ECS4810-12M Layer 2 Gigabit Ethernet Switch CLI Reference Guide Software Release v1.2.0.1 www.edge-core.
CLI Reference Guide ECS4810-12M Gigabit Ethernet Switch Layer 2 Gigabit Ethernet Switch with 12 Gigabit Combination Ports (RJ-45/SFP) ECS4810-12M E092016/ST-R05 149100000142A
How to Use This Guide This guide includes detailed information on the switch software, including how to operate and use the management functions of the switch. To deploy this switch effectively and ensure trouble-free operation, you should first read the relevant sections in this guide so that you are familiar with all of its software features. Who Should Read this Guide? This guide is for network administrators who are responsible for operating and maintaining network equipment.
How to Use This Guide For information on how to install the switch, see the following guide: Installation Guide For all safety information and regulatory statements, see the following documents: Quick Start Guide Safety and Regulatory Information Conventions The following conventions are used throughout this guide to show information: Note: Emphasizes important information or calls your attention to related features or instructions.
How to Use This Guide Revision History (Revision / Date / Change Description): v1.2.0., v1.1.4., v1.0.6.
Contents Section I How to Use This Guide 3 Contents 9 Figures 39 Tables 41 Getting Started 47 1 Initial Switch Configuration Connecting to the Switch 49 Configuration Options 49 Required Connections 50 Remote Connections 51 Basic Configuration 52 Console Connection 52 Setting Passwords 52 Setting an IP Address 53 Downloading a Configuration File Referenced by a DHCP Server 59 Enabling SNMP Management Access 61 Managing System Files 63 Saving or Restoring Configuration Setti
Entering Commands 71 Keywords and Arguments 71 Minimum Abbreviation 71 Command Completion 71 Getting Help on Commands 72 Partial Keyword Lookup 74 Negating the Effect of Commands 74 Using Command History 74 Understanding Command Modes 74 Exec Commands 75 Configuration Commands 76 Command Line Processing 78 Showing Status Information 78 Output Modifiers 79 CLI Command Groups 79 3 General Commands 83 prompt 83 reload (Global Configuration) 84 enable 85 quit 86
banner configure department 95 banner configure equipment-info 96 banner configure equipment-location 97 banner configure ip-lan 97 banner configure lp-number 98 banner configure manager-info 99 banner configure mux 99 banner configure note 100 show banner 101 System Status 101 show access-list tcam-utilization 102 show alarm 102 show alarm-status 103 show memory 104 show process cpu 104 show process cpu guard 105 show running-config 106 show startup-config 108
upgrade opcode path 121 upgrade opcode reload 122 show upgrade 123 TFTP Configuration Commands 123 ip tftp retry 123 ip tftp timeout 124 Line 125 line 125 databits 126 exec-timeout 127 login 128 parity 129 password 129 password-thresh 130 silent-time 131 speed 131 stopbits 132 timeout login response 133 disconnect 133 terminal 134 show line 135 Event Logging 136 logging facility 136 logging history 137 logging host 138 logging on 138 logging trap
logging sendmail source-email 145 show logging sendmail 146 Time 146 SNTP Commands 147 sntp client 147 sntp poll 148 sntp server 148 show sntp 149 Manual Configuration Commands 149 clock summer-time (date) 149 clock summer-time (predefined) 151 clock summer-time (recurring) 152 clock timezone 153 calendar set 154 show calendar 155 Time Range 155 time-range 155 absolute 156 periodic 157 show time-range 158 Synchronous Ethernet 158 synce 159 synce ethernet
show cluster 172 show cluster members 173 show cluster candidates 173 5 SNMP Commands 175 General SNMP Commands 177 snmp-server 177 snmp-server community 178 snmp-server contact 178 snmp-server location 179 show snmp 179 SNMP Target Host Commands 180 snmp-server enable traps 180 snmp-server host 182 snmp-server enable port-traps mac-notification 184 show snmp-server enable port-traps 184 SNMPv3 Commands 185 snmp-server engine-id 185 snmp-server group 186 snmp-se
6 Remote Monitoring Commands 201 rmon alarm 202 rmon event 203 rmon collection history 204 rmon collection rmon1 205 show rmon alarms 206 show rmon events 206 show rmon history 206 show rmon statistics 207 7 Flow Sampling Commands 209 sflow owner 209 sflow polling instance 211 sflow sampling instance 212 show sflow 213 8 Authentication Commands 215 User Accounts 216 enable password 216 username 217 Authentication Sequence 218 authentication enable 218 authen
tacacs-server timeout 227 show tacacs-server 227 AAA 228 aaa accounting dot1x 228 aaa accounting exec 229 aaa accounting update 230 aaa authorization exec 231 aaa group server 232 server 232 accounting dot1x 233 accounting exec 233 authorization exec 234 show accounting 235 Web Server 236 ip http port 236 ip http server 237 ip http secure-port 237 ip http secure-server 238 Telnet Server 239 ip telnet max-sessions 240 ip telnet port 240 ip telnet server 241
show ssh 251 802.
pppoe intermediate-agent trust 274 pppoe intermediate-agent vendor-tag strip 274 clear pppoe intermediate-agent statistics 275 show pppoe intermediate-agent info 275 show pppoe intermediate-agent statistics 276 9 General Security Measures 279 Port Security 280 port security 280 show port security 282 Network Access (MAC Address Authentication) 284 network-access aging 285 network-access mac-filter 286 mac-authentication reauth-time 287 network-access dynamic-qos 287 netwo
web-auth 301 web-auth re-authenticate (Port) 302 web-auth re-authenticate (IP) 302 show web-auth 303 show web-auth interface 303 show web-auth summary 304 DHCP Snooping 304 ip dhcp snooping 305 ip dhcp snooping information option 307 ip dhcp snooping information option encode no-subtype 308 ip dhcp snooping information option remote-id 309 ip dhcp snooping information policy 310 ip dhcp snooping verify mac-address 311 ip dhcp snooping vlan 311 ip dhcp snooping informati
show ip arp inspection configuration 329 show ip arp inspection interface 329 show ip arp inspection log 330 show ip arp inspection statistics 330 show ip arp inspection vlan 330 Denial of Service Protection 331 dos-protection echo-chargen 332 dos-protection smurf 332 dos-protection tcp-flooding 333 dos-protection tcp-null-scan 333 dos-protection tcp-syn-fin-scan 334 dos-protection tcp-udp-port-zero 334 dos-protection tcp-xmas-scan 335 dos-protection udp-flooding 335 do
ipv6 access-group 356 show ipv6 access-group 356 show ipv6 access-list 357 MAC ACLs 358 access-list mac 358 permit, deny (MAC ACL) 359 mac access-group 361 show mac access-group 362 show mac access-list 362 ARP ACLs 363 access-list arp 363 permit, deny (ARP ACL) 364 show access-list arp 365 ACL Information 365 clear access-list hardware counters 365 show access-group 366 show access-list 366 11 Interface Commands 369 Interface Configuration 370 interface 370
show interfaces history 385 show interfaces status 388 show interfaces switchport 389 Transceiver Threshold Configuration 391 transceiver-monitor 391 transceiver-threshold-auto 391 transceiver-threshold current 392 transceiver-threshold rx-power 393 transceiver-threshold temperature 394 transceiver-threshold tx-power 395 transceiver-threshold voltage 396 show interfaces transceiver 397 show interfaces transceiver-threshold 398 Cable Diagnostics 399 test cable-diagnostic
13 Port Mirroring Commands 417 Local Port Mirroring Commands 417 port monitor 417 show port monitor 419 RSPAN Mirroring Commands 420 rspan source 422 rspan destination 423 rspan remote vlan 424 no rspan session 425 show rspan 426 14 Congestion Control Commands 427 Rate Limit Commands 427 rate-limit 428 Storm Control Commands 429 switchport packet-rate 429 Automatic Traffic Control Commands 430 Threshold Commands 433 auto-traffic-control apply-timer 433 auto-traffic-
ATC Display Commands 443 show auto-traffic-control 443 show auto-traffic-control interface 444 15 UniDirectional Link Detection Commands 445 udld detection-interval 445 udld message-interval 446 udld recovery 447 udld recovery-interval 447 udld aggressive 448 udld port 449 show udld 450 16 Address Table Commands 453 mac-address-table aging-time 453 mac-address-table static 454 clear mac-address-table dynamic 455 show mac-address-table 455 show mac-address-table agin
name 470 revision 471 spanning-tree bpdu-filter 471 spanning-tree bpdu-guard 472 spanning-tree cost 473 spanning-tree edge-port 474 spanning-tree link-type 475 spanning-tree loopback-detection 476 spanning-tree loopback-detection action 477 spanning-tree loopback-detection release-mode 477 spanning-tree loopback-detection trap 478 spanning-tree mst cost 479 spanning-tree mst port-priority 480 spanning-tree port-bpdu-flooding 481 spanning-tree port-priority 481 spannin
propagate-tc 504 raps-def-mac 504 raps-without-vc 505 ring-port 507 rpl neighbor 508 rpl owner 509 version 509 wtr-timer 510 clear erps statistics 511 erps clear 511 erps forced-switch 512 erps manual-switch 514 show erps 516 19 VLAN Commands 521 GVRP and Bridge Extension Commands 522 bridge-ext gvrp 522 garp timer 523 switchport forbidden vlan 524 switchport gvrp 525 show bridge-ext 525 show garp timer 526 show gvrp configuration 526 Editing VLAN Groups
Displaying VLAN Information 536 show vlan 536 Configuring IEEE 802.
show voice vlan 565 20 Class of Service Commands 567 Priority Commands (Layer 2) 567 queue mode 568 queue weight 569 switchport priority default 570 show queue mode 571 show queue weight 571 Priority Commands (Layer 3 and 4) 572 qos map cos-dscp 572 qos map dscp-cos 574 qos map dscp-mutation 575 qos map phb-queue 576 qos map trust-mode 577 show qos map cos-dscp 578 show qos map dscp-cos 578 show qos map dscp-mutation 579 show qos map phb-queue 580 show qos map t
service-policy 600 show class-map 601 show policy-map 601 show policy-map interface 602 22 Multicast Filtering Commands 603 IGMP Snooping 604 ip igmp snooping 605 ip igmp snooping priority 606 ip igmp snooping proxy-reporting 607 ip igmp snooping querier 607 ip igmp snooping router-alert-option-check 608 ip igmp snooping router-port-expire-time 609 ip igmp rate-limit 609 ip igmp snooping tcn-flood 610 ip igmp snooping tcn-query-solicit 611 ip igmp snooping unregistere
Static Multicast Routing 628 ip igmp snooping vlan mrouter 628 IGMP Filtering and Throttling 629 ip igmp filter (Global Configuration) 630 ip igmp profile 630 ip igmp rate-limit 631 permit, deny 632 range 632 ip igmp authentication 633 ip igmp filter (Interface Configuration) 634 ip igmp max-groups 635 ip igmp max-groups action 636 ip multicast-data-drop 636 show ip igmp authentication 637 show ip igmp filter 638 show ip igmp profile 638 show ip igmp rate-limit 639
show ipv6 mld snooping 651 show ipv6 mld snooping group 652 show ipv6 mld snooping group source-list 652 show ipv6 mld snooping mrouter 653 show ipv6 mld snooping statistics 654 MLD Filtering and Throttling 655 ipv6 mld filter (Global Configuration) 655 ipv6 mld profile 656 permit, deny 657 range 657 ipv6 mld filter (Interface Configuration) 658 ipv6 mld max-groups 658 ipv6 mld max-groups action 659 ipv6 mld query-drop 660 ipv6 multicast-data-drop 660 show ipv6 mld fi
clear mvr statistics 676 show mvr 677 show mvr associated-profile 678 show mvr interface 678 show mvr members 680 show mvr profile 681 show mvr statistics 682 MVR for IPv6 687 mvr6 associated-profile 688 mvr6 domain 689 mvr6 priority 690 mvr6 profile 690 mvr6 proxy-query-interval 691 mvr6 proxy-switching 692 mvr6 robustness-value 693 mvr6 source-port-mode dynamic 694 mvr6 upstream-source-ip 694 mvr6 vlan 695 mvr6 immediate-leave 696 mvr6 type 697 mvr6 vlan g
lldp refresh-interval 715 lldp reinit-delay 715 lldp tx-delay 716 lldp admin-status 717 lldp basic-tlv management-ip-address 717 lldp basic-tlv port-description 718 lldp basic-tlv system-capabilities 718 lldp basic-tlv system-description 719 lldp basic-tlv system-name 719 lldp dot1-tlv proto-ident 720 lldp dot1-tlv proto-vid 720 lldp dot1-tlv pvid 721 lldp dot1-tlv vlan-name 721 lldp dot3-tlv link-agg 722 lldp dot3-tlv mac-phy 722 lldp dot3-tlv max-frame 723 lldp me
ethernet cfm enable 743 ma index name 744 ma index name-format 745 ethernet cfm mep 746 ethernet cfm port-enable 747 clear ethernet cfm ais mpid 747 show ethernet cfm configuration 748 show ethernet cfm md 749 show ethernet cfm ma 750 show ethernet cfm maintenance-points local 751 show ethernet cfm maintenance-points local detail mep 752 show ethernet cfm maintenance-points remote detail 753 Continuity Check Operations 755 ethernet cfm cc ma interval 755 ethernet cfm cc
Fault Generator Operations 771 mep fault-notify alarm-time 771 mep fault-notify lowest-priority 772 mep fault-notify reset-time 773 show ethernet cfm fault-notify-generator 774 Delay Measure Operations 775 ethernet cfm delay-measure two-way 775 25 OAM Commands 777 efm oam 778 efm oam critical-link-event 778 efm oam link-monitor frame 779 efm oam link-monitor frame threshold 780 efm oam link-monitor frame window 780 efm oam mode 781 clear efm oam counters 782 clear efm
show hosts 796 27 DHCP Commands 799 DHCP Client 799 DHCP for IPv4 800 ip dhcp dynamic-provision 800 ip dhcp client class-id 801 ip dhcp restart client 803 show ip dhcp dynamic-provision 803 DHCP for IPv6 804 ipv6 dhcp client rapid-commit vlan 804 ipv6 dhcp restart client vlan 804 show ipv6 dhcp duid 806 show ipv6 dhcp vlan 806 DHCP Relay Option 82 807 ip dhcp relay server 807 ip dhcp relay information option 808 ip dhcp relay information policy 811 show ip dhcp re
IPv6 Interface 823 Interface Address Configuration and Utilities 824 ipv6 default-gateway 824 ipv6 address 825 ipv6 address autoconfig 826 ipv6 address eui-64 828 ipv6 address link-local 829 ipv6 enable 831 ipv6 mtu 832 show ipv6 default-gateway 833 show ipv6 interface 833 show ipv6 mtu 835 show ipv6 traffic 836 clear ipv6 traffic 840 ping6 840 traceroute6 842 Neighbor Discovery 843 ipv6 hop-limit 843 ipv6 nd dad attempts 844 ipv6 nd ns-interval 845 ipv6 nd
show ipv6 nd snooping 857 show ipv6 nd snooping binding 857 show ipv6 nd snooping prefix 858 Section III Appendices 859 A Troubleshooting 861 Problems Accessing the Management Interface 861 Using System Logs 862 B License Information 863 The GNU General Public License 863 Glossary 867 Command List 875 Index 883
Figures Figure 1: Storm Control by Limiting the Traffic Rate 432 Figure 2: Storm Control by Shutting Down a Port 433 Figure 3: Non-ERPS Device Protection 499 Figure 4: Sub-ring with Virtual Channel 506 Figure 5: Sub-ring without Virtual Channel 507 Figure 6: Configuring VLAN Trunking 535 Figure 7: Mapping QinQ Service VLAN to Customer VLAN 541 Figure 8: Configuring VLAN Translation 549
Tables Table 1: Options 60, 66 and 67 Statements 60 Table 2: Options 55 and 124 Statements 60 Table 3: General Command Modes 75 Table 4: Configuration Command Modes 77 Table 5: Keystroke Commands 78 Table 6: Command Group Index 79 Table 7: General Commands 83 Table 8: System Management Commands 91 Table 9: Device Designation Commands 91 Table 10: Banner Commands 92 Table 11: System Status Commands 101 Table 12: show process cpu guard - display description 105 Table 13: Frame Size Co
Table 30: show snmp engine-id - display description 190 Table 31: show snmp group - display description 191 Table 32: show snmp user - display description 192 Table 33: show snmp view - display description 193 Table 34: RMON Commands 201 Table 35: sFlow Commands 209 Table 36: Authentication Commands 215 Table 37: User Access Commands 216 Table 38: Default Login Settings 217 Table 39: Authentication Sequence Commands 218 Table 40: RADIUS Client Commands 220 Table 41: TACACS+ Cli
Table 65: Access Control List Commands 343 Table 66: IPv4 ACL Commands 343 Table 67: IPv6 ACL Commands 350 Table 68: MAC ACL Commands 358 Table 69: ARP ACL Commands 363 Table 70: ACL Information Commands 365 Table 71: Interface Commands 369 Table 72: show interfaces counters - display description 382 Table 73: show interfaces switchport - display description 390 Table 74: Link Aggregation Commands 403 Table 75: show lacp counters - display description 413 Table 76: show lacp in
Table 100: Commands for Configuring VLAN Interfaces 529 Table 101: Commands for Displaying VLAN Information 536 Table 102: 802.
Table 135: show mvr statistics summary interface mvr vlan - description 686 Table 136: Multicast VLAN Registration for IPv6 Commands 687 Table 137: show mvr6 - display description 700 Table 138: show mvr6 interface - display description 702 Table 139: show mvr6 members - display description 704 Table 140: show mvr6 statistics input - display description 705 Table 141: show mvr6 statistics output - display description 706 Table 142: show mvr6 statistics query - display description 706
Table 170: show ipv6 interface - display description 834 Table 171: show ipv6 mtu - display description 835 Table 172: show ipv6 traffic - display description 837 Table 173: show ipv6 neighbors - display description 849 Table 174: ND Snooping Commands 851 Table 175: Troubleshooting Chart 861
Section I Getting Started This section provides an overview of the switch, and introduces some basic concepts about network switches. It also describes the basic settings required to access the management interface.
1 Initial Switch Configuration This chapter includes information on connecting to the switch and basic configuration procedures. Connecting to the Switch The switch includes a built-in network management agent. The agent offers a variety of management options, including SNMP, RMON and a web-based interface. A PC may also be connected directly to the switch for configuration and monitoring via a command line interface (CLI). Note: An IPv4 address for this switch is obtained via DHCP by default.
Chapter 1 | Initial Switch Configuration Connecting to the Switch
◆ Filter packets using Access Control Lists (ACLs)
◆ Configure up to 4093 IEEE 802.
Note: Once you have set up the terminal correctly, the console login screen will be displayed. For a description of how to use the CLI, see “Using the Command Line Interface” on page 69. For a list of all the CLI commands and detailed information on using the CLI, refer to “CLI Command Groups” on page 79.
Chapter 1 | Initial Switch Configuration Basic Configuration

Console Connection
The CLI program provides two different command levels — normal access level (Normal Exec) and privileged access level (Privileged Exec). The commands available at the Normal Exec level are a limited subset of those available at the Privileged Exec level and allow you to only display information and use basic utilities.
Username: admin
Password:

CLI session with the ECS4810-12M is opened.
To end the CLI session, enter [Exit].

Console#configure
Console(config)#username guest password 0 [password]
Console(config)#username admin password 0 [password]
Console(config)#

The 0 keyword means the password that follows is typed in plain text (7 is used when pasting back an already-encrypted string taken from a saved configuration); the switch stores it in encrypted form. Change the factory-default passwords of both accounts before the switch is reachable over the network, since the defaults are published in this guide (see “Default Login Settings”, Table 38 on page 217).

Setting an IP Address
You must establish IP address information for the switch to obtain management access through the network.
Assigning an IPv4 Address
Before you can assign an IP address to the switch, you must obtain the following information from your network administrator:
◆ IP address for the switch
◆ Network mask for this network
◆ Default gateway for the network

To assign an IPv4 address to the switch, complete the following steps:
1. From the Global Configuration mode prompt, type “interface vlan 1” to access the interface-configuration mode.
To configure an IPv6 link local address for the switch, complete the following steps:
1. From the Global Configuration mode prompt, type “interface vlan 1” to access the interface-configuration mode. Press Enter.
2. Type “ipv6 address” followed by up to 8 colon-separated 16-bit hexadecimal values for the ipv6-address similar to that shown in the example, followed by the “link-local” command parameter. Then press Enter.

To generate an IPv6 global unicast address for the switch, complete the following steps:
1. From the Global Configuration mode prompt, type “interface vlan 1” to access the interface-configuration mode. Press Enter.
2. From the interface prompt, type “ipv6 address ipv6-address” or “ipv6 address ipv6-address/prefix-length,” where “prefix-length” indicates the address bits used to form the network portion of the address.
Dynamic Configuration

Obtaining an IPv4 Address
If you select the “bootp” or “dhcp” option, the system will immediately start broadcasting service requests. IP will be enabled but will not function until a BOOTP or DHCP reply has been received. Requests are broadcast every few minutes using exponential backoff until IP configuration information is obtained from a BOOTP or DHCP server.
Console(config)#interface vlan 1
Console(config-if)#ip address dhcp
Console(config-if)#end
Console#show ip interface
VLAN 1 is Administrative Up - Link Up
  Address is 70-72-CF-1C-BA-52
  Index: 1001, MTU: 1500
  Address Mode is DHCP
  IP Address: 192.168.0.2 Mask: 255.255.255.0
Console#copy running-config startup-config
Startup configuration file name []: startup
\Write to FLASH Programming.
\Write to FLASH finish.
Success.
Address for Multi-segment Network
To generate an IPv6 address that can be used in a network containing more than one subnet, the switch can be configured to automatically generate a unique host address based on the local subnet address prefix received in router advertisement messages. (The DHCPv6 client commands are described under “DHCP for IPv6” in Chapter 27.) To dynamically generate an IPv6 host address for the switch, complete the following steps: 1.
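The automatically generated host address above, like the “ipv6 address eui-64” command listed in the Contents, assumes an interface identifier derived from the port MAC address with the modified EUI-64 rule of RFC 4291. The following Python script is an added example, not code from this guide or from Edge-core: it builds the link-local and global addresses for the MAC address 70-72-CF-1C-BA-52 shown in the “show ip interface” output above, using the constructed prefix 2001:db8:1::/64 in place of a prefix learned from a router advertisement, and then shows the reverse step. The reverse step is why this matters for an audit: an EUI-64 address announces the switch's hardware address to every IPv6 peer and remains recognizable even when the prefix changes.

```python
import ipaddress
from typing import Optional

# MAC address as printed by "show ip interface" earlier in this chapter.
SWITCH_MAC = "70-72-CF-1C-BA-52"
# Constructed /64 standing in for the prefix a router advertisement would carry.
SAMPLE_PREFIX = "2001:db8:1::/64"


def eui64_interface_id(mac: str) -> bytes:
    """Modified EUI-64 interface identifier (RFC 4291, Appendix A):
    split the 48-bit MAC in half, insert FF:FE, and invert the
    universal/local bit (bit 0x02 of the first octet)."""
    octets = bytes.fromhex(mac.replace("-", "").replace(":", "").replace(".", ""))
    if len(octets) != 6:
        raise ValueError("MAC address must be 48 bits")
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02
    return bytes(iid)


def link_local_from_mac(mac: str) -> ipaddress.IPv6Address:
    """fe80::/64 plus the EUI-64 identifier."""
    return ipaddress.IPv6Address(b"\xfe\x80" + b"\x00" * 6 + eui64_interface_id(mac))


def global_from_prefix(prefix: str, mac: str) -> ipaddress.IPv6Interface:
    """Combine an advertised /64 prefix with the EUI-64 identifier."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 addressing needs a /64 prefix")
    addr = ipaddress.IPv6Address(net.network_address.packed[:8] + eui64_interface_id(mac))
    return ipaddress.IPv6Interface(f"{addr}/64")


def mac_from_eui64_address(addr: str) -> Optional[str]:
    """Recover the MAC from an EUI-64 derived address; None if the
    identifier does not carry the FF:FE marker (e.g. a manual address)."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    octets = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return "-".join(f"{b:02X}" for b in octets)


if __name__ == "__main__":
    ll = link_local_from_mac(SWITCH_MAC)
    gl = global_from_prefix(SAMPLE_PREFIX, SWITCH_MAC)
    print("link-local :", ll)
    print("global     :", gl)
    print("MAC leaked :", mac_from_eui64_address(str(gl.ip)))
```

The same identifier appears in both the link-local and the global address, so a single observation of either one reveals the MAC and lets an observer correlate the switch across prefixes; if that is a concern, assign the global address manually with the “ipv6 address ipv6-address/prefix-length” form instead.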
Note the following DHCP client behavior:
◆ The bootup configuration file received from a TFTP server is stored on the switch with the original file name. If this file name already exists in the switch, the file is overwritten.
◆ If the name of the bootup configuration file is the same as the Factory Default Configuration file, the download procedure will be terminated, and the switch will not send any further DHCP client requests.

The switch fetches the file from whichever TFTP server the DHCP reply names, and TFTP provides neither authentication nor integrity protection, so any host that answers the switch's DHCP broadcast first can hand it a configuration of its choosing. Use this mechanism only on a management network whose DHCP servers are trusted, and enable DHCP snooping (Chapter 9) so that server replies are accepted only on trusted ports.
The following configuration examples are provided for a Linux-based DHCP daemon (dhcpd.conf file). In the “Vendor class” section, the server will always send Option 66 and 67 to tell the switch to download the “test” configuration file from server 192.168.255.101.

ddns-update-style ad-hoc;
default-lease-time 600;
max-lease-time 7200;
log-facility local7;
server-name "Server1";
Server-identifier 192.168.255.
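The download procedure above hinges on two values in the DHCP reply, Option 66 (TFTP server name) and Option 67 (bootfile name), listed in Table 1. The following Python script is an added example written for this guide, not code from Edge-core or from the ISC DHCP project: it parses the option field of a DHCP reply as defined in RFC 2132 and applies the check an audit tool or management station should make before trusting such a reply, namely that the server identifier (Option 54) belongs to a known DHCP server. The OFFER bytes are constructed; the TFTP server 192.168.255.101 and file name “test” are the values from the dhcpd.conf excerpt above, while the server identifier 192.168.255.10 is an assumed value.

```python
import ipaddress
from typing import Dict, Iterable, Optional, Tuple

# RFC 2132 option codes relevant to the configuration-download procedure.
OPT_PAD, OPT_END = 0, 255
OPT_MSG_TYPE, OPT_SERVER_ID = 53, 54
OPT_TFTP_SERVER, OPT_BOOTFILE = 66, 67
MSG_OFFER, MSG_ACK = b"\x02", b"\x05"


def parse_dhcp_options(data: bytes) -> Dict[int, bytes]:
    """Parse the TLV field that follows the DHCP magic cookie.
    Raises ValueError on a truncated option or a missing END marker."""
    opts: Dict[int, bytes] = {}
    i = 0
    while i < len(data):
        code = data[i]
        if code == OPT_PAD:            # single-byte padding, no length field
            i += 1
            continue
        if code == OPT_END:
            return opts
        if i + 1 >= len(data):
            raise ValueError(f"option {code} has no length byte")
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} truncated: want {length}, have {len(value)}")
        # RFC 3396: a repeated option code carries one value split over several TLVs
        opts[code] = opts.get(code, b"") + value
        i += 2 + length
    raise ValueError("option field ends without an END (255) marker")


def build_option(code: int, value: bytes) -> bytes:
    if not 0 < len(value) < 256:
        raise ValueError("option value must be 1..255 bytes")
    return bytes([code, len(value)]) + value


def config_download_target(opts: Dict[int, bytes],
                           trusted_servers: Iterable[str]) -> Optional[Tuple[str, str]]:
    """Return (tftp_server, filename) only if the reply is an OFFER or ACK,
    carries both Option 66 and 67, and its server identifier is on the
    allow-list; otherwise None."""
    if opts.get(OPT_MSG_TYPE) not in (MSG_OFFER, MSG_ACK):
        return None
    sid = opts.get(OPT_SERVER_ID)
    if sid is None or len(sid) != 4:
        return None
    if str(ipaddress.IPv4Address(sid)) not in set(trusted_servers):
        return None
    if OPT_TFTP_SERVER not in opts or OPT_BOOTFILE not in opts:
        return None
    return opts[OPT_TFTP_SERVER].decode("ascii"), opts[OPT_BOOTFILE].decode("ascii")


# Constructed option field of an OFFER such as the dhcpd.conf above would send.
SAMPLE_OFFER = (
    build_option(OPT_MSG_TYPE, MSG_OFFER)
    + build_option(OPT_SERVER_ID, ipaddress.IPv4Address("192.168.255.10").packed)  # assumed
    + build_option(OPT_TFTP_SERVER, b"192.168.255.101")
    + build_option(OPT_BOOTFILE, b"test")
    + bytes([OPT_PAD, OPT_END])
)

if __name__ == "__main__":
    parsed = parse_dhcp_options(SAMPLE_OFFER)
    print("trusted server  :", config_download_target(parsed, {"192.168.255.10"}))
    print("unknown server  :", config_download_target(parsed, {"10.0.0.1"}))
```

The allow-list check is the software counterpart of the trusted-port distinction that DHCP snooping enforces on the wire: a reply whose server identifier is not a known server should never be allowed to dictate where a configuration file is fetched from.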
views to version 1 or 2c community strings that suit your specific security requirements (under "Setting SNMPv3 Views" in the Web Management Guide).

Community Strings (for SNMP version 1 and 2c clients)
Community strings are used to control management access to SNMP version 1 and 2c stations, as well as to authorize SNMP stations to receive trap messages from the switch. A community string is the only credential a v1/2c request carries, and it travels in clear text in every packet, so anyone who can observe management traffic can reuse it. Replace the default strings, grant read-only access wherever write access is not required, and prefer SNMPv3 users with authentication and privacy (see “SNMPv3 Commands” on page 185) for any station that must change the configuration.
Chapter 1 | Initial Switch Configuration Managing System Files where “host-address” is the IP address for the trap receiver, “community-string” specifies access rights for a version 1/2c host, or is the user name of a version 3 host, “version” indicates the SNMP client version, and “auth | noauth | priv” means that authentication, no authentication, or authentication and privacy is used for v3 clients. Then press Enter.
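Both the community strings of the previous section and the “auth | noauth | priv” choice for version 3 hosts above come down to how a station proves itself to the switch. For SNMPv3, RFC 3414 derives per-agent keys from the user's password and the agent's engine ID (the value “show snmp engine-id” in Chapter 5 displays). The following Python script is an added example, not code from this guide or from Edge-core: it implements the RFC 3414 password-to-key and key-localization steps and checks them against the test vectors published in the RFC. The password and engine ID are the RFC's values, not ones taken from a switch.

```python
import hashlib

# RFC 3414 Appendix A test vector inputs (not values from a real switch).
RFC3414_PASSWORD = b"maplesyrup"
RFC3414_ENGINE_ID = bytes.fromhex("000000000000000000000002")
STREAM_LEN = 1048576  # RFC 3414 A.2: hash exactly 1 MiB of repeated password


def password_to_key(password: bytes, hash_name: str = "md5") -> bytes:
    """Ku: digest of the password repeated cyclically to 1,048,576 bytes.
    The large input is deliberate; it slows offline password guessing."""
    if not password:
        raise ValueError("empty password")
    stream = (password * (STREAM_LEN // len(password) + 1))[:STREAM_LEN]
    return hashlib.new(hash_name, stream).digest()


def localize_key(ku: bytes, engine_id: bytes, hash_name: str = "md5") -> bytes:
    """Kul = H(Ku || engineID || Ku): the key a specific agent stores."""
    if not engine_id:
        raise ValueError("empty engine ID")
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def localized_key(password: bytes, engine_id: bytes, hash_name: str = "md5") -> bytes:
    """Full derivation from password to the per-agent localized key."""
    return localize_key(password_to_key(password, hash_name), engine_id, hash_name)


if __name__ == "__main__":
    for alg in ("md5", "sha1"):
        ku = password_to_key(RFC3414_PASSWORD, alg)
        kul = localize_key(ku, RFC3414_ENGINE_ID, alg)
        print(f"{alg}: Ku={ku.hex()}")
        print(f"{alg}: Kul={kul.hex()}")
```

Two consequences matter operationally. A manager must know the switch's engine ID before it can authenticate, and changing the engine ID with “snmp-server engine-id” changes every user's localized key on that switch. And the localized key is only as strong as the password behind it: whoever captures authenticated v3 traffic can run this derivation offline against a word list, so choosing “auth” or “priv” does not excuse weak SNMP passwords.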
selected as a system start-up file or can be uploaded via FTP/TFTP to a server for backup. The file named “Factory_Default_Config.cfg” contains all the system default settings and cannot be deleted from the system. If the system is booted with the factory default settings, the switch will also create a file named “startup1.
The maximum number of saved configuration files depends on available flash memory. The amount of available flash memory can be checked by using the dir command. To save the current configuration settings, enter the following command:
1. From the Privileged Exec mode prompt, type “copy running-config startup-config” and press Enter.
2. Enter the name of the start-up file. Press Enter.
Section II Command Line Interface This section provides a detailed description of the Command Line Interface, along with examples for all of the commands.
◆ "VLAN Commands" on page 521
◆ "Class of Service Commands" on page 567
◆ "Quality of Service Commands" on page 583
◆ "Multicast Filtering Commands" on page 603
◆ "LLDP Commands" on page 711
◆ "CFM Commands" on page 735
◆ "OAM Commands" on page 777
◆ "Domain Name Service Commands" on page 789
◆ "DHCP Commands" on page 799
◆ "IP Interface Commands" on page 813
2 Using the Command Line Interface This chapter describes how to use the Command Line Interface (CLI). Accessing the CLI When accessing the management interface for the switch over a direct connection to the switch’s console port, or via a Telnet or Secure Shell (SSH) connection, the switch can be managed by entering command keywords and parameters at the prompt. Using the switch's command-line interface (CLI) is very similar to entering commands on a UNIX system.
Chapter 2 | Using the Command Line Interface Accessing the CLI

Telnet Connection
Telnet operates over the IP transport protocol. In this environment, your management station and any network device you want to manage over the network must have a valid IP address. Valid IP addresses consist of four numbers, 0 to 255, separated by periods. Each address consists of a network portion and host portion. For example, the IP address assigned to this switch, 10.1.0.1, consists of a network portion (10.1.

Telnet carries the login name, the password and every command in clear text. Use it only on an isolated management network; for management across any other network use SSH (see the Secure Shell commands in Chapter 8) and disable the Telnet server with the no ip telnet server command (page 241).
Note: You can open up to eight sessions to the device via Telnet.

Entering Commands
This section describes how to enter CLI commands.

Keywords and Arguments
A CLI command is a series of keywords and arguments. Keywords identify a command, and arguments specify configuration parameters.

Getting Help on Commands
You can display a brief description of the help system by entering the help command. You can also display command syntax by using the “?” character to list keywords or parameters.

Showing Commands
If you enter a “?” at the command prompt, the system will display the first level of keywords or command groups. You can also display a list of valid keywords for a specific command.
  power-save            Shows the power saving information
  pppoe                 Displays PPPoE configuration
  process               Device process
  protocol-vlan         Protocol-VLAN information
  public-key            Publ
  qos
  queue
  radius-server
  reload
  rmon
  rspan
  running-config
  sflow
  snmp
  snmp-server
  sntp
  spanning-tree
  ssh
  startup-config
  subnet-vlan
  synce
  system
  tacacs-server
  tech-support
  time-range
  traffic-segmentation
  udld
  upgrade
  users
  version
  vlan
  vlan-translation
  voice
  watchdog
  web-auth
Console#show
Partial Keyword Lookup
If you terminate a partial keyword with a question mark, alternatives that match the initial letters are provided. (Remember not to leave a space between the command and question mark.) For example “s?” shows all the keywords starting with “s.
current mode. The command classes and associated modes are displayed in the following table:

Table 3: General Command Modes

Class          Mode
Exec           Normal
               Privileged
Configuration  Global*
               Access Control List
               CFM
               Class Map
               ERPS
               IGMP Profile
               Interface
               Line
               Multiple Spanning Tree
               Policy Map
               Time Range
               VLAN Database

* You must be in Privileged Exec mode to access the Global configuration mode.
Configuration Commands
Configuration commands are privileged level commands used to modify switch settings. These commands modify the running configuration only and are not saved when the switch is rebooted. To store the running configuration in nonvolatile storage, use the copy running-config startup-config command.

To enter the Global Configuration mode, enter the command configure in Privileged Exec mode. The system prompt will change to “Console(config)#” which gives you access privilege to all Global Configuration commands.

Console#configure
Console(config)#

To enter the other modes, at the configuration prompt type one of the following commands. Use the exit or end command to return to the Privileged Exec mode.

Command Line Processing
Commands are not case sensitive. You can abbreviate commands and parameters as long as they contain enough letters to differentiate them from any other currently available commands or parameters. You can use the Tab key to complete partial commands, or enter a partial command followed by the “?” character to display a list of possible matches.
Console(config)#end
Console#show ip igmp snooping mrouter
 VLAN M'cast Router Ports  Type
 ---- ------------------- -------
    1 Eth 1/11            Static
Console#

Output Modifiers
Some of the show commands include options for output modifiers.
Table 6: Command Group Index (Continued)

Command Group                  Description                                                                Page
User Authentication            Configures user names and passwords, logon access using local or remote     215
                               authentication, management access through the web server, Telnet server
                               and Secure Shell; as well as port security, IEEE 802.
Connectivity Fault Management  Configures connectivity monitoring using continuity check messages, fault   735
                               verification through loopback messages, and fault isolation by examining
                               end-to-end connections between Provider Edge devices or between Customer
                               Edge devices
OAM                            Configures Operations, Administration and Maintenance remote management     777
                               tools required to moni
3 General Commands The general commands are used to control the command access mode, configuration mode, and other basic functions.
Chapter 3 | General Commands

Command Mode
Global Configuration

Example
Console(config)#prompt RD2
RD2(config)#

reload (Global Configuration)
This command restarts the system at a specified time, after a specified delay, or at a periodic interval. You can reboot the system immediately, or you can configure the switch to reset after a specified amount of time. Use the cancel option to remove a configured setting.
Command Usage
◆ This command resets the entire system.
◆ Any combination of reload options may be specified. If the same option is respecified, the previous setting will be overwritten.
◆ When the system is restarted, it will always run the Power-On Self-Test. It will also retain all configuration information stored in non-volatile memory by the copy running-config startup-config command (See “copy” on page 115).
Chapter 3 | General Commands Example Console>enable Password: [privileged level password] Console# Related Commands disable (88) enable password (216) quit This command exits the configuration program. Default Setting None Command Mode Normal Exec, Privileged Exec Command Usage The quit and exit commands can both exit the configuration program.
Chapter 3 | General Commands Example In this example, the show history command lists the contents of the command history buffer: Console#show history Execution command history: 2 config 1 show history Configuration command history: 4 interface vlan 1 3 exit 2 interface vlan 1 1 end Console# The ! command repeats commands from the Execution command history buffer when you are in Normal Exec or Privileged Exec Mode, and commands from the Configuration command history buffer when you are in any of the config
Chapter 3 | General Commands disable This command returns to Normal Exec mode from privileged mode. In normal access mode, you can only display basic information on the switch's configuration or Ethernet statistics. To gain access to all commands, you must use the privileged mode. See “Understanding Command Modes” on page 74. Default Setting None Command Mode Privileged Exec Command Usage The “>” character is appended to the end of the prompt to indicate that the system is in normal access mode.
Chapter 3 | General Commands show reload This command displays the current reload settings, and the time at which next scheduled reload will take place. Command Mode Privileged Exec Example Console#show reload Reloading switch in time: 0 hours 29 minutes. The switch will be rebooted at January 1 02:11:50 2001. Remaining Time: 0 days, 0 hours, 29 minutes, 52 seconds. Console# end This command returns to Privileged Exec mode.
Chapter 3 | General Commands Example This example shows how to return to the Privileged Exec mode from the Global Configuration mode, and then quit the CLI session: Console(config)#exit Console#exit Press ENTER to start session User Access Verification Username: – 90 –
4 System Management Commands The system management commands are used to control system logs, passwords, user names, management options, and display or configure a variety of other system information.
Chapter 4 | System Management Commands Banner Information
hostname This command specifies or modifies the host name for this device. Use the no form to restore the default host name.
Syntax
hostname name
no hostname
name - The name of this host.
Table 10: Banner Commands (Continued)
Command | Function | Mode
banner configure lp-number | Configures the LP Number information that is displayed by banner | GC
banner configure manager-info | Configures the Manager contact information that is displayed by banner | GC
banner configure mux | Configures the MUX information that is displayed by banner | GC
banner configure note | Configures miscellaneous information that is displayed by banner under the | GC

The physical location of the equipment.
City and street address: 12 Straight St. Motown, Zimbabwe
Information about this equipment:
Manufacturer: Edge-Core Networks
ID: 123_unique_id_number
Floor: 2
Row: 7
Rack: 29
Shelf in this rack: 8
Information about DC power supply.
Floor: 2
Row: 7
Rack: 25
Electrical circuit: : ec-177743209-xb
Number of LP:12
Position of the equipment in the MUX:1/23
IP LAN:192.168.1.

banner configure dc-power-info This command is used to configure DC power information displayed in the banner. Use the no form to restore the default setting.
Syntax
banner configure dc-power-info floor floor-id row row-id rack rack-id electrical-circuit ec-id
no banner configure dc-power-info [floor | row | rack | electrical-circuit]
floor-id - The floor number.
row-id - The row number.
rack-id - The rack number.
ec-id - The electrical circuit ID.

Command Mode Global Configuration
Command Usage Input strings cannot contain spaces. The banner configure department command interprets spaces as data input boundaries. The use of underscores ( _ ) or other unobtrusive non-letter characters is suggested for situations where white space is necessary for clarity.

Example
Console(config)#banner configure equipment-info manufacturer-id ECS4810-12M floor 3 row 10 rack 15 shelf-rack 12 manufacturer Edge-Core
Console(config)#

banner configure equipment-location This command is used to configure the equipment location information displayed in the banner. Use the no form to restore the default setting.

Command Mode Global Configuration
Command Usage Input strings cannot contain spaces. The banner configure ip-lan command interprets spaces as data input boundaries. The use of underscores ( _ ) or other unobtrusive non-letter characters is suggested for situations where white space is necessary for clarity.
Example
Console(config)#banner configure ip-lan 192.168.1.1/255.255.255.

banner configure manager-info This command is used to configure the manager contact information displayed in the banner. Use the no form to restore the default setting.
Syntax
banner configure manager-info name mgr1-name phone-number mgr1-number [name2 mgr2-name phone-number mgr2-number | name3 mgr3-name phone-number mgr3-number]
no banner configure manager-info [name1 | name2 | name3]
mgr1-name - The name of the first manager.

Default Setting None
Command Mode Global Configuration
Command Usage Input strings cannot contain spaces. The banner configure mux command interprets spaces as data input boundaries. The use of underscores ( _ ) or other unobtrusive non-letter characters is suggested for situations where white space is necessary for clarity.
Chapter 4 | System Management Commands System Status
show banner This command displays all banner information.
Command Mode Normal Exec, Privileged Exec
Example
Console#show banner
Edge-Core
WARNING - MONITORED ACTIONS AND ACCESSES
R&D
Albert_Einstein - 123-555-1212
Lamar - 123-555-1219
Station's information:
710_Network_Path,_Indianapolis
Edge-Core - ECS4810-12M
Floor / Row / Rack / Sub-Rack
3/ 10 / 15 / 12
DC power supply:
Power Source A: Floor / Row / Rack / Electrical circuit
3/ 15 / 24 / 48v-id_3.15.
Table 11: System Status Commands (Continued)
Command | Function | Mode
show tech-support | Displays a detailed list of system settings designed to help technical support resolve configuration or functional problems | PE
show users | Shows all active console and Telnet sessions, including user name, idle time, and IP address of Telnet clients | NE, PE
show version | Displays version information for the system | NE, PE
show watchdog | Shows if watchdog debugging

Command Mode Privileged Exec
Command Usage The alarms supported by this switch include various external alarms which can be sent to the switch through hard-wired connections described in the Installation Guide. Refer to the Installation Guide for information on how to use the alarm relay contacts and external site alarm inputs.

Example
The following shows the message types displayed when no alarms are active, and another example when both minor and major alarms occur.
Console#show alarm-status
Unit 1
 Asserted Alarm Input : [NONE]
 Current Major Alarm Status:[NONE]
 Current Minor Alarm Status:[NONE]
 Current Major Alarm Output Status:[INACTIVE]
 Current Minor Alarm Output Status:[INACTIVE]
Console#

show memory This command shows memory utilization parameters.

CPU Utilization in the past 60 seconds
 Average Utilization : 23%
 Maximum Utilization : 28%
Alarm Status
 Current Alarm Status : Off
 Last Alarm Start Time : Oct 4 09:45:45 2013
 Last Alarm Duration Time : 10 seconds
Alarm Configuration
 Rising Threshold : 90%
 Falling Threshold : 70%
Console#
Related Commands process cpu (197)

show process cpu This command shows the CPU utilization watermark and threshold settings.

Table 12: show process cpu guard - display description
Field | Description
Minimum Threshold | If packet flow has been stopped after exceeding the maximum threshold, normal flow will be restored after usage falls beneath the minimum threshold.
Trap Status | Shows if an alarm message will be generated when utilization exceeds the high watermark or exceeds the maximum threshold.

■ VLAN configuration settings for each interface
■ Multiple spanning tree instances (name and interfaces)
■ IP address configured for management VLAN
■ Layer 4 precedence settings
■ Spanning tree settings
■ Interface settings
■ Any configured settings for the console port and Telnet
Example
Console#show running-config
Building startup configuration. Please wait...

show startup-config This command displays the configuration file stored in non-volatile memory that is used to start up the system.
Command Mode Privileged Exec
Command Usage
◆ Use this command in conjunction with the show running-config command to compare the information in running memory to the information stored in nonvolatile memory.
◆ This command displays settings for key command modes.

Example
Console#show system
System Description : ECS4810-12M
System OID String : 1.3.6.1.4.1.259.10.1.11
System Information
 System Up Time : 0 days, 3 hours, 11 minutes, and 23.

show users Shows all active console and Telnet sessions, including user name, idle time, and IP address of Telnet client.
Default Setting None
Command Mode Normal Exec, Privileged Exec
Command Usage The session used to execute this command is indicated by a “*” symbol next to the Line (i.e., session) index number.

Example
Console#show version
Unit 1
 Serial Number          : S123456
 Hardware Version       : R0B
 EPLD Version           : 0.00
 Number of Ports        : 12
 Main Power Status      : Active
 Redundant Power Status : Inactive
 Role                   : Master
 Loader Version         : 1.0.0.8
 Linux Kernel Version   : 2.6.22.18
 Boot ROM Version       : 1.0.0.0
 Operation Code Version : 1.1.4.10
Console#

show watchdog This command shows if watchdog debugging is enabled.
Chapter 4 | System Management Commands Frame Size
Frame Size This section describes commands used to configure the Ethernet frame size on the switch.
Table 13: Frame Size Commands
Command | Function | Mode
jumbo frame | Enables support for jumbo frames | GC

jumbo frame This command enables support for Layer 2 jumbo frames for Gigabit Ethernet ports. Use the no form to disable it.
Chapter 4 | System Management Commands File Management File Management Managing Firmware Firmware can be uploaded and downloaded to or from an FTP/TFTP server. By saving runtime code to a file on an FTP/TFTP server, that file can later be downloaded to the switch to restore operation. The switch can also be set to use new firmware without overwriting the previous version.
Table 14: Flash/File Commands (Continued)
Command | Function | Mode
ip tftp retry | Specifies the number of times the switch can retry transmitting a request to a TFTP server | GC
ip tftp timeout | Specifies the time the switch can wait for a response from a TFTP server before retransmitting a request or timing out for the last retry | GC

General Commands
boot system This command specifies the file or image used to start up the system.

copy This command moves (upload/download) a code image or configuration file between the switch’s flash memory and an FTP/TFTP server. When you save the system code or configuration settings to a file on an FTP/TFTP server, that file can later be downloaded to the switch to restore system operation. The success of the file transfer depends on the accessibility of the FTP/TFTP server and the quality of the network connection.

◆ The Boot ROM and Loader cannot be uploaded or downloaded from the FTP/TFTP server. You must follow the instructions in the release notes for new firmware, or contact your distributor for help.
◆ For information on specifying an https-certificate, see "Replacing the Default Secure-site Certificate" in the Web Management Guide. For information on configuring the switch to use HTTPS for a secure connection, see the ip http secure-server command.

The following example shows how to download a configuration file:
Console#copy tftp startup-config
TFTP server ip address: 10.1.0.99
Source configuration file name: startup.01
Startup configuration file name [startup]:
Write to FLASH Programming.
\Write to FLASH finish.
Success.
Console#
This example shows how to copy a secure-site certificate from a TFTP server.

Destination file name: BLANC.BIX
Console#

delete This command deletes a file or image.
Syntax
delete {file name filename | public-key username [dsa | rsa]}
filename - Name of configuration file or code image.
public-key - Keyword that allows you to delete an SSH key on the switch. (See “Secure Shell” on page 242.)
username – Name of an SSH user. (Range: 1-8 characters)
dsa – DSA public key type.
rsa – RSA public key type.

dir This command displays a list of files in flash memory.
Syntax
dir {boot-rom: | config: | opcode:} [filename]
boot-rom - Boot ROM (or diagnostic) image file.
config - Switch configuration file.
opcode - Run-time operation code image file.
filename - Name of configuration file or code image. If this file exists but contains errors, information on this file cannot be shown.

whichboot This command displays which files were booted when the system powered up.
Syntax whichboot
Default Setting None
Command Mode Privileged Exec
Example
This example shows the information displayed by the whichboot command. See the table under the dir command for a description of the file information displayed by this command.

version newer than the one currently in use, it will download the new image. If two code images are already stored in the switch, the image not set to start up the system will be overwritten by the new version.
2. After the image has been downloaded, the switch will send a trap message to log whether or not the upgrade operation was successful.
3. It sets the new version as the startup image.
4.

Command Usage
◆ This command is used in conjunction with the upgrade opcode auto command to facilitate automatic upgrade of new operational code stored at the location indicated by this command.
◆ The name for the new image stored on the TFTP server must be ecs-runtime.bix. However, note that the file name is not to be included in this command.

Example
This shows how to specify a TFTP server where new code is stored.
Console(config)#upgrade opcode reload
Console(config)#

show upgrade This command shows the opcode upgrade configuration settings.
Command Mode Privileged Exec
Example
Console#show upgrade
Auto Image Upgrade Global Settings:
 Status : Disabled
 Reload Status : Disabled
 Path :
 File Name : ecs3510-28t.

ip tftp timeout This command specifies the time the switch can wait for a response from a TFTP server before retransmitting a request or timing out for the last retry. Use the no form to restore the default setting.
Syntax
ip tftp timeout seconds
no ip tftp timeout
seconds - The time the switch can wait for a response from a TFTP server before retransmitting a request or timing out.
Chapter 4 | System Management Commands Line Line You can access the onboard configuration program by attaching a VT100 compatible device to the server’s serial port. These commands are used to set communication parameters for the serial port or Telnet (i.e., a virtual terminal).
vty - Virtual terminal for remote console access (i.e., Telnet).
Default Setting There is no default line.
Command Mode Global Configuration
Command Usage Telnet is considered a virtual terminal connection and will be shown as “VTY” in screen displays such as show users. However, the serial communication parameters (e.g., databits) do not affect Telnet connections.

Example
To specify 7 data bits, enter this command:
Console(config-line)#databits 7
Console(config-line)#
Related Commands parity (129)

exec-timeout This command sets the interval that the system waits until user input is detected. Use the no form to restore the default.
Syntax
exec-timeout [seconds]
no exec-timeout
seconds - Integer that specifies the timeout interval.

login This command enables password checking at login. Use the no form to disable password checking and allow connections without a password.
Syntax
login [local]
no login
local - Selects local password checking. Authentication is based on the user name specified with the username command.

parity This command defines the generation of a parity bit. Use the no form to restore the default setting.
Syntax
parity {none | even | odd}
no parity
none - No parity
even - Even parity
odd - Odd parity
Default Setting No parity
Command Mode Line Configuration
Command Usage Communication protocols provided by devices such as terminals and modems often require a specific parity bit setting.

Command Usage
◆ When a connection is started on a line with password protection, the system prompts for the password. If you enter the correct password, the system shows a prompt. You can use the password-thresh command to set the number of times a user can enter an incorrect password before the system terminates the line connection and returns the terminal to the idle state.

Example
To set the password threshold to five attempts, enter this command:
Console(config-line)#password-thresh 5
Console(config-line)#
Related Commands silent-time (131)

silent-time This command sets the amount of time the management console is inaccessible after the number of unsuccessful logon attempts exceeds the threshold set by the password-thresh command. Use the no form to remove the silent time value.
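The interaction between password-thresh and silent-time is easiest to see as a small state machine. The following is an added example (not code from the ECS4810-12M guide) that models one line: it assumes the failure counter resets on a successful login, that reaching the threshold terminates the line, and that the line then stays inaccessible for silent_time seconds; the guide does not spell out those internals, so treat them as assumptions. The password value is a constructed demo value.

```python
"""Model of the password-thresh / silent-time lockout on a console or VTY line.

Added example, not code from the ECS4810-12M guide. Assumptions (not stated
by the guide): the failure counter resets on a successful login, reaching the
threshold terminates the line, and the line then stays closed for
silent_time seconds.
"""
from dataclasses import dataclass
import hmac


@dataclass
class LineLoginGuard:
    password_thresh: int      # incorrect passwords allowed before the line is terminated
    silent_time: int          # seconds the line stays inaccessible afterwards
    secret: str               # configured line password (constructed demo value)
    failures: int = 0         # consecutive incorrect passwords on this line
    locked_until: float = -1  # time at which the current silent period ends

    def is_silent(self, now: float) -> bool:
        """True while the line is inside its silent period."""
        return now < self.locked_until

    def attempt(self, password: str, now: float) -> str:
        """Process one login attempt at time `now` (seconds).

        Returns "silent" (line closed), "ok", "retry" (wrong, prompt again)
        or "dropped" (threshold reached: line terminated, silent period starts).
        """
        if self.is_silent(now):
            return "silent"
        # constant-time comparison so the check itself leaks nothing about the secret
        if hmac.compare_digest(password.encode(), self.secret.encode()):
            self.failures = 0
            return "ok"
        self.failures += 1
        if self.failures >= self.password_thresh:
            self.failures = 0
            self.locked_until = now + self.silent_time
            return "dropped"
        return "retry"


def simulate(guard: LineLoginGuard, attempts) -> list:
    """Run (password, time) pairs through the guard and return the outcomes."""
    return [guard.attempt(pw, t) for pw, t in attempts]


if __name__ == "__main__":
    # constructed scenario: threshold 5 (the guide's example value), 30 s silent time
    g = LineLoginGuard(password_thresh=5, silent_time=30, secret="demo-secret")
    trace = [("wrong", t) for t in range(5)] + [("demo-secret", 10), ("demo-secret", 35)]
    print(simulate(g, trace))
```

With a threshold of 5 and a 30-second silent time, the fifth wrong password drops the line, a correct password 10 seconds later is still refused because the line is silent, and the line accepts the correct password again once the silent period has elapsed. Without silent-time, the only cost of hitting the threshold is reconnecting, which is why the two settings belong together.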
Default Setting 115200 bps
Command Mode Line Configuration
Command Usage Set the speed to match the baud rate of the device connected to the serial port. Some baud rates available on devices connected to the port might not be supported. The system indicates if the speed you selected is not supported.

timeout login response This command sets the interval that the system waits for a user to log into the CLI. Use the no form to restore the default setting.
Syntax
timeout login response [seconds]
no timeout login response
seconds - Integer that specifies the timeout interval.

Example
Console#disconnect 1
Console#
Related Commands
show ssh (251)
show users (110)

terminal This command configures terminal settings, including escape-character, lines displayed, terminal type, width, and command history. Use the no form with the appropriate keyword to restore the default setting.

Example
This example sets the number of lines displayed by commands with lengthy output such as show running-config to 48 lines.
Console#terminal length 48
Console#

show line This command displays the terminal line’s parameters.
Syntax
show line [console | vty]
console - Console terminal line.
vty - Virtual terminal for remote console access (i.e., Telnet).
Chapter 4 | System Management Commands Event Logging Event Logging This section describes commands used to configure event logging on the switch.
logging history This command limits syslog messages saved to switch memory based on severity. The no form returns the logging of syslog messages to the default level.
Syntax
logging history {flash | ram} level
no logging history {flash | ram}
flash - Event history stored in flash memory (i.e., permanent memory).
ram - Event history stored in temporary RAM (i.e., memory flushed on power reset).
level - One of the levels listed below.

logging host This command adds a syslog server host IP address that will receive logging messages. Use the no form to remove a syslog server host.
Syntax
logging host host-ip-address [port udp-port]
no logging host host-ip-address
host-ip-address - The IPv4 or IPv6 address of a syslog server.
udp-port - The UDP port number used by the remote server.

Example
Console(config)#logging on
Console(config)#
Related Commands
logging history (137)
logging trap (139)
clear log (140)

logging trap This command enables the logging of system messages to a remote server, or limits the syslog messages saved to a remote server based on severity. Use this command without a specified level to enable remote logging. Use the no form to disable remote logging.

clear log This command clears messages from the log buffer.
Syntax
clear log [flash | ram]
flash - Event history stored in flash memory (i.e., permanent memory).
ram - Event history stored in temporary RAM (i.e., memory flushed on power reset).
Default Setting Flash and RAM
Command Mode Privileged Exec
Example
Console#clear log
Console#
Related Commands show log (140)

show log This command displays the log messages stored in local memory.

Example
The following example shows the event messages stored in RAM.
Console#show log ram
[1] 00:01:30 2001-01-01
   "VLAN 1 link-up notification."
   level: 6, module: 5, function: 1, and event no.: 1
[0] 00:01:30 2001-01-01
   "Unit 1, Port 1 link-up notification."
   level: 6, module: 5, function: 1, and event no.
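The show log output has a regular shape (index, time, date, quoted message, then level/module/function/event fields), which makes it straightforward to pull a captured buffer into structured records for triage or forwarding. The following parser is an added example, not code from the ECS4810-12M guide; SAMPLE_OUTPUT is a constructed capture in the layout shown above (the level-4 entry is invented for the sample, only the two level-6 entries appear in the guide), and the severity convention used for filtering (lower number = more severe) is the standard syslog one.

```python
"""Parser for `show log ram` / `show log flash` output.

Added example, not part of the ECS4810-12M guide. SAMPLE_OUTPUT is a
constructed capture in the layout the guide shows; the level-4 entry is
invented for the sample.
"""
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime

# One entry: [idx] HH:MM:SS YYYY-MM-DD "message" level: n, module: n, function: n, and event no.: n
LOG_ENTRY = re.compile(
    r'\[(?P<idx>\d+)\]\s+(?P<time>\d\d:\d\d:\d\d)\s+(?P<date>\d{4}-\d\d-\d\d)\s+'
    r'"(?P<msg>[^"]*)"\s+level:\s*(?P<level>\d+),\s*module:\s*(?P<module>\d+),'
    r'\s*function:\s*(?P<function>\d+),\s*and event no\.:\s*(?P<event>\d+)'
)

SAMPLE_OUTPUT = """Console#show log ram
[2] 00:02:05 2001-01-01
   "Unit 1, Port 3 link-down notification."
   level: 4, module: 5, function: 1, and event no.: 3
[1] 00:01:30 2001-01-01
   "VLAN 1 link-up notification."
   level: 6, module: 5, function: 1, and event no.: 1
[0] 00:01:30 2001-01-01
   "Unit 1, Port 1 link-up notification."
   level: 6, module: 5, function: 1, and event no.: 1
Console#"""


@dataclass(frozen=True)
class LogEvent:
    index: int
    timestamp: datetime
    message: str
    level: int       # syslog severity: 0 = emergency ... 7 = debug
    module: int
    function: int
    event_no: int


def parse_show_log(text: str) -> list:
    """Extract every log entry from a `show log` capture; prompts and other noise are skipped."""
    events = []
    for m in LOG_ENTRY.finditer(text):
        ts = datetime.strptime(f"{m['date']} {m['time']}", "%Y-%m-%d %H:%M:%S")
        events.append(LogEvent(int(m['idx']), ts, m['msg'], int(m['level']),
                               int(m['module']), int(m['function']), int(m['event'])))
    return events


def at_most_level(events, max_level: int) -> list:
    """Keep entries at severity `max_level` or more severe (lower number = more severe)."""
    return [e for e in events if e.level <= max_level]


def count_by_level(events) -> dict:
    """Histogram of entries per severity, a quick triage summary of a buffer."""
    return dict(Counter(e.level for e in events))


if __name__ == "__main__":
    evs = parse_show_log(SAMPLE_OUTPUT)
    for e in at_most_level(evs, 4):
        print(e.timestamp.isoformat(), e.level, e.message)
    print(count_by_level(evs))
```

The regex tolerates the line wrapping in the capture because every separator is `\s+`, so the same parser works whether the entry was captured as three lines or joined into one. Because the RAM buffer is flushed on power reset (and the flash buffer can be cleared with clear log), the practical use of this is to forward entries to a syslog server configured with logging host rather than to rely on the on-switch copy.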
Chapter 4 | System Management Commands SMTP Alerts
Table 19: show logging flash/ram - display description
Field | Description
Syslog logging | Shows if system logging has been enabled via the logging on command.
History logging in FLASH | The message level(s) reported based on the logging history command.
History logging in RAM | The message level(s) reported based on the logging history command.
The following example displays settings for the trap function.
Table 21: Event Logging Commands (Continued)
Command | Function | Mode
logging sendmail destination-email | Email recipients of alert messages | GC
logging sendmail source-email | Email address used for “From” field of alert messages | GC
show logging sendmail | Displays SMTP event handler settings | NE, PE

logging sendmail This command enables SMTP event handling. Use the no form to disable this function.

◆ To send email alerts, the switch first opens a connection, sends all the email alerts waiting in the queue one by one, and finally closes the connection.
◆ To open a connection, the switch first selects the server that successfully sent mail during the last connection, or the first server configured by this command. If it fails to send mail, the switch selects the next server in the list and tries to send mail again.
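The server-selection rule in the two points above (start with the server that worked last time, otherwise the first configured one, then fall through the list) is the part of SMTP alerting that decides whether an alert is lost when the primary relay is down. The following is an added example, not code from the ECS4810-12M guide, that models that rule. The transport is injected as a callable so the example runs offline; it assumes that after the last successful server the remaining servers are tried in configured order, wrapping around, since the guide only says "the next server in the list". Server addresses and queued messages are constructed sample values.

```python
"""Model of the SMTP alert delivery order used by the switch's event handler.

Added example, not code from the ECS4810-12M guide. Assumption: after the
last successful server, the remaining servers are tried in configured order,
wrapping around.
"""
from typing import Callable, List, Optional, Tuple


class SmtpAlertSender:
    def __init__(self, servers: List[str], transport: Callable[[str, List[str]], bool]):
        if not servers:
            raise ValueError("at least one SMTP server must be configured")
        self.servers = list(servers)       # configured order
        self.transport = transport         # (server, messages) -> True if the connection delivered them all
        self.last_successful: Optional[str] = None
        self.queue: List[str] = []

    def enqueue(self, message: str) -> None:
        self.queue.append(message)

    def candidate_order(self) -> List[str]:
        """Server that succeeded last time first (else the first configured), then the rest."""
        start = self.servers.index(self.last_successful) if self.last_successful in self.servers else 0
        return self.servers[start:] + self.servers[:start]

    def flush(self) -> Tuple[Optional[str], int]:
        """Open one connection, send every queued alert through it, close.

        Returns (server used, alerts sent); (None, 0) if every server failed,
        in which case the queue is kept for the next attempt.
        """
        if not self.queue:
            return None, 0
        for server in self.candidate_order():
            if self.transport(server, list(self.queue)):
                sent = len(self.queue)
                self.queue.clear()
                self.last_successful = server
                return server, sent
        return None, 0


def demo() -> Tuple[Optional[str], int, List[str]]:
    """Constructed scenario: primary 192.0.2.10 is unreachable, secondary 192.0.2.11 works."""
    down = {"192.0.2.10"}
    sender = SmtpAlertSender(["192.0.2.10", "192.0.2.11"],
                             transport=lambda srv, msgs: srv not in down)
    sender.enqueue("VLAN 1 link-up notification.")
    sender.enqueue("Unit 1, Port 1 link-up notification.")
    server, sent = sender.flush()
    # next connection will start with the server that just succeeded
    return server, sent, sender.candidate_order()


if __name__ == "__main__":
    print(demo())
```

The point to take from the model is that a single unreachable relay does not lose alerts as long as a second server is configured, but if every server fails the alerts stay queued on the switch, whose RAM log is flushed on a power reset; a syslog server configured with logging host is the more robust path for anything you must not lose.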
logging sendmail destination-email This command specifies the email recipients of alert messages. Use the no form to remove a recipient.
Syntax
[no] logging sendmail destination-email email-address
email-address - The source email address used in alert messages. (Range: 1-41 characters)
Default Setting None
Command Mode Global Configuration
Command Usage You can specify up to five recipients for alert messages.
Chapter 4 | System Management Commands Time
show logging sendmail This command displays the settings for the SMTP event handler.
Command Mode Normal Exec, Privileged Exec
Example
Console#show logging sendmail
SMTP servers
-----------------------------------------------
192.168.1.19
SMTP Minimum Severity Level: 7
SMTP destination email addresses
-----------------------------------------------
ted@this-company.com
SMTP Source Email Address: bill@this-company.
SNTP Commands
sntp client This command enables SNTP client requests for time synchronization from NTP or SNTP time servers specified with the sntp server command. Use the no form to disable SNTP client requests.
Syntax [no] sntp client
Default Setting Disabled
Command Mode Global Configuration
Command Usage
◆ The time acquired from time servers is used to record accurate dates and times for log events.

sntp poll This command sets the interval between sending time requests when the switch is set to SNTP client mode. Use the no form to restore to the default.
Syntax
sntp poll seconds
no sntp poll
seconds - Interval between time requests.

Example
Console(config)#sntp server 10.1.0.19
Console#
Related Commands
sntp client (147)
sntp poll (148)
show sntp (149)

show sntp This command displays the current time and configuration settings for the SNTP client, and indicates whether or not the local time has been properly updated.

b-month - The month when summer time will begin. (Options: january | february | march | april | may | june | july | august | september | october | november | december)
b-year - The year summer time will begin.
b-hour - The hour summer time will begin. (Range: 0-23 hours)
b-minute - The minute summer time will begin. (Range: 0-59 minutes)
e-date - Day of the month when summer time will end. (Range: 1-31)
e-month - The month when summer time will end.

Related Commands show sntp (149)

clock summer-time (predefined) This command configures the summer time (daylight savings time) status and settings for the switch using predefined configurations for several major regions in the world. Use the no form to disable summer time.
Syntax
clock summer-time name predefined [australia | europe | newzealand | usa]
no clock summer-time
name - Name of the timezone while summer time is in effect, usually an acronym.

Example
The following example sets the Summer Time setting to use the predefined settings for the European region.
Console(config)#clock summer-time MESZ predefined europe
Console(config)#
Related Commands show sntp (149)

clock summer-time (recurring) This command allows the user to manually configure the start, end, and offset times of summer time (daylight savings time) for the switch on a recurring basis. Use the no form to disable summer-time.

offset - Summer-time offset from the regular time zone, in minutes. (Range: 0-99 minutes)
Default Setting Disabled
Command Mode Global Configuration
Command Usage
◆ In some countries or regions, clocks are adjusted through the summer months so that afternoons have more daylight and mornings have less. This is known as Summer Time, or Daylight Savings Time (DST).

after-utc - Sets the local time zone after (west) of UTC.
Default Setting None
Command Mode Global Configuration
Command Usage This command sets the local time zone relative to the Coordinated Universal Time (UTC, formerly Greenwich Mean Time or GMT), based on the earth’s prime meridian, zero degrees longitude.
Chapter 4 | System Management Commands Time Range
Example
This example shows how to set the system clock to 15:12:34, February 1st, 2002.
Console#calendar set 15:12:34 1 February 2002
Console#

show calendar This command displays the system clock.
Default Setting None
Command Mode Global Configuration
Command Usage This command sets a time range for use by other functions, such as Access Control Lists.
Example
Console(config)#time-range r&d
Console(config-time-range)#
Related Commands Access Control Lists (343)

absolute This command sets the time range for the execution of a command. Use the no form to remove a previously specified time.

◆ If both an absolute rule and one or more periodic rules are configured for the same time range (i.e., named entry), that entry will only take effect if the current time is within the absolute time range and one of the periodic time ranges.
Example
This example configures the time for the single occurrence of an event.
Chapter 4 | System Management Commands Synchronous Ethernet
◆ If both an absolute rule and one or more periodic rules are configured for the same time range (i.e., named entry), that entry will only take effect if the current time is within the absolute time range and one of the periodic time ranges.
Example
This example configures a time range for the periodic occurrence of an event.
Table 25: Sync-E Commands
Command | Function | Mode
synce | Enables SyncE on all ports that support SyncE | GC
synce ethernet | Enables SyncE on a port that supports SyncE | GC
synce ethernet clock-source | Manually sets a port as a clock source or candidate clock source at the specified priority | GC
synce auto-clock-sourceselecting | Automatically selects the clock-source port with the highest priority | GC
synce force-clock-sourceselecting | Sets the

processing delays. However, both SyncE and PTP may be used in combination to achieve a high level of frequency synchronization with a common defined time.
◆ SyncE delivers a high level of frequency accuracy, but cannot deliver time-of-day information (i.e., GMT). Conversely, PTP supports time-of-day information required by billing and service level agreements.

◆ This command can enable SyncE on a trunk member but not on a trunk.
◆ SyncE can only be enabled on two ports at the same time.
Example
Console(config)#synce ethernet 1/28
Console(config)#

synce ethernet clock-source This command manually sets a port as a clock source, or as a candidate clock source at the specified priority when using automatic clock source selection. Use the no form to remove a port as a clock source.

◆ If SyncE has locked the clock source and the clock source becomes invalid, SyncE will operate in holdover mode, switching over to the local reference clock if all available clock source signals fail. If SyncE has never locked the clock source and no valid clock source exists, SyncE will operate in free-run mode. If SyncE locked the clock source, SyncE will operate in locked mode.

◆ If revertive switching is enabled, the active clock source port will be changed when a clock source port with a higher priority becomes available. If revertive switching is disabled, the active clock source port will not be changed unless the current active clock source becomes invalid.

◆ If SyncE has been enabled on more than one port, the switch will choose the clock source port based on the current clock source port status and priority.
◆ A port can be forced to be the clock source port regardless of the clock’s signal status.
Chapter 4 | System Management Commands Synchronous Ethernet ◆ The clock source port will not itself send out SSM. The other SSM-enabled ports will only send out SSM if received on the clock source port. SSM will be sent out of the other SSM-enabled ports once a second. If SSM has not been received on the clock source port after five seconds, the other SSM-enabled ports will stop sending SSM until a new clock source is selected.
Example
Console(config)#synce ssm ethernet 1/9
Console(config)#synce ssm ethernet 1/10
Console(config)#synce ssm ethernet 1/11
Console(config)#synce ssm ethernet 1/12
Console(config)#

synce clk-src-ssm
This command uses SSM to select the clock source according to the SSM quality level, priority and port number. Use the no form to disable this function.
Example
Console#show synce
SyncE Status:
 Port      Status   Clock Source
 --------- -------- ------------
 Eth 1/ 9  Enabled  No
 Eth 1/10  Enabled  No
 Eth 1/11  Enabled  No
 Eth 1/12  Enabled  No
SyncE Clock Source Selection Mode: SSM
SyncE Active Clock Source Locked: No
SyncE Clock Source Status:
 Port      Priority Active Clock Source
 --------- -------- -------------------
 Eth 1/ 7  1        Yes
 Eth 1/ 8  2        No
SyncE SSM Port
 ---------
 Eth 1/ 9
 Eth 1/10
 Eth 1/11
 Eth 1/12
Console Cloc
Chapter 4 | System Management Commands Switch Clustering

Table 27: show synce - display description (Continued)

Field     Description
Port      Port identifier
Status    Shows if reception/transmission of SSM is enabled or disabled
Priority  The selection priority determined by the manual configuration or default setting
Tx SSM    Shows transmitted Quality Level message type:
          ◆ QL-NONE: This port is not transmitting SSM or timeout information
          ◆ QL-EEC1: Transmitting QL-EEC1* messages
          ◆ QL-EEC2: Transmitti
Chapter 4 | System Management Commands Switch Clustering Using Switch Clustering ◆ A switch cluster has a primary unit called the “Commander” which is used to manage all other “Member” switches in the cluster. The management station can use either Telnet or the web interface to communicate directly with the Commander through its IP address, and then use the Commander to manage the Member switches through the cluster’s “internal” IP addresses.
Chapter 4 | System Management Commands Switch Clustering Cluster IP Pool that does not conflict with any other IP subnets in the network. Cluster IP addresses are assigned to switches when they become Members and are used for communication between Member switches and the Commander. ◆ Switch clusters are limited to the same Ethernet broadcast domain. ◆ There can be up to 100 candidates and 36 member switches in one cluster. ◆ A switch can only be a Member of one cluster.
cluster ip-pool
This command sets the cluster IP address pool. Use the no form to reset to the default address.

Syntax
cluster ip-pool ip-address
no cluster ip-pool

ip-address - The base IP address for IP addresses assigned to cluster Members. The address must be within 10.0.0.0/8 (i.e., of the form 10.x.x.x), and the pool must not overlap any other subnet in use on the network.

Default Setting
10.254.254.
Chapter 4 | System Management Commands Switch Clustering Default Setting No Members Command Mode Global Configuration Command Usage ◆ The maximum number of cluster Members is 36. ◆ The maximum number of cluster Candidates is 100. Example Console(config)#cluster member mac-address 00-12-34-56-78-9a id 5 Console(config)# rcommand This command provides access to a cluster Member CLI for configuration. Syntax rcommand id member-id member-id - The ID number of the Member switch.
Example
Console#show cluster
Role                 : commander
Interval Heartbeat   : 30 seconds
Heartbeat Loss Count : 3
Number of Members    : 1
Number of Candidates : 2
Console#

show cluster members
This command shows the current switch cluster members.

Command Mode
Privileged Exec

Example
Console#show cluster members
Cluster Members:
ID         : 1
Role       : Active member
IP Address : 10.254.254.
5 SNMP Commands SNMP commands control access to this switch from management stations using the Simple Network Management Protocol (SNMP), as well as the error types sent to trap managers. SNMP Version 3 also provides security features that cover message integrity, authentication, and encryption; as well as controlling user access to specific areas of the MIB tree.
Chapter 5 | SNMP Commands

Table 29: SNMP Commands (Continued)

Command                     Function                                                   Mode
show snmp user              Shows the SNMP users                                       PE
show snmp view              Shows the SNMP views                                       PE
Notification Log Commands
nlm                         Enables the specified notification log                     GC
snmp-server notify-filter   Creates a notification log and specifies the target host   GC
show nlm oper-status        Shows operation status of configured notification logs     PE
show snmp notify-filter     Displays the configured notification logs                  PE
ATC Trap Commands
snm
Chapter 5 | SNMP Commands General SNMP Commands

Table 29: SNMP Commands (Continued)

Command                         Function                                                                                   Mode
transceiver-threshold tx-power  Sends a trap when the power level of the transmitted signal falls outside the specified thresholds  IC (Port)
transceiver-threshold voltage   Sends a trap when the transceiver voltage falls outside the specified thresholds           IC (Port)
Additional Trap Commands
memory                          Sets the rising and falling threshold for the memory utilization alarm                     GC
process cpu                     Sets the rising
snmp-server community
This command defines community access strings used to authorize management access by clients using SNMP v1 or v2c. Use the no form to remove the specified community string.

Syntax
snmp-server community string [ro | rw]
no snmp-server community string

string - Community string that acts like a password and permits access to the SNMP protocol. Note that SNMP v1/v2c carry the community string in cleartext in every request, so a read-write community is effectively an unencrypted administrative password; where the management station supports it, use SNMPv3 with authentication and privacy instead (see "SNMPv3 Commands").
Chapter 5 | SNMP Commands General SNMP Commands Example Console(config)#snmp-server contact Paul Console(config)# Related Commands snmp-server location (179) snmp-server location This command sets the system location string. Use the no form to remove the location string. Syntax snmp-server location text no snmp-server location text - String that describes the system location.
Chapter 5 | SNMP Commands SNMP Target Host Commands

Example
Console#show snmp
SNMP Agent : Enabled
SNMP Traps :
 Authentication            : Enabled
 Link-up-down              : Enabled
 MAC-notification          : Disabled
 MAC-notification interval : 1 second(s)
SNMP Communities :
 1. public, and the access level is read-only
 2.
Chapter 5 | SNMP Commands SNMP Target Host Commands interval - Specifies the interval between issuing two consecutive traps. (Range: 1-3600 seconds; Default: 1 second) Default Setting Issue authentication and link-up-down traps. Other traps are disabled. Command Mode Global Configuration Command Usage If you do not enter an snmp-server enable traps command, no notifications controlled by this command are sent.
Chapter 5 | SNMP Commands SNMP Target Host Commands snmp-server host This command specifies the recipient of a Simple Network Management Protocol notification operation. Use the no form to remove the specified host. Syntax snmp-server host host-addr [inform [retry retries | timeout seconds]] community-string [version {1 | 2c | 3 {auth | noauth | priv} [udp-port port]} no snmp-server host host-addr host-addr - IPv4 or IPv6 address of the host (targeted recipient).
Chapter 5 | SNMP Commands SNMP Target Host Commands the sending of traps or informs and to specify which SNMP notifications are sent globally. For a host to receive notifications, at least one snmp-server enable traps command and the snmp-server host command for that host must be enabled. ◆ Some notification types cannot be controlled with the snmp-server enable traps command. For example, some notification types are always enabled. ◆ Notifications are issued by the switch as trap messages by default.
Example
Console(config)#snmp-server host 10.1.19.23 batman
Console(config)#

Related Commands
snmp-server enable traps (180)

snmp-server enable port-traps mac-notification
This command enables the device to send SNMP traps (i.e., SNMP notifications) when a dynamic MAC address is added or removed. Use the no form to restore the default setting.
Chapter 5 | SNMP Commands SNMPv3 Commands

Command Mode
Privileged Exec

Example
Console#show snmp-server enable port-traps interface
Interface MAC Notification Trap
--------- ---------------------
Eth 1/1   No
Eth 1/2   No
Eth 1/3   No
.
.
.

SNMPv3 Commands

snmp-server engine-id
This command configures an identification string for the SNMPv3 engine. Use the no form to restore the default.
remote agent. You therefore need to configure the remote agent's SNMP engine ID before you can send proxy requests or informs to it.
◆ Trailing zeroes need not be entered to uniquely specify an engine ID. In other words, the value "0123456789" is equivalent to "0123456789" followed by 16 zeroes for a local engine ID.
◆ A local engine ID is automatically generated that is unique to the switch. This is referred to as the default engine ID.
Command Mode
Global Configuration

Command Usage
◆ A group sets the access policy for the assigned users.
◆ When authentication is selected, the MD5 or SHA algorithm is used as specified in the snmp-server user command.
◆ When privacy is selected, the DES 56-bit algorithm is used for data encryption unless 3DES is specified in the snmp-server user command. 56-bit DES is no longer considered adequate protection for management traffic; choose 3DES for any user whose management station supports it.
Chapter 5 | SNMP Commands SNMPv3 Commands md5 | sha - Uses MD5 or SHA authentication. auth-password - Authentication password. Enter as plain text if the encrypted option is not used. Otherwise, enter an encrypted password. (Range: 8-32 characters for unencrypted password.) If the encrypted option is selected, enter an encrypted password. (Range: 32 characters for MD5 encrypted password, 40 characters for SHA encrypted password) 3des - Uses SNMPv3 with privacy with 3DES (168-bit) encryption.
Chapter 5 | SNMP Commands SNMPv3 Commands need to configure the remote agent’s SNMP engine ID before you can send proxy requests or informs to it. Example Console(config)#snmp-server user steve group r&d v3 auth md5 greenpeace priv des56 einstien Console(config)#snmp-server engine-id remote 192.168.1.19 9876543210 Console(config)#snmp-server user mark r&d remote 192.168.1.
Chapter 5 | SNMP Commands SNMPv3 Commands This view includes the MIB-2 interfaces table, ifDescr. The wild card is used to select all the index values in this table. Console(config)#snmp-server view ifEntry.2 1.3.6.1.2.1.2.2.1.*.2 included Console(config)# This view includes the MIB-2 interfaces table, and the mask selects all index entries. Console(config)#snmp-server view ifEntry.a 1.3.6.1.2.1.2.2.1.1.* included Console(config)# show snmp engine-id This command shows the SNMP engine ID.
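The two views above are easier to reason about with the matching rule written out. What follows is an added Python example, not part of this guide or of the switch firmware: a model of how an SNMPv3 VACM view (RFC 3415) decides whether a requested OID is visible. It assumes that a "*" in the subtree corresponds to a mask bit of 0 (any sub-identifier accepted at that position), that a wildcard compares as 0 when two subtrees of equal length are ranked, and that the "restricted" view and its two entries are constructed for illustration.

```python
"""SNMPv3 VACM view matching (RFC 3415), constructed example.

Models how a view entry such as
    snmp-server view ifEntry.2 1.3.6.1.2.1.2.2.1.*.2 included
decides whether a requested OID is visible.  Assumptions: '*' in the
subtree stands for a mask bit of 0 (any sub-identifier accepted there);
the longest matching subtree wins and, at equal length, the
lexicographically greater subtree (wildcards compare as 0).
"""
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple


@dataclass(frozen=True)
class ViewEntry:
    view: str
    subtree: str           # dotted OID, '*' marks a wildcard sub-identifier
    included: bool = True  # False models an 'excluded' entry

    def pattern(self) -> Tuple[Optional[int], ...]:
        return tuple(None if p == "*" else int(p) for p in self.subtree.split("."))


def parse_oid(text: str) -> Tuple[int, ...]:
    return tuple(int(p) for p in text.strip(".").split("."))


def _matches(pattern, oid) -> bool:
    """An entry matches when the OID is at least as long as the subtree and
    every non-wildcard position is equal (RFC 3415 section 4.1)."""
    if len(oid) < len(pattern):
        return False
    return all(p is None or p == o for p, o in zip(pattern, oid))


def best_entry(entries: Iterable[ViewEntry], view: str, oid: str) -> Optional[ViewEntry]:
    """Most specific entry of `view` that matches `oid`, or None."""
    target = parse_oid(oid)
    candidates = [e for e in entries if e.view == view and _matches(e.pattern(), target)]
    if not candidates:
        return None
    return max(
        candidates,
        key=lambda e: (len(e.pattern()), tuple(0 if p is None else p for p in e.pattern())),
    )


def in_view(entries: Iterable[ViewEntry], view: str, oid: str) -> bool:
    """True when the OID is visible: the most specific match is 'included'.
    No match at all means not visible (default deny)."""
    entry = best_entry(entries, view, oid)
    return entry is not None and entry.included


# Constructed view table: the two entries from the guide plus a 'restricted'
# view that exposes mib-2 but hides the interfaces table.
ENTRIES = (
    ViewEntry("ifEntry.2", "1.3.6.1.2.1.2.2.1.*.2"),
    ViewEntry("ifEntry.a", "1.3.6.1.2.1.2.2.1.1.*"),
    ViewEntry("restricted", "1.3.6.1.2.1"),
    ViewEntry("restricted", "1.3.6.1.2.1.2.2", included=False),
)

if __name__ == "__main__":
    for view, oid in [
        ("ifEntry.2", "1.3.6.1.2.1.2.2.1.2.2"),   # ifDescr.2  -> visible
        ("ifEntry.2", "1.3.6.1.2.1.2.2.1.2.3"),   # ifDescr.3  -> hidden
        ("restricted", "1.3.6.1.2.1.1.1.0"),      # sysDescr.0 -> visible
        ("restricted", "1.3.6.1.2.1.2.2.1.1.1"),  # ifIndex.1  -> hidden (excluded)
    ]:
        print(f"{view:10s} {oid:24s} {'visible' if in_view(ENTRIES, view, oid) else 'hidden'}")
```

The point worth checking on a real switch is the last case: an excluded entry that is longer than an included one wins, so a broad included subtree can be narrowed without listing every permitted branch, and an OID that matches no entry at all is denied.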
Chapter 5 | SNMP Commands SNMPv3 Commands show snmp group Four default groups are provided – SNMPv1 read-only access and read/write access, and SNMPv2c read-only access and read/write access.
Chapter 5 | SNMP Commands SNMPv3 Commands Table 31: show snmp group - display description (Continued) Field Description Write View The associated write view. Notify View The associated notify view. Storage Type The storage type for this entry. Row Status The row status of this entry. show snmp user This command shows information on SNMP users.
Chapter 5 | SNMP Commands Notification Log Commands Table 32: show snmp user - display description (Continued) Field Description Storage Type The storage type for this entry. Row Status The row status of this entry. SNMP remote user A user associated with an SNMP engine on a remote device. show snmp view This command shows information on the SNMP views. Command Mode Privileged Exec Example Console#show snmp view View Name: mib-2 Subtree OID: 1.2.2.3.6.2.
Chapter 5 | SNMP Commands Notification Log Commands Default Setting None Command Mode Global Configuration Command Usage ◆ Notification logging is enabled by default, but will not start recording information until a logging profile specified by the snmp-server notify-filter command is enabled by the nlm command. ◆ Disabling logging with this command does not delete the entries stored in the notification log. Example This example enables the notification log A1.
Chapter 5 | SNMP Commands Notification Log Commands RFC 3014) provides an infrastructure in which information from other MIBs may be logged. ◆ Given the service provided by the NLM, individual MIBs can now bear less responsibility to record transient information associated with an event against the possibility that the Notification message is lost, and applications can poll the log to verify that they have not missed any important Notifications.
Chapter 5 | SNMP Commands Additional Trap Commands

Oper-Status: Operational
Console#

show snmp notify-filter
This command displays the configured notification logs.

Command Mode
Privileged Exec

Example
This example displays the configured notification logs and associated target hosts.
Console#show snmp notify-filter
Filter profile name          IP address
---------------------------- ---------------
A1                           10.1.19.
Example
Console(config)#memory rising 80
Console(config)#memory falling 60
Console(config)#

Related Commands
show memory (104)

process cpu
This command sets an SNMP trap based on configured thresholds for CPU utilization. Use the no form to restore the default setting.

Syntax
process cpu {rising rising-threshold | falling falling-threshold}
no process cpu {rising | falling}

rising-threshold - Rising threshold for CPU utilization alarm expressed in percentage.
Chapter 5 | SNMP Commands Additional Trap Commands process cpu guard This command sets the CPU utilization high and low watermarks in percentage of CPU time utilized and the CPU high and low thresholds in the number of packets being processed per second. Use the no form of this command without any parameters to restore all of the default settings, or with a specific parameter to restore the default setting for that item.
Chapter 5 | SNMP Commands Additional Trap Commands ◆ Once the maximum threshold is exceeded, utilization must drop beneath the minimum threshold before the alarm is terminated, and then exceed the maximum threshold again before another alarm is triggered.
6 Remote Monitoring Commands Remote Monitoring allows a remote device to collect information or respond to specified events on an independent basis. This switch is an RMON-capable device which can independently perform a wide range of tasks, significantly reducing network management traffic. It can continuously run diagnostics and log information on network performance.
rmon alarm
This command sets threshold bounds for a monitored variable. Use the no form to remove an alarm.

Syntax
rmon alarm index variable interval {absolute | delta} rising-threshold threshold [event-index] falling-threshold threshold [event-index] [owner name]
no rmon alarm index

index – Index to this entry. (Range: 1-65535)
variable – The object identifier of the MIB variable to be sampled. Only variables of the type etherStatsEntry.n.n may be sampled.
Chapter 6 | Remote Monitoring Commands generated until the sampled value has fallen below the rising threshold, reaches the falling threshold, and again moves back up to the rising threshold. ◆ If the current value is less than or equal to the falling threshold, and the last sample value was greater than this threshold, then an alarm will be generated.
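The rising/falling hysteresis described here is the same rule the memory and process cpu threshold commands in Chapter 5 follow, so one runnable model covers both. The following is an added Python example, not code from this guide or from the switch: an RMON-style alarm that fires a rising event once, refuses to fire again until the falling threshold has been reached, and supports both absolute and delta sampling. The sample series, thresholds and counter values are constructed; start-up is fixed so that the first event can only be a rising alarm (RFC 2819 additionally allows a falling alarm on the very first sample), and delta sampling assumes a 32-bit counter.

```python
"""RMON alarm hysteresis (RFC 2819 alarmTable semantics), constructed example.

Both 'rmon alarm' and the 'memory' / 'process cpu' threshold commands
behave the same way: a rising alarm fires when a sample reaches the rising
threshold, and no further rising alarm is possible until a sample has
dropped to the falling threshold (which fires the falling alarm).
Assumptions: start-up arms only the rising side; delta sampling treats
the variable as a 32-bit counter and corrects for one wrap.
"""
from typing import List, Optional

COUNTER32_MODULUS = 2 ** 32


class RmonAlarm:
    def __init__(self, rising: int, falling: int, sample_type: str = "absolute"):
        if sample_type not in ("absolute", "delta"):
            raise ValueError("sample_type must be 'absolute' or 'delta'")
        if falling > rising:
            raise ValueError("falling threshold must not exceed rising threshold")
        self.rising, self.falling, self.sample_type = rising, falling, sample_type
        self.last_raw: Optional[int] = None
        self.rising_armed = True    # assumption: startup alarm = rising only
        self.falling_armed = False  # a falling alarm only ends a rising one

    def _value(self, raw: int) -> Optional[int]:
        """Absolute: the sample itself.  Delta: difference from the previous
        raw sample; the first delta sample only establishes a baseline."""
        if self.sample_type == "absolute":
            return raw
        prev, self.last_raw = self.last_raw, raw
        if prev is None:
            return None
        return (raw - prev) % COUNTER32_MODULUS  # tolerates one Counter32 wrap

    def sample(self, raw: int) -> Optional[str]:
        """Feed one sample; return 'rising', 'falling' or None."""
        value = self._value(raw)
        if value is None:
            return None
        if self.rising_armed and value >= self.rising:
            # Fires once; re-armed only after the falling threshold is reached.
            self.rising_armed, self.falling_armed = False, True
            return "rising"
        if self.falling_armed and value <= self.falling:
            self.rising_armed, self.falling_armed = True, False
            return "falling"
        return None


def run_alarm(alarm: RmonAlarm, samples: List[int]) -> List[Optional[str]]:
    """Events produced for a whole sample series, one entry per sample."""
    return [alarm.sample(s) for s in samples]


# Constructed traces.
CPU_PERCENT = [50, 85, 90, 70, 85, 55, 50, 85]      # 'process cpu rising 80 / falling 60'
PKTS_COUNTER = [1000, 1500, 2600, 2700, 2750, 3900]  # etherStatsPkts, delta per interval

if __name__ == "__main__":
    print(run_alarm(RmonAlarm(80, 60), CPU_PERCENT))
    print(run_alarm(RmonAlarm(1000, 200, "delta"), PKTS_COUNTER))
```

In the CPU trace the samples 90 and the second 85 produce nothing even though they exceed 80, because the alarm has not yet fallen to 60; that is the behaviour to expect from the trap manager's point of view, and the reason a falling threshold set too close to the rising one produces trap storms.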
Chapter 6 | Remote Monitoring Commands Command Usage ◆ If an event is already defined for an index, the entry must be deleted before any changes can be made with this command. ◆ The specified events determine the action to take when an alarm triggers this event. The response to an alarm can include logging the alarm or sending a message to a trap manager.
Chapter 6 | Remote Monitoring Commands input octets, packets, broadcast packets, multicast packets, undersize packets, oversize packets, fragments, jabbers, CRC alignment errors, collisions, drop events, and network utilization. ◆ The switch reserves two controlEntry index entries for each port.
Chapter 6 | Remote Monitoring Commands ◆ If statistics collection is already enabled on an interface, the entry must be deleted before any changes can be made with this command.
Example
Console#show rmon history
Entry 1 is valid, and owned by
 Monitors 1.3.6.1.2.1.2.2.1.1.1 every 1800 seconds
 Requested # of time intervals, ie buckets, is 8
 Granted # of time intervals, ie buckets, is 8
 Sample # 1 began measuring at 00:00:01
  Received 77671 octets, 1077 packets,
  61 broadcast and 978 multicast packets,
  0 undersized and 0 oversized packets,
  0 fragments and 0 jabbers packets,
  0 CRC alignment errors and 0 collisions.
7 Flow Sampling Commands Flow sampling (sFlow) can be used with a remote sFlow Collector to provide an accurate, detailed and real-time overview of the types and levels of traffic present on the network. The sFlow Agent samples 1 out of n packets from all data traversing the switch, re-encapsulates the samples as sFlow datagrams and transmits them to the sFlow Collector.
Chapter 7 | Flow Sampling Commands timeout-value - The length of time the sFlow interface is available to send samples to a receiver, after which the owner and associated polling and sampling data source instances are removed from the configuration. (Range: 30-10000000 seconds) ipv4-address - IPv4 address of the sFlow collector. Valid IPv4 addresses consist of four decimal numbers, 0 to 255, separated by periods. ipv6-address - IPv6 address of the sFlow collector.
Chapter 7 | Flow Sampling Commands Example This example shows an sflow collector being created on the switch. Console(config)#sflow owner stat_server1 timeout 100 destination 192.168.220.225 port 22500 max-datagram-size 512 version v5 Console(config)# This example shows how to modify the sFlow port number for an already configured collector.
Example
This example sets the polling interval to 10 seconds.
Console(config)#interface ethernet 1/9
Console(config-if)#sflow polling-interval 10
Console(config-if)#

sflow sampling instance
This command enables an sFlow data source instance for a specific interface that takes samples periodically based on the number of packets processed. Use the no form to remove the sampling data source instance from the switch's sFlow configuration.
Chapter 7 | Flow Sampling Commands Example This example enables a sampling data source on Ethernet interface 1/1, an associated receiver named “owner1”, and a sampling rate of one out of 100. The maximum header size is also set to 200 bytes. Console# sflow sampling interface ethernet 1/1 instance 1 receiver owner1 sampling-rate 100 max-header-size 200 Console# The following command removes a sampling data source from Ethernet interface 1/1.
8 Authentication Commands
You can configure this switch to authenticate users logging into the system for management access using local or remote authentication methods. Port-based authentication using IEEE 802.1X can also be configured to control either management access to the uplink ports or client access to the data ports.
Chapter 8 | Authentication Commands User Accounts User Accounts The basic commands required for management access are listed in this section. This switch also includes other options for password checking via the console or a Telnet connection (page 125), user authentication via a remote authentication server (page 215), and host access authentication for specific ports (page 252).
Chapter 8 | Authentication Commands User Accounts Example Console(config)#enable password level 15 0 admin Console(config)# Related Commands enable (85) authentication enable (218) username This command adds named users, requires authentication at login, specifies or changes a user's password (or specify that no password is required), or specifies or changes a user's access level. Use the no form to remove a user name.
Chapter 8 | Authentication Commands Authentication Sequence

Example
This example shows how to set the access level and password for a user.
Console(config)#username bob access-level 15
Console(config)#username bob password 0 smith
Console(config)#

Authentication Sequence
Three authentication methods can be specified to authenticate users logging into the system for management access. The commands in this section can be used to define the authentication method and sequence.
Chapter 8 | Authentication Commands Authentication Sequence ◆ RADIUS and TACACS+ logon authentication assigns a specific privilege level for each user name and password pair. The user name, password, and privilege level must be configured on the authentication server. ◆ You can specify three authentication methods in a single command to indicate the authentication sequence.
Chapter 8 | Authentication Commands RADIUS Client ◆ You can specify three authentication methods in a single command to indicate the authentication sequence. For example, if you enter “authentication login radius tacacs local,” the user name and password on the RADIUS server is verified first. If the RADIUS server is not available, then authentication is attempted on the TACACS+ server. If the TACACS+ server is not available, the local user name and password is checked.
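The sequence rule above has a security consequence that is easy to miss: the next method is consulted only when the current one is unavailable, never when it rejects the user. The following is an added Python example, not code from this guide or from the switch, that models "authentication login radius tacacs local" with that rule. The user names, passwords and the availability of each server are hypothetical.

```python
"""Authentication method sequence ('authentication login radius tacacs local'),
constructed example.

Models the rule in the text: the next method is consulted only when the
current one is unavailable.  A definite reject from a reachable server
ends the attempt, so an attacker cannot reach the weaker local database
by making the central server say 'no'.  User names, passwords and
server states are hypothetical.
"""
import hmac
from enum import Enum
from typing import Callable, Dict, List, Optional, Tuple


class Result(Enum):
    ACCEPT = "accept"
    REJECT = "reject"
    UNAVAILABLE = "unavailable"  # server unreachable or timed out


Backend = Callable[[str, str], Result]


def make_server(users: Dict[str, str], available: bool = True) -> Backend:
    """A stand-in for a RADIUS server, a TACACS+ server or the local user database."""
    def check(user: str, password: str) -> Result:
        if not available:
            return Result.UNAVAILABLE
        stored = users.get(user)
        if stored is None:
            return Result.REJECT
        # Constant-time compare so a reject does not leak how much matched.
        ok = hmac.compare_digest(stored.encode(), password.encode())
        return Result.ACCEPT if ok else Result.REJECT
    return check


def authenticate(methods: List[str], backends: Dict[str, Backend],
                 user: str, password: str) -> Tuple[Result, Optional[str]]:
    """Walk the method list in order.  Returns the decision and which method
    made it (None when every method was unavailable, which is a deny)."""
    for name in methods:
        result = backends[name](user, password)
        if result is Result.UNAVAILABLE:
            continue  # fall through only on unavailability, never on reject
        return result, name
    return Result.REJECT, None


# Constructed scenario: RADIUS is down, TACACS+ knows alice, the switch's
# local database knows bob.
BACKENDS: Dict[str, Backend] = {
    "radius": make_server({"alice": "r-pass"}, available=False),
    "tacacs": make_server({"alice": "t-pass"}),
    "local": make_server({"bob": "smith"}),
}
SEQUENCE = ["radius", "tacacs", "local"]

if __name__ == "__main__":
    for user, pw in [("alice", "t-pass"), ("bob", "smith"), ("alice", "wrong")]:
        print(user, authenticate(SEQUENCE, BACKENDS, user, pw))
```

Note that bob, who exists only in the local database, is rejected while the TACACS+ server is reachable; the local account becomes usable only when both remote servers are down. That is the intended behaviour, but it also means the local passwords set with the username command are the credentials an attacker who can make the servers unreachable will be tested against, so they deserve the same care as the server-side ones.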
Chapter 8 | Authentication Commands RADIUS Client Default Setting 1813 Command Mode Global Configuration Example Console(config)#radius-server acct-port 181 Console(config)# radius-server This command sets the RADIUS server network port. Use the no form to restore the auth-port default. Syntax radius-server auth-port port-number no radius-server auth-port port-number - RADIUS server UDP port used for authentication messages.
Chapter 8 | Authentication Commands RADIUS Client auth-port - RADIUS server UDP port used for authentication messages. (Range: 1-65535) key - Encryption key used to authenticate logon access for client. Do not use blank spaces in the string. (Maximum length: 48 characters) retransmit - Number of times the switch will try to authenticate logon access via the RADIUS server. (Range: 1-30) timeout - Number of seconds the switch waits for a reply before resending a request.
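The key configured with radius-server host is described above as an encryption key, and it is worth seeing exactly what it protects. The following is an added Python example, not part of this guide or of the switch firmware, that implements the two places RFC 2865 uses the shared secret: hiding the User-Password attribute in the Access-Request and computing the Response Authenticator that lets the switch check a reply really came from a server holding the same secret. The secret, user name, password, packet identifier and Request Authenticator are constructed values.

```python
"""RADIUS shared-secret mechanics (RFC 2865), constructed example.

Shows what the 'key' given to radius-server host does on the wire:
  * hides the User-Password attribute in an Access-Request (section 5.2)
  * authenticates the reply via the Response Authenticator (section 3)
Secret, user name, password, identifier and Request Authenticator below
are hypothetical values.
"""
import hashlib
import hmac
import os
import struct
from typing import List, Optional, Tuple

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2
Attrs = List[Tuple[int, bytes]]


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Pad to a 16-byte multiple, then XOR each block with
    MD5(secret + previous ciphertext block); the first block is keyed by
    the Request Authenticator."""
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side: undo hide_password and strip the zero padding."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, hashlib.md5(secret + prev).digest()))
        prev = block
    return out.rstrip(b"\x00")


def encode_attrs(attrs: Attrs) -> bytes:
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def parse_attrs(body: bytes) -> Attrs:
    attrs, i = [], 0
    while i < len(body):
        if i + 2 > len(body) or body[i + 1] < 2 or i + body[i + 1] > len(body):
            raise ValueError("malformed attribute")
        attrs.append((body[i], body[i + 2:i + body[i + 1]]))
        i += body[i + 1]
    return attrs


def build_packet(code: int, ident: int, authenticator: bytes, attrs: Attrs) -> bytes:
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def response_authenticator(code: int, ident: int, request_auth: bytes,
                           attrs: Attrs, secret: bytes) -> bytes:
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(header + request_auth + body + secret).digest()


def verify_response(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Client side: recompute the Response Authenticator over the received
    reply with our own secret and compare in constant time."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def exchange(client_secret: bytes, server_secret: bytes, user: bytes, password: bytes,
             request_auth: Optional[bytes] = None, ident: int = 7) -> Tuple[bytes, bool]:
    """One Access-Request / Access-Accept round trip.  Returns the password
    as the server recovered it and whether the client accepts the reply."""
    request_auth = request_auth or os.urandom(16)
    request = build_packet(ACCESS_REQUEST, ident, request_auth, [
        (ATTR_USER_NAME, user),
        (ATTR_USER_PASSWORD, hide_password(password, client_secret, request_auth)),
    ])
    # --- server side, holding server_secret ---
    hidden = dict(parse_attrs(request[20:]))[ATTR_USER_PASSWORD]
    seen = reveal_password(hidden, server_secret, request[4:20])
    reply_auth = response_authenticator(ACCESS_ACCEPT, ident, request[4:20], [], server_secret)
    reply = build_packet(ACCESS_ACCEPT, ident, reply_auth, [])
    # --- client side ---
    return seen, verify_response(reply, request_auth, client_secret)


REQUEST_AUTH = bytes(range(16))  # fixed for reproducibility; use os.urandom(16) live

if __name__ == "__main__":
    print(exchange(b"green", b"green", b"bob", b"smith", REQUEST_AUTH))
    print(exchange(b"green", b"wrongkey", b"bob", b"smith", REQUEST_AUTH))
```

When the two sides hold different secrets the server recovers garbage instead of the password and the switch rejects the Access-Accept, so a mistyped key shows up as a failed login rather than a silent downgrade. Both operations are plain MD5 over the secret and bytes visible on the wire, which is why a short key can be guessed offline from one captured exchange: use a long random key (the command accepts up to 48 characters) and keep RADIUS traffic on a management network.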
radius-server retransmit
This command sets the number of retries. Use the no form to restore the default.

Syntax
radius-server retransmit number-of-retries
no radius-server retransmit

number-of-retries - Number of times the switch will try to authenticate logon access via the RADIUS server.
Chapter 8 | Authentication Commands TACACS+ Client

show radius-server
This command displays the current settings for the RADIUS server.

Default Setting
None

Command Mode
Privileged Exec

Example
Console#show radius-server
Remote RADIUS Server Configuration:
 Global Settings:
  Authentication Port Number : 1812
  Accounting Port Number     : 1813
  Retransmit Times           : 2
  Request Timeout            : 5
 Server 1:
  Server IP Address          : 192.
  Authentication Port Number :
  Accounting Port Number     :
  Retransmit Times           :
  Request Timeout            :
Chapter 8 | Authentication Commands TACACS+ Client tacacs-server host This command specifies the TACACS+ server and other optional parameters. Use the no form to remove the server, or to restore the default values. Syntax tacacs-server index host host-ip-address [key key] [port port-number] [retransmit retransmit] [timeout timeout] no tacacs-server index index - The index for this server. (Range: 1) host-ip-address - IP address of a TACACS+ server.
Chapter 8 | Authentication Commands TACACS+ Client Default Setting None Command Mode Global Configuration Example Console(config)#tacacs-server key green Console(config)# tacacs-server port This command specifies the TACACS+ server network port. Use the no form to restore the default. Syntax tacacs-server port port-number no tacacs-server port port-number - TACACS+ server TCP port used for authentication messages.
Chapter 8 | Authentication Commands TACACS+ Client Example Console(config)#tacacs-server retransmit 5 Console(config)# tacacs-server timeout This command sets the interval between transmitting authentication requests to the TACACS+ server. Use the no form to restore the default. Syntax tacacs-server timeout number-of-seconds no tacacs-server timeout number-of-seconds - Number of seconds the switch waits for a reply before resending a request.
Chapter 8 | Authentication Commands AAA

TACACS+ Server Group:
 Group Name                Member Index
 ------------------------- -------------
 tacacs+                   1
Console#

AAA
The Authentication, Authorization, and Accounting (AAA) feature provides the main framework for configuring access control on the switch. The AAA functions require the use of configured RADIUS or TACACS+ servers in the network.

Table 42: AAA Commands

Command                Function                     Mode
aaa accounting dot1x   Enables accounting of 802.
group - Specifies the server group to use.
radius - Specifies all RADIUS hosts configured with the radius-server host command.
tacacs+ - Specifies all TACACS+ hosts configured with the tacacs-server host command.
server-group - Specifies the name of a server group configured with the aaa group server command.
Chapter 8 | Authentication Commands AAA Default Setting Accounting is not enabled No servers are specified Command Mode Global Configuration Command Usage ◆ This command runs accounting for Exec service requests for the local console and Telnet connections. ◆ Note that the default and method-name fields are only used to describe the accounting method(s) configured on the specified RADIUS or TACACS+ servers, and do not actually send any information to the servers about the methods to use.
Chapter 8 | Authentication Commands AAA Example Console(config)#aaa accounting update periodic 30 Console(config)# aaa authorization exec This command enables the authorization for Exec access. Use the no form to disable the authorization service. Syntax aaa authorization exec {default | method-name} group {tacacs+ | server-group} no aaa authorization exec {default | method-name} default - Specifies the default authorization method for Exec access.
Chapter 8 | Authentication Commands AAA aaa group server Use this command to name a group of security server hosts. To remove a server group from the configuration list, enter the no form of this command. Syntax [no] aaa group server {radius | tacacs+} group-name radius - Defines a RADIUS server group. tacacs+ - Defines a TACACS+ server group. group-name - A text string that names a security server group.
Chapter 8 | Authentication Commands AAA Example Console(config)#aaa group server radius tps Console(config-sg-radius)#server 10.2.68.120 Console(config-sg-radius)# accounting dot1x This command applies an accounting method for 802.1X service requests on an interface. Use the no form to disable accounting on the interface. Syntax accounting dot1x {default | list-name} no accounting dot1x default - Specifies the default method list created with the aaa accounting dot1x command.
Chapter 8 | Authentication Commands AAA Command Mode Line Configuration Example Console(config)#line console Console(config-line)#accounting exec tps Console(config-line)#exit Console(config)#line vty Console(config-line)#accounting exec default Console(config-line)# authorization exec This command applies an authorization method to local console, Telnet or SSH connections. Use the no form to disable authorization on the line.
Chapter 8 | Authentication Commands AAA show accounting This command displays the current accounting settings per function and per port. Syntax show accounting [[dot1x [statistics [username user-name | interface interface]] | exec [statistics] | statistics] level - Displays command accounting information for a specifiable command level. dot1x - Displays dot1x accounting information. exec - Displays Exec accounting records. statistics - Displays accounting records.
Chapter 8 | Authentication Commands Web Server Web Server This section describes commands used to configure web browser management access to the switch.
Chapter 8 | Authentication Commands Web Server ip http server This command allows this device to be monitored or configured from a browser. Use the no form to disable this function. Syntax [no] ip http server Default Setting Enabled Command Mode Global Configuration Example Console(config)#ip http server Console(config)# Related Commands ip http port (236) show system (108) ip http secure-port This command specifies the TCP port number used for HTTPS connection to the switch’s web interface.
Chapter 8 | Authentication Commands Web Server Example Console(config)#ip http secure-port 1000 Console(config)# Related Commands ip http secure-server (238) show system (108) ip http secure-server This command enables the secure hypertext transfer protocol (HTTPS) over the Secure Socket Layer (SSL), providing secure access (i.e., an encrypted connection) to the switch’s web interface. Use the no form to disable this function.
Chapter 8 | Authentication Commands Telnet Server

The following web browsers and operating systems currently support HTTPS:

Table 44: HTTPS System Support

Web Browser                    Operating System
Internet Explorer 11 or later  Windows 7, 8, 10
Mozilla Firefox 40 or later    Windows 7, 8, 10, Linux
Google Chrome 45 or later      Windows 7, 8, 10

◆ To specify a secure-site certificate, see "Replacing the Default Secure-site Certificate" in the Web Management Guide. Also refer to the copy tftp https-certificate command.
ip telnet max-sessions
This command specifies the maximum number of Telnet sessions that can simultaneously connect to this system. Use the no form to restore the default setting.

Syntax
ip telnet max-sessions session-count
no ip telnet max-sessions

session-count - The maximum number of allowed Telnet sessions.
Chapter 8 | Authentication Commands Telnet Server Example Console(config)#ip telnet port 123 Console(config)# ip telnet server This command allows this device to be monitored or configured from Telnet. Use the no form to disable this function. Syntax [no] ip telnet server Default Setting Enabled Command Mode Global Configuration Example Console(config)#ip telnet server Console(config)# telnet (client) This command accesses a remote device using a Telnet connection.
Chapter 8 | Authentication Commands Secure Shell show ip telnet This command displays the configuration settings for the Telnet server. Command Mode Normal Exec, Privileged Exec Example Console#show ip telnet IP Telnet Configuration: Telnet Status: Enabled Telnet Service Port: 23 Telnet Max Session: 4 Console# Secure Shell This section describes the commands used to configure the SSH server.
Chapter 8 | Authentication Commands Secure Shell Table 46: Secure Shell Commands (Continued) Command Function Mode show ssh Displays the status of current SSH sessions PE show users Shows SSH users, including privilege level and public key type PE Configuration Guidelines The SSH server on this switch supports both password and public key authentication.
Chapter 8 | Authentication Commands Secure Shell 4. Set the Optional Parameters – Set other optional parameters, including the authentication timeout, the number of retries, and the server key size. 5. Enable SSH Service – Use the ip ssh server command to enable the SSH server on the switch. 6. Authentication – One of the following authentication methods is employed: Password Authentication (for SSH v1.5 or V2 Clients) a. The client sends its password to the server. b.
   c. The client sends a signature generated using the private key to the switch.
   d. When the server receives this message, it checks whether the supplied key is acceptable for authentication, and if so, it then checks whether the signature is correct. If both checks succeed, the client is authenticated.

Note: The SSH server supports up to eight client sessions. The maximum number of client sessions includes both current Telnet sessions and SSH sessions.
Command Mode
Global Configuration
Command Usage
◆ The SSH server supports up to eight client sessions. The maximum number of client sessions includes both current Telnet sessions and SSH sessions.
◆ The SSH server uses DSA or RSA for key exchange when the client first establishes a connection with the switch, and then negotiates with the client to select either DES (56-bit) or 3DES (168-bit) for data encryption.
ip ssh timeout
This command configures the timeout for the SSH server. Use the no form to restore the default setting.
Syntax
ip ssh timeout seconds
no ip ssh timeout
seconds – The timeout for client response during SSH negotiation. (Range: 1-120)
Default Setting
120 seconds
Command Mode
Global Configuration
Command Usage
The timeout specifies the interval the switch will wait for a response from the client during the SSH negotiation phase.
Example
Console#delete public-key admin dsa
Console#

ip ssh crypto host-key generate
This command generates the host key pair (i.e., public and private).
Syntax
ip ssh crypto host-key generate [dsa | rsa]
dsa – DSA (Version 2) key type.
rsa – RSA (Version 1) key type.
Default Setting
Generates both the DSA and RSA key pairs.
Command Mode
Privileged Exec
Command Usage
◆ The switch uses only RSA Version 1 for SSHv1.
ip ssh crypto zeroize
This command clears the host key from memory (i.e. RAM).
Syntax
ip ssh crypto zeroize [dsa | rsa]
dsa – DSA key type.
rsa – RSA key type.
Default Setting
Clears both the DSA and RSA key.
Command Mode
Privileged Exec
Command Usage
◆ This command clears the host key from volatile memory (RAM). Use the no ip ssh save host-key command to clear the host key from flash memory.
Related Commands
ip ssh crypto host-key generate (248)

show ip ssh
This command displays the connection settings used when authenticating client access to the SSH server.
Command Mode
Privileged Exec
Example
Console#show ip ssh
SSH Enabled - Version 2.0
Negotiation Timeout : 120 seconds; Authentication Retries : 3
Server Key Size : 768 bits
Console#

show public-key
This command shows the public key for the specified user or for the host.
185490002831341625008348718449522087429212255691665655296328163516964040831
5547660664151657116381
DSA:
ssh-dss AAAB3NzaC1kc3MAAACBAPWKZTPbsRIB8ydEXcxM3dyV/yrDbKStIlnzD/Dg0h2Hxc
YV44sXZ2JXhamLK6P8bvuiyacWbUW/a4PAtp1KMSdqsKeh3hKoA3vRRSy1N2XFfAKxl5fwFfv
JlPdOkFgzLGMinvSNYQwiQXbKTBH0Z4mUZpE85PWxDZMaCNBPjBrRAAAAFQChb4vsdfQGNIjwbv
wrNLaQ77isiwAAAIEAsy5YWDC99ebYHNRj5kh47wY4i8cZvH+/p9cnrfwFTMU01VFDly3IR
2G395NLy5Qd7ZDxfA9mCOfT/yyEfbobMJZi8oGCstSNOxrZZVnMqWrTYfdrKX7
802.1X Port Authentication
The switch supports IEEE 802.1X (dot1x) port-based access control that prevents unauthorized access to the network by requiring users to first submit credentials for authentication. Client authentication is controlled centrally by a RADIUS server using EAP (Extensible Authentication Protocol).
Table 48: 802.1X Port Authentication Commands
dot1x eapol-pass-through
This command passes EAPOL frames through to all ports in STP forwarding state when dot1x is globally disabled. Use the no form to restore the default.
Authenticator Commands

dot1x intrusion-action
This command sets the port’s response to a failed authentication, either to block all traffic, or to assign all traffic for the port to a guest VLAN. Use the no form to reset the default.
Syntax
dot1x intrusion-action {block-traffic | guest-vlan}
no dot1x intrusion-action
block-traffic - Blocks traffic on this port.
guest-vlan - Assigns the user to the Guest VLAN.
Command Mode
Interface Configuration
Example
Console(config)#interface eth 1/2
Console(config-if)#dot1x max-reauth-req 2
Console(config-if)#

dot1x max-req
This command sets the maximum number of times the switch port will retransmit an EAP request/identity packet to the client before it times out the authentication session. Use the no form to restore the default.
mac-based – Allows multiple hosts to connect to this port, with each host needing to be authenticated.
Default
Single-host
Command Mode
Interface Configuration
Command Usage
◆ The “max-count” parameter specified by this command is only effective if the dot1x mode is set to “auto” by the dot1x port-control command.
Command Mode
Interface Configuration
Example
Console(config)#interface eth 1/2
Console(config-if)#dot1x port-control auto
Console(config-if)#

dot1x re-authentication
This command enables periodic re-authentication for a specified port. Use the no form to disable re-authentication.
Default
60 seconds
Command Mode
Interface Configuration
Example
Console(config)#interface eth 1/2
Console(config-if)#dot1x timeout quiet-period 350
Console(config-if)#

dot1x timeout re-authperiod
This command sets the time period after which a connected client must be re-authenticated. Use the no form of this command to reset the default.
Syntax
dot1x timeout re-authperiod seconds
no dot1x timeout re-authperiod
seconds - The number of seconds.
Command Mode
Interface Configuration
Command Usage
This command sets the timeout for EAP-request frames other than EAP-request/identity frames. If dot1x authentication is enabled on a port, the switch will initiate authentication when the port link state comes up. It will send an EAP-request/identity frame to the client to request its identity, followed by one or more requests for authentication information.
dot1x re-authenticate
This command forces re-authentication on all ports or a specific interface.
Syntax
dot1x re-authenticate [interface]
interface
  ethernet unit/port
    unit - Unit identifier. (Range: 1)
    port - Port number. (Range: 1-12)
Command Mode
Privileged Exec
Command Usage
The re-authentication process verifies the connected client’s user ID and password on the RADIUS server.
parameters must be set when this switch passes client authentication requests to another authenticator on the network (see the dot1x pae supplicant command).
Command Usage
◆ When devices attached to a port must submit requests to another authenticator on the network, configure the identity profile parameters (see the dot1x identity profile command) which identify this switch as a supplicant, and use this command to enable dot1x supplicant mode for those ports which must authenticate clients through a remote authenticator.
dot1x timeout held-period
This command sets the time that a supplicant port waits before resending its credentials to find a new authenticator. Use the no form to reset the default.
Syntax
dot1x timeout held-period seconds
no dot1x timeout held-period
seconds - The number of seconds.
Information Display Commands

show dot1x
This command shows general port authentication related settings on the switch or a specific interface.
Syntax
show dot1x [statistics] [interface interface]
statistics - Displays dot1x status for each port.
interface
  ethernet unit/port
    unit - Unit identifier. (Range: 1)
    port - Port number.
◆ Authenticator PAE State Machine
  ■ State – Current state (including initialize, disconnected, connecting, authenticating, authenticated, aborting, held, force_authorized, force_unauthorized).
  ■ Reauth Count – Number of times connecting state is re-entered.
  ■ Current Identifier – The integer (0-255) used by the Authenticator to identify the current authentication session.
Eth 1/ 2   Disabled   Single-Host   Force-Authorized   Yes
. . .
Eth 1/11   Disabled   Single-Host   Force-Authorized   Yes
Eth 1/12   Enabled    Single-Host   Auto               Yes

802.1X Port Details
802.1X Authenticator is enabled on port 1/1
802.1X Supplicant is disabled on port 1/1
. . .
Console#show dot1x interface ethernet 1/10
802.
Management IP Filter
This section describes commands used to configure IP management access to the switch.
◆ IP addresses can be configured for SNMP, web, and Telnet access respectively. Each of these groups can include up to five different sets of addresses, either individual addresses or address ranges.
◆ When entering addresses for the same group (i.e., SNMP, web, or Telnet), the switch will not accept overlapping address ranges. When entering addresses for different groups, the switch will accept overlapping address ranges.
TELNET-Client:
   Start IP address    End IP address
   ----------------------------------------------
1. 192.168.1.19        192.168.1.19
2. 192.168.1.25        192.168.1.30
Console#

PPPoE Intermediate Agent
This section describes commands used to configure the PPPoE Intermediate Agent (PPPoE IA) relay parameters required for passing authentication messages between a client and broadband remote access servers.
Command Mode
Global Configuration
Command Usage
◆ The switch inserts a tag identifying itself as a PPPoE Intermediate Agent residing between the attached client requesting network access and the ports connected to broadband remote access servers (BRAS).
Command Usage
◆ The switch uses the access-node-identifier to generate the circuit-id for PPPoE discovery stage packets sent to the BRAS, but does not modify the source or destination MAC address of these PPPoE discovery packets.
◆ These messages are forwarded to all trusted ports designated by the pppoe intermediate-agent trust command.
pppoe intermediate-agent port-format-type
This command sets the circuit-id or remote-id for an interface. Use the no form to restore the default settings.
Syntax
pppoe intermediate-agent port-format-type {circuit-id | remote-id} idstring
circuit-id - String identifying the circuit identifier (or interface) on this switch to which the user is connected.
pppoe intermediate-agent trust
This command sets an interface to trusted mode to indicate that it is connected to a PPPoE server. Use the no form to set an interface to untrusted mode.
Syntax
[no] pppoe intermediate-agent trust
Default Setting
Untrusted
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
Set any interfaces connecting the switch to a PPPoE Server as trusted.
Example
Console(config)#interface ethernet 1/5
Console(config-if)#pppoe intermediate-agent vendor-tag strip
Console(config-if)#

clear pppoe intermediate-agent statistics
This command clears statistical counters for the PPPoE Intermediate Agent.
Syntax
clear pppoe intermediate-agent statistics interface [interface]
interface
  ethernet unit/port
    unit - Unit identifier. (Range: 1)
    port - Port number.
PPPoE Intermediate Agent Oper Access Node Identifier : 192.168.2.14
PPPoE Intermediate Agent Admin Generic Error Message :
PPPoE Intermediate Agent Oper Generic Error Message : PPPoE Discover packet too large to process. Try reducing the number of tags added.
Table 51: show pppoe intermediate-agent statistics - display description (Continued)
Field                      Description
PADO                       PPPoE Active Discovery Offer
PADR                       PPPoE Active Discovery Request
PADS                       PPPoE Active Discovery Session-Confirmation
PADT                       PPPoE Active Discovery Terminate
Dropped
  Response from untrusted  Response from an interface which has not been configured as trusted.
9 General Security Measures
This switch supports many methods of segregating traffic for clients attached to each of the data ports, and for ensuring that only authorized clients gain access to the network. Port-based authentication using IEEE 802.1X is commonly used for these purposes. In addition to these methods, several other options for providing client security are described in this chapter.
Chapter 9 | General Security Measures Port Security

Port Security
These commands can be used to enable port security on a port. When using port security, the switch stops learning new MAC addresses on the specified port when it has reached a configured maximum number. Only incoming traffic with source addresses already stored in the dynamic or static address table for this port will be authorized to access the network.
Command Mode
Interface Configuration (Ethernet)
Command Usage
◆ The default maximum number of MAC addresses allowed on a secure port is zero (that is, port security is disabled). To use port security, you must configure the maximum number of addresses allowed on a port using the port security max-mac-count command.
Related Commands
show interfaces status (388)
shutdown (377)
mac-address-table static (454)

show port security
This command displays port security status and the secure address count.
Syntax
show port security [interface interface]
interface - Specifies a port interface.
  ethernet unit/port
    unit - Unit identifier (Range: 1)
    port - Port number.
Table 54: show port security - display description
Field             Description
Port Security     The configured status (enabled or disabled).
Port Status       The operational status:
                  ◆ Secure/Down – Port security is disabled.
                  ◆ Secure/Up – Port security is enabled.
                  ◆ Shutdown – Port is shut down due to a response to a port security violation.
Intrusion Action  The configured intrusion response.
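The port-security behaviour described in this section (learning stops at max-mac-count, only known source addresses are forwarded, and an unknown address after that is a violation) can be modelled in a few lines. The following Python is an added example written for this guide and is not Edge-Core code; the class and function names, the intrusion action values (trap, shutdown, trap-and-shutdown) and the traffic sample are assumptions made for the illustration.

```python
# Added example, not Edge-Core code: a model of the port-security behaviour the
# section describes. A secure port learns source MACs until max-mac-count is
# reached; after that only frames whose source MAC is already in the port's
# static or dynamic table are forwarded, and a frame from an unknown MAC is a
# violation handled by the intrusion action. Action names are assumptions.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class SecurePort:
    name: str
    max_mac_count: int = 0             # 0 = port security disabled (the page's default)
    action: str = "trap"               # assumed values: trap, shutdown, trap-and-shutdown
    static: Set[str] = field(default_factory=set)   # mac-address-table static entries
    dynamic: Set[str] = field(default_factory=set)  # addresses learned on the secure port
    shutdown: bool = False
    traps: List[str] = field(default_factory=list)
    last_intrusion_mac: Optional[str] = None

    @property
    def enabled(self) -> bool:
        return self.max_mac_count > 0

    def secure_count(self) -> int:
        return len(self.static | self.dynamic)

    def ingress(self, src_mac: str) -> bool:
        """Return True when a frame with this source MAC is forwarded."""
        src_mac = src_mac.lower()
        if self.shutdown:
            return False                       # port disabled by an earlier violation
        if not self.enabled:
            return True                        # ordinary learning port, nothing enforced
        if src_mac in self.static or src_mac in self.dynamic:
            return True                        # address already authorized on this port
        if self.secure_count() < self.max_mac_count:
            self.dynamic.add(src_mac)          # below the limit: learn and forward
            return True
        # Limit reached and the address is unknown: port-security violation.
        self.last_intrusion_mac = src_mac
        if self.action in ("trap", "trap-and-shutdown"):
            self.traps.append(f"{self.name}: intrusion from {src_mac}")
        if self.action in ("shutdown", "trap-and-shutdown"):
            self.shutdown = True
        return False

    def status(self) -> Dict[str, object]:
        """Roughly the fields that 'show port security' reports for the port."""
        if not self.enabled:
            port_status = "Secure/Down"
        elif self.shutdown:
            port_status = "Shutdown"
        else:
            port_status = "Secure/Up"
        return {"port_security": "Enabled" if self.enabled else "Disabled",
                "port_status": port_status, "max_mac_count": self.max_mac_count,
                "secure_count": self.secure_count(),
                "last_intrusion_mac": self.last_intrusion_mac}


def run_scenario() -> Dict[str, object]:
    """Constructed traffic on one port configured with max-mac-count 2."""
    port = SecurePort("eth 1/5", max_mac_count=2, action="trap-and-shutdown")
    frames = ["00-10-22-00-00-01", "00-10-22-00-00-02", "00-10-22-00-00-01",
              "00-10-22-00-00-03",   # third distinct MAC: violation
              "00-10-22-00-00-01"]   # known MAC, but the port is now shut down
    decisions = [port.ingress(m) for m in frames]
    return {"decisions": decisions, "status": port.status(), "traps": len(port.traps)}


if __name__ == "__main__":
    print(run_scenario())
```

Note the last frame in the scenario: once the port has been shut down by the violation, even a previously authorized address is no longer forwarded, which is why the guide lists the shutdown command among the related commands for re-enabling the port.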
MAC Filter                        : 2Disabled
Last Intrusion MAC                : 00-10-22-00-00-01
Last Time Detected Intrusion MAC  : 2010/7/29 15:13:03
Console#

Network Access (MAC Address Authentication)
Network Access authentication controls access to the network by authenticating the MAC address of each host that attempts to connect to a switch port.
Table 55: Network Access Commands (Continued)
Command                                Function                                                          Mode
show network-access mac-address-table  Displays information for entries in the secure MAC address table  PE
show network-access mac-filter         Displays information for entries in the MAC filter tables         PE

network-access aging
Use this command to enable aging for authenticated MAC addresses stored in the secure MAC address table.
network-access mac-filter
Use this command to add a MAC address into a filter table. Use the no form of this command to remove the specified MAC address.
Syntax
[no] network-access mac-filter filter-id mac-address mac-address [mask mask-address]
filter-id - Specifies a MAC address filter table. (Range: 1-64)
mac-address - Specifies a MAC address entry.
mac-authentication reauth-time
Use this command to set the time period after which a connected MAC address must be re-authenticated. Use the no form of this command to restore the default value.
Syntax
mac-authentication reauth-time seconds
no mac-authentication reauth-time
seconds - The reauthentication time period.
(attribute 11) can be configured on the RADIUS server to pass the following QoS information:
Table 56: Dynamic QoS Profiles
Profile      Attribute Syntax                     Example
DiffServ     service-policy-in=policy-map-name    service-policy-in=p1
Rate Limit   rate-limit-input=rate (kbps)         rate-limit-input=100 (kbps)
             rate-limit-output=rate (kbps)        rate-limit-output=200 (kbps)
802.
Command Mode
Interface Configuration
Command Usage
◆ When enabled, the VLAN identifiers returned by the RADIUS server through the 802.1X authentication process will be applied to the port, providing the VLANs have already been created on the switch. GVRP is not used to create the VLANs.
◆ The VLAN settings specified by the first authenticated MAC address are implemented for a port.
◆ When used with 802.1X authentication, the intrusion-action must be set to “guest-vlan” to be effective (see the dot1x intrusion-action command).
◆ A port can only be assigned to the guest VLAN in case of failed authentication if switchport mode is set to Hybrid.
Default Setting
Disabled
Command Mode
Interface Configuration
Example
Console(config)#interface ethernet 1/1
Console(config-if)#network-access link-detection link-down action trap
Console(config-if)#

network-access link-detection link-up
Use this command to detect link-up events. When detected, the switch can shut down the port, send an SNMP trap, or both. Use the no form of this command to disable this feature.
no network-access link-detection
action - Response to take when port security is violated.
  shutdown - Disable port only.
  trap - Issue SNMP trap message only.
  trap-and-shutdown - Issue SNMP trap message and disable the port.
network-access mode mac-authentication
Use this command to enable network access authentication on a port. Use the no form of this command to disable network access authentication.
network-access port-mac-filter
Use this command to enable the specified MAC address filter. Use the no form of this command to disable the specified MAC address filter.
Syntax
network-access port-mac-filter filter-id
no network-access port-mac-filter
filter-id - Specifies a MAC address filter table.
mac-authentication max-mac-count
Use this command to set the maximum number of MAC addresses that can be authenticated on a port via MAC authentication. Use the no form of this command to restore the default.
Syntax
mac-authentication max-mac-count count
no mac-authentication max-mac-count
count - The maximum number of MAC-authenticated MAC addresses allowed.
Example
Console#clear network-access mac-address-table interface ethernet 1/1
Console#

show network-access
Use this command to display the MAC authentication settings for port interfaces.
Syntax
show network-access [interface interface]
interface - Specifies a port interface.
  ethernet unit/port
    unit - Unit identifier. (Range: 1)
    port - Port number. (Range: 1-12)
Default Setting
Displays the settings for all interfaces.
show network-access mac-address-table
Use this command to display secure MAC address table entries.
Syntax
show network-access mac-address-table [static | dynamic] [address mac-address [mask]] [interface interface] [sort {address | interface}]
static - Specifies static address entries.
dynamic - Specifies dynamic address entries.
mac-address - Specifies a MAC address entry.
show network-access mac-filter
Use this command to display information for entries in the MAC filter tables.
Syntax
show network-access mac-filter [filter-id]
filter-id - Specifies a MAC address filter table. (Range: 1-64)
Default Setting
Displays all filters.
Table 57: Web Authentication (Continued)
Command                          Function                                                                          Mode
web-auth system-auth-control     Enables web authentication globally for the switch                                GC
web-auth                         Enables web authentication for an interface                                       IC
web-auth re-authenticate (Port)  Ends all web authentication sessions on the port and forces the users to re-authenticate  PE
web-auth re-authenticate (IP)    Ends the web authentication session associated with the designated IP address and f  PE
web-auth quiet-period
This command defines the amount of time a host must wait after exceeding the limit for failed login attempts, before it may attempt web authentication again. Use the no form to restore the default.
Syntax
web-auth quiet-period time
no web-auth quiet-period
time - The amount of time the host must wait before attempting authentication again.
web-auth system-auth-control
This command globally enables web authentication for the switch. Use the no form to restore the default.
Syntax
[no] web-auth system-auth-control
Default Setting
Disabled
Command Mode
Global Configuration
Command Usage
Both web-auth system-auth-control for the switch and web-auth for an interface must be enabled for the web authentication feature to be active.
web-auth re-authenticate (Port)
This command ends all web authentication sessions connected to the port and forces the users to re-authenticate.
Syntax
web-auth re-authenticate interface interface
interface - Specifies a port interface.
  ethernet unit/port
    unit - Unit identifier. (Range: 1)
    port - Port number.
show web-auth
This command displays global web authentication parameters.
Command Mode
Privileged Exec
Example
Console#show web-auth
Global Web-Auth Parameters
  System Auth Control : Enabled
  Session Timeout     : 3600
  Quiet Period        : 60
  Max Login Attempts  : 3
Console#

show web-auth interface
This command displays interface-specific web authentication parameters and statistics.
show web-auth summary
This command displays a summary of web authentication port parameters and statistics.
Command Mode
Privileged Exec
Example
Console#show web-auth summary
Global Web-Auth Parameters
  System Auth Control
Port   Status
-----  --------
1/ 1   Disabled
1/ 2   Enabled
1/ 3   Disabled
1/ 4   Disabled
1/ 5   Disabled
. . .
Table 58: DHCP Snooping Commands (Continued)
Command                                           Function                                                                  Mode
ip dhcp snooping information option circuit-id    Enables or disables the use of DHCP Option 82 circuit-id suboption        IC
ip dhcp snooping trust                            Configures the specified interface as trusted                             IC
clear ip dhcp snooping binding                    Clears DHCP snooping binding table entries from RAM                       PE
clear ip dhcp snooping database flash             Removes all dynamically learned snooping entries from f
◆ Filtering rules are implemented as follows:
  ■ If global DHCP snooping is disabled, all DHCP packets are forwarded.
  ■ If DHCP snooping is enabled globally, and also enabled on the VLAN where the DHCP packet is received, all DHCP packets are forwarded for a trusted port. If the received packet is a DHCP ACK message, a dynamic DHCP snooping entry is also added to the binding table.
Example
This example enables DHCP snooping globally for the switch.
Console(config)#ip dhcp snooping
Console(config)#
Related Commands
ip dhcp snooping vlan (311)
ip dhcp snooping trust (313)

ip dhcp snooping information option
This command enables the use of DHCP Option 82 information for the switch, and specifies the frame format to use for the remote-id when Option 82 information is generated by the switch.
Command Usage
◆ DHCP provides a relay mechanism for sending information about the switch and its DHCP clients to the DHCP server. Known as DHCP Option 82, it allows compatible DHCP servers to use the information when assigning IP addresses, or to set other services or policies for clients.
Default Setting
Enabled
Command Mode
Global Configuration
Command Usage
See the Command Usage section under the ip dhcp snooping information option circuit-id command for a description of how these fields are included in TR-101 syntax.
Example
This example enables the use of sub-type and sub-length fields for the circuit-ID (CID) and remote-ID (RID).
Command Usage
The format for the TR101 option 82 circuit-id is: “<SID> eth <unit>/<port>[:<VLAN ID>]”. Note that the SID (Switch ID) is always 0. By default the PVID is added to the end of the TR101 field for untagged packets. For tagged packets, the VLAN ID is always added. Use the ip dhcp snooping information option remote-id tr101 no-vlan-field command to remove the VLAN ID from the end of the TR101 field for untagged packets.
Example
Console(config)#ip dhcp snooping information policy drop
Console(config)#

ip dhcp snooping verify mac-address
This command verifies the client’s hardware address stored in the DHCP packet against the source MAC address in the Ethernet header. Use the no form to disable this function.
Command Mode
Global Configuration
Command Usage
◆ When DHCP snooping is enabled globally using the ip dhcp snooping command, and enabled on a VLAN with this command, DHCP packet filtering will be performed on any untrusted ports within the VLAN as specified by the ip dhcp snooping trust command.
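The filtering rules listed above, together with the verify mac-address check and the binding-table update on a DHCP ACK, are easier to reason about as a small decision procedure. The Python below is an added example written for this guide, not Edge-Core code. It assumes simplified packet records, assumed port names, and one rule the excerpt does not state outright but which is the normal DHCP snooping behaviour: server messages (OFFER, ACK, NAK) arriving on an untrusted port are dropped. The client port recorded in the binding is taken from the client's own earlier request, which is also an assumption of this model.

```python
# Added example, not Edge-Core code: the DHCP snooping filtering rules and the
# "verify mac-address" check described above, run over constructed packets.
# Packets are simplified dicts; port names and the rule that server messages
# arriving on untrusted ports are dropped are assumptions of this model.
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

CLIENT_MSGS = {"DISCOVER", "REQUEST", "DECLINE", "RELEASE", "INFORM"}


@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    vlan: int
    port: str


@dataclass
class DhcpSnooping:
    enabled: bool = False                              # ip dhcp snooping
    vlans: Set[int] = field(default_factory=set)       # ip dhcp snooping vlan
    trusted: Set[str] = field(default_factory=set)     # ip dhcp snooping trust
    verify_mac: bool = True                            # ip dhcp snooping verify mac-address
    bindings: List[Binding] = field(default_factory=list)
    pending: Dict[Tuple[str, int], str] = field(default_factory=dict)  # (chaddr, vlan) -> client port

    def filter(self, pkt: Dict) -> Tuple[bool, str]:
        """Decide whether one DHCP packet is forwarded; returns (forward, reason)."""
        if not self.enabled:
            return True, "snooping disabled globally"
        if pkt["vlan"] not in self.vlans:
            return True, "snooping not enabled on this VLAN"
        chaddr = pkt["chaddr"].lower()
        if pkt["type"] in CLIENT_MSGS:
            # verify mac-address: the client hardware address must equal the frame's source MAC
            if self.verify_mac and pkt["eth_src"].lower() != chaddr:
                return False, "chaddr does not match Ethernet source MAC"
            self.pending[(chaddr, pkt["vlan"])] = pkt["port"]   # remember where the client is
            return True, "client message forwarded"
        if pkt["port"] not in self.trusted:
            return False, "server message on untrusted port"      # assumption, see lead-in
        if pkt["type"] == "ACK":
            client_port = self.pending.get((chaddr, pkt["vlan"]), "unknown")
            self.bindings.append(Binding(chaddr, pkt["yiaddr"], pkt["vlan"], client_port))
        return True, "server message on trusted port"


def make_pkt(kind: str, port: str, eth_src: str, chaddr: str,
             yiaddr: str = "0.0.0.0", vlan: int = 1) -> Dict:
    """Build a constructed, simplified DHCP packet record."""
    return {"type": kind, "port": port, "vlan": vlan, "eth_src": eth_src,
            "chaddr": chaddr, "yiaddr": yiaddr}


def run_scenario():
    """Constructed exchange: a client on eth 1/3, the real server on trusted eth 1/12."""
    snoop = DhcpSnooping(enabled=True, vlans={1}, trusted={"eth 1/12"})
    client = "00-10-22-00-00-01"
    packets = [
        make_pkt("DISCOVER", "eth 1/3", client, client),
        make_pkt("OFFER", "eth 1/7", "00-aa-bb-00-00-99", client, "192.168.1.50"),   # server reply on an untrusted port
        make_pkt("REQUEST", "eth 1/3", client, "00-10-22-00-00-02"),                 # chaddr differs from source MAC
        make_pkt("REQUEST", "eth 1/3", client, client),
        make_pkt("ACK", "eth 1/12", "00-aa-bb-00-00-01", client, "192.168.1.20"),
        make_pkt("DISCOVER", "eth 1/4", "00-10-22-00-00-05", "00-10-22-00-00-05", vlan=2),  # VLAN not snooped
    ]
    decisions = [snoop.filter(p)[0] for p in packets]
    return decisions, snoop.bindings


if __name__ == "__main__":
    print(run_scenario())
```

The binding produced by the ACK is what the later IP Source Guard and ARP Inspection sections consume, so a snooping misconfiguration (for example a server port left untrusted) shows up first as an empty binding table rather than as dropped client traffic.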
Command Usage section under the ip dhcp snooping information option command.
◆ Option 82 information generated by the switch is based on TR-101 syntax as shown below:
Table 59: Option 82 information
  82       3-69       1          1-67          x1 x2 x3 x4 x5 ... x63
  opt82    opt-len    sub-opt1   string-len    R-124 string
The circuit identifier used by this switch starts at sub-option1 and goes to the end of the R-124 string.
Default Setting
All interfaces are untrusted
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
◆ A trusted interface is an interface that is configured to receive only messages from within the network. An untrusted interface is an interface that is configured to receive messages from outside the network or firewall.
clear ip dhcp snooping binding
This command clears DHCP snooping binding table entries from RAM. Use this command without any optional keywords to clear all entries from the binding table.
Syntax
clear ip dhcp snooping binding [mac-address vlan vlan-id]
mac-address - Specifies a MAC address entry.
show ip dhcp snooping
This command shows the DHCP snooping configuration settings.
Command Mode
Privileged Exec
Example
Console#show ip dhcp snooping
Verify Source MAC-Address: enabled
Interface   Trusted   Circuit-ID mode   Circuit-ID Value
---------   -------   ---------------   ------------------------------------------
Eth 1/1     No        VLAN-Unit-Port
Eth 1/2     No        VLAN-Unit-Port
Eth 1/3     No        VLAN-Unit-Port
Eth 1/4     No        VLAN-Unit-Port
Eth 1/5     No        VLAN-Unit-Port
. . .
Table 60: IP Source Guard Commands
Command                        Function                                                              Mode
ip source-guard max-binding    Sets the maximum number of entries that can be bound to an interface  IC
show ip source-guard           Shows whether source guard is enabled or disabled on each interface   PE
show ip source-guard binding   Shows the source guard binding table                                  PE

ip source-guard
This command adds a static address to the source-guard binding table.
◆ An entry with the same MAC address and a different VLAN ID cannot be added to the binding table.
◆ Static bindings are processed as follows:
  ■ A valid static IP source guard entry will be added to the binding table in ACL mode if one of the following conditions is true:
    ■ If there is no entry with the same VLAN ID and MAC address, a new entry is added to the binding table using the type of static IP source guard binding.
ip source-guard
This command configures the switch to filter inbound traffic based on source IP address, or source IP address and corresponding MAC address. Use the no form to disable this function.
Syntax
ip source-guard {sip | sip-mac}
no ip source-guard
sip - Filters traffic based on IP addresses stored in the binding table.
sip-mac - Filters traffic based on IP addresses and corresponding MAC addresses stored in the binding table.
sip-mac option). If a matching entry is found in the binding table and the entry type is static IP source guard binding, the packet will be forwarded.
  ■ If DHCP snooping is enabled, IP source guard will check the VLAN ID, source IP address, port number, and source MAC address (for the sip-mac option).
discovered by DHCP snooping and static entries set by the ip source-guard command.
Example
This example sets the maximum number of allowed entries in the binding table for port 5 to one entry.
Console(config)#interface ethernet 1/5
Console(config-if)#ip source-guard max-binding 1
Console(config-if)#

show ip source-guard
This command shows whether source guard is enabled or disabled on each interface.
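The lookup that the ip source-guard and ip source-guard max-binding commands describe (match on VLAN, source IP and port, and additionally on source MAC in sip-mac mode; refuse a binding whose MAC is already bound in another VLAN; cap the entries per port) is shown below as an added Python example written for this guide. It is not Edge-Core code; the class names, the default max-binding of 5 used when none is configured, the refusal of an exact duplicate entry, and the sample bindings and packets are assumptions.

```python
# Added example, not Edge-Core code: the IP source guard lookup described above.
# Bindings come from static ip source-guard entries or DHCP snooping; a port in
# sip mode matches on VLAN, source IP and port, sip-mac additionally on source
# MAC. The per-port default of 5 bindings, the duplicate rule and the samples
# are assumptions of this model.
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    vlan: int
    port: str
    kind: str            # "static" or "dhcp-snooping"


@dataclass
class SourceGuard:
    mode: Dict[str, str] = field(default_factory=dict)         # port -> "sip" | "sip-mac"
    max_binding: Dict[str, int] = field(default_factory=dict)  # ip source-guard max-binding
    table: List[Binding] = field(default_factory=list)

    def add_binding(self, b: Binding) -> Optional[str]:
        """Return None on success, or the reason the entry was refused."""
        mac = b.mac.lower()
        for e in self.table:
            if e.mac == mac and e.vlan != b.vlan:
                return "same MAC already bound in another VLAN"     # rule quoted above
            if e.mac == mac and e.vlan == b.vlan:
                return "entry for this VLAN and MAC already exists"  # simplification
        count = sum(1 for e in self.table if e.port == b.port)
        if count >= self.max_binding.get(b.port, 5):              # assumed default of 5
            return "max-binding reached on port"
        self.table.append(Binding(mac, b.ip, b.vlan, b.port, b.kind))
        return None

    def permit(self, port: str, vlan: int, sip: str, smac: str) -> bool:
        """Filter one inbound IP packet received on a port."""
        mode = self.mode.get(port)
        if mode is None:
            return True                            # source guard not enabled on this port
        for e in self.table:
            if e.port != port or e.vlan != vlan or e.ip != sip:
                continue
            if mode == "sip-mac" and e.mac != smac.lower():
                continue
            return True
        return False


def run_scenario():
    """Constructed bindings and traffic on two guarded ports and one unguarded port."""
    sg = SourceGuard(mode={"eth 1/5": "sip-mac", "eth 1/6": "sip"}, max_binding={"eth 1/5": 1})
    results = [
        sg.add_binding(Binding("00-10-b5-f4-d0-01", "10.2.44.96", 1, "eth 1/5", "static")),
        sg.add_binding(Binding("00-10-b5-f4-d0-02", "10.2.44.97", 1, "eth 1/5", "dhcp-snooping")),  # over max-binding 1
        sg.add_binding(Binding("00-10-b5-f4-d0-01", "10.2.44.96", 2, "eth 1/6", "static")),         # same MAC, other VLAN
        sg.add_binding(Binding("00-10-b5-f4-d0-03", "10.2.44.98", 1, "eth 1/6", "dhcp-snooping")),
    ]
    checks = [
        sg.permit("eth 1/5", 1, "10.2.44.96", "00-10-b5-f4-d0-01"),   # bound IP and MAC
        sg.permit("eth 1/5", 1, "10.2.44.96", "00-10-b5-f4-d0-09"),   # MAC mismatch in sip-mac mode
        sg.permit("eth 1/5", 1, "10.2.44.200", "00-10-b5-f4-d0-01"),  # IP not bound
        sg.permit("eth 1/6", 1, "10.2.44.98", "00-10-b5-f4-d0-ff"),   # sip mode ignores the MAC
        sg.permit("eth 1/6", 2, "10.2.44.98", "00-10-b5-f4-d0-03"),   # VLAN mismatch
        sg.permit("eth 1/7", 1, "10.2.44.250", "00-00-00-00-00-01"),  # source guard not enabled
    ]
    return results, checks


if __name__ == "__main__":
    print(run_scenario())
```

The fourth check is the practical difference between the two modes: in sip mode any host that spoofs a bound IP address on the same port passes, so sip-mac is the setting to prefer wherever the binding table carries MAC addresses.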
Example
Console#show ip source-guard binding
MAC Address         IP Address        Type            VLAN      Interface
-----------------   ---------------   --------------  --------- ---------
00-10-b5-f4-d0-01   10.2.44.96        static-acl      1         Eth 1/1
Console#

ARP Inspection
ARP Inspection validates the MAC-to-IP address bindings in Address Resolution Protocol (ARP) packets. It protects against ARP traffic with invalid address bindings, which forms the basis for certain “man-in-the-middle” attacks.
Table 61: ARP Inspection Commands (Continued)
Command                            Function                                                                                                               Mode
show ip arp inspection statistics  Shows statistics about the number of ARP packets processed, or dropped for various reasons                            PE
show ip arp inspection vlan        Shows configuration setting for VLANs, including ARP Inspection status, the ARP ACL name, and if the DHCP Snooping database is used after ACL validation is completed  PE

ip arp inspection
This command enables ARP Inspection gl
Example
Console(config)#ip arp inspection
Console(config)#

ip arp inspection filter
This command specifies an ARP ACL to apply to one or more VLANs. Use the no form to remove an ACL binding.
Syntax
ip arp inspection filter arp-acl-name vlan {vlan-id | vlan-range} [static]
no ip arp inspection filter arp-acl-name vlan {vlan-id | vlan-range}
arp-acl-name - Name of an ARP ACL.
ip arp inspection log-buffer logs
This command sets the maximum number of entries saved in a log message, and the rate at which these messages are sent. Use the no form to restore the default settings.
Syntax
ip arp inspection log-buffer logs message-number interval seconds
no ip arp inspection log-buffer logs
message-number - The maximum number of entries saved in a log message.
ip arp inspection validate
This command specifies additional validation of address components in an ARP packet. Use the no form to restore the default setting.
Syntax
ip arp inspection validate {dst-mac [ip [src-mac]] | ip [src-mac] | src-mac}
no ip arp inspection validate
dst-mac - Checks the destination MAC address in the Ethernet header against the target MAC address in the ARP body. This check is performed for ARP responses.
Default Setting
Disabled on all VLANs
Command Mode
Global Configuration
Command Usage
◆ When ARP Inspection is enabled globally with the ip arp inspection command, it becomes active only on those VLANs where it has been enabled with this command.
◆ When ARP Inspection is enabled globally and enabled on selected VLANs, all ARP request and reply packets on those VLANs are redirected to the CPU and their switching is handled by the ARP Inspection engine.

Default Setting
15
Command Mode
Interface Configuration (Port, Static Aggregation)
Command Usage
◆ This command applies to both trusted and untrusted ports.
◆ When the rate of incoming ARP packets exceeds the configured limit, the switch drops all ARP packets in excess of the limit.

show ip arp inspection
This command displays the global configuration settings for ARP Inspection.
show ip arp inspection log
This command shows information about entries stored in the log, including the associated VLAN, port, and address components.
Command Mode
Privileged Exec
Example
Console#show ip arp inspection log
Total log entries number is 1
Num  VLAN  Port  Src IP Address  Dst IP Address
---  ----  ----  --------------  --------------
1    1     11    192.168.2.2     192.168.2.
Console#
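The following is an added example, not the switch's own code, showing the per-packet checks that the dst-mac, src-mac and ip options of ip arp inspection validate describe, plus the per-port rate limit whose default of 15 packets per second appears above. The page's description of the ip check is cut off, so this block assumes the usual semantics (0.0.0.0, 255.255.255.255 and multicast addresses are invalid; the sender IP is checked in every packet and the target IP only in responses). Names and the one-second bucket are illustrative.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Added example, not the switch's own code: the per-packet checks behind
# "ip arp inspection validate" and the per-port limit behind
# "ip arp inspection limit". Assumption: the "ip" check treats 0.0.0.0,
# 255.255.255.255 and multicast addresses as invalid, looking at the sender
# IP in every packet and the target IP only in responses.

@dataclass(frozen=True)
class ArpPacket:
    eth_src: str
    eth_dst: str
    op: str            # "request" or "response"
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str

def _same_mac(a: str, b: str) -> bool:
    norm = lambda m: m.lower().replace(":", "-")
    return norm(a) == norm(b)

def _bad_ip(ip: str) -> bool:
    a = ipaddress.ip_address(ip)
    return ip in ("0.0.0.0", "255.255.255.255") or a.is_multicast

def validate(pkt: ArpPacket, checks: Tuple[str, ...]) -> List[str]:
    """Return the names of the enabled checks the packet fails (empty = pass)."""
    failed = []
    # dst-mac: Ethernet destination vs ARP target MAC, responses only
    if "dst-mac" in checks and pkt.op == "response" and not _same_mac(pkt.eth_dst, pkt.target_mac):
        failed.append("dst-mac")
    # src-mac: Ethernet source vs ARP sender MAC, requests and responses
    if "src-mac" in checks and not _same_mac(pkt.eth_src, pkt.sender_mac):
        failed.append("src-mac")
    if "ip" in checks:
        ips = [pkt.sender_ip] + ([pkt.target_ip] if pkt.op == "response" else [])
        if any(_bad_ip(ip) for ip in ips):
            failed.append("ip")
    return failed

class ArpRateLimit:
    """Per-port packets-per-second limit; packets above the limit are dropped."""
    def __init__(self, limit: int = 15) -> None:   # 15 is the default stated above
        self.limit = limit
        self.seen: Dict[Tuple[str, int], int] = defaultdict(int)

    def accept(self, port: str, t: float) -> bool:
        key = (port, int(t))                         # one bucket per second
        self.seen[key] += 1
        return self.seen[key] <= self.limit
```

The dst-mac check catches a reply whose ARP body claims a target MAC that differs from the frame's destination, which a poisoning tool must do when it unicasts a forged reply to a victim; the src-mac check catches the matching trick on the sender side.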
Chapter 9 | General Security Measures Denial of Service Protection Command Usage Enter this command to display the configuration settings for all VLANs, or display the settings for a specific VLAN by entering the VLAN identifier.
dos-protection echo-chargen
This command protects against DoS echo/chargen attacks, in which the echo service repeats anything sent to it and the chargen (character generator) service generates a continuous stream of data. When a spoofed packet makes one service's output the other's input, the two create an infinite loop and result in a denial of service. Use the no form without the bit rate parameter to disable this feature, or with the bit rate parameter to restore the default rate limit.
dos-protection tcp-flooding
This command protects against DoS TCP-flooding attacks, in which a perpetrator sends a succession of TCP SYN requests (with or without a spoofed source IP) to a target and never returns the ACK packets that would complete the handshake. These half-open connections bind resources on the target until no new connections can be made, resulting in a denial of service.
dos-protection tcp-syn-fin-scan
This command protects against DoS TCP SYN/FIN-scan attacks, in which a TCP SYN/FIN scan message is used to identify listening TCP ports. The scan uses a series of malformed TCP packets which carry both the SYN (synchronize) and FIN (finish) flags. If the target's TCP port is closed, the target replies with a TCP RST (reset) packet. If the target TCP port is open, it simply discards the TCP SYN/FIN scan packet.
dos-protection tcp-xmas-scan
This command protects against DoS TCP XMAS scans, in which a so-called TCP XMAS scan message is used to identify listening TCP ports. This scan uses a series of malformed TCP packets which contain a sequence number of 0 and the URG, PSH and FIN flags. If the target's TCP port is closed, the target replies with a TCP RST packet. If the target TCP port is open, it simply discards the TCP XMAS scan packet.
dos-protection win-nuke
This command protects against DoS WinNuke attacks, which affected the Microsoft Windows 3.1x/95/NT operating systems. In this type of attack, the perpetrator sends a string of out-of-band (OOB) packets with the TCP URG flag set to the target computer on TCP port 139 (NetBIOS), causing it to lock up and display a "Blue Screen of Death."
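The following is an added example, not the switch's own code, that classifies packets against the five patterns the dos-protection commands above describe: an echo/chargen loop, a SYN flood (SYN without ACK above a per-destination rate), a SYN/FIN scan, an XMAS scan (sequence number 0 with URG, PSH and FIN), and WinNuke (URG to TCP port 139). The SYN-flood threshold and window are illustrative parameters, and the classifier looks only at the header fields the page names.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Optional, Tuple, Union

# Added example, not the switch's own code: classifiers for the packet
# patterns the dos-protection commands describe. The SYN-flood threshold and
# window are illustrative; the switch's real counters are not documented here.

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
ECHO, CHARGEN, NETBIOS_SSN = 7, 19, 139

@dataclass(frozen=True)
class Tcp:
    src_ip: str
    dst_ip: str
    sport: int
    dport: int
    flags: int       # low six bits of byte 14 of the TCP header
    seq: int = 1

@dataclass(frozen=True)
class Udp:
    src_ip: str
    dst_ip: str
    sport: int
    dport: int

class DosDetector:
    def __init__(self, syn_threshold: int = 100, window: int = 1) -> None:
        self.syn_threshold = syn_threshold          # half-open attempts per window
        self.window = window                        # seconds
        self.half_open: Dict[Tuple[str, int], int] = defaultdict(int)  # (dst_ip, bucket)

    def classify(self, pkt: Union[Tcp, Udp], t: float = 0.0) -> Optional[str]:
        """Return the dos-protection category the packet matches, or None."""
        if isinstance(pkt, Udp):
            # echo/chargen: both ports belong to the two services that loop
            if {pkt.sport, pkt.dport} <= {ECHO, CHARGEN}:
                return "echo-chargen"
            return None
        if (pkt.flags & SYN) and (pkt.flags & FIN):
            return "tcp-syn-fin-scan"           # SYN and FIN never legitimately coexist
        if pkt.seq == 0 and (pkt.flags & (URG | PSH | FIN)) == (URG | PSH | FIN):
            return "tcp-xmas-scan"
        if (pkt.flags & URG) and pkt.dport == NETBIOS_SSN:
            return "win-nuke"
        if (pkt.flags & SYN) and not (pkt.flags & ACK):
            # count connection attempts per destination per window
            key = (pkt.dst_ip, int(t // self.window))
            self.half_open[key] += 1
            if self.half_open[key] > self.syn_threshold:
                return "tcp-flooding"
        return None
```

The first four checks are stateless signatures; only the SYN-flood check needs state, which is why on real hardware it is the one implemented as a rate limit rather than a simple drop.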
Chapter 9 | General Security Measures Port-based Traffic Segmentation Port-based Traffic Segmentation If tighter security is required for passing traffic from different clients through downlink ports on the local network and over uplink ports to the service provider, port-based traffic segmentation can be used to isolate traffic for individual clients. Traffic belonging to each client is isolated to the allocated downlink ports.
◆ When traffic segmentation is enabled, the forwarding state for the uplink and downlink ports assigned to different client sessions is shown below.

Command Mode
Global Configuration
Command Usage
◆ Use this command to create a new traffic-segmentation client session.
◆ Using the no form of this command will remove any assigned uplink or downlink ports, restoring these interfaces to normal operating mode.
◆ A downlink port can only communicate with an uplink port in the same session. Therefore, if an uplink port is not configured for a session, the assigned downlink ports will not be able to communicate with any other ports.
◆ If a downlink port is not configured for the session, the assigned uplink ports will operate as normal ports.

show
This command displays the configured traffic segments.
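The following is an added example, not the switch's own code, that turns the three forwarding rules stated above (downlink talks only to an uplink of its own session; a session without an uplink strands its downlinks; a session without downlinks leaves its uplinks as normal ports) into a function and a forwarding matrix. One point the page leaves open is assumed here: uplink ports may still forward to one another and to ports outside any session. Port and session names are illustrative.

```python
from typing import Dict, Iterable, Tuple

# Added example (not the switch's own code) of the port-based traffic
# segmentation forwarding rules. Assumption: uplink ports may forward to
# each other and to ports outside any session; the page does not say otherwise.

Session = Dict[str, Iterable[str]]    # {"uplink": [...], "downlink": [...]}

def port_roles(segments: Dict[int, Session]) -> Dict[str, Tuple[int, str]]:
    """Map port -> (session id, role). Uplinks of a session that has no
    downlink ports are left out, i.e. they behave as normal ports."""
    roles = {}
    for sid, s in segments.items():
        downlinks = list(s.get("downlink", []))
        for p in downlinks:
            roles[p] = (sid, "downlink")
        if downlinks:
            for p in s.get("uplink", []):
                roles[p] = (sid, "uplink")
    return roles

def can_forward(segments: Dict[int, Session], src: str, dst: str) -> bool:
    roles = port_roles(segments)
    rs, rd = roles.get(src), roles.get(dst)
    for me, peer in ((rs, rd), (rd, rs)):
        if me is not None and me[1] == "downlink":
            # a downlink port talks only to an uplink port of its own session,
            # in either direction; with no uplink in the session this is never true
            return peer is not None and peer[0] == me[0] and peer[1] == "uplink"
    return True   # normal <-> normal, uplink <-> normal, uplink <-> uplink

def forwarding_matrix(segments: Dict[int, Session], ports: Iterable[str]) -> Dict[Tuple[str, str], bool]:
    ports = list(ports)
    return {(a, b): can_forward(segments, a, b) for a in ports for b in ports if a != b}
```

Because the rule is evaluated from the downlink side regardless of direction, two downlinks in the same session cannot reach each other either, which is the client isolation the section is about.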
10 Access Control Lists Access Control Lists (ACL) provide packet filtering for IPv4 frames (based on address, protocol, Layer 4 protocol port number or TCP control code), IPv6 frames (based on address, DSCP traffic class, or next header type), or any frames (based on MAC address or Ethernet type). To filter packets, first create an access list, add the required rules, and then bind the list to a specific port. This section describes the Access Control List commands.
Chapter 10 | Access Control Lists IPv4 ACLs access-list ip This command adds an IP access list and enters configuration mode for standard or extended IPv4 ACLs. Use the no form to remove the specified ACL. Syntax [no] access-list ip {standard | extended} acl-name standard – Specifies an ACL that filters packets based on the source IP address. extended – Specifies an ACL that filters packets based on the source or destination IP address, and other more specific criteria. acl-name – Name of the ACL.
Chapter 10 | Access Control Lists IPv4 ACLs permit, deny This command adds a rule to a Standard IPv4 ACL. The rule sets a filter condition for (Standard IP ACL) packets emanating from the specified source. Use the no form to remove a rule. Syntax {permit | deny} {any | source bitmask | host source} [time-range time-range-name] no {permit | deny} {any | source bitmask | host source} any – Any source IP address. source – Source IP address.
Chapter 10 | Access Control Lists IPv4 ACLs permit, deny This command adds a rule to an Extended IPv4 ACL. The rule sets a filter condition (Extended IPv4 ACL) for packets with specific source or destination IP addresses, protocol types, source or destination protocol ports, or TCP control codes. Use the no form to remove a rule.
Chapter 10 | Access Control Lists IPv4 ACLs port-bitmask – Decimal number representing the port bits to match. (Range: 0-65535) control-flags – Decimal number (representing a bit string) that specifies flag bits in byte 14 of the TCP header. (Range: 0-63) flag-bitmask – Decimal number representing the code bits to match. time-range-name - Name of the time range. (Range: 1-16 characters) Default Setting None Command Mode Extended IPv4 ACL Command Usage ◆ All new rules are appended to the end of the list.
Chapter 10 | Access Control Lists IPv4 ACLs Example This example accepts any incoming packets if the source address is within subnet 10.7.1.x. For example, if the rule is matched; i.e., the rule (10.7.1.0 & 255.255.255.0) equals the masked address (10.7.1.2 & 255.255.255.0), the packet passes through. Console(config-ext-acl)#permit 10.7.1.1 255.255.255.0 any Console(config-ext-acl)# This allows TCP packets from class C addresses 192.168.1.
Chapter 10 | Access Control Lists IPv4 ACLs Command Mode Interface Configuration (Ethernet) Command Usage ◆ If an ACL is already bound to a port and you bind a different ACL to it, the switch will replace the old binding with the new one. Example Console(config)#int eth 1/2 Console(config-if)#ip access-group david in Console(config-if)# Related Commands show ip access-list (349) Time Range (155) show ip access-group This command shows the ports assigned to IP ACLs.
Chapter 10 | Access Control Lists IPv6 ACLs Example Console#show ip access-list standard IP standard access-list david: permit host 10.1.1.21 permit 168.92.0.0 255.255.15.0 Console# Related Commands permit, deny (345) ip access-group (348) IPv6 ACLs The commands in this section configure ACLs based on IPv6 addresses, DSCP traffic class, or next header type. To configure IPv6 ACLs, first create an access list containing the required permit or deny rules, and then bind the access list to one or more ports.
Chapter 10 | Access Control Lists IPv6 ACLs Default Setting None Command Mode Global Configuration Command Usage ◆ When you create a new ACL or enter configuration mode for an existing ACL, use the permit or deny command to add new rules to the bottom of the list. To create an ACL, you must add at least one rule to the list. ◆ To remove a rule, use the no permit or no deny command followed by the exact text of a previously configured rule. ◆ An ACL can contain up to 64 rules.
Chapter 10 | Access Control Lists IPv6 ACLs prefix-length - A decimal value indicating how many contiguous bits (from the left) of the address comprise the prefix; i.e., the network portion of the address. (Range: 0-128) time-range-name - Name of the time range. (Range: 1-32 characters) Default Setting None Command Mode Standard IPv6 ACL Command Usage New rules are appended to the end of the list.
Chapter 10 | Access Control Lists IPv6 ACLs permit, deny This command adds a rule to an Extended IPv6 ACL. The rule sets a filter condition (Extended IPv6 ACL) for packets with specific source or destination IP addresses, or next header type. Use the no form to remove a rule.
Chapter 10 | Access Control Lists IPv6 ACLs destination-ipv6-address - An IPv6 destination address or network class. The address must be formatted according to RFC 2373 “IPv6 Addressing Architecture,” using 8 colon-separated 16-bit hexadecimal values. One double colon may be used in the address to indicate the appropriate number of zeros required to fill the undefined fields. prefix-length - A decimal value indicating how many contiguous bits (from the left) of the address comprise the prefix; i.e.
Example
This example accepts any incoming packets if the destination address is 2009:DB9:2229::79/8.
Console(config-ext-ipv6-acl)#permit 2009:DB9:2229::79/8
Console(config-ext-ipv6-acl)#
This allows packets to any destination address when the DSCP value is 5.
Console(config-ext-ipv6-acl)#permit any dscp 5
Console(config-ext-ipv6-acl)#
This allows any packets sent from any source to any destination when the next header is 43.
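The following is an added example, not code from the switch or from Edge-Core, serving both the IPv4 ACL examples earlier in this chapter and the IPv6 examples just above: a first-match evaluator for permit/deny rules with IPv4 address-plus-bitmask, IPv6 address-plus-prefix-length, host and any forms, plus the TCP control-flags/flag-bitmask match from the extended IPv4 syntax. Assumptions, since the page states the parameters but not the formulas: an IPv4 bitmask matches when (rule & mask) == (packet & mask), as in the 10.7.1.x example; a control-code pair matches when (packet flags & bitmask) == (control-flags & bitmask); and a packet matching no rule is denied. Class and field names are illustrative.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Added example, not the switch's own code: the match logic behind the IPv4
# and IPv6 permit/deny rules, as a first-match evaluator. Assumptions: an
# IPv4 bitmask works like the page's worked example ((rule & mask) ==
# (packet & mask)); an IPv6 prefix-length is an ordinary CIDR prefix; a
# control-code pair (control-flags, flag-bitmask) matches when
# (packet flags & bitmask) == (control-flags & bitmask); no match means deny.

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: Optional[str] = None   # "tcp", "udp", ...
    sport: int = 0
    dport: int = 0
    tcp_flags: int = 0            # byte 14 of the TCP header (FIN=1, SYN=2, ... URG=32)
    dscp: Optional[int] = None

@dataclass(frozen=True)
class Rule:
    action: str                            # "permit" or "deny"
    src: str = "any"                       # "any", "host A", "A MASK" (v4) or "A/len" (v6)
    dst: str = "any"
    proto: Optional[str] = None
    dport: Optional[int] = None
    control: Optional[Tuple[int, int]] = None   # (control-flags, flag-bitmask)
    dscp: Optional[int] = None

def addr_match(spec: str, addr: str) -> bool:
    """Match one address against a rule's address specification."""
    if spec == "any":
        return True
    a = ipaddress.ip_address(addr)
    if spec.startswith("host "):
        return a == ipaddress.ip_address(spec[5:])
    if "/" in spec:                                   # IPv6 address/prefix-length
        return a in ipaddress.ip_network(spec, strict=False)
    net, mask = spec.split()                          # IPv4 address bitmask
    n = ipaddress.ip_address(net)
    if n.version != a.version:
        return False
    m = int(ipaddress.ip_address(mask))
    return (int(n) & m) == (int(a) & m)

def rule_match(r: Rule, p: Packet) -> bool:
    if not addr_match(r.src, p.src) or not addr_match(r.dst, p.dst):
        return False
    if r.proto is not None and r.proto != p.proto:
        return False
    if r.dport is not None and r.dport != p.dport:
        return False
    if r.dscp is not None and r.dscp != p.dscp:
        return False
    if r.control is not None:
        code, bitmask = r.control
        if (p.tcp_flags & bitmask) != (code & bitmask):
            return False
    return True

def evaluate(acl: List[Rule], p: Packet) -> str:
    """First matching rule decides; no match means deny (assumed default)."""
    for r in acl:
        if rule_match(r, p):
            return r.action
    return "deny"
```

Note that a control-code pair of (2, 2) permits any segment with SYN set, including SYN/ACK replies; to admit only the first segment of a new connection the bitmask must also cover the ACK bit, e.g. (2, 18).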
Chapter 10 | Access Control Lists IPv6 ACLs ipv6 access-group This command binds a port to an IPv6 ACL. Use the no form to remove the port. Syntax ipv6 access-group acl-name {in | out} [time-range time-range-name] [counter] no ipv6 access-group acl-name {in | out} acl-name – Name of the ACL. (Maximum length: 32 characters) in – Indicates that this list applies to ingress packets. out – Indicates that this list applies to egress packets. time-range-name - Name of the time range.
Chapter 10 | Access Control Lists IPv6 ACLs Related Commands ipv6 access-group (356) show ipv6 access-list This command displays the rules for configured IPv6 ACLs. Syntax show ipv6 access-list {standard | extended} [acl-name] standard – Specifies a standard IPv6 ACL. extended – Specifies an extended IPv6 ACL. acl-name – Name of the ACL.
Chapter 10 | Access Control Lists MAC ACLs MAC ACLs The commands in this section configure ACLs based on hardware addresses, packet format, and Ethernet type. To configure MAC ACLs, first create an access list containing the required permit or deny rules, and then bind the access list to one or more ports.
Chapter 10 | Access Control Lists MAC ACLs Example Console(config)#access-list mac jerry Console(config-mac-acl)# Related Commands permit, deny (359) mac access-group (361) show mac access-list (362) permit, deny (MAC ACL) This command adds a rule to a MAC ACL. The rule filters packets matching a specified MAC source or destination address (i.e., physical layer address), or Ethernet protocol type. Use the no form to remove a rule.
Chapter 10 | Access Control Lists MAC ACLs {permit | deny} tagged-802.3 {any | host source | source address-bitmask} {any | host destination | destination address-bitmask} [vid vid vid-bitmask] [time-range time-range-name] no {permit | deny} tagged-802.3 {any | host source | source address-bitmask} {any | host destination | destination address-bitmask} [vid vid vid-bitmask] {permit | deny} untagged-802.
◆ A detailed listing of Ethernet protocol types can be found in RFC 1060. A few of the more common types include the following:
■ 0800 - IP
■ 0806 - ARP
■ 8137 - IPX
Example
This rule permits packets from any source MAC address to the destination address 00-e0-29-94-34-de where the Ethernet type is 0800.
Chapter 10 | Access Control Lists MAC ACLs Example Console(config)#interface ethernet 1/2 Console(config-if)#mac access-group jerry in Console(config-if)# Related Commands show mac access-list (362) Time Range (155) show mac This command shows the ports assigned to MAC ACLs.
Chapter 10 | Access Control Lists ARP ACLs ARP ACLs The commands in this section configure ACLs based on the IP or MAC address contained in ARP request and reply messages. To configure ARP ACLs, first create an access list containing the required permit or deny rules, and then bind the access list to one or more VLANs using the ip arp inspection vlan command.
Chapter 10 | Access Control Lists ARP ACLs permit, deny (ARP ACL) This command adds a rule to an ARP ACL. The rule filters packets matching a specified source or destination address in ARP messages. Use the no form to remove a rule. Syntax [no] {permit | deny} ip {any | host source-ip | source-ip ip-address-bitmask} mac {any | host source-mac | source-mac mac-address-bitmask} [log] This form indicates either request or response packets.
Chapter 10 | Access Control Lists ACL Information Related Commands access-list arp (363) show access-list arp This command displays the rules for configured ARP ACLs. Syntax show access-list arp [acl-name] acl-name – Name of the ACL. (Maximum length: 32 characters) Command Mode Privileged Exec Example Console#show access-list arp ARP access-list factory: permit response ip any 192.168.0.0 255.255.0.
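The following is an added example, not the switch's own code, showing how a rule of the form {permit | deny} [request | response] ip {any | host A | A MASK} mac {any | host M | M MASK} is matched against the sender fields of an ARP packet, and how the DHCP snooping bindings are consulted afterwards when the ACL was bound without the static keyword (Table 61 above). Assumptions: a 1 bit in an IP or MAC bitmask means "must match"; with static, a packet matching no rule is dropped; without it, the packet is accepted only if (VLAN, sender IP, sender MAC) is in the snooping table. Rule and packet layouts are illustrative.

```python
import ipaddress
from typing import List, Optional, Set, Tuple

# Added example, not the switch's own code: ARP ACL rule matching on the
# sender IP/MAC of an ARP packet, followed by the DHCP snooping lookup that
# the non-static binding falls back to. Assumptions: 1 bits in a mask must
# match; "static" means the ACL is final; otherwise unmatched packets are
# permitted only when they match a snooping binding.

def _mac_int(mac: str) -> int:
    return int(mac.replace("-", "").replace(":", ""), 16)

def ip_spec_match(spec: str, ip: str) -> bool:
    if spec == "any":
        return True
    if spec.startswith("host "):
        return ipaddress.ip_address(ip) == ipaddress.ip_address(spec[5:])
    net, mask = spec.split()
    m = int(ipaddress.ip_address(mask))
    return (int(ipaddress.ip_address(net)) & m) == (int(ipaddress.ip_address(ip)) & m)

def mac_spec_match(spec: str, mac: str) -> bool:
    if spec == "any":
        return True
    if spec.startswith("host "):
        return _mac_int(spec[5:]) == _mac_int(mac)
    base, mask = spec.split()
    m = _mac_int(mask)
    return (_mac_int(base) & m) == (_mac_int(mac) & m)

def arp_decision(acl: List[dict], static: bool, bindings: Set[Tuple[int, str, int]],
                 pkt: dict) -> Tuple[str, Optional[dict]]:
    """Return (action, matched_rule). Rules are dicts with keys action,
    op (None, "request" or "response"), ip, mac and log; pkt has op, vlan,
    sender_ip and sender_mac."""
    for r in acl:
        if r.get("op") and r["op"] != pkt["op"]:   # no op keyword: both directions
            continue
        if ip_spec_match(r["ip"], pkt["sender_ip"]) and mac_spec_match(r["mac"], pkt["sender_mac"]):
            return r["action"], r
    if static:
        return "deny", None
    ok = (pkt["vlan"], pkt["sender_ip"], _mac_int(pkt["sender_mac"])) in bindings
    return ("permit" if ok else "deny"), None
```

A deny rule for the gateway's IP with mac any, placed first, is the usual way to stop any host from claiming the gateway address regardless of which MAC it spoofs; the permit rules that follow then only need to describe the legitimate static hosts.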
Chapter 10 | Access Control Lists ACL Information interface ethernet unit/port unit - Unit identifier. (Range: 1) port - Port number. (Range: 1-12) acl-name – Name of the ACL. (Maximum length: 32 characters) Command Mode Privileged Exec Example Console#clear access-list hardware counters Console# show access-group This command shows the port assignments of ACLs.
Chapter 10 | Access Control Lists ACL Information mac – Shows ingress or egress rules for MAC ACLs. tcam-utilization – Shows the percentage of user configured ACL rules as a percentage of total ACL rules acl-name – Name of the ACL. (Maximum length: 32 characters) Command Mode Privileged Exec Example Console#show access-list IP standard access-list david: permit host 10.1.1.21 permit 168.92.0.0 255.255.15.0 IP extended access-list bob: permit 10.7.1.1 255.255.255.0 any permit 192.168.1.0 255.255.255.
11 Interface Commands These commands are used to display or set communication parameters for an Ethernet port, aggregated link, or VLAN; or perform cable diagnostics on the specified interface.
Chapter 11 | Interface Commands
Interface Configuration

Table 71: Interface Commands (Continued)
Command                        Function                                                                                                   Mode
Transceiver Threshold Configuration
transceiver-monitor            Sends a trap when any of the transceiver's operational values fall outside specified thresholds            IC
transceiver-threshold-auto     Uses default threshold settings obtained from the transceiver to determine when an alarm or trap message should be sent  IC
transceiver-threshold current  Sends a trap when the transceiver current falls
Chapter 11 | Interface Commands Interface Configuration port-channel channel-id (Range: 1-12) vlan vlan-id (Range: 1-4094) Default Setting None Command Mode Global Configuration Command Usage The craft interface is provided as an out-of-band management connection which is isolated from all other ports on the switch. This interface must first be configured with an IPv4 or IPv6 address before a connection can be made through Telnet, SSH, or HTTP.
Chapter 11 | Interface Commands Interface Configuration Example The following example adds an alias to port 4. Console(config)#interface ethernet 1/4 Console(config-if)#alias finance Console(config-if)# capabilities This command advertises the port capabilities of a given interface during autonegotiation. Use the no form with parameters to remove an advertised capability, or the no form without parameters to restore the default values.
Chapter 11 | Interface Commands Interface Configuration Example The following example configures Ethernet port 5 capabilities to include 100half and 100full. Console(config)#interface ethernet 1/5 Console(config-if)#capabilities 100half Console(config-if)#capabilities 100full Console(config-if)#capabilities flowcontrol Console(config-if)# Related Commands negotiation (376) speed-duplex (378) flowcontrol (374) description This command adds a description to an interface.
Chapter 11 | Interface Commands Interface Configuration discard This command discards CDP or PVST packets. Use the no form to forward the specified packet type to other ports configured the same way.
Chapter 11 | Interface Commands Interface Configuration ◆ To force flow control on or off (with the flowcontrol or no flowcontrol command), use the no negotiation command to disable auto-negotiation on the selected interface. ◆ When using the negotiation command to enable auto-negotiation, the optimal settings will be determined by the capabilities command.
Example
This example sets an interval of 15 minutes for sampling standard statistical values on port 1.
Console(config)#interface ethernet 1/1
Console(config-if)#history 15min 15 10
Console(config-if)#

media-type
This command forces the port type selected for combination ports. Use the no form to restore the default mode.
Chapter 11 | Interface Commands Interface Configuration Default Setting Enabled Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage ◆ 1000BASE-T does not support forced mode. Auto-negotiation should always be used to establish a connection over any 1000BASE-T port or trunk. ◆ When auto-negotiation is enabled the switch will negotiate the best settings for a link based on the capabilities command.
Chapter 11 | Interface Commands Interface Configuration Example The following example disables port 5. Console(config)#interface ethernet 1/5 Console(config-if)#shutdown Console(config-if)# speed-duplex This command configures the speed and duplex mode of a given interface when auto-negotiation is disabled. Use the no form to restore the default.
Chapter 11 | Interface Commands Interface Configuration Example The following example configures port 5 to 100 Mbps, half-duplex operation. Console(config)#interface ethernet 1/5 Console(config-if)#speed-duplex 100half Console(config-if)#no negotiation Console(config-if)# Related Commands negotiation (376) capabilities (372) clear counters This command clears statistics on an interface. Syntax clear counters interface interface ethernet unit/port unit - Unit identifier. (Range: 1) port - Port number.
show discard
This command displays whether or not CDP and PVST packets are being discarded.
Command Mode
Privileged Exec
Example
In this example, "Default" means that the packets are not discarded.
Console#show discard
Port      CDP      PVST
--------  -------  -------
Eth 1/ 1  Default  Default
Eth 1/ 2  Default  Default
Eth 1/ 3  Default  Default
Eth 1/ 4  Default  Default
Eth 1/ 5  Default  Default
Eth 1/ 6  Default  Default
. . .
Eth 1/ 6   Down   1   0   Auto   100TX
. . .

show interfaces counters
This command displays interface statistics.
Syntax
show interfaces counters [interface]
interface
ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number. (Range: 1-12)
port-channel channel-id (Range: 1-12)
vlan vlan-id (Range: 1-4094)
Default Setting
Shows the counters for all interfaces.
0         Excessive Collisions
0         Internal Mac Transmit Errors
0         Internal Mac Receive Errors
0         Frames Too Long
0         Carrier Sense Errors
0         Symbol Errors
0         Pause Frames Input
0         Pause Frames Output
===== RMON Stats =====
0         Drop Events
16900558  Octets
40243     Packets
170       Broadcast PKTS
23        Multi-cast PKTS
0         Undersize PKTS
0         Oversize PKTS
0         Fragments
0         Jabbers
0         CRC Align Errors
0         Collisions
21065     Packet Size <= 64 Octets
3805      Packet Size 65 to 127 Octets
2448      Packet
Chapter 11 | Interface Commands Interface Configuration Table 72: show interfaces counters - display description (Continued) Parameter Description Discard Output The number of outbound packets which were chosen to be discarded even though no errors had been detected to prevent their being transmitted. One possible reason for discarding such a packet could be to free up buffer space.
Chapter 11 | Interface Commands Interface Configuration Table 72: show interfaces counters - display description (Continued) Parameter Description Carrier Sense Errors The number of times that the carrier sense condition was lost or never asserted when attempting to transmit a frame. Symbol Errors For an interface operating at 100 Mb/s, the number of times there was an invalid data symbol when a valid carrier was present.
Table 72: show interfaces counters - display description (Continued)
Parameter: Description
Utilization Statistics
Octets input per second: Rate at which octets enter this interface, in kbits per second.
Packets input per second: Rate at which packets enter this interface, in packets per second.
Input utilization: The input utilization rate for this interface.
Octets output per second: Rate at which octets leave this interface, in kbits per second.
Chapter 11 | Interface Commands Interface Configuration Command Usage If no interface is specified, information on all interfaces is displayed. For a description of the items displayed by this command, see "Showing Port or Trunk Statistics" in the Web Management Guide. Example This example shows the statistics recorded for all named entries in the sampling table.
Interval          : 1440 minute(s)
Buckets Requested : 7
Buckets Granted   : 0
Status            : Active
Current Entries
Start Time    Octets Input   Unicast    Multicast  Broadcast
------------  -------------  ---------  ---------  ---------
00d 00:00:01  1563328011     8391643    4440171    241090
Discards  Errors  Unknown Proto
--------  ------  -------------
0         0       0
Octets Output  Unicast  Multicast  Broadcast
-------------  -------  ---------  ---------
8896498997

Start Time    Octets Input  Discards  Errors  Unknown Proto
------------  ------------  --------  ------  -------------
00d 00:05:37  1400912       0         0       0
00d 00:06:37  1566090       0         0       0
00d 00:07:37  1754781       0         0       0
Start Time    Octets Output  Unicast  Multicast  Broadcast
------------  -------------  -------  ---------  ---------
00d 00:05:37  6827866        10563    2042       30
00d 00:06:37  7572668        12040    2362       30
00d 00:07:37  8548505        13380    2879       30
Start Time    Octets Output
Broadcast Storm             : Enabled
Broadcast Storm Limit       : 64 kbits/second
Multicast Storm             : Disabled
Multicast Storm Limit       : 64 kbits/second
Unknown Unicast Storm       : Disabled
Unknown Unicast Storm Limit : 64 kbits/second
Flow Control                : Disabled
VLAN Trunking               : Disabled
LACP                        : Disabled
Media Type                  : SFP preferred auto
Current Status:
Link Status                 : Up
Port Operation Status       : Up
Operation Speed-duplex      : 100full
Up Time                     : 0w 0d 7h 40m 23s (27623 seconds)
Flow Contr

Egress Rate Limit
VLAN Membership Mode
Ingress Rule
Acceptable Frame Type
Native VLAN
Priority for Untagged Traffic
GVRP Status
Allowed VLAN
Forbidden VLAN
802.1Q Tunnel Status
802.1Q Tunnel Mode
802.
Chapter 11 | Interface Commands Transceiver Threshold Configuration Transceiver Threshold Configuration transceiver-monitor This command sends a trap when any of the transceiver’s operational values fall outside of specified thresholds. Use the no form to disable trap messages.
transceiver-threshold current
This command sets thresholds for transceiver current which can be used to trigger an alarm or warning message. Use the no form to restore the default settings.
Syntax
transceiver-threshold current {high-alarm | high-warning | low-alarm | low-warning} threshold-value
no transceiver-threshold current
high-alarm – Sets the high current threshold for an alarm message.
Example
The following example sets alarm thresholds for the transceiver current at port 1.
Console(config)#interface ethernet 1/1
Console(config-if)#transceiver-threshold current low-alarm 100
Console(config-if)#transceiver-threshold current high-alarm 700
Console(config-if)#

transceiver-threshold rx-power
This command sets thresholds for the transceiver power level of the received signal which can be used to trigger an alarm or warning message.
Example
The following example sets alarm thresholds for the signal power received at port 1.
Console(config)#interface ethernet 1/1
Console(config-if)#transceiver-threshold rx-power low-alarm -21
Console(config-if)#transceiver-threshold rx-power high-alarm -3
Console(config-if)#

transceiver-threshold temperature
This command sets thresholds for the transceiver temperature which can be used to trigger an alarm or warning message.
Chapter 11 | Interface Commands Transceiver Threshold Configuration Example The following example sets alarm thresholds for the transceiver temperature at port 1.
Example
The following example sets alarm thresholds for the signal power transmitted at port 1.
Console(config)#interface ethernet 1/1
Console(config-if)#transceiver-threshold tx-power low-alarm 8
Console(config-if)#transceiver-threshold tx-power high-alarm -3
Console(config-if)#

transceiver-threshold voltage
This command sets thresholds for the transceiver voltage which can be used to trigger an alarm or warning message.
Chapter 11 | Interface Commands Transceiver Threshold Configuration Example The following example sets alarm thresholds for the transceiver voltage at port 1.
Temperature  : 37.86 degree C
Vcc          : 3.30 V
Bias Current : 13.11 mA
TX Power     : -6.61 dBm
RX Power     : -40.00 dBm
DDM Thresholds
                      Low Alarm  Low Warning  High Warning  High Alarm
                      ---------  -----------  ------------  ----------
Temperature(Celsius)  -123.00    0.00         70.00         75.00
Voltage(Volts)        3.10       3.15         3.45          3.50
Current(mA)           6.00       7.00         90.00         100.00
TxPower(dBm)          -12.00     -11.50       -9.50         -9.00
RxPower(dBm)          -21.50     -21.00       -3.50         -3.
Console#

Chapter 11 | Interface Commands
Cable Diagnostics

Example
Console#show interfaces transceiver-threshold ethernet 1/12
Information of Eth 1/12
DDM Thresholds
Transceiver-monitor        : Disabled
Transceiver-threshold-auto : Disabled
                      Low Alarm  Low Warning  High Warning  High Alarm
                      ---------  -----------  ------------  ----------
Temperature(Celsius)  -123.00    0.00         70.00         75.
Voltage(Volts)        3.10       3.15         3.45
Current(mA)           6.00       7.00         90.00
TxPower(dBm)          -12.00     -11.50       -9.50
RxPower(dBm)          -21.50     -21.00       -3.50
Console#
Chapter 11 | Interface Commands Cable Diagnostics Example Console#test cable-diagnostics interface ethernet 1/10 Console# show cable- This command shows the results of a cable diagnostics test. diagnostics Syntax show cable-diagnostics interface [interface] interface ethernet unit/port unit - Unit identifier. (Range: 1) port - Port number.
Chapter 11 | Interface Commands
Power Savings

Example
Console#show cable-diagnostics interface ethernet 1/10
TF: Test failed  OK: OK  ON: Open  ST: Short  IE: Impedance error
NC: No cable  NT: Not tested  NS: Not supported  UN: Unknown
Port     Type  Link Status  Pair A  Pair B  Pair C  Pair D  Last Updated
                            meters  meters  meters  meters
-------  ----  -----------  ------  ------  ------  ------  -------------------
Eth 1/2  GE    Down         NC (0)  NC (0)  NC (0)  NC (0)  2000-12-31 08:28:59
Console#

Power Savings
power-save
This command enab
Chapter 11 | Interface Commands Power Savings detected, the switch automatically turns off the transmitter, and most of the receive circuitry (entering Sleep Mode). In this mode, the low-power energy-detection circuit continuously checks for energy on the cable. If none is detected, the MAC interface is also powered down to save additional energy. If energy is detected, the switch immediately turns on both the transmitter and receiver functions, and powers up the MAC interface.
12 Link Aggregation Commands Ports can be statically grouped into an aggregate link (i.e., trunk) to increase the bandwidth of a network connection or to ensure fault recovery. Or you can use the Link Aggregation Control Protocol (LACP) to automatically negotiate a trunk link between this switch and another network device. For static trunks, the switches have to comply with the Cisco EtherChannel standard. For dynamic trunks, the switches have to comply with LACP. This switch supports up to 12 trunks.
Chapter 12 | Link Aggregation Commands Manual Configuration Commands ◆ The ports at both ends of a connection must be configured as trunk ports. ◆ All ports in a trunk must be configured in an identical manner, including communication mode (i.e., speed and duplex mode), VLAN assignments, and CoS settings. ◆ Any of the Gigabit ports on the front panel can be trunked together, including ports of different media types.
Chapter 12 | Link Aggregation Commands Manual Configuration Commands Default Setting src-dst-mac Command Mode Global Configuration Command Usage ◆ This command applies to all static and dynamic trunks on the switch.
Chapter 12 | Link Aggregation Commands Dynamic Configuration Commands channel-group This command adds a port to a trunk. Use the no form to remove a port from a trunk. Syntax channel-group channel-id no channel-group channel-id - Trunk index (Range: 1-12) Default Setting The current port will be added to this trunk. Command Mode Interface Configuration (Ethernet) Command Usage ◆ When configuring static trunks, the switches must comply with the Cisco EtherChannel standard.
Chapter 12 | Link Aggregation Commands Dynamic Configuration Commands Command Usage ◆ The ports on both ends of an LACP trunk must be configured for full duplex, either by forced mode or auto-negotiation. ◆ A trunk formed with another switch using LACP will automatically be assigned the next available port-channel ID. ◆ If the target switch has also enabled LACP on the connected ports, the trunk will be activated automatically.
Chapter 12 | Link Aggregation Commands Dynamic Configuration Commands lacp admin-key (Ethernet Interface) This command configures a port's LACP administration key. Use the no form to restore the default setting. Syntax lacp {actor | partner} admin-key key no lacp {actor | partner} admin-key actor - The local side of an aggregate link. partner - The remote side of an aggregate link. key - The port admin key must be set to the same value for ports that belong to the same link aggregation group (LAG).
Chapter 12 | Link Aggregation Commands Dynamic Configuration Commands lacp port-priority This command configures LACP port priority. Use the no form to restore the default setting. Syntax lacp {actor | partner} port-priority priority no lacp {actor | partner} port-priority actor - The local side of an aggregate link. partner - The remote side of an aggregate link. priority - LACP port priority is used to select a backup link.
Chapter 12 | Link Aggregation Commands Dynamic Configuration Commands lacp system-priority This command configures a port's LACP system priority. Use the no form to restore the default setting. Syntax lacp {actor | partner} system-priority priority no lacp {actor | partner} system-priority actor - The local side of an aggregate link. partner - The remote side of an aggregate link.
Chapter 12 | Link Aggregation Commands Dynamic Configuration Commands lacp admin-key (Port Channel) This command configures a port channel's LACP administration key string. Use the no form to restore the default setting. Syntax lacp admin-key key no lacp admin-key key - The port channel admin key is used to identify a specific link aggregation group (LAG) during local LACP setup on this switch.
Chapter 12 | Link Aggregation Commands Trunk Status Display Commands Command Mode Interface Configuration (Port Channel) Command Usage ◆ The timeout configured by this command is set in the LACP timeout bit of the Actor State field in transmitted LACPDUs. When the partner switch receives an LACPDU set with a short timeout from the actor switch, the partner adjusts the transmit LACPDU interval to 1 second.
Chapter 12 | Link Aggregation Commands Trunk Status Display Commands Example
Console#show lacp 1 counters
Port Channel: 1
------------------------------------------------------------------------
Eth 1/ 2
------------------------------------------------------------------------
LACPDUs Sent         : 12
LACPDUs Received     : 6
Marker Sent          : 0
Marker Received      : 0
LACPDUs Unknown Pkts : 0
LACPDUs Illegal Pkts : 0
. . .
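The counters above are what an operator checks when a trunk does not come up or behaves oddly. As an added example that is not part of this guide or of the switch firmware, the following Python parses output in the format shown (the second port block and its non-zero Illegal Pkts value are constructed for the illustration, not captured from a switch) and flags the two conditions worth a look: LACPDUs sent with none received (the partner is not speaking LACP on that port) and non-zero Unknown or Illegal counts (malformed LACPDUs arriving from the peer).

```python
import re
from typing import Dict, List, Tuple

# Constructed sample modelled on the "show lacp 1 counters" output above.
# The Eth 1/3 block is invented so that the checks below have something to flag.
SAMPLE_OUTPUT = """\
Port Channel: 1
------------------------------------------------------------------------
Eth 1/ 2
------------------------------------------------------------------------
LACPDUs Sent         : 12
LACPDUs Received     : 6
Marker Sent          : 0
Marker Received      : 0
LACPDUs Unknown Pkts : 0
LACPDUs Illegal Pkts : 0
------------------------------------------------------------------------
Eth 1/ 3
------------------------------------------------------------------------
LACPDUs Sent         : 12
LACPDUs Received     : 0
Marker Sent          : 0
Marker Received      : 0
LACPDUs Unknown Pkts : 0
LACPDUs Illegal Pkts : 3
"""

# "Eth 1/ 2" (note the space the switch prints after the slash)
PORT_RE = re.compile(r"^Eth\s+(\d+)/\s*(\d+)\s*$")
# "LACPDUs Sent         : 12"
COUNTER_RE = re.compile(r"^(?P<name>[A-Za-z ]+?)\s*:\s*(?P<value>\d+)\s*$")


def parse_lacp_counters(text: str) -> Dict[str, Dict[str, int]]:
    """Return {"Eth 1/2": {"LACPDUs Sent": 12, ...}, ...} from show lacp counters output."""
    ports: Dict[str, Dict[str, int]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = PORT_RE.match(line)
        if m:
            current = f"Eth {m.group(1)}/{m.group(2)}"
            ports[current] = {}
            continue
        m = COUNTER_RE.match(line)
        # "Port Channel: 1" also matches COUNTER_RE but arrives before any port, so it is skipped
        if m and current is not None:
            ports[current][m.group("name").strip()] = int(m.group("value"))
    return ports


def lacp_findings(ports: Dict[str, Dict[str, int]]) -> List[Tuple[str, str]]:
    """Per-port conditions an operator would investigate before trusting the trunk."""
    findings = []
    for port, c in ports.items():
        if c.get("LACPDUs Illegal Pkts", 0) or c.get("LACPDUs Unknown Pkts", 0):
            findings.append((port, "malformed or unknown LACPDUs received"))
        if c.get("LACPDUs Sent", 0) > 0 and c.get("LACPDUs Received", 0) == 0:
            findings.append((port, "LACPDUs sent but none received"))
    return findings


if __name__ == "__main__":
    for port, problem in lacp_findings(parse_lacp_counters(SAMPLE_OUTPUT)):
        print(f"{port}: {problem}")
```

Feed it the captured output of the real command (for example via a terminal log) to get the same two checks on live data; a port that keeps sending without receiving will never join the trunk, and rising Illegal counts point at a peer whose LACP frames the switch cannot parse.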
Chapter 12 | Link Aggregation Commands Trunk Status Display Commands Table 76: show lacp internal - display description (Continued) Field Description LACPDUs Internal Number of seconds before invalidating received LACPDU information. LACP System Priority LACP system priority assigned to this port channel. LACP Port Priority LACP port priority assigned to this interface within the channel group.
Chapter 12 | Link Aggregation Commands Trunk Status Display Commands Table 77: show lacp neighbors - display description Field Description Partner Admin System ID LAG partner’s system ID assigned by the user. Partner Oper System ID LAG partner’s system ID assigned by the LACP protocol. Partner Admin Port Number Current administrative value of the port number for the protocol Partner. Partner Oper Port Number Operational port number assigned to this aggregation port by the port’s protocol partner.
Chapter 12 | Link Aggregation Commands Trunk Status Display Commands show port-channel This command shows the load-distribution method used on aggregated links.
13 Port Mirroring Commands Data can be mirrored from a local port on the same switch or from a remote port on another switch for analysis at the target port using software monitoring tools or a hardware probe. This switch supports the following mirroring modes.
Chapter 13 | Port Mirroring Commands Local Port Mirroring Commands both - Mirror both received and transmitted packets. vlan-id - VLAN ID (Range: 1-4094) mac-address - MAC address in the form of xx-xx-xx-xx-xx-xx or xxxxxxxxxxxx. acl-name – Name of the ACL. (Maximum length: 32 characters, no spaces or other special characters) Default Setting ◆ No mirror session is defined. ◆ When enabled for an interface, default mirroring is for both received and transmitted packets.
Chapter 13 | Port Mirroring Commands Local Port Mirroring Commands ◆ When mirroring VLAN traffic or packets based on a source MAC address, the target port cannot be the same port used as the target for basic port mirroring. ◆ You can create multiple mirror sessions, but all sessions must share the same destination port. ◆ The destination port cannot be a trunk or trunk member port. ◆ ACL-based mirroring is only used for ingress traffic. To mirror an ACL, follow these steps: 1.
Chapter 13 | Port Mirroring Commands RSPAN Mirroring Commands mac-address - MAC address in the form of xx-xx-xx-xx-xx-xx or xxxxxxxxxxxx. Default Setting Shows all sessions. Command Mode Privileged Exec Command Usage This command displays the currently configured source port, destination port, and mirror mode (i.e., RX, TX, RX/TX).
Chapter 13 | Port Mirroring Commands RSPAN Mirroring Commands Configuration Guidelines Take the following steps to configure an RSPAN session: 1. Use the vlan rspan command to configure a VLAN to use for RSPAN. (Default VLAN 1 and switch cluster VLAN 4093 are prohibited.) 2. Use the rspan source command to specify the interfaces and the traffic type (RX, TX or both) to be monitored. 3. Use the rspan destination command to specify the destination port for the traffic mirrored by an RSPAN session. 4.
Chapter 13 | Port Mirroring Commands RSPAN Mirroring Commands RSPAN uplink ports cannot be configured to use IEEE 802.1X Port Authentication, but RSPAN source ports and destination ports can be configured to use it. ◆ Port Security – If port security is enabled on any port, that port cannot be set as an RSPAN uplink port, even though it can still be configured as an RSPAN source or destination port. Also, when a port is configured as an RSPAN uplink port, port security cannot be enabled on that port.
Chapter 13 | Port Mirroring Commands RSPAN Mirroring Commands ◆ The source port and destination port cannot be configured on the same switch. Example The following example configures the switch to mirror received packets from ports 2 and 3: Console(config)#rspan session 1 source interface ethernet 1/2 Console(config)#rspan session 1 source interface ethernet 1/3 Console(config)# rspan destination Use this command to specify the destination port to monitor the mirrored traffic.
Chapter 13 | Port Mirroring Commands RSPAN Mirroring Commands ◆ The source port and destination port cannot be configured on the same switch. ◆ A destination port can still send and receive switched traffic, and participate in any Layer 2 protocols to which it has been assigned.
Chapter 13 | Port Mirroring Commands RSPAN Mirroring Commands Command Usage ◆ Only 802.1Q trunk or hybrid (i.e., general use) ports can be configured as an RSPAN uplink port – access ports are not allowed (see switchport mode). ◆ Only one uplink port can be configured on a source switch, but there is no limitation on the number of uplink ports configured on an intermediate or destination switch. ◆ Only destination and uplink ports will be assigned by the switch as members of this VLAN.
Chapter 13 | Port Mirroring Commands RSPAN Mirroring Commands show rspan Use this command to display the configuration settings for an RSPAN session. Syntax show rspan session [session-id] session-id – A number identifying this RSPAN session. (Range: 1) Only one mirror session is allowed, including both local and remote mirroring. If local mirroring is enabled with the port monitor command, then no session can be configured for RSPAN.
14 Congestion Control Commands The switch can set the maximum upload or download data transfer rate for any port. It can control traffic storms by setting a maximum threshold for broadcast traffic or multicast traffic. It can also set bounding thresholds for broadcast and multicast storms which can be used to automatically trigger rate limits or to shut down a port. Table 82: Congestion Control Commands Command Group Function Rate Limiting Sets the input and output rate limits for a port.
Chapter 14 | Congestion Control Commands Rate Limit Commands rate-limit This command defines the rate limit for a specific interface. Use this command without specifying a rate to enable rate limiting. Use the no form to disable rate limiting. Syntax rate-limit {input | output} [rate] no rate-limit {input | output} input – Input rate for specified interface output – Output rate for specified interface rate – Maximum value in Kbps.
Chapter 14 | Congestion Control Commands Storm Control Commands Storm control commands can be used to configure broadcast, multicast, and unknown unicast storm control thresholds. Traffic storms may occur when a device on your network is malfunctioning, or if application programs are not well designed or properly configured. If there is too much traffic on your network, performance can be severely degraded or everything can come to a complete halt.
Chapter 14 | Congestion Control Commands Automatic Traffic Control Commands Command Usage ◆ When traffic exceeds the threshold specified for broadcast and multicast or unknown unicast traffic, packets exceeding the threshold are dropped until the rate falls back down beneath the threshold. ◆ Traffic storms can be controlled at the hardware level using this command or at the software level using the auto-traffic-control command. However, only one of these control types can be applied to a port.
Chapter 14 | Congestion Control Commands Automatic Traffic Control Commands Table 85: ATC Commands (Continued) Command Function Mode auto-traffic-control release-timer Sets the time at which to release the control GC response after ingress traffic has fallen beneath the lower threshold auto-traffic-control* Enables automatic traffic control for broadcast or multicast storms auto-traffic-control action Sets the control action to limit ingress traffic or shut IC (Port) down the offending port auto-t
Chapter 14 | Congestion Control Commands Automatic Traffic Control Commands Usage Guidelines ATC includes storm control for broadcast or multicast traffic. The control response for either of these traffic types is the same, as shown in the following diagrams.
Chapter 14 | Congestion Control Commands Automatic Traffic Control Commands Figure 2: Storm Control by Shutting Down a Port The key elements of this diagram are the same as those described in the preceding diagram, except that automatic release of the control response is not provided. When traffic control is applied, you must manually re-enable the port. Functional Limitations Automatic storm control is a software level control function.
Chapter 14 | Congestion Control Commands Automatic Traffic Control Commands Command Usage After the apply timer expires, a control action may be triggered as specified by the auto-traffic-control action command and a trap message sent as specified by the snmp-server enable port-traps atc broadcast-control-apply command or snmp-server enable port-traps atc multicast-control-apply command. Example This example sets the apply timer to 200 seconds for all ports.
Chapter 14 | Congestion Control Commands Automatic Traffic Control Commands auto-traffic-control This command enables automatic traffic control for broadcast or multicast storms. Use the no form to disable this feature. Syntax [no] auto-traffic-control {broadcast | multicast} broadcast - Specifies automatic storm control for broadcast traffic. multicast - Specifies automatic storm control for multicast traffic.
Chapter 14 | Congestion Control Commands Automatic Traffic Control Commands shutdown - If a control response is triggered, the port is administratively disabled. A port disabled by automatic traffic control can only be manually re-enabled. Default Setting rate-control Command Mode Interface Configuration (Ethernet) Command Usage When the upper threshold is exceeded and the apply timer expires, a control response will be triggered based on this command.
Chapter 14 | Congestion Control Commands Automatic Traffic Control Commands Default Setting 128 kilo-packets per second Command Mode Interface Configuration (Ethernet) Command Usage ◆ Once the traffic rate falls beneath the lower threshold, a trap message may be sent if configured by the snmp-server enable port-traps atc broadcast-alarm-clear command or snmp-server enable port-traps atc multicast-alarm-clear command.
Chapter 14 | Congestion Control Commands Automatic Traffic Control Commands Command Usage ◆ Once the upper threshold is exceeded, a trap message may be sent if configured by the snmp-server enable port-traps atc broadcast-alarm-fire command or snmp-server enable port-traps atc multicast-alarm-fire command.
Chapter 14 | Congestion Control Commands Automatic Traffic Control Commands auto-traffic-control control-release This command manually releases a control response. Syntax auto-traffic-control {broadcast | multicast} control-release interface interface broadcast - Specifies automatic storm control for broadcast traffic. multicast - Specifies automatic storm control for multicast traffic. interface ethernet unit/port-list unit - Unit identifier.
Chapter 14 | Congestion Control Commands Automatic Traffic Control Commands Example Console(config)#interface ethernet 1/1 Console(config-if)#snmp-server enable port-traps atc broadcast-alarm-clear Console(config-if)# Related Commands auto-traffic-control action (435) auto-traffic-control alarm-clear-threshold (436) snmp-server enable port-traps atc This command sends a trap when broadcast traffic exceeds the upper threshold for automatic storm control. Use the no form to disable this trap.
Chapter 14 | Congestion Control Commands Automatic Traffic Control Commands Example Console(config)#interface ethernet 1/1 Console(config-if)#snmp-server enable port-traps atc broadcast-control-apply Console(config-if)# Related Commands auto-traffic-control alarm-fire-threshold (437) auto-traffic-control apply-timer (433) snmp-server enable port-traps atc This command sends a trap when broadcast traffic falls beneath the lower threshold after a storm control response has been triggered and the release ti
Chapter 14 | Congestion Control Commands Automatic Traffic Control Commands Command Mode Interface Configuration (Ethernet) Example Console(config)#interface ethernet 1/1 Console(config-if)#snmp-server enable port-traps atc multicast-alarm-clear Console(config-if)# Related Commands auto-traffic-control action (435) auto-traffic-control alarm-clear-threshold (436) snmp-server enable port-traps atc This command sends a trap when multicast traffic exceeds the upper threshold for automatic storm control.
Chapter 14 | Congestion Control Commands Automatic Traffic Control Commands Example Console(config)#interface ethernet 1/1 Console(config-if)#snmp-server enable port-traps atc multicast-control-apply Console(config-if)# Related Commands auto-traffic-control alarm-fire-threshold (437) auto-traffic-control apply-timer (433) snmp-server enable port-traps atc This command sends a trap when multicast traffic falls beneath the lower threshold after a storm control response has been triggered and the release ti
Chapter 14 | Congestion Control Commands Automatic Traffic Control Commands release-timer (sec) : 900 Storm-control: Multicast Apply-timer(sec) : 300 release-timer(sec) : 900 Console# show auto-traffic-control interface This command shows interface configuration settings and storm control status for the specified port. Syntax show auto-traffic-control interface [interface] interface ethernet unit/port unit - Unit identifier. (Range: 1) port - Port number.
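The ATC sequence described across this section (rate above the upper threshold: alarm-fire trap; apply timer expires: control action plus control-apply trap; rate beneath the lower threshold: alarm-clear trap; release timer expires: control released for rate-control, while a port shut down by ATC waits for a manual re-enable) can be followed step by step with a small model. The Python below is an added example, not firmware code or a documented API of this switch. The per-second rate series and the shortened timers are constructed; the defaults (128 kilo-packets per second lower threshold, apply timer 300 s, release timer 900 s, action rate-control) are the ones listed in this chapter; the rule that a pending apply timer is cancelled when the rate drops beneath the lower threshold, and that a storm returning during the release period keeps the control in place, are assumptions this guide does not state.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

RATE_CONTROL = "rate-control"   # page default for "auto-traffic-control action"
SHUTDOWN = "shutdown"


@dataclass
class AtcPort:
    """Automatic traffic control state for one port and one traffic type
    (broadcast or multicast). Thresholds are in kilo-packets per second."""
    alarm_fire_threshold: int               # upper threshold
    alarm_clear_threshold: int = 128        # lower threshold (page default)
    apply_timer: int = 300                  # seconds (page default)
    release_timer: int = 900                # seconds (page default)
    action: str = RATE_CONTROL
    alarmed: bool = False                   # rate has exceeded the upper threshold
    controlled: bool = False                # control response currently applied
    shut_down: bool = False                 # port administratively disabled by ATC
    apply_deadline: Optional[int] = None
    release_deadline: Optional[int] = None
    events: List[Tuple[int, str]] = field(default_factory=list)   # (time, trap/action)

    def step(self, t: int, rate: int) -> None:
        """Feed one per-second ingress rate sample taken at time t."""
        if self.shut_down:
            return                                   # cleared only by manual re-enable (Figure 2)
        if not self.alarmed and rate > self.alarm_fire_threshold:
            self.alarmed = True
            self.events.append((t, "alarm-fire"))    # ...-alarm-fire trap
            self.release_deadline = None             # assumption: returning storm keeps control
            if not self.controlled:
                self.apply_deadline = t + self.apply_timer
        elif self.alarmed and rate < self.alarm_clear_threshold:
            self.alarmed = False
            self.events.append((t, "alarm-clear"))   # ...-alarm-clear trap
            self.apply_deadline = None               # assumption: pending apply cancelled
            if self.controlled:
                self.release_deadline = t + self.release_timer
        if self.apply_deadline is not None and t >= self.apply_deadline:
            self.apply_deadline = None
            self.controlled = True
            self.events.append((t, f"control-apply:{self.action}"))   # ...-control-apply trap
            if self.action == SHUTDOWN:
                self.shut_down = True                # no automatic release for shutdown
        if self.release_deadline is not None and t >= self.release_deadline:
            self.release_deadline = None
            self.controlled = False
            self.events.append((t, "control-release"))   # ...-control-release trap

    def manual_release(self, t: int) -> None:
        """Models "auto-traffic-control {broadcast|multicast} control-release"
        or an administrator re-enabling a port that ATC shut down."""
        self.controlled = False
        self.shut_down = False
        self.release_deadline = None
        self.events.append((t, "manual-release"))


def simulate(rates: List[int], **kwargs) -> AtcPort:
    """Run a per-second rate series through one ATC port and return its final state."""
    port = AtcPort(**kwargs)
    for t, rate in enumerate(rates):
        port.step(t, rate)
    return port


# Constructed sample: a 5-second broadcast storm, then quiet. Timers are shortened
# from the page defaults so the whole sequence fits in 15 samples.
STORM = [50, 2000, 2000, 2000, 2000, 2000, 60, 60, 60, 60, 60, 60, 60, 60, 60]

if __name__ == "__main__":
    for action in (RATE_CONTROL, SHUTDOWN):
        p = simulate(STORM, alarm_fire_threshold=1000, apply_timer=3,
                     release_timer=5, action=action)
        print(action, p.events, "shut_down=" + str(p.shut_down))
```

Running it with the two actions side by side shows the operational difference the chapter describes: with rate-control the port recovers on its own once the release timer runs out, whereas with shutdown the event list stops at control-apply and nothing short of manual intervention brings the port back.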
15 UniDirectional Link Detection Commands The switch can be configured to detect and disable unidirectional Ethernet fiber or copper links. When enabled, the protocol advertises a port’s identity, learns about its neighbors on a specific LAN segment, and stores information about its neighbors in a cache. It can also send out a train of echo messages under circumstances that require fast notifications or re-synchronization of the cached information.
Chapter 15 | UniDirectional Link Detection Commands Command Usage When a neighbor device is discovered by UDLD, the switch enters “detection state” and remains in this state for the specified detection-interval. After the detection-interval expires, the switch tries to decide whether or not the link is unidirectional based on the information collected during “detection state”.
Chapter 15 | UniDirectional Link Detection Commands udld recovery This command configures the switch to automatically recover from UDLD disabled port state after a period specified by the udld recovery-interval command. Use the no form to disable this feature. Syntax [no] udld recovery Default Setting Disabled Command Mode Global Configuration Command Usage When automatic recovery state is changed by this command, any ports shut down by UDLD will be reset.
Chapter 15 | UniDirectional Link Detection Commands Example Console(config)#udld recovery-interval 15 Console(config)# udld aggressive This command sets UDLD to aggressive mode on an interface. Use the no form to restore the default setting. Syntax [no] udld aggressive Default Setting Disabled Command Mode Interface Configuration (Ethernet Port) Command Usage UDLD can function in two modes: normal mode and aggressive mode.
Chapter 15 | UniDirectional Link Detection Commands Example This example enables UDLD aggressive mode on port 1. Console(config)#interface ethernet 1/1 Console(config-if)#udld aggressive Console(config-if)# udld port This command enables UDLD on a port. Use the no form to disable UDLD on an interface.
Chapter 15 | UniDirectional Link Detection Commands show udld This command shows UDLD configuration settings and operational status for the switch or for a specified interface. Syntax show udld [interface interface] interface ethernet unit/port unit - Unit identifier. (Range: 1) port - Port number.
Chapter 15 | UniDirectional Link Detection Commands Table 87: show udld - display description (Continued) Field Description Recovery Interval Shows the period after which to recover from UDLD disabled port state if automatic recovery is enabled UDLD Shows if UDLD is enabled or disabled on a port Mode Shows if UDLD is functioning in Normal or Aggressive mode Oper State Shows the UDLD operational state (Disabled, Link down, Link up, Advertisement, Detection, Disabled port, Advertisement - Single nei
16 Address Table Commands These commands are used to configure the address table for filtering specified addresses, displaying current entries, clearing the table, or setting the aging time.
Chapter 16 | Address Table Commands mac-address-table static This command maps a static address to a destination port in a VLAN. Use the no form to remove an address. Syntax mac-address-table static mac-address interface interface vlan vlan-id [action] no mac-address-table static mac-address vlan vlan-id mac-address - MAC address. interface ethernet unit/port unit - Unit identifier. (Range: 1) port - Port number.
Chapter 16 | Address Table Commands clear mac-address-table dynamic This command removes any learned entries from the forwarding database. Default Setting None Command Mode Privileged Exec Command Usage Even if a hash collision for a MAC address is resolved, entries in the collision MAC address table are not removed until this command is issued to reset the table, or the system is reset.
Chapter 16 | Address Table Commands Command Usage ◆ The MAC Address Table contains the MAC addresses associated with each interface. Note that the Type field may include the following types: ■ Learn - Dynamic address entries ■ Config - Static entry ■ Security - Port Security ◆ The mask should be hexadecimal numbers (representing an equivalent bit mask) in the form xx-xx-xx-xx-xx-xx that is applied to the specified MAC address.
Chapter 16 | Address Table Commands show mac-address-table count This command shows the number of MAC addresses used and the number of available MAC addresses for the overall system or for an interface. Syntax show mac-address-table count interface interface interface ethernet unit/port unit - Unit identifier. (Range: 1) port - Port number.
17 Spanning Tree Commands This section includes commands that configure the Spanning Tree Algorithm (STA) globally for the switch, and commands that configure STA for the selected interface.
Chapter 17 | Spanning Tree Commands Table 89: Spanning Tree Commands (Continued) Command Function Mode spanning-tree loopback-detection action Configures the response for loopback detection to block user traffic or shut down the interface IC spanning-tree loopback-detection release-mode Configures loopback release mode for a port IC spanning-tree loopback-detection trap Enables BPDU loopback SNMP trap notification for a port IC spanning-tree mst cost Configures the path cost of an instance in
Chapter 17 | Spanning Tree Commands between any two stations on the network, and provide backup links which automatically take over when a primary link goes down. Example This example shows how to enable the Spanning Tree Algorithm for the switch: Console(config)#spanning-tree Console(config)# spanning-tree cisco-prestandard This command configures spanning tree operation to be compatible with Cisco prestandard versions. Use the no form to restore the default setting.
Chapter 17 | Spanning Tree Commands Command Mode Global Configuration Command Usage This command sets the maximum time (in seconds) a port will wait before changing states (i.e., discarding to learning to forwarding). This delay is required because every device must receive information about topology changes before it starts to forward frames.
Chapter 17 | Spanning Tree Commands spanning-tree max-age This command configures the spanning tree bridge maximum age globally for this switch. Use the no form to restore the default. Syntax spanning-tree max-age seconds no spanning-tree max-age seconds - Time in seconds. (Range: 6-40 seconds) The minimum value is the higher of 6 or [2 x (hello-time + 1)]. The maximum value is the lower of 40 or [2 x (forward-time - 1)].
Chapter 17 | Spanning Tree Commands spanning-tree mode This command selects the spanning tree mode for this switch. Use the no form to restore the default. Syntax spanning-tree mode {stp | rstp | mstp} no spanning-tree mode stp - Spanning Tree Protocol (IEEE 802.1D) rstp - Rapid Spanning Tree Protocol (IEEE 802.1w) mstp - Multiple Spanning Tree (IEEE 802.
Chapter 17 | Spanning Tree Commands ■ Be careful when switching between spanning tree modes. Changing modes stops all spanning-tree instances for the previous mode and restarts the system in the new mode, temporarily disrupting user traffic.
Chapter 17 | Spanning Tree Commands spanning-tree priority This command configures the spanning tree priority globally for this switch. Use the no form to restore the default. Syntax spanning-tree priority priority no spanning-tree priority priority - Priority of the bridge.
Chapter 17 | Spanning Tree Commands revision (471) max-hops (468) spanning-tree system-bpdu-flooding This command configures the system to flood BPDUs to all other ports on the switch or just to all other ports in the same VLAN when spanning tree is disabled globally on the switch or disabled on a specific port. Use the no form to restore the default. Syntax spanning-tree system-bpdu-flooding {to-all | to-vlan} no spanning-tree system-bpdu-flooding to-all - Floods BPDUs to all other ports on the switch.
Chapter 17 | Spanning Tree Commands Command Mode Global Configuration Command Usage This command limits the maximum transmission rate for BPDUs. Example Console(config)#spanning-tree transmission-limit 4 Console(config)# max-hops This command configures the maximum number of hops in the region before a BPDU is discarded. Use the no form to restore the default. Syntax max-hops hop-number hop-number - Maximum hop number for multiple spanning tree.
Chapter 17 | Spanning Tree Commands mst priority This command configures the priority of a spanning tree instance. Use the no form to restore the default. Syntax mst instance-id priority priority no mst instance-id priority instance-id - Instance identifier of the spanning tree. (Range: 0-4094) priority - Priority of a spanning tree instance.
Chapter 17 | Spanning Tree Commands Default Setting none Command Mode MST Configuration Command Usage ◆ Use this command to group VLANs into spanning tree instances. MSTP generates a unique spanning tree for each instance. This provides multiple pathways across the network, thereby balancing the traffic load, preventing wide-scale disruption when a bridge node in a single instance fails, and allowing for faster convergence of a new topology for the failed instance.
Chapter 17 | Spanning Tree Commands Example Console(config-mstp)#name R&D Console(config-mstp)# Related Commands revision (471) revision This command configures the revision number for this multiple spanning tree configuration of this switch. Use the no form to restore the default. Syntax revision number number - Revision number of the spanning tree.
Chapter 17 | Spanning Tree Commands Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage ◆ This command stops all Bridge Protocol Data Units (BPDUs) from being transmitted on configured edge ports to save CPU processing time. This function is designed to work in conjunction with edge ports which should only connect end stations to the switch, and therefore do not need to process BPDUs.
Chapter 17 | Spanning Tree Commands Command Usage ◆ An edge port should only be connected to end nodes which do not generate BPDUs. If a BPDU is received on an edge port, this indicates an invalid network configuration, or that the switch may be under attack by a hacker. If an interface is shut down by BPDU Guard, it must be manually re-enabled using the no spanning-tree spanning-disabled command if the auto-recovery interval is not specified.
Chapter 17 | Spanning Tree Commands cost “0” is used to indicate auto-configuration mode. When the short path cost method is selected and the default path cost recommended by the IEEE 802.1w standard exceeds 65,535, the default is set to 65,535. Table 91: Default STA Path Costs Port Type Short Path Cost (IEEE 802.1D-1998) Long Path Cost (IEEE 802.
Chapter 17 | Spanning Tree Commands Command Usage ◆ You can enable this option if an interface is attached to a LAN segment that is at the end of a bridged LAN or to an end node. Since end nodes cannot cause forwarding loops, they can pass directly through to the spanning tree forwarding state.
Chapter 17 | Spanning Tree Commands ◆ RSTP only works on point-to-point links between two bridges. If you designate a port as a shared link, RSTP is forbidden. Since MSTP is an extension of RSTP, this same restriction applies. Example Console(config)#interface ethernet 1/5 Console(config-if)#spanning-tree link-type point-to-point spanning-tree loopback-detection This command enables the detection and response to Spanning Tree loopback BPDU packets on the port. Use the no form to disable this feature.
Chapter 17 | Spanning Tree Commands spanning-tree loopback-detection action This command configures the response for loopback detection to block user traffic or shut down the interface. Use the no form to restore the default. Syntax spanning-tree loopback-detection action {block | shutdown duration} no spanning-tree loopback-detection action block - Blocks user traffic. shutdown - Shuts down the interface. duration - The duration to shut down the interface.
Chapter 17 | Spanning Tree Commands Default Setting auto Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage ◆ If the port is configured for automatic loopback release, then the port will only be returned to the forwarding state if one of the following conditions is satisfied: ■ The port receives any other BPDU except for its own, or; ■ The port’s link status changes to link down and then link up again, or; ■ The port ceases to receive its own BPDUs in a forward delay interva
Chapter 17 | Spanning Tree Commands Example Console(config)#interface ethernet 1/5 Console(config-if)#spanning-tree loopback-detection trap spanning-tree mst cost This command configures the path cost on a spanning instance in the Multiple Spanning Tree. Use the no form to restore the default auto-configuration mode. Syntax spanning-tree mst instance-id cost cost no spanning-tree mst instance-id cost instance-id - Instance identifier of the spanning tree. (Range: 0-4094) cost - Path cost for an interface.
Chapter 17 | Spanning Tree Commands Example Console(config)#interface Ethernet 1/5 Console(config-if)#spanning-tree mst 1 cost 50 Console(config-if)# Related Commands spanning-tree mst port-priority (480) spanning-tree mst port-priority This command configures the interface priority on a spanning instance in the Multiple Spanning Tree. Use the no form to restore the default.
Chapter 17 | Spanning Tree Commands spanning-tree port-bpdu-flooding This command floods BPDUs to other ports when spanning tree is disabled globally or disabled on a specific port. Use the no form to restore the default setting.
Chapter 17 | Spanning Tree Commands ◆ Where more than one port is assigned the highest priority, the port with lowest numeric identifier will be enabled. ◆ The criteria used for determining the port role is based on root bridge ID, root path cost, designated bridge, designated port, port priority, and port number, in that order and as applicable to the role under question.
◆ When spanning tree is initialized globally on the switch or on an interface, the switch will wait for 20 seconds to ensure that the spanning tree has converged before enabling Root Guard.

Example
    Console(config)#interface ethernet 1/5
    Console(config-if)#spanning-tree edge-port
    Console(config-if)#spanning-tree root-guard
    Console(config-if)#

spanning-tree
This command disables the spanning tree algorithm for the specified interface.

Command Usage
Use this command to release an interface from the discarding state if the loopback detection release mode is set to “manual” by the spanning-tree loopback-detection release-mode command and BPDU loopback occurs.

Example
    Console#spanning-tree loopback-detection release ethernet 1/1
    Console#

spanning-tree protocol-migration
This command re-checks the appropriate BPDU format to send on the selected interface.

show spanning-tree
This command shows the configuration for the common spanning tree (CST), for all instances within the multiple spanning tree (MST), or for a specific instance within the multiple spanning tree (MST).

Syntax
show spanning-tree [interface | mst instance-id | brief | stp-enabled-only]
interface
ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number.

Example
    Console#show spanning-tree
    Spanning Tree Information
    --------------------------------------------------------------
    Spanning Tree Mode             : MSTP
    Spanning Tree Enabled/Disabled : Enabled
    Instance                       : 0
    VLANs Configured               : 1-4094
    Priority                       : 32768
    Bridge Hello Time (sec.)       : 2
    Bridge Max. Age (sec.)         : 20
    Bridge Forward Delay (sec.)    : 15
    Root Hello Time (sec.)         : 2
    Root Max. Age (sec.)           : 20
    Root Forward Delay (sec.)      : 15
    Max.

This example shows a brief summary of global and interface settings for the spanning tree.
    Console#show spanning-tree brief
    Spanning Tree Mode             : RSTP
    Spanning Tree Enabled/Disabled : Enabled
    Designated Root                : 32768.0000E89382A0
    Current Root Port              : 0
    Current Root Cost              : 0

    Interface Pri Designated Bridge ID Designated Port ID Oper Cost STP Status Role  State Oper Edge
    --------- --- --------------------- ------------------ --------- ---------- ----- ----- ---------
    Eth 1/ 1  128 32768.
18 ERPS Commands

The G.8032 recommendation, also referred to as Ethernet Ring Protection Switching (ERPS), can be used to increase the availability and robustness of Ethernet rings. This chapter describes commands used to configure ERPS.

Chapter 18 | ERPS Commands

Table 92: ERPS Commands (Continued)
Command | Function | Mode
clear erps statistics | Clears statistics, including SF, NR, NR-RB, FS, MS, Event, and Health protocol messages | PE
erps clear | Manually clears a protection state that has been invoked by a Forced Switch or Manual Switch command while the node is operating in non-revertive mode; or clears it before the WTR or WTB timer expires when the node is operating in revertive mode | PE
erps forced-switch | Blocks the specified ring port | PE

6. Enable ERPS: Before enabling a ring as described in the next step, first use the erps command to globally enable ERPS on the switch. If ERPS has not yet been enabled or has been disabled with the no erps command, no ERPS rings will work.
7. Enable an ERPS ring: Before an ERPS ring can work, it must be enabled using the enable command.

ring-id - ERPS ring identifier used in R-APS messages. (Range: 1-255)

Default Setting
None

Command Mode
Global Configuration

Command Usage
◆ Service Instances within each ring are based on a unique maintenance association for the specific users, distinguished by the ring name, maintenance level, maintenance association’s name, and assigned VLAN. Up to 6 ERPS rings can be configured on the switch.
◆ R-APS information is carried in R-APS PDUs.

◆ The following restrictions are recommended to avoid creating a loop in the network or other problems which may occur under some situations:
■ The Control VLAN must not be configured as a Layer 3 interface (with an IP address), a dynamic VLAN (with GVRP enabled), nor as a private VLAN.
■ In addition, only ring ports may be added to the Control VLAN. No other ports can be members of this VLAN.
■ Also, the ring ports of the Control VLAN must be tagged.
Example
    Console(config-erps)#enable
    Console(config-erps)#

Related Commands
erps (491)

guard-timer
This command sets the guard timer to prevent ring nodes from receiving outdated R-APS messages. Use the no form to restore the default setting.

Syntax
guard-timer milliseconds
milliseconds - The guard timer is used to prevent ring nodes from receiving outdated R-APS messages.

Default Setting
0 milliseconds

Command Mode
ERPS Configuration

Command Usage
In order to coordinate the timing of protection switches at multiple layers, a hold-off timer may be required. Its purpose is to allow, for example, a server layer protection switch to have a chance to fix the problem before switching at a client layer.

secondary ring (or sub-domain), which can have only one physical ring port. This command will therefore fail if the east port is already configured (see the ring-port command).

Example
    Console(config-erps)#major-domain rd0
    Console(config-erps)#

meg-level
This command sets the Maintenance Entity Group level for a ring. Use the no form to restore the default setting.

mep-monitor
This command specifies the CFM MEPs used to monitor the link on a ring node. Use the no form to restore the default setting.

Syntax
mep-monitor {east | west} mep mpid
east - Connects to the next ring node to the east.
west - Connects to the next ring node to the west.
mpid - Maintenance end point identifier.

Related Commands
ethernet cfm domain (741)
ethernet cfm mep (746)

node-id
This command sets the MAC address for a ring node. Use the no form to restore the default setting.

Syntax
node-id mac-address
mac-address - A MAC address unique to the ring node. The MAC address must be specified in the format xx-xx-xx-xx-xx-xx or xxxxxxxxxxxx.

non-erps-dev-protect
This command sends non-standard health-check packets when an owner node enters the protection state without any link down event having been detected through SF messages. Use the no form to disable this feature.

Syntax
[no] non-erps-dev-protect

Default Setting
Disabled

Command Mode
ERPS Configuration

Command Usage
◆ The RPL owner node detects a failed link when it receives R-APS (SF - signal fault) messages from nodes adjacent to the failed link.

forwarding database and unblock previously blocked ports. The ring is now returned to the Idle state.

Example
    Console(config-erps)#non-erps-dev-protect
    Console(config-erps)#

non-revertive
This command enables non-revertive mode, which requires the protection state on the RPL to be manually cleared. Use the no form to restore the default revertive mode.

■ Recovery with Revertive Mode – When all ring links and ring nodes have recovered and no external requests are active, reversion is handled in the following way:
a. The reception of an R-APS (NR) message causes the RPL Owner Node to start the WTR (Wait-to-Restore) timer.
b. The WTR timer is cancelled if during the WTR period a higher priority request than NR is accepted by the RPL Owner Node or is declared locally at the RPL Owner Node.
c.

is present at this ring node. The ring nodes stop transmitting R-APS (NR) messages when they accept an R-APS (NR, RB) message, or when another higher priority request is received. If the ring node where the Forced Switch was cleared receives an R-APS (NR) message with a Node ID higher than its own Node ID, it unblocks any ring port which does not have an SF condition and stops transmitting R-APS (NR) messages over both ring ports.

as a result of ring protection reversion, or until there is another higher priority request (e.g., an SF condition) in the ring. The Ethernet Ring Node where the Manual Switch was cleared continuously transmits the R-APS (NR) message on both ring ports, informing that no request is present at this ring node. The ring nodes stop transmitting R-APS (NR) messages when they accept an R-APS (NR, RB) message, or when another higher priority request is received.
Example
    Console(config-erps)#non-revertive
    Console(config-erps)#

propagate-tc
This command enables propagation of topology change messages for a secondary ring to the primary ring. Use the no form to disable this feature.

Syntax
[no] propagate-tc

Default Setting
Disabled

Command Mode
ERPS Configuration

Command Usage
◆ When a secondary ring detects a topology change, it can pass a message about this event to the major ring.

Command Mode
ERPS Configuration

Command Usage
◆ When ring nodes running ERPSv1 and ERPSv2 co-exist on the same ring, the Ring ID of each ring node must be configured as “1”.

into the interconnected network can be uniquely distinguished from those of other interconnected ring R-APS messages. This can be achieved, for example, by using separate VIDs for the virtual channels of different sub-rings. Note that the R-APS virtual channel requires a certain amount of bandwidth to forward R-APS messages on the interconnected Ethernet network where a sub-ring is attached.

Figure 5: Sub-ring without Virtual Channel; Sub-ring with Virtual Channel

Example
    Console(config-erps)#raps-without-vc
    Console(config-erps)#

ring-port
This command configures a node’s connection to the ring through the east or west interface. Use the no form to disassociate a node from the ring.

Syntax
ring-port {east | west} interface interface
east - Connects to the next ring node to the east.

◆ If a port channel (static trunk) is specified as a ring port, it cannot be destroyed before it is removed from the domain configuration.
◆ A static trunk will be treated as a signal fault if it contains no member ports or all of its member ports are in signal fault.
◆ If a static trunk is configured as a ring port prior to assigning any member ports, spanning tree will be disabled for the first member port assigned to the static trunk.

Example
    Console(config-erps)#rpl neighbor
    Console(config-erps)#

rpl owner
This command configures a ring node to be the Ring Protection Link (RPL) owner. Use the no form to restore the default setting.

Syntax
rpl owner
no rpl

Default Setting
None (that is, neither owner nor neighbor)

Command Mode
ERPS Configuration

Command Usage
◆ Only one RPL owner can be configured on a ring.

Command Mode
ERPS Configuration

Command Usage
◆ In addition to the basic features provided by version 1, version 2 also supports:
■ Multi-ring/ladder network support
■ Revertive/Non-revertive recovery
■ Forced Switch (FS) and Manual Switch (MS) commands for manually blocking a particular ring port
■ Flush FDB (forwarding database) logic which reduces the amount of flush FDB operations in the ring
■ Support of multiple ERP instances on a single ring
◆ Version 2 is backward

Command Mode
ERPS Configuration

Command Usage
If the switch goes into the ring protection state due to a signal failure, then after the failure condition is cleared, the RPL owner will start the wait-to-restore timer and wait until it expires to verify that the ring has stabilized before blocking the RPL and returning to the Idle (normal operating) state.
Command Usage
◆ Two steps are required to make a ring operating in non-revertive mode return to the Idle state from the forced switch or manual switch state:
1. Issue an erps clear command to remove the forced switch command on the node where a local forced switch command is active.
2. Issue an erps clear command on the RPL owner node to trigger the reversion.
◆ The erps clear command will also stop the WTR and WTB delay timers and reset their values.

R-APS (FS) message informs other ring nodes of the FS command and that the traffic channel is blocked on one ring port.
c. A ring node accepting an R-APS (FS) message, without any local higher priority requests, unblocks any blocked ring port. This action subsequently unblocks the traffic channel over the RPL.
d. The ring node accepting an R-APS (FS) message, without any local higher priority requests, stops transmission of R-APS messages.
e.

Table 93: ERPS Request/State Priority (Continued)
Request / State and Status | Type | Priority
WTB Running | local |
R-APS (NR, RB) | remote |
R-APS (NR) | remote | lowest
* If an Ethernet Ring Node is in the Forced Switch state, local SF is ignored.
◆ Recovery for forced switching under revertive and non-revertive mode is described under the Command Usage section for the non-revertive command.

on the ring port to which the command was issued, and unblocks the other ring port.
b. If no other higher priority commands exist, the ring node where the manual switch command was issued transmits R-APS messages over both ring ports indicating MS. R-APS (MS) messages are continuously transmitted by this ring node while the local MS command is the ring node’s highest priority command (see Table 93 on page 513).

Example
    Console#erps manual-switch domain r&d west
    Console#

show erps
This command displays status information for all configured rings, or for a specified ring.

Syntax
show erps [domain ring-name] [statistics]
domain - Keyword to display ERPS ring configuration settings.
ring-name - Name of a specific ERPS ring. (Range: 1-32 characters)
statistics - Keyword to display ERPS ring statistics.

Table 94: show erps - summary display description (Continued)
Field | Description
MEL | The maintenance entity group (MEG) level providing a communication channel for ring automatic protection switching (R-APS) information.
Ctrl VLAN | Shows the Control VLAN ID.
State | Shows the following ERPS states:
Init – The ERPS ring has started but has not yet determined the status of the ring.
Idle – If all nodes in a ring are in this state, it means that all the links in the ring are up.

    Holdoff  Guard    WTB      WTR      WTB Expire  WTR Expire
    -------- -------- -------- -------- ----------- -----------
    0 ms     500 ms   5500 ms  5 min

    W/E   Interface  Port State  Local SF  Local FS  Local MS  MEP  RPL
    ----  ---------  ----------  --------  --------  --------  ---  ---
    West  Eth 1/ 1   Blocking    No        No        No             Yes
    East  Eth 1/ 3   Forwarding  No        No        No             No
    Console#

Table 94 on page 516 describes most of the parameters shown by the show erps domain command. The following table includes the remaining parameters.

              EVENT      HEALTH
    Sent      0          0
    Received  0          0
    Ignored   0          0

    Interface     Local SF   Local Clear SF
    ------------  ---------  --------------
    (E) Eth 1/ 3  0          0

              SF    NR    NR-RB  FS    MS    EVENT  HEALTH
    Sent      0     62    0      0     0     0      0
    Received  0     948   0      0     0     0      0
    Ignored   0     0     0      0     0     0      0
    Console#

Table 96: show erps statistics - detailed display description
Field | Description
Interface | The direction, and port or trunk which
19 VLAN Commands

A VLAN is a group of ports that can be located anywhere in the network, but communicate as though they belong to the same physical segment. This section describes commands used to create VLAN groups, add port members, specify how VLAN tagging is used, and enable automatic VLAN registration for the selected interface.

Chapter 19 | VLAN Commands

GVRP and Bridge Extension Commands

GARP VLAN Registration Protocol defines a way for switches to exchange VLAN information in order to automatically register VLAN members on interfaces across the network. This section describes how to enable GVRP for individual interfaces and globally for the switch, as well as how to display default configuration settings for the Bridge Extension MIB.

garp timer
This command sets the values for the join, leave and leaveall timers. Use the no form to restore the timers’ default values.

Syntax
garp timer {join | leave | leaveall} timer-value
no garp timer {join | leave | leaveall}
{join | leave | leaveall} - Timer to set.
timer-value - Value of timer.

Related Commands
show garp timer (526)

switchport forbidden vlan
This command configures forbidden VLANs. Use the no form to remove the list of forbidden VLANs.

Syntax
switchport forbidden vlan {add vlan-list | remove vlan-list}
no switchport forbidden vlan
add vlan-list - List of VLAN identifiers to add.
remove vlan-list - List of VLAN identifiers to remove.

switchport gvrp
This command enables GVRP for a port. Use the no form to disable it.

Syntax
[no] switchport gvrp

Default Setting
Disabled

Command Mode
Interface Configuration (Ethernet, Port Channel)

Command Usage
GVRP cannot be enabled for ports set to Access mode using the switchport mode command.

show garp timer
This command shows the GARP timers for the selected interface.

Syntax
show garp timer [interface]
interface
ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number. (Range: 1-12)
port-channel channel-id (Range: 1-12)

Default Setting
Shows all GARP timers.

Example
    Console#show gvrp configuration ethernet 1/7
    Eth 1/ 7:
     GVRP Configuration : Disabled
    Console#

Editing VLAN Groups

Table 99: Commands for Editing VLAN Groups
Command | Function | Mode
vlan database | Enters VLAN database mode to add, change, and delete VLANs | GC
vlan | Configures a VLAN, including VID, name and state | VC

vlan database
This command enters VLAN database mode. All commands in this mode will take effect immediately.

vlan
This command configures a VLAN. Use the no form to restore the default settings or delete a VLAN.

Syntax
vlan vlan-id [name vlan-name] media ethernet [state {active | suspend}] [rspan]
no vlan vlan-id [name | state]
vlan-id - VLAN ID, specified as a single number, a range of consecutive numbers separated by a hyphen, or multiple numbers separated by commas. (Range: 1-4094)
name - Keyword to be followed by the VLAN name.

Related Commands
show vlan (536)

Configuring VLAN Interfaces

Table 100: Commands for Configuring VLAN Interfaces
Command | Function | Mode
interface vlan | Enters interface configuration mode for a specified VLAN | IC
switchport acceptable-frame-types | Configures frame types to be accepted by an interface | IC
switchport allowed vlan | Configures the VLANs associated with an interface | IC
switchport forbidden vlan | Configures forbidden VLANs for an interface
Example
The following example shows how to set the interface configuration mode to VLAN 1, and then assign an IP address to the VLAN:
    Console(config)#interface vlan 1
    Console(config-if)#ip address 192.168.1.254 255.255.255.0
    Console(config-if)#

Related Commands
shutdown (377)
interface (370)
vlan (528)

switchport acceptable-frame-types
This command configures the acceptable frame types for a port. Use the no form to restore the default.

switchport allowed vlan
This command configures VLAN groups on the selected interface. Use the no form to restore the default.

Syntax
switchport allowed vlan {add vlan-list [tagged | untagged] | remove vlan-list}
no switchport allowed vlan
add vlan-list - List of VLAN identifiers to add. When the add option is used, the interface is assigned to the specified VLANs, and membership in all previous VLANs is retained.

◆ If a VLAN on the forbidden list for an interface is manually added to that interface, the VLAN is automatically removed from the forbidden list for that interface.

switchport mode
This command configures the VLAN membership mode for a port. Use the no form to restore the default.

Syntax
switchport mode {access | hybrid | trunk}
no switchport mode
access - Specifies an access VLAN interface. The port transmits and receives untagged frames on a single VLAN only.
hybrid - Specifies a hybrid VLAN interface. The port may transmit tagged or untagged frames.
trunk - Specifies a port as an end-point for a VLAN trunk.

switchport native vlan
This command configures the PVID (i.e., default VLAN ID) for a port. Use the no form to restore the default.

Syntax
switchport native vlan vlan-id
no switchport native vlan
vlan-id - Default VLAN ID for a port.

The following figure shows VLANs 1 and 2 configured on switches A and B, with VLAN trunking being used to pass traffic for these VLAN groups across switches C, D and E.

Figure 6: Configuring VLAN Trunking

Without VLAN trunking, you would have to configure VLANs 1 and 2 on all intermediate switches – C, D and E; otherwise these switches would drop any frames with unknown VLAN group tags.

Displaying VLAN Information

This section describes commands used to display VLAN information.

Table 101: Commands for Displaying VLAN Information
Command | Function | Mode
show interfaces status vlan | Displays status for the specified VLAN interface | NE, PE
show interfaces switchport | Displays the administrative and operational status of an interface | NE, PE
show vlan | Shows VLAN information | NE, PE

show vlan
This command shows VLAN information.

Configuring IEEE 802.1Q Tunneling

IEEE 802.1Q tunneling (QinQ tunneling) uses a single Service Provider VLAN (SPVLAN) for customers who have multiple VLANs. Customer VLAN IDs are preserved and traffic from different customers is segregated within the service provider’s network even when they use the same customer-specific VLAN IDs.

8. Configure the QinQ tunnel uplink port to join the SPVLAN as a tagged member (switchport allowed vlan).

Limitations for QinQ
◆ The native VLAN for the tunnel uplink ports and tunnel access ports cannot be the same. However, the same service VLANs can be set on both tunnel port types.
◆ IGMP Snooping should not be enabled on a tunnel access port.

switchport dot1q-tunnel mode
This command configures an interface as a QinQ tunnel port. Use the no form to disable QinQ on the interface.

Syntax
switchport dot1q-tunnel mode {access | uplink}
no switchport dot1q-tunnel mode
access - Sets the port as an 802.1Q tunnel access port.
uplink - Sets the port as an 802.1Q tunnel uplink port.

switchport dot1q-tunnel service match cvid
This command creates a CVLAN to SPVLAN mapping entry. Use the no form to delete a VLAN mapping entry.

Syntax
switchport dot1q-tunnel service svid match cvid cvid
svid - VLAN ID for the outer VLAN tag (Service Provider VID). (Range: 1-4094)
cvid - VLAN ID for the inner VLAN tag (Customer VID).
The following example maps C-VLAN 10 to S-VLAN 100, C-VLAN 20 to S-VLAN 200 and C-VLAN 30 to S-VLAN 300 for ingress traffic on port 1 of Switches A and B.

Step 2. Configure Switch C.
1. Create VLAN 100, 200 and 300.
    Console(config)#vlan database
    Console(config-vlan)#vlan 100,200,300 media ethernet state active
2. Configure port 1 and port 2 as tagged members of VLAN 100, 200 and 300.
    Console(config)#interface ethernet 1/1,2
    Console(config-if)#switchport allowed vlan add 100,200,300 tagged

switchport
This command sets the Tag Protocol Identifier (TPID) value of a tunnel port.

Related Commands
show interfaces switchport (389)

show dot1q-tunnel
This command displays information about QinQ tunnel ports.

Syntax
show dot1q-tunnel [interface interface [service svid] | service [svid]]
interface
ethernet unit/port
unit - Stack unit. (Range: 1)
port - Port number. (Range: 1-12)
port-channel channel-id (Range: 1-12)
svid - VLAN ID for the outer VLAN tag (SPVID).

Related Commands
switchport dot1q-tunnel mode (539)

Configuring L2PT Tunneling

This section describes the commands used to configure Layer 2 Protocol Tunneling (L2PT).

◆ L2PT can be used to pass various types of protocol packets belonging to the same customer transparently across a service provider’s network. In this way, normally segregated network segments can be configured to function inside a common protocol domain.

■ with destination address 01-80-C2-00-00-01~0A (S-VLAN), the frame is filtered, decapsulated, and processed locally by the switch if the protocol is supported.

Example
    Console(config)#dot1q-tunnel system-tunnel-control
    Console(config)#l2protocol-tunnel tunnel-dmac 01-80-C2-00-00-01
    Console(config)#

switchport l2protocol-tunnel
This command enables Layer 2 Protocol Tunneling (L2PT) for the specified protocol. Use the no form to disable L2PT for the specified protocol.

show
This command shows settings for Layer 2 Protocol Tunneling (L2PT).

Configuring VLAN Translation

Command Mode
Interface Configuration (Ethernet)

Command Usage
◆ If the next switch upstream does not support QinQ tunneling, then use this command to map the customer’s VLAN ID to the service provider’s VLAN ID for the upstream port. Similarly, if the next switch downstream does not support QinQ tunneling, then use this command to map the service provider’s VLAN ID to the customer’s VLAN ID for the downstream port.

    Interface Old VID New VID
    --------- ------- -------
    Eth 1/ 1  10      100
    Console#

show vlan-translation
This command displays the configuration settings for VLAN translation.

Syntax
show vlan-translation [interface interface]
interface
ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number.
Configuring Protocol-based VLANs
protocol-vlan protocol-group (Configuring Groups)
This command creates a protocol group, or adds specific protocols to a group. Use the no form to remove a protocol group.

Syntax
protocol-vlan protocol-group group-id [{add | remove} frame-type frame protocol-type protocol]
no protocol-vlan protocol-group group-id
group-id - Group identifier of this protocol group. (Range: 1-2147483647)
frame - Frame type used by this protocol.

Default Setting
No protocol groups are mapped for any interface.
Priority: 0

Command Mode
Interface Configuration (Ethernet, Port Channel)

Command Usage
◆ When creating a protocol-based VLAN, only assign interfaces via this command. If you assign interfaces using any of the other VLAN commands (such as the vlan command), these interfaces will admit traffic of any protocol type into the associated VLAN.

Command Mode
Privileged Exec

Example
This shows protocol group 1 configured for IP over Ethernet:
    Console#show protocol-vlan protocol-group
    Protocol Group ID Frame Type Protocol Type
    ----------------- ---------- -------------
                    1 Ethernet   08 00
                    1 Ethernet   08 06
    Console#

show interfaces protocol-vlan
This command shows the mapping from protocol groups to VLANs for the selected interfaces.

Configuring IP Subnet VLANs

When using IEEE 802.1Q port-based VLAN classification, all untagged frames received by a port are classified as belonging to the VLAN whose VID (PVID) is associated with that port. When IP subnet-based VLAN classification is enabled, the source address of untagged ingress frames is checked against the IP subnet-to-VLAN mapping table.

◆ When an untagged frame is received by a port, the source IP address is checked against the IP subnet-to-VLAN mapping table, and if an entry is found, the corresponding VLAN ID is assigned to the frame. If no mapping is found, the PVID of the receiving port is assigned to the frame.
◆ The IP subnet cannot be a broadcast or multicast IP address.

show subnet-vlan
This command displays IP Subnet VLAN assignments.

Command Mode
Privileged Exec

Command Usage
◆ Use this command to display subnet-to-VLAN mappings.
◆ The last matched entry is used if more than one entry can be matched.

Example
The following example displays all configured IP subnet-based VLANs.
    Console#show subnet-vlan
    IP Address      Mask
    --------------- ---------------
    192.168.12.0    255.255.255.128
    192.168.12.128  255.255.255.192
    192.168.
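The classification rules stated above (source IP looked up in the subnet-to-VLAN table, PVID as fallback, last matching entry wins, no broadcast or multicast subnets) can be modelled in a few lines. The following is an added example, not code from this guide or the switch; the two subnets come from the show subnet-vlan output above, while the VLAN IDs 10, 20 and 30 and the covering /24 entry are constructed, and the exact reading of the broadcast/multicast restriction is an assumption stated in the comments.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List


@dataclass(frozen=True)
class SubnetVlanEntry:
    network: ipaddress.IPv4Network
    vlan_id: int


@dataclass
class SubnetVlanTable:
    """In-memory model of the IP subnet-to-VLAN mapping table described above."""
    entries: List[SubnetVlanEntry] = field(default_factory=list)

    def add(self, subnet: str, mask: str, vlan_id: int) -> None:
        """One configured mapping. Assumption (not spelled out in the guide): the rule
        'the IP subnet cannot be a broadcast or multicast IP address' is read as rejecting
        multicast addresses, the limited broadcast address 255.255.255.255 and the directed
        broadcast address of the given subnet/mask pair."""
        if not 1 <= vlan_id <= 4094:
            raise ValueError("VLAN ID out of range 1-4094")
        addr = ipaddress.IPv4Address(subnet)
        network = ipaddress.IPv4Network(f"{subnet}/{mask}", strict=False)
        if addr.is_multicast:
            raise ValueError(f"{subnet} is a multicast address")
        if addr == ipaddress.IPv4Address("255.255.255.255") or (
            network.prefixlen < 31 and addr == network.broadcast_address
        ):
            raise ValueError(f"{subnet} is a broadcast address for mask {mask}")
        self.entries.append(SubnetVlanEntry(network, vlan_id))

    def classify(self, src_ip: str, pvid: int) -> int:
        """VLAN assigned to an untagged frame with this source IP: the LAST matching entry
        wins (as stated under show subnet-vlan); with no match the port's PVID is used."""
        ip = ipaddress.IPv4Address(src_ip)
        chosen = pvid
        for entry in self.entries:
            if ip in entry.network:
                chosen = entry.vlan_id  # keep overwriting so the last match survives
        return chosen


def example_table() -> SubnetVlanTable:
    """Subnets as in the show subnet-vlan example; VLAN IDs and the /24 entry are constructed.
    The broad /24 is configured first so that the narrower entries, being later, win."""
    table = SubnetVlanTable()
    table.add("192.168.12.0", "255.255.255.0", 30)      # covers the two entries below
    table.add("192.168.12.0", "255.255.255.128", 10)    # hosts .1 - .126
    table.add("192.168.12.128", "255.255.255.192", 20)  # hosts .129 - .190
    return table


if __name__ == "__main__":
    table = example_table()
    for ip in ("192.168.12.5", "192.168.12.130", "192.168.12.200", "10.0.0.1"):
        print(ip, "->", table.classify(ip, pvid=1))  # 10, 20, 30, 1
```

Because the last match wins, the order in which overlapping entries are configured changes the result; configure the broad subnet first, then the more specific ones, if the specific ones are meant to take effect.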
Configuring MAC Based VLANs

mac-vlan
This command configures MAC address-to-VLAN mapping. Use the no form to remove an assignment.

Syntax
mac-vlan mac-address mac-address vlan vlan-id [priority priority]
no mac-vlan mac-address {mac-address | all}
mac-address - The source MAC address to be matched. Configured MAC addresses can only be unicast addresses. The MAC address must be specified in the format xx-xx-xx-xx-xx-xx or xxxxxxxxxxxx.

Example
The following example displays all configured MAC address-based VLANs.
    Console#show mac-vlan
    MAC Address       VLAN ID Priority
    ----------------- ------- --------
    00-00-00-11-22-33 10      0
    Console#

Configuring Voice VLANs

The switch allows you to specify a Voice VLAN for the network and set a CoS priority for the VoIP traffic. VoIP traffic can be detected on switch ports by using the source MAC address of packets, or by using LLDP (IEEE 802.
Chapter 19 | VLAN Commands Configuring Voice VLANs Command Mode Global Configuration Command Usage ◆ When IP telephony is deployed in an enterprise network, it is recommended to isolate the Voice over IP (VoIP) network traffic from other data traffic. Traffic isolation helps prevent excessive packet delays, packet loss, and jitter, which results in higher voice quality. This is best achieved by assigning all VoIP traffic to a single VLAN.
Chapter 19 | VLAN Commands Configuring Voice VLANs The VoIP aging time starts to count down when the OUI’s MAC address expires from the MAC address table. Therefore, the MAC address aging time should be added to the overall aging time. For example, if you configure the MAC address table aging time to 30 seconds, and voice VLAN aging time to 5 minutes, then after 5.5 minutes, a port will be removed from the voice VLAN when VoIP traffic is no longer received on the port.
Chapter 19 | VLAN Commands Configuring Voice VLANs be configured on the switch so that traffic from these devices is recognized as VoIP. ◆ Setting a mask of FF-FF-FF-00-00-00 identifies all devices with the same OUI (the first three octets). Other masks restrict the MAC address range. Setting FF-FF-FF-FF-FF-FF specifies a single MAC address. Example The following example adds a MAC OUI to the OUI Telephony list.
Chapter 19 | VLAN Commands Configuring Voice VLANs Example The following example sets port 1 to Voice VLAN auto mode. Console(config)#interface ethernet 1/1 Console(config-if)#switchport voice vlan auto Console(config-if)# switchport voice vlan This command specifies a CoS priority for VoIP traffic on a port. Use the no form to priority restore the default priority on a port. Syntax switchport voice vlan priority priority-value no switchport voice vlan priority priority-value - The CoS priority value.
Default Setting
OUI: Enabled
LLDP: Disabled

Command Mode
Interface Configuration

Command Usage
◆ When OUI is selected, be sure to configure the MAC address ranges in the Telephony OUI list (see the voice vlan mac-address command). MAC address OUI numbers must be configured in the Telephony OUI list so that the switch recognizes the traffic as being from a VoIP device.
◆ LLDP checks that the “telephone bit” in the system capability TLV is turned on.
Example
The following example enables security filtering on port 1.

Console(config)#interface ethernet 1/1
Console(config-if)#switchport voice vlan security
Console(config-if)#

show voice vlan
This command displays the Voice VLAN settings on the switch and the OUI Telephony list.

Syntax
show voice vlan {oui | status}
oui - Displays the OUI Telephony list.
status - Displays the global and port Voice VLAN settings.
Console#show voice vlan oui
OUI Address       Mask              Description
----------------- ----------------- ------------------------------
00-12-34-56-78-9A FF-FF-FF-00-00-00 old phones
00-11-22-33-44-55 FF-FF-FF-00-00-00 new phones
00-98-76-54-32-10 FF-FF-FF-FF-FF-FF Chris' phone
Console#
20 Class of Service Commands The commands described in this section allow you to specify which data packets have greater precedence when traffic is buffered in the switch due to congestion. This switch supports CoS with eight priority queues for each port. Data packets in a port’s high-priority queue will be transmitted before those in the lower-priority queues.
Chapter 20 | Class of Service Commands
Priority Commands (Layer 2)

queue mode
This command sets the scheduling mode used for processing each of the class of service (CoS) priority queues. The options include strict priority, Weighted Round-Robin (WRR), or a combination of strict and weighted queuing. Use the no form to restore the default value.
◆ Service time is shared at the egress ports by defining scheduling weights for WRR, or for the queuing mode that uses a combination of strict and weighted queuing. Service time is allocated to each queue by calculating a precise number of bytes per second that will be serviced on each round.
◆ The specified queue mode applies to all interfaces.
Example
The following example shows how to assign round-robin weights of 1 - 4 to the CoS priority queues 0 - 7.

Console(config)#queue weight 1 2 3 4 5 6 7 8
Console(config)#

Related Commands
queue mode (568)
show queue weight (571)

switchport priority default
This command sets a priority for incoming untagged frames. Use the no form to restore the default value.
Example
The following example shows how to set a default priority on port 3 to 5:

Console(config)#interface ethernet 1/3
Console(config-if)#switchport priority default 5
Console(config-if)#

Related Commands
show interfaces switchport (389)

show queue mode
This command shows the current queue mode.
Priority Commands (Layer 3 and 4)
This section describes commands used to configure Layer 3 and 4 traffic priority mapping on the switch.
Default Setting
Table 112: Default Mapping of CoS/CFI to Internal PHB/Drop Precedence
CoS   CFI 0   CFI 1
0     (0,0)   (0,0)
1     (1,0)   (1,0)
2     (2,0)   (2,0)
3     (3,0)   (3,0)
4     (4,0)   (4,0)
5     (5,0)   (5,0)
6     (6,0)   (6,0)
7     (7,0)   (7,0)

Command Mode
Global Configuration

Command Usage
◆ The default mapping of CoS to PHB values shown in Table 112 is based on the recommended settings in IEEE 802.
qos map dscp-cos
This command maps internal per-hop behavior and drop precedence value pairs to CoS/CFI values used in tagged egress packets on a Layer 2 interface. Use the no form to restore the default settings.

Syntax
qos map dscp-cos cos-value cfi-value from phb0 drop-precedence0 ... phb7 drop-precedence7
no map ip dscp phb0 drop-precedence0 ... phb7 drop-precedence7
cos-value - CoS value in ingress packets.
Example

Console(config)#interface ethernet 1/5
Console(config-if)#qos map dscp-cos 1 0 from 1 2
Console(config-if)#

qos map dscp-mutation
This command maps DSCP values in incoming packets to per-hop behavior and drop precedence values for priority processing. Use the no form to restore the default settings.

Syntax
qos map dscp-mutation phb drop-precedence from dscp0 ... dscp7
no qos map dscp-mutation dscp0 ...
Command Usage
◆ Enter a value pair for the internal per-hop behavior and drop precedence, followed by the keyword “from” and then up to eight DSCP values separated by spaces.
◆ This map is only used when the QoS mapping mode is set to “DSCP” by the qos map trust-mode command, and the ingress packet type is IPv4.
Command Usage
◆ Enter a queue identifier, followed by the keyword “from” and then up to eight internal per-hop behavior values separated by spaces.
◆ Egress packets are placed into the hardware queues according to the mapping defined by this command.

Example

Console(config)#qos map phb-queue 0 from 1 2 3
Console(config)#

qos map trust-mode
This command sets QoS mapping to DSCP or CoS.
Example
This example sets the QoS priority mapping mode to use DSCP based on the conditions described in the Command Usage section.

Console(config)#interface ge1/1
Console(config-if)#qos map trust-mode dscp
Console(config-if)#

show qos map cos-dscp
This command shows the ingress CoS/CFI to internal DSCP map.

Syntax
show qos map cos-dscp interface interface
interface
 ethernet unit/port
  unit - Unit identifier.
  port - Port number. (Range: 1-12)

Command Mode
Privileged Exec

Command Usage
This map is only used if the packet is forwarded with an 802.1Q tag.
Console#show qos map dscp-mutation interface ethernet 1/5
Information of Eth 1/5
DSCP mutation map.
Command Mode
Privileged Exec

Example
The following shows that the trust mode is set to CoS:

Console#show qos map trust-mode interface ethernet 1/5
Information of Eth 1/5
 CoS Map Mode: CoS mode
Console#
21 Quality of Service Commands
The commands described in this section are used to configure Differentiated Services (DiffServ) classification criteria and service policies. You can classify traffic based on access lists, IP Precedence or DSCP values, or VLANs. Using access lists allows you to select traffic based on Layer 2, Layer 3, or Layer 4 information contained in each packet.
Table 116: Quality of Service Commands (Continued)
Command                     Function                                                                                                          Mode
show policy-map             Displays the QoS policy maps which define classification criteria for incoming traffic, and may include policers for bandwidth limitations   PE
show policy-map interface   Displays the configuration of all classes configured for all service policies on the specified interface           PE

To create a service policy for a specific category of ingress traffic, follow these steps:
1.
Default Setting
match-any

Command Mode
Global Configuration

Command Usage
◆ First enter this command to designate a class map and enter the Class Map configuration mode. Then use match commands to specify the criteria for ingress traffic that will be classified under this class map.
◆ One or more class maps can be assigned to a policy map (page 588). The policy map is then bound by a service policy to an interface (page 600).
match
This command defines the criteria used to classify traffic. Use the no form to delete the matching criteria.

Syntax
[no] match {access-list acl-name | cos cos | ip dscp dscp | ip precedence ip-precedence | ipv6 dscp dscp | source-port interface | vlan vlan}
acl-name - Name of the access control list. Any type of ACL can be specified, including standard or extended IPv4/IPv6 ACLs and MAC ACLs. (Range: 116 characters)
cos - A Class of Service value.
Example
This example creates a class map called “rd-class#1,” and sets it to match packets marked for DSCP service value 3.

Console(config)#class-map rd-class#1 match-any
Console(config-cmap)#match ip dscp 3
Console(config-cmap)#

This example creates a class map called “rd-class#2,” and sets it to match packets marked for IP Precedence service value 5.
policy-map
This command creates a policy map that can be attached to multiple interfaces, and enters Policy Map configuration mode. Use the no form to delete a policy map.

Syntax
[no] policy-map policy-map-name
policy-map-name - Name of the policy map.
bundle
This command sets the maximum flow rate for a group of traffic flows. Use the no form to remove a bundle.

Syntax
bundle index bundle-rate class-map1 class-map2 [class-map3 ... class-map5]
index - Index for group of class maps. (Range: 1-3)
bundle-rate - Maximum flow rate for a group of traffic flows. (Range: 0-1,000,000 kbps)
class-map - Name of a class map.
Command Usage
◆ Use the policy-map command to specify a policy map and enter Policy Map configuration mode. Then use the class command to enter Policy Map Class configuration mode. And finally, use the set command and one of the police commands to specify the match criteria, where the:
 ■ set phb command sets the per-hop behavior value in matching packets. (This modifies packet priority for internal processing only.
police flow
This command defines an enforcer for classified traffic based on the metered flow rate. Use the no form to remove a policer.

Syntax
[no] police flow committed-rate committed-burst conform-action transmit violate-action {drop | new-dscp}
committed-rate - Committed information rate (CIR) in kilobits per second. (Range: 0-1000000 kbps at a granularity of 64 kbps or maximum port speed, whichever is lower)
committed-burst - Committed burst size (BC) in bytes.
 ■ Tc is not incremented.
When a packet of size B bytes arrives at time t, the following happens:
 ■ If Tc(t) - B ≥ 0, the packet is green and Tc is decremented by B down to the minimum value of 0,
 ■ else the packet is red and Tc is not decremented.
violate-action - Action to take when the rate exceeds the BE. (There are not enough tokens in bucket BE to service the packet; the packet is marked red.)
 transmit - Transmits without taking any action.
 drop - Drops the packet as required by exceed-action or violate-action.
 new-dscp - Differentiated Service Code Point (DSCP) value. (Range: 0-63)

Default Setting
None

Command Mode
Policy Map Class Configuration

Command Usage
You can configure up to 16 policers (i.e.
When a packet of size B bytes arrives at time t, the following happens if srTCM is configured to operate in color-blind mode:
 ■ If Tc(t) - B ≥ 0, the packet is green and Tc is decremented by B down to the minimum value of 0,
 ■ else if Te(t) - B ≥ 0, the packet is yellow and Te is decremented by B down to the minimum value of 0,
 ■ else the packet is red and neither Tc nor Te is decremented.
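The color-blind decision just described, and the single-bucket green/red rule given for police flow, as an added example that is not the switch's own code: a Python meter applying the Tc/Te test to a constructed burst. Token replenishment is assumed to follow RFC 2697 (the text above covers only the decrement side), the CIR is taken in kbps as the CLI states it, and BE of 0 turns the meter into the single-bucket policer.

```python
from dataclasses import dataclass, field

GREEN, YELLOW, RED = "green", "yellow", "red"


@dataclass
class SrTCM:
    """Single-rate three-color meter, color-blind mode (constructed example).

    cir_kbps  committed-rate as typed on the CLI (kbit/s)
    bc_bytes  committed-burst, capacity of bucket Tc
    be_bytes  excess burst, capacity of bucket Te; 0 leaves only the
              green/red outcomes of the single-bucket 'police flow'
    """
    cir_kbps: int
    bc_bytes: int
    be_bytes: int = 0
    tc: float = field(init=False)
    te: float = field(init=False)
    last_t: float = field(init=False, default=0.0)

    def __post_init__(self):
        # Both buckets start full (RFC 2697 section 3.1; assumed, not stated on the page).
        self.tc = float(self.bc_bytes)
        self.te = float(self.be_bytes)

    def _replenish(self, t):
        """Add CIR * elapsed tokens: fill Tc up to BC, spill the rest into Te up to BE."""
        elapsed = max(0.0, t - self.last_t)
        self.last_t = max(self.last_t, t)
        tokens = self.cir_kbps * 1000 / 8 * elapsed  # kbit/s -> bytes over the interval
        room = self.bc_bytes - self.tc
        if tokens <= room:
            self.tc += tokens
        else:
            self.tc = float(self.bc_bytes)
            self.te = min(float(self.be_bytes), self.te + (tokens - room))

    def meter(self, size, t):
        """Color a packet of `size` bytes arriving at time `t` (seconds)."""
        self._replenish(t)
        if self.tc - size >= 0:          # green: Tc decremented by B
            self.tc -= size
            return GREEN
        if self.te - size >= 0:          # yellow: Te decremented by B
            self.te -= size
            return YELLOW
        return RED                       # red: neither bucket is touched


def police(meter, size, t, exceed_action="transmit", violate_action="drop"):
    """Map the meter's color to the switch's actions.

    conform-action is always transmit on this switch; exceed-action applies to
    yellow and violate-action to red. A remark is written as "new-dscp <n>".
    """
    color = meter.meter(size, t)
    if color == GREEN:
        return color, "transmit"
    if color == YELLOW:
        return color, exceed_action
    return color, violate_action


def run_burst(meter, arrivals, **actions):
    """Police a list of (size_bytes, time_s) arrivals; return (color, action) per packet."""
    return [police(meter, size, t, **actions) for size, t in arrivals]


if __name__ == "__main__":
    # Constructed traffic: four 1500-byte frames back to back, then one 1 ms later.
    burst = [(1500, 0.0)] * 4 + [(1500, 0.001)]
    # CIR 100,000 kbps and BC 4000 bytes are the values used in this page's policy
    # example; BE 2000 bytes is an assumed value.
    print(run_burst(SrTCM(100000, 4000, 2000), burst, violate_action="new-dscp 8"))
    # Without an excess bucket only green and red can occur (police flow).
    print(run_burst(SrTCM(100000, 4000), burst))
```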
police trtcm-color
This command defines an enforcer for classified traffic based on a two rate three color meter (trTCM). Use the no form to remove a policer.

Syntax
[no] police {trtcm-color-blind | trtcm-color-aware} committed-rate committed-burst peak-rate peak-burst conform-action transmit exceed-action {drop | new-dscp} violate-action {drop | new-dscp}
trtcm-color-blind - Two rate three color meter in color-blind mode.
◆ The trTCM as defined in RFC 2698 meters a traffic stream and processes its packets based on two rates – Committed Information Rate (CIR) and Peak Information Rate (PIR), and their associated burst sizes – Committed Burst Size (BC) and Peak Burst Size (BP).
◆ The PHB label is composed of five bits, three bits for per-hop behavior, and two bits for the color scheme used to control queue congestion. A packet is marked red if it exceeds the PIR.
Example
This example creates a policy called “rd-policy,” uses the class command to specify the previously defined “rd-class,” uses the set phb command to classify the service that incoming packets will receive, and then uses the police trtcm-color-blind command to limit the average bandwidth to 100,000 Kbps, the committed burst rate to 4000 bytes, the peak information rate to 1,000,000 kbps, the peak burst size to 6000, to remark any packets exceeding the committed
set cos
This command modifies the class of service (CoS) value for a matching packet (as specified by the match command) in the packet’s VLAN tag. Use the no form to remove this setting.

Syntax
[no] set cos cos-value
cos-value - Class of Service value. (Range: 0-7)

Default Setting
None

Command Mode
Policy Map Class Configuration

Command Usage
◆ The set cos command is used to set the CoS value in the VLAN tag for matching packets.
Command Mode
Policy Map Class Configuration

Command Usage
The set ip dscp command is used to set the priority values in the packet’s ToS field for matching packets.
Example
This example creates a policy called “rd-policy,” uses the class command to specify the previously defined “rd-class,” uses the set phb command to classify the service that incoming packets will receive, and then uses the police flow command to limit the average bandwidth to 100,000 Kbps, the burst rate to 4000 bytes, and configure the response to drop any violating packets.
show class-map
This command displays the QoS class maps which define matching criteria used for classifying traffic.

Syntax
show class-map [class-map-name]
class-map-name - Name of the class map. (Range: 1-32 characters)

Default Setting
Displays all class maps.
Example

Console#show policy-map
Policy Map rd-policy
 Description:
 class rd-class
  set PHB 3
Console#show policy-map rd-policy class rd-class
Policy Map rd-policy
 class rd-class
  set PHB 3
Console#

show policy-map interface
This command displays the service policy assigned to the specified interface.

Syntax
show policy-map interface interface {input | output}
interface
 unit/port
  unit - Unit identifier. (Range: 1)
  port - Port number.
22 Multicast Filtering Commands
This switch uses IGMP (Internet Group Management Protocol) to check for any attached hosts that want to receive a specific multicast service. It identifies the ports containing hosts requesting a service and sends data out to those ports only. It then propagates the service request up to any neighboring multicast switch/router to ensure that it will continue to receive the multicast service.
IGMP Snooping
This section describes commands used to configure IGMP snooping on the switch.
Table 118: IGMP Snooping Commands (Continued)
Command                                   Function                                                                          Mode
ip igmp snooping vlan query-resp-intvl    Configures the maximum time the system waits for a response to general queries   GC
ip igmp snooping vlan static              Adds an interface as a member of a multicast group                               GC
ip igmp snooping vlan version             Configures the IGMP version for snooping                                         GC
ip igmp snooping vlan version-exclusive   Discards received IGMP messages which use a version diff
Example
The following example enables IGMP snooping globally.

Console(config)#ip igmp snooping
Console(config)#

ip igmp snooping priority
This command assigns a priority to all multicast traffic. Use the no form to restore the default setting.

Syntax
ip igmp snooping priority priority
no ip igmp snooping priority
priority - The CoS priority assigned to all multicast traffic.
ip igmp snooping proxy-reporting
This command enables IGMP Snooping with Proxy Reporting. Use the no form to restore the default setting.

Syntax
[no] ip igmp snooping proxy-reporting
ip igmp snooping vlan vlan-id proxy-reporting {enable | disable}
no ip igmp snooping vlan vlan-id proxy-reporting
vlan-id - VLAN ID (Range: 1-4094)
enable - Enable on the specified VLAN.
disable - Disable on the specified VLAN.
Command Usage
◆ IGMP snooping querier is not supported for IGMPv3 snooping (see ip igmp snooping version).
◆ If enabled, the switch will serve as querier if elected. The querier is responsible for asking hosts if they want to receive multicast traffic.

Example

Console(config)#ip igmp snooping querier
Console(config)#

ip igmp snooping router-alert-option-
This command discards any IGMPv2/v3 packets that do not include the Router Alert option.
ip igmp snooping router-port-expire-time
This command configures the querier timeout. Use the no form to restore the default.

Syntax
ip igmp snooping router-port-expire-time seconds
no ip igmp snooping router-port-expire-time
seconds - The time the switch waits after the previous querier stops before it considers it to have expired.
Command Usage
Membership reports exceeding the configured limits for the interface are dropped. This command can be used to prevent DoS attacks.

Example

Console(config)#ip igmp rate-limit rate 100 interface ethernet 1/1
Console(config)#

ip igmp snooping tcn-flood
This command enables flooding of multicast traffic if a spanning tree topology change notification (TCN) occurs. Use the no form to disable flooding.
channels. The root bridge also sends an unsolicited Multicast Router Discover (MRD) request to quickly locate the multicast routers in this VLAN. The proxy query and unsolicited MRD request are flooded to all VLAN ports except for the receiving port when the switch receives such packets.

Example
The following example enables TCN flooding.
ip igmp snooping unregistered-data-flood
This command floods unregistered multicast traffic into the attached VLAN. Use the no form to drop unregistered multicast traffic.

Syntax
[no] ip igmp snooping unregistered-data-flood

Default Setting
Disabled

Command Mode
Global Configuration

Command Usage
Once the table used to store multicast entries for IGMP snooping and multicast routing is filled, no new entries are learned.
Example

Console(config)#ip igmp snooping unsolicited-report-interval 5
Console(config)#

ip igmp snooping version
This command configures the IGMP snooping version. Use the no form to restore the default.
ip igmp snooping version-exclusive
This command discards any received IGMP messages (except for multicast protocol packets) which use a version different from that currently configured by the ip igmp snooping version command. Use the no form to disable this feature.
Command Usage
◆ By default, general query messages are flooded to all ports, except for the multicast router through which they are received.
◆ If general query suppression is enabled, then these messages are forwarded only to downstream ports which have joined a multicast service.
Example
The following shows how to enable immediate leave.

Console(config)#ip igmp snooping vlan 1 immediate-leave
Console(config)#

ip igmp snooping vlan last-memb-query-count
This command configures the number of IGMP proxy group-specific or group-and-source-specific query messages that are sent out before the system assumes there are no more local members. Use the no form to restore the default.
Default Setting
10 (1 second)

Command Mode
Global Configuration

Command Usage
◆ When a multicast host leaves a group, it sends an IGMP leave message. When the leave message is received by the switch, it checks to see if this host is the last to leave the group by sending out an IGMP group-specific or group-and-source-specific query message, and starts a timer.
◆ Advertisements are sent by routers to advertise that IP multicast forwarding is enabled. These messages are sent unsolicited periodically on all router interfaces on which multicast forwarding is enabled. They are sent upon the expiration of a periodic timer, as a part of a router's start up procedure, during the restart of a multicast forwarding interface, and on receipt of a solicitation message.
To resolve this problem, the source address in proxied IGMP query and report messages can be replaced with any valid unicast address (other than the router's own address) using this command.

Rules Used for Proxy Reporting
When IGMP Proxy Reporting is disabled, the switch will use a null IP address for the source of IGMP query and report messages unless a proxy query address has been set.
Command Usage
◆ An IGMP general query message is sent by the switch at the interval specified by this command. When this message is received by downstream hosts, all receivers build an IGMP report for the multicast groups they have joined.
◆ This command applies when the switch is serving as the querier (page 607), or as a proxy host when IGMP snooping proxy reporting is enabled (page 607).
ip igmp snooping vlan static
This command adds a port to a multicast group. Use the no form to remove the port.

Syntax
[no] ip igmp snooping vlan vlan-id static ip-address interface
vlan-id - VLAN ID (Range: 1-4094)
ip-address - IP address for multicast group
interface
 ethernet unit/port
  unit - Unit identifier. (Range: 1)
  port - Port number.
Example

Console#clear ip igmp snooping groups dynamic
Console#

clear ip igmp snooping statistics
This command clears IGMP snooping statistics.

Syntax
clear ip igmp snooping statistics [interface interface]
interface
 ethernet unit/port
  unit - Unit identifier. (Range: 1)
  port - Port number.
Example
The following shows the current IGMP snooping configuration:

Console#show ip igmp snooping
 IGMP Snooping
 Router Port Expire Time
 Router Alert Check
 Router Port Mode
 TCN Flood
 TCN Query Solicit
 Unregistered Data Flood
 802.
sort-by-port - Display entries sorted by port.
user - Display only the user-configured multicast entries.
vlan-id - VLAN ID (1-4094)

Default Setting
None

Command Mode
Privileged Exec

Command Usage
Member types displayed include IGMP or USER, depending on selected options.

Example
The following shows the multicast entries learned through IGMP snooping for VLAN 1.
Example
The following shows the ports in VLAN 1 which are attached to multicast routers.

Console#show ip igmp snooping mrouter vlan 1
 VLAN M'cast Router Ports  Type     Expire
 ---- ------------------- -------  -------
    1 Eth 1/4             Dynamic  0:4:28
    1 Eth 1/10            Static
Console#

show ip igmp
This command shows IGMP snooping protocol statistics for the specified interface.
Table 119: show ip igmp snooping statistics input - display description
Field          Description
Interface      Shows interface.
Report         The number of IGMP membership reports received on this interface.
Leave          The number of leave messages received on this interface.
G Query        The number of general query messages received on this interface.
G(-S)-S Query  The number of group specific or group-and-source specific query messages received on this interface.
The following shows IGMP query-related statistics for VLAN 1:

Console#show ip igmp snooping statistics query vlan 1
 Other Querier           : None
 Other Querier Expire    : 0(m):0(s)
 Other Querier Uptime    : 0(h):0(m):0(s)
 Self Querier            : 192.168.2.13
 Self Querier Expire     : 0(m):0(s)
 Self Querier Uptime     : 0(h):0(m):0(s)
 General Query Received  : 0
 General Query Sent      : 0
 Specific Query Received : 0
 Specific Query Sent     : 0
 Warn Rate Limit         : 0 sec.
Static Multicast Routing
This section describes commands used to configure static multicast routing on the switch.

Table 122: Static Multicast Interface Commands
Command                         Function                        Mode
ip igmp snooping vlan mrouter   Adds a multicast router port    GC
show ip igmp snooping mrouter   Shows multicast router ports    PE

ip igmp snooping vlan mrouter
This command statically configures a (Layer 2) multicast router port on the specified VLAN.
Example
The following shows how to configure port 10 as a multicast router port within VLAN 1.

Console(config)#ip igmp snooping vlan 1 mrouter ethernet 1/10
Console(config)#

IGMP Filtering and Throttling
In certain switch applications, the administrator may want to control the multicast services that are available to end users. For example, an IP/TV service based on a specific subscription plan.
ip igmp filter (Global Configuration)
This command globally enables IGMP filtering and throttling on the switch. Use the no form to disable the feature.

Syntax
[no] ip igmp filter

Default Setting
Disabled

Command Mode
Global Configuration

Command Usage
IGMP filtering enables you to assign a profile to a switch port that specifies multicast groups that are permitted or denied on the port.
Command Usage
A profile defines the multicast groups that a subscriber is permitted or denied to join. The same profile can be applied to many interfaces, but only one profile can be assigned to one interface. Each profile has only one access mode; either permit or deny.
permit, deny
This command sets the access mode for an IGMP filter profile. Use the no form to delete a profile number.

Syntax
{permit | deny}

Default Setting
Deny

Command Mode
IGMP Profile Configuration

Command Usage
◆ Each profile has only one access mode; either permit or deny.
◆ When the access mode is set to permit, IGMP join reports are processed when a multicast group falls within the controlled range.
Example

Console(config)#ip igmp profile 19
Console(config-igmp-profile)#range 239.1.1.1
Console(config-igmp-profile)#range 239.2.3.1 239.2.3.100
Console(config-igmp-profile)#

ip igmp authentication
This command enables IGMP authentication on the specified interface. When enabled and an IGMP JOIN request is received, an authentication request is sent to a configured RADIUS server. Use the no form to disable IGMP authentication.
IS_EX (MODE_IS_EXCLUDE) - Indicates that the interface’s filter mode is EXCLUDE for the specified multicast address. The Source Address fields in this Group Record contain the interface's source list for the specified multicast address, if not empty.
TO_EX (CHANGE_TO_EXCLUDE_MODE) - Indicates that the interface has changed to EXCLUDE filter mode for the specified multicast address.
Command Mode
Interface Configuration

Command Usage
◆ The IGMP filtering profile must first be created with the ip igmp profile command before being able to assign it to an interface.
◆ Only one profile can be assigned to an interface.
◆ A profile can also be assigned to a trunk interface. When ports are configured as trunk members, the trunk uses the filtering profile assigned to the first port member in the trunk.
Example

Console(config)#interface ethernet 1/1
Console(config-if)#ip igmp max-groups 10
Console(config-if)#

ip igmp max-groups action
This command sets the IGMP throttling action for an interface on the switch.

Syntax
ip igmp max-groups action {deny | replace}
deny - The new multicast group join report is dropped.
replace - The new multicast group replaces an existing group.
Command Usage
This command can be used to stop multicast services from being forwarded to users attached to the downstream port (i.e., the interfaces specified by this command).

Example

Console(config)#interface ethernet 1/1
Console(config-if)#ip multicast-data-drop
Console(config-if)#

show ip igmp
This command displays the interface settings for IGMP authentication.
show ip igmp filter
This command displays the global and interface settings for IGMP filtering.

Syntax
show ip igmp filter [interface interface]
interface
 ethernet unit/port
  unit - Unit identifier. (Range: 1)
  port - Port number.
Console#show ip igmp profile 19
IGMP Profile 19
Deny
Range 239.1.1.1 239.1.1.1
Range 239.2.3.1 239.2.3.100
Console#

show ip igmp rate-limit
This command shows the maximum rate at which IGMP membership reports can be sent from an interface.

Syntax
show ip igmp rate-limit [interface]
interface
 ethernet unit/port
  unit - Unit identifier. (Range: 1)
  port - Port number.
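How the profile access mode, the profile ranges and the max-groups throttling action combine on a port, as an added example that is not the switch's own code: it parses the show ip igmp profile output above into a profile and then runs join reports through filtering and throttling. Which existing group is replaced by the replace action is not stated on the page; the oldest one is assumed here.

```python
import ipaddress


class IgmpProfile:
    """One IGMP filter profile: a single access mode plus inclusive group ranges."""

    def __init__(self, number, mode, ranges):
        if mode not in ("permit", "deny"):
            raise ValueError("mode must be permit or deny")
        self.number = number
        self.mode = mode
        self.ranges = [(ipaddress.IPv4Address(lo), ipaddress.IPv4Address(hi))
                       for lo, hi in ranges]

    def in_range(self, group):
        g = ipaddress.IPv4Address(group)
        return any(lo <= g <= hi for lo, hi in self.ranges)

    def permits(self, group):
        """permit: joins only for groups inside the ranges; deny: joins for groups outside them."""
        hit = self.in_range(group)
        return hit if self.mode == "permit" else not hit


def parse_show_profile(text):
    """Build an IgmpProfile from 'show ip igmp profile' output in the layout shown above."""
    lines = [ln.split() for ln in text.strip().splitlines()]
    number = int(lines[0][2])      # "IGMP Profile 19"
    mode = lines[1][0].lower()     # "Deny" or "Permit"
    ranges = [(ln[1], ln[2]) for ln in lines[2:] if ln and ln[0] == "Range"]
    return IgmpProfile(number, mode, ranges)


class IgmpPort:
    """Per-port join handling: profile filtering first, then max-groups throttling."""

    def __init__(self, profile=None, max_groups=None, action="deny"):
        if action not in ("deny", "replace"):
            raise ValueError("action must be deny or replace")
        self.profile = profile
        self.max_groups = max_groups
        self.action = action
        self.groups = []           # active groups, oldest first

    def join(self, group):
        """Return what the port did with a membership report for `group`."""
        if self.profile is not None and not self.profile.permits(group):
            return "filtered"      # profile denies this group
        if group in self.groups:
            return "already-member"
        if self.max_groups is not None and len(self.groups) >= self.max_groups:
            if self.action == "deny":
                return "throttled" # join report dropped
            # Assumption: the oldest group is the one replaced.
            self.groups.pop(0)
            self.groups.append(group)
            return "replaced"
        self.groups.append(group)
        return "joined"


# Constructed copy of the show ip igmp profile 19 output above.
SHOW_PROFILE_19 = """\
IGMP Profile 19
Deny
Range 239.1.1.1 239.1.1.1
Range 239.2.3.1 239.2.3.100
"""

if __name__ == "__main__":
    profile = parse_show_profile(SHOW_PROFILE_19)
    port = IgmpPort(profile, max_groups=10, action="deny")
    for g in ("239.2.3.50", "239.2.3.101", "239.1.1.1", "239.1.1.2"):
        print(g, port.join(g))
```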
show ip igmp throttle interface
This command displays the interface settings for IGMP throttling.

Syntax
show ip igmp throttle interface [interface]
interface
 ethernet unit/port
  unit - Unit identifier. (Range: 1)
  port - Port number.
Command Mode
Privileged Exec

Command Usage
Using this command without specifying an interface displays all interfaces.

Example

Console#show ip multicast-data-drop interface ethernet 1/1
Ethernet 1/1: Enabled
Console#

MLD Snooping
Multicast Listener Discovery (MLD) snooping operates on IPv6 traffic and performs a similar function to IGMP snooping for IPv4.
Table 125: MLD Snooping Commands (Continued)
Command                                         Function                                                                                                     Mode
ipv6 mld snooping unsolicited-report-interval   Specifies how often the upstream interface should transmit unsolicited IGMP reports (when proxy reporting is enabled)   GC
ipv6 mld snooping version                       Configures the MLD Snooping version                                                                          GC
ipv6 mld snooping vlan immediate-leave          Removes a member port of an IPv6 multicast service if a leave packet is received at that port and MLD immedia
Chapter 22 | Multicast Filtering Commands MLD Snooping ipv6 mld snooping This command enables IGMP Snooping with Proxy Reporting. Use the no form to proxy-reporting restore the default setting. Syntax [no] ipv6 mld snooping proxy-reporting Default Setting Disabled Command Mode Global Configuration Command Usage When proxy reporting is enabled with this command, reports received from downstream hosts are summarized and used to build internal membership states.
Chapter 22 | Multicast Filtering Commands MLD Snooping Example Console(config)#ipv6 mld snooping querier Console(config)# ipv6 mld snooping This command configures the interval between sending MLD general queries. Use query-interval the no form to restore the default. Syntax ipv6 mld snooping query-interval interval no ipv6 mld snooping query-interval interval - The interval between sending MLD general queries.
Chapter 22 | Multicast Filtering Commands MLD Snooping Command Mode Global Configuration Command Usage This command controls how long the host has to respond to an MLD Query message before the switch deletes the group if it is the last member. Example Console(config)#ipv6 mld snooping query-max-response-time seconds 15 Console(config)# ipv6 mld snooping This command configures the MLD Snooping robustness variable. Use the no form robustness to restore the default value.
Chapter 22 | Multicast Filtering Commands MLD Snooping ipv6 mld snooping This command configures the MLD query timeout. Use the no form to restore the router-port-expire- default. time Syntax ipv6 mld snooping router-port-expire-time time no ipv6 mld snooping router-port-expire-time time - Specifies the timeout of a dynamically learned router port.
Chapter 22 | Multicast Filtering Commands MLD Snooping ◆ When set to “router-port,” any received IPv6 multicast packets that have not been requested by a host are forwarded to ports that are connected to a detected multicast router. Example Console(config)#ipv6 mld snooping unknown-multicast mode flood Console(config)# ipv6 mld snooping This command specifies how often the upstream interface should transmit unsolicited-report- unsolicited IGMP reports when proxy reporting is enabled.
Chapter 22 | Multicast Filtering Commands MLD Snooping ipv6 mld snooping This command configures the MLD snooping version. Use the no form to restore version the default. Syntax ipv6 mld snooping version {1 | 2} 1 - MLD version 1. 2 - MLD version 2.
Chapter 22 | Multicast Filtering Commands MLD Snooping Example The following shows how to enable MLD immediate leave. Console(config)#ipv6 mld snooping immediate-leave Console(config)# ipv6 mld snooping This command statically configures an IPv6 multicast router port. Use the no form vlan mrouter to remove the configuration. Syntax [no] ipv6 mld snooping vlan vlan-id mrouter interface vlan-id - VLAN ID (Range: 1-4094) interface ethernet unit/port unit - Stack unit. (Range: 1) port - Port number.
Chapter 22 | Multicast Filtering Commands MLD Snooping ipv6 mld snooping This command adds a port to an IPv6 multicast group. Use the no form to remove vlan static the port. Syntax [no] ipv6 mld snooping vlan vlan-id static ipv6-address interface vlan - VLAN ID (Range: 1-4094) ipv6-address - An IPv6 address of a multicast group. (Format: X:X:X:X::X) interface ethernet unit/port unit - Unit identifier. (Range: 1) port - Port number.
Chapter 22 | Multicast Filtering Commands MLD Snooping clear ipv6 mld This command clears MLD snooping statistics. snooping statistics Syntax clear ipv6 mld snooping statistics [interface interface] interface ethernet unit/port unit - Unit identifier. (Range: 1) port - Port number.
Chapter 22 | Multicast Filtering Commands MLD Snooping MLD Snooping Version Console# : Version 2 show ipv6 mld This command shows known multicast groups, member ports, and the means by snooping group which each group was learned.
Chapter 22 | Multicast Filtering Commands MLD Snooping Filter Mode (if exclude filter mode) Filter Timer elapse Request List Exclude List (if include filter mode) Include List : Include : 10 sec. : ::01:02:03:04, ::01:02:03:05, ::01:02:03:06, ::01:02:03:07 : ::02:02:03:04, ::02:02:03:05, ::02:02:03:06, ::02:02:03:07 : ::02:02:03:04, ::02:02:03:05, ::02:02:03:06, ::02:02:03:06 Option: Filter Mode: Include, Exclude Console# show ipv6 mld This command shows MLD Snooping multicast router information.
Chapter 22 | Multicast Filtering Commands MLD Snooping show ipv6 mld This command shows MLD snooping protocol statistics for the specified interface. snooping statistics Syntax show ipv6 mld snooping statistics {input [interface interface] | output [interface interface] | query [vlan vlan-id] | summary interface interface} interface ethernet unit/port unit - Unit identifier. (Range: 1) port - Port number.
Chapter 22 | Multicast Filtering Commands MLD Filtering and Throttling MLD Filtering and Throttling In certain switch applications, the administrator may want to control the multicast services that are available to end users. For example, an IP/TV service based on a specific subscription plan. The MLD filtering feature fulfills this requirement by restricting access to specified multicast services on a switch port, and MLD throttling limits the number of simultaneous multicast groups a port can join.
Chapter 22 | Multicast Filtering Commands MLD Filtering and Throttling can contain one or more, or a range of multicast addresses; but only one profile can be assigned to a port. When enabled, MLD join reports received on the port are checked against the filter profile. If a requested multicast group is permitted, the MLD join report is forwarded as normal. If a requested multicast group is denied, the MLD join report is dropped.
Chapter 22 | Multicast Filtering Commands MLD Filtering and Throttling permit, deny This command sets the access mode for an MLD filter profile. Use the no form to delete a profile number. Syntax {permit | deny} Default Setting deny Command Mode MLD Profile Configuration Command Usage ◆ Each profile has only one access mode; either permit or deny. ◆ When the access mode is set to permit, MLD join reports are processed when a multicast group falls within the controlled range.
Chapter 22 | Multicast Filtering Commands MLD Filtering and Throttling Example Console(config-mld-profile)#range ff01::0101 ff01::0202 Console(config-mld-profile)# ipv6 mld filter This command assigns an MLD filtering profile to an interface on the switch. Use (Interface Configuration) the no form to remove a profile from an interface. Syntax [no] ipv6 mld filter profile-number profile-number - An MLD filter profile number.
Chapter 22 | Multicast Filtering Commands MLD Filtering and Throttling Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage ◆ MLD throttling sets a maximum number of multicast groups that a port can join at the same time. When the maximum number of groups is reached on a port, the switch can take one of two actions; either “deny” or “replace.” If the action is set to deny, any new MLD join reports will be dropped.
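The filter-profile check (permit/deny against one or more address ranges) and the throttling check (max-groups with a deny or replace action) described above are easy to get wrong at the boundaries. The following Python model, an added example and not switch firmware, walks a port through both decisions for each join report it receives. It uses the deny profile shown in the show ipv6 mld profile output (ff05::101 to ff05::103) and also accepts IPv4 ranges, so the same code covers the IGMP profile printed earlier in this chapter. Two details are assumptions not stated on the page: the profile check runs before the throttling check, and the "replace" action evicts the group the port has been joined to longest.

```python
"""Model of the filter-profile and throttling checks described above.

Added example, not switch firmware. Two assumptions the page does not state:
the profile check runs before the throttling check, and the "replace" action
evicts the group the port has been joined to longest.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class FilterProfile:
    """One filter profile: a single access mode plus one or more address ranges.
    Works for MLD (IPv6) ranges and, with IPv4 ranges, for IGMP profiles."""
    number: int
    mode: str = "deny"                       # default access mode per the text
    ranges: list = field(default_factory=list)

    def add_range(self, start: str, end: str) -> None:
        lo, hi = ipaddress.ip_address(start), ipaddress.ip_address(end)
        if lo.version != hi.version or hi < lo:
            raise ValueError("range bounds must be the same family, low before high")
        if not (lo.is_multicast and hi.is_multicast):
            raise ValueError("profile ranges must be multicast addresses")
        self.ranges.append((lo, hi))

    def in_range(self, group: str) -> bool:
        g = ipaddress.ip_address(group)
        # Version check first: comparing IPv4 with IPv6 objects raises TypeError.
        return any(lo.version == g.version and lo <= g <= hi for lo, hi in self.ranges)

    def permits(self, group: str) -> bool:
        """permit mode: the join is processed only inside a range; deny mode: only outside."""
        hit = self.in_range(group)
        return hit if self.mode == "permit" else not hit


@dataclass
class Port:
    name: str
    profile: Optional[FilterProfile] = None
    max_groups: Optional[int] = None         # None = throttling not configured
    action: str = "deny"                     # "deny" or "replace"
    joined: list = field(default_factory=list)  # groups in join order, oldest first

    def process_join(self, group: str) -> str:
        """Disposition of one membership report received on this port."""
        if self.profile is not None and not self.profile.permits(group):
            return "drop:filter"
        if group in self.joined:
            return "forward:refresh"          # already a member, does not count again
        if self.max_groups is not None and len(self.joined) >= self.max_groups:
            if self.action == "deny":
                return "drop:throttle"
            evicted = self.joined.pop(0)      # assumption: replace evicts the oldest group
            self.joined.append(group)
            return f"forward:replaced {evicted}"
        self.joined.append(group)
        return "forward:new"


def demo() -> list:
    """Profile 5 from the show ipv6 mld profile output (deny ff05::101-ff05::103)
    applied to a port throttled to two groups with the deny action."""
    prof = FilterProfile(5, "deny")
    prof.add_range("ff05::101", "ff05::103")
    port = Port("eth1/1", profile=prof, max_groups=2, action="deny")
    return [port.process_join(g) for g in ("ff05::102", "ff05::200", "ff05::201", "ff05::202")]


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The sequence in demo() shows the two drop reasons an operator will see reflected in the filter and throttle counters: the first join is dropped by the profile, the next two are accepted, and the fourth is dropped because the port is already at its group limit.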
Example Console(config)#interface ethernet 1/1 Console(config-if)#ipv6 mld max-groups action replace Console(config-if)# ipv6 mld query-drop This command drops any received MLD query packets. Use the no form to restore the default setting.
show ipv6 mld filter This command displays the global and interface settings for MLD filtering. Syntax show ipv6 mld filter [interface interface] interface ethernet unit/port unit - Unit identifier. (Range: 1) port - Port number.
Console#show ipv6 mld profile 5 MLD Profile 19 Deny Range ff05::101 ff05::103 show ipv6 mld query-drop This command shows if the specified interface is configured to drop MLD query packets. Syntax show ipv6 mld query-drop interface [interface] interface ethernet unit/port unit - Unit identifier. (Range: 1) port - Port number.
Default Setting None Command Mode Privileged Exec Command Usage Using this command without specifying an interface displays information for all interfaces.
MVR for IPv4 This section describes commands used to configure Multicast VLAN Registration for IPv4 (MVR). A single network-wide VLAN can be used to transmit multicast traffic (such as television channels) across a service provider’s network. Any multicast traffic entering an MVR VLAN is sent to all subscribers.
Table 127: Multicast VLAN Registration for IPv4 Commands (Continued) Command Function Mode show mvr interface Shows MVR settings for interfaces attached to the MVR VLAN PE show mvr members Shows information about the current number of entries in the forwarding database, or detailed information about a specific multicast address PE show mvr profile Shows all configured MVR profiles PE show mvr statistics Shows MVR protocol statistics for the
mvr associated-profile This command binds the MVR group addresses specified in a profile to an MVR domain. Use the no form of this command to remove the binding. Syntax [no] mvr domain domain-id associated-profile profile-name domain-id - An independent multicast domain. (Range: 1-5) profile-name - The name of a profile containing one or more MVR group addresses.
Example The following example enables MVR for domain 1: Console(config)#mvr domain 1 Console(config)# mvr priority This command assigns a priority to all multicast traffic in the MVR VLAN. Use the no form of this command to restore the default setting. Syntax mvr priority priority no mvr priority priority - The CoS priority assigned to all multicast traffic forwarded into the MVR VLAN.
start-ip-address - Starting IPv4 address for an MVR multicast group. (Range: 224.0.1.0 - 239.255.255.255) end-ip-address - Ending IPv4 address for an MVR multicast group. (Range: 224.0.1.0 - 239.255.255.255) Default Setting No profiles are defined Command Mode Global Configuration Command Usage ◆ Use this command to statically configure all multicast group addresses that will join the MVR VLAN.
Command Usage This command sets the general query interval at which active receiver ports send out general queries. This interval is only effective when proxy switching is enabled with the mvr proxy-switching command. Example This example sets the proxy query interval for MVR proxy switching.
■ Any membership reports received from receiver/source ports are forwarded to all source ports. ■ When a source port receives a query message, it will be forwarded to all downstream receiver ports. ■ When a receiver port receives a query message, it will be dropped. Example The following example enables MVR proxy switching.
mvr source-port-mode dynamic This command configures the switch to only forward multicast streams which the source port has dynamically joined. Use the no form to restore the default setting. Syntax [no] mvr source-port-mode dynamic Default Setting Forwards all multicast streams which have been specified in a profile and bound to a domain.
Command Mode Global Configuration Example Console(config)#mvr domain 1 upstream-source-ip 192.168.0.3 Console(config)# mvr vlan This command specifies the VLAN through which MVR multicast data is received. Use the no form of this command to restore the default MVR VLAN. Syntax mvr [domain domain-id] vlan vlan-id no mvr [domain domain-id] vlan domain-id - An independent multicast domain.
mvr immediate-leave This command causes the switch to immediately remove an interface from a multicast stream as soon as it receives a leave message for that group. Use the no form to restore the default settings. Syntax [no] mvr [domain domain-id] immediate-leave domain-id - An independent multicast domain.
mvr type This command configures an interface as an MVR receiver or source port. Use the no form to restore the default settings. Syntax [no] mvr [domain domain-id] type {receiver | source} domain-id - An independent multicast domain. (Range: 1-5) receiver - Configures the interface as a subscriber port that can receive multicast data.
Console(config-if)#mvr domain 1 type receiver Console(config-if)# mvr vlan group This command statically binds a multicast group to a port which will receive long-term multicast streams associated with a stable set of hosts. Use the no form to restore the default settings. Syntax [no] mvr [domain domain-id] vlan vlan-id group ip-address domain-id - An independent multicast domain.
clear mrv groups dynamic This command clears multicast group information dynamically learned through MVR. Syntax clear mrv groups dynamic Command Mode Privileged Exec Command Usage This command only clears entries learned through MVR. Statically configured multicast addresses are not cleared. Example Console#clear mrv groups dynamic Console# clear mrv statistics This command clears MVR statistics.
show mvr This command shows information about MVR domain settings, including MVR operational status, the multicast VLAN, the current number of group addresses, and the upstream source IP address. Syntax show mvr [domain domain-id] domain-id - An independent multicast domain. (Range: 1-5) Default Setting Displays configuration settings for all MVR domains.
Table 128: show mvr - display description (Continued) Field Description MVR Multicast VLAN Shows the VLAN used to transport all MVR multicast traffic. MVR Current Learned Groups The current number of MVR group addresses MVR Upstream Source IP The source IP address assigned to all upstream control packets. show mvr This command shows the profiles bound to the specified domain.
Example The following displays information about the interfaces attached to the MVR VLAN in domain 1: Console#show mvr domain 1 interface MVR Domain : 1 Flag: H - immediate leave by host ip Port Type Status Immediate -------- -------- ------------------- ------------ Eth 1/ 1 Source Active/Forwarding Eth 1/ 2 Receiver Inactive/Discarding Disabled Eth1/ 3 Source Inactive/Discarding Eth1/ 1 Receiver Active/Forwarding Disabled Eth1/ 4 Console# Receiver A
show mvr members This command shows information about the current number of entries in the forwarding database, detailed information about a specific multicast address, the IP address of the hosts subscribing to all active multicast groups, or the multicast groups associated with each port. Syntax show mvr [domain domain-id] members [ip-address | host-ip-address [interface] | sort-by-port [interface]] domain-id - An independent multicast domain.
The following example shows detailed information about a specific multicast address: Console#show mvr domain 1 members 234.5.6.7 MVR Domain : 1 MVR Forwarding Entry Count :1 Flag: S - Source port, R - Receiver port. H - Host counts (number of hosts joined to group on this port). P - Port counts (number of ports joined to group). Uptime: Group elapsed time; Expire: Group remain time. Expire : Group remaining time (m:s).
show mvr statistics This command shows MVR protocol-related statistics for the specified interface. Syntax show mvr [domain domain-id] statistics {input [interface interface] | output [interface interface] | query | summary interface [interface | mvr-vlan]} domain-id - An independent multicast domain. (Range: 1-5) interface ethernet unit/port unit - Unit identifier. (Range: 1) port - Port number.
Table 131: show mvr statistics input - display description (Continued) Field Description G(-S)-S Query The number of group specific or group-and-source specific query messages received on this interface. Drop The number of times a report, leave or query was dropped.
The following shows MVR query-related statistics: Console#show mvr domain 1 statistics query Domain 1: Other Querier : None Other Querier Expire : 0(m):0(s) Other Querier Uptime : 0(h):0(m):0(s) Self Querier : None Self Querier Expire : 0(m):30(s) Self Querier Uptime : 0(h):9(m):55(s) General Query Received : 0 General Query Sent : 8 Specific Query Received : 0 Specific Query Sent : 3 Warn Rate Limit : 0 sec.
The following shows MVR summary statistics for an interface: Console#show mvr domain 1 statistics summary interface ethernet 1/1 Domain 1: Number of Groups: 0 Querier: : Report & Leave: : Transmit : Transmit : General : 0 Report : 7 Group Specific : 0 Leave : 4 Recieved : Recieved : General : 0 Report : 0 Group Specific : 0 Leave : 0 V1 Warning Count: 0 Join Success : 0 V2 Warning Count: 0 Filter Drop : 0 V3 Warning Count: 0 Source Port Drop: 0 Others
The following shows MVR summary statistics for the MVR VLAN: Console#show mvr domain 1 statistics summary interface mvr-vlan Domain 1: Number of Groups: 0 Querier: : Report & Leave: : Other Querier : None Host IP Addr : 192.168.0.
Table 135: show mvr statistics summary interface mvr vlan - description Field Description Unsolicit Expire Expiration time for unsolicit reports sent out from source port Transmit Report Number of reports sent out from source port. Leave Number of leaves sent out from source port. Received Field header Report Number of reports received. Leave Number of leaves received. Join Success Number of join reports processed successfully.
Table 136: Multicast VLAN Registration for IPv6 Commands (Continued) Command Function Mode mvr6 source-port-mode dynamic Configures the switch to only forward multicast streams which the source port has dynamically joined GC mvr6 upstream-source-ip Configures the source IP address assigned to all control packets sent upstream GC mvr6 vlan Specifies the VLAN through which MVR6 multicast data is received GC mvr6 immediate-leave Enables immed
Command Usage MVR6 domains can be associated with more than one MVR6 profile. But since MVR6 domains cannot share the group range, an MVR6 profile can only be associated with one MVR6 domain. Example The following binds an MVR6 group address profile to domain 1: Console(config)#mvr6 domain 1 associated-profile rd Console(config)# mvr6 domain This command enables Multicast VLAN Registration (MVR6) for a specific domain.
mvr6 priority This command assigns a priority to all multicast traffic in the MVR6 VLAN. Use the no form of this command to restore the default setting. Syntax mvr6 priority priority no mvr6 priority priority - The CoS priority assigned to all multicast traffic forwarded into the MVR6 VLAN.
Command Mode Global Configuration Command Usage ◆ Use this command to statically configure all multicast group addresses that will join the MVR VLAN. Any multicast data associated with an MVR group is sent from all source ports, and to all receiver ports that have registered to receive data from that multicast group. ◆ IGMP snooping and MVR share a maximum number of 1024 groups.
Example This example sets the proxy query interval for MVR6. Console(config)#mvr6 proxy-query-interval 1000 Console(config)# mvr6 proxy-switching This command enables MVR6 proxy switching, where the source port acts as a host, and the receiver port acts as an MVR6 router with querier service enabled. Use the no form to disable this function.
■ When a source port receives a query message, it will be forwarded to all downstream receiver ports. ■ When a receiver port receives a query message, it will be dropped. Example The following example enables MVR6 proxy switching.
mvr6 source-port-mode dynamic This command configures the switch to only forward multicast streams which the source port has dynamically joined. Use the no form to restore the default setting. Syntax [no] mvr6 source-port-mode dynamic Default Setting Forwards all multicast streams which have been specified in a profile and bound to a domain.
Command Mode Global Configuration Command Usage All IPv6 addresses must conform to RFC 2373 “IPv6 Addressing Architecture,” using 8 colon-separated 16-bit hexadecimal values. One double colon may be used in the address to indicate the appropriate number of zeros required to fill the undefined fields. (Note that the IP address ff02::X is reserved.
mvr6 immediate-leave This command causes the switch to immediately remove an interface from a multicast stream as soon as it receives a leave message for that group. Use the no form to restore the default settings. Syntax [no] mvr6 domain domain-id immediate-leave domain-id - An independent multicast domain.
mvr6 type This command configures an interface as an MVR6 receiver or source port. Use the no form to restore the default settings. Syntax [no] mvr6 domain domain-id type {receiver | source} domain-id - An independent multicast domain. (Range: 1-5) receiver - Configures the interface as a subscriber port that can receive multicast data.
Example The following configures one source port and several receiver ports on the switch.
Example The following statically assigns a multicast group to a receiver port: Console(config)#interface ethernet 1/2 Console(config-if)#mvr6 domain 1 type receiver Console(config-if)#mvr6 domain 1 vlan 2 group ff00::1 Console(config-if)# clear mvr6 groups dynamic This command clears multicast group information dynamically learned through MVR6. Syntax clear mvr6 groups dynamic [domain domain-id] domain-id - An independent multicast domain.
Command Usage If the interface option is not used, all MVR6 statistics are cleared. Otherwise, only the MVR6 statistics for the specified interface are cleared.
Table 137: show mvr6 - display description (Continued) Field Description MVR6 Robustness Value Shows the number of reports or query messages sent when proxy switching is enabled MVR6 Proxy Query Interval The interval at which the receiver port sends out general queries MVR6 Source Port Mode Shows if the switch only forwards multicast streams which the source port has dynamically joined or always forwards multicast streams Domain An independent m
show mvr6 interface This command shows MVR6 configuration settings for interfaces attached to the MVR VLAN. Syntax show mvr6 [domain domain-id] interface domain-id - An independent multicast domain. (Range: 1-5) Default Setting Displays configuration settings for all attached interfaces.
show mvr6 members This command shows information about the current number of entries in the forwarding database, or detailed information about a specific multicast address. Syntax show mvr6 [domain domain-id] members [ip-address] domain-id - An independent multicast domain. (Range: 1-5) ip-address - IPv6 address for an MVR6 multicast group. Default Setting Displays configuration settings for all domains and all forwarding entries.
Table 139: show mvr6 members - display description Field Description Group Address Multicast group address. VLAN VLAN to which this address is forwarded. Port Port to which this address is forwarded. Up time Time that this multicast group has been known. Expire The time until this entry expires. Count The number of times this address has been learned by MVR6 (MLD snooping).
summary - Displays MVR6 summary information. mvr vlan - Displays summary statistics for the MVR6 VLAN. Default Setting Displays statistics for all domains.
MVLAN 2 7 2 3 0 0 0 Console# Table 141: show mvr6 statistics output - display description Field Description Interface Shows interfaces attached to the MVR. Report The number of IGMP membership reports sent from this interface. Leave The number of leave messages sent from this interface. G Query The number of general query messages sent from this interface.
The following shows MVR6 summary statistics for an interface: Console#show mvr6 domain 1 statistics summary interface ethernet 1/1 Domain 1: Number of Groups: 0 Querier: : Report & Leave: : Transmit : Transmit : General : 0 Report : 7 Group Specific : 0 Leave : 4 Recieved : Recieved : General : 0 Report : 0 Group Specific : 0 Leave : 0 Join Success : 0 Filter Drop : 0 Source Port Drop: 0 Others Drop : 0 Console# Table 143: show mvr6 statistics summary
The following shows MVR6 summary statistics for the MVR6 VLAN: Console#show mvr6 domain 1 statistics summary interface mvr-vlan Domain 1: Number of Groups: 0 Querier: : Report & Leave: : Other Addr : None Host Addr : None Other Expire : 0(m): 0(s) Unsolicit Expire : 0 sec Other Uptime : 0(h): 0(m): 0(s) Self Addr : None Self Expire : 0(m): 0(s) Self Uptime : 0(h): 0(m): 0(s) Transmit : Transmit : General : 0 Report : 0 Group Specific : 0 Leave : 0 Reci
Table 144: show mvr6 statistics summary interface mvr vlan - description Field Description Transmit Report Number of reports sent out from source port. Leave Number of leaves sent out from source port. Received Field header Report Number of reports received. Leave Number of leaves received. Join Success Number of join reports processed successfully. Filter Drop Number of report/leave messages dropped by IGMP filter.
23 LLDP Commands Link Layer Discovery Protocol (LLDP) is used to discover basic information about neighboring devices on the local broadcast domain. LLDP is a Layer 2 protocol that uses periodic broadcasts to advertise information about the sending device. Advertised information is represented in Type Length Value (TLV) format according to the IEEE 802.1AB standard, and can include details such as device identification, capabilities and configuration settings.
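Because LLDP neighbors are learned from unauthenticated Layer 2 broadcasts, anything that consumes LLDPDUs (a switch, a monitoring collector, a script scraping neighbor tables) should validate the TLV encoding before trusting it. The following Python parser is an added example, not code from this guide or from the switch: it packs and unpacks the 16-bit TLV header (7-bit type, 9-bit length) defined by IEEE 802.1AB, rejects a TLV whose declared length runs past the buffer, insists on the mandatory Chassis ID, Port ID and TTL TLVs in that order, and computes the TTL the way the standard does (transmit interval multiplied by the hold-time multiplier, capped at 65535), which is what the lldp holdtime-multiplier command below adjusts. The sample frame is constructed here, and the 30-second interval and multiplier of 4 used for it are the standard defaults, assumed rather than taken from the page.

```python
"""Parser for the TLV stream of an LLDPDU (IEEE 802.1AB).

Added example, not code from the guide. The sample frame is constructed
below; its TTL assumes the standard default tx interval (30 s) and
hold-time multiplier (4).
"""
import struct

TLV_END, TLV_CHASSIS_ID, TLV_PORT_ID, TLV_TTL, TLV_SYSTEM_NAME = 0, 1, 2, 3, 5
CHASSIS_SUBTYPE_MAC, PORT_SUBTYPE_IFNAME = 4, 5


def build_tlv(tlv_type: int, value: bytes) -> bytes:
    """TLV header is 16 bits: 7-bit type followed by 9-bit length."""
    if not 0 <= tlv_type < 128 or len(value) > 511:
        raise ValueError("type must fit in 7 bits and length in 9 bits")
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def ttl_seconds(tx_interval: int, holdtime_multiplier: int) -> int:
    """Value carried in the TTL TLV: txInterval x txHoldMultiplier, capped at 65535."""
    return min(65535, tx_interval * holdtime_multiplier)


def parse_lldpdu(payload: bytes) -> list:
    """Return (type, value) pairs up to the End TLV.

    A TLV whose declared length runs past the buffer is rejected rather than
    read short, a PDU without an End TLV is rejected, and the three mandatory
    TLVs must open the PDU in the order the standard fixes."""
    tlvs, i = [], 0
    while i + 2 <= len(payload):
        (hdr,) = struct.unpack_from("!H", payload, i)
        tlv_type, length = hdr >> 9, hdr & 0x1FF
        i += 2
        if tlv_type == TLV_END:
            if length != 0:
                raise ValueError("End TLV must have zero length")
            break
        if i + length > len(payload):
            raise ValueError(f"TLV type {tlv_type} claims {length} bytes, {len(payload) - i} remain")
        tlvs.append((tlv_type, payload[i:i + length]))
        i += length
    else:
        raise ValueError("LLDPDU has no End TLV")
    if [t for t, _ in tlvs[:3]] != [TLV_CHASSIS_ID, TLV_PORT_ID, TLV_TTL]:
        raise ValueError("Chassis ID, Port ID and TTL must come first, in that order")
    return tlvs


def summarize(payload: bytes) -> dict:
    """Pull the fields a neighbor table keeps out of a validated LLDPDU."""
    info = {}
    for tlv_type, value in parse_lldpdu(payload):
        if tlv_type == TLV_CHASSIS_ID and value[:1] == bytes([CHASSIS_SUBTYPE_MAC]) and len(value) == 7:
            info["chassis"] = ":".join(f"{b:02x}" for b in value[1:])
        elif tlv_type == TLV_PORT_ID and value[:1] == bytes([PORT_SUBTYPE_IFNAME]):
            info["port"] = value[1:].decode("ascii", errors="replace")
        elif tlv_type == TLV_TTL and len(value) == 2:
            info["ttl"] = struct.unpack("!H", value)[0]
        elif tlv_type == TLV_SYSTEM_NAME:
            info["sysname"] = value.decode("utf-8", errors="replace")
    return info


# Constructed sample: MAC chassis ID, port name "eth1/1", TTL 120 s, system name "edge-sw".
SAMPLE_LLDPDU = (
    build_tlv(TLV_CHASSIS_ID, bytes([CHASSIS_SUBTYPE_MAC]) + bytes.fromhex("001122334455"))
    + build_tlv(TLV_PORT_ID, bytes([PORT_SUBTYPE_IFNAME]) + b"eth1/1")
    + build_tlv(TLV_TTL, struct.pack("!H", ttl_seconds(30, 4)))
    + build_tlv(TLV_SYSTEM_NAME, b"edge-sw")
    + build_tlv(TLV_END, b"")
)

if __name__ == "__main__":
    print(summarize(SAMPLE_LLDPDU))
```

On a port set to rx-only with lldp admin-status (below), the switch still has to parse every incoming PDU, so malformed or truncated TLVs are exactly the input this kind of length check exists to reject before the data reaches the neighbor table or an SNMP trap.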
Chapter 23 | LLDP Commands Table 145: LLDP Commands (Continued) Command Function Mode lldp basic-tlv system-description Configures an LLDP-enabled port to advertise the system description IC lldp basic-tlv system-name Configures an LLDP-enabled port to advertise its system name IC lldp dot1-tlv proto-ident* Configures an LLDP-enabled port to advertise the supported protocols IC lldp dot1-tlv proto-vid* Configures an LLDP-enabled port to advertise port- IC based protocol related VLAN information
Chapter 23 | LLDP Commands lldp This command enables LLDP globally on the switch. Use the no form to disable LLDP. Syntax [no] lldp Default Setting Enabled Command Mode Global Configuration Example Console(config)#lldp Console(config)# lldp This command configures the time-to-live (TTL) value sent in LLDP advertisements. holdtime-multiplier Use the no form to restore the default setting.
Chapter 23 | LLDP Commands lldp This command specifies the amount of MED Fast Start LLDPDUs to transmit during med-fast-start-count the activation process of the LLDP-MED Fast Start mechanism. Use the no form to restore the default setting. Syntax lldp med-fast-start-count packets no lldp med-fast-start-count seconds - Amount of packets.
Chapter 23 | LLDP Commands ◆ Information about changes in LLDP neighbors that occur between SNMP notifications is not transmitted. Only state changes that exist at the time of a notification are included in the transmission. An SNMP agent should therefore periodically check the value of lldpStatsRemTableLastChangeTime to detect any lldpRemTablesChange notification-events missed due to throttling or transmission loss.
Chapter 23 | LLDP Commands Command Mode Global Configuration Command Usage When LLDP is re-initialized on a port, all information in the remote systems LLDP MIB associated with this port is deleted. Example Console(config)#lldp reinit-delay 10 Console(config)# lldp tx-delay This command configures a delay between the successive transmission of advertisements initiated by a change in local LLDP MIB variables. Use the no form to restore the default setting.
Chapter 23 | LLDP Commands lldp admin-status This command enables LLDP transmit, receive, or transmit and receive mode on the specified port. Use the no form to disable this feature. Syntax lldp admin-status {rx-only | tx-only | tx-rx} no lldp admin-status rx-only - Only receive LLDP PDUs. tx-only - Only transmit LLDP PDUs. tx-rx - Both transmit and receive LLDP Protocol Data Units (PDUs).
Chapter 23 | LLDP Commands ◆ Since there are typically a number of different addresses associated with a Layer 3 device, an individual LLDP PDU may contain more than one management address TLV. ◆ Every management address TLV that reports an address that is accessible on a port and protocol VLAN through the particular port should be accompanied by a port and protocol VLAN TLV that indicates the VLAN identifier (VID) associated with the management address reported by this TLV.
Chapter 23 | LLDP Commands Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage The system capabilities identifies the primary function(s) of the system and whether or not these primary functions are enabled. The information advertised by this TLV is described in IEEE 802.1AB.
Chapter 23 | LLDP Commands Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage The system name is taken from the sysName object in RFC 3418, which contains the system’s administratively assigned name, and is in turn based on the hostname command. Example Console(config)#interface ethernet 1/1 Console(config-if)#lldp basic-tlv system-name Console(config-if)# lldp dot1-tlv This command configures an LLDP-enabled port to advertise the supported proto-ident protocols.
Chapter 23 | LLDP Commands Command Usage This option advertises the port-based protocol VLANs configured on this interface (see “Configuring Protocol-based VLANs” on page 550). Example Console(config)#interface ethernet 1/1 Console(config-if)#no lldp dot1-tlv proto-vid Console(config-if)# lldp dot1-tlv pvid This command configures an LLDP-enabled port to advertise its default VLAN ID. Use the no form to disable this feature.
Chapter 23 | LLDP Commands Command Usage This option advertises the name of all VLANs to which this interface has been assigned. See “switchport allowed vlan” on page 531 and “protocol-vlan protocol-group (Configuring Interfaces)” on page 552. Example Console(config)#interface ethernet 1/1 Console(config-if)#no lldp dot1-tlv vlan-name Console(config-if)# lldp dot3-tlv link-agg This command configures an LLDP-enabled port to advertise link aggregation capabilities. Use the no form to disable this feature.
Command Usage This option advertises MAC/PHY configuration/status which includes information about auto-negotiation support/capabilities, and operational Multistation Access Unit (MAU) type. Example Console(config)#interface ethernet 1/1 Console(config-if)#no lldp dot3-tlv mac-phy Console(config-if)# lldp dot3-tlv max-frame This command configures an LLDP-enabled port to advertise its maximum frame size. Use the no form to disable this feature.
lldp med-location civic-addr This command configures an LLDP-MED-enabled port to advertise its location identification details. Use the no form to restore the default settings. Syntax lldp med-location civic-addr [[country country-code] | [what device-type] | [ca-type ca-value]] no lldp med-location civic-addr [[country] | [what] | [ca-type]] country-code – The two-letter ISO 3166 country code in capital ASCII letters.
Table 146: LLDP MED Location CA Types (Continued)
CA Type   Description                                     CA Value Example
6         Group of streets below the neighborhood level   Exchange
18        Street suffix or type                           Avenue
19        House number                                    320
20        House number suffix                             A
21        Landmark or vanity address                      Tech Center
26        Unit (apartment, suite)                         Apt 519
27        Floor                                           5
28        Room                                            509B
Any number of CA type and value pairs can be specified for the civic address location, as long as the total does not exceed 250 charact
Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage ◆ This option sends out SNMP trap notifications to designated target stations at the interval specified by the lldp notification-interval command. Trap notifications include information about state changes in the LLDP MIB (IEEE 802.1AB), the LLDP-MED MIB (ANSI/TIA 1057), or organization-specific LLDP-EXT-DOT1 and LLDP-EXT-DOT3 MIBs. ◆ SNMP trap destinations are defined using the snmp-server host command.
Chapter 23 | LLDP Commands lldp med-tlv location This command configures an LLDP-MED-enabled port to advertise its location identification details. Use the no form to disable this feature. Syntax [no] lldp med-tlv location Default Setting Enabled Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage This option advertises location identification details.
lldp med-tlv network-policy This command configures an LLDP-MED-enabled port to advertise its network policy configuration. Use the no form to disable this feature. Syntax [no] lldp med-tlv network-policy Default Setting Enabled Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage This option advertises network policy configuration information, aiding in the discovery and diagnosis of VLAN configuration mismatches on a port.
Chapter 23 | LLDP Commands therefore periodically check the value of lldpStatsRemTableLastChangeTime to detect any lldpRemTablesChange notification-events missed due to throttling or transmission loss. Example Console(config)#interface ethernet 1/1 Console(config-if)#lldp notification Console(config-if)# show lldp config This command shows LLDP configuration settings for all ports. Syntax show lldp config [detail interface] detail - Shows configuration summary.
Chapter 23 | LLDP Commands Console#show lldp config detail ethernet 1/1 LLDP Port Configuration Detail Port : Eth 1/1 Admin Status : Tx-Rx Notification Enabled : True Basic TLVs Advertised : port-description system-name system-description system-capabilities management-ip-address 802.1 specific TLVs Advertised : port-vid vlan-name proto-vlan proto-ident 802.
Chapter 23 | LLDP Commands Chassis Type : MAC Address Chassis ID : 70-72-CF-32-DD-CD System Name : System Description : ECS4810-12M System Capabilities Support : Bridge System Capabilities Enabled : Bridge Management Address : 192.168.0.
Example Note that an IP phone or other end-node device which advertises LLDP-MED capabilities must be connected to the switch for information to be displayed in the “LLDP-MED Capabilities” and other related fields.
Current Capabilities : LLDP-MED Capabilities, Location Identification, Extended Power via MDI - PSE, Inventory
Location Identification :
  Location Data Format : Civic Address LCI
  Country Name : TW
  What : 2
Extended Power via MDI :
  Power Type : PSE
  Power Source : Unknown
  Power Priority : Unknown
  Power Value : 0 Watts
Inventory :
  Hardware Revision : R0A
  Firmware Revision : 1.2.6.0
  Software Revision : 1.2.6.
  Serial Number :
  Manufacture Name :
  Model Name :
  Asset ID :
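The TLVs this chapter configures (chassis ID, port ID, system name, and the one-or-more management address TLVs noted under the management address option) are sent in the clear, so it is worth seeing what they look like on the wire. The following Python is an added example, not part of this guide or the switch firmware: it encodes a constructed LLDPDU with the TLV framing from IEEE 802.1AB (7-bit type, 9-bit length) and parses it back, rejecting a truncated or unterminated PDU instead of trusting part of it. The MAC 70-72-CF-32-DD-CD is reused from the display above; the addresses 192.168.0.2 and 2001:db8::2, the system name core-sw1 and the ifIndex value are assumptions for the example.

```python
import ipaddress
import struct

# TLV type numbers from IEEE 802.1AB (standard values, not switch-specific).
TLV_END, TLV_CHASSIS_ID, TLV_PORT_ID, TLV_TTL = 0, 1, 2, 3
TLV_SYS_NAME, TLV_SYS_DESC, TLV_MGMT_ADDR = 5, 6, 8


def tlv(tlv_type, value):
    """Encode one TLV: 7-bit type and 9-bit length in a big-endian 16-bit header, then the value."""
    if len(value) > 511:
        raise ValueError("TLV value exceeds 9-bit length field")
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def mgmt_addr_tlv(ip, if_subtype=2, if_number=1000):
    """Build a Management Address TLV for one IPv4/IPv6 address (ifIndex numbering, no OID)."""
    addr = ipaddress.ip_address(ip)
    subtype = 1 if addr.version == 4 else 2            # IANA address family: 1 = IPv4, 2 = IPv6
    packed = addr.packed
    body = bytes([len(packed) + 1, subtype]) + packed  # length byte covers subtype + address
    body += bytes([if_subtype]) + struct.pack("!I", if_number)
    body += b"\x00"                                    # OID string length 0
    return tlv(TLV_MGMT_ADDR, body)


def build_sample_lldpdu():
    """Constructed sample LLDPDU for this example (assumed values, not a capture)."""
    return b"".join([
        tlv(TLV_CHASSIS_ID, b"\x04" + bytes.fromhex("7072cf32ddcd")),  # subtype 4 = MAC address
        tlv(TLV_PORT_ID, b"\x05" + b"Eth 1/1"),                        # subtype 5 = interface name
        tlv(TLV_TTL, struct.pack("!H", 120)),
        tlv(TLV_SYS_NAME, b"core-sw1"),
        tlv(TLV_SYS_DESC, b"ECS4810-12M"),
        mgmt_addr_tlv("192.168.0.2"),    # a Layer 3 device may send several of these
        mgmt_addr_tlv("2001:db8::2"),
        tlv(TLV_END, b""),
    ])


def parse_lldpdu(data):
    """Walk the TLV chain and return the fields any listener on the segment can read.

    Raises ValueError on a truncated TLV or a missing End of LLDPDU TLV, so a
    malformed frame is rejected rather than partially trusted.
    """
    out = {"mgmt_addrs": []}
    off = 0
    while off + 2 <= len(data):
        (hdr,) = struct.unpack_from("!H", data, off)
        t, ln = hdr >> 9, hdr & 0x1FF
        off += 2
        value = data[off:off + ln]
        if len(value) != ln:
            raise ValueError("truncated TLV")
        off += ln
        if t == TLV_END:
            return out
        if t in (TLV_CHASSIS_ID, TLV_PORT_ID, TLV_MGMT_ADDR) and len(value) < 2:
            raise ValueError("TLV too short for its subtype byte")
        if t == TLV_CHASSIS_ID:
            subtype, cid = value[0], value[1:]
            out["chassis_id"] = (subtype, cid.hex("-").upper() if subtype == 4 else cid.decode("ascii", "replace"))
        elif t == TLV_PORT_ID:
            out["port_id"] = value[1:].decode("ascii", "replace")
        elif t == TLV_TTL:
            if len(value) != 2:
                raise ValueError("bad TTL length")
            (out["ttl"],) = struct.unpack("!H", value)
        elif t == TLV_SYS_NAME:
            out["system_name"] = value.decode("ascii", "replace")
        elif t == TLV_SYS_DESC:
            out["system_description"] = value.decode("ascii", "replace")
        elif t == TLV_MGMT_ADDR:
            alen, subtype = value[0], value[1]
            raw = value[2:1 + alen]
            if len(raw) != alen - 1:
                raise ValueError("truncated management address")
            addr = str(ipaddress.ip_address(raw)) if subtype in (1, 2) else raw.hex()
            out["mgmt_addrs"].append(addr)
    raise ValueError("missing End of LLDPDU TLV")


def is_well_formed(data):
    """True if the LLDPDU parses completely; False for truncated or unterminated input."""
    try:
        parse_lldpdu(data)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(parse_lldpdu(build_sample_lldpdu()))
```

LLDP carries no authentication, so everything a port advertises (management address, system description, VLAN names) is readable by any host attached to that port. On ports facing untrusted devices, consider lldp admin-status rx-only, or turn off individual TLVs with the no lldp basic-tlv, no lldp dot1-tlv and no lldp dot3-tlv forms shown in this chapter, while keeping LLDP-MED where phones need it.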
LLDP Port Statistics
Port     NumFramesRecvd NumFramesSent NumFramesDiscarded
-------- -------------- ------------- ------------------
Eth 1/1  235            234           0
Eth 1/2  0              428           0
Eth 1/3  0              0             0
Eth 1/4  8              9             0
Eth 1/5  0              0             0
. . .
24 CFM Commands Connectivity Fault Management (CFM) is an OAM protocol that includes proactive connectivity monitoring using continuity check messages, fault verification through loop back messages, and fault isolation by examining end-to-end connections between provider edge devices or between customer edge devices. CFM is implemented as a service level protocol based on service instances which encompass only that portion of the metropolitan area network supporting a specific customer.
Chapter 24 | CFM Commands Table 147: CFM Commands (Continued) Command Function Mode ma index name-format Specifies the name format for the maintenance association CFM as IEEE 802.1ag character based, or ITU-T SG13/SG15 Y.
Chapter 24 | CFM Commands Table 147: CFM Commands (Continued) Command Function Mode ethernet cfm mep crosscheck Enables cross-checking between the list of configured remote MEPs within a maintenance association and MEPs learned through continuity check messages PE show ethernet cfm maintenance-points remote crosscheck Displays information about remote maintenance points configured statically in a cross-check list PE ethernet cfm linktrace cache Enables caching of CFM data learned through link tra
Chapter 24 | CFM Commands Defining CFM Structures 4. Enter a static list of MEPs assigned to other devices within the same maintenance association using the mep crosscheck mpid command. This allows CFM to automatically verify the functionality of these remote end points by cross-checking the static list configured on this device against information learned through continuity check messages. 5. Enable CFM globally on the switch with the ethernet cfm enable command. 6.
Chapter 24 | CFM Commands Defining CFM Structures Example This example sets the maintenance level for sending AIS messages within the specified MA. Console(config)#ethernet cfm ais level 4 md voip ma rd Console(config)# ethernet cfm ais ma This command enables the MEPs within the specified MA to send frames with AIS information following detection of defect conditions. Use the no form to disable this feature. Syntax [no] ethernet cfm ais md domain-name ma ma-name domain-name – Domain name.
ethernet cfm ais period This command configures the interval at which AIS information is sent. Use the no form to restore the default setting. Syntax ethernet cfm ais period period md domain-name ma ma-name no ethernet cfm ais period md domain-name ma ma-name period – The interval at which AIS information is sent. (Options: 1 second, 60 seconds) domain-name – Domain name. (Range: 1-43 alphanumeric characters) ma-name – Maintenance association name.
Chapter 24 | CFM Commands Defining CFM Structures with AIS information. More importantly, it cannot determine the associated subset of its peer MEPs for which it should suppress alarms since the received AIS information does not contain that information. Therefore, upon reception of a frame with AIS information, the MEP will suppress alarms for all peer MEPs whether there is still connectivity or not.
Chapter 24 | CFM Commands Defining CFM Structures Default Setting No maintenance domains are configured. No MIPs are created for any MA in the specified domain. Command Mode Global Configuration Command Usage ◆ A domain can only be configured with one name. ◆ Where domains are nested, an upper-level hierarchical domain must have a higher maintenance level than the ones it encompasses. The higher to lower level domain types commonly include entities such as customer, service provider, and operator.
Chapter 24 | CFM Commands Defining CFM Structures which can only validate received CFM messages, and respond to loop back and link trace messages. The MIP creation method defined by the ma index name command takes precedence over the method defined by this command. Example This example creates a maintenance domain set to maintenance level 3, and enters CFM configuration mode for this domain.
Chapter 24 | CFM Commands Defining CFM Structures ma index name This command creates a maintenance association (MA) within the current maintenance domain, maps it to a customer service instance (S-VLAN), and sets the manner in which MIPs are created for this service instance. Use the no form with the vlan keyword to remove the S-VLAN from the specified MA. Or use the no form with only the index keyword to remove the MA from the current domain.
Chapter 24 | CFM Commands Defining CFM Structures ◆ Before removing an MA, first remove all the MEPs configured for it (see the mep crosscheck mpid command). ◆ If the MIP creation method is not defined by this command, the creation method defined by the ethernet cfm domain command is applied to this MA. For a detailed description of the MIP types, refer to the Command Usage section under the ethernet cfm domain command.
ethernet cfm mep This command sets an interface as a domain boundary, defines it as a maintenance end point (MEP), and sets the direction of the MEP with regard to sending and receiving CFM messages. Use the no form to delete a MEP. Syntax ethernet cfm mep mpid mpid md domain-name ma ma-name [up] no ethernet cfm mep mpid mpid ma ma-name mpid – Maintenance end point identifier. (Range: 1-8191) domain-name – Domain name.
ethernet cfm port-enable This command enables CFM processing on an interface. Use the no form to disable CFM processing on an interface. Syntax [no] ethernet cfm port-enable Default Setting Enabled Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage ◆ An interface must be enabled before a MEP can be created with the ethernet cfm mep command.
Command Usage This command can be used to clear AIS defect entries if a MEP does not exit the AIS state when all errors are resolved. Example This example clears AIS defect entries for the MEP with MPID 1. Console#clear ethernet cfm ais mpid 1 md voip ma rd Console# show ethernet cfm configuration This command displays CFM configuration settings, including global settings, SNMP traps, and interface settings.
Chapter 24 | CFM Commands Defining CFM Structures This example shows the configuration status for continuity check and cross-check traps.
Default Setting None Command Mode Privileged Exec Example This example shows all configured maintenance domains.
Console#show ethernet cfm md
MD Index MD Name              Level MIP Creation Archive Hold Time (m.)
-------- -------------------- ----- ------------ ----------------------
1        rd                   0     default      100
Console#
show ethernet cfm ma This command displays the configured maintenance associations. Syntax show ethernet cfm ma [level level] level – Maintenance level.
show ethernet cfm maintenance-points local This command displays the maintenance points configured on this device. Syntax show ethernet cfm maintenance-points local {mep [domain domain-name | interface interface | level level-id] | mip [domain domain-name | level level-id]} mep – Displays only local maintenance end points. mip – Displays only local maintenance intermediate points. domain-name – Domain name.
show ethernet cfm maintenance-points local detail mep This command displays detailed CFM information about a local MEP in the continuity check database. Syntax show ethernet cfm maintenance-points local detail mep [domain domain-name | interface interface | level level-id] domain-name – Domain name. (Range: 1-43 alphanumeric characters) interface – Displays CFM status for the specified interface. ethernet unit/port unit - Unit identifier.
Chapter 24 | CFM Commands Defining CFM Structures Table 149: show ethernet cfm maintenance-points local detail mep - display Field Description MPID MEP identifier MD Name The maintenance domain for this entry.
Chapter 24 | CFM Commands Defining CFM Structures Default Setting None Command Mode Privileged Exec Command Usage Use the mpid keyword with this command to display information about a specific maintenance point, or use the mac keyword to display information about all maintenance points that have the specified MAC address. Example This example shows detailed information about the remote MEP designated by MPID 2.
Table 150: show ethernet cfm maintenance-points remote detail - display Field Description Port State Port states include: Up – The port is functioning normally. Blocked – The port has been blocked by the Spanning Tree Protocol. No port state – Either no CCM has been received, or no port status TLV was received in the last CCM.
CCMs are issued should therefore be configured to detect connectivity problems in a timely manner, as dictated by the nature and size of the MA. ◆ The maintenance of a MIP CCM database by a MIP presents some difficulty for bridges carrying a large number of Service Instances, and whose MEPs are issuing CCMs at a high frequency. For this reason, slower CCM transmission rates may have to be used.
Chapter 24 | CFM Commands Continuity Check Operations ◆ If a maintenance point receives a CCM with an invalid MEPID or MA level or an MA level lower than its own, a failure is registered which indicates a configuration error or cross-connect error (i.e., overlapping MAs). Example This example enables continuity check messages for the specified maintenance association.
Example This example enables SNMP traps for mep-up events. Console(config)#snmp-server enable traps ethernet cfm cc mep-up Console(config)# Related Commands ethernet cfm mep crosscheck (763) mep archive-hold-time This command sets the time that data from a missing MEP is retained in the continuity check message (CCM) database before being purged. Use the no form to restore the default setting.
Chapter 24 | CFM Commands Continuity Check Operations Default Setting None Command Mode Privileged Exec Command Usage Use this command without any keywords to clear all entries in the CCM database. Use the domain keyword to clear the CCM database for a specific domain, or the level keyword to clear it for a specific maintenance level.
show ethernet cfm errors This command displays the CFM continuity check errors logged on this device. Syntax show ethernet cfm errors [domain domain-name | level level-id] domain-name – Domain name. (Range: 1-43 alphanumeric characters) level-id – Authorized maintenance level for this domain.
Cross Check Operations ethernet cfm mep crosscheck start-delay This command sets the maximum delay that a device waits for remote MEPs to come up before starting the cross-check operation. Use the no form to restore the default setting. Syntax ethernet cfm mep crosscheck start-delay delay delay – The time a device waits for remote MEPs to come up before the cross-check is started.
Chapter 24 | CFM Commands Cross Check Operations Default Setting All continuity checks are enabled. Command Mode Global Configuration Command Usage ◆ For this trap type to function, cross-checking must be enabled on the required maintenance associations using the ethernet cfm mep crosscheck command.
Chapter 24 | CFM Commands Cross Check Operations Command Usage ◆ Use this command to statically configure remote MEPs that exist inside the maintenance association. These remote MEPs are used in the cross-check operation to verify that all endpoints in the specified MA are operational. ◆ Remote MEPs can only be configured with this command if domain service access points (DSAPs) have already been created with the ethernet cfm mep command at the same maintenance level and in the same MA.
◆ The cross-check process is disabled by default, and must be manually started using this command with the enable keyword. Example This example enables cross-checking within the specified maintenance association. Console#ethernet cfm mep crosscheck enable md voip ma rd Console# show ethernet cfm maintenance-points remote crosscheck This command displays information about remote MEPs statically configured in a cross-check list.
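The continuity check, archive hold time and cross-check sections above describe three pieces of one mechanism: CCMs populate a per-MA database, a remote MEP that stops sending is declared lost and later purged, and the cross-check compares what CCMs have shown against the static list entered with mep crosscheck mpid. The following Python is an added model of that interplay, written for this example and not the switch's implementation. It assumes the IEEE 802.1ag loss rule of 3.5 CCM intervals without a CCM, uses made-up MPIDs, MAC addresses and timestamps, and logs a CCM that arrives at a lower maintenance level than the local MA, an out-of-range MPID, or a peer echoing the local MPID, as errors of the kind the command usage for continuity checks describes.

```python
from dataclasses import dataclass
from typing import Optional

CCM_LOSS_MULTIPLIER = 3.5   # IEEE 802.1ag: a remote MEP is lost after 3.5 CCM intervals of silence
MPID_MIN, MPID_MAX = 1, 8191


@dataclass
class RemoteMep:
    mpid: int
    mac: str
    last_ccm: float                 # time (s) of the last valid CCM
    lost_at: Optional[float] = None  # set when the MEP times out; cleared by the next valid CCM


class CcmDatabase:
    """Continuity check database for one MA as seen from one local MEP (constructed model)."""

    def __init__(self, local_mpid, level, ccm_interval_s, remote_mpids, archive_hold_minutes=100):
        self.local_mpid = local_mpid
        self.level = level
        self.interval = ccm_interval_s
        self.configured = set(remote_mpids)      # static cross-check list
        self.hold_s = archive_hold_minutes * 60  # mep archive-hold-time
        self.remote = {}                         # mpid -> RemoteMep
        self.errors = []                         # (time, mpid, reason)

    def receive_ccm(self, now, mpid, mac, level):
        """Process one CCM. Returns True if it updated the database, False if it was rejected."""
        if not MPID_MIN <= mpid <= MPID_MAX:
            self.errors.append((now, mpid, "invalid-mpid"))
            return False
        if level != self.level:
            # Lower level: another MA is leaking into this one (cross-connect or config error).
            # Higher level: belongs to an enclosing domain and is not ours to consume.
            self.errors.append((now, mpid, "lower-level-ccm" if level < self.level else "higher-level-ccm"))
            return False
        if mpid == self.local_mpid:
            self.errors.append((now, mpid, "own-mpid-received"))   # duplicate MPID in the MA
            return False
        entry = self.remote.get(mpid)
        if entry is None:
            self.remote[mpid] = RemoteMep(mpid, mac, now)
        else:
            if entry.mac != mac:
                self.errors.append((now, mpid, "mac-changed"))
            entry.mac, entry.last_ccm, entry.lost_at = mac, now, None
        return True

    def expire(self, now):
        """Mark silent remote MEPs lost; purge lost entries once the archive hold time has elapsed."""
        for mpid, e in list(self.remote.items()):
            if e.lost_at is None and now - e.last_ccm > CCM_LOSS_MULTIPLIER * self.interval:
                e.lost_at = now
            if e.lost_at is not None and now - e.lost_at > self.hold_s:
                del self.remote[mpid]

    def crosscheck(self, now):
        """Compare the configured remote MPID list with the MEPs currently heard from."""
        self.expire(now)
        alive = {m for m, e in self.remote.items() if e.lost_at is None}
        return {
            "ok": sorted(alive & self.configured),
            "missing": sorted(self.configured - alive),     # would raise DefRemoteCCM
            "unexpected": sorted(alive - self.configured),  # in the MA but not in the cross-check list
        }


def demo():
    """Constructed scenario: MPIDs 2 and 3 are expected; 9 is a stranger; 7 leaks in from level 2."""
    db = CcmDatabase(local_mpid=1, level=4, ccm_interval_s=1.0, remote_mpids=[2, 3])
    db.receive_ccm(0.0, 2, "00-11-22-33-44-02", 4)
    db.receive_ccm(0.0, 3, "00-11-22-33-44-03", 4)
    db.receive_ccm(0.0, 9, "00-11-22-33-44-09", 4)   # not in the static list
    db.receive_ccm(0.0, 7, "00-11-22-33-44-07", 2)   # lower-level CCM, rejected and logged
    first = db.crosscheck(0.5)
    db.receive_ccm(1.0, 2, "00-11-22-33-44-02", 4)   # only MPID 2 keeps sending
    later = db.crosscheck(4.0)                        # 3 and 9 have been silent for 4 s > 3.5 s
    return first, later, db.errors


if __name__ == "__main__":
    for item in demo():
        print(item)
```

The asymmetry to keep in mind operationally is the one the model makes visible: a MEP that is configured but silent shows up as missing, but a MEP that is sending CCMs without being in the cross-check list is only reported if you look for it, so review the unexpected set as well as the missing one when a service instance spans equipment you do not control.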
Chapter 24 | CFM Commands Link Trace Operations Command Mode Global Configuration Command Usage ◆ A link trace message is a multicast CFM frame initiated by a MEP, and forwarded from MIP to MIP, with each MIP generating a link trace reply, up to the point at which the link trace message reaches its destination or can no longer be forwarded. ◆ Use this command to enable the link trace cache to store the results of link trace operations initiated on this device.
Example This example sets the aging time for entries in the link trace cache to 60 minutes. Console(config)#ethernet cfm linktrace cache hold-time 60 Console(config)# ethernet cfm linktrace cache size This command sets the maximum size for the link trace cache. Use the no form to restore the default setting. Syntax ethernet cfm linktrace cache size entries entries – The number of link trace responses stored in the link trace cache.
Chapter 24 | CFM Commands Link Trace Operations ethernet cfm linktrace This command sends CFM link trace messages to the MAC address of a remote MEP. Syntax ethernet cfm linktrace {dest-mep destination-mpid | src-mep source-mpid {dest-mep destination-mpid | mac-address} | mac-address} md domain-name ma ma-name [ttl number] destination-mpid – The identifier of a remote MEP that is the target of the link trace message.
◆ When using the command line or web interface, the source MEP used to send a link trace message is chosen by the CFM protocol. However, when using SNMP, the source MEP can be specified by the user. Example This example sends a link trace message to the specified MEP with a maximum hop count of 25. Console#ethernet cfm linktrace dest-mep 2 md voip ma rd ttl 25 Console# clear ethernet cfm This command clears link trace messages logged on this device.
Table 152: show ethernet cfm linktrace-cache - display description (Continued) Field Description Egress MAC MAC address of the egress port on the target device. Ing. Action Action taken on the ingress port: IngOk – The target data frame passed through to the MAC Relay Entity. IngDown – The bridge port’s MAC_Operational parameter is false.
Loopback Operations ethernet cfm loopback This command sends CFM loopback messages to a MAC address for a MEP or MIP. Syntax ethernet cfm loopback {dest-mep destination-mpid | src-mep source-mpid {dest-mep destination-mpid | mac-address} | mac-address} md domain-name ma ma-name [count transmit-count] [pattern padding-value] [priority priority-value] [size packet-size] destination-mpid – The identifier of a MEP that is the target of the loopback message.
messages can also be used to confirm the successful restoration or initiation of connectivity. The receiving maintenance point should respond to the loopback message with a loopback reply. ◆ When using the command line or web interface, the source MEP used to send a loopback message is chosen by the CFM protocol. However, when using SNMP, the source MEP can be specified by the user.
mep fault-notify lowest-priority This command sets the lowest priority defect that is allowed to generate a fault alarm. Use the no form to restore the default setting. Syntax mep fault-notify lowest-priority priority no mep fault-notify lowest-priority priority – Lowest priority defect allowed to generate a fault alarm.
Chapter 24 | CFM Commands Fault Generator Operations Table 154: MEP Defect Descriptions Field Description DefMACstatus Either some remote MEP is reporting its Interface Status TLV as not isUp, or all remote MEPs are reporting a Port Status TLV that contains some value other than psUp. DefRemoteCCM The MEP is not receiving valid CCMs from at least one of the remote MEPs. DefErrorCCM The MEP has received at least one invalid CCM whose CCM Interval has not yet timed out.
show ethernet cfm fault-notify-generator This command displays configuration settings for the fault notification generator. Syntax show ethernet cfm fault-notify-generator mep mpid mpid – Maintenance end point identifier. (Range: 1-8191) Default Setting None Command Mode Privileged Exec Example This example shows the fault notification settings configured for one MEP.
Delay Measure Operations ethernet cfm delay-measure This command sends periodic delay-measure requests to a specified MEP within a maintenance association.
◆ If a MEP is enabled to generate frames with delay measurement (DM) information, it periodically sends DM frames to its peer MEP in the same MA, and expects to receive DM frames back from it.
25 OAM Commands The switch provides OAM (Operation, Administration, and Maintenance) remote management tools required to monitor and maintain the links to subscriber CPEs (Customer Premise Equipment). This section describes functions including enabling OAM for selected ports, loop back testing, and displaying device information.
efm oam This command enables OAM functions on the specified port. Use the no form to disable this function. Syntax [no] efm oam Default Setting Disabled Command Mode Interface Configuration Command Usage ◆ If the remote device also supports OAM, both exchange Information OAMPDUs to establish an OAM link. ◆ Not all CPEs support OAM functions, and OAM is therefore disabled by default.
Chapter 25 | OAM Commands Command Usage ◆ Critical events are vendor-specific and may include various failures, such as abnormal voltage fluctuations, out-of-range temperature detected, fan failure, CRC error in flash memory, insufficient memory, or other hardware faults. ◆ Dying gasp events are caused by an unrecoverable failure, such as a power failure or device reset. Note: When system power fails, the switch will always send a dying gasp trap message prior to power down.
efm oam link-monitor frame threshold This command sets the threshold for errored frame link events. Use the no form to restore the default setting. Syntax efm oam link-monitor frame threshold count no efm oam link-monitor frame threshold count - The threshold for errored frame link events.
exceeded within the period specified by this command. The Errored Frame Event TLV includes the number of errored frames detected during the specified period. Example This example sets the window size to 5 seconds (the window is specified in units of 100 ms). Console(config)#interface ethernet 1/1 Console(config-if)#efm oam link-monitor frame window 50 Console(config-if)# efm oam mode This command sets the OAM mode on the specified port. Use the no form to restore the default setting.
clear efm oam counters This command clears statistical counters for various OAMPDU message types. Syntax clear efm oam counters [interface-list] interface-list - unit/port unit - Unit identifier. (Range: 1) port - Port number or list of ports. To enter a list, separate nonconsecutive port identifiers with a comma and no spaces; use a hyphen to designate a range of ports.
efm oam remote-loopback This command starts or stops OAM loopback test mode to the attached CPE. Syntax efm oam remote-loopback {start | stop} interface start - Starts remote loopback test mode. stop - Stops remote loopback test mode. interface - unit/port unit - Unit identifier. (Range: 1) port - Port number. (Range: 1-12) Default Setting None Command Mode Privileged Exec Command Usage OAM remote loopback can be used for fault localization and link performance testing.
efm oam remote-loopback test This command performs a remote loopback test, sending a specified number of packets. Syntax efm oam remote-loopback test interface [number-of-packets [packet-size]] interface - unit/port unit - Unit identifier. (Range: 1) port - Port number. (Range: 1-12) number-of-packets - Number of packets to send. (Range: 1-99999999) packet-size - Size of packets to send.
show efm oam counters interface This command displays counters for various OAM PDU message types. Syntax show efm oam counters interface [interface-list] interface-list - unit/port unit - Unit identifier. (Range: 1) port - Port number or list of ports. To enter a list, separate nonconsecutive port identifiers with a comma and no spaces; use a hyphen to designate a range of ports.
Example Console#show efm oam event-log interface 1/1 OAM event log of Eth 1/1: 00:24:07 2001/01/01 "Unit 1, Port 1: Dying Gasp at Remote" Console# This command can also show OAM link status changes for the link partner, as shown in this example.
show efm oam remote-loopback interface This command displays the results of an OAM remote loopback test. Syntax show efm oam remote-loopback interface [interface-list] interface-list - unit/port unit - Unit identifier. (Range: 1) port - Port number or list of ports. To enter a list, separate nonconsecutive port identifiers with a comma and no spaces; use a hyphen to designate a range of ports.
Link Monitor (Errored Frame) : Enabled
Link Monitor:
  Errored Frame Window (100msec) : 10
  Errored Frame Threshold : 1
Console#show efm oam status interface 1/1 brief
$ = local OAM in loopback
* = remote OAM in loopback
Port Admin   Mode State Remote Loopback Dying Gasp Critical Event Errored Frame
---- ------- ---------- --------------- ---------- -------------- -------------
1/1  Enabled Active     Disabled        Enabled    Enabled        Enabled
Console#
show efm oam status This command displays information about attached OAM-enabl
26 Domain Name Service Commands These commands are used to configure Domain Naming System (DNS) services. Entries can be manually configured in the DNS domain name to IP address mapping table, default domain names configured, or one or more name servers specified to use for domain name to address translation. Note that domain name services will not be enabled until at least one name server is specified with the ip name-server command and domain lookup is enabled with the ip domain-lookup command.
Chapter 26 | Domain Name Service Commands Command Mode Global Configuration Command Usage ◆ Domain names are added to the end of the list one at a time. ◆ When an incomplete host name is received by the DNS service on this switch, it will work through the domain list, appending each domain name in the list to the host name, and checking with the specified name servers for a match.
Chapter 26 | Domain Name Service Commands Command Usage ◆ At least one name server must be specified before DNS can be enabled. ◆ If all name servers are deleted, DNS will automatically be disabled. Example This example enables DNS and then displays the configuration. Console(config)#ip domain-lookup Console(config)#end Console#show dns Domain Lookup Status: DNS Enabled Default Domain Name: sample.com Domain Name List: sample.com.jp sample.com.uk Name Server List: 192.168.1.55 10.1.0.
Chapter 26 | Domain Name Service Commands Default Domain Name: sample.com Domain Name List: Name Server List: Console# Related Commands ip domain-list (789) ip name-server (793) ip domain-lookup (790) ip host This command creates a static entry in the DNS table that maps a host name to an IPv4 address. Use the no form to remove an entry. Syntax [no] ip host name address name - Name of an IPv4 host. (Range: 1-127 characters) address - Corresponding IPv4 address.
Chapter 26 | Domain Name Service Commands ip name-server This command specifies the address of one or more domain name servers to use for name-to-address resolution. Use the no form to remove a name server from this list. Syntax [no] ip name-server server-address1 [server-address2 … server-address6] server-address1 - IPv4 or IPv6 address of domain-name server. server-address2 … server-address6 - IPv4 or IPv6 address of additional domain-name servers.
ipv6 host This command creates a static entry in the DNS table that maps a host name to an IPv6 address. Use the no form to remove an entry. Syntax [no] ipv6 host name ipv6-address name - Name of an IPv6 host. (Range: 1-127 characters) ipv6-address - Corresponding IPv6 address. This address must be entered according to RFC 2373 “IPv6 Addressing Architecture,” using 8 colon-separated 16-bit hexadecimal values.
Chapter 26 | Domain Name Service Commands clear host This command deletes dynamic entries from the DNS table. Syntax clear host {name | *} name - Name of the host. (Range: 1-127 characters) * - Removes all entries. Default Setting None Command Mode Privileged Exec Command Usage Use the clear host command to clear dynamic entries, or the no ip host command to clear static entries. Example This example clears all dynamic entries from the DNS table.
show dns cache This command displays entries in the DNS cache. Command Mode Privileged Exec Example
Console#show dns cache
No.     Flag    Type    IP Address      TTL     Host
------- ------- ------- --------------- ------- -------
3       4       Host    209.131.36.158  115     www-real.wa1.b.yahoo.com
4       4       CNAME   POINTER TO:3    115     www.yahoo.com
5       4       CNAME   POINTER TO:3    115     www.wa1.b.yahoo.com
Console#
Table 158: show dns cache - display description Field Description No.
Chapter 26 | Domain Name Service Commands Table 159: show hosts - display description Field Description No. The entry number for each resource record. Flag The field displays “2” for a static entry, or “4” for a dynamic entry stored in the cache. Type This field includes “Address” which specifies the primary name for the owner, and “CNAME” which specifies multiple domain names (or aliases) which are mapped to the same IP address as an existing entry.
27 DHCP Commands These commands are used to configure Dynamic Host Configuration Protocol (DHCP) client and relay functions. Any VLAN interface on this switch can be configured to automatically obtain an IP address through DHCP. This switch can also be configured to relay DHCP client configuration requests to a DHCP server on another network.
Chapter 27 | DHCP Commands
DHCP for IPv4

ip dhcp dynamic-provision
This command enables dynamic provisioning via DHCP. Use the no form to disable this feature.

Syntax
[no] ip dhcp dynamic-provision

Default Setting
Disabled

Command Mode
Global Configuration

Command Usage
DHCPD is the daemon used by Linux to dynamically configure TCP/IP information for client systems. To support DHCP option 66/67, you have to add corresponding statements to the configuration file of DHCPD.
2. Define the conditions in the class section:

    class "OPT66_67" {                  # for option 66/67
      # option 124
      match if option vendor-class-identifier = "SMC";
      # option 55
      option dhcp-parameter-request-list 1,66,67;
      # option 66
      option tftp-server-name "192.168.1.1";
      # option 67
      option bootfile-name "dhcp_config.cfg";
    }

    shared-network Sample2 {
      subnet 192.168.1.0 netmask 255.255.255.0 {
      }
      pool {
        allow members of "OPT66_67";
        range 192.168.1.10 192.168.1.
◆ This command is used to identify the vendor class and configuration of the switch to the DHCP server, which then uses this information to decide how to service the client or what type of information to return.
◆ The general framework for this DHCP option is set out in RFC 2132 (Option 60).
ip dhcp restart client
This command submits a BOOTP or DHCP client request.

Default Setting
None

Command Mode
Privileged Exec

Command Usage
◆ This command issues a BOOTP or DHCP client request for any IP interface that has been set to BOOTP or DHCP mode through the ip address command.
◆ DHCP requires the server to reassign the client’s last address if available.
DHCP for IPv6

ipv6 dhcp client rapid-commit vlan
This command specifies the Rapid Commit option for DHCPv6 message exchange for all DHCPv6 client requests submitted from the specified interface. Use the no form to disable this option.

Syntax
[no] ipv6 dhcp client rapid-commit vlan vlan-id
vlan-id - VLAN ID, specified as a single number, a range of consecutive numbers separated by a hyphen, or multiple numbers separated by commas.
Default Setting
None

Command Mode
Privileged Exec

Command Usage
◆ This command starts the DHCPv6 client process if it is not yet running by submitting requests for configuration information through the specified interface(s). When DHCPv6 is restarted, the switch may attempt to acquire an IP address prefix through stateful address auto-configuration.
Example
The following command submits a client request on VLAN 1.
Console#ipv6 dhcp restart client vlan 1
Console#

Related Commands
ipv6 address autoconfig (826)

show ipv6 dhcp duid
This command shows the DHCP Unique Identifier for this switch.

Command Mode
Privileged Exec

Command Usage
DHCPv6 clients and servers are identified by a DHCP Unique Identifier (DUID) included in the client identifier and server identifier options.
List of known servers:
Server address : FE80::250:FCFF:FEF9:A494
DUID           : 0001-0001-48CFB0D5-F48F2A006801
Server address : FE80::250:FCFF:FEF9:A405
DUID           : 0001-0001-38CF5AB0-F48F2A003917
Console#

DHCP Relay Option 82
This section describes commands used to configure the switch to relay DHCP requests from local hosts to a remote DHCP server.
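Returning to the DUIDs in the show ipv6 dhcp duid output above: the dashed values are DUID-LLT identifiers, and the decoder below takes them apart. It is an added example, not Edge-Core code; the field layout is the one RFC 8415 defines (type, hardware type, seconds since 2000-01-01 UTC, link-layer address), the two server DUIDs are the ones shown above, and the DUID-LL value in the usage note is constructed.

```python
"""Decoder for DHCPv6 DUIDs in the format shown by show ipv6 dhcp duid.
Added example, not Edge-Core code. Layout follows RFC 8415: a 2-byte type,
then for DUID-LLT a 2-byte hardware type, a 4-byte time (seconds since
2000-01-01 UTC) and the link-layer address; DUID-EN carries an enterprise
number plus an opaque identifier; DUID-LL has no time field."""
import struct
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List

DUID_EPOCH = datetime(2000, 1, 1, tzinfo=timezone.utc)
DUID_TYPES = {1: "DUID-LLT", 2: "DUID-EN", 3: "DUID-LL", 4: "DUID-UUID"}


def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02X}" for b in raw)


def parse_duid(text: str) -> Dict[str, object]:
    """Accepts the switch's dashed hex form ('0001-0001-...') or plain hex."""
    raw = bytes.fromhex(text.replace("-", "").replace(":", ""))
    if len(raw) < 3:
        raise ValueError("DUID must carry a type and at least one data byte")
    (dtype,) = struct.unpack("!H", raw[:2])
    info: Dict[str, object] = {"type": DUID_TYPES.get(dtype, f"unknown({dtype})"),
                               "raw": raw}
    if dtype == 1:                                  # DUID-LLT
        if len(raw) < 9:
            raise ValueError("DUID-LLT too short")
        hw_type, secs = struct.unpack("!HI", raw[2:8])
        info.update(hw_type=hw_type, time=secs,
                    time_utc=DUID_EPOCH + timedelta(seconds=secs),
                    link_layer=_mac(raw[8:]))
    elif dtype == 2:                                # DUID-EN
        if len(raw) < 7:
            raise ValueError("DUID-EN too short")
        info.update(enterprise=struct.unpack("!I", raw[2:6])[0], identifier=raw[6:])
    elif dtype == 3:                                # DUID-LL
        if len(raw) < 5:
            raise ValueError("DUID-LL too short")
        info.update(hw_type=struct.unpack("!H", raw[2:4])[0], link_layer=_mac(raw[4:]))
    return info


def duplicate_duids(duids: Iterable[str]) -> List[str]:
    """DUIDs that occur more than once. Devices sharing a DUID (cloned images
    are the usual cause) collide in lease and identity handling, so a list
    such as the one from show ipv6 dhcp duid is worth checking for repeats."""
    seen, dups = set(), []
    for d in duids:
        key = parse_duid(d)["raw"]
        if key in seen and d not in dups:
            dups.append(d)
        seen.add(key)
    return dups
```

A DUID-LLT reveals the server's link-layer address (F4:8F:2A:00:68:01 and F4:8F:2A:00:39:17 for the two servers listed) and the time the identifier was generated, which is useful when checking that the advertising servers are the ones you expect.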
another network. When the server receives the DHCP request, it allocates a free IP address for the DHCP client from its defined scope for the DHCP client’s subnet, and sends a DHCP response back to the DHCP relay agent (i.e., this switch). This switch then passes the DHCP response received from the server to the client.
◆ You must specify the IP address for at least one active DHCP server.
Command Mode
Global Configuration

Usage Guidelines
◆ Using this command with or without any keywords will enable DHCP Option 82 information relay. You must also specify the IP address for at least one active DHCP server (with the ip dhcp relay server command). Otherwise, the switch’s DHCP relay agent will not be able to forward client requests to a DHCP server.
◆ DHCP reply packets received by the relay agent are handled as follows: When the relay agent receives a DHCP reply packet with Option 82 information over the management VLAN, it first ensures that the packet is destined for itself.
  ■ If the RID in the DHCP reply packet is not identical with that configured on the switch, the option 82 information is retained, and the packet is flooded onto the VLAN through which it was received.
Example
This example enables Option 82, and sets the frame format of the remote ID for the option to use the MAC address of the switch’s CPU.
Example
This example sets the Option 82 policy to keep the client information in the request packet received by the relay agent, and forward this packet on to the DHCP server.
Console(config)#ip dhcp relay information policy keep
Console(config)#

Related Commands
ip dhcp relay information option (808)
ip dhcp relay server (807)
ip dhcp snooping (305)

show ip dhcp relay
This command displays the configuration settings for DHCP relay service.
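The two DHCP passages above, the option 66/67 provisioning exchange under ip dhcp dynamic-provision and the Option 82 relay handling in this section, share the same code/length/value option encoding, so one added Python example covers both. It is not Edge-Core or ISC dhcpd code: the option layout is RFC 2132 and the relay agent information option is RFC 3046; the vendor class "SMC", TFTP server and file name are the values from the dhcpd configuration above; the remote-ID MAC 70-72-CF-59-8F-40 is the CPU address shown in the show ip interface example; circuit IDs are constructed. The reply handling implements the mismatch case exactly as the command usage states it; the matching case (strip Option 82, deliver to the circuit) is the RFC 3046 behaviour, not a statement from this page.

```python
"""DHCPv4 option handling for two passages above (added example, not Edge-Core
or ISC code): the RFC 2132 options the dhcpd class matches on (60) and returns
(66/67) for dynamic provisioning, and the RFC 3046 relay agent information
option (82) with the remote-ID check the relay agent applies to server replies.
Packets are constructed; the remote-ID MAC is the CPU address from the show ip
interface example and circuit IDs are made up."""
from typing import Dict, List, Optional, Tuple

OPT_PAD, OPT_END = 0, 255
OPT_PARAM_REQUEST_LIST = 55   # option codes the client asks the server for
OPT_VENDOR_CLASS_ID = 60      # vendor class such as "SMC", matched by the dhcpd class
OPT_TFTP_SERVER_NAME = 66
OPT_BOOTFILE_NAME = 67
OPT_RELAY_AGENT_INFO = 82
SUBOPT_CIRCUIT_ID, SUBOPT_REMOTE_ID = 1, 2

def encode_tlvs(items: List[Tuple[int, bytes]], end: bool = True) -> bytes:
    """code/length/value layout shared by options and option 82 sub-options."""
    out = bytearray()
    for code, value in items:
        if len(value) > 255:
            raise ValueError(f"option {code}: value longer than 255 bytes")
        out += bytes([code, len(value)]) + value
    if end:
        out.append(OPT_END)
    return bytes(out)

def decode_tlvs(data: bytes, option_field: bool = True) -> Dict[int, bytes]:
    """Bounds-checked parser: a truncated item raises instead of reading past
    the buffer. Repeated codes are concatenated (RFC 3396). PAD and END only
    exist in the top-level option field, not inside option 82."""
    opts: Dict[int, bytes] = {}
    i = 0
    while i < len(data):
        code = data[i]
        if option_field and code == OPT_END:
            break
        if option_field and code == OPT_PAD:
            i += 1
            continue
        if i + 2 > len(data):
            raise ValueError("truncated option header")
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} truncated")
        opts[code] = opts.get(code, b"") + value
        i += 2 + length
    return opts

def client_discover_options(vendor_class: str = "SMC") -> bytes:
    """A provisioning client's options: its vendor class and a request for 1
    (subnet mask), 66 and 67. The dhcpd statement 'option dhcp-parameter-
    request-list 1,66,67' returns these even if a client's own list omits them."""
    return encode_tlvs([(OPT_VENDOR_CLASS_ID, vendor_class.encode("ascii")),
                        (OPT_PARAM_REQUEST_LIST, bytes([1, 66, 67]))])

def matches_vendor_class(options: bytes, vendor_class: str = "SMC") -> bool:
    """The dhcpd test 'match if option vendor-class-identifier = "SMC"'."""
    return decode_tlvs(options).get(OPT_VENDOR_CLASS_ID) == vendor_class.encode("ascii")

def provisioning_target(options: bytes) -> Optional[Tuple[str, str]]:
    """(TFTP server, file) the client would fetch its configuration from, or
    None if either option is missing. Both values arrive over the network and
    decide which configuration the switch loads, so treat them as untrusted."""
    opts = decode_tlvs(options)
    server, name = opts.get(OPT_TFTP_SERVER_NAME), opts.get(OPT_BOOTFILE_NAME)
    if server is None or name is None:
        return None
    return server.decode("ascii"), name.decode("ascii")

def mac_remote_id(mac: str) -> bytes:
    """Remote ID in the 'MAC address of the switch CPU' frame format."""
    return bytes.fromhex(mac.replace("-", "").replace(":", ""))

def relay_request_keep_policy(request: bytes, circuit_id: bytes, remote_id: bytes) -> bytes:
    """Client request under 'ip dhcp relay information policy keep': an option
    82 already present is left as is; otherwise the agent adds its own
    circuit-ID and remote-ID sub-options before forwarding to the server."""
    opts = decode_tlvs(request)
    if OPT_RELAY_AGENT_INFO in opts:
        return request
    opts[OPT_RELAY_AGENT_INFO] = encode_tlvs(
        [(SUBOPT_CIRCUIT_ID, circuit_id), (SUBOPT_REMOTE_ID, remote_id)], end=False)
    return encode_tlvs(list(opts.items()))

def relay_handle_reply(reply: bytes, configured_remote_id: bytes) -> Tuple[str, bytes]:
    """Server reply at the relay agent. A remote ID other than this switch's
    means another agent inserted it: option 82 is retained and the packet is
    flooded on the receiving VLAN (command usage above). A match means this
    agent inserted it; RFC 3046 has the agent strip option 82 before the reply
    goes to the client, and the circuit ID names the ingress port."""
    opts = decode_tlvs(reply)
    info = opts.get(OPT_RELAY_AGENT_INFO)
    if info is None:
        return "forward", reply
    sub = decode_tlvs(info, option_field=False)
    if sub.get(SUBOPT_REMOTE_ID) != configured_remote_id:
        return "flood-retain", reply
    del opts[OPT_RELAY_AGENT_INFO]
    return f"forward-to-circuit:{sub.get(SUBOPT_CIRCUIT_ID, b'').hex()}", encode_tlvs(list(opts.items()))
```

The length checks in decode_tlvs matter: option fields come straight off the wire, and a relay or client that trusts the declared length of an option 66/67 or a sub-option will read past the end of a short packet.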
28 IP Interface Commands

An IP Version 4 and Version 6 address may be used for management access to the switch over the network. IPv4 and IPv6 addresses can be used simultaneously to access the switch. You can manually configure a specific IPv4 or IPv6 address or direct the switch to obtain an IPv4 address from a BOOTP or DHCP server when it is powered on. An IPv6 address can either be manually configured or dynamically generated.
Chapter 28 | IP Interface Commands
IPv4 Interface

Basic IPv4 Configuration
This section describes commands used to configure IP addresses for VLAN interfaces on the switch.
Command Usage
◆ An IP address must be assigned to this device to gain management access over the network or to connect the switch to existing IP subnets. A specific IP address can be manually configured, or the switch can be directed to obtain an address from a BOOTP or DHCP server. Valid IP addresses consist of four numbers, 0 to 255, separated by periods. Anything other than this format is not accepted by the configuration program.
Related Commands
ip dhcp restart client (803)
ip default-gateway (816)
ipv6 address (825)

ip default-gateway
This command specifies the default gateway through which this switch can reach other subnetworks. Use the no form to remove a default gateway.

Syntax
ip default-gateway gateway
no ip default-gateway
gateway - IP address of the default gateway

Default Setting
No default gateway is established.
Example
Console#show ip default-gateway
IP default gateway 10.1.0.254
Console#

Related Commands
ip default-gateway (816)
show ipv6 default-gateway (833)

show ip interface
This command displays the settings of an IPv4 interface.

Command Mode
Privileged Exec

Example
Console#show ip interface
VLAN 1 is Administrative Up - Link Up
  Address is 70-72-CF-59-8F-40
  Index: 1001, MTU: 1500
  Address Mode is DHCP
  IP Address: 192.168.2.13 Mask: 255.255.255.
  5927 requests
       discards
       no routes
       generated fragments
       fragment succeeded
       fragment failed
  ICMP Statistics:
    ICMP received
       input errors
       destination unreachable messages
       time exceeded messages
       parameter problem message
       echo request messages
       echo reply messages
       redirect messages
       timestamp request messages
       timestamp reply messages
       source quench messages
       address mask request messages
       address mask reply messages
    ICMP sent
       output errors
       destination unreachable messag
Command Usage
◆ Use the traceroute command to determine the path taken to reach a specified destination.
◆ A trace terminates when the destination responds, when the maximum timeout (TTL) is exceeded, or the maximum number of hops is exceeded.
◆ The traceroute command first sends probe datagrams with the TTL value set at one. This causes the first router to discard the datagram and return an error message.
ping
This command sends (IPv4) ICMP echo request packets to another node on the network.

Syntax
ping host [count count] [size size]
host - IP address or alias of the host.
count - Number of packets to send. (Range: 1-16)
size - Number of bytes in a packet. (Range: 32-512)
The actual packet size will be eight bytes larger than the size specified because the switch adds header information.
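Where the eight extra bytes come from, as an added Python example that is not Edge-Core code: an ICMP echo request is an 8-byte header (type, code, checksum, identifier, sequence number) in front of the payload whose length the size argument sets, and the checksum is the RFC 1071 ones' complement sum. The example builds the request and the matching reply and validates them; it stops short of sending anything, since that needs a raw socket, and the identifier and sequence values in the usage note are constructed.

```python
"""ICMP echo request/reply construction for the ping command above (added
example, not Edge-Core code). The packet is eight bytes larger than the size
argument because the ICMP header (type, code, checksum, identifier, sequence
number) is prepended to the payload. Checksum per RFC 1071. Sending would need
a raw socket, which this example deliberately leaves out."""
import struct
from typing import Dict

ICMP_ECHO_REPLY, ICMP_ECHO_REQUEST = 0, 8
ICMP_HEADER_LEN = 8
SIZE_MIN, SIZE_MAX = 32, 512          # range given for the size argument


def inet_checksum(data: bytes) -> int:
    """RFC 1071: 16-bit ones' complement of the ones' complement sum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:                 # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def _echo(mtype: int, ident: int, seq: int, payload: bytes) -> bytes:
    header = struct.pack("!BBHHH", mtype, 0, 0, ident & 0xFFFF, seq & 0xFFFF)
    csum = inet_checksum(header + payload)
    return struct.pack("!BBHHH", mtype, 0, csum, ident & 0xFFFF, seq & 0xFFFF) + payload


def build_echo_request(size: int, ident: int, seq: int) -> bytes:
    """Echo request with a size-byte payload; total length is size + 8."""
    if not SIZE_MIN <= size <= SIZE_MAX:
        raise ValueError(f"size must be {SIZE_MIN}-{SIZE_MAX} bytes")
    payload = bytes(i & 0xFF for i in range(size))   # recognisable pattern
    return _echo(ICMP_ECHO_REQUEST, ident, seq, payload)


def parse_echo(packet: bytes) -> Dict[str, int]:
    """Header fields of an echo packet; rejects short or corrupted packets.
    A packet with a correct checksum sums to zero, checksum included."""
    if len(packet) < ICMP_HEADER_LEN:
        raise ValueError("shorter than an ICMP header")
    if inet_checksum(packet) != 0:
        raise ValueError("bad ICMP checksum")
    mtype, code, _, ident, seq = struct.unpack("!BBHHH", packet[:ICMP_HEADER_LEN])
    return {"type": mtype, "code": code, "ident": ident, "seq": seq,
            "payload_len": len(packet) - ICMP_HEADER_LEN}


def make_echo_reply(request: bytes) -> bytes:
    """What the target returns: same identifier, sequence and payload, type 0."""
    fields = parse_echo(request)
    return _echo(ICMP_ECHO_REPLY, fields["ident"], fields["seq"],
                 request[ICMP_HEADER_LEN:])


def is_reply_for(request: bytes, reply: bytes) -> bool:
    """Match a reply to its request the way ping does: type, identifier and
    sequence must agree and the payload must come back unchanged."""
    req, rep = parse_echo(request), parse_echo(reply)
    return (rep["type"] == ICMP_ECHO_REPLY and rep["ident"] == req["ident"]
            and rep["seq"] == req["seq"]
            and request[ICMP_HEADER_LEN:] == reply[ICMP_HEADER_LEN:])
```

With the default size of 32, build_echo_request(32, 0x1234, 1) is 40 bytes on the wire, and the IP header adds its own 20 bytes on top of that.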
Ping statistics for 10.1.0.9:
 5 packets transmitted, 5 packets received (100%), 0 packets lost (0%)
Approximate round trip times:
 Minimum = 0 ms, Maximum = 10 ms, Average = 8 ms
Console#

Related Commands
interface (370)

ARP Configuration
This section describes commands used to configure the Address Resolution Protocol (ARP) on the switch.
Example
This example sets the ARP cache timeout to 15 minutes (i.e., 900 seconds).
Console(config)#arp timeout 900
Console(config)#

clear arp-cache
This command deletes all dynamic entries from the Address Resolution Protocol (ARP) cache.

Command Mode
Privileged Exec

Example
This example clears all dynamic entries in the ARP cache.
Console#clear arp-cache
This operation will delete all the dynamic entries in ARP Cache.
IPv6 Interface
This switch supports the following IPv6 interface commands.
Table 169: IPv6 Configuration Commands (Continued)
Command                 Function                                                          Mode
clear ipv6 neighbors    Deletes all dynamic entries in the IPv6 neighbor discovery cache  PE
show ipv6 nd raguard    Displays the configuration setting for RA Guard                   PE
show ipv6 neighbors     Displays information in the IPv6 neighbor discovery cache         PE

Interface Address Configuration and Utilities

ipv6 default-gateway
This command sets an IPv6 default gat
Example
The following example defines a default gateway for this device:
Console(config)#ipv6 default-gateway FE80::269:3EF9:FE19:6780%1
Console(config)#

Related Commands
show ipv6 default-gateway (833)
ip default-gateway (816)

ipv6 address
This command configures an IPv6 global unicast address and enables IPv6 on an interface.
◆ If a duplicate address is detected, a warning message is sent to the console.

Example
This example specifies a full IPv6 address and prefix length.
Console(config)#interface vlan 1
Console(config-if)#ipv6 address 2001:DB8:2222:7272::72/96
Console(config-if)#end
Console#show ipv6 interface
VLAN 1 is up
IPv6 is enabled.
Command Usage
◆ If a link local address has not yet been assigned to this interface, this command will dynamically generate a global unicast address (if a global prefix is included in received router advertisements) and a link local address for the interface. (The link-local address is made with an address prefix of FE80 and a host portion based on the switch’s MAC address in modified EUI-64 format.
ipv6 address eui-64
This command configures an IPv6 address for an interface using an EUI-64 interface ID in the low order 64 bits and enables IPv6 on the interface. Use the no form without any arguments to remove all manually configured IPv6 addresses from the interface. Use the no form with a specific address to remove it from the interface.
globally defined addresses and 0 for locally defined addresses), changing 28 to 2A. Then the two bytes FFFE are inserted between the OUI (i.e., company id) and the rest of the address, resulting in a modified EUI-64 interface identifier of 2A-9F-18-FF-FE-1C-82-35.
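The modified EUI-64 derivation just described, carried out in code as an added Python example (not Edge-Core code). It reproduces the page's own case, MAC 28-9F-18-1C-82-35 becoming 2A-9F-18-FF-FE-1C-82-35, and goes beyond it: any MAC, any 64-bit prefix (the FE80::/64 link-local prefix used by autoconfig, or a global prefix such as the 2001:DB8:2222:7272:: one from the examples in this section, here assumed as a /64), and the reverse mapping from address back to MAC. The /64 requirement is RFC 4291's, not a statement from this page.

```python
"""Modified EUI-64 interface identifiers and the addresses built from them, as
used by ipv6 address eui-64 and the autoconfig link-local address. Added
example, not Edge-Core code; it generalises the page's single MAC to any MAC
and any 64-bit prefix, and also shows the reverse mapping back to the MAC."""
import ipaddress
from typing import Optional, Union

IPv6Addr = Union[str, ipaddress.IPv6Address]


def _mac_bytes(mac: str) -> bytes:
    octets = bytes.fromhex(mac.replace("-", "").replace(":", "").replace(".", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    return octets


def modified_eui64(mac: str) -> bytes:
    """RFC 4291 Appendix A: insert FFFE between the OUI (company id) and the
    device part, then invert the universal/local bit (0x02 of the first
    byte), so 28-9F-18-1C-82-35 becomes 2A-9F-18-FF-FE-1C-82-35."""
    octets = _mac_bytes(mac)
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui[0] ^= 0x02
    return bytes(eui)


def format_eui64(eui: bytes) -> str:
    return "-".join(f"{b:02X}" for b in eui)


def eui64_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Combine a 64-bit prefix (from the command, or from an RA) with the
    interface identifier. RFC 4291 gives these addresses 64-bit interface
    identifiers, so any other prefix length is rejected here."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 interface identifiers need a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address)
                                 | int.from_bytes(modified_eui64(mac), "big"))


def link_local_address(mac: str) -> ipaddress.IPv6Address:
    """FE80::/64 plus the modified EUI-64, as generated by autoconfig."""
    return eui64_address("FE80::/64", mac)


def mac_from_address(addr: IPv6Addr) -> Optional[str]:
    """Recover the MAC from an EUI-64 derived address, or None if the
    interface identifier lacks the FF:FE marker. Such addresses expose the
    hardware address to every peer that sees them, which is what the privacy
    extensions of RFC 4941 were introduced to avoid."""
    iid = int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)
    b = iid.to_bytes(8, "big")
    if b[3:5] != b"\xff\xfe":
        return None
    return format_eui64(bytes([b[0] ^ 0x02]) + b[1:3] + b[5:])
```

link_local_address("28-9F-18-1C-82-35") yields fe80::2a9f:18ff:fe1c:8235, the address autoconfig would assign for that MAC; mac_from_address on that value returns the MAC again, and returns None for a manually configured address such as 2001:DB8:2222:7272::72.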
Default Setting
No IPv6 addresses are defined

Command Mode
Interface Configuration (VLAN)

Command Usage
◆ The specified address must be formatted according to RFC 2373 “IPv6 Addressing Architecture,” using 8 colon-separated 16-bit hexadecimal values. One double colon may be used in the address to indicate the appropriate number of zeros required to fill the undefined fields.
Related Commands
ipv6 enable (831)
show ipv6 interface (833)

ipv6 enable
This command enables IPv6 on an interface that has not been configured with an explicit IPv6 address. Use the no form to disable IPv6 on an interface that has not been configured with an explicit IPv6 address.
  ND advertised retransmit interval is 0 milliseconds
  ND reachable time is 30000 milliseconds
  ND advertised reachable time is 0 milliseconds
  ND advertised router lifetime is 1800 seconds
Console#

Related Commands
ipv6 address link-local (829)
show ipv6 interface (833)

ipv6 mtu
This command sets the size of the maximum transmission unit (MTU) for IPv6 packets sent on an interface.
Related Commands
show ipv6 mtu (835)
jumbo frame (112)

show ipv6 default-gateway
This command displays the current IPv6 default gateway.
  2001:DB8:2222:7273::72/96, subnet is 2001:DB8:2222:7273::/96
  Joined group address(es):
    FF02::1:FF00:72
    FF02::1:FF00:FD
    FF02::1
  IPv6 link MTU is 1280 bytes
  ND DAD is enabled, number of DAD attempts: 3.
Table 170: show ipv6 interface - display description (Continued)
Field                          Description
ND advertised reachable time   The reachable time is included in all router advertisements sent out of an interface so that nodes on the same link use the same time value.
ND advertised router lifetime  The length of time during which the prefix is valid for on-link determination.
show ipv6 traffic
This command displays statistics about IPv6 traffic passing through this switch.
       neighbor advertisement messages
       redirect messages
       group membership query messages
       group membership response messages
       group membership reduction messages
  UDP Statistics:
       input
       no port errors
       other errors
       output
Console#

Table 172: show ipv6 traffic - display description
Field            Description
IPv6 Statistics
IPv6 received
total received   The total number of input datagrams received by the interface, including those received in er
Table 172: show ipv6 traffic - display description (Continued)
Field                  Description
reassembly succeeded   The number of IPv6 datagrams successfully reassembled. Note that this counter is incremented at the interface to which these datagrams were addressed, which might not necessarily be the input interface for some of the fragments.
Table 172: show ipv6 traffic - display description (Continued)
Field                      Description
parameter problem message  The number of ICMP Parameter Problem messages received by the interface.
echo request messages      The number of ICMP Echo (request) messages received by the interface.
echo reply messages        The number of ICMP Echo Reply messages received by the interface.
Table 172: show ipv6 traffic - display description (Continued)
Field                                Description
group membership reduction messages  The number of ICMPv6 Group Membership Reduction messages sent.
UDP Statistics
input                                The total number of UDP datagrams delivered to UDP users.
no port errors                       The total number of received UDP datagrams for which there was no application at the destination port.
Default Setting
count: 5
size: 32 bytes

Command Mode
Privileged Exec

Command Usage
◆ Use the ping6 command to see if another site on the network can be reached, or to evaluate delays over the path.
◆ The same link-local address may be used by different interfaces/nodes in different zones (RFC 4007).
traceroute6
This command shows the route packets take to the specified destination.

Syntax
traceroute6 {ipv6-address | host-name} [max-failures failure-count]
ipv6-address - The IPv6 address of a neighbor device. You can specify either a link-local or global unicast address formatted according to RFC 2373 “IPv6 Addressing Architecture,” using 8 colon-separated 16-bit hexadecimal values.
Traceroute to FE80::2E0:CFF:FE9C:CA10%1/64, 30 hops max, timeout is 3 seconds, 5 max failure(s) before termination.
Hop  Packet 1  Packet 2  Packet 3  IPv6 Address
---  --------  --------  --------  --------------------------------------------
1    <10 ms    <10 ms    <10 ms    FE80::2E0:CFF:FE9C:CA10%1/64
Trace completed.
Neighbor Discovery

ipv6 nd dad attempts
This command configures the number of consecutive neighbor solicitation messages sent on an interface during duplicate address detection. Use the no form to restore the default setting.

Syntax
ipv6 nd dad attempts count
no ipv6 nd dad attempts
count - The number of neighbor solicitation messages sent to determine whether or not a duplicate address exists on this interface.
Example
The following configures five neighbor solicitation attempts for addresses configured on VLAN 1. The show ipv6 interface command indicates that the duplicate address detection process is still on-going.
Console(config)#interface vlan 1
Console(config-if)#ipv6 nd dad attempts 5
Console(config-if)#end
Console#show ipv6 interface
VLAN 1 is up
IPv6 is enabled.
Command Usage
◆ This command specifies the interval between transmitting neighbor solicitation messages when resolving an address, or when probing the reachability of a neighbor. Therefore, avoid using very short intervals for normal IPv6 operations.
Command Usage
◆ IPv6 Router Advertisements (RA) convey information that enables nodes to auto-configure on the network. This information may include the default router address taken from the observed source address of the RA message, as well as on-link prefix information.
◆ Setting the time limit to 0 means that the configured time is unspecified by this router.

Example
The following sets the reachable time for a remote node to 1000 milliseconds:
Console(config)#interface vlan 1
Console(config)#ipv6 nd reachable-time 1000
Console(config)#

clear ipv6 neighbors
This command deletes all dynamic entries in the IPv6 neighbor discovery cache.
show ipv6 neighbors
This command displays information in the IPv6 neighbor discovery cache.

Syntax
show ipv6 neighbors [vlan vlan-id | ipv6-address]
vlan-id - VLAN ID (Range: 1-4093)
ipv6-address - The IPv6 address of a neighbor device. You can specify either a link-local or global unicast address formatted according to RFC 2373 “IPv6 Addressing Architecture,” using 8 colon-separated 16-bit hexadecimal values.
Table 173: show ipv6 neighbors - display description (Continued)
Field    Description
State    The following states are used for dynamic entries:
         I1 (Incomplete) - Address resolution is being carried out on the entry. A neighbor solicitation message has been sent to the multicast address of the target, but it has not yet returned a neighbor advertisement message.
         I2 (Invalid) - An invalidated mapping.
ND Snooping
This section describes commands used to configure ND Snooping.
Command Usage
◆ Use this command without any keywords to enable ND snooping globally on the switch. Use the VLAN keyword to enable ND snooping on a specific VLAN or a range of VLANs.
◆ Once ND snooping is enabled both globally and on the required VLANs, the switch will start monitoring RA messages to build an address prefix table as described below:
  ■ If an RA message is received on an untrusted interface, it is dropped.
ipv6 nd snooping auto-detect
This command enables automatic validation of dynamic user binding table entries by periodically sending NS messages and awaiting NA replies. Use the no form to disable this feature.
Example
Console(config)#ipv6 nd snooping auto-detect retransmit count 5
Console(config)#

ipv6 nd snooping auto-detect retransmit interval
This command sets the interval at which the auto-detection process sends NS messages to determine if a dynamic user binding is still valid. Use the no form to restore the default setting.
Command Mode
Global Configuration

Command Usage
If ND snooping is enabled and an RA message is received on a trusted interface, the switch will add an entry in the prefix table based upon the Prefix Information contained in the message. If an RA message is not received for a table entry with the same prefix for the specified timeout period, the entry is deleted.
Command Mode
Interface Configuration (Ethernet, Port Channel)

Command Usage
◆ In general, interfaces facing the network core, or routers supporting the Neighbor Discovery protocol, are configured as trusted interfaces.
◆ RA messages received from a trusted interface are added to the prefix table and forwarded toward their destination.
◆ NS messages received from a trusted interface are forwarded toward their destination.
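The ND snooping behaviour spelled out across this section (RA messages dropped on untrusted interfaces and learned into the prefix table from trusted ones, prefix entries deleted when no RA refreshes them within the timeout, and the auto-detect probe that retires dynamic bindings that stop answering NS messages), put together as one added Python simulation. This is not Edge-Core code: interface names, the 300-second prefix timeout, the binding addresses and the assumed default retransmit count of 3 are constructed for the example; the page itself only shows the count being set to 5.

```python
"""Simulation of the ND snooping behaviour described above: a prefix table
learned from RAs on trusted interfaces only, entry expiry when no RA refreshes
a prefix within the timeout, and the auto-detect probe that removes dynamic
bindings that stop answering NS messages. Added example, not Edge-Core code;
interface names, timeout, binding addresses and the default retransmit count
are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class PrefixEntry:
    prefix: ipaddress.IPv6Network
    valid_time: int     # Valid Lifetime from the RA Prefix Information option
    expire: float       # deleted if no RA for this prefix arrives by then
    vlan: int
    interface: str


@dataclass
class Binding:
    vlan: int
    interface: str
    unanswered: int = 0     # NS probes sent without an NA reply


class NDSnooping:
    def __init__(self, prefix_timeout: int = 300):
        self.now = 0.0                          # simulated clock, seconds
        self.enabled_global = False
        self.enabled_vlans: Set[int] = set()
        self.trusted: Set[str] = set()
        self.prefix_timeout = prefix_timeout
        self.auto_detect = False
        self.retransmit_count = 3               # assumed default for the example
        self.prefixes: Dict[Tuple[int, ipaddress.IPv6Network], PrefixEntry] = {}
        self.bindings: Dict[str, Binding] = {}
        self.log: List[str] = []

    # configuration commands
    def ipv6_nd_snooping(self, vlan: Optional[int] = None) -> None:
        """No keyword: enable globally; with a VLAN: enable on that VLAN."""
        if vlan is None:
            self.enabled_global = True
        else:
            self.enabled_vlans.add(vlan)

    def ipv6_nd_snooping_trust(self, interface: str) -> None:
        self.trusted.add(interface)

    def ipv6_nd_snooping_auto_detect(self, retransmit_count: int) -> None:
        self.auto_detect = True
        self.retransmit_count = retransmit_count

    def active_on(self, vlan: int) -> bool:
        return self.enabled_global and vlan in self.enabled_vlans

    # data plane events
    def receive_ra(self, interface: str, vlan: int, prefix: str,
                   valid_lifetime: int) -> str:
        """Forwarding decision for an RA; maintains the prefix table."""
        self.expire_prefixes()
        if not self.active_on(vlan):
            return "forward"                    # VLAN not monitored
        if interface not in self.trusted:
            self.log.append(f"dropped RA on untrusted {interface} vlan {vlan}")
            return "drop"
        net = ipaddress.IPv6Network(prefix, strict=False)
        self.prefixes[(vlan, net)] = PrefixEntry(
            net, valid_lifetime, self.now + self.prefix_timeout, vlan, interface)
        return "forward"

    def expire_prefixes(self) -> None:
        self.prefixes = {k: e for k, e in self.prefixes.items() if e.expire > self.now}

    def show_prefix(self, vlan: Optional[int] = None) -> List[PrefixEntry]:
        self.expire_prefixes()
        return [e for e in self.prefixes.values() if vlan is None or e.vlan == vlan]

    def add_binding(self, address: str, vlan: int, interface: str) -> None:
        self.bindings[address] = Binding(vlan, interface)

    def auto_detect_tick(self) -> List[str]:
        """One probe cycle: send an NS for every dynamic binding; a binding that
        has already gone retransmit_count probes without an NA is deleted.
        Returns the addresses probed this cycle."""
        if not self.auto_detect:
            return []
        probed = []
        for addr, b in list(self.bindings.items()):
            if b.unanswered >= self.retransmit_count:
                del self.bindings[addr]
                self.log.append(f"binding {addr} removed: no NA after {b.unanswered} NS")
            else:
                b.unanswered += 1
                probed.append(addr)
        return probed

    def receive_na(self, address: str) -> None:
        if address in self.bindings:
            self.bindings[address].unanswered = 0
```

An RA arriving on a port that was never marked trusted is logged and dropped even though it carries a valid prefix, which is the property that keeps a rogue router on an access port from seeding the prefix table.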
Example
Console#clear ipv6 nd snooping prefix
Console#show ipv6 nd snooping prefix
Prefix entry timeout: (seconds)
Prefix                                  Len Valid-Time Expire     VLAN Interface
--------------------------------------- --- ---------- ---------- ---- ---------
Console#

show ipv6 nd snooping
This command shows the configuration settings for ND snooping.
show ipv6 nd snooping prefix
This command shows all entries in the address prefix table.

Syntax
show ipv6 nd snooping prefix [interface vlan vlan-id]
vlan-id - VLAN ID.
Section III Appendices

This section provides additional information and includes these items:
◆ “Troubleshooting” on page 861
◆ “License Information” on page 863
A Troubleshooting

Problems Accessing the Management Interface

Table 175: Troubleshooting Chart
Symptom                                                       Action
Cannot connect using Telnet, web browser, or SNMP software    ◆ Be sure the switch is powered up.
                                                              ◆ Check network cabling between the management station and the switch.
Cannot connect using Secure Shell
Cannot access the onboard configuration program via a serial port connection
Forgot or lost the password
Using System Logs
If a fault does occur, refer to the Installation Guide to ensure that the problem you encountered is actually caused by the switch. If the problem appears to be caused by the switch, follow these steps:
1. Enable logging.
2. Set the error messages reported to include all categories.
3. Enable SNMP.
4. Enable SNMP traps.
5. Designate the SNMP host that is to receive the error messages.
6.
B License Information

This product includes copyrighted third-party software subject to the terms of the GNU General Public License (GPL), GNU Lesser General Public License (LGPL), or other related free software licenses. The GPL code used in this product is distributed WITHOUT ANY WARRANTY and is subject to the copyrights of one or more authors. For details, refer to the section "The GNU General Public License" below, or refer to the applicable license as included in the source-code archive.
Appendix B | License Information
The GNU General Public License

GNU GENERAL PUBLIC LICENSE
TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION

1. This License applies to any program or other work which contains a notice placed by the copyright holder saying it may be distributed under the terms of this General Public License.
b) Accompany it with a written offer, valid for at least three years, to give any third party, for a charge no more than your cost of physically performing source distribution, a complete machine-readable copy of the corresponding source code, to be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or,
c) Accompany it with the information you received as to the offer to distribute c
9. If the distribution and/or use of the Program is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the Program under this License may add an explicit geographical distribution limitation excluding those countries, so that distribution is permitted only in or among countries not thus excluded.
Glossary

ACL
Access Control List. ACLs can limit network traffic and restrict access to certain users or devices by checking each packet for certain IP or MAC (i.e., Layer 2) information.

ARP
Address Resolution Protocol converts between IP addresses and MAC (hardware) addresses. ARP is used to locate the MAC address corresponding to a given IP address. This allows the switch to use IP addresses for routing decisions and the corresponding MAC addresses to forward packets from one hop to the next.
DiffServ
Differentiated Services provides quality of service on large networks by employing a well-defined set of building blocks from which a variety of aggregate forwarding behaviors may be built. Each packet carries information (DS byte) used by each hop to give it a particular forwarding treatment, or per-hop behavior, at each network node.
GMRP
Generic Multicast Registration Protocol. GMRP allows network devices to register end stations with multicast groups. GMRP requires that any participating network devices or end stations comply with the IEEE 802.1p standard.

GVRP
GARP VLAN Registration Protocol. Defines a way for switches to exchange VLAN information in order to register necessary VLAN members on ports along the Spanning Tree so that VLANs defined in each switch can work automatically over a Spanning Tree network.
IGMP
Internet Group Management Protocol. A protocol through which hosts can register with their local router for multicast services. If there is more than one multicast switch/router on a given subnetwork, one of the devices is made the “querier” and assumes responsibility for keeping track of group membership.
MD5
MD5 Message-Digest is an algorithm that is used to create digital signatures. It is intended for use with 32-bit machines and is safer than the MD4 algorithm, which has been broken. MD5 is a one-way hash function, meaning that it takes a message and converts it into a fixed string of digits, also called a message digest.

MIB
Management Information Base. It is a set of database objects that contains information about a specific device.
Port Authentication
See IEEE 802.1X.

Port Mirroring
A method whereby data on a target port is mirrored to a monitor port for troubleshooting with a logic analyzer or RMON probe. This allows data on the target port to be studied unobtrusively.

Port Trunk
Defines a network link aggregation and trunking method which specifies how to create a single high-speed logical link that combines several lower-speed physical links.
SNTP
Simple Network Time Protocol allows a device to set its internal clock based on periodic updates from a Network Time Protocol (NTP) server. Updates can be requested from a specific NTP server, or can be received via broadcasts sent by NTP servers.

SSH
Secure Shell is a secure replacement for remote access functions, including Telnet. SSH can authenticate users with a cryptographic key, and encrypt data connections between management clients and the switch.
XModem
A protocol used to transfer files between devices. Data is grouped in 128-byte blocks and error-corrected.
Command List A aaa accounting dot1x 228 aaa accounting exec 229 aaa accounting update 230 aaa authorization exec 231 aaa group server 232 absolute 156 access-list arp 363 access-list ip 344 access-list ipv6 350 access-list mac 358 accounting dot1x 233 accounting exec 233 alias 371 arp timeout 821 authentication enable 218 authentication login 219 authorization exec 234 auto-traffic-control 435 auto-traffic-control action 435 auto-traffic-control alarm-clear-threshold 436 auto-traffic-control alarm-fire-thr
Command List dir 119 disable 88 discard 374 disconnect 133 dos-protection echo-chargen 332 dos-protection smurf 332 dos-protection tcp-flooding 333 dos-protection tcp-null-scan 333 dos-protection tcp-syn-fin-scan 334 dos-protection tcp-udp-port-zero 334 dos-protection tcp-xmas-scan 335 dos-protection udp-flooding 335 dos-protection win-nuke 336 dot1q-tunnel system-tunnel-control 538 dot1x default 253 dot1x eapol-pass-through 254 dot1x identity profile 261 dot1x intrusion-action 255 dot1x max-reauth-req 255
ip dhcp snooping trust 313
ip dhcp snooping verify mac-address 311
ip dhcp snooping vlan 311
ip domain-list 789
ip domain-lookup 790
ip domain-name 791
ip host 792
ip http port 236
ip http secure-port 237
ip http secure-server 238
ip http server 237
ip igmp authentication 633
ip igmp filter (Global Configuration) 630
ip igmp filter (Interface Configuration) 634
ip i
Command List lldp admin-status 717 lldp basic-tlv management-ip-address 717 lldp basic-tlv port-description 718 lldp basic-tlv system-capabilities 718 lldp basic-tlv system-description 719 lldp basic-tlv system-name 719 lldp dot1-tlv proto-ident 720 lldp dot1-tlv proto-vid 720 lldp dot1-tlv pvid 721 lldp dot1-tlv vlan-name 721 lldp dot3-tlv link-agg 722 lldp dot3-tlv mac-phy 722 lldp dot3-tlv max-frame 723 lldp holdtime-multiplier 713 lldp med-fast-start-count 714 lldp med-location civic-addr 724 lldp med-
Command List password-thresh 130 periodic 157 permit, deny 632 permit, deny 657 permit, deny (ARP ACL) 364 permit, deny (Extended IPv4 ACL) 346 permit, deny (Extended IPv6 ACL) 353 permit, deny (MAC ACL) 359 permit, deny (Standard IP ACL) 345 permit, deny (Standard IPv6 ACL) 351 ping 820 ping6 840 police flow 591 police srtcm-color 592 police trtcm-color 595 policy-map 588 port channel load-balance 404 port monitor 417 port security 280 power-save 401 pppoe intermediate-agent 270 pppoe intermediate-agent f
show ethernet cfm fault-notify-generator 774 show ethernet cfm linktrace-cache 768 show ethernet cfm ma 750 show ethernet cfm maintenance-points local 751 show ethernet cfm maintenance-points local detail mep 752 show ethernet cfm maintenance-points remote crosscheck 764 show ethernet cfm maintenance-points remote detail 753 show ethernet cfm md 749 show garp timer 526 show gvrp configuration 526 show history 86 show hosts 796 show interfaces brief 380 show interfaces counters 381 show interfa
show protocol-vlan protocol-group 553 show public-key 250 show qos map cos-dscp 578 show qos map dscp-cos 578 show qos map dscp-mutation 579 show qos map phb-queue 580 show qos map trust-mode 580 show queue mode 571 show queue weight 571 show radius-server 224 show reload 89 show rmon alarms 206 show rmon events 206 show rmon history 206 show rmon statistics 207 show rspan 426 show running-config 106 show sflow 213 show snmp 179 show snmp engine-id 190 show snmp group 191 show snmp notify-filt
switchport allowed vlan 531 switchport dot1q-tunnel mode 539 switchport dot1q-tunnel service match cvid switchport dot1q-tunnel tpid 542 switchport forbidden vlan 524 switchport gvrp 525 switchport ingress-filtering 532 switchport l2protocol-tunnel 547 switchport mode 533 switchport native vlan 534 switchport packet-rate 429 switchport priority default 570 switchport vlan-translation 548 switchport voice vlan priority 563 switchport voice vlan rule 563 switchport voice vlan security 564 switch
Index Numerics 802.1Q tunnel 537 access 539 configuration, guidelines 537 configuration, limitations 538 CVID to SVID map 540 ethernet type 542 interface configuration 539–542 mode selection 539 status, configuring 538 TPID 542 uplink 539 802.1X authenticator, configuring 255–261 global settings 253–254 port authentication 252, 254 port authentication accounting 233 supplicant, configuring 261–264 A AAA accounting 802.
selecting protocol based on message format 484 shut down port on receipt 472 bridge extension capabilities, displaying 525 broadcast storm, threshold 429 C cable diagnostics 399 CDP discard 374 CFM continuity check errors 759, 760 continuity check messages 499, 735, 755, 756 cross-check errors 757, 761, 763 cross-check message 735, 761, 763, 764 cross-check start delay 761 delay measure 775 domain service access point 742 fault isolation 735, 767 fault notification 735, 771, 772, 773 fault notificat
DiffServ 583 binding policy to interface 600 bundle rate for class map groups 589 bundle, grouping class maps 589 class map 584, 589 class map, description 585 classifying QoS traffic 586 color aware, srTCM 592 color aware, trTCM 595 color blind, srTCM 592 color blind, trTCM 595 committed burst size 591, 592, 595 committed information rate 591, 592, 595 configuring 583 conforming traffic, configuring response 591, 592, 595 description 585 excess burst size 592 metering, configuring 591 peak burst siz
firmware displaying version 110 upgrading 115 upgrading automatically 120 upgrading with FTP or TFTP 115 version, displaying 110 G gateway, IPv4 default 816 gateway, IPv6 default 824 general security measures 279 GNU license 863 GVRP enabling 522 global setting 522 interface configuration 525 H hardware version, displaying 110 HTTP, web server 237 HTTPS 238 configuring 238 replacing SSL certificate 115 secure-site certificate 115 UDP port, configuring 237 HTTPS, secure server 238 I IEEE 802.
IPv6 address dynamic configuration (global unicast) 58, 826 dynamic configuration (link-local) 58, 831 EUI format 828 EUI-64 setting 828 explicit configuration 831 global unicast 825 link-local 827, 829 manual configuration (global unicast) 54, 825 manual configuration (link-local) 54, 829 setting 53, 825 IPv6 statistics 836 J jumbo frame 112 K key private 242 public 242 user public, importing 115, 118 key pair host 242 host, generating 248 L LACP configuration 403 group attributes, configuring 41
memory utilization, setting trap 196 MEP archive, CFM 758 mirror port configuring 417 configuring local traffic 417 configuring remote traffic 420 MLD filter profiles, configuration 656 filtering & throttling 655 filtering & throttling, configuring profile 657 filtering & throttling, creating profile 656 filtering & throttling, enabling 655 filtering & throttling, interface configuration 658–659 filtering & throttling, status 655 MLD snooping 641 configuring 641 enabling 642 immediate leave 648 immed
port configuration 293 reauthentication 287 secure MAC information 297, 298 O OAM active mode 781 displaying settings and status 785–788 enabling on switch ports 778 errored frame link events 779–780 event log, displaying 785 message statistics, displaying 785 mode selection 781 passive mode 781 remote device information, displaying 788 remote loop back test 784 setting to active mode 781 setting to passive mode 781 Operations, Administration and Maintenance See OAM P password, line 129 passwords 5
R RADIUS logon authentication 220 settings 220 rate limit port 428 setting 427 remote engine ID 185 remote logging 139 remote maintenance end point, CFM 752, 753, 758, 762 Remote Monitoring See RMON rename, DiffServ 587 restarting the system 84, 88, 89 at scheduled times 84 RMON 201 alarm, displaying settings 206 alarm, setting thresholds 202 commands 201 event settings, displaying 206 response to alarm setting 203 statistics history, collection 204 statistics history, displaying 206 statistics, coll
transmission limit 467 startup files creating 115 displaying 108, 120 setting 114 static addresses, setting 454 statistics ARP 817 history for port 385 history for trunk 385 ICMP 817 IP 817 port 381 TCP 817 UDP 817 VLAN 381 STP 464 Also see STA summary, accounting 235 summer time, setting 149–152 switch clustering, for management 168 switch settings restoring 113 saving 113 SyncE automatic clock source selection 162 clock source selection 161 clock source selection, forced 163 clock source selection,
interface configuration 530–534 IP subnet-based 555 MAC-based 557 mirroring 417 port members, displaying 536 protocol 550 protocol, configuring 550 protocol, configuring groups 552 protocol, configuring interfaces 552 protocol, group configuration 552 protocol, interface configuration 552 PVID 534 statistics 381 tag swapping 548 translation, customer and service provider 548 tunneling unknown groups 534 voice 559 voice VLANs 559 detecting VoIP devices 559 enabling for ports 562–564 identifying client