ECS5520 Series Software Release v1.2.9.204 CLI Reference Guide www.edge-core.
CLI Reference Guide ECS5520-18X L2+/L3 Lite 10G Top of Rack switch with 16 10GBASE-X SFP+ ports and 2 QSFP+ ports ECS5520-18T L2+/L3 Lite 10G Top of Rack switch with 16 10GBASE-T RJ-45 ports and 2 QSFP+ ports E062021-CS-R02
How to Use This Guide

This guide includes detailed information on the switch software, including how to operate and use the management functions of the switch. To deploy this switch effectively and ensure trouble-free operation, you should first read the relevant sections in this guide so that you are familiar with all of its software features.

Who Should Read This Guide? This guide is for network administrators who are responsible for operating and maintaining network equipment.
How to Use This Guide Conventions The following conventions are used throughout this guide to show information: Note: Emphasizes important information or calls your attention to related features or instructions. Caution: Alerts you to a potential hazard that could cause loss of data, or damage the system or equipment. Documentation This documentation is provided for general information purposes only.
Contents Section I How to Use This Guide 3 Contents 5 Tables 37 Getting Started 43 1 Initial Switch Configuration Connecting to the Switch 45 45 Configuration Options 45 Connecting to the Console Port 46 Logging Onto the Command Line Interface 47 Setting Passwords 47 Remote Connections 48 Configuring the Switch for Remote Management 49 Using the Craft Port or Network Interface 49 Setting an IP Address 49 Enabling SNMP Management Access 55 Managing System Files 57 Upgrading th
Contents Configuring NTP Section II 69 Command Line Interface 2 Using the Command Line Interface Accessing the CLI 71 73 73 Console Connection 73 Telnet Connection 74 Entering Commands 75 Keywords and Arguments 75 Minimum Abbreviation 75 Command Completion 75 Getting Help on Commands 76 Partial Keyword Lookup 78 Negating the Effect of Commands 78 Using Command History 78 Understanding Command Modes 78 Exec Commands 79 Configuration Commands 80 Command Line Processing 81 Sho
Contents 4 System Management Commands Device Designation 93 93 hostname 94 Banner Information 94 banner configure 95 banner configure company 96 banner configure dc-power-info 97 banner configure department 97 banner configure equipment-info 98 banner configure equipment-location 99 banner configure ip-lan 99 banner configure lp-number 100 banner configure manager-info 101 banner configure mux 101 banner configure note 102 show banner 103 System Status 103 show access-list t
Contents General Commands 117 boot system 117 copy 118 delete 122 dir 123 umount 124 whichboot 124 Automatic Code Upgrade Commands 125 upgrade opcode auto 125 upgrade opcode path 126 upgrade opcode reload 127 show upgrade 128 TFTP Configuration Commands 128 ip tftp retry 128 ip tftp timeout 129 show ip tftp 129 Line 130 line 131 databits 131 exec-timeout 132 login 133 parity 134 password 134 password-thresh 135 silent-time 136 speed 137 stopbits 137 time
Contents logging host 143 logging level 144 logging on 144 logging trap 145 clear log 146 show log 146 show logging 147 SMTP Alerts 149 logging sendmail 149 logging sendmail destination-email 149 logging sendmail host 150 logging sendmail level 151 logging sendmail source-email 151 show logging sendmail 152 Time 152 SNTP Commands 153 sntp client 153 sntp poll 154 sntp server 155 show sntp 155 NTP Commands 156 ntp authenticate 156 ntp authentication-key 157 ntp
Contents show calendar 167 Time Range 167 time-range 167 absolute 168 periodic 169 show time-range 170 5 SNMP Commands 171 General SNMP Commands 173 snmp-server 173 snmp-server community 173 snmp-server contact 174 snmp-server location 175 show snmp 175 SNMP Target Host Commands 176 snmp-server enable traps 176 snmp-server host 177 snmp-server enable port-traps link-up-down 179 snmp-server enable port-traps mac-notification 180 show snmp-server enable port-traps 180 SN
Contents Additional Trap Commands 192 memory 192 process cpu 193 process cpu guard 194 6 Remote Monitoring Commands 197 rmon alarm 198 rmon event 199 rmon collection history 200 rmon collection rmon1 201 show rmon alarms 202 show rmon events 202 show rmon history 203 show rmon statistics 203 7 Flow Sampling Commands 205 sflow owner 206 sflow polling instance 207 sflow sampling instance 208 show sflow 209 8 Authentication Commands 211 User Accounts and Privilege Levels
Contents radius-server retransmit 221 radius-server timeout 222 show radius-server 222 TACACS+ Client 223 tacacs-server host 223 tacacs-server key 224 tacacs-server encrypted-key 225 tacacs-server port 225 tacacs-server retransmit 226 tacacs-server timeout 226 show tacacs-server 227 AAA 227 aaa accounting commands 228 aaa accounting dot1x 229 aaa accounting exec 230 aaa accounting update 231 aaa authorization commands 231 aaa authorization exec 232 aaa group server 233
Contents ip telnet port 244 ip telnet server 244 telnet (client) 244 show ip telnet 245 Secure Shell 245 ip ssh authentication-retries 248 ip ssh server 248 ip ssh timeout 249 delete public-key 250 ip ssh crypto host-key generate 250 ip ssh crypto zeroize 251 ip ssh save host-key 252 show ip ssh 252 show public-key 252 show ssh 253 802.
Contents dot1x pae supplicant 265 dot1x timeout auth-period 266 dot1x timeout held-period 266 dot1x timeout start-period 267 Information Display Commands show dot1x 267 267 Management IP Filter 270 management 270 show management 271 PPPoE Intermediate Agent 272 pppoe intermediate-agent 272 pppoe intermediate-agent format-type 273 pppoe intermediate-agent port-enable 274 pppoe intermediate-agent port-format-type 275 pppoe intermediate-agent port-format-type remote-id-delimiter 276
Contents network-access link-detection 294 network-access link-detection link-down 295 network-access link-detection link-up 295 network-access link-detection link-up-down 296 network-access max-mac-count 297 network-access mode mac-authentication 297 network-access port-mac-filter 298 mac-authentication intrusion-action 299 mac-authentication max-mac-count 299 clear network-access 300 show network-access 300 show network-access mac-address-table 301 show network-access mac-filter
Contents ip dhcp snooping trust 321 clear ip dhcp snooping binding 322 clear ip dhcp snooping database flash 322 ip dhcp snooping database flash 322 show ip dhcp snooping 323 show ip dhcp snooping binding 323 DHCPv6 Snooping 324 ipv6 dhcp snooping 324 ipv6 dhcp snooping option remote-id 327 ipv6 dhcp snooping option remote-id policy 328 ipv6 dhcp snooping vlan 329 ipv6 dhcp snooping max-binding 330 ipv6 dhcp snooping trust 330 clear ipv6 dhcp snooping binding 331 clear ipv6 dhcp
Contents ip arp inspection log-buffer logs 349 ip arp inspection validate 350 ip arp inspection vlan 351 ip arp inspection limit 352 ip arp inspection trust 352 show ip arp inspection configuration 353 show ip arp inspection interface 353 show ip arp inspection log 354 show ip arp inspection statistics 354 show ip arp inspection vlan 355 Denial of Service Protection 355 dos-protection echo-chargen 356 dos-protection land 356 dos-protection smurf 357 dos-protection tcp-flooding
Contents show ip access-group 373 show ip access-list 373 IPv6 ACLs 374 access-list ipv6 374 permit, deny (Standard IPv6 ACL) 375 permit, deny (Extended IPv6 ACL) 376 ipv6 access-group 378 show ipv6 access-group 379 show ipv6 access-list 379 MAC ACLs 380 access-list mac 380 permit, deny (MAC ACL) 381 mac access-group 385 show mac access-group 385 show mac access-list 386 ARP ACLs 386 access-list arp 386 permit, deny (ARP ACL) 387 show access-list arp 388 ACL Informatio
Contents shutdown 401 speed-duplex 402 clear counters 403 hardware profile portmode 403 show hardware profile portmode 404 show discard 405 show interfaces brief 405 show interfaces counters 406 show interfaces history 410 show interfaces status 412 show interfaces switchport 413 Transceiver Threshold Configuration 415 transceiver-monitor 415 transceiver-threshold-auto 415 transceiver-threshold current 416 transceiver-threshold rx-power 417 transceiver-threshold temperature
Contents lacp admin-key (Ethernet Interface) 433 lacp port-priority 434 lacp system-priority 435 lacp admin-key (Port Channel) 436 lacp timeout 436 Trunk Status Display Commands 437 show lacp 437 show port-channel load-balance 441 MLAG Commands 441 mlag 442 mlag domain peer-link 443 mlag group member 443 show mlag 445 show mlag group 445 show mlag domain 446 13 Port Mirroring Commands Local Port Mirroring Commands 447 447 port monitor 447 show port monitor 449 RSPAN Mirr
Contents auto-traffic-control 464 auto-traffic-control action 465 auto-traffic-control alarm-clear-threshold 466 auto-traffic-control alarm-fire-threshold 467 auto-traffic-control auto-control-release 468 auto-traffic-control control-release 468 SNMP Trap Commands 469 snmp-server enable port-traps atc broadcast-alarm-clear 469 snmp-server enable port-traps atc broadcast-alarm-fire 469 snmp-server enable port-traps atc broadcast-control-apply 470 snmp-server enable port-traps atc broadca
Contents show mac-address-table count 487 show mac-address-table hash-lookup-depth 487 17 Spanning Tree Commands 489 spanning-tree 490 spanning-tree cisco-prestandard 491 spanning-tree forward-time 491 spanning-tree hello-time 492 spanning-tree max-age 493 spanning-tree mode 493 spanning-tree mst configuration 495 spanning-tree pathcost method 495 spanning-tree priority 496 spanning-tree system-bpdu-flooding 497 spanning-tree tc-prop 497 spanning-tree transmission-limit 498 ma
Contents spanning-tree root-guard 513 spanning-tree spanning-disabled 514 spanning-tree tc-prop-stop 514 spanning-tree loopback-detection release 515 spanning-tree protocol-migration 515 show spanning-tree 516 show spanning-tree mst configuration 518 show spanning-tree tc-prop 518 18 VLAN Commands 521 GVRP and Bridge Extension Commands 522 bridge-ext gvrp 522 garp timer 523 switchport forbidden vlan 524 switchport gvrp 525 show bridge-ext 525 show garp timer 526 show gvrp co
Contents switchport dot1q-tunnel priority map 541 switchport dot1q-tunnel service match cvid 542 show dot1q-tunnel service 544 show dot1q-tunnel 545 Configuring L2PT Tunneling 546 l2protocol-tunnel tunnel-dmac 546 switchport l2protocol-tunnel 549 show l2protocol-tunnel 550 Configuring VLAN Translation 550 switchport vlan-translation 550 show vlan-translation 552 Configuring Protocol-based VLANs 553 protocol-vlan protocol-group (Configuring Groups) 554 protocol-vlan protocol-group
Contents erps vlan-group 573 erps ring 573 erps instance 574 ring-port 575 exclusion-vlan 576 enable (ring) 576 enable (instance) 577 meg-level 577 control-vlan 578 rpl owner 579 rpl neighbor 580 wtr-timer 581 guard-timer 581 holdoff-timer 582 major-ring 583 propagate-tc 583 bpdu-tcn-notify 584 non-revertive 584 raps-def-mac 588 raps-without-vc 589 version 591 inclusion-vlan 592 physical-ring 593 erps forced-switch 593 erps manual-switch 595 erps clear 597
Contents show queue mode 607 show queue weight 607 Priority Commands (Layer 3 and 4) 608 qos map phb-queue 609 qos map cos-dscp 610 qos map dscp-mutation 611 qos map ip-prec-dscp 612 qos map trust-mode 613 show qos map cos-dscp 614 show qos map dscp-mutation 615 show qos map ip-prec-dscp 616 show qos map phb-queue 616 show qos map trust-mode 617 21 Quality of Service Commands 619 class-map 620 description 621 match 622 rename 623 policy-map 623 class 624 police flow
Contents 23 Multicast Filtering Commands IGMP Snooping 641 641 ip igmp snooping 643 ip igmp snooping mrouter-forward-mode dynamic 644 ip igmp snooping priority 644 ip igmp snooping proxy-reporting 645 ip igmp snooping querier 646 ip igmp snooping router-alert-option-check 646 ip igmp snooping router-port-expire-time 647 ip igmp snooping tcn-flood 647 ip igmp snooping tcn-query-solicit 648 ip igmp snooping unregistered-data-flood 649 ip igmp snooping unsolicited-report-interval 650 i
Contents IGMP Filtering and Throttling 668 ip igmp filter (Global Configuration) 669 ip igmp profile 669 permit, deny 670 range 670 ip igmp authentication 671 ip igmp filter (Interface Configuration) 673 ip igmp max-groups 673 ip igmp max-groups action 674 ip igmp query-drop 675 ip multicast-data-drop 675 show ip igmp authentication 676 show ip igmp filter 676 show ip igmp profile 677 show ip igmp query-drop 678 show ip igmp throttle interface 678 show ip multicast-data-drop
Contents show ipv6 mld snooping group source-list 692 show ipv6 mld snooping mrouter 692 show ipv6 mld snooping statistics 693 MLD Filtering and Throttling 697 ipv6 mld filter (Global Configuration) 698 ipv6 mld profile 698 permit, deny 699 range 699 ipv6 mld filter (Interface Configuration) 700 ipv6 mld max-groups 701 ipv6 mld max-groups action 702 ipv6 mld query-drop 702 ipv6 multicast-data-drop 703 show ipv6 mld filter 703 show ipv6 mld profile 704 show ipv6 mld query-drop
Contents show mvr interface 720 show mvr members 721 show mvr profile 723 show mvr statistics 723 24 LLDP Commands 729 lldp 731 lldp holdtime-multiplier 731 lldp med-fast-start-count 732 lldp notification-interval 732 lldp refresh-interval 733 lldp reinit-delay 733 lldp tx-delay 734 lldp admin-status 735 lldp basic-tlv management-ip-address 735 lldp basic-tlv management-ipv6-address 736 lldp basic-tlv port-description 737 lldp basic-tlv system-capabilities 737 lldp basic-t
Contents show lldp info local-device 749 show lldp info remote-device 750 show lldp info statistics 752 25 OAM Commands 753 efm oam 754 efm oam critical-link-event 754 efm oam link-monitor frame 755 efm oam link-monitor frame threshold 756 efm oam link-monitor frame window 756 efm oam mode 757 clear efm oam counters 758 clear efm oam event-log 758 efm oam remote-loopback 759 efm oam remote-loopback test 760 show efm oam counters interface 761 show efm oam event-log interface
Contents DHCP for IPv4 774 ip dhcp dynamic-provision 774 ip dhcp client class-id 775 ip dhcp restart client 777 show ip dhcp dynamic-provision 777 DHCP for IPv6 778 ipv6 dhcp client rapid-commit vlan 778 ipv6 dhcp restart client vlan 778 show ipv6 dhcp duid 780 show ipv6 dhcp vlan 780 DHCP Relay 781 DHCP Relay for IPv4 781 ip dhcp relay server 781 ip dhcp restart relay 782 DHCP Relay for IPv6 783 ipv6 dhcp relay destination 783 show ipv6 dhcp relay destination 784 DHCP Ser
Contents show ip dhcp binding 797 show ip dhcp 798 show ip dhcp pool 798 28 IP Interface Commands 801 IPv4 Interface 801 Basic IPv4 Configuration 802 ip address 802 ip default-gateway 804 show ip interface 805 show ip traffic 806 traceroute 807 ping 808 ARP Configuration 809 arp 809 arp timeout 810 ip proxy-arp 811 clear arp-cache 812 show arp 812 IPv6 Interface 813 Interface Address Configuration and Utilities 814 ipv6 default-gateway 814 ipv6 address 815 ipv6 a
Contents Neighbor Discovery 833 ipv6 hop-limit 833 ipv6 neighbor 834 ipv6 nd dad attempts 835 ipv6 nd managed-config-flag 837 ipv6 nd other-config-flag 837 ipv6 nd ns-interval 838 ipv6 nd raguard 839 show ipv6 nd raguard 840 ipv6 nd reachable-time 841 ipv6 nd prefix 841 ipv6 nd ra interval 843 ipv6 nd ra lifetime 844 ipv6 nd ra router-preference 844 ipv6 nd ra suppress 845 clear ipv6 neighbors 846 show ipv6 neighbors 846 show ipv6 nd prefix 847 ND Snooping 848 ipv6 nd
Contents IPv4 Commands 858 ip route 858 show ip route 859 show ip host-route 860 show ip route database 861 show ip route summary 861 show ip traffic 862 IPv6 Commands 863 ipv6 route 863 show ipv6 route 864 ECMP Commands 865 maximum-paths Section III 865 Appendices 867 A Troubleshooting 869 Problems Accessing the Management Interface 869 Using System Logs 870 B License Information 871 The GNU General Public License 871 List of Commands 875 – 35 –
Tables Table 1: Options 60, 66 and 67 Statements 67 Table 2: Options 55 and 124 Statements 67 Table 3: General Command Modes 79 Table 4: Configuration Command Modes 81 Table 5: Keystroke Commands 81 Table 6: Command Group Index 83 Table 7: General Commands 85 Table 8: System Management Commands 93 Table 9: Device Designation Commands 93 Table 10: Banner Commands 94 Table 11: System Status Commands 103 Table 12: show access-list tcam-utilization - display description 105 Table 13: sh
Tables Table 30: show snmp group - display description 187 Table 31: show snmp user - display description 188 Table 32: show snmp view - display description 189 Table 33: RMON Commands 197 Table 34: sFlow Commands 205 Table 35: Authentication Commands 211 Table 36: User Access Commands 212 Table 37: Default Login Settings 214 Table 38: Authentication Sequence Commands 216 Table 39: RADIUS Client Commands 218 Table 40: TACACS+ Client Commands 223 Table 41: AAA Commands 227 Table 42:
Tables Table 65: Commands for Configuring Traffic Segmentation 362 Table 66: Traffic Segmentation Forwarding 362 Table 67: Access Control List Commands 367 Table 68: IPv4 ACL Commands 367 Table 69: IPv6 ACL Commands 374 Table 70: MAC ACL Commands 380 Table 71: ARP ACL Commands 386 Table 72: ACL Information Commands 389 Table 73: Interface Commands 393 Table 74: show interfaces counters - display description 407 Table 75: show interfaces switchport - display description 414 Table 76: L
Tables Table 100: L2 Protocol Tunnel Commands 546 Table 101: VLAN Translation Commands 550 Table 102: Protocol-based VLAN Commands 553 Table 103: IP Subnet VLAN Commands 557 Table 104: MAC Based VLAN Commands 559 Table 105: Voice VLAN Commands 561 Table 106: ERPS Commands 569 Table 107: ERPS Request/State Priority 594 Table 108: show erps statistics - detailed display description 599 Table 109: show erps ring - summary display description 600 Table 110: Priority Commands 603 Table 1
Tables Table 135: show mvr interface - display description 720 Table 136: show mvr members - display description 722 Table 137: show mvr statistics input - display description 724 Table 138: show mvr statistics output - display description 724 Table 139: show mvr statistics query - display description 725 Table 140: show mvr statistics summary interface - display description 726 Table 141: show mvr statistics summary interface mvr vlan - description 727 Table 142: LLDP Commands 729 Table 14
Section I Getting Started This section describes how to configure the switch for management access through the web interface or SNMP.
1 Initial Switch Configuration This chapter includes information on connecting to the switch and basic configuration procedures. Connecting to the Switch The switch includes a built-in network management agent. The agent offers a variety of management options, including SNMP, RMON and a web-based interface. A PC may also be connected directly to the switch for configuration and monitoring via a command line interface (CLI). Note: An IPv4 address for this switch is obtained via DHCP by default.
Chapter 1 | Initial Switch Configuration
Connecting to the Switch
◆ Filter packets using Access Control Lists (ACLs)
◆ Configure up to 4094 IEEE 802.

4. Power on the switch. After the system completes the boot cycle, the logon screen appears.

Logging Onto the Command Line Interface: The CLI program provides two different command levels — normal access level (Normal Exec) and privileged access level (Privileged Exec).

4. Type “username admin password 0 password,” for the Privileged Exec level, where password is your new password. Press Enter.

Username: admin
Password:
CLI session with the ECS5520-18X is opened.
To end the CLI session, enter [Exit].
Configuring the Switch for Remote Management

Using the Craft Port or Network Interface: The Craft port is dedicated for out-of-band management. In general, the Craft port should be used to manage the switch for security reasons. Traffic on this port is segregated from normal network traffic on other switch ports and cannot be switched or routed to the operational network.

Assigning an IPv4 Address: Before you can assign an IP address to the switch, you must obtain the following information from your network administrator:
◆ IP address for the switch
◆ Network mask for this network
◆ Default gateway for the network
To assign an IPv4 address to the switch, complete the following steps:
1.

To configure an IPv6 link local address for the switch, complete the following steps:
1. From the Global Configuration mode prompt, type “interface vlan 1” to access the interface-configuration mode. Press Enter.
2. Type “ipv6 address” followed by up to 8 colon-separated 16-bit hexadecimal values for the ipv6-address similar to that shown in the example, followed by the “link-local” command parameter.

To generate an IPv6 global unicast address for the switch, complete the following steps:
1. From the global configuration mode prompt, type “interface vlan 1” to access the interface-configuration mode. Press Enter.
2.

Dynamic Configuration

Obtaining an IPv4 Address: If you select the “bootp” or “dhcp” option, the system will immediately start broadcasting service requests. IP will be enabled but will not function until a BOOTP or DHCP reply has been received. Requests are broadcast every few minutes using exponential backoff until IP configuration information is obtained from a BOOTP or DHCP server.

Console(config)#interface vlan 1
Console(config-if)#ip address dhcp
Console(config-if)#end
Console#show ip interface
VLAN 1 is Administrative Up - Link Up
  Address is 00-E0-0C-00-00-FD
  Index: 1001, MTU: 1500
  Address Mode is DHCP
  IP Address: 192.168.0.4 Mask: 255.255.255.
Enabling SNMP Management Access
The switch can be configured to accept management commands from Simple Network Management Protocol (SNMP) applications such as Edge-Core ECView Pro. You can configure the switch to respond to SNMP requests or generate SNMP traps.

Console(config)#snmp-server community admin rw
Console(config)#snmp-server community private
Console(config)#
Note: If you do not intend to support access to SNMP version 1 and 2c clients, we recommend that you delete both of the default community strings. If there are no community strings, then SNMP management access from SNMP v1 and v2c clients is disabled.
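The note above ties SNMP v1/v2c exposure directly to the presence of community strings, so the check a network administrator wants after configuring SNMP is a quick audit of the saved running-config. The following Python script is an added example and is not part of this guide or of the switch software: it scans a running-config capture for "snmp-server community" lines and flags factory-default strings, read-write communities, and short strings, and it reports whether v1/v2c access is still possible at all. It assumes the config form "snmp-server community <string> [ro|rw]" with read-only as the default when the keyword is omitted, and it assumes the factory-default strings are "public" and "private"; both sample configurations in the block are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Iterator, List, Tuple

# Community strings commonly shipped as factory defaults (assumption for this
# example; confirm against the switch's own documentation).
DEFAULT_COMMUNITIES = {"public", "private"}

# Assumed running-config form: "snmp-server community <string> [ro|rw]",
# with read-only access when the keyword is omitted.
COMMUNITY_RE = re.compile(r"^\s*snmp-server\s+community\s+(\S+)(?:\s+(ro|rw))?\s*$")

# Constructed sample: a config that still carries a default community string
# and a read-write community.
SAMPLE_CONFIG = """\
snmp-server
snmp-server community admin rw
snmp-server community private
snmp-server contact noc
"""

# Constructed sample after hardening: defaults removed, one long read-only
# community kept for legacy v2c monitoring.
HARDENED_CONFIG = """\
snmp-server
snmp-server community Zq8vL3pW9rTkA2 ro
snmp-server contact noc
"""


@dataclass
class Finding:
    line_no: int
    community: str
    access: str
    issue: str


def parse_communities(config_text: str) -> Iterator[Tuple[int, str, str]]:
    """Yield (line number, community string, access mode) for each community line."""
    for line_no, line in enumerate(config_text.splitlines(), start=1):
        match = COMMUNITY_RE.match(line)
        if match:
            yield line_no, match.group(1), match.group(2) or "ro"


def v1_v2c_enabled(config_text: str) -> bool:
    """SNMP v1/v2c access is only possible while at least one community exists."""
    return any(True for _ in parse_communities(config_text))


def audit_snmp_config(config_text: str, min_length: int = 12) -> List[Finding]:
    """Flag default, read-write and short community strings in a running-config."""
    findings: List[Finding] = []
    for line_no, name, access in parse_communities(config_text):
        if name.lower() in DEFAULT_COMMUNITIES:
            findings.append(Finding(line_no, name, access,
                                    "default community string still configured"))
        if access == "rw":
            findings.append(Finding(line_no, name, access,
                                    "read-write community allows configuration changes over v1/v2c"))
        if len(name) < min_length:
            findings.append(Finding(line_no, name, access,
                                    f"community string shorter than {min_length} characters"))
    return findings


if __name__ == "__main__":
    import sys

    # Pass the path of a saved "show running-config" capture, or use the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    print("v1/v2c access enabled:", v1_v2c_enabled(text))
    for f in audit_snmp_config(text):
        print(f"line {f.line_no}: community '{f.community}' ({f.access}): {f.issue}")
```

Run it against a saved copy of the running-config after each SNMP change; an empty finding list together with v1_v2c_enabled() returning False is the state the note describes, where only SNMPv3 users can reach the agent.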
For a more detailed explanation on how to configure the switch for access from SNMP v3 clients, refer to “SNMP Commands” on page 171 or to the Web Management Guide.

Managing System Files
The switch’s flash memory supports three types of system files that can be managed by the CLI program, the web interface, or SNMP. The switch’s file system allows files to be uploaded and downloaded, copied, deleted, and set as a start-up file.
config, the system will reboot, and the settings will have to be copied from the running-config to a permanent file.

Upgrading the Operation Code: The following example shows how to download new firmware to the switch and activate it. The TFTP server could be any standards-compliant server running on Windows or Linux.

There can be more than one user-defined configuration file saved in the switch’s flash memory, but only one is designated as the “startup” file that is loaded when the switch boots. The copy running-config startup-config command always sets the new file as the startup file. To select a previously saved configuration file, use the boot system config: command.
Installing a Port License File
The switch ports are disabled by default. The ports will only function when a port license is obtained from Edgecore and installed on the switch. To verify whether or not a port license is installed on the switch, enter the show interfaces brief command from the console port. If a port Status displays “License,” then you need to obtain and install a port license for those ports.

Jumbo Frame : Disabled
System Fan:
  Force Fan Speed Full : Disabled
  Unit 1
    Fan 1: Ok              Fan 2: Ok              Fan 3: Ok
    Fan 1 speed: 6293 rpm  Fan 2 speed: 8837 rpm  Fan 3 speed: 6279 rpm
System Temperature:
  Unit 1
    Temperature 1: 35 degrees  Temperature 2: 26 degrees
Unit 1
  Main Power Status : Up
  Redundant Power Status : Not present

To install a license, first verify that the switch is configured with a valid IP address (see “Setting an IP Addre

 Eth 1/15  Down  1  0  10Gfull  10GBASE SFP+  None
 Eth 1/16  Down  1  0  10Gfull  10GBASE SFP+  None
 Eth 1/17  Down  1  0  40Gfull  40GBASE QSFP  None
 Eth 1/18  Down  1  0  40Gfull  40GBASE QSFP  None
Console#

Automatic Installation of Operation Code and Configuration Settings

Downloading Operation Code: Automatic Operation Code Upgrade can automatically download an operation code file when a file newer than the curr
notable exception in the list of case-sensitive Unix-like operating systems is Mac OS X, which by default is case-insensitive. Please check the documentation for your server’s operating system if you are unsure of its file system’s behavior.

This shows how to specify a TFTP server where new code is stored.
Console(config)#upgrade opcode path tftp://192.168.0.1/sm24/
Console(config)#
This shows how to specify an FTP server where new code is stored.
Console(config)#upgrade opcode path ftp://site9:billy@192.168.0.1/sm24/
Console(config)#
2.

The following shows an example of the upgrade process.
Console#dir
File Name                  Type     Startup  Modify Time          Size(bytes)
-------------------------- -------- -------  -------------------  -----------
Unit 1:
 ECS5520_V1.0.3.191.bix     OpCode   Y        2016-10-17 11:30:26  9027848
 Factory_Default_Config.cfg Config   N        2015-04-13 13:55:58  455
 startup1.
Downloading a Configuration File and Other Parameters from a DHCP Server
The general framework for this DHCP option is set out in RFC 2132 (Option 60). This information is used to convey configuration settings or other identification information about a client, but the specific string to use should be supplied by your service provider or network administrator.

◆ If the switch does not receive a DHCP response prior to completing the bootup process, it will continue to send a DHCP client request once a minute. These requests will only be terminated if the switch’s address is manually configured, but will resume if the address mode is set back to DHCP.

#option 66, 67
option space dynamicProvision code width 1 length 1 hash size 2;
option dynamicProvision.tftp-server-name code 66 = text;
option dynamicProvision.bootfile-name code 67 = text;
subnet 192.168.255.0 netmask 255.255.255.0 {
  range 192.168.255.160 192.168.255.200;
  option routers 192.168.255.101;
  option tftp-server-name "192.168.255.

Setting the System Clock
To set the time zone, enter a command similar to the following.
Console(config)#clock timezone Japan hours 8 after-UTC
Console(config)#
To set the time shift for summer time, enter a command similar to the following.
Console(config)#clock summer-time SUMMER date 2 april 2013 0 0 30 june 2013 0 0
Console(config)#
To display the clock configuration settings, enter the following command.

To configure NTP time synchronization, enter commands similar to the following.
Console(config)#ntp client
Console(config)#ntp authentication-key 45 md5 thisiskey45
Console(config)#ntp authenticate
Console(config)#ntp server 192.168.3.20
Console(config)#ntp server 192.168.3.21
Console(config)#ntp server 192.168.5.
Section II Command Line Interface This section provides a detailed description of the Command Line Interface, along with examples for all of the commands.
◆ “VLAN Commands” on page 521
◆ “ERPS Commands” on page 569
◆ “Class of Service Commands” on page 603
◆ “Quality of Service Commands” on page 619
◆ “Control Plane Commands” on page 637
◆ “Multicast Filtering Commands” on page 641
◆ “LLDP Commands” on page 729
◆ “OAM Commands” on page 753
◆ “Domain Name Service Commands” on page 765
◆ “DHCP Commands” on page 773
◆ “IP Interface Commands” on page 801
◆ “IP Routing Commands” on page 857
2 Using the Command Line Interface This chapter describes how to use the Command Line Interface (CLI). Note: You can only access the console interface through the Master unit in the stack. Accessing the CLI When accessing the management interface for the switch over a direct connection to the server’s console port, or via a Telnet or Secure Shell connection (SSH), the switch can be managed by entering command keywords and parameters at the prompt.
Chapter 2 | Using the Command Line Interface Accessing the CLI Telnet Connection Telnet operates over the IP transport protocol. In this environment, your management station and any network device you want to manage over the network must have a valid IP address. Valid IP addresses consist of four numbers, 0 to 255, separated by periods. Each address consists of a network portion and host portion. For example, the IP address assigned to this switch, 10.1.0.1, consists of a network portion (10.1.
Note: You can open up to eight sessions to the device via Telnet or SSH.

Entering Commands
This section describes how to enter CLI commands.

Keywords and Arguments: A CLI command is a series of keywords and arguments. Keywords identify a command, and arguments specify configuration parameters.

Getting Help on Commands: You can display a brief description of the help system by entering the help command. You can also display command syntax by using the “?” character to list keywords or parameters.

Showing Commands: If you enter a “?” at the command prompt, the system will display the first level of keywords or command groups. You can also display a list of valid keywords for a specific command.

  power-save            Shows the power saving information
  pppoe                 Displays PPPoE configuration
  privilege             Shows current privilege level
  process               Device process P
  protocol-vlan public-key qos queue radius-server reload rmon rspan running-config sflow snmp snmp-server sntp spanning-tree ssh startup-config subnet-vlan system tacacs-server tech-support time-range traffic-segmentation upgrade users version vlan vlan-translation voice watchdog web-auth
Console#show

Partial Keyword Lookup: If you terminate a partial keyword with a question mark, alternatives that match the initial letters are provided. (Remember not to leave a space between the command and question mark.) For example “s?” shows all the keywords starting with “s.
Table 3: General Command Modes
Class          Mode
Exec           Normal
               Privileged
Configuration  Global*
               Access Control List
               Class Map
               DHCP
               IGMP Profile
               Interface
               Line
               Multiple Spanning Tree
               Policy Map
               Time Range
               VLAN Database
* You must be in Privileged Exec mode to access the Global configuration mode. You must be in Global Configuration mode to access any of the other configuration modes.
Configuration Commands
Configuration commands are privileged level commands used to modify switch settings. These commands modify the running configuration only and are not saved when the switch is rebooted. To store the running configuration in nonvolatile storage, use the copy running-config startup-config command.
Chapter 2 | Using the Command Line Interface Entering Commands To enter the other modes, at the configuration prompt type one of the following commands. Use the exit or end command to return to the Privileged Exec mode.
Table 5: Keystroke Commands (Continued)
Keystroke  Function
Ctrl-F     Shifts cursor to the right one character.
Ctrl-K     Deletes all characters from the cursor to the end of the line.
Ctrl-L     Repeats current command line on a new line.
Ctrl-N     Enters the next command line in the history buffer.
Ctrl-P     Enters the last command.
Ctrl-R     Repeats current command line on a new line.
Ctrl-U     Deletes from the cursor to the beginning of the line.
Chapter 2 | Using the Command Line Interface CLI Command Groups CLI Command Groups The system commands can be broken down into the functional groups shown below.
Table 6: Command Group Index (Continued)
Command Group     Description                                                                                                                     Page
ERPS              Configures Ethernet Ring Protection Switching for increased availability of Ethernet rings commonly used in service provider networks   569
VLANs             Configures VLAN settings, and defines port membership for VLAN groups; also enables or configures private VLANs, protocol VLANs, voice VLANs, and QinQ tunneling   521
Class of Service  Sets port priority for untagged fr
3 General Commands The general commands are used to control the command access mode, configuration mode, and other basic functions.
Command Usage
This command can be used to set the command line prompt as shown in the example below. Using the no form of either command will restore the default command line prompt.
Example
Console(config)#prompt RD2
RD2(config)#

reload (Global Configuration)
This command restarts the system at a specified time, after a specified delay, or at a periodic interval. You can reboot the system immediately, or you can configure the switch to reset after a specified amount of time.
Chapter 3 | General Commands Command Mode Privileged Exec, Global Configuration Command Usage ◆ This command resets the entire system. ◆ Any combination of reload options may be specified. If the same option is respecified, the previous setting will be overwritten. ◆ When the system is restarted, it will always run the Power-On Self-Test. It will also retain all configuration information stored in non-volatile memory by the copy running-config startup-config command (See “copy” on page 118).
Example
Console>enable
Password: [privileged level password]
Console#
Related Commands
disable (90)
enable password (212)

quit
This command exits the configuration program.
Default Setting
None
Command Mode
Normal Exec, Privileged Exec
Command Usage
The quit and exit commands can both exit the configuration program.
Example
In this example, the show history command lists the contents of the command history buffer:
Console#show history
Execution command history:
 2 config
 1 show history
Configuration command history:
 4 interface vlan 1
 3 exit
 2 interface vlan 1
 1 end
Console#
The ! command repeats commands from the Execution command history buffer when you are in Normal Exec or Privileged Exec Mode, and commands from the Configuration command history buffer when you are in any of the config
Chapter 3 | General Commands disable This command returns to Normal Exec mode from privileged mode. In normal access mode, you can only display basic information on the switch's configuration or Ethernet statistics. To gain access to all commands, you must use the privileged mode. See “Understanding Command Modes” on page 78. Default Setting None Command Mode Privileged Exec Command Usage The “>” character is appended to the end of the prompt to indicate that the system is in normal access mode.
show reload
This command displays the current reload settings, and the time at which the next scheduled reload will take place.
Command Mode
Privileged Exec
Example
Console#show reload
Reloading switch in time: 0 hours 29 minutes.
The switch will be rebooted at January 1 02:11:50 2015.
Remaining Time: 0 days, 0 hours, 29 minutes, 52 seconds.
Console#

end
This command returns to Privileged Exec mode.
Example
This example shows how to return to the Privileged Exec mode from the Global Configuration mode, and then quit the CLI session:
Console(config)#exit
Console#exit
Press ENTER to start session
User Access Verification
Username:
4 System Management Commands The system management commands are used to control system logs, passwords, user names, management options, and display or configure a variety of other system information.
Chapter 4 | System Management Commands Banner Information hostname This command specifies or modifies the host name for this device. Use the no form to restore the default host name. Syntax hostname name no hostname name - The name of this host. (Maximum length: 255 characters) Default Setting None Command Mode Global Configuration Command Usage ◆ The host name specified by this command is displayed by the show system command and on the Show > System web page.
Table 10: Banner Commands (Continued)
Command                              Function                                                                    Mode
banner configure equipment-location  Configures the Equipment Location information that is displayed by banner   GC
banner configure ip-lan              Configures the IP and LAN information that is displayed by banner           GC
banner configure lp-number           Configures the LP Number information that is displayed by banner            GC
banner configure manager-info        Configures the Manager contact information that is
Chapter 4 | System Management Commands Banner Information phone number: 123-555-1212 Manager2 name: Jr. Network Admin phone number: 123-555-1213 Manager3 name: Night-shift Net Admin / Janitor phone number: 123-555-1214 The physical location of the equipment. City and street address: 12 Straight St. Motown, Zimbabwe Information about this equipment: Manufacturer: Edgecore Networks ID: 123_unique_id_number Floor: 2 Row: 7 Rack: 29 Shelf in this rack: 8 Information about DC power supply.
banner configure dc-power-info
This command is used to configure the DC power information displayed in the banner. Use the no form to restore the default setting.
Syntax
banner configure dc-power-info floor floor-id row row-id rack rack-id electrical-circuit ec-id
no banner configure dc-power-info [floor | row | rack | electrical-circuit]
floor-id - The floor number.
row-id - The row number.
rack-id - The rack number.
ec-id - The electrical circuit ID.
Chapter 4 | System Management Commands Banner Information Command Mode Global Configuration Command Usage Input strings cannot contain spaces. The banner configure department command interprets spaces as data input boundaries. The use of underscores ( _ ) or other unobtrusive non-letter characters is suggested for situations where white space is necessary for clarity.
Example
Console(config)#banner configure equipment-info manufacturer-id ECS5520-18X floor 3 row 10 rack 15 shelf-rack 12 manufacturer Edgecore
Console(config)#

banner configure equipment-location
This command is used to configure the equipment location information displayed in the banner. Use the no form to restore the default setting.
Chapter 4 | System Management Commands Banner Information Command Mode Global Configuration Command Usage Input strings cannot contain spaces. The banner configure ip-lan command interprets spaces as data input boundaries. The use of underscores ( _ ) or other unobtrusive non-letter characters is suggested for situations where white space is necessary for clarity. Example Console(config)#banner configure ip-lan 192.168.1.1/255.255.255.
banner configure manager-info
This command is used to configure the manager contact information displayed in the banner. Use the no form to restore the default setting.
Syntax
banner configure manager-info name mgr1-name phone-number mgr1-number [name2 mgr2-name phone-number mgr2-number | name3 mgr3-name phone-number mgr3-number]
no banner configure manager-info [name1 | name2 | name3]
mgr1-name - The name of the first manager.
Chapter 4 | System Management Commands Banner Information Default Setting None Command Mode Global Configuration Command Usage Input strings cannot contain spaces. The banner configure mux command interprets spaces as data input boundaries. The use of underscores ( _ ) or other unobtrusive non-letter characters is suggested for situations where white space is necessary for clarity.
System Status

show banner
This command displays all banner information.
Command Mode
Privileged Exec
Example
Console#show banner
Edgecore
WARNING - MONITORED ACTIONS AND ACCESSES
R&D
Albert_Einstein - 123-555-1212
Lamar - 123-555-1219
Station's information:
710_Network_Path,_Indianapolis
ECS5520-18X
Floor / Row / Rack / Sub-Rack
3/ 10 / 15 / 12
DC power supply:
Power Source A: Floor / Row / Rack / Electrical circuit
3/ 15 / 24 / 48v-id_3.15.24.
Table 11: System Status Commands (Continued)
Command            Function                                                                                                          Mode
show users         Shows all active console and Telnet sessions, including user name, idle time, and IP address of Telnet clients   NE, PE
show version       Displays version information for the system                                                                       NE, PE
show watchdog      Shows if watchdog debugging is enabled                                                                            PE
watchdog software  Monitors key processes, and automatically reboots the system if any of these processes are not responding correc
Console#
Table 12: show access-list tcam-utilization - display description
Field                 Description
Pool Capability Code  Abbreviation for processes shown in the TCAM List.
Unit                  Stack unit identifier.
Device                Memory chip used for indicated pools.
Pool                  Rule slice (or call group). Each slice has a fixed number of rules that are used for the specified features.
Chapter 4 | System Management Commands System Status show process cpu This command shows the CPU utilization parameters, alarm status, and alarm thresholds.
Chapter 4 | System Management Commands System Status Table 13: show process cpu guard - display description Field Description CPU Guard Configuration Status Shows if CPU Guard has been enabled. High Watermark If the percentage of CPU usage time is higher than the high-watermark, the switch stops packet flow to the CPU (allowing it to catch up with packets already in the buffer) until usage time falls below the low watermark.
Chapter 4 | System Management Commands System Status FS HTTP_TD HW_WTDOG_TD IML_TX IP_SERVICE_GROU KEYGEN_TD L2_L4_PROCESS L2MCAST_GROUP L2MUX_GROUP L4_GROUP LACP_GROUP MSL_TD NETACCESS_GROUP NETACCESS_NMTR NETCFG_GROUP NETCFG_PROC NIC NMTRDRV NSM_GROUP NSM_PROC NSM_TD OSPF6_TD OSPF_TD PIM_GROUP PIM_PROC PIM_SM_TD POE_PROC RIP_TD SNMP_GROUP SNMP_TD SSH_GROUP SSH_TD STA_GROUP STKCTRL_GROUP STKTPLG_GROUP SWCTRL_GROUP SWCTRL_TD SWDRV_MONITOR SYS_MGMT_PROC SYSDRV SYSLOG_TD SYSMGMT_GROUP SYSTEM UDLD_GROUP WTDOG
Chapter 4 | System Management Commands System Status show running-config This command displays the configuration information currently in use. Syntax show running-config [interface interface] interface ethernet unit/port unit - Unit identifier. (Range: 1) port - Port number. (Range: 1-18) port-channel channel-id (Range: 1-12) vlan vlan-id (Range: 1-4094) Command Mode Privileged Exec Command Usage Use the interface keyword to display configuration data for the specified interface.
enable password 7 1b3231655cebb7a1f783eddf27d254ca
!
vlan database
 VLAN 1 name DefaultVlan media ethernet
!
spanning-tree mst configuration
!
interface ethernet 1/1
 no negotiation
...
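The "enable password 7 ..." line in the running configuration above is worth a closer look from a security standpoint. The following Python script is an added example, not part of the manual or the switch firmware: it pulls type 7 password lines out of a configuration dump and runs a dictionary check against them. It assumes, as the 32 hex digits suggest, that type 7 stores an unsalted MD5 digest of the password. The configuration text is constructed for the example (the username lines and the admin digest are assumptions; the enable digest is the one the manual prints), and the wordlist is constructed too.

```python
import hashlib
import re

# Constructed digest for a hypothetical 'admin' account (password "switch").
ADMIN_DIGEST = hashlib.md5(b"switch").hexdigest()

# Constructed excerpt modelled on the manual's running-config sample; the
# username lines are assumptions, the enable digest is the manual's own.
SAMPLE_CONFIG = f"""\
!
username admin access-level 15
username admin password 7 {ADMIN_DIGEST}
enable password 7 1b3231655cebb7a1f783eddf27d254ca
!
vlan database
 VLAN 1 name DefaultVlan media ethernet
!
"""

# Matches "enable password 7 <32 hex>" and "username <name> password 7 <32 hex>".
TYPE7_LINE = re.compile(
    r"^\s*(?:username\s+(?P<user>\S+)\s+|enable\s+)password\s+7\s+"
    r"(?P<digest>[0-9a-fA-F]{32})\s*$"
)

# Constructed wordlist: a few vendor-style defaults plus decoys.
WORDLIST = ["admin", "password", "super", "switch", "default"]


def extract_type7(config_text):
    """Return [(account, digest), ...] for every type 7 password line.
    The enable password is reported under the account name 'enable'."""
    found = []
    for line in config_text.splitlines():
        m = TYPE7_LINE.match(line)
        if m:
            found.append((m.group("user") or "enable", m.group("digest").lower()))
    return found


def type7_digest(password):
    """Assumed type 7 encoding: unsalted MD5 of the password bytes."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def crack_type7(digest, wordlist):
    """Return the first wordlist entry whose digest matches, or None.
    With no salt, one MD5 per candidate covers every device using that password."""
    target = digest.lower()
    for candidate in wordlist:
        if type7_digest(candidate) == target:
            return candidate
    return None


def audit_config(config_text, wordlist):
    """Map each account to its recovered password, or None if not in the wordlist."""
    return {account: crack_type7(digest, wordlist)
            for account, digest in extract_type7(config_text)}


if __name__ == "__main__":
    for account, result in audit_config(SAMPLE_CONFIG, WORDLIST).items():
        status = f"weak password {result!r}" if result else "no wordlist match"
        print(f"{account}: {status}")
```

Because the stored value is an unsalted digest, every switch configured with the same password carries the same 32-digit string, and a dictionary that hits once hits everywhere. Treat running-config and startup-config dumps, and any TFTP or FTP copies of them, as secrets.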
Example
Refer to the example for the running configuration file.
Related Commands
show running-config (109)

show system
This command displays system information.
Default Setting
None
Command Mode
Normal Exec, Privileged Exec
Example
Console#show system
System Description : ECS5520-18X
System OID String  : 1.3.6.1.4.1.259.10.1.51.102
System Information
System Up Time     : 0 days, 2 hours, 0 minutes, and 45.
Table 14: show system – display description (Continued)
Parameter        Description
System Up Time   Length of time the management agent has been up.
System Name      Name assigned to the switch system.
System Location  Specifies the system location.
System Contact   Administrator responsible for the system.
MAC Address      MAC address assigned to this switch.
Web Server/Port  Shows administrative status of the web server and its TCP port number.
Free space for compressed user config files: 434,008,064
Total space: 1,073,741,824
show arp:
ARP Cache Timeout: 1200 (seconds)
IP Address       MAC Address        Type       Interface
---------------  -----------------  ---------  ----------
192.168.2.
show version
This command displays hardware and software version information for the system.
Command Mode
Normal Exec, Privileged Exec
Example
Console#show version
Unit 1
 Serial Number          : S123456
 Hardware Version       : R0A
 EPLD Version           : 0.01
 Number of Ports        : 18
 Main Power Status      : Up
 Redundant Power Status : Not present
 Role                   : Master
 Loader Version         : 0.0.0.3
 Linux Kernel Version   : 3.10.70
 Operation Code Version : 1.0.4.
Chapter 4 | System Management Commands Frame Size watchdog software This command monitors key processes, and automatically reboots the system if any of these processes are not responding correctly. Syntax watchdog software {disable | enable} Default Setting Disabled Command Mode Privileged Exec Example Console#watchdog software disable Console# Frame Size This section describes commands used to configure the Ethernet frame size on the switch.
Chapter 4 | System Management Commands File Management ◆ To use jumbo frames, both the source and destination end nodes (such as a computer or server) must support this feature. Also, when the connection is operating at full duplex, all switches in the network between the two end nodes must be able to accept the extended frame size. And for half-duplex connections, all devices in the collision domain would need to support jumbo frames.
Table 17: Flash/File Commands
Command      Function                                                                                          Mode
boot system  Specifies the file or image used to start up the system                                           GC
copy         Copies a code image or a switch configuration to or from flash memory or an FTP/SFTP/TFTP server  PE
delete       Deletes a file or code image                                                                      PE
dir          Displays a list of files in flash memory                                                          PE
umount       Unmount a removable USB device.
Chapter 4 | System Management Commands File Management Command Mode Global Configuration Command Usage ◆ A colon (:) is required after the specified file type. ◆ If the file contains an error, it cannot be set as the default file. Example Console(config)#boot system config: startup Console(config)# Related Commands dir (123) whichboot (124) copy This command moves (upload/download) a code image or configuration file between the switch’s flash memory and an FTP/FTPS/SFTP/TFTP server.
Chapter 4 | System Management Commands File Management running-config - Keyword that allows you to copy to/from the current running configuration. sftp - Keyword that copies a file to or from an SFTP server. startup-config - The configuration used for system initialization. tftp - Keyword that allows you to copy to/from a TFTP server. unit - Keyword that copies a file to/from a device unit. usbdisk - Keyword that copies a file to/from a USB device.
◆ When logging into a remote SFTP/FTPS server, the interface prompts for a user name and password configured on the remote server. If this is a first-time connection, the system checks whether the public key offered by the server matches one stored locally. If it does not, the server's public key is copied to the local system. Because the key is accepted as offered the first time (trust on first use), a man-in-the-middle present during that first connection is not detected; verify the server's key fingerprint out of band before the first transfer.
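The host-key behaviour described above is trust-on-first-use. The following Python model is an added example, not code from the manual or the switch: it keeps a per-host fingerprint store that records a key on first contact and refuses any different key afterwards, and contrasts an unpinned first connection with one where the genuine key was loaded out of band. The host name and the two key blobs are constructed for the example; real SSH keys would be the server's public-key bytes.

```python
import base64
import hashlib


def fingerprint(key_blob):
    """OpenSSH-style fingerprint: unpadded base64 of SHA-256 over the key bytes."""
    digest = hashlib.sha256(key_blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


class HostKeyMismatch(Exception):
    """Raised when a host presents a key other than the one on record."""


class HostKeyStore:
    """Trust-on-first-use store. A host seen for the first time is recorded
    as offered; afterwards any different key is refused, never overwritten."""

    def __init__(self):
        self._known = {}

    def pin(self, host, key_blob):
        """Record a key verified out of band, so even the first connection is checked."""
        self._known[host] = fingerprint(key_blob)

    def check(self, host, key_blob):
        """Return 'new' on first contact, 'known' on a match; raise on a mismatch."""
        offered = fingerprint(key_blob)
        recorded = self._known.get(host)
        if recorded is None:
            self._known[host] = offered          # nothing to compare against yet
            return "new"
        if recorded != offered:
            raise HostKeyMismatch(f"{host}: on record {recorded}, offered {offered}")
        return "known"


# Constructed key material standing in for the servers' public keys.
GENUINE_KEY = b"ssh-ed25519 constructed-genuine-key-bytes"
IMPOSTOR_KEY = b"ssh-ed25519 constructed-impostor-key-bytes"


def first_connection_unpinned(host="sftp.example.internal"):
    """Without pinning, an impostor present at first contact is simply recorded,
    and the genuine server is the one that gets refused later."""
    store = HostKeyStore()
    first = store.check(host, IMPOSTOR_KEY)      # 'new': impostor key now trusted
    try:
        store.check(host, GENUINE_KEY)
        return first, "accepted"
    except HostKeyMismatch:
        return first, "refused"


def first_connection_pinned(host="sftp.example.internal"):
    """With the verified key pinned first, the impostor is refused immediately."""
    store = HostKeyStore()
    store.pin(host, GENUINE_KEY)
    try:
        store.check(host, IMPOSTOR_KEY)
        return "accepted"
    except HostKeyMismatch:
        return "refused"


if __name__ == "__main__":
    print("unpinned:", first_connection_unpinned())   # impostor trusted, genuine refused
    print("pinned:  ", first_connection_pinned())     # impostor refused
```

The unpinned run shows the failure mode: the store does exactly what the manual describes, yet the attacker's key is the one that ends up trusted. Pinning the fingerprint obtained over a trusted channel (or, on the switch, loading the server's key before the first copy) is what turns the check into a real one.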
The following example shows how to copy the running configuration to a startup file.
Console#copy running-config file
destination file name: startup
Write to FLASH Programming.
\Write to FLASH finish.
Success.
Console#
The following example shows how to download a configuration file:
Console#copy tftp startup-config
TFTP server ip address: 10.1.0.99
Source configuration file name: startup.
This example shows how to copy a file to an FTP server.
Console#copy ftp file
FTP server IP address: 169.254.1.11
User[anonymous]: admin
Password[]: *****
Choose file type:
 1. config: 2. opcode: 2
Source file name: BLANC.BIX
Destination file name: BLANC.BIX
Console#
This example shows how to copy a file from an SFTP server.
Chapter 4 | System Management Commands File Management Command Usage ◆ If the file type is used for system startup, then this file cannot be deleted. ◆ “Factory_Default_Config.cfg” cannot be deleted. Example This example shows how to delete the test2.cfg configuration file from flash memory. Console#delete file name test2.cfg Console# Related Commands dir (123) delete public-key (250) dir This command displays a list of files in flash memory.
File information is shown below:
Table 18: File Directory Information
Column Heading  Description
File Name       The name of the file.
File Type       File types: Operation Code, and Config file.
Startup         Shows if this file is used when the system is started.
Modify Time     The date and time the file was last modified.
Size            The length of the file in bytes.
Default Setting
None
Command Mode
Privileged Exec
Example
This example shows the information displayed by the whichboot command. See the table under the dir command for a description of the file information displayed by this command.
Console#whichboot
File Name
------------------------------
Unit 1:
ECS5520-18X_V1.0.4.192.bix
startup1.
3. It sets the new version as the startup image.
4. It then restarts the system to start using the new image.
◆ Any changes made to the default setting can be displayed with the show running-config or show startup-config commands.
Example
Console(config)#upgrade opcode auto
Console(config)#upgrade opcode path tftp://192.168.0.
◆ The name for the new image stored on the TFTP server must be ECS5520.bix. However, note that the file name is not to be included in this command.
◆ TFTP provides no authentication or integrity protection for the image it serves, so keep the upgrade server on the management network and restrict who can write to the image directory.
◆ When specifying a TFTP server, the following syntax must be used, where filedir indicates the path to the directory containing the new image: tftp://192.168.0.
show upgrade
This command shows the opcode upgrade configuration settings.
Command Mode
Privileged Exec
Example
Console#show upgrade
Auto Image Upgrade Global Settings:
 Status        : Disabled
 Reload Status : Disabled
 Path          :
 File Name     : ECS5520.
ip tftp timeout
This command specifies the time the switch can wait for a response from a TFTP server before retransmitting a request or timing out for the last retry. Use the no form to restore the default setting.
Syntax
ip tftp timeout seconds
no ip tftp timeout
seconds - The time the switch can wait for a response from a TFTP server before retransmitting a request or timing out.
Line
You can access the onboard configuration program by attaching a VT100-compatible device to the switch's serial port. These commands are used to set communication parameters for the serial port or Telnet (i.e., a virtual terminal).
Chapter 4 | System Management Commands Line line This command identifies a specific line for configuration, and to process subsequent line configuration commands. Syntax line {console | vty} console - Console terminal line. vty - Virtual terminal for remote console access (i.e., Telnet). Default Setting There is no default line. Command Mode Global Configuration Command Usage Telnet is considered a virtual terminal connection and will be shown as “VTY” in screen displays such as show users.
Chapter 4 | System Management Commands Line Command Usage The databits command can be used to mask the high bit on input from devices that generate 7 data bits with parity. If parity is being generated, specify 7 data bits per character. If no parity is required, specify 8 data bits per character.
login
This command enables password checking at login. Use the no form to disable password checking and allow connections without a password. With no login, anyone who can reach the line gets a session without authenticating, so leave password checking enabled on VTY lines.
Syntax
login [local]
no login
local - Selects local password checking. Authentication is based on the user name specified with the username command.
Chapter 4 | System Management Commands Line parity This command defines the generation of a parity bit. Use the no form to restore the default setting. Syntax parity {none | even | odd} no parity none - No parity even - Even parity odd - Odd parity Default Setting No parity Command Mode Line Configuration Command Usage Communication protocols provided by devices such as terminals and modems often require a specific parity bit setting.
Chapter 4 | System Management Commands Line Command Usage ◆ When a connection is started on a line with password protection, the system prompts for the password. If you enter the correct password, the system shows a prompt. You can use the password-thresh command to set the number of times a user can enter an incorrect password before the system terminates the line connection and returns the terminal to the idle state.
Example
To set the password threshold to five attempts, enter this command:
Console(config-line-console)#password-thresh 5
Console(config-line-console)#
Related Commands
silent-time (136)

silent-time
This command sets the amount of time the management console is inaccessible after the number of unsuccessful logon attempts exceeds the threshold set by the password-thresh command. Use the no form to remove the silent time value.
Chapter 4 | System Management Commands Line speed This command sets the terminal line’s baud rate. This command sets both the transmit (to terminal) and receive (from terminal) speeds. Use the no form to restore the default setting. Syntax speed bps no speed bps - Baud rate in bits per second. (Options: 9600, 19200, 38400, 57600, 115200 bps) Default Setting 115200 bps Command Mode Line Configuration Command Usage Set the speed to match the baud rate of the device connected to the serial port.
Example
To specify 2 stop bits, enter this command:
Console(config-line-console)#stopbits 2
Console(config-line-console)#

timeout login response
This command sets the interval that the system waits for a user to log into the CLI. Use the no form to restore the default setting.
Syntax
timeout login response [seconds]
no timeout login response
seconds - Integer that specifies the timeout interval.
Command Mode
Privileged Exec
Command Usage
Specifying session identifier "0" will disconnect the console connection. Specifying any other identifier for an active session will disconnect an SSH or Telnet connection.
Example
Console#disconnect 1
Console#
Related Commands
show ssh (253)
show users (113)

terminal
This command configures terminal settings, including escape-character, lines displayed, terminal type, width, and command history.
Terminal Type: VT100
Width: 80
Command Mode
Privileged Exec
Example
This example sets the number of lines displayed by commands with lengthy output such as show running-config to 48 lines.
Console#terminal length 48
Console#

show line
This command displays the terminal line's parameters.
Syntax
show line [console | vty]
console - Console terminal line.
vty - Virtual terminal for remote console access (i.e., Telnet).
 Login Timeout : 300 sec.
 Silent Time   : Disabled
Console#

Event Logging
This section describes commands used to configure event logging on the switch.
Example
Console(config)#logging facility 19
Console(config)#

logging facility
This command sets the facility type for remote logging of syslog messages. Use the no form to return the type to the default.
Syntax
logging facility type
no logging facility
type - A number that indicates the facility used by the syslog server to dispatch log messages to an appropriate service.
level - One of the levels listed below. Messages sent include the selected level down to level 0. (Range: 0-7)
Table 21: Logging Levels
Level  Severity Name  Description
7      debugging      Debugging messages
6      informational  Informational messages only
5      notifications  Normal but significant condition, such as cold start
4      warnings       Warning conditions (e.g., return false, unexpected return)
3      errors         Error conditions (e.g.
Command Mode
Global Configuration
Command Usage
◆ Use this command more than once to build up a list of host IP addresses.
◆ The maximum number of host IP addresses allowed is five.
Example
Console(config)#logging host 10.1.0.3
Console(config)#

logging level
This command sets the syslog logging severity level for user login and log out. Use the no form to set the logging level to the default value.
Chapter 4 | System Management Commands Event Logging Default Setting None Command Mode Global Configuration Command Usage The logging process controls error messages saved to switch memory or sent to remote syslog servers. You can use the logging history command to control the type of error messages that are stored in memory. You can use the logging trap command to control the type of error messages that are sent to specified syslog servers.
◆ Using this command without a specified level also enables remote logging, but restores the minimum severity level to the default.
Example
Console(config)#logging trap level 4
Console(config)#

clear log
This command clears messages from the log buffer.
Syntax
clear log [flash | ram]
flash - Event history stored in flash memory (i.e., permanent memory).
ram - Event history stored in temporary RAM (i.e., memory flushed on power reset).
Command Usage
◆ All log messages are retained in RAM and Flash after a warm restart (i.e., power is reset through the command interface).
◆ All log messages are retained in Flash and purged from RAM after a cold restart (i.e., power is turned off and then on through the power source).
Example
The following example shows the event message stored in RAM.
Console#show log ram
[1] 00:01:30 2001-01-01 "VLAN 1 link-up notification.
Flash Logging Configuration:
 History Logging in Flash : Level Errors (3)
Console#show logging ram
Global Configuration:
 Syslog Logging : Enabled
Ram Logging Configuration:
 History Logging in RAM : Level Debugging (7)
Console#
Table 22: show logging flash/ram - display description
Field           Description
Syslog Logging  Shows if system logging has been enabled via the logging on command.
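The logging facility, logging host and logging trap level commands in this section decide what the switch puts on the wire to a syslog collector. The following Python code is an added example, not part of the manual or the switch firmware: it encodes events as BSD syslog datagrams (the <PRI> value is facility * 8 + severity, as in RFC 3164), parses them back, and applies the same "selected level down to level 0" filter that logging trap level describes. The severity names for levels 7 to 3 come from Table 21; the names for 2 to 0 are the standard syslog names and are an assumption here, as is the hostname, the timestamp and the constructed event list.

```python
import re

# Levels 7..3 as in the manual's Table 21; 2..0 assumed from standard syslog.
SEVERITY_NAMES = {
    7: "debugging", 6: "informational", 5: "notifications", 4: "warnings",
    3: "errors", 2: "critical", 1: "alerts", 0: "emergencies",
}


def pri(facility, severity):
    """BSD syslog priority value: facility * 8 + severity (RFC 3164)."""
    if not 0 <= facility <= 23:
        raise ValueError(f"facility out of range: {facility}")
    if not 0 <= severity <= 7:
        raise ValueError(f"severity out of range: {severity}")
    return facility * 8 + severity


def build_datagram(facility, severity, timestamp, hostname, text):
    """Encode one event as a <PRI>TIMESTAMP HOSTNAME MSG syslog datagram."""
    return f"<{pri(facility, severity)}>{timestamp} {hostname} {text}".encode("utf-8")


_PRI_RE = re.compile(rb"^<(\d{1,3})>(.*)\Z", re.S)


def parse_datagram(datagram):
    """Recover facility, severity and body from a datagram; reject bad PRI values."""
    m = _PRI_RE.match(datagram)
    if m is None:
        raise ValueError("missing <PRI> header")
    value = int(m.group(1))
    if value > 191:                     # 23 * 8 + 7 is the largest legal PRI
        raise ValueError(f"PRI out of range: {value}")
    severity = value % 8
    return {"facility": value // 8, "severity": severity,
            "name": SEVERITY_NAMES[severity], "body": m.group(2).decode("utf-8")}


def trap_filter(events, trap_level):
    """Mimic 'logging trap level N': forward events of severity N down to 0."""
    return [e for e in events if e["severity"] <= trap_level]


# Constructed event queue; the first text is the manual's 'show log ram' sample.
EVENTS = [
    {"severity": 6, "text": "VLAN 1 link-up notification."},
    {"severity": 4, "text": "Port 1/3 excessive collisions."},   # constructed
    {"severity": 3, "text": "TFTP transfer failed."},            # constructed
    {"severity": 7, "text": "Debug: ARP cache walk."},           # constructed
]


def forward_to_host(events, facility=19, trap_level=4, hostname="Console",
                    timestamp="Jan  1 00:01:30"):
    """Apply the trap filter, then encode what survives for the configured facility.
    Defaults mirror the manual's examples: logging facility 19, logging trap level 4."""
    return [build_datagram(facility, e["severity"], timestamp, hostname, e["text"])
            for e in trap_filter(events, trap_level)]


if __name__ == "__main__":
    for datagram in forward_to_host(EVENTS):
        parsed = parse_datagram(datagram)
        print(parsed["name"], datagram.decode())
```

Facility 19 is local3 (facilities 16 to 23 are local0 to local7), so the collector's routing rule has to match that number. Plain syslog over UDP is neither authenticated nor encrypted: anything on the path can inject or alter events, so keep the collector on the management network and keep the switch's own flash log as a second record.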
Chapter 4 | System Management Commands SMTP Alerts SMTP Alerts These commands configure SMTP event handling, and forwarding of alert messages to the specified SMTP servers and email recipients.
Chapter 4 | System Management Commands SMTP Alerts Default Setting None Command Mode Global Configuration Command Usage You can specify up to five recipients for alert messages. However, you must enter a separate command to specify each recipient. Example Console(config)#logging sendmail destination-email ted@this-company.com Console(config)# logging sendmail host This command specifies SMTP servers that will be sent alert messages. Use the no form to remove an SMTP server.
Chapter 4 | System Management Commands SMTP Alerts logging sendmail level This command sets the severity threshold used to trigger alert messages. Use the no form to restore the default setting. Syntax logging sendmail level level no logging sendmail level level - One of the system message levels (page 142). Messages sent include the selected level down to level 0.
Example
Console(config)#logging sendmail source-email bill@this-company.com
Console(config)#

show logging sendmail
This command displays the settings for the SMTP event handler.
Command Mode
Privileged Exec
Example
Console#show logging sendmail
SMTP Servers
-----------------------------------------------
192.168.1.19
SMTP Minimum Severity Level: 7
SMTP Destination E-mail Addresses
-----------------------------------------------
ted@this-company.
Table 25: Time Commands (Continued)
Command                 Function                                                        Mode
ntp authenticate        Enables authentication for NTP traffic                          GC
ntp authentication-key  Configures authentication keys                                  GC
ntp client              Enables the NTP client for time updates from specified servers  GC
ntp server              Specifies NTP servers to poll for time updates                  GC
show ntp                Shows current NTP configuration settings                        NE, PE
show ntp status         Shows the status of time updates                                PE
show ntp statistics peer
◆ This command enables client time requests to time servers specified via the sntp server command. It issues time synchronization requests based on the interval set via the sntp poll command.
Example
Console(config)#sntp server 10.1.0.19
Console(config)#sntp poll 60
Console(config)#sntp client
Console(config)#end
Console#show sntp
Current Time: Dec 23 02:52:44 2015
Poll Interval: 60
Current Mode: Unicast
SNTP Status : Enabled
SNTP Server 137.92.140.80 0.0.0.
sntp server
This command sets the IP address of the servers to which SNTP time requests are issued. Use this command with no arguments to clear all time servers from the current list. Use the no form to clear all time servers from the current list, or to clear a specific server.
Syntax
sntp server [ip1 [ip2 [ip3]]]
no sntp server [ip1 [ip2 [ip3]]]
ip - IPv4 or IPv6 address of a time server (NTP or SNTP).
Example
Console#show sntp
Current Time   : Nov 5 18:51:22 2015
Poll Interval  : 16 seconds
Current Mode   : Unicast
SNTP Status    : Enabled
SNTP Server    : 137.92.140.80
               : 137.92.140.90
               : 137.92.140.99
Current Server : 137.92.140.80
Console#

NTP Commands

ntp authenticate
This command enables authentication for NTP client-server communications. Use the no form to disable authentication.
Chapter 4 | System Management Commands Time ntp This command configures authentication keys and key numbers to use when NTP authentication-key authentication is enabled. Use the no form of the command to clear a specific authentication key or all keys from the current list. Syntax ntp authentication-key number md5 key no ntp authentication-key [number] number - The NTP authentication key ID number. (Range: 1-65533) md5 - Specifies that authentication is provided by using the message digest algorithm 5.
ntp client
This command enables NTP client requests for time synchronization from NTP time servers specified with the ntp server command. Use the no form to disable NTP client requests.
Syntax
[no] ntp client
Default Setting
Disabled
Command Mode
Global Configuration
Command Usage
◆ The SNTP and NTP clients cannot be enabled at the same time. First disable the SNTP client before using this command.

Default Setting
Version number: 3
Command Mode
Global Configuration
Command Usage
◆ This command specifies the time servers that the switch will poll for time updates when set to NTP client mode. The client polls all configured time servers; the responses received are filtered and compared to determine the most reliable and accurate time update for the switch.
◆ You can configure up to 3 NTP servers on the switch.
NTP Status : Disabled
NTP Authenticate Status : Enabled
Last Update NTP Server : 0.0.0.0 Port: 0
Last Update Time : Jan 1 00:00:00 1970 UTC
NTP Server 192.168.3.20 version 3
NTP Server 192.168.3.21 version 3
NTP Server 192.168.4.22 version 3 key 19
NTP Authentication Key 19 md5 42V68751663T6K11P2J307210R885
Console#

show ntp status
This command displays the current status of received time updates from an NTP peer.

Bogus Origin : 0
Duplicate : 0
Bad Dispersion : 0
Bad Reference Time : 0
Candidate Order : 6
Console#

show ntp peer-status
This command displays the status of connections to NTP peers.
Syntax
show ntp peer-status [ip-address | ipv6-address | hostname]
ip-address - IP address of an NTP time server.
ipv6-address - IPv6 address of an NTP time server.
hostname - Host name of an NTP time server.

b-year - The year summer time will begin.
b-hour - The hour summer time will begin. (Range: 0-23 hours)
b-minute - The minute summer time will begin. (Range: 0-59 minutes)
e-date - Day of the month when summer time will end. (Range: 1-31)
e-month - The month when summer time will end. (Options: january | february | march | april | may | june | july | august | september | october | november | december)
e-year - The year summer time will end.

clock summer-time (predefined)
This command configures the summer time (daylight savings time) status and settings for the switch using predefined configurations for several major regions in the world. Use the no form to disable summer time.
Syntax
clock summer-time name predefined [australia | europe | new-zealand | usa]
no clock summer-time
name - Name of the timezone while summer time is in effect, usually an acronym.

Example
The following example sets the Summer Time setting to use the predefined settings for the European region.
Console(config)#clock summer-time MESZ predefined europe
Console(config)#
Related Commands
show sntp (155)

clock summer-time (recurring)
This command allows the user to manually configure the start, end, and offset times of summer time (daylight savings time) for the switch on a recurring basis. Use the no form to disable summer-time.

Command Mode
Global Configuration
Command Usage
◆ In some countries or regions, clocks are adjusted through the summer months so that afternoons have more daylight and mornings have less. This is known as Summer Time, or Daylight Savings Time (DST). Typically, clocks are adjusted forward one hour at the start of spring and then adjusted backward in autumn.
◆ This command sets the summer-time time zone relative to the currently configured time zone.
Command Usage
This command sets the local time zone relative to Coordinated Universal Time (UTC, formerly Greenwich Mean Time or GMT), based on the earth’s prime meridian, zero degrees longitude. To display a time corresponding to your local time, you must indicate the number of hours and minutes your time zone is east (before) or west (after) of UTC.

show calendar
This command displays the system clock.
Default Setting
None
Command Mode
Normal Exec, Privileged Exec
Example
Console#show calendar
Current Time : May 13 14:08:18 2014
Time Zone : UTC, 08:00
Summer Time : Not configured
Summer Time in Effect : No
Console#

Time Range
This section describes the commands used to set a time range for use by other functions, such as Access Control Lists.
Command Usage
◆ This command sets a time range for use by other functions, such as Access Control Lists.
◆ A maximum of eight rules can be configured for a time range.
Example
Console(config)#time-range r&d
Console(config-time-range)#
Related Commands
Access Control Lists (367)

absolute
This command sets the absolute time range for the execution of a command. Use the no form to remove a previously specified time.

Example
This example configures the time for the single occurrence of an event.
Console(config)#time-range r&d
Console(config-time-range)#absolute start 1 1 1 april 2009 end 2 1 1 april 2009
Console(config-time-range)#

periodic
This command sets the time range for the periodic execution of a command. Use the no form to remove a previously specified time range.

Example
This example configures a time range for the periodic occurrence of an event.
Console(config)#time-range sales
Console(config-time-range)#periodic daily 1 1 to 2 1
Console(config-time-range)#

show time-range
This command shows configured time ranges.
Syntax
show time-range [name]
name - Name of the time range.
5 SNMP Commands
SNMP commands control access to this switch from management stations using the Simple Network Management Protocol (SNMP), as well as the error types sent to trap managers. SNMP Version 3 also provides security features that cover message integrity, authentication, and encryption, as well as controlling user access to specific areas of the MIB tree.

Table 28: SNMP Commands (Continued)
Command                      Function                                                    Mode
show snmp engine-id          Shows the SNMP engine ID                                    PE
show snmp group              Shows the SNMP groups                                       PE
show snmp user               Shows the SNMP users                                        PE
show snmp view               Shows the SNMP views                                        PE
nlm                          Enables the specified notification log                      GC
snmp-server notify-filter    Creates a notification log and specifies the target host    GC
show nlm oper-status         Shows operation status of configured notification logs      PE
show snmp notify-filter

Table 28: SNMP Commands (Continued)
Command                  Function                                                                 Mode
memory                   Sets the rising and falling threshold for the memory utilization alarm   GC
process cpu              Sets the rising and falling threshold for the CPU utilization alarm      GC
process cpu guard        Sets the CPU utilization watermark and threshold                         GC
show memory              Shows memory utilization parameters                                      PE
show process cpu         Shows CPU utilization parameters                                         NE, PE
show process cpu guard   Shows the CPU utilizat

General SNMP Commands

ro - Specifies read-only access. Authorized management stations are only able to retrieve MIB objects.
rw - Specifies read/write access. Authorized management stations are able to both retrieve and modify MIB objects.
Default Setting
◆ public - Read-only access. Authorized management stations are only able to retrieve MIB objects.
◆ private - Read/write access. Authorized management stations are able to both retrieve and modify MIB objects.

snmp-server location
This command sets the system location string. Use the no form to remove the location string.
Syntax
snmp-server location text
no snmp-server location
text - String that describes the system location.

SNMP Target Host Commands
notifications are enabled. If you enter the command with a keyword, only the notification type related to that keyword is enabled.
◆ The snmp-server enable traps command is used in conjunction with the snmp-server host command. Use the snmp-server host command to specify which host or hosts receive SNMP notifications. In order to send notifications, you must configure at least one snmp-server host command.

version - Specifies whether to send notifications as SNMP Version 1, 2c or 3 traps. (Range: 1, 2c, 3; Default: 1)
auth | noauth | priv - This group uses SNMPv3 with authentication, no authentication, or with authentication and privacy. See “Simple Network Management Protocol” in the Web Management Guide for further information about these authentication and encryption options.
port - Host UDP port to use.

4. Allow the switch to send SNMP traps; i.e., notifications (page 176).
5. Specify the target host that will receive inform messages with the snmp-server host command as described in this section.
To send an inform to an SNMPv3 host, complete these steps:
1. Enable the SNMP agent (page 173).
2. Create a remote SNMPv3 user to use in the message exchange process (page 183).
3. Create a view with the required notification messages (page 185).

Example
Console(config)#interface ethernet 1/1
Console(config-if)#snmp-server enable port-traps link-up-down
Console(config)#

snmp-server enable port-traps mac-notification
This command enables the device to send SNMP traps (i.e., SNMP notifications) when a dynamic MAC address is added or removed. Use the no form to restore the default setting.

Command Mode
Privileged Exec
Example
Console#show snmp-server enable port-traps interface
Interface   MAC Notification Trap
---------   ---------------------
Eth 1/1     No
Eth 1/2     No
Eth 1/3     No
. . .

SNMPv3 Commands

snmp-server engine-id
This command configures an identification string for the SNMPv3 engine. Use the no form to restore the default.
remote agent. You therefore need to configure the remote agent’s SNMP engine ID before you can send proxy requests or informs to it.
◆ Trailing zeroes need not be entered to uniquely specify an engine ID. In other words, the value “0123456789” is equivalent to “0123456789” followed by 16 zeroes for a local engine ID.
◆ A local engine ID is automatically generated that is unique to the switch. This is referred to as the default engine ID.
Command Mode
Global Configuration
Command Usage
◆ A group sets the access policy for the assigned users.
◆ When authentication is selected, the MD5 or SHA algorithm is used as specified in the snmp-server user command.
◆ When privacy is selected, the DES 56-bit algorithm is used for data encryption.

auth - Uses SNMPv3 with authentication.
md5 | sha - Uses MD5 or SHA authentication.
auth-password - Authentication password. Enter as plain text if the encrypted option is not used. Otherwise, enter an encrypted password. (Range: 8-32 characters for unencrypted password.) If the encrypted option is selected, enter an encrypted password. (Range: 32 characters for MD5 encrypted password, 40 characters for SHA encrypted password)
priv - Uses SNMPv3 with privacy.

◆ SNMP passwords are localized using the engine ID of the authoritative agent. For informs, the authoritative SNMP agent is the remote agent. You therefore need to configure the remote agent’s SNMP engine ID before you can send proxy requests or informs to it.
Example
Console(config)#snmp-server user steve r&d v3 auth md5 greenpeace priv des56 einstien
Console(config)#snmp-server engine-id remote 192.168.1.

This view includes the MIB-2 interfaces table, ifDescr. The wild card is used to select all the index values in the following table.
Console(config)#snmp-server view ifEntry.2 1.3.6.1.2.1.2.2.1.*.2 included
Console(config)#
This view includes the MIB-2 interfaces table, and the mask selects all index entries.
Console(config)#snmp-server view ifEntry.a 1.3.6.1.2.1.2.2.1.1.* included
Console(config)#

show snmp engine-id
This command shows the SNMP engine ID.
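As an added example (not from this guide or the switch firmware), the following Python models how a view built from snmp-server view entries decides what a management station may read: a `*` in the OID tree matches any sub-identifier at that position, and, an assumption taken from RFC 3415 VACM rather than from this guide, the most specific matching entry wins when included and excluded entries overlap.

```python
"""SNMP view matcher with wildcard subtrees.

Added example, not code from the Edgecore guide or the switch firmware.
A `*` in the OID tree matches any sub-identifier at that position, so
1.3.6.1.2.1.2.2.1.1.* covers every row of the ifIndex column. Entries are
`included` or `excluded`; the rule that the most specific matching entry
decides is assumed from RFC 3415 VACM, not stated on the page.
"""
from typing import List, Optional, Tuple

Subtree = List[Optional[int]]  # None stands for a wildcard position


def parse_oid(text: str) -> Subtree:
    """Turn "1.3.6.1.2.1.2.2.1.*.2" into [1, 3, 6, ..., None, 2]."""
    out: Subtree = []
    for part in text.strip(".").split("."):
        if part == "*":
            out.append(None)
        elif part.isdigit():
            out.append(int(part))
        else:
            raise ValueError(f"bad sub-identifier {part!r} in {text!r}")
    return out


def subtree_matches(subtree: Subtree, oid: Subtree) -> bool:
    """True when oid lies under subtree, treating None as 'any value'."""
    if len(oid) < len(subtree):
        return False
    return all(s is None or s == o for s, o in zip(subtree, oid))


def _specificity(subtree: Subtree) -> Tuple[int, int]:
    """Longer subtree first, then the one with fewer wildcard positions."""
    return (len(subtree), sum(1 for s in subtree if s is not None))


class SnmpView:
    """One named view built from `snmp-server view NAME OID-TREE {included|excluded}`."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.entries: List[Tuple[Subtree, bool]] = []

    def add(self, oid_tree: str, access: str) -> None:
        if access not in ("included", "excluded"):
            raise ValueError("access must be 'included' or 'excluded'")
        self.entries.append((parse_oid(oid_tree), access == "included"))

    def allows(self, oid_text: str) -> bool:
        """Decide whether a station bound to this view may see the object oid_text."""
        oid = parse_oid(oid_text)
        if None in oid:
            raise ValueError("a concrete object OID cannot contain wildcards")
        best: Optional[Tuple[Subtree, bool]] = None
        for subtree, included in self.entries:
            if not subtree_matches(subtree, oid):
                continue
            if best is None or _specificity(subtree) > _specificity(best[0]):
                best = (subtree, included)
        # No matching entry at all means the object is outside the view.
        return best is not None and best[1]


def demo_view() -> SnmpView:
    """Constructed sample view: all of mib-2, except everything about ifIndex 2."""
    view = SnmpView("restricted")
    view.add("1.3.6.1.2.1", "included")             # mib-2
    view.add("1.3.6.1.2.1.2.2.1.*.2", "excluded")   # every ifEntry column, row 2
    return view


if __name__ == "__main__":
    v = demo_view()
    for oid in ("1.3.6.1.2.1.1.5.0", "1.3.6.1.2.1.2.2.1.2.1",
                "1.3.6.1.2.1.2.2.1.2.2", "1.3.6.1.4.1.1"):
        print(oid, "visible" if v.allows(oid) else "hidden")
```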
show snmp group
Four default groups are provided – SNMPv1 read-only access and read/write access, and SNMPv2c read-only access and read/write access.

Table 30: show snmp group - display description (Continued)
Field          Description
Read View      The associated read view.
Write View     The associated write view.
Notify View    The associated notify view.
Storage Type   The storage type for this entry.
Row Status     The row status of this entry.

show snmp user
This command shows information on SNMP users.

Table 31: show snmp user - display description (Continued)
Field              Description
Storage Type       The storage type for this entry.
Row Status         The row status of this entry.
SNMP remote user   A user associated with an SNMP engine on a remote device.

show snmp view
This command shows information on the SNMP views.
Command Mode
Privileged Exec
Example
Console#show snmp view
View Name: mib-2
Subtree OID: 1.2.2.3.6.2.

Notification Log Commands

Default Setting
None
Command Mode
Global Configuration
Command Usage
◆ Notification logging is enabled by default, but will not start recording information until a logging profile specified by the snmp-server notify-filter command is enabled by the nlm command.
◆ Disabling logging with this command does not delete the entries stored in the notification log.
Example
This example enables the notification log A1.

RFC 3014) provides an infrastructure in which information from other MIBs may be logged.
◆ Given the service provided by the NLM, individual MIBs can now bear less responsibility to record transient information associated with an event against the possibility that the Notification message is lost, and applications can poll the log to verify that they have not missed any important Notifications.

show nlm oper-status
This command shows the operational status of configured notification logs.
Command Mode
Privileged Exec
Example
Console#show nlm oper-status
Filter Name: A1
Oper-Status: Operational
Console#

show snmp notify-filter
This command displays the configured notification logs.
Command Mode
Privileged Exec
Example
This example displays the configured notification logs and associated target hosts.

Additional Trap Commands
Command Usage
Once the rising alarm threshold is exceeded, utilization must drop beneath the falling threshold before the alarm is terminated, and then exceed the rising threshold again before another alarm is triggered.
Example
Console(config)#memory rising 80
Console(config)#memory falling 60
Console#
Related Commands
show memory (105)

process cpu
This command sets an SNMP trap based on configured thresholds for CPU utilization.

process cpu guard
This command sets the CPU utilization high and low watermarks in percentage of CPU time utilized and the CPU high and low thresholds in the number of packets being processed per second. Use the no form of this command without any parameters to restore all of the default settings, or with a specific parameter to restore the default setting for that item.

◆ Once the maximum threshold is exceeded, utilization must drop beneath the minimum threshold before the alarm is terminated, and then exceed the maximum threshold again before another alarm is triggered.
6 Remote Monitoring Commands
Remote Monitoring allows a remote device to collect information or respond to specified events on an independent basis. This switch is an RMON-capable device which can independently perform a wide range of tasks, significantly reducing network management traffic. It can continuously run diagnostics and log information on network performance.

rmon alarm
This command sets threshold bounds for a monitored variable. Use the no form to remove an alarm.
Syntax
rmon alarm index variable interval {absolute | delta} rising-threshold threshold [event-index] falling-threshold threshold [event-index] [owner name]
no rmon alarm index
index – Index to this entry. (Range: 1-65535)
variable – The object identifier of the MIB variable to be sampled. Only variables of the type etherStatsEntry.n.n may be sampled.

generated until the sampled value has fallen below the rising threshold, reaches the falling threshold, and again moves back up to the rising threshold.
◆ If the current value is less than or equal to the falling threshold, and the last sample value was greater than this threshold, then an alarm will be generated.
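The rising/falling hysteresis described here for rmon alarm, and likewise for the memory and process cpu guard thresholds in Chapter 5, as an added Python model that is not the switch's own code; the startup rule (the first sample may raise either alarm) is assumed from RFC 2819 alarmStartupAlarm rather than taken from this guide.

```python
"""RMON-style threshold alarm with rising/falling hysteresis.

Added example, not code from the Edgecore guide or the switch. A rising
alarm fires when a sample reaches the rising threshold and is not repeated
until the value has come down to the falling threshold; a falling alarm is
the mirror image. `delta` sampling evaluates the difference between
successive counter readings, `absolute` evaluates the reading itself.
Startup behaviour (first sample may raise either alarm) is assumed from
RFC 2819 alarmStartupAlarm = risingOrFalling; the page does not discuss it.
"""
from typing import List, Optional


class RmonAlarm:
    def __init__(self, rising: int, falling: int, sample_type: str = "absolute") -> None:
        if falling > rising:
            raise ValueError("falling threshold must not exceed rising threshold")
        if sample_type not in ("absolute", "delta"):
            raise ValueError("sample_type must be 'absolute' or 'delta'")
        self.rising = rising
        self.falling = falling
        self.sample_type = sample_type
        self._last_reading: Optional[int] = None  # previous raw reading, for delta
        self._last_alarm: Optional[str] = None    # "rising", "falling" or None at startup
        self.events: List[str] = []

    def sample(self, reading: int) -> Optional[str]:
        """Feed one reading; return "rising", "falling" or None for this interval."""
        if self.sample_type == "delta":
            if self._last_reading is None:
                self._last_reading = reading   # first reading only sets the baseline
                return None
            value, self._last_reading = reading - self._last_reading, reading
        else:
            value = reading

        alarm = None
        # A rising alarm is suppressed until a falling alarm has cleared it,
        # and vice versa; values between the thresholds never raise anything.
        if value >= self.rising and self._last_alarm != "rising":
            alarm = "rising"
        elif value <= self.falling and self._last_alarm != "falling":
            alarm = "falling"
        if alarm:
            self._last_alarm = alarm
            self.events.append(alarm)
        return alarm


def run_alarm(readings, rising: int, falling: int, sample_type: str = "absolute") -> List[str]:
    """Replay a series of readings and return the alarms raised, in order."""
    alarm = RmonAlarm(rising, falling, sample_type)
    return [a for a in (alarm.sample(r) for r in readings) if a]


# Constructed sample inputs: memory utilization in percent (matches the
# `memory rising 80` / `memory falling 60` example) and a cumulative counter.
MEMORY_UTIL = [70, 85, 90, 75, 65, 60, 70, 81, 50]
OCTET_COUNTER = [0, 100, 700, 750, 760]

if __name__ == "__main__":
    print("absolute:", run_alarm(MEMORY_UTIL, 80, 60))
    print("delta:", run_alarm(OCTET_COUNTER, 500, 50, "delta"))
```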
Command Usage
◆ If an event is already defined for an index, the entry must be deleted before any changes can be made with this command.
◆ The specified events determine the action to take when an alarm triggers this event. The response to an alarm can include logging the alarm or sending a message to a trap manager.

◆ The information collected for each sample includes: input octets, packets, broadcast packets, multicast packets, undersize packets, oversize packets, fragments, jabbers, CRC alignment errors, collisions, drop events, and network utilization.
◆ The switch reserves two controlEntry index entries for each port.

Command Usage
◆ By default, each index number equates to a port on the switch, but can be changed to any number not currently in use.
◆ If statistics collection is already enabled on an interface, the entry must be deleted before any changes can be made with this command.

show rmon history
This command shows the sampling parameters configured for each entry in the history group.
Command Mode
Privileged Exec
Example
Console#show rmon history
Entry 1 is valid, and owned by Monitors 1.3.6.1.2.1.2.2.1.1.

7 Flow Sampling Commands
Flow sampling (sFlow) can be used with a remote sFlow Collector to provide an accurate, detailed and real-time overview of the types and levels of traffic present on the network. The sFlow Agent samples 1 out of n packets from all data traversing the switch, re-encapsulates the samples as sFlow datagrams and transmits them to the sFlow Collector.

sflow owner
This command creates an sFlow collector on the switch. Use the no form to remove the sFlow receiver.
Syntax
sflow owner owner-name timeout timeout-value [destination {ipv4-address | ipv6-address} [max-datagram-size max-datagram-size] [version {v4 | v5}] [port destination-udp-port]]
no sflow owner owner-name
owner-name - Name of the collector.
◆ Once an owner is created, the sflow owner command can again be used to modify the owner’s port number. All other parameter values for the owner will be retained if the port is modified.
◆ Use the no sflow owner command to remove the collector.
◆ When the sflow owner command is issued, its associated timeout value will immediately begin to count down.
instance-id - An instance ID used to identify the sampling source. (Range: 1)
owner-name - The associated receiver, to which the samples will be sent. (Range: 1-30 alphanumeric characters)
polling-interval - The time interval at which the sFlow process adds counter values to the sample datagram. (Range: 1-10000000 seconds, 0 disables this feature)
Default Setting
No sFlow polling instance is configured.

instance-id - An instance ID used to identify the sampling source. (Range: 1)
owner-name - The associated receiver, to which the samples will be sent. (Range: 1-30 alphanumeric characters)
sample-rate - The packet sampling rate, or the number of packets out of which one sample will be taken. (Range: 256-16777215 packets)
max-header-size - The maximum size of the sFlow datagram header. (Range: 64-256 bytes)
Default Setting
No sFlow sampling instance is configured.

Command Mode
Privileged Exec
Example
Console#show sflow interface ethernet 1/2
Receiver Owner Name : stat1
Receiver Timeout : 99633 sec
Receiver Destination : 192.168.32.
Receiver Socket Port :
Maximum Datagram Size :
Datagram Version :
8 Authentication Commands
You can configure this switch to authenticate users logging into the system for management access using local or remote authentication methods. Port-based authentication using IEEE 802.1X can also be configured to control either management access to the uplink ports or client access to the data ports.

User Accounts and Privilege Levels
The basic commands required for management access and assigning command privilege levels are listed in this section. This switch also includes other options for password checking via the console or a Telnet connection (page 130), user authentication via a remote authentication server (page 211), and host access authentication for specific ports (page 254).

Default Setting
The default is level 15. The default password is “super”.
Command Mode
Global Configuration
Command Usage
◆ You cannot set a null password. You will have to enter a password to change the command mode from Normal Exec to Privileged Exec with the enable command.
◆ The encrypted password is required for compatibility with legacy password settings (i.e.
Levels 8-14 provide the same default access privileges, including additional commands in Normal Exec mode, and a subset of commands in Privileged Exec mode under the “Console#” command prompt. Level 15 provides full access to all commands. The privilege level associated with any command can be changed using the privilege command. Any privilege level can access all of the commands assigned to lower privilege levels.
privilege
This command assigns a privilege level to specified command groups or individual commands. Use the no form to restore the default setting.
Syntax
privilege mode [all] level level command
no privilege mode [all] command
mode - The configuration mode containing the specified command. (See “Understanding Command Modes” on page 78 and “Configuration Commands” on page 80.

Example
This example shows the privilege level for any command modified by the privilege command.
Console#show privilege command
privilege line all level 0 accounting
privilege exec level 15 ping
Console(config)#

Authentication Sequence
Three authentication methods can be specified to authenticate users logging into the system for management access. The commands in this section can be used to define the authentication method and sequence.

◆ RADIUS and TACACS+ logon authentication assigns a specific privilege level for each user name and password pair. The user name, password, and privilege level must be configured on the authentication server.
◆ You can specify three authentication methods in a single command to indicate the authentication sequence.
◆ You can specify three authentication methods in a single command to indicate the authentication sequence. For example, if you enter “authentication login radius tacacs local,” the user name and password on the RADIUS server are verified first. If the RADIUS server is not available, then authentication is attempted on the TACACS+ server. If the TACACS+ server is not available, the local user name and password are checked.

RADIUS Client
port-number - RADIUS server UDP port used for accounting messages. (Range: 1-65535)
Default Setting
1813
Command Mode
Global Configuration
Example
Console(config)#radius-server acct-port 181
Console(config)#

radius-server auth-port
This command sets the RADIUS server network port. Use the no form to restore the default.

acct-port - RADIUS server UDP port used for accounting messages. (Range: 1-65535)
auth-port - RADIUS server UDP port used for authentication messages. (Range: 1-65535)
key - Encryption key used to authenticate logon access for client. Enclose any string containing blank spaces in double quotes. (Maximum length: 48 characters)
retransmit - Number of times the switch will try to authenticate logon access via the RADIUS server.

Example
Console(config)#radius-server key green
Console(config)#

radius-server encrypted-key
This command sets the RADIUS encryption key to be sent in encrypted text. Use the no form to restore the default.
Syntax
radius-server key key-string
no radius-server key
key-string - Encryption key sent in encrypted text and used to authenticate logon access for client. Enclose any character string using ASCII characters “A-Z” or “a-z”.

radius-server timeout
This command sets the interval between transmitting authentication requests to the RADIUS server. Use the no form to restore the default.
Syntax
radius-server timeout number-of-seconds
no radius-server timeout
number-of-seconds - Number of seconds the switch waits for a reply before resending a request.
radius
Console#

TACACS+ Client
Terminal Access Controller Access Control System (TACACS+) is a logon authentication protocol that uses software running on a central server to control access to TACACS-aware devices on the network. An authentication server contains a database of multiple user name/password pairs with associated privilege levels for each user or group that require management access to a switch.

Default Setting
authentication port - 49
timeout - 5 seconds
retransmit - 2
Command Mode
Global Configuration
Example
Console(config)#tacacs-server 1 host 192.168.1.25 port 181 timeout 10 retransmit 5 key green
Console(config)#

tacacs-server key
This command sets the TACACS+ encryption key. Use the no form to restore the default.

tacacs-server encrypted-key
This command sets the TACACS+ encryption key to be sent in encrypted text. Use the no form to restore the default.
Syntax
tacacs-server encrypted-key key-string
no tacacs-server encrypted-key
key-string - Encryption key sent in encrypted text and used to authenticate logon access for client. Enclose any character string using ASCII characters “A-Z” or “a-z”.

tacacs-server retransmit
This command sets the number of retries. Use the no form to restore the default.
Syntax
tacacs-server retransmit number-of-retries
no tacacs-server retransmit
number-of-retries - Number of times the switch will try to authenticate logon access via the TACACS+ server.

show tacacs-server
This command displays the current settings for the TACACS+ server.
Default Setting
None
Command Mode
Privileged Exec
Example
Console#show tacacs-server
Remote TACACS+ Server Configuration:
Global Settings:
 Server Port Number : 49
 Retransmit Times : 2
 Timeout : 5
Server 1:
 Server IP Address : 10.11.12.
 Server Port Number :
 Retransmit Times :
 Timeout :

AAA

Table 41: AAA Commands (Continued)
Command            Function                                                  Mode
accounting dot1x   Applies an accounting method to an interface for 802.
Chapter 8 | Authentication Commands AAA Command Usage ◆ The accounting of Exec mode commands is only supported by TACACS+ servers. ◆ Note that the default and method-name fields are only used to describe the accounting method(s) configured on the specified TACACS+ server, and do not actually send any information to the server about the methods to use.
Chapter 8 | Authentication Commands AAA Example Console(config)#aaa accounting dot1x default start-stop group radius Console(config)# aaa accounting exec This command enables the accounting of requested Exec services for network access. Use the no form to disable the accounting service. Syntax aaa accounting exec {default | method-name} start-stop group {radius | tacacs+ |server-group} no aaa accounting exec {default | method-name} default - Specifies the default accounting method for service requests.
Chapter 8 | Authentication Commands AAA aaa accounting This command enables the sending of periodic updates to the accounting server. update Use the no form to disable accounting updates. Syntax aaa accounting update [periodic interval] no aaa accounting update interval - Sends an interim accounting record to the server at this interval.
Chapter 8 | Authentication Commands AAA Default Setting Authorization is not enabled No servers are specified Command Mode Global Configuration Command Usage ◆ The authorization of Exec mode commands is only supported by TACACS+ servers. ◆ Note that the default and method-name fields are only used to describe the authorization method(s) configured on the specified TACACS+ server, and do not actually send any information to the server about the methods to use.
Chapter 8 | Authentication Commands AAA Command Usage ◆ This command performs authorization to determine if a user is allowed to run an Exec shell for local console, Telnet, or SSH connections. ◆ AAA authentication must be enabled before authorization is enabled. ◆ If this command is issued without a specified named method, the default method list is applied to all interfaces or lines (where this authorization type applies), except those that have a named method explicitly defined.
Chapter 8 | Authentication Commands AAA Default Setting None Command Mode Server Group Configuration Command Usage ◆ When specifying the index for a RADIUS server, that server index must already be defined by the radius-server host command. ◆ When specifying the index for a TACACS+ server, that server index must already be defined by the tacacs-server host command. Example Console(config)#aaa group server radius tps Console(config-sg-radius)#server 10.2.68.
Chapter 8 | Authentication Commands AAA Syntax accounting commands level {default | list-name} no accounting commands level level - The privilege level for executing commands. (Range: 0-15) default - Specifies the default method list created with the aaa accounting commands command. list-name - Specifies a method list created with the aaa accounting commands command.
Console(config-line)#accounting exec default
Console(config-line)#

authorization commands
This command applies an authorization method to entered CLI commands. Use the no form to disable authorization for entered CLI commands.
Syntax
authorization commands level {default | list-name}
no authorization commands level
level - The privilege level for executing commands.
Example
Console(config)#line console
Console(config-line)#authorization exec tps
Console(config-line)#exit
Console(config)#line vty
Console(config-line)#authorization exec default
Console(config-line)#

show accounting
This command displays the current accounting settings per function and per port.
Interface       : vty
Accounting Type : Commands 0
Method List     : default
Group List      : tacacs+
. . .
Interface       :
Accounting Type : Commands 15
Method List     : default
Group List      : tacacs+
Console#

show authorization
This command displays the current authorization settings per function and per port.
Syntax
show authorization [commands [level] | exec]
commands - Displays command authorization information.
Web Server
This section describes commands used to configure web browser management access to the switch.
Related Commands
aaa authorization commands (231)
ip http server (240)
show system (111)

ip http port
This command specifies the TCP port number used by the web browser interface. Use the no form to use the default port.
Syntax
ip http port port-number
no ip http port
port-number - The TCP port to be used by the browser interface.
Related Commands
ip http authentication (239)
show system (111)

ip http secure-port
This command specifies the TCP port number used for HTTPS connection to the switch's web interface. Use the no form to restore the default port.
Syntax
ip http secure-port port_number
no ip http secure-port
port_number - The TCP port used for HTTPS.
Command Mode
Global Configuration
Command Usage
◆ Both HTTP and HTTPS service can be enabled independently on the switch. However, you cannot configure the HTTP and HTTPS servers to use the same TCP port.
show system (111)

Telnet Server
This section describes commands used to configure Telnet management access to the switch.
Example
Console(config)#ip telnet max-sessions 1
Console(config)#

ip telnet port
This command specifies the TCP port number used by the Telnet interface. Use the no form to use the default port.
Syntax
ip telnet port port-number
no ip telnet port
port-number - The TCP port number to be used by the Telnet interface.
Syntax
telnet host
host - IP address or alias of a remote device.
Command Mode
Privileged Exec
Example
Console#telnet 192.168.2.254
Connect To 192.168.2.254...
***************************************************************
WARNING - MONITORED ACTIONS AND ACCESSES
User Access Verification
Username:
Console(config)#

show ip telnet
This command displays the configuration settings for the Telnet server.
Table 45: Secure Shell Commands
Command                         Function                                                        Mode
ip ssh authentication-retries   Specifies the number of retries allowed by a client             GC
ip ssh server                   Enables the SSH server on the switch                            GC
ip ssh timeout                  Specifies the authentication timeout for the SSH server         GC
copy tftp public-key            Copies the user's public key from a TFTP server to the switch   PE
delete public-key               Deletes the public key for the specified user                   PE
disconnect                      Terminates a
3. Import Client's Public Key to the Switch – Use the copy tftp public-key command to copy a file containing the public key for all the SSH clients granted management access to the switch.
c. The client sends a signature generated using the private key to the switch.
d. When the server receives this message, it checks whether the supplied key is acceptable for authentication, and if so, it then checks whether the signature is correct. If both checks succeed, the client is authenticated.
Note: The SSH server supports up to eight client sessions. The maximum number of client sessions includes both current Telnet sessions and SSH sessions.
Default Setting
Disabled
Command Mode
Global Configuration
Command Usage
◆ The SSH server supports up to eight client sessions. The maximum number of client sessions includes both current Telnet sessions and SSH sessions.
◆ The SSH server uses RSA for key exchange when the client first establishes a connection with the switch, and then negotiates with the client to select either DES (56-bit) or 3DES (168-bit) for data encryption.
Example
Console(config)#ip ssh timeout 60
Console(config)#
Related Commands
exec-timeout (132)
show ip ssh (252)

delete public-key
This command deletes the specified user's public key.
Syntax
delete public-key username
username - Name of an SSH user. (Range: 1-8 characters)
Default Setting
Deletes the RSA key.
Command Mode
Privileged Exec
Example
Console#delete public-key admin
Console#

ip ssh crypto
This command generates the host key pair (i.e.
◆ Some SSH client programs automatically add the public key to the known hosts file as part of the configuration process. Otherwise, you must manually create a known hosts file and place the host public key in it.
◆ The SSH server uses this host key to negotiate a session key and encryption method with the client trying to connect to it.
ip ssh save host-key
This command saves the host key from RAM to flash memory.
Syntax
ip ssh save host-key
Default Setting
Saves the RSA key.
Command Mode
Privileged Exec
Example
Console#ip ssh save host-key
Console#
Related Commands
ip ssh crypto host-key generate (250)

show ip ssh
This command displays the connection settings used when authenticating client access to the SSH server.
Command Usage
If no parameters are entered, all keys are displayed. If the user keyword is entered, but no user name is specified, then the public keys for all users are displayed.
802.1X Port Authentication
The switch supports IEEE 802.1X (dot1x) port-based access control that prevents unauthorized access to the network by requiring users to first submit credentials for authentication. Client authentication is controlled centrally by a RADIUS server using EAP (Extensible Authentication Protocol).
Table 47: 802.
dot1x eapol-pass-through
This command passes EAPOL frames through to all ports in STP forwarding state when dot1x is globally disabled. Use the no form to restore the default.
Authenticator Commands

dot1x intrusion-action
This command sets the port's response to a failed authentication, either to block all traffic, or to assign all traffic for the port to a guest VLAN. Use the no form to reset the default.
Syntax
dot1x intrusion-action {block-traffic | guest-vlan}
no dot1x intrusion-action
block-traffic - Blocks traffic on this port.
guest-vlan - Assigns the user to the Guest VLAN.
Command Mode
Interface Configuration
Example
Console(config)#interface eth 1/2
Console(config-if)#dot1x max-reauth-req 2
Console(config-if)#

dot1x max-req
This command sets the maximum number of times the switch port will retransmit an EAP request/identity packet to the client before it times out the authentication session. Use the no form to restore the default.
dot1x operation-mode
This command allows hosts (clients) to connect to an 802.1X-authorized port. Use the no form with no keywords to restore the default to single host. Use the no form with the multi-host max-count keywords to restore the default maximum count.
dot1x port-control
This command sets the dot1x mode on a port interface. Use the no form to restore the default.
Syntax
dot1x port-control {auto | force-authorized | force-unauthorized}
no dot1x port-control
auto - Requires a dot1x-aware connected client to be authorized by the RADIUS server. Clients that are not dot1x-aware will be denied access.
Example
Console(config)#interface eth 1/2
Console(config-if)#dot1x re-authentication
Console(config-if)#
Related Commands
dot1x timeout re-authperiod (261)

dot1x timeout quiet-period
This command sets the time that a switch port waits after the maximum request count (see page 258) has been exceeded before attempting to acquire a new client. Use the no form to reset the default.
Example
Console(config)#interface eth 1/2
Console(config-if)#dot1x timeout re-authperiod 300
Console(config-if)#

dot1x timeout supp-timeout
This command sets the time that an interface on the switch waits for a response to an EAP request from a client before re-transmitting an EAP packet. Use the no form to reset to the default value.
Syntax
dot1x timeout supp-timeout seconds
no dot1x timeout supp-timeout
seconds - The number of seconds.
Default
30 seconds
Command Mode
Interface Configuration
Example
Console(config)#interface eth 1/2
Console(config-if)#dot1x timeout tx-period 300
Console(config-if)#

dot1x re-authenticate
This command forces re-authentication on all ports or a specific interface.
Syntax
dot1x re-authenticate [interface]
interface
ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number.
Supplicant Commands

dot1x identity profile
This command sets the dot1x supplicant user name and password. Use the no form to delete the identity settings.
Syntax
dot1x identity profile {username username | password password | encrypted-password encrypted-password}
no dot1x identity profile {username | password}
username - Specifies the supplicant user name. (Range: 1-8 characters)
password - Specifies the supplicant password.
Command Mode
Interface Configuration
Example
Console(config)#interface eth 1/2
Console(config-if)#dot1x max-start 10
Console(config-if)#

dot1x pae supplicant
This command enables dot1x supplicant mode on a port. Use the no form to disable dot1x supplicant mode on a port.
dot1x timeout auth-period
This command sets the time that a supplicant port waits for a response from the authenticator. Use the no form to restore the default setting.
Syntax
dot1x timeout auth-period seconds
no dot1x timeout auth-period
seconds - The number of seconds.
dot1x timeout start-period
This command sets the time that a supplicant port waits before resending an EAPOL start frame to the authenticator. Use the no form to restore the default setting.
Syntax
dot1x timeout start-period seconds
no dot1x timeout start-period
seconds - The number of seconds.
◆ 802.1X Port Summary – Displays the port access control parameters for each interface that has enabled 802.1X, including the following items:
◆ 802.1X Port Details – Displays the port access control parameters for each interface, including the following items:
◆ Reauthentication – Periodic re-authentication (page 260).
◆ Reauthentication State Machine State – Current state (including initialize, reauthenticate).
Example
Console#show dot1x
Global 802.1X Parameters
 System Auth Control : Enabled
Authenticator Parameters:
 EAPOL Pass Through  : Disabled
802.
Management IP Filter
This section describes commands used to configure IP management access to the switch.
◆ IP addresses can be configured for SNMP, web, and Telnet access respectively. Each of these groups can include up to five different sets of addresses, either individual addresses or address ranges.
◆ When entering addresses for the same group (i.e., SNMP, web, or Telnet), the switch will not accept overlapping address ranges. When entering addresses for different groups, the switch will accept overlapping address ranges.
TELNET-Client:
   Start IP address   End IP address
   ----------------------------------------------
1. 192.168.1.19       192.168.1.19
2. 192.168.1.25       192.168.1.30
Console#

PPPoE Intermediate Agent
This section describes commands used to configure the PPPoE Intermediate Agent (PPPoE IA) relay parameters required for passing authentication messages between a client and broadband remote access servers.
Command Mode
Global Configuration
Command Usage
◆ The switch inserts a tag identifying itself as a PPPoE Intermediate Agent residing between the attached client requesting network access and the ports connected to broadband remote access servers (BRAS).
Default Setting
◆ Access Node Identifier: IP address of the first IPv4 interface on the switch.
◆ Generic Error Message: PPPoE Discover packet too large to process. Try reducing the number of tags added.
◆ Vendor Identifier: 3561 (This is the enterprise number assigned to the Broadband Forum.)
Example
Console(config)#interface ethernet 1/5
Console(config-if)#pppoe intermediate-agent port-enable
Console(config-if)#

pppoe intermediate-agent port-format-type
This command sets the circuit-id, remote-id, or remote-id delimiter for an interface. Use the no form to restore the default settings.
◆ The switch intercepts PPPoE discovery frames from the client and inserts a unique line identifier using the PPPoE Vendor-Specific tag (0x0105) into PPPoE Active Discovery Initiation (PADI) and Request (PADR) packets. The switch then forwards these packets to the PPPoE server. The tag contains the Line-ID of the customer line over which the discovery packet was received, entering the switch (or access node) where the intermediate agent resides.
Example
This command enables the delimiter for port 5.
Console(config)#interface ethernet 1/5
Console(config-if)#pppoe intermediate-agent port-format-type remote-id-delimiter enable
Console(config-if)#

pppoe intermediate-agent trust
This command sets an interface to trusted mode to indicate that it is connected to a PPPoE server. Use the no form to set an interface to untrusted mode.
Command Usage
This command only applies to trusted interfaces. It is used to strip off vendor-specific tags (which carry subscriber and line identification information) in PPPoE Discovery packets received from an upstream PPPoE server before forwarding them to a user.
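The two operations described above (inserting the Vendor-Specific tag 0x0105 carrying the line identifier on PADI/PADR, and stripping it from server responses on trusted ports) are shown here in an added Python example that is not the switch's own code. It assumes the TR-101 sub-tag numbering (0x01 Agent-Circuit-ID, 0x02 Agent-Remote-ID) and the vendor identifier 3561 given in the default settings; the sample frame and its circuit-id string are constructed.

```python
"""Parse and strip the PPPoE Intermediate Agent tag in PPPoE discovery frames.

Added example, not Edge-core code.  Wire layout (RFC 2516 + TR-101):
  PPPoE header : ver/type(1) code(1) session_id(2) length(2)
  tag          : type(2) length(2) value
  tag 0x0105   : vendor_id(4) then sub-tags  type(1) length(1) value
"""
import struct
from typing import Dict, List, Tuple

VENDOR_SPECIFIC = 0x0105
BBF_VENDOR_ID = 3561        # Broadband Forum enterprise number (page default)
SUB_CIRCUIT_ID = 0x01       # TR-101 Agent-Circuit-ID  (assumed from TR-101)
SUB_REMOTE_ID = 0x02        # TR-101 Agent-Remote-ID   (assumed from TR-101)
PADI, PADO, PADR, PADS, PADT = 0x09, 0x07, 0x19, 0x65, 0xA7

Tag = Tuple[int, bytes]


def build_discovery(code: int, session: int, tags: List[Tag]) -> bytes:
    """Assemble a PPPoE discovery payload (ver 1, type 1) from a tag list."""
    body = b"".join(struct.pack("!HH", t, len(v)) + v for t, v in tags)
    return struct.pack("!BBHH", 0x11, code, session, len(body)) + body


def make_vendor_tag(circuit_id: str, remote_id: str) -> bytes:
    """Value of a 0x0105 tag as a PPPoE IA would insert it on PADI/PADR."""
    cid, rid = circuit_id.encode("ascii"), remote_id.encode("ascii")
    if len(cid) > 255 or len(rid) > 255:
        raise ValueError("sub-tag value exceeds one-byte length field")
    return (struct.pack("!I", BBF_VENDOR_ID)
            + bytes([SUB_CIRCUIT_ID, len(cid)]) + cid
            + bytes([SUB_REMOTE_ID, len(rid)]) + rid)


def parse_tags(payload: bytes) -> Tuple[int, int, List[Tag]]:
    """Return (code, session_id, tags); reject malformed lengths."""
    if len(payload) < 6:
        raise ValueError("truncated PPPoE header")
    vt, code, session, length = struct.unpack("!BBHH", payload[:6])
    if vt != 0x11:
        raise ValueError("not PPPoE version 1 / type 1")
    body = payload[6:6 + length]
    if len(body) != length:
        raise ValueError("PPPoE length field exceeds frame")
    tags, off = [], 0
    while off + 4 <= len(body):
        ttype, tlen = struct.unpack("!HH", body[off:off + 4])
        value = body[off + 4:off + 4 + tlen]
        if len(value) != tlen:
            raise ValueError("truncated tag")
        tags.append((ttype, value))
        off += 4 + tlen
    return code, session, tags


def agent_line_ids(payload: bytes) -> Dict[str, str]:
    """Circuit-id / remote-id carried by a Broadband Forum 0x0105 tag, or {}."""
    _code, _session, tags = parse_tags(payload)
    out: Dict[str, str] = {}
    for ttype, value in tags:
        if ttype != VENDOR_SPECIFIC or len(value) < 4:
            continue
        if struct.unpack("!I", value[:4])[0] != BBF_VENDOR_ID:
            continue                    # another vendor's tag: not an IA line id
        off = 4
        while off + 2 <= len(value):
            stype, slen = value[off], value[off + 1]
            sval = value[off + 2:off + 2 + slen]
            if stype == SUB_CIRCUIT_ID:
                out["circuit_id"] = sval.decode("ascii", "replace")
            elif stype == SUB_REMOTE_ID:
                out["remote_id"] = sval.decode("ascii", "replace")
            off += 2 + slen
    return out


def strip_vendor_tag(payload: bytes) -> bytes:
    """Rebuild the frame without 0x0105 tags, as done for PADO/PADS arriving
    on a trusted (server-facing) port before forwarding to the subscriber."""
    code, session, tags = parse_tags(payload)
    return build_discovery(code, session, [t for t in tags if t[0] != VENDOR_SPECIFIC])


# Constructed sample: a PADI after the agent has tagged it (circuit-id is a
# made-up line identifier, not the switch's actual format).
SAMPLE_PADI = build_discovery(PADI, 0, [
    (0x0101, b""),                      # Service-Name (any service)
    (0x0103, b"\x00\x01"),              # Host-Uniq
    (VENDOR_SPECIFIC, make_vendor_tag("192.168.0.2 eth 0/5", "sub-0005")),
])

if __name__ == "__main__":
    print(agent_line_ids(SAMPLE_PADI))
    print(agent_line_ids(strip_vendor_tag(SAMPLE_PADI)))
```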
Example
Console#show pppoe intermediate-agent info
PPPoE Intermediate Agent Global Status                   : Enabled
PPPoE Intermediate Agent Vendor ID                       : 3561
PPPoE Intermediate Agent Admin Access Node Identifier    : 192.168.0.2
PPPoE Intermediate Agent Oper Access Node Identifier     : 192.168.0.2
PPPoE Intermediate Agent Admin Generic Error Message     : PPPoE Discover packet too large to process. Try reducing the number of tags added.
Table 50: show pppoe intermediate-agent statistics - display description
Field                        Description
Received
  PADI                       PPPoE Active Discovery Initiation
  PADO                       PPPoE Active Discovery Offer
  PADR                       PPPoE Active Discovery Request
  PADS                       PPPoE Active Discovery Session-Confirmation
  PADT                       PPPoE Active Discovery Terminate
Dropped
  Response from untrusted    Response from an interface which has not been configured as trusted.
9 General Security Measures
This switch supports many methods of segregating traffic for clients attached to each of the data ports, and for ensuring that only authorized clients gain access to the network. Port-based authentication using IEEE 802.1X is commonly used for these purposes. In addition to these methods, several other options of providing client security are described in this chapter.
Port Security
These commands can be used to enable port security on a port. When MAC address learning is disabled on an interface, only incoming traffic with source addresses already stored in the dynamic or static address table for this port will be authorized to access the network. When using port security, the switch stops learning new MAC addresses on the specified port when it has reached a configured maximum number.
Command Usage
◆ The no mac-learning command immediately stops the switch from learning new MAC addresses on the specified port or trunk. Incoming traffic with source addresses not stored in the static address table will be flooded. However, if a security function such as 802.
action - Response to take when port security is violated.
shutdown - Disable port only.
trap - Issue SNMP trap message only.
trap-and-shutdown - Issue SNMP trap message and disable port.
max-mac-count
address-count - The maximum number of MAC addresses that can be learned on a port.
number of MAC addresses, the port will stop learning new addresses. The MAC addresses already in the address table will be retained and will not be aged out.
◆ MAC addresses that port security has learned can be saved in the configuration file as static entries. See the port security mac-address-as-permanent command.
◆ If sticky MAC addresses are received on another secure port, then the port intrusion action is taken.
Example
Console(config-if)#port security mac-address sticky
Console#

port security mac-address-as-permanent
Use this command to save the MAC addresses that port security has learned as static entries.
Syntax
port security mac-address-as-permanent [interface interface]
interface - Specifies a port interface.
ethernet unit/port
unit - Unit identifier.
Command Mode
Privileged Exec
Example
This example shows the port security settings and number of secure addresses for all ports.
only source MAC address entries in the MAC Filter table can be learned as secure MAC addresses.
Table 54: Network Access Commands (Continued)
Command                          Function                                                                            Mode
mac-authentication reauth-time   Sets the time period after which a connected MAC address must be re-authenticated   GC
network-access dynamic-qos       Enables the dynamic quality of service feature                                      IC
network-access dynamic-vlan      Enables dynamic VLAN assignment from a RADIUS server                                IC
network-access guest-vlan        Specifies the guest VLAN                                                            IC
network-access lin
Command Usage
◆ Authenticated MAC addresses are stored as dynamic entries in the switch's secure MAC address table and are removed when the aging time expires. The address aging time is determined by the mac-address-table aging-time command.
addresses when using a mask, and then to assign these addresses to one or more ports with the network-access port-mac-filter command.
◆ Up to 64 filter tables can be defined.
◆ There is no limitation on the number of entries that can be entered in a filter table.
Default Setting
Disabled
Command Mode
Interface Configuration
Command Usage
◆ The RADIUS server may optionally return dynamic QoS assignments to be applied to a switch port for an authenticated user.
network-access dynamic-vlan
Use this command to enable dynamic VLAN assignment for an authenticated port. Use the no form to disable dynamic VLAN assignment.
Syntax
[no] network-access dynamic-vlan
Default Setting
Enabled
Command Mode
Interface Configuration
Command Usage
◆ When enabled, the VLAN identifiers returned by the RADIUS server through the 802.
network-access guest-vlan
Use this command to assign all traffic on a port to a guest VLAN when 802.1x authentication or MAC authentication is rejected. Use the no form of this command to disable guest VLAN assignment.
Example
Console(config)#interface ethernet 1/1
Console(config-if)#network-access link-detection
Console(config-if)#

network-access link-detection link-down
Use this command to detect link-down events. When detected, the switch can shut down the port, send an SNMP trap, or both. Use the no form of this command to disable this feature.
action - Response to take when port security is violated.
shutdown - Disable port only.
trap - Issue SNMP trap message only.
trap-and-shutdown - Issue SNMP trap message and disable the port.
network-access max-mac-count
Use this command to set the maximum number of MAC addresses that can be authenticated on a port interface via all forms of authentication. Use the no form of this command to restore the default.
Syntax
network-access max-mac-count count
no network-access max-mac-count
count - The maximum number of authenticated IEEE 802.1X and MAC addresses allowed.
◆ Authenticated MAC addresses are stored as dynamic entries in the switch's secure MAC address table and are removed when the aging time expires. The maximum number of secure MAC addresses supported for the switch system is 1024.
◆ Configured static MAC addresses are added to the secure address table when seen on a switch port. Static addresses are treated as authenticated without sending a request to a RADIUS server.
Example
Console(config)#interface ethernet 1/1
Console(config-if)#network-access port-mac-filter 1
Console(config-if)#

mac-authentication intrusion-action
Use this command to configure the port response to a host MAC authentication failure. Use the no form of this command to restore the default.
Example
Console(config-if)#mac-authentication max-mac-count 32
Console(config-if)#

clear network-access
Use this command to clear entries from the secure MAC address table.
Syntax
clear network-access mac-address-table [static | dynamic] [address mac-address] [interface interface]
static - Specifies static address entries.
dynamic - Specifies dynamic address entries.
mac-address - Specifies a MAC address entry.
Command Mode
Privileged Exec
Example
Console#show network-access interface ethernet 1/1
Global secure port information
 Reauthentication Time                  : 1800
 MAC Address Aging                      : Disabled
Port : 1/1
 MAC Authentication                     :
 MAC Authentication Intrusion Action    :
 MAC Authentication Maximum MAC Counts  :
 Maximum MAC Counts                     :
 Dynamic VLAN Assignment                :
 Dynamic QoS Assignment                 :
 MAC Filter ID                          :
 Guest VLAN                             :
 Link Detection                         :
 Detection Mode                         :
 Detection Action                       :
Console#
Command Usage
When using a bit mask to filter displayed MAC addresses, a 1 means "care" and a 0 means "don't care". For example, a MAC of 00-00-01-02-03-04 and mask FF-FF-FF-00-00-00 would result in all MACs in the range 00-00-01-00-00-00 to 00-00-01-FF-FF-FF being displayed. All other MACs would be filtered out.
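The "care"/"don't care" mask semantics above, worked through in an added Python example (not the switch's code): it reproduces the 00-00-01-02-03-04 / FF-FF-FF-00-00-00 case from the text, applies the same match to a constructed address table, and also handles the general case the text does not mention, a non-contiguous mask, which selects a scattered set of addresses rather than a single range.

```python
"""MAC address pattern/mask matching as used by the switch's MAC filter display.
Added example, not Edge-core code.  A 1 bit in the mask means "care"."""
from typing import List, Tuple

MAC_BITS = 0xFFFFFFFFFFFF   # 48 bits


def parse_mac(text: str) -> int:
    """Parse 'AA-BB-CC-DD-EE-FF' (dashes or colons) into a 48-bit integer."""
    parts = text.replace(":", "-").split("-")
    if len(parts) != 6 or any(len(p) != 2 for p in parts):
        raise ValueError(f"malformed MAC address: {text!r}")
    return int("".join(parts), 16)


def format_mac(value: int) -> str:
    """Render a 48-bit integer in the guide's dashed upper-case notation."""
    return "-".join(f"{(value >> shift) & 0xFF:02X}" for shift in range(40, -1, -8))


def mac_matches(mac: str, pattern: str, mask: str) -> bool:
    """True when every 'care' bit of mac equals the corresponding pattern bit."""
    m = parse_mac(mask)
    return (parse_mac(mac) & m) == (parse_mac(pattern) & m)


def mac_mask_range(pattern: str, mask: str) -> Tuple[str, str]:
    """Lowest and highest address selected by pattern/mask.

    A single range only exists for a contiguous mask (all 1 bits before all
    0 bits).  A mask such as FF-00-FF-00-00-00 selects scattered addresses,
    so it is rejected rather than reported as a misleading range.
    """
    m = parse_mac(mask)
    ones = bin(m).count("1")
    if m != (MAC_BITS << (48 - ones)) & MAC_BITS:
        raise ValueError("mask is not contiguous; the selection is not a single range")
    low = parse_mac(pattern) & m
    high = low | (~m & MAC_BITS)
    return format_mac(low), format_mac(high)


def filter_macs(table: List[str], pattern: str, mask: str) -> List[str]:
    """Apply the display filter to a list of addresses, keeping input order."""
    return [mac for mac in table if mac_matches(mac, pattern, mask)]


# Constructed sample table standing in for the secure MAC address table.
SAMPLE_TABLE = [
    "00-00-01-02-03-04",
    "00-00-01-FF-FF-FF",
    "00-00-01-00-00-00",
    "00-00-02-00-00-01",
    "00-00-00-FF-FF-FF",
]

if __name__ == "__main__":
    print(mac_mask_range("00-00-01-02-03-04", "FF-FF-FF-00-00-00"))
    print(filter_macs(SAMPLE_TABLE, "00-00-01-02-03-04", "FF-FF-FF-00-00-00"))
```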
Web Authentication
Web authentication allows stations to authenticate and access the network in situations where 802.1X or Network Access authentication are infeasible or impractical. The web authentication feature allows unauthenticated hosts to request and receive a DHCP assigned IP address and perform DNS queries. All other traffic, except for HTTP protocol traffic, is blocked.
web-auth login-attempts
This command defines the limit for failed web authentication login attempts. After the limit is reached, the switch refuses further login attempts until the quiet time expires. Use the no form to restore the default.
Syntax
web-auth login-attempts count
no web-auth login-attempts
count - The limit of allowed failed login attempts.
web-auth session-timeout
This command defines the amount of time a web-authentication session remains valid. When the session timeout has been reached, the host is logged off and must re-authenticate itself the next time data transmission takes place. Use the no form to restore the default.
Syntax
web-auth session-timeout timeout
no web-auth session-timeout
timeout - The amount of time that an authenticated session remains valid.
web-auth
This command enables web authentication for an interface. Use the no form to restore the default.
Syntax
[no] web-auth
Default Setting
Disabled
Command Mode
Interface Configuration
Command Usage
Both web-auth system-auth-control for the switch and web-auth for a port must be enabled for the web authentication feature to be active.
web-auth re-authenticate (IP)
This command ends the web authentication session associated with the designated IP address and forces the user to re-authenticate.
Syntax
web-auth re-authenticate interface interface ip
interface - Specifies a port interface.
ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number.
show web-auth interface
This command displays interface-specific web authentication parameters and statistics.
Syntax
show web-auth interface interface
interface - Specifies a port interface.
ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number. (Range: 1-18)
Command Mode
Privileged Exec
Example
Console#show web-auth interface ethernet 1/2
Web Auth Status : Enabled
Host Summary
IP address
--------------
1.1.1.1
1.1.1.
DHCPv4 Snooping
DHCPv4 snooping allows a switch to protect a network from rogue DHCPv4 servers or other devices which send port-related information to a DHCPv4 server. This information can be useful in tracking an IP address back to a physical port. This section describes commands used to configure DHCPv4 snooping.
ip dhcp snooping
This command enables DHCP snooping globally. Use the no form to restore the default setting.
Syntax
[no] ip dhcp snooping
Default Setting
Disabled
Command Mode
Global Configuration
Command Usage
Network traffic may be disrupted when malicious DHCP messages are received from an outside source. DHCP snooping is used to filter DHCP messages received on an unsecured interface from outside the network or firewall.
■ If the DHCP packet is from a client, such as a DECLINE or RELEASE message, the switch forwards the packet only if the corresponding entry is found in the binding table.
■ If the DHCP packet is from a client, such as a DISCOVER, REQUEST, INFORM, DECLINE or RELEASE message, the packet is forwarded if MAC address verification is disabled (as specified by the ip dhcp snooping verify mac-address command).
ip dhcp snooping information option
This command enables the use of DHCP Option 82 information for the switch, and specifies the frame format to use for the remote-id when Option 82 information is generated by the switch. Use the no form without any keywords to disable this function.
This example enables the DHCP Snooping Information Option.
Console(config)#ip dhcp snooping information option
Console(config)#

ip dhcp snooping information option encode no-subtype
This command disables the use of sub-type and sub-length fields for the circuit-ID (CID) and remote-ID (RID) in Option 82 information generated by the switch. Use the no form to enable the use of these fields.
◆ The ip dhcp snooping information option circuit-id command can be used to modify the default settings described above. The format for TR101 option 82 is: “ eth /[:]”. Note that the SID (Switch ID) is always 0. By default the PVID is added to the end of the TR101 field for untagged packets. For tagged packets, the VLAN ID is always added.
mac-address - Inserts a MAC address in the remote ID sub-option for the DHCP snooping agent (that is, the MAC address of the switch's CPU).
ip-address - Inserts an IP address in the remote ID sub-option for the DHCP snooping agent (that is, the IP address of the management interface).
encode - Indicates encoding in ASCII or hexadecimal.
string - An arbitrary string inserted into the remote identifier field.
ip dhcp snooping information option tr101 board-id
This command sets the board identifier used in Option 82 information based on TR-101 syntax. Use the no form to remove the board identifier.
Syntax
ip dhcp snooping information option tr101 board-id board-id
no ip dhcp snooping information option tr101 board-id
board-id - TR101 Board ID.
Command Usage
When the switch receives DHCP packets from clients that already include DHCP Option 82 information, the switch can be configured to set the action policy for these packets. The switch can either drop the DHCP packets, keep the existing information, or replace it with the switch's relay information.
ip dhcp snooping vlan
This command enables DHCP snooping on the specified VLAN. Use the no form to restore the default setting.
ip dhcp snooping information option circuit-id
This command specifies DHCP Option 82 circuit-id suboption information. Use the no form to use the default settings.

Syntax
ip dhcp snooping information option circuit-id {string string | tr101 {node-identifier {ip | sysname} | no-vlan-field}}
no ip dhcp snooping information option circuit-id [tr101 no-vlan-field]
string - An arbitrary string inserted into the circuit identifier field.
■ access node identifier - ASCII string. Default is the MAC address of the switch’s CPU. This field is set by the ip dhcp snooping information option command.
■ eth - The second field is the fixed string “eth”.
■ slot - The slot represents the stack unit for this system.
■ port - The port which received the DHCP request. If the packet arrives over a trunk, the value is the ifIndex of the trunk.
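The Option 82 layout described above (the TR101 circuit-ID fields, the remote-ID choices, and the effect of encode no-subtype), as an added Python example that is not Edge-core code. It assumes the RFC 3046 sub-option numbers (1 = circuit-ID, 2 = remote-ID), a one-byte sub-type plus one-byte sub-length header whose sub-type values are placeholders, and constructed switch identifiers.

```python
"""Build and decode the DHCPv4 Option 82 (RFC 3046 Relay Agent Information)
payload inserted by DHCP snooping, as an added illustration of the settings
described above.  Not Edge-core code; the sub-type values below are
placeholders because the guide does not state them.
"""

OPT82 = 82
SUBOPT_CIRCUIT_ID = 1     # RFC 3046 Agent Circuit ID sub-option
SUBOPT_REMOTE_ID = 2      # RFC 3046 Agent Remote ID sub-option
SUBTYPE_CID = 0           # placeholder sub-type byte for the circuit-ID field
SUBTYPE_RID = 0           # placeholder sub-type byte for the remote-ID field


def tr101_circuit_id(node_id, unit, port, vlan=None, no_vlan_field=False):
    """Circuit-ID in the TR-101 form "<access-node-id> eth <slot>/<port>[:<vlan>]".

    node_id - access node identifier (by default the CPU MAC; sysname or IP with
              'circuit-id tr101 node-identifier')
    vlan    - the request's VLAN tag, or the port PVID for an untagged request;
              the field is omitted only under 'tr101 no-vlan-field'
    """
    cid = "%s eth %d/%d" % (node_id, unit, port)
    if vlan is not None and not no_vlan_field:
        cid += ":%d" % vlan
    return cid


def remote_id(kind, value, encode="ascii"):
    """Remote-ID value: the switch's mac-address or ip-address, or an arbitrary
    string, encoded as ASCII text or (mac/ip only) as raw hexadecimal bytes."""
    if encode == "ascii" or kind == "string":
        return value.encode("ascii")
    if kind == "mac-address":
        return bytes.fromhex(value.replace("-", "").replace(":", ""))
    if kind == "ip-address":
        return bytes(int(octet) for octet in value.split("."))
    raise ValueError("unknown remote-id kind %r" % kind)


def _field(subtype, value, with_subtype):
    """CID/RID body: with the sub-type and sub-length header by default, or the
    bare value when 'information option encode no-subtype' is configured."""
    return bytes([subtype, len(value)]) + value if with_subtype else value


def build_option82(cid, rid, with_subtype=True):
    """Serialize Option 82 = [82][len] {[1][len] CID-field} {[2][len] RID-field}."""
    body = b""
    for subopt, subtype, value in ((SUBOPT_CIRCUIT_ID, SUBTYPE_CID, cid),
                                   (SUBOPT_REMOTE_ID, SUBTYPE_RID, rid)):
        field = _field(subtype, value, with_subtype)
        body += bytes([subopt, len(field)]) + field
    return bytes([OPT82, len(body)]) + body


def parse_option82(opt, with_subtype=True):
    """Decode Option 82 into {'circuit_id': bytes, 'remote_id': bytes}.

    A relay or DHCP server validating Option 82 must be told whether the
    sub-type/sub-length header is present; otherwise the two leading bytes
    of each field are misread as part of the identifier.
    """
    if len(opt) < 2 or opt[0] != OPT82 or len(opt) != opt[1] + 2:
        raise ValueError("not a well-formed Option 82")
    names = {SUBOPT_CIRCUIT_ID: "circuit_id", SUBOPT_REMOTE_ID: "remote_id"}
    out, i = {}, 2
    while i < len(opt):
        if i + 2 > len(opt):
            raise ValueError("truncated sub-option header")
        subopt, length = opt[i], opt[i + 1]
        field = opt[i + 2:i + 2 + length]
        if len(field) != length:
            raise ValueError("truncated sub-option value")
        if with_subtype:
            if len(field) < 2 or field[1] != len(field) - 2:
                raise ValueError("sub-length does not match sub-option length")
            field = field[2:]
        out[names.get(subopt, subopt)] = field
        i += 2 + length
    return out


if __name__ == "__main__":
    # Constructed values: CPU MAC as node identifier, request on unit 1 port 3, VLAN 10.
    cid = tr101_circuit_id("00-E0-0C-00-00-01", 1, 3, vlan=10).encode("ascii")
    rid = remote_id("mac-address", "00-E0-0C-00-00-01", encode="hex")
    for with_subtype in (True, False):
        opt = build_option82(cid, rid, with_subtype)
        print(with_subtype, opt.hex(), parse_option82(opt, with_subtype))
```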
Example
This example sets the maximum number of DHCP clients supported on port 1 to 2.

Console(config)#interface ethernet 1/1
Console(config-if)#ip dhcp snooping max-number 2
Console(config-if)#

ip dhcp snooping trust
This command configures the specified interface as trusted. Use the no form to restore the default setting.
Related Commands
ip dhcp snooping (310)
ip dhcp snooping vlan (318)

clear ip dhcp snooping binding
This command clears DHCP snooping binding table entries from RAM. Use this command without any optional keywords to clear all entries from the binding table.

Syntax
clear ip dhcp snooping binding [mac-address vlan vlan-id]
mac-address - Specifies a MAC address entry.
Example
Console#ip dhcp snooping database flash
Console#

show ip dhcp snooping
This command shows the DHCP snooping configuration settings.
DHCPv6 Snooping

DHCPv6 snooping allows a switch to protect a network from rogue DHCPv6 servers or other devices which send port-related information to a DHCPv6 server. This information can be useful in tracking an IP address back to a physical port. This section describes commands used to configure DHCPv6 snooping.
wall. When DHCPv6 snooping is enabled globally by this command, and enabled on a VLAN interface by the ipv6 dhcp snooping vlan command, DHCP messages received on an untrusted interface (as specified by the no ipv6 dhcp snooping trust command) from a device not listed in the DHCPv6 snooping table will be dropped.
◆ When enabled, DHCPv6 messages entering an untrusted interface are filtered based upon dynamic entries learned via DHCPv6 snooping.
DHCP Server Packet
■ If a DHCP server packet is received on an untrusted port, drop this packet and add a log entry in the system.
■ If a DHCPv6 Reply packet is received from a server on a trusted port, it will be processed in the following manner:
  a. Check if the IPv6 address in the IA option is found in the binding table:
     ■ If yes, continue to c.
     ■ If not, continue to b.
  b.
Example
This example enables DHCPv6 snooping globally for the switch.

Console(config)#ipv6 dhcp snooping
Console(config)#

Related Commands
ipv6 dhcp snooping vlan (329)
ipv6 dhcp snooping trust (330)

ipv6 dhcp snooping option remote-id
This command enables the insertion of remote-id option 37 information into DHCPv6 client messages.
remove option 37 information in incoming DHCPv6 packets. Packets are processed as follows:
■ If an incoming packet is a DHCPv6 request packet with option 37 information, it will modify the option 37 information according to the settings specified with the ipv6 dhcp snooping option remote-id policy command.
these packets. The switch can either drop the DHCPv6 packets, keep the existing information, or replace it with the switch’s relay agent information.

Example
This example configures the switch to keep existing remote-id option 37 information within DHCPv6 client packets and forward it.

Console(config)#ipv6 dhcp snooping option remote-id policy keep
Console(config)#

ipv6 dhcp snooping vlan
This command enables DHCPv6 snooping on the specified VLAN.
Related Commands
ipv6 dhcp snooping (324)
ipv6 dhcp snooping trust (330)

ipv6 dhcp snooping max-binding
This command sets the maximum number of entries which can be stored in the binding database for an interface. Use the no form to restore the default setting.

Syntax
ipv6 dhcp snooping max-binding count
no ipv6 dhcp snooping max-binding
count - Maximum number of entries.
◆ When DHCPv6 snooping is enabled globally using the ipv6 dhcp snooping command, and enabled on a VLAN with the ipv6 dhcp snooping vlan command, DHCPv6 packet filtering will be performed on any untrusted ports within the VLAN according to the default status, or as specifically configured for an interface with the no ipv6 dhcp snooping trust command.
clear ipv6 dhcp snooping statistics
This command clears statistical counters for DHCPv6 snooping client, server and relay packets.

Command Mode
Privileged Exec

Example
Console(config)#clear ipv6 dhcp snooping statistics
Console(config)#

show ipv6 dhcp snooping
This command shows the DHCPv6 snooping configuration settings.
IPv6 Address                             Lifetime   VLAN Port    Type
---------------------------------------- ---------- ---- ------- ----
2001:b000::1                             2591912    1    Eth 1/3 NA
Console#

show ipv6 dhcp snooping statistics
This command shows statistics for DHCPv6 snooping client, server and relay packets.
IPv4 Source Guard

Table 61: IPv4 Source Guard Commands (Continued)
Command                       Function                                                            Mode
show ip source-guard          Shows whether source guard is enabled or disabled on each interface PE
show ip source-guard binding  Shows the source guard binding table                                PE

ip source-guard binding
This command adds a static address to the source-guard ACL or MAC address binding table. Use the no form to remove a static entry.
◆ When source guard is enabled, traffic is filtered based upon dynamic entries learned via DHCP snooping, or static addresses configured in the source guard binding table with this command.
◆ An entry with the same MAC address and a different VLAN ID cannot be added to the binding table.
ip source-guard
This command configures the switch to filter inbound traffic based on source IP address, or source IP address and corresponding MAC address. Use the no form to disable this function.

Syntax
ip source-guard {sip | sip-mac}
no ip source-guard
sip - Filters traffic based on IP addresses stored in the binding table.
sip-mac - Filters traffic based on IP addresses and corresponding MAC addresses stored in the binding table.
the sip-mac option). If a matching entry is found in the binding table and the entry type is static IP source guard binding, the packet will be forwarded.
■ If DHCP snooping is enabled, IP source guard will check the VLAN ID, source IP address, port number, and source MAC address (for the sip-mac option).
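The source guard filtering rules just described (static-only lookups while DHCP snooping is disabled, sip versus sip-mac, and the one-VLAN-per-MAC restriction on bindings), as an added Python example that is not the switch's implementation; all binding entries and interface names are constructed.

```python
"""IP Source Guard filtering as described above, as an added example (not the
switch's implementation).  Binding entries are constructed: 'static' stands for
entries added with 'ip source-guard binding', 'dynamic' for entries learned by
DHCP snooping.  Lookups are keyed on VLAN, source IP, port and (sip-mac) MAC.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    vlan: int
    port: str
    kind: str        # "static" or "dynamic"


class SourceGuard:
    def __init__(self, dhcp_snooping_enabled=False):
        self.dhcp_snooping = dhcp_snooping_enabled
        self.bindings = []
        self.mode = {}   # port -> "sip" | "sip-mac"; absent = source guard disabled

    def add_binding(self, entry):
        # Rule from the usage notes: a MAC already bound in one VLAN cannot be
        # bound in a different VLAN.
        for e in self.bindings:
            if e.mac.lower() == entry.mac.lower() and e.vlan != entry.vlan:
                raise ValueError("%s is already bound in VLAN %d" % (entry.mac, e.vlan))
        self.bindings.append(entry)

    def enable(self, port, mode):
        """'ip source-guard sip' / 'ip source-guard sip-mac' on an interface."""
        if mode not in ("sip", "sip-mac"):
            raise ValueError("mode must be sip or sip-mac")
        self.mode[port] = mode

    def disable(self, port):
        self.mode.pop(port, None)

    def permit(self, port, vlan, src_ip, src_mac):
        """True if an inbound packet passes the source guard check on this port."""
        mode = self.mode.get(port)
        if mode is None:
            return True               # source guard not enabled on this port
        for e in self.bindings:
            # With DHCP snooping disabled only static bindings are consulted.
            if not self.dhcp_snooping and e.kind != "static":
                continue
            if (e.vlan, e.ip, e.port) != (vlan, src_ip, port):
                continue
            if mode == "sip-mac" and e.mac.lower() != src_mac.lower():
                continue
            return True
        return False                  # no matching binding: packet is dropped


def demo():
    """Constructed scenario: one static and one DHCP-learned binding on Eth 1/1."""
    sg = SourceGuard(dhcp_snooping_enabled=False)
    sg.add_binding(Binding("00-11-22-33-44-55", "10.0.0.10", 1, "Eth 1/1", "static"))
    sg.add_binding(Binding("00-11-22-33-44-66", "10.0.0.11", 1, "Eth 1/1", "dynamic"))
    sg.enable("Eth 1/1", "sip-mac")
    results = {
        "static_ok": sg.permit("Eth 1/1", 1, "10.0.0.10", "00-11-22-33-44-55"),
        "static_wrong_mac": sg.permit("Eth 1/1", 1, "10.0.0.10", "00-11-22-33-44-99"),
        "dynamic_no_snooping": sg.permit("Eth 1/1", 1, "10.0.0.11", "00-11-22-33-44-66"),
    }
    sg.dhcp_snooping = True
    results["dynamic_with_snooping"] = sg.permit("Eth 1/1", 1, "10.0.0.11", "00-11-22-33-44-66")
    results["unguarded_port"] = sg.permit("Eth 1/2", 1, "10.0.0.99", "00-00-00-00-00-01")
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print("%-22s %s" % (name, "forward" if verdict else "drop"))
```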
Command Mode
Interface Configuration (Ethernet)

Command Usage
◆ This command sets the maximum number of address entries that can be mapped to an interface in the binding table for the specified mode (ACL binding table or MAC address table), including dynamic entries discovered by DHCP snooping and static entries set by the ip source-guard command.
◆ The maximum binding for ACL mode restricts the number of “active” entries per port.
Command Usage
There are two modes for the filtering table:
◆ ACL - IP traffic will be forwarded if it passes the checking process in the ACL mode binding table.
◆ MAC - A MAC entry will be added to the MAC address table if IP traffic passes the checking process in the MAC mode binding table.
Example
Console#show ip source-guard
Interface Filter-type Filter-table ACL Table Max-binding MAC Table Max-binding
--------- ----------- ------------ --------------------- ---------------------
Eth 1/1   DISABLED    ACL          5                     1024
Eth 1/2   DISABLED    ACL          5                     1024
Eth 1/3   DISABLED    ACL          5                     1024
Eth 1/4   DISABLED    ACL          5                     1024
Eth 1/5   DISABLED    ACL          5                     1024
. . .

show ip source-guard binding
This command shows the source guard binding table.
IPv6 Source Guard

IPv6 Source Guard is a security feature that filters IPv6 traffic on non-routed, Layer 2 network interfaces based on manually configured entries in the IPv6 Source Guard table, or dynamic entries in the Neighbor Discovery Snooping table or DHCPv6 Snooping table when either snooping protocol is enabled (see “DHCPv6 Snooping” on page 324).
Default Setting
No configured entries

Command Mode
Global Configuration

Command Usage
◆ Table entries include an associated MAC address, IPv6 global unicast address, entry type (Static-IPv6-SG-Binding, Dynamic-ND-Snooping, Dynamic-DHCPv6-Snooping), VLAN identifier, and port identifier.
◆ Traffic filtering is based only on the source IPv6 address, VLAN ID, and port number.
ipv6 dhcp snooping (324)
ipv6 dhcp snooping vlan (329)

ipv6 source-guard
This command configures the switch to filter inbound traffic based on the source IP address stored in the binding table. Use the no form to disable this function.
◆ Filtering rules are implemented as follows:
■ If ND snooping and DHCPv6 snooping are disabled, IPv6 source guard will check the VLAN ID, source IPv6 address, and port number. If a matching entry is found in the binding table and the entry type is static IPv6 source guard binding, the packet will be forwarded.
■ If ND snooping or DHCPv6 snooping is enabled, IPv6 source guard will check the VLAN ID, source IP address, and port number.
Command Mode
Interface Configuration (Ethernet)

Command Usage
◆ This command sets the maximum number of address entries that can be mapped to an interface in the binding table, including both dynamic entries discovered by ND snooping or DHCPv6 snooping, and static entries set by the ipv6 source-guard command.
◆ The IPv6 source guard maximum binding must be set to a value higher than the DHCPv6 snooping maximum binding and the ND snooping maximum binding.
Eth 1/5 Eth 1/6 . . . SIP Disabled 1 5

show ipv6 source-guard binding
This command shows the IPv6 source guard binding table.

Syntax
show ipv6 source-guard binding [dynamic | static]
dynamic - Shows dynamic entries configured with ND Snooping or DHCPv6 Snooping commands (see page 324).
static - Shows static entries configured with the ipv6 source-guard binding command.
ARP Inspection

This section describes commands used to configure ARP Inspection.
◆ When ARP Inspection is enabled globally and enabled on selected VLANs, all ARP request and reply packets on those VLANs are redirected to the CPU and their switching is handled by the ARP Inspection engine.
◆ When ARP Inspection is disabled globally, it becomes inactive for all VLANs, including those where ARP Inspection is enabled.
Command Usage
◆ ARP ACLs are configured with the commands described under “ARP ACLs” on page 386.
◆ If static mode is enabled, the switch compares ARP packets to the specified ARP ACLs. Packets matching an IP-to-MAC address binding in a permit or deny rule are processed accordingly. Packets not matching any of the ACL rules are dropped. Address bindings in the DHCP snooping database are not checked.
◆ If multiple, identical invalid ARP packets are received consecutively on the same VLAN, then the logging facility will only generate one entry in the log buffer and one corresponding system message.
◆ The maximum number of entries that can be stored in the log buffer is determined by the message-number parameter. If the log buffer fills up before a message is sent, the oldest entry will be replaced with the newest one.
Command Usage
By default, ARP Inspection only checks the IP-to-MAC address bindings specified in an ARP ACL or in the DHCP Snooping database.

Example
Console(config)#ip arp inspection validate dst-mac
Console(config)#

ip arp inspection vlan
This command enables ARP Inspection for a specified VLAN or range of VLANs. Use the no form to disable this function.

Syntax
[no] ip arp inspection vlan {vlan-id | vlan-range}
vlan-id - VLAN ID.
Example
Console(config)#ip arp inspection vlan 1,2
Console(config)#

ip arp inspection limit
This command sets a rate limit for the ARP packets received on a port. Use the no form to restore the default setting.

Syntax
ip arp inspection limit {rate pps | none}
no ip arp inspection limit
pps - The maximum number of ARP packets that can be processed by the CPU per second on trusted or untrusted ports.
Command Mode
Interface Configuration (Port, Static Aggregation)

Command Usage
Packets arriving on untrusted ports are subject to any configured ARP Inspection and additional validation checks. Packets arriving on trusted ports bypass all of these checks, and are forwarded according to normal switching rules.
Example
Console#show ip arp inspection interface ethernet 1/1
Port Number   Trust Status   Rate Limit (pps)
------------- -------------- ----------------
Eth 1/1       Trusted        150
Console#

show ip arp inspection log
This command shows information about entries stored in the log, including the associated VLAN, port, and address components.
show ip arp inspection vlan
This command shows the configuration settings for VLANs, including ARP Inspection status, the ARP ACL name, and whether the DHCP Snooping database is used after ARP ACL validation is completed.

Syntax
show ip arp inspection vlan [vlan-id | vlan-range]
vlan-id - VLAN ID.
Denial of Service Protection

Table 64: DoS Protection Commands (Continued)
Command                           Function                                                                           Mode
dos-protection tcp-syn-fin-scan   Protects against DoS TCP-SYN/FIN-scan attacks                                      GC
dos-protection tcp-udp-port-zero  Protects against attacks which set the Layer 4 source or destination port to zero  GC
dos-protection tcp-xmas-scan      Protects against DoS TCP-XMAS-scan attacks                                         GC
dos-protection udp-flooding       Protects against DoS UDP-flooding attacks                                          GC
dos-protection
Default Setting
Disabled

Command Mode
Global Configuration

Example
Console(config)#dos-protection land
Console(config)#

dos-protection smurf
This command protects against DoS smurf attacks in which a perpetrator generates a large amount of spoofed ICMP Echo Request traffic to the broadcast destination IP address (255.255.255.255), all of which uses a spoofed source address of the intended victim.
rate – Maximum allowed rate. (Range: 64-2000 kbits/second)

Default Setting
Disabled, 1000 kbits/second

Command Mode
Global Configuration

Example
Console(config)#dos-protection tcp-flooding bit-rate-in-kilo 65
Console(config)#

dos-protection tcp-null-scan
This command protects against DoS TCP-null-scan attacks in which a TCP NULL scan message is used to identify listening TCP ports.
Default Setting
Disabled

Command Mode
Global Configuration

Example
Console(config)#dos-protection tcp-syn-fin-scan
Console(config)#

dos-protection tcp-udp-port-zero
This command protects against DoS attacks in which the TCP or UDP source port or destination port is set to zero. This technique may be used as a form of DoS attack, or it may just indicate a problem with the source device.
Example
Console(config)#dos-protection tcp-xmas-scan
Console(config)#

dos-protection udp-flooding
This command protects against DoS UDP-flooding attacks in which a perpetrator sends a large number of UDP packets (with or without a spoofed source IP) to random ports on a remote host. The target will determine that no application is listening at that port, and reply with an ICMP Destination Unreachable packet.
rate – Maximum allowed rate. (Range: 64-2000 kbits/second)

Default Setting
Disabled, 1000 kbits/second

Command Mode
Global Configuration

Example
Console(config)#dos-protection win-nuke bit-rate-in-kilo 65
Console(config)#

show dos-protection
This command shows the configuration settings for the DoS protection commands.
Port-based Traffic Segmentation

Table 65: Commands for Configuring Traffic Segmentation
Command                                Function                                                                                           Mode
traffic-segmentation                   Enables traffic segmentation                                                                       GC
traffic-segmentation session           Creates a client session                                                                           GC
traffic-segmentation uplink/downlink   Configures uplink/downlink ports for client sessions                                               GC
traffic-segmentation uplink-to-uplink  Specifies whether or not traffic can be forwarded between uplink ports assigned to different client sessions
Table 66: Traffic Segmentation Forwarding (Continued)
Source                     Destination
                           Session #1 Downlinks  Session #1 Uplinks    Session #2 Downlinks  Session #2 Uplinks  Normal Ports
Session #2 Downlink Ports  Blocking              Blocking              Blocking              Forwarding          Blocking
Session #2 Uplink Ports    Blocking              Blocking/Forwarding*  Forwarding            Forwarding          Forwarding
Normal Ports               Forwarding            Forwarding            Forwarding            Forwarding          Forwarding
* The forwarding stat
◆ Using the no form of this command will remove any assigned uplink or downlink ports, restoring these interfaces to normal operating mode.

Example
Console(config)#traffic-segmentation session 1
Console(config)#

traffic-segmentation uplink/downlink
This command configures the uplink and downlink ports for a segmented group of ports. Use the no form to remove a port from the segmented group.
◆ If a downlink port is not configured for the session, the assigned uplink ports will operate as normal ports.

Example
This example enables traffic segmentation, and then sets port 10 as the uplink and ports 5-8 as downlinks.
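The forwarding matrix of Table 66 together with the usage notes above (uplink-to-uplink forwarding, and uplinks of a session without downlinks behaving as normal ports), as an added Python example that is not the switch's code. It assumes the Session #1 rows mirror the Session #2 rows shown, and uses integers as constructed port numbers.

```python
"""Forwarding decision for port-based traffic segmentation, following Table 66
and the usage notes above.  Added example, not the switch's code.  The Session
#1 rows of the table are assumed to mirror the Session #2 rows shown, and ports
are plain integers standing for Eth 1/<n>.
"""


class TrafficSegmentation:
    def __init__(self):
        self.enabled = False           # 'traffic-segmentation'
        self.uplink_to_uplink = False  # 'traffic-segmentation uplink-to-uplink'
        self.sessions = {}             # session-id -> {"uplink": set(), "downlink": set()}

    def session(self, sid):
        """'traffic-segmentation session <sid>'"""
        self.sessions.setdefault(sid, {"uplink": set(), "downlink": set()})

    def assign(self, sid, role, ports):
        """'traffic-segmentation uplink/downlink' for a session."""
        if role not in ("uplink", "downlink"):
            raise ValueError(role)
        self.session(sid)
        self.sessions[sid][role].update(ports)

    def role(self, port):
        """'normal' or (session-id, 'uplink'|'downlink') for a port."""
        for sid, members in self.sessions.items():
            if port in members["downlink"]:
                return (sid, "downlink")
            if port in members["uplink"]:
                # Usage note: uplinks of a session with no downlink act as normal ports.
                return (sid, "uplink") if members["downlink"] else "normal"
        return "normal"

    def forwards(self, src_port, dst_port):
        """True if a frame entering src_port may be forwarded out of dst_port."""
        if not self.enabled:
            return True
        src, dst = self.role(src_port), self.role(dst_port)
        if src == "normal":
            return True                        # normal ports forward to everything
        sid, kind = src
        if kind == "downlink":
            # Downlinks reach only the uplinks of their own session.
            return dst == (sid, "uplink")
        # Uplinks reach normal ports and everything in their own session ...
        if dst == "normal" or dst[0] == sid:
            return True
        # ... and uplinks of other sessions only when uplink-to-uplink is enabled.
        return dst[1] == "uplink" and self.uplink_to_uplink


def demo():
    """Constructed topology: session 1 = uplink 10, downlinks 5-8;
    session 2 = uplink 12, downlinks 1-2; port 20 is a normal port."""
    ts = TrafficSegmentation()
    ts.enabled = True
    ts.assign(1, "uplink", [10])
    ts.assign(1, "downlink", range(5, 9))
    ts.assign(2, "uplink", [12])
    ts.assign(2, "downlink", [1, 2])
    matrix = {
        "downlink->own uplink": ts.forwards(5, 10),
        "downlink->sibling downlink": ts.forwards(5, 6),
        "downlink->normal": ts.forwards(5, 20),
        "uplink->own downlink": ts.forwards(10, 5),
        "uplink->other uplink": ts.forwards(10, 12),
        "uplink->other downlink": ts.forwards(10, 1),
        "normal->downlink": ts.forwards(20, 5),
    }
    ts.uplink_to_uplink = True
    matrix["uplink->other uplink (u2u on)"] = ts.forwards(10, 12)
    return matrix


if __name__ == "__main__":
    for path, ok in demo().items():
        print("%-32s %s" % (path, "Forwarding" if ok else "Blocking"))
```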
show traffic-segmentation
This command displays the configured traffic segments.

Syntax
show traffic-segmentation [session session-id]
session-id – Traffic segmentation session.
10 Access Control Lists

Access Control Lists (ACL) provide packet filtering for IPv4 frames (based on address, protocol, Layer 4 protocol port number or TCP control code), IPv6 frames (based on address, DSCP traffic class, or next header type), or any frames (based on MAC address or Ethernet type). To filter packets, first create an access list, add the required rules, and then bind the list to a specific port. This section describes the Access Control List commands.
Chapter 10 | Access Control Lists
IPv4 ACLs

access-list ip
This command adds an IP access list and enters configuration mode for standard or extended IPv4 ACLs. Use the no form to remove the specified ACL.

Syntax
[no] access-list ip {standard | extended} acl-name
standard – Specifies an ACL that filters packets based on the source IP address.
extended – Specifies an ACL that filters packets based on the source or destination IP address, and other more specific criteria.
acl-name – Name of the ACL.
bitmask – Dotted decimal number representing the address bits to match.
host – Keyword followed by a specific IP address.
time-range-name - Name of the time range. (Range: 1-32 characters)

Default Setting
None

Command Mode
Standard IPv4 ACL

Command Usage
◆ New rules are appended to the end of the list.
◆ Address bit masks are similar to a subnet mask, containing four integers from 0 to 255, each separated by a period.
[precedence precedence] [dscp dscp] [source-port sport [bitmask]] [destination-port dport [port-bitmask]]
{permit | deny} [icmp | tcp | udp] {any | source address-bitmask | host source} {any | destination address-bitmask | host destination} [precedence precedence] [dscp dscp] [source-port sport [bitmask]] [destination-port dport [port-bitmask]] [icmp-type icmp-type] [control-flag control-flags flag-bitmask] [time-range time-range-name]
no {permit | deny} [icmp |
Command Mode
Extended IPv4 ACL

Command Usage
◆ All new rules are appended to the end of the list.
◆ Address bit masks are similar to a subnet mask, containing four integers from 0 to 255, each separated by a period. The binary mask uses 1 bits to indicate “match” and 0 bits to indicate “ignore.”
This permits all TCP packets from class C addresses 192.168.1.0 with the TCP control code set to “SYN.”

Console(config-ext-acl)#permit tcp 192.168.1.0 255.255.255.0 any control-flag 2 2
Console(config-ext-acl)#

Related Commands
access-list ip (368)
Time Range (167)

ip access-group
This command binds an IPv4 ACL to a port. Use the no form to remove the port.
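The extended IPv4 ACL matching semantics described above (address bitmask with 1 = match and 0 = ignore, port bitmasks, and control-flag with a flag bitmask as in the SYN example), as an added Python example that is not the switch's implementation. The rule set, the packets and the action taken when no rule matches are constructed or assumed, since the guide does not state the default here.

```python
"""Extended IPv4 ACL evaluation as an added example (not the switch's
implementation): address bitmask (1 bits compared, 0 bits ignored), optional
port with port-bitmask, and 'control-flag <flags> <flag-bitmask>' on TCP.
Rules are tried in the order they were added; the action for a packet that
matches no rule is a parameter, since the guide does not state it here.
Packets are constructed dicts; TCP flag bit values follow the TCP header
(FIN=0x01, SYN=0x02, ACK=0x10).
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


def _ip(text):
    return int(ipaddress.IPv4Address(text))


@dataclass
class Rule:
    action: str                        # "permit" or "deny"
    proto: Optional[str] = None        # "tcp", "udp", "icmp"; None matches any IP
    src: str = "any"                   # "any", "host A.B.C.D" or "A.B.C.D M.M.M.M"
    dst: str = "any"
    sport: Optional[Tuple[int, int]] = None   # (port, port-bitmask)
    dport: Optional[Tuple[int, int]] = None
    flags: Optional[Tuple[int, int]] = None   # (control-flags, flag-bitmask)


def address_matches(spec, addr):
    """'A.B.C.D M.M.M.M' compares only the bits set in the mask."""
    if spec == "any":
        return True
    words = spec.split()
    if words[0] == "host":
        return _ip(words[1]) == _ip(addr)
    base, mask = _ip(words[0]), _ip(words[1])
    return (_ip(addr) & mask) == (base & mask)


def masked_matches(spec, value):
    """Generic '<value> <bitmask>' comparison used for ports and control flags."""
    if spec is None:
        return True
    wanted, mask = spec
    return (value & mask) == (wanted & mask)


def rule_matches(rule, pkt):
    if rule.proto is not None and pkt["proto"] != rule.proto:
        return False
    if rule.flags is not None and pkt["proto"] != "tcp":
        return False
    return (address_matches(rule.src, pkt["src"])
            and address_matches(rule.dst, pkt["dst"])
            and masked_matches(rule.sport, pkt.get("sport", 0))
            and masked_matches(rule.dport, pkt.get("dport", 0))
            and masked_matches(rule.flags, pkt.get("flags", 0)))


def acl_decision(rules, pkt, default="deny"):
    """First matching rule decides; 'default' applies when nothing matches."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action
    return default


# Constructed ACL mirroring the rules shown in this chapter:
#   permit tcp 192.168.1.0 255.255.255.0 any destination-port 80
#   permit tcp 192.168.1.0 255.255.255.0 any control-flag 2 2     (SYN bit set)
DAVID = [
    Rule("permit", "tcp", "192.168.1.0 255.255.255.0", "any", dport=(80, 0xFFFF)),
    Rule("permit", "tcp", "192.168.1.0 255.255.255.0", "any", flags=(0x02, 0x02)),
]


def classify(pkt):
    return acl_decision(DAVID, pkt)


if __name__ == "__main__":
    syn = {"proto": "tcp", "src": "192.168.1.77", "dst": "10.1.1.5",
           "sport": 40000, "dport": 443, "flags": 0x02}
    ack = dict(syn, flags=0x10)
    print("SYN from 192.168.1.77:", classify(syn))   # permit (second rule)
    print("ACK from 192.168.1.77:", classify(ack))   # deny (no rule matches)
```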
show ip access-group
This command shows the ports assigned to IP ACLs.

Command Mode
Privileged Exec

Example
Console#show ip access-group
Interface ethernet 1/2
 IP access-list david in
Console#

show ip access-list
This command displays the rules for configured IPv4 ACLs.

Syntax
show ip access-list {standard | extended} [acl-name]
standard – Specifies a standard IP ACL.
extended – Specifies an extended IP ACL.
acl-name – Name of the ACL.
IPv6 ACLs

The commands in this section configure ACLs based on IPv6 addresses, DSCP traffic class, or next header type. To configure IPv6 ACLs, first create an access list containing the required permit or deny rules, and then bind the access list to one or more ports.
◆ An ACL can contain up to 64 rules.

Example
Console(config)#access-list ipv6 standard david
Console(config-std-ipv6-acl)#

Related Commands
permit, deny (Standard IPv6 ACL) (375)
permit, deny (Extended IPv6 ACL) (376)
ipv6 access-group (378)
show ipv6 access-list (379)

permit, deny (Standard IPv6 ACL)
This command adds a rule to a Standard IPv6 ACL. The rule sets a filter condition for packets emanating from the specified source.
Example
This example configures one permit rule for the specific address 2009:DB9:2229::79 and another rule for the addresses with the network prefix 2009:DB9:2229:5::/64.

Console(config-std-ipv6-acl)#permit host 2009:DB9:2229::79
Console(config-std-ipv6-acl)#permit 2009:DB9:2229:5::/64
Console(config-std-ipv6-acl)#

Related Commands
access-list ipv6 (374)
Time Range (167)

permit, deny (Extended IPv6 ACL)
This command adds a rule to an Extended IPv6 ACL.
be used in the address to indicate the appropriate number of zeros required to fill the undefined fields.
destination-ipv6-address - An IPv6 destination address or network class. The address must be formatted according to RFC 2373 “IPv6 Addressing Architecture,” using 8 colon-separated 16-bit hexadecimal values. One double colon may be used in the address to indicate the appropriate number of zeros required to fill the undefined fields.
Example
This example accepts any incoming packets if the destination address is 2009:DB9:2229::79/8.

Console(config-ext-ipv6-acl)#permit any 2009:db90:2229::79/8
Console(config-ext-ipv6-acl)#

This allows packets to any destination address when the DSCP value is 5.

Console(config-ext-ipv6-acl)#permit any any dscp 5
Console(config-ext-ipv6-acl)#

This allows any packets sent from any source to any destination when the next header is 43.
Command Usage
If a port is already bound to an ACL and you bind it to a different ACL, the switch will replace the old binding with the new one.

Example
Console(config)#interface ethernet 1/2
Console(config-if)#ipv6 access-group standard david in
Console(config-if)#

Related Commands
show ipv6 access-list (379)
Time Range (167)

show ipv6 access-group
This command shows the ports assigned to IPv6 ACLs.
 permit 2009:DB9:2229:5::/64
Console#

Related Commands
permit, deny (Standard IPv6 ACL) (375)
permit, deny (Extended IPv6 ACL) (376)
ipv6 access-group (378)

MAC ACLs

The commands in this section configure ACLs based on hardware addresses, packet format, and Ethernet type. The ACLs can further specify optional IP and IPv6 addresses including protocol type and upper layer ports.
Command Usage
◆ When you create a new ACL or enter configuration mode for an existing ACL, use the permit or deny command to add new rules to the bottom of the list.
◆ To remove a rule, use the no permit or no deny command followed by the exact text of a previously configured rule.
◆ An ACL can contain up to 2048 rules.
[ethertype ethertype [ethertype-bitmask]] [protocol protocol] [l4-source-port sport [port-bitmask]] [l4-destination-port dport [port-bitmask]]

Note: The default is for Ethernet II packets.
no {permit | deny} untagged-eth2 {any | host source | source address} {any | host destination | destination address} [ip {any | host source-ip | source-ip network-mask} {any | host destination-ip | destination-ip network-mask}] [ipv6 {any | host source-ipv6 | source-ipv6/prefix-length} {any | host destination-ipv6 | destination-ipv6/prefix-length}] [ethertype ethertype [ethertype-bitmask]] [protocol protocol] [l4-source-port sport [port-bitmask]] [l4-destination-p
vid – VLAN ID. (Range: 1-4094)
vid-bitmask – VLAN bitmask. (Range: 1-4095)
ethertype – A specific Ethernet protocol number. (Range: 0-ffff hex)
ethertype-bitmask – Protocol bitmask. (Range: 0-ffff hex)
protocol - IP protocol or IPv6 next header. (Range: 0-255) For information on next headers, see permit, deny (Extended IPv6 ACL).
sport – Protocol source port number. (Range: 0-65535)
dport – Protocol destination port number.
mac access-group
This command binds a MAC ACL to a port. Use the no form to remove the port.

Syntax
mac access-group acl-name {in | out} [time-range time-range-name] [counter]
no mac access-group acl-name {in | out}
acl-name – Name of the ACL. (Maximum length: 32 characters)
in – Indicates that this list applies to ingress packets.
out – Indicates that this list applies to egress packets.
time-range-name - Name of the time range.
Related Commands
mac access-group (385)

show mac access-list
This command displays the rules for configured MAC ACLs.

Syntax
show mac access-list [acl-name]
acl-name – Name of the ACL.

ARP ACLs
acl-name – Name of the ACL. (Maximum length: 32 characters)

Default Setting
None

Command Mode
Global Configuration

Command Usage
◆ When you create a new ACL or enter configuration mode for an existing ACL, use the permit or deny command to add new rules to the bottom of the list. To create an ACL, you must add at least one rule to the list.
◆ To remove a rule, use the no permit or no deny command followed by the exact text of a previously configured rule.
{any | host destination-ip | destination-ip ip-address-bitmask} mac {any | host source-mac | source-mac mac-address-bitmask} [any | host destination-mac | destination-mac mac-address-bitmask] [log]
source-ip – Source IP address.
destination-ip – Destination IP address with bitmask.
ip-address-bitmask – IPv4 number representing the address bits to match.
source-mac – Source MAC address.
destination-mac – Destination MAC address range with bitmask.
Example
Console#show access-list arp
ARP access-list factory:
 permit response ip any 192.168.0.0 255.255.0.0 mac any any
Console#

Related Commands
permit, deny (387)

ACL Information

This section describes commands used to display ACL information.
show access-group
This command shows the port assignments of ACLs.

Command Mode
Privileged Exec

Example
Console#show access-group
Interface ethernet 1/1
 IP access-list ex1 in
 IP access-list ex1 out
Interface ethernet 1/2
 IPv6 access-list i6ex in
 IPv6 access-list i6ex out
Console#

show access-list
This command shows all ACLs and associated rules.
 permit TCP 192.168.1.0 255.255.255.0 any destination-port 80
 permit TCP 192.168.1.0 255.255.255.0 any control-flag 2 2
 permit 10.7.1.1 255.255.255.0 any
MAC access-list jerry:
 permit any host 00-30-29-94-34-de ethertype 800 800
 permit any any VID 1 ethertype 0000 cos 1 1
IP extended access-list A6:
 permit any any DSCP 5
 permit any any next-header 43
 permit any 2009:db90:2229::79/8
ARP access-list arp1:
 permit response ip any 192.168.0.0 255.255.0.
11 Interface Commands

These commands are used to display or set communication parameters for an Ethernet port, aggregated link, or VLAN; or perform cable diagnostics on the specified interface.
Chapter 11 | Interface Commands

Table 73: Interface Commands (Continued)
Command                        Function                                                                                                        Mode
Transceiver Threshold Configuration
transceiver-monitor            Sends a trap when any of the transceiver’s operational values fall outside specified thresholds                 IC
transceiver-threshold-auto     Uses default threshold settings obtained from the transceiver to determine when an alarm or trap message should be sent  IC
transceiver-threshold current  Sets thresholds for transceiver current which can be used to trigger an
Interface Configuration

interface
This command configures an interface type and enters interface configuration mode. Use the no form with a trunk to remove an inactive interface. Use the no form with a Layer 3 VLAN (normal type) to change it back to a Layer 2 interface.

Syntax
interface interface
no interface interface [port-channel channel-id | vlan vlan-id]
interface
  craft - Management port on the front panel.
  ethernet unit/port-list
    unit - Unit identifier.
capabilities
This command advertises the port capabilities of a given interface during auto-negotiation. Use the no form with parameters to remove an advertised capability, or the no form without parameters to restore the default values.
alias
This command configures an alias name for the interface. Use the no form to remove the alias name.

Syntax
alias string
no alias
string - A mnemonic name to help you remember what is attached to this interface. (Range: 1-64 characters)

Default Setting
None

Command Mode
Interface Configuration (Ethernet, Port Channel)

Command Usage
The alias is displayed in the running-configuration file.
Chapter 11 | Interface Commands Command Usage The description is displayed by the show interfaces status command and in the running-configuration file. An example of the value which a network manager might store in this object is the name of the manufacturer, and the product name. Example The following example adds a description to port 4. Console(config)#interface ethernet 1/4 Console(config-if)#description RD-SW#3 Console(config-if)# discard This command discards CDP or PVST packets.
Default Setting Disabled Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage Flow control can eliminate frame loss by “blocking” traffic from end stations or segments connected directly to the switch when its buffers fill. When enabled, back pressure is used for half-duplex operation and IEEE 802.3-2002 (formerly IEEE 802.3x) for full-duplex operation. Example The following example enables flow control on port 5.
Example This example sets an interval of 15 minutes for sampling standard statistical values on port 1.
Console(config)#interface ethernet 1/1
Console(config-if)#history 15min 15 10
Console(config-if)#
media-type This command forces the transceiver mode to use for SFP+ ports. Use the no form to restore the default mode. Syntax media-type sfp-forced [mode] no media-type sfp-forced - Forces transceiver mode for the SFP/SFP+ port. mode 1000sfp - Always uses 1000BASE SFP mode.
Chapter 11 | Interface Commands Default Setting Enabled Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage ◆ 1000BASE-T does not support forced mode. Auto-negotiation should always be used to establish a connection over any 1000BASE-T port or trunk. ◆ When auto-negotiation is enabled the switch will negotiate the best settings for a link based on the capabilities command.
Chapter 11 | Interface Commands Example The following example disables port 5. Console(config)#interface ethernet 1/5 Console(config-if)#shutdown Console(config-if)# speed-duplex This command configures the speed and duplex mode of a given interface when auto-negotiation is disabled. Use the no form to restore the default.
Chapter 11 | Interface Commands clear counters This command clears statistics on an interface. Syntax clear counters interface interface ethernet unit/port unit - Unit identifier. (Range: 1) port - Port number. (Range: 1-18) port-channel channel-id (Range: 1-12) Default Setting None Command Mode Privileged Exec Command Usage Statistics are only initialized for a power reset. This command sets the base value for displayed statistics to zero for the current management session.
Chapter 11 | Interface Commands 1x40g - Configures the port as a single 40G port. 4x10g - Configures the port as four 10G ports. reset - Configures port mode to the default setting. Default Setting The example under the show hardware profile portmode command shows the default settings for this switch.
show discard This command displays whether or not CDP and PVST packets are being discarded. Command Mode Privileged Exec Example In this example, “No” means that the packets are not discarded.
Console#show discard
Port     CDP     PVST
-------- ------- -------
Eth 1/ 1 No      No
Eth 1/ 2 No      No
Eth 1/ 3 No      No
Eth 1/ 4 No      No
Eth 1/ 5 No      No
Eth 1/ 6 No      No
.
.
.
show interfaces counters This command displays interface statistics. Syntax show interfaces counters [interface] interface ethernet unit/port unit - Unit identifier. (Range: 1) port - Port number. (Range: 1-18) port-channel channel-id (Range: 1-12) Default Setting Shows the counters for all interfaces. Command Mode Normal Exec, Privileged Exec Command Usage If no interface is specified, information on all interfaces is displayed.
       0 Pause Frames Input
       0 Pause Frames Output
===== RMON Stats =====
       0 Drop Events
16900558 Octets
   40243 Packets
     170 Broadcast PKTS
      23 Multi-cast PKTS
       0 Undersize PKTS
       0 Oversize PKTS
       0 Fragments
       0 Jabbers
       0 CRC Align Errors
       0 Collisions
     802 Packet Size <= 64 Octets
      83 Packet Size 65 to 127 Octets
      99 Packet Size 128 to 255 Octets
      25 Packet Size 256 to 511 Octets
       6 Packet Size 512 to 1023 Octets
       0 Packet Size 1024 to 1518 Octets
===== Port Utilization (recent 300 seconds) =====
Chapter 11 | Interface Commands Table 74: show interfaces counters - display description (Continued) Parameter Description Multicast Input The number of packets, delivered by this sub-layer to a higher (sub)layer, which were addressed to a multicast address at this sub-layer. Multicast Output The total number of packets that higher-level protocols requested be transmitted, and which were addressed to a multicast address at this sub-layer, including those that were discarded or not sent.
Chapter 11 | Interface Commands Table 74: show interfaces counters - display description (Continued) Parameter Description Packets The total number of packets (bad, broadcast and multicast) received. Broadcast Packets The total number of good packets received that were directed to the broadcast address. Note that this does not include multicast packets. Multicast Packets The total number of good packets received that were directed to this multicast address.
show interfaces history This command displays periodic sampling of statistics, including the sampling interval, number of samples, and counter values. Syntax show interfaces history [interface [name [current | previous index count] [input | output]]] interface ethernet unit/port unit - Unit identifier. (Range: 1) port - Port number. (Range: 1-18) port-channel channel-id (Range: 1-12) vlan vlan-id (Range: 1-4094) name - Name of sample as defined in the history command.
Start Time    %     Octets Input   Unicast   Multicast   Broadcast
00d 04:15:00  0.00  3201           0         31          6
Errors
0
%     Octets Output   Unicast   Multicast   Broadcast
0.00  716             4         2           0
Discards   Errors
0          0
Previous Entries
Start Time    %     Octets Input   Unicast   Multicast   Broadcast
00d 00:00:00  0.00  52248          0         560         120
00d 00:15:00  0.00  51278          0         549         99
00d 00:30:00  0.
Chapter 11 | Interface Commands show interfaces status This command displays the status for an interface. Syntax show interfaces status [interface] interface ethernet unit/port unit - Unit identifier. (Range: 1) port - Port number. (Range: 1-18) port-channel channel-id (Range: 1-12) vlan vlan-id (Range: 1-4094) Default Setting Shows the status for all interfaces. Command Mode Normal Exec, Privileged Exec Command Usage If no interface is specified, information on all interfaces is displayed.
show interfaces switchport This command displays the administrative and operational status of the specified switchport interfaces. Syntax show interfaces switchport [interface] interface ethernet unit/port unit - Unit identifier. (Range: 1) port - Port number. (Range: 1-18) port-channel channel-id (Range: 1-12) Default Setting Shows all interfaces. Command Mode Normal Exec, Privileged Exec Command Usage If no interface is specified, information on all interfaces is displayed.
Chapter 11 | Interface Commands Table 75: show interfaces switchport - display description Field Description Broadcast Threshold Shows if broadcast storm suppression is enabled or disabled; if enabled it also shows the threshold level (page 459). Multicast Threshold Shows if multicast storm suppression is enabled or disabled; if enabled it also shows the threshold level (page 459).
Chapter 11 | Interface Commands Transceiver Threshold Configuration transceiver-monitor This command sends a trap when any of the transceiver’s operational values fall outside of specified thresholds. Use the no form to disable trap messages.
transceiver-threshold current This command sets thresholds for transceiver current which can be used to trigger an alarm or warning message. Use the no form to restore the default settings. Syntax transceiver-threshold current {high-alarm | high-warning | low-alarm | low-warning} threshold-value high-alarm – Sets the high current threshold for an alarm message. high-warning – Sets the high current threshold for a warning message.
Example The following example sets alarm thresholds for the transceiver current at port 9.
Console(config)#interface ethernet 1/9
Console(config-if)#transceiver-threshold current low-alarm 100
Console(config-if)#transceiver-threshold rx-power high-alarm 700
Console(config-if)#
transceiver-threshold rx-power This command sets thresholds for the transceiver power level of the received signal which can be used to trigger an alarm or warning message.
Example The following example sets alarm thresholds for the signal power received at port 1.
Console(config)#interface ethernet 1/1
Console(config-if)#transceiver-threshold rx-power low-alarm -21
Console(config-if)#transceiver-threshold rx-power high-alarm -3
Console(config-if)#
transceiver-threshold temperature This command sets thresholds for the transceiver temperature which can be used to trigger an alarm or warning message. Use the no form to restore the default settings.
Example The following example sets alarm thresholds for the transceiver temperature at port 1. (The low alarm must lie below the high alarm; a set entered the other way round keeps the port permanently in alarm.)
Console(config)#interface ethernet 1/1
Console(config-if)#transceiver-threshold temperature low-alarm -83
Console(config-if)#transceiver-threshold temperature high-alarm 97
Console(config-if)#
transceiver-threshold tx-power This command sets thresholds for the transceiver power level of the transmitted signal which can be used to trigger an alarm or warning message.
Example The following example sets alarm thresholds for the signal power transmitted at port 9.
Console(config)#interface ethernet 1/9
Console(config-if)#transceiver-threshold tx-power low-alarm -4000
Console(config-if)#transceiver-threshold tx-power high-alarm 820
Console(config-if)#
transceiver-threshold voltage This command sets thresholds for the transceiver voltage which can be used to trigger an alarm or warning message. Use the no form to restore the default settings.
Chapter 11 | Interface Commands Example The following example sets alarm thresholds for the transceiver voltage at port 9.
DDM Information
 Temperature  : 35.64 degree C
 Vcc          : 3.25 V
 Bias Current : 12.13 mA
 TX Power     : 2.36 dBm
 RX Power     : -24.20 dBm
DDM Thresholds
                       Low Alarm   Low Warning   High Warning   High Alarm
                       ----------  ------------  ------------   ----------
 Temperature(Celsius)      -45.00        -40.00         85.00        90.00
 Voltage(Volts)              2.90          3.00          3.60         3.70
 Current(mA)                 1.00          3.00         50.00        60.00
 TxPower(dBm)              -11.50        -10.50         -2.00        -1.00
 RxPower(dBm)              -23.98        -23.01         -1.00         0.
Console#
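To show how the threshold commands above fit together, here is an added Python example (not from this guide or the switch firmware) that parses readings and thresholds in the layout of the DDM display shown above, checks that each threshold set is ordered, and classifies every reading as alarm, warning or normal the way transceiver-monitor would. The sample text is constructed for the example; the RxPower high alarm, truncated on this page, is taken as 0.00.

```python
"""Evaluate transceiver DDM readings against alarm/warning thresholds.

Added example, not from the switch firmware. It parses constructed text in
the layout of the switch's DDM display and classifies each reading the way
transceiver-monitor would (alarm / warning / normal).
"""
import re

# Constructed sample readings, in the layout of the switch's DDM display.
SAMPLE_DDM = """\
Temperature  : 35.64 degree C
Vcc          : 3.25 V
Bias Current : 12.13 mA
TX Power     : 2.36 dBm
RX Power     : -24.20 dBm
"""

# Constructed threshold table in the same layout (the RxPower high alarm is
# truncated on the page; 0.00 is assumed here).
SAMPLE_THRESHOLDS = """\
                      Low Alarm   Low Warning   High Warning   High Alarm
Temperature(Celsius)     -45.00        -40.00          85.00        90.00
Voltage(Volts)             2.90          3.00           3.60         3.70
Current(mA)                1.00          3.00          50.00        60.00
TxPower(dBm)             -11.50        -10.50          -2.00        -1.00
RxPower(dBm)             -23.98        -23.01          -1.00         0.00
"""

# Which threshold row governs which reading.
READING_TO_ROW = {
    "Temperature": "Temperature(Celsius)",
    "Vcc": "Voltage(Volts)",
    "Bias Current": "Current(mA)",
    "TX Power": "TxPower(dBm)",
    "RX Power": "RxPower(dBm)",
}


def parse_readings(text):
    """Return {label: value} from 'Label : value unit' lines."""
    readings = {}
    for line in text.splitlines():
        m = re.match(r"\s*(.+?)\s*:\s*(-?\d+(?:\.\d+)?)", line)
        if m:
            readings[m.group(1)] = float(m.group(2))
    return readings


def parse_thresholds(text):
    """Return {row: (low_alarm, low_warning, high_warning, high_alarm)}."""
    thresholds = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[0] in READING_TO_ROW.values():
            thresholds[parts[0]] = tuple(float(p) for p in parts[1:])
    return thresholds


def thresholds_ordered(t):
    """A usable set satisfies low-alarm <= low-warning <= high-warning <= high-alarm.
    Anything else (e.g. low and high alarm typed the wrong way round) would keep
    the monitor in alarm permanently, so treat it as a configuration error."""
    low_alarm, low_warning, high_warning, high_alarm = t
    return low_alarm <= low_warning <= high_warning <= high_alarm


def classify(value, t):
    """Severity the way transceiver-monitor would report it."""
    low_alarm, low_warning, high_warning, high_alarm = t
    if value <= low_alarm or value >= high_alarm:
        return "alarm"
    if value <= low_warning or value >= high_warning:
        return "warning"
    return "normal"


def evaluate(readings_text, thresholds_text):
    """Classify every reading; rows with unordered thresholds are flagged."""
    readings = parse_readings(readings_text)
    thresholds = parse_thresholds(thresholds_text)
    report = {}
    for label, row in READING_TO_ROW.items():
        t = thresholds[row]
        report[label] = classify(readings[label], t) if thresholds_ordered(t) else "misconfigured"
    return report


if __name__ == "__main__":
    for label, severity in evaluate(SAMPLE_DDM, SAMPLE_THRESHOLDS).items():
        print(f"{label:13s} {severity}")
```

With the constructed sample, TX power (2.36 dBm, above the -1.00 dBm high alarm) and RX power (-24.20 dBm, below the -23.98 dBm low alarm) both classify as alarm while temperature, voltage and bias current are normal. The ordering check catches a threshold set whose low and high values were typed the wrong way round. On a fibre link, a sustained and otherwise unexplained drop in RX power below its low-alarm threshold is also one of the few observable signatures of a passive optical tap inserted in the path, so these traps are worth routing to the security team as well as to the NOC.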
                       Low Alarm   Low Warning   High Warning   High Alarm
                       ----------  ------------  ------------   ----------
 Temperature(Celsius)     -123.00          0.00         70.00        75.00
 Voltage(Volts)              3.10          3.15          3.45         3.50
 Current(mA)                 6.00          7.00         90.00       100.00
 TxPower(dBm)              -12.00        -11.50         -9.50        -9.00
 RxPower(dBm)              -21.50        -21.00         -3.50        -3.00
Console#
Cable Diagnostics
test cable-diagnostics This command performs cable diagnostics on the specified port to diagnose any cable faults (short, open, etc.
Example
Console#test cable-diagnostics interface ethernet 1/24
Console#
show cable-diagnostics This command shows the results of a cable diagnostics test. Syntax show cable-diagnostics interface [interface] interface ethernet unit/port unit - Unit identifier. (Range: 1) port - Port number.
UN: Unknown
Port     Type  Link Status  Pair A   Pair B   Pair C   Pair D   Last
                            meters   meters   meters   meters   Updated
-------- ----  -----------  -------- -------- -------- -------- -------------------
Eth 1/ 7 GE    Up           OK (8)   OK (8)   OK (8)   OK (8)   2019-07-16 11:54:24
Console#
Power Savings
power-save This command enables power savings mode on the specified port. Use the no form to disable this feature.
◆ When the power-save command is enabled and traffic is reduced, power consumption is reduced as well. For example, factory hardware component testing has shown that significant power reductions (>10%-45%) are realized when 1000M Ethernet ports operate at slower rates from 300 to 0 Mbps. Note: Power savings can only be implemented on Ethernet ports using twisted-pair cabling.
12 Link Aggregation Commands Ports can be statically grouped into an aggregate link (i.e., trunk) to increase the bandwidth of a network connection or to ensure fault recovery. Or you can use the Link Aggregation Control Protocol (LACP) to automatically negotiate a trunk link between this switch and another network device. For static trunks, the switches have to comply with the Cisco EtherChannel standard. For dynamic trunks, the switches have to comply with LACP. This switch supports up to 12 trunks.
Chapter 12 | Link Aggregation Commands
Table 76: Link Aggregation Commands
Command | Function | Mode
show mlag | Shows MLAG configuration settings | PE
show mlag group | Shows MLAG group settings | PE
show mlag domain | Shows MLAG domain settings | PE
Guidelines for Creating Trunks
General Guidelines
◆ Finish configuring trunks before you connect the corresponding network cables between switches to avoid creating a loop.
◆ A trunk can have up to 8 ports.
Manual Configuration Commands port-channel load-balance This command sets the load-distribution method among ports in aggregated links (for both static and dynamic trunks). Use the no form to restore the default setting. Syntax port-channel load-balance {dst-ip | dst-mac | src-dst-ip | src-dst-mac | src-ip | src-mac} no port-channel load-balance dst-ip - Load balancing based on destination IP address. dst-mac - Load balancing based on destination MAC address.
Chapter 12 | Link Aggregation Commands router trunk links where traffic through the switch is received from and destined for many different hosts. ■ src-dst-mac: All traffic with the same source and destination MAC address is output on the same link in a trunk. This mode works best for switch-toswitch trunk links where traffic through the switch is received from and destined for many different hosts. ■ src-ip: All traffic with the same source IP address is output on the same link in a trunk.
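To make the point about which mode suits a router-facing trunk concrete, here is an added Python model (not the switch's own hashing, which this page does not document): it pins each flow to a trunk member from the header fields the selected mode uses, with CRC-32 as a stand-in for the ASIC hash, over constructed flows that all arrive through one router and go to one server. The MAC addresses, IP ranges and member count are assumptions made for the example.

```python
"""Show which trunk member a flow lands on under each port-channel load-balance mode.

Added example, not the switch's hashing algorithm. CRC-32 stands in for the
undocumented ASIC hash; the property that matters, same key -> same link,
holds for any deterministic hash.
"""
import zlib

# Header fields each port-channel load-balance mode feeds into the hash.
MODES = {
    "dst-ip":      ("dst_ip",),
    "dst-mac":     ("dst_mac",),
    "src-dst-ip":  ("src_ip", "dst_ip"),
    "src-dst-mac": ("src_mac", "dst_mac"),
    "src-ip":      ("src_ip",),
    "src-mac":     ("src_mac",),
}


def member_for(flow, mode, members):
    """Trunk member index (0..members-1) a flow is pinned to under `mode`."""
    key = "|".join(flow[field] for field in MODES[mode]).encode()
    return zlib.crc32(key) % members


def distribution(flows, mode, members):
    """How many of `flows` land on each member link."""
    counts = [0] * members
    for flow in flows:
        counts[member_for(flow, mode, members)] += 1
    return counts


def is_polarized(counts):
    """True when every flow ended up on a single member link."""
    return sum(1 for c in counts if c) == 1


# Constructed traffic: 32 client flows arriving through one router toward one
# server. Every frame carries the router's MAC as source and the server's as
# destination, so only the IP fields differ between flows.
ROUTER_MAC = "00-11-22-33-44-55"   # assumed
SERVER_MAC = "00-aa-bb-cc-dd-ee"   # assumed
FLOWS = [
    {"src_mac": ROUTER_MAC, "dst_mac": SERVER_MAC,
     "src_ip": f"10.0.{subnet}.{host}", "dst_ip": "192.168.1.10"}
    for subnet in range(4) for host in range(1, 9)
]

if __name__ == "__main__":
    for mode in MODES:
        counts = distribution(FLOWS, mode, 4)
        print(f"{mode:12s} {counts}  polarized={is_polarized(counts)}")
```

Because every frame from the router carries the same source and destination MAC, src-dst-mac, src-mac and dst-mac collapse all 32 flows onto one member of a 4-port trunk, and dst-ip does the same here because there is a single server; src-dst-ip and src-ip spread them. That is the mechanism behind the guidance above: on a router trunk, MAC-based modes leave one link carrying the load the others were meant to share.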
Chapter 12 | Link Aggregation Commands Example The following example creates trunk 1 and then adds port 10: Console(config)#interface port-channel 1 Console(config-if)#exit Console(config)#interface ethernet 1/10 Console(config-if)#channel-group 1 Console(config-if)# Dynamic Configuration Commands lacp This command enables 802.3ad Link Aggregation Control Protocol (LACP) for the current interface. Use the no form to disable it.
Console#show interfaces status port-channel 1
Information of Trunk 1
Basic Information:
 Port Type                   : 10GBASE SFP+
 MAC Address                 : 12-34-12-34-12-3F
Configuration:
 Name                        :
 Port Admin                  : Up
 Speed-duplex                : 10Gfull
 Broadcast Storm             : Enabled
 Broadcast Storm Limit       : 500 packets/second
 Multicast Storm             : Disabled
 Multicast Storm Limit       : 500 packets/second
 Unknown Unicast Storm       : Disabled
 Unknown Unicast Storm Limit : 500 packets/second
 Storm Threshold Resolution  : 1 packets/second
Command Mode Interface Configuration (Ethernet) Command Usage ◆ An LACP trunk cannot be instantiated if both sides are set to passive. Example
Console(config)#interface ethernet 1/5
Console(config-if)#lacp actor mode passive
Console(config-if)#
lacp admin-key (Ethernet Interface) This command configures a port's LACP administration key. Use the no form to restore the default setting.
Chapter 12 | Link Aggregation Commands Note: Configuring the partner admin-key does not affect remote or local switch operation. The local switch just records the partner admin-key for user reference. ◆ If the admin key is not set, the actor’s operational key is determined by port's link speed (40G - 6, 10G - 5). Example Console(config)#interface ethernet 1/5 Console(config-if)#lacp actor admin-key 120 Console(config-if)# lacp port-priority This command configures LACP port priority.
Chapter 12 | Link Aggregation Commands Example Console(config)#interface ethernet 1/5 Console(config-if)#lacp actor port-priority 128 lacp system-priority This command configures a port's LACP system priority. Use the no form to restore the default setting. Syntax lacp {actor | partner} system-priority priority no lacp {actor | partner} system-priority actor - The local side an aggregate link. partner - The remote side of an aggregate link.
lacp admin-key (Port Channel) This command configures a port channel's LACP administration key. Use the no form to restore the default setting. Syntax lacp admin-key key no lacp admin-key key - The port channel admin key is used to identify a specific link aggregation group (LAG) during local LACP setup on this switch.
Chapter 12 | Link Aggregation Commands Command Usage ◆ The timeout configured by this command is set in the LACP timeout bit of the Actor State field in transmitted LACPDUs. When the partner switch receives an LACPDU set with a short timeout from the actor switch, the partner adjusts the transmit LACPDU interval to 1 second. When it receives an LACPDU set with a long timeout from the actor, it adjusts the transmit LACPDU interval to 30 seconds.
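The Actor State octet that carries the LACP_Activity and LACP_Timeout bits discussed above (the passive/passive rule and the 1-second/30-second transmit intervals), as an added Python example that is not code from this guide or the switch: it encodes and decodes the octet, extracts it from a constructed LACPDU, and derives the partner's transmit interval and the partner-information timeout (three periodic intervals, per IEEE 802.3ad, now IEEE 802.1AX) from the timeout bit. The sample LACPDU bytes, system ID and port numbers are constructed for the example.

```python
"""Encode/decode the 802.3ad Actor State octet and derive LACP timing from it.

Added example, not from this guide or the switch firmware. Bit layout and
timer values follow IEEE 802.3ad clause 43 (now IEEE 802.1AX).
"""

# Bit positions of the Actor_State / Partner_State octet in an LACPDU.
LACP_ACTIVITY   = 1 << 0   # 1 = active, 0 = passive
LACP_TIMEOUT    = 1 << 1   # 1 = short timeout, 0 = long timeout
AGGREGATION     = 1 << 2   # port is aggregatable
SYNCHRONIZATION = 1 << 3
COLLECTING      = 1 << 4
DISTRIBUTING    = 1 << 5
DEFAULTED       = 1 << 6   # using administratively configured partner info
EXPIRED         = 1 << 7   # partner information has timed out

FAST_PERIODIC_TIME = 1     # seconds between LACPDUs when the peer asked for short timeout
SLOW_PERIODIC_TIME = 30    # seconds between LACPDUs when the peer asked for long timeout
TIMEOUT_MULTIPLIER = 3     # partner info is aged out after three missed LACPDUs


def encode_state(active, short_timeout, aggregatable=True, sync=False,
                 collecting=False, distributing=False, defaulted=False, expired=False):
    """Build the state octet from its flags."""
    flags = [
        (active, LACP_ACTIVITY), (short_timeout, LACP_TIMEOUT), (aggregatable, AGGREGATION),
        (sync, SYNCHRONIZATION), (collecting, COLLECTING), (distributing, DISTRIBUTING),
        (defaulted, DEFAULTED), (expired, EXPIRED),
    ]
    return sum(bit for on, bit in flags if on)


def decode_state(octet):
    """Split a received state octet back into named flags."""
    return {
        "active": bool(octet & LACP_ACTIVITY),
        "short_timeout": bool(octet & LACP_TIMEOUT),
        "aggregatable": bool(octet & AGGREGATION),
        "sync": bool(octet & SYNCHRONIZATION),
        "collecting": bool(octet & COLLECTING),
        "distributing": bool(octet & DISTRIBUTING),
        "defaulted": bool(octet & DEFAULTED),
        "expired": bool(octet & EXPIRED),
    }


def can_form_trunk(actor_state, partner_state):
    """At least one side must be active, or neither ever sends the first LACPDU."""
    return bool((actor_state | partner_state) & LACP_ACTIVITY)


def partner_tx_interval(actor_state):
    """Interval the partner adopts after reading the actor's LACP_Timeout bit."""
    return FAST_PERIODIC_TIME if actor_state & LACP_TIMEOUT else SLOW_PERIODIC_TIME


def partner_info_timeout(actor_state):
    """Seconds the actor waits for an LACPDU before discarding partner info."""
    return TIMEOUT_MULTIPLIER * partner_tx_interval(actor_state)


def lacpdu_actor_state(pdu):
    """Actor_State octet from a raw LACPDU (bytes after the Ethernet header):
    subtype(1) version(1) | actor TLV: type(1) len(1) sysprio(2) sysid(6)
    key(2) portprio(2) port(2) state(1) reserved(3) ..."""
    if pdu[0] != 0x01 or pdu[2] != 0x01:
        raise ValueError("not an LACPDU actor TLV")
    return pdu[18]


# Constructed LACPDU from an active port using short timeout on key 5
# (the 10G operational key default named on this page).
SAMPLE_LACPDU = bytes([
    0x01, 0x01,                          # subtype LACP, version 1
    0x01, 0x14,                          # actor information TLV, length 20
    0x80, 0x00,                          # actor system priority 32768
    0x00, 0x11, 0x22, 0x33, 0x44, 0x55,  # actor system ID (assumed)
    0x00, 0x05,                          # actor key 5
    0x00, 0x80,                          # actor port priority 128
    0x00, 0x05,                          # actor port 5 (assumed)
    0x07,                                # state: active | short timeout | aggregatable
    0x00, 0x00, 0x00,                    # reserved
])

if __name__ == "__main__":
    state = lacpdu_actor_state(SAMPLE_LACPDU)
    print(decode_state(state), "partner tx every", partner_tx_interval(state), "s")
```

Reading the constructed LACPDU gives state 0x07: active, short timeout, aggregatable. A partner that receives it transmits every 1 second, and this side discards partner information after 3 seconds of silence; with the long timeout those figures are 30 and 90 seconds, which is why a long timeout leaves a failed member in a trunk far longer before LACP notices.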
 LACPDU Received            : 6
 MarkerPDU Sent             : 0
 MarkerPDU Received         : 0
 MarkerResponsePDU Sent     : 0
 MarkerResponsePDU Received : 0
 Unknown Packet Received    : 0
 Illegal Packet Received    : 0
 .
 .
 .
Table 77: show lacp counters - display description
Field | Description
Port Channel | The LACP port channel trunk number.
Member Port | The Ethernet interface that is a member of the LACP port-channel trunk.
LACPDUs Sent | Number of valid LACPDUs transmitted from this channel group.
Chapter 12 | Link Aggregation Commands Table 78: show lacp internal - display description (Continued) Field Description Admin Key Current administrative value of the key for the aggregation port. Oper Key Current operational value of the key for the aggregation port. Timeout Time to wait for the next LACPDU before deleting partner port information. Periodic Time The number of seconds between periodic LACPDU transmissions. System Priority LACP system priority assigned to this port channel.
Chapter 12 | Link Aggregation Commands Table 79: show lacp neighbors - display description Field Description Port Channel The LACP port channel trunk number. Member Port The Ethernet interface that is a member of the LACP port-channel trunk. Partner Admin System ID LAG partner’s system ID assigned by the user. Partner Oper System ID LAG partner’s system ID assigned by the LACP protocol. Partner Admin Port ID Current administrative value of the port number for the protocol Partner.
show port-channel load-balance This command shows the load-distribution method used on aggregated links. Command Mode Privileged Exec Example
Console#show port-channel load-balance
Trunk Load Balance Mode: Destination IP address
Console#
MLAG Commands A multi-chassis link aggregation group (MLAG) is a pair of links that terminate on two cooperating switches and appear as an ordinary link aggregation group (LAG).
Chapter 12 | Link Aggregation Commands ◆ The MLAG ID, associated MLAG domain ID and MLAG member must be configured using the mlag group member command. The associated MLAG domain may be nonexistent, which causes MLAG to be inactive locally. ◆ For a port to be configured as MLAG peer link or member: ■ STP status of the port must be disabled. ■ LACP status of the port must be disabled. ■ The port must not be any type of traffic segmentation port.
mlag domain peer-link This command configures an MLAG domain. Use the no form to remove the MLAG domain. Syntax mlag domain domain-id peer-link interface no mlag domain domain-id domain-id – Domain identifier. (Range: 1-16 characters) interface ethernet unit/port unit - Unit identifier. (Range: 1) port - Port number.
interface ethernet unit/port unit - Unit identifier. (Range: 1) port - Port number. (Range: 1-18) port-channel channel-id (Range: 1-12) Command Mode Global Configuration Command Usage
◆ An MLAG domain can have two and only two MLAG devices. (See Figure 1.)
◆ An MLAG domain may have many MLAGs.
◆ An MLAG can belong to one and only one MLAG domain.
◆ The associated MLAG domain may be nonexistent, which causes the MLAG to be inactive locally.
Figure 2: MLAG Peer Operation ◆ When the MLAG peer member is down or nonexistent, the learned MAC addresses that were synced through the peer link for the MLAG are removed automatically. Example
Console(config)#mlag group 1 domain 1 member ethernet 1/1
Console(config)#
show mlag This command shows MLAG configuration settings.
Chapter 12 | Link Aggregation Commands show mlag domain The command shows MLAG domain settings. Command Mode Privileged Exec Syntax show mlag domain domain-id domain-id – Domain identifier.
13 Port Mirroring Commands Data can be mirrored from a local port on the same switch or from a remote port on another switch for analysis at the target port using software monitoring tools or a hardware probe. This switch supports the following mirroring modes.
Chapter 13 | Port Mirroring Commands Local Port Mirroring Commands both - Mirror both received and transmitted packets. vlan-id - VLAN ID (Range: 1-4094) mac-address - MAC address in the form of xx-xx-xx-xx-xx-xx or xxxxxxxxxxxx. acl-name – Name of the ACL. (Maximum length: 32 characters, no spaces or other special characters) Default Setting ◆ No mirror session is defined. ◆ When enabled for an interface, default mirroring is for both received and transmitted packets.
◆ You can create multiple mirror sessions, but all sessions must share the same destination port. ◆ The destination port cannot be a trunk or trunk member port. ◆ ACL-based mirroring is only used for ingress traffic. To mirror an ACL, follow these steps: 1. Use the access-list command to add an ACL. 2. Use the access-group command to bind the access control list to the port to be mirrored. 3.
Chapter 13 | Port Mirroring Commands RSPAN Mirroring Commands acl-name – Name of the ACL. (Maximum length: 32 characters, no spaces or other special characters) Default Setting Shows all sessions. Command Mode Privileged Exec Command Usage This command displays the currently configured source port, destination port, and mirror mode (i.e., RX, TX, RX/TX).
Chapter 13 | Port Mirroring Commands RSPAN Mirroring Commands Configuration Guidelines Take the following steps to configure an RSPAN session: 1. Use the vlan rspan command to configure a VLAN to use for RSPAN. (Default VLAN 1 and switch cluster VLAN 4093 are prohibited.) 2. Use the rspan source command to specify the interfaces and the traffic type (RX, TX or both) to be monitored. 3. Use the rspan destination command to specify the destination port for the traffic mirrored by an RSPAN session. 4.
Chapter 13 | Port Mirroring Commands RSPAN Mirroring Commands ◆ Port Security – If port security is enabled on any port, that port cannot be set as an RSPAN uplink port, even though it can still be configured as an RSPAN source or destination port. Also, when a port is configured as an RSPAN uplink port, port security cannot be enabled on that port. rspan source Use this command to specify the source port and traffic type to be mirrored remotely.
Chapter 13 | Port Mirroring Commands RSPAN Mirroring Commands Example The following example configures the switch to mirror received packets from port 2 and 3: Console(config)#rspan session 1 source interface ethernet 1/2 Console(config)#rspan session 1 source interface ethernet 1/3 Console(config)# rspan destination Use this command to specify the destination port to monitor the mirrored traffic. Use the no form to disable RSPAN on the specified port.
◆ A destination port can still send and receive switched traffic, and participate in any Layer 2 protocols to which it has been assigned. Example The following example configures port 4 to receive mirrored RSPAN traffic:
Console(config)#rspan session 1 destination interface ethernet 1/4
Console(config)#
rspan remote vlan Use this command to specify the RSPAN VLAN, switch role (source, intermediate or destination), and the uplink ports.
Chapter 13 | Port Mirroring Commands RSPAN Mirroring Commands Command Usage ◆ Only 802.1Q trunk or hybrid (i.e., general use) ports can be configured as an RSPAN uplink port – access ports are not allowed (see switchport mode). ◆ Only one uplink port can be configured on a source switch, but there is no limitation on the number of uplink ports configured on an intermediate or destination switch. ◆ Only destination and uplink ports will be assigned by the switch as members of this VLAN.
show rspan Use this command to display the configuration settings for an RSPAN session. Syntax show rspan session [session-id] session-id – A number identifying this RSPAN session. (Range: 1-3) Three sessions are allowed, including both local and remote mirroring, using different VLANs for RSPAN sessions.
14 Congestion Control Commands The switch can set the maximum upload or download data transfer rate for any port. It can control traffic storms by setting a maximum threshold for broadcast traffic or multicast traffic. It can also set bounding thresholds for broadcast and multicast storms which can be used to automatically trigger rate limits or to shut down a port. Table 84: Congestion Control Commands Command Group Function Rate Limiting Sets the input and output rate limits for a port.
Chapter 14 | Congestion Control Commands Rate Limit Commands rate-limit This command defines the rate limit for a specific interface. Use this command without specifying a rate to enable rate limiting. Use the no form to disable rate limiting. Syntax rate-limit {input | output} [rate] no rate-limit {input | output} input – Input rate for specified interface output – Output rate for specified interface rate – Maximum value in kbps.
Storm Control Commands Storm control commands can be used to configure broadcast, multicast, and unknown unicast storm control thresholds. Traffic storms may occur when a device on your network is malfunctioning, or if application programs are not well designed or properly configured. If there is too much traffic on your network, performance can be severely degraded or everything can come to a complete halt.
Chapter 14 | Congestion Control Commands Automatic Traffic Control Commands Example The following shows how to configure broadcast storm control at 600 packets per second: Console(config)#interface ethernet 1/5 Console(config-if)#switchport broadcast packet-rate 600 Console(config-if)# Related Commands show interfaces switchport (413) Automatic Traffic Control Commands Automatic Traffic Control (ATC) configures bounding thresholds for broadcast and multicast storms which can be used to trigger configured
Table 87: ATC Commands (Continued)
Command | Function | Mode
snmp-server enable port-traps atc broadcast-control-apply | Sends a trap when broadcast traffic exceeds the upper threshold for automatic storm control and the apply timer expires | IC (Port)
snmp-server enable port-traps atc broadcast-control-release | Sends a trap when broadcast traffic falls beneath the lower threshold after a storm control response has been triggered and
Chapter 14 | Congestion Control Commands Automatic Traffic Control Commands ◆ Alarm Fire Threshold – The highest acceptable traffic rate. When ingress traffic exceeds the threshold, ATC sends a Storm Alarm Fire Trap and logs it. ◆ When traffic exceeds the alarm fire threshold and the apply timer expires, a traffic control response is applied, and a Traffic Control Apply Trap is sent and logged.
Threshold Commands auto-traffic-control apply-timer This command sets the time at which to apply the control response after ingress traffic has exceeded the upper threshold. Use the no form to restore the default setting. Syntax auto-traffic-control {broadcast | multicast} apply-timer seconds no auto-traffic-control {broadcast | multicast} apply-timer broadcast - Specifies automatic storm control for broadcast traffic.
Chapter 14 | Congestion Control Commands Automatic Traffic Control Commands seconds - The time at which to release the control response after ingress traffic has fallen beneath the lower threshold. (Range: 5-900 seconds) Default Setting 900 seconds Command Mode Global Configuration Command Usage This command sets the delay after which the control response can be terminated.
Example This example enables automatic storm control for broadcast traffic on port 1.
Console(config)#interface ethernet 1/1
Console(config-if)#auto-traffic-control broadcast
Console(config-if)#
auto-traffic-control action This command sets the control action to limit ingress traffic or shut down the offending port. Use the no form to restore the default setting.
Chapter 14 | Congestion Control Commands Automatic Traffic Control Commands Example This example sets the control response for broadcast traffic on port 1.
Example This example sets the clear threshold for automatic storm control for broadcast traffic on port 1.
Console(config)#interface ethernet 1/1
Console(config-if)#auto-traffic-control broadcast alarm-clear-threshold 155
Console(config-if)#
auto-traffic-control alarm-fire-threshold This command sets the upper threshold for ingress traffic beyond which a storm control response is triggered after the apply timer expires.
auto-traffic-control auto-control-release This command automatically releases a control response of rate-limiting after the time specified in the auto-traffic-control release-timer command has expired. Syntax auto-traffic-control {broadcast | multicast} auto-control-release broadcast - Specifies automatic storm control for broadcast traffic. multicast - Specifies automatic storm control for multicast traffic.
Chapter 14 | Congestion Control Commands Automatic Traffic Control Commands Command Usage This command can be used to manually stop a control response of rate-limiting or port shutdown any time after the specified action has been triggered.
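The sequence described above (alarm-fire threshold, apply timer, control action, alarm-clear threshold, release timer, and automatic versus manual release), as an added Python model that is not part of this guide or the switch firmware. The 128 Kpps thresholds, the rate-control default action and the 900-second release timer are the defaults shown on this page; the apply-timer default (AtcConfig.apply_timer_s), the state names and the ingress-rate samples are assumptions made for the example.

```python
"""Model the Automatic Traffic Control (ATC) response sequence on one port.

Added example, not code from the switch firmware. It follows the text: an
ingress rate above the fire threshold raises a storm alarm; if it is still
above the threshold when the apply timer expires the action (rate-control or
shutdown) is applied; once the rate drops to the clear threshold the release
timer starts, after which only a rate-limit response is released, and only
when auto-control-release is configured. A shutdown needs a manual release.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class AtcConfig:
    fire_threshold_kpps: float = 128.0     # auto-traffic-control alarm-fire-threshold
    clear_threshold_kpps: float = 128.0    # auto-traffic-control alarm-clear-threshold
    apply_timer_s: int = 300               # ASSUMED default; the page does not show it
    release_timer_s: int = 900             # release-timer default on this page
    action: str = "rate-control"           # "rate-control" or "shutdown"
    auto_control_release: bool = False     # auto-traffic-control ... auto-control-release


@dataclass
class AtcPort:
    cfg: AtcConfig
    state: str = "normal"                  # normal -> alarm -> controlled -> cleared -> normal
    deadline: Optional[int] = None         # pending apply-timer or release-timer expiry
    events: List[Tuple[int, str]] = field(default_factory=list)   # (time, trap/log name)

    def _emit(self, t, name):
        self.events.append((t, name))

    def sample(self, t: int, rate_kpps: float) -> str:
        """Feed one ingress-rate sample taken at time t (seconds); return the new state."""
        c = self.cfg
        if self.state == "normal":
            if rate_kpps > c.fire_threshold_kpps:
                self._emit(t, "storm-alarm-fire")               # trap + log
                self.state, self.deadline = "alarm", t + c.apply_timer_s
        elif self.state == "alarm":
            if rate_kpps <= c.clear_threshold_kpps:
                self._emit(t, "storm-alarm-clear")              # storm ended before the apply timer
                self.state, self.deadline = "normal", None
            elif t >= self.deadline:
                self._emit(t, "control-apply:" + c.action)      # response applied, trap + log
                self.state, self.deadline = "controlled", None
        elif self.state == "controlled":
            if rate_kpps <= c.clear_threshold_kpps:
                self._emit(t, "storm-alarm-clear")
                self.state, self.deadline = "cleared", t + c.release_timer_s
        elif self.state == "cleared":
            if rate_kpps > c.fire_threshold_kpps:
                self.state, self.deadline = "controlled", None  # storm is back, keep the response
            elif t >= self.deadline:
                if c.action == "rate-control" and c.auto_control_release:
                    self._emit(t, "control-release")
                    self.state, self.deadline = "normal", None
                # otherwise stay controlled until an operator releases it
        return self.state

    def manual_release(self, t: int) -> str:
        """Operator-initiated control-release, allowed any time after the action fired."""
        if self.state in ("controlled", "cleared"):
            self._emit(t, "control-release:manual")
            self.state, self.deadline = "normal", None
        return self.state


def run(cfg: AtcConfig, samples):
    """Drive a port through (time, rate) samples and return it for inspection."""
    port = AtcPort(cfg)
    for t, rate in samples:
        port.sample(t, rate)
    return port


# Constructed 10-second samples: a 500 Kpps broadcast storm that subsides at t=60.
SAMPLES = [(t, 500.0 if t < 60 else 20.0) for t in range(0, 121, 10)]

if __name__ == "__main__":
    cfg = AtcConfig(apply_timer_s=30, release_timer_s=30, auto_control_release=True)
    for when, what in run(cfg, SAMPLES).events:
        print(f"t={when:3d}s  {what}")
```

With a 30-second apply timer and release timer and auto-control-release on, the constructed storm produces storm-alarm-fire at t=0, control-apply:rate-control at t=30, storm-alarm-clear at t=60 and control-release at t=90. With the action set to shutdown the same trace stops after the clear: the port stays down until manual_release is called, which is the behaviour to plan for before choosing shutdown on a port that carries management traffic.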
Example
Console(config)#interface ethernet 1/1
Console(config-if)#snmp-server enable port-traps atc broadcast-alarm-fire
Console(config-if)#
Related Commands auto-traffic-control alarm-fire-threshold (467)
snmp-server enable port-traps atc broadcast-control-apply This command sends a trap when broadcast traffic exceeds the upper threshold for automatic storm control and the apply timer expires. Use the no form to disable this trap.
Example
Console(config)#interface ethernet 1/1
Console(config-if)#snmp-server enable port-traps atc broadcast-control-release
Console(config-if)#
Related Commands auto-traffic-control alarm-clear-threshold (466) auto-traffic-control action (465) auto-traffic-control release-timer (463)
snmp-server enable port-traps atc This command sends a trap when multicast traffic falls beneath the lower threshold after a storm control response
Example
Console(config)#interface ethernet 1/1
Console(config-if)#snmp-server enable port-traps atc multicast-alarm-fire
Console(config-if)#
Related Commands
auto-traffic-control alarm-fire-threshold (467)

snmp-server enable port-traps atc multicast-control-release
This command sends a trap when multicast traffic exceeds the upper threshold for automatic storm control and the apply timer expires. Use the no form to disable this trap.
Example
Console(config)#interface ethernet 1/1
Console(config-if)#snmp-server enable port-traps atc multicast-control-release
Console(config-if)#
Related Commands
auto-traffic-control alarm-clear-threshold (466)
auto-traffic-control action (465)
auto-traffic-control release-timer (463)

ATC Display Commands

show auto-traffic-control
This command shows global configuration settings for automatic storm control.
Example
Console#show auto-traffic-control interface ethernet 1/1
Eth 1/1 Information
------------------------------------------------------------------------
Storm Control:                 Broadcast     Multicast
State:                         Disabled      Disabled
Action:                        rate-control  rate-control
Auto Release Control:          Disabled      Disabled
Alarm Fire Threshold(Kpps):    128           128
Alarm Clear Threshold(Kpps):   128           128
Trap Storm Fire:               Disabled      Disabled
Trap Storm Clear:              Disabled      Disabled
Tr
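As an added example (not code from the guide or from Edgecore's firmware), the following Python models the automatic traffic control behaviour the commands above configure for one traffic type on one port: a rate above alarm-fire-threshold that persists for the apply timer triggers the configured action and the storm-fire trap, a drop below alarm-clear-threshold raises the storm-clear trap, and auto-control-release lifts a rate-limiting response once the release timer expires, while a shutdown waits for a manual release. The one-second sampling, the timer defaults in AtcConfig, the trap labels and the sample rates are assumptions of this model.

```python
"""Toy model of ECS5520-style automatic traffic control (ATC) for one port.

Added example, not the switch's own code. Thresholds are in Kpps and timers
in seconds, as in the CLI; the timer defaults below are assumed.
"""
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class AtcConfig:
    alarm_fire_threshold: int = 128    # guide default shown in 'show auto-traffic-control'
    alarm_clear_threshold: int = 128   # guide default shown in 'show auto-traffic-control'
    apply_timer: int = 5               # assumed default for this model
    release_timer: int = 5             # assumed default for this model
    action: str = "rate-control"       # "rate-control" or "shutdown"
    auto_control_release: bool = False
    trap_storm_fire: bool = False      # 'snmp-server enable port-traps atc ...-alarm-fire'
    trap_storm_clear: bool = False     # 'snmp-server enable port-traps atc ...-control-release'


@dataclass
class AtcPort:
    cfg: AtcConfig
    state: str = "normal"              # normal -> alarm -> controlled -> normal
    ticks: int = 0                     # seconds the current condition has lasted
    below_clear: bool = False          # rate already dropped under the clear threshold
    traps: List[str] = field(default_factory=list)

    def observe(self, rate_kpps: int) -> str:
        """Feed one 1-second ingress rate sample and return the resulting state."""
        c = self.cfg
        if self.state == "normal" and rate_kpps > c.alarm_fire_threshold:
            self.state, self.ticks = "alarm", 0            # apply timer starts
        if self.state == "alarm":
            if rate_kpps > c.alarm_fire_threshold:
                self.ticks += 1
                if self.ticks >= c.apply_timer:            # apply timer expired
                    self.state, self.ticks, self.below_clear = "controlled", 0, False
                    if c.trap_storm_fire:
                        self.traps.append("storm-fire")
            else:
                self.state, self.ticks = "normal", 0       # burst ended before the timer
        elif self.state == "controlled":                   # rate limit or shutdown in force
            if rate_kpps < c.alarm_clear_threshold:
                self.ticks += 1
                if not self.below_clear:                   # first sample under the threshold
                    self.below_clear = True
                    if c.trap_storm_clear:
                        self.traps.append("storm-clear")
                # Only a rate-limiting response is released automatically; a
                # shut-down port stays down until manual_release() (assumed).
                if (c.auto_control_release and c.action == "rate-control"
                        and self.ticks >= c.release_timer):
                    self.state, self.ticks = "normal", 0
            else:
                self.ticks, self.below_clear = 0, False    # release timer restarts
        return self.state

    def manual_release(self) -> str:
        """Operator-initiated release, like the auto-control-release command."""
        if self.state == "controlled":
            self.state, self.ticks, self.below_clear = "normal", 0, False
        return self.state


def run_samples(cfg: AtcConfig, samples: List[int]) -> Tuple[List[str], List[str]]:
    """Replay per-second rate samples through a fresh port; return states and traps."""
    port = AtcPort(cfg)
    states = [port.observe(r) for r in samples]
    return states, port.traps


if __name__ == "__main__":
    # Constructed sample: a 4-second broadcast burst at 200 Kpps, then quiet.
    cfg = AtcConfig(alarm_fire_threshold=128, alarm_clear_threshold=100,
                    apply_timer=3, release_timer=2, auto_control_release=True,
                    trap_storm_fire=True, trap_storm_clear=True)
    samples = [200, 200, 200, 200, 50, 50, 50]
    states, traps = run_samples(cfg, samples)
    for sec, (rate, st) in enumerate(zip(samples, states), 1):
        print(f"t={sec}s rate={rate} Kpps -> {st}")
    print("traps:", traps)
```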
15 Loopback Detection Commands

The switch can be configured to detect general loopback conditions caused by hardware problems or faulty protocol settings. When enabled, a control frame is transmitted on the participating ports, and the switch monitors inbound traffic to see if the frame is looped back.
Chapter 15 | Loopback Detection Commands

loopback-detection
This command enables loopback detection globally on the switch or on a specified interface. Use the no form to disable loopback detection.
Syntax
[no] loopback-detection
Default Setting
Enabled
Command Mode
Global Configuration
Interface Configuration (Ethernet, Port Channel)
Command Usage
◆ Loopback detection must be enabled globally for the switch by this command and enabled for a specific interface for this function to take effect.
none - No action is taken.
shutdown - Shuts down the interface.
Default Setting
Shut down
Command Mode
Global Configuration
Command Usage
◆ When a port receives a control frame sent by itself, this means that the port is in a looped state, and the VLAN in the frame payload is also in a looped state. The looped port is therefore shut down.
Example
Console(config)#loopback-detection recover-time 120
Console(config)#

loopback-detection transmit-interval
This command specifies the interval at which to transmit loopback detection control frames. Use the no form to restore the default setting.
Syntax
loopback-detection transmit-interval seconds
no loopback-detection transmit-interval
seconds - The transmission interval for loopback detection control frames.
Command Mode
Global Configuration
Command Usage
Refer to the loopback-detection recover-time command for information on the conditions which constitute loopback recovery.
Example
Console(config)#loopback-detection trap both
Console(config)#

loopback-detection release
This command releases all interfaces currently shut down by the loopback detection feature.
Command Usage
Although global action may be set to None, this command will still display the configured Detection Port Admin State and Information Oper State.
16 Address Table Commands

These commands are used to configure the address table for filtering specified addresses, displaying current entries, clearing the table, or setting the aging time.
Chapter 16 | Address Table Commands

Example
Console(config)#mac-address-table aging-time 100
Console(config)#

mac-address-table hash-lookup-depth
This command sets the hash lookup depth used when searching the MAC address table. Use the no form to restore the default setting.
Syntax
mac-address-table hash-lookup-depth depth
no mac-address-table hash-lookup-depth
depth - The depth used in the hash lookup process.
port-channel channel-id (Range: 1-12)
vlan-id - VLAN ID (Range: 1-4094)
action
delete-on-reset - Assignment lasts until the switch is reset.
permanent - Assignment is permanent.
Default Setting
No static addresses are defined. The default lifetime is permanent.
Command Mode
Global Configuration
Command Usage
The static address for a host device can be assigned to a specific port within a specific VLAN. Use this command to add static addresses to the MAC Address Table.
clear mac-address-table dynamic
This command removes any learned entries from the forwarding database.
Syntax
clear mac-address-table dynamic [[all] | [address mac-address [mask]] | [interface interface] | [vlan vlan-id]]
all - All learned entries.
address mac-address - MAC address.
mask - Bits to match in the address.
interface interface
ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number.
show mac-address-table
This command shows classes of entries in the bridge-forwarding database.
Syntax
show mac-address-table [address mac-address [mask]] [interface interface] [vlan vlan-id] [sort {address | vlan | interface}]
mac-address - MAC address.
mask - Bits to match in the address.
interface
ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number.
show mac-address-table aging-time
This command shows the aging time for entries in the address table.
Default Setting
None
Command Mode
Privileged Exec
Example
Console#show mac-address-table aging-time
 Aging Status : Enabled
 Aging Time: 300 sec.
Console#

show mac-address-table hash-algorithm
This command shows the hash table algorithm configured and activated by the switch.
show mac-address-table count
This command shows the number of MAC addresses used and the number of available MAC addresses for the overall system or for an interface.
Syntax
show mac-address-table count [interface interface]
interface
ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number.
Example
Console#show mac-address-table hash-lookup-depth
Configured Hash Lookup Depth: 4
Activated Hash Lookup Depth: 4
Console#
17 Spanning Tree Commands

This section includes commands that configure the Spanning Tree Algorithm (STA) globally for the switch, and commands that configure STA for the selected interface.
Chapter 17 | Spanning Tree Commands

Table 90: Spanning Tree Commands (Continued)
Command                                        Function                                                                                        Mode
spanning-tree loopback-detection               Enables BPDU loopback detection for a port                                                      IC
spanning-tree loopback-detection action        Configures the response for loopback detection to block user traffic or shut down the interface  IC
spanning-tree loopback-detection release-mode  Configures loopback release mode for a port                                                     IC
spanning-tree loopback-detection trap          Enables BPDU loopback SNMP trap notification for
Command Usage
◆ The Spanning Tree Algorithm (STA) can be used to detect and disable network loops, and to provide backup links between switches, bridges or routers. This allows the switch to interact with other bridging devices (that is, an STA-compliant switch, bridge or router) in your network to ensure that only one route exists between any two stations on the network, and provide backup links which automatically take over when a primary link goes down.
Default Setting
15 seconds
Command Mode
Global Configuration
Command Usage
This command sets the maximum time (in seconds) a port will wait before changing states (i.e., discarding to learning to forwarding). This delay is required because every device must receive information about topology changes before it starts to forward frames.
spanning-tree max-age
This command configures the spanning tree bridge maximum age globally for this switch. Use the no form to restore the default.
Syntax
spanning-tree max-age seconds
no spanning-tree max-age
seconds - Time in seconds. (Range: 6-40 seconds)
The minimum value is the higher of 6 or [2 x (hello-time + 1)].
The maximum value is the lower of 40 or [2 x (forward-time - 1)].
Default Setting
rstp
Command Mode
Global Configuration
Command Usage
◆ Spanning Tree Protocol
This option uses RSTP set to STP forced compatibility mode. It uses RSTP for the internal state machine, but sends only 802.1D BPDUs. This creates one spanning tree instance for the entire network. If multiple VLANs are implemented on a network, the path between specific VLAN members may be inadvertently disabled to prevent network loops, thus isolating group members.
spanning-tree mst configuration
This command changes to Multiple Spanning Tree (MST) configuration mode.
Syntax
spanning-tree mst configuration
Default Setting
No VLANs are mapped to any MST instance.
The region name is set to the switch’s MAC address.
(page 504) takes precedence over port priority (page 512).
◆ The path cost methods apply to all spanning tree modes (STP, RSTP and MSTP). Specifically, the long method can be applied to STP since this mode is supported by a backward compatible mode of RSTP.
Example
Console(config)#spanning-tree pathcost method long
Console(config)#

spanning-tree priority
This command configures the spanning tree priority globally for this switch.
spanning-tree system-bpdu-flooding
This command configures how the system floods BPDUs to other ports when spanning tree is disabled globally on the switch or disabled on specific ports. Use the no form to restore the default.
Syntax
spanning-tree system-bpdu-flooding {to-all | to-vlan}
no spanning-tree system-bpdu-flooding
to-all - Floods BPDUs to all other spanning-tree disabled ports on the switch.
Default Setting
All ports and trunks belong to a common group.
Command Mode
Global Configuration
Command Usage
A port can only belong to one group. When an interface is added to a group, it is removed from the default group. When a TCN BPDU or a BPDU with the TC flag set is received on an interface, that interface will only notify members in the same group to propagate this topology change.
max-hops
This command configures the maximum number of hops in the region before a BPDU is discarded. Use the no form of the command to set the number of hops to the default value.
Syntax
max-hops hop-number
no max-hops
hop-number - Maximum hop number for multiple spanning tree. (Range: 1-40)
Default Setting
20
Command Mode
MST Configuration
Command Usage
An MSTI region is treated as a single node by the STP and RSTP protocols.
Command Mode
MST Configuration
Command Usage
◆ MST priority is used in selecting the root bridge and alternate bridge of the specified instance. The device with the highest priority (i.e., lowest numerical value) becomes the MSTI root device. However, if all devices have the same priority, the device with the lowest MAC address will then become the root device.
RSTP treats each MSTI region as a single node, connecting all regions to the Common Spanning Tree.
Example
Console(config-mstp)#mst 1 vlan 2-5
Console(config-mstp)#

name
This command configures the name for the multiple spanning tree region in which this switch is located. Use the no form of the command to set the name to the default name.
Syntax
name name
no name
name - Name of multiple spanning tree region.
no revision
number - Revision number of the spanning tree. (Range: 0-65535)
Default Setting
0
Command Mode
MST Configuration
Command Usage
The MST region name (page 501) and revision number are used to designate a unique MST region. A bridge (i.e., a spanning-tree compliant device such as this switch) can only belong to one MST region, and all bridges in the same region must be configured with the same MST instances.
Example
Console(config)#interface ethernet 1/5
Console(config-if)#spanning-tree edge-port
Console(config-if)#spanning-tree bpdu-filter
Console(config-if)#
Related Commands
spanning-tree edge-port (505)

spanning-tree bpdu-guard
This command shuts down an edge port (i.e., an interface set for fast forwarding) if it receives a BPDU. Use the no form without any keywords to disable this feature, or with a keyword to restore the default settings.
Related Commands
spanning-tree edge-port (505)
spanning-tree spanning-disabled (514)

spanning-tree cost
This command configures the spanning tree path cost for the specified interface. Use the no form to restore the default auto-configuration mode.
Syntax
spanning-tree cost cost
no spanning-tree cost
cost - The path cost for the port.
Command Usage
◆ This command is used by the Spanning Tree Algorithm to determine the best path between devices. Therefore, lower values should be assigned to ports attached to faster media, and higher values assigned to ports with slower media.
◆ Path cost takes precedence over port priority.
◆ When the path cost method (page 495) is set to short, the maximum value for path cost is 65,535.
Example
Console(config)#interface ethernet 1/5
Console(config-if)#spanning-tree edge-port
Console(config-if)#

spanning-tree link-type
This command configures the link type for Rapid Spanning Tree and Multiple Spanning Tree. Use the no form to restore the default.
Syntax
spanning-tree link-type {auto | point-to-point | shared}
no spanning-tree link-type
auto - Automatically derived from the duplex mode setting.
point-to-point - Point-to-point link.
spanning-tree loopback-detection
This command enables the detection and response to Spanning Tree loopback BPDU packets on the port. Use the no form to disable this feature.
Syntax
[no] spanning-tree loopback-detection
Default Setting
Disabled
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
If Port Loopback Detection is not enabled and a port receives its own BPDU, then the port will drop the loopback BPDU according to IEEE Standard 802.
selected interface will be automatically enabled when the shutdown interval has expired.
◆ If an interface is shut down by this command, and the release mode is set to “manual,” the interface can be re-enabled using the spanning-tree loopback-detection release command.
◆ When configured for manual release mode, a link down / up event will not release the port from the discarding state. It can only be released using the spanning-tree loopback-detection release command.
Example
Console(config)#interface ethernet 1/5
Console(config-if)#spanning-tree loopback-detection release-mode manual
Console(config-if)#

spanning-tree loopback-detection trap
This command enables SNMP trap notification for Spanning Tree loopback BPDU detections.
Example
Console(config)#interface ethernet 1/5
Console(config-if)#spanning-tree restricted-tcn

spanning-tree mst cost
This command configures the path cost on a spanning instance in the Multiple Spanning Tree. Use the no form to restore the default auto-configuration mode.
Syntax
spanning-tree mst instance-id cost cost
no spanning-tree mst instance-id cost
instance-id - Instance identifier of the spanning tree. (Range: 0-4094)
cost - Path cost for an interface.
Related Commands
spanning-tree mst port-priority (511)

spanning-tree mst port-priority
This command configures the interface priority on a spanning instance in the Multiple Spanning Tree. Use the no form to restore the default.
Syntax
spanning-tree mst instance-id port-priority priority
no spanning-tree mst instance-id port-priority
instance-id - Instance identifier of the spanning tree. (Range: 0-4094)
priority - Priority for an interface.
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
◆ When enabled, BPDUs are flooded to all other spanning-tree disabled ports on the switch or within the receiving port's native VLAN as specified by the spanning-tree system-bpdu-flooding command.
◆ The spanning-tree system-bpdu-flooding command has no effect if BPDU flooding is disabled on a port by the spanning-tree port-bpdu-flooding command.
Example
Console(config)#interface ethernet 1/5
Console(config-if)#spanning-tree port-priority 0
Related Commands
spanning-tree cost (504)

spanning-tree root-guard
This command prevents a designated port from taking superior BPDUs into account and allowing a new STP root port to be elected. Use the no form to disable this feature.
spanning-tree spanning-disabled
This command disables the spanning tree algorithm for the specified interface. Use the no form to re-enable the spanning tree algorithm for the specified interface.
Example
Console(config)#interface ethernet 1/1
Console(config-if)#spanning-tree tc-prop-stop
Console(config-if)#

spanning-tree loopback-detection release
This command manually releases a port placed in discarding state by loopback detection.
Syntax
spanning-tree loopback-detection release interface
interface
ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number.
Command Mode
Privileged Exec
Command Usage
If at any time the switch detects STP BPDUs, including Configuration or Topology Change Notification BPDUs, it will automatically set the selected interface to forced STP-compatible mode. However, you can also use the spanning-tree protocol-migration command at any time to manually re-check the appropriate BPDU format to send on the selected interfaces (i.e., RSTP or STP-compatible).
◆ Use the show spanning-tree interface command to display the spanning tree configuration for an interface within the Common Spanning Tree (CST).
◆ Use the show spanning-tree mst command to display the spanning tree configuration for all instances within the Multiple Spanning Tree (MST), including global settings and settings for active interfaces.
 Loopback Detection Trap            : Disabled
 Loopback Detection Action          : Block
 Root Guard Status                  : Disabled
 BPDU Guard Status                  : Disabled
 BPDU Guard Auto Recovery           : Disabled
 BPDU Guard Auto Recovery Interval  : 300
 BPDU Filter Status                 : Disabled
 TC Propagate Stop                  : Disabled
 Restricted TCN                     : Disabled
 . . .
This example shows a brief summary of global and interface settings for the spanning tree.
Syntax
show spanning-tree tc-prop [group group-id]
group-id - Group identifier.
18 VLAN Commands

A VLAN is a group of ports that can be located anywhere in the network, but communicate as though they belong to the same physical segment. This section describes commands used to create VLAN groups, add port members, specify how VLAN tagging is used, and enable automatic VLAN registration for the selected interface.
Chapter 18 | VLAN Commands

GVRP and Bridge Extension Commands
GARP VLAN Registration Protocol defines a way for switches to exchange VLAN information in order to automatically register VLAN members on interfaces across the network. This section describes how to enable GVRP for individual interfaces and globally for the switch, as well as how to display default configuration settings for the Bridge Extension MIB.
garp timer
This command sets the values for the join, leave and leaveall timers. Use the no form to restore the timers’ default values.
Syntax
garp timer {join | leave | leaveall} timer-value
no garp timer {join | leave | leaveall}
{join | leave | leaveall} - Timer to set.
timer-value - Value of timer.
Related Commands
show garp timer (526)

switchport forbidden vlan
This command configures forbidden VLANs. Use the no form to remove the list of forbidden VLANs.
Syntax
switchport forbidden vlan {add vlan-list | remove vlan-list}
no switchport forbidden vlan
add vlan-list - List of VLAN identifiers to add.
remove vlan-list - List of VLAN identifiers to remove.
switchport gvrp
This command enables GVRP for a port. Use the no form to disable it.
Syntax
[no] switchport gvrp
Default Setting
Disabled
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
GVRP cannot be enabled for ports set to Access mode using the switchport mode command.
Table 95: show bridge-ext - display description
Field                                   Description
Maximum Supported VLAN Numbers          The maximum number of VLANs supported on this switch.
Maximum Supported VLAN ID               The maximum configurable VLAN identifier supported on this switch.
Extended Multicast Filtering Services   This switch does not support the filtering of individual multicast addresses based on GMRP (GARP Multicast Registration Protocol).
Example
Console#show garp timer ethernet 1/1
Eth 1/ 1 GARP Timer Status:
 Join Timer      : 20 centiseconds
 Leave Timer     : 60 centiseconds
 Leave All Timer : 1000 centiseconds
Console#
Related Commands
garp timer (523)

show gvrp configuration
This command shows if GVRP is enabled.
Syntax
show gvrp configuration [interface]
interface
ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number.
Editing VLAN Groups

vlan database
This command enters VLAN database mode. All commands in this mode will take effect immediately.
Default Setting
None
Command Mode
Global Configuration
Command Usage
◆ Use the VLAN database command mode to add, change, and delete VLANs. After finishing configuration changes, you can display the VLAN settings by entering the show vlan command.
rspan - Keyword to create a VLAN used for mirroring traffic from remote switches. The VLAN used for RSPAN cannot include VLAN 1 (the switch’s default VLAN). Nor should it include VLAN 4093 (which is used for switch clustering). Configuring VLAN 4093 for other purposes may cause problems in the Clustering operation. For more information on configuring RSPAN through the CLI, see “RSPAN Mirroring Commands” on page 450.
Configuring VLAN Interfaces

Table 97: Commands for Configuring VLAN Interfaces (Continued)
Command                        Function                                             Mode
switchport forbidden vlan      Configures forbidden VLANs for an interface          IC
switchport gvrp                Enables GVRP for an interface                        IC
switchport ingress-filtering   Enables ingress filtering on an interface            IC
switchport mode                Configures VLAN membership mode for an interface     IC
switchport native vlan         Configures the PVID (native VLAN) of an interface    IC
vlan-trunking
Related Commands
shutdown (401)
interface (395)
vlan (528)

switchport acceptable-frame-types
This command configures the acceptable frame types for a port. Use the no form to restore the default.
Syntax
switchport acceptable-frame-types {all | tagged}
no switchport acceptable-frame-types
all - The port accepts all frames, tagged or untagged.
tagged - The port only receives tagged frames.
vlan-list - If a VLAN list is entered without using the add option, the interface is assigned to the specified VLANs, and membership in all previous VLANs is removed. The interface is added as an untagged member if switchport mode is set to hybrid or access, or as a tagged member if switchport mode is set to trunk. Separate nonconsecutive VLAN identifiers with a comma and no spaces; use a hyphen to designate a range of IDs. (Range: 1-4094)
Example
The following example shows how to add VLANs 1, 2, 5 and 6 to the allowed list as tagged VLANs for port 1:
Console(config)#interface ethernet 1/1
Console(config-if)#switchport allowed vlan add 1,2,5,6 tagged
Console(config-if)#

switchport ingress-filtering
This command enables ingress filtering for an interface. Use the no form to restore the default.
switchport mode
This command configures the VLAN membership mode for a port. Use the no form to restore the default.
Syntax
switchport mode {access | hybrid | trunk}
no switchport mode
access - Specifies an access VLAN interface. The port transmits and receives untagged frames on a single VLAN only.
hybrid - Specifies a hybrid VLAN interface. The port may transmit tagged or untagged frames.
trunk - Specifies a port as an end-point for a VLAN trunk.
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
◆ When changing the PVID for a port using access mode, the port will automatically join the new PVID VLAN and leave the VLAN which it had joined before.
◆ When using Access mode, and an interface is assigned to a new VLAN, its PVID is automatically set to the identifier for that VLAN.
Figure 5: Configuring VLAN Trunking
Without VLAN trunking, you would have to configure VLANs 1 and 2 on all intermediate switches – C, D and E; otherwise these switches would drop any frames with unknown VLAN group tags. However, by enabling VLAN trunking on the intermediate switch ports along the path connecting VLANs 1 and 2, you only need to create these VLAN groups in switches A and B.
Displaying VLAN Information
This section describes commands used to display VLAN information.

Table 98: Commands for Displaying VLAN Information
Command                       Function                                                            Mode
show interfaces status vlan   Displays status for the specified VLAN interface                    NE, PE
show interfaces switchport    Displays the administrative and operational status of an interface  NE, PE
show vlan                     Shows VLAN information                                              NE, PE

show vlan
This command shows VLAN information.
Configuring IEEE 802.1Q Tunneling
IEEE 802.1Q tunneling (QinQ tunneling) uses a single Service Provider VLAN (SPVLAN) for customers who have multiple VLANs. Customer VLAN IDs are preserved and traffic from different customers is segregated within the service provider’s network even when they use the same customer-specific VLAN IDs.
6. Configure the SPVLAN ID as the native VID on the QinQ tunnel access port (switchport native vlan).
7. Configure the QinQ tunnel uplink port to dot1Q-tunnel uplink mode (switchport dot1q-tunnel mode).
8. Configure the QinQ tunnel uplink port to join the SPVLAN as a tagged member (switchport allowed vlan).
Limitations for QinQ
◆ The native VLAN for the tunnel uplink ports and tunnel access ports cannot be the same.
dot1q-tunnel tpid
Use this command to set the global setting for the QinQ outer tag ethertype field. Use the no form of the command to set the ethertype field to the default value.
Syntax
[no] dot1q-tunnel tpid ethertype
ethertype – A specific Ethernet protocol number. (Range: 800-ffff hex)
Default Setting
The ethertype is set to 0x8100
Command Mode
Global Configuration
Command Usage
Use the dot1q-tunnel tpid command to set the global custom 802.
switchport dot1q-tunnel mode
This command configures an interface as a QinQ tunnel port. Use the no form to disable QinQ on the interface.
Syntax
switchport dot1q-tunnel mode {access | uplink}
no switchport dot1q-tunnel mode
access – Sets the port as an 802.1Q tunnel access port.
uplink – Sets the port as an 802.1Q tunnel uplink port.
Default Setting
Disabled
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
When priority bits are found in the inner tag, these are also copied to the outer tag. This allows the service provider to differentiate service based on the indicated priority and to apply appropriate methods of queue management at intermediate nodes across the tunnel.
differentiated service pathways to follow across the service provider’s network for traffic arriving from specified inbound customer VLANs.
◆ Note that all customer interfaces should be configured as access interfaces (that is, a user-to-network interface) and service provider interfaces as uplink interfaces (that is, a network-to-network interface). Use the dot1q-tunnel tpid uplink command to set an interface to access or uplink mode.
Console(config)#interface ethernet 1/1
Console(config-if)#switchport dot1q-tunnel service 100 match cvid 10
Console(config-if)#switchport dot1q-tunnel service 200 match cvid 20
Console(config-if)#switchport dot1q-tunnel service 300 match cvid 30
6.
Console(config)#show dot1q-tunnel service 100
802.1Q Tunnel Service Subscriptions
Port     Match C-VID S-VID
-------- ----------- -----
Eth 1/ 3          10   100
Console#

show dot1q-tunnel
This command displays information about QinQ tunnel ports.
Syntax
show dot1q-tunnel [interface interface]
interface
ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number.
Eth 1/ 6           1   100
Console#
Related Commands
dot1q-tunnel tpid (540)

Configuring L2PT Tunneling
This section describes the commands used to configure Layer 2 Protocol Tunneling (L2PT).
Command Usage
◆ When L2PT is not used, protocol packets (such as STP) are flooded to 802.1Q access ports on the same edge switch, but filtered from 802.1Q tunnel ports. This creates disconnected protocol domains in the customer’s network.
◆ L2PT can be used to pass various types of protocol packets belonging to the same customer transparently across a service provider’s network.
■ L2PT is disabled on the port, the frame is decapsulated and processed locally by the switch if the protocol is supported.
■ with destination address 01-80-C2-00-00-01~0A (S-VLAN), the frame is filtered, decapsulated, and processed locally by the switch if the protocol is supported.
Example
Console(config)#dot1q-tunnel system-tunnel-control
Console(config)#l2protocol-tunnel tunnel-dmac 01-80-C2-00-00-01
Console(config)#

switchport l2protocol-tunnel
This command enables Layer 2 Protocol Tunneling (L2PT) for the specified protocol. Use the no form to disable L2PT for the specified protocol.
show
This command shows settings for Layer 2 Protocol Tunneling (L2PT).

Configuring VLAN Translation
ingress - Specifies ingress only.
egress - Specifies egress only.
original-vlan - The original VLAN ID. (Range: 1-4094)
new-vlan - The new VLAN ID. (Range: 1-4094)
Default Setting
Disabled
Command Mode
Interface Configuration (Ethernet)
Command Usage
◆ If the next switch upstream does not support QinQ tunneling, then use this command to map the customer’s VLAN ID to the service provider’s VLAN ID for the upstream port.
Console(config-vlan)#vlan 100 media ethernet state active
Console(config-vlan)#exit
Console(config)#interface ethernet 1/1,2
Console(config-if)#switchport allowed vlan add 10 tagged
Console(config-if)#switchport allowed vlan add 100 tagged
Console(config-if)#interface ethernet 1/1
Console(config-if)#switchport vlan-translation 10 100
Console(config-if)#end
Console#show vlan-translation
Ingress VLAN Translation
Interface   Old VID   New VID
---------   -------   -------
Eth 1/ 2    200       10
Console#

Configuring Protocol-based VLANs
The network devices required to support multiple protocols cannot be easily grouped into a common VLAN. This may require non-standard devices to pass traffic between different VLANs in order to encompass all the devices participating in a specific protocol. This kind of configuration deprives users of the basic benefits of VLANs, including security and easy accessibility.
access can be regained by removing the offending Protocol VLAN rule via the console. Alternatively, the switch can be power-cycled; however, all unsaved configuration changes will be lost.

protocol-vlan protocol-group
This command creates a protocol group, or adds specific protocols to a group. Use the no form to remove a protocol group.
vlan-id - VLAN to which matching protocol traffic is forwarded. (Range: 1-4094)
priority - The priority assigned to untagged ingress traffic. (Range: 0-7, where 7 is the highest priority)
Default Setting
No protocol groups are mapped for any interface.
Priority: 0
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
◆ When creating a protocol-based VLAN, only assign interfaces via this command.
group-id - Group identifier for a protocol group. (Range: 1-2147483647)
sort-by-type - Sort display information by frame type and protocol type.
Default Setting
All protocol groups are displayed.
Configuring IP Subnet VLANs
When using IEEE 802.1Q port-based VLAN classification, all untagged frames received by a port are classified as belonging to the VLAN whose VID (PVID) is associated with that port. When IP subnet-based VLAN classification is enabled, the source address of each untagged ingress frame is checked against the IP subnet-to-VLAN mapping table.
◆ When an untagged frame is received by a port, the source IP address is checked against the IP subnet-to-VLAN mapping table, and if an entry is found, the corresponding VLAN ID is assigned to the frame. If no mapping is found, the PVID of the receiving port is assigned to the frame.
◆ The IP subnet cannot be a broadcast or multicast IP address.
Configuring MAC Based VLANs
When using IEEE 802.1Q port-based VLAN classification, all untagged frames received by a port are classified as belonging to the VLAN whose VID (PVID) is associated with that port. When MAC-based VLAN classification is enabled, the source address of each untagged ingress frame is checked against the MAC address-to-VLAN mapping table.
◆ A source MAC address can be mapped to only one VLAN ID.
◆ Configured MAC addresses cannot be broadcast or multicast addresses.
◆ When MAC-based, IP subnet-based, and protocol-based VLANs are supported concurrently, they are applied in that order of priority, with port-based VLAN classification (the PVID) applied last.
◆ The MAC address mask must be contiguous: in binary, every bit before the first 0 bit must be 1 (for example 111 is valid, but 101 or 001 is not).
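The classification order given above (MAC-based, then IP subnet-based, then protocol-based, then the port PVID) and the validity rules for MAC entries and IP subnets are easy to get wrong when auditing a configuration, so here is an added example that models them. This is not switch code; the table contents and frames are constructed, and the tie-breaking between overlapping MAC or subnet entries (longest mask first) is an assumption the guide does not state.

```python
import ipaddress

# Added example, not switch code: the untagged-frame classification order
# the guide gives (MAC-based, then IP subnet-based, then protocol-based,
# then the port PVID) with the validity checks it lists. All table entries
# and frames are constructed sample data.

MAC_BITS = 48


def mac_to_int(mac):
    return int(mac.replace("-", "").replace(":", ""), 16)


def mask_is_contiguous(mask):
    """A valid MAC mask is a run of 1 bits followed only by 0 bits
    (ff-ff-ff-00-00-00 is valid; ff-00-ff-00-00-00 is not)."""
    inverted = ~mac_to_int(mask) & ((1 << MAC_BITS) - 1)
    return inverted & (inverted + 1) == 0     # true iff inverted is 2**k - 1


def is_unicast(mac):
    """Bit 0 of the first octet is the group bit (multicast/broadcast)."""
    return (mac_to_int(mac) >> (MAC_BITS - 8)) & 1 == 0


class VlanClassifier:
    def __init__(self, pvid):
        self.pvid = dict(pvid)          # port -> PVID
        self.mac_rules = []             # (masked mac, mask, vid)
        self.subnet_rules = []          # (ip_network, vid)
        self.proto_rules = {}           # (frame type, protocol) -> vid

    def add_mac(self, mac, mask, vid):
        if not is_unicast(mac):
            raise ValueError("MAC must not be broadcast or multicast")
        if not mask_is_contiguous(mask):
            raise ValueError("mask must be contiguous")
        m, k = mac_to_int(mac), mac_to_int(mask)
        if any(r[0] == m & k and r[1] == k for r in self.mac_rules):
            raise ValueError("a source MAC maps to only one VLAN")
        self.mac_rules.append((m & k, k, vid))
        # Assumption: the most specific (longest) mask wins when entries
        # overlap; the guide does not say how the switch orders them.
        self.mac_rules.sort(key=lambda r: r[1], reverse=True)

    def add_subnet(self, cidr, vid):
        net = ipaddress.ip_network(cidr, strict=False)
        if net.is_multicast or net.network_address == ipaddress.ip_address("255.255.255.255"):
            raise ValueError("subnet must not be broadcast or multicast")
        self.subnet_rules.append((net, vid))
        # Same longest-match assumption as for MAC entries.
        self.subnet_rules.sort(key=lambda r: r[0].prefixlen, reverse=True)

    def add_protocol(self, frame_type, protocol, vid):
        self.proto_rules[(frame_type, protocol)] = vid

    def classify(self, port, src_mac, src_ip=None, frame_type="ethernet", protocol="ip"):
        """Return (vid, rule) for an untagged frame received on port."""
        m = mac_to_int(src_mac)
        for base, k, vid in self.mac_rules:           # 1. MAC-based
            if m & k == base:
                return vid, "mac"
        if src_ip is not None:                        # 2. IP subnet-based
            ip = ipaddress.ip_address(src_ip)
            for net, vid in self.subnet_rules:
                if ip in net:
                    return vid, "subnet"
        vid = self.proto_rules.get((frame_type, protocol))   # 3. protocol-based
        if vid is not None:
            return vid, "protocol"
        return self.pvid[port], "pvid"                # 4. port-based fallback


def add_mac_accepted(classifier, mac, mask, vid):
    """True if the MAC entry passes the validity checks, False otherwise."""
    try:
        classifier.add_mac(mac, mask, vid)
        return True
    except ValueError:
        return False


def build_example():
    c = VlanClassifier({"eth1/1": 1, "eth1/2": 100})
    c.add_mac("00-12-34-56-78-90", "ff-ff-ff-ff-ff-ff", 20)   # one host
    c.add_mac("00-12-34-00-00-00", "ff-ff-ff-00-00-00", 30)   # whole OUI
    c.add_subnet("10.1.0.0/16", 40)
    c.add_protocol("ethernet", "ipv6", 50)
    return c


if __name__ == "__main__":
    c = build_example()
    print(c.classify("eth1/1", "00-12-34-56-78-90"))                 # MAC rule
    print(c.classify("eth1/1", "00-aa-bb-cc-dd-ee", "10.1.2.3"))     # subnet rule
    print(c.classify("eth1/2", "00-aa-bb-cc-dd-ee", "192.168.1.1"))  # PVID fallback
```

Note that a frame from a MAC covered by both the exact entry and the OUI entry takes the exact entry only because of the longest-mask assumption; on the switch, avoid overlapping entries rather than relying on an ordering the guide does not document.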
Configuring Voice VLANs
The switch allows you to specify a Voice VLAN for the network and set a CoS priority for the VoIP traffic. VoIP traffic can be detected on switch ports by using the source MAC address of packets, or by using LLDP (IEEE 802.1AB) to discover connected VoIP devices. When VoIP traffic is detected on a configured port, the switch automatically assigns the port to the Voice VLAN. Alternatively, switch ports can be manually configured.
◆ VoIP traffic can be detected on switch ports by using the source MAC address of packets, or by using LLDP (IEEE 802.1AB) to discover connected VoIP devices. When VoIP traffic is detected on a configured port, the switch automatically assigns the port as a tagged member of the Voice VLAN.
◆ Only one Voice VLAN is supported and it must already be created on the switch before it can be specified as the Voice VLAN.
Note that when the switchport voice vlan command is set to auto mode, the show voice vlan command displays the remaining aging time. If the switchport voice vlan command is disabled or set to manual mode, the remaining aging time is displayed as "NA."
Example
The following example configures the Voice VLAN aging time as 3000 minutes.
Example
The following example adds a MAC OUI to the OUI Telephony list.
Console(config)#voice vlan mac-address 00-12-34-56-78-90 mask ff-ff-ff-00-00-00 description "A new phone"
Console(config)#

switchport voice vlan
This command specifies the Voice VLAN mode for ports. Use the no form to disable the Voice VLAN feature on the port.
switchport voice vlan priority
This command specifies a CoS priority for VoIP traffic on a port. Use the no form to restore the default priority on a port.
Syntax
switchport voice vlan priority priority-value
no switchport voice vlan priority
priority-value - The CoS priority value. (Range: 0-6)
Default Setting
6
Command Mode
Interface Configuration
Command Usage
Specifies a CoS priority to apply to the port VoIP traffic on the Voice VLAN.
Command Usage
◆ When OUI is selected, be sure to configure the MAC address ranges in the Telephony OUI list (see the voice vlan mac-address command). MAC address OUI numbers must be configured in the Telephony OUI list so that the switch recognizes the traffic as being from a VoIP device.
◆ LLDP checks that the "telephone bit" in the system capability TLV is turned on. See "LLDP Commands" on page 729 for more information on LLDP.
show voice vlan
This command displays the Voice VLAN settings on the switch and the OUI Telephony list.
Syntax
show voice vlan {oui | status}
oui - Displays the OUI Telephony list.
status - Displays the global and port Voice VLAN settings.
19 ERPS Commands The G.8032 recommendation, also referred to as Ethernet Ring Protection Switching (ERPS), can be used to increase the availability and robustness of Ethernet rings. This chapter describes commands used to configure ERPS.
Table 106: ERPS Commands (Continued)
Command          Function                                                                              Mode
raps-def-mac     Sets the switch's MAC address to be used as the node identifier in R-APS messages    ERPS Inst
raps-without-vc  Terminates the R-APS channel at the primary ring to sub-ring interconnection nodes   ERPS Inst
version          Specifies compatibility with ERPS version 1 or 2                                     ERPS Inst
inclusion-vlan   Specifies the VLAN groups to be included in the ERPS protection ring                 ERPS Inst
6. Configure ERPS timers: Use the guard-timer command to set the timer used to prevent ring nodes from receiving outdated R-APS messages, the holdoff-timer command to filter out intermittent link faults, and the wtr-timer command to verify that the ring has stabilized before blocking the RPL after recovery from a signal failure.
7. Configure the ERPS Control VLAN (CVLAN): Use the control-vlan command to create the VLAN used to pass R-APS ring maintenance commands.
Example
Console(config)#erps
Console(config)#
Related Commands
enable (ring) (576)

erps node-id
This command sets the MAC address for a ring node. Use the no form to restore the default setting.
Syntax
erps node-id mac-address
no erps node-id
mac-address – A MAC address unique to the ring node. The MAC address must be specified in the format xx-xx-xx-xx-xx-xx or xxxxxxxxxxxx.
erps vlan-group
This command creates or modifies an ERPS VLAN group. Use the no form of this command to remove VLANs from a VLAN group or to delete a VLAN group.
Syntax
erps vlan-group vlan-group-name {add | remove} vlan-list
no erps vlan-group vlan-group-name
vlan-group-name – Name of the VLAN group. (Range: 1-12 characters)
add – Adds VLANs to a group.
remove – Deletes VLANs from a group.
Command Usage
◆ The switch can support ERPS rings up to half the number of physical ports on the switch.
Example
Console(config)#erps ring campus1
Console(config-erps-ring)#

erps instance
This command creates an ERPS instance and enters ERPS instance configuration mode. Use the no form to delete an ERPS instance.
Syntax
erps instance instance-name [id ring-id]
no erps instance instance-name
instance-name - Name of a specific ERPS instance.
ring-port
This command configures a node's connection to the ring through the east or west interface. Use the no form to disassociate a node from the ring.
Syntax
ring-port {east | west} interface interface
no ring-port {east | west}
east - Connects to the next ring node to the east.
west - Connects to the next ring node to the west.
interface
  ethernet unit/port
    unit - Unit identifier. (Range: 1)
    port - Port number.
exclusion-vlan
Use this command to specify VLAN groups that are to be on the exclusion list of a physical ERPS ring. Use the no form of the command to remove VLAN groups from the list.
Syntax
[no] exclusion-vlan vlan-group-name
vlan-group-name - Name of the VLAN group. (Range: 1-12 characters)
Default Setting
None
Command Mode
ERPS Ring Configuration
Command Usage
◆ VLANs that are on the exclusion list are not protected by the ERPS ring.
◆ Once enabled, the RPL owner node and non-owner node state machines will start, and the ring will enter idle state if no signal failures are detected.
Example
Console(config-erps-ring)#enable
Console(config-erps-ring)#
Related Commands
erps (571)

enable (instance)
This command activates the current ERPS instance. Use the no form to disable the current instance.
no meg-level
level - The maintenance entity group (MEG) level which provides a communication channel for ring automatic protection switching (R-APS) information. (Range: 0-7)
Default Setting
1
Command Mode
ERPS Instance Configuration
Command Usage
◆ This parameter is used to ensure that received R-APS PDUs are directed for this instance. A unique level should be configured for each local instance if there are many R-APS PDUs passing through this switch.
■ The Control VLAN must not be configured as a Layer 3 interface (with an IP address), nor as a dynamic VLAN (with GVRP enabled).
■ In addition, only ring ports may be added to the Control VLAN. No other ports can be members of this VLAN.
■ Also, the ring ports of the Control VLAN must be tagged.
◆ Once the instance has been activated with the enable (instance) command, the configuration of the control VLAN cannot be modified.
Example
Console(config-erps-inst)#rpl owner
Console(config-erps-inst)#

rpl neighbor
This command configures a ring node to be the Ring Protection Link (RPL) neighbor. Use the no form to restore the default setting.
wtr-timer
This command sets the wait-to-restore timer, which is used to verify that the ring has stabilized before blocking the RPL after recovery from a signal failure. Use the no form to restore the default setting.
Syntax
wtr-timer minutes
no wtr-timer
minutes - The wait-to-restore timer is used to verify that the ring has stabilized before blocking the RPL after recovery from a signal failure.
Command Usage
The guard timer duration should be greater than the maximum expected forwarding delay for an R-APS message to pass around the ring. A side effect of the guard timer is that during its duration, a node will be unaware of new or existing ring requests transmitted from other nodes.
Example
Console(config-erps-inst)#guard-timer 300
Console(config-erps-inst)#

holdoff-timer
This command sets the timer to filter out intermittent link faults.
major-ring
This command specifies the ERPS ring used for sending control packets. Use the no form to remove the current setting.
Syntax
major-ring instance-name
no major-ring
instance-name - Name of the ERPS instance used for sending control packets. (Range: 1-12 characters)
Default Setting
None
Command Mode
ERPS Instance Configuration
Command Usage
◆ ERPS control packets can only be sent on one instance.
Command Usage
◆ When a secondary ring detects a topology change, it can pass a message about this event to the major ring. When the major ring receives this kind of message from a secondary ring, it can clear the MAC addresses on its ring ports to help the secondary ring restore its connections more quickly through protection switching.
◆ When the MAC addresses are cleared, data traffic may flood onto the major ring.
Default Setting
Disabled
Command Mode
ERPS Instance Configuration
Command Usage
◆ Revertive behavior allows the switch to automatically return the RPL from Protection state to Idle state through the exchange of protocol messages. Non-revertive behavior for the Protection, Forced Switch, and Manual Switch states is basically the same: it requires the erps clear command to be used to return the RPL from Protection state to Idle state.
it is an R-APS (NR, RB) message without a DNF (do not flush) indication, all ring nodes flush the FDB.
■ Recovery with Non-revertive Mode – In non-revertive operation, the ring does not automatically revert when all ring links and ring nodes have recovered and no external requests are active. Non-revertive operation is handled in the following way:
a. The RPL Owner Node does not generate a response on reception of an R-APS (NR) message.
b.
channel over the RPL, transmitting an R-APS (NR, RB) message over both ring ports, informing the ring that the RPL is blocked, and flushes the FDB.
d. The acceptance of the R-APS (NR, RB) message causes all ring nodes to unblock any blocked non-RPL that does not have an SF condition. If it is an R-APS (NR, RB) message without a DNF indication, all ring nodes flush their FDB. This action unblocks the ring port which was blocked as a result of an operator command.
APS (MS) message is ignored due to the higher priority of the WTB running signal.
b. When the WTB timer expires, it generates the WTB expire signal. The RPL Owner Node, upon reception of this signal, initiates reversion by blocking the traffic channel on the RPL, transmitting an R-APS (NR, RB) message over both ring ports, informing the ring that the RPL is blocked, and flushes its FDB.
c.
Command Usage
◆ When ring nodes running ERPSv1 and ERPSv2 co-exist on the same ring, the Ring ID of each ring node must be configured as "1".
◆ If this command is disabled, the following strings are used as the node identifier:
■ ERPSv1: 01-19-A7-00-00-01
■ ERPSv2: 01-19-A7-00-00-[Ring ID]
Example
Console(config-erps-inst)#raps-def-mac
Console(config-erps-inst)#

raps-without-vc
This command terminates the R-APS channel at the primary ring to sub-ring interconnection nodes.
Note that the R-APS virtual channel requires a certain amount of bandwidth to forward R-APS messages on the interconnected Ethernet network where a sub-ring is attached. Also note that the protection switching time of the sub-ring may be affected if R-APS messages traverse a long distance over an R-APS virtual channel.
Figure 9: Sub-ring without Virtual Channel / Sub-ring with Virtual Channel (figure not reproduced; legend: RPL Port, Interconnection Node, Ring Node, Major Ring)
Example
Console(config-erps-inst)#raps-without-vc
Console(config-erps-inst)#

version
This command specifies compatibility with ERPS version 1 or 2.
Syntax
version {1 | 2}
no version
1 - ERPS version 1 based on ITU-T G.8032/Y.1344.
2 - ERPS version 2 based on ITU-T G.8032/Y.1344 Version 2.
◆ The version number is automatically set to "1" when a ring node supporting only the functionalities of G.8032v1 exists on the same ring with other nodes that support G.8032v2.
◆ When ring nodes running G.8032v1 and G.8032v2 co-exist on a ring, the ring ID of each node is configured as "1".
◆ In version 1, the MAC address 01-19-A7-00-00-01 is used for the node identifier. The raps-def-mac command has no effect.
physical-ring
Use this command to associate an ERPS instance with an existing physical ring. Use the no form of the command to remove the association.
Syntax
physical-ring ring-name
no physical-ring
ring-name - Name of a specific ERPS ring. (Range: 1-12 characters)
Default Setting
None
Command Mode
ERPS Instance Configuration
Command Usage
The physical ring name must first be defined using the erps ring command.
continuously transmitted by this ring node while the local FS command is the ring node's highest priority command (see Table 107 on page 594). The R-APS (FS) message informs other ring nodes of the FS command and that the traffic channel is blocked on one ring port.
c. A ring node accepting an R-APS (FS) message, without any local higher priority requests, unblocks any blocked ring port. This action subsequently unblocks the traffic channel over the RPL.
d.
Table 107: ERPS Request/State Priority (Continued)
Request / State and Status   Type     Priority
WTB Expires                  local
WTB Running                  local
R-APS (NR, RB)               remote
R-APS (NR)                   remote   lowest
* If an Ethernet Ring Node is in the Forced Switch state, local SF is ignored.
◆ Recovery for forced switching under revertive and non-revertive mode is described under the Command Usage section for the non-revertive command.
a. If no other higher priority commands exist, the ring node where a manual switch command was issued blocks the traffic channel and R-APS channel on the ring port to which the command was issued, and unblocks the other ring port.
b. If no other higher priority commands exist, the ring node where the manual switch command was issued transmits R-APS messages over both ring ports indicating MS.
Example
Console#erps manual-switch instance r&d west
Console#

erps clear
This command manually clears the protection state invoked by a forced switch or manual switch command when the node is operating in non-revertive mode, or clears it before the WTR or WTB timer expires when the node is operating in revertive mode.
Syntax
erps clear instance instance-name
instance-name - Name of a specific ERPS instance.
Command Mode
Privileged Exec
Example
Console#clear erps statistics instance r&d
Console#

show erps statistics
This command displays statistics information for all configured instances, or for a specified instance.
Syntax
show erps statistics [instance instance-name]
instance-name - Name of a specific ERPS instance. (Range: 1-12 characters)
Command Mode
Privileged Exec
Example
This example displays statistics for all configured ERPS instances.
Table 108: show erps statistics - detailed display description
Field       Description
Interface   The direction, and port or trunk which is configured as a ring port.
Local SF    A signal fault generated on a link to the local node.
Console#
This example displays a summary of all the ERPS rings configured on the switch.
Console#show erps ring
ERPS Status         : Enabled
ERPS node-id        : B8-6A-97-41-F3-83
Number of ERPS Ring : 2
Ring          ID   Enabled   West I/F   East I/F
------------  ---  -------   --------   --------
test1         1    No
campus1       2    Yes       Eth 1/1    Eth 1/3
Console#
Table 109: show erps ring - summary display description
Field         Description
ERPS Status   Shows whether ERPS is enabled on the switch.
This example displays a summary of all the ERPS instances configured on the switch.
20 Class of Service Commands The commands described in this section allow you to specify which data packets have greater precedence when traffic is buffered in the switch due to congestion. This switch supports CoS with eight priority queues for each port. Data packets in a port’s high-priority queue will be transmitted before those in the lower-priority queues.
Priority Commands (Layer 2)

queue mode
This command sets the scheduling mode used for processing each of the class of service (CoS) priority queues. The options include strict priority, Weighted Round-Robin (WRR), or a combination of strict and weighted queuing. Use the no form to restore the default value.
◆ Service time is shared at the egress ports by defining scheduling weights for WRR, or for the queuing mode that uses a combination of strict and weighted queuing. Service time is allocated to each queue by calculating a precise number of bytes per second that will be serviced on each round.
◆ The specified queue mode applies to all interfaces.
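To make the difference between the three queue modes concrete, here is an added packet-level model of strict, WRR, and combined strict-plus-WRR scheduling over eight-style numbered queues. It is not the switch's scheduler: it assumes a WRR weight is the number of packets a queue may send per round, whereas the guide says the switch accounts service time in bytes per second, so it shows the sharing ratio and the starvation behaviour of strict queues rather than the hardware arithmetic. Queue contents are constructed sample data.

```python
from collections import deque

# Added example, not the switch's scheduler. Assumption: in WRR a queue's
# weight is the number of packets it may send per round. Queue contents
# below are constructed sample data.


def schedule(queues, weights, mode="wrr", strict_queues=(), budget=1000):
    """queues: {qid: [packet, ...]}, weights: {qid: packets per round}.
    mode is 'strict' (highest queue always first), 'wrr', or 'strict-wrr'
    (strict_queues are served strictly, the rest by WRR).
    Returns the transmit order as (qid, packet) tuples, at most budget long."""
    q = {i: deque(p) for i, p in queues.items()}
    if mode == "strict":
        strict = sorted(q, reverse=True)
    elif mode == "strict-wrr":
        strict = sorted(strict_queues, reverse=True)
    else:
        strict = []
    order = []
    while len(order) < budget and any(q.values()):
        # Strict queues: drain the highest non-empty one before anything else,
        # so a busy strict queue starves everything below it.
        pick = next((i for i in strict if q[i]), None)
        if pick is not None:
            order.append((pick, q[pick].popleft()))
            continue
        # One WRR round over the remaining queues, highest queue first.
        for i in sorted(q, reverse=True):
            if i in strict:
                continue
            for _ in range(max(1, weights.get(i, 1))):
                if q[i] and len(order) < budget:
                    order.append((i, q[i].popleft()))
    return order


def transmit_order(mode, strict_queues=()):
    """Three 4-packet queues with weights 1, 2, 3; returns queue ids only."""
    queues = {0: ["a"] * 4, 1: ["b"] * 4, 2: ["c"] * 4}
    weights = {0: 1, 1: 2, 2: 3}
    return [i for i, _ in schedule(queues, weights, mode, strict_queues)]


if __name__ == "__main__":
    print("strict    ", transmit_order("strict"))
    print("wrr       ", transmit_order("wrr"))
    print("strict-wrr", transmit_order("strict-wrr", strict_queues=(2,)))
```

In strict mode queue 2 is fully drained before queue 1 sends anything; in WRR the first round already carries 3:2:1 packets from queues 2, 1 and 0; in the combined mode queue 2 is still served first, but once it empties the remaining queues share the link by weight instead of by rank.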
Example
The following example shows how to assign round-robin weights of 1 - 8 to the CoS priority queues 0 - 7.
Console(config)#queue weight 1 2 3 4 5 6 7 8
Console(config)#
Related Commands
queue mode (604)
show queue weight (607)

switchport priority default
This command sets a priority for incoming untagged frames. Use the no form to restore the default value.
Example
The following example shows how to set the default priority on port 3 to 5:
Console(config)#interface ethernet 1/3
Console(config-if)#switchport priority default 5
Console(config-if)#
Related Commands
show interfaces switchport (413)

show queue mode
This command shows the current queue mode.
7    14
...

Priority Commands (Layer 3 and 4)
This section describes commands used to configure Layer 3 and 4 traffic priority mapping on the switch.
qos map phb-queue
This command determines the hardware output queues to use based on the internal per-hop behavior value. Use the no form to restore the default settings.
Syntax
qos map phb-queue queue-id from phb0 ... phb7
no qos map phb-queue phb0 ... phb7
phb - Per-hop behavior, or the priority used for this router hop. (Range: 0-7)
queue-id - The ID of the priority queue.
qos map cos-dscp
This command maps CoS/CFI values in incoming packets to per-hop behavior and drop precedence values for priority processing. Use the no form to restore the default settings.
Syntax
qos map cos-dscp phb drop-precedence from cos0 cfi0 ... cos7 cfi7
no qos map cos-dscp cos0 cfi0 ... cos7 cfi7
phb - Per-hop behavior, or the priority used for this router hop.
drop precedence values for internal processing. Note that priority tags in the original packet are not modified by this command.
◆ The internal DSCP consists of three bits for per-hop behavior (PHB), which determines the queue to which a packet is sent, and two bits for drop precedence (namely color), which is used to control traffic congestion.
◆ The specified mapping applies to all interfaces.
Table 115: Default Mapping of DSCP Values to Internal PHB/Drop Values
The ingress DSCP is composed of ingress-dscp10 (most significant digit, in the left column) and ingress-dscp1 (least significant digit, in the top row); in other words, ingress-dscp = ingress-dscp10 * 10 + ingress-dscp1. The corresponding internal-dscp is shown at the intersecting cell in the table.
phb - Per-hop behavior, or the priority used for this router hop. (Range: 0-7)
drop-precedence - Drop precedence used for controlling traffic congestion.
Command Usage
◆ If the QoS mapping mode is set to DSCP with this command, and the ingress packet type is IPv4, then priority processing will be based on the DSCP value in the ingress packet.
◆ If the QoS mapping mode is set to DSCP, and a non-IP packet is received, the packet's CoS and CFI (Canonical Format Indicator) values are used for priority processing if the packet is tagged.
CoS-DSCP map.(x,y), x: phb, y: drop precedence:
CoS : CFI     0       1
---------------------------------
0           (0,0)   (0,0)
1           (1,0)   (1,0)
2           (2,0)   (2,0)
3           (3,0)   (3,0)
4           (4,0)   (4,0)
5           (5,0)   (5,0)
6           (6,0)   (6,0)
7           (7,0)   (7,0)
Console#

show qos map dscp-mutation
This command shows the ingress DSCP to internal DSCP map.
Syntax
show qos map dscp-mutation interface interface
interface
  ethernet unit/port
    unit - Unit identifier. (Range: 1)
    port - Port number.
show qos map ip-prec-dscp
This command shows the ingress IP precedence to internal DSCP map.
Syntax
show qos map ip-prec-dscp interface interface
interface
  ethernet unit/port
    unit - Stack unit. (Range: 1)
    port - Port number.
Example
Console#show qos map phb-queue interface ethernet 1/5
Information of Eth 1/5
PHB-queue map:
PHB:    0  1  2  3  4  5  6  7
-------------------------------
queue:  2  0  1  3  4  5  6  7
Console#

show qos map trust-mode
This command shows the QoS mapping mode.
Syntax
show qos map trust-mode interface interface
interface
  ethernet unit/port
    unit - Unit identifier. (Range: 1)
    port - Port number.
21 Quality of Service Commands The commands described in this section are used to configure Differentiated Services (DiffServ) classification criteria and service policies. You can classify traffic based on access lists, IP Precedence or DSCP values, or VLANs. Using access lists allows you select traffic based on Layer 2, Layer 3, or Layer 4 information contained in each packet.
To create a service policy for a specific category of ingress traffic, follow these steps:
1. Use the class-map command to designate a class name for a specific category of traffic, and enter the Class Map configuration mode.
2. Use the match command to select a specific type of traffic based on an access list, an IPv4 DSCP value, IPv4 Precedence value, a VLAN, or a CoS value.
3.
Command Usage
◆ First enter this command to designate a class map and enter the Class Map configuration mode. Then use match commands to specify the criteria for ingress traffic that will be classified under this class map.
◆ One or more class maps can be assigned to a policy map (page 623). The policy map is then bound by a service policy to an interface (page 634). A service policy defines packet classification, service tagging, and bandwidth policing.
match
This command defines the criteria used to classify traffic. Use the no form to delete the matching criteria.
Syntax
[no] match {access-list acl-name | cos cos | ip dscp dscp | ip precedence ip-precedence | vlan vlan}
acl-name - Name of the access control list. Any type of ACL can be specified, including standard or extended IP ACLs and MAC ACLs. (Range: 1-16 characters)
cos - A Class of Service value.
This example creates a class map called "rd-class#2," and sets it to match packets marked for IP Precedence service value 5.
Console(config)#class-map rd-class#2 match-any
Console(config-cmap)#match ip precedence 5
Console(config-cmap)#
This example creates a class map called "rd-class#3," and sets it to match packets marked for VLAN 1.
Command Usage
◆ Use the policy-map command to specify the name of the policy map, and then use the class command to configure policies for traffic that matches the criteria defined in a class map.
◆ A policy map can contain multiple class statements that can be applied to the same interface with the service-policy command.
◆ Create a Class Map (page 623) before assigning it to a Policy Map.
■ set cos command sets the class of service value in matching packets. (This modifies packet priority in the VLAN tag.)
■ police commands define parameters such as the maximum throughput, burst rate, and response to non-conforming traffic.
◆ Up to 16 classes can be included in a policy map.
Command Mode
Policy Map Class Configuration
Command Usage
◆ You can configure up to 16 policers (i.e., class maps) for ingress ports.
◆ Policing is based on a token bucket, where the bucket depth (i.e., the maximum burst before the bucket overflows) is specified by the committed-burst field, and the average rate at which tokens are added to the bucket is specified by the committed-rate option.
police srtcm-color
This command defines an enforcer for classified traffic based on a single rate three color meter (srTCM). Use the no form to remove a policer.
Syntax
[no] police {srtcm-color-blind | srtcm-color-aware} committed-rate committed-burst excess-burst conform-action {transmit | new-dscp} exceed-action {drop | new-dscp} violate-action {drop | new-dscp}
srtcm-color-blind - Single rate three color meter in color-blind mode.
◆ The meter operates in one of two modes. In the color-blind mode, the meter assumes that the packet stream is uncolored. In color-aware mode, the meter assumes that some preceding entity has pre-colored the incoming packet stream so that each packet is either green, yellow, or red. The marker (re)colors an IP packet according to the results of the meter. The color is coded in the DS field [RFC 2474] of the packet.
Console(config)#policy-map rd-policy
Console(config-pmap)#class rd-class
Console(config-pmap-c)#set phb 3
Console(config-pmap-c)#police srtcm-color-blind 100000 4000 6000 conform-action transmit exceed-action 0 violate-action drop
Console(config-pmap-c)#

police trtcm-color
This command defines an enforcer for classified traffic based on a two rate three color meter (trTCM). Use the no form to remove a policer.
Command Usage
◆ You can configure up to 16 policers (i.e., class maps) for ingress ports.
◆ The trTCM as defined in RFC 2698 meters a traffic stream and processes its packets based on two rates – Committed Information Rate (CIR) and Peak Information Rate (PIR) – and their associated burst sizes, Committed Burst Size (BC) and Peak Burst Size (BP).
which are green, yellow, or red. Refer to RFC 2698 for more information on other aspects of trTCM.
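The two meters described above, as an added software model (not the switch's firmware): an RFC 2697 srTCM with the C bucket spilling into the E bucket, and an RFC 2698 trTCM with independent CIR and PIR buckets, each in color-blind and color-aware mode, followed by the conform/exceed/violate action mapping of the police commands. Units follow the CLI (rates in kbit/s, bursts in bytes); the packet trace, timestamps and pre-colors are constructed for illustration. Run on the page's own parameters (100000 4000 6000), a back-to-back burst of 1500-byte packets turns green, then yellow, then red, and recovers to green after a 1 ms gap; the same trace pre-colored yellow never gets green in color-aware mode but is unaffected in color-blind mode.

```python
"""Software model of the srTCM (RFC 2697) and trTCM (RFC 2698) meters behind
the police srtcm-color and police trtcm-color commands.

Added example, not switch firmware. Units follow the CLI: rates in kbit/s,
burst sizes in bytes. The packet trace (sizes, timestamps, pre-colors) is
constructed for illustration.
"""
from enum import IntEnum


class Color(IntEnum):
    GREEN = 0   # conform-action
    YELLOW = 1  # exceed-action
    RED = 2     # violate-action


class SrTCM:
    """Single rate three color meter: one rate (CIR), two buckets (CBS, EBS)."""

    def __init__(self, committed_rate_kbps, committed_burst, excess_burst, color_aware=False):
        self.rate = committed_rate_kbps * 125           # kbit/s -> bytes/s
        self.cbs, self.ebs = committed_burst, excess_burst
        self.tc, self.te = float(committed_burst), float(excess_burst)
        self.color_aware = color_aware
        self.last = 0.0

    def meter(self, now, size, precolor=Color.GREEN):
        # Refill the C bucket; once it is full (depth = committed-burst) the
        # overflow spills into the E bucket, as RFC 2697 specifies.
        self.tc += self.rate * (now - self.last)
        self.last = now
        if self.tc > self.cbs:
            self.te = min(self.ebs, self.te + self.tc - self.cbs)
            self.tc = float(self.cbs)
        pre = precolor if self.color_aware else Color.GREEN  # blind mode ignores pre-coloring
        if pre == Color.GREEN and self.tc >= size:
            self.tc -= size
            return Color.GREEN
        if pre != Color.RED and self.te >= size:
            self.te -= size
            return Color.YELLOW
        return Color.RED


class TrTCM:
    """Two rate three color meter: CIR/CBS and PIR/PBS buckets filled independently."""

    def __init__(self, cir_kbps, cbs, pir_kbps, pbs, color_aware=False):
        self.cir, self.pir = cir_kbps * 125, pir_kbps * 125
        self.cbs, self.pbs = cbs, pbs
        self.tc, self.tp = float(cbs), float(pbs)
        self.color_aware = color_aware
        self.last = 0.0

    def meter(self, now, size, precolor=Color.GREEN):
        elapsed = now - self.last
        self.last = now
        self.tc = min(self.cbs, self.tc + self.cir * elapsed)
        self.tp = min(self.pbs, self.tp + self.pir * elapsed)
        pre = precolor if self.color_aware else Color.GREEN
        if pre == Color.RED or self.tp < size:          # above PIR: violate
            return Color.RED
        self.tp -= size
        if pre == Color.YELLOW or self.tc < size:       # between CIR and PIR: exceed
            return Color.YELLOW
        self.tc -= size
        return Color.GREEN


def apply_action(color, conform, exceed, violate):
    """Map a meter color to the CLI action: 'transmit', 'drop', or an int new-dscp."""
    action = {Color.GREEN: conform, Color.YELLOW: exceed, Color.RED: violate}[color]
    if action in ("transmit", "drop"):
        return (action, None)
    return ("new-dscp", int(action))


# Constructed trace: a back-to-back burst of 1500-byte packets at t=0, then one
# more after a 1 ms gap (at 100000 kbit/s, 1 ms refills 12,500 bytes).
BURST = [(0.0, 1500)] * 7 + [(0.001, 1500)]


def run_srtcm(color_aware=False, precolor=Color.GREEN):
    """Colors for BURST under 'police srtcm-color-* 100000 4000 6000'."""
    m = SrTCM(100000, 4000, 6000, color_aware)
    return [m.meter(t, s, precolor) for t, s in BURST]


def run_trtcm(color_aware=False, precolor=Color.GREEN):
    """Colors for five back-to-back packets plus the one after the gap,
    under CIR 100000 kbit/s / CBS 4000 and PIR 200000 kbit/s / PBS 6000."""
    m = TrTCM(100000, 4000, 200000, 6000, color_aware)
    return [m.meter(t, s, precolor) for t, s in BURST[:5] + BURST[7:]]


def police(colors):
    """Actions from the page's example: conform transmit, exceed new-dscp 0, violate drop."""
    return [apply_action(c, "transmit", 0, "drop") for c in colors]
```

The practical point for a policer that protects a link or a CPU: committed-burst, not committed-rate, decides how many back-to-back packets get through before marking starts, and color-aware mode only makes sense when an upstream device you trust has already marked the DS field; a color-blind meter downstream silently discards that marking.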
Example
This example creates a policy called “rd-policy,” uses the class command to specify the previously defined “rd-class,” uses the set cos command to classify the service that incoming packets will receive, and then uses the police flow command to limit the average bandwidth to 100,000 Kbps and the burst size to 4000 bytes, and to drop any violating packets.
set phb
This command services IP traffic by setting a per-hop behavior value for a matching packet (as specified by the match command) for internal processing. Use the no form to remove this setting.
Syntax
[no] set phb phb-value
phb-value - Per-hop behavior value.
service-policy
This command applies a policy map defined by the policy-map command to the ingress or egress side of a particular interface. Use the no form to remove this mapping.
Syntax
[no] service-policy {input | output} policy-map-name
input - Apply to the input traffic.
output - Apply to the output traffic.
policy-map-name - Name of the policy map for this interface. (Range: 1-32 characters)
Default Setting
No policy map is attached to an interface.
Example
Console#show class-map
Class Map match-any rd-class#1
 Description:
 Match IP DSCP 10
 Match access-list rd-access
 Match IP DSCP 0
Class Map match-any rd-class#2
 Match IP Precedence 5
Class Map match-any rd-class#3
 Match VLAN 1
Console#
show policy-map
This command displays the QoS policy maps which define classification criteria for incoming traffic, and may include policers for bandwidth limitations.
show policy-map interface
This command displays the service policy assigned to the specified interface.
Syntax
show policy-map interface interface input
interface
unit/port
unit - Unit identifier. (Range: 1)
port - Port number.
22 Control Plane Commands Network control packets that are received by the switch are handled by the CPU. This traffic can potentially overwhelm the switch CPU and impact the overall system performance. To prevent the switch CPU from receiving too much traffic, QoS class maps and policy maps can be defined and applied as a service policy to ingress traffic on the CPU’s “control-plane” interface. For details on configuring QoS class maps and policy maps, see “Quality of Service Commands” on page 619.
Chapter 22 | Control Plane Commands service-policy This command applies a QoS policy map defined by the policy-map command to the ingress side of the control-plane interface. Use the no form to remove this mapping. Syntax [no] service-policy input policy-map-name input - Apply to the input traffic. policy-map-name - Name of the policy map for this interface. (Range: 1-32 characters) Default Setting No policy map is attached to the control-plane interface.
Example
Console#show policy-map control-plane input
Console#
show policy-map control-plane input class cp-class hardware counters
Service-policy cpu-rate-limit-policy
 Class-map cp-class
  Receive Packets: 95
  Drop Packets: 0
Console#
23 Multicast Filtering Commands
This switch uses IGMP (Internet Group Management Protocol) to check for any attached hosts that want to receive a specific multicast service. It identifies the ports containing hosts requesting a service and sends data out to those ports only. It then propagates the service request up to any neighboring multicast switch/router to ensure that it will continue to receive the multicast service.
IGMP Snooping
Table 120: IGMP Snooping Commands (Continued)
Command | Function | Mode
ip igmp snooping router-port-expire-time | Configures the querier timeout | GC
ip igmp snooping tcn-flood | Floods multicast traffic when a Spanning Tree topology change occurs | GC
ip igmp snooping tcn-query-solicit | Sends an IGMP Query Solicitation when a Spanning Tree topology change occurs | GC
ip igmp snooping unregistered-data-flood | Floods unregistered multicast traffic into th
Table 120: IGMP Snooping Commands (Continued)
Command | Function | Mode
clear ip igmp snooping statistics | Clears IGMP snooping statistics | PE
show ip igmp snooping | Shows the IGMP snooping, proxy, and query configuration | PE
show ip igmp snooping group | Shows known multicast group, source, and host port mapping | PE
show ip igmp snooping mrouter | Shows multicast router ports | PE
show ip igmp snooping statistics | Shows IGMP snooping protocol statisti
ip igmp snooping mrouter-forward-mode dynamic
This command configures multicast router ports to forward multicast streams only when multicast groups are joined. Use the no form to disable it.
Syntax
ip igmp snooping mrouter-forward dynamic
no ip igmp snooping mrouter-forward
Default Setting
Disabled
Command Mode
Global Configuration
Example
The following example enables IGMP dynamic forwarding.
ip igmp snooping proxy-reporting
This command enables IGMP Snooping with Proxy Reporting. Use the no form to restore the default setting.
Syntax
[no] ip igmp snooping proxy-reporting
ip igmp snooping vlan vlan-id proxy-reporting {enable | disable}
no ip igmp snooping vlan vlan-id proxy-reporting
vlan-id - VLAN ID (Range: 1-4094)
enable - Enable on the specified VLAN.
disable - Disable on the specified VLAN.
ip igmp snooping querier
This command enables the switch as an IGMP querier. Use the no form to disable it.
Syntax
[no] ip igmp snooping querier
Default Setting
Disabled
Command Mode
Global Configuration
Command Usage
◆ IGMP snooping querier is not supported for IGMPv3 snooping (see ip igmp snooping version).
◆ If enabled, the switch will serve as querier if elected.
Example
Console(config)#ip igmp snooping router-alert-option-check
Console(config)#
ip igmp snooping router-port-expire-time
This command configures the querier timeout. Use the no form to restore the default.
Syntax
ip igmp snooping router-port-expire-time seconds
no ip igmp snooping router-port-expire-time
seconds - The time the switch waits after the previous querier stops before it considers it to have expired.
by default, a switch in a VLAN (with IGMP snooping enabled) that receives a Bridge Protocol Data Unit (BPDU) with the TC bit set (by the root bridge) will enter into “multicast flooding mode” for a period of time until the topology has stabilized and the new locations of all multicast receivers are learned.
Command Usage
◆ When the root bridge in a spanning tree receives a topology change notification for a VLAN where IGMP snooping is enabled, it issues a global IGMP leave message (query solicitation). When a switch receives this solicitation, it floods it to all ports in the VLAN where the spanning tree change occurred. When an upstream multicast router receives this solicitation, it also immediately issues an IGMP general query.
ip igmp snooping unsolicited-report-interval
This command specifies how often the upstream interface should transmit unsolicited IGMP reports when report suppression/proxy reporting is enabled. Use the no form to restore the default value.
Syntax
ip igmp snooping unsolicited-report-interval seconds
no ip igmp snooping unsolicited-report-interval
seconds - The interval at which to issue unsolicited reports.
Command Mode
Global Configuration
Command Usage
◆ This command configures the IGMP report/query version used by IGMP snooping. Versions 1 - 3 are all supported, and versions 2 and 3 are backward compatible, so the switch can operate with other devices, regardless of the snooping version employed.
◆ If the IGMP snooping version is configured on a VLAN, this setting takes precedence over the global configuration.
Example
Console(config)#ip igmp snooping version-exclusive
Console(config)#
ip igmp snooping vlan general-query-suppression
This command suppresses general queries except for ports attached to downstream multicast hosts. Use the no form to flood general queries to all ports except for the multicast router port.
Command Mode
Global Configuration
Command Usage
◆ If immediate-leave is not used, a multicast router (or querier) will send a group-specific query message when an IGMPv2/v3 group leave message is received. The router/querier stops forwarding traffic for that group only if no host replies to the query within the timeout period.
Command Mode
Global Configuration
Command Usage
This command will take effect only if IGMP snooping proxy reporting or IGMP querier is enabled (page 645).
Example
Console(config)#ip igmp snooping vlan 1 last-memb-query-count 7
Console(config)#
ip igmp snooping vlan last-memb-query-
This command configures the last-member-query interval. Use the no form to restore the default.
ip igmp snooping vlan mrd
This command enables sending of multicast router solicitation messages. Use the no form to disable these messages.
ip igmp snooping vlan proxy-address
This command configures a static source address for locally generated query and report messages used by IGMP proxy reporting. Use the no form to restore the default source address.
Example
The following example sets the source address for proxied IGMP query messages to 10.0.1.8.
Console(config)#ip igmp snooping vlan 1 proxy-address 10.0.1.8
Console(config)#
ip igmp snooping vlan query-interval
This command configures the interval between sending IGMP general queries. Use the no form to restore the default.
ip igmp snooping vlan query-resp-intvl
This command configures the maximum time the system waits for a response to general queries. Use the no form to restore the default.
Syntax
ip igmp snooping vlan vlan-id query-resp-intvl interval
no ip igmp snooping vlan vlan-id query-resp-intvl
vlan-id - VLAN ID (Range: 1-4094)
interval - The maximum time the system waits for a response to general queries.
2006). If proxy reporting is enabled (see ip igmp snooping proxy-reporting), report suppression will still be enabled, regardless of the configuration setting for the report suppression command.
◆ IGMP reports are relayed to the router port only when necessary; that is, when the first user joins a multicast group, and once only per multicast group in response to an IGMP query.
Example
The following shows how to statically configure a multicast group on a port.
Console(config)#ip igmp snooping vlan 1 static 228.0.0.15 ethernet 1/5
Console(config)#
ip igmp snooping immediate-leave
This command enables immediate leave processing on the interface. Use the no form to restore the default.
clear ip igmp snooping statistics
This command clears IGMP snooping statistics.
Syntax
clear ip igmp snooping statistics [interface interface]
interface
ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number.
 Querier                      : Disabled
VLAN 1:
-------
 IGMP Snooping                : Enabled
 IGMP Snooping Running Status : Inactive
 Version                      : Using global Version (2)
 Version Exclusive            : Using global status (Disabled)
 Immediate Leave              : Disabled
 Last Member Query Interval   : 10 (unit: 1/10s)
 Last Member Query Count      : 2
 General Query Suppression    : Disabled
 Query Interval               : 125
 Query Response Interval      : 100 (unit: 1/
 Proxy Query Address          :
 Proxy Reporting              :
 Multicast Router Discovery   :
Command Mode
Privileged Exec
Command Usage
Member types displayed include IGMP or USER, depending on selected options.
Example
The following shows the multicast entries learned through IGMP snooping for VLAN 1.
Console#show ip igmp snooping group vlan 1
Bridge Multicast Forwarding Entry Count:1
Flag: R - Router port, M - Group member port
      H - Host counts (number of hosts join the group on this port).
      P - Port counts (number of ports join the group).
1    Eth 1/10  Static
Console#
show ip igmp snooping statistics
This command shows IGMP snooping protocol statistics for the specified interface.
Syntax
show ip igmp snooping statistics {input [interface interface] | output [interface interface] | query [vlan vlan-id]}
input - Specifies to display statistics for messages received by the interface.
output - Specifies to display statistics for messages sent by the interface.
Table 121: show ip igmp snooping statistics input - display description
Field | Description
G Query | The number of general query messages received on this interface.
G(-S)-S Query | The number of group specific or group-and-source specific query messages received on this interface.
Drop | The number of times a report, leave or query was dropped. Packets may be dropped due to invalid format, rate limiting, or packet content not allowed.
The following shows IGMP query-related statistics for VLAN 1:
Console#show ip igmp snooping statistics query vlan 1
Other Querier          : None
Other Querier Expire   : 0(m):0(s)
Other Querier Uptime   : 0(h):0(m):0(s)
Self Querier           : 192.168.2.12
Self Querier Expire    : 0(m):0(s)
Self Querier Uptime    : 0(h):0(m):0(s)
General Query Received : 0
General Query Sent     : 0
Specific Query Received: 0
Specific Query Sent    : 0
Warn Rate Limit        : 0 sec.
Static Multicast Routing
This section describes commands used to configure static multicast routing on the switch.
Table 124: Static Multicast Interface Commands
Command | Function | Mode
ip igmp snooping vlan mrouter | Adds a multicast router port | GC
show ip igmp snooping mrouter | Shows multicast router ports | PE
ip igmp snooping vlan mrouter
This command statically configures a (Layer 2) multicast router port on the specified VLAN.
Example
The following shows how to configure port 10 as a multicast router port within VLAN 1.
Console(config)#ip igmp snooping vlan 1 mrouter ethernet 1/10
Console(config)#
IGMP Filtering and Throttling
In certain switch applications, the administrator may want to control the multicast services that are available to end users. For example, an IP/TV service based on a specific subscription plan.
ip igmp filter (Global Configuration)
This command globally enables IGMP filtering and throttling on the switch. Use the no form to disable the feature.
Syntax
[no] ip igmp filter
Default Setting
Disabled
Command Mode
Global Configuration
Command Usage
IGMP filtering enables you to assign a profile to a switch port that specifies multicast groups that are permitted or denied on the port.
Command Usage
A profile defines the multicast groups that a subscriber is permitted or denied to join. The same profile can be applied to many interfaces, but only one profile can be assigned to one interface. Each profile has only one access mode; either permit or deny.
Example
Console(config)#ip igmp profile 19
Console(config-igmp-profile)#
permit, deny
This command sets the access mode for an IGMP filter profile.
Default Setting
None
Command Mode
IGMP Profile Configuration
Command Usage
Enter this command multiple times to specify more than one multicast address or address range for a profile.
Example
Console(config)#ip igmp profile 19
Console(config-igmp-profile)#range 239.2.3.1 239.2.3.100
Console(config-igmp-profile)#
ip igmp
This command enables IGMP authentication on the specified interface.
◆ If the interface leaves the group and subsequently rejoins the same group, the join report needs to again be authenticated.
◆ When receiving an IGMP v3 report message, the switch will send the access request to the RADIUS server only when the record type is either IS_EX or TO_EX, and the source list is empty. Other types of packets will not initiate RADIUS authentication.
ip igmp filter (Interface Configuration)
This command assigns an IGMP filtering profile to an interface on the switch. Use the no form to remove a profile from an interface.
Syntax
ip igmp filter profile-number
no ip igmp filter
profile-number - An IGMP filter profile number.
Command Usage
◆ IGMP throttling sets a maximum number of multicast groups that a port can join at the same time. When the maximum number of groups is reached on a port, the switch can take one of two actions; either “deny” or “replace” (see the ip igmp max-groups action command). If the action is set to deny, any new IGMP join reports will be dropped.
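As an added example (not switch firmware) covering both the RADIUS trigger rule stated under IGMP authentication above and the filter-profile and throttling behaviour described under ip igmp profile, range, ip igmp filter and ip igmp max-groups: the model below parses IGMPv2 and IGMPv3 membership reports (checksum and length checks included, the "invalid format" drop case of the statistics table), then runs each joined group through a permit/deny profile and a max-groups limit with the deny or replace action, and reports whether the record type would start a RADIUS access request. The report packets, the profile (the page's profile 19 ranges) and the port settings are constructed; treating an IGMPv2 report as IS_EX with an empty source list, and evicting the oldest joined group when the action is replace, are assumptions the page does not state.

```python
"""IGMP report parsing, then IGMP filter-profile and throttling checks on the
joined groups. Added example, not switch firmware: the packets, profile and
port settings are constructed. The RADIUS rule (only IS_EX/TO_EX records with
an empty source list trigger authentication) is the page's; treating an IGMPv2
report as IS_EX({}) and evicting the oldest group on "replace" are assumptions.
"""
import ipaddress
import struct

IS_EX, TO_IN, TO_EX = 2, 3, 4          # IGMPv3 group record types (RFC 3376)


def inet_checksum(data):
    """RFC 1071 checksum; evaluates to 0 over a message whose checksum is correct."""
    if len(data) % 2:
        data = data + b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_v3_report(records):
    """Constructed IGMPv3 Membership Report (type 0x22) from [(type, group, [sources])]."""
    body = b"".join(struct.pack("!BBH4s", t, 0, len(s), ipaddress.IPv4Address(g).packed)
                    + b"".join(ipaddress.IPv4Address(x).packed for x in s) for t, g, s in records)
    csum = inet_checksum(struct.pack("!BBHHH", 0x22, 0, 0, 0, len(records)) + body)
    return struct.pack("!BBHHH", 0x22, 0, csum, 0, len(records)) + body


def build_v2_report(group):
    """Constructed IGMPv2 Membership Report (type 0x16)."""
    g = ipaddress.IPv4Address(group).packed
    return struct.pack("!BBH4s", 0x16, 0, inet_checksum(struct.pack("!BBH4s", 0x16, 0, 0, g)), g)


def parse_report(pkt):
    """Return [(record_type, group, [sources])]; ValueError on a malformed report."""
    if len(pkt) < 8 or inet_checksum(pkt) != 0:
        raise ValueError("bad length or checksum")
    if pkt[0] == 0x16:                                   # IGMPv2 join, modelled as IS_EX({})
        return [(IS_EX, str(ipaddress.IPv4Address(pkt[4:8])), [])]
    if pkt[0] != 0x22:
        raise ValueError("not a membership report: type 0x%02x" % pkt[0])
    nrec, off, out = struct.unpack("!H", pkt[6:8])[0], 8, []
    for _ in range(nrec):
        if off + 8 > len(pkt):
            raise ValueError("truncated group record")
        rtype, auxlen, nsrc = struct.unpack("!BBH", pkt[off:off + 4])
        group = str(ipaddress.IPv4Address(pkt[off + 4:off + 8]))
        off += 8
        if off + 4 * nsrc + 4 * auxlen > len(pkt):
            raise ValueError("truncated source list")
        srcs = [str(ipaddress.IPv4Address(pkt[off + 4 * i:off + 4 * i + 4])) for i in range(nsrc)]
        off += 4 * nsrc + 4 * auxlen
        out.append((rtype, group, srcs))
    return out


def profile_allows(profile, group):
    """profile = ("permit"|"deny", [(low, high), ...]); one access mode per profile."""
    mode, ranges = profile
    g = int(ipaddress.IPv4Address(group))
    hit = any(int(ipaddress.IPv4Address(lo)) <= g <= int(ipaddress.IPv4Address(hi)) for lo, hi in ranges)
    return hit if mode == "permit" else not hit


class Port:
    """Per-port state: optional filter profile plus max-groups throttling."""

    def __init__(self, profile=None, max_groups=None, action="deny"):
        self.profile, self.max_groups, self.action = profile, max_groups, action
        self.groups = []                                  # joined groups, oldest first

    def join(self, group):
        if self.profile and not profile_allows(self.profile, group):
            return "filtered"
        if group in self.groups:
            return "already-joined"
        if self.max_groups is not None and len(self.groups) >= self.max_groups:
            if self.action == "deny":
                return "throttled"                        # new join report is dropped
            self.groups.pop(0)                            # assumption: oldest group is replaced
            self.groups.append(group)
            return "replaced"
        self.groups.append(group)
        return "joined"


def process_report(port, pkt):
    """Return [(group, outcome, triggers_radius_auth)] for one received report."""
    try:
        records = parse_report(pkt)
    except ValueError as err:
        return [("<none>", "dropped: %s" % err, False)]
    results = []
    for rtype, group, srcs in records:
        if rtype == TO_IN and not srcs:                  # TO_IN({}) is a leave, not a join
            if group in port.groups:
                port.groups.remove(group)
            results.append((group, "left", False))
        else:
            results.append((group, port.join(group), rtype in (IS_EX, TO_EX) and not srcs))
    return results
```

Two things worth noticing when you test a deployment against this model: an ALLOW_NEW_SOURCES record (type 5) still joins the group on the port but, by the page's rule, never reaches the RADIUS server, so authentication alone is not a substitute for a filter profile; and with the replace action a subscriber can churn through groups indefinitely, so the deny action is the one that actually bounds per-port state.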
ip igmp query-drop
This command drops any received IGMP query packets. Use the no form to restore the default setting.
Syntax
[no] ip igmp query-drop [vlan vlan-id]
vlan-id - VLAN ID (Range: 1-4094)
Default Setting
Disabled
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
This command can be used to drop any query packets received on the specified interface.
show ip igmp authentication
This command displays the interface settings for IGMP authentication.
Syntax
show ip igmp authentication interface [interface]
interface
ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number.
Command Mode
Privileged Exec
Example
Console#show ip igmp filter
IGMP Filter enabled
Console#show ip igmp filter interface ethernet 1/1
Ethernet 1/1 information
---------------------------------
 IGMP Profile 19
  Deny
  Range 239.1.1.1 239.1.1.1
  Range 239.2.3.1 239.2.3.100
Console#
show ip igmp profile
This command displays IGMP filtering profiles created on the switch.
show ip igmp query-drop
This command shows if the specified interface is configured to drop IGMP query packets.
Syntax
show ip igmp query-drop [interface]
interface
ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number.
Command Usage
Using this command without specifying an interface displays information for all interfaces.
Example
Console#show ip igmp throttle interface ethernet 1/1
Eth 1/1 Information
 Status                   : FALSE
 Action                   : Deny
 Max Multicast Groups     : 1024
 Current Multicast Groups : 0
Console#
show ip multicast-data-drop
This command shows if the specified interface is configured to drop multicast data packets.
MLD Snooping
Multicast Listener Discovery (MLD) snooping operates on IPv6 traffic and performs a similar function to IGMP snooping for IPv4. That is, MLD snooping dynamically configures switch ports to limit IPv6 multicast traffic so that it is forwarded only to ports with users that want to receive it. This reduces the flooding of IPv6 multicast packets in the specified VLANs. There are two versions of the MLD protocol, version 1 and version 2.
Table 127: MLD Snooping Commands (Continued)
Command | Function | Mode
clear ipv6 mld snooping statistics | Clears MLD snooping statistics | PE
show ipv6 mld snooping | Displays MLD Snooping configuration | PE
show ipv6 mld snooping group | Displays the learned groups | PE
show ipv6 mld snooping group source-list | Displays the learned groups and corresponding source list | PE
show ipv6 mld snooping mrouter | Displays the information of multicast router ports
Command Usage
◆ When proxy reporting is enabled with this command, reports received from downstream hosts are summarized and used to build internal membership states. Proxy-reporting devices may use the IPv6 address configured on this VLAN or Source IP address from received report message as source address when forwarding any summarized reports upstream.
ipv6 mld snooping query-interval
This command configures the interval between sending MLD general queries. Use the no form to restore the default.
Syntax
ipv6 mld snooping query-interval interval
no ipv6 mld snooping query-interval
interval - The interval between sending MLD general queries.
Example
Console(config)#ipv6 mld snooping query-max-response-time 15
Console(config)#
ipv6 mld snooping robustness
This command configures the MLD Snooping robustness variable. Use the no form to restore the default value.
Syntax
ipv6 mld snooping robustness value
no ipv6 mld snooping robustness
value - The number of the robustness variable.
Command Usage
The router port expire time is the time the switch waits after the previous querier stops before it considers the router port (i.e., the interface that had been receiving query packets) to have expired.
Example
Console(config)#ipv6 mld snooping router-port-expire-time 300
Console(config)#
ipv6 mld snooping unknown-multicast
This command sets the action for dealing with unknown multicast packets. Use the no form to restore the default.
ipv6 mld snooping unsolicited-report-interval
This command specifies how often the upstream interface should transmit unsolicited MLD snooping reports when proxy reporting is enabled. Use the no form to restore the default value.
Syntax
ipv6 mld snooping unsolicited-report-interval seconds
no ipv6 mld snooping unsolicited-report-interval
seconds - The interval at which to issue unsolicited reports.
Example
Console(config)#ipv6 mld snooping version 1
Console(config)#
ipv6 mld snooping vlan immediate-leave
This command immediately deletes a member port of an IPv6 multicast service when a leave packet is received at that port and immediate-leave is enabled for the parent VLAN. Use the no form to restore the default.
ipv6 mld snooping vlan mrouter
This command statically configures an IPv6 multicast router port. Use the no form to remove the configuration.
Syntax
[no] ipv6 mld snooping vlan vlan-id mrouter interface
vlan-id - VLAN ID (Range: 1-4094)
interface
ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number. (Range: 1-18)
port-channel channel-id (Range: 1-12)
Default Setting
No static multicast router ports are configured.
ipv6 mld snooping vlan static
This command adds a port to an IPv6 multicast group. Use the no form to remove the port.
Syntax
[no] ipv6 mld snooping vlan vlan-id static ipv6-address interface
vlan-id - VLAN ID (Range: 1-4094)
ipv6-address - An IPv6 address of a multicast group. (Format: X:X:X:X::X)
interface
ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number.
clear ipv6 mld snooping statistics
This command clears MLD snooping statistics.
Syntax
clear ipv6 mld snooping statistics [interface interface]
interface
ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number.
 Router Port Expiry Time   : 300 sec
 Unsolicit Report Interval : 400 sec
 Immediate Leave           : Disabled on all VLAN
 Immediate Leave By Host   : Disabled on all VLAN
 Unknown Flood Behavior    : To Router Port
 MLD Snooping Version      : Version 2

VLAN Group IPv6 Address                    Port
---- --------------------------------------- --------
1    ff05:0:1:2:3:4:5:6                      Eth 1/1

Console#show ipv6 mld snooping vlan
VLAN 1
 Immediate Leave        : Disabled
 Unknown Flood Behavior : To Router Port
Con
show ipv6 mld snooping group source-list
This command shows known multicast groups, member ports, the means by which each group was learned, and the corresponding source list.
Syntax
show ipv6 mld snooping group source-list [ipv6-address | vlan vlan-id]
ipv6-address - An IPv6 address of a multicast group.
Example
Console#show ipv6 mld snooping mrouter vlan 1
VLAN Multicast Router Port Type      Expire
---- --------------------- --------- ------
1    Eth 1/2               Static
Console#
show ipv6 mld snooping statistics
This command shows MLD snooping protocol statistics for the specified interface.
Table 128: show ipv6 MLD snooping statistics input - display description
Field | Description
Interface | The unit/port or VLAN interface.
Report | The number of MLD membership reports received on this interface.
Leave | The number of leave messages received on this interface.
G Query | The number of general query messages received on this interface.
 Self Querier Expire Time : 1(m):49(s)
 Self Querier UpTime      : 0(h):9(m):6(s)
 General Query Received   : 0
 General Query Sent       : 6
 Specific Query Received  : 0
 Specific Query Sent      : 0
Console#
Table 130: show ipv6 MLD snooping statistics query - display description
Field | Description
Other Querier Address | IP address of remote querier on this interface.
Other Querier Expire | Time after which remote querier is assumed to have expired.
 Filter Drop     : 0
 Source Port Drop: 0
 Others Drop     : 0
Console#
Table 131: show ipv6 MLD snooping statistics summary - display description
Field | Description
Number of Groups | Number of active MLD groups active on the specified interface.
Physical Interface (Port/Trunk) Querier: Transmit General | The number of general queries sent from this interface.
Group Specific | The number of group specific queries sent from this interface.
Table 131: show ipv6 MLD snooping statistics summary - display description
Field | Description
Host Addr | The link-local or global IPv6 address that is assigned on that VLAN.
Unsolicit Expire | The number of group leaves resulting from timeouts instead of explicit leave messages.
MLD Filtering and Throttling
In certain switch applications, the administrator may want to control the multicast services that are available to end users.
ipv6 mld filter (Global Configuration)
This command globally enables MLD filtering and throttling on the switch. Use the no form to disable the feature.
Syntax
[no] ipv6 mld filter
Default Setting
Disabled
Command Mode
Global Configuration
Command Usage
MLD filtering enables you to assign a profile to a switch port that specifies multicast groups that are permitted or denied on the port.
Command Mode
Global Configuration
Command Usage
A profile defines the multicast groups that a subscriber is permitted or denied to join. The same profile can be applied to many interfaces, but only one profile can be assigned to one interface. Each profile has only one access mode; either permit or deny.
Syntax
[no] range low-ipv6-address high-ipv6-address
low-ipv6-address - A valid IPv6 address (X:X:X:X::X) of a multicast group or start of a group range.
high-ipv6-address - A valid IPv6 address (X:X:X:X::X) for the end of a multicast group range.
Default Setting
None
Command Mode
MLD Profile Configuration
Command Usage
Enter this command multiple times to specify more than one multicast address or address range for a profile.
Example
Console(config)#interface ethernet 1/1
Console(config-if)#ipv6 mld filter 19
Console(config-if)#
ipv6 mld max-groups
This command configures the maximum number of MLD groups that an interface can join. Use the no form to restore the default setting.
Syntax
ipv6 mld max-groups number
no ipv6 mld max-groups
number - The maximum number of multicast groups an interface can join at the same time.
ipv6 mld max-groups action
This command sets the MLD throttling action for an interface on the switch. Use the no form of the command to set the action to the default.
Syntax
ipv6 mld max-groups action {deny | replace}
no ipv6 mld max-groups action
deny - The new multicast group join report is dropped.
replace - The new multicast group replaces an existing group.
Example
Console(config)#interface ethernet 1/1
Console(config-if)#ipv6 mld query-drop
Console(config-if)#
ipv6 multicast-data-drop
Use this command to enable multicast data drop mode on a port interface. Use the no form of the command to disable multicast data drop.
Ethernet 1/3 information
---------------------------------
 MLD Profile 19
  Deny
  Range ff01::101 ff01::faa
Console#
show ipv6 mld profile
This command displays MLD filtering profiles created on the switch.
Syntax
show ipv6 mld profile [profile-number]
profile-number - An existing MLD filter profile number.
Command Mode
Privileged Exec
Command Usage
Using this command without specifying an interface displays all interfaces.
Example
Console#show ipv6 mld query-drop interface ethernet 1/1
Ethernet 1/1: Enabled
Console#
show ipv6 mld throttle interface
This command displays the interface settings for MLD throttling.
Syntax
show ipv6 mld throttle interface [interface]
interface
ethernet unit/port
unit - Unit identifier.
MVR for IPv4
This section describes commands used to configure Multicast VLAN Registration for IPv4 (MVR). A single network-wide VLAN can be used to transmit multicast traffic (such as television channels) across a service provider’s network. Any multicast traffic entering an MVR VLAN is sent to all subscribers.
Table 133: Multicast VLAN Registration for IPv4 Commands (Continued)
Command | Function | Mode
show mvr members | Shows information about the current number of entries in the forwarding database, or detailed information about a specific multicast address | PE
show mvr profile | Shows all configured MVR profiles | PE
show mvr statistics | Shows MVR protocol statistics for the specified interface | PE
mvr
This command enables Multicast VLAN Registration (MVR)
Command Mode
Global Configuration
Example
The following example assigns an MVR group address profile to domain 1:
Console(config)#mvr domain 1 associated-profile rd
Console(config)#
Related Commands
mvr profile (708)

mvr domain
This command enables Multicast VLAN Registration (MVR) for a specific domain. Use the no form of this command to disable MVR for a domain.
Syntax
[no] mvr domain domain-id
domain-id - An independent multicast domain.
profile-name - The name of a profile containing one or more MVR group addresses. (Range: 1-21 characters)
start-ip-address - Starting IPv4 address for an MVR multicast group. (Range: 224.0.1.0 - 239.255.255.255)
end-ip-address - Ending IPv4 address for an MVR multicast group. (Range: 224.0.1.0 - 239.255.255.255)
Command Mode
Global Configuration
Command Usage
This command sets the general query interval at which active receiver ports send out general queries. This interval is only effective when proxy switching is enabled with the mvr proxy-switching command.
Example
This example sets the proxy query interval for MVR proxy switching.
◆ When MVR proxy switching is disabled:
  ■ Any membership reports received from receiver/source ports are forwarded to all source ports.
  ■ When a source port receives a query message, it will be forwarded to all downstream receiver ports.
  ■ When a receiver port receives a query message, it will be dropped.
Example
The following example enables MVR proxy switching.
Related Commands
mvr proxy-switching (710)

mvr source-port-mode
This command configures the switch to forward only multicast streams that a source port has dynamically joined or to forward all multicast groups. Use the no form to restore the default setting.
Syntax
mvr source-port-mode {dynamic | forward}
no mvr source-port-mode
dynamic - Configures source ports to only forward dynamically-joined MVR group multicast streams.
mvr upstream-source-ip
This command configures the source IP address assigned to all MVR control packets sent upstream on all domains or on a specified domain. Use the no form to restore the default setting.
Syntax
mvr [domain domain-id] upstream-source-ip source-ip-address
no mvr [domain domain-id] upstream-source-ip
domain-id - An independent multicast domain.
◆ The VLAN specified by this command must be an existing VLAN configured with the vlan command.
◆ MVR source ports can be configured as members of the MVR VLAN using the switchport allowed vlan command and switchport native vlan command, but MVR receiver ports should not be statically configured as members of this VLAN.
◆ Using immediate leave can speed up leave latency, but should only be enabled on a port attached to only one multicast subscriber to avoid disrupting services to other group members attached to the same interface.
◆ Immediate leave does not apply to multicast groups which have been statically assigned to a port with the mvr vlan group command.
Example
The following example enables immediate leave on a receiver port.
◆ Only IGMP version 2 or 3 hosts can issue multicast join or leave messages. If MVR must be configured for an IGMP version 1 host, the multicast groups must be statically assigned using the mvr vlan group command.
Example
The following example configures one source port and several receiver ports on the switch.
◆ Only IGMP version 2 or 3 hosts can issue multicast join or leave messages. If MVR must be configured for an IGMP version 1 host, the multicast groups must be statically assigned using the mvr vlan group command.
◆ The MVR VLAN cannot be specified as the receiver VLAN for static bindings.
port-channel channel-id (Range: 1-12)
vlan vlan-id - VLAN identifier (Range: 1-4094)
Command Mode
Privileged Exec
Example
Console#clear mvr statistics
Console#

show mvr
This command shows information about MVR domain settings, including MVR operational status, the multicast VLAN, the current number of group addresses, and the upstream source IP address.
Syntax
show mvr [domain domain-id]
domain-id - An independent multicast domain.
Table 134: show mvr - display description (Continued)
Field                     Description
MVR Proxy Query Interval  Shows the interval at which the receiver port sends out general queries
MVR Source Port Mode      Shows if the switch forwards all multicast streams, or only those which the source port has dynamically joined
MVR Domain                An independent multicast domain.
MVR Config Status         Shows if MVR is globally enabled on the switch.
show mvr interface
This command shows MVR configuration settings for interfaces attached to the MVR VLAN.
Syntax
show mvr [domain domain-id] interface
domain-id - An independent multicast domain. (Range: 1-5)
Default Setting
Displays configuration settings for all attached interfaces.
show mvr members
This command shows information about the current number of entries in the forwarding database, detailed information about a specific multicast address, the IP address of the hosts subscribing to all active multicast groups, or the multicast groups associated with each port.
Group Address    VLAN Port        Up time     Expire Count
---------------- ---- ----------- ----------- ------ -------
234.5.6.7         1               00:00:09:17        2(P)
                  1   Eth 1/ 1(S)
                  2   Eth 1/ 2(R)
Console#
The following example shows detailed information about a specific multicast address:
Console#show mvr domain 1 members 234.5.6.7
MVR Domain : 1
MVR Forwarding Entry Count : 1
Flag: S - Source port, R - Receiver port.
      H - Host counts (number of hosts joined to group on this port).
show mvr profile
This command shows all configured MVR profiles.
Command Mode
Privileged Exec
Example
The following shows all configured MVR profiles:
Console#show mvr profile
MVR Profile Name     Start IP Addr.  End IP Addr.
-------------------- --------------- ---------------
rd                   228.1.23.1      228.1.23.10
testing              228.2.23.1      228.2.23.10
Console#

show mvr statistics
This command shows MVR protocol-related statistics for the specified interface.
Example
The following shows MVR protocol-related statistics received:
Console#show mvr domain 1 statistics input
MVR Domain : 1 , MVR VLAN: 2
Input Statistics:
Interface Report   Leave    G Query  G(-S)-S Query Drop     Join Succ Group
--------- -------- -------- -------- ------------- -------- --------- -----
Eth 1/ 1  23       11       4        10            5        20        9
Eth 1/ 2  12       15       8        3             5        19        4
DVLAN 1   2        0        0        2             2        20        9
MVLAN 1   2        0        0        2             2        20        9
Console#
Table 137: show mvr statistics input - display
Table 138: show mvr statistics output - display description (Continued)
Field          Description
Leave          The number of leave messages sent from this interface.
G Query        The number of general query messages sent from this interface.
G(-S)-S Query  The number of group specific or group-and-source specific query messages sent from this interface.
Drop           The number of times a report, leave or query was dropped.
Table 139: show mvr statistics query - display description (Continued)
Field             Description
Warn Rate Limit   Count down from 15 seconds after receiving a Query different from the configured version.
V# Warning Count  Number of queries received on MVR that were configured for IGMP version 1, 2 or 3.
Table 140: show mvr statistics summary interface - display description
Field             Description
Report            Number of reports received.
Leave             Number of leaves received.
Join Success      Number of join reports processed successfully.
Filter Drop       Number of report/leave messages dropped by IGMP filter.
Source Port Drop  Number of report/leave messages dropped by MVR source port.
Others Drop       Number of report/leave messages dropped for other reasons.
Table 141: show mvr statistics summary interface mvr vlan - description
Field             Description
General           Number of general queries sent from receiver port.
Group Specific    Number of group specific queries sent from receiver port.
Received
  General         Number of general queries received.
  Group Specific  Number of group specific queries received.
V# Warning Count  Number of queries received on MVR that were configured by IGMP version 1, 2 or 3.
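The MLD profile printed earlier in this chapter (profile 19, deny, range ff01::101 to ff01::faa) and the start/end address parameters of the mvr profile command both describe a group-address filter that a join request is checked against before the switch forwards the stream. The following Python is an added example, not code from the Edgecore guide or from the switch firmware, of how such a profile is evaluated and how the guide's address-range constraints are enforced. Because the guide does not state it, the example assumes a profile has one action (permit or deny) that applies to every range it holds, and that a group matching no range gets the opposite action. Profile names and addresses come from the guide's sample output; everything else is constructed.

```python
"""Added example: evaluate a multicast filter profile (MLD or MVR style)
against a join request. Not part of the Edgecore guide.

Assumption (not stated by the guide): one action per profile, applied to
every range; a group matching no range gets the opposite action."""
from ipaddress import ip_address, IPv4Address
from typing import List, Tuple

# Range the guide permits for 'mvr profile' start/end addresses. The local
# network control block 224.0.0.0/24 below it is never accepted.
MVR_LOW, MVR_HIGH = ip_address("224.0.1.0"), ip_address("239.255.255.255")


class FilterProfile:
    def __init__(self, name: str, action: str, ranges: List[Tuple[str, str]]):
        if action not in ("permit", "deny"):
            raise ValueError("action must be 'permit' or 'deny'")
        self.name, self.action = name, action
        self.ranges = []
        for start_s, end_s in ranges:
            start, end = ip_address(start_s), ip_address(end_s)
            if type(start) is not type(end):
                raise ValueError(f"mixed address families in {start_s}-{end_s}")
            if start > end:
                raise ValueError(f"range start {start} is after end {end}")
            if not (start.is_multicast and end.is_multicast):
                raise ValueError(f"{start_s}-{end_s} is not a multicast range")
            # IPv4 ranges are MVR ranges and must sit inside the guide's window.
            if isinstance(start, IPv4Address) and not (MVR_LOW <= start and end <= MVR_HIGH):
                raise ValueError(f"{start_s}-{end_s} outside 224.0.1.0-239.255.255.255")
            self.ranges.append((start, end))

    def matches(self, group: str) -> bool:
        """True if the group falls inside any range of the same address family."""
        g = ip_address(group)
        return any(type(s) is type(g) and s <= g <= e for s, e in self.ranges)

    def decide(self, group: str) -> str:
        """Return 'permit' or 'deny' for a join to this group."""
        if self.matches(group):
            return self.action
        return "deny" if self.action == "permit" else "permit"


if __name__ == "__main__":
    # Profile 19 from the guide's show output, plus a join inside and outside it.
    p19 = FilterProfile("19", "deny", [("ff01::101", "ff01::faa")])
    for g in ("ff01::200", "ff01::fab"):
        print(f"profile {p19.name}: join {g} -> {p19.decide(g)}")
```

Mixing families is handled explicitly: an IPv4 group never matches an IPv6 range, so an MVR join tested against an MLD profile falls through to the default action instead of raising on the comparison.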
24 LLDP Commands
Link Layer Discovery Protocol (LLDP) is used to discover basic information about neighboring devices on the local broadcast domain. LLDP is a Layer 2 protocol that uses periodic broadcasts to advertise information about the sending device. Advertised information is represented in Type Length Value (TLV) format according to the IEEE 802.1AB standard, and can include details such as device identification, capabilities and configuration settings.
Chapter 24 | LLDP Commands

Table 142: LLDP Commands (Continued)
Command                             Function                                                               Mode
lldp basic-tlv system-capabilities  Configures an LLDP-enabled port to advertise its system capabilities   IC
lldp basic-tlv system-description   Configures an LLDP-enabled port to advertise the system description    IC
lldp basic-tlv system-name          Configures an LLDP-enabled port to advertise its system name           IC
lldp dot1-tlv proto-ident*          Configures an LLDP-enabled port to advertise the supported protocols   IC
lldp dot1
lldp
This command enables LLDP globally on the switch. Use the no form to disable LLDP.
Syntax
[no] lldp
Default Setting
Enabled
Command Mode
Global Configuration
Example
Console(config)#lldp
Console(config)#

lldp holdtime-multiplier
This command configures the time-to-live (TTL) value sent in LLDP advertisements. Use the no form to restore the default setting.
lldp med-fast-start-count
This command specifies the number of MED Fast Start LLDPDUs to transmit during the activation process of the LLDP-MED Fast Start mechanism. Use the no form to restore the default setting.
Syntax
lldp med-fast-start-count packet-number
no lldp med-fast-start-count
packet-number - Number of packets.
◆ Information about changes in LLDP neighbors that occur between SNMP notifications is not transmitted. Only state changes that exist at the time of a notification are included in the transmission. An SNMP agent should therefore periodically check the value of lldpStatsRemTableLastChangeTime to detect any lldpRemTablesChange notification-events missed due to throttling or transmission loss.
Command Mode
Global Configuration
Command Usage
When LLDP is re-initialized on a port, all information in the remote systems LLDP MIB associated with this port is deleted.
Example
Console(config)#lldp reinit-delay 10
Console(config)#

lldp tx-delay
This command configures a delay between the successive transmission of advertisements initiated by a change in local LLDP MIB variables. Use the no form to restore the default setting.
lldp admin-status
This command enables LLDP transmit, receive, or transmit and receive mode on the specified port. Use the no form to disable this feature.
Syntax
lldp admin-status {rx-only | tx-only | tx-rx}
no lldp admin-status
rx-only - Only receive LLDP PDUs.
tx-only - Only transmit LLDP PDUs.
tx-rx - Both transmit and receive LLDP Protocol Data Units (PDUs).
◆ Since there are typically a number of different addresses associated with a Layer 3 device, an individual LLDP PDU may contain more than one management address TLV.
◆ Every management address TLV that reports an address that is accessible on a port and protocol VLAN through the particular port should be accompanied by a port and protocol VLAN TLV that indicates the VLAN identifier (VID) associated with the management address reported by this TLV.
Neither the IPv4 address nor the IPv6 address of a VLAN interface is configured. The CPU MAC address (or device MAC address) will be sent in the Management Address TLV of the LLDP PDU transmitted.
Example
Console(config)#interface ethernet 1/1
Console(config-if)#lldp basic-tlv management-ipv6-address
Console(config-if)#

lldp basic-tlv port-description
This command configures an LLDP-enabled port to advertise its port description. Use the no form to disable this feature.
Command Usage
The system capabilities TLV identifies the primary function(s) of the system and whether or not these primary functions are enabled. The information advertised by this TLV is described in IEEE 802.1AB.
Example
Console(config)#interface ethernet 1/1
Console(config-if)#lldp basic-tlv system-capabilities
Console(config-if)#

lldp basic-tlv system-description
This command configures an LLDP-enabled port to advertise the system description.
Command Usage
The system name is taken from the sysName object in RFC 3418, which contains the system's administratively assigned name, and is in turn based on the hostname command.
Example
Console(config)#interface ethernet 1/1
Console(config-if)#lldp basic-tlv system-name
Console(config-if)#

lldp dot1-tlv proto-ident
This command configures an LLDP-enabled port to advertise the supported protocols. Use the no form to disable this feature.
Command Usage
This option advertises the port-based protocol VLANs configured on this interface (see "Configuring Protocol-based VLANs" on page 553).
Example
Console(config)#interface ethernet 1/1
Console(config-if)#lldp dot1-tlv proto-vid
Console(config-if)#

lldp dot1-tlv pvid
This command configures an LLDP-enabled port to advertise its default VLAN ID. Use the no form to disable this feature.
Command Usage
This option advertises the name of all VLANs to which this interface has been assigned. See "switchport allowed vlan" on page 531 and "protocol-vlan protocol-group (Configuring Interfaces)" on page 554.
Example
Console(config)#interface ethernet 1/1
Console(config-if)#lldp dot1-tlv vlan-name
Console(config-if)#

lldp dot3-tlv link-agg
This command configures an LLDP-enabled port to advertise link aggregation capabilities. Use the no form to disable this feature.
Command Usage
This option advertises MAC/PHY configuration/status which includes information about auto-negotiation support/capabilities, and operational Multistation Access Unit (MAU) type.
Example
Console(config)#interface ethernet 1/1
Console(config-if)#no lldp dot3-tlv mac-phy
Console(config-if)#

lldp dot3-tlv max-frame
This command configures an LLDP-enabled port to advertise its maximum frame size. Use the no form to disable this feature.
lldp med-location civic-addr
This command configures an LLDP-MED-enabled port to advertise its location identification details. Use the no form to restore the default settings.
Syntax
lldp med-location civic-addr [[country country-code] | [what device-type] | [ca-type ca-value]]
no lldp med-location civic-addr [[country] | [what] | [ca-type]]
country-code - The two-letter ISO 3166 country code in capital ASCII letters.
Table 143: LLDP MED Location CA Types (Continued)
CA Type  Description                                    CA Value Example
4        City division, borough, city district          West Irvine
5        Neighborhood, block                            Riverside
6        Group of streets below the neighborhood level  Exchange
18       Street suffix or type                          Avenue
19       House number                                   320
20       House number suffix                            A
21       Landmark or vanity address                     Tech Center
26       Unit (apartment, suite)                        Apt 519
27       Floor                                          5
28       Room                                           509B
Any number of CA type and value pairs can be
Default Setting
Disabled
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
◆ This option sends out SNMP trap notifications to designated target stations at the interval specified by the lldp notification-interval command. Trap notifications include information about state changes in the LLDP MIB (IEEE 802.1AB), the LLDP-MED MIB (ANSI/TIA 1057), or organization-specific LLDP-EXT-DOT1 and LLDP-EXT-DOT3 MIBs.
Example
Console(config)#interface ethernet 1/1
Console(config-if)#lldp med-tlv inventory
Console(config-if)#

lldp med-tlv location
This command configures an LLDP-MED-enabled port to advertise its location identification details. Use the no form to disable this feature.
Syntax
[no] lldp med-tlv location
Default Setting
Enabled
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
This option advertises location identification details.
Example
Console(config)#interface ethernet 1/1
Console(config-if)#lldp med-tlv med-cap
Console(config-if)#

lldp med-tlv network-policy
This command configures an LLDP-MED-enabled port to advertise its network policy configuration. Use the no form to disable this feature.
notifications include information about state changes in the LLDP MIB (IEEE 802.1AB), or organization-specific LLDP-EXT-DOT1 and LLDP-EXT-DOT3 MIBs.
◆ SNMP trap destinations are defined using the snmp-server host command.
◆ Information about additional changes in LLDP neighbors that occur between SNMP notifications is not transmitted. Only state changes that exist at the time of a trap notification are included in the transmission.
                                 proto-vlan proto-ident
 802.3 specific TLVs Advertised : mac-phy link-agg max-frame
 MED Notification Status        : Disabled
 MED Enabled TLVs Advertised    : med-cap network-policy location inventory
 MED Location Identification
  Location Data Format : Civic Address LCI
  Country Name         : DK
  What                 : 2 - DHCP Client
  CA Type 1            : 12
  CA Type 13           : 13
Console#

show lldp info local-device
This command shows LLDP global and interface-specific configuration settings for this device.
Console#show lldp info local-device detail ethernet 1/1
LLDP Local Port Information Detail
 Port             : Eth 1/1
 Port ID Type     : MAC Address
 Port ID          : 00-12-CF-DA-FC-E9
 Port Description : Ethernet Port on unit 1, port 1
 MED Capability   : LLDP-MED Capabilities
                    Network Policy
                    Location Identification
                    Inventory
Console#

show lldp info remote-device
This command shows LLDP global and interface-specific configuration settings for remote devices attached to an LLDP-enabled port.
 Enabled Capabilities : Bridge
 Management Address   : 192.168.0.
 Software Revision : 1.2.6.0
 Serial Number     : S123456
 Manufacture Name  : Prye
 Model Name        : VP101
 Asset ID          : 340937
Console#

show lldp info statistics
This command shows statistics based on traffic received through all attached LLDP-enabled interfaces.
Syntax
show lldp info statistics [detail interface]
detail - Shows configuration summary.
interface
ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number.
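The lldp basic-tlv commands in this chapter select which IEEE 802.1AB TLVs a port advertises, and everything they enable, the system name, the port description and the Management Address TLV in particular, is sent in cleartext to whatever is attached to that port. The following Python is an added example, not code from the Edgecore guide or from the switch, that encodes and decodes the basic TLV set so a captured LLDPDU can be checked for what a port is leaking. The TLV header layout (7-bit type, 9-bit length) and the Management Address TLV body follow 802.1AB. The LLDPDU bytes are constructed inline: the MAC address is the one from the sample output above, while the IPv4 address 192.0.2.10 and the system name are made up.

```python
"""Added example: encode and decode basic IEEE 802.1AB LLDP TLVs.
Not part of the Edgecore guide; the sample LLDPDU below is constructed."""
import struct
from typing import Dict, List, Tuple

TLV_NAMES = {0: "End of LLDPDU", 1: "Chassis ID", 2: "Port ID", 3: "Time To Live",
             4: "Port Description", 5: "System Name", 6: "System Description",
             7: "System Capabilities", 8: "Management Address"}
# IANA address family numbers carried in the Management Address TLV.
ADDR_FAMILY = {1: "IPv4", 2: "IPv6", 6: "802 MAC"}


def tlv(tlv_type: int, value: bytes) -> bytes:
    """Encode one TLV: 7-bit type and 9-bit length in a 16-bit header, then value."""
    if not 0 <= tlv_type < 128 or len(value) > 511:
        raise ValueError("TLV type or length out of range")
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def split_tlvs(pdu: bytes) -> List[Tuple[int, bytes]]:
    """Walk the LLDPDU, stop at End-of-LLDPDU, reject a TLV that overruns the PDU."""
    out, off = [], 0
    while off + 2 <= len(pdu):
        hdr, = struct.unpack_from("!H", pdu, off)
        t, length = hdr >> 9, hdr & 0x1FF
        off += 2
        if off + length > len(pdu):
            raise ValueError(f"TLV type {t} runs past end of PDU")
        out.append((t, pdu[off:off + length]))
        off += length
        if t == 0:
            break
    return out


def decode_mgmt_addr(v: bytes) -> Dict[str, object]:
    """Management Address body: addr-string-len, family, address, interface
    numbering subtype, 4-byte interface number, OID length, OID."""
    n = v[0]                              # counts the family byte plus the address
    family, addr = v[1], v[2:1 + n]
    if family == 1 and len(addr) == 4:
        text = ".".join(str(b) for b in addr)
    elif family == 2 and len(addr) == 16:
        text = ":".join(f"{addr[i]:02x}{addr[i + 1]:02x}" for i in range(0, 16, 2))
    else:
        text = addr.hex(":")
    if_subtype = v[1 + n]
    if_number, = struct.unpack_from("!I", v, 2 + n)
    return {"family": ADDR_FAMILY.get(family, family), "address": text,
            "if_subtype": if_subtype, "if_number": if_number}


def decode(pdu: bytes) -> Dict[str, object]:
    """Return the decoded basic TLVs keyed by their 802.1AB names."""
    fields: Dict[str, object] = {}
    for t, v in split_tlvs(pdu):
        name = TLV_NAMES.get(t, f"type {t}")
        if t in (1, 2):
            # Chassis ID subtype 4 and Port ID subtype 3 are MAC addresses.
            mac_subtype = 4 if t == 1 else 3
            ident = v[1:].hex(":") if v[0] == mac_subtype else v[1:].decode("ascii", "replace")
            fields[name] = (v[0], ident)
        elif t == 3:
            fields[name], = struct.unpack("!H", v)
        elif t in (4, 5, 6):
            fields[name] = v.decode("utf-8", "replace")
        elif t == 8:
            fields.setdefault(name, []).append(decode_mgmt_addr(v))
    return fields


def sample_pdu() -> bytes:
    """Constructed LLDPDU: MAC from the guide's sample output, IP and name made up."""
    mac = bytes.fromhex("0012cfdafce9")
    mgmt = (bytes([5, 1]) + bytes([192, 0, 2, 10])      # len 5 = family + IPv4
            + bytes([2]) + struct.pack("!I", 1)          # ifIndex numbering, ifIndex 1
            + bytes([0]))                                # no OID
    return (tlv(1, b"\x04" + mac) + tlv(2, b"\x03" + mac) + tlv(3, struct.pack("!H", 120))
            + tlv(5, b"switch-01") + tlv(8, mgmt) + tlv(0, b""))


if __name__ == "__main__":
    for k, val in decode(sample_pdu()).items():
        print(f"{k}: {val}")
```

Pointing decode at frames captured on a port that faces untrusted equipment shows exactly which management address and identity strings that port hands out; the corresponding no lldp basic-tlv commands above remove them.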
25 OAM Commands
The switch provides OAM (Operation, Administration, and Maintenance) remote management tools required to monitor and maintain the links to subscriber CPEs (Customer Premise Equipment). This section describes functions including enabling OAM for selected ports, loopback testing, and displaying device information.
Chapter 25 | OAM Commands

efm oam
This command enables OAM functions on the specified port. Use the no form to disable this function.
Syntax
[no] efm oam
Default Setting
Disabled
Command Mode
Interface Configuration
Command Usage
◆ If the remote device also supports OAM, both exchange Information OAMPDUs to establish an OAM link.
◆ Not all CPEs support OAM functions, and OAM is therefore disabled by default.
Command Usage
◆ Critical events are vendor-specific and may include various failures, such as abnormal voltage fluctuations, out-of-range temperature detected, fan failure, CRC error in flash memory, insufficient memory, or other hardware faults.
◆ Dying gasp events are caused by an unrecoverable failure, such as a power failure or device reset.
Note: When system power fails, the switch will always send a dying gasp trap message prior to power down.
efm oam link-monitor frame threshold
This command sets the threshold for errored frame link events. Use the no form to restore the default setting.
Syntax
efm oam link-monitor frame threshold count
no efm oam link-monitor frame threshold
count - The threshold for errored frame link events.
exceeded within the period specified by this command. The Errored Frame Event TLV includes the number of errored frames detected during the specified period.
Example
This example sets the window size to 5 seconds (50 units of 100 ms).
Console(config)#interface ethernet 1/1
Console(config-if)#efm oam link-monitor frame window 50
Console(config-if)#

efm oam mode
This command sets the OAM mode on the specified port. Use the no form to restore the default setting.
clear efm oam counters
This command clears statistical counters for various OAMPDU message types.
Syntax
clear efm oam counters [interface-list]
interface-list - unit/port
unit - Unit identifier. (Range: 1)
port - Port number or list of ports. To enter a list, separate nonconsecutive port identifiers with a comma and no spaces; use a hyphen to designate a range of ports.
efm oam remote-loopback
This command starts or stops OAM loopback test mode to the attached CPE.
Syntax
efm oam remote-loopback {start | stop} interface
start - Starts remote loopback test mode.
stop - Stops remote loopback test mode.
interface - unit/port
unit - Unit identifier. (Range: 1)
port - Port number. (Range: 1-18)
Default Setting
None
Command Mode
Privileged Exec
Command Usage
OAM remote loopback can be used for fault localization and link performance testing.
efm oam remote-loopback test
This command performs a remote loopback test, sending a specified number of packets.
Syntax
efm oam remote-loopback test interface [number-of-packets [packet-size]]
interface - unit/port
unit - Unit identifier. (Range: 1)
port - Port number. (Range: 1-18)
number-of-packets - Number of packets to send. (Range: 1-99999999)
packet-size - Size of packets to send.
show efm oam counters interface
This command displays counters for various OAM PDU message types.
Syntax
show efm oam counters interface [interface-list]
interface-list - unit/port
unit - Unit identifier. (Range: 1)
port - Port number or list of ports. To enter a list, separate nonconsecutive port identifiers with a comma and no spaces; use a hyphen to designate a range of ports.
Example
Console#show efm oam event-log interface 1/1
OAM event log of Eth 1/1:
00:24:07 2001/01/01 "Unit 1, Port 1: Dying Gasp at Remote"
Console#
This command can show OAM link status changes for the link partner as shown in this example.
show efm oam remote-loopback interface
This command displays the results of an OAM remote loopback test.
Syntax
show efm oam remote-loopback interface [interface-list]
interface-list - unit/port
unit - Unit identifier. (Range: 1)
port - Port number or list of ports. To enter a list, separate nonconsecutive port identifiers with a comma and no spaces; use a hyphen to designate a range of ports.
 Link Monitor (Errored Frame)       : Enabled
 Link Monitor:
  Errored Frame Window (100msec)    : 10
  Errored Frame Threshold           : 1
Console#show efm oam status interface 1/1 brief
$ = local OAM in loopback
* = remote OAM in loopback
Port Admin   Mode   Remote   Dying   Critical Errored
     State          Loopback Gasp    Event    Frame
---- ------- ------ -------- ------- -------- -------
1/1  Enabled Active Disabled Enabled Enabled  Enabled
Console#

show efm oam status
This command displays information about attached OAM-enabl
26 Domain Name Service Commands
These commands are used to configure Domain Name System (DNS) services. Entries can be manually configured in the DNS domain name to IP address mapping table, default domain names configured, or one or more name servers specified to use for domain name to address translation. Note that domain name services will not be enabled until at least one name server is specified with the ip name-server command and domain lookup is enabled with the ip domain-lookup command.
Chapter 26 | Domain Name Service Commands
DNS Commands

DNS Commands

ip domain-list
This command defines a list of domain names that can be appended to incomplete host names (i.e., host names passed from a client that are not formatted with dotted notation). Use the no form to remove a name from this list.
Syntax
[no] ip domain-list name
name - Domain name to append to incomplete host names. Do not include the initial dot that separates the host name from the domain name.
ip domain-lookup
This command enables DNS host name-to-address translation. Use the no form to disable DNS.
Syntax
[no] ip domain-lookup
Default Setting
Disabled
Command Mode
Global Configuration
Command Usage
At least one name server must be specified before DNS can be enabled.
ip domain-name
This command defines the default domain name appended to incomplete host names (i.e., host names passed from a client that are not formatted with dotted notation). Use the no form to remove the current domain name.
Syntax
ip domain-name name
no ip domain-name
name - Default domain name to append to incomplete host names. Do not include the initial dot that separates the host name from the domain name.
Command Usage
Use the no ip host command to clear static entries.
Example
This example maps an IPv4 address to a host name.
Console(config)#ip host rd5 192.168.1.55
Console(config)#end
Console#show hosts
No.  Flag Type    IP Address           TTL   Domain
---- ---- ------- -------------------- ----- ------------------------------
0    2    Address 192.168.1.
              192.168.1.55
              10.1.0.55
Console#
Related Commands
ip domain-name (768)
ip domain-lookup (767)

ipv6 host
This command creates a static entry in the DNS table that maps a host name to an IPv6 address. Use the no form to remove an entry.
Syntax
[no] ipv6 host name ipv6-address
name - Name of an IPv6 host. (Range: 1-127 characters)
ipv6-address - Corresponding IPv6 address.
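The ip domain-name, ip domain-list and ip host commands above define three inputs to name resolution: a default suffix, a list of further suffixes that apply only to names without a dot, and a static host table. The following Python is an added example, not code from the Edgecore guide or from the switch, of the lookup order a resolver built from those inputs would follow. The guide does not state the order, so the example assumes the static table is consulted first, then the default domain, then the domain-list entries in configured order, and that a name containing a dot is sent to the name server exactly as typed. Apart from the rd5 entry taken from the show hosts output, all names and addresses are constructed, and the dns dictionary stands in for the name servers configured with ip name-server.

```python
"""Added example: resolution order for a switch resolver configured with
ip host / ip domain-name / ip domain-list / ip domain-lookup.
Not part of the Edgecore guide; the order is an assumption, stated in the lead-in."""
from typing import Dict, List, Optional


class Resolver:
    def __init__(self, default_domain: Optional[str], domain_list: List[str],
                 hosts: Dict[str, List[str]], lookup_enabled: bool):
        self.default_domain = default_domain          # ip domain-name
        self.domain_list = domain_list                # ip domain-list, in configured order
        self.hosts = {k.lower(): v for k, v in hosts.items()}  # ip host / ipv6 host
        self.lookup_enabled = lookup_enabled          # ip domain-lookup

    def candidates(self, name: str) -> List[str]:
        """FQDNs to query, in order. A dotted name goes to DNS as typed; the
        suffixes apply only to names without a dot, as the guide states."""
        name = name.rstrip(".").lower()
        if "." in name:
            return [name]
        suffixes = ([self.default_domain] if self.default_domain else []) + self.domain_list
        seen, out = set(), []
        for suffix in suffixes:
            fqdn = f"{name}.{suffix.strip('.').lower()}"
            if fqdn not in seen:               # a suffix listed twice is tried once
                seen.add(fqdn)
                out.append(fqdn)
        return out or [name]

    def resolve(self, name: str, dns: Dict[str, List[str]]) -> List[str]:
        """Static table first; then, only if ip domain-lookup is enabled, the
        candidate FQDNs against the name server (here a dict)."""
        key = name.rstrip(".").lower()
        if key in self.hosts:
            return self.hosts[key]
        if not self.lookup_enabled:
            return []
        for fqdn in self.candidates(key):
            if fqdn in dns:
                return dns[fqdn]
        return []


if __name__ == "__main__":
    # Constructed configuration; rd5 is the static entry from the guide's example.
    r = Resolver("example.net", ["lab.example", "corp.example"],
                 {"rd5": ["192.168.1.55", "10.1.0.55"]}, lookup_enabled=True)
    print(r.candidates("www"))
    print(r.resolve("rd5", {}))
```

The suffix search is the part worth auditing: an unqualified name such as ntp or tftp is tried under every domain in the list, so a list entry for a domain you do not control lets that domain's operator answer for those names. Keep the list to your own zones, or use fully qualified names in the switch configuration.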
clear dns cache
This command clears all entries in the DNS cache.
Command Mode
Privileged Exec
Example
Console#clear dns cache
Console#show dns cache
No.     Flag    Type    IP Address      TTL     Host
------- ------- ------- --------------- ------- -------
Console#

show dns
This command displays the configuration of the DNS service.
Command Mode
Privileged Exec
Example
Console#show dns
Domain Lookup Status:
 DNS enabled
Default Domain Name:
 sample.
Table 146: show dns cache - display description
Field  Description
No.    The entry number for each resource record.
Flag   The flag is always "4" indicating a cache entry and therefore unreliable.
Type   This field includes "Host" which specifies the primary name for the owner, and "CNAME" which specifies multiple domain names (or aliases) which are mapped to the same IP address as an existing entry.
27 DHCP Commands
These commands are used to configure Dynamic Host Configuration Protocol (DHCP) client, relay, and server functions. Any VLAN interface can be configured to automatically obtain an IPv4 address through DHCP. This switch can also be configured to relay DHCP client configuration requests to a DHCP server on another network.
Chapter 27 | DHCP Commands
DHCP Client

DHCP for IPv4

ip dhcp dynamic-provision
This command enables dynamic provisioning via DHCP. Use the no form to disable this feature.
Syntax
[no] ip dhcp dynamic-provision
Default Setting
Disabled
Command Mode
Global Configuration
Command Usage
dhcpd (the ISC DHCP server daemon used on Linux) dynamically configures TCP/IP information for client systems. To support DHCP option 66/67, you have to add corresponding statements to the configuration file of dhcpd.
2. Define the conditions in the class section:
   class "OPT66_67" {                     # for option 66/67
     # option 60 (vendor-class-identifier)
     match if option vendor-class-identifier = "Edgecore";
     # option 55
     option dhcp-parameter-request-list 1,66,67;
     # option 66
     option tftp-server-name "192.168.1.1";
     # option 67
     option bootfile-name "dhcp_config.cfg";
   }
   shared-network Sample2 {
     subnet 192.168.1.0 netmask 255.255.255.0 {
     }
     pool {
       allow members of "OPT66_67";
       range 192.168.1.10 192.168.1.
◆ This command is used to identify the vendor class and configuration of the switch to the DHCP server, which then uses this information to decide on how to service the client or the type of information to return.
◆ The general framework for this DHCP option is set out in RFC 2132 (Option 60).
ip dhcp restart client
This command submits a DHCP client request.
Default Setting
None
Command Mode
Privileged Exec
Command Usage
◆ This command issues a DHCP client request for any IP interface that has been set to DHCP mode through the ip address command.
◆ DHCP requires the server to reassign the client's last address if available.
DHCP for IPv6

ipv6 dhcp client rapid-commit vlan
This command specifies the Rapid Commit option for DHCPv6 message exchange for all DHCPv6 client requests submitted from the specified interface. Use the no form to disable this option.
Syntax
[no] ipv6 dhcp client rapid-commit vlan vlan-list
vlan-list - VLAN ID, specified as a single number, a range of consecutive numbers separated by a hyphen, or multiple numbers separated by commas.
Default Setting
None
Command Mode
Privileged Exec
Command Usage
◆ This command starts the DHCPv6 client process if it is not yet running by submitting requests for configuration information through the specified interface(s). When DHCPv6 is restarted, the switch may attempt to acquire an IP address prefix through stateful address auto-configuration.
Example
The following command submits a client request on VLAN 1.
Console#ipv6 dhcp restart client vlan 1
Console#
Related Commands
ipv6 address autoconfig (817)

show ipv6 dhcp duid
This command shows the DHCP Unique Identifier for this switch.
Command Mode
Privileged Exec
Command Usage
DHCPv6 clients and servers are identified by a DHCP Unique Identifier (DUID) included in the client identifier and server identifier options.
List of known servers:
 Server address : FE80::250:FCFF:FEF9:A494
 DUID           : 0001-0001-48CFB0D5-F48F2A006801
 Server address : FE80::250:FCFF:FEF9:A405
 DUID           : 0001-0001-38CF5AB0-F48F2A003917
Console#
Related Commands
ipv6 address (815)

DHCP Relay
This section describes commands used to configure the switch to relay DHCP requests from local hosts to a remote DHCP server.
Usage Guidelines
◆ DHCP relay service applies to DHCP client requests received on the specified VLAN.
◆ This command is used to configure DHCP relay for host devices attached to the switch. If DHCP relay service is enabled, and this switch sees a DHCP client request, it inserts its own IP address into the request so that the DHCP server will know the subnet where the client is located. Then, the switch forwards the packet to a DHCP server on another network.
Chapter 27 | DHCP Commands DHCP Relay Command Usage This command is used to configure DHCP relay functions for host devices attached to the switch. If DHCP relay service is enabled, and this switch sees a DHCP request broadcast, it inserts its own IP address into the request so the DHCP server will know the subnet where the client is located. Then, the switch forwards the packet to the DHCP server on another network.
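The relay behaviour described above (the switch writes its own interface address into the request so the server can pick the right subnet) is the giaddr field of the BOOTP/DHCP header. The following is an added example, not the switch's firmware: it builds a constructed DHCPDISCOVER and applies the relay rules a defender expects (giaddr filled only when still zero, hops incremented, requests dropped once the hop limit is exceeded); the relay address 192.168.2.10 and the client MAC are constructed values.

```python
import ipaddress
import struct

BOOTREQUEST = 1
MAX_HOPS = 16  # relays discard requests whose hops field already exceeds this (RFC 1542)
MAGIC_COOKIE = b"\x63\x82\x53\x63"

# BOOTP fixed header (RFC 2131, 236 bytes): op, htype, hlen, hops, xid, secs, flags,
# ciaddr, yiaddr, siaddr, giaddr, chaddr, sname, file
_HDR = struct.Struct("!BBBBIHH4s4s4s4s16s64s128s")
GIADDR = 10  # index of giaddr in the unpacked tuple
HOPS = 3     # index of hops


def build_discover(client_mac, xid=0x3903F326):
    """Constructed DHCPDISCOVER as a client broadcasts it: giaddr and hops are zero."""
    chaddr = bytes.fromhex(client_mac.replace(":", "")).ljust(16, b"\x00")
    zero4 = b"\x00" * 4
    header = _HDR.pack(BOOTREQUEST, 1, 6, 0, xid, 0, 0x8000,  # flags: broadcast bit
                       zero4, zero4, zero4, zero4, chaddr, b"\x00" * 64, b"\x00" * 128)
    options = MAGIC_COOKIE + bytes([53, 1, 1, 255])  # option 53 = DHCPDISCOVER, then End
    return header + options


def parse_header(pkt):
    """Return the fields a relay or a log analyst cares about."""
    f = _HDR.unpack_from(pkt)
    return {
        "op": f[0],
        "hops": f[HOPS],
        "xid": f[4],
        "giaddr": str(ipaddress.IPv4Address(f[GIADDR])),
        "chaddr": f[11][: f[2]].hex(":"),
    }


def relay_request(pkt, relay_ip):
    """Packet as the switch would forward it to the server, or None if it must be dropped."""
    f = list(_HDR.unpack_from(pkt))
    if f[0] != BOOTREQUEST:
        return None  # only client-to-server messages travel toward the server
    if f[HOPS] >= MAX_HOPS:
        return None  # loop protection: too many relays have already handled this request
    f[HOPS] += 1
    if f[GIADDR] == b"\x00" * 4:
        # First relay on the path: record the interface the request arrived on.
        # A later relay must leave a non-zero giaddr alone, otherwise the server
        # would offer an address from the wrong subnet.
        f[GIADDR] = ipaddress.IPv4Address(relay_ip).packed
    return _HDR.pack(*f) + pkt[_HDR.size:]
```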
Chapter 27 | DHCP Commands DHCP Relay Command Mode Interface Configuration (VLAN) Usage Guidelines ◆ You must specify the IPv6 address for at least one DHCPv6 server or another relay agent, or the VLAN to which to multicast a relay message. Otherwise, the switch’s DHCPv6 relay agent will not forward client requests. This command enables DHCPv6 relay service for the VLAN from which the command is entered. ◆ Up to five destination addresses may be defined using consecutive commands.
Chapter 27 | DHCP Commands DHCP Server Example Console#show ipv6 dhcp relay destination interface vlan 1 DHCP relay destination : VLAN 1 : Unicast : 2001:DB8:3000:3000::42 Console# DHCP Server This section describes commands used to configure client address pools for the DHCP service.
Chapter 27 | DHCP Commands DHCP Server * These commands are used for manually binding an address to a client. ip dhcp excluded-address This command specifies IP addresses that the DHCP server should not assign to DHCP clients. Use the no form to remove the excluded IP addresses. Syntax [no] ip dhcp excluded-address low-address [high-address] low-address - An excluded IP address, or the first IP address in an excluded address range. high-address - The last IP address in an excluded address range.
Chapter 27 | DHCP Commands DHCP Server host address per pool). However, note that any address specified in a host command must fall within the range of a configured network address pool. Example Console(config)#ip dhcp pool R&D Console(config-dhcp)# Related Commands network (794) host (791) service dhcp This command enables the DHCP server on this switch. Use the no form to disable the DHCP server.
Chapter 27 | DHCP Commands DHCP Server Command Mode DHCP Pool Configuration Example Console(config-dhcp)#bootfile wme.bat Console(config-dhcp)# Related Commands next-server (795) client-identifier This command specifies the client identifier of a DHCP client. Use the no form to remove the client identifier. Syntax client-identifier {text text | hex hex} no client-identifier text - A text string. (Range: 1-32 characters) hex - The hexadecimal value.
Chapter 27 | DHCP Commands DHCP Server default-router This command specifies default routers for a DHCP pool. Use the no form to remove the default routers. Syntax default-router { address1 [address2] | bootfile filename} no default-router address1 - Specifies the IP address of the primary router. address2 - Specifies the IP address of an alternate router. bootfile filename - specifies the boot file name.
Chapter 27 | DHCP Commands DHCP Server Usage Guidelines ◆ If DNS IP servers are not configured for a DHCP client, the client cannot correlate host names to IP addresses. ◆ Servers are listed in order of preference (starting with address1 as the most preferred server). Example Console(config-dhcp)#dns-server 10.1.1.253 192.168.3.19 Console(config-dhcp)# domain-name This command specifies the domain name for a DHCP client. Use the no form to remove the domain name.
Chapter 27 | DHCP Commands DHCP Server • ethernet • ieee802 Default Setting If no type is specified, the default protocol is Ethernet. Command Mode DHCP Pool Configuration Command Usage This command identifies a DHCP or BOOTP client to bind to an address specified in the host command. BOOTP clients cannot transmit a client identifier. To bind an address to a BOOTP client, you must associate a hardware address with the host entry.
Chapter 27 | DHCP Commands DHCP Server network pool matching the interface through which the client request was received. It then searches for a manually configured host address that falls within the matching network pool. ◆ When searching for a manual binding, the switch compares the client identifier for DHCP clients, and then compares the hardware address for DHCP or BOOTP clients.
Chapter 27 | DHCP Commands DHCP Server Command Modes DHCP Pool Configuration Example The following example leases an address to clients using this pool for 7 days. Console(config-dhcp)#lease 7 Console(config-dhcp)# netbios-name-server This command configures NetBIOS Windows Internet Naming Service (WINS) name servers that are available to Microsoft DHCP clients. Use the no form to remove the NetBIOS name server list.
Chapter 27 | DHCP Commands DHCP Server netbios-node-type This command configures the NetBIOS node type for Microsoft DHCP clients. Use the no form to remove the NetBIOS node type.
Chapter 27 | DHCP Commands DHCP Server the request was not forwarded by a relay server), the switch searches for a network pool matching the interface through which the client request was received. It then searches for a manually configured host address that falls within the matching network pool. If no manually configured host address is found, it assigns an address from the matching network address pool. However, if no matching address pool is found the request is ignored.
Chapter 27 | DHCP Commands DHCP Server option Use this command to enable DHCP options. Use the no form of the command to disable DHCP options. Syntax option code {ascii word | hex hex-value | ip-address address1[address2 [address3[ address 4]]]} code - A DHCP option code (Range: 0-254). ascii word - ASCII character string representing a network device (Range: 148 ASCII characters). hex hex-value - A concatenated hex number string of up to 4 IPv4 addresses in hex format each representing a network device.
Chapter 27 | DHCP Commands DHCP Server Command Mode Privileged Exec Usage Guidelines ◆ An address specifies the client’s IP address. If no ip address is specified, the DHCP server clears all automatic bindings. ◆ Use the no host command to delete a manual binding. ◆ This command is normally used after modifying the address pool, or after moving DHCP service to another device. Example.
Chapter 27 | DHCP Commands DHCP Server show ip dhcp This command displays DHCP address pools configured on the switch. Command Mode Privileged Exec Example
Console#show ip dhcp
Name     Type IP Address      Mask            Active Pool
-------- ---- --------------- --------------- ------------------------------
tps      Net  192.168.1.0     255.255.255.0   192.168.1.1 - 192.168.1.254
Total entry : 1
Console#
show ip dhcp pool This command displays the detailed configuration information of DHCP address pools on the switch.
28 IP Interface Commands An IP Version 4 and Version 6 address may be used for management access to the switch over the network. Both IPv4 and IPv6 addresses can be used simultaneously to access the switch. You can manually configure a specific IPv4 or IPv6 address or direct the switch to obtain an IPv4 address from a BOOTP or DHCP server when it is powered on. An IPv6 address can either be manually configured or dynamically generated. The IPv4 address for VLAN 1 on this switch is set to 192.168.2.
Chapter 28 | IP Interface Commands IPv4 Interface Basic IPv4 Configuration This section describes commands used to configure IP addresses for VLAN interfaces on the switch.
Chapter 28 | IP Interface Commands IPv4 Interface Command Usage ◆ Before any network interfaces are configured on the router, first create a VLAN for each unique user group, or for each network application and its associated users. Then assign the ports associated with each of these VLANs. ◆ An IP address must be assigned to this device to gain management access over the network or to connect the router to existing IP subnets.
Chapter 28 | IP Interface Commands IPv4 Interface Related Commands ip dhcp restart client (777) ip default-gateway (804) ipv6 address (815) ip default-gateway This command specifies the default gateway for destinations not found in local routing tables. Use the no form to remove a default gateway. Syntax ip default-gateway gateway no ip default-gateway gateway - IP address of the default gateway Default Setting No default gateway is established.
Chapter 28 | IP Interface Commands IPv4 Interface C 192.168.2.0/24 is directly connected, VLAN1 Console(config)# Related Commands ip address (802) ip route (858) ipv6 default-gateway (814) show ip interface This command displays the settings of an IPv4 interface.
Chapter 28 | IP Interface Commands IPv4 Interface show ip traffic This command displays statistics for IP, ICMP, UDP, TCP and ARP protocols.
Chapter 28 | IP Interface Commands IPv4 Interface input errors 9897 output Console# traceroute This command shows the route packets take to the specified destination. Syntax traceroute host host - IP address or alias of the host. Default Setting None Command Mode Privileged Exec Command Usage ◆ Use the traceroute command to determine the path taken to reach a specified destination.
Chapter 28 | IP Interface Commands IPv4 Interface Example
Console#traceroute 192.168.0.99
Press "ESC" to abort.
Traceroute to 192.168.0.99, 30 hops max, timeout is 3 seconds
Hop Packet 1 Packet 2 Packet 3 IP Address
--- -------- -------- -------- ---------------
1   20 ms    <10 ms   <10 ms   192.168.0.99
Trace completed.
Console#
ping This command sends (IPv4) ICMP echo request packets to another node on the network. Syntax ping host [count count] [size size] host - IP address or alias of the host.
Chapter 28 | IP Interface Commands IPv4 Interface ◆ When pinging a host name, be sure the DNS server has been defined (page 769) and host name-to-address translation enabled (page 767). If necessary, local devices can also be specified in the DNS static host table (page 768). Example Console#ping 10.1.0.9 Press ESC to abort. PING to 10.1.0.
Chapter 28 | IP Interface Commands IPv4 Interface Default Setting No default entries Command Mode Global Configuration Command Usage ◆ The ARP cache is used to map 32-bit IP addresses into 48-bit hardware (i.e., Media Access Control) addresses. This cache includes entries for hosts and other routers on local network interfaces defined on this router. ◆ The maximum number of static entries allowed in the ARP cache is 128.
Chapter 28 | IP Interface Commands IPv4 Interface Command Usage ◆ When an ARP entry expires, it is deleted from the cache and an ARP request packet is sent to re-establish the MAC address. ◆ The aging time determines how long dynamic entries remain in the cache. If the timeout is too short, the router may tie up resources by repeating ARP requests for addresses recently flushed from the table. Example This example sets the ARP cache timeout to 15 minutes (i.e., 900 seconds).
Chapter 28 | IP Interface Commands IPv4 Interface clear arp-cache This command deletes all dynamic entries from the Address Resolution Protocol (ARP) cache. Command Mode Privileged Exec Example This example clears all dynamic entries in the ARP cache. Console#clear arp-cache This operation will delete all the dynamic entries in ARP Cache. Do you want to continue this operation (y/n)? Console# show arp This command displays entries in the Address Resolution Protocol (ARP) cache.
Chapter 28 | IP Interface Commands IPv6 Interface IPv6 Interface This switch supports the following IPv6 interface commands.
Chapter 28 | IP Interface Commands IPv6 Interface Table 158: IPv6 Configuration Commands (Continued)
Command | Function | Mode
ipv6 nd raguard | Blocks incoming Router Advertisement and Router Redirect packets | IC
ipv6 nd reachable-time | Configures the amount of time that a remote IPv6 node is considered reachable after some reachability confirmation event has occurred | IC
ipv6 nd prefix | Configures the IPv6 prefixes to include in router advertisements |
ipv6 nd ra interval minimum-interval [maximum-interval
Chapter 28 | IP Interface Commands IPv6 Interface ◆ The same link-local address may be used by different interfaces/nodes in different zones (RFC 4007). Therefore, when specifying a link-local address, include zone-id information indicating the VLAN identifier after the % delimiter. For example, FE80::7272%1 identifies VLAN 1 as the interface from which the ping is sent.
Chapter 28 | IP Interface Commands IPv6 Interface ◆ To connect to a larger network with multiple subnets, you must configure a global unicast address. This address can be manually configured with this command, or it can be automatically configured using the ipv6 address autoconfig command. ◆ If a link-local address has not yet been assigned to this interface, this command will assign the specified static global unicast address and also dynamically generate a link-local unicast address for the interface.
Chapter 28 | IP Interface Commands IPv6 Interface ipv6 address autoconfig This command enables stateless autoconfiguration of IPv6 addresses on an interface and enables IPv6 on the interface. The network portion of the address is based on prefixes received in IPv6 router advertisement messages; the host portion is based on the modified EUI-64 form of the interface identifier (i.e., the switch’s MAC address). Use the no form to remove the address generated by this command.
Chapter 28 | IP Interface Commands IPv6 Interface Console# Related Commands ipv6 address (815) show ipv6 interface (823) ipv6 address eui-64 This command configures an IPv6 address for an interface using an EUI-64 interface ID in the low order 64 bits and enables IPv6 on the interface. Use the no form without any arguments to remove all manually configured IPv6 addresses from the interface. Use the no form with a specific address to remove it from the interface.
Chapter 28 | IP Interface Commands IPv6 Interface ◆ IPv6 addresses are 16 bytes long, of which the bottom 8 bytes typically form a unique host identifier based on the device’s MAC address. The EUI-64 specification is designed for devices that use an extended 8-byte MAC address.
Chapter 28 | IP Interface Commands IPv6 Interface ipv6 address link-local This command configures an IPv6 link-local address for an interface and enables IPv6 on the interface. Use the no form without any arguments to remove all manually configured IPv6 addresses from the interface. Use the no form with a specific address to remove it from the interface. Syntax ipv6 address ipv6-address link-local no ipv6 address [ipv6-address link-local] ipv6-address - The IPv6 address assigned to the interface.
Chapter 28 | IP Interface Commands IPv6 Interface ff02::1 IPv6 link MTU is 1500 bytes ND DAD is enabled, number of DAD attempts: 3.
Chapter 28 | IP Interface Commands IPv6 Interface IPv6 is enabled Link-local address: fe80::269:3ef9:fe19:6779%1/64 Global unicast address(es): 2001:db8:0:1:7272:cfff:fe83:3466/64, subnet is 2001:db8:0:1::/64[EUI] 2001:db8:2222:7272::72/96, subnet is 2001:db8:2222:7272::/96 Joined group address(es): ff02::1:ff19:6779 ff02::1:ff00:72 ff02::1:ff83:3466 ff02::1 IPv6 link MTU is 1500 bytes ND DAD is enabled, number of DAD attempts: 3.
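The modified EUI-64 derivation used by ipv6 address autoconfig and ipv6 address eui-64, worked through in code as an added example (not vendor code). The global address and the ff02::1:ff83:3466 solicited-node group in the show ipv6 interface output above correspond to the MAC 70-72-CF-83-34-66, which is the value the example checks against; the reverse function shows why an EUI-64 address reveals the interface's MAC (and vendor OUI) to anyone who sees the address.

```python
import ipaddress


def modified_eui64(mac):
    """Return the 8-byte modified EUI-64 interface identifier for a 48-bit MAC."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", "").replace(".", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    # Split the MAC in the middle, insert ff:fe, then flip the universal/local bit
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02
    return bytes(iid)


def eui64_address(prefix, mac):
    """Combine a /64 prefix with the modified EUI-64 identifier of `mac`."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 interface identifiers need a /64 prefix")
    iid = int.from_bytes(modified_eui64(mac), "big")
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def link_local_address(mac):
    """The fe80::/64 address the interface derives from its MAC."""
    return eui64_address("fe80::/64", mac)


def solicited_node_multicast(addr):
    """ff02::1:ffXX:XXXX, built from the low 24 bits of `addr` (RFC 4291)."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    return ipaddress.IPv6Address(int(ipaddress.IPv6Address("ff02::1:ff00:0")) | low24)


def mac_from_eui64_address(addr):
    """Recover the MAC embedded in an EUI-64 address, or None if the ff:fe marker is absent.

    This is the privacy cost of EUI-64: the same 64-bit suffix follows the
    device across every prefix it is attached to.
    """
    iid = int(ipaddress.IPv6Address(addr)).to_bytes(16, "big")[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    first = iid[0] ^ 0x02  # undo the universal/local bit flip
    return (bytes([first]) + iid[1:3] + iid[5:]).hex(":")
```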
Chapter 28 | IP Interface Commands IPv6 Interface ◆ All devices on the same physical medium must use the same MTU in order to operate correctly. ◆ IPv6 must be enabled on an interface before the MTU can be set.
Chapter 28 | IP Interface Commands IPv6 Interface FF01::1/16 FF02::1/16 FF02::1:FF00:1/104 FF02::1:FF11:6770/104 FF02::1:FF32:2120/104 IPv6 link MTU is 1500 bytes ND DAD is enabled, number of DAD attempts: 1.
Chapter 28 | IP Interface Commands IPv6 Interface Table 159: show ipv6 interface - display description (Continued) Field Description ND advertised reachable time The reachable time is included in all router advertisements sent out of an interface so that nodes on the same link use the same time value. ND advertised router lifetime The length of time during which the prefix is valid for on-link determination.
Chapter 28 | IP Interface Commands IPv6 Interface Table 160: show ipv6 mtu - display description* Field Description MTU Adjusted MTU contained in the ICMP packet-too-big message returned from this destination, and now used for all traffic sent along this path. Since Time since an ICMP packet-too-big message was received from this destination. Destination Address Address which sent an ICMP packet-too-big message. * No information is displayed if an IPv6 address has not been assigned to the switch.
Chapter 28 | IP Interface Commands IPv6 Interface neighbor advertisement messages redirect messages group membership query messages group membership response messages group membership reduction messages ICMPv6 sent 6 output destination unreachable messages packet too big messages time exceeded messages parameter problem message echo request messages echo reply messages 3 router solicit messages router advertisement messages 3 neighbor solicit messages neighbor advertisement messages redirect messages group
Chapter 28 | IP Interface Commands IPv6 Interface Table 161: show ipv6 traffic - display description (Continued) Field Description discards The number of input IPv6 datagrams for which no problems were encountered to prevent their continued processing, but which were discarded (e.g., for lack of buffer space). Note that this counter does not include any datagrams discarded while awaiting re-assembly. delivers The total number of datagrams successfully delivered to IPv6 user protocols (including ICMP).
Chapter 28 | IP Interface Commands IPv6 Interface Table 161: show ipv6 traffic - display description (Continued) Field Description ICMPv6 Statistics ICMPv6 received input The total number of ICMP messages received by the interface which includes all those counted by ipv6IfIcmpInErrors. Note that this interface is the interface to which the ICMP messages were addressed which may not be necessarily the input interface for the messages.
Chapter 28 | IP Interface Commands IPv6 Interface Table 161: show ipv6 traffic - display description (Continued) Field Description echo reply messages The number of ICMP Echo Reply messages sent by the interface. router solicit messages The number of ICMP Router Solicitation messages sent by the interface. router advertisement messages The number of ICMP Router Advertisement messages sent by the interface.
Chapter 28 | IP Interface Commands IPv6 Interface ping6 This command sends (IPv6) ICMP echo request packets to another node on the network. Syntax ping6 {ipv6-address | host-name} [count count] [size size] ipv6-address - The IPv6 address of a neighbor device. You can specify either a link-local or global unicast address formatted according to RFC 2373 “IPv6 Addressing Architecture,” using 8 colon-separated 16-bit hexadecimal values.
Chapter 28 | IP Interface Commands IPv6 Interface response time: 0 ms [FE80::2E0:CFF:FE00:FC] seq_no: 3 response time: 0 ms [FE80::2E0:CFF:FE00:FC] seq_no: 4 response time: 0 ms [FE80::2E0:CFF:FE00:FC] seq_no: 5 Ping statistics for FE80::2E0:CFF:FE00:FC%1/64: 5 packets transmitted, 5 packets received (100%), 0 packets lost (0%) Approximate round trip times: Minimum = 0 ms, Maximum = 20 ms, Average = 4 ms Console# traceroute6 This command shows the route packets take to the specified destination.
Chapter 28 | IP Interface Commands IPv6 Interface prints a series of asterisks and the “Request Timed Out” message. A long sequence of these messages, terminating only when the maximum timeout has been reached, may indicate this problem with the target device. Example Console#traceroute6 FE80::2E0:CFF:FE9C:CA10%1 Press "ESC" to abort. Traceroute to FE80::2E0:CFF:FE9C:CA10%1/64, 30 hops max, timeout is 3 seconds, 5 max failure(s) before termination.
Chapter 28 | IP Interface Commands IPv6 Interface ipv6 neighbor This command configures a static entry in the IPv6 neighbor discovery cache. Use the no form to remove a static entry from the cache. Syntax ipv6 neighbor ipv6-address vlan vlan-id hardware-address no ipv6 neighbor ipv6-address vlan vlan-id ipv6-address - The IPv6 address of a neighbor device that can be reached through one of the network interfaces configured on this switch.
Chapter 28 | IP Interface Commands IPv6 Interface Example The following maps a static entry for a global unicast address to a MAC address:
Console(config)#ipv6 neighbor 2009:DB9:2229::81 vlan 1 30-65-14-01-11-86
Console(config)#end
Console#show ipv6 neighbors
State: I1 - Incomplete, I2 - Invalid, R - Reachable, S - Stale, D - Delay, P1 - Probe, P2 - Permanent, U - Unknown
IPv6 Address       Age       Link-layer Addr   State VLAN
2009:DB9:2229::80  956       12-34-11-11-43-21 R     1
2009:DB9:2229::81  Permanent 30-65-14-01-11-86 R     1
Chapter 28 | IP Interface Commands IPv6 Interface in a “tentative” state. If no duplicate link-local address is found, duplicate address detection is started for the remaining IPv6 addresses. ◆ If a duplicate address is detected, it is set to “duplicate” state, and a warning message is sent to the console. If a duplicate link-local address is detected, IPv6 processes are disabled on the interface. If a duplicate global unicast address is detected, it is not used.
Chapter 28 | IP Interface Commands IPv6 Interface ipv6 nd managed-config-flag This command configures IPv6 router advertisements to indicate to attached hosts that they can use stateful autoconfiguration to obtain addresses. Use the no form to clear this flag from router advertisements.
Chapter 28 | IP Interface Commands IPv6 Interface Default Setting Disabled Command Mode Interface Configuration (VLAN) Command Usage ◆ The “other-stateful-configuration” flag tells hosts that they should use stateful autoconfiguration to obtain information other than addresses from a DHCPv6 server.
Chapter 28 | IP Interface Commands IPv6 Interface ◆ This command specifies the interval between transmitting neighbor solicitation messages when resolving an address, or when probing the reachability of a neighbor. Therefore, avoid using very short intervals for normal IPv6 operations. ◆ Setting the neighbor solicitation interval to 0 means that the configured time is unspecified by this router.
Chapter 28 | IP Interface Commands IPv6 Interface Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage ◆ IPv6 Router Advertisements (RA) convey information that enables nodes to auto-configure on the network. This information may include the default router address taken from the observed source address of the RA message, as well as on-link prefix information.
Chapter 28 | IP Interface Commands IPv6 Interface ipv6 nd reachable-time This command configures the amount of time that a remote IPv6 node is considered reachable after some reachability confirmation event has occurred. Use the no form to restore the default setting. Syntax ipv6 nd reachable-time milliseconds no ipv6 nd reachable-time milliseconds - The time that a node can be considered reachable after receiving confirmation of reachability.
Chapter 28 | IP Interface Commands IPv6 Interface no ipv6 nd prefix ipv6-address/prefix-length ipv6-address - An IPv6 address including the network prefix and host address bits. prefix-length - A decimal value indicating how many contiguous bits (from the left) of the address comprise the prefix (i.e., the network portion of the address). default - Uses default values for remaining parameters. valid-lifetime - The amount of time that the specified IPv6 prefix is advertised as being valid.
Chapter 28 | IP Interface Commands IPv6 Interface Example The following configures a network prefix with a valid lifetime of 1000 seconds, and a preferred lifetime of 900 seconds:
Console(config)#interface vlan 1
Console(config-if)#ipv6 nd prefix 2011:0DBF::/35 1000 900
Console(config-if)#
ipv6 nd ra interval This command configures the interval between the transmission of IPv6 router advertisements on an interface. Use the no form to restore the default interval.
Chapter 28 | IP Interface Commands IPv6 Interface ipv6 nd ra lifetime This command configures the router lifetime value used in IPv6 router advertisements sent from an interface. Use the no form to restore the default setting. Syntax ipv6 nd ra lifetime lifetime no ipv6 nd ra lifetime lifetime - Router lifetime.
Chapter 28 | IP Interface Commands IPv6 Interface Default Setting medium Command Usage Default router preference may be used to prioritize routers which provide equivalent, but not equal-cost, routing, and policy dictates that hosts should prefer one of the routers.
Chapter 28 | IP Interface Commands IPv6 Interface clear ipv6 neighbors This command deletes all dynamic entries in the IPv6 neighbor discovery cache. Command Mode Privileged Exec Example The following deletes all dynamic entries in the IPv6 neighbor cache: Console#clear ipv6 neighbors Console# show ipv6 neighbors This command displays information in the IPv6 neighbor discovery cache.
Chapter 28 | IP Interface Commands IPv6 Interface Table 162: show ipv6 neighbors - display description (Continued) Field Description Link-layer Addr Physical layer MAC address. State The following states are used for dynamic entries: I1 (Incomplete) - Address resolution is being carried out on the entry. A neighbor solicitation message has been sent to the multicast address of the target, but it has not yet returned a neighbor advertisement message. I2 (Invalid) - An invalidated mapping.
Chapter 28 | IP Interface Commands ND Snooping Example The following shows all neighbor discovery IPv6 prefixes for VLAN 1:
Console#show ipv6 nd prefix vlan 1
Ipv6 Neighbor Discovery Prefix Information.
VLAN Name          : DefaultVlan
IPv6 Prefix        : 2011:dbf::/35
Valid Lifetime     : 2592000
Preferred Lifetime : 604800
On-link Flag       : On
Autonomous Flag    : On
Console#
ND Snooping Neighbor Discovery (ND) Snooping maintains an IPv6 prefix table and user address binding table.
Chapter 28 | IP Interface Commands ND Snooping Table 163: ND Snooping Commands (Continued)
Command | Function | Mode
ipv6 nd snooping auto-detect retransmit interval | Sets the interval between sending NS messages to determine if a binding is still valid | GC
ipv6 nd snooping prefix timeout | Sets the time to wait for an RA message before deleting an entry in the prefix table | GC
ipv6 nd snooping max-binding | Sets the maximum number of address entries which can be bound to a port | IC
ipv6 nd snooping trust | C
Chapter 28 | IP Interface Commands ND Snooping according to the Prefix Information option in the RA message. The prefix table records prefix, prefix length, valid lifetime, as well as the VLAN and port interface which received the message. ◆ If an RA message is not received updating a table entry with the same prefix for a specified timeout period, the entry is deleted.
Chapter 28 | IP Interface Commands ND Snooping Command Mode Global Configuration Command Usage If auto-detection is enabled, the switch periodically sends an NS message to determine if a client listed in the dynamic binding table still exists. If it does not receive an RA message in response after the configured timeout, the entry is dropped. If the switch receives an RA message before the timeout expires, it resets the lifetime for the dynamic binding, and the auto-detection process resumes.
Chapter 28 | IP Interface Commands ND Snooping Syntax ipv6 nd snooping auto-detect retransmit interval retransmit-interval no ipv6 nd snooping auto-detect retransmit interval retransmit-interval – The interval between which the switch sends an NS message to determine if a client still exists.
Chapter 28 | IP Interface Commands ND Snooping Example Console(config)#ipv6 nd snooping prefix timeout 200 Console(config)# ipv6 nd snooping max-binding This command sets the maximum number of address entries in the dynamic user binding table which can be bound to a port. Use the no form to restore the default setting.
Chapter 28 | IP Interface Commands ND Snooping ◆ RA messages received from a trusted interface are added to the prefix table and forwarded toward their destination. ◆ NS messages received from a trusted interface are forwarded toward their destination. Nothing is added to the dynamic user binding table. Example Console(config)#interface ethernet 1/1 Console(config-if)#ipv6 nd snooping trust Console(config-if)# clear ipv6 nd This command clears all entries in the dynamic user address binding table.
Chapter 28 | IP Interface Commands ND Snooping show ipv6 nd This command shows the configuration settings for ND snooping.
Chapter 28 | IP Interface Commands ND Snooping Command Mode Privileged Exec Example
Console#show ipv6 nd snooping prefix
Prefix entry timeout: 100 (second)
Prefix                                 Len Valid-Time Expire     VLAN Interface
-------------------------------------- --- ---------- ---------- ---- ---------
2001:b000::                            64  2592000    100        1    Eth 1/1
2001::                                 64  600        34         2    Eth 1/2
Console#
28 IP Routing Commands After network interfaces are configured for the switch, the paths used to send traffic between different interfaces must be set. To forward traffic to devices on other subnetworks, configure fixed paths with static routing commands. This section includes commands for static routing. These commands are used to connect between different local subnetworks or to connect the router to the enterprise network.
Chapter 28 | IP Routing Commands Global Routing Configuration IPv4 Commands ip route This command configures static routes. Use the no form to remove static routes. Syntax ip route destination-ip netmask next-hop [distance] no ip route {destination-ip netmask next-hop | *} destination-ip – IP address of the destination network, subnetwork, or host. netmask - Network mask for the associated IP subnet. This mask identifies the host address bits used for routing to specific subnets.
Chapter 28 | IP Routing Commands Global Routing Configuration show ip route This command displays information in the Forwarding Information Base (FIB). Syntax show ip route [connected | database | static | summary] connected – Displays all currently connected entries. database – All known routes, including inactive routes. See show ip route database. static – Displays all static entries.
Chapter 28 | IP Routing Commands Global Routing Configuration C 192.168.2.0/24 is directly connected, VLAN1 Console# The RIB contains all available routes learned through directly attached networks, and any additionally configured routes such as static routes. The RIB contains the set of all available routes from which optimal entries are selected for use by the Forwarding Information Base (see Command Usage under the show ip route command).
Chapter 28 | IP Routing Commands Global Routing Configuration Console# Table 190: show ip host-route - display description Field Description IP Address IP address of the destination network, subnetwork, or host. MAC Address The physical layer address associated with the IP address. VLAN The VLAN that connects to this IP address. Port The port that connects to this IP address. show ip route This command displays entries in the Routing Information Base (RIB).
Chapter 28 | IP Routing Commands Global Routing Configuration Console#show ip route summary IP routing table name is Default-IP-Routing-Table(0) IP routing table maximum-paths is 8 Connected 2 Total 2 Console# show ip traffic This command displays statistics for IP, ICMP, UDP, TCP and ARP protocols.
Chapter 28 | IP Routing Commands Global Routing Configuration source quench messages address mask request messages address mask reply messages UDP Statistics: 2 input no port errors other errors output TCP Statistics: 4698 input input errors 5867 output Console# IPv6 Commands ipv6 route This command configures static IPv6 routes. Use the no form to remove static routes.
Chapter 28 | IP Routing Commands Global Routing Configuration ◆ If an administrative distance is defined for a static route, and the same destination can be reached through a dynamic route at a lower administrative distance, then the dynamic route will be used. ◆ The default distance of 1 will take precedence over any other type of route, except for local routes.
changes occur in the network, the routing table is updated, and those changes are immediately reflected in the FIB. The FIB is distinct from the routing table (or Routing Information Base), which holds all routing information received from routing peers. The forwarding information base contains unique paths only. It does not contain any secondary paths.
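As an added illustration (not code from the guide or the switch firmware), here is a small Python model of the RIB-to-FIB selection described above: every candidate route is kept in the RIB, the FIB holds one path per prefix, and the route with the lowest administrative distance wins, with local routes ahead of the default static distance of 1. The distances 200 and 110 used for the constructed static and dynamic routes are assumptions for the demo, not defaults taken from the guide.

```python
from ipaddress import ip_address, ip_network

# Constructed model, not the switch's own code: the RIB keeps every candidate
# route, the FIB keeps exactly one path per prefix. Connected routes get
# distance 0 so they always win; a static route defaults to distance 1.
CONNECTED_DISTANCE = 0
STATIC_DEFAULT_DISTANCE = 1


def add_route(rib, prefix, next_hop, source, distance=None):
    """Append one candidate route to the RIB (a plain list of dicts)."""
    if distance is None:
        distance = CONNECTED_DISTANCE if source == "connected" else STATIC_DEFAULT_DISTANCE
    rib.append({"prefix": ip_network(prefix), "next_hop": next_hop,
                "source": source, "distance": distance})


def build_fib(rib):
    """Pick the active route per prefix: lowest administrative distance wins.
    On an equal distance the first route seen is kept; equal-cost load
    sharing (maximum-paths) is out of scope for this model."""
    fib = {}
    for route in rib:
        best = fib.get(route["prefix"])
        if best is None or route["distance"] < best["distance"]:
            fib[route["prefix"]] = route
    return fib


def lookup(fib, destination):
    """Longest-prefix match of a destination against the FIB; None if no route."""
    dst = ip_address(destination)
    matches = [r for prefix, r in fib.items() if dst in prefix]
    return max(matches, key=lambda r: r["prefix"].prefixlen, default=None)


def demo():
    """Constructed RIB showing the rules above; returns {prefix: (source, next hop)}."""
    rib = []
    add_route(rib, "192.168.2.0/24", "VLAN1", "connected")
    # Static route given a deliberately high distance of 200 (assumed value) ...
    add_route(rib, "10.0.0.0/8", "192.168.2.1", "static", distance=200)
    # ... loses to a dynamic route to the same destination at distance 110 (assumed value).
    add_route(rib, "10.0.0.0/8", "192.168.2.2", "dynamic", distance=110)
    # A default-distance static route (1) is not displaced by a dynamic route at 110.
    add_route(rib, "172.16.0.0/12", "192.168.2.3", "static")
    add_route(rib, "172.16.0.0/12", "192.168.2.4", "dynamic", distance=110)
    # A static route for a locally connected prefix still loses to the local route.
    add_route(rib, "192.168.2.0/24", "192.168.2.9", "static")
    return {str(p): (r["source"], r["next_hop"]) for p, r in build_fib(rib).items()}
```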
Example
Console(config)#maximum-paths 8
Console(config)#
Section III
Appendices
This section provides additional information and includes these items:
◆ “Troubleshooting” on page 869
◆ “License Information” on page 871
A Troubleshooting
Problems Accessing the Management Interface
Table 191: Troubleshooting Chart
Symptom: Cannot connect using Telnet, or SNMP software
Action:
◆ Be sure the switch is powered up.
◆ Check network cabling between the management station and the switch. Make sure the ends are properly connected and there is no damage to the cable. Test the cable if necessary.
Symptom: Cannot connect using Secure Shell
Appendix A | Troubleshooting
Using System Logs
If a fault does occur, refer to the Installation Guide to ensure that the problem you encountered is actually caused by the switch. If the problem appears to be caused by the switch, follow these steps:
1. Enable logging.
2. Set the error messages reported to include all categories.
3. Enable SNMP.
4. Enable SNMP traps.
5. Designate the SNMP host that is to receive the error messages.
6.
B License Information
This product includes copyrighted third-party software subject to the terms of the GNU General Public License (GPL), GNU Lesser General Public License (LGPL), or other related free software licenses. The GPL code used in this product is distributed WITHOUT ANY WARRANTY and is subject to the copyrights of one or more authors. For details, refer to the section "The GNU General Public License" below, or refer to the applicable license as included in the source-code archive.
Appendix B | License Information
The GNU General Public License
GNU GENERAL PUBLIC LICENSE
TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
1. This License applies to any program or other work which contains a notice placed by the copyright holder saying it may be distributed under the terms of this General Public License.
b) Accompany it with a written offer, valid for at least three years, to give any third party, for a charge no more than your cost of physically performing source distribution, a complete machine-readable copy of the corresponding source code, to be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or,
c) Accompany it with the information you received as to the offer to distribute c
9. If the distribution and/or use of the Program is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the Program under this License may add an explicit geographical distribution limitation excluding those countries, so that distribution is permitted only in or among countries not thus excluded.
List of Commands aaa accounting commands 228 aaa accounting dot1x 229 aaa accounting exec 230 aaa accounting update 231 aaa authorization commands 231 aaa authorization exec 232 aaa group server 233 absolute 168 access-list arp 386 access-list ip 368 access-list ipv6 374 access-list mac 380 accounting commands 234 accounting dot1x 234 accounting exec 235 alias 397 arp 809 arp timeout 810 authentication enable 216 authentication login 217 authorization commands 236 authorization exec 236 auto-traffic-contro
dir 123 disable 90 discard 398 disconnect 138 dns-server 789 domain-name 790 dos-protection echo-chargen 356 dos-protection land 356 dos-protection smurf 357 dos-protection tcp-flooding 357 dos-protection tcp-null-scan 358 dos-protection tcp-syn-fin-scan 358 dos-protection tcp-udp-port-zero 359 dos-protection tcp-xmas-scan 359 dos-protection udp-flooding 360 dos-protection win-nuke 360 dot1q-tunnel system-tunnel-control 539 dot1q-tunnel tpid 540 dot1x default 255 dot1x eapol-pass-through 2
ip http authentication 239 ip http port 240 ip http secure-port 241 ip http secure-server 241 ip http server 240 ip igmp authentication 671 ip igmp filter (Global Configuration) 669 ip igmp filter (Interface Configuration) 673 ip igmp max-groups 673 ip igmp max-groups action 674 ip igmp profile 669 ip igmp query-drop 675 ip igmp snooping 643 ip igmp snooping immediate-leave 660 ip igmp snooping mrouter-forward-mode dynamic 644 ip igmp snooping priority 644 ip igmp snooping proxy-reporting
ipv6 nd snooping auto-detect retransmit count 851 ipv6 nd snooping auto-detect retransmit interval 851 ipv6 nd snooping max-binding 853 ipv6 nd snooping prefix timeout 852 ipv6 nd snooping trust 853 ipv6 neighbor 834 ipv6 route 863 ipv6 source-guard 343 ipv6 source-guard binding 341 ipv6 source-guard max-binding 344 jumbo frame 115 l2protocol-tunnel tunnel-dmac 546 lacp 431 lacp actor/partner mode (Ethernet Interface) 432 lacp admin-key (Ethernet Interface) 433 lacp admin-key (Port Channel
network-access aging 289 network-access dynamic-qos 291 network-access dynamic-vlan 293 network-access guest-vlan 294 network-access link-detection 294 network-access link-detection link-down 295 network-access link-detection link-up 295 network-access link-detection link-up-down 296 network-access mac-filter 290 network-access max-mac-count 297 network-access mode mac-authentication 297 network-access port-mac-filter 298 next-server 795 nlm 189 no rspan session 455 non-revertive 584 ntp a
show access-list tcam-utilization 104 show accounting 237 show arp 812 show authorization 238 show auto-traffic-control 473 show auto-traffic-control interface 473 show banner 103 show bridge-ext 525 show cable-diagnostics 424 show calendar 167 show class-map 634 show discard 405 show dns 771 show dns cache 771 show dos-protection 361 show dot1q-tunnel 545 show dot1q-tunnel service 544 show dot1x 267 show efm oam counters interface 761 show efm oam event-log interface 761 show efm oam remo
show lldp info statistics 752 show log 146 show logging 147 show logging sendmail 152 show loopback-detection 479 show mac access-group 385 show mac access-list 386 show mac-address-table 485 show mac-address-table aging-time 486 show mac-address-table count 487 show mac-address-table hash-algorithm 486 show mac-address-table hash-lookup-depth 487 show mac-vlan 560 show management 271 show memory 105 show mlag 445 show mlag domain 446 show mlag group 445 show mvr 718 show mvr associated-pr
snmp-server enable port-traps atc multicast-control-apply 472 snmp-server enable port-traps atc multicast-controlrelease 472 snmp-server enable port-traps link-up-down 179 snmp-server enable port-traps mac-notification 180 snmp-server enable traps 176 snmp-server engine-id 181 snmp-server group 182 snmp-server host 177 snmp-server location 175 snmp-server notify-filter 190 snmp-server user 183 snmp-server view 185 sntp client 153 sntp poll 154 sntp server 155 spanning-tree 490 spanning-tre
web-auth login-attempts 304 web-auth quiet-period 304 web-auth re-authenticate (IP) 307 web-auth re-authenticate (Port) 306 web-auth session-timeout 305 web-auth system-auth-control 305 whichboot 124 wtr-timer 581