ECS4530-54CSFP CLI Reference Guide Software Release v1.0.3.193 www.edge-core.
CLI Reference Guide ECS4530-54CSFP Gigabit Ethernet Switch with 44 1000BASE CSFP ports 4 1000BASE combo (CSFP + GE) ports 4 10GBASE SFP+ ports and 20GBASE QSFP+ ports E112019-MR-R01
How to Use This Guide
This guide includes detailed information on the switch software, including how to operate and use the management functions of the switch. To deploy this switch effectively and ensure trouble-free operation, you should first read the relevant sections in this guide so that you are familiar with all of its software features.
Who Should Read This Guide?
This guide is for network administrators who are responsible for operating and maintaining network equipment.
Conventions
The following conventions are used throughout this guide to show information:
Note: Emphasizes important information or calls your attention to related features or instructions.
Caution: Alerts you to a potential hazard that could cause loss of data, or damage the system or equipment.
Documentation
This documentation is provided for general information purposes only.
Contents Section I How to Use This Guide 3 Contents 5 Tables 37 Getting Started 43 1 Initial Switch Configuration Connecting to the Switch 45 45 Configuration Options 45 Connecting to the Console Port 46 Logging Onto the Command Line Interface 47 Setting Passwords 47 Remote Connections 48 Configuring the Switch for Remote Management 49 Using the Craft Port or Network Interface 49 Setting an IP Address 49 Enabling SNMP Management Access 55 Managing System Files 57 Upgrading th
Contents Section II Command Line Interface 2 Using the Command Line Interface Accessing the CLI 69 71 71 Console Connection 71 Telnet Connection 72 Entering Commands 73 Keywords and Arguments 73 Minimum Abbreviation 73 Command Completion 73 Getting Help on Commands 74 Partial Keyword Lookup 76 Negating the Effect of Commands 76 Using Command History 76 Understanding Command Modes 76 Exec Commands 77 Configuration Commands 78 Command Line Processing 79 Showing Status Informati
Contents Device Designation 91 hostname 92 Banner Information 92 banner configure 93 banner configure company 94 banner configure dc-power-info 95 banner configure department 95 banner configure equipment-info 96 banner configure equipment-location 97 banner configure ip-lan 97 banner configure lp-number 98 banner configure manager-info 99 banner configure mux 99 banner configure note 100 show banner 101 System Status 101 show access-list tcam-utilization 102 show memory
Contents delete 120 dir 121 umount 122 whichboot 122 Automatic Code Upgrade Commands 123 upgrade opcode auto 123 upgrade opcode path 124 upgrade opcode reload 125 show upgrade 126 TFTP Configuration Commands 126 ip tftp retry 126 ip tftp timeout 127 show ip tftp 127 Line 128 line 129 databits 129 exec-timeout 130 login 131 parity 132 password 132 password-thresh 133 silent-time 134 speed 135 stopbits 135 timeout login response 136 disconnect 136 terminal
Contents logging trap 143 clear log 144 show log 144 show logging 145 SMTP Alerts 147 logging sendmail 147 logging sendmail destination-email 147 logging sendmail host 148 logging sendmail level 149 logging sendmail source-email 149 show logging sendmail 150 Time 150 SNTP Commands 151 sntp client 151 sntp poll 152 sntp server 153 show sntp 153 NTP Commands 154 ntp authenticate 154 ntp authentication-key 155 ntp client 156 ntp server 156 show ntp 157 show ntp st
Contents absolute 166 periodic 167 show time-range 168 5 SNMP Commands 169 General SNMP Commands 171 snmp-server 171 snmp-server community 171 snmp-server contact 172 snmp-server location 173 show snmp 173 SNMP Target Host Commands 174 snmp-server enable traps 174 snmp-server host 175 snmp-server enable port-traps link-up-down 177 snmp-server enable port-traps mac-notification 178 show snmp-server enable port-traps 178 SNMPv3 Commands 179 snmp-server engine-id 179 snmp-s
Contents 6 Remote Monitoring Commands 195 rmon alarm 196 rmon event 197 rmon collection history 198 rmon collection rmon1 199 show rmon alarms 200 show rmon events 200 show rmon history 201 show rmon statistics 201 7 Flow Sampling Commands 203 sflow owner 204 sflow polling instance 205 sflow sampling instance 206 show sflow 207 8 Authentication Commands 209 User Accounts and Privilege Levels 210 enable password 210 username 211 privilege 213 show privilege 213 Authen
Contents tacacs-server key 222 tacacs-server encrypted-key 223 tacacs-server port 223 tacacs-server retransmit 224 tacacs-server timeout 224 show tacacs-server 225 AAA 225 aaa accounting commands 226 aaa accounting dot1x 227 aaa accounting exec 228 aaa accounting update 229 aaa authorization commands 229 aaa authorization exec 230 aaa group server 231 server 231 accounting dot1x 232 accounting commands 232 accounting exec 233 authorization commands 234 authorization exe
Contents ip ssh authentication-retries 246 ip ssh server 246 ip ssh timeout 247 delete public-key 248 ip ssh crypto host-key generate 248 ip ssh crypto zeroize 249 ip ssh save host-key 250 show ip ssh 250 show public-key 250 show ssh 251 802.
Contents Information Display Commands show dot1x 265 265 Management IP Filter 268 management 268 show management 269 PPPoE Intermediate Agent 270 pppoe intermediate-agent 270 pppoe intermediate-agent format-type 271 pppoe intermediate-agent port-enable 272 pppoe intermediate-agent port-format-type 273 pppoe intermediate-agent port-format-type remote-id-delimiter 274 pppoe intermediate-agent trust 275 pppoe intermediate-agent vendor-tag strip 275 clear pppoe intermediate-agent statis
Contents network-access max-mac-count 295 network-access mode mac-authentication 295 network-access port-mac-filter 296 mac-authentication intrusion-action 297 mac-authentication max-mac-count 297 clear network-access 298 show network-access 298 show network-access mac-address-table 299 show network-access mac-filter 300 Web Authentication 301 web-auth login-attempts 302 web-auth quiet-period 302 web-auth session-timeout 303 web-auth system-auth-control 303 web-auth 304 web-au
Contents show ip dhcp snooping 321 show ip dhcp snooping binding 321 DHCPv6 Snooping 322 ipv6 dhcp snooping 322 ipv6 dhcp snooping option remote-id 325 ipv6 dhcp snooping option remote-id policy 326 ipv6 dhcp snooping vlan 327 ipv6 dhcp snooping max-binding 328 ipv6 dhcp snooping trust 328 clear ipv6 dhcp snooping binding 329 clear ipv6 dhcp snooping statistics 330 show ipv6 dhcp snooping 330 show ipv6 dhcp snooping binding 330 show ipv6 dhcp snooping statistics 331 IPv4 Source
Contents ip arp inspection trust 350 show ip arp inspection configuration 351 show ip arp inspection interface 351 show ip arp inspection log 352 show ip arp inspection statistics 352 show ip arp inspection vlan 353 Denial of Service Protection 353 dos-protection echo-chargen 354 dos-protection land 354 dos-protection smurf 355 dos-protection tcp-flooding 355 dos-protection tcp-null-scan 356 dos-protection tcp-syn-fin-scan 356 dos-protection tcp-udp-port-zero 357 dos-protection
Contents permit, deny (Standard IPv6 ACL) 373 permit, deny (Extended IPv6 ACL) 374 ipv6 access-group 376 show ipv6 access-group 377 show ipv6 access-list 377 MAC ACLs 378 access-list mac 378 permit, deny (MAC ACL) 379 mac access-group 383 show mac access-group 383 show mac access-list 384 ARP ACLs 384 access-list arp 384 permit, deny (ARP ACL) 385 show access-list arp 386 ACL Information 387 clear access-list hardware counters 387 show access-group 388 show access-list
Contents show interfaces history 404 show interfaces status 406 show interfaces switchport 407 Transceiver Threshold Configuration 409 transceiver-monitor 409 transceiver-threshold-auto 409 transceiver-threshold current 410 transceiver-threshold rx-power 411 transceiver-threshold temperature 412 transceiver-threshold tx-power 413 transceiver-threshold voltage 414 show interfaces transceiver 415 show interfaces transceiver-threshold 416 Cable Diagnostics 417 test cable-diagnostic
Contents MLAG Commands 435 mlag 436 mlag domain peer-link 436 mlag group member 437 show mlag 438 show mlag group 438 show mlag domain 439 13 Port Mirroring Commands Local Port Mirroring Commands 441 441 port monitor 441 show port monitor 443 RSPAN Mirroring Commands 444 rspan source 446 rspan destination 447 rspan remote vlan 448 no rspan session 449 show rspan 450 14 Congestion Control Commands Rate Limit Commands 451 451 rate-limit 452 Storm Control Commands 453 swi
Contents snmp-server enable port-traps atc broadcast-alarm-fire 464 snmp-server enable port-traps atc broadcast-control-apply 464 snmp-server enable port-traps atc broadcast-control-release 465 snmp-server enable port-traps atc multicast-alarm-clear 465 snmp-server enable port-traps atc multicast-alarm-fire 466 snmp-server enable port-traps atc multicast-control-apply 466 snmp-server enable port-traps atc multicast-control-release 467 ATC Display Commands 467 show auto-traffic-control 467
Contents spanning-tree max-age 487 spanning-tree mode 487 spanning-tree mst configuration 489 spanning-tree pathcost method 489 spanning-tree priority 490 spanning-tree system-bpdu-flooding 491 spanning-tree tc-prop 491 spanning-tree transmission-limit 492 max-hops 493 mst priority 493 mst vlan 494 name 495 revision 495 spanning-tree bpdu-filter 496 spanning-tree bpdu-guard 497 spanning-tree cost 498 spanning-tree edge-port 499 spanning-tree link-type 500 spanning-tree l
Contents 18 VLAN Commands 515 GVRP and Bridge Extension Commands 516 bridge-ext gvrp 516 garp timer 517 switchport forbidden vlan 518 switchport gvrp 519 show bridge-ext 519 show garp timer 520 show gvrp configuration 521 Editing VLAN Groups 521 vlan database 522 vlan 522 Configuring VLAN Interfaces 523 interface vlan 524 switchport acceptable-frame-types 525 switchport allowed vlan 525 switchport ingress-filtering 527 switchport mode 528 switchport native vlan 528 vla
Contents Configuring VLAN Translation 544 switchport vlan-translation 544 show vlan-translation 546 Configuring Protocol-based VLANs 547 protocol-vlan protocol-group (Configuring Groups) 548 protocol-vlan protocol-group (Configuring Interfaces) 548 show protocol-vlan protocol-group 549 show interfaces protocol-vlan protocol-group 550 Configuring IP Subnet VLANs 551 subnet-vlan 551 show subnet-vlan 552 Configuring MAC Based VLANs 553 mac-vlan 553 show mac-vlan 554 Configuring Voi
Contents control-vlan 572 rpl owner 573 rpl neighbor 574 wtr-timer 575 guard-timer 575 holdoff-timer 576 major-ring 577 propagate-tc 577 bpdu-tcn-notify 578 non-revertive 578 raps-def-mac 582 raps-without-vc 583 version 585 inclusion-vlan 586 physical-ring 587 erps forced-switch 587 erps manual-switch 589 erps clear 591 clear erps statistics 591 show erps statistics 592 show erps 593 20 Class of Service Commands 597 Priority Commands (Layer 2) 597 queue mode 5
Contents show qos map cos-dscp 608 show qos map dscp-mutation 609 show qos map ip-prec-dscp 610 show qos map phb-queue 610 show qos map trust-mode 611 21 Quality of Service Commands 613 class-map 614 description 615 match 616 rename 617 policy-map 618 class 618 police flow 619 police srtcm-color 621 police trtcm-color 623 set cos 625 set ip dscp 626 set phb 627 service-policy 628 show class-map 629 show policy-map 629 show policy-map interface 630 22 Control Plan
Contents ip igmp snooping router-alert-option-check 640 ip igmp snooping router-port-expire-time 641 ip igmp snooping tcn-flood 641 ip igmp snooping tcn-query-solicit 642 ip igmp snooping unregistered-data-flood 643 ip igmp snooping unsolicited-report-interval 644 ip igmp snooping version 644 ip igmp snooping version-exclusive 645 ip igmp snooping vlan general-query-suppression 646 ip igmp snooping vlan immediate-leave 646 ip igmp snooping vlan last-memb-query-count 647 ip igmp snoopi
Contents ip igmp max-groups action 668 ip igmp query-drop 669 ip multicast-data-drop 669 show ip igmp authentication 670 show ip igmp filter 670 show ip igmp profile 671 show ip igmp query-drop 672 show ip igmp throttle interface 672 show ip multicast-data-drop 673 MLD Snooping 674 ipv6 mld snooping 675 ipv6 mld snooping proxy-reporting 675 ipv6 mld snooping querier 676 ipv6 mld snooping query-interval 677 ipv6 mld snooping query-max-response-time 677 ipv6 mld snooping robustn
Contents ipv6 mld filter (Interface Configuration) 694 ipv6 mld max-groups 695 ipv6 mld max-groups action 696 ipv6 mld query-drop 696 ipv6 multicast-data-drop 697 show ipv6 mld filter 697 show ipv6 mld profile 698 show ipv6 mld query-drop 698 show ipv6 mld throttle interface 699 MVR for IPv4 700 mvr 701 mvr associated-profile 701 mvr domain 702 mvr profile 702 mvr proxy-query-interval 703 mvr proxy-switching 704 mvr robustness-value 705 mvr source-port-mode 706 mvr upstr
Contents lldp med-fast-start-count 726 lldp notification-interval 726 lldp refresh-interval 727 lldp reinit-delay 727 lldp tx-delay 728 lldp admin-status 729 lldp basic-tlv management-ip-address 729 lldp basic-tlv management-ipv6-address 730 lldp basic-tlv port-description 731 lldp basic-tlv system-capabilities 731 lldp basic-tlv system-description 732 lldp basic-tlv system-name 732 lldp dot1-tlv proto-ident 733 lldp dot1-tlv proto-vid 733 lldp dot1-tlv pvid 734 lldp dot1-tlv
Contents efm oam link-monitor frame threshold 750 efm oam link-monitor frame window 750 efm oam mode 751 clear efm oam counters 752 clear efm oam event-log 752 efm oam remote-loopback 753 efm oam remote-loopback test 754 show efm oam counters interface 755 show efm oam event-log interface 755 show efm oam remote-loopback interface 757 show efm oam status interface 757 show efm oam status remote interface 758 26 Domain Name Service Commands DNS Commands 759 760 ip domain-list 760
Contents show ipv6 dhcp duid 774 show ipv6 dhcp vlan 774 DHCP Relay 775 DHCP Relay for IPv4 775 ip dhcp relay server 775 ip dhcp restart relay 776 DHCP Relay for IPv6 777 ipv6 dhcp relay destination 777 show ipv6 dhcp relay destination 778 DHCP Server 779 ip dhcp excluded-address 780 ip dhcp pool 780 service dhcp 781 bootfile 781 client-identifier 782 default-router 783 dns-server 783 domain-name 784 hardware-address 784 host 785 lease 786 netbios-name-server 787
Contents ip default-gateway 798 show ip interface 799 show ip traffic 800 traceroute 801 ping 802 ARP Configuration 803 arp 803 arp timeout 804 ip proxy-arp 805 clear arp-cache 806 show arp 806 IPv6 Interface 807 Interface Address Configuration and Utilities 808 ipv6 default-gateway 808 ipv6 address 809 ipv6 address autoconfig 811 ipv6 address eui-64 812 ipv6 address link-local 814 ipv6 enable 815 ipv6 address dhcp 816 ipv6 mtu 817 show ipv6 interface 818 show ip
Contents show ipv6 nd raguard 835 ipv6 nd reachable-time 835 ipv6 nd prefix 836 ipv6 nd ra interval 837 ipv6 nd ra lifetime 838 ipv6 nd ra router-preference 839 ipv6 nd ra suppress 840 clear ipv6 neighbors 840 show ipv6 neighbors 841 ND Snooping 842 ipv6 nd snooping 843 ipv6 nd snooping auto-detect 845 ipv6 nd snooping auto-detect retransmit count 845 ipv6 nd snooping auto-detect retransmit interval 846 ipv6 nd snooping prefix timeout 846 ipv6 nd snooping max-binding 847 ipv
Contents ECMP Commands 859 maximum-paths 859 Section III Appendices 861 A Troubleshooting 863 Problems Accessing the Management Interface 863 Using System Logs 864 B License Information 865 The GNU General Public License 865 List of Commands 869
Tables Table 1: Options 60, 66 and 67 Statements 65 Table 2: Options 55 and 124 Statements 65 Table 3: General Command Modes 77 Table 4: Configuration Command Modes 79 Table 5: Keystroke Commands 79 Table 6: Command Group Index 81 Table 7: General Commands 83 Table 8: System Management Commands 91 Table 9: Device Designation Commands 91 Table 10: Banner Commands 92 Table 11: System Status Commands 101 Table 12: show access-list tcam-utilization - display description 103 Table 13: sh
Tables Table 30: show snmp group - display description 185 Table 31: show snmp user - display description 186 Table 32: show snmp view - display description 187 Table 33: RMON Commands 195 Table 34: sFlow Commands 203 Table 35: Authentication Commands 209 Table 36: User Access Commands 210 Table 37: Default Login Settings 212 Table 38: Authentication Sequence Commands 214 Table 39: RADIUS Client Commands 216 Table 40: TACACS+ Client Commands 221 Table 41: AAA Commands 225 Table 42:
Tables Table 65: Commands for Configuring Traffic Segmentation 360 Table 66: Traffic Segmentation Forwarding 360 Table 67: Access Control List Commands 365 Table 68: IPv4 ACL Commands 365 Table 69: IPv6 ACL Commands 372 Table 70: MAC ACL Commands 378 Table 71: ARP ACL Commands 384 Table 72: ACL Information Commands 387 Table 73: Interface Commands 391 Table 74: show interfaces counters - display description 402 Table 75: show interfaces switchport - display description 408 Table 76: L
Tables Table 100: L2 Protocol Tunnel Commands 540 Table 101: VLAN Translation Commands 544 Table 102: Protocol-based VLAN Commands 547 Table 103: IP Subnet VLAN Commands 551 Table 104: MAC Based VLAN Commands 553 Table 105: Voice VLAN Commands 555 Table 106: ERPS Commands 563 Table 107: ERPS Request/State Priority 588 Table 108: show erps statistics - detailed display description 593 Table 109: show erps r ing - summary display description 594 Table 110: Priority Commands 597 Table 1
Tables Table 135: show mvr interface - display description 714 Table 136: show mvr members - display description 716 Table 137: show mvr statistics input - display description 718 Table 138: show mvr statistics output - display description 718 Table 139: show mvr statistics query - display description 719 Table 140: show mvr statistics summary interface - display description 720 Table 141: show mvr statistics summary interface mvr vlan - description 721 Table 142: LLDP Commands 723 Table 14
Section I Getting Started This section describes how to configure the switch for management access through the web interface or SNMP.
1 Initial Switch Configuration This chapter includes information on connecting to the switch and basic configuration procedures. Connecting to the Switch The switch includes a built-in network management agent. The agent offers a variety of management options, including SNMP, RMON and a web-based interface. A PC may also be connected directly to the switch for configuration and monitoring via a command line interface (CLI). Note: An IPv4 address for this switch is obtained via DHCP by default.
Chapter 1 | Initial Switch Configuration Connecting to the Switch ◆ Filter packets using Access Control Lists (ACLs) ◆ Configure up to 4094 IEEE 802.
4. Power on the switch. After the system completes the boot cycle, the logon screen appears.
Logging Onto the Command Line Interface
The CLI program provides two different command levels — normal access level (Normal Exec) and privileged access level (Privileged Exec).
4. Type “username admin password 0 password,” for the Privileged Exec level, where password is your new password. Press .
Username: admin
Password:
CLI session with the ECS4530-54CSFP is opened.
To end the CLI session, enter [Exit].
Configuring the Switch for Remote Management
Using the Craft Port or Network Interface
The Craft port is dedicated to out-of-band management. In general, the Craft port should be used to manage the switch for security reasons. Traffic on this port is segregated from normal network traffic on other switch ports and cannot be switched or routed to the operational network.
Assigning an IPv4 Address
Before you can assign an IP address to the switch, you must obtain the following information from your network administrator:
◆ IP address for the switch
◆ Network mask for this network
◆ Default gateway for the network
To assign an IPv4 address to the switch, complete the following steps:
1.
To configure an IPv6 link local address for the switch, complete the following steps:
1. From the Global Configuration mode prompt, type “interface vlan 1” to access the interface-configuration mode. Press .
2. Type “ipv6 address” followed by up to 8 colon-separated 16-bit hexadecimal values for the ipv6-address similar to that shown in the example, followed by the “link-local” command parameter.
To generate an IPv6 global unicast address for the switch, complete the following steps:
1. From the global configuration mode prompt, type “interface vlan 1” to access the interface-configuration mode. Press .
2.
Dynamic Configuration
Obtaining an IPv4 Address
If you select the “bootp” or “dhcp” option, the system will immediately start broadcasting service requests. IP will be enabled but will not function until a BOOTP or DHCP reply has been received. Requests are broadcast every few minutes using exponential backoff until IP configuration information is obtained from a BOOTP or DHCP server.
Console(config)#interface vlan 1
Console(config-if)#ip address dhcp
Console(config-if)#end
Console#show ip interface
VLAN 1 is Administrative Up - Link Up
  Address is 00-E0-0C-00-00-FD
  Index: 1001, MTU: 1500
  Address Mode is DHCP
  IP Address: 192.168.0.4 Mask: 255.255.255.
Enabling SNMP Management Access
The switch can be configured to accept management commands from Simple Network Management Protocol (SNMP) applications such as Edge-Core ECView Pro. You can configure the switch to respond to SNMP requests or generate SNMP traps.
Console(config)#snmp-server community admin rw
Console(config)#snmp-server community private
Console(config)#
Note: If you do not intend to support access to SNMP version 1 and 2c clients, we recommend that you delete both of the default community strings. If there are no community strings, then SNMP management access from SNMP v1 and v2c clients is disabled.
For a more detailed explanation on how to configure the switch for access from SNMP v3 clients, refer to “SNMP Commands” on page 169 or to the Web Management Guide.
Managing System Files
The switch’s flash memory supports three types of system files that can be managed by the CLI program, the web interface, or SNMP. The switch’s file system allows files to be uploaded and downloaded, copied, deleted, and set as a start-up file.
config, the system will reboot, and the settings will have to be copied from the running-config to a permanent file.
Upgrading the Operation Code
The following example shows how to download new firmware to the switch and activate it. The TFTP server could be any standards-compliant server running on Windows or Linux.
There can be more than one user-defined configuration file saved in the switch’s flash memory, but only one is designated as the “startup” file that is loaded when the switch boots. The copy running-config startup-config command always sets the new file as the startup file. To select a previously saved configuration file, use the boot system config: command.
Automatic Installation of Operation Code and Configuration Settings
Downloading Operation Code from a File Server
Automatic Operation Code Upgrade can automatically download an operation code file when a file newer than the currently installed one is discovered on the file server.
◆ Note that the switch itself does not distinguish between upper and lower-case file names, and only checks to see if the file stored on the server is more recent than the current runtime image.
◆ If two operation code image files are already stored on the switch’s file system, then the non-startup image is deleted before the upgrade image is transferred.
This shows how to specify an FTP server where new code is stored.
Console(config)#upgrade opcode path ftp://site9:billy@192.168.0.1/sm24/
Console(config)#
2. Set the switch to automatically reboot and load the new code after the opcode upgrade is completed.
Console(config)#upgrade opcode reload
Console(config)#
3.
The following shows an example of the upgrade process.
Console#dir
File Name                  Type           Startup Modify Time         Size(bytes)
-------------------------- -------------- ------- ------------------- ------
Unit 1:
ECS4530_V1.0.3.191.bix     OpCode         Y       2019-10-17 11:30:26 9027848
Factory_Default_Config.cfg Config         N       2019-04-13 13:55:58 455
startup1.
The general framework for this DHCP option is set out in RFC 2132 (Option 60). This information is used to convey configuration settings or other identification information about a client, but the specific string to use should be supplied by your service provider or network administrator.
◆ If the switch does not receive a DHCP response prior to completing the bootup process, it will continue to send a DHCP client request once a minute. These requests will only be terminated if the switch’s address is manually configured, but will resume if the address mode is set back to DHCP.
# option 66, 67
option space dynamicProvision code width 1 length 1 hash size 2;
option dynamicProvision.tftp-server-name code 66 = text;
option dynamicProvision.bootfile-name code 67 = text;
subnet 192.168.255.0 netmask 255.255.255.0 {
  range 192.168.255.160 192.168.255.200;
  option routers 192.168.255.101;
  option tftp-server-name "192.168.255.
To set the time zone, enter a command similar to the following.
Console(config)#clock timezone Japan hours 8 after-UTC
Console(config)#
To set the time shift for summer time, enter a command similar to the following.
Console(config)#clock summer-time SUMMER date 2 april 2019 0 0 30 june 2019 0 0
Console(config)#
To display the clock configuration settings, enter the following command.
To configure NTP time synchronization, enter commands similar to the following.
Console(config)#ntp client
Console(config)#ntp authentication-key 45 md5 thisiskey45
Console(config)#ntp authenticate
Console(config)#ntp server 192.168.3.20
Console(config)#ntp server 192.168.3.21
Console(config)#ntp server 192.168.5.
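As an added example (not part of this guide), the following Python script audits a running-config dump written in the CLI syntax shown in this chapter for the two hardening points raised above: default SNMP v1/v2c community strings left in place (the note under "Enabling SNMP Management Access") and NTP servers used without "ntp authenticate". It assumes that a community line with no ro/rw keyword is read-only and that "no snmp-server community <name>" removes a string; neither detail is stated on this page, and the sample configuration is constructed.

```python
"""Audit a switch running-config for default SNMP communities and
unauthenticated NTP. Added example using the CLI syntax from this chapter;
the configs below are constructed samples, not captures from a real switch."""
import re
from dataclasses import dataclass, field

# Constructed sample with the weak settings this chapter warns about.
SAMPLE_RUNNING_CONFIG = """\
hostname Console
snmp-server community public ro
snmp-server community private rw
snmp-server community admin rw
ntp client
ntp server 192.168.3.20
ntp server 192.168.3.21
interface vlan 1
 ip address dhcp
"""

# Constructed sample of the corrected form (keyed NTP, no default strings).
HARDENED_CONFIG = """\
snmp-server community mon-ro ro
ntp client
ntp authentication-key 45 md5 thisiskey45
ntp authenticate
ntp server 192.168.3.20
"""

# Community strings the guide says are present by default.
DEFAULT_COMMUNITIES = {"public", "private"}

# Assumption: a community line without ro/rw is read-only.
COMMUNITY_RE = re.compile(r"^snmp-server community (\S+)(?: (ro|rw))?\s*$")
NTP_SERVER_RE = re.compile(r"^ntp server (\S+)")
NTP_KEY_RE = re.compile(r"^ntp authentication-key (\d+) md5 \S+")


@dataclass
class AuditResult:
    communities: dict = field(default_factory=dict)   # name -> "ro" | "rw"
    ntp_servers: list = field(default_factory=list)
    ntp_keys: list = field(default_factory=list)
    ntp_authenticate: bool = False
    findings: list = field(default_factory=list)


def audit_config(text: str) -> AuditResult:
    """Parse the relevant lines and report the weak settings found."""
    result = AuditResult()
    for raw in text.splitlines():
        line = raw.strip()
        if m := COMMUNITY_RE.match(line):
            result.communities[m.group(1)] = m.group(2) or "ro"
        elif m := NTP_SERVER_RE.match(line):
            result.ntp_servers.append(m.group(1))
        elif m := NTP_KEY_RE.match(line):
            result.ntp_keys.append(int(m.group(1)))
        elif line == "ntp authenticate":
            result.ntp_authenticate = True

    for name, access in result.communities.items():
        if name in DEFAULT_COMMUNITIES:
            result.findings.append(
                f"default SNMP community '{name}' still configured ({access})")
        elif access == "rw":
            result.findings.append(
                f"SNMP community '{name}' grants read-write access to v1/v2c clients")
    if result.ntp_servers and not result.ntp_authenticate:
        result.findings.append(
            "NTP servers configured but 'ntp authenticate' is not set")
    elif result.ntp_authenticate and not result.ntp_keys:
        result.findings.append(
            "'ntp authenticate' is set but no 'ntp authentication-key' is defined")
    return result


def remediation_commands(result: AuditResult) -> list:
    """CLI lines that would clear the findings (the 'no' form is assumed)."""
    cmds = [f"no snmp-server community {name}"
            for name in sorted(result.communities) if name in DEFAULT_COMMUNITIES]
    if result.ntp_servers and not result.ntp_authenticate:
        cmds.append("ntp authentication-key <id> md5 <key>   # placeholders")
        cmds.append("ntp authenticate")
    return cmds


if __name__ == "__main__":
    for label, cfg in (("weak", SAMPLE_RUNNING_CONFIG), ("hardened", HARDENED_CONFIG)):
        res = audit_config(cfg)
        print(f"[{label}] findings: {len(res.findings)}")
        for f in res.findings:
            print("  -", f)
        for c in remediation_commands(res):
            print("  fix:", c)
```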
Section II Command Line Interface This section provides a detailed description of the Command Line Interface, along with examples for all of the commands.
◆ “VLAN Commands” on page 515
◆ “ERPS Commands” on page 563
◆ “Class of Service Commands” on page 597
◆ “Quality of Service Commands” on page 613
◆ “Control Plane Commands” on page 631
◆ “Multicast Filtering Commands” on page 635
◆ “LLDP Commands” on page 723
◆ “OAM Commands” on page 747
◆ “Domain Name Service Commands” on page 759
◆ “DHCP Commands” on page 767
◆ “IP Interface Commands” on page 795
◆ “IP Routing Commands” on page 851
2 Using the Command Line Interface This chapter describes how to use the Command Line Interface (CLI). Note: You can only access the console interface through the Master unit in the stack. Accessing the CLI When accessing the management interface for the switch over a direct connection to the server’s console port, or via a Telnet or Secure Shell connection (SSH), the switch can be managed by entering command keywords and parameters at the prompt.
Chapter 2 | Using the Command Line Interface Accessing the CLI Telnet Connection Telnet operates over the IP transport protocol. In this environment, your management station and any network device you want to manage over the network must have a valid IP address. Valid IP addresses consist of four numbers, 0 to 255, separated by periods. Each address consists of a network portion and host portion. For example, the IP address assigned to this switch, 10.1.0.1, consists of a network portion (10.1.
Note: You can open up to eight sessions to the device via Telnet or SSH.
Entering Commands
This section describes how to enter CLI commands.
Keywords and Arguments
A CLI command is a series of keywords and arguments. Keywords identify a command, and arguments specify configuration parameters.
Getting Help on Commands
You can display a brief description of the help system by entering the help command. You can also display command syntax by using the “?” character to list keywords or parameters.
Showing Commands
If you enter a “?” at the command prompt, the system will display the first level of keywords or command groups. You can also display a list of valid keywords for a specific command.
Chapter 2 | Using the Command Line Interface Entering Commands power-save pppoe privilege process protocol-vlan public-key qos queue radius-server reload rmon rspan running-config sflow snmp snmp-server sntp spanning-tree ssh startup-config subnet-vlan system tacacs-server tech-support time-range traffic-segmentation upgrade users version vlan vlan-translation voice watchdog web-auth Console#show Shows the power saving information Displays PPPoE configuration Shows current privilege level Device process P
Partial Keyword Lookup
If you terminate a partial keyword with a question mark, alternatives that match the initial letters are provided. (Remember not to leave a space between the command and question mark.) For example “s?” shows all the keywords starting with “s.
Table 3: General Command Modes
Class           Mode
Exec            Normal
                Privileged
Configuration   Global*
                Access Control List
                Class Map
                DHCP
                IGMP Profile
                Interface
                Line
                Multiple Spanning Tree
                Policy Map
                Time Range
                VLAN Database
* You must be in Privileged Exec mode to access the Global configuration mode. You must be in Global Configuration mode to access any of the other configuration modes.
Configuration Commands
Configuration commands are privileged level commands used to modify switch settings. These commands modify the running configuration only and are not saved when the switch is rebooted. To store the running configuration in nonvolatile storage, use the copy running-config startup-config command.
To enter the other modes, at the configuration prompt type one of the following commands. Use the exit or end command to return to the Privileged Exec mode.
Table 5: Keystroke Commands (Continued)
Ctrl-F   Shifts cursor to the right one character.
Ctrl-K   Deletes all characters from the cursor to the end of the line.
Ctrl-L   Repeats current command line on a new line.
Ctrl-N   Enters the next command line in the history buffer.
Ctrl-P   Enters the last command.
Ctrl-R   Repeats current command line on a new line.
Ctrl-U   Deletes from the cursor to the beginning of the line.
CLI Command Groups
The system commands can be broken down into the functional groups shown below.
Table 6: Command Group Index (Continued)
ERPS - Configures Ethernet Ring Protection Switching for increased availability of Ethernet rings commonly used in service provider networks (page 563)
VLANs - Configures VLAN settings, and defines port membership for VLAN groups; also enables or configures private VLANs, protocol VLANs, voice VLANs, and QinQ tunneling (page 515)
Class of Service - Sets port priority for untagged fr...
3 General Commands The general commands are used to control the command access mode, configuration mode, and other basic functions.
Command Usage
This command can be used to set the command line prompt as shown in the example below. Using the no form of either command will restore the default command line prompt.
Example
Console(config)#prompt RD2
RD2(config)#

reload (Global Configuration)
This command restarts the system at a specified time, after a specified delay, or at a periodic interval. You can reboot the system immediately, or you can configure the switch to reset after a specified amount of time.
Command Mode
Privileged Exec, Global Configuration
Command Usage
◆ This command resets the entire system.
◆ Any combination of reload options may be specified. If the same option is respecified, the previous setting will be overwritten.
◆ When the system is restarted, it will always run the Power-On Self-Test. It will also retain all configuration information stored in non-volatile memory by the copy running-config startup-config command (see "copy" on page 116).
Example
Console>enable
Password: [privileged level password]
Console#
Related Commands
disable (88)
enable password (210)

quit
This command exits the configuration program.
Default Setting
None
Command Mode
Normal Exec, Privileged Exec
Command Usage
The quit and exit commands can both exit the configuration program.
Example
In this example, the show history command lists the contents of the command history buffer:
Console#show history
Execution command history:
 2 config
 1 show history
Configuration command history:
 4 interface vlan 1
 3 exit
 2 interface vlan 1
 1 end
Console#
The ! command repeats commands from the Execution command history buffer when you are in Normal Exec or Privileged Exec mode, and commands from the Configuration command history buffer when you are in any of the config
disable
This command returns to Normal Exec mode from privileged mode. In normal access mode, you can only display basic information on the switch's configuration or Ethernet statistics. To gain access to all commands, you must use the privileged mode. See "Understanding Command Modes" on page 76.
Default Setting
None
Command Mode
Privileged Exec
Command Usage
The ">" character is appended to the end of the prompt to indicate that the system is in normal access mode.
show reload
This command displays the current reload settings, and the time at which the next scheduled reload will take place.
Command Mode
Privileged Exec
Example
Console#show reload
Reloading switch in time: 0 hours 29 minutes.
The switch will be rebooted at January 1 02:11:50 2019.
Remaining Time: 0 days, 0 hours, 29 minutes, 52 seconds.
Console#

end
This command returns to Privileged Exec mode.
Example
This example shows how to return to the Privileged Exec mode from the Global Configuration mode, and then quit the CLI session:
Console(config)#exit
Console#exit
Press ENTER to start session
User Access Verification
Username:
4 System Management Commands The system management commands are used to control system logs, passwords, user names, management options, and display or configure a variety of other system information.
hostname
This command specifies or modifies the host name for this device. Use the no form to restore the default host name.
Syntax
hostname name
no hostname
name - The name of this host. (Maximum length: 255 characters)
Default Setting
None
Command Mode
Global Configuration
Command Usage
◆ The host name specified by this command is displayed by the show system command and on the Show > System web page.
Banner Information
Table 10: Banner Commands (Continued)
banner configure equipment-location - Configures the Equipment Location information that is displayed by banner (GC)
banner configure ip-lan - Configures the IP and LAN information that is displayed by banner (GC)
banner configure lp-number - Configures the LP Number information that is displayed by banner (GC)
banner configure manager-info - Configures the Manager contact information that is ...
phone number: 123-555-1212
Manager2 name: Jr. Network Admin
phone number: 123-555-1213
Manager3 name: Night-shift Net Admin / Janitor
phone number: 123-555-1214
The physical location of the equipment.
City and street address: 12 Straight St. Motown, Zimbabwe
Information about this equipment:
Manufacturer: Edgecore Networks
ID: 123_unique_id_number
Floor: 2
Row: 7
Rack: 29
Shelf in this rack: 8
Information about DC power supply.
banner configure dc-power-info
This command is used to configure the DC power information displayed in the banner. Use the no form to restore the default setting.
Syntax
banner configure dc-power-info floor floor-id row row-id rack rack-id electrical-circuit ec-id
no banner configure dc-power-info [floor | row | rack | electrical-circuit]
floor-id - The floor number.
row-id - The row number.
rack-id - The rack number.
ec-id - The electrical circuit ID.
Command Mode
Global Configuration
Command Usage
Input strings cannot contain spaces. The banner configure department command interprets spaces as data input boundaries. The use of underscores ( _ ) or other unobtrusive non-letter characters is suggested for situations where white space is necessary for clarity.
Example
Console(config)#banner configure equipment-info manufacturer-id ECS453054CSFP floor 3 row 10 rack 15 shelf-rack 12 manufacturer Edgecore
Console(config)#

banner configure equipment-location
This command is used to configure the equipment location information displayed in the banner. Use the no form to restore the default setting.
Command Mode
Global Configuration
Command Usage
Input strings cannot contain spaces. The banner configure ip-lan command interprets spaces as data input boundaries. The use of underscores ( _ ) or other unobtrusive non-letter characters is suggested for situations where white space is necessary for clarity.
Example
Console(config)#banner configure ip-lan 192.168.1.1/255.255.255.
banner configure manager-info
This command is used to configure the manager contact information displayed in the banner. Use the no form to restore the default setting.
Syntax
banner configure manager-info name mgr1-name phone-number mgr1-number [name2 mgr2-name phone-number mgr2-number | name3 mgr3-name phone-number mgr3-number]
no banner configure manager-info [name1 | name2 | name3]
mgr1-name - The name of the first manager.
Default Setting
None
Command Mode
Global Configuration
Command Usage
Input strings cannot contain spaces. The banner configure mux command interprets spaces as data input boundaries. The use of underscores ( _ ) or other unobtrusive non-letter characters is suggested for situations where white space is necessary for clarity.
System Status
show banner
This command displays all banner information.
Command Mode
Privileged Exec
Example
Console#show banner
Edgecore
WARNING - MONITORED ACTIONS AND ACCESSES
R&D
Albert_Einstein - 123-555-1212
Lamar - 123-555-1219
Station's information:
710_Network_Path,_Indianapolis
ECS4530-54CSFP
Floor / Row / Rack / Sub-Rack
3 / 10 / 15 / 12
DC power supply:
Power Source A: Floor / Row / Rack / Electrical circuit
3 / 15 / 24 / 48v-id_3.15.24.
Table 11: System Status Commands (Continued)
show users - Shows all active console and Telnet sessions, including user name, idle time, and IP address of Telnet clients (NE, PE)
show version - Displays version information for the system (NE, PE)
show watchdog - Shows if watchdog debugging is enabled (PE)
watchdog software - Monitors key processes, and automatically reboots the system if any of these processes are not responding correctly (PE)
Console#
Table 12: show access-list tcam-utilization - display description
Pool Capability Code - Abbreviation for processes shown in the TCAM List.
Unit - Stack unit identifier.
Device - Memory chip used for indicated pools.
Pool - Rule slice (or call group). Each slice has a fixed number of rules that are used for the specified features.
show process cpu
This command shows the CPU utilization parameters, alarm status, and alarm thresholds.
Table 13: show process cpu guard - display description
CPU Guard Configuration
Status - Shows if CPU Guard has been enabled.
High Watermark - If the percentage of CPU usage time is higher than the high watermark, the switch stops packet flow to the CPU (allowing it to catch up with packets already in the buffer) until usage time falls below the low watermark.
FS HTTP_TD HW_WTDOG_TD IML_TX IP_SERVICE_GROU KEYGEN_TD L2_L4_PROCESS L2MCAST_GROUP L2MUX_GROUP L4_GROUP LACP_GROUP MSL_TD NETACCESS_GROUP NETACCESS_NMTR NETCFG_GROUP NETCFG_PROC NIC NMTRDRV NSM_GROUP NSM_PROC NSM_TD OSPF6_TD OSPF_TD PIM_GROUP PIM_PROC PIM_SM_TD POE_PROC RIP_TD SNMP_GROUP SNMP_TD SSH_GROUP SSH_TD STA_GROUP STKCTRL_GROUP STKTPLG_GROUP SWCTRL_GROUP SWCTRL_TD SWDRV_MONITOR SYS_MGMT_PROC SYSDRV SYSLOG_TD SYSMGMT_GROUP SYSTEM UDLD_GROUP WTDOG
show running-config
This command displays the configuration information currently in use.
Syntax
show running-config [interface interface]
interface
  ethernet unit/port
    unit - Unit identifier. (Range: 1)
    port - Port number. (Range: 1-54)
  port-channel channel-id (Range: 1-26)
  vlan vlan-id (Range: 1-4094)
Command Mode
Privileged Exec
Command Usage
Use the interface keyword to display configuration data for the specified interface.
enable password 7 1b3231655cebb7a1f783eddf27d254ca
!
vlan database
 VLAN 1 name DefaultVlan media ethernet
!
spanning-tree mst configuration
!
interface ethernet 1/1
 no negotiation
...
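The running configuration above prints the privileged password as a type-7 value. Anyone who can read show running-config, or a copy of it uploaded to a TFTP server in cleartext, can check such values offline. The following audit script is an added example, not code from the guide or from Edgecore: it extracts the type-7 entries from a constructed configuration excerpt (the enable-password hash is the one printed above; the username lines and the candidate word list are constructed) and tests them against a short word list. It assumes, which the page does not state, that the 32-hex-digit type-7 value is an unsalted MD5 digest of the password.

```python
import hashlib
import re

# Constructed running-config excerpt modelled on the show running-config output
# above. The enable-password hash is the one printed on the page; the username
# lines and the candidate wordlist are constructed for this example.
SAMPLE_CONFIG = """\
!
hostname core-sw1
!
username admin access-level 15
username admin password 7 21232f297a57a5a743894a0e4a801fc3
enable password 7 1b3231655cebb7a1f783eddf27d254ca
!
vlan database
 VLAN 1 name DefaultVlan media ethernet
!
"""

# Candidate passwords an auditor would try first: vendor defaults and obvious
# strings. Constructed for the example; extend with a real wordlist in practice.
WORDLIST = ["admin", "super", "password", "edgecore", "Edge-Core123"]

# Matches both "enable password 7 <hash>" and "username <name> password 7 <hash>".
_TYPE7 = re.compile(
    r"^\s*(?:enable|username\s+(?P<user>\S+))\s+password\s+7\s+(?P<hash>[0-9a-fA-F]{32})\s*$"
)


def find_type7_hashes(config: str) -> list:
    """Return (account, hash) pairs for every type-7 password in the config.

    The enable password is reported under the account name "enable".
    """
    found = []
    for line in config.splitlines():
        m = _TYPE7.match(line)
        if m:
            found.append((m.group("user") or "enable", m.group("hash").lower()))
    return found


def md5_hex(word: str) -> str:
    # Assumption (not stated on the page): the 32-hex-digit type-7 value is a
    # plain, unsalted MD5 digest of the password.
    return hashlib.md5(word.encode()).hexdigest()


def crack(hashes: list, wordlist: list) -> dict:
    """Offline dictionary check: map each account to the first candidate that matches."""
    lookup = {md5_hex(w): w for w in wordlist}   # hash each candidate once
    return {acct: lookup[h] for acct, h in hashes if h in lookup}


def audit(config: str, wordlist: list) -> list:
    """Produce one finding per weak credential, in configuration order."""
    hashes = find_type7_hashes(config)
    weak = crack(hashes, wordlist)
    return [f"{acct}: password recovered from wordlist ('{weak[acct]}')"
            for acct, _ in hashes if acct in weak]


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG, WORDLIST):
        print(finding)
```

Because the digest is unsalted, a single precomputed table serves every switch in the estate, which is why default and shared passwords on these devices should be rotated and why configuration copies should travel over SFTP or FTPS rather than TFTP.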
Example
Refer to the example for the running configuration file.
Related Commands
show running-config (107)

show system
This command displays system information.
Default Setting
None
Command Mode
Normal Exec, Privileged Exec
Example
Console#show system
System Description : ECS4530-54CSFP
System OID String : 1.3.6.1.4.1.259.10.1.51.102
System Information
System Up Time : 0 days, 2 hours, 0 minutes, and 45.
Table 14: show system - display description (Continued)
System Up Time - Length of time the management agent has been up.
System Name - Name assigned to the switch system.
System Location - Specifies the system location.
System Contact - Administrator responsible for the system.
MAC Address - MAC address assigned to this switch.
Web Server/Port - Shows the administrative status of the web server and its TCP port number.
startup1.cfg   Config   Y   2017-12-24 12:33:24   1,180
----------------------------------------------------------------------------
Free space for compressed user config files: 434,008,064
Total space: 1,073,741,824

show arp:
ARP Cache Timeout: 1200 (seconds)
IP Address       MAC Address        Type       Interface
---------------  -----------------  ---------  ----------
192.168.2.
show version
This command displays hardware and software version information for the system.
Command Mode
Normal Exec, Privileged Exec
Example
Console#show version
Unit 1
 Serial Number          : S123456
 Hardware Version       : R0A
 EPLD Version           : 0.01
 Number of Ports        : 54
 Main Power Status      : Up
 Redundant Power Status : Not present
 Role                   : Master
 Loader Version         : 0.0.0.3
 Linux Kernel Version   : 3.10.70
 Operation Code Version : 1.0.4.
watchdog software
This command monitors key processes, and automatically reboots the system if any of these processes are not responding correctly.
Syntax
watchdog software {disable | enable}
Default Setting
Disabled
Command Mode
Privileged Exec
Example
Console#watchdog software disable
Console#

Frame Size
This section describes commands used to configure the Ethernet frame size on the switch.
◆ To use jumbo frames, both the source and destination end nodes (such as a computer or server) must support this feature. Also, when the connection is operating at full duplex, all switches in the network between the two end nodes must be able to accept the extended frame size. For half-duplex connections, all devices in the collision domain would need to support jumbo frames.
File Management
Table 17: Flash/File Commands
boot system - Specifies the file or image used to start up the system (GC)
copy - Copies a code image or a switch configuration to or from flash memory or an FTP/FTPS/SFTP/TFTP server (PE)
delete - Deletes a file or code image (PE)
dir - Displays a list of files in flash memory (PE)
umount - Unmounts a removable USB device.
Command Mode
Global Configuration
Command Usage
◆ A colon (:) is required after the specified file type.
◆ If the file contains an error, it cannot be set as the default file.
Example
Console(config)#boot system config: startup
Console(config)#
Related Commands
dir (121)
whichboot (122)

copy
This command moves (upload/download) a code image or configuration file between the switch's flash memory and an FTP/FTPS/SFTP/TFTP server.
running-config - Keyword that allows you to copy to/from the current running configuration.
sftp - Keyword that copies a file to or from an SFTP server.
startup-config - The configuration used for system initialization.
tftp - Keyword that allows you to copy to/from a TFTP server.
unit - Keyword that copies a file to/from a device unit.
usbdisk - Keyword that copies a file to/from a USB device.
◆ When logging into a remote SFTP/FTPS server, the interface prompts for a user name and password configured on the remote server. On a first-time connection, the system checks whether the public key offered by the server matches one stored locally; if it does not, the server's public key is copied to the local system and trusted for subsequent connections. This is a trust-on-first-use check: confirm the server's key fingerprint out of band before that first copy is made, and treat a later change of the server's key as a reason to stop and investigate rather than to reconnect.
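The out-of-band check referred to above is a fingerprint comparison. The following is an added example, not code from the guide or from the switch firmware, of what a strict host-key policy looks like next to the trust-on-first-use behaviour the bullet describes: it builds the SSH public-key blob for an ssh-ed25519 host key, derives the OpenSSH-style SHA256 fingerprint (the same value ssh-keygen -lf prints on the server), pins it on first contact, and refuses a changed key afterwards. The host names and the 32-byte key values are constructed for the example and are not real keys.

```python
import base64
import hashlib
import struct
from typing import Optional


def ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def ed25519_host_key_blob(raw_public_key: bytes) -> bytes:
    """Public key blob as sent by an SSH server for an ssh-ed25519 host key
    (RFC 8709): the string "ssh-ed25519" followed by the 32-byte key."""
    if len(raw_public_key) != 32:
        raise ValueError("Ed25519 public keys are 32 bytes")
    return ssh_string(b"ssh-ed25519") + ssh_string(raw_public_key)


def fingerprint_sha256(key_blob: bytes) -> str:
    """OpenSSH fingerprint format: 'SHA256:' + unpadded base64 of SHA-256(blob).
    ssh-keygen -lf <hostkey>.pub on the server prints the same string, so an
    operator can read it there and compare it with the value offered here."""
    digest = hashlib.sha256(key_blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


class HostKeyStore:
    """Local store of server fingerprints with a strict policy:
    - first contact: pin the offered key (trust on first use), unless an
      expected fingerprint is supplied, in which case it must match;
    - later contact: the offered key must equal the pinned one; a change is
      rejected, never silently re-pinned."""

    def __init__(self) -> None:
        self.known = {}   # host -> pinned fingerprint

    def check(self, host: str, key_blob: bytes, expected: Optional[str] = None) -> str:
        offered = fingerprint_sha256(key_blob)
        if expected is not None and offered != expected:
            return "reject: offered key does not match the fingerprint obtained out of band"
        pinned = self.known.get(host)
        if pinned is None:
            self.known[host] = offered
            return "pinned on first use"
        if pinned == offered:
            return "ok"
        return "reject: host key changed since it was pinned"


# Constructed 32-byte values standing in for real Ed25519 public keys; they are
# not valid curve points and exist only to exercise the check.
SERVER_KEY = bytes(range(32))
ROGUE_KEY = bytes(range(32, 64))
SERVER_BLOB = ed25519_host_key_blob(SERVER_KEY)
ROGUE_BLOB = ed25519_host_key_blob(ROGUE_KEY)


def demo() -> list:
    """Walk through a verified first contact, a repeat contact, a swapped key,
    and a first contact whose key disagrees with the out-of-band fingerprint."""
    store = HostKeyStore()
    good_fp = fingerprint_sha256(SERVER_BLOB)
    return [
        store.check("sftp.example.net", SERVER_BLOB, expected=good_fp),
        store.check("sftp.example.net", SERVER_BLOB),
        store.check("sftp.example.net", ROGUE_BLOB),
        store.check("backup.example.net", ROGUE_BLOB, expected=good_fp),
    ]


if __name__ == "__main__":
    print("\n".join(demo()))
```

The difference from the switch's documented behaviour is the third case: a key that does not match the stored one is refused instead of copied, which is the only point at which a man-in-the-middle on the path to the file server becomes visible.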
The following example shows how to copy the running configuration to a startup file.
Console#copy running-config file
destination file name: startup
Write to FLASH Programming.
\Write to FLASH finish.
Success.
Console#
The following example shows how to download a configuration file:
Console#copy tftp startup-config
TFTP server ip address: 10.1.0.99
Source configuration file name: startup.
This example shows how to copy a code image from an FTP server to a file in flash memory (the first keyword names the source, the second the destination).
Console#copy ftp file
FTP server IP address: 169.254.1.11
User[anonymous]: admin
Password[]: *****
Choose file type:
 1. config:
 2. opcode: 2
Source file name: BLANC.BIX
Destination file name: BLANC.BIX
Console#
This example shows how to copy a file from an SFTP server.
Command Usage
◆ If the file type is used for system startup, then this file cannot be deleted.
◆ "Factory_Default_Config.cfg" cannot be deleted.
Example
This example shows how to delete the test2.cfg configuration file from flash memory.
Console#delete file name test2.cfg
Console#
Related Commands
dir (121)
delete public-key (248)

dir
This command displays a list of files in flash memory.
File information is shown below:
Table 18: File Directory Information
File Name - The name of the file.
File Type - File types: Operation Code, and Config file.
Startup - Shows if this file is used when the system is started.
Modify Time - The date and time the file was last modified.
Size - The length of the file in bytes.
Default Setting
None
Command Mode
Privileged Exec
Example
This example shows the information displayed by the whichboot command. See the table under the dir command for a description of the file information displayed by this command.
Console#whichboot
File Name                      Type    Startup Modified Time       Size (bytes)
------------------------------ ------- ------- ------------------- ------------
Unit 1:
ECS4530-54CSFP_V1.0.4.192.
3. It sets the new version as the startup image.
4. It then restarts the system to start using the new image.
◆ Any changes made to the default setting can be displayed with the show running-config or show startup-config commands.
Example
Console(config)#upgrade opcode auto
Console(config)#upgrade opcode path tftp://192.168.0.
Command Usage
◆ This command is used in conjunction with the upgrade opcode auto command to facilitate automatic upgrade of new operational code stored at the location indicated by this command.
◆ The name for the new image stored on the TFTP server must be ECS453054P.bix. However, note that the file name is not to be included in this command.
Example
Console(config)#upgrade opcode reload
Console(config)#

show upgrade
This command shows the opcode upgrade configuration settings.
Command Mode
Privileged Exec
Example
Console#show upgrade
Auto Image Upgrade Global Settings:
 Status        : Disabled
 Reload Status : Disabled
 Path          :
 File Name     : ECS4530-54P.
ip tftp timeout
This command specifies the time the switch can wait for a response from a TFTP server before retransmitting a request or timing out on the last retry. Use the no form to restore the default setting.
Syntax
ip tftp timeout seconds
no ip tftp timeout
seconds - The time the switch can wait for a response from a TFTP server before retransmitting a request or timing out.
Line
You can access the onboard configuration program by attaching a VT100-compatible device to the switch's serial port. These commands are used to set communication parameters for the serial port or Telnet (i.e., a virtual terminal).
line
This command identifies a specific line for configuration and processes subsequent line configuration commands.
Syntax
line {console | vty}
console - Console terminal line.
vty - Virtual terminal for remote console access (i.e., Telnet).
Default Setting
There is no default line.
Command Mode
Global Configuration
Command Usage
Telnet is considered a virtual terminal connection and will be shown as "VTY" in screen displays such as show users.
Command Usage
The databits command can be used to mask the high bit on input from devices that generate 7 data bits with parity. If parity is being generated, specify 7 data bits per character. If no parity is required, specify 8 data bits per character.
login
This command enables password checking at login. Use the no form to disable password checking and allow connections without a password.
Syntax
login [local]
no login
local - Selects local password checking. Authentication is based on the user name specified with the username command.
parity
This command defines the generation of a parity bit. Use the no form to restore the default setting.
Syntax
parity {none | even | odd}
no parity
none - No parity
even - Even parity
odd - Odd parity
Default Setting
No parity
Command Mode
Line Configuration
Command Usage
Communication protocols provided by devices such as terminals and modems often require a specific parity bit setting.
Command Usage
◆ When a connection is started on a line with password protection, the system prompts for the password. If you enter the correct password, the system shows a prompt. You can use the password-thresh command to set the number of times a user can enter an incorrect password before the system terminates the line connection and returns the terminal to the idle state.
Example
To set the password threshold to five attempts, enter this command:
Console(config-line-console)#password-thresh 5
Console(config-line-console)#
Related Commands
silent-time (134)

silent-time
This command sets the amount of time the management console is inaccessible after the number of unsuccessful logon attempts exceeds the threshold set by the password-thresh command. Use the no form to remove the silent time value.
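The interaction between password-thresh and silent-time is easy to misjudge: the threshold alone only ends the current connection, so an automated guesser loses nothing but a reconnect, and it is silent-time that actually imposes a cost. The following model is an added example, not code from the guide or from the switch firmware, that replays the same guessing sequence against a line with and without a silent period. The password, the threshold and silent-time values, and the guessing sequence are constructed; it also assumes, as the page's wording implies but does not spell out, that the failure count restarts with each new connection.

```python
import hmac
from typing import Optional


class LineLogin:
    """Model of a console/VTY line guarded by password-thresh and silent-time.

    password_thresh: wrong passwords tolerated before the line is disconnected
                     (the page's example sets 5; 3 is used here).
    silent_time:     seconds the line stays inaccessible once the threshold is
                     exceeded; 0 models a line with no silent-time configured.
    """

    def __init__(self, password: str, password_thresh: int, silent_time: int) -> None:
        self._password = password
        self.password_thresh = password_thresh
        self.silent_time = silent_time
        self.failures = 0
        self.silent_until: Optional[int] = None

    def attempt(self, candidate: str, now: int) -> str:
        # While silent, the line does not even prompt; every attempt is refused.
        if self.silent_until is not None:
            if now < self.silent_until:
                return "silent"
            self.silent_until = None          # lockout expired
            self.failures = 0
        if hmac.compare_digest(candidate.encode(), self._password.encode()):
            self.failures = 0
            return "logged-in"
        self.failures += 1
        if self.failures < self.password_thresh:
            return "retry"
        # Threshold reached: the connection is terminated and, if configured,
        # the line goes silent for silent_time seconds. A fresh connection
        # starts with a clean failure count (assumption, see lead-in).
        self.failures = 0
        if self.silent_time > 0:
            self.silent_until = now + self.silent_time
        return "disconnected"


def simulate(line: LineLogin, attempts: list) -> list:
    """Replay (time, candidate) pairs and return the line's response to each."""
    return [line.attempt(pw, t) for t, pw in attempts]


# Constructed guessing sequence: three wrong passwords one second apart, a
# fourth guess right after the disconnect, then the correct password well after
# a 60-second silent period would have expired.
ATTEMPTS = [(0, "admin"), (1, "super"), (2, "password"), (3, "root"), (65, "c0rrect-h0rse")]


def with_silent_time() -> list:
    return simulate(LineLogin("c0rrect-h0rse", password_thresh=3, silent_time=60), ATTEMPTS)


def without_silent_time() -> list:
    return simulate(LineLogin("c0rrect-h0rse", password_thresh=3, silent_time=0), ATTEMPTS)


if __name__ == "__main__":
    print("silent-time 60:", with_silent_time())
    print("no silent-time:", without_silent_time())
```

With silent-time set, the fourth guess is refused outright; without it, the same guess is simply counted as the first failure of a new connection, so the guessing rate is bounded only by how fast the attacker can reconnect.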
speed
This command sets the terminal line's baud rate. This command sets both the transmit (to terminal) and receive (from terminal) speeds. Use the no form to restore the default setting.
Syntax
speed bps
no speed
bps - Baud rate in bits per second. (Options: 9600, 19200, 38400, 57600, 115200 bps)
Default Setting
115200 bps
Command Mode
Line Configuration
Command Usage
Set the speed to match the baud rate of the device connected to the serial port.
Example
To specify 2 stop bits, enter this command:
Console(config-line-console)#stopbits 2
Console(config-line-console)#

timeout login response
This command sets the interval that the system waits for a user to log into the CLI. Use the no form to restore the default setting.
Syntax
timeout login response [seconds]
no timeout login response
seconds - Integer that specifies the timeout interval.
Command Mode
Privileged Exec
Command Usage
Specifying session identifier "0" will disconnect the console connection. Specifying any other identifier for an active session will disconnect an SSH or Telnet connection.
Example
Console#disconnect 1
Console#
Related Commands
show ssh (251)
show users (111)

terminal
This command configures terminal settings, including escape-character, lines displayed, terminal type, width, and command history.
Terminal Type: VT100
Width: 80
Command Mode
Privileged Exec
Example
This example sets the number of lines displayed by commands with lengthy output such as show running-config to 48 lines.
Console#terminal length 48
Console#

show line
This command displays the terminal line's parameters.
Syntax
show line [console | vty]
console - Console terminal line.
vty - Virtual terminal for remote console access (i.e., Telnet).
 Login Timeout : 300 sec.
 Silent Time   : Disabled
Console#

Event Logging
This section describes commands used to configure event logging on the switch.
Example
Console(config)#logging facility 19
Console(config)#

logging facility
This command sets the facility type for remote logging of syslog messages. Use the no form to return the type to the default.
Syntax
logging facility type
no logging facility
type - A number that indicates the facility used by the syslog server to dispatch log messages to an appropriate service.
level - One of the levels listed below. Messages sent include the selected level down to level 0. (Range: 0-7)
Table 21: Logging Levels
7 debugging - Debugging messages
6 informational - Informational messages only
5 notifications - Normal but significant condition, such as cold start
4 warnings - Warning conditions (e.g., return false, unexpected return)
3 errors - Error conditions (e.g.
Command Mode
Global Configuration
Command Usage
◆ Use this command more than once to build up a list of host IP addresses.
◆ The maximum number of host IP addresses allowed is five.
Example
Console(config)#logging host 10.1.0.3
Console(config)#

logging level
This command sets the syslog logging severity level for user login and log out. Use the no form to set the logging level to the default value.
Default Setting
None
Command Mode
Global Configuration
Command Usage
The logging process controls error messages saved to switch memory or sent to remote syslog servers. You can use the logging history command to control the type of error messages that are stored in memory. You can use the logging trap command to control the type of error messages that are sent to specified syslog servers.
◆ Using this command without a specified level also enables remote logging, but restores the minimum severity level to the default.
Example
Console(config)#logging trap level 4
Console(config)#

clear log
This command clears messages from the log buffer.
Syntax
clear log [flash | ram]
flash - Event history stored in flash memory (i.e., permanent memory).
ram - Event history stored in temporary RAM (i.e., memory flushed on power reset).
Command Usage
◆ All log messages are retained in RAM and Flash after a warm restart (i.e., power is reset through the command interface).
◆ All log messages are retained in Flash and purged from RAM after a cold restart (i.e., power is turned off and then on through the power source).
Example
The following example shows the event message stored in RAM.
Console#show log ram
[1] 00:01:30 2001-01-01
   "VLAN 1 link-up notification.
Flash Logging Configuration:
 History Logging in Flash : Level Errors (3)
Console#show logging ram
Global Configuration:
 Syslog Logging : Enabled
Ram Logging Configuration:
 History Logging in RAM : Level Debugging (7)
Console#
Table 22: show logging flash/ram - display description
Syslog Logging - Shows if system logging has been enabled via the logging on command.
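The facility number set with logging facility and the severity threshold set with logging trap level together determine the PRI value at the front of every syslog datagram and which events the remote collector ever sees. The following is an added example, not code from the guide or from the switch firmware, that encodes and decodes that PRI field and applies the "selected level down to level 0" rule using the page's own values (facility 19, trap level 4). The event texts, host name and severity assignments are constructed; the severity names for levels 2 to 0, which the page's Table 21 cuts off, are the standard syslog names.

```python
import re

# Standard syslog severity names (RFC 5424, Table 2). Levels 7-3 match the
# page's Table 21; 2-0 are the standard names for the levels it cuts off.
SEVERITY_NAME = {
    7: "debugging", 6: "informational", 5: "notifications", 4: "warnings",
    3: "errors", 2: "critical", 1: "alerts", 0: "emergencies",
}
LOCAL0 = 16   # facilities 16-23 are local0-local7; the page's 19 is local3


def pri(facility: int, severity: int) -> int:
    """Syslog PRI value carried in the '<N>' prefix: facility * 8 + severity."""
    if not 0 <= facility <= 23 or not 0 <= severity <= 7:
        raise ValueError("facility 0-23, severity 0-7")
    return facility * 8 + severity


def format_message(facility: int, severity: int, host: str, text: str) -> str:
    """Minimal BSD-style (RFC 3164) line as a switch would send it to UDP/514."""
    return f"<{pri(facility, severity)}>{host} {text}"


_PRI_RE = re.compile(r"^<(\d{1,3})>")


def parse_pri(line: str) -> tuple:
    """Recover (facility, severity) from a received line's PRI prefix."""
    m = _PRI_RE.match(line)
    if not m:
        raise ValueError("missing PRI prefix")
    value = int(m.group(1))
    if value > 191:   # 23 * 8 + 7 is the largest legal PRI
        raise ValueError("PRI out of range")
    return value // 8, value % 8


def is_forwarded(severity: int, trap_level: int) -> bool:
    """'Messages sent include the selected level down to level 0': lower numbers
    are more urgent, so a message passes when its severity <= the trap level."""
    return severity <= trap_level


def forwarded_messages(events: list, facility: int, trap_level: int) -> list:
    """Apply a 'logging trap level' threshold to (severity, host, text) events."""
    return [format_message(facility, sev, host, text)
            for sev, host, text in events if is_forwarded(sev, trap_level)]


# Constructed events in the style of the show log output above; severities are
# assigned for the example, not taken from the switch.
EVENTS = [
    (6, "core-sw1", "VLAN 1 link-up notification."),
    (4, "core-sw1", "Login failed for user admin from 10.1.0.50 via Telnet."),
    (3, "core-sw1", "Unit 1, Port 5: link-down."),
    (7, "core-sw1", "NTP poll sent to 192.168.3.20."),
]


def demo() -> list:
    # Facility 19 and trap level 4 are the values used in the page's examples.
    return forwarded_messages(EVENTS, facility=19, trap_level=4)


if __name__ == "__main__":
    for line in demo():
        fac, sev = parse_pri(line)
        print(line, "->", f"local{fac - LOCAL0}", SEVERITY_NAME[sev])
```

Note what the threshold discards: with trap level 4 the failed-login warning is forwarded but the informational link-up and the debug-level NTP poll are not, so a collector that needs login activity must be given a level of at least 4, while a level of 6 or 7 turns the five permitted hosts into a high-volume UDP stream.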
SMTP Alerts
These commands configure SMTP event handling, and forwarding of alert messages to the specified SMTP servers and email recipients.
Default Setting
None
Command Mode
Global Configuration
Command Usage
You can specify up to five recipients for alert messages. However, you must enter a separate command to specify each recipient.
Example
Console(config)#logging sendmail destination-email ted@this-company.com
Console(config)#

logging sendmail host
This command specifies SMTP servers that will be sent alert messages. Use the no form to remove an SMTP server.
logging sendmail level
This command sets the severity threshold used to trigger alert messages. Use the no form to restore the default setting.
Syntax
logging sendmail level level
no logging sendmail level
level - One of the system message levels (page 140). Messages sent include the selected level down to level 0.
Example
Console(config)#logging sendmail source-email bill@this-company.com
Console(config)#

show logging sendmail
This command displays the settings for the SMTP event handler.
Command Mode
Privileged Exec
Example
Console#show logging sendmail
SMTP Servers
-----------------------------------------------
192.168.1.19
SMTP Minimum Severity Level: 7
SMTP Destination E-mail Addresses
-----------------------------------------------
ted@this-company.
Time
Table 25: Time Commands (Continued)
ntp authenticate - Enables authentication for NTP traffic (GC)
ntp authentication-key - Configures authentication keys (GC)
ntp client - Enables the NTP client for time updates from specified servers (GC)
ntp server - Specifies NTP servers to poll for time updates (GC)
show ntp - Shows current NTP configuration settings (NE, PE)
show ntp status - Shows the status of time updates (PE)
show ntp statistics peer ...
◆ This command enables client time requests to time servers specified via the sntp server command. It issues time synchronization requests based on the interval set via the sntp poll command.
Example
Console(config)#sntp server 10.1.0.19
Console(config)#sntp poll 60
Console(config)#sntp client
Console(config)#end
Console#show sntp
Current Time: Dec 23 02:52:44 2019
Poll Interval: 60
Current Mode: Unicast
SNTP Status : Enabled
SNTP Server 137.92.140.80 0.0.0.
sntp server
This command sets the IP addresses of the servers to which SNTP time requests are issued. Use this command with no arguments to clear all time servers from the current list. Use the no form to clear all time servers from the current list, or to clear a specific server.
Syntax
sntp server [ip1 [ip2 [ip3]]]
no sntp server [ip1 [ip2 [ip3]]]
ip - IPv4 or IPv6 address of a time server (NTP or SNTP).
Example
Console#show sntp
Current Time   : Nov 5 18:51:22 2019
Poll Interval  : 16 seconds
Current Mode   : Unicast
SNTP Status    : Enabled
SNTP Server    : 137.92.140.80
               : 137.92.140.90
               : 137.92.140.99
Current Server : 137.92.140.80
Console#

NTP Commands
ntp authenticate
This command enables authentication for NTP client-server communications. Use the no form to disable authentication.
ntp authentication-key
This command configures authentication keys and key numbers to use when NTP authentication is enabled. Use the no form of the command to clear a specific authentication key or all keys from the current list.
Syntax
ntp authentication-key number md5 key
no ntp authentication-key [number]
number - The NTP authentication key ID number. (Range: 1-65535)
md5 - Specifies that authentication is provided by using the message digest algorithm 5.
ntp client
This command enables NTP client requests for time synchronization from NTP time servers specified with the ntp server command. Use the no form to disable NTP client requests.

Syntax
[no] ntp client

Default Setting
Disabled

Command Mode
Global Configuration

Command Usage
◆ The SNTP and NTP clients cannot be enabled at the same time. First disable the SNTP client before using this command.
Default Setting
Version number: 3

Command Mode
Global Configuration

Command Usage
◆ This command specifies time servers that the switch will poll for time updates when set to NTP client mode. The client polls all of the configured time servers; the responses received are filtered and compared to determine the most reliable and accurate time update for the switch.
◆ You can configure up to 50 NTP servers on the switch.
NTP Status              : Disabled
NTP Authenticate Status : Enabled
Last Update NTP Server  : 0.0.0.0 Port: 0
Last Update Time        : Jan 1 00:00:00 1970 UTC
NTP Server 192.168.3.20 version 3
NTP Server 192.168.3.21 version 3
NTP Server 192.168.4.22 version 3 key 19
NTP Authentication Key 19 md5 42V68751663T6K11P2J307210R885
Console#

show ntp status
This command displays the current status of received time updates from an NTP peer.
Bogus Origin        : 0
Duplicate           : 0
Bad Dispersion      : 0
Bad Reference Time  : 0
Candidate Order     : 6
Console#

show ntp peer-status
This command displays the status of connections to NTP peers.

Syntax
show ntp peer-status [ip-address | ipv6-address | hostname]
ip-address - IP address of an NTP time server.
ipv6-address - IPv6 address of an NTP time server.
hostname - Host name of an NTP time server.
b-year - The year summer time will begin.
b-hour - The hour summer time will begin. (Range: 0-23 hours)
b-minute - The minute summer time will begin. (Range: 0-59 minutes)
e-date - Day of the month when summer time will end. (Range: 1-31)
e-month - The month when summer time will end. (Options: january | february | march | april | may | june | july | august | september | october | november | december)
e-year - The year summer time will end.
clock summer-time (predefined)
This command configures the summer time (daylight savings time) status and settings for the switch using predefined configurations for several major regions in the world. Use the no form to disable summer time.

Syntax
clock summer-time name predefined [australia | europe | new-zealand | usa]
no clock summer-time
name - Name of the timezone while summer time is in effect, usually an acronym.
Example
The following example sets the Summer Time setting to use the predefined settings for the European region.
Console(config)#clock summer-time MESZ predefined europe
Console(config)#

Related Commands
show sntp (153)

clock summer-time (recurring)
This command allows the user to manually configure the start, end, and offset times of summer time (daylight savings time) for the switch on a recurring basis. Use the no form to disable summer-time.
Command Mode
Global Configuration

Command Usage
◆ In some countries or regions, clocks are adjusted through the summer months so that afternoons have more daylight and mornings have less. This is known as Summer Time, or Daylight Savings Time (DST). Typically, clocks are adjusted forward one hour at the start of spring and then adjusted backward in autumn.
◆ This command sets the summer-time time zone relative to the currently configured time zone.
Command Usage
This command sets the local time zone relative to the Coordinated Universal Time (UTC, formerly Greenwich Mean Time or GMT), based on the earth’s prime meridian, zero degrees longitude. To display a time corresponding to your local time, you must indicate the number of hours and minutes your time zone is east (before) or west (after) of UTC.
Chapter 4 | System Management Commands Time Range

show calendar
This command displays the system clock.

Default Setting
None

Command Mode
Normal Exec, Privileged Exec

Example
Console#show calendar
Current Time          : May 13 14:08:18 2019
Time Zone             : UTC, 08:00
Summer Time           : Not configured
Summer Time in Effect : No
Console#

Time Range
This section describes the commands used to set a time range for use by other functions, such as Access Control Lists.
Command Usage
◆ This command sets a time range for use by other functions, such as Access Control Lists.
◆ A maximum of eight rules can be configured for a time range.

Example
Console(config)#time-range r&d
Console(config-time-range)#

Related Commands
Access Control Lists (365)

absolute
This command sets the absolute time range for the execution of a command. Use the no form to remove a previously specified time.
Example
This example configures the time for the single occurrence of an event.
Console(config)#time-range r&d
Console(config-time-range)#absolute start 1 1 1 april 2009 end 2 1 1 april 2009
Console(config-time-range)#

periodic
This command sets the time range for the periodic execution of a command. Use the no form to remove a previously specified time range.
Example
This example configures a time range for the periodic occurrence of an event.
Console(config)#time-range sales
Console(config-time-range)#periodic daily 1 1 to 2 1
Console(config-time-range)#

show time-range
This command shows configured time ranges.

Syntax
show time-range [name]
name - Name of the time range.
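Time ranges only matter through the ACLs that reference them, so when auditing a configuration it helps to be able to state exactly when a given range is active. The following Python is an added example written for this guide, not code from the switch or from Edge-core. It parses the two rule forms shown in the examples above and evaluates a timestamp against them. Two readings are assumptions taken from those examples and are not stated on the page: the absolute rule fields are read as hour minute day month year (so "absolute start 1 1 1 april 2009 end 2 1 1 april 2009" means 01:01 to 02:01 on 1 April 2009), and a range with several rules is treated as active when any one rule matches. The eight-rule limit is the one the page states.

```python
from datetime import datetime
from typing import List, Tuple, Union

# Constructed example of a time-range evaluator; not code from the switch or its vendor.

Rule = Union[Tuple[str, datetime, datetime], Tuple[str, int, int]]

MAX_RULES = 8  # the page allows at most eight rules per time range

MONTHS = {name: num for num, name in enumerate(
    ["january", "february", "march", "april", "may", "june", "july",
     "august", "september", "october", "november", "december"], start=1)}


def _stamp(fields: List[str]) -> datetime:
    # Assumed field order hour minute day month year, read from the page's example
    # "absolute start 1 1 1 april 2009 end 2 1 1 april 2009".
    hour, minute, day, month, year = fields
    return datetime(int(year), MONTHS[month.lower()], int(day), int(hour), int(minute))


def parse_rule(line: str) -> Rule:
    """Parse one 'absolute ...' or 'periodic daily ...' rule line into a tuple."""
    tok = line.split()
    if len(tok) == 13 and tok[0] == "absolute" and tok[1] == "start" and tok[7] == "end":
        return ("absolute", _stamp(tok[2:7]), _stamp(tok[8:13]))
    if len(tok) == 7 and tok[0] == "periodic" and tok[1] == "daily" and tok[4] == "to":
        # daily window expressed in minutes after midnight
        return ("periodic", int(tok[2]) * 60 + int(tok[3]), int(tok[5]) * 60 + int(tok[6]))
    raise ValueError(f"unsupported time-range rule: {line!r}")


def rule_matches(rule: Rule, now: datetime) -> bool:
    if rule[0] == "absolute":
        return rule[1] <= now <= rule[2]  # inclusive window (assumption)
    start, end, t = rule[1], rule[2], now.hour * 60 + now.minute
    if start <= end:
        return start <= t <= end
    return t >= start or t <= end  # a daily window that crosses midnight


class TimeRange:
    def __init__(self, name: str) -> None:
        self.name = name
        self.rules: List[Rule] = []

    def add(self, line: str) -> bool:
        """Add a rule; returns False (rule rejected) once eight rules exist."""
        if len(self.rules) >= MAX_RULES:
            return False
        self.rules.append(parse_rule(line))
        return True

    def active(self, now: datetime) -> bool:
        # Assumption: the range is active whenever any one of its rules matches.
        return any(rule_matches(r, now) for r in self.rules)

    def active_at(self, year: int, month: int, day: int, hour: int, minute: int) -> bool:
        return self.active(datetime(year, month, day, hour, minute))


if __name__ == "__main__":
    sales = TimeRange("sales")
    sales.add("periodic daily 1 1 to 2 1")
    print("sales active at 01:30:", sales.active_at(2020, 6, 1, 1, 30))
```

The midnight-crossing branch is the case worth testing when a range guards an overnight maintenance ACL: a window such as "22 0 to 6 0" must match 23:30 and 05:00 but not noon.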
5 SNMP Commands SNMP commands control access to this switch from management stations using the Simple Network Management Protocol (SNMP), as well as the error types sent to trap managers. SNMP Version 3 also provides security features that cover message integrity, authentication, and encryption; as well as controlling user access to specific areas of the MIB tree.
Chapter 5 | SNMP Commands

Table 28: SNMP Commands (Continued)

Command                    Function                                                   Mode
show snmp engine-id        Shows the SNMP engine ID                                   PE
show snmp group            Shows the SNMP groups                                      PE
show snmp user             Shows the SNMP users                                       PE
show snmp view             Shows the SNMP views                                       PE
nlm                        Enables the specified notification log                     GC
snmp-server notify-filter  Creates a notification log and specifies the target host   GC
show nlm oper-status       Shows operation status of configured notification logs     PE
show snmp notify-filter
Chapter 5 | SNMP Commands General SNMP Commands

Table 28: SNMP Commands (Continued)

Command                 Function                                                              Mode
memory                  Sets the rising and falling threshold for the memory utilization alarm  GC
process cpu             Sets the rising and falling threshold for the CPU utilization alarm     GC
process cpu guard       Sets the CPU utilization watermark and threshold                        GC
show memory             Shows memory utilization parameters                                     PE
show process cpu        Shows CPU utilization parameters                                        NE, PE
show process cpu guard  Shows the CPU utilizat
ro - Specifies read-only access. Authorized management stations are only able to retrieve MIB objects.
rw - Specifies read/write access. Authorized management stations are able to both retrieve and modify MIB objects.

Default Setting
◆ public - Read-only access. Authorized management stations are only able to retrieve MIB objects.
◆ private - Read/write access. Authorized management stations are able to both retrieve and modify MIB objects.
snmp-server location
This command sets the system location string. Use the no form to remove the location string.

Syntax
snmp-server location text
no snmp-server location
text - String that describes the system location.
Chapter 5 | SNMP Commands SNMP Target Host Commands 2.
notifications are enabled. If you enter the command with a keyword, only the notification type related to that keyword is enabled.
◆ The snmp-server enable traps command is used in conjunction with the snmp-server host command. Use the snmp-server host command to specify which host or hosts receive SNMP notifications. In order to send notifications, you must configure at least one snmp-server host command.
version - Specifies whether to send notifications as SNMP Version 1, 2c or 3 traps. (Range: 1, 2c, 3; Default: 1)
auth | noauth | priv - This group uses SNMPv3 with authentication, no authentication, or with authentication and privacy. See “Simple Network Management Protocol” in the Web Management Guide for further information about these authentication and encryption options.
port - Host UDP port to use.
4. Allow the switch to send SNMP traps; i.e., notifications (page 174).
5. Specify the target host that will receive inform messages with the snmp-server host command as described in this section.

To send an inform to an SNMPv3 host, complete these steps:
1. Enable the SNMP agent (page 171).
2. Create a remote SNMPv3 user to use in the message exchange process (page 181).
3. Create a view with the required notification messages (page 183).
4.
5.
6.
Example
Console(config)#interface ethernet 1/1
Console(config-if)#snmp-server enable port-traps link-up-down
Console(config)#

snmp-server enable port-traps mac-notification
This command enables the device to send SNMP traps (i.e., SNMP notifications) when a dynamic MAC address is added or removed. Use the no form to restore the default setting.
Chapter 5 | SNMP Commands SNMPv3 Commands

Command Mode
Privileged Exec

Example
Console#show snmp-server enable port-traps interface
Interface  MAC Notification Trap
---------  ---------------------
Eth 1/1    No
Eth 1/2    No
Eth 1/3    No
.
.
.

SNMPv3 Commands

snmp-server engine-id
This command configures an identification string for the SNMPv3 engine. Use the no form to restore the default.
remote agent. You therefore need to configure the remote agent’s SNMP engine ID before you can send proxy requests or informs to it.
◆ Trailing zeroes need not be entered to uniquely specify an engine ID. In other words, the value “0123456789” is equivalent to “0123456789” followed by 16 zeroes for a local engine ID.
◆ A local engine ID is automatically generated that is unique to the switch. This is referred to as the default engine ID.
Command Mode
Global Configuration

Command Usage
◆ A group sets the access policy for the assigned users.
◆ When authentication is selected, the MD5 or SHA algorithm is used as specified in the snmp-server user command.
◆ When privacy is selected, the DES 56-bit algorithm is used for data encryption.
auth - Uses SNMPv3 with authentication.
md5 | sha - Uses MD5 or SHA authentication.
auth-password - Authentication password. Enter as plain text if the encrypted option is not used. Otherwise, enter an encrypted password. (Range: 8-32 characters for unencrypted password.) If the encrypted option is selected, enter an encrypted password. (Range: 32 characters for MD5 encrypted password, 40 characters for SHA encrypted password)
priv - Uses SNMPv3 with privacy.
◆ SNMP passwords are localized using the engine ID of the authoritative agent. For informs, the authoritative SNMP agent is the remote agent. You therefore need to configure the remote agent’s SNMP engine ID before you can send proxy requests or informs to it.

Example
Console(config)#snmp-server user steve r&d v3 auth md5 greenpeace priv des56 einstien
Console(config)#snmp-server engine-id remote 192.168.1.
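The note that passwords are "localized using the engine ID of the authoritative agent" is the reason a wrong or missing remote engine ID makes informs fail authentication. The Python below is an added example for this guide, not code from the switch or from Edge-core: it implements the two steps defined in RFC 3414 (password-to-key expansion over 1,048,576 bytes, then localization as H(Ku || engineID || Ku)) and checks them against the RFC's own "maplesyrup" test vectors. The 32- and 40-character lengths quoted above for MD5 and SHA encrypted passwords match the hex-encoded length of these localized keys (16 and 20 bytes); whether the switch stores exactly this value is not stated on the page and is not assumed here. The "sha" keyword is mapped to SHA-1, which is the SHA variant RFC 3414 specifies.

```python
import hashlib
from typing import Dict

# Constructed example of RFC 3414 key derivation and localization;
# not code from the switch or its vendor.

ONE_MEGABYTE = 1048576

# The page's keywords, mapped to hashlib names (assumption: "sha" means SHA-1 as in RFC 3414).
_ALGORITHMS: Dict[str, str] = {"md5": "md5", "sha": "sha1", "sha1": "sha1"}


def password_to_key(password: str, algorithm: str) -> bytes:
    """Ku: hash the password repeated until exactly 1,048,576 bytes have been consumed."""
    pw = password.encode("utf-8")
    if not pw:
        raise ValueError("empty password")
    stream = (pw * (ONE_MEGABYTE // len(pw) + 1))[:ONE_MEGABYTE]
    return hashlib.new(_ALGORITHMS[algorithm], stream).digest()


def localize_key(ku: bytes, engine_id: bytes, algorithm: str) -> bytes:
    """Kul = H(Ku || engineID || Ku): the key a specific engine stores and verifies with."""
    return hashlib.new(_ALGORITHMS[algorithm], ku + engine_id + ku).digest()


def localized_key_hex(password: str, engine_id_hex: str, algorithm: str = "md5") -> str:
    """Convenience wrapper: password plus engine ID (hex string) to the localized key in hex."""
    engine_id = bytes.fromhex(engine_id_hex)
    if not 5 <= len(engine_id) <= 32:
        raise ValueError("snmpEngineID must be 5..32 octets")
    return localize_key(password_to_key(password, algorithm), engine_id, algorithm).hex()


if __name__ == "__main__":
    # Same password, two engine IDs: the localized keys differ, which is why the remote
    # engine ID must be configured before informs can be authenticated by that engine.
    print(localized_key_hex("maplesyrup", "000000000000000000000002"))
    print(localized_key_hex("maplesyrup", "000000000000000000000003"))
```

Because localization binds the key to one engine ID, a captured localized key is only useful against that engine, and the same user password yields unrelated keys on every device; that is the property the "configure the remote agent's engine ID first" instruction depends on.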
This view includes the MIB-2 interfaces table, ifDescr. The wild card is used to select all the index values in the following table.
Console(config)#snmp-server view ifEntry.2 1.3.6.1.2.1.2.2.1.*.2 included
Console(config)#

This view includes the MIB-2 interfaces table, and the mask selects all index entries.
Console(config)#snmp-server view ifEntry.a 1.3.6.1.2.1.2.2.1.1.* included
Console(config)#

show snmp engine-id
This command shows the SNMP engine ID.
show snmp group
Four default groups are provided – SNMPv1 read-only access and read/write access, and SNMPv2c read-only access and read/write access.
Table 30: show snmp group - display description (Continued)

Field         Description
Read View     The associated read view.
Write View    The associated write view.
Notify View   The associated notify view.
Storage Type  The storage type for this entry.
Row Status    The row status of this entry.

show snmp user
This command shows information on SNMP users.
Chapter 5 | SNMP Commands Notification Log Commands

Table 31: show snmp user - display description (Continued)

Field             Description
Storage Type      The storage type for this entry.
Row Status        The row status of this entry.
SNMP remote user  A user associated with an SNMP engine on a remote device.

show snmp view
This command shows information on the SNMP views.

Command Mode
Privileged Exec

Example
Console#show snmp view
View Name: mib-2
Subtree OID: 1.2.2.3.6.2.
Default Setting
None

Command Mode
Global Configuration

Command Usage
◆ Notification logging is enabled by default, but will not start recording information until a logging profile specified by the snmp-server notify-filter command is enabled by the nlm command.
◆ Disabling logging with this command does not delete the entries stored in the notification log.

Example
This example enables the notification log A1.
RFC 3014) provides an infrastructure in which information from other MIBs may be logged.
◆ Given the service provided by the NLM, individual MIBs can now bear less responsibility to record transient information associated with an event against the possibility that the Notification message is lost, and applications can poll the log to verify that they have not missed any important Notifications.
Chapter 5 | SNMP Commands Additional Trap Commands

show nlm oper-status
This command shows the operational status of configured notification logs.

Command Mode
Privileged Exec

Example
Console#show nlm oper-status
Filter Name: A1
Oper-Status: Operational
Console#

show snmp notify-filter
This command displays the configured notification logs.

Command Mode
Privileged Exec

Example
This example displays the configured notification logs and associated target hosts.
Command Usage
Once the rising alarm threshold is exceeded, utilization must drop beneath the falling threshold before the alarm is terminated, and then exceed the rising threshold again before another alarm is triggered.

Example
Console(config)#memory rising 80
Console(config)#memory falling 60
Console#

Related Commands
show memory (103)

process cpu
This command sets an SNMP trap based on configured thresholds for CPU utilization.
process cpu guard
This command sets the CPU utilization high and low watermarks in percentage of CPU time utilized and the CPU high and low thresholds in the number of packets being processed per second. Use the no form of this command without any parameters to restore all of the default settings, or with a specific parameter to restore the default setting for that item.
◆ Once the maximum threshold is exceeded, utilization must drop beneath the minimum threshold before the alarm is terminated, and then exceed the maximum threshold again before another alarm is triggered.
6 Remote Monitoring Commands Remote Monitoring allows a remote device to collect information or respond to specified events on an independent basis. This switch is an RMON-capable device which can independently perform a wide range of tasks, significantly reducing network management traffic. It can continuously run diagnostics and log information on network performance.
Chapter 6 | Remote Monitoring Commands

rmon alarm
This command sets threshold bounds for a monitored variable. Use the no form to remove an alarm.

Syntax
rmon alarm index variable interval {absolute | delta} rising-threshold threshold [event-index] falling-threshold threshold [event-index] [owner name]
no rmon alarm index
index – Index to this entry. (Range: 1-65535)
variable – The object identifier of the MIB variable to be sampled. Only variables of the type etherStatsEntry.n.n may be sampled.
generated until the sampled value has fallen below the rising threshold, reaches the falling threshold, and again moves back up to the rising threshold.
◆ If the current value is less than or equal to the falling threshold, and the last sample value was greater than this threshold, then an alarm will be generated.
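The memory, process cpu guard and rmon alarm commands all describe the same two-threshold behaviour: one event when the rising threshold is reached, then nothing further until the value has come back down to the falling threshold, which itself produces the clearing event. The Python below is an added example for this guide, not code from the switch or from Edge-core, modelling that hysteresis for both absolute samples and delta samples (the change since the previous sample, which is how a growing packet counter becomes a rate). Comparisons follow the rmon alarm text above (greater than or equal raises, less than or equal clears); the alarm starts in the cleared state, and the naive single-threshold count alongside it shows the flood of duplicate alerts that hysteresis is there to prevent. The sample series are constructed, not captured from a device.

```python
from typing import List, Optional, Tuple

# Constructed model of the rising/falling threshold behaviour described for rmon alarm,
# memory and process cpu guard; not code from the switch or its vendor.


class ThresholdAlarm:
    """Two-threshold alarm with hysteresis.

    mode "absolute": each sample is compared with the thresholds as-is.
    mode "delta": the difference from the previous sample is compared, which
    turns a monotonically increasing counter (packets, errors) into a per-interval rate.
    """

    def __init__(self, rising: int, falling: int, mode: str = "absolute") -> None:
        if mode not in ("absolute", "delta"):
            raise ValueError("mode must be 'absolute' or 'delta'")
        if falling >= rising:
            raise ValueError("falling threshold must be below the rising threshold")
        self.rising = rising
        self.falling = falling
        self.mode = mode
        self._last_raw: Optional[int] = None
        self.raised = False  # starts in the cleared state (assumption)

    def sample(self, raw: int) -> Optional[str]:
        """Feed one sample; return "rising", "falling" or None."""
        if self.mode == "delta":
            if self._last_raw is None:
                self._last_raw = raw  # no delta exists until a second sample arrives
                return None
            value = raw - self._last_raw
        else:
            value = raw
        self._last_raw = raw
        # >= rising raises the alarm once; <= falling clears it once.
        if not self.raised and value >= self.rising:
            self.raised = True
            return "rising"
        if self.raised and value <= self.falling:
            self.raised = False
            return "falling"
        return None  # between the thresholds, or already reported: no event


def run_alarm(alarm: ThresholdAlarm, samples: List[int]) -> List[Tuple[int, int, str]]:
    """Return (sample index, raw value, event) for every event the alarm emits."""
    events = []
    for i, raw in enumerate(samples):
        ev = alarm.sample(raw)
        if ev is not None:
            events.append((i, raw, ev))
    return events


def naive_alert_count(samples: List[int], rising: int) -> int:
    """How many alerts a single-threshold check with no hysteresis would emit."""
    return sum(1 for s in samples if s >= rising)


# Constructed sample series (not captured from a device)
MEMORY_PERCENT = [50, 70, 85, 90, 75, 65, 60, 55, 85, 82]   # for "memory rising 80" / "falling 60"
PACKET_COUNTER = [0, 100, 1500, 3000, 3200, 3300, 3400, 5000]  # cumulative counter, one sample per interval

if __name__ == "__main__":
    print("memory events:", run_alarm(ThresholdAlarm(80, 60), MEMORY_PERCENT))
    print("naive alerts :", naive_alert_count(MEMORY_PERCENT, 80))
    print("rate events  :", run_alarm(ThresholdAlarm(1000, 200, mode="delta"), PACKET_COUNTER))
```

On the memory series the hysteresis alarm emits two rising events and one falling event, whereas the naive check fires on every sample at or above 80, four times, with no indication of when the condition cleared.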
Command Usage
◆ If an event is already defined for an index, the entry must be deleted before any changes can be made with this command.
◆ The specified events determine the action to take when an alarm triggers this event. The response to an alarm can include logging the alarm or sending a message to a trap manager.
◆ The information collected for each sample includes: input octets, packets, broadcast packets, multicast packets, undersize packets, oversize packets, fragments, jabbers, CRC alignment errors, collisions, drop events, and network utilization.
◆ The switch reserves two controlEntry index entries for each port.
Command Usage
◆ By default, each index number equates to a port on the switch, but can be changed to any number not currently in use.
◆ If statistics collection is already enabled on an interface, the entry must be deleted before any changes can be made with this command.
show rmon history
This command shows the sampling parameters configured for each entry in the history group.

Command Mode
Privileged Exec

Example
Console#show rmon history
Entry 1 is valid, and owned by Monitors 1.3.6.1.2.1.2.2.1.1.
7 Flow Sampling Commands Flow sampling (sFlow) can be used with a remote sFlow Collector to provide an accurate, detailed and real-time overview of the types and levels of traffic present on the network. The sFlow Agent samples 1 out of n packets from all data traversing the switch, re-encapsulates the samples as sFlow datagrams and transmits them to the sFlow Collector.
Chapter 7 | Flow Sampling Commands

sflow owner
This command creates an sFlow collector on the switch. Use the no form to remove the sFlow receiver.

Syntax
sflow owner owner-name timeout timeout-value [destination {ipv4-address | ipv6-address} [max-datagram-size max-datagram-size] [version {v4 | v5}] [port destination-udp-port]]
no sflow owner owner-name
owner-name - Name of the collector.
◆ Once an owner is created, the sflow owner command can again be used to modify the owner’s port number. All other parameter values for the owner will be retained if the port is modified.
◆ Use the no sflow owner command to remove the collector.
◆ When the sflow owner command is issued, its associated timeout value will immediately begin to count down.
instance-id - An instance ID used to identify the sampling source. (Range: 1)
owner-name - The associated receiver, to which the samples will be sent. (Range: 1-30 alphanumeric characters)
polling-interval - The time interval at which the sFlow process adds counter values to the sample datagram. (Range: 1-10000000 seconds, 0 disables this feature)

Default Setting
No sFlow polling instance is configured.
instance-id - An instance ID used to identify the sampling source. (Range: 1)
owner-name - The associated receiver, to which the samples will be sent. (Range: 1-30 alphanumeric characters)
sample-rate - The packet sampling rate, or the number of packets out of which one sample will be taken. (Range: 256-16777215 packets)
max-header-size - The maximum size of the sFlow datagram header. (Range: 64-256 bytes)

Default Setting
No sFlow sampling instance is configured.
Command Mode
Privileged Exec

Example
Console#show sflow interface ethernet 1/2
Receiver Owner Name    : stat1
Receiver Timeout       : 99633 sec
Receiver Destination   : 192.168.32.
Receiver Socket Port   :
Maximum Datagram Size  :
Datagram Version       :
8 Authentication Commands

You can configure this switch to authenticate users logging into the system for management access using local or remote authentication methods. Port-based authentication using IEEE 802.1X can also be configured to control either management access to the uplink ports or client access to the data ports.
Chapter 8 | Authentication Commands User Accounts and Privilege Levels

User Accounts and Privilege Levels
The basic commands required for management access and assigning command privilege levels are listed in this section. This switch also includes other options for password checking via the console or a Telnet connection (page 128), user authentication via a remote authentication server (page 209), and host access authentication for specific ports (page 252).
Default Setting
The default is level 15. The default password is “super”.

Command Mode
Global Configuration

Command Usage
◆ You cannot set a null password. You will have to enter a password to change the command mode from Normal Exec to Privileged Exec with the enable command.
◆ The encrypted password is required for compatibility with legacy password settings (i.e.
Levels 8-14 provide the same default access privileges, including additional commands in Normal Exec mode, and a subset of commands in Privileged Exec mode under the “Console#” command prompt. Level 15 provides full access to all commands. The privilege level associated with any command can be changed using the privilege command. Any privilege level can access all of the commands assigned to lower privilege levels.
privilege
This command assigns a privilege level to specified command groups or individual commands. Use the no form to restore the default setting.

Syntax
privilege mode [all] level level command
no privilege mode [all] command
mode - The configuration mode containing the specified command. (See “Understanding Command Modes” on page 76 and “Configuration Commands” on page 78.
Chapter 8 | Authentication Commands Authentication Sequence

Example
This example shows the privilege level for any command modified by the privilege command.
Console#show privilege command
privilege line all level 0 accounting
privilege exec level 15 ping
Console(config)#

Authentication Sequence
Three authentication methods can be specified to authenticate users logging into the system for management access. The commands in this section can be used to define the authentication method and sequence.
◆ RADIUS and TACACS+ logon authentication assigns a specific privilege level for each user name and password pair. The user name, password, and privilege level must be configured on the authentication server.
◆ You can specify three authentication methods in a single command to indicate the authentication sequence.
Chapter 8 | Authentication Commands RADIUS Client

◆ You can specify three authentication methods in a single command to indicate the authentication sequence. For example, if you enter “authentication login radius tacacs local,” the user name and password on the RADIUS server is verified first. If the RADIUS server is not available, then authentication is attempted on the TACACS+ server. If the TACACS+ server is not available, the local user name and password is checked.
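The sequence described above hands off to the next method only when a server is not available; it is worth being precise about that when reviewing a method list, because it determines whether a reject from the first reachable server can ever be overridden by a later, weaker method. The Python below is an added example for this guide, not code from the switch or from Edge-core, modelling a method list such as "radius tacacs local". Each backend returns the privilege level that the server holds for the user (the page states that RADIUS and TACACS+ assign the level per user) or None for a rejection, and raises when the server is unreachable. One point is an assumption not spelled out on the page: a verdict from a reachable server, accept or reject, ends the sequence. The user records are constructed.

```python
import hmac
from typing import Callable, Dict, List, Optional, Tuple

# Constructed model of the login-method sequence ("authentication login radius tacacs local");
# not code from the switch or its vendor.


class ServerUnavailable(Exception):
    """Raised by a backend when the authentication server does not answer."""


# A backend returns the server-assigned privilege level on success, None on rejection,
# or raises ServerUnavailable.
Backend = Callable[[str, str], Optional[int]]


def make_db_backend(db: Dict[str, Tuple[str, int]]) -> Backend:
    """Backend over an in-memory {user: (password, privilege level)} table."""
    def check(user: str, password: str) -> Optional[int]:
        rec = db.get(user)
        if rec is None:
            return None
        stored, level = rec
        # constant-time comparison, as any password check should use
        if not hmac.compare_digest(stored.encode(), password.encode()):
            return None
        return level
    return check


def unreachable(user: str, password: str) -> Optional[int]:
    """A server that never answers (timeouts exhausted)."""
    raise ServerUnavailable


def authenticate(methods: List[str], backends: Dict[str, Backend],
                 user: str, password: str) -> Tuple[bool, str, Optional[int]]:
    """Walk the method list; return (accepted, deciding method, privilege level)."""
    for name in methods:
        try:
            level = backends[name](user, password)
        except ServerUnavailable:
            continue  # only an unreachable server hands off to the next method
        # Assumption: a reachable server's verdict, accept or reject, ends the sequence.
        return (level is not None, name, level)
    return (False, "none", None)  # every method was unreachable: deny


# Constructed sample data (hypothetical users and passwords)
TACACS_DB = {"alice": ("s3cret", 15)}
LOCAL_DB = {"admin": ("adminpw", 15), "alice": ("oldlocal", 1)}

SEQUENCE = ["radius", "tacacs", "local"]
BACKENDS_RADIUS_DOWN = {"radius": unreachable,
                        "tacacs": make_db_backend(TACACS_DB),
                        "local": make_db_backend(LOCAL_DB)}
BACKENDS_ALL_DOWN = {"radius": unreachable,
                     "tacacs": unreachable,
                     "local": make_db_backend(LOCAL_DB)}

if __name__ == "__main__":
    print(authenticate(SEQUENCE, BACKENDS_RADIUS_DOWN, "alice", "s3cret"))
    print(authenticate(SEQUENCE, BACKENDS_RADIUS_DOWN, "alice", "oldlocal"))
    print(authenticate(SEQUENCE, BACKENDS_ALL_DOWN, "admin", "adminpw"))
```

The second call is the instructive one: alice's stale local password is not tried because TACACS+ answered and rejected her, so the local account only ever becomes reachable when both servers are down. That is also why the local account set should be kept minimal and its passwords current even though it is rarely consulted.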
port-number - RADIUS server UDP port used for accounting messages. (Range: 1-65535)

Default Setting
1813

Command Mode
Global Configuration

Example
Console(config)#radius-server acct-port 181
Console(config)#

radius-server auth-port
This command sets the RADIUS server network port. Use the no form to restore the default.
acct-port - RADIUS server UDP port used for accounting messages. (Range: 1-65535)
auth-port - RADIUS server UDP port used for authentication messages. (Range: 1-65535)
key - Encryption key used to authenticate logon access for client. Enclose any string containing blank spaces in double quotes. (Maximum length: 48 characters)
retransmit - Number of times the switch will try to authenticate logon access via the RADIUS server.
Example
Console(config)#radius-server key green
Console(config)#

radius-server encrypted-key
This command sets the RADIUS encryption key to be sent in encrypted text. Use the no form to restore the default.

Syntax
radius-server encrypted-key key-string
no radius-server encrypted-key
key-string - Encryption key sent in encrypted text and used to authenticate logon access for client. Enclose any character string using ASCII characters “A-Z” or “a-z”.
radius-server timeout
This command sets the interval between transmitting authentication requests to the RADIUS server. Use the no form to restore the default.

Syntax
radius-server timeout number-of-seconds
no radius-server timeout
number-of-seconds - Number of seconds the switch waits for a reply before resending a request.
Chapter 8 | Authentication Commands TACACS+ Client

radius
Console#

TACACS+ Client
Terminal Access Controller Access Control System (TACACS+) is a logon authentication protocol that uses software running on a central server to control access to TACACS-aware devices on the network. An authentication server contains a database of multiple user name/password pairs with associated privilege levels for each user or group that require management access to a switch.
Default Setting
authentication port - 49
timeout - 5 seconds
retransmit - 2

Command Mode
Global Configuration

Example
Console(config)#tacacs-server 1 host 192.168.1.25 port 181 timeout 10 retransmit 5 key green
Console(config)#

tacacs-server key
This command sets the TACACS+ encryption key. Use the no form to restore the default.
tacacs-server encrypted-key
This command sets the TACACS+ encryption key to be sent in encrypted text. Use the no form to restore the default.

Syntax
tacacs-server encrypted-key key-string
no tacacs-server encrypted-key
key-string - Encryption key sent in encrypted text and used to authenticate logon access for client. Enclose any character string using ASCII characters “A-Z” or “a-z”.
tacacs-server retransmit
This command sets the number of retries. Use the no form to restore the default.

Syntax
tacacs-server retransmit number-of-retries
no tacacs-server retransmit
number-of-retries - Number of times the switch will try to authenticate logon access via the TACACS+ server.
Chapter 8 | Authentication Commands AAA

show tacacs-server
This command displays the current settings for the TACACS+ server.

Default Setting
None

Command Mode
Privileged Exec

Example
Console#show tacacs-server
Remote TACACS+ Server Configuration:
Global Settings:
Server Port Number : 49
Retransmit Times   : 2
Timeout            : 5
Server 1:
Server IP Address  : 10.11.12.
Server Port Number :
Retransmit Times   :
Timeout            :
Table 41: AAA Commands (Continued)

Command          Function                                          Mode
accounting dot1x Applies an accounting method to an interface for 802.
Command Usage
◆ The accounting of Exec mode commands is only supported by TACACS+ servers.
◆ Note that the default and method-name fields are only used to describe the accounting method(s) configured on the specified TACACS+ server, and do not actually send any information to the server about the methods to use.
Example
Console(config)#aaa accounting dot1x default start-stop group radius
Console(config)#

aaa accounting exec
This command enables the accounting of requested Exec services for network access. Use the no form to disable the accounting service.

Syntax
aaa accounting exec {default | method-name} start-stop group {radius | tacacs+ | server-group}
no aaa accounting exec {default | method-name}
default - Specifies the default accounting method for service requests.
aaa accounting update
This command enables the sending of periodic updates to the accounting server. Use the no form to disable accounting updates.

Syntax
aaa accounting update [periodic interval]
no aaa accounting update
interval - Sends an interim accounting record to the server at this interval.
Default Setting
Authorization is not enabled
No servers are specified

Command Mode
Global Configuration

Command Usage
◆ The authorization of Exec mode commands is only supported by TACACS+ servers.
◆ Note that the default and method-name fields are only used to describe the authorization method(s) configured on the specified TACACS+ server, and do not actually send any information to the server about the methods to use.
Command Usage
◆ This command performs authorization to determine if a user is allowed to run an Exec shell for local console, Telnet, or SSH connections.
◆ AAA authentication must be enabled before authorization is enabled.
◆ If this command is issued without a specified named method, the default method list is applied to all interfaces or lines (where this authorization type applies), except those that have a named method explicitly defined.
Default Setting
None

Command Mode
Server Group Configuration

Command Usage
◆ When specifying the index for a RADIUS server, that server index must already be defined by the radius-server host command.
◆ When specifying the index for a TACACS+ server, that server index must already be defined by the tacacs-server host command.

Example
Console(config)#aaa group server radius tps
Console(config-sg-radius)#server 10.2.68.
Syntax
accounting commands level {default | list-name}
no accounting commands level
level - The privilege level for executing commands. (Range: 0-15)
default - Specifies the default method list created with the aaa accounting commands command.
list-name - Specifies a method list created with the aaa accounting commands command.
Console(config-line)#accounting exec default
Console(config-line)#

authorization commands
This command applies an authorization method to entered CLI commands. Use the no form to disable authorization for entered CLI commands.

Syntax
authorization commands level {default | list-name}
no authorization commands level
level - The privilege level for executing commands.
Chapter 8 | Authentication Commands AAA Example Console(config)#line console Console(config-line)#authorization exec tps Console(config-line)#exit Console(config)#line vty Console(config-line)#authorization exec default Console(config-line)# show accounting This command displays the current accounting settings per function and per port.
Chapter 8 | Authentication Commands AAA Interface Accounting Type Method List Group List Interface . . . Accounting Type Method List Group List Interface : vty : Commands 0 : default : tacacs+ : : Commands 15 : default : tacacs+ : Console# show authorization This command displays the current authorization settings per function and per port. Syntax show authorization [commands [level] | exec] commands - Displays command authorization information.
Web Server
This section describes commands used to configure web browser management access to the switch.

Related Commands
  aaa authorization commands (229)
  ip http server (238)
  show system (109)

ip http port
This command specifies the TCP port number used by the web browser interface. Use the no form to use the default port.
Syntax
  ip http port port-number
  no ip http port
  port-number - The TCP port to be used by the browser interface.

Related Commands
  ip http authentication (237)
  show system (109)

ip http secure-port
This command specifies the TCP port number used for HTTPS connection to the switch’s web interface. Use the no form to restore the default port.
Syntax
  ip http secure-port port_number
  no ip http secure-port
  port_number – The TCP port used for HTTPS.

Command Mode
  Global Configuration
Command Usage
  ◆ Both HTTP and HTTPS service can be enabled independently on the switch. However, you cannot configure the HTTP and HTTPS servers to use the same TCP port.
  ◆ Plain HTTP carries the login credentials and session cookies in cleartext. Where management stations support it, enable only the HTTPS server and leave the HTTP server disabled.
Telnet Server
This section describes commands used to configure Telnet management access to the switch. Telnet transmits user names, passwords and the whole session in cleartext; prefer the SSH server described in the next section and leave the Telnet server disabled where it is not required.

Example
  Console(config)#ip telnet max-sessions 1
  Console(config)#

ip telnet port
This command specifies the TCP port number used by the Telnet interface. Use the no form to use the default port.
Syntax
  ip telnet port port-number
  no ip telnet port
  port-number - The TCP port number to be used by the Telnet interface.
Syntax
  telnet host
  host - IP address or alias of a remote device.
Command Mode
  Privileged Exec
Example
  Console#telnet 192.168.2.254
  Connect To 192.168.2.254...
  ***************************************************************
  WARNING - MONITORED ACTIONS AND ACCESSES
  User Access Verification
  Username:
  Console(config)#

show ip telnet
This command displays the configuration settings for the Telnet server.

Secure Shell

Table 45: Secure Shell Commands
  Command                        Function                                                        Mode
  ip ssh authentication-retries  Specifies the number of retries allowed by a client             GC
  ip ssh server                  Enables the SSH server on the switch                            GC
  ip ssh timeout                 Specifies the authentication timeout for the SSH server         GC
  copy tftp public-key           Copies the user’s public key from a TFTP server to the switch   PE
  delete public-key              Deletes the public key for the specified user                   PE
  disconnect                     Terminates a

  108259132128902337654680172627257141342876294130119619556678259566410486957427
  888146206519417467729848654686157177393901647793559423035774130980227370877945
  4524083971752646358058176716709574804776117
3. Import Client’s Public Key to the Switch – Use the copy tftp public-key command to copy a file containing the public key for all the SSH clients granted management access to the switch.

  c. The client sends a signature generated using the private key to the switch.
  d. When the server receives this message, it checks whether the supplied key is acceptable for authentication, and if so, it then checks whether the signature is correct. If both checks succeed, the client is authenticated.
Note: The SSH server supports up to eight client sessions. The maximum number of client sessions includes both current Telnet sessions and SSH sessions.

Default Setting
  Disabled
Command Mode
  Global Configuration
Command Usage
  ◆ The SSH server supports up to eight client sessions. The maximum number of client sessions includes both current Telnet sessions and SSH sessions.
  ◆ The SSH server uses RSA for key exchange when the client first establishes a connection with the switch, and then negotiates with the client to select either DES (56-bit) or 3DES (168-bit) for data encryption. Single DES is considered broken; configure SSH clients to refuse it so that 3DES is the cipher negotiated.

Example
  Console(config)#ip ssh timeout 60
  Console(config)#
Related Commands
  exec-timeout (130)
  show ip ssh (250)

delete public-key
This command deletes the specified user’s public key.
Syntax
  delete public-key username
  username – Name of an SSH user. (Range: 1-8 characters)
Default Setting
  Deletes the RSA key.
Command Mode
  Privileged Exec
Example
  Console#delete public-key admin
  Console#

ip ssh crypto
This command generates the host key pair (i.e.

  ◆ Some SSH client programs automatically add the public key to the known hosts file as part of the configuration process. Otherwise, you must manually create a known hosts file and place the host public key in it. Compare the key the client presents with the host key displayed on the switch console before accepting it; a key accepted unverified on first connection can belong to a man-in-the-middle.
  ◆ The SSH server uses this host key to negotiate a session key and encryption method with the client trying to connect to it.

ip ssh save host-key
This command saves the host key from RAM to flash memory.
Syntax
  ip ssh save host-key
Default Setting
  Saves the RSA key.
Command Mode
  Privileged Exec
Example
  Console#ip ssh save host-key
  Console#
Related Commands
  ip ssh crypto host-key generate (248)

show ip ssh
This command displays the connection settings used when authenticating client access to the SSH server.

Command Usage
  ◆ If no parameters are entered, all keys are displayed. If the user keyword is entered, but no user name is specified, then the public keys for all users are displayed.
802.1X Port Authentication
The switch supports IEEE 802.1X (dot1x) port-based access control that prevents unauthorized access to the network by requiring users to first submit credentials for authentication. Client authentication is controlled centrally by a RADIUS server using EAP (Extensible Authentication Protocol).

Table 47: 802.

dot1x eapol-pass-through
This command passes EAPOL frames through to all ports in STP forwarding state when dot1x is globally disabled. Use the no form to restore the default.

Authenticator Commands

dot1x intrusion-action
This command sets the port’s response to a failed authentication, either to block all traffic, or to assign all traffic for the port to a guest VLAN. Use the no form to reset the default.
Syntax
  dot1x intrusion-action {block-traffic | guest-vlan}
  no dot1x intrusion-action
  block-traffic - Blocks traffic on this port.
  guest-vlan - Assigns the user to the Guest VLAN.

Command Mode
  Interface Configuration
Example
  Console(config)#interface eth 1/2
  Console(config-if)#dot1x max-reauth-req 2
  Console(config-if)#

dot1x max-req
This command sets the maximum number of times the switch port will retransmit an EAP request/identity packet to the client before it times out the authentication session. Use the no form to restore the default.

dot1x operation-mode
This command allows hosts (clients) to connect to an 802.1X-authorized port. Use the no form with no keywords to restore the default to single host. Use the no form with the multi-host max-count keywords to restore the default maximum count.

dot1x port-control
This command sets the dot1x mode on a port interface. Use the no form to restore the default.
Syntax
  dot1x port-control {auto | force-authorized | force-unauthorized}
  no dot1x port-control
  auto – Requires a dot1x-aware connected client to be authorized by the RADIUS server. Clients that are not dot1x-aware will be denied access.

Example
  Console(config)#interface eth 1/2
  Console(config-if)#dot1x re-authentication
  Console(config-if)#
Related Commands
  dot1x timeout re-authperiod (259)

dot1x timeout quiet-period
This command sets the time that a switch port waits after the maximum request count (see page 256) has been exceeded before attempting to acquire a new client. Use the no form to reset the default.

Example
  Console(config)#interface eth 1/2
  Console(config-if)#dot1x timeout re-authperiod 300
  Console(config-if)#

dot1x timeout supp-timeout
This command sets the time that an interface on the switch waits for a response to an EAP request from a client before re-transmitting an EAP packet. Use the no form to reset to the default value.
Syntax
  dot1x timeout supp-timeout seconds
  no dot1x timeout supp-timeout
  seconds - The number of seconds.

Default
  30 seconds
Command Mode
  Interface Configuration
Example
  Console(config)#interface eth 1/2
  Console(config-if)#dot1x timeout tx-period 300
  Console(config-if)#

dot1x re-authenticate
This command forces re-authentication on all ports or a specific interface.
Syntax
  dot1x re-authenticate [interface]
  interface
    ethernet unit/port
      unit - Unit identifier. (Range: 1)
      port - Port number.

Supplicant Commands

dot1x identity profile
This command sets the dot1x supplicant user name and password. Use the no form to delete the identity settings.
Syntax
  dot1x identity profile {username username | password password | encrypted-password encrypted-password}
  no dot1x identity profile {username | password}
  username - Specifies the supplicant user name. (Range: 1-8 characters)
  password - Specifies the supplicant password.

Command Mode
  Interface Configuration
Example
  Console(config)#interface eth 1/2
  Console(config-if)#dot1x max-start 10
  Console(config-if)#

dot1x pae supplicant
This command enables dot1x supplicant mode on a port. Use the no form to disable dot1x supplicant mode on a port.

dot1x timeout auth-period
This command sets the time that a supplicant port waits for a response from the authenticator. Use the no form to restore the default setting.
Syntax
  dot1x timeout auth-period seconds
  no dot1x timeout auth-period
  seconds - The number of seconds.

dot1x timeout start-period
This command sets the time that a supplicant port waits before resending an EAPOL start frame to the authenticator. Use the no form to restore the default setting.
Syntax
  dot1x timeout start-period seconds
  no dot1x timeout start-period
  seconds - The number of seconds.

  ◆ 802.1X Port Summary – Displays the port access control parameters for each interface that has enabled 802.1X.
  ◆ 802.1X Port Details – Displays the port access control parameters for each interface.
  ◆ Reauthentication – Periodic re-authentication (page 258).

  ◆ Reauthentication State Machine State – Current state (including initialize, reauthenticate).
Example
  Console#show dot1x
  Global 802.1X Parameters
    System Auth Control : Enabled
  Authenticator Parameters:
    EAPOL Pass Through  : Disabled
  802.
Management IP Filter
This section describes commands used to configure IP management access to the switch.

  ◆ IP addresses can be configured for SNMP, web, and Telnet access respectively. Each of these groups can include up to five different sets of addresses, either individual addresses or address ranges.
  ◆ When entering addresses for the same group (i.e., SNMP, web, or Telnet), the switch will not accept overlapping address ranges. When entering addresses for different groups, the switch will accept overlapping address ranges.
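The following is an added example, not code from the guide or from the switch: it applies the two rules above (at most five entries per access group, no overlapping ranges within a group, overlap permitted across groups) to a planned set of filter entries so they can be checked before being typed into the CLI. The group names, the `ManagementFilter` class and the assumption that an empty group imposes no source restriction are this example's own, not the switch's.

```python
"""Validator for the management IP filter rules described above: one list
per access group (SNMP, web, Telnet), at most five entries per group, no
overlapping ranges inside a group, overlap allowed across groups.
Added example, not the switch's own code."""
import ipaddress
from typing import Dict, List, Tuple

GROUPS = ("snmp", "web", "telnet")
MAX_ENTRIES_PER_GROUP = 5          # "up to five different sets of addresses"


def to_range(entry: str) -> Tuple[int, int]:
    """Parse '192.168.1.19' or '192.168.1.25-192.168.1.30' into (start, end)
    as integers so that overlap becomes a plain interval test."""
    start, _, end = entry.partition("-")
    lo = int(ipaddress.IPv4Address(start.strip()))
    hi = int(ipaddress.IPv4Address(end.strip())) if end else lo
    if hi < lo:
        raise ValueError(f"end address precedes start address in {entry!r}")
    return lo, hi


class ManagementFilter:
    def __init__(self) -> None:
        self.rules: Dict[str, List[Tuple[int, int]]] = {g: [] for g in GROUPS}

    def add(self, group: str, entry: str) -> None:
        """Accept the entry, or raise ValueError where the switch would refuse it."""
        if group not in self.rules:
            raise ValueError(f"unknown access group {group!r}")
        lo, hi = to_range(entry)
        existing = self.rules[group]
        if len(existing) >= MAX_ENTRIES_PER_GROUP:
            raise ValueError(f"{group}: already holds {MAX_ENTRIES_PER_GROUP} entries")
        for other_lo, other_hi in existing:
            # Two closed intervals intersect when each starts before the other ends.
            if lo <= other_hi and other_lo <= hi:
                raise ValueError(f"{group}: {entry} overlaps an existing range")
        existing.append((lo, hi))

    def permits(self, group: str, address: str) -> bool:
        """Whether a management station may use this access method.
        Assumption (not stated in this section): a group with no entries
        places no restriction on the source address."""
        ranges = self.rules[group]
        if not ranges:
            return True
        ip = int(ipaddress.IPv4Address(address))
        return any(lo <= ip <= hi for lo, hi in ranges)
```

Running the two Telnet entries shown in the example output that follows (192.168.1.19 and 192.168.1.25-192.168.1.30) through `add` and then attempting 192.168.1.28-192.168.1.40 for the same group reproduces the refusal the switch would give, while the same range is accepted for the web group.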
  TELNET-Client:
    Start IP address   End IP address
    -----------------------------------------------
    1. 192.168.1.19    192.168.1.19
    2. 192.168.1.25    192.168.1.30
  Console#

PPPoE Intermediate Agent
This section describes commands used to configure the PPPoE Intermediate Agent (PPPoE IA) relay parameters required for passing authentication messages between a client and broadband remote access servers.

Command Mode
  Global Configuration
Command Usage
  ◆ The switch inserts a tag identifying itself as a PPPoE Intermediate Agent residing between the attached client requesting network access and the ports connected to broadband remote access servers (BRAS).

Default Setting
  ◆ Access Node Identifier: IP address of the first IPv4 interface on the switch.
  ◆ Generic Error Message: PPPoE Discover packet too large to process. Try reducing the number of tags added.
  ◆ Vendor Identifier: 3561 (This is the enterprise number assigned to the Broadband Forum.

Example
  Console(config)#interface ethernet 1/5
  Console(config-if)#pppoe intermediate-agent port-enable
  Console(config-if)#

pppoe intermediate-agent port-format-type
This command sets the circuit-id, remote-id, or remote-id delimiter for an interface. Use the no form to restore the default settings.

  ◆ The switch intercepts PPPoE discovery frames from the client and inserts a unique line identifier using the PPPoE Vendor-Specific tag (0x0105) into PPPoE Active Discovery Initiation (PADI) and Request (PADR) packets. The switch then forwards these packets to the PPPoE server. The tag contains the Line-ID of the customer line over which the discovery packet was received, entering the switch (or access node) where the intermediate agent resides.

Example
This command enables the delimiter for port 5.
  Console(config)#interface ethernet 1/5
  Console(config-if)#pppoe intermediate-agent port-format-type remote-id-delimiter enable
  Console(config-if)#

pppoe intermediate-agent trust
This command sets an interface to trusted mode to indicate that it is connected to a PPPoE server. Use the no form to set an interface to untrusted mode.

Command Usage
This command only applies to trusted interfaces. It is used to strip off vendor-specific tags (which carry subscriber and line identification information) in PPPoE Discovery packets received from an upstream PPPoE server before forwarding them to a user.
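The following is an added example, not code from the guide or from the switch firmware. It models the two behaviours described above: on a client-facing (untrusted) port the agent inserts the Vendor-Specific tag 0x0105 carrying the Broadband Forum vendor id 3561 and the circuit-id/remote-id sub-tags into PADI and PADR, discards any such tag the client supplied itself (a host must not be able to assert another line's identity) and drops server responses; on a trusted (server-facing) port it strips the tag before the packet reaches the user. Tag and code values follow RFC 2516 and TR-101; the 1484-byte payload limit that triggers the "packet too large" error, the `on_untrusted_port`/`on_trusted_port` names and the sample line identifiers are assumptions of this example.

```python
"""PPPoE Intermediate Agent tag insertion and stripping, modelled on the
description in this section. Added example, not the switch's firmware.
Tag and code values follow RFC 2516 and TR-101; the payload limit and the
line identifiers used below are assumptions made for the demonstration."""
import struct
from typing import List, Optional, Tuple

PPPOE_VER_TYPE = 0x11                       # version 1, type 1
CODE_PADI, CODE_PADO, CODE_PADR, CODE_PADS = 0x09, 0x07, 0x19, 0x65
TAG_VENDOR_SPECIFIC = 0x0105                # RFC 2516 Vendor-Specific tag
BBF_VENDOR_ID = 3561                        # Broadband Forum enterprise number (page default)
SUBTAG_CIRCUIT_ID, SUBTAG_REMOTE_ID = 0x01, 0x02   # TR-101 sub-tags
MAX_PAYLOAD = 1484                          # assumed limit that triggers the generic error

Tag = Tuple[int, bytes]


def parse_discovery(frame: bytes) -> Tuple[int, int, List[Tag]]:
    """Split a PPPoE discovery payload into (code, session_id, tags), refusing
    any length field that does not match the bytes actually present."""
    if len(frame) < 6 or frame[0] != PPPOE_VER_TYPE:
        raise ValueError("not a PPPoE version 1 / type 1 packet")
    code = frame[1]
    session, length = struct.unpack("!HH", frame[2:6])
    if length != len(frame) - 6:
        raise ValueError("PPPoE length field does not match payload")
    tags: List[Tag] = []
    pos = 6
    while pos < len(frame):
        if pos + 4 > len(frame):
            raise ValueError("truncated tag header")
        ttype, tlen = struct.unpack("!HH", frame[pos:pos + 4])
        pos += 4
        if pos + tlen > len(frame):
            raise ValueError("tag overruns packet")
        tags.append((ttype, frame[pos:pos + tlen]))
        pos += tlen
    return code, session, tags


def build_discovery(code: int, session: int, tags: List[Tag]) -> bytes:
    body = b"".join(struct.pack("!HH", t, len(v)) + v for t, v in tags)
    return bytes([PPPOE_VER_TYPE, code]) + struct.pack("!HH", session, len(body)) + body


def ia_tag_value(circuit_id: str, remote_id: str) -> bytes:
    """Vendor-Specific tag body: 4-byte vendor id, then 0x01/0x02 sub-TLVs."""
    cid, rid = circuit_id.encode("ascii"), remote_id.encode("ascii")
    return (struct.pack("!I", BBF_VENDOR_ID)
            + bytes([SUBTAG_CIRCUIT_ID, len(cid)]) + cid
            + bytes([SUBTAG_REMOTE_ID, len(rid)]) + rid)


def is_ia_tag(tag: Tag) -> bool:
    ttype, value = tag
    return (ttype == TAG_VENDOR_SPECIFIC and len(value) >= 4
            and struct.unpack("!I", value[:4])[0] == BBF_VENDOR_ID)


def on_untrusted_port(frame: bytes, circuit_id: str, remote_id: str) -> Optional[bytes]:
    """Client-facing port: drop server responses, and on PADI/PADR replace any
    client-supplied IA tag (a spoofed line-id) with the switch's own."""
    code, session, tags = parse_discovery(frame)
    if code in (CODE_PADO, CODE_PADS):
        return None                                  # "Response from untrusted"
    if code not in (CODE_PADI, CODE_PADR):
        return frame
    kept = [t for t in tags if not is_ia_tag(t)]
    kept.append((TAG_VENDOR_SPECIFIC, ia_tag_value(circuit_id, remote_id)))
    out = build_discovery(code, session, kept)
    if len(out) > MAX_PAYLOAD:
        raise ValueError("PPPoE Discover packet too large to process. "
                         "Try reducing the number of tags added.")
    return out


def on_trusted_port(frame: bytes) -> bytes:
    """Server-facing port: strip the vendor-specific tag before the packet
    reaches the user."""
    code, session, tags = parse_discovery(frame)
    return build_discovery(code, session, [t for t in tags if not is_ia_tag(t)])


def circuit_id_of(frame: bytes) -> str:
    """The line-id the BRAS would read from the IA tag."""
    for tag in parse_discovery(frame)[2]:
        if not is_ia_tag(tag):
            continue
        value, pos = tag[1], 4
        while pos + 2 <= len(value):
            subtype, sublen = value[pos], value[pos + 1]
            pos += 2
            if pos + sublen > len(value):
                raise ValueError("sub-tag overruns tag")
            if subtype == SUBTAG_CIRCUIT_ID:
                return value[pos:pos + sublen].decode("ascii")
            pos += sublen
    raise ValueError("no circuit-id present")
```

Every length field is checked against the bytes present before it is used; a relay agent that trusts tag lengths from an untrusted port is a classic place for an out-of-bounds read.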
Example
  Console#show pppoe intermediate-agent info
  PPPoE Intermediate Agent Global Status                : Enabled
  PPPoE Intermediate Agent Vendor ID                    : 3561
  PPPoE Intermediate Agent Admin Access Node Identifier : 192.168.0.2
  PPPoE Intermediate Agent Oper Access Node Identifier  : 192.168.0.2
  PPPoE Intermediate Agent Admin Generic Error Message  : PPPoE Discover packet too large to process. Try reducing the number of tags added.

Table 50: show pppoe intermediate-agent statistics - display description
  Field                      Description
  Received
    PADI                     PPPoE Active Discovery Initiation
    PADO                     PPPoE Active Discovery Offer
    PADR                     PPPoE Active Discovery Request
    PADS                     PPPoE Active Discovery Session-Confirmation
    PADT                     PPPoE Active Discovery Terminate
  Dropped
    Response from untrusted  Response from an interface which has not been configured as trusted.
9 General Security Measures

This switch supports many methods of segregating traffic for clients attached to each of the data ports, and for ensuring that only authorized clients gain access to the network. Port-based authentication using IEEE 802.1X is commonly used for these purposes. In addition to these methods, several other options of providing client security are described in this chapter.
Port Security
These commands can be used to enable port security on a port. When MAC address learning is disabled on an interface, only incoming traffic with source addresses already stored in the dynamic or static address table for this port will be authorized to access the network. When using port security, the switch stops learning new MAC addresses on the specified port when it has reached a configured maximum number.

Command Usage
  ◆ The no mac-learning command immediately stops the switch from learning new MAC addresses on the specified port or trunk. Incoming traffic with source addresses not stored in the static address table will be flooded. However, if a security function such as 802.

  action - Response to take when port security is violated.
    shutdown - Disable port only.
    trap - Issue SNMP trap message only.
    trap-and-shutdown - Issue SNMP trap message and disable port.
  max-mac-count
    address-count - The maximum number of MAC addresses that can be learned on a port.

  number of MAC addresses, the port will stop learning new addresses. The MAC addresses already in the address table will be retained and will not be aged out.
  ◆ MAC addresses that port security has learned can be saved in the configuration file as static entries. See command port security mac-address-as-permanent.

  ◆ If sticky MAC addresses are received on another secure port, then the port intrusion action is taken.
Example
  Console(config-if)#port security mac-address sticky
  Console#

port security mac-address-as-permanent
Use this command to save the MAC addresses that port security has learned as static entries.
Syntax
  port security mac-address-as-permanent [interface interface]
  interface - Specifies a port interface.
    ethernet unit/port
      unit - Unit identifier.
Command Mode
  Privileged Exec
Example
This example shows the port security settings and number of secure addresses for all ports.

Network Access (MAC Address Authentication)

only source MAC address entries in the MAC Filter table can be learned as secure MAC addresses.

Table 54: Network Access Commands (Continued)
  Command                         Function                                                                            Mode
  mac-authentication reauth-time  Sets the time period after which a connected MAC address must be re-authenticated   GC
  network-access dynamic-qos      Enables the dynamic quality of service feature                                      IC
  network-access dynamic-vlan     Enables dynamic VLAN assignment from a RADIUS server                                IC
  network-access guest-vlan       Specifies the guest VLAN                                                            IC
  network-access lin

Command Usage
  ◆ Authenticated MAC addresses are stored as dynamic entries in the switch’s secure MAC address table and are removed when the aging time expires. The address aging time is determined by the mac-address-table aging-time command.

  addresses when using a mask, and then to assign these addresses to one or more ports with the network-access port-mac-filter command.
  ◆ Up to 64 filter tables can be defined.
  ◆ There is no limitation on the number of entries that can be entered in a filter table.

Default Setting
  Disabled
Command Mode
  Interface Configuration
Command Usage
  ◆ The RADIUS server may optionally return dynamic QoS assignments to be applied to a switch port for an authenticated user.

network-access dynamic-vlan
Use this command to enable dynamic VLAN assignment for an authenticated port. Use the no form to disable dynamic VLAN assignment.
Syntax
  [no] network-access dynamic-vlan
Default Setting
  Enabled
Command Mode
  Interface Configuration
Command Usage
  ◆ When enabled, the VLAN identifiers returned by the RADIUS server through the 802.

network-access guest-vlan
Use this command to assign all traffic on a port to a guest VLAN when 802.1x authentication or MAC authentication is rejected. Use the no form of this command to disable guest VLAN assignment.

Example
  Console(config)#interface ethernet 1/1
  Console(config-if)#network-access link-detection
  Console(config-if)#

network-access link-detection link-down
Use this command to detect link-down events. When detected, the switch can shut down the port, send an SNMP trap, or both. Use the no form of this command to disable this feature.

  action - Response to take when port security is violated.
    shutdown - Disable port only.
    trap - Issue SNMP trap message only.
    trap-and-shutdown - Issue SNMP trap message and disable the port.

network-access max-mac-count
Use this command to set the maximum number of MAC addresses that can be authenticated on a port interface via all forms of authentication. Use the no form of this command to restore the default.
Syntax
  network-access max-mac-count count
  no network-access max-mac-count
  count - The maximum number of authenticated IEEE 802.1X and MAC addresses allowed.

  ◆ Authenticated MAC addresses are stored as dynamic entries in the switch secure MAC address table and are removed when the aging time expires. The maximum number of secure MAC addresses supported for the switch system is 1024.
  ◆ Configured static MAC addresses are added to the secure address table when seen on a switch port. Static addresses are treated as authenticated without sending a request to a RADIUS server.

Example
  Console(config)#interface ethernet 1/1
  Console(config-if)#network-access port-mac-filter 1
  Console(config-if)#

mac-authentication intrusion-action
Use this command to configure the port response to a host MAC authentication failure. Use the no form of this command to restore the default.

Example
  Console(config-if)#mac-authentication max-mac-count 32
  Console(config-if)#

clear network-access
Use this command to clear entries from the secure MAC address table.
Syntax
  clear network-access mac-address-table [static | dynamic] [address mac-address] [interface interface]
  static - Specifies static address entries.
  dynamic - Specifies dynamic address entries.
  mac-address - Specifies a MAC address entry.

Command Mode
  Privileged Exec
Example
  Console#show network-access interface ethernet 1/1
  Global secure port information
   Reauthentication Time                 : 1800
   MAC Address Aging                     : Disabled
  Port : 1/1
   MAC Authentication                    :
   MAC Authentication Intrusion Action   :
   MAC Authentication Maximum MAC Counts :
   Maximum MAC Counts                    :
   Dynamic VLAN Assignment               :
   Dynamic QoS Assignment                :
   MAC Filter ID                         :
   Guest VLAN                            :
   Link Detection                        :
   Detection Mode                        :
   Detection Action                      :
  Console#

Command Usage
When using a bit mask to filter displayed MAC addresses, a 1 means “care” and a 0 means “don't care”. For example, a MAC of 00-00-01-02-03-04 and mask FF-FF-FF-00-00-00 would result in all MACs in the range 00-00-01-00-00-00 to 00-00-01-FF-FF-FF being displayed. All other MACs would be filtered out.
Web Authentication
Web authentication allows stations to authenticate and access the network in situations where 802.1X or Network Access authentication are infeasible or impractical. The web authentication feature allows unauthenticated hosts to request and receive a DHCP assigned IP address and perform DNS queries. All other traffic, except for HTTP protocol traffic, is blocked.

web-auth login-attempts
This command defines the limit for failed web authentication login attempts. After the limit is reached, the switch refuses further login attempts until the quiet time expires. Use the no form to restore the default.
Syntax
  web-auth login-attempts count
  no web-auth login-attempts
  count - The limit of allowed failed login attempts.

web-auth session-timeout
This command defines the amount of time a web-authentication session remains valid. When the session timeout has been reached, the host is logged off and must re-authenticate itself the next time data transmission takes place. Use the no form to restore the default.
Syntax
  web-auth session-timeout timeout
  no web-auth session-timeout
  timeout - The amount of time that an authenticated session remains valid.

web-auth
This command enables web authentication for an interface. Use the no form to restore the default.
Syntax
  [no] web-auth
Default Setting
  Disabled
Command Mode
  Interface Configuration
Command Usage
Both web-auth system-auth-control for the switch and web-auth for a port must be enabled for the web authentication feature to be active.

web-auth re-authenticate (IP)
This command ends the web authentication session associated with the designated IP address and forces the user to re-authenticate.
Syntax
  web-auth re-authenticate interface interface ip
  interface - Specifies a port interface.
    ethernet unit/port
      unit - Unit identifier. (Range: 1)
      port - Port number.

show web-auth interface
This command displays interface-specific web authentication parameters and statistics.
Syntax
  show web-auth interface interface
  interface - Specifies a port interface.
    ethernet unit/port
      unit - Unit identifier. (Range: 1)
      port - Port number. (Range: 1-54)
Command Mode
  Privileged Exec
Example
  Console#show web-auth interface ethernet 1/2
  Web Auth Status : Enabled
  Host Summary
  IP address
  ---------------
  1.1.1.1
  1.1.1.
DHCPv4 Snooping
DHCPv4 snooping allows a switch to protect a network from rogue DHCPv4 servers, and to insert port-related information into client requests before they are relayed to a DHCPv4 server. This information can be useful in tracking an IP address back to a physical port. This section describes commands used to configure DHCPv4 snooping.

ip dhcp snooping
This command enables DHCP snooping globally. Use the no form to restore the default setting.
Syntax
  [no] ip dhcp snooping
Default Setting
  Disabled
Command Mode
  Global Configuration
Command Usage
Network traffic may be disrupted when malicious DHCP messages are received from an outside source. DHCP snooping is used to filter DHCP messages received on an unsecure interface from outside the network or firewall.

  ■ If the DHCP packet is from a client, such as a DECLINE or RELEASE message, the switch forwards the packet only if the corresponding entry is found in the binding table.
  ■ If the DHCP packet is from a client, such as a DISCOVER, REQUEST, INFORM, DECLINE or RELEASE message, the packet is forwarded if MAC address verification is disabled (as specified by the ip dhcp snooping verify mac-address command).
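The following is an added example, not code from the guide or from the switch firmware. It models the forwarding decision described in this section for a packet arriving on a snooping-enabled VLAN: DECLINE and RELEASE are forwarded only when the binding table holds a matching entry (so a host cannot release a neighbour's lease), and when MAC address verification is on the DHCP chaddr field must match the Ethernet source address. Two details are this model's assumptions and are marked as such in the code: the binding-table layout ((client MAC, IP) keyed to the client's port and VLAN, completed when the server's ACK arrives on a trusted port) and the rule that server messages (OFFER, ACK, NAK) arriving on an untrusted port are dropped as a rogue server. Interface names and addresses in the test are constructed.

```python
"""Forwarding decision for DHCPv4 snooping, following the rules in this
section. Added example, not switch firmware. The binding-table layout and
the rule that server messages are dropped on untrusted ports are assumptions
of this model and are marked as such below."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, Set, Tuple


class Msg(Enum):
    DISCOVER = 1
    OFFER = 2
    REQUEST = 3
    DECLINE = 4
    ACK = 5
    NAK = 6
    RELEASE = 7
    INFORM = 8


SERVER_MSGS = {Msg.OFFER, Msg.ACK, Msg.NAK}


@dataclass(frozen=True)
class Pkt:
    port: str          # ingress interface
    vlan: int
    src_mac: str       # Ethernet source address
    chaddr: str        # DHCP client hardware address field
    msg: Msg
    yiaddr: str = ""   # address offered/assigned (OFFER, ACK)
    ciaddr: str = ""   # client's own address (RELEASE, DECLINE, INFORM)


@dataclass
class Snooper:
    snooping_vlans: Set[int]                    # ip dhcp snooping vlan
    trusted_ports: Set[str]                     # ip dhcp snooping trust
    verify_mac: bool = True                     # ip dhcp snooping verify mac-address
    # Assumed layout: (client MAC, IP) -> (port, VLAN) the lease was learned on.
    bindings: Dict[Tuple[str, str], Tuple[str, int]] = field(default_factory=dict)
    pending: Dict[str, str] = field(default_factory=dict)   # chaddr -> port of last REQUEST

    def decide(self, p: Pkt) -> str:
        """Return 'forward' or 'drop: <reason>'; may update the binding table."""
        if p.vlan not in self.snooping_vlans:
            return "forward"                    # snooping not enabled on this VLAN
        mac = p.chaddr.lower()
        if p.port in self.trusted_ports:
            # Server-facing side is not filtered; an ACK completes a binding.
            if p.msg == Msg.ACK and p.yiaddr and mac in self.pending:
                client_port = self.pending.pop(mac)
                self.bindings[(mac, p.yiaddr)] = (client_port, p.vlan)
            return "forward"
        if p.msg in SERVER_MSGS:
            # Assumption, standard snooping behaviour: a server reply arriving on
            # an untrusted port comes from a rogue server and is discarded.
            return "drop: server message on untrusted port"
        if self.verify_mac and p.src_mac.lower() != mac:
            return "drop: chaddr does not match Ethernet source address"
        if p.msg in (Msg.DECLINE, Msg.RELEASE):
            # Forwarded only when the binding table holds a matching entry for
            # this client on this port and VLAN.
            if self.bindings.get((mac, p.ciaddr)) != (p.port, p.vlan):
                return "drop: no matching entry in binding table"
            return "forward"
        if p.msg == Msg.REQUEST:
            self.pending[mac] = p.port
        return "forward"
```

The spoofed RELEASE in the test (correct client MAC, but sent from a different port) is the case the binding-table check exists for; with verification disabled the chaddr mismatch is no longer caught, which is why the default is to leave it enabled.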
Chapter 9 | General Security Measures DHCPv4 Snooping ip dhcp snooping This command enables the use of DHCP Option 82 information for the switch, and information option specifies the frame format to use for the remote-id when Option 82 information is generated by the switch. Use the no form without any keywords to disable this function.
Chapter 9 | General Security Measures DHCPv4 Snooping This example enables the DHCP Snooping Information Option. Console(config)#ip dhcp snooping information option Console(config)# ip dhcp snooping This command disables the use of sub-type and sub-length fields for the information option circuit-ID (CID) and remote-ID (RID) in Option 82 information generated by the encode no-subtype switch. Use the no form to enable the use of these fields.
Chapter 9 | General Security Measures DHCPv4 Snooping ■ ◆ The ip dhcp snooping information option circuit-id command can be used to modify the default settings described above. The format for TR101 option 82 is: “ eth /[:]”. Note that the SID (Switch ID) is always 0. By default the PVID is added to the end of the TR101 field for untagged packets. For tagged packets, the VLAN ID is always added.
Chapter 9 | General Security Measures DHCPv4 Snooping mac-address - Inserts a MAC address in the remote ID sub-option for the DHCP snooping agent (that is, the MAC address of the switch’s CPU). ip-address - Inserts an IP address in the remote ID sub-option for the DHCP snooping agent (that is, the IP address of the management interface). encode - Indicates encoding in ASCII or hexadecimal. string - An arbitrary string inserted into the remote identifier field.
Chapter 9 | General Security Measures DHCPv4 Snooping ip dhcp snooping This command sets the board identifier used in Option 82 information based on information option TR-101 syntax. Use the no form to remove the board identifier. tr101 board-id Syntax ip dhcp snooping information option tr101 board-id board-id no ip dhcp snooping information option tr101 board-id board-id – TR101 Board ID.
Chapter 9 | General Security Measures DHCPv4 Snooping Command Usage When the switch receives DHCP packets from clients that already include DHCP Option 82 information, the switch can be configured to set the action policy for these packets. The switch can either drop the DHCP packets, keep the existing information, or replace it with the switch’s relay information.
Chapter 9 | General Security Measures DHCPv4 Snooping ip dhcp snooping vlan This command enables DHCP snooping on the specified VLAN. Use the no form to restore the default setting.
Chapter 9 | General Security Measures DHCPv4 Snooping ip dhcp snooping This command specifies DHCP Option 82 circuit-id suboption information. Use the information option no form to use the default settings. circuit-id Syntax ip dhcp snooping information option circuit-id string string | {tr101 {node-identifier {ip | sysname} | no-vlan-field} no dhcp snooping information option circuit-id [tr101 no-vlan-field] string - An arbitrary string inserted into the circuit identifier field.
■ access node identifier - ASCII string. Default is the MAC address of the switch’s CPU. This field is set by the ip dhcp snooping information option command.
■ eth - The second field is the fixed string “eth”.
■ slot - The slot represents the stack unit for this system.
■ port - The port which received the DHCP request. If the packet arrives over a trunk, the value is the ifIndex of the trunk.
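The TR101 circuit-id layout and the Option 82 action policy (drop, keep, replace) described in the usage notes above, worked through as an added example. This is not switch firmware: the field order follows the bullet list above (access node identifier, "eth", slot, port, VLAN), the "/" and ":" separators are taken from the format string, and because the page does not show where the Switch ID sits in the string it is left out here. The class, function and parameter names are this example's own.

```python
"""Option 82 circuit-id in TR101 form, plus the action policy for client
packets that already carry Option 82 (added example, not switch firmware).
"""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class Tr101Settings:
    access_node_id: str              # default on the switch: MAC address of the CPU
    include_vlan_field: bool = True  # "no-vlan-field" turns this off for untagged frames


def tr101_circuit_id(settings: Tr101Settings, slot: int, port: int,
                     tagged: bool, vlan_id: Optional[int], pvid: int) -> str:
    """Build "<access-node-id> eth <slot>/<port>[:<vlan>]".

    Per the usage note above, tagged frames always carry their VLAN ID and
    untagged frames carry the port PVID unless the VLAN field is disabled.
    """
    base = f"{settings.access_node_id} eth {slot}/{port}"
    if tagged:
        if vlan_id is None:
            raise ValueError("tagged frame without a VLAN ID")
        return f"{base}:{vlan_id}"
    if settings.include_vlan_field:
        return f"{base}:{pvid}"
    return base


def parse_tr101_circuit_id(value: str) -> Dict[str, object]:
    """Split a circuit-id back into its fields, e.g. when reading a DHCP
    server's lease log that records Option 82."""
    node_id, eth, location = value.rsplit(" ", 2)
    if eth != "eth":
        raise ValueError(f"not a TR101 circuit-id: {value!r}")
    slot_port, _, vlan = location.partition(":")
    slot, port = slot_port.split("/")
    return {
        "access_node_id": node_id,
        "slot": int(slot),
        "port": int(port),
        "vlan": int(vlan) if vlan else None,
    }


def apply_option82_policy(policy: str, existing: Optional[str],
                          own_circuit_id: str) -> Optional[str]:
    """Decide which circuit-id to relay for a client packet.

    'existing' is the circuit-id already present in the packet (None when
    the packet has no Option 82). Returns the circuit-id to forward, or
    None when the policy says the packet is dropped.
    """
    if existing is None:          # no Option 82 yet: the switch inserts its own
        return own_circuit_id
    if policy == "drop":
        return None
    if policy == "keep":
        return existing
    if policy == "replace":
        return own_circuit_id
    raise ValueError(f"unknown policy {policy!r}")


if __name__ == "__main__":
    cfg = Tr101Settings(access_node_id="00-11-22-33-44-55")  # constructed value
    cid = tr101_circuit_id(cfg, slot=1, port=5, tagged=False, vlan_id=None, pvid=1)
    print(cid, parse_tr101_circuit_id(cid))
```

The parser is the part a defender actually uses: correlating a lease or DHCP server log entry back to the physical port that relayed the request is what the circuit-id exists for.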
Example
This example sets the maximum number of DHCP clients supported on port 1 to 2.
Console(config)#interface ethernet 1/1
Console(config-if)#ip dhcp snooping max-number 2
Console(config-if)#

ip dhcp snooping trust
This command configures the specified interface as trusted. Use the no form to restore the default setting.
Related Commands
ip dhcp snooping (308)
ip dhcp snooping vlan (316)

clear ip dhcp snooping binding
This command clears DHCP snooping binding table entries from RAM. Use this command without any optional keywords to clear all entries from the binding table.
Syntax
clear ip dhcp snooping binding [mac-address ip.address]
mac-address - Specifies a MAC address entry.
Example
Console#ip dhcp snooping database flash
Console#

show ip dhcp snooping
This command shows the DHCP snooping configuration settings.
Chapter 9 | General Security Measures DHCPv6 Snooping
DHCPv6 Snooping
DHCPv6 snooping allows a switch to protect a network from rogue DHCPv6 servers or other devices which send port-related information to a DHCPv6 server. This information can be useful in tracking an IP address back to a physical port. This section describes commands used to configure DHCPv6 snooping.
wall. When DHCPv6 snooping is enabled globally by this command, and enabled on a VLAN interface by the ipv6 dhcp snooping vlan command, DHCP messages received on an untrusted interface (as specified by the no ipv6 dhcp snooping trust command) from a device not listed in the DHCPv6 snooping table will be dropped.
◆ When enabled, DHCPv6 messages entering an untrusted interface are filtered based upon dynamic entries learned via DHCPv6 snooping.
DHCP Server Packet
■ If a DHCP server packet is received on an untrusted port, drop this packet and add a log entry in the system.
■ If a DHCPv6 Reply packet is received from a server on a trusted port, it will be processed in the following manner:
a. Check if the IPv6 address in the IA option is found in the binding table:
■ If yes, continue to C.
■ If not, continue to B.
b.
Example
This example enables DHCPv6 snooping globally for the switch.
Console(config)#ipv6 dhcp snooping
Console(config)#
Related Commands
ipv6 dhcp snooping vlan (327)
ipv6 dhcp snooping trust (328)

ipv6 dhcp snooping option remote-id
This command enables the insertion of remote-id option 37 information into DHCPv6 client messages.
remove option 37 information in incoming DHCPv6 packets. Packets are processed as follows:
◆ If an incoming packet is a DHCPv6 request packet with option 37 information, it will modify the option 37 information according to settings specified with the ipv6 dhcp snooping option remote-id policy command.
these packets. The switch can either drop the DHCPv6 packets, keep the existing information, or replace it with the switch’s relay agent information.
Example
This example configures the switch to keep existing remote-id option 37 information within DHCPv6 client packets and forward it.
Console(config)#ipv6 dhcp snooping option remote-id policy keep
Console(config)#

ipv6 dhcp snooping vlan
This command enables DHCPv6 snooping on the specified VLAN.
Related Commands
ipv6 dhcp snooping (322)
ipv6 dhcp snooping trust (328)

ipv6 dhcp snooping max-binding
This command sets the maximum number of entries which can be stored in the binding database for an interface. Use the no form to restore the default setting.
Syntax
ipv6 dhcp snooping max-binding count
no ipv6 dhcp snooping max-binding
count - Maximum number of entries.
◆ When DHCPv6 snooping is enabled globally using the ipv6 dhcp snooping command, and enabled on a VLAN with the ipv6 dhcp snooping vlan command, DHCPv6 packet filtering will be performed on any untrusted ports within the VLAN according to the default status, or as specifically configured for an interface with the no ipv6 dhcp snooping trust command.
clear ipv6 dhcp snooping statistics
This command clears statistical counters for DHCPv6 snooping client, server and relay packets.
Command Mode
Privileged Exec
Example
Console(config)#clear ipv6 dhcp snooping statistics
Console(config)#

show ipv6 dhcp snooping
This command shows the DHCPv6 snooping configuration settings.
Chapter 9 | General Security Measures IPv4 Source Guard
IPv6 Address                            Lifetime   VLAN Port    Type
--------------------------------------- ---------- ---- ------- ---
2001:b000::1                            2591912    1    Eth 1/3 NA
Console#

show ipv6 dhcp snooping statistics
This command shows statistics for DHCPv6 snooping client, server and relay packets.
Table 61: IPv4 Source Guard Commands (Continued)
Command | Function | Mode
show ip source-guard | Shows whether source guard is enabled or disabled on each interface | PE
show ip source-guard binding | Shows the source guard binding table | PE

ip source-guard binding
This command adds a static address to the source-guard ACL or MAC address binding table. Use the no form to remove a static entry.
◆ When source guard is enabled, traffic is filtered based upon dynamic entries learned via DHCP snooping, or static addresses configured in the source guard binding table with this command.
◆ An entry with the same MAC address and a different VLAN ID cannot be added to the binding table.
ip source-guard
This command configures the switch to filter inbound traffic based on source IP address, or source IP address and corresponding MAC address. Use the no form to disable this function.
Syntax
ip source-guard {sip | sip-mac}
no ip source-guard
sip - Filters traffic based on IP addresses stored in the binding table.
sip-mac - Filters traffic based on IP addresses and corresponding MAC addresses stored in the binding table.
the sip-mac option). If a matching entry is found in the binding table and the entry type is static IP source guard binding, the packet will be forwarded.
■ If DHCP snooping is enabled, IP source guard will check the VLAN ID, source IP address, port number, and source MAC address (for the sip-mac option).
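The lookup the filtering rules above describe, written out as an added example (not switch code) so the difference between the sip and sip-mac modes, and between DHCP snooping enabled and disabled, can be tested against a small binding table. It also enforces the rule from the ip source-guard binding usage notes that one MAC address cannot be bound in two different VLANs. The binding table and frames are constructed sample data; all names are this example's own.

```python
"""IPv4 Source Guard binding check (added example, not switch firmware).

Entry types follow the page: "static" entries come from the
ip source-guard binding command, "dynamic" entries from DHCP snooping.
"""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Binding:
    entry_type: str   # "static" or "dynamic"
    vlan: int
    ip: str
    port: str
    mac: str


@dataclass(frozen=True)
class Frame:
    vlan: int
    src_ip: str
    in_port: str
    src_mac: str


def add_static_binding(table: List[Binding], new: Binding) -> None:
    """Insert a static entry; a MAC already bound in one VLAN cannot be
    bound again under a different VLAN ID (rule from the usage notes)."""
    for b in table:
        if b.mac.lower() == new.mac.lower() and b.vlan != new.vlan:
            raise ValueError(
                f"{new.mac} is already bound in VLAN {b.vlan}; "
                "the same MAC with a different VLAN ID is not allowed")
    table.append(new)


def source_guard_permits(frame: Frame, table: List[Binding], mode: str,
                         dhcp_snooping_enabled: bool) -> bool:
    """Return True if the frame passes the source guard check on its port.

    mode is "sip" (VLAN + IP + port) or "sip-mac" (additionally the MAC).
    With DHCP snooping disabled only static entries are consulted; with it
    enabled, dynamic entries learned by snooping count as well.
    """
    if mode not in ("sip", "sip-mac"):
        raise ValueError(f"unknown mode {mode!r}")
    for b in table:
        if (b.vlan, b.ip, b.port) != (frame.vlan, frame.src_ip, frame.in_port):
            continue
        if mode == "sip-mac" and b.mac.lower() != frame.src_mac.lower():
            continue
        if not dhcp_snooping_enabled and b.entry_type != "static":
            continue
        return True
    return False  # no usable binding: the frame is filtered


# Constructed sample table: one static entry and one entry learned by snooping.
SAMPLE_TABLE: List[Binding] = []
add_static_binding(SAMPLE_TABLE,
                   Binding("static", 1, "192.168.1.10", "Eth 1/1", "00-30-29-94-34-de"))
SAMPLE_TABLE.append(Binding("dynamic", 1, "192.168.1.20", "Eth 1/2", "00-30-29-94-34-df"))

if __name__ == "__main__":
    spoofed = Frame(1, "192.168.1.10", "Eth 1/2", "00-30-29-94-34-df")  # right IP, wrong port
    print("spoofed frame permitted:", source_guard_permits(spoofed, SAMPLE_TABLE, "sip", True))
```

The last check in the usage block (spoofed IP from a different port) is the case source guard exists for: the binding ties the address to the port it was learned on, so a host elsewhere in the VLAN cannot borrow it.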
Command Mode
Interface Configuration (Ethernet)
Command Usage
◆ This command sets the maximum number of address entries that can be mapped to an interface in the binding table for the specified mode (ACL binding table or MAC address table), including dynamic entries discovered by DHCP snooping and static entries set by the ip source-guard command.
◆ The maximum binding for ACL mode restricts the number of “active” entries per port.
Command Usage
There are two modes for the filtering table:
◆ ACL - IP traffic will be forwarded if it passes the checking process in the ACL mode binding table.
◆ MAC - A MAC entry will be added to the MAC address table if IP traffic passes the checking process in the MAC mode binding table.
Example
Console#show ip source-guard
Interface  Filter-type  Filter-table  ACL Table Max-binding  MAC Table Max-binding
---------  -----------  ------------  ---------------------  ---------------------
Eth 1/1    DISABLED     ACL           5                      1024
Eth 1/2    DISABLED     ACL           5                      1024
Eth 1/3    DISABLED     ACL           5                      1024
Eth 1/4    DISABLED     ACL           5                      1024
Eth 1/5    DISABLED     ACL           5                      1024
. . .

show ip source-guard binding
This command shows the source guard binding table.
Chapter 9 | General Security Measures IPv6 Source Guard
IPv6 Source Guard
IPv6 Source Guard is a security feature that filters IPv6 traffic on non-routed, Layer 2 network interfaces based on manually configured entries in the IPv6 Source Guard table, or dynamic entries in the Neighbor Discovery Snooping table or DHCPv6 Snooping table when either snooping protocol is enabled (see “DHCPv6 Snooping” on page 322).
Default Setting
No configured entries
Command Mode
Global Configuration
Command Usage
◆ Table entries include an associated MAC address, IPv6 global unicast address, entry type (Static-IPv6-SG-Binding, Dynamic-ND-Snooping, Dynamic-DHCPv6-Snooping), VLAN identifier, and port identifier.
◆ Traffic filtering is based only on the source IPv6 address, VLAN ID, and port number.
ipv6 dhcp snooping (322)
ipv6 dhcp snooping vlan (327)

ipv6 source-guard
This command configures the switch to filter inbound traffic based on the source IP address stored in the binding table. Use the no form to disable this function.
◆ Filtering rules are implemented as follows:
■ If ND snooping and DHCPv6 snooping are disabled, IPv6 source guard will check the VLAN ID, source IPv6 address, and port number. If a matching entry is found in the binding table and the entry type is static IPv6 source guard binding, the packet will be forwarded.
■ If ND snooping or DHCPv6 snooping is enabled, IPv6 source guard will check the VLAN ID, source IP address, and port number.
Command Mode
Interface Configuration (Ethernet)
Command Usage
◆ This command sets the maximum number of address entries that can be mapped to an interface in the binding table, including dynamic entries discovered by ND snooping or DHCPv6 snooping as well as static entries set by the ipv6 source-guard command.
◆ IPv6 source guard maximum bindings must be set to a value higher than DHCPv6 snooping maximum bindings and ND snooping maximum bindings.
Chapter 9 | General Security Measures ARP Inspection
(remainder of the show ipv6 source-guard output: Eth 1/5, Eth 1/6, . . . SIP Disabled 1 5)

show ipv6 source-guard binding
This command shows the IPv6 source guard binding table.
Syntax
show ipv6 source-guard binding [dynamic | static]
dynamic - Shows dynamic entries configured with ND Snooping or DHCPv6 Snooping commands (see page 322)
static - Shows static entries configured with the ipv6 source-guard binding command.
ARP Inspection
This section describes commands used to configure ARP Inspection.
◆ When ARP Inspection is enabled globally and enabled on selected VLANs, all ARP request and reply packets on those VLANs are redirected to the CPU and their switching is handled by the ARP Inspection engine.
◆ When ARP Inspection is disabled globally, it becomes inactive for all VLANs, including those where ARP Inspection is enabled.
Command Usage
◆ ARP ACLs are configured with the commands described under “ARP ACLs” on page 384.
◆ If static mode is enabled, the switch compares ARP packets to the specified ARP ACLs. Packets matching an IP-to-MAC address binding in a permit or deny rule are processed accordingly. Packets not matching any of the ACL rules are dropped. Address bindings in the DHCP snooping database are not checked.
◆ If multiple, identical invalid ARP packets are received consecutively on the same VLAN, then the logging facility will only generate one entry in the log buffer and one corresponding system message.
◆ The maximum number of entries that can be stored in the log buffer is determined by the message-number parameter. If the log buffer fills up before a message is sent, the oldest entry will be replaced with the newest one.
Command Usage
By default, ARP Inspection only checks the IP-to-MAC address bindings specified in an ARP ACL or in the DHCP Snooping database.
Example
Console(config)#ip arp inspection validate dst-mac
Console(config)#

ip arp inspection vlan
This command enables ARP Inspection for a specified VLAN or range of VLANs. Use the no form to disable this function.
Syntax
[no] ip arp inspection vlan {vlan-id | vlan-range}
vlan-id - VLAN ID.
Example
Console(config)#ip arp inspection vlan 1,2
Console(config)#

ip arp inspection limit
This command sets a rate limit for the ARP packets received on a port. Use the no form to restore the default setting.
Syntax
ip arp inspection limit {rate pps | none}
no ip arp inspection limit
pps - The maximum number of ARP packets that can be processed by the CPU per second on trusted or untrusted ports.
Command Mode
Interface Configuration (Port, Static Aggregation)
Command Usage
Packets arriving on untrusted ports are subject to any configured ARP Inspection and additional validation checks. Packets arriving on trusted ports bypass all of these checks, and are forwarded according to normal switching rules.
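The ARP Inspection decision path spread across the usage notes above (ARP ACL matching, static mode versus the DHCP snooping database, the log buffer that collapses consecutive identical invalid packets on a VLAN and holds at most message-number entries, and the trusted-port bypass), put together as one added example. This is not switch firmware: ARP ACL rules use the "ip <address> <bitmask> mac <address>" shape of the ARP ACL section later in the chapter, the snooping bindings and packets are constructed sample data, and all class and function names are this example's own.

```python
"""ARP Inspection decision path and log buffer (added example, not switch
firmware). Sample rules, bindings and packets are constructed.
"""
from collections import deque
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Deque, Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class ArpPacket:
    vlan: int
    port: str
    sender_ip: str
    sender_mac: str


@dataclass(frozen=True)
class ArpAclRule:
    action: str                          # "permit" or "deny"
    ip: str = "any"                      # sender IP or "any"
    ip_bitmask: str = "255.255.255.255"  # 1 bits are compared, 0 bits ignored
    mac: str = "any"                     # sender MAC or "any"

    def matches(self, pkt: ArpPacket) -> bool:
        if self.ip != "any":
            mask = int(IPv4Address(self.ip_bitmask))
            if (int(IPv4Address(pkt.sender_ip)) & mask) != (int(IPv4Address(self.ip)) & mask):
                return False
        if self.mac != "any" and self.mac.lower() != pkt.sender_mac.lower():
            return False
        return True


class InspectionLog:
    """Bounded log: the oldest entry is replaced when full, and identical
    invalid packets arriving back-to-back on the same VLAN produce one entry."""

    def __init__(self, message_number: int) -> None:
        self.entries: Deque[ArpPacket] = deque(maxlen=message_number)
        self._last_on_vlan: Dict[int, ArpPacket] = {}

    def record(self, pkt: ArpPacket) -> bool:
        """Return True if a new entry was written."""
        if self._last_on_vlan.get(pkt.vlan) == pkt:
            return False
        self._last_on_vlan[pkt.vlan] = pkt
        self.entries.append(pkt)
        return True


class ArpInspector:
    def __init__(self, acl: List[ArpAclRule], static_mode: bool,
                 snooping_bindings: Set[Tuple[int, str, str]],
                 trusted_ports: Set[str], log: InspectionLog) -> None:
        self.acl = acl
        self.static_mode = static_mode
        self.bindings = snooping_bindings   # (vlan, ip, lower-case mac) from DHCP snooping
        self.trusted_ports = trusted_ports
        self.log = log

    def inspect(self, pkt: ArpPacket) -> bool:
        """True = forward, False = drop (and log)."""
        if pkt.port in self.trusted_ports:     # trusted ports bypass every check
            return True
        verdict: Optional[bool] = None
        for rule in self.acl:                  # first matching ACL rule decides
            if rule.matches(pkt):
                verdict = rule.action == "permit"
                break
        if verdict is None:
            if self.static_mode:               # static mode: unmatched packets are dropped
                verdict = False
            else:                              # otherwise the snooping database is consulted
                verdict = (pkt.vlan, pkt.sender_ip, pkt.sender_mac.lower()) in self.bindings
        if not verdict:
            self.log.record(pkt)
        return verdict


if __name__ == "__main__":
    log = InspectionLog(message_number=2)
    insp = ArpInspector([ArpAclRule("permit", "192.168.0.0", "255.255.0.0")], True,
                        {(1, "10.0.0.5", "00-30-29-94-34-de")}, {"Eth 1/24"}, log)
    print(insp.inspect(ArpPacket(1, "Eth 1/1", "10.0.0.5", "00-30-29-94-34-de")),
          len(log.entries))
```

Running the usage block shows the static-mode trap: the packet carries a binding that DHCP snooping knows, but in static mode only the ACL is consulted, so it is dropped and logged.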
Example
Console#show ip arp inspection interface ethernet 1/1
Port Number   Trust Status   Rate Limit (pps)
------------- -------------- ----------------
Eth 1/1       Trusted        150
Console#

show ip arp inspection log
This command shows information about entries stored in the log, including the associated VLAN, port, and address components.
Chapter 9 | General Security Measures Denial of Service Protection
show ip arp inspection vlan
This command shows the configuration settings for VLANs, including ARP Inspection status, the ARP ACL name, and if the DHCP Snooping database is used after ARP ACL validation is completed.
Syntax
show ip arp inspection vlan [vlan-id | vlan-range]
vlan-id - VLAN ID.
Table 64: DoS Protection Commands (Continued)
Command | Function | Mode
dos-protection tcp-syn-fin-scan | Protects against DoS TCP-SYN/FIN-scan attacks | GC
dos-protection tcp-udp-port-zero | Protects against attacks which set the Layer 4 source or destination port to zero | GC
dos-protection tcp-xmas-scan | Protects against DoS TCP-XMAS-scan attacks | GC
dos-protection udp-flooding | Protects against DoS UDP-flooding attacks | GC
dos-protection
Default Setting
Disabled
Command Mode
Global Configuration
Example
Console(config)#dos-protection land
Console(config)#

dos-protection smurf
This command protects against DoS smurf attacks in which a perpetrator generates a large amount of spoofed ICMP Echo Request traffic to the broadcast destination IP address (255.255.255.255), all of which uses a spoofed source address of the intended victim.
rate – Maximum allowed rate. (Range: 64-2000 kbits/second)
Default Setting
Disabled, 1000 kbits/second
Command Mode
Global Configuration
Example
Console(config)#dos-protection tcp-flooding bit-rate-in-kilo 65
Console(config)#

dos-protection tcp-null-scan
This command protects against DoS TCP-null-scan attacks in which a TCP NULL scan message is used to identify listening TCP ports.
Default Setting
Disabled
Command Mode
Global Configuration
Example
Console(config)#dos-protection syn-fin-scan
Console(config)#

dos-protection tcp-udp-port-zero
This command protects against DoS attacks in which the TCP or UDP source port or destination port is set to zero. This technique may be used as a form of DoS attack, or it may just indicate a problem with the source device.
Example
Console(config)#dos-protection tcp-xmas-scan
Console(config)#

dos-protection udp-flooding
This command protects against DoS UDP-flooding attacks in which a perpetrator sends a large number of UDP packets (with or without a spoofed source IP) to random ports on a remote host. The target will determine that no application is listening at that port, and reply with an ICMP Destination Unreachable packet.
Chapter 9 | General Security Measures Port-based Traffic Segmentation
rate – Maximum allowed rate. (Range: 64-2000 kbits/second)
Default Setting
Disabled, 1000 kbits/second
Command Mode
Global Configuration
Example
Console(config)#dos-protection win-nuke bit-rate-in-kilo 65
Console(config)#

show dos-protection
This command shows the configuration settings for the DoS protection commands.
Table 65: Commands for Configuring Traffic Segmentation
Command | Function | Mode
traffic-segmentation | Enables traffic segmentation | GC
traffic-segmentation session | Creates a client session | GC
traffic-segmentation uplink/downlink | Configures uplink/downlink ports for client sessions | GC
traffic-segmentation uplink-to-uplink | Specifies whether or not traffic can be forwarded between uplink ports assigned to different client sessions
Table 66: Traffic Segmentation Forwarding (Continued)
Source \ Destination | Session #1 Downlinks | Session #1 Uplinks | Session #2 Downlinks | Session #2 Uplinks | Normal Ports
Session #2 Downlink Ports | Blocking | Blocking | Blocking | Forwarding | Blocking
Session #2 Uplink Ports | Blocking | Blocking/Forwarding* | Forwarding | Forwarding | Forwarding
Normal Ports | Forwarding | Forwarding | Forwarding | Forwarding | Forwarding
* The forwarding stat
◆ Using the no form of this command will remove any assigned uplink or downlink ports, restoring these interfaces to normal operating mode.
Example
Console(config)#traffic-segmentation session 1
Console(config)#

traffic-segmentation uplink/downlink
This command configures the uplink and downlink ports for a segmented group of ports. Use the no form to remove a port from the segmented group.
◆ If a downlink port is not configured for the session, the assigned uplink ports will operate as normal ports.
Example
This example enables traffic segmentation, and then sets port 10 as the uplink and ports 5-8 as downlinks.
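The forwarding matrix of Table 66 and the usage note above (uplinks of a session with no downlink behave as normal ports), expressed as a decision function so a proposed segmentation can be checked before it is configured. This is an added example, not switch code, and it goes slightly beyond the page: only the Session #2 and Normal Ports rows of the table are visible above, so the example assumes the same rule applies symmetrically to Session #1 and to any further session, with the uplink-to-uplink setting from Table 65 deciding the starred cell. The role map mirrors the example above (port 10 uplink, ports 5-8 downlinks) and assumes session 1; all names are this example's own.

```python
"""Traffic segmentation forwarding decision (added example, not switch code).
The symmetric treatment of every session is an assumption of this example.
"""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class PortRole:
    kind: str                    # "downlink", "uplink" or "normal"
    session: Optional[int] = None


def forwards(src: PortRole, dst: PortRole, uplink_to_uplink: bool) -> bool:
    """True if frames entering src may leave through dst."""
    if src.kind == "normal":
        return True                                   # normal ports reach everything
    if src.kind == "downlink":                        # downlinks reach only their own uplinks
        return dst.kind == "uplink" and dst.session == src.session
    # src is an uplink
    if dst.kind == "normal" or dst.session == src.session:
        return True                                   # normal ports, own downlinks and uplinks
    if dst.kind == "uplink":
        return uplink_to_uplink                       # the starred cell in Table 66
    return False                                      # another session's downlinks


def effective_role(port: str, roles: Dict[str, PortRole]) -> PortRole:
    """Apply the usage note: uplinks of a session that has no downlink
    configured operate as normal ports. Unlisted ports are normal ports."""
    role = roles.get(port, PortRole("normal"))
    if role.kind == "uplink" and not any(
            r.kind == "downlink" and r.session == role.session for r in roles.values()):
        return PortRole("normal")
    return role


# Constructed role map matching the example above (session 1 assumed).
EXAMPLE_ROLES: Dict[str, PortRole] = {
    "Eth 1/10": PortRole("uplink", 1),
    **{f"Eth 1/{p}": PortRole("downlink", 1) for p in range(5, 9)},
}


def may_forward(src_port: str, dst_port: str, roles: Dict[str, PortRole],
                uplink_to_uplink: bool = False) -> bool:
    """Port-level check combining the role lookup with the matrix."""
    return forwards(effective_role(src_port, roles),
                    effective_role(dst_port, roles), uplink_to_uplink)


if __name__ == "__main__":
    # Two downlinks of the same session must not reach each other.
    print(may_forward("Eth 1/5", "Eth 1/6", EXAMPLE_ROLES),
          may_forward("Eth 1/5", "Eth 1/10", EXAMPLE_ROLES))
```

The isolation property a deployment usually wants from this feature is the first result in the usage block: two downlinks in the same session cannot exchange frames even though they share a VLAN, while each still reaches the uplink.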
show traffic-segmentation
This command displays the configured traffic segments.
Syntax
show traffic-segmentation [session session-id]
session-id – Traffic segmentation session.
10 Access Control Lists Access Control Lists (ACL) provide packet filtering for IPv4 frames (based on address, protocol, Layer 4 protocol port number or TCP control code), IPv6 frames (based on address, DSCP traffic class, or next header type), or any frames (based on MAC address or Ethernet type). To filter packets, first create an access list, add the required rules, and then bind the list to a specific port. This section describes the Access Control List commands.
Chapter 10 | Access Control Lists IPv4 ACLs
access-list ip
This command adds an IP access list and enters configuration mode for standard or extended IPv4 ACLs. Use the no form to remove the specified ACL.
Syntax
[no] access-list ip {standard | extended} acl-name
standard – Specifies an ACL that filters packets based on the source IP address.
extended – Specifies an ACL that filters packets based on the source or destination IP address, and other more specific criteria.
acl-name – Name of the ACL.
bitmask – Dotted decimal number representing the address bits to match.
host – Keyword followed by a specific IP address.
time-range-name - Name of the time range. (Range: 1-32 characters)
Default Setting
None
Command Mode
Standard IPv4 ACL
Command Usage
◆ New rules are appended to the end of the list.
◆ Address bit masks are similar to a subnet mask, containing four integers from 0 to 255, each separated by a period.
no {permit | deny} [protocol-number] {any | source address-bitmask | host source} {any | destination address-bitmask | host destination} [precedence precedence] [dscp dscp] [source-port sport [bitmask]] [destination-port dport [port-bitmask]]
{permit | deny} [icmp | tcp | udp] {any | source address-bitmask | host source} {any | destination address-bitmask | host destination} [precedence precedence] [dscp dscp] [source-port sport [bitmask]] [destination-port dport
Default Setting
None
Command Mode
Extended IPv4 ACL
Command Usage
◆ All new rules are appended to the end of the list.
◆ Address bit masks are similar to a subnet mask, containing four integers from 0 to 255, each separated by a period. The binary mask uses 1 bits to indicate “match” and 0 bits to indicate “ignore.”
Console(config-ext-acl)#permit tcp 192.168.1.0 255.255.255.0 any destination-port 80
Console(config-ext-acl)#
This permits all TCP packets from class C addresses 192.168.1.0 with the TCP control code set to “SYN.”
Console(config-ext-acl)#permit tcp 192.168.1.0 255.255.255.0 any control-flag 2 2
Console(config-ext-acl)#
Related Commands
access-list ip (366)
Time Range (165)

ip access-group
This command binds an IPv4 ACL to a port.
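How the address bitmask ("1 bits match, 0 bits ignore"), the port bitmask and the control-flag value/mask pair from the two rules above are actually applied to a packet, as an added example that is not switch code. It evaluates rules in the order they were added, as the usage notes state, and because the page does not say what happens to a packet that matches no rule of a bound ACL, evaluate() returns None in that case rather than assuming a verdict. The packets are constructed sample data and all names are this example's own.

```python
"""Extended IPv4 ACL rule evaluation with address bitmasks, port bitmasks
and TCP control flags (added example, not switch code).
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional

TCP_SYN = 0x02   # the control-code bit used by the "control-flag 2 2" rule above
TCP_ACK = 0x10


@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp", "udp", "icmp" or another protocol name
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    tcp_flags: int = 0


@dataclass(frozen=True)
class Rule:
    action: str                        # "permit" or "deny"
    proto: str = "any"                 # "any", "tcp", "udp", "icmp"
    src: str = "any"                   # address or "any"; "host x" is mask 255.255.255.255
    src_mask: str = "255.255.255.255"
    dst: str = "any"
    dst_mask: str = "255.255.255.255"
    dport: Optional[int] = None
    dport_mask: int = 0xFFFF
    control_flag: Optional[int] = None
    control_mask: int = 0


def _addr_matches(addr: str, rule_addr: str, bitmask: str) -> bool:
    """Compare only the address bits that are 1 in the bitmask."""
    if rule_addr == "any":
        return True
    m = int(IPv4Address(bitmask))
    return (int(IPv4Address(addr)) & m) == (int(IPv4Address(rule_addr)) & m)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "any" and rule.proto != pkt.proto:
        return False
    if not _addr_matches(pkt.src, rule.src, rule.src_mask):
        return False
    if not _addr_matches(pkt.dst, rule.dst, rule.dst_mask):
        return False
    if rule.dport is not None and \
            (pkt.dport & rule.dport_mask) != (rule.dport & rule.dport_mask):
        return False
    if rule.control_flag is not None and \
            (pkt.tcp_flags & rule.control_mask) != (rule.control_flag & rule.control_mask):
        return False
    return True


def evaluate(acl: List[Rule], pkt: Packet) -> Optional[str]:
    """Rules are kept in the order they were added; the first match decides.
    None means no rule matched (the page does not state a default verdict)."""
    for rule in acl:
        if rule_matches(rule, pkt):
            return rule.action
    return None


# The two rules from the example above, as this example represents them.
EXAMPLE_ACL: List[Rule] = [
    Rule("permit", "tcp", "192.168.1.0", "255.255.255.0", dport=80),
    Rule("permit", "tcp", "192.168.1.0", "255.255.255.0",
         control_flag=TCP_SYN, control_mask=TCP_SYN),
]

if __name__ == "__main__":
    # A SYN to port 443 from the class C range matches the second rule only.
    print(evaluate(EXAMPLE_ACL, Packet("tcp", "192.168.1.7", "8.8.8.8", 40000, 443, TCP_SYN)))
```

Note that the second rule permits any TCP segment with SYN set regardless of port, which is what "control-flag 2 2" means: the mask selects only bit 1, so SYN+ACK segments match it too. That breadth is easy to overlook when reading the rule as "new connections only".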
Related Commands
show ip access-list (371)
Time Range (165)

show ip access-group
This command shows the ports assigned to IP ACLs.
Command Mode
Privileged Exec
Example
Console#show ip access-group
Interface ethernet 1/2
 IP access-list david in
Console#

show ip access-list
This command displays the rules for configured IPv4 ACLs.
Syntax
show ip access-list {standard | extended} [acl-name]
standard – Specifies a standard IP ACL.
Chapter 10 | Access Control Lists IPv6 ACLs
IPv6 ACLs
The commands in this section configure ACLs based on IPv6 addresses, DSCP traffic class, or next header type. To configure IPv6 ACLs, first create an access list containing the required permit or deny rules, and then bind the access list to one or more ports.
◆ An ACL can contain up to 64 rules.
Example
Console(config)#access-list ipv6 standard david
Console(config-std-ipv6-acl)#
Related Commands
permit, deny (Standard IPv6 ACL) (373)
permit, deny (Extended IPv6 ACL) (374)
ipv6 access-group (376)
show ipv6 access-list (377)

permit, deny (Standard IPv6 ACL)
This command adds a rule to a Standard IPv6 ACL. The rule sets a filter condition for packets emanating from the specified source.
Example
This example configures one permit rule for the specific address 2009:DB9:2229::79 and another rule for the addresses with the network prefix 2009:DB9:2229:5::/64.
Console(config-std-ipv6-acl)#permit host 2009:DB9:2229::79
Console(config-std-ipv6-acl)#permit 2009:DB9:2229:5::/64
Console(config-std-ipv6-acl)#
Related Commands
access-list ipv6 (372)
Time Range (165)

permit, deny (Extended IPv6 ACL)
This command adds a rule to an Extended IPv6 ACL.
be used in the address to indicate the appropriate number of zeros required to fill the undefined fields.
destination-ipv6-address - An IPv6 destination address or network class. The address must be formatted according to RFC 2373 “IPv6 Addressing Architecture,” using 8 colon-separated 16-bit hexadecimal values. One double colon may be used in the address to indicate the appropriate number of zeros required to fill the undefined fields.
Example
This example accepts any incoming packets if the destination address is 2009:DB9:2229::79/8.
Console(config-ext-ipv6-acl)#permit any 2009:db90:2229::79/8
Console(config-ext-ipv6-acl)#
This allows packets to any destination address when the DSCP value is 5.
Console(config-ext-ipv6-acl)#permit any any dscp 5
Console(config-ext-ipv6-acl)#
This allows any packets sent from any source to any destination when the next header is 43.
Command Usage
If a port is already bound to an ACL and you bind it to a different ACL, the switch will replace the old binding with the new one or the configuration will fail.
Example
Console(config)#interface ethernet 1/2
Console(config-if)#ipv6 access-group standard david in
Console(config-if)#
Related Commands
show ipv6 access-list (377)
Time Range (165)

show ipv6 access-group
This command shows the ports assigned to IPv6 ACLs.
Chapter 10 | Access Control Lists MAC ACLs
 permit 2009:DB9:2229:5::/64
Console#
Related Commands
permit, deny (Standard IPv6 ACL) (373)
permit, deny (Extended IPv6 ACL) (374)
ipv6 access-group (376)

MAC ACLs
The commands in this section configure ACLs based on hardware addresses, packet format, and Ethernet type. The ACLs can further specify optional IP and IPv6 addresses including protocol type and upper layer ports.
Command Usage
◆ When you create a new ACL or enter configuration mode for an existing ACL, use the permit or deny command to add new rules to the bottom of the list.
◆ To remove a rule, use the no permit or no deny command followed by the exact text of a previously configured rule.
◆ An ACL can contain up to 2048 rules.
[ethertype ethertype [ethertype-bitmask]] [protocol protocol] [l4-source-port sport [port-bitmask]] [l4-destination-port dport [port-bitmask]]
Note: The default is for Ethernet II packets.
no {permit | deny} untagged-eth2 {any | host source | source address} {any | host destination | destination address} [ip {any | host source-ip | source-ip network-mask} {any | host destination-ip | destination-ip network-mask}] [ipv6 {any | host source-ipv6 | source-ipv6/prefix-length} {any | host destination-ipv6 | destination-ipv6/prefix-length}] [ethertype ethertype [ethertype-bitmask]] [protocol protocol] [l4-source-port sport [port-bitmask]] [l4-destination-p
vid – VLAN ID. (Range: 1-4094)
vid-bitmask – VLAN bitmask. (Range: 1-4095)
ethertype – A specific Ethernet protocol number. (Range: 0-ffff hex)
ethertype-bitmask – Protocol bitmask. (Range: 0-ffff hex)
protocol - IP protocol or IPv6 next header. (Range: 0-255) For information on next headers, see permit, deny (Extended IPv6 ACL).
sport – Protocol source port number. (Range: 0-65535)
dport – Protocol destination port number.
mac access-group
This command binds a MAC ACL to a port. Use the no form to remove the port.
Syntax
mac access-group acl-name {in | out} [time-range time-range-name] [counter]
no mac access-group acl-name {in | out}
acl-name – Name of the ACL. (Maximum length: 32 characters)
in – Indicates that this list applies to ingress packets.
out – Indicates that this list applies to egress packets.
time-range-name - Name of the time range.
Chapter 10 | Access Control Lists ARP ACLs
Related Commands
mac access-group (383)

show mac access-list
This command displays the rules for configured MAC ACLs.
Syntax
show mac access-list [acl-name]
acl-name – Name of the ACL.
acl-name – Name of the ACL. (Maximum length: 32 characters)
Default Setting
None
Command Mode
Global Configuration
Command Usage
◆ When you create a new ACL or enter configuration mode for an existing ACL, use the permit or deny command to add new rules to the bottom of the list. To create an ACL, you must add at least one rule to the list.
◆ To remove a rule, use the no permit or no deny command followed by the exact text of a previously configured rule.
{any | host destination-ip | destination-ip ip-address-bitmask} mac {any | host source-mac | source-mac mac-address-bitmask} [any | host destination-mac | destination-mac mac-address-bitmask] [log]
source-ip – Source IP address.
destination-ip – Destination IP address with bitmask.
ip-address-bitmask – IPv4 number representing the address bits to match.
source-mac – Source MAC address.
destination-mac – Destination MAC address range with bitmask.
Chapter 10 | Access Control Lists ACL Information
Example
Console#show access-list arp
ARP access-list factory:
 permit response ip any 192.168.0.0 255.255.0.0 mac any any
Console#
Related Commands
permit, deny (385)

ACL Information
This section describes commands used to display ACL information.
show access-group
This command shows the port assignments of ACLs.
Command Mode
Privileged Exec
Example
Console#show access-group
Interface ethernet 1/1
 IP access-list ex1 in
 IP access-list ex1 out
Interface ethernet 1/2
 IPv6 access-list i6ex in
 IPv6 access-list i6ex out
Console#

show access-list
This command shows all ACLs and associated rules.
 permit TCP 192.168.1.0 255.255.255.0 any destination-port 80
 permit TCP 192.168.1.0 255.255.255.0 any control-flag 2 2
 permit 10.7.1.1 255.255.255.0 any
MAC access-list jerry:
 permit any host 00-30-29-94-34-de ethertype 800 800
 permit any any VID 1 ethertype 0000 cos 1 1
IP extended access-list A6:
 permit any any DSCP 5
 permit any any next-header 43
 permit any 2009:db90:2229::79/8
ARP access-list arp1:
 permit response ip any 192.168.0.0 255.255.0.
11 Interface Commands These commands are used to display or set communication parameters for an Ethernet port, aggregated link, or VLAN; or perform cable diagnostics on the specified interface.
Chapter 11 | Interface Commands
Table 73: Interface Commands (Continued)
Command | Function | Mode
transceiver-threshold current | Sets thresholds for transceiver current which can be used to trigger an alarm or warning message | IC
transceiver-threshold rx-power | Sets thresholds for the transceiver power level of the received signal which can be used to trigger an alarm or warning message | IC
transceiver-threshold temperature | Sets thresholds for the transceiver temperature which can be used to trigger | IC
Default Setting
None
Command Mode
Global Configuration
Example
To specify several different ports, enter the following command:
Console(config)#interface ethernet 1/17-20,23
Console(config-if)#

alias
This command configures an alias name for the interface. Use the no form to remove the alias name.
Syntax
alias string
no alias
string - A mnemonic name to help you remember what is attached to this interface.
description
This command adds a description to an interface. Use the no form to remove the description.
Syntax
description string
no description
string - Comment or a description to help you remember what is attached to this interface. (Range: 1-64 characters)
Default Setting
None
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
The description is displayed by the show interfaces status command and in the running-configuration file.
Command Usage
Use the no discard command to allow CDP or PVST packets to be forwarded to other ports in the same VLAN which are also configured to forward the specified packet type.
Example
The following example forwards CDP packets entering port 5.
Console(config)#interface ethernet 1/5
Console(config-if)#discard cdp
Console(config-if)#

flowcontrol
This command enables flow control. Use the no form to disable flow control.
history
This command configures a periodic sampling of statistics, specifying the sampling interval and number of samples. Use the no form to remove a named entry from the sampling table.
Syntax
history name interval buckets
no history [name]
name - A symbolic name for this entry in the sampling table. (Range: 1-31 characters)
interval - The interval for sampling statistics. (Range: 1-86400 seconds)
buckets - The number of samples to take.
copper-forced - Always uses the built-in RJ-45 port.
sfp-forced - Forces transceiver mode for the SFP/SFP+ port.
sfp-preferred-auto - Uses the SFP port if both combination types are functioning and the SFP port has a valid link.
mode
1000sfp - Always uses 1000BASE SFP mode.
10gsfp - Always uses 10GBASE SFP mode.
Example
The following example disables port 5.
Console(config)#interface ethernet 1/5
Console(config-if)#shutdown
Console(config-if)#

speed-duplex
This command configures the speed and duplex mode of a given interface when auto-negotiation is disabled. Use the no form to restore the default.
clear counters
This command clears statistics on an interface.
Syntax
clear counters interface
interface
  ethernet unit/port
    unit - Unit identifier. (Range: 1)
    port - Port number. (Range: 1-54)
  port-channel channel-id (Range: 1-26)
Default Setting
None
Command Mode
Privileged Exec
Command Usage
The hardware counters themselves are only reset by a power cycle. This command sets the base value for displayed statistics to zero for the current management session, so other sessions and SNMP polling still see the cumulative values.
show interfaces brief
This command displays a summary of key information, including operational status, native VLAN ID, default priority, speed/duplex mode, and port type for all ports.
Command Mode
Privileged Exec
Command Usage
◆ If an SFP transceiver is inserted in a port, the Type field will show the SFP type as interpreted from the Ethernet Compliance Codes (Data Byte 6 in Address A0h).
  port-channel channel-id (Range: 1-26)
Default Setting
Shows the counters for all interfaces.
Command Mode
Normal Exec, Privileged Exec
Command Usage
If no interface is specified, information on all interfaces is displayed.
  606 Octets Output in kbits per second
  1 Packets Output per second
  0.00 % Output Utilization
Console#
Table 74: show interfaces counters - display description
Parameter        Description
IF Table Stats
Octets Input     The total number of octets received on the interface, including framing characters.
Octets Output    The total number of octets transmitted out of the interface, including framing characters.
Table 74: show interfaces counters - display description (Continued)
Parameter                      Description
Excessive Collisions           A count of frames for which transmission on a particular interface fails due to excessive collisions. This counter does not increment when the interface is operating in full-duplex mode.
Internal MAC Transmit Errors   A count of frames for which transmission on a particular interface fails due to an internal MAC sublayer transmit error.
Table 74: show interfaces counters - display description (Continued)
Parameter                            Description
Utilization Statistics
Octets input in kbits per second     Number of octets entering this interface in kbits per second.
Packets input per second             Number of packets entering this interface in packets per second.
Input utilization                    The input utilization rate for this interface.
Octets output in kbits per second    Number of octets leaving this interface in kbits per second.
Command Usage
If no interface is specified, information on all interfaces is displayed.
Example
Console#show interfaces history ethernet 1/1 15min
Interface         : Eth 1/ 1
Name              : 15min
Interval          : 900 second(s)
Buckets Requested : 96
Buckets Granted   : 17
Status            : Active
Current Entries
Start Time    %      Octets Input   Unicast   Multicast   Broadcast
------------  -----  -------------  --------  ----------  ---------
00d 04:15:00  0.
(further rows for 00d 01:45:00 through 00d 04:00:00, one per 15-minute bucket, all counters 0)
Console#

show interfaces status
This command displays the status for an interface.
Syntax
show interfaces status [interface]
interface
  ethernet unit/port
    unit - Unit identifier. (Range: 1)
    port - Port number.
  VLAN Trunking          : Disabled
  LACP                   : Disabled
  MAC Learning           : Enabled
  Link-up-down Trap      : Enabled
  Media Type             : None
 Current Status:
  Link Status            : Down
  Operation Speed-duplex : 10Gfull
  Flow Control Type      : None
  Max Frame Size         : 1518 bytes (1522 bytes for tagged frames)
  MAC Learning Status    : Enabled
Console#

show interfaces switchport
This command displays the administrative and operational status of the specified switchport interfaces.
  Allowed VLAN            : 1(u)
  Forbidden VLAN          :
  802.1Q Tunnel Status    : Disabled
  802.1Q Tunnel Mode      : Normal
  802.1Q Tunnel TPID      : 8100 (Hex)
  Layer 2 Protocol Tunnel : None
Console#
Table 75: show interfaces switchport - display description
Field                 Description
Broadcast Threshold   Shows if broadcast storm suppression is enabled or disabled; if enabled it also shows the threshold level (page 453).
Transceiver Threshold Configuration

transceiver-monitor
This command sends a trap when any of the transceiver's operational values fall outside of specified thresholds. Use the no form to disable trap messages.
transceiver-threshold current
This command sets thresholds for transceiver current which can be used to trigger an alarm or warning message. Use the no form to restore the default settings.
Syntax
transceiver-threshold current {high-alarm | high-warning | low-alarm | low-warning} threshold-value
high-alarm – Sets the high current threshold for an alarm message.
high-warning – Sets the high current threshold for a warning message.
Example
The following example sets alarm thresholds for the transceiver current at port 9.
Console(config)#interface ethernet 1/9
Console(config-if)#transceiver-threshold current low-alarm 100
Console(config-if)#transceiver-threshold current high-alarm 700
Console(config-if)#

transceiver-threshold rx-power
This command sets thresholds for the transceiver power level of the received signal which can be used to trigger an alarm or warning message.
Example
The following example sets alarm thresholds for the signal power received at port 1.
Console(config)#interface ethernet 1/1
Console(config-if)#transceiver-threshold rx-power low-alarm -21
Console(config-if)#transceiver-threshold rx-power high-alarm -3
Console(config-if)#

transceiver-threshold temperature
This command sets thresholds for the transceiver temperature which can be used to trigger an alarm or warning message. Use the no form to restore the default settings.
Example
The following example sets alarm thresholds for the transceiver temperature at port 1. The low-alarm value must lie below the high-alarm value.
Console(config)#interface ethernet 1/1
Console(config-if)#transceiver-threshold temperature low-alarm -83
Console(config-if)#transceiver-threshold temperature high-alarm 97
Console(config-if)#

transceiver-threshold tx-power
This command sets thresholds for the transceiver power level of the transmitted signal which can be used to trigger an alarm or warning message.
Example
The following example sets alarm thresholds for the signal power transmitted at port 9.
Console(config)#interface ethernet 1/9
Console(config-if)#transceiver-threshold tx-power low-alarm -4000
Console(config-if)#transceiver-threshold tx-power high-alarm 820
Console(config-if)#

transceiver-threshold voltage
This command sets thresholds for the transceiver voltage which can be used to trigger an alarm or warning message. Use the no form to restore the default settings.
Example
The following example sets alarm thresholds for the transceiver voltage at port 9.
DDM Information
  Temperature  : 35.64 degree C
  Vcc          : 3.25 V
  Bias Current : 12.13 mA
  TX Power     : 2.36 dBm
  RX Power     : -24.20 dBm
DDM Thresholds
                        Low Alarm   Low Warning   High Warning   High Alarm
  ----------            ---------   -----------   ------------   ----------
  Temperature(Celsius)     -45.00        -40.00          85.00        90.00
  Voltage(Volts)             2.90          3.00           3.60         3.70
  Current(mA)                1.00          3.00          50.00        60.00
  TxPower(dBm)             -11.50        -10.50          -2.00        -1.00
  RxPower(dBm)             -23.98        -23.01          -1.00         0.
Console#
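The transceiver-threshold commands above take four levels per parameter, and the trap logic only works if they are ordered (low-alarm below low-warning below high-warning below high-alarm). The following Python is an added example for this section, not switch firmware or Edge-core code: it refuses to render an inconsistent threshold set into CLI lines, parses a DDM display laid out like the one shown here into readings and thresholds, and bands each reading with the same keywords the switch uses for its traps. The sample DDM text is constructed; the unit of the threshold-value argument is not stated on this page, so values are passed through to the CLI unchanged.

```python
"""Validate transceiver (DDM) alarm/warning thresholds before pushing them to
the switch, and classify live DDM readings against the thresholds the switch
reports. Added example; not switch firmware or Edge-core code."""
import re
from dataclasses import dataclass
from typing import Dict, List

# Keywords exactly as the transceiver-threshold command takes them.
LEVELS = ("low-alarm", "low-warning", "high-warning", "high-alarm")
PARAMETERS = ("current", "rx-power", "temperature", "tx-power", "voltage")

# Row labels of the "DDM Thresholds" table -> labels in the "DDM Information" block.
READING_LABELS = {"Temperature": "Temperature", "Voltage": "Vcc", "Current": "Bias Current",
                  "TxPower": "TX Power", "RxPower": "RX Power"}


@dataclass(frozen=True)
class Thresholds:
    low_alarm: float
    low_warning: float
    high_warning: float
    high_alarm: float

    def check(self) -> List[str]:
        """Return ordering problems; an empty list means the set is consistent.
        A high alarm below the low alarm (a mis-typed pair such as 97 / -83)
        would flag every reading as both too high and too low."""
        order = list(zip(LEVELS, (self.low_alarm, self.low_warning,
                                  self.high_warning, self.high_alarm)))
        return [f"{n1} ({v1}) is above {n2} ({v2})"
                for (n1, v1), (n2, v2) in zip(order, order[1:]) if v1 > v2]

    def classify(self, value: float) -> str:
        """Name the band a reading falls into, using the switch's trap keywords."""
        if value < self.low_alarm:
            return "low-alarm"
        if value < self.low_warning:
            return "low-warning"
        if value > self.high_alarm:
            return "high-alarm"
        if value > self.high_warning:
            return "high-warning"
        return "normal"


THRESHOLD_ROW = re.compile(
    r"^\s*(\w+)\([^)]*\)\s+(-?\d+\.\d+)\s+(-?\d+\.\d+)\s+(-?\d+\.\d+)\s+(-?\d+\.\d+)\s*$")
READING_ROW = re.compile(r"^\s*(Temperature|Vcc|Bias Current|TX Power|RX Power)\s*:\s*(-?\d+\.\d+)")


def parse_ddm(text: str) -> Dict[str, Dict]:
    """Parse the DDM Information / DDM Thresholds blocks into readings and
    Thresholds objects, both keyed by the threshold table's row label."""
    readings, thresholds = {}, {}
    label_by_reading = {v: k for k, v in READING_LABELS.items()}
    for line in text.splitlines():
        m = READING_ROW.match(line)
        if m:
            readings[label_by_reading[m.group(1)]] = float(m.group(2))
            continue
        m = THRESHOLD_ROW.match(line)
        if m:
            thresholds[m.group(1)] = Thresholds(*(float(x) for x in m.groups()[1:]))
    return {"readings": readings, "thresholds": thresholds}


def classify_all(ddm: Dict[str, Dict]) -> Dict[str, str]:
    """Band every parsed reading against its own threshold row."""
    return {name: ddm["thresholds"][name].classify(value)
            for name, value in ddm["readings"].items() if name in ddm["thresholds"]}


def render_commands(port: str, parameter: str, thr: Thresholds) -> List[str]:
    """Emit the interface-mode lines that set all four thresholds for one
    parameter, refusing to emit an inconsistent set."""
    if parameter not in PARAMETERS:
        raise ValueError(f"unknown parameter {parameter!r}")
    problems = thr.check()
    if problems:
        raise ValueError("; ".join(problems))
    values = (thr.low_alarm, thr.low_warning, thr.high_warning, thr.high_alarm)
    return [f"interface ethernet {port}"] + [
        f" transceiver-threshold {parameter} {level} {value:g}"
        for level, value in zip(LEVELS, values)]


# Constructed sample in the layout of the DDM display shown in this chapter.
SAMPLE_DDM = """\
DDM Information
  Temperature  : 35.64 degree C
  Vcc          : 3.25 V
  Bias Current : 12.13 mA
  TX Power     : 2.36 dBm
  RX Power     : -24.20 dBm
DDM Thresholds
                        Low Alarm  Low Warning  High Warning  High Alarm
  Temperature(Celsius)     -45.00       -40.00         85.00       90.00
  Voltage(Volts)             2.90         3.00          3.60        3.70
  Current(mA)                1.00         3.00         50.00       60.00
  TxPower(dBm)             -11.50       -10.50         -2.00       -1.00
  RxPower(dBm)             -23.98       -23.01         -1.00        0.00
"""

if __name__ == "__main__":
    ddm = parse_ddm(SAMPLE_DDM)
    for name, band in classify_all(ddm).items():
        print(f"{name:12s} {ddm['readings'][name]:8.2f}  {band}")
    print("\n".join(render_commands("1/9", "rx-power", Thresholds(-21, -20, -4, -3))))
```

Run against the sample, the RX power of -24.20 dBm is banded low-alarm (below the -23.98 dBm low alarm) and the TX power of 2.36 dBm is banded high-alarm, which is the condition transceiver-monitor would trap on; the other three readings are normal.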
                        Low Alarm   Low Warning   High Warning   High Alarm
  ----------            ---------   -----------   ------------   ----------
  Temperature(Celsius)    -123.00          0.00          70.00        75.00
  Voltage(Volts)             3.10          3.15           3.45         3.50
  Current(mA)                6.00          7.00          90.00       100.00
  TxPower(dBm)             -12.00        -11.50          -9.50        -9.00
  RxPower(dBm)             -21.50        -21.00          -3.50        -3.00
Console#

Cable Diagnostics

test cable-diagnostics
This command performs cable diagnostics on the specified port to diagnose any cable faults (short, open, etc.
◆ The test takes approximately 1 second. Use the show cable-diagnostics command to display the results of the test, including common cable failures, as well as the status and approximate length of each cable pair.
◆ Potential conditions which may be listed by the diagnostics include those listed below.
Command Mode
Privileged Exec
Command Usage
◆ Loopback testing can only be performed on a port that is not linked up. The internal loopback makes it possible to check that an interface is working properly without having to make any network connections.
◆ When performing an internal loopback test, packets from the specified interface are looped back into its internal PHY. Outgoing data is looped back to the receiver without actually being transmitted.
■ Impedance mismatch: Terminating impedance is not in the reference range.
Example
Console#show cable-diagnostics interface ethernet 1/21
Cable Diagnostics on interface Ethernet 1/21:
Cable OK with accuracy 10 meters.
Pair A OK, length 0 meters
Pair B OK, length 0 meters
Pair C OK, length 7 meters
Pair D Open, length 2 meters
Last Update on 2019-05-31 09:16:57
Console#

show loop internal
This command shows the results of a loopback test.
12 Link Aggregation Commands Ports can be statically grouped into an aggregate link (i.e., trunk) to increase the bandwidth of a network connection or to ensure fault recovery. Or you can use the Link Aggregation Control Protocol (LACP) to automatically negotiate a trunk link between this switch and another network device. For static trunks, the switches have to comply with the Cisco EtherChannel standard. For dynamic trunks, the switches have to comply with LACP. This switch supports up to 26 trunks.
Chapter 12 | Link Aggregation Commands
Table 76: Link Aggregation Commands
Command            Function                            Mode
show mlag          Shows MLAG configuration settings   PE
show mlag group    Shows MLAG group settings           PE
show mlag domain   Shows MLAG domain settings          PE
Guidelines for Creating Trunks
General Guidelines
◆ Finish configuring trunks before you connect the corresponding network cables between switches to avoid creating a loop.
◆ A trunk can have up to 8 ports.
Manual Configuration Commands

port-channel load-balance
This command sets the load-distribution method among ports in aggregated links (for both static and dynamic trunks). Use the no form to restore the default setting.
Syntax
port-channel load-balance {dst-ip | dst-mac | src-dst-ip | src-dst-mac | src-ip | src-mac}
no port-channel load-balance
dst-ip - Load balancing based on destination IP address.
router trunk links where traffic through the switch is received from and destined for many different hosts.
■ src-dst-mac: All traffic with the same source and destination MAC address is output on the same link in a trunk. This mode works best for switch-to-switch trunk links where traffic through the switch is received from and destined for many different hosts.
■ src-ip: All traffic with the same source IP address is output on the same link in a trunk.
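Why the manual recommends IP-based modes for router links and MAC-based modes for switch-to-switch links is easiest to see by counting where flows land. The following Python is an added example for this section, not switch code: the switch's real hash function is not documented on this page, so a CRC-32 of the selected header fields modulo the member count stands in for it, and the two traffic sets are constructed. What the example does reproduce from the page is the choice of fields per mode, which is what decides whether traffic spreads across the trunk or collapses onto one member.

```python
"""Show how the port-channel load-balance mode pins flows to trunk members.
Added example, not switch code; CRC-32 is an assumed stand-in for the
switch's undocumented hash."""
import ipaddress
import zlib
from collections import Counter
from typing import Dict, List

# Header fields consulted by each mode, as listed for port-channel load-balance.
MODES = {
    "dst-ip":      ("dst_ip",),
    "dst-mac":     ("dst_mac",),
    "src-dst-ip":  ("src_ip", "dst_ip"),
    "src-dst-mac": ("src_mac", "dst_mac"),
    "src-ip":      ("src_ip",),
    "src-mac":     ("src_mac",),
}


def select_member(flow: Dict[str, str], mode: str, members: List[str]) -> str:
    """Return the member port a flow is pinned to. Every frame with the same
    selected fields lands on the same member, which keeps a flow in order."""
    key = "|".join(flow[f] for f in MODES[mode]).encode()
    return members[zlib.crc32(key) % len(members)]   # assumed stand-in hash


def distribution(flows: List[Dict[str, str]], mode: str, members: List[str]) -> Dict[str, int]:
    """Flows per member under a mode; a member with zero flows is idle capacity."""
    counts = Counter({m: 0 for m in members})
    for flow in flows:
        counts[select_member(flow, mode, members)] += 1
    return dict(counts)


def busiest_share(dist: Dict[str, int]) -> float:
    """Fraction of flows on the most loaded member (1.0: one link carries everything)."""
    total = sum(dist.values())
    return max(dist.values()) / total if total else 0.0


def router_link_flows(n: int) -> List[Dict[str, str]]:
    """Constructed traffic crossing a router-to-router trunk: n distinct IP
    pairs but a single MAC pair, because every frame is addressed to the
    next-hop router's MAC. This is the case the manual steers to src-dst-ip."""
    return [{
        "src_mac": "00-11-22-33-44-01", "dst_mac": "00-11-22-33-44-02",
        "src_ip": str(ipaddress.IPv4Address("10.0.0.1") + i),
        "dst_ip": str(ipaddress.IPv4Address("172.16.0.1") + 7 * i),
    } for i in range(n)]


def host_link_flows(n: int) -> List[Dict[str, str]]:
    """Constructed traffic crossing a switch-to-switch trunk: hosts on each
    side talk directly, so MAC pairs are as varied as IP pairs."""
    return [{
        "src_mac": f"00-aa-00-00-00-{i % 256:02x}",
        "dst_mac": f"00-bb-00-00-00-{(3 * i) % 256:02x}",
        "src_ip": str(ipaddress.IPv4Address("192.168.1.1") + i),
        "dst_ip": str(ipaddress.IPv4Address("192.168.2.1") + i),
    } for i in range(n)]


if __name__ == "__main__":
    members = ["1/17", "1/18", "1/19", "1/20"]
    for name, flows in (("router link", router_link_flows(64)), ("host link", host_link_flows(64))):
        for mode in ("src-dst-mac", "src-dst-ip"):
            d = distribution(flows, mode, members)
            print(f"{name:11s} {mode:12s} {d}  busiest share {busiest_share(d):.2f}")
```

With the router-link traffic, src-dst-mac hashes every flow to the same member (busiest share 1.00) while src-dst-ip spreads them; with the host-link traffic both modes spread. The same function also shows why a trunk is not a bandwidth guarantee for any single flow: a flow never uses more than one member.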
Example
The following example creates trunk 1 and then adds port 10:
Console(config)#interface port-channel 1
Console(config-if)#exit
Console(config)#interface ethernet 1/10
Console(config-if)#channel-group 1
Console(config-if)#

Dynamic Configuration Commands

lacp
This command enables 802.3ad Link Aggregation Control Protocol (LACP) for the current interface. Use the no form to disable it.
Console#show interfaces status port-channel 1
Information of Trunk 1
 Basic Information:
  Port Type                   : 10GBASE SFP+
  MAC Address                 : 12-34-12-34-12-3F
 Configuration:
  Name                        :
  Port Admin                  : Up
  Speed-duplex                : 10Gfull
  Broadcast Storm             : Enabled
  Broadcast Storm Limit       : 500 packets/second
  Multicast Storm             : Disabled
  Multicast Storm Limit       : 500 packets/second
  Unknown Unicast Storm       : Disabled
  Unknown Unicast Storm Limit : 500 packets/second
  Storm Threshold Resolution  : 1 packets/second
Command Mode
Interface Configuration (Ethernet)
Command Usage
◆ An LACP trunk cannot be instantiated if both sides are set to passive.
Example
Console(config)#interface ethernet 1/5
Console(config-if)#lacp actor mode passive
Console(config-if)#

lacp admin-key (Ethernet Interface)
This command configures a port's LACP administration key. Use the no form to restore the default setting.
Note: Configuring the partner admin-key does not affect remote or local switch operation. The local switch just records the partner admin-key for user reference.
◆ If the admin key is not set, the actor's operational key is determined by the port's link speed (20G - 6, 10G - 5, 1G - 4).
Example
Console(config)#interface ethernet 1/5
Console(config-if)#lacp actor admin-key 120
Console(config-if)#

lacp port-priority
This command configures LACP port priority.
Example
Console(config)#interface ethernet 1/5
Console(config-if)#lacp actor port-priority 128
Console(config-if)#

lacp system-priority
This command configures a port's LACP system priority. Use the no form to restore the default setting.
Syntax
lacp {actor | partner} system-priority priority
no lacp {actor | partner} system-priority
actor - The local side of an aggregate link.
partner - The remote side of an aggregate link.
lacp admin-key (Port Channel)
This command configures a port channel's LACP administration key. Use the no form to restore the default setting.
Syntax
lacp admin-key key
no lacp admin-key
key - The port channel admin key is used to identify a specific link aggregation group (LAG) during local LACP setup on this switch.
Command Usage
◆ The timeout configured by this command is set in the LACP timeout bit of the Actor State field in transmitted LACPDUs. When the partner switch receives an LACPDU set with a short timeout from the actor switch, the partner adjusts its transmit LACPDU interval to 1 second. When it receives an LACPDU set with a long timeout from the actor, it adjusts its transmit LACPDU interval to 30 seconds.
  LACPDU Received            : 6
  MarkerPDU Sent             : 0
  MarkerPDU Received         : 0
  MarkerResponsePDU Sent     : 0
  MarkerResponsePDU Received : 0
  Unknown Packet Received    : 0
  Illegal Packet Received    : 0
  . . .
Table 77: show lacp counters - display description
Field          Description
Port Channel   The LACP port channel trunk number.
Member Port    The Ethernet interface that is a member of the LACP port-channel trunk.
LACPDUs Sent   Number of valid LACPDUs transmitted from this channel group.
Table 78: show lacp internal - display description (Continued)
Field             Description
Admin Key         Current administrative value of the key for the aggregation port.
Oper Key          Current operational value of the key for the aggregation port.
Timeout           Time to wait for the next LACPDU before deleting partner port information.
Periodic Time     The number of seconds between periodic LACPDU transmissions.
System Priority   LACP system priority assigned to this port channel.
Table 79: show lacp neighbors - display description
Field                     Description
Port Channel              The LACP port channel trunk number.
Member Port               The Ethernet interface that is a member of the LACP port-channel trunk.
Partner Admin System ID   LAG partner's system ID assigned by the user.
Partner Oper System ID    LAG partner's system ID assigned by the LACP protocol.
Partner Admin Port ID     Current administrative value of the port number for the protocol Partner.
show port-channel load-balance
This command shows the load-distribution method used on aggregated links.
Command Mode
Privileged Exec
Example
Console#show port-channel load-balance
Trunk Load Balance Mode: Destination IP address
Console#

MLAG Commands
A multi-chassis link aggregation group (MLAG) is a pair of links that terminate on two cooperating switches and appear as an ordinary link aggregation group (LAG).
◆ STP cannot be enabled on a peer link or an MLAG member. An STP enabled port cannot be configured as a peer link or an MLAG member.

mlag
This command enables MLAG globally on the switch. Use the no form to disable MLAG.
Syntax
[no] mlag
Default Setting
Enabled
Command Mode
Global Configuration
Example
Console(config)#mlag
Console(config)#

mlag domain peer-link
This command configures an MLAG domain. Use the no form to remove the MLAG domain.
◆ An MLAG domain is active if the domain ID and a peer link are set.
Command Mode
Global Configuration
Example
Console(config)#mlag domain 1 peer-link ethernet 1/1
Console(config)#

mlag group member
This command configures MLAG domain member ports. Use the no form to remove member ports.
Syntax
mlag group mlag-id domain domain-id member interface
no domain domain-id
mlag-id – MLAG identifier. (Range: 1-1000)
domain-id – Domain identifier.
◆ An MLAG is formed when the peer MLAG members are both active.
◆ The following items apply when an MLAG is formed.
  ■ When an MLAG member is operationally up and the MLAG peer member is also operationally up, traffic arriving over the peer link is not forwarded to the MLAG member (the peer delivers it over its own member link).
  ■ When an MLAG member is operationally up and the MLAG peer member is operationally down, traffic arriving over the peer link can be forwarded to the MLAG member.
Syntax
show mlag group mlag-id
mlag-id – MLAG identifier. (Range: 1-1000)
Example
Console#show mlag group 1
Domain ID    : 1
Local Member : Eth 1/5
Local State  : Inactive
Remote State : Inactive
Console#

show mlag domain
This command shows MLAG domain settings.
Command Mode
Privileged Exec
Syntax
show mlag domain domain-id
domain-id – Domain identifier.
13 Port Mirroring Commands Data can be mirrored from a local port on the same switch or from a remote port on another switch for analysis at the target port using software monitoring tools or a hardware probe. This switch supports the following mirroring modes.
Chapter 13 | Port Mirroring Commands
Local Port Mirroring Commands
both - Mirror both received and transmitted packets.
vlan-id - VLAN ID (Range: 1-4094)
mac-address - MAC address in the form of xx-xx-xx-xx-xx-xx or xxxxxxxxxxxx.
acl-name – Name of the ACL. (Maximum length: 32 characters, no spaces or other special characters)
Default Setting
◆ No mirror session is defined.
◆ When enabled for an interface, default mirroring is for both received and transmitted packets.
◆ The destination port cannot be a trunk or trunk member port.
◆ ACL-based mirroring is only used for ingress traffic. To mirror an ACL, follow these steps:
1. Use the access-list command to add an ACL.
2. Use the access-group command to bind the ACL to the port whose ingress traffic is to be mirrored.
3. Use the port monitor access-list command to specify the destination port to which traffic matching the ACL will be mirrored.
acl-name – Name of the ACL. (Maximum length: 32 characters, no spaces or other special characters)
Default Setting
Shows all sessions.
Command Mode
Privileged Exec
Command Usage
This command displays the currently configured source port, destination port, and mirror mode (i.e., RX, TX, RX/TX).
RSPAN Mirroring Commands
Configuration Guidelines
Take the following steps to configure an RSPAN session:
1. Use the vlan rspan command to configure a VLAN to use for RSPAN. (Default VLAN 1 and switch cluster VLAN 4093 are prohibited.)
2. Use the rspan source command to specify the interfaces and the traffic type (RX, TX or both) to be monitored.
3. Use the rspan destination command to specify the destination port for the traffic mirrored by an RSPAN session.
4.
◆ Port Security – If port security is enabled on any port, that port cannot be set as an RSPAN uplink port, even though it can still be configured as an RSPAN source or destination port. Also, when a port is configured as an RSPAN uplink port, port security cannot be enabled on that port.

rspan source
Use this command to specify the source port and traffic type to be mirrored remotely.
Example
The following example configures the switch to mirror received packets from ports 2 and 3:
Console(config)#rspan session 1 source interface ethernet 1/2
Console(config)#rspan session 1 source interface ethernet 1/3
Console(config)#

rspan destination
Use this command to specify the destination port to monitor the mirrored traffic. Use the no form to disable RSPAN on the specified port.
◆ A destination port can still send and receive switched traffic, and participate in any Layer 2 protocols to which it has been assigned.
Example
The following example configures port 2 to receive mirrored RSPAN traffic:
Console(config)#rspan session 1 destination interface ethernet 1/2
Console(config)#

rspan remote vlan
Use this command to specify the RSPAN VLAN, switch role (source, intermediate or destination), and the uplink ports.
Command Usage
◆ Only 802.1Q trunk or hybrid (i.e., general use) ports can be configured as an RSPAN uplink port – access ports are not allowed (see switchport mode).
◆ Only one uplink port can be configured on a source switch, but there is no limitation on the number of uplink ports configured on an intermediate or destination switch.
◆ Only destination and uplink ports will be assigned by the switch as members of this VLAN.
show rspan
Use this command to display the configuration settings for an RSPAN session.
Syntax
show rspan session [session-id]
session-id – A number identifying this RSPAN session. (Range: 1)
Only one mirror session is allowed, including both local and remote mirroring. If local mirroring is enabled with the port monitor command, then no session can be configured for RSPAN.
14 Congestion Control Commands The switch can set the maximum upload or download data transfer rate for any port. It can control traffic storms by setting a maximum threshold for broadcast traffic or multicast traffic. It can also set bounding thresholds for broadcast and multicast storms which can be used to automatically trigger rate limits or to shut down a port. Table 84: Congestion Control Commands Command Group Function Rate Limiting Sets the input and output rate limits for a port.
Chapter 14 | Congestion Control Commands
Rate Limit Commands

rate-limit
This command defines the rate limit for a specific interface. Use this command without specifying a rate to enable rate limiting. Use the no form to disable rate limiting.
Syntax
rate-limit {input | output} [rate]
no rate-limit {input | output}
input – Input rate for the specified interface
output – Output rate for the specified interface
rate – Maximum value in kbps.
Storm Control Commands
Storm control commands can be used to configure broadcast, multicast, and unknown unicast storm control thresholds. Traffic storms may occur when a device on your network is malfunctioning, or if application programs are not well designed or properly configured. If there is too much traffic on your network, performance can be severely degraded or everything can come to a complete halt.
Automatic Traffic Control Commands
◆ Using both rate limiting and storm control on the same interface may lead to unexpected results. It is therefore not advisable to use both of these commands on the same interface.
Table 87: ATC Commands (Continued)
Command                                                   Function                                                                                                           Mode
ATC Trap Commands
snmp-server enable port-traps atc broadcast-alarm-clear   Sends a trap when broadcast traffic falls beneath the lower threshold after a storm control response has been triggered   IC (Port)
snmp-server enable port-traps atc broadcast-alarm-fire    Sends a trap when broadcast traffic exceeds the upper threshold for automatic storm control                                IC (Port)
snmp-ser
Usage Guidelines
ATC includes storm control for broadcast or multicast traffic. The control response for either of these traffic types is the same, as shown in the following diagrams.
Figure 2: Storm Control by Shutting Down a Port
The key elements of this diagram are the same as those described in the preceding diagram, except that automatic release of the control response is not provided. When traffic control is applied, you must manually re-enable the port.
Functional Limitations
Automatic storm control is a software level control function.
Command Usage
After the apply timer expires, a control action may be triggered as specified by the auto-traffic-control action command and a trap message sent as specified by the snmp-server enable port-traps atc broadcast-control-apply command or snmp-server enable port-traps atc multicast-control-apply command.
Example
This example sets the apply timer to 200 seconds for all ports.
auto-traffic-control
This command enables automatic traffic control for broadcast or multicast storms. Use the no form to disable this feature.
Syntax
[no] auto-traffic-control {broadcast | multicast}
broadcast - Specifies automatic storm control for broadcast traffic.
multicast - Specifies automatic storm control for multicast traffic.
shutdown - If a control response is triggered, the port is administratively disabled. A port disabled by automatic traffic control can only be manually re-enabled.
Default Setting
rate-control
Command Mode
Interface Configuration (Ethernet)
Command Usage
When the upper threshold is exceeded and the apply timer expires, a control response will be triggered based on this command.
Default Setting
128 kilo-packets per second
Command Mode
Interface Configuration (Ethernet)
Command Usage
◆ Once the traffic rate falls beneath the lower threshold, a trap message may be sent if configured by the snmp-server enable port-traps atc broadcast-alarm-clear command or snmp-server enable port-traps atc multicast-alarm-clear command.
Command Usage
◆ Once the upper threshold is exceeded, a trap message may be sent if configured by the snmp-server enable port-traps atc broadcast-alarm-fire command or snmp-server enable port-traps atc multicast-alarm-fire command.
auto-traffic-control control-release
This command manually releases a control response.
Syntax
auto-traffic-control {broadcast | multicast} control-release interface interface
broadcast - Specifies automatic storm control for broadcast traffic.
multicast - Specifies automatic storm control for multicast traffic.
interface
  ethernet unit/port-list
    unit - Unit identifier.
Example
Console(config)#interface ethernet 1/1
Console(config-if)#snmp-server enable port-traps atc broadcast-alarm-clear
Console(config-if)#
Related Commands
auto-traffic-control action (459)
auto-traffic-control alarm-clear-threshold (460)

snmp-server enable port-traps atc broadcast-alarm-fire
This command sends a trap when broadcast traffic exceeds the upper threshold for automatic storm control. Use the no form to disable this trap.
Example
Console(config)#interface ethernet 1/1
Console(config-if)#snmp-server enable port-traps atc broadcast-control-apply
Console(config-if)#
Related Commands
auto-traffic-control alarm-fire-threshold (461)
auto-traffic-control apply-timer (457)

snmp-server enable port-traps atc
This command sends a trap when broadcast traffic falls beneath the lower threshold after a storm control response has been triggered and the release ti
Command Mode
Interface Configuration (Ethernet)
Example
Console(config)#interface ethernet 1/1
Console(config-if)#snmp-server enable port-traps atc multicast-alarm-clear
Console(config-if)#
Related Commands
auto-traffic-control action (459)
auto-traffic-control alarm-clear-threshold (460)

snmp-server enable port-traps atc multicast-alarm-fire
This command sends a trap when multicast traffic exceeds the upper threshold for automatic storm control.
Example
Console(config)#interface ethernet 1/1
Console(config-if)#snmp-server enable port-traps atc multicast-control-apply
Console(config-if)#
Related Commands
auto-traffic-control alarm-fire-threshold (461)
auto-traffic-control apply-timer (457)

snmp-server enable port-traps atc
This command sends a trap when multicast traffic falls beneath the lower threshold after a storm control response has been triggered and the release ti
  Apply-timer (sec)   : 300
  release-timer (sec) : 900
Storm-control: Multicast
  Apply-timer (sec)   : 300
  release-timer (sec) : 900
Console#

show auto-traffic-control interface
This command shows interface configuration settings and storm control status for the specified port.
Syntax
show auto-traffic-control interface [interface]
interface
  ethernet unit/port
    unit - Unit identifier. (Range: 1)
    port - Port number.
15 Loopback Detection Commands The switch can be configured to detect general loopback conditions caused by hardware problems or faulty protocol settings. When enabled, a control frame is transmitted on the participating ports, and the switch monitors inbound traffic to see if the frame is looped back.
Chapter 15 | Loopback Detection Commands

loopback-detection
This command enables loopback detection globally on the switch or on a specified interface. Use the no form to disable loopback detection.
Syntax
[no] loopback-detection
Default Setting
Enabled
Command Mode
Global Configuration
Interface Configuration (Ethernet, Port Channel)
Command Usage
◆ Loopback detection must be enabled globally for the switch by this command and enabled for a specific interface for this function to take effect.
none - No action is taken.
shutdown - Shuts down the interface.
Default Setting
Shut down
Command Mode
Global Configuration
Command Usage
◆ When a port receives a control frame sent by itself, this means that the port is in a looped state, and the VLAN in the frame payload is also in a looped state. The looped port is therefore shut down.
Example
Console(config)#loopback-detection recover-time 120
Console(config-if)#

loopback-detection transmit-interval
This command specifies the interval at which to transmit loopback detection control frames. Use the no form to restore the default setting.
Syntax
loopback-detection transmit-interval seconds
no loopback-detection transmit-interval
seconds - The transmission interval for loopback detection control frames.
Command Mode
Global Configuration
Command Usage
Refer to the loopback-detection recover-time command for information on the conditions which constitute loopback recovery.
Example
Console(config)#loopback-detection trap both
Console(config)#

loopback-detection release
This command releases all interfaces currently shut down by the loopback detection feature.
Command Usage
Although the global action may be set to None, this command will still display the configured Admin State and the Oper State of each port in the Loopback Detection Port Information output.
16 Address Table Commands These commands are used to configure the address table for filtering specified addresses, displaying current entries, clearing the table, or setting the aging time.
Example
Console(config)#mac-address-table aging-time 100
Console(config)#

mac-address-table hash-lookup-depth
This command sets the hash lookup depth used when searching the MAC address table. Use the no form to restore the default setting.
Syntax
mac-address-table hash-lookup-depth depth
no mac-address-table hash-lookup-depth
depth - The depth used in the hash lookup process.
port-channel channel-id (Range: 1-26)
vlan-id - VLAN ID (Range: 1-4094)
action
delete-on-reset - Assignment lasts until the switch is reset.
permanent - Assignment is permanent.
Default Setting
No static addresses are defined. The default lifetime is permanent.
Command Mode
Global Configuration
Command Usage
The static address for a host device can be assigned to a specific port within a specific VLAN. Use this command to add static addresses to the MAC Address Table.
clear mac-address-table dynamic
This command removes any learned entries from the forwarding database.
Syntax
clear mac-address-table dynamic [[all] | [address mac-address [mask]] | [interface interface] | [vlan vlan-id]]
all - all learned entries
address mac-address - MAC address.
mask - Bits to match in the address.
interface
ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number.
show mac-address-table
This command shows classes of entries in the bridge-forwarding database.
Syntax
show mac-address-table [address mac-address [mask]] [interface interface] [vlan vlan-id] [sort {address | vlan | interface}]
mac-address - MAC address.
mask - Bits to match in the address.
interface
ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number.
show mac-address-table aging-time
This command shows the aging time for entries in the address table.
Default Setting
None
Command Mode
Privileged Exec
Example
Console#show mac-address-table aging-time
Aging Status : Enabled
Aging Time: 300 sec.
Console#

show mac-address-table hash-algorithm
This command shows the hash table algorithm configured and activated by the switch.
show mac-address-table count
This command shows the number of MAC addresses used and the number of available MAC addresses for the overall system or for an interface.
Syntax
show mac-address-table count [interface interface]
interface
ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number.
Example
Console#show mac-address-table hash-lookup-depth
Configured Hash Lookup Depth: 4
Activated Hash Lookup Depth: 4
Console#
17 Spanning Tree Commands This section includes commands that configure the Spanning Tree Algorithm (STA) globally for the switch, and commands that configure STA for the selected interface.
Table 90: Spanning Tree Commands (Continued)
Command | Function | Mode
spanning-tree loopback-detection | Enables BPDU loopback detection for a port | IC
spanning-tree loopback-detection action | Configures the response for loopback detection to block user traffic or shut down the interface | IC
spanning-tree loopback-detection release-mode | Configures loopback release mode for a port | IC
spanning-tree loopback-detection trap | Enables BPDU loopback SNMP trap notification for
Command Usage
◆ The Spanning Tree Algorithm (STA) can be used to detect and disable network loops, and to provide backup links between switches, bridges or routers. This allows the switch to interact with other bridging devices (that is, an STA-compliant switch, bridge or router) in your network to ensure that only one route exists between any two stations on the network, and to provide backup links which automatically take over when a primary link goes down.
Default Setting
15 seconds
Command Mode
Global Configuration
Command Usage
This command sets the maximum time (in seconds) a port will wait before changing states (i.e., discarding to learning to forwarding). This delay is required because every device must receive information about topology changes before it starts to forward frames.
spanning-tree max-age
This command configures the spanning tree bridge maximum age globally for this switch. Use the no form to restore the default.
Syntax
spanning-tree max-age seconds
no spanning-tree max-age
seconds - Time in seconds. (Range: 6-40 seconds)
The minimum value is the higher of 6 or [2 x (hello-time + 1)].
The maximum value is the lower of 40 or [2 x (forward-time - 1)].
Default Setting
rstp
Command Mode
Global Configuration
Command Usage
◆ Spanning Tree Protocol
This option uses RSTP set to STP forced compatibility mode. It uses RSTP for the internal state machine, but sends only 802.1D BPDUs. This creates one spanning tree instance for the entire network. If multiple VLANs are implemented on a network, the path between specific VLAN members may be inadvertently disabled to prevent network loops, thus isolating group members.
spanning-tree mst configuration
This command changes to Multiple Spanning Tree (MST) configuration mode.
Syntax
spanning-tree mst configuration
Default Setting
No VLANs are mapped to any MST instance. The region name is set to the switch’s MAC address.
Chapter 17 | Spanning Tree Commands and higher values assigned to ports with slower media. Note that path cost (page 498) takes precedence over port priority (page 506). ◆ The path cost methods apply to all spanning tree modes (STP, RSTP and MSTP). Specifically, the long method can be applied to STP since this mode is supported by a backward compatible mode of RSTP.
spanning-tree system-bpdu-flooding
This command configures how the system floods BPDUs to other ports when spanning tree is disabled globally on the switch or disabled on specific ports. Use the no form to restore the default.
Syntax
spanning-tree system-bpdu-flooding {to-all | to-vlan}
no spanning-tree system-bpdu-flooding
to-all - Floods BPDUs to all other spanning-tree disabled ports on the switch.
Chapter 17 | Spanning Tree Commands Default Setting All ports and trunks belong to a common group. Command Mode Global Configuration Command Usage A port can only belong to one group. When an interface is added to a group, it is removed from the default group. When a TCN BPDU or BPDU with the TC flag set is received on an interface, that interface will only notify members in same group to propagate this topology change.
max-hops
This command configures the maximum number of hops in the region before a BPDU is discarded. Use the no form of the command to set the number of hops to the default value.
Syntax
max-hops hop-number
no max-hops
hop-number - Maximum hop number for multiple spanning tree. (Range: 1-40)
Default Setting
20
Command Mode
MST Configuration
Command Usage
An MSTI region is treated as a single node by the STP and RSTP protocols.
Chapter 17 | Spanning Tree Commands Command Mode MST Configuration Command Usage ◆ MST priority is used in selecting the root bridge and alternate bridge of the specified instance. The device with the highest priority (i.e., lowest numerical value) becomes the MSTI root device. However, if all devices have the same priority, the device with the lowest MAC address will then become the root device.
RSTP treats each MSTI region as a single node, connecting all regions to the Common Spanning Tree.
Example
Console(config-mstp)#mst 1 vlan 2-5
Console(config-mstp)#

name
This command configures the name for the multiple spanning tree region in which this switch is located. Use the no form of the command to set the name to the default name.
Syntax
name name
no name
name - Name of multiple spanning tree region.
Chapter 17 | Spanning Tree Commands no revision number - Revision number of the spanning tree. (Range: 0-65535) Default Setting 0 Command Mode MST Configuration Command Usage The MST region name (page 495) and revision number are used to designate a unique MST region. A bridge (i.e., spanning-tree compliant device such as this switch) can only belong to one MST region. And all bridges in the same region must be configured with the same MST instances.
Example
Console(config)#interface ethernet 1/5
Console(config-if)#spanning-tree edge-port
Console(config-if)#spanning-tree bpdu-filter
Console(config-if)#
Related Commands
spanning-tree edge-port (499)

spanning-tree bpdu-guard
This command shuts down an edge port (i.e., an interface set for fast forwarding) if it receives a BPDU. Use the no form without any keywords to disable this feature, or with a keyword to restore the default settings.
Related Commands
spanning-tree edge-port (499)
spanning-tree spanning-disabled (508)

spanning-tree cost
This command configures the spanning tree path cost for the specified interface. Use the no form to restore the default auto-configuration mode.
Syntax
spanning-tree cost cost
no spanning-tree cost
cost - The path cost for the port.
Chapter 17 | Spanning Tree Commands Command Usage ◆ This command is used by the Spanning Tree Algorithm to determine the best path between devices. Therefore, lower values should be assigned to ports attached to faster media, and higher values assigned to ports with slower media. ◆ Path cost takes precedence over port priority. ◆ When the path cost method (page 489) is set to short, the maximum value for path cost is 65,535.
Example
Console(config)#interface ethernet 1/5
Console(config-if)#spanning-tree edge-port
Console(config-if)#

spanning-tree link-type
This command configures the link type for Rapid Spanning Tree and Multiple Spanning Tree. Use the no form to restore the default.
Syntax
spanning-tree link-type {auto | point-to-point | shared}
no spanning-tree link-type
auto - Automatically derived from the duplex mode setting.
point-to-point - Point-to-point link.
spanning-tree loopback-detection
This command enables the detection of, and response to, Spanning Tree loopback BPDU packets on the port. Use the no form to disable this feature.
Syntax
[no] spanning-tree loopback-detection
Default Setting
Disabled
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
If Port Loopback Detection is not enabled and a port receives its own BPDU, then the port will drop the loopback BPDU according to IEEE Standard 802.
Chapter 17 | Spanning Tree Commands selected interface will be automatically enabled when the shutdown interval has expired. ◆ If an interface is shut down by this command, and the release mode is set to “manual,” the interface can be re-enabled using the spanning-tree loopback-detection release command.
◆ When configured for manual release mode, a link down / up event will not release the port from the discarding state. It can only be released using the spanning-tree loopback-detection release command.
Example
Console(config)#interface ethernet 1/5
Console(config-if)#spanning-tree loopback-detection release-mode manual
Console(config-if)#

spanning-tree loopback-detection trap
This command enables SNMP trap notification for Spanning Tree loopback BPDU detections.
Example
Console(config)#interface ethernet 1/5
Console(config-if)#spanning-tree restricted-tcn

spanning-tree mst cost
This command configures the path cost on a spanning instance in the Multiple Spanning Tree. Use the no form to restore the default auto-configuration mode.
Syntax
spanning-tree mst instance-id cost cost
no spanning-tree mst instance-id cost
instance-id - Instance identifier of the spanning tree. (Range: 0-4094)
cost - Path cost for an interface.
Related Commands
spanning-tree mst port-priority (505)

spanning-tree mst port-priority
This command configures the interface priority on a spanning instance in the Multiple Spanning Tree. Use the no form to restore the default.
Syntax
spanning-tree mst instance-id port-priority priority
no spanning-tree mst instance-id port-priority
instance-id - Instance identifier of the spanning tree. (Range: 0-4094)
priority - Priority for an interface.
Chapter 17 | Spanning Tree Commands Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage ◆ When enabled, BPDUs are flooded to all other spanning-tree disabled ports on the switch or within the receiving port's native VLAN as specified by the spanning-tree system-bpdu-flooding command. ◆ The spanning-tree system-bpdu-flooding command has no effect if BPDU flooding is disabled on a port by the spanning-tree port-bpdu-flooding command.
Example
Console(config)#interface ethernet 1/5
Console(config-if)#spanning-tree port-priority 0
Related Commands
spanning-tree cost (498)

spanning-tree root-guard
This command prevents a designated port from taking superior BPDUs into account and allowing a new STP root port to be elected. Use the no form to disable this feature.
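The per-port protections described in this chapter (bpdu-filter and bpdu-guard on an edge port, root-guard, and BPDU loopback detection with its block or shutdown action) are easier to reason about when the decision order is written down. The following Python is an added illustration and is not code from the switch or from this guide: the Port and Bridge classes, the returned action strings, the "discarding" state name and the assumption that bpdu-filter simply discards received BPDUs are all choices made here. Bridge IDs compare as (priority, MAC), with the lowest priority winning and the lowest MAC address breaking ties, as the mst priority Command Usage states.

```python
"""Model of the per-port BPDU protections in this chapter. Added example, not
the switch's implementation. Bridge IDs compare as (priority, MAC): lowest
priority wins and the lowest MAC breaks ties."""
from dataclasses import dataclass
from typing import Optional, Tuple

BridgeId = Tuple[int, str]


@dataclass
class Port:
    name: str
    edge_port: bool = False
    bpdu_filter: bool = False
    bpdu_guard: bool = False
    root_guard: bool = False
    loopback_detection: bool = False
    loopback_action: str = "block"      # "block" or "shutdown", as in Table 90
    state: str = "forwarding"           # "forwarding", "discarding" or "shutdown"


@dataclass
class Bridge:
    bridge_id: BridgeId
    root_id: Optional[BridgeId] = None

    def __post_init__(self) -> None:
        if self.root_id is None:
            self.root_id = self.bridge_id   # a bridge starts out believing it is root

    def receive_bpdu(self, port: Port, root_id: BridgeId, sender_id: BridgeId) -> str:
        """Process one Configuration BPDU received on `port`; return the action taken."""
        if port.state == "shutdown":
            return "dropped: port shut down"
        # Assumption: bpdu-filter on an edge port discards received BPDUs outright.
        if port.edge_port and port.bpdu_filter:
            return "filtered: bpdu-filter"
        # bpdu-guard: an edge port that receives any BPDU is shut down.
        if port.edge_port and port.bpdu_guard:
            port.state = "shutdown"
            return "shutdown: bpdu-guard"
        # A BPDU this bridge sent itself means the port is looped back.
        if sender_id == self.bridge_id:
            if port.loopback_detection:
                port.state = "shutdown" if port.loopback_action == "shutdown" else "discarding"
                return f"{port.state}: loopback-detection"
            return "dropped: own BPDU"   # default handling without loopback detection
        # root-guard: a superior BPDU on a designated port is not taken into account,
        # so a rogue bridge behind that port cannot make itself root.
        if root_id < self.root_id:
            if port.root_guard:
                return "ignored: root-guard"
            self.root_id = root_id
            return "new root accepted"
        return "processed"
```

The ordering matters for operators: bpdu-guard fires before anything is compared, so an edge port is shut down even by an inferior BPDU, while root-guard only acts on a BPDU that would have changed the root.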
spanning-tree spanning-disabled
This command disables the spanning tree algorithm for the specified interface. Use the no form to re-enable the spanning tree algorithm for the specified interface.
Example
Console(config)#interface ethernet 1/1
Console(config-if)#spanning-tree tc-prop-stop
Console(config-if)#

spanning-tree loopback-detection release
This command manually releases a port placed in discarding state by loopback detection.
Syntax
spanning-tree loopback-detection release interface
interface
ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number.
Command Mode
Privileged Exec
Command Usage
If at any time the switch detects STP BPDUs, including Configuration or Topology Change Notification BPDUs, it will automatically set the selected interface to forced STP-compatible mode. However, you can also use the spanning-tree protocol-migration command at any time to manually re-check the appropriate BPDU format to send on the selected interfaces (i.e., RSTP or STP-compatible).
Chapter 17 | Spanning Tree Commands ◆ Use the show spanning-tree interface command to display the spanning tree configuration for an interface within the Common Spanning Tree (CST). ◆ Use the show spanning-tree mst command to display the spanning tree configuration for all instances within the Multiple Spanning Tree (MST), including global settings and settings for active interfaces.
Loopback Detection Trap : Disabled
Loopback Detection Action : Block
Root Guard Status : Disabled
BPDU Guard Status : Disabled
BPDU Guard Auto Recovery : Disabled
BPDU Guard Auto Recovery Interval : 300
BPDU Filter Status : Disabled
TC Propagate Stop : Disabled
Restricted TCN : Disabled
. . .
This example shows a brief summary of global and interface settings for the spanning tree.
Chapter 17 | Spanning Tree Commands Syntax show spanning-tree tc-prop [group group-id] group-id - Group identifier.
18 VLAN Commands A VLAN is a group of ports that can be located anywhere in the network, but communicate as though they belong to the same physical segment. This section describes commands used to create VLAN groups, add port members, specify how VLAN tagging is used, and enable automatic VLAN registration for the selected interface.
GVRP and Bridge Extension Commands
GARP VLAN Registration Protocol defines a way for switches to exchange VLAN information in order to automatically register VLAN members on interfaces across the network. This section describes how to enable GVRP for individual interfaces and globally for the switch, as well as how to display default configuration settings for the Bridge Extension MIB.
garp timer
This command sets the values for the join, leave and leaveall timers. Use the no form to restore the timers’ default values.
Syntax
garp timer {join | leave | leaveall} timer-value
no garp timer {join | leave | leaveall}
{join | leave | leaveall} - Timer to set.
timer-value - Value of timer.
Related Commands
show garp timer (520)

switchport forbidden vlan
This command configures forbidden VLANs. Use the no form to remove the list of forbidden VLANs.
Syntax
switchport forbidden vlan {add vlan-list | remove vlan-list}
no switchport forbidden vlan
add vlan-list - List of VLAN identifiers to add.
remove vlan-list - List of VLAN identifiers to remove.
Chapter 18 | VLAN Commands GVRP and Bridge Extension Commands switchport gvrp This command enables GVRP for a port. Use the no form to disable it. Syntax [no] switchport gvrp Default Setting Disabled Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage GVRP cannot be enabled for ports set to Access mode using the switchport mode command.
Table 95: show bridge-ext - display description
Field | Description
Maximum Supported VLAN Numbers | The maximum number of VLANs supported on this switch.
Maximum Supported VLAN ID | The maximum configurable VLAN identifier supported on this switch.
Extended Multicast Filtering Services | This switch does not support the filtering of individual multicast addresses based on GMRP (GARP Multicast Registration Protocol).
Example
Console#show garp timer ethernet 1/1
Eth 1/ 1 GARP Timer Status:
Join Timer : 20 centiseconds
Leave Timer : 60 centiseconds
Leave All Timer : 1000 centiseconds
Console#
Related Commands
garp timer (517)

show gvrp configuration
This command shows if GVRP is enabled.
Syntax
show gvrp configuration [interface]
interface
ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number.
Editing VLAN Groups
vlan database
This command enters VLAN database mode. All commands in this mode will take effect immediately.
Default Setting
None
Command Mode
Global Configuration
Command Usage
◆ Use the VLAN database command mode to add, change, and delete VLANs. After finishing configuration changes, you can display the VLAN settings by entering the show vlan command.
Chapter 18 | VLAN Commands Configuring VLAN Interfaces rspan - Keyword to create a VLAN used for mirroring traffic from remote switches. The VLAN used for RSPAN cannot include VLAN 1 (the switch’s default VLAN). Nor should it include VLAN 4093 (which is used for switch clustering). Configuring VLAN 4093 for other purposes may cause problems in the Clustering operation. For more information on configuring RSPAN through the CLI, see “RSPAN Mirroring Commands” on page 444.
Table 97: Commands for Configuring VLAN Interfaces (Continued)
Command | Function | Mode
switchport forbidden vlan | Configures forbidden VLANs for an interface | IC
switchport gvrp | Enables GVRP for an interface | IC
switchport ingress-filtering | Enables ingress filtering on an interface | IC
switchport mode | Configures VLAN membership mode for an interface | IC
switchport native vlan | Configures the PVID (native VLAN) of an interface | IC
vlan-trunking
Related Commands
shutdown (397)
interface (392)
vlan (522)

switchport acceptable-frame-types
This command configures the acceptable frame types for a port. Use the no form to restore the default.
Syntax
switchport acceptable-frame-types {all | tagged}
no switchport acceptable-frame-types
all - The port accepts all frames, tagged or untagged.
tagged - The port only receives tagged frames.
vlan-list - If a VLAN list is entered without using the add option, the interface is assigned to the specified VLANs, and membership in all previous VLANs is removed. The interface is added as an untagged member if switchport mode is set to hybrid or access, or as a tagged member if switchport mode is set to trunk. Separate nonconsecutive VLAN identifiers with a comma and no spaces; use a hyphen to designate a range of IDs. (Range: 1-4094).
Example
The following example shows how to add VLANs 1, 2, 5 and 6 to the allowed list as tagged VLANs for port 1:
Console(config)#interface ethernet 1/1
Console(config-if)#switchport allowed vlan add 1,2,5,6 tagged
Console(config-if)#

switchport ingress-filtering
This command enables ingress filtering for an interface. Use the no form to restore the default.
switchport mode
This command configures the VLAN membership mode for a port. Use the no form to restore the default.
Syntax
switchport mode {access | hybrid | trunk}
no switchport mode
access - Specifies an access VLAN interface. The port transmits and receives untagged frames on a single VLAN only.
hybrid - Specifies a hybrid VLAN interface. The port may transmit tagged or untagged frames.
trunk - Specifies a port as an end-point for a VLAN trunk.
Chapter 18 | VLAN Commands Configuring VLAN Interfaces Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage ◆ When changing the PVID for a port using access mode, the port will automatically join the new PVID VLAN and leave the VLAN which it had joined before. ◆ When using Access mode, and an interface is assigned to a new VLAN, its PVID is automatically set to the identifier for that VLAN.
Chapter 18 | VLAN Commands Configuring VLAN Interfaces Figure 3: Configuring VLAN Trunking Without VLAN trunking, you would have to configure VLANs 1 and 2 on all intermediate switches – C, D and E; otherwise these switches would drop any frames with unknown VLAN group tags. However, by enabling VLAN trunking on the intermediate switch ports along the path connecting VLANs 1 and 2, you only need to create these VLAN groups in switches A and B.
Displaying VLAN Information
This section describes commands used to display VLAN information.
Table 98: Commands for Displaying VLAN Information
Command | Function | Mode
show interfaces status vlan | Displays status for the specified VLAN interface | NE, PE
show interfaces switchport | Displays the administrative and operational status of an interface | NE, PE
show vlan | Shows VLAN information | NE, PE

show vlan
This command shows VLAN information.
Configuring IEEE 802.1Q Tunneling
IEEE 802.1Q tunneling (QinQ tunneling) uses a single Service Provider VLAN (SPVLAN) for customers who have multiple VLANs. Customer VLAN IDs are preserved and traffic from different customers is segregated within the service provider’s network even when they use the same customer-specific VLAN IDs.
Chapter 18 | VLAN Commands Configuring IEEE 802.1Q Tunneling 6. Configure the SPVLAN ID as the native VID on the QinQ tunnel access port (switchport native vlan). 7. Configure the QinQ tunnel uplink port to dot1Q-tunnel uplink mode (switchport dot1q-tunnel mode). 8. Configure the QinQ tunnel uplink port to join the SPVLAN as a tagged member (switchport allowed vlan). Limitations for QinQ ◆ The native VLAN for the tunnel uplink ports and tunnel access ports cannot be the same.
dot1q-tunnel tpid
Use this command to set the global setting for the QinQ outer tag ethertype field. Use the no form of the command to set the ethertype field to the default value.
Syntax
[no] dot1q-tunnel tpid ethertype
ethertype – A specific Ethernet protocol number. (Range: 800-ffff hex)
Default Setting
The ethertype is set to 0x8100
Command Mode
Global Configuration
Command Usage
Use the dot1q-tunnel tpid command to set the global custom 802.
switchport dot1q-tunnel mode
This command configures an interface as a QinQ tunnel port. Use the no form to disable QinQ on the interface.
Syntax
switchport dot1q-tunnel mode {access | uplink}
no switchport dot1q-tunnel mode
access – Sets the port as an 802.1Q tunnel access port.
uplink – Sets the port as an 802.1Q tunnel uplink port.
Chapter 18 | VLAN Commands Configuring IEEE 802.1Q Tunneling Default Setting Disabled Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage When priority bits are found in the inner tag, these are also copied to the outer tag. This allows the service provider to differentiate service based on the indicated priority and appropriate methods of queue management at intermediate nodes across the tunnel.
differentiated service pathways to follow across the service provider’s network for traffic arriving from specified inbound customer VLANs.
◆ Note that all customer interfaces should be configured as access interfaces (that is, a user-to-network interface) and service provider interfaces as uplink interfaces (that is, a network-to-network interface). Use the switchport dot1q-tunnel mode command to set an interface to access or uplink mode.
Chapter 18 | VLAN Commands Configuring IEEE 802.1Q Tunneling Console(config)#interface ethernet 1/1 Console(config-if)#switchport dot1q-tunnel service 100 match cvid 10 Console(config-if)#switchport dot1q-tunnel service 200 match cvid 20 Console(config-if)#switchport dot1q-tunnel service 300 match cvid 30 6.
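The configuration steps in this section (set the outer-tag TPID with dot1q-tunnel tpid, make the customer-facing port a tunnel access port with the SPVLAN as its native VLAN, optionally map inbound customer VLANs to specific SPVLANs with switchport dot1q-tunnel service ... match cvid, and pass the double-tagged frame out the uplink as a tagged member) describe a frame transformation. The following Python models that transformation at the byte level so the effect of each setting can be checked. It is an added example, not code from the switch or this guide; the helper names, the constructed sample frame and the assumption that the inner tag's priority bits are copied into the outer tag (as the priority-mapping Command Usage describes) are all choices made here.

```python
"""Byte-level model of QinQ tunnel-port behaviour: a tunnel access port pushes
an outer S-tag on customer-bound-to-provider traffic and pops it on the way back.
Added example, not the switch's code; sample frames are constructed here."""
import struct
from typing import Dict, List, Optional, Tuple

DEFAULT_TPID = 0x8100                     # default outer ethertype per dot1q-tunnel tpid
KNOWN_TPIDS = {0x8100, 0x88A8, 0x9100}    # ethertypes the parser treats as VLAN tags

Tag = Tuple[int, int, int]                # (tpid, pcp, vid)


def parse_tags(frame: bytes) -> Tuple[List[Tag], int]:
    """Return the VLAN tag stack (outermost first) and the payload ethertype."""
    off, tags = 12, []                    # 6-byte dst + 6-byte src precede the first tag
    while True:
        ethertype = struct.unpack_from("!H", frame, off)[0]
        if ethertype not in KNOWN_TPIDS:
            return tags, ethertype
        tci = struct.unpack_from("!H", frame, off + 2)[0]
        tags.append((ethertype, tci >> 13, tci & 0x0FFF))
        off += 4


def tunnel_access_ingress(frame: bytes, native_svid: int, services: Dict[int, int],
                          tpid: int = DEFAULT_TPID, copy_priority: bool = True) -> bytes:
    """Customer -> provider: push the S-tag a tunnel access port would add.
    The S-VID comes from a `service ... match cvid` rule when the inner C-VID matches
    one, otherwise from the port's native VLAN (the SPVLAN). Untagged customer
    frames have no C-VID and always land in the native SPVLAN."""
    tags, _ = parse_tags(frame)
    cvid = tags[0][2] if tags else None
    svid = services.get(cvid, native_svid)
    pcp = tags[0][1] if (tags and copy_priority) else 0   # inner priority copied outward
    return frame[:12] + struct.pack("!HH", tpid, (pcp << 13) | svid) + frame[12:]


def tunnel_access_egress(frame: bytes, tpid: int = DEFAULT_TPID) -> bytes:
    """Provider -> customer: strip the outer S-tag, which must carry the tunnel TPID."""
    outer = struct.unpack_from("!H", frame, 12)[0]
    if outer != tpid:
        raise ValueError(f"outer ethertype 0x{outer:04x} is not the tunnel TPID 0x{tpid:04x}")
    return frame[:12] + frame[16:]


def make_frame(cvid: Optional[int], pcp: int = 0) -> bytes:
    """Constructed customer frame: dst, src, optional C-tag, IPv4 ethertype, dummy payload."""
    hdr = bytes.fromhex("010203040506") + bytes.fromhex("0a0b0c0d0e0f")
    tag = struct.pack("!HH", 0x8100, (pcp << 13) | cvid) if cvid is not None else b""
    return hdr + tag + struct.pack("!H", 0x0800) + b"\x45" + bytes(19)
```

With the default TPID of 0x8100 the outer tag is indistinguishable from an ordinary 802.1Q tag, so any device between the tunnel ports that reads only the first tag will treat the S-VID as the frame's VLAN; parse_tags shows why a monitoring or filtering tool on the provider side has to walk the whole tag stack before it trusts a VLAN ID.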
Console(config)#show dot1q-tunnel service 100
802.1Q Tunnel Service Subscriptions
Port     Match C-VID S-VID
-------- ----------- -----
Eth 1/ 3 10          100
Console#

show dot1q-tunnel
This command displays information about QinQ tunnel ports.
Syntax
show dot1q-tunnel [interface interface]
interface
ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number.
Eth 1/ 6 1 100
Console#
Related Commands
dot1q-tunnel tpid (534)

Configuring L2PT Tunneling
This section describes the commands used to configure Layer 2 Protocol Tunneling (L2PT).
Chapter 18 | VLAN Commands Configuring L2PT Tunneling Command Usage ◆ When L2PT is not used, protocol packets (such as STP) are flooded to 802.1Q access ports on the same edge switch, but filtered from 802.1Q tunnel ports. This creates disconnected protocol domains in the customer’s network. ◆ L2PT can be used to pass various types of protocol packets belonging to the same customer transparently across a service provider’s network.
■ L2PT is disabled on the port, the frame is decapsulated and processed locally by the switch if the protocol is supported.
■ with destination address 01-80-C2-00-00-01~0A (S-VLAN), the frame is filtered, decapsulated, and processed locally by the switch if the protocol is supported.
Example
Console(config)#dot1q-tunnel system-tunnel-control
Console(config)#l2protocol-tunnel tunnel-dmac 01-80-C2-00-00-01
Console(config)#

switchport l2protocol-tunnel
This command enables Layer 2 Protocol Tunneling (L2PT) for the specified protocol. Use the no form to disable L2PT for the specified protocol.
Chapter 18 | VLAN Commands Configuring VLAN Translation show This command shows settings for Layer 2 Protocol Tunneling (L2PT).
Chapter 18 | VLAN Commands Configuring VLAN Translation ingress - specifies ingress only egress - specifies egress only original-vlan - The original VLAN ID. (Range: 1-4094) new-vlan - The new VLAN ID. (Range: 1-4094) Default Setting Disabled Command Mode Interface Configuration (Ethernet) Command Usage ◆ If the next switch upstream does not support QinQ tunneling, then use this command to map the customer’s VLAN ID to the service provider’s VLAN ID for the upstream port.
Chapter 18 | VLAN Commands Configuring VLAN Translation Console(config-vlan)#vlan 100 media ethernet state active Console(config-vlan)#exit Console(config)#interface ethernet 1/1,2 Console(config-if)#switchport allowed vlan add 10 tagged Console(config-if)#switchport allowed vlan add 100 tagged Console(config-if)#interface ethernet 1/1 Console(config-if)#switchport vlan-translation 10 100 Console(config-if)#end Console#show vlan-translation Ingress VLAN Translation Interface Old VID New VID --------- -----
Eth 1/ 2 200 10
Console#

Configuring Protocol-based VLANs
The network devices required to support multiple protocols cannot be easily grouped into a common VLAN. This may require non-standard devices to pass traffic between different VLANs in order to encompass all the devices participating in a specific protocol. This kind of configuration deprives users of the basic benefits of VLANs, including security and easy accessibility.
access can be regained by removing the offending Protocol VLAN rule via the console. Alternately, the switch can be power-cycled; however, all unsaved configuration changes will be lost.

protocol-vlan protocol-group
This command creates a protocol group, or adds specific protocols to a group. Use the no form to remove a protocol group.
Chapter 18 | VLAN Commands Configuring Protocol-based VLANs vlan-id - VLAN to which matching protocol traffic is forwarded. (Range: 1-4094) priority - The priority assigned to untagged ingress traffic. (Range: 0-7, where 7 is the highest priority) Default Setting No protocol groups are mapped for any interface. Priority: 0 Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage ◆ When creating a protocol-based VLAN, only assign interfaces via this command.
Chapter 18 | VLAN Commands Configuring Protocol-based VLANs group-id - Group identifier for a protocol group. (Range: 1-2147483647) sort-by-type - Sort display information by frame type and protocol type. Default Setting All protocol groups are displayed.
Chapter 18 | VLAN Commands Configuring IP Subnet VLANs Configuring IP Subnet VLANs When using IEEE 802.1Q port-based VLAN classification, all untagged frames received by a port are classified as belonging to the VLAN whose VID (PVID) is associated with that port. When IP subnet-based VLAN classification is enabled, the source address of each untagged ingress frame is checked against the IP subnet-to-VLAN mapping table.
Chapter 18 | VLAN Commands Configuring IP Subnet VLANs ◆ When an untagged frame is received by a port, the source IP address is checked against the IP subnet-to-VLAN mapping table, and if an entry is found, the corresponding VLAN ID is assigned to the frame. If no mapping is found, the PVID of the receiving port is assigned to the frame. ◆ The IP subnet cannot be a broadcast or multicast IP address.
Chapter 18 | VLAN Commands Configuring MAC Based VLANs Configuring MAC Based VLANs When using IEEE 802.1Q port-based VLAN classification, all untagged frames received by a port are classified as belonging to the VLAN whose VID (PVID) is associated with that port. When MAC-based VLAN classification is enabled, the source address of each untagged ingress frame is checked against the MAC address-to-VLAN mapping table.
Chapter 18 | VLAN Commands Configuring MAC Based VLANs ◆ A source MAC address can be mapped to only one VLAN ID. ◆ Configured MAC addresses cannot be broadcast or multicast addresses. ◆ When MAC-based, IP subnet-based, and protocol-based VLANs are all enabled, untagged frames are classified in that order of precedence, with port-based (PVID) classification applied last. ◆ In binary, the mask must be a contiguous run of 1s starting from the most significant bit, followed only by 0s (e.g., 111...000); patterns such as 101 or 001 are not allowed.
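The classification order just described (MAC-based, then IP subnet-based, then protocol-based, then the port PVID) and the two validation rules for MAC entries (contiguous binary mask, no broadcast or multicast addresses) are shown below in an added Python model. It is not code from the guide or from the switch firmware; the rule tables, the constructed sample frames and the longest-mask/longest-prefix tie-breaking are assumptions made for the illustration.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional

MAC_BITS = 48


def mac_to_int(mac: str) -> int:
    """Parse xx-xx-xx-xx-xx-xx (or colon-separated) into a 48-bit integer."""
    digits = mac.replace("-", "").replace(":", "")
    if len(digits) != 12:
        raise ValueError(f"malformed MAC address: {mac!r}")
    return int(digits, 16)


def is_contiguous_mask(mask: int, bits: int = MAC_BITS) -> bool:
    """True iff the mask is a run of 1s from the top bit followed only by 0s.

    Inverting a contiguous mask gives 2^k - 1, which shares no bit with its
    successor; a hole in the run (e.g. binary 101) breaks that property.
    """
    inverted = ~mask & ((1 << bits) - 1)
    return mask != 0 and (inverted & (inverted + 1)) == 0


def is_group_mac(mac: int) -> bool:
    """I/G bit (low bit of the first octet) set: multicast, including broadcast."""
    return bool((mac >> 40) & 1)


@dataclass
class MacRule:
    address: int   # stored already masked
    mask: int
    vlan: int


@dataclass
class SubnetRule:
    network: ipaddress.IPv4Network
    vlan: int


@dataclass
class Frame:
    """Constructed ingress frame; vlan_tag is None for untagged frames."""
    src_mac: str
    ethertype: int
    src_ip: Optional[str] = None
    vlan_tag: Optional[int] = None


@dataclass
class ClassificationTable:
    mac_rules: List[MacRule] = field(default_factory=list)
    subnet_rules: List[SubnetRule] = field(default_factory=list)
    protocol_rules: Dict[int, int] = field(default_factory=dict)  # ethertype -> VLAN

    def add_mac(self, mac: str, mask: str, vlan: int) -> None:
        addr, m = mac_to_int(mac), mac_to_int(mask)
        if not is_contiguous_mask(m):
            raise ValueError(f"mask {mask} is not a contiguous prefix of 1s")
        if is_group_mac(addr):
            raise ValueError(f"{mac} is a broadcast/multicast address")
        if any(r.address == addr & m and r.mask == m for r in self.mac_rules):
            raise ValueError(f"{mac}/{mask} is already mapped to a VLAN")
        self.mac_rules.append(MacRule(addr & m, m, vlan))
        # Assumption: longest mask first, so a host entry beats an OUI entry.
        self.mac_rules.sort(key=lambda r: r.mask, reverse=True)

    def add_subnet(self, cidr: str, vlan: int) -> None:
        net = ipaddress.ip_network(cidr, strict=True)
        if net.is_multicast or net == ipaddress.ip_network("255.255.255.255/32"):
            raise ValueError(f"{cidr} is a multicast or broadcast address")
        self.subnet_rules.append(SubnetRule(net, vlan))
        self.subnet_rules.sort(key=lambda r: r.network.prefixlen, reverse=True)

    def add_protocol(self, ethertype: int, vlan: int) -> None:
        self.protocol_rules[ethertype] = vlan


def classify(frame: Frame, table: ClassificationTable, pvid: int) -> int:
    """Return the VLAN an ingress frame is placed in; tagged frames keep their tag."""
    if frame.vlan_tag is not None:
        return frame.vlan_tag
    src = mac_to_int(frame.src_mac)
    for rule in table.mac_rules:                 # 1. MAC-based
        if src & rule.mask == rule.address:
            return rule.vlan
    if frame.src_ip is not None:                 # 2. IP subnet-based, longest prefix
        ip = ipaddress.ip_address(frame.src_ip)
        for rule in table.subnet_rules:
            if ip in rule.network:
                return rule.vlan
    if frame.ethertype in table.protocol_rules:  # 3. protocol-based
        return table.protocol_rules[frame.ethertype]
    return pvid                                  # 4. port-based fallback


def build_sample_table() -> ClassificationTable:
    """Constructed sample rules, not taken from the guide."""
    table = ClassificationTable()
    table.add_mac("00-12-34-00-00-00", "ff-ff-ff-00-00-00", 100)  # an OUI -> VLAN 100
    table.add_subnet("10.1.0.0/16", 200)
    table.add_subnet("10.1.1.0/24", 201)
    table.add_protocol(0x86DD, 300)                               # IPv6 -> VLAN 300
    return table
```

Running `classify(Frame("00-12-34-AA-BB-CC", 0x0800, "10.1.1.5"), build_sample_table(), pvid=1)` returns 100 even though the source IP also matches a subnet rule, which is exactly the precedence the bullet list states.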
Chapter 18 | VLAN Commands Configuring Voice VLANs Configuring Voice VLANs The switch allows you to specify a Voice VLAN for the network and set a CoS priority for the VoIP traffic. VoIP traffic can be detected on switch ports by using the source MAC address of packets, or by using LLDP (IEEE 802.1AB) to discover connected VoIP devices. When VoIP traffic is detected on a configured port, the switch automatically assigns the port to the Voice VLAN. Alternatively, switch ports can be manually configured.
Chapter 18 | VLAN Commands Configuring Voice VLANs ◆ VoIP traffic can be detected on switch ports by using the source MAC address of packets, or by using LLDP (IEEE 802.1AB) to discover connected VoIP devices. When VoIP traffic is detected on a configured port, the switch automatically assigns the port as a tagged member of the Voice VLAN. ◆ Only one Voice VLAN is supported and it must already be created on the switch before it can be specified as the Voice VLAN.
Chapter 18 | VLAN Commands Configuring Voice VLANs Note that when the switchport voice vlan command is set to auto mode, the show voice vlan command displays the remaining aging time. Otherwise, if the switchport voice vlan command is disabled or set to manual mode, the remaining aging time is displayed as “NA.” Example The following example configures the Voice VLAN aging time as 3000 minutes.
Chapter 18 | VLAN Commands Configuring Voice VLANs Example The following example adds a MAC OUI to the OUI Telephony list.
Console(config)#voice vlan mac-address 00-12-34-56-78-90 mask ff-ff-ff-00-00-00 description "A new phone"
Console(config)#
switchport voice vlan This command specifies the Voice VLAN mode for ports. Use the no form to disable the Voice VLAN feature on the port.
Chapter 18 | VLAN Commands Configuring Voice VLANs switchport voice vlan priority This command specifies a CoS priority for VoIP traffic on a port. Use the no form to restore the default priority on a port. Syntax switchport voice vlan priority priority-value no switchport voice vlan priority priority-value - The CoS priority value. (Range: 0-6) Default Setting 6 Command Mode Interface Configuration Command Usage Specifies a CoS priority to apply to the port VoIP traffic on the Voice VLAN.
Chapter 18 | VLAN Commands Configuring Voice VLANs Command Usage ◆ When OUI is selected, be sure to configure the MAC address ranges in the Telephony OUI list (see the voice vlan mac-address command). MAC address OUI numbers must be configured in the Telephony OUI list so that the switch recognizes the traffic as being from a VoIP device. ◆ LLDP checks that the “telephone bit” in the system capability TLV is turned on. See “LLDP Commands” on page 723 for more information on LLDP.
Chapter 18 | VLAN Commands Configuring Voice VLANs show voice vlan This command displays the Voice VLAN settings on the switch and the OUI Telephony list. Syntax show voice vlan {oui | status} oui - Displays the OUI Telephony list. status - Displays the global and port Voice VLAN settings.
19 ERPS Commands The G.8032 recommendation, also referred to as Ethernet Ring Protection Switching (ERPS), can be used to increase the availability and robustness of Ethernet rings. This chapter describes commands used to configure ERPS.
Chapter 19 | ERPS Commands
Table 106: ERPS Commands (Continued)
Command          Function                                                                             Mode
raps-def-mac     Sets the switch’s MAC address to be used as the node identifier in R-APS messages    ERPS Inst
raps-without-vc  Terminates the R-APS channel at the primary ring to sub-ring interconnection nodes   ERPS Inst
version          Specifies compatibility with ERPS version 1 or 2                                     ERPS Inst
inclusion-vlan   Specifies the VLAN groups to be included in the ERPS protection ring.               ERPS Inst
Chapter 19 | ERPS Commands 6. Configure ERPS timers: Use the guard-timer command to set the timer used to prevent ring nodes from receiving outdated R-APS messages, the holdoff-timer command to filter out intermittent link faults, and the wtr-timer command to verify that the ring has stabilized before blocking the RPL after recovery from a signal failure. 7. Configure the ERPS Control VLAN (CVLAN): Use the control-vlan command to create the VLAN used to pass R-APS ring maintenance commands.
Chapter 19 | ERPS Commands Example Console(config)#erps Console(config)# Related Commands enable (ring) (570) erps node-id This command sets the MAC address for a ring node. Use the no form to restore the default setting. Syntax erps node-id mac-address no erps node-id mac-address – A MAC address unique to the ring node. The MAC address must be specified in the format xx-xx-xx-xx-xx-xx or xxxxxxxxxxxx.
Chapter 19 | ERPS Commands erps vlan-group This command creates or modifies an ERPS VLAN group. Use the no form of this command to remove VLANs from a VLAN group or to delete a VLAN group. Syntax erps vlan-group vlan-group-name {add|remove} vlan-list no erps vlan-group vlan-group-name vlan-group-name – Name of the VLAN group. (Range: 1-12 characters). add – Adds VLANs to a group. remove – Deletes VLANs from a group.
Chapter 19 | ERPS Commands Command Usage ◆ The switch can support ERPS rings up to half the number of physical ports on the switch. Example Console(config)#erps ring campus1 Console(config-erps-ring)# erps instance This command creates an ERPS instance and enters ERPS instance configuration mode. Use the no form to delete an ERPS instance. Syntax erps instance instance-name [id ring-id] no erps instance instance-name instance-name - Name of a specific ERPS instance.
Chapter 19 | ERPS Commands ring-port This command configures a node’s connection to the ring through the east or west interface. Use the no form to disassociate a node from the ring. Syntax ring-port {east | west} interface interface no ring-port {east | west} east - Connects to next ring node to the east. west - Connects to next ring node to the west. interface ethernet unit/port unit - Unit identifier. (Range: 1) port - Port number.
Chapter 19 | ERPS Commands exclusion-vlan Use this command to specify VLAN groups that are to be on the exclusion list of a physical ERPS ring. Use the no form of the command to remove VLAN groups from the list. Syntax [no] exclusion-vlan vlan-group-name vlan-group-name - Name of the VLAN group. (Range: 1-12 characters) Default Setting None Command Mode ERPS Ring Configuration Command Usage ◆ VLANs that are on the exclusion list are not protected by the ERPS ring.
Chapter 19 | ERPS Commands ◆ Once enabled, the RPL owner node and non-owner node state machines will start, and the ring will enter idle state if no signal failures are detected. Example Console(config-erps-ring)#enable Console(config-erps-ring)# Related Commands erps (565) enable (instance) This command activates the current ERPS instance. Use the no form to disable the current instance.
Chapter 19 | ERPS Commands no meg-level level - The maintenance entity group (MEG) level which provides a communication channel for ring automatic protection switching (R-APS) information. (Range: 0-7) Default Setting 1 Command Mode ERPS Instance Configuration Command Usage ◆ This parameter is used to ensure that received R-APS PDUs are directed for this instance. A unique level should be configured for each local instance if there are many R-APS PDUs passing through this switch.
Chapter 19 | ERPS Commands ■ The Control VLAN must not be configured as a Layer 3 interface (with an IP address), nor as a dynamic VLAN (with GVRP enabled). ■ In addition, only ring ports may be added to the Control VLAN. No other ports can be members of this VLAN. ■ Also, the ring ports of the Control VLAN must be tagged. Once the instance has been activated with the enable (instance) command, the configuration of the control VLAN cannot be modified.
Chapter 19 | ERPS Commands Example Console(config-erps-inst)#rpl owner Console(config-erps-inst)# rpl neighbor This command configures a ring node to be the Ring Protection Link (RPL) neighbor. Use the no form to restore the default setting.
Chapter 19 | ERPS Commands wtr-timer This command sets the wait-to-restore timer which is used to verify that the ring has stabilized before blocking the RPL after recovery from a signal failure. Use the no form to restore the default setting. Syntax wtr-timer minutes no wtr-timer minutes - The wait-to-restore timer is used to verify that the ring has stabilized before blocking the RPL after recovery from a signal failure.
Chapter 19 | ERPS Commands Command Usage The guard timer duration should be greater than the maximum expected forwarding delay for an R-APS message to pass around the ring. A side-effect of the guard timer is that during its duration, a node will be unaware of new or existing ring requests transmitted from other nodes. Example Console(config-erps-inst)#guard-timer 300 Console(config-erps-inst)# holdoff-timer This command sets the timer to filter out intermittent link faults.
Chapter 19 | ERPS Commands major-ring This command specifies the ERPS ring used for sending control packets. Use the no form to remove the current setting. Syntax major-ring instance-name no major-ring instance-name - Name of the ERPS instance used for sending control packets. (Range: 1-12 characters) Default Setting None Command Mode ERPS Instance Configuration Command Usage ◆ ERPS control packets can only be sent on one instance.
Chapter 19 | ERPS Commands Command Usage ◆ When a secondary ring detects a topology change, it can pass a message about this event to the major ring. When the major ring receives this kind of message from a secondary ring, it can clear the MAC addresses on its ring ports to help the secondary ring restore its connections more quickly through protection switching. ◆ When the MAC addresses are cleared, data traffic may flood onto the major ring.
Chapter 19 | ERPS Commands Default Setting Disabled Command Mode ERPS Instance Configuration Command Usage ◆ Revertive behavior allows the switch to automatically return the RPL from Protection state to Idle state through the exchange of protocol messages. Non-revertive behavior for the Protection, Forced Switch, and Manual Switch states is basically the same. Non-revertive behavior requires the erps clear command to be used to return the RPL from Protection state to Idle state.
Chapter 19 | ERPS Commands it is an R-APS (NR, RB) message without a DNF (do not flush) indication, all ring nodes flush the FDB. ■ Recovery with Non-revertive Mode – In non-revertive operation, the ring does not automatically revert when all ring links and ring nodes have recovered and no external requests are active. Non-revertive operation is handled in the following way: a. The RPL Owner Node does not generate a response on reception of an R-APS (NR) messages. b.
Chapter 19 | ERPS Commands channel over the RPL, transmitting an R-APS (NR, RB) message over both ring ports, informing the ring that the RPL is blocked, and flushes the FDB. d. The acceptance of the R-APS (NR, RB) message causes all ring nodes to unblock any blocked non-RPL that does not have an SF condition. If it is an R-APS (NR, RB) message without a DNF indication, all ring nodes flush their FDB. This action unblocks the ring port which was blocked as a result of an operator command.
Chapter 19 | ERPS Commands APS (MS) message is ignored due to the higher priority of the WTB running signal. b. When the WTB timer expires, it generates the WTB expire signal. The RPL Owner Node, upon reception of this signal, initiates reversion by blocking the traffic channel on the RPL, transmitting an R-APS (NR, RB) message over both ring ports, informing the ring that the RPL is blocked, and flushes its FDB. c.
Chapter 19 | ERPS Commands Command Usage ◆ When ring nodes running ERPSv1 and ERPSv2 co-exist on the same ring, the Ring ID of each ring node must be configured as “1”. ◆ If this command is disabled, the following strings are used as the node identifier: ■ ERPSv1: 01-19-A7-00-00-01 ■ ERPSv2: 01-19-A7-00-00-[Ring ID] Example Console(config-erps-inst)#raps-def-mac Console(config-erps-inst)# raps-without-vc This command terminates the R-APS channel at the primary ring to sub-ring interconnection nodes.
Chapter 19 | ERPS Commands Note that the R-APS virtual channel requires a certain amount of bandwidth to forward R-APS messages on the interconnected Ethernet network where a subring is attached. Also note that the protection switching time of the sub-ring may be affected if R-APS messages traverse a long distance over an R-APS virtual channel.
Chapter 19 | ERPS Commands
Figure 7: Sub-ring without Virtual Channel / Sub-ring with Virtual Channel (legend: RPL Port, Interconnection Node, Ring Node, Major Ring)
Example Console(config-erps-inst)#raps-without-vc Console(config-erps-inst)# version This command specifies compatibility with ERPS version 1 or 2. Syntax version {1 | 2} no version 1 - ERPS version 1 based on ITU-T G.8032/Y.1344. 2 - ERPS version 2 based on ITU-T G.8032/Y.1344 Version 2.
Chapter 19 | ERPS Commands ◆ The version number is automatically set to “1” when a ring node, supporting only the functionalities of G.8032v1, exists on the same ring with other nodes that support G.8032v2. ◆ When ring nodes running G.8032v1 and G.8032v2 co-exist on a ring, the ring ID of each node is configured as “1”. ◆ In version 1, the MAC address 01-19-A7-00-00-01 is used for the node identifier. The raps-def-mac command has no effect.
Chapter 19 | ERPS Commands physical-ring Use this command to associate an ERPS instance with an existing physical ring. Use the no form of the command to remove the association. Syntax physical-ring ring-name no physical-ring ring-name - Name of a specific ERPS ring. (Range: 1-12 characters) Default Setting None Command Mode ERPS Instance Configuration Command Usage The physical ring name must first be defined using the erps ring command.
Chapter 19 | ERPS Commands continuously transmitted by this ring node while the local FS command is the ring node’s highest priority command (see Table 107 on page 588). The R-APS (FS) message informs other ring nodes of the FS command and that the traffic channel is blocked on one ring port. c. A ring node accepting an R-APS (FS) message, without any local higher priority requests unblocks any blocked ring port. This action subsequently unblocks the traffic channel over the RPL. d.
Chapter 19 | ERPS Commands
Table 107: ERPS Request/State Priority (Continued)
Request / State and Status   Type     Priority
WTB Expires                  local    |
WTB Running                  local    |
R-APS (NR, RB)               remote   |
R-APS (NR)                   remote   lowest
* If an Ethernet Ring Node is in the Forced Switch state, local SF is ignored.
◆ Recovery for forced switching under revertive and non-revertive mode is described under the Command Usage section for the non-revertive command.
Chapter 19 | ERPS Commands a. If no other higher priority commands exist, the ring node, where a manual switch command was issued, blocks the traffic channel and R-APS channel on the ring port to which the command was issued, and unblocks the other ring port. b. If no other higher priority commands exist, the ring node where the manual switch command was issued transmits R-APS messages over both ring ports indicating MS.
Chapter 19 | ERPS Commands Example Console#erps manual-switch instance r&d west Console# erps clear This command manually clears the protection state invoked by a forced switch or manual switch command when the node is operating in non-revertive mode, or clears it before the WTR or WTB timer expires when the node is operating in revertive mode. Syntax erps clear instance instance-name instance-name - Name of a specific ERPS instance.
Chapter 19 | ERPS Commands Command Mode Privileged Exec Example Console#clear erps statistics instance r&d Console# show erps statistics This command displays statistics information for all configured instances, or for a specified instance. Syntax show erps statistics [instance instance-name] instance-name - Name of a specific ERPS instance. (Range: 1-12 characters) Command Mode Privileged Exec Example This example displays statistics for all configured ERPS instances.
Chapter 19 | ERPS Commands Table 108: show erps statistics - detailed display description Field Description Interface The direction, and port or trunk which is configured as a ring port. Local SF A signal fault generated on a link to the local node.
Chapter 19 | ERPS Commands
Console#
This example displays a summary of all the ERPS rings configured on the switch.
Console#show erps ring
ERPS Status : Enabled
ERPS node-id : B8-6A-97-41-F3-83
Number of ERPS Ring : 2
Ring         ID  Enabled West I/F  EAST I/F
------------ --- ------- --------- ---------
test1        1   No
campus1      2   Yes     Eth 1/1   Eth 1/3
Console#
Table 109: show erps ring - summary display description
Field        Description
ERPS Status  Shows whether ERPS is enabled on the switch.
Chapter 19 | ERPS Commands This example displays a summary of all the ERPS instances configured on the switch.
20 Class of Service Commands The commands described in this section allow you to specify which data packets have greater precedence when traffic is buffered in the switch due to congestion. This switch supports CoS with eight priority queues for each port. Data packets in a port’s high-priority queue will be transmitted before those in the lower-priority queues.
Chapter 20 | Class of Service Commands Priority Commands (Layer 2) queue mode This command sets the scheduling mode used for processing each of the class of service (CoS) priority queues. The options include strict priority, Weighted Round-Robin (WRR), or a combination of strict and weighted queuing. Use the no form to restore the default value.
Chapter 20 | Class of Service Commands Priority Commands (Layer 2) ◆ Service time is shared at the egress ports by defining scheduling weights for WRR, or for the queuing mode that uses a combination of strict and weighted queuing. Service time is allocated to each queue by calculating a precise number of bytes per second that will be serviced on each round. ◆ The specified queue mode applies to all interfaces.
Chapter 20 | Class of Service Commands Priority Commands (Layer 2) Example The following example shows how to assign round-robin weights of 1 - 8 to the CoS priority queues 0 - 7. Console(config)#queue weight 1 2 3 4 5 6 7 8 Console(config)# Related Commands queue mode (598) show queue weight (601) switchport priority default This command sets a priority for incoming untagged frames. Use the no form to restore the default value.
Chapter 20 | Class of Service Commands Priority Commands (Layer 2) Example The following example shows how to set a default priority on port 3 to 5: Console(config)#interface ethernet 1/3 Console(config-if)#switchport priority default 5 Console(config-if)# Related Commands show interfaces switchport (407) show queue mode This command shows the current queue mode.
Chapter 20 | Class of Service Commands Priority Commands (Layer 3 and 4) 7 14 ... Priority Commands (Layer 3 and 4) This section describes commands used to configure Layer 3 and 4 traffic priority mapping on the switch.
Chapter 20 | Class of Service Commands Priority Commands (Layer 3 and 4) qos map phb-queue This command determines the hardware output queues to use based on the internal per-hop behavior value. Use the no form to restore the default settings. Syntax qos map phb-queue queue-id from phb0 ... phb7 no map phb-queue phb0 ... phb7 phb - Per-hop behavior, or the priority used for this router hop. (Range: 0-7) queue-id - The ID of the priority queue.
Chapter 20 | Class of Service Commands Priority Commands (Layer 3 and 4) qos map cos-dscp This command maps CoS/CFI values in incoming packets to per-hop behavior and drop precedence values for priority processing. Use the no form to restore the default settings. Syntax qos map cos-dscp phb drop-precedence from cos0 cfi0...cos7 cfi7 no qos map cos-dscp cos0 cfi0...cos7 cfi7 phb - Per-hop behavior, or the priority used for this router hop.
Chapter 20 | Class of Service Commands Priority Commands (Layer 3 and 4) drop precedence values for internal processing. Note that priority tags in the original packet are not modified by this command. ◆ The internal DSCP consists of three bits for per-hop behavior (PHB) which determines the queue to which a packet is sent; and two bits for drop precedence (namely color) which is used to control traffic congestion. ◆ The specified mapping applies to all interfaces.
Chapter 20 | Class of Service Commands Priority Commands (Layer 3 and 4) Table 115: Default Mapping of DSCP Values to Internal PHB/Drop Values The ingress DSCP is composed of ingress-dscp10 (most significant digit in the left column) and ingress-dscp1 (least significant digit in the top row (in other words, ingress-dscp = ingress-dscp10 * 10 + ingress-dscp1); and the corresponding internal-dscp is shown at the intersecting cell in the table.
Chapter 20 | Class of Service Commands Priority Commands (Layer 3 and 4) phb - Per-hop behavior, or the priority used for this router hop. (Range: 0-7) drop-precedence - Drop precedence used for controlling traffic congestion.
Chapter 20 | Class of Service Commands Priority Commands (Layer 3 and 4) Command Usage ◆ If the QoS mapping mode is set to DSCP with this command, and the ingress packet type is IPv4, then priority processing will be based on the DSCP value in the ingress packet. ◆ If the QoS mapping mode is set to DSCP, and a non-IP packet is received, the packet's CoS and CFI (Canonical Format Indicator) values are used for priority processing if the packet is tagged.
Chapter 20 | Class of Service Commands Priority Commands (Layer 3 and 4)
CoS-DSCP map.(x,y),x: phb,y: drop precedence:
CoS : CFI   0      1
---------------------------------
0         (0,0)  (0,0)
1         (1,0)  (1,0)
2         (2,0)  (2,0)
3         (3,0)  (3,0)
4         (4,0)  (4,0)
5         (5,0)  (5,0)
6         (6,0)  (6,0)
7         (7,0)  (7,0)
Console#
show qos map dscp-mutation This command shows the ingress DSCP to internal DSCP map.
Syntax show qos map dscp-mutation interface interface
interface ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number.
Chapter 20 | Class of Service Commands Priority Commands (Layer 3 and 4) show qos map ip-prec-dscp This command shows the ingress IP precedence to internal DSCP map. Syntax show qos map ip-prec-dscp interface interface interface ethernet unit/port unit - Stack unit. (Range: 1) port - Port number.
Chapter 20 | Class of Service Commands Priority Commands (Layer 3 and 4)
Example
Console#show qos map phb-queue interface ethernet 1/5
Information of Eth 1/5
PHB-queue map:
PHB:   0 1 2 3 4 5 6 7
-------------------------------------------------------
queue: 2 0 1 3 4 5 6 7
Console#
show qos map trust-mode This command shows the QoS mapping mode.
Syntax show qos map trust-mode interface interface
interface ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number.
21 Quality of Service Commands The commands described in this section are used to configure Differentiated Services (DiffServ) classification criteria and service policies. You can classify traffic based on access lists, IP Precedence or DSCP values, or VLANs. Using access lists allows you to select traffic based on Layer 2, Layer 3, or Layer 4 information contained in each packet.
Chapter 21 | Quality of Service Commands To create a service policy for a specific category of ingress traffic, follow these steps: 1. Use the class-map command to designate a class name for a specific category of traffic, and enter the Class Map configuration mode. 2. Use the match command to select a specific type of traffic based on an access list, an IPv4 DSCP value, IPv4 Precedence value, a VLAN, or a CoS value. 3.
Chapter 21 | Quality of Service Commands Command Usage ◆ First enter this command to designate a class map and enter the Class Map configuration mode. Then use match commands to specify the criteria for ingress traffic that will be classified under this class map. ◆ One or more class maps can be assigned to a policy map (page 618). The policy map is then bound by a service policy to an interface (page 628). A service policy defines packet classification, service tagging, and bandwidth policing.
Chapter 21 | Quality of Service Commands match This command defines the criteria used to classify traffic. Use the no form to delete the matching criteria. Syntax [no] match {access-list acl-name | cos cos | ip dscp dscp | ip precedence ip-precedence | ipv6 dscp dscp | source-port interface | vlan vlan} acl-name - Name of the access control list. Any type of ACL can be specified, including standard or extended IP ACLs and MAC ACLs. (Range: 1-16 characters) cos - A Class of Service value.
Chapter 21 | Quality of Service Commands Example This example creates a class map called “rd-class#1,” and sets it to match packets marked for DSCP service value 3. Console(config)#class-map rd-class#1 match-any Console(config-cmap)#match ip dscp 3 Console(config-cmap)# This example creates a class map called “rd-class#2,” and sets it to match packets marked for IP Precedence service value 5.
Chapter 21 | Quality of Service Commands policy-map This command creates a policy map that can be attached to multiple interfaces, and enters Policy Map configuration mode. Use the no form to delete a policy map. Syntax [no] policy-map policy-map-name policy-map-name - Name of the policy map.
Chapter 21 | Quality of Service Commands Command Mode Policy Map Configuration Command Usage ◆ Use the policy-map command to specify a policy map and enter Policy Map configuration mode. Then use the class command to enter Policy Map Class configuration mode. And finally, use the set command and one of the police commands to specify the match criteria, where the: ■ set phb command sets the per-hop behavior value in matching packets. (This modifies packet priority for internal processing only.
Chapter 21 | Quality of Service Commands violate-action - Action to take when packet exceeds the CIR and BC. (There are not enough tokens to service the packet, the packet is set red). transmit - Transmits without taking any action. drop - Drops packet as required by violate-action. new-dscp - Differentiated Service Code Point (DSCP) value. (Range: 0-63) Default Setting None Command Mode Policy Map Class Configuration Command Usage You can configure up to 16 policers (i.e., class maps) for ingress ports.
Chapter 21 | Quality of Service Commands Console(config-pmap-c)#police flow 100000 4000 conform-action transmit violate-action drop Console(config-pmap-c)# police srtcm-color This command defines an enforcer for classified traffic based on a single rate three color meter (srTCM). Use the no form to remove a policer.
Chapter 21 | Quality of Service Commands ◆ The srTCM as defined in RFC 2697 meters a traffic stream and processes its packets according to three traffic parameters – Committed Information Rate (CIR), Committed Burst Size (BC), and Excess Burst Size (BE). ◆ The PHB label is composed of five bits, three bits for per-hop behavior, and two bits for the color scheme used to control queue congestion.
Chapter 21 | Quality of Service Commands Example This example creates a policy called “rd-policy,” uses the class command to specify the previously defined “rd-class,” uses the set phb command to classify the service that incoming packets will receive, and then uses the police srtcm-color-blind command to limit the average bandwidth to 100,000 Kbps, the committed burst rate to 4000 bytes, the excess burst rate to 6000 bytes, to remark any packets exceeding the committed burst size, and to drop any packets
Chapter 21 | Quality of Service Commands drop - Drops packet as required by exceed-action or violate-action. transmit - Transmits without taking any action. new-dscp - Differentiated Service Code Point (DSCP) value. (Range: 0-63) Default Setting None Command Mode Policy Map Class Configuration Command Usage You can configure up to 16 policers (i.e., class maps) for ingress ports.
Chapter 21 | Quality of Service Commands When a packet of size B bytes arrives at time t, the following happens if trTCM is configured to operate in color-aware mode:
■ If the packet has been precolored as red or if Tp(t)-B < 0, the packet is red,
■ else if the packet has been precolored as yellow or if Tc(t)-B < 0, the packet is yellow and Tp is decremented by B,
■ else the packet is green and both Tp and Tc are decremented by B.
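The three-step color-aware decision above, and the single rate meter (CIR, BC, BE) that the police srtcm-color command relies on, are implemented below as an added Python example. It is not code from the guide or from the switch; the token buckets Tp and Tc follow RFC 2698 (trTCM) and Tc/Te follow RFC 2697 (srTCM), the rates are in bytes per second, and the `police` mapping of colors to transmit / remark / drop actions is a simplified stand-in for the switch's conform-, exceed- and violate-action options.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Tuple


class Color(Enum):
    GREEN = "green"    # conform
    YELLOW = "yellow"  # exceed
    RED = "red"        # violate


@dataclass
class TrTCM:
    """Two rate three color meter (RFC 2698): peak bucket Tp and committed bucket Tc."""
    cir: float          # committed information rate, bytes per second
    cbs: int            # committed burst size, bytes (capacity of Tc)
    pir: float          # peak information rate, bytes per second
    pbs: int            # peak burst size, bytes (capacity of Tp)
    color_aware: bool = False

    def __post_init__(self) -> None:
        self.tc = float(self.cbs)   # both buckets start full
        self.tp = float(self.pbs)
        self.last = 0.0

    def _refill(self, now: float) -> None:
        elapsed = max(0.0, now - self.last)   # ignore clock going backwards
        self.last = max(self.last, now)
        self.tc = min(self.cbs, self.tc + self.cir * elapsed)
        self.tp = min(self.pbs, self.tp + self.pir * elapsed)

    def meter(self, size: int, now: float, precolor: Color = Color.GREEN) -> Color:
        """Color a packet of `size` bytes arriving at time `now` (seconds)."""
        self._refill(now)
        aware = self.color_aware
        if (aware and precolor is Color.RED) or self.tp - size < 0:
            return Color.RED                      # red: no tokens consumed
        if (aware and precolor is Color.YELLOW) or self.tc - size < 0:
            self.tp -= size                       # yellow: only Tp is charged
            return Color.YELLOW
        self.tc -= size                           # green: both buckets charged
        self.tp -= size
        return Color.GREEN


@dataclass
class SrTCM:
    """Single rate three color meter (RFC 2697): Tc fills first at CIR, overflow goes to Te."""
    cir: float          # committed information rate, bytes per second
    cbs: int            # committed burst size (the guide's BC)
    ebs: int            # excess burst size (the guide's BE)
    color_aware: bool = False

    def __post_init__(self) -> None:
        self.tc = float(self.cbs)
        self.te = float(self.ebs)
        self.last = 0.0

    def _refill(self, now: float) -> None:
        elapsed = max(0.0, now - self.last)
        self.last = max(self.last, now)
        tokens = self.cir * elapsed
        to_c = min(tokens, self.cbs - self.tc)    # top up Tc, spill the rest into Te
        self.tc += to_c
        self.te = min(self.ebs, self.te + tokens - to_c)

    def meter(self, size: int, now: float, precolor: Color = Color.GREEN) -> Color:
        self._refill(now)
        aware = self.color_aware
        if aware and precolor is Color.RED:
            return Color.RED
        if not (aware and precolor is Color.YELLOW) and self.tc - size >= 0:
            self.tc -= size
            return Color.GREEN
        if self.te - size >= 0:
            self.te -= size
            return Color.YELLOW
        return Color.RED


def police(color: Color, exceed_dscp: Optional[int] = None) -> Tuple[str, Optional[int]]:
    """Assumed policer: green transmits, yellow is remarked when a DSCP is given, red is dropped."""
    if color is Color.GREEN:
        return ("transmit", None)
    if color is Color.YELLOW:
        return ("remark", exceed_dscp) if exceed_dscp is not None else ("transmit", None)
    return ("drop", None)
```

With constructed parameters `TrTCM(cir=1000, cbs=2000, pir=2000, pbs=3000)`, three back-to-back packets of 1500, 1000 and 1000 bytes at t=0 come out green, yellow and red in turn: the first drains Tc below 1000, the second is charged to Tp only, and the third finds Tp short as well. Waiting one second refills both buckets enough for a 1000-byte packet to be green again.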
Chapter 21 | Quality of Service Commands ◆ The set cos and set phb commands function at the same level of priority. Therefore setting either of these commands will overwrite any action already configured by the other command.
Chapter 21 | Quality of Service Commands Command Usage The set ip dscp command is used to set the priority values in the packet’s ToS field for matching packets.
Chapter 21 | Quality of Service Commands Example This example creates a policy called “rd-policy,” uses the class command to specify the previously defined “rd-class,” uses the set phb command to classify the service that incoming packets will receive, and then uses the police flow command to limit the average bandwidth to 100,000 Kbps, the burst rate to 4000 bytes, and configure the response to drop any violating packets.
Chapter 21 | Quality of Service Commands show class-map This command displays the QoS class maps which define matching criteria used for classifying traffic. Syntax show class-map [class-map-name] class-map-name - Name of the class map. (Range: 1-32 characters) Default Setting Displays all class maps.
Chapter 21 | Quality of Service Commands
Description:
class rd-class
set phb 3
Console#show policy-map rd-policy class rd-class
Policy Map rd-policy
class rd-class
set phb 3
Console#
show policy-map interface This command displays the service policy assigned to the specified interface.
Syntax show policy-map interface interface input
interface unit/port
unit - Unit identifier. (Range: 1)
port - Port number.
22 Control Plane Commands
Network control packets that are received by the switch are handled by the CPU. This traffic can potentially overwhelm the switch CPU and impact the overall system performance. To prevent the switch CPU from receiving too much traffic, QoS class maps and policy maps can be defined and applied as a service policy to ingress traffic on the CPU's "control-plane" interface. For details on configuring QoS class maps and policy maps, see "Quality of Service Commands" on page 613.

Chapter 22 | Control Plane Commands
service-policy
This command applies a QoS policy map defined by the policy-map command to the ingress side of the control-plane interface. Use the no form to remove this mapping.
Syntax
[no] service-policy input policy-map-name
  input - Apply to the input traffic.
  policy-map-name - Name of the policy map for this interface. (Range: 1-32 characters)
Default Setting
No policy map is attached to the control-plane interface.
Example
Console#show policy-map control-plane input
Console#show policy-map control-plane input class cp-class hardware counters
Service-policy cpu-rate-limit-policy
 Class-map cp-class
  Receive Packets: 95
  Drop Packets: 0
Console#
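The rate limiter that a police flow action applies to control-plane input, as an added example (illustrative Python, not Edge-core code): a single-rate token bucket fed with the parameters from the policy-map example in the previous chapter, 100,000 Kbps average rate and a 4000-byte burst, with violating packets dropped and counted the way the Receive/Drop counters above are. Treating the policer as one bucket measured in bytes with a rate in kbit/s is this example's assumption about the hardware, and the packet sizes and timings are constructed.

```python
"""Token-bucket model of 'police flow' applied to the control-plane interface.

Added example, not Edge-core code. Assumptions (not stated in the manual):
the policer is a single token bucket whose committed rate is given in kbit/s
and whose depth is the burst size in bytes; a packet conforms when the bucket
holds at least its size in tokens, otherwise it is dropped and counted,
mirroring the Receive/Drop counters of
'show policy-map control-plane input class <name> hardware counters'.
"""


class FlowPolicer:
    """Single-rate policer: police flow <rate_kbps> <burst_bytes>, violate-action drop."""

    def __init__(self, rate_kbps, burst_bytes):
        self.rate_bytes_per_s = rate_kbps * 1000 / 8   # committed information rate
        self.burst_bytes = burst_bytes                 # bucket depth
        self.tokens = float(burst_bytes)               # bucket starts full
        self.last_t = 0.0
        self.received = 0
        self.dropped = 0

    def _refill(self, now):
        elapsed = max(0.0, now - self.last_t)
        self.last_t = max(self.last_t, now)
        self.tokens = min(self.burst_bytes, self.tokens + elapsed * self.rate_bytes_per_s)

    def offer(self, now, size):
        """Return True if the packet conforms (hand it to the CPU), False if it is dropped."""
        self.received += 1
        self._refill(now)
        if size <= self.tokens:
            self.tokens -= size
            return True
        self.dropped += 1
        return False

    def counters(self):
        return {"Receive Packets": self.received, "Drop Packets": self.dropped}


def offer_burst(policer, count, size, start, spacing):
    """Offer `count` packets of `size` bytes, the first at `start` seconds and `spacing`
    seconds apart. Returns how many conformed."""
    return sum(policer.offer(start + i * spacing, size) for i in range(count))


def simulate_cpu_flood():
    """Constructed traffic against the manual's example policer (100,000 Kbps, 4000-byte burst).

    Returns (packets passed to the CPU, counters)."""
    p = FlowPolicer(rate_kbps=100_000, burst_bytes=4000)
    # back-to-back 1000-byte packets: 4 fit the burst, the other 6 are dropped
    passed = offer_burst(p, 10, 1000, start=0.0, spacing=0.0)
    # 1 ms later the bucket has refilled to its 4000-byte depth: 3 more pass
    passed += offer_burst(p, 3, 1000, start=0.001, spacing=0.0)
    # 1000 bytes every 100 us is 80 Mbit/s, under the 100 Mbit/s rate: all 100 pass
    passed += offer_burst(p, 100, 1000, start=0.01, spacing=0.0001)
    return passed, p.counters()


if __name__ == "__main__":
    print(simulate_cpu_flood())
```

The burst size, not the rate, decides how many packets of a sudden flood reach the CPU; a 4000-byte bucket admits four 1000-byte packets no matter how high the committed rate is, which is why the burst parameter is the one to keep small on a control-plane policy.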
23 Multicast Filtering Commands
This switch uses IGMP (Internet Group Management Protocol) to check for any attached hosts that want to receive a specific multicast service. It identifies the ports containing hosts requesting a service and sends data out to those ports only. It then propagates the service request up to any neighboring multicast switch/router to ensure that it will continue to receive the multicast service.

Chapter 23 | Multicast Filtering Commands
IGMP Snooping
Table 120: IGMP Snooping Commands (Continued)
Command | Function | Mode
ip igmp snooping router-port-expire-time | Configures the querier timeout | GC
ip igmp snooping tcn-flood | Floods multicast traffic when a Spanning Tree topology change occurs | GC
ip igmp snooping tcn-query-solicit | Sends an IGMP Query Solicitation when a Spanning Tree topology change occurs | GC
ip igmp snooping unregistered-data-flood | Floods unregistered multicast traffic into th

Table 120: IGMP Snooping Commands (Continued)
Command | Function | Mode
clear ip igmp snooping statistics | Clears IGMP snooping statistics | PE
show ip igmp snooping | Shows the IGMP snooping, proxy, and query configuration | PE
show ip igmp snooping group | Shows known multicast group, source, and host port mapping | PE
show ip igmp snooping mrouter | Shows multicast router ports | PE
show ip igmp snooping statistics | Shows IGMP snooping protocol statisti

ip igmp snooping mrouter-forward-mode dynamic
This command configures multicast router ports to forward multicast streams only when multicast groups are joined. Use the no form to disable it.
Syntax
ip igmp snooping mrouter-forward dynamic
no ip igmp snooping mrouter-forward
Default Setting
Disabled
Command Mode
Global Configuration
Example
The following example enables IGMP dynamic forwarding.

ip igmp snooping proxy-reporting
This command enables IGMP Snooping with Proxy Reporting. Use the no form to restore the default setting.
Syntax
[no] ip igmp snooping proxy-reporting
ip igmp snooping vlan vlan-id proxy-reporting {enable | disable}
no ip igmp snooping vlan vlan-id proxy-reporting
  vlan-id - VLAN ID (Range: 1-4094)
  enable - Enable on the specified VLAN.
  disable - Disable on the specified VLAN.

ip igmp snooping querier
This command enables the switch as an IGMP querier. Use the no form to disable it.
Syntax
[no] ip igmp snooping querier
Default Setting
Disabled
Command Mode
Global Configuration
Command Usage
◆ IGMP snooping querier is not supported for IGMPv3 snooping (see ip igmp snooping version).
◆ If enabled, the switch will serve as querier if elected.

Example
Console(config)#ip igmp snooping router-alert-option-check
Console(config)#

ip igmp snooping router-port-expire-time
This command configures the querier timeout. Use the no form to restore the default.
Syntax
ip igmp snooping router-port-expire-time seconds
no ip igmp snooping router-port-expire-time
  seconds - The time the switch waits after the previous querier stops before it considers it to have expired.
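The checks behind the router-alert-option-check command and the Drop counter of the snooping statistics (invalid format, content not allowed), as an added example in Python (illustrative code, not the switch's own, which does this in hardware): it constructs IPv4/IGMP packets, walks the IP option list for a well-formed Router Alert option, verifies both checksums and classifies the IGMP message type. The packet builder, the drop-reason strings and the sample addresses are this example's own.

```python
"""IGMP control-packet validation as a snooping switch sees it.

Added example, not Edge-core code. Builds constructed IPv4/IGMP packets and
classifies them the way the manual's Drop counter describes ("invalid format
... or packet content not allowed"), including the check enabled by
'ip igmp snooping router-alert-option-check'. Drop reasons, field choices
in the builder and the sample addresses are this example's own.
"""
import struct

# RFC 2113 IPv4 Router Alert option: copied=1, class=0, number=20, length=4, value=0
ROUTER_ALERT = b"\x94\x04\x00\x00"
IGMP_TYPES = {0x11: "query", 0x12: "v1 report", 0x16: "v2 report", 0x17: "leave", 0x22: "v3 report"}


def ip4(dotted):
    return bytes(int(o) for o in dotted.split("."))


def inet_checksum(data):
    """RFC 1071 ones'-complement checksum; 0 when run over data that already carries a valid one."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_igmp_packet(src, group, igmp_type=0x16, router_alert=True, corrupt=False, dst=None):
    """Constructed sample input: IPv4 header (optionally with Router Alert) + 8-byte IGMP message."""
    igmp = struct.pack("!BBH4s", igmp_type, 0, 0, ip4(group))
    csum = inet_checksum(igmp)
    if corrupt:
        csum = (csum + 1) & 0xFFFF          # any off-by-one breaks the ones'-complement sum
    igmp = igmp[:2] + struct.pack("!H", csum) + igmp[4:]
    options = ROUTER_ALERT if router_alert else b""
    ihl = 5 + len(options) // 4
    hdr = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0xC0, ihl * 4 + len(igmp),
                      0, 0, 1, 2, 0, ip4(src), ip4(dst or group)) + options
    hdr = hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]
    return hdr + igmp


def has_router_alert(options):
    """Walk the IPv4 option list; True only if a well-formed Router Alert with value 0 is present."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:                 # End of Option List
            return False
        if kind == 1:                 # No Operation, single byte
            i += 1
            continue
        if i + 1 >= len(options):     # length byte missing
            return False
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            return False              # malformed length
        if kind == 0x94 and length == 4 and options[i + 2:i + 4] == b"\x00\x00":
            return True
        i += length
    return False


def validate_igmp(pkt, router_alert_check=True):
    """Return (accepted, reason) for one received IP packet."""
    if len(pkt) < 20:
        return False, "invalid format: short packet"
    ver_ihl, _tos, total, _id, _frag, _ttl, proto, _hcsum = struct.unpack("!BBHHHBBH", pkt[:12])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or total < ihl or len(pkt) < total:
        return False, "invalid format: bad IPv4 header"
    if inet_checksum(pkt[:ihl]) != 0:
        return False, "invalid format: IPv4 header checksum"
    if proto != 2:
        return False, "not IGMP"
    if router_alert_check and not has_router_alert(pkt[20:ihl]):
        return False, "router alert option missing"
    igmp = pkt[ihl:total]
    if len(igmp) < 8 or inet_checksum(igmp) != 0:
        return False, "invalid format: IGMP checksum"
    if igmp[0] not in IGMP_TYPES:
        return False, "unknown IGMP type 0x%02x" % igmp[0]
    return True, IGMP_TYPES[igmp[0]]


def tally(packets, router_alert_check=True):
    """Count accepted messages by type and drops by reason, like the snooping statistics display."""
    counts = {}
    for pkt in packets:
        ok, reason = validate_igmp(pkt, router_alert_check)
        key = ("accept" if ok else "drop", reason)
        counts[key] = counts.get(key, 0) + 1
    return counts
```

The Router Alert check is worth enabling where hosts are untrusted: a report or leave that a real IGMP stack would have tagged for router inspection but that arrives without the option is more likely crafted than legitimate, and the option walk above also rejects the truncated or oversized option lists that a naive parser would read past.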
By default, a switch in a VLAN (with IGMP snooping enabled) that receives a Bridge Protocol Data Unit (BPDU) with the TC bit set (by the root bridge) will enter "multicast flooding mode" for a period of time until the topology has stabilized and the new locations of all multicast receivers are learned.

Command Usage
◆ When the root bridge in a spanning tree receives a topology change notification for a VLAN where IGMP snooping is enabled, it issues a global IGMP leave message (query solicitation). When a switch receives this solicitation, it floods it to all ports in the VLAN where the spanning tree change occurred. When an upstream multicast router receives this solicitation, it also immediately issues an IGMP general query.

ip igmp snooping unsolicited-report-interval
This command specifies how often the upstream interface should transmit unsolicited IGMP reports when report suppression/proxy reporting is enabled. Use the no form to restore the default value.
Syntax
ip igmp snooping unsolicited-report-interval seconds
no ip igmp snooping unsolicited-report-interval
  seconds - The interval at which to issue unsolicited reports.

Command Mode
Global Configuration
Command Usage
◆ This command configures the IGMP report/query version used by IGMP snooping. Versions 1 - 3 are all supported, and versions 2 and 3 are backward compatible, so the switch can operate with other devices, regardless of the snooping version employed.
◆ If the IGMP snooping version is configured on a VLAN, this setting takes precedence over the global configuration.

Example
Console(config)#ip igmp snooping version-exclusive
Console(config)#

ip igmp snooping vlan general-query-suppression
This command suppresses general queries except for ports attached to downstream multicast hosts. Use the no form to flood general queries to all ports except for the multicast router port.

Command Mode
Global Configuration
Command Usage
◆ If immediate-leave is not used, a multicast router (or querier) will send a group-specific query message when an IGMPv2/v3 group leave message is received. The router/querier stops forwarding traffic for that group only if no host replies to the query within the timeout period.

Command Mode
Global Configuration
Command Usage
This command will take effect only if IGMP snooping proxy reporting or IGMP querier is enabled (page 639).
Example
Console(config)#ip igmp snooping vlan 1 last-memb-query-count 7
Console(config)#

ip igmp snooping vlan last-memb-query-
This command configures the last-member-query interval. Use the no form to restore the default.

ip igmp snooping vlan mrd
This command enables sending of multicast router solicitation messages. Use the no form to disable these messages.

ip igmp snooping vlan proxy-address
This command configures a static source address for locally generated query and report messages used by IGMP proxy reporting. Use the no form to restore the default source address.

Example
The following example sets the source address for proxied IGMP query messages to 10.0.1.8.
Console(config)#ip igmp snooping vlan 1 proxy-address 10.0.1.8
Console(config)#

ip igmp snooping vlan query-interval
This command configures the interval between sending IGMP general queries. Use the no form to restore the default.

ip igmp snooping vlan query-resp-intvl
This command configures the maximum time the system waits for a response to general queries. Use the no form to restore the default.
Syntax
ip igmp snooping vlan vlan-id query-resp-intvl interval
no ip igmp snooping vlan vlan-id query-resp-intvl
  vlan-id - VLAN ID (Range: 1-4094)
  interval - The maximum time the system waits for a response to general queries.

2006). If proxy reporting is enabled (see ip igmp snooping proxy-reporting), report suppression will still be enabled, regardless of the configuration setting for the report suppression command.
◆ IGMP reports are relayed to the router port only when necessary; that is, when the first user joins a multicast group, and once only per multicast group in response to an IGMP query.

Example
The following shows how to statically configure a multicast group on a port.
Console(config)#ip igmp snooping vlan 1 static 228.0.0.15 ethernet 1/5
Console(config)#

ip igmp snooping immediate-leave
This command enables immediate leave processing on the interface. Use the no form to restore the default.
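Report suppression and the two leave-processing modes described above, as an added example (illustrative Python, not Edge-core code). It relays a report upstream only on a group's first join and once per group in answer to a general query, and on a leave it either prunes the port at once (immediate-leave) or sends a group-specific query and prunes only when the last-member timeout expires with no reply. The topology, two hosts sharing one port, is constructed to show why immediate-leave belongs only on single-subscriber ports.

```python
"""IGMP snooping report suppression and leave processing for one VLAN.

Added example, not Edge-core code. Models only the behaviour the manual
states: a report is relayed to the router port on a group's first join and
once per group per general query; on a leave the switch either prunes the
port immediately or sends a group-specific query and prunes only if nobody
on that port answers before the last-member timeout. Port and host names
are constructed for the scenario.
"""


class IgmpSnoopingVlan:
    def __init__(self, immediate_leave=False):
        self.immediate_leave = immediate_leave
        self.members = {}      # group -> set of member ports
        self.pending = set()   # (group, port) waiting for a reply to a group-specific query
        self.upstream = []     # messages relayed to the multicast router port
        self.downstream = []   # group-specific queries sent to host ports
        self.suppressed = 0    # reports absorbed by report suppression

    def report(self, port, group):
        ports = self.members.setdefault(group, set())
        self.pending.discard((group, port))           # a reply cancels any pending prune
        if not ports:
            self.upstream.append(("report", group))   # first join: the router must learn of it
        else:
            self.suppressed += 1                      # router already knows: do not relay
        ports.add(port)

    def general_query(self):
        # answer on behalf of all hosts, once per group rather than once per host
        for group in self.members:
            self.upstream.append(("report", group))

    def leave(self, port, group):
        if port not in self.members.get(group, ()):
            return
        if self.immediate_leave:
            self._prune(port, group)
        else:
            self.downstream.append(("group-specific query", port, group))
            self.pending.add((group, port))

    def last_member_timeout(self, port, group):
        """The last-member query interval expired without a report from `port`."""
        if (group, port) in self.pending:
            self.pending.discard((group, port))
            self._prune(port, group)

    def _prune(self, port, group):
        self.members[group].discard(port)
        if not self.members[group]:
            del self.members[group]
            self.upstream.append(("leave", group))    # last port gone: tell the router


def run_shared_port_scenario(immediate_leave):
    """Hosts A and B share port p1, host C sits on p2 (constructed topology).
    B leaves while A still listens; returns (member ports, upstream messages, suppressed count)."""
    group = "239.1.1.1"
    vlan = IgmpSnoopingVlan(immediate_leave)
    listening = {"p1": {"A", "B"}, "p2": {"C"}}   # hosts that still want the group, per port
    vlan.report("p1", group)                       # A joins: relayed upstream
    vlan.report("p1", group)                       # B joins: suppressed
    vlan.report("p2", group)                       # C joins: suppressed
    vlan.general_query()                           # router's periodic query: one proxied report
    listening["p1"].discard("B")
    vlan.leave("p1", group)                        # B leaves
    for _, port, grp in vlan.downstream:           # hosts answer group-specific queries, if any were sent
        if listening[port]:
            vlan.report(port, grp)
        vlan.last_member_timeout(port, grp)
    return sorted(vlan.members.get(group, ())), list(vlan.upstream), vlan.suppressed
```

With immediate-leave on, B's leave prunes p1 and A silently loses the stream until the next general query; without it, the group-specific query gives A a chance to answer and p1 stays a member. The upstream side sees exactly two reports in either case, which is the suppression the router-port text above describes.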
clear ip igmp snooping statistics
This command clears IGMP snooping statistics.
Syntax
clear ip igmp snooping statistics [interface interface]
  interface
    ethernet unit/port
      unit - Unit identifier. (Range: 1)
      port - Port number.

Querier                      : Disabled
VLAN 1:
-------
IGMP Snooping                : Enabled
IGMP Snooping Running Status : Inactive
Version                      : Using global Version (2)
Version Exclusive            : Using global status (Disabled)
Immediate Leave              : Disabled
Last Member Query Interval   : 10 (unit: 1/10s)
Last Member Query Count      : 2
General Query Suppression    : Disabled
Query Interval               : 125
Query Response Interval      : 100 (unit: 1/
Proxy Query Address          :
Proxy Reporting              :
Multicast Router Discovery   :

Command Mode
Privileged Exec
Command Usage
Member types displayed include IGMP or USER, depending on selected options.
Example
The following shows the multicast entries learned through IGMP snooping for VLAN 1.
Console#show ip igmp snooping group vlan 1
Bridge Multicast Forwarding Entry Count:1
Flag: R - Router port, M - Group member port
      H - Host counts (number of hosts join the group on this port).
      P - Port counts (number of ports join the group).

 1    Eth 1/10    Static
Console#

show ip igmp snooping statistics
This command shows IGMP snooping protocol statistics for the specified interface.
Syntax
show ip igmp snooping statistics {input [interface interface] | output [interface interface] | query [vlan vlan-id]}
  input - Specifies to display statistics for messages received by the interface.
  output - Specifies to display statistics for messages sent by the interface.

Table 121: show ip igmp snooping statistics input - display description
Field | Description
G Query | The number of general query messages received on this interface.
G(-S)-S Query | The number of group specific or group-and-source specific query messages received on this interface.
Drop | The number of times a report, leave or query was dropped. Packets may be dropped due to invalid format, rate limiting, or packet content not allowed.

The following shows IGMP query-related statistics for VLAN 1:
Console#show ip igmp snooping statistics query vlan 1
Other Querier           : None
Other Querier Expire    : 0(m):0(s)
Other Querier Uptime    : 0(h):0(m):0(s)
Self Querier            : 192.168.2.12
Self Querier Expire     : 0(m):0(s)
Self Querier Uptime     : 0(h):0(m):0(s)
General Query Received  : 0
General Query Sent      : 0
Specific Query Received : 0
Specific Query Sent     : 0
Warn Rate Limit         : 0 sec.
Static Multicast Routing
This section describes commands used to configure static multicast routing on the switch.
Table 124: Static Multicast Interface Commands
Command | Function | Mode
ip igmp snooping vlan mrouter | Adds a multicast router port | GC
show ip igmp snooping mrouter | Shows multicast router ports | PE

ip igmp snooping vlan mrouter
This command statically configures a (Layer 2) multicast router port on the specified VLAN.

Example
The following shows how to configure port 10 as a multicast router port within VLAN 1.
Console(config)#ip igmp snooping vlan 1 mrouter ethernet 1/10
Console(config)#

IGMP Filtering and Throttling
In certain switch applications, the administrator may want to control the multicast services that are available to end users, for example, an IP/TV service based on a specific subscription plan.

ip igmp filter (Global Configuration)
This command globally enables IGMP filtering and throttling on the switch. Use the no form to disable the feature.
Syntax
[no] ip igmp filter
Default Setting
Disabled
Command Mode
Global Configuration
Command Usage
IGMP filtering enables you to assign a profile to a switch port that specifies multicast groups that are permitted or denied on the port.

Command Usage
A profile defines the multicast groups that a subscriber is permitted or denied to join. The same profile can be applied to many interfaces, but only one profile can be assigned to one interface. Each profile has only one access mode: either permit or deny.
Example
Console(config)#ip igmp profile 19
Console(config-igmp-profile)#

permit, deny
This command sets the access mode for an IGMP filter profile.

Default Setting
None
Command Mode
IGMP Profile Configuration
Command Usage
Enter this command multiple times to specify more than one multicast address or address range for a profile.
Example
Console(config)#ip igmp profile 19
Console(config-igmp-profile)#range 239.2.3.1 239.2.3.100
Console(config-igmp-profile)#

ip igmp
This command enables IGMP authentication on the specified interface.

◆ If the interface leaves the group and subsequently rejoins the same group, the join report needs to be authenticated again.
◆ When receiving an IGMPv3 report message, the switch will send the access request to the RADIUS server only when the record type is either IS_EX or TO_EX and the source list is empty. Other types of packets will not initiate RADIUS authentication.

ip igmp filter (Interface Configuration)
This command assigns an IGMP filtering profile to an interface on the switch. Use the no form to remove a profile from an interface.
Syntax
ip igmp filter profile-number
no ip igmp filter
  profile-number - An IGMP filter profile number.

Command Usage
◆ IGMP throttling sets a maximum number of multicast groups that a port can join at the same time. When the maximum number of groups is reached on a port, the switch can take one of two actions: either "deny" or "replace" (see the ip igmp max-groups action command). If the action is set to deny, any new IGMP join reports will be dropped.
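Profile filtering and max-groups throttling applied to a subscriber port, as an added example in Python (illustrative code, not Edge-core's). It uses the deny profile 19 from the show ip igmp filter output in this section and goes beyond IPv4: the same profile class accepts IPv6 ranges such as the ff01::101 to ff01::faa MLD profile shown in the MLD Filtering and Throttling section, so it covers the ipv6 mld filter and ipv6 mld max-groups commands as well. Which existing group a replace action evicts is not stated by the manual; evicting the oldest join is this example's assumption.

```python
"""IGMP/MLD filter profiles and throttling, as applied to a subscriber port.

Added example, not Edge-core code. Reproduces the rules the manual states
(a profile is permit or deny with one or more group ranges, one profile per
port, max-groups with a deny or replace action) for IPv4 and IPv6 groups.
Which existing group 'replace' evicts is not specified by the manual; this
example evicts the oldest join, an assumption of its own.
"""
import ipaddress


class GroupProfile:
    """ip igmp profile <n> / ipv6 mld profile <n> with a permit|deny mode and range entries."""

    def __init__(self, number, mode):
        if mode not in ("permit", "deny"):
            raise ValueError("access mode must be permit or deny")
        self.number, self.mode, self.ranges = number, mode, []

    def range(self, low, high):
        lo, hi = ipaddress.ip_address(low), ipaddress.ip_address(high)
        if lo.version != hi.version or lo > hi:
            raise ValueError("bad range %s %s" % (low, high))
        self.ranges.append((lo, hi))

    def listed(self, group):
        g = ipaddress.ip_address(group)
        return any(lo <= g <= hi for lo, hi in self.ranges if lo.version == g.version)

    def allows(self, group):
        # permit: only the listed groups may be joined; deny: everything except the listed groups
        return self.listed(group) if self.mode == "permit" else not self.listed(group)


class SubscriberPort:
    """One interface with an optional filter profile and max-groups throttling."""

    def __init__(self, name, profile=None, max_groups=None, action="deny"):
        if action not in ("deny", "replace"):
            raise ValueError("throttling action must be deny or replace")
        self.name, self.profile, self.max_groups, self.action = name, profile, max_groups, action
        self.groups = []   # joined groups, oldest first
        self.log = []      # (group, outcome) for every join report seen

    def join(self, group):
        """Process a membership report for `group`; return True if the port now receives it."""
        if not ipaddress.ip_address(group).is_multicast:
            self.log.append((group, "not a multicast group"))
            return False
        if self.profile is not None and not self.profile.allows(group):
            self.log.append((group, "filtered by profile %d" % self.profile.number))
            return False
        if group in self.groups:
            self.log.append((group, "already joined"))
            return True
        if self.max_groups is not None and len(self.groups) >= self.max_groups:
            if self.action == "deny":
                self.log.append((group, "throttled"))
                return False
            evicted = self.groups.pop(0)          # assumption: replace evicts the oldest join
            self.log.append((evicted, "replaced by %s" % group))
        self.groups.append(group)
        self.log.append((group, "joined"))
        return True

    def leave(self, group):
        if group in self.groups:
            self.groups.remove(group)

    def status(self):
        """Summary in the spirit of 'show ip igmp throttle interface'."""
        return {"Action": self.action.capitalize(),
                "Max Multicast Groups": self.max_groups,
                "Current Multicast Groups": len(self.groups)}


def demo():
    """Profile 19 from the manual (deny 239.1.1.1 and 239.2.3.1-239.2.3.100) on a port limited to 2 groups."""
    prof = GroupProfile(19, "deny")
    prof.range("239.1.1.1", "239.1.1.1")
    prof.range("239.2.3.1", "239.2.3.100")
    port = SubscriberPort("eth 1/1", profile=prof, max_groups=2, action="deny")
    for g in ("239.2.3.50", "239.2.3.101", "239.5.0.1", "239.5.0.2", "10.0.0.1"):
        port.join(g)
    return port
```

A deny profile only blocks the ranges it lists, so any group outside them is still joinable up to the throttling limit; where the subscription model is "only these channels", a permit profile is the safer default, and max-groups with the deny action keeps one port from consuming the whole forwarding table.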
ip igmp query-drop
This command drops any received IGMP query packets. Use the no form to restore the default setting.
Syntax
[no] ip igmp query-drop [vlan vlan-id]
  vlan-id - VLAN ID (Range: 1-4094)
Default Setting
Disabled
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
This command can be used to drop any query packets received on the specified interface.

show ip igmp authentication
This command displays the interface settings for IGMP authentication.
Syntax
show ip igmp authentication interface [interface]
  interface
    ethernet unit/port
      unit - Unit identifier. (Range: 1)
      port - Port number.

Command Mode
Privileged Exec
Example
Console#show ip igmp filter
IGMP Filter enabled
Console#show ip igmp filter interface ethernet 1/1
Ethernet 1/1 information
---------------------------------
 IGMP Profile 19
     Deny
     Range 239.1.1.1 239.1.1.1
     Range 239.2.3.1 239.2.3.100
Console#

show ip igmp profile
This command displays IGMP filtering profiles created on the switch.

show ip igmp query-drop
This command shows if the specified interface is configured to drop IGMP query packets.
Syntax
show ip igmp query-drop [interface]
  interface
    ethernet unit/port
      unit - Unit identifier. (Range: 1)
      port - Port number.

Command Usage
Using this command without specifying an interface displays information for all interfaces.
Example
Console#show ip igmp throttle interface ethernet 1/1
Eth 1/1 Information
 Status                   : FALSE
 Action                   : Deny
 Max Multicast Groups     : 1024
 Current Multicast Groups : 0
Console#

show ip multicast-data-drop
This command shows if the specified interface is configured to drop multicast data packets.
MLD Snooping
Multicast Listener Discovery (MLD) snooping operates on IPv6 traffic and performs a similar function to IGMP snooping for IPv4. That is, MLD snooping dynamically configures switch ports to limit IPv6 multicast traffic so that it is forwarded only to ports with users that want to receive it. This reduces the flooding of IPv6 multicast packets in the specified VLANs. There are two versions of the MLD protocol, version 1 and version 2.

Table 127: MLD Snooping Commands (Continued)
Command | Function | Mode
clear ipv6 mld snooping statistics | Clears MLD snooping statistics | PE
show ipv6 mld snooping | Displays MLD Snooping configuration | PE
show ipv6 mld snooping group | Displays the learned groups | PE
show ipv6 mld snooping group source-list | Displays the learned groups and corresponding source list | PE
show ipv6 mld snooping mrouter | Displays the information of multicast router ports

Command Usage
◆ When proxy reporting is enabled with this command, reports received from downstream hosts are summarized and used to build internal membership states. Proxy-reporting devices may use the IPv6 address configured on this VLAN or the source IP address from the received report message as the source address when forwarding any summarized reports upstream.

ipv6 mld snooping query-interval
This command configures the interval between sending MLD general queries. Use the no form to restore the default.
Syntax
ipv6 mld snooping query-interval interval
no ipv6 mld snooping query-interval
  interval - The interval between sending MLD general queries.

Example
Console(config)#ipv6 mld snooping query-max-response-time 15
Console(config)#

ipv6 mld snooping robustness
This command configures the MLD Snooping robustness variable. Use the no form to restore the default value.
Syntax
ipv6 mld snooping robustness value
no ipv6 mld snooping robustness
  value - The value of the robustness variable.

Command Usage
The router port expire time is the time the switch waits after the previous querier stops before it considers the router port (i.e., the interface that had been receiving query packets) to have expired.
Example
Console(config)#ipv6 mld snooping router-port-expire-time 300
Console(config)#

ipv6 mld snooping unknown-multicast
This command sets the action for dealing with unknown multicast packets. Use the no form to restore the default.

ipv6 mld snooping unsolicited-report-interval
This command specifies how often the upstream interface should transmit unsolicited MLD snooping reports when proxy reporting is enabled. Use the no form to restore the default value.
Syntax
ipv6 mld snooping unsolicited-report-interval seconds
no ipv6 mld snooping unsolicited-report-interval
  seconds - The interval at which to issue unsolicited reports.

Example
Console(config)#ipv6 mld snooping version 1
Console(config)#

ipv6 mld snooping vlan immediate-leave
This command immediately deletes a member port of an IPv6 multicast service when a leave packet is received at that port and immediate-leave is enabled for the parent VLAN. Use the no form to restore the default.

ipv6 mld snooping vlan mrouter
This command statically configures an IPv6 multicast router port. Use the no form to remove the configuration.
Syntax
[no] ipv6 mld snooping vlan vlan-id mrouter interface
  vlan-id - VLAN ID (Range: 1-4094)
  interface
    ethernet unit/port
      unit - Unit identifier. (Range: 1)
      port - Port number. (Range: 1-54)
    port-channel channel-id (Range: 1-26)
Default Setting
No static multicast router ports are configured.

ipv6 mld snooping vlan static
This command adds a port to an IPv6 multicast group. Use the no form to remove the port.
Syntax
[no] ipv6 mld snooping vlan vlan-id static ipv6-address interface
  vlan-id - VLAN ID (Range: 1-4094)
  ipv6-address - An IPv6 address of a multicast group. (Format: X:X:X:X::X)
  interface
    ethernet unit/port
      unit - Unit identifier. (Range: 1)
      port - Port number.

clear ipv6 mld snooping statistics
This command clears MLD snooping statistics.
Syntax
clear ipv6 mld snooping statistics [interface interface]
  interface
    ethernet unit/port
      unit - Unit identifier. (Range: 1)
      port - Port number.

Router Port Expiry Time   : 300 sec
Unsolicit Report Interval : 400 sec
Immediate Leave           : Disabled on all VLAN
Immediate Leave By Host   : Disabled on all VLAN
Unknown Flood Behavior    : To Router Port
MLD Snooping Version      : Version 1

VLAN Group IPv6 Address                   Port
---- --------------------------------------- ---------
1    ff05:0:1:2:3:4:5:6                      Eth 1/1

Console#show ipv6 mld snooping vlan
VLAN 1
 Immediate Leave        : Disabled
 Unknown Flood Behavior : To Router Port
Con

show ipv6 mld snooping group source-list
This command shows known multicast groups, member ports, the means by which each group was learned, and the corresponding source list.
Syntax
show ipv6 mld snooping group source-list [ipv6-address | vlan vlan-id]
  ipv6-address - An IPv6 address of a multicast group.

Example
Console#show ipv6 mld snooping mrouter vlan 1
VLAN Multicast Router Port Type      Expire
---- --------------------- --------- ------
1    Eth 1/2               Static
Console#

show ipv6 mld snooping statistics
This command shows MLD snooping protocol statistics for the specified interface.

Table 128: show ipv6 MLD snooping statistics input - display description
Field | Description
Interface | The unit/port or VLAN interface.
Report | The number of MLD membership reports received on this interface.
Leave | The number of leave messages received on this interface.
G Query | The number of general query messages received on this interface.

Self Querier Expire Time : 1(m):49(s)
Self Querier UpTime      : 0(h):9(m):6(s)
General Query Received   : 0
General Query Sent       : 6
Specific Query Received  : 0
Specific Query Sent      : 0
Console#

Table 130: show ipv6 MLD snooping statistics query - display description
Field | Description
Other Querier Address | IP address of remote querier on this interface.
Other Querier Expire | Time after which remote querier is assumed to have expired.

Filter Drop      : 0
Source Port Drop : 0
Others Drop      : 0
Console#

Table 131: show ipv6 MLD snooping statistics summary - display description
Field | Description
Number of Groups | Number of MLD groups active on the specified interface.
Physical Interface (Port/Trunk) Querier:
  Transmit General | The number of general queries sent from this interface.
  Group Specific | The number of group specific queries sent from this interface.
Table 131: show ipv6 MLD snooping statistics summary - display description (Continued)
Field | Description
Host Addr | The link-local or global IPv6 address that is assigned on that VLAN.
Unsolicit Expire | The number of group leaves resulting from timeouts instead of explicit leave messages.

MLD Filtering and Throttling
In certain switch applications, the administrator may want to control the multicast services that are available to end users.

ipv6 mld filter (Global Configuration)
This command globally enables MLD filtering and throttling on the switch. Use the no form to disable the feature.
Syntax
[no] ipv6 mld filter
Default Setting
Disabled
Command Mode
Global Configuration
Command Usage
MLD filtering enables you to assign a profile to a switch port that specifies multicast groups that are permitted or denied on the port.

Command Mode
Global Configuration
Command Usage
A profile defines the multicast groups that a subscriber is permitted or denied to join. The same profile can be applied to many interfaces, but only one profile can be assigned to one interface. Each profile has only one access mode: either permit or deny.

Syntax
[no] range low-ipv6-address high-ipv6-address
  low-ipv6-address - A valid IPv6 address (X:X:X:X::X) of a multicast group or start of a group range.
  high-ipv6-address - A valid IPv6 address (X:X:X:X::X) for the end of a multicast group range.
Default Setting
None
Command Mode
MLD Profile Configuration
Command Usage
Enter this command multiple times to specify more than one multicast address or address range for a profile.

Example
Console(config)#interface ethernet 1/1
Console(config-if)#ipv6 mld filter 19
Console(config-if)#

ipv6 mld max-groups
This command configures the maximum number of MLD groups that an interface can join. Use the no form to restore the default setting.
Syntax
ipv6 mld max-groups number
no ipv6 mld max-groups
  number - The maximum number of multicast groups an interface can join at the same time.

ipv6 mld max-groups action
This command sets the MLD throttling action for an interface on the switch. Use the no form of the command to set the action to the default.
Syntax
ipv6 mld max-groups action {deny | replace}
no ipv6 mld max-groups action
  deny - The new multicast group join report is dropped.
  replace - The new multicast group replaces an existing group.

Example
Console(config)#interface ethernet 1/1
Console(config-if)#ipv6 mld query-drop
Console(config-if)#

ipv6 multicast-data-drop
Use this command to enable multicast data drop mode on a port interface. Use the no form of the command to disable multicast data drop.

Ethernet 1/3 information
---------------------------------
 MLD Profile 19
     Deny
     Range ff01::101 ff01::faa
Console#

show ipv6 mld profile
This command displays MLD filtering profiles created on the switch.
Syntax
show ipv6 mld profile [profile-number]
  profile-number - An existing MLD filter profile number.

Command Mode
Privileged Exec
Command Usage
Using this command without specifying an interface displays all interfaces.
Example
Console#show ipv6 mld query-drop interface ethernet 1/1
Ethernet 1/1: Enabled
Console#

show ipv6 mld throttle interface
This command displays the interface settings for MLD throttling.
Syntax
show ipv6 mld throttle interface [interface]
  interface
    ethernet unit/port
      unit - Unit identifier.
Chapter 23 | Multicast Filtering Commands MVR for IPv4 MVR for IPv4 This section describes commands used to configure Multicast VLAN Registration for IPv4 (MVR). A single network-wide VLAN can be used to transmit multicast traffic (such as television channels) across a service provider’s network. Any multicast traffic entering an MVR VLAN is sent to all subscribers.
Chapter 23 | Multicast Filtering Commands MVR for IPv4 Table 133: Multicast VLAN Registration for IPv4 Commands (Continued) Command Function Mode show mvr members Shows information about the current number of entries in PE the forwarding database, or detailed information about a specific multicast address show mvr profile Shows all configured MVR profiles PE show mvr statistics Shows MVR protocol statistics for the specified interface PE mvr This command enables Multicast VLAN Registration (MVR)
Chapter 23 | Multicast Filtering Commands MVR for IPv4 Command Mode Global Configuration Example The following an MVR group address profile to domain 1: Console(config)#mvr domain 1 associated-profile rd Console(config)# Related Commands mvr profile (702) mvr domain This command enables Multicast VLAN Registration (MVR) for a specific domain. Use the no form of this command to disable MVR for a domain. Syntax [no] mvr domain domain-id domain-id - An independent multicast domain.
Chapter 23 | Multicast Filtering Commands MVR for IPv4 profile-name - The name of a profile containing one or more MVR group addresses. (Range: 1-21 characters) start-ip-address - Starting IPv4 address for an MVR multicast group. (Range: 224.0.1.0 - 239.255.255.255) end-ip-address - Ending IPv4 address for an MVR multicast group. (Range: 224.0.1.0 - 239.255.255.
Chapter 23 | Multicast Filtering Commands MVR for IPv4 Command Mode Global Configuration Command Usage This command sets the general query interval at which active receiver ports send out general queries. This interval is only effective when proxy switching is enabled with the mvr proxy-switching command. Example This example sets the proxy query interval for MVR proxy switching.
Chapter 23 | Multicast Filtering Commands MVR for IPv4 ◆ When MVR proxy switching is disabled: ■ Any membership reports received from receiver/source ports are forwarded to all source ports. ■ When a source port receives a query message, it will be forwarded to all downstream receiver ports. ■ When a receiver port receives a query message, it will be dropped. Example The following example enable MVR proxy switching.
Chapter 23 | Multicast Filtering Commands MVR for IPv4 Related Commands mvr proxy-switching (704) mvr source-port- This command configures the switch to forward only multicast streams that a mode source port has dynamically joined or to forward all multicast groups. Use the no form to restore the default setting. Syntax mvr source-port-mode {dynamic | forward} no mvr source-port-mode dynamic - Configures source ports to only forward dynamically-joined MVR group multicast streams.
Chapter 23 | Multicast Filtering Commands MVR for IPv4 mvr upstream- This command configures the source IP address assigned to all MVR control packets source-ip sent upstream on all domains or on a specified domain. Use the no form to restore the default setting. Syntax mvr [domain domain-id] upstream-source-ip source-ip-address no mvr [domain domain-id] upstream-source-ip domain-id - An independent multicast domain.
◆ The VLAN specified by this command must be an existing VLAN configured with the vlan command.
◆ MVR source ports can be configured as members of the MVR VLAN using the switchport allowed vlan command and switchport native vlan command, but MVR receiver ports should not be statically configured as members of this VLAN.

◆ Using immediate leave can speed up leave latency, but should only be enabled on a port attached to only one multicast subscriber, to avoid disrupting service to other group members attached to the same interface.
◆ Immediate leave does not apply to multicast groups which have been statically assigned to a port with the mvr vlan group command.
Example: The following enables immediate leave on a receiver port.

◆ Only IGMP version 2 or 3 hosts can issue multicast join or leave messages. If MVR must be configured for an IGMP version 1 host, the multicast groups must be statically assigned using the mvr vlan group command.
Example: The following configures one source port and several receiver ports on the switch.

◆ Only IGMP version 2 or 3 hosts can issue multicast join or leave messages. If MVR must be configured for an IGMP version 1 host, the multicast groups must be statically assigned using the mvr vlan group command.
◆ The MVR VLAN cannot be specified as the receiver VLAN for static bindings.
port-channel channel-id (Range: 1-26)
vlan vlan-id - VLAN identifier (Range: 1-4094)
Command Mode: Privileged Exec
Example:
Console#clear mvr statistics
Console#
show mvr: This command shows information about MVR domain settings, including MVR operational status, the multicast VLAN, the current number of group addresses, and the upstream source IP address.
Syntax: show mvr [domain domain-id]
domain-id - An independent multicast domain.

Table 134: show mvr - display description (Continued)
Field: Description
MVR Proxy Query Interval: Shows the interval at which the receiver port sends out general queries.
MVR Source Port Mode: Shows if the switch forwards all multicast streams, or only those which the source port has dynamically joined.
MVR Domain: An independent multicast domain.
MVR Config Status: Shows if MVR is globally enabled on the switch.

show mvr interface: This command shows MVR configuration settings for interfaces attached to the MVR VLAN.
Syntax: show mvr [domain domain-id] interface
domain-id - An independent multicast domain. (Range: 1-5)
Default Setting: Displays configuration settings for all attached interfaces.

show mvr members: This command shows information about the current number of entries in the forwarding database, detailed information about a specific multicast address, the IP address of the hosts subscribing to all active multicast groups, or the multicast groups associated with each port.

Group Address   VLAN  Port         Up time      Expire  Count
--------------- ----  -----------  -----------  ------  -----
234.5.6.7 1 00:00:09:17 2(P) 1 Eth 1/ 1(S) 2 Eth 1/ 2(R)
Console#
The following example shows detailed information about a specific multicast address:
Console#show mvr domain 1 members 234.5.6.7
MVR Domain : 1
MVR Forwarding Entry Count : 1
Flag: S - Source port, R - Receiver port. H - Host counts (number of hosts joined to group on this port).
show mvr profile: This command shows all configured MVR profiles.
Command Mode: Privileged Exec
Example: The following shows all configured MVR profiles:
Console#show mvr profile
MVR Profile Name      Start IP Addr.   End IP Addr.
--------------------  ---------------  ---------------
rd                    228.1.23.1       228.1.23.10
testing               228.2.23.1       228.2.23.10
Console#
show mvr statistics: This command shows MVR protocol-related statistics for the specified interface.

Example: The following shows MVR protocol-related statistics received:
Console#show mvr domain 1 statistics input
MVR Domain : 1 , MVR VLAN: 2
Input Statistics:
Interface  Report  Leave  G Query  G(-S)-S Query  Drop  Join Succ  Group
---------  ------  -----  -------  -------------  ----  ---------  -----
Eth 1/ 1   23      11     4        10             5     20         9
Eth 1/ 2   12      15     8        3              5     19         4
DVLAN 1    2       0      0        2              2     20         9
MVLAN 1    2       0      0        2              2     20         9
Console#
Table 137: show mvr statistics input - display

Table 138: show mvr statistics output - display description (Continued)
Field: Description
Leave: The number of leave messages sent from this interface.
G Query: The number of general query messages sent from this interface.
G(-S)-S Query: The number of group-specific or group-and-source-specific query messages sent from this interface.
Drop: The number of times a report, leave or query was dropped.

Table 139: show mvr statistics query - display description (Continued)
Field: Description
Warn Rate Limit: Counts down from 15 seconds after receiving a Query whose version differs from the configured version.
V# Warning Count: Number of queries received on MVR that were configured for IGMP version 1, 2 or 3.

Table 140: show mvr statistics summary interface - display description
Field: Description
Report: Number of reports received.
Leave: Number of leaves received.
Join Success: Number of join reports processed successfully.
Filter Drop: Number of report/leave messages dropped by the IGMP filter.
Source Port Drop: Number of report/leave messages dropped by the MVR source port.
Others Drop: Number of report/leave messages dropped for other reasons.

Table 141: show mvr statistics summary interface mvr vlan - description
Field: Description
General: Number of general queries sent from the receiver port.
Group Specific: Number of group-specific queries sent from the receiver port.
Received General: Number of general queries received.
Group Specific: Number of group-specific queries received.
V# Warning Count: Number of queries received on MVR that were configured for IGMP version 1, 2 or 3.
24 LLDP Commands
Link Layer Discovery Protocol (LLDP) is used to discover basic information about neighboring devices on the local broadcast domain. LLDP is a Layer 2 protocol that periodically transmits advertisements (LLDPDUs) to a link-local multicast address to describe the sending device. Advertised information is represented in Type Length Value (TLV) format according to the IEEE 802.1AB standard, and can include details such as device identification, capabilities and configuration settings. Because an LLDPDU is sent in the clear and is not authenticated, advertising management addresses and system details on ports that face untrusted devices hands out useful reconnaissance data; the per-port lldp admin-status and lldp basic-tlv commands in this chapter control what, if anything, is transmitted on a given port.
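The TLV framing described above, as an added example that is not part of this guide or of the switch firmware: a Python decoder for an LLDPDU that bounds-checks every 9-bit TLV length against the buffer before reading, enforces the mandatory Chassis ID / Port ID / TTL order, and decodes the basic TLVs that the lldp basic-tlv commands in this chapter control. The sample PDU is constructed inline (the MAC address is the one shown in this chapter's show lldp info output, reused only as sample data); the constant and function names are my own.

```python
import struct

# TLV types from IEEE 802.1AB clause 8 (only these are decoded here)
TLV_END, TLV_CHASSIS_ID, TLV_PORT_ID, TLV_TTL = 0, 1, 2, 3
TLV_PORT_DESC, TLV_SYSTEM_NAME, TLV_SYSTEM_DESC, TLV_SYSTEM_CAP = 4, 5, 6, 7
TLV_ORG_SPECIFIC = 127

# System capability bits (802.1AB Table 8-4)
CAPABILITY_BITS = {
    0x01: "Other", 0x02: "Repeater", 0x04: "Bridge", 0x08: "WLAN AP",
    0x10: "Router", 0x20: "Telephone", 0x40: "DOCSIS", 0x80: "Station",
}


class LLDPError(ValueError):
    """Raised for any LLDPDU that violates the TLV framing rules."""


def build_tlv(tlv_type, value):
    """Encode one TLV: 7-bit type and 9-bit length in one big-endian short, then the value."""
    if not 0 <= tlv_type < 128 or len(value) > 511:
        raise ValueError("TLV type or length out of range")
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def split_tlvs(lldpdu):
    """Walk the TLV chain, checking each claimed length against the bytes that remain.
    Returns [(type, value), ...] up to, but not including, the End TLV."""
    tlvs, offset = [], 0
    while True:
        if offset + 2 > len(lldpdu):
            raise LLDPError("truncated TLV header at offset %d" % offset)
        header = struct.unpack_from("!H", lldpdu, offset)[0]
        tlv_type, length = header >> 9, header & 0x1FF
        offset += 2
        if offset + length > len(lldpdu):
            raise LLDPError("TLV type %d claims %d bytes, only %d remain"
                            % (tlv_type, length, len(lldpdu) - offset))
        value = lldpdu[offset:offset + length]
        offset += length
        if tlv_type == TLV_END:
            if length:
                raise LLDPError("End TLV must be empty")
            return tlvs
        tlvs.append((tlv_type, value))


def parse_lldpdu(lldpdu):
    """Decode an LLDPDU (the Ethernet payload after ethertype 0x88CC) into a dict."""
    tlvs = split_tlvs(lldpdu)
    if [t for t, _ in tlvs[:3]] != [TLV_CHASSIS_ID, TLV_PORT_ID, TLV_TTL]:
        raise LLDPError("Chassis ID, Port ID and TTL must come first, in that order")
    info = {"org_specific": []}
    for tlv_type, value in tlvs:
        if tlv_type in (TLV_CHASSIS_ID, TLV_PORT_ID):
            if not value:
                raise LLDPError("empty Chassis ID / Port ID")
            subtype, ident = value[0], value[1:]
            # Chassis ID subtype 4 and Port ID subtype 3 carry a MAC address; others are text
            mac_subtype = 4 if tlv_type == TLV_CHASSIS_ID else 3
            text = ident.hex("-").upper() if subtype == mac_subtype else ident.decode("ascii", "replace")
            info["chassis_id" if tlv_type == TLV_CHASSIS_ID else "port_id"] = (subtype, text)
        elif tlv_type == TLV_TTL:
            if len(value) < 2:
                raise LLDPError("TTL TLV too short")
            info["ttl"] = struct.unpack("!H", value[:2])[0]
        elif tlv_type == TLV_PORT_DESC:
            info["port_description"] = value.decode("ascii", "replace")
        elif tlv_type == TLV_SYSTEM_NAME:
            info["system_name"] = value.decode("ascii", "replace")
        elif tlv_type == TLV_SYSTEM_DESC:
            info["system_description"] = value.decode("ascii", "replace")
        elif tlv_type == TLV_SYSTEM_CAP:
            if len(value) < 4:
                raise LLDPError("System Capabilities TLV too short")
            supported, enabled = struct.unpack("!HH", value[:4])
            info["capabilities"] = [n for b, n in CAPABILITY_BITS.items() if supported & b]
            info["enabled_capabilities"] = [n for b, n in CAPABILITY_BITS.items() if enabled & b]
        elif tlv_type == TLV_ORG_SPECIFIC:
            if len(value) < 4:
                raise LLDPError("organizationally specific TLV too short")
            info["org_specific"].append((value[:3].hex(":"), value[3], value[4:]))
    return info


def validation_error(lldpdu):
    """Return the framing error for a PDU, or None if it parses cleanly."""
    try:
        parse_lldpdu(lldpdu)
    except LLDPError as exc:
        return str(exc)
    return None


# Constructed sample LLDPDU (not captured from a real device): a switch advertising
# its chassis MAC, port MAC, a 120 s TTL, a port description, a name, and Bridge capability.
SAMPLE_LLDPDU = b"".join([
    build_tlv(TLV_CHASSIS_ID, b"\x04" + bytes.fromhex("0012cfdafce9")),
    build_tlv(TLV_PORT_ID, b"\x03" + bytes.fromhex("0012cfdafce9")),
    build_tlv(TLV_TTL, struct.pack("!H", 120)),
    build_tlv(TLV_PORT_DESC, b"Ethernet Port on unit 1, port 1"),
    build_tlv(TLV_SYSTEM_NAME, b"Console"),
    build_tlv(TLV_SYSTEM_CAP, struct.pack("!HH", 0x0004, 0x0004)),
    build_tlv(TLV_END, b""),
])

if __name__ == "__main__":
    for key, val in parse_lldpdu(SAMPLE_LLDPDU).items():
        print("%-22s: %s" % (key, val))
    # a PDU cut short inside the last TLV is rejected rather than read past the end
    print("truncated ->", validation_error(SAMPLE_LLDPDU[:-5]))
```

The length check in split_tlvs is the one a receiver must make before trusting the 9-bit length field: a neighbor that sends a TLV claiming more bytes than the frame carries gets an error, not an out-of-bounds read, and a PDU that omits the mandatory leading TLVs or puts them in the wrong order is rejected before any field is decoded.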
Chapter 24 | LLDP Commands
Table 142: LLDP Commands (Continued)
Command: Function (Mode)
lldp basic-tlv system-capabilities: Configures an LLDP-enabled port to advertise its system capabilities (IC)
lldp basic-tlv system-description: Configures an LLDP-enabled port to advertise the system description (IC)
lldp basic-tlv system-name: Configures an LLDP-enabled port to advertise its system name (IC)
lldp dot1-tlv proto-ident*: Configures an LLDP-enabled port to advertise the supported protocols (IC)
lldp dot1

lldp: This command enables LLDP globally on the switch. Use the no form to disable LLDP.
Syntax: [no] lldp
Default Setting: Enabled
Command Mode: Global Configuration
Example:
Console(config)#lldp
Console(config)#
lldp holdtime-multiplier: This command configures the time-to-live (TTL) value sent in LLDP advertisements. Use the no form to restore the default setting.

lldp med-fast-start-count: This command specifies the number of MED Fast Start LLDPDUs to transmit during the activation process of the LLDP-MED Fast Start mechanism. Use the no form to restore the default setting.
Syntax: lldp med-fast-start-count packet-number
no lldp med-fast-start-count
packet-number - Number of packets.
◆ Information about changes in LLDP neighbors that occur between SNMP notifications is not transmitted. Only state changes that exist at the time of a notification are included in the transmission. An SNMP agent should therefore periodically check the value of lldpStatsRemTableLastChangeTime to detect any lldpRemTablesChange notification-events missed due to throttling or transmission loss.

Command Mode: Global Configuration
Command Usage: When LLDP is re-initialized on a port, all information in the remote systems LLDP MIB associated with this port is deleted.
Example:
Console(config)#lldp reinit-delay 10
Console(config)#
lldp tx-delay: This command configures a delay between the successive transmission of advertisements initiated by a change in local LLDP MIB variables. Use the no form to restore the default setting.

lldp admin-status: This command enables LLDP transmit, receive, or transmit and receive mode on the specified port. Use the no form to disable this feature.
Syntax: lldp admin-status {rx-only | tx-only | tx-rx}
no lldp admin-status
rx-only - Only receive LLDP PDUs.
tx-only - Only transmit LLDP PDUs.
tx-rx - Both transmit and receive LLDP Protocol Data Units (PDUs).

◆ Since there are typically a number of different addresses associated with a Layer 3 device, an individual LLDP PDU may contain more than one management address TLV.
◆ Every management address TLV that reports an address that is accessible on a port and protocol VLAN through the particular port should be accompanied by a port and protocol VLAN TLV that indicates the VLAN identifier (VID) associated with the management address reported by this TLV.
Neither the IPv4 address nor the IPv6 address of a VLAN interface is configured. The CPU MAC address (or device MAC address) will be sent in the Management Address TLV of the LLDP PDU transmitted.
Example:
Console(config)#interface ethernet 1/1
Console(config-if)#lldp basic-tlv management-ipv6-address
Console(config-if)#
lldp basic-tlv port-description: This command configures an LLDP-enabled port to advertise its port description. Use the no form to disable this feature.

Command Usage: The system capabilities identify the primary function(s) of the system and whether or not these primary functions are enabled. The information advertised by this TLV is described in IEEE 802.1AB.
Example:
Console(config)#interface ethernet 1/1
Console(config-if)#lldp basic-tlv system-capabilities
Console(config-if)#
lldp basic-tlv system-description: This command configures an LLDP-enabled port to advertise the system description.

Command Usage: The system name is taken from the sysName object in RFC 3418, which contains the system's administratively assigned name, and is in turn based on the hostname command.
Example:
Console(config)#interface ethernet 1/1
Console(config-if)#lldp basic-tlv system-name
Console(config-if)#
lldp dot1-tlv proto-ident: This command configures an LLDP-enabled port to advertise the supported protocols. Use the no form to disable this feature.
Command Usage: This option advertises the port-based protocol VLANs configured on this interface (see "Configuring Protocol-based VLANs" on page 547).
Example:
Console(config)#interface ethernet 1/1
Console(config-if)#lldp dot1-tlv proto-vid
Console(config-if)#
lldp dot1-tlv pvid: This command configures an LLDP-enabled port to advertise its default VLAN ID. Use the no form to disable this feature.

Command Usage: This option advertises the name of all VLANs to which this interface has been assigned. See "switchport allowed vlan" on page 525 and "protocol-vlan protocol-group (Configuring Interfaces)" on page 548.
Example:
Console(config)#interface ethernet 1/1
Console(config-if)#lldp dot1-tlv vlan-name
Console(config-if)#
lldp dot3-tlv link-agg: This command configures an LLDP-enabled port to advertise link aggregation capabilities. Use the no form to disable this feature.

Command Usage: This option advertises MAC/PHY configuration/status, which includes information about auto-negotiation support/capabilities and the operational Medium Attachment Unit (MAU) type.
Example:
Console(config)#interface ethernet 1/1
Console(config-if)#no lldp dot3-tlv mac-phy
Console(config-if)#
lldp dot3-tlv max-frame: This command configures an LLDP-enabled port to advertise its maximum frame size. Use the no form to disable this feature.
lldp med-location civic-addr: This command configures an LLDP-MED-enabled port to advertise its location identification details. Use the no form to restore the default settings.
Syntax: lldp med-location civic-addr [[country country-code] | [what device-type] | [ca-type ca-value]]
no lldp med-location civic-addr [[country] | [what] | [ca-type]]
country-code - The two-letter ISO 3166 country code in capital ASCII letters.

Table 143: LLDP MED Location CA Types (Continued)
CA Type  Description                                    CA Value Example
4        City division, borough, city district          West Irvine
5        Neighborhood, block                            Riverside
6        Group of streets below the neighborhood level  Exchange
18       Street suffix or type                          Avenue
19       House number                                   320
20       House number suffix                            A
21       Landmark or vanity address                     Tech Center
26       Unit (apartment, suite)                        Apt 519
27       Floor                                          5
28       Room                                           509B
Any number of CA type and value pairs can be
Default Setting: Disabled
Command Mode: Interface Configuration (Ethernet, Port Channel)
Command Usage:
◆ This option sends out SNMP trap notifications to designated target stations at the interval specified by the lldp notification-interval command. Trap notifications include information about state changes in the LLDP MIB (IEEE 802.1AB), the LLDP-MED MIB (ANSI/TIA 1057), or the organization-specific LLDP-EXT-DOT1 and LLDP-EXT-DOT3 MIBs.

Example:
Console(config)#interface ethernet 1/1
Console(config-if)#lldp med-tlv inventory
Console(config-if)#
lldp med-tlv location: This command configures an LLDP-MED-enabled port to advertise its location identification details. Use the no form to disable this feature.
Syntax: [no] lldp med-tlv location
Default Setting: Enabled
Command Mode: Interface Configuration (Ethernet, Port Channel)
Command Usage: This option advertises location identification details.

Example:
Console(config)#interface ethernet 1/1
Console(config-if)#lldp med-tlv med-cap
Console(config-if)#
lldp med-tlv network-policy: This command configures an LLDP-MED-enabled port to advertise its network policy configuration. Use the no form to disable this feature.

notifications include information about state changes in the LLDP MIB (IEEE 802.1AB), or the organization-specific LLDP-EXT-DOT1 and LLDP-EXT-DOT3 MIBs.
◆ SNMP trap destinations are defined using the snmp-server host command.
◆ Information about additional changes in LLDP neighbors that occur between SNMP notifications is not transmitted. Only state changes that exist at the time of a trap notification are included in the transmission.
proto-vlan proto-ident
802.3 specific TLVs Advertised : mac-phy link-agg max-frame
MED Notification Status : Disabled
MED Enabled TLVs Advertised : med-cap network-policy location inventory
MED Location Identification
  Location Data Format : Civic Address LCI
  Country Name : DK
  What : 2 - DHCP Client
  CA Type 1 : 12
  CA Type 13 : 13
Console#
show lldp info local-device: This command shows LLDP global and interface-specific configuration settings for this device.

Console#show lldp info local-device detail ethernet 1/1
LLDP Local Port Information Detail
  Port : Eth 1/1
  Port ID Type : MAC Address
  Port ID : 00-12-CF-DA-FC-E9
  Port Description : Ethernet Port on unit 1, port 1
  MED Capability : LLDP-MED Capabilities
                   Network Policy
                   Location Identification
                   Inventory
Console#
show lldp info remote-device: This command shows LLDP global and interface-specific configuration settings for remote devices attached to an LLDP-enabled port.

  Enabled Capabilities : Bridge
  Management Address : 192.168.0.

  Software Revision : 1.2.6.0
  Serial Number : S123456
  Manufacture Name : Prye
  Model Name : VP101
  Asset ID : 340937
Console#
show lldp info statistics: This command shows statistics based on traffic received through all attached LLDP-enabled interfaces.
Syntax: show lldp info statistics [detail interface]
detail - Shows configuration summary.
interface
ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number.
25 OAM Commands
The switch provides the OAM (Operation, Administration, and Maintenance) remote management tools required to monitor and maintain the links to subscriber CPEs (Customer Premises Equipment). This section describes functions including enabling OAM for selected ports, loopback testing, and displaying device information.

Chapter 25 | OAM Commands
efm oam: This command enables OAM functions on the specified port. Use the no form to disable this function.
Syntax: [no] efm oam
Default Setting: Disabled
Command Mode: Interface Configuration
Command Usage:
◆ If the remote device also supports OAM, both exchange Information OAMPDUs to establish an OAM link.
◆ Not all CPEs support OAM functions, and OAM is therefore disabled by default.

Command Usage:
◆ Critical events are vendor-specific and may include various failures, such as abnormal voltage fluctuations, out-of-range temperature detected, fan failure, CRC error in flash memory, insufficient memory, or other hardware faults.
◆ Dying gasp events are caused by an unrecoverable failure, such as a power failure or device reset.
Note: When system power fails, the switch will always send a dying gasp trap message prior to power down.
efm oam link-monitor frame threshold: This command sets the threshold for errored frame link events. Use the no form to restore the default setting.
Syntax: efm oam link-monitor frame threshold count
no efm oam link-monitor frame threshold
count - The threshold for errored frame link events.

exceeded within the period specified by this command. The Errored Frame Event TLV includes the number of errored frames detected during the specified period.
Example: This example sets the window size to 5 seconds (the window is entered in units of 100 ms, so 50 is five seconds).
Console(config)#interface ethernet 1/1
Console(config-if)#efm oam link-monitor frame window 50
Console(config-if)#
efm oam mode: This command sets the OAM mode on the specified port. Use the no form to restore the default setting.
clear efm oam counters: This command clears statistical counters for various OAMPDU message types.
Syntax: clear efm oam counters [interface-list]
interface-list - unit/port
unit - Unit identifier. (Range: 1)
port - Port number or list of ports. To enter a list, separate nonconsecutive port identifiers with a comma and no spaces; use a hyphen to designate a range of ports.

efm oam remote-loopback: This command starts or stops OAM loopback test mode to the attached CPE.
Syntax: efm oam remote-loopback {start | stop} interface
start - Starts remote loopback test mode.
stop - Stops remote loopback test mode.
interface - unit/port
unit - Unit identifier. (Range: 1)
port - Port number. (Range: 1-54)
Default Setting: None
Command Mode: Privileged Exec
Command Usage: OAM remote loopback can be used for fault localization and link performance testing.

efm oam remote-loopback test: This command performs a remote loopback test, sending a specified number of packets.
Syntax: efm oam remote-loopback test interface [number-of-packets [packet-size]]
interface - unit/port
unit - Unit identifier. (Range: 1)
port - Port number. (Range: 1-54)
number-of-packets - Number of packets to send. (Range: 1-99999999)
packet-size - Size of packets to send.

show efm oam counters interface: This command displays counters for various OAM PDU message types.
Syntax: show efm oam counters interface [interface-list]
interface-list - unit/port
unit - Unit identifier. (Range: 1)
port - Port number or list of ports. To enter a list, separate nonconsecutive port identifiers with a comma and no spaces; use a hyphen to designate a range of ports.
Example:
Console#show efm oam event-log interface 1/1
OAM event log of Eth 1/1:
00:24:07 2001/01/01 "Unit 1, Port 1: Dying Gasp at Remote"
Console#
This command can also show OAM link status changes for the link partner, as shown in this example.

show efm oam remote-loopback interface: This command displays the results of an OAM remote loopback test.
Syntax: show efm oam remote-loopback interface [interface-list]
interface-list - unit/port
unit - Unit identifier. (Range: 1)
port - Port number or list of ports. To enter a list, separate nonconsecutive port identifiers with a comma and no spaces; use a hyphen to designate a range of ports.

Link Monitor (Errored Frame) : Enabled
Link Monitor:
  Errored Frame Window (100msec) : 10
  Errored Frame Threshold : 1
Console#show efm oam status interface 1/1 brief
$ = local OAM in loopback
* = remote OAM in loopback
Port  Admin State  Mode    Remote Loopback  Dying Gasp  Critical Event  Errored Frame
----  -----------  ------  ---------------  ----------  --------------  -------------
1/1   Enabled      Active  Disabled         Enabled     Enabled         Enabled
Console#
show efm oam status: This command displays information about attached OAM-enabl
26 Domain Name Service Commands
These commands are used to configure Domain Name System (DNS) services. Entries can be manually configured in the DNS domain name to IP address mapping table, default domain names configured, or one or more name servers specified to use for domain name to address translation. Note that domain name services will not be enabled until at least one name server is specified with the ip name-server command and domain lookup is enabled with the ip domain-lookup command.

Chapter 26 | Domain Name Service Commands
DNS Commands
ip domain-list: This command defines a list of domain names that can be appended to incomplete host names (i.e., host names passed from a client that are not formatted with dotted notation). Use the no form to remove a name from this list.
Syntax: [no] ip domain-list name
name - Name of the host. Do not include the initial dot that separates the host name from the domain name.

ip domain-lookup: This command enables DNS host name-to-address translation. Use the no form to disable DNS.
Syntax: [no] ip domain-lookup
Default Setting: Disabled
Command Mode: Global Configuration
Command Usage: At least one name server must be specified before DNS can be enabled.

no ip domain-name
name - Name of the host. Do not include the initial dot that separates the host name from the domain name. (Range: 1-127 characters)
Default Setting: None
Command Mode: Global Configuration
Example:
Console(config)#ip domain-name sample.com
Console(config)#end
Console#show dns
Domain Lookup Status: DNS Disabled
Default Domain Name: sample.
Example: This example maps an IPv4 address to a host name.
Console(config)#ip host rd5 192.168.1.55
Console(config)#end
Console#show hosts
No.  Flag  Type     IP Address            TTL    Domain
---  ----  -------  --------------------  -----  ------------------------------
0    2     Address  192.168.1.55                 rd5
Console#
ip name-server: This command specifies the address of one or more domain name servers to use for name-to-address resolution.

Related Commands: ip domain-name (761), ip domain-lookup (761)
ipv6 host: This command creates a static entry in the DNS table that maps a host name to an IPv6 address. Use the no form to remove an entry.
Syntax: [no] ipv6 host name ipv6-address
name - Name of an IPv6 host. (Range: 1-127 characters)
ipv6-address - Corresponding IPv6 address.

show dns: This command displays the configuration of the DNS service.
Command Mode: Privileged Exec
Example:
Console#show dns
Domain Lookup Status: DNS enabled
Default Domain Name: sample.com
Domain Name List: sample.com.jp sample.com.uk
Name Server List: 192.168.1.55 10.1.0.55
Console#
show dns cache: This command displays entries in the DNS cache.
Command Mode: Privileged Exec
Example:
Console#show dns cache
No.

show hosts: This command displays the static host name-to-address mapping table.
Command Mode: Privileged Exec
Example: Note that a host name will be displayed as an alias if it is mapped to the same address(es) as a previously configured entry.
Console#show hosts
No.  Flag  Type     IP Address
---  ----  -------  --------------------
0    2     Address  192.168.2.1
1    4     Address  52.196.118.60
2    4     Address  166.62.56.229
3    4     Address  35.201.87.
27 DHCP Commands
These commands are used to configure Dynamic Host Configuration Protocol (DHCP) client, relay and server functions. Any VLAN interface can be configured to automatically obtain an IPv4 address through DHCP. This switch can also be configured to relay DHCP client configuration requests to a DHCP server on another network.

Chapter 27 | DHCP Commands
DHCP Client
DHCP for IPv4
ip dhcp dynamic-provision: This command enables dynamic provisioning via DHCP. Use the no form to disable this feature.
Syntax: [no] ip dhcp dynamic-provision
Default Setting: Disabled
Command Mode: Global Configuration
Command Usage: dhcpd is the ISC DHCP server daemon commonly used on Linux to hand out TCP/IP configuration to client systems. To support DHCP option 66/67, you have to add the corresponding statements to the dhcpd configuration file.

2. Define the conditions in the class section:
    class "OPT66_67" {
        # for option 66/67
        # option 60 (vendor class identifier, RFC 2132)
        match if option vendor-class-identifier = "Edgecore";
        # option 55
        option dhcp-parameter-request-list 1,66,67;
        # option 66
        option tftp-server-name "192.168.1.1";
        # option 67
        option bootfile-name "dhcp_config.cfg";
    }
    shared-network Sample2 {
        subnet 192.168.1.0 netmask 255.255.255.0 {
        }
        pool {
            allow members of "OPT66_67";
            range 192.168.1.10 192.168.1.
◆ This command is used to identify the vendor class and configuration of the switch to the DHCP server, which then uses this information to decide how to service the client or the type of information to return.
◆ The general framework for this DHCP option is set out in RFC 2132 (Option 60).

ip dhcp restart client: This command submits a DHCP client request.
Default Setting: None
Command Mode: Privileged Exec
Command Usage:
◆ This command issues a DHCP client request for any IP interface that has been set to DHCP mode through the ip address command.
◆ DHCP requires the server to reassign the client's last address if it is still available.
DHCP for IPv6
ipv6 dhcp client rapid-commit vlan: This command specifies the Rapid Commit option for DHCPv6 message exchange for all DHCPv6 client requests submitted from the specified interface. Use the no form to disable this option.
Syntax: [no] ipv6 dhcp client rapid-commit vlan vlan-list
vlan-list - VLAN ID, specified as a single number, a range of consecutive numbers separated by a hyphen, or multiple numbers separated by commas.

Default Setting: None
Command Mode: Privileged Exec
Command Usage:
◆ This command starts the DHCPv6 client process if it is not yet running by submitting requests for configuration information through the specified interface(s). When DHCPv6 is restarted, the switch may attempt to acquire an IP address prefix through stateful address auto-configuration.

Example: The following command submits a client request on VLAN 1.
Console#ipv6 dhcp restart client vlan 1
Console#
Related Commands: ipv6 address autoconfig (811)
show ipv6 dhcp duid: This command shows the DHCP Unique Identifier for this switch.
Command Mode: Privileged Exec
Command Usage: DHCPv6 clients and servers are identified by a DHCP Unique Identifier (DUID) included in the client identifier and server identifier options.

DHCP Relay
List of known servers:
  Server address : FE80::250:FCFF:FEF9:A494
  DUID : 0001-0001-48CFB0D5-F48F2A006801
  Server address : FE80::250:FCFF:FEF9:A405
  DUID : 0001-0001-38CF5AB0-F48F2A003917
Console#
Related Commands: ipv6 address (809)
DHCP Relay: This section describes commands used to configure the switch to relay DHCP requests from local hosts to a remote DHCP server.
Usage Guidelines:
◆ DHCP relay service applies to DHCP client requests received on the specified VLAN.
◆ This command is used to configure DHCP relay for host devices attached to the switch. If DHCP relay service is enabled, and this switch sees a DHCP client request, it inserts its own IP address into the request so that the DHCP server will know the subnet where the client is located. Then, the switch forwards the packet to a DHCP server on another network.

Command Usage: This command is used to configure DHCP relay functions for host devices attached to the switch. If DHCP relay service is enabled, and this switch sees a DHCP request broadcast, it inserts its own IP address into the request so the DHCP server will know the subnet where the client is located. Then, the switch forwards the packet to the DHCP server on another network.
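The relay behaviour described above, as an added example that is not part of this guide or of the switch firmware: a Python model of the BOOTP/DHCP header in which the relay writes its own address into the giaddr field of a client request, and of the server side choosing the pool from that address. Two details come from RFC 1542 rather than from this guide and are my assumptions about what a conforming relay does: giaddr is written only when it is still zero (so the first relay's address survives a chain of relays), and a request whose hops field already exceeds 16 is discarded as a probable relay loop. The DHCPDISCOVER is constructed inline; the function and constant names are my own.

```python
import ipaddress
import struct

BOOTREQUEST, BOOTREPLY = 1, 2
MAX_HOPS = 16                      # RFC 1542 4.1.1: discard requests whose hops exceed 16
DHCP_MAGIC = b"\x63\x82\x53\x63"   # magic cookie following the 236-byte BOOTP header
BOOTP_HEADER = "!BBBBIHH4s4s4s4s16s64s128s"
FIELDS = ("op", "htype", "hlen", "hops", "xid", "secs", "flags",
          "ciaddr", "yiaddr", "siaddr", "giaddr", "chaddr", "sname", "file")
HOPS_OFFSET, GIADDR_OFFSET = 3, 24  # byte offsets inside the fixed header


def parse_bootp(packet):
    """Unpack the fixed BOOTP header of a DHCP packet into a dict.
    Address fields become dotted quads; the options area is kept raw."""
    if len(packet) < 240 or packet[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP packet (too short or bad magic cookie)")
    msg = dict(zip(FIELDS, struct.unpack(BOOTP_HEADER, packet[:236])))
    for key in ("ciaddr", "yiaddr", "siaddr", "giaddr"):
        msg[key] = str(ipaddress.IPv4Address(msg[key]))
    msg["chaddr"] = msg["chaddr"][:msg["hlen"]].hex(":")
    msg["options"] = packet[240:]
    return msg


def build_discover(xid, client_mac):
    """Constructed DHCPDISCOVER as a client with no address sends it:
    broadcast flag set, every address field zero, hops zero."""
    chaddr = bytes.fromhex(client_mac.replace(":", "")).ljust(16, b"\x00")
    header = struct.pack(BOOTP_HEADER, BOOTREQUEST, 1, 6, 0, xid, 0, 0x8000,
                         b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,
                         chaddr, b"\0" * 64, b"\0" * 128)
    options = bytes([53, 1, 1, 255])   # option 53 = DHCPDISCOVER, then End
    return header + DHCP_MAGIC + options


def relay_request(packet, relay_ip):
    """Relay-agent handling of a client request received on the interface whose
    address is relay_ip. Returns (packet_to_forward, None) or (None, drop_reason)."""
    try:
        msg = parse_bootp(packet)
    except ValueError as exc:
        return None, str(exc)
    if msg["op"] != BOOTREQUEST:
        return None, "only BOOTREQUEST is relayed toward the server"
    if msg["hops"] > MAX_HOPS:
        return None, "hops %d exceeds %d, possible relay loop" % (msg["hops"], MAX_HOPS)
    out = bytearray(packet)
    out[HOPS_OFFSET] = msg["hops"] + 1
    # Only the first relay on the path writes giaddr; later relays leave it alone,
    # so the server's reply returns to the relay on the client's own subnet.
    if msg["giaddr"] == "0.0.0.0":
        out[GIADDR_OFFSET:GIADDR_OFFSET + 4] = ipaddress.IPv4Address(relay_ip).packed
    return bytes(out), None


def pool_for_request(msg, pools):
    """Server side: a relayed request (giaddr set) is served from the pool that
    contains giaddr. pools maps 'network/prefix' -> pool name."""
    if msg["giaddr"] == "0.0.0.0":
        return None   # direct request: the server would use its receiving interface instead
    giaddr = ipaddress.IPv4Address(msg["giaddr"])
    for network, name in pools.items():
        if giaddr in ipaddress.IPv4Network(network):
            return name
    return None


if __name__ == "__main__":
    discover = build_discover(0x3903F326, "f4:8f:2a:00:68:01")
    forwarded, reason = relay_request(discover, "192.168.1.1")
    relayed = parse_bootp(forwarded)
    print("giaddr:", relayed["giaddr"], "hops:", relayed["hops"])
    print("pool:", pool_for_request(relayed, {"192.168.1.0/24": "R&D"}))
```

The giaddr field is what the server trusts to pick a subnet, which is why a relay that overwrote a non-zero giaddr, or accepted requests from an interface that is not a client-facing VLAN, would let a host steer address allocation for another subnet; the switch's ip dhcp relay configuration is applied per VLAN for that reason.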
Command Mode: Interface Configuration (VLAN)
Usage Guidelines:
◆ You must specify the IPv6 address for at least one DHCPv6 server or another relay agent, or the VLAN to which to multicast a relay message. Otherwise, the switch's DHCPv6 relay agent will not forward client requests. This command enables DHCPv6 relay service for the VLAN from which the command is entered.
◆ Up to five destination addresses may be defined using consecutive commands.

Example:
Console#show ipv6 dhcp relay destination interface vlan 1
DHCP relay destination :
  VLAN 1 : Unicast : 2001:DB8:3000:3000::42
Console#
DHCP Server: This section describes commands used to configure client address pools for the DHCP service.
Chapter 27 | DHCP Commands DHCP Server * These commands are used for manually binding an address to a client. ip dhcp This command specifies IP addresses that the DHCP server should not assign to excluded-address DHCP clients. Use the no form to remove the excluded IP addresses. Syntax [no] ip dhcp excluded-address low-address [high-address] low-address - An excluded IP address, or the first IP address in an excluded address range. high-address - The last IP address in an excluded address range.
Chapter 27 | DHCP Commands DHCP Server host address per pool). However, note that any address specified in a host command must fall within the range of a configured network address pool. Example Console(config)#ip dhcp pool R&D Console(config-dhcp)# Related Commands network (788) host (785) service dhcp This command enables the DHCP server on this switch. Use the no form to disable the DHCP server.
Chapter 27 | DHCP Commands DHCP Server Command Mode DHCP Pool Configuration Example Console(config-dhcp)#bootfile wme.bat Console(config-dhcp)# Related Commands next-server (789) client-identifier This command specifies the client identifier of a DHCP client. Use the no form to remove the client identifier. Syntax client-identifier {text text | hex hex} no client-identifier text - A text string. (Range: 1-32 characters) hex - The hexadecimal value.
default-router
This command specifies default routers for a DHCP pool. Use the no form to remove the default routers.
Syntax
default-router {address1 [address2] | bootfile filename}
no default-router
address1 - Specifies the IP address of the primary router.
address2 - Specifies the IP address of an alternate router.
bootfile filename - Specifies the boot file name.
Usage Guidelines
◆ If DNS IP servers are not configured for a DHCP client, the client cannot correlate host names to IP addresses.
◆ Servers are listed in order of preference (starting with address1 as the most preferred server).
Example
Console(config-dhcp)#dns-server 10.1.1.253 192.168.3.19
Console(config-dhcp)#
domain-name
This command specifies the domain name for a DHCP client. Use the no form to remove the domain name.
• ethernet
• ieee802
Default Setting
If no type is specified, the default protocol is Ethernet.
Command Mode
DHCP Pool Configuration
Command Usage
This command identifies a DHCP or BOOTP client to bind to an address specified in the host command. BOOTP clients cannot transmit a client identifier. To bind an address to a BOOTP client, you must associate a hardware address with the host entry.
network pool matching the interface through which the client request was received. It then searches for a manually configured host address that falls within the matching network pool.
◆ When searching for a manual binding, the switch compares the client identifier for DHCP clients, and then compares the hardware address for DHCP or BOOTP clients.
Command Modes
DHCP Pool Configuration
Example
The following example leases an address to clients using this pool for 7 days.
Console(config-dhcp)#lease 7
Console(config-dhcp)#
netbios-name-server
This command configures NetBIOS Windows Internet Naming Service (WINS) name servers that are available to Microsoft DHCP clients. Use the no form to remove the NetBIOS name server list.
netbios-node-type
This command configures the NetBIOS node type for Microsoft DHCP clients. Use the no form to remove the NetBIOS node type.
the request was not forwarded by a relay server), the switch searches for a network pool matching the interface through which the client request was received. It then searches for a manually configured host address that falls within the matching network pool. If no manually configured host address is found, it assigns an address from the matching network address pool. However, if no matching address pool is found, the request is ignored.
option
Use this command to enable DHCP options. Use the no form of the command to disable DHCP options.
Syntax
option code {ascii word | hex hex-value | ip-address address1 [address2 [address3 [address4]]]}
code - A DHCP option code (Range: 0-254).
ascii word - ASCII character string representing a network device (Range: 1-48 ASCII characters).
hex hex-value - A concatenated hex number string of up to 4 IPv4 addresses in hex format, each representing a network device.
Command Mode
Privileged Exec
Usage Guidelines
◆ An address specifies the client's IP address. If no IP address is specified, the DHCP server clears all automatic bindings.
◆ Use the no host command to delete a manual binding.
◆ This command is normally used after modifying the address pool, or after moving DHCP service to another device.
Example
show ip dhcp
This command displays DHCP address pools configured on the switch.
Command Mode
Privileged Exec
Example
Console#show ip dhcp
Name     Type IP Address      Mask            Active Pool
-------- ---- --------------- --------------- ------------------------------
tps      Net  192.168.1.0     255.255.255.0   192.168.1.1 - 192.168.1.254
Total entry : 1
Console#
show ip dhcp pool
This command displays the detailed configuration information of DHCP address pools on the switch.
28 IP Interface Commands
An IP Version 4 and Version 6 address may be used for management access to the switch over the network. Both IPv4 and IPv6 addresses can be used simultaneously to access the switch. You can manually configure a specific IPv4 or IPv6 address or direct the switch to obtain an IPv4 address from a BOOTP or DHCP server when it is powered on. An IPv6 address can either be manually configured or dynamically generated. The IPv4 address for VLAN 1 on this switch is set to 192.168.2.
Chapter 28 | IP Interface Commands IPv4 Interface Basic IPv4 Configuration This section describes commands used to configure IP addresses for VLAN interfaces on the switch.
Command Usage
◆ Before any network interfaces are configured on the router, first create a VLAN for each unique user group, or for each network application and its associated users. Then assign the ports associated with each of these VLANs.
◆ An IP address must be assigned to this device to gain management access over the network or to connect the router to existing IP subnets.
Related Commands
ip dhcp restart client (771)
ip default-gateway (798)
ipv6 address (809)
ip default-gateway
This command specifies the default gateway for destinations not found in local routing tables. Use the no form to remove a default gateway.
Syntax
ip default-gateway gateway
no ip default-gateway
gateway - IP address of the default gateway
Default Setting
No default gateway is established.
C 192.168.2.0/24 is directly connected, VLAN1
Console(config)#
Related Commands
ip address (796)
ip route (852)
ipv6 default-gateway (808)
show ip interface
This command displays the settings of an IPv4 interface.
show ip traffic
This command displays statistics for IP, ICMP, UDP, TCP and ARP protocols.
input errors
9897 output
Console#
traceroute
This command shows the route packets take to the specified destination.
Syntax
traceroute host
host - IP address or alias of the host.
Default Setting
None
Command Mode
Privileged Exec
Command Usage
◆ Use the traceroute command to determine the path taken to reach a specified destination.
Example
Console#traceroute 192.168.0.99
Press "ESC" to abort.
Traceroute to 192.168.0.99, 30 hops max, timeout is 3 seconds
Hop Packet 1 Packet 2 Packet 3 IP Address
--- -------- -------- -------- ---------------
1   20 ms    <10 ms   <10 ms   192.168.0.99
Trace completed.
Console#
ping
This command sends (IPv4) ICMP echo request packets to another node on the network.
Syntax
ping host [count count] [size size]
host - IP address or alias of the host.
◆ When pinging a host name, be sure the DNS server has been defined (page 763) and host name-to-address translation enabled (page 761). If necessary, local devices can also be specified in the DNS static host table (page 762).
Example
Console#ping 10.1.0.9
Press ESC to abort.
PING to 10.1.0.
Default Setting
No default entries
Command Mode
Global Configuration
Command Usage
◆ The ARP cache is used to map 32-bit IP addresses into 48-bit hardware (i.e., Media Access Control) addresses. This cache includes entries for hosts and other routers on local network interfaces defined on this router.
◆ The maximum number of static entries allowed in the ARP cache is 256.
Command Usage
◆ When an ARP entry expires, it is deleted from the cache and an ARP request packet is sent to re-establish the MAC address.
◆ The aging time determines how long dynamic entries remain in the cache. If the timeout is too short, the router may tie up resources by repeating ARP requests for addresses recently flushed from the table.
Example
This example sets the ARP cache timeout to 15 minutes (i.e., 900 seconds).
clear arp-cache
This command deletes all dynamic entries from the Address Resolution Protocol (ARP) cache.
Command Mode
Privileged Exec
Example
This example clears all dynamic entries in the ARP cache.
Console#clear arp-cache
This operation will delete all the dynamic entries in ARP Cache.
Do you want to continue this operation (y/n)?
Console#
show arp
This command displays entries in the Address Resolution Protocol (ARP) cache.
Chapter 28 | IP Interface Commands IPv6 Interface IPv6 Interface This switch supports the following IPv6 interface commands.
Table 158: IPv6 Configuration Commands (Continued)
Command - Function - Mode
ipv6 nd raguard - Blocks incoming Router Advertisement and Router Redirect packets - IC
ipv6 nd reachable-time - Configures the amount of time that a remote IPv6 node is considered reachable after some reachability confirmation event has occurred - IC
ipv6 nd prefix - Configures the IPv6 prefixes to include in router advertisements
ipv6 nd ra interval minimum-interval [maximum-interval
◆ The same link-local address may be used by different interfaces/nodes in different zones (RFC 4007). Therefore, when specifying a link-local address, include zone-id information indicating the VLAN identifier after the % delimiter. For example, FE80::7272%1 identifies VLAN 1 as the interface from which the ping is sent.
◆ To connect to a larger network with multiple subnets, you must configure a global unicast address. This address can be manually configured with this command, or it can be automatically configured using the ipv6 address autoconfig command.
◆ If a link-local address has not yet been assigned to this interface, this command will assign the specified static global unicast address and also dynamically generate a link-local unicast address for the interface.
ipv6 address autoconfig
This command enables stateless autoconfiguration of IPv6 addresses on an interface and enables IPv6 on the interface. The network portion of the address is based on prefixes received in IPv6 router advertisement messages; the host portion is based on the modified EUI-64 form of the interface identifier (i.e., the switch's MAC address). Use the no form to remove the address generated by this command.
Console#
Related Commands
ipv6 address (809)
show ipv6 interface (818)
ipv6 address eui-64
This command configures an IPv6 address for an interface using an EUI-64 interface ID in the low order 64 bits and enables IPv6 on the interface. Use the no form without any arguments to remove all manually configured IPv6 addresses from the interface. Use the no form with a specific address to remove it from the interface.
◆ IPv6 addresses are 16 bytes long, of which the bottom 8 bytes typically form a unique host identifier based on the device's MAC address. The EUI-64 specification is designed for devices that use an extended 8-byte MAC address.
ipv6 address link-local
This command configures an IPv6 link-local address for an interface and enables IPv6 on the interface. Use the no form without any arguments to remove all manually configured IPv6 addresses from the interface. Use the no form with a specific address to remove it from the interface.
Syntax
ipv6 address ipv6-address link-local
no ipv6 address [ipv6-address link-local]
ipv6-address - The IPv6 address assigned to the interface.
ff02::1
IPv6 link MTU is 1500 bytes
ND DAD is enabled, number of DAD attempts: 3.
IPv6 is enabled
Link-local address:
  fe80::269:3ef9:fe19:6779%1/64
Global unicast address(es):
  2001:db8:0:1:7272:cfff:fe83:3466/64, subnet is 2001:db8:0:1::/64[EUI]
  2001:db8:2222:7272::72/96, subnet is 2001:db8:2222:7272::/96
Joined group address(es):
  ff02::1:ff19:6779
  ff02::1:ff00:72
  ff02::1:ff83:3466
  ff02::1
IPv6 link MTU is 1500 bytes
ND DAD is enabled, number of DAD attempts: 3.
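The following added example (not code from the Edgecore guide or the switch firmware) reproduces the modified EUI-64 derivation behind the ipv6 address autoconfig and ipv6 address eui-64 commands, plus the solicited-node multicast groups listed under "Joined group address(es)". The MAC address 70:72:cf:83:34:66 is a constructed sample, chosen because it yields the [EUI] global unicast address shown in the output above; everything else is standard RFC 4291 arithmetic.

```python
"""Modified EUI-64 interface IDs and solicited-node multicast addresses.

Added example, not part of the guide. Shows how a 48-bit MAC becomes the
low 64 bits of an EUI-64 address, how the solicited-node multicast group is
derived from any unicast address, and how the MAC can be read back out of an
EUI-64 address (the reason privacy extensions exist).
"""
import ipaddress

# Constructed sample MAC (assumption): produces the [EUI] address in the guide.
SAMPLE_MAC = "70:72:cf:83:34:66"
SAMPLE_PREFIX = "2001:db8:0:1::/64"


def modified_eui64(mac: str) -> bytes:
    """Return the 8-byte modified EUI-64 interface ID for a 48-bit MAC.

    RFC 4291 Appendix A: split the MAC in half, insert 0xFFFE between the
    OUI and the NIC-specific part, then invert the universal/local bit
    (bit 0x02 of the first octet).
    """
    octets = bytes(int(x, 16) for x in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui[0] ^= 0x02  # universal/local bit flip
    return bytes(eui)


def eui64_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Combine a 64-bit prefix (as advertised in an RA) with the EUI-64 IID."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 interface IDs require a /64 prefix")
    iid = int.from_bytes(modified_eui64(mac), "big")
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def link_local_address(mac: str) -> ipaddress.IPv6Address:
    """The fe80::/64 address the switch generates when none is configured."""
    return eui64_address("fe80::/64", mac)


def solicited_node(addr: str) -> ipaddress.IPv6Address:
    """ff02::1:ffXX:XXXX built from the low 24 bits of a unicast address.

    RFC 4291 section 2.7.1; a node joins one such group per unicast address,
    which is why the guide's output lists ff02::1:ff83:3466 and ff02::1:ff00:72.
    """
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    base = int(ipaddress.IPv6Address("ff02::1:ff00:0"))
    return ipaddress.IPv6Address(base | low24)


def mac_from_eui64(addr: str) -> str:
    """Recover the MAC embedded in an EUI-64 address, or raise if none."""
    low64 = bytearray(int(ipaddress.IPv6Address(addr)).to_bytes(16, "big")[8:])
    if low64[3:5] != b"\xff\xfe":
        raise ValueError("interface ID is not modified EUI-64")
    low64[0] ^= 0x02  # undo the universal/local flip
    mac = low64[:3] + low64[5:]
    return ":".join(f"{b:02x}" for b in mac)


def is_eui64_based(addr: str) -> bool:
    """True when the interface ID carries the 0xFFFE EUI-64 marker."""
    try:
        mac_from_eui64(addr)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    global_addr = eui64_address(SAMPLE_PREFIX, SAMPLE_MAC)
    print("global   :", global_addr)               # 2001:db8:0:1:7272:cfff:fe83:3466
    print("link-local:", link_local_address(SAMPLE_MAC))
    print("sol-node :", solicited_node(str(global_addr)))  # ff02::1:ff83:3466
    print("MAC back :", mac_from_eui64(str(global_addr)))  # 70:72:cf:83:34:66
```

Because the MAC is recoverable from an EUI-64 address, it travels with the host across every prefix it attaches to; the static ::72 address in the same output shows the alternative of an administrator-chosen interface ID.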
Related Commands
ipv6 address eui-64 (812)
ipv6 address link-local (814)
show ipv6 interface (818)
ipv6 mtu
This command sets the size of the maximum transmission unit (MTU) for IPv6 packets sent on an interface. Use the no form to restore the default setting.
Syntax
ipv6 mtu size
no ipv6 mtu
size - Specifies the MTU size.
Related Commands
show ipv6 mtu (820)
jumbo frame (113)
show ipv6 interface
This command displays the usability and configured settings for IPv6 interfaces.
Syntax
show ipv6 interface [brief [vlan vlan-id [ipv6-prefix/prefix-length]]]
brief - Displays a brief summary of IPv6 operational status and the addresses configured for each interface.
vlan-id - VLAN ID (Range: 1-4094)
ipv6-prefix - The IPv6 network portion of the address assigned to the interface.
Table 159: show ipv6 interface - display description
Field - Description
VLAN - A VLAN is marked "up" if the switch can send and receive packets on this interface, "down" if a line signal is not present, or "administratively down" if the interface has been disabled by the administrator.
VLAN 1    Up    Up    FE80::2E0:CFF:FE00:FD%1/64
Console#
Related Commands
show ip interface (799)
show ipv6 mtu
This command displays the maximum transmission unit (MTU) cache for destinations that have returned an ICMP packet-too-big message along with an acceptable MTU to this switch.
  too big errors
  no routes
  address errors
  unknown protocols
  truncated packets
  discards
  delivers
  reassembly request datagrams
  reassembly succeeded
  reassembly failed
IPv6 sent
  forwards datagrams
  6 requests
  discards
  no routes
  generated fragments
  fragment succeeded
  fragment failed
ICMPv6 Statistics:
ICMPv6 received
  input errors
  destination unreachable messages
  packet too big messages
  time exceeded messages
  parameter problem message
  echo request messages
  echo repl
Table 161: show ipv6 traffic - display description
Field - Description
IPv6 Statistics
IPv6 received
total received - The total number of input datagrams received by the interface, including those received in error.
header errors - The number of input datagrams discarded due to errors in their IPv6 headers, including version number mismatch, other format errors, hop count exceeded, IPv6 options, etc.
Table 161: show ipv6 traffic - display description (Continued)
Field - Description
IPv6 sent
forwards datagrams - The number of output datagrams which this entity received and forwarded to their final destinations. In entities which do not act as IPv6 routers, this counter will include only those packets which were Source-Routed via this entity, and the Source-Route processing was successful.
Table 161: show ipv6 traffic - display description (Continued)
Field - Description
neighbor solicit messages - The number of ICMP Neighbor Solicit messages received by the interface.
neighbor advertisement messages - The number of ICMP Neighbor Advertisement messages received by the interface.
redirect messages - The number of Redirect messages received by the interface.
Table 161: show ipv6 traffic - display description (Continued)
Field - Description
other errors - The number of received UDP datagrams that could not be delivered for reasons other than the lack of an application at the destination port.
output - The total number of UDP datagrams sent from this entity.
clear ipv6 traffic
This command resets IPv6 traffic counters.
Command Usage
◆ Use the ping6 command to see if another site on the network can be reached, or to evaluate delays over the path.
◆ The same link-local address may be used by different interfaces/nodes in different zones (RFC 4007). Therefore, when specifying a link-local address, include zone-id information indicating the VLAN identifier after the % delimiter. For example, FE80::7272%1 identifies VLAN 1 as the interface from which the ping is sent.
Default Setting
Maximum failures: 5
Command Mode
Privileged Exec
Command Usage
◆ Use the traceroute6 command to determine the path taken to reach a specified destination.
◆ The same link-local address may be used by different interfaces/nodes in different zones (RFC 4007). Therefore, when specifying a link-local address, include zone-id information indicating the VLAN identifier after the % delimiter.
Neighbor Discovery
ipv6 hop-limit
This command configures the maximum number of hops used in router advertisements that are originated by this router. Use the no form to restore the default setting.
Syntax
ipv6 hop-limit hops
no ipv6 hop-limit
hops - The maximum number of hops in router advertisements and all IPv6 packets.
Default Setting
None
Command Mode
Global Configuration
Command Usage
◆ Address Resolution Protocol (ARP) has been replaced in IPv6 with the Neighbor Discovery Protocol (NDP). The ipv6 neighbor command is similar to the mac-address-table static command that is implemented using ARP.
◆ Static entries can only be configured on an IPv6-enabled interface.
ipv6 nd dad attempts
This command configures the number of consecutive neighbor solicitation messages sent on an interface during duplicate address detection. Use the no form to restore the default setting.
Syntax
ipv6 nd dad attempts count
no ipv6 nd dad attempts
count - The number of neighbor solicitation messages sent to determine whether or not a duplicate address exists on this interface.
Example
The following configures five neighbor solicitation attempts for addresses configured on VLAN 1. The show ipv6 interface command indicates that the duplicate address detection process is still on-going.
Console(config)#interface vlan 1
Console(config-if)#ipv6 nd dad attempts 5
Console(config-if)#end
Console#show ipv6 interface
VLAN 1 is up
IPv6 is enabled.
Command Usage
◆ The "managed-address configuration" flag tells hosts that they should use stateful autoconfiguration to obtain addresses from a DHCPv6 server.
autoconfiguration to get other non-address parameters from DHCPv6 servers. In this case, the absence of both the "managed address configuration" flag and the "other stateful configuration" flag is interpreted to mean that they should use only stateless autoconfiguration to obtain addresses.
Example
The following sets the interval between sending neighbor solicitation messages to 30000 milliseconds:
Console(config)#interface vlan 1
Console(config-if)#ipv6 nd ns-interval 30000
Console(config-if)#end
Console#show ipv6 interface
VLAN 1 is up
IPv6 is enabled.
possibly malicious attacks on the network, may lead to bogus RAs being sent, which in turn can cause operational problems for hosts on the network.
◆ This command can be used to block RAs and Router Redirect (RR) messages on the specified interface. Determine which interfaces are connected to known routers, and enable RA Guard on all other untrusted interfaces.
Default Setting
30000 milliseconds is used for neighbor discovery operations
0 milliseconds is advertised in router advertisements
Command Mode
Interface Configuration (VLAN)
Command Usage
◆ The time limit configured by this parameter allows the router to detect unavailable neighbors. During the neighbor discovery process, an IPv6 node will multicast neighbor solicitation messages to search for neighbor nodes.
preferred-lifetime - The amount of time that the specified IPv6 prefix is advertised as being preferred. The preferred lifetime is counted down in real time. (Range: 0-4294967295 seconds)
no-autoconfig - Indicates to hosts on the local link that the specified prefix cannot be used for IPv6 autoconfiguration.
off-link - Indicates that the specified prefix is assigned to the link.
Syntax
ipv6 nd ra interval minimum-interval [maximum-interval]
no ipv6 nd ra interval
minimum-interval - The minimum interval between IPv6 router advertisements. (Range: 4-1800 seconds)
maximum-interval - The maximum interval between IPv6 router advertisements.
Default Setting
1800 seconds
Command Usage
◆ This command can be used to indicate the usefulness of this router as a default router on this interface.
◆ Set the router lifetime to 0 to indicate that this router should not be considered a default router. Set the lifetime to a non-zero value to indicate that it should be considered a default router. When a non-zero value is used, the lifetime should not be less than the router advertisement interval.
Console(config)#interface vlan 1
Console(config-if)#ipv6 nd ra router-preference high
Console(config-if)#
ipv6 nd ra suppress
This command suppresses router advertisement transmissions on an interface. Use the no form to re-enable router advertisements.
Syntax
[no] ipv6 nd ra suppress
Command Mode
Interface Configuration (VLAN, IPv6/v4 Tunnel)
Default Setting
Not suppressed
Command Usage
This command suppresses periodic unsolicited router advertisements.
show ipv6 neighbors
This command displays information in the IPv6 neighbor discovery cache.
Syntax
show ipv6 neighbors [vlan vlan-id | ipv6-address]
vlan-id - VLAN ID (Range: 1-4094)
ipv6-address - The IPv6 address of a neighbor device. You can specify either a link-local or global unicast address formatted according to RFC 2373 "IPv6 Addressing Architecture," using 8 colon-separated 16-bit hexadecimal values.
Chapter 28 | IP Interface Commands ND Snooping
Table 162: show ipv6 neighbors - display description (Continued)
Field - Description
D (Delay) - More than the ReachableTime interval has elapsed since the last positive confirmation was received that the forward path was functioning. A packet was sent within the last DELAY_FIRST_PROBE_TIME interval.
ND Snooping
This section describes commands used to configure ND Snooping.
Command Usage
◆ Use this command without any keywords to enable ND snooping globally on the switch. Use the VLAN keyword to enable ND snooping on a specific VLAN or a range of VLANs.
◆ Once ND snooping is enabled both globally and on the required VLANs, the switch will start monitoring RA messages to build an address prefix table as described below:
■ If an RA message is received on an untrusted interface, it is dropped.
ipv6 nd snooping auto-detect
This command enables automatic validation of dynamic user binding table entries by periodically sending NS messages and awaiting NA replies. Use the no form to disable this feature.
Example
Console(config)#ipv6 nd snooping auto-detect retransmit count 5
Console(config)#
ipv6 nd snooping auto-detect retransmit interval
This command sets the interval at which the auto-detection process sends NS messages to determine if a dynamic user binding is still valid. Use the no form to restore the default setting.
Command Mode
Global Configuration
Command Usage
If ND snooping is enabled and an RA message is received on a trusted interface, the switch will add an entry in the prefix table based upon the Prefix Information contained in the message. If an RA message is not received for a table entry with the same prefix for the specified timeout period, the entry is deleted.
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
◆ In general, interfaces facing toward the network core, or toward routers supporting the Neighbor Discovery protocol, are configured as trusted interfaces.
◆ RA messages received from a trusted interface are added to the prefix table and forwarded toward their destination.
◆ NS messages received from a trusted interface are forwarded toward their destination.
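As an added example (not the switch's own code), the following model walks through the prefix-table rules stated for ipv6 nd snooping, ipv6 nd snooping prefix timeout and ipv6 nd snooping trust above: RAs on untrusted interfaces are dropped, RAs on trusted interfaces add or refresh a prefix entry, and entries whose prefix has not been re-advertised within the timeout are deleted. Interface names, VLAN numbers, prefixes and the RA record layout are constructed for illustration.

```python
"""ND snooping prefix table as described in the guide (added example).

Models the observable behaviour only: trusted/untrusted interface handling,
per-VLAN enablement, prefix-entry refresh, and timeout-based expiry.
All names and values are constructed samples, not switch defaults.
"""
from dataclasses import dataclass
import ipaddress


@dataclass
class PrefixEntry:
    prefix: ipaddress.IPv6Network
    vlan: int
    interface: str      # trusted port the RA arrived on
    valid_time: int     # Valid Lifetime from the RA Prefix Information option
    last_seen: float    # arrival time of the most recent RA for this prefix


class NdSnoopingPrefixTable:
    def __init__(self, timeout: int, trusted_ports: set, snooping_vlans: set):
        self.timeout = timeout                # ipv6 nd snooping prefix timeout
        self.trusted = set(trusted_ports)     # ipv6 nd snooping trust
        self.vlans = set(snooping_vlans)      # ipv6 nd snooping vlan ...
        self.entries = {}                     # (prefix, vlan) -> PrefixEntry

    def receive_ra(self, interface: str, vlan: int, prefix: str,
                   valid_time: int, now: float) -> str:
        """Apply the RA rules; returns what the switch did with the RA."""
        if vlan not in self.vlans:
            return "not-snooped"              # snooping off for this VLAN
        if interface not in self.trusted:
            return "dropped"                  # untrusted port: RA discarded
        key = (ipaddress.IPv6Network(prefix, strict=False), vlan)
        if key in self.entries:
            entry = self.entries[key]
            entry.valid_time, entry.last_seen, entry.interface = (
                valid_time, now, interface)
            return "refreshed"
        self.entries[key] = PrefixEntry(key[0], vlan, interface,
                                        valid_time, now)
        return "added"

    def expire(self, now: float) -> list:
        """Delete entries not re-advertised within the timeout; return them."""
        stale = [e for e in self.entries.values()
                 if now - e.last_seen > self.timeout]
        for e in stale:
            del self.entries[(e.prefix, e.vlan)]
        return stale

    def prefixes(self, vlan: int = None) -> list:
        """Prefix strings as 'show ipv6 nd snooping prefix' would list them."""
        return sorted(str(e.prefix) for e in self.entries.values()
                      if vlan is None or e.vlan == vlan)

    def address_in_snooped_prefix(self, address: str, vlan: int) -> bool:
        """Check a client address against the learned prefixes for its VLAN;
        the kind of test a binding validated by auto-detect must pass."""
        addr = ipaddress.IPv6Address(address)
        return any(addr in e.prefix for e in self.entries.values()
                   if e.vlan == vlan)


def demo() -> dict:
    """Constructed scenario: one uplink trusted, one access port not."""
    table = NdSnoopingPrefixTable(timeout=300, trusted_ports={"eth1/48"},
                                  snooping_vlans={1})
    results = {
        "rogue": table.receive_ra("eth1/3", 1, "2001:db8:bad::/64", 2592000, 0),
        "uplink": table.receive_ra("eth1/48", 1, "2001:db8:0:1::/64", 2592000, 0),
        "refresh": table.receive_ra("eth1/48", 1, "2001:db8:0:1::/64", 2592000, 100),
        "other_vlan": table.receive_ra("eth1/48", 2, "2001:db8:0:2::/64", 2592000, 0),
        "before_expiry": table.prefixes(1),
        "in_prefix": table.address_in_snooped_prefix(
            "2001:db8:0:1:7272:cfff:fe83:3466", 1),
        "expired_at_200": [str(e.prefix) for e in table.expire(200)],
        "expired_at_401": [str(e.prefix) for e in table.expire(401)],
        "after_expiry": table.prefixes(1),
    }
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:>14}: {v}")
```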
Example
Console#clear ipv6 nd snooping prefix
Console#show ipv6 nd snooping prefix
Prefix entry timeout: (seconds)
Prefix                                 Len Valid-Time Expire     VLAN Interface
-------------------------------------- --- ---------- ---------- ---- ---------
Console#
show ipv6 nd snooping
This command shows the configuration settings for ND snooping.
show ipv6 nd snooping prefix
This command shows all entries in the address prefix table.
Syntax
show ipv6 nd snooping prefix [interface vlan vlan-id]
vlan-id - VLAN ID.
28 IP Routing Commands After network interfaces are configured for the switch, the paths used to send traffic between different interfaces must be set. To forward traffic to devices on other subnetworks, configure fixed paths with static routing commands. This section includes commands for static routing. These commands are used to connect between different local subnetworks or to connect the router to the enterprise network.
Chapter 28 | IP Routing Commands Global Routing Configuration
IPv4 Commands
ip route
This command configures static routes. Use the no form to remove static routes.
Syntax
ip route destination-ip netmask next-hop [distance]
no ip route {destination-ip netmask next-hop | *}
destination-ip - IP address of the destination network, subnetwork, or host.
netmask - Network mask for the associated IP subnet. This mask identifies the host address bits used for routing to specific subnets.
show ip route
This command displays information in the Forwarding Information Base (FIB).
Syntax
show ip route [connected | database | static | summary]
connected - Displays all currently connected entries.
database - All known routes, including inactive routes. See show ip route database.
static - Displays all static entries.
C 192.168.2.0/24 is directly connected, VLAN1
Console#
The RIB contains all available routes learned through directly attached networks, and any additionally configured routes such as static routes. The RIB contains the set of all available routes from which optimal entries are selected for use by the Forwarding Information Base (see Command Usage under the show ip route command).
Console#
Table 190: show ip host-route - display description
Field - Description
IP Address - IP address of the destination network, subnetwork, or host.
MAC Address - The physical layer address associated with the IP address.
VLAN - The VLAN that connects to this IP address.
Port - The port that connects to this IP address.
show ip route
This command displays entries in the Routing Information Base (RIB).
Console#show ip route summary
IP routing table name is Default-IP-Routing-Table(0)
IP routing table maximum-paths is 8
Connected 2
Total     2
Console#
show ip traffic
This command displays statistics for IP, ICMP, UDP, TCP and ARP protocols.
  source quench messages
  address mask request messages
  address mask reply messages
UDP Statistics:
  2 input
  no port errors
  other errors
  output
TCP Statistics:
  4698 input
  input errors
  5867 output
Console#
IPv6 Commands
ipv6 route
This command configures static IPv6 routes. Use the no form to remove static routes.
◆ If an administrative distance is defined for a static route, and the same destination can be reached through a dynamic route at a lower administrative distance, then the dynamic route will be used.
◆ The default distance of 1 will take precedence over any other type of route, except for local routes.
changes occur in the network, the routing table is updated, and those changes are immediately reflected in the FIB. The FIB is distinct from the routing table (or Routing Information Base), which holds all routing information received from routing peers. The forwarding information base contains unique paths only. It does not contain any secondary paths.
Example
Console(config)#maximum-paths 8
Console(config)#
Section III Appendices
This section provides additional information and includes these items:
◆ "Troubleshooting" on page 863
◆ "License Information" on page 865
A Troubleshooting
Problems Accessing the Management Interface
Table 191: Troubleshooting Chart
Symptom: Cannot connect using Telnet, or SNMP software
Action:
◆ Be sure the switch is powered up.
◆ Check network cabling between the management station and the switch. Make sure the ends are properly connected and there is no damage to the cable. Test the cable if necessary.
Symptom: Cannot connect using Secure Shell
Action:
Using System Logs
If a fault does occur, refer to the Installation Guide to ensure that the problem you encountered is actually caused by the switch. If the problem appears to be caused by the switch, follow these steps:
1. Enable logging.
2. Set the error messages reported to include all categories.
3. Enable SNMP.
4. Enable SNMP traps.
5. Designate the SNMP host that is to receive the error messages.
6.
B License Information This product includes copyrighted third-party software subject to the terms of the GNU General Public License (GPL), GNU Lesser General Public License (LGPL), or other related free software licenses. The GPL code used in this product is distributed WITHOUT ANY WARRANTY and is subject to the copyrights of one or more authors. For details, refer to the section "The GNU General Public License" below, or refer to the applicable license as included in the source-code archive.
The GNU General Public License
GNU GENERAL PUBLIC LICENSE
TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
1. This License applies to any program or other work which contains a notice placed by the copyright holder saying it may be distributed under the terms of this General Public License.
b) Accompany it with a written offer, valid for at least three years, to give any third party, for a charge no more than your cost of physically performing source distribution, a complete machine-readable copy of the corresponding source code, to be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or,
c) Accompany it with the information you received as to the offer to distribute c
9. If the distribution and/or use of the Program is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the Program under this License may add an explicit geographical distribution limitation excluding those countries, so that distribution is permitted only in or among countries not thus excluded.
List of Commands

aaa accounting commands 226
aaa accounting dot1x 227
aaa accounting exec 228
aaa accounting update 229
aaa authorization commands 229
aaa authorization exec 230
aaa group server 231
absolute 166
access-list arp 384
access-list ip 366
access-list ipv6 372
access-list mac 378
accounting commands 232
accounting dot1x 232
accounting exec 233
alias 393
arp 803
arp timeout 804
authentication enable 214
authentication login 215
authorization commands 234
authorization exec 234
auto-traffic-contro

disable 88
discard 394
disconnect 136
dns-server 783
domain-name 784
dos-protection echo-chargen 354
dos-protection land 354
dos-protection smurf 355
dos-protection tcp-flooding 355
dos-protection tcp-null-scan 356
dos-protection tcp-syn-fin-scan 356
dos-protection tcp-udp-port-zero 357
dos-protection tcp-xmas-scan 357
dos-protection udp-flooding 358
dos-protection win-nuke 358
dot1q-tunnel system-tunnel-control 533
dot1q-tunnel tpid 534
dot1x default 253
dot1x eapol-pass-through 254
dot1x

ip http secure-port 239
ip http secure-server 239
ip http server 238
ip igmp authentication 665
ip igmp filter (Global Configuration) 663
ip igmp filter (Interface Configuration) 667
ip igmp max-groups 667
ip igmp max-groups action 668
ip igmp profile 663
ip igmp query-drop 669
ip igmp snooping 637
ip igmp snooping immediate-leave 654
ip igmp snooping mrouter-forward-mode dynamic 638
ip igmp snooping priority 638
ip igmp snooping proxy-reporting 639
ip igmp snooping querier 640
ip igmp sno

ipv6 nd snooping auto-detect retransmit interval 846
ipv6 nd snooping max-binding 847
ipv6 nd snooping prefix timeout 846
ipv6 nd snooping trust 847
ipv6 neighbor 828
ipv6 route 857
ipv6 source-guard 341
ipv6 source-guard binding 339
ipv6 source-guard max-binding 342
jumbo frame 113
l2protocol-tunnel tunnel-dmac 540
lacp 425
lacp actor/partner mode (Ethernet Interface) 426
lacp admin-key (Ethernet Interface) 427
lacp admin-key (Port Channel) 430
lacp port-priority 428
lacp system-priority

network-access dynamic-vlan 291
network-access guest-vlan 292
network-access link-detection 292
network-access link-detection link-down 293
network-access link-detection link-up 293
network-access link-detection link-up-down 294
network-access mac-filter 288
network-access max-mac-count 295
network-access mode mac-authentication 295
network-access port-mac-filter 296
next-server 789
nlm 187
no rspan session 449
non-revertive 578
ntp authenticate 154
ntp authentication-key 155
ntp client 15

show authorization 236
show auto-traffic-control 467
show auto-traffic-control interface 468
show banner 101
show bridge-ext 519
show cable-diagnostics 419
show calendar 165
show class-map 629
show discard 399
show dns 765
show dns cache 765
show dos-protection 359
show dot1q-tunnel 539
show dot1q-tunnel service 538
show dot1x 265
show efm oam counters interface 755
show efm oam event-log interface 755
show efm oam remote-loopback interface 757
show efm oam status remote interface 758
show

show loopback-detection 473
show mac access-group 383
show mac access-list 384
show mac-address-table 479
show mac-address-table aging-time 480
show mac-address-table count 481
show mac-address-table hash-algorithm 480
show mac-address-table hash-lookup-depth 481
show mac-vlan 554
show management 269
show memory 103
show mlag 438
show mlag domain 439
show mlag group 438
show mvr 712
show mvr associated-profile 713
show mvr interface 714
show mvr members 715
show mvr profile 717
show mvr st

snmp-server enable port-traps mac-notification 178
snmp-server enable traps 174
snmp-server engine-id 179
snmp-server group 180
snmp-server host 175
snmp-server location 173
snmp-server notify-filter 188
snmp-server user 181
snmp-server view 183
sntp client 151
sntp poll 152
sntp server 153
spanning-tree 484
spanning-tree bpdu-filter 496
spanning-tree bpdu-guard 497
spanning-tree cisco-prestandard 485
spanning-tree cost 498
spanning-tree edge-port 499
spanning-tree forward-time 485
spannin

web-auth session-timeout 303
web-auth system-auth-control 303
whichboot 122
wtr-timer 575

– 877 –