ECS4660-28F Layer 3 Gigabit Ethernet Switch Management Guide www.edge-core.
MANAGEMENT GUIDE ECS4660-28F GIGABIT ETHERNET SWITCH Layer 3 Switch with 24 Gigabit Ethernet Ports (SFP), 2 10G Ethernet Ports (XSFP), and 2 Slots for Optional 10G Modules ECS4660-28F E102013/ST-R03 149100000140A
ABOUT THIS GUIDE PURPOSE This guide gives specific information on how to operate and use the management functions of the switch. AUDIENCE The guide is intended for use by network administrators who are responsible for operating and maintaining network equipment; consequently, it assumes a basic working knowledge of general switch functions, the Internet Protocol (IP), and Simple Network Management Protocol (SNMP).
REVISION HISTORY This section summarizes the changes in each revision of this guide.
OCTOBER 2013 REVISION This is the third release of this guide. This guide is valid for software release V1.2.2.0. It includes information on the following changes:
◆ Updated information in Parameters section under "Configuring the Console Port" on page 172.
◆ Updated information in Parameters section under "Configuring Telnet Settings" on page 174.
◆ Updated Parameters section under "Using the Trace Route Function" on page 746.
◆ Added commands "show watchdog" on page 909 and "watchdog software" on page 909.
◆ Updated syntax for command "delete" on page 917.
◆ Updated range for command "exec-timeout" on page 925.
◆ Added the commands "clock summer-time (date)" on page 951, "clock summer-time (predefined)" on page 953, and "clock summer-time (recurring)" on page 954.
◆ Updated command usage section for the command "negotiation" on page 1194.
◆ Removed the command "speed-duplex."
◆ Moved the switchport packet-rate command from Interface Commands chapter to Congestion Control Commands on page 1241.
◆ Added the commands "transceiver-threshold-auto" on page 1205, and "transceiver-threshold-monitor" on page 1206.
◆ Updated description of all other transceiver threshold commands from page 1206 to page 1212.
NOVEMBER 2012 REVISION This is the second release of this guide. This guide is valid for software release V1.2.0.0. It includes information on the following changes:
◆ Removed information on Option 43 in "Downloading a Configuration File Referenced by a DHCP Server" on page 115.
◆ Updated parameter description in "Displaying Hardware/Software Versions" on page 151.
◆ Updated web page for "Setting the Time Zone" on page 171.
◆ Added parameters under "Configuring MVR6 Global Settings" on page 675.
◆ Added RA Mode under "Configuring IPv6 Interface Settings" on page 697.
◆ Updated Command Usage section under "Specifying a DHCP Client Identifier" on page 720.
◆ Added "Configuring the PPPoE Intermediate Agent" on page 735.
◆ Added IPv6 information under "Enabling Multicast Routing Globally" on page 828 and "Displaying the Multicast Routing Table" on page 829.
◆ Updated parameter description for "ethernet cfm cc ma interval" on page 1581.
◆ Updated Command Usage section for "ip dhcp client class-id" on page 1625.
◆ Added "ipv6 nd raguard" on page 1688.
◆ Added "IPv6 to IPv4 Tunnels" on page 1696.
◆ Updated parameter description for "show ip route" on page 1726.
◆ Added "tunnel" parameter to "ipv6 route" on page 1730.
◆ Added "Border Gateway Protocol (BGPv4)" on page 1818.
◆ Added "Policy-based Routing for BGP" on page 1897.
CONTENTS ABOUT THIS GUIDE 5 CONTENTS 13 FIGURES 65 TABLES 81 SECTION I GETTING STARTED 91 1 INTRODUCTION 93 Key Features 93 Description of Software Features 95 IP Routing 99 Equal-cost Multipath Load Balancing 100 Address Resolution Protocol 100 System Defaults 102 2 INITIAL SWITCH CONFIGURATION 105 Connecting to the Switch 105 Configuration Options 105 Required Connections 106 Remote Connections 107 Basic Configuration 108 Console Connection 108 Setting Passwords 10
SECTION II WEB CONFIGURATION 121 3 USING THE WEB INTERFACE 123 Connecting to the Web Interface 123 Navigating the Web Browser Interface 124 Home Page 124 Configuration Options 125 Panel Display 125 Main Menu 126 4 BASIC MANAGEMENT TASKS 149 Displaying System Information 149 Displaying Hardware/Software Versions 151 Configuring Support for Jumbo Frames 152 Displaying Bridge Extension Capabilities 153 Managing System Files 155 Copying Files via FTP/TFTP or HTTP 155 Sav
Configuring Local Port Mirroring 186 Configuring Remote Port Mirroring 188 Showing Port or Trunk Statistics 192 Configuring History Sampling 196 Displaying Transceiver Data 200 Configuring Transceiver Thresholds 201 Trunk Configuration 204 Configuring a Static Trunk 205 Configuring a Dynamic Trunk 207 Displaying LACP Port Counters 213 Displaying LACP Settings and Status for the Local Side 214 Displaying LACP Settings and Status for the Remote Side 216 Configuring Load Balan
7 ADDRESS TABLE SETTINGS 263 Configuring MAC Address Learning 263 Setting Static Addresses 265 Changing the Aging Time 267 Displaying the Dynamic Address Table 268 Clearing the Dynamic Address Table 269 8 SPANNING TREE ALGORITHM 271 Overview 271 Configuring Loopback Detection 274 Configuring Global Settings for STA 276 Displaying Global Settings for STA 281 Configuring Interface Settings for STA 282 Displaying Interface Settings for STA 286 Configuring Multiple Spanning T
Creating QoS Policies 329 Attaching a Policy Map to a Port 339 12 VOIP TRAFFIC CONFIGURATION 341 Overview 341 Configuring VoIP Traffic 342 Configuring Telephony OUI 343 Configuring VoIP Traffic Ports 345 13 SECURITY MEASURES 347 AAA Authorization and Accounting 348 Configuring Local/Remote Logon Authentication 349 Configuring Remote Logon Authentication Servers 350 Configuring AAA Accounting 355 Configuring AAA Authorization 360 Configuring User Accounts 363 Web Authent
Configuring a Standard IPv6 ACL 400 Configuring an Extended IPv6 ACL 402 Configuring a MAC ACL 404 Configuring an ARP ACL 406 Binding a Port to an Access Control List 408 Showing ACL Hardware Counters 409 ARP Inspection 410 Configuring Global Settings for ARP Inspection 411 Configuring VLAN Settings for ARP Inspection 413 Configuring Interface Settings for ARP Inspection 415 Displaying ARP Inspection Statistics 416 Displaying the ARP Inspection Log 417 Filtering IP Addresse
Sending Simple Mail Transfer Protocol Alerts 457 Link Layer Discovery Protocol 458 Setting LLDP Timing Attributes 459 Configuring LLDP Interface Attributes 461 Configuring LLDP Interface Civic-Address 464 Displaying LLDP Local Device Information 466 Displaying LLDP Remote Device Information 470 Displaying Device Statistics 478 Simple Network Management Protocol 480 Configuring Global Settings for SNMP 482 Setting the Local Engine ID 483 Specifying a Remote Engine ID 484 Setti
Configuring CFM Maintenance Domains 555 Configuring CFM Maintenance Associations 560 Configuring Maintenance End Points 565 Configuring Remote Maintenance End Points 567 Transmitting Link Trace Messages 569 Transmitting Loop Back Messages 571 Transmitting Delay-Measure Requests 572 Displaying Local MEPs 574 Displaying Details for Local MEPs 575 Displaying Local MIPs 577 Displaying Remote MEPs 578 Displaying Details for Remote MEPs 579 Displaying the Link Trace Cache 581 D
Displaying Multicast Groups Discovered by IGMP Snooping 628 Displaying IGMP Snooping Statistics 629 Filtering and Throttling IGMP Groups 633 Enabling IGMP Filtering and Throttling 633 Configuring IGMP Filter Profiles 634 Configuring IGMP Filtering and Throttling for Interfaces 636 MLD Snooping (Snooping and Query for IPv6) 638 Configuring MLD Snooping and Query Parameters 638 Setting Immediate Leave Status for MLD Snooping per Interface 640 Specifying Static Interfaces for an IPv
Setting the Switch's IP Address (IP Version 6) 695 Configuring the IPv6 Default Gateway 696 Configuring IPv6 Interface Settings 697 Configuring an IPv6 Address 700 Showing IPv6 Addresses 703 Showing the IPv6 Neighbor Cache 705 Showing IPv6 Statistics 706 Showing the MTU for Responding Destinations 712 17 IP SERVICES 713 Domain Name Service 713 Configuring General DNS Service Parameters 713 Configuring a List of Domain Names 714 Configuring a List of Name Servers 716 Confi
Using the Trace Route Function 746 Address Resolution Protocol 748 Basic ARP Configuration 748 Configuring Static ARP Addresses 750 Displaying Dynamic or Local ARP Entries 752 Displaying ARP Statistics 753 Configuring Static Routes 753 Displaying the Routing Table 755 Equal-cost Multipath Routing 757 19 CONFIGURING ROUTER REDUNDANCY 759 Configuring VRRP Groups 760 Displaying VRRP Global Statistics 766 Displaying VRRP Group Statistics 767 20 UNICAST ROUTING 769 Overview
Redistributing External Routes 807 Configuring Summary Addresses (for External AS Routes) 809 Configuring OSPF Interfaces 811 Configuring Virtual Links 817 Displaying Link State Database Information 820 Displaying Information on Neighboring Routers 823 21 MULTICAST ROUTING 825 Overview 825 Configuring Global Settings for Multicast Routing 828 Enabling Multicast Routing Globally 828 Displaying the Multicast Routing Table 829 Configuring PIM for IPv4 833 Enabling PIM Globally
SECTION III COMMAND LINE INTERFACE 867 22 USING THE COMMAND LINE INTERFACE 869 Accessing the CLI 869 Console Connection 869 Telnet Connection 870 Entering Commands 871 Keywords and Arguments 871 Minimum Abbreviation 871 Command Completion 871 Getting Help on Commands 872 Partial Keyword Lookup 874 Negating the Effect of Commands 874 Using Command History 874 Understanding Command Modes 874 Exec Commands 875 Configuration Commands 876 Command Line Processing 878 C
banner configure company 894 banner configure dc-power-info 895 banner configure department 895 banner configure equipment-info 896 banner configure equipment-location 897 banner configure ip-lan 897 banner configure lp-number 898 banner configure manager-info 899 banner configure mux 899 banner configure note 900 show banner 901 System Status 901 show access-list tcam-utilization 902 show alarm-status 902 show memory 903 show process cpu 904 show running-config 90
Automatic Code Upgrade Commands 920 upgrade opcode auto 920 upgrade opcode path 921 upgrade opcode reload 922 show upgrade 923 Line 923 line 924 databits 925 exec-timeout 925 login 926 parity 927 password 928 password-thresh 929 silent-time 929 speed 930 stopbits 931 timeout login response 931 disconnect 932 show line 932 Event Logging 933 logging facility 934 logging history 934 logging host 935 logging on 936 logging trap 936 clear log 937 show
Time 944 SNTP Commands 945 sntp client 945 sntp poll 946 sntp server 946 show sntp 947 NTP Commands 947 ntp authenticate 947 ntp authentication-key 948 ntp client 949 ntp server 950 show ntp 951 Manual Configuration Commands 951 clock summer-time (date) 951 clock summer-time (predefined) 953 clock summer-time (recurring) 954 clock timezone 955 calendar set 956 show calendar 957 Time Range 957 time-range 957 absolute 958 periodic 959 show time-range 960
ptp log-min-pdelay-request-interval 969 ptp log-sync-interval 970 ptp port-enable 971 ptp transport 971 ptp port-release 973 show ptp configuration 974 show ptp foreign-master 974 show ptp information 975 Synchronous Ethernet 979 synce 980 synce ethernet 981 synce ethernet clock-source 982 synce auto-clock-source-selecting 983 synce force-clock-source-selecting 984 synce ssm ethernet 985 synce clk-src-ssm 986 show synce 987 Switch Clustering 989 cluster 990 cl
snmp-server enable port-traps mac-notification 1003 show snmp-server enable port-traps 1004 SNMPv3 Commands 1004 snmp-server engine-id 1004 snmp-server group 1006 snmp-server user 1007 snmp-server view 1008 show snmp engine-id 1009 show snmp group 1010 show snmp user 1011 show snmp view 1012 Notification Log Commands 1012 nlm 1012 snmp-server notify-filter 1013 show nlm oper-status 1014 show snmp notify-filter 1015 Additional Trap Commands 1015 memory 1015 proce
username 1033 Authentication Sequence 1034 authentication enable 1034 authentication login 1035 RADIUS Client 1036 radius-server acct-port 1036 radius-server auth-port 1037 radius-server host 1037 radius-server key 1038 radius-server retransmit 1039 radius-server timeout 1039 show radius-server 1040 TACACS+ Client 1040 tacacs-server host 1041 tacacs-server key 1041 tacacs-server port 1042 tacacs-server retransmit 1042 tacacs-server timeout 1043 show tacacs-serve
Telnet Server 1055 ip telnet max-sessions 1055 ip telnet port 1056 ip telnet server 1056 show ip telnet 1057 Secure Shell 1057 ip ssh authentication-retries 1060 ip ssh server 1060 ip ssh server-key size 1061 ip ssh timeout 1062 delete public-key 1062 ip ssh crypto host-key generate 1063 ip ssh crypto zeroize 1064 ip ssh save host-key 1064 show ip ssh 1065 show public-key 1065 show ssh 1066 802.
Management IP Filter 1078 management 1079 show management 1080 PPPoE Intermediate Agent 1081 pppoe intermediate-agent 1081 pppoe intermediate-agent format-type 1082 pppoe intermediate-agent port-enable 1083 pppoe intermediate-agent port-format-type 1083 pppoe intermediate-agent trust 1084 pppoe intermediate-agent vendor-tag strip 1085 clear pppoe intermediate-agent statistics 1085 show pppoe intermediate-agent info 1086 show pppoe intermediate-agent statistics 1087 29 GEN
show network-access 1107 show network-access mac-address-table 1108 show network-access mac-filter 1109 Web Authentication 1109 web-auth login-attempts 1110 web-auth quiet-period 1111 web-auth session-timeout 1111 web-auth system-auth-control 1112 web-auth 1112 web-auth re-authenticate (Port) 1113 web-auth re-authenticate (IP) 1113 show web-auth 1114 show web-auth interface 1114 show web-auth summary 1115 DHCPv4 Snooping 1115 ip dhcp snooping 1116 ip dhcp snooping i
show ipv6 dhcp snooping statistics 1133 IPv4 Source Guard 1133 ip source-guard binding 1134 ip source-guard 1135 ip source-guard max-binding 1137 ip source-guard mode 1138 clear ip source-guard binding blocked 1138 show ip source-guard 1139 show ip source-guard binding 1139 IPv6 Source Guard 1140 ipv6 source-guard binding 1140 ipv6 source-guard 1142 ipv6 source-guard max-binding 1143 show ipv6 source-guard 1144 show ipv6 source-guard binding 1145 ARP Inspection 1145 i
traffic-segmentation session 1158 traffic-segmentation uplink/downlink 1159 traffic-segmentation uplink-to-uplink 1160 show traffic-segmentation 1161 30 ACCESS CONTROL LISTS 1163 IPv4 ACLs 1163 access-list ip 1164 permit, deny (Standard IP ACL) 1165 permit, deny (Extended IPv4 ACL) 1166 ip access-group 1168 show ip access-group 1169 show ip access-list 1169 IPv6 ACLs 1170 access-list ipv6 1170 permit, deny (Standard IPv6 ACL) 1171 permit, deny (Extended IPv6 ACL) 1172
alias 1189 capabilities 1189 description 1190 discard 1191 flowcontrol 1191 history 1192 media-type 1193 negotiation 1194 shutdown 1194 switchport mtu 1195 clear counters 1196 show discard 1197 show interfaces brief 1197 show interfaces counters 1198 show interfaces history 1199 show interfaces status 1202 show interfaces switchport 1203 Transceiver Threshold Configuration 1205 transceiver-threshold-auto 1205 transceiver-threshold-monitor 1206 transceiver-th
lacp admin-key (Port Channel) 1222 lacp timeout 1223 Trunk Status Display Commands 1224 show lacp 1224 show port-channel load-balance 1228 33 PORT MIRRORING COMMANDS 1229 Local Port Mirroring Commands 1229 port monitor 1229 show port monitor 1230 RSPAN Mirroring Commands 1231 rspan source 1233 rspan destination 1234 rspan remote vlan 1235 no rspan session 1236 show rspan 1236 34 CONGESTION CONTROL COMMANDS 1239 Rate Limit Commands 1239 rate-limit 1240 Storm Control Co
snmp-server enable port-traps atc multicast-alarm-clear 1254 snmp-server enable port-traps atc multicast-alarm-fire 1254 snmp-server enable port-traps atc multicast-control-apply 1255 snmp-server enable port-traps atc multicast-control-release 1255 ATC Display Commands 1256 show auto-traffic-control 1256 show auto-traffic-control interface 1256 35 LOOPBACK DETECTION COMMANDS 1259 loopback-detection 1260 loopback-detection action 1260 loopback-detection recover-time 1261 loopb
spanning-tree system-bpdu-flooding 1284 spanning-tree transmission-limit 1284 max-hops 1285 mst priority 1286 mst vlan 1286 name 1287 revision 1288 spanning-tree bpdu-filter 1288 spanning-tree bpdu-guard 1289 spanning-tree cost 1290 spanning-tree edge-port 1291 spanning-tree link-type 1292 spanning-tree loopback-detection 1293 spanning-tree loopback-detection action 1293 spanning-tree loopback-detection release-mode 1294 spanning-tree loopback-detection trap 1295 sp
mep-monitor 1312 node-id 1313 non-erps-dev-protect 1314 non-revertive 1315 propagate-tc 1319 raps-def-mac 1320 raps-without-vc 1320 ring-port 1322 rpl neighbor 1323 rpl owner 1324 version 1325 wtr-timer 1326 clear erps statistics 1326 erps clear 1327 erps forced-switch 1327 erps manual-switch 1329 show erps 1331 40 VLAN COMMANDS 1337 GVRP and Bridge Extension Commands 1338 bridge-ext gvrp 1338 garp timer 1339 switchport forbidden vlan 1340 switchport gvr
vlan-trunking 1350 Displaying VLAN Information 1352 show vlan 1352 Configuring IEEE 802.
voice vlan aging 1380 voice vlan mac-address 1381 switchport voice vlan 1382 switchport voice vlan priority 1383 switchport voice vlan rule 1383 switchport voice vlan security 1384 show voice vlan 1385 41 CLASS OF SERVICE COMMANDS 1387 Priority Commands (Layer 2) 1387 queue mode 1388 queue weight 1389 switchport priority default 1390 show queue mode 1391 show queue weight 1391 Priority Commands (Layer 3 and 4) 1392 qos map cos-dscp 1393 qos map default-drop-preceden
class 1412 police flow 1413 police srtcm-color 1415 police trtcm-color 1417 set cos 1419 set phb 1420 service-policy 1421 show class-map 1422 show policy-map 1422 show policy-map interface 1423 43 MULTICAST FILTERING COMMANDS 1425 IGMP Snooping 1426 ip igmp snooping 1427 ip igmp snooping priority 1428 ip igmp snooping proxy-reporting 1428 ip igmp snooping querier 1429 ip igmp snooping router-alert-option-check 1429 ip igmp snooping router-port-expire-time 1430 ip
Static Multicast Routing 1446 ip igmp snooping vlan mrouter 1447 show ip igmp snooping mrouter 1447 IGMP Filtering and Throttling 1448 ip igmp filter (Global Configuration) 1449 ip igmp profile 1450 permit, deny 1450 range 1451 ip igmp authentication 1451 ip igmp filter (Interface Configuration) 1453 ip igmp max-groups 1454 ip igmp max-groups action 1454 ip igmp query-drop 1455 ip multicast-data-drop 1455 show ip igmp authentication 1456 show ip igmp filter 1457 sho
MLD Filtering and Throttling 1469 ipv6 mld filter (Global Configuration) 1470 ipv6 mld profile 1471 permit, deny 1471 range 1472 ipv6 mld filter (Interface Configuration) 1472 ipv6 mld max-groups 1473 ipv6 mld max-groups action 1474 ipv6 mld query-drop 1474 ipv6 multicast-data-drop 1475 show ipv6 mld filter 1475 show ipv6 mld profile 1476 show ipv6 mld query-drop 1476 show ipv6 mld throttle interface 1477 MVR for IPv4 1478 mvr 1479 mvr associated-profile 1479 mvr
MVR for IPv6 1496 mvr6 associated-profile 1497 mvr6 domain 1498 mvr6 profile 1498 mvr6 proxy-query-interval 1499 mvr6 proxy-switching 1500 mvr6 robustness-value 1501 mvr6 source-port-mode dynamic 1501 mvr6 upstream-source-ip 1502 mvr6 vlan 1503 mvr6 immediate-leave 1503 mvr6 type 1504 mvr6 vlan group 1505 clear mvr6 groups 1506 clear mvr6 statistics 1507 show mvr6 1507 show mvr6 associated-profile 1508 show mvr6 interface 1509 show mvr6 members 1510 show mvr6
MLD (Layer 3) 1525 ipv6 mld 1525 ipv6 mld last-member-query-response-interval 1526 ipv6 mld max-resp-interval 1527 ipv6 mld query-interval 1528 ipv6 mld robustval 1528 ipv6 mld static-group 1529 ipv6 mld version 1530 clear ipv6 mld group 1531 show ipv6 mld groups 1531 show ipv6 mld interface 1533 MLD Proxy Routing 1533 ipv6 mld proxy 1534 ipv6 mld proxy unsolicited-report-interval 1535 44 LLDP COMMANDS 1537 lldp 1539 lldp holdtime-multiplier 1539 lldp med-fast-sta
lldp med-notification 1551 lldp med-tlv inventory 1552 lldp med-tlv location 1553 lldp med-tlv med-cap 1553 lldp med-tlv network-policy 1554 lldp notification 1554 show lldp config 1555 show lldp info local-device 1556 show lldp info remote-device 1557 show lldp info statistics 1560 45 CFM COMMANDS 1561 Defining CFM Structures 1564 ethernet cfm ais level 1564 ethernet cfm ais ma 1565 ethernet cfm ais period 1566 ethernet cfm ais suppress alarm 1566 ethernet cfm doma
show ethernet cfm errors 1585 Cross Check Operations 1586 ethernet cfm mep crosscheck start-delay 1586 snmp-server enable traps ethernet cfm crosscheck 1587 mep crosscheck mpid 1588 ethernet cfm mep crosscheck 1589 show ethernet cfm maintenance-points remote crosscheck 1590 Link Trace Operations 1590 ethernet cfm linktrace cache 1590 ethernet cfm linktrace cache hold-time 1591 ethernet cfm linktrace cache size 1591 ethernet cfm linktrace 1592 clear ethernet cfm linktrace-cach
show efm oam remote-loopback interface 1612 show efm oam status interface 1613 show efm oam status remote interface 1613 47 DOMAIN NAME SERVICE COMMANDS 1615 ip domain-list 1615 ip domain-lookup 1616 ip domain-name 1617 ip host 1618 ip name-server 1619 ipv6 host 1620 clear dns cache 1620 clear host 1621 show dns 1621 show dns cache 1622 show hosts 1622 48 DHCP COMMANDS 1625 DHCP Client 1625 DHCP for IPv4 1625 ip dhcp client class-id 1625 ip dhcp restart client
dns-server 1637 domain-name 1637 hardware-address 1638 host 1638 lease 1639 netbios-name-server 1640 netbios-node-type 1641 network 1641 next-server 1642 clear ip dhcp binding 1643 show ip dhcp 1644 show ip dhcp binding 1644 show ip dhcp pool 1644 49 IP INTERFACE COMMANDS 1647 IPv4 Interface 1647 Basic IPv4 Configuration 1648 ip address 1648 ip default-gateway 1650 show ip interface 1651 show ip traffic 1652 traceroute 1653 ping 1654 ARP Configuration 165
ipv6 address 1665 ipv6 address eui-64 1667 ipv6 address link-local 1669 ipv6 enable 1670 ipv6 mtu 1671 show ipv6 interface 1672 show ipv6 mtu 1674 show ipv6 traffic 1675 clear ipv6 traffic 1679 ping6 1679 traceroute6 1681 Neighbor Discovery 1682 ipv6 hop-limit 1682 ipv6 neighbor 1683 ipv6 nd dad attempts 1684 ipv6 nd managed-config-flag 1685 ipv6 nd other-config-flag 1686 ipv6 nd ns-interval 1687 ipv6 nd raguard 1688 ipv6 nd reachable-time 1689 ipv6 nd prefi
ND Snooping 1704 ipv6 nd snooping 1705 ipv6 nd snooping auto-detect 1706 ipv6 nd snooping auto-detect retransmit count 1707 ipv6 nd snooping auto-detect retransmit interval 1707 ipv6 nd snooping prefix timeout 1708 ipv6 nd snooping max-binding 1709 ipv6 nd snooping trust 1709 clear ipv6 nd snooping binding 1710 clear ipv6 nd snooping prefix 1710 show ipv6 nd snooping 1711 show ipv6 nd snooping binding 1711 show ipv6 nd snooping prefix 1711 50 VRRP COMMANDS 1713 vrrp aut
IPv6 Commands 1730 ipv6 route 1730 show ipv6 route 1731 Routing Information Protocol (RIP) 1733 router rip 1734 default-information originate 1734 default-metric 1735 distance 1736 maximum-prefix 1736 neighbor 1737 network 1738 passive-interface 1738 redistribute 1739 timers basic 1740 version 1741 ip rip authentication mode 1742 ip rip authentication string 1743 ip rip receive version 1744 ip rip receive-packet 1745 ip rip send version 1745 ip rip send-pack
auto-cost reference-bandwidth 1758 default-metric 1759 redistribute 1760 summary-address 1761 Area Configuration 1762 area nssa 1762 area stub 1764 area virtual-link 1765 network area 1768 Interface Configuration 1769 ip ospf authentication 1769 ip ospf authentication-key 1770 ip ospf cost 1771 ip ospf dead-interval 1772 ip ospf hello-interval 1772 ip ospf message-digest-key 1773 ip ospf priority 1774 ip ospf retransmit-interval 1775 ip ospf transmit-delay 1776
Route Metrics and Summaries 1797 area default-cost 1797 area range 1798 default-metric 1799 redistribute 1799 Area Configuration 1801 area stub 1801 area virtual-link 1802 ipv6 router ospf area 1804 ipv6 router ospf tag area 1805 Interface Configuration 1806 ipv6 ospf cost 1806 ipv6 ospf dead-interval 1807 ipv6 ospf hello-interval 1808 ipv6 ospf priority 1808 ipv6 ospf retransmit-interval 1809 ipv6 ospf transmit-delay 1810 passive-interface 1811 Display Informat
ip extcommunity-list 1836 ip prefix-list 1838 aggregate-address 1839 bgp client-to-client reflection 1840 bgp cluster-id 1841 bgp confederation identifier 1842 bgp confederation peer 1843 bgp dampening 1844 bgp enforce-first-as 1845 bgp fast-external-failover 1845 bgp log-neighbor-changes 1846 bgp network import-check 1846 bgp router-id 1847 bgp scan-time 1848 network 1848 redistribute 1849 timers bgp 1850 clear ip bgp 1851 clear ip bgp dampening 1852 Route Me
neighbor default-originate 1863 neighbor description 1864 neighbor distribute-list 1864 neighbor dont-capability-negotiate 1865 neighbor ebgp-multihop 1866 neighbor enforce-multihop 1866 neighbor filter-list 1867 neighbor interface 1868 neighbor maximum-prefix 1868 neighbor next-hop-self 1869 neighbor override-capability 1870 neighbor passive 1870 neighbor peer-group (Creating) 1871 neighbor peer-group (Group Members) 1872 neighbor port 1872 neighbor prefix-list 1873
show ip bgp community-list 1888 show ip bgp dampening 1888 show ip bgp filter-list 1890 show ip bgp neighbors 1890 show ip bgp paths 1892 show ip bgp prefix-list 1892 show ip bgp regexp 1893 show ip bgp route-map 1893 show ip bgp scan 1894 show ip bgp summary 1894 show ip community-list 1895 show ip extcommunity-list 1895 show ip prefix-list 1896 show ip prefix-list detail 1896 show ip prefix-list summary 1897 Policy-based Routing for BGP 1897 route-map 1899 call
set extcommunity 1912 set ip next-hop 1913 set local-preference 1914 set metric 1914 set origin 1915 set originator-id 1916 set pathlimit ttl 1916 set weight 1917 show route-map 1917 52 MULTICAST ROUTING COMMANDS 1919 General Multicast Routing 1919 IPv4 Commands 1919 ip multicast-routing 1919 show ip mroute 1920 IPv6 Commands 1922 ipv6 multicast-routing 1922 show ipv6 mroute 1923 Static Multicast Routing 1925 ip igmp snooping vlan mrouter 1925 show ip igmp sno
ip pim max-graft-retries 1937 ip pim state-refresh origination-interval 1937 PIM-SM Commands 1938 ip pim bsr-candidate 1938 ip pim register-rate-limit 1939 ip pim register-source 1940 ip pim rp-address 1941 ip pim rp-candidate 1942 ip pim spt-threshold 1944 ip pim dr-priority 1945 ip pim join-prune-interval 1946 clear ip pim bsr rp-set 1947 show ip pim bsr-router 1947 show ip pim rp mapping 1948 show ip pim rp-hash 1949 IPv6 PIM Commands PIM6 Shared Mode Commands 195
ipv6 pim rp-address 1964 ipv6 pim rp-candidate 1965 ipv6 pim spt-threshold 1967 ipv6 pim dr-priority 1968 ipv6 pim join-prune-interval 1969 clear ipv6 pim bsr rp-set 1970 show ipv6 pim bsr-router 1970 show ipv6 pim rp mapping 1971 show ipv6 pim rp-hash 1972 SECTION IV APPENDICES 1973 A SOFTWARE SPECIFICATIONS 1975 Software Features 1975 Management Features 1977 Standards 1977 Management Information Bases 1978 B TROUBLESHOOTING 1981 Problems Accessing the Management
FIGURES Figure 1: Home Page 124 Figure 2: Front Panel Indicators 125 Figure 3: System Information 150 Figure 4: General Switch Information 152 Figure 5: Configuring Support for Jumbo Frames 153 Figure 6: Displaying Bridge Extension Configuration 154 Figure 7: Copy Firmware 157 Figure 8: Saving the Running Configuration 158 Figure 9: Setting Start-Up Files 159 Figure 10: Displaying System Files 159 Figure 11: Configuring Automatic Code Upgrade 163 Figure 12: Manually Setting the System
FIGURES Figure 32: Configuring Local Port Mirroring 186 Figure 33: Configuring Local Port Mirroring 187 Figure 34: Displaying Local Port Mirror Sessions 188 Figure 35: Configuring Remote Port Mirroring 188 Figure 36: Configuring Remote Port Mirroring (Source) 191 Figure 37: Configuring Remote Port Mirroring (Intermediate) 192 Figure 38: Configuring Remote Port Mirroring (Destination) 192 Figure 39: Showing Port Statistics (Table) 195 Figure 40: Showing Port Statistics (Chart) 196 Figure 4
FIGURES Figure 68: Configuring VLAN Trunking 224 Figure 69: VLAN Compliant and VLAN Non-compliant Devices 226 Figure 70: Using GVRP 228 Figure 71: Creating Static VLANs 230 Figure 72: Modifying Settings for Static VLANs 230 Figure 73: Showing Static VLANs 231 Figure 74: Configuring Static Members by VLAN Index 234 Figure 75: Configuring Static VLAN Members by Interface 234 Figure 76: Configuring Static VLAN Members by Interface Range 235 Figure 77: Configuring Global Status of GVRP 237
FIGURES Figure 104: Displaying Static MAC Addresses 266 Figure 105: Setting the Address Aging Time 267 Figure 106: Displaying the Dynamic MAC Address Table 269 Figure 107: Clearing Entries in the Dynamic MAC Address Table 270 Figure 108: STP Root Ports and Designated Ports 272 Figure 109: MSTP Region, Internal Spanning Tree, Multiple Spanning Tree 273 Figure 110: Common Internal Spanning Tree, Common Spanning Tree, Internal Spanning Tree 273 Figure 111: Configuring Port Loopback Detection 27
FIGURES Figure 140: Configuring DSCP to DSCP Internal Mapping 315 Figure 141: Showing DSCP to DSCP Internal Mapping 316 Figure 142: Configuring CoS to DSCP Internal Mapping 317 Figure 143: Showing CoS to DSCP Internal Mapping 318 Figure 144: Configuring DSCP to CoS Egress Mapping 319 Figure 145: Showing DSCP to CoS Egress Mapping 320 Figure 146: Configuring IP Precedence to DSCP Internal Mapping 322 Figure 147: Showing the IP Precedence to DSCP Internal Map 322 Figure 148: Configuring IP Po
FIGURES Figure 176: Configuring AAA Authorization Methods 362 Figure 177: Showing AAA Authorization Methods 362 Figure 178: Configuring AAA Authorization Methods for Exec Service 363 Figure 179: Displaying the Applied AAA Authorization Method 363 Figure 180: Configuring User Accounts 365 Figure 181: Showing User Accounts 365 Figure 182: Configuring Global Settings for Web Authentication 367 Figure 183: Configuring Interface Settings for Web Authentication 368 Figure 184: Configuring Global
Figure 212: Configuring Global Settings for ARP Inspection 413 Figure 213: Configuring VLAN Settings for ARP Inspection 415 Figure 214: Configuring Interface Settings for ARP Inspection 416 Figure 215: Displaying Statistics for ARP Inspection 417 Figure 216: Displaying the ARP Inspection Log 418 Figure 217: Creating an IP Address Filter for Management Access 420 Figure 218: Showing IP Addresses Authorized for Management Access 420 Figure 219: Configuring Port Security 422 Figure 220
Figure 248: Displaying Remote Device Information for LLDP (Port Details) 477 Figure 249: Displaying Remote Device Information for LLDP (End Node) 478 Figure 250: Displaying LLDP Device Statistics (General) 480 Figure 251: Displaying LLDP Device Statistics (Port) 480 Figure 252: Configuring Global Settings for SNMP 483 Figure 253: Configuring the Local Engine ID for SNMP 484 Figure 254: Configuring a Remote Engine ID for SNMP 485 Figure 255: Showing Remote Engine IDs for SNMP 486 Fig
Figure 284: Showing Collected RMON Statistical Samples 518 Figure 285: Configuring a Switch Cluster 520 Figure 286: Configuring Cluster Members 521 Figure 287: Showing Cluster Members 521 Figure 288: Showing Cluster Candidates 522 Figure 289: Managing a Cluster Member 523 Figure 290: ERPS Ring Components 524 Figure 291: Ring Interconnection Architecture (Multi-ring/Ladder Network) 526 Figure 292: Setting ERPS Global Status 528 Figure 293: Sub-ring with Virtual Channel 537 Figu
Figure 320: Showing Detailed Information on Remote MEPs 581 Figure 321: Showing the Link Trace Cache 583 Figure 322: Showing Settings for the Fault Notification Generator 584 Figure 323: Showing Continuity Check Errors 585 Figure 324: Enabling OAM for Local Ports 588 Figure 325: Displaying Statistics for OAM Messages 589 Figure 326: Displaying the OAM Event Log 590 Figure 327: Displaying Status of Remote Interfaces 591 Figure 328: Running a Remote Loop Back Test 593 Figure 329: Di
Figure 356: Adding Multicast Groups to an IGMP Filtering Profile 636 Figure 357: Showing the Groups Assigned to an IGMP Filtering Profile 636 Figure 358: Configuring IGMP Filtering and Throttling Interface Settings 638 Figure 359: Configuring General Settings for MLD Snooping 640 Figure 360: Configuring Immediate Leave for MLD Snooping 641 Figure 361: Configuring a Static Interface for an IPv6 Multicast Router 642 Figure 362: Showing Static Interfaces Attached to an IPv6 Multicast Router
Figure 392: Displaying MVR6 Group Address Profiles 680 Figure 393: Assigning an MVR6 Group Address Profile to a Domain 681 Figure 394: Showing MVR6 Group Address Profiles Assigned to a Domain 681 Figure 395: Configuring Interface Settings for MVR6 683 Figure 396: Assigning Static MVR6 Groups to a Port 685 Figure 397: Showing the Static MVR6 Groups Assigned to a Port 685 Figure 398: Displaying MVR6 Receiver Groups 686 Figure 399: Displaying MVR6 Statistics – Query 688 Figure 400: Dis
Figure 428: Configuring Excluded Addresses on the DHCP Server 725 Figure 429: Showing Excluded Addresses on the DHCP Server 725 Figure 430: Configuring DHCP Server Address Pools (Network) 728 Figure 431: Configuring DHCP Server Address Pools (Host) 729 Figure 432: Showing Configured DHCP Server Address Pools 729 Figure 433: Showing Addresses Assigned by the DHCP Server 730 Figure 434: Enabling the UDP Helper 731 Figure 435: Specifying UDP Destination Ports 732 Figure 436: Showing the
Figure 464: Showing Counters for Errors Found in VRRP Packets 767 Figure 465: Showing Counters for Errors Found in a VRRP Group 768 Figure 466: Configuring RIP 770 Figure 467: Configuring General Settings for RIP 774 Figure 468: Clearing Entries from the Routing Table 775 Figure 469: Adding Network Interfaces to RIP 776 Figure 470: Showing Network Interfaces Using RIP 777 Figure 471: Specifying a Passive RIP Interface 778 Figure 472: Showing Passive RIP Interfaces 778 Figure 473:
Figure 500: Configuring Route Summaries for an Area Range 806 Figure 501: Showing Configured Route Summaries 807 Figure 502: Redistributing External Routes 807 Figure 503: Importing External Routes 809 Figure 504: Showing Imported External Route Types 809 Figure 505: Summarizing External Routes 810 Figure 506: Showing Summary Addresses for External Routes 811 Figure 507: Configuring Settings for All Interfaces Assigned to a VLAN 815 Figure 508: Configuring Settings for a Specific Ar
Figure 536: Enabling PIMv6 Multicast Routing 850 Figure 537: Configuring PIMv6 Interface Settings (Dense Mode) 855 Figure 538: Configuring PIMv6 Interface Settings (Sparse Mode) 855 Figure 539: Showing PIMv6 Neighbors 856 Figure 540: Configuring Global Settings for PIM6-SM 858 Figure 541: Configuring a PIM6-SM BSR Candidate 859 Figure 542: Configuring a PIM6 Static Rendezvous Point 861 Figure 543: Showing PIM6 Static Rendezvous Points 861 Figure 544: Configuring a PIM6 RP Candidate
TABLES Table 1: Key Features 93 Table 2: System Defaults 102 Table 3: Options 60, 66 and 67 Statements 115 Table 4: Options 55 and 124 Statements 116 Table 5: Web Page Configuration Buttons 125 Table 6: Switch Main Menu 126 Table 7: Port Statistics 193 Table 8: LACP Port Counters 213 Table 9: LACP Internal Configuration Information 214 Table 10: LACP Remote Device Configuration Information 216 Table 11: Traffic Segmentation Forwarding 220 Table 12: Recommended STA Path Cost Range 283
Table 32: Remote Port Auto-Negotiation Advertised Capability 471 Table 33: SNMPv3 Security Models and Levels 481 Table 34: Supported Notification Messages 490 Table 35: ERPS Request/State Priority 545 Table 36: Remote MEP Priority Levels 557 Table 37: MEP Defect Descriptions 557 Table 38: OAM Operation State 586 Table 39: OAM Operation State 592 Table 40: Ethernet Multicast MAC Addresses 599 Table 41: UDP/IPv4 Destination Port Numbers 599 Table 42: UDP/IPv4 Multicast Addresses 5
Table 68: Event Logging Commands 933 Table 69: Logging Levels 934 Table 70: show logging flash/ram - display description 939 Table 71: show logging trap - display description 939 Table 72: Event Logging Commands 940 Table 73: Time Commands 944 Table 74: Predefined Summer-Time Parameters 953 Table 75: Time Range Commands 957 Table 76: PTP Commands 960 Table 77: Ethernet Multicast MAC Addresses 972 Table 78: UDP/IPv4 Destination Port Numbers 972 Table 79: UDP/IPv4 Multicast Addre
Table 104: HTTPS System Support 1054 Table 105: Telnet Server Commands 1055 Table 106: Secure Shell Commands 1057 Table 107: show ssh - display description 1066 Table 108: 802.
Table 140: Port Mirroring Commands 1229 Table 141: Mirror Port Commands 1229 Table 142: RSPAN Commands 1231 Table 143: Congestion Control Commands 1239 Table 144: Rate Limit Commands 1239 Table 145: Rate Limit Commands 1241 Table 146: ATC Commands 1243 Table 147: Loopback Detection Commands 1259 Table 148: UniDirectional Link Detection Commands 1265 Table 149: show udld - display description 1268 Table 150: Address Table Commands 1271 Table 151: Spanning Tree Commands 1277 Ta
Table 176: Mapping Per-hop Behavior to Drop Precedence 1394 Table 177: Mapping Internal PHB/Drop Precedence to CoS/CFI Values 1395 Table 178: Default Mapping of DSCP Values to Internal PHB/Drop Values 1397 Table 179: Default Mapping of IP Precedence to Internal PHB/Drop Values 1399 Table 180: Mapping Internal Per-hop Behavior to Hardware Queues 1399 Table 181: Quality of Service Commands 1407 Table 182: Multicast Filtering Commands 1425 Table 183: IGMP Snooping Commands 1426 Table 18
Table 212: LLDP Commands 1537 Table 213: LLDP MED Location CA Types 1550 Table 214: CFM Commands 1561 Table 215: show ethernet cfm configuration traps - display description 1575 Table 216: show ethernet cfm maintenance-points local detail mep - display 1578 Table 217: show ethernet cfm maintenance-points remote detail - display 1580 Table 218: show ethernet cfm errors - display description 1586 Table 219: show ethernet cfm linktrace-cache - display description 1594 Table 220: Remote
Table 248: IP Routing Commands 1723 Table 249: Global Routing Configuration Commands 1723 Table 250: show ip host-route - display description 1726 Table 251: Routing Information Protocol Commands 1733 Table 252: Open Shortest Path First Commands 1750 Table 253: show ip ospf - display description 1778 Table 254: show ip ospf database - display description 1781 Table 255: show ip ospf database summary - display description 1782 Table 256: show ip ospf database external - display descri
Table 284: show ip pim neighbor - display description 1936 Table 285: show ip pim bsr-router - display description 1948 Table 286: show ip pim rp mapping - display description 1949 Table 287: show ip pim rp-hash - display description 1949 Table 288: PIM-DM and PIM-SM Multicast Routing Commands 1950 Table 289: show ipv6 pim neighbor - display description 1958 Table 290: show ip pim bsr-router - display description 1971 Table 291: show ip pim rp mapping - display description 1972 Table
SECTION I GETTING STARTED This section provides an overview of the switch, and introduces some basic concepts about network switches. It also describes the basic settings required to access the management interface.
1 INTRODUCTION This switch provides a broad range of features for Layer 2 switching and Layer 3 routing. It includes a management agent that allows you to configure the features listed in this manual. The default configuration can be used for most of the features provided by this switch. However, there are many options that you should configure to maximize the switch’s performance for your particular network environment.
CHAPTER 1 | Introduction Key Features Table 1: Key Features (Continued) Feature Description Address Table 32K MAC addresses in forwarding table, 1K static MAC addresses; 8K entries in ARP cache, 256 static ARP entries; 512 static IP routes, 512 IP interfaces; 12K IPv4 entries in host table; 8K IPv4 entries in routing table; 6K IPv6 entries in host table; 4K IPv6 entries in routing table; 1K L2 IPv4 multicast groups; 1K L3 IPv4 multicast groups (shared with IPv6); 1K L3 IPv6 multicast groups (shared with
DESCRIPTION OF SOFTWARE FEATURES The switch provides a wide range of advanced performance-enhancing features. Flow control eliminates the loss of packets due to bottlenecks caused by port saturation. Broadcast storm suppression prevents broadcast traffic storms from engulfing the network.
dynamic configuration of local clients from a DHCP server located in a different network. PORT CONFIGURATION You can manually configure the speed, duplex mode, and flow control used on specific ports, or use auto-negotiation to detect the connection settings used by the attached device. Use full-duplex mode on ports whenever possible to double the throughput of switch connections.
IP ADDRESS FILTERING Access to insecure ports can be controlled using DHCP Snooping, which filters ingress traffic based on static IP addresses and addresses stored in the DHCP Snooping table. Traffic can also be restricted to specific source IP addresses or source IP/MAC address pairs based on static entries or entries stored in the DHCP Snooping table. IEEE 802.1D BRIDGE The switch supports IEEE 802.1D transparent bridging.
CONNECTIVITY FAULT MANAGEMENT The switch provides connectivity fault monitoring for end-to-end connections within a designated service area by using continuity check messages, which can detect faults in maintenance points; fault verification through loopback messages; and fault isolation with link trace messages. VIRTUAL LANS The switch supports up to 4094 VLANs.
This switch also supports several common methods of prioritizing layer 3/4 traffic to meet application requirements. Traffic can be prioritized based on the priority bits in the IP frame’s Type of Service (ToS) octet using DSCP or IP Precedence, or on TCP/UDP port numbers. When these services are enabled, the priorities are mapped to a Class of Service value by the switch, and the traffic is then sent to the corresponding output queue.
OSPF – This approach uses a link state routing protocol to generate a shortest-path tree, then builds up its routing table based on this tree. OSPF produces a more stable network because the participating routers act on network changes predictably and simultaneously, converging on the best route more quickly than RIP. BGP – This protocol uses a path vector approach to connect autonomous systems (AS) on the Internet.
MULTICAST FILTERING Specific multicast traffic can be assigned to its own VLAN to ensure that it does not interfere with normal network traffic and to guarantee real-time delivery by setting the required priority level for the designated VLAN. The switch uses IGMP Snooping and Query for IPv4, MLD Snooping and Query for IPv6, and IGMP at Layer 3 to manage multicast group registration.
SYSTEM DEFAULTS The switch’s system defaults are provided in the configuration file “Factory_Default_Config.cfg.” To reset the switch defaults, this file should be set as the startup configuration file. The following table lists some of the basic system defaults.
Table 2: System Defaults (Continued) Function Parameter Default. Port Configuration: Admin Status Enabled; Auto-negotiation Enabled; Flow Control Disabled. Port Trunking: Static Trunks None; LACP (all ports) Disabled. Congestion Control: Rate Limiting Disabled; Storm Control Broadcast: Enabled (500 packets/sec), Multicast: Disabled, Unknown Unicast: Disabled. OAM: Status Disabled. Address Table: Aging Time 300 seconds. Spanning Tree Algorithm: Status Enabled
IP Settings: Management VLAN VLAN 1; IP Address DHCP assigned; Subnet Mask 255.255.255.0; Default Gateway 0.0.0.
2 INITIAL SWITCH CONFIGURATION This chapter includes information on connecting to the switch and basic configuration procedures. CONNECTING TO THE SWITCH The switch includes a built-in network management agent. The agent offers a variety of management options, including SNMP, RMON and a web-based interface. A PC may also be connected directly to the switch for configuration and monitoring via a command line interface (CLI). NOTE: An IPv4 address for this switch is obtained via DHCP by default.
CHAPTER 2 | Initial Switch Configuration Connecting to the Switch ◆ Control port access through IEEE 802.1X security or static address filtering ◆ Filter packets using Access Control Lists (ACLs) ◆ Configure up to 4094 IEEE 802.
3. Make sure the terminal emulation software is set as follows: ■ Select the appropriate serial port (COM port 1 or COM port 2). ■ Set the baud rate to 115200 bps. ■ Set the data format to 8 data bits, 1 stop bit, and no parity. ■ Set flow control to none. ■ Set the emulation mode to VT100. ■ When using HyperTerminal, select Terminal keys, not Windows keys.
default, but may be manually configured with an IPv4 or IPv6 address as described in the following sections. The Craft port can only be configured through the command line interface, and is specified with the name “craft” in the commands used to configure its IP address. BASIC CONFIGURATION CONSOLE CONNECTION The CLI program provides two different command levels: normal access level (Normal Exec) and privileged access level (Privileged Exec).
4. Type “username admin password 0 password,” for the Privileged Exec level, where password is your new password. Press Enter. Username: admin Password: CLI session with the ECS4660-28F is opened. To end the CLI session, enter [Exit].
ASSIGNING AN IPV4 ADDRESS Before you can assign an IP address to the switch, you must obtain the following information from your network administrator: ◆ IP address for the switch ◆ Network mask for this network ◆ Default gateway for the network To assign an IPv4 address to the switch, complete the following steps: 1. From the Global Configuration mode prompt, type “interface vlan 1” to access the interface-configuration mode.
To configure an IPv6 link-local address for the switch, complete the following steps: 1. From the Global Configuration mode prompt, type “interface vlan 1” to access the interface-configuration mode. Press Enter. 2. Type “ipv6 address” followed by up to 8 colon-separated 16-bit hexadecimal values for the ipv6-address, similar to that shown in the example, followed by the “link-local” command parameter. Then press Enter.
To generate an IPv6 global unicast address for the switch, complete the following steps: 1. From the Global Configuration mode prompt, type “interface vlan 1” to access the interface-configuration mode. Press Enter. 2. From the interface prompt, type “ipv6 address ipv6-address” or “ipv6 address ipv6-address/prefix-length,” where “prefix-length” indicates the address bits used to form the network portion of the address.
DYNAMIC CONFIGURATION Obtaining an IPv4 Address If you select the “bootp” or “dhcp” option, the system will immediately start broadcasting service requests. IP will be enabled but will not function until a BOOTP or DHCP reply has been received. Requests are broadcast every few minutes using exponential backoff until IP configuration information is obtained from a BOOTP or DHCP server.
5. Then save your configuration changes by typing “copy running-config startup-config.” Enter the startup file name and press Enter.
Console(config)#interface vlan 1
Console(config-if)#ip address dhcp
Console(config-if)#end
Console#show ip interface
VLAN 1 is Administrative Up - Link Up
Address is 00-E0-0C-00-00-FB
Index: 1001, MTU: 1500
Address Mode is DHCP
IP Address: 192.168.0.2 Mask: 255.255.255.
DOWNLOADING A CONFIGURATION FILE REFERENCED BY A DHCP SERVER Information passed on to the switch from a DHCP server may also include a configuration file to be downloaded and the TFTP servers where that file can be accessed.
Table 4: Options 55 and 124 Statements
Option  Statement Keyword  Parameter
55  dhcp-parameter-request-list  a list of parameters, separated by ','
124  vendor-class-identifier  a string indicating the vendor class identifier
The following configuration examples are provided for a Linux-based DHCP daemon (dhcpd.conf file).
configured to send information to SNMP managers (without being requested by the managers) through trap messages, which inform the manager that certain events have occurred. The switch includes an SNMP agent that supports SNMP versions 1, 2c, and 3 clients. To provide management access for version 1 or 2c clients, you must specify a community string. The switch provides a default MIB View (i.e.
TRAP RECEIVERS You can also specify SNMP stations that are to receive traps from the switch. To configure a trap receiver, use the “snmp-server host” command.
MANAGING SYSTEM FILES The switch’s flash memory supports three types of system files that can be managed by the CLI program, web interface, or SNMP. The switch’s file system allows files to be uploaded and downloaded, copied, deleted, and set as a start-up file. The types of files are: ◆ Configuration — This file type stores system configuration information and is created when configuration settings are saved.
contain slashes (\ or /), and the leading letter of the file name must not be a period (.). (Valid characters: A-Z, a-z, 0-9, “.”, “-”, “_”) There can be more than one user-defined configuration file saved in the switch’s flash memory, but only one is designated as the “startup” file that is loaded when the switch boots. The copy running-config startup-config command always sets the new file as the startup file.
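The guide's own dhcpd.conf examples are not reproduced on this page. As an added illustration (not Edge-Core's text), the following ISC dhcpd configuration shows how a server can hand a switch its TFTP server and configuration file name through options 66 and 67 while matching on the option 60 vendor class; the vendor class string, addresses and file name are placeholders, and option 124 is omitted because the page does not give the exact string the switch sends.

```conf
# Added example, not from the guide: ISC dhcpd configuration that hands a
# switch the location of its configuration file via DHCP options 66 and 67.
# All addresses, the file name and the vendor class string are placeholders.

# Match only clients that announce the expected vendor class in option 60,
# so that ordinary hosts on the subnet are not handed a switch config file.
class "edgecore-switch" {
    match if option vendor-class-identifier = "VENDOR-CLASS-PLACEHOLDER";
}

subnet 192.168.0.0 netmask 255.255.255.0 {
    option routers 192.168.0.1;
    option subnet-mask 255.255.255.0;

    # General pool for ordinary hosts: no TFTP/bootfile options are sent.
    pool {
        deny members of "edgecore-switch";
        range 192.168.0.100 192.168.0.150;
    }

    # Pool reserved for switches that matched the vendor class above.
    pool {
        allow members of "edgecore-switch";
        range 192.168.0.10 192.168.0.20;
        # Option 66: TFTP server from which the switch fetches the file.
        option tftp-server-name "192.168.0.5";
        # Option 67: name of the configuration file on that server.
        option bootfile-name "switch-startup-config.cfg";
    }
}
```

Because the switch acts on whichever DHCP server answers, the matching control on this switch is DHCP Snooping (see IP Address Filtering), which restricts server replies to trusted ports; keep the TFTP host reachable only from the management network.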
SECTION II WEB CONFIGURATION This section describes the basic switch features, along with a detailed description of how to configure each feature via a web browser.
◆ "Multicast Routing" on page 825
3 USING THE WEB INTERFACE This switch provides an embedded HTTP web agent. Using a web browser you can configure the switch and view statistics to monitor network activity. The web agent can be accessed by any computer on the network using a standard web browser (Internet Explorer 6, Mozilla Firefox 4, or Google Chrome 29, or more recent versions). NOTE: You can also use the Command Line Interface (CLI) to manage the switch over a serial connection to the console port or via Telnet.
CHAPTER 3 | Using the Web Interface Navigating the Web Browser Interface NOTE: Connection to the web interface is not supported for HTTPS using an IPv6 link local address. NAVIGATING THE WEB BROWSER INTERFACE To access the web-browser interface you must first enter a user name and password. The administrator has Read/Write access to all configuration parameters and statistics. The default user name and password for the administrator is “admin.
CONFIGURATION OPTIONS Configurable parameters have a dialog box or a drop-down list. Once a configuration change has been made on a page, be sure to click on the Apply button to confirm the new setting. The following table summarizes the web page configuration buttons. Table 5: Web Page Configuration Buttons Button Action Apply Sets specified values to the system.
MAIN MENU Using the onboard web agent, you can define system parameters, manage and control the switch, and all its ports, or monitor network conditions. The following table briefly describes the selections available from this program.
Table 6: Switch Main Menu (Continued) Menu Description Page Show Information Displays port connection status 185 Mirror 186 Add Sets the source and target ports for mirroring 186 Show Shows the configured mirror sessions 186 Statistics Shows Interface, Etherlike, and RMON port statistics 192 Chart Shows Interface, Etherlike, and RMON port statistics 192 History 196 Add Configures a periodic sampling of statistic
Configure Trunk 207 Configure Configures connection settings 207 Show Displays port connection status 207 Show Member Shows the active members in a trunk 207 Statistics Shows Interface, Etherlike, and RMON port statistics 192 Chart Shows Interface, Etherlike, and RMON port statistics 192 Load Balance Sets the load-distribution method among ports in aggreg
Show Displays configured primary and community VLANs 239 Add Community VLAN Associates a community VLAN with a primary VLAN 240 Show Community VLAN Shows the community VLANs associated with a primary VLAN 240 Sets the private VLAN interface type, and associates the interfaces with a private VLAN 242 IEEE 802.
STA Spanning Tree Algorithm Configure Global Configure Configures global bridge settings for STP, RSTP and MSTP 276 Show Information Displays STA values used for the bridge 281 Configure Interface Configure Configures interface settings for STA 282 Show Information Displays interface settings for STA 286 MSTP Multiple Spanning Tree Algorithm 289 Configure
Show Shows the CoS to DSCP mapping list 316 DSCP to CoS 318 Add Maps internal per-hop behavior and drop precedence value pairs to CoS values used in tagged egress packets on a Layer 2 interface 318 Show Shows the DSCP to CoS mapping list 318 IP Precedence to DSCP 320 Add Maps IP precedence values in incoming packets to per-hop behavior and drop precedence value
Configure Interface Configures VoIP traffic settings for ports, including the way in which a port is added to the Voice VLAN, filtering of non-VoIP packets, the method of detecting VoIP traffic, and the priority assigned to the voice traffic 345 Security 347 AAA Authentication, Authorization and Accounting System Authentication Configures authentication sequence – l
Configure Interface Enables Web Authentication for individual ports 367 Network Access MAC address-based network access authentication 368 Configure Global Enables aging for authenticated MAC addresses, and sets the time period after which a connected MAC address must be reauthenticated 371 Configure Interface 372 General Enables MAC authentication on a port; set
Add Rule Configures packet filtering based on IP or MAC addresses and other packet attributes 395 Show Rule Shows the rules specified for an ACL 395 Configure Interface 408 Configure Binds a port to the specified ACL and time range 408 Show Hardware Counters Shows statistics for ACL hardware counters 409 ARP Inspection 410 Configure General Enables inspect
Administration 453 Log 454 System 454 Configure Global Stores error messages in local memory 454 Show System Logs Shows logged error messages 454 Remote Configures the logging of messages to a remote logging process 456 SMTP Sends an SMTP client message to a participating server 457 LLDP 458 Configure Global Configures global LLDP timing parameters 4
Show Community Shows community strings and access mode 494 Add SNMPv3 Local User Configures SNMPv3 users on this switch 495 Show SNMPv3 Local User Shows SNMPv3 users configured on this switch 495 Change SNMPv3 Local User Group Assigns a local user to a new group 495 Add SNMPv3 Remote User Configures SNMPv3 users from a remote device 497 Show SNMPv3 Remote Use
Show Candidate Shows candidate members 520 Show Member Shows cluster switch member; managed switch members 522 ERPS Ethernet Ring Protection Switching 523 Configure Global Activates ERPS globally 527 Configure Domain 528 Add Creates an ERPS ring 528 Show Shows list of configured ERPS rings, status, and settings 528 Configure Details Configures ring parame
Show Local MEP Shows the MEPs configured on this device 574 Show Local MEP Details Displays detailed CFM information about a specified local MEP in the continuity check database 575 Show Local MIP Shows the MIPs on this device discovered by the CFM protocol 577 Show Remote MEP Shows MEPs located on other devices which have been discovered through continuity check
Routing Static Routes 753 Add Configures static routing entries 753 Show Shows static routing entries 753 Routing Table 755 Show Information Shows all routing entries, including local, static and dynamic routes 755 Configure ECMP Number Sets the maximum number of equal-cost paths to the same destination that can be installed in the routing table 757 Virtua
IP Service 713 DNS Domain Name Service General 713 Configure Global Enables DNS lookup; defines the default domain name appended to incomplete host names 713 Add Domain Name Defines a list of domain names that can be appended to incomplete host names 714 Show Domain Names Shows the configured domain name list 714 Add Name Server Specifies IP address of name
UDP Helper General Enables UDP helper globally on the switch 730 Forwarding 731 Add Specifies the UDP destination ports for which broadcast traffic will be forwarded 731 Show Shows the list of UDP ports to which broadcast traffic will be forwarded 731 Address 733 Add Specifies the servers to which designated UDP protocol packets are forwarded 733 Show
Show Shows configured IGMP filter profiles 634 Add Multicast Group Range Assigns multicast groups to selected profile 634 Show Multicast Group Range Shows multicast groups assigned to a profile 634 Configure Interface Assigns IGMP filter profiles to port interfaces and sets throttling action 636 Statistics 629 Show Query Statistics Shows statistics for query
Multicast Routing General Globally enables IPv4 multicast routing 825 Information 828 Show Summary Shows each multicast route the switch has learned 829 Show Details Shows additional information for each multicast route the switch has learned, including RP address, upstream router, and downstream interfaces 829 IPv6 Multicast Routing General Globally en
Configure Domain Enables MVR for a domain, sets the MVR VLAN, forwarding priority, and upstream source IP 677 Configure Profile 678 Add Configures multicast stream addresses 678 Show Shows multicast stream addresses 678 Associate Profile 678 Add Maps an address profile to a domain 678 Show Shows address profile to domain mapping 678 Configures MVR inter
Neighbor Address 778 Add Configures the router to directly exchange routing information with a static neighbor 778 Show Shows adjacent hosts or interfaces configured as a neighboring router 778 Redistribute 779 Add Imports external routing information from other routing domains (that is, protocols) into the autonomous system 779 Show Shows the external routi
Show Information Shows statistics for each area, including SPF startups, ABR/ASBR count, LSA count, and LSA checksum 804 Area Range 805 Add Configures route summaries to advertise at an area boundary 805 Show Shows route summaries advertised at an area boundary 805 Modify Modifies route summaries advertised at an area boundary 805 Redistribute 807 Add Redis
RP Address 843 Add Sets a static address for an RP and the associated multicast group(s) 843 Show Shows the static addresses configured for each RP and the associated multicast groups 843 RP Candidate 845 Add Advertises the switch as an RP candidate to the BSR for the specified multicast groups 845 Show Shows the multicast groups for which this switch is adv
4 BASIC MANAGEMENT TASKS This chapter describes the following topics: ◆ Displaying System Information – Provides basic system description, including contact information. ◆ Displaying Hardware/Software Versions – Shows the hardware version, power status, and firmware versions. ◆ Configuring Support for Jumbo Frames – Enables support for jumbo frames. ◆ Displaying Bridge Extension Capabilities – Shows the bridge extension parameters.
CHAPTER 4 | Basic Management Tasks Displaying System Information PARAMETERS These parameters are displayed: ◆ System Description – Brief description of device type. ◆ System Object ID – MIB II object ID for switch’s network management subsystem. ◆ System Up Time – Length of time the management agent has been up. ◆ System Name – Name assigned to the switch system. ◆ System Location – Specifies the system location. ◆ System Contact – Administrator responsible for the system.
DISPLAYING HARDWARE/SOFTWARE VERSIONS
Use the System > Switch page to display hardware/firmware version numbers for the main board and management software, as well as the power status of the system.
CLI REFERENCES
◆ "System Management Commands" on page 891
PARAMETERS
The following parameters are displayed:
Main Board Information
◆ Serial Number – The serial number of the switch.
◆ Number of Ports – Number of built-in ports.
WEB INTERFACE
To view hardware and software version information:
1. Click System, then Switch.
Figure 4: General Switch Information
CONFIGURING SUPPORT FOR JUMBO FRAMES
Use the System > Capability page to configure support for layer 2 jumbo frames. The switch provides more efficient throughput for large sequential data transfers by supporting jumbo frames of up to 9216 bytes for Gigabit and 10 Gigabit Ethernet ports or trunks.
PARAMETERS
The following parameters are displayed:
◆ Jumbo Frame – Configures support for jumbo frames. (Default: Disabled)
WEB INTERFACE
To configure support for jumbo frames:
1. Click System, then Capability.
2. Enable or disable support for jumbo frames.
3. Click Apply.
◆ VLAN Learning – This switch uses Independent VLAN Learning (IVL), where each port maintains its own filtering database.
◆ Local VLAN Capable – This switch does not support multiple local bridges outside of the scope of 802.1Q defined VLANs.
◆ Configurable PVID Tagging – This switch allows you to override the default Port VLAN ID (PVID used in frame tags) and egress status (VLAN-Tagged or Untagged) on each port.
MANAGING SYSTEM FILES
This section describes how to upgrade the switch operating software or configuration files, and set the system start-up files.
COPYING FILES VIA FTP/TFTP OR HTTP
Use the System > File (Copy) page to upload/download firmware or configuration settings using FTP, TFTP or HTTP. By backing up a file to an FTP/TFTP server or management station, that file can later be downloaded to the switch to restore operation.
◆ File Name – The file name should not contain slashes (\ or /), the leading letter of the file name should not be a period (.), and the maximum length for file names is 32 characters for files on the switch or 128 characters for files on the server. (Valid characters: A-Z, a-z, 0-9, “.”, “-”, “_”)
NOTE: Up to two copies of the system software (i.e., the runtime firmware) can be stored in the file directory on the switch.
Figure 7: Copy Firmware
If you replaced a file currently used for startup and want to start using the new file, reboot the system via the System > Reset menu.
SAVING THE RUNNING CONFIGURATION TO A LOCAL FILE
Use the System > File (Copy) page to save the current configuration settings to a local file on the switch. The configuration settings are not automatically saved by the system for subsequent use when the switch is rebooted.
WEB INTERFACE
To save the running configuration file:
1. Click System, then File.
2. Select Copy from the Action list.
3. Select Running-Config from the Copy Type list.
4. Select the current startup file on the switch to overwrite or specify a new file name.
5. Then click Apply.
Figure 9: Setting Start-Up Files
To start using the new firmware or configuration settings, reboot the system via the System > Reset menu.
SHOWING SYSTEM FILES
Use the System > File (Show) page to show the files in the system directory, or to delete a file.
NOTE: Files designated for start-up, and the Factory_Default_Config.cfg file, cannot be deleted.
AUTOMATIC OPERATION CODE UPGRADE
Use the System > File (Automatic Operation Code Upgrade) page to automatically download an operation code file when a file newer than the currently installed one is discovered on the file server. After the file is transferred from the server and successfully written to the file system, it is automatically set as the startup file, and the switch is rebooted.
◆ Note that the switch itself does not distinguish between upper and lower-case file names, and only checks to see if the file stored on the server is more recent than the current runtime image.
◆ If two operation code image files are already stored on the switch’s file system, then the non-startup image is deleted before the upgrade image is transferred.
ftp://[username[:password@]]host[/filedir]/
■ ftp:// – Defines FTP protocol for the server connection.
■ username – Defines the user name for the FTP connection. If the user name is omitted, then “anonymous” is the assumed user name for the connection.
■ password – Defines the password for the FTP connection.
■ ftp://switches:upgrade@192.168.0.1/switches/opcode/
The user name is “switches” and the password is “upgrade”. The image file is in the “opcode” directory, which is within the “switches” parent directory, relative to the FTP root.
WEB INTERFACE
To configure automatic code upgrade:
1. Click System, then File.
2. Select Automatic Operation Code Upgrade from the Action list.
3. Mark the check box to enable Automatic Opcode Upgrade.
4.
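As an added example (not code from the guide or the switch), a small Python parser for the upgrade-server URL format above that returns the effective user name, password, host and directory; it follows the user[:password]@host form of the guide's own example, and the regex and helper names are this example's assumptions.

```python
import re

# URL grammar from the guide:  ftp://[username[:password@]]host[/filedir]/
# The regex follows the guide's own example (user:password@host/dir/); it is an
# assumption of this added example, not the switch's parser.
_OPCODE_URL = re.compile(
    r"^ftp://"
    r"(?:(?P<user>[^:@/]+)(?::(?P<password>[^@/]*))?@)?"  # optional user[:password]@
    r"(?P<host>[^/:@]+)"                                  # IPv4 address or host name
    r"(?P<filedir>(?:/[^/]+)*)/$"                         # directory path, ends in "/"
)


def parse_opcode_url(url):
    """Split an automatic-upgrade URL into its parts.

    Returns a dict with keys user, password, host, filedir. Per the guide, an
    omitted user name means the "anonymous" account is used; filedir is
    returned relative to the FTP root (no leading or trailing slash).
    Raises ValueError if the string does not match the grammar.
    """
    m = _OPCODE_URL.match(url)
    if m is None:
        raise ValueError("not a valid ftp:// upgrade URL: %r" % url)
    return {
        "user": m.group("user") or "anonymous",
        "password": m.group("password") or "",
        "host": m.group("host"),
        "filedir": m.group("filedir").strip("/"),
    }


def is_opcode_url(url):
    """True if the URL would be accepted by parse_opcode_url()."""
    try:
        parse_opcode_url(url)
    except ValueError:
        return False
    return True


def redact(url):
    """Copy of the URL with the password masked, so the setting can be logged
    or shown without recording the credential (FTP sends it in clear text)."""
    parts = parse_opcode_url(url)
    if parts["password"]:
        return url.replace(":" + parts["password"] + "@", ":***@", 1)
    return url


if __name__ == "__main__":
    # Example URL taken from the guide.
    print(parse_opcode_url("ftp://switches:upgrade@192.168.0.1/switches/opcode/"))
    print(redact("ftp://switches:upgrade@192.168.0.1/switches/opcode/"))
```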
SETTING THE SYSTEM CLOCK
Simple Network Time Protocol (SNTP) allows the switch to set its internal clock based on periodic updates from a time server (SNTP or NTP). Maintaining an accurate time on the switch enables the system log to record meaningful dates and times for event entries. You can also manually set the clock.
Figure 12: Manually Setting the System Clock
SETTING THE SNTP POLLING INTERVAL
Use the System > Time (Configure General - SNTP) page to set the polling interval at which the switch will query the specified time servers.
CLI REFERENCES
◆ "Time" on page 944
PARAMETERS
The following parameters are displayed:
◆ Current Time – Shows the current time set on the switch.
Figure 13: Setting the Polling Interval for SNTP
CONFIGURING NTP
Use the System > Time (Configure General - NTP) page to configure NTP authentication and show the polling interval at which the switch will query the specified time servers.
CLI REFERENCES
◆ "Time" on page 944
PARAMETERS
The following parameters are displayed:
◆ Current Time – Shows the current time set on the switch.
Figure 14: Configuring NTP
CONFIGURING TIME SERVERS
Use the System > Time (Configure Time Server) pages to specify the IP address for NTP/SNTP time servers, or to set the authentication key for NTP time servers.
SPECIFYING SNTP TIME SERVERS
Use the System > Time (Configure Time Server – Configure SNTP Server) page to specify the IP address for up to three SNTP time servers.
Figure 15: Specifying SNTP Time Servers
SPECIFYING NTP TIME SERVERS
Use the System > Time (Configure Time Server – Add NTP Server) page to add the IP address for up to 50 NTP time servers.
CLI REFERENCES
◆ "ntp server" on page 950
PARAMETERS
The following parameters are displayed:
◆ NTP Server IP Address – Adds the IPv4 or IPv6 address for up to 50 time servers.
Figure 16: Adding an NTP Time Server
To show the list of configured NTP time servers:
1. Click System, then Time.
2. Select Configure Time Server from the Step list.
3. Select Show NTP Server from the Action list.
Figure 17: Showing the NTP Time Server List
SPECIFYING NTP AUTHENTICATION KEYS
Use the System > Time (Configure Time Server – Add NTP Authentication Key) page to add an entry to the authentication key list.
WEB INTERFACE
To add an entry to the NTP authentication key list:
1. Click System, then Time.
2. Select Configure Time Server from the Step list.
3. Select Add NTP Authentication Key from the Action list.
4. Enter the index number and MD5 authentication key string.
5. Click Apply.
Figure 18: Adding an NTP Authentication Key
To show the list of configured NTP authentication keys:
1. Click System, then Time.
2.
SETTING THE TIME ZONE
Use the System > Time (Configure Time Zone) page to set the time zone. SNTP uses Coordinated Universal Time (or UTC, formerly Greenwich Mean Time, or GMT) based on the time at the Earth’s prime meridian, zero degrees longitude, which passes through Greenwich, England. To display a time corresponding to your local time, you must indicate the number of hours and minutes your time zone is west (before) or east (after) of UTC.
CONFIGURING THE CONSOLE PORT
Use the System > Console menu to configure connection parameters for the switch’s console port. You can access the onboard configuration program by attaching a VT100 compatible device to the switch’s serial console port. Management access through the console port is controlled by various parameters, including a password (only configurable through the CLI), time outs, and basic communication settings.
NOTE: The password for the console connection can only be configured through the CLI (see "password" on page 928).
NOTE: Password checking can be enabled or disabled for logging in to the console connection (see "login" on page 926). You can select authentication by a single global password as configured for the password command, or by passwords set up for specific user-name accounts.
CONFIGURING TELNET SETTINGS
Use the System > Telnet menu to configure parameters for accessing the CLI over a Telnet connection. You can access the onboard configuration program over the network using Telnet (i.e., a virtual terminal). Management access via Telnet can be enabled/disabled and other parameters set, including the TCP port number, time outs, and a password. Note that the password is only configurable through the CLI.
authentication by a single global password as configured for the password command, or by passwords set up for specific user-name accounts. The default is for local passwords configured on the switch.
WEB INTERFACE
To configure parameters for the console port:
1. Click System, then Telnet.
2. Specify the connection parameters as required.
3.
WEB INTERFACE
To display CPU utilization:
1. Click System, then CPU Utilization.
2. Change the update interval if required. Note that the interval is changed as soon as a new setting is selected.
Figure 23: Displaying CPU Utilization
DISPLAYING MEMORY UTILIZATION
Use the System > Memory Status page to display memory utilization parameters.
WEB INTERFACE
To display memory utilization:
1. Click System, then Memory Status.
Figure 24: Displaying Memory Utilization
RESETTING THE SYSTEM
Use the System > Reset menu to restart the switch immediately, at a specified time, after a specified delay, or at a periodic interval.
System Reload Configuration
◆ Reset Mode – Restarts the switch immediately or at the specified time(s).
■ Immediately – Restarts the system immediately.
■ In – Specifies an interval after which to reload the switch. (The specified time must be equal to or less than 24 days.)
■ hours – The number of hours, combined with the minutes, before the switch resets.
3. For any option other than to reset immediately, fill in the required parameters.
4. Click Apply.
5. When prompted, confirm that you want to reset the switch.
Figure 27: Restarting the Switch (At)
Figure 28: Restarting the Switch (Regularly)
5 INTERFACE CONFIGURATION
This chapter describes the following topics:
◆ Port Configuration – Configures connection settings, including autonegotiation, or manual setting of speed, duplex mode, and flow control.
◆ Local Port Mirroring – Sets the source and target ports for mirroring on the local switch.
◆ Remote Port Mirroring – Configures mirroring of traffic from remote switches for analysis at a destination port on the local switch.
PORT CONFIGURATION
This section describes how to configure port connections, mirror traffic from one port to another, and run cable diagnostics.
CONFIGURING BY PORT LIST
Use the Interface > Port > General (Configure by Port List) page to enable/disable an interface, set auto-negotiation and the interface capabilities to advertise, or manually fix the speed, duplex mode, and flow control.
less than the configured port MTU, including the CRC at the end of the frame.
◆ For QinQ, the overall frame size is still calculated as described above, and does not add the length of the second tag to the frame.
PARAMETERS
These parameters are displayed:
◆ Port – Port identifier. (Range: 1-28)
◆ Type – Indicates the port type. (Options: 1000BASE SFP, 10GBASE XFP, 10GBASE SFP+)
◆ Name – Allows you to label an interface.
1000Base-SX/LX/LH (SFP) – 1000full
10GBase-SR/LR/ER (XFP/SFP+) – 10Gfull
◆ Speed/Duplex – Allows you to manually set the port speed and duplex mode (i.e., with auto-negotiation disabled).
◆ Flow Control – Allows automatic or manual selection of flow control.
◆ MTU Size – The maximum transfer unit (MTU) allowed for layer 2 packets crossing a Gigabit or 10 Gigabit Ethernet port or trunk.
WEB INTERFACE
To configure port connection parameters:
1. Click Interface, Port, General.
2. Select Configure by Port Range from the Action List.
3. Enter the range of ports to which your configuration changes apply.
4. Modify the required interface settings.
5. Click Apply.
◆ Autonegotiation – Shows if auto-negotiation is enabled or disabled.
◆ Oper Speed Duplex – Shows the current speed and duplex mode.
◆ Oper Flow Control – Shows the flow control type used.
◆ MTU Size – The maximum transfer unit (MTU) allowed for layer 2 packets crossing a Gigabit or 10 Gigabit Ethernet port or trunk.
WEB INTERFACE
To display port connection parameters:
1. Click Interface, Port, General.
2.
destination port on this switch (remote port mirroring as described in "Configuring Remote Port Mirroring" on page 188).
◆ Monitor port speed should match or exceed source port speed, otherwise traffic may be dropped from the monitor port.
◆ When mirroring port traffic, the target port must be included in the same VLAN as the source port when using MSTP (see "Spanning Tree Algorithm" on page 271).
To display the configured mirror sessions:
1. Click Interface, Port, Mirror.
2. Select Show from the Action List.
Figure 34: Displaying Local Port Mirror Sessions
CONFIGURING REMOTE PORT MIRRORING
Use the Interface > RSPAN page to mirror traffic from remote switches for analysis at a destination port on the local switch.
COMMAND USAGE
◆ Traffic can be mirrored from one or more source ports to a destination port on the same switch (local port mirroring as described in "Configuring Local Port Mirroring" on page 186), or from one or more source ports on remote switches to a destination port on this switch (remote port mirroring as described in this section).
◆ Configuration Guidelines
Take the following steps to configure an RSPAN session:
1.
still be configured. When RSPAN uplink ports are enabled on the switch, 802.1X cannot be enabled globally.
■ Port Security – If port security is enabled on any port, that port cannot be set as an RSPAN uplink port, even though it can still be configured as an RSPAN source or destination port. Also, when a port is configured as an RSPAN uplink port, port security cannot be enabled on that port.
◆ Type – Specifies the traffic type to be mirrored remotely. (Options: Rx, Tx, Both)
◆ Destination Port – Specifies the destination port to monitor the traffic mirrored from the source ports. Only one destination port can be configured on the same switch per session, but a destination port can be configured on more than one switch for the same session.
Figure 37: Configuring Remote Port Mirroring (Intermediate)
Figure 38: Configuring Remote Port Mirroring (Destination)
SHOWING PORT OR TRUNK STATISTICS
Use the Interface > Port/Trunk > Statistics or Chart page to display standard statistics on network traffic from the Interfaces Group and Ethernet-like MIBs, as well as a detailed breakdown of traffic based on the RMON MIB.
PARAMETERS
These parameters are displayed:
Table 7: Port Statistics
Parameter | Description
Interface Statistics
Received Octets | The total number of octets received on the interface, including framing characters.
Transmitted Octets | The total number of octets transmitted out of the interface, including framing characters.
Table 7: Port Statistics (Continued)
Parameter | Description
Frames Too Long | A count of frames received on a particular interface that exceed the maximum permitted frame size.
Alignment Errors | The number of alignment errors (missynchronized data packets).
FCS Errors | A count of frames received on a particular interface that are an integral number of octets in length but do not pass the FCS check.
Table 7: Port Statistics (Continued)
Parameter | Description
Utilization Statistics
Input Octets in kbits per second | Number of octets entering this interface in kbits/second.
Input Packets per second | Number of packets entering this interface per second.
Input Utilization | The input utilization rate for this interface.
Output Octets in kbits per second | Number of octets leaving this interface in kbits/second.
To show a chart of port statistics:
1. Click Interface, Port, Chart.
2. Select the statistics mode to display (Interface, Etherlike, RMON or All).
3. If Interface, Etherlike, or RMON statistics mode is chosen, select a port from the drop-down list. If All (ports) statistics mode is chosen, select the statistics type to display.
COMMAND USAGE
For a description of the statistics displayed on these pages, see "Showing Port or Trunk Statistics" on page 192.
PARAMETERS
These parameters are displayed:
Add
◆ Port – Port number. (Range: 1-28)
◆ History Name – Name of sample interval. (Range: 1-32 characters)
◆ Interval – The interval for sampling statistics. (Range: 1-86400 minutes)
◆ Requested Buckets – The number of samples to take.
3. Select an interface from the Port or Trunk list.
4. Enter the sample name, the interval, and the number of buckets requested.
5. Click Apply.
Figure 41: Configuring a History Sample
To show the configured entries for a history sample:
1. Click Interface, Port, Statistics, or Interface, Trunk, Statistics.
2. Select Show from the Action menu.
3. Select an interface from the Port or Trunk list.
Figure 43: Showing Status of Statistical History Sample
To show statistics for the current interval of a sample entry:
1. Click Interface, Port, Statistics, or Interface, Trunk, Statistics.
2. Select Show Details from the Action menu.
3. Select Current Entry from the options for Mode.
4. Select an interface from the Port or Trunk list.
5. Select a sampling entry from the Name list.
To show ingress or egress traffic statistics for a sample entry:
1. Click Interface, Port, Statistics, or Interface, Trunk, Statistics.
2. Select Show Details from the Action menu.
3. Select Input Previous Entry or Output Previous Entry from the options for Mode.
4. Select an interface from the Port or Trunk list.
5. Select a sampling entry from the Name list.
for Optical Transceivers. This information allows administrators to remotely diagnose problems with optical devices. This feature, referred to as Digital Diagnostic Monitoring (DDM), provides information on transceiver parameters.
WEB INTERFACE
To display identifying information and functional parameters for optical transceivers:
1. Click Interface, Port, Transceiver.
2. Select a port from the scroll-down list.
◆ "transceiver-threshold voltage" on page 1210
◆ "show interfaces transceiver-threshold" on page 1212
PARAMETERS
These parameters are displayed:
◆ Port – Port number. (Range: 1-28)
◆ General – Information on connector type and vendor-related parameters.
◆ DDM Information – Information on temperature, supply voltage, laser bias current, laser power, and received optical power.
Threshold values for alarm and warning messages can be configured as described below.
■ A high-threshold alarm or warning message is sent if the current value is greater than or equal to the threshold, and the last sample value was less than the threshold. After a rising event has been generated, another such event will not be generated until the sampled value has fallen below the high threshold and reaches the low threshold.
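As an added example (not code from the guide or the switch), the rising-event rule above as a small Python monitor for one DDM value such as temperature; the falling-event rule, which the guide describes after this passage, is assumed here to be the mirror image, and the class and method names are this example's own.

```python
class DdmThresholdMonitor:
    """Generate rising/falling events for one DDM value (e.g. temperature).

    Rising rule from the guide: an event fires when a sample is >= the high
    threshold and the previous sample was < it, and no further rising event
    fires until the value has dropped back to the low threshold. The falling
    rule is assumed to be the mirror image (this example's assumption).
    """

    def __init__(self, high, low):
        if low >= high:
            raise ValueError("low threshold must be below high threshold")
        self.high = high
        self.low = low
        self.last = None            # previous sample; the first sample only primes the monitor
        self.rising_armed = True    # False after a rising event until re-armed at the low threshold
        self.falling_armed = True   # False after a falling event until re-armed at the high threshold

    def sample(self, value):
        """Feed one sample; return "rising", "falling" or None."""
        event = None
        if self.last is not None:
            if self.rising_armed and value >= self.high and self.last < self.high:
                event = "rising"
                self.rising_armed = False
            elif self.falling_armed and value <= self.low and self.last > self.low:
                event = "falling"
                self.falling_armed = False
        # Re-arm only once the value has crossed back to the opposite threshold;
        # this is what keeps a value hovering around one threshold from flapping.
        if value <= self.low:
            self.rising_armed = True
        if value >= self.high:
            self.falling_armed = True
        self.last = value
        return event

    def events(self, samples):
        """Return [(index, event)] for every sample that produced an event."""
        out = []
        for i, value in enumerate(samples):
            ev = self.sample(value)
            if ev:
                out.append((i, ev))
        return out


if __name__ == "__main__":
    # Constructed temperature samples in degrees C, with a 70/60 threshold pair.
    print(DdmThresholdMonitor(high=70.0, low=60.0).events([65, 71, 69, 71, 59, 61, 72]))
```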
TRUNK CONFIGURATION
This section describes how to configure static and dynamic trunks. You can create multiple links between devices that work as one virtual, aggregate link. A port trunk offers a dramatic increase in bandwidth for network segments where bottlenecks exist, as well as providing a fault-tolerant link between two devices. You can create up to 6 trunks at a time on the switch.
CONFIGURING A STATIC TRUNK
Use the Interface > Trunk > Static page to create a trunk, assign member ports, and configure the connection parameters.
5. Set the unit and port for the initial trunk member.
6. Click Apply.
Figure 49: Creating Static Trunks
To add member ports to a static trunk:
1. Click Interface, Trunk, Static.
2. Select Configure Trunk from the Step list.
3. Select Add Member from the Action list.
4. Select a trunk identifier.
5. Set the unit and port for an additional trunk member.
6. Click Apply.
Figure 51: Configuring Connection Parameters for a Static Trunk
To display trunk connection parameters:
1. Click Interface, Trunk, Static.
2. Select Configure General from the Step list.
3. Select Show Information from the Action list.
CLI REFERENCES
◆ "Link Aggregation Commands" on page 1215
COMMAND USAGE
◆ To avoid creating a loop in the network, be sure you enable LACP before connecting the ports, and also disconnect the ports before disabling LACP.
◆ If the target switch has also enabled LACP on the connected ports, the trunk will be activated automatically.
◆ A trunk formed with another switch using LACP will automatically be assigned the next available trunk ID.
the transmit LACPDU interval to 1 second. When it receives an LACPDU set with a long timeout from the actor, it adjusts the transmit LACPDU interval to 30 seconds. If the actor does not receive an LACPDU from its partner before the configured timeout expires, the partner port information will be deleted from the LACP group. When a dynamic port-channel member leaves a port-channel, the default timeout value will be restored on that port.
NOTE: Configuring LACP settings for a port only applies to its administrative state, not its operational state, and will only take effect the next time an aggregate link is established with that port.
NOTE: Configuring the port partner sets the remote side of an aggregate link; i.e., the ports on the attached device. The command attributes have the same meaning as those used for the port actor.
Figure 55: Enabling LACP on a Port
To configure LACP parameters for group members:
1. Click Interface, Trunk, Dynamic.
2. Select Configure Aggregation Port from the Step list.
3. Select Configure from the Action list.
4. Click Actor or Partner.
5. Configure the required settings.
6. Click Apply.
To show the active members of a dynamic trunk:
1. Click Interface, Trunk, Dynamic.
2. Select Configure Trunk from the Step List.
3. Select Show Member from the Action List.
4. Select a Trunk.
Figure 57: Showing Members of a Dynamic Trunk
To configure connection parameters for a dynamic trunk:
1. Click Interface, Trunk, Dynamic.
2. Select Configure Trunk from the Step List.
3. Select Configure from the Action List.
4.
3. Select Show from the Action List.
Figure 59: Displaying Connection Parameters for Dynamic Trunks
DISPLAYING LACP PORT COUNTERS
Use the Interface > Trunk > Dynamic (Configure Aggregation Port - Show Information - Counters) page to display statistics for LACP protocol messages.
Figure 60: Displaying LACP Port Counters
DISPLAYING LACP SETTINGS AND STATUS FOR THE LOCAL SIDE
Use the Interface > Trunk > Dynamic (Configure Aggregation Port - Show Information - Internal) page to display the configuration settings and operational state for the local side of a link aggregation.
Table 9: LACP Internal Configuration Information (Continued)
Parameter | Description
◆ Aggregation – The system considers this link to be aggregatable; i.e., a potential candidate for aggregation.
◆ Long timeout – Periodic transmission of LACPDUs uses a slow transmission rate.
◆ LACP-Activity – Activity control value with regard to this link. (0: Passive; 1: Active)
WEB INTERFACE
To display LACP settings and status for the local side:
1.
DISPLAYING LACP SETTINGS AND STATUS FOR THE REMOTE SIDE
Use the Interface > Trunk > Dynamic (Configure Aggregation Port - Show Information - Neighbors) page to display the configuration settings and operational state for the remote side of a link aggregation.
Figure 62: Displaying LACP Port Remote Information
CONFIGURING LOAD BALANCING
Use the Interface > Trunk > Load Balance page to set the load-distribution method used among ports in aggregated links.
CLI REFERENCES
◆ "port channel load-balance" on page 992
COMMAND USAGE
◆ This command applies to all static and dynamic trunks on the switch.
trunk. This mode works best for switch-to-router trunk links where traffic through the switch is received from and destined for many different hosts.
■ Source and Destination MAC Address: All traffic with the same source and destination MAC address is output on the same link in a trunk. This mode works best for switch-to-switch trunk links where traffic through the switch is received from and destined for many different hosts.
Figure 63: Configuring Load Balancing
TRAFFIC SEGMENTATION
If tighter security is required for passing traffic from different clients through downlink ports on the local network and over uplink ports to the service provider, port-based traffic segmentation can be used to isolate traffic for individual clients. Data traffic on downlink ports is only forwarded to, and from, uplink ports.
3. Mark the Status check box, and set the required uplink-to-uplink mode.
4. Click Apply.
Figure 64: Enabling Traffic Segmentation
CONFIGURING UPLINK AND DOWNLINK PORTS
Use the Interface > Traffic Segmentation (Configure Session) page to assign the downlink and uplink ports to use in the segmented group. Ports designated as downlink ports can not communicate with any other ports on the switch except for the uplink ports.
◆ A port can only be assigned to one traffic-segmentation session.
◆ A downlink port can only communicate with an uplink port in the same session. Therefore, if an uplink port is not configured for a session, the assigned downlink ports will not be able to communicate with any other ports.
◆ If a downlink port is not configured for the session, the assigned uplink ports will operate as normal ports.
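As an added example (not code from the guide or the switch), the session rules above as a Python forwarding check that an operator can use to verify a planned segmentation layout before applying it; how the uplink-to-uplink mode behaves and whether uplink ports may reach unsegmented ports are assumptions of this example, as are the class and method names.

```python
class TrafficSegmentation:
    """Model of port-based traffic segmentation sessions.

    Rules taken from the guide: a port belongs to at most one session; a
    downlink port may exchange traffic only with an uplink port of the same
    session; uplinks with no downlinks behave as normal ports. Assumptions of
    this example: the uplink-to-uplink mode is either "blocking" or
    "forwarding", and uplinks may reach ports outside any session.
    """

    def __init__(self, uplink_to_uplink="blocking"):
        if uplink_to_uplink not in ("blocking", "forwarding"):
            raise ValueError("uplink_to_uplink must be 'blocking' or 'forwarding'")
        self.uplink_to_uplink = uplink_to_uplink
        self.sessions = {}      # session id -> {"uplink": set(), "downlink": set()}
        self.port_session = {}  # port -> session id

    def add_port(self, session, role, port):
        if role not in ("uplink", "downlink"):
            raise ValueError("role must be 'uplink' or 'downlink'")
        if port in self.port_session:   # guide: one session per port
            raise ValueError("port %d is already in session %d"
                             % (port, self.port_session[port]))
        group = self.sessions.setdefault(session, {"uplink": set(), "downlink": set()})
        group[role].add(port)
        self.port_session[port] = session

    def role_of(self, port):
        """Return (session, role), or (None, None) for an unsegmented port."""
        session = self.port_session.get(port)
        if session is None:
            return None, None
        role = "uplink" if port in self.sessions[session]["uplink"] else "downlink"
        return session, role

    def may_forward(self, src, dst):
        """True if a frame entering on src may leave on dst."""
        if src == dst:
            return False
        s_sess, s_role = self.role_of(src)
        d_sess, d_role = self.role_of(dst)
        if "downlink" in (s_role, d_role):
            # A downlink talks only to an uplink of its own session; this also
            # isolates the downlinks of a session that has no uplink at all.
            return s_sess == d_sess and {s_role, d_role} == {"uplink", "downlink"}
        if s_role == "uplink" and d_role == "uplink" and s_sess == d_sess:
            return self.uplink_to_uplink == "forwarding"
        return True   # unsegmented ports, or uplinks toward them (assumption)

    def isolated_downlinks(self):
        """Downlink ports that can reach nothing because their session has no uplink."""
        return sorted(p for s in self.sessions.values()
                      if not s["uplink"] for p in s["downlink"])


if __name__ == "__main__":
    # Constructed layout: session 1 = customer ports 1-2 behind uplink 25.
    seg = TrafficSegmentation()
    seg.add_port(1, "uplink", 25)
    seg.add_port(1, "downlink", 1)
    seg.add_port(1, "downlink", 2)
    print(seg.may_forward(1, 25), seg.may_forward(1, 2))   # True False
```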
To show the members of the traffic segmentation group:
1. Click Interface, Traffic Segmentation.
2. Select Configure Session from the Step list.
3. Select Show from the Action list.
Figure 66: Showing Traffic Segmentation Members
VLAN TRUNKING
Use the Interface > VLAN Trunking page to allow unknown VLAN groups to pass through the specified interface.
connecting VLANs 1 and 2, you only need to create these VLAN groups in switches A and B. Switches C, D and E automatically allow frames with VLAN group tags 1 and 2 (groups that are unknown to those switches) to pass through their VLAN trunking ports.
◆ VLAN trunking is mutually exclusive with the “access” switchport mode (see "Adding Static Members to VLANs" on page 231).
Figure 68: Configuring VLAN Trunking
6 VLAN CONFIGURATION
This chapter includes the following topics:
◆ IEEE 802.1Q VLANs – Configures static and dynamic VLANs.
◆ Private VLANs – Configures private VLANs, using primary for unrestricted upstream access and community groups which are restricted to other local group members or to the ports in the associated primary group.
◆ IEEE 802.
VLANs provide greater network efficiency by reducing broadcast traffic, and allow you to make network changes without having to update IP addresses or IP subnets. VLANs inherently provide a high level of network security since traffic must pass through a configured Layer 3 link to reach a different VLAN. This switch supports the following VLAN features:
◆ Up to 4094 VLANs based on the IEEE 802.
VLAN Classification – When the switch receives a frame, it classifies the frame in one of two ways. If the frame is untagged, the switch assigns the frame to an associated VLAN (based on the default VLAN ID of the receiving port). But if the frame is tagged, the switch uses the tagged VLAN ID to identify the port broadcast domain of the frame.
Figure 70: Using GVRP

[Figure: Port-based VLAN]

Forwarding Tagged/Untagged Frames

If you want to create a small port-based VLAN for devices attached directly to a single switch, you can assign ports to the same untagged VLAN. However, to participate in a VLAN group that crosses several switches, you should create a VLAN for that group and enable tagging on all ports.
◆ Remote VLAN – Reserves this VLAN for RSPAN (see "Configuring Remote Port Mirroring" on page 188).
◆ L3 Interface – Sets the interface to support Layer 3 configuration, and reserves memory space required to maintain additional information about this interface type. This parameter must be enabled before you can assign an IP address to a VLAN (see "Setting the Switch’s IP Address (IP Version 4)" on page 691).
Figure 71: Creating Static VLANs

To modify the configuration settings for VLAN groups:
1. Click VLAN, Static.
2. Select Modify from the Action list.
3. Select the identifier of a configured VLAN.
4. Modify the VLAN name, operational status, or Layer 3 Interface status as required.
5. Click Apply.
To show the configuration settings for VLAN groups:
1. Click VLAN, Static.
2. Select Show from the Action list.

Figure 73: Showing Static VLANs

ADDING STATIC MEMBERS TO VLANS

Use the VLAN > Static pages to configure port members for the selected VLAN index, interface, or a range of interfaces.
belonging to the port’s default VLAN (i.e., associated with the PVID) are also transmitted as tagged frames.
◆ PVID – VLAN ID assigned to untagged frames received on the interface. (Default: 1) If an interface is not a member of VLAN 1 and you assign its PVID to this VLAN, the interface will automatically be added to VLAN 1 as an untagged member.
NOTE: VLAN 1 is the default untagged VLAN containing all ports on the switch.

Edit Member by Interface
All parameters are the same as those described under the preceding section for Edit Member by VLAN.

Edit Member by Interface Range
All parameters are the same as those described under the earlier section for Edit Member by VLAN, except for the items shown below.
◆ Port Range – Displays a list of ports.
Figure 74: Configuring Static Members by VLAN Index

To configure static members by interface:
1. Click VLAN, Static.
2. Select Edit Member by Interface from the Action list.
3. Select a port or trunk to configure.
4. Modify the settings for any interface as required.
5. Click Apply.

Figure 75: Configuring Static VLAN Members by Interface

To configure static members by interface range:
1. Click VLAN, Static.
2.
3. Set the Interface type to display as Port or Trunk.
4. Enter an interface range.
5. Modify the VLAN parameters as required. Remember that the PVID, acceptable frame type, and ingress filtering parameters for each interface within the specified range must be configured on either the Edit Member by VLAN or Edit Member by Interface page.
6. Click Apply.
◆ GVRP Status – Enables/disables GVRP for the interface. GVRP must be globally enabled for the switch before this setting can take effect (using the Configure General page). When disabled, any GVRP packets received on this port will be discarded and no GVRP registrations will be propagated from other ports.
Figure 77: Configuring Global Status of GVRP

To configure GVRP status and timers on a port or trunk:
1. Click VLAN, Dynamic.
2. Select Configure Interface from the Step list.
3. Set the Interface type to display as Port or Trunk.
4. Modify the GVRP status or timers for any interface.
5. Click Apply.

Figure 78: Configuring GVRP for an Interface

To show the dynamic VLANs joined by this switch:
1. Click VLAN, Dynamic.
2.
CHAPTER 6 | VLAN Configuration Private VLANs

Figure 79: Showing Dynamic VLANs Registered on the Switch

To show the members of a dynamic VLAN:
1. Click VLAN, Dynamic.
2. Select Show Dynamic VLAN from the Step list.
3. Select Show VLAN Members from the Action list.

Figure 80: Showing the Members of a Dynamic VLAN

PRIVATE VLANS

Private VLANs provide port-based security and isolation of local ports contained within different private VLAN groups.
To configure primary/secondary associated groups, follow these steps:
1. Use the Configure VLAN (Add) page to designate one or more community VLANs, and the primary VLAN that will channel traffic outside of the VLAN groups.
2. Use the Configure VLAN (Add Community VLAN) page to map a community VLAN to the primary VLAN.
3. Use the Configure Interface page to set the port type to promiscuous (i.e., having access to all ports in the primary VLAN), or host (i.e.
Figure 81: Configuring Private VLANs

To display a list of private VLANs in the web interface:
1. Click VLAN, Private.
2. Select Configure VLAN from the Step list.
3. Select Show from the Action list.

Figure 82: Showing Private VLANs

NOTE: All member ports must be removed from the VLAN before it can be deleted.

ASSOCIATING PRIVATE VLANS

Use the VLAN > Private (Configure VLAN - Add Community VLAN) page to associate each community VLAN with a primary VLAN.
WEB INTERFACE
To associate a community VLAN with a primary VLAN in the web interface:
1. Click VLAN, Private.
2. Select Configure VLAN from the Step list.
3. Select Add Community VLAN from the Action list.
4. Select an entry from the Primary VLAN list.
5. Select an entry from the Community VLAN list to associate it with the selected primary VLAN. Note that a community VLAN can only be associated with one primary VLAN.
6. Click Apply.
CONFIGURING PRIVATE VLAN INTERFACES

Use the VLAN > Private (Configure Interface) page to set the private VLAN interface type, and assign the interfaces to a private VLAN.

CLI REFERENCES
◆ "switchport private-vlan mapping" on page 1370
◆ "switchport private-vlan host-association" on page 1370

PARAMETERS
These parameters are displayed in the web interface:
◆ Interface – Displays a list of ports or trunks.
◆ Port – Port Identifier.
CHAPTER 6 | VLAN Configuration IEEE 802.1Q Tunneling

7. Click Apply.

Figure 85: Configuring Interfaces for Private VLANs

IEEE 802.1Q TUNNELING

IEEE 802.1Q Tunneling (QinQ) is designed for service providers carrying traffic for multiple customers across their networks. QinQ tunneling is used to maintain customer-specific VLAN and Layer 2 protocol configurations even when different customers use the same internal VLAN IDs.
When a double-tagged packet enters another trunk port in an intermediate or core switch in the service provider’s network, the outer tag is stripped for packet processing. When the packet exits another trunk port on the same core switch, the same SPVLAN tag is again added to the packet. When a packet enters the trunk port on the service provider’s egress switch, the outer tag is again stripped for packet processing.
3. After packet classification through the switching process, the packet is written to memory with one tag (an outer tag) or with two tags (both an outer tag and inner tag).
4. The switch sends the packet to the proper egress port.
5. If the egress port is an untagged member of the SPVLAN, the outer tag will be stripped. If it is a tagged member, the outgoing packets will have two tags.
7. The switch sends the packet to the proper egress port.
8. If the egress port is an untagged member of the SPVLAN, the outer tag will be stripped. If it is a tagged member, the outgoing packet will have two tags.

Configuration Limitations for QinQ
◆ The native VLAN of uplink ports should not be used as the SPVLAN. If the SPVLAN is the uplink port's native VLAN, the uplink port must be an untagged member of the SPVLAN.
6. Configure the QinQ tunnel uplink port to Uplink mode (see "Adding an Interface to a QinQ Tunnel" on page 250).
7. Configure the QinQ tunnel uplink port to join the SPVLAN as a tagged member (see "Adding Static Members to VLANs" on page 231).

ENABLING QINQ TUNNELING ON THE

Use the VLAN > Tunnel (Configure Global) page to configure the switch to operate in IEEE 802.
Figure 87: Enabling QinQ Tunneling

CREATING CVLAN TO SPVLAN

Use the VLAN > Tunnel (Configure Service) page to create a CVLAN to SPVLAN mapping entry.
◆ Service VLAN ID – VLAN ID for the outer VLAN tag. (Range: 1-4094)

WEB INTERFACE
To configure a mapping entry:
1. Click VLAN, Tunnel.
2. Select Configure Service from the Step list.
3. Select Add from the Action list.
4. Select an interface from the Port list.
5. Specify the CVID to SVID mapping for packets exiting the specified port.
6. Click Apply.

Figure 88: Configuring CVLAN to SPVLAN Mapping Entries

To show the mapping table:
1.
The preceding example sets the SVID to 99 in the outer tag for egress packets exiting port 1 when the packet’s CVID is 2. For a more detailed example, see the switchport dot1q-tunnel service match cvid command.

ADDING AN INTERFACE TO A QINQ TUNNEL

Follow the guidelines in the preceding section to set up a QinQ tunnel on the switch. Then use the VLAN > Tunnel (Configure Interface) page to set the tunnel mode for any participating interface.
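The tag handling described in this section (an outer SPVLAN tag is pushed when a customer frame enters the tunnel, stripped and re-added as the frame transits a core switch, and stripped on egress for untagged SPVLAN members), together with the guide's mapping entry above (port 1, CVID 2 maps to SVID 99), as an added Python example. This is not code from the switch or its guide; the outer-tag TPID (0x8100 here) and the use of a per-port default SPVLAN for frames with no mapping entry are assumptions of this example.

```python
"""QinQ (IEEE 802.1Q tunneling) tag handling on a service-provider edge.

Added example, not code from the switch or its guide. The outer-tag TPID
(0x8100 below) and the per-port default SPVLAN are assumptions of this
example; the (port 1, CVID 2 -> SVID 99) entry is the guide's own example.
"""
import struct
from typing import Dict, List, Optional, Tuple

TPIDS = {0x8100, 0x88A8, 0x9100}   # EtherTypes that introduce an 802.1Q tag
TAG_OFFSET = 12                    # tags sit right after the 6-byte dst and src MACs


def parse_tags(frame: bytes) -> List[Tuple[int, int, int]]:
    """Return [(tpid, pcp, vid), ...] for every stacked tag, outermost first."""
    tags = []
    off = TAG_OFFSET
    while off + 4 <= len(frame):
        tpid, tci = struct.unpack_from("!HH", frame, off)
        if tpid not in TPIDS:
            break                  # reached the real EtherType: no more tags
        tags.append((tpid, tci >> 13, tci & 0x0FFF))
        off += 4
    return tags


def push_tag(frame: bytes, vid: int, pcp: int = 0, tpid: int = 0x8100) -> bytes:
    """Insert a new outermost tag (how the SPVLAN tag is added on tunnel ingress)."""
    if not 1 <= vid <= 4094:
        raise ValueError(f"VID {vid} out of range 1-4094")
    tci = ((pcp & 0x7) << 13) | vid
    return frame[:TAG_OFFSET] + struct.pack("!HH", tpid, tci) + frame[TAG_OFFSET:]


def pop_tag(frame: bytes) -> bytes:
    """Strip the outermost tag, if there is one (outer-tag removal on core/egress ports)."""
    if parse_tags(frame):
        return frame[:TAG_OFFSET] + frame[TAG_OFFSET + 4:]
    return frame


class TunnelEdge:
    """Customer-facing tunnel access ports of the provider's ingress switch."""

    def __init__(self, default_spvlan: Dict[int, int]) -> None:
        self.default_spvlan = default_spvlan                           # port -> SPVLAN (assumed)
        self.service_map: Dict[Tuple[int, Optional[int]], int] = {}   # (port, cvid) -> svid

    def add_service(self, port: int, cvid: int, svid: int) -> None:
        """One CVLAN-to-SPVLAN mapping entry, as on the Configure Service page."""
        self.service_map[(port, cvid)] = svid

    def ingress(self, port: int, frame: bytes) -> bytes:
        """A customer frame arrives: choose the SPVLAN and add it as the outer tag."""
        tags = parse_tags(frame)
        cvid = tags[0][2] if tags else None          # customer VID when the frame is tagged
        svid = self.service_map.get((port, cvid), self.default_spvlan[port])
        return push_tag(frame, svid)

    @staticmethod
    def egress(frame: bytes, tagged_member: bool) -> bytes:
        """Frame leaves on an SPVLAN port: untagged members get the outer tag stripped."""
        return frame if tagged_member else pop_tag(frame)


def core_switch_transit(frame: bytes) -> bytes:
    """Core switch: the outer tag is stripped for processing and the same tag re-added on exit."""
    tags = parse_tags(frame)
    if not tags:
        return frame
    tpid, pcp, svid = tags[0]
    inner = pop_tag(frame)          # switching decisions are made on the inner frame
    return push_tag(inner, svid, pcp, tpid)


def build_frame(dst: str, src: str, ethertype: int = 0x0800, payload: bytes = b"") -> bytes:
    """Constructed untagged Ethernet frame for demonstration."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    return mac(dst) + mac(src) + struct.pack("!H", ethertype) + payload


if __name__ == "__main__":
    edge = TunnelEdge({1: 100})
    edge.add_service(1, 2, 99)
    customer = push_tag(build_frame("ff:ff:ff:ff:ff:ff", "00:00:5e:00:53:01", payload=b"\x00" * 4), 2)
    out = edge.ingress(1, customer)
    print(parse_tags(out))                                   # outer 99, inner 2
    print(parse_tags(TunnelEdge.egress(out, tagged_member=False)))   # only the customer tag
```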
CHAPTER 6 | VLAN Configuration Protocol VLANs

4. Click Apply.

Figure 90: Adding an Interface to a QinQ Tunnel

PROTOCOL VLANS

The network devices required to support multiple protocols cannot be easily grouped into a common VLAN. This may require non-standard devices to pass traffic between different VLANs in order to encompass all the devices participating in a specific protocol. This kind of configuration deprives users of the basic benefits of VLANs, including security and easy accessibility.
CONFIGURING PROTOCOL VLAN GROUPS

Use the VLAN > Protocol (Configure Protocol - Add) page to create protocol groups.

CLI REFERENCES
◆ "protocol-vlan protocol-group (Configuring Groups)" on page 1372

PARAMETERS
These parameters are displayed:
◆ Frame Type – Choose either Ethernet, RFC 1042, or LLC Other as the frame type used by this protocol.
◆ Protocol Type – Specifies the protocol type to match. The available options are IP, ARP, RARP and IPv6.
Figure 91: Configuring Protocol VLANs

To configure a protocol group:
1. Click VLAN, Protocol.
2. Select Configure Protocol from the Step list.
3. Select Show from the Action list.

Figure 92: Displaying Protocol VLANs

MAPPING PROTOCOL GROUPS TO INTERFACES

Use the VLAN > Protocol (Configure Interface - Add) page to map a protocol group to a VLAN for each interface that will participate in the group.
◆ When a frame enters a port that has been assigned to a protocol VLAN, it is processed in the following manner:
■ If the frame is tagged, it will be processed according to the standard rules applied to tagged frames.
■ If the frame is untagged and the protocol type matches, the frame is forwarded to the appropriate VLAN.
■ If the frame is untagged but the protocol type does not match, the frame is forwarded to the default VLAN for this interface.
Figure 93: Assigning Interfaces to Protocol VLANs

To show the protocol groups mapped to a port or trunk:
1. Click VLAN, Protocol.
2. Select Configure Interface from the Step list.
3. Select Show from the Action list.
4. Select a port or trunk.
CHAPTER 6 | VLAN Configuration Configuring IP Subnet VLANs

CONFIGURING IP SUBNET VLANS

Use the VLAN > IP Subnet page to configure IP subnet-based VLANs. When using port-based classification, all untagged frames received by a port are classified as belonging to the VLAN whose VID (PVID) is associated with that port. When IP subnet-based VLAN classification is enabled, the source address of each untagged ingress frame is checked against the IP subnet-to-VLAN mapping table.
WEB INTERFACE
To map an IP subnet to a VLAN:
1. Click VLAN, IP Subnet.
2. Select Add from the Action list.
3. Enter an address in the IP Address field.
4. Enter a mask in the Subnet Mask field.
5. Enter the identifier in the VLAN field. Note that the specified VLAN need not already be configured.
6. Enter a value to assign to untagged frames in the Priority field.
7. Click Apply.
CHAPTER 6 | VLAN Configuration Configuring MAC-based VLANs

CONFIGURING MAC-BASED VLANS

Use the VLAN > MAC-Based page to configure VLANs based on MAC addresses. The MAC-based VLAN feature assigns VLAN IDs to ingress untagged frames according to source MAC addresses. When MAC-based VLAN classification is enabled, untagged frames received by a port are assigned to the VLAN which is mapped to the frame’s source MAC address.
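The ingress classification rules given in this chapter (a tagged frame is assigned by its VID; an untagged frame is matched against the MAC-based, IP subnet and protocol VLAN tables and otherwise joins the port's PVID), as an added Python example that is not code from the switch or its guide. The order in which the three untagged lookups are tried, and longest-prefix matching for the subnet table, are assumptions of this example; the guide describes each rule separately.

```python
"""Ingress VLAN classification for tagged and untagged frames.

Added example, not code from the switch or its guide. The guide states
each rule on its own (PVID fallback, protocol VLAN, IP subnet VLAN,
MAC-based VLAN); the order in which the untagged lookups are tried
below, and longest-prefix matching for subnets, are assumptions here.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, FrozenSet, List, Optional, Tuple

# Protocol types a protocol-VLAN group on this switch can match
ETHERTYPE = {"IP": 0x0800, "ARP": 0x0806, "RARP": 0x8035, "IPv6": 0x86DD}


@dataclass(frozen=True)
class Frame:
    src_mac: str
    ethertype: int
    vid: Optional[int] = None      # 802.1Q VID; None when the frame is untagged
    src_ip: Optional[str] = None   # set for IP frames only


@dataclass
class PortConfig:
    pvid: int = 1                                  # guide default: PVID 1
    acceptable_frame_type: str = "all"             # "all" or "tagged"
    ingress_filtering: bool = False
    member_vlans: FrozenSet[int] = frozenset({1})  # VLAN 1 is the default untagged VLAN
    protocol_vlans: Dict[int, int] = field(default_factory=dict)  # ethertype -> VID


class VlanClassifier:
    def __init__(self) -> None:
        self.mac_vlans: Dict[str, int] = {}                    # source MAC -> VID
        self.subnet_vlans: List[Tuple[IPv4Network, int]] = []  # (subnet, VID)

    def add_mac_vlan(self, mac: str, vid: int) -> None:
        self.mac_vlans[mac.lower()] = vid

    def add_subnet_vlan(self, subnet: str, vid: int) -> None:
        self.subnet_vlans.append((IPv4Network(subnet), vid))
        # most specific subnet first (assumption of this example)
        self.subnet_vlans.sort(key=lambda e: e[0].prefixlen, reverse=True)

    def classify(self, frame: Frame, port: PortConfig) -> Tuple[Optional[int], str]:
        """Return (VID, reason); VID is None when the frame is discarded."""
        if frame.vid is not None:
            # Tagged frame: the tag identifies the broadcast domain. With ingress
            # filtering on, tags for VLANs this port is not a member of are dropped.
            if port.ingress_filtering and frame.vid not in port.member_vlans:
                return None, "dropped: ingress filtering"
            return frame.vid, "tagged"
        if port.acceptable_frame_type == "tagged":
            return None, "dropped: only tagged frames accepted"
        vid = self.mac_vlans.get(frame.src_mac.lower())
        if vid is not None:
            return vid, "mac-based"
        if frame.src_ip is not None:
            addr = IPv4Address(frame.src_ip)
            for subnet, subnet_vid in self.subnet_vlans:
                if addr in subnet:
                    return subnet_vid, "ip-subnet"
        vid = port.protocol_vlans.get(frame.ethertype)
        if vid is not None:
            return vid, "protocol"
        # No table matched: the untagged frame joins the port's default VLAN
        return port.pvid, "pvid"


if __name__ == "__main__":
    clf = VlanClassifier()
    clf.add_mac_vlan("00:11:22:33:44:55", 20)       # constructed sample entries
    clf.add_subnet_vlan("10.1.0.0/16", 30)
    port = PortConfig(pvid=1, ingress_filtering=True,
                      member_vlans=frozenset({1, 20, 30, 40, 50}),
                      protocol_vlans={ETHERTYPE["ARP"]: 40})
    print(clf.classify(Frame("aa:bb:cc:dd:ee:01", ETHERTYPE["IP"], src_ip="10.1.2.3"), port))
```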
CHAPTER 6 | VLAN Configuration Configuring VLAN Translation

6. Click Apply.

Figure 97: Configuring MAC-Based VLANs

To show the MAC addresses mapped to a VLAN:
1. Click VLAN, MAC-Based.
2. Select Show from the Action list.

Figure 98: Showing MAC-Based VLANs

CONFIGURING VLAN TRANSLATION

Use the VLAN > Translation (Add) page to map VLAN IDs between the customer and service provider for networks that do not support IEEE 802.1Q tunneling.
to 100 to map VLAN 10 to VLAN 100 for upstream traffic entering port 1, and VLAN 100 to VLAN 10 for downstream traffic leaving port 1 as shown below.

Figure 99: Configuring VLAN Translation
[Figure: port 1 carries VLAN 10 on the customer side and VLAN 100 toward port 2; upstream traffic is translated 10 to 100, downstream traffic 100 to 10]

◆ The maximum number of VLAN translation entries is 8 per port, and up to 96 for the system.
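The translation entry above (VLAN 10 rewritten to VLAN 100 for upstream traffic entering port 1, and 100 back to 10 for downstream traffic leaving it), with the per-port and system limits enforced, as an added Python example that is not the switch's own code. The direction names follow the text; the rejection of conflicting entries on the same port is an assumption of this example.

```python
"""Per-port VLAN translation table with the limits stated for this switch
(8 entries per port, 96 system-wide). Added example, not the switch's
code; rejecting a second entry that reuses a VID on the same port is an
assumption of this example."""
from typing import Dict, Tuple

MAX_PER_PORT = 8
MAX_SYSTEM = 96


class VlanTranslation:
    def __init__(self) -> None:
        # (port, customer VID) -> provider VID, applied to upstream traffic entering the port
        self.upstream: Dict[Tuple[int, int], int] = {}
        # (port, provider VID) -> customer VID, applied to downstream traffic leaving the port
        self.downstream: Dict[Tuple[int, int], int] = {}

    def add(self, port: int, old_vid: int, new_vid: int) -> None:
        for v in (old_vid, new_vid):
            if not 1 <= v <= 4094:
                raise ValueError(f"VID {v} out of range 1-4094")
        if (port, old_vid) in self.upstream or (port, new_vid) in self.downstream:
            raise ValueError(f"port {port}: VID {old_vid} or {new_vid} already translated")
        if sum(1 for p, _ in self.upstream if p == port) >= MAX_PER_PORT:
            raise ValueError(f"port {port}: at most {MAX_PER_PORT} translation entries")
        if len(self.upstream) >= MAX_SYSTEM:
            raise ValueError(f"at most {MAX_SYSTEM} translation entries system-wide")
        self.upstream[(port, old_vid)] = new_vid
        self.downstream[(port, new_vid)] = old_vid

    def translate_ingress(self, port: int, vid: int) -> int:
        """Upstream: the customer VID in the tag is rewritten to the provider VID."""
        return self.upstream.get((port, vid), vid)

    def translate_egress(self, port: int, vid: int) -> int:
        """Downstream: the provider VID is rewritten back to the customer VID."""
        return self.downstream.get((port, vid), vid)


if __name__ == "__main__":
    table = VlanTranslation()
    table.add(1, 10, 100)                      # the guide's example entry
    print(table.translate_ingress(1, 10))      # 100
    print(table.translate_egress(1, 100))      # 10
```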
Figure 100: Configuring VLAN Translation

To show the mapping entries for VLAN translation:
1. Click VLAN, Translation.
2. Select Show from the Action list.
7 ADDRESS TABLE SETTINGS

Switches store the addresses for all known devices. This information is used to pass traffic directly between the inbound and outbound ports. All the addresses learned by monitoring traffic are stored in the dynamic address table. You can also manually configure static addresses that are bound to a specific port.

This chapter describes the following topics:
◆ MAC Address Learning – Enables or disables address learning on an interface.
CHAPTER 7 | Address Table Settings Configuring MAC Address Learning

◆ Also note that MAC address learning cannot be disabled if any of the following conditions exist:
■ 802.1X Port Authentication has been globally enabled on the switch (see "Configuring 802.1X Global Settings" on page 424).
■ Security Status (see "Configuring Port Security" on page 420) is enabled on the same interface.

PARAMETERS
These parameters are displayed:
◆ Interface – Displays a list of ports or trunks.
CHAPTER 7 | Address Table Settings Setting Static Addresses

SETTING STATIC ADDRESSES

Use the MAC Address > Static page to configure static MAC addresses. A static address can be assigned to a specific interface on this switch. Static addresses are bound to the assigned interface and will not be moved. When a static address is seen on another interface, the address will be ignored and will not be written to the address table.
WEB INTERFACE
To configure a static MAC address:
1. Click MAC Address, Static.
2. Select Add from the Action list.
3. Specify the VLAN, the port or trunk to which the address will be assigned, the MAC address, and the time to retain this entry.
4. Click Apply.

Figure 103: Configuring Static MAC Addresses

To show the static addresses in the MAC address table:
1. Click MAC Address, Static.
2. Select Show from the Action list.
CHAPTER 7 | Address Table Settings Changing the Aging Time

CHANGING THE AGING TIME

Use the MAC Address > Dynamic (Configure Aging) page to set the aging time for entries in the dynamic address table. The aging time is used to age out dynamically learned forwarding information.

CLI REFERENCES
◆ "mac-address-table aging-time" on page 1271

PARAMETERS
These parameters are displayed:
◆ Aging Status – Enables/disables the function.
◆ Aging Time – The time after which a learned entry is discarded.
CHAPTER 7 | Address Table Settings Displaying the Dynamic Address Table

DISPLAYING THE DYNAMIC ADDRESS TABLE

Use the MAC Address > Dynamic (Show Dynamic MAC) page to display the MAC addresses learned by monitoring the source address for traffic entering the switch. When the destination address for inbound traffic is found in the database, the packets intended for that address are forwarded directly to the associated port. Otherwise, the traffic is flooded to all ports.
CHAPTER 7 | Address Table Settings Clearing the Dynamic Address Table

Figure 106: Displaying the Dynamic MAC Address Table

CLEARING THE DYNAMIC ADDRESS TABLE

Use the MAC Address > Dynamic (Clear Dynamic MAC) page to remove any learned entries from the forwarding database.
Figure 107: Clearing Entries in the Dynamic MAC Address Table
8 SPANNING TREE ALGORITHM

This chapter describes the following basic topics:
◆ Loopback Detection – Configures detection and response to loopback BPDUs.
◆ Global Settings for STA – Configures global bridge settings for STP, RSTP and MSTP.
◆ Interface Settings for STA – Configures interface settings for STA, including priority, path cost, link type, and designation as an edge port.
CHAPTER 8 | Spanning Tree Algorithm Overview

lowest cost spanning tree, it enables all root ports and designated ports, and disables all other ports. Network packets are therefore only forwarded between root ports and designated ports, eliminating any possible network loops.
Figure 109: MSTP Region, Internal Spanning Tree, Multiple Spanning Tree
[Figure: Region R containing the IST (for this Region), MST 1 and MST 2]

An MST Region consists of a group of interconnected bridges that have the same MST Configuration Identifiers (including the Region Name, Revision Level and Configuration Digest – see "Configuring Multiple Spanning Trees" on page 289). An MST Region may contain multiple MSTP Instances.
CHAPTER 8 | Spanning Tree Algorithm Configuring Loopback Detection

CONFIGURING LOOPBACK DETECTION

Use the Spanning Tree > Loopback Detection page to configure loopback detection on an interface. When loopback detection is enabled and a port or trunk receives its own BPDU, the detection agent drops the loopback BPDU, sends an SNMP trap, and places the interface in discarding mode. This loopback state can be released manually or automatically.
◆ Shutdown Interval – The duration to shut down the interface. (Range: 60-86400 seconds; Default: 60 seconds) If an interface is shut down due to a detected loopback, and the release mode is set to “Auto,” the selected interface will be automatically enabled when the shutdown interval has expired.
CHAPTER 8 | Spanning Tree Algorithm Configuring Global Settings for STA

CONFIGURING GLOBAL SETTINGS FOR STA

Use the Spanning Tree > STA (Configure Global - Configure) page to configure global settings for the spanning tree that apply to the entire switch.

CLI REFERENCES
◆ "Spanning Tree Commands" on page 1277

COMMAND USAGE
◆ Spanning Tree Protocol – This option uses RSTP set to STP forced compatibility mode. It uses RSTP for the internal state machine, but sends only 802.1D BPDUs.
■ Be careful when switching between spanning tree modes. Changing modes stops all spanning-tree instances for the previous mode and restarts the system in the new mode, temporarily disrupting user traffic.

PARAMETERS
These parameters are displayed:

Basic Configuration of Global Settings
◆ Spanning Tree Status – Enables/disables STA on this switch.
◆ Path Cost Method – The path cost is used to determine the best path between devices. The path cost method is used to determine the range of values that can be assigned to each interface.
■ Long: Specifies 32-bit based values that range from 1-200,000,000. (This is the default.)
■ Short: Specifies 16-bit based values that range from 1-65535.
Configuration Settings for MSTP
◆ Max Instance Numbers – The maximum number of MSTP instances to which this switch can be assigned.
◆ Configuration Digest – An MD5 signature key that contains the VLAN ID to MST ID mapping table. In other words, this key is a mapping of all VLANs to the CIST.
◆ Region Revision – The revision for this MSTI. (Range: 0-65535; Default: 0)
◆ Region Name – The name for this MSTI.
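How the Configuration Digest above is derived from the VLAN-to-MST-ID mapping table, and why bridges whose tables differ in a single VLAN end up in separate regions, as an added Python example that is not the switch's own code. It implements the IEEE 802.1s calculation (HMAC-MD5 over the 4096-entry mapping table with the signature key fixed by the standard); the MstRegion helper is a construct of this example.

```python
"""IEEE 802.1s MST Configuration Identifier: the Configuration Digest is
an HMAC-MD5 over the VLAN-to-MSTI mapping table, keyed with the signature
key fixed by the standard. Added example, not the switch's own code; the
MstRegion helper is a construct of this example."""
import hashlib
import hmac
import struct
from dataclasses import dataclass, field
from typing import Dict

# Signature key defined by IEEE 802.1s for computing the configuration digest
MST_SIGNATURE_KEY = bytes.fromhex("13AC06A62E47FD51F95D2BA243CD0346")


def mst_config_digest(vlan_to_msti: Dict[int, int]) -> str:
    """Return the digest as the 32-hex-digit string switch CLIs display.

    The configuration table is 4096 two-octet big-endian entries, one per
    VID 0..4095, each holding the MSTI that VID maps to. VIDs not listed
    stay in the CIST (MSTI 0), so the all-zero table gives the well-known
    default digest AC36177F50283CD4B83821D8AB26DE62.
    """
    table = bytearray(4096 * 2)
    for vid, msti in vlan_to_msti.items():
        if not 1 <= vid <= 4094:
            raise ValueError(f"VID {vid} out of range 1-4094")
        if not 0 <= msti <= 4094:
            raise ValueError(f"MSTI {msti} out of range 0-4094")
        struct.pack_into("!H", table, vid * 2, msti)
    return hmac.new(MST_SIGNATURE_KEY, bytes(table), hashlib.md5).hexdigest().upper()


@dataclass
class MstRegion:
    """The three identifiers that must match for bridges to share an MST region."""
    name: str
    revision: int                                   # 0-65535 per the guide
    vlan_to_msti: Dict[int, int] = field(default_factory=dict)

    @property
    def digest(self) -> str:
        return mst_config_digest(self.vlan_to_msti)

    def same_region(self, other: "MstRegion") -> bool:
        # A bridge whose table differs in even one VLAN computes a different
        # digest and therefore forms a separate region on the other side of the link.
        return (self.name == other.name
                and self.revision == other.revision
                and self.digest == other.digest)


if __name__ == "__main__":
    print(mst_config_digest({}))                         # default: everything in the CIST
    a = MstRegion("CORE", 0, {10: 1, 20: 2})            # constructed sample regions
    b = MstRegion("CORE", 0, {10: 1})
    print(a.digest, b.digest, a.same_region(b))
```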
Figure 112: Configuring Global Settings for STA (STP)

Figure 113: Configuring Global Settings for STA (RSTP)
CHAPTER 8 | Spanning Tree Algorithm Displaying Global Settings for STA

Figure 114: Configuring Global Settings for STA (MSTP)

DISPLAYING GLOBAL SETTINGS FOR STA

Use the Spanning Tree > STA (Configure Global - Show Information) page to display a summary of the current bridge STA information that applies to the entire switch.
CHAPTER 8 | Spanning Tree Algorithm Configuring Interface Settings for STA

◆ Root Port – The number of the port on this switch that is closest to the root. This switch communicates with the root device through this port. If there is no root port, then this switch has been accepted as the root device of the Spanning Tree network.
◆ Root Path Cost – The path cost from the root port on this switch to the root device.
◆ Configuration Changes – The number of times the Spanning Tree has been reconfigured.
CLI REFERENCES
◆ "Spanning Tree Commands" on page 1277

PARAMETERS
These parameters are displayed:
◆ Interface – Displays a list of ports or trunks.
◆ Spanning Tree – Enables/disables STA on this interface. (Default: Enabled)
◆ BPDU Flooding – Enables/disables the flooding of BPDUs to other ports when global spanning tree is disabled (page 276) or when spanning tree is disabled on a specific port.
Table 13: Default STA Path Costs

Port Type          Short Path Cost (IEEE 802.1D-1998)   Long Path Cost (802.1D-2004)
Ethernet           65,535                               1,000,000
Fast Ethernet      65,535                               100,000
Gigabit Ethernet   10,000                               10,000
10G Ethernet       1,000                                1,000

◆ Admin Link Type – The link type attached to this interface.
■ Point-to-Point – A connection to exactly one other bridge.
■ Shared – A connection to two or more bridges.
An interface cannot function as an edge port under the following conditions:
■ If spanning tree mode is set to STP (page 276), edge-port mode cannot automatically transition to operational edge-port state using the automatic setting.
■ If loopback detection is enabled (page 274) and a loopback BPDU is detected, the interface cannot function as an edge port until the loopback state is released.
CHAPTER 8 | Spanning Tree Algorithm Displaying Interface Settings for STA

Figure 116: Configuring Interface Settings for STA

DISPLAYING INTERFACE SETTINGS FOR STA

Use the Spanning Tree > STA (Configure Interface - Show Information) page to display the current status of ports or trunks in the Spanning Tree.

CLI REFERENCES
◆ "show spanning-tree" on page 1302

PARAMETERS
These parameters are displayed:
◆ Spanning Tree – Shows if STA has been enabled on this interface.
The rules defining port status are:
■ A port on a network segment with no other STA compliant bridging device is always forwarding.
■ If two ports of a switch are connected to the same segment and there is no other STA device attached to this segment, the port with the smaller ID forwards packets and the other is discarding.
Figure 117: STA Port Roles
R: Root Port, A: Alternate Port, D: Designated Port, B: Backup Port
An alternate port receives more useful BPDUs from another bridge and is therefore not selected as the designated port.
A backup port receives more useful BPDUs from the same bridge and is therefore not selected as the designated port.

WEB INTERFACE
To display interface settings for STA:
1.
CHAPTER 8 | Spanning Tree Algorithm Configuring Multiple Spanning Trees

CONFIGURING MULTIPLE SPANNING TREES

Use the Spanning Tree > MSTP (Configure Global) page to create an MSTP instance, or to add VLAN groups to an MSTP instance.

CLI REFERENCES
◆ "Spanning Tree Commands" on page 1277

COMMAND USAGE
MSTP generates a unique spanning tree for each instance.
WEB INTERFACE
To create instances for MSTP:
1. Click Spanning Tree, MSTP.
2. Select Configure Global from the Step list.
3. Select Add from the Action list.
4. Specify the MST instance identifier and the initial VLAN member. Additional members can be added using the Spanning Tree > MSTP (Configure Global - Add Member) page. If the priority is not specified, the default value 32768 is used.
5. Click Apply.
To modify the priority for an MST instance:
1. Click Spanning Tree, MSTP.
2. Select Configure Global from the Step list.
3. Select Modify from the Action list.
4. Modify the priority for an MSTP Instance.
5. Click Apply.

Figure 121: Modifying the Priority for an MST Instance

To display global settings for MSTP:
1. Click Spanning Tree, MSTP.
2. Select Configure Global from the Step list.
3.
To add additional VLAN groups to an MSTP instance:
1. Click Spanning Tree, MSTP.
2. Select Configure Global from the Step list.
3. Select Add Member from the Action list.
4. Select an MST instance from the MST ID list.
5. Enter the VLAN group to add to the instance in the VLAN ID field. Note that the specified member does not have to be a configured VLAN.
6.
CHAPTER 8 | Spanning Tree Algorithm Configuring Interface Settings for MSTP

CONFIGURING INTERFACE SETTINGS FOR MSTP

Use the Spanning Tree > MSTP (Configure Interface - Configure) page to configure the STA interface settings for an MST instance.

CLI REFERENCES
◆ "Spanning Tree Commands" on page 1277

PARAMETERS
These parameters are displayed:
◆ MST ID – Instance identifier to configure. (Default: 0)
◆ Interface – Displays a list of ports or trunks.
The recommended range is listed in Table 12 on page 283. The default path costs are listed in Table 13 on page 284.

WEB INTERFACE
To configure MSTP parameters for a port or trunk:
1. Click Spanning Tree, MSTP.
2. Select Configure Interface from the Step list.
3. Select Configure from the Action list.
4. Enter the priority and path cost for an interface.
5. Click Apply.
9 CONGESTION CONTROL

The switch can set the maximum upload or download data transfer rate for any port. It can also control traffic storms by setting a maximum threshold for broadcast traffic or multicast traffic. It can also set bounding thresholds for broadcast and multicast storms which can be used to automatically trigger rate limits or to shut down a port.

Congestion Control includes the following options:
◆ Rate Limiting – Sets the input and output rate limits for a port.
CHAPTER 9 | Congestion Control Storm Control

◆ Rate – Sets the rate limit level. (Range: 64 - 1,000,000 kbits per second for Gigabit Ethernet ports; 64 - 10,000,000 kbits per second for 10 Gigabit Ethernet ports)

WEB INTERFACE
To configure rate limits:
1. Click Traffic, Rate Limit.
2. Set the interface type to Port or Trunk.
3. Enable the Rate Limit Status for the required interface.
4. Set the rate limit for the individual ports.
5. Click Apply.
◆ When traffic exceeds the threshold specified for broadcast and multicast or unknown unicast traffic, packets exceeding the threshold are dropped until the rate falls back down beneath the threshold.
◆ Traffic storms can be controlled at the hardware level using Storm Control or at the software level using Automatic Traffic Control which triggers various control responses. However, only one of these control types can be applied to a port.
CHAPTER 9 | Congestion Control Automatic Traffic Control

5. Click Apply.

Figure 128: Configuring Storm Control

AUTOMATIC TRAFFIC CONTROL

Use the Traffic > Congestion Control > Auto Traffic Control pages to configure bounding thresholds for broadcast and multicast storms which can automatically trigger rate limits or shut down a port.

CLI REFERENCES
◆ "Automatic Traffic Control Commands" on page 1207

COMMAND USAGE
ATC includes storm control for broadcast or multicast traffic.
The key elements of this diagram are described below:
◆ Alarm Fire Threshold – The highest acceptable traffic rate. When ingress traffic exceeds the threshold, ATC sends a Storm Alarm Fire Trap and logs it.
◆ When traffic exceeds the alarm fire threshold and the apply timer expires, a traffic control response is applied, and a Traffic Control Apply Trap is sent and logged.
SETTING THE ATC TIMERS

Use the Traffic > Auto Traffic Control (Configure Global) page to set the time at which to apply the control response after ingress traffic has exceeded the upper threshold, and the time at which to release the control response after ingress traffic has fallen beneath the lower threshold.
Figure 131: Configuring ATC Timers

CONFIGURING ATC THRESHOLDS AND RESPONSES

Use the Traffic > Auto Traffic Control (Configure Interface) page to set the storm control mode (broadcast or multicast), the traffic thresholds, the control response, to automatically release a response of rate limiting, or to send related SNMP trap messages.
◆ Auto Release Control – Automatically stops a traffic control response of rate limiting when traffic falls below the alarm clear threshold and the release timer expires as illustrated in Figure 129 on page 298. When traffic control stops, the event is logged by the system and a Traffic Release Trap can be sent.
WEB INTERFACE
To configure the response timers for automatic storm control:
1. Click Traffic, Automatic Traffic Control.
2. Select Configure Interface from the Step field.
3. Enable or disable ATC as required, set the control response, specify whether or not to automatically release the control response of rate limiting, set the upper and lower thresholds, and specify which trap messages to send.
4. Click Apply.
10 CLASS OF SERVICE
Class of Service (CoS) allows you to specify which data packets have greater precedence when traffic is buffered in the switch due to congestion. This switch supports CoS with eight priority queues for each port. Data packets in a port’s high-priority queue will be transmitted before those in the lower-priority queues. You can set the default priority for each interface, and configure the mapping of frame priority tags to the switch’s priority queues.
CHAPTER 10 | Class of Service Layer 2 Queue Settings
frames. If the incoming frame is an IEEE 802.1Q VLAN tagged frame, the IEEE 802.1p User Priority bits will be used.
◆ If the output port is an untagged member of the associated VLAN, these frames are stripped of all VLAN tags prior to transmission.
PARAMETERS
These parameters are displayed:
◆ Interface – Displays a list of ports or trunks.
◆ CoS – The priority that is assigned to untagged frames received on the specified interface.
COMMAND USAGE
◆ Strict priority requires all traffic in a higher priority queue to be processed before lower priority queues are serviced.
◆ WRR queuing specifies a relative weight for each queue. The predefined weight of a queue determines the percentage of service time the switch gives that queue before moving on to the next queue. This prevents the head-of-line blocking that can occur with strict priority queuing.
weighted service for the remaining queues. Use this parameter to specify the queues assigned to use strict priority. (Default: Disabled)
◆ Weight – Sets a weight for each queue which is used by the WRR scheduler. (Range: 1-15; Default: Weights 1, 2, 4, 6, 8, 10, 12 and 14 are assigned to queues 0 - 7 respectively)
WEB INTERFACE
To configure the queue mode: 1. Click Traffic, Priority, Queue. 2. Select a port or trunk. 3. Set the queue mode. 4.
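To make the difference between the three queue modes concrete, here is an added packet-count model of the scheduler (example code written for this page, not the switch's own algorithm or any Edge-Core code). It uses the default weights listed above, serves any queue placed in the strict set highest-number-first, and shares the remaining transmit slots by weighted round robin; the `backlog`, `strict` and `slots` parameters and the simplified "weight = packets per round" interpretation are assumptions of the model.

```python
from typing import Dict, List, Sequence, Set

# Default WRR weights for queues 0-7 as listed on the page.
DEFAULT_WEIGHTS: List[int] = [1, 2, 4, 6, 8, 10, 12, 14]


def schedule(backlog: Sequence[int], weights: Sequence[int],
             strict: Set[int], slots: int) -> List[int]:
    """Return the queue number served in each of `slots` transmit opportunities.

    backlog[i] is the number of packets waiting in queue i (7 is the highest priority).
    Queues in `strict` are served highest-number-first whenever they hold a packet;
    every other queue gets the leftover slots by WRR: in each round a queue may send up
    to weights[i] packets before the scheduler moves on. -1 marks an idle slot.
    Simplified model for illustration, not the switch's internal implementation.
    """
    q = list(backlog)
    wrr_queues = [i for i in range(len(q)) if i not in strict]
    credit: Dict[int, int] = {i: weights[i] for i in wrr_queues}
    cursor = 0
    served: List[int] = []
    for _ in range(slots):
        chosen = -1
        for i in sorted(strict, reverse=True):          # strict: highest non-empty queue wins
            if q[i] > 0:
                chosen = i
                break
        if chosen == -1 and wrr_queues:
            for _ in range(2 * len(wrr_queues) + 1):    # enough to wrap once and refill
                if cursor == len(wrr_queues):
                    cursor = 0
                    credit = {k: weights[k] for k in wrr_queues}   # new WRR round
                i = wrr_queues[cursor]
                if q[i] > 0 and credit[i] > 0:
                    chosen = i
                    credit[i] -= 1
                    break
                cursor += 1
        if chosen != -1:
            q[chosen] -= 1
        served.append(chosen)
    return served


def service_counts(served: Sequence[int]) -> Dict[int, int]:
    """How many transmit slots each queue received."""
    counts: Dict[int, int] = {}
    for i in served:
        if i != -1:
            counts[i] = counts.get(i, 0) + 1
    return counts


if __name__ == "__main__":
    # Constructed backlog: 5 packets in queue 0, 10 in queue 7, nothing elsewhere.
    backlog = [5, 0, 0, 0, 0, 0, 0, 10]
    print("strict :", schedule(backlog, DEFAULT_WEIGHTS, set(range(8)), 12))
    print("wrr    :", schedule(backlog, DEFAULT_WEIGHTS, set(), 12))
    print("hybrid :", schedule([5, 5, 0, 0, 0, 0, 0, 3], DEFAULT_WEIGHTS, {7}, 8))
```

In strict mode queue 0 does not get a single slot until queue 7 is drained (head-of-line blocking); in WRR mode queue 0 is served in the first slot of every round even though its weight is the smallest; in the hybrid mode queue 7 is drained first and the WRR queues share what is left.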
Figure 136: Setting the Queue Mode (Strict and WRR)
MAPPING COS VALUES TO EGRESS QUEUES
Use the Traffic > Priority > PHB to Queue page to specify the hardware output queues to use based on the internal per-hop behavior value. (For more information on the exact manner in which the ingress priority tags are mapped to egress queues for internal processing, see "Mapping CoS Priorities to Internal DSCP Values" on page 316).
Table 15: CoS Priority Levels
Priority Level | Traffic Type
1 | Background
2 | (Spare)
0 (default) | Best Effort
3 | Excellent Effort
4 | Controlled Load
5 | Video, less than 100 milliseconds latency and jitter
6 | Voice, less than 10 milliseconds latency and jitter
7 | Network Control
CLI REFERENCES
◆ "qos map phb-queue" on page 1399
COMMAND USAGE
◆ Egress packets are placed into the hardware queues according to the mapping defined by this command.
4. Map an internal PHB to a hardware queue. Depending on how an ingress packet is processed internally based on its CoS value, and the assigned output queue, the mapping done on this page can effectively determine the service priority for different traffic classes. 5. Click Apply.
Figure 137: Mapping CoS Values to Egress Queues
To show the internal PHB to hardware queue map: 1. Click Traffic, Priority, PHB to Queue. 2.
CHAPTER 10 | Class of Service Layer 3/4 Priority Settings
LAYER 3/4 PRIORITY SETTINGS
Mapping Layer 3/4 Priorities to CoS Values
The switch supports several common methods of prioritizing layer 3/4 traffic to meet application requirements. Traffic priorities can be specified in the IP header of a frame, using the priority bits in the Type of Service (ToS) octet, or the number of the TCP/UDP port.
◆ If the QoS mapping mode is set to CoS, and the ingress packet type is IPv4, then priority processing will be based on the CoS and CFI values in the ingress packet. For an untagged packet, the default port priority (see page 305) is used for priority processing.
PARAMETERS
These parameters are displayed:
◆ Interface – Specifies a port or trunk.
◆ Trust Mode
■ CoS – Maps layer 3/4 priorities using Class of Service values.
MAPPING INGRESS DSCP VALUES TO INTERNAL DSCP VALUES
Use the Traffic > Priority > DSCP to DSCP page to map DSCP values in incoming packets to per-hop behavior and drop precedence values for internal priority processing. The DSCP is six bits wide, allowing coding for up to 64 different forwarding behaviors.
Table 17: Default Mapping of DSCP Values to Internal PHB/Drop Values
Each cell gives "PHB,Drop Precedence" for the ingress DSCP whose tens digit is the row label and whose units digit is the column label.
Ingress DSCP | 0 | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9
0 | 0,0 | 0,1 | 0,0 | 0,3 | 0,0 | 0,1 | 0,0 | 0,3 | 1,0 | 1,1
1 | 1,0 | 1,3 | 1,0 | 1,1 | 1,0 | 1,3 | 2,0 | 2,1 | 2,0 | 2,3
2 | 2,0 | 2,1 | 2,0 | 2,3 | 3,0 | 3,1 | 3,0 | 3,3 | 3,0 | 3,1
3 | 3,0 | 3,3 | 4,0 | 4,1 | 4,0 | 4,3 | 4,0 | 4,1 | 4,0 | 4,3
4 | 5,0 | 5,1 | 5,0 | 5,3 | 5,0 | 5,1 | 6,0 | 5,3 | 6,0 | 6,1
5 | 6,0 | 6,3 | 6,0 | 6,1 | 6,0 | 6,3 | 7,0 | 7,1 | 7.
3. Select a port.
Figure 141: Showing DSCP to DSCP Internal Mapping
MAPPING COS PRIORITIES TO INTERNAL DSCP VALUES
Use the Traffic > Priority > CoS to DSCP page to map CoS/CFI values in incoming packets to per-hop behavior and drop precedence values for priority processing.
CLI REFERENCES
◆ "qos map cos-dscp" on page 1393
COMMAND USAGE
◆ The default mapping of CoS to PHB values is shown in Table 18 on page 317.
◆ CFI – Canonical Format Indicator. Set this parameter to “0” to indicate that the MAC address information carried in the frame is in canonical format. (Range: 0-1)
◆ PHB – Per-hop behavior, or the priority used for this router hop. (Range: 0-7)
◆ Drop Precedence – Drop precedence used for controlling traffic congestion.
To show the CoS/CFI to internal PHB/drop precedence map: 1. Click Traffic, Priority, CoS to DSCP. 2. Select Show from the Action list. 3. Select a port.
Figure 143: Showing CoS to DSCP Internal Mapping
MAPPING INTERNAL DSCP VALUES TO EGRESS COS VALUES
Use the Traffic > Priority > DSCP to CoS page to map internal per-hop behavior and drop precedence value pairs to CoS values used in tagged egress packets on a Layer 2 interface.
◆ CoS – Class-of-Service value. (Range: 0-7)
◆ CFI – Canonical Format Indicator. Set this parameter to “0” to indicate that the MAC address information carried in the frame is in canonical format.
To show the DSCP to CoS egress map in the web interface: 1. Click Traffic, Priority, DSCP to CoS. 2. Select Show from the Action list. 3. Select a port.
Figure 145: Showing DSCP to CoS Egress Mapping
MAPPING IP PRECEDENCE VALUES TO INTERNAL DSCP VALUES
Use the Traffic > Priority > IP Precedence to DSCP page to map IP precedence values in incoming packets to per-hop behavior and drop precedence values for priority processing.
CLI REFERENCES
◆ "qos map ip-prec-dscp" on page 1398
COMMAND USAGE
◆ Enter per-hop behavior and drop precedence for any of the IP Precedence values 0 - 7.
◆ If the priority mapping mode is set to IP Precedence and the ingress packet type is IPv4, then the IP Precedence-to-PHB/Drop Precedence mapping table is used to generate priority and drop precedence values for internal processing.
Figure 146: Configuring IP Precedence to DSCP Internal Mapping
To show the IP Precedence to internal PHB/drop precedence map in the web interface: 1. Click Traffic, Priority, IP Precedence to DSCP. 2. Select Show from the Action list. 3. Select a port.
MAPPING IP PORT PRIORITY TO INTERNAL DSCP VALUES
Use the Traffic > Priority > IP Port to DSCP page to map network applications designated by a TCP/UDP destination port number in the frame header to per-hop behavior and drop precedence values for internal priority processing.
CLI REFERENCES
◆ "qos map ip-port-dscp" on page 1398
COMMAND USAGE
◆ This mapping table is only used if the protocol type of the arriving packet is TCP or UDP.
Figure 148: Configuring IP Port Number to DSCP Internal Mapping
To show the TCP/UDP port number to per-hop behavior and drop precedence map in the web interface: 1. Click Traffic, Priority, IP Port to DSCP. 2. Select Show from the Action list. 3. Select a port.
11 QUALITY OF SERVICE
This chapter describes the following tasks required to apply QoS policies:
Class Map – Creates a map which identifies a specific class of traffic.
Policy Map – Sets the boundary parameters used for monitoring inbound traffic, and the action to take for conforming and non-conforming traffic.
Binding to a Port – Applies a policy map to an ingress port.
CHAPTER 11 | Quality of Service Configuring a Class Map
COMMAND USAGE
To create a service policy for a specific category of ingress traffic, follow these steps: 1. Use the Configure Class (Add) page to designate a class name for a specific category of traffic. 2. Use the Configure Class (Add Rule) page to edit the rules for each class which specify a type of traffic based on an access list, a DSCP or IP Precedence value, a VLAN, or a CoS value. 3.
◆ Description – A brief description of a class map. (Range: 1-64 characters)
Add Rule
◆ Class Name – Name of the class map.
◆ Type – Only one match command is permitted per class map, so the match-any field refers to the criteria specified by the lone match command.
◆ ACL – Name of an access control list. Any type of ACL can be specified, including standard or extended IPv4/IPv6 ACLs and MAC ACLs.
◆ IP DSCP – A DSCP value.
To show the configured class maps: 1. Click Traffic, DiffServ. 2. Select Configure Class from the Step list. 3. Select Show from the Action list.
Figure 151: Showing Class Maps
To edit the rules for a class map: 1. Click Traffic, DiffServ. 2. Select Configure Class from the Step list. 3. Select Add Rule from the Action list. 4. Select the name of a class map. 5.
CHAPTER 11 | Quality of Service Creating QoS Policies
To show the rules for a class map: 1. Click Traffic, DiffServ. 2. Select Configure Class from the Step list. 3. Select Show Rule from the Action list.
Figure 153: Showing the Rules for a Class Map
CREATING QOS POLICIES
Use the Traffic > DiffServ (Configure Policy) page to create a policy map that can be attached to multiple interfaces.
conforming to the maximum throughput, or exceeding the maximum throughput.
srTCM Police Meter – Defines an enforcer for classified traffic based on a single rate three color meter scheme defined in RFC 2697. This metering policy monitors a traffic stream and processes its packets according to the committed information rate (CIR, or maximum throughput), committed burst size (BC, or burst rate), and excess burst size (BE).
When a packet of size B bytes arrives at time t, the following happens if srTCM is configured to operate in Color-Aware mode:
■ If the packet has been precolored as green and Tc(t)-B ≥ 0, the packet is green and Tc is decremented by B down to the minimum value of 0, else
■ If the packet has been precolored as yellow or green and Te(t)-B ≥ 0, the packet is yellow and Te is decremented by B down to the minimum value of 0, else
■ the packet is red.
count Tp is incremented by one PIR times per second up to BP and the token count Tc is incremented by one CIR times per second up to BC.
When a packet of size B bytes arrives at time t, the following happens if trTCM is configured to operate in Color-Blind mode:
■ If Tp(t)-B < 0, the packet is red, else
■ if Tc(t)-B < 0, the packet is yellow and Tp is decremented by B, else
■ the packet is green and both Tp and Tc are decremented by B.
◆ Class Name – Name of a class map that defines a traffic classification upon which a policy can act.
◆ Action – This attribute is used to set an internal QoS value in hardware for matching packets. The PHB label is composed of five bits, three bits for per-hop behavior, and two bits for the color scheme used to control queue congestion with the srTCM and trTCM metering functions.
■ Set IP DSCP – Decreases DSCP priority for out of conformance traffic. (Range: 0-63)
■ Drop – Drops out of conformance traffic.
■ Violate – Specifies whether the traffic that exceeds the excess burst size (BE) will be dropped or the DSCP service level will be reduced.
■ Set IP DSCP – Decreases DSCP priority for out of conformance traffic. (Range: 0-63)
■ Drop – Drops out of conformance traffic.
■ Exceed – Specifies whether traffic that exceeds the maximum rate (CIR) but is within the peak information rate (PIR) will be dropped or the DSCP service level will be reduced.
■ Set IP DSCP – Decreases DSCP priority for out of conformance traffic. (Range: 0-63)
■ Drop – Drops out of conformance traffic.
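The srTCM and trTCM rules quoted above, and the Conform/Exceed/Violate actions of the policy map, are worked through below in an added example (written for this page; it is not Edge-Core code and not the switch's hardware metering). It implements both meters from RFC 2697 and RFC 2698 in both Color-Blind and Color-Aware modes, which goes beyond the single mode the text shows for each; bytes per second for rates, bytes for burst sizes, and continuous refill of the token buckets between packets are assumptions of the model. `apply_policy` then maps the packet colour to the policy-map action: green packets conform and are forwarded, yellow packets take the Exceed action and red packets the Violate action.

```python
from typing import Optional, Tuple

GREEN, YELLOW, RED = "green", "yellow", "red"


class SrTCM:
    """Single rate three color meter (RFC 2697). cir in bytes/s; cbs (BC on the page)
    and ebs (BE on the page) in bytes. Both token buckets start full."""

    def __init__(self, cir: float, cbs: float, ebs: float, color_aware: bool = False):
        self.cir, self.cbs, self.ebs, self.color_aware = cir, cbs, ebs, color_aware
        self.tc, self.te, self.last = cbs, ebs, 0.0

    def _refill(self, t: float) -> None:
        # Tokens arrive at CIR; Tc fills first and the overflow goes to Te.
        tokens = self.cir * (t - self.last)
        self.last = t
        to_c = min(tokens, self.cbs - self.tc)
        self.tc += to_c
        self.te = min(self.ebs, self.te + tokens - to_c)

    def meter(self, t: float, size: int, precolor: str = GREEN) -> str:
        """Colour a packet of `size` bytes arriving at time t (precolor is ignored
        in Color-Blind mode)."""
        self._refill(t)
        if (not self.color_aware or precolor == GREEN) and self.tc - size >= 0:
            self.tc -= size
            return GREEN
        if (not self.color_aware or precolor in (GREEN, YELLOW)) and self.te - size >= 0:
            self.te -= size
            return YELLOW
        return RED


class TrTCM:
    """Two rate three color meter (RFC 2698): a CIR/BC bucket and a PIR/BP bucket."""

    def __init__(self, cir: float, cbs: float, pir: float, pbs: float, color_aware: bool = False):
        self.cir, self.cbs, self.pir, self.pbs, self.color_aware = cir, cbs, pir, pbs, color_aware
        self.tc, self.tp, self.last = cbs, pbs, 0.0

    def _refill(self, t: float) -> None:
        dt = t - self.last
        self.last = t
        self.tc = min(self.cbs, self.tc + self.cir * dt)
        self.tp = min(self.pbs, self.tp + self.pir * dt)

    def meter(self, t: float, size: int, precolor: str = GREEN) -> str:
        self._refill(t)
        if (self.color_aware and precolor == RED) or self.tp - size < 0:
            return RED
        if (self.color_aware and precolor == YELLOW) or self.tc - size < 0:
            self.tp -= size
            return YELLOW
        self.tp -= size
        self.tc -= size
        return GREEN


Action = Tuple[str, Optional[int]]   # ("drop", None) or ("set-dscp", new_dscp)


def apply_policy(color: str, dscp: int, exceed: Action, violate: Action) -> Tuple[bool, int]:
    """Policy-map action for a metered packet: green (conform) is forwarded unchanged,
    yellow uses the Exceed action, red uses the Violate action. Returns (forwarded, dscp)."""
    if color == GREEN:
        return True, dscp
    action = exceed if color == YELLOW else violate
    if action[0] == "drop":
        return False, dscp
    return True, action[1]


if __name__ == "__main__":
    # Constructed burst: three 1000-byte packets at t=0 against CIR 1000 B/s, BC=BE=1500 B.
    m = SrTCM(cir=1000, cbs=1500, ebs=1500)
    for pkt in range(3):
        color = m.meter(0.0, 1000)
        print(pkt, color, apply_policy(color, 46, ("set-dscp", 0), ("drop", None)))
```

The first packet fits the committed bucket (green), the second only the excess bucket (yellow, re-marked to DSCP 0 by the Exceed action), and the third finds both buckets empty (red, dropped by the Violate action); one second later the buckets have refilled by CIR and a full-size burst is green again.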
To show the configured policy maps: 1. Click Traffic, DiffServ. 2. Select Configure Policy from the Step list. 3. Select Show from the Action list.
Figure 155: Showing Policy Maps
To edit the rules for a policy map: 1. Click Traffic, DiffServ. 2. Select Configure Policy from the Step list. 3. Select Add Rule from the Action list. 4. Select the name of a policy map. 5.
Figure 156: Adding Rules to a Policy Map
To show the rules for a policy map: 1. Click Traffic, DiffServ. 2. Select Configure Policy from the Step list. 3. Select Show Rule from the Action list.
CHAPTER 11 | Quality of Service Attaching a Policy Map to a Port
ATTACHING A POLICY MAP TO A PORT
Use the Traffic > DiffServ (Configure Interface) page to bind a policy map to a port.
CLI REFERENCES
◆ "Quality of Service Commands" on page 1407
COMMAND USAGE
◆ First define a class map, define a policy map, and then bind the service policy to the required interface.
PARAMETERS
These parameters are displayed:
◆ Port – Specifies a port.
◆ Ingress – Applies the selected rule to ingress traffic.
12 VOIP TRAFFIC CONFIGURATION
This chapter covers the following topics:
◆ Global Settings – Enables VOIP globally, sets the Voice VLAN, and the aging time for attached ports.
◆ Telephony OUI List – Configures the list of phones to be treated as VOIP devices based on the specified Organization Unit Identifier (OUI).
CHAPTER 12 | VoIP Traffic Configuration Configuring VoIP Traffic
CONFIGURING VOIP TRAFFIC
Use the Traffic > VoIP (Configure Global) page to configure the switch for VoIP traffic. First enable automatic detection of VoIP devices attached to the switch ports, then set the Voice VLAN ID for the network. The Voice VLAN aging time can also be set to remove a port from the Voice VLAN when VoIP traffic is no longer received on the port.
CHAPTER 12 | VoIP Traffic Configuration Configuring Telephony OUI
Figure 159: Configuring a Voice VLAN
CONFIGURING TELEPHONY OUI
VoIP devices attached to the switch can be identified by the vendor’s Organizational Unique Identifier (OUI) in the source MAC address of received packets. OUI numbers are assigned to vendors and form the first three octets of device MAC addresses. The MAC OUI numbers for VoIP equipment can be configured on the switch so that traffic from these devices is recognized as VoIP.
5. Select a mask from the pull-down list to define a MAC address range. 6. Enter a description for the devices. 7. Click Apply.
Figure 160: Configuring an OUI Telephony List
To show the MAC OUI numbers used for VoIP equipment: 1. Click Traffic, VoIP. 2. Select Configure OUI from the Step list. 3. Select Show from the Action list.
CHAPTER 12 | VoIP Traffic Configuration Configuring VoIP Traffic Ports
CONFIGURING VOIP TRAFFIC PORTS
Use the Traffic > VoIP (Configure Interface) page to configure ports for VoIP traffic. You need to set the mode (Auto or Manual), specify the discovery method to use, and set the traffic priority. You can also enable security filtering to ensure that only VoIP traffic is forwarded on the Voice VLAN.
■ LLDP – Uses LLDP (IEEE 802.1AB) to discover VoIP devices attached to the port. LLDP checks that the “telephone bit” in the system capability TLV is turned on. See "Link Layer Discovery Protocol" on page 458 for more information on LLDP.
◆ Priority – Defines a CoS priority for port traffic on the Voice VLAN.
13 SECURITY MEASURES
You can configure this switch to authenticate users logging into the system for management access using local or remote authentication methods. Port-based authentication using IEEE 802.1X can also be configured to control either management access to the uplink ports or client access to the data ports.
CHAPTER 13 | Security Measures AAA Authorization and Accounting
◆ IPv4 Source Guard – Filters IPv4 traffic on insecure ports for which the source address cannot be identified via either DHCPv4 snooping or static source bindings.
◆ IPv6 Source Guard – Filters IPv6 traffic on insecure ports for which the source address cannot be identified via ND snooping, DHCPv6 snooping, or static source bindings.
To configure AAA on the switch, you need to follow this general process: 1. Configure RADIUS and TACACS+ server access parameters. See "Configuring Local/Remote Logon Authentication" on page 349. 2. Define RADIUS and TACACS+ server groups to support the accounting and authorization of services. 3.
■ Local – User authentication is performed only locally by the switch.
■ RADIUS – User authentication is performed using a RADIUS server only.
■ TACACS – User authentication is performed using a TACACS+ server only.
■ [authentication sequence] – User authentication is performed by up to three authentication methods in the indicated sequence.
WEB INTERFACE
To configure the method(s) of controlling management access: 1.
RADIUS uses UDP while TACACS+ uses TCP. UDP only offers best effort delivery, while TCP offers a more reliable connection-oriented transport. Also, note that RADIUS encrypts only the password in the access-request packet from the client to the server, while TACACS+ encrypts the entire body of the packet.
◆ Authentication Timeout – The number of seconds the switch waits for a reply from the RADIUS server before it resends the request. (Range: 1-65535; Default: 5)
◆ Authentication Retries – Number of times the switch tries to authenticate logon access via the authentication server. (Range: 1-30; Default: 2)
◆ Set Key – Mark this box to set or modify the encryption key.
Configure Group
◆ Server Type – Select RADIUS or TACACS+ server.
◆ Group Name – Defines a name for the RADIUS or TACACS+ server group. (Range: 1-64 characters)
◆ Sequence at Priority – Specifies the server and sequence to use for the group. (Range: 1-5 for RADIUS; 1 for TACACS) When specifying the priority sequence for a server, the server index must already be defined (see "Configuring Local/Remote Logon Authentication" on page 349).
Figure 166: Configuring Remote Authentication Server (TACACS+)
To configure the RADIUS or TACACS+ server groups to use for accounting and authorization: 1. Click Security, AAA, Server. 2. Select Configure Group from the Step list. 3. Select Add from the Action list. 4. Select RADIUS or TACACS+ server type. 5. Enter the group name, followed by the index of the server to use for each priority level. 6. Click Apply.
To show the RADIUS or TACACS+ server groups used for accounting and authorization: 1. Click Security, AAA, Server. 2. Select Configure Group from the Step list. 3. Select Show from the Action list.
◆ Method Name – Specifies an accounting method for service requests. The “default” methods are used for a requested service if no other methods have been defined. (Range: 1-64 characters) Note that the method name is only used to describe the accounting method configured on the specified RADIUS or TACACS+ servers. No information is sent to the servers about the method to use.
Show Information – Statistics
◆ User Name – Displays a registered user name.
◆ Accounting Type – Displays the accounting service.
◆ Interface – Displays the receive port number through which this user accessed the switch.
◆ Time Elapsed – Displays the length of time this entry has been active.
WEB INTERFACE
To configure global settings for AAA accounting: 1. Click Security, AAA, Accounting. 2.
To configure the accounting method applied to various service types and the assigned server group: 1. Click Security, AAA, Accounting. 2. Select Configure Method from the Step list. 3. Select Add from the Action list. 4. Select the accounting type (802.1X, Exec). 5. Specify the name of the accounting method and server group name. 6. Click Apply.
To configure the accounting method applied to specific interfaces, console commands entered at specific privilege levels, and local console, Telnet, or SSH connections: 1. Click Security, AAA, Accounting. 2. Select Configure Service from the Step list. 3. Select the accounting type (802.1X, Exec). 4. Enter the required accounting method. 5. Click Apply.
Figure 172: Configuring AAA Accounting Service for 802.
To display a summary of the configured accounting methods and assigned server groups for specified service types: 1. Click Security, AAA, Accounting. 2. Select Show Information from the Step list. 3. Click Summary.
Figure 174: Displaying a Summary of Applied AAA Accounting Methods
To display basic accounting information and statistics recorded for user sessions: 1. Click Security, AAA, Accounting. 2.
◆ AAA authentication through a RADIUS or TACACS+ server must be enabled before authorization is enabled.
PARAMETERS
These parameters are displayed:
Configure Method
◆ Authorization Type – Specifies the service as Exec, indicating administrative authorization for local console, Telnet, or SSH connections.
◆ Method Name – Specifies an authorization method for service requests.
WEB INTERFACE
To configure the authorization method applied to the Exec service type and the assigned server group: 1. Click Security, AAA, Authorization. 2. Select Configure Method from the Step list. 3. Specify the name of the authorization method and server group name. 4. Click Apply.
Figure 176: Configuring AAA Authorization Methods
To show the authorization method applied to the EXEC service type and the assigned server group: 1.
CHAPTER 13 | Security Measures Configuring User Accounts
3. Enter the required authorization method. 4. Click Apply.
Figure 178: Configuring AAA Authorization Methods for Exec Service
To display the configured authorization method and assigned server groups for the Exec service type: 1. Click Security, AAA, Authorization. 2. Select Show Information from the Step list.
PARAMETERS
These parameters are displayed:
◆ User Name – The name of the user. (Maximum length: 32 characters; maximum number of users: 16)
◆ Access Level – Specifies the user level. (Options: 0 - Normal, 15 - Privileged)
The encrypted password is required for compatibility with legacy password settings (i.e.
CHAPTER 13 | Security Measures Web Authentication
Figure 180: Configuring User Accounts
To show user accounts: 1. Click Security, User Accounts. 2. Select Show from the Action list.
Figure 181: Showing User Accounts
WEB AUTHENTICATION
Web authentication allows stations to authenticate and access the network in situations where 802.1X or Network Access authentication is infeasible or impractical.
NOTE: RADIUS authentication must be activated and configured properly for the web authentication feature to work properly. (See "Configuring Local/Remote Logon Authentication" on page 349.)
NOTE: Web authentication cannot be configured on trunk ports.
CONFIGURING GLOBAL SETTINGS FOR WEB AUTHENTICATION
Use the Security > Web Authentication (Configure Global) page to edit the global parameters for web authentication.
Figure 182: Configuring Global Settings for Web Authentication
CONFIGURING INTERFACE SETTINGS FOR WEB AUTHENTICATION
Use the Security > Web Authentication (Configure Interface) page to enable web authentication on a port, and display information for any connected hosts.
CLI REFERENCES
◆ "Web Authentication" on page 1109
PARAMETERS
These parameters are displayed:
◆ Port – Indicates the port being configured.
CHAPTER 13 | Security Measures Network Access (MAC Address Authentication)
4. Mark the check box for any host addresses that need to be reauthenticated, and click Re-authenticate.
Figure 183: Configuring Interface Settings for Web Authentication
NETWORK ACCESS (MAC ADDRESS AUTHENTICATION)
Some devices connected to switch ports may not be able to support 802.1X authentication due to hardware or software limitations.
authenticated. On the RADIUS server, PAP user name and passwords must be configured in the MAC address format XX-XX-XX-XX-XX-XX (all in upper case).
◆ Authenticated MAC addresses are stored as dynamic entries in the switch secure MAC address table and are removed when the aging time expires. The maximum number of secure MAC addresses supported for the switch system is 1024.
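The MAC-format PAP credential described above, and the earlier remark in this chapter that RADIUS protects only the password in an Access-Request, are shown together in the following added example (written for this page; it is not Edge-Core code and not the switch's RADIUS client). It formats a MAC address as the XX-XX-XX-XX-XX-XX user name and password, hides the User-Password attribute with the RFC 2865 section 5.2 method, and parses the resulting packet to show that the User-Name, and every other attribute, travels as plain text; this is the property that makes a protected path between switch and RADIUS server, or TACACS+ for management access, worth considering. The shared secret, authenticator and MAC address in the example are constructed values.

```python
import hashlib
import os
import struct
from typing import Dict, Optional


def mac_as_pap_credential(mac: str) -> str:
    """Render a MAC address in the XX-XX-XX-XX-XX-XX upper-case form the page says
    the RADIUS server must hold as the PAP user name and password."""
    digits = "".join(ch for ch in mac if ch not in ":-.")
    if len(digits) != 12 or any(ch not in "0123456789abcdefABCDEF" for ch in digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2)).upper()


def _chained_xor(data: bytes, secret: bytes, authenticator: bytes, hiding: bool) -> bytes:
    """RFC 2865 section 5.2: each 16-byte block is XORed with MD5(secret + previous
    ciphertext block); the first block uses the Request Authenticator instead."""
    if len(authenticator) != 16 or len(data) % 16:
        raise ValueError("authenticator must be 16 bytes and data a multiple of 16")
    out, prev = bytearray(), authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        result = bytes(a ^ b for a, b in zip(block, key))
        out += result
        prev = result if hiding else block   # always chain on the ciphertext block
    return bytes(out)


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Client side: pad with NULs to a multiple of 16 bytes, then hide."""
    padded = password + b"\x00" * (-len(password) % 16)
    return _chained_xor(padded, secret, authenticator, hiding=True)


def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: reverse the hiding and strip the NUL padding."""
    return _chained_xor(hidden, secret, authenticator, hiding=False).rstrip(b"\x00")


def _avp(attr_type: int, value: bytes) -> bytes:
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(username: str, password: str, secret: bytes,
                         identifier: int = 1, authenticator: Optional[bytes] = None) -> bytes:
    """Minimal Access-Request (code 1) carrying User-Name (type 1) and User-Password (type 2)."""
    if authenticator is None:
        authenticator = os.urandom(16)   # the Request Authenticator is random per request
    attrs = _avp(1, username.encode()) + _avp(2, hide_password(password.encode(), secret, authenticator))
    return struct.pack("!BBH", 1, identifier, 20 + len(attrs)) + authenticator + attrs


def parse_attributes(packet: bytes) -> Dict[int, bytes]:
    """Return {attribute type: value} for a RADIUS packet; nothing here needs the secret."""
    attrs: Dict[int, bytes] = {}
    pos = 20
    while pos < len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute")
        attrs[attr_type] = packet[pos + 2:pos + length]
        pos += length
    return attrs


if __name__ == "__main__":
    cred = mac_as_pap_credential("00:1b:4f:aa:bb:cc")        # constructed MAC
    pkt = build_access_request(cred, cred, b"constructed-shared-secret")
    attrs = parse_attributes(pkt)
    print("User-Name visible without the secret:", attrs[1].decode())
    print("User-Password as sent on the wire  :", attrs[2].hex())
```

Anyone holding the packet can read the User-Name (here the station's MAC address) directly, while only a party holding the shared secret can recover the User-Password, and even that protection depends on the secret's strength because the hiding is a keyed MD5 stream, not an authenticated cipher.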
For example, the attribute “service-policy-in=pp1;rate-limit-input=100” specifies that the diffserv profile name is “pp1,” and the ingress rate limit profile value is 100 kbps.
◆ If duplicate profiles are passed in the Filter-ID attribute, then only the first profile is used. For example, if the attribute is “service-policy-in=p1;service-policy-in=p2”, then the switch applies only the DiffServ profile “p1.
CONFIGURING GLOBAL SETTINGS FOR NETWORK ACCESS
MAC address authentication is configured on a per-port basis; however, there are two configurable parameters that apply globally to all ports on the switch. Use the Security > Network Access (Configure Global) page to configure MAC address authentication aging and reauthentication time.
Figure 184: Configuring Global Settings for Network Access
CONFIGURING NETWORK ACCESS FOR PORTS
Use the Security > Network Access (Configure Interface - General) page to configure MAC authentication on switch ports, including enabling address authentication, setting the maximum MAC count, and enabling dynamic VLAN or dynamic QoS assignments.
◆ Dynamic VLAN – Enables dynamic VLAN assignment for an authenticated port. When enabled, any VLAN identifiers returned by the RADIUS server through the 802.1X authentication process are applied to the port, providing the VLANs have already been created on the switch. (GVRP is not used to create the VLANs.) (Default: Enabled) The VLAN settings specified by the first authenticated MAC address are implemented for a port.
Figure 185: Configuring Interface Settings for Network Access
CONFIGURING PORT LINK DETECTION
Use the Security > Network Access (Configure Interface - Link Detection) page to send an SNMP trap and/or shut down a port when a link event occurs.
WEB INTERFACE
To configure link detection on switch ports: 1. Click Security, Network Access. 2. Select Configure Interface from the Step list. 3. Click the Link Detection button. 4. Modify the link detection status, trigger condition, and the response for any port. 5. Click Apply.
◆ MAC Address Mask – The filter rule will check for the range of MAC addresses defined by the MAC bit mask. If you omit the mask, the system will assign the default mask of an exact match. (Range: 000000000000 - FFFFFFFFFFFF; Default: FFFFFFFFFFFF)
WEB INTERFACE
To add a MAC address filter for MAC authentication: 1. Click Security, Network Access. 2. Select Configure MAC Filter from the Step list. 3.
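Both the MAC address filter mask described above and the Telephony OUI mask in the VoIP chapter compare a received source MAC address against a configured address under a bit mask, with FFFFFFFFFFFF meaning an exact match and FFFFFF000000 meaning "vendor OUI only". The following added example (written for this page, not Edge-Core code and not the switch's filter implementation) performs that comparison and applies an ordered rule list to constructed source addresses; the `MacRule` class, its field names and the sample OUI are assumptions of the example.

```python
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple

EXACT_MATCH_MASK = "FFFFFFFFFFFF"   # the page's default mask: all 48 bits are compared
OUI_MASK = "FFFFFF000000"           # compare only the vendor OUI (first three octets)


def mac_to_int(mac: str) -> int:
    """Accept 00-11-22-33-44-55, 00:11:22:33:44:55, 0011.2233.4455 or 001122334455."""
    digits = "".join(ch for ch in mac if ch not in ":-.")
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return int(digits, 16)          # raises ValueError on non-hex characters


@dataclass(frozen=True)
class MacRule:
    """One filter entry: an address, a bit mask and a free-text description."""
    address: str
    mask: str = EXACT_MATCH_MASK    # omitted mask means exact match, as on the page
    description: str = ""

    def matches(self, mac: str) -> bool:
        # Only the bits set in the mask take part in the comparison.
        m = mac_to_int(self.mask)
        return (mac_to_int(mac) & m) == (mac_to_int(self.address) & m)


def first_match(rules: Sequence[MacRule], mac: str) -> Optional[MacRule]:
    """Rules are evaluated in configured order; the first hit wins."""
    for rule in rules:
        if rule.matches(mac):
            return rule
    return None


def classify(rules: Sequence[MacRule], src_macs: Sequence[str]) -> List[Tuple[str, Optional[str]]]:
    """Return (mac, matching description or None) for each received source address."""
    result = []
    for mac in src_macs:
        rule = first_match(rules, mac)
        result.append((mac, rule.description if rule else None))
    return result


if __name__ == "__main__":
    rules = [
        MacRule("00-0B-82-00-00-00", OUI_MASK, "constructed phone vendor OUI"),
        MacRule("00-11-22-33-44-55", description="one specific station"),
    ]
    # Constructed source addresses as they might appear in received frames.
    for mac, label in classify(rules, ["00:0b:82:aa:bb:cc", "0011.2233.4455", "de:ad:be:ef:00:01"]):
        print(f"{mac:20} -> {label}")
```

A mask between the two extremes, such as FFFFFFF00000, restricts a rule to a 28-bit block of a vendor's address space, which is useful when a vendor's OUI covers both phones and other equipment.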
DISPLAYING SECURE MAC ADDRESS INFORMATION
Use the Security > Network Access (Show Information) page to display the authenticated MAC addresses stored in the secure MAC address table. Information on the secure MAC entries can be displayed and selected entries can be removed from the table.
CHAPTER 13 | Security Measures Configuring HTTPS
Figure 189: Showing Addresses Authenticated for Network Access
CONFIGURING HTTPS
You can configure the switch to enable the Secure Hypertext Transfer Protocol (HTTPS) over the Secure Socket Layer (SSL), providing secure access (i.e., an encrypted connection) to the switch’s web interface.
CONFIGURING GLOBAL SETTINGS FOR HTTPS
Use the Security > HTTPS (Configure Global) page to enable or disable HTTPS and specify the UDP port used for this service.
◆ The client and server establish a secure encrypted connection. A padlock icon should appear in the status bar for Internet Explorer 6, Mozilla Firefox 4, or Google Chrome 29, or more recent versions.
◆ The following web browsers and operating systems currently support HTTPS:
Table 23: HTTPS System Support
Web Browser | Operating System
Internet Explorer 6.
REPLACING THE DEFAULT SECURE-SITE CERTIFICATE
Use the Security > HTTPS (Copy Certificate) page to replace the default secure-site certificate.
When you log onto the web interface using HTTPS (for secure access), a Secure Sockets Layer (SSL) certificate appears for the switch. By default, the certificate that the web browser displays will be associated with a warning that the site is not recognized as a secure site.
CHAPTER 13 | Security Measures Configuring the Secure Shell
WEB INTERFACE
To replace the default secure-site certificate: 1. Click Security, HTTPS. 2. Select Copy Certificate from the Step list. 3. Fill in the TFTP server, certificate and private key file name, and private password. 4. Click Apply.
Figure 191: Downloading the Secure-Site Certificate
CONFIGURING THE SECURE SHELL
The Berkeley-standard includes remote access tools originally designed for Unix systems.
CHAPTER 13 | Security Measures Configuring the Secure Shell COMMAND USAGE The SSH server on this switch supports both password and public key authentication. If password authentication is specified by the SSH client, then the password can be authenticated either locally or via a RADIUS or TACACS+ remote authentication server, as specified on the System Authentication page (page 349).
5. Enable SSH Service – On the SSH Settings page, enable the SSH server on the switch.
6. Authentication – One of the following authentication methods is employed:
   Password Authentication (for SSH v1.5 or V2 Clients)
   a. The client sends its password to the server.
   b. The switch compares the client's password to those stored in memory.
   c. If a match is found, the connection is allowed.

checks whether the signature is correct. If both checks succeed, the client is authenticated.
NOTE: The SSH server supports up to four client sessions. The maximum number of client sessions includes both current Telnet sessions and SSH sessions.
NOTE: The SSH server can be accessed using any configured IPv4 or IPv6 interface address on the switch.

WEB INTERFACE
To configure the SSH server:
1. Click Security, SSH.
2. Select Configure Global from the Step list.
3. Enable the SSH server.
4. Adjust the authentication parameters as required.
5. Click Apply.

client to select either DES (56-bit) or 3DES (168-bit) for data encryption.
NOTE: The switch uses only RSA Version 1 for SSHv1.5 clients and DSA Version 2 for SSHv2 clients.
◆ Save Host-Key from Memory to Flash – Saves the host key from RAM (i.e., volatile memory) to flash memory. Otherwise, the host key pair is stored to RAM by default. Note that you must select this item prior to generating the host-key pair.

To display or clear the SSH host key pair:
1. Click Security, SSH.
2. Select Configure Host Key from the Step list.
3. Select Show from the Action list.
4. Select the host-key type to clear.
5. Click Clear.

Figure 194: Showing the SSH Host Key Pair

IMPORTING USER PUBLIC KEYS
Use the Security > SSH (Configure User Key - Copy) page to upload a user’s public key to the switch.

The SSH server uses RSA or DSA for key exchange when the client first establishes a connection with the switch, and then negotiates with the client to select either DES (56-bit) or 3DES (168-bit) for data encryption. The switch uses only RSA Version 1 for SSHv1.5 clients and DSA Version 2 for SSHv2 clients.
◆ TFTP Server IP Address – The IP address of the TFTP server that contains the public key file you wish to import.

To display or clear the SSH user’s public key:
1. Click Security, SSH.
2. Select Configure User Key from the Step list.
3. Select Show from the Action list.
4. Select a user from the User Name list.
5. Select the host-key type to clear.
6. Click Clear.

COMMAND USAGE
The following restrictions apply to ACLs:
◆ The maximum number of ACLs is 256.
◆ The maximum number of rules per ACL is 96.
◆ An ACL can have up to 96 rules. However, due to resource restrictions, the average number of rules bound to the ports should not exceed 20.
◆ The maximum number of rules (Access Control Entries, or ACEs) stated above is the worst case scenario.
SETTING A TIME RANGE
Use the Security > ACL (Configure Time Range) page to set a time range during which ACL functions are applied.
CLI REFERENCES
◆ "Time Range" on page 957
COMMAND USAGE
If both an absolute rule and one or more periodic rules are configured for the same time range (i.e., named entry), that entry will only take effect if the current time is within the absolute time range and one of the periodic time ranges.

Figure 197: Setting the Name of a Time Range

To show a list of time ranges:
1. Click Security, ACL.
2. Select Configure Time Range from the Step list.
3. Select Show from the Action list.

Figure 198: Showing a List of Time Ranges

To configure a rule for a time range:
1. Click Security, ACL.
2. Select Configure Time Range from the Step list.
3. Select Add Rule from the Action list.
4. Select the name of time range from the drop-down list.
5.

Figure 199: Add a Rule to a Time Range

To show the rules configured for a time range:
1. Click Security, ACL.
2. Select Configure Time Range from the Step list.
3. Select Show Rule from the Action list.
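The rule stated under Command Usage above (an entry with both an absolute rule and periodic rules is active only inside the absolute window and inside at least one periodic window) is easy to get wrong when auditing a time-based ACL. The following is an added example, not the switch's own code, that evaluates a named time range against a timestamp. The weekday keywords "daily", "weekdays" and "weekend", the TimeRange class, and the behaviour of an entry holding only one kind of rule are this example's own assumptions.

```python
"""Added example (not the switch's own code): evaluating a named ACL time
range that combines one absolute rule with periodic rules, following the
rule stated under Setting a Time Range.  The weekday keywords and the
behaviour of an entry with only one kind of rule are assumptions."""
from datetime import datetime, time
from typing import Iterable, List, Optional, Set, Tuple, Union

WEEKDAYS = {"monday": 0, "tuesday": 1, "wednesday": 2, "thursday": 3,
            "friday": 4, "saturday": 5, "sunday": 6}


class TimeRange:
    """A named entry holding at most one absolute window and any number of
    periodic (weekday + time-of-day) windows."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.absolute: Optional[Tuple[datetime, datetime]] = None
        self.periodic: List[Tuple[Set[int], time, time]] = []

    def set_absolute(self, start: datetime, end: datetime) -> None:
        if end < start:
            raise ValueError("absolute end precedes start")
        self.absolute = (start, end)

    def add_periodic(self, days: Union[str, Iterable[str]], start: time, end: time) -> None:
        # "daily", "weekdays" and "weekend" are shortcut keywords assumed for this example.
        if days == "daily":
            dayset = set(range(7))
        elif days == "weekdays":
            dayset = set(range(5))
        elif days == "weekend":
            dayset = {5, 6}
        else:
            dayset = {WEEKDAYS[d.lower()] for d in days}
        if end <= start:
            raise ValueError("periodic end must follow start on the same day")
        self.periodic.append((dayset, start, end))

    def is_active(self, now: datetime) -> bool:
        """Active only when inside the absolute window AND inside at least one
        periodic window.  With no periodic rule the absolute window alone
        decides; with no absolute rule the periodic rules alone decide
        (both assumed here; the page states only the combined case)."""
        if self.absolute is not None:
            start, end = self.absolute
            if not start <= now <= end:
                return False
        if not self.periodic:
            return self.absolute is not None
        clock = now.time()
        return any(now.weekday() in dayset and start <= clock <= end
                   for dayset, start, end in self.periodic)


def active_at(tr: TimeRange, iso_timestamp: str) -> bool:
    """Convenience wrapper taking an ISO 8601 timestamp string."""
    return tr.is_active(datetime.fromisoformat(iso_timestamp))


def build_office_hours() -> TimeRange:
    """Constructed sample: an entry valid in Q4 2013, weekdays 08:00-18:00."""
    tr = TimeRange("office-hours")
    tr.set_absolute(datetime(2013, 10, 1, 0, 0), datetime(2013, 12, 31, 23, 59))
    tr.add_periodic("weekdays", time(8, 0), time(18, 0))
    return tr


if __name__ == "__main__":
    office = build_office_hours()
    for probe in ("2013-10-15T10:00", "2013-10-19T10:00", "2014-01-06T10:00"):
        print(probe, "active" if active_at(office, probe) else "inactive")
```

A Tuesday morning inside the quarter is active; the following Saturday is not (outside every periodic window), and a Monday in January is not either (outside the absolute window), which is exactly the two-condition rule the page describes.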
SHOWING TCAM UTILIZATION
Use the Security > ACL (Configure ACL - Show TCAM) page to show utilization parameters for TCAM (Ternary Content Addressable Memory), including the number of policy control entries in use, the number of free entries, and the overall percentage of TCAM in use.

Figure 201: Showing TCAM Utilization

SETTING THE ACL NAME AND TYPE
Use the Security > ACL (Configure ACL - Add) page to create an ACL.
CLI REFERENCES
◆ "access-list ip" on page 1164
◆ "show ip access-list" on page 1169
PARAMETERS
These parameters are displayed:
◆ ACL Name – Name of the ACL. (Maximum length: 32 characters)
◆ Type – The following filter modes are supported:
  ■ IP Standard: IPv4 ACL mode filters packets based on the source IPv4 address.

WEB INTERFACE
To configure the name and type of an ACL:
1. Click Security, ACL.
2. Select Configure ACL from the Step list.
3. Select Add from the Action list.
4. Fill in the ACL Name field, and select the ACL type.
5. Click Apply.

Figure 202: Creating an ACL

To show a list of ACLs:
1. Click Security, ACL.
2. Select Configure ACL from the Step list.
3. Select Show from the Action list.

CONFIGURING A STANDARD IPV4 ACL
Use the Security > ACL (Configure ACL - Add Rule - IP Standard) page to configure a Standard IPv4 ACL.
CLI REFERENCES
◆ "permit, deny (Standard IP ACL)" on page 1165
◆ "show ip access-list" on page 1169
◆ "Time Range" on page 957
PARAMETERS
These parameters are displayed:
◆ Type – Selects the type of ACLs to show in the Name list.
◆ Name – Shows the names of ACLs matching the selected type.

9. Click Apply.

Figure 204: Configuring a Standard IPv4 ACL

CONFIGURING AN EXTENDED IPV4 ACL
Use the Security > ACL (Configure ACL - Add Rule - IP Extended) page to configure an Extended IPv4 ACL.
CLI REFERENCES
◆ "permit, deny (Extended IPv4 ACL)" on page 1166
◆ "show ip access-list" on page 1169
◆ "Time Range" on page 957
PARAMETERS
These parameters are displayed:
◆ Type – Selects the type of ACLs to show in the Name list.

◆ Source/Destination Port Bit Mask – Decimal number representing the port bits to match. (Range: 0-65535)
◆ Protocol – Specifies the protocol type to match as TCP, UDP or Others, where Others indicates a specific protocol number (0-255). (Options: TCP, UDP, Others; Default: Others)
◆ Service Type – Packet priority settings based on the following criteria:
  ■ ToS – Type of Service level. (Range: 0-15)
  ■ Precedence – IP precedence level.

5. Select the name of an ACL from the Name list.
6. Specify the action (i.e., Permit or Deny).
7. Select the address type (Any, Host, or IP).
8. If you select “Host,” enter a specific address. If you select “IP,” enter a subnet address and the mask for an address range.
9. Set any other required criteria, such as service type, protocol type, or control code.
10. Click Apply.
```
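The Standard and Extended IPv4 ACL pages above describe three matching primitives: an address compared under a dotted-decimal mask (Any / Host / IP), a protocol number, and a port compared under a decimal bit mask. The following added example, which is not the switch's own code, evaluates a rule list with those semantics so the effect of a mask can be checked before a list is bound to a port. The Rule class, the dict packet layout, and the implicit deny when no rule matches are this example's own assumptions.

```python
"""Added example (not the switch's own code): first-match evaluation of
IPv4 Standard/Extended ACL rules using the address mask and port bit mask
semantics described on the ACL pages.  The implicit deny at the end of a
list and the dict packet layout are assumptions of this example."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


def ip_matches(addr: str, base: Optional[str], mask: Optional[str]) -> bool:
    """Any (base None) matches everything; Host (mask None) is an exact
    match; IP compares only the bits set in the dotted-decimal mask."""
    if base is None:
        return True
    m = int(ipaddress.IPv4Address(mask or "255.255.255.255"))
    return (int(ipaddress.IPv4Address(addr)) & m) == (int(ipaddress.IPv4Address(base)) & m)


def port_matches(port: int, base: Optional[int], bitmask: int) -> bool:
    """Port Bit Mask (0-65535): only the bits set in the mask are compared,
    so base=1024 with bitmask=0xFC00 matches the whole range 1024-2047."""
    if base is None:
        return True
    return (port & bitmask) == (base & bitmask)


@dataclass
class Rule:
    action: str                        # "permit" or "deny"
    src: Optional[str] = None          # None = Any
    src_mask: Optional[str] = None     # None with src set = Host
    dst: Optional[str] = None
    dst_mask: Optional[str] = None
    protocol: Optional[int] = None     # 6 = TCP, 17 = UDP, other = "Others"; None = any
    src_port: Optional[int] = None
    src_port_mask: int = 0xFFFF
    dst_port: Optional[int] = None
    dst_port_mask: int = 0xFFFF

    def matches(self, pkt: dict) -> bool:
        return (ip_matches(pkt["src"], self.src, self.src_mask)
                and ip_matches(pkt["dst"], self.dst, self.dst_mask)
                and (self.protocol is None or pkt["proto"] == self.protocol)
                and port_matches(pkt.get("sport", 0), self.src_port, self.src_port_mask)
                and port_matches(pkt.get("dport", 0), self.dst_port, self.dst_port_mask))


def evaluate(acl: List[Rule], pkt: dict) -> str:
    """Return the action of the first matching rule; 'deny' if none matches."""
    for rule in acl:
        if rule.matches(pkt):
            return rule.action
    return "deny"


# Constructed sample list: block one host outright, allow HTTPS from the
# 10.1.0.0/16 user range to one server, allow remaining UDP from that range.
EXTENDED_ACL: List[Rule] = [
    Rule("deny", src="10.1.5.7"),
    Rule("permit", src="10.1.0.0", src_mask="255.255.0.0",
         dst="192.0.2.10", protocol=6, dst_port=443),
    Rule("permit", src="10.1.0.0", src_mask="255.255.0.0", protocol=17),
]

if __name__ == "__main__":
    sample = {"src": "10.1.2.3", "dst": "192.0.2.10", "proto": 6, "sport": 40000, "dport": 443}
    print(evaluate(EXTENDED_ACL, sample))
```

Rule order matters: the host deny sits first so that it wins over the broader permit that would otherwise match the same source range.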
◆ Source Address Type – Specifies the source IP address. Use “Any” to include all possible addresses, “Host” to specify a specific host address in the Address field, or “IPv6-Prefix” to specify a range of addresses. (Options: Any, Host, IPv6-Prefix; Default: Any)
◆ Source IPv6 Address – An IPv6 source address or network class.

Figure 206: Configuring a Standard IPv6 ACL

CONFIGURING AN EXTENDED IPV6 ACL
Use the Security > ACL (Configure ACL - Add Rule - IPv6 Extended) page to configure an Extended IPv6 ACL.
CLI REFERENCES
◆ "permit, deny (Extended IPv6 ACL)" on page 1172
◆ "show ipv6 access-list" on page 1175
◆ "Time Range" on page 957
PARAMETERS
These parameters are displayed in the web interface:
◆ Type – Selects the type of ACLs to show in the Name list.

◆ Next Header – Identifies the type of header immediately following the IPv6 header. (Range: 0-255)
  Optional internet-layer information is encoded in separate headers that may be placed between the IPv6 header and the upper-layer header in a packet. There are a small number of such extension headers, each identified by a distinct Next Header value.

5. Select the name of an ACL from the Name list.
6. Specify the action (i.e., Permit or Deny).
7. Select the address type (Any or IPv6-prefix).
8. If you select “Host,” enter a specific address. If you select “IPv6-prefix,” enter a subnet address and prefix length.
9. Set any other required criteria, such as DSCP, next header type, or flow label.
10. Click Apply.

◆ Source/Destination Address Type – Use “Any” to include all possible addresses, “Host” to indicate a specific MAC address, or “MAC” to specify an address range with the Address and Bit Mask fields. (Options: Any, Host, MAC; Default: Any)
◆ Source/Destination MAC Address – Source or destination MAC address.
◆ Source/Destination Bit Mask – Hexadecimal mask for source or destination MAC address.

8. If you select “Host,” enter a specific address (e.g., 11-22-33-44-55-66). If you select “MAC,” enter a base address and a hexadecimal bit mask for an address range.
9. Set any other required criteria, such as VID, Ethernet type, or packet format.
10. Click Apply.

Figure 208: Configuring a MAC ACL

CONFIGURING AN ARP ACL
Use the Security > ACL (Configure ACL - Add Rule - ARP) page to configure ACLs based on ARP message addresses.

◆ Source/Destination IP Address Type – Specifies the source or destination IPv4 address. Use “Any” to include all possible addresses, “Host” to specify a specific host address in the Address field, or “IP” to specify a range of addresses with the Address and Mask fields. (Options: Any, Host, IP; Default: Any)
◆ Source/Destination IP Address – Source or destination IP address.

Figure 209: Configuring an ARP ACL

BINDING A PORT TO AN ACCESS CONTROL LIST
After configuring ACLs, use the Security > ACL (Configure Interface) page to bind the ports that need to filter traffic to the appropriate ACLs. You can assign one IP access list and one MAC access list to any port.

4. Select a port.
5. Select the name of an ACL from the ACL list.
6. Click Apply.

Figure 210: Binding a Port to an ACL

SHOWING ACL HARDWARE COUNTERS
Use the Security > ACL > Configure Interface (Show Hardware Counters) page to show statistics for ACL hardware counters.
CLI REFERENCES
◆ "show access-list" on page 1185
PARAMETERS
These parameters are displayed:
◆ Port – Port identifier. (Range: 1-12)
◆ Type – ACL type.

◆ Clear Counter – Clears hit counter for rules in specified ACL.
WEB INTERFACE
To show statistics for ACL hardware counters:
1. Click Security, ACL.
2. Select Configure Interface from the Step list.
3. Select Show Hardware Counters from the Action list.
4. Select a port.
5. Select ingress or egress traffic.
COMMAND USAGE
Enabling & Disabling ARP Inspection
◆ ARP Inspection is controlled on a global and VLAN basis.
◆ By default, ARP Inspection is disabled both globally and on all VLANs.
  ■ If ARP Inspection is globally enabled, then it becomes active only on the VLANs where it has been enabled.

with different MAC addresses are classified as invalid and are dropped.
  ■ IP – Checks the ARP body for invalid and unexpected IP addresses. These addresses include 0.0.0.0, 255.255.255.255, and all IP multicast addresses. Sender IP addresses are checked in all ARP requests and responses, while target IP addresses are checked only in ARP responses.
  ■ Allow Zeros – Allows sender IP address to be 0.0.0.0.
  ■ Src-MAC – Validates the source MAC address in the Ethernet header against the sender MAC address in the ARP body. This check is performed on both ARP requests and responses.
◆ Log Message Number – The maximum number of entries saved in a log message. (Range: 0-256; Default: 5)
◆ Log Interval – The interval at which log messages are sent.

◆ ARP Inspection ACLs are configured within the ARP ACL configuration page (see page 406).
◆ ARP Inspection ACLs can be applied to any configured VLAN.
◆ ARP Inspection uses the DHCP snooping bindings database for the list of valid IP-to-MAC address bindings. ARP ACLs take precedence over entries in the DHCP snooping bindings database. The switch first compares ARP packets to any specified ARP ACLs.
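The three passages above define an ordering: the optional Dst-MAC, IP (with Allow Zeros) and Src-MAC checks, then ARP ACLs, which take precedence, then the DHCP snooping binding table. The following is an added example, not the switch's own code, that runs that order over constructed ARP packets and reports a reason matching the drop counters of Table 24. That an ARP packet matching no ACL rule falls through to the binding table, that the Dst-MAC check applies to responses only, and the dict packet layout and ArpRule class are assumptions of this example.

```python
"""Added example (not the switch's own code): the ARP Inspection decision
order described above, run over constructed ARP packets.  The optional
Dst-MAC/IP/Src-MAC checks come first, then ARP ACLs (which take
precedence), then the DHCP snooping binding table.  Falling through to the
binding table when no ACL rule matches, and the Dst-MAC check applying to
responses only, are assumptions of this example."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Dict, List, Optional, Tuple


@dataclass
class Validation:
    dst_mac: bool = True
    ip: bool = True
    allow_zeros: bool = False
    src_mac: bool = True


def invalid_ip(ip: str, allow_zeros: bool) -> bool:
    """0.0.0.0 (unless Allow Zeros), the limited broadcast, and multicast."""
    if ip == "0.0.0.0":
        return not allow_zeros
    return ip == "255.255.255.255" or IPv4Address(ip).is_multicast


def additional_validation(pkt: dict, v: Validation) -> Optional[str]:
    """Return the failing check name, or None when the packet passes."""
    is_reply = pkt["op"] == "reply"
    if v.dst_mac and is_reply and pkt["eth_dst"] != pkt["target_mac"]:
        return "dst-mac"
    if v.ip:
        if invalid_ip(pkt["sender_ip"], v.allow_zeros):
            return "ip"
        # Target IP is checked only in responses; Allow Zeros covers the sender only.
        if is_reply and invalid_ip(pkt["target_ip"], allow_zeros=False):
            return "ip"
    if v.src_mac and pkt["eth_src"] != pkt["sender_mac"]:
        return "src-mac"
    return None


@dataclass
class ArpRule:
    action: str                       # "permit" or "deny"
    sender_ip: Optional[str] = None   # None = Any
    sender_mac: Optional[str] = None  # None = Any

    def matches(self, pkt: dict) -> bool:
        return ((self.sender_ip is None or pkt["sender_ip"] == self.sender_ip)
                and (self.sender_mac is None or pkt["sender_mac"] == self.sender_mac))


Bindings = Dict[Tuple[int, str], str]   # (VLAN, IP) -> MAC, as registered by DHCP snooping


def inspect(pkt: dict, v: Validation, acl: List[ArpRule], bindings: Bindings) -> Tuple[str, str]:
    """Return (verdict, reason); the reasons mirror the drop counters in Table 24."""
    failed = additional_validation(pkt, v)
    if failed:
        return "drop", f"additional validation ({failed})"
    for rule in acl:
        if rule.matches(pkt):
            return ("forward" if rule.action == "permit" else "drop"), "arp acl"
    if bindings.get((pkt["vlan"], pkt["sender_ip"])) == pkt["sender_mac"]:
        return "forward", "dhcp snooping binding"
    return "drop", "dhcp snooping"


# Constructed sample data: one DHCP client binding and a static ACL entry
# for a gateway that never obtains its address via DHCP.
BINDINGS: Bindings = {(10, "10.0.0.5"): "00-11-22-33-44-55"}
GATEWAY_ACL = [ArpRule("permit", sender_ip="10.0.0.1", sender_mac="00-aa-bb-cc-dd-ee")]


def make_arp(op: str, sender_ip: str, sender_mac: str, target_ip: str,
             target_mac: str = "00-00-00-00-00-00", eth_src: Optional[str] = None,
             eth_dst: str = "ff-ff-ff-ff-ff-ff", vlan: int = 10) -> dict:
    """Build a constructed ARP packet; eth_src defaults to the ARP sender MAC."""
    return {"op": op, "sender_ip": sender_ip, "sender_mac": sender_mac,
            "target_ip": target_ip, "target_mac": target_mac,
            "eth_src": eth_src or sender_mac, "eth_dst": eth_dst, "vlan": vlan}


if __name__ == "__main__":
    pkt = make_arp("request", "10.0.0.5", "00-11-22-33-44-55", "10.0.0.1")
    print(inspect(pkt, Validation(), GATEWAY_ACL, BINDINGS))
```

The ACL entry for the gateway is what keeps statically addressed hosts reachable once inspection is on, while a request that claims the gateway's IP from a different MAC has no ACL match and no binding and is counted under "dropped by DHCP snooping".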
Figure 213: Configuring VLAN Settings for ARP Inspection

CONFIGURING INTERFACE SETTINGS FOR ARP INSPECTION
Use the Security > ARP Inspection (Configure Interface) page to specify the ports that require ARP inspection, and to adjust the packet inspection rate.
CLI REFERENCES
◆ "ARP Inspection" on page 1145
PARAMETERS
These parameters are displayed:
◆ Interface – Port or trunk identifier.
◆ Trust Status – Configures the port as trusted or untrusted.

WEB INTERFACE
To configure interface settings for ARP Inspection:
1. Click Security, ARP Inspection.
2. Select Configure Interface from the Step list.
3. Specify any untrusted ports which require ARP inspection, and adjust the packet inspection rate.
4. Click Apply.

Table 24: ARP Inspection Statistics (Continued)
Parameter                                            Description
ARP packets dropped by additional validation (IP)    Count of ARP packets that failed the IP address test.
ARP packets dropped by ARP ACLs                      Count of ARP packets that failed validation against ARP ACL rules.
ARP packets dropped by DHCP snooping                 Count of packets that failed validation against the DHCP Snooping Binding database.

WEB INTERFACE
To display statistics for ARP Inspection:
1.

Table 25: ARP Inspection Log (Continued)
Parameter          Description
Src. IP Address    The source IP address in the packet.
Dst. IP Address    The destination IP address in the packet.
Src. MAC Address   The source MAC address in the packet.
Dst. MAC Address   The destination MAC address in the packet.

WEB INTERFACE
To display the ARP Inspection log:
1. Click Security, ARP Inspection.
2. Select Show Information from the Step list.
3.

◆ When entering addresses for the same group (i.e., SNMP, web or Telnet), the switch will not accept overlapping address ranges. When entering addresses for different groups, the switch will accept overlapping address ranges.
◆ You cannot delete an individual address from a specified range. You must delete the entire range, and reenter the addresses.

Figure 217: Creating an IP Address Filter for Management Access

To show a list of IP addresses authorized for management access:
1. Click Security, IP Filter.
2. Select Show from the Action list.

◆ To configure the maximum number of address entries which can be learned on a port, specify the maximum number of dynamic addresses allowed. The switch will learn up to the maximum number of allowed address pairs for frames received on the port. When the port has reached the maximum number of MAC addresses, the port will stop learning new addresses.

  ■ Trap and Shutdown: Send an SNMP trap message and disable the port.
◆ Max MAC Count – The maximum number of MAC addresses that can be learned on a port. (Range: 0-1024, where 0 means disabled) The maximum address count is effective when port security is enabled or disabled.
◆ Current MAC Count – The number of MAC addresses currently associated with this interface.
CONFIGURING 802.1X PORT AUTHENTICATION
Network switches can provide open and easy access to network resources by simply attaching a client PC. Although this automatic configuration and access is a desirable feature, it also allows unauthorized personnel to easily intrude and possibly gain access to sensitive network data. The IEEE 802.

The operation of 802.1X on the switch requires the following:
◆ The switch must have an IP address assigned.
◆ RADIUS authentication must be enabled on the switch and the IP address of the RADIUS server specified.
◆ 802.1X must be enabled globally for the switch.
◆ Each switch port that will be used must be set to dot1X “Auto” mode.

◆ Default – Sets all configurable 802.1X global and port settings to their default values.
WEB INTERFACE
To configure global settings for 802.1X:
1. Click Security, Port Authentication.
2. Select Configure Global from the Step list.
3. Enable 802.1X globally for the switch, and configure EAPOL Pass Through if required.
4. Click Apply.

Figure 221: Configuring Global Settings for 802.1X

PARAMETERS
These parameters are displayed:
◆ Port – Port number.
◆ Status – Indicates if authentication is enabled or disabled on the port. The status is disabled if the control mode is set to Force-Authorized.
◆ Authorized – Displays the 802.1X authorization status of connected clients.
  ■ Yes – Connected client is authorized.
  ■ N/A – Connected client is not authorized, or port is not connected.

◆ Max Request – Sets the maximum number of times the switch port will retransmit an EAP request packet to the client before it times out the authentication session. (Range: 1-10; Default 2)
◆ Quiet Period – Sets the time that a switch port waits after the Max Request Count has been exceeded before attempting to acquire a new client.

Supplicant List
◆ Supplicant – MAC address of authorized client.
Authenticator PAE State Machine
◆ State – Current state (including initialize, disconnected, connecting, authenticating, authenticated, aborting, held, force_authorized, force_unauthorized).
◆ Reauth Count – Number of times connecting state is re-entered.
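Max Request, Quiet Period and the Authenticator PAE states above interact in a way that is easier to see in code than in the parameter list: an unanswered client drives the port through connecting, into held for one quiet period, and back to connecting, which is what Reauth Count counts. The following is an added example, not the switch's own code, that models one port's authenticator with those two timers. It is a simplification of the IEEE 802.1X state machine; the event names, the use of abstract ticks for time, and the subset of states covered are this example's own.

```python
"""Added example (not the switch's own code): a simplified authenticator
PAE for one port showing how Max Request and Quiet Period interact with
the states listed above.  Timer values are expressed in abstract ticks and
the event names are this example's own."""
from dataclasses import dataclass, field
from typing import List


@dataclass
class AuthenticatorPAE:
    max_request: int = 2          # retransmissions of an EAP request before giving up
    quiet_period: int = 60        # ticks to wait in "held" before re-acquiring a client
    state: str = "initialize"
    request_count: int = 0
    quiet_remaining: int = 0
    reauth_count: int = 0
    trace: List[str] = field(default_factory=list)

    def _go(self, new_state: str) -> None:
        if new_state == "connecting":
            self.reauth_count += 1      # "Number of times connecting state is re-entered"
        self.state = new_state
        self.trace.append(new_state)

    def link_up(self) -> None:
        """Port comes up (or the quiet period ends): start acquiring a client."""
        self._go("connecting")
        self.request_count = 0

    def eapol_response_identity(self) -> None:
        """Client answered EAP Request/Identity: the EAP exchange begins."""
        if self.state == "connecting":
            self._go("authenticating")
            self.request_count = 0

    def request_timeout(self) -> None:
        """An EAP request to the client went unanswered; retransmit up to
        max_request times, then give up and enter held."""
        if self.state not in ("connecting", "authenticating"):
            return
        self.request_count += 1
        if self.request_count > self.max_request:
            self._go("held")
            self.quiet_remaining = self.quiet_period

    def radius_accept(self) -> None:
        if self.state == "authenticating":
            self._go("authenticated")

    def radius_reject(self) -> None:
        if self.state == "authenticating":
            self._go("held")
            self.quiet_remaining = self.quiet_period

    def tick(self, ticks: int = 1) -> None:
        """Advance time; held ends when the quiet period has elapsed."""
        if self.state == "held":
            self.quiet_remaining -= ticks
            if self.quiet_remaining <= 0:
                self.quiet_remaining = 0
                self.link_up()          # back to connecting, counted as a re-entry

    def authorized(self) -> str:
        """The Authorized column of the port table: Yes or N/A."""
        return "Yes" if self.state == "authenticated" else "N/A"


def unanswered_client_scenario(max_request: int = 2, quiet_period: int = 60) -> AuthenticatorPAE:
    """Constructed scenario: the client never replies, so the port cycles
    connecting -> held -> connecting after max_request + 1 timeouts."""
    pae = AuthenticatorPAE(max_request=max_request, quiet_period=quiet_period)
    pae.link_up()
    for _ in range(max_request + 1):
        pae.request_timeout()
    pae.tick(quiet_period)
    return pae


if __name__ == "__main__":
    pae = unanswered_client_scenario()
    print(pae.trace, "reauth count:", pae.reauth_count, "authorized:", pae.authorized())
```

With the default Max Request of 2, the third unanswered request ends the attempt; a short Quiet Period makes the port retry sooner, a long one limits how often a silent or misbehaving device can keep the authenticator busy.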
Figure 222: Configuring Interface Settings for 802.1X Port Authenticator

DISPLAYING 802.1X STATISTICS
Use the Security > Port Authentication (Show Statistics) page to display statistics for dot1x protocol exchanges for any port.
CLI REFERENCES
◆ "show dot1x" on page 1076
PARAMETERS
These parameters are displayed:

Table 26: 802.1X Statistics

Table 26: 802.1X Statistics (Continued)
Parameter          Description
Rx Last EAPOLSrc   The source MAC address carried in the most recent EAPOL frame received by this Authenticator.
Rx EAP Resp/Id     The number of EAP Resp/Id frames that have been received by this Authenticator.
Rx EAP Resp/Oth    The number of valid EAP Response frames (other than Resp/Id frames) that have been received by this Authenticator.

WEB INTERFACE
To display port authenticator statistics for 802.1X:
1. Click Security, Port Authentication.
2. Select Show Statistics from the Step list.

Figure 223: Showing Statistics for 802.1X Port Authenticator

DOS PROTECTION
Use the Security > DoS Protection page to protect against denial-of-service (DoS) attacks. A DoS attack is an attempt to block the services provided by a computer or network resource.

port is closed, the target replies with a TCP RST (reset) packet. If the target TCP port is open, it simply discards the TCP NULL scan. (Default: Enabled)
◆ TCP SYN/FIN Scan – A TCP SYN/FIN scan message is used to identify listening TCP ports. The scan uses a series of strangely configured TCP packets which contain SYN (synchronize) and FIN (finish) flags. If the target's TCP port is closed, the target replies with a TCP RST (reset) packet.
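Both checks above are decided by one byte of the TCP header: the flags field at offset 13. A NULL scan segment has no flags set at all, and a SYN/FIN scan segment sets SYN and FIN together, a combination no legitimate connection produces. The following is an added example, not the switch's own code, that builds constructed TCP headers in memory, classifies them by that byte, and applies the per-check enable setting (Default: Enabled) to reach a drop or forward verdict. The DosProtection class and the header builder are this example's own.

```python
"""Added example (not the switch's own code): the TCP NULL scan and TCP
SYN/FIN scan checks described above, applied to constructed raw TCP
headers.  It classifies by the flag byte at offset 13 of the TCP header
and models the per-check Default: Enabled setting."""
import struct
from dataclasses import dataclass
from typing import Optional

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def build_tcp_header(sport: int, dport: int, flags: int) -> bytes:
    """Minimal 20-byte TCP header (no options) for test input only; the
    checksum is left zero because nothing here is transmitted."""
    data_offset = 5 << 4               # 5 x 32-bit words, reserved bits zero
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, data_offset, flags, 65535, 0, 0)


def tcp_flags(segment: bytes) -> int:
    """Flags byte of a TCP header (byte 13); raises on a truncated header."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    return segment[13]


def classify_scan(segment: bytes) -> Optional[str]:
    """Name the scan pattern a segment matches, or None for ordinary traffic."""
    flags = tcp_flags(segment)
    if flags == 0:
        return "tcp-null-scan"           # no flags at all
    if flags & SYN and flags & FIN:
        return "tcp-syn-fin-scan"        # open and close requested in one segment
    return None


@dataclass
class DosProtection:
    tcp_null_scan: bool = True           # Default: Enabled
    tcp_syn_fin_scan: bool = True        # Default: Enabled

    def verdict(self, segment: bytes) -> str:
        kind = classify_scan(segment)
        if kind == "tcp-null-scan" and self.tcp_null_scan:
            return "drop"
        if kind == "tcp-syn-fin-scan" and self.tcp_syn_fin_scan:
            return "drop"
        return "forward"


# Constructed sample segments.
NULL_SCAN = build_tcp_header(40000, 8080, 0)
SYN_FIN_SCAN = build_tcp_header(40001, 8080, SYN | FIN)
NORMAL_SYN = build_tcp_header(40002, 443, SYN)
NORMAL_FIN_ACK = build_tcp_header(40003, 443, FIN | ACK)

if __name__ == "__main__":
    guard = DosProtection()
    for name, seg in (("null", NULL_SCAN), ("syn/fin", SYN_FIN_SCAN), ("syn", NORMAL_SYN)):
        print(name, classify_scan(seg), guard.verdict(seg))
```

A normal handshake SYN and a FIN/ACK close are left alone, so enabling both checks costs nothing for legitimate sessions.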
CONFIGURING PORTS FOR IP SOURCE GUARD
Use the Security > IP Source Guard > Port Configuration page to set the filtering type based on source IP address, or source IP address and MAC address pairs. IP Source Guard is used to filter traffic on an insecure port which receives messages from outside the network or firewall, and therefore may be subject to traffic attacks caused by a host trying to use the IP address of a neighbor.

PARAMETERS
These parameters are displayed:
◆ Filter Type – Configures the switch to filter inbound traffic based on source IP address, or source IP address and corresponding MAC address. (Default: None)
  ■ None – Disables IP source guard filtering on the port.
  ■ SIP – Enables traffic filtering based on IP addresses stored in the binding table.

CONFIGURING STATIC BINDINGS FOR IP SOURCE GUARD
Use the Security > IP Source Guard > Static Configuration page to bind a static address to a port. Table entries include a MAC address, IP address, lease time, entry type (Static, Dynamic), VLAN identifier, and port identifier. All static entries are configured with an infinite lease time, which is indicated with a value of zero in the table.

◆ IP Address – IP address corresponding to the client.
◆ Lease Time – The time for which this IP address is leased to the client. (This value is zero for all static addresses.)
WEB INTERFACE
To configure static bindings for IP Source Guard:
1. Click Security, IP Source Guard, Static Configuration.
2. Select Add from the Action list.
3. Enter the required bindings for each port.
4.
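The Filter Type and the binding-table entries described above combine into a per-port decision: with SIP only the source IP must have a binding on that port and VLAN, with the IP-and-MAC mode the frame's source MAC must match the bound one as well, and a dynamic entry stops protecting its host once its lease runs out while a static entry (lease 0) never expires. The following is an added example, not the switch's own code, that implements that decision over a small constructed table. SIP-MAC is named here as the third filter type, an assumption since the page text above lists None and SIP; the IpSourceGuard class and the age() method are this example's own.

```python
"""Added example (not the switch's own code): per-port Filter Type (None,
SIP, and SIP-MAC, the third type, assumed here since the page text above
shows None and SIP) applied to a binding table that mixes static entries
(lease 0 = infinite) and dynamic entries with expiring leases."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Binding:
    mac: str
    ip: str
    lease: int          # seconds remaining; 0 means infinite (all static entries)
    kind: str           # "Static" or "Dynamic"
    vlan: int
    port: int


class IpSourceGuard:
    def __init__(self) -> None:
        self.filter_type: Dict[int, str] = {}     # port -> "None" | "SIP" | "SIP-MAC"
        self.table: List[Binding] = []

    def set_filter(self, port: int, filter_type: str) -> None:
        if filter_type not in ("None", "SIP", "SIP-MAC"):
            raise ValueError(filter_type)
        self.filter_type[port] = filter_type

    def add_static(self, mac: str, ip: str, vlan: int, port: int) -> None:
        """Static entries carry an infinite lease, shown as zero in the table."""
        self.table.append(Binding(mac, ip, 0, "Static", vlan, port))

    def add_dynamic(self, mac: str, ip: str, vlan: int, port: int, lease: int) -> None:
        """Entry as DHCP snooping would register it; the lease must be positive."""
        if lease <= 0:
            raise ValueError("dynamic entries need a finite lease")
        self.table.append(Binding(mac, ip, lease, "Dynamic", vlan, port))

    def age(self, seconds: int) -> None:
        """Count down dynamic leases and drop expired entries; static entries stay."""
        kept = []
        for b in self.table:
            if b.kind == "Dynamic":
                b.lease -= seconds
                if b.lease <= 0:
                    continue
            kept.append(b)
        self.table = kept

    def permits(self, port: int, vlan: int, src_ip: str, src_mac: str) -> bool:
        """Decide whether an inbound frame on this port passes the filter."""
        ftype = self.filter_type.get(port, "None")
        if ftype == "None":
            return True
        for b in self.table:
            if b.port != port or b.vlan != vlan or b.ip != src_ip:
                continue
            if ftype == "SIP" or b.mac == src_mac:
                return True
        return False


def build_sample() -> IpSourceGuard:
    """Constructed sample: a printer with a static binding on port 3 and a
    DHCP client on port 4 whose lease expires in 60 seconds."""
    g = IpSourceGuard()
    g.set_filter(3, "SIP-MAC")
    g.set_filter(4, "SIP")
    g.add_static("00-11-22-33-44-55", "10.0.0.50", 10, 3)
    g.add_dynamic("00-aa-bb-cc-dd-ee", "10.0.0.101", 10, 4, lease=60)
    return g


if __name__ == "__main__":
    g = build_sample()
    print(g.permits(3, 10, "10.0.0.50", "00-11-22-33-44-55"),
          g.permits(3, 10, "10.0.0.50", "00-de-ad-be-ef-00"))
```

The SIP mode still stops a host on port 4 from using the printer's address, because the binding is keyed by port as well as IP; it only stops checking the MAC.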
DISPLAYING INFORMATION FOR DYNAMIC IPV4 SOURCE GUARD BINDINGS
Use the Security > IP Source Guard > Dynamic Binding page to display the source-guard binding table for a selected interface.
CLI REFERENCES
◆ "show ip dhcp snooping binding" on page 1126
PARAMETERS
These parameters are displayed:
Query by
◆ Port – A port on this switch.
◆ VLAN – ID of a configured VLAN (Range: 1-4094)
◆ MAC Address – A valid unicast MAC address.

Figure 228: Showing the IP Source Guard Binding Table

IPV6 SOURCE GUARD
IPv6 Source Guard is a security feature that filters IPv6 traffic on non-routed, Layer 2 network interfaces based on manually configured entries in the IPv6 Source Guard table, or dynamic entries in the Neighbor Discovery Snooping table or DHCPv6 Snooping table when either snooping protocol is enabled (see the DHCPv6 Snooping commands on page 1126).

snooping or DHCPv6 snooping, or static addresses configured in the source guard binding table. The port allows only IPv6 traffic with a matching entry in the binding table and denies all other IPv6 traffic.
◆ Table entries include a MAC address, IPv6 global unicast address, entry type (Static-IPv6-SG-Binding, Dynamic-ND-Binding, Dynamic-DHCPv6-Binding), VLAN identifier, and port identifier.

  This parameter sets the maximum number of IPv6 global unicast source IPv6 address entries that can be mapped to an interface in the binding table, including both dynamic entries discovered by ND snooping, DHCPv6 snooping (see the DHCPv6 Snooping commands), and static entries set by IPv6 Source Guard (see "Configuring Static Bindings for IPv6 Source Guard" on page 440).

COMMAND USAGE
◆ Traffic filtering is based only on the source IPv6 address, VLAN ID, and port number.
◆ Static addresses entered in the source guard binding table are automatically configured with an infinite lease time.
◆ When source guard is enabled, traffic is filtered based upon dynamic entries learned via ND snooping, DHCPv6 snooping, or static addresses configured in the source guard binding table.

◆ IPv6 Address – IPv6 address corresponding to the client.
◆ Type – Shows the entry type:
  ■ DHCP – Dynamic DHCPv6 binding, stateful address.
  ■ ND – Dynamic Neighbor Discovery binding, stateless address.
  ■ STA – Static IPv6 Source Guard binding.
WEB INTERFACE
To configure static bindings for IPv6 Source Guard:
1. Click Security, IPv6 Source Guard, Static Configuration.
2. Select Add from the Action list.
3. Enter the required bindings for each port.

DISPLAYING INFORMATION FOR DYNAMIC IPV6 SOURCE GUARD BINDINGS
Use the Security > IPv6 Source Guard > Dynamic Binding page to display the source-guard binding table for a selected interface.
CLI REFERENCES
◆ "show ipv6 source-guard binding" on page 1145
PARAMETERS
These parameters are displayed:
Query by
◆ Port – A port on this switch.
◆ VLAN – ID of a configured VLAN (Range: 1-4094)
◆ MAC Address – A valid unicast MAC address.

DHCP SNOOPING
The addresses assigned to DHCP clients on insecure ports can be carefully controlled using the dynamic bindings registered with DHCP Snooping (or using the static bindings configured with IP Source Guard). DHCP snooping allows a switch to protect a network from rogue DHCP servers or other devices which send port-related information to a DHCP server. This information can be useful in tracking an IP address back to a physical port.

  ■ If the DHCP packet is from a client, such as a DECLINE or RELEASE message, the switch forwards the packet only if the corresponding entry is found in the binding table.
  ■ If the DHCP packet is from a client, such as a DISCOVER, REQUEST, INFORM, DECLINE or RELEASE message, the packet is forwarded if MAC address verification is disabled.

the DHCP client request, including the port and VLAN ID. This allows DHCP client-server exchange messages to be forwarded between the server and client without having to flood them to the entire VLAN.
◆ If DHCP Snooping Information Option 82 is enabled on the switch, information may be inserted into a DHCP request packet received over any VLAN (depending on DHCP snooping filtering rules).

  ■ string - An arbitrary string inserted into the remote identifier field. (Range: 1-32 characters)
◆ DHCP Snooping Information Option Policy – Specifies how to handle DHCP client request packets which already contain Option 82 information.
  ■ Drop – Drops the client’s request packet instead of relaying it.
  ■ Keep – Retains the Option 82 information in the client request, and forwards the packets to trusted ports.
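The Option 82 material above (the relay-agent information carrying port and VLAN, a remote identifier string of 1-32 characters, and the policy for client requests that already carry Option 82) is easiest to reason about with the DHCP option encoding in front of you. The following is an added example, not the switch's own code, that parses and re-serializes DHCP TLV options, builds an Option 82 with circuit-id and remote-id sub-options, and applies the policy. Drop and Keep are the policies listed on this page; Replace is assumed as the third policy. The circuit-id layout (VLAN and port as 16-bit values) is this example's own choice, not the switch's encoding.

```python
"""Added example (not the switch's own code): DHCP option parsing and the
Option 82 policy for client requests described above.  Drop and Keep are
the policies listed on this page; Replace is assumed as the third policy.
The circuit-ID layout (VLAN and port as 16-bit values) is this example's
own choice; real relay agents use their own encodings."""
from typing import List, Optional, Tuple

OPTION_RELAY_AGENT = 82
OPTION_END = 255
OPTION_PAD = 0
SUBOPT_CIRCUIT_ID = 1
SUBOPT_REMOTE_ID = 2

Options = List[Tuple[int, bytes]]


def parse_options(raw: bytes) -> Options:
    """Parse DHCP TLV options (the part after the magic cookie) up to End."""
    opts: Options = []
    i = 0
    while i < len(raw):
        code = raw[i]
        if code == OPTION_END:
            break
        if code == OPTION_PAD:
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError("truncated option header")
        length = raw[i + 1]
        value = raw[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        opts.append((code, value))
        i += 2 + length
    return opts


def serialize_options(opts: Options) -> bytes:
    return b"".join(bytes([c, len(v)]) + v for c, v in opts) + bytes([OPTION_END])


def build_option82(port: int, vlan: int, remote_id: bytes) -> bytes:
    """Relay agent information: circuit-id (VLAN, port) and remote-id sub-options."""
    if not 1 <= len(remote_id) <= 32:           # string mode: 1-32 characters
        raise ValueError("remote identifier must be 1-32 bytes")
    circuit = vlan.to_bytes(2, "big") + port.to_bytes(2, "big")
    return (bytes([SUBOPT_CIRCUIT_ID, len(circuit)]) + circuit
            + bytes([SUBOPT_REMOTE_ID, len(remote_id)]) + remote_id)


def apply_policy(raw: bytes, policy: str, port: int, vlan: int, remote_id: bytes) -> Optional[bytes]:
    """Return the option bytes to relay, or None when the request is dropped."""
    opts = parse_options(raw)
    already_present = any(code == OPTION_RELAY_AGENT for code, _ in opts)
    if already_present:
        if policy == "drop":
            return None
        if policy == "keep":
            return raw
        if policy != "replace":
            raise ValueError(policy)
        opts = [(c, v) for c, v in opts if c != OPTION_RELAY_AGENT]
    opts.append((OPTION_RELAY_AGENT, build_option82(port, vlan, remote_id)))
    return serialize_options(opts)


def option82_of(raw: bytes) -> Optional[bytes]:
    """The Option 82 value carried in an option block, if any."""
    for code, value in parse_options(raw):
        if code == OPTION_RELAY_AGENT:
            return value
    return None


# Constructed sample requests: option 53 = 1 is DHCPDISCOVER; the second
# already carries an Option 82 inserted by some upstream device.
PLAIN_DISCOVER = serialize_options([(53, b"\x01")])
TAGGED_DISCOVER = serialize_options([(53, b"\x01"), (OPTION_RELAY_AGENT, b"\x02\x03foo")])

if __name__ == "__main__":
    for policy in ("drop", "keep", "replace"):
        print(policy, apply_policy(TAGGED_DISCOVER, policy, port=7, vlan=10, remote_id=b"sw1"))
```

On an untrusted port a client request should not arrive with Option 82 at all, which is why Drop is the conservative policy; Keep trusts whatever the client supplied, and Replace discards it in favour of the switch's own port and VLAN identification.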
DHCP SNOOPING VLAN CONFIGURATION
Use the IP Service > DHCP > Snooping (Configure VLAN) page to enable or disable DHCP snooping on specific VLANs.
CLI REFERENCES
◆ "ip dhcp snooping vlan" on page 1121
COMMAND USAGE
◆ When DHCP snooping is enabled globally on the switch, and enabled on the specified VLAN, DHCP packet filtering will be performed on any untrusted ports within the VLAN.

CONFIGURING PORTS FOR DHCP SNOOPING
Use the IP Service > DHCP > Snooping (Configure Interface) page to configure switch ports as trusted or untrusted.
CLI REFERENCES
◆ "ip dhcp snooping trust" on page 1123
COMMAND USAGE
◆ A trusted interface is an interface that is configured to receive only messages from within the network. An untrusted interface is an interface that is configured to receive messages from outside the network or firewall.

Figure 235: Configuring the Port Mode for DHCP Snooping

DISPLAYING DHCP SNOOPING BINDING INFORMATION
Use the IP Service > DHCP > Snooping (Show Information) page to display entries in the binding table.
CLI REFERENCES
◆ "show ip dhcp snooping binding" on page 1126
PARAMETERS
These parameters are displayed:
◆ MAC Address – Physical address associated with the entry.
◆ IP Address – IP address corresponding to the client.

WEB INTERFACE
To display the binding table for DHCP Snooping:
1. Click IP Service, DHCP, Snooping.
2. Select Show Information from the Step list.
3. Use the Store or Clear function if required.
14 BASIC ADMINISTRATION PROTOCOLS
This chapter describes basic administration tasks including:
◆ Event Logging – Sets conditions for logging event messages to system memory or flash memory, configures conditions for sending trap messages to remote log servers, and configures trap reporting to remote hosts using Simple Mail Transfer Protocol (SMTP).

CONFIGURING EVENT LOGGING
The switch allows you to control the logging of error messages, including the type of events that are recorded in switch memory, logging to a remote System Log (syslog) server, and displays a list of recent event messages.

SYSTEM LOG CONFIGURATION
Use the Administration > Log > System (Configure Global) page to enable or disable event logging, and specify which levels are logged to RAM or flash memory.

◆ RAM Level – Limits log messages saved to the switch’s temporary RAM memory for all levels up to the specified level. For example, if level 7 is specified, all messages from level 0 to level 7 will be logged to RAM. (Range: 0-7, Default: 7)
NOTE: The Flash Level must be equal to or less than the RAM Level.
NOTE: All log messages are retained in RAM and Flash after a warm restart (i.e., power is reset through the command interface).
Figure 238: Showing Error Messages Logged to System Memory

REMOTE LOG CONFIGURATION
Use the Administration > Log > Remote page to send log messages to syslog servers or other management stations. You can also limit the event messages sent to only those messages below a specified level.

WEB INTERFACE
To configure the logging of error messages to remote servers:
1. Click Administration, Log, Remote.
2. Enable remote logging, specify the facility type to use for the syslog messages, and enter the IP address of the remote servers.
3. Click Apply.
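The System Log and Remote Log pages above describe three independent severity thresholds (RAM, flash, remote) with one constraint between them: the Flash Level may not exceed the RAM Level. The following is an added example, not the switch's own code, that routes constructed events by severity under those thresholds and formats the remote copy with the standard syslog PRI value (facility times 8 plus severity), which is what the facility type selected on the Remote page ends up encoding. The EventLog class, the facility table, and the message layout are this example's own.

```python
"""Added example (not the switch's own code): routing event messages by
severity to RAM, flash and a remote syslog target, with the rule that the
Flash Level may not exceed the RAM Level, and the standard syslog PRI
computation (facility * 8 + severity) used on the wire.  Facility codes
and the message layout are this example's own."""
from dataclasses import dataclass, field
from typing import List, Tuple

SEVERITIES = ["emergency", "alert", "critical", "error",
              "warning", "notice", "informational", "debug"]   # levels 0..7
FACILITIES = {"local0": 16, "local1": 17, "local2": 18, "local3": 19,
              "local4": 20, "local5": 21, "local6": 22, "local7": 23}


def levels_valid(ram_level: int, flash_level: int) -> bool:
    """True when both levels are 0-7 and flash does not exceed RAM."""
    return 0 <= flash_level <= ram_level <= 7


@dataclass
class EventLog:
    ram_level: int = 7            # Default: 7 (everything kept in RAM)
    flash_level: int = 3
    remote_level: int = 6
    facility: str = "local7"
    ram: List[Tuple[int, str]] = field(default_factory=list)
    flash: List[Tuple[int, str]] = field(default_factory=list)
    remote: List[str] = field(default_factory=list)      # lines handed to the syslog server

    def __post_init__(self) -> None:
        self.set_levels(self.ram_level, self.flash_level)

    def set_levels(self, ram_level: int, flash_level: int) -> None:
        """Enforces the NOTE on the page: Flash Level <= RAM Level."""
        if not levels_valid(ram_level, flash_level):
            raise ValueError("levels must be 0-7 and flash level must not exceed RAM level")
        self.ram_level, self.flash_level = ram_level, flash_level

    def pri(self, severity: int) -> int:
        """Syslog PRI as sent on the wire: facility * 8 + severity."""
        return FACILITIES[self.facility] * 8 + severity

    def log(self, severity: int, message: str) -> None:
        """A message is stored or sent wherever its level is at or below the limit."""
        if not 0 <= severity <= 7:
            raise ValueError("severity must be 0-7")
        if severity <= self.ram_level:
            self.ram.append((severity, message))
        if severity <= self.flash_level:
            self.flash.append((severity, message))
        if severity <= self.remote_level:
            self.remote.append(f"<{self.pri(severity)}>{SEVERITIES[severity]}: {message}")


def sample_run() -> EventLog:
    """Constructed run: RAM keeps everything, flash keeps error (3) and
    worse, the remote server receives warning (4) and worse."""
    elog = EventLog(ram_level=7, flash_level=3, remote_level=4)
    elog.log(3, "port 5 link down")
    elog.log(6, "user admin logged in via SSH")
    elog.log(1, "system temperature threshold exceeded")
    return elog


if __name__ == "__main__":
    elog = sample_run()
    print(len(elog.ram), len(elog.flash), len(elog.remote))
    print("\n".join(elog.remote))
```

Keeping the flash threshold tight preserves the messages that matter across a power loss without wearing the flash with informational traffic, while the remote threshold decides what a SIEM or syslog collector actually sees.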
CHAPTER 14 | Basic Administration Protocols Link Layer Discovery Protocol
◆ Email Destination Address – Specifies the email recipients of alert messages. You can specify up to five recipients.
◆ Server IP Address – Specifies a list of up to three recipient SMTP servers. IPv4 or IPv6 addresses may be specified. The switch attempts to connect to the listed servers in sequential order if the first server fails to respond.
WEB INTERFACE
To configure SMTP alert messages:
1. Click Administration, Log, SMTP.
Link Layer Discovery Protocol - Media Endpoint Discovery (LLDP-MED) is an extension of LLDP intended for managing endpoint devices such as Voice over IP phones and network switches. The LLDP-MED TLVs advertise information such as network policy, power, inventory, and device location details.
◆ Notification Interval – Configures the allowed interval for sending SNMP notifications about LLDP MIB changes. (Range: 5-3600 seconds; Default: 5 seconds) This parameter only applies to SNMP applications which use data stored in the LLDP MIB for network monitoring or management. Information about changes in LLDP neighbors that occur between SNMP notifications is not transmitted.
CONFIGURING LLDP INTERFACE ATTRIBUTES
Use the Administration > LLDP (Configure Interface) page to specify the message attributes for individual interfaces, including whether messages are transmitted, received, or both transmitted and received, whether SNMP notifications are sent, and the type of information advertised.
Since there are typically a number of different addresses associated with a Layer 3 device, an individual LLDP PDU may contain more than one management address TLV.
■ MAC/PHY Configuration/Status – The MAC/PHY configuration and status, which includes information about auto-negotiation support/capabilities and the operational Multistation Access Unit (MAU) type.
■ Max Frame Size – The maximum frame size.
◆ MED TLVs – Configures general information included in the MED TLV field of advertised messages.
WEB INTERFACE
To configure LLDP interface attributes:
1. Click Administration, LLDP.
2. Select Configure Interface from the Step list.
3. Set the LLDP transmit/receive mode, specify whether or not to send SNMP trap messages, and select the information to advertise in LLDP messages.
4. Click Apply.
Table 28: LLDP MED Location CA Types
CA Type  Description                                      CA Value Example
1        National subdivisions (state, canton, province)  California
2        County, parish                                   Orange
3        City, township                                   Irvine
4        City division, borough, city district            West Irvine
5        Neighborhood, block                              Riverside
6        Group of streets below the neighborhood level    Exchange
18       Street suffix or type                            Avenue
19       House number                                     320
20       House number suffix                              A
21
Figure 243: Configuring the Civic Address for an LLDP Interface
DISPLAYING LLDP LOCAL DEVICE INFORMATION
Use the Administration > LLDP (Show Local Device Information) page to display information about the switch, such as its MAC address, chassis ID, management IP address, and port information.
◆ System Description – A textual description of the network entity. This field is also displayed by the show system command.
◆ System Capabilities Supported – The capabilities that define the primary function(s) of the system.
Table 30: System Capabilities
ID Basis           Reference
Other              —
Repeater           IETF RFC 2108
Bridge             IETF RFC 2674
WLAN Access Point  IEEE 802.
◆ Port/Trunk ID Type – There are several ways in which a port may be identified. A port ID subtype is used to indicate how the port is being referenced in the Port ID TLV.
Figure 244: Displaying Local Device Information for LLDP (General)
Figure 245: Displaying Local Device Information for LLDP (Port)
Figure 246: Displaying Local Device Information for LLDP (Port Details)
– 469 –
DISPLAYING LLDP REMOTE DEVICE INFORMATION
Use the Administration > LLDP (Show Remote Device Information) page to display information about devices connected directly to the switch’s ports which are advertising information through LLDP, or to display detailed information about an LLDP-enabled device connected to a specific port on the local switch.
◆ Port ID – A string that contains the specific identifier for the port from which this LLDPDU was transmitted.
◆ System Capabilities Supported – The capabilities that define the primary function(s) of the system. (See Table 30, "System Capabilities," on page 467.)
◆ System Capabilities Enabled – The primary function(s) of the system which are currently enabled. (See Table 30, "System Capabilities," on page 467.)
Table 32: Remote Port Auto-Negotiation Advertised Capability
Bit  Capability
3    100BASE-T4
4    100BASE-TX half duplex mode
5    100BASE-TX full duplex mode
6    100BASE-T2 half duplex mode
7    100BASE-T2 full duplex mode
8    PAUSE for full-duplex links
9    Asymmetric PAUSE for full-duplex links
10   Symmetric PAUSE for full-duplex links
11   Asymmetric and Symmetric PAUSE for full-duplex links
12   1000BASE-X, -LX, -SX, -CX half duplex mode
points and others, will be classified according to their power requirements.
Port Details – 802.3 Extension Trunk Information
◆ Remote Link Aggregation Capable – Shows if the remote port is not in link aggregation state and/or it does not support link aggregation.
◆ Remote Link Aggregation Status – The current aggregation status of the link.
◆ Remote Link Port ID – This object contains the IEEE 802.
◆ Current Capabilities – The set of capabilities that define the primary function(s) of the port which are currently enabled.
the other items and described under “Configuring LLDP Interface Civic-Address.”
■ ECS ELIN – Emergency Call Service Emergency Location Identification Number supports traditional PSAP-based Emergency Call Service in North America.
◆ Country Code – The two-letter ISO 3166 country code in capital ASCII letters.
WEB INTERFACE
To display LLDP information for a remote port:
1. Click Administration, LLDP.
2. Select Show Remote Device Information from the Step list.
3. Select Port, Port Details, Trunk, or Trunk Details.
4. When the next page opens, select a port on this switch and the index for a remote device attached to this port.
5. Click Query.
Figure 248: Displaying Remote Device Information for LLDP (Port Details)
Additional information displayed by an end-point device which advertises LLDP-MED TLVs is shown in the following figure.
Figure 249: Displaying Remote Device Information for LLDP (End Node)
DISPLAYING DEVICE STATISTICS
Use the Administration > LLDP (Show Device Statistics) page to display statistics for LLDP-capable devices attached to the switch, and for LLDP protocol messages transmitted or received on all local interfaces.
◆ Neighbor Entries Dropped Count – The number of times which the remote database on this switch dropped an LLDPDU because of insufficient resources.
◆ Neighbor Entries Age-out Count – The number of times that a neighbor’s information has been deleted from the LLDP remote systems MIB because the remote TTL timer has expired.
CHAPTER 14 | Basic Administration Protocols Simple Network Management Protocol
Figure 250: Displaying LLDP Device Statistics (General)
Figure 251: Displaying LLDP Device Statistics (Port)
SIMPLE NETWORK MANAGEMENT PROTOCOL
Simple Network Management Protocol (SNMP) is a communication protocol designed specifically for managing devices on a network. Equipment commonly managed with SNMP includes switches, routers and host computers.
as well as the traffic passing through its ports. A network management station can access this information using network management software. Access to the onboard agent from clients using SNMP v1 and v2c is controlled by community strings. To communicate with the switch, the management station must first submit a valid community string for authentication.
COMMAND USAGE
Configuring SNMPv1/2c Management Access
To configure SNMPv1 or v2c management access to the switch, follow these steps:
1. Use the Administration > SNMP (Configure Global) page to enable SNMP on the switch, and to enable trap messages.
2. Use the Administration > SNMP (Configure User - Add Community) page to configure the community strings authorized for management access.
3.
PARAMETERS
These parameters are displayed:
◆ Agent Status – Enables SNMP on the switch. (Default: Enabled)
◆ Authentication Traps – Issues a notification message to specified IP trap managers whenever an invalid community string is submitted during the SNMP access authentication process. (Default: Enabled)
◆ Link-up and Link-down Traps – Issues a notification message whenever a port link is established or broken.
ID is deleted or changed, all SNMP users will be cleared. You will need to reconfigure all existing users.
PARAMETERS
These parameters are displayed:
◆ Engine ID – A new engine ID can be specified by entering 9 to 64 hexadecimal characters (5 to 32 octets in hexadecimal format). If an odd number of characters are specified, a trailing zero is added to the value to fill in the last octet.
COMMAND USAGE
◆ SNMP passwords are localized using the engine ID of the authoritative agent. For informs, the authoritative SNMP agent is the remote agent. You therefore need to configure the remote agent’s SNMP engine ID before you can send proxy requests or informs to it. (See "Configuring Remote SNMPv3 Users" on page 497.)
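Engine ID handling and password localization, as an added Python example (this is not the switch's code or the guide's): normalize_engine_id applies the 9 to 64 hexadecimal character rule with the trailing-zero padding described above, and localized_key derives the per-engine authentication key the way RFC 3414 specifies (hash the password repeated to 1 MiB, then hash key || engineID || key). Because the engine ID is mixed into the key, the same password yields a different key for every engine, which is why the remote agent's engine ID must be configured before informs sent to it can be authenticated. The example uses the test vector published in RFC 3414 appendix A.3 (password maplesyrup, engine ID 000000000000000000000002); the nine-character engine ID 800000000 is a constructed value chosen to show the padding.

```python
import hashlib
import re

HEX_RE = re.compile(r"^[0-9A-Fa-f]+$")


def normalize_engine_id(text):
    """Apply the guide's rules: 9 to 64 hexadecimal characters, and an odd
    count gets a trailing zero to fill the last octet. Returns the engine ID
    as bytes (5 to 32 octets)."""
    if not HEX_RE.match(text):
        raise ValueError("engine ID must be hexadecimal characters")
    if not 9 <= len(text) <= 64:
        raise ValueError("engine ID must be 9 to 64 hexadecimal characters")
    if len(text) % 2:
        text += "0"
    return bytes.fromhex(text)


def password_to_key(password, algo):
    """RFC 3414 appendix A.2: the password is repeated to exactly 1 MiB
    and hashed. This is the deliberately expensive step."""
    pw = password.encode()
    if not pw:
        raise ValueError("empty password")
    buf = (pw * (1048576 // len(pw) + 1))[:1048576]
    return hashlib.new(algo, buf).digest()


def localize_key(key, engine_id, algo):
    """RFC 3414 section 2.6: Kul = H(Ku || snmpEngineID || Ku), which ties
    the key to a single authoritative engine."""
    return hashlib.new(algo, key + engine_id + key).digest()


def localized_key(password, engine_id_hex, algo="md5"):
    """Password -> key localized to the given engine ID. For informs the
    authoritative engine is the remote agent, so its ID is the one that
    has to be configured before the inform can be authenticated."""
    engine_id = normalize_engine_id(engine_id_hex)
    return localize_key(password_to_key(password, algo), engine_id, algo)


# Test vector from RFC 3414 appendix A.3 (password and engine ID from the RFC).
RFC_PASSWORD = "maplesyrup"
RFC_ENGINE_ID = "000000000000000000000002"

if __name__ == "__main__":
    print("MD5 localized key :", localized_key(RFC_PASSWORD, RFC_ENGINE_ID, "md5").hex())
    print("SHA localized key :", localized_key(RFC_PASSWORD, RFC_ENGINE_ID, "sha1").hex())
    # Constructed 9-character engine ID: padded with a trailing zero to 5 octets.
    print("padded engine ID  :", normalize_engine_id("800000000").hex())
```

Running the block reproduces the RFC's published MD5 and SHA localized keys, and shows that the constructed nine-character ID becomes the five octets 80 00 00 00 00. A key derived for the local engine will not verify against a remote engine, so a mismatch in a configured remote engine ID shows up as authentication failures on informs rather than as a configuration error.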
Figure 255: Showing Remote Engine IDs for SNMP
SETTING SNMPV3 VIEWS
Use the Administration > SNMP (Configure View) page to configure SNMPv3 views which are used to restrict user access to specified portions of the MIB tree. The predefined view “defaultview” includes access to the entire MIB tree.
3. Select Add View from the Action list.
4. Enter a view name and specify the initial OID subtree in the switch’s MIB database to be included or excluded in the view. Use the Add OID Subtree page to add additional object identifier branches to the view.
5. Click Apply.
Figure 256: Creating an SNMP View
To show the SNMP views of the switch’s MIB database:
1. Click Administration, SNMP.
2.
5. Click Apply.
Figure 258: Adding an OID Subtree to an SNMP View
To show the OID branches configured for the SNMP views of the switch’s MIB database:
1. Click Administration, SNMP.
2. Select Configure View from the Step list.
3. Select Show OID Subtree from the Action list.
4. Select a view name from the list of existing views.
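How a view decides which objects a request may touch, as an added Python example (not the switch's implementation): every included or excluded OID subtree is matched as a prefix of the requested OID and the longest matching subtree wins, so an excluded branch nested under an included one carves a hole in it, and an OID that matches no subtree is outside the view. This is an assumed simplification that does not model the RFC 3415 family mask. The view names, the excluded branch and the request list are constructed for the example.

```python
def parse_oid(text):
    """Turn a dotted OID string such as '1.3.6.1.2.1' into a tuple of ints."""
    parts = text.strip().strip(".").split(".")
    if parts == [""]:
        raise ValueError("empty OID")
    return tuple(int(p) for p in parts)


class SnmpView:
    """A named view built from included and excluded OID subtrees."""

    def __init__(self, name):
        self.name = name
        self.subtrees = []  # list of (prefix tuple, included flag)

    def add_subtree(self, oid, included=True):
        self.subtrees.append((parse_oid(oid), included))
        return self

    def allows(self, oid):
        """Longest matching subtree prefix decides; no match means hidden.
        (Assumed simplification: the RFC 3415 family mask is not modelled.)"""
        target = parse_oid(oid)
        best = None
        for prefix, included in self.subtrees:
            if target[:len(prefix)] == prefix:
                if best is None or len(prefix) > len(best[0]):
                    best = (prefix, included)
        return best is not None and best[1]

    def filter_request(self, oids):
        """Split a request's OID list into the objects the view permits and
        those it rejects, as an agent would before serving a GET or SET."""
        permitted = [o for o in oids if self.allows(o)]
        rejected = [o for o in oids if not self.allows(o)]
        return permitted, rejected


# Constructed views. "defaultview" mirrors the predefined view that covers
# the whole tree; "mgmtview" limits a group to mib-2 minus the ARP table.
DEFAULT_VIEW = SnmpView("defaultview").add_subtree("1")

MGMT_VIEW = (SnmpView("mgmtview")
             .add_subtree("1.3.6.1.2.1")                        # mib-2, included
             .add_subtree("1.3.6.1.2.1.4.22", included=False))  # ipNetToMediaTable, excluded

# Constructed request: two harmless objects, one ARP entry, one USM object.
REQUEST = [
    "1.3.6.1.2.1.1.1.0",                 # sysDescr.0
    "1.3.6.1.2.1.2.2.1.2.1",             # ifDescr.1
    "1.3.6.1.2.1.4.22.1.2.1.192.0.2.1",  # ipNetToMediaPhysAddress (constructed index)
    "1.3.6.1.6.3.15.1.2.2.1.3",          # usmUserTable column, outside mib-2
]

if __name__ == "__main__":
    permitted, rejected = MGMT_VIEW.filter_request(REQUEST)
    print("permitted:", permitted)
    print("rejected :", rejected)
```

The same request against defaultview is permitted in full, which is the practical reason the guide suggests building narrower views: a read-only group bound to mgmtview cannot enumerate the ARP table or the user table even with valid credentials.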
CONFIGURING SNMPV3 GROUPS
Use the Administration > SNMP (Configure Group) page to add an SNMPv3 group which can be used to set the access policy for its assigned users, restricting them to specific read, write, and notify views. You can use the pre-defined default groups or create new groups to map a set of SNMP users to SNMP views.
Table 34: Supported Notification Messages
Model Level Group
newRoot  1.3.6.1.2.1.17.0.1
  The newRoot trap indicates that the sending agent has become the new root of the Spanning Tree; the trap is sent by a bridge soon after its election as the new root, e.g., upon expiration of the Topology Change Timer immediately subsequent to its election.
topologyChange  1.3.6.1.2.1.17.0.
Table 34: Supported Notification Messages (Continued)
Model Level Group
swIpFilterRejectTrap  1.3.6.1.4.1.259.10.1.10.2.1.0.40
  This trap is sent when an incorrect IP address is rejected by the IP Filter.
swSmtpConnFailureTrap  1.3.6.1.4.1.259.10.1.10.2.1.0.41
  This trap is triggered if the SMTP system cannot open a connection to the mail server successfully.
swMainBoardVerMismatchNotificaiton  1.3.6.1.4.1.259.10.1.10.2.1.
Table 34: Supported Notification Messages (Continued)
Model Level Group
autoUpgradeTrap  1.3.6.1.4.1.259.10.1.10.2.1.0.104
  This trap is sent when auto upgrade is executed.
swCpuUtiRisingNotification  1.3.6.1.4.1.259.10.1.10.2.1.0.107
  This notification indicates that the CPU utilization has risen from cpuUtiFallingThreshold to cpuUtiRisingThreshold.
swCpuUtiFallingNotification  1.3.6.1.4.1.259.10.1.10.2.1.0.
WEB INTERFACE
To configure an SNMP group:
1. Click Administration, SNMP.
2. Select Configure Group from the Step list.
3. Select Add from the Action list.
4. Enter a group name, assign a security model and level, and then select read, write, and notify views.
5. Click Apply.
Figure 260: Creating an SNMP Group
To show SNMP groups:
1. Click Administration, SNMP.
2. Select Configure Group from the Step list.
3.
SETTING COMMUNITY ACCESS STRINGS
Use the Administration > SNMP (Configure User - Add Community) page to configure up to five community strings authorized for management access by clients using SNMP v1 and v2c. For security reasons, you should consider removing the default strings.
To show the community access strings:
1. Click Administration, SNMP.
2. Select Configure User from the Step list.
3. Select Show Community from the Action list.
■ AuthPriv – SNMP communications use both authentication and encryption.
◆ Authentication Protocol – The method used for user authentication. (Options: MD5, SHA; Default: MD5)
◆ Authentication Password – A minimum of eight plain text characters is required.
◆ Privacy Protocol – The encryption algorithm used for data privacy; only 56-bit DES is currently available.
To show local SNMPv3 users:
1. Click Administration, SNMP.
2. Select Configure User from the Step list.
3. Select Show SNMPv3 Local User from the Action list.
Figure 265: Showing Local SNMPv3 Users
CONFIGURING REMOTE SNMPV3 USERS
Use the Administration > SNMP (Configure User - Add SNMPv3 Remote User) page to identify the source of SNMPv3 inform messages sent from the local switch.
◆ Security Level – The following security levels are only used for the groups assigned to the SNMP security model:
■ noAuthNoPriv – There is no authentication or encryption used in SNMP communications. (This is the default security level.)
■ AuthNoPriv – SNMP communications use authentication, but the data is not encrypted.
■ AuthPriv – SNMP communications use both authentication and encryption.
Figure 266: Configuring Remote SNMPv3 Users
To show remote SNMPv3 users:
1. Click Administration, SNMP.
2. Select Configure User from the Step list.
3. Select Show SNMPv3 Remote User from the Action list.
SPECIFYING TRAP MANAGERS
Use the Administration > SNMP (Configure Trap) page to specify the host devices to be sent traps and the types of traps to send. Traps indicating status changes are issued by the switch to the specified trap managers. You must specify trap managers so that key events are reported by this switch to your management station (using network management software).
PARAMETERS
These parameters are displayed:
SNMP Version 1
◆ IP Address – IPv4 or IPv6 address of a new management station to receive notification messages (i.e., the targeted recipient).
◆ Version – Specifies whether to send notifications as SNMP v1, v2c, or v3 traps. (Default: v1)
◆ Community String – Specifies a valid community string for the new trap manager entry.
SNMP Version 3
◆ IP Address – IPv4 or IPv6 address of a new management station to receive notification messages (i.e., the targeted recipient).
◆ Version – Specifies whether to send notifications as SNMP v1, v2c, or v3 traps.
◆ Notification Type
■ Traps – Notifications are sent as trap messages.
■ Inform – Notifications are sent as inform messages. Note that this option is only available for version 2c and 3 hosts.
WEB INTERFACE
To configure trap managers:
1. Click Administration, SNMP.
2. Select Configure Trap from the Step list.
3. Select Add from the Action list.
4. Fill in the required parameters based on the selected SNMP version.
5.
Figure 270: Configuring Trap Managers (SNMPv3)
To show configured trap managers:
1. Click Administration, SNMP.
2. Select Configure Trap from the Step list.
3. Select Show from the Action list.
Figure 271: Showing Trap Managers
CREATING SNMP NOTIFICATION LOGS
Use the Administration > SNMP (Configure Notify Filter - Add) page to create an SNMP notification log.
The Notification Log MIB (NLM, RFC 3014) provides an infrastructure in which information from other MIBs may be logged.
◆ Given the service provided by the NLM, individual MIBs can now bear less responsibility to record transient information associated with an event against the possibility that the Notification message is lost, and applications can poll the log to verify that they have not missed any important Notifications.
5. Click Apply.
Figure 272: Creating SNMP Notification Logs
To show configured SNMP notification logs:
1. Click Administration, SNMP.
2. Select Configure Notify Filter from the Step list.
3. Select Show from the Action list.
Figure 273: Showing SNMP Notification Logs
SHOWING SNMP STATISTICS
Use the Administration > SNMP (Show Statistics) page to show counters for SNMP input and output protocol data units.
◆ Illegal operation for community name supplied – The total number of SNMP messages delivered to the SNMP entity which represented an SNMP operation which was not allowed by the SNMP community named in the message.
◆ Encoding errors – The total number of ASN.1 or BER errors encountered by the SNMP entity when decoding received SNMP messages.
CHAPTER 14 | Basic Administration Protocols Remote Monitoring
To show SNMP statistics:
1. Click Administration, SNMP.
2. Select Show Statistics from the Step list.
Figure 274: Showing SNMP Statistics
REMOTE MONITORING
Remote Monitoring allows a remote device to collect information or respond to specified events on an independent basis. This switch is an RMON-capable device which can independently perform a wide range of tasks, significantly reducing network management traffic.
CONFIGURING RMON ALARMS
Use the Administration > RMON (Configure Global - Add - Alarm) page to define specific criteria that will generate response events. Alarms can be set to test data over any specified time interval, and can monitor absolute or changing values (such as a statistical counter reaching a specific value, or a statistic changing by a certain amount over the set interval).
◆ Falling Threshold – If the current value is less than or equal to the falling threshold, and the last sample value was greater than this threshold, then an alarm will be generated. After a falling event has been generated, another such event will not be generated until the sampled value has risen above the falling threshold, reaches the rising threshold, and again moves back down to the falling threshold.
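The rising/falling hysteresis described above, as an added Python model (this is not the switch's RMON implementation): a rising event fires only when the rising side is armed and the previous sample was below the rising threshold, and after that event the rising side stays disarmed until a falling event re-arms it, and vice versa, so a value that oscillates just around one threshold produces a single event rather than a storm. Both absolute and delta (change per interval) sample types are handled, and the startup alarm setting decides what the very first evaluated sample may trigger. The thresholds and sample sequences are constructed.

```python
RISING, FALLING = "rising", "falling"


class RmonAlarm:
    """One RMON alarm entry: compares each sample against a rising and a
    falling threshold with the hysteresis described in the guide."""

    def __init__(self, rising, falling, sample_type="absolute",
                 startup="rising_or_falling"):
        if falling > rising:
            raise ValueError("falling threshold must not exceed rising threshold")
        if sample_type not in ("absolute", "delta"):
            raise ValueError("sample_type must be 'absolute' or 'delta'")
        if startup not in (RISING, FALLING, "rising_or_falling"):
            raise ValueError("unknown startup alarm type")
        self.rising, self.falling = rising, falling
        self.sample_type, self.startup = sample_type, startup
        self.last = None        # last evaluated value (absolute or delta)
        self.prev_raw = None    # previous raw counter reading, delta mode only
        # After a rising event the rising side is disarmed until a falling
        # event re-arms it, and vice versa: this is the hysteresis.
        self.armed = {RISING: True, FALLING: True}

    def sample(self, raw):
        """Feed one sample; return RISING, FALLING, or None."""
        if self.sample_type == "delta":
            if self.prev_raw is None:       # first reading only sets the baseline
                self.prev_raw = raw
                return None
            value, self.prev_raw = raw - self.prev_raw, raw
        else:
            value = raw

        first = self.last is None
        event = None
        if value >= self.rising and self.armed[RISING] and (
                (first and self.startup != FALLING) or
                (not first and self.last < self.rising)):
            event = RISING
        elif value <= self.falling and self.armed[FALLING] and (
                (first and self.startup != RISING) or
                (not first and self.last > self.falling)):
            event = FALLING

        if event is not None:
            self.armed[event] = False
            self.armed[FALLING if event == RISING else RISING] = True
        self.last = value
        return event


def run_alarm(samples, **kwargs):
    """Return [(sample index, event)] for a sequence of samples."""
    alarm = RmonAlarm(**kwargs)
    events = []
    for i, s in enumerate(samples):
        ev = alarm.sample(s)
        if ev is not None:
            events.append((i, ev))
    return events


if __name__ == "__main__":
    # Constructed absolute samples, e.g. a utilisation percentage per interval.
    print(run_alarm([50, 85, 90, 50, 15, 85, 10], rising=80, falling=20))
    # Constructed monotonically increasing counter readings, sampled in delta mode.
    print(run_alarm([100, 100, 200, 205, 300], rising=80, falling=10,
                    sample_type="delta", startup=RISING))
```

In the absolute run the second crossing of 80 (the 90 sample) produces no event because the alarm has not yet fallen to 20; in the delta run the event is driven by the change between readings, which is how a counter such as CRC errors or drop events is usually watched.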
To show configured RMON alarms:
1. Click Administration, RMON.
2. Select Configure Global from the Step list.
3. Select Show from the Action list.
4. Click Alarm.
Figure 276: Showing Configured RMON Alarms
CONFIGURING RMON EVENTS
Use the Administration > RMON (Configure Global - Add - Event) page to set the action to take when an alarm is triggered. The response can include logging the alarm or sending a message to a trap manager.
◆ Type – Specifies the type of event to initiate:
■ None – No event is generated.
■ Log – Generates an RMON log entry when the event is triggered. Log messages are processed based on the current configuration settings for event logging (see "System Log Configuration" on page 454).
■ Trap – Sends a trap message to all configured trap managers (see "Specifying Trap Managers" on page 500).
Figure 277: Configuring an RMON Event
To show configured RMON events:
1. Click Administration, RMON.
2. Select Configure Global from the Step list.
3. Select Show from the Action list.
4. Click Event.
COMMAND USAGE
◆ Each index number equates to a port on the switch.
◆ If history collection is already enabled on an interface, the entry must be deleted before any changes can be made.
◆ The information collected for each sample includes: input octets, packets, broadcast packets, multicast packets, undersize packets, oversize packets, fragments, jabbers, CRC alignment errors, collisions, drop events, and network utilization.
7. Click Apply.
Figure 279: Configuring an RMON History Sample
To show configured RMON history samples:
1. Click Administration, RMON.
2. Select Configure Interface from the Step list.
3. Select Show from the Action list.
4. Select a port from the list.
5. Click History.
Figure 280: Showing Configured RMON History Samples
To show collected RMON history samples:
1. Click Administration, RMON.
2. Select Configure Interface from the Step list.
4. Select a port from the list.
5. Click History.
Figure 281: Showing Collected RMON History Samples
CONFIGURING RMON STATISTICAL SAMPLES
Use the Administration > RMON (Configure Interface - Add - Statistics) page to collect statistics on a port, which can subsequently be used to monitor the network for common errors and overall traffic rates.
3. Select Add from the Action list.
4. Click Statistics.
5. Select a port from the list as the data source.
6. Enter an index number, and the name of the owner for this entry.
7. Click Apply.
Figure 282: Configuring an RMON Statistical Sample
To show configured RMON statistical samples:
1. Click Administration, RMON.
2. Select Configure Interface from the Step list.
3. Select Show from the Action list.
4. Select a port from the list.
5.
CHAPTER 14 | Basic Administration Protocols Switch Clustering
To show collected RMON statistical samples:
1. Click Administration, RMON.
2. Select Configure Interface from the Step list.
3. Select Show Details from the Action list.
4. Select a port from the list.
5. Click Statistics.
Figure 284: Showing Collected RMON Statistical Samples
SWITCH CLUSTERING
Switch clustering is a method of grouping switches together to enable centralized management through a single unit.
information between the Commander and potential Candidates or active Members through VLAN 4094.
◆ Once a switch has been configured to be a cluster Commander, it automatically discovers other cluster-enabled switches in the network. These “Candidate” switches only become cluster Members when manually selected by the administrator through the management station.
◆ There can be up to 100 candidates and 36 member switches in one cluster.
◆ Number of Members – The current number of Member switches in the cluster.
◆ Number of Candidates – The current number of Candidate switches discovered in the network that are available to become Members.
WEB INTERFACE
To configure a switch cluster:
1. Click Administration, Cluster.
2. Select Configure Global from the Step list.
3. Set the required attributes for a Commander or a managed candidate.
4.
WEB INTERFACE
To configure cluster members:
1. Click Administration, Cluster.
2. Select Configure Member from the Step list.
3. Select Add from the Action list.
4. Select one of the cluster candidates discovered by this switch, or enter the MAC address of a candidate.
5. Click Apply.
Figure 286: Configuring a Cluster Member
To show the cluster members:
1. Click Administration, Cluster.
2. Select Configure Member from the Step list.
3.
To show cluster candidates:
1. Click Administration, Cluster.
2. Select Configure Member from the Step list.
3. Select Show Candidate from the Action list.
Figure 288: Showing Cluster Candidates
MANAGING CLUSTER MEMBERS
Use the Administration > Cluster (Show Member) page to manage another switch in the cluster.
CHAPTER 14 | Basic Administration Protocols Ethernet Ring Protection Switching
WEB INTERFACE
To manage a cluster member:
1. Click Administration, Cluster.
2. Select Show Member from the Step list.
3. Select an entry from the Cluster Member List.
4. Click Operate.
Figure 289: Managing a Cluster Member
ETHERNET RING PROTECTION SWITCHING
NOTE: Information in this section is based on ITU-T G.8032/Y.1344. The ITU G.
blocked to traffic. One designated node, the RPL owner, is responsible for blocking traffic over the RPL. When a ring failure occurs, the RPL owner is responsible for unblocking the RPL, allowing this link to be used for traffic.
by one or more interconnection points, and is based on the following criteria:
◆ The R-APS channels are not shared across Ethernet Ring interconnections.
◆ On each ring port, each traffic channel and each R-APS channel are controlled (e.g., for blocking or flushing) by the Ethernet Ring Protection Control Process (ERP Control Process) of only one ring.
◆ Each Major Ring or Sub-Ring must have its own RPL.
Figure 291: Ring Interconnection Architecture (Multi-ring/Ladder Network)
[Figure: two panels, Normal Condition and Signal Fail Condition, showing ring nodes A through F, the ERP1 and ERP2 ring links, the RPL and the RPL Owner Node for ERP1 and for ERP2, and a FAILURE on one ring link in the second panel.]
6. Enable ERPS (Configure Global): Before enabling a ring as described in the next step, first globally enable ERPS on the switch. If ERPS has not yet been enabled or has been disabled, no ERPS rings will work.
7. Enable an ERPS ring (Configure Domain – Configure Details): Before an ERPS ring can work, it must be enabled.
WEB INTERFACE
To globally enable ERPS on the switch:
1. Click Administration, ERPS.
2. Select Configure Global from the Step list.
3. Mark the ERPS Status check box.
4. Click Apply.
Figure 292: Setting ERPS Global Status
ERPS RING CONFIGURATION
Use the Administration > ERPS (Configure Domain) pages to configure ERPS rings.
Show
◆ Domain Name – Name of a configured ERPS ring.
◆ ID – ERPS ring identifier used in R-APS messages.
◆ Admin Status – Shows whether ERPS is enabled on the switch.
◆ Ver – Shows the ERPS version.
◆ MEG Level – The maintenance entity group (MEG) level providing a communication channel for ring automatic protection switching (R-APS) information.
◆ Control VLAN – Shows the Control VLAN ID.
◆ Local FS – Shows if a forced switch command was issued on this interface.
◆ Local MS – Shows if a manual switch command was issued on this interface.
◆ MEP – The CFM MEP used to monitor the status on this link.
◆ RPL – Shows if this node is connected to the RPL.
Configure Details
◆ Domain Name – Name of a configured ERPS ring.
Version 2 is backward compatible with Version 1. If version 2 is specified, the inputs and commands are forwarded transparently. If set to version 1, MS and FS operator commands are filtered, and the switch is set to revertive mode. The version number is automatically set to “1” when a ring node supporting only the functionalities of G.8032v1 exists on the same ring with other nodes that support G.8032v2.
CHAPTER 14 | Basic Administration Protocols Ethernet Ring Protection Switching ■ ■ ■ ◆ Only one RPL owner can be configured on a ring. The owner blocks traffic on the RPL during Idle state, and unblocks it during Protection state (that is, when a signal fault is detected on the ring or the protection state is enabled with the Forced Switch or Manual Switch commands on the Configure Operation page). The east and west connections to the ring must be specified for all ring nodes.
CHAPTER 14 | Basic Administration Protocols Ethernet Ring Protection Switching over both ring ports, informing that no request is present at this ring node and initiates a guard timer. When another recovered ring node (or nodes) holding the link block receives this message, it compares the Node ID information with its own Node ID. If the received R-APS (NR) message has the higher priority, this ring node unblocks its ring ports. Otherwise, the block remains unchanged.
■ Recovery for Forced Switching – A Forced Switch command is removed by issuing the Clear command (Configure Operation page) to the same ring node where Forced Switch mode is in effect. The clear command removes any existing local operator commands, and triggers reversion if the ring is in revertive behavior mode.
c. The acceptance of the R-APS (NR, RB) message triggers all ring nodes to unblock any blocked non-RPL port which does not have an SF condition. If it is an R-APS (NR, RB) message without a DNF indication, all ring nodes flush their FDB. This action unblocks the ring port which was blocked as a result of an operator command.
■ Recovery with non-revertive mode is handled as follows: a. The RPL Owner Node, upon reception of an R-APS (NR) message and in the absence of any other higher priority request does not perform any action. b.
■ A sub-ring may be attached to a primary ring with or without a virtual channel. A virtual channel is used to connect two interconnection points on the sub-ring, tunneling R-APS control messages across an arbitrary Ethernet network topology.
No R-APS messages are inserted or extracted by other rings or sub-rings at the interconnection nodes where a sub-ring is attached. Hence there is no need for additional bandwidth or for different VIDs/Ring IDs for the ring interconnection. Furthermore, protection switching time for a sub-ring is independent of the configuration or topology of the interconnected rings.
■ The RPL owner node detects a failed link when it receives R-APS (SF, signal fault) messages from nodes adjacent to the failed link. The owner then enters protection state by unblocking the RPL.
that defect will be reported to the protection switching mechanism. The reported defect need not be the same one that started the timer. ◆ Guard Timer – The guard timer is used to prevent ring nodes from receiving outdated R-APS messages. While the guard timer is running, all received R-APS messages are ignored by the ring protection control process, giving time for old messages still circulating on the ring to expire.
◆ West/East – Connects to the next ring node to the west/east. Each node must be connected to two neighbors on the ring. For convenience, the connected ports are referred to as east and west ports. By convention, the closest neighbor to the east is the next node in the ring in a clockwise direction, and the closest neighbor to the west is the next node in the ring in a counter-clockwise direction.
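The Guard Timer rule above, together with the Node ID tie-break after link recovery and the R-APS (NR, RB) handling described earlier in this section, modelled in Python. This is an added example written for this edit, not code from the guide or from Edge-Core. It assumes that the Node ID is the node's MAC address compared as an unsigned integer, that the higher value wins the tie-break, and a 500 ms guard timer; the class and field names are this example's own.

```python
"""ERPS recovery behaviour modelled in Python (added example, not from the guide).

Two behaviours are modelled:
  * the guard timer: while it runs, every received R-APS message is ignored,
    so stale messages still circulating on the ring cannot change state;
  * the R-APS (NR) tie-break after a recovered link: a node still holding a
    block compares the Node ID in the received R-APS (NR) with its own and
    unblocks only if the received message has the higher priority.

Assumptions (not stated on the page): the Node ID is the MAC address compared
as an unsigned integer, and the higher value has priority.
"""
from dataclasses import dataclass


def node_id_value(mac: str) -> int:
    """Convert a MAC-style Node ID such as '00:11:22:33:44:55' to an integer."""
    digits = mac.replace(":", "").replace("-", "")
    if len(digits) != 12:
        raise ValueError(f"malformed Node ID: {mac!r}")
    return int(digits, 16)


@dataclass
class RapsMessage:
    request: str          # "NR", "SF", "FS" or "MS"
    node_id: str          # MAC address of the originating ring node
    rb: bool = False      # RPL Blocked flag, i.e. R-APS (NR, RB)
    dnf: bool = False     # Do Not Flush flag


@dataclass
class RingNode:
    node_id: str
    guard_timer_ms: int = 500
    blocked: bool = True              # still holding the block after link recovery
    guard_expires_at_ms: int = 0      # absolute time until which R-APS is ignored
    ignored: int = 0
    fdb_flushes: int = 0

    def link_recovered(self, now_ms: int) -> RapsMessage:
        """Local SF cleared: start the guard timer and announce NR on both ports."""
        self.guard_expires_at_ms = now_ms + self.guard_timer_ms
        return RapsMessage("NR", self.node_id)

    def receive(self, msg: RapsMessage, now_ms: int) -> str:
        """Process one received R-APS message and return the action taken."""
        if now_ms < self.guard_expires_at_ms:
            # Guard timer running: the message may be stale, drop it.
            self.ignored += 1
            return "ignored (guard timer)"
        if msg.request == "NR" and not msg.rb and self.blocked:
            # Tie-break between recovered nodes that are both holding a block.
            if node_id_value(msg.node_id) > node_id_value(self.node_id):
                self.blocked = False
                return "unblocked (peer Node ID has priority)"
            return "block kept (own Node ID has priority)"
        if msg.request == "NR" and msg.rb:
            # RPL owner has re-blocked the RPL: unblock the non-RPL port and
            # flush the FDB unless the owner set DNF.
            self.blocked = False
            if not msg.dnf:
                self.fdb_flushes += 1
            return "unblocked (NR, RB)"
        return "no action"
```

A node that has just recovered ignores everything for the guard interval, so an attacker or a misbehaving node cannot use a replayed R-APS (NR) carrying a high Node ID to unblock a port until the timer has run out; after that the tie-break applies exactly as the text describes.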
WEB INTERFACE To create an ERPS ring: 1. Click Administration, ERPS. 2. Select Configure Domain from the Step list. 3. Select Add from the Action list. 4. Enter a name and optional identifier for the ring. 5. Click Apply. Figure 295: Creating an ERPS Ring To configure the ERPS parameters for a ring: 1. Click Administration, ERPS. 2. Select Configure Domain from the Step list. 3. Select Configure Details from the Action list.
Figure 296: Creating an ERPS Ring To show the configured ERPS rings: 1. Click Administration, ERPS. 2. Select Configure Domain from the Step list. 3. Select Show from the Action list.
ERPS FORCED AND MANUAL MODE OPERATIONS Use the Administration > ERPS (Configure Operation) page to block a ring port using the Forced Switch or Manual Switch commands. CLI REFERENCES ◆ "erps forced-switch" on page 1327 ◆ "erps manual-switch" on page 1329 ◆ "erps clear" on page 1327 PARAMETERS These parameters are displayed: ◆ Domain Name – Name of a configured ERPS ring.
nodes where further forced switch commands are issued block the traffic channel and R-APS channel on the ring port at which the forced switch was issued. The ring node where the forced switch command was issued transmits an R-APS message over both ring ports indicating FS. R-APS (FS) messages are continuously transmitted by this ring node while the local FS command is the ring node’s highest priority command.
under maintenance in order to avoid falling into the unrecoverable situation mentioned above. ■ Manual Switch – Blocks the specified ring port in the absence of a failure or an FS command. ■ A ring with no request has a logical topology with the traffic channel blocked at the RPL and unblocked on all other ring links. In this situation, the Manual Switch command triggers protection switching as follows: a.
c. A ring node with a local manual switch command that receives an R-APS message or a local request of higher priority than R-APS (MS) clears its manual switch request. The ring node then processes the new higher priority request. ■ Recovery for manual switching under revertive and non-revertive mode is described under the Revertive parameter.
Figure 298: Blocking an ERPS Ring Port CONNECTIVITY FAULT MANAGEMENT Connectivity Fault Management (CFM) is an OAM protocol that includes proactive connectivity monitoring using continuity check messages, fault verification through loopback messages, and fault isolation by examining end-to-end connections between provider edge devices or between customer edge devices.
◆ A Maintenance Level allows maintenance domains to be nested in a hierarchical fashion, providing access to the specific network portions required by each operator. Domains at lower levels may be either hidden or exposed to operators managing domains at a higher level, allowing either coarse or fine fault resolution. ◆ Maintenance End Points (MEPs) which provide full CFM access to a Service Instance (i.e.
Figure 300: Multiple CFM Maintenance Domains (Customer MA, Provider MA, Operator 1 MA and Operator 2 MA, each with its MEPs) Note that the Service Instances within each domain shown above are based on a unique maintenance association for the specific users, distinguished by the domain name, maintenance level, maintenance association’s name, and assigned VLAN.
SNMP traps can also be configured to provide an automated method of fault notification. If the fault notification generator detects one or more defects within the configured time period, and fault alarms are enabled, a corresponding trap will be sent. No further fault alarms are sent until the fault notification generator has been reset by the passage of a configured time period without detecting any further faults.
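The fault notification generator's alarm and reset behaviour described above, as an added example in Python (written for this edit, not code from the guide or from Edge-Core). It assumes two parameters named alarm_time_s and reset_time_s for the "configured time period" before a trap and the quiet period before the generator resets, and a defect severity order (RDI lowest, cross-connect CCM highest) used to choose which defect a trap reports; both are this example's assumptions.

```python
"""CFM fault notification generator throttling (added example, not from the guide).

A defect must persist for `alarm_time_s` before a trap is sent. After the trap,
no further alarms are raised until the MEP has been defect-free for
`reset_time_s`; a defect that returns during that window goes straight back to
the reported state without a second trap. This is what keeps a flapping link
from producing a trap storm.

Assumptions (not stated on the page): the parameter names alarm_time_s and
reset_time_s, and the defect severity order in DEFECT_SEVERITY.
"""

# Lowest to highest severity (assumed ordering for this example).
DEFECT_SEVERITY = ["RDI", "MACstatus", "RemoteCCM", "ErrorCCM", "XconCCM"]


def most_severe(defects):
    """Return the highest-severity defect name present, or None if the set is empty."""
    ranked = sorted(defects, key=lambda d: DEFECT_SEVERITY.index(d) if d in DEFECT_SEVERITY else -1)
    return ranked[-1] if ranked else None


class FaultNotificationGenerator:
    """Time-driven model of the per-MEP fault notification generator."""

    def __init__(self, alarm_time_s=2.5, reset_time_s=10.0, alarms_enabled=True):
        self.alarm_time_s = alarm_time_s
        self.reset_time_s = reset_time_s
        self.alarms_enabled = alarms_enabled
        self.state = "RESET"
        self.timer_expires_at = None
        self.traps = []          # (time, defect) for every trap that was sent

    def observe(self, now, defects):
        """Feed the set of defects present at time `now`; returns the new state."""
        present = bool(defects)
        if self.state == "RESET":
            if present:
                # First sighting: arm the alarm timer, do not trap yet.
                self.state = "DEFECT"
                self.timer_expires_at = now + self.alarm_time_s
        elif self.state == "DEFECT":
            if not present:
                # Cleared before the alarm time expired: no trap at all.
                self.state = "RESET"
                self.timer_expires_at = None
            elif now >= self.timer_expires_at:
                if self.alarms_enabled:
                    self.traps.append((now, most_severe(defects)))
                self.state = "REPORT"
        elif self.state == "REPORT":
            if not present:
                # Defect gone: start the quiet period before the generator may trap again.
                self.state = "DEFECT_CLEARING"
                self.timer_expires_at = now + self.reset_time_s
        elif self.state == "DEFECT_CLEARING":
            if present:
                # Defect returned before reset: suppressed, no new trap.
                self.state = "REPORT"
            elif now >= self.timer_expires_at:
                self.state = "RESET"
                self.timer_expires_at = None
        return self.state
```

Run it against a defect that appears, clears, briefly returns and finally stays clear, and only one trap is produced; a second trap is possible only after a full reset_time_s of silence, which is why the guide advises finishing the CFM configuration before enabling CFM globally.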
CLI REFERENCES ◆ "CFM Commands" on page 1561 PARAMETERS These parameters are displayed: Global Configuration ◆ CFM Status – Enables CFM processing globally on the switch. (Default: Enabled) To avoid generating an excessive number of traps, the complete CFM maintenance structure and process parameters should be configured prior to enabling CFM processing globally on the switch.
◆ Link Trace Cache Hold Time – The hold time for CFM link trace cache entries. (Range: 1-65535 minutes; Default: 100 minutes) Before setting the aging time for cache entries, the cache must first be enabled in the Linktrace Cache attribute field. ◆ Link Trace Cache Size – The maximum size for the link trace cache.
◆ Cross Check MEP Unknown – Sends a trap if an unconfigured MEP comes up. A MEP Unknown trap is sent if cross-checking is enabled, and a CCM is received from a remote MEP that is not configured in the static list. WEB INTERFACE To configure global settings for CFM: 1. Click Administration, CFM. 2. Select Configure Global from the Step list. 3.
CONFIGURING INTERFACES FOR CFM CFM processes are enabled by default for all physical interfaces, both ports and trunks. You can use the Administration > CFM (Configure Interface) page to change these settings. CLI REFERENCES ◆ "ethernet cfm port-enable" on page 1572 COMMAND USAGE ◆ An interface must be enabled before a MEP can be created (see "Configuring Maintenance End Points").
CLI REFERENCES ◆ "CFM Commands" on page 1561 COMMAND USAGE Configuring General Settings ◆ Where domains are nested, an upper-level hierarchical domain must have a higher maintenance level than the ones it encompasses. The higher to lower level domain types commonly include entities such as customer, service provider, and operator.
The MIP creation method defined for an MA (see "Configuring CFM Maintenance Associations") takes precedence over the method defined on the CFM Domain List. Configuring Fault Notification ◆ A fault alarm can generate an SNMP notification.
PARAMETERS These parameters are displayed: Creating a Maintenance Domain ◆ MD Index – Domain index. (Range: 1-65535) ◆ MD Name – Maintenance domain name. (Range: 1-43 alphanumeric characters) ◆ MD Level – Authorized maintenance level for this domain.
3. Select Add from the Action list. 4. Specify the maintenance domains and authorized maintenance levels (thereby setting the hierarchical relationship with other domains). 5. Specify the manner in which MIPs can be created within each domain. 6. Click Apply. Figure 303: Configuring Maintenance Domains To show the configured maintenance domains: 1. Click Administration, CFM. 2. Select Configure MD from the Step list. 3.
To configure detailed settings for maintenance domains: 1. Click Administration, CFM. 2. Select Configure MD from the Step list. 3. Select Configure Details from the Action list. 4. Select an entry from the MD Index. 5. Specify the MEP archive hold and MEP fault notification parameters. 6.
◆ Multiple domains at the same maintenance level cannot have an MA on the same VLAN (see "Configuring CFM Maintenance Domains" on page 555). ◆ Before removing an MA, first remove the MEPs assigned to it (see "Configuring Maintenance End Points" on page 565). ◆ For a detailed description of the MIP types, refer to the Command Usage section under "Configuring CFM Maintenance Domains" on page 555.
◆ MIP Creation Type – Specifies the CFM protocol’s creation method for maintenance intermediate points (MIPs) in this MA: ■ Default – MIPs can be created for this MA on any bridge port through which the MA’s VID can pass. ■ Explicit – MIPs can be created for this MA only on bridge ports through which the MA’s VID can pass, and only if a maintenance end point (MEP) is created at some lower MA Level.
◆ AIS Transmit Level – Configures the AIS maintenance level in an MA. (Range: 0-7; Default: 0) The AIS Level must follow this rule: AIS Level >= Domain Level ◆ AIS Suppress Alarm – Enables/disables suppression of the AIS. (Default: Disabled) WEB INTERFACE To create a maintenance association: 1. Click Administration, CFM. 2. Select Configure MA from the Step list. 3. Select Add from the Action list. 4.
To show the configured maintenance associations: 1. Click Administration, CFM. 2. Select Configure MA from the Step list. 3. Select Show from the Action list. 4. Select an entry from the MD Index list. Figure 307: Showing Maintenance Associations To configure detailed settings for maintenance associations: 1. Click Administration, CFM. 2. Select Configure MA from the Step list. 3. Select Configure Details from the Action list. 4.
Figure 308: Configuring Detailed Settings for Maintenance Associations CONFIGURING MAINTENANCE END POINTS Use the Administration > CFM (Configure MEP – Add) page to configure Maintenance End Points (MEPs). MEPs, also called Domain Service Access Points (DSAPs), must be configured at the domain boundary to provide management access for each maintenance association.
and receives them from, the direction of the internal bridge relay mechanism. If the Up option is not selected, then the MEP is facing away from the switch, and transmits CFM messages towards, and receives them from, the direction of the physical medium. ◆ Interface – Indicates a port or trunk. WEB INTERFACE To configure a maintenance end point: 1. Click Administration, CFM. 2. Select Configure MEP from the Step list. 3.
4. Select an entry from MD Index and MA Index. Figure 310: Showing Maintenance End Points CONFIGURING REMOTE MAINTENANCE END POINTS Use the Administration > CFM (Configure Remote MEP – Add) page to specify remote maintenance end points (MEPs) set on other CFM-enabled devices within a common MA. Remote MEPs can be added to a static list in this manner to verify that each entry has been properly configured and is operational.
◆ MA Index – MA identifier. (Range: 1-2147483647) ◆ MEP ID – Identifier for a maintenance end point which exists on another CFM-enabled device within the same MA. (Range: 1-8191) WEB INTERFACE To configure a remote maintenance end point: 1. Click Administration, CFM. 2. Select Configure Remote MEP from the Step list. 3. Select Add from the Action list. 4. Select an entry from MD Index and MA Index. 5.
Figure 312: Showing Remote Maintenance End Points TRANSMITTING LINK TRACE MESSAGES Use the Administration > CFM (Transmit Link Trace) page to transmit link trace messages (LTMs). These messages can isolate connectivity faults by tracing the path through a network to the designated target node (i.e., a remote maintenance end point). CLI REFERENCES ◆ "CFM Commands" on page 1561 COMMAND USAGE ◆ LTMs can be targeted to MEPs, not MIPs.
PARAMETERS These parameters are displayed: ◆ MD Index – Domain index. (Range: 1-65535) ◆ MA Index – MA identifier. (Range: 1-2147483647) ◆ Source MEP ID – The identifier of a source MEP that will send the link trace message. (Range: 1-8191) ◆ Target ■ MEP ID – The identifier of a remote MEP that is the target of a link trace message.
TRANSMITTING LOOP BACK MESSAGES Use the Administration > CFM (Transmit Loopback) page to transmit Loopback Messages (LBMs). These messages can be used to isolate or verify connectivity faults by submitting a request to a target node (i.e., a remote MEP or MIP) to echo the message back to the source.
WEB INTERFACE To transmit loopback messages: 1. Click Administration, CFM. 2. Select Transmit Loopback from the Step list. 3. Select an entry from MD Index and MA Index. 4. Specify the source MEP and the target MEP (using either its MEP identifier or MAC address), and set the number of times the loopback message is to be sent. 5. Click Apply.
◆ Frame delay measurement can be made only for two-way measurements, where the MEP transmits a frame with DM request information with the TxTimeStampf (Timestamp at the time of sending a frame with DM request information), and the receiving MEP responds with a frame with DM reply information with TxTimeStampf copied from the DM request information, RxTimeStampf (Timestamp at the time of receiving a frame with DM request information
WEB INTERFACE To transmit delay-measure messages: 1. Click Administration, CFM. 2. Select Transmit Delay Measure from the Step list. 3. Select an entry from MD Index and MA Index. 4. Specify the source MEP and the target MEP (using either its MEP identifier or MAC address), and set the number of times the delay-measure message is to be sent, the interval, and the timeout. 5. Click Apply.
◆ Level – Authorized maintenance level for this domain. ◆ Direction – Direction in which the MEP communicates CFM messages: ■ Down indicates that the MEP is facing away from the switch, and transmits CFM messages towards, and receives them from, the direction of the physical medium.
◆ MD Name – The maintenance domain for this entry. ◆ MA Name – Maintenance association to which this remote MEP belongs. ◆ MA Name Format – The format of the Maintenance Association name, including primary VID, character string, unsigned Integer 16, or RFC 2865 VPN ID. ◆ Level – Maintenance level of the local maintenance point. ◆ Direction – The direction in which the MEP faces on the Bridge port (up or down).
5. Select a MEP ID. Figure 317: Showing Detailed Information on Local MEPs DISPLAYING LOCAL MIPS Use the Administration > CFM > Show Information (Show Local MIP) page to show the MIPs on this device discovered by the CFM protocol. (For a description of MIPs, refer to the Command Usage section under "Configuring CFM Maintenance Domains".
WEB INTERFACE To show information for the MIPs discovered by the CFM protocol: 1. Click Administration, CFM. 2. Select Show Information from the Step list. 3. Select Show Local MIP from the Action list.
WEB INTERFACE To show information for remote MEPs: 1. Click Administration, CFM. 2. Select Show Information from the Step list. 3. Select Show Remote MEP from the Action list.
◆ Age of Last CC Message – Length of time the last CCM message about this MEP has been in the CCM database. ◆ Frame Loss – Percentage of transmitted frames lost. ◆ CC Packet Statistics – The number of CCM packets received successfully and those with errors. ◆ Port State – Port states include: ■ Up – The port is functioning normally. ■ Blocked – The port has been blocked by the Spanning Tree Protocol.
Figure 320: Showing Detailed Information on Remote MEPs DISPLAYING THE LINK TRACE CACHE Use the Administration > CFM > Show Information (Show Link Trace Cache) page to show information about link trace operations launched from this device.
◆ Ingress Action – Action taken on the ingress port: ■ IngOk – The target data frame passed through to the MAC Relay Entity. ■ IngDown – The bridge port’s MAC_Operational parameter is false. This value could be returned, for example, by an operationally Down MEP that has another Down MEP at a higher MD level on the same bridge port that is causing the bridge port’s MAC_Operational parameter to be false.
Figure 321: Showing the Link Trace Cache DISPLAYING FAULT NOTIFICATION SETTINGS Use the Administration > CFM > Show Information (Show Fault Notification Generator) page to display configuration settings for the fault notification generator. CLI REFERENCES ◆ "show ethernet cfm fault-notify-generator" on page 1599 PARAMETERS These parameters are displayed: ◆ MEP ID – Maintenance end point identifier.
WEB INTERFACE To show configuration settings for the fault notification generator: 1. Click Administration, CFM. 2. Select Show Information from the Step list. 3. Select Show Fault Notification Generator from the Action list.
■ VIDS – MA x is associated with a specific VID list, a MEP is configured facing inward (up) on this MA on the bridge port, and some other MA y, associated with at least one of the VID(s) also in MA x, also has an Up MEP configured facing inward (up) on some bridge port. ■ EXCESS_LEV – The number of different MD levels at which MIPs are to be created on this port exceeds the bridge's capabilities.
CLI REFERENCES ◆ "OAM Commands" on page 1603 PARAMETERS These parameters are displayed: ◆ Port – Port identifier. (Range: 1-28) ◆ Admin Status – Enables or disables OAM functions. (Default: Disabled) ◆ Operation State – Shows the operational state between the local and remote OAM devices. This value is always “disabled” if OAM is disabled on the local interface.
◆ Critical Link Event – Controls reporting of critical link events to its OAM peer. ■ Dying Gasp – If an unrecoverable condition occurs, the local OAM entity (i.e., this switch) indicates this by immediately sending a trap message. (Default: Enabled) Dying gasp events are caused by an unrecoverable failure, such as a power failure or device reset.
reported by the switch. Specify whether errored frame link events will be reported, as well as the required window size and threshold. 3. Click Apply. Figure 324: Enabling OAM for Local Ports DISPLAYING STATISTICS FOR OAM MESSAGES Use the Administration > OAM > Counters page to display statistics for the various types of OAM messages passed across each port.
WEB INTERFACE To display statistics for OAM messages: 1. Click Administration, OAM, Counters. Figure 325: Displaying Statistics for OAM Messages DISPLAYING THE OAM EVENT LOG Use the Administration > OAM > Event Log page to display link events for the selected port.
Figure 326: Displaying the OAM Event Log DISPLAYING THE STATUS OF REMOTE INTERFACES Use the Administration > OAM > Remote Interface page to display information about attached OAM-enabled devices. CLI REFERENCES ◆ "show efm oam status remote interface" on page 1613 PARAMETERS These parameters are displayed: ◆ Port – Port identifier. (Range: 1-28) ◆ MAC Address – MAC address of the OAM peer.
WEB INTERFACE To display information about attached OAM-enabled devices: 1. Click Administration, OAM, Remote Interface. Figure 327: Displaying Status of Remote Interfaces CONFIGURING A REMOTE LOOP BACK TEST Use the Administration > OAM > Remote Loopback (Remote Loopback Test) page to initiate a loop back test to the peer device attached to the selected port.
PARAMETERS These parameters are displayed: Loopback Mode of Remote Device ◆ Port – Port identifier. (Range: 1-28) ◆ Loopback Mode – Shows if loop back mode is enabled on the peer. This attribute must be enabled before starting the loopback test. ◆ Loopback Status – Shows if loopback testing is currently running. Loopback Test Parameters ◆ Packets Number – Number of packets to send.
WEB INTERFACE To initiate a loop back test to the peer device attached to the selected port: 1. Click Administration, OAM, Remote Loop Back. 2. Select Remote Loopback Test from the Action list. 3. Select the port on which to initiate remote loop back testing, enable the Loop Back Mode attribute, and click Apply. 4. Set the number of packets to send and the packet size, and then click Test.
WEB INTERFACE To display the results of remote loop back testing for each port for which this information is available: 1. Click Administration, OAM, Remote Loop Back. 2. Select Show Test Result from the Action list. Figure 329: Displaying the Results of Remote Loop Back Testing PTP CONFIGURATION Precision Time Protocol (PTP) provides high-precision time synchronization at an accuracy within the sub-microsecond range.
CONFIGURING GLOBAL SETTINGS FOR PTP Use the Sync > PTP (Configure Global) page to set the operating mode, the adjustment to received Sync messages, the preference level used to select the master clock, and the clock synchronization domain to which the switch is assigned.
time are not necessarily the same for all paths through the switch or for successive messages crossing the same path. Setting the switch to end-to-end transparent mode makes it synchronize all ports with the grand master clock connected to the switch. The switch corrects PTP message time stamps for the delay incurred passing through it. This option causes less jitter and error accumulation than that incurred when using boundary mode.
■ Variance – A clock's estimate of its stability based on observation of its performance against the PTP reference. ■ Quality – Clock quality based on expected timing deviation, technology used to implement the clock, or location in a stratum schema. ■ Identifier – A universally unique numeric identifier for the clock. This is typically constructed based on a device's MAC address.
4. Click Apply. Figure 330: Configuring Global Settings for PTP CONFIGURING INTERFACE SETTINGS FOR PTP Use the Sync > PTP (Configure Interface) page to set the interface-level administrative state, delay mechanism, transport mode, and timing attributes.
◆ Delay Mechanism – Sets the delay measurement method for a boundary clock to one of the following options: ■ End-to-End – This method measures the residence time required for PTP event messages to cross from the input port to the output port, and adjusts the time stamp to compensate for this delay.
■ IPv6 UDP – PTP messages are transmitted using UDP over IPv6. When using UDP over IPv6 as a transport mechanism, the following UDP destination ports are reserved values assigned to PTP.
◆ Announce Receipt Timeout – Sets the receipt timeout for PTP announce messages. This parameter indicates the number of PTP announce message intervals which have to expire without the receipt of an announce message before the session times out. (Range: 2-10; Default: 3) ◆ Log Min Pdelay Req Interval – Sets the peer delay request message transmit interval.
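The Announce Receipt Timeout is a count of announce intervals rather than a time, so the real timeout depends on the Log Announce Interval shown on the same page. The following added example (written for this edit, not code from the guide or from Edge-Core) computes that timeout, ages out foreign masters that stop announcing, and picks the best remaining candidate from the clock attributes this chapter lists (Priority1, Quality, Variance, Priority2, Identifier). The comparison order follows the IEEE 1588 data set comparison without its topology tie-breaks, and the field and class names are this example's own assumptions.

```python
"""PTP announce receipt timeout and foreign-master aging (added example, not from the guide).

The session times out after `announce_receipt_timeout` intervals of
2**logAnnounceInterval seconds pass without an Announce message. The tracker
below ages out foreign masters on that basis and picks the best remaining
candidate using the clock attributes listed on this page.

Assumptions (not from the page): best_master() orders candidates by priority1,
clock class, accuracy, variance, priority2 and identity (the IEEE 1588 data set
comparison without topology tie-breaks); the ForeignMaster field names are this
example's own.
"""
from dataclasses import dataclass


def announce_interval_seconds(log_announce_interval):
    """Announce interval in seconds from its log2 value (e.g. 1 -> 2 s, -1 -> 0.5 s)."""
    return 2.0 ** log_announce_interval


def announce_timeout_seconds(log_announce_interval, announce_receipt_timeout=3):
    """Seconds without an Announce before a master is declared lost (Range 2-10, Default 3)."""
    if not 2 <= announce_receipt_timeout <= 10:
        raise ValueError("Announce Receipt Timeout must be within 2-10")
    return announce_receipt_timeout * announce_interval_seconds(log_announce_interval)


@dataclass(frozen=True)
class ForeignMaster:
    identity: str           # clock identifier, typically derived from the MAC address
    priority1: int
    clock_class: int        # "Quality" on this page
    accuracy: int
    variance: int           # offsetScaledLogVariance
    priority2: int

    def sort_key(self):
        # Lower is better for every field in the comparison.
        return (self.priority1, self.clock_class, self.accuracy, self.variance, self.priority2, self.identity)


class ForeignMasterTracker:
    """Records Announce arrivals per master and expires the ones that fall silent."""

    def __init__(self, log_announce_interval, announce_receipt_timeout=3):
        self.timeout_s = announce_timeout_seconds(log_announce_interval, announce_receipt_timeout)
        self.masters = {}      # identity -> ForeignMaster
        self.last_seen = {}    # identity -> time of the last Announce

    def announce_received(self, master, now):
        self.masters[master.identity] = master
        self.last_seen[master.identity] = now

    def expire(self, now):
        """Drop masters whose last Announce is at least one timeout old; returns their identities."""
        gone = sorted(i for i, t in self.last_seen.items() if now - t >= self.timeout_s)
        for identity in gone:
            del self.masters[identity]
            del self.last_seen[identity]
        return gone

    def best_master(self, now):
        """Best remaining candidate after expiry, or None if nothing is still announcing."""
        self.expire(now)
        if not self.masters:
            return None
        return min(self.masters.values(), key=ForeignMaster.sort_key)
```

With a Log Announce Interval of 1 (one Announce every 2 s) and the default timeout of 3, a grandmaster is dropped 6 s after its last Announce; raising the timeout to 10 stretches that to 20 s, which is the trade-off between tolerating lost Announce frames and how long a port keeps following a master that has gone away.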
3. Select Port or Trunk from the Interface options. 4. Set the operational state for each port, the message transport mechanism, and the timing attributes. 5. Click Apply. Figure 331: Configuring Interface Settings for PTP SHOWING PTP INFORMATION Use the Sync > PTP (Show PTP Information) page to show the default data settings, current data set, parent data set, time properties, and port-related data.
■ Offset Scaled Log Variance – An attribute defining the stability of the clock. ◆ Priority1 – A preference level used in selecting the master clock. ◆ Priority2 – A secondary preference level used in selecting the master clock. ◆ Domain Number – PTP clock synchronization domain. ◆ Slave Only – Shows if this device is operating in slave-only mode. (This operation mode is not supported by this device.
◆ Grandmaster Priority2 – A secondary preference level used in selecting the grand master clock. Time Properties ◆ Current UTC Offset – Current offset between TAI (International Atomic Time) and UTC (Coordinated Universal Time). ◆ Current UTC Offset Valid – Indicates if the current UTC offset is known to be correct. ◆ Leap59 – Indicates if the last minute of the UTC day contains 59 seconds.
■ Log Announce Interval – Announcement message transmit interval (log value). ■ Log Sync Interval – Synchronization message transmit interval (log value). ■ Delay Mechanism – Time delay measurement method (end-to-end or peer-to-peer). ■ Log Min Pdelay Req. Interval – Peer delay request message transmit interval. ■ Version Number – PTP version number (1 or 2). WEB INTERFACE To display default data and negotiated settings for PTP: 1.
Figure 333: Displaying PTP Information (Current Data) Figure 334: Displaying PTP Information (Parent Data) Figure 335: Displaying PTP Information (Time Properties)
Figure 336: Displaying PTP Information (Port Data) SHOWING PTP FOREIGN MASTER Use the Sync > PTP (Show PTP Foreign Master) page to show PTP announcements from neighbors. CLI REFERENCES ◆ "show ptp foreign-master" on page 974 PARAMETERS These parameters are displayed: ◆ Interface – Interface through which this message was received.
WEB INTERFACE To show PTP announcements from neighbors: 1. Click Sync, PTP. 2. Select Show PTP Foreign Master from the Step list.
15 MULTICAST FILTERING This chapter describes how to configure the following multicast services: ◆ IGMP Snooping – Configures snooping and query parameters for IPv4. ◆ Filtering and Throttling – Filters specified multicast services, or throttles the maximum number of multicast groups allowed on an interface for IPv4. ◆ MLD Snooping – Configures snooping and query parameters for IPv6. ◆ Layer 3 IGMP – Configures IGMP query used with multicast routing.
CHAPTER 15 | Multicast Filtering Overview Figure 338: Multicast Filtering Concept (unicast flow versus multicast flow) This switch can use Internet Group Management Protocol (IGMP) to filter multicast traffic. IGMP Snooping can be used to passively monitor or “snoop” on exchanges between attached hosts and an IGMP-enabled device, most commonly a multicast router. In this way, the switch can discover the ports that want to join a multicast group, and set its filters accordingly.
IGMP PROTOCOL
The Internet Group Management Protocol (IGMP) runs between hosts and their immediately adjacent multicast router/switch. IGMP is a multicast host registration protocol that allows any host to inform its local router that it wants to receive transmissions addressed to a specific multicast group. A router, or multicast-enabled switch, can periodically ask its hosts if they want to receive multicast traffic.
Layer 2 IGMP (Snooping and Query for IPv4)
When using IGMPv3 snooping, service requests from IGMP Version 1, 2 or 3 hosts are all forwarded to the upstream router as IGMPv3 reports. The primary enhancement provided by IGMPv3 snooping is in keeping track of information about the specific multicast sources which downstream IGMPv3 hosts have requested or refused.
IGMP Snooping with Proxy Reporting – The switch supports last leave, and query suppression (as defined in DSL Forum TR-101, April 2006):
◆ When proxy reporting is disabled, all IGMP reports received by the switch are forwarded natively to the upstream multicast routers.
◆ Last Leave: Intercepts, absorbs and summarizes IGMP leaves coming from IGMP hosts.
NOTE: Multicast routers use this information from IGMP snooping and query reports, along with a multicast routing protocol such as PIM, to support IP multicasting across the Internet.
PARAMETERS
These parameters are displayed:
◆ IGMP Snooping Status – When enabled, the switch will monitor network traffic to determine which hosts want to receive multicast traffic. This is referred to as IGMP Snooping.
multicast traffic will be flooded to all VLAN ports. If many ports have subscribed to different multicast groups, flooding may cause excessive packet loss on the link between the switch and the end host. Flooding may be disabled to avoid this, causing multicast traffic to be delivered only to those ports on which multicast group members have been learned.
◆ Forwarding Priority – Assigns a CoS priority to all multicast traffic. (Range: 0-7, where 7 is the highest priority) This parameter can be used to set a high priority for low-latency multicast traffic such as a video-conference, or to set a low priority for normal multicast traffic not sensitive to latency.
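The behaviour described above (a snooping table that learns member ports from reports, the "last leave" absorption of proxy reporting, and the effect of the unregistered-data flooding setting) can be modelled in a few lines. The following is an added illustration, not the switch's firmware or any code from this guide; the port numbers, group addresses and the choice to still deliver unregistered traffic to router ports when flooding is disabled are assumptions made for the example.

```python
"""Toy model of a Layer 2 IGMP snooping table for one VLAN.
Constructed example: ports, groups and the router-port rule for
unregistered traffic are assumptions, not the switch's own logic."""
from dataclasses import dataclass, field


@dataclass
class SnoopingVlan:
    """Snooping state for one VLAN."""
    ports: frozenset                     # every port in the VLAN
    router_ports: frozenset              # ports facing a multicast router (static or learned)
    flood_unregistered: bool = True      # the "Unregistered Data Flooding" setting
    members: dict = field(default_factory=dict)   # group -> set of member ports

    def receive_report(self, port: int, group: str) -> bool:
        """A host on `port` reports membership in `group`.
        Returns True only when the group is new on this VLAN, which is the one
        case in which a proxy-reporting switch forwards a report upstream."""
        if port not in self.ports:
            raise ValueError(f"port {port} is not in this VLAN")
        member_ports = self.members.setdefault(group, set())
        first_member = not member_ports
        member_ports.add(port)
        return first_member

    def receive_leave(self, port: int, group: str) -> bool:
        """A host on `port` leaves `group`. With last leave the switch absorbs
        the leave and only sends one upstream when no members remain; returns
        True in exactly that case."""
        member_ports = self.members.get(group)
        if not member_ports or port not in member_ports:
            return False                  # unknown group or port: nothing changes
        member_ports.discard(port)
        if member_ports:
            return False                  # other subscribers remain on the VLAN
        del self.members[group]
        return True

    def egress_ports(self, ingress: int, group: str) -> frozenset:
        """Ports that receive a multicast frame for `group` arriving on `ingress`."""
        if group in self.members:
            # registered group: learned member ports plus router ports
            out = self.members[group] | self.router_ports
        elif self.flood_unregistered:
            # unregistered group with flooding enabled: every port in the VLAN
            out = set(self.ports)
        else:
            # flooding disabled: assumption here is that router ports still get it
            out = set(self.router_ports)
        return frozenset(out - {ingress})
```

Running the model with a router on port 4 and subscribers on ports 1 and 2 shows the point of the flooding setting: an unregistered group reaches all ports until flooding is turned off, after which only the router port sees it.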
Figure 340: Configuring General Settings for IGMP Snooping
SPECIFYING STATIC INTERFACES FOR AN IPV4 MULTICAST ROUTER
Use the Multicast > IGMP Snooping > Multicast Router (Add Static Multicast Router) page to statically attach an IPv4 interface to a multicast router/switch. Depending on network connections, IGMP snooping may not always be able to locate the IGMP querier.
◆ Type (Show Current Multicast Router) – Shows if this entry is static or dynamic.
◆ Expire (Show Current Multicast Router) – Time until this dynamic entry expires.
WEB INTERFACE
To specify a static interface attached to a multicast router:
1. Click Multicast, IGMP Snooping, Multicast Router.
2. Select Add Static Multicast Router from the Action list.
3.
Figure 342: Showing Static Interfaces Attached to an IPv4 Multicast Router
Multicast routers that are attached to ports on the switch use information obtained from IGMP, along with a multicast routing protocol (such as PIM) to support IP multicasting across the Internet. These routers may be dynamically discovered by the switch or statically assigned to an interface on the switch.
CLI REFERENCES
◆ "ip igmp snooping vlan static" on page 1442
COMMAND USAGE
◆ Static multicast addresses are never aged out.
◆ When a multicast address is assigned to an interface in a specific VLAN, the corresponding traffic can only be forwarded to ports within that VLAN.
PARAMETERS
These parameters are displayed:
◆ VLAN – Specifies the VLAN which is to propagate the multicast service.
To show the static interfaces assigned to an IPv4 multicast service:
1. Click Multicast, IGMP Snooping, IGMP Member.
2. Select Show Static Member from the Action list.
3. Select the VLAN for which to display this information.
NOTE: The default values recommended in the MRD draft are implemented in the switch.
Multicast Router Discovery uses the following three message types to discover multicast routers:
◆ Multicast Router Advertisement – Advertisements are sent by routers to advertise that IP multicast forwarding is enabled. These messages are sent unsolicited periodically on all router interfaces on which multicast forwarding is enabled.
PARAMETERS
These parameters are displayed:
◆ VLAN – ID of configured VLANs. (Range: 1-4094)
◆ IGMP Snooping Status – When enabled, the switch will monitor network traffic on the indicated VLAN interface to determine which hosts want to receive multicast traffic. This is referred to as IGMP Snooping.
◆ Proxy Reporting – Enables IGMP Snooping with Proxy Reporting. (Default: Based on global setting) When proxy reporting is enabled with this command, the switch performs “IGMP Snooping with Proxy Reporting” (as defined in DSL Forum TR-101, April 2006), including last leave, and query suppression.
◆ Last Member Query Count – The number of IGMP proxy group-specific or group-and-source-specific query messages that are sent out before the system assumes there are no more local members. (Range: 1-255; Default: 2) This attribute will take effect only if IGMP snooping proxy reporting or IGMP querier is enabled.
Figure 346: Configuring IGMP Snooping on a VLAN
To show the interface settings for IGMP snooping:
1. Click Multicast, IGMP Snooping, Interface.
2. Select Show VLAN Information from the Action list.
FILTERING IGMP QUERY PACKETS AND MULTICAST DATA
Use the Multicast > IGMP Snooping > Interface page to configure an interface to drop IGMP query packets or multicast data packets.
CLI REFERENCES
◆ "ip igmp query-drop" on page 1455
◆ "ip multicast-data-drop" on page 1455
PARAMETERS
These parameters are displayed:
◆ IGMP Query Drop – Configures an interface to drop any IGMP query packets received on the specified interface.
DISPLAYING MULTICAST GROUPS DISCOVERED BY IGMP SNOOPING
Use the Multicast > IGMP Snooping > Forwarding Entry page to display the forwarding entries learned through IGMP Snooping.
CLI REFERENCES
◆ "show ip igmp snooping group" on page 1443
COMMAND USAGE
To display information about multicast groups, IGMP Snooping must first be enabled on the switch (see page 613).
WEB INTERFACE
To show multicast groups learned through IGMP snooping:
1. Click Multicast, IGMP Snooping, Forwarding Entry.
2. Select the VLAN for which to display this information.
Figure 349: Showing Multicast Groups Learned by IGMP Snooping
DISPLAYING IGMP SNOOPING STATISTICS
Use the Multicast > IGMP Snooping > Statistics pages to display IGMP snooping protocol-related statistics for the specified interface.
◆ Specific Query Received – The number of specific queries received on this interface.
◆ Specific Query Sent – The number of specific queries sent from this interface.
◆ Number of Reports Sent – The number of reports sent from this interface.
◆ Number of Leaves Sent – The number of leaves sent from this interface.
WEB INTERFACE
To display statistics for IGMP snooping query-related messages:
1. Click Multicast, IGMP Snooping, Statistics.
2. Select Show Query Statistics from the Action list.
3. Select a VLAN.
Figure 350: Displaying IGMP Snooping Statistics – Query
To display IGMP snooping protocol-related statistics for a VLAN:
1. Click Multicast, IGMP Snooping, Statistics.
2. Select Show VLAN Statistics from the Action list.
3.
Figure 351: Displaying IGMP Snooping Statistics – VLAN
To display IGMP snooping protocol-related statistics for a port:
1. Click Multicast, IGMP Snooping, Statistics.
2. Select Show Port Statistics from the Action list.
3. Select a Port.
FILTERING AND THROTTLING IGMP GROUPS
In certain switch applications, the administrator may want to control the multicast services that are available to end users, for example an IP/TV service based on a specific subscription plan.
Figure 353: Enabling IGMP Filtering and Throttling
CONFIGURING IGMP FILTER PROFILES
Use the Multicast > IGMP Snooping > Filter (Configure Profile – Add) page to create an IGMP profile and set its access mode. Then use the (Add Multicast Group Range) page to configure the multicast groups to filter.
WEB INTERFACE
To create an IGMP filter profile and set its access mode:
1. Click Multicast, IGMP Snooping, Filter.
2. Select Configure Profile from the Step list.
3. Select Add from the Action list.
4. Enter the number for a profile, and set its access mode.
5. Click Apply.
Figure 354: Creating an IGMP Filtering Profile
To show the IGMP filter profiles:
1. Click Multicast, IGMP Snooping, Filter.
2.
4. Select the profile to configure, and add a multicast group address or range of addresses.
5. Click Apply.
Figure 356: Adding Multicast Groups to an IGMP Filtering Profile
To show the multicast groups configured for an IGMP filter profile:
1. Click Multicast, IGMP Snooping, Filter.
2. Select Configure Profile from the Step list.
3. Select Show Multicast Group Range from the Action list.
4.
reached on a port, the switch can take one of two actions: either “deny” or “replace.” If the action is set to deny, any new IGMP join reports will be dropped. If the action is set to replace, the switch randomly removes an existing group and replaces it with the new multicast group.
PARAMETERS
These parameters are displayed:
◆ Interface – Port or trunk identifier.
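The two mechanisms of this section, a permit/deny profile built from group ranges and a per-port group limit with a "deny" or "replace" action, are easy to misread when combined, so here is an added model of how a join is evaluated against both. This is illustrative code written for this page, not the switch's own implementation; the profile numbers, address ranges, port limit and the seeded random choice used for "replace" are assumptions.

```python
"""Toy model of IGMP filter profiles and per-port throttling.
Constructed example, not the switch's code: profile numbers, ranges,
limits and the seeded RNG are assumptions for illustration."""
import ipaddress
import random


class IgmpProfile:
    """An IGMP filter profile: an access mode plus a list of group ranges."""

    def __init__(self, number: int, mode: str, ranges):
        if mode not in ("permit", "deny"):
            raise ValueError("mode must be 'permit' or 'deny'")
        self.number = number
        self.mode = mode
        self.ranges = []
        for start, end in ranges:
            lo, hi = int(ipaddress.IPv4Address(start)), int(ipaddress.IPv4Address(end))
            if lo > hi:
                raise ValueError(f"range {start}-{end} is reversed")
            self.ranges.append((lo, hi))

    def allows(self, group: str) -> bool:
        """Permit mode allows only listed groups; deny mode blocks only listed groups."""
        addr = ipaddress.IPv4Address(group)
        if not addr.is_multicast:
            raise ValueError(f"{group} is not a multicast address")
        matched = any(lo <= int(addr) <= hi for lo, hi in self.ranges)
        return matched if self.mode == "permit" else not matched


class ThrottledPort:
    """Per-interface filtering and throttling state."""

    def __init__(self, profile=None, max_groups=None, action="deny", seed=0):
        if action not in ("deny", "replace"):
            raise ValueError("action must be 'deny' or 'replace'")
        self.profile = profile
        self.max_groups = max_groups
        self.action = action
        self.groups = []                    # groups joined on this port, in join order
        self._rng = random.Random(seed)     # "replace" evicts a randomly chosen group

    def join(self, group: str):
        """Process an IGMP join for `group` on this port.
        Returns (result, evicted_group) with result one of
        'joined', 'filtered', 'throttled' or 'replaced'."""
        if self.profile is not None and not self.profile.allows(group):
            return "filtered", None         # blocked by the profile before any counting
        if group in self.groups:
            return "joined", None           # already a member; nothing to add
        if self.max_groups is not None and len(self.groups) >= self.max_groups:
            if self.action == "deny":
                return "throttled", None    # the new join report is dropped
            victim = self._rng.choice(self.groups)
            self.groups.remove(victim)
            self.groups.append(group)
            return "replaced", victim
        self.groups.append(group)
        return "joined", None
```

Note the order of checks: the profile is consulted first, so a filtered group never counts toward the throttle limit, and a repeated join for a group already on the port is accepted without consuming a slot.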
Figure 358: Configuring IGMP Filtering and Throttling Interface Settings
MLD SNOOPING (SNOOPING AND QUERY FOR IPV6)
Multicast Listener Discovery (MLD) snooping operates on IPv6 traffic and performs a similar function to IGMP snooping for IPv4. That is, MLD snooping dynamically configures switch ports to limit IPv6 multicast traffic so that it is forwarded only to ports with users that want to receive it.
An IPv6 address must be configured on the VLAN interface from which the querier will act if elected. When serving as the querier, the switch uses this IPv6 address as the query source address. The querier will not start or will disable itself after having started if it detects an IPv6 multicast router on the network.
◆ Robustness – MLD Snooping robustness variable.
3. Click Apply.
Figure 359: Configuring General Settings for MLD Snooping
SETTING IMMEDIATE LEAVE STATUS FOR MLD SNOOPING PER INTERFACE
Use the Multicast > MLD Snooping > Interface page to configure Immediate Leave status for a VLAN.
CLI REFERENCES
◆ "ipv6 mld snooping vlan immediate-leave" on page 1476
PARAMETERS
These parameters are displayed:
◆ VLAN – A VLAN identification number.
Figure 360: Configuring Immediate Leave for MLD Snooping
SPECIFYING STATIC INTERFACES FOR AN IPV6 MULTICAST ROUTER
Use the Multicast > MLD Snooping > Multicast Router (Add Static Multicast Router) page to statically attach an interface to an IPv6 multicast router/switch. Depending on your network connections, MLD snooping may not always be able to locate the MLD querier.
Figure 361: Configuring a Static Interface for an IPv6 Multicast Router
To show the static interfaces attached to a multicast router:
1. Click Multicast, MLD Snooping, Multicast Router.
2. Select Show Static Multicast Router from the Action list.
3. Select the VLAN for which to display this information.
ASSIGNING INTERFACES TO IPV6 MULTICAST SERVICES
Use the Multicast > MLD Snooping > MLD Member (Add Static Member) page to statically assign an IPv6 multicast service to an interface. Multicast filtering can be dynamically configured using MLD snooping and query messages (see "Configuring MLD Snooping and Query Parameters" on page 638).
Figure 364: Assigning an Interface to an IPv6 Multicast Service
To show the static interfaces assigned to an IPv6 multicast service:
1. Click Multicast, MLD Snooping, MLD Member.
2. Select Show Static Member from the Action list.
3. Select the VLAN for which to display this information.
Figure 366: Showing Current Interfaces Assigned to an IPv6 Multicast Service
SHOWING MLD SNOOPING GROUPS AND SOURCE LIST
Use the Multicast > MLD Snooping > Group Information page to display known multicast groups, member ports, the means by which each group was learned, and the corresponding source list.
◆ Exclude List – Sources included on the router’s exclude list.
WEB INTERFACE
To display known MLD multicast groups:
1. Click Multicast, MLD Snooping, Group Information.
2. Select the port or trunk, and then select a multicast service assigned to that interface.
Layer 3 IGMP (Query used with Multicast Routing)
NOTE: Multicast Router Discovery (MRD) is used to discover which interfaces are attached to multicast routers. (For a description of this protocol, see “Multicast Router Discovery” on page 621.)
the proxy devices independent of the multicast routing protocols used by core routers. IGMP proxy routing uses a tree topology, where the root of the tree is connected to a complete multicast infrastructure (with the upstream interface connected to the Internet as shown in the figure above).
◆ The system periodically checks the multicast route table for (*,G) any-source multicast forwarding entries. When changes occur in the downstream IGMP groups, an IGMP state change report is created and sent to the upstream router.
CONFIGURING IGMP INTERFACE PARAMETERS
Use the Multicast > IGMP > Interface page to configure interface settings for IGMP. The switch uses IGMP (Internet Group Management Protocol) to query for any attached hosts that want to receive a specific multicast service. The hosts may respond with several types of IP multicast messages.
the QRV field does not contain a declared robustness value, the switch will set the robustness variable to the value statically configured by this command. If the QRV exceeds 7, the maximum value of the QRV field, the robustness value is set to zero, meaning that this device will not advertise a QRV in any query messages it subsequently sends.
◆ Query Interval – Configures the frequency at which host query messages are sent.
WEB INTERFACE
To configure IGMP interface settings:
1. Click Multicast, IGMP, Interface.
2. Select each interface that will support IGMP (Layer 3), and set the required IGMP parameters.
3. Click Apply.
Figure 370: Configuring IGMP Interface Settings
CONFIGURING STATIC IGMP GROUP
Use the Multicast > IGMP > Static Group page to manually propagate traffic from specific multicast groups onto the specified VLAN interface.
◆ The switch supports a maximum of 64 static group entries.
PARAMETERS
These parameters are displayed:
◆ VLAN – VLAN interface to assign as a static member of the specified multicast group. (Range: 1-4094)
◆ Static Group Address – An IP multicast group address. (The group addresses specified cannot be in the range of 224.0.0.1 - 239.255.255.255.)
Figure 372: Showing Static IGMP Groups
DISPLAYING MULTICAST GROUP INFORMATION
When IGMP (Layer 3) is enabled on the switch, use the Multicast > IGMP > Group Information pages to display the current multicast groups learned through IGMP. When IGMP (Layer 3) is disabled and IGMP (Layer 2) is enabled, the active multicast groups can be viewed on the Multicast > IGMP Snooping > Forwarding Entry page (see page 628).
◆ V1 Timer – The time remaining until the switch assumes that there are no longer any IGMP Version 1 members on the IP subnet attached to this interface.
■ If the switch receives an IGMP Version 1 Membership Report, it sets a timer to note that there are Version 1 hosts present which are members of the group for which it heard the report.
WEB INTERFACE
To display the current multicast groups learned through IGMP:
1. Click Multicast, IGMP, Group Information.
2. Select Show Information from the Action list.
3. Select a VLAN. The selected entry must be a configured IP interface.
Figure 373: Displaying Multicast Groups Learned from IGMP (Information)
To display detailed information about the current multicast groups learned through IGMP:
1.
MULTICAST VLAN REGISTRATION FOR IPV4
Multicast VLAN Registration (MVR) is a protocol that controls access to a single network-wide VLAN most commonly used for transmitting multicast traffic (such as television channels or video-on-demand) across a service provider’s network. Any multicast traffic entering an MVR VLAN is sent to all attached subscribers.
group to the participating interfaces (see "Assigning Static MVR Multicast Groups to Interfaces" on page 667).
◆ Although MVR operates on the underlying mechanism of IGMP snooping, the two features operate independently of each other. One can be enabled or disabled without affecting the behavior of the other.
■ When a source port receives a query message, it will be forwarded to all downstream receiver ports.
■ When a receiver port receives a query message, it will be dropped.
◆ Robustness Value – Configures the expected packet loss, and thereby the number of times to generate report and group-specific queries. (Range: 1-255; Default: 1)
WEB INTERFACE
To configure global settings for MVR:
1. Click Multicast, MVR.
2. Select Configure Global from the Step list.
3. Set the status for MVR proxy switching, the robustness value used for report and query messages, the proxy query interval, and source port mode.
4. Click Apply.
source port with a valid link has been configured (see "Configuring MVR Interface Status" on page 665).
◆ MVR Current Learned Groups – The number of MVR groups currently assigned to this domain.
◆ Forwarding Priority – The CoS priority assigned to all multicast traffic forwarded into this domain.
CONFIGURING MVR GROUP ADDRESS PROFILES
Use the Multicast > MVR (Configure Profile and Associate Profile) pages to assign the multicast group address for required services to one or more MVR domains.
CLI REFERENCES
◆ "MVR for IPv4" on page 1478
COMMAND USAGE
◆ Use the Configure Profile page to statically configure all multicast group addresses that will join the MVR VLAN.
WEB INTERFACE
To configure an MVR group address profile:
1. Click Multicast, MVR.
2. Select Configure Profile from the Step list.
3. Select Add from the Action list.
4. Enter the name of a group profile to be assigned to one or more domains, and specify a multicast group that will stream traffic to participating hosts.
5. Click Apply.
To assign an MVR group address profile to a domain:
1. Click Multicast, MVR.
2. Select Associate Profile from the Step list.
3. Select Add from the Action list.
4. Select a domain from the scroll-down list, and enter the name of a group profile.
5. Click Apply.
Figure 380: Assigning an MVR Group Address Profile to a Domain
To show the MVR group address profiles assigned to a domain:
1. Click Multicast, MVR.
2.
CONFIGURING MVR INTERFACE STATUS
Use the Multicast > MVR (Configure Interface) page to configure each interface that participates in the MVR protocol as a source port or receiver port. If you are sure that only one subscriber attached to an interface is receiving multicast services, you can enable the immediate leave function.
◆ Type – The following interface types are supported:
■ Source – An uplink port that can send and receive multicast data for the groups assigned to the MVR VLAN. Note that the source port must be manually configured as a member of the MVR VLAN (see "Adding Static Members to VLANs" on page 231).
■ Receiver – A subscriber port that can receive multicast data sent through the MVR VLAN.
Figure 382: Configuring Interface Settings for MVR
ASSIGNING STATIC MVR MULTICAST GROUPS TO INTERFACES
Use the Multicast > MVR (Configure Static Group Member) page to statically bind multicast groups to a port which will receive long-term multicast streams associated with a stable set of hosts.
WEB INTERFACE
To assign a static MVR group to an interface:
1. Click Multicast, MVR.
2. Select Configure Static Group Member from the Step list.
3. Select Add from the Action list.
4. Select an MVR domain.
5. Select a VLAN and interface to receive the multicast stream, and then enter the multicast group address.
6. Click Apply.
DISPLAYING MVR RECEIVER GROUPS
Use the Multicast > MVR (Show Member) page to show the multicast groups either statically or dynamically assigned to the MVR receiver groups on each interface.
CLI REFERENCES
◆ "show mvr members" on page 1492
PARAMETERS
These parameters are displayed:
◆ Domain ID – An independent multicast domain. (Range: 1-5)
◆ Group IP Address – Multicast groups assigned to the MVR VLAN.
DISPLAYING MVR STATISTICS
Use the Multicast > MVR > Show Statistics pages to display MVR protocol-related statistics for the specified interface.
CLI REFERENCES
◆ "show mvr statistics" on page 1494
PARAMETERS
These parameters are displayed:
◆ Domain ID – An independent multicast domain. (Range: 1-5)
◆ VLAN – VLAN identifier. (Range: 1-4094)
◆ Port – Port identifier. (Range: 1-28)
◆ Trunk – Trunk identifier.
◆ G(-S)-S Query – The number of group specific or group-and-source specific query messages received on this interface.
◆ Drop – The number of times a report, leave or query was dropped. Packets may be dropped due to invalid format, rate limiting, packet content not allowed, or MVR group report received.
◆ Join Success – The number of times a multicast group was successfully joined.
WEB INTERFACE
To display statistics for MVR query-related messages:
1. Click Multicast, MVR.
2. Select Show Statistics from the Step list.
3. Select Show Query Statistics from the Action list.
4. Select an MVR domain.
To display MVR protocol-related statistics for a VLAN:
1. Click Multicast, MVR.
2. Select Show Statistics from the Step list.
3. Select Show VLAN Statistics from the Action list.
4. Select an MVR domain.
5. Select a VLAN.
To display MVR protocol-related statistics for a port:
1. Click Multicast, MVR.
2. Select Show Statistics from the Step list.
3. Select Show Port Statistics from the Action list.
4. Select an MVR domain.
5. Select a Port.
Figure 388: Displaying MVR Statistics – Port
MULTICAST VLAN REGISTRATION FOR IPV6
MVR6 functions in a manner similar to that described for MVR (see "Multicast VLAN Registration for IPv4" on page 657).
4. For multicast streams that will run for a long term and be associated with a stable set of hosts, you can statically bind the multicast group to the participating interfaces (see "Assigning Static MVR6 Multicast Groups to Interfaces" on page 684).
CONFIGURING MVR6 GLOBAL SETTINGS
Use the Multicast > MVR6 (Configure Global) page to configure proxy switching and the robustness variable.
groups, and the number of times group-specific queries are sent to downstream receiver ports.
◆ Proxy Query Interval – Configures the interval at which the receiver port sends out general queries. (Range: 2-31744 seconds; Default: 125 seconds)
■ This parameter only takes effect when MVR6 proxy switching is enabled.
■ This parameter sets the general query interval at which active receiver ports send out general queries.
Figure 389: Configuring Global Settings for MVR6
CONFIGURING MVR6 DOMAIN SETTINGS
Use the Multicast > MVR6 (Configure Domain) page to enable MVR6 globally on the switch, and select the VLAN that will serve as the sole channel for common multicast streams supported by the service provider.
CLI REFERENCES
◆ "MVR for IPv6" on page 1496
PARAMETERS
These parameters are displayed:
◆ Domain ID – An independent multicast domain.
◆ Upstream Source IPv6 – The source IPv6 address assigned to all MVR6 control packets sent upstream on the specified domain. This parameter must be a full IPv6 address including the network prefix and host address bits. By default, all MVR6 reports sent upstream use a null source IP address. All IPv6 addresses must be according to RFC 2373 “IPv6 Addressing Architecture,” using 8 colon-separated 16-bit hexadecimal values.
COMMAND USAGE
◆ Use the Configure Profile page to statically configure all multicast group addresses that will join the MVR6 VLAN. Any multicast data associated with an MVR6 group is sent from all source ports to all receiver ports that have registered to receive data from that multicast group.
◆ MLD snooping and MVR6 share a maximum number of 1024 groups.
4. Enter the name of a group profile to be assigned to one or more domains, and specify a multicast group that will stream traffic to participating hosts.
5. Click Apply.
Figure 391: Configuring an MVR6 Group Address Profile
To show the configured MVR6 group address profiles:
1. Click Multicast, MVR6.
2. Select Configure Profile from the Step list.
3. Select Show from the Action list.
Figure 393: Assigning an MVR6 Group Address Profile to a Domain
To show the MVR6 group address profiles assigned to a domain:
1. Click Multicast, MVR6.
2. Select Associate Profile from the Step list.
3. Select Show from the Action list.
Receiver ports should not be statically configured as a member of the MVR6 VLAN. If so configured, its MVR6 status will be inactive. Also, note that VLAN membership for MVR6 receiver ports cannot be set to access mode (see "Adding Static Members to VLANs" on page 231).
◆ One or more interfaces may be configured as MVR6 source ports.
◆ MVR6 Status – Shows the MVR6 status. MVR6 status for source ports is “Active” if MVR6 is globally enabled on the switch. MVR6 status for receiver ports is “Active” only if there are subscribers receiving multicast traffic from one of the MVR6 groups, or a multicast group has been statically assigned to an interface.
ASSIGNING STATIC MVR6 MULTICAST GROUPS TO INTERFACES
Use the Multicast > MVR6 (Configure Static Group Member) page to statically bind multicast groups to a port which will receive long-term multicast streams associated with a stable set of hosts.
CLI REFERENCES
◆ "mvr6 vlan group" on page 1505
COMMAND USAGE
◆ Multicast groups can be statically assigned to a receiver port using this configuration page.
Figure 396: Assigning Static MVR6 Groups to a Port
To show the static MVR6 groups assigned to an interface:
1. Click Multicast, MVR6.
2. Select Configure Static Group Member from the Step list.
3. Select Show from the Action list.
4. Select an MVR6 domain.
5. Select the port or trunk for which to display this information.
◆ VLAN – The VLAN through which the service is received. Note that this may be different from the MVR6 VLAN if the group address has been statically assigned.
◆ Port – Indicates the source address of the multicast service, or displays an asterisk if the group address has been statically assigned (these entries are marked as “Source”).
◆ Port – Port identifier. (Range: 1-28)
◆ Trunk – Trunk identifier. (Range: 1-8)
Query Statistics
◆ Querier IPv6 Address – The IP address of the querier on this interface.
◆ Querier Expire Time – The time after which this querier is assumed to have expired.
◆ General Query Received – The number of general queries received on this interface.
◆ General Query Sent – The number of general queries sent from this interface.
Output Statistics
◆ Report – The number of MLD membership reports sent from this interface.
◆ Leave – The number of leave messages sent from this interface.
◆ G Query – The number of general query messages sent from this interface.
◆ G(-S)-S Query – The number of group specific or group-and-source specific query messages sent from this interface.
WEB INTERFACE
To display statistics for MVR6 query-related messages:
1.
To display MVR6 protocol-related statistics for a VLAN:
1. Click Multicast, MVR6.
2. Select Show Statistics from the Step list.
3. Select Show VLAN Statistics from the Action list.
4. Select an MVR6 domain.
5. Select a VLAN.
To display MVR6 protocol-related statistics for a port:
1. Click Multicast, MVR6.
2. Select Show Statistics from the Step list.
3. Select Show Port Statistics from the Action list.
4. Select an MVR6 domain.
5. Select a Port.
16 IP CONFIGURATION This chapter describes how to configure an initial IP interface for management access to the switch over the network. This switch supports both IP Version 4 and Version 6, and can be managed simultaneously through either of these address types. You can manually configure a specific IPv4 or IPv6 address, or direct the switch to obtain an IPv4 address from a BOOTP or DHCP server.
CHAPTER 16 | IP Configuration Setting the Switch’s IP Address (IP Version 4) COMMAND USAGE ◆ This section describes how to configure a single local interface for initial access to the switch. To configure multiple IP interfaces, set up an IP interface for each VLAN. ◆ Once an IP address has been assigned to an interface, routing between different interfaces on the switch is enabled.
◆ Subnet Mask – This mask identifies the host address bits used for routing to specific subnets. (Default: None) ◆ Restart DHCP – Requests a new IP address from the DHCP server. WEB INTERFACE To set a static IPv4 address for the switch: 1. Click IP, General, Routing Interface. 2. Select Add Address from the Action list. 3.
Figure 403: Configuring a Dynamic IPv4 Address NOTE: The switch will also broadcast a request for IP configuration settings on each power reset. NOTE: If you lose the management connection, make a console connection to the switch and enter “show ip interface” to determine the new switch address. Renewing DHCP – DHCP may lease addresses to clients indefinitely or for a specific period of time.
CHAPTER 16 | IP Configuration Setting the Switch’s IP Address (IP Version 6) To show the IPv4 address configured for an interface: 1. Click IP, General, Routing Interface. 2. Select Show Address from the Action list. 3. Select an entry from the VLAN list.
CONFIGURING THE IPV6 DEFAULT GATEWAY Use the IP > IPv6 Configuration (Configure Global) page to configure an IPv6 default gateway for the switch. CLI REFERENCES ◆ "ipv6 default-gateway" on page 1664 PARAMETERS These parameters are displayed: ◆ Default Gateway – Sets the IPv6 address of the default next hop router to use when no routing information is known about an IPv6 address.
CONFIGURING IPV6 INTERFACE SETTINGS Use the IP > IPv6 Configuration (Configure Interface) page to configure general IPv6 settings for the selected VLAN, including explicit configuration of a link local interface address, the MTU size, and neighbor discovery protocol settings for duplicate address detection and the neighbor solicitation interval.
■ IPv6 routers do not fragment IPv6 packets forwarded from other routers. However, traffic originating from an end-station connected to an IPv6 router may be fragmented. ■ All devices on the same physical medium must use the same MTU in order to operate correctly. ◆ IPv6 must be enabled on an interface before the MTU can be set. ◆ If an IPv6 address has not been assigned to the switch, “N/A” is displayed in the MTU field.
When a non-default value is configured, the specified interval is used both for router advertisements and by the router itself. ◆ ND Reachable-Time – The amount of time that a remote IPv6 node is considered reachable after some reachability confirmation event has occurred. (Range: 0-3600000 milliseconds) Default: 30000 milliseconds is used for neighbor discovery operations, 0 milliseconds is advertised in router advertisements.
6. Click Apply. Figure 406: Configuring General Settings for an IPv6 Interface To configure RA Guard for the switch: 1. Click IP, IPv6 Configuration. 2. Select Configure Interface from the Action list. 3. Select RA Guard mode. 4. Enable RA Guard for untrusted interfaces. 5. Click Apply.
COMMAND USAGE ◆ All IPv6 addresses must be formatted according to RFC 2373 “IPv6 Addressing Architecture,” using 8 colon-separated 16-bit hexadecimal values. One double colon may be used in the address to indicate the appropriate number of zeros required to fill the undefined fields. ◆ The switch must always be configured with a link-local address.
by a forward slash, and a decimal value indicating how many contiguous bits (from the left) of the address comprise the prefix (i.e., the network portion of the address). ■ EUI-64 (Extended Universal Identifier) – Configures an IPv6 address for an interface using an EUI-64 interface ID in the low order 64 bits.
WEB INTERFACE To configure an IPv6 address: 1. Click IP, IPv6 Configuration. 2. Select Add IPv6 Address from the Action list. 3. Specify the VLAN to configure, select the address type, and then enter an IPv6 address and prefix length. 4. Click Apply. Figure 408: Configuring an IPv6 Address SHOWING IPV6 ADDRESSES Use the IP > IPv6 Configuration (Show IPv6 Address) page to display the IPv6 addresses assigned to an interface.
A node is also required to compute and join the associated solicited-node multicast addresses for every unicast and anycast address it is assigned. IPv6 addresses that differ only in the high-order bits, e.g. due to multiple high-order prefixes associated with different aggregations, will map to the same solicited-node address, thereby reducing the number of multicast addresses a node must join.
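The address rules described above (RFC 2373 text format with a single “::”, EUI-64 interface IDs, and solicited-node multicast groups) can be exercised with the short Python helpers below. This is an added example, not code from the guide or the switch firmware; the standard ipaddress module does the text-format validation, and the MAC address and prefixes are constructed sample values. It also shows that two addresses that differ only in their high-order prefix join the same solicited-node group.

```python
import ipaddress

# Solicited-node multicast base: ff02::1:ffXX:XXXX, where XX:XXXX are the
# low-order 24 bits of the unicast or anycast address (RFC 4291, 2.7.1).
SOLICITED_NODE_BASE = int(ipaddress.IPv6Address("ff02::1:ff00:0"))


def parse_ipv6(text: str) -> ipaddress.IPv6Address:
    """Validate the RFC 2373 text form: 8 colon-separated 16-bit hex groups,
    with at most one '::' standing in for a run of zero groups."""
    try:
        return ipaddress.IPv6Address(text)
    except ipaddress.AddressValueError as exc:
        raise ValueError(f"not a valid IPv6 address: {text!r}") from exc


def canonical(text: str) -> str:
    """Compressed text form, as a switch 'show' page would display it."""
    return str(parse_ipv6(text))


def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 interface identifier from a 48-bit MAC address:
    split the MAC in half, insert FF:FE, and flip the universal/local bit."""
    octets = bytes(int(x, 16) for x in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui[0] ^= 0x02  # invert the universal/local bit (bit 1 of octet 0)
    return int.from_bytes(eui, "big")


def eui64_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Address built from a /64 prefix plus the EUI-64 interface ID
    in the low-order 64 bits (global or link-local, depending on prefix)."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 addressing requires a 64-bit prefix")
    return ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac))


def solicited_node(text: str) -> ipaddress.IPv6Address:
    """Solicited-node multicast address a node must join for this address."""
    low24 = int(parse_ipv6(text)) & 0xFFFFFF
    return ipaddress.IPv6Address(SOLICITED_NODE_BASE | low24)


# Constructed sample values (not from the guide).
SAMPLE_MAC = "00-11-22-33-44-55"
SAMPLE_GLOBAL_PREFIX = "2001:db8:1:2::/64"
LINK_LOCAL_PREFIX = "fe80::/64"

if __name__ == "__main__":
    glob = eui64_address(SAMPLE_GLOBAL_PREFIX, SAMPLE_MAC)
    link = eui64_address(LINK_LOCAL_PREFIX, SAMPLE_MAC)
    print("global    :", glob, "->", solicited_node(str(glob)))
    print("link-local:", link, "->", solicited_node(str(link)))
    # Both addresses share the low-order 24 bits, so one multicast group serves both.
    print("same solicited-node group:", solicited_node(str(glob)) == solicited_node(str(link)))
    for bad in ("2001::db8::1", "2001:db8:1:2:3:4:5:6:7"):
        try:
            parse_ipv6(bad)
        except ValueError as err:
            print("rejected:", err)
```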
SHOWING THE IPV6 NEIGHBOR CACHE Use the IP > IPv6 Configuration (Show IPv6 Neighbor Cache) page to display the IPv6 addresses detected for neighbor devices.
WEB INTERFACE To show neighboring IPv6 devices: 1. Click IP, IPv6 Configuration. 2. Select Show IPv6 Neighbors from the Action list. Figure 410: Showing IPv6 Neighbors SHOWING IPV6 STATISTICS Use the IP > IPv6 Configuration (Show Statistics) page to display statistics about IPv6 traffic passing through this switch.
PARAMETERS These parameters are displayed: Table 46: Show IPv6 Statistics - display description IPv6 Statistics: ◆ IPv6 Received Total – The total number of input datagrams received by the interface, including those received in error.
Table 46: Show IPv6 Statistics - display description (Continued) IPv6 Transmitted: ◆ Forwards Datagrams – The number of output datagrams which this entity received and forwarded to their final destinations. In entities which do not act as IPv6 routers, this counter will include only those packets which were Source-Routed via this entity, and the Source-Route processing was successful.
Table 46: Show IPv6 Statistics - display description (Continued) ◆ Neighbor Advertisement Messages – The number of ICMP Neighbor Advertisement messages received by the interface. ◆ Redirect Messages – The number of Redirect messages received by the interface. ◆ Group Membership Query Messages – The number of ICMPv6 Group Membership Query messages received by the interface.
Table 46: Show IPv6 Statistics - display description (Continued) ◆ No Port Errors – The total number of received UDP datagrams for which there was no application at the destination port. ◆ Other Errors – The number of received UDP datagrams that could not be delivered for reasons other than the lack of an application at the destination port. ◆ Output – The total number of UDP datagrams sent from this entity.
Figure 412: Showing IPv6 Statistics (ICMPv6) Figure 413: Showing IPv6 Statistics (UDP)
SHOWING THE MTU FOR RESPONDING DESTINATIONS Use the IP > IPv6 Configuration (Show MTU) page to display the maximum transmission unit (MTU) cache for destinations that have returned an ICMP packet-too-big message along with an acceptable MTU to this switch.
17 IP SERVICES This chapter describes the following IP services: ◆ DNS – Configures default domain names, identifies servers to use for dynamic lookup, and shows how to configure static entries. ◆ DHCP Client – Specifies the DHCP client identifier for an interface. ◆ DHCP Relay – Enables DHCP relay service, and defines the servers to which client requests are forwarded. ◆ DHCP Server – Configures address to be allocated to networks or specific hosts.
CHAPTER 17 | IP Services Domain Name Service COMMAND USAGE ◆ To enable DNS service on this switch, enable domain lookup status, and configure one or more name servers (see "Configuring a List of Name Servers" on page 716). PARAMETERS These parameters are displayed: ◆ Domain Lookup – Enables DNS host name-to-address translation. (Default: Disabled) ◆ Default Domain Name – Defines the default domain name appended to incomplete host names.
◆ If there is no domain list, the default domain name is used (see "Configuring General DNS Service Parameters" on page 713). If there is a domain list, the system will search it for a corresponding entry. If none is found, it will use the default domain name.
To show the list of domain names: 1. Click IP Service, DNS. 2. Select Show Domain Names from the Action list. Figure 417: Showing the List of Domain Names for DNS CONFIGURING A LIST OF NAME SERVERS Use the IP Service > DNS - General (Add Name Server) page to configure a list of name servers to be tried in sequential order.
4. Click Apply. Figure 418: Configuring a List of Name Servers for DNS To show the list of name servers: 1. Click IP Service, DNS. 2. Select Show Name Servers from the Action list. Figure 419: Showing the List of Name Servers for DNS CONFIGURING STATIC DNS HOST TO ADDRESS ENTRIES Use the IP Service > DNS - Static Host Table (Add) page to manually configure static entries in the DNS table that are used to map domain names to IP addresses.
WEB INTERFACE To configure static entries in the DNS table: 1. Click IP Service, DNS, Static Host Table. 2. Select Add from the Action list. 3. Enter a host name and the corresponding address. 4. Click Apply. Figure 420: Configuring Static Entries in the DNS Table To show static entries in the DNS table: 1. Click IP Service, DNS, Static Host Table. 2. Select Show from the Action list.
CHAPTER 17 | IP Services Dynamic Host Configuration Protocol client can try each address in succession, until it establishes a connection with the target device. PARAMETERS These parameters are displayed: ◆ No. – The entry number for each resource record. ◆ Flag – The flag is always “4” indicating a cache entry and therefore unreliable. ◆ Type – This field includes CNAME which specifies the host address for the owner, and ALIAS which specifies an alias.
SPECIFYING A DHCP CLIENT IDENTIFIER Use the IP Service > DHCP > Client page to specify the DHCP client identifier for a VLAN interface. CLI REFERENCES ◆ "ip dhcp client class-id" on page 1625 COMMAND USAGE ◆ The class identifier is used to identify the vendor class and configuration of the switch to the DHCP server, which then uses this information to decide on how to service the client or the type of information to return.
PARAMETERS These parameters are displayed: ◆ VLAN – ID of configured VLAN. ◆ Vendor Class ID – The following options are supported when the check box is marked to enable this feature: ■ Default – The default string is ECS4660-28F. ■ Text – A text string. (Range: 1-32 characters) ■ Hex – A hexadecimal value. (Range: 1-64 characters) WEB INTERFACE To configure a DHCP client identifier: 1. Click IP Service, DHCP, Client. 2.
Figure 424: Layer 3 DHCP Relay Service CLI REFERENCES ◆ "ip dhcp relay server" on page 1629 ◆ "ip dhcp restart relay" on page 1630 COMMAND USAGE ◆ You must specify the IP address for at least one DHCP server. Otherwise, the switch’s DHCP relay agent will not forward client requests to a DHCP server.
Figure 425: Configuring DHCP Relay Service CONFIGURING THE DHCP SERVER This switch includes a Dynamic Host Configuration Protocol (DHCP) server that can assign temporary IP addresses to any attached host requesting service.
ENABLING THE SERVER Use the IP Service > DHCP > Server (Configure Global) page to enable the DHCP Server. CLI REFERENCES ◆ "service dhcp" on page 1634 PARAMETERS These parameters are displayed: ◆ DHCP Server – Enables or disables the DHCP server on this switch. (Default: Disabled) WEB INTERFACE To enable the DHCP server: 1. Click IP Service, DHCP, Server. 2. Select Configure Global from the Step list. 3. Mark the Enabled box. 4. Click Apply.
NOTE: Be sure you exclude the address for this switch and other key network devices. WEB INTERFACE To configure IP addresses excluded for DHCP clients: 1. Click IP Service, DHCP, Server. 2. Select Configure Excluded Addresses from the Step list. 3. Select Add from the Action list. 4. Enter a single address or an address range. 5. Click Apply.
CONFIGURING ADDRESS POOLS Use the IP Service > DHCP > Server (Configure Pool – Add) page to configure IP address pools for each IP interface that will provide addresses to attached clients via the DHCP server. CLI REFERENCES ◆ "DHCP Server" on page 1632 COMMAND USAGE ◆ First configure address pools for the network interfaces. Then you can manually bind an address to a specific client if required.
◆ Subnet Mask – The bit combination that identifies the network (or subnet) and the host portion of the DHCP address pool. Setting Parameters for a Static Host ◆ IP – The IP address to assign to the host. ◆ Subnet Mask – Specifies the network mask of the client. ◆ Client-Identifier – A unique designation for the client device, either a text string (1-15 characters) or hexadecimal value.
3. Select Add from the Action list. 4. Set the pool Type to Network or Host. 5. Enter the IP address and subnet mask for a network pool or host. If configuring a static binding for a host, enter the client identifier or hardware address for the host device. Configure the optional parameters such as a gateway server and DNS server. 6. Click Apply.
Figure 431: Configuring DHCP Server Address Pools (Host) To show the configured DHCP address pools: 1. Click IP Service, DHCP, Server. 2. Select Configure Pool from the Step list. 3. Select Show from the Action list.
CHAPTER 17 | IP Services Forwarding UDP Service Requests DISPLAYING ADDRESS BINDINGS Use the IP Service > DHCP > Server (Show IP Binding) page to display the host devices which have acquired an IP address from this switch’s DHCP server. CLI REFERENCES ◆ "show ip dhcp binding" on page 1644 PARAMETERS These parameters are displayed: ◆ IP Address – IP address assigned to host. ◆ MAC Address – MAC address of host. ◆ Lease Time – Duration that this IP address can be used by the host.
to forward broadcast packets for specified UDP application ports to remote servers located in another network segment.
PARAMETERS These parameters are displayed: ◆ Destination UDP Port – UDP application port for which UDP service requests are forwarded.
Figure 436: Showing the UDP Destination Ports SPECIFYING THE TARGET SERVER OR SUBNET Use the IP Service > UDP Helper > Address page to specify the application server or subnet (indicated by a directed broadcast address) to which designated UDP broadcast packets are forwarded. CLI REFERENCES ◆ "ip helper-address" on page 1661 COMMAND USAGE ◆ Up to 20 helper addresses can be specified.
PARAMETERS These parameters are displayed: ◆ VLAN ID – VLAN identifier (Range: 1-4094) ◆ IP Address – Host address or directed broadcast address to which UDP broadcast packets are forwarded. (Range: 1-65535) WEB INTERFACE To specify the target server or subnet for forwarding UDP request packets: 1. Click IP Service, UDP Helper, Address. 2. Select Add from the Action list. 3.
CHAPTER 17 | IP Services Configuring the PPPoE Intermediate Agent CONFIGURING THE PPPOE INTERMEDIATE AGENT This section describes how to configure the PPPoE Intermediate Agent (PPPoE IA) relay parameters required for passing authentication messages between a client and broadband remote access servers.
◆ Operational Generic Error Message – The configured generic error message. WEB INTERFACE To configure global settings for PPPoE IA: 1. Click IP Service, PPPoE Intermediate Agent. 2. Select Configure Global from the Step list. 3. Enable the PPPoE IA on the switch, set the access node identifier, and set the generic error message. 4. Click Apply.
■ At least one trusted interface must be configured on the switch for the PPPoE IA to function. ◆ Vendor Tag Strip – Enables the stripping of vendor tags from PPPoE Discovery packets sent from a PPPoE server. (Default: Disabled) This parameter only applies to trusted interfaces.
Figure 440: Configuring Interface Settings for PPPoE Intermediate Agent SHOWING PPPOE IA STATISTICS Use the IP Service > PPPoE Intermediate Agent (Show Statistics) page to show statistics on PPPoE IA protocol messages. CLI REFERENCES ◆ "show pppoe intermediate-agent statistics" on page 1087 PARAMETERS These parameters are displayed: ◆ Interface – Port or trunk selection. ◆ Received – Received PPPoE active discovery messages.
WEB INTERFACE To show statistics for PPPoE IA protocol messages: 1. Click IP Service, PPPoE Intermediate Agent. 2. Select Show Statistics from the Step list. 3. Select Port or Trunk interface type.
18 GENERAL IP ROUTING This chapter provides information on network functions including: ◆ Ping – Sends ping message to another node on the network. ◆ Trace – Sends ICMP echo request packets to another node on the network. ◆ Address Resolution Protocol – Describes how to configure ARP aging time, proxy ARP, or static addresses. Also shows how to display dynamic entries in the ARP cache. ◆ Static Routes – Configures static routes to other network segments.
CHAPTER 18 | General IP Routing IP Routing and Switching Each VLAN represents a virtual interface to Layer 3. You just need to provide the network address for each virtual interface, and the traffic between different subnetworks will be routed by Layer 3 switching.
If the destination node is on the same subnetwork as the source network, then the packet can be transmitted directly without the help of a router. However, if the MAC address is not yet known to the switch, an Address Resolution Protocol (ARP) packet with the destination IP address is broadcast to get the destination MAC address from the destination node. The IP packet can then be sent directly with the destination MAC address.
CHAPTER 18 | General IP Routing Configuring IP Routing Interfaces ROUTING PROTOCOLS The switch supports both static and dynamic routing. ◆ Static routing requires routing information to be stored in the switch either manually or when a connection is set up by an application outside the switch. ◆ Dynamic routing uses a routing protocol to exchange routing information, calculate routing tables, and respond to changes in the status or loading of the network.
If the switch is configured to advertise itself as the default gateway, a routing protocol must still be used to determine the next hop router for any unknown destinations, i.e., packets that do not match any routing table entry. If another router is designated as the default gateway, then the switch will pass packets to this router for any unknown hosts or subnets.
the % delimiter. For example, FE80::7272%1 identifies VLAN 1 as the interface. WEB INTERFACE To ping another device on the network: 1. Click IP, General, Ping. 2. Specify the target device and ping parameters. 3. Click Apply. Figure 443: Pinging a Network Device USING THE TRACE ROUTE FUNCTION Use the IP > General > Trace Route page to show the route packets take to the specified destination.
◆ A trace terminates when the destination responds, when the maximum timeout (TTL) is exceeded, or the maximum number of hops is exceeded. ◆ The trace route function first sends probe datagrams with the TTL value set at one. This causes the first router to discard the datagram and return an error message. The trace function then sends several probe messages at each subsequent TTL level and displays the round-trip time for each message.
CHAPTER 18 | General IP Routing Address Resolution Protocol ADDRESS RESOLUTION PROTOCOL If IP routing is enabled (page 769), the router uses its routing tables to make routing decisions, and uses Address Resolution Protocol (ARP) to forward traffic from one hop to the next. ARP is used to map an IP address to a physical layer (i.e., MAC) address.
When a node in the attached subnetwork does not have routing or a default gateway configured, Proxy ARP can be used to forward ARP requests to a remote subnetwork. When the router receives an ARP request for a remote network and Proxy ARP is enabled, it determines if it has the best route to the remote network, and then answers the ARP request by sending its own MAC address to the requesting node.
4. Click Apply. Figure 446: Configuring General Settings for ARP CONFIGURING STATIC ARP ADDRESSES For devices that do not respond to ARP requests or do not respond in a timely manner, traffic will be dropped because the IP address cannot be mapped to a physical address. If this occurs, use the IP > ARP (Configure Static Address – Add) page to manually map an IP address to the corresponding physical address in the ARP cache.
◆ MAC Address – MAC address statically mapped to the corresponding IP address. (Valid MAC addresses are hexadecimal numbers in the format: xx-xx-xx-xx-xx-xx) WEB INTERFACE To map an IP address to the corresponding physical address in the ARP cache using the web interface: 1. Click IP, ARP. 2. Select Configure Static Address from the Step List. 3. Select Add from the Action List. 4. Enter the IP address and the corresponding MAC address. 5.
DISPLAYING DYNAMIC OR LOCAL ARP ENTRIES Use the IP > ARP (Show Information) page to display dynamic or local entries in the ARP cache. The ARP cache contains static entries, and entries for local interfaces, including subnet, host, and broadcast addresses. However, most entries will be dynamically learned through replies to broadcast messages.
CHAPTER 18 | General IP Routing Configuring Static Routes DISPLAYING ARP STATISTICS Use the IP > ARP (Show Information) page to display statistics for ARP messages crossing all interfaces on this router. CLI REFERENCES ◆ "show ip traffic" on page 1728 PARAMETERS These parameters are displayed: Table 51: ARP Statistics ◆ Received Request – Number of ARP Request packets received by the router. ◆ Received Reply – Number of ARP Reply packets received by the router.
changes in network topology, so you should only configure a small number of stable routes to ensure network accessibility. CLI REFERENCES ◆ "ip route" on page 1724 COMMAND USAGE ◆ Up to 256 static routes can be configured. ◆ Up to eight equal-cost multipaths (ECMP) can be configured for static routing (see "Equal-cost Multipath Routing" on page 757).
CHAPTER 18 | General IP Routing Displaying the Routing Table Figure 452: Configuring Static Routes To display static routes: 1. Click IP, Routing, Static Routes. 2. Select Show from the Action List. Figure 453: Displaying Static Routes DISPLAYING THE ROUTING TABLE Use the IP > Routing > Routing Table (Show Information) page to display all routes that can be accessed via local network interfaces, through static routes, or through a dynamically learned route.
network, the routing table is updated, and those changes are immediately reflected in the FIB. The FIB is distinct from the routing table (or, Routing Information Base – RIB), which holds all routing information received from routing peers. The FIB contains unique paths only. It does not contain any secondary paths. A FIB entry consists of the minimum amount of information necessary to make a forwarding decision on a particular packet.
CHAPTER 18 | General IP Routing Equal-cost Multipath Routing Figure 454: Displaying the Routing Table EQUAL-COST MULTIPATH ROUTING Use the IP > Routing > Routing Table (Configure ECMP Number) page to configure the maximum number of equal-cost paths that can transmit traffic to the same destination. The Equal-cost Multipath routing algorithm is a technique that supports load sharing over multiple equal-cost paths for data passing to the same destination.
◆ The routing table can only have up to 8 equal-cost multipaths for static routing and 8 for dynamic routing for a common destination. However, the system supports up to 256 total ECMP entries in ASIC for fast switching, with any additional entries handled by software routing.
19 CONFIGURING ROUTER REDUNDANCY Router redundancy protocols use a virtual IP address to support a primary router and multiple backup routers. The backup routers can be configured to take over the workload if the master router fails, or can also be configured to share the traffic load. The primary goal of router redundancy is to allow a host device which has been configured with a fixed gateway to maintain network connectivity in case the primary gateway goes down.
CHAPTER 19 | Configuring Router Redundancy Configuring VRRP Groups Figure 458: Several Virtual Master Routers Configured for Mutual Backup and Load Sharing [figure labels, read across the two router columns: Router 1 – VRID 23 (Master), IP(R1) = 192.168.1.3, IP(VR23) = 192.168.1.3, VR Priority = 255; Router 2 – VRID 23 (Backup), IP(R1) = 192.168.1.5, IP(VR23) = 192.168.1.3, VR Priority = 100; Router 1 – VRID 25 (Backup), IP(R1) = 192.168.1.3, IP(VR25) = 192.168.1.5, VR Priority = 100; Router 2 – VRID 25 (Master), IP(R1) = 192.168.1.5, IP(VR25) = 192.168.1.]
priority. In cases where the configured priority is the same on several group members, then the master router with the highest IP address is selected from this group. ◆ If you have multiple secondary addresses configured on the current VLAN interface, you can add any of these addresses to the virtual router group. ◆ The interfaces of all routers participating in a virtual router group must be within the same IP subnet.
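The master election rule just described, implemented as an added Python example (not the guide's code or the switch firmware): the highest priority wins, ties go to the highest interface IP address, and a router whose real interface address is the group's virtual address is the address owner and runs at priority 255 (which is why the guide says to use a real interface address to make a router the master). The VRID 23 members are taken from Figure 458; the tie case is a constructed sample.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class VrrpMember:
    router: str        # label for the physical router, e.g. "Router 1"
    vrid: int          # VRRP group identifier (1-255)
    interface_ip: str  # real IPv4 address of this router's VLAN interface
    virtual_ip: str    # virtual IP address configured for the group
    priority: int      # configured priority (1-254 for a backup router)


def effective_priority(m: VrrpMember) -> int:
    """A router whose real interface address is the group's virtual address
    is the address owner and always competes at priority 255."""
    if ipaddress.IPv4Address(m.interface_ip) == ipaddress.IPv4Address(m.virtual_ip):
        return 255
    if not 1 <= m.priority <= 254:
        raise ValueError(f"{m.router}: a backup router's priority must be 1-254")
    return m.priority


def elect_master(members: Iterable[VrrpMember]) -> VrrpMember:
    """Select the master for one VRID: highest priority wins; equal
    priorities are broken in favour of the highest interface IP address."""
    members = list(members)
    if len({m.vrid for m in members}) != 1:
        raise ValueError("all members must belong to the same VRID")
    if len({m.virtual_ip for m in members}) != 1:
        raise ValueError("all members of a VRID must share the virtual IP address")
    return max(
        members,
        key=lambda m: (effective_priority(m), ipaddress.IPv4Address(m.interface_ip)),
    )


# VRID 23 as labelled in Figure 458: Router 1 owns the virtual address.
VRID23 = [
    VrrpMember("Router 1", 23, "192.168.1.3", "192.168.1.3", 255),
    VrrpMember("Router 2", 23, "192.168.1.5", "192.168.1.3", 100),
]

# Constructed tie case (not in the guide): two backups with equal priority,
# neither of which owns the virtual address, so the higher IP wins.
TIE = [
    VrrpMember("Router A", 30, "192.168.1.3", "192.168.1.7", 100),
    VrrpMember("Router B", 30, "192.168.1.5", "192.168.1.7", 100),
]

if __name__ == "__main__":
    for group in (VRID23, TIE):
        m = elect_master(group)
        print(f"VRID {m.vrid}: master is {m.router} "
              f"({m.interface_ip}, effective priority {effective_priority(m)})")
```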
◆ VLAN – ID of a VLAN configured with an IP interface. (Range: 1-4094; Default: 1) Adding a Virtual IP Address ◆ VLAN ID – ID of a VLAN configured with an IP interface. (Range: 1-4094) ◆ VRID – VRRP group identifier. (Range: 1-255) ◆ IP Address – Virtual IP address for this group. Use the IP address of a real interface on this router to make it the master virtual router for the group.
◆ Authentication Mode – Authentication mode used to verify VRRP packets received from other routers. (Options: None, Simple Text; Default: None) If simple text authentication is selected, then you must also enter an authentication string. All routers in the same VRRP group must be set to the same authentication mode, and be configured with the same authentication string. Plain text authentication does not provide any real security.
Figure 459: Configuring the VRRP Group ID To show the configured VRRP groups: 1. Click IP, VRRP. 2. Select Configure Group ID from the Step List. 3. Select Show from the Action List. Figure 460: Showing Configured VRRP Groups To configure the virtual router address for a VRRP group: 1. Click IP, VRRP. 2. Select Configure Group ID from the Step List. 3. Select Add IP Address from the Action List. 4.
Figure 461: Setting the Virtual Router Address for a VRRP Group To show the virtual IP address assigned to a VRRP group: 1. Click IP, VRRP. 2. Select Configure Group ID from the Step List. 3. Select Show IP Addresses from the Action List. 4. Select a VLAN, and a VRRP group identifier. Figure 462: Showing the Virtual Addresses Assigned to VRRP Groups To configure detailed settings for a VRRP group: 1. Click IP, VRRP. 2.
CHAPTER 19 | Configuring Router Redundancy Displaying VRRP Global Statistics
Figure 463: Configuring Detailed Settings for a VRRP Group
DISPLAYING VRRP GLOBAL STATISTICS
Use the IP > VRRP (Show Statistics – Global Statistics) page to display counters for errors found in VRRP protocol packets.
CHAPTER 19 | Configuring Router Redundancy Displaying VRRP Group Statistics
Figure 464: Showing Counters for Errors Found in VRRP Packets
DISPLAYING VRRP GROUP STATISTICS
Use the IP > VRRP (Show Statistics – Group Statistics) page to display counters for VRRP protocol events and errors that have occurred on a specific VRRP interface.
CLI REFERENCES
◆ "show vrrp interface counters" on page 1721
PARAMETERS
These parameters are displayed:
◆ VLAN ID – VLAN configured with an IP interface.
Table 52: VRRP Group Statistics (Continued)
Parameter – Description
Received Invalid Type VRRP Packets – Number of VRRP packets received by the virtual router with an invalid value in the “type” field.
Received Error Address List VRRP Packets – Number of packets received for which the address list does not match the locally configured list for the virtual router.
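The master election rule, the Simple Text authentication mode and the two error counters described above, worked through as an added Python example (not code from this guide or from the switch firmware): it encodes a VRRPv2 advertisement as it travels on the wire, runs the receive-side checks that feed the "Received Invalid Type" and "Received Error Address List" counters, and shows why a plain-text string gives no real protection. The packet layout follows RFC 3768; the counter name for accepted packets, the sample addresses and the choice to drop a packet whose address list mismatches are assumptions.

```python
import ipaddress
import struct

VRRP_VERSION = 2
ADVERTISEMENT = 1             # the only message type defined for VRRPv2
AUTH_NONE, AUTH_SIMPLE = 0, 1

# Counter names follow the Group Statistics page; the third one is constructed.
INVALID_TYPE = "Received Invalid Type VRRP Packets"
ERROR_ADDR_LIST = "Received Error Address List VRRP Packets"
ACCEPTED = "Received Valid Advertisements"


def internet_checksum(data: bytes) -> int:
    """16-bit one's-complement checksum over the VRRP message (RFC 3768 5.3.8)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_advertisement(vrid, priority, addresses, adver_int=1,
                        auth_type=AUTH_NONE, auth_string=b"", msg_type=ADVERTISEMENT):
    """Encode a VRRPv2 advertisement exactly as it appears on the wire."""
    addrs = b"".join(ipaddress.IPv4Address(a).packed for a in addresses)
    auth = auth_string.ljust(8, b"\x00")[:8]   # Authentication Data is always 8 octets
    head = struct.pack("!BBBBBBH", (VRRP_VERSION << 4) | msg_type, vrid, priority,
                       len(addresses), auth_type, adver_int, 0)
    body = head + addrs + auth
    return body[:6] + struct.pack("!H", internet_checksum(body)) + body[8:]


def visible_auth_string(packet: bytes) -> bytes:
    """Simple Text authentication is readable by anyone who captures the frame."""
    start = 8 + 4 * packet[3]                  # skip header and the address list
    return packet[start:start + 8].rstrip(b"\x00")


class VirtualRouter:
    """Local configuration of one VRRP group plus the receive-side checks."""

    def __init__(self, vrid, addresses, auth_type=AUTH_NONE, auth_string=b""):
        self.vrid = vrid
        self.addresses = sorted(ipaddress.IPv4Address(a) for a in addresses)
        self.auth_type = auth_type
        self.auth_string = auth_string.ljust(8, b"\x00")[:8]
        self.counters = {INVALID_TYPE: 0, ERROR_ADDR_LIST: 0, ACCEPTED: 0}

    def receive(self, packet: bytes) -> str:
        """Validate an advertisement in the order RFC 3768 section 7.1 prescribes."""
        if len(packet) < 16 or internet_checksum(packet) != 0:
            return "drop: bad checksum or truncated"
        version, msg_type = packet[0] >> 4, packet[0] & 0x0F
        if version != VRRP_VERSION:
            return "drop: unsupported version"
        if msg_type != ADVERTISEMENT:
            self.counters[INVALID_TYPE] += 1
            return "drop: invalid type"
        vrid, count, auth_type = packet[1], packet[3], packet[4]
        if vrid != self.vrid:
            return "drop: not my VRID"
        start = 8 + 4 * count
        if len(packet) < start + 8:
            return "drop: truncated"
        if auth_type != self.auth_type or (
                auth_type == AUTH_SIMPLE and packet[start:start + 8] != self.auth_string):
            return "drop: authentication mismatch"
        advertised = sorted(ipaddress.IPv4Address(packet[8 + 4 * i:12 + 4 * i])
                            for i in range(count))
        if advertised != self.addresses:
            self.counters[ERROR_ADDR_LIST] += 1     # counted; dropping is this example's policy
            return "drop: address list mismatch"
        self.counters[ACCEPTED] += 1
        return "accept"


def elect_master(candidates):
    """Highest priority wins; equal priorities go to the highest IP address."""
    return max(candidates, key=lambda c: (c[0], int(ipaddress.IPv4Address(c[1]))))[1]


if __name__ == "__main__":
    # Constructed sample: group 7 protecting 192.168.1.1 with Simple Text auth.
    group = VirtualRouter(7, ["192.168.1.1"], AUTH_SIMPLE, b"s3cret")
    pkt = build_advertisement(7, 100, ["192.168.1.1"], auth_type=AUTH_SIMPLE, auth_string=b"s3cret")
    print(group.receive(pkt), "| auth string on the wire:", visible_auth_string(pkt))
    print(group.receive(build_advertisement(7, 100, ["192.168.1.2"], auth_type=AUTH_SIMPLE,
                                            auth_string=b"s3cret")), group.counters)
    print("master:", elect_master([(100, "10.0.0.1"), (100, "10.0.0.2"), (90, "10.0.0.200")]))
```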
20 UNICAST ROUTING
This chapter describes how to configure the following unicast routing protocols:
◆ RIP – Configures Routing Information Protocol.
◆ OSPFv2 – Configures Open Shortest Path First (Version 2) for IPv4.
OVERVIEW
This switch can route unicast traffic to different subnetworks using the Routing Information Protocol (RIP) or Open Shortest Path First (OSPF) protocol. It supports RIP, RIP-2 and OSPFv2 dynamic routing in the web management interface.
CHAPTER 20 | Unicast Routing Configuring the Routing Information Protocol
subnetworks by connecting to one port from each available VLAN on the network.
CONFIGURING THE ROUTING INFORMATION PROTOCOL
The RIP protocol is the most widely used routing protocol. The RIP protocol uses a distance-vector-based approach to routing. Routes are determined on the basis of minimizing the distance vector, or hop count, which serves as a rough estimate of transmission cost.
networks. Moreover, RIP (version 1) wastes valuable network bandwidth by propagating routing information via broadcasts; it also considers too few network variables to make the best routing decision.
CONFIGURING GENERAL PROTOCOL SETTINGS
Use the Routing Protocol > RIP > General (Configure) page to configure general settings and the basic timers. RIP is used to specify how routers exchange routing information.
any VLAN interface not previously set to a specific receive or send version is set to the following default values:
■ Receive: Accepts RIPv1 or RIPv2 packets.
■ Send: Route information is broadcast to other routers with RIPv2.
◆ RIP Default Metric – Sets the default metric assigned to external routes imported from other protocols.
◆ Number of Route Changes – The number of route changes made to the IP route database by RIP.
◆ Number of Queries – The number of responses sent to RIP queries from other systems.
Basic Timer Settings
NOTE: The timers must be set to the same values for all routers in the network.
◆ Update – Sets the rate at which updates are sent. This is the fundamental timer used to control all basic RIP processes.
Figure 467: Configuring General Settings for RIP
CLEARING ENTRIES FROM THE ROUTING TABLE
Use the Routing Protocol > RIP > General (Clear Route) page to clear entries from the routing table based on route type or a specific network address.
CLI REFERENCES
◆ "clear ip rip route" on page 1748
COMMAND USAGE
◆ Clearing “All” types deletes all routes in the RIP table.
◆ Clear Route By Network – Clears a specific route based on its IP address and prefix length.
■ Network IP Address – Deletes all related entries for the specified network address.
■ Prefix Length – A decimal value indicating how many contiguous bits (from the left) of the address comprise the network portion of the address.
WEB INTERFACE
To clear entries from the RIP routing table:
1. Click Routing Protocol, RIP, General.
2.
PARAMETERS
These parameters are displayed:
◆ By Address – Adds a network to the RIP routing process.
■ Subnet Address – IP address of a network directly connected to this router. (Default: No networks are specified)
■ Prefix Length – A decimal value indicating how many contiguous bits (from the left) of the address comprise the network portion of the address.
Figure 470: Showing Network Interfaces Using RIP
SPECIFYING PASSIVE INTERFACES
Use the Routing Protocol > RIP > Passive Interface (Add) page to stop RIP from sending routing updates on the specified interface.
CLI REFERENCES
◆ "passive-interface" on page 1738
COMMAND USAGE
◆ Network interfaces can be configured to stop RIP broadcast and multicast messages from being sent.
Figure 471: Specifying a Passive RIP Interface
To show the passive RIP interfaces:
1. Click Routing Protocol, RIP, Passive Interface.
2. Select Show from the Action list.
3. Add the address of any static neighbors which may not be readily discovered through RIP.
4. Click Apply.
Figure 473: Specifying a Static RIP Neighbor
To show static RIP neighbors:
1. Click Routing Protocol, RIP, Neighbor Address.
2. Select Show from the Action list.
◆ Metric – Metric assigned to all external routes for the specified protocol. (Range: 0-16; Default: the default metric as described under "Configuring General Protocol Settings" on page 771.) A route metric must be used to resolve the problem of redistributing external routes with incompatible metrics.
Figure 476: Showing External Routes Redistributed into RIP
SPECIFYING AN ADMINISTRATIVE DISTANCE
Use the Routing Protocol > RIP > Distance (Add) page to define an administrative distance for external routes learned from other routing protocols.
4. Click Apply.
Figure 477: Setting the Distance Assigned to External Routes
To show the distance assigned to external routes learned from other routing protocols:
1. Click Routing Protocol, RIP, Distance.
2. Select Show from the Action list.
◆ The Send Version can be specified based on these options:
■ Use “RIPv1” or “RIPv2” if all routers in the local network are based on RIPv1 or RIPv2, respectively.
■ Use “RIPv1 Compatible” to propagate route information by broadcasting to other routers on the network using the RIPv2 advertisement list, instead of multicasting as normally required by RIPv2.
PARAMETERS
These parameters are displayed:
◆ VLAN ID – Layer 3 VLAN interface. This interface must be configured with an IP address and have an active link. (Range: 1-4094)
◆ Send Version – The RIP version to send on an interface.
■ RIPv1: Sends only RIPv1 packets.
■ RIPv2: Sends only RIPv2 packets.
■ RIPv1 Compatible: Route information is broadcast to other routers with RIPv2.
■ Do Not Send: Does not transmit RIP updates.
◆ Authentication Key – Specifies the key to use for authenticating RIPv2 packets. For authentication to function properly, both the sending and receiving interface must use the same password. (Range: 1-16 characters, case sensitive)
◆ Instability Prevention – Specifies the method used to reduce the convergence time when the network topology changes, and to prevent RIP protocol messages from looping back to the source router.
To show the network interface settings configured for RIP:
1. Click Routing Protocol, RIP, Interface.
2. Select Show from the Action list.
Figure 480: Showing RIP Network Interface Settings
DISPLAYING RIP INTERFACE SETTINGS
Use the Routing Protocol > RIP > Statistics (Show Interface Information) page to display information about RIP interface configuration settings.
Figure 481: Showing RIP Interface Settings
DISPLAYING PEER ROUTER INFORMATION
Use the Routing Protocol > RIP > Statistics (Show Peer Information) page to display information on neighboring RIP routers.
CLI REFERENCES
◆ "show ip protocols rip" on page 1748
PARAMETERS
These parameters are displayed:
◆ Peer Address – IP address of a neighboring RIP router.
◆ Update Time – Last time a route update was received from this peer.
CHAPTER 20 | Unicast Routing Configuring the Open Shortest Path First Protocol (Version 2)
RESETTING RIP STATISTICS
Use the Routing Protocol > RIP > Statistics (Reset Statistics) page to reset all statistics for RIP protocol messages.
CLI REFERENCES
◆ no comparable command
WEB INTERFACE
To reset RIP statistics:
1. Click Routing Protocol, RIP, Statistics.
2. Select Reset Statistics from the Action list.
3. Click Reset.
Figure 484: Configuring OSPF (diagram with these labels: isolated area, stub, virtual link, backbone, normal area, NSSA, ABRs, ASBRs, external network, Autonomous System A, Autonomous System B)
COMMAND USAGE
◆ OSPF looks at more than just the simple hop count. When adding the shortest path to any node into the tree, the optimal path is chosen on the basis of delay, throughput and connectivity.
■ You can further optimize the exchange of OSPF traffic by specifying an area range that covers a large number of subnetwork addresses. This is an important technique for limiting the amount of traffic exchanged between Area Border Routers (ABRs).
■ And finally, you must specify a virtual link to any OSPF area that is not physically attached to the OSPF backbone.
CLI REFERENCES
◆ "router ospf" on page 1751
◆ "network area" on page 1768
COMMAND USAGE
◆ Specify an Area ID and the corresponding network address range for each OSPF broadcast area. Each area identifies a logical group of OSPF routers that actively exchange Link State Advertisements (LSAs) to ensure that they share an identical view of the network topology.
◆ Each area must be connected to a backbone area.
WEB INTERFACE
To define an OSPF area and the interfaces that operate within this area:
1. Click Routing Protocol, OSPF, Network Area.
2. Select Add from the Action list.
3. Configure a backbone area that is contiguous with all the other areas in the network, and configure an area for all of the other OSPF interfaces.
4.
Figure 488: Showing OSPF Process Identifiers
CONFIGURING GENERAL PROTOCOL SETTINGS
To implement dynamic OSPF routing, first assign VLAN groups to each IP subnet to which this router will be attached (as described in the preceding section), then use the Routing Protocol > OSPF > System (Configure) page to assign a Router ID to this device, and set the other basic protocol parameters.
◆ Auto Cost – Calculates the cost for an interface by dividing the reference bandwidth by the interface bandwidth. The reference bandwidth is defined in Mbits per second. (Range: 1-4294967) By default, the cost is 0.1 for Gigabit ports, and 0.01 for 10 Gigabit ports. A higher reference bandwidth can be used for aggregate links to indicate preferred use as a lower cost interface.
Figure 489: AS Boundary Router (diagram with these labels: AS 1, ASBR, ASBR, AS 2)
◆ Advertise Default Route – The router can advertise a default external route into the autonomous system (AS). (Options: Not Always, Always; Default: Not Always)
■ Always – The router will advertise itself as a default external route for the local AS, even if a default external route does not actually exist.
Figure 490: Configure General Settings for OSPF
DISPLAYING ADMINISTRATIVE SETTINGS AND STATISTICS
Use the Routing Protocol > OSPF > System (Show) page to display general administrative settings and statistics for OSPF.
Table 53: OSPF System Information (Continued)
Parameter – Description
ABR Status (Area Border Router) – Indicates if this router connects directly to networks in two or more areas. An area border router runs a separate copy of the Shortest Path First algorithm, maintaining a separate routing database for each area.
ADDING AN NSSA OR STUB
Use the Routing Protocol > OSPF > Area (Configure Area – Add Area) page to add a not-so-stubby area (NSSA) or a stubby area (Stub).
CLI REFERENCES
◆ "router ospf" on page 1751
◆ "area stub" on page 1764
◆ "area nssa" on page 1762
COMMAND USAGE
◆ This router supports up to 5 stubs or NSSAs.
To show the NSSA or stubs added to the specified OSPF domain:
1. Click Routing Protocol, OSPF, Area.
2. Select Configure Area from the Step list.
3. Select Show Area from the Action list.
4. Select a Process ID.
CLI REFERENCES
◆ "router ospf" on page 1751
◆ "area default-cost" on page 1756
◆ "area nssa" on page 1762
COMMAND USAGE
◆ Before creating an NSSA, first specify the address range for the area (see "Defining Network Areas Based on Addresses" on page 790). Then create an NSSA as described under "Adding an NSSA or Stub" on page 798.
◆ Redistribute – Disable this option when the router is an NSSA Area Border Router (ABR) and routes only need to be imported into normal areas (see "Redistributing External Routes" on page 807), but not into the NSSA. In other words, redistribution should be disabled to prevent the NSSA ABR from advertising external routing information (learned through routers in other areas) into the NSSA.
5. Click Apply.
Figure 495: Configuring Protocol Settings for an NSSA
CONFIGURING STUB SETTINGS
Use the Routing Protocol > OSPF > Area (Configure Area – Configure Stub Area) page to configure protocol settings for a stub. A stub does not accept external routing information.
◆ A stub can have multiple ABRs or exit points. However, all of the exit points and local routers must contain the same external routing data so that the exit point does not need to be determined for each external destination.
PARAMETERS
These parameters are displayed:
◆ Process ID – Process ID as configured in the Network Area configuration screen (see page 790).
◆ Area ID – Identifier for a stub.
Figure 497: Configuring Protocol Settings for a Stub
DISPLAYING INFORMATION ON NSSA AND STUB AREAS
Use the Routing Protocol > OSPF > Area (Show Information) page to display protocol information on NSSA and Stub areas.
CLI REFERENCES
◆ "show ip ospf" on page 1777
PARAMETERS
These parameters are displayed:
◆ Process ID – Process ID as configured in the Network Area configuration screen (see page 790).
Figure 498: Displaying Information on NSSA and Stub Areas
CONFIGURING AREA RANGES (ROUTE SUMMARIZATION)
An OSPF area can include a large number of nodes. If the Area Border Router (ABR) has to advertise route information for each of these nodes, this wastes a lot of bandwidth and processor time.
PARAMETERS
These parameters are displayed:
◆ Process ID – Process ID as configured in the Network Area configuration screen (see page 790).
◆ Area ID – Identifies an area for which the routes are summarized. The area ID can be in the form of an IPv4 address, or as a four-octet unsigned integer ranging from 0-4294967295.
◆ Range Network – Base address for the routes to summarize.
3. Select the process ID.
Figure 501: Showing Configured Route Summaries
REDISTRIBUTING EXTERNAL ROUTES
Use the Routing Protocol > OSPF > Redistribute (Add) page to import external routing information from other routing protocols, static routes, or directly connected routes into the autonomous system, and to generate AS-external-LSAs.
◆ Protocol Type – Specifies the external routing protocol type for which routing information is to be redistributed into the local routing domain. (Options: RIP, Static; Default: RIP)
◆ Metric Type – Indicates the method used to calculate external route costs.
Figure 503: Importing External Routes
To show the imported external route types:
1. Click Routing Protocol, OSPF, Redistribute.
2. Select Show from the Action list.
3. Select the process ID.
CLI REFERENCES
◆ "router ospf" on page 1751
◆ "summary-address" on page 1761
COMMAND USAGE
◆ If you are not sure what address ranges to consolidate, first enable external route redistribution via the Redistribute configuration screen, view the routes imported into the routing table, and then configure one or more summary addresses to reduce the size of the routing table and consolidate these external routes for adv
To show the summary addresses for external routes:
1. Click Routing Protocol, OSPF, Summary Address.
2. Select Show from the Action list.
3. Select the process ID.
Figure 506: Showing Summary Addresses for External Routes
CONFIGURING OSPF INTERFACES
You should specify a routing interface for any local subnet that needs to communicate with other network segments located on this router or elsewhere in the network.
◆ IP Address – Address of the interfaces assigned to a VLAN on the Network Area (Add) page. This parameter only applies to the Configure by Address page.
◆ Cost – Sets the cost of sending a protocol packet on an interface, where higher values indicate slower ports. (Range: 1-65535; Default: 1) The interface cost indicates the overhead required to send packets across a certain interface.
◆ Transmit Delay – Sets the estimated time to send a link-state update packet over an interface. (Range: 1-65535 seconds; Default: 1 second) LSAs have their age incremented by this delay before transmission. You should consider both the transmission and propagation delays for an interface when estimating this delay. Set the transmit delay according to link speed, using larger values for lower-speed links.
the OSPF header when routing protocol packets are originated by this device. A different password can be assigned to each network interface, but the password must be used consistently on all neighboring routers throughout a network (that is, autonomous system). All neighboring routers in the same network with the same password will exchange routing data.
WEB INTERFACE
To configure the OSPF interface for all areas assigned to a VLAN:
1. Click Routing Protocol, OSPF, Interface.
2. Select Configure by VLAN from the Action list.
3. Specify the VLAN ID, and configure the required interface settings.
4. Click Apply.
To configure interface settings for a specific area assigned to a VLAN:
1. Click Routing Protocol, OSPF, Interface.
2. Select Configure by Address from the Action list.
3. Specify the VLAN ID, enter the address assigned to an area, and configure the required interface settings.
4. Click Apply.
To show the configuration settings for OSPF interfaces:
1. Click Routing Protocol, OSPF, Interface.
2. Select Show from the Action list.
3. Select the VLAN ID.
Figure 509: Showing OSPF Interfaces
To show the MD5 authentication keys configured for an interface:
1. Click Routing Protocol, OSPF, Interface.
2. Select Show MD5 Key from the Action list.
3. Select the VLAN ID.
to the common transit area, and specify a neighboring ABR at the other endpoint connecting the common transit area to the backbone itself. (Note that you cannot configure a virtual link that runs through a stub or NSSA.)
One of the ABRs must be next to the isolated area and the transit area at one end of the link, while the other ABR must be next to the transit area and backbone at the other end of the link.
WEB INTERFACE
To create a virtual link:
1. Click Routing Protocol, OSPF, Virtual Link.
2. Select Add from the Action list.
3. Specify the process ID, the Area ID, and Neighbor router ID.
4. Click Apply.
3. Specify the process ID, then modify the protocol timers and authentication settings as required.
4. Click Apply.
Figure 514: Configuring Detailed Settings for a Virtual Link
To show the MD5 authentication keys configured for a virtual link:
1. Click Routing Protocol, OSPF, Interface.
2. Select Show MD5 Key from the Action list.
3. Select the VLAN ID.
reliable flooding. You can show information about different LSAs stored in this router’s database, which may include any of the following types:
◆ Router (Type 1) – All routers in an OSPF area originate Router LSAs that describe the state and cost of their active interfaces and neighbors.
◆ Adv Router – IP address of the advertising router.
◆ Age – Age of LSA (in seconds).
◆ Sequence – Sequence number of LSA (used to detect older duplicate LSAs).
◆ Checksum – Checksum of the complete contents of the LSA.
WEB INTERFACE
To display information in the link state database:
1. Click Routing Protocol, OSPF, Information.
2. Click LSDB.
3. Select the process identifier.
4.
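What the Sequence and Checksum columns of the LSDB page actually protect, as an added Python example (not code from this guide or from the switch): the LSA checksum is the ISO 8473 Fletcher checksum over the LSA minus its age field (RFC 2328 section 12.1.7), and the sequence number, checksum and age are compared in that order to decide which of two copies of an LSA is the newer instance (RFC 2328 section 13.1). The Router-LSA builder, its addresses and link values are constructed for the demonstration.

```python
import ipaddress
import struct

# LSA header (RFC 2328 section 12.1): age, options, type, LS ID, advertising
# router, sequence number (unsigned here, compared as signed 32-bit), checksum, length.
LSA_HEADER = struct.Struct("!HBBIIIHH")
CHECKSUM_OFFSET = 16      # byte position of the LS checksum inside the LSA
AGE_LEN = 2               # LS age is excluded: it changes while the LSA floods
MAX_AGE = 3600            # seconds; an LSA at MaxAge is being flushed
MAX_AGE_DIFF = 900        # seconds; ages closer than this count as equal


def fletcher_checksum(data: bytes, offset: int) -> int:
    """ISO 8473 Fletcher checksum as used by OSPF (RFC 2328 section 12.1.7).

    `offset` is the index of the two checksum octets within `data`; they are
    treated as zero so that the result can be written back into that position.
    """
    c0 = c1 = 0
    for i, b in enumerate(data):
        if i == offset or i == offset + 1:
            b = 0
        c0 = (c0 + b) % 255
        c1 = (c1 + c0) % 255
    # Solve for the two octets that make both running sums vanish.
    x = ((len(data) - offset - 1) * c0 - c1) % 255
    if x == 0:
        x = 255
    y = 510 - c0 - x
    if y > 255:
        y -= 255
    return (x << 8) | y


def set_lsa_checksum(lsa: bytes) -> bytes:
    """Return the LSA with its LS checksum field filled in."""
    csum = fletcher_checksum(lsa[AGE_LEN:], CHECKSUM_OFFSET - AGE_LEN)
    return lsa[:CHECKSUM_OFFSET] + struct.pack("!H", csum) + lsa[CHECKSUM_OFFSET + 2:]


def lsa_checksum_ok(lsa: bytes) -> bool:
    """A correctly checksummed LSA sums to zero in both Fletcher accumulators."""
    c0 = c1 = 0
    for b in lsa[AGE_LEN:]:
        c0 = (c0 + b) % 255
        c1 = (c1 + c0) % 255
    return c0 == 0 and c1 == 0


def _signed32(value: int) -> int:
    return value - (1 << 32) if value & 0x80000000 else value


def newer_instance(a: bytes, b: bytes) -> int:
    """RFC 2328 section 13.1: 1 if `a` is the more recent instance, -1 if `b`
    is, 0 if both are the same instance. A router runs this comparison before
    it lets a flooded LSA replace the copy in its database."""
    age_a, _, _, _, _, seq_a, sum_a, _ = LSA_HEADER.unpack_from(a)
    age_b, _, _, _, _, seq_b, sum_b, _ = LSA_HEADER.unpack_from(b)
    if seq_a != seq_b:
        return 1 if _signed32(seq_a) > _signed32(seq_b) else -1
    if sum_a != sum_b:
        return 1 if sum_a > sum_b else -1
    if (age_a == MAX_AGE) != (age_b == MAX_AGE):
        return 1 if age_a == MAX_AGE else -1
    if abs(age_a - age_b) > MAX_AGE_DIFF:
        return 1 if age_a < age_b else -1
    return 0


def make_router_lsa(ls_id: str, adv_router: str, seq: int, links, age: int = 0) -> bytes:
    """Build a Router-LSA (Type 1) with its checksum set. `links` is a list of
    (link_id, link_data, link_type, metric) tuples (constructed values)."""
    body = struct.pack("!BBH", 0, 0, len(links))           # flags, reserved, # links
    for link_id, link_data, link_type, metric in links:
        body += ipaddress.IPv4Address(link_id).packed
        body += ipaddress.IPv4Address(link_data).packed
        body += struct.pack("!BBH", link_type, 0, metric)  # type, # TOS, metric
    header = LSA_HEADER.pack(age, 0x02, 1,                  # options: E bit set
                             int(ipaddress.IPv4Address(ls_id)),
                             int(ipaddress.IPv4Address(adv_router)),
                             seq, 0, LSA_HEADER.size + len(body))
    return set_lsa_checksum(header + body)


if __name__ == "__main__":
    # Constructed sample: router 10.0.0.1 with one point-to-point link to 10.0.0.2.
    link = [("10.0.0.2", "10.0.0.1", 1, 10)]
    first = make_router_lsa("10.0.0.1", "10.0.0.1", 0x80000001, link)
    refresh = make_router_lsa("10.0.0.1", "10.0.0.1", 0x80000002, link)
    print("checksum valid:", lsa_checksum_ok(first))
    print("refresh is newer:", newer_instance(refresh, first) == 1)
```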
DISPLAYING INFORMATION ON NEIGHBORING ROUTERS
Use the Routing Protocol > OSPF > Information (Neighbor) page to display information about neighboring routers on each interface.
CLI REFERENCES
◆ "show ip ospf neighbor" on page 1787
PARAMETERS
These parameters are displayed:
◆ Process ID – Process ID as configured in the Network Area configuration screen (see page 790).
◆ ID – Neighbor’s router ID.
3. Select the process identifier.
21 MULTICAST ROUTING
This chapter describes the following multicast routing topics:
◆ Enabling Multicast Routing Globally – Describes how to globally enable multicast routing.
◆ Displaying the Multicast Routing Table – Describes how to display the multicast routing table.
◆ Configuring PIM for IPv4 – Describes how to configure PIM-DM and PIM-SM for IPv4.
◆ Configuring PIMv6 for IPv6 – Describes how to configure PIM-DM and PIM-SM (Version 6) for IPv6.
CHAPTER 21 | Multicast Routing Overview
PIM-DM is a simple multicast routing protocol that uses flood and prune to build a source-routed multicast delivery tree for each multicast source-group pair. As mentioned above, it does not maintain its own routing table, but instead uses the routing table provided by whatever unicast routing protocol is enabled on the router interface.
group addresses. The BSR places information about all of the candidate RPs in subsequent bootstrap messages. The BSR and all the routers receiving these messages use the same hash algorithm to elect an RP for each multicast group. If each router is properly configured, the results of the election process will be the same for each router. Each elected RP then starts to serve as the root of a shared distribution tree for one or more multicast groups.
CHAPTER 21 | Multicast Routing Configuring Global Settings for Multicast Routing
data transmission delays. The switch can also be configured to use SPT only for specific multicast groups, or to disable the changeover to SPT for specific groups.
CONFIGURING GLOBAL SETTINGS FOR MULTICAST ROUTING
To use multicast routing on this router, first globally enable multicast routing as described in this section, then specify the interfaces that will employ multicast routing protocols (PIM-DM or PIM-SM).
WEB INTERFACE (IPV6)
To enable IPv6 multicast routing:
1. Click Multicast, IPv6 Multicast Routing, General.
2. Enable Multicast Forwarding Status.
3. Click Apply.
that a pseudo interface is being used to receive PIM-SM register packets. This can occur for the Rendezvous Point (RP), which is the root of the Reverse Path Tree (RPT). In this case, any VLAN receiving register packets will be converted into the register interface.
◆ Owner – The associated multicast protocol (PIM-DM, PIM-SM, IGMP Proxy for PIMv4, MLD Proxy for PIMv6).
■ Join SPT – The rate of traffic arriving over the shared tree has exceeded the SPT-threshold for this group. If the SPT flag is set for (*,G) entries, the next (S,G) packet received will cause the router to join the shortest path tree. If the SPT flag is set for (S,G), the router immediately joins the shortest path tree.
Figure 521: Displaying Detailed Entries from IPv4 Multicast Routing Table
WEB INTERFACE (IPV6)
To display the multicast routing table:
1. Click Multicast, IPv6 Multicast Routing, Information.
2. Select Show Summary from the Action List.
Figure 522: Displaying the IPv6 Multicast Routing Table
To display detailed information on a specific flow in the multicast routing table:
1.
CHAPTER 21 | Multicast Routing Configuring PIM for IPv4
Figure 523: Displaying Detailed Entries from IPv6 Multicast Routing Table
CONFIGURING PIM FOR IPV4
This section describes how to configure PIM-DM and PIM-SM for IPv4.
ENABLING PIM GLOBALLY
Use the Routing Protocol > PIM > General page to enable IPv4 PIM routing globally on the router.
CLI REFERENCES
◆ "router pim" on page 1928
COMMAND USAGE
◆ This feature enables PIM-DM and PIM-SM globally for the router.
Figure 524: Enabling PIM Multicast Routing
CONFIGURING PIM INTERFACE SETTINGS
Use the Routing Protocol > PIM > Interface page to configure the routing protocol’s functional attributes for each interface.
CLI REFERENCES
◆ "IPv4 PIM Commands" on page 1927
COMMAND USAGE
◆ Most of the attributes on this page are common to both PIM-DM and PIM-SM. Select Dense or Sparse Mode to display the common attributes, as well as those applicable to the selected mode.
PARAMETERS
These parameters are displayed:
Common Attributes
◆ VLAN – Layer 3 VLAN interface. (Range: 1-4094)
◆ Mode – PIM routing mode. (Options: Dense, Sparse, None)
◆ IP Address – Primary IP address assigned to the selected VLAN.
◆ Hello Holdtime – Sets the interval to wait for hello messages from a neighboring PIM router before declaring it dead.
state and the pending RPT prune state for this (source, group) pair until the join/prune interval timer expires.
◆ LAN Prune Delay – Causes this device to inform downstream routers of how long it will wait before pruning a flow after receiving a prune request.
Dense-Mode Attributes
◆ Graft Retry Interval – The time to wait for a Graft acknowledgement before resending a Graft message. (Range: 1-10 seconds; Default: 3 seconds) A graft message is sent by a router to cancel a prune state. When a router receives a graft message, it must respond with a graft acknowledgement message.
By default, the switch sends join/prune messages every 60 seconds to inform other PIM-SM routers about clients who want to join or leave a multicast group. Use the same join/prune message interval on all PIM-SM routers in the same PIM-SM domain, otherwise the routing protocol’s performance will be adversely affected.
Figure 526: Configuring PIM Interface Settings (Sparse Mode)
DISPLAYING PIM NEIGHBOR INFORMATION
Use the Routing Protocol > PIM > Neighbor page to display all neighboring PIM routers.
CLI REFERENCES
◆ "show ip pim neighbor" on page 1936
PARAMETERS
These parameters are displayed:
◆ Address – IP address of the next-hop router.
◆ VLAN – VLAN that is attached to this neighbor.
◆ Uptime – The duration this entry has been active.
WEB INTERFACE
To display neighboring PIM routers:
1. Click Routing Protocol, PIM, Neighbor.
Figure 527: Showing PIM Neighbors
CONFIGURING GLOBAL PIM-SM SETTINGS
Use the Routing Protocol > PIM > SM (Configure Global) page to configure the rate at which register messages are sent, the source of register messages, and switchover to the Shortest Path Tree (SPT).
first packet from a new multicast group to its receivers. Afterwards, it calculates the shortest path tree (SPT) directly between the receiver and source, and then uses the SPT to send all subsequent packets from the source to the receiver instead of using the shared tree. Note that when the SPT threshold is not set by this command, the PIM leaf router will join the shortest path tree immediately after receiving the first packet from a new source.
CONFIGURING A PIM BSR CANDIDATE
Use the Routing Protocol > PIM > SM (BSR Candidate) page to configure the switch as a Bootstrap Router (BSR) candidate.
CLI REFERENCES
◆ "ip pim bsr-candidate" on page 1938
COMMAND USAGE
◆ When this router is configured as a BSR candidate, it starts sending bootstrap messages to all of its PIM-SM neighbors. The primary IP address of the designated VLAN is sent as the candidate’s BSR address.
WEB INTERFACE
To configure the switch as a BSR candidate:
1. Click Routing Protocol, PIM, PIM-SM.
2. Select BSR Candidate from the Step list.
3. Specify the VLAN interface for which this router is bidding to become the BSR, the hash mask length that will subsequently be used for RP selection if this router is selected as the BSR, and the priority for BSR selection.
4. Click Apply.
◆ All routers within the same PIM-SM domain must be configured with the same RP(s). Selecting an RP through the dynamic election process is therefore preferable for most situations. Using the dynamic RP election process also allows a backup RP to automatically take over if the active RP router becomes unavailable.
Figure 531: Showing PIM Static Rendezvous Points

CONFIGURING A PIM RP CANDIDATE
Use the Routing Protocol > PIM > SM (RP Candidate) page to configure the switch to advertise itself as a Rendezvous Point (RP) candidate to the bootstrap router (BSR).
PARAMETERS
These parameters are displayed:
◆ VLAN – Identifier of configured VLAN interface. (Range: 1-4094)
◆ Interval – The interval at which this device advertises itself as an RP candidate. (Range: 60-16383 seconds; Default: 60 seconds)
◆ Priority – Priority used by the candidate RP in the election process. The RP candidate with the largest priority is preferred.
To display settings for an RP candidate:
1. Click Routing Protocol, PIM, PIM-SM.
2. Select RP Candidate from the Step list.
3. Select Show from the Action list.
4. Select an interface from the VLAN list.
Figure 533: Showing Settings for a PIM RP Candidate

DISPLAYING THE PIM BSR ROUTER
Use the Routing Protocol > PIM > SM (Show Information – Show BSR Router) page to display information about the bootstrap router (BSR).
■ Accept Any – The router does not know of an active BSR, and will accept the first bootstrap message it sees as giving the new BSR's identity and the RP-set.
■ Accept Preferred – The router knows the identity of the current BSR, and is using the RP-set provided by that BSR. Only bootstrap messages from that BSR or from a C-BSR with higher weight than the current BSR will be accepted.
■ Candidate BSR – Bidding in election process.
CHAPTER 21 | Multicast Routing
Configuring PIMv6 for IPv6

◆ RP Address – IP address of the RP for the listed multicast group.
◆ Information Source – RP that advertised the mapping, how the RP was selected (Static or Bootstrap), and the priority used in the bidding process.
◆ Uptime – The time this RP has been up and running.
◆ Expire – The time before this entry will be removed.
WEB INTERFACE
To display the RPs mapped to multicast groups:
1. Click Multicast, Multicast Routing, SM.
2.
◆ To use multicast routing, MLD proxy cannot be enabled on any interface of the device (see "MLD Proxy Routing" on page 1533).
WEB INTERFACE
To enable PIMv6 multicast routing:
1. Click Routing Protocol, PIM6, General.
2. Enable PIM6 Routing Protocol.
3. Click Apply.
determines that there are no group members or downstream routers, or when a prune message is received from a downstream router.
PIM6-SM
◆ A PIM6-SM interface is used to forward multicast traffic only if a join message is received from a downstream router or if group members are directly connected to the interface.
If the hello holdtime is already configured, and the hello interval is set to a value longer than the hello holdtime, this command will fail.
◆ Join/Prune Holdtime – Sets the hold time for the prune state. (Range: 1-65535 seconds; Default: 210 seconds)
◆ PIM-DM: The multicast interface that first receives a multicast stream from a particular source forwards this traffic to all other PIM-DM interfaces on the router.
want to continue receiving the flow referenced in a LAN prune delay message, then the propagation delay represents the time required for the LAN prune delay message to be propagated down from the upstream router to all downstream routers attached to the same VLAN interface.
◆ Trigger Hello Delay – The maximum time before transmitting a triggered PIM Hello message after the router is rebooted or PIM is enabled on an interface.
the LAN, then only one of these routers is elected as the DR, and acts on behalf of these hosts, sending periodic Join/Prune messages toward a group-specific RP for each group. A single DR is elected per interface (LAN or otherwise) using a simple election process. The router with the highest priority configured on an interface is elected as the DR.
Figure 537: Configuring PIMv6 Interface Settings (Dense Mode)
Figure 538: Configuring PIMv6 Interface Settings (Sparse Mode)
DISPLAYING PIM6 NEIGHBOR INFORMATION
Use the Routing Protocol > PIM6 > Neighbor page to display all neighboring PIMv6 routers.
CLI REFERENCES
◆ "show ipv6 pim neighbor" on page 1958
PARAMETERS
These parameters are displayed:
◆ Address – IP address of the next-hop router.
◆ VLAN – VLAN that is attached to this neighbor.
◆ Uptime – The duration this entry has been active.
◆ Expire – The time before this entry will be removed.
exceeding the limit are dropped, some receivers may experience data packet loss within the first few seconds in which register messages are sent from bursty sources.
◆ Register Source – Configures the IP source address of a register message to an address other than the outgoing interface address of the DR that leads back toward the RP.
Figure 540: Configuring Global Settings for PIM6-SM

CONFIGURING A PIM6 BSR CANDIDATE
Use the Routing Protocol > PIM6 > SM (BSR Candidate) page to configure the switch as a Bootstrap Router (BSR) candidate.
CLI REFERENCES
◆ "ipv6 pim bsr-candidate" on page 1961
COMMAND USAGE
◆ When this router is configured as a BSR candidate, it starts sending bootstrap messages to all of its PIM6-SM neighbors.
length is less than 32, then only the first portion of the hash is used, and a single RP will be defined for multiple groups. (Range: 0-32; Default: 10)
◆ Priority – Priority used by the candidate bootstrap router in the election process. The BSR candidate with the largest priority is preferred. If the priority values are the same, the candidate with the larger IP address is elected to be the BSR.
◆ If an IP address is specified that was previously used for an RP, then the older entry is replaced.
◆ Multiple RPs can be defined for different groups or group ranges. If a group is matched by more than one entry, the router will use the RP associated with the longer group prefix length. If the prefix lengths are the same, then the static RP with the highest IP address is chosen.
Figure 542: Configuring a PIM6 Static Rendezvous Point
To display static rendezvous points:
1. Click Routing Protocol, PIM6, PIM6-SM.
2. Select RP Address from the Step list.
3. Select Show from the Action list.
■ Select those with the highest priority (lowest priority value).
■ Compute hash value based on the group address, RP address, priority, and hash mask included in the bootstrap messages.
■ If there is a tie, use the candidate RP with the highest IP address.
◆ This distributed election process provides faster convergence and minimal disruption when an RP fails. It also serves to provide load balancing by distributing groups across multiple RPs.
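The two group-to-RP selection rules described above, the longest-prefix lookup for static RPs and the priority/hash/address election for RP candidates learned through the BSR, worked through in Python. This is an added example, not code from the switch or this guide; it assumes the hash is the IPv4 form of the RP hash function in RFC 4601 section 4.7.2 (the guide describes the election but does not print the formula), and the preference for the longest matching group range before priority also comes from that RFC rather than from the text above.

```python
"""Group-to-RP selection as described in the PIM-SM sections of this guide.

Added example. Two rules are implemented:
  * static RP lookup: the entry with the longest matching group prefix is
    used; equal prefix lengths go to the static RP with the highest address;
  * BSR-learned RP election: keep the candidates with the lowest priority
    value, hash group/RP/mask, and break a hash tie on the highest RP address.
Assumption: the hash is the IPv4 form of RFC 4601 section 4.7.2.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional


@dataclass(frozen=True)
class StaticRP:
    rp: str      # RP address, e.g. "10.0.0.1"
    groups: str  # group range configured for this RP, e.g. "239.1.0.0/16"


@dataclass(frozen=True)
class CandidateRP:
    rp: str        # RP address advertised to the BSR
    groups: str    # group range advertised to the BSR
    priority: int  # 0-255; a lower value is preferred


def _covers(group: str, prefix: str) -> bool:
    return IPv4Address(group) in IPv4Network(prefix)


def select_static_rp(group: str, entries: List[StaticRP]) -> Optional[str]:
    """Longest group-prefix match; equal lengths -> highest RP address."""
    matches = [e for e in entries if _covers(group, e.groups)]
    if not matches:
        return None
    best = max(matches, key=lambda e: (IPv4Network(e.groups).prefixlen,
                                       int(IPv4Address(e.rp))))
    return best.rp


def rp_hash(group: str, rp: str, hash_mask_len: int) -> int:
    """Value(G, M, C(i)) from RFC 4601 section 4.7.2, for IPv4 addresses.

    Only the first hash_mask_len bits of the group address take part, so
    groups that agree in those bits map to the same RP (the "single RP for
    multiple groups" behaviour the guide describes for short masks).
    """
    if not 0 <= hash_mask_len <= 32:
        raise ValueError("hash mask length must be 0-32")
    mask = (0xFFFFFFFF << (32 - hash_mask_len)) & 0xFFFFFFFF
    g_masked = int(IPv4Address(group)) & mask
    inner = (1103515245 * g_masked + 12345) ^ int(IPv4Address(rp))
    return (1103515245 * inner + 12345) % (1 << 31)


def select_bsr_rp(group: str, candidates: List[CandidateRP],
                  hash_mask_len: int) -> Optional[str]:
    """Pick the RP for `group` from the candidate set learned via the BSR."""
    matches = [c for c in candidates if _covers(group, c.groups)]
    if not matches:
        return None
    # RFC 4601 prefers candidates covering the longest matching range before
    # looking at priority; the guide's list starts at the priority step.
    longest = max(IPv4Network(c.groups).prefixlen for c in matches)
    matches = [c for c in matches if IPv4Network(c.groups).prefixlen == longest]
    # Step 1: highest priority, i.e. the lowest priority value.
    best_prio = min(c.priority for c in matches)
    matches = [c for c in matches if c.priority == best_prio]
    # Steps 2 and 3: highest hash wins; a hash tie goes to the highest address.
    best = max(matches, key=lambda c: (rp_hash(group, c.rp, hash_mask_len),
                                       int(IPv4Address(c.rp))))
    return best.rp


if __name__ == "__main__":
    # Constructed sample data for a quick stand-alone run.
    static = [StaticRP("10.0.0.1", "224.0.0.0/4"),
              StaticRP("10.0.0.2", "239.1.0.0/16"),
              StaticRP("10.0.0.3", "239.1.0.0/16")]
    print(select_static_rp("239.1.1.1", static))  # 10.0.0.3
    cands = [CandidateRP("10.0.0.1", "224.0.0.0/4", 192),
             CandidateRP("10.0.0.2", "224.0.0.0/4", 192),
             CandidateRP("10.0.0.3", "224.0.0.0/4", 200)]
    print(select_bsr_rp("239.1.1.1", cands, 30))
```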
Figure 544: Configuring a PIM6 RP Candidate
To display settings for an RP candidate:
1. Click Routing Protocol, PIM6, PIM6-SM.
2. Select RP Candidate from the Step list.
3. Select Show from the Action list.
4. Select an interface from the VLAN list.
◆ Expire – The time before the BSR is declared down.
◆ Role – Candidate or non-candidate BSR.
◆ State – Operation state of BSR includes:
■ No information – No information is stored for this device.
■ Accept Any – The router does not know of an active BSR, and will accept the first bootstrap message it sees as giving the new BSR's identity and the RP-set.
DISPLAYING RP MAPPING
Use the Routing Protocol > PIM6 > SM (Show Information – Show RP Mapping) page to display active RPs and associated multicast routing entries.
CLI REFERENCES
◆ "show ipv6 pim rp mapping" on page 1971
PARAMETERS
These parameters are displayed:
◆ Groups – A multicast group address.
◆ RP Address – IP address of the RP for the listed multicast group.
SECTION III
COMMAND LINE INTERFACE
This section provides a detailed description of the Command Line Interface, along with examples for all of the commands.
SECTION III | Command Line Interface
◆ "VLAN Commands" on page 1337
◆ "Class of Service Commands" on page 1387
◆ "Quality of Service Commands" on page 1407
◆ "Multicast Filtering Commands" on page 1425
◆ "LLDP Commands" on page 1537
◆ "CFM Commands" on page 1561
◆ "OAM Commands" on page 1603
◆ "Domain Name Service Commands" on page 1615
◆ "DHCP Commands" on page 1625
◆ "IP Interface Commands" on page 1647
◆ "VRRP Commands" on page 1713
◆ "IP Routing Commands" on page 1723
◆ "Multic
22 USING THE COMMAND LINE INTERFACE
This chapter describes how to use the Command Line Interface (CLI).
ACCESSING THE CLI
When accessing the management interface for the switch over a direct connection to the server’s console port, or via a Telnet or Secure Shell connection (SSH), the switch can be managed by entering command keywords and parameters at the prompt. Using the switch's command-line interface (CLI) is very similar to entering commands on a UNIX system.
CHAPTER 22 | Using the Command Line Interface
Accessing the CLI

TELNET CONNECTION
Telnet operates over the IP transport protocol. In this environment, your management station and any network device you want to manage over the network must have a valid IP address. Valid IP addresses consist of four numbers, 0 to 255, separated by periods. Each address consists of a network portion and host portion. For example, the IP address assigned to this switch, 10.1.0.1, consists of a network portion (10.1.
CHAPTER 22 | Using the Command Line Interface
Entering Commands

NOTE: You can open up to eight sessions to the device via Telnet or SSH.
ENTERING COMMANDS
This section describes how to enter CLI commands.
KEYWORDS AND ARGUMENTS
A CLI command is a series of keywords and arguments. Keywords identify a command, and arguments specify configuration parameters.
GETTING HELP ON COMMANDS
You can display a brief description of the help system by entering the help command. You can also display command syntax by using the “?” character to list keywords or parameters.
SHOWING COMMANDS
If you enter a “?” at the command prompt, the system will display the first level of keywords or command groups. You can also display a list of valid keywords for a specific command.
  pppoe                  Displays PPPoE configuration
  process                Device process
  protocol-vlan          Protocol-VLAN information
  ptp                    Displays PTP information
  public-key             Publi
  qos
  queue
  radius-server
  reload
  rmon
  route-map
  rspan
  running-config
  sflow
  snmp
  snmp-server
  sntp
  spanning-tree
  ssh
  startup-config
  subnet-vlan
  synce
  system
  tacacs-server
  tech-support
  time-range
  traffic-segmentation
  udld
  upgrade
  users
  version
  vlan
  vlan-translation
  voice
  vrrp
  watchdog
  web-auth
Console#show
PARTIAL KEYWORD LOOKUP
If you terminate a partial keyword with a question mark, alternatives that match the initial letters are provided. (Remember not to leave a space between the command and question mark.) For example “s?” shows all the keywords starting with “s.”
Table 54: General Command Modes
Class           Mode
Exec            Normal
                Privileged
Configuration   Global*
                Access Control List
                CFM
                Class Map
                DHCP
                ERPS
                IGMP Profile
                Interface
                Line
                Multiple Spanning Tree
                Policy Map
                Route Map
                Router
                Time Range
                VLAN Database
* You must be in Privileged Exec mode to access the Global configuration mode. You must be in Global Configuration mode to access any of the other configuration modes.
CONFIGURATION COMMANDS
Configuration commands are privileged level commands used to modify switch settings. These commands modify the running configuration only and are not saved when the switch is rebooted. To store the running configuration in non-volatile storage, use the copy running-config startup-config command.
VLAN Configuration - Includes the command to create VLAN groups.
◆ To enter the Global Configuration mode, enter the command configure in Privileged Exec mode. The system prompt will change to “Console(config)#” which gives you access privilege to all Global Configuration commands.
Console#configure
Console(config)#
To enter the other modes, at the configuration prompt type one of the following commands.
For example, you can use the following commands to enter interface configuration mode, and then return to Privileged Exec mode.
Console(config)#interface ethernet 1/5
. . .
Console(config-if)#exit
Console(config)#
COMMAND LINE PROCESSING
Commands are not case sensitive. You can abbreviate commands and parameters as long as they contain enough letters to differentiate them from any other currently available commands or parameters.
CHAPTER 22 | Using the Command Line Interface
CLI Command Groups

CLI COMMAND GROUPS
The system commands can be broken down into the functional groups shown below.
Table 57: Command Group Index (Continued)
Command Group   Description                                                                                                                Page
Spanning Tree   Configures Spanning Tree settings for the switch                                                                           1277
ERPS            Configures Ethernet Ring Protection Switching for increased availability of Ethernet rings commonly used in service provider networks   1305
VLANs           Configures VLAN settings, and defines port membership for VLAN groups; also enables or configures private VLANs, protocol VLANs, voice VLANs, and
IPC (IGMP Profile Configuration)
LC (Line Configuration)
MST (Multiple Spanning Tree)
NE (Normal Exec)
PE (Privileged Exec)
PM (Policy Map Configuration)
RC (Router Configuration)
RM (Route Map Configuration)
VC (VLAN Database Configuration)
23 GENERAL COMMANDS
The general commands are used to control the command access mode, configuration mode, and other basic functions.
CHAPTER 23 | General Commands

EXAMPLE
Console(config)#prompt RD2
RD2(config)#
reload (Global Configuration)
This command restarts the system at a specified time, after a specified delay, or at a periodic interval. You can reboot the system immediately, or you can configure the switch to reset after a specified amount of time. Use the cancel option to remove a configured setting.
COMMAND USAGE
◆ This command resets the entire system.
◆ Any combination of reload options may be specified. If the same option is re-specified, the previous setting will be overwritten.
◆ When the system is restarted, it will always run the Power-On Self-Test. It will also retain all configuration information stored in non-volatile memory by the copy running-config startup-config command (See "copy" on page 914).
EXAMPLE
Console>enable
Password: [privileged level password]
Console#
RELATED COMMANDS
disable (888)
enable password (1032)
quit
This command exits the configuration program.
DEFAULT SETTING None
COMMAND MODE Normal Exec, Privileged Exec
COMMAND USAGE
The quit and exit commands can both exit the configuration program.
EXAMPLE
In this example, the show history command lists the contents of the command history buffer:
Console#show history
Execution command history:
 2 config
 1 show history
Configuration command history:
 4 interface vlan 1
 3 exit
 2 interface vlan 1
 1 end
Console#
The ! command repeats commands from the Execution command history buffer when you are in Normal Exec or Privileged Exec Mode, and commands from the Configuration command history buffer when you are in any of the confi
disable
This command returns to Normal Exec mode from privileged mode. In normal access mode, you can only display basic information on the switch's configuration or Ethernet statistics. To gain access to all commands, you must use the privileged mode. See "Understanding Command Modes" on page 874.
DEFAULT SETTING None
COMMAND MODE Privileged Exec
COMMAND USAGE
The “>” character is appended to the end of the prompt to indicate that the system is in normal access mode.
show reload
This command displays the current reload settings, and the time at which the next scheduled reload will take place.
COMMAND MODE Privileged Exec
EXAMPLE
Console#show reload
Reloading switch in time: 0 hours 29 minutes.
The switch will be rebooted at January 1 02:11:50 2001.
Remaining Time: 0 days, 0 hours, 29 minutes, 52 seconds.
Console#
end
This command returns to Privileged Exec mode.
EXAMPLE
This example shows how to return to the Privileged Exec mode from the Global Configuration mode, and then quit the CLI session:
Console(config)#exit
Console#exit
Press ENTER to start session
User Access Verification
Username:
24 SYSTEM MANAGEMENT COMMANDS
The system management commands are used to control system logs, passwords, user names, management options, and display or configure a variety of other system information.
CHAPTER 24 | System Management Commands
Banner Information

hostname
This command specifies or modifies the host name for this device. Use the no form to restore the default host name.
SYNTAX
hostname name
no hostname
name - The name of this host.
Table 61: Banner Commands (Continued)
Command                         Function                                                                                    Mode
banner configure manager-info   Configures the Manager contact information that is displayed by banner                       GC
banner configure mux            Configures the MUX information that is displayed by banner                                   GC
banner configure note           Configures miscellaneous information that is displayed by banner under the Notes heading     GC
show banner                     Displays all banner information                                                              NE, PE
banner configure
This co
Row: 7
Rack: 29
Shelf in this rack: 8
Information about DC power supply.
Floor: 2
Row: 7
Rack: 25
Electrical circuit: : ec-177743209-xb
Number of LP:12
Position of the equipment in the MUX:1/23
IP LAN:192.168.1.1
Note: This is a random note about this managed switch and can contain miscellaneous information.
Console(config)#
banner configure
This command is used to configure company information displayed in the company banner.
banner configure dc-power-info
This command is used to configure DC power information displayed in the banner. Use the no form to restore the default setting.
SYNTAX
banner configure dc-power-info floor floor-id row row-id rack rack-id electrical-circuit ec-id
no banner configure dc-power-info [floor | row | rack | electrical-circuit]
floor-id - The floor number.
row-id - The row number.
rack-id - The rack number.
ec-id - The electrical circuit ID.
COMMAND MODE Global Configuration
COMMAND USAGE
Input strings cannot contain spaces. The banner configure department command interprets spaces as data input boundaries. The use of underscores ( _ ) or other unobtrusive non-letter characters is suggested for situations where white space is necessary for clarity.
EXAMPLE
Console(config)#banner configure equipment-info manufacturer-id ECS4660-28F floor 3 row 10 rack 15 shelf-rack 12 manufacturer Edge-Core
Console(config)#
banner configure equipment-location
This command is used to configure the equipment location information displayed in the banner. Use the no form to restore the default setting.
COMMAND MODE Global Configuration
COMMAND USAGE
Input strings cannot contain spaces. The banner configure ip-lan command interprets spaces as data input boundaries. The use of underscores ( _ ) or other unobtrusive non-letter characters is suggested for situations where white space is necessary for clarity.
EXAMPLE
Console(config)#banner configure ip-lan 192.168.1.1/255.255.255.
banner configure manager-info
This command is used to configure the manager contact information displayed in the banner. Use the no form to restore the default setting.
SYNTAX
banner configure manager-info name mgr1-name phone-number mgr1-number [name2 mgr2-name phone-number mgr2-number | name3 mgr3-name phone-number mgr3-number]
no banner configure manager-info [name1 | name2 | name3]
mgr1-name - The name of the first manager.
DEFAULT SETTING None
COMMAND MODE Global Configuration
COMMAND USAGE
Input strings cannot contain spaces. The banner configure mux command interprets spaces as data input boundaries. The use of underscores ( _ ) or other unobtrusive non-letter characters is suggested for situations where white space is necessary for clarity.
CHAPTER 24 | System Management Commands
System Status

show banner
This command displays all banner information.
COMMAND MODE Normal Exec, Privileged Exec
EXAMPLE
Console#show banner
Edge-Core
WARNING - MONITORED ACTIONS AND ACCESSES
R&D
Albert_Einstein - 123-555-1212
Lamar - 123-555-1219
Station's information:
710_Network_Path,_Indianapolis
Edge-Core - ECS4660-28F
Floor / Row / Rack / Sub-Rack
3/ 10 / 15 / 12
DC power supply:
Power Source A: Floor / Row / Rack / Electrical circuit
3/ 15 / 24 / 48v-id_3.15.
Table 62: System Status Commands (Continued)
Command             Function                                                                                                        Mode
show watchdog       Shows if watchdog debugging is enabled                                                                          PE
watchdog software   Monitors key processes, and automatically reboots the system if any of these processes are not responding correctly   PE
show access-list tcam-utilization
This command shows utilization parameters for TCAM (Ternary Content Addressable Memory), including the number of policy control entries in use, the number of
switch through hard-wired connections described in the Installation Guide. Refer to the Installation Guide for information on how to use the alarm relay contacts and external site alarm inputs.
◆ Major alarms include the failure of all fans, both thermal detectors exceeding 65°C, or an invalid power module being installed. Minor alarms include the failure of one or two fans, or when a second power module is installed but it is not functioning.
show process cpu
This command shows the CPU utilization parameters, alarm status, and alarm configuration.
■ Multiple spanning tree instances (name and interfaces)
■ IP address configured for management VLAN
■ Interface settings
■ Any configured settings for the console port and Telnet
EXAMPLE
Console#show running-config
Building startup configuration. Please wait...
show startup-config
This command displays the configuration file stored in non-volatile memory that is used to start up the system.
COMMAND MODE Privileged Exec
COMMAND USAGE
◆ Use this command in conjunction with the show running-config command to compare the information in running memory to the information stored in non-volatile memory.
◆ This command displays settings for key command modes.
◆ There are two thermal detectors in the switch. The first detector is near the air flow intake vents. The second detector is near the switch ASIC and CPU.
EXAMPLE
Console#show system
System Description : ECS4660-28F
System OID String : 1.3.6.1.4.1.259.10.1.10
System Information
System Up Time : 0 days, 5 hours, 44 minutes, and 42.
System Name            : [NONE]
System Location        : [NONE]
System Contact         : [NONE]
MAC Address (Unit1)    : 00-12-CF-61-24-2F
Web Server             : Enabled
Web Server Port        : 80
Web Secure Server      : Enabled
Web Secure Server Port : 443
Telnet Server          : Enable
Telnet Server Port     : 23
Jumbo Frame            : Disabled
. . .
show users
Shows all active console and Telnet sessions, including user name, idle time, and IP address of Telnet client.
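A check an operator can run over the output of show system to catch management services that carry credentials in plaintext, as an added example that is not part of this guide. The sample output is constructed from the fields shown above; the baseline of which services should be off, and the encrypted replacement named for each, is this example's assumption rather than a recommendation printed in the guide.

```python
"""Audit the management-plane services reported by `show system`.

Added example, not the switch's own tooling. The switch prints one
`Name : Value` pair per line; the sample below is constructed from the
field names and values shown in this guide's show system example.
"""
from typing import Dict, List

# Constructed from the fields shown in the guide's show system output.
SAMPLE_SHOW_SYSTEM = """\
System Name            : [NONE]
System Location        : [NONE]
System Contact         : [NONE]
MAC Address (Unit1)    : 00-12-CF-61-24-2F
Web Server             : Enabled
Web Server Port        : 80
Web Secure Server      : Enabled
Web Secure Server Port : 443
Telnet Server          : Enable
Telnet Server Port     : 23
Jumbo Frame            : Disabled
"""

# Plaintext management protocols and the encrypted service that should be
# used instead. This baseline is an assumption of the example.
PLAINTEXT_SERVICES = {
    "Telnet Server": "SSH",
    "Web Server": "Web Secure Server",
}

IDENTITY_FIELDS = ("System Name", "System Location", "System Contact")


def parse_show_system(text: str) -> Dict[str, str]:
    """Turn `Name : Value` lines into a dict; lines without a colon are skipped."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        name, _, value = line.partition(":")
        fields[name.strip()] = value.strip()
    return fields


def is_enabled(value: str) -> bool:
    """The firmware prints both 'Enabled' and 'Enable'; treat either as on."""
    return value.strip().lower() in ("enable", "enabled")


def audit_management_plane(fields: Dict[str, str]) -> List[str]:
    """Return one finding per weak setting; an empty list means the baseline is met."""
    findings: List[str] = []
    for service, replacement in PLAINTEXT_SERVICES.items():
        if is_enabled(fields.get(service, "")):
            port = fields.get(f"{service} Port", "?")
            findings.append(f"{service} is enabled on TCP port {port}; "
                            f"use {replacement} and disable it")
    # Disabling HTTP is only safe once HTTPS is actually on.
    if (is_enabled(fields.get("Web Server", ""))
            and not is_enabled(fields.get("Web Secure Server", ""))):
        findings.append("Web Secure Server is off; enable it before disabling Web Server "
                        "or web management is lost entirely")
    # Unset identity fields make the device hard to place in an asset inventory.
    for field in IDENTITY_FIELDS:
        if fields.get(field, "[NONE]") == "[NONE]":
            findings.append(f"{field} is not set")
    return findings


if __name__ == "__main__":
    for finding in audit_management_plane(parse_show_system(SAMPLE_SHOW_SYSTEM)):
        print("-", finding)
```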
show version
This command displays hardware and software version information for the system.
COMMAND MODE Normal Exec, Privileged Exec
COMMAND USAGE
See "Displaying Hardware/Software Versions" on page 151 for detailed information on the items displayed by this command.
CHAPTER 24 | System Management Commands
Fan Control

COMMAND MODE Privileged Exec
EXAMPLE
Console#watchdog
Console#
FAN CONTROL
This section describes the command used to force fan speed.
Table 63: Fan Control Commands
Command                Function                              Mode
fan-speed force-full   Forces fans to full speed             GC
show system            Shows if full fan speed is enabled    NE, PE
fan-speed force-full
This command sets all fans to full speed. Use the no form to reset the fans to normal operating speed.
CHAPTER 24 | System Management Commands
Frame Size

jumbo frame
This command enables support for layer 2 jumbo frames for Gigabit and 10 Gigabit Ethernet ports. Use the no form to disable it.
SYNTAX
[no] jumbo frame
DEFAULT SETTING Disabled
COMMAND MODE Global Configuration
COMMAND USAGE
◆ This switch provides more efficient throughput for large sequential data transfers by supporting jumbo frames on Gigabit and 10 Gigabit Ethernet ports or trunks of up to 9216 bytes.
CHAPTER 24 | System Management Commands
File Management

FILE MANAGEMENT
Managing Firmware
Firmware can be uploaded and downloaded to or from an FTP/TFTP server. By saving runtime code to a file on an FTP/TFTP server, that file can later be downloaded to the switch to restore operation. The switch can also be set to use new firmware without overwriting the previous version.
CHAPTER 24 | System Management Commands
General Commands

boot system
This command specifies the file or image used to start up the system.
SYNTAX
boot system {boot-rom | config | opcode}: filename
boot-rom* - Boot ROM.
config* - Configuration file.
opcode* - Run-time operation code.
filename - Name of configuration file or code image.
* The colon (:) is required.
DEFAULT SETTING None
COMMAND MODE Global Configuration
COMMAND USAGE
◆ A colon (:) is required after the specified file type.
copy
This command moves (upload/download) a code image or configuration file between the switch’s flash memory and an FTP/TFTP server. When you save the system code or configuration settings to a file on an FTP/TFTP server, that file can later be downloaded to the switch to restore system operation. The success of the file transfer depends on the accessibility of the FTP/TFTP server and the quality of the network connection.
◆ You can use “Factory_Default_Config.cfg” as the source to copy from the factory default configuration file, but you cannot use it as the destination.
◆ To replace the startup configuration, you must use startup-config as the destination.
◆ The Boot ROM and Loader cannot be uploaded or downloaded from the FTP/TFTP server. You must follow the instructions in the release notes for new firmware, or contact your distributor for help.
The following example shows how to copy the running configuration to a startup file.
Console#copy running-config file
destination file name: startup
Write to FLASH Programming.
\Write to FLASH finish.
Success.
Console#
The following example shows how to download a configuration file:
Console#copy tftp startup-config
TFTP server ip address: 10.1.0.99
Source configuration file name: startup.
This example shows how to copy a file to an FTP server.
Console#copy ftp file
FTP server IP address: 169.254.1.11
User[anonymous]: admin
Password[]: *****
Choose file type:
1. config: 2. opcode: 2
Source file name: BLANC.BIX
Destination file name: BLANC.BIX
Console#
delete
This command deletes a file, image, or public key.
EXAMPLE
This example shows how to delete the test2.cfg configuration file from flash memory.
Console#delete file name test2.cfg
Console#
RELATED COMMANDS
dir (918)
delete public-key (1062)
dir
This command displays a list of files in flash memory.
SYNTAX
dir {boot-rom: | config: | opcode: | usbdisk:} [filename]
boot-rom - Boot ROM (or diagnostic) image file.
config - Switch configuration file.
opcode - Run-time operation code image file.
EXAMPLE
The following example shows how to display all file information:
Console#dir
File Name                  Type           Startup Modify Time         Size(bytes)
-------------------------- -------------- ------- ------------------- ---------
Unit 1:
ECS4660-28F_V1.2.1.4.bix   OpCode         N       2012-06-25 10:40:53 21627592
ECS4660-28F_V1.2.1.5.bix   OpCode         Y       2001-01-06 14:35:12 21627592
Factory_Default_Config.cfg Config         N       2010-12-27 02:42:32 455
startup1.
CHAPTER 24 | System Management Commands
Automatic Code Upgrade Commands

EXAMPLE
This example shows the information displayed by the whichboot command. See the table under the dir command for a description of the file information displayed by this command.
Console#whichboot
File Name                        Type    Startup Modify Time         Size(bytes)
-------------------------------- ------- ------- ------------------- ----------
Unit 1:
ECS4660_V1.0.0.0.bix             OpCode  Y       2011-11-28 09:25:30 17732136
startup1.
◆ Any changes made to the default setting can be displayed with the show running-config or show startup-config commands.
EXAMPLE
Console(config)#upgrade opcode auto
Console(config)#upgrade opcode path tftp://192.168.0.1/sm24/
Console(config)#
If a new image is found at the specified location, the following type of messages will be displayed during bootup.
. . .
◆ When specifying a TFTP server, the following syntax must be used, where filedir indicates the path to the directory containing the new image:
tftp://192.168.0.1[/filedir]/
◆ When specifying an FTP server, the following syntax must be used, where filedir indicates the path to the directory containing the new image:
ftp://[username[:password@]]192.168.0.
show upgrade
This command shows the opcode upgrade configuration settings.
COMMAND MODE
Privileged Exec
EXAMPLE
Console#show upgrade
Auto Image Upgrade Global Settings:
 Status        : Disabled
 Reload Status : Disabled
 Path          :
 File Name     : ECS4600_28F.bix
Console#

LINE
You can access the onboard configuration program by attaching a VT100 compatible device to the server’s serial port.
Table 67: Line Commands (Continued)
Command | Function | Mode
disconnect | Terminates a line connection | PE
show line | Displays a terminal line's parameters | NE, PE
* These commands only apply to the serial port.

line
This command identifies a specific line for configuration and is used to process subsequent line configuration commands.
SYNTAX
line {console | vty}
console - Console terminal line.
vty - Virtual terminal for remote console access (i.e., Telnet).
databits
This command sets the number of data bits per character that are interpreted and generated by the console port. Use the no form to restore the default value.
SYNTAX
databits {7 | 8}
no databits
7 - Seven data bits per character.
8 - Eight data bits per character.
COMMAND USAGE
◆ If user input is detected within the timeout interval, the session is kept open; otherwise the session is terminated.
◆ This command applies to both the local console and Telnet connections.
◆ The timeout for Telnet cannot be disabled.
◆ Using the command without specifying a timeout restores the default setting.
◆ This command controls login authentication via the switch itself. To configure user names and passwords for remote authentication servers, you must use the RADIUS or TACACS software installed on those servers.
EXAMPLE
Console(config-line)#login local
Console(config-line)#
RELATED COMMANDS
username (1033)
password (928)

parity
This command defines the generation of a parity bit. Use the no form to restore the default setting.
password
This command specifies the password for a line. Use the no form to remove the password.
SYNTAX
password {0 | 7} password
no password
{0 | 7} - 0 means plain password, 7 means encrypted password
password - Character string that specifies the line password. (Maximum length: 32 characters plain text or encrypted, case sensitive)
DEFAULT SETTING
No password is specified.
password-thresh
This command sets the password intrusion threshold, which limits the number of failed logon attempts. Use the no form to remove the threshold value.
SYNTAX
password-thresh [threshold]
no password-thresh
threshold - The number of allowed password attempts. (Range: 1-120; 0: no threshold)
DEFAULT SETTING
The default value is three attempts.
COMMAND MODE
Line Configuration
EXAMPLE
To set the silent time to 60 seconds, enter this command:
Console(config-line)#silent-time 60
Console(config-line)#
RELATED COMMANDS
password-thresh (929)

speed
This command sets the terminal line’s baud rate. This command sets both the transmit (to terminal) and receive (from terminal) speeds. Use the no form to restore the default setting.
SYNTAX
speed bps
no speed
bps - Baud rate in bits per second.
stopbits
This command sets the number of the stop bits transmitted per byte. Use the no form to restore the default setting.
◆ Using the command without specifying a timeout restores the default setting.
EXAMPLE
To set the timeout to two minutes, enter this command:
Console(config-line)#timeout login response 120
Console(config-line)#

disconnect
This command terminates an SSH, Telnet, or console connection.
SYNTAX
disconnect session-id
session-id – The session identifier for an SSH, Telnet or console connection.
EXAMPLE
To show all lines, enter this command:
Console#show line
Console Configuration:
 Password Threshold : 3 times
 Inactive Timeout   : Disabled
 Login Timeout      : Disabled
 Silent Time        : Disabled
 Baud Rate          : Auto
 Data Bits          : 8
 Parity             : None
 Stop Bits          : 1
VTY Configuration:
 Password Threshold : 3 times
 Inactive Timeout   : 600 seconds
 Login Timeout      : 300 sec.
 Silent Time        :
Console#
logging facility
This command sets the facility type for remote logging of syslog messages. Use the no form to return the type to the default.
SYNTAX
logging facility type
no logging facility
type - A number that indicates the facility used by the syslog server to dispatch log messages to an appropriate service.
Table 69: Logging Levels (Continued)
Level | Severity Name | Description
4 | warnings | Warning conditions (e.g., return false, unexpected return)
3 | errors | Error conditions (e.g., invalid input, default used)
2 | critical | Critical conditions (e.g.
EXAMPLE
Console(config)#logging host 10.1.0.3
Console(config)#

logging on
This command controls logging of error messages, sending debug or error messages to a logging process. The no form disables the logging process.
SYNTAX
[no] logging on
DEFAULT SETTING
None
COMMAND MODE
Global Configuration
COMMAND USAGE
The logging process controls error messages saved to switch memory or sent to remote syslog servers.
DEFAULT SETTING
Disabled
Level 7
COMMAND MODE
Global Configuration
COMMAND USAGE
◆ Using this command with a specified level enables remote logging and sets the minimum severity level to be saved.
◆ Using this command without a specified level also enables remote logging, but restores the minimum severity level to the default.
EXAMPLE
Console(config)#logging trap 4
Console(config)#

clear log
This command clears messages from the log buffer.
show log
This command displays the log messages stored in local memory.
SYNTAX
show log {flash | ram}
flash - Event history stored in flash memory (i.e., permanent memory).
ram - Event history stored in temporary RAM (i.e., memory flushed on power reset).
DEFAULT SETTING
None
COMMAND MODE
Privileged Exec
COMMAND USAGE
◆ All log messages are retained in RAM and Flash after a warm restart (i.e., power is reset through the command interface).
trap - Displays settings for the trap function.
DEFAULT SETTING
None
COMMAND MODE
Privileged Exec
EXAMPLE
The following example shows that system logging is enabled, the message level for flash memory is “errors” (i.e., default level 3 - 0), and the message level for RAM is “debugging” (i.e., default level 7 - 0).
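The level semantics above (a configured level N forwards everything from N down to 0, lower numbers being more severe) are what a collector has to mirror when it checks which switch events it can expect to receive. The following Python is an added example, not code from the guide or from Edge-Core: it decodes the syslog PRI field of received lines into facility and severity and applies the same threshold rule as logging trap. The sample lines and their message text are constructed; only the severity names and the threshold rule come from the guide.

```python
import re

# Severity numbers and names as listed in the switch's logging level table
# (lower number = more severe).
SEVERITY_NAMES = {
    0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
    4: "warnings", 5: "notifications", 6: "informational", 7: "debugging",
}

def split_pri(pri: int):
    """Decode a syslog <PRI> value into (facility, severity): PRI = facility * 8 + severity."""
    if not 0 <= pri <= 191:
        raise ValueError("PRI out of range: %d" % pri)
    return pri >> 3, pri & 0x7

def forwarded(severity: int, trap_level: int) -> bool:
    """True if a message of this severity is sent when 'logging trap <trap_level>' is set:
    the switch forwards levels trap_level .. 0."""
    return severity <= trap_level

# Constructed sample lines, as a collector would receive them from a switch configured with
# 'logging facility 23' (local7). Message wording is invented for the example.
SAMPLE_LINES = [
    "<187>Aug 19 14:13:38 ECS4660 SYSTEM: Unit 1, Port 25 link-down",      # 23*8+3 errors
    "<188>Aug 19 14:13:40 ECS4660 SYSTEM: Unit 1, Port 25 link-up",        # 23*8+4 warnings
    "<190>Aug 19 14:14:01 ECS4660 AUTH: user admin logged in from 10.1.0.3",  # 23*8+6 informational
    "<191>Aug 19 14:14:02 ECS4660 SNTP: poll sent to 10.1.0.19",           # 23*8+7 debugging
]

_PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$")

def parse_line(line: str) -> dict:
    """Split one syslog line into facility, severity, severity name and message body."""
    m = _PRI_RE.match(line)
    if not m:
        raise ValueError("missing <PRI> prefix: %r" % line)
    facility, severity = split_pri(int(m.group(1)))
    return {"facility": facility, "severity": severity,
            "name": SEVERITY_NAMES[severity], "msg": m.group(2)}

def expected_at_collector(lines, trap_level: int):
    """Return the parsed messages the switch would actually forward at this trap level,
    i.e. what a detection rule on the collector can rely on seeing."""
    parsed = [parse_line(l) for l in lines]
    return [p for p in parsed if forwarded(p["severity"], trap_level)]

if __name__ == "__main__":
    # With the guide's example 'logging trap 4' only errors and warnings arrive.
    for p in expected_at_collector(SAMPLE_LINES, 4):
        print(p["name"], "|", p["msg"])
```

A collector rule written for informational events (such as the login line) would silently never fire at trap level 4; checking the threshold this way before deploying a rule avoids that blind spot.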
Table 71: show logging trap - display description (Continued)
Field | Description
REMOTELOG facility type | The facility type for remote logging of syslog messages as specified in the logging facility command.
REMOTELOG level type | The severity threshold for syslog messages sent to a remote server as specified in the logging trap command.
REMOTELOG server IP address | The address of syslog servers as specified in the logging host command.
logging sendmail host
This command specifies SMTP servers that will be sent alert messages. Use the no form to remove an SMTP server.
SYNTAX
[no] logging sendmail host ip-address
ip-address - IPv4 or IPv6 address of an SMTP server that will be sent alert messages for event handling.
DEFAULT SETTING
None
COMMAND MODE
Global Configuration
COMMAND USAGE
◆ You can specify up to three SMTP servers for event handling.
COMMAND MODE
Global Configuration
COMMAND USAGE
The specified level indicates an event threshold. All events at this level or higher will be sent to the configured email recipients. (For example, using Level 7 will report all events from level 7 to level 0.)
EXAMPLE
This example will send email alerts for system errors from level 3 through 0.
logging sendmail source-email
This command sets the email address used for the “From” field in alert messages. Use the no form to restore the default value.
SYNTAX
logging sendmail source-email email-address
no logging sendmail source-email
email-address - The source email address used in alert messages.
TIME
The system clock can be dynamically set by polling a set of specified time servers (NTP or SNTP). Maintaining an accurate time on the switch enables the system log to record meaningful dates and times for event entries. If the clock is not set, the switch will only record the time from the factory default set at the last bootup.
SNTP Commands
sntp client
This command enables SNTP client requests for time synchronization from NTP or SNTP time servers specified with the sntp server command. Use the no form to disable SNTP client requests.
SYNTAX
[no] sntp client
DEFAULT SETTING
Disabled
COMMAND MODE
Global Configuration
COMMAND USAGE
◆ The time acquired from time servers is used to record accurate dates and times for log events.
sntp poll
This command sets the interval between sending time requests when the switch is set to SNTP client mode. Use the no form to restore the default.
SYNTAX
sntp poll seconds
no sntp poll
seconds - Interval between time requests.
EXAMPLE
Console(config)#sntp server 10.1.0.19
Console#
RELATED COMMANDS
sntp client (945)
sntp poll (946)
show sntp (947)

show sntp
This command displays the current time and configuration settings for the SNTP client, and indicates whether or not the local time has been properly updated.
their associated key number must be centrally managed and manually distributed to NTP servers and clients. The key numbers and key values must match on both the server and client.
EXAMPLE
Console(config)#ntp authenticate
Console(config)#
RELATED COMMANDS
ntp authentication-key (948)

ntp authentication-key
This command configures authentication keys and key numbers to use when NTP authentication is enabled.
EXAMPLE
Console(config)#ntp authentication-key 45 md5 thisiskey45
Console(config)#
RELATED COMMANDS
ntp authenticate (947)

ntp client
This command enables NTP client requests for time synchronization from NTP time servers specified with the ntp servers command. Use the no form to disable NTP client requests.
ntp server
This command sets the IP addresses of the servers to which NTP time requests are issued. Use the no form of the command to clear a specific time server or all servers from the current list.
SYNTAX
ntp server ip-address [key key-number]
no ntp server [ip-address]
ip-address - IP address of an NTP time server.
key-number - The number of an authentication key to use in communications with the server.
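What the ntp authenticate, ntp authentication-key and ntp server ... key commands above agree on is a symmetric-key message authentication code carried after the NTP header: MD5 computed over the key followed by the 48-byte header, sent as a 4-byte key number plus 16-byte digest. The following Python is an added example, not code from the guide or from Edge-Core, showing how a responder with a matching key table verifies such a packet and which conditions make it reject one. The key number 45 and key text come from the guide's example; the second key, the NTP header contents and the key number 99 are constructed for the example.

```python
import hashlib
import hmac
import struct

# Key table mirroring 'ntp authentication-key <number> md5 <key>' on both sides.
# Key 45 is the guide's example value; key 46 is a constructed extra entry.
KEY_TABLE = {45: b"thisiskey45", 46: b"constructed-second-key"}

NTP_HEADER_LEN = 48
MAC_LEN = 4 + 16          # key number + MD5 digest

def ntp_md5_mac(key: bytes, header: bytes) -> bytes:
    """NTP symmetric-key MAC: MD5 over key bytes immediately followed by the 48-byte header."""
    if len(header) != NTP_HEADER_LEN:
        raise ValueError("NTP header must be exactly 48 bytes")
    return hashlib.md5(key + header).digest()

def build_authenticated_packet(header: bytes, key_number: int, key_table: dict) -> bytes:
    """Append key number (4 bytes, network order) and digest to a header."""
    return header + struct.pack("!I", key_number) + ntp_md5_mac(key_table[key_number], header)

def verify_packet(packet: bytes, key_table: dict):
    """Return (ok, reason). A packet passes only if it carries a MAC, names a key number
    we trust, and the digest recomputed with that key matches in constant time."""
    if len(packet) != NTP_HEADER_LEN + MAC_LEN:
        return False, "no MAC present or unexpected length %d" % len(packet)
    header = packet[:NTP_HEADER_LEN]
    key_number = struct.unpack("!I", packet[NTP_HEADER_LEN:NTP_HEADER_LEN + 4])[0]
    digest = packet[NTP_HEADER_LEN + 4:]
    key = key_table.get(key_number)
    if key is None:
        return False, "unknown key number %d" % key_number
    if not hmac.compare_digest(ntp_md5_mac(key, header), digest):
        return False, "digest mismatch"
    return True, "ok"

def sample_header() -> bytes:
    """Constructed NTPv4 client request header: LI=0, VN=4, Mode=3, stratum 0,
    poll 6, precision -20, zeroed fields, and an arbitrary transmit timestamp."""
    first = (0 << 6) | (4 << 3) | 3
    return bytes([first, 0, 6, 0xEC]) + bytes(36) + struct.pack("!II", 0xD3A00000, 0x12345678)

if __name__ == "__main__":
    pkt = build_authenticated_packet(sample_header(), 45, KEY_TABLE)
    print(len(pkt), verify_packet(pkt, KEY_TABLE))
```

The "unknown key number" branch is what enforces the guide's note that key numbers and values must match on both sides; a peer that only checks the digest against any key it holds would accept a packet signed under a key it never trusted for that server.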
show ntp
This command displays the current time and configuration settings for the NTP client, and indicates whether or not the local time has been properly updated.
COMMAND MODE
Normal Exec, Privileged Exec
COMMAND USAGE
This command displays the current time, the poll interval used for sending time synchronization requests, and the current NTP mode (i.e., unicast).
e-date - Day of the month when summer time will end. (Range: 1-31)
e-month - The month when summer time will end. (Options: january | february | march | april | may | june | july | august | september | october | november | december)
e-year - The year summer time will end.
e-hour - The hour summer time will end. (Range: 0-23 hours)
e-minute - The minute summer time will end.
clock summer-time (predefined)
This command configures the summer time (daylight savings time) status and settings for the switch using predefined configurations for several major regions in the world. Use the no form to disable summer time.
SYNTAX
clock summer-time name predefined [australia | europe | newzealand | usa]
no clock summer-time
name - Name of the timezone while summer time is in effect, usually an acronym.
clock summer-time (recurring)
This command allows the user to manually configure the start, end, and offset times of summer time (daylight savings time) for the switch on a recurring basis. Use the no form to disable summer-time.
Typically, clocks are adjusted forward one hour at the start of spring and then adjusted backward in autumn.
◆ This command sets the summer-time time zone relative to the currently configured time zone. To display a time corresponding to your local time when summer time is in effect, you must indicate the number of minutes your summer-time time zone deviates from your regular time zone.
EXAMPLE
Console(config)#clock timezone Japan hours 8 minute 0 after-UTC
Console(config)#
RELATED COMMANDS
show sntp (947)

calendar set
This command sets the system clock. It may be used if there is no time server on your network, or if you have not configured the switch to receive signals from a time server.
SYNTAX
calendar set hour min sec {day month year | month day year}
hour - Hour in 24-hour format. (Range: 0 - 23)
min - Minute.
show calendar
This command displays the system clock.
DEFAULT SETTING
None
COMMAND MODE
Normal Exec, Privileged Exec
EXAMPLE
Console#show calendar
 14:13:38 August 19 2011
Console#

TIME RANGE
This section describes the commands used to set a time range for use by other functions, such as Access Control Lists.
EXAMPLE
Console(config)#time-range r&d
Console(config-time-range)#
RELATED COMMANDS
Access Control Lists (1163)

absolute
This command sets the time range for the execution of a command. Use the no form to remove a previously specified time.
SYNTAX
absolute start hour minute day month year [end hour minutes day month year]
absolute end hour minutes day month year
no absolute
hour - Hour in 24-hour format. (Range: 0-23)
minute - Minute.
periodic
This command sets the time range for the periodic execution of a command. Use the no form to remove a previously specified time range.
show time-range
This command shows configured time ranges.
SYNTAX
show time-range [name]
name - Name of the time range.
Table 76: PTP Commands (Continued)
Command | Function | Mode
ptp log-min-delay-request-interval | Sets the delay request message transmit interval | IC
ptp log-min-pdelay-request-interval | Sets the peer delay request message transmit interval | IC
ptp log-sync-interval | Sets the synchronization message transmit interval | IC
ptp port-enable | Enables PTP capability on a port | IC
ptp transport | Sets the message transport method to Ethernet, IPv4 UDP
ptp domain-number
This command specifies the PTP clock synchronization domain to which the switch belongs. Use the no form to restore the default setting.
SYNTAX
ptp domain-number domain-number
no ptp domain-number
domain-number – The PTP domain number. (Range: 0-255)
DEFAULT SETTING
0
COMMAND MODE
Global Configuration
COMMAND USAGE
◆ A domain is a set of clocks that synchronize to one another using PTP.
EXAMPLE
Console(config)#ptp e-latency 10
Console(config)#

ptp in-latency
This command specifies the ingress latency added to the timestamp. Use the no form to restore the default setting.
SYNTAX
ptp in-latency latency
no ptp in-latency
latency – The ingress latency added to the actual timestamp.
the output port, and adjusts the time stamp to compensate for this delay. The value of the correction update and checksums are specific to each output port and message, since the residence times are not necessarily the same for all paths through the switch or for successive messages crossing the same path.
ptp priority1
This command sets a preference level used in selecting the master clock. Use the no form to restore the default setting.
SYNTAX
ptp priority1 priority-value
no ptp priority1
priority-value – Slave devices use the priority1 value when selecting a master clock.
EXAMPLE
Console(config)#ptp priority1 64
Console(config)#

ptp priority2
This command sets a secondary preference level used in selecting the master clock. Use the no form to restore the default setting.
SYNTAX
ptp priority2 priority-value
no ptp priority2
priority-value – Slave devices use the priority2 value when selecting a master clock.
EXAMPLE
Console(config)#ptp announce-receipt-timeout 10
Console(config)#
RELATED COMMANDS
ptp log-announce-interval (968)

ptp delay-mechanism
This command sets the delay measurement method for a boundary clock to peer-to-peer or end-to-end mode. Use the no form to restore the default setting.
ptp log-announce-interval
This command sets the announcement message transmit interval. Use the no form to restore the default setting.
SYNTAX
ptp log-announce-interval interval-value
no ptp log-announce-interval
interval-value – The interval for PTP announcement messages.
ptp log-min-delay-request-interval
This command sets the delay request message transmit interval. Use the no form to restore the default setting.
SYNTAX
ptp log-min-delay-request-interval interval-value
no ptp log-min-delay-request-interval
interval-value – The minimum interval between delay request messages sent by a slave clock to a specific port on the master clock.
DEFAULT SETTING
0 (1 second)
COMMAND MODE
Interface Configuration (Ethernet, Port Channel)
COMMAND USAGE
◆ The log base 2 settings equate to the following values:
 ■ 0 – 1 packet every second
 ■ 1 – 1 packet every 2 seconds
 ■ 2 – 1 packet every 4 seconds
 ■ 3 – 1 packet every 8 seconds
 ■ 4 – 1 packet every 16 seconds
 ■ 5 – 1 packet every 32 seconds
◆ This command is only applicable for interfaces which are set to use the peer-to-pee
◆ Synchronization messages are used to synchronize clocks within the same PTP domain. A boundary or transparent clock in slave state will synchronize to its master in the synchronization hierarchy established by the best master clock algorithm.
EXAMPLE
Console(config)#interface ethernet 1/1
Console(config-if)#ptp log-sync-interval 1
Console(config-if)#

ptp port-enable
This command enables PTP capability on a port.
COMMAND MODE
Interface Configuration (Ethernet, Port Channel)
COMMAND USAGE
◆ When using Ethernet as the transport mechanism, PTP messages use Ethernet formatted packets with the 88F7 Ethertype. PTP messages use MAC addresses as specified below.
When using UDP over IPv6 as a transport mechanism, PTP messages use the multicast addresses as specified below.
show ptp configuration
This command shows PTP configuration settings.
SYNTAX
show ptp configuration [interface]
interface
 ethernet unit/port-list
 unit - Stack unit. (Range: 1)
 port-list - Physical port number or list of port numbers. Separate nonconsecutive port numbers with a comma and no spaces; or use a hyphen to designate a range of port numbers.
EXAMPLE
Console#show ptp foreign-master ethernet 1/1
Port     Master Identity            Master Clock Quality    Pri1 Pri2 Valid Best
-------- -------------------------- ----------------------- ---- ---- ----- ----
Eth 1/ 1 00:00:22:00:13:23:00:00 2  C1: 251 Ac: 254 Va:-1   0    0    Yes   Yes
Pch 2    00:00:22:00:13:23:00:00 2  C1: 251 Ac: 254 Va:-1   0    0    No    No
Console(config-if)#

Table 82: show ptp foreign-master - display description
Field | Description
Port | Interface through w
no spaces; or use a hyphen to designate a range of port numbers. (Range: 1-28)
port-channel channel-id (Range: 1-8)
COMMAND MODE
Privileged Exec
EXAMPLE
This example shows PTP configuration settings, negotiated settings, and default values for a boundary clock.
. . .
Boundary Clock
 Port State                  : Master
 Log Min Delay Req. Interval : 0
 Peer Mean Path Delay        : 0 sec. 0 nano sec.
 Announce Receipt Timeout    : 3
 Log Announce Interval       : 1
 Log Sync Interval           : 0
 Delay Mechanism             : Peer to Peer
 Log Min Pdelay Req. Interval: 0
 Version Number              : 2

Table 83: show ptp information - display description for boundary clock
Field | Description
Default Data Set
Two Step Flag | Shows if this device is a two-step clock.
Table 83: show ptp information - display description for boundary clock
Field | Description
Grandmaster Identity | A unique 8-octet array based on the IEEE EUI-64 assigned numbers
Grandmaster Clock Quality
Clock Class | An attribute defining the clock’s International Atomic Time (TAI) traceability.
This example shows PTP configuration settings, negotiated settings, and default values for a transparent clock.
synce
This command enables SyncE on all ports that support SyncE. Use the no form to disable SyncE on all ports that support SyncE.
SYNTAX
[no] synce
DEFAULT SETTING
Disabled
COMMAND MODE
Global Configuration
COMMAND USAGE
◆ This command enables SyncE on ports 25-28. It does not configure any of these ports to be the clock source.
◆ SyncE must be enabled on a port before the clock selection method can be set.
EXAMPLE
Console(config)#synce
Console(config)#exit
Console#show synce
SyncE Status:
 Port      Status   Clock Source
 --------- -------- ------------
 Eth 1/25  Enabled  No
 Eth 1/26  Enabled  No
 Eth 1/27  Enabled  No
 Eth 1/28  Enabled  No
...

synce ethernet
This command enables SyncE on a port that supports SyncE. Use the no form to disable SyncE on a port.
SYNTAX
[no] synce ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number.
synce ethernet clock-source
This command manually sets a port as a clock source, or as a candidate clock source at the specified priority when using automatic clock source selection. Use the no form to remove a port as a clock source.
SYNTAX
synce ethernet unit/port clock-source [priority priority]
no synce ethernet unit/port clock-source
unit - Unit identifier. (Range: 1)
port - Port number.
EXAMPLE
Console(config)#synce ethernet 1/25 clock-source priority 1
Console(config)#

synce auto-clock-source-selecting
This command automatically selects the clock source port with the highest priority. Use the no form to disable automatic clock source selection.
SYNTAX
[no] synce auto-clock-source-selecting [revertive-switching]
auto-clock-source-selecting - Chooses the clock source port based on current clock-source port status and priority.
EXAMPLE
Console(config)#synce auto-clock-source-selecting revertive-switching
Console(config)#end
Console#show synce
SyncE Status:
 Port      Status    Clock Source
 --------- --------  ------------
 Eth 1/25  Enabled   Yes
 Eth 1/26  Disabled  No
 Eth 1/27  Disabled  No
 Eth 1/28  Disabled  No
SyncE Clock Source Selection Mode: Auto
SyncE Active Clock Source Locked: No
SyncE Clock Source Status:
 Port      Priority  Active Clock Source
 --------- --------  -------------------
 Eth 1
synce ssm ethernet
This command configures a port to receive/send Synchronization Status Messages (SSM), and sets the priority used for this port in clock source port selection. Use the no form to stop using clock selection based on SSM.
SYNTAX
synce ssm ethernet unit/port [priority priority]
no synce ssm [ethernet unit/port]
unit - Unit identifier. (Range: 1)
port - Port number.
◆ If the switch is changed from SSM mode to Manual mode, and a port has been chosen as the active clock source in SSM mode, this port will still be the active clock source in Manual mode. If no clock source port has been selected in SSM mode, the local clock will be used as the active clock source.
COMMAND MODE
Global Configuration
COMMAND USAGE
◆ Use this command to configure the clock source according to the SSM Quality Level (QL), port priority (as defined under the synce ssm ethernet command), and port number. If the SSM QL received on more than one port is the same, the clock source port is selected according to priority.
Table 87: show synce - display description
Field | Description
SyncE Status
Port | Port identifier
Status | Shows if SyncE is enabled or disabled
Clock Source | Shows if port is configured as a clock source candidate
SyncE Clock Source Selection Mode | Shows the clock source selection method:
 ◆ Manual – Manual mode (see synce or synce ethernet command)
 ◆ Auto – Automatic mode (see synce auto-clocksource
SyncE Active Clock Source Locked
SWITCH CLUSTERING
Switch Clustering is a method of grouping switches together to enable centralized management through a single unit. Switches that support clustering can be grouped together regardless of physical location or switch type, as long as they are connected to the same local network.
cluster
This command enables clustering on the switch. Use the no form to disable clustering.
SYNTAX
[no] cluster
DEFAULT SETTING
Disabled
COMMAND MODE
Global Configuration
COMMAND USAGE
◆ To create a switch cluster, first be sure that clustering is enabled on the switch (the default is enabled), then set the switch as a Cluster Commander. Set a Cluster IP Pool that does not conflict with any other IP subnets in the network.
COMMAND USAGE
◆ Once a switch has been configured to be a cluster Commander, it automatically discovers other cluster-enabled switches in the network. These “Candidate” switches only become cluster Members when manually selected by the administrator through the management station.
◆ Cluster Member switches can be managed through a Telnet connection to the Commander.
cluster member
This command configures a Candidate switch as a cluster Member. Use the no form to remove a Member switch from the cluster.
SYNTAX
cluster member mac-address mac-address id member-id
no cluster member id member-id
mac-address - The MAC address of the Candidate switch.
member-id - The ID number to assign to the Member switch.
EXAMPLE
Console#rcommand id 1
CLI session with the ECS4660-28F is opened.
To end the CLI session, enter [Exit].
Vty-0#

show cluster
This command shows the switch clustering configuration.
COMMAND MODE
Privileged Exec
EXAMPLE
Console#show cluster
Role                 : commander
Interval Heartbeat   : 30 seconds
Heartbeat Loss Count : 3
Number of Members    : 1
Number of Candidates : 2
Console#

show cluster
This command shows the current switch cluster members.
show cluster
This command shows the discovered Candidate switches in the network.
25 SNMP COMMANDS SNMP commands control access to this switch from management stations using the Simple Network Management Protocol (SNMP), as well as the error types sent to trap managers. SNMP Version 3 also provides security features that cover message integrity, authentication, and encryption; as well as controlling user access to specific areas of the MIB tree.
Table 89: SNMP Commands (Continued)
Command | Function | Mode
show snmp view | Shows the SNMP views | PE
Notification Log Commands
nlm | Enables the specified notification log | GC
snmp-server notify-filter | Creates a notification log and specifies the target host | GC
show nlm oper-status | Shows operation status of configured notification logs | PE
show snmp notify-filter | Displays the configured notification logs | PE
ATC Trap Commands
snmp-server enable port- | Sends a trap when broa
Table 89: SNMP Commands (Continued)
Command | Function | Mode
memory | Sets the rising and falling threshold for the memory utilization alarm | GC
process cpu | Sets the rising and falling threshold for the CPU utilization alarm | GC
show memory | Shows memory utilization parameters | PE
show process cpu | Shows CPU utilization parameters | PE
Additional Trap Commands

General SNMP Commands
snmp-server
This command enables the SNMPv3 engine and services for all
DEFAULT SETTING
◆ public - Read-only access. Authorized management stations are only able to retrieve MIB objects.
◆ private - Read/write access. Authorized management stations are able to both retrieve and modify MIB objects.
COMMAND MODE
Global Configuration
EXAMPLE
Console(config)#snmp-server community alpha rw
Console(config)#

snmp-server contact
This command sets the system contact string. Use the no form to remove the system contact information.
DEFAULT SETTING
None
COMMAND MODE
Global Configuration
EXAMPLE
Console(config)#snmp-server location WC-19
Console(config)#
RELATED COMMANDS
snmp-server contact (998)

show snmp
This command can be used to check the status of SNMP communications.
 0 SNMP packets output
 0 Too big errors
 0 No such name errors
 0 Bad values errors
 0 General errors
 0 Response PDUs
 0 Trap PDUs
SNMP Logging: Disabled
Console#

SNMP Target Host Commands
snmp-server enable traps
This command enables this device to send Simple Network Management Protocol traps or informs (i.e., SNMP notifications). Use the no form to disable SNMP notifications.
CHAPTER 25 | SNMP Commands SNMP Target Host Commands send notifications, you must configure at least one snmp-server host command. ◆ The authentication, link-up, and link-down traps are legacy notifications, and therefore when used for SNMP Version 3 hosts, they must be enabled in conjunction with the corresponding entries in the Notify View assigned by the snmp-server group command.
CHAPTER 25 | SNMP Commands SNMP Target Host Commands page 480 for further information about these authentication and encryption options. port - Host UDP port to use. (Range: 1-65535; Default: 162) DEFAULT SETTING Host Address: None Notification Type: Traps SNMP Version: 1 UDP Port: 162 COMMAND MODE Global Configuration COMMAND USAGE ◆ If you do not enter an snmp-server host command, no notifications are sent.
CHAPTER 25 | SNMP Commands SNMP Target Host Commands To send an inform to an SNMPv3 host, complete these steps:
1. Enable the SNMP agent (page 997).
2. Create a local SNMPv3 user to use in the message exchange process (page 1007).
3. Create a view with the required notification messages (page 1008).
4. Create a group that includes the required notify view (page 1006).
5. Allow the switch to send SNMP traps; i.e., notifications (page 1000).
CHAPTER 25 | SNMP Commands SNMPv3 Commands EXAMPLE
Console(config)#interface ethernet 1/1
Console(config-if)#snmp-server enable port-traps mac-notification
Console(config-if)#
show snmp-server enable port-traps This command shows if SNMP traps are enabled or disabled for the specified interfaces. SYNTAX show snmp-server enable port-traps interface [interface] interface ethernet unit/port unit - Unit identifier. (Range: 1) port - Port number.
CHAPTER 25 | SNMP Commands SNMPv3 Commands DEFAULT SETTING A unique engine ID is automatically generated by the switch based on its MAC address. COMMAND MODE Global Configuration COMMAND USAGE ◆ An SNMP engine is an independent SNMP agent that resides either on this switch or on a remote device. This engine protects against message replay, delay, and redirection. The engine ID is also used in combination with user passwords to generate the security keys for authenticating and encrypting SNMPv3 packets.
CHAPTER 25 | SNMP Commands SNMPv3 Commands snmp-server group This command adds an SNMP group, mapping SNMP users to SNMP views. Use the no form to remove an SNMP group. SYNTAX snmp-server group groupname {v1 | v2c | v3 {auth | noauth | priv}} [read readview] [write writeview] [notify notifyview] no snmp-server group groupname groupname - Name of an SNMP group. (Range: 1-32 characters) v1 | v2c | v3 - Use SNMP version 1, 2c or 3.
CHAPTER 25 | SNMP Commands SNMPv3 Commands EXAMPLE Console(config)#snmp-server group r&d v3 auth write daily Console(config)# snmp-server user This command adds a user to an SNMP group, restricting the user to a specific SNMP Read, Write, or Notify View. Use the no form to remove a user from an SNMP group.
CHAPTER 25 | SNMP Commands SNMPv3 Commands ◆ Remote users (i.e., the command specifies a remote engine identifier) must be configured to identify the source of SNMPv3 inform messages sent from the local switch. ◆ The SNMP engine ID is used to compute the authentication/privacy digests from the password. You should therefore configure the engine ID with the snmp-server engine-id command before using this configuration command.
CHAPTER 25 | SNMP Commands SNMPv3 Commands COMMAND USAGE ◆ Views are used in the snmp-server group command to restrict user access to specified portions of the MIB tree. ◆ The predefined view “defaultview” includes access to the entire MIB tree. EXAMPLES This view includes MIB-2. Console(config)#snmp-server view mib-2 1.3.6.1.2.1 included Console(config)# This view includes the MIB-2 interfaces table, ifDescr. The wild card is used to select all the index values in this table.
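How a view decides what a user may see is easier to reason about with the matching rule written out. The following is an added example, not code from the Edge-core guide: it models a view built from snmp-server view entries and answers whether an instance OID is visible. Two assumptions are made that the guide does not state: a "*" component stands for the wildcard mentioned above, and when several entries cover one OID the entry with the longest subtree wins, as in the RFC 3415 vacmViewTreeFamily rules. The sample view and OIDs are constructed.

```python
"""SNMP view evaluation (added example, not from the Edge-core guide).

Models a VACM view made of 'snmp-server view NAME OID {included|excluded}'
entries and decides whether a given instance OID is visible through it.
Assumptions (not stated on the page): '*' is the wildcard component, and the
covering entry with the longest subtree takes precedence (RFC 3415).
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union

Component = Union[int, str]          # sub-identifier, or "*" for the wildcard


@dataclass(frozen=True)
class ViewEntry:
    subtree: Tuple[Component, ...]
    included: bool


def parse_oid(text: str) -> Tuple[Component, ...]:
    """'1.3.6.1.2.1.2.2.1.*.1' -> (1, 3, 6, 1, 2, 1, 2, 2, 1, '*', 1)."""
    parts = text.strip(".").split(".")
    return tuple("*" if p == "*" else int(p) for p in parts)


def entry(oid_text: str, included: bool) -> ViewEntry:
    return ViewEntry(parse_oid(oid_text), included)


def _covers(e: ViewEntry, oid: Tuple[Component, ...]) -> bool:
    """An entry covers an OID when the OID is at least as long as the subtree
    and every non-wildcard component matches (the RFC 3415 mask semantics)."""
    if len(oid) < len(e.subtree):
        return False
    return all(s == "*" or s == o for s, o in zip(e.subtree, oid))


def _precedence(e: ViewEntry):
    # Longest subtree first; ties broken by the greater subtree, with '*'
    # ordered below any real sub-identifier.
    return len(e.subtree), tuple(-1 if c == "*" else c for c in e.subtree)


def oid_in_view(view: List[ViewEntry], oid_text: str) -> bool:
    """True if the OID is visible; False if excluded or covered by no entry."""
    oid = parse_oid(oid_text)
    if any(c == "*" for c in oid):
        raise ValueError("instance OIDs must be fully specified")
    best: Optional[ViewEntry] = None
    for e in view:
        if _covers(e, oid) and (best is None or _precedence(e) > _precedence(best)):
            best = e
    return best is not None and best.included


# Constructed sample view: all of MIB-2, but from ifTable only the row for
# ifIndex 1 (every column), so other interfaces' counters stay hidden.
SAMPLE_VIEW = [
    entry("1.3.6.1.2.1", True),            # mib-2
    entry("1.3.6.1.2.1.2.2.1", False),     # ifEntry: hide the whole table...
    entry("1.3.6.1.2.1.2.2.1.*.1", True),  # ...except ifIndex 1, any column
]

if __name__ == "__main__":
    for oid in ("1.3.6.1.2.1.1.1.0", "1.3.6.1.2.1.2.2.1.2.1",
                "1.3.6.1.2.1.2.2.1.2.5", "1.3.6.1.4.1.259.1"):
        print(oid, "visible" if oid_in_view(SAMPLE_VIEW, oid) else "hidden")
```

The practical consequence of the longest-match rule is that an exclusion placed under an included subtree really does hide that branch, while a narrower inclusion under the exclusion punches a hole back through it; a view with no covering entry at all denies access, which is why a user whose group has no read view sees nothing.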
CHAPTER 25 | SNMP Commands SNMPv3 Commands Table 90: show snmp engine-id - display description (Continued) Field Description Remote SNMP engineID String identifying an engine ID on a remote device. IP address IP address of the device containing the corresponding remote SNMP engine. show snmp group Four default groups are provided – SNMPv1 read-only access and read/ write access, and SNMPv2c read-only access and read/write access.
CHAPTER 25 | SNMP Commands SNMPv3 Commands Table 91: show snmp group - display description Field Description groupname Name of an SNMP group. security model The SNMP version. readview The associated read view. writeview The associated write view. notifyview The associated notify view. storage-type The storage type for this entry. Row Status The row status of this entry. show snmp user This command shows information on SNMP users.
CHAPTER 25 | SNMP Commands Notification Log Commands show snmp view This command shows information on the SNMP views. COMMAND MODE Privileged Exec EXAMPLE
Console#show snmp view
View Name: mib-2
Subtree OID: 1.3.6.1.2.1
View Type: included
Storage Type: permanent
Row Status: active
View Name: defaultview
Subtree OID: 1
View Type: included
Storage Type: volatile
Row Status: active
Console#
Table 93: show snmp view - display description Field Description View Name Name of an SNMP view.
CHAPTER 25 | SNMP Commands Notification Log Commands ◆ Disabling logging with this command does not delete the entries stored in the notification log. EXAMPLE This example enables the notification log A1. Console(config)#nlm A1 Console(config)# snmp-server notify-filter This command creates an SNMP notification log. Use the no form to remove this log. SYNTAX [no] snmp-server notify-filter profile-name remote ip-address profile-name - Notification log profile name.
CHAPTER 25 | SNMP Commands Notification Log Commands ◆ To avoid this problem, notification logging should be configured and enabled using the snmp-server notify-filter command and nlm command, and these commands stored in the startup configuration file. Then when the switch reboots, SNMP traps (such as warm start) can now be logged. ◆ When this command is executed, a notification log is created (with the default parameters defined in RFC 3014).
CHAPTER 25 | SNMP Commands Additional Trap Commands show snmp notify-filter This command displays the configured notification logs. COMMAND MODE Privileged Exec EXAMPLE This example displays the configured notification logs and associated target hosts.
Console#show snmp notify-filter
Filter profile name          IP address
---------------------------- ---------------
A1                           10.1.19.23
Console#
ADDITIONAL TRAP COMMANDS
memory This command sets an SNMP trap based on configured thresholds for memory utilization.
CHAPTER 25 | SNMP Commands Additional Trap Commands process cpu This command sets an SNMP trap based on configured thresholds for CPU utilization. Use the no form to restore the default setting. SYNTAX process cpu {rising rising-threshold | falling falling-threshold} no process cpu {rising | falling} rising-threshold - Rising threshold for CPU utilization alarm expressed in percentage. (Range: 1-100) falling-threshold - Falling threshold for CPU utilization alarm expressed in percentage.
26 REMOTE MONITORING COMMANDS Remote Monitoring allows a remote device to collect information or respond to specified events on an independent basis. This switch is an RMON-capable device which can independently perform a wide range of tasks, significantly reducing network management traffic. It can continuously run diagnostics and log information on network performance.
CHAPTER 26 | Remote Monitoring Commands rmon alarm This command sets threshold bounds for a monitored variable. Use the no form to remove an alarm. SYNTAX rmon alarm index variable interval {absolute | delta} rising-threshold threshold [event-index] falling-threshold threshold [event-index] [owner name] no rmon alarm index index – Index to this entry. (Range: 1-65535) variable – The object identifier of the MIB variable to be sampled. Only variables of the type etherStatsEntry.n.n may be sampled.
CHAPTER 26 | Remote Monitoring Commands ◆ If the current value is less than or equal to the falling threshold, and the last sample value was greater than this threshold, then an alarm will be generated. After a falling event has been generated, another such event will not be generated until the sampled value has risen above the falling threshold, reaches the rising threshold, and again moves back down to the falling threshold. EXAMPLE Console(config)#rmon alarm 1 1.3.6.1.2.1.16.1.1.1.6.
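The rising/falling rule above (and the same rule behind the process cpu and memory thresholds in the Additional Trap Commands section) is a two-state hysteresis: once a rising event fires, nothing fires again until the value has come all the way down to the falling threshold. The following added example, not code from the Edge-core guide, implements that rule for both absolute samples (a CPU percentage) and delta samples (the change in a counter between polls). One assumption beyond the page text: the very first sample may raise either event, which is the RFC 2819 default (alarmStartupAlarm = risingOrFallingAlarm). Sample values are constructed.

```python
"""Rising/falling threshold alarm with hysteresis (added example, not from the
Edge-core guide). Models the rule the guide describes for 'rmon alarm' and,
with absolute sampling, for the 'process cpu' / 'memory' thresholds.
Assumption: the first sample may raise either event (RFC 2819 default
alarmStartupAlarm = risingOrFallingAlarm).
"""
from typing import List, Optional


class ThresholdAlarm:
    def __init__(self, rising: int, falling: int, mode: str = "absolute"):
        if falling > rising:
            raise ValueError("falling threshold must not exceed rising threshold")
        if mode not in ("absolute", "delta"):
            raise ValueError("mode must be 'absolute' or 'delta'")
        self.rising, self.falling, self.mode = rising, falling, mode
        self._last_raw: Optional[int] = None   # previous raw sample (delta mode)
        self._rising_armed = True    # a rising event may be generated
        self._falling_armed = True   # a falling event may be generated

    def sample(self, raw: int) -> Optional[str]:
        """Feed one sample; return 'rising', 'falling' or None."""
        if self.mode == "delta":
            if self._last_raw is None:          # nothing to diff against yet
                self._last_raw = raw
                return None
            value, self._last_raw = raw - self._last_raw, raw
        else:
            value = raw

        if value >= self.rising and self._rising_armed:
            # Re-arm the rising event only after the value reaches the
            # falling threshold; the falling event becomes possible now.
            self._rising_armed, self._falling_armed = False, True
            return "rising"
        if value <= self.falling and self._falling_armed:
            self._rising_armed, self._falling_armed = True, False
            return "falling"
        return None


def run_alarm(alarm: ThresholdAlarm, samples: List[int]) -> List[Optional[str]]:
    """Feed a sequence of samples and collect the event generated by each."""
    return [alarm.sample(s) for s in samples]


if __name__ == "__main__":
    cpu = ThresholdAlarm(rising=80, falling=50)                 # percent, absolute
    print(run_alarm(cpu, [60, 85, 90, 70, 85, 45, 85]))
    pkts = ThresholdAlarm(rising=1000, falling=200, mode="delta")  # counter deltas
    print(run_alarm(pkts, [1000, 1500, 2600, 2700]))
```

Note that a value which oscillates between the two thresholds (the 70 and 85 in the CPU run) produces no further traps; that is the intended damping, and it is why the falling threshold should be set well below the rising one rather than one unit under it.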
CHAPTER 26 | Remote Monitoring Commands ◆ The specified events determine the action to take when an alarm triggers this event. The response to an alarm can include logging the alarm or sending a message to a trap manager. EXAMPLE Console(config)#rmon event 2 log description urgent owner mike Console(config)# rmon collection history This command periodically samples statistics on a physical interface. Use the no form to disable periodic sampling.
CHAPTER 26 | Remote Monitoring Commands show running-config command will display a message indicating that this index is not available for the port to which it is normally assigned. For example, if control entry 15 is assigned to port 5 as shown below, the show running-config command will indicate that this entry is not available for port 8.
CHAPTER 26 | Remote Monitoring Commands EXAMPLE Console(config)#interface ethernet 1/1 Console(config-if)#rmon collection rmon1 controlEntry 1 owner mike Console(config-if)# show rmon alarms This command shows the settings for all configured alarms. COMMAND MODE Privileged Exec EXAMPLE Console#show rmon alarms Alarm 1 is valid, owned by Monitors 1.3.6.1.2.1.16.1.1.1.6.
CHAPTER 26 | Remote Monitoring Commands 0 undersized and 0 oversized packets, 0 fragments and 0 jabbers packets, 0 CRC alignment errors and 0 collisions. # of dropped packet events is 0 Network utilization is estimated at 0 . . . show rmon statistics This command shows the information collected for all configured entries in the statistics group. COMMAND MODE Privileged Exec EXAMPLE Console#show rmon statistics Interface 1 is valid, and owned by Monitors 1.3.6.1.2.1.2.2.1.1.
27 FLOW SAMPLING COMMANDS Flow sampling (sFlow) can be used with a remote sFlow Collector to provide an accurate, detailed and real-time overview of the types and levels of traffic present on the network. The sFlow Agent samples 1 out of n packets from all data traversing the switch, re-encapsulates the samples as sFlow datagrams and transmits them to the sFlow Collector.
CHAPTER 27 | Flow Sampling Commands timeout-value - The length of time the sFlow interface is available to send samples to a receiver, after which the owner and associated polling and sampling data source instances are removed from the configuration. (Range: 30-10000000 seconds) ipv4-address - IPv4 address of the sFlow collector. Valid IPv4 addresses consist of four decimal numbers, 0 to 255, separated by periods. ipv6-address - IPv6 address of the sFlow collector.
CHAPTER 27 | Flow Sampling Commands This example shows how to modify the sFlow port number for an already configured collector. Console(config)#sflow owner stat_server1 timeout 100 port 35100 Console(config)# sflow sampling instance This command enables an sFlow data source instance for a specific interface that takes samples periodically based on the number of packets processed. Use the no form to remove the sampling data source instance from the switch’s sFlow configuration.
CHAPTER 27 | Flow Sampling Commands EXAMPLE This example enables a sampling data source on Ethernet interface 1/1, an associated receiver named “owner1”, and a sampling rate of one out of 100. The maximum header size is also set to 200 bytes. Console# sflow sampling interface ethernet 1/1 instance 1 receiver owner1 sampling-rate 100 max-header-size 200 Console# The following command removes a sampling data source from Ethernet interface 1/1.
CHAPTER 27 | Flow Sampling Commands COMMAND USAGE This command enables a polling data source and configures the interval at which counter values are added to the sample datagram. EXAMPLE This example sets the polling interval to 10 seconds. Console(config)#interface ethernet 1/9 Console(config-if)#sflow polling-interval 10 Console(config-if)# show sflow This command shows the global and interface settings for the sFlow process.
28 AUTHENTICATION COMMANDS You can configure this switch to authenticate users logging into the system for management access using local or remote authentication methods. Port-based authentication using IEEE 802.1X can also be configured to control either management access to the uplink ports or client access to the data ports.
CHAPTER 28 | Authentication Commands User Accounts USER ACCOUNTS The basic commands required for management access are listed in this section. This switch also includes other options for password checking via the console or a Telnet connection (page 923), user authentication via a remote authentication server (page 1031), and host access authentication for specific ports (page 1067).
CHAPTER 28 | Authentication Commands User Accounts EXAMPLE Console(config)#enable password level 15 0 admin Console(config)# RELATED COMMANDS enable (885) authentication enable (1034) username This command adds named users, requires authentication at login, specifies or changes a user's password (or specify that no password is required), or specifies or changes a user's access level. Use the no form to remove a user name.
CHAPTER 28 | Authentication Commands Authentication Sequence EXAMPLE This example shows how to set the access level and password for a user. Console(config)#username bob access-level 15 Console(config)#username bob password 0 smith Console(config)# AUTHENTICATION SEQUENCE Three authentication methods can be specified to authenticate users logging into the system for management access. The commands in this section can be used to define the authentication method and sequence.
CHAPTER 28 | Authentication Commands Authentication Sequence ◆ RADIUS and TACACS+ logon authentication assigns a specific privilege level for each user name and password pair. The user name, password, and privilege level must be configured on the authentication server. ◆ You can specify three authentication methods in a single command to indicate the authentication sequence.
CHAPTER 28 | Authentication Commands RADIUS Client “authentication login radius tacacs local,” the user name and password on the RADIUS server are verified first. If the RADIUS server is not available, then authentication is attempted on the TACACS+ server. If the TACACS+ server is not available, the local user name and password are checked.
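The sequence above only falls through when a server is unavailable; the following added example, not code from the Edge-core guide, writes that method-list evaluation out so the failure modes are explicit. It makes one assumption the guide's text does not state: a reject from a reachable server ends the sequence (otherwise a password rejected by RADIUS would simply be retried against the local accounts). The backends are constructed stand-ins for a RADIUS server, a TACACS+ server and the local user table; the local entry reuses the guide's username example.

```python
"""Login method-list evaluation (added example, not Edge-core code).
Models 'authentication login radius tacacs local': a method that cannot be
reached is skipped and the first reachable method decides. Assumption beyond
the guide: an explicit reject from a reachable server ends the sequence.
"""
from enum import Enum
from typing import Callable, Dict, List, Optional, Tuple


class Verdict(Enum):
    ACCEPT = "accept"
    REJECT = "reject"
    UNAVAILABLE = "unavailable"   # unreachable, or timed out after all retries


Backend = Callable[[str, str], Verdict]


def authenticate(methods: List[str], backends: Dict[str, Backend],
                 user: str, password: str) -> Tuple[Verdict, Optional[str]]:
    """Return (verdict, name of the method that decided).

    Fails closed: if every listed method is unavailable and 'local' is not in
    the list, nobody can log in, which is the usual argument for keeping
    'local' last in the list (and for protecting the local passwords)."""
    for name in methods:
        verdict = backends[name](user, password)
        if verdict is Verdict.UNAVAILABLE:
            continue                       # try the next method in the list
        return verdict, name               # ACCEPT or REJECT is final
    return Verdict.REJECT, None


# Constructed backends standing in for real servers and the local user table.
def radius_down(user: str, password: str) -> Verdict:
    return Verdict.UNAVAILABLE            # e.g. retransmit count exhausted


def tacacs_rejects(user: str, password: str) -> Verdict:
    return Verdict.REJECT                  # server reachable, credentials bad


def local_table(user: str, password: str) -> Verdict:
    users = {"bob": "smith"}               # stand-in for the switch's user table
    return Verdict.ACCEPT if users.get(user) == password else Verdict.REJECT


if __name__ == "__main__":
    backends = {"radius": radius_down, "tacacs": tacacs_rejects, "local": local_table}
    print(authenticate(["radius", "tacacs", "local"], backends, "bob", "smith"))
```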
CHAPTER 28 | Authentication Commands RADIUS Client COMMAND MODE Global Configuration EXAMPLE Console(config)#radius-server acct-port 181 Console(config)# radius-server auth-port This command sets the RADIUS server network port. Use the no form to restore the default. SYNTAX radius-server auth-port port-number no radius-server auth-port port-number - RADIUS server UDP port used for authentication messages.
CHAPTER 28 | Authentication Commands RADIUS Client key - Shared secret used to authenticate the exchanges between the switch and the RADIUS server. Do not use blank spaces in the string. (Maximum length: 48 characters) retransmit - Number of times the switch will try to authenticate logon access via the RADIUS server. (Range: 1-30) timeout - Number of seconds the switch waits for a reply before resending a request.
CHAPTER 28 | Authentication Commands RADIUS Client radius-server retransmit This command sets the number of retries. Use the no form to restore the default. SYNTAX radius-server retransmit number-of-retries no radius-server retransmit number-of-retries - Number of times the switch will try to authenticate logon access via the RADIUS server.
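What the shared secret configured with radius-server key actually does is not visible from the CLI. The following added example, not Edge-core code, reproduces the two places the secret is used in RFC 2865: hiding the User-Password attribute in an Access-Request (section 5.2) and computing the Response Authenticator the client checks on every Access-Accept/Reject (section 3). The packets, secret and password are constructed sample inputs; the Reply-Message attribute is used only because it is the simplest attribute to encode.

```python
"""RADIUS shared-secret mechanics (added example, not Edge-core code).
Shows what the 'key' set with radius-server key protects: User-Password hiding
(RFC 2865 section 5.2) and the Response Authenticator checked on replies
(RFC 2865 section 3). All packets, secrets and passwords are constructed.
"""
import hashlib
import hmac
import os
import struct

CODE_ACCESS_ACCEPT = 2
ATTR_REPLY_MESSAGE = 18


def new_request_authenticator() -> bytes:
    """16 random octets; a fresh value for every Access-Request."""
    return os.urandom(16)


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """User-Password value: pad to 16-octet blocks, XOR each block with
    MD5(secret + previous ciphertext block), seeded by the Request Authenticator."""
    if not 1 <= len(password) <= 128:
        raise ValueError("RFC 2865 limits User-Password to 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += block
        prev = block
    return bytes(out)


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password (the server side). Trailing NULs are padding,
    so a password that itself ends in a NUL cannot be carried this way."""
    if len(hidden) % 16:
        raise ValueError("hidden password must be a multiple of 16 octets")
    out, prev = bytearray(), request_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return bytes(out).rstrip(b"\x00")


def reply_message(text: bytes) -> bytes:
    """One Reply-Message attribute (type 18) in Type, Length, Value form."""
    return bytes([ATTR_REPLY_MESSAGE, 2 + len(text)]) + text


def build_response(code: int, ident: int, request_auth: bytes,
                   attributes: bytes, secret: bytes) -> bytes:
    """Server side: Response Authenticator =
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attributes))
    resp_auth = hashlib.md5(header + request_auth + attributes + secret).digest()
    return header + resp_auth + attributes


def verify_response(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Client side: a reply whose authenticator does not match the secret and
    the outstanding request is silently dropped, so a spoofed Access-Accept
    is useless to an attacker who does not hold the secret."""
    if len(packet) < 20:
        return False
    if struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])
```

Both constructions are MD5-based and keyed only by the secret, so anyone who captures a request/response pair can test candidate secrets offline; that is the reason to use the full 48-character length the switch allows rather than a short word, and to keep RADIUS traffic on a management network rather than a user-reachable one.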
CHAPTER 28 | Authentication Commands TACACS+ Client show radius-server This command displays the current settings for the RADIUS server. DEFAULT SETTING None COMMAND MODE Privileged Exec EXAMPLE
Console#show radius-server
Remote RADIUS Server Configuration:
Global Settings:
 Authentication Port Number : 1812
 Accounting Port Number     : 1813
 Retransmit Times           : 2
 Request Timeout            : 5
Server 1:
 Server IP Address          : 192.
 Authentication Port Number :
 Accounting Port Number     :
 Retransmit Times           :
 Request Timeout            :
CHAPTER 28 | Authentication Commands TACACS+ Client tacacs-server host This command specifies the TACACS+ server and other optional parameters. Use the no form to remove the server, or to restore the default values. SYNTAX tacacs-server index host host-ip-address [key key] [port port-number] [retransmit retransmit] [timeout timeout] no tacacs-server index index - The index for this server. (Range: 1) host-ip-address - IP address of a TACACS+ server.
CHAPTER 28 | Authentication Commands TACACS+ Client COMMAND MODE Global Configuration EXAMPLE Console(config)#tacacs-server key green Console(config)# tacacs-server port This command specifies the TACACS+ server network port. Use the no form to restore the default. SYNTAX tacacs-server port port-number no tacacs-server port port-number - TACACS+ server TCP port used for authentication messages.
CHAPTER 28 | Authentication Commands TACACS+ Client EXAMPLE Console(config)#tacacs-server retransmit 5 Console(config)# tacacs-server timeout This command sets the interval between transmitting authentication requests to the TACACS+ server. Use the no form to restore the default. SYNTAX tacacs-server timeout number-of-seconds no tacacs-server timeout number-of-seconds - Number of seconds the switch waits for a reply before resending a request.
CHAPTER 28 | Authentication Commands AAA
TACACS+ Server Group:
Group Name                Member Index
------------------------- ------------
tacacs+                   1
Console#
AAA The Authentication, Authorization, and Accounting (AAA) feature provides the main framework for configuring access control on the switch. The AAA functions require the use of configured RADIUS or TACACS+ servers in the network. Table 102: AAA Commands Command Function Mode aaa accounting dot1x Enables accounting of 802.
CHAPTER 28 | Authentication Commands AAA group - Specifies the server group to use. radius - Specifies all RADIUS hosts configured with the radius-server host command. tacacs+ - Specifies all TACACS+ hosts configured with the tacacs-server host command. server-group - Specifies the name of a server group configured with the aaa group server command.
CHAPTER 28 | Authentication Commands AAA ◆ Using the command without specifying an interim interval enables updates, but does not change the current interval setting. EXAMPLE Console(config)#aaa accounting update periodic 30 Console(config)# aaa authorization exec This command enables the authorization for Exec access. Use the no form to disable the authorization service.
CHAPTER 28 | Authentication Commands AAA aaa group server Use this command to name a group of security server hosts. To remove a server group from the configuration list, enter the no form of this command. SYNTAX [no] aaa group server {radius | tacacs+} group-name radius - Defines a RADIUS server group. tacacs+ - Defines a TACACS+ server group. group-name - A text string that names a security server group.
CHAPTER 28 | Authentication Commands AAA EXAMPLE Console(config)#aaa group server radius tps Console(config-sg-radius)#server 10.2.68.120 Console(config-sg-radius)# accounting dot1x This command applies an accounting method for 802.1X service requests on an interface. Use the no form to disable accounting on the interface. SYNTAX accounting dot1x {default | list-name} no accounting dot1x default - Specifies the default method list created with the aaa accounting dot1x command.
CHAPTER 28 | Authentication Commands AAA EXAMPLE Console(config)#line console Console(config-line)#accounting exec tps Console(config-line)#exit Console(config)#line vty Console(config-line)#accounting exec default Console(config-line)# authorization exec This command applies an authorization method to local console, Telnet or SSH connections. Use the no form to disable authorization on the line.
CHAPTER 28 | Authentication Commands Web Server statistics - Displays accounting records. user-name - Displays accounting records for a specifiable username. interface ethernet unit/port unit - Unit identifier. (Range: 1) port - Port number.
CHAPTER 28 | Authentication Commands Web Server ip http port This command specifies the TCP port number used by the web browser interface. Use the no form to use the default port. SYNTAX ip http port port-number no ip http port port-number - The TCP port to be used by the browser interface.
CHAPTER 28 | Authentication Commands Web Server ip http secure-port This command specifies the TCP port number used for HTTPS connections to the switch’s web interface. Use the no form to restore the default port. SYNTAX ip http secure-port port_number no ip http secure-port port_number – The TCP port used for HTTPS. (Range: 1-65535) DEFAULT SETTING 443 COMMAND MODE Global Configuration COMMAND USAGE ◆ You cannot configure the HTTP and HTTPS servers to use the same port.
CHAPTER 28 | Authentication Commands Web Server COMMAND USAGE ◆ Both HTTP and HTTPS service can be enabled independently on the switch. However, you cannot configure the HTTP and HTTPS servers to use the same TCP port. ◆ If you enable HTTPS, you must indicate this in the URL that you specify in your browser: https://device[:port_number] ◆ When you start HTTPS, the connection is established in this way: ■ The client authenticates the server using the server’s digital certificate.
CHAPTER 28 | Authentication Commands Telnet Server TELNET SERVER This section describes commands used to configure Telnet management access to the switch.
CHAPTER 28 | Authentication Commands Telnet Server ip telnet port This command specifies the TCP port number used by the Telnet interface. Use the no form to use the default port. SYNTAX ip telnet port port-number no ip telnet port port-number - The TCP port number to be used by the Telnet interface.
CHAPTER 28 | Authentication Commands Secure Shell show ip telnet This command displays the configuration settings for the Telnet server. COMMAND MODE Normal Exec, Privileged Exec EXAMPLE
Console#show ip telnet
IP Telnet Configuration:
Telnet Status: Enabled
Telnet Service Port: 23
Telnet Max Session: 4
Console#
SECURE SHELL This section describes the commands used to configure the SSH server.
CHAPTER 28 | Authentication Commands Secure Shell Table 106: Secure Shell Commands (Continued) Command Function Mode show ssh Displays the status of current SSH sessions PE show users Shows SSH users, including privilege level and public key type PE Configuration Guidelines The SSH server on this switch supports both password and public key authentication.
CHAPTER 28 | Authentication Commands Secure Shell 4. Set the Optional Parameters – Set other optional parameters, including the authentication timeout, the number of retries, and the server key size. 5. Enable SSH Service – Use the ip ssh server command to enable the SSH server on the switch. 6. Authentication – One of the following authentication methods is employed: Password Authentication (for SSH v1.5 or V2 Clients) a. The client sends its password to the server. b.
CHAPTER 28 | Authentication Commands Secure Shell c. The client sends a signature generated using the private key to the switch. d. When the server receives this message, it checks whether the supplied key is acceptable for authentication, and if so, it then checks whether the signature is correct. If both checks succeed, the client is authenticated. NOTE: The SSH server supports up to four client sessions. The maximum number of client sessions includes both current Telnet sessions and SSH sessions.
CHAPTER 28 | Authentication Commands Secure Shell COMMAND MODE Global Configuration COMMAND USAGE ◆ The SSH server supports up to four client sessions. The maximum number of client sessions includes both current Telnet sessions and SSH sessions. ◆ When a client first connects, the SSH server identifies itself with its DSA or RSA host key (see ip ssh crypto host-key generate) during key exchange, and then negotiates with the client to select either DES (56-bit) or 3DES (168-bit) for data encryption. Single DES is no longer considered secure; configure clients to offer only 3DES to this switch.
CHAPTER 28 | Authentication Commands Secure Shell ip ssh timeout This command configures the timeout for the SSH server. Use the no form to restore the default setting. SYNTAX ip ssh timeout seconds no ip ssh timeout seconds – The timeout for client response during SSH negotiation. (Range: 1-120) DEFAULT SETTING 10 seconds COMMAND MODE Global Configuration COMMAND USAGE The timeout specifies the interval the switch will wait for a response from the client during the SSH negotiation phase.
CHAPTER 28 | Authentication Commands Secure Shell EXAMPLE Console#delete public-key admin dsa Console# ip ssh crypto host-key generate This command generates the host key pair (i.e., public and private). SYNTAX ip ssh crypto host-key generate [dsa | rsa] dsa – DSA (Version 2) key type. rsa – RSA (Version 1) key type. DEFAULT SETTING Generates both the DSA and RSA key pairs. COMMAND MODE Privileged Exec COMMAND USAGE ◆ The switch uses only RSA Version 1 for SSHv1.
CHAPTER 28 | Authentication Commands Secure Shell ip ssh crypto zeroize This command clears the host key from memory (i.e. RAM). SYNTAX ip ssh crypto zeroize [dsa | rsa] dsa – DSA key type. rsa – RSA key type. DEFAULT SETTING Clears both the DSA and RSA key. COMMAND MODE Privileged Exec COMMAND USAGE ◆ This command clears the host key from volatile memory (RAM). Use the no ip ssh save host-key command to clear the host key from flash memory.
CHAPTER 28 | Authentication Commands Secure Shell RELATED COMMANDS ip ssh crypto host-key generate (1063) show ip ssh This command displays the connection settings used when authenticating client access to the SSH server. COMMAND MODE Privileged Exec EXAMPLE
Console#show ip ssh
SSH Enabled - Version 2.0
Negotiation Timeout : 120 seconds; Authentication Retries : 3
Server Key Size : 768 bits
Console#
show public-key This command shows the public key for the specified user or for the host.
CHAPTER 28 | Authentication Commands Secure Shell 185490002831341625008348718449522087429212255691665655296328163516964040831 5547660664151657116381 DSA: ssh-dss AAAB3NzaC1kc3MAAACBAPWKZTPbsRIB8ydEXcxM3dyV/yrDbKStIlnzD/Dg0h2Hxc YV44sXZ2JXhamLK6P8bvuiyacWbUW/a4PAtp1KMSdqsKeh3hKoA3vRRSy1N2XFfAKxl5fwFfv JlPdOkFgzLGMinvSNYQwiQXbKTBH0Z4mUZpE85PWxDZMaCNBPjBrRAAAAFQChb4vsdfQGNIjwbv wrNLaQ77isiwAAAIEAsy5YWDC99ebYHNRj5kh47wY4i8cZvH+/p9cnrfwFTMU01VFDly3IR 2G395NLy5Qd7ZDxfA9mCOfT/yyEfbobMJZi8oGCstSNOxrZZVnMqWrTYfdrK
CHAPTER 28 | Authentication Commands 802.1X Port Authentication 802.1X PORT AUTHENTICATION The switch supports IEEE 802.1X (dot1x) port-based access control that prevents unauthorized access to the network by requiring users to first submit credentials for authentication. Client authentication is controlled centrally by a RADIUS server using EAP (Extensible Authentication Protocol). Table 108: 802.
CHAPTER 28 | Authentication Commands 802.1X Port Authentication General Commands dot1x default This command sets all configurable dot1x global and port settings to their default values. COMMAND MODE Global Configuration EXAMPLE Console(config)#dot1x default Console(config)# dot1x eapol-pass-through This command passes EAPOL frames through to all ports in STP forwarding state when dot1x is globally disabled. Use the no form to restore the default.
CHAPTER 28 | Authentication Commands 802.1X Port Authentication dot1x system-auth-control This command enables IEEE 802.1X port authentication globally on the switch. Use the no form to restore the default.
CHAPTER 28 | Authentication Commands 802.1X Port Authentication dot1x max-reauth-req This command sets the maximum number of times that the switch sends an EAP-request/identity frame to the client before restarting the authentication process. Use the no form to restore the default.
CHAPTER 28 | Authentication Commands 802.1X Port Authentication dot1x operation-mode This command allows hosts (clients) to connect to an 802.1X-authorized port. Use the no form with no keywords to restore the default to single host. Use the no form with the multi-host max-count keywords to restore the default maximum count.
CHAPTER 28 | Authentication Commands 802.1X Port Authentication dot1x port-control This command sets the dot1x mode on a port interface. Use the no form to restore the default. SYNTAX dot1x port-control {auto | force-authorized | force-unauthorized} no dot1x port-control auto – Requires a dot1x-aware connected client to be authorized by the RADIUS server. Clients that are not dot1x-aware will be denied access.
CHAPTER 28 | Authentication Commands 802.1X Port Authentication EXAMPLE Console(config)#interface eth 1/2 Console(config-if)#dot1x re-authentication Console(config-if)# RELATED COMMANDS dot1x timeout re-authperiod (1073) dot1x timeout quiet-period This command sets the time that a switch port waits after the maximum request count (see page 1070) has been exceeded before attempting to acquire a new client. Use the no form to reset the default.
CHAPTER 28 | Authentication Commands 802.1X Port Authentication EXAMPLE Console(config)#interface eth 1/2 Console(config-if)#dot1x timeout re-authperiod 300 Console(config-if)# dot1x timeout supp-timeout This command sets the time that an interface on the switch waits for a response to an EAP request from a client before re-transmitting an EAP packet. Use the no form to reset to the default value. SYNTAX dot1x timeout supp-timeout seconds no dot1x timeout supp-timeout seconds - The number of seconds.
CHAPTER 28 | Authentication Commands 802.1X Port Authentication DEFAULT 30 seconds COMMAND MODE Interface Configuration EXAMPLE Console(config)#interface eth 1/2 Console(config-if)#dot1x timeout tx-period 300 Console(config-if)# dot1x re-authenticate This command forces re-authentication on all ports or a specific interface. SYNTAX dot1x re-authenticate [interface] interface ethernet unit/port unit - Unit identifier. (Range: 1) port - Port number.
CHAPTER 28 | Authentication Commands 802.1X Port Authentication Display Information Commands show dot1x This command shows general port authentication related settings on the switch or a specific interface. SYNTAX show dot1x [statistics] [interface interface] statistics - Displays dot1x status for each port. interface ethernet unit/port unit - Unit identifier. (Range: 1) port - Port number.
CHAPTER 28 | Authentication Commands 802.1X Port Authentication
◆ Authenticator State Machine
■ State – Current state (including initialize, disconnected, connecting, authenticating, authenticated, aborting, held, force_authorized, force_unauthorized).
■ Reauth Count – Number of times connecting state is re-entered.
■ Current Identifier – The integer (0-255) used by the Authenticator to identify the current authentication session.
CHAPTER 28 | Authentication Commands Management IP Filter
802.1X Port Details
802.1X Authenticator is enabled on port 1/1
802.1X Supplicant is disabled on port 1/1
. . .
802.
CHAPTER 28 | Authentication Commands Management IP Filter management This command specifies the client IP addresses that are allowed management access to the switch through various protocols. Use the no form to restore the default setting. SYNTAX [no] management {all-client | http-client | snmp-client | telnet-client} start-address [end-address] all-client - Adds IP address(es) to all groups. http-client - Adds IP address(es) to the web group. snmp-client - Adds IP address(es) to the SNMP group.
show management
This command displays the client IP addresses that are allowed management access to the switch through various protocols.

SYNTAX
show management {all-client | http-client | snmp-client | telnet-client}
all-client - Displays IP addresses for all groups.
http-client - Displays IP addresses for the web group.
snmp-client - Displays IP addresses for the SNMP group.
telnet-client - Displays IP addresses for the Telnet group.
CHAPTER 28 | Authentication Commands PPPoE Intermediate Agent

PPPOE INTERMEDIATE AGENT
This section describes commands used to configure the PPPoE Intermediate Agent (PPPoE IA) relay parameters required for passing authentication messages between a client and broadband remote access servers.
designated by the pppoe intermediate-agent trust command. The BRAS detects the presence of the subscriber’s circuit-Id tag inserted by the switch during the PPPoE discovery phase, and sends this tag as a NAS-Port-Id attribute in PPP authentication and AAA accounting requests to a RADIUS server.
EXAMPLE
Console(config)#pppoe intermediate-agent format-type access-node-identifier billibong
Console(config)#

pppoe intermediate-agent
This command enables the PPPoE IA on an interface. Use the no form to disable this feature.
COMMAND USAGE
◆ The PPPoE server extracts the Line-Id tag from PPPoE discovery stage messages, and uses the Circuit-Id field of that tag as a NAS-Port-Id attribute in AAA access and accounting requests.
◆ The switch intercepts PPPoE discovery frames from the client and inserts a unique line identifier using the PPPoE Vendor-Specific tag (0x0105) into PPPoE Active Discovery Initiation (PADI) and Request (PADR) packets.
EXAMPLE
Console(config)#int ethernet 1/5
Console(config-if)#pppoe intermediate-agent trust
Console(config-if)#

pppoe intermediate-agent
This command enables the stripping of vendor tags from PPPoE Discovery packets sent from a PPPoE server. Use the no form to disable this feature.
EXAMPLE
Console#clear pppoe intermediate-agent statistics
Console#

show pppoe intermediate-agent info
This command displays configuration settings for the PPPoE Intermediate Agent.

SYNTAX
show pppoe intermediate-agent info [interface [interface]]
interface
ethernet unit/port
unit - Stack unit. (Range: 1)
port - Port number.
show pppoe intermediate-agent statistics
This command displays statistics for the PPPoE Intermediate Agent.

SYNTAX
show pppoe intermediate-agent statistics interface [interface]
interface
ethernet unit/port
unit - Stack unit. (Range: 1)
port - Port number.
29 GENERAL SECURITY MEASURES

This switch supports many methods of segregating traffic for clients attached to each of the data ports, and for ensuring that only authorized clients gain access to the network. Port-based authentication using IEEE 802.1X is commonly used for these purposes. In addition to this method, several other options for providing client security are described in this chapter.
CHAPTER 29 | General Security Measures Port Security

PORT SECURITY
These commands can be used to enable port security on a port. When MAC address learning is disabled on an interface, only incoming traffic with source addresses already stored in the dynamic or static address table for this port will be authorized to access the network. When using port security, the switch stops learning new MAC addresses on the specified port when it has reached a configured maximum number.
the system, and no dynamic addresses are subsequently learned until MAC address learning has been re-enabled.
◆ The mac-learning commands cannot be used if 802.1X Port Authentication has been globally enabled on the switch with the dot1x system-auth-control command, or if MAC Address Security has been enabled by the port security command on the same interface.

EXAMPLE
The following example disables MAC address learning for port 2.
COMMAND USAGE
◆ The default maximum number of MAC addresses allowed on a secure port is zero (that is, port security is disabled). To use port security, you must configure the maximum number of addresses allowed on a port using the port security max-mac-count command.
RELATED COMMANDS
show interfaces status (1202)
shutdown (1194)
mac-address-table static (1272)

port security mac-address-as-permanent
This command saves the MAC addresses that port security has learned as static entries.

SYNTAX
port security mac-address-as-permanent [interface interface]
interface - Specifies a port interface.
ethernet unit/port
unit - This is unit 1.
port - Port number.
COMMAND MODE
Privileged Exec

EXAMPLE
This example shows the port security settings and number of secure addresses for all ports.
CHAPTER 29 | General Security Measures Network Access (MAC Address Authentication)

MAC address entries in the MAC Filter table can be learned as secure MAC addresses.
Table 115: Network Access Commands (Continued)
Command                         Function                                                                          Mode
mac-authentication reauth-time  Sets the time period after which a connected MAC address must be re-authenticated GC
network-access dynamic-qos      Enables the dynamic quality of service feature                                    IC
network-access dynamic-vlan     Enables dynamic VLAN assignment from a RADIUS server                              IC
network-access guest-vlan       Specifies the guest VLAN                                                          IC
network-access
COMMAND USAGE
◆ Authenticated MAC addresses are stored as dynamic entries in the switch’s secure MAC address table and are removed when the aging time expires. The address aging time is determined by the mac-address-table aging-time command.
◆ There is no limitation on the number of entries that can be entered in a filter table.

EXAMPLE
Console(config)#network-access mac-filter 1 mac-address 11-22-33-44-55-66
Console(config)#

mac-authentication reauth-time
Use this command to set the time period after which a connected MAC address must be re-authenticated. Use the no form of this command to restore the default value.
COMMAND MODE
Interface Configuration

COMMAND USAGE
◆ The RADIUS server may optionally return dynamic QoS assignments to be applied to a switch port for an authenticated user.
network-access dynamic-vlan
Use this command to enable dynamic VLAN assignment for an authenticated port. Use the no form to disable dynamic VLAN assignment.

SYNTAX
[no] network-access dynamic-vlan

DEFAULT SETTING
Enabled

COMMAND MODE
Interface Configuration

COMMAND USAGE
◆ When enabled, the VLAN identifiers returned by the RADIUS server through the 802.
DEFAULT SETTING
Disabled

COMMAND MODE
Interface Configuration

COMMAND USAGE
◆ The VLAN to be used as the guest VLAN must be defined and set as active (see the vlan database command).
◆ When used with 802.1X authentication, the intrusion-action must be set for “guest-vlan” to be effective (see the dot1x intrusion-action command).
network-access link-detection link-down
Use this command to detect link-down events. When detected, the switch can shut down the port, send an SNMP trap, or both. Use the no form of this command to disable this feature.

SYNTAX
network-access link-detection link-down action [shutdown | trap | trap-and-shutdown]
no network-access link-detection
action - Response to take when port security is violated.
EXAMPLE
Console(config)#interface ethernet 1/1
Console(config-if)#network-access link-detection link-up action trap
Console(config-if)#

network-access link-detection link-up-down
Use this command to detect link-up and link-down events. When either event is detected, the switch can shut down the port, send an SNMP trap, or both. Use the no form of this command to disable this feature.
COMMAND MODE
Interface Configuration

COMMAND USAGE
The maximum number of MAC addresses per port is 1024, and the maximum number of secure MAC addresses supported for the switch system is 1024. When the limit is reached, all new MAC addresses are treated as authentication failures.
◆ When port status changes to down, all MAC addresses are cleared from the secure MAC address table. Static VLAN assignments are not restored.
◆ The RADIUS server may optionally return a VLAN identifier list. The VLAN identifier list is carried in the “Tunnel-Private-Group-ID” attribute. The VLAN list can contain multiple VLAN identifiers in the format “1u,2t,” where “u” indicates an untagged VLAN and “t” a tagged VLAN.
mac-authentication intrusion-action
Use this command to configure the port response to a host MAC authentication failure. Use the no form of this command to restore the default.
clear network-access
Use this command to clear entries from the secure MAC address table.

SYNTAX
clear network-access mac-address-table [static | dynamic] [address mac-address] [interface interface]
static - Specifies static address entries.
dynamic - Specifies dynamic address entries.
mac-address - Specifies a MAC address entry. (Format: xx-xx-xx-xx-xx-xx)
interface - Specifies a port interface.
EXAMPLE
Console#show network-access interface ethernet 1/1
Global secure port information
 Reauthentication Time                 : 1800
 MAC Address Aging                     : Enabled
Port : 1/1
 MAC Authentication                    : Disabl
 MAC Authentication Intrusion Action   :
 MAC Authentication Maximum MAC Counts :
 Maximum MAC Counts                    :
 Dynamic VLAN Assignment               :
 Dynamic QoS Assignment                :
 MAC Filter ID                         :
 Guest VLAN                            :
 Link Detection                        :
 Detection Mode                        :
 Detection Action                      :
Console#
CHAPTER 29 | General Security Measures Web Authentication

00-00-00 to 00-00-01-FF-FF-FF to be displayed. All other MACs would be filtered out.

EXAMPLE
Console#show network-access mac-address-table
Port MAC-Address       RADIUS-Server   Attribute
---- ----------------- --------------- ---------
1/1  00-00-01-02-03-04 172.155.120.17  Static
1/1  00-00-01-02-03-05 172.155.120.17  Dynamic
1/1  00-00-01-02-03-06 172.155.120.17  Static
1/3  00-00-01-02-03-07 172.155.120.
NOTE: RADIUS authentication must be activated and configured for the web authentication feature to work properly (see "Authentication Sequence" on page 1034).

NOTE: Web authentication cannot be configured on trunk ports.
EXAMPLE
Console(config)#web-auth login-attempts 2
Console(config)#

web-auth quiet-period
This command defines the amount of time a host must wait after exceeding the limit for failed login attempts, before it may attempt web authentication again. Use the no form to restore the default.

SYNTAX
web-auth quiet-period time
no web-auth quiet-period
time - The amount of time the host must wait before attempting authentication again.
EXAMPLE
Console(config)#web-auth session-timeout 1800
Console(config)#

web-auth system-auth-control
This command globally enables web authentication for the switch. Use the no form to restore the default.
web-auth re-authenticate (Port)
This command ends all web authentication sessions connected to the port and forces the users to re-authenticate.

SYNTAX
web-auth re-authenticate interface interface
interface - Specifies a port interface.
ethernet unit/port
unit - This is unit 1.
port - Port number.
show web-auth
This command displays global web authentication parameters.

COMMAND MODE
Privileged Exec

EXAMPLE
Console#show web-auth
Global Web-Auth Parameters
 System Auth Control : Enabled
 Session Timeout     : 3600
 Quiet Period        : 60
 Max Login Attempts  : 3
Console#

show web-auth interface
This command displays interface-specific web authentication parameters and statistics.
CHAPTER 29 | General Security Measures DHCPv4 Snooping

show web-auth summary
This command displays a summary of web authentication port parameters and statistics.

COMMAND MODE
Privileged Exec

EXAMPLE
Console#show web-auth summary
Global Web-Auth Parameters
 System Auth Control : Enabled

Port Status   Authenticated Host Count
--------------------------------------
1/ 1 Disabled 0
1/ 2 Enabled  8
1/ 3 Disabled 0
1/ 4 Disabled 0
1/ 5 Disabled 0
. . .
Table 118: DHCP Snooping Commands (Continued)
Command                        Function                                        Mode
show ip dhcp snooping          Shows the DHCP snooping configuration settings  PE
show ip dhcp snooping binding  Shows the DHCP snooping binding table entries   PE

ip dhcp snooping
This command enables DHCP snooping globally. Use the no form to restore the default setting.
■ If DHCP snooping is enabled globally, and also enabled on the VLAN where the DHCP packet is received, but the port is not trusted, it is processed as follows:
■ If the DHCP packet is a reply packet from a DHCP server (including OFFER, ACK or NAK messages), the packet is dropped.
ip dhcp snooping information option
This command enables the use of DHCP Option 82 information for the switch, and specifies the frame format to use for the remote-id when Option 82 information is generated by the switch.
just their MAC address. DHCP client-server exchange messages are then forwarded directly between the server and client without having to flood them to the entire VLAN.
◆ DHCP snooping must be enabled for the DHCP Option 82 information to be inserted into packets. When enabled, the switch will only add/remove Option 82 information in incoming DHCP packets but not relay them.
policy for these packets. The switch can either drop the DHCP packets, keep the existing information, or replace it with the switch’s relay information.

EXAMPLE
Console(config)#ip dhcp snooping information policy drop
Console(config)#

ip dhcp snooping verify mac-address
This command verifies the client’s hardware address stored in the DHCP packet against the source MAC address in the Ethernet header. Use the no form to disable this function.
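The following Python model is an added illustration of the DHCPv4 snooping decisions described in this section; it is not code from this guide or from the switch firmware. It shows how an untrusted port discards server replies, how the optional hardware-address check compares the DHCP chaddr with the Ethernet source MAC, and how the three Option 82 policies (drop, keep, replace) apply to a client packet that already carries relay information. The class and field names, the relay-information stand-in and the sample packets are assumptions constructed for the example.

```python
"""Model of the DHCPv4 snooping decisions described in this section.

Added example, not the switch's implementation: class names, field names,
the relay-information stand-in and the sample packets are constructed here.
"""
from dataclasses import dataclass, field

SERVER_MESSAGES = {"OFFER", "ACK", "NAK"}   # reply types only a server sends
OPTION_82 = 82                               # DHCP relay agent information option


@dataclass
class DhcpPacket:
    eth_src: str                  # source MAC in the Ethernet header
    chaddr: str                   # client hardware address inside the DHCP payload
    msg_type: str                 # DISCOVER, REQUEST, OFFER, ACK, NAK, ...
    options: dict = field(default_factory=dict)   # option code -> value


@dataclass
class SnoopingConfig:
    global_enabled: bool = True                 # ip dhcp snooping
    snooped_vlans: set = field(default_factory=set)   # ip dhcp snooping vlan
    verify_mac: bool = False                    # ip dhcp snooping verify mac-address
    option82: bool = False                      # ip dhcp snooping information option
    policy: str = "replace"                     # information policy: drop | keep | replace
    relay_info: str = "switch-circuit-id"       # constructed stand-in for the inserted sub-options


def snoop(pkt: DhcpPacket, vlan: int, port_trusted: bool, cfg: SnoopingConfig):
    """Return (action, reason); forwarded packets have their options updated in place."""
    # Snooping not active for this VLAN: the frame is switched like any other.
    if not cfg.global_enabled or vlan not in cfg.snooped_vlans:
        return "forward", "snooping not active on this VLAN"
    if port_trusted:
        return "forward", "trusted port"

    # Untrusted port: a server reply arriving here is the rogue-server case.
    if pkt.msg_type in SERVER_MESSAGES:
        return "drop", "server reply received on untrusted port"

    # Optional hardware-address check against the Ethernet source.
    if cfg.verify_mac and pkt.chaddr.lower() != pkt.eth_src.lower():
        return "drop", "chaddr does not match Ethernet source MAC"

    # Option 82 handling for client packets that already carry relay information.
    if cfg.option82:
        if OPTION_82 in pkt.options:
            if cfg.policy == "drop":
                return "drop", "option 82 already present (policy drop)"
            if cfg.policy == "replace":
                pkt.options[OPTION_82] = cfg.relay_info
            # policy keep: the existing information is left untouched
        else:
            pkt.options[OPTION_82] = cfg.relay_info
    return "forward", "client packet"


def demo():
    """Run constructed packets through one configuration and collect the verdicts."""
    cfg = SnoopingConfig(snooped_vlans={1}, verify_mac=True, option82=True, policy="drop")
    cases = {
        "rogue_offer": DhcpPacket("00-11-22-33-44-55", "00-11-22-33-44-55", "OFFER"),
        "spoofed_chaddr": DhcpPacket("00-11-22-33-44-55", "00-aa-bb-cc-dd-ee", "DISCOVER"),
        "pre_tagged": DhcpPacket("00-11-22-33-44-55", "00-11-22-33-44-55", "REQUEST",
                                 {OPTION_82: "foreign-relay"}),
        "clean_discover": DhcpPacket("00-11-22-33-44-55", "00-11-22-33-44-55", "DISCOVER"),
    }
    return {name: snoop(pkt, vlan=1, port_trusted=False, cfg=cfg)[0]
            for name, pkt in cases.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:16s} -> {verdict}")
```

With the policy set to replace instead of drop, the pre-tagged REQUEST is forwarded and its foreign relay information is overwritten by the switch's own value, which is the behaviour the policy command selects.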
ip dhcp snooping vlan
This command enables DHCP snooping on the specified VLAN. Use the no form to restore the default setting.
ip dhcp snooping information option circuit-id
This command specifies DHCP Option 82 circuit-id suboption information. Use the no form to use the default settings.

SYNTAX
ip dhcp snooping information option circuit-id string string
no ip dhcp snooping information option circuit-id
string - An arbitrary string inserted into the circuit identifier field.
■ The ip dhcp snooping information option circuit-id command can be used to modify the default settings described above.

EXAMPLE
This example sets the DHCP Snooping Information circuit-id suboption string.
Console(config)#interface ethernet 1/1
Console(config-if)#ip dhcp snooping information option circuit-id string 4500
Console(config-if)#

ip dhcp snooping trust
This command configures the specified interface as trusted.
EXAMPLE
This example sets port 5 to untrusted.
Console(config)#interface ethernet 1/5
Console(config-if)#no ip dhcp snooping trust
Console(config-if)#

RELATED COMMANDS
ip dhcp snooping (1116)
ip dhcp snooping vlan (1121)

clear ip dhcp snooping binding
This command clears DHCP snooping binding table entries from RAM. Use this command without any optional keywords to clear all entries from the binding table.
ip dhcp snooping database flash
This command writes all dynamically learned snooping entries to flash memory.

COMMAND MODE
Privileged Exec

COMMAND USAGE
This command can be used to store the currently learned dynamic DHCP snooping entries to flash memory. These entries will be restored to the snooping table when the switch is reset.
CHAPTER 29 | General Security Measures DHCPv6 Snooping

show ip dhcp snooping binding
This command shows the DHCP snooping binding table entries.

COMMAND MODE
Privileged Exec

EXAMPLE
Console#show ip dhcp snooping binding
MAC Address       IP Address      Lease(sec) Type                 VLAN Interface
----------------- --------------- ---------- -------------------- ---- ---------
11-22-33-44-55-66 192.168.0.
COMMAND MODE
Global Configuration

COMMAND USAGE
◆ Network traffic may be disrupted when malicious DHCPv6 messages are received from an outside source. DHCPv6 snooping is used to filter DHCPv6 messages received on an unsecure interface from outside the network or firewall.
If a DHCPv6 packet from a client passes the filtering criteria above, it will only be forwarded to trusted ports in the same VLAN.

DHCP Server Packet
■ If a DHCP server packet is received on an untrusted port, drop this packet and add a log entry in the system.
■ If a DHCPv6 Reply packet is received from a server on a trusted port, it will be processed in the following manner:
A.
ipv6 dhcp snooping vlan
This command enables DHCPv6 snooping on the specified VLAN. Use the no form to restore the default setting.

SYNTAX
[no] ipv6 dhcp snooping vlan {vlan-id | vlan-range}
vlan-id - ID of a configured VLAN (Range: 1-4094)
vlan-range - A consecutive range of VLANs indicated by the use of a hyphen, or a random group of VLANs with each entry separated by a comma.
ipv6 dhcp snooping max-binding
This command sets the maximum number of entries which can be stored in the binding database for an interface. Use the no form to restore the default setting.

SYNTAX
ipv6 dhcp snooping max-binding count
no ipv6 dhcp snooping max-binding
count - Maximum number of entries.
untrusted ports within the VLAN according to the default status, or as specifically configured for an interface with the no ipv6 dhcp snooping trust command.
◆ When an untrusted port is changed to a trusted port, all the dynamic DHCPv6 snooping bindings associated with this port are removed.
clear ipv6 dhcp snooping statistics
This command clears statistical counters for DHCPv6 snooping client, server and relay packets.

COMMAND MODE
Privileged Exec

EXAMPLE
Console(config)#clear ipv6 dhcp snooping statistics
Console(config)#

show ipv6 dhcp
This command shows the DHCPv6 snooping configuration settings.
CHAPTER 29 | General Security Measures IPv4 Source Guard

show ipv6 dhcp snooping statistics
This command shows statistics for DHCPv6 snooping client, server and relay packets.
ip source-guard binding
This command adds a static address to the source-guard ACL or MAC address binding table. Use the no form to remove a static entry.

SYNTAX
ip source-guard binding [mode {acl | mac}] mac-address vlan vlan-id ip-address interface ethernet unit/port
no ip source-guard binding [mode {acl | mac}] mac-address vlan vlan-id
mode - Specifies the binding mode.
acl - Adds binding to ACL table.
■ If there is an entry with the same VLAN ID and MAC address, and the type of entry is static IP source guard binding, then the new entry will replace the old one.
■ If there is an entry with the same VLAN ID and MAC address, and the type of the entry is dynamic DHCP snooping binding, then the new entry will replace the old one and the entry type will be changed to static IP source guard binding.
◆ Setting source guard mode to “sip” or “sip-mac” enables this function on the selected port. Use the “sip” option to check the VLAN ID, source IP address, and port number against all entries in the binding table. Use the “sip-mac” option to check these same parameters, plus the source MAC address. Use the no ip source-guard command to disable this function on the selected port.
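The following Python model is an added illustration of the binding table rules and the per-port source guard check described above; it is not code from this guide or from the switch. It implements the two replacement rules for a static binding (a static entry replaces an existing static entry, and a dynamic DHCP snooping entry is replaced and promoted to static), and the filter in “sip” and “sip-mac” mode. The class names, the sample MAC and IP addresses, and the rule that a dynamic entry never displaces a static one are assumptions of the example.

```python
"""IP source guard binding table and per-port check, as an added example.

Not the switch's code: names, sample addresses and the rule that a dynamic
entry never displaces a static one are assumptions made for this example.
"""
from dataclasses import dataclass
from typing import List, Optional

STATIC = "Static-IP-SG-Binding"     # entry type names follow the show output above
DYNAMIC = "Dynamic-DHCP-Binding"


@dataclass
class Binding:
    mac: str
    vlan: int
    ip: str
    port: str       # e.g. "1/1"
    kind: str       # STATIC or DYNAMIC


class BindingTable:
    def __init__(self):
        self.entries: List[Binding] = []

    def find(self, vlan: int, mac: str) -> Optional[Binding]:
        """Entries are keyed by VLAN ID and MAC address."""
        mac = mac.lower()
        for e in self.entries:
            if e.vlan == vlan and e.mac == mac:
                return e
        return None

    def add_static(self, mac: str, vlan: int, ip: str, port: str) -> Binding:
        """ip source-guard binding: replaces any entry with the same VLAN and MAC."""
        new = Binding(mac.lower(), vlan, ip, port, STATIC)
        old = self.find(vlan, mac)
        if old is None:
            self.entries.append(new)
        else:
            # Static replaces static; a dynamic DHCP entry is replaced as well and
            # the resulting entry type becomes static.
            self.entries[self.entries.index(old)] = new
        return new

    def add_dynamic(self, mac: str, vlan: int, ip: str, port: str) -> Optional[Binding]:
        """Entry learned by DHCP snooping (assumption: it never overrides a static one)."""
        old = self.find(vlan, mac)
        if old is not None and old.kind == STATIC:
            return None
        new = Binding(mac.lower(), vlan, ip, port, DYNAMIC)
        if old is None:
            self.entries.append(new)
        else:
            self.entries[self.entries.index(old)] = new
        return new

    def permit(self, mode, vlan: int, src_ip: str, port: str, src_mac: str) -> bool:
        """Per-port check: mode None (disabled), "sip" or "sip-mac"."""
        if mode is None:
            return True
        for e in self.entries:
            # "sip": VLAN, source IP and port must match a binding ...
            if e.vlan == vlan and e.ip == src_ip and e.port == port:
                # ... "sip-mac" additionally requires the source MAC to match.
                if mode == "sip" or e.mac == src_mac.lower():
                    return True
        return False


def demo():
    """Learn a dynamic entry, overwrite it statically, then filter a few frames."""
    t = BindingTable()
    t.add_dynamic("00-ab-11-cd-23-45", 1, "192.168.0.10", "1/1")
    t.add_static("00-AB-11-CD-23-45", 1, "192.168.0.20", "1/1")   # same VLAN/MAC: promoted
    return {
        "entries": len(t.entries),
        "kind": t.entries[0].kind,
        "ip": t.entries[0].ip,
        "sip_ok": t.permit("sip", 1, "192.168.0.20", "1/1", "00-00-00-00-00-01"),
        "sipmac_spoof": t.permit("sip-mac", 1, "192.168.0.20", "1/1", "00-00-00-00-00-01"),
        "sipmac_ok": t.permit("sip-mac", 1, "192.168.0.20", "1/1", "00-ab-11-cd-23-45"),
        "wrong_port": t.permit("sip", 1, "192.168.0.20", "1/2", "00-ab-11-cd-23-45"),
        "disabled": t.permit(None, 1, "10.0.0.1", "1/2", "00-00-00-00-00-02"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:13s}: {value}")
```

The “sip” result shows why “sip-mac” is the stricter choice: a host that takes over another host's IP on the same port passes the “sip” check but fails once the MAC address is included in the comparison.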
RELATED COMMANDS
ip source-guard binding (1134)
ip dhcp snooping (1116)
ip dhcp snooping vlan (1121)

ip source-guard max-binding
This command sets the maximum number of entries that can be bound to an interface. Use the no form to restore the default setting.

SYNTAX
ip source-guard [mode {acl | mac}] max-binding number
no ip source-guard [mode {acl | mac}] max-binding
mode - Specifies the learning mode.
ip source-guard mode
This command sets the source-guard learning mode to search for addresses in the ACL binding table or the MAC address binding table. Use the no form to restore the default setting.

SYNTAX
ip source-guard mode {acl | mac}
no ip source-guard mode
mode - Specifies the learning mode.
acl - Searches for addresses in the ACL table.
mac - Searches for addresses in the MAC address table.
EXAMPLE
This command clears the blocked record table.
Console(config)#clear ip source-guard binding blocked
Console(config)#

show ip source-guard
This command shows whether source guard is enabled or disabled on each interface.

COMMAND MODE
Privileged Exec

EXAMPLE
Console#show ip source-guard
Interface
---------
Eth 1/1
Eth 1/2
Eth 1/3
Eth 1/4
Eth 1/5
. . .
CHAPTER 29 | General Security Measures IPv6 Source Guard

EXAMPLE
Console#show ip source-guard binding
MAC Address       IP Address      Lease(sec) Type           VLAN      Interface
----------------- --------------- ---------- -------------- --------- ---------
00-ab-11-cd-23-45 192.168.0.
interface
ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number. (Range: 1-28)

DEFAULT SETTING
No configured entries

COMMAND MODE
Global Configuration

COMMAND USAGE
◆ Table entries include an associated MAC address, IPv6 global unicast address, lease time, entry type (Static-IP-SG-Binding, Dynamic-ND-Binding, Dynamic-DHCPv6-Binding), VLAN identifier, and port identifier.
RELATED COMMANDS
ipv6 source-guard (1142)
ipv6 dhcp snooping (1126)
ipv6 dhcp snooping vlan (1129)

ipv6 source-guard
This command configures the switch to filter inbound traffic based on the source IP address stored in the binding table. Use the no form to disable this function.
◆ Filtering rules are implemented as follows:
■ If ND snooping and DHCPv6 snooping are disabled, IP source guard will check the VLAN ID, source IPv6 address, and port number. If a matching entry is found in the binding table and the entry type is static IP source guard binding, the packet will be forwarded.
■ If ND snooping or DHCP snooping is enabled, IP source guard will check the VLAN ID, source IP address, and port number.
COMMAND USAGE
◆ This command sets the maximum number of address entries that can be mapped to an interface in the binding table, including both dynamic entries discovered by ND snooping or DHCPv6 snooping, and static entries set by the ipv6 source-guard command.
◆ IPv6 source guard maximum bindings must be set to a value higher than DHCPv6 snooping maximum bindings and ND snooping maximum bindings.
CHAPTER 29 | General Security Measures ARP Inspection

show ipv6 source-guard binding
This command shows the source guard binding table.

SYNTAX
show ipv6 source-guard binding [dynamic | static]
dynamic - Shows dynamic entries configured with ND Snooping or DHCPv6 Snooping commands (see page 1126)
static - Shows static entries configured with the ipv6 source-guard binding command.
Table 123: ARP Inspection Commands (Continued)
Command                               Function                                                       Mode
ip arp inspection limit               Sets a rate limit for the ARP packets received on a port       IC
ip arp inspection trust               Sets a port as trusted, and thus exempted from ARP Inspection  IC
show ip arp inspection configuration  Displays the global configuration settings for ARP Inspection  PE
show ip arp inspection interface      Shows the trust status and inspection rate limit for ports     PE
sho
◆ When ARP Inspection is disabled globally, it is still possible to configure ARP Inspection for individual VLANs. These configuration changes will only become active after ARP Inspection is globally enabled again.

EXAMPLE
Console(config)#ip arp inspection
Console(config)#

ip arp inspection filter
This command specifies an ARP ACL to apply to one or more VLANs. Use the no form to remove an ACL binding.
EXAMPLE
Console(config)#ip arp inspection filter sales vlan 1
Console(config)#

ip arp inspection log-buffer logs
This command sets the maximum number of entries saved in a log message, and the rate at which these messages are sent. Use the no form to restore the default settings.
EXAMPLE
Console(config)#ip arp inspection log-buffer logs 1 interval 10
Console(config)#

ip arp inspection validate
This command specifies additional validation of address components in an ARP packet. Use the no form to restore the default setting.
ip arp inspection vlan
This command enables ARP Inspection for a specified VLAN or range of VLANs. Use the no form to disable this function.

SYNTAX
[no] ip arp inspection vlan {vlan-id | vlan-range}
vlan-id - VLAN ID. (Range: 1-4094)
vlan-range - A consecutive range of VLANs indicated by the use of a hyphen, or a random group of VLANs with each entry separated by a comma.
ip arp inspection limit
This command sets a rate limit for the ARP packets received on a port. Use the no form to restore the default setting.

SYNTAX
ip arp inspection limit {rate pps | none}
no ip arp inspection limit
pps - The maximum number of ARP packets that can be processed by the CPU per second.
EXAMPLE
Console(config)#interface ethernet 1/1
Console(config-if)#ip arp inspection trust
Console(config-if)#

show ip arp inspection configuration
This command displays the global configuration settings for ARP Inspection.
show ip arp inspection log
This command shows information about entries stored in the log, including the associated VLAN, port, and address components.

COMMAND MODE
Privileged Exec

EXAMPLE
Console#show ip arp inspection log
Total log entries number is 1
Num VLAN Port Src IP Address  Dst IP Address
--- ---- ---- --------------- ---------------
1   1    11   192.168.2.2     192.168.2.
Console#
CHAPTER 29 | General Security Measures Denial of Service Protection

EXAMPLE
Console#show ip arp inspection vlan 1
VLAN ID  DAI Status       ACL Name             ACL Status
-------- ---------------- -------------------- --------------------
1        disabled         sales                static
Console#

DENIAL OF SERVICE PROTECTION
A denial-of-service attack (DoS attack) is an attempt to block the services provided by a computer or network resource. This kind of attack tries to prevent an Internet site or service from functioning efficiently or at all.
EXAMPLE
Console(config)#dos-protection land
Console(config)#

dos-protection tcp-null-scan
This command protects against DoS TCP-null-scan attacks in which a TCP NULL scan message is used to identify listening TCP ports. The scan uses a series of strangely configured TCP packets which contain a sequence number of 0 and no flags. If the target's TCP port is closed, the target replies with a TCP RST (reset) packet.
dos-protection tcp-xmas-scan
This command protects against DoS TCP-xmas-scan attacks in which a so-called TCP XMAS scan message is used to identify listening TCP ports. This scan uses a series of strangely configured TCP packets which contain a sequence number of 0 and the URG, PSH and FIN flags. If the target's TCP port is closed, the target replies with a TCP RST packet. If the target TCP port is open, it simply discards the TCP XMAS scan.
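The following Python classifier is an added illustration of the two patterns the tcp-null-scan and tcp-xmas-scan protections look for; it is not code from this guide or from the switch. It reads a TCP header, isolates the sequence number and the six control flags (the field the ACL chapter of this guide calls byte 14 of the TCP header), and labels a segment the way a monitor applying these two checks would. The helper that builds the sample headers, the function names and the sample port numbers are assumptions constructed for the example.

```python
"""Classifier for the TCP NULL and XMAS scan patterns described above.

Added example, not the switch's implementation. The sample segments are
built in memory so the classifier can be exercised offline.
"""
import struct

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
XMAS_FLAGS = URG | PSH | FIN
FLAG_MASK = 0x3F               # the six classic control bits of the flags byte
TCP_HEADER_LEN = 20


def tcp_flags(segment: bytes) -> int:
    """Six control bits, taken from the low bits of the 16-bit offset/flags word."""
    (off_flags,) = struct.unpack("!H", segment[12:14])
    return off_flags & FLAG_MASK


def classify(segment: bytes) -> str:
    """Return 'null-scan', 'xmas-scan', 'short' or 'normal' for one TCP segment."""
    if len(segment) < TCP_HEADER_LEN:
        return "short"
    (seq,) = struct.unpack("!I", segment[4:8])
    flags = tcp_flags(segment)
    # NULL scan: sequence number 0 and no control flags set.
    if seq == 0 and flags == 0:
        return "null-scan"
    # XMAS scan: sequence number 0 with exactly URG, PSH and FIN set.
    if seq == 0 and flags == XMAS_FLAGS:
        return "xmas-scan"
    return "normal"


def make_segment(sport: int, dport: int, seq: int, flags: int) -> bytes:
    """Minimal 20-byte TCP header without options (constructed test input)."""
    data_offset_words = 5                      # header length in 32-bit words
    return struct.pack("!HHIIHHHH", sport, dport, seq, 0,
                       (data_offset_words << 12) | flags, 65535, 0, 0)


def summarize(segments) -> dict:
    """Count how many segments fall into each class, as a monitor would report."""
    counts = {}
    for seg in segments:
        label = classify(seg)
        counts[label] = counts.get(label, 0) + 1
    return counts


if __name__ == "__main__":
    sample = [
        make_segment(40000, 80, 0, 0),                 # NULL probe
        make_segment(40001, 22, 0, URG | PSH | FIN),   # XMAS probe
        make_segment(40002, 443, 0, SYN),              # ordinary connection attempt
        make_segment(40003, 443, 12345, ACK | PSH),    # established-flow data
    ]
    print(summarize(sample))
```

Both checks require the sequence number to be zero as well as the flag pattern, so an ordinary SYN whose initial sequence number happens to be zero is still classified as normal traffic.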
CHAPTER 29 | General Security Measures Configuring Port-based Traffic Segmentation

CONFIGURING PORT-BASED TRAFFIC SEGMENTATION
If tighter security is required for passing traffic from different clients through downlink ports on the local network and over uplink ports to the service provider, port-based traffic segmentation can be used to isolate traffic for individual clients. Traffic belonging to each client is isolated to the allocated downlink ports.
◆ When traffic segmentation is enabled, the forwarding state for the uplink and downlink ports assigned to different client sessions is shown below.
COMMAND MODE
Global Configuration

COMMAND USAGE
◆ Use this command to create a new traffic-segmentation client session.
◆ Using the no form of this command will remove any assigned uplink or downlink ports, restoring these interfaces to normal operating mode.
◆ A downlink port can only communicate with an uplink port in the same session. Therefore, if an uplink port is not configured for a session, the assigned downlink ports will not be able to communicate with any other ports.
◆ If a downlink port is not configured for the session, the assigned uplink ports will operate as normal ports.
show
This command displays the configured traffic segments.
30 ACCESS CONTROL LISTS

Access Control Lists (ACL) provide packet filtering for IPv4 frames (based on address, protocol, Layer 4 protocol port number or TCP control code), IPv6 frames (based on address, DSCP traffic class, next header type, or flow label), or any frames (based on MAC address or Ethernet type). To filter packets, first create an access list, add the required rules, and then bind the list to a specific port. This section describes the Access Control List commands.
CHAPTER 30 | Access Control Lists IPv4 ACLs access-list ip This command adds an IP access list and enters configuration mode for standard or extended IPv4 ACLs. Use the no form to remove the specified ACL. SYNTAX [no] access-list ip {standard | extended} acl-name standard – Specifies an ACL that filters packets based on the source IP address. extended – Specifies an ACL that filters packets based on the source or destination IP address, and other more specific criteria. acl-name – Name of the ACL.
permit, deny (Standard IP ACL) This command adds a rule to a Standard IPv4 ACL. The rule sets a filter condition for packets emanating from the specified source. Use the no form to remove a rule. SYNTAX {permit | deny} {any | source bitmask | host source} [time-range time-range-name] no {permit | deny} {any | source bitmask | host source} any – Any source IP address. source – Source IP address.
permit, deny (Extended IPv4 ACL) This command adds a rule to an Extended IPv4 ACL. The rule sets a filter condition for packets with specific source or destination IP addresses, protocol types, source or destination protocol ports, or TCP control codes. Use the no form to remove a rule.
port-bitmask – Decimal number representing the port bits to match. (Range: 0-65535) control-flags – Decimal number (representing a bit string) that specifies flag bits in byte 14 of the TCP header. (Range: 0-63) flag-bitmask – Decimal number representing the code bits to match. time-range-name – Name of the time range. (Range: 1-30 characters) DEFAULT SETTING None COMMAND MODE Extended IPv4 ACL COMMAND USAGE ◆ All new rules are appended to the end of the list.
EXAMPLE This example accepts any incoming packets if the source address is within subnet 10.7.1.x. The rule is matched when the rule's masked address (10.7.1.0 & 255.255.255.0) equals the packet's masked source address (for example 10.7.1.2 & 255.255.255.0); a matching packet passes through. Console(config-ext-acl)#permit 10.7.1.1 255.255.255.0 any Console(config-ext-acl)# This allows TCP packets from class C addresses 192.168.1.
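To show how the bitmask comparison above behaves in practice, the following added Python example (not part of this guide or of the switch software) evaluates a Standard IPv4 ACL built from the rules shown in this chapter, including a non-contiguous bitmask such as 255.255.15.0, which a prefix-length model would get wrong. The action taken for a packet that matches no rule is an assumption made here, as the guide does not state one.

```python
import ipaddress
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Rule:
    action: str    # "permit" or "deny"
    address: int   # rule source address as a 32-bit integer (0 for "any")
    bitmask: int   # address bits that must match: 0 for "any", all ones for "host"


def _to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def parse_rule(text: str) -> Rule:
    """Parse a Standard IPv4 ACL rule in the guide's form:
    '{permit | deny} {any | source bitmask | host source}'."""
    tokens = text.split()
    if len(tokens) < 2 or tokens[0] not in ("permit", "deny"):
        raise ValueError(f"unrecognised rule: {text!r}")
    action, args = tokens[0], tokens[1:]
    if args == ["any"]:
        return Rule(action, 0, 0)
    if len(args) == 2 and args[0] == "host":
        return Rule(action, _to_int(args[1]), 0xFFFFFFFF)
    if len(args) == 2:
        return Rule(action, _to_int(args[0]), _to_int(args[1]))
    raise ValueError(f"unrecognised rule: {text!r}")


def matches(rule: Rule, source: str) -> bool:
    """The comparison the guide describes: the rule matches when
    (rule address & bitmask) equals (packet source address & bitmask).
    The bitmask is ANDed bit by bit, so it need not be a contiguous prefix."""
    return (rule.address & rule.bitmask) == (_to_int(source) & rule.bitmask)


def evaluate(rules: List[Rule], source: str, default: str = "deny") -> str:
    """Rules are checked in list order (new rules are appended to the end) and the
    first match decides. Assumption: a packet matching no rule gets `default`."""
    for rule in rules:
        if matches(rule, source):
            return rule.action
    return default


# Constructed ACL made of the rules that appear in this chapter's examples.
ACL_DAVID = [parse_rule(r) for r in (
    "permit host 10.1.1.21",
    "permit 168.92.0.0 255.255.15.0",
    "permit 10.7.1.1 255.255.255.0",
)]

if __name__ == "__main__":
    for src in ("10.1.1.21", "10.1.1.22", "168.92.16.7", "168.92.5.3", "10.7.1.2"):
        print(f"{src:>12} -> {evaluate(ACL_DAVID, src)}")
```

Note that 168.92.16.7 matches the second rule (16 & 15 == 0) while 168.92.5.3 does not (5 & 15 == 5), which is why the guide's show output prints the mask rather than a prefix length.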
COMMAND MODE Interface Configuration (Ethernet) COMMAND USAGE If an ACL is already bound to a port and you bind a different ACL to it, the switch will replace the old binding with the new one. EXAMPLE Console(config)#int eth 1/2 Console(config-if)#ip access-group david in Console(config-if)# RELATED COMMANDS show ip access-list (1169) Time Range (957) show ip This command shows the ports assigned to IP ACLs.
CHAPTER 30 | Access Control Lists IPv6 ACLs EXAMPLE Console#show ip access-list standard IP standard access-list david: permit host 10.1.1.21 permit 168.92.0.0 255.255.15.0 Console# RELATED COMMANDS permit, deny (1165) ip access-group (1168) IPV6 ACLS The commands in this section configure ACLs based on IPv6 address, DSCP traffic class, next header type, or flow label.
COMMAND MODE Global Configuration COMMAND USAGE ◆ When you create a new ACL or enter configuration mode for an existing ACL, use the permit or deny command to add new rules to the bottom of the list. To create an ACL, you must add at least one rule to the list. ◆ To remove a rule, use the no permit or no deny command followed by the exact text of a previously configured rule. ◆ An ACL can contain up to 64 rules.
DEFAULT SETTING None COMMAND MODE Standard IPv6 ACL COMMAND USAGE New rules are appended to the end of the list. EXAMPLE This example configures one permit rule for the specific address 2009:DB9:2229::79 and another rule for the addresses with the network prefix 2009:DB9:2229:5::/64.
flow-label – A label for packets belonging to a particular traffic “flow” for which the sender requests special handling by IPv6 routers, such as non-default quality of service or “real-time” service (see RFC 2460). (Range: 0-16777215) next-header – Identifies the type of header immediately following the IPv6 header. (Range: 0-255) time-range-name – Name of the time range.
EXAMPLE This example accepts any incoming packets if the destination address is 2009:DB9:2229::79/8. Console(config-ext-ipv6-acl)#permit 2009:DB9:2229::79/8 Console(config-ext-ipv6-acl)# This allows packets to any destination address when the DSCP value is 5. Console(config-ext-ipv6-acl)#permit any dscp 5 Console(config-ext-ipv6-acl)# This allows any packets sent to the destination 2009:DB9:2229::79/48 when the flow label is 43.
DEFAULT SETTING None COMMAND MODE Interface Configuration (Ethernet) COMMAND USAGE If a port is already bound to an ACL and you bind it to a different ACL, the switch will replace the old binding with the new one. EXAMPLE Console(config)#interface ethernet 1/2 Console(config-if)#ipv6 access-group standard david in Console(config-if)# RELATED COMMANDS show ipv6 access-list (1175) Time Range (957) show ipv6 This command shows the ports assigned to IPv6 ACLs.
CHAPTER 30 | Access Control Lists MAC ACLs EXAMPLE Console#show ipv6 access-list standard IPv6 standard access-list david: permit host 2009:DB9:2229::79 permit 2009:DB9:2229:5::/64 Console# MAC ACLS The commands in this section configure ACLs based on hardware addresses, packet format, and Ethernet type. To configure MAC ACLs, first create an access list containing the required permit or deny rules, and then bind the access list to one or more ports.
◆ An ACL can contain up to 128 rules. EXAMPLE Console(config)#access-list mac jerry Console(config-mac-acl)# RELATED COMMANDS permit, deny (1177) mac access-group (1179) show mac access-list (1180) permit, deny (MAC ACL) This command adds a rule to a MAC ACL. The rule filters packets matching a specified MAC source or destination address (i.e., physical layer address), or Ethernet protocol type. Use the no form to remove a rule.
{permit | deny} tagged-802.3 {any | host source | source address-bitmask} {any | host destination | destination address-bitmask} [vid vid vid-bitmask] [time-range time-range-name] no {permit | deny} tagged-802.3 {any | host source | source address-bitmask} {any | host destination | destination address-bitmask} [vid vid vid-bitmask] {permit | deny} untagged-802.
◆ A detailed listing of Ethernet protocol types can be found in RFC 1060. A few of the more common types include the following: ■ 0800 - IP ■ 0806 - ARP ■ 8137 - IPX EXAMPLE This rule permits packets from any source MAC address to the destination address 00-e0-29-94-34-de where the Ethernet type is 0800.
RELATED COMMANDS show mac access-list (1180) Time Range (957) show mac access-group This command shows the ports assigned to MAC ACLs. COMMAND MODE Privileged Exec EXAMPLE Console#show mac access-group Interface ethernet 1/5 MAC access-list M5 in Console# RELATED COMMANDS mac access-group (1179) show mac access-list This command displays the rules for configured MAC ACLs. SYNTAX show mac access-list [acl-name] acl-name – Name of the ACL.
CHAPTER 30 | Access Control Lists ARP ACLs ARP ACLS The commands in this section configure ACLs based on the IP or MAC address contained in ARP request and reply messages. To configure ARP ACLs, first create an access list containing the required permit or deny rules, and then bind the access list to one or more VLANs using the ip arp inspection vlan command.
permit, deny (ARP ACL) This command adds a rule to an ARP ACL. The rule filters packets matching a specified source or destination address in ARP messages. Use the no form to remove a rule. SYNTAX [no] {permit | deny} ip {any | host source-ip | source-ip ip-address-bitmask} mac {any | host source-mac | source-mac mac-address-bitmask} [log] This form indicates either request or response packets.
EXAMPLE This rule permits packets from any source IP and MAC address to the destination subnet address 192.168.0.0. Console(config-arp-acl)#$permit response ip any 192.168.0.0 255.255.0.0 mac any any Console(config-arp-acl)# RELATED COMMANDS access-list arp (1181) show access-list arp This command displays the rules for configured ARP ACLs. SYNTAX show access-list arp [acl-name] acl-name – Name of the ACL.
CHAPTER 30 | Access Control Lists ACL Information ACL INFORMATION This section describes commands used to display ACL information. Table 132: ACL Information Commands Command Function Mode clear access-list hardware counters Clears hit counter for rules in all ACLs, or in a specified ACL.
MAC access-list jerry Console# show access-list This command shows all ACLs and associated rules. SYNTAX show access-list [[arp [acl-name]] | [ip [extended [acl-name] | standard [acl-name]] | [ipv6 [extended [acl-name] | standard [acl-name]] | [mac [acl-name]] | [tcam-utilization] | [hardware counters]] arp – Shows ingress or egress rules for ARP ACLs. hardware counters – Shows statistics for all ACLs.
31 INTERFACE COMMANDS These commands are used to display or set communication parameters for an Ethernet port, aggregated link, or VLAN; or perform cable diagnostics on the specified interface.
CHAPTER 31 | Interface Commands Interface Configuration Table 133: Interface Commands (Continued)
Command / Function / Mode
transceiver-threshold rx-power / Sends a trap when the power level of the received signal power falls outside the specified thresholds / IC
transceiver-threshold temperature / Sends a trap when the transceiver temperature falls outside the specified thresholds / IC
transceiver-threshold tx-power / Sends a trap when the power level of the transmitted signal power outside the specified thre
EXAMPLE To specify port 4, enter the following command: Console(config)#interface ethernet 1/4 Console(config-if)# alias This command configures an alias name for the interface. Use the no form to remove the alias name. SYNTAX alias string no alias string – A mnemonic name to help you remember what is attached to this interface.
DEFAULT SETTING 100Base-FX (SFP): 100full 1000BASE-SX/LX/LH (SFP): 1000full 10GBASE-SR/LR/ER (XFP/SFP+): 10Gfull COMMAND MODE Interface Configuration (Ethernet, Port Channel) COMMAND USAGE ◆ 100Base-FX (SFP) connections are fixed at 100Mbps, full duplex; 1000BASE-SFP connections at 1000Mbps, full duplex; and 10GBASE-XFP and 10GBASE-SFP+ connections at 10G, full duplex.
COMMAND USAGE The description is displayed by the show interfaces status command and in the running-configuration file. An example of the value which a network manager might store in this object is the name of the manufacturer, and the product name. EXAMPLE The following example adds a description to port 4.
DEFAULT SETTING Disabled COMMAND MODE Interface Configuration (Ethernet, Port Channel) COMMAND USAGE ◆ Flow control can eliminate frame loss by “blocking” traffic from end stations or segments connected directly to the switch when its buffers fill. When enabled, back pressure is used for half-duplex operation and IEEE 802.3-2002 (formerly IEEE 802.3x) for full-duplex operation.
1day - 1 day interval, 7 buckets COMMAND MODE Interface Configuration (Ethernet, Port Channel) EXAMPLE This example sets an interval of 15 minutes for sampling standard statistical values on port 1. Console(config)#interface ethernet 1/1 Console(config-if)#history 15min 15 10 Console(config-if)# media-type This command forces the transceiver mode to use for SFP ports. Use the no form to restore the default mode.
negotiation This command enables auto-negotiation for a given interface. Use the no form to disable auto-negotiation. SYNTAX [no] negotiation DEFAULT SETTING Enabled COMMAND MODE Interface Configuration (Ethernet, Port Channel) COMMAND USAGE ◆ When auto-negotiation is enabled the switch will negotiate the best settings for a link based on the capabilities command.
COMMAND USAGE This command allows you to disable a port due to abnormal behavior (e.g., excessive collisions), and then re-enable it after the problem has been resolved. You may also want to disable a port for security reasons. EXAMPLE The following example disables port 5.
◆ For other traffic types, calculation of overall frame size is basically the same, including the additional header fields SA(6) + DA(6) + Type(2) + VLAN-Tag(4) (for tagged packets; for untagged packets the switch does not add the 4-byte field), and the payload. This should all be less than the configured port MTU, including the CRC at the end of the frame.
statistics displayed will show the absolute value accumulated since the last power reset. EXAMPLE The following example clears statistics on port 5. Console#clear counters ethernet 1/5 Console# show discard This command displays whether or not CDP and PVST packets are being discarded. COMMAND MODE Privileged Exec EXAMPLE In this example, “Default” means that the packets are not discarded.
show interfaces counters This command displays interface statistics. SYNTAX show interfaces counters [interface] interface ethernet unit/port unit - Unit identifier. (Range: 1) port - Port number. (Range: 1-28) port-channel channel-id (Range: 1-8) vlan vlan-id (Range: 1-4094) DEFAULT SETTING Shows the counters for all interfaces.
0 Symbol Errors
0 Pause Frames Input
0 Pause Frames Output
===== RMON Stats =====
0 Drop Events
16900558 Octets
40243 Packets
170 Broadcast PKTS
23 Multi-cast PKTS
0 Undersize PKTS
0 Oversize PKTS
0 Fragments
0 Jabbers
0 CRC Align Errors
0 Collisions
21065 Packet Size <= 64 Octets
3805 Packet Size 65 to 127 Octets
2448 Packet Size 128 to 255 Octets
797 Packet Size 256 to 511 Octets
2941 Packet Size 512 to 1023 Octets
9187 Packet Size 1024 to 1518 Oct
DEFAULT SETTING Shows historical statistics for all interfaces, intervals, ingress traffic, and egress traffic. COMMAND MODE Privileged Exec COMMAND USAGE If no interface is specified, information on all interfaces is displayed. For a description of the items displayed by this command, see "Showing Port or Trunk Statistics" on page 192. EXAMPLE This example shows the statistics recorded for all named entries in the sampling table.
Octets Output   Unicast   Multicast   Broadcast
648387890       819696    358285      8921
Discards   Errors
0          0
Interface         : Eth 1/ 1
Name              : 1day
Interval          : 1440 minute(s)
Buckets Requested : 7
Buckets Granted   : 0
Status            : Active
Current Entries
Start Time     Octets Input   Unicast   Multicast   Broadcast
00d 00:00:01   1563328011
Discards   Errors
0          0
Previous Entries
Start Time     Octets Input   Unicast   Multicast   Broadcast
00d 00:05:37   1400912        9381      1895        50
00d 00:06:37   1566090        10660     2195        50
00d 00:07:37   1754781        11786     2674        59
Start Time     Octets Input   Discards   Errors   Unknown Proto
00d 00:05:37   1400912        0          0        0
00d 00:06:37   1566
EXAMPLE Console#show interfaces status ethernet 1/1
Information of Eth 1/1
Basic Information:
Port Type : 1000Base SFP
MAC Address : 00-00-0C-00-00-FE
Configuration:
Name :
Port Admin : Up
Speed-duplex : Auto
Capabilities : 1000full
Broadcast Storm : Enabled
Broadcast Storm Limit : 500 packets/second
Multicast Storm : Disabled
Multicast Storm Limit : 262143 packets/second
Unknown Unicast Storm : Disabled
Unknown Unicast Storm Limit : 262143 packets/s
EXAMPLE This example shows the configuration setting for port 1.
CHAPTER 31 | Interface Commands Transceiver Threshold Configuration Table 134: show interfaces switchport - display description (Continued)
Field / Description
Allowed VLAN / Shows the VLANs this interface has joined, where “(u)” indicates untagged and “(t)” indicates tagged (page 1347).
Forbidden VLAN / Shows the VLANs this interface cannot dynamically join via GVRP (page 1340).
Private-VLAN Mode / Shows the private VLAN mode as host, promiscuous, or none (1369).
transceiver-threshold-monitor This command sends a trap when any of the transceiver’s operational values fall outside of specified thresholds. Use the no form to disable trap messages.
the current value is greater than or equal to the threshold, and the last sample value was less than the threshold. After a rising event has been generated, another such event will not be generated until the sampled value has fallen below the high threshold and reaches the low threshold.
DEFAULT SETTING High Alarm: -3.00 dBm High Warning: -3.50 dBm Low Warning: -21.00 dBm Low Alarm: -21.50 dBm COMMAND MODE Interface Configuration (Ethernet) COMMAND USAGE ◆ The threshold value is the power ratio in decibels (dB) of the measured power referenced to one milliwatt (mW). ◆ Refer to the Command Usage section under the transceiver-threshold current command for more information on configuring transceiver thresholds.
DEFAULT SETTING High Alarm: 75.00 °C High Warning: 70.00 °C Low Alarm: -123.00 °C Low Warning: 0.00 °C COMMAND MODE Interface Configuration (Ethernet) COMMAND USAGE ◆ Refer to the Command Usage section under the transceiver-threshold current command for more information on configuring transceiver thresholds.
Low Warning: -21.00 dBm Low Alarm: -21.50 dBm COMMAND MODE Interface Configuration (Ethernet) COMMAND USAGE ◆ The threshold value is the power ratio in decibels (dB) of the measured power referenced to one milliwatt (mW). ◆ Refer to the Command Usage section under the transceiver-threshold current command for more information on configuring transceiver thresholds.
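The rising-event rule stated above, as an added Python example that is not part of this guide or the switch software: a monitor generates a rising event only when a sample reaches the high threshold from below, and then stays silent until the value has fallen back to the low threshold. Pairing the High Alarm default (-3.00 dBm) as the high threshold with the High Warning default (-3.50 dBm) as the re-arm level, and treating a first sample that is already above the threshold as a crossing, are assumptions made for the illustration.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class RisingEventMonitor:
    """Generates a rising event when a sampled value reaches `high` from below,
    then suppresses further rising events until the value has come back down
    to `low` (the hysteresis described for transceiver threshold traps)."""
    high: float                  # rising threshold, e.g. a High Alarm level
    low: float                   # level the value must reach again to re-arm
    armed: bool = True
    last: Optional[float] = None

    def sample(self, value: float) -> bool:
        """Record one sample; return True if it generates a rising event."""
        # A crossing: current value >= threshold and the last sample < threshold.
        # Assumption: with no previous sample, a value already at or above the
        # threshold counts as a crossing.
        crossed = value >= self.high and (self.last is None or self.last < self.high)
        event = crossed and self.armed
        if event:
            self.armed = False
        # Re-arm only once the value has fallen below high and reached low.
        if not self.armed and value <= self.low:
            self.armed = True
        self.last = value
        return event


def rising_events(samples: List[float], high: float, low: float) -> List[int]:
    """Indices of the samples in `samples` that generate a rising event."""
    monitor = RisingEventMonitor(high, low)
    return [i for i, value in enumerate(samples) if monitor.sample(value)]


# Constructed TX power readings in dBm. The reading at index 5 crosses the high
# threshold again but is suppressed because the value never reached -3.50 dBm
# after the first event; the dip to -3.60 dBm at index 6 re-arms the monitor.
SAMPLE_DBM = [-4.0, -3.2, -2.9, -2.8, -3.2, -2.9, -3.6, -3.0, -2.5]

if __name__ == "__main__":
    print(rising_events(SAMPLE_DBM, high=-3.0, low=-3.5))  # [2, 7]
```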
COMMAND MODE Interface Configuration (Ethernet) COMMAND USAGE ◆ Refer to the Command Usage section under the transceiver-threshold current command for more information on configuring transceiver thresholds. ◆ Trap messages enabled by the transceiver-threshold-monitor command are sent to any management station configured by the snmp-server host command.
EXAMPLE Console#show interfaces transceiver ethernet 1/25
Information of Eth 1/25
Connector Type : LC
Fiber Type : Multimode 50um (M5), Multimode 62.5um (M6)
Eth Compliance Codes : 1000BASE-SX
Baud Rate : 2100 MBd
Vendor OUI : 00-90-65
Vendor Name : FINISAR CORP.
Vendor PN : FTLF8519P2BNL
Vendor Rev : A
Vendor SN : PFS4U5F
Date Code : 09-07-02
DDM Info
Temperature : 11.54 degree C
Vcc : 3.25 V
Bias Current : 7.21 mA
TX Power : -4.
supply voltage, laser bias current, laser power, received optical power, and related alarm thresholds. ◆ The DDM thresholds displayed by this command only apply to ports which have a DDM-compliant transceiver inserted.
32 LINK AGGREGATION COMMANDS Ports can be statically grouped into an aggregate link (i.e., trunk) to increase the bandwidth of a network connection or to ensure fault recovery. Or you can use the Link Aggregation Control Protocol (LACP) to automatically negotiate a trunk link between this switch and another network device. For static trunks, the switches have to comply with the Cisco EtherChannel standard. For dynamic trunks, the switches have to comply with LACP. This switch supports up to 8 trunks.
CHAPTER 32 | Link Aggregation Commands Manual Configuration Commands ◆ The ports at both ends of a connection must be configured as trunk ports. ◆ All ports in a trunk must be configured in an identical manner, including communication mode (i.e., speed and duplex mode), VLAN assignments, and CoS settings. ◆ Any of the Gigabit ports on the front panel can be trunked together, including ports of different media types.
DEFAULT SETTING src-dst-ip COMMAND MODE Global Configuration COMMAND USAGE ◆ This command applies to all static and dynamic trunks on the switch.
CHAPTER 32 | Link Aggregation Commands Dynamic Configuration Commands channel-group This command adds a port to a trunk. Use the no form to remove a port from a trunk. SYNTAX channel-group channel-id no channel-group channel-id - Trunk index (Range: 1-8) DEFAULT SETTING The current port will be added to this trunk. COMMAND MODE Interface Configuration (Ethernet) COMMAND USAGE ◆ When configuring static trunks, the switches must comply with the Cisco EtherChannel standard.
COMMAND USAGE ◆ The ports on both ends of an LACP trunk must be configured for full duplex, either by forced mode or auto-negotiation. ◆ A trunk formed with another switch using LACP will automatically be assigned the next available port-channel ID. ◆ If the target switch has also enabled LACP on the connected ports, the trunk will be activated automatically.
lacp admin-key (Ethernet Interface) This command configures a port's LACP administration key. Use the no form to restore the default setting. SYNTAX lacp {actor | partner} admin-key key no lacp {actor | partner} admin-key actor - The local side of an aggregate link. partner - The remote side of an aggregate link. key - The port admin key must be set to the same value for ports that belong to the same link aggregation group (LAG).
lacp port-priority This command configures LACP port priority. Use the no form to restore the default setting. SYNTAX lacp {actor | partner} port-priority priority no lacp {actor | partner} port-priority actor - The local side of an aggregate link. partner - The remote side of an aggregate link. priority - LACP port priority is used to select a backup link.
lacp system-priority This command configures a port's LACP system priority. Use the no form to restore the default setting. SYNTAX lacp {actor | partner} system-priority priority no lacp {actor | partner} system-priority actor - The local side of an aggregate link. partner - The remote side of an aggregate link.
DEFAULT SETTING 0 COMMAND MODE Interface Configuration (Port Channel) COMMAND USAGE ◆ Ports are only allowed to join the same LAG if (1) the LACP system priority matches, (2) the LACP port admin key matches, and (3) the LACP port channel key matches (if configured). ◆ If the port channel admin key (lacp admin key - Port Channel) is not set when a channel group is formed (i.e.
CHAPTER 32 | Link Aggregation Commands Trunk Status Display Commands ◆ If the actor does not receive an LACPDU from its partner before the configured timeout expires, the partner port information will be deleted from the LACP group. ◆ When a dynamic port-channel member leaves a port-channel, the default timeout value will be restored on that port. ◆ When a dynamic port-channel is torn down, the configured timeout value will be retained.
EXAMPLE Console#show lacp 1 counters
Port Channel: 1
------------------------------------------------------------------------
Eth 1/ 2
------------------------------------------------------------------------
LACPDUs Sent : 12
LACPDUs Received : 6
Marker Sent : 0
Marker Received : 0
LACPDUs Unknown Pkts : 0
LACPDUs Illegal Pkts : 0
. . .
Table 137: show lacp internal - display description (Continued)
Field / Description
LACP System Priority / LACP system priority assigned to this port channel.
LACP Port Priority / LACP port priority assigned to this interface within the channel group.
Table 138: show lacp neighbors - display description (Continued)
Field / Description
Partner Oper Port Number / Operational port number assigned to this aggregation port by the port’s protocol partner.
Port Admin Priority / Current administrative value of the port priority for the protocol partner.
Port Oper Priority / Priority value assigned to this aggregation port by the partner.
show port-channel load-balance This command shows the load-distribution method used on aggregated links.
33 PORT MIRRORING COMMANDS Data can be mirrored from a local port on the same switch or from a remote port on another switch for analysis at the target port using software monitoring tools or a hardware probe. This switch supports the following mirroring modes.
CHAPTER 33 | Port Mirroring Commands Local Port Mirroring Commands DEFAULT SETTING ◆ No mirror session is defined. ◆ When enabled for an interface, default mirroring is for both received and transmitted packets. COMMAND MODE Interface Configuration (Ethernet, destination port) COMMAND USAGE ◆ You can mirror traffic from any source port to a destination port for real-time analysis.
CHAPTER 33 | Port Mirroring Commands RSPAN Mirroring Commands mac-address - MAC address in the form of xx-xx-xx-xx-xx-xx or xxxxxxxxxxxx. DEFAULT SETTING Shows all sessions. COMMAND MODE Privileged Exec COMMAND USAGE This command displays the currently configured source port, destination port, and mirror mode (i.e., RX, TX, RX/TX).
Configuration Guidelines Take the following steps to configure an RSPAN session: 1. Use the vlan rspan command to configure a VLAN to use for RSPAN. (Default VLAN 1 and switch cluster VLAN 4093 are prohibited.) 2. Use the rspan source command to specify the interfaces and the traffic type (RX, TX or both) to be monitored. 3. Use the rspan destination command to specify the destination port for the traffic mirrored by an RSPAN session. 4.
as an RSPAN source or destination port. Also, when a port is configured as an RSPAN uplink port, port security cannot be enabled on that port. rspan source Use this command to specify the source port and traffic type to be mirrored remotely. Use the no form to disable RSPAN on the specified port, or with a traffic type keyword to disable mirroring for the specified type.
EXAMPLE The following example configures the switch to mirror received packets from ports 2 and 3: Console(config)#rspan session 1 source interface ethernet 1/2 Console(config)#rspan session 1 source interface ethernet 1/3 Console(config)# rspan destination Use this command to specify the destination port to monitor the mirrored traffic. Use the no form to disable RSPAN on the specified port.
EXAMPLE The following example configures port 4 to receive mirrored RSPAN traffic: Console(config)#rspan session 1 destination interface ethernet 1/4 Console(config)# rspan remote vlan Use this command to specify the RSPAN VLAN, switch role (source, intermediate or destination), and the uplink ports. Use the no form to disable RSPAN on the specified VLAN.
◆ Only one uplink port can be configured on a source switch, but there is no limitation on the number of uplink ports configured on an intermediate or destination switch. ◆ Only destination and uplink ports will be assigned by the switch as members of this VLAN. Ports cannot be manually assigned to an RSPAN VLAN with the switchport allowed vlan command. Nor can GVRP dynamically add port members to an RSPAN VLAN.
Only two mirror sessions are allowed, including both local and remote mirroring. If local mirroring is enabled with the port monitor command, then there is only one session available for RSPAN.
34 CONGESTION CONTROL COMMANDS The switch can set the maximum upload or download data transfer rate for any port. It can control traffic storms by setting a maximum threshold for broadcast traffic or multicast traffic. It can also set bounding thresholds for broadcast and multicast storms which can be used to automatically trigger rate limits or to shut down a port.
Table 143: Congestion Control Commands
Command Group / Function
Rate Limiting / Sets the input and output rate limits for a port.
CHAPTER 34 | Congestion Control Commands Rate Limit Commands rate-limit This command defines the rate limit for a specific interface. Use this command without specifying a rate to restore the default rate. Use the no form to restore the default status of disabled. SYNTAX rate-limit {input | output} [rate] no rate-limit {input | output} input – Input rate for specified interface output – Output rate for specified interface rate – Maximum value in Kbps.
CHAPTER 34 | Congestion Control Commands Storm Control Commands STORM CONTROL COMMANDS Storm control commands can be used to configure broadcast, multicast, and unknown unicast storm control thresholds. Traffic storms may occur when a device on your network is malfunctioning, or if application programs are not well designed or properly configured. If there is too much traffic on your network, performance can be severely degraded or everything can come to a complete halt.
COMMAND USAGE ◆ When traffic exceeds the threshold specified for broadcast and multicast or unknown unicast traffic, packets exceeding the threshold are dropped until the rate falls back down beneath the threshold. ◆ Traffic storms can be controlled at the hardware level using this command or at the software level using the auto-traffic-control command. However, only one of these control types can be applied to a port.
CHAPTER 34 | Congestion Control Commands Automatic Traffic Control Commands EXAMPLE The following example blocks unknown multicast traffic on port 5: Console(config)#interface ethernet 1/5 Console(config-if)#switchport block multicast Console(config-if)# AUTOMATIC TRAFFIC CONTROL COMMANDS Automatic Traffic Control (ATC) configures bounding thresholds for broadcast and multicast storms which can be used to trigger configured rate limits or to shut down a port.
CHAPTER 34 | Congestion Control Commands Automatic Traffic Control Commands Table 146: ATC Commands (Continued) Command Function Mode snmp-server enable port-traps atc multicast-alarm-clear Sends a trap when multicast traffic falls beneath the lower threshold after a storm control response has been triggered IC (Port) snmp-server enable port-traps atc multicast-alarm-fire Sends a trap when multicast traffic exceeds the upper threshold for automatic storm control IC (Port) snmp-server enable port-t
CHAPTER 34 | Congestion Control Commands Automatic Traffic Control Commands ◆ When traffic exceeds the alarm fire threshold and the apply timer expires, a traffic control response is applied, and a Traffic Control Apply Trap is sent and logged. ◆ Alarm Clear Threshold – The lower threshold beneath which a control response can be automatically terminated after the release timer expires. When ingress traffic falls below this threshold, ATC sends a Storm Alarm Clear Trap and logs it.
CHAPTER 34 | Congestion Control Commands Automatic Traffic Control Commands Threshold Commands auto-traffic-control This command sets the time at which to apply the control response after apply-timer ingress traffic has exceeded the upper threshold. Use the no form to restore the default setting. SYNTAX auto-traffic-control {broadcast | multicast} apply-timer seconds no auto-traffic-control {broadcast | multicast} apply-timer broadcast - Specifies automatic storm control for broadcast traffic.
CHAPTER 34 | Congestion Control Commands Automatic Traffic Control Commands seconds - The time at which to release the control response after ingress traffic has fallen beneath the lower threshold. (Range: 1-900 seconds) DEFAULT SETTING 900 seconds COMMAND MODE Global Configuration COMMAND USAGE This command sets the delay after which the control response can be terminated.
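The following model shows how the alarm fire threshold, alarm clear threshold, apply timer and release timer described above fit together on one port. It is an added example written for this guide, not the switch's own code: the switch implementation is not published, the per-second traffic samples are constructed, and the apply-timer value used in the demo is an assumption (the thresholds and the 900-second release timer follow the defaults shown on this page).

```python
"""Model of the ATC storm-control behaviour: hysteresis between the alarm fire and
alarm clear thresholds, the apply timer, and the release timer.

Added example; the switch's own implementation is not published. Traffic samples
below are constructed, one per second.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class AtcConfig:
    fire_threshold_kpps: int = 128      # alarm-fire-threshold (default shown by show auto-traffic-control)
    clear_threshold_kpps: int = 128     # alarm-clear-threshold
    apply_timer_s: int = 5              # constructed value; seconds in alarm before the response is applied
    release_timer_s: int = 900          # release-timer default on this switch
    action: str = "rate-control"        # "rate-control" or "shutdown"
    auto_control_release: bool = False  # auto-control-release configured on the port


@dataclass
class AtcPort:
    """ATC state of one port for one traffic type (broadcast or multicast)."""
    cfg: AtcConfig
    alarm: bool = False                 # fire threshold exceeded and not yet cleared
    applied: bool = False               # control response currently in force
    alarm_at: Optional[int] = None      # second at which the alarm fired
    clear_at: Optional[int] = None      # second at which the alarm cleared
    traps: List[str] = field(default_factory=list)

    def sample(self, t: int, ingress_kpps: int) -> None:
        """Process one ingress-rate sample taken at second t."""
        cfg = self.cfg
        if not self.alarm and ingress_kpps > cfg.fire_threshold_kpps:
            self.alarm, self.alarm_at, self.clear_at = True, t, None
            self.traps.append(f"{t}: storm-alarm-fire")
        elif self.alarm and ingress_kpps < cfg.clear_threshold_kpps:
            self.alarm, self.clear_at = False, t
            self.traps.append(f"{t}: storm-alarm-clear")
        # A rate between the two thresholds changes nothing: that gap is the hysteresis.

        # The response is applied once the alarm has persisted for the apply timer.
        if self.alarm and not self.applied and t - self.alarm_at >= cfg.apply_timer_s:
            self.applied = True
            self.traps.append(f"{t}: traffic-control-apply ({cfg.action})")

        # Only a rate-limiting response is released automatically, and only when
        # auto-control-release is set; a shutdown stays until the operator clears it.
        if (self.applied and not self.alarm and cfg.auto_control_release
                and cfg.action == "rate-control"
                and t - self.clear_at >= cfg.release_timer_s):
            self.applied = False
            self.traps.append(f"{t}: traffic-control-release")


def run_atc(cfg: AtcConfig, samples_kpps: List[int]) -> List[str]:
    """Feed a list of per-second ingress rates through one port and return its traps."""
    port = AtcPort(cfg)
    for t, rate in enumerate(samples_kpps):
        port.sample(t, rate)
    return port.traps


# Constructed broadcast storm: quiet, a burst above 200 Kpps, a dip into the
# hysteresis band, then a return below 100 Kpps.
SAMPLE_STORM = [50, 250, 260, 270, 280, 150, 90, 80, 70, 60, 50]

if __name__ == "__main__":
    demo = AtcConfig(fire_threshold_kpps=200, clear_threshold_kpps=100,
                     apply_timer_s=3, release_timer_s=4, auto_control_release=True)
    for line in run_atc(demo, SAMPLE_STORM):
        print(line)
```

The sample at second 5 (150 Kpps) sits between the two thresholds and neither clears the alarm nor restarts the apply timer, which is the point of configuring the clear threshold below the fire threshold; with the default 128/128 pair there is no hysteresis band at all. Switching the action to shutdown leaves the port down after the alarm clears, matching the note that only a rate-limiting response is released by auto-control-release.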
EXAMPLE
This example enables automatic storm control for broadcast traffic on port 1.
Console(config)#interface ethernet 1/1
Console(config-if)#auto-traffic-control broadcast
Console(config-if)#

auto-traffic-control action
This command sets the control action to limit ingress traffic or shut down the offending port. Use the no form to restore the default setting.

EXAMPLE
This example sets the control response for broadcast traffic on port 1.

EXAMPLE
This example sets the clear threshold for automatic storm control for broadcast traffic on port 1.
Console(config)#interface ethernet 1/1
Console(config-if)#auto-traffic-control broadcast alarm-clear-threshold 155
Console(config-if)#

auto-traffic-control alarm-fire-threshold
This command sets the upper threshold for ingress traffic beyond which a storm control response is triggered after the apply timer expires.

auto-traffic-control auto-control-release
This command automatically releases a control response of rate-limiting after the time specified in the auto-traffic-control release-timer command has expired.

SYNTAX
auto-traffic-control {broadcast | multicast} auto-control-release
broadcast - Specifies automatic storm control for broadcast traffic.
multicast - Specifies automatic storm control for multicast traffic.

EXAMPLE
Console(config)#interface ethernet 1/1
Console(config-if)#auto-traffic-control broadcast control-release
Console(config-if)#

SNMP Trap Commands

snmp-server enable port-traps atc broadcast-alarm-clear
This command sends a trap when broadcast traffic falls beneath the lower threshold after a storm control response has been triggered. Use the no form to disable this trap.

Console(config-if)#

RELATED COMMANDS
auto-traffic-control alarm-fire-threshold (1250)

snmp-server enable port-traps atc broadcast-control-release
This command sends a trap when broadcast traffic exceeds the upper threshold for automatic storm control and the apply timer expires. Use the no form to disable this trap.

EXAMPLE
Console(config)#interface ethernet 1/1
Console(config-if)#snmp-server enable port-traps atc broadcast-control-release
Console(config-if)#

RELATED COMMANDS
auto-traffic-control alarm-clear-threshold (1249)
auto-traffic-control action (1248)
auto-traffic-control release-timer (1246)

snmp-server enable port-traps atc multicast-alarm-clear
This command sends a trap when multicast traffic falls beneath the lower threshold after a storm control respo

EXAMPLE
Console(config)#interface ethernet 1/1
Console(config-if)#snmp-server enable port-traps atc multicast-alarm-fire
Console(config-if)#

RELATED COMMANDS
auto-traffic-control alarm-fire-threshold (1250)

snmp-server enable port-traps atc multicast-control-release
This command sends a trap when multicast traffic exceeds the upper threshold for automatic storm control and the apply timer expires. Use the no form to disable this trap.

EXAMPLE
Console(config)#interface ethernet 1/1
Console(config-if)#snmp-server enable port-traps atc multicast-control-release
Console(config-if)#

RELATED COMMANDS
auto-traffic-control alarm-clear-threshold (1249)
auto-traffic-control action (1248)
auto-traffic-control release-timer (1246)

ATC Display Commands

show auto-traffic-control
This command shows global configuration settings for automatic storm control.

EXAMPLE
Console#show auto-traffic-control interface ethernet 1/1
Eth 1/1 Information
-----------------------------------------------------------------------
Storm Control:               Broadcast     Multicast
State:                       Disabled      Disabled
Action:                      rate-control  rate-control
Auto Release Control:        Disabled      Disabled
Alarm Fire Threshold(Kpps):  128           128
Alarm Clear Threshold(Kpps): 128           128
Trap Storm Fire:             Disabled      Disabled
Trap Storm Clear:            Disabled      Disabled
Tr
35 LOOPBACK DETECTION COMMANDS

The switch can be configured to detect general loopback conditions caused by hardware problems or faulty protocol settings. When enabled, a control frame is transmitted on the participating ports, and the switch monitors inbound traffic to see if the frame is looped back.
CHAPTER 35 | Loopback Detection Commands

loopback-detection
This command enables loopback detection globally on the switch or on a specified interface. Use the no form to disable loopback detection.

SYNTAX
[no] loopback-detection

DEFAULT SETTING
Disabled

COMMAND MODE
Global Configuration
Interface Configuration (Ethernet, Port Channel)

COMMAND USAGE
Loopback detection must be enabled globally for the switch by this command and enabled for a specific interface for this function to take effect.
COMMAND USAGE
◆ When the response to a detected loopback condition is set to block user traffic, loopback detection control frames may be untagged or tagged depending on the port’s VLAN membership type.
◆ When the response to a detected loopback condition is set to block user traffic, ingress filtering for the port is enabled automatically if not already enabled by the switchport ingress-filtering command.

EXAMPLE
Console(config)#loopback-detection recover-time 120
Console(config-if)#

loopback-detection transmit-interval
This command specifies the interval at which to transmit loopback detection control frames. Use the no form to restore the default setting.

SYNTAX
loopback-detection transmit-interval seconds
no loopback-detection transmit-interval
seconds - The transmission interval for loopback detection control frames.

COMMAND MODE
Global Configuration

COMMAND USAGE
Refer to the loopback-detection recover-time command for information on conditions which constitute loopback recovery.

EXAMPLE
Console(config)#loopback-detection trap both
Console(config)#

loopback-detection release
This command releases all interfaces currently shut down by the loopback detection feature.

Trap                : None

Loopback Detection Port Information
Port      Admin State  Oper State
--------  -----------  ----------
Eth 1/ 1  Enabled      Normal
Eth 1/ 2  Disabled     Disabled
Eth 1/ 3  Disabled     Disabled
. . .
36 UNIDIRECTIONAL LINK DETECTION COMMANDS

The switch can be configured to detect and disable unidirectional Ethernet fiber or copper links. When enabled, the protocol advertises a port’s identity and learns about its neighbors on a specific LAN segment, and stores information about its neighbors in a cache. It can also send out a train of echo messages under circumstances that require fast notifications or re-synchronization of the cached information.
CHAPTER 36 | UniDirectional Link Detection Commands

If the link is deemed anything other than bidirectional at the end of the detection phase, this curve becomes a flat line with a fixed value of Mfast (7 seconds). If the link is instead deemed bidirectional, the curve will use Mfast for the first four subsequent message transmissions and then transition to an Mslow value for all other steady-state transmissions. Mslow is the value configured by this command.
problem. Because this type of detection can be event-less, and lack of information cannot always be associated with an actual malfunction of the link, this mode is optional and is recommended only in certain scenarios (typically only on point-to-point links where no communication failure between two neighbors is admissible).

EXAMPLE
This example enables UDLD aggressive mode on port 1.

show udld
This command shows UDLD configuration settings and operational status for the switch or for a specified interface.

SYNTAX
show udld [interface interface]
interface
ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number.

Table 149: show udld - display description (Continued)
Field         Description
Port State    Shows the UDLD port state (Unknown, Bidirectional, Unidirectional, Transmit-to-receive loop, Mismatch with neighbor state reported, Neighbor's echo is empty). The state is Unknown if the link is down or not connected to a UDLD-capable device. The state is Bidirectional if the link has a normal two-way connection to a UDLD-capable device.
37 ADDRESS TABLE COMMANDS

These commands are used to configure the address table for filtering specified addresses, displaying current entries, clearing the table, or setting the aging time.
CHAPTER 37 | Address Table Commands

EXAMPLE
Console(config)#mac-address-table aging-time 100
Console(config)#

mac-address-table static
This command maps a static address to a destination port in a VLAN. Use the no form to remove an address.

SYNTAX
mac-address-table static mac-address interface interface vlan vlan-id [action]
no mac-address-table static mac-address vlan vlan-id
mac-address - MAC address.
interface
ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number.

EXAMPLE
Console(config)#mac-address-table static 00-e0-29-94-34-de interface ethernet 1/1 vlan 1 delete-on-reset
Console(config)#

clear mac-address-table dynamic
This command removes any learned entries from the forwarding database.

DEFAULT SETTING
None

COMMAND MODE
Privileged Exec

EXAMPLE
Console#clear mac-address-table dynamic
Console#

show mac-address-table
This command shows classes of entries in the bridge-forwarding database.

COMMAND USAGE
◆ The MAC Address Table contains the MAC addresses associated with each interface. Note that the Type field may include the following types:
  ■ Learn - Dynamic address entries
  ■ Config - Static entry
◆ The mask should be hexadecimal numbers (representing an equivalent bit mask) in the form xx-xx-xx-xx-xx-xx that is applied to the specified MAC address.
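The mask semantics above (a hexadecimal bit mask in the same xx-xx-xx-xx-xx-xx form, ANDed with the address) are easy to get wrong when auditing a forwarding table offline, for example when checking which learned entries share a vendor prefix with a static entry. The following is an added example of that masked match over a constructed table, not code from the switch; the static entry reuses the address from the example above, the other rows are made up.

```python
"""Masked MAC lookup of the kind the show mac-address-table mask performs.
Added example over a constructed forwarding table; not switch code."""
from typing import Dict, List, Optional


def parse_mac(text: str) -> int:
    """Parse xx-xx-xx-xx-xx-xx (or the colon form) into a 48-bit integer."""
    octets = text.replace(":", "-").split("-")
    if len(octets) != 6 or any(len(o) != 2 for o in octets):
        raise ValueError(f"not a MAC address: {text!r}")
    return int("".join(octets), 16)


# Constructed table in the layout of show mac-address-table
# (Learn = dynamic entry, Config = static entry).
FORWARDING_TABLE: List[Dict[str, object]] = [
    {"interface": "Eth 1/1", "mac": "00-e0-29-94-34-de", "vlan": 1, "type": "Config"},
    {"interface": "Eth 1/2", "mac": "00-e0-29-12-34-56", "vlan": 1, "type": "Learn"},
    {"interface": "Eth 1/3", "mac": "00-11-22-33-44-55", "vlan": 2, "type": "Learn"},
    {"interface": "Eth 1/3", "mac": "00-e0-29-aa-bb-cc", "vlan": 2, "type": "Learn"},
]


def match_mac(entries: List[Dict[str, object]], address: str,
              mask: str = "ff-ff-ff-ff-ff-ff",
              entry_type: Optional[str] = None) -> List[str]:
    """Return the MACs of entries that equal `address` in every bit set in `mask`,
    optionally restricted to Learn or Config entries. An all-ones mask is an
    exact match; an all-zeros mask matches every entry."""
    want, bits = parse_mac(address), parse_mac(mask)
    found = []
    for entry in entries:
        if entry_type and entry["type"] != entry_type:
            continue
        if parse_mac(str(entry["mac"])) & bits == want & bits:
            found.append(str(entry["mac"]))
    return found


if __name__ == "__main__":
    # Every entry sharing the 00-e0-29 prefix with the static entry.
    print(match_mac(FORWARDING_TABLE, "00-e0-29-00-00-00", "ff-ff-ff-00-00-00"))
```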
show mac-address-table count
This command shows the number of MAC addresses used and the number of available MAC addresses for the overall system or for an interface.

SYNTAX
show mac-address-table count [interface interface]
interface
ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number.
38 SPANNING TREE COMMANDS

This section includes commands that configure the Spanning Tree Algorithm (STA) globally for the switch, and commands that configure STA for the selected interface.
CHAPTER 38 | Spanning Tree Commands

Table 151: Spanning Tree Commands (Continued)
Command                                  Function                                                            Mode
spanning-tree loopback-detection trap    Enables BPDU loopback SNMP trap notification for a port             IC
spanning-tree mst cost                   Configures the path cost of an instance in the MST                  IC
spanning-tree mst port-priority          Configures the priority of an instance in the MST                   IC
spanning-tree port-bpdu-flooding         Floods BPDUs to other ports when global spanning tree is disabled   IC
spanning-tree port-priority              Con

EXAMPLE
This example shows how to enable the Spanning Tree Algorithm for the switch:
Console(config)#spanning-tree
Console(config)#

spanning-tree forward-time
This command configures the spanning tree bridge forward time globally for this switch. Use the no form to restore the default.

SYNTAX
spanning-tree forward-time seconds
no spanning-tree forward-time
seconds - Time in seconds. (Range: 4 - 30 seconds)
The minimum value is the higher of 4 or [(max-age / 2) + 1].
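The forward-time minimum stated above is one of three coupled constraints between the bridge timers, and the switch rejects a command that would violate them, so the order in which hello-time, max-age and forward-time are changed matters. The following added example, written for this guide and not switch code, implements the rule on this page together with the IEEE 802.1D limits it derives from (hello-time 1-10 s, max-age 6-40 s, and 2 * (hello-time + 1) <= max-age <= 2 * (forward-time - 1)); those IEEE limits are an assumption from the standard, not quoted from this page. It also works out an order of commands that keeps the timers consistent after every single change.

```python
"""Bridge timer checks for spanning-tree hello-time, max-age and forward-time.
Added example, not switch code. The forward-time minimum is the rule from this
page; the other limits are the IEEE 802.1D constraints (assumed here)."""
from itertools import permutations
from typing import List, Sequence


def forward_time_minimum(max_age: int) -> int:
    """Lowest legal forward-time for a given max-age: the higher of 4 or
    (max-age / 2) + 1, with the division rounded up so that
    2 * (forward-time - 1) never falls below max-age."""
    return max(4, (max_age + 1) // 2 + 1)


def check_sta_timers(hello_time: int, max_age: int, forward_time: int) -> List[str]:
    """Return a list of problems; an empty list means the three timers are consistent."""
    problems = []
    if not 1 <= hello_time <= 10:
        problems.append(f"hello-time {hello_time} is outside 1-10 seconds")
    if not 6 <= max_age <= 40:
        problems.append(f"max-age {max_age} is outside 6-40 seconds")
    if not 4 <= forward_time <= 30:
        problems.append(f"forward-time {forward_time} is outside 4-30 seconds")
    hello_bound = 2 * (hello_time + 1)
    if max_age < hello_bound:
        problems.append(f"max-age {max_age} is below 2*(hello-time+1) = {hello_bound}")
    fwd_min = forward_time_minimum(max_age)
    if forward_time < fwd_min:
        problems.append(f"forward-time {forward_time} is below the minimum {fwd_min} for max-age {max_age}")
    return problems


def change_order(current: Sequence[int], target: Sequence[int]) -> List[str]:
    """Find an order of spanning-tree timer commands that takes the bridge from
    `current` to `target` (both as (hello-time, max-age, forward-time)) with the
    timers consistent after every step. Returns the CLI lines, or [] if no order
    works, which includes the case where the target itself is invalid."""
    names = ("hello-time", "max-age", "forward-time")
    for order in permutations(range(3)):
        state = list(current)
        lines = []
        for i in order:
            if state[i] == target[i]:
                continue                      # nothing to change for this timer
            state[i] = target[i]
            if check_sta_timers(*state):
                break                         # this step would be rejected
            lines.append(f"spanning-tree {names[i]} {target[i]}")
        else:
            return lines
    return []


if __name__ == "__main__":
    # Defaults shown by show spanning-tree on this switch: hello 2, max-age 20, forward 15.
    print(check_sta_timers(2, 20, 15))
    # Shrinking the timers: max-age has to come down before forward-time can.
    print(change_order((2, 20, 15), (2, 10, 6)))
    # Growing them again: forward-time has to go up before max-age can.
    print(change_order((2, 10, 6), (2, 20, 15)))
```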
DEFAULT SETTING
2 seconds

COMMAND MODE
Global Configuration

COMMAND USAGE
This command sets the time interval (in seconds) at which the root device transmits a configuration message.

EXAMPLE
Console(config)#spanning-tree hello-time 5
Console(config)#

RELATED COMMANDS
spanning-tree forward-time (1279)
spanning-tree max-age (1280)

spanning-tree max-age
This command configures the spanning tree bridge maximum age globally for this switch.

RELATED COMMANDS
spanning-tree forward-time (1279)
spanning-tree hello-time (1279)

spanning-tree mode
This command selects the spanning tree mode for this switch. Use the no form to restore the default.

SYNTAX
spanning-tree mode {stp | rstp | mstp}
no spanning-tree mode
stp - Spanning Tree Protocol (IEEE 802.1D)
rstp - Rapid Spanning Tree Protocol (IEEE 802.1w)
mstp - Multiple Spanning Tree (IEEE 802.

  ■ A spanning tree instance can exist only on bridges that have compatible VLAN instance assignments.
  ■ Be careful when switching between spanning tree modes. Changing modes stops all spanning-tree instances for the previous mode and restarts the system in the new mode, temporarily disrupting user traffic.

spanning-tree priority
This command configures the spanning tree priority globally for this switch. Use the no form to restore the default.

SYNTAX
spanning-tree priority priority
no spanning-tree priority
priority - Priority of the bridge.

revision (1288)
max-hops (1285)

spanning-tree system-bpdu-flooding
This command configures the system to flood BPDUs to all other ports on the switch or just to all other ports in the same VLAN when spanning tree is disabled globally on the switch or disabled on a specific port. Use the no form to restore the default.

COMMAND USAGE
This command limits the maximum transmission rate for BPDUs.

EXAMPLE
Console(config)#spanning-tree transmission-limit 4
Console(config)#

max-hops
This command configures the maximum number of hops in the region before a BPDU is discarded. Use the no form to restore the default.

SYNTAX
max-hops hop-number
hop-number - Maximum hop number for multiple spanning tree.

mst priority
This command configures the priority of a spanning tree instance. Use the no form to restore the default.

SYNTAX
mst instance-id priority priority
no mst instance-id priority
instance-id - Instance identifier of the spanning tree. (Range: 0-4094)
priority - Priority of a spanning tree instance.

COMMAND MODE
MST Configuration

COMMAND USAGE
◆ Use this command to group VLANs into spanning tree instances. MSTP generates a unique spanning tree for each instance. This provides multiple pathways across the network, thereby balancing the traffic load, preventing wide-scale disruption when a bridge node in a single instance fails, and allowing for faster convergence of a new topology for the failed instance.

EXAMPLE
Console(config-mstp)#name R&D
Console(config-mstp)#

RELATED COMMANDS
revision (1288)

revision
This command configures the revision number for this multiple spanning tree configuration of this switch. Use the no form to restore the default.

SYNTAX
revision number
number - Revision number of the spanning tree.

COMMAND USAGE
◆ This command filters all Bridge Protocol Data Units (BPDUs) received on an interface to save CPU processing time. This function is designed to work in conjunction with edge ports which should only connect end stations to the switch, and therefore do not need to process BPDUs.

be manually re-enabled using the no spanning-tree spanning-disabled command if the auto-recovery interval is not specified.
◆ Before enabling BPDU Guard, the interface must be configured as an edge port with the spanning-tree edge-port command. Also note that if the edge port attribute is disabled on an interface, BPDU Guard will also be disabled on that interface.

Table 153: Default STA Path Costs
Port Type          Short Path Cost (IEEE 802.1D-1998)   Long Path Cost (802.1D-2004)
Ethernet           65,535                               1,000,000
Fast Ethernet      65,535                               100,000
Gigabit Ethernet   10,000                               10,000
10G Ethernet       1,000                                1,000

COMMAND MODE
Interface Configuration (Ethernet, Port Channel)

COMMAND USAGE
◆ This command is used by the Spanning Tree Algorithm to determine the best path between devices.
devices such as workstations or servers, retains the current forwarding database to reduce the amount of frame flooding required to rebuild address tables during reconfiguration events, does not cause the spanning tree to initiate reconfiguration when the interface changes state, and also overcomes other STA-related time out problems. However, remember that Edge Port should only be enabled for ports connected to an end-node device.

spanning-tree loopback-detection
This command enables the detection and response to Spanning Tree loopback BPDU packets on the port. Use the no form to disable this feature.

SYNTAX
[no] spanning-tree loopback-detection

DEFAULT SETTING
Enabled

COMMAND MODE
Interface Configuration (Ethernet, Port Channel)

COMMAND USAGE
◆ If Port Loopback Detection is not enabled and a port receives its own BPDU, then the port will drop the loopback BPDU according to IEEE Standard 802.

command, the selected interface will be automatically enabled when the shutdown interval has expired.
◆ If an interface is shut down by this command, and the release mode is set to “manual,” the interface can be re-enabled using the spanning-tree loopback-detection release command.

◆ When configured for manual release mode, a link down/up event will not release the port from the discarding state. It can only be released using the spanning-tree loopback-detection release command.

EXAMPLE
Console(config)#interface ethernet 1/5
Console(config-if)#spanning-tree loopback-detection release-mode manual
Console(config-if)#

spanning-tree loopback-detection trap
This command enables SNMP trap notification for Spanning Tree loopback BPDU detections.

shown below. Path cost “0” is used to indicate auto-configuration mode. When the short path cost method is selected and the default path cost recommended by the IEEE 802.1w standard exceeds 65,535, the default is set to 65,535. The default path costs are listed in Table 153 on page 1291.

COMMAND MODE
Interface Configuration (Ethernet, Port Channel)

COMMAND USAGE
◆ Each spanning-tree instance is associated with a unique set of VLAN IDs.

COMMAND USAGE
◆ This command defines the priority for the use of an interface in the multiple spanning-tree. If the path cost for all interfaces on a switch is the same, the interface with the highest priority (that is, lowest value) will be configured as an active link in the spanning tree.
◆ Where more than one interface is assigned the highest priority, the interface with the lowest numeric identifier will be enabled.

spanning-tree port-priority
This command configures the priority for the specified interface. Use the no form to restore the default.

SYNTAX
spanning-tree port-priority priority
no spanning-tree port-priority
priority - The priority for a port. (Range: 0-240, in steps of 16)

DEFAULT SETTING
128

COMMAND MODE
Interface Configuration (Ethernet, Port Channel)

COMMAND USAGE
◆ This command defines the priority for the use of a port in the Spanning Tree Algorithm.

COMMAND USAGE
◆ A bridge with a lower bridge identifier (or same identifier and lower MAC address) can take over as the root bridge at any time.
◆ When Root Guard is enabled, and the switch receives a superior BPDU on this port, it is set to the Discarding state until it stops receiving superior BPDUs for a fixed recovery period. While in the discarding state, no traffic is forwarded across the port.

spanning-tree tc-prop-stop
This command stops the propagation of topology change notifications (TCN). Use the no form to allow propagation of TCN messages.

SYNTAX
[no] spanning-tree tc-prop-stop

DEFAULT SETTING
Disabled

COMMAND MODE
Interface Configuration (Ethernet, Port Channel)

COMMAND USAGE
◆ When this command is enabled on an interface, topology change information originating from the interface will still be propagated.

EXAMPLE
Console#spanning-tree loopback-detection release ethernet 1/1
Console#

spanning-tree protocol-migration
This command re-checks the appropriate BPDU format to send on the selected interface.

SYNTAX
spanning-tree protocol-migration interface
interface
ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number.

show spanning-tree
This command shows the configuration for the common spanning tree (CST), for all instances within the multiple spanning tree (MST), or for a specific instance within the multiple spanning tree (MST).

SYNTAX
show spanning-tree [interface | mst instance-id]
interface
ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number.

VLANs Configured            : 1-4094
Priority                    : 32768
Bridge Hello Time (sec.)    : 2
Bridge Max. Age (sec.)      : 20
Bridge Forward Delay (sec.) : 15
Root Hello Time (sec.)      : 2
Root Max. Age (sec.)        : 20
Root Forward Delay (sec.)   : 15
Max. Hops                   : 20
Remaining Hops              : 20
Designated Root             : 32768.0.0001ECF8D8C6
Current Root Port           : 21
Current Root Cost           : 100000
Number of Topology Changes  : 5
Last Topology Change Time (sec.

show spanning-tree
This command shows the configuration of the multiple spanning tree.
39 ERPS COMMANDS

The G.8032 recommendation, also referred to as Ethernet Ring Protection Switching (ERPS), can be used to increase the availability and robustness of Ethernet rings. This chapter describes commands used to configure ERPS.
CHAPTER 39 | ERPS Commands

Table 154: ERPS Commands (Continued)
Command              Function                                                                                                  Mode
erps clear           Manually clears protection state which has been invoked by a Forced Switch or Manual Switch command,     PE
                     and the node is operating under non-revertive mode; or before the WTR or WTB timer expires when the
                     node is operating in revertive mode
erps forced-switch   Blocks the specified ring port                                                                            PE
erps manual-switch   Blocks the specified ring port, in the absence of a failure or an erps forced-switch command              P
7. Enable an ERPS ring: Before an ERPS ring can work, it must be enabled using the enable command. When configuration is completed and the ring enabled, R-APS messages will start flowing in the control VLAN, and normal traffic will begin to flow in the data VLANs. To stop a ring, it can be disabled on any node using the no enable command.
8.

COMMAND MODE
Global Configuration

COMMAND USAGE
◆ Service Instances within each ring are based on a unique maintenance association for the specific users, distinguished by the ring name, maintenance level, maintenance association’s name, and assigned VLAN. Up to 6 ERPS rings can be configured on the switch.
◆ R-APS information is carried in R-APS PDUs. The last octet of the MAC address is designated as the Ring ID (01-19-A7-00-00-[Ring ID]).

◆ Once the ring has been activated with the enable command, the configuration of the control VLAN cannot be modified. Use the no enable command to stop the ERPS ring before making any configuration changes to the control VLAN.

guard-timer
This command sets the guard timer to prevent ring nodes from receiving outdated R-APS messages. Use the no form to restore the default setting.

SYNTAX
guard-timer milliseconds
milliseconds - The guard timer is used to prevent ring nodes from receiving outdated R-APS messages. During the duration of the guard timer, all received R-APS messages are ignored by the ring protection control process, giving time for old messages still circulating on the ring to expire.

server layer protection switch to have a chance to fix the problem before switching at a client layer. When a new defect or more severe defect occurs (new Signal Failure), this event will not be reported immediately to the protection switching mechanism if the provisioned hold-off timer value is non-zero. Instead, the hold-off timer will be started. When the timer expires, whether a defect still exists or not is checked.

meg-level
This command sets the Maintenance Entity Group level for a ring. Use the no form to restore the default setting.

SYNTAX
meg-level level
level - The maintenance entity group (MEG) level which provides a communication channel for ring automatic protection switching (R-APS) information. (Range: 0-7)

DEFAULT SETTING
1

COMMAND MODE
ERPS Configuration

COMMAND USAGE
◆ This parameter is used to ensure that received R-APS PDUs are directed for this ring.

DEFAULT SETTING
None

COMMAND MODE
ERPS Configuration

COMMAND USAGE
◆ If this command is used to monitor the link status of an ERPS node with CFM continuity check messages, then the MEG level set by the meg-level command must match the authorized maintenance level of the CFM domain to which the specified MEP belongs.
◆ To ensure complete monitoring of a ring node, use the mep-monitor command to specify the CFM MEPs used to monitor both the east and west ports of the ring node.

For example, a node that has one ring port in SF condition and detects that the condition has been cleared, will continuously transmit R-APS (NR) messages with its own Node ID as priority information over both ring ports, informing its neighbors that no request is present at this node. When another recovered node holding the link blocked receives this message, it compares the Node ID information with its own.
[Figure: ERPS ring of nodes A to F showing the RPL, the RPL Owner, blocked ports, a fault, and non-ERPS devices between nodes]

When non-ERPS device protection is enabled on the ring, the ring ports on the RPL owner node and non-owner nodes will not be blocked when signal loss is detected by CCM loss events.
◆ When non-ERPS device protection is enabled on an RPL owner node, it will send non-standard health-check packets to poll the ring health when it enters the protection state.

the erps clear command is used to return the RPL from Protection state to Idle state.
◆ Recovery for Protection Switching – A ring node that has one or more ring ports in an SF (Signal Fail) condition, upon detecting the SF condition cleared, keeps at least one of its ring ports blocked for the traffic channel and for the R-APS channel, until the RPL is blocked as a result of ring protection reversion, or until there is another higher priority request (e.g.

c. When the operator issues the erps clear command for non-revertive mode at the RPL Owner Node, the non-revertive operation is cleared, the RPL Owner Node blocks its RPL port, and transmits an R-APS (NR, RB) message in both directions, repeatedly.
d. Upon receiving an R-APS (NR, RB) message, any blocking node should unblock its non-failed ring port. If it is an R-APS (NR, RB) message without a DNF indication, all ring nodes flush the FDB.

■ Recovery with non-revertive mode is handled in the following way:
a. The RPL Owner Node, upon reception of an R-APS (NR) message and in the absence of any other higher priority request, does not perform any action.
b. Then, after the operator issues the erps clear command at the RPL Owner Node, this ring node blocks the ring port attached to the RPL, transmits an R-APS (NR, RB) message on both ring ports, informing the ring that the RPL is blocked, and flushes its FDB.
c.

condition. If it is an R-APS (NR, RB) message without a DNF indication, all Ethernet Ring Nodes flush their FDB. This action unblocks the ring port which was blocked as a result of an operator command.
■ Recovery with non-revertive mode is handled in the following way:
a. The RPL Owner Node, upon reception of an R-APS (NR) message and in the absence of any other higher priority request, does not perform any action.
b.

EXAMPLE
Console(config-erps)#propagate-tc
Console(config-erps)#

raps-def-mac
This command sets the switch’s MAC address to be used as the node identifier in R-APS messages. Use the no form to use the node identifier specified in the G.8032 standard.

SYNTAX
[no] raps-def-mac

DEFAULT SETTING
Enabled

COMMAND MODE
ERPS Configuration

COMMAND USAGE
◆ When ring nodes running ERPSv1 and ERPSv2 co-exist on the same ring, the Ring ID of each ring node must be configured as “1”.
CHAPTER 39 | ERPS Commands COMMAND USAGE ◆ A sub-ring may be attached to a primary ring with or without a virtual channel. A virtual channel is used to connect two interconnection points on the sub-ring, tunneling R-APS control messages across an arbitrary Ethernet network topology. If a virtual channel is not used to cross the intermediate Ethernet network, data in the traffic channel will still flow across the network, but the all R-APS messages will be terminated at the interconnection points.
CHAPTER 39 | ERPS Commands No R-APS messages are inserted or extracted by other rings or subrings at the interconnection nodes where a sub-ring is attached. Hence there is no need for either additional bandwidth or for different VIDs/ Ring IDs for the ring interconnection. Furthermore, protection switching time for a sub-ring is independent from the configuration or topology of the interconnected rings.
CHAPTER 39 | ERPS Commands COMMAND USAGE ◆ Each node must be connected to two neighbors on the ring. For convenience, the ports connected are referred to as east and west ports. Alternatively, the closest neighbor to the east should be the next node in the ring in a clockwise direction, and the closest neighbor to the west should be the next node in the ring in a counter-clockwise direction. ◆ Note that a ring port cannot be configured as a member of a spanning tree, a dynamic trunk, or a static trunk.
of the RPL. If the switch is set as the RPL neighbor for an ERPS domain, the east ring port is set as the other end of the RPL. ◆ The east and west connections to the ring must be specified for all ring nodes using the ring-port command. When this switch is configured as the RPL neighbor, the east ring port is set as being connected to the RPL. ◆ Note that it is not mandatory to declare an RPL neighbor.
CHAPTER 39 | ERPS Commands version This command specifies compatibility with ERPS version 1 or 2. SYNTAX version {1 | 2} 1 - ERPS version 1 based on ITU-T G.8032/Y.1344. 2 - ERPS version 2 based on ITU-T G.8032/Y.1344 Version 2.
CHAPTER 39 | ERPS Commands wtr-timer This command sets the wait-to-restore timer which is used to verify that the ring has stabilized before blocking the RPL after recovery from a signal failure. Use the no form to restore the default setting. SYNTAX wtr-timer minutes minutes - The wait-to-restore timer is used to verify that the ring has stabilized before blocking the RPL after recovery from a signal failure.
erps clear This command manually clears the protection state invoked by a forced switch or manual switch command when the node is operating in non-revertive mode, or clears it before the WTR or WTB timer expires when the node is operating in revertive mode. SYNTAX erps clear domain ring-name ring-name - Name of a specific ERPS ring.
CHAPTER 39 | ERPS Commands COMMAND USAGE ◆ A ring with no pending request has a logical topology with the traffic channel blocked at the RPL and unblocked on all other ring links. In this situation, the erps forced-switch command triggers protection switching as follows: a. The ring node where a forced switch command was issued blocks the traffic channel and R-APS channel on the ring port to which the command was issued, and unblocks the other ring port. b.
Table 155: ERPS Request/State Priority (Continued)
Request / State and Status   Type     Priority
R-APS (FS)                   remote
local SF*                    local
local clear SF               local
R-APS (SF)                   remote
R-APS (MS)                   remote
MS                           local
WTR Expires                  local
WTR Running                  local
WTB Expires                  local
WTB Running                  local
R-APS (NR, RB)               remote
R-APS (NR)                   remote   lowest
* If an Ethernet Ring Node is in the Forced Switch state, local SF is ignored.
CHAPTER 39 | ERPS Commands COMMAND MODE Privileged Exec COMMAND USAGE ◆ A ring with no request has a logical topology with the traffic channel blocked at the RPL and unblocked on all other ring links. In this situation, the erps manual-switch command triggers protection switching as follows: a.
c. A ring node with a local manual switch command that receives an R-APS message or a local request of higher priority than R-APS (MS) clears its manual switch request. The ring node then processes the new higher priority request. ◆ Recovery for manual switching under revertive and non-revertive mode is described under the Command Usage section for the non-revertive command.
Table 156: show erps - summary display description
Field                     Description
Node Information
ERPS Status               Shows whether ERPS is enabled on the switch.
Number of ERPS Domains    Shows the number of ERPS rings configured on the switch.
Domain                    Displays the name of each ring followed by a brief list of status information
ID                        ERPS ring identifier used in R-APS messages.
Enabled                   Shows if the specified ring is enabled.
Ver                       Shows the ERPS version.
CHAPTER 39 | ERPS Commands This example displays detailed information for the specified ERPS ring.
Table 157: show erps domain - detailed display description (Continued)
Field         Description
WTB Expire    The time before the wait-to-block timer expires.
WTR Expire    The time before the wait-to-restore timer expires.
This example displays statistics for all configured ERPS rings.
Table 158: show erps statistics - detailed display description (Continued)
Field     Description
EVENT     Any request/state message, excluding FS, SF, MS, and NR
HEALTH    The number of non-standard health-check messages
40 VLAN COMMANDS A VLAN is a group of ports that can be located anywhere in the network, but communicate as though they belong to the same physical segment. This section describes commands used to create VLAN groups, add port members, specify how VLAN tagging is used, and enable automatic VLAN registration for the selected interface.
CHAPTER 40 | VLAN Commands GVRP and Bridge Extension Commands GVRP AND BRIDGE EXTENSION COMMANDS GARP VLAN Registration Protocol defines a way for switches to exchange VLAN information in order to automatically register VLAN members on interfaces across the network. This section describes how to enable GVRP for individual interfaces and globally for the switch, as well as how to display default configuration settings for the Bridge Extension MIB.
CHAPTER 40 | VLAN Commands GVRP and Bridge Extension Commands garp timer This command sets the values for the join, leave and leaveall timers. Use the no form to restore the timers’ default values. SYNTAX garp timer {join | leave | leaveall} timer-value no garp timer {join | leave | leaveall} {join | leave | leaveall} - Timer to set. timer-value - Value of timer.
switchport forbidden vlan This command configures forbidden VLANs. Use the no form to remove the list of forbidden VLANs. SYNTAX switchport forbidden vlan {add vlan-list | remove vlan-list} no switchport forbidden vlan add vlan-list - List of VLAN identifiers to add. remove vlan-list - List of VLAN identifiers to remove. vlan-list - Separate nonconsecutive VLAN identifiers with a comma and no spaces; use a hyphen to designate a range of IDs.
CHAPTER 40 | VLAN Commands GVRP and Bridge Extension Commands EXAMPLE Console(config)#interface ethernet 1/1 Console(config-if)#switchport gvrp Console(config-if)# show bridge-ext This command shows the configuration for bridge extension commands. DEFAULT SETTING None COMMAND MODE Privileged Exec COMMAND USAGE See "Displaying Bridge Extension Capabilities" on page 153 for a description of the displayed items.
EXAMPLE
Console#show garp timer ethernet 1/1
Eth 1/ 1 GARP Timer Status:
 Join Timer      : 20 centiseconds
 Leave Timer     : 60 centiseconds
 Leave All Timer : 1000 centiseconds
Console#
RELATED COMMANDS garp timer (1339)
show gvrp configuration This command shows if GVRP is enabled. SYNTAX show gvrp configuration [interface] interface ethernet unit/port unit - Unit identifier. (Range: 1) port - Port number.
EDITING VLAN GROUPS
Table 161: Commands for Editing VLAN Groups
Command         Function                                                    Mode
vlan database   Enters VLAN database mode to add, change, and delete VLANs  GC
vlan            Configures a VLAN, including VID, name and state            VC
vlan database This command enters VLAN database mode. All commands in this mode will take effect immediately.
CHAPTER 40 | VLAN Commands Editing VLAN Groups vlan This command configures a VLAN. Use the no form to restore the default settings or delete a VLAN. SYNTAX vlan vlan-id [name vlan-name] media ethernet [state {active | suspend}] [rspan] no vlan vlan-id [name | state] vlan-id - VLAN ID, specified as a single number, a range of consecutive numbers separated by a hyphen, or multiple numbers separated by commas. (Range: 1-4094) name - Keyword to be followed by the VLAN name.
CHAPTER 40 | VLAN Commands Configuring VLAN Interfaces EXAMPLE The following example adds a VLAN, using VLAN ID 105 and name RD5. The VLAN is activated by default.
CHAPTER 40 | VLAN Commands Configuring VLAN Interfaces COMMAND USAGE ◆ Creating a “normal” VLAN with the vlan command initializes it as a Layer 2 interface. To change it to a Layer 3 interface, use the interface command to enter interface configuration for the desired VLAN, enter any Layer 3 configuration commands, and save the configuration settings. ◆ To change a Layer 3 normal VLAN back to a Layer 2 VLAN, use the no interface command.
EXAMPLE The following example shows how to restrict the traffic received on port 1 to tagged frames:
Console(config)#interface ethernet 1/1
Console(config-if)#switchport acceptable-frame-types tagged
Console(config-if)#
RELATED COMMANDS switchport mode (1349)
switchport allowed vlan This command configures VLAN groups on the selected interface. Use the no form to restore the default.
CHAPTER 40 | VLAN Commands Configuring VLAN Interfaces ◆ If a VLAN on the forbidden list for an interface is manually added to that interface, the VLAN is automatically removed from the forbidden list for that interface.
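The vlan-list grammar given for the vlan and switchport forbidden vlan commands, and the forbidden-list rule stated above, as an added example (not code from the guide or from Edge-Core). The names parse_vlan_list, is_valid_vlan_list and PortVlans are this example's own.

```python
"""Added example (not Edge-Core code): a parser for the vlan-list argument used by
the vlan, switchport allowed vlan and switchport forbidden vlan commands, plus a
model of one interface's allowed/forbidden lists that applies the guide's rule
that manually adding a forbidden VLAN removes it from the forbidden list.
Names (parse_vlan_list, is_valid_vlan_list, PortVlans) are this example's own."""
import re
from typing import List, Set

VLAN_MIN, VLAN_MAX = 1, 4094
# One list item: a single ID, or an inclusive range written lo-hi.
_ITEM = re.compile(r"^(\d+)(?:-(\d+))?$")


def parse_vlan_list(text: str) -> List[int]:
    """Parse '1,3-5,10' into a sorted list of unique VLAN IDs.

    Enforces the documented grammar: commas with no spaces, a hyphen for a
    range, every ID within 1-4094. Anything else raises ValueError instead of
    being silently coerced, so a typo never widens an allowed or forbidden list.
    """
    if not text or " " in text:
        raise ValueError("vlan-list must be non-empty and contain no spaces")
    ids: Set[int] = set()
    for item in text.split(","):
        match = _ITEM.match(item)
        if not match:
            raise ValueError(f"malformed vlan-list item: {item!r}")
        lo = int(match.group(1))
        hi = int(match.group(2)) if match.group(2) else lo
        if lo > hi:
            raise ValueError(f"range must be written low-high: {item!r}")
        if lo < VLAN_MIN or hi > VLAN_MAX:
            raise ValueError(f"VLAN ID outside {VLAN_MIN}-{VLAN_MAX}: {item!r}")
        ids.update(range(lo, hi + 1))
    return sorted(ids)


def is_valid_vlan_list(text: str) -> bool:
    """True if text parses under the rules above."""
    try:
        parse_vlan_list(text)
    except ValueError:
        return False
    return True


class PortVlans:
    """Allowed and forbidden VLAN sets for one interface."""

    def __init__(self) -> None:
        self.allowed: Set[int] = set()
        self.forbidden: Set[int] = set()

    def forbid(self, vlan_list: str) -> None:
        """switchport forbidden vlan add vlan-list"""
        self.forbidden.update(parse_vlan_list(vlan_list))

    def unforbid(self, vlan_list: str) -> None:
        """switchport forbidden vlan remove vlan-list"""
        self.forbidden.difference_update(parse_vlan_list(vlan_list))

    def allow(self, vlan_list: str) -> None:
        """switchport allowed vlan add vlan-list

        Per the guide, a VLAN on the forbidden list that is manually added to
        the interface is automatically removed from the forbidden list.
        """
        for vid in parse_vlan_list(vlan_list):
            self.forbidden.discard(vid)
            self.allowed.add(vid)


if __name__ == "__main__":
    port = PortVlans()
    port.forbid("10-12,20")
    port.allow("11")
    print("allowed:", sorted(port.allowed))      # [11]
    print("forbidden:", sorted(port.forbidden))  # [10, 12, 20]
```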
CHAPTER 40 | VLAN Commands Configuring VLAN Interfaces switchport mode This command configures the VLAN membership mode for a port. Use the no form to restore the default. SYNTAX switchport mode {hybrid | trunk | private-vlan} no switchport mode hybrid - Specifies a hybrid VLAN interface. The port may transmit tagged or untagged frames. trunk - Specifies a port as an end-point for a VLAN trunk.
switchport native vlan This command configures the PVID (i.e., default VLAN ID) for a port. Use the no form to restore the default. SYNTAX switchport native vlan vlan-id no switchport native vlan vlan-id - Default VLAN ID for a port.
CHAPTER 40 | VLAN Commands Configuring VLAN Interfaces The following figure shows VLANs 1 and 2 configured on switches A and B, with VLAN trunking being used to pass traffic for these VLAN groups across switches C, D and E. Figure 552: Configuring VLAN Trunking Without VLAN trunking, you would have to configure VLANs 1 and 2 on all intermediate switches – C, D and E; otherwise these switches would drop any frames with unknown VLAN group tags.
DISPLAYING VLAN INFORMATION This section describes commands used to display VLAN information.
Table 163: Commands for Displaying VLAN Information
Command                       Function                                                      Mode
show interfaces status vlan   Displays status for the specified VLAN interface              NE, PE
show interfaces switchport    Displays the administrative and operational status of an interface   NE, PE
show vlan                     Shows VLAN information                                        NE, PE
show vlan This command shows VLAN information.
Console# CONFIGURING IEEE 802.1Q TUNNELING IEEE 802.1Q tunneling (QinQ tunneling) uses a single Service Provider VLAN (SPVLAN) for customers who have multiple VLANs. Customer VLAN IDs are preserved and traffic from different customers is segregated within the service provider’s network even when they use the same customer-specific VLAN IDs.
CHAPTER 40 | VLAN Commands Configuring IEEE 802.1Q Tunneling 7. Configure the QinQ tunnel uplink port to dot1Q-tunnel uplink mode (switchport dot1q-tunnel mode). 8. Configure the QinQ tunnel uplink port to join the SPVLAN as a tagged member (switchport allowed vlan). Limitations for QinQ ◆ The native VLAN for the tunnel uplink ports and tunnel access ports cannot be the same. However, the same service VLANs can be set on both tunnel port types.
switchport dot1q-tunnel mode This command configures an interface as a QinQ tunnel port. Use the no form to disable QinQ on the interface. SYNTAX switchport dot1q-tunnel mode {access | uplink} no switchport dot1q-tunnel mode access – Sets the port as an 802.1Q tunnel access port. uplink – Sets the port as an 802.1Q tunnel uplink port.
switchport dot1q-tunnel service match cvid This command creates a CVLAN to SPVLAN mapping entry. Use the no form to delete a VLAN mapping entry. SYNTAX switchport dot1q-tunnel service svid match cvid cvid [remove-ctag] svid - VLAN ID for the outer VLAN tag (Service Provider VID). (Range: 1-4094) cvid - VLAN ID for the inner VLAN tag (Customer VID). (Range: 1-4094) remove-ctag - Removes the customer’s VLAN tag.
EXAMPLE This example sets the SVID to 99 in the outer tag for egress packets exiting port 1 when the packet’s CVID is 2.
Console(config)#interface ethernet 1/1
Console(config-if)#switchport dot1q-tunnel service 99 match cvid 2
Console(config-if)#
The following example maps C-VLAN 10 to S-VLAN 100, C-VLAN 20 to S-VLAN 200 and C-VLAN 30 to S-VLAN 300 for ingress traffic on port 1 of Switches A and B.
7. Verify configuration settings.
Console#show dot1q-tunnel service
802.1Q Tunnel Service Subscriptions
Port     Match C-VID  S-VID
-------- -----------  -----
Eth 1/ 1          10    100
Eth 1/ 1          20    200
Eth 1/ 1          30    300
Step 2. Configure Switch C.
1. Create VLAN 100, 200 and 300.
Console(config)#vlan database
Console(config-vlan)#vlan 100,200,300 media ethernet state active
2. Configure port 1 and port 2 as tagged members of VLAN 100, 200 and 300.
◆ The specified ethertype only applies to ports configured in Uplink mode using the switchport dot1q-tunnel mode command. If the port is in normal mode (i.e., unspecified), the TPID is always 8100. If the port is in Access mode, received packets are processed as untagged packets.
Console#show dot1q-tunnel service 100
802.1Q Tunnel Service Subscriptions
Port     Match C-VID  S-VID  Remove C-Tag
-------- -----------  -----  ------------
Eth 1/ 5           1    100  Disabled
Eth 1/ 6           1    100  Enabled
Console#
RELATED COMMANDS switchport dot1q-tunnel mode (1355)
CONFIGURING L2CP TUNNELING This section describes the commands used to configure Layer 2 Protocol Tunneling (L2PT).
CHAPTER 40 | VLAN Commands Configuring L2CP Tunneling ◆ L2PT can be used to pass various types of protocol packets belonging to the same customer transparently across a service provider’s network. In this way, normally segregated network segments can be configured to function inside a common protocol domain.
■ with destination address 01-80-C2-00-00-01~0A (S-VLAN), the frame is filtered, decapsulated, and processed locally by the switch if the protocol is supported. Processing Cisco-compatible protocol packets ◆ When a Cisco-compatible L2PT packet is received on an uplink port, and recognized as a Generic Bridge PDU Tunneling (GBPT) protocol packet (i.e.
EXAMPLE
Console(config)#dot1q-tunnel system-tunnel-control
Console(config)#l2protocol-tunnel tunnel-dmac 01-80-C2-00-00-01
Console(config)#
switchport l2protocol-tunnel This command enables Layer 2 Protocol Tunneling (L2PT) for the specified protocol. Use the no form to disable L2PT for the specified protocol.
CHAPTER 40 | VLAN Commands Configuring VLAN Translation show This command shows settings for Layer 2 Protocol Tunneling (L2PT).
CHAPTER 40 | VLAN Commands Configuring VLAN Translation COMMAND MODE Interface Configuration (Ethernet) COMMAND USAGE ◆ If the next switch upstream does not support QinQ tunneling, then use this command to map the customer’s VLAN ID to the service provider’s VLAN ID for the upstream port. Similarly, if the next switch downstream does not support QinQ tunneling, then use this command to map the service provider’s VLAN ID to the customer’s VLAN ID for the downstream port.
Console# show vlan-translation This command displays the configuration settings for VLAN translation. SYNTAX show vlan-translation [interface interface] interface ethernet unit/port unit - Stack unit. (Range: 1) port - Port number.
community - A VLAN in which traffic is restricted to host members in the same VLAN and to promiscuous ports in the associated primary VLAN. primary - A VLAN which can contain one or more community VLANs, and serves to channel traffic between community VLANs and other locations.
CHAPTER 40 | VLAN Commands Configuring Private VLANs COMMAND MODE VLAN Configuration COMMAND USAGE Secondary VLANs provide security for group members. The associated primary VLAN provides a common interface for access to other network resources within the primary VLAN (e.g., servers configured with promiscuous ports) and to resources outside of the primary VLAN (via promiscuous ports).
switchport private-vlan host-association Use this command to associate an interface with a secondary VLAN. Use the no form to remove this association. SYNTAX switchport private-vlan host-association secondary-vlan-id no switchport private-vlan host-association secondary-vlan-id - ID of secondary (i.e., community) VLAN.
EXAMPLE
Console(config)#interface ethernet 1/2
Console(config-if)#switchport private-vlan mapping 2
Console(config-if)#
show vlan private-vlan Use this command to show the private VLAN configuration settings on this switch. SYNTAX show vlan private-vlan [community | primary] community – Displays all community VLANs, along with their associated primary VLAN and assigned host interfaces.
Table 168: Protocol-based VLAN Commands
Command                                          Function                                                              Mode
protocol-vlan protocol-group                     Create a protocol group, specifying the supported protocols           GC
protocol-vlan protocol-group                     Maps a protocol group to a VLAN                                       IC
show protocol-vlan protocol-group                Shows the configuration of protocol groups                            PE
show interfaces protocol-vlan protocol-group     Shows the interfaces mapped to a protocol group and the corresponding VLAN   PE
To configure pr
CHAPTER 40 | VLAN Commands Configuring Protocol-based VLANs COMMAND MODE Global Configuration EXAMPLE The following creates protocol group 1, and specifies Ethernet frames with IP and ARP protocol types: Console(config)#protocol-vlan protocol-group 1 add frame-type ethernet protocol-type ip Console(config)#protocol-vlan protocol-group 1 add frame-type ethernet protocol-type arp Console(config)# protocol-vlan This command maps a protocol group to a VLAN for the current interface.
EXAMPLE The following example maps the traffic entering Port 1 which matches the protocol type specified in protocol group 1 to VLAN 2.
Console(config)#interface ethernet 1/1
Console(config-if)#protocol-vlan protocol-group 1 vlan 2
Console(config-if)#
show protocol-vlan protocol-group This command shows the frame and protocol type associated with protocol groups.
DEFAULT SETTING The mapping for all interfaces is displayed. COMMAND MODE Privileged Exec EXAMPLE This shows that traffic entering Port 1 that matches the specifications for protocol group 1 will be mapped to VLAN 2:
Console#show interfaces protocol-vlan protocol-group
Port        ProtocolGroup ID    VLAN ID
----------  ------------------  ----------
Eth 1/1     1                   vlan2
Console#
CONFIGURING IP SUBNET VLANS When using IEEE 802.
CHAPTER 40 | VLAN Commands Configuring IP Subnet VLANs subnet-vlan This command configures IP Subnet VLAN assignments. Use the no form to remove an IP subnet-to-VLAN assignment. SYNTAX subnet-vlan subnet ip-address mask vlan vlan-id [priority priority] no subnet-vlan subnet {ip-address mask | all} ip-address – The IP address that defines the subnet. Valid IP addresses consist of four decimal numbers, 0 to 255, separated by periods. mask – This mask identifies the host address bits of the IP subnet.
show subnet-vlan This command displays IP Subnet VLAN assignments. COMMAND MODE Privileged Exec COMMAND USAGE ◆ Use this command to display subnet-to-VLAN mappings. ◆ The last matched entry is used if more than one entry can be matched. EXAMPLE The following example displays all configured IP subnet-based VLANs.
Console#show subnet-vlan
IP Address       Mask
---------------  ---------------
192.168.12.0     255.255.255.128
192.168.12.128   255.255.255.192
192.168.
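The subnet-to-VLAN lookup described here, with its last-matched-entry rule, as an added example (not code from the guide or from Edge-Core). The two subnets are taken from the show subnet-vlan output above; the VLAN IDs, the third entry and the names make_entry, classify and overlapping_entries are this example's own constructions.

```python
"""Added example (not Edge-Core code) modelling the IP subnet VLAN lookup
described for subnet-vlan / show subnet-vlan: when several configured
subnets contain a source address, the LAST matched entry is used.
Function and class names are this example's own; the first two subnets come
from the guide's sample output, the VLAN IDs and the third entry are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class SubnetVlanEntry:
    network: ipaddress.IPv4Network
    vlan_id: int
    priority: int = 0


def make_entry(ip: str, mask: str, vlan_id: int, priority: int = 0) -> SubnetVlanEntry:
    """Validate the arguments of 'subnet-vlan subnet ip mask vlan id [priority p]'.

    ipaddress rejects malformed dotted quads and masks; strict=True also
    rejects an address that has host bits set under the given mask.
    """
    if not 1 <= vlan_id <= 4094:
        raise ValueError(f"vlan-id {vlan_id} outside 1-4094")
    network = ipaddress.IPv4Network((ip, mask), strict=True)
    return SubnetVlanEntry(network, vlan_id, priority)


def classify(table: List[SubnetVlanEntry], src_ip: str) -> Optional[SubnetVlanEntry]:
    """Return the entry that assigns src_ip to a VLAN, or None if no subnet matches.

    The guide's rule is last-match, not longest-prefix: walk the table in
    configuration order and keep overwriting, so the last containing entry wins.
    """
    addr = ipaddress.IPv4Address(src_ip)
    chosen: Optional[SubnetVlanEntry] = None
    for entry in table:
        if addr in entry.network:
            chosen = entry
    return chosen


def overlapping_entries(
    table: List[SubnetVlanEntry],
) -> List[Tuple[SubnetVlanEntry, SubnetVlanEntry]]:
    """Audit helper: pairs of entries whose subnets overlap.

    For these pairs the VLAN assignment depends on configuration order alone, so
    a broad subnet configured after a narrower one silently takes over its hosts.
    """
    pairs = []
    for i, first in enumerate(table):
        for second in table[i + 1:]:
            if first.network.overlaps(second.network):
                pairs.append((first, second))
    return pairs


# Constructed table: the first two subnets as in the guide's show subnet-vlan
# output, plus a broad /24 added last to show the last-match behaviour.
TABLE = [
    make_entry("192.168.12.0", "255.255.255.128", 10),
    make_entry("192.168.12.128", "255.255.255.192", 20),
    make_entry("192.168.12.0", "255.255.255.0", 30),
]

if __name__ == "__main__":
    for ip in ("192.168.12.5", "192.168.12.130", "192.168.12.250", "10.0.0.1"):
        hit = classify(TABLE, ip)
        print(ip, "->", f"VLAN {hit.vlan_id}" if hit else "no subnet VLAN")
    for first, second in overlapping_entries(TABLE):
        print(f"overlap: {first.network} (VLAN {first.vlan_id}) "
              f"and {second.network} (VLAN {second.vlan_id})")
```

With only the first two entries the /25 and /26 do not overlap and each host gets its own VLAN; once the /24 is added last, every host in 192.168.12.0/24 is assigned VLAN 30 regardless of the narrower entries.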
CHAPTER 40 | VLAN Commands Configuring MAC Based VLANs mac-vlan This command configures MAC address-to-VLAN mapping. Use the no form to remove an assignment. SYNTAX mac-vlan mac-address mac-address vlan vlan-id [priority priority] no mac-vlan mac-address {mac-address | all} mac-address – The source MAC address to be matched. Configured MAC addresses can only be unicast addresses. The MAC address must be specified in the format xx-xx-xx-xx-xx-xx or xxxxxxxxxxxx.
EXAMPLE The following example displays all configured MAC address-based VLANs.
Console#show mac-vlan
MAC Address        VLAN ID  Priority
-----------------  -------  --------
00-00-00-11-22-33  10       0
Console#
CONFIGURING VOICE VLANS The switch allows you to specify a Voice VLAN for the network and set a CoS priority for the VoIP traffic. VoIP traffic can be detected on switch ports by using the source MAC address of packets, or by using LLDP (IEEE 802.
CHAPTER 40 | VLAN Commands Configuring Voice VLANs COMMAND MODE Global Configuration COMMAND USAGE ◆ When IP telephony is deployed in an enterprise network, it is recommended to isolate the Voice over IP (VoIP) network traffic from other data traffic. Traffic isolation helps prevent excessive packet delays, packet loss, and jitter, which results in higher voice quality. This is best achieved by assigning all VoIP traffic to a single VLAN.
CHAPTER 40 | VLAN Commands Configuring Voice VLANs The Remaining Age starts to count down when the OUI’s MAC address expires from the MAC address table. Therefore, the MAC address aging time should be added to the overall aging time. For example, if you configure the MAC address table aging time to 30 seconds, and the voice VLAN aging time to 5 minutes, then after 5.5 minutes, a port will be removed from voice VLAN when VoIP traffic is no longer received on the port.
EXAMPLE The following example adds a MAC OUI to the OUI Telephony list.
Console(config)#voice vlan mac-address 00-12-34-56-78-90 mask ff-ff-ff-00-00-00 description A new phone
Console(config)#
switchport voice vlan This command specifies the Voice VLAN mode for ports. Use the no form to disable the Voice VLAN feature on the port.
switchport voice vlan priority This command specifies a CoS priority for VoIP traffic on a port. Use the no form to restore the default priority on a port. SYNTAX switchport voice vlan priority priority-value no switchport voice vlan priority priority-value - The CoS priority value. (Range: 0-6) DEFAULT SETTING 6 COMMAND MODE Interface Configuration COMMAND USAGE Specifies a CoS priority to apply to the port VoIP traffic on the Voice VLAN.
CHAPTER 40 | VLAN Commands Configuring Voice VLANs address OUI numbers must be configured in the Telephony OUI list so that the switch recognizes the traffic as being from a VoIP device. ◆ LLDP checks that the “telephone bit” in the system capability TLV is turned on. See "LLDP Commands" on page 1537 for more information on LLDP. EXAMPLE The following example enables the OUI method on port 1 for detecting VoIP traffic.
CHAPTER 40 | VLAN Commands Configuring Voice VLANs show voice vlan This command displays the Voice VLAN settings on the switch and the OUI Telephony list. SYNTAX show voice vlan {oui | status} oui - Displays the OUI Telephony list. status - Displays the global and port Voice VLAN settings.
41 CLASS OF SERVICE COMMANDS The commands described in this section allow you to specify which data packets have greater precedence when traffic is buffered in the switch due to congestion. This switch supports CoS with eight priority queues for each port. Data packets in a port’s high-priority queue will be transmitted before those in the lower-priority queues.
CHAPTER 41 | Class of Service Commands Priority Commands (Layer 2) queue mode This command sets the scheduling mode used for processing each of the class of service (CoS) priority queues. The options include strict priority, Weighted Round-Robin (WRR), or a combination of strict and weighted queuing. Use the no form to restore the default value.
CHAPTER 41 | Class of Service Commands Priority Commands (Layer 2) ◆ Service time is shared at the egress ports by defining scheduling weights for WRR, or for the queuing mode that uses a combination of strict and weighted queuing. Service time is allocated to each queue by calculating a precise number of bytes per second that will be serviced on each round. ◆ The specified queue mode applies to all interfaces.
EXAMPLE The following example shows how to assign round-robin weights of 1 - 8 to the CoS priority queues 0 - 7.
Console(config)#queue weight 1 2 3 4 5 6 7 8
Console(config)#
RELATED COMMANDS queue mode (1388) show queue weight (1391)
switchport priority default This command sets a priority for incoming untagged frames. Use the no form to restore the default value.
CHAPTER 41 | Class of Service Commands Priority Commands (Layer 2) EXAMPLE The following example shows how to set a default priority on port 3 to 5: Console(config)#interface ethernet 1/3 Console(config-if)#switchport priority default 5 Console(config-if)# RELATED COMMANDS show interfaces switchport (1203) show queue mode This command shows the current queue mode. SYNTAX show queue mode interface interface ethernet unit/port unit - Stack unit. (Range: 1) port - Port number.
EXAMPLE
Console#show queue weight
Information of Eth 1/1
Queue ID  Weight
--------  ------
0         1
1         2
2         4
3         6
4         8
5         10
6         12
7         14
.
.
.
PRIORITY COMMANDS (LAYER 3 AND 4) This section describes commands used to configure Layer 3 and 4 traffic priority mapping on the switch.
Table 174: Priority Commands (Layer 3 and 4)
Command                   Function                                                   Mode
show qos map phb-queue    Shows internal per-hop behavior to hardware queue map      PE
show qos map trust-mode   Shows the QoS mapping mode                                 PE
* The default settings used for mapping priority values to internal DSCP values and back to the hardware queues are designed to optimize priority services for the majority of network applications.
COMMAND USAGE ◆ The default mapping of CoS to PHB values shown in Table 175 is based on the recommended settings in IEEE 802.1p for mapping CoS values to output queues. ◆ Enter a value pair for the internal per-hop behavior and drop precedence, followed by the keyword “from” and then up to eight CoS/CFI paired values separated by spaces. ◆ If a packet arrives with a 802.
CHAPTER 41 | Class of Service Commands Priority Commands (Layer 3 and 4) COMMAND MODE Interface Configuration (Port) COMMAND USAGE ◆ Enter a drop precedence, followed by the keyword “from” and then up to four per-hop behavior values separated by spaces. This command only applies to Layer 2 untagged ingress packets. The drop precedence for any priority tagged ingress packets will be based on the other corresponding QoS mapping schemes described in those sections.
Table 177: Mapping Internal PHB/Drop Precedence to CoS/CFI Values
Per-hop Behavior   Drop Precedence 0 (green)   Drop Precedence 1 (red)   Drop Precedence 3 (yellow)
5                  (5,0)                       (5,0)                     (5,0)
6                  (6,0)                       (6,0)                     (6,0)
7                  (7,0)                       (7,0)                     (7,0)
COMMAND MODE Interface Configuration (Port) COMMAND USAGE ◆ Enter a CoS/CFI value pair, followed by the keyword “from” and then four internal per-hop behavior and drop precedence value pairs separated by spaces.
DEFAULT SETTING
Table 178: Default Mapping of DSCP Values to Internal PHB/Drop Values
ingress-dscp1   0    1    2    3    4    5    6    7    8    9
0               0,0  0,1  0,0  0,3  0,0  0,1  0,0  0,3  1,0  1,1
1               1,0  1,3  1,0  1,1  1,0  1,3  2,0  2,1  2,0  2,3
2               2,0  2,1  2,0  2,3  3,0  3,1  3,0  3,3  3,0  3,1
3               3,0  3,3  4,0  4,1  4,0  4,3  4,0  4,1  4.
qos map ip-port-dscp This command maps the destination TCP/UDP port in incoming packets to per-hop behavior and drop precedence values for priority processing. Use the no form to remove the mapped values for a TCP/UDP port. SYNTAX qos map ip-port-dscp {tcp | udp} port-number to phb drop-precedence no qos map cos-dscp {tcp | udp} port-number phb - Per-hop behavior, or the priority used for this router hop.
DEFAULT SETTING
Table 179: Default Mapping of IP Precedence to Internal PHB/Drop Values
IP Precedence Value   0  1  2  3  4  5  6  7
Per-hop Behavior      0  1  2  3  4  5  6  7
Drop Precedence       0  0  0  0  0  0  0  0
COMMAND MODE Interface Configuration (Port) COMMAND USAGE ◆ Enter up to eight paired values for per-hop behavior and drop precedence separated by spaces.
CHAPTER 41 | Class of Service Commands Priority Commands (Layer 3 and 4) COMMAND USAGE ◆ Enter a queue identifier, followed by the keyword “from” and then up to eight internal per-hop behavior values separated by spaces. ◆ Egress packets are placed into the hardware queues according to the mapping defined by this command. EXAMPLE Console(config)#interface ethernet 1/5 Console(config-if)#qos map phb-queue 0 from 1 2 3 Console(config-if)# qos map trust-mode This command sets QoS mapping to DSCP or CoS.
CHAPTER 41 | Class of Service Commands Priority Commands (Layer 3 and 4) For an untagged packet, the default port priority (see page 1390) is used for priority processing. EXAMPLE This example sets the QoS priority mapping mode to use DSCP based on the conditions described in the Command Usage section. Console(config)#interface ge1/1 Console(config-if)#qos map trust-mode dscp Console(config-if)# show qos map This command shows ingress CoS/CFI to internal DSCP map.
show qos map dscp-cos This command shows the internal DSCP to egress CoS map, which converts internal PHB/Drop Precedence to CoS values. SYNTAX show qos map dscp-cos interface interface interface ethernet unit/port unit - Stack unit. (Range: 1) port - Port number. (Range: 1-28) COMMAND MODE Privileged Exec COMMAND USAGE This map is only used if the packet is forwarded with an 802.1Q tag.
COMMAND USAGE This map is only used when the QoS mapping mode is set to “DSCP” by the qos map trust-mode command, and the ingress packet type is IPv4.
show qos map ip-prec-dscp This command shows the ingress IP precedence to internal DSCP map. SYNTAX show qos map ip-prec-dscp interface interface interface ethernet unit/port unit - Stack unit. (Range: 1) port - Port number.
EXAMPLE
Console#show qos map phb-queue interface ethernet 1/5
Information of Eth 1/5
PHB-queue map:
PHB:   0 1 2 3 4 5 6 7
-------------------------------------------------------
queue: 2 0 1 3 4 5 6 7
Console#
show qos map trust-mode This command shows the QoS mapping mode. SYNTAX show qos map trust-mode interface interface interface ethernet unit/port unit - Unit identifier. (Range: 1) port - Port number.
42 QUALITY OF SERVICE COMMANDS
The commands described in this section are used to configure Differentiated Services (DiffServ) classification criteria and service policies. You can classify traffic based on access lists, IP Precedence or DSCP values, or VLANs. Using access lists allows you to select traffic based on Layer 2, Layer 3, or Layer 4 information contained in each packet.
To create a service policy for a specific category of ingress traffic, follow these steps:
1. Use the class-map command to designate a class name for a specific category of traffic, and enter the Class Map configuration mode.
2. Use the match command to select a specific type of traffic based on an access list, an IPv4 DSCP value, IPv4 Precedence value, IPv6 DSCP value, a VLAN, or a CoS value.
3.
COMMAND USAGE
◆ First enter this command to designate a class map and enter the Class Map configuration mode. Then use match commands to specify the criteria for ingress traffic that will be classified under this class map.
◆ One or more class maps can be assigned to a policy map (page 1411). The policy map is then bound by a service policy to an interface (page 1421). A service policy defines packet classification, service tagging, and bandwidth policing.

match
This command defines the criteria used to classify traffic. Use the no form to delete the matching criteria.
SYNTAX
[no] match {access-list acl-name | cos cos | ip dscp dscp | ip precedence ip-precedence | ipv6 dscp dscp | vlan vlan}
acl-name - Name of the access control list. Any type of ACL can be specified, including standard or extended IPv4/IPv6 ACLs and MAC ACLs. (Range: 1-16 characters)
cos - A Class of Service value.
This example creates a class map called “rd-class#2,” and sets it to match packets marked for IP Precedence service value 5.
Console(config)#class-map rd-class#2 match-any
Console(config-cmap)#match ip precedence 5
Console(config-cmap)#
This example creates a class map called “rd-class#3,” and sets it to match packets marked for VLAN 1.
COMMAND USAGE
◆ Use the policy-map command to specify the name of the policy map, and then use the class command to configure policies for traffic that matches the criteria defined in a class map.
◆ A policy map can contain multiple class statements that can be applied to the same interface with the service-policy command.
◆ Create a Class Map (page 1411) before assigning it to a Policy Map.
◆ police commands define parameters such as the maximum throughput, burst rate, and response to non-conforming traffic. Up to 16 classes can be included in a policy map.
COMMAND MODE
Policy Map Class Configuration
COMMAND USAGE
◆ You can configure up to 16 policers (i.e., class maps) for ingress ports.
◆ The committed-rate cannot exceed the configured interface speed, and the committed-burst cannot exceed 16 Mbytes.
◆ Policing is based on a token bucket, where bucket depth (i.e.

police srtcm-color
This command defines an enforcer for classified traffic based on a single rate three color meter (srTCM). Use the no form to remove a policer.
SYNTAX
[no] police {srtcm-color-blind | srtcm-color-aware} committed-rate committed-burst excess-burst conform-action {transmit | new-dscp} exceed-action {drop | new-dscp} violate-action {drop | new-dscp}
srtcm-color-blind - Single rate three color meter in color-blind mode.
◆ The srTCM as defined in RFC 2697 meters a traffic stream and processes its packets according to three traffic parameters – Committed Information Rate (CIR), Committed Burst Size (BC), and Excess Burst Size (BE).
◆ The PHB label is composed of five bits, three bits for per-hop behavior, and two bits for the color scheme used to control queue congestion.
EXAMPLE
This example creates a policy called “rd-policy,” uses the class command to specify the previously defined “rd-class,” uses the set phb command to classify the service that incoming packets will receive, and then uses the police srtcm-color-blind command to limit the average bandwidth to 100,000 Kbps, the committed burst rate to 4000 bytes, the excess burst rate to 6000 bytes, to remark any packets exceeding the committed burst size, and to drop any packets
violate-action - Action to take when rate exceeds the PIR. (There are not enough tokens in bucket BP to service the packet, the packet is set red.)
drop - Drops packet as required by exceed-action or violate-action.
transmit - Transmits without taking any action.
new-dscp - Differentiated Service Code Point (DSCP) value. (Range: 0-63)
DEFAULT SETTING
None
COMMAND MODE
Policy Map Class Configuration
COMMAND USAGE
◆ You can configure up to 16 policers (i.e.
When a packet of size B bytes arrives at time t, the following happens if trTCM is configured to operate in color-blind mode:
■ If Tp(t)-B < 0, the packet is red,
■ else if Tc(t)-B < 0, the packet is yellow and Tp is decremented by B,
■ else the packet is green and both Tp and Tc are decremented by B.
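The two meters behind the police commands above (the srTCM of RFC 2697 described under police srtcm-color, and the trTCM decision rule just given) are easiest to understand as a token-bucket simulation. The following is an added illustration written for this guide, not switch firmware; it assumes rates in bytes per second, burst sizes in bytes, both buckets initially full (as the RFCs specify), and a police() helper that maps each color to the conform-action, exceed-action or violate-action the text lists (transmit, drop, or a new DSCP). The trTCM follows RFC 2698, which the text paraphrases.

```python
"""Color-blind srTCM (RFC 2697) and trTCM (RFC 2698) token-bucket meters.

Added illustration, not the switch's own code. Rates are bytes/second,
burst sizes are bytes, time is seconds, buckets start full.
"""
from dataclasses import dataclass, field

GREEN, YELLOW, RED = "green", "yellow", "red"


@dataclass
class SrTCM:
    """Single rate three color meter: buckets C (CBS) and E (EBS), both filled at CIR."""
    cir: float
    cbs: int
    ebs: int
    tc: float = field(init=False)
    te: float = field(init=False)
    last: float = field(init=False, default=0.0)

    def __post_init__(self) -> None:
        self.tc, self.te = float(self.cbs), float(self.ebs)

    def _refill(self, now: float) -> None:
        # Tokens arrive at CIR; bucket C fills first, the surplus spills into E.
        tokens = max(0.0, now - self.last) * self.cir
        self.last = max(self.last, now)
        into_c = min(tokens, self.cbs - self.tc)
        self.tc += into_c
        self.te = min(float(self.ebs), self.te + tokens - into_c)

    def meter(self, size: int, now: float) -> str:
        self._refill(now)
        if self.tc - size >= 0:      # fits the committed burst
            self.tc -= size
            return GREEN
        if self.te - size >= 0:      # fits the excess burst
            self.te -= size
            return YELLOW
        return RED                   # neither bucket can service the packet


@dataclass
class TrTCM:
    """Two rate three color meter: bucket C (CBS at CIR) and bucket P (PBS at PIR)."""
    cir: float
    cbs: int
    pir: float
    pbs: int
    tc: float = field(init=False)
    tp: float = field(init=False)
    last: float = field(init=False, default=0.0)

    def __post_init__(self) -> None:
        self.tc, self.tp = float(self.cbs), float(self.pbs)

    def _refill(self, now: float) -> None:
        dt = max(0.0, now - self.last)
        self.last = max(self.last, now)
        self.tc = min(float(self.cbs), self.tc + dt * self.cir)
        self.tp = min(float(self.pbs), self.tp + dt * self.pir)

    def meter(self, size: int, now: float) -> str:
        self._refill(now)
        if self.tp - size < 0:       # over the peak rate: red
            return RED
        if self.tc - size < 0:       # within PIR but over CIR: yellow, charge P only
            self.tp -= size
            return YELLOW
        self.tc -= size              # green: charge both buckets
        self.tp -= size
        return GREEN


def police(color: str, conform_action, exceed_action, violate_action, dscp: int):
    """Apply the configured action: "transmit", "drop", or an int new DSCP.
    Returns (forwarded, dscp); dscp is None for a dropped packet."""
    action = {GREEN: conform_action, YELLOW: exceed_action, RED: violate_action}[color]
    if action == "drop":
        return False, None
    if action == "transmit":
        return True, dscp
    return True, int(action)


def run_srtcm_burst() -> list:
    """Constructed burst: seven 1500-byte packets at t=0, then one after 1 s.
    Parameters follow the page's example: 100,000 Kbps (12,500,000 bytes/s),
    committed burst 4000 bytes, excess burst 6000 bytes."""
    meter = SrTCM(cir=12_500_000, cbs=4000, ebs=6000)
    colors = [meter.meter(1500, 0.0) for _ in range(7)]
    colors.append(meter.meter(1500, 1.0))   # both buckets refilled by then
    return colors


def run_trtcm_burst() -> list:
    """Constructed burst for the trTCM: CIR 1000 B/s, CBS 2000, PIR 2000 B/s, PBS 3000."""
    meter = TrTCM(cir=1000, cbs=2000, pir=2000, pbs=3000)
    colors = [meter.meter(1000, 0.0) for _ in range(4)]
    colors.append(meter.meter(1000, 1.0))
    return colors
```

In the srTCM burst the first two packets drain bucket C, the next four drain bucket E and are marked yellow, the seventh finds both buckets empty and is red, and after a one-second pause both buckets are full again. The trTCM run shows the ordering the text gives: the peak bucket is checked first, so a packet is red as soon as P cannot cover it even if C still has tokens.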
COMMAND USAGE
◆ The set cos command is used to set the CoS value in the VLAN tag for matching packets.
◆ The set cos and set phb commands function at the same level of priority. Therefore setting either of these commands will overwrite any action already configured by the other command.
EXAMPLE
This example creates a policy called “rd-policy,” uses the class command to specify the previously defined “rd-class,” uses the set phb command to classify the service that incoming packets will receive, and then uses the police flow command to limit the average bandwidth to 100,000 Kbps, the burst rate to 4000 bytes, and configure the response to drop any violating packets.

show class-map
This command displays the QoS class maps which define matching criteria used for classifying traffic.
SYNTAX
show class-map [class-map-name]
class-map-name - Name of the class map. (Range: 1-32 characters)
DEFAULT SETTING
Displays all class maps.
Description:
 class rd-class
  set phb 3
Console#show policy-map rd-policy class rd-class
Policy Map rd-policy
 class rd-class
  set phb 3
Console#

show policy-map interface
This command displays the service policy assigned to the specified interface.
SYNTAX
show policy-map interface interface input
interface unit/port
unit - Unit identifier. (Range: 1)
port - Port number.
43 MULTICAST FILTERING COMMANDS
This switch uses IGMP (Internet Group Management Protocol) to check for any attached hosts that want to receive a specific multicast service. It identifies the ports containing hosts requesting a service and sends data out to those ports only. It then propagates the service request up to any neighboring multicast switch/router to ensure that it will continue to receive the multicast service.
CHAPTER 43 | Multicast Filtering Commands IGMP Snooping
IGMP SNOOPING
This section describes commands used to configure IGMP snooping on the switch.
Table 183: IGMP Snooping Commands (Continued)
Command / Function / Mode
ip igmp snooping vlan static - Adds an interface as a member of a multicast group - GC
ip igmp snooping vlan version - Configures the IGMP version for snooping - GC
ip igmp snooping vlan version-exclusive - Discards received IGMP messages which use a version different from that currently configured - GC
show ip igmp snooping - Shows the IGMP snooping, proxy, and query configuration - PE
ip igmp snooping priority
This command assigns a priority to all multicast traffic. Use the no form to restore the default setting.
SYNTAX
ip igmp snooping priority priority
no ip igmp snooping priority
priority - The CoS priority assigned to all multicast traffic.
COMMAND USAGE
◆ When proxy reporting is enabled with this command, the switch performs “IGMP Snooping with Proxy Reporting” (as defined in DSL Forum TR-101, April 2006), including last leave, and query suppression. Last leave sends out a proxy query when the last member leaves a multicast group, and query suppression means that specific queries are not forwarded from an upstream multicast router to hosts downstream from this device.
DEFAULT SETTING
Disabled
COMMAND MODE
Global Configuration
COMMAND USAGE
As described in Section 9.1 of RFC 3376 for IGMP Version 3, the Router Alert Option can be used to protect against DoS attacks.

ip igmp snooping tcn-flood
This command enables flooding of multicast traffic if a spanning tree topology change notification (TCN) occurs. Use the no form to disable flooding.
SYNTAX
[no] ip igmp snooping tcn-flood
DEFAULT SETTING
Disabled
COMMAND MODE
Global Configuration
COMMAND USAGE
◆ When a spanning tree topology change occurs, the multicast membership information learned by the switch may be out of date.
EXAMPLE
The following example enables TCN flooding.
Console(config)#ip igmp snooping tcn-flood
Console(config)#

ip igmp snooping tcn-query-solicit
This command instructs the switch to send out an IGMP general query solicitation when a spanning tree topology change notification (TCN) occurs. Use the no form to disable this feature.
COMMAND MODE
Global Configuration
COMMAND USAGE
Once the table used to store multicast entries for IGMP snooping and multicast routing is filled, no new entries are learned. If no router port is configured in the attached VLAN, and unregistered-flooding is disabled, any subsequent multicast traffic not found in the table is dropped; otherwise it is flooded throughout the VLAN.
ip igmp snooping version
This command configures the IGMP snooping version. Use the no form to restore the default.
DEFAULT SETTING
Global: Disabled
VLAN: Disabled
COMMAND MODE
Global Configuration
COMMAND USAGE
◆ If version exclusive is disabled on a VLAN, then this setting is based on the global setting. If it is enabled on a VLAN, then this setting takes precedence over the global setting.
◆ When this function is disabled, the currently selected version is backward compatible (see the ip igmp snooping version command).

ip igmp snooping vlan immediate-leave
This command immediately deletes a member port of a multicast service if a leave packet is received at that port and immediate-leave is enabled for the parent VLAN. Use the no form to restore the default.

ip igmp snooping vlan last-memb-query-count
This command configures the number of IGMP proxy group-specific or group-and-source-specific query messages that are sent out before the system assumes there are no more local members. Use the no form to restore the default.
COMMAND USAGE
◆ When a multicast host leaves a group, it sends an IGMP leave message. When the leave message is received by the switch, it checks to see if this host is the last to leave the group by sending out an IGMP group-specific or group-and-source-specific query message, and starts a timer. If no reports are received before the timer expires, the group record is deleted, and a report is sent to the upstream multicast router.
messages is not required and may be disabled using the no ip igmp snooping vlan mrd command.
◆ This command may also be used to disable multicast router solicitation messages when the upstream router does not support MRD, to reduce the loading on a busy upstream router, or when IGMP snooping is disabled in a VLAN.
EXAMPLE
This example disables sending of multicast router solicitation messages on VLAN 1.
Rules Used for Proxy Reporting
When IGMP Proxy Reporting is disabled, the switch will use a null IP address for the source of IGMP query and report messages unless a proxy query address has been set.
◆ This command applies when the switch is serving as the querier (page 1429), or as a proxy host when IGMP snooping proxy reporting is enabled (page 1428).
EXAMPLE
Console(config)#ip igmp snooping vlan 1 query-interval 150
Console(config)#

ip igmp snooping vlan query-resp-
This command configures the maximum time the system waits for a response to general queries. Use the no form to restore the default.

ip igmp snooping vlan static
This command adds a port to a multicast group. Use the no form to remove the port.
SYNTAX
[no] ip igmp snooping vlan vlan-id static ip-address interface
vlan-id - VLAN ID (Range: 1-4094)
ip-address - IP address for multicast group
interface
ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number.
COMMAND USAGE
This command displays global and VLAN-specific IGMP configuration settings. See "Configuring IGMP Snooping and Query Parameters" on page 613 for a description of the displayed items.
igmpsnp - Display only entries learned through IGMP snooping.
sort-by-port - Display entries sorted by port.
user - Display only the user-configured multicast entries.
vlan-id - VLAN ID (1-4094)
DEFAULT SETTING
None
COMMAND MODE
Privileged Exec
COMMAND USAGE
Member types displayed include IGMP or USER, depending on selected options.
EXAMPLE
The following shows the multicast entries learned through IGMP snooping for VLAN 1.
query - Displays IGMP snooping-related statistics.
CHAPTER 43 | Multicast Filtering Commands Static Multicast Routing
Table 185: show ip igmp snooping statistics output - display description
Field / Description
G Query - The number of general query messages sent from this interface.
G(-S)-S Query - The number of group specific or group-and-source specific query messages sent from this interface.
The following shows IGMP query-related statistics for VLAN 1:
Console#show ip igmp snooping statistics query vlan 1
Querier IP Address : 192.168.1.

ip igmp snooping vlan mrouter
This command statically configures a (Layer 2) multicast router port on the specified VLAN. Use the no form to remove the configuration.
SYNTAX
[no] ip igmp snooping vlan vlan-id mrouter interface
vlan-id - VLAN ID (Range: 1-4094)
interface
ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number.
CHAPTER 43 | Multicast Filtering Commands IGMP Filtering and Throttling
COMMAND MODE
Privileged Exec
COMMAND USAGE
Multicast router port types displayed include Static or Dynamic.
EXAMPLE
The following shows the ports in VLAN 1 which are attached to multicast routers.
Table 188: IGMP Filtering and Throttling Commands (Continued)
Command / Function / Mode
show ip igmp query-drop - Shows if the interface is configured to drop IGMP query packets - PE
show ip igmp throttle interface - Displays the IGMP throttling setting for interfaces - PE
show ip multicast-data-drop - Shows if the interface is configured to drop multicast data packets - PE

ip igmp filter
This command globally enables IGMP filtering and thr
ip igmp profile
This command creates an IGMP filter profile number and enters IGMP profile configuration mode. Use the no form to delete a profile number.
SYNTAX
[no] ip igmp profile profile-number
profile-number - An IGMP filter profile number. (Range: 1-4294967295)
DEFAULT SETTING
Disabled
COMMAND MODE
Global Configuration
COMMAND USAGE
A profile defines the multicast groups that a subscriber is permitted or denied to join.
EXAMPLE
Console(config)#ip igmp profile 19
Console(config-igmp-profile)#permit
Console(config-igmp-profile)#

range
This command specifies multicast group addresses for a profile. Use the no form to delete addresses from a profile.
SYNTAX
[no] range low-ip-address [high-ip-address]
low-ip-address - A valid IP address of a multicast group or start of a group range.
COMMAND USAGE
◆ If IGMP authentication is enabled on an interface, and a join report is received on the interface, the switch will send an access request to the RADIUS server to perform authentication.
◆ Only when the RADIUS server responds with an authentication success message will the switch learn the group report.
EXAMPLE
This example shows how to enable IGMP Authentication on all of the switch’s Ethernet interfaces.
Console(config)#interface ethernet 1/1-28
Console(config-if)#ip igmp authentication
Console#
RELATED COMMANDS
show ip igmp authentication

ip igmp filter (Interface Configuration)
This command assigns an IGMP filtering profile to an interface on the switch. Use the no form to remove a profile from an interface.

ip igmp max-groups
This command sets the IGMP throttling number for an interface on the switch. Use the no form to restore the default setting.
SYNTAX
ip igmp max-groups number
no ip igmp max-groups
number - The maximum number of multicast groups an interface can join at the same time.
COMMAND USAGE
When the maximum number of groups is reached on a port, the switch can take one of two actions: either “deny” or “replace.” If the action is set to deny, any new IGMP join reports will be dropped. If the action is set to replace, the switch randomly removes an existing group and replaces it with the new multicast group.
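The filter profile (ip igmp profile with range entries) and the throttling limit (ip igmp max-groups with its deny or replace action) together decide whether a join report on a subscriber port is honoured. The following added illustration, written for this guide and not taken from the switch, models that admission decision; it assumes a permit profile admits only groups inside its ranges while a deny profile rejects only those groups, and uses the deny profile shown in the show ip igmp filter output below (239.1.1.1 and 239.2.3.1 to 239.2.3.100) as constructed input.

```python
"""IGMP join admission on a port: filter profile first, then max-groups throttling.

Added illustration, not switch firmware. Assumption: a permit profile admits
only the groups in its ranges; a deny profile rejects only those groups.
"""
import ipaddress
import random
from typing import List, Optional, Tuple


class IgmpProfile:
    """An IGMP filter profile: an access mode plus one or more group ranges."""

    def __init__(self, number: int, access: str,
                 ranges: List[Tuple[str, Optional[str]]]):
        if access not in ("permit", "deny"):
            raise ValueError("access must be 'permit' or 'deny'")
        self.number = number
        self.access = access
        # A range given as a single address covers just that address.
        self.ranges = [(ipaddress.ip_address(lo), ipaddress.ip_address(hi or lo))
                       for lo, hi in ranges]

    def covers(self, group: str) -> bool:
        g = ipaddress.ip_address(group)
        return any(lo <= g <= hi for lo, hi in self.ranges)

    def allows(self, group: str) -> bool:
        return self.covers(group) if self.access == "permit" else not self.covers(group)


class IgmpPort:
    """Per-port state: optional profile, max-groups limit and throttling action."""

    def __init__(self, name: str, profile: Optional[IgmpProfile] = None,
                 max_groups: Optional[int] = None, action: str = "deny",
                 rng: Optional[random.Random] = None):
        if action not in ("deny", "replace"):
            raise ValueError("action must be 'deny' or 'replace'")
        self.name = name
        self.profile = profile
        self.max_groups = max_groups
        self.action = action
        self.rng = rng or random.Random()
        self.groups: List[str] = []

    def join(self, group: str) -> Tuple[str, Optional[str]]:
        """Process one join report; returns (result, evicted_group).

        result is "filtered" (profile denied it), "throttled" (limit reached
        with action deny) or "joined" (with the randomly evicted group when
        the action is replace)."""
        if self.profile is not None and not self.profile.allows(group):
            return "filtered", None
        if group in self.groups:
            return "joined", None        # already a member: nothing changes
        if self.max_groups is not None and len(self.groups) >= self.max_groups:
            if self.action == "deny":
                return "throttled", None
            evicted = self.rng.choice(self.groups)   # replace: random existing group
            self.groups.remove(evicted)
            self.groups.append(group)
            return "joined", evicted
        self.groups.append(group)
        return "joined", None


def demo() -> dict:
    """Constructed scenario: deny profile 19 from the show ip igmp filter output,
    one port with action deny and one with action replace, both limited to 2 groups."""
    profile19 = IgmpProfile(19, "deny", [("239.1.1.1", None), ("239.2.3.1", "239.2.3.100")])
    deny_port = IgmpPort("eth1/1", profile19, max_groups=2, action="deny")
    results = [deny_port.join(g)[0] for g in
               ("239.2.3.50", "239.5.5.1", "239.5.5.2", "239.5.5.3", "239.5.5.1")]
    replace_port = IgmpPort("eth1/2", profile19, max_groups=2, action="replace",
                            rng=random.Random(7))   # seeded only for a repeatable demo
    for g in ("239.5.5.1", "239.5.5.2"):
        replace_port.join(g)
    outcome, evicted = replace_port.join("239.5.5.3")
    return {"deny_results": results, "replace_outcome": outcome,
            "evicted": evicted, "replace_groups": sorted(replace_port.groups)}
```

The profile check runs before the count check, so a filtered group never consumes a slot; with action replace the port stays at its limit but the evicted group is chosen at random, which is why the text describes it as unpredictable from the subscriber's point of view.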
COMMAND USAGE
This command can be used to stop multicast services from being forwarded to users attached to the downstream port (i.e., the interfaces specified by this command).
EXAMPLE
Console(config)#interface ethernet 1/1
Console(config-if)#ip multicast-data-drop
Console(config-if)#

show ip igmp authentication
This command displays the interface settings for IGMP authentication.

show ip igmp filter
This command displays the global and interface settings for IGMP filtering.
SYNTAX
show ip igmp filter [interface interface]
interface
ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number.
Deny
Range 239.1.1.1 239.1.1.1
Range 239.2.3.1 239.2.3.100
Console#

show ip igmp query-drop
This command shows if the specified interface is configured to drop IGMP query packets.
SYNTAX
show ip igmp query-drop [interface interface]
interface
ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number.
COMMAND MODE
Privileged Exec
COMMAND USAGE
Using this command without specifying an interface displays information for all interfaces.
EXAMPLE
Console#show ip igmp throttle interface ethernet 1/1
Eth 1/1 Information
 Status                   : TRUE
 Action                   : Deny
 Max Multicast Groups     : 32
 Current Multicast Groups : 0
Console#

show ip multicast-data-drop
This command shows if the specified interface is configured to drop multicast data packets.
CHAPTER 43 | Multicast Filtering Commands MLD Snooping
MLD SNOOPING
Multicast Listener Discovery (MLD) snooping operates on IPv6 traffic and performs a similar function to IGMP snooping for IPv4. That is, MLD snooping dynamically configures switch ports to limit IPv6 multicast traffic so that it is forwarded only to ports with users that want to receive it. This reduces the flooding of IPv6 multicast packets in the specified VLANs. There are two versions of the MLD protocol, version 1 and version 2.

ipv6 mld snooping
This command enables MLD Snooping globally on the switch. Use the no form to disable MLD Snooping.
SYNTAX
[no] ipv6 mld snooping
DEFAULT SETTING
Disabled
COMMAND MODE
Global Configuration
EXAMPLE
The following example enables MLD Snooping:
Console(config)#ipv6 mld snooping
Console(config)#

ipv6 mld snooping querier
This command allows the switch to act as the querier for MLDv2 snooping. Use the no form to disable this feature.

ipv6 mld snooping query-interval
This command configures the interval between sending MLD general queries. Use the no form to restore the default.
SYNTAX
ipv6 mld snooping query-interval interval
no ipv6 mld snooping query-interval
interval - The interval between sending MLD general queries.
EXAMPLE
Console(config)#ipv6 mld snooping query-max-response-time seconds 15
Console(config)#

ipv6 mld snooping robustness
This command configures the MLD Snooping robustness variable. Use the no form to restore the default value.
SYNTAX
ipv6 mld snooping robustness value
no ipv6 mld snooping robustness
value - The number of the robustness variable.
COMMAND USAGE
The router port expire time is the time the switch waits after the previous querier stops before it considers the router port (i.e., the interface that had been receiving query packets) to have expired.
EXAMPLE
Console(config)#ipv6 mld snooping router-port-expire-time 300
Console(config)#

ipv6 mld snooping unknown-multicast
This command sets the action for dealing with unknown multicast packets. Use the no form to restore the default.

ipv6 mld snooping version
This command configures the MLD snooping version. Use the no form to restore the default.
SYNTAX
ipv6 mld snooping version {1 | 2}
1 - MLD version 1.
2 - MLD version 2.
DEFAULT SETTING
Version 2
COMMAND MODE
Global Configuration
EXAMPLE
Console(config)#ipv6 mld snooping version 1
Console(config)#

ipv6 mld snooping vlan mrouter
This command statically configures an IPv6 multicast router port.
EXAMPLE
The following shows how to configure port 1 as a multicast router port within VLAN 1:
Console(config)#ipv6 mld snooping vlan 1 mrouter ethernet 1/1
Console(config)#

ipv6 mld snooping vlan static
This command adds a port to an IPv6 multicast group. Use the no form to remove the port.
SYNTAX
[no] ipv6 mld snooping vlan vlan-id static ipv6-address interface
vlan-id - VLAN ID (Range: 1-4094)
ipv6-address - An IPv6 address of a multicast group.
COMMAND MODE
Global Configuration
COMMAND USAGE
◆ If MLD immediate-leave is not used, a multicast router (or querier) will send a group-specific query message when an MLD group leave message is received. The router/querier stops forwarding traffic for that group only if no host replies to the query within the specified timeout period.
◆ If MLD immediate-leave is enabled, the switch assumes that only one host is connected to the interface.

show ipv6 mld snooping group
This command shows known multicast groups, member ports, and the means by which each group was learned.
CHAPTER 43 | Multicast Filtering Commands MLD Filtering and Throttling
Option: Filter Mode: Include, Exclude
Console#

show ipv6 mld snooping mrouter
This command shows MLD Snooping multicast router information.
SYNTAX
show ipv6 mld snooping mrouter vlan vlan-id
vlan-id - A VLAN identification number.
Table 191: MLD Filtering and Throttling Commands (Continued)
Command / Function / Mode
show ipv6 mld filter - Displays the MLD filtering status - PE
show ipv6 mld profile - Displays MLD profiles and settings - PE
show ipv6 mld query-drop - Shows if the interface is configured to drop MLD query packets - PE
show ipv6 mld throttle interface - Displays the MLD throttling setting for interfaces - PE

ipv6 mld filter
This command globally enables
ipv6 mld profile
This command creates an MLD filter profile number and enters MLD profile configuration mode. Use the no form to delete a profile number.
SYNTAX
[no] ipv6 mld profile profile-number
profile-number - An MLD filter profile number. (Range: 1-4294967295)
DEFAULT SETTING
Disabled
COMMAND MODE
Global Configuration
COMMAND USAGE
A profile defines the multicast groups that a subscriber is permitted or denied to join.
EXAMPLE
Console(config)#ipv6 mld profile 19
Console(config-mld-profile)#permit
Console(config-mld-profile)#

range
This command specifies multicast group addresses for a profile. Use the no form to delete addresses from a profile.
SYNTAX
[no] range low-ipv6-address [high-ipv6-address]
low-ipv6-address - A valid IPv6 address (X:X:X:X::X) of a multicast group or start of a group range.
COMMAND USAGE
◆ The MLD filtering profile must first be created with the ipv6 mld profile command before being able to assign it to an interface.
◆ Only one profile can be assigned to an interface.
◆ A profile can also be assigned to a trunk interface. When ports are configured as trunk members, the trunk uses the filtering profile assigned to the first port member in the trunk.
EXAMPLE
Console(config)#interface ethernet 1/1
Console(config-if)#ipv6 mld max-groups 10
Console(config-if)#

ipv6 mld max-groups action
This command sets the MLD throttling action for an interface on the switch.
SYNTAX
ipv6 mld max-groups action {deny | replace}
deny - The new multicast group join report is dropped.
replace - The new multicast group replaces an existing group.
COMMAND USAGE
This command can be used to drop any query packets received on the specified interface. If this switch is acting as a Querier, this prevents it from being affected by messages received from another Querier.
EXAMPLE
Console(config)#interface ethernet 1/1
Console(config-if)#ipv6 mld query-drop
Console(config-if)#

ipv6 multicast-data-drop
Use this command to enable multicast data guard mode on a port interface.
EXAMPLE
Console#show ipv6 mld filter
MLD filter Enabled
Console#show ipv6 mld filter interface ethernet 1/3
Ethernet 1/3 information
--------------------------------
MLD Profile 19
Deny
Range ff01::101 ff01::faa
Console#

show ipv6 mld profile
This command displays MLD filtering profiles created on the switch.
SYNTAX
show ipv6 mld profile [profile-number]
profile-number - An existing MLD filter profile number.
DEFAULT SETTING
None
COMMAND MODE
Privileged Exec
COMMAND USAGE
Using this command without specifying an interface displays all interfaces.
EXAMPLE
Console#show ipv6 mld query-drop interface ethernet 1/1
Ethernet 1/1: Enabled
Console#

show ipv6 mld throttle interface
This command displays the interface settings for MLD throttling.
SYNTAX
show ipv6 mld throttle interface [interface]
interface
ethernet unit/port
unit - Unit identifier.
CHAPTER 43 | Multicast Filtering Commands MVR for IPv4
MVR FOR IPV4
This section describes commands used to configure Multicast VLAN Registration for IPv4 (MVR). A single network-wide VLAN can be used to transmit multicast traffic (such as television channels) across a service provider’s network. Any multicast traffic entering an MVR VLAN is sent to all subscribers.
Table 192: Multicast VLAN Registration for IPv4 Commands (Continued)
Command / Function / Mode
show mvr members - Shows information about the current number of entries in the forwarding database, or detailed information about a specific multicast address - PE
show mvr profile - Shows all configured MVR profiles - PE
show mvr statistics - Shows MVR protocol statistics for the specified interface - PE

mvr
This command enables Multicast VLAN Registration (MVR
COMMAND MODE
Global Configuration
EXAMPLE
The following example associates an MVR group address profile with domain 1:
Console(config)#mvr domain 1 associated-profile rd
Console(config)#
RELATED COMMANDS
mvr profile (1481)

mvr domain
This command enables Multicast VLAN Registration (MVR) for a specific domain. Use the no form of this command to disable MVR for a domain.
SYNTAX
[no] mvr domain domain-id
domain-id - An independent multicast domain.

mvr profile
This command maps a range of MVR group addresses to a profile. Use the no form of this command to remove the profile.
SYNTAX
mvr profile profile-name start-ip-address end-ip-address
profile-name - The name of a profile containing one or more MVR group addresses. (Range: 1-21 characters)
start-ip-address - Starting IPv4 address for an MVR multicast group. (Range: 224.0.1.0 - 239.255.255.
DEFAULT SETTING
125 seconds
COMMAND MODE
Global Configuration
COMMAND USAGE
This command sets the general query interval at which active receiver ports send out general queries. This interval is only effective when proxy switching is enabled with the mvr proxy-switching command.
EXAMPLE
This example sets the proxy query interval for MVR proxy switching.

mvr proxy-switching
This command enables MVR proxy switching, where the source port acts as a host, and the receiver port acts as an MVR router with querier service enabled. Use the no form to disable this function.
SYNTAX
[no] mvr proxy-switching
DEFAULT SETTING
Enabled
COMMAND MODE
Global Configuration
COMMAND USAGE
◆ When MVR proxy-switching is enabled, an MVR source port serves as the upstream or host interface.
RELATED COMMANDS
mvr robustness-value (1484)

mvr robustness-value
This command configures the expected packet loss, and thereby the number of times to generate report and group-specific queries. Use the no form to restore the default setting.
SYNTAX
mvr robustness-value value
no mvr robustness-value
value - The robustness used for all interfaces.
COMMAND USAGE
◆ By default, the switch forwards any multicast streams within the address range set by a profile, and bound to a domain. The multicast streams are sent to all source ports on the switch and to all receiver ports that have elected to receive data on that multicast address.
◆ When the mvr source-port-mode dynamic command is used, the switch only forwards multicast streams which the source port has dynamically joined.

mvr vlan
This command specifies the VLAN through which MVR multicast data is received. Use the no form of this command to restore the default MVR VLAN.
SYNTAX
mvr domain domain-id vlan vlan-id
no mvr domain domain-id vlan
domain-id - An independent multicast domain. (Range: 1-5)
vlan-id - Specifies the VLAN through which MVR multicast data is received. This is also the VLAN to which all source ports must be assigned.
COMMAND MODE
Interface Configuration (Ethernet, Port Channel)
COMMAND USAGE
◆ Immediate leave applies only to receiver ports. When enabled, the receiver port is immediately removed from the multicast group identified in the leave message.
◆ Receiver ports can belong to different VLANs, but should not normally be configured as a member of the MVR VLAN. IGMP snooping can also be used to allow a receiver port to dynamically join or leave multicast groups not sourced through the MVR VLAN.
◆ One or more interfaces may be configured as MVR source ports.
COMMAND USAGE
◆ Multicast groups can be statically assigned to a receiver port using this command.
◆ The IP address range from 224.0.0.0 to 239.255.255.255 is used for multicast streams. MVR group addresses cannot fall within the reserved IP multicast address range of 224.0.0.x.
◆ Only IGMP version 2 or 3 hosts can issue multicast join or leave messages.
CHAPTER 43 | Multicast Filtering Commands MVR for IPv4 MVR MVR MVR MVR . . . Running Status Multicast VLAN Current Learned Groups Upstream Source IP : : : : Active 1 10 192.168.0.3 Table 193: show mvr - display description Field Description MVR 802.
CHAPTER 43 | Multicast Filtering Commands MVR for IPv4 testing Console# 228.2.23.1 228.2.23.10 show mvr interface This command shows MVR configuration settings for interfaces attached to the MVR VLAN. SYNTAX show mvr [domain domain-id] interface domain-id - An independent multicast domain. (Range: 1-5) DEFAULT SETTING Displays configuration settings for all attached interfaces.
CHAPTER 43 | Multicast Filtering Commands MVR for IPv4 show mvr members This command shows information about the current number of entries in the forwarding database, detailed information about a specific multicast address, the IP address of the hosts subscribing to all active multicast groups, or the multicast groups associated with each port. SYNTAX show mvr [domain domain-id] members [ip-address | host-ip-address [interface] | sort-by-port [interface]]] domain-id - An independent multicast domain.
CHAPTER 43 | Multicast Filtering Commands MVR for IPv4 The following example shows detailed information about a specific multicast address: Console#show mvr domain 1 members 234.5.6.7 MVR Domain : 1 MVR Forwarding Entry Count :1 Flag: S - Source port, R - Receiver port. H - Host counts (number of hosts joined to group on this port). P - Port counts (number of ports joined to group). Up time: Group elapsed time (d:h:m:s). Expire : Group remaining time (m:s).
CHAPTER 43 | Multicast Filtering Commands MVR for IPv4 show mvr statistics This command shows MVR protocol-related statistics for the specified interface. SYNTAX show mvr statistics {input | output} [interface interface] show mvr domain domain-id statistics {input [interface interface] | output [interface interface] | query} domain-id - An independent multicast domain. (Range: 1-5) interface ethernet unit/port unit - Unit identifier. (Range: 1) port - Port number.
CHAPTER 43 | Multicast Filtering Commands MVR for IPv4 Table 196: show mvr statistics input - display description (Continued) Field Description Drop The number of times a report, leave or query was dropped. Packets may be dropped due to invalid format, rate limiting, packet content not allowed, or MVR group report received Join Succ The number of times a multicast group was successfully joined. Group The number of MVR groups active on this interface.
CHAPTER 43 | Multicast Filtering Commands MVR for IPv6 Table 198: show mvr statistics query - display description (Continued) Field Description General Query Sent The number of general queries sent from this interface. Specific Query Received The number of specific queries received on this interface. Specific Query Sent The number of specific queries sent from this interface. Number of Reports Sent The number of reports sent from this interface.
Table 199: Multicast VLAN Registration for IPv6 Commands (Continued) Command Function Mode clear mvr6 statistics Clears the MVR statistics globally or on a per-interface basis.
mvr6 domain This command enables Multicast VLAN Registration (MVR) for a specific domain. Use the no form of this command to disable MVR for a domain. SYNTAX [no] mvr6 domain domain-id domain-id - An independent multicast domain.
COMMAND USAGE ◆ Use this command to statically configure all multicast group addresses that will join the MVR VLAN. Any multicast data associated with an MVR group is sent from all source ports, and to all receiver ports that have registered to receive data from that multicast group. ◆ All IPv6 addresses must conform to RFC 2373 “IPv6 Addressing Architecture,” using 8 colon-separated 16-bit hexadecimal values.
mvr6 proxy-switching This command enables MVR proxy switching, where the source port acts as a host, and the receiver port acts as an MVR router with querier service enabled. Use the no form to disable this function.
RELATED COMMANDS mvr6 robustness-value (1501) mvr6 robustness-value This command configures the expected packet loss, and thereby the number of times to generate report and group-specific queries. Use the no form to restore the default setting. SYNTAX mvr6 robustness-value value no mvr6 robustness-value value - The robustness used for all interfaces.
COMMAND USAGE ◆ By default, the switch forwards any multicast streams within the address range set by a profile, and bound to a domain. The multicast streams are sent to all source ports on the switch and to all receiver ports that have elected to receive data on that multicast address. ◆ When the mvr6 source-port-mode dynamic command is used, the switch only forwards multicast streams that the source port has dynamically joined.
mvr6 vlan This command specifies the VLAN through which MVR multicast data is received. Use the no form of this command to restore the default MVR VLAN. SYNTAX mvr6 domain domain-id vlan vlan-id no mvr6 domain domain-id vlan domain-id - An independent multicast domain. (Range: 1-5) vlan-id - Specifies the VLAN through which MVR multicast data is received. This is also the VLAN to which all source ports must be assigned.
COMMAND USAGE ◆ Immediate leave applies only to receiver ports. When enabled, the receiver port is immediately removed from the multicast group identified in the leave message. When immediate leave is disabled, the switch follows the standard rules by sending a group-specific query to the receiver port and waiting for a response to determine if there are any remaining subscribers for that multicast group before removing the port from the group list.
leave multicast groups using the standard rules for multicast filtering (see "MLD Snooping Commands" on page 1469). ◆ Receiver ports can belong to different VLANs, but should not be configured as a member of the MVR VLAN. Also, note that VLAN membership for MVR receiver ports cannot be set to access mode (see the switchport mode command). ◆ One or more interfaces may be configured as MVR source ports.
COMMAND MODE Interface Configuration (Ethernet, Port Channel) COMMAND USAGE ◆ Multicast groups can be statically assigned to a receiver port using this command. The assigned address must fall within the range set by the mvr6 associated-profile command. ◆ All IPv6 addresses must conform to RFC 2373 “IPv6 Addressing Architecture,” using 8 colon-separated 16-bit hexadecimal values.
clear mvr6 statistics Use this command to clear the MVR6 statistics. SYNTAX clear mvr6 statistics [interface {ethernet unit/port | port-channel channel-id | vlan vlan-id}] ethernet unit/port unit - Unit identifier. (Range: 1) port - Port number. (Range: 1-28) port-channel channel-id (Range: 1-8) vlan vlan-id (Range: 1-4094) COMMAND MODE Privileged Exec COMMAND USAGE If the interface option is not used then all MVR6 statistics are cleared.
MVR6 Proxy Query Interval : 125(sec. MVR6 Source Port Mode : . . . MVR6 Domain : MVR6 Config Status : MVR6 Running Status : MVR6 Multicast VLAN : MVR6 Current Learned Groups : MVR6 Upstream Source IP :
EXAMPLE The following displays the profiles bound to domain 1: Console#show mvr6 domain 1 associated-profile Domain ID : 1 MVR Profile Name Start IPv6 Addr. End IPv6 Addr. -------------------- ------------------------- ------------------------- rd FF00::1 FF00::9 Console# show mvr6 interface This command shows MVR configuration settings for interfaces attached to the MVR VLAN.
show mvr6 members This command shows information about the current number of entries in the forwarding database, or detailed information about a specific multicast address. SYNTAX show mvr6 [domain domain-id] members [ip-address] domain-id - An independent multicast domain. (Range: 1-5) ip-address - IPv6 address for an MVR multicast group. DEFAULT SETTING Displays configuration settings for all domains and all forwarding entries.
Table 202: show mvr6 members - display description Field Description Group Address Multicast group address. VLAN VLAN to which this address is forwarded. Port Port to which this address is forwarded. Up time Time that this multicast group has been known. Expire The time until this entry expires. Count The number of times this address has been learned by MVR (MLD snooping). show mvr6 profile This command shows all configured MVR profiles.
DEFAULT SETTING Displays statistics for all domains.
CHAPTER 43 | Multicast Filtering Commands IGMP (Layer 3) Table 204: show mvr6 statistics output - display description Field Description Interface Shows interfaces attached to the MVR. Report The number of IGMP membership reports sent from this interface. Leave The number of leave messages sent from this interface. G Query The number of general query messages sent from this interface. G(-S)-S Query The number of group specific or group-and-source specific query messages sent from this interface.
ip igmp This command enables IGMP on a VLAN interface. Use the no form of this command to disable IGMP on the specified interface. SYNTAX [no] ip igmp DEFAULT SETTING Disabled COMMAND MODE Interface Configuration (VLAN) COMMAND USAGE ◆ IGMP (including query functions) can be enabled for specific VLAN interfaces at Layer 3 through the ip igmp command. ◆ When a multicast routing protocol, such as PIM, is enabled, IGMP is also enabled.
ip igmp last-member-query-interval This command configures the frequency at which to send IGMP group-specific or IGMPv3 group-source-specific query messages in response to receiving a group-specific or group-source-specific leave message. Use the no form to restore the default setting.
COMMAND USAGE ◆ IGMPv1 does not support a configurable maximum response time for query messages. It is fixed at 10 seconds for IGMPv1. ◆ By varying the Maximum Response Interval, the burstiness of IGMP messages passed on the subnet can be tuned; larger values make the traffic less bursty, as host responses are spread out over a larger interval.
and 3, the designated querier is the lowest IP-addressed multicast router on the subnet. EXAMPLE The following shows how to configure the query interval to 100 seconds. Console(config-if)#ip igmp query-interval 100 Console(config-if)# RELATED COMMANDS ip igmp max-resp-interval (1515) ip igmp robustval This command specifies the robustness (expected packet loss) for this interface. Use the no form of this command to restore the default value.
ip igmp static-group This command configures the router to be a static member of a multicast group on the specified VLAN interface. Use the no form to remove the static mapping. SYNTAX ip igmp static-group group-address [source source-address] no ip igmp static-group group-address - IP multicast group address. (The group addresses specified cannot be in the range of 224.0.0.1 - 239.255.255.255.
ip igmp version This command configures the IGMP version used on an interface. Use the no form of this command to restore the default. SYNTAX ip igmp version {1 | 2 | 3} no ip igmp version 1 - IGMP Version 1 2 - IGMP Version 2 3 - IGMP Version 3 DEFAULT SETTING IGMP Version 2 COMMAND MODE Interface Configuration (VLAN) COMMAND USAGE ◆ All routers on the subnet must support the same version.
COMMAND USAGE Enter the address for a multicast group to delete all entries for the specified group. Enter the interface option to delete all multicast groups for the specified interface. Enter no options to clear all multicast groups from the cache. EXAMPLE The following example clears all multicast group entries for VLAN 1.
224.0.17.17 1 192.168.1.10 0:0:1 0:4:19 0:0:0 Console# Table 206: show ip igmp groups - display description Field Description Group Address IP multicast group address with subscribers directly attached or downstream from the switch. Interface VLAN The interface on the switch that has received traffic directed to the multicast group address.
Table 207: show ip igmp groups detail - display description Field Description Group mode In INCLUDE mode, reception of packets sent to the specified multicast address is requested only from those IP source addresses listed in the source-list parameter.
CHAPTER 43 | Multicast Filtering Commands IGMP Proxy Routing Joined Groups : Static Groups : switch# IGMP PROXY ROUTING This section describes commands used to configure IGMP Proxy Routing on the switch.
COMMAND USAGE ◆ When IGMP proxy is enabled on an interface, that interface is known as the upstream or host interface. This interface performs only the host portion of IGMP by sending IGMP membership reports, and automatically disables IGMP router functions. ◆ Interfaces with IGMP enabled, but not located in the direction of the multicast tree root are known as downstream or router interfaces.
CHAPTER 43 | Multicast Filtering Commands MLD (Layer 3) DEFAULT SETTING 400 seconds COMMAND MODE Interface Configuration (VLAN) EXAMPLE The following example sets the interval for sending unsolicited IGMP reports to 5 seconds. switch(config)#interface vlan switch(config-if)#ip igmp proxy unsolicited-report-interval 5 switch(config)# MLD (LAYER 3) This section describes commands used to configure Layer 3 Multicast Listener Discovery (MLD) on the switch.
COMMAND MODE Interface Configuration (VLAN) COMMAND USAGE MLD (including query functions) can be enabled for specific VLAN interfaces at Layer 3 through the ipv6 mld command.
intervals defined by this command. If no response is received after this period, the switch stops forwarding for the group, source or channel. EXAMPLE Console(config)#interface vlan 1 Console(config-if)#ipv6 mld last-member-query-response-interval 20 Console(config-if)# ipv6 mld max-resp-interval This command configures the maximum response time advertised in MLD queries. Use the no form of this command to restore the default setting.
ipv6 mld query-interval This command configures the frequency at which host query messages are sent. Use the no form to restore the default. SYNTAX ipv6 mld query-interval seconds no ipv6 mld query-interval seconds - The frequency at which the switch sends MLD host-query messages.
COMMAND MODE Interface Configuration (VLAN) COMMAND USAGE ◆ The robustness value is used to compensate for expected packet loss on a link. It indicates the number of refresh packets related to the current MLD state which might be lost without having to terminate that state. ◆ Routers adopt the robustness value from the most recently received query.
◆ Use the no form of this command without specifying a group address to delete all any-source and source-specific multicast entries. ◆ Use the no form of this command to delete a static group without specifying the source address to delete all any-source and source-specific multicast entries for the specified group. ◆ The switch supports a maximum of 64 static group entries.
EXAMPLE Console(config-if)#ipv6 mld version 1 Console(config-if)# clear ipv6 mld group This command deletes entries from the MLD cache. SYNTAX clear ipv6 mld group [group-address | interface interface] group-address - IPv6 address of the multicast group. interface vlan vlan-id - VLAN ID. (Range: 1-4094) DEFAULT SETTING Deletes all entries in the cache if no options are selected.
COMMAND MODE Privileged Exec COMMAND USAGE To display information about multicast groups, MLD must first be enabled on the interface to which a group has been assigned using the ipv6 mld command, and multicast routing must be enabled globally on the system using the ip multicast-routing command. EXAMPLE The following shows options for displaying MLD group information.
CHAPTER 43 | Multicast Filtering Commands MLD Proxy Routing show ipv6 mld interface This command shows multicast information for the specified interface. SYNTAX show ipv6 mld interface [interface] interface vlan vlan-id - VLAN ID. (Range: 1-4094) DEFAULT SETTING None COMMAND MODE Privileged Exec EXAMPLE The following example shows the MLD configuration for VLAN 1, as well as the device currently serving as the MLD querier for active multicast services on this interface.
To enable MLD proxy service, follow these steps: 1. Use the ipv6 multicast-routing command to enable IP multicasting globally on the router. 2. Use the ipv6 mld proxy command to enable MLD proxy on the upstream interface that is attached to an upstream multicast router. 3. Use the ipv6 mld command to enable MLD on the downstream interfaces from which to forward MLD membership reports. 4.
◆ Only one upstream interface is supported on the system. ◆ MLD and MLD proxy cannot be enabled on the same interface. ◆ A maximum of 1024 multicast streams are supported. EXAMPLE The following example enables multicast routing globally on the switch, configures VLAN 2 as a downstream interface, and then VLAN 1 as the upstream interface.
44 LLDP COMMANDS Link Layer Discovery Protocol (LLDP) is used to discover basic information about neighboring devices on the local broadcast domain. LLDP is a Layer 2 protocol that uses periodic broadcasts to advertise information about the sending device. Advertised information is represented in Type Length Value (TLV) format according to the IEEE 802.1ab standard, and can include details such as device identification, capabilities and configuration settings.
CHAPTER 44 | LLDP Commands Table 212: LLDP Commands (Continued) Command Function Mode lldp basic-tlv system-name Configures an LLDP-enabled port to advertise its system name IC lldp dot1-tlv proto-ident* Configures an LLDP-enabled port to advertise the supported protocols IC lldp dot1-tlv proto-vid* Configures an LLDP-enabled port to advertise port-based protocol related VLAN information IC lldp dot1-tlv pvid* Configures an LLDP-enabled port to advertise its default VLAN ID IC lldp dot1-tlv v
lldp This command enables LLDP globally on the switch. Use the no form to disable LLDP. SYNTAX [no] lldp DEFAULT SETTING Enabled COMMAND MODE Global Configuration EXAMPLE Console(config)#lldp Console(config)# lldp holdtime-multiplier This command configures the time-to-live (TTL) value sent in LLDP advertisements. Use the no form to restore the default setting.
lldp med-fast-start-count This command specifies the number of MED Fast Start LLDPDUs to transmit during the activation process of the LLDP-MED Fast Start mechanism. Use the no form to restore the default setting. SYNTAX lldp med-fast-start-count packets no lldp med-fast-start-count packets - Number of packets.
◆ Information about changes in LLDP neighbors that occur between SNMP notifications is not transmitted. Only state changes that exist at the time of a notification are included in the transmission. An SNMP agent should therefore periodically check the value of lldpStatsRemTableLastChangeTime to detect any lldpRemTablesChange notification-events missed due to throttling or transmission loss.
COMMAND MODE Global Configuration COMMAND USAGE When LLDP is re-initialized on a port, all information in the remote systems LLDP MIB associated with this port is deleted. EXAMPLE Console(config)#lldp reinit-delay 10 Console(config)# lldp tx-delay This command configures a delay between the successive transmission of advertisements initiated by a change in local LLDP MIB variables. Use the no form to restore the default setting.
lldp admin-status This command enables LLDP transmit, receive, or transmit and receive mode on the specified port. Use the no form to disable this feature. SYNTAX lldp admin-status {rx-only | tx-only | tx-rx} no lldp admin-status rx-only - Only receive LLDP PDUs. tx-only - Only transmit LLDP PDUs. tx-rx - Both transmit and receive LLDP Protocol Data Units (PDUs).
enterprise specific or other starting points for the search, such as the Interface or Entity MIB. ◆ Since there are typically a number of different addresses associated with a Layer 3 device, an individual LLDP PDU may contain more than one management address TLV.
lldp basic-tlv system-capabilities This command configures an LLDP-enabled port to advertise its system capabilities. Use the no form to disable this feature. SYNTAX [no] lldp basic-tlv system-capabilities DEFAULT SETTING Enabled COMMAND MODE Interface Configuration (Ethernet, Port Channel) COMMAND USAGE The system capabilities identify the primary function(s) of the system and whether or not these primary functions are enabled.
lldp basic-tlv system-name This command configures an LLDP-enabled port to advertise the system name. Use the no form to disable this feature. SYNTAX [no] lldp basic-tlv system-name DEFAULT SETTING Enabled COMMAND MODE Interface Configuration (Ethernet, Port Channel) COMMAND USAGE The system name is taken from the sysName object in RFC 3418, which contains the system’s administratively assigned name, and is in turn based on the hostname command.
lldp dot1-tlv proto-vid This command configures an LLDP-enabled port to advertise port-based protocol VLAN information. Use the no form to disable this feature. SYNTAX [no] lldp dot1-tlv proto-vid DEFAULT SETTING Enabled COMMAND MODE Interface Configuration (Ethernet, Port Channel) COMMAND USAGE This option advertises the port-based protocol VLANs configured on this interface (see "Configuring Protocol-based VLANs" on page 1371).
lldp dot1-tlv vlan-name This command configures an LLDP-enabled port to advertise its VLAN name. Use the no form to disable this feature. SYNTAX [no] lldp dot1-tlv vlan-name DEFAULT SETTING Enabled COMMAND MODE Interface Configuration (Ethernet, Port Channel) COMMAND USAGE This option advertises the name of all VLANs to which this interface has been assigned. See "switchport allowed vlan" on page 1347 and "protocol-vlan protocol-group (Configuring Interfaces)" on page 1373.
lldp dot3-tlv mac-phy This command configures an LLDP-enabled port to advertise its MAC and physical layer capabilities. Use the no form to disable this feature. SYNTAX [no] lldp dot3-tlv mac-phy DEFAULT SETTING Enabled COMMAND MODE Interface Configuration (Ethernet, Port Channel) COMMAND USAGE This option advertises MAC/PHY configuration/status which includes information about auto-negotiation support/capabilities, and operational Multistation Access Unit (MAU) type.
lldp med-location civic-addr This command configures an LLDP-MED-enabled port to advertise its location identification details. Use the no form to restore the default settings. SYNTAX lldp med-location civic-addr [[country country-code] | [what device-type] | [ca-type ca-value]] no lldp med-location civic-addr [[country] | [what] | [ca-type]] country-code – The two-letter ISO 3166 country code in capital ASCII letters.
Table 213: LLDP MED Location CA Types (Continued) CA Type - Description (CA Value Example): 18 - Street suffix or type (Avenue); 19 - House number (320); 20 - House number suffix (A); 21 - Landmark or vanity address (Tech Center); 26 - Unit (apartment, suite) (Apt 519); 27 - Floor (5); 28 - Room (509B). Any number of CA type and value pairs can be specified for the civic address location, as long as the total does not exceed 250 characters.
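As an added illustration (not Edge-Core code), the following Python builds and parses a civic-address LCI from CA type/value pairs like those in Table 213 and enforces the 250-character ceiling stated above. It assumes the ANSI/TIA-1057 civic LCI layout (LCI length, What, two-letter country code, then CA type/length/value triples); the sample values are constructed from the table.

```python
"""Encode and parse an LLDP-MED civic-address LCI (added example, not Edge-Core code).

Assumed layout (ANSI/TIA-1057 / RFC 4776 civic location):
  LCI length (1 octet) | What (1 octet) | country code (2 ASCII octets)
  | repeated: CA type (1) | CA length (1) | CA value (CA length octets)
"""
from __future__ import annotations
import struct

# CA types taken from Table 213 of the command reference
CA_STREET_SUFFIX = 18
CA_HOUSE_NUMBER = 19
CA_HOUSE_NUMBER_SUFFIX = 20
CA_LANDMARK = 21
CA_UNIT = 26
CA_FLOOR = 27
CA_ROOM = 28

# Ceiling on the combined size of all CA type/value pairs, as stated in the guide
MAX_CA_BYTES = 250


def encode_civic_lci(country: str, what: int, ca_pairs: list[tuple[int, str]]) -> bytes:
    """Return the LCI octets, or raise ValueError on input the switch would reject."""
    if len(country) != 2 or not country.isascii() or not country.isupper():
        raise ValueError("country must be a two-letter upper-case ISO 3166 code")
    if what not in (0, 1, 2):  # 0 DHCP server, 1 network element, 2 client (assumed)
        raise ValueError("what must be 0, 1 or 2")
    body = b""
    for ca_type, ca_value in ca_pairs:
        if not 0 <= ca_type <= 255:
            raise ValueError(f"CA type {ca_type} out of range")
        value = ca_value.encode("utf-8")
        if len(value) > 255:  # one-octet CA length field
            raise ValueError(f"CA value for type {ca_type} exceeds 255 octets")
        body += struct.pack("!BB", ca_type, len(value)) + value
    if len(body) > MAX_CA_BYTES:
        raise ValueError(f"CA pairs total {len(body)} octets, limit is {MAX_CA_BYTES}")
    payload = struct.pack("!B", what) + country.encode("ascii") + body
    return struct.pack("!B", len(payload)) + payload


def decode_civic_lci(data: bytes) -> tuple[str, int, list[tuple[int, str]]]:
    """Parse LCI octets back into (country, what, ca_pairs); raise on truncation."""
    if len(data) < 4:
        raise ValueError("LCI too short")
    if data[0] != len(data) - 1:
        raise ValueError("LCI length field does not match the data")
    what = data[1]
    country = data[2:4].decode("ascii")
    pairs: list[tuple[int, str]] = []
    pos = 4
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated CA header")
        ca_type, ca_len = data[pos], data[pos + 1]
        pos += 2
        if pos + ca_len > len(data):
            raise ValueError("truncated CA value")
        pairs.append((ca_type, data[pos:pos + ca_len].decode("utf-8")))
        pos += ca_len
    return country, what, pairs


def civic_lci_accepted(country: str, what: int, ca_pairs: list[tuple[int, str]]) -> bool:
    """True if the civic address encodes within the limits, False otherwise."""
    try:
        encode_civic_lci(country, what, ca_pairs)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample: values from Table 213, country TW as in the show lldp output
    sample = [(CA_HOUSE_NUMBER, "320"), (CA_STREET_SUFFIX, "Avenue"), (CA_FLOOR, "5")]
    lci = encode_civic_lci("TW", 2, sample)
    print(lci.hex(), decode_civic_lci(lci))
```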
COMMAND USAGE ◆ This option sends out SNMP trap notifications to designated target stations at the interval specified by the lldp notification-interval command. Trap notifications include information about state changes in the LLDP MIB (IEEE 802.1AB), the LLDP-MED MIB (ANSI/TIA 1057), or organization-specific LLDP-EXT-DOT1 and LLDP-EXT-DOT3 MIBs. ◆ SNMP trap destinations are defined using the snmp-server host command.
lldp med-tlv location This command configures an LLDP-MED-enabled port to advertise its location identification details. Use the no form to disable this feature. SYNTAX [no] lldp med-tlv location DEFAULT SETTING Enabled COMMAND MODE Interface Configuration (Ethernet, Port Channel) COMMAND USAGE This option advertises location identification details.
lldp med-tlv network-policy This command configures an LLDP-MED-enabled port to advertise its network policy configuration. Use the no form to disable this feature. SYNTAX [no] lldp med-tlv network-policy DEFAULT SETTING Enabled COMMAND MODE Interface Configuration (Ethernet, Port Channel) COMMAND USAGE This option advertises network policy configuration information, aiding in the discovery and diagnosis of VLAN configuration mismatches on a port.
An SNMP agent should therefore periodically check the value of lldpStatsRemTableLastChangeTime to detect any lldpRemTablesChange notification-events missed due to throttling or transmission loss. EXAMPLE Console(config)#interface ethernet 1/1 Console(config-if)#lldp notification Console(config-if)# show lldp config This command shows LLDP configuration settings for all ports. SYNTAX show lldp config [detail interface] detail - Shows configuration summary.
Console#show lldp config detail ethernet 1/1 LLDP Port Configuration Detail Port : Eth 1/1 Admin Status : Tx-Rx Notification Enabled : True Basic TLVs Advertised: port-description system-name system-description system-capabilities management-ip-address 802.1 specific TLVs Advertised: *port-vid *vlan-name *proto-vlan *proto-ident 802.
EXAMPLE Console#show lldp info local-device LLDP Local System Information Chassis Type : MAC Address Chassis ID : 00-01-02-03-04-05 System Name : System Description : ECS4600-28F System Capabilities Support : Bridge, Router System Capabilities Enabled : Bridge, Router Management Address : 192.168.0.
EXAMPLE Note that an IP phone or other end-node device which advertises LLDP-MED capabilities must be connected to the switch for information to be displayed in the “LLDP-MED Capability” and other related fields.
Location Identification : Location Data Format : Civic Address LCI Country Name : TW What : 2 Extended Power via MDI : Power Type : PSE Power Source : Unknown Power Priority : Unknown Power Value : 0 Watts Inventory : Hardware Revision : R01 Firmware Revision : 1.2.2.1 Software Revision : 1.2.2.1 Serial Number : Manufacture Name : Model Name : Asset ID : Console# The following example shows information which is displayed for an end-node device which advertises LLDP-MED TLVs. ..
show lldp info statistics This command shows statistics based on traffic received through all attached LLDP-enabled interfaces. SYNTAX show lldp info statistics [detail interface] detail - Shows configuration summary. interface ethernet unit/port unit - Unit identifier. (Range: 1) port - Port number.
45 CFM COMMANDS Connectivity Fault Management (CFM) is an OAM protocol that includes proactive connectivity monitoring using continuity check messages, fault verification through loop back messages, and fault isolation by examining end-to-end connections between Provider Edge devices or between Customer Edge devices. CFM is implemented as a service level protocol based on service instances which encompass only that portion of the metropolitan area network supporting a specific customer.
CHAPTER 45 | CFM Commands Table 214: CFM Commands (Continued) Command Function Mode ethernet cfm mep Sets an interface as a domain boundary, defines it as a maintenance end point (MEP), and sets direction of the MEP in regard to sending and receiving CFM messages IC ethernet cfm port-enable Enables CFM processing on an interface IC clear ethernet cfm ais mpid Clears AIS defect information for the specified MEP PE show ethernet cfm configuration Displays CFM configuration settings, including gl
Table 214: CFM Commands (Continued) Command Function Mode ethernet cfm linktrace cache Enables caching of CFM data learned through link trace messages GC ethernet cfm linktrace cache hold-time Sets the hold time for CFM link trace cache entries GC ethernet cfm linktrace cache size Sets the maximum size for the link trace cache GC ethernet cfm linktrace Sends CFM link trace messages to the MAC address for a MEP PE clear ethernet cfm linktrace-cache Clears link trace
Defining CFM Structures

5. Enable CFM globally on the switch with the ethernet cfm enable command.
6. Enable CFM on the local MEPs with the ethernet cfm port-enable command.
7. Enable continuity check operations with the ethernet cfm cc enable command.
8. Enable cross-check operations with the ethernet cfm mep crosscheck command.

EXAMPLE This example sets the maintenance level for sending AIS messages within the specified MA.
Console(config)#ethernet cfm ais level 4 md voip ma rd
Console(config)#

ethernet cfm ais ma
This command enables the MEPs within the specified MA to send frames with AIS information following detection of defect conditions. Use the no form to disable this feature.
SYNTAX [no] ethernet cfm ais md domain-name ma ma-name
domain-name – Domain name.

ethernet cfm ais period
This command configures the interval at which AIS information is sent. Use the no form to restore the default setting.
SYNTAX ethernet cfm ais period period md domain-name ma ma-name
no ethernet cfm ais period md domain-name ma ma-name
period – The interval at which AIS information is sent. (Options: 1 second, 60 seconds)
domain-name – Domain name. (Range: 1-43 alphanumeric characters)
ma-name – Maintenance association name.

COMMAND USAGE
◆ For multipoint connectivity, a MEP cannot determine the specific maintenance level entity that has encountered defect conditions upon receiving a frame with AIS information. More importantly, it cannot determine the associated subset of its peer MEPs for which it should suppress alarms, since the received AIS information does not contain that information.
pass, and only if a maintenance end point (MEP) is created at some lower MA Level.
none – No MIP can be created for any MA configured in this domain.
DEFAULT SETTING No maintenance domains are configured. No MIPs are created for any MA in the specified domain.
COMMAND MODE Global Configuration
COMMAND USAGE
◆ A domain can only be configured with one name.
Also note that MEPs are active agents which can initiate continuity check messages (CCMs), transmit loopback or link trace messages, and maintain the local CCM database. MIPs, on the other hand, are passive agents which can only validate received CFM messages and respond to loopback and link trace messages. The MIP creation method defined by the ma index name command takes precedence over the method defined by this command.

ma index name
This command creates a maintenance association (MA) within the current maintenance domain, maps it to a customer service instance (S-VLAN), and sets the manner in which MIPs are created for this service instance. Use the no form with the vlan keyword to remove the S-VLAN from the specified MA, or use the no form with only the index keyword to remove the MA from the current domain.

EXAMPLE This example creates a maintenance association, binds it to VLAN 1, and allows MIPs to be created within this MA using the default method.
Console(config)#ethernet cfm domain index 1 name voip level 3
Console(config-ether-cfm)#ma index 1 name rd vlan 1 mip-creation default
Console(config-ether-cfm)#

ma index name-format
This command specifies the name format for the maintenance association as IEEE 802.1ag character based, or ITU-T SG13/SG15 Y.
ma-name – Maintenance association name. (Range: 1-44 alphanumeric characters)
up – Indicates that the MEP faces inward toward the switch cross-connect matrix, and transmits CFM messages towards, and receives them from, the direction of the internal bridge relay mechanism.

COMMAND USAGE
◆ An interface must be enabled before a MEP can be created with the ethernet cfm mep command.
◆ If a MEP has been configured on an interface with the ethernet cfm mep command, it must first be deleted before CFM can be disabled on that interface.
◆ When CFM is disabled, hardware resources previously used for CFM processing on that interface are released, and all CFM frames entering that interface are forwarded as normal data traffic.

show ethernet cfm configuration
This command displays CFM configuration settings, including global configuration settings, SNMP traps, and interface settings.
SYNTAX show ethernet cfm configuration {global | traps | interface interface}
global – Displays global settings including CFM global status, crosscheck start delay, and link trace parameters.
traps – Displays the status of all continuity check and cross-check traps.

Table 215: show ethernet cfm configuration traps - display description
Field | Description
CC MEP Up Trap | Sends a trap if a remote MEP is discovered and added to the local database, the port state of a previously discovered remote MEP changes, or a CCM is received from a remote MEP which has an expired entry in the archived database.

show ethernet cfm ma
This command displays the configured maintenance associations.
SYNTAX show ethernet cfm ma [level level]
level – Maintenance level. (Range: 0-7)
DEFAULT SETTING None
COMMAND MODE Privileged Exec
COMMAND USAGE For a description of the values displayed in the CC Interval field, refer to the ethernet cfm cc ma interval command.
EXAMPLE This example shows all configured maintenance associations.
DEFAULT SETTING None
COMMAND MODE Privileged Exec
COMMAND USAGE
◆ Use the mep keyword with this command to display the MEPs configured on this device as DSAPs through the ethernet cfm mep command.
◆ Use the mip keyword with this command to display the MIPs generated on this device by the CFM protocol when the mip-creation method is set to either "default" or "explicit" by the ethernet cfm domain command or the ma index name command.
EXAMPLE This example shows detailed information about the local MEP on port 1.

Table 216: show ethernet cfm maintenance-points local detail mep - display
Field | Description
Suppress Alarm | Shows if the specified MEP is configured to suppress sending frames containing AIS information following the detection of defect conditions.
Suppressing Alarms | Shows if the specified MEP is currently suppressing sending frames containing AIS information following the detection of defect conditions.

CC Lifetime : 645 seconds
Age of Last CC Message : 2 seconds
Frame Loss : 137
CC Packet Statistics : 647/1
Port State : Up
Interface State : Up
Crosscheck Status : Enabled
Console#

Table 217: show ethernet cfm maintenance-points remote detail - display
Field | Description
MAC Address | MAC address of the remote maintenance point.
Continuity Check Operations

ethernet cfm cc ma interval
This command sets the transmission delay between continuity check messages (CCMs). Use the no form to restore the default settings.
SYNTAX ethernet cfm cc md domain-name ma ma-name interval interval-level
no ethernet cfm cc ma ma-name interval
domain-name – Domain name. (Range: 1-43 alphanumeric characters)
ma-name – Maintenance association name.

ethernet cfm cc enable
This command enables the transmission of continuity check messages (CCMs) within a specified maintenance association. Use the no form to disable the transmission of these messages.
SYNTAX [no] ethernet cfm cc enable md domain-name ma ma-name
domain-name – Domain name. (Range: 1-43 alphanumeric characters)
ma-name – Maintenance association name.

snmp-server enable traps ethernet cfm cc
This command enables SNMP traps for CFM continuity check events. Use the no form to disable these traps.
SYNTAX [no] snmp-server enable traps ethernet cfm cc [config | loop | mep-down | mep-up]
config – Sends a trap if this device receives a CCM with the same MPID as its own but with a different source MAC address, indicating that a CFM configuration error exists.

mep archive-hold-time
This command sets the time that data from a missing MEP is retained in the continuity check message (CCM) database before being purged. Use the no form to restore the default setting.
SYNTAX mep archive-hold-time hold-time
hold-time – The time to retain data for a missing MEP.

EXAMPLE
Console#clear ethernet cfm maintenance-points remote domain voip
Console#

clear ethernet cfm errors
This command clears continuity check errors logged for the specified maintenance domain or maintenance level.
SYNTAX clear ethernet cfm errors [domain domain-name | level level-id]
domain-name – Domain name. (Range: 1-43 alphanumeric characters)
level-id – Maintenance level.
Cross Check Operations

EXAMPLE
Console#show ethernet cfm errors
Level VLAN MPID Interface Remote MAC        Reason           MA Name
----- ---- ---- --------- ----------------- ---------------- ---------------
5     2    40   Eth 1/1   ab.2f.9c.00.05.01 LEAK             provider_1_2
Console#

Table 218: show ethernet cfm errors - display description
Field | Description
Level | Maintenance level associated with this entry.
VLAN | VLAN in which this error occurred.
MPID | Identifier of remote MEP.

COMMAND MODE Global Configuration
COMMAND USAGE
◆ This command sets the delay that a device waits for a remote MEP to come up before it starts cross-checking the list of statically configured remote MEPs in the local maintenance domain against the MEPs learned through CCMs.
◆ The cross-check start delay should be configured to a value greater than or equal to the continuity check message interval to avoid generating unnecessary traps.

remote MEP configured in the static list (with the mep crosscheck mpid command).
◆ A mep-unknown trap is sent if cross-checking is enabled, and a CCM is received from a remote MEP that is not configured in the static list.
◆ A ma-up trap is sent if cross-checking is enabled, and a CCM is received from all remote MEPs configured in the static list for this maintenance association.
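The trap conditions described for continuity check (the config trap for a CCM carrying the local MPID with a foreign source MAC) and for cross-check (mep-unknown, ma-up), worked through in Python as an added example that is not the switch's own code. The local MEP, the static cross-check list and the received CCMs are constructed inline; the "mep-missing" result name is assumed for the static-list MEPs from which no CCM arrived (the bullet describing that trap is cut off above).

```python
"""Derive CFM continuity-check / cross-check events from received CCMs.

Added example; not from the manual or the switch firmware.  Event names
follow the trap keywords documented on this page (config, mep-up,
mep-unknown, ma-up); "mep-missing" is an assumed name.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class CCM:
    """Fields of a received continuity check message that matter here."""
    md: str        # maintenance domain name
    ma: str        # maintenance association name
    mpid: int      # MEP identifier of the sending MEP
    src_mac: str   # source MAC address of the CCM frame


@dataclass(frozen=True)
class LocalMep:
    md: str
    ma: str
    mpid: int
    mac: str
    crosscheck: frozenset          # static list built with "mep crosscheck mpid"
    crosscheck_enabled: bool = True


def evaluate_ccms(local: LocalMep, ccms: list) -> dict:
    """Return the events a MEP would raise after processing `ccms`."""
    events = {"config": [], "mep-up": [], "mep-unknown": [],
              "ma-up": False, "mep-missing": []}
    seen = []               # remote MPIDs, in order of first CCM
    flagged_unknown = set()
    for c in ccms:
        if (c.md, c.ma) != (local.md, local.ma):
            continue        # belongs to another MA; not this MEP's business
        if c.mpid == local.mpid:
            # Our own MPID from a different MAC: duplicate MPID in the MA,
            # i.e. the "config" trap condition.  Our own reflected CCM is ignored.
            if c.src_mac.lower() != local.mac.lower():
                events["config"].append((c.mpid, c.src_mac))
            continue
        if c.mpid not in seen:
            seen.append(c.mpid)             # newly discovered remote MEP
            events["mep-up"].append(c.mpid)
        if (local.crosscheck_enabled and c.mpid not in local.crosscheck
                and c.mpid not in flagged_unknown):
            flagged_unknown.add(c.mpid)     # CCM from a MEP not in the static list
            events["mep-unknown"].append(c.mpid)
    if local.crosscheck_enabled:
        events["mep-missing"] = sorted(local.crosscheck - set(seen))
        # ma-up only once every statically listed remote MEP has been heard
        events["ma-up"] = bool(local.crosscheck) and not events["mep-missing"]
    return events


# Constructed sample: domain "voip", MA "rd" (names from the examples above),
# local MPID 10 with static cross-check list {20, 30}.  MACs are made up.
LOCAL_MEP = LocalMep("voip", "rd", 10, "00-12-CF-00-00-01", frozenset({20, 30}))
SAMPLE_CCMS = [
    CCM("voip", "rd", 20, "00-12-CF-00-00-02"),
    CCM("voip", "rd", 30, "00-12-CF-00-00-03"),
    CCM("voip", "rd", 20, "00-12-CF-00-00-02"),   # repeat from a known MEP
    CCM("voip", "rd", 40, "00-12-CF-00-00-04"),   # not in the static list
    CCM("voip", "rd", 10, "00-12-CF-00-00-99"),   # our MPID, foreign MAC
    CCM("voip", "other", 50, "00-12-CF-00-00-05"),  # different MA, ignored
]
SAMPLE_EVENTS = evaluate_ccms(LOCAL_MEP, SAMPLE_CCMS)

if __name__ == "__main__":
    for name, value in SAMPLE_EVENTS.items():
        print(f"{name:12s} {value}")
```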
EXAMPLE This example defines a static MEP for the specified maintenance association.
Link Trace Operations

show ethernet cfm maintenance-points remote crosscheck
This command displays information about remote MEPs statically configured in a cross-check list.
SYNTAX show ethernet cfm maintenance-points remote crosscheck [domain domain-name | mpid mpid]
domain-name – Domain name. (Range: 1-43 alphanumeric characters)
mpid – Maintenance end point identifier.

◆ Link trace responses are returned from each MIP along the path and from the target MEP. Information stored in the cache includes the maintenance domain name, MA name, MEPID, sequence number, and TTL value.
EXAMPLE This example enables link trace caching.
Console(config)#ethernet cfm linktrace cache
Console(config)#

ethernet cfm linktrace cache hold-time
This command sets the hold time for CFM link trace cache entries.

DEFAULT SETTING 100 entries
COMMAND MODE Global Configuration
COMMAND USAGE
◆ Before setting the cache size, the cache must first be enabled with the ethernet cfm linktrace cache command.
◆ If the cache reaches the maximum number of specified entries, or the size is set to a value less than the current number of stored entries, no new entries are added.

COMMAND MODE Privileged Exec
COMMAND USAGE
◆ Link trace messages can be targeted to MEPs, not MIPs. Before sending a link trace message, be sure you have configured the target MEP for the specified MA.
◆ If the MAC address of the target MEP has not been learned by any local MEP, then the link trace may fail. Use the show ethernet cfm maintenance-points remote crosscheck command to verify that a MAC address has been learned for the target MEP.

show ethernet cfm linktrace-cache
This command displays the contents of the link trace cache.
COMMAND MODE Privileged Exec
EXAMPLE
Console#show ethernet cfm linktrace-cache
Hops MA             IP / Alias   Ingress MAC       Ing. Action Relay Forwarded     Egress MAC Egr.
---- -------------- ------------ ----------------- ----------- ----- ------------- ---------- ----
2    rd             192.168.0.6  00-12-CF-12-12-2D                   Not Forwarded
Console#
Loopback Operations

ethernet cfm loopback
This command sends CFM loopback messages to a MAC address for a MEP or MIP.
SYNTAX ethernet cfm loopback {dest-mep destination-mpid | src-mep source-mpid {dest-mep destination-mpid | mac-address} | mac-address} md domain-name ma ma-name [count transmit-count] [size packet-size]
destination-mpid – The identifier of a MEP that is the target of the loopback message.
◆ When using the command line or web interface, the source MEP used to send a loopback message is chosen by the CFM protocol. However, when using SNMP, the source MEP can be specified by the user.
EXAMPLE This example sends a loopback message to the specified remote MEP.

Fault Generator Operations

mep fault-notify lowest-priority
This command sets the lowest priority defect that is allowed to generate a fault alarm. Use the no form to restore the default setting.
SYNTAX mep fault-notify lowest-priority priority
no fault-notify lowest-priority
priority – Lowest priority defect allowed to generate a fault alarm.

Table 221: MEP Defect Descriptions
Field | Description
DefMACstatus | Either some remote MEP is reporting its Interface Status TLV as not isUp, or all remote MEPs are reporting a Port Status TLV that contains some value other than psUp.
DefRemoteCCM | The MEP is not receiving valid CCMs from at least one of the remote MEPs.
DefErrorCCM | The MEP has received at least one invalid CCM whose CCM Interval has not yet timed out.

show ethernet cfm fault-notify-generator
This command displays configuration settings for the fault notification generator.
SYNTAX show ethernet cfm fault-notify-generator mep mpid
mpid – Maintenance end point identifier. (Range: 1-8191)
DEFAULT SETTING None
COMMAND MODE Privileged Exec
EXAMPLE This example shows the fault notification settings configured for one MEP.
Delay Measure Operations

ethernet cfm delay-measure
This command sends periodic delay-measure requests to a specified MEP within a maintenance association.

◆ Frame delay measurement can be made only for two-way measurements, where the MEP transmits a frame with DM request information with the TxTimeStampf (timestamp at the time of sending a frame with DM request information), and the receiving MEP responds with a frame with DM reply information with TxTimeStampf copied from the DM request information, RxTimeStampf (timestamp at the time of receiving a frame with DM request information), and TxTimeStampb (Tim
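The two-way measurement above carried through in Python, as an added example rather than the switch's implementation. It assumes the fourth timestamp, RxTimeStampb (the time the initiating MEP receives the DM reply, as in ITU-T Y.1731), since the description on this page is cut off after TxTimeStampb; the reply samples are constructed.

```python
"""Two-way frame delay from DM request/reply timestamps.

Added example, not the switch's code.  Frame delay is the round trip seen
by the initiator minus the responder's own processing time; each
subtraction uses timestamps from one clock, so the two MEPs' clocks need
not be synchronized (the constructed responder clock below runs 5 s fast).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Timestamp:
    seconds: int
    nanoseconds: int

    def to_ns(self) -> int:
        return self.seconds * 1_000_000_000 + self.nanoseconds


@dataclass(frozen=True)
class DMReply:
    tx_f: Timestamp   # TxTimeStampf: initiator sent the DM request
    rx_f: Timestamp   # RxTimeStampf: responder received the DM request
    tx_b: Timestamp   # TxTimeStampb: responder sent the DM reply
    rx_b: Timestamp   # RxTimeStampb: initiator received the DM reply (assumed name)


def two_way_delay_ns(r: DMReply) -> int:
    """Frame delay = (RxTimeStampb - TxTimeStampf) - (TxTimeStampb - RxTimeStampf)."""
    round_trip = r.rx_b.to_ns() - r.tx_f.to_ns()        # initiator clock only
    responder_hold = r.tx_b.to_ns() - r.rx_f.to_ns()    # responder clock only
    if round_trip < 0 or responder_hold < 0 or responder_hold > round_trip:
        # A reply older than its request, or a hold longer than the whole
        # round trip, cannot come from a sane peer; do not feed it to stats.
        raise ValueError("inconsistent DM timestamps")
    return round_trip - responder_hold


def summarize(replies: list) -> dict:
    """Min/max/average delay and the variation between consecutive samples."""
    delays = [two_way_delay_ns(r) for r in replies]
    return {
        "min_ns": min(delays),
        "max_ns": max(delays),
        "avg_ns": sum(delays) // len(delays),
        "variation_ns": [abs(b - a) for a, b in zip(delays, delays[1:])],
    }


# Constructed samples: two periodic requests one second apart.
SAMPLE_REPLIES = [
    DMReply(Timestamp(100, 0), Timestamp(105, 1_000_000),
            Timestamp(105, 1_050_000), Timestamp(100, 2_100_000)),
    DMReply(Timestamp(101, 0), Timestamp(106, 1_200_000),
            Timestamp(106, 1_260_000), Timestamp(101, 2_500_000)),
]

if __name__ == "__main__":
    for r in SAMPLE_REPLIES:
        print("frame delay:", two_way_delay_ns(r), "ns")
    print(summarize(SAMPLE_REPLIES))
```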
46 OAM COMMANDS The switch provides OAM (Operation, Administration, and Maintenance) remote management tools required to monitor and maintain the links to subscriber CPEs (Customer Premise Equipment). This section describes functions including enabling OAM for selected ports, loop back testing, and displaying device information.
CHAPTER 46 | OAM Commands

efm oam
This command enables OAM functions on the specified port. Use the no form to disable this function.
SYNTAX [no] efm oam
DEFAULT SETTING Disabled
COMMAND MODE Interface Configuration
COMMAND USAGE
◆ If the remote device also supports OAM, both exchange Information OAMPDUs to establish an OAM link.
◆ Not all CPEs support OAM functions, and OAM is therefore disabled by default.

detected, fan failure, CRC error in flash memory, insufficient memory, or other hardware faults.
◆ Dying gasp events are caused by an unrecoverable failure, such as a power failure or device reset.
NOTE: When system power fails, the switch will always send a dying gasp trap message prior to power down.

DEFAULT SETTING 1
COMMAND MODE Interface Configuration
COMMAND USAGE If this feature is enabled, an event notification message is sent if the threshold is reached or exceeded within the period specified by the efm oam link-monitor frame window command. The Errored Frame Event TLV includes the number of errored frames detected during the specified period.

efm oam mode
This command sets the OAM mode on the specified port. Use the no form to restore the default setting.
SYNTAX efm oam mode {active | passive}
no efm oam mode
active - All OAM functions are enabled.
passive - All OAM functions are enabled, except for OAM discovery and sending loopback control OAMPDUs.
DEFAULT SETTING Active
COMMAND MODE Interface Configuration
COMMAND USAGE When set to active mode, the selected interface will initiate the OAM discovery process.

RELATED COMMANDS show efm oam counters interface (1610)

clear efm oam event-log
This command clears all entries from the OAM event log for the specified port.
SYNTAX clear efm oam event-log [interface-list]
unit - Unit identifier. (Range: 1)
port - Port number or list of ports. To enter a list, separate nonconsecutive port identifiers with a comma and no spaces; use a hyphen to designate a range of ports.

efm oam remote-loopback test command to start sending test packets. Then use the efm oam remote-loopback stop command to terminate testing (if test packets are still being sent) and to terminate loopback test mode.
◆ The port that you specify to run this test must be connected to a peer OAM device capable of entering OAM remote loopback mode. During a remote loopback test, the remote OAM entity loops back every frame except for OAMPDUs and pause frames.
◆ OAM remote loopback can be used for fault localization and link performance testing. Statistics from both the local and remote DTE can be queried and compared at any time during loopback testing.
◆ A summary of the test is displayed after it is finished.
EXAMPLE
Console#efm oam remote-loopback test 1/1
Loopback test is processing, press ESC to suspend.
...
Port OAM loopback Tx OAM loopback Rx Loss Rate
---- --------------- --------------- ---------
1/2  1990            1016            48.

show efm oam event-log interface
This command displays the OAM event log for the specified port(s) or for all ports that have logs.
SYNTAX show efm oam event-log interface [interface-list]
interface-list - unit/port
unit - Unit identifier. (Range: 1)
port - Port number or list of ports. To enter a list, separate nonconsecutive port identifiers with a comma and no spaces; use a hyphen to designate a range of ports.

This command can also show OAM dying gasp changes for the link partner, as shown in this example.
Console#show efm oam event-log interface 1/1
<--- When a dying gasp happens and the switch receives these packets, it logs the event in the OAM event log.

show efm oam status interface
This command displays OAM configuration settings and event counters.
SYNTAX show efm oam status interface [interface-list] [brief]
interface - unit/port
unit - Unit identifier. (Range: 1)
port - Port number or list of ports. To enter a list, separate nonconsecutive port identifiers with a comma and no spaces; use a hyphen to designate a range of ports. (Range: 1-28)
brief - Displays a brief list of OAM configuration states.

COMMAND MODE Normal Exec, Privileged Exec
EXAMPLE
Console#show efm oam status remote interface 1/1
Port MAC Address       OUI    Remote Loopback Unidirectional Link Monitor MIB Variable Retrieval
---- ----------------- ------ --------------- -------------- ------------ ----------------------
1/1  00-12-CF-6A-07-F6 000084 Enabled         Disabled       Enabled      Disabled
Console#
47 DOMAIN NAME SERVICE COMMANDS These commands are used to configure Domain Naming System (DNS) services. Entries can be manually configured in the DNS domain name to IP address mapping table, default domain names configured, or one or more name servers specified to use for domain name to address translation. Note that domain name services will not be enabled until at least one name server is specified with the ip name-server command and domain lookup is enabled with the ip domain-lookup command.
COMMAND MODE Global Configuration
COMMAND USAGE
◆ Domain names are added to the end of the list one at a time.
◆ When an incomplete host name is received by the DNS service on this switch, it works through the domain list, appending each domain name in the list to the host name and checking with the specified name servers for a match.
◆ If there is no domain list, the domain name specified with the ip domain-name command is used.
◆ If all name servers are deleted, DNS will automatically be disabled.
EXAMPLE This example enables DNS and then displays the configuration.
Console(config)#ip domain-lookup
Console(config)#end
Console#show dns
Domain Lookup Status: DNS Enabled
Default Domain Name: sample.com
Domain Name List: sample.com.jp sample.com.uk
Name Server List: 192.168.1.55 10.1.0.

Domain Name List:
Name Server List:
Console#
RELATED COMMANDS ip domain-list (1615), ip name-server (1619), ip domain-lookup (1616)

ip host
This command creates a static entry in the DNS table that maps a host name to an IPv4 address. Use the no form to remove an entry.
SYNTAX [no] ip host name address
name - Name of an IPv4 host. (Range: 1-100 characters)
address - Corresponding IPv4 address.

ip name-server
This command specifies the address of one or more domain name servers to use for name-to-address resolution. Use the no form to remove a name server from this list.
SYNTAX [no] ip name-server server-address1 [server-address2 … server-address6]
server-address1 - IPv4 or IPv6 address of domain-name server.
server-address2 … server-address6 - IPv4 or IPv6 address of additional domain-name servers.

ipv6 host
This command creates a static entry in the DNS table that maps a host name to an IPv6 address. Use the no form to remove an entry.
SYNTAX [no] ipv6 host name ipv6-address
name - Name of an IPv6 host. (Range: 1-100 characters)
ipv6-address - Corresponding IPv6 address. This address must be entered according to RFC 2373 "IPv6 Addressing Architecture," using 8 colon-separated 16-bit hexadecimal values.

clear host
This command deletes dynamic entries from the DNS table.
SYNTAX clear host {name | *}
name - Name of the host. (Range: 1-100 characters)
* - Removes all entries.
DEFAULT SETTING None
COMMAND MODE Privileged Exec
COMMAND USAGE Use the clear host command to clear dynamic entries, or the no ip host command to clear static entries.
EXAMPLE This example clears all dynamic entries from the DNS table.

show dns cache
This command displays entries in the DNS cache.
COMMAND MODE Privileged Exec
EXAMPLE
Console#show dns cache
No.     Flag    Type    IP Address      TTL     Host
------- ------- ------- --------------- ------- -------
3       4       Host    209.131.36.158  115     www-real.wa1.b.yahoo.com
4       4       CNAME   POINTER TO:3    115     www.yahoo.com
5       4       CNAME   POINTER TO:3    115     www.wa1.b.yahoo.com
Console#

Table 225: show dns cache - display description
Field | Description
No.

Table 226: show hosts - display description
Field | Description
No. | The entry number for each resource record.
Flag | The field displays "2" for a static entry, or "4" for a dynamic entry stored in the cache.
Type | This field includes "Address", which specifies the primary name for the owner, and "CNAME", which specifies multiple domain names (or aliases) which are mapped to the same IP address as an existing entry.
48 DHCP COMMANDS These commands are used to configure Dynamic Host Configuration Protocol (DHCP) client, relay, and server functions. Any VLAN interface on this switch can be configured to automatically obtain an IPv4 address through DHCP. This switch can also be configured to relay DHCP client configuration requests to a DHCP server on another network, or it can be configured to provide DHCP service directly to any client.
DHCP Client

hex - A hexadecimal value. (Range: 1-64 characters)
DEFAULT SETTING Class identifier option enabled, with the name ECS4660-28F
COMMAND MODE Interface Configuration (VLAN)
COMMAND USAGE
◆ Use this command without any keyword to restore the default setting.
◆ This command is used to identify the vendor class and configuration of the switch to the DHCP server, which then uses this information to decide how to service the client or the type of information to return.
◆ Note that the vendor class identifier can be formatted in either text or hexadecimal using the ip dhcp client class-id command, but the format used by both the client and server must be the same.
EXAMPLE
Console(config)#interface vlan 2
Console(config-if)#ip dhcp client class-id hex 0000e8666572
Console(config-if)#
RELATED COMMANDS ip dhcp restart client (1627)

ip dhcp restart client
This command submits a BOOTP or DHCP client request.

DHCP for IPv6

ipv6 dhcp client rapid-commit vlan
This command specifies the Rapid Commit option for DHCPv6 message exchange for all DHCPv6 client requests submitted from the specified interface. Use the no form to disable this option.
SYNTAX [no] ipv6 dhcp client rapid-commit vlan vlan-id
vlan-id - VLAN ID, specified as a single number, a range of consecutive numbers separated by a hyphen, or multiple numbers separated by commas.

DHCP RELAY
This section describes commands used to configure DHCP relay functions for host devices attached to the switch.

◆ You must specify the IP address for at least one active DHCP server. Otherwise, the switch's DHCP relay agent will not be able to forward client requests to a DHCP server. Up to five DHCP servers can be specified in order of preference.
RELATED COMMANDS ip dhcp relay server (1629)

DHCP Relay for IPv6

ipv6 dhcp relay destination
This command specifies the destination address or VLAN to which client messages are forwarded for DHCP service. Use the no form to remove an entry.
SYNTAX [no] ipv6 dhcp relay destination {ipv6-address | multicast {all | vlan vlan-id}}
ipv6-address - A full IPv6 address including the network prefix and host address bits.
EXAMPLE
Console(config)#interface vlan 1
Console(config-if)#ipv6 dhcp relay destination 2001:0DB8:3000:3000::42
Console(config-if)#

show ipv6 dhcp relay destination
This command shows the destination addresses or VLAN to which client messages are forwarded for DHCP relay service.
SYNTAX show ipv6 dhcp relay destination interface [vlan vlan-id]
vlan-id - ID of configured VLAN.

DHCP Server

Table 232: DHCP Server Commands (Continued)
Command | Function | Mode
lease | Sets the duration an IP address is assigned to a DHCP client | DC
netbios-name-server | Configures NetBIOS Windows Internet Naming Service (WINS) name servers available to Microsoft DHCP clients | DC
netbios-node-type | Configures NetBIOS node type for Microsoft DHCP clients | DC
network | Configures the subnet number and mask for a DHCP address pool | DC
next-server | Configures the next server i

ip dhcp pool
This command configures a DHCP address pool and enters DHCP Pool Configuration mode. Use the no form to remove the address pool.
SYNTAX [no] ip dhcp pool name
name - A string or integer. (Range: 1-8 characters)
DEFAULT SETTING DHCP address pools are not configured.
COMMAND MODE Global Configuration
USAGE GUIDELINES
◆ After executing this command, the switch changes to DHCP Pool Configuration mode, identified by the (config-dhcp)# prompt.

COMMAND USAGE If the DHCP server is running, you must restart it to implement any configuration changes.
EXAMPLE
Console(config)#service dhcp
Console(config)#

bootfile
This command specifies the name of the default boot image for a DHCP client. This file should be placed on the Trivial File Transfer Protocol (TFTP) server specified with the next-server command. Use the no form to delete the boot image name.

COMMAND MODE DHCP Pool Configuration
COMMAND USAGE
◆ This command identifies a DHCP client to bind to an address specified in the host command. If both a client identifier and hardware address are configured for a host address, the client identifier takes precedence over the hardware address in the search procedure.
◆ BOOTP clients cannot transmit a client identifier. To bind an address to a BOOTP client, you must associate a hardware address with the host entry.

dns-server
This command specifies the Domain Name System (DNS) IP servers available to a DHCP client. Use the no form to remove the DNS server list.
SYNTAX dns-server address1 [address2]
no dns-server
address1 - Specifies the IP address of the primary DNS server.
address2 - Specifies the IP address of the alternate DNS server.

hardware-address
This command specifies the hardware address of a DHCP client. This command is valid for manual bindings only. Use the no form to remove the hardware address.
SYNTAX hardware-address hardware-address type
no hardware-address
hardware-address - Specifies the MAC address of the client device.

COMMAND MODE DHCP Pool Configuration
USAGE GUIDELINES
◆ Host addresses must fall within the range specified for an existing network pool.
◆ When a client request is received, the switch first checks for a network address pool matching the gateway where the request originated (i.e., if the request was forwarded by a relay server). If there is no gateway in the client request (i.e.

hours - Specifies the number of hours in the lease. A days value must be supplied before you can configure hours. (Range: 0-23)
minutes - Specifies the number of minutes in the lease. A days and hours value must be supplied before you can configure minutes. (Range: 0-59)
infinite - Specifies that the lease time is unlimited. This option is normally used for addresses manually bound to a BOOTP client via the host command.

EXAMPLE
Console(config-dhcp)#netbios-name-server 10.1.0.33 10.1.0.34
Console(config-dhcp)#
RELATED COMMANDS netbios-node-type (1641)

netbios-node-type
This command configures the NetBIOS node type for Microsoft DHCP clients. Use the no form to remove the NetBIOS node type.

COMMAND MODE DHCP Pool Configuration
USAGE GUIDELINES
◆ When a client request is received, the switch first checks for a network address pool matching the gateway where the request originated (i.e., if the request was forwarded by a relay server). If there is no gateway in the client request (i.e., the request was not forwarded by a relay server), the switch searches for a network pool matching the interface through which the client request was received.
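The pool-selection order just described (gateway address of a relayed request first, otherwise the receiving interface's subnet) together with the manual-binding rule from the client-identifier usage above (client identifier before hardware address; BOOTP clients match by hardware address only), as an added Python model that is not the switch's code. The pools reuse the subnets shown in this chapter's examples; the host bindings, MACs and requests are constructed, and the RFC 2131 field names giaddr and chaddr are assumed for the gateway and client hardware address.

```python
"""Model of the DHCP server pool and manual-binding search order.

Added example, not the switch's implementation.  A relay-forwarded request
carries the relay agent's address in giaddr; a request received directly
has giaddr 0.0.0.0 (RFC 2131 field names, assumed here).
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network
from typing import Optional


@dataclass
class HostBinding:
    """One manual binding (host command) with its identifying attributes."""
    address: IPv4Address
    client_id: Optional[bytes] = None          # client-identifier command
    hardware_address: Optional[str] = None     # hardware-address command (MAC)


@dataclass
class NetworkPool:
    name: str
    network: IPv4Network                        # network command
    hosts: list = field(default_factory=list)


@dataclass
class Request:
    giaddr: IPv4Address                  # 0.0.0.0 unless relayed
    ingress_if_network: IPv4Network      # subnet of the VLAN interface it arrived on
    client_id: Optional[bytes]           # None for BOOTP clients
    chaddr: str                          # client hardware address


def validate_pool(pool: NetworkPool) -> None:
    """Host addresses must fall within the range of their network pool."""
    for h in pool.hosts:
        if h.address not in pool.network:
            raise ValueError(f"{h.address} is outside pool {pool.name} ({pool.network})")


def select_pool(pools: list, req: Request) -> Optional[NetworkPool]:
    """First a pool containing the relay gateway; if not relayed, the pool
    matching the interface the request came in on."""
    if req.giaddr != IPv4Address("0.0.0.0"):
        matches = (p for p in pools if req.giaddr in p.network)
    else:
        matches = (p for p in pools if p.network == req.ingress_if_network)
    return next(matches, None)


def select_binding(pool: NetworkPool, req: Request) -> Optional[HostBinding]:
    """Client identifier takes precedence over hardware address; a BOOTP
    client (no client id) can only be matched by hardware address."""
    if req.client_id is not None:
        for h in pool.hosts:
            if h.client_id == req.client_id:
                return h
    for h in pool.hosts:
        if h.hardware_address and h.hardware_address.lower() == req.chaddr.lower():
            return h
    return None


# Constructed configuration: pool "tps" 192.168.1.0/24 and the R&D pool
# 192.168.0.0/24 appear in this chapter; bindings and MACs are made up.
POOLS = [
    NetworkPool("tps", IPv4Network("192.168.1.0/24"), [
        HostBinding(IPv4Address("192.168.1.10"),
                    client_id=b"\x01\x00\x12\xcf\x00\x00\x10",
                    hardware_address="00-12-cf-00-00-10"),
        HostBinding(IPv4Address("192.168.1.11"),
                    hardware_address="00-12-cf-00-00-11"),
    ]),
    NetworkPool("rd", IPv4Network("192.168.0.0/24")),
]
for _p in POOLS:
    validate_pool(_p)

# Relayed by the 192.168.1.1 gateway; the client id names host .10 while
# the MAC matches host .11, so the client id must win.
RELAYED_REQ = Request(IPv4Address("192.168.1.1"), IPv4Network("10.0.0.0/24"),
                      b"\x01\x00\x12\xcf\x00\x00\x10", "00-12-CF-00-00-11")
# Received directly on the 192.168.0.0/24 interface, no manual binding.
LOCAL_REQ = Request(IPv4Address("0.0.0.0"), IPv4Network("192.168.0.0/24"),
                    None, "00-12-cf-00-00-20")
# BOOTP client: no client id, matched by hardware address only.
BOOTP_REQ = Request(IPv4Address("192.168.1.1"), IPv4Network("10.0.0.0/24"),
                    None, "00-12-CF-00-00-11")

if __name__ == "__main__":
    for req in (RELAYED_REQ, LOCAL_REQ, BOOTP_REQ):
        pool = select_pool(POOLS, req)
        binding = select_binding(pool, req) if pool else None
        print(pool.name if pool else None, binding.address if binding else None)
```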
EXAMPLE
Console(config-dhcp)#next-server 10.1.0.21
Console(config-dhcp)#
RELATED COMMANDS
bootfile (1635)

clear ip dhcp binding
This command deletes an automatic address binding from the DHCP server binding database.
SYNTAX
clear ip dhcp binding {address | *}
address - The address of the binding to clear.
* - Clears all automatic bindings.
DEFAULT SETTING
None
COMMAND MODE
Privileged Exec
USAGE GUIDELINES
◆ An address specifies the client's IP address.
show ip dhcp
This command displays a brief list of DHCP address pools configured on the switch.
COMMAND MODE
Privileged Exec
EXAMPLE
Console#show ip dhcp
Name     Type IP Address      Mask            Active Pool
-------- ---- --------------- --------------- ------------------------------
tps      Net  192.168.1.0     255.255.255.0   192.168.1.1 - 192.168.1.254
Total entry : 1
Console#

show ip dhcp binding
This command displays address bindings on the DHCP server.
DEFAULT SETTING
None
COMMAND MODE
Privileged Exec
EXAMPLE
Console#show ip dhcp pool
Pool name              : R&D
Pool type              : Network
Network address        : 192.168.0.1
Subnet mask            : 255.255.255.0
Boot file              :
Client identifier mode : Hex
Client identifier      :
Default router         : 0.0.0.0 0.0.0.0
DNS server             : 0.0.0.0 0.0.0.0
Domain name            :
Hardware type          : None
Hardware address       : 00-00-00-00-00-00
Lease time             : infinite
Netbios name server    : 0.0.0.0 0.0.0.
49 IP INTERFACE COMMANDS
An IP Version 4 and Version 6 address may be used for management access to the switch over the network. Both IPv4 and IPv6 addresses can be used simultaneously to access the switch. You can manually configure a specific IPv4 or IPv6 address or direct the switch to obtain an IPv4 address from a BOOTP or DHCP server when it is powered on. An IPv6 address can either be manually configured or dynamically generated.
CHAPTER 49 | IP Interface Commands IPv4 Interface

BASIC IPV4 CONFIGURATION
This section describes commands used to configure IP addresses for VLAN interfaces on the switch.
and subnetwork numbers of the segment that is connected to that interface, and allows you to send IP packets to or from the router.
◆ Before any network interfaces are configured on the router, first create a VLAN for each unique user group, or for each network application and its associated users. Then assign the ports associated with each of these VLANs.
This example assigns an IP address to VLAN 2 using a classless network mask.
Console(config)#interface vlan 2
Console(config-if)#ip address 10.2.2.1/24
Console(config-if)#
RELATED COMMANDS
ip dhcp restart client (1627)
ip default-gateway (1650)
ipv6 address (1665)

ip default-gateway
This command specifies the default gateway for destinations not found in the local routing tables. Use the no form to remove a default gateway.
EXAMPLE
The following example defines a default gateway for this device:
Console(config)#ip default-gateway 10.1.1.
show ip traffic
This command displays statistics for IP, ICMP, UDP, TCP and ARP protocols.
input errors 4
output
Console#

traceroute
This command shows the route packets take to the specified destination.
SYNTAX
traceroute host
host - IP address or alias of the host.
DEFAULT SETTING
None
COMMAND MODE
Privileged Exec
COMMAND USAGE
◆ Use the traceroute command to determine the path taken to reach a specified destination.
EXAMPLE
Console#traceroute 192.168.0.1
Press "ESC" to abort.
Traceroute to 192.168.0.1, 30 hops max, timeout is 3 seconds
Hop Packet 1 Packet 2 Packet 3 IP Address
--- -------- -------- -------- ---------------
1   10 ms    <10 ms   <10 ms   192.168.0.1
Trace completed.
Console#

ping
This command sends (IPv4) ICMP echo request packets to another node on the network.
SYNTAX
ping host [count count] [size size]
host - IP address or IP alias of the host.
page 1616). If necessary, local devices can also be specified in the DNS static host table (see page 1618).
EXAMPLE
Console#ping 10.1.0.9
Type ESC to abort.
PING to 10.1.0.9, by 5 32-byte payload ICMP packets, timeout is 5 seconds
response time: 10 ms
response time: 10 ms
response time: 10 ms
response time: 10 ms
response time: 0 ms
Ping statistics for 10.1.0.
COMMAND MODE
Global Configuration
COMMAND USAGE
◆ The ARP cache is used to map 32-bit IP addresses into 48-bit hardware (i.e., Media Access Control) addresses. This cache includes entries for hosts and other routers on local network interfaces defined on this router.
◆ The maximum number of static entries allowed in the ARP cache is 128.
◆ You may need to enter a static entry in the cache if there is no response to an ARP broadcast message.
◆ The aging time determines how long dynamic entries remain in the cache. If the timeout is too short, the router may tie up resources by repeating ARP requests for addresses recently flushed from the table.
EXAMPLE
This example sets the ARP cache timeout for 15 minutes (i.e., 900 seconds).
Console(config)#arp timeout 900
Console(config)#

ip proxy-arp
This command enables proxy Address Resolution Protocol (ARP). Use the no form to disable proxy ARP.
clear arp-cache
This command deletes all dynamic entries from the Address Resolution Protocol (ARP) cache.
COMMAND MODE
Privileged Exec
EXAMPLE
This example clears all dynamic entries in the ARP cache.
Console#clear arp-cache
This operation will delete all the dynamic entries in ARP Cache.
Are you sure to continue this operation (y/n)?y
Console#

show arp
This command displays entries in the Address Resolution Protocol (ARP) cache.
10.1.0.255      FF-FF-FF-FF-FF-FF  other    VLAN1
145.30.20.23    09-50-40-30-20-10  dynamic  VLAN3
Total entry : 5
Console#

UDP HELPER CONFIGURATION
User Datagram Protocol (UDP) Helper allows host applications to forward UDP broadcast packets from this switch to another part of the network. This section describes the commands used to configure UDP Helper.
COMMAND USAGE
Up to 100 UDP ports can be specified with this command for forwarding to one or more remote servers.
EXAMPLE
This example enables forwarding for DHCPv6 UDP packets.
Console(config)#ip forward-protocol udp 547
Console(config)#

ip helper
This command enables UDP helper globally on the switch. Use the no form to disable this feature.
ip helper-address
This command specifies the application server or subnet (indicated by a directed broadcast address) to which designated UDP broadcast packets are forwarded. Use the no form to remove a UDP helper address.
SYNTAX
[no] ip helper-address ip-address
ip-address - Host address or directed broadcast address to which UDP broadcast packets are forwarded.
EXAMPLE
This example indicates that designated UDP broadcast packets are to be forwarded to the directed broadcast address of 192.168.2.255.
Console(config)#interface vlan 1
Console(config-if)#ip helper-address 192.168.2.255
Console(config-if)#

show ip helper
This command displays configuration settings for UDP helper.
CHAPTER 49 | IP Interface Commands IPv6 Interface

IPV6 INTERFACE
This switch supports the following IPv6 interface commands.
Table 238: IPv6 Configuration Commands (Continued)
Command                        Function                                                                              Mode
ipv6 nd prefix                 Configures the IPv6 prefixes to include in router advertisements                      IC
ipv6 nd ra interval            Configures the interval between the transmission of router advertisements on an interface   IC
ipv6 nd ra lifetime            Configures the router lifetime value used in router advertisements sent from an interface   IC
ipv6 nd ra router-preference   Configures the default router prefer
◆ An IPv6 default gateway should be defined if the destination has been assigned an IPv6 address that is located in a different IP segment.
◆ An IPv6 default gateway can only be successfully set when a network interface that directly connects to the gateway has been configured on the router.
link-local address is made with an address prefix of FE80 and a host portion based on the switch's MAC address in modified EUI-64 format.)
◆ When configuring a global IPv6 address for a static tunnel, the link-local address generated by this command is the 32-bit IPv4 address of the underlying source interface, with the bytes in the same order in which they would appear in the header of an IPv4 packet, padded at the left with zeros to a total of 64 bits.
ipv6 address eui-64
This command configures an IPv6 address for an interface using an EUI-64 interface ID in the low order 64 bits and enables IPv6 on the interface. Use the no form without any arguments to remove all manually configured IPv6 addresses from the interface. Use the no form with a specific address to remove it from the interface.
◆ For example, if a device had an EUI-48 address of 28-9F-18-1C-82-35, the global/local bit must first be inverted to meet EUI-64 requirements (i.e., 1 for globally defined addresses and 0 for locally defined addresses), changing 28 to 2A. Then the two bytes FFFE are inserted between the OUI (i.e., company id) and the rest of the address, resulting in a modified EUI-64 interface identifier of 2A-9F-18-FF-FE-1C-82-35.
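The modified EUI-64 derivation above, carried through in code as an added example (not part of the guide or of the switch firmware). It reproduces the guide's 28-9F-18-1C-82-35 walk-through, builds the FE80::/64 link-local address from it, and adds the inverse mapping, which a defender can use to tie an observed EUI-64 address in the ND cache back to a MAC; the second sample MAC, 00-E0-0C-00-00-FD, is an assumption recovered by hand from the guide's own link-local address FE80::2E0:CFF:FE00:FD.

```python
import ipaddress

# Constructed sample inputs. The first MAC is the one the guide walks through;
# the second is assumed, derived by hand from the guide's sample link-local
# address FE80::2E0:CFF:FE00:FD.
SAMPLE_MACS = ["28-9F-18-1C-82-35", "00-E0-0C-00-00-FD"]

UL_BIT = 0x02  # universal/local bit: bit 1 of the first MAC byte


def mac_to_bytes(mac: str) -> bytes:
    """Parse a MAC written as 28-9F-18-1C-82-35 or 28:9f:18:1c:82:35."""
    parts = mac.replace(":", "-").split("-")
    if len(parts) != 6:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return bytes(int(p, 16) for p in parts)


def modified_eui64(mac: str) -> bytes:
    """Build the modified EUI-64 interface identifier from a 48-bit MAC.

    Exactly the two steps the guide describes: invert the universal/local
    bit of the first byte (28 -> 2A in the guide's example), then insert
    FF-FE between the 3-byte OUI and the 3-byte device part.
    """
    b = mac_to_bytes(mac)
    first = b[0] ^ UL_BIT
    return bytes([first]) + b[1:3] + b"\xff\xfe" + b[3:6]


def format_eui64(iid: bytes) -> str:
    """Render an 8-byte identifier in the guide's dash-separated style."""
    return "-".join(f"{x:02X}" for x in iid)


def link_local_from_mac(mac: str) -> str:
    """FE80::/64 prefix plus the modified EUI-64 identifier, compressed form."""
    iid = modified_eui64(mac)
    addr = ipaddress.IPv6Address(b"\xfe\x80" + b"\x00" * 6 + iid)
    return addr.compressed.upper()


def mac_from_eui64_address(address: str):
    """Inverse mapping: recover the MAC if the low 64 bits are a modified EUI-64.

    Returns None when the identifier lacks the FF-FE marker, which is what a
    manually assigned address (such as the guide's 2001:DB8:2222:7273::72)
    or a privacy/temporary address looks like; those cannot be tied to a MAC
    this way and must be matched through the neighbor cache instead.
    """
    iid = ipaddress.IPv6Address(address).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ UL_BIT]) + iid[1:3] + iid[5:8]
    return "-".join(f"{x:02X}" for x in mac)


if __name__ == "__main__":
    for mac in SAMPLE_MACS:
        ll = link_local_from_mac(mac)
        print(f"{mac} -> {format_eui64(modified_eui64(mac))} -> {ll}"
              f" -> back to {mac_from_eui64_address(ll)}")
```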
ipv6 address link-local
This command configures an IPv6 link-local address for an interface and enables IPv6 on the interface. Use the no form without any arguments to remove all manually configured IPv6 addresses from the interface. Use the no form with a specific address to remove it from the interface.
SYNTAX
ipv6 address ipv6-address link-local
no ipv6 address [ipv6-address link-local]
ipv6-address - The IPv6 address assigned to the interface.
FF02::1
IPv6 link MTU is 1500 bytes
ND DAD is enabled, number of DAD attempts: 3.
ND retransmit interval is 1000 milliseconds
ND advertised retransmit interval is 0 milliseconds
ND reachable time is 30000 milliseconds
ND advertised reachable time is 0 milliseconds
Console#
RELATED COMMANDS
ipv6 enable (1670)
show ipv6 interface (1672)

ipv6 enable
This command enables IPv6 on an interface that has not been configured with an explicit IPv6 address.
Link-local address:
FE80::2E0:CFF:FE00:FD/64
Global unicast address(es):
2001:DB8:2222:7273::72/96, subnet is 2001:DB8:2222:7273::/96
Joined group address(es):
FF02::1:FF00:72
FF02::1:FF00:FD
FF02::1
IPv6 link MTU is 1280 bytes
ND DAD is enabled, number of DAD attempts: 3.
EXAMPLE
The following example sets the MTU for VLAN 1 to 1280 bytes:
Console(config)#interface vlan 1
Console(config-if)#ipv6 mtu 1280
Console(config-if)#
RELATED COMMANDS
show ipv6 mtu (1674)
jumbo frame (911)

show ipv6 interface
This command displays the usability and configured settings for IPv6 interfaces.
ND reachable time is 30000 milliseconds
ND advertised reachable time is 0 milliseconds
Console#

Table 239: show ipv6 interface - display description
Field   Description
VLAN    A VLAN is marked "up" if the switch can send and receive packets on this interface, "down" if a line signal is not present, or "administratively down" if the interface has been disabled by the administrator.
This example displays a brief summary of IPv6 addresses configured on the switch.
show ipv6 traffic
This command displays statistics about IPv6 traffic passing through this switch.
1 neighbor solicit messages
neighbor advertisement messages
redirect messages
group membership query messages
group membership response messages
group membership reduction messages
multicast listener discovery version 2 reports
UDP Statistics:
input
no port errors
other errors
output
Console#

Table 241: show ipv6 traffic - display description
Field               Description
IPv6 Statistics
IPv6 received
total received      The total number of input datagrams received by
Table 241: show ipv6 traffic - display description (Continued)
Field                  Description
reassembly succeeded   The number of IPv6 datagrams successfully reassembled. Note that this counter is incremented at the interface to which these datagrams were addressed which might not be necessarily the input interface for some of the fragments.
Table 241: show ipv6 traffic - display description (Continued)
Field                      Description
echo request messages      The number of ICMP Echo (request) messages received by the interface.
echo reply messages        The number of ICMP Echo Reply messages received by the interface.
router solicit messages    The number of ICMP Router Solicit messages received by the interface.
Table 241: show ipv6 traffic - display description (Continued)
Field                                             Description
group membership response messages                The number of ICMPv6 Group Membership Response messages sent.
group membership reduction messages               The number of ICMPv6 Group Membership Reduction messages sent.
multicast listener discovery version 2 reports    The number of MLDv2 reports sent by the interface.
size - Number of bytes in a packet. (Range: 48-18024 bytes) The actual packet size will be eight bytes larger than the size specified because the router adds header information.
DEFAULT SETTING
count: 5
size: 100 bytes
COMMAND MODE
Privileged Exec
COMMAND USAGE
◆ Use the ping6 command to see if another site on the network can be reached, or to evaluate delays over the path.
traceroute6
This command shows the route packets take to the specified destination.
SYNTAX
traceroute6 {ipv6-address | host-name} [max-failures failure-count]
ipv6-address - The IPv6 address of a neighbor device. You can specify either a link-local or global unicast address formatted according to RFC 2373 "IPv6 Addressing Architecture," using 8 colon-separated 16-bit hexadecimal values.
EXAMPLE
Console#traceroute6 FE80::2E0:CFF:FE9C:CA10%1/64
Press "ESC" to abort.
Traceroute to FE80::2E0:CFF:FE9C:CA10%1/64, 30 hops max, timeout is 3 seconds, 5 max failure(s) before termination.
Hop Packet 1 Packet 2 Packet 3 IPv6 Address
--- -------- -------- -------- --------------------------------------------
1   <10 ms   <10 ms   <10 ms   FE80::2E0:CFF:FE9C:CA10%1/64
Trace completed.
ipv6 neighbor
This command configures a static entry in the IPv6 neighbor discovery cache. Use the no form to remove a static entry from the cache.
SYNTAX
ipv6 neighbor ipv6-address vlan vlan-id hardware-address
no ipv6 neighbor ipv6-address vlan vlan-id
ipv6-address - The IPv6 address of a neighbor device that can be reached through one of the network interfaces configured on this switch.
EXAMPLE
The following maps a static entry for a global unicast address to a MAC address:
Console(config)#ipv6 neighbor 2009:DB9:2229::81 vlan 1 30-65-14-01-11-86
Console(config)#end
Console#show ipv6 neighbors
State: I1 - Incomplete, I2 - Invalid, R - Reachable, S - Stale, D - Delay, P1 - Probe, P2 - Permanent, U - Unknown
IPv6 Address        Age        Link-layer Addr     State  VLAN
2009:DB9:2229::80   956        12-34-11-11-43-21   R      1
2009:DB9:2229::81   Permanent  30-65-14-01-11-86   R      1
IPv6 addresses remain in a "tentative" state. If no duplicate link-local address is found, duplicate address detection is started for the remaining IPv6 addresses.
◆ If a duplicate address is detected, it is set to "duplicate" state, and a warning message is sent to the console. If a duplicate link-local address is detected, IPv6 processes are disabled on the interface. If a duplicate global unicast address is detected, it is not used.
DEFAULT SETTING
Disabled
COMMAND MODE
Interface Configuration (VLAN)
COMMAND USAGE
◆ The "managed-address configuration" flag tells hosts that they should use stateful autoconfiguration to obtain addresses from a DHCPv6 server.
COMMAND USAGE
◆ The "other-stateful-configuration" flag tells hosts that they should use stateful autoconfiguration to obtain information other than addresses from a DHCPv6 server.
◆ Setting the neighbor solicitation interval to 0 means that the configured time is unspecified by this router.
EXAMPLE
The following sets the interval between sending neighbor solicitation messages to 30000 milliseconds:
Console(config)#interface vlan 1
Console(config-if)#ipv6 nd ns-interval 30000
Console(config-if)#end
Console#show ipv6 interface
VLAN 1 is up
IPv6 is enabled.
network, may lead to bogus RAs being sent, which in turn can cause operational problems for hosts on the network.
◆ This command can be used to block RAs and Router Redirect (RR) messages on the specified interface. Determine which interfaces are connected to known routers, and enable RA Guard on all other untrusted interfaces.
ipv6 nd prefix
This command configures the IPv6 prefixes to include in router advertisements. Use the no form to remove a prefix.
SYNTAX
ipv6 nd prefix ipv6-address/prefix-length {default | [valid-lifetime preferred-lifetime [no-autoconfig | off-link]]}
no ipv6 nd prefix ipv6-address/prefix-length
ipv6-address - An IPv6 address including the network prefix and host address bits.
◆ Do not include the link-local prefix in the list of advertised prefixes.
EXAMPLE
The following configures a network prefix with a valid lifetime of 1000 seconds, and a preferred lifetime of 900 seconds:
Console(config)#interface vlan 1
Console(config-if)#ipv6 nd prefix 2011:0DBF::/35 1000 900
Console(config-if)#

ipv6 nd ra interval
This command configures the interval between the transmission of IPv6 router advertisements on an interface.
ipv6 nd ra lifetime
This command configures the router lifetime value used in IPv6 router advertisements sent from an interface. Use the no form to restore the default setting.
SYNTAX
ipv6 nd ra lifetime lifetime
no ipv6 nd ra lifetime
lifetime - Router lifetime.
DEFAULT SETTING
medium
COMMAND USAGE
Default router preference may be used to prioritize routers which provide equivalent, but not equal-cost, routing, and policy dictates that hosts should prefer one of the routers.
clear ipv6 neighbors
This command deletes all dynamic entries in the IPv6 neighbor discovery cache.
COMMAND MODE
Privileged Exec
EXAMPLE
The following deletes all dynamic entries in the IPv6 neighbor cache:
Console#clear ipv6 neighbors
Console#

show ipv6 nd raguard
This command displays the configuration setting for RA Guard.
SYNTAX
show ipv6 nd raguard [interface]
interface
ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number.
be used in the address to indicate the appropriate number of zeros required to fill the undefined fields.
DEFAULT SETTING
All IPv6 neighbor discovery cache entries are displayed.
CHAPTER 49 | IP Interface Commands IPv6 to IPv4 Tunnels

RELATED COMMANDS
show mac-address-table (1273)

IPV6 TO IPV4 TUNNELS
This switch supports connection between isolated IPv6 nodes over IPv4 networks using manually configured tunnels (RFC 2893), as well as the connection of isolated IPv6 domains over IPv4 clouds without explicit tunnel configuration (RFC 3056).
6. For "configured" tunnel mode, specify the IPv4 address of the far end of the tunnel using the tunnel destination command.
7. Bind the tunnel to a VLAN with the tunnel source vlan command.
8. Assign an IPv6 global unicast address to the tunnel using the ipv6 address command.
9.
tunnel destination
This command sets the IPv4 address of a tunnel destination (or far end-point of a tunnel). Use the no form to remove the assigned IPv4 address.
SYNTAX
tunnel destination ip-address
no tunnel destination
ip-address - IPv4 address of the device at the far end of the tunnel.
packets (by ensuring an IPv4 MTU of at least 1300 bytes is used) or by preventing frequent changes to IPv4 routing.
◆ Packets delivered to transport protocols on the decapsulating node should not be subject to ingress filtering. For bidirectionally configured tunnels this is done by verifying that the source address is the IPv4 address of the other end of the tunnel.
The 6to4 mechanism is typically implemented almost entirely in routers bordering between IPv4 and IPv6 domains. The tunnel end-point address of a 6to4 tunnel is dynamically determined by the tunnel source (local end-point node) via the IPv6 6to4 address of the packet sent from IPv6 6to4 hosts. The 6to4 endpoint address is constructed using "2002:Public IPv4 Address::/48" as the IPv6 address prefix.
tunnel end-point IPv4 address. This eliminates the need to explicitly configure the tunnel end-point address.
◆ The two tunneling techniques, configured and automatic, differ primarily in how they determine the tunnel end-point address. Most of the underlying mechanisms are the same:
■ The entry node of the tunnel (the encapsulating node) creates an encapsulating IPv4 header and transmits the encapsulated packet.
tunnel ttl
This command configures the TTL (Time to Live) value stored in the IPv4 header of a packet used for tunneling IPv6 traffic. Use the no form to restore the default value.
SYNTAX
tunnel ttl ttl-value
no tunnel ttl
ttl-value - The TTL value of the IPv4 encapsulating packet.
The following example shows the interface status of the configured tunnels.
Console#show ipv6 interface
VLAN 1 is up
IPv6 is stale.
Link-local address:
(None)
Global unicast address(es):
(None)
Joined group address(es):
FF02::1:2
FF02::1
IPv6 link MTU is 1500 bytes
ND DAD is enabled, number of DAD attempts: 2.
CHAPTER 49 | IP Interface Commands ND Snooping

ND SNOOPING
Neighbor Discovery (ND) Snooping maintains an IPv6 prefix table and user address binding table. These tables can be used for stateless address autoconfiguration or for address filtering by IPv6 Source Guard. ND snooping maintains a binding table in the process of neighbor discovery. When it receives a Neighbor Solicitation (NS) packet from a host, it creates a new binding.
ipv6 nd snooping
This command enables ND snooping globally or on a specified VLAN or range of VLANs. Use the no form to disable this feature.
SYNTAX
[no] ipv6 nd snooping [vlan {vlan-id | vlan-range}]
vlan-id - VLAN ID. (Range: 1-4094)
vlan-range - A consecutive range of VLANs indicated by the use of a hyphen, or a random group of VLANs with each entry separated by a comma.
■ If an RA message is received in response to the original NS message (indicating a duplicate address) before the dynamic binding timeout period expires, the entry is deleted. Otherwise, when the timeout expires, the entry is dropped if the auto-detection process is not enabled. If the auto-detection process is enabled, the switch periodically sends an NS message to determine if the client still exists.
ipv6 nd snooping auto-detect retransmit count
This command sets the number of times the auto-detection process sends an NS message to determine if a dynamic user binding is still valid. Use the no form to restore the default setting.
SYNTAX
ipv6 nd snooping auto-detect retransmit count retransmit-times
no ipv6 nd snooping auto-detect retransmit count
retransmit-times - The number of times to send an NS message to determine if a client still exists.
COMMAND USAGE
The timeout after which the switch will delete a dynamic user binding if no RA message is received is set to the retransmit count (see the ipv6 nd snooping auto-detect retransmit count command) x the retransmit interval. Based on the default settings, this is 3 seconds.
ipv6 nd snooping max-binding
This command sets the maximum number of address entries in the dynamic user binding table which can be bound to a port. Use the no form to restore the default setting.
SYNTAX
ipv6 nd snooping max-binding max-bindings
no ipv6 nd snooping max-binding
max-bindings - The maximum number of address entries in the dynamic user binding table which can be bound to a port.
EXAMPLE
Console(config)#interface ethernet 1/1
Console(config-if)#ipv6 nd snooping trust
Console(config-if)#

clear ipv6 nd
This command clears all entries in the dynamic user address binding table.
show ipv6 nd
This command shows the configuration settings for ND snooping.
COMMAND MODE
Privileged Exec
EXAMPLE
Console#show ipv6 nd snooping prefix
Prefix entry timeout: 100 (second)
Prefix                                 Len Valid-Time Expire     VLAN Interface
-------------------------------------- --- ---------- ---------- ---- ---------
2001:b000::                            64  2592000    100        1    Eth 1/1
2001::                                 64  600        34         2    Eth 1/2
Console#
50 VRRP COMMANDS
Virtual Router Redundancy Protocol (VRRP) uses a virtual IP address to support a primary router and multiple backup routers. The backup routers can be configured to take over the workload if the master router fails, or can also be configured to share the traffic load. The primary goal of router redundancy is to allow a host device which has been configured with a fixed gateway to maintain network connectivity in case the primary gateway goes down.
CHAPTER 50 | VRRP Commands

vrrp authentication
This command specifies the key used to authenticate VRRP packets received from other routers. Use the no form to prevent authentication.
SYNTAX
vrrp group authentication key
no vrrp group authentication
group - Identifies the virtual router group. (Range: 1-255)
key - Authentication string. (Range: 1-8 alphanumeric characters)
DEFAULT SETTING
No key is defined.
COMMAND MODE
Interface (VLAN)
COMMAND USAGE
◆ The interfaces of all routers participating in a virtual router group must be within the same IP subnet.
◆ If the IP address assigned to the virtual router with this command is already configured as the primary address on this interface, this router is considered the Owner, and will assume the role of the Master virtual router in the group.
COMMAND USAGE
◆ If preempt is enabled, and this backup router has a priority higher than the current acting master, it will take over as the new master. However, note that if the original master (i.e., the owner of the VRRP IP address) comes back on line, it will always resume control as the master.
◆ The delay can give additional time to receive an advertisement message from the current master before taking control.
◆ If the backup preempt function is enabled with the vrrp preempt command, and a backup router with a priority higher than the current acting master comes on line, this backup router will take over as the new acting master. However, note that if the original master (i.e., the owner of the VRRP IP address) comes back on line, it will always resume control as the master.
EXAMPLE
Console(config-if)#vrrp 1 timers advertise 5
Console(config-if)#

clear vrrp interface counters
This command clears VRRP system statistics for the specified group and interface.
SYNTAX
clear vrrp group interface interface counters
group - Identifies a VRRP group. (Range: 1-255)
interface - Identifier of configured VLAN interface.
COMMAND MODE
Privileged Exec
COMMAND USAGE
◆ Use this command without any keywords to display the full listing of status information for all VRRP groups configured on this router.
◆ Use this command with the brief keyword to display a summary of status information for all VRRP groups configured on this router.
◆ Specify a group number to display status information for a specific group.
EXAMPLE
This example displays the full listing of status information for all groups.
Table 246: show vrrp - display description (Continued)
Field                            Description
Master Advertisement interval    The advertisement interval configured on the VRRP master.
Master down interval             The down interval configured on the VRRP master (This interval is used by all the routers in the group regardless of their local settings)

This example displays the brief listing of status information for all groups.
EXAMPLE
This example displays the full listing of status information for VLAN 1.
Console#show vrrp interface vlan 1
Vlan 1 - Group 1, State Master
Virtual IP Address 192.168.1.6
Virtual MAC Address 00-00-5E-00-01-01
Advertisement Interval 5 sec
Preemption Enabled
Min Delay 10 sec
Priority 1
Authentication SimpleText
Authentication Key bluebird
Master Router 192.168.1.
show vrrp router counters
This command displays counters for errors found in VRRP protocol packets.
COMMAND MODE
Privileged Exec
EXAMPLE
Note that unknown errors indicate VRRP packets received with an unknown or unsupported version number.
51 IP ROUTING COMMANDS After network interfaces are configured for the switch, the paths used to send traffic between different interfaces must be set. If routing is enabled on the switch, traffic will automatically be forwarded between all of the local subnetworks.
CHAPTER 51 | IP Routing Commands Global Routing Configuration

Table 249: Global Routing Configuration Commands (Continued)
Command                  Function                                                       Mode
show ip route summary    Displays summary information for the routing table             PE
show ip traffic          Displays statistics for IP, ICMP, UDP, TCP and ARP protocols   PE
IPv6 Commands
ipv6 route               Configures static routes                                       GC
show ipv6 route          Displays specified entries in the routing table                PE

IPv4 Commands

ip route
This command configures static routes.
◆ If both static and dynamic paths have the same lowest cost, the first route stored in the routing table, either statically configured or dynamically learned via a routing protocol, will be used.
◆ Static routes are included in RIP, OSPF or BGP updates periodically sent by the router if this feature is enabled by the RIP, OSPF or BGP redistribute command (see page 1739, page 1760, page 1849 respectively).
CHAPTER 51 | IP Routing Commands Global Routing Configuration show ip host-route This command displays the interface associated with known routes. COMMAND MODE Privileged Exec EXAMPLE Console#show ip host-route IP Address MAC Address VLAN Port --------------- ----------------- ---- ------192.168.0.99 00-E0-29-94-34-64 1 1/1 192.168.1.250 00-00-30-01-01-01 3 1/ 1 10.2.48.2 00-00-30-01-01-02 1 1/ 1 10.2.5.6 00-00-30-01-01-03 1 1/ 2 10.3.9.
CHAPTER 51 | IP Routing Commands Global Routing Configuration COMMAND MODE Privileged Exec COMMAND USAGE ◆ The FIB contains information required to forward IP traffic. It contains the interface identifier and next hop information for each reachable destination network prefix based on the IP routing table. When routing or topology changes occur in the network, the routing table is updated, and those changes are immediately reflected in the FIB.
CHAPTER 51 | IP Routing Commands Global Routing Configuration Information Base (see Command Usage under the show ip route command). EXAMPLE Console#show ip route database Codes: C - connected, S - static, R - RIP, B - BGP O - OSPF, IA - OSPF inter area N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2 E1 - OSPF external type 1, E2 - OSPF external type 2 i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area > - selected route, * - FIB route, p - stale info C C *> 127.0.0.
CHAPTER 51 | IP Routing Commands Global Routing Configuration IP sent forwards datagrams 5927 requests discards no routes generated fragments fragment succeeded fragment failed ICMP Statistics: ICMP received input errors destination unreachable messages time exceeded messages parameter problem message echo request messages echo reply messages redirect messages timestamp request messages timestamp reply messages source quench messages address mask request messages address mask reply messages ICMP sent outpu
CHAPTER 51 | IP Routing Commands Global Routing Configuration IPv6 Commands ipv6 route This command configures static IPv6 routes. Use the no form to remove static routes. SYNTAX [no] ipv6 route destination-ipv6-address/prefix-length {gateway-address [distance] | link-local-address%zone-id [distance] | tunnel interface-number} destination-ipv6-address – The IPv6 address of a destination network, subnetwork, or host. This must be a full IPv6 address including the network prefix and host address bits.
CHAPTER 51 | IP Routing Commands Global Routing Configuration ◆ If both static and dynamic paths have the same lowest cost, the first route stored in the routing table, either statically configured or dynamically learned via a routing protocol, will be used. ◆ Static routes are included in RIP, OSPF and BGP updates periodically sent by the router if this feature is enabled by the RIP, OSPF or BGP redistribute command (see page 1739, page 1760, page 1849 respectively.
CHAPTER 51 | IP Routing Commands Global Routing Configuration COMMAND MODE Privileged Exec COMMAND USAGE ◆ The FIB contains information required to forward IP traffic. It contains the interface identifier and next hop information for each reachable destination network prefix based on the IP routing table. When routing or topology changes occur in the network, the routing table is updated, and those changes are immediately reflected in the FIB.
CHAPTER 51 | IP Routing Commands Routing Information Protocol (RIP) ROUTING INFORMATION PROTOCOL (RIP)
router rip This command enables Routing Information Protocol (RIP) routing for all IP interfaces on the router. Use the no form to disable it. SYNTAX [no] router rip COMMAND MODE Global Configuration DEFAULT SETTING Disabled COMMAND USAGE ◆ RIP is used to specify how routers exchange routing table information. ◆ This command is also used to enter router configuration mode.
RELATED COMMANDS ip route (1724) redistribute (1739) default-metric This command sets the default metric assigned to external routes imported from other protocols. Use the no form to restore the default value. SYNTAX default-metric metric-value no default-metric metric-value – Metric assigned to external routes.
distance This command defines an administrative distance for external routes learned from other routing protocols. Use the no form to restore the default setting. SYNTAX [no] distance distance network-address netmask distance - Administrative distance for external routes. External routes are routes for which the best path is learned from a neighbor external to the local RIP autonomous system.
COMMAND MODE Router Configuration COMMAND USAGE Because of hardware resource limitations, not all learned RIP routes may be copied to the hardware (ASIC) tables used for fast data forwarding. EXAMPLE Console(config-router)#maximum-prefix 1024 Console(config-router)# neighbor This command defines a neighboring router with which this router will exchange routing information. Use the no form to remove an entry.
network This command specifies the network interfaces that will be included in the RIP routing process. Use the no form to remove an entry. SYNTAX [no] network {ip-address netmask | vlan vlan-id} ip-address – IP address of a network directly connected to this router. netmask - Network mask for the route. This mask identifies the network address bits used for the associated routing entries. vlan-id - VLAN ID.
COMMAND USAGE ◆ If this command is used to stop sending routing updates on an interface, the attached subnet will still continue to be advertised to other interfaces, and updates from other routers on that interface will continue to be received and processed. ◆ Use this command in conjunction with the neighbor command to control the routing updates sent to specific neighbors.
◆ It is advisable to use a low metric when redistributing routes from another protocol into RIP. Using a high metric limits the usefulness of external routes redistributed into RIP. For example, if a metric of 10 is defined for redistributed routes, each hop adds one to the metric, so these routes can only be advertised to routers up to 5 hops away; one hop further the metric reaches 16, which RIP treats as unreachable (the maximum hop count is 15).
COMMAND MODE Router Configuration COMMAND USAGE ◆ The update timer sets the rate at which updates are sent. This is the fundamental timer used to control all basic RIP processes. ◆ The timeout timer is the period after which a route for which no update messages have been received is declared dead. The route is marked inaccessible (i.e., the metric set to infinite) and advertised as unreachable. However, packets are still forwarded on this route.
COMMAND USAGE ◆ When this command is used to specify a global RIP version, any VLAN interface not previously set by the ip rip receive version or ip rip send version command will use the global RIP version setting. ◆ When the no form of this command is used to restore the default value, any VLAN interface not previously set by the ip rip receive version or ip rip send version command will be set to the default send or receive version.
◆ For authentication to function properly, both the sending and receiving interface must be configured with the same password or authentication key. ◆ With simple-text authentication the password itself is carried in cleartext in every RIP packet and can be read by anyone able to capture traffic on the segment; with MD5 authentication only a digest is sent and the key never appears on the wire. ◆ MD5 is a one-way hash algorithm that takes the authentication key and produces a 128 bit message digest or “fingerprint.”
EXAMPLE This example sets an authentication password of “small” to verify incoming routing messages and to tag outgoing routing messages. Console(config)#interface vlan 1 Console(config-if)#ip rip authentication string small Console(config-if)# RELATED COMMANDS ip rip authentication mode (1742) ip rip receive version This command specifies a RIP version to receive on an interface. Use the no form to restore the default value.
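The two RIP authentication modes above look very different on the wire. The following Python is an added example, not part of this guide or of the switch firmware: it builds RIPv2 Response packets in memory with the RFC 2453 simple-password entry and with the RFC 2082 MD5 entry and trailer, then inspects them the way a sniffer or a receiving router would. The route entries, the password “small” (taken from the example above) and the key “example-key” are constructed for the example.

```python
"""Build and inspect RIPv2 authentication entries (RFC 2453 simple password,
RFC 2082 MD5). Added example; not the switch's own code. All packets, routes,
passwords and keys are constructed in memory for illustration."""
import hashlib
import hmac
import struct

RIP_HDR = struct.Struct("!BBH")   # command, version, routing domain (zero)
ENTRY_LEN = 20                    # every RIPv2 entry, auth entries included, is 20 octets
AUTH_AFI = 0xFFFF                 # address family that marks an authentication entry
AUTH_SIMPLE, AUTH_MD5, AUTH_TRAILER = 2, 3, 1


def _ip(dotted):
    return bytes(int(o) for o in dotted.split("."))


def _pad16(secret):
    # Password or key occupies exactly 16 octets, zero padded (RFC 2453 / RFC 2082)
    return secret.encode()[:16].ljust(16, b"\0")


def rip_md5(data, key):
    """RFC 2082 digest: MD5 over the packet up to and including the trailer
    header (0xFFFF/0x0001), followed by the 16-octet padded key. The key itself
    is never transmitted; only this digest is."""
    return hashlib.md5(data + _pad16(key)).digest()


def build_rip_response(routes, password=None, md5_key=None, key_id=1, seq=1):
    """Build a RIPv2 Response (command 2). routes: (prefix, mask, next_hop, metric).
    Give either password (simple text) or md5_key (RFC 2082), or neither."""
    hdr = RIP_HDR.pack(2, 2, 0)
    body = b"".join(
        struct.pack("!HH4s4s4sI", 2, 0, _ip(p), _ip(m), _ip(nh), metric)
        for p, m, nh, metric in routes)
    if password is not None:
        # Simple password: the 16 password octets travel in cleartext before the routes
        return hdr + struct.pack("!HH16s", AUTH_AFI, AUTH_SIMPLE, _pad16(password)) + body
    if md5_key is not None:
        # Packet Length field = offset of the trailer = header + auth entry + routes
        pkt_len = RIP_HDR.size + ENTRY_LEN + len(body)
        auth = struct.pack("!HHHBBI8x", AUTH_AFI, AUTH_MD5, pkt_len, key_id, 16, seq)
        trailer_hdr = struct.pack("!HH", AUTH_AFI, AUTH_TRAILER)
        unsigned = hdr + auth + body + trailer_hdr
        return unsigned + rip_md5(unsigned, md5_key)
    return hdr + body


def inspect_rip_auth(pkt, key_ring=None):
    """Describe the authentication on a RIPv2 packet as a receiver sees it.
    key_ring maps Key IDs to keys and is used to verify MD5 trailers."""
    afi, atype = struct.unpack_from("!HH", pkt, RIP_HDR.size)
    if afi != AUTH_AFI:
        return {"mode": "none"}
    if atype == AUTH_SIMPLE:
        # Anyone who can capture the segment reads the password straight out of the entry
        password = pkt[8:24].rstrip(b"\0").decode(errors="replace")
        return {"mode": "simple", "password": password}
    if atype == AUTH_MD5:
        pkt_len, key_id, auth_len, seq = struct.unpack_from("!HBBI", pkt, 8)
        result = {"mode": "md5", "key_id": key_id, "seq": seq, "valid": False}
        if auth_len != 16 or len(pkt) != pkt_len + ENTRY_LEN:
            return result
        if struct.unpack_from("!HH", pkt, pkt_len) != (AUTH_AFI, AUTH_TRAILER):
            return result
        key = (key_ring or {}).get(key_id)
        if key is not None:
            expected = rip_md5(pkt[:pkt_len + 4], key)
            received = pkt[pkt_len + 4:pkt_len + ENTRY_LEN]
            result["valid"] = hmac.compare_digest(expected, received)
        return result
    return {"mode": "unknown type %d" % atype}
```

The simple-password packet contains the literal bytes of the password, which is why a practitioner treats that mode as a misconfiguration guard rather than as authentication; the MD5 packet carries only a Key ID, a sequence number and a digest, and a receiver without the matching key, or one handed a packet whose route entries were altered in transit, reports the trailer as invalid.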
RELATED COMMANDS version (1741) ip rip receive-packet This command configures the interface to receive RIP packets. Use the no form to disable this feature. SYNTAX [no] ip rip receive-packet COMMAND MODE Interface Configuration (VLAN) DEFAULT SETTING Enabled COMMAND USAGE Use the no form of this command if it is not required to add any dynamic entries to the routing table for an interface.
COMMAND MODE Interface Configuration (VLAN) COMMAND USAGE ◆ Use this command to override the global setting specified by the RIP version command. ◆ You can specify the send version based on these options: ■ Use version 1 or version 2 if all routers in the local network are based on RIPv1 or RIPv2, respectively.
EXAMPLE Console(config)#interface vlan 1 Console(config-if)#ip rip send-packet Console(config-if)# RELATED COMMANDS ip rip receive-packet (1745) ip rip split-horizon This command enables split-horizon or poison-reverse (a variation) on an interface. Use the no form to disable this function. SYNTAX ip rip split-horizon [poisoned] no ip rip split-horizon poisoned - Enables poison-reverse on the current interface.
clear ip rip route This command clears specified data from the RIP routing table. SYNTAX clear ip rip route {ip-address netmask | all | connected | ospf | rip | static} ip-address - IP address of a route entry. netmask - Network mask for the route. This mask identifies the network address bits used for the associated routing entries. all - Deletes all entries from the routing table. connected - Deletes all currently connected entries.
Incoming update filter list for all interface is not set Default redistribution metric is 1 Redistributing: Default version control: send version by interface set,receive version by interface set Interface Send Recv VLAN1 1-compatible 1 2 Routing for Networks: 10.0.0.0/24 Routing Information Sources: Gateway Distance Last Update Bad Packets Bad Routes 10.0.0.
CHAPTER 51 | IP Routing Commands Open Shortest Path First (OSPFv2) OPEN SHORTEST PATH FIRST (OSPFV2)
Table 252: Open Shortest Path First Commands (Continued)
Command / Function / Mode
ip ospf retransmit-interval / Specifies the time between resending a link-state advertisement / IC
ip ospf transmit-delay / Estimates time to send a link-state update packet over an interface / IC
passive-interface / Suppresses OSPF routing traffic on the specified interface / RC
show ip ospf / Displays general information about the routing processes / PE
show ip
EXAMPLE Console(config)#router ospf Console(config-router)# RELATED COMMANDS network area (1768) compatible rfc1583 This command calculates summary route costs using RFC 1583 (early OSPFv2). Use the no form to calculate costs using RFC 2328 (OSPFv2).
default-information originate This command generates a default external route into an autonomous system. Use the no form to disable this feature. SYNTAX default-information originate [always] [metric interface-metric] [metric-type metric-type] no default-information originate [always | metric | metric-type] always - Always advertise itself as a default external route for the local AS regardless of whether the router has a default route.
comparing Type 2 routes, the internal cost is only used as a tie-breaker if several Type 2 routes have the same cost. ◆ This command should not be used to generate a default route for a stub or NSSA. To generate a default route for these area types, use the area stub or area nssa commands. EXAMPLE This example assigns a metric of 20 to the default external route advertised into an autonomous system, sending it as a Type 2 external metric.
◆ If the priority values of the routers bidding to be the designated router or backup designated router for an area are equal, the router with the highest ID is elected. EXAMPLE Console(config-router)#router-id 10.1.1.
clear ip ospf process This command clears and restarts the OSPF routing process. Specify the process ID to clear a particular OSPF process. When no process ID is specified, this command clears all running OSPF processes. SYNTAX clear ip ospf [process-id] process process-id - Specifies the routing process ID. (Range: 1-65535) DEFAULT SETTING Clears all routing processes.
EXAMPLE Console(config-router)#area 10.3.9.0 default-cost 10 Console(config-router)# RELATED COMMANDS area stub (1764) area nssa (1762) area range This command summarizes the routes advertised by an Area Border Router (ABR). Use the no form to disable this function. SYNTAX [no] area area-id range ip-address netmask [advertise | not-advertise] area-id - Identifies an area for which the routes are summarized.
EXAMPLE This example creates a summary address for all area routes in the range of 10.2.x.x. Console(config-router)#area 10.2.0.0 range 10.2.0.0 255.255.0.0 advertise Console(config-router)# auto-cost reference-bandwidth Use this command to calculate the default metrics for an interface based on bandwidth. Use the no form to automatically assign costs based on interface type.
default-metric This command sets the default metric for external routes imported from other protocols. Use the no form to remove the default metric for the supported protocol types. SYNTAX default-metric metric-value no default-metric metric-value – Metric assigned to all external routes imported from other protocols.
redistribute This command redistributes external routing information from other routing protocols and static routes into an autonomous system. Use the no form to disable this feature or to restore the default settings.
router, it adds the internal cost to the external route metric. In other words, the cost of the route from any router within the AS is equal to the cost associated with reaching the advertising ASBR, plus the cost of the external route. When a Type 2 LSA is received by a router, it only uses the external route metric to determine route cost.
EXAMPLE This example creates a summary address for all routes contained in 192.168.x.x. Console(config-router)#summary-address 192.168.0.0 255.255.0.0 Console(config-router)# RELATED COMMANDS area range (1798) redistribute (1799) Area Configuration area nssa This command defines a not-so-stubby area (NSSA). To remove an NSSA, use the no form without any optional keywords.
other areas within the AS for an NSSA ABR, or to areas outside the AS for an NSSA ASBR. metric-value - Metric assigned to Type-7 default LSAs. (Range: 0-16777214; Default: 1) type-value 1 - Type 1 external route 2 - Type 2 external route (default) - Routers do not add internal cost to the external route metric. COMMAND MODE Router Configuration DEFAULT SETTING No NSSA is configured.
EXAMPLE This example creates NSSA 10.3.0.0, and assigns all interfaces with class B addresses 10.3.x.x to the NSSA. It also instructs the router to generate external LSAs into the NSSA when it is an NSSA ABR or NSSA ASBR. Console(config-router)#area 10.3.0.0 nssa default-information-originate Console(config-router)#network 10.3.0.0 255.255.0.0 area 10.3.0.0 Console(config-router)# area stub This command defines a stub area.
EXAMPLE This example creates a stub area 10.2.0.0, and assigns all interfaces with class B addresses 10.2.x.x to the stub. Console(config-router)#area 10.2.0.0 stub Console(config-router)#network 10.2.0.0 255.255.0.0 area 10.2.0.0 Console(config-router)# RELATED COMMANDS area default-cost (1756) area virtual-link This command defines a virtual link. To remove a virtual link, use the no form with no optional keywords.
value must be the same for all routers attached to an autonomous system. (Range: 1-65535 seconds; Default: 4 x hello interval, or 40 seconds) hello-interval seconds - Specifies the transmit delay between sending hello packets. Setting the hello interval to a smaller value can reduce the delay in detecting topological changes, but will increase the routing traffic. This value must be the same for all routers attached to an autonomous system.
DEFAULT SETTING area-id: None router-id: None hello-interval: 10 seconds retransmit-interval: 5 seconds transmit-delay: 1 second dead-interval: 40 seconds authentication-key: None message-digest-key: None COMMAND USAGE ◆ All areas must be connected to a backbone area (0.0.0.0) to maintain routing connectivity throughout the autonomous system. If it is not possible to physically connect an area to the backbone, you can use a virtual link.
network area This command defines an OSPF area and the interfaces that operate within this area. Use the no form to disable OSPF for a specified interface. SYNTAX [no] network ip-address netmask area area-id ip-address - Address of the interfaces to add to the area. netmask - Network mask of the address range to add to the area. area-id - Area to which the specified address or range is assigned.
Interface Configuration ip ospf authentication This command specifies the authentication type used for an interface. Enter this command without any optional parameters to specify plain text (or simple password) authentication. Use the no form to restore the default of no authentication. SYNTAX ip ospf [ip-address] authentication [message-digest | null] no ip ospf [ip-address] authentication ip-address - IP address of the interface.
◆ The plain-text authentication-key, or the MD5 key-id and key, must be used consistently throughout the autonomous system. ◆ Plain-text authentication carries the key itself in the 8-byte Authentication field of every OSPF packet, so it guards only against accidental misconfiguration, not against an attacker who can capture traffic on the segment; use message-digest authentication wherever the key must remain secret. EXAMPLE This example enables message-digest authentication for the specified interface.
EXAMPLE This example sets a password for the specified interface. Console(config)#interface vlan 1 Console(config-if)#ip ospf authentication-key badboy Console(config-if)# RELATED COMMANDS ip ospf authentication (1769) ip ospf cost This command explicitly sets the cost of sending a protocol packet on an interface, where higher values indicate slower ports. Use the no form to restore the default value.
ip ospf dead-interval This command sets the interval during which no hello packets are seen before neighbors declare the router down. Use the no form to restore the default value. SYNTAX ip ospf [ip-address] dead-interval seconds no ip ospf [ip-address] dead-interval ip-address - This parameter can be used to indicate a specific IP address connected to the current interface.
seconds - Interval at which hello packets are sent from an interface. This interval must be set to the same value for all routers on the network. (Range: 1-65535) COMMAND MODE Interface Configuration (VLAN) DEFAULT SETTING 10 seconds COMMAND USAGE Hello packets are used to inform other routers that the sending router is still active.
packets. Neighbor routers must use the same key identifier and key value. ◆ When changing to a new key, the router will send multiple copies of all protocol messages, one with the old key and another with the new key. Once all the neighboring routers start sending protocol messages back to this router with the new key, the router will stop using the old key.
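The key rollover described above works because a receiver can hold more than one message-digest key at a time, selected by the Key ID in the packet header, and because the cryptographic sequence number lets it discard replayed packets. The following Python is an added example, not part of this guide or of the switch firmware: it implements the RFC 2328 Appendix D.4 generation and verification steps over OSPFv2 packets built in memory, including the two-key rollover window and the sequence-number check. The router ID 10.1.1.1, the keys and the packet bodies are constructed for the example.

```python
"""OSPFv2 cryptographic (MD5) authentication per RFC 2328 Appendix D.4, with a
key ring for rollover and per-neighbor replay protection. Added example; not
the switch's own code. Router IDs, keys and packet bodies are constructed."""
import hashlib
import hmac
import struct

# version, type, packet length, router ID, area ID, checksum, AuType, then the
# 8-byte Authentication field laid out as zero(2), Key ID(1), Auth Data Len(1), sequence(4)
OSPF_HDR = struct.Struct("!BBHIIHHHBBI")
AU_CRYPTOGRAPHIC = 2
DIGEST_LEN = 16


def _pad16(key):
    # RFC 2328 D.3: keys shorter than 16 octets are zero padded to 16
    return key[:16].ljust(16, b"\0")


def build_packet(router_id, area_id, key_id, key, seq, ptype=1, body=b""):
    """Return an OSPFv2 packet (type 1 = Hello by default) followed by its MD5
    digest. With cryptographic authentication the checksum field is zero and
    the 16-byte digest is appended after Packet Length, not counted in it."""
    length = OSPF_HDR.size + len(body)
    hdr = OSPF_HDR.pack(2, ptype, length, router_id, area_id, 0,
                        AU_CRYPTOGRAPHIC, 0, key_id, DIGEST_LEN, seq)
    pkt = hdr + body
    return pkt + hashlib.md5(pkt + _pad16(key)).digest()


class NeighborAuth:
    """Receive side: a key ring indexed by Key ID plus the last sequence number
    accepted from each neighbor (RFC 2328 D.4.4). Keeping the old and the new
    key installed together is what makes the rollover above loss-free."""

    def __init__(self, keys):
        self.keys = dict(keys)      # {key_id: key bytes}; several may coexist
        self.last_seq = {}          # {router_id: last accepted sequence number}

    def add_key(self, key_id, key):
        self.keys[key_id] = key

    def retire_key(self, key_id):
        # Remove the old key only after every neighbor has moved to the new Key ID
        self.keys.pop(key_id, None)

    def verify(self, pkt):
        if len(pkt) < OSPF_HDR.size:
            return "reject: short packet"
        (ver, _ptype, length, rid, _aid, cksum, autype,
         _zero, key_id, auth_len, seq) = OSPF_HDR.unpack_from(pkt)
        if ver != 2 or autype != AU_CRYPTOGRAPHIC or cksum != 0 or auth_len != DIGEST_LEN:
            return "reject: header not cryptographic auth"
        if len(pkt) != length + DIGEST_LEN:
            return "reject: length mismatch"
        key = self.keys.get(key_id)
        if key is None:
            return "reject: unknown key id %d" % key_id
        # Replay protection: the sequence number must not go backwards per neighbor
        if seq < self.last_seq.get(rid, 0):
            return "reject: replayed sequence number"
        expected = hashlib.md5(pkt[:length] + _pad16(key)).digest()
        if not hmac.compare_digest(expected, pkt[length:]):
            return "reject: bad digest"
        self.last_seq[rid] = seq
        return "accept"
```

During the rollover window a packet signed with either Key ID verifies; once the old Key ID is retired, packets still signed with it are rejected, which is why the old key should be removed only after every neighbor has switched, as the command usage above describes.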
◆ Set the priority to zero to prevent a router from being elected as a DR or BDR. If set to any value other than zero, the router with the highest priority will become the DR and the router with the next highest priority becomes the BDR. If two or more routers are tied with the same highest priority, the router with the higher ID will be elected.
EXAMPLE Console(config)#interface vlan 1 Console(config-if)#ip ospf retransmit-interval 7 Console(config-if)# ip ospf transmit-delay This command sets the estimated time to send a link-state update packet over an interface. Use the no form to restore the default value.
passive-interface This command suppresses OSPF routing traffic on the specified interface. Use the no form to allow routing traffic to be sent and received on the specified interface. SYNTAX [no] passive-interface vlan vlan-id [ip-address] vlan-id - VLAN ID. (Range: 1-4094) ip-address - An IPv4 address configured on this interface.
Number of incoming current DD exchange neighbors 0/5 Number of outgoing current DD exchange neighbors 0/5 Number of external LSA 0. Checksum 0x000000 Number of opaque AS LSA 0. Checksum 0x000000 LSDB database overflow limit is 20480 Number of LSA originated 1 Number of LSA received 0 Number of areas attached to this router: 1 Area 192.168.1.
Table 253: show ip ospf - display description (Continued) Field Description Number of areas The number of configured areas attached to this router.
show ip ospf database This command shows information about different OSPF Link State Advertisements (LSAs) stored in this router’s database. SYNTAX show ip ospf [process-id] database [asbr-summary | external | network | nssa-external | router | summary] [adv-router ip-address | link-state-id | self-originate] process-id - The ID of the router process for which information will be displayed.
Net Link States (Area 0.0.0.0)
Link ID / ADV Router / Age / Seq# / CkSum
192.168.0.2 / 192.168.0.2 / 225 / 0x80000001 / 0x9c0f
AS External Link States
Link ID / ADV Router / Age / Seq# / CkSum / Route / Tag
0.0.0.0 / 192.168.0.2 / 487 / 0x80000001 / 0xd491 / E2 0.0.0.0/0 / 0
0.0.0.0 / 192.168.0.3 / 222 / 0x80000001 / 0xce96 / E2 0.0.0.0/0 / 0
Console#
Table 254: show ip ospf database - display description Field Description OSPF Router Process with ID OSPF process ID and router ID.
Table 255: show ip ospf database summary - display description Field Description OSPF Router ID Router ID LS Age Age of LSA (in seconds) Options Optional capabilities associated with the LSA LS Type Summary Links - LSA describes routes to AS boundary routers Link State ID Interface address of the autonomous system boundary router Advertising Router Advertising router ID LS Sequence Number Sequence number of LSA (used to detec
External Route Tag: 0 Console# Table 256: show ip ospf database external - display description Field Description OSPF Router ID Router ID LS Age Age of LSA (in seconds) Options Optional capabilities associated with the LSA LS Type AS External Links - LSA describes routes to destinations outside the AS (including default external routes for the AS) Link State ID IP network number (External Network Number) Advertising Router Adv
Table 257: show ip ospf database network - display description Field Description OSPF Router ID Router ID LS Age Age of LSA (in seconds) Options Optional capabilities associated with the LSA LS Type Network Link - LSA describes the routers attached to the network Link State ID Interface address of the designated router Advertising Router Advertising router ID LS Sequence Number Sequence number of LSA (used to detect older dup
Table 258: show ip ospf database router - display description (Continued) Field Description Link State ID Router ID of the router that originated the LSA Advertising Router Advertising router ID LS Sequence Number Sequence number of LSA (used to detect older duplicate LSAs) Checksum Checksum of the complete contents of the LSA Length The length of the LSA in bytes Link connected to Link-state type, including transit network, st
Table 259: show ip ospf database summary - display description (Continued) Field Description Advertising Router Advertising router ID LS Sequence Number Sequence number of LSA (used to detect older duplicate LSAs) Checksum Checksum of the complete contents of the LSA Length The length of the LSA in bytes Network Mask Destination network’s IP address mask Metrics Cost of the link show ip ospf This command displays summary infor
Table 260: show ip ospf interface - display description (Continued) Field Description Network Type Includes broadcast, non-broadcast, or point-to-point networks Cost Interface transmit cost Transmit Delay Interface transmit delay (in seconds) State ◆ Disabled – OSPF not enabled on this interface ◆ Down – OSPF is enabled on this interface, but interface is down ◆ Loopback – This is a loopback interface ◆ Waiting – Router is t
EXAMPLE Console#show ip ospf neighbor ID Pri State Address Interface --------------- ------ ---------------- --------------- ------------- 192.168.0.3 1 FULL/BDR 192.168.0.
IA 172.16.10.0/24 [30] via 10.10.11.50, VLAN2, Area 0.0.0.0 E2 192.168.0.0/16 [10/20] via 10.10.11.50, VLAN2 Console# show ip ospf virtual-links This command displays detailed information about virtual links. SYNTAX show ip ospf virtual-links COMMAND MODE Privileged Exec EXAMPLE Console#show ip ospf virtual-links Virtual Link VLINK1 to router 192.168.0.2 is up Transit area 0.0.0.1 via interface VLAN1 Local address 192.168.0.
CHAPTER 51 | IP Routing Commands Open Shortest Path First (OSPFv3) show ip protocols This command displays OSPF process parameters. ospf SYNTAX show ip protocols ospf COMMAND MODE Privileged Exec EXAMPLE Console#show ip protocols ospf Routing Protocol is "ospf 200" Redistributing: rip Routing for Networks: 192.30.30.0/24 192.40.40.0/24 Routing for Summary Address: 192.168.1.0/24 192.168.3.
CHAPTER 51 | IP Routing Commands Open Shortest Path First (OSPFv3) Table 264: Open Shortest Path First Commands (Version 3) (Continued) Command Function Mode timers spf Configures the delay after a topology change and the hold time between consecutive SPF calculations RC Route Metrics and Summaries area default-cost Sets the cost for a default summary route sent into a stub RC area range Summarizes routes advertised by an ABR RC default-metric Sets the default metric for external routes import
CHAPTER 51 | IP Routing Commands Open Shortest Path First (OSPFv3) General Guidelines Follow these basic steps to configure OSPFv3: 1. Assign an IPv6 link-local address to each VLAN interface that will participate in an OSPF routing process. You can automatically generate a link-local address using the ipv6 enable command, or manually assign an address to an interface using the ipv6 address link-local command. 2.
CHAPTER 51 | IP Routing Commands Open Shortest Path First (OSPFv3) EXAMPLE Console(config)#router ipv6 ospf tag 0 Console(config-router)#end Console#show ipv6 ospf Routing Process "ospf r&d" with ID 192.168.0.2 Process uptime is 1 hour 34 minutes Supports only single TOS(TOS0) routes SPF schedule delay 5 secs, Hold time between two SPFs 10 secs Number of incoming concurrent DD exchange neighbors 0/5 Number of outgoing concurrent DD exchange neighbors 0/5 Number of external LSA 0.
CHAPTER 51 | IP Routing Commands Open Shortest Path First (OSPFv3) ■ ■ IBM Interpretation: A router is considered to be an ABR if it has more than one actively attached area and the backbone area is configured. Standard Interpretation: A router is considered to be an ABR if it is attached to two or more areas. It does not have to be attached to the backbone area. ◆ To successfully route traffic to inter-area and AS external destinations, an ABR must be connected to the backbone.
CHAPTER 51 | IP Routing Commands Open Shortest Path First (OSPFv3) COMMAND MODE Router Configuration DEFAULT SETTING 5 COMMAND USAGE ◆ This limit applies separately to the number of neighbors to which DD packets can be concurrently sent, and to the number of neighbors from which DD packets can be concurrently received.
CHAPTER 51 | IP Routing Commands Open Shortest Path First (OSPFv3) ◆ The current routing process will not be enabled until a Router ID is configured with this command. EXAMPLE Console(config-router)#router-id 10.1.1.1 Console(config-router)# RELATED COMMANDS router ipv6 ospf (1792) timers spf This command configures the delay after receiving a topology change and starting the shortest path first (SPF) calculation, and the hold time between making two consecutive SPF calculations.
CHAPTER 51 | IP Routing Commands Open Shortest Path First (OSPFv3) Route Metrics and Summaries area default-cost This command specifies a cost for the default summary route sent into a stub from an Area Border Router (ABR). Use the no form to remove the assigned default cost. SYNTAX area area-id default-cost cost no area area-id default-cost area-id - Identifies the stub. (The area ID can be in the form of an IPv4 address or as a four octet unsigned integer ranging from 0-4294967295.
CHAPTER 51 | IP Routing Commands Open Shortest Path First (OSPFv3) area range This command summarizes the routes advertised by an Area Border Router (ABR). Use the no form to disable this function. SYNTAX [no] area area-id range ipv6-prefix/prefix-length {advertise | not-advertise} area-id - Identifies an area for which the routes are summarized. The area ID can be in the form of an IPv4 address or as a four octet unsigned integer ranging from 0-4294967295.
CHAPTER 51 | IP Routing Commands Open Shortest Path First (OSPFv3) default-metric This command sets the default metric for external routes imported from other protocols. Use the no form to remove the default metric for the supported protocol types. SYNTAX default-metric metric-value no default-metric metric-value – Metric assigned to all external routes imported from other protocols.
type-value
1 - Type 1 external route
2 - Type 2 external route (default) - Routers do not add the internal route metric to the external route metric.
COMMAND MODE Router Configuration
DEFAULT SETTING
redistribution - none
metric-value - 20
type-metric - 2
COMMAND USAGE
◆ This command is used to import routes learned from other routing protocols into the OSPF domain, and to generate AS-external-LSAs.
Area Configuration
area stub
This command defines a stub area. To remove a stub, use the no form without the optional keyword. To remove the summary attribute, use the no form with the summary keyword.
SYNTAX
[no] area area-id stub [no-summary]
area-id - Identifies the stub area. The area ID can be in the form of an IPv4 address or as a four-octet unsigned integer ranging from 0-4294967295.
RELATED COMMANDS area default-cost (1797)
area virtual-link
This command defines a virtual link. To remove a virtual link, use the no form with no optional keywords. To restore the default value for an attribute, use the no form with the required keyword.
COMMAND MODE Router Configuration
DEFAULT SETTING
area-id: None
router-id: None
hello-interval: 10 seconds
retransmit-interval: 5 seconds
transmit-delay: 1 second
dead-interval: 40 seconds
COMMAND USAGE
◆ All areas must be connected to the backbone area (0.0.0.0) to maintain routing connectivity throughout the autonomous system. If it is not possible to physically connect an area to the backbone, you can use a virtual link.
ipv6 router ospf
This command binds an OSPF area to the selected interface. Use the no form to remove an OSPF area, disable an OSPF process, or remove an instance identifier from an interface.
SYNTAX
[no] ipv6 router ospf area area-id [tag process-name | instance-id instance-id]
area-id - Area to bind to the current Layer 3 interface. An OSPF area identifies a group of routers that share common routing information.
Console(config-if)#ipv6 router ospf area 0 tag 0 instance-id 0
Console(config-if)#
RELATED COMMANDS router ipv6 ospf (1792), router-id (1795), ipv6 router ospf tag area (1805)
ipv6 router ospf tag area
This command binds an OSPF area to the selected interface and process. Use the no form to remove the specified area from an interface.
EXAMPLE
This example assigns area 0.0.0.1 to the currently selected interface under routing process “1.”
Console(config)#interface vlan 1
Console(config-if)#ipv6 router ospf tag 1 area 0.0.0.
EXAMPLE
Console(config)#interface vlan 1
Console(config-if)#ipv6 ospf cost 10
Console(config-if)#
ipv6 ospf dead-interval
This command sets the interval during which no hello packets are seen before neighbors declare the router down. Use the no form to restore the default value.
ipv6 ospf hello-interval
This command specifies the interval between sending hello packets on an interface. Use the no form to restore the default value.
SYNTAX
ipv6 ospf hello-interval seconds [instance-id instance-id]
no ipv6 ospf hello-interval [instance-id instance-id]
seconds - Interval at which hello packets are sent from an interface. This interval must be set to the same value for all routers on the network.
COMMAND MODE Interface Configuration (VLAN)
DEFAULT SETTING 1
COMMAND USAGE
◆ A designated router (DR) and backup designated router (BDR) are elected for each OSPF area based on Router Priority. The DR forms an active adjacency to all other routers in the area to exchange routing topology information. If for any reason the DR fails, the BDR takes over this role.
DEFAULT SETTING 5 seconds
COMMAND USAGE
◆ A router will resend an LSA to a neighbor if it receives no acknowledgment after the specified retransmit interval. The retransmit interval should be set to a conservative value that provides an adequate flow of routing information, but does not produce unnecessary protocol traffic. Note that this value should be larger for virtual links.
receive them. To avoid this problem, use the transmit delay to force the router to wait a specified interval between transmissions.
EXAMPLE
Console(config)#interface vlan 1
Console(config-if)#ipv6 ospf transmit-delay 6
Console(config-if)#
passive-interface
This command suppresses OSPF routing traffic on the specified interface. Use the no form to allow routing traffic to be sent and received on the specified interface.
Display Information
show ipv6 ospf
This command shows basic information about the routing configuration.
COMMAND MODE Privileged Exec
EXAMPLE
Console#show ipv6 ospf
Routing Process "ospf 1" with ID 192.168.0.
Table 265: show ip ospf - display description (Continued)
Field / Description
Checksum: The sum of the LS checksums of opaque link-state advertisements contained in the link-state database.
Number of LSA received: The number of link-state advertisements that have been received.
Number of areas attached to this router: The number of configured areas attached to this router.
Area Information
Area: The area identifier.
Table 266: show ip ospf database - display description
Field / Description
OSPF Router Process with ID: OSPF router ID and process ID. The router ID uniquely identifies the router in the autonomous system. By convention, this is normally set to one of the router's IP interface addresses.
Link State ID: This field identifies the piece of the routing domain that is being described by the advertisement.
Table 267: show ip ospf interface - display description (Continued)
Field / Description
Network Type: Includes broadcast, non-broadcast, or point-to-point networks
Cost: Interface transmit cost
Transmit Delay: Interface transmit delay (in seconds)
State:
◆ Backup – Backup Designated Router
◆ Down – OSPF is enabled on this interface, but the interface is down
◆ DR – Designated Router
◆ DROther – Interface is on a multiaccess network, b
EXAMPLE
Console#show ipv6 ospf neighbor
ID              Pri    State            Interface ID    Interface
--------------- ------ ---------------- --------------- -------------
192.168.0.
C    2001:DB8:2222:7272::/64, VLAN1
?    FE80::/64, VLAN1 inactive
C    FE80::/64, VLAN1
?    FF00::/8, VLAN1 inactive
Console#
show ipv6 ospf virtual-links
This command displays detailed information about virtual links.
SYNTAX
show ipv6 ospf [tag process-id] virtual-links
process-id - The ID of the router process for which information will be displayed.
CHAPTER 51 | IP Routing Commands Border Gateway Protocol (BGPv4)
Table 269: show ipv6 ospf virtual-links - display description
Field / Description
Hello due: The timeout for the next hello message from the neighbor
Adjacency state: The adjacency state between these neighbors:
Down – Connection down
Attempt – Connection down, but attempting contact (for non-broadcast networks)
Init – Have received a Hello packet, but communications not yet established
Two-way – Bidirectional communications established
ExStar
Figure 555: Connections for Internal and External BGP (diagram: routers in AS100, AS200 and AS300, with iBGP links inside each AS and eBGP links between the border routers)
External BGP – eBGP interconnects different ASs through border routers, or eBGP peers. These peering routers are commonly connected over a WAN link using a single physical path.
available path, the peer keeps a copy of it in its routing table so that if path information for that prefix changes (such as if the current best available path is withdrawn), it can be used to calculate a new best available path. BGP cannot detect routes and provide reachability information.
◆ LOCAL_PREF – This local preference attribute is similar to the MED, but applies within an AS. It sets a metric which is used between BGP speakers within an AS. It can help in selecting an outgoing BGP path when an AS has connectivity to multiple ASes, or has multiple BGP routes even with the same next-hop AS.
◆ ATOMIC_AGGREGATE – This attribute indicates that the routes were created by aggregating more specific routes.
4. Choose the path with the shortest AS_PATH. If the value of this attribute is the same for more than one candidate, go to the next step. Note that this attribute may be disabled in the selection process using the bgp bestpath as-path ignore command.
5. Choose the path with the lowest ORIGIN (IGP < EGP < Incomplete). If the value of this criterion is the same for more than one candidate, go to the next step.
6.
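The ordered decision steps above are easier to reason about when written out as a comparator. The following is an added example, not code from the switch or this guide; it generalizes the steps shown here to the usual full sequence (LOCAL_PREF, AS_PATH length, ORIGIN, MED, eBGP over iBGP, lowest router ID) and exposes the bgp bestpath as-path ignore, bgp always-compare-med and bgp bestpath med missing-as-worst policies as flags. The candidate paths and their attribute values are constructed sample data.

```python
"""Added example (not the switch's code): a BGP best-path comparator that
applies the decision steps in order and reports, for every losing path,
the step at which it lost.  Sample paths below are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

ORIGIN_RANK = {"igp": 0, "egp": 1, "incomplete": 2}   # lower is preferred


@dataclass
class Path:
    prefix: str
    next_hop: str
    local_pref: int = 100
    as_path: List[int] = field(default_factory=list)
    origin: str = "igp"
    med: Optional[int] = 0          # None means the MED attribute is missing
    ebgp: bool = True               # learned from an eBGP peer
    router_id: str = "0.0.0.0"      # BGP identifier of the advertising peer


@dataclass
class Policy:
    as_path_ignore: bool = False      # bgp bestpath as-path ignore
    always_compare_med: bool = False  # bgp always-compare-med
    missing_as_worst: bool = False    # bgp bestpath med missing-as-worst


def _neighbor_as(p: Path) -> Optional[int]:
    return p.as_path[0] if p.as_path else None


def _ip_key(addr: str) -> Tuple[int, ...]:
    return tuple(int(o) for o in addr.split("."))


def _effective_med(p: Path, pol: Policy) -> int:
    if p.med is None:
        return 2**32 - 1 if pol.missing_as_worst else 0
    return p.med


def compare(a: Path, b: Path, pol: Policy) -> Tuple[int, str]:
    """Return (-1, step) if a is preferred, (1, step) if b is, (0, 'TIE') otherwise."""
    if a.local_pref != b.local_pref:                      # step: highest LOCAL_PREF
        return (-1 if a.local_pref > b.local_pref else 1), "LOCAL_PREF"
    if not pol.as_path_ignore and len(a.as_path) != len(b.as_path):
        return (-1 if len(a.as_path) < len(b.as_path) else 1), "AS_PATH"
    ra, rb = ORIGIN_RANK[a.origin], ORIGIN_RANK[b.origin]
    if ra != rb:                                          # step: lowest ORIGIN
        return (-1 if ra < rb else 1), "ORIGIN"
    # MED is only comparable between paths from the same neighbouring AS
    # unless bgp always-compare-med is configured.
    if pol.always_compare_med or _neighbor_as(a) == _neighbor_as(b):
        ma, mb = _effective_med(a, pol), _effective_med(b, pol)
        if ma != mb:
            return (-1 if ma < mb else 1), "MED"
    if a.ebgp != b.ebgp:                                  # step: eBGP over iBGP
        return (-1 if a.ebgp else 1), "EBGP_OVER_IBGP"
    ka, kb = _ip_key(a.router_id), _ip_key(b.router_id)
    if ka != kb:                                          # step: lowest router ID
        return (-1 if ka < kb else 1), "ROUTER_ID"
    return 0, "TIE"


def select_best(paths: List[Path], pol: Policy = Policy()) -> Tuple[Path, Dict[str, str]]:
    """Pick the best path and explain why each other path lost against it."""
    best = paths[0]
    for cand in paths[1:]:
        if compare(cand, best, pol)[0] < 0:
            best = cand
    losers = {p.next_hop: compare(best, p, pol)[1] for p in paths if p is not best}
    return best, losers


# Constructed sample: three candidate paths for the same prefix.
SAMPLE = [
    Path("203.0.113.0/24", "10.0.0.1", as_path=[65001, 65010], router_id="10.0.0.1"),
    Path("203.0.113.0/24", "10.0.0.2", as_path=[65002], origin="incomplete", router_id="10.0.0.2"),
    Path("203.0.113.0/24", "10.0.0.3", as_path=[65003], origin="igp", router_id="10.0.0.3"),
]

if __name__ == "__main__":
    best, why = select_best(SAMPLE)
    print("best via", best.next_hop, "; losers:", why)
    best, why = select_best(SAMPLE, Policy(as_path_ignore=True))
    print("with as-path ignore, best via", best.next_hop, "; losers:", why)
```

Because MED is only compared between paths from the same neighbouring AS, a pairwise scan like the one above can produce a result that depends on the order in which paths are examined; that order dependence is what the bgp deterministic-med command in this chapter addresses.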
zero by both peers, a BGP session can be kept open without generating KEEPALIVE messages.
ROUTE AGGREGATION AND DISSEMINATION
In the Internet, the number of destinations is larger than most routing protocols can manage. It is not possible for routers to track every possible destination in their routing tables. To overcome this problem BGP relies on route aggregation, whereby multiple destinations are combined in a single advertisement.
ROUTE REFLECTORS
Route reflection designates one or more iBGP speakers as router concentrators or route reflectors, which are allowed to re-advertise routing information within the same autonomous system. It also clusters a subset of iBGP speakers with each route reflector (also known as route reflector clients), and adds several new attributes to help detect routing loops.
If there is only one route reflector in a cluster, that router would still have to process the same number of routing messages that would be required if it were in a fully meshed network. It is therefore preferable to use more than one route reflector in a cluster to reduce the overall number of iBGP sessions a single reflector has to handle.
CONFEDERATIONS
Confederations simply divide an autonomous system into smaller groups. They split an AS into multiple sub-ASes, where full mesh connections are maintained only within each sub-AS, and sub-ASes are connected by eBGP. The overall AS is known as a confederation, while the sub-ASes may also be referred to as member ASes.
Configuration Guidelines
1. Use the bgp confederation identifier command to configure the identifier for a confederation containing multiple smaller internal autonomous systems.
2. Use the bgp confederation peer command to add an internal peer autonomous system to a confederation.
ROUTE SERVERS
Route Servers are used to relay routes received from remote ASes to client routers, as well as to relay routes between client routers.
few seconds later, repeatedly. Since routing information is propagated to other downstream speakers, there is a ripple effect that creates a cascading storm of updates through the ASes. This causes instability in the routing tables, adds the computational overhead required to recompute the best path, and increases convergence time. Route damping provides a relief mechanism to minimize the effects of route flapping.
Table 270: Border Gateway Protocol Commands – Version 4 (Continued)
Command / Function / Mode
bgp client-to-client reflection: Configures route reflection between clients via route reflector (RC)
bgp cluster-id: Configures cluster identifier for multiple route reflectors in the same cluster (RC)
bgp confederation identifier: Configures the identifier for a confederation containing multiple smaller internal autonomous systems (RC)
bgp confedera
Table 270: Border Gateway Protocol Commands – Version 4 (Continued)
Command / Function / Mode
distance: Sets the administrative distance for a specified external BGP (eBGP) route (RC)
distance bgp: Sets the administrative distance for BGP external, internal, and local routes (RC)
neighbor activate: Enables exchange of routing information with a neighboring router or peer group (RC)
neighbor advertisement-interval: Configures the interval betwee
Table 270: Border Gateway Protocol Commands – Version 4 (Continued)
Command / Function / Mode
neighbor remote-as: Configures a neighbor and its AS number, identifying the neighbor as a local AS member (RC)
neighbor remove-private-as: Removes private autonomous system numbers from outbound routing updates to an external neighbor (RC)
neighbor route-map: Specifies the route mapping policy for inbound/outbound routing updates for specified neigh
Table 270: Border Gateway Protocol Commands – Version 4 (Continued)
Command / Function / Mode
show ip bgp scan: Shows BGP scan status (PE)
show ip bgp summary: Shows summary information for all connections (PE)
show ip community-list: Shows routes permitted by a community list (PE)
show ip extcommunity-list: Shows routes permitted by an extended community list (PE)
show ip prefix-list: Shows the specified prefix list (PE)
show ip prefix-list d
EXAMPLE
Console(config)#router bgp 100
Console(config-router)#
RELATED COMMANDS network (1848)
ip as-path access-list
This command configures an autonomous system path access list. Use the no form with only the access list name to disable its use, or with all parameters to remove a path attribute from the access list.
EXAMPLE
The regular expression in this example uses symbols which instruct the filter to match the character or null string at the beginning and end of an input string.
Console(config-router)#ip as-path access-list RD deny ^100$
Console(config-router)#
RELATED COMMANDS neighbor filter-list (1867), match as-path (1902)
ip community-list
This command configures a community access list.
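To show what the anchors in the example above actually buy, here is an added example (not code from the switch or this guide) of how an AS-path access list is evaluated: the AS_PATH is rendered as space-separated AS numbers, each entry's regular expression is tried in order, and the first match decides. The implicit deny at the end of the list, the list named LOOSE, and the sample routes are assumptions constructed for the example.

```python
"""Added example (not the switch's code): evaluation of an AS-path access
list such as 'ip as-path access-list RD deny ^100$' against constructed
routes.  The implicit deny when no entry matches is an assumption."""
import re
from typing import Dict, List, Sequence, Tuple


class AsPathAccessList:
    def __init__(self, name: str):
        self.name = name
        self.entries: List[Tuple[str, "re.Pattern[str]"]] = []

    def add(self, action: str, regex: str) -> None:
        if action not in ("permit", "deny"):
            raise ValueError("action must be permit or deny")
        self.entries.append((action, re.compile(regex)))

    def evaluate(self, as_path: Sequence[int]) -> str:
        # The path "100 200" is what the regular expression is matched against;
        # a locally originated route has an empty AS_PATH and yields "".
        text = " ".join(str(asn) for asn in as_path)
        for action, pattern in self.entries:
            if pattern.search(text):      # first matching entry decides
                return action
        return "deny"                     # assumed implicit deny


def filter_routes(acl: AsPathAccessList, routes: List[Dict]) -> List[Dict]:
    """Return only the routes whose AS_PATH the list permits."""
    return [r for r in routes if acl.evaluate(r["as_path"]) == "permit"]


# The manual's example list: deny paths that consist solely of AS 100,
# followed by an explicit permit-all so that everything else passes.
RD = AsPathAccessList("RD")
RD.add("deny", r"^100$")
RD.add("permit", r".*")

# A deliberately unanchored variant (constructed) to show why anchors matter:
# "100" also matches inside "1001".
LOOSE = AsPathAccessList("LOOSE")
LOOSE.add("deny", r"100")
LOOSE.add("permit", r".*")

# Constructed sample routes: (prefix, AS_PATH as received)
SAMPLE_ROUTES = [
    {"prefix": "198.51.100.0/24", "as_path": [100]},         # originated by AS 100 itself
    {"prefix": "203.0.113.0/24", "as_path": [100, 200]},     # transits AS 100, origin AS 200
    {"prefix": "192.0.2.0/24", "as_path": [300, 100]},       # AS 100 is the origin, via AS 300
    {"prefix": "192.0.2.128/25", "as_path": [1001]},         # contains "100" only as a substring
]

if __name__ == "__main__":
    for r in SAMPLE_ROUTES:
        print(r["prefix"], r["as_path"], "RD:", RD.evaluate(r["as_path"]),
              "LOOSE:", LOOSE.evaluate(r["as_path"]))
```

The LOOSE list denies the route from AS 1001 as well, which is the usual mistake with unanchored AS-path expressions; the anchored `^100$` from the manual only rejects paths that contain exactly AS 100 and nothing else.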
no-advertise – Routes with this community attribute are not advertised to any internal or external peer.
no-export – Routes with this community attribute are advertised only to peers in the same autonomous system or to other sub-autonomous systems within a confederation. These routes are not advertised to external peers.
100-500 – Expanded community list number that identifies one or more groups of communities.
EXAMPLE
This example configures a named standard community list LN that permits routes with community value 100:10, denoting that they come from autonomous system 100 and network 10.
Console(config)#ip community-list standard LN permit 100:10
Console(config)#
RELATED COMMANDS neighbor send-community (1878), match community (1902)
ip extcommunity-list
This command configures an extended community access list.
separated by one colon. The 2-byte network number can range from 0 to 65535. One or more community numbers can be entered, separated by a space. Up to 3 community numbers are supported.
100-500 – Expanded community list number that identifies one or more groups of communities.
expanded community-list-name – Name of expanded access list.
EXAMPLE
This example configures a named standard extended community list LR that permits routes with the route target 100:20, denoting that they are destined for autonomous system 100 and network 20.
Console(config)#ip extcommunity-list standard LP permit soo 100:20
Console(config)#
RELATED COMMANDS neighbor filter-list (1867), match extcommunity (1903)
ip prefix-list
This command configures an IP address prefix list.
◆ Prefix lists are checked starting from the lowest sequence number and continue through the list until a match is found. Once an entry is found that covers a network, the permit or deny statement is applied to that network, and the search process stops.
◆ At least one “permit” statement should be included when more than one entry is defined.
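The two usage points above (lowest sequence number first, first covering entry wins, and no match means the route is dropped) are easiest to verify with a small evaluator. This is an added example, not code from the switch or this guide; the ge/le length bounds, the implicit deny, the list name CUSTOMER-IN and the sample prefixes are assumptions constructed for the example.

```python
"""Added example (not the switch's code): an ip prefix-list evaluator.
Entries are tried in ascending sequence number; the first entry whose
prefix covers the route (and whose length bounds admit it) decides, and
a route matching nothing is denied.  ge/le bounds are an assumed extension."""
import ipaddress
from typing import List, NamedTuple, Optional, Tuple


class PrefixEntry(NamedTuple):
    seq: int
    action: str      # "permit" or "deny"
    prefix: str      # network in CIDR form, e.g. "10.0.0.0/8"
    ge: int          # smallest prefix length accepted (default: exact length)
    le: int          # largest prefix length accepted (default: exact length)


class PrefixList:
    def __init__(self, name: str):
        self.name = name
        self.entries: List[PrefixEntry] = []

    def add(self, seq: int, action: str, prefix: str,
            ge: Optional[int] = None, le: Optional[int] = None) -> None:
        if action not in ("permit", "deny"):
            raise ValueError("action must be permit or deny")
        net = ipaddress.ip_network(prefix, strict=True)
        lo = net.prefixlen if ge is None else ge
        hi = net.prefixlen if le is None else le
        if not (net.prefixlen <= lo <= hi <= net.max_prefixlen):
            raise ValueError("invalid ge/le range for %s" % prefix)
        self.entries.append(PrefixEntry(seq, action, prefix, lo, hi))
        self.entries.sort(key=lambda e: e.seq)   # lowest sequence number first

    def evaluate(self, route: str) -> Tuple[str, Optional[int]]:
        """Return (action, matching sequence number); (deny, None) if nothing matched."""
        r = ipaddress.ip_network(route, strict=True)
        for e in self.entries:
            net = ipaddress.ip_network(e.prefix)
            if r.version == net.version and r.subnet_of(net) and e.ge <= r.prefixlen <= e.le:
                return e.action, e.seq
        return "deny", None      # assumed implicit deny at the end of the list


# Constructed inbound policy for a customer peering, as an example:
CUSTOMER = PrefixList("CUSTOMER-IN")
CUSTOMER.add(5, "deny", "0.0.0.0/0")                    # never accept a default route
CUSTOMER.add(10, "permit", "192.0.2.0/24")              # the customer's block, exact length only
CUSTOMER.add(20, "permit", "198.51.100.0/24", le=26)    # block plus its /25 and /26 subnets
CUSTOMER.add(30, "deny", "10.0.0.0/8", le=32)           # any prefix inside 10/8, whatever its length

# Constructed sample of received routes
SAMPLE_ROUTES = ["0.0.0.0/0", "192.0.2.0/24", "192.0.2.0/25",
                 "198.51.100.128/26", "198.51.100.0/27", "10.1.0.0/16"]

if __name__ == "__main__":
    for route in SAMPLE_ROUTES:
        action, seq = CUSTOMER.evaluate(route)
        print("%-18s %-6s (seq %s)" % (route, action, seq))
```

The entry at sequence 5 shows why exact-length matching matters: `0.0.0.0/0` without le covers only the default route itself, so it does not swallow every later prefix, whereas `10.0.0.0/8 le 32` at sequence 30 rejects anything inside 10/8.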
COMMAND USAGE
◆ Using this command without any keywords will create an aggregate entry in the routing table if any more specific routes are available in the specified range. The aggregate route does not include any individual route attributes (e.g., AS-Path or Community). It is advertised as coming from this autonomous system and has the atomic aggregate attribute set to indicate that some information may be missing.
COMMAND USAGE
◆ Route reflection from this device is enabled by default, but is only functional if a client has been configured with the neighbor route-reflector-client command.
◆ Route reflection is not required if all of the routers in an AS are fully meshed as normally required by interior BGP. However, to make interior BGP more scalable, route reflection or confederations can be used.
COMMAND USAGE
◆ A cluster of clients will usually have a single route reflector (RR). In that case, the cluster can be identified by the BGP Identifier of the RR. However, this represents a single point of failure. This command is used to designate multiple route reflectors used within the same cluster so that they can recognize updates from other peer route reflectors and discard them to prevent routing loops.
dividing up a large AS into several smaller ASes, where only the peers in the same smaller AS are fully meshed, thus reducing the number of required connections and routing traffic.
◆ Even though different local confederation peers may have external BGP (eBGP) sessions, they exchange routing information among themselves as if they were iBGP peers. Next hop, Multi Exit Discriminator (MED), and local preference information is preserved.
EXAMPLE
This example divides AS 600 into four smaller ASes 101-104, and assigns a neighboring router as a member of sub-AS 101.
Console(config-router)#bgp confederation identifier 600
Console(config-router)#bgp confederation peer 101
Console(config-router)#bgp confederation peer 102
Console(config-router)#bgp confederation peer 103
Console(config-router)#bgp confederation peer 104
Console(config-router)#neighbor 192.168.0.
Penalties are cumulative, and the penalty for the route is stored in the BGP routing table until it exceeds the suppress limit. At that point, the route state changes to damped.
◆ Note that route dampening only applies to external BGP routes.
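The damping mechanism introduced under route flapping earlier in this chapter and summarized above (cumulative penalty, suppress limit, damped state) can be simulated in a few lines. This is an added example, not code from the switch or this guide; it fills in the usual exponential decay with a half-life, a reuse limit below which the route is released, and a maximum suppress time, and the parameter values it uses are assumed defaults constructed for the example, not the switch's.

```python
"""Added example (not the switch's code): route-flap damping simulation.
A flap adds a fixed penalty; the penalty halves every half-life; the route
is suppressed once the penalty exceeds the suppress limit and released once
it decays below the reuse limit.  Parameter values are assumed defaults."""
import math
from dataclasses import dataclass
from typing import Tuple


@dataclass
class DampingParams:
    half_life_min: float = 15.0      # minutes for the penalty to halve (assumed)
    reuse_limit: float = 750.0       # route re-advertised below this penalty (assumed)
    suppress_limit: float = 2000.0   # route suppressed above this penalty (assumed)
    max_suppress_min: float = 60.0   # longest a route may stay suppressed (assumed)
    flap_penalty: float = 1000.0     # penalty added per flap (assumed)


class DampedRoute:
    def __init__(self, prefix: str, params: DampingParams = DampingParams()):
        self.prefix = prefix
        self.p = params
        self.penalty = 0.0
        self.last_update = 0.0       # simulation clock, in minutes
        self.damped = False

    def _decay(self, now: float) -> None:
        """Apply exponential decay for the time elapsed since the last update."""
        dt = now - self.last_update
        self.penalty *= 0.5 ** (dt / self.p.half_life_min)
        self.last_update = now

    def flap(self, now: float) -> Tuple[str, float]:
        """Record a withdraw/re-announce at time 'now' and return the new state."""
        self._decay(now)
        self.penalty += self.p.flap_penalty
        # Cap the penalty so the route cannot stay suppressed longer than
        # max-suppress: the ceiling decays to the reuse limit in exactly that time.
        ceiling = self.p.reuse_limit * 2 ** (self.p.max_suppress_min / self.p.half_life_min)
        self.penalty = min(self.penalty, ceiling)
        if self.penalty > self.p.suppress_limit:
            self.damped = True
        return self.state(now)

    def state(self, now: float) -> Tuple[str, float]:
        """('damped' | 'usable', current penalty) at time 'now'."""
        self._decay(now)
        if self.damped and self.penalty < self.p.reuse_limit:
            self.damped = False       # penalty decayed below reuse: re-advertise
        return ("damped" if self.damped else "usable", round(self.penalty, 1))

    def minutes_until_reuse(self, now: float) -> float:
        """Time remaining before a damped route is re-advertised (0 if usable)."""
        self._decay(now)
        if not self.damped:
            return 0.0
        return self.p.half_life_min * math.log2(self.penalty / self.p.reuse_limit)


if __name__ == "__main__":
    # Constructed scenario: an eBGP route flaps three times one minute apart.
    r = DampedRoute("203.0.113.0/24")
    for t in (0, 1, 2):
        print("t=%2d min flap ->" % t, r.flap(t))
    print("reuse in %.1f min" % r.minutes_until_reuse(2))
    print("t=20 min state ->", r.state(20))
    print("t=31.5 min state ->", r.state(31.5))
```

With these assumed values, two flaps a minute apart are not enough to suppress the route (the penalty is just under 2000), but a third one is, and the route then stays damped for roughly 29 minutes; this is the trade-off the usage note above makes when it says damping only applies to external BGP routes, where an upstream flap can otherwise cascade through every downstream AS.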
COMMAND USAGE
◆ This command immediately resets the connection for directly adjacent external peers if the interface goes down for any reason other than TCP timeout.
◆ If fast external failover is disabled, the routing process waits until the default hold timer expires to reset the session.
COMMAND USAGE
By default, BGP will advertise a route regardless of the Interior Gateway Protocol (IGP) in use. This command forces the router to verify the existence of the next hop for an advertised route, and to ensure that the route is accessible to an IGP.
EXAMPLE
Console(config-router)#bgp network import-check
Console(config-router)#
bgp router-id
This command sets the router ID for this device. Use the no form to remove this ID.
bgp scan-time
This command sets the interval at which to validate next hop information for BGP routes. Use the no form to restore the default setting.
SYNTAX
bgp scan-time scan-time
no bgp scan-time
scan-time – Next hop validation interval.
DEFAULT SETTING No networks are configured.
COMMAND USAGE
◆ Use this command to specify the networks to advertise to BGP neighbors. BGP networks can be learned from directly connected routes, dynamic routing, or static route sources.
◆ BGP only sends and receives updates on interfaces specified by this command. If a network is not specified, the interfaces in that network will not be advertised in any BGP updates.
COMMAND MODE Router Configuration
DEFAULT SETTING No redistribution is configured.
COMMAND USAGE
◆ Use this command to advertise routes that are learned by some other means, such as from another routing protocol or static routing entries. Since all internal routes are maintained by interior gateway protocols such as RIP and OSPF, careful filtering should be used to ensure that only routes that need to be advertised reach the Internet.
neighboring router is advertising a hold-time equal to, or greater than, that configured on this device.
EXAMPLE
Console(config-router)#timers bgp 60 200
Console(config-router)#
clear ip bgp
This command clears connections using hard or soft reconfiguration.
SYNTAX
clear ip bgp {* | as-number | external | peer-group group-name | neighbor-address} [in [prefix-list] | out | soft [in | out]]
* – All BGP peering sessions.
◆ To generate new inbound updates from stored information without resetting peer sessions, you must preconfigure the local router using the neighbor capability orf prefix-list command, which causes the router to store all received updates. Note that storing updates is memory intensive and should only be applied to critical links. Outbound soft configuration requires no memory or preconfiguration.
Route Metrics and Selection
bgp always-compare-med
This command allows comparison of the Multi Exit Discriminator (MED) for paths advertised from neighbors in different autonomous systems. Use the no form to disable this feature.
DEFAULT SETTING Disabled
EXAMPLE
Console(config-router)#bgp bestpath as-path ignore
Console(config-router)#
bgp bestpath compare-confed-aspath
This command compares confederation AS path length in addition to external AS path length in the selection of a path. Use the no form to disable this feature.
EXAMPLE
Console(config-router)#bgp bestpath compare-routerid
Console(config-router)#
bgp bestpath med
This command enables comparison of the Multi Exit Discriminator (MED) attribute for paths learned from confederation peers, and the treatment of a route when the MED is missing. Use the no form to disable this feature.
SYNTAX
[no] bgp bestpath med {[confed] [missing-as-worst]}
confed – Compare MED in confederation path.
DEFAULT SETTING 100
COMMAND USAGE
Local preference is a discretionary attribute applied to a route during the BGP best path selection process. It is exchanged only between iBGP peers, and used to determine local policy.
EXAMPLE
Console(config-router)#bgp deterministic-med
Console(config-router)#
distance
This command sets the administrative distance for specified external BGP (eBGP) routes. Use the no form to restore the default setting.
SYNTAX
distance distance ip-address netmask [access-list-name]
no distance ip-address netmask
distance – Administrative distance for an eBGP route. (Range: 1-255)
ip-address – IP address of a route entry.
distance bgp
This command sets the administrative distance for external BGP, internal BGP, and local routes. Use the no form to restore the default settings.
SYNTAX
distance bgp ebgp-distance ibgp-distance local-distance
no distance bgp
ebgp-distance – Administrative distance for eBGP routes. (Range: 1-255)
ibgp-distance – Administrative distance for iBGP routes. (Range: 1-255)
local-distance – Administrative distance for local routes.
Neighbor Configuration
neighbor activate
This command enables the exchange of routing information with a neighboring router or peer group. Use the no form to disable the exchange of routing information.
SYNTAX
[no] neighbor {ip-address | group-name} activate
ip-address – IP address of a neighbor.
group-name – A BGP peer group containing a list of neighboring routers configured with the neighbor peer-group command.
COMMAND USAGE
This command can be used to reduce route flapping. However, the bgp dampening command can provide more precise control of route flapping.
EXAMPLE
Console(config-router)#neighbor 10.1.1.64 advertisement-interval 20
Console(config-router)#
neighbor allowas-in
This command configures the number of times the AS path for a received route can contain the same AS number. Use the no form to restore the default setting.
neighbor attribute-unchanged
This command configures certain route attributes to be kept unchanged for transparent transmission to the specified neighbor. Use the no form to disable this feature.
SYNTAX
[no] neighbor {ip-address | group-name} attribute-unchanged [as-path] [med] [next-hop]
ip-address – IP address of a neighbor.
COMMAND USAGE
◆ BGP normally requires a router to terminate a peering session if it receives an OPEN message with an unrecognized optional parameter. This command allows new capabilities to be introduced gracefully, without requiring a peering session to be terminated if a negotiated capability is unknown.
neighbor default-originate
This command allows the local router to send a default route to a neighbor. Use the no form to disable this feature.
SYNTAX
neighbor {ip-address | group-name} default-originate [route-map map-name]
no neighbor {ip-address | group-name} default-originate
ip-address – IP address of a neighbor.
group-name – A BGP peer group containing a list of neighboring routers configured with the neighbor peer-group command.
neighbor description
This command configures the description of a neighbor or peer group. Use the no form to remove a description.
SYNTAX
neighbor {ip-address | group-name} description description
no neighbor {ip-address | group-name} description
ip-address – IP address of a neighbor.
group-name – A BGP peer group containing a list of neighboring routers configured with the neighbor peer-group command.
description – Descriptive string.
COMMAND USAGE
◆ If the specified access list for input or output mode does not exist, all input or output route updates will be filtered.
◆ The neighbor prefix-list and the neighbor distribute-list commands are mutually exclusive for a BGP peer. That is, only one of these commands may be applied in the inbound or outbound direction.
EXAMPLE
Console(config-router)#neighbor 10.1.1.
neighbor ebgp-multihop
This command allows eBGP neighbors to exist in different segments, and configures the maximum hop count (TTL). Use the no form to restore the default setting.
SYNTAX
neighbor {ip-address | group-name} ebgp-multihop [count]
no neighbor {ip-address | group-name} ebgp-multihop
ip-address – IP address of a neighbor.
DEFAULT SETTING Not enforced
COMMAND USAGE
By default, the multi-hop check is only performed on iBGP and eBGP non-direct routes. This command can be used to force the router to perform the multi-hop check on directly connected routes as well. In other words, the router will not perform the next-hop direct-connect check for the specified neighbor.
EXAMPLE
Console(config-router)#neighbor 10.1.1.
Console(config-router)#neighbor 10.1.1.66 filter-list ASPF out
Console(config-router)#
neighbor interface
This command specifies the interface to a neighbor. Use the no form to remove this configuration setting.
SYNTAX
neighbor ip-address interface vlan vlan-id
no neighbor ip-address interface
ip-address – IP address of a neighbor.
vlan-id - VLAN ID.
COMMAND MODE Router Configuration
DEFAULT SETTING No limit is set
COMMAND USAGE
◆ This command is used to control the maximum number of route prefixes that can be sent by a neighbor. It provides a method to reserve resources for other processes, or to prevent malicious attacks.
in the same AS will not be able to talk with routers outside of the AS if they are not directly connected with each other. The neighbor next-hop-self command can be used to configure an iBGP router which is directly connected with an eBGP neighbor so that other iBGP routers in the same AS can talk with eBGP routers outside the AS.
EXAMPLE
Console(config-router)#neighbor 10.1.1.
DEFAULT SETTING Disabled
COMMAND USAGE
This command configures the local router so that it remains in Active state, waiting for an inbound connection request from a neighbor, and not initiating any outbound connections with the neighbor via an Open message.
EXAMPLE
Console(config-router)#neighbor 10.1.1.
neighbor peer-group (Group Members)
This command assigns routers to a peer group. Use the no form to remove a group member.
SYNTAX
[no] neighbor ip-address peer-group group-name
ip-address – IP address of a neighbor.
group-name – A BGP peer group.
COMMAND MODE Router Configuration
DEFAULT SETTING No group members are defined.
COMMAND USAGE
To create a peer group, use the neighbor group-name peer-group command.
neighbor prefix-list
This command configures prefix restrictions applied in inbound/outbound route updates to/from specified neighbors. Use the no form to remove the neighbor binding for a prefix list.
SYNTAX
neighbor {ip-address | group-name} prefix-list list-name {in | out}
no neighbor {ip-address | group-name} prefix-list {in | out}
ip-address – IP address of a neighbor.
CHAPTER 51 | IP Routing Commands Border Gateway Protocol (BGPv4) neighbor remote-as This command configures a neighbor and its AS number, identifying the neighbor as an iBGP or eBGP peer. Use the no form to remove a neighbor. SYNTAX neighbor {ip-address | group-name} remote-as as-number no neighbor {ip-address | group-name} remote-as ip-address – IP address of a neighbor. group-name – A BGP peer group containing a list of neighboring routers configured with the neighbor peer-group command.
CHAPTER 51 | IP Routing Commands Border Gateway Protocol (BGPv4) DEFAULT SETTING Disabled COMMAND USAGE ◆ This command only applies to eBGP neighbors. It is used to avoid passing an internal AS number to an external AS. Internal AS numbers range from 64512-65535, and should not be sent to the Internet since they are not valid external AS numbers. ◆ This configuration only takes effect when the AS Path attribute of a route contains only internal AS numbers.
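The two usage rules above (strip only for eBGP export, and only when the whole AS path is private) can be checked offline. The following is an added example, not the switch's own code: AS paths are plain lists of AS numbers, the helper names are this example's own, and the sample paths are constructed.

```python
"""Model of the remove-private-AS rule from the command usage above.

Added example, not the switch's own code: AS paths are plain Python lists of
AS numbers, and private ASNs are stripped only when every ASN in the path is
private, as the manual states. The helper names are this example's own.
"""
from typing import List

# 16-bit private AS range quoted by the manual (RFC 6996 also defines a 32-bit range).
PRIVATE_AS_MIN = 64512
PRIVATE_AS_MAX = 65535


def is_private_as(asn: int) -> bool:
    return PRIVATE_AS_MIN <= asn <= PRIVATE_AS_MAX


def outbound_as_path(received_path: List[int], local_as: int,
                     remove_private_as: bool) -> List[int]:
    """AS_PATH that would be advertised to an eBGP peer.

    The local AS is prepended as on any eBGP export. With remove-private-AS
    enabled, the received path is cleared only if it contained nothing but
    private ASNs; a mixed public/private path is passed through unchanged.
    """
    path = list(received_path)
    if remove_private_as and path and all(is_private_as(a) for a in path):
        path = []
    return [local_as] + path


def leaked_private_asns(advertised_path: List[int]) -> List[int]:
    """Audit helper: private ASNs still present in a path sent to an external peer.

    A non-empty result means the path would leave carrying ASNs that are not
    valid outside this network (the mixed-path case the usage text describes).
    """
    return [a for a in advertised_path if is_private_as(a)]


if __name__ == "__main__":
    # Constructed sample: one all-private path, one mixed path, local AS 100.
    for received in ([65001, 65002], [65001, 300]):
        sent = outbound_as_path(received, 100, remove_private_as=True)
        print(received, "->", sent, "leaks:", leaked_private_asns(sent))
```

The mixed-path case is the one worth auditing: the command leaves it alone, so a private ASN that was prepended behind a public one still reaches the Internet unless the path is cleaned elsewhere.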
COMMAND USAGE ◆ First, use the route-map command to create a route map, and the match and set commands to configure the route attributes to act upon. Then use this command to specify the neighbors to which the route map is applied.
◆ If the specified route map does not exist, all input/output route updates will be filtered.
EXAMPLE Console(config-router)#neighbor 10.1.1.
neighbor route-server-client This command configures this router as a route server and the specified neighbor as its client. Use the no form to disable the route server for the specified neighbor.
SYNTAX [no] neighbor {ip-address | group-name} route-server-client
ip-address – IP address of a neighbor.
group-name – A BGP peer group containing a list of neighboring routers configured with the neighbor peer-group command.
neighbor send-community This command configures the router to send community attributes to a neighbor in peering messages. Use the no form to stop sending this attribute to a neighbor.
SYNTAX [no] neighbor {ip-address | group-name} send-community [both | extended | standard]
ip-address – IP address of a neighbor.
group-name – A BGP peer group containing a list of neighboring routers configured with the neighbor peer-group command.
DEFAULT SETTING None
COMMAND USAGE ◆ This command terminates any active sessions for the specified neighbor, and removes any associated routing information.
◆ Use the show ip bgp summary command to display the neighbors which have been administratively shut down. Entries in the Idle (Admin) state have been disabled by the neighbor shutdown command.
EXAMPLE Console(config-router)#neighbor 10.1.1.
◆ To use soft reconfiguration without preconfiguration, both BGP neighbors must support the soft route refresh capability advertised in the Open messages sent when a BGP session is established. To see if a BGP router supports this capability, use the show ip bgp neighbors command.
EXAMPLE Console(config-router)#neighbor 11.1.1.
hold-time – The maximum interval after which a neighbor is declared dead if a keep-alive or update message has not been received. (Range: 0, 3-65535 seconds)
COMMAND MODE Router Configuration
DEFAULT SETTING Keep Alive time: 60 seconds; Hold time: 180 seconds
COMMAND USAGE ◆ This command sets the Keep Alive time used for maintaining connectivity, and the Hold time to wait for Keep Alive or Update messages before declaring a neighbor down.
COMMAND USAGE This command sets the time to wait before attempting to reconnect to a BGP neighbor after having failed to connect. During the idle time specified by the Connect Retry timer, the remote BGP peer can actively establish a BGP session with the local router.
EXAMPLE Console(config-router)#neighbor 10.1.1.
neighbor update-source This command specifies the interface to use for a TCP connection, instead of using the nearest interface. Use the no form to use the default interface.
SYNTAX [no] neighbor {ip-address | group-name} update-source interface vlan vlan-id
ip-address – IP address of a neighbor.
group-name – A BGP peer group containing a list of neighboring routers configured with the neighbor peer-group command.
vlan-id – VLAN ID.
COMMAND USAGE ◆ Use this command to specify a weight for all the routes learned from a neighbor. The route with the highest weight gets preference over other routes to the same network.
◆ Weights assigned using the set weight command override those assigned by this command.
EXAMPLE Console(config-router)#neighbor 10.1.1.66 weight 500
Console(config-router)#
Display Information
show ip bgp This command shows entries in the routing table.
Table 271: show ip bgp - display description (Continued)
Status codes – Status of the table entry; includes these values: ◆ s – Entry is suppressed. ◆ d – Entry is dampened. ◆ h – Entry history. ◆ * – Entry is valid. ◆ > – Best entry for that network. ◆ i – Entry learned via internal BGP (iBGP). ◆ r – Entry is a Routing Information Base (RIB) failure. ◆ S – Entry is stale. ◆ R – Entry removed.
Origin codes –
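The status-code legend above is what an operator reads when auditing the BGP table, for example to confirm that every best path comes from an expected next hop or to list dampened and stale entries. The parser below is an added example, not the switch's code; the show ip bgp output it reads is constructed (in this sample the Metric, LocPrf and Weight columns are always printed, which the parser relies on, and a blank Network column means another path to the previous network), and the function names are this example's own.

```python
"""Parser for the show ip bgp table format described above (added example,
not the switch's code). The sample output is constructed; in it the Metric,
LocPrf and Weight columns are always present and a blank Network column means
"another path to the previous network".
"""
from typing import Dict, List

# Meaning of each status code, taken from the legend printed by show ip bgp.
STATUS_CODES = {
    "s": "suppressed", "d": "dampened", "h": "history", "*": "valid", ">": "best",
    "i": "internal", "r": "RIB-failure", "S": "stale", "R": "removed",
}
ORIGIN_CODES = {"i": "IGP", "e": "EGP", "?": "incomplete"}

SAMPLE_OUTPUT = """\
BGP table version is 0, local router ID is 192.168.0.2
Status codes: s suppressed, d damped, h history, * valid, > best, i internal,
              r RIB-failure, S Stale, R Removed
Origin codes: i - IGP, e - EGP, ? - incomplete
   Network          Next Hop            Metric LocPrf Weight Path
*  100.1.1.0/24     10.1.1.64                0      0      0 500 100 600 ?
*>                  10.1.1.68                0      0    300 300 ?
*>i100.1.2.0/24     192.168.0.3              0    100      0 i
*d 100.1.3.0/24     10.1.1.66                0      0      0 65001 e
"""


def parse_show_ip_bgp(text: str) -> List[Dict]:
    entries: List[Dict] = []
    in_table = False
    network = None                      # carried over for "same network" continuation rows
    for line in text.splitlines():
        if not in_table:                # everything before the column header is preamble
            in_table = line.split()[:2] == ["Network", "Next"]
            continue
        if not line.strip() or line[0] not in STATUS_CODES:
            continue                    # blank line or trailing prompt
        # Status codes sit in the left margin; they end at the first non-code character.
        i = 0
        while i < len(line) and line[i] in STATUS_CODES:
            i += 1
        status = {STATUS_CODES[c] for c in line[:i]}
        tokens = line[i:].split()
        if "/" in tokens[0]:
            network = tokens.pop(0)
        next_hop = tokens.pop(0)
        metric, locprf, weight = (int(t) for t in tokens[:3])
        entries.append({
            "status": status, "network": network, "next_hop": next_hop,
            "metric": metric, "locprf": locprf, "weight": weight,
            "as_path": [int(a) for a in tokens[3:-1]],   # ASNs between Weight and the origin code
            "origin": ORIGIN_CODES[tokens[-1]],
        })
    return entries


def best_next_hops(entries: List[Dict]) -> Dict[str, str]:
    """network -> next hop of the entry marked '>' (best)."""
    return {e["network"]: e["next_hop"] for e in entries if "best" in e["status"]}


def networks_with(entries: List[Dict], status: str) -> List[str]:
    """Networks whose entry carries the given status (e.g. 'dampened', 'stale')."""
    return [e["network"] for e in entries if status in e["status"]]


if __name__ == "__main__":
    table = parse_show_ip_bgp(SAMPLE_OUTPUT)
    print("best paths:", best_next_hops(table))
    print("dampened:", networks_with(table, "dampened"))
```

Running the block against the sample shows 100.1.1.0/24 being preferred via 10.1.1.68 (the path carrying weight 300, the attribute the neighbor weight command sets) and 100.1.3.0/24 flagged as dampened.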
show ip bgp cidr-only This command shows routes which use classless interdomain routing network masks.
SYNTAX show ip bgp cidr-only
COMMAND MODE Privileged Exec
EXAMPLE This example shows routes that do not match the natural A, B, C or D network masks defined for the earliest IP networks.
Console#show ip bgp cidr-only
BGP table version is 0, local router ID is 192.168.0.
autonomous systems within a confederation. These routes are not advertised to external peers.
exact-match – Displays only routes that match the specified communities exactly.
COMMAND MODE Privileged Exec
EXAMPLE Console#show ip bgp community
BGP table version is 0, local router ID is 192.168.0.
show ip bgp community-list This command shows the routes matching a community list.
SYNTAX show ip bgp community-list {1-99 | 100-500 | community-list-name} [exact-match]
1-99 – Standard community list number that identifies one or more groups of communities.
100-500 – Expanded community list number that identifies one or more groups of communities.
community-list-name – Name of a standard or expanded access list.
EXAMPLE In the following example, “From” indicates the peer that advertised this path, while “Reuse” is the time after which the path will be made available.
Console#show ip bgp dampening dampened-paths
BGP table version is 0, local router ID is 192.168.0.2
Status codes: s suppressed, d damped, h history, * valid, > best, i internal, r RIB-failure, S Stale, R Removed
Origin codes: i - IGP, e - EGP, ? - incomplete
   Network
*d 100.1.3.
show ip bgp filter-list This command shows routes matching the specified filter list.
SYNTAX show ip bgp filter-list access-list-name
access-list-name – Name of a list of autonomous system paths as defined by the ip as-path access-list command. (Maximum length: 16 characters, no spaces or other special characters)
COMMAND MODE Privileged Exec
EXAMPLE Console#show ip bgp filter-list rd
BGP table version is 0, local router ID is 192.168.0.
Neighbor capabilities:
  4 Byte AS: advertised and received
  Route refresh: advertised and received (old & new)
  Address family IPv4 Unicast: advertised and received
Message statistics:
  Inq depth is 0
  Outq depth is 0
                 Sent  Rcvd
  Opens:            1     0
  Notifications:    0     0
  Updates:          1     1
  Keepalives:       2     1
  Route Refresh:    0     0
  Capability:       0     0
  Total:            4     2
Minimum time between advertisement runs is 30 seconds
For address family: IPv4 Unicast
Community attribute sent to this
Table 274: show ip bgp - display description (Continued)
Foreign host/port – IP address and TCP port of the neighbor BGP speaker.
Nexthop – IP address of the next system via which packets are forwarded to the destination network.
Read thread – The read status for the socket connection with this neighbor.
Write thread – The write status for the socket connection with this neighbor.
EXAMPLE Console#show ip bgp prefix-list rd
BGP table version is 0, local router ID is 192.168.0.2
Status codes: s suppressed, d damped, h history, * valid, > best, i internal, r RIB-failure, S Stale, R Removed
Origin codes: i - IGP, e - EGP, ? - incomplete
   Network          Next Hop
*  100.1.1.0/24     10.1.1.66
*>                  10.1.1.
Console#
EXAMPLE Console#show ip bgp route-map rd
BGP table version is 0, local router ID is 192.168.0.2
Status codes: s suppressed, d damped, h history, * valid, > best, i internal, r RIB-failure, S Stale, R Removed
Origin codes: i - IGP, e - EGP, ? - incomplete
   Network          Next Hop     Metric LocPrf Weight Path
*  100.1.1.0/24     10.1.1.64    0 0 500 100 600 ?
*>                  10.1.1.68    0 0 300 ?
Console#
show ip bgp scan This command shows BGP scan status.
Neighbor        V    AS MsgRcvd MsgSent TblVer InQ OutQ  Up/Down State/PfxRcd
192.168.0.3     4   200     166     168      0   0    0 02:45:00            1
Total number of neighbors 1
Console#
show ip community-list This command shows routes permitted by a community list.
SYNTAX show ip community-list [1-99 | 100-500 | community-list-name]
1-99 – Standard community list number that identifies one or more groups of communities.
EXAMPLE Console#show ip extcommunity-list rd
Named extended community standard list rd
    permit RT:192.168.0.0:10
Console#
show ip prefix-list This command shows the specified prefix list.
SYNTAX show ip prefix-list [prefix-list-name [ip-address netmask [first-match | longer] | seq sequence-number]]
prefix-list-name – Name of prefix list.
CHAPTER 51 | IP Routing Commands Policy-based Routing for BGP
EXAMPLE Console#show ip prefix-list detail rd
ip prefix-list rd: count: 1, range entries: 0, sequences: 5 - 5
   seq 5 deny 10.0.0.0/8 ge 14 le 22 (hit count: 0, refcount: 0)
Console#
show ip prefix-list summary This command shows summary information for the specified prefix list.
SYNTAX show ip prefix-list summary [prefix-list-name]
prefix-list-name – Name of prefix list.
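The entry shown above (seq 5 deny 10.0.0.0/8 ge 14 le 22) only reads correctly once the ge/le length range and the first-match, implicit-deny order of a prefix list are clear, and the first-match and longer keywords of show ip prefix-list query exactly those rules. The model below is an added example, not the switch's code: the list "rd" it builds contains the manual's seq 5 entry plus two constructed entries (seq 10 and 15) that are this example's assumptions, and the class and method names are its own.

```python
"""Model of ip prefix-list evaluation (added example, not the switch's code).
Entry seq 5 is the one from the manual; seq 10 and 15 are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class PrefixListEntry:
    seq: int
    action: str                      # "permit" or "deny"
    network: str                     # e.g. "10.0.0.0/8"
    ge: Optional[int] = None         # minimum prefix length (inclusive)
    le: Optional[int] = None         # maximum prefix length (inclusive)
    hits: int = 0                    # like "hit count" in show ip prefix-list detail

    def matches(self, prefix: ipaddress.IPv4Network) -> bool:
        net = ipaddress.IPv4Network(self.network)
        if not prefix.subnet_of(net):
            return False
        # Length range: exactly the entry's length by default; ge/le widen it,
        # and ge without le allows anything up to a /32.
        low = self.ge if self.ge is not None else net.prefixlen
        if self.le is not None:
            high = self.le
        elif self.ge is not None:
            high = 32
        else:
            high = net.prefixlen
        return low <= prefix.prefixlen <= high


class PrefixList:
    def __init__(self, name: str, entries: List[PrefixListEntry]):
        self.name = name
        self.entries = sorted(entries, key=lambda e: e.seq)

    def first_match(self, prefix: str) -> Optional[PrefixListEntry]:
        """Lowest-sequence entry matching the prefix (the first-match keyword)."""
        p = ipaddress.IPv4Network(prefix)
        return next((e for e in self.entries if e.matches(p)), None)

    def evaluate(self, prefix: str) -> str:
        """Action applied to a route: the first matching entry decides, else implicit deny."""
        entry = self.first_match(prefix)
        if entry is None:
            return "deny"
        entry.hits += 1
        return entry.action

    def longer(self, prefix: str) -> List[int]:
        """Sequence numbers of entries whose network lies within the given prefix
        (the longer keyword)."""
        p = ipaddress.IPv4Network(prefix)
        return [e.seq for e in self.entries if ipaddress.IPv4Network(e.network).subnet_of(p)]


# Constructed list "rd": seq 5 is the manual's entry; seq 10 and 15 are assumptions.
RD = PrefixList("rd", [
    PrefixListEntry(5, "deny", "10.0.0.0/8", ge=14, le=22),
    PrefixListEntry(10, "permit", "10.0.0.0/8", le=24),
    PrefixListEntry(15, "permit", "192.168.0.0/16", ge=24),
])

if __name__ == "__main__":
    for candidate in ("10.1.0.0/16", "10.1.1.0/24", "10.0.0.0/8", "172.16.0.0/12"):
        print(candidate, "->", RD.evaluate(candidate))
    print("hit counts:", [(e.seq, e.hits) for e in RD.entries])
```

Note the two edges the ge/le syntax creates: 10.0.0.0/8 itself is not caught by seq 5 (its length is below ge 14) and falls through to seq 10, while 10.1.1.0/24 escapes seq 5 because it is longer than le 22. A filter written to block a range of lengths therefore says nothing about lengths outside that range.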
is used to determine the packet’s next hop. Although route redistribution is protocol-independent, some of the route-map match and set commands defined in this section are specific to BGP. Like matches in the same route map subblock are filtered with “or” semantics: if any one match clause is matched in the entire route map subblock, this match is treated as a successful match. Dissimilar match clauses are filtered with “and” semantics.
Table 276: Policy-based Routing Configuration Commands (Continued)
set community – Sets the community attributes of routing messages (Mode: RM)
set extcommunity – Sets the extended community attributes of routing messages (RM)
set ip next-hop – Sets the next hop for a routing message (RM)
set local-preference – Sets the priority within the local AS for a routing message (RM)
set metric – Sets the metric value of a route to externa
◆ If the match criteria are not met, and the permit keyword is specified, the next route map with the same map-name is tested. If a route passes none of the match criteria for the set of route maps sharing the same name, it is not policy routed by that set.
◆ If the match criteria are met for the route map and the deny keyword is specified, the packet is not policy routed, and no further route maps sharing the same map-name are examined.
EXAMPLE Console(config)#route-map r1 permit 1
Console(config-route-map)#match as-path 60
Console(config-route-map)#set weight 30
Console(config-route-map)#call FD
Console(config-route-map)#
continue This command goes to a route-map entry with a higher sequence number after a successful match occurs. Use the no form to remove this entry from a route map.
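The match semantics ("or" within like clauses, "and" across dissimilar ones), the permit/deny rules and the continue behaviour described above together define how a route map is walked. The following is an added example that models that walk in Python; it is not the switch's implementation. The route map "RD" it evaluates is constructed after the RD examples in this section, match as-path and match community are simplified to "path contains this ASN" and "this community is present" rather than referring to access lists, a match clause that is absent is taken to match every route (standard route-map behaviour, stated here as an assumption), and the names are this example's own.

```python
"""Model of route-map evaluation: like clauses OR'd, dissimilar clauses AND'd,
entries tried in sequence order, permit applies the set clauses, deny stops
policy routing, continue / on-match goto resumes at a higher sequence number.
Added example, not the switch's code; route map and routes are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class RouteMapEntry:
    seq: int
    action: str                                            # "permit" or "deny"
    clauses: Dict[str, list] = field(default_factory=dict) # clause type -> accepted values (OR'd)
    sets: Dict[str, object] = field(default_factory=dict)  # attribute -> value applied on a permit match
    goto: Optional[int] = None                             # continue / on-match goto: resume at this seq
    goto_next: bool = False                                # on-match next: resume at the following entry

    def matches(self, route: dict) -> bool:
        # No clauses at all matches every route (assumption: standard route-map behaviour).
        for clause, values in self.clauses.items():
            if clause == "as-path":                        # simplified: path contains one of the ASNs
                ok = any(asn in route["as_path"] for asn in values)
            elif clause == "community":                    # simplified: one of the communities is present
                ok = any(c in route["community"] for c in values)
            else:                                          # peer, metric, origin, ...
                ok = route.get(clause) in values
            if not ok:                                     # AND across dissimilar clause types
                return False
        return True


def apply_sets(route: dict, sets: Dict[str, object]) -> None:
    for attr, value in sets.items():
        if attr == "metric" and isinstance(value, str):    # "+N" / "-N" relative form of set metric
            route["metric"] = route.get("metric", 0) + int(value)
        else:
            route[attr] = value


def evaluate(route_map: List[RouteMapEntry], route: dict) -> Tuple[bool, dict]:
    """Return (policy_routed, resulting attributes) for one route."""
    entries = sorted(route_map, key=lambda e: e.seq)
    route = dict(route)
    i = 0
    while i < len(entries):
        entry = entries[i]
        if not entry.matches(route):
            i += 1                                         # no match: try the next entry
            continue
        if entry.action == "deny":
            return False, route                            # matched a deny: stop, not policy routed
        apply_sets(route, entry.sets)
        if entry.goto_next:
            i += 1
            continue
        if entry.goto is not None:                         # only forward jumps are allowed
            later = [j for j, e in enumerate(entries) if e.seq >= entry.goto and e.seq > entry.seq]
            if not later:
                return True, route
            i = later[0]
            continue
        return True, route                                 # permit with no continue: done
    return False, route                                    # nothing matched: not policy routed


def route(peer: str, metric: int, as_path, community=()) -> dict:
    return {"peer": peer, "metric": metric, "as_path": list(as_path),
            "community": set(community), "weight": 0}


# Constructed route map modelled on the "RD" examples in this section.
RD = [
    RouteMapEntry(1, "permit", clauses={"as-path": [60]}, sets={"weight": 30}, goto=10),
    RouteMapEntry(5, "permit", clauses={"peer": ["192.168.0.99", "192.168.0.98"], "metric": [60]},
                  sets={"weight": 50}),
    RouteMapEntry(10, "permit", clauses={"community": ["10:01"]}, sets={"metric": "+5"}),
    RouteMapEntry(20, "deny", clauses={"peer": ["192.168.0.77"]}),
    RouteMapEntry(30, "permit", clauses={"metric": [5]}, sets={"local_preference": 200}),
]

if __name__ == "__main__":
    print(evaluate(RD, route("192.168.0.99", 60, [60, 100], ["10:01"])))
    print(evaluate(RD, route("192.168.0.77", 10, [300])))
```

The first route in the usage block shows the continue effect: seq 1 matches and jumps to seq 10, so seq 5, which would also have matched, is never consulted. The second shows a deny match ending evaluation with the route left unrouted, and a route matching no entry at all ends the same way.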
EXAMPLE Console(config)#route-map RD permit 1
Console(config-route-map)#description AS-Path rule
Console(config-route-map)#match as-path 60
Console(config-route-map)#set weight 30
Console(config-route-map)#
match as-path This command sets a BGP autonomous system path access list to match. Use the no form to remove this entry from a route map.
SYNTAX [no] match as-path access-list-name
access-list-name – Name of the access list.
community-list-name – Name of a standard or expanded community list. (Maximum length: 32 characters, no spaces or other special characters)
exact-match – Must exactly match the specified community list. All and only those communities specified must be present.
COMMAND MODE Route Map
COMMAND USAGE This command matches the community attributes of the BGP routing message following the rules specified with the ip community-list command.
match ip address This command specifies the destination addresses to be matched in a standard access list, an extended access list, or a prefix list. Use the no form to remove this entry from a route map.
SYNTAX match ip address {access-list-name | prefix-list prefix-list-name}
no match ip address
access-list-name – Name of a standard or extended access list.
EXAMPLE Console(config)#route-map RD permit 5
Console(config-route-map)#match ip next-hop rd-next-hops
Console(config-route-map)#set weight 30
Console(config-route-map)#
match ip route-source This command specifies the source of routing messages advertised by routers and access servers to be matched in a standard access list, an extended access list, or a prefix list. Use the no form to remove this entry from a route map.
EXAMPLE Console(config)#route-map RD permit 7
Console(config-route-map)#match metric 60
Console(config-route-map)#set weight 30
Console(config-route-map)#
match origin This command sets the originating protocol to match in routing messages. Use the no form to remove this entry from a route map.
SYNTAX match origin {egp | igp | incomplete}
no match origin
egp – Routes learned from exterior gateway protocols.
These longer prefixes may be advertised in addition to an aggregate, even when the aggregate advertisement is sufficient for basic reachability. This type of inter-domain traffic engineering is a widely used practice that is contributing to growth in the size of the global routing table. Traffic engineering via longer prefixes is only effective when the longer prefixes have a different next hop from the less specific prefix.
EXAMPLE Console(config)#route-map RD permit 9
Console(config-route-map)#match peer 192.168.0.99
Console(config-route-map)#set weight 30
Console(config-route-map)#
on-match This command sets the next entry to go to when this entry matches. Use the no form to remove this entry from a route map.
SYNTAX on-match peer {goto sequence-number | next}
no on-match peer {goto | next}
goto – On match, go to the specified entry.
COMMAND USAGE Aggregate routes advertised to a neighbor contain an aggregator attribute. This attribute contains an AS number and an IP address: the AS number is the creator's AS number (or the confederation ID in a confederation), and the IP address is the creator’s router ID.
set atomic-aggregate This command indicates the loss of some information in the route aggregation process. Use the no form to remove this entry from a route map.
EXAMPLE Console(config)#route-map RD permit 10
Console(config-route-map)#match peer 192.168.0.77
Console(config-route-map)#set comm-list 10:01 delete
Console(config-route-map)#exit
Console(config)#route-map RD permit 11
Console(config-route-map)#match peer 192.168.0.99
Console(config-route-map)#set comm-list 20:01 delete
Console(config-route-map)#
set community This command sets the community attributes of routing messages.
COMMAND MODE Route Map
EXAMPLE Console(config)#route-map RD permit 11
Console(config-route-map)#match peer 192.168.0.99
Console(config-route-map)#set community 10:01
Console(config-route-map)#exit
Console(config)#route-map RD permit 12
Console(config-route-map)#match peer 192.168.0.
◆ The route target (RT) attribute is used to identify sites that may receive routes tagged with a specific route target. Using this attribute allows the route to be placed in the per-site forwarding tables used for routing traffic received from the corresponding sites.
◆ The site of origin (SOO) attribute is used to identify the site from which the provider edge (PE) router learned the route.
EXAMPLE Console(config)#route-map RD permit 14
Console(config-route-map)#match peer 192.168.0.99
Console(config-route-map)#set ip next-hop 192.168.0.254
Console(config-route-map)#
set local-preference This command sets the priority within the local AS for a routing message. Use the no form to remove this entry from a route map.
COMMAND MODE Route Map
COMMAND USAGE ◆ Lower metric values indicate a higher priority.
◆ This command can modify the current metric for a route using the “+” or “-” keywords.
◆ The metric applies to external routers in the inter-autonomous system. To specify the metric for the local AS, use the set local-preference command.
◆ This path metric is normally only compared with neighbors in the local AS.
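The set weight, set local-preference and set metric commands in this section matter because of where each attribute sits in the best-path decision: weight is compared first, then local preference, and the metric only after AS path length and origin, which is why a route map that lowers a metric has no effect on a path that already loses on weight. The comparator below is an added example, not the switch's code: the order it implements (weight, local preference, AS path length, origin, metric) is the standard BGP decision sequence for these attributes, the later tie-breakers (eBGP over iBGP, IGP cost to the next hop, router ID) are left out, and the candidate paths are constructed.

```python
"""BGP best-path comparison over the attributes this section's set commands
modify (added example, not the switch's code). Order: weight, local_pref,
AS path length, origin, metric; later tie-breakers are omitted.
"""
from typing import Dict, List

ORIGIN_RANK = {"igp": 0, "egp": 1, "incomplete": 2}   # lower is preferred

# Comparison steps in order, each with a key under which the smaller value
# wins; negation turns the "higher wins" attributes around.
STEPS = [
    ("weight", lambda p: -p["weight"]),                 # highest weight preferred (neighbor weight / set weight)
    ("local_pref", lambda p: -p["local_pref"]),         # highest local preference preferred
    ("as_path_length", lambda p: len(p["as_path"])),    # shortest AS path preferred
    ("origin", lambda p: ORIGIN_RANK[p["origin"]]),     # IGP < EGP < incomplete
    ("metric", lambda p: p["metric"]),                  # lowest metric (MED) preferred
]


def path_key(path: Dict) -> tuple:
    return tuple(key(path) for _, key in STEPS)


def best_path(paths: List[Dict]) -> Dict:
    return min(paths, key=path_key)


def decisive_step(a: Dict, b: Dict) -> str:
    """Name of the first attribute that separates a from b ('tie' if none does)."""
    for name, key in STEPS:
        if key(a) != key(b):
            return name
    return "tie"


def make_path(next_hop, weight=0, local_pref=100, as_path=(), origin="igp", metric=0) -> Dict:
    return {"next_hop": next_hop, "weight": weight, "local_pref": local_pref,
            "as_path": list(as_path), "origin": origin, "metric": metric}


# Constructed candidate paths to one prefix.
PATHS = [
    make_path("10.1.1.64", as_path=[500, 100, 600], origin="incomplete"),
    make_path("10.1.1.68", weight=300, as_path=[300], origin="incomplete"),
    make_path("10.1.1.66", local_pref=200, as_path=[65001], origin="egp", metric=10),
    make_path("10.1.1.70", local_pref=200, as_path=[65002], origin="igp", metric=20),
]

if __name__ == "__main__":
    best = best_path(PATHS)
    print("best via", best["next_hop"])
    for other in PATHS:
        if other is not best:
            print(other["next_hop"], "loses on", decisive_step(best, other))
```

decisive_step answers the operational question "which attribute picked this path": in the sample, 10.1.1.68 wins purely on weight, and between the two local-preference-200 paths the origin code decides before their metrics are ever compared.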
EXAMPLE Console(config)#route-map RD permit 16
Console(config-route-map)#match peer 192.168.0.99
Console(config-route-map)#set origin egp
Console(config-route-map)#
set originator-id This command sets the IP address of the routing message’s originator. Use the no form to remove this entry from a route map.
the connections to the destination network are relatively stable, the hop count can be restricted to force traffic to follow an alternate path. This method may be used to avoid less heavily congested paths or to route traffic through a preferred provider.
EXAMPLE Console(config)#route-map RD permit 18
Console(config-route-map)#match peer 192.168.0.
EXAMPLE Console#show route-map RD
route-map RD, permit, sequence 1
  Match clauses:
    peer 102.168.0.
52 MULTICAST ROUTING COMMANDS Multicast routers can use various kinds of multicast routing protocols to deliver IP multicast packets across different subnetworks. This router supports Protocol Independent Multicasting (PIM). (Note that IGMP will be enabled for any interface that is using multicast routing.
CHAPTER 52 | Multicast Routing Commands General Multicast Routing
COMMAND MODE Global Configuration
COMMAND USAGE ◆ This command is used to enable IPv4 multicast routing globally for the router. A specific multicast routing protocol also needs to be enabled with the router pim command, and the interfaces that will support multicast routing must then be specified using the ip pim dense-mode or ip pim sparse-mode commands.
EXAMPLE This example shows detailed multicast information for a specified group/source pair.
Console#show ip mroute 224.0.255.3 192.111.46.8
IP Multicast Forwarding is enabled.
IP Multicast Routing Table
Flags: D - Dense, S - Sparse, s - SSM Channel, C - Connected, P - Pruned, F - Register flag, R - RPT-bit set, T - SPT-bit set, J - Join SPT
Interface state: F - Forwarding, P - Pruned, L - Local
(192.168.2.1, 224.0.17.
Table 279: show ip mroute - display description (Continued)
RPF neighbor – IP address of the multicast router immediately upstream for this group.
Outgoing interface list and flags – The interface(s) on which multicast subscribers have been recorded. The flags associated with each interface indicate: ◆ F (Register flag) - This device is registering for a multicast source. ◆ P (Pruned) - This route has been terminated.
EXAMPLE Console(config)#ipv6 multicast-routing
Console(config)#
show ipv6 mroute This command displays the IPv6 multicast routing table.
SYNTAX show ipv6 mroute [group-address source] [summary]
group-address – An IPv6 multicast group address with subscribers directly attached or downstream from this router.
source – The IPv6 subnetwork at the root of the multicast delivery tree. This subnetwork contains a known multicast source.
Table 280: show ip mroute - display description
Flags – The flags associated with this entry: ◆ D (Dense) - PIM Dense mode in use. ◆ S (Sparse) - PIM Sparse mode in use. ◆ s (SSM) - A multicast group within the range of IP addresses used for PIM-SSM. ◆ C (Connected) - A member of the multicast group is present on this interface. ◆ P (Pruned) - This route has been terminated.
This example lists all entries in the multicast table in summary form:
Console#show ipv6 mroute summary
IP Multicast Forwarding is disabled
IP Multicast Routing Table (Summary)
Flags: F - Forwarding, P - Pruned, D - PIM-DM, S - PIM-SM, V - DVMRP, M - MLD
Group                          Source                         Interface  Flag
------------------------------ ------------------------------ ---------- ----
FF02::0101                     FE80::0101                     VLAN 4096  DF
Total Entry is 1
Console#
STATIC MULTICAST ROUTING
COMMAND USAGE Depending on your network connections, IGMP snooping may not always be able to locate the IGMP querier. Therefore, if the IGMP querier is a known multicast router/switch connected over the network to an interface (port or trunk) on your router, you can manually configure that interface to join all the current multicast groups.
PIM MULTICAST ROUTING This section describes the PIM commands used for IPv4 and IPv6. Note that PIM can run on an IPv4 network and PIM6 on an IPv6 network simultaneously. Also note that Internet Group Management Protocol (IGMP) is used for IPv4 networks and Multicast Listener Discovery (MLD) for IPv6 networks.
Table 282: IPv4 and IPv6 PIM Commands
IPv4 PIM Commands – Configures multicast routing for IPv4 PIM.
Table 283: PIM-DM and PIM-SM Multicast Routing Commands (Continued)
ip pim bsr-candidate – Configures the switch as a Bootstrap Router (BSR) candidate (Mode: GC)
ip pim register-rate-limit – Configures the rate at which register messages are sent by the Designated Router (DR) (GC)
ip pim register-source – Configures the IP source address of a register message to an address other than the outgoing interface address of the designate
EXAMPLE Console(config)#router pim
Console(config)#exit
Console#show ip pim interface
PIM is enabled.
VLAN 1 is up.
  PIM Mode   : Dense Mode
  IP Address : 192.168.0.
determines that there are no group members or downstream routers, or when a prune message is received from a downstream router.
◆ Sparse-mode interfaces forward multicast traffic only if a join message is received from a downstream router or if group members are directly connected to the interface.
COMMAND USAGE The ip pim hello-holdtime should be greater than the value of ip pim hello-interval (1931).
EXAMPL Console(config-if)#ip pim hello-holdtime 210
Console(config-if)#
ip pim hello-interval This command configures the frequency at which PIM hello messages are transmitted. Use the no form to restore the default value.
SYNTAX ip pim hello-interval seconds
no ip pim hello-interval
seconds – Interval between sending PIM hello messages.
COMMAND MODE Interface Configuration (VLAN)
COMMAND USAGE The multicast interface that first receives a multicast stream from a particular source forwards this traffic to all other PIM interfaces on the router. If there are no requesting groups on that interface, the leaf node sends a prune message upstream and enters a prune state for this multicast stream.
RELATED COMMANDS ip pim override-interval (1933); ip pim propagation-delay (1934)
ip pim override-interval This command configures the override interval, or the time it takes a downstream router to respond to a lan-prune-delay message. Use the no form to restore the default setting.
ip pim propagation-delay This command configures the propagation delay required for a LAN prune delay message to reach downstream routers. Use the no form to restore the default setting.
SYNTAX ip pim propagation-delay milliseconds
no ip pim propagation-delay
milliseconds – The time required for a lan-prune-delay message to reach downstream routers attached to the same VLAN interface.
COMMAND MODE Interface Configuration (VLAN)
COMMAND USAGE ◆ When a router first starts or PIM is enabled on an interface, the hello delay is set to a random value between 0 and the trigger-hello-delay. This prevents synchronization of Hello messages on multi-access links if multiple routers are powered on simultaneously.
show ip pim neighbor This command displays information about PIM neighbors.
SYNTAX show ip pim neighbor [interface vlan vlan-id]
vlan-id – VLAN ID (Range: 1-4094)
DEFAULT SETTING Displays information for all known PIM neighbors.
COMMAND MODE Normal Exec, Privileged Exec
EXAMPLE Console#show ip pim neighbor
Neighbor Address VLAN Interface Uptime (sec.) Expiration Time (sec)
---------------- -------------- ------------- ---------------------
192.
COMMAND USAGE A graft message is sent by a router to cancel a prune state. When a router receives a graft message, it must respond with a graft acknowledgement message. If this acknowledgement message is lost, the router that sent the graft message will resend it a number of times (as defined by the ip pim max-graft-retries command).
COMMAND MODE Interface Configuration (VLAN)
COMMAND USAGE ◆ The pruned state times out approximately every three minutes, and the entire PIM-DM network is reflooded with multicast packets and prune messages. The state refresh feature keeps the pruned state from timing out by periodically forwarding a control message down the distribution tree, refreshing the prune state on the outgoing interfaces of each router in the tree.
COMMAND MODE Global Configuration
COMMAND USAGE ◆ When the ip pim bsr-candidate command is entered, the router starts sending bootstrap messages to all of its PIM-SM neighbors. The IP address of the designated VLAN is sent as the candidate’s BSR address. Each neighbor receiving the bootstrap message compares the BSR address with the address from previous messages.
COMMAND MODE Global Configuration
COMMAND USAGE This command can be used to relieve the load on the Designated Router (DR) and the RP. However, because register messages exceeding the limit are dropped, some receivers may experience data packet loss within the first few seconds in which register messages are sent from bursty sources.
EXAMPLE This example sets the register rate limit to 500 pps.
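The packet-loss caveat above can be quantified before choosing a limit. The simulation below is an added example, not the switch's implementation: the manual does not describe the policer the device uses, so a token bucket holding one second's worth of the configured rate is this example's assumption, and the register-message arrival times are constructed to represent a bursty source.

```python
"""Token-bucket model of ip pim register-rate-limit (added example, not the
switch's implementation; the one-second bucket is an assumption). Shows why a
bursty source loses register messages early on and recovers once it slows down.
"""
from typing import Dict, List, Optional


def rate_limit_registers(arrival_ms: List[int], limit_pps: int) -> Dict[str, Optional[int]]:
    """Replay register-message arrivals (sorted, in ms) through a limit_pps policer.

    Tokens are kept in thousandths so the arithmetic stays in integers:
    one packet costs 1000, and limit_pps thousandths are added per millisecond.
    """
    capacity = limit_pps * 1000          # bucket holds one second's worth of packets
    tokens = capacity
    last_ms = 0
    sent = dropped = 0
    first_drop_ms: Optional[int] = None
    for t in arrival_ms:
        tokens = min(capacity, tokens + (t - last_ms) * limit_pps)   # refill since last arrival
        last_ms = t
        if tokens >= 1000:
            tokens -= 1000
            sent += 1
        else:                            # over the limit: the register message is dropped
            dropped += 1
            if first_drop_ms is None:
                first_drop_ms = t
    return {"sent": sent, "dropped": dropped, "first_drop_ms": first_drop_ms}


# Constructed bursty source: 1200 register messages in the first 600 ms
# (2 per ms), then a steady 100 pps for one second.
BURSTY_SOURCE = [k // 2 for k in range(1200)] + [600 + 10 * j for j in range(100)]

if __name__ == "__main__":
    print(rate_limit_registers(BURSTY_SOURCE, 500))
```

With the 500 pps limit from the example, the burst is served in full for roughly a third of a second and then loses about one register message in three until it subsides; the steady 100 pps tail passes untouched. Raising the limit trades that early loss for more register load on the DR and RP, which is the balance the usage text describes.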
ip pim rp-address This command sets a static address for the Rendezvous Point (RP) for a particular multicast group. Use the no form to remove an RP address or an RP address for a specific group.
SYNTAX [no] ip pim rp-address rp-address [group-prefix group-address mask]
rp-address – Static IP address of the router that will be an RP for the specified multicast group(s).
group-address – An IP multicast group address.
EXAMPLE In the following example, the first PIM-SM command just specifies the RP address 192.168.1.1 to indicate that it will be used to service all multicast groups. The second PIM-SM command includes the multicast groups to be serviced by the RP.
Console(config)#ip pim rp-address 192.168.1.1
Console(config)#ip pim rp-address 192.168.2.1 group-prefix 224.9.0.0 255.255.0.
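The example above leaves two things implicit: which RP a group gets when both the catch-all entry and a group-prefix entry cover it, and what a valid group-prefix looks like. The model below is an added example, not the switch's code: choosing the most specific covering group-prefix is this example's assumption, the group-prefix entries it configures are constructed rather than taken from the manual, and the helper names are its own.

```python
"""Model of static RP selection with ip pim rp-address (added example, not the
switch's code). An rp-address without group-prefix serves every group; a
group-prefix entry takes over for the groups it covers, most specific first
(assumption). The configuration below is constructed.
"""
import ipaddress
from typing import List, Optional, Tuple

# Whole IPv4 multicast range, used for an rp-address entry with no group-prefix.
ALL_GROUPS = ipaddress.IPv4Network("224.0.0.0/4")


def group_prefix_is_valid(group_address: str, mask: str) -> bool:
    """Config check: the group-prefix must be a multicast network with no host bits set."""
    try:
        net = ipaddress.IPv4Network(f"{group_address}/{mask}")   # strict by default: host bits raise
    except ValueError:
        return False
    return net.network_address.is_multicast


def build_rp_table(config: List[Tuple[str, Optional[Tuple[str, str]]]]):
    """Turn (rp-address, (group-address, mask) or None) pairs into (network, rp) rows."""
    table = []
    for rp, group_prefix in config:
        if group_prefix is None:
            table.append((ALL_GROUPS, rp))
        else:
            table.append((ipaddress.IPv4Network(f"{group_prefix[0]}/{group_prefix[1]}"), rp))
    return table


def rp_for_group(table, group: str) -> Optional[str]:
    """RP serving a group: the covering entry with the longest prefix."""
    g = ipaddress.IPv4Address(group)
    if not g.is_multicast:
        raise ValueError(f"{group} is not a multicast group address")
    covering = [(net.prefixlen, rp) for net, rp in table if g in net]
    return max(covering, key=lambda row: row[0])[1] if covering else None


# Constructed configuration, modelled on the two commands in the example above:
#   ip pim rp-address 192.168.1.1
#   ip pim rp-address 192.168.2.1 group-prefix 239.9.0.0 255.255.0.0
#   ip pim rp-address 192.168.3.1 group-prefix 239.9.5.0 255.255.255.0
STATIC_RP_CONFIG = [
    ("192.168.1.1", None),
    ("192.168.2.1", ("239.9.0.0", "255.255.0.0")),
    ("192.168.3.1", ("239.9.5.0", "255.255.255.0")),
]
RP_TABLE = build_rp_table(STATIC_RP_CONFIG)

if __name__ == "__main__":
    for group in ("224.1.1.1", "239.9.1.1", "239.9.5.7"):
        print(group, "->", rp_for_group(RP_TABLE, group))
    print("239.9.5.1/255.255.255.0 valid:", group_prefix_is_valid("239.9.5.1", "255.255.255.0"))
```

group_prefix_is_valid rejects a group-prefix whose address has host bits set under its mask, and any prefix outside 224.0.0.0/4; both are the kind of typo that would otherwise silently leave groups on the catch-all RP.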
CHAPTER 52 | Multicast Routing Commands PIM Multicast Routing COMMAND MODE Global Configuration COMMAND USAGE ◆ When the ip pim rp-candidate command is entered, the router periodically sends PIMv2 messages to the BSR advertising itself as a candidate RP for the specified group addresses. The IP address of the designated VLAN is sent as the candidate’s RP address. The BSR places information about all of the candidate RPs in subsequent bootstrap messages.
CHAPTER 52 | Multicast Routing Commands PIM Multicast Routing ip pim spt-threshold This command prevents the last-hop PIM router from switching to Shortest Path Source Tree (SPT) mode. Use the no form to allow the router to switch over to SPT mode. SYNTAX ip pim spt-threshold infinity [group-prefix group-address mask] no ip pim spt-threshold infinity group-address - An IP multicast group address. If a group address is not specified, the command applies to all multicast groups.
CHAPTER 52 | Multicast Routing Commands PIM Multicast Routing ip pim dr-priority This command sets the priority value for a Designated Router (DR) candidate. Use the no form to restore the default setting. SYNTAX ip pim dr-priority priority-value no ip pim dr-priority priority-value - Priority advertised by a router when bidding to become the DR.
Console#

ip pim join-prune-interval This command sets the join/prune timer. Use the no form to restore the default setting.
SYNTAX ip pim join-prune-interval seconds
no ip pim join-prune-interval
seconds - The interval at which join/prune messages are sent.

Propagation Delay : 500 ms
Override Interval : 2500 ms
DR Priority : 20
Join/Prune Interval : 80 sec
Console#

clear ip pim bsr rp-set This command clears multicast group to RP mapping entries learned through the PIMv2 bootstrap router (BSR).
COMMAND MODE Privileged Exec
COMMAND USAGE ◆ This command can be used to update entries in the static multicast forwarding table immediately after making configuration changes to the RP.

State : Elected BSR
Console#

Table 285: show ip pim bsr-router - display description
Field / Description
BSR Address - IP address of the interface configured as the BSR.
Uptime - The time this BSR has been up and running.
BSR Priority - Priority assigned to this interface for use in the BSR election process.
Hash Mask Length - The number of significant bits used in the multicast group comparison mask.

Table 286: show ip pim rp mapping - display description
Field / Description
Groups - The multicast group address and mask length managed by the RP.
IPV6 PIM COMMANDS This section describes commands used to configure IPv6 PIM dynamic multicast routing on the switch.

Table 288: PIM-DM and PIM-SM Multicast Routing Commands (Continued)
Command / Function / Mode
show ipv6 pim bsr-router - Displays information about the BSR - PE
show ipv6 pim rp mapping - Displays active RPs and associated multicast routing entries - PE
show ipv6 pim rp-hash - Displays the RP used for the specified multicast group - PE

PIM6 Shared Mode Commands
router pim6 This command enables IPv6 Protocol-Independent Multicast routing globally on

DEFAULT SETTING Disabled
COMMAND MODE Interface Configuration (VLAN)
COMMAND USAGE ◆ To fully enable PIM, you need to enable multicast routing globally for the router with the ipv6 multicast-routing command, enable PIM globally for the router with the router pim6 command, and also enable PIM-DM or PIM-SM on each interface that will participate in multicast routing with this command.
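The three-step enable sequence above, carried through as an added configuration example; this is not a session from the original guide. It assumes ipv6 pim sparse-mode is the interface-mode keyword this command section documents, and the RP address 2001:db8::1, the group prefix ff0e::/16 and VLAN 1 are constructed sample values. Check the exact keywords against the switch's CLI help before using them.

```console
Console#configure
Console(config)#ipv6 multicast-routing
Console(config)#router pim6
Console(config)#interface vlan 1
Console(config-if)#ipv6 pim sparse-mode
Console(config-if)#exit
Console(config)#ipv6 pim rp-address 2001:db8::1 group-prefix ff0e::/16
Console(config)#ipv6 pim spt-threshold infinity
Console(config)#end
Console#show ipv6 pim interface vlan 1
```

Setting the RP statically with ipv6 pim rp-address removes the dependency on bootstrap messages learned from whichever neighbour wins the BSR election, and ipv6 pim spt-threshold infinity keeps last-hop routers on the RP-rooted tree so forwarding paths stay predictable. Both are trade-offs: a static RP must be changed on every router when the RP moves, and staying on the shared tree concentrates traffic on the RP.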
Graft Retry Interval : 3 sec
Max Graft Retries : 3
State Refresh Ori Int : 60 sec
Console#

ipv6 pim hello-holdtime This command configures the interval to wait for hello messages from a neighboring PIM router before declaring it dead. Use the no form to restore the default value.
SYNTAX ipv6 pim hello-holdtime seconds
no ipv6 pim hello-holdtime
seconds - The hold time for PIM hello messages.
COMMAND USAGE Hello messages are sent to neighboring PIM routers from which this device has received probes, and are used to verify whether or not these neighbors are still active members of the multicast tree.
EXAMPLE
Console(config-if)#ipv6 pim hello-interval 60
Console(config-if)#

ipv6 pim join-prune-holdtime This command configures the hold time for the prune state. Use the no form to restore the default value.

COMMAND MODE Interface Configuration (VLAN)
COMMAND USAGE ◆ When other downstream routers on the same VLAN are notified that this upstream router has received a prune request, they must send a Join to override the prune before the prune delay expires if they want to continue receiving the flow. The message generated by this command effectively prompts any downstream neighbors with hosts receiving the flow to reply with a Join message.

message, then the override interval represents the time required for the downstream router to process the message and then respond by sending a Join message back to the upstream router to ensure that the flow is not terminated.

ipv6 pim trigger-hello-delay This command configures the maximum time before transmitting a triggered PIM Hello message after the router is rebooted or PIM is enabled on an interface. Use the no form to restore the default value.
SYNTAX ipv6 pim trigger-hello-delay seconds
no ipv6 pim trigger-hello-delay
seconds - The maximum time before sending a triggered PIM Hello message.

EXAMPLE
Console#show ip pim interface vlan 1
PIM is enabled.
VLAN 1 is up.
Table 289: show ipv6 pim neighbor - display description (Continued)
Field / Description
DR - The designated PIM6-SM router. If multicast hosts are directly connected to the LAN, then only one of these routers is elected as the DR, and acts on behalf of these hosts, sending periodic Join/Prune messages toward a group-specific RP for each group.

ipv6 pim max-graft-retries This command configures the maximum number of times to resend a Graft message if it has not been acknowledged. Use the no form to restore the default value.
SYNTAX ipv6 pim max-graft-retries retries
no ipv6 pim max-graft-retries
retries - The maximum number of times to resend a Graft.
◆ This command is only effective on interfaces of first-hop PIM-DM routers, that is, routers directly connected to the sources of multicast groups.
EXAMPLE
Console(config-if)#ipv6 pim state-refresh origination-interval 30
Console(config-if)#

PIM6-SM Commands
ipv6 pim bsr-candidate This command configures the switch as a Bootstrap Router (BSR) candidate. Use the no form to restore the default value.
◆ This router will continue to be the BSR until it receives a bootstrap message from another candidate with a higher priority (or a higher IP address if the priorities are the same).
◆ To improve failover recovery, it is advisable to select at least two core routers in diverse locations, each to serve as both a candidate BSR and candidate RP. It is also preferable to set up one of these routers as both the primary BSR and RP.

EXAMPLE This example sets the register rate limit to 500 pps.
Console(config)#ipv6 pim register-rate-limit 500
Console(config)#

ipv6 pim register-source This command configures the IP source address of a register message to an address other than the outgoing interface address of the designated router (DR) that leads back toward the rendezvous point (RP). Use the no form to restore the default setting.

ipv6 pim rp-address This command sets a static address for the Rendezvous Point (RP) for a particular multicast group. Use the no form to remove an RP address or an RP address for a specific group.
SYNTAX [no] ipv6 pim rp-address rp-address [group-prefix group-prefix]
rp-address - Static IPv6 address of the router that will be an RP for the specified multicast group(s).
group-prefix - An IPv6 network prefix for a multicast group.
EXAMPLE In the following example, the first PIM-SM command just specifies the RP address 192.168.1.1 to indicate that it will be used to service all multicast groups. The second PIM-SM command includes the multicast groups to be serviced by the RP.

candidate RP for the specified group addresses. The IP address of the designated VLAN is sent as the candidate's RP address. The BSR places information about all of the candidate RPs in subsequent bootstrap messages. The BSR uses the RP-election hash algorithm to select an active RP for each group range. The election process is performed by the BSR only for its own use.
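The BSR election rule given under ipv6 pim bsr-candidate above (higher priority wins, higher address breaks a tie) and the RP-election hash the BSR applies to each group range are specified in RFC 4601, sections 4.7.1 and 4.7.2. What follows is an added example, not Edge-core code or switch output: a small Python model of both selections. It handles IPv4 addresses only, and the candidate addresses, priorities and group ranges in it are constructed sample data.

```python
"""PIM-SM BSR election and group-to-RP mapping after RFC 4601 sections 4.7.1 and 4.7.2.

Added example, not vendor code. IPv4 only; all addresses, priorities and
group prefixes below are constructed sample data.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class CandidateBSR:
    address: str   # IPv4 address carried in the Bootstrap message
    priority: int  # BSR priority, 0-255; higher wins


@dataclass(frozen=True)
class CandidateRP:
    address: str         # IPv4 address of the candidate RP
    group_prefix: str    # group range it offers to serve, e.g. "224.0.0.0/4"
    priority: int = 192  # C-RP priority; RFC 4601: lower value is preferred


def elect_bsr(candidates: Iterable[CandidateBSR]) -> CandidateBSR:
    """Preferred BSR: highest priority, then highest IP address on a tie.

    A router stays BSR only until it hears a Bootstrap message from a
    candidate that ranks higher under this comparison.
    """
    return max(candidates, key=lambda c: (c.priority, int(ipaddress.IPv4Address(c.address))))


def rp_hash_value(group: str, hash_mask_len: int, rp_address: str) -> int:
    """Value(G, M, C(i)) from RFC 4601 section 4.7.2.

    M keeps the top hash_mask_len bits of the group address, so groups that
    agree in those bits hash to the same RP; with mask length 0 the group
    address drops out entirely and every group maps to the same RP.
    """
    g = int(ipaddress.IPv4Address(group))
    m = (0xFFFFFFFF << (32 - hash_mask_len)) & 0xFFFFFFFF
    c = int(ipaddress.IPv4Address(rp_address))
    return (1103515245 * ((1103515245 * (g & m) + 12345) ^ c) + 12345) % (1 << 31)


def select_rp(group: str, rp_set: Iterable[CandidateRP], hash_mask_len: int) -> Optional[CandidateRP]:
    """Pick the RP for one group from the RP-set the BSR distributes.

    Order of preference (RFC 4601 4.7.2): longest matching group prefix,
    then lowest C-RP priority value, then highest hash value, then highest
    RP address.  Returns None when no candidate covers the group.
    """
    g = ipaddress.IPv4Address(group)
    matching = [c for c in rp_set if g in ipaddress.IPv4Network(c.group_prefix)]
    if not matching:
        return None
    return max(
        matching,
        key=lambda c: (
            ipaddress.IPv4Network(c.group_prefix).prefixlen,
            -c.priority,
            rp_hash_value(group, hash_mask_len, c.address),
            int(ipaddress.IPv4Address(c.address)),
        ),
    )


# Constructed sample data: one RP offering to serve every group and one
# offering only 224.9.0.0/16 (a narrower range wins for groups inside it).
SAMPLE_RP_SET = [
    CandidateRP("192.168.1.1", "224.0.0.0/4"),
    CandidateRP("192.168.2.1", "224.9.0.0/16"),
]
SAMPLE_BSR_CANDIDATES = [
    CandidateBSR("10.0.0.1", 10),
    CandidateBSR("10.0.0.2", 10),  # same priority, higher address: wins
    CandidateBSR("10.0.0.3", 5),
]

if __name__ == "__main__":
    print("Elected BSR:", elect_bsr(SAMPLE_BSR_CANDIDATES).address)
    for grp in ("224.9.1.1", "239.1.1.1"):
        chosen = select_rp(grp, SAMPLE_RP_SET, hash_mask_len=30)
        print(f"{grp} -> RP {chosen.address} (prefix {chosen.group_prefix})")
```

Bootstrap and Candidate-RP-Advertisement messages carry no authentication unless IPsec is applied to them, so any host that can speak PIM on a VLAN where PIM is enabled can announce itself with BSR priority 255 and win this election, then hand every router an RP of its choosing. Where that exposure matters, configure the RP statically with ip pim rp-address (or ipv6 pim rp-address), enable PIM only on VLANs that need it, and use clear ip pim bsr rp-set to discard learned mappings after a change.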
ipv6 pim spt-threshold This command prevents the last-hop PIM router from switching from the RP-rooted shared tree to the source-rooted shortest-path tree (SPT). Use the no form to allow the router to switch over to the SPT.
SYNTAX ipv6 pim spt-threshold infinity [group-prefix group-prefix]
no ipv6 pim spt-threshold infinity
group-prefix - An IPv6 network prefix for a multicast group. If a group prefix is not specified, the command applies to all multicast groups.
ipv6 pim dr-priority This command sets the priority value for a Designated Router (DR) candidate. Use the no form to restore the default setting.
SYNTAX ipv6 pim dr-priority priority-value
no ipv6 pim dr-priority
priority-value - Priority advertised by a router when bidding to become the DR.

Console#

ipv6 pim join-prune-interval This command sets the join/prune timer. Use the no form to restore the default setting.
SYNTAX ipv6 pim join-prune-interval seconds
no ipv6 pim join-prune-interval
seconds - The interval at which join/prune messages are sent.

Propagation Delay : 500 ms
Override Interval : 2500 ms
DR Priority : 1
Join/Prune Interval : 220 sec
Console#

clear ipv6 pim bsr rp-set This command clears multicast group to RP mapping entries learned through the PIMv2 bootstrap router (BSR).
COMMAND MODE Privileged Exec
COMMAND USAGE ◆ This command can be used to update entries in the static multicast forwarding table immediately after making configuration changes to the RP.
State : Elected BSR
Console#

Table 290: show ipv6 pim bsr-router - display description
Field / Description
BSR Address - IP address of the interface configured as the BSR.
Uptime - The time this BSR has been up and running.
BSR Priority - Priority assigned to this interface for use in the BSR election process.
Hash Mask Length - The number of significant bits used in the multicast group comparison mask.

Table 291: show ipv6 pim rp mapping - display description
Field / Description
Groups - The multicast group address and mask length managed by the RP.
SECTION IV APPENDICES This section provides additional information and includes these items:
◆ "Software Specifications" on page 1975
◆ "Troubleshooting" on page 1981
◆ "License Information" on page 1983
A SOFTWARE SPECIFICATIONS
SOFTWARE FEATURES
MANAGEMENT AUTHENTICATION Local, RADIUS, TACACS+, Port Authentication (802.1X), HTTPS, SSH, Port Security, IP Filter
CLIENT ACCESS Access Control Lists (2048 rules), Port Authentication (802.
VLAN SUPPORT Up to 4094 groups; port-based, protocol-based, tagged (802.
MANAGEMENT FEATURES
IN-BAND MANAGEMENT Telnet, web-based HTTP or HTTPS, SNMP manager, or Secure Shell
OUT-OF-BAND MANAGEMENT RS-232 DB-9 console port
SOFTWARE LOADING HTTP, FTP or TFTP in-band, or XModem out-of-band
SNMP Management access via MIB database; trap management to specified hosts
RMON Groups 1, 2, 3, 9 (Statistics, History, Alarm, Event)
STANDARDS Ethernet Service OAM (ITU-T Y.1731) - partial support
IEEE 802.
IGMPv3 (RFC 3376) - partial support
IGMP Proxy (RFC 4541)
IPv4 IGMP (RFC 3228)
MLD Snooping (RFC 4541)
NTP (RFC 1305)
OSPF (RFC 2328, 2178, 1587)
OSPFv3 (RFC 2740)
PIM-SM (RFC 4601)
PIM-DM (RFC 3973)
RADIUS+ (RFC 2618)
RIPv1 (RFC 1058)
RIPv2 (RFC 2453)
RIPv2, extension (RFC 1724)
RMON (RFC 2819 groups 1,2,3,9)
SNMP (RFC 1157)
SNMPv2c (RFC 1901, 2571)
SNMPv3 (RFC DRAFT 2273, 2576, 3410, 3411, 3413, 3414, 3415)
SNTP (RFC 2030)
SSH (Version 2.
MANAGEMENT INFORMATION BASES
IPV6-UDP-MIB (RFC 2054)
Link Aggregation MIB (IEEE 802.3ad)
MAU MIB (RFC 3636)
MIB II (RFC 1213)
OSPF MIB (RFC 1850)
OSPFv3 MIB (draft-ietf-ospf-ospfv3-mib-15.txt)
P-Bridge MIB (RFC 2674P)
Port Access Entity MIB (IEEE 802.1X)
Port Access Entity Equipment MIB
Power Ethernet MIB (RFC 3621)
Private MIB
Q-Bridge MIB (RFC 2674Q)
QinQ Tunneling (IEEE 802.
B TROUBLESHOOTING
PROBLEMS ACCESSING THE MANAGEMENT INTERFACE
Table 293: Troubleshooting Chart
Symptom: Cannot connect using Telnet, web browser, or SNMP software
Action:
◆ Be sure the switch is powered on.
◆ Check network cabling between the management station and the switch. Make sure the ends are properly connected and there is no damage to the cable. Test the cable if necessary.
◆ Check that you have a valid network connection to the switch and that the port you are using has not been disabled.

USING SYSTEM LOGS If a fault does occur, refer to the Installation Guide to ensure that the problem you encountered is actually caused by the switch. If the problem appears to be caused by the switch, follow these steps:
1. Enable logging.
2. Set the error messages reported to include all categories.
3. Enable SNMP.
4. Enable SNMP traps.
5. Designate the SNMP host that is to receive the error messages.
6.
C LICENSE INFORMATION This product includes copyrighted third-party software subject to the terms of the GNU General Public License (GPL), GNU Lesser General Public License (LGPL), or other related free software licenses. The GPL code used in this product is distributed WITHOUT ANY WARRANTY and is subject to the copyrights of one or more authors. For details, refer to the section "The GNU General Public License" below, or refer to the applicable license as included in the source-code archive.
The GNU General Public License
GNU GENERAL PUBLIC LICENSE TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
1. This License applies to any program or other work which contains a notice placed by the copyright holder saying it may be distributed under the terms of this General Public License.

practices. Many people have made generous contributions to the wide range of software distributed through that system in reliance on consistent application of that system; it is up to the author/donor to decide if he or she is willing to distribute software through any other system and a licensee cannot impose that choice. This section is intended to make thoroughly clear what is believed to be a consequence of the rest of this License.
9.
GLOSSARY
ACL Access Control List. ACLs can limit network traffic and restrict access to certain users or devices by checking each packet for certain IP or MAC (i.e., Layer 2) information.
ARP Address Resolution Protocol converts between IP addresses and MAC (hardware) addresses. ARP is used to locate the MAC address corresponding to a given IP address. This allows the switch to use IP addresses for routing decisions and the corresponding MAC addresses to forward packets from one hop to the next.
DHCP SNOOPING A technique used to enhance network security by snooping on DHCP server messages to track the physical location of hosts, ensure that hosts only use the IP addresses assigned to them, and ensure that only authorized DHCP servers are accessible.
DIFFSERV Differentiated Services provides quality of service on large networks by employing a well-defined set of building blocks from which a variety of aggregate forwarding behaviors may be built.
GARP Generic Attribute Registration Protocol. GARP is a protocol that can be used by end stations and switches to register and propagate multicast group membership information in a switched environment so that multicast data frames are propagated only to those parts of a switched LAN containing registered end stations. Formerly called Group Address Registration Protocol.
GMRP Generic Multicast Registration Protocol. GMRP allows network devices to register end stations with multicast groups.
IEEE 802.1X Port Authentication controls access to the switch ports by requiring users to first enter a user ID and password for authentication.
IEEE 802.3AC Defines frame extensions for VLAN tagging.
IEEE 802.3X Defines Ethernet frame start/stop requests and timers used for flow control on full-duplex links. (Now incorporated in IEEE 802.3-2002)
IGMP Internet Group Management Protocol. A protocol through which hosts can register with their local router for multicast services.
LACP Link Aggregation Control Protocol. Allows ports to automatically negotiate a trunked link with LACP-configured ports on another device.
LAYER 2 Data Link layer in the ISO 7-Layer Data Communications Protocol. This is related directly to the hardware interface for network devices and passes on traffic based on MAC addresses.
LAYER 3 Network layer in the ISO 7-Layer Data Communications Protocol. This layer handles the routing functions for data moving from one open system to another.
MVR Multicast VLAN Registration is a method of using a single network-wide multicast VLAN to transmit common services, such as television channels or video-on-demand, across a service provider's network. MVR simplifies the configuration of multicast services by using a common VLAN for distribution, while still preserving security and data isolation for subscribers residing in both the MVR VLAN and other standard or private VLAN groups.
QOS Quality of Service. QoS refers to the capability of a network to provide better service to selected traffic flows using features such as data prioritization, queuing, congestion avoidance and traffic shaping. These features effectively provide preferential treatment to specific flows either by raising the priority of one flow or limiting the priority of another flow.
RADIUS Remote Authentication Dial-in User Service.
TACACS+ Terminal Access Controller Access Control System Plus. TACACS+ is a logon authentication protocol that uses software running on a central server to control access to TACACS-compliant devices on the network.
TCP/IP Transmission Control Protocol/Internet Protocol. Protocol suite that includes TCP as the primary transport protocol, and IP as the network layer protocol.
TELNET Defines a remote communication facility for interfacing to a terminal device over TCP/IP.
COMMAND LIST A aaa accounting dot1x 1044 aaa accounting exec 1045 aaa accounting update 1046 aaa authorization exec 1047 aaa group server 1048 abr-type 1793 absolute 958 access-list arp 1181 access-list ip 1164 access-list ipv6 1170 access-list mac 1176 accounting dot1x 1049 accounting exec 1049 aggregate-address 1839 alias 1189 area default-cost 1756 area default-cost 1797 area nssa 1762 area range 1757 area range 1798 area stub 1764 area stub 1801 area virtual-link 1765 area virtual-link 1802 arp 1655 ar
COMMAND LIST clear ethernet cfm linktrace-cache 1593 clear ethernet cfm maintenance-points remote 1584 clear host 1621 clear ip bgp 1851 clear ip bgp dampening 1852 clear ip dhcp binding 1643 clear ip dhcp snooping binding 1124 clear ip dhcp snooping database flash 1124 clear ip igmp group 1519 clear ip ospf process 1756 clear ip pim bsr rp-set 1947 clear ip rip route 1748 clear ip source-guard binding blocked 1138 clear ipv6 dhcp snooping binding 1131 clear ipv6 dhcp snooping statistics 1132 clear ipv6 ml
COMMAND LIST ethernet cfm ais suppress alarm 1566 ethernet cfm cc enable 1582 ethernet cfm cc ma interval 1581 ethernet cfm delay-measure two-way 1600 ethernet cfm domain 1567 ethernet cfm enable 1569 ethernet cfm linktrace 1592 ethernet cfm linktrace cache 1590 ethernet cfm linktrace cache hold-time 1591 ethernet cfm linktrace cache size 1591 ethernet cfm loopback 1595 ethernet cfm mep 1571 ethernet cfm mep crosscheck 1589 ethernet cfm mep crosscheck start-delay 1586 ethernet cfm port-enable 1572 exec-tim
COMMAND LIST ip igmp snooping unsolicited-reportinterval 1433 ip igmp snooping version 1434 ip igmp snooping version-exclusive 1434 ip igmp snooping vlan general-querysuppression 1435 ip igmp snooping vlan immediate-leave 1436 ip igmp snooping vlan last-membquery-count 1437 ip igmp snooping vlan last-membquery-intvl 1437 ip igmp snooping vlan mrd 1438 ip igmp snooping vlan mrouter 1447 ip igmp snooping vlan mrouter 1925 ip igmp snooping vlan proxy-address 1439 ip igmp snooping vlan query-interval 1440 ip i
COMMAND LIST ipv6 mld snooping robustness 1463 ipv6 mld snooping router-portexpire-time 1463 ipv6 mld snooping unknown-multicast mode 1464 ipv6 mld snooping version 1465 ipv6 mld snooping vlan immediateleave 1466 ipv6 mld snooping vlan mrouter 1465 ipv6 mld snooping vlan static 1466 ipv6 mld static-group 1529 ipv6 mld version 1530 ipv6 mtu 1671 ipv6 multicast-data-drop 1475 ipv6 multicast-routing 1922 ipv6 nd dad attempts 1684 ipv6 nd managed-config-flag 1685 ipv6 nd ns-interval 1687 ipv6 nd other-config-f
COMMAND LIST logging sendmail 940 logging sendmail destination-email 942 logging sendmail host 941 logging sendmail level 941 logging sendmail source-email 943 logging trap 936 login 926 loopback detection trap 1262 loopback-detection 1260 loopback-detection action 1260 loopback-detection recover-time 1261 loopback-detection release 1263 loopback-detection transmit-interval 1262 M ma index name 1570 ma index name-format 1571 mac access-group 1179 mac-address-table aging-time 1271 mac-address-table static
COMMAND LIST neighbor route-server-client 1877 neighbor send-community 1878 neighbor shutdown 1878 neighbor soft-reconfiguration inbound 1879 neighbor strict-capability-match 1880 neighbor timers 1880 neighbor timers connect 1881 neighbor unsuppress-map 1882 neighbor update-source 1883 neighbor weight 1883 netbios-name-server 1640 netbios-node-type 1641 network 1641 network 1738 network 1848 network area 1768 network-access aging 1096 network-access dynamic-qos 1098 network-access dynamic-vlan 1100 network
COMMAND LIST Q S qos map cos-dscp 1393 qos map default-drop-precedence 1394 qos map dscp-cos 1395 qos map dscp-mutation 1396 qos map ip-port-dscp 1398 qos map ip-prec-dscp 1398 qos map phb-queue 1399 qos map trust-mode 1400 queue mode 1388 queue weight 1389 quit 886 server 1048 service dhcp 1634 service-policy 1421 set aggregator as 1908 set as-path 1909 set atomic-aggregate 1910 set comm-list delete 1910 set community 1911 set cos 1419 set extcommunity 1912 set ip next-hop 1913 set local-preference 191
COMMAND LIST show ethernet cfm fault-notifygenerator 1599 show ethernet cfm linktrace-cache 1594 show ethernet cfm ma 1576 show ethernet cfm maintenance-points local 1576 show ethernet cfm maintenance-points local detail mep 1577 show ethernet cfm maintenance-points remote crosscheck 1590 show ethernet cfm maintenance-points remote detail 1579 show ethernet cfm md 1575 show garp timer 1341 show gvrp configuration 1342 show history 886 show hosts 1622 show interfaces brief 1197 show interfaces counters 1198
COMMAND LIST show ipv6 mld snooping mrouter 1469 show ipv6 mld throttle interface 1477 show ipv6 mld snooping 1467 show ipv6 mroute 1923 show ipv6 mtu 1674 show ipv6 nd raguard 1694 show ipv6 nd snooping 1711 show ipv6 nd snooping binding 1711 show ipv6 nd snooping prefix 1711 show ipv6 neighbors 1694 show ipv6 ospf 1812 show ipv6 ospf database 1813 show ipv6 ospf interface 1814 show ipv6 ospf neighbor 1815 show ipv6 ospf route 1816 show ipv6 ospf virtual-links 1817 show ipv6 pim bsr-router 1970 show ipv6
COMMAND LIST show time-range 960 show traffic-segmentation 1161 show udld 1268 show upgrade 923 show users 908 show version 909 show vlan 1352 show vlan private-vlan 1371 show vlan-translation 1366 show voice vlan 1385 show vrrp 1718 show vrrp interface 1720 show vrrp interface counters 1721 show vrrp router counters 1722 show watchdog 909 show web-auth 1114 show web-auth interface 1114 show web-auth summary 1115 shutdown 1194 silent-time 929 snmp-server 997 snmp-server community 997 snmp-server contact 99
COMMAND LIST switchport voice vlan 1382 switchport voice vlan rule 1383 switchport voice vlan security 1384 synce 980 synce auto-clock-source-selecting 983 synce clk-src-ssm 986 synce ethernet 981 synce ethernet clock-source 982 synce force-clock-source-selecting 984 synce ssm ethernet 985 T tacacs-server host 1041 tacacs-server key 1041 tacacs-server port 1042 tacacs-server retransmit 1042 tacacs-server timeout 1043 timeout login response 931 time-range 957 timers basic 1740 timers bgp 1850 timers spf 17
INDEX NUMERICS 802.1Q tunnel 243, 1353 access 250, 1355 configuration, guidelines 246, 1353 configuration, limitations 246, 1354 CVID to SVID map 248, 1356 description 243 ethernet type 247, 1358 interface configuration 250, 1355–1358 mode selection 250, 1355 status, configuring 247, 1354 TPID 247, 1358 uplink 250, 1355 802.1X authenticator, configuring 425, 1069–1075 global settings 424, 1068–1069 port authentication 423, 1067, 1069 port authentication accounting 355, 356, 1049 A AAA accounting 802.
INDEX extended community list 1836 external BGP 1819 internal BGP 1819 IP prefix list 1838 message types 1822 multihop for eBGP neighbors 1866 neighbor configuration 1859 neighbor peer group 1871, 1872 neighbor route map 1875 path attributes 1820 policy-based routing 1897 route map, configuring 1899 route map, neighbor 1875 route metrics 1853 route reflection 1840 route reflector client 1876 route reflectors 1824 route selection 1853 route server client 1877 route servers 1827 router ID 1847 BOOTP 692, 164
INDEX CPU status 175, 904 utilization, showing 175, 904 CPU utilization, setting trap 1016 cross-check errors, CFM 1583, 1587, 1589 cross-check message, CFM 548, 551, 1561, 1586, 1587, 1588, 1589, 1590 cross-check start delay, CFM 552, 1586 CVLAN to SPVLAN map 248, 1356 D Daylight Savings Time See summer time default IPv4 gateway, configuration 1650 default IPv6 gateway, configuration 696, 1664 default priority, ingress port 305, 1390 default settings, system 102 delay measure request, CFM 572, 1600 desig
INDEX dynamic addresses clearing 269, 1273 displaying 268, 1273 Dynamic Host Configuration Protocol See DHCP dynamic QoS assignment 369, 373, 1098 dynamic VLAN assignment 368, 373, 1100 exec settings accounting 355, 1049 authorization 361, 1047, 1050 external BGP 1819 F E ECMP, maximum paths 757, 1725 edge port, STA 284, 287, 1291 encryption DSA 385, 387, 1063 RSA 385, 387, 1063 engine ID 483, 484, 1004 ERPS block ring port, manually 1327, 1329 configuration guidelines 526, 1306 control VLAN 531, 1308 d
INDEX IGMP clearing groups 1519 enabling per interface 650, 1514 filter profiles, binding to interface 636, 1453 filter profiles, configuration 634, 1450 filter, interface configuration 636, 1453–1454 filter, parameters 634, 636, 1449–1454 filtering & throttling 633, 1448 filtering & throttling, enabling 633, 1449 filtering & throttling, interface configuration 636, 1451–1455 filtering & throttling, status 633, 1449 filtering, configuring profile 634, 1450, 1451 filtering, creating profile 634, 1450 filter
INDEX IPv6 address dynamic configuration (link-local) 114, 697, 1670 EUI format 702, 1667 EUI-64 setting 702, 1667 explicit configuration 697, 1670 global unicast 701, 1665 link-local 702, 1669 manual configuration (global unicast) 110, 701, 1665 manual configuration (link-local) 110, 702, 1669 setting 109, 695, 1665 IPv6 source guard configuring static entries 440, 1140 setting filter criteria 438 setting maximum bindings 439, 1143 IPv6/v4 tunnel 1696 IPv4 destination, configured 1698 mode, configured or
INDEX main menu, web interface 126 maintenance association, CFM 548, 560, 1561, 1570, 1576 maintenance domain, CFM 548, 549, 555, 1561, 1567, 1575 maintenance end point, CFM 549, 551, 556, 561, 565, 574, 575, 1569, 1571, 1576 maintenance intermediate point, CFM 549, 556, 577, 1567, 1568, 1570, 1576 maintenance level, CFM 549, 550, 1567 maintenance point, CFM 548, 1561, 1576 management access, filtering per address 418, 1079 management access, IP filter 418, 1078, 1079 Management Information Bases (MIBs) 19
INDEX interface status, displaying 666, 1489 IP for control packets sent upstream 661, 1485 proxy query interval 659, 1481 proxy switching 658, 1483 receiver groups, displaying 669, 1492 robust value for proxy switching 659, 1484 setting interface type 666, 1487 setting multicast domain 660, 665, 1480 setting multicast groups 662, 1479, 1481 setting multicast priority 661, 1482 source port mode 659, 1484 specifying a domain 660, 665, 1480 specifying a VLAN 660, 1479, 1486 specifying priority 661, 1482 stat
INDEX router ID 793, 1754 router priority 812, 1774 routing table, displaying 820, 1788 SPF timers 794, 1755 stub 798, 802, 1764 transit area 790, 791, 800, 802, 817, 818, 1765 transmit delay over interface 813, 1776 virtual link 817, 1765 virtual links, displaying 819, 1789 OSPFv3 1790 ABR route summary 1798 area border router 1798 backbone 1804, 1805 configuration settings, displaying 1812 enabling 1792 general settings 1790 interface summary information, displaying 1814 LSA database, displaying 1813 nei
INDEX rendezvous point 859, 1964, 1965 RP candidate 861, 1965 RP candidate, advertising 861, 1965 RP mapping, displaying 865, 1971 shared tree 857, 1967 shortest path tree 857, 1967 SPT threshold 857, 1967 static RP, configuring 859, 1964 policing traffic, QoS policy 329, 333 policy map description 332, 1409 DiffServ 329, 1411 port authentication 423, 1067, 1069 port priority configuring 305, 1387 default ingress 305, 1390 STA 283, 1296, 1298 port security, configuring 420, 1090 ports autonegotiation 183,
INDEX R RADIUS logon authentication 351, 1036 settings 351, 1036 rate limit port 295, 1240 setting 295, 1239 register rate limit, PIM-SM 840, 1939 register rate limit, PIMv6-SM 856, 1962 remote engine ID 484, 1004 remote logging 456, 936 remote maintenance end point, CFM 551, 560, 567, 575, 578, 579, 1577, 1579, 1584, 1588 Remote Monitoring See RMON rename, DiffServ 1411 rendezvous point PIM-SM 843, 1941, 1942 PIMv6-SM 859, 1964, 1965 restarting the system 177, 884, 888, 889 at scheduled times 177, 884 RIP
INDEX SNTP setting the system clock 165, 945–947 specifying servers 167, 946 software displaying version 151, 909 downloading 155, 914 version, displaying 151, 909 Spanning Tree Protocol See STA specifications, software 1975 SPT threshold, PIM-SM 840, 1944 SPT threshold, PIMv6-SM 857, 1967 srTCM police meter 334, 1415 QoS policy 330, 1415 SSH 381, 1057 authentication retries 384, 1060 configuring 381, 1058 downloading public keys for clients 387, 914, 917 generating host key pair 385, 1063 server, configur
INDEX trTCM police meter 335, 1417 QoS policy 331, 1417 trunk configuration 204, 1215 LACP 207, 1215, 1218 load balancing 1216 static 205, 1218 tunneling unknown VLANs, VLAN trunking 222, 1350 two rate three color meter See trTCM Type Length Value See LLDP TLV U UDP helper 730, 1659 application port 731, 1659 application server 733, 1661 description 730 destination port 731, 1659 enabling 731, 1660 forward destination 733, 1661 target subnet 733, 1661 UDP ports 731, 1659 unicast routing 769, 1723 ECMP 757