ECS4620 Series 28/52-Port Layer 3 Stackable GE Switch CLI Reference Guide Software Release v1.2.2.26 www.edge-core.
CLI Reference Guide
ECS4620-28T Stackable GE Switch
Layer 3 Stackable Gigabit Ethernet Switch with 24 10/100/1000BASE-T (RJ-45) Ports, 2 10-Gigabit SFP+ Ports, and Optional Module with 2 10-Gigabit SFP+ Ports
ECS4620-52T Stackable GE Switch
Layer 3 Stackable Gigabit Ethernet Switch with 48 10/100/1000BASE-T (RJ-45) Ports, 2 10-Gigabit SFP+ Ports, and Optional Module with 2 10-Gigabit SFP+ Ports
ECS4620-28P Stackable GE PoE Switch
ECS4620-52P Stackable GE PoE Switch
Layer 3 Stackable Gigabit Ethernet P
How to Use This Guide
This guide includes detailed information on the switch software, including how to operate and use the management functions of the switch. To deploy this switch effectively and ensure trouble-free operation, you should first read the relevant sections in this guide so that you are familiar with all of its software features.
Who Should Read This Guide?
This guide is for network administrators who are responsible for operating and maintaining network equipment.
Conventions
The following conventions are used throughout this guide to show information:
Note: Emphasizes important information or calls your attention to related features or instructions.
Caution: Alerts you to a potential hazard that could cause loss of data, or damage the system or equipment.
Documentation
This documentation is provided for general information purposes only.
◆ Added Command Usage for "show interfaces brief" on page 433.
◆ Updated syntax for "show port monitor" on page 475.
◆ Updated Command Usage for "spanning-tree bpdu-filter" on page 536.
◆ Updated Command Usage for "spanning-tree bpdu-guard" on page 537.
◆ Added Command Usage to "spanning-tree spanning-disabled" on page 547.
◆ Updated syntax for "switchport allowed vlan" on page 595.
◆ Added "switchport dot1q-tunnel priority map" on page 604.
December 2014 Revision
This is the fourth version of this guide. This guide is valid for software release v1.2.2.0. It contains the following changes:
◆ Added information for ECS4620-28F-DC.
July 2014 Revision
This is the third version of this guide. This guide is valid for software release v1.2.2.0. It contains the following changes:
◆ Added information for ECS4620-28T-DC.
◆ Updated usage information for the command "mac-learning" on page 312.
◆ Updated command usage section for the command "port security" on page 313.
◆ Added the command "port security mac-address-as-permanent" on page 315.
◆ Added the commands "ip dhcp snooping information option encode no-subtype" on page 342, "ip dhcp snooping information option remote-id" on page 343, and "ip dhcp snooping information option tr101 board-id" on page 344.
◆ Updated syntax for the commands "show qos map cos-dscp" on page 641, "show qos map dscp-mutation" on page 641, and "show qos map phb-queue" on page 642.
◆ Added the commands "clear ip igmp snooping groups dynamic" on page 683, and "clear ip igmp snooping statistics" on page 683.
◆ Updated command usage section for the command "ip igmp authentication" on page 693.
Section I Getting Started This section describes how to configure the switch for management access through the web interface or SNMP.
1 Initial Switch Configuration
This chapter includes information on connecting to the switch and basic configuration procedures.
Connecting to the Switch
The switch includes a built-in network management agent. The agent offers a variety of management options, including SNMP, RMON and a web-based interface. A PC may also be connected directly to the switch for configuration and monitoring via a command line interface (CLI).
Note: An IPv4 address for this switch is obtained via DHCP by default.
◆ Filter packets using Access Control Lists (ACLs)
◆ Configure up to 4094 IEEE 802.
■ Set flow control to none.
■ Set the emulation mode to VT100.
■ When using HyperTerminal, select Terminal keys, not Windows keys.
4. Power on the switch. After the system completes the boot cycle, the logon screen appears.
Logging Onto the Command Line Interface
The CLI program provides two different command levels — normal access level (Normal Exec) and privileged access level (Privileged Exec).
4. Type “username admin password 0 password,” for the Privileged Exec level, where password is your new password. Press <Enter>.
Username: admin
Password:
CLI session with the ECS4620-28T* is opened.
To end the CLI session, enter [Exit].
Console#configure
Console(config)#username guest password 0 [password]
Console(config)#username admin password 0 [password]
Console(config)#
* This manual covers all switches in the ECS4620 series.
Stack Operations
Up to eight switches can be stacked together as described in the Installation Guide. One unit in the stack acts as the Master for configuration tasks and firmware upgrade. All of the other units function in Slave mode, but can automatically take over management of the stack if the Master unit fails.
Selecting the Backup Unit
Once the Master unit finishes booting up, it continues to synchronize configuration information to all of the Slave units in the stack. If the Master unit fails or is powered off, a new master unit will be selected based on the election rules described in the preceding section. The backup unit elected to serve as the new stack Master will take control of the stack without any loss of configuration settings.
failover events, you should include port members on several units within the primary VLAN used for stack management.
Resilient Configuration
If a unit in the stack fails, the unit numbers will not change. This means that when you replace a unit in the stack, the original configuration for the failed unit will be restored to the replacement unit. This applies to both the Master and Slave units.
image” and downloads the image to those backup units that are running a different image version.
Configuring the Switch for Remote Management
Using the Network Interface
The switch can be managed through the operational network, known as in-band management.
Assigning an IPv4 Address
Before you can assign an IP address to the switch, you must obtain the following information from your network administrator:
◆ IP address for the switch
◆ Network mask for this network
◆ Default gateway for the network
To assign an IPv4 address to the switch, complete the following steps
1.
To configure an IPv6 link local address for the switch, complete the following steps:
1. From the Global Configuration mode prompt, type “interface vlan 1” to access the interface-configuration mode. Press <Enter>.
2. Type “ipv6 address” followed by up to 8 colon-separated 16-bit hexadecimal values for the ipv6-address similar to that shown in the example, followed by the “link-local” command parameter.
To generate an IPv6 global unicast address for the switch, complete the following steps:
1. From the global configuration mode prompt, type “interface vlan 1” to access the interface-configuration mode. Press <Enter>.
2. From the interface prompt, type “ipv6 address ipv6-address” or “ipv6 address ipv6-address/prefix-length,” where “prefix-length” indicates the address bits used to form the network portion of the address.
Dynamic Configuration

Obtaining an IPv4 Address
If you select the “bootp” or “dhcp” option, the system will immediately start broadcasting service requests. IP will be enabled but will not function until a BOOTP or DHCP reply has been received. Requests are broadcast every few minutes using exponential backoff until IP configuration information is obtained from a BOOTP or DHCP server.
Console(config)#interface vlan 1
Console(config-if)#ip address dhcp
Console(config-if)#end
Console#show ip interface
VLAN 1 is Administrative Up - Link Up
 Address is 00-E0-0C-00-00-FB
 Index: 1001, MTU: 1500
 Address Mode is DHCP
 IP Address: 192.168.0.2 Mask: 255.255.255.0
 Proxy ARP is disabled
 DHCP Client Vendor Class ID (text): ECS4620-28T
 DHCP Inform is disabled
 DHCP relay server: 0.0.0.
Enabling SNMP Management Access
The switch can be configured to accept management commands from Simple Network Management Protocol (SNMP) applications such as Edge-Core ECView Pro. You can configure the switch to respond to SNMP requests or generate SNMP traps.
Console(config)#snmp-server community admin rw
Console(config)#snmp-server community private
Console(config)#

Note: If you do not intend to support access to SNMP version 1 and 2c clients, we recommend that you delete both of the default community strings. If there are no community strings, then SNMP management access from SNMP v1 and v2c clients is disabled.
For a more detailed explanation on how to configure the switch for access from SNMP v3 clients, refer to “SNMP Commands” on page 203 or to the Web Management Guide.

Managing System Files
The switch’s flash memory supports three types of system files that can be managed by the CLI program, the web interface, or SNMP. The switch’s file system allows files to be uploaded and downloaded, copied, deleted, and set as a start-up file.
config, the system will reboot, and the settings will have to be copied from the running-config to a permanent file.

Upgrading the Operation Code
The following example shows how to download new firmware to the switch and activate it. The TFTP server could be any standards-compliant server running on Windows or Linux.
the new file as the startup file. To select a previously saved configuration file, use the boot system config: command.

The maximum number of saved configuration files depends on available flash memory. The amount of available flash memory can be checked by using the dir command.

To save the current configuration settings, enter the following command:
1.
Automatic Installation of Operation Code and Configuration Settings

Downloading Operation Code from a File Server
Automatic Operation Code Upgrade can automatically download an operation code file when a file newer than the currently installed one is discovered on the file server.
◆ Note that the switch itself does not distinguish between upper and lower-case file names, and only checks to see if the file stored on the server is more recent than the current runtime image.
◆ If two operation code image files are already stored on the switch’s file system, then the non-startup image is deleted before the upgrade image is transferred.
This shows how to specify a TFTP server where new code is stored.
Console(config)#upgrade opcode path tftp://192.168.0.1/sm24/
Console(config)#
2. Set the switch to automatically reboot and load the new code after the opcode upgrade is completed.
Console(config)#upgrade opcode reload
Console(config)#
3.
The following shows an example of the upgrade process.
Console#dir
File Name                  Type           Startup Modify Time         Size(bytes)
-------------------------- -------------- ------- ------------------- ------
Unit 1:
ECS4620-28T_V1.2.2.26.bix  OpCode         Y       2000-12-31 00:19:13 18601012
Factory_Default_Config.cfg Config         N       1999-12-31 00:00:34 455
startup1.
Downloading a Configuration File and Other Parameters from a DHCP Server

The general framework for this DHCP option is set out in RFC 2132 (Option 60). This information is used to convey configuration settings or other identification information about a client, but the specific string to use should be supplied by your service provider or network administrator.
To successfully transmit a bootup configuration file to the switch, the DHCP daemon (using a Linux based system for this example) must be configured with the following information:
◆ Options 60, 66 and 67 statements can be added to the daemon’s configuration file.
subnet 192.168.255.0 netmask 255.255.255.0 {
  range 192.168.255.160 192.168.255.200;
  option routers 192.168.255.101;
  option tftp-server-name "192.168.255.100"; #Default Option 66
  option bootfile-name "bootfile"; #Default Option 67
}
class "Option66,67_1" { #DHCP Option 60 Vendor class two
  match if option vendor-class-identifier = "ecs4620-28t.cfg";
  option tftp-server-name "192.168.255.
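Because the switch loads whatever server and file name the DHCP reply carries in Options 66 and 67, it is worth decoding a captured reply and comparing those values with what the daemon is meant to hand out. The following Python code is an added example, not part of this guide or of Edge-Core software; the expected values are taken from the default subnet statement above, and the sample replies, function names and the second server address are constructed for illustration.

```python
"""Decode DHCP Options 60/66/67 and compare them with the expected values."""

MAGIC_COOKIE = bytes([99, 130, 83, 99])  # precedes the options area (RFC 2131)
OPT_PAD, OPT_END = 0, 255
OPT_VENDOR_CLASS = 60   # sent by the client in its requests
OPT_TFTP_SERVER = 66    # TFTP server name
OPT_BOOTFILE = 67       # boot (configuration) file name

# Assumption: what the administrator expects this subnet to hand out,
# copied from the default subnet statement in the dhcpd example.
EXPECTED = {OPT_TFTP_SERVER: "192.168.255.100", OPT_BOOTFILE: "bootfile"}


def parse_options(area: bytes) -> dict:
    """Parse a DHCP options area (cookie + TLVs) into {code: value bytes}.

    Raises ValueError if the cookie is missing or a length overruns the data.
    """
    if area[:4] != MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    opts, i = {}, 4
    while i < len(area):
        code = area[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:          # single-byte padding, no length field
            i += 1
            continue
        if i + 1 >= len(area):
            raise ValueError("truncated option header")
        length = area[i + 1]
        value = area[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("option %d overruns the buffer" % code)
        # RFC 3396: an option that occurs more than once is concatenated.
        opts[code] = opts.get(code, b"") + value
        i += 2 + length
    return opts


def option_text(opts: dict, code: int):
    """Return an option as text (NUL padding removed), or None if absent."""
    raw = opts.get(code)
    return None if raw is None else raw.rstrip(b"\x00").decode("ascii", "replace")


def check_reply(area: bytes, expected=EXPECTED) -> list:
    """List every Option 66/67 value that differs from the expected one."""
    opts = parse_options(area)
    findings = []
    for code, want in expected.items():
        got = option_text(opts, code)
        if got is not None and got != want:
            findings.append("option %d: got %r, expected %r" % (code, got, want))
    return findings


def build_options(pairs) -> bytes:
    """Encode (code, text) pairs as an options area (used for the samples)."""
    out = bytearray(MAGIC_COOKIE)
    for code, value in pairs:
        data = value.encode("ascii")
        out += bytes([code, len(data)]) + data
    out.append(OPT_END)
    return bytes(out)


# Constructed samples: option 53 value 2 marks a DHCPOFFER.
GOOD_REPLY = build_options(
    [(53, "\x02"), (66, "192.168.255.100"), (67, "bootfile")])
UNEXPECTED_REPLY = build_options(
    [(53, "\x02"), (66, "192.168.255.250"), (67, "bootfile")])

if __name__ == "__main__":
    for label, reply in (("good", GOOD_REPLY), ("unexpected", UNEXPECTED_REPLY)):
        print(label, check_reply(reply) or "matches expected values")
```

The options area passed to `check_reply` is the part of the DHCP payload that starts at the magic cookie, for example as exported from a packet capture on the management VLAN.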
Setting the System Clock

To set the time shift for summer time, enter a command similar to the following.
Console(config)#clock summer-time SUMMER date 2 april 2013 0 0 30 june 2013 0 0
Console(config)#

To display the clock configuration settings, enter the following command.
Console(config)#ntp server 192.168.3.21
Console(config)#ntp server 192.168.5.23 key 19
Console(config)#exit
Console#show ntp
Current Time : Apr 29 13:57:32 2011
Polling : 1024 seconds
Current Mode : unicast
NTP Status : Enabled
NTP Authenticate Status : Enabled
Last Update NTP Server : 192.168.0.88 Port: 123
Last Update Time : Mar 12 02:41:01 2013 UTC
NTP Server 192.168.0.88 version 3
NTP Server 192.168.3.21 version 3
NTP Server 192.168.4.
Section II
Command Line Interface

This section provides a detailed description of the Command Line Interface, along with examples for all of the commands.
◆ “Address Table Commands” on page 515
◆ “Spanning Tree Commands” on page 523
◆ “ERPS Commands” on page 553
◆ “VLAN Commands” on page 585
◆ “Class of Service Commands” on page 631
◆ “Quality of Service Commands” on page 645
◆ “Multicast Filtering Commands” on page 665
◆ “LLDP Commands” on page 793
◆ “CFM Commands” on page 819
◆ “OAM Commands” on page 861
◆ “Domain Name Service Commands” on page 873
◆ “DHCP Commands” on page 883
◆ “IP Interface Co
2 Using the Command Line Interface

This chapter describes how to use the Command Line Interface (CLI).

Note: You can only access the console interface through the Master unit in the stack.

Accessing the CLI
When accessing the management interface for the switch over a direct connection to the server’s console port, or via a Telnet or Secure Shell connection (SSH), the switch can be managed by entering command keywords and parameters at the prompt.
Telnet Connection
Telnet operates over the IP transport protocol. In this environment, your management station and any network device you want to manage over the network must have a valid IP address. Valid IP addresses consist of four numbers, 0 to 255, separated by periods. Each address consists of a network portion and host portion. For example, the IP address assigned to this switch, 10.1.0.1, consists of a network portion (10.1.
Note: You can open up to eight sessions to the device via Telnet or SSH.

Entering Commands
This section describes how to enter CLI commands.

Keywords and Arguments
A CLI command is a series of keywords and arguments. Keywords identify a command, and arguments specify configuration parameters.
Getting Help on Commands
You can display a brief description of the help system by entering the help command. You can also display command syntax by using the “?” character to list keywords or parameters.

Showing Commands
If you enter a “?” at the command prompt, the system will display the first level of keywords or command groups. You can also display a list of valid keywords for a specific command.
Chapter 2 | Using the Command Line Interface Entering Commands port port-channel power power-save pppoe privilege process protocol-vlan public-key qos queue radius-server reload rmon route-map rspan running-config sflow snmp snmp-server sntp spanning-tree ssh startup-config subnet-vlan switch system tacacs-server tech-support time-range traffic-segmentation udld upgrade users version vlan vlan-translation voice vrrp watchdog web-auth Console#show Port characteristics Port channel information Shows power S
display the rest of the information without stopping. You can press any other key to terminate the display.

Partial Keyword Lookup
If you terminate a partial keyword with a question mark, alternatives that match the initial letters are provided. (Remember not to leave a space between the command and question mark.) For example “s?” shows all the keywords starting with “s.
Table 3: General Command Modes
Class          Mode
Exec           Normal
               Privileged
Configuration  Global*
               Access Control List
               CFM
               Class Map
               DHCP
               ERPS
               IGMP Profile
               Interface
               Line
               Multiple Spanning Tree
               Policy Map
               Route Map
               Router
               Time Range
               VLAN Database
* You must be in Privileged Exec mode to access the Global configuration mode. You must be in Global Configuration mode to access any of the other configuration modes.
Configuration Commands
Configuration commands are privileged level commands used to modify switch settings. These commands modify the running configuration only and are not saved when the switch is rebooted. To store the running configuration in nonvolatile storage, use the copy running-config startup-config command.
◆ VLAN Configuration - Includes the command to create VLAN groups.

To enter the Global Configuration mode, enter the command configure in Privileged Exec mode. The system prompt will change to “Console(config)#” which gives you access privilege to all Global Configuration commands.
Console#configure
Console(config)#

To enter the other modes, at the configuration prompt type one of the following commands.
For example, you can use the following commands to enter interface configuration mode, and then return to Privileged Exec mode
Console(config)#interface ethernet 1/5
.
.
.
Console(config-if)#exit
Console(config)#

Command Line Processing
Commands are not case sensitive. You can abbreviate commands and parameters as long as they contain enough letters to differentiate them from any other currently available commands or parameters.
Showing Status Information
There are various “show” commands which display configuration settings or the status of specified processes. Many of these commands will not display any information unless the switch is properly configured, and in some cases the interface to which a command applies is up.
CLI Command Groups

Table 6: Command Group Index (Continued)
Command Group              Description                                                                    Page
General Security Measures  Segregates traffic for clients attached to common data ports; and prevents     311
                           unauthorized access by configuring valid static or dynamic addresses, web
                           authentication, MAC address authentication, filtering DHCP requests and
                           replies, and discarding invalid ARP responses
Access Control List        Provides filtering for IPv4 frames (based on address, prot
Table 6: Command Group Index (Continued)
Command Group        Description                                                                    Page
OAM                  Configures Operations, Administration and Maintenance remote management       861
                     tools required to monitor and maintain the links to subscriber CPEs
Domain Name Service  Configures DNS services.
3 General Commands

The general commands are used to control the command access mode, configuration mode, and other basic functions.
Command Mode
Global Configuration

Command Usage
This command and the hostname command can be used to set the command line prompt as shown in the example below. Using the no form of either command will restore the default command line prompt.

Example
Console(config)#prompt RD2
RD2(config)#

reload (Global Configuration)
This command restarts the system at a specified time, after a specified delay, or at a periodic interval.
Default Setting
None

Command Mode
Global Configuration

Command Usage
◆ This command resets the entire system.
◆ Any combination of reload options may be specified. If the same option is respecified, the previous setting will be overwritten.
◆ When the system is restarted, it will always run the Power-On Self-Test. It will also retain all configuration information stored in non-volatile memory by the copy running-config startup-config command (See “copy” on page 142).
◆ The “#” character is appended to the end of the prompt to indicate that the system is in privileged access mode.

Example
Console>enable
Password: [privileged level password]
Console#

Related Commands
disable (114)
enable password (244)

quit
This command exits the configuration program.

Default Setting
None

Command Mode
Normal Exec, Privileged Exec

Command Usage
The quit and exit commands can both exit the configuration program.
Example
In this example, the show history command lists the contents of the command history buffer:
Console#show history
Execution command history:
 2 config
 1 show history
Configuration command history:
 4 interface vlan 1
 3 exit
 2 interface vlan 1
 1 end
Console#

The ! command repeats commands from the Execution command history buffer when you are in Normal Exec or Privileged Exec Mode, and commands from the Configuration command history buffer when you are in any of the config
disable
This command returns to Normal Exec mode from privileged mode. In normal access mode, you can only display basic information on the switch's configuration or Ethernet statistics. To gain access to all commands, you must use the privileged mode. See “Understanding Command Modes” on page 100.

Default Setting
None

Command Mode
Privileged Exec

Command Usage
The “>” character is appended to the end of the prompt to indicate that the system is in normal access mode.
show reload
This command displays the current reload settings, and the time at which the next scheduled reload will take place.

Command Mode
Privileged Exec

Example
Console#show reload
Reloading switch in time: 0 hours 29 minutes.
The switch will be rebooted at January 1 02:11:50 2016.
Remaining Time: 0 days, 0 hours, 29 minutes, 52 seconds.
Console#

end
This command returns to Privileged Exec mode.
Example
This example shows how to return to the Privileged Exec mode from the Global Configuration mode, and then quit the CLI session:
Console(config)#exit
Console#exit

Press ENTER to start session

User Access Verification

Username:
4 System Management Commands

The system management commands are used to control system logs, passwords, user names, management options, and display or configure a variety of other system information.
hostname
This command specifies or modifies the host name for this device. Use the no form to restore the default host name.

Syntax
hostname name
no hostname
name - The name of this host. (Maximum length: 255 characters)

Default Setting
None

Command Mode
Global Configuration

◆ The host name specified by this command is displayed by the show system command and on the Show > System web page.
Banner Information

Table 10: Banner Commands (Continued)
Command                              Function                                                                Mode
banner configure equipment-info      Configures the Equipment information that is displayed by banner        GC
banner configure equipment-location  Configures the Equipment Location information that is displayed by banner
banner configure ip-lan              Configures the IP and LAN information that is displayed by banner       GC
banner configure lp-number           Configures the LP Number information that is displaye
Responsible department: R&D Dept
Name and telephone to Contact the management people
Manager1 name: Sr. Network Admin
 phone number: 123-555-1212
Manager2 name: Jr. Network Admin
 phone number: 123-555-1213
Manager3 name: Night-shift Net Admin / Janitor
 phone number: 123-555-1214
The physical location of the equipment.
City and street address: 12 Straight St.
banner configure dc-power-info
This command is used to configure DC power information displayed in the banner. Use the no form to restore the default setting.

Syntax
banner configure dc-power-info floor floor-id row row-id rack rack-id electrical-circuit ec-id
no banner configure dc-power-info [floor | row | rack | electrical-circuit]
floor-id - The floor number.
row-id - The row number.
rack-id - The rack number.
ec-id - The electrical circuit ID.
Command Mode
Global Configuration

Command Usage
Input strings cannot contain spaces. The banner configure department command interprets spaces as data input boundaries. The use of underscores ( _ ) or other unobtrusive non-letter characters is suggested for situations where white space is necessary for clarity.
Example
Console(config)#banner configure equipment-info manufacturer-id ECS4620-28T floor 3 row 10 rack 15 shelf-rack 12 manufacturer Edge-Core
Console(config)#

banner configure equipment-location
This command is used to configure the equipment location information displayed in the banner. Use the no form to restore the default setting.
Command Mode
Global Configuration

Command Usage
Input strings cannot contain spaces. The banner configure ip-lan command interprets spaces as data input boundaries. The use of underscores ( _ ) or other unobtrusive non-letter characters is suggested for situations where white space is necessary for clarity.

Example
Console(config)#banner configure ip-lan 192.168.1.1/255.255.255.
banner configure manager-info
This command is used to configure the manager contact information displayed in the banner. Use the no form to restore the default setting.

Syntax
banner configure manager-info name mgr1-name phone-number mgr1-number [name2 mgr2-name phone-number mgr2-number | name3 mgr3-name phone-number mgr3-number]
no banner configure manager-info [name1 | name2 | name3]
mgr1-name - The name of the first manager.
Default Setting
None

Command Mode
Global Configuration

Command Usage
Input strings cannot contain spaces. The banner configure mux command interprets spaces as data input boundaries. The use of underscores ( _ ) or other unobtrusive non-letter characters is suggested for situations where white space is necessary for clarity.
show banner
This command displays all banner information.

Command Mode
Normal Exec, Privileged Exec

Example
Console#show banner
Edge-Core
WARNING - MONITORED ACTIONS AND ACCESSES
R&D
Albert_Einstein - 123-555-1212
Lamar - 123-555-1219
Station's information:
710_Network_Path,_Indianapolis
ECS4620-28T
Floor / Row / Rack / Sub-Rack
3/ 10 / 15 / 12
DC power supply:
Power Source A: Floor / Row / Rack / Electrical circuit
3/ 15 / 24 / 48v-id_3.15.24.
System Status

Table 11: System Status Commands (Continued)
Command            Function                                                                                  Mode
show users         Shows all active console, Telnet, SSH and Web connections, including user name,          NE, PE
                   idle time and IP address
show version       Displays version information for the system                                               NE, PE
show watchdog      Shows if watchdog debugging is enabled                                                    PE
watchdog software  Monitors key processes, and automatically reboots the system if any of these processes    P
                   are not responding correctly
Example
Console#show memory
 Status Bytes      %
 ------ ---------- ---
 Free   111706112  41
 Used   156729344  59
 Total  268435456

Alarm Configuration
 Rising Threshold  : 90%
 Falling Threshold : 70%
Console#

Related Commands
memory (224)

show process cpu
This command shows the CPU utilization parameters, alarm status, and alarm thresholds.
show process cpu
This command shows the CPU utilization watermark and threshold settings.
Chapter 4 | System Management Commands System Status L2MCAST_GROUP L2MUX_GROUP L4_GROUP LACP_GROUP MSL_TD NETACCESS_GROUP NETACCESS_NMTR NETCFG_GROUP NETCFG_PROC NIC NMTRDRV NSM_GROUP NSM_PROC NSM_TD OSPF6_TD OSPF_TD PIM_GROUP PIM_PROC PIM_SM_TD POE_PROC RIP_TD SNMP_GROUP SNMP_TD SSH_GROUP SSH_TD STA_GROUP STKCTRL_GROUP STKTPLG_GROUP SWCTRL_GROUP SWCTRL_TD SWDRV_MONITOR SYS_MGMT_PROC SYSDRV SYSLOG_TD SYSMGMT_GROUP SYSTEM UDLD_GROUP WTDOG_PROC XFER_GROUP XFER_TD 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.
port-channel channel-id (Range: 1-16)
vlan vlan-id (Range: 1-4094)

Command Mode
Privileged Exec

Command Usage
◆ Use the interface keyword to display configuration data for the specified interface.
◆ Use this command in conjunction with the show startup-config command to compare the information in running memory to the information stored in nonvolatile memory.
◆ This command displays settings for key command modes.
username guest access-level 0
username guest password 7 084e0343a0486ff05530df6c705c8bb4
enable password 7 1b3231655cebb7a1f783eddf27d254ca
!
vlan database
 VLAN 1 name DefaultVlan media ethernet state active
!
spanning-tree mst configuration
!
interface ethernet 1/1
...
Example
Refer to the example for the running configuration file.

Related Commands
show running-config (131)

show system
This command displays system information.

Default Setting
None

Command Mode
Normal Exec, Privileged Exec

Example
Console#show system
System Description : ECS4620-28T
System OID String : 1.3.6.1.4.1.259.10.1.41.104
System Information
 System Up Time : 0 days, 0 hours, 15 minutes, and 38.
Table 12: show system – display description (Continued)
Parameter               Description
System Location         Specifies the system location.
System Contact          Administrator responsible for the system.
MAC Address             MAC address assigned to this switch.
Web Server/Port         Shows administrative status of web server and UDP port number.
Web Secure Server/Port  Shows administrative status of secure web server and UDP port number.
Chapter 4 | System Management Commands System Status ECS4620-28T_V1.2.1.6.bix OpCode Y 2013-07-02 08:18:42 17601308 Factory_Default_Config.cfg Config N 2000-12-31 00:00:32 455 startup1.cfg Config Y 2000-01-01 02:31:23 2924 ---------------------------------------------------------------------------Free space for compressed user config files: 65220608 show apr: ARP Cache Timeout: 1200 (seconds) IP Address --------------192.168.0.2 192.168.0.
Web Online Users:
Line  User Name                        Idle time (h:m:s) Remote IP Addr
----- -------------------------------- ----------------- ---------------
HTTP  admin                            0:00:01           192.168.0.99
Console#

show version
This command displays hardware and software version information for the system.
show watchdog
This command shows if watchdog debugging is enabled.

Command Mode
Privileged Exec

Example
Console#show watchdog
Software Watchdog Information
 Status : Enabled
Console#

watchdog software
This command monitors key processes, and automatically reboots the system if any of these processes are not responding correctly.
Syntax
[no] fan-speed force-full

Default Setting
Normal speed

Command Mode
Global Configuration

Example
Console(config)#fan-speed force-full
Console(config)#

Frame Size
This section describes commands used to configure the Ethernet frame size on the switch.
operating at full duplex, all switches in the network between the two end nodes must be able to accept the extended frame size. And for half-duplex connections, all devices in the collision domain would need to support jumbo frames.
◆ The current setting for jumbo frames can be displayed with the show system command.
File Management

Table 16: Flash/File Commands (Continued)
Command              Function                                                                               Mode
copy                 Copies a code image or a switch configuration to or from flash memory or an           PE
                     FTP/SFTP/TFTP server
delete               Deletes a file or code image                                                           PE
dir                  Displays a list of files in flash memory                                               PE
whichboot            Displays the files booted                                                              PE
Automatic Code Upgrade Commands
upgrade opcode auto  Automatically upgrades the current image when a new version is detected on the indicated serv
Command Usage
◆ A colon (:) is required after the specified unit number and file type.
◆ If the file contains an error, it cannot be set as the default file.

Example
Console(config)#boot system config: startup
Console(config)#

Related Commands
dir (147)
whichboot (149)

copy
This command moves (upload/download) a code image or configuration file between the switch’s flash memory and an FTP/SFTP/TFTP server.
add-to-running-config - Keyword that adds the settings listed in the specified file to the running configuration.
file - Keyword that allows you to copy to/from a file.
ftp - Keyword that allows you to copy to/from an FTP server.
https-certificate - Keyword that allows you to copy the HTTPS secure site certificate.
public-key - Keyword that allows you to copy a SSH key from a TFTP server. (See “Secure Shell” on page 275.
◆ The Boot ROM and Loader cannot be uploaded or downloaded from the FTP/SFTP/TFTP server. You must follow the instructions in the release notes for new firmware, or contact your distributor for help.
◆ For information on specifying an https-certificate, see “Replacing the Default Secure-site Certificate” in the Web Management Guide.
The following example shows how to upload the configuration settings to a file on the TFTP server:
Console#copy file tftp
Choose file type:
 1. config: 2. opcode: 1
Source file name: startup
TFTP server ip address: 10.1.0.99
Destination file name: startup.01
TFTP completed.
Success.
Console#

The following example shows how to copy the running configuration to a startup file.
This example shows how to copy a public-key used by SSH from a TFTP server. Note that public key authentication via SSH is only supported for users configured locally on the switch.
Console#copy tftp public-key
TFTP server IP address: 192.168.1.19
Choose public key type:
 1. RSA: 2. DSA: <1-2>: 1
Source file name: steve.pub
Username: steve
TFTP Download
Success.
Write to FLASH Programming.
Success.
file - Keyword that allows you to delete a file.
name - Keyword indicating a file.
unit - Unit identifier. (Range: 1-8)
filename - Name of configuration file or code image.
https-certificate - Keyword that allows you to delete the HTTPS secure site certificate. You must reboot the switch to load the default certificate.
public-key - Keyword that allows you to delete a SSH key on the switch. (See “Secure Shell” on page 275.
unit - Unit identifier. (Range: 1-8)
boot-rom - Boot ROM (or diagnostic) image file.
config - Switch configuration file.
opcode - Run-time operation code image file.
filename - Name of configuration file or code image. If this file exists but contains errors, information on this file cannot be shown.

Default Setting
None

Command Mode
Privileged Exec

Command Usage
◆ If you enter the command dir without any parameters, the system displays all files.
whichboot
This command displays which files were booted when the system powered up.

Syntax
whichboot [unit]
unit - Unit identifier. (Range: 1-8)

Default Setting
None

Command Mode
Privileged Exec

Example
This example shows the information displayed by the whichboot command. See the table under the dir command for a description of the file information displayed by this command.
the TFTP server must be ECS4620-28T.bix. If the switch detects a code version newer than the one currently in use, it will download the new image. If two code images are already stored in the switch, the image not set to start up the system will be overwritten by the new version.
2. After the image has been downloaded, the switch will send a trap message to log whether or not the upgrade operation was successful.
3.
Command Mode
Global Configuration

Command Usage
◆ This command is used in conjunction with the upgrade opcode auto command to facilitate automatic upgrade of new operational code stored at the location indicated by this command.
◆ The name for the new image stored on the TFTP server must be ECS4620-28T.bix. However, note that the file name is not to be included in this command.
Example
This shows how to set the switch to automatically reboot and load the new code after the opcode upgrade is completed.
Console(config)#upgrade opcode reload
Console(config)#

show upgrade
This command shows the opcode upgrade configuration settings.

Command Mode
Privileged Exec

Example
Console#show upgrade
Auto Image Upgrade Global Settings:
 Status : Disabled
 Reload Status : Disabled
 Path :
 File Name : ECS4620-28T.
ip tftp timeout
This command specifies the time the switch can wait for a response from a TFTP server before retransmitting a request or timing out for the last retry. Use the no form to restore the default setting.

Syntax
ip tftp timeout seconds
no ip tftp timeout
seconds - The time the switch can wait for a response from a TFTP server before retransmitting a request or timing out.
Chapter 4 | System Management Commands Line Line You can access the onboard configuration program by attaching a VT100 compatible device to the server’s serial port. These commands are used to set communication parameters for the serial port or Telnet (i.e., a virtual terminal).
Chapter 4 | System Management Commands Line line This command identifies a specific line for configuration, and to process subsequent line configuration commands. Syntax line {console | vty} console - Console terminal line. vty - Virtual terminal for remote console access (i.e., Telnet). Default Setting There is no default line. Command Mode Global Configuration Command Usage Telnet is considered a virtual terminal connection and will be shown as “VTY” in screen displays such as show users.
Chapter 4 | System Management Commands Line Command Usage The databits command can be used to mask the high bit on input from devices that generate 7 data bits with parity. If parity is being generated, specify 7 data bits per character. If no parity is required, specify 8 data bits per character.
Chapter 4 | System Management Commands Line login This command enables password checking at login. Use the no form to disable password checking and allow connections without a password. Syntax login [local] no login local - Selects local password checking. Authentication is based on the user name specified with the username command.
Chapter 4 | System Management Commands Line parity This command defines the generation of a parity bit. Use the no form to restore the default setting. Syntax parity {none | even | odd} no parity none - No parity even - Even parity odd - Odd parity Default Setting No parity Command Mode Line Configuration Command Usage Communication protocols provided by devices such as terminals and modems often require a specific parity bit setting.
Chapter 4 | System Management Commands Line Command Usage ◆ When a connection is started on a line with password protection, the system prompts for the password. If you enter the correct password, the system shows a prompt. You can use the password-thresh command to set the number of times a user can enter an incorrect password before the system terminates the line connection and returns the terminal to the idle state.
Chapter 4 | System Management Commands Line Example To set the password threshold to five attempts, enter this command: Console(config-line-console)#password-thresh 5 Console(config-line-console)# Related Commands silent-time (160) silent-time This command sets the amount of time the management console is inaccessible after the number of unsuccessful logon attempts exceeds the threshold set by the password-thresh command. Use the no form to remove the silent time value.
Chapter 4 | System Management Commands Line speed This command sets the terminal line’s baud rate. This command sets both the transmit (to terminal) and receive (from terminal) speeds. Use the no form to restore the default setting. Syntax speed bps no speed bps - Baud rate in bits per second. (Options: 9600, 19200, 38400, 57600, 115200 bps) Default Setting 115200 bps Command Mode Line Configuration Command Usage Set the speed to match the baud rate of the device connected to the serial port.
Chapter 4 | System Management Commands Line Example To specify 2 stop bits, enter this command: Console(config-line-console)#stopbits 2 Console(config-line-console)# timeout login response This command sets the interval that the system waits for a user to log into the CLI. Use the no form to restore the default setting. Syntax timeout login response [seconds] no timeout login response seconds - Integer that specifies the timeout interval.
Chapter 4 | System Management Commands Line Command Mode Privileged Exec Command Usage Specifying session identifier “0” will disconnect the console connection. Specifying any other identifiers for an active session will disconnect an SSH or Telnet connection. Example Console#disconnect 1 Console# Related Commands show ssh (284) show users (136) terminal This command configures terminal settings, including escape-character, lines displayed, terminal type, width, and command history.
Chapter 4 | System Management Commands Line Terminal Type: VT100 Width: 80 Command Mode Privileged Exec Example This example sets the number of lines displayed by commands with lengthy output such as show running-config to 48 lines. Console#terminal length 48 Console# show line This command displays the terminal line’s parameters. Syntax show line [console | vty] console - Console terminal line. vty - Virtual terminal for remote console access (i.e., Telnet).
Chapter 4 | System Management Commands Event Logging Login Timeout : 300 sec. Silent Time : Disabled Console# Event Logging This section describes commands used to configure event logging on the switch.
Chapter 4 | System Management Commands Event Logging However, it may be used by the syslog server to sort messages or to store messages in the corresponding database. Example Console(config)#logging facility 19 Console(config)# logging history This command limits syslog messages saved to switch memory based on severity. The no form returns the logging of syslog messages to the default level.
Chapter 4 | System Management Commands Event Logging Example Console(config)#logging history ram 0 Console(config)# logging host This command adds a syslog server host IP address that will receive logging messages. Use the no form to remove a syslog server host. Syntax logging host host-ip-address [port udp-port] no logging host host-ip-address host-ip-address - The IPv4 or IPv6 address of a syslog server. udp-port - UDP port number used by the remote server.
Chapter 4 | System Management Commands Event Logging Command Usage The logging process controls error messages saved to switch memory or sent to remote syslog servers. You can use the logging history command to control the type of error messages that are stored in memory. You can use the logging trap command to control the type of error messages that are sent to specified syslog servers.
Chapter 4 | System Management Commands Event Logging clear log This command clears messages from the log buffer. Syntax clear log [flash | ram] flash - Event history stored in flash memory (i.e., permanent memory). ram - Event history stored in temporary RAM (i.e., memory flushed on power reset). Default Setting Flash and RAM Command Mode Privileged Exec Example Console#clear log Console# Related Commands show log (169) show log This command displays the log messages stored in local memory.
Chapter 4 | System Management Commands Event Logging Example The following example shows the event message stored in RAM. Console#show log ram [1] 00:01:30 2001-01-01 "VLAN 1 link-up notification." level: 6, module: 5, function: 1, and event no.: 1 [0] 00:01:30 2001-01-01 "Unit 1, Port 1 link-up notification." level: 6, module: 5, function: 1, and event no.
Chapter 4 | System Management Commands Event Logging Table 21: show logging flash/ram - display description Field Description Syslog Logging Shows if system logging has been enabled via the logging on command. History Logging in Flash The message level(s) reported based on the logging history command. History Logging in RAM The message level(s) reported based on the logging history command. The following example displays settings for the trap function.
Chapter 4 | System Management Commands SMTP Alerts SMTP Alerts These commands configure SMTP event handling, and forwarding of alert messages to the specified SMTP servers and email recipients.
Chapter 4 | System Management Commands SMTP Alerts Default Setting None Command Mode Global Configuration Command Usage You can specify up to five recipients for alert messages. However, you must enter a separate command to specify each recipient. Example Console(config)#logging sendmail destination-email ted@this-company.com Console(config)# logging sendmail host This command specifies SMTP servers that will be sent alert messages. Use the no form to remove an SMTP server.
Chapter 4 | System Management Commands SMTP Alerts logging sendmail level This command sets the severity threshold used to trigger alert messages. Use the no form to restore the default setting. Syntax logging sendmail level level no logging sendmail level level - One of the system message levels (page 166). Messages sent include the selected level down to level 0.
Chapter 4 | System Management Commands Time Example Console(config)#logging sendmail source-email bill@this-company.com Console(config)# show logging sendmail This command displays the settings for the SMTP event handler. Command Mode Normal Exec, Privileged Exec Example Console#show logging sendmail SMTP servers ---------------------------------------------- 192.168.1.19 SMTP Minimum Severity Level: 7 SMTP Destination E-mail Addresses ---------------------------------------------- ted@this-company.
Chapter 4 | System Management Commands Time Table 24: Time Commands (Continued) Command Function Mode ntp client Enables the NTP client for time updates from specified servers GC ntp server Specifies NTP servers to poll for time updates GC show ntp Shows current NTP configuration settings NE, PE Manual Configuration Commands clock summer-time (date) Configures summer time* for the switch’s internal clock GC clock summer-time (predefined) Configures summer time* for the switch’s internal clo
Chapter 4 | System Management Commands Time Example Console(config)#sntp server 10.1.0.19 Console(config)#sntp poll 60 Console(config)#sntp client Console(config)#end Console#show sntp Current Time: Dec 23 02:52:44 2016 Poll Interval: 60 Current Mode: Unicast SNTP Status : Enabled SNTP Server 137.92.140.80 0.0.0.0 0.0.0.0 Current Server: 137.92.140.
Chapter 4 | System Management Commands Time sntp server This command sets the IP address of the servers to which SNTP time requests are issued. Use this command with no arguments to clear all time servers from the current list. Use the no form to clear all time servers from the current list, or to clear a specific server. Syntax sntp server [ip1 [ip2 [ip3]]] no sntp server [ip1 [ip2 [ip3]]] ip - IPv4 or IPv6 address of a time server (NTP or SNTP).
Chapter 4 | System Management Commands Time Example Console#show sntp Current Time : Nov 5 18:51:22 2015 Poll Interval : 16 seconds Current Mode : Unicast SNTP Status : Enabled SNTP Server : 137.92.140.80 0.0.0.0 0.0.0.0 Current Server : 137.92.140.80 Console# NTP Commands ntp authenticate This command enables authentication for NTP client-server communications. Use the no form to disable authentication.
Chapter 4 | System Management Commands Time ntp authentication-key This command configures authentication keys and key numbers to use when NTP authentication is enabled. Use the no form of the command to clear a specific authentication key or all keys from the current list. Syntax ntp authentication-key number md5 key no ntp authentication-key [number] number - The NTP authentication key ID number. (Range: 1-65535) md5 - Specifies that authentication is provided by using the message digest algorithm 5.
Chapter 4 | System Management Commands Time ntp client This command enables NTP client requests for time synchronization from NTP time servers specified with the ntp server command. Use the no form to disable NTP client requests. Syntax [no] ntp client Default Setting Disabled Command Mode Global Configuration Command Usage ◆ The SNTP and NTP clients cannot be enabled at the same time. First disable the SNTP client before using this command.
Chapter 4 | System Management Commands Time Default Setting Version number: 3 Command Mode Global Configuration Command Usage ◆ This command specifies time servers that the switch will poll for time updates when set to NTP client mode. It issues time synchronization requests based on the interval set with the ntp poll command. The client will poll all the time servers configured; the responses received are filtered and compared to determine the most reliable and accurate time update for the switch.
Chapter 4 | System Management Commands Time NTP Status : Disabled NTP Authenticate Status : Enabled Last Update NTP Server : 0.0.0.0 Port: 0 Last Update Time : Jan 1 00:00:00 1970 UTC NTP Server 192.168.3.20 version 3 NTP Server 192.168.3.21 version 3 NTP Server 192.168.4.
Chapter 4 | System Management Commands Time Command Mode Global Configuration Command Usage ◆ In some countries or regions, clocks are adjusted through the summer months so that afternoons have more daylight and mornings have less. This is known as Summer Time, or Daylight Savings Time (DST). Typically, clocks are adjusted forward one hour at the start of spring and then adjusted backward in autumn. ◆ This command sets the summer-time time zone relative to the currently configured time zone.
Chapter 4 | System Management Commands Time Summer Time, or Daylight Savings Time (DST). Typically, clocks are adjusted forward one hour at the start of spring and then adjusted backward in autumn. ◆ This command sets the summer-time time relative to the configured time zone.
Chapter 4 | System Management Commands Time b-day - The day of the week when summer time will begin. (Options: sunday | monday | tuesday | wednesday | thursday | friday | saturday) b-month - The month when summer time will begin. (Options: january | february | march | april | may | june | july | august | september | october | november | december) b-hour - The hour when summer time will begin. (Range: 0-23 hours) b-minute - The minute when summer time will begin.
Chapter 4 | System Management Commands Time Related Commands show sntp (178) clock timezone This command sets the time zone for the switch’s internal clock. Syntax clock timezone name hour hours minute minutes {before-utc | after-utc} name - Name of timezone, usually an acronym. (Range: 1-30 characters) hours - Number of hours before/after UTC. (Range: 0-12 hours before UTC, 0-13 hours after UTC) minutes - Number of minutes before/after UTC.
Chapter 4 | System Management Commands Time calendar set This command sets the system clock. It may be used if there is no time server on your network, or if you have not configured the switch to receive signals from a time server. Syntax calendar set hour min sec {day month year | month day year} hour - Hour in 24-hour format. (Range: 0 - 23) min - Minute. (Range: 0 - 59) sec - Second. (Range: 0 - 59) day - Day of month.
Chapter 4 | System Management Commands Time Range Summer Time in Effect : No Console# Time Range This section describes the commands used to set a time range for use by other functions, such as Access Control Lists.
Chapter 4 | System Management Commands Time Range absolute This command sets the absolute time range for the execution of a command. Use the no form to remove a previously specified time. Syntax absolute start hour minute day month year [end hour minutes day month year] absolute end hour minutes day month year no absolute hour - Hour in 24-hour format. (Range: 0-23) minute - Minute. (Range: 0-59) day - Day of month.
Chapter 4 | System Management Commands Time Range periodic This command sets the time range for the periodic execution of a command. Use the no form to remove a previously specified time range.
Chapter 4 | System Management Commands Switch Clustering show time-range This command shows configured time ranges. Syntax show time-range [name] name - Name of the time range.
Chapter 4 | System Management Commands Switch Clustering can use either Telnet or the web interface to communicate directly with the Commander through its IP address, and then use the Commander to manage the Member switches through the cluster’s “internal” IP addresses. ◆ Clustered switches must be in the same Ethernet broadcast domain. In other words, clustering only functions for switches which can pass information between the Commander and potential Candidates or active Members through VLAN 4093.
Chapter 4 | System Management Commands Switch Clustering ◆ Switch clusters are limited to the same Ethernet broadcast domain. ◆ There can be up to 100 candidates and 36 member switches in one cluster. ◆ A switch can only be a Member of one cluster. ◆ Configured switch clusters are maintained across power resets and network changes. Example Console(config)#cluster Console(config)# cluster commander This command enables the switch as a cluster Commander.
Chapter 4 | System Management Commands Switch Clustering cluster ip-pool This command sets the cluster IP address pool. Use the no form to reset to the default address. Syntax cluster ip-pool ip-address no cluster ip-pool ip-address - The base IP address for IP addresses assigned to cluster Members. The IP address must start 10.x.x.x. Default Setting 10.254.254.1 Command Mode Global Configuration Command Usage ◆ An “internal” IP address pool is used to assign IP addresses to Member switches in the cluster.
Chapter 4 | System Management Commands Switch Clustering Command Mode Global Configuration Command Usage ◆ The maximum number of cluster Members is 36. ◆ The maximum number of cluster Candidates is 100. Example Console(config)#cluster member mac-address 00-12-34-56-78-9a id 5 Console(config)# rcommand This command provides access to a cluster Member CLI for configuration. Syntax rcommand id member-id member-id - The ID number of the Member switch.
Chapter 4 | System Management Commands Switch Clustering show cluster This command shows the switch clustering configuration. Command Mode Privileged Exec Example Console#show cluster Role : commander Interval Heartbeat : 30 Heartbeat Loss Count : 3 seconds Number of Members : 1 Number of Candidates : 2 Console# show cluster members This command shows the current switch cluster members.
Chapter 4 | System Management Commands Stacking Stacking This section includes commands which configure a unit as the stack master, set the 10G ports to stacking mode, or renumber all units in the stack. For information on how to physically connect units into a stack, see the Hardware Installation Guide. For detailed information on how stacking is implemented for this type of switch, refer to “Stack Operations” on page 69.
Chapter 4 | System Management Commands Stacking switch master button This command configures a unit as the stack master. Use the no form to disable the master button. Syntax [no] switch master button unit unit - Unit identifier. (Range: 1-8) Default Setting Disabled Command Mode Privileged Exec Command Usage ◆ The switch must be rebooted to activate this command. Note that the configured setting is not affected by changes to the start-up configuration file.
Chapter 4 | System Management Commands Stacking Provision complete ... Finished module 2 provision complete ... Module provision complete. switch stacking button This command sets the switch to operate in stacking mode. Use the no form to disable this function. Syntax [no] switch stacking button unit unit - Unit identifier. (Range: 1-8) Default Setting Disabled Command Mode Privileged Exec Command Usage Use this command on all stack members.
Chapter 4 | System Management Commands Stacking 2 Console# N show switch stacking button This command shows the status of the stacking button. Command Mode Privileged Exec Command Usage Use the switch stacking button command to set the 10G ports to stacking mode. Example Console#show switch stacking button Switch ID Config Status Active Status --------- ------------- ------------ 1 Y Y Console# show switch stacking This command shows if the stacking ports are up or down.
5 SNMP Commands SNMP commands control access to this switch from management stations using the Simple Network Management Protocol (SNMP), as well as the error types sent to trap managers. SNMP Version 3 also provides security features that cover message integrity, authentication, and encryption; as well as controlling user access to specific areas of the MIB tree.
Chapter 5 | SNMP Commands Table 29: SNMP Commands (Continued) Command Function Mode show snmp user Shows the SNMP users PE show snmp view Shows the SNMP views PE nlm Enables the specified notification log GC snmp-server notify-filter Creates a notification log and specifies the target host GC show nlm oper-status Shows operation status of configured notification logs PE show snmp notify-filter Displays the configured notification logs PE Notification Log Commands ATC Trap Commands snm
Chapter 5 | SNMP Commands General SNMP Commands Table 29: SNMP Commands (Continued) Command Function Mode transceiver-threshold tx-power Sends a trap when the power level of the transmitted signal falls outside the specified thresholds IC (Port) transceiver-threshold voltage Sends a trap when the transceiver voltage falls outside the specified thresholds IC (Port) Additional Trap Commands memory Sets the rising and falling threshold for the memory utilization alarm GC process cpu Sets the rising
Chapter 5 | SNMP Commands General SNMP Commands string - Community string that acts like a password and permits access to the SNMP protocol. (Maximum length: 32 characters, case sensitive; Maximum number of strings: 5) ro - Specifies read-only access. Authorized management stations are only able to retrieve MIB objects. rw - Specifies read/write access. Authorized management stations are able to both retrieve and modify MIB objects. Default Setting ◆ public - Read-only access.
Chapter 5 | SNMP Commands General SNMP Commands snmp-server location This command sets the system location string. Use the no form to remove the location string. Syntax snmp-server location text no snmp-server location text - String that describes the system location.
Chapter 5 | SNMP Commands SNMP Target Host Commands SNMP Communities : 1. public, and the access level is read-only 2.
Chapter 5 | SNMP Commands SNMP Target Host Commands Command Usage ◆ If you do not enter an snmp-server enable traps command, no notifications controlled by this command are sent. In order to configure this device to send SNMP notifications, you must enter at least one snmp-server enable traps command. If you enter the command with no keywords, both authentication and link-up-down notifications are enabled.
Chapter 5 | SNMP Commands SNMP Target Host Commands snmp-server host This command specifies the recipient of a Simple Network Management Protocol notification operation. Use the no form to remove the specified host. Syntax snmp-server host host-addr [inform [retry retries | timeout seconds]] community-string [version {1 | 2c | 3 {auth | noauth | priv} [udp-port port]} no snmp-server host host-addr host-addr - IPv4 or IPv6 address of the host (the targeted recipient).
Chapter 5 | SNMP Commands SNMP Target Host Commands ◆ The snmp-server host command is used in conjunction with the snmp-server enable traps command. Use the snmp-server enable traps command to enable the sending of traps or informs and to specify which SNMP notifications are sent globally. For a host to receive notifications, at least one snmp-server enable traps command and the snmp-server host command for that host must be enabled.
Chapter 5 | SNMP Commands SNMP Target Host Commands Example Console(config)#snmp-server host 10.1.19.23 batman Console(config)# Related Commands snmp-server enable traps (208) snmp-server enable port-traps mac-notification This command enables the device to send SNMP traps (i.e., SNMP notifications) when a dynamic MAC address is added or removed. Use the no form to restore the default setting.
Chapter 5 | SNMP Commands SNMPv3 Commands Command Mode Privileged Exec Example Console#show snmp-server enable port-traps interface Interface MAC Notification Trap --------- -------------------- Eth 1/1 No Eth 1/2 No Eth 1/3 No . . . SNMPv3 Commands snmp-server engine-id This command configures an identification string for the SNMPv3 engine. Use the no form to restore the default.
Chapter 5 | SNMP Commands SNMPv3 Commands remote agent. You therefore need to configure the remote agent’s SNMP engine ID before you can send proxy requests or informs to it. ◆ Trailing zeroes need not be entered to uniquely specify an engine ID. In other words, the value “0123456789” is equivalent to “0123456789” followed by 16 zeroes for a local engine ID. ◆ A local engine ID is automatically generated that is unique to the switch. This is referred to as the default engine ID.
Chapter 5 | SNMP Commands SNMPv3 Commands Command Mode Global Configuration Command Usage ◆ A group sets the access policy for the assigned users. ◆ When authentication is selected, the MD5 or SHA algorithm is used as specified in the snmp-server user command. ◆ When privacy is selected, the DES 56-bit algorithm is used for data encryption.
Chapter 5 | SNMP Commands SNMPv3 Commands md5 | sha - Uses MD5 or SHA authentication. auth-password - Authentication password. Enter as plain text if the encrypted option is not used. Otherwise, enter an encrypted password. (Range: 8-32 characters for unencrypted password.) If the encrypted option is selected, enter an encrypted password. (Range: 32 characters for MD5 encrypted password, 40 characters for SHA encrypted password) 3des - Uses SNMPv3 with privacy with 3DES (168-bit) encryption.
Chapter 5 | SNMP Commands SNMPv3 Commands need to configure the remote agent’s SNMP engine ID before you can send proxy requests or informs to it. Example Console(config)#snmp-server user steve group r&d v3 auth md5 greenpeace priv des56 einstien Console(config)#snmp-server user mark group r&d remote 192.168.1.19 v3 auth md5 greenpeace priv des56 einstien Console(config)# snmp-server view This command adds an SNMP view which controls user access to the MIB. Use the no form to remove an SNMP view.
Chapter 5 | SNMP Commands SNMPv3 Commands This view includes the MIB-2 interfaces table, ifDescr. The wild card is used to select all the index values in the following table. Console(config)#snmp-server view ifEntry.2 1.3.6.1.2.1.2.2.1.*.2 included Console(config)# This view includes the MIB-2 interfaces table, and the mask selects all index entries. Console(config)#snmp-server view ifEntry.a 1.3.6.1.2.1.2.2.1.1.* included Console(config)# show snmp engine-id This command shows the SNMP engine ID.
Chapter 5 | SNMP Commands SNMPv3 Commands show snmp group Four default groups are provided – SNMPv1 read-only access and read/write access, and SNMPv2c read-only access and read/write access.
Chapter 5 | SNMP Commands SNMPv3 Commands Table 31: show snmp group - display description Field Description Write View The associated write view. Notify View The associated notify view. Storage Type The storage type for this entry. Row Status The row status of this entry. show snmp user This command shows information on SNMP users.
Chapter 5 | SNMP Commands Notification Log Commands Table 32: show snmp user - display description (Continued) Field Description Row Status The row status of this entry. SNMP remote user A user associated with an SNMP engine on a remote device. show snmp view This command shows information on the SNMP views. Command Mode Privileged Exec Example Console#show snmp view View Name: mib-2 Subtree OID: 1.2.2.3.6.2.
Chapter 5 | SNMP Commands Notification Log Commands Command Mode Global Configuration Command Usage ◆ Notification logging is enabled by default, but will not start recording information until a logging profile specified by the snmp-server notify-filter command is enabled by the nlm command. ◆ Disabling logging with this command does not delete the entries stored in the notification log. Example This example enables the notification log A1.
Chapter 5 | SNMP Commands Notification Log Commands ◆ Given the service provided by the NLM, individual MIBs can now bear less responsibility to record transient information associated with an event against the possibility that the Notification message is lost, and applications can poll the log to verify that they have not missed any important Notifications. ◆ If notification logging is not configured and enabled, when the switch reboots, some SNMP traps (such as warm start) cannot be logged.
Chapter 5 | SNMP Commands Additional Trap Commands show snmp notify-filter This command displays the configured notification logs. Command Mode Privileged Exec Example This example displays the configured notification logs and associated target hosts. Console#show snmp notify-filter Filter profile name IP address ---------------------------- --------------- A1 10.1.19.23 Console# Additional Trap Commands memory This command sets an SNMP trap based on configured thresholds for memory utilization.
Chapter 5 | SNMP Commands Additional Trap Commands Related Commands show memory (128) process cpu This command sets an SNMP trap based on configured thresholds for CPU utilization. Use the no form to restore the default setting. Syntax process cpu {rising rising-threshold | falling falling-threshold} no process cpu {rising | falling} rising-threshold - Rising threshold for CPU utilization alarm expressed in percentage.
Chapter 5 | SNMP Commands Additional Trap Commands process cpu guard This command sets the CPU utilization high and low watermarks in percentage of CPU time utilized and the CPU high and low thresholds in the number of packets being processed per second. Use the no form of this command without any parameters to restore all of the default settings, or with a specific parameter to restore the default setting for that item.
Chapter 5 | SNMP Commands Additional Trap Commands ◆ Once the maximum threshold is exceeded, utilization must drop beneath the minimum threshold before the alarm is terminated, and then exceed the maximum threshold again before another alarm is triggered.
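The snmp-server community, snmp-server host and snmp-server user commands in this chapter decide whether management traffic is protected by a cleartext community string or by SNMPv3 authentication and privacy. The following Python audit of those lines is an added example, not code from this guide or from the switch software; the sample configuration is constructed from the command forms shown above, and the severity labels and the Finding type are assumptions of the example.

```python
"""Audit the SNMP lines of a switch running-config (added example)."""
from typing import List, NamedTuple


class Finding(NamedTuple):
    line_no: int
    severity: str   # "high" or "medium" (labels chosen for this example)
    message: str


# Constructed sample input; command forms follow the syntax in this chapter.
SAMPLE_CONFIG = """\
snmp-server community public ro
snmp-server community netops-7f3a rw
Console(config)#snmp-server host 10.1.19.23 batman
snmp-server host 10.1.19.24 inform retry 3 nms-user version 3 priv
snmp-server host 10.1.19.25 nms-user version 3 noauth
snmp-server user steve group r&d v3 auth md5 greenpeace priv des56 einstien
snmp-server user mark group r&d remote 192.168.1.19 v3 auth sha greenpeace priv 3des einstien
snmp-server user guest group r&d v3
"""


def _community(tok):
    out = []
    if tok[2] == "public":
        out.append(("medium", "default community string 'public' is configured"))
    if "rw" in tok[3:]:
        out.append(("high", f"community '{tok[2]}' allows read/write access "
                            "guarded only by a cleartext string"))
    return out


def _host(tok):
    rest = tok[3:]
    # Anything other than "version 3" is a community-based notification.
    if "version" not in rest or rest[rest.index("version") + 1:][:1] != ["3"]:
        return [("medium", f"host {tok[2]}: community-based notifications, "
                           "community string is sent unencrypted")]
    level = rest[rest.index("version") + 2:][:1]
    if level == ["noauth"]:
        return [("high", f"host {tok[2]}: SNMPv3 without authentication")]
    if level == ["auth"]:
        return [("medium", f"host {tok[2]}: SNMPv3 authenticated but not encrypted")]
    return []


def _user(tok):
    name = tok[2]
    models = [i for i, t in enumerate(tok) if i > 2 and t in ("v1", "v2c", "v3")]
    if not models or tok[models[0]] != "v3":
        return []                       # v1/v2c users carry no keys to check
    rest = tok[models[0] + 1:]
    if rest[:1] == ["encrypted"]:
        rest = rest[1:]
    if rest[:1] != ["auth"]:
        return [("high", f"user {name}: no authentication or privacy configured")]
    out = []
    if rest[1:2] == ["md5"]:
        out.append(("medium", f"user {name}: MD5 authentication, sha is available"))
    rest = rest[3:]                     # skip: auth <algorithm> <password>
    if rest[:1] != ["priv"]:
        out.append(("medium", f"user {name}: no privacy, payload is unencrypted"))
    elif rest[1:2] == ["des56"]:
        out.append(("medium", f"user {name}: DES 56-bit privacy, 3des is available"))
    return out


CHECKS = {"community": _community, "host": _host, "user": _user}


def audit(config: str) -> List[Finding]:
    """Return findings for every snmp-server community/host/user line."""
    findings = []
    for no, line in enumerate(config.splitlines(), 1):
        line = line.strip()
        if line.startswith("Console") and "#" in line:
            line = line.split("#", 1)[1]        # drop a pasted CLI prompt
        tok = line.split()
        if len(tok) < 3 or tok[0] != "snmp-server" or tok[1] not in CHECKS:
            continue
        findings += [Finding(no, sev, msg) for sev, msg in CHECKS[tok[1]](tok)]
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print(f"line {f.line_no}: [{f.severity}] {f.message}")
```

Run it against the output of show running-config saved to a file; lines it does not recognise are skipped rather than reported.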
6 Remote Monitoring Commands Remote Monitoring allows a remote device to collect information or respond to specified events on an independent basis. This switch is an RMON-capable device which can independently perform a wide range of tasks, significantly reducing network management traffic. It can continuously run diagnostics and log information on network performance.
Chapter 6 | Remote Monitoring Commands rmon alarm This command sets threshold bounds for a monitored variable. Use the no form to remove an alarm. Syntax rmon alarm index variable interval {absolute | delta} rising-threshold threshold [event-index] falling-threshold threshold [event-index] [owner name] no rmon alarm index index – Index to this entry. (Range: 1-65535) variable – The object identifier of the MIB variable to be sampled. Only variables of the type etherStatsEntry.n.n may be sampled.
Chapter 6 | Remote Monitoring Commands generated until the sampled value has fallen below the rising threshold, reaches the falling threshold, and again moves back up to the rising threshold. ◆ If the current value is less than or equal to the falling threshold, and the last sample value was greater than this threshold, then an alarm will be generated.
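The rising/falling re-arm rule described for rmon alarm above, which is the same rule given earlier for the CPU guard watermarks, as an added Python sketch (not code from the switch or from this guide). The function name and sample values are constructed, and letting the very first sample fire either alarm is an assumption, since the page does not state the start-up behaviour.

```python
"""RMON-style alarm hysteresis over a series of samples (added example)."""
from typing import Iterable, List, Tuple

Event = Tuple[int, str, int]    # (sample index, "rising" | "falling", value)


def rmon_alarm_events(samples: Iterable[int], rising: int, falling: int,
                      mode: str = "absolute") -> List[Event]:
    """Return the alarm events an rmon alarm entry would generate.

    mode "absolute" compares each sample directly with the thresholds;
    mode "delta" compares the change since the previous sample, so the
    first sample only seeds the comparison and cannot raise an alarm.
    """
    if mode not in ("absolute", "delta"):
        raise ValueError("mode must be 'absolute' or 'delta'")
    if falling > rising:
        raise ValueError("falling threshold must not exceed rising threshold")

    events: List[Event] = []
    can_rise = can_fall = True      # assumption: both alarms armed at start
    prev = None
    for i, raw in enumerate(samples):
        if mode == "delta":
            if prev is None:
                prev = raw
                continue
            value, prev = raw - prev, raw
        else:
            value = raw

        if value >= rising and can_rise:
            events.append((i, "rising", value))
            # No further rising alarm until the falling threshold is reached.
            can_rise, can_fall = False, True
        elif value <= falling and can_fall:
            events.append((i, "falling", value))
            # No further falling alarm until the rising threshold is reached.
            can_fall, can_rise = False, True
    return events


# Constructed utilisation samples (percent): index 5 crosses 90 again, but
# raises no alarm because the value never dropped to 50 in between.
UTILISATION = [60, 85, 95, 88, 75, 91, 40, 92, 45, 30]

# Constructed counter readings for delta sampling.
COUNTER = [1000, 1100, 1900, 2000, 2050, 3000]

if __name__ == "__main__":
    for event in rmon_alarm_events(UTILISATION, rising=90, falling=50):
        print("absolute", event)
    for event in rmon_alarm_events(COUNTER, rising=500, falling=100, mode="delta"):
        print("delta   ", event)
```

When choosing thresholds, the gap between the rising and falling values sets how much oscillation is absorbed before a second trap is sent.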
Chapter 6 | Remote Monitoring Commands Command Usage ◆ If an event is already defined for an index, the entry must be deleted before any changes can be made with this command. ◆ The specified events determine the action to take when an alarm triggers this event. The response to an alarm can include logging the alarm or sending a message to a trap manager.
Chapter 6 | Remote Monitoring Commands input octets, packets, broadcast packets, multicast packets, undersize packets, oversize packets, fragments, jabbers, CRC alignment errors, collisions, drop events, and network utilization. ◆ The switch reserves two controlEntry index entries for each port.
Chapter 6 | Remote Monitoring Commands ◆ If statistics collection is already enabled on an interface, the entry must be deleted before any changes can be made with this command.
Chapter 6 | Remote Monitoring Commands Example Console#show rmon history Entry 1 is valid, and owned by Monitors 1.3.6.1.2.1.2.2.1.1.1 every 1800 seconds Requested # of time intervals, ie buckets, is 8 Granted # of time intervals, ie buckets, is 8 Sample # 1 began measuring at 00:00:01 Received 77671 octets, 1077 packets, 61 broadcast and 978 multicast packets, 0 undersized and 0 oversized packets, 0 fragments and 0 jabbers packets, 0 CRC alignment errors and 0 collisions.
7 Flow Sampling Commands

Flow sampling (sFlow) can be used with a remote sFlow Collector to provide an accurate, detailed and real-time overview of the types and levels of traffic present on the network. The sFlow Agent samples 1 out of n packets from all data traversing the switch, re-encapsulates the samples as sFlow datagrams and transmits them to the sFlow Collector.
sampling data source instances are removed from the configuration. (Range: 30-10000000 seconds)

ipv4-address - IPv4 address of the sFlow collector. Valid IPv4 addresses consist of four decimal numbers, 0 to 255, separated by periods.

ipv6-address - IPv6 address of the sFlow collector. A full IPv6 address including the network prefix and host address bits. An IPv6 address consists of 8 colon-separated 16-bit hexadecimal values.
This example shows how to modify the sFlow port number for an already configured collector.

Console(config)#sflow owner stat_server1 timeout 100 port 35100
Console(config)#

sflow polling instance

This command enables an sFlow polling data source, for a specified interface, that polls periodically based on a specified time interval. Use the no form to remove the polling data source instance from the switch’s sFlow configuration.
sflow sampling instance

This command enables an sFlow data source instance for a specific interface that takes samples periodically based on the number of packets processed. Use the no form to remove the sampling data source instance from the switch’s sFlow configuration.
The following command removes a sampling data source from Ethernet interface 1/1.

Console# no sflow sampling interface ethernet 1/1 instance 1
Console#

show sflow

This command shows the global and interface settings for the sFlow process.

Syntax

show sflow [owner owner-name | interface interface]

owner-name - The associated receiver, to which the samples are sent. (Range: 1-30 alphanumeric characters)

interface

ethernet unit/port

unit - Unit identifier.
8 Authentication Commands

You can configure this switch to authenticate users logging into the system for management access using local or remote authentication methods. Port-based authentication using IEEE 802.1X can also be configured to control either management access to the uplink ports or client access to the data ports.
User Accounts and Privilege Levels

The basic commands required for management access and assigning command privilege levels are listed in this section. This switch also includes other options for password checking via the console or a Telnet connection (page 154), user authentication via a remote authentication server (page 243), and host access authentication for specific ports (page 284).
Command Mode

Global Configuration

Command Usage

◆ You cannot set a null password. You will have to enter a password to change the command mode from Normal Exec to Privileged Exec with the enable command.

◆ The encrypted password is required for compatibility with legacy password settings (i.e.
{0 | 7} - 0 means plain password, 7 means encrypted password.

password password - The authentication password for the user. (Maximum length: 32 characters plain text or encrypted, case sensitive)

Default Setting

The default access level is 0 (Normal Exec).
command - Specifies any command contained within the specified mode.

Default Setting

Privilege level 0 provides access to a limited number of the commands which display the current status of the switch, as well as several database clear and reset functions. Levels 1-15 provide full access to all commands.

Command Mode

Global Configuration

Example

This example sets the privilege level for the ping command to Privileged Exec.
Authentication Sequence

Three authentication methods can be specified to authenticate users logging into the system for management access. The commands in this section can be used to define the authentication method and sequence.
is attempted on the TACACS+ server. If the TACACS+ server is not available, the local user name and password is checked.

Example

Console(config)#authentication enable radius
Console(config)#

Related Commands

enable password - sets the password for changing command modes (244)

authentication login

This command defines the login authentication method and precedence. Use the no form to restore the default.
Example

Console(config)#authentication login radius
Console(config)#

Related Commands

username - for setting the local user names and passwords (245)

RADIUS Client

Remote Authentication Dial-in User Service (RADIUS) is a logon authentication protocol that uses software running on a central server to control access to RADIUS-aware devices on the network.
Example

Console(config)#radius-server acct-port 181
Console(config)#

radius-server auth-port

This command sets the RADIUS server network port. Use the no form to restore the default.

Syntax

radius-server auth-port port-number

no radius-server auth-port

port-number - RADIUS server UDP port used for authentication messages.
retransmit - Number of times the switch will try to authenticate logon access via the RADIUS server. (Range: 1-30)

timeout - Number of seconds the switch waits for a reply before resending a request. (Range: 1-65535)

Default Setting

auth-port - 1812
acct-port - 1813
timeout - 5 seconds
retransmit - 2

Command Mode

Global Configuration

Example

Console(config)#radius-server 1 host 192.168.1.
radius-server retransmit

This command sets the number of retries. Use the no form to restore the default.

Syntax

radius-server retransmit number-of-retries

no radius-server retransmit

number-of-retries - Number of times the switch will try to authenticate logon access via the RADIUS server.
show radius-server

This command displays the current settings for the RADIUS server.

Default Setting

None

Command Mode

Privileged Exec

Example

Console#show radius-server
Remote RADIUS Server Configuration:
Global Settings:
 Authentication Port Number : 1812
 Accounting Port Number     : 1813
 Retransmit Times           : 2
 Request Timeout            : 5
Server 1:
 Server IP Address          : 192.
 Authentication Port Number :
 Accounting Port Number     :
 Retransmit Times           :
 Request Timeout            :
tacacs-server host

This command specifies the TACACS+ server and other optional parameters. Use the no form to remove the server, or to restore the default values.

Syntax

tacacs-server index host host-ip-address [key key] [port port-number] [retransmit retransmit] [timeout timeout]

no tacacs-server index

index - The index for this server. (Range: 1)

host-ip-address - IP address of a TACACS+ server.
Default Setting

None

Command Mode

Global Configuration

Example

Console(config)#tacacs-server key green
Console(config)#

tacacs-server port

This command specifies the TACACS+ server network port. Use the no form to restore the default.

Syntax

tacacs-server port port-number

no tacacs-server port

port-number - TACACS+ server TCP port used for authentication messages.
Example

Console(config)#tacacs-server retransmit 5
Console(config)#

tacacs-server timeout

This command sets the interval between transmitting authentication requests to the TACACS+ server. Use the no form to restore the default.

Syntax

tacacs-server timeout number-of-seconds

no tacacs-server timeout

number-of-seconds - Number of seconds the switch waits for a reply before resending a request.
TACACS+ Server Group:
Group Name                Member Index
------------------------- ------------
tacacs+                   1
Console#

AAA

The Authentication, Authorization, and Accounting (AAA) feature provides the main framework for configuring access control on the switch. The AAA functions require the use of configured RADIUS or TACACS+ servers in the network.
default - Specifies the default accounting method for service requests.

method-name - Specifies an accounting method for service requests. (Range: 1-64 characters)

start-stop - Records accounting from starting point and stopping point.

group - Specifies the server group to use.

tacacs+ - Specifies all TACACS+ hosts configured with the tacacs-server host command.

server-group - Specifies the name of a server group configured with the aaa group server command.
group - Specifies the server group to use.

radius - Specifies all RADIUS hosts configured with the radius-server host command.

tacacs+ - Specifies all TACACS+ hosts configured with the tacacs-server host command.

server-group - Specifies the name of a server group configured with the aaa group server command.
Default Setting

Accounting is not enabled
No servers are specified

Command Mode

Global Configuration

Command Usage

◆ This command runs accounting for Exec service requests for the local console and Telnet connections.

◆ Note that the default and method-name fields are only used to describe the accounting method(s) configured on the specified RADIUS or TACACS+ servers, and do not actually send any information to the servers about the methods to use.
Example

Console(config)#aaa accounting update periodic 30
Console(config)#

aaa authorization exec

This command enables the authorization for Exec access. Use the no form to disable the authorization service.

Syntax

aaa authorization exec {default | method-name} group {tacacs+ | server-group}

no aaa authorization exec {default | method-name}

default - Specifies the default authorization method for Exec access.
aaa group server

Use this command to name a group of security server hosts. To remove a server group from the configuration list, enter the no form of this command.

Syntax

[no] aaa group server {radius | tacacs+} group-name

radius - Defines a RADIUS server group.

tacacs+ - Defines a TACACS+ server group.

group-name - A text string that names a security server group.
Example

Console(config)#aaa group server radius tps
Console(config-sg-radius)#server 10.2.68.120
Console(config-sg-radius)#

accounting dot1x

This command applies an accounting method for 802.1X service requests on an interface. Use the no form to disable accounting on the interface.

Syntax

accounting dot1x {default | list-name}

no accounting dot1x

default - Specifies the default method list created with the aaa accounting dot1x command.
Command Mode

Line Configuration

Example

Console(config)#line console
Console(config-line)#accounting commands 15 default
Console(config-line)#

accounting exec

This command applies an accounting method to local console, Telnet or SSH connections. Use the no form to disable accounting on the line.

Syntax

accounting exec {default | list-name}

no accounting exec

default - Specifies the default method list created with the aaa accounting exec command.
Default Setting

None

Command Mode

Line Configuration

Example

Console(config)#line console
Console(config-line)#authorization exec tps
Console(config-line)#exit
Console(config)#line vty
Console(config-line)#authorization exec default
Console(config-line)#

show accounting

This command displays the current accounting settings per function and per port.
 Interface       : Eth 1/1

 Method List     : tps
 Group List      : radius
 Interface       : Eth 1/2

Accounting Type  : EXEC
 Method List     : default
 Group List      : tacacs+
 Interface       : vty

Accounting Type  : Commands 0
 Method List     : default
 Group List      : tacacs+
 Interface       :
. . .
Accounting Type  : Commands 15
 Method List     : default
 Group List      : tacacs+
 Interface       :
Console#

show authorization

This command displays the current authorization settings per function and per port.
 Interface       :
Console#

Web Server

This section describes commands used to configure web browser management access to the switch.
Related Commands

aaa authorization exec (262)
ip http server (271)
show system (134)

ip http port

This command specifies the UDP port number used by the web browser interface. Use the no form to use the default port.

Syntax

ip http port port-number

no ip http port

port-number - The UDP port to be used by the browser interface.
Command Usage

◆ You cannot configure the HTTP and HTTPS servers to use the same port.
A padlock icon should appear in the status bar for Internet Explorer 11, Mozilla Firefox 40, or Google Chrome 45, or more recent versions.
Related Commands

ip http port (269)
show system (134)

Telnet Server

This section describes commands used to configure Telnet management access to the switch.
Command Usage

A maximum of eight sessions can be concurrently opened for Telnet and Secure Shell (i.e., both Telnet and SSH share a maximum number of eight sessions).

Example

Console(config)#ip telnet max-sessions 1
Console(config)#

ip telnet port

This command specifies the TCP port number used by the Telnet interface. Use the no form to use the default port.
telnet (client)

This command accesses a remote device using a Telnet connection.

Syntax

telnet host

host - IP address or alias of a remote device.

Command Mode

Privileged Exec

Example

Console#telnet 192.168.2.254
Connect To 192.168.2.254...
Secure Shell

This section describes the commands used to configure the SSH server. Note that you also need to install a SSH client on the management station when using this protocol to configure the switch.

Note: The switch supports both SSH Version 1.5 and 2.0 clients.
To use the SSH server, complete these steps:

1. Generate a Host Key Pair – Use the ip ssh crypto host-key generate command to create a host public/private key pair.

2. Provide Host Public Key to Clients – Many SSH client programs automatically import the host public key during the initial connection setup with the switch. Otherwise, you need to manually create a known hosts file on the management station and place the host public key in it.
Public Key Authentication – When an SSH client attempts to contact the switch, the SSH server uses the host key pair to negotiate a session key and encryption method. Only clients that have a private key corresponding to the public keys stored on the switch can access it. The following exchanges take place during this process:

Authenticating SSH v1.5 Clients

a. The client sends its RSA public key to the switch.

b.
ip ssh authentication-retries

This command configures the number of times the SSH server attempts to reauthenticate a user. Use the no form to restore the default setting.

Syntax

ip ssh authentication-retries count

no ip ssh authentication-retries

count – The number of authentication attempts permitted after which the interface is reset.
Example

Console#ip ssh crypto host-key generate dsa
Console#configure
Console(config)#ip ssh server
Console(config)#

Related Commands

ip ssh crypto host-key generate (281)
show ssh (284)

ip ssh server-key size

This command sets the SSH server key size. Use the no form to restore the default setting.

Syntax

ip ssh server-key size key-size

no ip ssh server-key size

key-size – The size of server key.
Default Setting

120 seconds

Command Mode

Global Configuration

Command Usage

The timeout specifies the interval the switch will wait for a response from the client during the SSH negotiation phase. Once an SSH session has been established, the timeout for user input is controlled by the exec-timeout command for vty sessions.
ip ssh crypto host-key generate

This command generates the host key pair (i.e., public and private).

Syntax

ip ssh crypto host-key generate [dsa | rsa]

dsa – DSA (Version 2) key type.

rsa – RSA (Version 1) key type.

Default Setting

Generates both the DSA and RSA key pairs.

Command Mode

Privileged Exec

Command Usage

◆ The switch uses only RSA Version 1 for SSHv1.5 clients and DSA Version 2 for SSHv2 clients.
Command Mode

Privileged Exec

Command Usage

◆ This command clears the host key from volatile memory (RAM). Use the no ip ssh save host-key command to clear the host key from flash memory.

◆ The SSH server must be disabled before you can execute this command.
Example

Console#show ip ssh
SSH Enabled - Version 2.0
Negotiation Timeout : 120 seconds; Authentication Retries : 3
Server Key Size : 768 bits
Console#

show public-key

This command shows the public key for the specified user or for the host.

Syntax

show public-key [user [username]| host]

username – Name of an SSH user. (Range: 1-32 characters)

Default Setting

Shows all public keys.
show ssh

This command displays the current SSH server connections.

Command Mode

Privileged Exec

Example

Console#show ssh
Connection Version State           Username Encryption
0          2.0     Session-Started admin    ctos aes128-cbc-hmac-md5
                                            stoc aes128-cbc-hmac-md5
Console#

Table 47: show ssh - display description

Field        Description
Connection   The session number. (A total of eight SSH and Telnet sessions are allowed.)
Version      The Secure Shell version number.
Table 48: 802.
◆ dot1x operation-mode
◆ dot1x max-req
◆ dot1x timeout quiet-period
◆ dot1x timeout tx-period
◆ dot1x timeout re-authperiod
◆ dot1x timeout sup-timeout
◆ dot1x re-authentication
◆ dot1x intrusion-action

Example

Console(config)#dot1x default
Console(config)#

dot1x eapol-pass-through

This command passes EAPOL frames through to all ports in STP forwarding state when dot1x is globally disabled.
dot1x system-auth-control

This command enables IEEE 802.1X port authentication globally on the switch. Use the no form to restore the default.
Example

Console(config)#interface eth 1/2
Console(config-if)#dot1x intrusion-action guest-vlan
Console(config-if)#

dot1x max-reauth-req

This command sets the maximum number of times that the switch sends an EAP-request/identity frame to the client before restarting the authentication process. Use the no form to restore the default.
Example

Console(config)#interface eth 1/2
Console(config-if)#dot1x max-req 2
Console(config-if)#

dot1x operation-mode

This command allows hosts (clients) to connect to an 802.1X-authorized port. Use the no form with no keywords to restore the default to single host. Use the no form with the multi-host max-count keywords to restore the default maximum count.
Example

Console(config)#interface eth 1/2
Console(config-if)#dot1x operation-mode multi-host max-count 10
Console(config-if)#

dot1x port-control

This command sets the dot1x mode on a port interface. Use the no form to restore the default.

Syntax

dot1x port-control {auto | force-authorized | force-unauthorized}

no dot1x port-control

auto – Requires a dot1x-aware connected client to be authorized by the RADIUS server.
connected the network and the process is handled transparently by the dot1x client software. Only if re-authentication fails is the port blocked.

◆ The connected client is re-authenticated after the interval specified by the dot1x timeout re-authperiod command. The default is 3600 seconds.
Default

3600 seconds

Command Mode

Interface Configuration

Example

Console(config)#interface eth 1/2
Console(config-if)#dot1x timeout re-authperiod 300
Console(config-if)#

dot1x timeout supp-timeout

This command sets the time that an interface on the switch waits for a response to an EAP request from a client before re-transmitting an EAP packet. Use the no form to reset to the default value.
dot1x timeout tx-period

This command sets the time that an interface on the switch waits during an authentication session before re-transmitting an EAP packet. Use the no form to reset to the default value.

Syntax

dot1x timeout tx-period seconds

no dot1x timeout tx-period

seconds - The number of seconds.
Supplicant Commands

dot1x identity profile

This command sets the dot1x supplicant user name and password. Use the no form to delete the identity settings.

Syntax

dot1x identity profile {username username | password password}

no dot1x identity profile {username | password}

username - Specifies the supplicant user name. (Range: 1-8 characters)

password - Specifies the supplicant password.
Example

Console(config)#interface eth 1/2
Console(config-if)#dot1x max-start 10
Console(config-if)#

dot1x pae supplicant

This command enables dot1x supplicant mode on a port. Use the no form to disable dot1x supplicant mode on a port.
dot1x timeout auth-period

This command sets the time that a supplicant port waits for a response from the authenticator. Use the no form to restore the default setting.

Syntax

dot1x timeout auth-period seconds

no dot1x timeout auth-period

seconds - The number of seconds.
dot1x timeout start-period

This command sets the time that a supplicant port waits before resending an EAPOL start frame to the authenticator. Use the no form to restore the default setting.

Syntax

dot1x timeout start-period seconds

no dot1x timeout start-period

seconds - The number of seconds.
◆ Authenticator Parameters – Shows whether or not EAPOL pass-through is enabled (page 286).

◆ Supplicant Parameters – Shows the supplicant user name used when the switch responds to an MD5 challenge from an authenticator (page 294).

◆ 802.1X Port Summary – Displays the port access control parameters for each interface that has enabled 802.1X, including the following items: ■ ■ ■ ■

◆ 802.
◆ Backend State Machine

  ■ State – Current state (including request, response, success, fail, timeout, idle, initialize).

  ■ Request Count – Number of EAP Request packets sent to the Supplicant without receiving a response.

  ■ Identifier (Server) – Identifier carried in the most recent EAP Success, Failure or Request packet received from the Authentication Server.
 Reauth Count       : 0
 Current Identifier : 3

Backend State Machine
 State              : Idle
 Request Count      : 0
 Identifier(Server) : 2

Reauthentication State Machine
 State              : Initialize
Console#

Management IP Filter

This section describes commands used to configure IP management access to the switch.
Command Usage

◆ The management interfaces are open to all IP addresses by default. Once you add an entry to a filter list, access to that interface is restricted to the specified addresses.

◆ If anyone tries to access a management interface on the switch from an invalid address, the switch will reject the connection, enter an event message in the system log, and send a trap message to the trap manager.
Example

Console#show management all-client
Management Ip Filter
 HTTP-Client:
  Start IP address    End IP address
 -----------------------------------------------
 1. 192.168.1.19      192.168.1.19
 2. 192.168.1.25      192.168.1.30

 SNMP-Client:
  Start IP address    End IP address
 -----------------------------------------------
 1. 192.168.1.19      192.168.1.19
 2. 192.168.1.25      192.168.1.
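The filter behaviour described in the Command Usage above (an interface with no entries is open to all addresses; once an entry exists, only the listed ranges are accepted) can be checked offline against saved "show management all-client" output. This is an added example, not part of the guide: the function names are hypothetical, the sample text is constructed in the layout shown above, and the "Telnet-Client" section label is an assumption.

```python
import ipaddress
import re
from typing import Dict, List, Tuple

# Constructed sample in the layout of "show management all-client".
# The Telnet-Client label is assumed; it is empty to model an unfiltered interface.
SAMPLE_OUTPUT = """\
Management Ip Filter
 HTTP-Client:
  Start IP address    End IP address
 -----------------------------------------------
 1. 192.168.1.19      192.168.1.19
 2. 192.168.1.25      192.168.1.30

 SNMP-Client:
  Start IP address    End IP address
 -----------------------------------------------
 1. 192.168.1.19      192.168.1.19

 Telnet-Client:
  Start IP address    End IP address
 -----------------------------------------------
"""

SECTION_RE = re.compile(r"^\s*([A-Za-z]+)-Client:\s*$")
ENTRY_RE = re.compile(r"^\s*\d+\.\s+(\S+)\s+(\S+)\s*$")

Filters = Dict[str, List[Tuple[object, object]]]


def parse_filters(text: str) -> Filters:
    """Return {SERVICE: [(start, end), ...]} parsed from the command output."""
    filters: Filters = {}
    current = None
    for line in text.splitlines():
        section = SECTION_RE.match(line)
        if section:
            current = section.group(1).upper()
            filters[current] = []
            continue
        entry = ENTRY_RE.match(line)
        if entry and current is not None:
            try:
                start = ipaddress.ip_address(entry.group(1))
                end = ipaddress.ip_address(entry.group(2))
            except ValueError:
                continue  # truncated or malformed address: ignore the row
            if start.version == end.version and start <= end:
                filters[current].append((start, end))
    return filters


def is_permitted(filters: Filters, service: str, source: str) -> bool:
    """Apply the documented rule: no entries means open, otherwise ranges only."""
    ranges = filters[service.upper()]  # KeyError if the service was not in the output
    if not ranges:
        return True
    addr = ipaddress.ip_address(source)
    return any(lo.version == addr.version and lo <= addr <= hi for lo, hi in ranges)


def unfiltered_services(filters: Filters) -> List[str]:
    """List management interfaces that still accept every source address."""
    return sorted(name for name, ranges in filters.items() if not ranges)


if __name__ == "__main__":
    parsed = parse_filters(SAMPLE_OUTPUT)
    print("open to all addresses:", unfiltered_services(parsed))
    for svc, src in [("HTTP", "192.168.1.27"), ("HTTP", "192.168.1.20"),
                     ("SNMP", "192.168.1.25"), ("Telnet", "10.0.0.5")]:
        print(f"{svc:7s} {src:15s} permitted={is_permitted(parsed, svc, src)}")
```
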
pppoe intermediate-agent

This command enables the PPPoE Intermediate Agent globally on the switch. Use the no form to disable this feature.
Default Setting

◆ Access Node Identifier: IP address of the first IPv4 interface on the switch.

◆ Generic Error Message: PPPoE Discover packet too large to process. Try reducing the number of tags added.
pppoe intermediate-agent

This command sets the circuit-id or remote-id for an interface. Use the no form to restore the default settings.
pppoe intermediate-agent port-format-type remote-id-delimiter

This command sets the remote-id delimiter for an interface. Use the enable keyword to enable the delimiter. Use the no form with the enable keyword to disable the delimiter. Use the no form without any keywords to restore the default settings.

Syntax

pppoe intermediate-agent port-format-type remote-id-delimiter {enable | ascii-code}

ascii-code - ASCII character of delimiter.
◆ At least one trusted interface must be configured on the switch for the PPPoE IA to function.

Example

Console(config)#interface ethernet 1/5
Console(config-if)#pppoe intermediate-agent trust
Console(config-if)#

pppoe intermediate-agent

This command enables the stripping of vendor tags from PPPoE Discovery packets sent from a PPPoE server. Use the no form to disable this feature.
Command Mode

Privileged Exec

Example

Console#clear pppoe intermediate-agent statistics
Console#

show pppoe intermediate-agent info

This command displays configuration settings for the PPPoE Intermediate Agent.

Syntax

show pppoe intermediate-agent info [interface [interface]]

interface

ethernet unit/port

unit - Stack unit. (Range: 1-8)

port - Port number.
show pppoe intermediate-agent statistics

This command displays statistics for the PPPoE Intermediate Agent.

Syntax

show pppoe intermediate-agent statistics interface [interface]

interface

ethernet unit/port

unit - Unit identifier. (Range: 1-8)

port - Port number.
9 General Security Measures

This switch supports many methods of segregating traffic for clients attached to each of the data ports, and for ensuring that only authorized clients gain access to the network. Port-based authentication using IEEE 802.1X is commonly used for these purposes. In addition to these methods, several other options of providing client security are described in this chapter.
Port Security

These commands can be used to enable port security on a port. When MAC address learning is disabled on an interface, only incoming traffic with source addresses already stored in the dynamic or static address table for this port will be authorized to access the network. When using port security, the switch stops learning new MAC addresses on the specified port when it has reached a configured maximum number.
security function such as 802.1X or DHCP snooping is enabled and mac-learning is disabled, then only incoming traffic with source addresses stored in the static address table will be accepted, all other packets are dropped. Note that the dynamic addresses stored in the address table when MAC address learning is disabled are flushed from the system, and no dynamic addresses are subsequently learned until MAC address learning has been re-enabled.
Command Mode

Interface Configuration (Ethernet)

Command Usage

◆ The default maximum number of MAC addresses allowed on a secure port is zero (that is, port security is disabled). To use port security, you must configure the maximum number of addresses allowed on a port using the port security max-mac-count command.
Example

The following example enables port security for port 5, and sets the response to a security violation to issue a trap message:

Console(config)#interface ethernet 1/5
Console(config-if)#port security action trap

Related Commands

show interfaces status (438)
shutdown (431)
mac-address-table static (517)

port security mac-address-as-

Use this command to save the MAC addresses that port security has learned as static entries.
Command Mode

Privileged Exec

Example

This example shows the port security settings and number of secure addresses for all ports.
Port Security Details
 Port                             : 1/2
 Port Security                    : Enabled
 Port Status                      : Secure/Up
 Intrusion Action                 : None
 Max MAC Count                    : 0
 Current MAC Count                : 0
 MAC Filter                       : Disabled
 Last Intrusion MAC               : NA
 Last Time Detected Intrusion MAC : NA
Console#

This example shows information about a detected intrusion.
Table 55: Network Access Commands (Continued)

Command                                       Function                                                                      Mode
network-access link-detection                 Enables the link detection feature                                            IC
network-access link-detection link-down       Configures the link detection feature to detect and act upon link-down events IC
network-access link-detection link-up         Configures the link detection feature to detect and act upon link-up events   IC
network-access link-detection link-up-down
◆ This parameter applies to authenticated MAC addresses configured by the MAC Address Authentication process described in this section, as well as to any secure MAC addresses authenticated by 802.1X, regardless of the 802.1X Operation Mode (Single-Host, Multi-Host, or MAC-Based authentication as described on page 289).

◆ The maximum number of secure MAC addresses supported for the switch system is 1024.
mac-authentication reauth-time

Use this command to set the time period after which a connected MAC address must be re-authenticated. Use the no form of this command to restore the default value.

Syntax

mac-authentication reauth-time seconds

no mac-authentication reauth-time

seconds - The reauthentication time period.
(attribute 11) can be configured on the RADIUS server to pass the following QoS information:

Table 56: Dynamic QoS Profiles
Profile      Attribute Syntax                     Example
DiffServ     service-policy-in=policy-map-name    service-policy-in=p1
Rate Limit   rate-limit-input=rate (kbps)         rate-limit-input=100 (kbps)
             rate-limit-output=rate (kbps)        rate-limit-output=200 (kbps)
802.
Chapter 9 | General Security Measures Network Access (MAC Address Authentication) Command Mode Interface Configuration Command Usage ◆ When enabled, the VLAN identifiers returned by the RADIUS server through the 802.1X authentication process will be applied to the port, providing the VLANs have already been created on the switch. GVRP is not used to create the VLANs. ◆ The VLAN settings specified by the first authenticated MAC address are implemented for a port.
Chapter 9 | General Security Measures Network Access (MAC Address Authentication) ◆ When used with 802.1X authentication, the intrusion-action must be set for “guest-vlan” to be effective (see the dot1x intrusion-action command). ◆ A port can only be assigned to the guest VLAN in case of failed authentication, if switchport mode is set to Hybrid.
network-access link-detection link-down
Use this command to detect link-down events. When detected, the switch can shut down the port, send an SNMP trap, or both. Use the no form of this command to disable this feature.

Syntax
network-access link-detection link-down action [shutdown | trap | trap-and-shutdown]
no network-access link-detection
action - Response to take when port security is violated.
Example
Console(config)#interface ethernet 1/1
Console(config-if)#network-access link-detection link-up action trap
Console(config-if)#

network-access link-detection link-up-down
Use this command to detect link-up and link-down events. When either event is detected, the switch can shut down the port, send an SNMP trap, or both. Use the no form of this command to disable this feature.
Chapter 9 | General Security Measures Network Access (MAC Address Authentication) Command Mode Interface Configuration Command Usage The maximum number of MAC addresses per port is 1024, and the maximum number of secure MAC addresses supported for the switch system is 1024. When the limit is reached, all new MAC addresses are treated as authentication failures.
Chapter 9 | General Security Measures Network Access (MAC Address Authentication) ◆ When port status changes to down, all MAC addresses are cleared from the secure MAC address table. Static VLAN assignments are not restored. ◆ The RADIUS server may optionally return a VLAN identifier list. VLAN identifier list is carried in the “Tunnel-Private-Group-ID” attribute. The VLAN list can contain multiple VLAN identifiers in the format “1u,2t,” where “u” indicates untagged VLAN and “t” tagged VLAN.
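The VLAN list format described above can be validated before a RADIUS profile is deployed. The following parser is an added example, not the switch's own code; the function names, the rejection of entries without a "u" or "t" suffix, and the rejection of a VLAN listed both tagged and untagged are assumptions made for the illustration. The 1-4094 range is the VLAN ID range used elsewhere in this guide.

```python
import re
from typing import NamedTuple

VLAN_MIN, VLAN_MAX = 1, 4094            # VLAN ID range used in this guide
_ENTRY = re.compile(r"^(\d{1,4})([ut])$")


class VlanAssignment(NamedTuple):
    vlan_id: int
    tagged: bool                         # True for "t", False for "u"


class VlanListError(ValueError):
    """Raised when a Tunnel-Private-Group-ID value cannot be parsed."""


def parse_vlan_list(value: str) -> list:
    """Parse a list such as "1u,2t," into VlanAssignment entries."""
    items = [part.strip() for part in value.split(",")]
    if items and items[-1] == "":
        items.pop()                      # the documented format ends with a comma
    if not items:
        raise VlanListError("empty VLAN list")
    seen = {}
    result = []
    for item in items:
        match = _ENTRY.match(item)
        if match is None:                # assumption: a missing suffix is an error
            raise VlanListError(f"malformed entry {item!r}")
        vlan_id = int(match.group(1))
        if not VLAN_MIN <= vlan_id <= VLAN_MAX:
            raise VlanListError(f"VLAN {vlan_id} outside {VLAN_MIN}-{VLAN_MAX}")
        tagged = match.group(2) == "t"
        if vlan_id in seen:
            if seen[vlan_id] != tagged:  # assumption: conflicting modes are an error
                raise VlanListError(f"VLAN {vlan_id} listed as both u and t")
            continue                     # exact duplicate, keep the first
        seen[vlan_id] = tagged
        result.append(VlanAssignment(vlan_id, tagged))
    return result


def split_by_existing(assignments, configured_vlans):
    """Separate entries the switch could apply from those it could not.

    The guide states that returned VLANs are applied only if they have
    already been created on the switch, so a profile that names a missing
    VLAN does not take full effect.
    """
    applied = [a for a in assignments if a.vlan_id in configured_vlans]
    missing = [a for a in assignments if a.vlan_id not in configured_vlans]
    return applied, missing


if __name__ == "__main__":
    # Constructed sample: VLAN 2 has not been created on the switch.
    applied, missing = split_by_existing(parse_vlan_list("1u,2t,30t,"), {1, 30})
    print("applied:", applied)
    print("missing:", missing)
```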
mac-authentication intrusion-action
Use this command to configure the port response to a host MAC authentication failure. Use the no form of this command to restore the default.
clear network-access
Use this command to clear entries from the secure MAC addresses table.

Syntax
clear network-access mac-address-table [static | dynamic] [address mac-address] [interface interface]
static - Specifies static address entries.
dynamic - Specifies dynamic address entries.
mac-address - Specifies a MAC address entry. (Format: xx-xx-xx-xx-xx-xx)
interface - Specifies a port interface.
Chapter 9 | General Security Measures Network Access (MAC Address Authentication) Example Console#show network-access interface ethernet 1/1 Global secure port information Reauthentication Time : 1800 MAC Address Aging : Disabled Port : 1/1 MAC Authentication MAC Authentication Intrusion Action MAC Authentication Maximum MAC Counts Maximum MAC Counts Dynamic VLAN Assignment Dynamic QoS Assignment MAC Filter ID Guest VLAN Link Detection Detection Mode Detection Action Console# : : : : : : : : : : : Disabl
00-00-00 would result in all MACs in the range 00-00-01-00-00-00 to 00-00-01-FF-FF-FF being displayed. All other MACs would be filtered out.

Example
Console#show network-access mac-address-table
Interface MAC Address       RADIUS Server   Time
--------- ----------------- --------------- ------------------------
1/1       00-00-01-02-03-04 172.155.120.17  00d06h32m50s
1/1       00-00-01-02-03-05 172.155.120.
1/1       00-00-01-02-03-06
1/3       00-00-01-02-03-07
Chapter 9 | General Security Measures Web Authentication Web Authentication Web authentication allows stations to authenticate and access the network in situations where 802.1X or Network Access authentication are infeasible or impractical. The web authentication feature allows unauthenticated hosts to request and receive a DHCP assigned IP address and perform DNS queries. All other traffic, except for HTTP protocol traffic, is blocked.
web-auth login-attempts
This command defines the limit for failed web authentication login attempts. After the limit is reached, the switch refuses further login attempts until the quiet time expires. Use the no form to restore the default.

Syntax
web-auth login-attempts count
no web-auth login-attempts
count - The limit of allowed failed login attempts.
web-auth session-timeout
This command defines the amount of time a web-authentication session remains valid. When the session timeout has been reached, the host is logged off and must re-authenticate itself the next time data transmission takes place. Use the no form to restore the default.

Syntax
web-auth session-timeout timeout
no web-auth session-timeout
timeout - The amount of time that an authenticated session remains valid.
Chapter 9 | General Security Measures Web Authentication web-auth This command enables web authentication for an interface. Use the no form to restore the default. Syntax [no] web-auth Default Setting Disabled Command Mode Interface Configuration Command Usage Both web-auth system-auth-control for the switch and web-auth for a port must be enabled for the web authentication feature to be active.
web-auth re-authenticate (IP)
This command ends the web authentication session associated with the designated IP address and forces the user to re-authenticate.

Syntax
web-auth re-authenticate interface interface ip
interface - Specifies a port interface.
  ethernet unit/port
    unit - Unit identifier. (Range: 1-8)
    port - Port number.
Chapter 9 | General Security Measures Web Authentication show web-auth This command displays interface-specific web authentication parameters and interface statistics. Syntax show web-auth interface interface interface - Specifies a port interface. ethernet unit/port unit - Unit identifier. (Range: 1-8) port - Port number. (Range: 1-28/52) Command Mode Privileged Exec Example Console#show web-auth interface ethernet 1/2 Web Auth Status : Enabled Host Summary IP address --------------1.1.1.1 1.1.1.
Chapter 9 | General Security Measures DHCPv4 Snooping DHCPv4 Snooping DHCPv4 snooping allows a switch to protect a network from rogue DHCPv4 servers or other devices which send port-related information to a DHCPv4 server. This information can be useful in tracking an IP address back to a physical port. This section describes commands used to configure DHCPv4 snooping.
ip dhcp snooping
This command enables DHCP snooping globally. Use the no form to restore the default setting.

Syntax
[no] ip dhcp snooping

Default Setting
Disabled

Command Mode
Global Configuration

Command Usage
Network traffic may be disrupted when malicious DHCP messages are received from an outside source. DHCP snooping is used to filter DHCP messages received on an unsecure interface from outside the network or firewall.
■ If the DHCP packet is from a client, such as a DECLINE or RELEASE message, the switch forwards the packet only if the corresponding entry is found in the binding table.
■ If the DHCP packet is from a client, such as a DISCOVER, REQUEST, INFORM, DECLINE or RELEASE message, the packet is forwarded if MAC address verification is disabled (as specified by the ip dhcp snooping verify mac-address command).
Chapter 9 | General Security Measures DHCPv4 Snooping ip dhcp snooping This command enables the use of DHCP Option 82 information for the switch, and information option specifies the frame format to use for the remote-id when Option 82 information is generated by the switch.
Chapter 9 | General Security Measures DHCPv4 Snooping directly between the server and client without having to flood them to the entire VLAN. ◆ DHCP snooping must be enabled for the DHCP Option 82 information to be inserted into packets. When enabled, the switch will only add/remove option 82 information in incoming DHCP packets but not relay them.
Chapter 9 | General Security Measures DHCPv4 Snooping EXAMPLE This example enables the use of sub-type and sub-length fields for the circuit-ID (CID) and remote-ID (RID). Console(config)#no ip dhcp snooping information option encode no-subtype Console(config)# ip dhcp snooping This command sets the remote ID to the switch’s IP address, MAC address, arbitrary information option string, or TR-101 compliant node identifier. Use the no form to restore the default remote-id setting.
ip dhcp snooping information option tr101 board-id
This command sets the board identifier used in Option 82 information based on TR-101 syntax. Use the no form to remove the board identifier. Use the no form to restore the default setting.

Syntax
ip dhcp snooping information option tr101 board-id board-id
no ip dhcp snooping information option tr101 board-id
board-id – TR101 Board ID.
Chapter 9 | General Security Measures DHCPv4 Snooping Command Usage When the switch receives DHCP packets from clients that already include DHCP Option 82 information, the switch can be configured to set the action policy for these packets. The switch can either drop the DHCP packets, keep the existing information, or replace it with the switch’s relay information.
Command Mode
Global Configuration

Command Usage
If MAC address verification is enabled, and the source MAC address in the Ethernet header of the packet is not the same as the client’s hardware address in the DHCP packet, the packet is dropped.

Example
This example enables MAC address verification.
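The MAC address verification check, together with the binding-table rule for DECLINE and RELEASE messages given earlier in this section, can be followed on a captured frame. The sketch below is an added example and not the switch firmware: the function names, the order in which the two checks are applied, and the binding key of (client hardware address, VLAN) are assumptions, and the frames are constructed in the code rather than captured.

```python
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
# DHCP message types (option 53) that the guide lists as client messages
CLIENT_TYPES = {1: "DISCOVER", 3: "REQUEST", 4: "DECLINE", 7: "RELEASE", 8: "INFORM"}
NEEDS_BINDING = {"DECLINE", "RELEASE"}


def mac_bytes(text):
    """Convert the guide's xx-xx-xx-xx-xx-xx notation to 6 raw bytes."""
    return bytes(int(part, 16) for part in text.split("-"))


def build_dhcp_frame(eth_src, chaddr, msg_type):
    """Constructed input: Ethernet/IPv4/UDP/BOOTP client frame (checksums zero)."""
    bootp = struct.pack("!BBBBIHHIIII", 1, 1, 6, 0, 0x1234ABCD, 0, 0x8000, 0, 0, 0, 0)
    bootp += mac_bytes(chaddr).ljust(16, b"\x00") + bytes(64) + bytes(128)
    bootp += MAGIC_COOKIE + bytes([53, 1, msg_type, 255])
    udp = struct.pack("!HHHH", 68, 67, 8 + len(bootp), 0)
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp) + len(bootp),
                       0, 0, 64, 17, 0, bytes(4), b"\xff" * 4)
    return b"\xff" * 6 + mac_bytes(eth_src) + b"\x08\x00" + ipv4 + udp + bootp


def parse_dhcp_frame(frame):
    """Return (Ethernet source MAC, BOOTP chaddr, DHCP message type)."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        raise ValueError("not an IPv4 Ethernet frame")
    ihl = (frame[14] & 0x0F) * 4
    if ihl < 20 or frame[23] != 17:
        raise ValueError("not a UDP datagram")
    bootp = 14 + ihl + 8
    if len(frame) < bootp + 240:
        raise ValueError("truncated BOOTP header")
    sport, dport = struct.unpack_from("!HH", frame, 14 + ihl)
    if {sport, dport} - {67, 68}:
        raise ValueError("not DHCP (UDP ports 67/68)")
    if frame[bootp + 236:bootp + 240] != MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    hlen = min(frame[bootp + 2], 16)
    chaddr = frame[bootp + 28:bootp + 28 + hlen]
    msg_type, i = None, bootp + 240
    while i < len(frame) and frame[i] != 255:      # 255 = end option
        if frame[i] == 0:                          # 0 = pad option
            i += 1
            continue
        if i + 1 >= len(frame) or i + 2 + frame[i + 1] > len(frame):
            raise ValueError("truncated DHCP option")
        if frame[i] == 53 and frame[i + 1] == 1:
            msg_type = frame[i + 2]
        i += 2 + frame[i + 1]
    return frame[6:12], chaddr, msg_type


def snoop_client_message(frame, vlan, verify_mac, bindings):
    """Decide what happens to a client DHCP frame on an untrusted port."""
    eth_src, chaddr, msg_type = parse_dhcp_frame(frame)
    name = CLIENT_TYPES.get(msg_type)
    if name is None:
        return "not-a-client-message"              # server replies are out of scope here
    if name in NEEDS_BINDING and (chaddr, vlan) not in bindings:
        return "drop: no binding entry"
    if verify_mac and eth_src != chaddr:
        return "drop: source MAC differs from chaddr"
    return "forward"


if __name__ == "__main__":
    table = {(mac_bytes("00-11-22-33-44-55"), 1)}  # constructed binding table
    mismatched = build_dhcp_frame("00-11-22-33-44-55", "00-aa-bb-cc-dd-ee", 1)
    print(snoop_client_message(mismatched, 1, True, table))
    print(snoop_client_message(mismatched, 1, False, table))
```

With verification disabled, the second call forwards the same frame, which is why a client on an untrusted port can then present a different hardware address in every DISCOVER.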
Chapter 9 | General Security Measures DHCPv4 Snooping Example This example enables DHCP snooping for VLAN 1. Console(config)#ip dhcp snooping vlan 1 Console(config)# Related Commands ip dhcp snooping (339) ip dhcp snooping trust (348) ip dhcp snooping This command specifies DHCP Option 82 circuit-id suboption information. Use the information option no form to use the default settings.
Table 59: Option 82 information
Field:  opt82   opt-len   sub-opt1   string-len   R-124 string
Value:  82      3-69      1          1-67         x1 x2 x3 x4 x5 ... x63

The circuit identifier used by this switch starts at sub-option1 and goes to the end of the R-124 string. The R-124 string includes the following information:
■ sub-type - Distinguishes different types of circuit IDs.
■ sub-length - Length of the circuit ID type.
■ access node identifier - ASCII string.
Command Usage
◆ A trusted interface is an interface that is configured to receive only messages from within the network. An untrusted interface is an interface that is configured to receive messages from outside the network or firewall.
◆ Set all ports connected to DHCP servers within the local network or firewall to trusted, and all other ports outside the local network or firewall to untrusted.
Console#clear ip dhcp snooping binding 11-22-33-44-55-66 vlan 1
Console#

clear ip dhcp snooping database flash
This command removes all dynamically learned snooping entries from flash memory.

Command Mode
Privileged Exec

Example
Console#clear ip dhcp snooping database flash
Console#

ip dhcp snooping This command writes all dynamically learned snooping entries to flash memory.
Chapter 9 | General Security Measures DHCPv6 Snooping show ip dhcp This command shows the DHCP snooping configuration settings.
Chapter 9 | General Security Measures DHCPv6 Snooping information can be useful in tracking an IP address back to a physical port. This section describes commands used to configure DHCPv6 snooping.
Chapter 9 | General Security Measures DHCPv6 Snooping ◆ When enabled, DHCPv6 messages entering an untrusted interface are filtered based upon dynamic entries learned via DHCPv6 snooping. ◆ Table entries are only learned for trusted interfaces. Each entry includes a MAC address, IPv6 address, lease time, binding type, VLAN identifier, and port identifier. ◆ When DHCPv6 snooping is enabled, the rate limit for the number of DHCPv6 messages that can be processed by the switch is 100 packets per second.
■ If a DHCPv6 Reply packet is received from a server on a trusted port, it will be processed in the following manner:
  A. Check if IPv6 address in IA option is found in binding table:
     ■ If yes, continue to C.
     ■ If not, continue to B.
  B. Check if IPv6 address in IA option is found in binding cache:
     ■ If yes, continue to C.
     ■ If not, check failed, and forward packet to trusted port.
  C.
Chapter 9 | General Security Measures DHCPv6 Snooping ipv6 dhcp snooping This command enables the insertion of remote-id option 37 information into option remote-id DHCPv6 client messages. Remote-id option information such as the port attached to the client, DUID, and VLAN ID is used by the DHCPv6 server to assign preassigned configuration data specific to the DHCPv6 client. Use the no form of the command to disable this function.
Chapter 9 | General Security Measures DHCPv6 Snooping Example This example enables the DHCPv6 Snooping Remote-ID Option. Console(config)#ipv6 dhcp snooping option remote-id Console(config)# ipv6 dhcp snooping This command sets the remote-id option policy for DHCPv6 client packets that option remote-id include Option 37 information. Use the no form to disable this function.
ipv6 dhcp snooping vlan
This command enables DHCPv6 snooping on the specified VLAN. Use the no form to restore the default setting.

Syntax
[no] ipv6 dhcp snooping vlan {vlan-id | vlan-range}
vlan-id - ID of a configured VLAN (Range: 1-4094)
vlan-range - A consecutive range of VLANs indicated by the use of a hyphen, or a random group of VLANs with each entry separated by a comma.
Chapter 9 | General Security Measures DHCPv6 Snooping ipv6 dhcp snooping This command sets the maximum number of entries which can be stored in the max-binding binding database for an interface. Use the no form to restore the default setting. Syntax ipv6 dhcp snooping max-binding count no ipv6 dhcp snooping max-binding count - Maximum number of entries.
Chapter 9 | General Security Measures DHCPv6 Snooping VLAN according to the default status, or as specifically configured for an interface with the no ipv6 dhcp snooping trust command. ◆ When an untrusted port is changed to a trusted port, all the dynamic DHCPv6 snooping bindings associated with this port are removed. ◆ Additional considerations when the switch itself is a DHCPv6 client – The port(s) through which it submits a client request to the DHCPv6 server must be configured as trusted.
Chapter 9 | General Security Measures DHCPv6 Snooping clear ipv6 dhcp This command clears statistical counters for DHCPv6 snooping client, server and snooping statistics relay packets. Command Mode Privileged Exec Example Console(config)#clear ipv6 dhcp snooping statistics Console(config)# show ipv6 dhcp This command shows the DHCPv6 snooping configuration settings.
2001:b000::1 2591912 1 Eth 1/3 NA
Console#

show ipv6 dhcp snooping statistics
This command shows statistics for DHCPv6 snooping client, server and relay packets.
Table 61: IPv4 Source Guard Commands
Command                        Function                                                              Mode
show ip source-guard           Shows whether source guard is enabled or disabled on each interface   PE
show ip source-guard binding   Shows the source guard binding table                                  PE

ip source-guard binding
This command adds a static address to the source-guard ACL or MAC address binding table. Use the no form to remove a static entry.
Chapter 9 | General Security Measures IPv4 Source Guard ◆ When source guard is enabled, traffic is filtered based upon dynamic entries learned via DHCP snooping, or static addresses configured in the source guard binding table with this command. ◆ An entry with same MAC address and a different VLAN ID cannot be added to the binding table.
Chapter 9 | General Security Measures IPv4 Source Guard ip source-guard This command configures the switch to filter inbound traffic based on source IP address, or source IP address and corresponding MAC address. Use the no form to disable this function. Syntax ip source-guard {sip | sip-mac} no ip source-guard sip - Filters traffic based on IP addresses stored in the binding table. sip-mac - Filters traffic based on IP addresses and corresponding MAC addresses stored in the binding table.
Chapter 9 | General Security Measures IPv4 Source Guard the sip-mac option). If a matching entry is found in the binding table and the entry type is static IP source guard binding, the packet will be forwarded. ■ If the DHCP snooping is enabled, IP source guard will check the VLAN ID, source IP address, port number, and source MAC address (for the sip-mac option).
Chapter 9 | General Security Measures IPv4 Source Guard Command Mode Interface Configuration (Ethernet) Command Usage ◆ This command sets the maximum number of address entries that can be mapped to an interface in the binding table for the specified mode (ACL binding table or MAC address table) including dynamic entries discovered by DHCP snooping and static entries set by the ip source-guard command. ◆ The maximum binding for ACL mode restricts the number of “active” entries per port.
Chapter 9 | General Security Measures IPv4 Source Guard Command Usage There are two modes for the filtering table: ◆ ACL - IP traffic will be forwarded if it passes the checking process in the ACL mode binding table. ◆ MAC - A MAC entry will be added in MAC address table if IP traffic passes the checking process in MAC mode binding table.
Example
Console#show ip source-guard

                                   ACL Table   MAC Table
Interface Filter-type Filter-table Max-binding Max-binding
--------- ----------- ------------ ----------- -----------
Eth 1/1   DISABLED    ACL                    5        1024
Eth 1/2   DISABLED    ACL                    5        1024
Eth 1/3   DISABLED    ACL                    5        1024
Eth 1/4   DISABLED    ACL                    5        1024
Eth 1/5   DISABLED    ACL                    5        1024
.
.
.

show ip source-guard binding
This command shows the source guard binding table.
Chapter 9 | General Security Measures IPv6 Source Guard IPv6 Source Guard IPv6 Source Guard is a security feature that filters IPv6 traffic on non-routed, Layer 2 network interfaces based on manually configured entries in the IPv6 Source Guard table, or dynamic entries in the Neighbor Discovery Snooping table or DHCPv6 Snooping table when either snooping protocol is enabled (see “DHCPv6 Snooping” on page 351).
Chapter 9 | General Security Measures IPv6 Source Guard Default Setting No configured entries Command Mode Global Configuration Command Usage ◆ Table entries include an associated MAC address, IPv6 global unicast address, entry type (Static-IPv6-SG-Binding, Dynamic-ND-Snooping, Dynamic-DHCPv6Snooping), VLAN identifier, and port identifier. ◆ Traffic filtering is based only on the source IPv6 address, VLAN ID, and port number.
Chapter 9 | General Security Measures IPv6 Source Guard Related Commands ipv6 source-guard (371) ipv6 dhcp snooping (352) ipv6 dhcp snooping vlan (357) ipv6 source-guard This command configures the switch to filter inbound traffic based on the source IP address stored in the binding table. Use the no form to disable this function.
Chapter 9 | General Security Measures IPv6 Source Guard ◆ If IPv6 source guard is enabled, an inbound packet’s source IPv6 address will be checked against the binding table. If no matching entry is found, the packet will be dropped. ◆ Filtering rules are implemented as follows: ■ If ND snooping and DHCPv6 snooping are disabled, IPv6 source guard will check the VLAN ID, source IPv6 address, and port number.
Chapter 9 | General Security Measures IPv6 Source Guard Command Mode Interface Configuration (Ethernet) Command Usage ◆ This command sets the maximum number of address entries that can be mapped to an interface in the binding table, including both dynamic entries discovered by ND snooping, DHCPv6 snooping, and static entries set by the ipv6 source-guard command. ◆ IPv6 source guard maximum bindings must be set to a value higher than DHCPv6 snooping maximum bindings and ND snooping maximum bindings.
.
.
.

show ipv6 source-guard binding
This command shows the IPv6 source guard binding table.

Syntax
show ipv6 source-guard binding [dynamic | static]
dynamic - Shows dynamic entries configured with ND Snooping or DHCPv6 Snooping commands (see page 351)
static - Shows static entries configured with the ipv6 source-guard binding command.
Table 63: ARP Inspection Commands (Continued)
Command                      Function                                                                Mode
ip arp inspection validate   Specifies additional validation of address components in an ARP packet  GC
ip arp inspection vlan       Enables ARP Inspection for a specified VLAN or range of VLANs           GC
ip arp inspection limit      Sets a rate limit for the ARP packets received on a port                IC
ip arp inspection trust      Sets a port as trusted, and thus exempted from ARP Inspection           IC
show ip arp ins
Chapter 9 | General Security Measures ARP Inspection ◆ When ARP Inspection is disabled, all ARP request and reply packets bypass the ARP Inspection engine and their manner of switching matches that of all other packets. ◆ Disabling and then re-enabling global ARP Inspection will not affect the ARP Inspection configuration for any VLANs. ◆ When ARP Inspection is disabled globally, it is still possible to configure ARP Inspection for individual VLANs.
Chapter 9 | General Security Measures ARP Inspection ◆ If static mode is not enabled, packets are first validated against the specified ARP ACL. Packets matching a deny rule are dropped. All remaining packets are validated against the address bindings in the DHCP snooping database.
Chapter 9 | General Security Measures ARP Inspection ◆ The switch generates a system message on a rate-controlled basis determined by the seconds values. After the system message is generated, all entries are cleared from the log buffer. Example Console(config)#ip arp inspection log-buffer logs 1 interval 10 Console(config)# ip arp inspection This command specifies additional validation of address components in an ARP validate packet. Use the no form to restore the default setting.
ip arp inspection vlan
This command enables ARP Inspection for a specified VLAN or range of VLANs. Use the no form to disable this function.

Syntax
[no] ip arp inspection vlan {vlan-id | vlan-range}
vlan-id - VLAN ID. (Range: 1-4094)
vlan-range - A consecutive range of VLANs indicated by the use of a hyphen, or a random group of VLANs with each entry separated by a comma.
Chapter 9 | General Security Measures ARP Inspection ip arp inspection limit This command sets a rate limit for the ARP packets received on a port. Use the no form to restore the default setting. Syntax ip arp inspection limit {rate pps | none} no ip arp inspection limit pps - The maximum number of ARP packets that can be processed by the CPU per second on trusted or untrusted ports.
Chapter 9 | General Security Measures ARP Inspection Example Console(config)#interface ethernet 1/1 Console(config-if)#ip arp inspection trust Console(config-if)# show ip arp inspection This command displays the global configuration settings for ARP Inspection.
Chapter 9 | General Security Measures ARP Inspection show ip arp inspection This command shows information about entries stored in the log, including the log associated VLAN, port, and address components. Command Mode Privileged Exec Example Console#show ip arp inspection log Total log entries number is 1 Num VLAN Port Src IP Address --- ---- ---- -------------1 1 11 192.168.2.2 Console# Dst IP Address -------------192.168.2.
Chapter 9 | General Security Measures Denial of Service Protection Command Usage Enter this command to display the configuration settings for all VLANs, or display the settings for a specific VLAN by entering the VLAN identifier.
dos-protection echo-chargen
This command protects against DoS echo/chargen attacks in which the echo service repeats anything sent to it, and the chargen (character generator) service generates a continuous stream of data. When used together, they create an infinite loop and result in a denial-of-service. Use the no form without the bit rate parameter to disable this feature, or with the bit rate parameter to restore the default rate limit.
dos-protection tcp-flooding
This command protects against DoS TCP-flooding attacks in which a perpetrator sends a succession of TCP SYN requests (with or without a spoofed source IP) to a target and never returns ACK packets. These half-open connections will bind resources on the target, and no new connections can be made, resulting in a denial of service.
Example
Console(config)#dos-protection tcp-null-scan
Console(config)#

dos-protection tcp-syn-fin-scan
This command protects against DoS TCP-SYN/FIN-scan attacks in which a TCP SYN/FIN scan message is used to identify listening TCP ports. The scan uses a series of strangely configured TCP packets which contain SYN (synchronize) and FIN (finish) flags. If the target's TCP port is closed, the target replies with a TCP RST (reset) packet.
dos-protection tcp-xmas-scan
This command protects against DoS TCP-xmas-scan in which a so-called TCP XMAS scan message is used to identify listening TCP ports. This scan uses a series of strangely configured TCP packets which contain a sequence number of 0 and the URG, PSH and FIN flags. If the target's TCP port is closed, the target replies with a TCP RST packet. If the target TCP port is open, it simply discards the TCP XMAS scan.
dos-protection win-nuke
This command protects against DoS WinNuke attacks, which affected the Microsoft Windows 3.1x/95/NT operating systems. In this type of attack, the perpetrator sends a string of out-of-band (OOB) packets containing a TCP URG flag to the target computer on TCP port 139 (NetBIOS), causing it to lock up and display a “Blue Screen of Death.”
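The header conditions behind the scan and WinNuke protections above can be checked offline against captured TCP segments, for example when confirming what a port mirror shows once dos-protection is enabled. This classifier is an added example, not the switch's detection code; the function names are hypothetical, the sample segments are constructed, and the null-scan condition (no flags set) is the conventional definition, since its description does not appear in this part of the guide.

```python
import struct
from collections import Counter

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
XMAS = URG | PSH | FIN
NETBIOS_SESSION_PORT = 139


def make_segment(sport, dport, seq, flags):
    """Constructed input: a 20-byte TCP header with no options or payload."""
    return struct.pack("!HHIIHHHH", sport, dport, seq, 0, (5 << 12) | flags, 8192, 0, 0)


def parse_tcp(segment):
    """Extract the fields the dos-protection descriptions refer to."""
    if len(segment) < 20:
        raise ValueError("TCP header shorter than 20 bytes")
    sport, dport, seq, _ack, off_flags = struct.unpack_from("!HHIIH", segment)
    header_len = (off_flags >> 12) * 4
    if header_len < 20 or header_len > len(segment):
        raise ValueError("invalid TCP data offset")
    return {"sport": sport, "dport": dport, "seq": seq, "flags": off_flags & 0x3F}


def classify(segment):
    """Return the matching dos-protection keyword, or None for normal traffic."""
    tcp = parse_tcp(segment)
    flags = tcp["flags"]
    # Xmas scan: sequence number 0 with URG, PSH and FIN set
    if tcp["seq"] == 0 and flags & XMAS == XMAS:
        return "tcp-xmas-scan"
    # SYN/FIN scan: SYN and FIN in the same segment
    if flags & SYN and flags & FIN:
        return "tcp-syn-fin-scan"
    # Null scan: no control flags at all (conventional definition, see lead-in)
    if flags == 0:
        return "tcp-null-scan"
    # WinNuke: URG flag toward TCP port 139 (NetBIOS)
    if flags & URG and tcp["dport"] == NETBIOS_SESSION_PORT:
        return "win-nuke"
    return None


def summarize(segments):
    """Count matches per keyword across a list of raw TCP segments."""
    return Counter(label for label in map(classify, segments) if label)


# Constructed capture: four suspicious segments and two ordinary ones.
SAMPLE = [
    make_segment(40000, 80, 0, FIN | PSH | URG),
    make_segment(40001, 22, 1000, SYN | FIN),
    make_segment(40002, 443, 0, 0),
    make_segment(40003, 139, 5, URG | ACK),
    make_segment(40004, 80, 5, SYN),
    make_segment(40005, 80, 7, ACK | PSH),
]

if __name__ == "__main__":
    for keyword, count in sorted(summarize(SAMPLE).items()):
        print(f"{keyword}: {count}")
```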
Chapter 9 | General Security Measures Port-based Traffic Segmentation Port-based Traffic Segmentation If tighter security is required for passing traffic from different clients through downlink ports on the local network and over uplink ports to the service provider, port-based traffic segmentation can be used to isolate traffic for individual clients. Traffic belonging to each client is isolated to the allocated downlink ports.
Chapter 9 | General Security Measures Port-based Traffic Segmentation ◆ When traffic segmentation is enabled, the forwarding state for the uplink and downlink ports assigned to different client sessions is shown below.
Chapter 9 | General Security Measures Port-based Traffic Segmentation Command Mode Global Configuration Command Usage ◆ Use this command to create a new traffic-segmentation client session. ◆ Using the no form of this command will remove any assigned uplink or downlink ports, restoring these interfaces to normal operating mode.
Chapter 9 | General Security Measures Port-based Traffic Segmentation ◆ A downlink port can only communicate with an uplink port in the same session. Therefore, if an uplink port is not configured for a session, the assigned downlink ports will not be able to communicate with any other ports. ◆ If a downlink port is not configured for the session, the assigned uplink ports will operate as normal ports.
Chapter 9 | General Security Measures Port-based Traffic Segmentation show This command displays the configured traffic segments.
10 Access Control Lists

Access Control Lists (ACL) provide packet filtering for IPv4 frames (based on address, protocol, Layer 4 protocol port number or TCP control code), IPv6 frames (based on address, DSCP traffic class, or next header type), or any frames (based on MAC address or Ethernet type). To filter packets, first create an access list, add the required rules, and then bind the list to a specific port. This section describes the Access Control List commands.
IPv4 ACLs

access-list ip
This command adds an IP access list and enters configuration mode for standard or extended IPv4 ACLs. Use the no form to remove the specified ACL.

Syntax
[no] access-list ip {standard | extended} acl-name
standard – Specifies an ACL that filters packets based on the source IP address.
extended – Specifies an ACL that filters packets based on the source or destination IP address, and other more specific criteria.
acl-name – Name of the ACL.
ip access-group (Global Configuration)
This command binds an IPv4 ACL to all ports for ingress traffic. Use the no form to remove the port.

Syntax
ip access-group acl-name in [time-range time-range-name] [counter]
no ip access-group acl-name in
acl-name – Name of the ACL. (Maximum length: 32 characters)
in – Indicates that this list applies to ingress packets.
time-range-name - Name of the time range.
permit, deny (Standard IP ACL)
This command adds a rule to a Standard IPv4 ACL. The rule sets a filter condition for packets emanating from the specified source. Use the no form to remove a rule.

Syntax
{permit | deny} {any | source bitmask | host source} [time-range time-range-name]
no {permit | deny} {any | source bitmask | host source}
any – Any source IP address.
source – Source IP address.
permit, deny (Extended IPv4 ACL)
This command adds a rule to an Extended IPv4 ACL. The rule sets a filter condition for packets with specific source or destination IP addresses, protocol types, source or destination protocol ports, or TCP control codes. Use the no form to remove a rule.
port-bitmask – Decimal number representing the port bits to match. (Range: 0-65535)
control-flags – Decimal number (representing a bit string) that specifies flag bits in byte 14 of the TCP header. (Range: 0-63)
flag-bitmask – Decimal number representing the code bits to match.
time-range-name - Name of the time range. (Range: 1-16 characters)

Default Setting
None

Command Mode
Extended IPv4 ACL

Command Usage
◆ All new rules are appended to the end of the list.
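The bitmask parameters above all work the same way: only the bits set in the mask are compared. The model below is an added example, not the switch's ACL engine; the class and function names are hypothetical, evaluation in list order with the first matching rule deciding is an assumption, and the control-flags rule is constructed. The address and mask pairs 10.7.1.1 255.255.255.0 and 168.92.0.0 255.255.15.0 are the ones shown in this section's examples, the second being a mask whose set bits are not contiguous.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Low six bits of byte 14 of the TCP header, as used by control-flags (0-63)
FIN, SYN, RST, PSH, ACK, URG = 1, 2, 4, 8, 16, 32
TCP = 6


def ip(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    protocol: int
    dport: int = 0
    tcp_flags: int = 0


@dataclass(frozen=True)
class Rule:
    action: str                         # "permit" or "deny"
    src: str = "0.0.0.0"
    src_mask: str = "0.0.0.0"           # all-zero bitmask compares no bits ("any")
    dst: str = "0.0.0.0"
    dst_mask: str = "0.0.0.0"
    protocol: Optional[int] = None
    dport: Optional[int] = None
    dport_mask: int = 0xFFFF
    control_flags: Optional[int] = None
    flag_mask: int = 0


def masked_equal(rule_value: int, packet_value: int, mask: int) -> bool:
    """(rule & mask) == (packet & mask), the comparison the guide describes."""
    return (rule_value & mask) == (packet_value & mask)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if not masked_equal(ip(rule.src), ip(pkt.src), ip(rule.src_mask)):
        return False
    if not masked_equal(ip(rule.dst), ip(pkt.dst), ip(rule.dst_mask)):
        return False
    if rule.protocol is not None and rule.protocol != pkt.protocol:
        return False
    if rule.dport is not None and not masked_equal(rule.dport, pkt.dport, rule.dport_mask):
        return False
    if rule.control_flags is not None:
        if pkt.protocol != TCP:
            return False
        if not masked_equal(rule.control_flags, pkt.tcp_flags, rule.flag_mask):
            return False
    return True


def evaluate(acl, pkt: Packet) -> Optional[str]:
    """Assumed first-match evaluation; None means no rule in the list matched."""
    for rule in acl:
        if rule_matches(rule, pkt):
            return rule.action
    return None


ACL = [
    # Constructed rule: TCP segments to 10.7.1.x with SYN set and ACK clear
    Rule("deny", dst="10.7.1.0", dst_mask="255.255.255.0", protocol=TCP,
         control_flags=SYN, flag_mask=SYN | ACK),
    # From the guide's example: permit 10.7.1.1 255.255.255.0 any
    Rule("permit", src="10.7.1.1", src_mask="255.255.255.0"),
    # From the guide's show output: permit 168.92.0.0 255.255.15.0
    Rule("permit", src="168.92.0.0", src_mask="255.255.15.0"),
]

if __name__ == "__main__":
    for source in ("10.7.1.2", "168.92.16.77", "168.92.1.5"):
        print(source, evaluate(ACL, Packet(source, "192.0.2.10", 17)))
```

With the mask 255.255.15.0 only the low four bits of the third octet are compared, so 168.92.16.77 matches the rule while 168.92.1.5 does not; auditing a rule set for masks like this is a quick way to find entries that match more, or less, than intended.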
Example
This example accepts any incoming packets if the source address is within subnet 10.7.1.x. That is, if the masked rule address (10.7.1.0 & 255.255.255.0) equals the masked packet address (10.7.1.2 & 255.255.255.0), the rule is matched and the packet passes through.
Console(config-ext-acl)#permit 10.7.1.1 255.255.255.0 any
Console(config-ext-acl)#
This allows TCP packets from class C addresses 192.168.1.
Command Mode
Interface Configuration (Ethernet)

Command Usage
If an ACL is already bound to a port and you bind a different ACL to it, the switch will replace the old binding with the new one.

Example
Console(config)#int eth 1/2
Console(config-if)#ip access-group david in
Console(config-if)#

Related Commands
show ip access-list (402)
Time Range (189)

show ip access-group
This command shows the ports assigned to IP ACLs.
Example
Console#show ip access-list standard
IP standard access-list david:
  permit host 10.1.1.21
  permit 168.92.0.0 255.255.15.0
Console#

Related Commands
permit, deny (398)
ip access-group (Interface Configuration) (401)

IPv6 ACLs
The commands in this section configure ACLs based on IPv6 addresses, DSCP traffic class, or next header type.
Default Setting
None

Command Mode
Global Configuration

Command Usage
◆ When you create a new ACL or enter configuration mode for an existing ACL, use the permit or deny command to add new rules to the bottom of the list. To create an ACL, you must add at least one rule to the list.
◆ To remove a rule, use the no permit or no deny command followed by the exact text of a previously configured rule.
◆ An ACL can contain up to 64 rules.
Command Usage
If a port is already bound to an ACL and you bind it to a different ACL, the switch will replace the old binding with the new one.

Example
Console(config)#ipv6 access-group standard david in
Console(config)#

Related Commands
show ipv6 access-list (409)
Time Range (189)

permit, deny (Standard IPv6 ACL)
This command adds a rule to a Standard IPv6 ACL. The rule sets a filter condition for packets emanating from the specified source.
Example
This example configures one permit rule for the specific address 2009:DB9:2229::79 and another rule for the addresses with the network prefix 2009:DB9:2229:5::/64.
Console(config-std-ipv6-acl)#permit host 2009:DB9:2229::79
Console(config-std-ipv6-acl)#permit 2009:DB9:2229:5::/64
Console(config-std-ipv6-acl)#

Related Commands
access-list ipv6 (403)
Time Range (189)

permit, deny
This command adds a rule to an Extended IPv6 ACL.
next-header – Identifies the type of header immediately following the IPv6 header. (Range: 0-255)
time-range-name - Name of the time range. (Range: 1-16 characters)

Default Setting
None

Command Mode
Extended IPv6 ACL

Command Usage
◆ All new rules are appended to the end of the list.
◆ Optional internet-layer information is encoded in separate headers that may be placed between the IPv6 header and the upper-layer header in a packet.
Here is a more detailed example for setting the CPU rate limit for SNMP packets.
Command Usage
If a port is already bound to an ACL and you bind it to a different ACL, the switch will replace the old binding with the new one.

Example
Console(config)#interface ethernet 1/2
Console(config-if)#ipv6 access-group standard david in
Console(config-if)#

Related Commands
show ipv6 access-list (409)
Time Range (189)

show ipv6
This command shows the ports assigned to IPv6 ACLs.
  permit 2009:DB9:2229:5::/64
Console#

Related Commands
permit, deny (Standard IPv6 ACL) (405)
permit, deny (Extended IPv6 ACL) (406)
ipv6 access-group (Interface Configuration) (408)

MAC ACLs
The commands in this section configure ACLs based on hardware addresses, packet format, and Ethernet type. The ACLs can further specify optional IP and IPv6 addresses including protocol type and upper layer ports.
Command Usage
◆ When you create a new ACL or enter configuration mode for an existing ACL, use the permit or deny command to add new rules to the bottom of the list.
◆ To remove a rule, use the no permit or no deny command followed by the exact text of a previously configured rule.
◆ An ACL can contain up to 2048 rules.

Related Commands
show mac access-list (416)
Time Range (189)

permit, deny (MAC ACL)
This command adds a rule to a MAC ACL. The rule filters packets matching a specified MAC source or destination address (i.e., physical layer address), or Ethernet protocol type. Rules can also filter packets based on IPv4/v6 addresses, including Layer 4 ports and protocol types. Use the no form to remove a rule.
Chapter 10 | Access Control Lists MAC ACLs {permit | deny} tagged-eth2 {any | host source | source address-bitmask} {any | host destination | destination address-bitmask} [vid vid vid-bitmask] [ethertype ethertype [ethertype-bitmask]] {{ip {any | host source-ip | source-ip network-mask} {any | host destination-ip | destination-ip network-mask} {ipv6 {any | host source-ipv6 | source-ipv6/prefix-length} {any | host destination-ipv6 | destination-ipv6/prefix-length}} [protocol protocol] [l4-source-port sport
Chapter 10 | Access Control Lists MAC ACLs {permit | deny} tagged-802.3 {any | host source | source address-bitmask} {any | host destination | destination address-bitmask} [vid vid vid-bitmask] [time-range time-range-name] no {permit | deny} tagged-802.3 {any | host source | source address-bitmask} {any | host destination | destination address-bitmask} [vid vid vid-bitmask] {permit | deny} untagged-802.
port-bitmask – Decimal number representing the port bits to match. (Range: 0-65535)
time-range-name - Name of the time range. (Range: 1-32 characters)

Default Setting
None

Command Mode
MAC ACL

Command Usage
◆ New rules are added to the end of the list.
◆ The ethertype option can only be used to filter Ethernet II formatted packets.
◆ A detailed listing of Ethernet protocol types can be found in RFC 1060.

time-range-name - Name of the time range. (Range: 1-32 characters)
counter – Enables counter for ACL statistics.

Default Setting
None

Command Mode
Interface Configuration (Ethernet)

Command Usage
If an ACL is already bound to a port and you bind a different ACL to it, the switch will replace the old binding with the new one.
Command Mode
Privileged Exec

Example
Console#show mac access-list
MAC access-list jerry:
  permit any 00-e0-29-94-34-de ethertype 0800
Console#

Related Commands
permit, deny (412)
mac access-group (Interface Configuration) (415)

ARP ACLs
The commands in this section configure ACLs based on the IP or MAC address contained in ARP request and reply messages.
Command Usage
◆ When you create a new ACL or enter configuration mode for an existing ACL, use the permit or deny command to add new rules to the bottom of the list. To create an ACL, you must add at least one rule to the list.
◆ To remove a rule, use the no permit or no deny command followed by the exact text of a previously configured rule.
◆ An ACL can contain up to 128 rules.
log - Logs a packet when it matches the access control entry.

Default Setting
None

Command Mode
ARP ACL

Command Usage
New rules are added to the end of the list.

Example
This rule permits packets from any source IP and MAC address to the destination subnet address 192.168.0.0.
Console(config-arp-acl)#$permit response ip any 192.168.0.0 255.255.0.
ACL Information
This section describes commands used to display ACL information.

Table 72: ACL Information Commands
Command | Function | Mode
clear access-list hardware counters | Clears hit counter for rules in all ACLs, or in a specified ACL. |
show access-group
This command shows the port assignments of ACLs.

Command Mode
Privileged Executive

Example
Console#show access-group
Interface ethernet 1/2
  IP access-list david
  MAC access-list jerry
Console#

show access-list
This command shows all ACLs and associated rules.
MAC access-list jerry:
  permit any host 00-30-29-94-34-de ethertype 800 800
IP extended access-list A6:
  deny tcp any any control-flag 2 2
  permit any any
Console#
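The bitmask comparison that this chapter describes for IPv4 ACL rules, worked through in Python as an added example (it is not taken from the switch software or from this guide). The Rule and Packet classes and the helper names are hypothetical, evaluating rules in list order and stopping at the first match is an assumption, and the "control-flag 2 18" rule and the packet addresses are constructed for contrast; the remaining rules are the ones shown in this chapter's examples.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple

# Standard TCP control-flag bit values; together they span the 0-63 range.
FIN, SYN, RST, PSH, ACK, URG = 1, 2, 4, 8, 16, 32

# (pattern, bitmask): a 1 bit in the bitmask is compared, a 0 bit is ignored.
Masked = Tuple[int, int]


def ip(addr: str) -> int:
    """Dotted-quad IPv4 address or bitmask as a 32-bit integer."""
    return int(ipaddress.IPv4Address(addr))


def masked(addr: str, bitmask: str) -> Masked:
    return ip(addr), ip(bitmask)


def masked_equal(value: int, spec: Optional[Masked]) -> bool:
    """(value & bitmask) == (pattern & bitmask); a spec of None means 'any'."""
    if spec is None:
        return True
    pattern, bitmask = spec
    return (value & bitmask) == (pattern & bitmask)


def is_contiguous(bitmask: str) -> bool:
    """True when the bitmask is an unbroken run of 1 bits followed by 0 bits."""
    inverted = ~ip(bitmask) & 0xFFFFFFFF
    return (inverted & (inverted + 1)) == 0


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    protocol: str          # "tcp", "udp", ...
    tcp_flags: int = 0     # only meaningful when protocol == "tcp"


@dataclass(frozen=True)
class Rule:
    action: str                              # "permit" or "deny"
    src: Optional[Masked] = None             # None = any
    dst: Optional[Masked] = None             # None = any
    protocol: Optional[str] = None           # None = any protocol
    control_flags: Optional[Masked] = None   # (control-flags, flag-bitmask)

    def matches(self, pkt: Packet) -> bool:
        if self.protocol is not None and pkt.protocol != self.protocol:
            return False
        if self.control_flags is not None and pkt.protocol != "tcp":
            return False
        return (masked_equal(ip(pkt.src), self.src)
                and masked_equal(ip(pkt.dst), self.dst)
                and masked_equal(pkt.tcp_flags, self.control_flags))


def first_match(rules: Sequence[Rule], pkt: Packet) -> Optional[str]:
    """Action of the first rule that matches, or None when no rule matches."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return None


# permit 10.7.1.1 255.255.255.0 any
ACL_SUBNET = [Rule("permit", src=masked("10.7.1.1", "255.255.255.0"))]

# IP standard access-list david (note the non-contiguous bitmask)
ACL_DAVID = [
    Rule("permit", src=masked("10.1.1.21", "255.255.255.255")),
    Rule("permit", src=masked("168.92.0.0", "255.255.15.0")),
]

# IP extended access-list A6: deny tcp any any control-flag 2 2 / permit any any
ACL_A6 = [Rule("deny", protocol="tcp", control_flags=(SYN, SYN)), Rule("permit")]

# Constructed variant: flag-bitmask 18 also inspects ACK, so SYN+ACK is spared.
ACL_SYN_ONLY = [Rule("deny", protocol="tcp", control_flags=(SYN, SYN | ACK)),
                Rule("permit")]

if __name__ == "__main__":
    dst = "192.0.2.1"  # constructed destination address
    for third_octet in (0, 1, 16, 240):
        pkt = Packet(f"168.92.{third_octet}.5", dst, "udp")
        print(pkt.src, "->", first_match(ACL_DAVID, pkt))
    for flags in (SYN, SYN | ACK, ACK):
        pkt = Packet("10.7.1.2", dst, "tcp", flags)
        print(flags, first_match(ACL_A6, pkt), first_match(ACL_SYN_ONLY, pkt))
```

The bitmask 255.255.15.0 compares only the low four bits of the third octet, so 168.92.16.x and 168.92.240.x match the second rule of "david" while 168.92.1.x does not; is_contiguous() is a quick audit check for masks of this kind.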
11 Interface Commands These commands are used to display or set communication parameters for an Ethernet port, aggregated link, or VLAN; or perform cable diagnostics on the specified interface.
Chapter 11 | Interface Commands Interface Configuration Table 73: Interface Commands (Continued) Command Function Mode transceiver-threshold current Sets thresholds for transceiver current which can be used to trigger an alarm or warning message IC transceiver-threshold rx-power Sets thresholds for the transceiver power level of the received signal which can be used to trigger an alarm or warning message IC transceiver-threshold temperature Sets thresholds for the transceiver temperature which ca
Default Setting
None

Command Mode
Global Configuration

Example
To specify several different ports, enter the following command:
Console(config)#interface ethernet 1/17-20,23
Console(config-if)#

alias
This command configures an alias name for the interface. Use the no form to remove the alias name.

Syntax
alias string
no alias
string - A mnemonic name to help you remember what is attached to this interface.
Chapter 11 | Interface Commands Interface Configuration capabilities This command advertises the port capabilities of a given interface during autonegotiation. Use the no form with parameters to remove an advertised capability, or the no form without parameters to restore the default values.
Related Commands
negotiation (430)
speed-duplex (431)
flowcontrol (428)

description
This command adds a description to an interface. Use the no form to remove the description.

Syntax
description string
no description
string - Comment or a description to help you remember what is attached to this interface.
Command Mode
Interface Configuration (Ethernet)

Command Usage
Use the no discard command to allow CDP or PVST packets to be forwarded to other ports in the same VLAN which are also configured to forward the specified packet type.

Example
The following example forwards CDP packets entering port 5.
Console(config)#interface ethernet 1/5
Console(config-if)#no discard cdp
Console(config-if)#

flowcontrol
This command enables flow control.

Example
The following example enables flow control on port 5.
Console(config)#interface ethernet 1/5
Console(config-if)#flowcontrol
Console(config-if)#no negotiation
Console(config-if)#

Related Commands
negotiation (430)
capabilities (426)

media-type
This command forces the transceiver mode to use for SFP/SFP+ ports, or the port type to use for combination RJ-45/SFP ports. Use the no form to restore the default mode.

Example
This forces the switch to use the 1000sfp mode for SFP port 28.
Console(config)#interface ethernet 1/28
Console(config-if)#media-type sfp-forced 1000sfp
Console(config-if)#

negotiation
This command enables auto-negotiation for a given interface. Use the no form to disable auto-negotiation.
Chapter 11 | Interface Commands Interface Configuration shutdown This command disables an interface. To restart a disabled interface, use the no form. Syntax [no] shutdown Default Setting All interfaces are enabled. Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage This command allows you to disable a port due to abnormal behavior (e.g., excessive collisions), and then re-enable it after the problem has been resolved. You may also want to disable a port for security reasons.
Chapter 11 | Interface Commands Interface Configuration Command Usage ◆ The 1000BASE-T standard does not support forced mode. Auto-negotiation should always be used to establish a connection over any 1000BASE-T port or trunk. If not used, the success of the link process cannot be guaranteed when connecting to other types of switches. ◆ To force operation to the speed and duplex mode specified in a speed-duplex command, use the no negotiation command to disable auto-negotiation on the selected interface.
Chapter 11 | Interface Commands Interface Configuration Command Usage Statistics are only initialized for a power reset. This command sets the base value for displayed statistics to zero for the current management session. However, if you log out and back into the management interface, the statistics displayed will show the absolute value accumulated since the last power reset. Example The following example clears statistics on port 5.
Chapter 11 | Interface Commands Interface Configuration ◆ The Type field will always display “NA” for a trunk entry because a trunk allows for mixed port types such as 1000BASE-T and 1000BASE SFP. ◆ If link status is down due to an administrative setting or the result of a protocol state, the reason will be listed in the Status field (i.e., STP LBD, BpduGuard, LinkDet, DynQoS, PortSec, LBD, ATC Bcast, ATC Mcast, UDLD).
0 Error Input
0 Error Output
0 Unknown Protocols Input
0 QLen Output
===== Extended Iftable Stats =====
23 Multi-cast Input
5525 Multi-cast Output
170 Broadcast Input
11 Broadcast Output
===== Ether-like Stats =====
0 Alignment Errors
0 FCS Errors
0 Single Collision Frames
0 Multiple Collision Frames
0 SQE Test Errors
0 Deferred Transmissions
0 Late Collisions
0 Excessive Collisions
0 Internal Mac Transmit Errors
0 Internal Mac Receive Errors
0 Frame
Chapter 11 | Interface Commands Interface Configuration Table 74: show interfaces counters - display description (Continued) Parameter Description Unicast Input The number of subnetwork-unicast packets delivered to a higher-layer protocol. Unicast Output The total number of packets that higher-level protocols requested be transmitted to a subnetwork-unicast address, including those that were discarded or not sent.
Chapter 11 | Interface Commands Interface Configuration Table 74: show interfaces counters - display description (Continued) Parameter Description Excessive Collisions A count of frames for which transmission on a particular interface fails due to excessive collisions. This counter does not increment when the interface is operating in full-duplex mode. Internal MAC Transmit Errors A count of frames for which transmission on a particular interface fails due to an internal MAC sublayer transmit error.
Chapter 11 | Interface Commands Interface Configuration Table 74: show interfaces counters - display description (Continued) Parameter Description 64 Octets The total number of packets (including bad packets) received and transmitted that were less than 64 octets in length (excluding framing bits but including FCS octets).
Basic Information:
  Port Type : 1000BASE-T
  MAC Address : 00-E0-0C-00-00-FE
Configuration:
  Name :
  Port Admin : Up
  Speed-duplex : Auto
  Capabilities : 10half, 10full, 100half, 100full, 1000full
  Broadcast Storm : Enabled
  Broadcast Storm Limit : 500 packets/second
  Multicast Storm : Disabled
  Multicast Storm Limit : 500 packets/second
  Unknown Unicast Storm : Disabled
  Unknown Unicast Storm Limit : 500 packets/second
  Flow Control : Disabled
  VLAN Trunking : Disa
Chapter 11 | Interface Commands Interface Configuration Example This example shows the configuration setting for port 1.
Chapter 11 | Interface Commands Transceiver Threshold Configuration Table 75: show interfaces switchport - display description (Continued) Field Description 802.1Q-tunnel Status Shows if 802.1Q tunnel is enabled on this interface (page 603). 802.1Q-tunnel Mode Shows the tunnel mode as Normal, 802.1Q Tunnel or 802.1Q Tunnel Uplink (page 604). 802.1Q-tunnel TPID Shows the Tag Protocol Identifier used for learning and switching packets (page 607).
Example
Console(config)#interface ethernet 1/1
Console(config-if)#transceiver-threshold-auto
Console#

transceiver-threshold current
This command sets thresholds for transceiver current which can be used to trigger an alarm or warning message. Use the no form to restore the default settings.
Chapter 11 | Interface Commands Transceiver Threshold Configuration ◆ Threshold events are triggered as described above to avoid a hysteresis effect which would continuously trigger event messages if the power level were to fluctuate just above and below either the high threshold or the low threshold. ◆ Trap messages enabled by the transceiver-monitor command are sent to any management station configured by the snmp-server host command.
Chapter 11 | Interface Commands Transceiver Threshold Configuration ◆ Refer to the Command Usage section under the transceiver-threshold current command for more information on configuring transceiver thresholds. ◆ Trap messages enabled by the transceiver-monitor command are sent to any management station configured by the snmp-server host command. Example The following example sets alarm thresholds for the signal power received at port 1.
Chapter 11 | Interface Commands Transceiver Threshold Configuration ◆ Trap messages enabled by the transceiver-monitor command are sent to any management station configured by the snmp-server host command. Example The following example sets alarm thresholds for the transceiver temperature at port 1.
Chapter 11 | Interface Commands Transceiver Threshold Configuration ◆ Trap messages enabled by the transceiver-monitor command are sent to any management station configured by the snmp-server host command. Example The following example sets alarm thresholds for the signal power transmitted at port 1.
Chapter 11 | Interface Commands Transceiver Threshold Configuration Example The following example sets alarm thresholds for the transceiver voltage at port 1.
DDM Info
  Temperature  : 35.64 degree C
  Vcc          : 3.25 V
  Bias Current : 12.13 mA
  TX Power     : 2.36 dBm
  RX Power     : -24.20 dBm
DDM Thresholds
                        Low Alarm  Low Warning  High Warning  High Alarm
                        ---------  -----------  ------------  ----------
  Temperature(Celsius)     -45.00       -40.00         85.00       90.00
  Voltage(Volts)             2.90         3.00          3.60        3.70
  Current(mA)                1.00         3.00         50.00       60.00
  TxPower(dBm)             -11.50       -10.50         -2.00       -1.00
  RxPower(dBm)             -23.98       -23.01         -1.00       0.
Console#
Transceiver-threshold-auto : Enabled
                        Low Alarm  Low Warning  High Warning  High Alarm
                        ---------  -----------  ------------  ----------
  Temperature(Celsius)    -123.00         0.00         70.00       75.00
  Voltage(Volts)             3.10         3.15          3.45        3.50
  Current(mA)                6.00         7.00         90.00      100.00
  TxPower(dBm)             -12.00       -11.50         -9.50       -9.00
  RxPower(dBm)             -21.50       -21.00         -3.50       -3.
Console#
Chapter 11 | Interface Commands
Cable Diagnostics

show cable-diagnostics
This command shows the results of a cable diagnostics test.

Syntax
show cable-diagnostics interface [interface]
interface
  ethernet unit/port
    unit - Unit identifier. (Range: 1-8)
    port - Port number.
Chapter 11 | Interface Commands Power Savings Power Savings power-save This command enables power savings mode on the specified port. Use the no form to disable this feature. Syntax [no] power-save Default Setting Enabled Command Mode Interface Configuration (Ethernet) Command Usage IEEE 802.3 defines the Ethernet standard and subsequent power requirements based on cable connections operating at 100 meters.
determine whether or not it can reduce the signal amplitude used on a particular link.
Note: Power savings can only be implemented on Gigabit Ethernet ports using twisted-pair cabling. Power-savings mode on an active link only works when connection speed is 1 Gbps, and line length is less than 60 meters.
12 Link Aggregation Commands Ports can be statically grouped into an aggregate link (i.e., trunk) to increase the bandwidth of a network connection or to ensure fault recovery. Or you can use the Link Aggregation Control Protocol (LACP) to automatically negotiate a trunk link between this switch and another network device. For static trunks, the switches have to comply with the Cisco EtherChannel standard. For dynamic trunks, the switches have to comply with LACP.
Chapter 12 | Link Aggregation Commands Manual Configuration Commands Guidelines for Creating Trunks General Guidelines – ◆ Finish configuring trunks before you connect the corresponding network cables between switches to avoid creating a loop. ◆ A trunk can have up to 8 ports. ◆ The ports at both ends of a connection must be configured as trunk ports. ◆ All ports in a trunk must be configured in an identical manner, including communication mode (i.e.
Chapter 12 | Link Aggregation Commands Manual Configuration Commands src-dst-ip - Load balancing based on source and destination IP address. src-dst-mac - Load balancing based on source and destination MAC address. src-ip - Load balancing based on source IP address. src-mac - Load balancing based on source MAC address. Default Setting src-dst-ip Command Mode Global Configuration Command Usage ◆ This command applies to all static and dynamic trunks on the switch.
Chapter 12 | Link Aggregation Commands Manual Configuration Commands ■ src-mac: All traffic with the same source MAC address is output on the same link in a trunk. This mode works best for switch-to-switch trunk links where traffic through the switch is received from many different hosts. Example Console(config)#port-channel load-balance dst-ip Console(config)# channel-group This command adds a port to a trunk. Use the no form to remove a port from a trunk.
Chapter 12 | Link Aggregation Commands Dynamic Configuration Commands Dynamic Configuration Commands lacp This command enables 802.3ad Link Aggregation Control Protocol (LACP) for the current interface. Use the no form to disable it. Syntax [no] lacp Default Setting Disabled Command Mode Interface Configuration (Ethernet) Command Usage ◆ The ports on both ends of an LACP trunk must be configured for full duplex, either by forced mode or auto-negotiation.
Chapter 12 | Link Aggregation Commands Dynamic Configuration Commands Multicast Storm : Disabled Multicast Storm Limit : 500 packets/second Unknown Unicast Storm : Disabled Unknown Unicast Storm Limit : 500 packets/second Flow Control : Disabled VLAN Trunking : Disabled MAC Learning : Enabled Media Type : None Current status: Created By : LACP Link Status : Up Port Operation Status : Up Operation Speed-duplex : 1000full Up Time : 0w 0d 0h 0m 53s (53 seconds) Flow Control Type : None Max Frame Size : 1518 b
Chapter 12 | Link Aggregation Commands Dynamic Configuration Commands ◆ Once the remote side of a link has been established, LACP operational settings are already in use on that side. Configuring LACP settings for the partner only applies to its administrative state, not its operational state. Note: Configuring the partner admin-key does not affect remote or local switch operation. The local switch just records the partner admin-key for user reference.
Chapter 12 | Link Aggregation Commands Dynamic Configuration Commands ◆ Once the remote side of a link has been established, LACP operational settings are already in use on that side. Configuring LACP settings for the partner only applies to its administrative state, not its operational state, and will only take effect the next time an aggregate link is established with the partner.
Chapter 12 | Link Aggregation Commands Dynamic Configuration Commands lacp admin-key This command configures a port channel's LACP administration key string. Use the (Port Channel) no form to restore the default setting. Syntax lacp admin-key key no lacp admin-key key - The port channel admin key is used to identify a specific link aggregation group (LAG) during local LACP setup on this switch.
Chapter 12 | Link Aggregation Commands Dynamic Configuration Commands lacp timeout This command configures the timeout to wait for the next LACP data unit (LACPDU). Use the no form to restore the default setting. Syntax lacp timeout {long | short} no lacp timeout long - Specifies a slow timeout of 90 seconds. short - Specifies a fast timeout of 3 seconds.
Chapter 12 | Link Aggregation Commands Trunk Status Display Commands Trunk Status Display Commands show lacp This command displays LACP information. Syntax show lacp [port-channel] {counters | internal | neighbors | sysid} port-channel - Local identifier for a link aggregation group. (Range: 1-16) counters - Statistics for LACP protocol messages. internal - Configuration settings and operational state for local side. neighbors - Configuration settings and operational state for remote side.
Chapter 12 | Link Aggregation Commands Trunk Status Display Commands Table 77: show lacp counters - display description (Continued) Field Description Unknown Packet Received Number of frames received that either (1) Carry the Slow Protocols Ethernet Type value, but contain an unknown PDU, or (2) are addressed to the Slow Protocols group MAC Address, but do not carry the Slow Protocols Ethernet Type.
Table 78: show lacp internal - display description (Continued)
Field | Description
Admin State, Oper State (continued)
◆ Aggregation – The system considers this link to be aggregatable; i.e., a potential candidate for aggregation.
◆ Long timeout – Periodic transmission of LACPDUs uses a slow transmission rate.
◆ LACP-Activity – Activity control value with regard to this link.
. . .
4   32768  00-30-F1-8F-2C-A7
5   32768  00-30-F1-8F-2C-A7
6   32768  00-30-F1-8F-2C-A7
7   32768  00-30-F1-D4-73-A0
8   32768  00-30-F1-D4-73-A0
9   32768  00-30-F1-D4-73-A0
10  32768  00-30-F1-D4-73-A0
11  32768  00-30-F1-D4-73-A0
12  32768  00-30-F1-D4-73-A0

Table 80: show lacp sysid - display description
Field | Description
Channel group | A link aggregation group configured on this switch.
13 Power over Ethernet Commands The commands in this group control the power that can be delivered to attached PoE devices through the RJ-45 ports 1-24/48 on the ECS4620-28P/52P/52P-2AC. The switch’s power management enables total switch power and individual port power to be controlled within a configured power budget. Port power can be automatically turned on and off for connected devices, and a per-port power priority can be set so that the switch never exceeds its allocated power budget.
Chapter 13 | Power over Ethernet Commands ◆ When detection is enabled for PoE-compliant devices, power is automatically supplied when a device is detected on the port, providing that the power demanded does not exceed the port’s power budget or the switch’s power budget.
Chapter 13 | Power over Ethernet Commands power inline priority This command sets the power priority for specific ports. Use the no form to restore the default setting. Syntax power inline priority priority no power inline priority priority - The power priority for the port.
show power inline status
This command displays the current power status for all ports or for specific ports.

Syntax
show power inline status [interface]
interface
  ethernet
    unit - Unit identifier. (Range: 1-8)
    port - Port number.
show power mainpower
Use this command to display the current power status for the switch.

Command Mode
Privileged Exec

Example
This example shows the maximum available PoE power and maximum allocated PoE power for the ECS4620-52P.
Console#show power mainpower
Unit 1 Main Power Status
  PoE Maximum Available Power  : 780.0 Watts (using main power)
  PoE Maximum Allocation Power : 780.
  System Operation Status      :
  PoE Power Consumption        :
  Software Version             :
Console#
14 Port Mirroring Commands Data can be mirrored from a local port on the same switch or from a remote port on another switch for analysis at the target port using software monitoring tools or a hardware probe. This switch supports the following mirroring modes.
Chapter 14 | Port Mirroring Commands Local Port Mirroring Commands both - Mirror both received and transmitted packets. vlan-id - VLAN ID (Range: 1-4094) mac-address - MAC address in the form of xx-xx-xx-xx-xx-xx or xxxxxxxxxxxx. acl-name – Name of the ACL. (Maximum length: 32 characters, no spaces or other special characters) Default Setting ◆ No mirror session is defined. ◆ When enabled for an interface, default mirroring is for both received and transmitted packets.
Chapter 14 | Port Mirroring Commands Local Port Mirroring Commands ◆ You can create multiple mirror sessions, but all sessions must share the same destination port. ◆ The destination port cannot be a trunk or trunk member port. ◆ ACL-based mirroring is only used for ingress traffic. To mirror an ACL, follow these steps: 1. Use the access-list command to add an ACL. 2. Use the access-group command to add a mirrored port to access control list. 3.
Chapter 14 | Port Mirroring Commands RSPAN Mirroring Commands acl-name – Name of the ACL. (Maximum length: 32 characters, no spaces or other special characters) Default Setting Shows all sessions. Command Mode Privileged Exec Command Usage This command displays the currently configured source port, destination port, and mirror mode (i.e., RX, TX, RX/TX).
Chapter 14 | Port Mirroring Commands RSPAN Mirroring Commands Configuration Guidelines Take the following steps to configure an RSPAN session: 1. Use the vlan rspan command to configure a VLAN to use for RSPAN. (Default VLAN 1 and switch cluster VLAN 4093 are prohibited.) 2. Use the rspan source command to specify the interfaces and the traffic type (RX, TX or both) to be monitored. 3. Use the rspan destination command to specify the destination port for the traffic mirrored by an RSPAN session. 4.
RSPAN uplink ports cannot be configured to use IEEE 802.1X Port Authentication, but RSPAN source ports and destination ports can be configured to use it.
◆ Port Security – If port security is enabled on any port, that port cannot be set as an RSPAN uplink port, even though it can still be configured as an RSPAN source or destination port. Also, when a port is configured as an RSPAN uplink port, port security cannot be enabled on that port.
◆ The source port and destination port cannot be configured on the same switch.

Example
The following example configures the switch to mirror received packets from port 2 and 3:
Console(config)#rspan session 1 source interface ethernet 1/2
Console(config)#rspan session 1 source interface ethernet 1/3
Console(config)#

rspan destination
Use this command to specify the destination port to monitor the mirrored traffic.
Chapter 14 | Port Mirroring Commands RSPAN Mirroring Commands ◆ The source port and destination port cannot be configured on the same switch. ◆ A destination port can still send and receive switched traffic, and participate in any Layer 2 protocols to which it has been assigned.
Command Usage
◆ Only 802.1Q trunk or hybrid (i.e., general use) ports can be configured as an RSPAN uplink port – access ports are not allowed (see switchport mode).
◆ Only one uplink port can be configured on a source switch, but there is no limitation on the number of uplink ports configured on an intermediate or destination switch.
◆ Only destination and uplink ports will be assigned by the switch as members of this VLAN.
show rspan
Use this command to display the configuration settings for an RSPAN session.

Syntax
show rspan session [session-id]
session-id – A number identifying this RSPAN session. (Range: 1)
Only one mirror session is allowed, including both local and remote mirroring. If local mirroring is enabled with the port monitor command, then no session can be configured for RSPAN.
15 Congestion Control Commands

The switch can set the maximum upload or download data transfer rate for any port. It can control traffic storms by setting a maximum threshold for broadcast traffic or multicast traffic. It can also set bounding thresholds for broadcast and multicast storms which can be used to automatically trigger rate limits or to shut down a port.

Table 87: Congestion Control Commands
Command Group | Function
Rate Limiting | Sets the input and output rate limits for a port.
Chapter 15 | Congestion Control Commands Rate Limit Commands

rate-limit
This command defines the rate limit for a specific interface. Use this command without specifying a rate to enable rate limiting. Use the no form to disable rate limiting.

Syntax
rate-limit {input | output} [rate]
no rate-limit {input | output}
input – Input rate for specified interface
output – Output rate for specified interface
rate – Maximum value in kbps.
Chapter 15 | Congestion Control Commands Storm Control Commands

Storm Control Commands
Storm control commands can be used to configure broadcast, multicast, and unknown unicast storm control thresholds. Traffic storms may occur when a device on your network is malfunctioning, or if application programs are not well designed or properly configured. If there is too much traffic on your network, performance can be severely degraded or everything can come to a complete halt.
Chapter 15 | Congestion Control Commands Automatic Traffic Control Commands

◆ Traffic storms can be controlled at the hardware level using this command or at the software level using the auto-traffic-control command. However, only one of these control types can be applied to a port. Enabling hardware-level storm control on a port will disable automatic storm control on that port.
Table 90: ATC Commands (Continued)
Command | Function | Mode
auto-traffic-control action | Sets the control action to limit ingress traffic or shut down the offending port | IC (Port)
auto-traffic-control alarm-clear-threshold | Sets the lower threshold for ingress traffic beneath which a cleared storm control trap is sent |
auto-traffic-control alarm-fire-threshold | Sets the upper threshold for ingress traffic beyond which a | IC (Port)
Usage Guidelines
ATC includes storm control for broadcast or multicast traffic. The control response for either of these traffic types is the same, as shown in the following diagrams.
Figure 2: Storm Control by Shutting Down a Port

The key elements of this diagram are the same as those described in the preceding diagram, except that automatic release of the control response is not provided. When traffic control is applied, you must manually re-enable the port.

Functional Limitations
Automatic storm control is a software level control function.
Command Usage
After the apply timer expires, a control action may be triggered as specified by the auto-traffic-control action command and a trap message sent as specified by the snmp-server enable port-traps atc broadcast-control-apply command or snmp-server enable port-traps atc multicast-control-apply command.

Example
This example sets the apply timer to 200 seconds for all ports.
auto-traffic-control
This command enables automatic traffic control for broadcast or multicast storms. Use the no form to disable this feature.

Syntax
[no] auto-traffic-control {broadcast | multicast}
broadcast - Specifies automatic storm control for broadcast traffic.
multicast - Specifies automatic storm control for multicast traffic.
shutdown - If a control response is triggered, the port is administratively disabled. A port disabled by automatic traffic control can only be manually re-enabled.

Default Setting
rate-control

Command Mode
Interface Configuration (Ethernet)

Command Usage
When the upper threshold is exceeded and the apply timer expires, a control response will be triggered based on this command.
Default Setting
128 kilo-packets per second

Command Mode
Interface Configuration (Ethernet)

Command Usage
◆ Once the traffic rate falls beneath the lower threshold, a trap message may be sent if configured by the snmp-server enable port-traps atc broadcast-alarm-clear command or snmp-server enable port-traps atc multicast-alarm-clear command.
Command Usage
◆ Once the upper threshold is exceeded, a trap message may be sent if configured by the snmp-server enable port-traps atc broadcast-alarm-fire command or snmp-server enable port-traps atc multicast-alarm-fire command.
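The sequence described in this section (upper threshold exceeded, apply timer, control action, lower threshold, release timer) can be modeled as a small state machine. This is an added example, not Edge-core code: the one-sample-per-second loop, the state names, the AtcPort and simulate names and the sample rates are assumptions made for illustration, and the switch's actual timer handling may differ.

```python
from dataclasses import dataclass


@dataclass
class AtcPort:
    """Simplified ATC model: one port, one traffic type. Rates are in kpps."""
    fire: int = 128               # alarm-fire-threshold (upper); default here is an assumption
    clear: int = 128              # alarm-clear-threshold (lower)
    apply_timer: int = 300        # seconds above the upper threshold before the action
    release_timer: int = 900      # seconds below the lower threshold before release
    action: str = "rate-control"  # or "shutdown"
    state: str = "normal"         # normal | alarm | control | releasing | shutdown
    elapsed: int = 0

    def step(self, kpps):
        """Feed one 1-second ingress sample; return the trap-style events raised."""
        events = []
        if self.state == "normal":
            if kpps > self.fire:
                self.state, self.elapsed = "alarm", 0
                events.append("alarm-fire")
        elif self.state == "alarm":
            if kpps < self.clear:
                # Storm ended before the apply timer expired: no control action.
                self.state = "normal"
                events.append("alarm-clear")
            else:
                self.elapsed += 1
                if self.elapsed >= self.apply_timer:
                    self.state = "shutdown" if self.action == "shutdown" else "control"
                    events.append("control-apply")
        elif self.state == "control":
            if kpps < self.clear:
                self.state, self.elapsed = "releasing", 0
                events.append("alarm-clear")
        elif self.state == "releasing":
            if kpps > self.fire:
                # Storm resumed while waiting for release: stay under control.
                self.state = "control"
                events.append("alarm-fire")
            else:
                self.elapsed += 1
                if self.elapsed >= self.release_timer:
                    self.state = "normal"
                    events.append("control-release")
        # state == "shutdown": nothing happens until an operator acts.
        return events

    def manual_release(self):
        """Operator action: release a control response or re-enable a shut-down port."""
        if self.state in ("control", "releasing", "shutdown"):
            self.state = "normal"
            return True
        return False


def simulate(port, samples):
    """Run per-second samples through the port; return [(second, event), ...]."""
    return [(t, event) for t, kpps in enumerate(samples) for event in port.step(kpps)]


# Constructed per-second broadcast rates (kpps): a storm that lasts four seconds.
STORM = [10, 150, 150, 150, 150, 30, 30, 30, 10]

if __name__ == "__main__":
    for action in ("rate-control", "shutdown"):
        port = AtcPort(fire=100, clear=40, apply_timer=3, release_timer=2, action=action)
        print(action, simulate(port, STORM), "final state:", port.state)
```

With the shutdown action the port never leaves the shutdown state on its own, which is the operational difference an administrator has to plan for when choosing between the two actions.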
auto-traffic-control control-release
This command manually releases a control response.

Syntax
auto-traffic-control {broadcast | multicast} control-release interface interface
broadcast - Specifies automatic storm control for broadcast traffic.
multicast - Specifies automatic storm control for multicast traffic.
interface
ethernet unit/port-list
unit - Unit identifier.
Example
Console(config)#interface ethernet 1/1
Console(config-if)#snmp-server enable port-traps atc broadcast-alarm-clear
Console(config-if)#

Related Commands
auto-traffic-control action (491)
auto-traffic-control alarm-clear-threshold (492)

snmp-server enable port-traps atc
This command sends a trap when broadcast traffic exceeds the upper threshold for automatic storm control. Use the no form to disable this trap.
Example
Console(config)#interface ethernet 1/1
Console(config-if)#snmp-server enable port-traps atc broadcast-control-apply
Console(config-if)#

Related Commands
auto-traffic-control alarm-fire-threshold (493)
auto-traffic-control apply-timer (489)

snmp-server enable port-traps atc
This command sends a trap when broadcast traffic falls beneath the lower threshold after a storm control response has been triggered and the release ti
Command Mode
Interface Configuration (Ethernet)

Example
Console(config)#interface ethernet 1/1
Console(config-if)#snmp-server enable port-traps atc multicast-alarm-clear
Console(config-if)#

Related Commands
auto-traffic-control action (491)
auto-traffic-control alarm-clear-threshold (492)

snmp-server enable port-traps atc
This command sends a trap when multicast traffic exceeds the upper threshold for automatic storm control.
Example
Console(config)#interface ethernet 1/1
Console(config-if)#snmp-server enable port-traps atc multicast-control-apply
Console(config-if)#

Related Commands
auto-traffic-control alarm-fire-threshold (493)
auto-traffic-control apply-timer (489)

snmp-server enable port-traps atc
This command sends a trap when multicast traffic falls beneath the lower threshold after a storm control response has been triggered and the release ti
release-timer (sec) : 900
Storm-control: Multicast
Apply-timer(sec) : 300
release-timer(sec) : 900
Console#

show auto-traffic-control interface
This command shows interface configuration settings and storm control status for the specified port.

Syntax
show auto-traffic-control interface [interface]
interface
ethernet unit/port
unit - Unit identifier. (Range: 1-8)
port - Port number.
16 Loopback Detection Commands

The switch can be configured to detect general loopback conditions caused by hardware problems or faulty protocol settings. When enabled, a control frame is transmitted on the participating ports, and the switch monitors inbound traffic to see if the frame is looped back.
Chapter 16 | Loopback Detection Commands

loopback-detection
This command enables loopback detection globally on the switch or on a specified interface. Use the no form to disable loopback detection.

Syntax
[no] loopback-detection

Default Setting
Enabled

Command Mode
Global Configuration
Interface Configuration (Ethernet, Port Channel)

Command Usage
Loopback detection must be enabled globally for the switch by this command and enabled for a specific interface for this function to take effect.
Command Usage
◆ When the response to a detected loopback condition is set to block user traffic, loopback detection control frames may be untagged or tagged depending on the port’s VLAN membership type.
◆ When the response to a detected loopback condition is set to block user traffic, ingress filtering for the port is enabled automatically if not already enabled by the switchport ingress-filtering command.
Command Usage
◆ When the loopback detection mode is changed, any ports placed in shutdown state by the loopback detection process will be immediately restored to operation regardless of the remaining recover time.
◆ If the recovery time is set to zero, all ports placed in shutdown state can be restored to operation using the loopback-detection release command. To restore a specific port, use the no shutdown command.
detect - Sends an SNMP trap message when a loopback condition is detected.
none - Does not send an SNMP trap for loopback detection or recovery.
recover - Sends an SNMP trap message when the switch recovers from a loopback condition.

Default Setting
None

Command Mode
Global Configuration

Command Usage
Refer to the loopback-detection recover-time command for information on conditions which constitute loopback recovery.
show loopback-detection
This command shows loopback detection configuration settings for the switch or for a specified interface.

Syntax
show loopback-detection [interface]
interface
ethernet unit/port
unit - Unit identifier. (Range: 1-8)
port - Port number.
17 UniDirectional Link Detection Commands

The switch can be configured to detect and disable unidirectional Ethernet fiber or copper links. When enabled, the protocol advertises a port’s identity, learns about its neighbors on a specific LAN segment, and stores information about its neighbors in a cache. It can also send out a train of echo messages under circumstances that require fast notifications or re-synchronization of the cached information.
Chapter 17 | UniDirectional Link Detection Commands

Command Usage
When a neighbor device is discovered by UDLD, the switch enters “detection state” and remains in this state for the specified detection-interval. After the detection-interval expires, the switch tries to decide whether or not the link is unidirectional based on the information collected during “detection state.
udld recovery
This command configures the switch to automatically recover from UDLD disabled port state after a period specified by the udld recovery-interval command. Use the no form to disable this feature.

Syntax
[no] udld recovery

Default Setting
Disabled

Command Mode
Global Configuration

Command Usage
When automatic recovery state is changed by this command, any ports shut down by UDLD will be reset.
Example
Console(config)#udld recovery-interval 15
Console(config)#

udld aggressive
This command sets UDLD to aggressive mode on an interface. Use the no form to restore the default setting.

Syntax
[no] udld aggressive

Default Setting
Disabled

Command Mode
Interface Configuration (Ethernet Port)

Command Usage
UDLD can function in two modes: normal mode and aggressive mode.
Example
This example enables UDLD aggressive mode on port 1.
Console(config)#interface ethernet 1/1
Console(config-if)#udld aggressive
Console(config-if)#

udld port
This command enables UDLD on a port. Use the no form to disable UDLD on an interface.
show udld
This command shows UDLD configuration settings and operational status for the switch or for a specified interface.

Syntax
show udld [interface interface]
interface
ethernet unit/port
unit - Unit identifier. (Range: 1-8)
port - Port number.
Table 93: show udld - display description (Continued)
Field | Description
Recovery Interval | Shows the period after which to recover from UDLD disabled port state if automatic recovery is enabled
UDLD | Shows if UDLD is enabled or disabled on a port
Mode | Shows if UDLD is functioning in Normal or Aggressive mode
Oper State | Shows the UDLD operational state (Disabled, Link down, Link up, Advertisement, Detection, Disabled port, Advertisement - Single nei
18 Address Table Commands

These commands are used to configure the address table for filtering specified addresses, displaying current entries, clearing the table, or setting the aging time.
Chapter 18 | Address Table Commands

Command Usage
The aging time is used to age out dynamically learned forwarding information.

Example
Console(config)#mac-address-table aging-time 100
Console(config)#

mac-address-table hash-lookup-depth
This command sets the hash lookup depth used when searching the MAC address table. Use the no form to restore the default setting.

Syntax
mac-address-table hash-lookup-depth depth
no mac-address-table hash-lookup-depth
depth - The depth used in the hash lookup process.
mac-address-table static
This command maps a static address to a destination port in a VLAN. Use the no form to remove an address.

Syntax
mac-address-table static mac-address interface interface vlan vlan-id [action]
no mac-address-table static mac-address vlan vlan-id
mac-address - MAC address.
interface
ethernet unit/port
unit - Unit identifier. (Range: 1-8)
port - Port number.
clear collision-mac-address-table
This command removes all entries from the collision MAC address table.

Default Setting
None

Command Mode
Privileged Exec

Example
Console#clear collision-mac-address-table
Console#

clear mac-address-
This command removes any learned entries from the forwarding database.
show mac-address-table
This command shows classes of entries in the bridge-forwarding database.

Syntax
show mac-address-table [address mac-address [mask]] [interface interface] [vlan vlan-id] [sort {address | vlan | interface}]
mac-address - MAC address.
mask - Bits to match in the address.
interface
ethernet unit/port
unit - Unit identifier. (Range: 1-8)
port - Port number.
Eth 1/ 1 00-E0-29-94-34-64 1 Learn Delete on Timeout
Console#

show mac-address-table aging-time
This command shows the aging time for entries in the address table.

Default Setting
None

Command Mode
Privileged Exec

Example
Console#show mac-address-table aging-time
Aging Status : Enabled
Aging Time: 300 sec.
Maximum number of MAC Address which can be created in the system:
Total Number of MAC Address : 16384
Number of Static MAC Address : 1024
Current number of entries which have been created in the system:
Total Number of MAC Address : 3
Number of Static MAC Address : 1
Number of Dynamic MAC Address : 2
Console#

show mac-address-table hash-lookup-
This command shows the hash lookup depth used when searching the MAC address table.
19 Spanning Tree Commands

This section includes commands that configure the Spanning Tree Algorithm (STA) globally for the switch, and commands that configure STA for the selected interface.
Chapter 19 | Spanning Tree Commands

Table 95: Spanning Tree Commands (Continued)
Command | Function | Mode
spanning-tree loopback-detection | Enables BPDU loopback detection for a port | IC
spanning-tree loopback-detection action | Configures the response for loopback detection to block user traffic or shut down the interface | IC
spanning-tree loopback-detection release-mode | Configures loopback release mode for a port | IC
spanning-tree loopback-detection trap | Enables BPDU loopback SNMP trap notification for
Command Usage
◆ The Spanning Tree Algorithm (STA) can be used to detect and disable network loops, and to provide backup links between switches, bridges or routers. This allows the switch to interact with other bridging devices (that is, an STA-compliant switch, bridge or router) in your network to ensure that only one route exists between any two stations on the network, and provide backup links which automatically take over when a primary link goes down.
spanning-tree forward-time
This command configures the spanning tree bridge forward time globally for this switch. Use the no form to restore the default setting.

Syntax
spanning-tree forward-time seconds
no spanning-tree forward-time
seconds - Time in seconds. (Range: 4 - 30 seconds)
The minimum value is the higher of 4 or [(max-age / 2) + 1].
Command Usage
This command sets the time interval (in seconds) at which the root device transmits a configuration message.

Example
Console(config)#spanning-tree hello-time 5
Console(config)#

Related Commands
spanning-tree forward-time (526)
spanning-tree max-age (527)

spanning-tree max-age
This command configures the spanning tree bridge maximum age globally for this switch. Use the no form to restore the default.
spanning-tree mode
This command selects the spanning tree mode for this switch. Use the no form to restore the default.

Syntax
spanning-tree mode {stp | rstp | mstp}
no spanning-tree mode
stp - Spanning Tree Protocol (IEEE 802.1D)
rstp - Rapid Spanning Tree Protocol (IEEE 802.1w)
mstp - Multiple Spanning Tree (IEEE 802.
■ Be careful when switching between spanning tree modes. Changing modes stops all spanning-tree instances for the previous mode and restarts the system in the new mode, temporarily disrupting user traffic.

Example
The following example configures the switch to use Rapid Spanning Tree:
Console(config)#spanning-tree mode rstp
Console(config)#

spanning-tree
This command changes to Multiple Spanning Tree (MST) configuration mode.
Command Mode
Global Configuration

Command Usage
◆ The path cost method is used to determine the best path between devices. Therefore, lower values should be assigned to ports attached to faster media, and higher values assigned to ports with slower media. Note that path cost (page 538) takes precedence over port priority (page 545).
◆ The path cost methods apply to all spanning tree modes (STP, RSTP and MSTP).
spanning-tree system-bpdu-flooding
This command configures the system to flood BPDUs to all other ports on the switch or just to all other ports in the same VLAN when spanning tree is disabled globally on the switch or disabled on a specific port. Use the no form to restore the default.

Syntax
spanning-tree system-bpdu-flooding {to-all | to-vlan}
no spanning-tree system-bpdu-flooding
to-all - Floods BPDUs to all other ports on the switch.
Default Setting
All ports and trunks belong to a common group.

Command Mode
Global Configuration

Command Usage
A port can only belong to one group. When an interface is added to a group, it is removed from the default group. When a TCN BPDU or BPDU with the TC flag set is received on an interface, that interface will only notify members in the same group to propagate this topology change.
hop-number - Maximum hop number for multiple spanning tree. (Range: 1-40)

Default Setting
20

Command Mode
MST Configuration

Command Usage
An MSTI region is treated as a single node by the STP and RSTP protocols. Therefore, the message age for BPDUs inside an MSTI region is never changed.
priority, the device with the lowest MAC address will then become the root device.
◆ You can set this switch to act as the MSTI root device by specifying a priority of 0, or as the MSTI alternate device by specifying a priority of 16384.

Example
Console(config-mstp)#mst 1 priority 4096
Console(config-mstp)#

mst vlan
This command adds VLANs to a spanning tree instance. Use the no form to remove the specified VLANs.
name
This command configures the name for the multiple spanning tree region in which this switch is located. Use the no form to clear the name.

Syntax
name name
name - Name of multiple spanning tree region. (Range: 1-32 alphanumeric characters)

Default Setting
Switch’s MAC address

Command Mode
MST Configuration

Command Usage
The MST region name and revision number (page 535) are used to designate a unique MST region. A bridge (i.e.
Example
Console(config-mstp)#revision 1
Console(config-mstp)#

Related Commands
name (535)

spanning-tree bpdu-filter
This command allows you to avoid transmitting BPDUs on configured edge ports that are connected to end nodes. Use the no form to disable this feature.
spanning-tree bpdu-guard
This command shuts down an edge port (i.e., an interface set for fast forwarding) if it receives a BPDU. Use the no form without any keywords to disable this feature, or with a keyword to restore the default settings.

Syntax
spanning-tree bpdu-guard [auto-recovery [interval interval]]
no spanning-tree bpdu-guard [auto-recovery [interval]]
auto-recovery - Automatically re-enables an interface after the specified interval.
spanning-tree cost
This command configures the spanning tree path cost for the specified interface. Use the no form to restore the default auto-configuration mode.

Syntax
spanning-tree cost cost
no spanning-tree cost
cost - The path cost for the port. (Range: 0 for auto-configuration, 1-65535 for short path cost method, 1-200,000,000 for long path cost method)

Table 96: Recommended STA Path Cost Range
Port Type | Short Path Cost (IEEE 802.
◆ Path cost takes precedence over port priority.
◆ When the path cost method (page 529) is set to short, the maximum value for path cost is 65,535.

Example
Console(config)#interface ethernet 1/5
Console(config-if)#spanning-tree cost 50
Console(config-if)#

spanning-tree edge-port
This command specifies an interface as an edge port. Use the no form to restore the default.
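A configuration review can check two things this chapter states: the forward-time minimum of "the higher of 4 or [(max-age / 2) + 1]", and that interfaces set as edge ports also carry spanning-tree bpdu-guard. The script below is an added example, not part of the guide or of Edge-core software; the running-config style layout, the interface values, the finding texts and the function names are constructed for illustration, and treating bpdu-guard or bpdu-filter on a non-edge port as a finding is a review heuristic based on this guide describing both in terms of edge ports.

```python
import re

# Constructed sample in running-config style; all values are illustrative.
SAMPLE_CONFIG = """\
spanning-tree mode rstp
spanning-tree max-age 30
spanning-tree forward-time 10
!
interface ethernet 1/1
 spanning-tree edge-port
 spanning-tree bpdu-guard auto-recovery interval 60
!
interface ethernet 1/2
 spanning-tree edge-port
!
interface ethernet 1/3
 spanning-tree edge-port
 spanning-tree bpdu-guard
 no spanning-tree bpdu-guard
!
interface ethernet 1/4
 spanning-tree bpdu-filter
!
interface ethernet 1/5
 spanning-tree cost 50
!
"""

# Standard STA defaults, matching the guide's sample show spanning-tree output.
DEFAULT_TIMERS = {"max-age": 20, "forward-time": 15}
FEATURES = ("edge-port", "bpdu-guard", "bpdu-filter")


def parse(config):
    """Return (global timers, {interface: set of enabled per-port STP features})."""
    timers = dict(DEFAULT_TIMERS)
    ports, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line == "!":
            current = None            # end of an interface block
            continue
        match = re.fullmatch(r"interface (ethernet \d+/\d+)", line)
        if match:
            current = match.group(1)
            ports.setdefault(current, set())
            continue
        negated = line.startswith("no ")
        words = (line[3:] if negated else line).split()
        if len(words) < 2 or words[0] != "spanning-tree":
            continue
        key = words[1]
        if current is None and key in timers:
            if negated:
                timers[key] = DEFAULT_TIMERS[key]
            elif len(words) == 3 and words[2].isdigit():
                timers[key] = int(words[2])
        elif current is not None and key in FEATURES:
            # A later "no ..." line cancels an earlier enable on the same port.
            (ports[current].discard if negated else ports[current].add)(key)
    return timers, ports


def audit(config):
    """Return a list of (scope, finding) tuples for the checks described above."""
    timers, ports = parse(config)
    findings = []
    fwd, age = timers["forward-time"], timers["max-age"]
    # forward-time >= (max-age / 2) + 1, written without division so that
    # odd max-age values are not rounded.
    if fwd < 4 or 2 * (fwd - 1) < age:
        findings.append(("global", f"forward-time {fwd} too low for max-age {age}"))
    for name in sorted(ports):
        feats = ports[name]
        if "edge-port" in feats and "bpdu-guard" not in feats:
            findings.append((name, "edge port without bpdu-guard"))
        for feature in ("bpdu-guard", "bpdu-filter"):
            if feature in feats and "edge-port" not in feats:
                findings.append((name, f"{feature} on a port not set as edge-port"))
    return findings


if __name__ == "__main__":
    for scope, finding in audit(SAMPLE_CONFIG):
        print(f"{scope}: {finding}")
```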
spanning-tree link-type
This command configures the link type for Rapid Spanning Tree and Multiple Spanning Tree. Use the no form to restore the default.

Syntax
spanning-tree link-type {auto | point-to-point | shared}
no spanning-tree link-type
auto - Automatically derived from the duplex mode setting.
point-to-point - Point-to-point link.
shared - Shared medium.
Command Usage
◆ If Port Loopback Detection is not enabled and a port receives its own BPDU, then the port will drop the loopback BPDU according to IEEE Standard 802.1W-2001 9.3.4 (Note 1).
◆ Port Loopback Detection will not be active if Spanning Tree is disabled on the switch.
spanning-tree loopback-detection release-mode
This command configures the release mode for a port that was placed in the discarding state because a loopback BPDU was received. Use the no form to restore the default.

Syntax
spanning-tree loopback-detection release-mode {auto | manual}
no spanning-tree loopback-detection release-mode
auto - Allows a port to automatically be released from the discarding state when the loopback state ends.
spanning-tree loopback-detection
This command enables SNMP trap notification for Spanning Tree loopback BPDU detections. Use the no form to restore the default.
interfaces attached to faster media, and higher values assigned to interfaces with slower media.
◆ Use the no spanning-tree mst cost command to specify auto-configuration mode.
◆ Path cost takes precedence over interface priority.
Related Commands
spanning-tree mst cost (543)

spanning-tree port-bpdu-flooding
This command floods BPDUs to other ports when spanning tree is disabled globally or disabled on a specific port. Use the no form to restore the default setting.
Command Usage
◆ This command defines the priority for the use of a port in the Spanning Tree Algorithm. If the path cost for all ports on a switch is the same, the port with the highest priority (that is, lowest value) will be configured as an active link in the spanning tree.
◆ Where more than one port is assigned the highest priority, the port with the lowest numeric identifier will be enabled.
by taking over as the root port and forming a new spanning tree topology. It could also be used to form a border around part of the network where the root bridge is allowed.
◆ When spanning tree is initialized globally on the switch or on an interface, the switch will wait for 20 seconds to ensure that the spanning tree has converged before enabling Root Guard.
Default Setting
Disabled

Command Mode
Interface Configuration (Ethernet, Port Channel)

Command Usage
When this command is enabled on an interface, topology change information originating from the interface will still be propagated. This command should not be used on an interface which is purposely configured in a ring topology.
spanning-tree protocol-migration
This command re-checks the appropriate BPDU format to send on the selected interface.

Syntax
spanning-tree protocol-migration interface
interface
ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number.
show spanning-tree
This command shows the configuration for the common spanning tree (CST), for all instances within the multiple spanning tree (MST), or for a specific instance within the multiple spanning tree (MST).

Syntax
show spanning-tree [interface | mst instance-id | brief | stp-enabled-only]
interface
ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number.
VLANs Configured : 1-4094
Priority : 32768
Bridge Hello Time (sec.) : 2
Bridge Max. Age (sec.) : 20
Bridge Forward Delay (sec.) : 15
Root Hello Time (sec.) : 2
Root Max. Age (sec.) : 20
Root Forward Delay (sec.) : 15
Max. Hops : 20
Remaining Hops : 20
Designated Root : 32768.0.0001ECF8D8C6
Current Root Port : 21
Current Root Cost : 100000
Number of Topology Changes : 5
Last Topology Change Time (sec.
Current Root Cost : 10000
Interface Pri Designated            Designated Oper     STP    Role State Oper
              Bridge ID             Port ID    Cost     Status            Edge
--------- --- --------------------- ---------- -------- ------ ---- ----- --
Eth 1/ 1  128 32768.0000E89382A0    128.1      100000   EN     DESG FWD   No
Eth 1/ 2  128 32768.0000E89382A0    128.2      10000    EN     DISB BLK   No
Eth 1/ 3  128 32768.0000E89382A0    128.3      10000    EN     DISB BLK   No
Eth 1/ 4  128 32768.0000E89382A0    128.4      10000    EN     DISB BLK   No
Eth 1/ 5  128 32768.0000E89382A0    128.
20 ERPS Commands

The G.8032 recommendation, also referred to as Ethernet Ring Protection Switching (ERPS), can be used to increase the availability and robustness of Ethernet rings. This chapter describes commands used to configure ERPS.
Chapter 20 | ERPS Commands

Table 98: ERPS Commands (Continued)
Command | Function | Mode
clear erps statistics | Clears statistics, including SF, NR, NR-RB, FS, MS, Event, and Health protocol messages | PE
erps clear | Manually clears protection state which has been invoked by a Forced Switch or Manual Switch command, and the node is operating under non-revertive mode; or before the WTR or WTB timer expires when the node is operating in revertive mode | PE
erps forced-switch | Blocks the specified ring port er
6. Enable ERPS: Before enabling a ring as described in the next step, first use the erps command to globally enable ERPS on the switch. If ERPS has not yet been enabled or has been disabled with the no erps command, no ERPS rings will work.
7. Enable an ERPS ring: Before an ERPS ring can work, it must be enabled using the enable command.
erps domain
This command creates an ERPS ring and enters ERPS configuration mode for the specified domain. Use the no form to delete a ring.

Syntax
erps domain ring-name [id ring-id]
no erps domain ring-name
ring-name - Name of a specific ERPS ring. (Range: 1-12 characters)
ring-id - ERPS ring identifier used in R-APS messages.
Command Usage
◆ Configure one control VLAN for each ERPS ring. First create the VLAN to be used as the control VLAN (vlan, page 592), add the ring ports for the east and west interface as tagged members to this VLAN (switchport allowed vlan, page 595), and then use the control-vlan command to add it to the ring.
ring-port command, the RPL owner specified with the rpl owner command, and the control VLAN configured with the control-vlan command.
◆ Once enabled, the RPL owner node and non-owner node state machines will start, and the ring will enter idle state if no signal failures are detected.

Example
Console(config-erps)#enable
Console(config-erps)#

Related Commands
erps (555)

guard-timer
This command sets the guard timer to prevent ring nodes from receiving outdated R-APS messages.
holdoff-timer
This command sets the timer to filter out intermittent link faults. Use the no form to restore the default setting.

Syntax
holdoff-timer milliseconds
milliseconds - The hold-off timer is used to filter out intermittent link faults. Faults will only be reported to the ring protection mechanism if this timer expires.
Command Mode
ERPS Configuration

Command Usage
◆ This switch can support up to six rings. However, ERPS control packets can only be sent on one ring. This command is used to indicate that the current ring is a secondary ring, and to specify the major ring which will be used to send ERPS control packets.
◆ The Ring Protection Link (RPL) is the west port and cannot be configured. So the physical port on a secondary ring must be the west port.
Chapter 20 | ERPS Commands Example Console(config-erps)#meg-level 0 Console(config-erps)# Related Commands ethernet cfm domain (825) ethernet cfm mep (830) mep-monitor This command specifies the CFM MEPs used to monitor the link on a ring node. Use the no form to restore the default setting. Syntax mep-monitor {east | west} mep mpid east - Connects to next ring node to the east. west - Connects to next ring node to the west. mpid – Maintenance end point identifier.
Chapter 20 | ERPS Commands Related Commands ethernet cfm domain (825) ethernet cfm mep (830) node-id This command sets the MAC address for a ring node. Use the no form to restore the default setting. Syntax node-id mac-address mac-address – A MAC address unique to the ring node. The MAC address must be specified in the format xx-xx-xx-xx-xx-xx or xxxxxxxxxxxx.
Chapter 20 | ERPS Commands Default Setting Disabled Command Mode ERPS Configuration Command Usage ◆ The RPL owner node detects a failed link when it receives R-APS (SF - signal fault) messages from nodes adjacent to the failed link. The owner then enters protection state by unblocking the RPL.
non-revertive This command enables non-revertive mode, which requires the protection state on the RPL to be manually cleared. Use the no form to restore the default revertive mode. Syntax [no] non-revertive Default Setting Disabled Command Mode ERPS Configuration Command Usage Revertive behavior allows the switch to automatically return the RPL from Protection state to Idle state through the exchange of protocol messages.
Chapter 20 | ERPS Commands traffic channel over the RPL, transmitting an R-APS (NR, RB) message over both ring ports, informing the ring that the RPL is blocked, and performing a flush FDB action. d. The acceptance of the R-APS (NR, RB) message causes all ring nodes to unblock any blocked non-RPL link that does not have an SF condition. If it is an R-APS (NR, RB) message without a DNF (do not flush) indication, all ring nodes flush the FDB.
b. The WTB timer is cancelled if during the WTB period a higher priority request than NR is accepted by the RPL Owner Node or is declared locally at the RPL Owner Node. c. When the WTB timer expires, in the absence of any other higher priority request, the RPL Owner Node initiates reversion by blocking the traffic channel over the RPL, transmitting an R-APS (NR, RB) message over both ring ports, informing the ring that the RPL is blocked, and flushing the FDB. d.
■ Recovery with revertive mode is handled in the following way: a. The RPL Owner Node, upon reception of an R-APS (NR) message and in the absence of any other higher priority request, starts the WTB timer and waits for it to expire. While the WTB timer is running, any latent R-APS (MS) message is ignored due to the higher priority of the WTB running signal. b. When the WTB timer expires, it generates the WTB expire signal.
Chapter 20 | ERPS Commands Command Mode ERPS Configuration Command Usage ◆ When a secondary ring detects a topology change, it can pass a message about this event to the major ring. When the major ring receives this kind of message from a secondary ring, it can clear the MAC addresses on its ring ports to help the secondary ring restore its connections more quickly through protection switching. ◆ When the MAC addresses are cleared, data traffic may flood onto the major ring.
Chapter 20 | ERPS Commands raps-without-vc This command terminates the R-APS channel at the primary ring to sub-ring interconnection nodes. Use the no form to restore the default setting. Syntax [no] raps-without-vc Default Setting R-APS with Virtual Channel Command Mode ERPS Configuration Command Usage A sub-ring may be attached to a primary ring with or without a virtual channel.
[Figure 4: Sub-ring with Virtual Channel. Labels: RPL Port, Interconnection Node, Ring Node, Major Ring, Virtual Channel]
◆ Sub-ring without R-APS Virtual Channel – Under certain circumstances it may not be desirable to use a virtual channel to interconnect the sub-ring over an arbitrary Ethernet network. In this situation, the R-APS messages are terminated on the interconnection points.
Chapter 20 | ERPS Commands ring-port This command configures a node’s connection to the ring through the east or west interface. Use the no form to disassociate a node from the ring. Syntax ring-port {east | west} interface interface east - Connects to next ring node to the east. west - Connects to next ring node to the west. interface ethernet unit/port unit - Unit identifier. (Range: 1-8) port - Port number.
Chapter 20 | ERPS Commands rpl neighbor This command configures a ring node to be the Ring Protection Link (RPL) neighbor. Use the no form to restore the default setting. Syntax rpl neighbor no rpl Default Setting None (that is, neither owner nor neighbor) Command Mode ERPS Configuration Command Usage ◆ The RPL neighbor node, when configured, is a ring node adjacent to the RPL that is responsible for blocking its end of the RPL under normal conditions (i.e.
Chapter 20 | ERPS Commands Command Mode ERPS Configuration Command Usage ◆ Only one RPL owner can be configured on a ring. The owner blocks traffic on the RPL during Idle state, and unblocks it during Protection state (that is, when a signal fault is detected on the ring or the protection state is enabled with the erps forced-switch or erps manual-switch command). ◆ The east and west connections to the ring must be specified for all ring nodes using the ring-port command.
Chapter 20 | ERPS Commands ◆ The version number is automatically set to “1” when a ring node, supporting only the functionalities of G.8032v1, exists on the same ring with other nodes that support G.8032v2. ◆ When ring nodes running G.8032v1 and G.8032v2 co-exist on a ring, the ring ID of each node is configured as “1”. ◆ In version 1, the MAC address 01-19-A7-00-00-01 is used for the node identifier. The raps-def-mac command has no effect.
Chapter 20 | ERPS Commands clear erps statistics This command clears statistics, including SF, NR, NR-RB, FS, MS, Event, and Health protocol messages. Syntax clear erps statistics [domain ring-name] ring-name - Name of a specific ERPS ring.
Chapter 20 | ERPS Commands Example Console#erps clear domain r&d Console# erps forced-switch This command blocks the specified ring port. Syntax erps forced-switch [domain ring-name] {east | west} ring-name - Name of a specific ERPS ring. (Range: 1-12 characters) east - East ring port. west - West ring port. Command Mode Privileged Exec Command Usage ◆ A ring with no pending request has a logical topology with the traffic channel blocked at the RPL and unblocked on all other ring links.
Chapter 20 | ERPS Commands While an existing forced switch request is present in a ring, any new forced switch request is accepted, except on a ring node having a prior local forced switch request. The ring nodes where further forced switch commands are issued block the traffic channel and R-APS channel on the ring port at which the forced switch was issued. The ring node where the forced switch command was issued transmits an R-APS message over both ring ports indicating FS.
Chapter 20 | ERPS Commands node under maintenance in order to avoid falling into the above mentioned unrecoverable situation. Example Console#erps forced-switch domain r&d west Console# erps manual-switch This command blocks the specified ring port, in the absence of a failure or an erps forced-switch command. Syntax erps manual-switch [domain ring-name] {east | west} ring-name - Name of a specific ERPS ring. (Range: 1-12 characters) east - East ring port. west - West ring port.
Chapter 20 | ERPS Commands e. A ring node accepting an R-APS (MS) message, without any local higher priority requests stops transmitting R-APS messages. f. A ring node receiving an R-APS (MS) message flushes its FDB. ◆ Protection switching on a manual switch request is completed when the above actions are performed by each ring node. At this point, traffic flows around the ring are resumed. From this point on, the following rules apply regarding processing of further manual switch commands: a.
Chapter 20 | ERPS Commands Example This example displays a summary of all the ERPS rings configured on the switch.
Chapter 20 | ERPS Commands Table 100: show erps - summary display description (Continued) Field Description Port State The operational state: Blocking – The transmission and reception of traffic is blocked and the forwarding of R-APS messages is blocked, but the transmission of locally generated R-APS messages is allowed and the reception of all RAPS messages is allowed.
Chapter 20 | ERPS Commands Table 101: show erps domain - detailed display description (Continued) Field Description R-APS with VC The R-APS Virtual Channel is the R-APS channel connection used to tunnel R-APS messages between two interconnection nodes of a subring in another Ethernet ring or network. R-APS Def MAC Indicates if the switch’s MAC address is used to identify the node in RAPS messages. Propagate TC Shows if the ring is configured to propagate topology change notification messages.
Chapter 20 | ERPS Commands Table 102: show erps statistics - detailed display description Field Description Interface The direction, and port or trunk which is configured as a ring port. Local SF A signal fault generated on a link to the local node.
21 VLAN Commands A VLAN is a group of ports that can be located anywhere in the network, but communicate as though they belong to the same physical segment. This section describes commands used to create VLAN groups, add port members, specify how VLAN tagging is used, and enable automatic VLAN registration for the selected interface.
GVRP and Bridge Extension Commands GARP VLAN Registration Protocol defines a way for switches to exchange VLAN information in order to automatically register VLAN members on interfaces across the network. This section describes how to enable GVRP for individual interfaces and globally for the switch, as well as how to display default configuration settings for the Bridge Extension MIB.
Chapter 21 | VLAN Commands GVRP and Bridge Extension Commands garp timer This command sets the values for the join, leave and leaveall timers. Use the no form to restore the timers’ default values. Syntax garp timer {join | leave | leaveall} timer-value no garp timer {join | leave | leaveall} {join | leave | leaveall} - Timer to set. timer-value - Value of timer.
switchport forbidden vlan This command configures forbidden VLANs. Use the no form to remove the list of forbidden VLANs. Syntax switchport forbidden vlan {add vlan-list | remove vlan-list} no switchport forbidden vlan add vlan-list - List of VLAN identifiers to add. remove vlan-list - List of VLAN identifiers to remove. vlan-list - Separate nonconsecutive VLAN identifiers with a comma and no spaces; use a hyphen to designate a range of IDs.
Chapter 21 | VLAN Commands GVRP and Bridge Extension Commands Default Setting Disabled Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage GVRP cannot be enabled for ports set to Access mode using the switchport mode command. Example Console(config)#interface ethernet 1/1 Console(config-if)#switchport gvrp Console(config-if)# show bridge-ext This command shows the configuration for bridge extension commands.
Chapter 21 | VLAN Commands GVRP and Bridge Extension Commands Table 105: show bridge-ext - display description (Continued) Field Description Static Entry Individual Port This switch allows static filtering for unicast and multicast addresses. (Refer to the mac-address-table static command.) VLAN Version Number Based on IEEE 802.1Q, “1” indicates Bridges that support only single spanning tree (SST) operation, and “2” indicates Bridges that support multiple spanning tree (MST) operation.
Related Commands garp timer (587) show gvrp configuration This command shows if GVRP is enabled. Syntax show gvrp configuration [interface] interface ethernet unit/port unit - Unit identifier. (Range: 1-8) port - Port number. (Range: 1-28/52) port-channel channel-id (Range: 1-16) Default Setting Shows both global and interface-specific configuration.
Chapter 21 | VLAN Commands Editing VLAN Groups Command Mode Global Configuration Command Usage ◆ Use the VLAN database command mode to add, change, and delete VLANs. After finishing configuration changes, you can display the VLAN settings by entering the show vlan command. ◆ Use the interface vlan command mode to define the port membership mode and add or remove ports from a VLAN.
Chapter 21 | VLAN Commands Configuring VLAN Interfaces Note: Ports can only be added to an RSPAN VLAN using the commands described under “RSPAN Mirroring Commands”. Default Setting By default only VLAN 1 exists and is active. Command Mode VLAN Database Configuration Command Usage ◆ no vlan vlan-id deletes the VLAN. ◆ no vlan vlan-id name removes the VLAN name. ◆ no vlan vlan-id state returns the VLAN to the default state (i.e., active). ◆ You can configure up to 4094 VLANs on the switch.
Chapter 21 | VLAN Commands Configuring VLAN Interfaces Table 107: Commands for Configuring VLAN Interfaces (Continued) Command Function Mode switchport priority default Sets a port priority for incoming untagged frames IC vlan-trunking Allows unknown VLANs to cross the switch IC interface vlan This command enters interface configuration mode for VLANs, which is used to configure VLAN parameters for a physical interface. Use the no form to change a Layer 3 normal VLAN back to a Layer 2 interface.
switchport acceptable-frame-types This command configures the acceptable frame types for a port. Use the no form to restore the default. Syntax switchport acceptable-frame-types {all | tagged} no switchport acceptable-frame-types all - The port accepts all frames, tagged or untagged. tagged - The port only receives tagged frames.
Chapter 21 | VLAN Commands Configuring VLAN Interfaces Separate nonconsecutive VLAN identifiers with a comma and no spaces; use a hyphen to designate a range of IDs. (Range: 1-4094). add vlan-list - List of VLAN identifiers to add. When the add option is used, the interface is assigned to the specified VLANs, and membership in all previous VLANs is retained. remove vlan-list - List of VLAN identifiers to remove. Default Setting All ports are assigned to VLAN 1 by default.
switchport ingress-filtering This command enables ingress filtering for an interface. Use the no form to restore the default. Syntax [no] switchport ingress-filtering Default Setting Disabled Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage Ingress filtering only affects tagged frames.
Chapter 21 | VLAN Commands Configuring VLAN Interfaces switchport mode This command configures the VLAN membership mode for a port. Use the no form to restore the default. Syntax switchport mode {access | hybrid | trunk} no switchport mode access - Specifies an access VLAN interface. The port transmits and receives untagged frames on a single VLAN only. hybrid - Specifies a hybrid VLAN interface. The port may transmit tagged or untagged frames. trunk - Specifies a port as an end-point for a VLAN trunk.
Chapter 21 | VLAN Commands Configuring VLAN Interfaces vlan-id - Default VLAN ID for a port. (Range: 1-4094) Default Setting VLAN 1 Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage ◆ When using Access mode, and an interface is assigned to a new VLAN, its PVID is automatically set to the identifier for that VLAN. When using Hybrid mode, the PVID for an interface can be set to any VLAN for which it is an untagged member.
[Figure 6: Configuring VLAN Trunking]
Without VLAN trunking, you would have to configure VLANs 1 and 2 on all intermediate switches – C, D and E; otherwise these switches would drop any frames with unknown VLAN group tags. However, by enabling VLAN trunking on the intermediate switch ports along the path connecting VLANs 1 and 2, you only need to create these VLAN groups in switches A and B.
Displaying VLAN Information This section describes commands used to display VLAN information.
Table 108: Commands for Displaying VLAN Information
Command                        Function                                                           Mode
show interfaces status vlan    Displays status for the specified VLAN interface                   NE, PE
show interfaces switchport     Displays the administrative and operational status of an interface NE, PE
show vlan                      Shows VLAN information                                             NE, PE
show vlan This command shows VLAN information.
Configuring IEEE 802.1Q Tunneling IEEE 802.1Q tunneling (QinQ tunneling) uses a single Service Provider VLAN (SPVLAN) for customers who have multiple VLANs. Customer VLAN IDs are preserved and traffic from different customers is segregated within the service provider’s network even when they use the same customer-specific VLAN IDs.
Chapter 21 | VLAN Commands Configuring IEEE 802.1Q Tunneling 7. Configure the QinQ tunnel uplink port to dot1Q-tunnel uplink mode (switchport dot1q-tunnel mode). 8. Configure the QinQ tunnel uplink port to join the SPVLAN as a tagged member (switchport allowed vlan). Limitations for QinQ ◆ The native VLAN for the tunnel uplink ports and tunnel access ports cannot be the same. However, the same service VLANs can be set on both tunnel port types.
switchport dot1q-tunnel mode This command configures an interface as a QinQ tunnel port. Use the no form to disable QinQ on the interface. Syntax switchport dot1q-tunnel mode {access | uplink} no switchport dot1q-tunnel mode access – Sets the port as an 802.1Q tunnel access port. uplink – Sets the port as an 802.1Q tunnel uplink port.
Chapter 21 | VLAN Commands Configuring IEEE 802.1Q Tunneling Default Setting Disabled Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage When priority bits are found in the inner tag, these are also copied to the outer tag. This allows the service provider to differentiate service based on the indicated priority and appropriate methods of queue management at intermediate nodes across the tunnel.
Chapter 21 | VLAN Commands Configuring IEEE 802.1Q Tunneling ◆ Note that all customer interfaces should be configured as access interfaces (that is, a user-to-network interface) and service provider interfaces as uplink interfaces (that is, a network-to-network interface). Use the switchport dot1q-tunnel mode uplink command to set an interface to access or uplink mode. Example This example sets the SVID to 99 in the outer tag for egress packets exiting port 1 when the packet’s CVID is 2.
Console(config-if)#switchport dot1q-tunnel service 200 match cvid 20
Console(config-if)#switchport dot1q-tunnel service 300 match cvid 30
6. Configure port 1 as a member of VLANs 10, 20 and 30 to avoid filtering out incoming frames tagged with VID 10, 20 or 30 on port 1.
Console(config)#interface ethernet 1/1
Console(config-if)#switchport allowed vlan add 10,20,30
7. Verify configuration settings.
Console#show dot1q-tunnel service 802.
Chapter 21 | VLAN Commands Configuring IEEE 802.1Q Tunneling custom 802.1Q ethertype on a trunk port, incoming frames containing that ethertype are assigned to the VLAN contained in the tag following the ethertype field, as they would be with a standard 802.1Q trunk. Frames arriving on the port containing any other ethertype are looked upon as untagged frames, and assigned to the native VLAN of that port.
Eth 1/ 3 Normal 8100
.
.
.
Console#show dot1q-tunnel interface ethernet 1/5
802.1Q Tunnel Service Subscriptions
Port     Match C-VID S-VID
-------- ----------- ----
Eth 1/ 5           1  100
Console#show dot1q-tunnel service 100
802.
■ IPv6 multicast addresses (with prefix 33-33-33) ■ Addresses used by the spanning tree protocol. Default Setting 01-12-CF-00-00-02, proprietary tunnel address Command Mode Global Configuration Command Usage When L2PT is not used, protocol packets (such as STP) are flooded to 802.1Q access ports on the same edge switch, but filtered from 802.1Q tunnel ports. This creates disconnected protocol domains in the customer’s network.
■ with the destination address 01-80-C2-00-00-01~0A (S-VLAN tag), it is filtered, decapsulated, and processed locally by the switch if the protocol is supported. ◆ When a protocol packet is received on an access port (i.e., an 802.
■ L2PT is disabled on this port, it is forwarded to the following ports in the same S-VLAN: (a) other access ports for which L2PT is disabled, and (b) all uplink ports. ■ recognized as a GBPT protocol packet (i.e.
Chapter 21 | VLAN Commands Configuring VLAN Translation ◆ For L2PT to function properly, QinQ must be enabled on the switch using the dot1q-tunnel system-tunnel-control command, and the interface configured to 802.1Q tunnel mode using the switchport dot1q-tunnel mode command.
switchport vlan-translation This command maps VLAN IDs between the customer and service provider. Syntax switchport vlan-translation original-vlan new-vlan no switchport vlan-translation original-vlan original-vlan - The original VLAN ID. (Range: 1-4094) new-vlan - The new VLAN ID.
Console(config)#vlan database
Console(config-vlan)#vlan 10 media ethernet state active
Console(config-vlan)#vlan 100 media ethernet state active
Console(config-vlan)#exit
Console(config)#interface ethernet 1/1,2
Console(config-if)#switchport allowed vlan add 10 tagged
Console(config-if)#switchport allowed vlan add 100 tagged
Console(config-if)#interface ethernet 1/1
Console(config-if)#switchport vlan-translation 10 100
Console(config-if)#end
Console#s
Configuring Protocol-based VLANs The network devices required to support multiple protocols cannot be easily grouped into a common VLAN. This may require non-standard devices to pass traffic between different VLANs in order to encompass all the devices participating in a specific protocol. This kind of configuration deprives users of the basic benefits of VLANs, including security and easy accessibility.
protocol-vlan protocol-group (Configuring Groups) This command creates a protocol group, or adds specific protocols to a group. Use the no form to remove a protocol group. Syntax protocol-vlan protocol-group group-id [{add | remove} frame-type frame protocol-type protocol] no protocol-vlan protocol-group group-id group-id - Group identifier of this protocol group. (Range: 1-2147483647) frame - Frame type used by this protocol.
Chapter 21 | VLAN Commands Configuring Protocol-based VLANs Default Setting No protocol groups are mapped for any interface. Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage ◆ When creating a protocol-based VLAN, only assign interfaces via this command. If you assign interfaces using any of the other VLAN commands (such as the vlan command), these interfaces will admit traffic of any protocol type into the associated VLAN.
Command Mode Privileged Exec Example This shows protocol group 1 configured for IP over Ethernet:
Console#show protocol-vlan protocol-group
Protocol Group ID  Frame Type    Protocol Type
------------------ ------------- --------------
                 1 ethernet      08 00
Console#
show interfaces protocol-vlan This command shows the mapping from protocol groups to VLANs for the selected interfaces.
Configuring IP Subnet VLANs When using IEEE 802.1Q port-based VLAN classification, all untagged frames received by a port are classified as belonging to the VLAN whose VID (PVID) is associated with that port. When IP subnet-based VLAN classification is enabled, the source address of untagged ingress frames is checked against the IP subnet-to-VLAN mapping table.
Chapter 21 | VLAN Commands Configuring IP Subnet VLANs ◆ When an untagged frame is received by a port, the source IP address is checked against the IP subnet-to-VLAN mapping table, and if an entry is found, the corresponding VLAN ID is assigned to the frame. If no mapping is found, the PVID of the receiving port is assigned to the frame. ◆ The IP subnet cannot be a broadcast or multicast IP address.
Configuring MAC Based VLANs When using IEEE 802.1Q port-based VLAN classification, all untagged frames received by a port are classified as belonging to the VLAN whose VID (PVID) is associated with that port. When MAC-based VLAN classification is enabled, the source address of untagged ingress frames is checked against the MAC address-to-VLAN mapping table.
Chapter 21 | VLAN Commands Configuring MAC Based VLANs ◆ Source MAC addresses can be mapped to only one VLAN ID. ◆ Configured MAC addresses cannot be broadcast or multicast addresses. ◆ When MAC-based, IP subnet-based, and protocol-based VLANs are supported concurrently, priority is applied in this sequence, and then port-based VLANs last. ◆ The binary equivalent mask matching the characters in the front of the first non-zero character must all be 1s (e.g., 111, i.e., it cannot be 101 or 001...).
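The classification order and mask rule described above can be modelled to predict which VLAN an untagged frame lands in. The following is an added example, not code from the switch or its vendor; the class and function names, the table contents, and the choice to try the most specific MAC mask or IP prefix first are assumptions made for illustration.

```python
import ipaddress

MAC_BITS = 48


def mac_to_int(mac):
    """Parse xx-xx-xx-xx-xx-xx or xxxxxxxxxxxx into a 48-bit integer."""
    digits = mac.replace("-", "")
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    return int(digits, 16)


def is_prefix_mask(mask):
    """True when every 1 bit sits in front of every 0 bit (111..., never 101 or 001)."""
    if mask == 0:
        return False
    inverted = ~mask & ((1 << MAC_BITS) - 1)
    return (inverted & (inverted + 1)) == 0


class UntaggedClassifier:
    """Assigns a VLAN to an untagged ingress frame from constructed tables."""

    def __init__(self):
        self.mac_rules = []       # (masked address, mask, vlan)
        self.subnet_rules = []    # (ip network, vlan)
        self.protocol_rules = {}  # (port, ethertype) -> vlan
        self.pvid = {}            # port -> PVID

    def add_mac_rule(self, mac, mask, vlan):
        addr, bits = mac_to_int(mac), mac_to_int(mask)
        if (addr >> 40) & 1:  # group bit set: broadcast or multicast
            raise ValueError("broadcast and multicast MAC addresses cannot be mapped")
        if not is_prefix_mask(bits):
            raise ValueError(f"mask {mask} is not a run of leading 1 bits")
        for known_addr, known_mask, known_vlan in self.mac_rules:
            if (known_addr, known_mask) == (addr & bits, bits) and known_vlan != vlan:
                raise ValueError("a source MAC address maps to only one VLAN ID")
        self.mac_rules.append((addr & bits, bits, vlan))
        # Assumption: the most specific mask is tried first.
        self.mac_rules.sort(key=lambda rule: rule[1], reverse=True)

    def add_subnet_rule(self, subnet, vlan):
        net = ipaddress.ip_network(subnet)
        if net.network_address.is_multicast or int(net.network_address) == 0xFFFFFFFF:
            raise ValueError("the IP subnet cannot be a broadcast or multicast address")
        self.subnet_rules.append((net, vlan))
        # Assumption: the longest prefix is tried first.
        self.subnet_rules.sort(key=lambda rule: rule[0].prefixlen, reverse=True)

    def classify(self, port, src_mac, ethertype, src_ip=None):
        """Return (vlan, method) for one untagged frame received on a port."""
        mac = mac_to_int(src_mac)
        for addr, mask, vlan in self.mac_rules:          # 1. MAC-based
            if (mac & mask) == addr:
                return vlan, "mac"
        if src_ip is not None:                           # 2. IP subnet-based
            ip = ipaddress.ip_address(src_ip)
            for net, vlan in self.subnet_rules:
                if ip in net:
                    return vlan, "ip-subnet"
        vlan = self.protocol_rules.get((port, ethertype))  # 3. protocol-based
        if vlan is not None:
            return vlan, "protocol"
        return self.pvid.get(port, 1), "port"            # 4. port-based (PVID)


def build_example():
    """Constructed tables: VLAN IDs, addresses and ports are sample values."""
    c = UntaggedClassifier()
    c.add_mac_rule("00-12-34-00-00-00", "ff-ff-ff-00-00-00", 10)
    c.add_subnet_rule("192.168.1.0/24", 20)
    c.protocol_rules[("1/1", 0x0800)] = 30
    c.pvid["1/1"] = 5
    return c


if __name__ == "__main__":
    c = build_example()
    frames = [
        ("1/1", "00-12-34-aa-bb-cc", 0x0800, "192.168.1.5"),
        ("1/1", "00-aa-bb-cc-dd-ee", 0x0800, "192.168.1.5"),
        ("1/1", "00-aa-bb-cc-dd-ee", 0x0800, "10.0.0.1"),
        ("1/1", "00-aa-bb-cc-dd-ee", 0x0806, None),
    ]
    for port, mac, ethertype, ip in frames:
        print(port, mac, hex(ethertype), ip, "->", c.classify(port, mac, ethertype, ip))
```

Running the model against a planned set of mappings shows where a more general rule is shadowed by a higher-priority one before the configuration is applied to the switch.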
Configuring Voice VLANs The switch allows you to specify a Voice VLAN for the network and set a CoS priority for the VoIP traffic. VoIP traffic can be detected on switch ports by using the source MAC address of packets, or by using LLDP (IEEE 802.1AB) to discover connected VoIP devices. When VoIP traffic is detected on a configured port, the switch automatically assigns the port to the Voice VLAN. Alternatively, switch ports can be manually configured.
Chapter 21 | VLAN Commands Configuring Voice VLANs ◆ VoIP traffic can be detected on switch ports by using the source MAC address of packets, or by using LLDP (IEEE 802.1AB) to discover connected VoIP devices. When VoIP traffic is detected on a configured port, the switch automatically assigns the port as a tagged member of the Voice VLAN. ◆ Only one Voice VLAN is supported and it must already be created on the switch before it can be specified as the Voice VLAN.
Chapter 21 | VLAN Commands Configuring Voice VLANs Note that when the switchport voice vlan command is set to auto mode, the remaining aging time displayed by the show voice vlan command will be displayed. Otherwise, if the switchport voice vlan command is disabled or set to manual mode, the remaining aging time will display “NA.” Example The following example configures the Voice VLAN aging time as 3000 minutes.
Example The following example adds a MAC OUI to the OUI Telephony list.
Console(config)#voice vlan mac-address 00-12-34-56-78-90 mask ff-ff-ff-00-00-00 description A new phone
Console(config)#
switchport voice vlan This command specifies the Voice VLAN mode for ports. Use the no form to disable the Voice VLAN feature on the port.
switchport voice vlan priority This command specifies a CoS priority for VoIP traffic on a port. Use the no form to restore the default priority on a port. Syntax switchport voice vlan priority priority-value no switchport voice vlan priority priority-value - The CoS priority value. (Range: 0-6) Default Setting 6 Command Mode Interface Configuration Command Usage Specifies a CoS priority to apply to the port VoIP traffic on the Voice VLAN.
Command Usage ◆ When OUI is selected, be sure to configure the MAC address ranges in the Telephony OUI list (see the voice vlan mac-address command). MAC address OUI numbers must be configured in the Telephony OUI list so that the switch recognizes the traffic as being from a VoIP device. ◆ LLDP checks that the “telephone bit” in the system capability TLV is turned on. See “LLDP Commands” on page 793 for more information on LLDP.
Chapter 21 | VLAN Commands Configuring Voice VLANs show voice vlan This command displays the Voice VLAN settings on the switch and the OUI Telephony list. Syntax show voice vlan {oui | status} oui - Displays the OUI Telephony list. status - Displays the global and port Voice VLAN settings.
22 Class of Service Commands The commands described in this section allow you to specify which data packets have greater precedence when traffic is buffered in the switch due to congestion. This switch supports CoS with eight priority queues for each port. Data packets in a port’s high-priority queue will be transmitted before those in the lower-priority queues.
Chapter 22 | Class of Service Commands Priority Commands (Layer 2) queue mode This command sets the scheduling mode used for processing each of the class of service (CoS) priority queues. The options include strict priority, Weighted Round-Robin (WRR), or a combination of strict and weighted queuing. Use the no form to restore the default value.
Chapter 22 | Class of Service Commands Priority Commands (Layer 2) ◆ Service time is shared at the egress ports by defining scheduling weights for WRR, or for the queuing mode that uses a combination of strict and weighted queuing. Service time is allocated to each queue by calculating a precise number of bytes per second that will be serviced on each round. ◆ The specified queue mode applies to all interfaces.
Example The following example shows how to assign round-robin weights of 1 - 8 to the CoS priority queues 0 - 7.
Console(config)#queue weight 1 2 3 4 5 6 7 8
Console(config)#
Related Commands queue mode (632) show queue weight (635)
switchport priority default This command sets a priority for incoming untagged frames. Use the no form to restore the default value.
Chapter 22 | Class of Service Commands Priority Commands (Layer 2) Example The following example shows how to set a default priority on port 3 to 5: Console(config)#interface ethernet 1/3 Console(config-if)#switchport priority default 5 Console(config-if)# Related Commands show interfaces switchport (439) show queue mode This command shows the current queue mode.
Chapter 22 | Class of Service Commands Priority Commands (Layer 3 and 4) Priority Commands (Layer 3 and 4) This section describes commands used to configure Layer 3 and 4 traffic priority mapping on the switch.
Default Setting
Table 119: Default Mapping of CoS/CFI to Internal PHB/Drop Precedence
CoS   CFI 0   CFI 1
0     (0,0)   (0,0)
1     (1,0)   (1,0)
2     (2,0)   (2,0)
3     (3,0)   (3,0)
4     (4,0)   (4,0)
5     (5,0)   (5,0)
6     (6,0)   (6,0)
7     (7,0)   (7,0)
Command Mode Interface Configuration (Port, Static Aggregation) Command Usage ◆ The default mapping of CoS to PHB values shown in Table 119 is based on the recommended settings in IEEE 802.
qos map dscp-mutation This command maps DSCP values in incoming packets to per-hop behavior and drop precedence values for priority processing. Use the no form to restore the default settings. Syntax qos map dscp-mutation phb drop-precedence from dscp0 ... dscp7 no qos map dscp-mutation dscp0 ... dscp7 phb - Per-hop behavior, or the priority used for this router hop.
Chapter 22 | Class of Service Commands Priority Commands (Layer 3 and 4) ◆ Two QoS domains can have different DSCP definitions, so the DSCP-to-PHB/ Drop Precedence mutation map can be used to modify one set of DSCP values to match the definition of another domain. The mutation map should be applied at the receiving port (ingress mutation) at the boundary of a QoS administrative domain. ◆ The specified mapping applies to all interfaces.
Example
Console(config)#interface ethernet 1/5
Console(config-if)#qos map phb-queue 0 from 1 2 3
Console(config-if)#

qos map trust-mode
This command sets QoS mapping to DSCP or CoS. Use the no form to restore the default setting.
Syntax
qos map trust-mode {dscp | cos}
no qos map trust-mode
dscp - Sets the QoS mapping mode to DSCP.
cos - Sets the QoS mapping mode to CoS.
show qos map cos-dscp
This command shows ingress CoS/CFI to internal DSCP map.
Syntax
show qos map cos-dscp interface interface
interface
ethernet unit/port
unit - Unit identifier. (Range: 1-8)
port - Port number. (Range: 1-28/52)
Command Mode
Privileged Exec
Example
Console#show qos map cos-dscp interface ethernet 1/5
CoS Information of Eth 1/5 CoS-DSCP map.
Example
The ingress DSCP is composed of “d1” (most significant digit in the left column) and “d2” (least significant digit in the top row); in other words, ingress DSCP = d1 * 10 + d2. The corresponding internal DSCP and drop precedence are shown at the intersecting cell in the table.
Console#show qos map dscp-mutation interface ethernet 1/5
Information of Eth 1/5 DSCP mutation map.
show qos map trust-mode
This command shows the QoS mapping mode.
Syntax
show qos map trust-mode interface interface
interface
ethernet unit/port
unit - Unit identifier. (Range: 1-8)
port - Port number.
23 Quality of Service Commands The commands described in this section are used to configure Differentiated Services (DiffServ) classification criteria and service policies. You can classify traffic based on access lists, IP Precedence or DSCP values, or VLANs. Using access lists allows you to select traffic based on Layer 2, Layer 3, or Layer 4 information contained in each packet.
Chapter 23 | Quality of Service Commands To create a service policy for a specific category of ingress traffic, follow these steps: 1. Use the class-map command to designate a class name for a specific category of traffic, and enter the Class Map configuration mode. 2. Use the match command to select a specific type of traffic based on an access list, an IPv4 DSCP value, IPv4 Precedence value, IPv6 DSCP value, a VLAN, a CoS value, or a source port. 3.
Chapter 23 | Quality of Service Commands ◆ One or more class maps can be assigned to a policy map (page 650). The policy map is then bound by a service policy to an interface (page 661). A service policy defines packet classification, service tagging, and bandwidth policing. Once a policy map has been bound to an interface, no additional class maps may be added to the policy map, nor any changes made to the assigned class maps with the match or set commands.
Chapter 23 | Quality of Service Commands match This command defines the criteria used to classify traffic. Use the no form to delete the matching criteria. Syntax [no] match {access-list acl-name | cos cos | ip dscp dscp | ip precedence ip-precedence | ipv6 dscp dscp | source-port interface | vlan vlan} acl-name - Name of the access control list. Any type of ACL can be specified, including standard or extended IPv4/IPv6 ACLs and MAC ACLs. (Range: 1-16 characters) cos - A Class of Service value.
Example
This example creates a class map called “rd-class#1,” and sets it to match packets marked for DSCP service value 3.
Console(config)#class-map rd-class#1 match-any
Console(config-cmap)#match ip dscp 3
Console(config-cmap)#
This example creates a class map called “rd-class#2,” and sets it to match packets marked for IP Precedence service value 5.
Chapter 23 | Quality of Service Commands policy-map This command creates a policy map that can be attached to multiple interfaces, and enters Policy Map configuration mode. Use the no form to delete a policy map. Syntax [no] policy-map policy-map-name policy-map-name - Name of the policy map.
Command Mode
Policy Map Configuration
Command Usage
◆ Use the policy-map command to specify a policy map and enter Policy Map configuration mode. Then use the class command to enter Policy Map Class configuration mode. And finally, use the set command and one of the police commands to specify the match criteria, where the:
■ set phb command sets the per-hop behavior value in matching packets. (This modifies packet priority for internal processing only.
Chapter 23 | Quality of Service Commands police flow This command defines an enforcer for classified traffic based on the metered flow rate. Use the no form to remove a policer. Syntax [no] police flow committed-rate committed-burst conform-action transmit violate-action {drop| new-dscp} committed-rate - Committed information rate (CIR) in kilobits per second. (Range: 0-10000000 kbps at a granularity of 64 kbps or maximum port speed, whichever is lower) committed-burst - Committed burst size (BC) in bytes.
■ Tc is not incremented.
When a packet of size B bytes arrives at time t, the following happens:
■ If Tc(t)-B ≥ 0, the packet is green and Tc is decremented by B down to the minimum value of 0, else
■ the packet is red and Tc is not decremented.
Chapter 23 | Quality of Service Commands violate-action - Action to take when rate exceeds the BE. (There are not enough tokens in bucket BE to service the packet, the packet is set red.) transmit - Transmits without taking any action. drop - Drops packet as required by exceed-action or violate-action. new-dscp - Differentiated Service Code Point (DSCP) value. (Range: 0-63) Default Setting None Command Mode Policy Map Class Configuration Command Usage You can configure up to 16 policers (i.e.
When a packet of size B bytes arrives at time t, the following happens if srTCM is configured to operate in color-blind mode:
■ If Tc(t)-B ≥ 0, the packet is green and Tc is decremented by B down to the minimum value of 0, else
■ if Te(t)-B ≥ 0, the packet is yellow and Te is decremented by B down to the minimum value of 0, else
■ the packet is red and neither Tc nor Te is decremented.
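The color-blind srTCM decision described above, worked through as an added Python example (not code from this guide or from the switch firmware). It assumes both buckets start full, that tokens refill Tc before Te at the committed rate, and that 1 kbps is 1000 bits per second; the class and function names and the sample burst are constructed for illustration.

```python
"""Color-blind single rate three color meter (srTCM), added example.

Tc and Te are the committed and excess token buckets, in bytes.
Assumptions: both start full, refill at the committed rate (Tc first,
then Te), and 1 kbps = 1000 bits per second.
"""


class SrTcmColorBlind:
    def __init__(self, committed_rate_kbps, committed_burst, excess_burst):
        self.cir = committed_rate_kbps      # CIR, kilobits per second
        self.bc = committed_burst           # BC, bytes
        self.be = excess_burst              # BE, bytes
        self.tc = float(committed_burst)    # committed bucket level
        self.te = float(excess_burst)       # excess bucket level
        self.last = 0.0                     # time of the last refill, seconds

    def _refill(self, now):
        # Convert elapsed time into byte tokens at the committed rate.
        elapsed = max(0.0, now - self.last)
        tokens = elapsed * self.cir * 1000 / 8
        self.last = max(now, self.last)
        # Fill Tc up to BC first; only the overflow goes to Te, capped at BE.
        to_tc = min(tokens, self.bc - self.tc)
        self.tc += to_tc
        self.te = min(self.be, self.te + tokens - to_tc)

    def meter(self, now, size):
        """Color one packet of `size` bytes arriving at time `now` (seconds)."""
        self._refill(now)
        if self.tc - size >= 0:
            self.tc -= size
            return "green"
        if self.te - size >= 0:
            self.te -= size
            return "yellow"
        return "red"        # neither bucket is decremented


def police(meter, packets, exceed_action="drop", violate_action="drop"):
    """Meter (time_s, size_bytes) packets and pair each color with its action.

    The conform action is always transmit. The exceed and violate actions
    are either "drop" or an int DSCP value (0-63) to remark the packet with.
    """
    for action in (exceed_action, violate_action):
        if action != "drop" and not (isinstance(action, int) and 0 <= action <= 63):
            raise ValueError("action must be 'drop' or a DSCP value 0-63")
    by_color = {"green": "transmit", "yellow": exceed_action, "red": violate_action}
    results = []
    for when, size in packets:
        color = meter.meter(when, size)
        results.append((color, by_color[color]))
    return results


# Constructed sample: eight back-to-back 1500-byte packets at t=0,
# then one more packet a second later.
SAMPLE_BURST = [(0.0, 1500)] * 8 + [(1.0, 1500)]

if __name__ == "__main__":
    m = SrTcmColorBlind(committed_rate_kbps=64, committed_burst=4000, excess_burst=6000)
    for (when, size), (color, action) in zip(SAMPLE_BURST, police(m, SAMPLE_BURST, exceed_action=0)):
        print(f"t={when:.1f}s size={size} color={color} action={action}")
```

The burst drains Tc after two packets and Te after four more, so the last two packets of the burst are red; one second of refill at 64 kbps (8000 bytes) tops up Tc and leaves the remainder in Te.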
Chapter 23 | Quality of Service Commands police trtcm-color This command defines an enforcer for classified traffic based on a two rate three color meter (trTCM). Use the no form to remove a policer. Syntax [no] police {trtcm-color-blind | trtcm-color-aware} committed-rate committed-burst peak-rate peak-burst conform-action transmit exceed-action {drop | new-dscp} violate action {drop | new-dscp} trtcm-color-blind - Two rate three color meter in color-blind mode.
Chapter 23 | Quality of Service Commands ◆ The trTCM as defined in RFC 2698 meters a traffic stream and processes its packets based on two rates – Committed Information Rate (CIR) and Peak Information Rate (PIR), and their associated burst sizes - Committed Burst Size (BC) and Peak Burst Size (BP). ◆ The PHB label is composed of five bits, three bits for per-hop behavior, and two bits for the color scheme used to control queue congestion. A packet is marked red if it exceeds the PIR.
Chapter 23 | Quality of Service Commands Example This example creates a policy called “rd-policy,” uses the class command to specify the previously defined “rd-class,” uses the set phb command to classify the service that incoming packets will receive, and then uses the police trtcm-color-blind command to limit the average bandwidth to 100,000 Kbps, the committed burst rate to 4000 bytes, the peak information rate to 1,000,000 kbps, the peak burst size to 6000, to remark any packets exceeding the committed
Chapter 23 | Quality of Service Commands Example This example creates a policy called “rd-policy,” uses the class command to specify the previously defined “rd-class,” uses the set cos command to classify the service that incoming packets will receive, and then uses the police flow command to limit the average bandwidth to 100,000 Kbps, the burst rate to 4000 bytes, and configure the response to drop any violating packets.
Chapter 23 | Quality of Service Commands set phb This command services IP traffic by setting a per-hop behavior value for a matching packet (as specified by the match command) for internal processing. Use the no form to remove this setting. Syntax [no] set phb phb-value phb-value - Per-hop behavior value.
Chapter 23 | Quality of Service Commands service-policy This command applies a policy map defined by the policy-map command to the ingress or egress side of a particular interface. Use the no form to remove this mapping. Syntax [no] service-policy {input | output} policy-map-name input - Apply to the input traffic. output - Apply to the output traffic. policy-map-name - Name of the policy map for this interface. (Range: 1-32 characters) Default Setting No policy map is attached to an interface.
Example
Console#show class-map
Class Map match-any rd-class#1
 Description:
 Match ip dscp 10
 Match access-list rd-access
 Match ip dscp 0
Class Map match-any rd-class#2
 Match ip precedence 5
Class Map match-any rd-class#3
 Match vlan 1
Console#

show policy-map
This command displays the QoS policy maps which define classification criteria for ingress or egress traffic, and may include policers for bandwidth limitations.
show policy-map interface
This command displays the service policy assigned to the specified interface.
Syntax
show policy-map interface interface {input | output}
interface
unit/port
unit - Unit identifier. (Range: 1-8)
port - Port number.
24 Multicast Filtering Commands This switch uses IGMP (Internet Group Management Protocol) to check for any attached hosts that want to receive a specific multicast service. It identifies the ports containing hosts requesting a service and sends data out to those ports only. It then propagates the service request up to any neighboring multicast switch/ router to ensure that it will continue to receive the multicast service.
Chapter 24 | Multicast Filtering Commands IGMP Snooping IGMP Snooping This section describes commands used to configure IGMP snooping on the switch.
Chapter 24 | Multicast Filtering Commands IGMP Snooping Table 124: IGMP Snooping Commands (Continued) Command Function Mode ip igmp snooping vlan static Adds an interface as a member of a multicast group GC ip igmp snooping vlan version Configures the IGMP version for snooping GC ip igmp snooping vlan version-exclusive Discards received IGMP messages which use a version different to that currently configured GC clear ip igmp snooping groups dynamic Clears multicast group information dynamicall
Example
The following example enables IGMP snooping globally.
Console(config)#ip igmp snooping
Console(config)#

ip igmp snooping priority
This command assigns a priority to all multicast traffic. Use the no form to restore the default setting.
Syntax
ip igmp snooping priority priority
no ip igmp snooping priority
priority - The CoS priority assigned to all multicast traffic.
ip igmp snooping proxy-reporting
This command enables IGMP Snooping with Proxy Reporting. Use the no form to restore the default setting.
Syntax
[no] ip igmp snooping proxy-reporting
ip igmp snooping vlan vlan-id proxy-reporting {enable | disable}
no ip igmp snooping vlan vlan-id proxy-reporting
vlan-id - VLAN ID (Range: 1-4094)
enable - Enable on the specified VLAN.
disable - Disable on the specified VLAN.
Command Usage
◆ IGMP snooping querier is not supported for IGMPv3 snooping (see ip igmp snooping version).
◆ If enabled, the switch will serve as querier if elected. The querier is responsible for asking hosts if they want to receive multicast traffic.
Example
Console(config)#ip igmp snooping querier
Console(config)#

ip igmp snooping router-alert-option-
This command discards any IGMPv2/v3 packets that do not include the Router Alert option.
ip igmp snooping router-port-expire-time
This command configures the querier timeout. Use the no form to restore the default.
Syntax
ip igmp snooping router-port-expire-time seconds
no ip igmp snooping router-port-expire-time
seconds - The time the switch waits after the previous querier stops before it considers it to have expired.
Chapter 24 | Multicast Filtering Commands IGMP Snooping ◆ If a topology change notification (TCN) is received, and all the uplink ports are subsequently deleted, a timeout mechanism is used to delete all of the currently learned multicast channels. ◆ When a new uplink port starts up, the switch sends unsolicited reports for all current learned channels out through the new uplink port.
When an upstream multicast router receives this solicitation, it will also immediately issue an IGMP general query.
◆ The ip igmp snooping tcn query-solicit command can be used to send a query solicitation whenever it notices a topology change, even if the switch is not the root bridge in the spanning tree.
ip igmp snooping unsolicited-report-interval
This command specifies how often the upstream interface should transmit unsolicited IGMP reports when proxy reporting is enabled. Use the no form to restore the default value.
Syntax
ip igmp snooping unsolicited-report-interval seconds
no ip igmp snooping unsolicited-report-interval
seconds - The interval at which to issue unsolicited reports.
Chapter 24 | Multicast Filtering Commands IGMP Snooping Command Mode Global Configuration Command Usage ◆ This command configures the IGMP report/query version used by IGMP snooping. Versions 1 - 3 are all supported, and versions 2 and 3 are backward compatible, so the switch can operate with other devices, regardless of the snooping version employed. ◆ If the IGMP snooping version is configured on a VLAN, this setting takes precedence over the global configuration.
ip igmp snooping vlan general-query-suppression
This command suppresses general queries except for ports attached to downstream multicast hosts. Use the no form to flood general queries to all ports except for the multicast router port.
Command Usage
◆ If immediate-leave is not used, a multicast router (or querier) will send a group-specific query message when an IGMPv2/v3 group leave message is received. The router/querier stops forwarding traffic for that group only if no host replies to the query within the timeout period. (The timeout for this release is currently defined by ip igmp snooping vlan last-memb-query-intvl * ip igmp robustval.
Chapter 24 | Multicast Filtering Commands IGMP Snooping Command Usage This command will take effect only if IGMP snooping proxy reporting or IGMP querier is enabled (page 669). Example Console(config)#ip igmp snooping vlan 1 last-memb-query-count 7 Console(config)# ip igmp snooping vlan This command configures the last-member-query interval. Use the no form to last-memb-query- restore the default.
ip igmp snooping vlan mrd
This command enables sending of multicast router solicitation messages. Use the no form to disable these messages.
Chapter 24 | Multicast Filtering Commands IGMP Snooping ip igmp snooping vlan This command configures a static source address for locally generated query and proxy-address report messages used by IGMP proxy reporting. Use the no form to restore the default source address. Syntax [no] ip igmp snooping vlan vlan-id proxy-address source-address vlan-id - VLAN ID (Range: 1-4094) source-address - The source address used for proxied IGMP query and report, and leave messages.
Example
The following example sets the source address for proxied IGMP query messages to 10.0.1.8.
Console(config)#ip igmp snooping vlan 1 proxy-address 10.0.1.8
Console(config)#

ip igmp snooping vlan query-interval
This command configures the interval between sending IGMP general queries. Use the no form to restore the default.
ip igmp snooping vlan query-resp-intvl
This command configures the maximum time the system waits for a response to general queries. Use the no form to restore the default.
Syntax
ip igmp snooping vlan vlan-id query-resp-intvl interval
no ip igmp snooping vlan vlan-id query-resp-intvl
vlan-id - VLAN ID (Range: 1-4094)
interval - The maximum time the system waits for a response to general queries.
Chapter 24 | Multicast Filtering Commands IGMP Snooping Command Mode Global Configuration Command Usage ◆ Static multicast entries are never aged out. ◆ When a multicast entry is assigned to an interface in a specific VLAN, the corresponding traffic can only be forwarded to ports within that VLAN. Example The following shows how to statically configure a multicast group on a port. Console(config)#ip igmp snooping vlan 1 static 224.0.0.
Command Mode
Privileged Exec
Example
Console#clear ip igmp snooping statistics
Console#

show ip igmp snooping
This command shows the IGMP snooping, proxy, and query configuration settings.
Syntax
show ip igmp snooping [vlan vlan-id]
vlan-id - VLAN ID (1-4094)
Command Mode
Privileged Exec
Command Usage
This command displays global and VLAN-specific IGMP configuration settings.
Multicast Router Discovery . . . : Disabled

VLAN Static Group    Port
---- --------------- --------
   1 224.1.1.1       Eth 1/ 1

show ip igmp snooping group
This command shows known multicast group, source, and host port mappings for the specified VLAN interface, or for all interfaces if none is specified.
Chapter 24 | Multicast Filtering Commands IGMP Snooping VLAN Group Port Up time Expire Count ---- --------------- ----------- ----------- ------ -------1 224.1.1.1 00:00:00:37 2(P) Eth 1/ 1(R) Eth 1/ 2(M) 0(H) Console# show ip igmp This command displays information on statically configured and dynamically snooping mrouter learned multicast router ports.
Chapter 24 | Multicast Filtering Commands IGMP Snooping port-channel channel-id (Range: 1-16) vlan vlan-id - VLAN ID (Range: 1-4094) query - Displays IGMP snooping-related statistics.
Chapter 24 | Multicast Filtering Commands IGMP Snooping Table 126: show ip igmp snooping statistics output - display description Field Description Interface Shows interface. Report The number of IGMP membership reports sent from this interface. Leave The number of leave messages sent from this interface. G Query The number of general query messages sent from this interface. G(-S)-S Query The number of group specific or group-and-source specific query messages sent from this interface.
Chapter 24 | Multicast Filtering Commands Static Multicast Routing Table 127: show ip igmp snooping statistics vlan query - display description Field Description Warn Rate Limit The rate at which received query messages of the wrong version type cause the Vx warning count to increment. Note that “0 sec” means that the Vx warning count is incremented for each wrong message version received.
Chapter 24 | Multicast Filtering Commands IGMP Filtering and Throttling Command Usage ◆ Depending on your network connections, IGMP snooping may not always be able to locate the IGMP querier. Therefore, if the IGMP querier is a known multicast router or switch connected over the network to an interface (port or trunk) on this switch, that interface can be manually configured to join all the current multicast groups.
Chapter 24 | Multicast Filtering Commands IGMP Filtering and Throttling Table 129: IGMP Filtering and Throttling Commands (Continued) Command Function Mode show ip igmp query-drop Shows if the interface is configured to drop IGMP query packets PE show ip igmp throttle interface Displays the IGMP throttling setting for interfaces PE show ip multicast-datadrop Shows if the interface is configured to drop multicast data PE packets ip igmp filter This command globally enables IGMP filtering and thro
Chapter 24 | Multicast Filtering Commands IGMP Filtering and Throttling ip igmp profile This command creates an IGMP filter profile number and enters IGMP profile configuration mode. Use the no form to delete a profile number. Syntax [no] ip igmp profile profile-number profile-number - An IGMP filter profile number. (Range: 1-4294967295) Default Setting Disabled Command Mode Global Configuration Command Usage A profile defines the multicast groups that a subscriber is permitted or denied to join.
Chapter 24 | Multicast Filtering Commands IGMP Filtering and Throttling Example Console(config)#ip igmp profile 19 Console(config-igmp-profile)#permit Console(config-igmp-profile)# range This command specifies multicast group addresses for a profile. Use the no form to delete addresses from a profile. Syntax [no] range low-ip-address [high-ip-address] low-ip-address - A valid IP address of a multicast group or start of a group range.
Chapter 24 | Multicast Filtering Commands IGMP Filtering and Throttling Command Usage ◆ If IGMP authentication is enabled on an interface, and a join report is received on the interface, the switch will send an access request to the RADIUS server to perform authentication. ◆ Only when the RADIUS server responds with an authentication success message will the switch learn the group report.
Table 130: IGMP Authentication RADIUS Attribute Value Pairs
Attribute Name      AVP Type   Entry
NAS_PORT            5          User Port Number
FRAMED_IP_ADDRESS   8          Multicast Group ID
Example
This example shows how to enable IGMP Authentication on all of the switch’s Ethernet interfaces.
Chapter 24 | Multicast Filtering Commands IGMP Filtering and Throttling ip igmp max-groups This command sets the IGMP throttling number for an interface on the switch. Use the no form to restore the default setting. Syntax ip igmp max-groups number no ip igmp max-groups number - The maximum number of multicast groups an interface can join at the same time.
Chapter 24 | Multicast Filtering Commands IGMP Filtering and Throttling Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage When the maximum number of groups is reached on a port, the switch can take one of two actions; either “deny” or “replace.” If the action is set to deny, any new IGMP join reports will be dropped. If the action is set to replace, the switch randomly removes an existing group and replaces it with the new multicast group.
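How a join report is evaluated against a filter profile and then against the throttling limit, as an added Python example (not code from this guide or the switch). The ranges are those of profile 19 in this guide's show ip igmp profile output; the class names, the result strings, and the rule that a deny profile processes joins only for groups outside its ranges are assumptions made for the illustration.

```python
"""IGMP filter profile and throttling decision for one port (added example)."""
import ipaddress
import random


class IgmpProfile:
    """A filter profile: one access mode plus one or more group ranges."""

    def __init__(self, number, mode, ranges):
        if mode not in ("permit", "deny"):
            raise ValueError("mode must be 'permit' or 'deny'")
        self.number = number
        self.mode = mode
        self.ranges = []
        for low, high in ranges:
            lo = ipaddress.IPv4Address(low)
            hi = ipaddress.IPv4Address(high if high else low)  # single address
            if not (lo.is_multicast and hi.is_multicast) or lo > hi:
                raise ValueError(f"invalid multicast range: {low} {high}")
            self.ranges.append((lo, hi))

    def allows(self, group):
        g = ipaddress.IPv4Address(group)
        in_range = any(lo <= g <= hi for lo, hi in self.ranges)
        # Assumption: permit processes joins inside the ranges,
        # deny processes joins only outside them.
        return in_range if self.mode == "permit" else not in_range


class Port:
    """One interface with an optional profile and a max-groups limit."""

    def __init__(self, max_groups, action="deny", profile=None, rng=None):
        if action not in ("deny", "replace"):
            raise ValueError("action must be 'deny' or 'replace'")
        self.max_groups = max_groups
        self.action = action
        self.profile = profile
        self.groups = set()
        self.rng = rng or random.Random()

    def join(self, group):
        """Return 'invalid', 'filtered', 'joined', 'throttled' or 'replaced'."""
        addr = ipaddress.IPv4Address(group)
        if not addr.is_multicast:
            return "invalid"
        group = str(addr)
        # Filtering is checked first: a denied group never reaches throttling.
        if self.profile is not None and not self.profile.allows(group):
            return "filtered"
        if group in self.groups or len(self.groups) < self.max_groups:
            self.groups.add(group)
            return "joined"
        if self.action == "deny":
            return "throttled"            # new join report is dropped
        # replace: a randomly chosen existing group gives way to the new one
        victim = self.rng.choice(sorted(self.groups))
        self.groups.remove(victim)
        self.groups.add(group)
        return "replaced"


# Ranges taken from the guide's "show ip igmp profile 19" output.
PROFILE_19 = IgmpProfile(19, "deny", [("239.1.1.1", "239.1.1.1"),
                                      ("239.2.3.1", "239.2.3.100")])

if __name__ == "__main__":
    port = Port(max_groups=2, action="deny", profile=PROFILE_19)
    # Constructed join sequence for illustration.
    for g in ("239.5.5.1", "239.2.3.50", "239.5.5.2", "239.5.5.3"):
        print(g, port.join(g))
```

With the replace action the evicted group is picked at random, so which subscriber stream is interrupted is not predictable from the configuration alone.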
Chapter 24 | Multicast Filtering Commands IGMP Filtering and Throttling Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage This command can be used to stop multicast services from being forwarded to users attached to the downstream port (i.e., the interfaces specified by this command). Example Console(config)#interface ethernet 1/1 Console(config-if)#ip multicast-data-drop Console(config-if)# show ip igmp This command displays the interface settings for IGMP authentication.
Chapter 24 | Multicast Filtering Commands IGMP Filtering and Throttling show ip igmp filter This command displays the global and interface settings for IGMP filtering. Syntax show ip igmp filter [interface interface] interface ethernet unit/port unit - Unit identifier. (Range: 1-8) port - Port number.
Console#show ip igmp profile 19
IGMP Profile 19
 Deny
 Range 239.1.1.1 239.1.1.1
 Range 239.2.3.1 239.2.3.100
Console#

show ip igmp query-drop
This command shows if the specified interface is configured to drop IGMP query packets.
Syntax
show ip igmp throttle interface [interface]
interface
ethernet unit/port
unit - Unit identifier. (Range: 1-8)
port - Port number.
Chapter 24 | Multicast Filtering Commands IGMP Filtering and Throttling Default Setting None Command Mode Privileged Exec Command Usage Using this command without specifying an interface displays information for all interfaces.
Chapter 24 | Multicast Filtering Commands MLD Snooping MLD Snooping Multicast Listener Discovery (MLD) snooping operates on IPv6 traffic and performs a similar function to IGMP snooping for IPv4. That is, MLD snooping dynamically configures switch ports to limit IPv6 multicast traffic so that it is forwarded only to ports with users that want to receive it. This reduces the flooding of IPv6 multicast packets in the specified VLANs. There are two versions of the MLD protocol, version 1 and version 2.
Chapter 24 | Multicast Filtering Commands MLD Snooping Table 131: MLD Snooping Commands (Continued) Command Function Mode clear ipv6 mld snooping statistics Clears MLD snooping statistics PE show ipv6 mld snooping Displays MLD Snooping configuration PE show ipv6 mld snooping group Displays the learned groups PE show ipv6 mld snooping group source-list Displays the learned groups and corresponding source list PE show ipv6 mld snooping mrouter Displays the information of multicast router ports
Chapter 24 | Multicast Filtering Commands MLD Snooping Command Usage ◆ When proxy reporting is enabled with this command, reports received from downstream hosts are summarized and used to build internal membership states. Proxy-reporting devices may use the all-zeros IP source address when forwarding any summarized reports upstream. For this reason, IGMP membership reports received by the snooping switch must not be rejected because the source IP address is set to 0.0.0.0.
ipv6 mld snooping query-interval
This command configures the interval between sending MLD general queries. Use the no form to restore the default.
Syntax
ipv6 mld snooping query-interval interval
no ipv6 mld snooping query-interval
interval - The interval between sending MLD general queries.
Example
Console(config)#ipv6 mld snooping query-max-response-time seconds 15
Console(config)#

ipv6 mld snooping robustness
This command configures the MLD Snooping robustness variable. Use the no form to restore the default value.
Syntax
ipv6 mld snooping robustness value
no ipv6 mld snooping robustness
value - The number of the robustness variable.
Command Usage
The router port expire time is the time the switch waits after the previous querier stops before it considers the router port (i.e., the interface that had been receiving query packets) to have expired.
Example
Console(config)#ipv6 mld snooping router-port-expire-time 300
Console(config)#

ipv6 mld snooping unknown-multicast
This command sets the action for dealing with unknown multicast packets. Use the no form to restore the default.
ipv6 mld snooping unsolicited-report-interval
This command specifies how often the upstream interface should transmit unsolicited MLD snooping reports when proxy reporting is enabled. Use the no form to restore the default value.
Syntax
ipv6 mld snooping unsolicited-report-interval seconds
no ipv6 mld snooping unsolicited-report-interval
seconds - The interval at which to issue unsolicited reports.
Example
Console(config)#ipv6 mld snooping version 1
Console(config)#

ipv6 mld snooping vlan immediate-leave
This command immediately deletes a member port of an IPv6 multicast service when a leave packet is received at that port and immediate-leave is enabled for the parent VLAN. Use the no form to restore the default.
Syntax
ipv6 mld snooping vlan vlan-id immediate-leave [by-host-ip]
vlan-id - A VLAN identification number.
ipv6 mld snooping vlan mrouter
This command statically configures an IPv6 multicast router port. Use the no form to remove the configuration.
Syntax
[no] ipv6 mld snooping vlan vlan-id mrouter interface
vlan-id - VLAN ID (Range: 1-4094)
interface
ethernet unit/port
unit - Unit identifier. (Range: 1-8)
port - Port number. (Range: 1-28/52)
port-channel channel-id (Range: 1-16)
Default Setting
No static multicast router ports are configured.
ipv6 mld snooping vlan static
This command adds a port to an IPv6 multicast group. Use the no form to remove the port.
Syntax
[no] ipv6 mld snooping vlan vlan-id static ipv6-address interface
vlan - VLAN ID (Range: 1-4094)
ipv6-address - An IPv6 address of a multicast group. (Format: X:X:X:X::X)
interface
ethernet unit/port
unit - Unit identifier. (Range: 1-8)
port - Port number.
clear ipv6 mld snooping statistics
This command clears MLD snooping statistics.
Syntax
clear ipv6 mld snooping statistics [interface interface]
interface
ethernet unit/port
unit - Unit identifier. (Range: 1-8)
port - Port number.
Unknown Flood Behavior : To Router Port
MLD Snooping Version   : Version 2

VLAN Group IPv6 Address                      Port
---- --------------------------------------- ---------
   1 ff05:0:1:2:3:4:5:6                      Eth 1/1

Console#show ipv6 mld snooping vlan
VLAN 1
Immediate Leave        : Disabled
Unknown Flood Behavior : To Router Port
Console#

show ipv6 mld snooping group
This command shows known multicast groups, member ports, and the means by which each group was learned.
Chapter 24 | Multicast Filtering Commands MLD Snooping Example The following shows MLD Snooping group mapping information: Console#show ipv6 mld snooping group source-list VLAN ID Mutlicast IPv6 Address Member Port MLD Snooping Filter Mode (if exclude filter mode) Filter Timer Elapse Request List Exclude List (if include filter mode) Include List : : : : : 1 FF02::01:01:01:01 Eth 1/1 Multicast Data Include : 10 sec.
show ipv6 mld snooping statistics
This command shows MLD snooping protocol statistics for the specified interface.
Syntax
show ipv6 mld snooping statistics {input [interface interface] | output [interface interface] | query [vlan vlan-id] | summary interface interface}
interface
ethernet unit/port
unit - Unit identifier. (Range: 1-8)
port - Port number.
Chapter 24 | Multicast Filtering Commands MLD Snooping Table 132: show ipv6 MLD snooping statistics input - display description Field Description Join Succ The number of times a multicast group was successfully joined. Group The number of MLD groups active on this interface.
Chapter 24 | Multicast Filtering Commands MLD Snooping Table 134: show ipv6 MLD snooping statistics query - display description Field Description Other Querier Address IP address of remote querier on this interface. Other Querier Expire Time after which remote querier is assumed to have expired. Other Querier Uptime Time remote querier has been up. Self Querier IP address of local querier on this interface. Self Querier Expire Time after which local querier is assumed to have expired.
Table 135: show ipv6 MLD snooping statistics summary - display description
Field                Description
Number of Groups     Number of MLD groups active on the specified interface.
Physical Interface (Port/Trunk)
Querier:
 Transmit
  General            The number of general queries sent from this interface.
  Group Specific     The number of group specific queries sent from this interface.
 Received
  General            The number of general queries received on this interface.
MLD Filtering and Throttling
In certain switch applications, the administrator may want to control the multicast services that are available to end users, for example an IP/TV service based on a specific subscription plan. The MLD filtering feature fulfills this requirement by restricting access to specified multicast services on a switch port, and MLD throttling limits the number of simultaneous multicast groups a port can join.
can contain one or more, or a range of multicast addresses; but only one profile can be assigned to a port. When enabled, MLD join reports received on the port are checked against the filter profile. If a requested multicast group is permitted, the MLD join report is forwarded as normal. If a requested multicast group is denied, the MLD join report is dropped.
permit, deny
This command sets the access mode for an MLD filter profile. Use the no form to delete a profile number.

Syntax
 {permit | deny}

Default Setting
 deny

Command Mode
 MLD Profile Configuration

Command Usage
◆ Each profile has only one access mode; either permit or deny.
◆ When the access mode is set to permit, MLD join reports are processed when a multicast group falls within the controlled range.
Example
 Console(config-mld-profile)#range ff01::0101 ff01::0202
 Console(config-mld-profile)#

ipv6 mld filter (Interface Configuration)
This command assigns an MLD filtering profile to an interface on the switch. Use the no form to remove a profile from an interface.

Syntax
 [no] ipv6 mld filter profile-number

 profile-number - An MLD filter profile number.
Command Mode
 Interface Configuration (Ethernet, Port Channel)

Command Usage
◆ MLD throttling sets a maximum number of multicast groups that a port can join at the same time. When the maximum number of groups is reached on a port, the switch can take one of two actions; either “deny” or “replace.” If the action is set to deny, any new MLD join reports will be dropped.
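The filter-profile check and the throttling limit described above can be modeled as follows. This is an added example, not code from the guide or the switch firmware: the class and function names are hypothetical, the deny mode is assumed to be the mirror image of the permit mode, and the replace action is assumed to evict the oldest group because the text above does not say which group is replaced.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

Range = Tuple[ipaddress.IPv6Address, ipaddress.IPv6Address]


@dataclass
class MldProfile:
    """One filter profile: a single access mode applied to one or more ranges."""
    mode: str = "deny"  # the guide lists deny as the default access mode
    ranges: List[Range] = field(default_factory=list)

    def add_range(self, low: str, high: str) -> None:
        lo, hi = ipaddress.IPv6Address(low), ipaddress.IPv6Address(high)
        if not (lo.is_multicast and hi.is_multicast):
            raise ValueError("profile ranges must be IPv6 multicast addresses")
        if lo > hi:
            raise ValueError("range start must not exceed range end")
        self.ranges.append((lo, hi))

    def allows(self, group: str) -> bool:
        g = ipaddress.IPv6Address(group)
        in_range = any(lo <= g <= hi for lo, hi in self.ranges)
        # permit: joins are processed only for groups inside a range.
        # deny (assumption): joins are processed only for groups outside every range.
        return in_range if self.mode == "permit" else not in_range


@dataclass
class Port:
    """A port with at most one filter profile and a throttling limit."""
    max_groups: int
    action: str = "deny"                  # "deny" or "replace"
    profile: Optional[MldProfile] = None
    groups: List[str] = field(default_factory=list)

    def on_join(self, group: str) -> str:
        g = str(ipaddress.IPv6Address(group))   # canonical form, so ff05:0:...:1 == ff05::1
        # Step 1: the filter profile is checked before any group state is touched.
        if self.profile is not None and not self.profile.allows(g):
            return "drop:filter"
        if g in self.groups:
            return "forward:already-member"
        # Step 2: throttling applies only to joins that would add a new group.
        if len(self.groups) >= self.max_groups:
            if self.action == "deny":
                return "drop:throttle"
            evicted = self.groups.pop(0)        # assumption: oldest group is replaced
            self.groups.append(g)
            return "forward:replaced " + evicted
        self.groups.append(g)
        return "forward:joined"


def demo() -> List[str]:
    """Replay a constructed sequence of join reports against one port."""
    profile = MldProfile(mode="deny")
    profile.add_range("ff01::101", "ff01::faa")
    port = Port(max_groups=2, action="replace", profile=profile)
    joins = ["ff01::500", "ff05::1", "ff05::2", "ff05:0:0:0:0:0:0:1", "ff05::3"]
    return [port.on_join(j) for j in joins]


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

The constructed sequence shows the ordering that matters when reviewing a port's configuration: a filtered join never consumes a throttling slot, and a repeated join for an existing group does not trigger a replacement.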
Example
 Console(config)#interface ethernet 1/1
 Console(config-if)#ipv6 mld max-groups action replace
 Console(config-if)#

ipv6 mld query-drop
This command drops any received MLD query packets. Use the no form to restore the default setting.
show ipv6 mld filter
This command displays the global and interface settings for MLD filtering.

Syntax
 show ipv6 mld filter [interface interface]

 interface
  ethernet unit/port
   unit - Unit identifier. (Range: 1-8)
   port - Port number.
 Console#show ipv6 mld profile 5
 MLD Profile 19
  Deny
  Range ff01::101 ff01::faa
 Console#

show ipv6 mld query-drop
This command shows if the specified interface is configured to drop MLD query packets.

Syntax
 show ipv6 mld query-drop interface [interface]

 interface
  ethernet unit/port
   unit - Unit identifier. (Range: 1-8)
   port - Port number.
Default Setting
 None

Command Mode
 Privileged Exec

Command Usage
Using this command without specifying an interface displays information for all interfaces.

Example
 Console#show ipv6 mld throttle interface ethernet 1/3
 Eth 1/3 Information
  Status                   : TRUE
  Action                   : Replace
  Max Multicast Groups     : 10
  Current Multicast Groups : 0
 Console#

MVR for IPv4
This section describes commands used to configure Multicast VLAN Registration for IPv4 (MVR).
Table 137: Multicast VLAN Registration for IPv4 Commands (Continued)
Command                        Function                                                                                                            Mode
mvr robustness-value           Configures the expected packet loss, and thereby the number of times to generate report and group-specific queries   GC
mvr source-port-mode dynamic   Configures the switch to only forward multicast streams which the source port has dynamically joined                 GC
mvr upstream-source-ip         Configures the source IP address assigned to all control pac
Command Usage
Only IGMP version 2 or 3 hosts can issue multicast join or leave messages. If MVR must be configured for an IGMP version 1 host, the multicast groups must be statically assigned using the mvr vlan group command.

Example
The following example enables MVR globally.

 Console(config)#mvr
 Console(config)#

mvr associated-profile
This command binds the MVR group addresses specified in a profile to an MVR domain.
Default Setting
 Disabled

Command Mode
 Global Configuration

Command Usage
Only IGMP version 2 or 3 hosts can issue multicast join or leave messages. If MVR must be configured for an IGMP version 1 host, the multicast groups must be statically assigned using the mvr vlan group command.
mvr profile
This command maps a range of MVR group addresses to a profile. Use the no form of this command to remove the profile.

Syntax
 mvr profile profile-name start-ip-address end-ip-address
 no mvr profile profile-name

 profile-name - The name of a profile containing one or more MVR group addresses. (Range: 1-21 characters)
 start-ip-address - Starting IPv4 address for an MVR multicast group. (Range: 224.0.1.0 - 239.255.255.
mvr proxy-query-interval
This command configures the interval at which the receiver port sends out general queries. Use the no form to restore the default setting.

Syntax
 mvr proxy-query-interval interval
 no mvr proxy-query-interval

 interval - The interval at which the receiver port sends out general queries.
◆ Receiver ports are known as downstream or router interfaces. These interfaces perform the standard MVR router functions by maintaining a database of all MVR subscriptions on the downstream interface. Receiver ports must therefore be configured on all downstream interfaces which require MVR proxy service.
◆ When the source port receives report and leave messages, it only forwards them to other source ports.
Command Mode
 Global Configuration

Command Usage
◆ This command is used to set the number of times report messages are sent upstream when changes are learned about downstream groups, and the number of times group-specific queries are sent to downstream receiver ports.
◆ This command only takes effect when MVR proxy switching is enabled.
Example
 Console(config)#mvr source-port-mode dynamic
 Console(config)#

mvr upstream-source-ip
This command configures the source IP address assigned to all MVR control packets sent upstream on all domains or on a specified domain. Use the no form to restore the default setting.

Syntax
 mvr [domain domain-id] upstream-source-ip source-ip-address
 no mvr [domain domain-id] upstream-source-ip

 domain-id - An independent multicast domain.
Command Usage
◆ This command specifies the VLAN through which MVR multicast data is received. This is the VLAN to which all source ports must be assigned.
◆ The VLAN specified by this command must be an existing VLAN configured with the vlan command.
would without this option having been used). Instead of immediately deleting that group, it will look up the record, and only delete the group if there are no other subscribers for it on the member port. Only when all hosts on that port leave the group will the member port be deleted.
◆ One or more interfaces may be configured as MVR source ports. A source port is able to both receive and send data for multicast groups which it has joined through the MVR protocol or which have been assigned through the mvr vlan group command.
◆ Only IGMP version 2 or 3 hosts can issue multicast join or leave messages.
◆ The IP address range from 224.0.0.0 to 239.255.255.255 is used for multicast streams. MVR group addresses cannot fall within the reserved IP multicast address range of 224.0.0.x.
◆ Only IGMP version 2 or 3 hosts can issue multicast join or leave messages. If MVR must be configured for an IGMP version 1 host, the multicast groups must be statically assigned using the mvr vlan group command.
  port-channel channel-id (Range: 1-16)
  vlan vlan-id - VLAN identifier (Range: 1-4094)

Command Mode
 Privileged Exec

Example
 Console#clear mvr statistics
 Console#

show mvr
This command shows information about MVR domain settings, including MVR operational status, the multicast VLAN, the current number of group addresses, and the upstream source IP address.

Syntax
 show mvr [domain domain-id]

 domain-id - An independent multicast domain.
Table 138: show mvr - display description
Field   Description
MVR 802.
show mvr interface
This command shows MVR configuration settings for interfaces attached to the MVR VLAN.

Syntax
 show mvr [domain domain-id] interface

 domain-id - An independent multicast domain. (Range: 1-5)

Default Setting
 Displays configuration settings for all attached interfaces.
show mvr members
This command shows information about the current number of entries in the forwarding database, detailed information about a specific multicast address, the IP address of the hosts subscribing to all active multicast groups, or the multicast groups associated with each port.
 Group Address   VLAN Port        Up time     Expire Count
 --------------- ---- ----------- ----------- ------ -------
 234.5.6.7          1             00:00:09:17        2(P)
                    1 Eth 1/ 1(S)
                    2 Eth 1/ 2(R)
 Console#

The following example shows detailed information about a specific multicast address:

 Console#show mvr domain 1 members 234.5.6.7
 MVR Domain : 1
 MVR Forwarding Entry Count :1
 Flag: S - Source port, R - Receiver port.
       H - Host counts (number of hosts joined to group on this port).
show mvr profile
This command shows all configured MVR profiles.

Command Mode
 Privileged Exec

Example
The following shows all configured MVR profiles:

 Console#show mvr profile
 MVR Profile Name     Start IP Addr.  End IP Addr.
 -------------------- --------------- ---------------
 rd                   228.1.23.1      228.1.23.10
 testing              228.2.23.1      228.2.23.10
 Console#

show mvr statistics
This command shows MVR protocol-related statistics for the specified interface.
Example
The following shows MVR protocol-related statistics received:

 Console#show mvr domain 1 statistics input
 MVR Domain : 1 , MVR VLAN: 2
 Input Statistics:
 Interface Report   Leave    G Query  G(-S)-S Query Drop     Join Succ Group
 --------- -------- -------- -------- ------------- -------- --------- -----
 Eth 1/ 1        23       11        4            10        5        20     9
 Eth 1/ 2        12       15        8             3        5        19     4
 DVLAN 1          2        0        0             2        2        20     9
 MVLAN 1          2        0        0             2        2        20     9
 Console#

Table 141: show mvr statistics input - display
Table 142: show mvr statistics output - display description (Continued)
Field           Description
Leave           The number of leave messages sent from this interface.
G Query         The number of general query messages sent from this interface.
G(-S)-S Query   The number of group specific or group-and-source specific query messages sent from this interface.
Drop            The number of times a report, leave or query was dropped.
Table 143: show mvr statistics query - display description (Continued)
Field              Description
Warn Rate Limit    Count down from 15 seconds after receiving a Query different from the configured version.
V# Warning Count   Number of queries received on MVR that were configured for IGMP version 1, 2 or 3.
Chapter 24 | Multicast Filtering Commands
MVR for IPv6

Table 144: show mvr statistics summary interface - display description
Field              Description
Join Success       Number of join reports processed successfully.
Filter Drop        Number of report/leave messages dropped by IGMP filter.
Source Port Drop   Number of report/leave messages dropped by MVR source port.
Others Drop        Number of report/leave messages dropped for other reasons.
Table 145: Multicast VLAN Registration for IPv6 Commands (Continued)
Command                     Function                                                                  Mode
clear mvr6 groups dynamic   Clears multicast group information dynamically learned through MVR6      PE
clear mvr6 statistics       Clears the MVR6 statistics globally or on a per-interface basis          PE
show mvr6                   Shows information about MVR6 domain settings, including MVR6 operational status, the multicast VLAN, the current number of group addresses, and the upstream sourc
mvr6 domain
This command enables Multicast VLAN Registration for IPv6 (MVR6) for a specific domain. Use the no form of this command to disable MVR6 for a domain.

Syntax
 [no] mvr6 domain domain-id

 domain-id - An independent multicast domain.
Example
 Console(config)#mvr6 priority 6
 Console(config)#

Related Commands
 show mvr6 (761)

mvr6 profile
This command maps a range of MVR6 group addresses to a profile. Use the no form of this command to remove the profile.

Syntax
 mvr6 profile profile-name start-ip-address end-ip-address

 profile-name - The name of a profile containing one or more MVR6 group addresses.
Example
The following example maps a range of MVR6 group addresses to a profile:

 Console(config)#mvr6 profile rd ff01:0:0:0:0:0:0:fe ff01:0:0:0:0:0:0:ff
 Console(config)#

mvr6 proxy-query-interval
This command configures the interval at which the receiver port sends out general queries. Use the no form to restore the default setting.
Command Mode
 Global Configuration

Command Usage
◆ When MVR6 proxy-switching is enabled, an MVR6 source port serves as the upstream or host interface, and the MVR6 receiver port serves as the querier. The source port performs only the host portion of MVR6 by sending summarized membership reports, and automatically disables MVR6 router functions.
◆ Receiver ports are known as downstream or router interfaces.
mvr6 robustness-value
This command configures the expected packet loss, and thereby the number of times to generate report and group-specific queries. Use the no form to restore the default setting.

Syntax
 mvr6 robustness-value value
 no mvr6 robustness-value

 value - The robustness used for all interfaces.
source ports on the switch and to all receiver ports that have elected to receive data on that multicast address.
◆ When the mvr6 source-port-mode dynamic command is used, the switch only forwards multicast streams which the source port has dynamically joined. In other words, both the receiver port and source port must subscribe to a multicast group before a multicast stream is forwarded to any attached client.
mvr6 vlan
This command specifies the VLAN through which MVR6 multicast data is received. Use the no form of this command to restore the default MVR6 VLAN.

Syntax
 mvr6 domain domain-id vlan vlan-id
 no mvr6 domain domain-id vlan

 domain-id - An independent multicast domain. (Range: 1-5)
 vlan-id - Specifies the VLAN through which MVR6 multicast data is received. This is also the VLAN to which all source ports must be assigned.
Command Usage
◆ Immediate leave applies only to receiver ports. When enabled, the receiver port is immediately removed from the multicast group identified in the leave message. When immediate leave is disabled, the switch follows the standard rules by sending a group-specific query to the receiver port and waiting for a response to determine if there are any remaining subscribers for that multicast group before removing the port from the group list.
Command Usage
◆ A port configured as an MVR6 receiver or source port can join or leave multicast groups configured under MVR6. A port which is not configured as an MVR6 receiver or source port can use MLD snooping to join or leave multicast groups using the standard rules for multicast filtering (see “MLD Snooping” on page 702).
◆ Receiver ports can belong to different VLANs, but should not be configured as a member of the MVR6 VLAN.
 ip-address - Statically configures an interface to receive multicast traffic from the IPv6 address specified for an MVR6 multicast group. This parameter must be a full IPv6 address including the network prefix and host address bits.

Default Setting
 No receiver port is a member of any configured multicast group.
Example
 Console#clear mvr6 groups dynamic
 Console#

clear mvr6 statistics
Use this command to clear MVR6 statistics.

Syntax
 clear mvr6 statistics [interface interface]

 interface
  ethernet unit/port
   unit - Unit identifier. (Range: 1-8)
   port - Port number. (Range: 1-28/52)
  port-channel channel-id (Range: 1-16)
  vlan vlan-id (Range: 1-4094)

Command Mode
 Privileged Exec

Command Usage
If the interface option is not used then all MVR6 statistics are cleared.
Example
The following shows the MVR6 settings:

 Console#show mvr6
 MVR6 802.1p Forwarding Priority : Disabled
 MVR6 Proxy Switching            : Enabled
 MVR6 Robustness Value           : 1
 MVR6 Proxy Query Interval       : 125(sec.
 MVR6 Source Port Mode           :
 Domain                          :
 MVR6 Config Status              :
 MVR6 Running Status             :
 MVR6 Multicast VLAN             :
 MVR6 Current Learned Groups     :
 MVR6 Upstream Source IP         :
 .
 .
 .
show mvr6 associated-profile
This command shows the profiles bound to the specified domain.

Syntax
 show mvr6 [domain domain-id] associated-profile

 domain-id - An independent multicast domain. (Range: 1-5)

Default Setting
 Displays profiles bound to all MVR6 domains.

Command Mode
 Privileged Exec

Example
The following displays the profiles bound to domain 1:

 Console#show mvr6 domain 1 associated-profile
 Domain ID : 1
 MVR6 Profile Name Start IPv6 Addr.
Table 147: show mvr6 interface - display description
Field    Description
Port     Shows interfaces attached to the MVR6.
Type     Shows the MVR6 port type.
Status   Shows the MVR6 status and interface status. MVR6 status for source ports is “ACTIVE” if MVR6 is globally enabled on the switch.
The following example shows detailed information about a specific multicast address:

 Console#show mvr6 domain 1 members ff00::1
 MVR6 Domain : 1
 MVR6 Forwarding Entry Count :1
 Flag: S - Source port, R - Receiver port.
       H - Host counts (number of hosts join the group on this port).
       P - Port counts (number of forwarding ports).
 Up time: Group elapsed time (d:h:m:s).
 Expire : Group remaining time (m:s).
show mvr6 statistics
This command shows MVR protocol-related statistics for the specified interface.

Syntax
 show mvr6 statistics {input | output} [interface interface]
 show mvr6 domain domain-id statistics {input [interface interface] | output [interface interface] | query}

 domain-id - An independent multicast domain. (Range: 1-5)
 interface
  ethernet unit/port
   unit - Unit identifier. (Range: 1-8)
   port - Port number.
Table 149: show mvr6 statistics input - display description (Continued)
Field       Description
Drop        The number of times a report, leave or query was dropped. Packets may be dropped due to invalid format, rate limiting, packet content not allowed, or MVR group report received
Join Succ   The number of times a multicast group was successfully joined.
Group       The number of MVR groups active on this interface.
Chapter 24 | Multicast Filtering Commands
IGMP (Layer 3)

Table 151: show mvr6 statistics query - display description
Field                      Description
Other Querier Address      The IPv6 address of the querier on this interface.
Other Querier Uptime       Other querier’s time up.
Other Querier Expire Time  The time after which this querier is assumed to have expired.
Self Querier Address       This querier’s IPv6 address.
Self Querier Uptime        This querier’s time up.
Self Querier Expire Time   This querier’s expire time.
ip igmp
This command enables IGMP on a VLAN interface. Use the no form of this command to disable IGMP on the specified interface.

Syntax
 [no] ip igmp

Default Setting
 Disabled

Command Mode
 Interface Configuration (VLAN)

Command Usage
◆ IGMP (including query functions) can be enabled for specific VLAN interfaces at Layer 3 through the ip igmp command.
◆ When a multicast routing protocol, such as PIM, is enabled, IGMP is also enabled.
ip igmp last-member-query-interval
This command configures the frequency at which to send IGMP group-specific or IGMPv3 group-source-specific query messages in response to receiving a group-specific or group-source-specific leave message. Use the no form to restore the default setting.
Command Usage
◆ IGMPv1 does not support a configurable maximum response time for query messages. It is fixed at 10 seconds for IGMPv1.
◆ By varying the Maximum Response Interval, the burstiness of IGMP messages passed on the subnet can be tuned; where larger values make the traffic less bursty, as host responses are spread out over a larger interval.
Example
The following shows how to configure the query interval to 100 seconds.

 Console(config-if)#ip igmp query-interval 100
 Console(config-if)#

Related Commands
 ip igmp max-resp-interval (770)

ip igmp robustval
This command specifies the robustness (expected packet loss) for this interface. Use the no form of this command to restore the default value.
ip igmp static-group
This command configures the router to be a static member of a multicast group on the specified VLAN interface. Use the no form to remove the static mapping.

Syntax
 ip igmp static-group group-address [source source-address]
 no ip igmp static-group

 group-address - IP multicast group address. (The group addresses specified cannot be in the range of 224.0.0.1 - 239.255.255.255.
ip igmp version
This command configures the IGMP version used on an interface. Use the no form of this command to restore the default.

Syntax
 ip igmp version {1 | 2 | 3}
 no ip igmp version

 1 - IGMP Version 1
 2 - IGMP Version 2
 3 - IGMP Version 3

Default Setting
 IGMP Version 2

Command Mode
 Interface Configuration (VLAN)

Command Usage
◆ All routers on the subnet must support the same version.
Command Mode
 Privileged Exec

Command Usage
Enter the address for a multicast group to delete all entries for the specified group. Enter the interface option to delete all multicast groups for the specified interface. Enter no options to clear all multicast groups from the cache.

Example
The following example clears all multicast group entries for VLAN 1.
 Console#show ip igmp groups interface vlan 1
 Group Address   Interface VLAN  Last Reporter   Uptime   Expire   V1 Timer
 --------------- --------------- --------------- -------- -------- -------
 224.0.17.17                   1 192.168.1.10       0:0:1   0:4:19   0:0:0
 Console#

Table 153: show ip igmp groups - display description
Field           Description
Group Address   IP multicast group address with subscribers directly attached or downstream from the switch.
Table 154: show ip igmp groups detail - display description (Continued)
Field        Description
Uptime       The time elapsed since this entry was created.
Group mode   In INCLUDE mode, reception of packets sent to the specified multicast address is requested only from those IP source addresses listed in the source-list parameter.
  Query Interval             : 125 sec
  Query Max Response Time    : 100 (resolution in 0.1 sec)
  Last Member Query Interval : 10 (resolution in 0.1 sec)
  Querier                    : 0.0.0.0
  Joined Groups :
  Static Groups :
 switch#

IGMP Proxy Routing
This section describes commands used to configure IGMP Proxy Routing on the switch.
Command Mode
 Interface Configuration (VLAN)

Command Usage
◆ When IGMP proxy is enabled on an interface, that interface is known as the upstream or host interface. This interface performs only the host portion of IGMP by sending IGMP membership reports, and automatically disables IGMP router functions.
◆ Interfaces with IGMP enabled, but not located in the direction of the multicast tree root are known as downstream or router interfaces.
Chapter 24 | Multicast Filtering Commands
MLD (Layer 3)

ip igmp proxy unsolicited-report-interval
This command specifies how often the upstream interface should transmit unsolicited IGMP reports. Use the no form to restore the default value.

Syntax
 ip igmp proxy unsolicited-report-interval seconds
 no ip igmp proxy unsolicited-report-interval

 seconds - The interval at which to issue unsolicited reports.
ipv6 mld
This command enables MLD on a VLAN interface. Use the no form of this command to disable MLD on the selected interface.

Syntax
 [no] ipv6 mld

Default Setting
 Disabled

Command Mode
 Interface Configuration (VLAN)

Command Usage
MLD (including query functions) can be enabled for specific VLAN interfaces at Layer 3 through the ipv6 mld command.
Default Setting
 10 (1 second)

Command Mode
 Interface Configuration (VLAN)

Command Usage
When the switch receives an MLD or MLDv2 leave message from a host that wants to leave a multicast group, source or channel, it sends a number of group-specific or group-source-specific query messages at intervals defined by this command. If no response is received after this period, the switch stops forwarding for the group, source or channel.
Example
The following shows how to configure the maximum response time to 20 seconds.

 Console(config-if)#ipv6 mld max-resp-interval 200
 Console(config-if)#

Related Commands
 ipv6 mld query-interval (783)

ipv6 mld query-interval
This command configures the frequency at which host query messages are sent. Use the no form to restore the default.
ipv6 mld robustval
This command specifies the robustness (expected packet loss) for this interface. Use the no form of this command to restore the default value.

Syntax
 ipv6 mld robustval robust-value
 no ipv6 mld robustval

 robust-value - The robustness of this interface. (Range: 1-255)

Default Setting
 2

Command Mode
 Interface Configuration (VLAN)

Command Usage
◆ The robustness value is used to compensate for expected packet loss on a link.
Command Mode
 Interface Configuration (VLAN)

Command Usage
◆ If a static group is configured for an any-source multicast (*,G), a source address cannot subsequently be defined for this group without first deleting the entry.
◆ If a static group is configured for one or more source-specific multicasts (S,G), an any-source multicast (*,G) cannot subsequently be defined for this group without first deleting all of the associated (S,G) entries.
Command Usage
◆ MLDv1 is derived from IGMPv2, and MLDv2 from IGMPv3. IGMP uses IP Protocol 2 message types, and MLD uses IP Protocol 58 message types, which are a subset of the ICMPv6 messages.
show ipv6 mld groups
This command displays information on multicast groups active on the switch and learned through MLD.

Syntax
 show ipv6 mld groups [{group-address | interface} [detail] | detail]

 group-address - IPv6 multicast group address. (Note that link-local scope addresses FF02:* are not allowed.)
 interface
  vlan vlan-id - VLAN ID.
Table 157: show ipv6 mld groups - display description (Continued)
Field        Description
Expire       The time remaining before this entry will be aged out. (The default is 260 seconds.) This field displays “stopped” if the Group Mode is INCLUDE.
Group Mode   In Include mode, reception of packets sent to the specified multicast address is requested only from those IP source addresses listed in the source-list parameter.
  Querier       : FE80::200:E8FF:FE93:82A0
  Joined Groups :
  Static Groups :
   FFEE::101
 Console#

MLD Proxy Routing
This section describes commands used to configure MLD Proxy Routing on the switch.
Command Mode
 Interface Configuration (VLAN)

Command Usage
◆ When MLD proxy is enabled on an interface, that interface is known as the upstream or host interface. This interface performs only the host portion of MLD by sending MLD membership reports, and automatically disables MLD router functions.
◆ Interfaces with MLD enabled, but not located in the direction of the multicast tree root are known as downstream or router interfaces.
ipv6 mld proxy unsolicited-report-interval
This command specifies how often the upstream interface should transmit unsolicited MLD reports. Use the no form to restore the default value.

Syntax
 ipv6 mld proxy unsolicited-report-interval seconds
 no ipv6 mld proxy unsolicited-report-interval

 seconds - The interval at which to issue unsolicited reports.
25 LLDP Commands

Link Layer Discovery Protocol (LLDP) is used to discover basic information about neighboring devices on the local broadcast domain. LLDP is a Layer 2 protocol that uses periodic broadcasts to advertise information about the sending device. Advertised information is represented in Type Length Value (TLV) format according to the IEEE 802.1AB standard, and can include details such as device identification, capabilities and configuration settings.
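To make the TLV format concrete, the following added example (not from the guide or the switch software) parses an LLDPDU using the 7-bit type and 9-bit length header defined in IEEE 802.1AB and reports which optional fields a transmitting port discloses to its neighbors. The sample frame is constructed for illustration, and the function names are hypothetical.

```python
import struct
from typing import Dict, List, Tuple

TLV_NAMES = {
    1: "Chassis ID", 2: "Port ID", 3: "Time To Live", 4: "Port Description",
    5: "System Name", 6: "System Description", 7: "System Capabilities",
    8: "Management Address", 127: "Organizationally Specific",
}


def tlv(tlv_type: int, value: bytes) -> bytes:
    """Encode one TLV: 7-bit type and 9-bit length packed into two bytes."""
    if not 0 <= tlv_type <= 127 or len(value) > 511:
        raise ValueError("type or length out of range for an LLDP TLV")
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def parse_lldpdu(data: bytes) -> List[Tuple[int, bytes]]:
    """Split an LLDPDU into (type, value) pairs, stopping at End of LLDPDU."""
    tlvs, off = [], 0
    while off + 2 <= len(data):
        (header,) = struct.unpack_from("!H", data, off)
        tlv_type, length = header >> 9, header & 0x1FF
        off += 2
        if off + length > len(data):
            raise ValueError("TLV length overruns the LLDPDU")
        if tlv_type == 0:            # End of LLDPDU
            break
        tlvs.append((tlv_type, data[off:off + length]))
        off += length
    return tlvs


def decode_mgmt_address(value: bytes) -> str:
    """Management Address TLV: length byte, subtype byte, then the address."""
    if len(value) < 2 or 1 + value[0] > len(value):
        raise ValueError("malformed Management Address TLV")
    subtype, addr = value[1], value[2:1 + value[0]]
    if subtype == 1 and len(addr) == 4:          # subtype 1 = IPv4
        return ".".join(str(b) for b in addr)
    return addr.hex()


def audit(data: bytes) -> Dict[str, object]:
    """Report the advertised TTL and every optional TLV the sender discloses."""
    tlvs = parse_lldpdu(data)
    if [t for t, _ in tlvs[:3]] != [1, 2, 3]:
        raise ValueError("LLDPDU must begin with Chassis ID, Port ID, TTL")
    if len(tlvs[2][1]) < 2:
        raise ValueError("TTL TLV too short")
    report = {"ttl_seconds": struct.unpack("!H", tlvs[2][1][:2])[0], "optional": {}}
    for tlv_type, value in tlvs[3:]:
        name = TLV_NAMES.get(tlv_type, "type %d" % tlv_type)
        if tlv_type in (4, 5, 6):
            report["optional"][name] = value.decode("utf-8", "replace")
        elif tlv_type == 8:
            report["optional"][name] = decode_mgmt_address(value)
        else:
            report["optional"][name] = value.hex()
    return report


def sample_lldpdu() -> bytes:
    """Constructed sample frame body; all values are made up for the example."""
    return b"".join([
        tlv(1, b"\x04" + bytes.fromhex("001122334455")),   # chassis: MAC address
        tlv(2, b"\x05" + b"Eth 1/1"),                       # port: interface name
        tlv(3, struct.pack("!H", 120)),                     # TTL in seconds
        tlv(5, b"core-sw-01"),                              # system name
        tlv(6, b"ECS4620-28T"),                             # system description
        tlv(8, bytes([5, 1, 192, 168, 1, 10, 2]) + struct.pack("!I", 1) + b"\x00"),
        tlv(0, b""),                                        # End of LLDPDU
    ])


if __name__ == "__main__":
    result = audit(sample_lldpdu())
    print("TTL:", result["ttl_seconds"])
    for name, value in result["optional"].items():
        print(name, "=", value)
```

Every entry under `optional` is information handed to any device that can receive frames on the port, which is the basis for deciding which optional TLVs an access port should advertise.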
Table 159: LLDP Commands (Continued)
Command                             Function                                                                                   Mode
lldp basic-tlv system-description   Configures an LLDP-enabled port to advertise the system description                       IC
lldp basic-tlv system-name          Configures an LLDP-enabled port to advertise its system name                               IC
lldp dot1-tlv proto-ident*          Configures an LLDP-enabled port to advertise the supported protocols                       IC
lldp dot1-tlv proto-vid*            Configures an LLDP-enabled port to advertise port-based protocol related VLAN information  IC
lldp
This command enables LLDP globally on the switch. Use the no form to disable LLDP.
Syntax
[no] lldp
Default Setting
Enabled
Command Mode
Global Configuration
Example
Console(config)#lldp
Console(config)#
lldp holdtime-multiplier
This command configures the time-to-live (TTL) value sent in LLDP advertisements. Use the no form to restore the default setting.
lldp med-fast-start-count
This command specifies the number of MED Fast Start LLDPDUs to transmit during the activation process of the LLDP-MED Fast Start mechanism. Use the no form to restore the default setting.
Syntax
lldp med-fast-start-count packets
no lldp med-fast-start-count
packets - Number of packets.
◆ Information about changes in LLDP neighbors that occur between SNMP notifications is not transmitted. Only state changes that exist at the time of a notification are included in the transmission. An SNMP agent should therefore periodically check the value of lldpStatsRemTableLastChangeTime to detect any lldpRemTablesChange notification-events missed due to throttling or transmission loss.
Command Mode
Global Configuration
Command Usage
When LLDP is re-initialized on a port, all information in the remote systems LLDP MIB associated with this port is deleted.
Example
Console(config)#lldp reinit-delay 10
Console(config)#
lldp tx-delay
This command configures a delay between the successive transmission of advertisements initiated by a change in local LLDP MIB variables. Use the no form to restore the default setting.
lldp admin-status
This command enables LLDP transmit, receive, or transmit and receive mode on the specified port. Use the no form to disable this feature.
Syntax
lldp admin-status {rx-only | tx-only | tx-rx}
no lldp admin-status
rx-only - Only receive LLDP PDUs.
tx-only - Only transmit LLDP PDUs.
tx-rx - Both transmit and receive LLDP Protocol Data Units (PDUs).
◆ Since there are typically a number of different addresses associated with a Layer 3 device, an individual LLDP PDU may contain more than one management address TLV.
◆ Every management address TLV that reports an address that is accessible on a port and protocol VLAN through the particular port should be accompanied by a port and protocol VLAN TLV that indicates the VLAN identifier (VID) associated with the management address reported by this TLV.
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
The system capabilities identify the primary function(s) of the system and whether or not these primary functions are enabled. The information advertised by this TLV is described in IEEE 802.1AB.
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
The system name is taken from the sysName object in RFC 3418, which contains the system’s administratively assigned name, and is in turn based on the hostname command.
Example
Console(config)#interface ethernet 1/1
Console(config-if)#lldp basic-tlv system-name
Console(config-if)#
lldp dot1-tlv proto-ident
This command configures an LLDP-enabled port to advertise the supported protocols.
Command Usage
This option advertises the port-based protocol VLANs configured on this interface (see “Configuring Protocol-based VLANs” on page 616).
Example
Console(config)#interface ethernet 1/1
Console(config-if)#no lldp dot1-tlv proto-vid
Console(config-if)#
lldp dot1-tlv pvid
This command configures an LLDP-enabled port to advertise its default VLAN ID. Use the no form to disable this feature.
Command Usage
This option advertises the name of all VLANs to which this interface has been assigned. See “switchport allowed vlan” on page 595 and “protocol-vlan protocol-group (Configuring Interfaces)” on page 617.
Example
Console(config)#interface ethernet 1/1
Console(config-if)#no lldp dot1-tlv vlan-name
Console(config-if)#
lldp dot3-tlv link-agg
This command configures an LLDP-enabled port to advertise link aggregation capabilities. Use the no form to disable this feature.
Command Usage
This option advertises MAC/PHY configuration/status which includes information about auto-negotiation support/capabilities, and operational Multistation Access Unit (MAU) type.
Example
Console(config)#interface ethernet 1/1
Console(config-if)#no lldp dot3-tlv mac-phy
Console(config-if)#
lldp dot3-tlv max-frame
This command configures an LLDP-enabled port to advertise its maximum frame size. Use the no form to disable this feature.
Command Usage
◆ This command only applies to the ECS4510-28P/52P/52P-2AC.
◆ This option advertises Power-over-Ethernet capabilities, including whether or not PoE is supported, currently enabled, if the port pins through which power is delivered can be controlled, the port pins selected to deliver power, and the power class.
◆ Use the ca-type to advertise the physical location of the device, that is the city, street number, building and room information. The address location is specified as a type and value pair, with the civic address (CA) type being defined in RFC 4776. The following table describes some of the CA type numbers and provides examples.
Console(config-if)#lldp med-location civic-addr what 2
Console(config-if)#
lldp med-notification
This command enables the transmission of SNMP trap notifications about LLDP-MED changes. Use the no form to disable LLDP-MED notifications.
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
◆ This command only applies to the ECS4510-28P/52P/52P-2AC.
◆ This option advertises extended Power-over-Ethernet capability details, such as power availability from the switch, and power state of the switch, including whether the switch is operating from primary or backup power (the Endpoint Device could use this information to decide to enter power conservation mode).
Default Setting
Enabled
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
This option advertises location identification details.
Example
Console(config)#interface ethernet 1/1
Console(config-if)#lldp med-tlv location
Console(config-if)#
lldp med-tlv med-cap
This command configures an LLDP-MED-enabled port to advertise its Media Endpoint Device capabilities. Use the no form to disable this feature.
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
This option advertises network policy configuration information, aiding in the discovery and diagnosis of VLAN configuration mismatches on a port. Improper network policy configurations frequently result in voice quality degradation or complete service disruption.
show lldp config
This command shows LLDP configuration settings for all ports.
Syntax
show lldp config [detail interface]
detail - Shows configuration summary.
interface
  ethernet unit/port
    unit - Unit identifier. (Range: 1-8)
    port - Port number. (Range: 1-28/52)
  port-channel channel-id (Range: 1-16)
Command Mode
Privileged Exec
Example
The following example shows all basic LLDP parameters are enabled on Port 1.
  max-frame
MED Notification Status : Enabled
MED Enabled TLVs Advertised : med-cap network-policy location ext-poe inventory
MED Location Identification:
Location Data Format : Civic Address LCI
Civic Address Status : Enabled
Country Name : US
What : 2
CA-Type : 1
CA-Value : Alabama
CA-Type : 2
CA-Value : Tuscaloosa
Console#
show lldp info local-device
This command shows LLDP global and interface-specific configuration settings for this device.
.
Console#show lldp info local-device detail ethernet 1/1
LLDP Local Port Information Detail
Port : Eth 1/1
Port ID Type : MAC Address
Port ID : 00-12-CF-DA-FC-E9
Port Description : Ethernet Port on unit 1, port 1
MED Capability : LLDP-MED Capabilities
                 Network Policy
                 Location Identification
                 Inventory
Console#
show lldp info remote-device
This command shows LLDP global and interface-specific configuration settings for remote devices attached to an LLDP-enabled port.
Enabled Capabilities : Bridge, Router
Management Address : 192.168.0.
Software Revision : 1.2.6.0
Serial Number : S123456
Manufacture Name : Prye
Model Name : VP101
Asset ID : 340937
Console#
show lldp info statistics
This command shows statistics based on traffic received through all attached LLDP-enabled interfaces.
Syntax
show lldp info statistics [detail interface]
detail - Shows configuration summary.
interface
  ethernet unit/port
    unit - Unit identifier. (Range: 1-8)
    port - Port number.
26 CFM Commands
Connectivity Fault Management (CFM) is an OAM protocol that includes proactive connectivity monitoring using continuity check messages, fault verification through loop back messages, and fault isolation by examining end-to-end connections between provider edge devices or between customer edge devices. CFM is implemented as a service level protocol based on service instances which encompass only that portion of the metropolitan area network supporting a specific customer.
Chapter 26 | CFM Commands
Table 161: CFM Commands (Continued)
Command | Function | Mode
ma index name-format | Specifies the name format for the maintenance association as IEEE 802.1ag character based, or ITU-T SG13/SG15 Y. | CFM
Table 161: CFM Commands (Continued)
Command | Function | Mode
ethernet cfm mep crosscheck | Enables cross-checking between the list of configured remote MEPs within a maintenance association and MEPs learned through continuity check messages | PE
show ethernet cfm maintenance-points remote crosscheck | Displays information about remote maintenance points configured statically in a cross-check list | PE
ethernet cfm linktrace cache | Enables caching of CFM data learned through link tra
Chapter 26 | CFM Commands Defining CFM Structures
4. Enter a static list of MEPs assigned to other devices within the same maintenance association using the mep crosscheck mpid command. This allows CFM to automatically verify the functionality of these remote end points by cross-checking the static list configured on this device against information learned through continuity check messages.
5. Enable CFM globally on the switch with the ethernet cfm enable command.
6.
Example
This example sets the maintenance level for sending AIS messages within the specified MA.
Console(config)#ethernet cfm ais level 4 md voip ma rd
Console(config)#
ethernet cfm ais ma
This command enables the MEPs within the specified MA to send frames with AIS information following detection of defect conditions. Use the no form to disable this feature.
Syntax
[no] ethernet cfm ais md domain-name ma ma-name
domain-name – Domain name.
ethernet cfm ais period
This command configures the interval at which AIS information is sent. Use the no form to restore the default setting.
Syntax
ethernet cfm ais period period md domain-name ma ma-name
no ethernet cfm ais period md domain-name ma ma-name
period – The interval at which AIS information is sent. (Options: 1 second, 60 seconds)
domain-name – Domain name. (Range: 1-43 alphanumeric characters)
ma-name – Maintenance association name.
with AIS information. More importantly, it cannot determine the associated subset of its peer MEPs for which it should suppress alarms since the received AIS information does not contain that information. Therefore, upon reception of a frame with AIS information, the MEP will suppress alarms for all peer MEPs whether there is still connectivity or not.
Default Setting
No maintenance domains are configured. No MIPs are created for any MA in the specified domain.
Command Mode
Global Configuration
Command Usage
◆ A domain can only be configured with one name.
◆ Where domains are nested, an upper-level hierarchical domain must have a higher maintenance level than the ones it encompasses. The higher to lower level domain types commonly include entities such as customer, service provider, and operator.
which can only validate received CFM messages, and respond to loop back and link trace messages. The MIP creation method defined by the ma index name command takes precedence over the method defined by this command.
Example
This example creates a maintenance domain set to maintenance level 3, and enters CFM configuration mode for this domain.
ma index name
This command creates a maintenance association (MA) within the current maintenance domain, maps it to a customer service instance (S-VLAN), and sets the manner in which MIPs are created for this service instance. Use the no form with the vlan keyword to remove the S-VLAN from the specified MA. Or use the no form with only the index keyword to remove the MA from the current domain.
◆ Before removing an MA, first remove all the MEPs configured for it (see the mep crosscheck mpid command).
◆ If the MIP creation method is not defined by this command, the creation method defined by the ethernet cfm domain command is applied to this MA. For a detailed description of the MIP types, refer to the Command Usage section under the ethernet cfm domain command.
ethernet cfm mep
This command sets an interface as a domain boundary, defines it as a maintenance end point (MEP), and sets direction of the MEP in regard to sending and receiving CFM messages. Use the no form to delete a MEP.
Syntax
ethernet cfm mep mpid mpid md domain-name ma ma-name [up]
no ethernet cfm mep mpid mpid ma ma-name
mpid – Maintenance end point identifier. (Range: 1-8191)
domain-name – Domain name.
ethernet cfm port-enable
This command enables CFM processing on an interface. Use the no form to disable CFM processing on an interface.
Syntax
[no] ethernet cfm port-enable
Default Setting
Enabled
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
◆ An interface must be enabled before a MEP can be created with the ethernet cfm mep command.
Command Usage
This command can be used to clear AIS defect entries if a MEP does not exit the AIS state when all errors are resolved.
Example
This example clears AIS defect entries on port 1.
Console#clear ethernet cfm ais mpid 1 md voip ma rd
Console(config)#
show ethernet cfm configuration
This command displays CFM configuration settings, including global settings, SNMP traps, and interface settings.
This example shows the configuration status for continuity check and cross-check traps.
show ethernet cfm md
This command displays the configured maintenance domains.
Syntax
show ethernet cfm md [level level]
level – Maintenance level. (Range: 0-7)
Default Setting
None
Command Mode
Privileged Exec
Example
This example shows all configured maintenance domains.
Console#show ethernet cfm md
MD Index MD Name             Level MIP Creation Archive Hold Time (m.
-------- ------------------- ----- ------------
       1 rd                      0 default
Console#
show ethernet cfm maintenance-points local
This command displays the maintenance points configured on this device.
Syntax
show ethernet cfm maintenance-points local {mep [domain domain-name | interface interface | level level-id] | mip [domain domain-name | level level-id]}
mep – Displays only local maintenance end points.
mip – Displays only local maintenance intermediate points.
domain-name – Domain name.
show ethernet cfm maintenance-points local detail mep
This command displays detailed CFM information about a local MEP in the continuity check database.
Syntax
show ethernet cfm maintenance-points local detail mep [domain domain-name | interface interface | level level-id]
domain-name – Domain name. (Range: 1-43 alphanumeric characters)
interface – Displays CFM status for the specified interface.
  ethernet unit/port
    unit - Unit identifier.
Table 163: show ethernet cfm maintenance-points local detail mep - display
Field | Description
MPID | MEP identifier
MD Name | The maintenance domain for this entry.
Default Setting
None
Command Mode
Privileged Exec
Command Usage
Use the mpid keyword with this command to display information about a specific maintenance point, or use the mac keyword to display information about all maintenance points that have the specified MAC address.
Example
This example shows detailed information about the remote MEP designated by MPID 2.
Chapter 26 | CFM Commands Continuity Check Operations
Table 164: show ethernet cfm maintenance-points remote detail - display
Field | Description
Port State | Port states include:
  Up – The port is functioning normally.
  Blocked – The port has been blocked by the Spanning Tree Protocol.
  No port state – Either no CCM has been received, or no port status TLV was received in the last CCM.
CCMs are issued should therefore be configured to detect connectivity problems in a timely manner, as dictated by the nature and size of the MA.
◆ The maintenance of a MIP CCM database by a MIP presents some difficulty for bridges carrying a large number of Service Instances, and for those whose MEPs are issuing CCMs at a high frequency. For this reason, slower CCM transmission rates may have to be used.
◆ If a maintenance point receives a CCM with an invalid MEPID or MA level or an MA level lower than its own, a failure is registered which indicates a configuration error or cross-connect error (i.e., overlapping MAs).
Example
This example enables continuity check messages for the specified maintenance association.
Example
This example enables SNMP traps for mep-up events.
Console(config)#snmp-server enable traps ethernet cfm cc mep-up
Console(config)#
Related Commands
ethernet cfm mep crosscheck (847)
mep archive-hold-time
This command sets the time that data from a missing MEP is retained in the continuity check message (CCM) database before being purged. Use the no form to restore the default setting.
Default Setting
None
Command Mode
Privileged Exec
Command Usage
Use this command without any keywords to clear all entries in the CCM database. Use the domain keyword to clear the CCM database for a specific domain, or the level keyword to clear it for a specific maintenance level.
show ethernet cfm errors
This command displays the CFM continuity check errors logged on this device.
Syntax
show ethernet cfm errors [domain domain-name | level level-id]
domain-name – Domain name. (Range: 1-43 alphanumeric characters)
level-id – Authorized maintenance level for this domain.
Chapter 26 | CFM Commands Cross Check Operations
Cross Check Operations
ethernet cfm mep crosscheck start-delay
This command sets the maximum delay that a device waits for remote MEPs to come up before starting the cross-check operation. Use the no form to restore the default setting.
Syntax
ethernet cfm mep crosscheck start-delay delay
delay – The time a device waits for remote MEPs to come up before the cross-check is started.
Default Setting
All continuity checks are enabled.
Command Mode
Global Configuration
Command Usage
◆ For this trap type to function, cross-checking must be enabled on the required maintenance associations using the ethernet cfm mep crosscheck command.
Command Usage
◆ Use this command to statically configure remote MEPs that exist inside the maintenance association. These remote MEPs are used in the cross-check operation to verify that all endpoints in the specified MA are operational.
◆ Remote MEPs can only be configured with this command if domain service access points (DSAPs) have already been created with the ethernet cfm mep command at the same maintenance level and in the same MA.
Chapter 26 | CFM Commands Link Trace Operations
◆ The cross-check process is disabled by default, and must be manually started using this command with the enable keyword.
Example
This example enables cross-checking within the specified maintenance association.
Console#ethernet cfm mep crosscheck enable md voip ma rd
Console#
show ethernet cfm maintenance-points remote crosscheck
This command displays information about remote MEPs statically configured in a cross-check list.
Command Mode
Global Configuration
Command Usage
◆ A link trace message is a multicast CFM frame initiated by a MEP, and forwarded from MIP to MIP, with each MIP generating a link trace reply, up to the point at which the link trace message reaches its destination or can no longer be forwarded.
◆ Use this command to enable the link trace cache to store the results of link trace operations initiated on this device.
Example
This example sets the aging time for entries in the link trace cache to 60 minutes.
Console(config)#ethernet cfm linktrace cache hold-time 60
Console(config)#
ethernet cfm linktrace cache size
This command sets the maximum size for the link trace cache. Use the no form to restore the default setting.
Syntax
ethernet cfm linktrace cache size entries
entries – The number of link trace responses stored in the link trace cache.
source-mpid – The identifier of a source MEP that will send the link trace message. (Range: 1-8191)
mac-address – MAC address of a remote MEP that is the target of the link trace message. This address can be entered in either of the following formats: xx-xx-xx-xx-xx-xx or xxxxxxxxxxxx
domain-name – Domain name. (Range: 1-43 alphanumeric characters)
ma-name – Maintenance association name.
clear ethernet cfm linktrace-cache
This command clears link trace messages logged on this device.
Command Mode
Privileged Exec
Example
Console#clear ethernet cfm linktrace-cache
Console#
show ethernet cfm linktrace-cache
This command displays the contents of the link trace cache.
Command Mode
Privileged Exec
Example
Console#show ethernet cfm linktrace-cache
Hops MA             IP / Alias             Forwarded
---- -------------- ----------------------
2    rd             192.168.0.
Chapter 26 | CFM Commands Loopback Operations
Table 166: show ethernet cfm linktrace-cache - display description (Continued)
Field | Description
Egr. Action | Action taken on the egress port:
  EgrOk – The targeted data frame was forwarded.
  EgrDown – The Egress Port can be identified, but that bridge port’s MAC_Operational parameter is false.
  EgrBlocked – The egress port can be identified, but the data frame was not passed through the egress port due to active topology management, i.e.
Chapter 26 | CFM Commands Fault Generator Operations
Command Usage
◆ Use this command to test the connectivity between maintenance points. If the continuity check database does not have an entry for the specified maintenance point, an error message will be displayed.
◆ The point from which the loopback message is transmitted (i.e., the DSAP) and the target maintenance point specified in this command must be within the same MA.
set by the mep fault-notify lowest-priority command.
Example
This example sets the delay time before generating a fault alarm.
Console(config)#ethernet cfm domain index 1 name voip level 3
Console(config-ether-cfm)#mep fault-notify alarm-time 10
Console(config-ether-cfm)#
mep fault-notify lowest-priority
This command sets the lowest priority defect that is allowed to generate a fault alarm. Use the no form to restore the default setting.
◆ Priority defects include the following items:
Table 167: Remote MEP Priority Levels
Priority Level | Level Name | Description
1 | allDef | All defects.
2 | macRemErrXcon | DefMACstatus, DefRemoteCCM, DefErrorCCM, or DefXconCCM.
3 | remErrXcon | DefErrorCCM, DefXconCCM or DefRemoteCCM.
4 | errXcon | DefErrorCCM or DefXconCCM.
5 | xcon | DefXconCCM
6 | noXcon | No defects DefXconCCM or lower are to be reported.
Default Setting
10 seconds
Command Mode
CFM Domain Configuration
Example
This example sets the reset time after which another fault alarm can be generated.
Console(config)#ethernet cfm domain index 1 name voip level 3
Console(config-ether-cfm)#mep fault-notify reset-time 7
Console(config-ether-cfm)#
show ethernet cfm
This command displays configuration settings for the fault notification generator.
Chapter 26 | CFM Commands Delay Measure Operations
Table 169: show fault-notify-generator - display description (Continued)
Field | Description
Alarm Time | The time a defect must exist before a fault alarm is issued (see the mep fault-notify alarm-time command).
Reset Time | The time after a fault alarm has been issued, and no defect exists, before another fault alarm can be issued (see the mep fault-notify reset-time command).
Command Usage
◆ Delay measurement can be used to measure frame delay and frame delay variation between MEPs.
◆ A local MEP must be configured for the same MA before you can use this command.
◆ If a MEP is enabled to generate frames with delay measurement (DM) information, it periodically sends DM frames to its peer MEP in the same MA, and expects to receive DM frames back from it.
27 OAM Commands
The switch provides OAM (Operation, Administration, and Maintenance) remote management tools required to monitor and maintain the links to subscriber CPEs (Customer Premise Equipment). This section describes functions including enabling OAM for selected ports, loop back testing, and displaying device information.
Chapter 27 | OAM Commands
efm oam
This command enables OAM functions on the specified port. Use the no form to disable this function.
Syntax
[no] efm oam
Default Setting
Disabled
Command Mode
Interface Configuration
Command Usage
◆ If the remote device also supports OAM, both exchange Information OAMPDUs to establish an OAM link.
◆ Not all CPEs support OAM functions, and OAM is therefore disabled by default.
Command Usage
◆ Critical events are vendor-specific and may include various failures, such as abnormal voltage fluctuations, out-of-range temperature detected, fan failure, CRC error in flash memory, insufficient memory, or other hardware faults.
◆ Dying gasp events are caused by an unrecoverable failure, such as a power failure or device reset.
Note: When system power fails, the switch will always send a dying gasp trap message prior to power down.
efm oam link-monitor frame threshold
This command sets the threshold for errored frame link events. Use the no form to restore the default setting.
Syntax
efm oam link-monitor frame threshold count
no efm oam link-monitor frame threshold
count - The threshold for errored frame link events.
exceeded within the period specified by this command. The Errored Frame Event TLV includes the number of errored frames detected during the specified period.
Example
This example sets the window size to 5 seconds.
Console(config)#interface ethernet 1/1
Console(config-if)#efm oam link-monitor frame window 50
Console(config-if)#
efm oam mode
This command sets the OAM mode on the specified port. Use the no form to restore the default setting.
clear efm oam counters
This command clears statistical counters for various OAMPDU message types.
Syntax
clear efm oam counters [interface-list]
interface-list - unit/port
  unit - Unit identifier. (Range: 1-8)
  port - Port number or list of ports. To enter a list, separate nonconsecutive port identifiers with a comma and no spaces; use a hyphen to designate a range of ports.
efm oam remote-loopback
This command starts or stops OAM loopback test mode to the attached CPE.
Syntax
efm oam remote-loopback {start | stop} interface
start - Starts remote loopback test mode.
stop - Stops remote loopback test mode.
interface - unit/port
  unit - Unit identifier. (Range: 1-8)
  port - Port number. (Range: 1-28/52)
Default Setting
None
Command Mode
Privileged Exec
Command Usage
OAM remote loop back can be used for fault localization and link performance testing.
efm oam remote-loopback test
This command performs a remote loopback test, sending a specified number of packets.
Syntax
efm oam remote-loopback test interface [number-of-packets [packet-size]]
interface - unit/port
  unit - Unit identifier. (Range: 1-8)
  port - Port number. (Range: 1-28/52)
number-of-packets - Number of packets to send. (Range: 1-99999999)
packet-size - Size of packets to send.
show efm oam counters interface
This command displays counters for various OAM PDU message types.
Syntax
show efm oam counters interface [interface-list]
interface-list - unit/port
  unit - Unit identifier. (Range: 1-8)
  port - Port number or list of ports. To enter a list, separate nonconsecutive port identifiers with a comma and no spaces; use a hyphen to designate a range of ports.
Example
Console#show efm oam event-log interface 1/1
OAM event log of Eth 1/1:
00:24:07 2001/01/01 "Unit 1, Port 1: Dying Gasp at Remote"
Console#
This command can show OAM link status changes for link partner as shown in this example.
show efm oam remote-loopback interface
This command displays the results of an OAM remote loopback test.
Syntax
show efm oam remote-loopback interface [interface-list]
interface-list - unit/port
  unit - Unit identifier. (Range: 1-8)
  port - Port number or list of ports. To enter a list, separate nonconsecutive port identifiers with a comma and no spaces; use a hyphen to designate a range of ports.
Link Monitor (Errored Frame) : Enabled
Link Monitor:
Errored Frame Window (100msec) : 10
Errored Frame Threshold : 1
Console#show efm oam status interface 1/1 brief
$ = local OAM in loopback
* = remote OAM in loopback
Port Admin   Mode   Remote   Dying   Critical Errored
     State          Loopback Gasp    Event    Frame
---- ------- ------ -------- ------- -------- -------
1/1  Enabled Active Disabled Enabled Enabled  Enabled
Console#
show efm oam status This command displays information about attached OAM-enabl
28 Domain Name Service Commands
These commands are used to configure Domain Naming System (DNS) services. Entries can be manually configured in the DNS domain name to IP address mapping table, default domain names configured, or one or more name servers specified to use for domain name to address translation. Note that domain name services will not be enabled until at least one name server is specified with the ip name-server command and domain lookup is enabled with the ip domain-lookup command.
Command Mode
Global Configuration

Command Usage
◆ Domain names are added to the end of the list one at a time.
◆ When an incomplete host name is received by the DNS service on this switch, it will work through the domain list, appending each domain name in the list to the host name, and checking with the specified name servers for a match.
◆ If there is no domain list, the domain name specified with the ip domain-name command is used.
◆ If one or more name servers are configured, but DNS is not yet enabled and the switch receives a DHCP packet containing a DNS field with a list of DNS servers, then the switch will automatically enable DNS host name-to-address translation.
◆ If all name servers are deleted, DNS will automatically be disabled.

Example
This example enables DNS and then displays the configuration.
Console#show dns
Domain Lookup Status:
    DNS Disabled
Default Domain Name:
    sample.com
Domain Name List:
Name Server List:
Console#

Related Commands
ip domain-list (873)
ip name-server (877)
ip domain-lookup (874)

ip host

This command creates a static entry in the DNS table that maps a host name to an IPv4 address. Use the no form to remove an entry.

Syntax
[no] ip host name address

name - Name of an IPv4 host.
ip name-server

This command specifies the address of one or more domain name servers to use for name-to-address resolution. Use the no form to remove a name server from this list.

Syntax
[no] ip name-server server-address1 [server-address2 … server-address6]

server-address1 - IPv4 or IPv6 address of domain-name server.
server-address2 … server-address6 - IPv4 or IPv6 address of additional domain-name servers.
ipv6 host

This command creates a static entry in the DNS table that maps a host name to an IPv6 address. Use the no form to remove an entry.

Syntax
[no] ipv6 host name ipv6-address

name - Name of an IPv6 host. (Range: 1-127 characters)
ipv6-address - Corresponding IPv6 address. This address must be entered according to RFC 2373 “IPv6 Addressing Architecture,” using 8 colon-separated 16-bit hexadecimal values.
clear host

This command deletes dynamic entries from the DNS table.

Syntax
clear host {name | *}

name - Name of the host. (Range: 1-127 characters)
* - Removes all entries.

Default Setting
None

Command Mode
Privileged Exec

Command Usage
Use the clear host command to clear dynamic entries, or the no ip host command to clear static entries.

Example
This example clears all dynamic entries from the DNS table.
show dns cache

This command displays entries in the DNS cache.

Command Mode
Privileged Exec

Example
Console#show dns cache
No.     Flag    Type    IP Address      TTL     Host
------- ------- ------- --------------- ------- --------
3       4       Host    209.131.36.158  115     www-real.wa1.b.yahoo.com
4       4       CNAME   POINTER TO:3    115     www.yahoo.com
5       4       CNAME   POINTER TO:3    115     www.wa1.b.yahoo.com
Console#

Table 172: show dns cache - display description
Field   Description
No.
Table 173: show hosts - display description
Field   Description
No.     The entry number for each resource record.
Flag    The field displays “2” for a static entry, or “4” for a dynamic entry stored in the cache.
Type    This field includes “Address” which specifies the primary name for the owner, and “CNAME” which specifies multiple domain names (or aliases) which are mapped to the same IP address as an existing entry.
29 DHCP Commands

These commands are used to configure Dynamic Host Configuration Protocol (DHCP) client, relay, and server functions. Any VLAN interface on this switch can be configured to automatically obtain an IP address through DHCP. This switch can also be configured to relay DHCP client configuration requests to a DHCP server on another network, or it can be configured to provide DHCP service directly to any client.
DHCP Client

DHCP for IPv4

ip dhcp client class-id

This command specifies the DHCP client vendor class identifier for the current interface. Use the no form to remove the class identifier from the DHCP packet.

Syntax
ip dhcp client class-id [text text | hex hex]
no ip dhcp client class-id

text - A text string. (Range: 1-32 characters)
hex - A hexadecimal value.
Table 177: Options 55 and 124 Statements
Option  Statement Keyword            Statement Parameter
55      dhcp-parameter-request-list  a list of parameters, separated by ','
124     vendor-class-identifier      a string indicating the vendor class identifier

◆ The server should reply with Option 66 attributes, including the TFTP server name and boot file name.
Example
In the following example, the device is reassigned the same address.

Console(config)#interface vlan 1
Console(config-if)#ip address dhcp
Console(config-if)#exit
Console#ip dhcp restart client
Console#show ip interface
VLAN 1 is Administrative Up - Link Up
  Address is 00-E0-00-00-00-01
  Index: 1001, MTU: 1500
  Address Mode is DHCP
  IP Address: 192.168.0.2 Mask: 255.255.255.
◆ If the rapid commit option has been enabled on the switch with this command, and on the DHCPv6 server, message exchange can be reduced from the normal four-step process to a two-step exchange of only solicit and reply messages.

Example
Console(config)#ipv6 dhcp client rapid-commit vlan 2
Console(config)#

show ipv6 dhcp duid

This command shows the DHCP Unique Identifier for this switch.
List of known servers:
  Server address : FE80::250:FCFF:FEF9:A494
  DUID : 0001-0001-48CFB0D5-F48F2A006801
  Server address : FE80::250:FCFF:FEF9:A405
  DUID : 0001-0001-38CF5AB0-F48F2A003917
Console#

Related Commands
ipv6 address (925)

DHCP Relay

This section describes commands used to configure the switch to relay DHCP requests from local hosts to a remote DHCP server.
Usage Guidelines
◆ DHCP relay service applies to DHCP client requests received on the specified VLAN.
◆ This command is used to configure DHCP relay for host devices attached to the switch. If DHCP relay service is enabled, and this switch sees a DHCP client request, it inserts its own IP address into the request so that the DHCP server will know the subnet where the client is located. Then, the switch forwards the packet to a DHCP server on another network.
request, it allocates a free IP address for the DHCP client from its defined scope for the DHCP client’s subnet, and sends a DHCP response back to the DHCP relay agent (i.e., this switch). This switch then broadcasts the DHCP response received from the server to the client.

Example
In the following example, the device is reassigned the same address.
DHCPv6 request broadcast, it inserts its own IP address into the request so the DHCPv6 server will know the subnet where the client is located. Then, the switch forwards the packet to the next relay agent or DHCPv6 server on another network. When the server receives the DHCPv6 request, it allocates a free IP address for the DHCPv6 client from its defined scope for the DHCPv6 client’s subnet, and sends a DHCPv6 response back to the DHCPv6 relay agent (i.e.
DHCP Server

This section describes commands used to configure client address pools for the DHCP service.
ip dhcp excluded-address

This command specifies IP addresses that the DHCP server should not assign to DHCP clients. Use the no form to remove the excluded IP addresses.

Syntax
[no] ip dhcp excluded-address low-address [high-address]

low-address - An excluded IP address, or the first IP address in an excluded address range.
high-address - The last IP address in an excluded address range.

Default Setting
All IP pool addresses may be assigned.
Example
Console(config)#ip dhcp pool R&D
Console(config-dhcp)#

Related Commands
network (901)
host (898)

service dhcp

This command enables the DHCP server on this switch. Use the no form to disable the DHCP server.

Syntax
[no] service dhcp

Default Setting
Enabled

Command Mode
Global Configuration

Command Usage
If the DHCP server is running, you must restart it to implement any configuration changes.
Example
Console(config-dhcp)#bootfile wme.bat
Console(config-dhcp)#

Related Commands
next-server (902)

client-identifier

This command specifies the client identifier of a DHCP client. Use the no form to remove the client identifier.

Syntax
client-identifier {text text | hex hex}
no client-identifier

text - A text string. (Range: 1-15 characters)
hex - The hexadecimal value.
default-router

This command specifies default routers for a DHCP pool. Use the no form to remove the default routers.

Syntax
default-router address1 [address2]
no default-router

address1 - Specifies the IP address of the primary router.
address2 - Specifies the IP address of an alternate router.

Default Setting
None

Command Mode
DHCP Pool Configuration

Usage Guidelines
The IP address of the router should be on the same subnet as the client.
◆ Servers are listed in order of preference (starting with address1 as the most preferred server).

Example
Console(config-dhcp)#dns-server 10.1.1.253 192.168.3.19
Console(config-dhcp)#

domain-name

This command specifies the domain name for a DHCP client. Use the no form to remove the domain name.

Syntax
domain-name domain
no domain-name

domain - Specifies the domain name of the client.
Command Mode
DHCP Pool Configuration

Command Usage
This command identifies a DHCP or BOOTP client to bind to an address specified in the host command. BOOTP clients cannot transmit a client identifier. To bind an address to a BOOTP client, you must associate a hardware address with the host entry.
◆ When searching for a manual binding, the switch compares the client identifier for DHCP clients, and then compares the hardware address for DHCP or BOOTP clients.
◆ If no manual binding has been specified for a host entry with the client-identifier or hardware-address commands, then the switch will assign an address from the matching network pool.
◆ If the mask is unspecified, DHCP examines its address pools.
Example
The following example leases an address to clients using this pool for 7 days.

Console(config-dhcp)#lease 7
Console(config-dhcp)#

netbios-name-server

This command configures NetBIOS Windows Internet Naming Service (WINS) name servers that are available to Microsoft DHCP clients. Use the no form to remove the NetBIOS name server list.
netbios-node-type

This command configures the NetBIOS node type for Microsoft DHCP clients. Use the no form to remove the NetBIOS node type.
the request was not forwarded by a relay server), the switch searches for a network pool matching the interface through which the client request was received. It then searches for a manually configured host address that falls within the matching network pool. If no manually configured host address is found, it assigns an address from the matching network address pool. However, if no matching address pool is found, the request is ignored.
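The lookup order described in this section (matching network pool, then a manual binding by client identifier, then by hardware address, then a free pool address) can be modelled as follows. This is an added illustration in Python, not the switch's implementation; the class and function names, the sample addresses, the use of the relay address to pick the pool, and the rule that manually bound addresses are never handed out dynamically are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

IPv4 = ipaddress.IPv4Address


@dataclass
class HostEntry:
    """A manual binding: one address tied to a client identifier or a hardware address."""
    address: IPv4
    client_id: Optional[str] = None
    hardware_address: Optional[str] = None


@dataclass
class Request:
    hardware_address: str
    client_id: Optional[str]              # None for BOOTP clients, which cannot send one
    received_on: IPv4                     # address of the VLAN interface that got the request
    relay_address: Optional[IPv4] = None  # inserted by a relay agent (assumed to select the pool)


def excluded_range(low: str, high: Optional[str] = None) -> set:
    """Expand an 'ip dhcp excluded-address low [high]' range into a set of addresses."""
    lo, hi = int(IPv4(low)), int(IPv4(high or low))
    return {IPv4(i) for i in range(lo, hi + 1)}


def _same(a: Optional[str], b: Optional[str]) -> bool:
    return a is not None and b is not None and a.lower() == b.lower()


def select_address(req, network_pools, host_entries, excluded, leased):
    """Return the address to offer, or None when the request is ignored."""
    locator = req.relay_address if req.relay_address is not None else req.received_on
    pool = next((net for net in network_pools if locator in net), None)
    if pool is None:
        return None                       # no matching address pool: request ignored
    candidates = [h for h in host_entries if h.address in pool]
    for h in candidates:                  # 1. client identifier (DHCP clients only)
        if _same(h.client_id, req.client_id):
            return h.address
    for h in candidates:                  # 2. hardware address (DHCP or BOOTP clients)
        if _same(h.hardware_address, req.hardware_address):
            return h.address
    reserved = {h.address for h in host_entries}   # assumption: never assigned dynamically
    for addr in pool.hosts():             # 3. first free address in the network pool
        if addr not in excluded and addr not in leased and addr not in reserved:
            return addr
    return None


def demo():
    """Constructed sample data; none of these values come from the guide."""
    pools = [ipaddress.IPv4Network("10.1.0.0/24")]
    hosts = [HostEntry(IPv4("10.1.0.50"), client_id="01-00-e0-00-00-00-01"),
             HostEntry(IPv4("10.1.0.60"), hardware_address="00-e0-00-00-00-02")]
    excluded = excluded_range("10.1.0.1", "10.1.0.9")
    leased = {IPv4("10.1.0.10")}
    gw = IPv4("10.1.0.254")
    requests = {
        "dhcp_by_client_id": Request("00-e0-00-00-00-01", "01-00-E0-00-00-00-01",
                                     IPv4("192.168.0.1"), relay_address=gw),
        "bootp_by_hardware": Request("00-E0-00-00-00-02", None, gw),
        "unknown_client": Request("00-e0-00-00-00-99", None, gw),
        "no_matching_pool": Request("00-e0-00-00-00-98", None, IPv4("172.16.0.1")),
    }
    return {name: select_address(r, pools, hosts, excluded, leased)
            for name, r in requests.items()}


if __name__ == "__main__":
    for name, offered in demo().items():
        print(f"{name:20} -> {offered}")
```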
clear ip dhcp binding

This command deletes an automatic address binding from the DHCP server database.

Syntax
clear ip dhcp binding {address | * }

address - The address of the binding to clear.
* - Clears all automatic bindings.

Default Setting
None

Command Mode
Privileged Exec

Usage Guidelines
An address specifies the client’s IP address. If an asterisk (*) is used as the address parameter, the DHCP server clears all automatic bindings.
show ip dhcp binding

This command displays address bindings on the DHCP server.

Syntax
show ip dhcp binding [address]

address - Specifies the IP address of the DHCP client for which bindings will be displayed.

Default Setting
None

Command Mode
Privileged Exec

Example
Console#show ip dhcp binding
IP              MAC               Lease Time         Start
                                  (dd/hh/mm/ss)
--------------- ----------------- ------------------ -----------
192.1.3.
Default router      : 0.0.0.0 0.0.0.0
DNS server          : 0.0.0.0 0.0.0.0
Domain name         :
Hardware type       : None
Hardware address    : 00-00-00-00-00-00
Lease time          : infinite
Netbios name server : 0.0.0.0 0.0.0.0
Netbios node type   : Hybrid
Next server         : 0.0.0.
30 IP Interface Commands

An IP Version 4 and Version 6 address may be used for management access to the switch over the network. Both IPv4 and IPv6 addresses can be used simultaneously to access the switch. You can manually configure a specific IPv4 or IPv6 address or direct the switch to obtain an IPv4 address from a BOOTP or DHCP server when it is powered on. An IPv6 address can either be manually configured or dynamically generated.
IPv4 Interface

Basic IPv4 Configuration

This section describes commands used to configure IP addresses for VLAN interfaces on the switch.
Command Usage
◆ If this router is directly connected to end node devices (or connected to end nodes via shared media) that will be assigned to a specific subnet, then you must create a router interface for each VLAN that will support routing. The router interface consists of an IP address and subnet mask. This interface address defines both the network number to which the router interface is attached and the router’s host number on that network.
Example
In the following example, the device is assigned an address in VLAN 1.

Console(config)#interface vlan 1
Console(config-if)#ip address 192.168.1.5 255.255.255.0
Console(config-if)#

This example assigns an IP address to VLAN 2 using a classless network mask.

Console(config)#interface vlan 2
Console(config-if)#ip address 10.2.2.
after the % delimiter. For example, FE80::7272%1 identifies VLAN 1 as the interface.

Example
The following example defines a default gateway for this device:

Console(config)#ip default-gateway 192.168.0.
show ip traffic

This command displays statistics for IP, ICMP, UDP, TCP and ARP protocols.
input errors 9897 output
Console#

traceroute

This command shows the route packets take to the specified destination.

Syntax
traceroute host

host - IP address or alias of the host.

Default Setting
None

Command Mode
Privileged Exec

Command Usage
◆ Use the traceroute command to determine the path taken to reach a specified destination.
Example
Console#traceroute 192.168.0.1
Press "ESC" to abort.
Traceroute to 192.168.0.99, 30 hops max, timeout is 3 seconds
Hop Packet 1 Packet 2 Packet 3 IP Address
--- -------- -------- -------- ---------------
  1    20 ms   <10 ms   <10 ms 192.168.0.99
Trace completed.
Console#

ping

This command sends (IPv4) ICMP echo request packets to another node on the network.

Syntax
ping host [count count] [size size]

host - IP address or alias of the host.
◆ When pinging a host name, be sure the DNS server has been defined (page 877) and host name-to-address translation enabled (page 874). If necessary, local devices can also be specified in the DNS static host table (page 876).

Example
Console#ping 10.1.0.9
Press ESC to abort.
PING to 10.1.0.
Default Setting
No default entries

Command Mode
Global Configuration

Command Usage
◆ The ARP cache is used to map 32-bit IP addresses into 48-bit hardware (i.e., Media Access Control) addresses. This cache includes entries for hosts and other routers on local network interfaces defined on this router.
◆ The maximum number of static entries allowed in the ARP cache is 128.
Command Usage
◆ When an ARP entry expires, it is deleted from the cache and an ARP request packet is sent to re-establish the MAC address.
◆ The aging time determines how long dynamic entries remain in the cache. If the timeout is too short, the router may tie up resources by repeating ARP requests for addresses recently flushed from the table.

Example
This example sets the ARP cache timeout for 15 minutes (i.e., 900 seconds).
clear arp-cache

This command deletes all dynamic entries from the Address Resolution Protocol (ARP) cache.

Command Mode
Privileged Exec

Example
This example clears all dynamic entries in the ARP cache.

Console#clear arp-cache
This operation will delete all the dynamic entries in ARP Cache.
Do you want to continue this operation (y/n)?
Console#

show arp

This command displays entries in the Address Resolution Protocol (ARP) cache.
UDP Helper Configuration

User Datagram Protocol (UDP) Helper allows host applications to forward UDP broadcast packets from this switch to another part of the network. This section describes the commands used to configure UDP Helper.
Example
This example enables forwarding for DHCPv6 UDP packets.

Console(config)#ip forward-protocol udp 547
Console(config)#

ip helper

This command enables UDP helper globally on the switch. Use the no form to disable this feature.

Syntax
[no] ip helper

Default Setting
Disabled

Command Mode
Global Configuration

Command Usage
Network hosts occasionally use UDP broadcasts to determine information such as address configuration and domain name mapping.
ip helper-address

This command specifies the application server or subnet (indicated by a directed broadcast address) to which designated UDP broadcast packets are forwarded. Use the no form to remove a UDP helper address.

Syntax
[no] ip helper-address ip-address

ip-address - Host address or directed broadcast address to which UDP broadcast packets are forwarded.
Example
This example indicates that designated UDP broadcast packets are to be forwarded to the directed broadcast address of 192.168.2.255.

Console(config)#interface vlan 1
Console(config-if)#ip helper-address 192.168.2.255
Console(config-if)#

show ip helper

This command displays configuration settings for UDP helper.
IPv6 Interface

Table 185: IPv6 Configuration Commands (Continued)
Command              Function                                                                                 Mode
ipv6 enable          Enables IPv6 on an interface that has not been configured with an explicit IPv6 address  IC
ipv6 mtu             Sets the size of the maximum transmission unit (MTU) for IPv6 packets sent on an interface  IC
show ipv6 interface  Displays the usability and configured settings for IPv6 interfaces                       PE
show ipv6 mtu        Displays maximum transmission unit (MTU) information for IPv6 inte
Table 185: IPv6 Configuration Commands (Continued)
Command                Function                                                   Mode
show ipv6 nd raguard   Displays the configuration setting for RA Guard            PE
show ipv6 neighbors    Displays information in the IPv6 neighbor discovery cache  PE

Interface Address Configuration and Utilities

ipv6 default-gateway

This command sets an IPv6 default gateway to use for destinations with no known next hop. Use the no form to remove a previously configured default gateway.
Related Commands
show ipv6 route (983)
ip default-gateway (910)

ipv6 address

This command configures an IPv6 global unicast address and enables IPv6 on an interface. Use the no form without any arguments to remove all IPv6 addresses from the interface, or use the no form with a specific IPv6 address to remove that address from the interface.
Console#show ipv6 interface
VLAN 1 is up
IPv6 is enabled
Link-local address:
  fe80::7272:cfff:fe83:3466%1/64
Global unicast address(es):
  2001:db8:2222:7272::72/96, subnet is 2001:db8:2222:7272::/96
Joined group address(es):
ff02::1:ff00:72
ff02::1:ff83:3466
ff02::1
IPv6 link MTU is 1500 bytes
ND DAD is enabled, number of DAD attempts: 3.
colon may be used in the address to indicate the appropriate number of zeros required to fill the undefined fields.
◆ If a link local address has not yet been assigned to this interface, this command will dynamically generate a global unicast address and a link-local address for this interface. (The link-local address is made with an address prefix of FE80 and a host portion based on the switch’s MAC address in modified EUI-64 format.
IPv6 link MTU is 1500 bytes
ND DAD is enabled, number of DAD attempts: 3.
Example
This example assigns a link-local address of FE80::269:3EF9:FE19:6779 to VLAN 1. Note that a prefix in the range of FE80~FEBF is required for link-local addresses, and the first 16-bit group in the host address is padded with a zero in the form 0269.
address to modified EUI-64 format (see page 926). This address type makes the switch accessible over IPv6 for all devices attached to the same local subnet.
◆ If a duplicate address is detected on the local segment, this interface will be disabled and a warning message displayed on the console.
◆ The no ipv6 enable command does not disable IPv6 for an interface that has been explicitly configured with an IPv6 address.
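The modified EUI-64 derivation referred to above can be checked against the show ipv6 interface output earlier in this chapter. The following Python is an added illustration, not code from the guide or the switch; the function names are hypothetical, and the MAC address 70-72-CF-83-34-66 is not printed in the guide but obtained by reversing the link-local address shown there.

```python
import ipaddress
from typing import Optional


def _parse(address: str) -> ipaddress.IPv6Address:
    """Accept the switch's display form, e.g. 'fe80::1%1/64' (zone id and length dropped)."""
    return ipaddress.IPv6Address(address.split("/")[0].split("%")[0])


def _mac_bytes(mac: str) -> bytes:
    parts = mac.replace(":", "-").split("-")
    if len(parts) != 6:
        raise ValueError(f"expected six octets, got {mac!r}")
    return bytes(int(p, 16) for p in parts)


def modified_eui64(mac: str) -> bytes:
    """48-bit MAC -> 64-bit interface ID: flip the universal/local bit, insert FF-FE."""
    m = _mac_bytes(mac)
    return bytes([m[0] ^ 0x02]) + m[1:3] + b"\xff\xfe" + m[3:6]


def link_local_from_mac(mac: str) -> ipaddress.IPv6Address:
    """FE80::/64 prefix followed by the modified EUI-64 interface ID."""
    return ipaddress.IPv6Address(b"\xfe\x80" + bytes(6) + modified_eui64(mac))


def solicited_node_group(address: str) -> ipaddress.IPv6Address:
    """ff02::1:ffXX:XXXX, built from the low 24 bits of a unicast address."""
    low24 = _parse(address).packed[-3:]
    return ipaddress.IPv6Address(b"\xff\x02" + bytes(9) + b"\x01\xff" + low24)


def mac_from_interface_id(address: str) -> Optional[str]:
    """Recover the MAC from an EUI-64 derived address, or None if it was not derived that way."""
    iid = _parse(address).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None                      # manually assigned or otherwise generated
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return "-".join(f"{b:02X}" for b in mac)


def expected_groups(addresses) -> set:
    """Solicited-node groups an interface should have joined for its unicast addresses."""
    return {str(solicited_node_group(a)) for a in addresses}


if __name__ == "__main__":
    # Addresses as printed in the guide's 'show ipv6 interface' example.
    shown = ["fe80::7272:cfff:fe83:3466%1/64", "2001:db8:2222:7272::72/96"]
    mac = mac_from_interface_id(shown[0])
    print("MAC recovered from link-local address:", mac)
    print("Link-local rebuilt from that MAC     :", link_local_from_mac(mac))
    print("Expected solicited-node groups       :", sorted(expected_groups(shown)))
    # The manually configured address from the link-local example is not EUI-64 derived.
    print("FE80::269:3EF9:FE19:6779 ->", mac_from_interface_id("FE80::269:3EF9:FE19:6779"))
```

Because the interface ID is a reversible function of the MAC address, an entry in the IPv6 neighbor cache with FF-FE in the middle of its host portion can be matched to a MAC address table entry without any additional lookup.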
Default Setting
1500 bytes

Command Mode
Interface Configuration (VLAN)

Command Usage
◆ If a non-default value is configured, an MTU option is included in the router advertisements sent from this device.
◆ The maximum value set by this command cannot exceed the MTU of the physical interface, which is currently fixed at 1500 bytes.
◆ IPv6 routers do not fragment IPv6 packets forwarded from other routers.
show ipv6 interface

This command displays the usability and configured settings for IPv6 interfaces.

Syntax
show ipv6 interface [brief [vlan vlan-id [ipv6-prefix/prefix-length]]]

brief - Displays a brief summary of IPv6 operational status and the addresses configured for each interface.
vlan-id - VLAN ID (Range: 1-4094)
ipv6-prefix - The IPv6 network portion of the address assigned to the interface.
Table 186: show ipv6 interface - display description
Field   Description
VLAN    A VLAN is marked “up” if the switch can send and receive packets on this interface, “down” if a line signal is not present, or “administratively down” if the interface has been disabled by the administrator.
Related Commands
show ip interface (911)

show ipv6 mtu

This command displays the maximum transmission unit (MTU) cache for destinations that have returned an ICMP packet-too-big message along with an acceptable MTU to this switch.
Chapter 30 | IP Interface Commands IPv6 Interface truncated packets discards delivers reassembly request datagrams reassembly succeeded reassembly failed IPv6 sent forwards datagrams requests discards no routes generated fragments fragment succeeded fragment failed ICMPv6 Statistics: ICMPv6 received input errors destination unreachable messages packet too big messages time exceeded messages parameter problem message echo request messages echo reply messages router solicit messages router advertisement mess
Table 188: show ipv6 traffic - display description
Field   Description

IPv6 Statistics
IPv6 received
total received   The total number of input datagrams received by the interface, including those received in error.
header errors    The number of input datagrams discarded due to errors in their IPv6 headers, including version number mismatch, other format errors, hop count exceeded, IPv6 options, etc.
Table 188: show ipv6 traffic - display description (Continued)
Field   Description

IPv6 sent
forwards datagrams   The number of output datagrams which this entity received and forwarded to their final destinations. In entities which do not act as IPv6 routers, this counter will include only those packets which were Source-Routed via this entity, and the Source-Route processing was successful.
Table 188: show ipv6 traffic - display description (Continued)
Field   Description
neighbor solicit messages         The number of ICMP Neighbor Solicit messages received by the interface.
neighbor advertisement messages   The number of ICMP Neighbor Advertisement messages received by the interface.
redirect messages                 The number of Redirect messages received by the interface.
Table 188: show ipv6 traffic - display description (Continued)
Field   Description

UDP Statistics
input            The total number of UDP datagrams delivered to UDP users.
no port errors   The total number of received UDP datagrams for which there was no application at the destination port.
other errors     The number of received UDP datagrams that could not be delivered for reasons other than the lack of an application at the destination port.
Default Setting
count: 5
size: 32 bytes

Command Mode
Privileged Exec

Command Usage
◆ Use the ping6 command to see if another site on the network can be reached, or to evaluate delays over the path.
◆ The same link-local address may be used by different interfaces/nodes in different zones (RFC 4007). Therefore, when specifying a link-local address, include zone-id information indicating the VLAN identifier after the % delimiter.
host-name - A host name string which can be resolved into an IPv6 address through a domain name server.
failure-count - The maximum number of failures before which the trace route is terminated. (Range: 1-255)

Default Setting
Maximum failures: 5

Command Mode
Privileged Exec

Command Usage
◆ Use the traceroute6 command to determine the path taken to reach a specified destination.
Neighbor Discovery

ipv6 hop-limit

This command configures the maximum number of hops used in router advertisements that are originated by this router. Use the no form to restore the default setting.

Syntax
ipv6 hop-limit hops
no ipv6 hop-limit

hops - The maximum number of hops in router advertisements and all IPv6 packets.
Default Setting
None

Command Mode
Global Configuration

Command Usage
◆ Address Resolution Protocol (ARP) has been replaced in IPv6 with the Neighbor Discovery Protocol (NDP). The ipv6 neighbor command is similar to the mac-address-table static command that is implemented using ARP.
◆ Static entries can only be configured on an IPv6-enabled interface.
ipv6 nd dad attempts

This command configures the number of consecutive neighbor solicitation messages sent on an interface during duplicate address detection. Use the no form to restore the default setting.

Syntax
ipv6 nd dad attempts count
no ipv6 nd dad attempts

count - The number of neighbor solicitation messages sent to determine whether or not a duplicate address exists on this interface.
Example
The following configures five neighbor solicitation attempts for addresses configured on VLAN 1. The show ipv6 interface command indicates that the duplicate address detection process is still on-going.
◆ The ipv6 nd other-config-flag command is used to tell hosts that they should use stateless address autoconfiguration to get an IPv6 address (based on the IPv6 prefixes found in router advertisements) and stateful autoconfiguration to get other non-address parameters (such as DNS server addresses) from DHCPv6 servers.
Example
The following tells hosts to use stateful autoconfiguration to obtain other non-address information from a DHCPv6 server:

Console(config)#interface vlan 1
Console(config)#ipv6 nd other-config-flag
Console(config)#

ipv6 nd ns-interval

This command configures the interval between transmitting IPv6 neighbor solicitation messages on an interface. Use the no form to restore the default value.
ff01::1/16
ff02::1/16
ff02::1:ff00:79/104
ff02::1:ff90:0/104
IPv6 link MTU is 1500 bytes.
ND DAD is enabled, number of DAD attempts: 5.
ipv6 nd reachable-time

This command configures the amount of time that a remote IPv6 node is considered reachable after some reachability confirmation event has occurred. Use the no form to restore the default setting.

Syntax
ipv6 nd reachable-time milliseconds
no ipv6 nd reachable-time

milliseconds - The time that a node can be considered reachable after receiving confirmation of reachability.
no ipv6 nd prefix ipv6-address/prefix-length

ipv6-address - An IPv6 address including the network prefix and host address bits.
prefix-length - A decimal value indicating how many contiguous bits (from the left) of the address comprise the prefix (i.e., the network portion of the address).
default - Uses default values for remaining parameters.
valid-lifetime - The amount of time that the specified IPv6 prefix is advertised as being valid.
Example
The following configures a network prefix with a valid lifetime of 1000 seconds, and a preferred lifetime of 900 seconds:

Console(config)#interface vlan 1
Console(config)#ipv6 nd prefix 2011:0DBF::/35 1000 900
Console(config)#

ipv6 nd ra interval

This command configures the interval between the transmission of IPv6 router advertisements on an interface. Use the no form to restore the default interval.
ipv6 nd ra lifetime

This command configures the router lifetime value used in IPv6 router advertisements sent from an interface. Use the no form to restore the default setting.

Syntax
ipv6 nd ra lifetime lifetime
no ipv6 nd ra lifetime

lifetime - Router lifetime.
Default Setting
medium

Command Usage
Default router preference may be used to prioritize routers in cases where they provide equivalent, but not equal-cost, routing and policy dictates that hosts should prefer one of the routers.
clear ipv6 neighbors

This command deletes all dynamic entries in the IPv6 neighbor discovery cache.

Command Mode
Privileged Exec

Example
The following deletes all dynamic entries in the IPv6 neighbor cache:

Console#clear ipv6 neighbors
Console#

show ipv6 nd raguard

This command displays the configuration setting for RA Guard.

Syntax
show ipv6 nd raguard [interface]

interface
ethernet unit/port
unit - Unit identifier. (Range: 1-8)
port - Port number.
Default Setting
All IPv6 neighbor discovery cache entries are displayed.
Chapter 30 | IP Interface Commands ND Snooping

Related Commands
show mac-address-table (519)

ND Snooping
Neighbor Discovery (ND) Snooping maintains an IPv6 prefix table and user address binding table. These tables can be used for stateless address auto-configuration or for address filtering by IPv6 Source Guard.

ND snooping maintains a binding table in the process of neighbor discovery. When it receives a Neighbor Solicitation (NS) packet from a host, it creates a new binding.
Table 190: ND Snooping Commands (Continued)
Command                         Function                                      Mode
show ipv6 nd snooping           Shows configuration settings for ND snooping  PE
show ipv6 nd snooping binding   Shows entries in the binding table            PE
show ipv6 nd snooping prefix    Shows entries in the prefix table             PE

ipv6 nd snooping
This command enables ND snooping globally or on a specified VLAN or range of VLANs. Use the no form to disable this feature.
■ If an NS message is received on an untrusted interface, and the address prefix does not match any entry in the prefix table, the switch drops the packet.
■ If the message does match an entry in the prefix table, the switch adds an entry to the dynamic user binding table after a fixed delay, and forwards the packet.
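The untrusted-interface checks above, together with the per-port limit set by ipv6 nd snooping max-binding, can be modelled in a few lines of Python. This is an added example, not Edgecore code; the class, method and verdict names are hypothetical, and three behaviours are assumptions not stated on this page: an NS for an address that is already bound is accepted only from the same MAC and port, a port at its limit has further NS dropped, and the fixed delay before a binding is added is omitted.

```python
import ipaddress
from dataclasses import dataclass, field

FORWARD_NEW = "forward, binding added"
FORWARD_KNOWN = "forward, binding already present"   # assumption
DROP_PREFIX = "drop, prefix not in prefix table"
DROP_OWNER = "drop, address bound to another host"   # assumption
DROP_LIMIT = "drop, port at max-binding"             # assumption


@dataclass
class NdSnooping:
    """Prefix table and dynamic user binding table as seen by untrusted ports."""
    max_binding: dict = field(default_factory=dict)  # port -> per-port limit
    prefixes: dict = field(default_factory=dict)     # vlan -> [IPv6Network, ...]
    bindings: dict = field(default_factory=dict)     # (vlan, address) -> (mac, port)

    def add_prefix(self, vlan, prefix):
        """Stand-in for however the switch populates its prefix table."""
        self.prefixes.setdefault(vlan, []).append(ipaddress.IPv6Network(prefix))

    def bound_on(self, port):
        """Number of dynamic bindings currently held by one port."""
        return sum(1 for _mac, p in self.bindings.values() if p == port)

    def handle_ns(self, port, vlan, mac, address):
        """Verdict for an NS received on an untrusted port claiming `address`."""
        addr = ipaddress.IPv6Address(address)
        # Stated on the page: no matching prefix in the table means drop.
        if not any(addr in net for net in self.prefixes.get(vlan, [])):
            return DROP_PREFIX
        owner = self.bindings.get((vlan, addr))
        if owner is not None:
            return FORWARD_KNOWN if owner == (mac.lower(), port) else DROP_OWNER
        if self.bound_on(port) >= self.max_binding[port]:
            return DROP_LIMIT
        # Stated on the page: a matching prefix adds a binding and forwards.
        self.bindings[(vlan, addr)] = (mac.lower(), port)
        return FORWARD_NEW


def demo():
    """Constructed traffic on two untrusted ports; returns one verdict per NS."""
    sw = NdSnooping(max_binding={"Eth 1/2": 2, "Eth 1/3": 5})
    sw.add_prefix(1, "2001:b000::/64")
    events = [
        ("Eth 1/2", 1, "00-00-30-01-01-01", "2001:b000::a"),  # new host
        ("Eth 1/2", 1, "00-00-30-01-01-01", "2001:b000::a"),  # same host again
        ("Eth 1/2", 1, "00-00-30-01-01-01", "2001:db8::a"),   # unknown prefix
        ("Eth 1/2", 2, "00-00-30-01-01-01", "2001:b000::b"),  # prefix not on VLAN 2
        ("Eth 1/2", 1, "00-00-30-01-01-02", "2001:b000::b"),  # second binding
        ("Eth 1/2", 1, "00-00-30-01-01-03", "2001:b000::c"),  # port limit reached
        ("Eth 1/3", 1, "00-00-30-01-01-04", "2001:b000::a"),  # address already bound
    ]
    return [sw.handle_ns(*event) for event in events]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```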
Example
Console(config)#ipv6 nd snooping auto-detect
Console(config)#

ipv6 nd snooping auto-detect retransmit count
This command sets the number of times the auto-detection process sends an NS message to determine if a dynamic user binding is still valid. Use the no form to restore the default setting.
Command Mode
Global Configuration

Command Usage
The timeout after which the switch will delete a dynamic user binding if no RA message is received is set to the retransmit count (see the ipv6 nd snooping auto-detect retransmit count command) x the retransmit interval. Based on the default settings, this is 3 seconds.
ipv6 nd snooping max-binding
This command sets the maximum number of address entries in the dynamic user binding table which can be bound to a port. Use the no form to restore the default setting.

Syntax
ipv6 nd snooping max-binding max-bindings
no ipv6 nd snooping max-binding

max-bindings – The maximum number of address entries in the dynamic user binding table which can be bound to a port.
Example
Console(config)#interface ethernet 1/1
Console(config-if)#ipv6 nd snooping trust
Console(config-if)#

clear ipv6 nd
This command clears all entries in the dynamic user address binding table.
Command Mode
Privileged Exec

Example
Console#show ipv6 nd snooping
Global ND Snooping status: enabled
ND Snooping auto-detection: disabled
ND Snooping auto-detection retransmit count: 3
ND Snooping auto-detection retransmit interval: 1 (second)
ND Snooping is configured on the following VLANs:
VLAN 1,
Interface Trusted Max-binding
--------- ------- -----------
Eth 1/1   Yes     1
Eth 1/2   No      5
Eth 1/3   No      5
Eth 1/4   No      5
Eth 1/5   No      5
. . .
Prefix                                 Len Valid-Time Expire     VLAN Interface
-------------------------------------- --- ---------- ---------- ---- ---------
2001:b000::                            64  2592000    100        1    Eth 1/1
2001::                                 64  600        34         2    Eth 1/2
Console#
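As a configuration check, the show ipv6 nd snooping output above can be parsed to list which ports are trusted and to derive the auto-detection timeout (retransmit count x retransmit interval). This is an added example, not part of the guide or the switch software; the sample text is constructed in the format shown above, and the function names, the VLAN range notation and the expected-uplink list are assumptions.

```python
import re

# Constructed sample in the format of the `show ipv6 nd snooping` output above
# (Eth 1/3 is marked trusted here to give the audit something to report).
SAMPLE = """\
Console#show ipv6 nd snooping
Global ND Snooping status: enabled
ND Snooping auto-detection: disabled
ND Snooping auto-detection retransmit count: 3
ND Snooping auto-detection retransmit interval: 1 (second)
ND Snooping is configured on the following VLANs:
VLAN 1,
Interface Trusted Max-binding
--------- ------- -----------
Eth 1/1   Yes     1
Eth 1/2   No      5
Eth 1/3   Yes     5
Eth 1/4   No      5
"""

PORT_RE = re.compile(r"^Eth\s+(\d+)/\s*(\d+)\s+(Yes|No)\s+(\d+)$")
FIELDS = {
    "enabled": r"^Global ND Snooping status:\s*(\w+)",
    "auto_detect": r"^ND Snooping auto-detection:\s*(\w+)",
    "retransmit_count": r"^ND Snooping auto-detection retransmit count:\s*(\d+)",
    "retransmit_interval": r"^ND Snooping auto-detection retransmit interval:\s*(\d+)",
}


def parse_vlans(line):
    """Expand 'VLAN 1,' (and, as an assumption, ranges such as '3-5')."""
    vlans = []
    for lo, hi in re.findall(r"(\d+)(?:-(\d+))?", line):
        vlans.extend(range(int(lo), int(hi or lo) + 1))
    return vlans


def parse_nd_snooping(text):
    """Turn the command output into a dict of global settings and ports."""
    cfg = {"vlans": [], "ports": {}}
    for raw in text.splitlines():
        line = raw.strip()
        for key, pattern in FIELDS.items():
            m = re.match(pattern, line)
            if m:
                value = m.group(1)
                cfg[key] = int(value) if value.isdigit() else value == "enabled"
        if line.startswith("VLAN"):
            cfg["vlans"] += parse_vlans(line)
        m = PORT_RE.match(line)
        if m:
            unit, port, trusted, limit = m.groups()
            cfg["ports"][f"{unit}/{port}"] = {
                "trusted": trusted == "Yes",
                "max_binding": int(limit),
            }
    return cfg


def binding_timeout(cfg):
    """Seconds before an unconfirmed dynamic binding is deleted."""
    return cfg["retransmit_count"] * cfg["retransmit_interval"]


def audit(cfg, expected_trusted):
    """Compare trusted ports with the uplinks the operator expects to trust."""
    findings = []
    if not cfg.get("enabled"):
        findings.append("ND snooping is not enabled globally")
    if not cfg["vlans"]:
        findings.append("ND snooping is not configured on any VLAN")
    by_number = lambda name: tuple(int(n) for n in name.split("/"))
    for name in sorted(cfg["ports"], key=by_number):
        trusted = cfg["ports"][name]["trusted"]
        if trusted and name not in expected_trusted:
            findings.append(f"Eth {name} is trusted but is not a documented uplink")
        elif not trusted and name in expected_trusted:
            findings.append(f"Eth {name} is a documented uplink but is untrusted")
    return findings


if __name__ == "__main__":
    parsed = parse_nd_snooping(SAMPLE)
    print("binding timeout:", binding_timeout(parsed), "s")
    for finding in audit(parsed, expected_trusted={"1/1"}):
        print(finding)
```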
31 VRRP Commands

Virtual Router Redundancy Protocol (VRRP) uses a virtual IP address to support a primary router and multiple backup routers. The backup routers can be configured to take over the workload if the master router fails, or can also be configured to share the traffic load. The primary goal of router redundancy is to allow a host device which has been configured with a fixed gateway to maintain network connectivity in case the primary gateway goes down.
Chapter 31 | VRRP Commands

vrrp authentication
This command specifies the key used to authenticate VRRP packets received from other routers. Use the no form to prevent authentication.

Syntax
vrrp group authentication key
no vrrp group authentication

group - Identifies the virtual router group. (Range: 1-255) The maximum number of groups which can be defined is 64.
key - Authentication string. (Range: 1-8 alphanumeric characters)

Default Setting
No key is defined.
Command Mode
Interface (VLAN)

Command Usage
◆ The interfaces of all routers participating in a virtual router group must be within the same IP subnet.
◆ If the IP address assigned to the virtual router with this command is already configured as the primary address on this interface, this router is considered the Owner, and will assume the role of the Master virtual router in the group.
Command Usage
◆ If preempt is enabled, and this backup router has a priority higher than the current acting master, it will take over as the new master. However, note that if the original master (i.e., the owner of the VRRP IP address) comes back on line, it will always resume control as the master.
◆ The delay can give additional time to receive an advertisement message from the current master before taking control.
◆ If two or more routers are configured with the same VRRP priority, the router with the highest IP address is elected as the new master router if the current master fails.
◆ If the backup preempt function is enabled with the vrrp preempt command, and a backup router with a priority higher than the current acting master comes on line, this backup router will take over as the new acting master. However, note that if the original master (i.e.
◆ VRRP advertisements are sent to the multicast address 224.0.0.18. Using a multicast address reduces the amount of traffic that has to be processed by network devices that are not part of the designated VRRP group.
◆ If the master router stops sending advertisements, backup routers will bid to become the master router based on priority.
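The master election rules in the Command Usage notes above (address owner first, then priority, then highest IP address, with preemption optional) can be followed through a small Python model. This is an added example, not the switch's implementation; the Router fields, function names and addresses are constructed, and preempt is modelled as a simple per-router flag with the preempt delay omitted.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Router:
    name: str
    ip: str                # primary address on the VRRP interface (constructed)
    priority: int
    owner: bool = False    # the virtual IP is this router's own primary address
    preempt: bool = True   # backup preempt function enabled
    online: bool = True


def rank(router):
    """Ordering used when routers bid: priority first, then highest IP address."""
    return (router.priority, int(ipaddress.IPv4Address(router.ip)))


def elect(routers, acting=None):
    """Return the master's name, given the acting master's name (or None)."""
    live = [r for r in routers if r.online]
    if not live:
        return None
    # The owner of the VRRP IP address always resumes control when on line.
    for r in live:
        if r.owner:
            return r.name
    current = next((r for r in live if r.name == acting), None)
    if current is None:
        # Master has failed: backups bid by priority, ties go to the highest IP.
        return max(live, key=rank).name
    # A backup takes over only with preempt enabled and a higher priority.
    challengers = [r for r in live if r.preempt and r.priority > current.priority]
    return max(challengers, key=rank).name if challengers else current.name


def walk_through():
    """Constructed four-router group; returns the master after each event."""
    a = Router("A", "192.168.1.3", 100, owner=True)
    b = Router("B", "192.168.1.4", 100)
    c = Router("C", "192.168.1.5", 100)
    d = Router("D", "192.168.1.6", 150, preempt=False, online=False)
    group = [a, b, c, d]
    history = []

    master = elect(group)                 # owner is on line
    history.append(master)
    a.online = False                      # owner fails, B and C tie on priority
    master = elect(group, master)
    history.append(master)
    d.online = True                       # higher priority, but preempt disabled
    master = elect(group, master)
    history.append(master)
    d.preempt = True                      # preempt enabled on D
    master = elect(group, master)
    history.append(master)
    a.online = True                       # owner returns
    master = elect(group, master)
    history.append(master)
    return history


if __name__ == "__main__":
    print(walk_through())
```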
Authentication                 SimpleText
Authentication Key             bluebird
Master Router                  192.168.1.
Master Priority
Master Advertisement Interval
Master Down Interval
Console#
Table 193: show vrrp brief - display description (Continued)
Field         Description
Virtual Addr  Virtual address that identifies this VRRP group
Interval      Interval at which the master virtual router advertises its role as the master
Preempt       Shows whether or not a higher priority router can preempt the current acting master
Priority      Priority of this router

show vrrp interface
This command displays status information for the specified VRRP interface.
show vrrp interface counters
This command displays counters for VRRP protocol events and errors that have occurred for the specified group and interface.

show vrrp group interface vlan interface counters

group - Identifies a VRRP group. (Range: 1-255)
interface - Identifier of configured VLAN interface.
Table 194: show vrrp interface counters - display description
Parameter                                  Description
Received Error Address List VRRP Packets   Number of packets received for which the address list does not match the locally configured list for the virtual router.
Received Invalid                           Number of packets received with an unknown authentication type.
50 IP Routing Commands

After network interfaces are configured for the switch, the paths used to send traffic between different interfaces must be set. If routing is enabled on the switch, traffic will automatically be forwarded between all of the local subnetworks.
Chapter 50 | IP Routing Commands Global Routing Configuration

Table 2: Global Routing Configuration Commands (Continued)
Command                  Function                                                             Mode
show ip route            Displays specified entries in the routing table                      PE
show ip route database   Displays static or dynamically learned entries in the routing table  PE
show ip route summary    Displays summary information for the routing table                   PE
show ip traffic          Displays statistics for IP, ICMP, UDP, TCP and ARP protocols         PE
ipv6 route               Configures static routes                                             G
◆ If an administrative distance is defined for a static route, and the same destination can be reached through a dynamic route at a lower administrative distance, then the dynamic route will be used.
◆ If both static and dynamic paths have the same lowest cost, the first route stored in the routing table, either statically configured or dynamically learned via a routing protocol, will be used.
show ip host-route
This command displays the interface associated with known routes.

COMMAND MODE
Privileged Exec

EXAMPLE
Console#show ip host-route
IP Address      MAC Address       VLAN Port
--------------- ----------------- ---- ------
192.168.0.99    00-E0-29-94-34-64 1    1/1
192.168.1.250   00-00-30-01-01-01 3    1/ 1
10.2.48.2       00-00-30-01-01-02 1    1/ 1
10.2.5.6        00-00-30-01-01-03 1    1/ 2
10.3.9.
Command Usage
◆ The FIB contains information required to forward IP traffic. It contains the interface identifier and next hop information for each reachable destination network prefix based on the IP routing table. When routing or topology changes occur in the network, the routing table is updated, and those changes are immediately reflected in the FIB.
Example
Console#show ip route database
Codes: C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       > - selected route, * - FIB route, p - stale info

C    *> 127.0.0.0/8 is directly connected, lo0
C    *> 192.168.1.
discards
no routes
generated fragments
fragment succeeded
fragment failed
ICMP Statistics:
ICMP received
input errors
destination unreachable messages
time exceeded messages
parameter problem message
echo request messages
echo reply messages
redirect messages
timestamp request messages
timestamp reply messages
source quench messages
address mask request messages
address mask reply messages
ICMP sent
output errors
destination unreachable messages
destination-ipv6-address – The IPv6 address of a destination network, subnetwork, or host. This must be a full IPv6 address including the network prefix and host address bits.
prefix-length - A decimal value indicating how many contiguous bits (from the left) of the address comprise the prefix (i.e., the network portion of the address).
gateway-address – IP address of the next hop router used for this route.
Example
This example forwards all traffic for subnet 2001::/64 to the next hop router 2001:DB8:2222:7272::254, using the default metric of 1.

Console(config)#ipv6 route 2001::/64 2001:DB8:2222:7272::254
Console(config)#

Related Commands
show ip route summary (980)

show ipv6 route
This command displays information in the Forwarding Information Base (FIB).
Chapter 50 | IP Routing Commands Routing Information Protocol (RIP)

within a forwarding information base entry are a network prefix, a router port identifier, and next hop information.
◆ This command only displays routes which are currently accessible for forwarding. The router must be able to directly reach the next hop, so the VLAN interface associated with any dynamic or static route entry must be up.
Table 4: Routing Information Protocol Commands (Continued)
Command                        Function                                                                                                                            Mode
version                        Specifies the RIP version to use on all network interfaces (if not already specified with a receive version or send version command)  RC
ip rip authentication mode     Specifies the type of authentication used for RIP2 packets
ip rip authentication string   Enables authentication for RIP2 packets and specifies keys                                                                           IC
ip rip receive version         Sets the
default-information originate
This command generates a default external route into the local RIP autonomous system. Use the no form to disable this feature.

Syntax
[no] default-information originate

Default Setting
Disabled

Command Mode
Router Configuration

Command Usage
This command sets a default route for every Layer 3 interface where RIP is enabled.
◆ The default metric must be used to resolve the problem of redistributing external routes with incompatible metrics.
◆ It is advisable to use a low metric when redistributing routes from another protocol into RIP. Using a high metric limits the usefulness of external routes redistributed into RIP.
Command Usage
◆ Administrative distance is used by the routers to select the preferred path when there are two or more different routes to the same destination from two different routing protocols. A smaller administrative distance indicates a more reliable protocol.
◆ The administrative distance is applied to all routes learned for the specified network.

Example
Console(config-router)#distance 2 192.168.3.0 255.255.255.
Default Setting
No neighbors are defined.

Command Mode
Router Configuration

Command Usage
◆ This command can be used to configure a static neighbor (specifically for point-to-point links) with which this router will exchange routing information, rather than relying on broadcast or multicast messages generated by the RIP protocol.
◆ Subnet addresses are interpreted as class A, B or C, based on the first field in the specified address. In other words, if a subnet address nnn.xxx.xxx.xxx is entered, the first field (nnn) determines the class:
  0 - 127 is class A, and only the first field in the network address is used.
  128 - 191 is class B, and the first two fields in the network address are used.
redistribute
This command imports external routing information from other routing domains (that is, directly connected routes, protocols, or static routes) into the autonomous system. Use the no form to disable this feature.

Syntax
[no] redistribute {bgp | connected | ospf | static} [metric metric-value]

bgp - External routes will be imported from the Border Gateway Protocol (BGP) into this routing domain.
Example
This example redistributes routes learned from OSPF and sets the metric for all external routes imported from OSPF to a value of 3.

Console(config-router)#redistribute ospf metric 3
Console(config-router)#

This example redistributes static routes and sets the metric for all of these routes to a value of 3.
set to infinite) and advertised as unreachable. However, packets are still forwarded on this route.
◆ After the timeout interval expires, the router waits for an interval specified by the garbage-collection timer before removing this entry from the routing table. This timer allows neighbors to become aware of an invalid route prior to it being purged by this device.
◆ Any configured interface settings take precedence over the global settings.

Example
This example sets the global version for RIP to send and receive version 2 packets.

Console(config-router)#version 2
Console(config-router)#

Related Commands
ip rip receive version (996)
ip rip send version (997)

ip rip authentication mode
This command specifies the type of authentication that can be used for RIPv2 packets.
Example
This example sets the authentication mode to plain text.

Console(config)#interface vlan 1
Console(config-if)#ip rip authentication mode text
Console(config-if)#

Related Commands
ip rip authentication string (995)

ip rip authentication string
This command specifies an authentication key for RIPv2 packets. Use the no form to delete the authentication key.
ip rip receive version
This command specifies a RIP version to receive on an interface. Use the no form to restore the default value.

Syntax
ip rip receive version {1 | 2}
no ip rip receive version

1 - Accepts only RIPv1 packets.
2 - Accepts only RIPv2 packets.
Command Mode
Interface Configuration (VLAN)

Default Setting
Enabled

Command Usage
Use the no form of this command if it is not required to add any dynamic entries to the routing table for an interface, for example, when only static routes are to be allowed for a specific interface.
normally required by RIPv2. (Using this mode allows older RIPv2 routers which only receive RIP broadcast messages to receive all of the information provided by RIPv2, including subnet mask, next hop and authentication information.)

Example
This example sets the interface version for VLAN 1 to send RIPv1 packets.
ip rip split-horizon
This command enables split-horizon or poison-reverse (a variation) on an interface. Use the no form to disable this function.

Syntax
ip rip split-horizon [poisoned]
no ip rip split-horizon

poisoned - Enables poison-reverse on the current interface.
ospf - Deletes all entries learned through the Open Shortest Path First routing protocol.
rip - Deletes all entries learned through the Routing Information Protocol.
static - Deletes all static entries.

Default Setting
None

Command Mode
Privileged Exec

Command Usage
Using this command with the “all” parameter clears the RIP table of all routes.
Distance: Default is 120
Console#

show ip rip
This command displays information about RIP routes and configuration settings. Use this command without any keywords to display all RIP routes.

Syntax
show ip rip [interface [vlan vlan-id]]

interface - Shows RIP configuration settings for all interfaces or for a specified interface.
vlan-id - VLAN ID.
Chapter 50 | IP Routing Commands Open Shortest Path First (OSPFv2)

Open Shortest Path First (OSPFv2)
Table 5: Open Shortest Path First Commands (Continued)
Command                       Function                                                                 Mode
ip ospf priority              Sets the router priority used to determine the designated router        IC
ip ospf retransmit-interval   Specifies the time between resending a link-state advertisement         IC
ip ospf transmit-delay        Estimates time to send a link-state update packet over an interface     IC
passive-interface             Suppresses OSPF routing traffic on the specified interface               RC
Example
Console(config)#router ospf
Console(config-router)#

Related Commands
network area (1020)

compatible rfc1583
This command calculates summary route costs using RFC 1583 (early OSPFv2). Use the no form to calculate costs using RFC 2328 (OSPFv2).
default-information originate
This command generates a default external route into an autonomous system. Use the no form to disable this feature.

Syntax
default-information originate [always] [metric interface-metric] [metric-type metric-type]
no default-information originate [always | metric | metric-type]

always - Always advertise itself as a default external route for the local AS regardless of whether the router has a default route.
routes, the internal cost is only used as a tie-breaker if several Type 2 routes have the same cost.
◆ This command should not be used to generate a default route for a stub or NSSA. To generate a default route for these area types, use the area stub or area nssa commands.

Example
This example assigns a metric of 20 to the default external route advertised into an autonomous system, sending it as a Type 2 external metric.
◆ If the priority values of the routers bidding to be the designated router or backup designated router for an area are equal, the router with the highest ID is elected.

Example
Console(config-router)#router-id 10.1.1.
clear ip ospf process
This command clears and restarts the OSPF routing process. Specify the process ID to clear a particular OSPF process. When no process ID is specified, this command clears all running OSPF processes.

Syntax
clear ip ospf [process-id] process

process-id - Specifies the routing process ID. (Range: 1-65535)

Default Setting
Clears all routing processes.
Example
Console(config-router)#area 10.3.9.0 default-cost 10
Console(config-router)#

Related Commands
area stub (1017)
area nssa (1015)

area range
This command summarizes the routes advertised by an Area Border Router (ABR). Use the no form to disable this function.

Syntax
[no] area area-id range ip-address netmask [advertise | not-advertise]

area-id - Identifies an area for which the routes are summarized.
Example
This example creates a summary address for all area routes in the range of 10.2.x.x.

Console(config-router)#area 10.2.0.0 range 10.2.0.0 255.255.0.0 advertise
Console(config-router)#

auto-cost reference-bandwidth
Use this command to calculate the default metrics for an interface based on bandwidth. Use the no form to automatically assign costs based on interface type.
default-metric
This command sets the default metric for external routes imported from other protocols. Use the no form to remove the default metric for the supported protocol types.

Syntax
default-metric metric-value
no default-metric

metric-value – Metric assigned to all external routes imported from other protocols.
rip – Imports external routes learned through Routing Information Protocol (RIP) into this routing domain.
static - Static routes will be imported into this Autonomous System.
metric-value - Metric assigned to all external routes for the specified protocol. (Range: 0-16777214; Default: 10)
type-value
  1 - Type 1 external route
  2 - Type 2 external route (default) - Routers do not add internal route metric to external route metric.
Example
This example redistributes routes learned from RIP as Type 1 external routes.

Console(config-router)#redistribute rip metric-type 1
Console(config-router)#

Related Commands
default-information originate (1005)

summary-address
This command aggregates routes learned from other protocols. Use the no form to remove a summary address.
Area Configuration

area authentication
This command enables authentication for an OSPF area. Use the no form to remove authentication for an area.

Syntax
[no] area area-id authentication [message-digest]

area-id - Identifies an area for which authentication is to be configured. The area ID can be in the form of an IPv4 address or as a four octet unsigned integer ranging from 0-4294967295.
Example
This example enables message-digest authentication for the specified area.

Console(config-router)#area 10.3.0.0 authentication message-digest
Console(config-router)#

Related Commands
ip ospf authentication-key (1023)
ip ospf message-digest-key (1026)

area nssa
This command defines a not-so-stubby area (NSSA). To remove an NSSA, use the no form without any optional keywords.
type-value
  1 - Type 1 external route
  2 - Type 2 external route (default) - Routers do not add internal cost to the external route metric.

Command Mode
Router Configuration

Default Setting
No NSSA is configured.

Command Usage
◆ All routers in an NSSA must be configured with the same area ID.
area stub
This command defines a stub area. To remove a stub, use the no form without the optional keyword. To remove the summary attribute, use the no form with the summary keyword.

Syntax
[no] area area-id stub [no-summary]

area-id - Identifies the stub area. The area ID can be in the form of an IPv4 address or as a four octet unsigned integer ranging from 0-4294967295.
area virtual-link
This command defines a virtual link. To remove a virtual link, use the no form with no optional keywords. To restore the default value for an attribute, use the no form with the required keyword.
transmit-delay seconds - Estimates the time required to send a link-state update packet over the virtual link, considering the transmission and propagation delays. LSAs have their age incremented by this amount before transmission. This value must be the same for all routers attached to an autonomous system. (Range: 1-65535 seconds; Default: 1 second)
authentication - Specifies the authentication mode.
configured as a backup connection that can take over if the normal connection to the backbone fails.
◆ A virtual link can be configured between any two backbone routers that have an interface to a common non-backbone area. The two routers joined by a virtual link are treated as if they were connected by an unnumbered point-to-point network.
Command Usage
◆ An area ID uniquely defines an OSPF broadcast area. The area ID 0.0.0.0 indicates the OSPF backbone for an autonomous system. Each router must be connected to the backbone via a direct connection or a virtual link.
◆ Set the area ID to the same value for all routers on a network segment using the network mask to add one or more interfaces to an area.
Command Usage
◆ Use authentication to prevent routers from inadvertently joining an unauthorized area. Configure routers in the same area with the same password or key. All neighboring routers on the same network with the same password will exchange routing data.
◆ This command creates a password (key) that is inserted into the OSPF header when routing protocol packets are originated by this device.
ip ospf authentication-key
This command assigns a simple password to be used by neighboring routers to verify the authenticity of routing protocol messages. Use the no form to remove the password.

Syntax
ip ospf [ip-address] authentication-key key
no ip ospf [ip-address] authentication-key

ip-address - This parameter can be used to indicate a specific IP address connected to the current interface.
ip ospf cost
This command explicitly sets the cost of sending a protocol packet on an interface, where higher values indicate slower ports. Use the no form to restore the default value.

Syntax
ip ospf [ip-address] cost cost
no ip ospf [ip-address] cost

ip-address - This parameter can be used to indicate a specific IP address connected to the current interface.
ip ospf dead-interval
This command sets the interval at which hello packets are not seen before neighbors declare the router down. Use the no form to restore the default value.

Syntax
ip ospf [ip-address] dead-interval seconds
no ip ospf [ip-address] dead-interval

ip-address - This parameter can be used to indicate a specific IP address connected to the current interface.
Command Mode
Interface Configuration (VLAN)

Default Setting
10 seconds

Command Usage
Hello packets are used to inform other routers that the sending router is still active. Setting the hello interval to a smaller value can reduce the delay in detecting topological changes, but will increase routing traffic.
◆ When changing to a new key, the router will send multiple copies of all protocol messages, one with the old key and another with the new key. Once all the neighboring routers start sending protocol messages back to this router with the new key, the router will stop using the old key. This rollover process gives the network administrator time to update all the routers on the network without affecting the network connectivity.
become the DR and the router with the next highest priority becomes the BDR. If two or more routers are tied with the same highest priority, the router with the higher ID will be elected.
◆ If a DR already exists for a network segment when this interface comes up, the new router will accept the current DR regardless of its own priority. The DR will not change until the next time the election process is initiated.
Example
Console(config)#interface vlan 1
Console(config-if)#ip ospf retransmit-interval 7
Console(config-if)#

ip ospf transmit-delay
This command sets the estimated time to send a link-state update packet over an interface. Use the no form to restore the default value.
passive-interface
This command suppresses OSPF routing traffic on the specified interface. Use the no form to allow routing traffic to be sent and received on the specified interface.

Syntax
[no] passive-interface vlan vlan-id [ip-address]

vlan-id - VLAN ID. (Range: 1-4094)
ip-address - An IPv4 address configured on this interface.
Number of outgoing current DD exchange neighbors 0/5
Number of external LSA 0. Checksum 0x000000
Number of opaque AS LSA 0. Checksum 0x000000
LSDB database overflow limit is 20480
Number of LSA originated 1
Number of LSA received 0
Number of areas attached to this router: 1
Area 192.168.1.
Table 6: show ip ospf - display description (Continued)
Field                                     Description
Number of LSA originated                  The number of new link-state advertisements that have been originated.
Number of LSA received                    The number of link-state advertisements that have been received.
Number of areas attached to this router   The number of configured areas attached to this router.
show ip ospf database
This command shows information about different OSPF Link State Advertisements (LSAs) stored in this router’s database.

Syntax
show ip ospf [process-id] database [asbr-summary | external | network | nssa-external | router | summary] [adv-router ip-address | link-state-id | self-originate]

process-id - The ID of the router process for which information will be displayed.
Net Link States (Area 0.0.0.0)

Link ID         ADV Router      Age  Seq#       CkSum
192.168.0.2     192.168.0.2     225  0x80000001 0x9c0f

AS External Link States

Link ID         ADV Router      Age  Seq#       CkSum  Route          Tag
0.0.0.0         192.168.0.2     487  0x80000001 0xd491 E2 0.0.0.0/0   0
0.0.0.0         192.168.0.3     222  0x80000001 0xce96 E2 0.0.0.0/0   0
Console#

Table 7: show ip ospf database - display description
Field | Description
OSPF Router Process with ID | OSPF process ID and router ID.
Table 8: show ip ospf database summary - display description
Field | Description
OSPF Router ID | Router ID
LS Age | Age of LSA (in seconds)
Options | Optional capabilities associated with the LSA
LS Type | Summary Links - LSA describes routes to AS boundary routers
Link State ID | Interface address of the autonomous system boundary router
Advertising Router | Advertising router ID
LS Sequence Number | Sequence number of LSA (used to detect
Metric: 1
Forward Address: 0.0.0.
. . .
Table 11: show ip ospf database router - display description
Field | Description
OSPF Router ID | Router ID
LS Age | Age of LSA (in seconds)
Options | Optional capabilities associated with the LSA
Flags | Indicate if this router is a virtual link endpoint, an ASBR, or an ABR
LS Type | Router Link - LSA describes the router's interfaces.
Table 12: show ip ospf database summary - display description
Field | Description
OSPF Router ID | Router ID
LS Age | Age of LSA (in seconds)
Options | Optional capabilities associated with the LSA
LS Type | Summary Links - LSA describes routes to networks
Link State ID | Router ID of the router that originated the LSA
Advertising Router | Advertising router ID
LS Sequence Number | Sequence number of LSA (used to detect older duplicate LSAs)
Table 13: show ip ospf interface - display description
Field | Description
VLAN | VLAN ID and Status of physical link
Internet Address | IP address of OSPF interface
Area | OSPF area to which this interface belongs
MTU | Maximum transfer unit
Process ID | OSPF process ID
Router ID | Router ID
Network Type | Includes broadcast, non-broadcast, or point-to-point networks
Cost | Interface transmit cost
Transmit Delay | Interface transmit delay (
show ip ospf neighbor
This command displays information about neighboring routers on each interface within an OSPF area.

Syntax
show ip ospf [process-id] neighbor
process-id - The ID of the router process for which information will be displayed. (Range: 1-65535)

Command Mode
Privileged Exec

Example
Console#show ip ospf neighbor
ID              Pri    State            Address         Interface
--------------- ------ ---------------- --------------- -------------
192.168.0.
show ip ospf route
This command displays the OSPF routing table.

Syntax
show ip ospf [process-id] route
process-id - The ID of the router process for which information will be displayed.
Table 15: show ip ospf virtual-links - display description
Field | Description
Virtual Link to router | OSPF neighbor and link state (up or down)
Transit area | Common area the virtual link crosses to reach the target router
Local address | The IP address of ABR that serves as an endpoint connecting the isolated area to the common transit area.
Remote address | The IP address this virtual neighbor is using.
Chapter 50 | IP Routing Commands Open Shortest Path First (OSPFv3)

Table 16: show ip protocols ospf - display description (Continued)
Field | Description
Routing for Summary Address | Shows the networks for which route summarization is in effect
Distance | The administrative distance used for external routes learned by OSPF (see the ip route command).

OPEN SHORTEST PATH FIRST (OSPFV3)
Table 17: Open Shortest Path First Commands (Version 3) (Continued)
Command | Function | Mode
ipv6 ospf retransmit-interval | Specifies the time between resending a link-state advertisement | IC
ipv6 ospf transmit-delay | Estimates time to send a link-state update packet over an interface | IC
passive-interface | Suppresses OSPF routing traffic on the specified interface | RC
show ipv6 ospf | Displays general information about the routing proces
General Configuration

router ipv6 ospf
This command creates an Open Shortest Path First (OSPFv3) routing process and enters router configuration mode. Use the no form to disable OSPF for all processes or for a specified process.

Syntax
[no] router ipv6 ospf [tag process-name]
process-name - A process name must be entered when configuring multiple routing instances.
abr-type
This command sets the criteria used to determine if this router can declare itself an ABR and issue Type 3 and Type 4 summary LSAs. Use the no form to restore the default setting.

Syntax
abr-type {cisco | ibm | standard}
no abr-type
cisco - ABR criteria and functional behavior is based on RFC 3509.
In other words, inter-area routes are calculated by examining summary-LSAs. If the router is an ABR and has an active backbone connection, only backbone summary-LSAs are examined. Otherwise (when either the router is not an ABR or it has no active backbone connection), the router should consider summary-LSAs from all actively attached areas.
router-id
This command assigns a unique router ID for this device within the autonomous system for the current OSPFv3 process. Use the no form to restore the default setting.

Syntax
router-id ip-address
no router-id
ip-address - Router ID formatted as an IPv4 address.

Command Mode
Router Configuration

Default Setting
None

Command Usage
◆ This command sets the router ID for the OSPF process specified in the router ipv6 ospf command.
timers spf
This command configures the delay after receiving a topology change and starting the shortest path first (SPF) calculation, and the hold time between making two consecutive SPF calculations. Use the no form to restore the default values.

Syntax
timers spf spf-delay spf-holdtime
no timers spf
spf-delay - The delay after receiving a topology change notification and starting the SPF calculation.
Command Mode
Router Configuration

Default Setting
Default cost: 1

Command Usage
If the default cost is set to “0,” the router will not advertise a default route into the attached stub.

Example
Console(config)#router ipv6 ospf tag 1
Console(config-router)#area 1 default-cost 1
Console(config-router)#

Related Commands
area stub (1017)

area range
This command summarizes the routes advertised by an Area Border Router (ABR).
◆ If the network addresses within an area are assigned in a contiguous manner, the ABRs can advertise a summary route that covers all of the individual networks within the area that fall into the specified range using a single area range command.

◆ If routes are set to be advertised by this command, the router will issue a Type 3 summary LSA for each address range specified by this command.
Related Commands
redistribute (1053)

redistribute
This command redistributes external routing information from other routing protocols and static routes into an autonomous system. Use the no form to disable this feature or to restore the default settings.
Example
This example redistributes automatically connected routes as Type 1 external routes.

Console(config-router)#redistribute connected metric-type 1
Console(config-router)#

Area Configuration

area stub
This command defines a stub area. To remove a stub, use the no form without the optional keyword. To remove the summary attribute, use the no form with the summary keyword.
Example
This example creates a stub area 2, and makes it totally stubby by blocking all Type 3 summary LSAs.

Console(config-router)#area 2 stub no-summary
Console(config-router)#

Related Commands
area default-cost (1050)

area virtual-link
This command defines a virtual link. To remove a virtual link, use the no form with no optional keywords. To restore the default value for an attribute, use the no form with the required keyword.
transmit-delay seconds - Estimates the time required to send a link-state update packet over the virtual link, considering the transmission and propagation delays. LSAs have their age incremented by this amount before transmission. This value must be the same for all routers attached to an autonomous system.
ipv6 router ospf area
This command binds an OSPF area to the selected interface. Use the no form to remove an OSPF area, disable an OSPF process, or remove an instance identifier from an interface.

Syntax
[no] ipv6 router ospf area area-id [tag process-name | instance-id instance-id]
area-id - Area to bind to the current Layer 3 interface. An OSPF area identifies a group of routers that share common routing information.
Console(config-if)#ipv6 router ospf area 0 tag 0 instance-id 0
Console(config-if)#

Related Commands
router ipv6 ospf (1046)
router-id (1049)
ipv6 router ospf tag area (1058)

ipv6 router ospf tag area
This command binds an OSPF area to the selected interface and process. Use the no form to remove the specified area from an interface.
Example
This example assigns area 0.0.0.1 to the currently selected interface under routing process “1.”

Console(config)#interface vlan 1
Console(config-if)#ipv6 router ospf tag 1 area 0.0.0.
Example
Console(config)#interface vlan 1
Console(config-if)#ipv6 ospf cost 10
Console(config-if)#

ipv6 ospf dead-interval
This command sets the interval at which hello packets are not seen before neighbors declare the router down. Use the no form to restore the default value.
ipv6 ospf hello-interval
This command specifies the interval between sending hello packets on an interface. Use the no form to restore the default value.

Syntax
ipv6 ospf hello-interval seconds [instance-id instance-id]
no ipv6 ospf hello-interval [instance-id instance-id]
seconds - Interval at which hello packets are sent from an interface. This interval must be set to the same value for all routers on the network.
Command Mode
Interface Configuration (VLAN)

Default Setting
1

Command Usage
◆ A designated router (DR) and backup designated router (BDR) are elected for each OSPF area based on Router Priority. The DR forms an active adjacency to all other routers in the area to exchange routing topology information. If for any reason the DR fails, the BDR takes over this role.
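The election rules in the OSPFv2 and OSPFv3 priority sections (highest priority wins, ties go to the higher router ID, an existing DR is not displaced, the BDR takes over on DR failure) can be modelled as follows. This Python sketch is an added example, not code from this guide or the switch; it simplifies the full election procedure, treats priority 0 as ineligible as in standard OSPF, and all router IDs are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple


@dataclass(frozen=True)
class Router:
    router_id: str       # dotted-decimal router ID
    priority: int = 1    # default priority is 1; 0 means never DR/BDR


def _rank(r: Router) -> Tuple[int, int]:
    # Higher priority first, then numerically higher router ID.
    return (r.priority, int(ipaddress.IPv4Address(r.router_id)))


def elect(routers: Iterable[Router],
          current_dr: Optional[str] = None,
          current_bdr: Optional[str] = None) -> Tuple[Optional[str], Optional[str]]:
    """Return (DR, BDR) router IDs for one segment.

    current_dr/current_bdr describe the roles already held on the segment;
    pass None for a fresh election.
    """
    eligible = {r.router_id: r for r in routers if r.priority > 0}

    # An existing DR/BDR that is still present keeps its role, whatever
    # the priority of routers that joined later (no pre-emption).
    dr = current_dr if current_dr in eligible else None
    bdr = current_bdr if current_bdr in eligible and current_bdr != dr else None

    # DR failed but the BDR is alive: the BDR takes over the DR role.
    if dr is None and bdr is not None:
        dr, bdr = bdr, None

    # Fill any vacant role from the remaining routers, best rank first.
    remaining = sorted(
        (r for r in eligible.values() if r.router_id not in (dr, bdr)),
        key=_rank, reverse=True)
    if dr is None and remaining:
        dr = remaining.pop(0).router_id
    if bdr is None and remaining:
        bdr = remaining.pop(0).router_id
    return dr, bdr


# Constructed sample segment.
A = Router("192.168.0.1")
B = Router("192.168.0.2")
C = Router("192.168.0.3", priority=0)    # ineligible
D = Router("192.168.0.9", priority=255)  # joins later

if __name__ == "__main__":
    dr, bdr = elect([A, B, C])
    print("initial:", dr, bdr)
    print("after D joins:", elect([A, B, C, D], dr, bdr))
    print("after DR fails:", elect([A, C, D], dr, bdr))
```

A router configured with a high priority therefore only becomes DR when a role is vacant, which is worth remembering when reading neighbor output after adding a device to a segment.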
Default Setting
5 seconds

Command Usage
◆ A router will resend an LSA to a neighbor if it receives no acknowledgment after the specified retransmit interval. The retransmit interval should be set to a conservative value that provides an adequate flow of routing information, but does not produce unnecessary protocol traffic. Note that this value should be larger for virtual links.
problem, use the transmit delay to force the router to wait a specified interval between transmissions.

Example
Console(config)#interface vlan 1
Console(config-if)#ipv6 ospf transmit-delay 6
Console(config-if)#

passive-interface
This command suppresses OSPF routing traffic on the specified interface. Use the no form to allow routing traffic to be sent and received on the specified interface.
Display Information

show ipv6 ospf
This command shows basic information about the routing configuration.

Command Mode
Privileged Exec

Example
Console#show ipv6 ospf
Routing Process "ospf 1" with ID 192.168.0.
Table 18: show ip ospf - display description (Continued)
Field | Description
Number of opaque AS LSA | Number of opaque link-state advertisements (Type 9, 10 and 11 LSAs) in the link-state database. These LSAs advertise information about external applications, and are only used by OSPF for the graceful restart process.
Checksum | The sum of the LS checksums of opaque link-state advertisements contained in the link-state database.
AS-external-LSA

Link State ID   ADV Router      Age  Seq#       CkSum
Console#

Table 19: show ip ospf database - display description
Field | Description
OSPF Router Process with ID | OSPF router ID and process ID. The router ID uniquely identifies the router in the autonomous system. By convention, this is normally set to one of the router's IP interface addresses.
Table 20: show ip ospf interface - display description
Field | Description
VLAN | VLAN ID and Status of physical link
Link local Address | Link local address of OSPF interface
Area | OSPF area to which this interface belongs
Tag | OSPF process identifier string
Router ID | Identifier for this router
Network Type | Includes broadcast, non-broadcast, or point-to-point networks
Cost | Interface transmit cost
Transmit Delay | Interface transmit de
Command Mode
Privileged Exec

Example
Console#show ipv6 ospf neighbor
ID              Pri    State            Interface ID    Interface
--------------- ------ ---------------- --------------- -------------
192.168.0.
Example
Console#show ipv6 ospf route
Codes: C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
C ::1/128, lo0
O 2001:DB8:2222:7272::/64, VLAN1
C 2001:DB8:2222:7272::/64, VLAN1
? FE80::/64, VLAN1 inactive
C FE80::/64, VLAN1
? FF00::
Chapter 50 | IP Routing Commands Border Gateway Protocol (BGPv4)

Table 22: show ipv6 ospf virtual-links - display description (Continued)
Field | Description
Timer intervals | Configuration settings for timer intervals, including Hello, Dead and Retransmit
Hello due | The timeout for the next hello message from the neighbor
Adjacency state | The adjacency state between these neighbors:
  Down – Connection down
  Attempt – Connection down, but attempting contact (for non-broadcast networks)
  Init – Have received He
Figure 1: Connections for Internal and External BGP
[Figure: routers in AS100, AS200 and AS300, joined by iBGP sessions inside each AS and eBGP sessions between ASs]

External BGP – eBGP interconnects different ASs through border routers, or eBGP peers. These peering routers are commonly connected over a WAN link using a single physical path.
current best available path is withdrawn), it can be used to calculate a new best available path. BGP cannot detect routes and provide reachability information. To ensure that each iBGP peer knows how to reach each other, each peer must run some sort of Interior Gateway Protocol (such as static routes, direct routes, RIP or OSPF) which provides neighbor IP addresses.
◆ WEIGHT – This attribute is used locally by a router to select a path when multiple paths are available for a prefix.

◆ LOCAL_PREF – This local preference attribute is similar to that of the MED, but within an AS. It sets a metric which is used between BGP speakers within an AS. It can help in selecting an outgoing BGP when an AS has connectivity to multiple ASes or multiple BGP routes even with the same next hop AS.
Path Selection
When there are multiple paths to the same prefix (with the same prefix length), the information included in route advertisement is used to select the best path to a destination following the rules shown below.

1. Choose the path with the highest WEIGHT. If the value of this attribute is the same for more than one candidate, go to the next step.
2. Choose the path with the highest LOCAL-PREF.
on the capabilities advertised in these messages. Open messages include information about the BGP version number in use, the peer’s AS number, the hold time, the BGP identifier (i.e., loopback address or the highest value of all the BGP speaker’s interfaces), and optional parameter length.
Route Reflectors
Route reflection designates one or more iBGP speakers as router concentrators or route reflectors, which are allowed to re-advertise routing information within the same autonomous system. It also clusters a subset of iBGP speakers with each route reflector (also known as route reflector clients), and adds several new attributes to help detect routing loops.
If there is only one route reflector in a cluster, that router would still have to process the same number of routing messages that would be required if it were in a fully meshed network. It is therefore preferable to use more than one route reflector in a cluster to reduce the overall number of iBGP sessions a single reflector has to handle.
Confederations
Confederations simply divide an autonomous system into smaller groups. A confederation splits up an AS into multiple sub-ASes, where full mesh connections are maintained only within each sub-AS, and sub-ASes are connected by eBGP. The overall AS is known as a confederation, while the sub-ASes may also be referred to as member ASes.
and AS-Confed-Set. Neither are AS numbers of member ASes advertised to exterior peers.

Configuration Guidelines
1. Use the bgp confederation identifier command to configure the identifier for a confederation containing smaller multiple internal autonomous systems.
2. Use the bgp confederation peer command to add an internal peer autonomous system to a confederation.
Route Flap Dampening
An update message is sent from a BGP speaker to a neighboring speaker whenever any change to a route occurs. A speaker announcing such a route is also responsible for any changes, including withdrawal, change in AS-Path or Next-Hop, to the same neighbor, irrespective of where the change was learned.
BGP Command List

Table 23: Border Gateway Protocol Commands – Version 4
Command | Function | Mode
router bgp | Enables BGPv4 routing process and enters router configuration mode | GC
ip as-path access-list | Configures an autonomous system path access list | GC
ip community-list | Configures a community list | GC
ip extcommunity-list | Configures an extended community list | GC
ip prefix-list | Configures an address prefix list | GC
aggregate-addr
Table 23: Border Gateway Protocol Commands – Version 4 (Continued)
Command | Function | Mode
Route Metrics and Selection
bgp always-compare-med | Allows comparison of the Multi Exit Discriminator (MED) for paths advertised from neighbors in different autonomous systems | RC
bgp bestpath as-path ignore | Ignores AS path length in the selection of a path | RC
bgp bestpath compare-confed-aspath | Compare confederation AS path length in addition to ext
Table 23: Border Gateway Protocol Commands – Version 4 (Continued)
Command | Function | Mode
neighbor filter-list | Filters route updates sent to or received from a neighbor based on an AS path access-list | RC
neighbor interface | Specifies the interface to a neighbor | RC
neighbor maximum-prefix | Sets the maximum number of route prefixes that can be received from a neighbor | RC
neighbor next-hop-self | Configures the local router as the next h
Table 23: Border Gateway Protocol Commands – Version 4 (Continued)
Command | Function | Mode
neighbor update-source | Specifies the interface to use for a connection, instead of using the nearest interface | RC
neighbor weight | Assigns a weight to a neighbor connection | RC
show ip bgp | Shows entries in the routing table | PE
show ip bgp attribute-info | Shows internal attribute information | PE
show ip bgp cidr-only | Shows routes which use clas
Command Mode
Global Configuration

Default Setting
No routing process is defined.

Command Usage
◆ To enable BGP routing, you must use this command to establish a BGP routing process. After entering this command, the switch enters router configuration mode.
Command Mode
Global Configuration

Default Setting
No AS path access lists are defined.

Command Usage
◆ If the regular expression in an AS path list is matched, then the deny/permit condition is applied to the routing message.
and a 2-byte network number, separated by one colon. Each 2-byte number can range from 0 to 65535. One or more communities can be entered, separated by a space. Up to 16 community numbers are supported.
internet – Specifies the entire Internet. Routes with this community attribute are advertised to all internal and external peers.
local-as – Specifies the local autonomous system.
◆ By default, the internet community is set with a route if no other communities are defined.

◆ Use this command in conjunction with the neighbor send-community to filter route updates sent to or received from a neighbor, or with the match community route map command to implement a more comprehensive filter for policy-based routing.
extended-community-value – The route target or site of origin in one of the following formats:
AAAA:NN or AA:NNNN – Community-number to deny or permit. The community number can either be formatted as a 4-byte autonomous system number and a 2-byte network number, or as a 2-byte autonomous system number and a 4-byte network number, separated by one colon. Each 2-byte number can range from 0 to 65535, and 4-byte numbers from 0 to 4294967295.
placed in per-site forwarding tables used for routing traffic received from the corresponding sites.

◆ The site of origin (SOO) attribute is used to identify the site from which the provider edge (PE) router learned the route. All routes learned from a particular site are assigned the same site of origin attribute, no matter if a site is connected to a single PE router or multiple PE routers.
any – Any matching criteria.
ip-address – An IPv4 address expressed in dotted decimal notation.
netmask – Network mask for the route. This mask identifies the network address bits used for the associated routing entries.
ge – The minimum prefix length to match.
le – The maximum prefix length to match.

Command Mode
Global Configuration

Default Setting
No prefix lists are defined.
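The ge and le parameters above bound the prefix length a route may have inside an entry's address block, which is what lets a list reject a default route or overly specific prefixes from a neighbor. The Python sketch below is an added example, not code from this guide or the switch; the seq field, first-match evaluation, exact-length match when neither ge nor le is given, and the implicit deny are assumptions based on common prefix-list behavior, and the sample entries are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class PrefixEntry:
    seq: int                       # assumed ordering key (hypothetical field)
    action: str                    # "permit" or "deny"
    address: str                   # ip-address, or the keyword "any"
    netmask: Optional[str] = None  # dotted-decimal mask, unused for "any"
    ge: Optional[int] = None       # minimum prefix length to match
    le: Optional[int] = None       # maximum prefix length to match

    def matches(self, route: ipaddress.IPv4Network) -> bool:
        if self.address == "any":
            return True
        base = ipaddress.ip_network(f"{self.address}/{self.netmask}")
        # The advertised route must fall inside the entry's address block.
        if not route.subnet_of(base):
            return False
        # Without ge/le, only the exact prefix length matches.
        if self.ge is None and self.le is None:
            return route.prefixlen == base.prefixlen
        low = self.ge if self.ge is not None else base.prefixlen
        high = self.le if self.le is not None else route.max_prefixlen
        return low <= route.prefixlen <= high


def evaluate(entries: List[PrefixEntry], route: str) -> Tuple[str, Optional[int]]:
    """Return (action, seq of the matching entry); (deny, None) if none match."""
    net = ipaddress.ip_network(route)
    for entry in sorted(entries, key=lambda e: e.seq):
        if entry.matches(net):
            return entry.action, entry.seq
    return "deny", None  # assumed implicit deny at the end of the list


# Constructed inbound filter for an external neighbor.
INBOUND = [
    PrefixEntry(5, "deny", "0.0.0.0", "0.0.0.0"),          # default route only
    PrefixEntry(10, "deny", "10.0.0.0", "255.0.0.0", le=32),  # any part of 10/8
    PrefixEntry(20, "deny", "0.0.0.0", "0.0.0.0", ge=25),  # longer than /24
    PrefixEntry(30, "permit", "any"),
]

if __name__ == "__main__":
    for r in ("0.0.0.0/0", "10.1.2.0/24", "198.51.100.0/24", "198.51.100.128/25"):
        print(r, evaluate(INBOUND, r))
```

Dropping the final permit entry turns the list into an allow-list: every route not explicitly permitted then falls through to the assumed implicit deny.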
aggregate-address
This command configures an aggregate address in the routing table. Use the no form to delete an aggregate address.

Syntax
[no] aggregate-address ip-address netmask [as-set] [summary-only]
ip-address – An IPv4 address expressed in dotted decimal notation.
netmask – Network mask for the route. This mask identifies the network address bits used for the associated routing entries.
Console#show ip bgp
BGP table version is 0, local router ID is 192.168.0.4
Status codes: s suppressed, d damped, h history, * valid, > best, i internal,
              r RIB-failure, S Stale, R Removed
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*>i192.168.0.0/24   0.0.0.0                  0         32768 i

bgp client-to-client
This command restores route reflection via this router.
Related Commands
neighbor route-reflector-client (1131)
bgp cluster-id (1095)

bgp cluster-id
This command configures the cluster identifier for multiple route reflectors in the same cluster. Use the no form to remove the cluster identifier.

Syntax
bgp cluster-id cluster-identifier
no bgp cluster-id
cluster-identifier – The cluster identifier of this router when acting as a route reflector.
bgp confederation identifier
This command configures the identifier for a confederation containing smaller multiple internal autonomous systems, and declares this router as a member of the confederation. Use the no form to remove the confederation identifier.
bgp confederation peer
This command adds an internal peer autonomous system to a confederation. Use the no form to remove an autonomous system from a confederation.

Syntax
bgp confederation peer as-number
no bgp confederation identifier
as-number – Autonomous system number which identifies this router as a member of the specified domain, and tags routing messages passed to other BGP routers with this number.
bgp dampening
This command configures route dampening to reduce the propagation of unstable routes. Use the no form to restore the default settings.

Syntax
bgp dampening [half-life [reuse-limit [suppress-limit max-suppress-time]]]
no dampening
half-life – The time after which a penalty is reduced. The penalty value is reduced to half of the previous value after the half-life time expires.
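How the four bgp dampening parameters interact is easier to see with numbers. The Python model below is an added example, not code from this guide or the switch: it assumes continuous exponential decay, a fixed penalty of 1000 per flap, times in minutes, and a penalty ceiling derived from max-suppress-time; the parameter values are constructed samples, not this switch's defaults.

```python
import math
from dataclasses import dataclass
from typing import Dict, Iterable


@dataclass(frozen=True)
class DampeningParams:
    half_life: float = 15.0          # minutes (constructed sample value)
    reuse_limit: float = 750.0       # route is re-advertised below this
    suppress_limit: float = 2000.0   # route is suppressed above this
    max_suppress_time: float = 60.0  # minutes
    flap_penalty: float = 1000.0     # assumption: penalty added per flap

    @property
    def ceiling(self) -> float:
        # Largest penalty that still decays to reuse_limit within
        # max_suppress_time, so suppression can never last longer.
        return self.reuse_limit * 2 ** (self.max_suppress_time / self.half_life)


class DampenedRoute:
    def __init__(self, params: DampeningParams):
        self.p = params
        self.penalty = 0.0
        self.suppressed = False
        self._last = 0.0

    def _decay(self, now: float) -> None:
        # Penalty halves every half_life minutes.
        self.penalty *= 0.5 ** ((now - self._last) / self.p.half_life)
        self._last = now
        if self.suppressed and self.penalty < self.p.reuse_limit:
            self.suppressed = False

    def flap(self, now: float) -> float:
        self._decay(now)
        self.penalty = min(self.penalty + self.p.flap_penalty, self.p.ceiling)
        if self.penalty > self.p.suppress_limit:
            self.suppressed = True
        return self.penalty

    def is_suppressed(self, now: float) -> bool:
        self._decay(now)
        return self.suppressed

    def minutes_until_reuse(self) -> float:
        if not self.suppressed:
            return 0.0
        return self.p.half_life * math.log2(self.penalty / self.p.reuse_limit)


def timeline(flap_times: Iterable[float], query_times: Iterable[float],
             params: DampeningParams = DampeningParams()) -> Dict[float, bool]:
    """Replay flaps and report the suppressed state at each query time."""
    route = DampenedRoute(params)
    # Kind 0 (flap) sorts before kind 1 (query) at the same timestamp.
    events = sorted([(t, 0) for t in flap_times] + [(t, 1) for t in query_times])
    result = {}
    for t, kind in events:
        if kind == 0:
            route.flap(t)
        else:
            result[t] = route.is_suppressed(t)
    return result


if __name__ == "__main__":
    # Three flaps one minute apart: suppressed at the third, reused ~29 min later.
    print(timeline([0, 1, 2], [1, 2, 30, 35]))
```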
bgp enforce-first-as
This command denies an update received from an external peer that does not list its own autonomous system number at the beginning of the AS path attribute. Use the no form to disable this feature.
bgp log-neighbor-changes
This command enables logging of neighbor resets (that is, up or down status changes). Use the no form to disable this feature.

Command Mode
Router Configuration

Default Setting
Disabled

Command Usage
◆ This command helps detect network problems by indicating if a neighbor connection is flapping. A high number of neighbor resets might indicate unacceptable error rates or high packet loss in the network.
bgp router-id
This command sets the router ID for this device. Use the no form to remove this ID.

Syntax
bgp router-id router-id
no bgp router-id
router-id – Router ID formatted as an IPv4 address.

Command Mode
Router Configuration

Default Setting
The highest IP address configured for an interface.

Command Usage
◆ By default, the router ID is automatically set to the highest IP address configured for a Layer 3 interface.
Command Usage
This command sets the interval at which to check the validity of the next hop for all routes in the routing information database. During the interval between scan cycles, IGP instability or other network problems may cause black holes or routing loops to form.

Example
Console(config-router)#bgp scan-time 30
Console(config-router)#

network
This command specifies a network to advertise.
backdoor network is treated as a local network, except that it is not advertised by the local router. A backdoor route should not be sourced at the local router, but should be one that has been learned from external neighbors. However, since these routes are treated as a local network, they are given priority over routes learned through eBGP, even if the distance of the external route is shorter.

Example
Console(config-router)#network 172.16.0.
◆ A route metric must be used to resolve the problem of redistributing external routes with incompatible metrics.

Example
Console(config-router)#redistribute static metric 10
Console(config-router)#

timers bgp
This command sets the Keep Alive time used for maintaining connectivity, and the Hold time to wait for Keep Alive or Update messages before declaring a neighbor down. Use the no form to restore the default settings.
clear ip bgp
This command clears connections using hard or soft re-configuration.

Syntax
clear ip bgp {* | as-number | external | peer-group group-name | neighbor-address} [in [prefix-list] | out | soft [in | out]]
* – All BGP peering sessions.
as-number – All peering sessions within this autonomous system number. (Range: 1-4294967295)
external – All eBGP peering sessions.
◆ Use this command to clear peering sessions when changes are made to any BGP access lists, weights, or route-maps.

◆ Route refresh (RFC 2918) allows a router to reset inbound routing tables dynamically by exchanging route refresh requests with peers. Route refresh relies on the dynamic exchange of information with supporting peers. It is advertised through BGP capability negotiation, and all BGP routers must support this capability.
Route Metrics and Selection

bgp always-compare-med
This command allows comparison of the Multi Exit Discriminator (MED) for paths advertised from neighbors in different autonomous systems. Use the no form to disable this feature.
Command Mode
Router Configuration

Default Setting
Disabled

Example
Console(config-router)#bgp bestpath as-path ignore
Console(config-router)#

bgp bestpath compare-confed-aspath
This command compares confederation AS path length in addition to external AS path length in the selection of a path. Use the no form to disable this feature.
Command Usage
Normally, the first route arriving from different external peers (with other conditions equal) will be chosen as the best route. By using this command, the route with lowest router ID will be selected.
bgp default local-preference This command sets the default local preference used for best path selection among local iBGP peers. Use the no form to restore the default setting. Syntax bgp default local-preference preference preference – Degree of preference iBGP peers give local routes during BGP best path selection. The higher the value, the more the route is to be preferred.
Chapter 50 | IP Routing Commands Border Gateway Protocol (BGPv4) ◆ The router immediately groups and sorts all local paths when this command is entered. For correct results, deterministic comparison of the MED must be configured in the same manner (enabled or disabled) on all routers in the local AS. ◆ If deterministic comparison of the MED is not enabled, route selection can be affected by the order in which routes are received.
Chapter 50 | IP Routing Commands Border Gateway Protocol (BGPv4) ◆ If an access-list is specified, it will be applied to received routes. If the received routes are not matched in the access-list or the specified list does not exist, the original distance value will be used. Example Console(config-router)#distance 90 10.1.1.64 255.255.255.
Chapter 50 | IP Routing Commands Border Gateway Protocol (BGPv4) ◆ Changing the administrative distance of iBGP routes is not recommended. It may cause an accumulation of routing table inconsistencies which can break routing to many parts of the network. Example Console(config-router)#distance bgp 20 200 20 Console(config-router)# Related Commands distance (1111) Neighbor Configuration neighbor activate This command enables the exchange of routing information with a neighboring router or peer group.
neighbor advertisement-interval This command configures the interval between sending update messages to a neighbor. Use the no form to restore the default setting. Syntax neighbor ip-address advertisement-interval interval no neighbor ip-address advertisement-interval ip-address – IP address of a neighbor. interval – The minimum interval between sending routing updates to the specified neighbor.
Chapter 50 | IP Routing Commands Border Gateway Protocol (BGPv4) Command Usage Under standard routing practices, BGP will not accept a route sent from a neighbor if the same AS number appears in the AS path more than once. This could indicate a routing loop, and the route message would therefore be dropped.
neighbor capability dynamic This command configures dynamic negotiation of capabilities between neighboring routers. Use the no form to disable this feature. Syntax [no] neighbor {ip-address | group-name} capability dynamic ip-address – IP address of a neighbor. group-name – A BGP peer group containing a list of neighboring routers configured with the neighbor peer-group command.
Chapter 50 | IP Routing Commands Border Gateway Protocol (BGPv4) Command Mode Router Configuration Default Setting Disabled Command Usage When this command is entered, the side configured with inbound prefix-list filter rules will transmit its own rules to the peer, and the peer will then use these rules as its own outbound rules, thereby avoiding sending routes which will be denied by its partner. Example Console(config-router)#neighbor 10.1.1.
Chapter 50 | IP Routing Commands Border Gateway Protocol (BGPv4) entry in the ip prefix-list. Example Console(config-router)#neighbor 10.1.1.64 default-originate Console(config-router)# neighbor description This command configures the description of a neighbor or peer group. Use the no form to remove a description. Syntax neighbor {ip-address | group-name} description description no neighbor {ip-address | group-name} description ip-address – IP address of a neighbor.
Chapter 50 | IP Routing Commands Border Gateway Protocol (BGPv4) out – Filters outbound routing messages. Command Mode Router Configuration Default Setting None Command Usage ◆ If the specified access list for input or output mode does not exist, all input or output route updates will be filtered. ◆ The neighbor prefix-list and the neighbor distribute-list commands are mutually exclusive for a BGP peer. That is, only one of these commands may be applied in the inbound or outbound direction.
Example Console(config-router)#neighbor 10.1.1.64 dont-capability-negotiate Console(config-router)# neighbor ebgp-multihop This command allows eBGP neighbors to exist in different segments, and configures the maximum hop count (TTL). Use the no form to restore the default setting. Syntax neighbor {ip-address | group-name} ebgp-multihop [count] no neighbor {ip-address | group-name} ebgp-multihop ip-address – IP address of a neighbor.
neighbor enforce-multihop This command enforces the requirement for all neighbors to form multi-hop connections. Use the no form to disable this requirement. Syntax [no] neighbor {ip-address | group-name} enforce-multihop ip-address – IP address of a neighbor. group-name – A BGP peer group containing a list of neighboring routers configured with the neighbor peer-group command.
Chapter 50 | IP Routing Commands Border Gateway Protocol (BGPv4) Default Setting Disabled Command Usage Use this command in conjunction with the ip as-path access-list command to filter route updates sent to or received from a neighbor. Example In this example, the AS path access list “ASPF” is first configured to deny access to any route passing through AS 100. It then enables route filtering by assigning this list to a peer.
neighbor maximum-prefix This command sets the maximum number of route prefixes that can be received from a neighbor. Use the no form to restore the default setting. Syntax neighbor {ip-address | group-name} maximum-prefix max-count [threshold [restart interval | warning]] no neighbor {ip-address | group-name} maximum-prefix ip-address – IP address of a neighbor.
neighbor next-hop-self This command configures the local router as the next hop for a neighbor in all routing messages it sends. Use the no form to disable this feature. Syntax [no] neighbor {ip-address | group-name} next-hop-self ip-address – IP address of a neighbor. group-name – A BGP peer group containing a list of neighboring routers configured with the neighbor peer-group command.
Command Mode Router Configuration Default Setting Disabled Example Console(config-router)#neighbor 10.1.1.64 override-capability Console(config-router)# neighbor passive This command passively forms a connection with the specified neighbor, not sending a TCP connection request, but waiting for a connection request from the specified neighbor. Use the no form to disable this feature.
Chapter 50 | IP Routing Commands Border Gateway Protocol (BGPv4) neighbor password This command enables message-digest (MD5) authentication for the specified neighbor and assigns a password (key) to be used. Use the no form to remove an existing key. Syntax neighbor {ip-address | group-name} password no neighbor {ip-address | group-name} ip-address – IP address of a neighbor. group-name – A BGP peer group containing a list of neighboring routers configured with the neighbor peer-group command.
Command Mode Router Configuration Default Setting No peer groups are defined. Command Usage ◆ Neighbors with the same BGP attributes can be grouped into peer groups. This simplifies the application of various policies, such as filter lists. Other configuration settings can be applied to a peer-group using any of the neighbor commands. Any changes made to the peer group affect all members. Use this command to create a peer-group.
Chapter 50 | IP Routing Commands Border Gateway Protocol (BGPv4) neighbor port This command specifies the TCP port number of the partner through which communications are carried. Use the no form to restore the default setting. Syntax neighbor ip-address port port-number no neighbor ip-address port ip-address – IP address of a neighbor. port-number – TCP port number to use for BGP communications.
Chapter 50 | IP Routing Commands Border Gateway Protocol (BGPv4) Command Usage ◆ First, configure a prefix list with the ip prefix-list command, and then use this command to specify the neighbors to which it applies, and whether it applies to inbound or outbound messages. ◆ Filtering routes based on a prefix list searches for entries matching the router specified by this command.
◆ If the neighbor’s AS number is the same as that of the local router, the neighbor is an iBGP peer. If it is different, the neighbor is an eBGP peer. Example Console(config-router)#neighbor 10.1.1.64 remote-as 100 Console(config-router)# neighbor remove-private-as This command removes private autonomous system numbers from outbound routing updates to an external neighbor. Use the no form to disable this feature.
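Added example (not from this guide or from the vendor): a Python check that reads a saved configuration and reports, per neighbor, which of the session protections described in this section are absent (neighbor password, maximum-prefix for eBGP peers, an inbound filter), whether prefix-list and distribute-list are both applied in the same direction, and where ebgp-multihop is set. The sample configuration is constructed, and the argument layout assumed for password, prefix-list, distribute-list, filter-list, peer-group membership and ip prefix-list definitions is the common `neighbor <peer> <keyword> ...` form, which should be checked against the syntax sections of this guide.

```python
import ipaddress

# Constructed sample configuration, not taken from the guide. Addresses reuse
# the guide's example range; AS numbers, list names and the key are made up.
SAMPLE_CONFIG = """\
ip prefix-list CUST-IN seq 5 permit 100.1.1.0/24
router bgp 100
 neighbor EDGE peer-group
 neighbor EDGE password EXAMPLE-KEY
 neighbor 10.1.1.64 remote-as 100
 neighbor 10.1.1.66 remote-as 200
 neighbor 10.1.1.66 password EXAMPLE-KEY
 neighbor 10.1.1.66 maximum-prefix 1000
 neighbor 10.1.1.66 prefix-list CUST-IN in
 neighbor 10.1.1.68 remote-as 300
 neighbor 10.1.1.68 distribute-list ACL-IN in
 neighbor 10.1.1.68 prefix-list NO-SUCH-LIST in
 neighbor 10.1.1.68 ebgp-multihop 255
 neighbor 10.1.1.70 peer-group EDGE
 neighbor 10.1.1.70 remote-as 400
"""

# Keywords that attach a policy to one direction of a session (assumed layout:
# neighbor <peer> <keyword> <name> {in | out}).
DIRECTIONAL = ("prefix-list", "distribute-list", "filter-list", "route-map")


def parse_config(text):
    """Return (local_as, neighbors, prefix_lists) from a saved configuration."""
    local_as, neighbors, prefix_lists = None, {}, set()
    for line in text.splitlines():
        tok = line.split()
        if tok[:2] == ["router", "bgp"] and len(tok) > 2:
            local_as = int(tok[2])
        elif tok[:2] == ["ip", "prefix-list"] and len(tok) > 2:
            prefix_lists.add(tok[2])
        elif tok[:1] == ["neighbor"] and len(tok) > 2:
            # Key: neighbor address or peer-group name; value: its settings.
            neighbors.setdefault(tok[1], []).append(tok[2:])
    return local_as, neighbors, prefix_lists


def is_address(name):
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False


def effective_settings(name, neighbors):
    """A neighbor's own settings plus those inherited from its peer group."""
    own = neighbors[name]
    inherited = []
    for s in own:
        if s[0] == "peer-group" and len(s) > 1:
            inherited += neighbors.get(s[1], [])
    return inherited + own


def audit(text):
    """Map each neighbor address to an ordered list of findings."""
    local_as, neighbors, prefix_lists = parse_config(text)
    report = {}
    for name in neighbors:
        if not is_address(name):
            continue  # peer groups are checked through their members
        settings = effective_settings(name, neighbors)
        kinds = {s[0] for s in settings}
        remote = next((int(s[1]) for s in settings
                       if s[0] == "remote-as" and len(s) > 1), None)
        # Per the guide: a differing AS number makes the neighbor an eBGP peer.
        ebgp = remote is not None and remote != local_as
        policies = [(s[0], s[1], s[2]) for s in settings
                    if s[0] in DIRECTIONAL and len(s) > 2]
        applied = {(kind, direction) for kind, _, direction in policies}
        found = []
        if remote is None:
            found.append("no-remote-as")
        if "password" not in kinds:
            found.append("no-md5-password")
        if ebgp and "maximum-prefix" not in kinds:
            found.append("no-maximum-prefix")
        if ebgp and not any(d == "in" for _, d in applied):
            found.append("no-inbound-filter")
        for direction in ("in", "out"):
            # The guide states these two are mutually exclusive per direction.
            if {("prefix-list", direction), ("distribute-list", direction)} <= applied:
                found.append(f"prefix-list-and-distribute-list-{direction}")
        for kind, list_name, _ in policies:
            if kind == "prefix-list" and list_name not in prefix_lists:
                found.append(f"undefined-prefix-list:{list_name}")
        for s in settings:
            if s[0] == "ebgp-multihop":
                count = s[1] if len(s) > 1 else "default"
                found.append(f"ebgp-multihop:{count}")
        report[name] = found
    return report


if __name__ == "__main__":
    for peer, found in audit(SAMPLE_CONFIG).items():
        print(peer, ", ".join(found) or "ok")
```

An empty list means every check passed for that neighbor; the ebgp-multihop entry is informational and marks sessions whose peer need not be directly connected.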
Chapter 50 | IP Routing Commands Border Gateway Protocol (BGPv4) neighbor route-map This command specifies the route mapping policy for inbound/outbound routing updates for specified neighbors. Use the no form to remove this policy binding. Syntax neighbor {ip-address | group-name} route-map map-name {in | out} no neighbor {ip-address | group-name} route-map {in | out} ip-address – IP address of a neighbor.
Command Mode Router Configuration Default Setting Disabled Command Usage ◆ Route reflection from this device is enabled by default, but is only functional if a client has been configured with this command. ◆ Under standard configuration rules, all BGP speakers within the same AS must be fully meshed. Route reflection can be used to reduce the number of connections required between peers.
Chapter 50 | IP Routing Commands Border Gateway Protocol (BGPv4) ◆ Using a route server reduces the configuration complexity required for an eBGP full mesh, limits CPU and memory requirements for the exchange of peering messages, and avoids the need for negotiating a large number of individual peering agreements. Example In the following example, the router 10.1.1.64 (AS100) is configured as the route server for neighbors 10.1.1.66 (AS200) and 10.1.1.68 (AS300).
Chapter 50 | IP Routing Commands Border Gateway Protocol (BGPv4) Related Commands set community (1166) neighbor shutdown This command closes a neighbor connection without canceling the neighbor configuration. Use the no form to restore the connection. Syntax [no] neighbor {ip-address | group-name} shutdown ip-address – IP address of a neighbor. group-name – A BGP peer group containing a list of neighboring routers configured with the neighbor peer-group command.
Chapter 50 | IP Routing Commands Border Gateway Protocol (BGPv4) Default Setting Disabled Command Usage ◆ Use this command to employ soft reconfiguration for a neighbor. A hard reset clears and rebuilds specified peering sessions and routing tables. Soft reconfiguration uses stored information to reconfigure and activate routing tables without clearing existing sessions. It uses stored update information to allow you to restore a connection or to apply a new BGP policy without disrupting the network.
Command Usage This command specifies that a connection can only be established when both sides have perfectly matching capabilities. Example Console(config-router)#neighbor 10.1.1.66 strict-capability-match Console(config-router)# neighbor timers This command sets the Keep Alive time and Hold time used for specified neighbors. Use the no form to restore the default settings.
neighbor timers connect This command sets the time to wait before attempting to reconnect to a neighbor whose TCP connection has failed. Use the no form to restore the default setting. Syntax [no] neighbor ip-address timers connect retry-interval ip-address – IP address of a neighbor. group-name – A BGP peer group containing a list of neighboring routers configured with the neighbor peer-group command.
Chapter 50 | IP Routing Commands Border Gateway Protocol (BGPv4) Default Setting No exceptions Command Usage This command is used to leak routes suppressed by the aggregate-address command (with summary-only option) to specified neighbors. Other routes that meet the route map conditions, but have not been suppressed, will still be sent. Example Console(config-router)#neighbor 10.1.1.
Chapter 50 | IP Routing Commands Border Gateway Protocol (BGPv4) neighbor weight This command assigns a weight to routes sent from a neighbor. Use the no form to restore the default weight. Syntax neighbor {ip-address | group-name} weight weight no neighbor {ip-address | group-name} weight ip-address – IP address of a neighbor. group-name – A BGP peer group containing a list of neighboring routers configured with the neighbor peer-group command.
Command Mode Privileged Exec Example
Console#show ip bgp
BGP table version is 0, local router ID is 192.168.0.2
Status codes: s suppressed, d damped, h history, * valid, > best, i internal, r RIB-failure, S Stale, R Removed
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop
*>12.0.0.0 10.1.1.121
*>100.1.1.0/24 10.1.1.200
*>100.1.2.0/24 10.1.1.200
*i192.168.0.0/24 0.0.0.
show ip bgp attribute-info This command shows internal attribute hash information. Syntax show ip bgp attribute-info Command Mode Privileged Exec Example In the following example, Refcnt refers to the number of routes using the indicated next hop.
Console#show ip bgp attribute-info
Refcnt Nexthop
1 0.0.0.0
1 10.1.1.64
3 10.1.1.64
1 10.1.1.121
2 10.1.1.
show ip bgp community This command shows routes that belong to specified BGP communities. Syntax show ip bgp community [{[AA:NN] [internet] [local-as] [no-advertise] [no-export]} [exact-match]] AA:NN – Standard community-number to match. The 4-byte community number is composed of a 2-byte autonomous system number and a 2-byte network number, separated by one colon. Each 2-byte number can range from 0 to 65535.
show ip bgp community-info This command shows community messages permitted by BGP. Syntax show ip bgp community-info Command Mode Privileged Exec Example Console#show ip bgp community-info Address Refcnt Community [0x3312558](3) 100:50 Console# Table 25: show ip bgp community-info - display description Field Description Address Internal address in memory where the entry is stored.
Example
Console#show ip bgp community-list rd
BGP table version is 0, local router ID is 192.168.0.2
Status codes: s suppressed, d damped, h history, * valid, > best, i internal, r RIB-failure, S Stale, R Removed
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
* 100.1.1.0/24 0.0.0.0 32768 700 800 i
*> 172.0.0.0/8 0.0.0.0 32768 700 800 i
Console#
show ip bgp This command shows dampened routes.
Chapter 50 | IP Routing Commands Border Gateway Protocol (BGPv4) Total number of prefixes 1 Console# This example shows the dampening parameters configured on this router. Console#show ip bgp dampening parameters Dampening 15 750 2000 60 Reachability half-life time :15 min Reuse penalty :750 Suppress penalty :2000 Max suppress time :60 min Console# Table 26: show ip bgp dampening parameters- display description Field Description Reachability half- The time after which a penalty is reduced.
show ip bgp neighbors This command shows connection information for neighbor sessions. Syntax show ip bgp neighbors [ip-address [advertised-routes | received prefix-filter | received-routes | routes]] ip-address – IP address of the neighbor. advertised-routes – Shows the routes advertised to a neighbor. received prefix-filter – Shows the prefix-list (outbound route filter) sent from a neighbor.
Chapter 50 | IP Routing Commands Border Gateway Protocol (BGPv4) Table 27: show ip bgp - display description Field Description BGP neighbor IP address of neighbor. remote AS Autonomous system number of the neighbor. local AS Local autonomous system number. external link “external link” is displayed for external BGP neighbors. “internal link” is displayed for iBGP neighbors. BGP version BGP version used to communicate with remote router. remote router ID IP address of the neighbor.
Chapter 50 | IP Routing Commands Border Gateway Protocol (BGPv4) 0x331d8d8:249 Console# 2 200 300 Table 28: show ip bgp paths - display description Field Description Address Internal address in memory where the path is stored. Refcnt The number of routes using this path. ASpath The autonomous system path for this route. show ip bgp prefix-list This command shows routes matching the specified prefix-list. Syntax show ip bgp prefix-list list-name list-name – Name of a prefix-list.
Example
Console#show ip bgp regexp 100
BGP table version is 0, local router ID is 192.168.0.2
Status codes: s suppressed, d damped, h history, * valid, > best, i internal, r RIB-failure, S Stale, R Removed
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
* 100.1.1.0/24 10.1.1.64 0 0 500 100 600 ?
Console#
show ip bgp This command shows routes matching the specified route map.
Chapter 50 | IP Routing Commands Border Gateway Protocol (BGPv4) Example Console#show ip bgp scan BGP scan is running BGP scan interval is 60 Current BGP nexthop cache: 10.10.10.64 valid [IGP metric 0] BGP connected route: 10.10.10.0/24 10.10.11.0/24 Console# show ip bgp summary This command shows summary information for all connections.
Command Mode Privileged Exec Example Console#show ip community-list rd Named Community standard list rd permit 100:10 Console# show ip extcommunity-list This command shows routes permitted by an extended community list. Syntax show ip extcommunity-list [1-99 | 100-500 | community-list-name] 1-99 – Standard community list number that identifies one or more groups of communities.
sequence-number – The sequence number of an entry. (Range: 1-429496725) Command Mode Privileged Exec Example Console#show ip prefix-list rd ip prefix-list rd: 1 entries seq 5 deny 10.0.0.0/8 ge 14 le 22 Console# show ip prefix-list detail This command shows detailed information for the specified prefix list. Syntax show ip prefix-list detail [prefix-list-name] prefix-list-name – Name of prefix list.
Chapter 50 | IP Routing Commands Policy-based Routing for BGP Example Console#show ip prefix-list summary rd ip prefix-list rd: count: 1, range entries: 0, sequences: 5 - 5 Console# Policy-based Routing for BGP This section describes commands used to configure policy-based routing (PBR) maps for Border Gateway Protocol (BGP). Policy-based routing is performed before regular routing. PBR inspects traffic on the interface where the policy is applied and then, based on the policy, makes some decision.
Table 29: Policy-based Routing Configuration Commands (Continued)
Command               Function   Mode
continue              Goes to a route-map entry with a higher sequence number after a successful match occurs   RM
description           Creates a description of an entry in the route map   RM
match as-path         Sets an AS path access list to match   RM
match community       Sets a BGP community access list to match   RM
match extcommunity    Sets a BGP extended community access list to match
Chapter 50 | IP Routing Commands Policy-based Routing for BGP route-map This command enters route-map configuration mode, allowing route maps to be created or modified. Use the no form to remove a route map. Syntax [no] route-map map-name {deny | permit} sequence-number map-name – Name for the route map. (Range: 1-128 case-sensitive alphanumeric characters) deny – Route-map denies set operations. permit – Route-map permits set operations.
Chapter 50 | IP Routing Commands Policy-based Routing for BGP ■ For a permit route-map, if it does not have a match clause, any routing message is matched, and therefore all routes are permitted. ■ For a permit route-map which includes a match clause for an access-list, if the access-list does not exist, no routing messages are matched, and therefore all routes are skipped.
Chapter 50 | IP Routing Commands Policy-based Routing for BGP Command Mode Route Map Command Usage If no match statements precede the call entry, the call is automatically executed. If no sequence number is specified by the call entry, the next entry is executed.
Command Usage The weights assigned by the match as-path and set weight route-map commands override the weight assigned using the BGP neighbor weight command. Example Console(config)#route-map RD permit 1 Console(config-route-map)#match as-path 60 Console(config-route-map)#set weight 30 Console(config-route-map)# Related Commands ip as-path access-list (1086) match community This command sets a BGP community access list to match.
Chapter 50 | IP Routing Commands Policy-based Routing for BGP match extcommunity This command sets a BGP extended community access list to match. Use the no form to remove this entry from a route map. Syntax match extcommunity {1-99 | 100-500} [exact-match] no match extcommunity 1-99 – Standard community list number that identifies one or more groups of communities. 100-500 – Expanded community list number that identifies one or more groups of communities.
Chapter 50 | IP Routing Commands Policy-based Routing for BGP Related Commands ip prefix-list (1091) Access Control Lists (395) match ip next-hop This command specifies the next-hop addresses to be matched in a standard access list, an extended access list, or a prefix list. Use the no form to remove this entry from a route map. Syntax match ip next-hop {access-list-name | prefix-list prefix-list-name} no match ip next-hop access-list-name – Name of standard or extended access list.
Chapter 50 | IP Routing Commands Policy-based Routing for BGP Command Usage Note that there may be situations in which the next hop and source router address of the route are not the same. Example Console(config)#route-map RD permit 6 Console(config-route-map)#match ip route-source rd-sources Console(config-route-map)#set weight 30 Console(config-route-map)# match metric This command sets the metric value to match in routing messages. Use the no form to remove this entry from a route map.
Chapter 50 | IP Routing Commands Policy-based Routing for BGP Example Console(config)#route-map RD permit 8 Console(config-route-map)#match origin igp Console(config-route-map)#set weight 30 Console(config-route-map)# match pathlimit as This command sets the maximum AS path length allowed for propagation of more specific prefixes to match in routing messages. Use the no form to remove this entry from a route map. Syntax match pathlimit as as-limit no match pathlimit as as-limit – Maximum AS path length.
Chapter 50 | IP Routing Commands Policy-based Routing for BGP boundary, then the AS number of the confederation member inside of the AS_PATHLIMIT attribute should be replaced by the confederation's AS number. Example Console(config)#route-map RD permit 8 Console(config-route-map)#match pathlimit as 5 Console(config-route-map)#on match goto 20 Console(config-route-map)# match peer This command sets the peer address to match in routing messages. Use the no form to remove this entry from a route map.
Chapter 50 | IP Routing Commands Policy-based Routing for BGP Example Console(config)#route-map RD permit 8 Console(config-route-map)#match pathlimit as 5 Console(config-route-map)#on match goto 20 Console(config-route-map)# set aggregator as This command assigns an AS number and IP address to the aggregator attribute of a route. Use the no form to remove this entry from a route map.
Chapter 50 | IP Routing Commands Policy-based Routing for BGP prepend – Appends one or more autonomous system numbers to the AS path of the route that is matched. as-number – Autonomous system number. (Range: 1-4294967295) Command Mode Route Map Command Usage Note that best path selection may be influenced with this command by varying the length of the autonomous system path. Example Console(config)#route-map RD permit 8 Console(config-route-map)#match peer 192.168.0.
Chapter 50 | IP Routing Commands Policy-based Routing for BGP set comm-list delete This command removes communities from the community attribute of inbound or outbound routing messages. Use the no form to remove this entry from a route map. Syntax [no] set comm-list {1-99 | 100-500 | community-list-name} [delete] 1-99 – Standard community list number that identifies one or more groups of communities. 100-500 – Expanded community list number that identifies one or more groups of communities.
AA:NN – Standard community-number. The 4-byte community number is composed of a 2-byte autonomous system number and a 2-byte network number, separated by one colon. Each 2-byte number can range from 0 to 65535. One or more communities can be entered, separated by a space. Up to 16 community numbers are supported. additive – Adds community attributes to already existing community attributes. internet – Specifies the entire Internet.
Chapter 50 | IP Routing Commands Policy-based Routing for BGP set extcommunity This command sets the extended community attributes of routing messages. Use the no form to remove this entry from a route map. Syntax set extcommunity {rt extended-community-value | soo extended-community-value} no set extcommunity [rt | soo] rt – The route target extended community attribute. soo – The site of origin extended community attribute.
Chapter 50 | IP Routing Commands Policy-based Routing for BGP Example Console(config)#route-map RD permit 13 Console(config-route-map)#match peer 192.168.0.99 Console(config-route-map)#set extcommunity 100:0 192.168.1.1:1 Console(config-route-map)# set ip next-hop This command sets the next-hop for a routing message. Use the no form to remove this entry from a route map.
Chapter 50 | IP Routing Commands Policy-based Routing for BGP set local-preference This command sets the priority within the local AS for a routing message. Use the no form to remove this entry from a route map. Syntax set local-preference preference no set local-preference preference – Degree of preference iBGP peers give local routes during BGP best path selection. The higher the value, the more the route is to be preferred.
Chapter 50 | IP Routing Commands Policy-based Routing for BGP ◆ This command can modify the current metric for a route using the “+” or “-” keywords. ◆ The metric applies to external routers in the inter-autonomous system. To specify the metric for the local AS, use the set local-preference command. ◆ This path metric is normally only compared with neighbors in the local AS.
Chapter 50 | IP Routing Commands Policy-based Routing for BGP set originator-id This command sets the IP address of the routing message’s originator. Use the no form to remove this entry from a route map. Syntax set originator-id ip-address no set originator-id ip-address – An IPv4 address of the route source, expressed in dotted decimal notation.
Chapter 50 | IP Routing Commands Policy-based Routing for BGP Example Console(config)#route-map RD permit 18 Console(config-route-map)#match peer 192.168.0.99 Console(config-route-map)#set pathlimit ttl 255 Console(config-route-map)# set weight This command sets the weight for routing messages. Use the no form to remove this entry from a route map. Syntax set weight weight no set weight weight – The weight assigned to this route.
Chapter 50 | IP Routing Commands Policy-based Routing for BGP Example Console#show route-map RD route-map RD, permit, sequence 1 Match clauses: peer 102.168.0.
51 Multicast Routing Commands Multicast routers can use various kinds of multicast routing protocols to deliver IP multicast packets across different subnetworks. This router supports Protocol Independent Multicasting (PIM). (Note that IGMP will be enabled for any interface that is using multicast routing.
Chapter 51 | Multicast Routing Commands General Multicast Routing Default Setting Disabled Command Mode Global Configuration Command Usage ◆ This command is used to enable IPv4 multicast routing globally for the router. A specific multicast routing protocol also needs to be enabled on the interfaces that will support multicast routing: first use the router pim command, and then specify those interfaces using the ip pim dense-mode or ip pim sparse-mode commands.
Chapter 51 | Multicast Routing Commands General Multicast Routing Example This example shows detailed multicast information for a specified group/source pair Console#show ip mroute 224.0.255.3 192.111.46.8 IP Multicast Forwarding is enabled. IP Multicast Routing Table Flags: D - Dense, S - Sparse, s - SSM Channel, C - Connected, P - Pruned, F - Register flag, R - RPT-bit set, T - SPT-bit set, J - Join SPT Interface state: F - Forwarding, P - Pruned, L - Local (192.168.2.1, 224.0.17.
Chapter 51 | Multicast Routing Commands General Multicast Routing Table 32: show ip mroute - display description (Continued) Field Description Incoming Interface Interface leading to the upstream neighbor. PIM creates a multicast routing tree based on the unicast routing table. If the related unicast routing table does not exist, PIM will still create a multicast routing entry, but displays “Null” for the upstream interface to indicate that the unicast routing table is not valid.
will support multicast routing using the router pim6 command, and then specify the interfaces that will support multicast routing using the ipv6 pim command. ◆ To use multicast routing, MLD proxy cannot be enabled on any interface of the device (see ipv6 mld proxy on page 789). Example Console(config)#ipv6 multicast-routing Console(config)# show ipv6 mroute This command displays the IPv6 multicast routing table.
Chapter 51 | Multicast Routing Commands General Multicast Routing Incoming Interface: VLAN2, RPF neighbor: FE80::0303 Outgoing Interface List: VLAN1(F) Console# Table 33: show ip mroute - display description Field Description Flags The flags associated with this entry: ◆ D (Dense) - PIM Dense mode in use. ◆ S (Sparse) - PIM Sparse mode in use. ◆ s (SSM) - A multicast group with the range of IP addresses used for PIM-SSM. ◆ C (Connected) - A member of the multicast group is present on this interface.
This example lists all entries in the multicast table in summary form:
Console#show ipv6 mroute summary
IP Multicast Forwarding is disabled
IP Multicast Routing Table (Summary)
Flags: F - Forwarding, P - Pruned, D - PIM-DM, S – PIM-SM, V – DVMRP, M - MLD
Group                          Source                         Interface  Flag
------------------------------ ------------------------------ ---------- ---
FF02::0101                     FE80::0101                     VLAN 4096  DF
Total Entry is 1
Console#

Static Multicast Routing
Command Mode
Global Configuration

Command Usage
Depending on your network connections, IGMP snooping may not always be able to locate the IGMP querier. Therefore, if the IGMP querier is a known multicast router/switch connected over the network to an interface (port or trunk) on your router, you can manually configure that interface to join all the current multicast groups.
PIM Multicast Routing

This section describes the PIM commands used for IPv4 and IPv6. Note that PIM can run on an IPv4 network and PIM6 on an IPv6 network simultaneously. Also note that Internet Group Management Protocol (IGMP) is used for IPv4 networks and Multicast Listener Discovery (MLD) for IPv6 networks.

Table 35: IPv4 and IPv6 PIM Commands

Command Group: IPv4 PIM Commands
Function: Configures multicast routing for IPv4 PIM.
Table 36: PIM-DM and PIM-SM Multicast Routing Commands (Continued)

Command: ip pim bsr-candidate
Function: Configures the switch as a Bootstrap Router (BSR) candidate
Mode: GC

Command: ip pim register-rate-limit
Function: Configures the rate at which register messages are sent by the Designated Router (DR)
Mode: GC

Command: ip pim register-source
Function: Configure the IP source address of a register message to an address other than the outgoing interface address of the designat
Mode: GC
Example
Console(config)#router pim
Console(config)#exit
Console#show ip pim interface
PIM is enabled.
VLAN 1 is up.
PIM Mode : Dense Mode
IP Address : 192.168.0.
◆ Dense-mode interfaces are subject to multicast flooding by default, and are only removed from the multicast routing table when the router determines that there are no group members or downstream routers, or when a prune message is received from a downstream router.
◆ Sparse-mode interfaces forward multicast traffic only if a join message is received from a downstream router or if group members are directly connected to the interface.
Command Mode
Interface Configuration (VLAN)

Command Usage
The ip pim hello-holdtime should be greater than the value of ip pim hello-interval.

Example
Console(config-if)#ip pim hello-holdtime 210
Console(config-if)#

ip pim hello-interval
This command configures the frequency at which PIM hello messages are transmitted. Use the no form to restore the default value.
Default Setting
210 seconds

Command Mode
Interface Configuration (VLAN)

Command Usage
The multicast interface that first receives a multicast stream from a particular source forwards this traffic to all other PIM interfaces on the router. If there are no requesting groups on that interface, the leaf node sends a prune message upstream and enters a prune state for this multicast stream.
Example
Console(config-if)#ip pim lan-prune-delay
Console(config-if)#

Related Commands
ip pim override-interval (1189)
ip pim propagation-delay (1190)

ip pim override-interval
This command configures the override interval, or the time it takes a downstream router to respond to a lan-prune-delay message. Use the no form to restore the default setting.
ip pim propagation-delay
This command configures the propagation delay required for a LAN prune delay message to reach downstream routers. Use the no form to restore the default setting.

ip pim propagation-delay milliseconds
no ip pim propagation-delay
milliseconds - The time required for a lan-prune-delay message to reach downstream routers attached to the same VLAN interface.
Command Mode
Interface Configuration (VLAN)

Command Usage
◆ When a router first starts or PIM is enabled on an interface, the hello delay is set to a random value between 0 and the trigger-hello-delay. This prevents synchronization of Hello messages on multi-access links if multiple routers are powered on simultaneously.
show ip pim neighbor
This command displays information about PIM neighbors.

Syntax
show ip pim neighbor [interface vlan vlan-id]
vlan-id - VLAN ID (Range: 1-4094)

Default Setting
Displays information for all known PIM neighbors.

Command Mode
Normal Exec, Privileged Exec

Example
Console#show ip pim neighbor
Neighbor Address VLAN Interface Uptime (sec.
Command Mode
Interface Configuration (VLAN)

Command Usage
A graft message is sent by a router to cancel a prune state. When a router receives a graft message, it must respond with a graft acknowledgement message. If this acknowledgement message is lost, the router that sent the graft message will resend it a number of times (as defined by the ip pim max-graft-retries command).
Default Setting
60 seconds

Command Mode
Interface Configuration (VLAN)

Command Usage
◆ The pruned state times out approximately every three minutes and the entire PIM-DM network is reflooded with multicast packets and prune messages.
Default Setting
Hash Mask Length: 10
Priority: 0

Command Mode
Global Configuration

Command Usage
◆ When the ip pim bsr-candidate command is entered, the router starts sending bootstrap messages to all of its PIM-SM neighbors. The IP address of the designated VLAN is sent as the candidate’s BSR address. Each neighbor receiving the bootstrap message compares the BSR address with the address from previous messages.
ip pim register-rate-limit
This command configures the rate at which register messages are sent by the Designated Router (DR) for each (source, group) entry. Use the no form to restore the default value.

Syntax
ip pim register-rate-limit rate
no ip pim register-rate-limit
rate - The maximum number of register packets per second.
Command Usage
When the source address of a register message is filtered by intermediate network devices, or is not a uniquely routed address to which the RP can send packets, the replies sent from the RP to the source address will fail to reach the DR, resulting in PIM-SM protocol failures.
longer group prefix length. If the prefix lengths are the same, then the static RP with the highest IP address is chosen.
◆ Static definitions for RP addresses may be used together with RP addresses dynamically learned through the bootstrap router (BSR).
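The static RP selection rule above (longer group prefix wins, then the highest RP address), as an added Python example that is not code from this guide. The `StaticRP` record and the sample entries are constructed; it assumes the rule applies among the static entries whose group range contains the group, treats an entry without a range as covering all groups (FF00::/8 for PIM6 as this guide states, 224.0.0.0/4 for IPv4), and applies the guide's PIM6 restriction on duplicate RP addresses to both address families.

```python
import ipaddress
from typing import Iterable, NamedTuple, Optional


class StaticRP(NamedTuple):
    """One static RP entry (hypothetical record, not a switch data structure)."""
    rp: str                            # RP address
    group_range: Optional[str] = None  # e.g. "224.0.1.0/24"; None = all groups


# Range used when an entry names no group. FF00::/8 is the range this guide
# gives for PIM6; 224.0.0.0/4 is the standard IPv4 multicast range.
ALL_GROUPS = {4: "224.0.0.0/4", 6: "FF00::/8"}


def _range_of(entry: StaticRP, version: int):
    return ipaddress.ip_network(entry.group_range or ALL_GROUPS[version])


def validate(entries: Iterable[StaticRP]) -> None:
    """Reject entry sets the switch would not accept or that make no sense."""
    seen = set()
    for e in entries:
        rp = ipaddress.ip_address(e.rp)
        # Guide (PIM6 usage notes): multiple static RPs with the same RP
        # address are not allowed. Applied to IPv4 too (assumption).
        if rp in seen:
            raise ValueError(f"RP {e.rp} is configured more than once")
        seen.add(rp)
        net = _range_of(e, rp.version)
        if net.version != rp.version:
            raise ValueError(f"RP {e.rp} and range {net} differ in IP version")
        if not net.is_multicast:
            raise ValueError(f"{net} is not a multicast group range")


def select_static_rp(group: str, entries: Iterable[StaticRP]) -> Optional[StaticRP]:
    """Return the static RP entry used for `group`, or None if none matches."""
    entries = list(entries)
    validate(entries)
    g = ipaddress.ip_address(group)
    if not g.is_multicast:
        raise ValueError(f"{group} is not a multicast group address")
    best = None
    for e in entries:
        rp = ipaddress.ip_address(e.rp)
        if rp.version != g.version:
            continue
        net = _range_of(e, g.version)
        if g not in net:
            continue
        # Longer group prefix first, then the numerically highest RP address.
        key = (net.prefixlen, int(rp))
        if best is None or key > best[0]:
            best = (key, e)
    return best[1] if best else None


# Constructed sample entries (not taken from a real configuration).
SAMPLE = [
    StaticRP("192.168.0.2"),                   # all IPv4 groups
    StaticRP("192.168.1.1", "224.0.1.0/24"),
    StaticRP("192.168.2.9", "224.0.1.0/24"),   # same prefix length as above
    StaticRP("192.168.3.3", "224.0.0.0/8"),
    StaticRP("2001:DB8::1"),                   # all IPv6 groups
    StaticRP("2001:DB8::2", "FF0E::/16"),
]

if __name__ == "__main__":
    for grp in ("224.0.1.3", "224.5.5.5", "239.1.1.1", "FF0E::0101", "FF02::0101"):
        print(f"{grp:12} -> {select_static_rp(grp, SAMPLE).rp}")
```

Comparing the result for a group with the output of show ip pim rp-hash on each router is a quick way to confirm that all routers hold the same static RP definitions.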
ip pim rp-candidate
This command configures the router to advertise itself as a Rendezvous Point (RP) candidate to the bootstrap router (BSR). Use the no form to remove this router as an RP candidate.

Syntax
ip pim rp-candidate interface vlan vlan-id [group-prefix group-address mask] [interval seconds] [priority value]
no ip pim rp-candidate interface vlan vlan-id
vlan-id - VLAN ID (Range: 1-4094)
group-address - An IP multicast group address.
■ If there is a tie, use the candidate RP with the highest IP address.
◆ This distributed election process provides faster convergence and minimal disruption when an RP fails. It also serves to provide load balancing by distributing groups across multiple RPs. Moreover, when an RP fails, the responsible RPs are re-elected on each router, and the groups automatically distributed to the remaining RPs.
Command Usage
◆ The default path for packets from a multicast source to a receiver is through the RP. However, the path through the RP is not always the shortest path. Therefore, the router uses the RP to forward only the first packet from a new multicast group to its receivers.
sending periodic Join/Prune messages toward a group-specific RP for each group. A single DR is elected per interface (LAN or otherwise) using a simple election process.
◆ The router with the highest priority configured on an interface is elected as the DR. If more than one router attached to this interface uses the same priority, then the router with the highest IP address is elected to serve as the DR.
Command Usage
◆ By default, the switch sends join/prune messages every 210 seconds to inform other PIM-SM routers about clients who want to join or leave a multicast group.
◆ Use the same join/prune message interval on all the PIM-SM routers in the same PIM-SM domain, otherwise the routing protocol’s performance will be adversely affected.
Example
This example clears the RP map.

Console#clear ip pim bsr rp-set
Console#show ip pim rp mapping
PIM Group-to-RP Mappings
Console#

show ip pim bsr-router
This command displays information about the bootstrap router (BSR).

Command Mode
Privileged Exec

Command Usage
This command displays information about the elected BSR.

Example
This example displays information about the BSR.
Table 38: show ip pim bsr-router - display description (Continued)

Field: State
Description: Operation state of BSR includes:
◆ No information – No information stored for this device.
◆ Accept Any – The router does not know of an active BSR, and will accept the first bootstrap message it sees as giving the new BSR's identity and the RP-set.
show ip pim rp-hash
This command displays the RP used for the specified multicast group, and the RP that advertised the mapping.

Syntax
show ip pim rp-hash group-address
group-address - An IP multicast group address.

Command Mode
Privileged Exec

Example
This example displays the RP used for the specified group.

Console#show ip pim rp-hash 224.0.1.3
RP address : 192.168.0.2/32
Info source : 192.168.0.
Table 41: PIM-DM and PIM-SM Multicast Routing Commands (Continued)

Command: ipv6 pim trigger-hello-delay
Function: Configures the trigger hello delay
Mode: IC

Command: show ipv6 pim interface
Function: Displays information about interfaces configured for PIM
Mode: NE, PE

Command: show ipv6 pim neighbor
Function: Displays information about PIM neighbors
Mode: NE, PE

PIM-DM Commands

Command: ipv6 pim graft-retry-interval
Function: Configures the time to wait for a Graft acknowledgement before resending a G
Command Mode
Global Configuration

Command Usage
◆ This command enables PIM-DM and PIM-SM for IPv6 globally for the router. You also need to enable PIM-DM and PIM-SM for each interface that will support multicast routing using the ipv6 pim command, and make any changes necessary to the multicast protocol parameters.
◆ To use PIMv6, IPv6 multicast routing must be enabled on the switch using the ipv6 multicast-routing command.
◆ Dense-mode interfaces are subject to multicast flooding by default, and are only removed from the multicast routing table when the router determines that there are no group members or downstream routers, or when a prune message is received from a downstream router.
◆ Sparse-mode interfaces forward multicast traffic only if a join message is received from a downstream router or if group members are directly connected to the interface.
Command Mode
Interface Configuration (VLAN)

Command Usage
The ipv6 pim hello-holdtime should be greater than the value of ipv6 pim hello-interval.

Example
Console(config-if)#ipv6 pim hello-holdtime 210
Console(config-if)#

ipv6 pim hello-interval
This command configures the frequency at which PIM hello messages are transmitted. Use the no form to restore the default value.
Default Setting
210 seconds

Command Mode
Interface Configuration (VLAN)

Command Usage
The multicast interface that first receives a multicast stream from a particular source forwards this traffic to all other PIM interfaces on the router. If there are no requesting groups on that interface, the leaf node sends a prune message upstream and enters a prune state for this multicast stream.
Example
Console(config-if)#ipv6 pim lan-prune-delay
Console(config-if)#

Related Commands
ipv6 pim override-interval (1212)
ipv6 pim propagation-delay (1213)

ipv6 pim override-interval
This command configures the override interval, or the time it takes a downstream router to respond to a lan-prune-delay message. Use the no form to restore the default setting.
ipv6 pim propagation-delay
This command configures the propagation delay required for a LAN prune delay message to reach downstream routers. Use the no form to restore the default setting.

ipv6 pim propagation-delay milliseconds
no ipv6 pim propagation-delay
milliseconds - The time required for a lan-prune-delay message to reach downstream routers attached to the same VLAN interface.
Command Mode
Interface Configuration (VLAN)

Command Usage
◆ When a router first starts or PIM is enabled on an interface, the hello delay is set to a random value between 0 and the trigger-hello-delay. This prevents synchronization of Hello messages on multi-access links if multiple routers are powered on simultaneously.
show ipv6 pim neighbor
This command displays information about PIM neighbors.

Syntax
show ipv6 pim neighbor [interface vlan vlan-id]
vlan-id - VLAN ID (Range: 1-4094)

Default Setting
Displays information for all known PIM neighbors.
Command Mode
Interface Configuration (VLAN)

Command Usage
A graft message is sent by a router to cancel a prune state. When a router receives a graft message, it must respond with a graft acknowledgement message. If this acknowledgement message is lost, the router that sent the graft message will resend it a number of times (as defined by the ipv6 pim max-graft-retries command).
ipv6 pim state-refresh origination-interval
This command sets the interval between sending PIM-DM state refresh control messages. Use the no form to restore the default value.

Syntax
ipv6 pim state-refresh origination-interval seconds
no ipv6 pim state-refresh origination-interval
seconds - The interval between sending PIM-DM state refresh control messages.
PIM6-SM Commands

ipv6 pim bsr-candidate
This command configures the switch as a Bootstrap Router (BSR) candidate. Use the no form to restore the default value.

Syntax
ipv6 pim bsr-candidate interface vlan vlan-id [hash hash-mask-length] [priority priority]
no ipv6 pim bsr-candidate
vlan-id - VLAN ID (Range: 1-4094)
hash-mask-length - Hash mask length (in bits) used for RP selection (see ipv6 pim rp-candidate and ipv6 pim rp-address).
Example
The following example configures the router to start sending bootstrap messages out of the interface for VLAN 1 to all of its PIM-SM neighbors.
ipv6 pim register-source
This command configures the IP source address of a register message to an address other than the outgoing interface address of the designated router (DR) that leads back toward the rendezvous point (RP). Use the no form to restore the default setting.
Command Mode
Global Configuration

Command Usage
◆ The router specified by this command will act as an RP for all multicast groups in the local PIM6-SM domain if no groups are specified. A static RP can either be configured for the whole multicast group range FF00::/8, or for specific group ranges.
◆ Using this command to configure multiple static RPs with the same RP address is not allowed.
ipv6 pim rp-candidate
This command configures the router to advertise itself as a Rendezvous Point (RP) candidate to the bootstrap router (BSR). Use the no form to remove this router as an RP candidate.
◆ This distributed election process provides faster convergence and minimal disruption when an RP fails. It also serves to provide load balancing by distributing groups across multiple RPs. Moreover, when an RP fails, the responsible RPs are re-elected on each router, and the groups automatically distributed to the remaining RPs.
group to its receivers. Afterwards, it calculates the shortest path tree (SPT) directly between the receiver and source, and then uses the SPT to send all subsequent packets from the source to the receiver instead of using the shared tree. Note that when the SPT threshold is not set by this command, the PIM leaf router will join the shortest path tree immediately after receiving the first packet from a new source.
◆ The router with the highest priority configured on an interface is elected as the DR. If more than one router attached to this interface uses the same priority, then the router with the highest IP address is elected to serve as the DR.
◆ If a router does not advertise a priority in its hello messages, it is assumed to have the highest priority and is elected as the DR.
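The DR election rules above, which this guide gives in the same form for the IPv4 and IPv6 PIM-SM commands, as an added Python example that is not code from this guide. It recomputes the DR from hello data collected for an interface and reports when the result differs from the intended DR or when the winner advertises no priority at all. The `Hello` record and the sample neighbors are constructed, and the tie-break among several routers that advertise no priority (highest address) is an assumption the excerpt does not state.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class Hello:
    """One PIM hello seen on a VLAN interface (hypothetical record)."""
    address: str             # IPv4 or IPv6 source address of the hello
    priority: Optional[int]  # None = the router advertised no DR priority


def _rank(h: Hello):
    # Guide: a router that advertises no priority is assumed to have the
    # highest priority. Equal priority falls back to the highest IP address.
    # Highest address among several no-priority routers is an assumption.
    no_priority = h.priority is None
    return (no_priority,
            -1 if no_priority else h.priority,
            int(ipaddress.ip_address(h.address)))


def elect_dr(hellos: Iterable[Hello]) -> Hello:
    """Return the hello of the router that wins the DR election."""
    hellos = list(hellos)
    if not hellos:
        raise ValueError("no PIM routers on this interface")
    versions = {ipaddress.ip_address(h.address).version for h in hellos}
    if len(versions) != 1:
        raise ValueError("PIM (IPv4) and PIM6 neighbors must be audited separately")
    return max(hellos, key=_rank)


def audit_interface(vlan: int, hellos: Iterable[Hello], expected_dr: str) -> List[str]:
    """Compare the computed DR with the router the design intends as DR."""
    dr = elect_dr(hellos)
    findings = []
    if ipaddress.ip_address(dr.address) != ipaddress.ip_address(expected_dr):
        findings.append(f"VLAN {vlan}: DR is {dr.address}, expected {expected_dr}")
    if dr.priority is None:
        findings.append(
            f"VLAN {vlan}: DR {dr.address} advertises no DR priority, "
            "so configured priorities on this interface have no effect")
    return findings


# Constructed sample data (addresses and priorities are illustrative only).
VLAN1 = [Hello("192.168.0.1", 10), Hello("192.168.0.2", 10), Hello("192.168.0.3", 1)]
VLAN2 = [Hello("192.168.1.1", 200), Hello("192.168.1.9", None)]
VLAN3 = [Hello("FE80::0101", 5), Hello("FE80::0303", 5)]

if __name__ == "__main__":
    for vlan, hellos, want in ((1, VLAN1, "192.168.0.2"),
                               (2, VLAN2, "192.168.1.1"),
                               (3, VLAN3, "FE80::0303")):
        print(vlan, elect_dr(hellos).address, audit_interface(vlan, hellos, want))
```

On VLAN 2 of the sample data the router configured with priority 200 loses to the neighbor that sends no priority, which is the case the second finding reports.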
◆ Use the same join/prune message interval on all the PIM-SM routers in the same PIM-SM domain, otherwise the routing protocol’s performance will be adversely affected.
◆ The multicast interface that first receives a multicast stream from a particular source forwards this traffic only to those interfaces on the router that have requested to join this group.
Example
This example clears the RP map.

Console#clear ipv6 pim bsr rp-set
Console#show ipv6 pim rp mapping
PIM Group-to-RP Mappings
Console#

show ipv6 pim bsr-router
This command displays information about the bootstrap router (BSR).

Command Mode
Privileged Exec

Command Usage
This command displays information about the elected BSR.

Example
This example displays information about the BSR.
Table 43: show ip pim bsr-router - display description

Field: Role
Description: Candidate BSR or Non-candidate BSR.

Field: State
Description: Operation state of BSR includes:
◆ No information – No information stored for this device.
◆ Accept Any – The router does not know of an active BSR, and will accept the first bootstrap message it sees as giving the new BSR's identity and the RP-set.
show ipv6 pim rp-hash
This command displays the RP used for the specified multicast group, and the RP that advertised the mapping.

Syntax
show ipv6 pim rp-hash group-address
group-address - An IP multicast group address.

Command Mode
Privileged Exec

Example
This example displays the RP used for the specified group.
Section III Appendices

This section provides additional information and includes these items:
◆ “Troubleshooting” on page 1233
◆ “License Information” on page 1235
A Troubleshooting

Problems Accessing the Management Interface

Table 46: Troubleshooting Chart

Symptom: Cannot connect using Telnet, or SNMP software
Action:
◆ Be sure the switch is powered up.
◆ Check network cabling between the management station and the switch. Make sure the ends are properly connected and there is no damage to the cable. Test the cable if necessary.

Symptom: Cannot connect using Secure Shell
Using System Logs

If a fault does occur, refer to the Installation Guide to ensure that the problem you encountered is actually caused by the switch. If the problem appears to be caused by the switch, follow these steps:
1. Enable logging.
2. Set the error messages reported to include all categories.
3. Enable SNMP.
4. Enable SNMP traps.
5. Designate the SNMP host that is to receive the error messages.
6.
B License Information

This product includes copyrighted third-party software subject to the terms of the GNU General Public License (GPL), GNU Lesser General Public License (LGPL), or other related free software licenses. The GPL code used in this product is distributed WITHOUT ANY WARRANTY and is subject to the copyrights of one or more authors. For details, refer to the section "The GNU General Public License" below, or refer to the applicable license as included in the source-code archive.
The GNU General Public License

GNU GENERAL PUBLIC LICENSE
TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION

1. This License applies to any program or other work which contains a notice placed by the copyright holder saying it may be distributed under the terms of this General Public License.
b) Accompany it with a written offer, valid for at least three years, to give any third party, for a charge no more than your cost of physically performing source distribution, a complete machine-readable copy of the corresponding source code, to be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or,
c) Accompany it with the information you received as to the offer to distribute c
9. If the distribution and/or use of the Program is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the Program under this License may add an explicit geographical distribution limitation excluding those countries, so that distribution is permitted only in or among countries not thus excluded.
Glossary

ACL: Access Control List. ACLs can limit network traffic and restrict access to certain users or devices by checking each packet for certain IP or MAC (i.e., Layer 2) information.

ARP: Address Resolution Protocol converts between IP addresses and MAC (hardware) addresses. ARP is used to locate the MAC address corresponding to a given IP address. This allows the switch to use IP addresses for routing decisions and the corresponding MAC addresses to forward packets from one hop to the next.
DiffServ: Differentiated Services provides quality of service on large networks by employing a well-defined set of building blocks from which a variety of aggregate forwarding behaviors may be built. Each packet carries information (DS byte) used by each hop to give it a particular forwarding treatment, or per-hop behavior, at each network node.
ICMP: Internet Control Message Protocol is a network layer protocol that reports errors in processing IP packets. ICMP is also used by routers to feed back information about better routing choices.

IEEE 802.1D: Specifies a general method for the operation of MAC bridges, including the Spanning Tree Protocol.

IEEE 802.1Q: VLAN Tagging—Defines Ethernet frame tags which carry VLAN information.
IGMP Query: On each subnetwork, one IGMP-capable device will act as the querier — that is, the device that asks all hosts to report on the IP multicast groups they wish to join or to which they already belong. The elected querier will be the device with the lowest IP address in the subnetwork.

IGMP Snooping: Listening to IGMP Query and IGMP Report packets transferred between IP Multicast Routers and IP Multicast host groups to identify IP Multicast group members.
MIB: An acronym for Management Information Base. It is a set of database objects that contains information about a specific device.

MRD: Multicast Router Discovery is a protocol used by IGMP snooping and multicast routing devices to discover which interfaces are attached to multicast routers. This process allows IGMP-enabled devices to determine where to send multicast source and group membership messages.
Port Trunk: Defines a network link aggregation and trunking method which specifies how to create a single high-speed logical link that combines several lower-speed physical links.

QinQ: QinQ tunneling is designed for service providers carrying traffic for multiple customers across their networks. It is used to maintain customer-specific VLAN and Layer 2 protocol configurations even when different customers use the same internal VLAN IDs.

QoS: Quality of Service.
SSH: Secure Shell is a secure replacement for remote access functions, including Telnet. SSH can authenticate users with a cryptographic key, and encrypt data connections between management clients and the switch.

STA: Spanning Tree Algorithm is a technology that checks your network for any loops. A loop can often occur in complicated or backup linked network systems. Spanning Tree detects and directs data along the shortest available path, maximizing the performance and efficiency of the network.
XModem: A protocol used to transfer files between devices. Data is grouped in 128-byte blocks and error-corrected.
CLI Command List aaa accounting commands 258 aaa accounting dot1x 259 aaa accounting exec 260 aaa accounting update 261 aaa authorization exec 262 aaa group server 263 abr-type 1047 absolute 190 access-list arp 417 access-list ip 396 access-list ipv6 403 access-list mac 410 accounting commands 264 accounting dot1x 264 accounting exec 265 aggregate-address 1093 alias 425 area authentication 1014 area default-cost 1008 area default-cost 1050 area nssa 1015 area range 1009 area range 1051 area stub 1017 area
CLI Command List clear ip bgp 1105 clear ip bgp dampening 1106 clear ip dhcp binding 903 clear ip dhcp snooping binding 349 clear ip dhcp snooping database flash 350 clear ip igmp group 774 clear ip igmp snooping groups dynamic 683 clear ip igmp snooping statistics 683 clear ip ospf process 1008 clear ip pim bsr rp-set 1203 clear ip rip route 999 clear ip source-guard binding blocked 367 clear ipv6 dhcp snooping binding 359 clear ipv6 dhcp snooping statistics 360 clear ipv6 mld group 786 clear ipv6 mld sno
CLI Command List erps clear 575 erps domain 556 erps forced-switch 576 erps manual-switch 578 ethernet cfm ais level 822 ethernet cfm ais ma 823 ethernet cfm ais period 824 ethernet cfm ais suppress alarm 824 ethernet cfm cc enable 840 ethernet cfm cc ma interval 839 ethernet cfm delay-measure two-way 858 ethernet cfm domain 825 ethernet cfm enable 827 ethernet cfm linktrace 850 ethernet cfm linktrace cache 848 ethernet cfm linktrace cache hold-time 849 ethernet cfm linktrace cache size 850 ethernet cfm lo
CLI Command List ip igmp snooping vlan last-memb-query-intvl 678 ip igmp snooping vlan mrd 679 ip igmp snooping vlan mrouter 1181 ip igmp snooping vlan mrouter 689 ip igmp snooping vlan proxy-address 680 ip igmp snooping vlan query-interval 681 ip igmp snooping vlan query-resp-intvl 682 ip igmp snooping vlan static 682 ip igmp static-group 773 ip igmp version 774 ip multicast-data-drop 697 ip multicast-routing 1175 ip name-server 877 ip ospf authentication 1021 ip ospf authentication-key 1023 ip ospf cost
CLI Command List ipv6 mld snooping vlan mrouter 710 ipv6 mld snooping vlan static 711 ipv6 mld static-group 784 ipv6 mld version 785 ipv6 mtu 930 ipv6 multicast-data-drop 724 ipv6 multicast-routing 1178 ipv6 nd dad attempts 944 ipv6 nd managed-config-flag 945 ipv6 nd ns-interval 947 ipv6 nd other-config-flag 946 ipv6 nd prefix 949 ipv6 nd ra interval 951 ipv6 nd ra lifetime 952 ipv6 nd ra router-preference 952 ipv6 nd ra suppress 953 ipv6 nd raguard 948 ipv6 nd reachable-time 949 ipv6 nd snooping 957 ipv6
CLI Command List loopback-detection 502 loopback-detection action 502 loopback-detection recover-time 503 loopback-detection release 505 loopback-detection transmit-interval 504 ma index name 828 ma index name-format 829 mac access-group (Global Configuration) 411 mac access-group (Interface Configuration) 415 mac-address-table aging-time 515 mac-address-table hash-lookup-depth 516 mac-address-table static 517 mac-authentication intrusion-action 328 mac-authentication max-mac-count 328 mac-authentication r
CLI Command List neighbor timers connect 1137 neighbor unsuppress-map 1137 neighbor update-source 1138 neighbor weight 1139 netbios-name-server 900 netbios-node-type 901 network 1102 network 901 network 989 network area 1020 network-access aging 318 network-access dynamic-qos 320 network-access dynamic-vlan 321 network-access guest-vlan 322 network-access link-detection 323 network-access link-detection link-down 324 network-access link-detection link-up 324 network-access link-detection link-up-down 325 n
CLI Command List rmon event 231 route-map 1155 router bgp 1085 router ipv6 ospf 1046 router ospf 1003 router pim 1184 router pim6 1207 router rip 985 router-id 1006 router-id 1049 rpl neighbor 572 rpl owner 572 rspan destination 479 rspan remote vlan 480 rspan source 478 server 263 service dhcp 894 service-policy 661 set aggregator as 1164 set as-path 1164 set atomic-aggregate 1165 set comm-list delete 1166 set community 1166 set cos 658 set extcommunity 1168 set ip dscp 659 set ip next-hop 1169 set local-
CLI Command List show ip bgp regexp 1148 show ip bgp route-map 1149 show ip bgp scan 1149 show ip bgp summary 1150 show ip community-list 1150 show ip dhcp 903 show ip dhcp binding 904 show ip dhcp pool 904 show ip dhcp snooping 351 show ip dhcp snooping binding 351 show ip extcommunity-list 1151 show ip helper 922 show ip host-route 978 show ip igmp authentication 698 show ip igmp filter 699 show ip igmp groups 775 show ip igmp interface 777 show ip igmp profile 699 show ip igmp query-drop 700 show ip igm
CLI Command List show loopback-detection 506 show mac access-group 416 show mac access-list 416 show mac-address-table 519 show mac-address-table aging-time 520 show mac-address-table count 520 show mac-address-table hash-lookup-depth 521 show mac-vlan 623 show management 301 show memory 128 show mvr 740 show mvr associated-profile 741 show mvr interface 742 show mvr members 743 show mvr profile 745 show mvr statistics 745 show mvr6 761 show mvr6 associated-profile 763 show mvr6 interface 763 show mvr6 mem
snmp-server enable port-traps atc broadcast-control-apply 496 snmp-server enable port-traps atc broadcast-control-release 497 snmp-server enable port-traps atc multicast-alarm-clear 497 snmp-server enable port-traps atc multicast-alarm-fire 498 snmp-server enable port-traps atc multicast-control-apply 498 snmp-server enable port-traps atc multicast-control-release 499 snmp-server enable port-traps mac-notification 212 snmp-server enable traps 208 snmp-server engine-id 213 snmp-server group 2
CLI Command List udld aggressive 510 udld detection-interval 507 udld message-interval 508 udld port 511 udld recovery 509 udld recovery-interval 509 upgrade opcode auto 149 upgrade opcode path 150 upgrade opcode reload 151 username 245 version 573 version 993 vlan 592 vlan database 591 vlan-trunking 599 voice vlan 624 voice vlan aging 625 voice vlan mac-address 626 vrrp authentication 966 vrrp ip 966 vrrp preempt 967 vrrp priority 968 vrrp timers advertise 969 watchdog software 138 web-auth 335 web-auth l
E022019-CS-R06