).
Console# Table 190: show ip host-route - display description. IP Address: IP address of the destination network, subnetwork, or host. MAC Address: The physical layer address associated with the IP address. VLAN: The VLAN that connects to this IP address. Port: The port that connects to this IP address. show ip route This command displays entries in the Routing Information Base (RIB).
Console#show ip route summary IP routing table name is Default-IP-Routing-Table(0) IP routing table maximum-paths is 8 Connected 2 Total 2 Console# show ip traffic This command displays statistics for IP, ICMP, UDP, TCP and ARP protocols.
source quench messages address mask request messages address mask reply messages UDP Statistics: 2 input no port errors other errors output TCP Statistics: 4698 input input errors 5867 output Console# IPv6 Commands ipv6 route This command configures static IPv6 routes. Use the no form to remove static routes.
◆ If an administrative distance is defined for a static route, and the same destination can be reached through a dynamic route at a lower administrative distance, then the dynamic route will be used. ◆ The default distance of 1 will take precedence over any other type of route, except for local routes.
changes occur in the network, the routing table is updated, and those changes are immediately reflected in the FIB. The FIB is distinct from the routing table (or Routing Information Base), which holds all routing information received from routing peers. The forwarding information base contains unique paths only. It does not contain any secondary paths.
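RIB-to-FIB selection by administrative distance and the longest-prefix forwarding decision described above, as an added Python model that is not part of the guide or the switch software. The guide states only the static default distance of 1 and that local routes take precedence, so the distance 0 for connected routes, the sample routes and the addresses are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Distances assumed for this example: the page gives the static default (1) and
# says local/connected routes win over everything, so they get 0 here.
DEFAULT_DISTANCE = {"connected": 0, "static": 1}

@dataclass(frozen=True)
class Route:
    prefix: str                      # destination network, e.g. "10.1.0.0/16"
    next_hop: str                    # egress VLAN for connected routes, gateway address for static
    kind: str                        # "connected" or "static"
    distance: Optional[int] = None   # the optional [distance] argument of "ip route"

    def admin_distance(self):
        return DEFAULT_DISTANCE[self.kind] if self.distance is None else self.distance

def build_fib(rib):
    """RIB -> FIB: keep one route per prefix, the one with the lowest administrative
    distance (ties keep the first entry seen), so the FIB holds no secondary paths."""
    fib = {}
    for r in rib:
        net = ipaddress.ip_network(r.prefix)
        if net not in fib or r.admin_distance() < fib[net].admin_distance():
            fib[net] = r
    return fib

def lookup(fib, dst):
    """Forwarding decision: longest-prefix match against the FIB, or None (no route)."""
    addr = ipaddress.ip_address(dst)
    hits = [net for net in fib if addr in net]
    return fib[max(hits, key=lambda n: n.prefixlen)] if hits else None

# Constructed RIB: the connected VLAN1 route from the example output above plus a
# few static routes, including two candidates for 10.1.0.0/16 at different distances.
SAMPLE_RIB = [
    Route("192.168.2.0/24", "VLAN1", "connected"),
    Route("192.168.2.0/24", "10.0.0.9", "static", 5),        # loses to the connected route
    Route("10.0.0.0/8", "192.168.2.254", "static"),          # default distance 1
    Route("10.1.0.0/16", "192.168.2.253", "static", 200),    # floating backup, not installed
    Route("10.1.0.0/16", "192.168.2.252", "static", 50),     # installed for 10.1.0.0/16
    Route("0.0.0.0/0", "192.168.2.1", "static"),             # default route
]
FIB = build_fib(SAMPLE_RIB)

if __name__ == "__main__":
    for dst in ("192.168.2.7", "10.1.2.3", "10.9.9.9", "203.0.113.5"):
        r = lookup(FIB, dst)
        print(f"{dst:<12} -> {r.prefix} via {r.next_hop} (distance {r.admin_distance()})")
```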
Example Console(config)#maximum-paths 8 Console(config)#
Section III Appendices This section provides additional information and includes these items: ◆ “Troubleshooting” on page 877 ◆ “License Information” on page 879
A Troubleshooting Problems Accessing the Management Interface Table 191: Troubleshooting Chart (Symptom / Action). Cannot connect using Telnet, or SNMP software: ◆ Be sure the switch is powered up. ◆ Check network cabling between the management station and the switch. Make sure the ends are properly connected and there is no damage to the cable. Test the cable if necessary. Cannot connect using Secure Shell:
Appendix A | Troubleshooting Using System Logs If a fault does occur, refer to the Installation Guide to ensure that the problem you encountered is actually caused by the switch. If the problem appears to be caused by the switch, follow these steps: 1. Enable logging. 2. Set the error messages reported to include all categories. 3. Enable SNMP. 4. Enable SNMP traps. 5. Designate the SNMP host that is to receive the error messages. 6.
B License Information This product includes copyrighted third-party software subject to the terms of the GNU General Public License (GPL), GNU Lesser General Public License (LGPL), or other related free software licenses. The GPL code used in this product is distributed WITHOUT ANY WARRANTY and is subject to the copyrights of one or more authors. For details, refer to the section "The GNU General Public License" below, or refer to the applicable license as included in the source-code archive.
Appendix B | License Information The GNU General Public License GNU GENERAL PUBLIC LICENSE TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION 1. This License applies to any program or other work which contains a notice placed by the copyright holder saying it may be distributed under the terms of this General Public License.
b) Accompany it with a written offer, valid for at least three years, to give any third party, for a charge no more than your cost of physically performing source distribution, a complete machine-readable copy of the corresponding source code, to be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or, c) Accompany it with the information you received as to the offer to distribute c
9. If the distribution and/or use of the Program is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the Program under this License may add an explicit geographical distribution limitation excluding those countries, so that distribution is permitted only in or among countries not thus excluded.
List of Commands aaa accounting commands 234 aaa accounting dot1x 235 aaa accounting exec 236 aaa accounting update 237 aaa authorization commands 237 aaa authorization exec 238 aaa group server 239 absolute 167 access-list arp 388 access-list ip 370 access-list ipv6 376 access-list mac 382 accounting commands 240 accounting dot1x 240 accounting exec 241 arp 815 arp timeout 816 authentication enable 222 authentication login 223 authorization commands 242 authorization exec 242 auto-traffic-control 459 auto
delete public-key 256 description 625 description 399 dir 123 disable 90 discard 399 disconnect 137 dns-server 796 domain-name 797 dos-protection echo-chargen 358 dos-protection land 358 dos-protection smurf 359 dos-protection tcp-flooding 359 dos-protection tcp-null-scan 360 dos-protection tcp-syn-fin-scan 360 dos-protection tcp-udp-port-zero 361 dos-protection tcp-xmas-scan 361 dos-protection udp-flooding 362 dos-protection win-nuke 362 dot1q-tunnel system-tunnel-control 543 dot1q-tunnel
ip http server 246 ip igmp authentication 675 ip igmp filter (Global Configuration) 673 ip igmp filter (Interface Configuration) 677 ip igmp max-groups 677 ip igmp max-groups action 678 ip igmp profile 673 ip igmp query-drop 679 ip igmp snooping 647 ip igmp snooping immediate-leave 664 ip igmp snooping mrouter-forward-mode dynamic 648 ip igmp snooping priority 648 ip igmp snooping proxy-reporting 649 ip igmp snooping querier 650 ip igmp snooping router-alert-option-check 650 ip igmp snoopi
ipv6 nd snooping auto-detect retransmit interval 859 ipv6 nd snooping max-binding 860 ipv6 nd snooping prefix timeout 859 ipv6 nd snooping trust 860 ipv6 neighbor 841 ipv6 route 871 ipv6 source-guard 345 ipv6 source-guard binding 343 ipv6 source-guard max-binding 346 jumbo frame 115 l2protocol-tunnel tunnel-dmac 550 lacp 430 lacp actor/partner mode (Ethernet Interface) 432 lacp admin-key (Ethernet Interface) 433 lacp admin-key (Port Channel) 435 lacp port-priority 434 lacp system-priority
network-access link-detection 296 network-access link-detection link-down 296 network-access link-detection link-up 297 network-access link-detection link-up-down 298 network-access mac-filter 292 network-access max-mac-count 298 network-access mode mac-authentication 299 network-access port-mac-filter 300 next-server 802 nlm 195 no rspan session 448 non-revertive 588 ntp authenticate 155 ntp authentication-key 156 ntp client 157 ntp server 157 option 803 parity 133 password 133 password-t
show authorization 244 show auto-traffic-control 467 show auto-traffic-control interface 468 show banner 103 show bridge-ext 529 show cable-diagnostics 424 show calendar 166 show class-map 638 show cluster 174 show cluster candidates 175 show cluster members 174 show discard 405 show dns 775 show dns cache 775 show dos-protection 363 show dot1q-tunnel 549 show dot1q-tunnel service 548 show dot1x 269 show efm oam counters interface 765 show efm oam event-log interface 765 show efm oam remot
show lldp info remote-device 754 show lldp info statistics 756 show log 145 show logging 146 show logging sendmail 151 show loopback-detection 473 show mac access-group 387 show mac access-list 388 show mac-address-table 487 show mac-address-table aging-time 488 show mac-address-table count 489 show mac-address-table hash-algorithm 488 show mac-address-table hash-lookup-depth 489 show mac-vlan 564 show management 273 show memory 105 show mvr 722 show mvr associated-profile 723 show mvr int
snmp-server enable port-traps atc multicast-control-apply 466 snmp-server enable port-traps atc multicast-control-release 467 snmp-server enable port-traps link-up-down 185 snmp-server enable port-traps mac-notification 186 snmp-server enable traps 182 snmp-server engine-id 187 snmp-server group 188 snmp-server host 183 snmp-server location 181 snmp-server notify-filter 196 snmp-server user 189 snmp-server view 191 sntp client 152 sntp poll 153 sntp server 154 spanning-tree 494 spanning-tre
vlan database 532 vlan-trunking 539 voice vlan 565 voice vlan aging 566 voice vlan mac-address 567 watchdog software 114 web-auth 308 web-auth login-attempts 306 web-auth quiet-period 306 web-auth re-authenticate (IP) 309 web-auth re-authenticate (Port) 308 web-auth session-timeout 307 web-auth system-auth-control 307 whichboot 124 wtr-timer 585