ES3528MV2 ES3528MV2-DC 28-Port Fast Ethernet Layer 2 Switch Management Guide www.edge-core.
MANAGEMENT GUIDE
ES3528MV2 FAST ETHERNET SWITCH
Layer 2 Switch with 24 10/100BASE-TX (RJ-45) Ports, and 4 Gigabit Combination Ports (RJ-45/SFP)
ES3528MV2-DC FAST ETHERNET SWITCH
Layer 2 Switch with DC power input with 24 10/100BASE-TX (RJ-45) Ports, and 4 Gigabit Combination Ports (RJ-45/SFP)
ES3528MV2 ES3528MV2-DC
E112013/ST-R03
ABOUT THIS GUIDE
PURPOSE This guide gives specific information on how to operate and use the management functions of the switch.
AUDIENCE The guide is intended for use by network administrators who are responsible for operating and maintaining network equipment; consequently, it assumes a basic working knowledge of general switch functions, the Internet Protocol (IP), and Simple Network Management Protocol (SNMP).
REVISION HISTORY This section summarizes the changes in each revision of this guide.
NOVEMBER 2013 REVISION This is the third version of this guide. This guide is valid for software release v1.4.0.0. It includes the following updates to the manual:
◆ Updated parameter ranges under "Configuring The Console Port" on page 139.
◆ Updated parameter ranges under "Configuring Telnet Settings" on page 140.
◆ Updated default settings and added “MED-Location Civic Address” parameter under "Configuring LLDP Interface Attributes" on page 427.
◆ Added the section "Configuring LLDP Interface Civic-Address" on page 430.
◆ Added parameters for Port Details under "Displaying LLDP Remote Device Information" on page 436.
◆ Updated entries in Table 31, "Supported Notification Messages," on page 456.
◆ Updated syntax for the command "delete" on page 723.
◆ Updated range for the command "exec-timeout" on page 730.
◆ Added the command "terminal" on page 737.
◆ Updated parameter options for the command "snmp-server enable traps" on page 778.
◆ Added the command "clear access-list hardware counters" on page 973.
◆ Updated description of parameters for the command "capabilities" on page 977.
◆ Added the command "discard" on page 979.
◆ Added description of seven new DDM commands beginning with "transceiver-threshold-auto" on page 989 and ending with "transceiver-threshold voltage" on page 995.
◆ Added the command "port channel load-balance" on page 1004.
◆ Added the command "lacp timeout" on page 1011.
◆ Added new section "MLD Snooping" on page 1239.
◆ Added new section "MLD Filtering and Throttling" on page 1249.
◆ Updated range for the command "mvr priority" on page 1262.
◆ Added commands "clear mvr groups dynamic" on page 1269 and "clear mvr statistics" on page 1270.
◆ Added commands "clear mvr6 groups dynamic" on page 1288 and "clear mvr6 statistics" on page 1288.
◆ Updated description of parameters for "ethernet cfm cc ma interval" on page 1339.
CONTENTS
ABOUT THIS GUIDE 5
CONTENTS 11
FIGURES 49
TABLES 61
SECTION I GETTING STARTED
1 INTRODUCTION 69
Key Features 69
Description of Software Features 70
System Defaults 75
2 INITIAL SWITCH CONFIGURATION 79
Connecting to the Switch 79
Configuration Options 79
Required Connections 80
Remote Connections 81
Basic Configuration 81
Console Connection 81
Setting Passwords 82
Setting an IP Address 83
Downloading a Configuration File Referenced by a DHCP Server 89
Enabling S
Navigating the Web Browser Interface 98
Home Page 98
Configuration Options 99
Panel Display 99
Main Menu 100
4 BASIC MANAGEMENT TASKS 117
Displaying System Information 117
Displaying Hardware/Software Versions 118
Configuring Support for Jumbo Frames 120
Displaying Bridge Extension Capabilities 121
Managing System Files 122
Copying Files via FTP/TFTP or HTTP 122
Saving the Running Configuration to a Local File 124
Setting the Start-up File 125
Showing System Files 126
Configuring Transceiver Thresholds 165
Performing Cable Diagnostics 168
Trunk Configuration 170
Configuring a Static Trunk 171
Configuring a Dynamic Trunk 173
Displaying LACP Port Counters 179
Displaying LACP Settings and Status for the Local Side 180
Displaying LACP Settings and Status for the Remote Side 182
Configuring Load Balancing 183
Saving Power 185
Traffic Segmentation 187
Enabling Traffic Segmentation 187
Configuring Uplink and Downlink Ports 188
VLAN Trunking
Configuring MAC Address Mirroring 234
8 SPANNING TREE ALGORITHM 237
Overview 237
Configuring Loopback Detection 240
Configuring Global Settings for STA 242
Displaying Global Settings for STA 247
Configuring Interface Settings for STA 248
Displaying Interface Settings for STA 252
Configuring Multiple Spanning Trees 255
Configuring Interface Settings for MSTP 259
9 CONGESTION CONTROL 261
Rate Limiting 261
Storm Control 262
Automatic Traffic Control 264
Setting the ATC Tim
13 SECURITY MEASURES 307
AAA Authorization and Accounting 308
Configuring Local/Remote Logon Authentication 309
Configuring Remote Logon Authentication Servers 310
Configuring AAA Accounting 315
Configuring AAA Authorization 321
Configuring User Accounts 324
Web Authentication 326
Configuring Global Settings for Web Authentication 326
Configuring Interface Settings for Web Authentication 327
Network Access (MAC Address Authentication) 329
Configuring Global Settings for Netwo
ARP Inspection 372
Configuring Global Settings for ARP Inspection 373
Configuring VLAN Settings for ARP Inspection 375
Configuring Interface Settings for ARP Inspection 377
Displaying ARP Inspection Statistics 378
Displaying the ARP Inspection Log 379
Filtering IP Addresses for Management Access 380
Configuring Port Security 382
Configuring 802.1X Port Authentication 384
Configuring 802.1X Global Settings 386
Configuring Port Authenticator Settings for 802.
Displaying LLDP Local Device Information 432
Displaying LLDP Remote Device Information 436
Displaying Device Statistics 444
Simple Network Management Protocol 446
Configuring Global Settings for SNMP 448
Setting the Local Engine ID 449
Specifying a Remote Engine ID 450
Setting SNMPv3 Views 452
Configuring SNMPv3 Groups 455
Setting Community Access Strings 460
Configuring Local SNMPv3 Users 461
Configuring Remote SNMPv3 Users 463
Specifying Trap Managers 466
Creating SNMP
Transmitting Loop Back Messages 536
Transmitting Delay-Measure Requests 538
Displaying Local MEPs 540
Displaying Details for Local MEPs 541
Displaying Local MIPs 543
Displaying Remote MEPs 544
Displaying Details for Remote MEPs 545
Displaying the Link Trace Cache 547
Displaying Fault Notification Settings 549
Displaying Continuity Check Errors 550
OAM Configuration 551
Enabling OAM on Local Ports 551
Displaying Statistics for OAM Messages 554
Displaying the OAM Event Log
16 IP SERVICES 589
Domain Name Service 589
Configuring General DNS Service Parameters 589
Configuring a List of Domain Names 590
Configuring a List of Name Servers 592
Configuring Static DNS Host to Address Entries 593
Displaying the DNS Cache 594
Dynamic Host Configuration Protocol 595
Specifying A DHCP Client Identifier 595
Configuring DHCP Relay Option 82 596
Configuring the PPPoE Intermediate Agent 600
Configuring PPPoE IA Global Settings 600
Configuring PPPoE IA Interf
Configuring MVR Domain Settings 646
Configuring MVR Group Address Profiles 647
Configuring MVR Interface Status 650
Assigning Static MVR Multicast Groups to Interfaces 652
Displaying MVR Receiver Groups 654
Displaying MVR Statistics 655
Multicast VLAN Registration for IPv6 659
Configuring MVR6 Global Settings 660
Configuring MVR6 Domain Settings 662
Configuring MVR6 Group Address Profiles 663
Configuring MVR6 Interface Status 666
Assigning Static MVR6 Multicast G
SECTION III
reload (Global Configuration) 692
enable 693
quit 694
show history 694
configure 695
disable 696
reload (Privileged Exec) 696
show reload 697
end 697
exit 697
20 SYSTEM MANAGEMENT COMMANDS 699
Device Designation 699
hostname 700
Banner Information 700
banner configure 701
banner configure company 702
banner configure dc-power-info 703
banner configure department 703
banner configure equipment-info 704
banner configure equipment-location 705
banner configure ip
show watchdog 716
watchdog software 716
Frame Size 717
jumbo frame 717
File Management 718
General Commands 719
boot system 719
copy 720
delete 723
dir 724
whichboot 725
Automatic Code Upgrade Commands 725
upgrade opcode auto 725
upgrade opcode path 726
upgrade opcode reload 727
show upgrade 728
Line 728
line 729
databits 730
exec-timeout 730
login 731
parity 732
password 733
password-thresh 734
silent-time 734
speed 735
stopbits 736
timeout log
logging trap 742
clear log 743
show log 743
show logging 744
SMTP Alerts 746
logging sendmail 746
logging sendmail host 746
logging sendmail level 747
logging sendmail destination-email 748
logging sendmail source-email 748
show logging sendmail 749
Time 749
SNTP Commands 750
sntp client 750
sntp poll 751
sntp server 752
show sntp 752
NTP Commands 753
ntp authenticate 753
ntp authentication-key 753
ntp client 754
ntp server 755
show ntp 756
Manual Confi
Switch Clustering 766
cluster 767
cluster commander 767
cluster ip-pool 768
cluster member 769
rcommand 769
show cluster 770
show cluster members 770
show cluster candidates 771
21 SNMP COMMANDS 773
General SNMP Commands 775
snmp-server 775
snmp-server community 775
snmp-server contact 776
snmp-server location 776
show snmp 777
SNMP Target Host Commands 778
snmp-server enable traps 778
snmp-server host 779
snmp-server enable port-traps mac-notification 781
s
Additional Trap Commands 793
memory 793
process cpu 794
22 REMOTE MONITORING COMMANDS 795
rmon alarm 796
rmon event 797
rmon collection history 798
rmon collection rmon1 799
show rmon alarms 800
show rmon events 800
show rmon history 800
show rmon statistics 801
23 FLOW SAMPLING COMMANDS 803
sflow owner 803
sflow polling instance 805
sflow sampling instance 806
show sflow 807
24 AUTHENTICATION COMMANDS 809
User Accounts and Privilege Levels 810
enable password
tacacs-server key 821
tacacs-server port 822
tacacs-server retransmit 822
tacacs-server timeout 823
show tacacs-server 823
AAA 824
aaa accounting commands 824
aaa accounting dot1x 825
aaa accounting exec 826
aaa accounting update 827
aaa authorization exec 828
aaa group server 829
server 829
accounting dot1x 830
accounting commands 830
accounting exec 831
authorization exec 831
show accounting 832
Web Server 833
ip http port 833
ip http server 834
ip http s
ip ssh save host-key 846
show ip ssh 846
show public-key 846
show ssh 847
802.
pppoe intermediate-agent port-enable 867
pppoe intermediate-agent port-format-type 867
pppoe intermediate-agent trust 868
pppoe intermediate-agent vendor-tag strip 869
clear pppoe intermediate-agent statistics 869
show pppoe intermediate-agent info 870
show pppoe intermediate-agent statistics 871
25 GENERAL SECURITY MEASURES 873
Port Security 874
mac-learning 874
port security 875
port security mac-address-as-permanent 877
show port security 877
Network Access (MAC Address
web-auth session-timeout 895
web-auth system-auth-control 896
web-auth 896
web-auth re-authenticate (Port) 897
web-auth re-authenticate (IP) 897
show web-auth 898
show web-auth interface 898
show web-auth summary 899
DHCPv4 Snooping 899
ip dhcp snooping 900
ip dhcp snooping information option 902
ip dhcp snooping information policy 903
ip dhcp snooping limit rate 904
ip dhcp snooping verify mac-address 904
ip dhcp snooping vlan 905
ip dhcp snooping information option
ip source-guard max-binding 923
ip source-guard mode 924
clear ip source-guard binding blocked 924
show ip source-guard 925
show ip source-guard binding 925
IPv6 Source Guard 926
ipv6 source-guard binding 926
ipv6 source-guard 928
ipv6 source-guard max-binding 929
show ipv6 source-guard 930
show ipv6 source-guard binding 931
ARP Inspection 931
ip arp inspection 932
ip arp inspection filter 933
ip arp inspection log-buffer logs 934
ip arp inspection validate 935
ip a
traffic-segmentation session 946
traffic-segmentation uplink/downlink 947
traffic-segmentation uplink-to-uplink 948
show traffic-segmentation 949
26 ACCESS CONTROL LISTS 951
IPv4 ACLs 951
access-list ip 952
permit, deny (Standard IP ACL) 953
permit, deny (Extended IPv4 ACL) 954
ip access-group 956
show ip access-group 957
show ip access-list 957
IPv6 ACLs 958
access-list ipv6 958
permit, deny (Standard IPv6 ACL) 959
permit, deny (Extended IPv6 ACL) 960
ipv6 access-gro
alias 977
capabilities 977
description 978
discard 979
flowcontrol 980
media-type 981
negotiation 981
shutdown 982
speed-duplex 983
clear counters 984
show discard 984
show interfaces brief 985
show interfaces counters 985
show interfaces status 987
show interfaces switchport 988
Transceiver Threshold Configuration 989
transceiver-threshold-auto 989
transceiver-monitor 990
transceiver-threshold current 990
transceiver-threshold rx-power 992
transceiver-thres
Dynamic Configuration Commands 1006
lacp 1006
lacp admin-key (Ethernet Interface) 1008
lacp port-priority 1009
lacp system-priority 1010
lacp admin-key (Port Channel) 1010
lacp timeout 1011
Trunk Status Display Commands 1012
show lacp 1012
show port-channel load-balance 1015
29 PORT MIRRORING COMMANDS 1017
Local Port Mirroring Commands 1017
port monitor 1017
show port monitor 1019
RSPAN Mirroring Commands 1020
rspan source 1022
rspan destination 1023
rspan remote vl
SNMP Trap Commands 1040
snmp-server enable port-traps atc broadcast-alarm-clear 1040
snmp-server enable port-traps atc broadcast-alarm-fire 1040
snmp-server enable port-traps atc broadcast-control-apply 1041
snmp-server enable port-traps atc broadcast-control-release 1041
snmp-server enable port-traps atc multicast-alarm-clear 1042
snmp-server enable port-traps atc multicast-alarm-fire 1042
snmp-server enable port-traps atc multicast-control-apply 1043
snmp-server enable port-traps
spanning-tree hello-time 1068
spanning-tree max-age 1069
spanning-tree mode 1069
spanning-tree pathcost method 1071
spanning-tree priority 1071
spanning-tree mst configuration 1072
spanning-tree system-bpdu-flooding 1073
spanning-tree transmission-limit 1073
max-hops 1074
mst priority 1074
mst vlan 1075
name 1076
revision 1076
spanning-tree bpdu-filter 1077
spanning-tree bpdu-guard 1078
spanning-tree cost 1079
spanning-tree edge-port 1080
spanning-tree link-type
control-vlan 1096
enable 1097
guard-timer 1098
holdoff-timer 1098
major-domain 1099
meg-level 1100
mep-monitor 1100
node-id 1101
non-erps-dev-protect 1102
non-revertive 1103
propagate-tc 1107
raps-def-mac 1108
raps-without-vc 1108
ring-port 1110
rpl neighbor 1111
rpl owner 1112
version 1113
wtr-timer 1114
clear erps statistics 1114
erps clear 1115
erps forced-switch 1115
erps manual-switch 1117
show erps 1119
36 VLAN COMMANDS 1125
GVRP and Bridge Ext
Configuring VLAN Interfaces 1133
interface vlan 1133
switchport acceptable-frame-types 1134
switchport allowed vlan 1135
switchport ingress-filtering 1136
switchport mode 1136
switchport native vlan 1137
vlan-trunking 1138
Displaying VLAN Information 1139
show vlan 1139
Configuring IEEE 802.
voice vlan aging 1162
voice vlan mac-address 1163
switchport voice vlan 1164
switchport voice vlan priority 1165
switchport voice vlan rule 1165
switchport voice vlan security 1166
show voice vlan 1167
37 CLASS OF SERVICE COMMANDS 1169
Priority Commands (Layer 2) 1169
queue mode 1170
queue weight 1171
switchport priority default 1172
show queue mode 1173
show queue weight 1173
Priority Commands (Layer 3 and 4) 1174
qos map cos-dscp 1174
qos map dscp-mutation 1176
service-policy 1199
show class-map 1199
show policy-map 1200
show policy-map interface 1201
39 MULTICAST FILTERING COMMANDS 1203
IGMP Snooping 1204
ip igmp snooping 1205
ip igmp snooping priority 1206
ip igmp snooping proxy-reporting 1206
ip igmp snooping querier 1207
ip igmp snooping router-alert-option-check 1207
ip igmp snooping router-port-expire-time 1208
ip igmp snooping tcn-flood 1209
ip igmp snooping tcn-query-solicit 1210
ip igmp snooping unregistered-data-flood
IGMP Filtering and Throttling 1227
ip igmp filter (Global Configuration) 1228
ip igmp profile 1229
permit, deny 1229
range 1230
ip igmp authentication 1230
ip igmp filter (Interface Configuration) 1232
ip igmp max-groups 1233
ip igmp max-groups action 1233
ip igmp query-drop 1234
ip multicast-data-drop 1234
show ip igmp authentication 1235
show ip igmp filter 1236
show ip igmp profile 1236
show ip igmp query-drop 1237
show ip igmp throttle interface 1237
show ip mul
MLD Filtering and Throttling 1249
ipv6 mld filter (Global Configuration) 1250
ipv6 mld profile 1251
permit, deny 1251
range 1252
ipv6 mld filter (Interface Configuration) 1252
ipv6 mld max-groups 1253
ipv6 mld max-groups action 1254
ipv6 mld query-drop 1254
ipv6 multicast-data-drop 1255
show ipv6 mld filter 1255
show ipv6 mld profile 1256
show ipv6 mld query-drop 1256
show ipv6 mld throttle interface 1257
MVR for IPv4 1258
mvr 1259
mvr associated-profile 1259
mvr
show mvr statistics 1275
MVR for IPv6 1277
mvr6 associated-profile 1278
mvr6 domain 1279
mvr6 profile 1279
mvr6 proxy-query-interval 1280
mvr6 proxy-switching 1281
mvr6 robustness-value 1282
mvr6 source-port-mode dynamic 1283
mvr6 upstream-source-ip 1283
mvr6 vlan 1284
mvr6 immediate-leave 1285
mvr6 type 1285
mvr6 vlan group 1287
clear mvr6 groups dynamic 1288
clear mvr6 statistics 1288
show mvr6 1289
show mvr6 associated-profile 1290
show mvr6 interface 1290
sh
lldp dot1-tlv proto-ident 1304
lldp dot1-tlv proto-vid 1305
lldp dot1-tlv pvid 1305
lldp dot1-tlv vlan-name 1306
lldp dot3-tlv link-agg 1306
lldp dot3-tlv mac-phy 1307
lldp dot3-tlv max-frame 1307
lldp med-location civic-addr 1308
lldp med-notification 1309
lldp med-tlv inventory 1310
lldp med-tlv location 1311
lldp med-tlv med-cap 1311
lldp med-tlv network-policy 1312
lldp notification 1312
show lldp config 1313
show lldp info local-device 1314
show lldp info remot
show ethernet cfm maintenance-points remote detail 1337
Continuity Check Operations 1339
ethernet cfm cc ma interval 1339
ethernet cfm cc enable 1340
snmp-server enable traps ethernet cfm cc 1341
mep archive-hold-time 1342
clear ethernet cfm maintenance-points remote 1342
clear ethernet cfm errors 1343
show ethernet cfm errors 1343
Cross Check Operations 1344
ethernet cfm mep crosscheck start-delay 1344
snmp-server enable traps ethernet cfm crosscheck 1345
mep crosscheck mpid
efm oam link-monitor frame window 1364
efm oam mode 1365
clear efm oam counters 1366
clear efm oam event-log 1366
efm oam remote-loopback 1367
efm oam remote-loopback test 1368
show efm oam counters interface 1369
show efm oam event-log interface 1369
show efm oam remote-loopback interface 1371
show efm oam status interface 1371
show efm oam status remote interface 1372
43 DOMAIN NAME SERVICE COMMANDS 1373
ip domain-list 1373
ip domain-lookup 1374
ip domain-name 1375
ip
ip dhcp relay information policy 1393
show ip dhcp relay 1394
45 IP INTERFACE COMMANDS 1395
IPv4 Interface 1395
Basic IPv4 Configuration 1396
ip address 1396
ip default-gateway 1398
show ip default-gateway 1398
show ip interface 1399
show ip traffic 1399
traceroute 1400
ping 1401
ARP Configuration 1402
arp timeout 1403
clear arp-cache 1403
show arp 1404
IPv6 Interface 1404
Interface Address Configuration and Utilities 1405
ipv6 default-gateway 1405
ipv6 address
ipv6 nd reachable-time 1427
clear ipv6 neighbors 1428
show ipv6 nd raguard 1428
show ipv6 neighbors 1429
ND Snooping 1430
ipv6 nd snooping 1431
ipv6 nd snooping auto-detect 1432
ipv6 nd snooping auto-detect retransmit count 1433
ipv6 nd snooping auto-detect retransmit interval 1434
ipv6 nd snooping prefix timeout 1434
ipv6 nd snooping max-binding 1435
ipv6 nd snooping trust 1435
clear ipv6 nd snooping binding 1436
clear ipv6 nd snooping prefix 1436
show ipv6
SECTION IV
FIGURES
Figure 1: Home Page 98
Figure 2: Front Panel Indicators 99
Figure 3: System Information 118
Figure 4: General Switch Information 119
Figure 5: Configuring Support for Jumbo Frames 120
Figure 6: Displaying Bridge Extension Configuration 122
Figure 7: Copy Firmware 124
Figure 8: Saving the Running Configuration 125
Figure 9: Setting Start-Up Files 126
Figure 10: Displaying System Files 126
Figure 11: Configuring Automatic Code Upgrade 130
Figure 12: Manually Setting the System C
Figure 32: Configuring Local Port Mirroring 154
Figure 33: Configuring Local Port Mirroring 155
Figure 34: Displaying Local Port Mirror Sessions 156
Figure 35: Configuring Remote Port Mirroring 156
Figure 36: Configuring Remote Port Mirroring (Source) 159
Figure 37: Configuring Remote Port Mirroring (Intermediate) 159
Figure 38: Configuring Remote Port Mirroring (Destination) 160
Figure 39: Showing Port Statistics (Table) 163
Figure 40: Showing Port Statistics (Chart) 164
Figure 4
Figure 68: Creating Static VLANs 197
Figure 69: Modifying Settings for Static VLANs 198
Figure 70: Showing Static VLANs 198
Figure 71: Configuring Static Members by VLAN Index 201
Figure 72: Configuring Static VLAN Members by Interface 202
Figure 73: Configuring Static VLAN Members by Interface Range 202
Figure 74: Configuring Global Status of GVRP 204
Figure 75: Configuring GVRP for an Interface 205
Figure 76: Showing Dynamic VLANs Registered on the Switch 205
Figure 77: Showing
Figure 104: STP Root Ports and Designated Ports 238
Figure 105: MSTP Region, Internal Spanning Tree, Multiple Spanning Tree 239
Figure 106: Common Internal Spanning Tree, Common Spanning Tree, Internal Spanning Tree 239
Figure 107: Configuring Port Loopback Detection 241
Figure 108: Configuring Global Settings for STA (STP) 246
Figure 109: Configuring Global Settings for STA (RSTP) 246
Figure 110: Configuring Global Settings for STA (MSTP) 247
Figure 111: Displaying Global Settings fo
Figure 140: Configuring a Class Map 287
Figure 141: Showing Class Maps 288
Figure 142: Adding Rules to a Class Map 288
Figure 143: Showing the Rules for a Class Map 289
Figure 144: Configuring a Policy Map 296
Figure 145: Showing Policy Maps 297
Figure 146: Adding Rules to a Policy Map 298
Figure 147: Showing the Rules for a Policy Map 298
Figure 148: Attaching a Policy Map to a Port 299
Figure 149: Configuring a Voice VLAN 303
Figure 150: Configuring an OUI Telephony List 304
Figure 176: Configuring Interface Settings for Network Access 334
Figure 177: Configuring Link Detection for Network Access 335
Figure 178: Configuring a MAC Address Filter for Network Access 336
Figure 179: Showing the MAC Address Filter Table for Network Access 336
Figure 180: Showing Addresses Authenticated for Network Access 338
Figure 181: Configuring HTTPS 340
Figure 182: Downloading the Secure-Site Certificate 341
Figure 183: Configuring the SSH Server 345
Figure 184: Generat
Figure 212: Configuring Port Security 384
Figure 213: Configuring Port Security 385
Figure 214: Configuring Global Settings for 802.1X Port Authentication 387
Figure 215: Configuring Interface Settings for 802.1X Port Authenticator 391
Figure 216: Configuring Interface Settings for 802.1X Port Supplicant 393
Figure 217: Showing Statistics for 802.1X Port Authenticator 395
Figure 218: Showing Statistics for 802.
Figure 248: Configuring the Local Engine ID for SNMP 450
Figure 249: Configuring a Remote Engine ID for SNMP 451
Figure 250: Showing Remote Engine IDs for SNMP 452
Figure 251: Creating an SNMP View 453
Figure 252: Showing SNMP Views 453
Figure 253: Adding an OID Subtree to an SNMP View 454
Figure 254: Showing the OID Subtree Configured for SNMP Views 454
Figure 255: Creating an SNMP Group 459
Figure 256: Showing SNMP Groups 459
Figure 257: Setting Community Access Strings 460
Fi
Figure 284: Managing a Cluster Member 489
Figure 285: ERPS Ring Components 490
Figure 286: Ring Interconnection Architecture (Multi-ring/Ladder Network) 492
Figure 287: Setting ERPS Global Status 494
Figure 288: Sub-ring with Virtual Channel 503
Figure 289: Sub-ring without Virtual Channel 504
Figure 290: Creating an ERPS Ring 508
Figure 291: Creating an ERPS Ring 509
Figure 292: Showing Configured ERPS Rings 509
Figure 293: Blocking an ERPS Ring Port 514
Figure 294: Single CFM
Figure 320: Displaying Statistics for OAM Messages 555
Figure 321: Displaying the OAM Event Log 556
Figure 322: Displaying Status of Remote Interfaces 557
Figure 323: Running a Remote Loop Back Test 559
Figure 324: Displaying the Results of Remote Loop Back Testing 560
Figure 325: Pinging a Network Device 562
Figure 326: Tracing the Route to a Network Device 564
Figure 327: Setting the ARP Timeout 565
Figure 328: Displaying ARP Entries 566
Figure 329: Configuring the IPv4 Default
Figure 356: Showing PPPoE Intermediate Agent Statistics 605
Figure 357: Multicast Filtering Concept 608
Figure 358: Configuring General Settings for IGMP Snooping 614
Figure 359: Configuring a Static Interface for a Multicast Router 615
Figure 360: Showing Static Interfaces Attached to a Multicast Router 615
Figure 361: Showing Current Interfaces Attached to a Multicast Router 616
Figure 362: Assigning an Interface to a Multicast Service 617
Figure 363: Showing Static Interfaces Assigned to
Figure 392: Showing the MVR Group Address Profiles Assigned to a Domain 650
Figure 393: Configuring Interface Settings for MVR 652
Figure 394: Assigning Static MVR Groups to a Port 653
Figure 395: Showing the Static MVR Groups Assigned to a Port 654
Figure 396: Displaying MVR Receiver Groups 655
Figure 397: Displaying MVR Statistics – Query 657
Figure 398: Displaying MVR Statistics – VLAN 658
Figure 399: Displaying MVR Statistics – Port 659
Figure 400: Configuring Global Settings fo
TABLES
Table 1: Key Features 69
Table 2: System Defaults 75
Table 3: Options 60, 66 and 67 Statements 89
Table 4: Options 55 and 124 Statements 90
Table 5: Web Page Configuration Buttons 99
Table 6: Switch Main Menu 100
Table 7: Port Statistics 160
Table 8: LACP Port Counters 179
Table 9: LACP Internal Configuration Information 180
Table 10: LACP Remote Device Configuration Information 182
Table 11: Traffic Segmentation Forwarding 188
Table 12: Recommended STA Path Cost Range 249
Ta
Table 32: ERPS Request/State Priority 511
Table 33: Remote MEP Priority Levels 523
Table 34: MEP Defect Descriptions 523
Table 35: OAM Operation State 552
Table 36: OAM Operation State 558
Table 37: Address Resolution Protocol 564
Table 38: Show IPv6 Neighbors - display description 580
Table 39: Show IPv6 Statistics - display description 582
Table 40: Show MTU - display description 587
Table 41: General Command Modes 685
Table 42: Configuration Command Modes 687
Table 43: Keyst
Table 68: RMON Commands 795
Table 69: sFlow Commands 803
Table 70: Authentication Commands 809
Table 71: User Access Commands 810
Table 72: Default Login Settings 811
Table 73: Authentication Sequence Commands 813
Table 74: RADIUS Client Commands 816
Table 75: TACACS+ Client Commands 820
Table 76: AAA Commands 824
Table 77: Web Server Commands 833
Table 78: HTTPS System Support 836
Table 79: Telnet Server Commands 836
Table 80: Secure Shell Commands 838
Table 81: show ssh -
Table 104: MAC ACL Commands 964
Table 105: ARP ACL Commands 970
Table 106: ACL Information Commands 973
Table 107: Interface Commands 975
Table 108: show interfaces switchport - display description 989
Table 109: Link Aggregation Commands 1003
Table 110: show lacp counters - display description 1013
Table 111: show lacp internal - display description 1013
Table 112: show lacp neighbors - display description 1014
Table 113: show lacp sysid - display description 1015
Table 114: Por
Table 140: VLAN Translation Commands 1151
Table 141: Protocol-based VLAN Commands 1153
Table 142: IP Subnet VLAN Commands 1157
Table 143: MAC Based VLAN Commands 1159
Table 144: Voice VLAN Commands 1161
Table 145: Priority Commands 1169
Table 146: Priority Commands (Layer 2) 1169
Table 147: Priority Commands (Layer 3 and 4) 1174
Table 148: Default Mapping of CoS/CFI to Internal PHB/Drop Precedence 1175
Table 149: Default Mapping of DSCP Values to Internal PHB/Drop Values 1176
Tab
Table 176: LLDP MED Location CA Types 1308
Table 177: CFM Commands 1319
Table 178: show ethernet cfm configuration traps - display description 1333
Table 179: show ethernet cfm maintenance-points local detail mep - display 1336
Table 180: show ethernet cfm maintenance-points remote detail - display 1338
Table 181: show ethernet cfm errors - display description 1344
Table 182: show ethernet cfm linktrace-cache - display description 1352
Table 183: Remote MEP Priority Levels 1355
Table
SECTION I GETTING STARTED This section provides an overview of the switch, and introduces some basic concepts about network switches. It also describes the basic settings required to access the management interface.
1 INTRODUCTION This switch provides a broad range of features for Layer 2 switching. It includes a management agent that allows you to configure the features listed in this manual. The default configuration can be used for most of the features provided by this switch. However, there are many options that you should configure to maximize the switch’s performance for your particular network environment.
CHAPTER 1 | Introduction Description of Software Features
Table 1: Key Features (Continued)
Feature: Description
Store-and-Forward Switching: Supported to ensure wire-speed switching while eliminating bad frames
Spanning Tree Algorithm: Supports standard STP, Rapid Spanning Tree Protocol (RSTP), and Multiple Spanning Trees (MSTP)
Virtual LANs: Up to 4094 using IEEE 802.
802.1X protocol. This protocol uses Extensible Authentication Protocol over LANs (EAPOL) to request user credentials from the 802.1X client, and then uses EAP between the switch and the authentication server (i.e., a RADIUS or TACACS+ server) to verify the client’s right to access the network.
STORM CONTROL Broadcast, multicast and unknown unicast storm suppression prevents traffic from overwhelming the network. When enabled on a port, the level of traffic passing through the port is restricted. If traffic rises above a predefined threshold, it is throttled until the level falls back beneath the threshold.
STATIC MAC A static address can be assigned to a specific interface on this switch.
802.1D STP standard. It is intended as a complete replacement for STP, but can still interoperate with switches running the older standard by automatically reconfiguring ports to STP-compliant mode if they detect STP protocol messages from attached devices.
◆ Multiple Spanning Tree Protocol (MSTP, IEEE 802.1s) – This protocol is a direct extension of RSTP. It can provide an independent spanning tree for different VLANs.
frames when they enter the service provider’s network, and then stripping the tags when the frames leave the network.
TRAFFIC PRIORITIZATION This switch prioritizes each packet based on the required level of service, using eight priority queues with strict priority, Weighted Round Robin (WRR), or a combination of strict and weighted queuing. It uses IEEE 802.1p and 802.
CHAPTER 1 | Introduction System Defaults
LINK LAYER DISCOVERY PROTOCOL LLDP is used to discover basic information about neighboring devices within the local broadcast domain. LLDP is a Layer 2 protocol that advertises information about the sending device and collects information gathered from neighboring network nodes it discovers. Advertised information is represented in Type Length Value (TLV) format according to the IEEE 802.
Table 2: System Defaults (Continued)
Function                    Parameter                  Default
Authentication (continued)  IP Filtering               Disabled
                            DHCP Snooping              Disabled
Web Management              HTTP Server                Enabled
                            HTTP Port Number           80
                            HTTP Secure Server         Enabled
                            HTTP Secure Server Port    443
SNMP                        Agent                      Enabled
                            Community Strings          “public” (read only)
                                                       “private” (read/write)
                            Traps                      Authentication traps: enabled
                                                       Link-up-down events: enabled
                            SNMP V3                    View: defaultview
                                                       Group: public (read only); p
Traffic Prioritization      Ingress Port Priority      0
                            Queue Mode                 WRR
                            Queue Weight               Queue:  0 1 2 3 4  5  6  7
                                                       Weight: 1 2 4 6 8 10 12 14
                            Class of Service           Enabled
                            IP Precedence Priority     Disabled
                            IP DSCP Priority           Disabled
                            Management VLAN            VLAN 1
                            IP Address                 DHCP assigned
                            Subnet Mask                255.255.255.0
                            Default Gateway            0.0.0.
2 INITIAL SWITCH CONFIGURATION
This chapter includes information on connecting to the switch and basic configuration procedures.
CONNECTING TO THE SWITCH
The switch includes a built-in network management agent. The agent offers a variety of management options, including SNMP, RMON and a web-based interface. A PC may also be connected directly to the switch for configuration and monitoring via a command line interface (CLI).
NOTE: An IPv4 address for this switch is obtained via DHCP by default.
CHAPTER 2 | Initial Switch Configuration Connecting to the Switch
◆ Filter packets using Access Control Lists (ACLs)
◆ Configure up to 4094 IEEE 802.
CHAPTER 2 | Initial Switch Configuration Basic Configuration
NOTE: Once you have set up the terminal correctly, the console login screen will be displayed. For a description of how to use the CLI, see "Using the Command Line Interface" on page 679. For a list of all the CLI commands and detailed information on using the CLI, refer to "CLI Command Groups" on page 689.
CLI at the Privileged Exec level using the default user name and password, perform these steps:
1. To initiate your console connection, press . The “User Access Verification” procedure starts.
2. At the User Name prompt, enter “admin.”
3. At the Password prompt, also enter “admin.” (The password characters are not displayed on the console screen.)
4.
SETTING AN IP ADDRESS
You must establish IP address information for the switch to obtain management access through the network. This can be done in either of the following ways:
◆ Manual — You have to input the information, including IP address and subnet mask. If your management station is not in the same IP subnet as the switch, you will also need to specify the default gateway router.
4. To set the IP address of the default gateway for the network to which the switch belongs, type “ip default-gateway gateway,” where “gateway” is the IP address of the default gateway. Press .
Console(config)#interface vlan 1
Console(config-if)#ip address 192.168.1.5 255.255.255.0
Console(config-if)#exit
Console(config)#ip default-gateway 192.168.1.
IPv6 link MTU is 1500 bytes
ND DAD is enabled, number of DAD attempts: 3.
IPv6 is enabled.
Link-local address: FE80::260:3EFF:FE11:6700/64
Global unicast address(es):
2001:DB8:2222:7272::/64, subnet is 2001:DB8:2222:7272::/64
Joined group address(es):
FF02::1:FF00:0
FF02::1:FF11:6700
FF02::1
IPv6 link MTU is 1500 bytes
ND DAD is enabled, number of DAD attempts: 3.
3. Type “end” to return to the Privileged Exec mode. Press .
4. Wait a few minutes, and then check the IP configuration settings by typing the “show ip interface” command. Press .
5. Then save your configuration changes by typing “copy running-config startup-config.” Enter the startup file name and press .
ND reachable time is 30000 milliseconds
ND advertised reachable time is 0 milliseconds
Console#
Address for Multi-segment Network — To generate an IPv6 address that can be used in a network containing more than one subnet, the switch can be configured to automatically generate a unique host address based on the local subnet address prefix received in router advertisement messages.
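The addresses in the "show ipv6 interface" output above all follow from the interface's MAC address. As an added illustration (example code, not part of this guide or of the switch firmware), the following Python derives the link-local address, a SLAAC global address from an advertised /64 prefix, and the solicited-node multicast groups a node joins. The MAC address 00:60:3E:11:67:00 is an assumption read back from the FE80::260:3EFF:FE11:6700 address shown; the global address on the page is the bare prefix 2001:DB8:2222:7272:: (interface identifier zero), which is why its solicited-node group is FF02::1:FF00:0.

```python
"""Derive the IPv6 addresses shown by 'show ipv6 interface' from a MAC address.

Added example, not the switch's own code. The MAC 00:60:3E:11:67:00 is an
assumption recovered from the FE80::260:3EFF:FE11:6700 address on the page.
"""
import ipaddress


def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 (RFC 4291): split the 48-bit MAC, insert FF:FE, flip the U/L bit."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("MAC address must be 48 bits")
    iid = octets[:3] + b"\xff\xfe" + octets[3:]
    iid = bytes([iid[0] ^ 0x02]) + iid[1:]      # universal/local bit is bit 1 of octet 0
    return int.from_bytes(iid, "big")


def link_local_address(mac: str) -> ipaddress.IPv6Address:
    """FE80::/64 prefix with the EUI-64 interface identifier."""
    return ipaddress.IPv6Address((0xFE80 << 112) | eui64_interface_id(mac))


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Global address built from a /64 prefix learned in a router advertisement."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC with EUI-64 requires a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac))


def solicited_node_multicast(addr) -> ipaddress.IPv6Address:
    """FF02::1:FFxx:xxxx from the low 24 bits of a unicast address (RFC 4291 2.7.1)."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    return ipaddress.IPv6Address(int(ipaddress.IPv6Address("ff02::1:ff00:0")) | low24)


def joined_groups(unicast_addrs) -> list:
    """Groups a node must listen on: all-nodes plus one solicited-node group per unicast address.

    Duplicate address detection (the 'ND DAD' line in the output) works by sending a
    neighbor solicitation to exactly these solicited-node groups.
    """
    groups = {ipaddress.IPv6Address("ff02::1")}
    for a in unicast_addrs:
        groups.add(solicited_node_multicast(a))
    return sorted(groups)


if __name__ == "__main__":
    mac = "00:60:3E:11:67:00"                      # assumed, see module docstring
    ll = link_local_address(mac)
    print("Link-local address:", ll)
    print("SLAAC address from RA prefix:", slaac_address("2001:DB8:2222:7272::/64", mac))
    for g in joined_groups([ll, "2001:DB8:2222:7272::"]):
        print("Joined group:", g)
```

The three "Joined group address(es)" lines on the page are exactly what joined_groups returns for the link-local address and the prefix-only global address; once SLAAC fills in the interface identifier, the FF02::1:FF00:0 group is replaced by FF02::1:FF11:6700, which the node already listens on.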
DOWNLOADING A CONFIGURATION FILE REFERENCED BY A DHCP SERVER
Information passed on to the switch from a DHCP server may also include a configuration file to be downloaded and the TFTP servers where that file can be accessed.
identify the device, and select the appropriate configuration file for download. This information is included in Options 55 and 124.
Table 4: Options 55 and 124 Statements
Option  Statement Keyword             Parameter
55      dhcp-parameter-request-list   a list of parameters, separated by ','
124     vendor-class-identifier       a string indicating the vendor class identifier
The following configuration examples are provided for a Linux-based DHCP daemon (dhcpd.
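A DHCP server that hands out configuration files on the basis of Options 55 and 124 is trusting what the client puts in those options, so it is worth being able to read them off the wire. The following Python decoder for the DHCP option area is an added example, not code from this guide, the switch, or dhcpd: it walks the option TLVs, returns the Option 55 parameter request list (RFC 2132), and unpacks the Option 124 vendor-identifying vendor class (RFC 3925: enterprise number, data length, then length-prefixed class strings). The sample option bytes are constructed; the enterprise number 259 is taken from the switch's sysObjectID prefix 1.3.6.1.4.1.259 in Chapter 4, and the class string "EXAMPLE-SWITCH" is a placeholder, not the string the switch actually sends.

```python
"""Decode DHCP Options 55 and 124 from a packet's option area.

Added example, not the switch's or dhcpd's code. SAMPLE_OPTIONS is constructed:
enterprise 259 comes from the switch's sysObjectID on this page, the class
string is a placeholder.
"""
import struct

OPT_PAD, OPT_END = 0, 255
OPT_PARAM_REQUEST_LIST = 55     # RFC 2132: list of option codes the client wants
OPT_VENDOR_IDENT_CLASS = 124    # RFC 3925: vendor-identifying vendor class


def parse_options(blob: bytes) -> dict:
    """Walk the TLV option area (after the magic cookie) into {code: raw_bytes}.

    Repeated codes are concatenated, as RFC 3396 requires; a length that
    runs past the buffer is rejected rather than silently truncated.
    """
    opts, i = {}, 0
    while i < len(blob):
        code = blob[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(blob):
            raise ValueError("truncated option header")
        length = blob[i + 1]
        value = blob[i + 2 : i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} runs past end of buffer")
        opts[code] = opts.get(code, b"") + value
        i += 2 + length
    return opts


def parameter_request_list(opts: dict) -> list:
    """Option 55 is simply one byte per requested option code."""
    return list(opts.get(OPT_PARAM_REQUEST_LIST, b""))


def vendor_identifying_class(opts: dict) -> list:
    """Option 124: repeated (enterprise:4, data-len:1, data) groups, where data
    holds repeated (len:1, class-string) items. Returns [(enterprise, [classes])]."""
    raw = opts.get(OPT_VENDOR_IDENT_CLASS, b"")
    result, i = [], 0
    while i < len(raw):
        if i + 5 > len(raw):
            raise ValueError("truncated option 124 header")
        enterprise, data_len = struct.unpack("!IB", raw[i : i + 5])
        data = raw[i + 5 : i + 5 + data_len]
        if len(data) != data_len:
            raise ValueError("truncated option 124 data")
        classes, j = [], 0
        while j < len(data):
            n = data[j]
            item = data[j + 1 : j + 1 + n]
            if len(item) != n:
                raise ValueError("truncated vendor class string")
            classes.append(item.decode("ascii", "replace"))
            j += 1 + n
        result.append((enterprise, classes))
        i += 5 + data_len
    return result


# Constructed sample: the client asks for options 1, 3, 6, 66, 67 and 124
# (66/67 are the standard RFC 2132 TFTP server / bootfile options; which
# options this switch actually consumes is stated in the dhcpd example that
# follows in the guide, not here) and identifies itself under enterprise 259.
_CLASS = b"EXAMPLE-SWITCH"                                   # placeholder string
SAMPLE_OPTIONS = (
    bytes([OPT_PARAM_REQUEST_LIST, 6, 1, 3, 6, 66, 67, 124])
    + bytes([OPT_VENDOR_IDENT_CLASS, 4 + 1 + 1 + len(_CLASS)])
    + struct.pack("!IB", 259, 1 + len(_CLASS))
    + bytes([len(_CLASS)]) + _CLASS
    + bytes([OPT_END])
)

if __name__ == "__main__":
    opts = parse_options(SAMPLE_OPTIONS)
    print("Option 55 requests:", parameter_request_list(opts))
    print("Option 124 classes:", vendor_identifying_class(opts))
```

Because the match is made on client-supplied strings, the server side should only ever serve the per-vendor configuration file to the subnet those switches live on, and the TFTP server named in the reply should hold nothing but the intended configuration files.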
requested data or sets the specified parameter. The switch can also be configured to send information to SNMP managers (without being requested by the managers) through trap messages, which inform the manager that certain events have occurred. The switch includes an SNMP agent that supports SNMP version 1, 2c, and 3 clients. To provide management access for version 1 or 2c clients, you must specify a community string.
TRAP RECEIVERS
You can also specify SNMP stations that are to receive traps from the switch. To configure a trap receiver, use the “snmp-server host” command.
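Table 2 lists the SNMP agent as enabled by default with the community strings “public” (read only) and “private” (read/write), and a version 1 or 2c community string is sent in cleartext with every request and trap. The following Python script is an added example (not part of this guide) that audits a saved configuration for exactly those two conditions. It assumes the running configuration contains lines of the form `snmp-server community <string> [ro|rw]` and `snmp-server host <address> <string> [version 1|2c|3]`; only the “snmp-server host” command name appears on this page, so the argument layout is an assumption, and the sample configuration text is constructed.

```python
"""Audit a saved switch configuration for SNMP defaults and cleartext trap receivers.

Added example, not the switch's own code. The command syntax matched here is an
assumption (only 'snmp-server host' is named on the page) and SAMPLE_CONFIG is
constructed.
"""
import re

# Defaults from Table 2 of the guide.
DEFAULT_COMMUNITIES = {"public": "read only", "private": "read/write"}

# Assumed line layouts; adjust the patterns to the CLI reference if they differ.
COMMUNITY_RE = re.compile(r"^\s*snmp-server community (\S+)(?:\s+(ro|rw))?\s*$")
HOST_RE = re.compile(r"^\s*snmp-server host (\S+)\s+(\S+)(?:\s+version (1|2c|3))?")


def audit_snmp_config(config_text: str) -> list:
    """Return (line number, message) findings for each risky SNMP line."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        m = COMMUNITY_RE.match(line)
        if m:
            name, access = m.group(1), m.group(2) or "ro"
            if name in DEFAULT_COMMUNITIES:
                findings.append((lineno, f"default community '{name}' "
                                         f"({DEFAULT_COMMUNITIES[name]}) is still configured "
                                         f"with access '{access}'"))
            continue
        m = HOST_RE.match(line)
        if m:
            host, credential, version = m.groups()
            if version is None:
                findings.append((lineno, f"trap receiver {host}: no version given; "
                                         f"confirm it is SNMPv3 with authentication"))
            elif version in ("1", "2c"):
                msg = f"trap receiver {host} uses SNMPv{version}: community " \
                      f"'{credential}' travels in cleartext"
                if credential in DEFAULT_COMMUNITIES:
                    msg += " and is a factory default"
                findings.append((lineno, msg))
    return findings


# Constructed sample configuration.
SAMPLE_CONFIG = """\
snmp-server community public ro
snmp-server community private rw
snmp-server community n3tm0n-r0 ro
snmp-server host 192.168.1.100 public version 2c
snmp-server host 192.168.1.101 trapuser version 3
"""

if __name__ == "__main__":
    for lineno, msg in audit_snmp_config(SAMPLE_CONFIG):
        print(f"line {lineno}: {msg}")
```

Run against the constructed text the script reports lines 1, 2 and 4; the SNMPv3 receiver on line 5 and the non-default read-only community on line 3 pass. The same check can be pointed at the output of a configuration backup taken with “copy running-config” to a file server.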
CHAPTER 2 | Initial Switch Configuration Managing System Files
MANAGING SYSTEM FILES
The switch’s flash memory supports three types of system files that can be managed by the CLI program, web interface, or SNMP. The switch’s file system allows files to be uploaded and downloaded, copied, deleted, and set as a start-up file. The types of files are:
◆ Configuration — This file type stores system configuration information and is created when configuration settings are saved.
contain slashes (\ or /), and the leading letter of the file name must not be a period (.). (Valid characters: A-Z, a-z, 0-9, “.”, “-”, “_”) There can be more than one user-defined configuration file saved in the switch’s flash memory, but only one is designated as the “startup” file that is loaded when the switch boots. The copy running-config startup-config command always sets the new file as the startup file.
SECTION II WEB CONFIGURATION This section describes the basic switch features, along with a detailed description of how to configure each feature via a web browser.
3 USING THE WEB INTERFACE This switch provides an embedded HTTP web agent. Using a web browser you can configure the switch and view statistics to monitor network activity. The web agent can be accessed by any computer on the network using a standard web browser (Internet Explorer 6, Mozilla Firefox 4, or Google Chrome 29, or more recent versions). NOTE: You can also use the Command Line Interface (CLI) to manage the switch over a serial connection to the console port or via Telnet.
CHAPTER 3 | Using the Web Interface Navigating the Web Browser Interface
NOTE: Connection to the web interface is not supported for HTTPS using an IPv6 link local address.
NAVIGATING THE WEB BROWSER INTERFACE
To access the web-browser interface you must first enter a user name and password. The administrator has Read/Write access to all configuration parameters and statistics. The default user name and password for the administrator is “admin.
CONFIGURATION OPTIONS
Configurable parameters have a dialog box or a drop-down list. Once a configuration change has been made on a page, be sure to click on the Apply button to confirm the new setting. The following table summarizes the web page configuration buttons.
Table 5: Web Page Configuration Buttons
Button  Action
Apply   Sets specified values to the system.
MAIN MENU
Using the onboard web agent, you can define system parameters, manage and control the switch, and all its ports, or monitor network conditions. The following table briefly describes the selections available from this program.
Table 6: Switch Main Menu (Continued)
Menu                         Description                                                          Page
Interface                                                                                         149
Port                                                                                              150
General
Configure by Port List       Configures connection settings per port                              150
Configure by Port Range      Configures connection settings for a range of ports                  152
Show Information             Displays port connection status                                      153
Mirror                                                                                            154
Add                          Sets the source and target ports for mirroring                       154
Show                         Shows the configured mirror sessions                                 154
Statistics
Neighbors                    Displays configuration settings and operational state for the remote side of a link aggregation  182
Configure Trunk                                                                                   173
Configure                    Configures connection settings                                       173
Show                         Displays port connection status                                      173
Show Member                  Shows the active members in a trunk                                  173
Statistics                   Shows Interface, Etherlike, and RMON port statistics                 160
Chart                        Shows Interface,
Configure Interface                                                                               216
Add                          Maps a protocol group to a VLAN                                      216
Show                         Shows the protocol groups mapped to each VLAN                        216
IP Subnet                                                                                         219
Add                          Maps IP subnet traffic to a VLAN                                     219
Show                         Shows IP subnet to VLAN mapping                                      219
MAC-Based                                                                                         221
Add                          Maps traffic with specified source MAC address to a VLAN             221
Show                         Shows source MAC address to VLAN mapping                             221
Mirror
MSTP                         Multiple Spanning Tree Algorithm                                     255
Configure Global                                                                                  255
Add                          Configures initial VLAN and priority for an MST instance             255
Modify                       Configures the priority of an MST instance                           255
Show                         Configures global settings for an MST instance                       255
Add Member                   Adds VLAN members for an MST instance                                255
Show Member                  Adds or deletes VLAN members for an MST instance                     255
Show                         Shows configured class maps                                          286
Modify                       Modifies the name of a class map                                     286
Add Rule                     Configures the criteria used to classify ingress traffic             286
Show Rule                    Shows the traffic classification rules for a class map               286
Configure Policy                                                                                  289
Add                          Creates a policy map to apply to multiple interfaces                 289
Show                         Shows configured policy maps                                         289
Modify                       Modifi
Configure Service            Sets the accounting method applied to specific interfaces for 802.
Configure Host Key                                                                                346
Generate                     Generates the host key pair (public and private)                     346
Show                         Displays RSA and DSA host keys; deletes host keys                    346
Configure User Key                                                                                347
Copy                         Imports user public keys from TFTP server                            347
Show                         Displays RSA and DSA user keys; deletes user keys                    347
Access Control Lists                                                                              349
                             Configures the time to apply an ACL                                  351
Add                          Specifi
                             Shows the addresses to be allowed management access                  380
Port Security                Configures per port security, including status, response for security breach, and maximum allowed MAC addresses  382
Port Authentication          IEEE 802.
Port/Trunk Details           Displays detailed information about a remote device connected to this switch  436
Show Device Statistics                                                                            444
General                      Displays statistics for all connected remote devices                 444
Port/Trunk                   Displays statistics for remote devices on a selected port or trunk   444
Simple Network Management Protocol                                                                446
                             Enables SNMP agent status, and sets related trap
Remote Monitoring                                                                                 474
Alarm                        Sets threshold bounds for a monitored variable                       475
Event                        Creates a response event for an alarm                                477
Alarm                        Shows all configured alarms                                          475
Event                        Shows all configured events                                          477
History                      Periodically samples statistics on a physical interface              479
Statistics                   Enables collection of statistics on a physical interface             482
History                      Sho
Configure Details            Configures the archive hold time and fault notification settings     521
Show                         Shows list of configured maintenance domains                         521
Configure Maintenance Associations                                                                526
Add                          Defines a unique CFM service instance, identified by its parent MD, the MA index, the VLAN assigned to the MA, and the MIP creation method  526
Configure Details            Configures detail
Remote Loopback              Performs a loopback test on the specified port                       557
IP                                                                                                561
General
Ping                         Sends ICMP echo request packets to another node on the network       561
Trace Route                  Shows the route packets take to the specified destination            563
Address Resolution Protocol                                                                       564
Configure General            Sets the aging time for dynamic entries in the ARP cache             565
Show Information             Shows
Dynamic Host Configuration Protocol                                                               595
Client                       Specifies the DHCP client identifier for an interface                595
Relay                        Configures DHCP relay service for attached host devices, including DHCP option 82 information, and relay servers  596
DHCP Snooping                                                                                     404
Configure Global             Enables DHCP snooping globally, MAC-address verification, information option; and sets the informati
Filter                                                                                            629
Configure General            Enables IGMP filtering for the switch                                629
Configure Profile                                                                                 630
Add                          Adds IGMP filter profile; and sets access mode                       630
Show                         Shows configured IGMP filter profiles                                630
Add Multicast Group Range    Assigns multicast groups to selected profile                         630
Show Multicast Group Range   Shows multicast groups assigned to a profile                         630
                             Assigns IGMP
Configure Static Group Member                                                                     652
Add                          Statically assigns MVR multicast streams to an interface             652
Show                         Shows MVR multicast streams assigned to an interface                 652
Show Member                  Shows the multicast groups assigned to an MVR VLAN, the source address of the multicast services, and the interfaces with active subscribers  654
Show Statistics                                                                                   655
Show Query Statistics
4 BASIC MANAGEMENT TASKS
This chapter describes the following topics:
◆ Displaying System Information – Provides basic system description, including contact information.
◆ Displaying Hardware/Software Versions – Shows the hardware version, power status, and firmware versions.
◆ Configuring Support for Jumbo Frames – Enables support for jumbo frames.
◆ Displaying Bridge Extension Capabilities – Shows the bridge extension parameters.
CHAPTER 4 | Basic Management Tasks Displaying Hardware/Software Versions
PARAMETERS
These parameters are displayed:
◆ System Description – Brief description of device type.
◆ System Object ID – MIB II object ID for switch’s network management subsystem. (ES3528MV: 1.3.6.1.4.1.259.10.1.22.101; ES3528MV-DC: 1.3.6.1.4.1.259.10.1.22.102)
◆ System Up Time – Length of time the management agent has been up.
◆ System Name – Name assigned to the switch system.
PARAMETERS
The following parameters are displayed:
Main Board Information
◆ Serial Number – The serial number of the switch.
◆ Number of Ports – Number of built-in ports.
◆ Hardware Version – Hardware version of the main board.
◆ Main Power Status – Displays the status of the internal power supply.
Management Software Information
◆ Role – Shows that this switch is operating as Master or Slave.
CHAPTER 4 | Basic Management Tasks Configuring Support for Jumbo Frames
CONFIGURING SUPPORT FOR JUMBO FRAMES
Use the System > Capability page to configure support for layer 2 jumbo frames. The switch provides more efficient throughput for large sequential data transfers by supporting jumbo frames up to 10240 bytes for Gigabit Ethernet. Compared to standard Ethernet frames that run only up to 1.
CHAPTER 4 | Basic Management Tasks Displaying Bridge Extension Capabilities
DISPLAYING BRIDGE EXTENSION CAPABILITIES
Use the System > Capability page to display settings based on the Bridge MIB. The Bridge MIB includes extensions for managed devices that support Multicast Filtering, Traffic Classes, and Virtual LANs. You can access these extensions to display default settings for the key variables.
CHAPTER 4 | Basic Management Tasks Managing System Files
WEB INTERFACE
To view Bridge Extension information:
1. Click System, then Capability.
Figure 6: Displaying Bridge Extension Configuration
MANAGING SYSTEM FILES
This section describes how to upgrade the switch operating software or configuration files, and set the system start-up files.
COPYING FILES VIA FTP/TFTP OR HTTP
Use the System > File (Copy) page to upload/download firmware or configuration settings using FTP, TFTP or HTTP.
PARAMETERS
The following parameters are displayed:
◆ Copy Type – The firmware copy operation includes these options:
■ FTP Upgrade – Copies a file from an FTP server to the switch.
■ FTP Download – Copies a file from the switch to an FTP server.
■ HTTP Upgrade – Copies a file from a management station to the switch.
6. Set the file type to Operation Code.
7. Enter the name of the file to download.
8. Select a file on the switch to overwrite or specify a new file name.
9. Then click Apply.
Figure 7: Copy Firmware
If you replaced a file currently used for startup and want to start using the new file, reboot the system via the System > Reset menu.
NOTE: The maximum number of user-defined configuration files is limited only by available flash memory space.
WEB INTERFACE
To save the running configuration file:
1. Click System, then File.
2. Select Copy from the Action list.
3. Select Running-Config from the Copy Type list.
4. Select the current startup file on the switch to overwrite or specify a new file name.
5. Then click Apply.
Figure 9: Setting Start-Up Files
To start using the new firmware or configuration settings, reboot the system via the System > Reset menu.
SHOWING SYSTEM FILES
Use the System > File (Show) page to show the files in the system directory, or to delete a file.
NOTE: Files designated for start-up, and the Factory_Default_Config.cfg file, cannot be deleted.
AUTOMATIC OPERATION CODE UPGRADE
Use the System > File (Automatic Operation Code Upgrade) page to automatically download an operation code file when a file newer than the currently installed one is discovered on the file server. After the file is transferred from the server and successfully written to the file system, it is automatically set as the startup file, and the switch is rebooted.
◆ Note that the switch itself does not distinguish between upper and lower-case file names, and only checks to see if the file stored on the server is more recent than the current runtime image.
◆ If two operation code image files are already stored on the switch’s file system, then the non-startup image is deleted before the upgrade image is transferred.
ftp://[username[:password@]]host[/filedir]/
■ ftp:// – Defines FTP protocol for the server connection.
■ username – Defines the user name for the FTP connection. If the user name is omitted, then “anonymous” is the assumed user name for the connection.
■ password – Defines the password for the FTP connection.
■ ftp://switches:upgrade@192.168.0.1/switches/opcode/
The user name is “switches” and the password is “upgrade”. The image file is in the “opcode” directory, which is within the “switches” parent directory, relative to the FTP root.
WEB INTERFACE
To configure automatic code upgrade:
1. Click System, then File.
2. Select Automatic Operation Code Upgrade from the Action list.
3. Mark the check box to enable Automatic Opcode Upgrade.
4.
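The file server URL for automatic upgrade carries the FTP account in cleartext, so anything that logs or displays it (a configuration backup, a change ticket) exposes the password. The following Python parser is an added example, not the switch's own code: it splits a URL of the form described above into its parts, applies the documented “anonymous” default when no user name is given, normalises the directory to end in “/” as the guide's grammar requires, and produces a redacted form safe for logs. The sample URLs are the one from the guide plus constructed variants.

```python
"""Parse the ftp://[username[:password]@]host[/filedir]/ file server URL used by
Automatic Operation Code Upgrade, and render it with the password masked.

Added example, not the switch's own code.
"""
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit, unquote


@dataclass(frozen=True)
class FtpServerSpec:
    username: str           # "anonymous" when the URL names no user (documented default)
    password: Optional[str] # None when the URL carries no password
    host: str
    port: int
    directory: str          # always ends in "/", i.e. the directory holding the image
    anonymous: bool         # True when the user name was defaulted, not given

    def redacted(self) -> str:
        """The URL as it should appear in logs or tickets: password replaced by ***."""
        auth = ""
        if not self.anonymous:
            auth = self.username + (":***" if self.password is not None else "") + "@"
        port = "" if self.port == 21 else f":{self.port}"
        return f"ftp://{auth}{self.host}{port}{self.directory}"

    def image_path(self, filename: str) -> str:
        """Path of an image file inside the configured directory, relative to the FTP root."""
        if "/" in filename:
            raise ValueError("image file name must not contain a path")
        return self.directory + filename


def parse_ftp_server_url(url: str) -> FtpServerSpec:
    parts = urlsplit(url)
    if parts.scheme != "ftp":
        raise ValueError("file server URL must start with ftp://")
    if not parts.hostname:
        raise ValueError("file server URL has no host")
    username = unquote(parts.username) if parts.username else "anonymous"
    password = unquote(parts.password) if parts.password is not None else None
    directory = parts.path or "/"
    if not directory.endswith("/"):
        directory += "/"
    return FtpServerSpec(
        username=username,
        password=password,
        host=parts.hostname,
        port=parts.port or 21,   # raises ValueError on a malformed port
        directory=directory,
        anonymous=parts.username is None,
    )


if __name__ == "__main__":
    for url in ("ftp://switches:upgrade@192.168.0.1/switches/opcode/",   # from the guide
                "ftp://192.168.0.1/opcode",                                 # constructed
                "ftp://reader@192.168.0.1:2121/"):                          # constructed
        spec = parse_ftp_server_url(url)
        print(spec.redacted(), "->", spec.username, spec.directory)
```

The account named in this URL only needs read access to the image directory; keeping it separate from the account used to publish images limits what a captured configuration file gives away.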
CHAPTER 4 | Basic Management Tasks Setting the System Clock
SETTING THE SYSTEM CLOCK
Simple Network Time Protocol (SNTP) allows the switch to set its internal clock based on periodic updates from a time server (SNTP or NTP). Maintaining an accurate time on the switch enables the system log to record meaningful dates and times for event entries. You can also manually set the clock.
Figure 12: Manually Setting the System Clock
SETTING THE SNTP POLLING INTERVAL
Use the System > Time (Configure General - SNTP) page to set the polling interval at which the switch will query the specified time servers.
CLI REFERENCES
◆ "Time" on page 749
PARAMETERS
The following parameters are displayed:
◆ Current Time – Shows the current time set on the switch.
Figure 13: Setting the Polling Interval for SNTP
CONFIGURING NTP
Use the System > Time (Configure General - NTP) page to configure NTP authentication and show the polling interval at which the switch will query the specified time servers.
CLI REFERENCES
◆ "Time" on page 749
PARAMETERS
The following parameters are displayed:
◆ Current Time – Shows the current time set on the switch.
Figure 14: Configuring NTP
CONFIGURING TIME SERVERS
Use the System > Time (Configure Time Server) pages to specify the IP address for NTP/SNTP time servers, or to set the authentication key for NTP time servers.
SPECIFYING SNTP TIME SERVERS
Use the System > Time (Configure Time Server – Configure SNTP Server) page to specify the IP address for up to three SNTP time servers.
Figure 15: Specifying SNTP Time Servers
SPECIFYING NTP TIME SERVERS
Use the System > Time (Configure Time Server – Add NTP Server) page to add the IP address for up to 50 NTP time servers.
CLI REFERENCES
◆ "ntp server" on page 755
PARAMETERS
The following parameters are displayed:
◆ NTP Server IP Address – Adds the IPv4 or IPv6 address for up to 50 time servers.
Figure 16: Adding an NTP Time Server
To show the list of configured NTP time servers:
1. Click System, then Time.
2. Select Configure Time Server from the Step list.
3. Select Show NTP Server from the Action list.
Figure 17: Showing the NTP Time Server List
SPECIFYING NTP AUTHENTICATION KEYS
Use the System > Time (Configure Time Server – Add NTP Authentication Key) page to add an entry to the authentication key list.
WEB INTERFACE
To add an entry to the NTP authentication key list:
1. Click System, then Time.
2. Select Configure Time Server from the Step list.
3. Select Add NTP Authentication Key from the Action list.
4. Enter the index number and MD5 authentication key string.
5. Click Apply.
Figure 18: Adding an NTP Authentication Key
To show the list of configured NTP authentication keys:
1. Click System, then Time.
2.
SETTING THE TIME ZONE
Use the System > Time (Configure Time Server) page to set the time zone. SNTP uses Coordinated Universal Time (or UTC, formerly Greenwich Mean Time, or GMT) based on the time at the Earth’s prime meridian, zero degrees longitude, which passes through Greenwich, England. To display a time corresponding to your local time, you must indicate the number of hours and minutes your time zone is east (before) or west (after) of UTC.
CHAPTER 4 | Basic Management Tasks Configuring The Console Port
CONFIGURING THE CONSOLE PORT
Use the System > Console menu to configure connection parameters for the switch’s console port. You can access the onboard configuration program by attaching a VT100 compatible device to the switch’s serial console port. Management access through the console port is controlled by various parameters, including a password (only configurable through the CLI), timeouts, and basic communication settings.
CHAPTER 4 | Basic Management Tasks Configuring Telnet Settings
NOTE: The password for the console connection can only be configured through the CLI (see "password" on page 733).
NOTE: Password checking can be enabled or disabled for logging in to the console connection (see "login" on page 731). You can select authentication by a single global password as configured for the password command, or by passwords set up for specific user-name accounts. The default is for local passwords configured on the switch.
PARAMETERS
The following parameters are displayed:
◆ Telnet Status – Enables or disables Telnet access to the switch. (Default: Enabled)
◆ TCP Port – Sets the TCP port number for Telnet on the switch. (Range: 1-65535; Default: 23)
◆ Max Sessions – Sets the maximum number of Telnet sessions that can simultaneously connect to this system.
CHAPTER 4 | Basic Management Tasks Displaying CPU Utilization
Figure 22: Telnet Connection Settings
DISPLAYING CPU UTILIZATION
Use the System > CPU Utilization page to display information on CPU utilization.
CLI REFERENCES
◆ "show process cpu" on page 711
PARAMETERS
The following parameters are displayed:
◆ Time Interval – The interval at which to update the displayed utilization rate. (Options: 1, 5, 10, 30, 60 seconds; Default: 1 second)
◆ CPU Utilization – CPU utilization over specified interval.
CHAPTER 4 | Basic Management Tasks Displaying Memory Utilization
Figure 23: Displaying CPU Utilization
DISPLAYING MEMORY UTILIZATION
Use the System > Memory Status page to display memory utilization parameters.
CLI REFERENCES
◆ "show memory" on page 710
PARAMETERS
The following parameters are displayed:
◆ Free Size – The amount of memory currently free for use.
◆ Used Size – The amount of memory allocated to active processes.
◆ Total – The total amount of system memory.
CHAPTER 4 | Basic Management Tasks Resetting the System
RESETTING THE SYSTEM
Use the System > Reset menu to restart the switch immediately, at a specified time, after a specified delay, or at a periodic interval.
CLI REFERENCES
◆ "reload (Privileged Exec)" on page 696
◆ "reload (Global Configuration)" on page 692
◆ "show reload" on page 697
COMMAND USAGE
◆ This command resets the entire system.
◆ When the system is restarted, it will always run the Power-On Self-Test.
■ At – Specifies a time at which to reload the switch.
  ■ DD - The day of the month at which to reload. (Range: 01-31)
  ■ MM - The month at which to reload. (Range: 01-12)
  ■ YYYY - The year at which to reload. (Range: 1970-2037)
  ■ HH - The hour at which to reload. (Range: 00-23)
  ■ MM - The minute at which to reload. (Range: 00-59)
■ Regularly – Specifies a periodic interval at which to reload the switch.
Figure 25: Restarting the Switch (Immediately)
Figure 26: Restarting the Switch (In)
Figure 27: Restarting the Switch (At)
Figure 28: Restarting the Switch (Regularly)
5 INTERFACE CONFIGURATION This chapter describes the following topics: ◆ Port Configuration – Configures connection settings, including autonegotiation, or manual setting of speed, duplex mode, and flow control. ◆ Local Port Mirroring – Sets the source and target ports for mirroring on the local switch. ◆ Remote Port Mirroring – Configures mirroring of traffic from remote switches for analysis at a destination port on the local switch.
CHAPTER 5 | Interface Configuration Port Configuration PORT CONFIGURATION This section describes how to configure port connections, mirror traffic from one port to another, and run cable diagnostics. CONFIGURING BY Use the Interface > Port > General (Configure by Port List) page to enable/ PORT LIST disable an interface, set auto-negotiation and the interface capabilities to advertise, or manually fix the speed, duplex mode, and flow control.
CHAPTER 5 | Interface Configuration Port Configuration ◆ Media Type – Configures the forced/preferred port type to use for the combination ports (Ports 25-28). ■ Copper-Forced - Always uses the built-in RJ-45 port. ■ SFP-Forced 100FX - Always uses 100BASE-FX mode. ■ SFP-Forced 1000SFP - Always uses 1000BASE SFP mode. ■ ◆ SFP-Preferred-Auto - Uses SFP port if both combination types are functioning and the SFP port has a valid link. (This is the default for the combination ports.
CHAPTER 5 | Interface Configuration Port Configuration 3. Modify the required interface settings. 4. Click Apply. Figure 29: Configuring Connections by Port List CONFIGURING BY Use the Interface > Port > General (Configure by Port Range) page to PORT RANGE enable/disable an interface, set auto-negotiation and the interface capabilities to advertise, or manually fix the speed, duplex mode, and flow control.
CHAPTER 5 | Interface Configuration Port Configuration Figure 30: Configuring Connections by Port Range DISPLAYING Use the Interface > Port > General (Show Information) page to display the CONNECTION STATUS current connection status, including link state, speed/duplex mode, flow control, and auto-negotiation. CLI REFERENCES ◆ "show interfaces status" on page 987 PARAMETERS These parameters are displayed: ◆ Port – Port identifier. ◆ Type – Indicates the port type.
CHAPTER 5 | Interface Configuration Port Configuration Figure 31: Displaying Port Information CONFIGURING LOCAL Use the Interface > Port > Mirror page to mirror traffic from any source PORT MIRRORING port to a target port for real-time analysis. You can then attach a logic analyzer or RMON probe to the target port and study the traffic crossing the source port in a completely unobtrusive manner.
CHAPTER 5 | Interface Configuration Port Configuration ◆ The destination port cannot be a trunk or trunk member port. ◆ Note that Spanning Tree BPDU packets are not mirrored to the target port. PARAMETERS These parameters are displayed: ◆ Source Port – The port whose traffic will be monitored. ◆ Target Port – The port that will mirror the traffic on the source port. ◆ Type – Allows you to select which traffic to mirror to the target port, Rx (receive), Tx (transmit), or Both.
Figure 34: Displaying Local Port Mirror Sessions CONFIGURING REMOTE PORT MIRRORING Use the Interface > RSPAN page to mirror traffic from remote switches for analysis at a destination port on the local switch. This feature, also called Remote Switched Port Analyzer (RSPAN), carries traffic generated on the specified source ports for each session over a user-specified VLAN dedicated to that RSPAN session in all participating switches.
◆ Configuration Guidelines Take the following steps to configure an RSPAN session: 1. Use the VLAN Static List (see "Configuring VLAN Groups" on page 196) to reserve a VLAN for use by RSPAN (marking the “Remote VLAN” field on this page). (Default VLAN 1 is prohibited.) 2. Set up the source switch on the RSPAN configuration page by specifying the mirror session, the switch’s role (Source), the RSPAN VLAN, and the uplink port.
■ Port Security – If port security is enabled on any port, that port cannot be set as an RSPAN uplink port, even though it can still be configured as an RSPAN source or destination port. Also, when a port is configured as an RSPAN uplink port, port security cannot be enabled on that port. PARAMETERS These parameters are displayed: ◆ Session – A number identifying this RSPAN session.
◆ Destination Port – Specifies the destination port to monitor the traffic mirrored from the source ports. Only one destination port can be configured on the same switch per session, but a destination port can be configured on more than one switch for the same session. Also note that a destination port can still send and receive switched traffic, and participate in any Layer 2 protocols to which it has been assigned.
Figure 38: Configuring Remote Port Mirroring (Destination) SHOWING PORT OR TRUNK STATISTICS Use the Interface > Port/Trunk > Statistics or Chart page to display standard statistics on network traffic from the Interfaces Group and Ethernet-like MIBs, as well as a detailed breakdown of traffic based on the RMON MIB. Interfaces and Ethernet-like statistics display errors on the traffic passing through each port.
Table 7: Port Statistics (Continued) ◆ Transmitted Errors – The number of outbound packets that could not be transmitted because of errors. ◆ Received Unicast Packets – The number of subnetwork-unicast packets delivered to a higher-layer protocol.
Table 7: Port Statistics (Continued) ◆ Internal MAC Receive Errors – A count of frames for which reception on a particular interface fails due to an internal MAC sublayer receive error. ◆ Internal MAC Transmit Errors – A count of frames for which transmission on a particular interface fails due to an internal MAC sublayer transmit error.
WEB INTERFACE To show a list of port statistics: 1. Click Interface, Port, Statistics. 2. Select the statistics mode to display (Interface, Etherlike, RMON or Utilization). 3. Select a port from the drop-down list. 4. Use the Refresh button at the bottom of the page if you need to update the screen. Figure 39: Showing Port Statistics (Table) To show a chart of port statistics: 1. Click Interface, Port, Chart.
Figure 40: Showing Port Statistics (Chart) DISPLAYING TRANSCEIVER DATA Use the Interface > Port > Transceiver page to display identifying information and operational parameters for optical transceivers which support Digital Diagnostic Monitoring (DDM). CLI REFERENCES ◆ "show interfaces transceiver" on page 996 PARAMETERS These parameters are displayed: ◆ Port – Port number.
The switch can display diagnostic information for SFP modules which support the SFF-8472 Specification for Diagnostic Monitoring Interface for Optical Transceivers. This information allows administrators to remotely diagnose problems with optical devices. This feature, referred to as Digital Diagnostic Monitoring (DDM), provides information on transceiver parameters.
◆ "transceiver-threshold temperature" on page 993 ◆ "transceiver-threshold tx-power" on page 994 ◆ "transceiver-threshold voltage" on page 995 ◆ "show interfaces transceiver-threshold" on page 997 PARAMETERS These parameters are displayed: ◆ Port – Port number. (Range: 1-28) ◆ General – Information on connector type and vendor-related parameters.
The threshold value for Rx and Tx power is calculated as the power ratio in decibels (dB) of the measured power referenced to one milliwatt (mW). Threshold values for alarm and warning messages can be configured as described below. ■ A high-threshold alarm or warning message is sent if the current value is greater than or equal to the threshold, and the last sample value was less than the threshold.
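The dBm conversion and the threshold-crossing rule above, as an added example that is not the switch's or this guide's own code; the threshold values and power samples are constructed, and the mirror-image rule used for low thresholds is an assumption, since the page only spells out the high-threshold case.

```python
"""Added example, not code from the switch or this guide: models the DDM
power conversion and threshold-crossing rule described for the transceiver
threshold page. Thresholds below are constructed sample values in dBm."""
import math
from dataclasses import dataclass
from typing import List, Tuple


def mw_to_dbm(power_mw: float) -> float:
    """Express optical power as a ratio in dB referenced to 1 mW (dBm)."""
    if power_mw <= 0:
        raise ValueError("optical power must be positive")
    return 10.0 * math.log10(power_mw)


@dataclass(frozen=True)
class Thresholds:
    """High/low alarm and warning thresholds for one parameter (e.g. rx-power)."""
    high_alarm: float
    high_warning: float
    low_warning: float
    low_alarm: float


def check_thresholds(last: float, current: float, t: Thresholds) -> List[str]:
    """Return the messages raised by moving from `last` to `current`.

    High thresholds follow the page's rule: a message is sent when the current
    value is >= the threshold and the last sample was < the threshold, so a
    value that simply stays above the threshold does not repeat the message.
    Low thresholds use the mirror-image rule (an assumption in this example):
    current <= threshold and last > threshold.
    """
    messages = []
    for name, threshold in (("high-alarm", t.high_alarm),
                            ("high-warning", t.high_warning)):
        if current >= threshold and last < threshold:
            messages.append(name)
    for name, threshold in (("low-warning", t.low_warning),
                            ("low-alarm", t.low_alarm)):
        if current <= threshold and last > threshold:
            messages.append(name)
    return messages


def monitor(samples_mw: List[float], t: Thresholds) -> List[Tuple[int, List[str]]]:
    """Run the rule over a series of power samples in mW; the first sample has
    no previous value and therefore raises nothing."""
    events = []
    last = None
    for index, sample in enumerate(samples_mw):
        current = mw_to_dbm(sample)
        if last is not None:
            raised = check_thresholds(last, current, t)
            if raised:
                events.append((index, raised))
        last = current
    return events


# Constructed rx-power thresholds (dBm) for the demonstration.
RX_POWER = Thresholds(high_alarm=0.0, high_warning=-1.0,
                      low_warning=-20.0, low_alarm=-22.0)

if __name__ == "__main__":
    # Constructed samples: normal, slightly lower, then a sudden drop.
    print(monitor([1.0, 0.5, 0.005], RX_POWER))
```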
Figure 42: Configuring Transceiver Thresholds PERFORMING CABLE DIAGNOSTICS Use the Interface > Port > Cable Test page to test the cable attached to a port. The cable test will check for any cable faults (short, open, etc.). If a fault is found, the switch reports the length to the fault. Otherwise, it reports the cable length. It can be used to determine the quality of the cable, connectors, and terminations.
PARAMETERS These parameters are displayed: ◆ Port – Switch port identifier. ◆ Type – Displays media type. (FE – Fast Ethernet, GE – Gigabit Ethernet) ◆ Link Status – Shows if the port link is up or down. ◆ Test Result – The results include common cable failures, as well as the status and approximate distance to a fault, or the approximate cable length if no fault is found.
CHAPTER 5 | Interface Configuration Trunk Configuration TRUNK CONFIGURATION This section describes how to configure static and dynamic trunks. You can create multiple links between devices that work as one virtual, aggregate link. A port trunk offers a dramatic increase in bandwidth for network segments where bottlenecks exist, as well as providing a fault-tolerant link between two devices. You can create up to 12 trunks at a time on the switch.
CONFIGURING A STATIC TRUNK Use the Interface > Trunk > Static page to create a trunk, assign member ports, and configure the connection parameters.
5. Set the unit and port for the initial trunk member. 6. Click Apply. Figure 45: Creating Static Trunks To add member ports to a static trunk: 1. Click Interface, Trunk, Static. 2. Select Configure Trunk from the Step list. 3. Select Add Member from the Action list. 4. Select a trunk identifier. 5. Set the unit and port for an additional trunk member. 6. Click Apply.
Figure 47: Configuring Connection Parameters for a Static Trunk To display trunk connection parameters: 1. Click Interface, Trunk, Static. 2. Select Configure General from the Step list. 3. Select Show Information from the Action list.
CLI REFERENCES ◆ "Link Aggregation Commands" on page 1003 COMMAND USAGE ◆ To avoid creating a loop in the network, be sure you enable LACP before connecting the ports, and also disconnect the ports before disabling LACP. ◆ If the target switch has also enabled LACP on the connected ports, the trunk will be activated automatically. ◆ A trunk formed with another switch using LACP will automatically be assigned the next available trunk ID.
transmit LACPDU interval to 1 second. When it receives an LACPDU set with a long timeout from the actor, it adjusts the transmit LACPDU interval to 30 seconds. If the actor does not receive an LACPDU from its partner before the configured timeout expires, the partner port information will be deleted from the LACP group. When a dynamic port-channel member leaves a port-channel, the default timeout value will be restored on that port.
NOTE: Configuring LACP settings for a port only applies to its administrative state, not its operational state, and will only take effect the next time an aggregate link is established with that port. NOTE: Configuring the port partner sets the remote side of an aggregate link; i.e., the ports on the attached device. The command attributes have the same meaning as those used for the port actor.
Figure 51: Enabling LACP on a Port To configure LACP parameters for group members: 1. Click Interface, Trunk, Dynamic. 2. Select Configure Aggregation Port from the Step list. 3. Select Configure from the Action list. 4. Click Actor or Partner. 5. Configure the required settings. 6. Click Apply. Figure 52: Configuring LACP Parameters on a Port To show the active members of a dynamic trunk: 1. Click Interface, Trunk, Dynamic.
Figure 53: Showing Members of a Dynamic Trunk To configure connection parameters for a dynamic trunk: 1. Click Interface, Trunk, Dynamic. 2. Select Configure Trunk from the Step List. 3. Select Configure from the Action List. 4. Modify the required interface settings. (See "Configuring by Port List" on page 150 for a description of the interface settings.) 5. Click Apply.
DISPLAYING LACP PORT COUNTERS Use the Interface > Trunk > Dynamic (Configure Aggregation Port - Show Information - Counters) page to display statistics for LACP protocol messages. CLI REFERENCES ◆ "show lacp" on page 1012 PARAMETERS These parameters are displayed: Table 8: LACP Port Counters ◆ LACPDUs Sent – Number of valid LACPDUs transmitted from this channel group.
Figure 56: Displaying LACP Port Counters DISPLAYING LACP SETTINGS AND STATUS FOR THE LOCAL SIDE Use the Interface > Trunk > Dynamic (Configure Aggregation Port - Show Information - Internal) page to display the configuration settings and operational state for the local side of a link aggregation.
Table 9: LACP Internal Configuration Information (Continued) Admin State, Oper State (continued) ◆ Aggregation – The system considers this link to be aggregatable; i.e., a potential candidate for aggregation. ◆ Long timeout – Periodic transmission of LACPDUs uses a slow transmission rate. ◆ LACP-Activity – Activity control value with regard to this link.
DISPLAYING LACP SETTINGS AND STATUS FOR THE REMOTE SIDE Use the Interface > Trunk > Dynamic (Configure Aggregation Port - Show Information - Neighbors) page to display the configuration settings and operational state for the remote side of a link aggregation.
Figure 58: Displaying LACP Port Remote Information CONFIGURING LOAD BALANCING Use the Interface > Trunk > Load Balance page to set the load-distribution method used among ports in aggregated links. CLI REFERENCES ◆ "port channel load-balance" on page 1004 COMMAND USAGE ◆ This command applies to all static and dynamic trunks on the switch.
trunk. This mode works best for switch-to-router trunk links where traffic through the switch is received from and destined for many different hosts. ■ Source and Destination MAC Address: All traffic with the same source and destination MAC address is output on the same link in a trunk. This mode works best for switch-to-switch trunk links where traffic through the switch is received from and destined for many different hosts.
CHAPTER 5 | Interface Configuration Saving Power Figure 59: Configuring Load Balancing SAVING POWER Use the Interface > Green Ethernet page to enable power savings mode on the selected port. CLI REFERENCES ◆ "power-save" on page 1000 ◆ "show power-save" on page 1001 COMMAND USAGE ◆ IEEE 802.3 defines the Ethernet standard and subsequent power requirements based on cable connections operating at 100 meters.
NOTE: Power savings can only be implemented on Gigabit Ethernet ports when using twisted-pair cabling. Power-savings mode on an active link only works when the connection speed is 1 Gbps and the line length is less than 60 meters. PARAMETERS These parameters are displayed: ◆ Port – Power saving mode only applies to the Gigabit Ethernet ports using copper media.
CHAPTER 5 | Interface Configuration Traffic Segmentation TRAFFIC SEGMENTATION If tighter security is required for passing traffic from different clients through downlink ports on the local network and over uplink ports to the service provider, port-based traffic segmentation can be used to isolate traffic for individual clients. Data traffic on downlink ports is only forwarded to, and from, uplink ports. Traffic belonging to each client is isolated to the allocated downlink ports.
Figure 61: Enabling Traffic Segmentation CONFIGURING UPLINK AND DOWNLINK PORTS Use the Interface > Traffic Segmentation (Configure Session) page to assign the downlink and uplink ports to use in the segmented group. Ports designated as downlink ports cannot communicate with any other ports on the switch except for the uplink ports. Uplink ports can communicate with any other ports on the switch and with any designated downlink ports.
assigned downlink ports will not be able to communicate with any other ports. ◆ If a downlink port is not configured for the session, the assigned uplink ports will operate as normal ports. PARAMETERS These parameters are displayed: ◆ Session ID – Traffic segmentation session. (Range: 1-4) ◆ Direction – Adds an interface to the segmented group by setting the direction to uplink or downlink.
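The forwarding rule for uplink and downlink ports, including the two special cases above, as an added example that is not the switch's or this guide's own code; it models a single session, and the port numbers are constructed.

```python
"""Added example, not code from the switch or this guide: a model of the
port-based traffic segmentation forwarding rule for one session, with the
two special cases stated above (no uplink / no downlink configured).
Port numbers used below are constructed sample values."""
from enum import Enum
from typing import Iterable, List


class Role(Enum):
    UPLINK = "uplink"
    DOWNLINK = "downlink"
    NORMAL = "normal"      # port not assigned to this session


class SegmentationSession:
    def __init__(self, session_id: int, uplinks: Iterable[int] = (),
                 downlinks: Iterable[int] = ()):
        if not 1 <= session_id <= 4:
            raise ValueError("Session ID range is 1-4")
        self.session_id = session_id
        self.uplinks = frozenset(uplinks)
        self.downlinks = frozenset(downlinks)
        if self.uplinks & self.downlinks:
            raise ValueError("a port cannot be both uplink and downlink")

    def role(self, port: int) -> Role:
        if port in self.uplinks:
            return Role.UPLINK
        if port in self.downlinks:
            return Role.DOWNLINK
        return Role.NORMAL

    def may_forward(self, ingress: int, egress: int) -> bool:
        """Decide whether a frame received on `ingress` may leave on `egress`.

        Rules from the page:
        - a downlink port only talks to the session's uplink ports;
        - an uplink port talks to any other port on the switch;
        - with no uplink configured, downlink ports reach nothing;
        - with no downlink configured, uplink ports act as normal ports.
        The last two cases fall out of the first two without extra code.
        """
        if ingress == egress:
            return False
        src, dst = self.role(ingress), self.role(egress)
        if Role.DOWNLINK in (src, dst):
            other = dst if src is Role.DOWNLINK else src
            return other is Role.UPLINK
        return True   # uplink/normal ports are unrestricted among themselves

    def reachable(self, ingress: int, all_ports: Iterable[int]) -> List[int]:
        """Ports a frame from `ingress` may be forwarded or flooded to."""
        return sorted(p for p in all_ports if self.may_forward(ingress, p))


if __name__ == "__main__":
    # Constructed layout: uplinks 1-2 to the provider, three client downlinks.
    session = SegmentationSession(1, uplinks={1, 2}, downlinks={3, 4, 5})
    for port in (1, 3, 6):
        print(port, session.reachable(port, range(1, 29)))
```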
CHAPTER 5 | Interface Configuration VLAN Trunking To show the members of the traffic segmentation group: 1. Click Interface, Traffic Segmentation. 2. Select Configure Session from the Step list. 3. Select Show from the Action list. Figure 63: Showing Traffic Segmentation Members VLAN TRUNKING Use the Interface > VLAN Trunking page to allow unknown VLAN groups to pass through the specified interface.
connecting VLANs 1 and 2, you only need to create these VLAN groups in switches A and B. Switches C, D and E automatically allow frames with VLAN group tags 1 and 2 (groups that are unknown to those switches) to pass through their VLAN trunking ports. ◆ VLAN trunking is mutually exclusive with the “access” switchport mode (see "Adding Static Members to VLANs" on page 198).
Figure 65: Configuring VLAN Trunking
6 VLAN CONFIGURATION This chapter includes the following topics: ◆ IEEE 802.1Q VLANs – Configures static and dynamic VLANs. ◆ IEEE 802.1Q Tunneling – Configures QinQ tunneling to maintain customer-specific VLAN and Layer 2 protocol configurations across a service provider network, even when different customers use the same internal VLAN IDs. ◆ Protocol VLANs – Configures VLAN groups based on specified protocols.
CHAPTER 6 | VLAN Configuration IEEE 802.1Q VLANs VLANs provide greater network efficiency by reducing broadcast traffic, and allow you to make network changes without having to update IP addresses or IP subnets. VLANs inherently provide a high level of network security since traffic must pass through a configured Layer 3 link to reach a different VLAN. This switch supports the following VLAN features: ◆ Up to 4094 VLANs based on the IEEE 802.
VLAN Classification – When the switch receives a frame, it classifies the frame in one of two ways. If the frame is untagged, the switch assigns the frame to an associated VLAN (based on the default VLAN ID of the receiving port). But if the frame is tagged, the switch uses the tagged VLAN ID to identify the port broadcast domain of the frame.
Figure 67: Using GVRP (port-based VLAN diagram; port numbers omitted) Forwarding Tagged/Untagged Frames If you want to create a small port-based VLAN for devices attached directly to a single switch, you can assign ports to the same untagged VLAN. However, to participate in a VLAN group that crosses several switches, you should create a VLAN for that group and enable tagging on all ports.
◆ Remote VLAN – Reserves this VLAN for RSPAN (see "Configuring Remote Port Mirroring" on page 156). Modify ◆ VLAN ID – ID of configured VLAN (1-4094). ◆ VLAN Name – Name of the VLAN (1 to 32 characters). ◆ Status – Enables or disables the specified VLAN. Show ◆ VLAN ID – ID of configured VLAN. ◆ VLAN Name – Name of the VLAN. ◆ Status – Operational status of configured VLAN.
To modify the configuration settings for VLAN groups: 1. Click VLAN, Static. 2. Select Modify from the Action list. 3. Select the identifier of a configured VLAN. 4. Modify the VLAN name or operational status as required. 5. Click Apply. Figure 69: Modifying Settings for Static VLANs To show the configuration settings for VLAN groups: 1. Click VLAN, Static. 2. Select Show from the Action list.
CLI REFERENCES ◆ "Configuring VLAN Interfaces" on page 1133 ◆ "Displaying VLAN Information" on page 1139 PARAMETERS These parameters are displayed: Edit Member by VLAN ◆ VLAN – ID of configured VLAN (1-4094). ◆ Interface – Displays a list of ports or trunks. ◆ Port – Port Identifier. (Range: 1-28) ◆ Trunk – Trunk Identifier. (Range: 1-12) ◆ Mode – Indicates VLAN membership mode for an interface.
◆ If ingress filtering is disabled and a port receives frames tagged for VLANs for which it is not a member, these frames will be flooded to all other ports (except for those VLANs explicitly forbidden on this port). If ingress filtering is enabled and a port receives frames tagged for VLANs for which it is not a member, these frames will be discarded. Ingress filtering does not affect VLAN independent BPDU frames, such as GVRP or STP.
WEB INTERFACE To configure static members by the VLAN index: 1. Click VLAN, Static. 2. Select Edit Member by VLAN from the Action list. 3. Set the Interface type to display as Port or Trunk. 4. Modify the settings for any interface as required. 5. Click Apply. Figure 71: Configuring Static Members by VLAN Index To configure static members by interface: 1. Click VLAN, Static. 2. Select Edit Member by Interface from the Action list.
Figure 72: Configuring Static VLAN Members by Interface To configure static members by interface range: 1. Click VLAN, Static. 2. Select Edit Member by Interface Range from the Action list. 3. Set the Interface type to display as Port or Trunk. 4. Enter an interface range. 5. Modify the VLAN parameters as required.
CONFIGURING DYNAMIC VLAN Use the VLAN > Dynamic page to enable GVRP globally on the switch, or to enable GVRP and adjust the protocol timers per interface.
Show Dynamic VLAN – Show VLAN ◆ VLAN ID – Identifier of a VLAN this switch has joined through GVRP. ◆ VLAN Name – Name of a VLAN this switch has joined through GVRP. ◆ Status – Indicates if this VLAN is currently operational. (Display Values: Enabled, Disabled) Show Dynamic VLAN – Show VLAN Member ◆ VLAN – Identifier of a VLAN this switch has joined through GVRP. ◆ Interface – Displays a list of ports or trunks which have joined the selected VLAN through GVRP.
Figure 75: Configuring GVRP for an Interface To show the dynamic VLAN joined by this switch: 1. Click VLAN, Dynamic. 2. Select Show Dynamic VLAN from the Step list. 3. Select Show VLAN from the Action list. Figure 76: Showing Dynamic VLANs Registered on the Switch To show the members of a dynamic VLAN: 1. Click VLAN, Dynamic. 2. Select Show Dynamic VLAN from the Step list. 3. Select Show VLAN Members from the Action list.
CHAPTER 6 | VLAN Configuration IEEE 802.1Q Tunneling IEEE 802.1Q TUNNELING IEEE 802.1Q Tunneling (QinQ) is designed for service providers carrying traffic for multiple customers across their networks. QinQ tunneling is used to maintain customer-specific VLAN and Layer 2 protocol configurations even when different customers use the same internal VLAN IDs.
Layer 2 Flow for Packets Coming into a Tunnel Uplink Port An uplink port receives one of the following packets: ◆ Untagged ◆ One tag (CVLAN or SPVLAN) ◆ Double tag (CVLAN + SPVLAN) The ingress process does source and destination lookups. If both lookups are successful, the ingress process writes the packet to memory. Then the egress process transmits the packet. Packets entering a QinQ uplink port are processed in the following manner:
Configuration Limitations for QinQ ◆ The native VLAN of uplink ports should not be used as the SPVLAN. If the SPVLAN is the uplink port's native VLAN, the uplink port must be an untagged member of the SPVLAN. Then the outer SPVLAN tag will be stripped when the packets are sent out. Another reason is that it causes non-customer packets to be forwarded to the SPVLAN.
ENABLING QINQ TUNNELING ON THE SWITCH Use the VLAN > Tunnel (Configure Global) page to configure the switch to operate in IEEE 802.1Q (QinQ) tunneling mode, which is used for passing Layer 2 traffic across a service provider’s metropolitan area network. You can also globally set the Tag Protocol Identifier (TPID) value of the tunnel port if the attached client is using a nonstandard 2-byte ethertype to identify 802.1Q tagged frames.
Figure 79: Enabling QinQ Tunneling CREATING CVLAN TO SPVLAN MAPPING ENTRIES Use the VLAN > Tunnel (Configure Service) page to create a CVLAN to SPVLAN mapping entry.
◆ Service VLAN ID – VLAN ID for the outer VLAN tag. (Range: 1-4094) WEB INTERFACE To configure a mapping entry: 1. Click VLAN, Tunnel. 2. Select Configure Service from the Step list. 3. Select Add from the Action list. 4. Select an interface from the Port list. 5. Specify the CVID to SVID mapping for packets exiting the specified port. 6. Click Apply. Figure 80: Configuring CVLAN to SPVLAN Mapping Entries To show the mapping table:
The preceding example sets the SVID to 99 in the outer tag for egress packets exiting port 1 when the packet’s CVID is 2. For a more detailed example, see the switchport dot1q-tunnel service match cvid command. ADDING AN INTERFACE TO A QINQ TUNNEL Follow the guidelines in the preceding section to set up a QinQ tunnel on the switch. Then use the VLAN > Tunnel (Configure Interface) page to set the tunnel mode for any participating interface.
CHAPTER 6 | VLAN Configuration Protocol VLANs 4. Click Apply. Figure 82: Adding an Interface to a QinQ Tunnel PROTOCOL VLANS The network devices required to support multiple protocols cannot be easily grouped into a common VLAN. This may require non-standard devices to pass traffic between different VLANs in order to encompass all the devices participating in a specific protocol. This kind of configuration deprives users of the basic benefits of VLANs, including security and easy accessibility.
CONFIGURING PROTOCOL VLAN GROUPS Use the VLAN > Protocol (Configure Protocol - Add) page to create protocol groups. CLI REFERENCES ◆ "protocol-vlan protocol-group (Configuring Groups)" on page 1154 PARAMETERS These parameters are displayed: ◆ Frame Type – Choose either Ethernet, RFC 1042, or LLC Other as the frame type used by this protocol. ◆ Protocol Type – Specifies the protocol type to match. The available options are IP, ARP, RARP and IPv6.
Figure 83: Configuring Protocol VLANs To configure a protocol group: 1. Click VLAN, Protocol. 2. Select Configure Protocol from the Step list. 3. Select Show from the Action list. Figure 84: Displaying Protocol VLANs MAPPING PROTOCOL GROUPS TO INTERFACES Use the VLAN > Protocol (Configure Interface - Add) page to map a protocol group to a VLAN for each interface that will participate in the group.
◆ When a frame enters a port that has been assigned to a protocol VLAN, it is processed in the following manner: ■ If the frame is tagged, it will be processed according to the standard rules applied to tagged frames. ■ If the frame is untagged and the protocol type matches, the frame is forwarded to the appropriate VLAN. ■ If the frame is untagged but the protocol type does not match, the frame is forwarded to the default VLAN for this interface.
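The ingress classification rules of this chapter (untagged frames to the PVID, tagged frames subject to ingress filtering, and the protocol VLAN rules just listed) combined in one classifier, as an added example that is not the switch's or this guide's own code; the port settings and frames are constructed.

```python
"""Added example, not code from the switch or this guide: ingress VLAN
classification for one port, combining the PVID rule for untagged frames,
the ingress-filtering rule for tagged frames and the protocol-VLAN rule
described in this chapter. Frames and port settings are constructed."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple


@dataclass(frozen=True)
class ProtocolGroup:
    """A protocol group as configured on the VLAN > Protocol page."""
    frame_type: str   # "Ethernet", "RFC 1042" or "LLC Other"
    protocol: str     # "IP", "ARP", "RARP" or "IPv6"


@dataclass
class Port:
    pvid: int                                   # default VLAN ID of the port
    member_vlans: Set[int]                      # VLANs the port belongs to
    forbidden_vlans: Set[int] = field(default_factory=set)
    ingress_filtering: bool = True
    protocol_vlans: Dict[ProtocolGroup, int] = field(default_factory=dict)


@dataclass(frozen=True)
class Frame:
    vid: Optional[int]        # None when the frame is untagged
    frame_type: str
    protocol: str
    bpdu: bool = False        # VLAN-independent control frame (STP, GVRP)


def classify(port: Port, frame: Frame) -> Tuple[str, Optional[int]]:
    """Return (action, vlan) where action is 'forward', 'flood' or 'discard'."""
    if frame.bpdu:
        # Ingress filtering does not apply to VLAN-independent BPDUs.
        return ("forward", None)
    if frame.vid is None:
        # Untagged: a matching protocol group wins, otherwise the port's PVID.
        group = ProtocolGroup(frame.frame_type, frame.protocol)
        return ("forward", port.protocol_vlans.get(group, port.pvid))
    # Tagged: the tag identifies the broadcast domain.
    if frame.vid in port.member_vlans:
        return ("forward", frame.vid)
    if port.ingress_filtering:
        return ("discard", frame.vid)          # not a member: drop
    if frame.vid in port.forbidden_vlans:
        return ("discard", frame.vid)          # explicitly forbidden here
    return ("flood", frame.vid)                # filtering off: flood to others


# Constructed port: PVID 1, member of VLANs 1 and 10, VLAN 99 forbidden,
# IPv6 over Ethernet II mapped to protocol VLAN 20.
ACCESS_PORT = Port(pvid=1, member_vlans={1, 10}, forbidden_vlans={99},
                   protocol_vlans={ProtocolGroup("Ethernet", "IPv6"): 20})

if __name__ == "__main__":
    for f in (Frame(None, "Ethernet", "IP"), Frame(None, "Ethernet", "IPv6"),
              Frame(10, "Ethernet", "IP"), Frame(30, "Ethernet", "IP")):
        print(f, "->", classify(ACCESS_PORT, f))
```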
Figure 85: Assigning Interfaces to Protocol VLANs To show the protocol groups mapped to a port or trunk: 1. Click VLAN, Protocol. 2. Select Configure Interface from the Step list. 3. Select Show from the Action list. 4. Select a port or trunk.
CHAPTER 6 | VLAN Configuration Configuring IP Subnet VLANs CONFIGURING IP SUBNET VLANS Use the VLAN > IP Subnet page to configure IP subnet-based VLANs. When using port-based classification, all untagged frames received by a port are classified as belonging to the VLAN whose VID (PVID) is associated with that port. When IP subnet-based VLAN classification is enabled, the source address of untagged ingress frames is checked against the IP subnet-to-VLAN mapping table.
WEB INTERFACE To map an IP subnet to a VLAN: 1. Click VLAN, IP Subnet. 2. Select Add from the Action list. 3. Enter an address in the IP Address field. 4. Enter a mask in the Subnet Mask field. 5. Enter the identifier in the VLAN field. Note that the specified VLAN need not already be configured. 6. Enter a value to assign to untagged frames in the Priority field. 7. Click Apply.
CHAPTER 6 | VLAN Configuration Configuring MAC-based VLANs CONFIGURING MAC-BASED VLANS Use the VLAN > MAC-Based page to configure VLAN based on MAC addresses. The MAC-based VLAN feature assigns VLAN IDs to ingress untagged frames according to source MAC addresses. When MAC-based VLAN classification is enabled, untagged frames received by a port are assigned to the VLAN which is mapped to the frame’s source MAC address.
CHAPTER 6 | VLAN Configuration Configuring VLAN Mirroring 6. Click Apply. Figure 89: Configuring MAC-Based VLANs To show the MAC addresses mapped to a VLAN: 1. Click VLAN, MAC-Based. 2. Select Show from the Action list. Figure 90: Showing MAC-Based VLANs CONFIGURING VLAN MIRRORING Use the VLAN > Mirror (Add) page to mirror traffic from one or more source VLANs to a target port for real-time analysis.
◆ When VLAN mirroring and port mirroring are both enabled, the target port can receive a mirrored packet twice: once from the source mirror port and again from the source mirrored VLAN. ◆ The target port receives traffic from all monitored source VLANs and can become congested. Some mirror traffic may therefore be dropped from the target port.
CHAPTER 6 | VLAN Configuration Configuring VLAN Translation To show the VLANs to be mirrored: 1. Click VLAN, Mirror. 2. Select Show from the Action list. Figure 92: Showing the VLANs to Mirror CONFIGURING VLAN TRANSLATION Use the VLAN > Translation (Add) page to map VLAN IDs between the customer and service provider for networks that do not support IEEE 802.1Q tunneling.
◆ If VLAN translation is set on an interface, and the same interface is also configured as a QinQ access port on the VLAN > Tunnel (Configure Interface) page, VLAN tag assignments will be determined by the QinQ process, not by VLAN translation. PARAMETERS These parameters are displayed: ◆ Old VLAN – The original VLAN ID. (Range: 1-4094) ◆ New VLAN – The new VLAN ID. (Range: 1-4094) WEB INTERFACE To configure VLAN translation:
7 ADDRESS TABLE SETTINGS Switches store the addresses for all known devices. This information is used to pass traffic directly between the inbound and outbound ports. All the addresses learned by monitoring traffic are stored in the dynamic address table. You can also manually configure static addresses that are bound to a specific port. This chapter describes the following topics: ◆ MAC Address Learning – Enables or disables address learning on an interface.
CHAPTER 7 | Address Table Settings Configuring MAC Address Learning ◆ Also note that MAC address learning cannot be disabled if any of the following conditions exist: ■ 802.1X Port Authentication has been globally enabled on the switch (see "Configuring 802.1X Global Settings" on page 386). ■ Security Status (see "Configuring Port Security" on page 382) is enabled on the same interface. PARAMETERS These parameters are displayed: ◆ Interface – Displays a list of ports or trunks.
CHAPTER 7 | Address Table Settings Setting Static Addresses SETTING STATIC ADDRESSES Use the MAC Address > Static page to configure static MAC addresses. A static address can be assigned to a specific interface on this switch. Static addresses are bound to the assigned interface and will not be moved. When a static address is seen on another interface, the address will be ignored and will not be written to the address table.
WEB INTERFACE To configure a static MAC address: 1. Click MAC Address, Static. 2. Select Add from the Action list. 3. Specify the VLAN, the port or trunk to which the address will be assigned, the MAC address, and the time to retain this entry. 4. Click Apply. Figure 97: Configuring Static MAC Addresses To show the static addresses in the MAC address table: 1. Click MAC Address, Static. 2. Select Show from the Action list.
CHAPTER 7 | Address Table Settings Changing the Aging Time CHANGING THE AGING TIME Use the MAC Address > Dynamic (Configure Aging) page to set the aging time for entries in the dynamic address table. The aging time is used to age out dynamically learned forwarding information. CLI REFERENCES ◆ "mac-address-table aging-time" on page 1059 PARAMETERS These parameters are displayed: ◆ Aging Status – Enables/disables the function. ◆ Aging Time – The time after which a learned entry is discarded.
CHAPTER 7 | Address Table Settings Displaying the Dynamic Address Table DISPLAYING THE DYNAMIC ADDRESS TABLE Use the MAC Address > Dynamic (Show Dynamic MAC) page to display the MAC addresses learned by monitoring the source address for traffic entering the switch. When the destination address for inbound traffic is found in the database, the packets intended for that address are forwarded directly to the associated port. Otherwise, the traffic is flooded to all ports.
Figure 100: Displaying the Dynamic MAC Address Table
CLEARING THE DYNAMIC ADDRESS TABLE
Use the MAC Address > Dynamic (Clear Dynamic MAC) page to remove any learned entries from the forwarding database.
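The following simulation ties together the behaviours this chapter describes for the forwarding database: a static address stays bound to its interface and is ignored when seen elsewhere, learned addresses age out after the aging time, unknown destinations are flooded, and the Clear Dynamic MAC page removes only learned entries. It is an added example written for this guide, not the switch's firmware; the interface numbers, MAC addresses and aging time are constructed sample values.

```python
"""Simulation of the switch forwarding database described in this chapter.

Added example, not the switch's own firmware: it models static entries bound to an
interface, dynamic learning of source addresses, aging of learned entries, lookup
that floods unknown destinations, and clearing of the dynamic entries. Interface
numbers and MAC addresses below are constructed sample values.
"""
from dataclasses import dataclass

FLOOD = "flood"  # returned by lookup() when the destination is not in the table


@dataclass
class Entry:
    port: int
    static: bool
    last_seen: float  # seconds; not used for static entries


class MacTable:
    def __init__(self, aging_time=300.0, aging_enabled=True):
        self.aging_time = aging_time
        self.aging_enabled = aging_enabled
        self.entries = {}               # (vlan, mac) -> Entry
        self.learning_disabled = set()  # ports with MAC address learning turned off

    @staticmethod
    def _key(vlan, mac):
        return vlan, mac.lower()

    def add_static(self, vlan, mac, port):
        """Bind an address to one interface; it is never moved or aged."""
        self.entries[self._key(vlan, mac)] = Entry(port, True, 0.0)

    def learn(self, vlan, src_mac, port, now):
        """Learn the source address of a frame entering on `port`; returns a result code."""
        key = self._key(vlan, src_mac)
        cur = self.entries.get(key)
        if cur is not None and cur.static:
            # A static address seen on another interface is ignored, not rewritten.
            return "static-unchanged"
        if port in self.learning_disabled:
            return "learning-off"
        self.entries[key] = Entry(port, False, now)
        return "refreshed" if cur is not None else "learned"

    def lookup(self, vlan, dst_mac):
        """Return the egress port for a destination, or FLOOD if it is unknown."""
        e = self.entries.get(self._key(vlan, dst_mac))
        return e.port if e is not None else FLOOD

    def age(self, now):
        """Discard dynamic entries not seen within the aging time; returns the count."""
        if not self.aging_enabled:
            return 0
        stale = [k for k, e in self.entries.items()
                 if not e.static and now - e.last_seen > self.aging_time]
        for k in stale:
            del self.entries[k]
        return len(stale)

    def clear_dynamic(self):
        """Equivalent of the Clear Dynamic MAC page: static entries survive."""
        dyn = [k for k, e in self.entries.items() if not e.static]
        for k in dyn:
            del self.entries[k]
        return len(dyn)


def demo():
    """Walk through the behaviours the chapter describes and return what was observed."""
    t = MacTable(aging_time=300)
    t.add_static(1, "00:11:22:33:44:55", port=3)
    obs = {}
    obs["learn_new"] = t.learn(1, "AA:BB:CC:DD:EE:01", port=5, now=0)
    obs["static_seen_elsewhere"] = t.learn(1, "00:11:22:33:44:55", port=7, now=1)
    obs["static_port"] = t.lookup(1, "00:11:22:33:44:55")      # still port 3
    obs["known_dst"] = t.lookup(1, "aa:bb:cc:dd:ee:01")        # port 5
    obs["unknown_dst"] = t.lookup(1, "aa:bb:cc:dd:ee:99")      # flooded
    obs["aged_out"] = t.age(now=400)                           # the learned entry expires
    obs["after_aging"] = t.lookup(1, "aa:bb:cc:dd:ee:01")      # flooded again
    obs["static_survives"] = t.lookup(1, "00:11:22:33:44:55")  # port 3
    return obs


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The `learn()` result codes make the table's decisions visible to a caller, which is the same information a syslog entry or the Show Dynamic MAC page gives an operator: whether an address was learned on a port, refreshed, refused because learning is off, or left alone because a static binding already owns it.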
Figure 101: Clearing Entries in the Dynamic MAC Address Table
CONFIGURING MAC ADDRESS MIRRORING
Use the MAC Address > Mirror (Add) page to mirror traffic matching a specified source address from any port on the switch to a target port for real-time analysis. You can then attach a logic analyzer or RMON probe to the target port and study the traffic crossing the source port in a completely unobtrusive manner.
◆ Target Port – The port that will mirror the traffic from the source port. (Range: 1-28)
WEB INTERFACE
To mirror packets based on a MAC address:
1. Click MAC Address, Mirror.
2. Select Add from the Action list.
3. Specify the source MAC address and destination port.
4. Click Apply.
Figure 102: Mirroring Packets Based on the Source MAC Address
To show the MAC addresses to be mirrored:
1. Click MAC Address, Mirror.
2.
8 SPANNING TREE ALGORITHM
This chapter describes the following basic topics:
◆ Loopback Detection – Configures detection and response to loopback BPDUs.
◆ Global Settings for STA – Configures global bridge settings for STP, RSTP and MSTP.
◆ Interface Settings for STA – Configures interface settings for STA, including priority, path cost, link type, and designation as an edge port.
CHAPTER 8 | Spanning Tree Algorithm
Overview
lowest cost spanning tree, it enables all root ports and designated ports, and disables all other ports. Network packets are therefore only forwarded between root ports and designated ports, eliminating any possible network loops.
Figure 105: MSTP Region, Internal Spanning Tree, Multiple Spanning Tree (figure labels: IST (for this Region), Region R, MST 1, MST 2)
An MST Region consists of a group of interconnected bridges that have the same MST Configuration Identifiers (including the Region Name, Revision Level and Configuration Digest – see "Configuring Multiple Spanning Trees" on page 255). An MST Region may contain multiple MSTP Instances.
CONFIGURING LOOPBACK DETECTION
Use the Spanning Tree > Loopback Detection page to configure loopback detection on an interface. When loopback detection is enabled and a port or trunk receives its own BPDU, the detection agent drops the loopback BPDU, sends an SNMP trap, and places the interface in discarding mode. This loopback state can be released manually or automatically.
◆ Shutdown Interval – The duration to shut down the interface. (Range: 60-86400 seconds; Default: 60 seconds)
If an interface is shut down due to a detected loopback, and the release mode is set to “Auto,” the selected interface will be automatically enabled when the shutdown interval has expired.
CONFIGURING GLOBAL SETTINGS FOR STA
Use the Spanning Tree > STA (Configure Global - Configure) page to configure global settings for the spanning tree that apply to the entire switch.
CLI REFERENCES
◆ "Spanning Tree Commands" on page 1065
COMMAND USAGE
◆ Spanning Tree Protocol – This option uses RSTP set to STP forced compatibility mode. It uses RSTP for the internal state machine, but sends only 802.1D BPDUs.
■ Be careful when switching between spanning tree modes. Changing modes stops all spanning-tree instances for the previous mode and restarts the system in the new mode, temporarily disrupting user traffic.
PARAMETERS
These parameters are displayed:
Basic Configuration of Global Settings
◆ Spanning Tree Status – Enables/disables STA on this switch.
Advanced Configuration Settings
The following attributes are based on RSTP, but also apply to STP since the switch uses a backwards-compatible subset of RSTP to implement STP, and also apply to MSTP which is based on RSTP according to the standard:
◆ Path Cost Method – The path cost is used to determine the best path between devices. The path cost method is used to determine the range of values that can be assigned to each interface.
RSTP does not depend on the forward delay timer in most cases. It is able to confirm that a port can transition to the forwarding state without having to rely on any timer configuration. To achieve fast convergence, RSTP relies on the use of edge ports, and automatic detection of point-to-point link types, both of which allow a port to directly transition to the forwarding state.
Figure 108: Configuring Global Settings for STA (STP)
Figure 109: Configuring Global Settings for STA (RSTP)
Figure 110: Configuring Global Settings for STA (MSTP)
DISPLAYING GLOBAL SETTINGS FOR STA
Use the Spanning Tree > STA (Configure Global - Show Information) page to display a summary of the current bridge STA information that applies to the entire switch.
◆ Root Port – The number of the port on this switch that is closest to the root. This switch communicates with the root device through this port. If there is no root port, then this switch has been accepted as the root device of the Spanning Tree network.
◆ Root Path Cost – The path cost from the root port on this switch to the root device.
◆ Configuration Changes – The number of times the Spanning Tree has been reconfigured.
CLI REFERENCES
◆ "Spanning Tree Commands" on page 1065
PARAMETERS
These parameters are displayed:
◆ Interface – Displays a list of ports or trunks.
◆ Spanning Tree – Enables/disables STA on this interface. (Default: Enabled)
◆ BPDU Flooding – Enables/disables the flooding of BPDUs to other ports when global spanning tree is disabled (page 242) or when spanning tree is disabled on a specific port.
Table 13: Default STA Path Costs
Port Type           IEEE 802.1D-1998   IEEE 802.1w-2001
Ethernet            65,535             1,000,000
Fast Ethernet       65,535             100,000
Gigabit Ethernet    10,000             10,000
◆ Admin Link Type – The link type attached to this interface.
■ Point-to-Point – A connection to exactly one other bridge.
■ Shared – A connection to two or more bridges.
An interface cannot function as an edge port under the following conditions:
■ If spanning tree mode is set to STP (page 242), edge-port mode cannot automatically transition to operational edge-port state using the automatic setting.
■ If loopback detection is enabled (page 240) and a loopback BPDU is detected, the interface cannot function as an edge port until the loopback state is released.
Figure 112: Configuring Interface Settings for STA
DISPLAYING INTERFACE SETTINGS FOR STA
Use the Spanning Tree > STA (Configure Interface - Show Information) page to display the current status of ports or trunks in the Spanning Tree.
CLI REFERENCES
◆ "show spanning-tree" on page 1090
PARAMETERS
These parameters are displayed:
◆ Spanning Tree – Shows if STA has been enabled on this interface.
The rules defining port status are:
■ A port on a network segment with no other STA compliant bridging device is always forwarding.
■ If two ports of a switch are connected to the same segment and there is no other STA device attached to this segment, the port with the smaller ID forwards packets and the other is discarding.
Figure 113: STA Port Roles (figure legend: R: Root Port, A: Alternate Port, D: Designated Port, B: Backup Port)
An alternate port receives more useful BPDUs from another bridge and is therefore not selected as the designated port. A backup port receives more useful BPDUs from the same bridge and is therefore not selected as the designated port.
WEB INTERFACE
To display interface settings for STA:
1.
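The Root Port and Root Path Cost values shown on the Show Information pages are the outcome of the election the chapter outlines: the bridge with the lowest (priority, MAC) bridge ID becomes root, and every other bridge picks the port on which the lowest-cost path to the root arrives. The following computation reproduces that election over a constructed three-bridge topology using the IEEE 802.1w path costs from Table 13. It is an added example, not the switch's firmware; ties are broken in the order STA uses (lower sender bridge ID, then lower sender port, then lower receiving port), and the bridge names, MACs and port numbers are sample values.

```python
"""Root bridge election and root-port selection, the computation whose results the
Show Information pages above display (Root Port, Root Path Cost).

Added example, not the switch's firmware: bridge IDs are compared as (priority, MAC),
path costs come from the IEEE 802.1w column of Table 13, and ties are broken in the
order STA uses (lower sender bridge ID, then lower sender port, then lower receiving
port). The three-bridge topology is constructed for the demonstration.
"""
import heapq

# IEEE 802.1w-2001 default path costs from Table 13, keyed by port speed.
PATH_COST = {"ethernet": 1_000_000, "fast": 100_000, "gigabit": 10_000}


def bridge_id(priority, mac):
    """Lower (priority, MAC) wins; the default priority is 32768."""
    return (priority, mac.lower())


def compute_sta(bridges, links):
    """bridges: {name: (priority, mac)}; links: [(a, port_a, b, port_b, speed)].

    Returns {"root": name, name: {"root_path_cost": int, "root_port": int|None}, ...}.
    """
    ids = {n: bridge_id(*v) for n, v in bridges.items()}
    root = min(ids, key=ids.get)

    # Adjacency: bridge -> [(neighbour, neighbour_port, own_port, path cost of the link)]
    adj = {n: [] for n in bridges}
    for a, pa, b, pb, speed in links:
        cost = PATH_COST[speed]
        adj[a].append((b, pb, pa, cost))
        adj[b].append((a, pa, pb, cost))

    # Priority vector: (root path cost, sender bridge ID, sender port, receiving port).
    # Dijkstra over these vectors selects, per bridge, the best BPDU it would receive.
    best = {}
    heap = [((0, ids[root], 0, 0), root)]
    while heap:
        vec, n = heapq.heappop(heap)
        if n in best:
            continue
        best[n] = vec
        for nb, nb_port, own_port, cost in adj[n]:
            if nb not in best:
                # A BPDU sent by n on own_port is received by nb on nb_port; the
                # receiving port's path cost is added to the advertised root path cost.
                heapq.heappush(heap, ((vec[0] + cost, ids[n], own_port, nb_port), nb))

    result = {"root": root}
    for n, (cost, _sender, _sender_port, rport) in best.items():
        # The root has no root port: it is the root device of the tree (see Root Port above).
        result[n] = {"root_path_cost": cost, "root_port": None if n == root else rport}
    return result


# Constructed topology: C has the lowest priority, so it becomes the root.
BRIDGES = {
    "A": (32768, "00:00:00:00:00:01"),
    "B": (32768, "00:00:00:00:00:02"),
    "C": (4096, "00:00:00:00:00:03"),
}
LINKS = [("A", 1, "C", 1, "fast"), ("B", 1, "C", 2, "gigabit"), ("A", 2, "B", 2, "fast")]

if __name__ == "__main__":
    for name, info in compute_sta(BRIDGES, LINKS).items():
        print(name, info)
```

For bridge A the direct Fast Ethernet link to the root costs 100,000, while the detour through B costs 10,000 + 100,000, so port 1 becomes A's root port; changing the A–C link to "gigabit" would make the direct path cheaper still, which is the effect an operator sees when adjusting an interface's path cost on the Configure Interface page.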
CONFIGURING MULTIPLE SPANNING TREES
Use the Spanning Tree > MSTP (Configure Global) page to create an MSTP instance, or to add VLAN groups to an MSTP instance.
CLI REFERENCES
◆ "Spanning Tree Commands" on page 1065
COMMAND USAGE
MSTP generates a unique spanning tree for each instance.
WEB INTERFACE
To create instances for MSTP:
1. Click Spanning Tree, MSTP.
2. Select Configure Global from the Step list.
3. Select Add from the Action list.
4. Specify the MST instance identifier and the initial VLAN member. Additional members can be added using the Spanning Tree > MSTP (Configure Global - Add Member) page. If the priority is not specified, the default value 32768 is used.
5. Click Apply.
To modify the priority for an MST instance:
1. Click Spanning Tree, MSTP.
2. Select Configure Global from the Step list.
3. Select Modify from the Action list.
4. Modify the priority for an MSTP Instance.
5. Click Apply.
Figure 117: Modifying the Priority for an MST Instance
To display global settings for MSTP:
1. Click Spanning Tree, MSTP.
2. Select Configure Global from the Step list.
3.
To add additional VLAN groups to an MSTP instance:
1. Click Spanning Tree, MSTP.
2. Select Configure Global from the Step list.
3. Select Add Member from the Action list.
4. Select an MST instance from the MST ID list.
5. Enter the VLAN group to add to the instance in the VLAN ID field. Note that the specified member does not have to be a configured VLAN.
6.
CONFIGURING INTERFACE SETTINGS FOR MSTP
Use the Spanning Tree > MSTP (Configure Interface - Configure) page to configure the STA interface settings for an MST instance.
CLI REFERENCES
◆ "Spanning Tree Commands" on page 1065
PARAMETERS
These parameters are displayed:
◆ MST ID – Instance identifier to configure. (Default: 0)
◆ Interface – Displays a list of ports or trunks.
The recommended range is listed in Table 12 on page 249. The default path costs are listed in Table 13 on page 250.
WEB INTERFACE
To configure MSTP parameters for a port or trunk:
1. Click Spanning Tree, MSTP.
2. Select Configure Interface from the Step list.
3. Select Configure from the Action list.
4. Enter the priority and path cost for an interface.
5. Click Apply.
9 CONGESTION CONTROL
The switch can set the maximum upload or download data transfer rate for any port. It can also control traffic storms by setting a maximum threshold for broadcast traffic or multicast traffic. It can also set bounding thresholds for broadcast and multicast storms which can be used to automatically trigger rate limits or to shut down a port. Congestion Control includes the following options:
◆ Rate Limiting – Sets the input and output rate limits for a port.
CHAPTER 9 | Congestion Control Storm Control
◆ Rate – Sets the rate limit level. (Range: 64 - 100,000 kbits per second for Fast Ethernet ports; 64 - 1,000,000 kbits per second for Gigabit Ethernet ports)
WEB INTERFACE
To configure rate limits:
1. Click Traffic, Rate Limit.
2. Set the interface type to Port or Trunk.
3. Enable the Rate Limit Status for the required interface.
4. Set the rate limit for the individual ports.
5. Click Apply.
◆ When traffic exceeds the threshold specified for broadcast and multicast or unknown unicast traffic, packets exceeding the threshold are dropped until the rate falls back down beneath the threshold.
◆ Traffic storms can be controlled at the hardware level using Storm Control or at the software level using Automatic Traffic Control which triggers various control responses. However, only one of these control types can be applied to a port.
Figure 124: Configuring Storm Control
AUTOMATIC TRAFFIC CONTROL
Use the Traffic > Congestion Control > Auto Traffic Control pages to configure bounding thresholds for broadcast and multicast storms which can automatically trigger rate limits or shut down a port.
CLI REFERENCES
◆ "Automatic Traffic Control Commands" on page 1031
COMMAND USAGE
ATC includes storm control for broadcast or multicast traffic.
The key elements of this diagram are described below:
◆ Alarm Fire Threshold – The highest acceptable traffic rate. When ingress traffic exceeds the threshold, ATC sends a Storm Alarm Fire Trap and logs it.
◆ When traffic exceeds the alarm fire threshold and the apply timer expires, a traffic control response is applied, and a Traffic Control Apply Trap is sent and logged.
SETTING THE ATC TIMERS
Use the Traffic > Auto Traffic Control (Configure Global) page to set the time at which to apply the control response after ingress traffic has exceeded the upper threshold, and the time at which to release the control response after ingress traffic has fallen beneath the lower threshold.
Figure 127: Configuring ATC Timers
CONFIGURING ATC THRESHOLDS AND RESPONSES
Use the Traffic > Auto Traffic Control (Configure Interface) page to set the storm control mode (broadcast or multicast), the traffic thresholds, the control response, to automatically release a response of rate limiting, or to send related SNMP trap messages.
◆ Auto Release Control – Automatically stops a traffic control response of rate limiting when traffic falls below the alarm clear threshold and the release timer expires as illustrated in Figure 125 on page 264. When traffic control stops, the event is logged by the system and a Traffic Release Trap can be sent.
WEB INTERFACE
To configure the response timers for automatic storm control:
1. Click Traffic, Automatic Storm Control.
2. Select Configure Interface from the Step field.
3. Enable or disable ATC as required, set the control response, specify whether or not to automatically release the control response of rate limiting, set the upper and lower thresholds, and specify which trap messages to send.
4. Click Apply.
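The interaction between the alarm fire threshold, apply timer, alarm clear threshold and release timer is easiest to see as a state machine driven by per-second rate samples. The following model is an added example, not the switch's firmware, and makes some simplifying assumptions: traffic arrives as one rate sample per second, an alarm that clears before the apply timer expires is cancelled, and only the rate-limit response is auto-released (a shutdown response stays until an operator releases it, matching the Auto Release Control description above). The thresholds, timers and rate samples are constructed values; the trap names are the ones the text uses.

```python
"""State machine for Automatic Traffic Control as described above: alarm fire
threshold, apply timer, control response, alarm clear threshold, release timer.

Added example, not the switch's firmware. Simplifying assumptions: traffic is fed as
one rate sample per second; an alarm that clears before the apply timer expires is
cancelled; only the rate-limit response is auto-released (a shutdown response stays
in place until released manually). Thresholds and rates are constructed values.
"""


class AutoTrafficControl:
    def __init__(self, alarm_fire, alarm_clear, apply_timer, release_timer,
                 response="rate-limit", auto_release=True):
        if alarm_clear >= alarm_fire:
            raise ValueError("alarm clear threshold must be below the alarm fire threshold")
        self.alarm_fire = alarm_fire        # upper threshold (packets/s)
        self.alarm_clear = alarm_clear      # lower threshold
        self.apply_timer = apply_timer      # seconds above fire before the response applies
        self.release_timer = release_timer  # seconds below clear before the response releases
        self.response = response            # "rate-limit" or "shutdown"
        self.auto_release = auto_release
        self.state = "normal"               # normal -> alarm -> controlled -> normal
        self.timer = 0
        self.events = []                    # (second, trap or log message)

    def sample(self, t, rate):
        """Feed one ingress-rate sample; returns the state after processing it."""
        if self.state == "normal":
            if rate > self.alarm_fire:
                self.events.append((t, "Storm Alarm Fire Trap"))
                self.state, self.timer = "alarm", self.apply_timer
        elif self.state == "alarm":
            if rate > self.alarm_fire:
                self.timer -= 1
                if self.timer <= 0:
                    self.events.append((t, f"Traffic Control Apply Trap ({self.response})"))
                    self.state, self.timer = "controlled", self.release_timer
            elif rate < self.alarm_clear:
                self.state = "normal"  # assumption: the storm ended before the timer expired
        elif self.state == "controlled":
            if self.response == "rate-limit" and self.auto_release:
                if rate < self.alarm_clear:
                    self.timer -= 1
                    if self.timer <= 0:
                        self.events.append((t, "Traffic Release Trap"))
                        self.state = "normal"
                else:
                    self.timer = self.release_timer  # still busy: restart the countdown
        return self.state

    def manual_release(self, t):
        """Operator clears a shutdown (or non-auto-released) response."""
        if self.state == "controlled":
            self.events.append((t, "manual release"))
            self.state = "normal"


def run(samples, **kwargs):
    """Drive the state machine over a list of per-second rates; returns (events, final state)."""
    atc = AutoTrafficControl(**kwargs)
    state = atc.state
    for t, rate in enumerate(samples):
        state = atc.sample(t, rate)
    return atc.events, state


# Constructed broadcast-rate samples: a storm from t=1 to t=3, quiet afterwards.
SAMPLES = [200, 1500, 1500, 1500, 300, 300, 300, 300]

if __name__ == "__main__":
    events, final = run(SAMPLES, alarm_fire=1000, alarm_clear=500, apply_timer=2, release_timer=3)
    for ev in events:
        print(ev)
    print("final state:", final)
```

With a fire threshold of 1000, an apply timer of 2 and a release timer of 3, the storm starting at t=1 raises the alarm immediately, the response is applied at t=3, and, because the rate then stays below the clear threshold, the rate limit is released at t=6. Running the same samples with `response="shutdown"` leaves the port in the controlled state, which is why the shutdown response needs an operator to release it.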
10 CLASS OF SERVICE Class of Service (CoS) allows you to specify which data packets have greater precedence when traffic is buffered in the switch due to congestion. This switch supports CoS with eight priority queues for each port. Data packets in a port’s high-priority queue will be transmitted before those in the lower-priority queues. You can set the default priority for each interface, and configure the mapping of frame priority tags to the switch’s priority queues.
CHAPTER 10 | Class of Service Layer 2 Queue Settings
frames. If the incoming frame is an IEEE 802.1Q VLAN tagged frame, the IEEE 802.1p User Priority bits will be used.
◆ If the output port is an untagged member of the associated VLAN, these frames are stripped of all VLAN tags prior to transmission.
PARAMETERS
These parameters are displayed:
◆ Interface – Displays a list of ports or trunks.
◆ CoS – The priority that is assigned to untagged frames received on the specified interface.
COMMAND USAGE
◆ Strict priority requires all traffic in a higher priority queue to be processed before lower priority queues are serviced.
◆ WRR queuing specifies a relative weight for each queue. WRR uses a predefined relative weight for each queue that determines the percentage of service time the switch services each queue before moving on to the next queue. This prevents the head-of-line blocking that can occur with strict priority queuing.
WEB INTERFACE
To configure the queue mode:
1. Click Traffic, Priority, Queue.
2. Set the queue mode.
3. If the weighted queue mode is selected, the queue weight can be modified if required.
4. If the queue mode that uses a combination of strict and weighted queueing is selected, the queues which are serviced first must be specified by enabling the strict mode parameter in the table.
5. Click Apply.
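The three queue modes above differ in who gets the next transmit opportunity. The following scheduler model is an added example, not the switch's firmware: it serves eight queues (7 is the highest), gives strict queues absolute precedence, and otherwise walks the remaining queues round-robin sending up to each queue's weight per round. Running it with a persistently busy strict queue shows the head-of-line blocking the text warns about; running it with weights shows the proportional service WRR provides. Backlogs and weights are constructed values.

```python
"""Egress scheduler model for the queue modes above: strict priority, WRR, and the
mixed mode in which some queues are marked strict and the rest share WRR weights.

Added example, not the switch's firmware. Queue 7 is the highest priority; in WRR
a queue's weight is the number of packets it may send per round; strict queues are
always served first, which is the head-of-line blocking the text warns about.
Backlogs below are constructed.
"""


def schedule(backlog, weights, strict_queues, slots):
    """Return the queue served in each of `slots` transmit opportunities (None = idle).

    backlog: {queue: packets waiting}; weights: {queue: weight} (missing -> 1);
    strict_queues: set of queues served strictly, highest number first.
    """
    backlog = dict(backlog)
    wrr_order = [q for q in range(7, -1, -1) if q not in strict_queues]
    idx = 0
    credit = weights.get(wrr_order[0], 1) if wrr_order else 0
    served = []

    def advance():
        # Move to the next WRR queue and reload its credit (its weight).
        nonlocal idx, credit
        idx = (idx + 1) % len(wrr_order)
        credit = weights.get(wrr_order[idx], 1)

    for _ in range(slots):
        # Strict queues pre-empt everything else, highest number first.
        s = next((q for q in sorted(strict_queues, reverse=True) if backlog.get(q, 0) > 0), None)
        if s is not None:
            backlog[s] -= 1
            served.append(s)
            continue
        # WRR: serve the current queue while it has credit and packets, else move on.
        chosen = None
        for _attempt in range(len(wrr_order)):
            q = wrr_order[idx]
            if backlog.get(q, 0) > 0 and credit > 0:
                backlog[q] -= 1
                credit -= 1
                chosen = q
                if credit == 0:
                    advance()
                break
            advance()
        served.append(chosen)
    return served


def service_share(served):
    """Fraction of the busy slots each queue received; shows the effect of the weights."""
    busy = [q for q in served if q is not None]
    return {q: busy.count(q) / len(busy) for q in sorted(set(busy))} if busy else {}


if __name__ == "__main__":
    # Strict queues 7 and 6 with a never-empty queue 6 starve queue 0.
    print(schedule({7: 3, 6: 100, 0: 100}, {}, {7, 6}, 12))
    # WRR with weights 3:1 between queue 6 and queue 0.
    print(service_share(schedule({6: 100, 0: 100}, {6: 3, 0: 1}, set(), 8)))
```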
Figure 132: Setting the Queue Mode (Strict and WRR)
MAPPING COS VALUES TO EGRESS QUEUES
Use the Traffic > Priority > PHB to Queue page to specify the hardware output queues to use based on the internal per-hop behavior value. (For more information on the exact manner in which the ingress priority tags are mapped to egress queues for internal processing, see "Mapping CoS Priorities to Internal DSCP Values" on page 282).
Table 15: CoS Priority Levels (Continued)
Priority Level   Traffic Type
4                Controlled Load
5                Video, less than 100 milliseconds latency and jitter
6                Voice, less than 10 milliseconds latency and jitter
7                Network Control
CLI REFERENCES
◆ "qos map phb-queue" on page 1177
COMMAND USAGE
◆ Egress packets are placed into the hardware queues according to the mapping defined by this command.
Figure 133: Mapping CoS Values to Egress Queues
To show the internal PHB to hardware queue map:
1. Click Traffic, Priority, PHB to Queue.
2. Select Show from the Action list.
3. Select an interface.
LAYER 3/4 PRIORITY SETTINGS
Mapping Layer 3/4 Priorities to CoS Values
The switch supports several common methods of prioritizing layer 3/4 traffic to meet application requirements. Traffic priorities can be specified in the IP header of a frame, using the priority bits in the Type of Service (ToS) octet, or the number of the TCP/UDP port.
PARAMETERS
These parameters are displayed:
◆ Trust Mode
■ CoS – Maps layer 3/4 priorities using Class of Service values. (This is the default setting.)
■ DSCP – Maps layer 3/4 priorities using Differentiated Services Code Point values.
WEB INTERFACE
To configure the trust mode:
1. Click Traffic, Priority, Trust Mode.
2. Set the trust mode.
3. Click Apply.
◆ This map is only used when the priority mapping mode is set to DSCP (see page 278), and the ingress packet type is IPv4. Any attempt to configure the DSCP mutation map will not be accepted by the switch, unless the trust mode has been set to DSCP.
◆ Two QoS domains can have different DSCP definitions, so the DSCP-to-PHB/Drop Precedence mutation map can be used to modify one set of DSCP values to match the definition of another domain.
WEB INTERFACE
To map DSCP values to internal PHB/drop precedence:
1. Click Traffic, Priority, DSCP to DSCP.
2. Select Configure from the Action list.
3. Select a port.
4. Set the PHB and drop precedence for any DSCP value.
5. Click Apply.
Figure 136: Configuring DSCP to DSCP Internal Mapping
To show the DSCP to internal PHB/drop precedence map:
1. Click Traffic, Priority, DSCP to DSCP.
2. Select Show from the Action list.
3. Select a port.
MAPPING COS PRIORITIES TO INTERNAL DSCP VALUES
Use the Traffic > Priority > CoS to DSCP page to map CoS/CFI values in incoming packets to per-hop behavior and drop precedence values for priority processing.
CLI REFERENCES
◆ "qos map cos-dscp" on page 1174
COMMAND USAGE
◆ The default mapping of CoS to PHB values is shown in Table 18 on page 283.
◆ Enter up to eight CoS/CFI paired values, per-hop behavior and drop precedence.
Table 18: Default Mapping of CoS/CFI to Internal PHB/Drop Precedence
CoS   CFI 0   CFI 1
0     (0,0)   (0,0)
1     (1,0)   (1,0)
2     (2,0)   (2,0)
3     (3,0)   (3,0)
4     (4,0)   (4,0)
5     (5,0)   (5,0)
6     (6,0)   (6,0)
7     (7,0)   (7,0)
WEB INTERFACE
To map CoS/CFI values to internal PHB/drop precedence:
1. Click Traffic, Priority, CoS to DSCP.
2. Select Configure from the Action list.
3. Select a port.
4.
To show the CoS/CFI to internal PHB/drop precedence map:
1. Click Traffic, Priority, CoS to DSCP.
2. Select Show from the Action list.
3. Select a port.
11 QUALITY OF SERVICE
This chapter describes the following tasks required to apply QoS policies:
Class Map – Creates a map which identifies a specific class of traffic.
Policy Map – Sets the boundary parameters used for monitoring inbound traffic, and the action to take for conforming and non-conforming traffic.
Binding to a Port – Applies a policy map to an ingress port.
CHAPTER 11 | Quality of Service Configuring a Class Map
COMMAND USAGE
To create a service policy for a specific category of ingress traffic, follow these steps:
1. Use the Configure Class (Add) page to designate a class name for a specific category of traffic.
2. Use the Configure Class (Add Rule) page to edit the rules for each class which specify a type of traffic based on an access list, a DSCP or IP Precedence value, a VLAN, a CoS value, or a source port.
3.
◆ Description – A brief description of a class map. (Range: 1-64 characters)
Add Rule
◆ Class Name – Name of the class map.
◆ Type – Only one match command is permitted per class map, so the match-any field refers to the criteria specified by the lone match command.
◆ ACL – Name of an access control list. Any type of ACL can be specified, including standard or extended IPv4/IPv6 ACLs and MAC ACLs.
◆ IP DSCP – A DSCP value.
To show the configured class maps:
1. Click Traffic, DiffServ.
2. Select Configure Class from the Step list.
3. Select Show from the Action list.
Figure 141: Showing Class Maps
To edit the rules for a class map:
1. Click Traffic, DiffServ.
2. Select Configure Class from the Step list.
3. Select Add Rule from the Action list.
4. Select the name of a class map.
5.
To show the rules for a class map:
1. Click Traffic, DiffServ.
2. Select Configure Class from the Step list.
3. Select Show Rule from the Action list.
Figure 143: Showing the Rules for a Class Map
CREATING QOS POLICIES
Use the Traffic > DiffServ (Configure Policy) page to create a policy map that can be attached to multiple interfaces.
conforming to the maximum throughput, or exceeding the maximum throughput.
srTCM Police Meter – Defines an enforcer for classified traffic based on a single rate three color meter scheme defined in RFC 2697. This metering policy monitors a traffic stream and processes its packets according to the committed information rate (CIR, or maximum throughput), committed burst size (BC, or burst rate), and excess burst size (BE).
When a packet of size B bytes arrives at time t, the following happens if srTCM is configured to operate in Color-Aware mode:
■ If the packet has been precolored as green and Tc(t)-B ≥ 0, the packet is green and Tc is decremented by B down to the minimum value of 0, else
■ If the packet has been precolored as yellow or green and if Te(t)-B ≥ 0, the packet is yellow and Te is decremented by B down to the minimum value of 0, else
■ the packet is red
count Tp is incremented by one PIR times per second up to BP and the token count Tc is incremented by one CIR times per second up to BC. When a packet of size B bytes arrives at time t, the following happens if trTCM is configured to operate in Color-Blind mode:
■ If Tp(t)-B < 0, the packet is red, else
■ if Tc(t)-B < 0, the packet is yellow and Tp is decremented by B, else
■ the packet is green and both Tp and Tc are decremented by B.
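The srTCM and trTCM rules above, carried through as running code, together with the conform/exceed/violate actions a policy map attaches to the three colours. This is an added example written for this guide, not the switch's firmware: rates are expressed in bytes per second and bucket sizes in bytes, the buckets start full, and both meters are given both Color-Blind and Color-Aware modes (the text gives one mode per meter; the other follows RFC 2697 and RFC 2698 in the same way). Packet sizes, timings and the DSCP value used in the exceed action are constructed.

```python
"""Single-rate (RFC 2697) and two-rate (RFC 2698) three color meters as described
above, plus the conform/exceed/violate actions a policy map attaches to the colours.

Added example, not the switch's firmware: rates are in bytes per second, bucket sizes
in bytes, and both meters support Color-Blind and Color-Aware modes (the text gives
one mode per meter; the other follows the same RFCs). All traffic below is constructed.
"""


class SrTCM:
    """Token buckets Tc (filled at CIR up to CBS) and Te (overflow of Tc, up to EBS)."""

    def __init__(self, cir, cbs, ebs, color_aware=False):
        self.cir, self.cbs, self.ebs = cir, cbs, ebs
        self.color_aware = color_aware
        self.tc, self.te, self.last = cbs, ebs, 0.0   # buckets start full

    def _refill(self, t):
        added = (t - self.last) * self.cir
        self.last = t
        new_tc = min(self.cbs, self.tc + added)
        spill = added - (new_tc - self.tc)        # tokens Tc cannot hold go to Te
        self.tc = new_tc
        self.te = min(self.ebs, self.te + spill)

    def meter(self, t, size, precolor="green"):
        self._refill(t)
        green_ok = precolor == "green" if self.color_aware else True
        yellow_ok = precolor in ("green", "yellow") if self.color_aware else True
        if green_ok and self.tc - size >= 0:
            self.tc -= size
            return "green"
        if yellow_ok and self.te - size >= 0:
            self.te -= size
            return "yellow"
        return "red"


class TrTCM:
    """Token buckets Tp (filled at PIR up to PBS) and Tc (filled at CIR up to CBS)."""

    def __init__(self, cir, cbs, pir, pbs, color_aware=False):
        self.cir, self.cbs, self.pir, self.pbs = cir, cbs, pir, pbs
        self.color_aware = color_aware
        self.tc, self.tp, self.last = cbs, pbs, 0.0

    def _refill(self, t):
        dt = t - self.last
        self.last = t
        self.tc = min(self.cbs, self.tc + dt * self.cir)
        self.tp = min(self.pbs, self.tp + dt * self.pir)

    def meter(self, t, size, precolor="green"):
        self._refill(t)
        if (self.color_aware and precolor == "red") or self.tp - size < 0:
            return "red"
        if (self.color_aware and precolor == "yellow") or self.tc - size < 0:
            self.tp -= size
            return "yellow"
        self.tp -= size
        self.tc -= size
        return "green"


def apply_policy(color, actions):
    """Map a colour to the policy-map action: conform = green, exceed = yellow, violate = red."""
    return actions[{"green": "conform", "yellow": "exceed", "red": "violate"}[color]]


def police(meter, packets, actions):
    """Meter a list of (time, size[, precolor]) packets; returns (colour, action) per packet."""
    out = []
    for p in packets:
        color = meter.meter(*p)
        out.append((color, apply_policy(color, actions)))
    return out


# Constructed policy: transmit conforming traffic, remark exceeding traffic, drop violations.
ACTIONS = {"conform": ("transmit", None), "exceed": ("set-dscp", 8), "violate": ("drop", None)}

if __name__ == "__main__":
    burst = [(0, 600), (0, 600), (0, 600), (1.0, 900)]
    print(police(SrTCM(cir=1000, cbs=1000, ebs=1000), burst, ACTIONS))
```

Three 600-byte packets arriving at once against a 1000-byte committed burst exhaust Tc after the first, so the second is coloured from the excess bucket and the third is red; after one second at a CIR of 1000 bytes/s, Tc is full again and the 400 tokens it could not hold have refilled part of Te, which is the overflow behaviour that distinguishes srTCM from the two independent buckets of trTCM.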
◆ Class Name – Name of a class map that defines a traffic classification upon which a policy can act.
◆ Action – This attribute is used to set an internal QoS value in hardware for matching packets. The PHB label is composed of five bits, three bits for per-hop behavior, and two bits for the color scheme used to control queue congestion with the srTCM and trTCM metering functions.
■ Violate – Specifies whether the traffic that exceeds the maximum rate (CIR) will be dropped or the DSCP service level will be reduced.
■ Set IP DSCP – Decreases DSCP priority for out of conformance traffic. (Range: 0-63)
■ Drop – Drops out of conformance traffic.
■ Violate – Specifies whether the traffic that exceeds the excess burst size (BE) will be dropped or the DSCP service level will be reduced.
■ Set IP DSCP – Decreases DSCP priority for out of conformance traffic. (Range: 0-63)
■ Drop – Drops out of conformance traffic.
■ Exceed – Specifies whether traffic that exceeds the maximum rate (CIR) but is within the peak information rate (PIR) will be dropped or the DSCP service level will be reduced.
■ Set IP DSCP – Decreases DSCP priority for out of conformance traffic. (Range: 0-63)
■ Drop – Drops out of conformance traffic.
To show the configured policy maps:
1. Click Traffic, DiffServ.
2. Select Configure Policy from the Step list.
3. Select Show from the Action list.
Figure 145: Showing Policy Maps
To edit the rules for a policy map:
1. Click Traffic, DiffServ.
2. Select Configure Policy from the Step list.
3. Select Add Rule from the Action list.
4. Select the name of a policy map.
5.
Figure 146: Adding Rules to a Policy Map
To show the rules for a policy map:
1. Click Traffic, DiffServ.
2. Select Configure Policy from the Step list.
3. Select Show Rule from the Action list.
ATTACHING A POLICY MAP TO A PORT
Use the Traffic > DiffServ (Configure Interface) page to bind a policy map to a port.
CLI REFERENCES
◆ "Quality of Service Commands" on page 1183
COMMAND USAGE
First define a class map, define a policy map, and bind the service policy to the required interface.
PARAMETERS
These parameters are displayed:
◆ Port – Specifies a port.
◆ Ingress – Applies the selected rule to ingress traffic.
12 VOIP TRAFFIC CONFIGURATION
This chapter covers the following topics:
◆ Global Settings – Enables VOIP globally, sets the Voice VLAN, and the aging time for attached ports.
◆ Telephony OUI List – Configures the list of phones to be treated as VOIP devices based on the specified Organization Unit Identifier (OUI).
CHAPTER 12 | VoIP Traffic Configuration Configuring VoIP Traffic CONFIGURING VOIP TRAFFIC Use the Traffic > VoIP (Configure Global) page to configure the switch for VoIP traffic. First enable automatic detection of VoIP devices attached to the switch ports, then set the Voice VLAN ID for the network. The Voice VLAN aging time can also be set to remove a port from the Voice VLAN when VoIP traffic is no longer received on the port.
Figure 149: Configuring a Voice VLAN
CONFIGURING TELEPHONY OUI
VoIP devices attached to the switch can be identified by the vendor’s Organizational Unique Identifier (OUI) in the source MAC address of received packets. OUI numbers are assigned to vendors and form the first three octets of device MAC addresses. The MAC OUI numbers for VoIP equipment can be configured on the switch so that traffic from these devices is recognized as VoIP.
5. Select a mask from the pull-down list to define a MAC address range.
6. Enter a description for the devices.
7. Click Apply.
Figure 150: Configuring an OUI Telephony List
To show the MAC OUI numbers used for VoIP equipment:
1. Click Traffic, VoIP.
2. Select Configure OUI from the Step list.
3. Select Show from the Action list.
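The match the switch performs for each telephony OUI entry is a masked comparison of the source MAC address: with the default mask only the first three octets count, and a longer mask narrows an entry to part of a vendor's range. The following functions are an added example, not the switch's firmware; the OUI list is constructed and its OUIs are sample values that do not name real vendors.

```python
"""Telephony OUI matching as described above: the OUI is the first three octets of the
source MAC, and a mask widens or narrows the range an entry covers.

Added example, not the switch's firmware. The OUI list below is constructed; the OUIs
are sample values and do not name real vendors.
"""


def mac_to_int(mac):
    """Accept aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff or aabbccddeeff; reject anything else."""
    digits = mac.replace(":", "").replace("-", "").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"bad MAC address: {mac!r}")
    return int(digits, 16)


def matches(mac, oui, mask="ff:ff:ff:00:00:00"):
    """True when mac and oui agree on every bit set in mask (default: the first three octets)."""
    m = mac_to_int(mask)
    return mac_to_int(mac) & m == mac_to_int(oui) & m


def classify(src_mac, oui_list):
    """Return the description of the first matching entry, or None when the source is not VoIP."""
    for oui, mask, description in oui_list:
        if matches(src_mac, oui, mask):
            return description
    return None


# Constructed entries: (OUI, mask, description). The second entry uses a longer mask
# so that it covers only the 00:33:44:5x:xx:xx part of that OUI.
OUI_LIST = [
    ("00:11:22:00:00:00", "ff:ff:ff:00:00:00", "sample phone model A"),
    ("00:33:44:50:00:00", "ff:ff:ff:f0:00:00", "sample phone model B (sub-range)"),
]

if __name__ == "__main__":
    for mac in ("00:11:22:ab:cd:ef", "00:33:44:5f:00:01", "00:33:44:60:00:01"):
        print(mac, "->", classify(mac, OUI_LIST))
```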
CONFIGURING VOIP TRAFFIC PORTS
Use the Traffic > VoIP (Configure Interface) page to configure ports for VoIP traffic. You need to set the mode (Auto or Manual), specify the discovery method to use, and set the traffic priority. You can also enable security filtering to ensure that only VoIP traffic is forwarded on the Voice VLAN.
■ LLDP – Uses LLDP (IEEE 802.1AB) to discover VoIP devices attached to the port. LLDP checks that the “telephone bit” in the system capability TLV is turned on. See "Link Layer Discovery Protocol" on page 424 for more information on LLDP.
◆ Priority – Defines a CoS priority for port traffic on the Voice VLAN.
13 SECURITY MEASURES You can configure this switch to authenticate users logging into the system for management access using local or remote authentication methods. Port-based authentication using IEEE 802.1X can also be configured to control either management access to the uplink ports or client access to the data ports.
CHAPTER 13 | Security Measures AAA Authorization and Accounting
◆ IPv4 Source Guard – Filters IPv4 traffic on insecure ports for which the source address cannot be identified via DHCPv4 snooping or static source bindings.
◆ IPv6 Source Guard – Filters IPv6 traffic on insecure ports for which the source address cannot be identified via ND snooping, DHCPv6 snooping, or static source bindings.
To configure AAA on the switch, you need to follow this general process:
1. Configure RADIUS and TACACS+ server access parameters. See "Configuring Local/Remote Logon Authentication" on page 309.
2. Define RADIUS and TACACS+ server groups to support the accounting and authorization of services.
3.
■ Local – User authentication is performed only locally by the switch.
■ RADIUS – User authentication is performed using a RADIUS server only.
■ TACACS – User authentication is performed using a TACACS+ server only.
■ [authentication sequence] – User authentication is performed by up to three authentication methods in the indicated sequence.
WEB INTERFACE
To configure the method(s) of controlling management access:
1.
RADIUS uses UDP while TACACS+ uses TCP. UDP only offers best effort delivery, while TCP offers a more reliable connection-oriented transport. Also, note that RADIUS encrypts only the password in the access-request packet from the client to the server, while TACACS+ encrypts the entire body of the packet.
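What "RADIUS encrypts only the password" means in practice is visible when an Access-Request is assembled: the User-Name attribute travels in the clear, and only the User-Password attribute is obscured, using the RFC 2865 §5.2 scheme of XORing each 16-byte block with MD5(shared secret + previous block), starting from the Request Authenticator. The following is an added example written for this guide, not the switch's firmware or a RADIUS client library; the username, password and shared secret are constructed sample values, and the attribute type numbers (1 for User-Name, 2 for User-Password) are those defined in RFC 2865.

```python
"""Why "RADIUS encrypts only the password": the User-Password hiding of RFC 2865 §5.2,
applied inside an otherwise plaintext Access-Request.

Added example, not the switch's firmware. It builds the User-Name (type 1) and
User-Password (type 2) attributes of an Access-Request and shows that only the second
is obscured, by MD5(secret + Request Authenticator) XOR chained over 16-byte blocks.
The shared secret, username and password are constructed sample values.
"""
import hashlib
import os

USER_NAME, USER_PASSWORD = 1, 2   # RADIUS attribute types (RFC 2865)


def hide_password(password, secret, authenticator):
    """RFC 2865 §5.2: c1 = p1 XOR MD5(S+RA), c2 = p2 XOR MD5(S+c1), ... over 16-byte blocks."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)   # pad with NULs to a 16-byte multiple
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        b = hashlib.md5(secret + prev).digest()
        c = bytes(x ^ y for x, y in zip(padded[i:i + 16], b))
        out += c
        prev = c            # chaining: the next block is keyed on the previous ciphertext block
    return bytes(out)


def reveal_password(hidden, secret, authenticator):
    """Inverse of hide_password, as the server performs it; strips the NUL padding."""
    out, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        c = hidden[i:i + 16]
        b = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(c, b))
        prev = c
    return bytes(out).rstrip(b"\x00")


def attribute(attr_type, value):
    """RADIUS attribute TLV: type, length (including the 2-byte header), value."""
    return bytes([attr_type, 2 + len(value)]) + value


def build_access_request_attrs(username, password, secret, authenticator):
    """Return the attribute bytes a client would place in an Access-Request."""
    return (attribute(USER_NAME, username)
            + attribute(USER_PASSWORD, hide_password(password, secret, authenticator)))


if __name__ == "__main__":
    ra = os.urandom(16)                              # Request Authenticator: fresh per request
    attrs = build_access_request_attrs(b"alice", b"Secret12", b"shared-key", ra)
    print(attrs.hex())
    print("username visible in the clear:", b"alice" in attrs)
```

The security consequence for the switch's management plane follows directly: anyone able to read the RADIUS exchange between switch and server learns the administrator's username and every other attribute, and the strength of the password hiding rests entirely on the shared secret, so the RADIUS secret deserves the same care as a password and the path to the server should be a protected management network. TACACS+, which encrypts the whole packet body, does not expose the username in the same way.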
■ Authentication Timeout – The number of seconds the switch waits for a reply from the RADIUS server before it resends the request. (Range: 1-65535; Default: 5) ■ Authentication Retries – Number of times the switch tries to authenticate logon access via the authentication server. (Range: 1-30; Default: 2) ■ Set Key – Mark this box to set or modify the encryption key (the shared secret that must also be configured on the server).
Configure Group ◆ Server Type – Select RADIUS or TACACS+ server. ◆ Group Name – Defines a name for the RADIUS or TACACS+ server group. (Range: 1-64 characters) ◆ Sequence at Priority – Specifies the server and sequence to use for the group. (Range: 1-5 for RADIUS; 1 for TACACS) When specifying the priority sequence for a server, the server index must already be defined (see "Configuring Local/Remote Logon Authentication" on page 309).
Figure 156: Configuring Remote Authentication Server (TACACS+) To configure the RADIUS or TACACS+ server groups to use for accounting and authorization: 1. Click Security, AAA, Server. 2. Select Configure Group from the Step list. 3. Select Add from the Action list. 4. Select RADIUS or TACACS+ server type. 5. Enter the group name, followed by the index of the server to use for each priority level. 6. Click Apply.
To show the RADIUS or TACACS+ server groups used for accounting and authorization: 1. Click Security, AAA, Server. 2. Select Configure Group from the Step list. 3. Select Show from the Action list.
■ Exec – Administrative accounting for local console, Telnet, or SSH connections. ◆ Method Name – Specifies an accounting method for service requests. The "default" methods are used for a requested service if no other methods have been defined. (Range: 1-64 characters) Note that the method name is only used to describe the accounting method configured on the specified RADIUS or TACACS+ servers.
Show Information – Summary ◆ Accounting Type – Displays the accounting service. ◆ Method Name – Displays the user-defined or default accounting method. ◆ Server Group Name – Displays the accounting server group. ◆ Interface – Displays the port, console or Telnet interface to which these rules apply. (This field is null if the accounting method and associated server group have not been assigned to an interface.)
To configure the accounting method applied to various service types and the assigned server group: 1. Click Security, AAA, Accounting. 2. Select Configure Method from the Step list. 3. Select Add from the Action list. 4. Select the accounting type (802.1X, Command, Exec). 5. Specify the name of the accounting method and server group name. 6. Click Apply.
Figure 161: Showing AAA Accounting Methods To configure the accounting method applied to specific interfaces, console commands entered at specific privilege levels, and local console, Telnet, or SSH connections: 1. Click Security, AAA, Accounting. 2. Select Configure Service from the Step list. 3. Select the accounting type (802.1X, Command, Exec). 4. Enter the required accounting method. 5. Click Apply.
Figure 163: Configuring AAA Accounting Service for Command Service Figure 164: Configuring AAA Accounting Service for Exec Service To display a summary of the configured accounting methods and assigned server groups for specified service types: 1. Click Security, AAA, Accounting. 2. Select Show Information from the Step list. 3. Click Summary.
To display basic accounting information and statistics recorded for user sessions: 1. Click Security, AAA, Accounting. 2. Select Show Information from the Step list. 3. Click Statistics.
other group name refers to a server group configured on the TACACS+ Group Settings page. Authorization is only supported for TACACS+ servers. Configure Service ◆ Authorization Type – Specifies the service as Exec, indicating administrative authorization for local console, Telnet, or SSH connections. ◆ Console Method Name – Specifies a user-defined method name to apply to console connections.
To show the authorization method applied to the EXEC service type and the assigned server group: 1. Click Security, AAA, Authorization. 2. Select Configure Method from the Step list. 3. Select Show from the Action list. Figure 168: Showing AAA Authorization Methods To configure the authorization method applied to local console, Telnet, or SSH connections: 1. Click Security, AAA, Authorization. 2. Select Configure Service from the Step list.
CHAPTER 13 | Security Measures Configuring User Accounts To display the configured authorization method and assigned server group for the Exec service type: 1. Click Security, AAA, Authorization. 2. Select Show Information from the Step list. Figure 170: Displaying the Applied AAA Authorization Method CONFIGURING USER ACCOUNTS Use the Security > User Accounts page to control management access to the switch based on manually configured user names and passwords.
■ Plain Password – Plain text unencrypted password. ■ Encrypted Password – Encrypted password. The encrypted password is required for compatibility with legacy password settings (i.e., plain text or encrypted) when reading the configuration file during system bootup or when downloading the configuration file from a TFTP or FTP server. There is no need for you to manually configure encrypted passwords. ◆ Password – Specifies the user password.
CHAPTER 13 | Security Measures Web Authentication Figure 172: Showing User Accounts WEB AUTHENTICATION Web authentication allows stations to authenticate and access the network in situations where 802.1X or Network Access authentication are infeasible or impractical. The web authentication feature allows unauthenticated hosts to request and receive a DHCP assigned IP address and perform DNS queries. All other traffic, except for HTTP protocol traffic, is blocked.
◆ Session Timeout – Configures how long an authenticated session stays active before it must re-authenticate itself. (Range: 300-3600 seconds; Default: 3600 seconds) ◆ Quiet Period – Configures how long a host must wait to attempt authentication again after it has exceeded the maximum allowable failed login attempts.
◆ Host IP Address – Indicates the IP address of each connected host. ◆ Remaining Session Time – Indicates the remaining time until the current authorization session for the host expires. ◆ Apply – Enables web authentication if the Status box is checked. ◆ Revert – Restores the previous configuration settings.
CHAPTER 13 | Security Measures Network Access (MAC Address Authentication) NETWORK ACCESS (MAC ADDRESS AUTHENTICATION) Some devices connected to switch ports may not be able to support 802.1X authentication due to hardware or software limitations. This is often true for devices such as network printers, IP phones, and some wireless access points. The switch enables network access from these devices to be controlled by authenticating device MAC addresses with a central RADIUS server.
◆ The RADIUS server may optionally return a VLAN identifier list to be applied to the switch port. The following attributes need to be configured on the RADIUS server. ■ Tunnel-Type = VLAN ■ Tunnel-Medium-Type = 802 ■ Tunnel-Private-Group-ID = 1u,2t [VLAN ID list] The VLAN identifier list is carried in the RADIUS "Tunnel-Private-Group-ID" attribute.
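As an added example (not part of the guide or the switch firmware), the following parser applies the three attribute checks above to a decoded Access-Accept and turns the "1u,2t" list into tagged and untagged VLAN sets. It assumes the attribute is presented as the bare list shown on the page and that the suffixes u and t mean untagged and tagged; the attribute dictionaries at the bottom are constructed, not captured server output.

```python
from dataclasses import dataclass

# RFC 2868 enumerations behind the values listed above
# (Tunnel-Type = VLAN, Tunnel-Medium-Type = 802).
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_TYPE_IEEE_802 = 6


class DynamicVlanError(ValueError):
    """The attributes are missing or malformed; the assignment is treated as failed."""


@dataclass(frozen=True)
class VlanAssignment:
    untagged: frozenset
    tagged: frozenset


def parse_vlan_list(value: str) -> VlanAssignment:
    """Parse a "1u,2t"-style Tunnel-Private-Group-ID list.

    Assumption (not spelled out on the page): the suffix 'u' marks a VLAN the
    port joins untagged and 't' one it joins tagged. Anything else is rejected
    rather than guessed at, so a single bad entry fails the whole assignment.
    """
    untagged, tagged = set(), set()
    for raw in value.split(","):
        item = raw.strip().lower()
        if len(item) < 2 or item[-1] not in "ut" or not item[:-1].isdigit():
            raise DynamicVlanError(f"malformed VLAN entry {raw!r}")
        vid = int(item[:-1])
        if not 1 <= vid <= 4094:
            raise DynamicVlanError(f"VLAN ID {vid} outside 1-4094")
        (untagged if item[-1] == "u" else tagged).add(vid)
    if untagged & tagged:
        raise DynamicVlanError(f"VLAN(s) {sorted(untagged & tagged)} listed as both tagged and untagged")
    return VlanAssignment(frozenset(untagged), frozenset(tagged))


def vlan_from_radius(attrs: dict) -> VlanAssignment:
    """Check the three attributes together, as the switch would on Access-Accept."""
    if attrs.get("Tunnel-Type") != TUNNEL_TYPE_VLAN:
        raise DynamicVlanError("Tunnel-Type must be VLAN (13)")
    if attrs.get("Tunnel-Medium-Type") != TUNNEL_MEDIUM_TYPE_IEEE_802:
        raise DynamicVlanError("Tunnel-Medium-Type must be 802 (6)")
    group_id = attrs.get("Tunnel-Private-Group-ID")
    if not isinstance(group_id, str) or not group_id:
        raise DynamicVlanError("Tunnel-Private-Group-ID missing")
    return parse_vlan_list(group_id)


def assignment_or_none(attrs: dict):
    """The parsed assignment, or None when dynamic assignment would fail."""
    try:
        return vlan_from_radius(attrs)
    except DynamicVlanError:
        return None


# Constructed Access-Accept attribute sets (not real server output).
GOOD_ACCEPT = {"Tunnel-Type": 13, "Tunnel-Medium-Type": 6, "Tunnel-Private-Group-ID": "1u,2t"}
BAD_ACCEPT = {"Tunnel-Type": 13, "Tunnel-Medium-Type": 6, "Tunnel-Private-Group-ID": "1u,two"}
```

Real RADIUS tunnel attributes may also carry a leading tag octet; this parser assumes that has already been stripped by the packet decoder, which is an assumption of the example and not something the page states.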
◆ Dynamic QoS assignment fails and the authentication result changes from success to failure when the following conditions occur: ■ The Filter-ID attribute format for dynamic QoS assignment is unrecognizable (the whole Filter-ID attribute cannot be parsed). ■ Illegal characters are found in a profile value (for example, a non-digit character in an 802.1p profile value). CONFIGURING GLOBAL SETTINGS FOR NETWORK ACCESS
port remains unaffected. (Range: 120-1000000 seconds; Default: 1800 seconds) WEB INTERFACE To configure aging status and reauthentication time for MAC address authentication: 1. Click Security, Network Access. 2. Select Configure Global from the Step list. 3. Enable or disable aging for secure addresses, and modify the reauthentication time as required. 4. Click Apply.
the Network Access process described in this section. (Range: 1-1024; Default: 1024) ◆ Network Access Max MAC Count – Sets the maximum number of MAC addresses that can be authenticated on a port interface via all forms of authentication (including Network Access and IEEE 802.1X). (Range: 1-2048; Default: 1024) ◆ Guest VLAN – Specifies the VLAN to be assigned to the port when 802.1X Authentication fails.
supported, the guest VLAN to use when MAC Authentication or 802.1X Authentication fails, and the dynamic VLAN and QoS assignments. 5. Click Apply. Figure 176: Configuring Interface Settings for Network Access CONFIGURING PORT LINK DETECTION Use the Security > Network Access (Configure Interface - Link Detection) page to send an SNMP trap and/or shut down a port when a link event occurs.
WEB INTERFACE To configure link detection on switch ports: 1. Click Security, Network Access. 2. Select Configure Interface from the Step list. 3. Click the Link Detection button. 4. Modify the link detection status, trigger condition, and the response for any port. 5. Click Apply.
◆ MAC Address Mask – The filter rule will check for the range of MAC addresses defined by the MAC bit mask. If you omit the mask, the system will assign the default mask of an exact match. (Range: 000000000000 - FFFFFFFFFFFF; Default: FFFFFFFFFFFF) WEB INTERFACE To add a MAC address filter for MAC authentication: 1. Click Security, Network Access. 2. Select Configure MAC Filter from the Step list. 3.
DISPLAYING SECURE MAC ADDRESS INFORMATION Use the Security > Network Access (Show Information) page to display the authenticated MAC addresses stored in the secure MAC address table. Information on the secure MAC entries can be displayed and selected entries can be removed from the table.
CHAPTER 13 | Security Measures Configuring HTTPS Figure 180: Showing Addresses Authenticated for Network Access CONFIGURING HTTPS You can configure the switch to enable the Secure Hypertext Transfer Protocol (HTTPS) over the Secure Sockets Layer (SSL), providing secure access (i.e., an encrypted connection) to the switch's web interface. CONFIGURING GLOBAL SETTINGS FOR HTTPS Use the Security > HTTPS (Configure Global) page to enable or disable HTTPS and specify the TCP port used for this service.
◆ The client and server establish a secure encrypted connection. A padlock icon should appear in the status bar for Internet Explorer 6, Mozilla Firefox 4, or Google Chrome 29, or more recent versions. ◆ The following web browsers and operating systems currently support HTTPS: Table 20: HTTPS System Support (columns: Web Browser, Operating System; the table is truncated here after its first entry, Internet Explorer 6).
Figure 181: Configuring HTTPS REPLACING THE DEFAULT SECURE-SITE CERTIFICATE Use the Security > HTTPS (Copy Certificate) page to replace the default secure-site certificate. When you log onto the web interface using HTTPS (for secure access), a Secure Sockets Layer (SSL) certificate is presented by the switch. By default, the certificate that the web browser displays will be associated with a warning that the site is not recognized as a secure site, because the default certificate is not issued by a certificate authority the browser trusts.
◆ Private Key Source File Name – Name of the private key file stored on the TFTP server. ◆ Private Password – Passphrase protecting the private key file. This password is used to verify authorization for certificate use, and is verified when downloading the certificate to the switch. ◆ Confirm Password – Re-type the string entered in the previous field to ensure no errors were made. Note that TFTP provides neither authentication nor encryption, so copy the certificate and private key only over a trusted management network.
CHAPTER 13 | Security Measures Configuring the Secure Shell CONFIGURING THE SECURE SHELL The Berkeley r-commands are remote access tools originally designed for Unix systems. Some of these tools have also been implemented for Microsoft Windows and other environments. These tools, including commands such as rlogin (remote login), rsh (remote shell), and rcp (remote copy), are not secure from hostile attacks.
79355942303577413098022737087794545240839717526463580581767167 09574804776117 3. Import Client's Public Key to the Switch – See "Importing User Public Keys" on page 347, or use the copy tftp public-key command to copy a file containing the public key for all SSH clients granted management access to the switch. (Note that these clients must be configured locally on the switch via the User Accounts page as described on page 324.)
c. If a match is found, the switch generates a random 256-bit string as a challenge, encrypts this string with the user's public key, and sends it to the client. d. The client uses its private key to decrypt the challenge string, computes the MD5 checksum, and sends the checksum back to the switch. e. The switch compares the checksum sent from the client against that computed for the original string it sent. Only a client holding the private key that matches the imported public key can recover the challenge, so the exchange proves possession of the key without ever transmitting it.
◆ Version – The Secure Shell version number. Version 2.0 is displayed, but the switch supports management access via either SSH Version 1.5 or 2.0 clients. (SSH version 1 has well-known protocol weaknesses; use version 2 clients wherever possible.) ◆ Authentication Timeout – Specifies the time interval in seconds that the SSH server waits for a response from a client during an authentication attempt.
GENERATING THE HOST KEY PAIR Use the Security > SSH (Configure Host Key - Generate) page to generate a host public/private key pair used to provide secure communications between an SSH client and the switch. After generating this key pair, you must provide the host public key to SSH clients and import the client's public key to the switch as described in the section "Importing User Public Keys" on page 347.
Figure 184: Generating the SSH Host Key Pair To display or clear the SSH host key pair: 1. Click Security, SSH. 2. Select Configure Host Key from the Step list. 3. Select Show from the Action list. 4. Select the host-key type to clear. 5. Click Clear. Figure 185: Showing the SSH Host Key Pair IMPORTING USER PUBLIC KEYS Use the Security > SSH (Configure User Key - Copy) page to upload a user's public key to the switch.
PARAMETERS These parameters are displayed: ◆ User Name – This drop-down box selects the user whose public key you wish to manage. Note that you must first create users on the User Accounts page (see "Configuring User Accounts" on page 324). ◆ User Key Type – The type of public key to upload. ■ RSA: The switch accepts an RSA public key for SSH version 1. ■ DSA: The switch accepts a DSA public key for SSH version 2.
CHAPTER 13 | Security Measures Access Control Lists To display or clear the SSH user’s public key: 1. Click Security, SSH. 2. Select Configure User Key from the Step list. 3. Select Show from the Action list. 4. Select a user from the User Name list. 5. Select the host-key type to clear. 6. Click Clear.
COMMAND USAGE The following restrictions apply to ACLs: ◆ The maximum number of ACLs is 64. ◆ The maximum number of rules per system is 512. ◆ An ACL can have up to 64 rules. However, due to resource restrictions, the average number of rules bound to the ports should not exceed 20.
SETTING A TIME RANGE Use the Security > ACL (Configure Time Range) page to set a time range during which ACL functions are applied. CLI REFERENCES ◆ "Time Range" on page 762 COMMAND USAGE If both an absolute rule and one or more periodic rules are configured for the same time range (i.e., named entry), that entry will only take effect if the current time is within the absolute time range and one of the periodic time ranges.
Figure 188: Setting the Name of a Time Range To show a list of time ranges: 1. Click Security, ACL. 2. Select Configure Time Range from the Step list. 3. Select Show from the Action list. Figure 189: Showing a List of Time Ranges To configure a rule for a time range: 1. Click Security, ACL. 2. Select Configure Time Range from the Step list. 3. Select Add Rule from the Action list. 4. Select the name of time range from the drop-down list. 5.
Figure 190: Add a Rule to a Time Range To show the rules configured for a time range: 1. Click Security, ACL. 2. Select Configure Time Range from the Step list. 3. Select Show Rule from the Action list.
Source Guard filter rules, Quality of Service (QoS) processes, QinQ, MAC-based VLANs, VLAN translation, or traps. For example, when binding an ACL to a port, each rule in an ACL will use two PCEs; and when setting an IP Source Guard filter rule for a port, the system will also use two PCEs. PARAMETERS These parameters are displayed: ◆ Total Policy Control Entries – The number of policy control entries in use.
PARAMETERS These parameters are displayed: ◆ ACL Name – Name of the ACL. (Maximum length: 32 characters) ◆ Type – The following filter modes are supported: ■ IP Standard: IPv4 ACL mode filters packets based on the source IPv4 address. ■ IP Extended: IPv4 ACL mode filters packets based on the source or destination IPv4 address, as well as the protocol type and protocol port number.
To show a list of ACLs: 1. Click Security, ACL. 2. Select Configure ACL from the Step list. 3. Select Show from the Action list. Figure 194: Showing a List of ACLs CONFIGURING A STANDARD IPV4 ACL Use the Security > ACL (Configure ACL - Add Rule - IP Standard) page to configure a Standard IPv4 ACL.
◆ Source Subnet Mask – A subnet mask containing four integers from 0 to 255, each separated by a period. The mask uses 1 bits to indicate "match" and 0 bits to indicate "ignore." The mask is bitwise ANDed with the specified source IP address, and the result is compared with the (equally masked) source address of each IP packet entering the port(s) to which this ACL has been assigned; a mask of 255.255.255.255 therefore matches a single host and a mask of 0.0.0.0 matches any address. ◆ Time Range – Name of a time range. WEB INTERFACE To add rules to an IP Standard ACL: 1.
CONFIGURING AN EXTENDED IPV4 ACL Use the Security > ACL (Configure ACL - Add Rule - IP Extended) page to configure an Extended IPv4 ACL. CLI REFERENCES ◆ "permit, deny (Extended IPv4 ACL)" on page 954 ◆ "show ip access-list" on page 957 ◆ "Time Range" on page 762 PARAMETERS These parameters are displayed: ◆ Type – Selects the type of ACLs to show in the Name list. ◆ Name – Shows the names of ACLs matching the selected type.
■ 1 (fin) – Finish ■ 2 (syn) – Synchronize ■ 4 (rst) – Reset ■ 8 (psh) – Push ■ 16 (ack) – Acknowledgement ■ 32 (urg) – Urgent pointer For example, use the code value and mask below to catch packets with the following flags set: ■ SYN flag valid, use control-code 2, control bit mask 2 ■ Both SYN and ACK valid, use control-code 18, control bit mask 18 ■ SYN valid and ACK invalid, use control-code 2, control bit mask 18 (The bit mask selects which flag bits are examined, and the control code gives the value those bits must have.) ◆ Time Range – N
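An added example (not the switch's filtering code) that implements the two matching operations the parameters above describe: the subnet-mask comparison used by Standard and Extended IPv4 rules, and the control-code / bit-mask test for TCP flags, evaluated over an ordered rule list. The ACL and packets are constructed for the demonstration, and the implicit action for unmatched traffic is a parameter because the page does not state what the switch does by default.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# TCP control-flag bit values as listed above.
TCP_FLAG = {"fin": 1, "syn": 2, "rst": 4, "psh": 8, "ack": 16, "urg": 32}


def addr_matches(packet_addr: str, rule_addr: str, rule_mask: str) -> bool:
    """Subnet-mask comparison: 1 bits in the mask must match, 0 bits are ignored."""
    mask = int(ipaddress.IPv4Address(rule_mask))
    packet = int(ipaddress.IPv4Address(packet_addr))
    rule = int(ipaddress.IPv4Address(rule_addr))
    return (packet & mask) == (rule & mask)


def flags_match(packet_flags: int, control_code: int, control_mask: int) -> bool:
    """Control-code / bit-mask test: only the masked flag bits are compared."""
    return (packet_flags & control_mask) == (control_code & control_mask)


@dataclass
class ExtendedRule:
    action: str                     # "permit" or "deny"
    src: str = "0.0.0.0"
    src_mask: str = "0.0.0.0"       # 0.0.0.0 = "Any", 255.255.255.255 = "Host"
    dst: str = "0.0.0.0"
    dst_mask: str = "0.0.0.0"
    protocol: Optional[int] = None  # 6 = TCP, 17 = UDP, None = any protocol
    dst_port: Optional[int] = None
    control_code: Optional[int] = None
    control_mask: int = 0

    def matches(self, pkt: dict) -> bool:
        if not addr_matches(pkt["src"], self.src, self.src_mask):
            return False
        if not addr_matches(pkt["dst"], self.dst, self.dst_mask):
            return False
        if self.protocol is not None and pkt.get("protocol") != self.protocol:
            return False
        if self.dst_port is not None and pkt.get("dst_port") != self.dst_port:
            return False
        if self.control_code is not None and not flags_match(
                pkt.get("flags", 0), self.control_code, self.control_mask):
            return False
        return True


def evaluate(acl, pkt: dict, default: str = "deny") -> str:
    """First matching rule wins; `default` is an assumption for unmatched traffic."""
    for rule in acl:
        if rule.matches(pkt):
            return rule.action
    return default


# Constructed policy: allow SSH (TCP/22) to a management address only from the
# 10.1.0.0/16 management network, drop new SSH connections (SYN without ACK)
# from anywhere else, and let everything else through.
SSH_GUARD_ACL = [
    ExtendedRule("permit", src="10.1.0.0", src_mask="255.255.0.0",
                 dst="192.168.1.10", dst_mask="255.255.255.255", protocol=6, dst_port=22),
    ExtendedRule("deny", dst="192.168.1.10", dst_mask="255.255.255.255", protocol=6, dst_port=22,
                 control_code=TCP_FLAG["syn"], control_mask=TCP_FLAG["syn"] | TCP_FLAG["ack"]),
    ExtendedRule("permit"),
]

# Constructed sample packets (not captured traffic).
SAMPLE_PACKETS = {
    "mgmt_ssh_syn": {"src": "10.1.7.20", "dst": "192.168.1.10", "protocol": 6, "dst_port": 22, "flags": 2},
    "outside_ssh_syn": {"src": "172.16.5.5", "dst": "192.168.1.10", "protocol": 6, "dst_port": 22, "flags": 2},
    "outside_ssh_synack": {"src": "172.16.5.5", "dst": "192.168.1.10", "protocol": 6, "dst_port": 22, "flags": 18},
    "outside_http_syn": {"src": "172.16.5.5", "dst": "192.168.1.10", "protocol": 6, "dst_port": 80, "flags": 2},
}


def classify_samples() -> dict:
    return {name: evaluate(SSH_GUARD_ACL, pkt) for name, pkt in SAMPLE_PACKETS.items()}
```

The second rule is the "SYN valid and ACK invalid" case from the list above (code 2, mask 18): it blocks connection attempts from outside the management network while leaving reply segments of established sessions alone, which is the usual reason to mask on both bits rather than on SYN only.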
Figure 196: Configuring an Extended IPv4 ACL CONFIGURING A STANDARD IPV6 ACL Use the Security > ACL (Configure ACL - Add Rule - IPv6 Standard) page to configure a Standard IPv6 ACL. CLI REFERENCES ◆ "permit, deny (Standard IPv6 ACL)" on page 959 ◆ "show ipv6 access-list" on page 963 ◆ "Time Range" on page 762 PARAMETERS These parameters are displayed in the web interface: ◆ Type – Selects the type of ACLs to show in the Name list.
◆ Time Range – Name of a time range. WEB INTERFACE To add rules to a Standard IPv6 ACL: 1. Click Security, ACL. 2. Select Configure ACL from the Step list. 3. Select Add Rule from the Action list. 4. Select IPv6 Standard from the Type list. 5. Select the name of an ACL from the Name list. 6. Specify the action (i.e., Permit or Deny). 7. Select the source address type (Any, Host, or IPv6-prefix). 8. If you select "Host," enter a specific address.
CONFIGURING AN EXTENDED IPV6 ACL Use the Security > ACL (Configure ACL - Add Rule - IPv6 Extended) page to configure an Extended IPv6 ACL. CLI REFERENCES ◆ "permit, deny (Extended IPv6 ACL)" on page 960 ◆ "show ipv6 access-list" on page 963 ◆ "Time Range" on page 762 PARAMETERS These parameters are displayed in the web interface: ◆ Type – Selects the type of ACLs to show in the Name list. ◆ Name – Shows the names of ACLs matching the selected type.
◆ Time Range – Name of a time range. WEB INTERFACE To add rules to an Extended IPv6 ACL: 1. Click Security, ACL. 2. Select Configure ACL from the Step list. 3. Select Add Rule from the Action list. 4. Select IPv6 Extended from the Type list. 5. Select the name of an ACL from the Name list. 6. Specify the action (i.e., Permit or Deny). 7. Select the address type (Any or IPv6-prefix). 8. If you select "Host," enter a specific address.
CONFIGURING A MAC ACL Use the Security > ACL (Configure ACL - Add Rule - MAC) page to configure a MAC ACL based on hardware addresses, packet format, and Ethernet type. CLI REFERENCES ◆ "permit, deny (MAC ACL)" on page 965 ◆ "show ip access-list" on page 957 ◆ "Time Range" on page 762 PARAMETERS These parameters are displayed: ◆ Type – Selects the type of ACLs to show in the Name list. ◆ Name – Shows the names of ACLs matching the selected type.
WEB INTERFACE To add rules to a MAC ACL: 1. Click Security, ACL. 2. Select Configure ACL from the Step list. 3. Select Add Rule from the Action list. 4. Select MAC from the Type list. 5. Select the name of an ACL from the Name list. 6. Specify the action (i.e., Permit or Deny). 7. Select the address type (Any, Host, or MAC). 8. If you select "Host," enter a specific address (e.g., 11-22-33-44-55-66).
CONFIGURING AN ARP ACL Use the Security > ACL (Configure ACL - Add Rule - ARP) page to configure ACLs based on ARP message addresses. ARP Inspection can then use these ACLs to filter suspicious traffic (see "Configuring Global Settings for ARP Inspection" on page 373).
WEB INTERFACE To add rules to an ARP ACL: 1. Click Security, ACL. 2. Select Configure ACL from the Step list. 3. Select Add Rule from the Action list. 4. Select ARP from the Type list. 5. Select the name of an ACL from the Name list. 6. Specify the action (i.e., Permit or Deny). 7. Select the packet type (Request, Response, All). 8. Select the address type (Any, Host, or IP). 9. If you select "Host," enter a specific address (e.g., 11-22-33-44-55-66).
BINDING A PORT TO AN ACCESS CONTROL LIST After configuring ACLs, use the Security > ACL (Configure Interface) page to bind the ports that need to filter traffic to the appropriate ACLs. You can assign one IP access list and one MAC access list to any port.
Figure 201: Binding a Port to an ACL CONFIGURING ACL MIRRORING After configuring ACLs, use the Security > ACL > Configure Interface (Add Mirror) page to mirror traffic matching an ACL from one or more source ports to a target port for real-time analysis. You can then attach a logic analyzer or RMON probe to the target port and study the traffic crossing the source port(s) in a completely unobtrusive manner.
WEB INTERFACE To mirror traffic matching an ACL to a target port: 1. Click Security, ACL. 2. Select Configure Interface from the Step list. 3. Select Add Mirror from the Action list. 4. Select a port. 5. Select the name of an ACL from the ACL list. 6. Click Apply. Figure 202: Configuring ACL Mirroring To show the ACLs to be mirrored: 1. Select Configure Interface from the Step list. 2. Select Show Mirror from the Action list. 3. Select a port.
SHOWING ACL HARDWARE COUNTERS Use the Security > ACL > Configure Interface (Show Hardware Counters) page to show statistics for ACL hardware counters. CLI REFERENCES ◆ "show access-list" on page 974 PARAMETERS These parameters are displayed: ◆ Port – Port identifier. (Range: 1-28) ◆ Type – ACL type. (IP Standard, IP Extended, MAC, IPv6 Standard, or IPv6 Extended) ◆ Direction – Displays statistics for ingress or egress traffic.
CHAPTER 13 | Security Measures ARP Inspection Figure 204: Showing ACL Statistics ARP INSPECTION ARP Inspection is a security feature that validates the MAC Address bindings for Address Resolution Protocol packets. It provides protection against ARP traffic with invalid MAC-to-IP address bindings, which forms the basis for certain “man-in-the-middle” attacks.
■ When ARP Inspection is disabled, all ARP request and reply packets will bypass the ARP Inspection engine and their switching behavior will match that of all other packets. ■ Disabling and then re-enabling global ARP Inspection will not affect the ARP Inspection configuration of any VLANs. ■ When ARP Inspection is disabled globally, it is still possible to configure ARP Inspection for individual VLANs.
ARP Inspection Logging ◆ By default, logging is active for ARP Inspection, and cannot be disabled. ◆ The administrator can configure the log facility rate. ◆ When the switch drops a packet, it places an entry in the log buffer, then generates a system message on a rate-controlled basis. After the system message is generated, the entry is cleared from the log buffer.
WEB INTERFACE To configure global settings for ARP Inspection: 1. Click Security, ARP Inspection. 2. Select Configure General from the Step list. 3. Enable ARP inspection globally, enable any of the address validation options, and adjust any of the logging parameters if required. 4. Click Apply.
◆ If Static is not specified, ARP packets are first validated against the selected ACL; if no ACL rules match the packets, then the DHCP snooping bindings database determines their validity. PARAMETERS These parameters are displayed: ◆ ARP Inspection VLAN ID – Selects any configured VLAN. (Default: 1) ◆ ARP Inspection VLAN Status – Enables ARP Inspection for the selected VLAN.
CONFIGURING INTERFACE SETTINGS FOR ARP INSPECTION Use the Security > ARP Inspection (Configure Interface) page to specify the ports that require ARP inspection, and to adjust the packet inspection rate. CLI REFERENCES ◆ "ARP Inspection" on page 931 PARAMETERS These parameters are displayed: ◆ Interface – Port or trunk identifier. ◆ Trust Status – Configures the port as trusted or untrusted.
Figure 207: Configuring Interface Settings for ARP Inspection DISPLAYING ARP INSPECTION STATISTICS Use the Security > ARP Inspection (Show Information - Show Statistics) page to display statistics about the number of ARP packets processed, or dropped for various reasons.
WEB INTERFACE To display statistics for ARP Inspection: 1. Click Security, ARP Inspection. 2. Select Show Information from the Step list. 3. Select Show Statistics from the Action list. Figure 208: Displaying Statistics for ARP Inspection DISPLAYING THE ARP INSPECTION LOG Use the Security > ARP Inspection (Show Information - Show Log) page to show information about entries stored in the log, including the associated VLAN, port, and address components.
CHAPTER 13 | Security Measures Filtering IP Addresses for Management Access WEB INTERFACE To display the ARP Inspection log: 1. Click Security, ARP Inspection. 2. Select Show Information from the Step list. 3. Select Show Log from the Action list.
◆ You can delete an address range just by specifying the start address, or by specifying both the start address and end address. PARAMETERS These parameters are displayed: ◆ Mode ■ Web – Configures IP address(es) for the web group. ■ SNMP – Configures IP address(es) for the SNMP group. ■ Telnet – Configures IP address(es) for the Telnet group. ■ All – Configures IP address(es) for all groups.
CHAPTER 13 | Security Measures Configuring Port Security To show a list of IP addresses authorized for management access: 1. Click Security, IP Filter. 2. Select Show from the Action list. Figure 211: Showing IP Addresses Authorized for Management Access CONFIGURING PORT SECURITY Use the Security > Port Security page to configure the maximum number of device MAC addresses that can be learned by a switch port, stored in the address table, and authorized to access the network.
◆ When the port security state is changed from enabled to disabled, all dynamically learned entries are cleared from the address table. ◆ If port security is enabled, and the maximum number of allowed addresses is set to a non-zero value, any device not in the address table that attempts to use the port will be prevented from accessing the switch.
CHAPTER 13 | Security Measures Configuring 802.1X Port Authentication ◆ MAC Filter – Shows if MAC address filtering has been set under Security > Network Access (Configure MAC Filter) as described on page 335. ◆ MAC Filter ID – The identifier for a MAC address filter. ◆ Last Intrusion MAC – The last unauthorized MAC address detected. ◆ Last Time Detected Intrusion MAC – The last time an unauthorized MAC address was detected. WEB INTERFACE To configure port security: 1.
CHAPTER 13 | Security Measures Configuring 802.1X Port Authentication rights. When a client (i.e., Supplicant) connects to a switch port, the switch (i.e., Authenticator) responds with an EAPOL identity request. The client provides its identity (such as a user name) in an EAPOL response to the switch, which it forwards to the RADIUS server. The RADIUS server verifies the client identity and sends an access challenge back to the client.
CHAPTER 13 | Security Measures Configuring 802.1X Port Authentication ◆ The RADIUS server and client also have to support the same EAP authentication type – MD5, PEAP, TLS, or TTLS. (Native support for these EAP types is provided in Windows 8, 7, Vista and XP.) CONFIGURING 802.1X GLOBAL SETTINGS Use the Security > Port Authentication (Configure Global) page to configure IEEE 802.1X port authentication. The 802.
CHAPTER 13 | Security Measures Configuring 802.1X Port Authentication WEB INTERFACE To configure global settings for 802.1X: 1. Click Security, Port Authentication. 2. Select Configure Global from the Step list. 3. Enable 802.1X globally for the switch, and configure EAPOL Pass Through if required. Then set the user name and password to use when the switch responds to an MD5 challenge from the authentication server. 4. Click Apply. Figure 214: Configuring Global Settings for 802.
CHAPTER 13 | Security Measures Configuring 802.1X Port Authentication ◆ When devices attached to a port must submit requests to another authenticator on the network, configure the Identity Profile parameters on the Configure Global page (see "Configuring 802.1X Global Settings" on page 386) which identify this switch as a supplicant, and configure the supplicant parameters for those ports which must authenticate clients through the remote authenticator (see "Configuring Port Supplicant Settings for 802.
CHAPTER 13 | Security Measures Configuring 802.1X Port Authentication ■ MAC-Based – Allows multiple hosts to connect to this port, with each host needing to be authenticated. In this mode, each host connected to a port needs to pass authentication. The number of hosts allowed access to a port operating in this mode is limited only by the available space in the secure address table (i.e., up to 1024 addresses).
CHAPTER 13 | Security Measures Configuring 802.1X Port Authentication before it times out the authentication session. (Range: 1-10; Default: 2) ◆ Intrusion Action – Sets the port’s response to a failed authentication. ■ Block Traffic – Blocks all non-EAP traffic on the port. (This is the default setting.) ■ Guest VLAN – All traffic for the port is assigned to a guest VLAN.
CHAPTER 13 | Security Measures Configuring 802.1X Port Authentication 5. Click Apply. Figure 215: Configuring Interface Settings for 802.1X Port Authenticator CONFIGURING PORT SUPPLICANT SETTINGS FOR 802.1X Use the Security > Port Authentication (Configure Interface – Supplicant) page to configure 802.1X port settings for supplicant requests issued from a port to an authenticator on another device. When 802.
CHAPTER 13 | Security Measures Configuring 802.1X Port Authentication ◆ This switch can be configured to serve as the authenticator on selected ports by setting the Control Mode to Auto on the Authenticator configuration page, and as a supplicant on other ports by setting the control mode to Force-Authorized on that configuration page and enabling the PAE supplicant on the Supplicant configuration page. PARAMETERS These parameters are displayed: ◆ Port – Port number.
CHAPTER 13 | Security Measures Configuring 802.1X Port Authentication Figure 216: Configuring Interface Settings for 802.1X Port Supplicant DISPLAYING 802.1X STATISTICS Use the Security > Port Authentication (Show Statistics) page to display statistics for dot1x protocol exchanges for any port. CLI REFERENCES ◆ "show dot1x" on page 860 PARAMETERS These parameters are displayed: Table 23: 802.
CHAPTER 13 | Security Measures Configuring 802.1X Port Authentication Table 23: 802.1X Statistics (Continued)
Parameter | Description
Tx EAP Req/Id | The number of EAP Req/Id frames that have been transmitted by this Authenticator.
Tx EAP Req/Oth | The number of EAP Request frames (other than Rq/Id frames) that have been transmitted by this Authenticator.
Tx EAPOL Total | The number of EAPOL frames of any type that have been transmitted by this Authenticator.
CHAPTER 13 | Security Measures Configuring 802.1X Port Authentication WEB INTERFACE To display port authenticator statistics for 802.1X: 1. Click Security, Port Authentication. 2. Select Show Statistics from the Step list. 3. Click Authenticator. Figure 217: Showing Statistics for 802.
CHAPTER 13 | Security Measures DoS Protection To display port supplicant statistics for 802.1X: 1. Click Security, Port Authentication. 2. Select Show Statistics from the Step list. 3. Click Supplicant. Figure 218: Showing Statistics for 802.1X Port Supplicant DOS PROTECTION Use the Security > DoS Protection page to protect against denial-of-service (DoS) attacks. A DoS attack is an attempt to block the services provided by a computer or network resource.
CHAPTER 13 | Security Measures DoS Protection ◆ Echo/Chargen Attack Rate – Maximum allowed rate. (Range: 64-2000 kbits/second; Default: 1000 kbits/second) ◆ Smurf Attack – Attacks in which a perpetrator generates a large amount of spoofed ICMP Echo Request traffic to the broadcast destination IP address (255.255.255.255), all of which uses a spoofed source address of the intended victim. The victim should crash due to the many interrupts required to send ICMP Echo response packets.
CHAPTER 13 | Security Measures IPv4 Source Guard URG flag to the target computer on TCP port 139 (NetBIOS), causing it to lock up and display a “Blue Screen of Death.” This did not cause any damage to, or change data on, the computer’s hard disk, but any unsaved data would be lost. Microsoft made patches to prevent the WinNuke attack, but the OOB packets. (Default: Disabled) ◆ WinNuke Attack Rate – Maximum allowed rate.
CHAPTER 13 | Security Measures IPv4 Source Guard CONFIGURING PORTS FOR IP SOURCE GUARD Use the Security > IP Source Guard > Port Configuration page to set the filtering type based on source IP address, or source IP address and MAC address pairs. IP Source Guard is used to filter traffic on an insecure port which receives messages from outside the network or firewall, and therefore may be subject to traffic attacks caused by a host trying to use the IP address of a neighbor.
CHAPTER 13 | Security Measures IPv4 Source Guard PARAMETERS These parameters are displayed: ◆ Filter Type – Configures the switch to filter inbound traffic based on source IP address, or source IP address and corresponding MAC address. (Default: None) ■ None – Disables IP source guard filtering on the port. ■ SIP – Enables traffic filtering based on IP addresses stored in the binding table.
CHAPTER 13 | Security Measures IPv4 Source Guard CONFIGURING STATIC BINDINGS FOR IP SOURCE GUARD Use the Security > IP Source Guard > Static Configuration page to bind a static address to a port. Table entries include a MAC address, IP address, lease time, entry type (Static, Dynamic), VLAN identifier, and port identifier. All static entries are configured with an infinite lease time, which is indicated with a value of zero in the table.
CHAPTER 13 | Security Measures IPv4 Source Guard ◆ IP Address – IP address corresponding to the client. ◆ Lease Time – The time for which this IP address is leased to the client. (This value is zero for all static addresses.) WEB INTERFACE To configure static bindings for IP Source Guard: 1. Click Security, IP Source Guard, Static Configuration. 2. Select Add from the Action list. 3. Enter the required bindings for each port. 4.
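The filtering decision the Port Configuration and Static Configuration pages describe, written out as a small model (an added example, not Edgecore's code): a binding table of MAC/IP/VLAN/port entries with static entries carrying an infinite lease (0), and a per-port filter type that checks the source IP alone or the IP/MAC pair. The mode name "sip-mac" for the IP-plus-MAC filter is assumed, and the model also accepts IPv6 addresses, matching on source address, VLAN and port as the IPv6 Source Guard section states.

```python
"""IP Source Guard filtering model (added example, not Edgecore code)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple

# "none" and "sip" are the names on the Port Configuration page; "sip-mac"
# is an assumed name for the "source IP address and corresponding MAC" mode.
FILTER_TYPES = ("none", "sip", "sip-mac")


def _norm_mac(mac: str) -> str:
    """Canonical lower-case colon form so 'AA-BB-..' and 'aa:bb:..' compare equal."""
    digits = mac.replace(":", "").replace("-", "").replace(".", "").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"bad MAC address: {mac}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def _norm_ip(ip: str) -> str:
    """Canonical text form for IPv4 or IPv6 (collapses '2001:0db8::0001')."""
    return str(ipaddress.ip_address(ip))


@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    vlan: int
    port: int
    entry_type: str  # "Static" or "Dynamic"
    lease: int       # seconds remaining; 0 means infinite (all static entries)


class SourceGuard:
    def __init__(self) -> None:
        self.filter_type: Dict[int, str] = {}   # port -> filter type
        self.bindings: List[Binding] = []

    def set_filter(self, port: int, filter_type: str) -> None:
        if filter_type not in FILTER_TYPES:
            raise ValueError(f"unknown filter type {filter_type!r}")
        self.filter_type[port] = filter_type

    def add_static(self, mac: str, ip: str, vlan: int, port: int) -> None:
        # Static entries always get an infinite lease, shown as 0 in the table.
        self.bindings.append(
            Binding(_norm_mac(mac), _norm_ip(ip), vlan, port, "Static", 0))

    def add_dynamic(self, mac: str, ip: str, vlan: int, port: int, lease: int) -> None:
        # Dynamic entries are what DHCP snooping would register, with the lease time.
        self.bindings.append(
            Binding(_norm_mac(mac), _norm_ip(ip), vlan, port, "Dynamic", lease))

    def permit(self, port: int, vlan: int, src_mac: str, src_ip: str) -> Tuple[bool, str]:
        """Return (permitted, reason) for one inbound frame received on `port`."""
        mode = self.filter_type.get(port, "none")
        if mode == "none":
            return True, "source guard disabled on port"
        mac, ip = _norm_mac(src_mac), _norm_ip(src_ip)
        for b in self.bindings:
            # A binding only counts for the port and VLAN it was learned or configured on,
            # so a host on another port cannot borrow a neighbour's address.
            if b.port != port or b.vlan != vlan or b.ip != ip:
                continue
            if mode == "sip":
                return True, f"SIP match ({b.entry_type} entry)"
            if b.mac == mac:
                return True, f"SIP-MAC match ({b.entry_type} entry)"
        return False, "no matching binding for this source on this port/VLAN"


if __name__ == "__main__":
    # Constructed sample table: one static and one dynamic binding.
    sg = SourceGuard()
    sg.set_filter(1, "sip-mac")
    sg.set_filter(2, "sip")
    sg.add_static("00-11-22-33-44-55", "192.168.1.10", 1, 1)
    sg.add_dynamic("00:aa:bb:cc:dd:ee", "192.168.1.20", 1, 2, 3600)
    for frame in [(1, 1, "00:11:22:33:44:55", "192.168.1.10"),   # legitimate host
                  (1, 1, "00:11:22:33:44:66", "192.168.1.10"),   # right IP, wrong MAC
                  (2, 1, "00:aa:bb:cc:dd:ee", "192.168.1.10")]:  # neighbour's IP from port 2
        print(frame, "->", sg.permit(*frame))
```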
CHAPTER 13 | Security Measures IPv4 Source Guard DISPLAYING INFORMATION FOR DYNAMIC IPV4 SOURCE GUARD BINDINGS Use the Security > IP Source Guard > Dynamic Binding page to display the source-guard binding table for a selected interface. CLI REFERENCES ◆ "show ip dhcp snooping binding" on page 910 PARAMETERS These parameters are displayed: Query by ◆ Port – A port on this switch. ◆ VLAN – ID of a configured VLAN (Range: 1-4094) ◆ MAC Address – A valid unicast MAC address.
CHAPTER 13 | Security Measures IPv6 Source Guard Figure 223: Showing the IP Source Guard Binding Table IPV6 SOURCE GUARD IPv6 Source Guard is a security feature that filters IPv6 traffic on nonrouted, Layer 2 network interfaces based on manually configured entries in the IPv6 Source Guard table, or dynamic entries in the Neighbor Discovery Snooping table or DHCPv6 Snooping table when either snooping protocol is enabled (see the DHCPv6 Snooping commands on page 910).
CHAPTER 13 | Security Measures IPv6 Source Guard snooping or DHCPv6 snooping, or static addresses configured in the source guard binding table. The port allows only IPv6 traffic with a matching entry in the binding table and denies all other IPv6 traffic. ◆ Table entries include a MAC address, IPv6 global unicast address, entry type (Static-IPv6-SG-Binding, Dynamic-ND-Binding, Dynamic-DHCPv6Binding), VLAN identifier, and port identifier.
CHAPTER 13 | Security Measures IPv6 Source Guard This parameter sets the maximum number of IPv6 global unicast source IPv6 address entries that can be mapped to an interface in the binding table, including both dynamic entries discovered by ND snooping, DHCPv6 snooping (see the DHCPv6 Snooping commands), and static entries set by IPv6 Source Guard (see "Configuring Static Bindings for IPv6 Source Guard" on page 406).
CHAPTER 13 | Security Measures IPv6 Source Guard COMMAND USAGE ◆ Traffic filtering is based only on the source IPv6 address, VLAN ID, and port number. ◆ Static addresses entered in the source guard binding table are automatically configured with an infinite lease time. ◆ When source guard is enabled, traffic is filtered based upon dynamic entries learned via ND snooping, DHCPv6 snooping, or static addresses configured in the source guard binding table.
CHAPTER 13 | Security Measures IPv6 Source Guard ◆ IPv6 Address – IPv6 address corresponding to the client. ◆ Type – Shows the entry type: ■ DHCP – Dynamic DHCPv6 binding, stateful address. ■ ND – Dynamic Neighbor Discovery binding, stateless address. ■ STA – Static IPv6 Source Guard binding. WEB INTERFACE To configure static bindings for IPv6 Source Guard: 1. Click Security, IPv6 Source Guard, Static Configuration. 2. Select Add from the Action list. 3. Enter the required bindings for each port.
CHAPTER 13 | Security Measures IPv6 Source Guard DISPLAYING INFORMATION FOR DYNAMIC IPV6 SOURCE GUARD BINDINGS Use the Security > IPv6 Source Guard > Dynamic Binding page to display the source-guard binding table for a selected interface. CLI REFERENCES ◆ "show ipv6 source-guard binding" on page 931 PARAMETERS These parameters are displayed: Query by ◆ Port – A port on this switch. ◆ VLAN – ID of a configured VLAN (Range: 1-4094) ◆ MAC Address – A valid unicast MAC address.
CHAPTER 13 | Security Measures DHCP Snooping DHCP SNOOPING The addresses assigned to DHCP clients on insecure ports can be carefully controlled using the dynamic bindings registered with DHCP Snooping (or using the static bindings configured with IP Source Guard). DHCP snooping allows a switch to protect a network from rogue DHCP servers or other devices which send port-related information to a DHCP server. This information can be useful in tracking an IP address back to a physical port.
CHAPTER 13 | Security Measures DHCP Snooping ■ If the DHCP packet is from a client, such as a DECLINE or RELEASE message, the switch forwards the packet only if the corresponding entry is found in the binding table. ■ If the DHCP packet is from a client, such as a DISCOVER, REQUEST, INFORM, DECLINE or RELEASE message, the packet is forwarded if MAC address verification is disabled.
CHAPTER 13 | Security Measures DHCP Snooping the DHCP client request, including the port and VLAN ID. This allows DHCP client-server exchange messages to be forwarded between the server and client without having to flood them to the entire VLAN. ◆ If DHCP Snooping Information Option 82 is enabled on the switch, information may be inserted into a DHCP request packet received over any VLAN (depending on DHCP snooping filtering rules).
CHAPTER 13 | Security Measures DHCP Snooping ■ string - An arbitrary string inserted into the remote identifier field. (Range: 1-32 characters) ◆ DHCP Snooping Information Option Policy – Specifies how to handle DHCP client request packets which already contain Option 82 information. ■ Drop – Drops the client’s request packet instead of relaying it. ■ Keep – Retains the Option 82 information in the client request, and forwards the packets to trusted ports.
CHAPTER 13 | Security Measures DHCP Snooping DHCP SNOOPING VLAN CONFIGURATION Use the IP Service > DHCP > Snooping (Configure VLAN) page to enable or disable DHCP snooping on specific VLANs. CLI REFERENCES ◆ "ip dhcp snooping vlan" on page 905 COMMAND USAGE ◆ When DHCP snooping is enabled globally on the switch, and enabled on the specified VLAN, DHCP packet filtering will be performed on any untrusted ports within the VLAN.
CHAPTER 13 | Security Measures DHCP Snooping CONFIGURING PORTS FOR DHCP SNOOPING Use the IP Service > DHCP > Snooping (Configure Interface) page to configure switch ports as trusted or untrusted. CLI REFERENCES ◆ "ip dhcp snooping trust" on page 907 COMMAND USAGE ◆ A trusted interface is an interface that is configured to receive only messages from within the network. An untrusted interface is an interface that is configured to receive messages from outside the network or firewall.
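The forwarding rules spread across the DHCP Snooping pages above (global and per-VLAN enable, trusted versus untrusted ports, MAC address verification, the binding-table check for DECLINE/RELEASE, and the Option 82 Drop/Keep policy) combined into one decision function. This is an added example, not Edgecore code: the rule ordering, the treatment of server messages (OFFER/ACK/NAK) on untrusted ports as the rogue-server case, and the packet and switch field names are assumptions made for the model.

```python
"""DHCP snooping forwarding decision model (added example, not Edgecore code)."""
from dataclasses import dataclass, field
from typing import Set, Tuple

CLIENT_MSGS = {"DISCOVER", "REQUEST", "INFORM", "DECLINE", "RELEASE"}
SERVER_MSGS = {"OFFER", "ACK", "NAK"}  # assumed: server-originated types


def _norm_mac(mac: str) -> str:
    return mac.replace("-", ":").lower()


@dataclass
class DhcpPacket:
    msg_type: str
    port: int
    vlan: int
    src_mac: str           # Ethernet source address of the frame
    chaddr: str            # client hardware address inside the DHCP payload
    has_option82: bool = False


@dataclass
class SnoopingSwitch:
    enabled: bool = True                                   # global enable
    snooped_vlans: Set[int] = field(default_factory=set)   # Configure VLAN page
    trusted_ports: Set[int] = field(default_factory=set)   # Configure Interface page
    mac_verification: bool = True
    option82_policy: str = "drop"                          # "drop" or "keep"
    # binding table keyed by (client MAC, VLAN, port); constructed for the model
    bindings: Set[Tuple[str, int, int]] = field(default_factory=set)

    def decide(self, p: DhcpPacket) -> Tuple[str, str]:
        """Return ("forward"|"drop", reason) for one DHCP packet."""
        if not self.enabled or p.vlan not in self.snooped_vlans:
            return "forward", "snooping not active on this VLAN"
        if p.port in self.trusted_ports:
            return "forward", "trusted port: no filtering"
        # Everything below is an untrusted port.
        if p.msg_type in SERVER_MSGS:
            return "drop", "server message on untrusted port (rogue server)"
        if p.msg_type not in CLIENT_MSGS:
            return "drop", f"unexpected DHCP message type {p.msg_type}"
        src, chaddr = _norm_mac(p.src_mac), _norm_mac(p.chaddr)
        if self.mac_verification and src != chaddr:
            return "drop", "chaddr does not match Ethernet source MAC"
        if p.msg_type in {"DECLINE", "RELEASE"} and (chaddr, p.vlan, p.port) not in self.bindings:
            return "drop", "DECLINE/RELEASE with no binding table entry"
        if p.has_option82:
            if self.option82_policy == "drop":
                return "drop", "client request already carries Option 82"
            return "forward", "Option 82 kept, relayed to trusted ports"
        return "forward", "client request accepted"


if __name__ == "__main__":
    sw = SnoopingSwitch(snooped_vlans={10}, trusted_ports={24})
    sw.bindings.add(("00:11:22:33:44:55", 10, 3))
    samples = [
        DhcpPacket("OFFER", 3, 10, "00:aa:bb:cc:dd:ee", "00:11:22:33:44:55"),
        DhcpPacket("OFFER", 24, 10, "00:aa:bb:cc:dd:ee", "00:11:22:33:44:55"),
        DhcpPacket("DISCOVER", 3, 10, "00:11:22:33:44:66", "00:11:22:33:44:55"),
        DhcpPacket("RELEASE", 5, 10, "00:11:22:33:44:77", "00:11:22:33:44:77"),
    ]
    for pkt in samples:
        print(pkt.msg_type, "port", pkt.port, "->", sw.decide(pkt))
```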
CHAPTER 13 | Security Measures DHCP Snooping Figure 230: Configuring the Port Mode for DHCP Snooping DISPLAYING DHCP SNOOPING BINDING INFORMATION Use the IP Service > DHCP > Snooping (Show Information) page to display entries in the binding table. CLI REFERENCES ◆ "show ip dhcp snooping binding" on page 910 PARAMETERS These parameters are displayed: ◆ MAC Address – Physical address associated with the entry. ◆ IP Address – IP address corresponding to the client.
CHAPTER 13 | Security Measures DHCP Snooping 3. Use the Store or Clear function if required.
CHAPTER 13 | Security Measures DHCP Snooping – 418 –
14 BASIC ADMINISTRATION PROTOCOLS This chapter describes basic administration tasks including: ◆ Event Logging – Sets conditions for logging event messages to system memory or flash memory, configures conditions for sending trap messages to remote log servers, and configures trap reporting to remote hosts using Simple Mail Transfer Protocol (SMTP).
CHAPTER 14 | Basic Administration Protocols Configuring Event Logging CONFIGURING EVENT LOGGING The switch allows you to control the logging of error messages, including the type of events that are recorded in switch memory and logging to a remote System Log (syslog) server; it also displays a list of recent event messages. SYSTEM LOG CONFIGURATION Use the Administration > Log > System (Configure Global) page to enable or disable event logging, and specify which levels are logged to RAM or flash memory.
CHAPTER 14 | Basic Administration Protocols Configuring Event Logging ◆ RAM Level – Limits log messages saved to the switch’s temporary RAM memory for all levels up to the specified level. For example, if level 7 is specified, all messages from level 0 to level 7 will be logged to RAM. (Range: 0-7, Default: 7) NOTE: The Flash Level must be equal to or less than the RAM Level. NOTE: All log messages are retained in RAM and Flash after a warm restart (i.e., power is reset through the command interface).
CHAPTER 14 | Basic Administration Protocols Configuring Event Logging Figure 233: Showing Error Messages Logged to System Memory REMOTE LOG CONFIGURATION Use the Administration > Log > Remote page to send log messages to syslog servers or other management stations. You can also limit the event messages sent to only those messages below a specified level.
CHAPTER 14 | Basic Administration Protocols Configuring Event Logging WEB INTERFACE To configure the logging of error messages to remote servers: 1. Click Administration, Log, Remote. 2. Enable remote logging, specify the facility type to use for the syslog messages, and enter the IP address of the remote servers. 3. Click Apply.
CHAPTER 14 | Basic Administration Protocols Link Layer Discovery Protocol ◆ Email Destination Address – Specifies the email recipients of alert messages. You can specify up to five recipients. ◆ Server IP Address – Specifies a list of up to three recipient SMTP servers. IPv4 or IPv6 addresses may be specified. The switch attempts to connect to the listed servers in sequential order if the first server fails to respond. WEB INTERFACE To configure SMTP alert messages: 1. Click Administration, Log, SMTP.
CHAPTER 14 | Basic Administration Protocols Link Layer Discovery Protocol Link Layer Discovery Protocol - Media Endpoint Discovery (LLDP-MED) is an extension of LLDP intended for managing endpoint devices such as Voice over IP phones and network switches. The LLDP-MED TLVs advertise information such as network policy, power, inventory, and device location details.
CHAPTER 14 | Basic Administration Protocols Link Layer Discovery Protocol ◆ Notification Interval – Configures the allowed interval for sending SNMP notifications about LLDP MIB changes. (Range: 5-3600 seconds; Default: 5 seconds) This parameter only applies to SNMP applications which use data stored in the LLDP MIB for network monitoring or management. Information about changes in LLDP neighbors that occur between SNMP notifications is not transmitted.
CHAPTER 14 | Basic Administration Protocols Link Layer Discovery Protocol CONFIGURING LLDP INTERFACE ATTRIBUTES Use the Administration > LLDP (Configure Interface - Configure General) page to specify the message attributes for individual interfaces, including whether messages are transmitted, received, or both transmitted and received, whether SNMP notifications are sent, and the type of information advertised.
CHAPTER 14 | Basic Administration Protocols Link Layer Discovery Protocol Since there are typically a number of different addresses associated with a Layer 3 device, an individual LLDP PDU may contain more than one management address TLV.
CHAPTER 14 | Basic Administration Protocols Link Layer Discovery Protocol ■ MAC/PHY Configuration/Status – The MAC/PHY configuration and status which includes information about auto-negotiation support/capabilities, and operational Multistation Access Unit (MAU) type. ◆ MED TLVs – Configures general information included in the MED TLV field of advertised messages. ■ Max Frame Size – The maximum frame size.
CHAPTER 14 | Basic Administration Protocols Link Layer Discovery Protocol WEB INTERFACE To configure LLDP interface attributes: 1. Click Administration, LLDP. 2. Select Configure Interface from the Step list. 3. Set the LLDP transmit/receive mode, specify whether or not to send SNMP trap messages, and select the information to advertise in LLDP messages. 4. Click Apply.
CHAPTER 14 | Basic Administration Protocols Link Layer Discovery Protocol Table 25: LLDP MED Location CA Types
CA Type | Description | CA Value Example
1 | National subdivisions (state, canton, province) | California
2 | County, parish | Orange
3 | City, township | Irvine
4 | City division, borough, city district | West Irvine
5 | Neighborhood, block | Riverside
6 | Group of streets below the neighborhood level | Exchange
18 | Street suffix or type | Avenue
19 | House number | 320
20 | House number suffix | A
21
CHAPTER 14 | Basic Administration Protocols Link Layer Discovery Protocol Figure 238: Configuring the Civic Address for an LLDP Interface DISPLAYING LLDP LOCAL DEVICE INFORMATION Use the Administration > LLDP (Show Local Device Information) page to display information about the switch, such as its MAC address, chassis ID, management IP address, and port information.
CHAPTER 14 | Basic Administration Protocols Link Layer Discovery Protocol ◆ System Description – A textual description of the network entity. This field is also displayed by the show system command. ◆ System Capabilities Supported – The capabilities that define the primary function(s) of the system. Table 27: System Capabilities
ID Basis | Reference
Other | —
Repeater | IETF RFC 2108
Bridge | IETF RFC 2674
WLAN Access Point | IEEE 802.
CHAPTER 14 | Basic Administration Protocols Link Layer Discovery Protocol ◆ Port/Trunk ID Type – There are several ways in which a port may be identified. A port ID subtype is used to indicate how the port is being referenced in the Port ID TLV.
CHAPTER 14 | Basic Administration Protocols Link Layer Discovery Protocol Figure 239: Displaying Local Device Information for LLDP (General) Figure 240: Displaying Local Device Information for LLDP (Port) Figure 241: Displaying Local Device Information for LLDP (Port Details) – 435 –
CHAPTER 14 | Basic Administration Protocols Link Layer Discovery Protocol DISPLAYING LLDP REMOTE DEVICE INFORMATION Use the Administration > LLDP (Show Remote Device Information) page to display information about devices connected directly to the switch’s ports which are advertising information through LLDP, or to display detailed information about an LLDP-enabled device connected to a specific port on the local switch.
CHAPTER 14 | Basic Administration Protocols Link Layer Discovery Protocol ◆ Port ID – A string that contains the specific identifier for the port from which this LLDPDU was transmitted. ◆ System Capabilities Supported – The capabilities that define the primary function(s) of the system. (See Table 27, "System Capabilities," on page 433.) ◆ System Capabilities Enabled – The primary function(s) of the system which are currently enabled. (See Table 27, "System Capabilities," on page 433.
CHAPTER 14 | Basic Administration Protocols Link Layer Discovery Protocol Table 29: Remote Port Auto-Negotiation Advertised Capability
Bit | Capability
3 | 100BASE-T4
4 | 100BASE-TX half duplex mode
5 | 100BASE-TX full duplex mode
6 | 100BASE-T2 half duplex mode
7 | 100BASE-T2 full duplex mode
8 | PAUSE for full-duplex links
9 | Asymmetric PAUSE for full-duplex links
10 | Symmetric PAUSE for full-duplex links
11 | Asymmetric and Symmetric PAUSE for full-duplex links
12 | 1000BASE-X, -LX, -SX, -CX half duple
CHAPTER 14 | Basic Administration Protocols Link Layer Discovery Protocol points and others, will be classified according to their power requirements. Port Details – 802.3 Extension Trunk Information ◆ Remote Link Aggregation Capable – Shows if the remote port is not in link aggregation state and/or it does not support link aggregation. ◆ Remote Link Aggregation Status – The current aggregation status of the link. ◆ Remote Link Port ID – This object contains the IEEE 802.
CHAPTER 14 | Basic Administration Protocols Link Layer Discovery Protocol ◆ Current Capabilities – The set of capabilities that define the primary function(s) of the port which are currently enabled.
CHAPTER 14 | Basic Administration Protocols Link Layer Discovery Protocol the other items and described under “Configuring LLDP Interface Civic-Address.” ■ ECS ELIN – Emergency Call Service Emergency Location Identification Number supports traditional PSAP-based Emergency Call Service in North America. ◆ Country Code – The two-letter ISO 3166 country code in capital ASCII letters.
CHAPTER 14 | Basic Administration Protocols Link Layer Discovery Protocol WEB INTERFACE To display LLDP information for a remote port: 1. Click Administration, LLDP. 2. Select Show Remote Device Information from the Step list. 3. Select Port, Port Details, Trunk, or Trunk Details. 4. When the next page opens, select a port on this switch and the index for a remote device attached to this port. 5. Click Query.
CHAPTER 14 | Basic Administration Protocols Link Layer Discovery Protocol Figure 243: Displaying Remote Device Information for LLDP (Port Details) – 443 –
CHAPTER 14 | Basic Administration Protocols Link Layer Discovery Protocol Additional information displayed by an end-point device which advertises LLDP-MED TLVs is shown in the following figure. Figure 244: Displaying Remote Device Information for LLDP (End Node) DISPLAYING DEVICE STATISTICS Use the Administration > LLDP (Show Device Statistics) page to display statistics for LLDP-capable devices attached to the switch, and for LLDP protocol messages transmitted or received on all local interfaces.
CHAPTER 14 | Basic Administration Protocols Link Layer Discovery Protocol ◆ Neighbor Entries Dropped Count – The number of times which the remote database on this switch dropped an LLDPDU because of insufficient resources. ◆ Neighbor Entries Age-out Count – The number of times that a neighbor’s information has been deleted from the LLDP remote systems MIB because the remote TTL timer has expired.
CHAPTER 14 | Basic Administration Protocols Simple Network Management Protocol Figure 245: Displaying LLDP Device Statistics (General) Figure 246: Displaying LLDP Device Statistics (Port) SIMPLE NETWORK MANAGEMENT PROTOCOL Simple Network Management Protocol (SNMP) is a communication protocol designed specifically for managing devices on a network. Equipment commonly managed with SNMP includes switches, routers and host computers.
CHAPTER 14 | Basic Administration Protocols Simple Network Management Protocol as well as the traffic passing through its ports. A network management station can access this information using network management software. Access to the onboard agent from clients using SNMP v1 and v2c is controlled by community strings. To communicate with the switch, the management station must first submit a valid community string for authentication.
CHAPTER 14 | Basic Administration Protocols Simple Network Management Protocol COMMAND USAGE Configuring SNMPv1/2c Management Access To configure SNMPv1 or v2c management access to the switch, follow these steps: 1. Use the Administration > SNMP (Configure Global) page to enable SNMP on the switch, and to enable trap messages. 2. Use the Administration > SNMP (Configure User - Add Community) page to configure the community strings authorized for management access. 3.
CHAPTER 14 | Basic Administration Protocols Simple Network Management Protocol PARAMETERS These parameters are displayed: ◆ Agent Status – Enables SNMP on the switch. (Default: Enabled) ◆ Authentication Traps – Issues a notification message to specified IP trap managers whenever an invalid community string is submitted during the SNMP access authentication process. (Default: Enabled) ◆ Link-up and Link-down Traps – Issues a notification message whenever a port link is established or broken.
CHAPTER 14 | Basic Administration Protocols Simple Network Management Protocol ID is deleted or changed, all SNMP users will be cleared. You will need to reconfigure all existing users. PARAMETERS These parameters are displayed: ◆ Engine ID – A new engine ID can be specified by entering 9 to 64 hexadecimal characters (5 to 32 octets in hexadecimal format). If an odd number of characters are specified, a trailing zero is added to the value to fill in the last octet.
CHAPTER 14 | Basic Administration Protocols Simple Network Management Protocol COMMAND USAGE ◆ SNMP passwords are localized using the engine ID of the authoritative agent. For informs, the authoritative SNMP agent is the remote agent. You therefore need to configure the remote agent’s SNMP engine ID before you can send proxy requests or informs to it. (See "Configuring Remote SNMPv3 Users" on page 463.
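Why the remote agent's engine ID matters for informs: the USM key derivation of RFC 3414 folds the authoritative engine ID into the localized key, so a password localized against the wrong engine ID authenticates nothing. The following is an added example, not Edgecore code, that implements that derivation in Python and applies the engine ID rules stated on the Configure Engine ID page (9 to 64 hexadecimal characters, trailing zero added for an odd count) and the eight-character minimum given for the Authentication Password; the MD5 and SHA protocol names are the two options listed for the Authentication Protocol parameter.

```python
"""SNMPv3 USM password-to-key and key localization, RFC 3414 section 2.6.
Added example, not Edgecore code."""
import hashlib
from typing import Callable, Dict

# Authentication Protocol options on the Add SNMPv3 User page: MD5 or SHA.
HASHES: Dict[str, Callable[[], "hashlib._Hash"]] = {
    "MD5": hashlib.md5,
    "SHA": hashlib.sha1,
}

_HEX = set("0123456789abcdef")


def normalize_engine_id(hex_chars: str) -> bytes:
    """Apply the page's engine ID rules: 9-64 hex characters, odd count padded
    with a trailing zero to complete the last octet."""
    s = hex_chars.strip().lower()
    if not 9 <= len(s) <= 64:
        raise ValueError("engine ID must be 9 to 64 hexadecimal characters")
    if any(c not in _HEX for c in s):
        raise ValueError("engine ID must be hexadecimal")
    if len(s) % 2:
        s += "0"
    return bytes.fromhex(s)


def password_to_key(password: str, proto: str) -> bytes:
    """Ku: hash of the password repeated cyclically to exactly 1,048,576 octets."""
    if len(password) < 8:
        raise ValueError("authentication password needs at least eight characters")
    pw = password.encode("utf-8")
    reps, rem = divmod(1_048_576, len(pw))
    h = HASHES[proto]()
    h.update(pw * reps + pw[:rem])
    return h.digest()


def localize_key(password: str, engine_id_hex: str, proto: str) -> bytes:
    """Kul = H(Ku || engineID || Ku): the key the authoritative agent will check.
    For traps that agent is the local switch; for informs it is the remote agent,
    which is why the remote engine ID has to be configured first."""
    ku = password_to_key(password, proto)
    engine_id = normalize_engine_id(engine_id_hex)
    return HASHES[proto](ku + engine_id + ku).digest()


if __name__ == "__main__":
    # RFC 3414 appendix A.3 test vector: password "maplesyrup", engine ID ...02.
    rfc_engine = "000000000000000000000002"
    print("MD5 Kul:", localize_key("maplesyrup", rfc_engine, "MD5").hex())
    print("SHA Kul:", localize_key("maplesyrup", rfc_engine, "SHA").hex())
    # Same password, different (constructed, odd-length) engine ID: different key.
    print("MD5 Kul:", localize_key("maplesyrup", "80000009e", "MD5").hex())
```

The first two lines printed match the RFC 3414 appendix A.3 localized keys, which is a quick check that an implementation or a tool's key derivation agrees with the switch.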
CHAPTER 14 | Basic Administration Protocols Simple Network Management Protocol Figure 250: Showing Remote Engine IDs for SNMP SETTING SNMPV3 VIEWS Use the Administration > SNMP (Configure View) page to configure SNMPv3 views which are used to restrict user access to specified portions of the MIB tree. The predefined view “defaultview” includes access to the entire MIB tree.
CHAPTER 14 | Basic Administration Protocols Simple Network Management Protocol 3. Select Add View from the Action list. 4. Enter a view name and specify the initial OID subtree in the switch’s MIB database to be included or excluded in the view. Use the Add OID Subtree page to add additional object identifier branches to the view. 5. Click Apply. Figure 251: Creating an SNMP View To show the SNMP views of the switch’s MIB database: 1. Click Administration, SNMP. 2.
CHAPTER 14 | Basic Administration Protocols Simple Network Management Protocol 5. Click Apply. Figure 253: Adding an OID Subtree to an SNMP View To show the OID branches configured for the SNMP views of the switch’s MIB database: 1. Click Administration, SNMP. 2. Select Configure View from the Step list. 3. Select Show OID Subtree from the Action list. 4. Select a view name from the list of existing views.
CHAPTER 14 | Basic Administration Protocols Simple Network Management Protocol CONFIGURING SNMPV3 GROUPS Use the Administration > SNMP (Configure Group) page to add an SNMPv3 group which can be used to set the access policy for its assigned users, restricting them to specific read, write, and notify views. You can use the pre-defined default groups or create new groups to map a set of SNMP users to SNMP views.
CHAPTER 14 | Basic Administration Protocols Simple Network Management Protocol Table 31: Supported Notification Messages
Notification | OID | Description
newRoot | 1.3.6.1.2.1.17.0.1 | The newRoot trap indicates that the sending agent has become the new root of the Spanning Tree; the trap is sent by a bridge soon after its election as the new root, e.g., upon expiration of the Topology Change Timer immediately subsequent to its election.
topologyChange | 1.3.6.1.2.1.17.0.
CHAPTER 14 | Basic Administration Protocols Simple Network Management Protocol Table 31: Supported Notification Messages (Continued)
swIpFilterRejectTrap | 1.3.6.1.4.1.259.10.1.22.2.1.0.40 | This trap is sent when an incorrect IP address is rejected by the IP Filter.
swAtcBcastStormAlarmFireTrap | 1.3.6.1.4.1.259.10.1.22.2.1.0.70 | When broadcast traffic is detected as a storm, this trap is fired.
swAtcBcastStormAlarmClearTrap | 1.3.6.1.4.1.259.10.1.22.2.1.0.
CHAPTER 14 | Basic Administration Protocols Simple Network Management Protocol Table 31: Supported Notification Messages (Continued)
swMemoryUtiFallingThresholdNotification | 1.3.6.1.4.1.259.10.1.22.2.1.0.110 | This notification indicates that the memory utilization has fallen from memoryUtiRisingThreshold to memoryUtiFallingThreshold.
dhcpRougeServerAttackTrap | 1.3.6.1.4.1.259.10.1.22.2.1.0.114 | This trap is sent when receiving a DHCP packet from a rogue server.
macNotificationTrap | 1.
CHAPTER 14 | Basic Administration Protocols Simple Network Management Protocol WEB INTERFACE To configure an SNMP group: 1. Click Administration, SNMP. 2. Select Configure Group from the Step list. 3. Select Add from the Action list. 4. Enter a group name, assign a security model and level, and then select read, write, and notify views. 5. Click Apply. Figure 255: Creating an SNMP Group To show SNMP groups: 1. Click Administration, SNMP. 2. Select Configure Group from the Step list. 3.
CHAPTER 14 | Basic Administration Protocols Simple Network Management Protocol SETTING COMMUNITY ACCESS STRINGS Use the Administration > SNMP (Configure User - Add Community) page to configure up to five community strings authorized for management access by clients using SNMP v1 and v2c. For security reasons, you should consider removing the default strings.
CHAPTER 14 | Basic Administration Protocols Simple Network Management Protocol To show the community access strings: 1. Click Administration, SNMP. 2. Select Configure User from the Step list. 3. Select Show Community from the Action list.
CHAPTER 14 | Basic Administration Protocols Simple Network Management Protocol ■ AuthPriv – SNMP communications use both authentication and encryption. ◆ Authentication Protocol – The method used for user authentication. (Options: MD5, SHA; Default: MD5) ◆ Authentication Password – A minimum of eight plain text characters is required. ◆ Privacy Protocol – The encryption algorithm used for data privacy; only 56-bit DES is currently available.
CHAPTER 14 | Basic Administration Protocols Simple Network Management Protocol To show local SNMPv3 users: 1. Click Administration, SNMP. 2. Select Configure User from the Step list. 3. Select Show SNMPv3 Local User from the Action list. Figure 260: Showing Local SNMPv3 Users CONFIGURING REMOTE SNMPV3 USERS Use the Administration > SNMP (Configure User - Add SNMPv3 Remote User) page to identify the source of SNMPv3 inform messages sent from the local switch.
◆ Security Level – The following security levels are only used for the groups assigned to the SNMP security model:
■ noAuthNoPriv – There is no authentication or encryption used in SNMP communications. (This is the default security level.)
■ AuthNoPriv – SNMP communications use authentication, but the data is not encrypted.
■ AuthPriv – SNMP communications use both authentication and encryption.
Figure 261: Configuring Remote SNMPv3 Users
To show remote SNMPv3 users:
1. Click Administration, SNMP.
2. Select Configure User from the Step list.
3. Select Show SNMPv3 Remote User from the Action list.
SPECIFYING TRAP MANAGERS
Use the Administration > SNMP (Configure Trap) page to specify the host devices to be sent traps and the types of traps to send. Traps indicating status changes are issued by the switch to the specified trap managers. You must specify trap managers so that key events are reported by this switch to your management station (using network management software).
PARAMETERS
These parameters are displayed:
SNMP Version 1
◆ IP Address – IP address of a new management station to receive notification messages (i.e., the targeted recipient).
◆ Version – Specifies whether to send notifications as SNMP v1, v2c, or v3 traps. (Default: v1)
◆ Community String – Specifies a valid community string for the new trap manager entry.
SNMP Version 3
◆ IP Address – IP address of a new management station to receive notification messages (i.e., the targeted recipient).
◆ Version – Specifies whether to send notifications as SNMP v1, v2c, or v3 traps.
◆ Notification Type
■ Traps – Notifications are sent as trap messages.
■ Inform – Notifications are sent as inform messages. Note that this option is only available for version 2c and 3 hosts.
WEB INTERFACE
To configure trap managers:
1. Click Administration, SNMP.
2. Select Configure Trap from the Step list.
3. Select Add from the Action list.
4. Fill in the required parameters based on the selected SNMP version.
5.
Figure 265: Configuring Trap Managers (SNMPv3)
To show configured trap managers:
1. Click Administration, SNMP.
2. Select Configure Trap from the Step list.
3. Select Show from the Action list.
Figure 266: Showing Trap Managers
CREATING SNMP NOTIFICATION LOGS
Use the Administration > SNMP (Configure Notify Filter - Add) page to create an SNMP notification log.
The Notification Log MIB (NLM, RFC 3014) provides an infrastructure in which information from other MIBs may be logged.
◆ Given the service provided by the NLM, individual MIBs can now bear less responsibility to record transient information associated with an event against the possibility that the Notification message is lost, and applications can poll the log to verify that they have not missed any important Notifications.
Figure 267: Creating SNMP Notification Logs
To show configured SNMP notification logs:
1. Click Administration, SNMP.
2. Select Configure Notify Filter from the Step list.
3. Select Show from the Action list.
Figure 268: Showing SNMP Notification Logs
SHOWING SNMP STATISTICS
Use the Administration > SNMP (Show Statistics) page to show counters for SNMP input and output protocol data units.
represented an SNMP operation which was not allowed by the SNMP community named in the message.
◆ Encoding errors – The total number of ASN.1 or BER errors encountered by the SNMP entity when decoding received SNMP messages.
◆ Number of requested variables – The total number of MIB objects which have been retrieved successfully by the SNMP protocol entity as the result of receiving valid SNMP Get-Request and Get-Next PDUs.
To show SNMP statistics:
1. Click Administration, SNMP.
2. Select Show Statistics from the Step list.
Figure 269: Showing SNMP Statistics
REMOTE MONITORING
Remote Monitoring allows a remote device to collect information or respond to specified events on an independent basis. This switch is an RMON-capable device which can independently perform a wide range of tasks, significantly reducing network management traffic.
CONFIGURING RMON ALARMS
Use the Administration > RMON (Configure Global - Add - Alarm) page to define specific criteria that will generate response events. Alarms can be set to test data over any specified time interval, and can monitor absolute or changing values (such as a statistical counter reaching a specific value, or a statistic changing by a certain amount over the set interval).
◆ Falling Threshold – If the current value is less than or equal to the falling threshold, and the last sample value was greater than this threshold, then an alarm will be generated. After a falling event has been generated, another such event will not be generated until the sampled value has risen above the falling threshold, reached the rising threshold, and again moved back down to the falling threshold.
To show configured RMON alarms:
1. Click Administration, RMON.
2. Select Configure Global from the Step list.
3. Select Show from the Action list.
4. Click Alarm.
Figure 271: Showing Configured RMON Alarms
CONFIGURING RMON EVENTS
Use the Administration > RMON (Configure Global - Add - Event) page to set the action to take when an alarm is triggered. The response can include logging the alarm or sending a message to a trap manager.
◆ Type – Specifies the type of event to initiate:
■ None – No event is generated.
■ Log – Generates an RMON log entry when the event is triggered. Log messages are processed based on the current configuration settings for event logging (see "System Log Configuration" on page 420).
■ Trap – Sends a trap message to all configured trap managers (see "Specifying Trap Managers" on page 466).
Figure 272: Configuring an RMON Event
To show configured RMON events:
1. Click Administration, RMON.
2. Select Configure Global from the Step list.
3. Select Show from the Action list.
4. Click Event.
COMMAND USAGE
◆ Each index number equates to a port on the switch.
◆ If history collection is already enabled on an interface, the entry must be deleted before any changes can be made.
◆ The information collected for each sample includes: input octets, packets, broadcast packets, multicast packets, undersize packets, oversize packets, fragments, jabbers, CRC alignment errors, collisions, drop events, and network utilization.
7. Click Apply.
Figure 274: Configuring an RMON History Sample
To show configured RMON history samples:
1. Click Administration, RMON.
2. Select Configure Interface from the Step list.
3. Select Show from the Action list.
4. Select a port from the list.
5. Click History.
Figure 275: Showing Configured RMON History Samples
To show collected RMON history samples:
1. Click Administration, RMON.
2. Select Configure Interface from the Step list.
4. Select a port from the list.
5. Click History.
Figure 276: Showing Collected RMON History Samples
CONFIGURING RMON STATISTICAL SAMPLES
Use the Administration > RMON (Configure Interface - Add - Statistics) page to collect statistics on a port, which can subsequently be used to monitor the network for common errors and overall traffic rates.
3. Select Add from the Action list.
4. Click Statistics.
5. Select a port from the list as the data source.
6. Enter an index number, and the name of the owner for this entry.
7. Click Apply.
Figure 277: Configuring an RMON Statistical Sample
To show configured RMON statistical samples:
1. Click Administration, RMON.
2. Select Configure Interface from the Step list.
3. Select Show from the Action list.
4. Select a port from the list.
5.
To show collected RMON statistical samples:
1. Click Administration, RMON.
2. Select Configure Interface from the Step list.
3. Select Show Details from the Action list.
4. Select a port from the list.
5. Click Statistics.
Figure 279: Showing Collected RMON Statistical Samples
SWITCH CLUSTERING
Switch clustering is a method of grouping switches together to enable centralized management through a single unit.
information between the Commander and potential Candidates or active Members through VLAN 4093.
◆ Once a switch has been configured to be a cluster Commander, it automatically discovers other cluster-enabled switches in the network. These “Candidate” switches only become cluster Members when manually selected by the administrator through the management station.
◆ There can be up to 100 candidates and 36 member switches in one cluster.
◆ Number of Members – The current number of Member switches in the cluster.
◆ Number of Candidates – The current number of Candidate switches discovered in the network that are available to become Members.
WEB INTERFACE
To configure a switch cluster:
1. Click Administration, Cluster.
2. Select Configure Global from the Step list.
3. Set the required attributes for a Commander or a managed candidate.
4.
WEB INTERFACE
To configure cluster members:
1. Click Administration, Cluster.
2. Select Configure Member from the Step list.
3. Select Add from the Action list.
4. Select one of the cluster candidates discovered by this switch, or enter the MAC address of a candidate.
5. Click Apply.
Figure 281: Configuring Cluster Members
To show the cluster members:
1. Click Administration, Cluster.
2. Select Configure Member from the Step list.
3.
Figure 283: Showing Cluster Candidates
MANAGING CLUSTER MEMBERS
Use the Administration > Cluster (Show Member) page to manage another switch in the cluster.
CLI REFERENCES
◆ "Switch Clustering" on page 766
PARAMETERS
These parameters are displayed:
◆ Member ID – The ID number of the Member switch. (Range: 1-36)
◆ Role – Indicates the current status of the switch in the cluster.
WEB INTERFACE
To manage a cluster member:
1. Click Administration, Cluster.
2. Select Show Member from the Step list.
3. Select an entry from the Cluster Member List.
4. Click Operate.
Figure 284: Managing a Cluster Member
ETHERNET RING PROTECTION SWITCHING
NOTE: Information in this section is based on ITU-T G.8032/Y.1344. The ITU G.
blocking traffic over the RPL. When a ring failure occurs, the RPL owner is responsible for unblocking the RPL, allowing this link to be used for traffic. Ring nodes may be in one of two states:
Idle – normal operation, no link/node faults detected in the ring
Protection – protection switching in effect after identifying a signal fault
In Idle state, the physical topology has all nodes connected in a ring.
Multi-ring/Ladder Network – ERPSv2 also supports multipoint-to-multipoint connectivity within interconnected rings, called a “multi-ring/ladder network” topology. This arrangement consists of conjoined rings connected by one or more interconnection points, and is based on the following criteria:
◆ The R-APS channels are not shared across Ethernet Ring interconnections.
Figure 286: Ring Interconnection Architecture (Multi-ring/Ladder Network)
[Figure: two panels, "Normal Condition" and "Signal Fail Condition", showing ring nodes A to F joined into rings ERP1 and ERP2, the RPL Owner Node and RPL of each ring, and a ring link FAILURE in the second panel.]
6. Enable ERPS (Configure Global): Before enabling a ring as described in the next step, first globally enable ERPS on the switch. If ERPS has not yet been enabled or has been disabled, no ERPS rings will work.
7. Enable an ERPS ring (Configure Domain – Configure Details): Before an ERPS ring can work, it must be enabled.
WEB INTERFACE
To globally enable ERPS on the switch:
1. Click Administration, ERPS.
2. Select Configure Global from the Step list.
3. Mark the ERPS Status check box.
4. Click Apply.
Figure 287: Setting ERPS Global Status
ERPS RING CONFIGURATION
Use the Administration > ERPS (Configure Domain) pages to configure ERPS rings.
Show
◆ Domain Name – Name of a configured ERPS ring.
◆ ID – ERPS ring identifier used in R-APS messages.
◆ Admin Status – Shows whether ERPS is enabled on the switch.
◆ Ver – Shows the ERPS version.
◆ MEG Level – The maintenance entity group (MEG) level providing a communication channel for ring automatic protection switching (R-APS) information.
◆ Control VLAN – Shows the Control VLAN ID.
◆ Local FS – Shows if a forced switch command was issued on this interface.
◆ Local MS – Shows if a manual switch command was issued on this interface.
◆ MEP – The CFM MEP used to monitor the status on this link.
◆ RPL – Shows if this node is connected to the RPL.
Configure Details
◆ Domain Name – Name of a configured ERPS ring.
Version 2 is backward compatible with Version 1. If version 2 is specified, the inputs and commands are forwarded transparently. If set to version 1, MS and FS operator commands are filtered, and the switch is set to revertive mode. The version number is automatically set to “1” when a ring node supporting only the functionalities of G.8032v1 exists on the same ring with other nodes that support G.8032v2.
■ Only one RPL owner can be configured on a ring. The owner blocks traffic on the RPL during Idle state, and unblocks it during Protection state (that is, when a signal fault is detected on the ring or the protection state is enabled with the Forced Switch or Manual Switch commands on the Configure Operation page).
■ The east and west connections to the ring must be specified for all ring nodes.
over both ring ports, informing that no request is present at this ring node, and initiates a guard timer. When another recovered ring node (or nodes) holding the link block receives this message, it compares the Node ID information with its own Node ID. If the received R-APS (NR) message has the higher priority, this ring node unblocks its ring ports. Otherwise, the block remains unchanged.
■ Recovery for Forced Switching – A Forced Switch command is removed by issuing the Clear command (Configure Operation page) to the same ring node where Forced Switch mode is in effect. The clear command removes any existing local operator commands, and triggers reversion if the ring is in revertive behavior mode.
c. The acceptance of the R-APS (NR, RB) message triggers all ring nodes to unblock any blocked non-RPL which does not have an SF condition. If it is an R-APS (NR, RB) message without a DNF indication, all ring nodes flush their FDB. This action unblocks the ring port which was blocked as a result of an operator command.
■ Recovery with non-revertive mode is handled as follows:
a. The RPL Owner Node, upon reception of an R-APS (NR) message and in the absence of any other higher priority request, does not perform any action.
b.
■ A sub-ring may be attached to a primary ring with or without a virtual channel.
■ A virtual channel is used to connect two interconnection points on the sub-ring, tunneling R-APS control messages across an arbitrary Ethernet network topology.
No R-APS messages are inserted or extracted by other rings or sub-rings at the interconnection nodes where a sub-ring is attached. Hence there is no need for either additional bandwidth or for different VIDs/Ring IDs for the ring interconnection. Furthermore, protection switching time for a sub-ring is independent from the configuration or topology of the interconnected rings.
■ The RPL owner node detects a failed link when it receives R-APS (SF - signal fault) messages from nodes adjacent to the failed link. The owner then enters protection state by unblocking the RPL.
that defect will be reported to the protection switching mechanism. The reported defect need not be the same one that started the timer.
◆ Guard Timer – The guard timer is used to prevent ring nodes from receiving outdated R-APS messages. During the duration of the guard timer, all received R-APS messages are ignored by the ring protection control process, giving time for old messages still circulating on the ring to expire.
◆ West/East – Connects to the next ring node to the west/east. Each node must be connected to two neighbors on the ring. For convenience, the ports connected are referred to as east and west ports. In other words, the closest neighbor to the east should be the next node in the ring in a clockwise direction, and the closest neighbor to the west should be the next node in the ring in a counter-clockwise direction.
WEB INTERFACE
To create an ERPS ring:
1. Click Administration, ERPS.
2. Select Configure Domain from the Step list.
3. Select Add from the Action list.
4. Enter a name and optional identifier for the ring.
5. Click Apply.
Figure 290: Creating an ERPS Ring
To configure the ERPS parameters for a ring:
1. Click Administration, ERPS.
2. Select Configure Domain from the Step list.
3. Select Configure Details from the Action list.
Figure 291: Creating an ERPS Ring
To show the configured ERPS rings:
1. Click Administration, ERPS.
2. Select Configure Domain from the Step list.
3. Select Show from the Action list.
ERPS FORCED AND MANUAL MODE OPERATIONS
Use the Administration > ERPS (Configure Operation) page to block a ring port using Forced Switch or Manual Switch commands.
CLI REFERENCES
◆ "erps forced-switch" on page 1115
◆ "erps manual-switch" on page 1117
◆ "erps clear" on page 1115
PARAMETERS
These parameters are displayed:
◆ Domain Name – Name of a configured ERPS ring.
nodes where further forced switch commands are issued block the traffic channel and R-APS channel on the ring port at which the forced switch was issued. The ring node where the forced switch command was issued transmits an R-APS message over both ring ports indicating FS. R-APS (FS) messages are continuously transmitted by this ring node while the local FS command is the ring node’s highest priority command.
under maintenance in order to avoid falling into the above mentioned unrecoverable situation.
■ Manual Switch – Blocks the specified ring port, in the absence of a failure or an FS command.
■ A ring with no request has a logical topology with the traffic channel blocked at the RPL and unblocked on all other ring links. In this situation, the Manual Switch command triggers protection switching as follows:
a.
c. A ring node with a local manual switch command that receives an R-APS message or a local request of higher priority than R-APS (MS) clears its manual switch request. The ring node then processes the new higher priority request.
■ Recovery for manual switching under revertive and non-revertive mode is described under the Revertive parameter.
Figure 293: Blocking an ERPS Ring Port
CONNECTIVITY FAULT MANAGEMENT
Connectivity Fault Management (CFM) is an OAM protocol that includes proactive connectivity monitoring using continuity check messages, fault verification through loopback messages, and fault isolation by examining end-to-end connections between provider edge devices or between customer edge devices.
◆ A Maintenance Level allows maintenance domains to be nested in a hierarchical fashion, providing access to the specific network portions required by each operator. Domains at lower levels may be either hidden or exposed to operators managing domains at a higher level, allowing either coarse or fine fault resolution.
◆ Maintenance End Points (MEPs) which provide full CFM access to a Service Instance (i.e.
Figure 295: Multiple CFM Maintenance Domains
[Figure: nested maintenance associations labelled Customer MA, Provider MA, Operator 1 MA and Operator 2 MA, with maintenance points marked C, P, O1 and O2.]
Note that the Service Instances within each domain shown above are based on a unique maintenance association for the specific users, distinguished by the domain name, maintenance level, maintenance association’s name, and assigned VLAN.
SNMP traps can also be configured to provide an automated method of fault notification. If the fault notification generator detects one or more defects within the configured time period, and fault alarms are enabled, a corresponding trap will be sent. No further fault alarms are sent until the fault notification generator has been reset by the passage of a configured time period without detecting any further faults.
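The suppression behaviour just described, as an added Python example that is not part of the manual or the switch firmware: a small state machine that sends one trap per fault episode and re-arms only after a quiet period with no defects. The parameter names alarm_time and reset_time, the state names, and the defect timeline are assumptions made for illustration.

```python
"""CFM fault notification generator with alarm suppression.

Constructed example. A defect must persist for alarm_time before a trap is
sent (assumed reading of "within the configured time period"); afterwards
the generator stays suppressed until reset_time passes with no defect, so a
flapping link yields one trap per episode rather than one per flap.
"""
from typing import Iterable, List, Optional, Set, Tuple

Trap = Tuple[float, List[str]]   # (time sent, sorted defect names)


class FaultNotificationGenerator:
    def __init__(self, alarm_time: float, reset_time: float,
                 alarms_enabled: bool = True) -> None:
        self.alarm_time = alarm_time        # how long a defect must persist
        self.reset_time = reset_time        # quiet period before re-arming
        self.alarms_enabled = alarms_enabled  # "Fault Alarm" setting on the MD
        self.state = "RESET"                # RESET -> DEFECT -> REPORTED -> CLEARING
        self.since: Optional[float] = None  # start of the current timer
        self.traps: List[Trap] = []

    def observe(self, t: float, defects: Set[str]) -> Optional[Trap]:
        """Evaluate the defect set seen at time t; return the trap if one is sent."""
        present = bool(defects)
        trap: Optional[Trap] = None
        if self.state == "RESET" and present:
            self.state, self.since = "DEFECT", t       # start the alarm timer
        if self.state == "DEFECT":
            if not present:
                self.state = "RESET"                   # cleared early: no trap
            elif t - self.since >= self.alarm_time:
                self.state = "REPORTED"
                if self.alarms_enabled:
                    trap = (t, sorted(defects))
                    self.traps.append(trap)
        elif self.state == "REPORTED" and not present:
            self.state, self.since = "CLEARING", t     # start the reset timer
        elif self.state == "CLEARING":
            if present:
                self.state = "REPORTED"                # defect is back: still suppressed
            elif t - self.since >= self.reset_time:
                self.state = "RESET"                   # quiet long enough: re-armed
        return trap


def replay(gen: FaultNotificationGenerator,
           timeline: Iterable[Tuple[float, Set[str]]]) -> List[Trap]:
    """Feed (time, defects) observations in order; return the traps sent."""
    sent = []
    for t, defects in timeline:
        trap = gen.observe(t, defects)
        if trap:
            sent.append(trap)
    return sent


# Constructed timeline (seconds, defects seen). "MEP Unknown" is the manual's
# cross-check defect; "ccm-loss" is a made-up label for a lost CCM stream.
TIMELINE = [
    (0, set()), (1, {"ccm-loss"}), (2, {"ccm-loss"}), (4, {"ccm-loss"}),
    (5, {"ccm-loss", "MEP Unknown"}), (6, set()), (9, {"ccm-loss"}),
    (10, set()), (15, set()), (21, set()), (22, {"ccm-loss"}), (25, {"ccm-loss"}),
]

if __name__ == "__main__":
    gen = FaultNotificationGenerator(alarm_time=2.5, reset_time=10)
    print(replay(gen, TIMELINE))   # -> [(4, ['ccm-loss']), (25, ['ccm-loss'])]
```

The flap at t=9 produces no second trap because the generator was still in its reset period; only after 10 quiet seconds (t=21) can a new defect episode be reported.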
CLI REFERENCES
◆ "CFM Commands" on page 1319
PARAMETERS
These parameters are displayed:
Global Configuration
◆ CFM Status – Enables CFM processing globally on the switch. (Default: Enabled)
To avoid generating an excessive number of traps, the complete CFM maintenance structure and process parameters should be configured prior to enabling CFM processing globally on the switch.
◆ Link Trace Cache Hold Time – The hold time for CFM link trace cache entries. (Range: 1-65535 minutes; Default: 100 minutes)
Before setting the aging time for cache entries, the cache must first be enabled in the Linktrace Cache attribute field.
◆ Link Trace Cache Size – The maximum size for the link trace cache.
◆ Cross Check MEP Unknown – Sends a trap if an unconfigured MEP comes up. A MEP Unknown trap is sent if cross-checking is enabled, and a CCM is received from a remote MEP that is not configured in the static list.
WEB INTERFACE
To configure global settings for CFM:
1. Click Administration, CFM.
2. Select Configure Global from the Step list.
3.
CONFIGURING INTERFACES FOR CFM
CFM processes are enabled by default for all physical interfaces, both ports and trunks. You can use the Administration > CFM (Configure Interface) page to change these settings.
CLI REFERENCES
◆ "ethernet cfm port-enable" on page 1330
COMMAND USAGE
◆ An interface must be enabled before a MEP can be created (see "Configuring Maintenance End Points").
CLI REFERENCES
◆ "CFM Commands" on page 1319
COMMAND USAGE
Configuring General Settings
◆ Where domains are nested, an upper-level hierarchical domain must have a higher maintenance level than the ones it encompasses. The higher to lower level domain types commonly include entities such as customer, service provider, and operator.
The MIP creation method defined for an MA (see "Configuring CFM Maintenance Associations") takes precedence over the method defined on the CFM Domain List.
Configuring Fault Notification
◆ A fault alarm can generate an SNMP notification.
PARAMETERS
These parameters are displayed:
Creating a Maintenance Domain
◆ MD Index – Domain index. (Range: 1-65535)
◆ MD Name – Maintenance domain name. (Range: 1-43 alphanumeric characters)
◆ MD Level – Authorized maintenance level for this domain.
3. Select Add from the Action list.
4. Specify the maintenance domains and authorized maintenance levels (thereby setting the hierarchical relationship with other domains).
5. Specify the manner in which MIPs can be created within each domain.
6. Click Apply.
Figure 298: Configuring Maintenance Domains
To show the configured maintenance domains:
1. Click Administration, CFM.
2. Select Configure MD from the Step list.
3.
To configure detailed settings for maintenance domains:
1. Click Administration, CFM.
2. Select Configure MD from the Step list.
3. Select Configure Details from the Action list.
4. Select an entry from the MD Index.
5. Specify the MEP archive hold and MEP fault notification parameters.
6.
◆ Multiple domains at the same maintenance level cannot have an MA on the same VLAN (see "Configuring CFM Maintenance Domains" on page 521).
◆ Before removing an MA, first remove the MEPs assigned to it (see "Configuring Maintenance End Points" on page 531).
◆ For a detailed description of the MIP types, refer to the Command Usage section under "Configuring CFM Maintenance Domains" on page 521.
◆ MIP Creation Type – Specifies the CFM protocol’s creation method for maintenance intermediate points (MIPs) in this MA:
■ Default – MIPs can be created for this MA on any bridge port through which the MA’s VID can pass.
■ Explicit – MIPs can be created for this MA only on bridge ports through which the MA’s VID can pass, and only if a maintenance end point (MEP) is created at some lower MA Level.
◆ AIS Transmit Level – Configures the AIS maintenance level in an MA. (Range: 0-7; Default: 0) The AIS Level must follow this rule: AIS Level >= Domain Level
◆ AIS Suppress Alarm – Enables/disables suppression of the AIS. (Default: Disabled)
WEB INTERFACE
To create a maintenance association:
1. Click Administration, CFM.
2. Select Configure MA from the Step list.
3. Select Add from the Action list.
4.
To show the configured maintenance associations:
1. Click Administration, CFM.
2. Select Configure MA from the Step list.
3. Select Show from the Action list.
4. Select an entry from the MD Index list.
Figure 302: Showing Maintenance Associations
To configure detailed settings for maintenance associations:
1. Click Administration, CFM.
2. Select Configure MA from the Step list.
3. Select Configure Details from the Action list.
4.
Figure 303: Configuring Detailed Settings for Maintenance Associations
CONFIGURING MAINTENANCE END POINTS
Use the Administration > CFM (Configure MEP – Add) page to configure Maintenance End Points (MEPs). MEPs, also called Domain Service Access Points (DSAPs), must be configured at the domain boundary to provide management access for each maintenance association.
and receives them from, the direction of the internal bridge relay mechanism. If the Up option is not selected, then the MEP is facing away from the switch, and transmits CFM messages towards, and receives them from, the direction of the physical medium.
◆ Interface – Indicates a port or trunk.
WEB INTERFACE
To configure a maintenance end point:
1. Click Administration, CFM.
2. Select Configure MEP from the Step list.
3.
Figure 305: Showing Maintenance End Points
CONFIGURING REMOTE MAINTENANCE END POINTS
Use the Administration > CFM (Configure Remote MEP – Add) page to specify remote maintenance end points (MEPs) set on other CFM-enabled devices within a common MA. Remote MEPs can be added to a static list in this manner to verify that each entry has been properly configured and is operational.
◆ MEP ID – Identifier for a maintenance end point which exists on another CFM-enabled device within the same MA. (Range: 1-8191)
WEB INTERFACE
To configure a remote maintenance end point:
1. Click Administration, CFM.
2. Select Configure Remote MEP from the Step list.
3. Select Add from the Action list.
4. Select an entry from MD Index and MA Index.
5. Specify the remote MEPs which exist on other devices within the same MA.
6.
TRANSMITTING LINK TRACE MESSAGES
Use the Administration > CFM (Transmit Link Trace) page to transmit link trace messages (LTMs). These messages can isolate connectivity faults by tracing the path through a network to the designated target node (i.e., a remote maintenance end point).
CLI REFERENCES
◆ "CFM Commands" on page 1319
COMMAND USAGE
◆ LTMs can be targeted to MEPs, not MIPs.
◆ MAC Address – MAC address of a remote MEP that is the target of a link trace message. This address can be entered in either of the following formats: xx-xx-xx-xx-xx-xx or xxxxxxxxxxxx
◆ TTL – The time to live of the link trace message. (Range: 0-255 hops)
WEB INTERFACE
To transmit link trace messages:
1. Click Administration, CFM.
2. Select Transmit Link Trace from the Step list.
3. Select an entry from MD Index and MA Index.
or initiation of connectivity. The receiving maintenance point should respond to the loopback message with a loopback reply.
◆ The point from which the loopback message is transmitted (i.e., a local DSAP) and the target maintenance point must be within the same MA.
◆ If the continuity check database does not have an entry for the specified maintenance point, an error message will be displayed.
Figure 309: Transmitting Loopback Messages
TRANSMITTING DELAY-MEASURE REQUESTS
Use the Administration > CFM (Transmit Delay Measure) page to send periodic delay-measure requests to a specified MEP within a maintenance association.
CLI REFERENCES
◆ "ethernet cfm delay-measure two-way" on page 1358
COMMAND USAGE
◆ Delay measurement can be used to measure frame delay and frame delay variation between MEPs.
◆ The MEP can also make two-way frame delay variation measurements based on its ability to calculate the difference between two subsequent two-way frame delay measurements.
PARAMETERS
These parameters are displayed:
◆ MD Index – Domain index. (Range: 1-65535)
◆ MA Index – MA identifier. (Range: 1-2147483647)
◆ Source MEP ID – The identifier of a source MEP that will send the delay-measure message.
Figure 310: Transmitting Delay-Measure Messages
DISPLAYING LOCAL MEPS
Use the Administration > CFM > Show Information (Show Local MEP) page to show information for the MEPs configured on this device.
CLI REFERENCES
◆ "show ethernet cfm maintenance-points local" on page 1334
PARAMETERS
These parameters are displayed:
◆ MEP ID – Maintenance end point identifier.
◆ MD Name – Maintenance domain name.
◆ MAC Address – MAC address of this MEP entry.
WEB INTERFACE
To show information for the MEPs configured on this device:
1. Click Administration, CFM.
2. Select Show Information from the Step list.
3. Select Show Local MEP from the Action list.
◆ CC Status – Shows if the MEP will generate CCM messages.
◆ MAC Address – MAC address of the local maintenance point. (If a CCM for the specified remote MEP has never been received or the local MEP record times out, the address will be set to the initial value of all Fs.)
◆ Defect Condition – Shows the defect detected on the MEP.
◆ Received RDI – Receive status of remote defect indication (RDI) messages on the MEP.
Figure 312: Showing Detailed Information on Local MEPs
DISPLAYING LOCAL MIPS
Use the Administration > CFM > Show Information (Show Local MIP) page to show the MIPs on this device discovered by the CFM protocol. (For a description of MIPs, refer to the Command Usage section under "Configuring CFM Maintenance Domains".)
WEB INTERFACE
To show information for the MIPs discovered by the CFM protocol:
1. Click Administration, CFM.
2. Select Show Information from the Step list.
3. Select Show Local MIP from the Action list.
WEB INTERFACE
To show information for remote MEPs:
1. Click Administration, CFM.
2. Select Show Information from the Step list.
3. Select Show Remote MEP from the Action list.
◆ Age of Last CC Message – Length of time the last CCM message about this MEP has been in the CCM database.
◆ Frame Loss – Percentage of transmitted frames lost.
◆ CC Packet Statistics – The number of CCM packets received successfully and those with errors.
◆ Port State – Port states include:
■ Up – The port is functioning normally.
■ Blocked – The port has been blocked by the Spanning Tree Protocol.
Figure 315: Showing Detailed Information on Remote MEPs
DISPLAYING THE LINK TRACE CACHE
Use the Administration > CFM > Show Information (Show Link Trace Cache) page to show information about link trace operations launched from this device.
◆ Ingress Action – Action taken on the ingress port:
■ IngOk – The target data frame passed through to the MAC Relay Entity.
■ IngDown – The bridge port’s MAC_Operational parameter is false. This value could be returned, for example, by an operationally Down MEP that has another Down MEP at a higher MD level on the same bridge port that is causing the bridge port’s MAC_Operational parameter to be false.
Figure 316: Showing the Link Trace Cache
DISPLAYING FAULT NOTIFICATION SETTINGS
Use the Administration > CFM > Show Information (Show Fault Notification Generator) page to display configuration settings for the fault notification generator.
CLI REFERENCES
◆ "show ethernet cfm fault-notify-generator" on page 1357
PARAMETERS
These parameters are displayed:
◆ MEP ID – Maintenance end point identifier.
WEB INTERFACE
To show configuration settings for the fault notification generator:
1. Click Administration, CFM.
2. Select Show Information from the Step list.
3. Select Show Fault Notification Generator from the Action list.
CHAPTER 14 | Basic Administration Protocols OAM Configuration
■ VIDS – MA x is associated with a specific VID list, an MEP is configured facing inward (up) on this MA on the bridge port, and some other MA y, associated with at least one of the VID(s) also in MA x, also has an Up MEP configured facing inward (up) on some bridge port.
■ EXCESS_LEV – The number of different MD levels at which MIPs are to be created on this port exceeds the bridge's capabilities.
CLI REFERENCES
◆ "OAM Commands" on page 1361
PARAMETERS
These parameters are displayed:
◆ Port – Port identifier. (Range: 1-28)
◆ Admin Status – Enables or disables OAM functions. (Default: Disabled)
◆ Operation State – Shows the operational state between the local and remote OAM devices. This value is always “disabled” if OAM is disabled on the local interface.
◆ Critical Link Event – Controls reporting of critical link events to its OAM peer.
■ Dying Gasp – If an unrecoverable condition occurs, the local OAM entity (i.e., this switch) indicates this by immediately sending a trap message. (Default: Enabled) Dying gasp events are caused by an unrecoverable failure, such as a power failure or device reset.
3. Click Apply.
Figure 319: Enabling OAM for Local Ports
DISPLAYING STATISTICS FOR OAM MESSAGES
Use the Administration > OAM > Counters page to display statistics for the various types of OAM messages passed across each port.
CLI REFERENCES
◆ "show efm oam counters interface" on page 1369
PARAMETERS
These parameters are displayed:
◆ Port – Port identifier. (Range: 1-28)
◆ Clear – Clears statistical counters for the selected ports.
WEB INTERFACE
To display statistics for OAM messages:
1. Click Administration, OAM, Counters.
Figure 320: Displaying Statistics for OAM Messages
DISPLAYING THE OAM EVENT LOG
Use the Administration > OAM > Event Log page to display link events for the selected port.
Figure 321: Displaying the OAM Event Log
DISPLAYING THE STATUS OF REMOTE INTERFACES
Use the Administration > OAM > Remote Interface page to display information about attached OAM-enabled devices.
CLI REFERENCES
◆ "show efm oam status remote interface" on page 1372
PARAMETERS
These parameters are displayed:
◆ Port – Port identifier. (Range: 1-28)
◆ MAC Address – MAC address of the OAM peer.
WEB INTERFACE
To display information about attached OAM-enabled devices:
1. Click Administration, OAM, Remote Interface.
Figure 322: Displaying Status of Remote Interfaces
CONFIGURING A REMOTE LOOP BACK TEST
Use the Administration > OAM > Remote Loopback (Remote Loopback Test) page to initiate a loop back test to the peer device attached to the selected port.
PARAMETERS
These parameters are displayed:
Loopback Mode of Remote Device
◆ Port – Port identifier. (Range: 1-28)
◆ Loopback Mode – Shows if loop back mode is enabled on the peer. This attribute must be enabled before starting the loopback test.
◆ Loopback Status – Shows if loopback testing is currently running.
Loopback Test Parameters
◆ Packets Number – Number of packets to send.
WEB INTERFACE
To initiate a loop back test to the peer device attached to the selected port:
1. Click Administration, OAM, Remote Loop Back.
2. Select Remote Loopback Test from the Action list.
3. Select the port on which to initiate remote loop back testing, enable the Loop Back Mode attribute, and click Apply.
4. Set the number of packets to send and the packet size, and then click Test.
WEB INTERFACE
To display the results of remote loop back testing for each port for which this information is available:
1. Click Administration, OAM, Remote Loop Back.
2. Select Show Test Result from the Action list.
15 IP CONFIGURATION
This chapter describes how to configure an IP interface for management access to the switch over the network. This switch supports both IP Version 4 and Version 6, and can be managed simultaneously through either of these address types. You can manually configure a specific IPv4 or IPv6 address or direct the switch to obtain an IPv4 address from a BOOTP or DHCP server when it is powered on. An IPv6 address can either be manually configured or dynamically generated.
CHAPTER 15 | IP Configuration Using the Ping Function
COMMAND USAGE
◆ Use the ping command to see if another site on the network can be reached.
◆ The following are some results of the ping command:
■ Normal response - The normal response occurs in one to ten seconds, depending on network traffic.
■ Destination does not respond - If the host does not respond, a “timeout” appears in ten seconds.
■ Destination unreachable - The gateway for this destination indicates that the destination is unreachable.
CHAPTER 15 | IP Configuration Using the Trace Route Function
USING THE TRACE ROUTE FUNCTION
Use the IP > General > Trace Route page to show the route packets take to the specified destination.
CLI REFERENCES
◆ "traceroute" on page 1400
PARAMETERS
These parameters are displayed:
◆ Destination IP Address – IPv4/IPv6 address of the host.
◆ IPv4 Max Failures – The maximum number of failures allowed before the trace route is terminated.
CHAPTER 15 | IP Configuration Address Resolution Protocol
Figure 326: Tracing the Route to a Network Device
ADDRESS RESOLUTION PROTOCOL
The switch uses Address Resolution Protocol (ARP) to forward traffic from one hop to the next. ARP is used to map an IP address to a physical layer (i.e., MAC) address. When an IP frame is received by this switch (or any standards-based switch/router), it first looks up the MAC address corresponding to the destination IP address in the ARP cache.
address and corresponding MAC address into its cache, and forwards the IP traffic on to the next hop. As long as this entry has not timed out, the switch will be able to forward traffic directly to the next hop for this destination without having to broadcast another ARP request. Also, if the switch receives a request for its own IP address, it will send back a response, and also cache the MAC address associated with the source device's IP address.
CHAPTER 15 | IP Configuration Setting the Switch’s IP Address (IP Version 4)
DISPLAYING ARP ENTRIES
Use the IP > ARP (Show Information) page to display dynamic entries in the ARP cache. The ARP cache contains entries for local interfaces, including subnet, host, and broadcast addresses. These entries are dynamically learned through replies to broadcast messages.
CLI REFERENCES
◆ "show arp" on page 1404
◆ "clear arp-cache" on page 1403
WEB INTERFACE
To display all entries in the ARP cache:
1.
An IP default gateway can only be successfully set when a network interface that directly connects to the gateway has been configured on the switch.
WEB INTERFACE
To configure an IPv4 default gateway for the switch:
1. Click System, IP.
2. Select Configure Global from the Action list.
3. Enter the IPv4 default gateway.
4. Click Apply.
IP will not function until a reply has been received from the server. Requests will be broadcast periodically by the switch for an IP address. DHCP/BOOTP responses can include the IP address, subnet mask, and default gateway. (Default: DHCP)
◆ IP Address Type – Specifies a primary or secondary IP address. An interface can have only one primary IP address, but can have many secondary IP addresses.
Figure 330: Configuring a Static IPv4 Address
To obtain a dynamic IPv4 address through DHCP/BOOTP for the switch:
1. Click System, IP.
2. Select Configure Interface from the Action list.
3. Select Add Address from the Step list.
4. Select the VLAN through which the management station is attached, set the IP Address Mode to “DHCP” or “BOOTP.”
5. Click Apply to save your changes.
6.
CHAPTER 15 | IP Configuration Setting the Switch’s IP Address (IP Version 6)
Renewing DHCP – DHCP may lease addresses to clients indefinitely or for a specific period of time. If the address expires or the switch is moved to another network segment, you will lose management access to the switch. In this case, you can reboot the switch or submit a client request to restart DHCP service via the CLI.
CONFIGURING THE IPV6 DEFAULT GATEWAY
Use the IP > IPv6 Configuration (Configure Global) page to configure an IPv6 default gateway for the switch.
CLI REFERENCES
◆ "ipv6 default-gateway" on page 1405
PARAMETERS
These parameters are displayed:
◆ Default Gateway – Sets the IPv6 address of the default next hop router.
■ An IPv6 default gateway must be defined if the management station is located in a different IPv6 segment.
link-local address, as well as an IPv6 global address if router advertisements are detected on the local interface.
◆ The option to explicitly enable IPv6 will also create a link-local address, but will not generate a global IPv6 address if auto-configuration is not enabled. In this case, you must manually configure an address (see "Configuring an IPv6 Address" on page 576).
■ IPv6 routers do not fragment IPv6 packets forwarded from other routers. However, traffic originating from an end-station connected to an IPv6 router may be fragmented.
■ All devices on the same physical medium must use the same MTU in order to operate correctly.
■ IPv6 must be enabled on an interface before the MTU can be set.
◆ If an IPv6 address has not been assigned to the switch, “N/A” is displayed in the MTU field.
◆ ND Reachable-Time – The amount of time that a remote IPv6 node is considered reachable after some reachability confirmation event has occurred. (Range: 0-3600000 milliseconds; Default: 30000 milliseconds)
◆ Restart DHCPv6 – When DHCPv6 is restarted, the switch may attempt to acquire an IP address prefix through stateful address autoconfiguration.
WEB INTERFACE
To configure general IPv6 settings for the switch:
1. Click IP, IPv6 Configuration.
2. Select Configure Interface from the Action list.
3. Specify the VLAN to configure, enable address auto-configuration, or enable IPv6 explicitly to automatically configure a link-local address and enable IPv6 on the selected interface.
Figure 335: Configuring RA Guard for an IPv6 Interface
CONFIGURING AN IPV6 ADDRESS
Use the IP > IPv6 Configuration (Add IPv6 Address) page to configure an IPv6 interface for management access over the network.
CLI REFERENCES
◆ "IPv6 Interface" on page 1404
COMMAND USAGE
◆ All IPv6 addresses must be formatted according to RFC 2373 “IPv6 Addressing Architecture,” using 8 colon-separated 16-bit hexadecimal values.
■ You can also manually configure the global unicast address by entering the full address and prefix length.
◆ You can configure multiple IPv6 global unicast addresses per interface, but only one link-local address per interface.
◆ If a duplicate link-local address is detected on the local segment, this interface is disabled and a warning message displayed on the console.
in the address and inserting the hexadecimal number FFFE between the upper and lower three bytes of the MAC address. For example, if a device had an EUI-48 address of 28-9F-18-1C-82-35, the global/local bit must first be inverted to meet EUI-64 requirements (i.e., 1 for globally defined addresses and 0 for locally defined addresses), changing 28 to 2A. Then the two bytes FFFE are inserted between the OUI (i.e.
SHOWING IPV6 ADDRESSES
Use the IP > IPv6 Configuration (Show IPv6 Address) page to display the IPv6 addresses assigned to an interface.
CLI REFERENCES
◆ "show ipv6 interface" on page 1414
PARAMETERS
These parameters are displayed:
◆ VLAN – ID of a configured VLAN which is to be used for management access. By default, all ports on the switch are members of VLAN 1.
WEB INTERFACE
To show the configured IPv6 addresses:
1. Click IP, IPv6 Configuration.
2. Select Show IPv6 Address from the Action list.
3. Select a VLAN from the list.
Figure 337: Showing Configured IPv6 Addresses
SHOWING THE IPV6 NEIGHBOR CACHE
Use the IP > IPv6 Configuration (Show IPv6 Neighbor Cache) page to display the IPv6 addresses detected for neighbor devices.
Table 38: Show IPv6 Neighbors - display description (Continued)
Field: State (continued)
Description:
◆ Delay - More than the ReachableTime interval has elapsed since the last positive confirmation was received that the forward path was functioning. A packet was sent within the last DELAY_FIRST_PROBE_TIME interval.
◆ ICMPv6 – Internet Control Message Protocol for Version 6 addresses is a network layer protocol that transmits message packets to report errors in processing IPv6 packets. ICMP is therefore an integral part of the Internet Protocol.
Table 39: Show IPv6 Statistics - display description (Continued)
Field: Delivers
Description: The total number of datagrams successfully delivered to IPv6 user-protocols (including ICMP). This counter is incremented at the interface to which these datagrams were addressed, which is not necessarily the input interface for some of the datagrams.
Table 39: Show IPv6 Statistics - display description (Continued)
Field: Destination Unreachable Messages
Description: The number of ICMP Destination Unreachable messages received by the interface.
Field: Packet Too Big Messages
Description: The number of ICMP Packet Too Big messages received by the interface.
Field: Time Exceeded Messages
Description: The number of ICMP Time Exceeded messages received by the interface.
Table 39: Show IPv6 Statistics - display description (Continued)
Field: Neighbor Solicit Messages
Description: The number of ICMP Neighbor Solicit messages sent by the interface.
Field: Neighbor Advertisement Messages
Description: The number of ICMP Router Advertisement messages sent by the interface.
Field: Redirect Messages
Description: The number of Redirect messages sent. For a host, this object will always be zero, since hosts do not send redirects.
WEB INTERFACE
To show the IPv6 statistics:
1. Click IP, IPv6 Configuration.
2. Select Show Statistics from the Action list.
3. Click IPv6, ICMPv6 or UDP.
Figure 341: Showing IPv6 Statistics (UDP)
SHOWING THE MTU FOR RESPONDING DESTINATIONS
Use the IP > IPv6 Configuration (Show MTU) page to display the maximum transmission unit (MTU) cache for destinations that have returned an ICMP packet-too-big message along with an acceptable MTU to this switch.
16 IP SERVICES
This chapter describes how to configure Domain Name Service (DNS) on this switch. For information on DHCP snooping, which is included in this folder, see "IPv6 Source Guard" on page 404. This chapter covers the following IP services:
◆ DNS – Configures default domain names, identifies servers to use for dynamic lookup, and shows how to configure static entries.
◆ DHCP Client – Specifies the DHCP client identifier for an interface.
CHAPTER 16 | IP Services Domain Name Service
PARAMETERS
These parameters are displayed:
◆ Domain Lookup – Enables DNS host name-to-address translation. (Default: Disabled)
◆ Default Domain Name – Defines the default domain name appended to incomplete host names. Do not include the initial dot that separates the host name from the domain name. (Range: 1-127 alphanumeric characters)
WEB INTERFACE
To configure general settings for DNS:
1. Click IP Service, DNS.
2.
through the domain list, appending each domain name in the list to the host name, and checking with the specified name servers for a match (see "Configuring a List of Name Servers" on page 592).
PARAMETERS
These parameters are displayed:
◆ Domain Name – Name of the host. Do not include the initial dot that separates the host name from the domain name. (Range: 1-68 characters)
WEB INTERFACE
To create a list of domain names:
1. Click IP Service, DNS.
2.
CONFIGURING A LIST OF NAME SERVERS
Use the IP Service > DNS - General (Add Name Server) page to configure a list of name servers to be tried in sequential order.
CLI REFERENCES
◆ "ip name-server" on page 1377
◆ "show dns" on page 1379
COMMAND USAGE
◆ To enable DNS service on this switch, configure one or more name servers, and enable domain lookup status (see "Configuring General DNS Service Parameters" on page 589).
Figure 347: Showing the List of Name Servers for DNS
CONFIGURING STATIC DNS HOST TO ADDRESS ENTRIES
Use the IP Service > DNS - Static Host Table (Add) page to manually configure static entries in the DNS table that are used to map domain names to IP addresses.
Figure 348: Configuring Static Entries in the DNS Table
To show static entries in the DNS table:
1. Click IP Service, DNS, Static Host Table.
2. Select Show from the Action list.
Figure 349: Showing Static Entries in the DNS Table
DISPLAYING THE DNS CACHE
Use the IP Service > DNS - Cache page to display entries in the DNS cache that have been learned via the designated name servers.
CHAPTER 16 | IP Services Dynamic Host Configuration Protocol
◆ Type – This field includes CNAME which specifies the host address for the owner, and ALIAS which specifies an alias.
◆ IP – The IP address associated with this record.
◆ TTL – The time to live reported by the name server.
◆ Host – The host name associated with this record.
WEB INTERFACE
To display entries in the DNS cache:
1. Click IP Service, DNS, Cache.
PARAMETERS
These parameters are displayed in the web interface:
◆ VLAN – ID of configured VLAN.
◆ Vendor Class ID – The following options are supported when the check box is marked to enable this feature:
■ Default – The default string is ES3528MV2.
■ Text – A text string. (Range: 1-32 characters)
■ Hex – A hexadecimal value. (Range: 1-64 characters)
WEB INTERFACE
To configure a DHCP client identifier:
1.
These fields identify the requesting device by indicating the interface through which the relay agent received the request. If DHCP relay is enabled, and this switch sees a DHCP client request, it inserts its own IP address into the request so that the DHCP server will know the subnet where the client is located.
the management VLAN or a non-management VLAN, it will add option 82 relay information and the relay agent’s address to the DHCP request packet, and then unicast it to the DHCP server.
■ A DHCP relay server has been set on the switch, when the switch receives a DHCP request packet with a non-zero relay agent address field (that is not the address of this switch).
■ A DHCP relay server has been set on the switch, when the switch receives a DHCP reply packet without option 82 information from the management VLAN.
CHAPTER 16 | IP Services Configuring the PPPoE Intermediate Agent
◆ Server IP Address – Addresses of DHCP servers or relay servers to be used by the switch’s DHCP relay agent in order of preference.
WEB INTERFACE
To configure DHCP relay service:
1. Click IP Service, DHCP, Relay Option 82.
2. Enable or disable Option 82.
3. Set the Option 82 policy to specify how to handle Option 82 information already contained in DHCP client request packets.
4.
◆ "show pppoe intermediate-agent info" on page 870
COMMAND USAGE
When PPPoE IA is enabled, the switch inserts a tag identifying itself as a PPPoE IA residing between the attached client requesting network access and the ports connected to broadband remote access servers (BRAS).
Figure 354: Configuring Global Settings for PPPoE Intermediate Agent
CONFIGURING PPPOE IA INTERFACE SETTINGS
Use the IP Service > PPPoE Intermediate Agent (Configure Interface) page to enable PPPoE IA on an interface, set trust status, enable vendor tag stripping, and set the circuit ID and remote ID.
CLI REFERENCES
◆ "PPPoE Intermediate Agent" on page 865
PARAMETERS
These parameters are displayed:
◆ Interface – Port or trunk selection.
■ The switch intercepts PPPoE discovery frames from the client and inserts a unique line identifier using the PPPoE Vendor-Specific tag (0x0105) to PPPoE Active Discovery Initiation (PADI) and Request (PADR) packets.
■ The switch then forwards these packets to the PPPoE server.
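As an added example that is not the switch's own code, the tag handling just described in Python, run against a constructed PADI frame: parse the discovery tags, optionally strip a vendor-specific tag the client already carries (the "vendor tag stripping" setting above), insert the 0x0105 line identifier, and read it back the way a BRAS would. The guide names only the 0x0105 tag; the vendor ID 0x00000DE9 (Broadband Forum) and sub-tags 0x01 (circuit ID) and 0x02 (remote ID) follow the TR-101 layout and are assumed here, and the port and subscriber strings are constructed.

```python
import struct
from typing import Dict, List, Tuple

# Added example (not code from the Edge-Core guide). The TR-101 layout
# inside tag 0x0105 (vendor ID 0x00000DE9, sub-tags 0x01/0x02) is assumed.
PPPOE_VER_TYPE = 0x11            # version 1, type 1
CODE_PADI, CODE_PADR = 0x09, 0x19
TAG_END_OF_LIST = 0x0000
TAG_SERVICE_NAME = 0x0101
TAG_HOST_UNIQ = 0x0103
TAG_VENDOR_SPECIFIC = 0x0105     # the tag the guide says the IA inserts
BBF_VENDOR_ID = 0x00000DE9
SUB_CIRCUIT_ID, SUB_REMOTE_ID = 0x01, 0x02

Tags = List[Tuple[int, bytes]]


def build_discovery(code: int, tags: Tags) -> bytes:
    """Serialize a PPPoE discovery packet: 6-byte header, then TLV tags."""
    payload = b"".join(struct.pack("!HH", t, len(v)) + v for t, v in tags)
    return struct.pack("!BBHH", PPPOE_VER_TYPE, code, 0, len(payload)) + payload


def parse_discovery(frame: bytes) -> Tuple[int, Tags]:
    """Parse header and tags; reject truncated tags so a malformed client
    frame cannot desynchronize the tag walk."""
    ver_type, code, _session, length = struct.unpack_from("!BBHH", frame, 0)
    if ver_type != PPPOE_VER_TYPE or len(frame) < 6 + length:
        raise ValueError("bad PPPoE discovery header")
    payload, tags, i = frame[6:6 + length], [], 0
    while i + 4 <= len(payload):
        ttype, tlen = struct.unpack_from("!HH", payload, i)
        i += 4
        if i + tlen > len(payload):
            raise ValueError("truncated PPPoE tag")
        tags.append((ttype, payload[i:i + tlen]))
        i += tlen
        if ttype == TAG_END_OF_LIST:
            break
    return code, tags


def encode_line_id(circuit_id: str, remote_id: str) -> bytes:
    """Vendor-specific tag value: 4-byte vendor ID, then (sub, len, data)."""
    value = struct.pack("!I", BBF_VENDOR_ID)
    for sub, text in ((SUB_CIRCUIT_ID, circuit_id), (SUB_REMOTE_ID, remote_id)):
        data = text.encode("ascii")
        if len(data) > 255:
            raise ValueError("sub-tag value exceeds one-byte length field")
        value += bytes([sub, len(data)]) + data
    return value


def decode_line_id(value: bytes) -> Dict[str, str]:
    if len(value) < 4 or struct.unpack("!I", value[:4])[0] != BBF_VENDOR_ID:
        return {}
    names = {SUB_CIRCUIT_ID: "circuit_id", SUB_REMOTE_ID: "remote_id"}
    out, i = {}, 4
    while i + 2 <= len(value):
        sub, slen = value[i], value[i + 1]
        data = value[i + 2:i + 2 + slen]
        i += 2 + slen
        if sub in names:
            out[names[sub]] = data.decode("ascii", errors="replace")
    return out


def tag_discovery(frame: bytes, circuit_id: str, remote_id: str,
                  strip_vendor_tag: bool = True) -> bytes:
    """Intermediate-agent step for PADI/PADR: with stripping on, a line ID
    supplied by the client is discarded rather than trusted, then the
    switch's own 0x0105 tag is inserted. Other codes pass through unchanged."""
    code, tags = parse_discovery(frame)
    if code not in (CODE_PADI, CODE_PADR):
        return frame
    if strip_vendor_tag:
        tags = [(t, v) for t, v in tags if t != TAG_VENDOR_SPECIFIC]
    ours = (TAG_VENDOR_SPECIFIC, encode_line_id(circuit_id, remote_id))
    if tags and tags[-1][0] == TAG_END_OF_LIST:
        tags.insert(len(tags) - 1, ours)   # keep End-Of-List last
    else:
        tags.append(ours)
    return build_discovery(code, tags)


def line_id_of(frame: bytes) -> Dict[str, str]:
    """What a BRAS (or an analyst) reads from the first 0x0105 tag."""
    _code, tags = parse_discovery(frame)
    for t, v in tags:
        if t == TAG_VENDOR_SPECIFIC:
            return decode_line_id(v)
    return {}


# Constructed sample: a client PADI that already carries a line-ID tag.
CLIENT_LINE_ID = encode_line_id("client-port", "client-remote")
CLIENT_PADI = build_discovery(CODE_PADI, [(TAG_SERVICE_NAME, b""),
                                          (TAG_HOST_UNIQ, b"\x00\x00\x2a\x2a"),
                                          (TAG_VENDOR_SPECIFIC, CLIENT_LINE_ID)])

if __name__ == "__main__":
    relayed = tag_discovery(CLIENT_PADI, "switch1 eth 1/5 vlan 100", "subscriber-0042")
    print(line_id_of(relayed))
```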
SHOWING PPPOE IA STATISTICS
Use the IP Service > PPPoE Intermediate Agent (Show Statistics) page to show statistics on PPPoE IA protocol messages.
CLI REFERENCES
◆ "clear pppoe intermediate-agent statistics" on page 869
PARAMETERS
These parameters are displayed:
◆ Interface – Port or trunk selection.
◆ Received – Received PPPoE active discovery messages.
■ All – All PPPoE active discovery message types.
Figure 356: Showing PPPoE Intermediate Agent Statistics
17 MULTICAST FILTERING
This chapter describes how to configure the following multicast services:
◆ IGMP Snooping – Configures snooping and query parameters.
◆ Filtering and Throttling IGMP Groups – Filters specified multicast services, or throttles the maximum number of multicast groups allowed on an interface.
◆ MLD Snooping – Configures snooping and query parameters for IPv6.
CHAPTER 17 | Multicast Filtering Layer 2 IGMP (Snooping and Query for IPv4)
Figure 357: Multicast Filtering Concept (Unicast Flow, Multicast Flow)
This switch can use Internet Group Management Protocol (IGMP) to filter multicast traffic. IGMP Snooping can be used to passively monitor or “snoop” on exchanges between attached hosts and an IGMP-enabled device, most commonly a multicast router. In this way, the switch can discover the ports that want to join a multicast group, and set its filters accordingly.
network segments where no node has expressed interest in receiving a specific multicast service. For switches that do not support multicast routing, or where multicast routing is already enabled on other switches in the local network segment, IGMP Snooping is the only service required to support multicast filtering.
Static IGMP Host Interface – For multicast applications that you need to control more carefully, you can manually assign a multicast service to specific interfaces on the switch (page 616).
NOTE: Multicast routers use this information from IGMP snooping and query reports, along with a multicast routing protocol such as DVMRP or PIM, to support IP multicasting across the Internet.
PARAMETERS
These parameters are displayed:
◆ IGMP Snooping Status – When enabled, the switch will monitor network traffic to determine which hosts want to receive multicast traffic. This is referred to as IGMP Snooping.
multicast traffic will be flooded to all VLAN ports. If many ports have subscribed to different multicast groups, flooding may cause excessive packet loss on the link between the switch and the end host. Flooding may be disabled to avoid this, causing multicast traffic to be delivered only to those ports on which multicast group members have been learned.
◆ Forwarding Priority – Assigns a CoS priority to all multicast traffic. (Range: 0-7, where 7 is the highest priority) This parameter can be used to set a high priority for low-latency multicast traffic such as a video-conference, or to set a low priority for normal multicast traffic not sensitive to latency.
Figure 358: Configuring General Settings for IGMP Snooping
SPECIFYING STATIC INTERFACES FOR A MULTICAST ROUTER
Use the Multicast > IGMP Snooping > Multicast Router (Add) page to statically attach an interface to a multicast router/switch. Depending on network connections, IGMP snooping may not always be able to locate the IGMP querier.
CHAPTER 17 | Multicast Filtering Layer 2 IGMP (Snooping and Query for IPv4) ◆ Type14 – Shows if this entry is static or dynamic. ◆ Expire14 – Time until this dynamic entry expires. WEB INTERFACE To specify a static interface attached to a multicast router: 1. Click Multicast, IGMP Snooping, Multicast Router. 2. Select Add Static Multicast Router from the Action list. 3.
CHAPTER 17 | Multicast Filtering Layer 2 IGMP (Snooping and Query for IPv4) To show the all interfaces attached to a multicast router: 1. Click Multicast, IGMP Snooping, Multicast Router. 2. Select Current Multicast Router from the Action list. 3. Select the VLAN for which to display this information. Ports in the selected VLAN which are attached to a neighboring multicast router/ switch are displayed.
CHAPTER 17 | Multicast Filtering Layer 2 IGMP (Snooping and Query for IPv4) ◆ Port or Trunk – Specifies the interface assigned to a multicast group. ◆ Multicast IP – The IP address for a specific multicast service. WEB INTERFACE To statically assign an interface to a multicast service: 1. Click Multicast, IGMP Snooping, IGMP Member. 2. Select Add Static Member from the Action list. 3.
CHAPTER 17 | Multicast Filtering Layer 2 IGMP (Snooping and Query for IPv4) SETTING IGMP Use the Multicast > IGMP Snooping > Interface (Configure VLAN) page to SNOOPING STATUS configure IGMP snooping attributes for a VLAN. To configure snooping PER INTERFACE globally, refer to "Configuring IGMP Snooping and Query Parameters" on page 610. CLI REFERENCES ◆ "IGMP Snooping" on page 1204 COMMAND USAGE Multicast Router Discovery There have been many mechanisms used in the past to identify multicast routers.
CHAPTER 17 | Multicast Filtering Layer 2 IGMP (Snooping and Query for IPv4) ◆ Multicast Router Termination – These messages are sent when a router stops IP multicast routing functions on an interface. Termination messages are sent by multicast routers when: ■ Multicast forwarding is disabled on an interface. ■ An interface is administratively disabled. ■ The router is gracefully shut down. Advertisement and Termination messages are sent to the All-Snoopers multicast address.
CHAPTER 17 | Multicast Filtering Layer 2 IGMP (Snooping and Query for IPv4) If immediate leave is not used, a multicast router (or querier) will send a group-specific query message when an IGMPv2 group leave message is received. The router/querier stops forwarding traffic for that group only if no host replies to the query within the specified time out period. Note that this time out is set to Last Member Query Interval * Robustness Variable (fixed at 2) as defined in RFC 2236.
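The forwarding behaviour described above (delivery only to ports where members were learned, flooding of unknown groups unless flooding is disabled, and the immediate-leave versus group-specific-query timeout of Last Member Query Interval * 2) can be traced with the following simulation. It is an added example written for this guide, not the switch's firmware; the port numbers, group addresses and the 1-second Last Member Query Interval are constructed sample values.

```python
"""Simulated IGMP snooping forwarding table (added illustration, not the
switch's own code). Models the behaviour described on this page: multicast
for a group is forwarded only to ports that reported membership (plus any
multicast-router port); unknown groups are flooded only when unknown-multicast
flooding is enabled; a leave either removes the port at once (immediate leave)
or starts a group-specific query timer of Last Member Query Interval *
Robustness, with Robustness fixed at 2 as the page states (RFC 2236).
All port numbers, group addresses and timings are constructed sample values.
"""
from dataclasses import dataclass, field

ROBUSTNESS = 2  # fixed at 2 for the leave timeout (RFC 2236)


@dataclass
class SnoopingVlan:
    all_ports: set
    router_ports: set = field(default_factory=set)
    immediate_leave: bool = False
    unknown_flood: bool = True
    last_member_query_interval: float = 1.0   # seconds (assumed sample value)
    members: dict = field(default_factory=dict)   # group -> {port}
    pending: dict = field(default_factory=dict)   # (group, port) -> expiry

    def join(self, group, port):
        """An IGMP membership report seen on `port` adds it to the group."""
        self.members.setdefault(group, set()).add(port)
        self.pending.pop((group, port), None)  # a report cancels a pending leave

    def leave(self, group, port, now=0.0):
        """An IGMPv2 leave message seen on `port`."""
        if port not in self.members.get(group, ()):
            return
        if self.immediate_leave:
            self._remove(group, port)
        else:
            # Group-specific query: keep forwarding until the timeout expires
            # without a report from any remaining host on that port.
            timeout = self.last_member_query_interval * ROBUSTNESS
            self.pending[(group, port)] = now + timeout

    def tick(self, now):
        """Expire pending leaves whose query timeout elapsed unanswered."""
        for key, expiry in list(self.pending.items()):
            if now >= expiry:
                self._remove(*key)
                del self.pending[key]

    def egress(self, group, ingress_port):
        """Ports to which a frame for `group` arriving on `ingress_port` goes."""
        if group in self.members:
            out = self.members[group] | self.router_ports
        elif self.unknown_flood:
            out = set(self.all_ports)      # flood: nobody has asked for it
        else:
            out = set(self.router_ports)   # flooding disabled: routers only
        return out - {ingress_port}

    def _remove(self, group, port):
        self.members.get(group, set()).discard(port)
        if not self.members.get(group):
            self.members.pop(group, None)


def demo():
    """Walk through join, unknown-group flood, leave and timeout expiry."""
    v = SnoopingVlan(all_ports={1, 2, 3, 4, 24}, router_ports={24})
    v.join("239.1.1.1", 2)
    v.join("239.1.1.1", 3)
    before = v.egress("239.1.1.1", 24)    # members only: {2, 3}
    unknown = v.egress("239.9.9.9", 24)   # flooded to every other port
    v.leave("239.1.1.1", 2, now=0.0)
    still = v.egress("239.1.1.1", 24)     # still {2, 3} until the query times out
    v.tick(now=2.0)                       # 1.0 s * 2 = 2 s elapsed, no reply
    after = v.egress("239.1.1.1", 24)     # port 2 pruned: {3}
    return before, unknown, still, after
```

The `demo()` walk-through shows why the guide warns that immediate leave should only be enabled on single-subscriber ports: with immediate leave off, a second host on port 2 would have until the 2-second timeout to answer the group-specific query and keep the stream flowing.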
in report and leave messages sent upstream from the multicast router port. ◆ Interface Version – Sets the protocol version for compatibility with other devices on the network. This is the IGMP Version the switch uses to send snooping reports. (Range: 1-3; Default: 2) This attribute configures the IGMP report/query version used by IGMP snooping.
◆ Proxy Query Address – A static source address for locally generated query and report messages used by IGMP Proxy Reporting. (Range: Any valid IP unicast address; Default: 0.0.0.0) IGMP Snooping uses a null IP address of 0.0.0.0 for the source of IGMP query messages which are proxied to downstream hosts to indicate that it is not the elected querier, but is only proxying these messages as defined in RFC 4541.
To show the interface settings for IGMP snooping: 1. Click Multicast, IGMP Snooping, Interface. 2. Select Show VLAN Information from the Action list. Figure 365: Showing Interface Settings for IGMP Snooping FILTERING IGMP QUERY PACKETS AND MULTICAST DATA Use the Multicast > IGMP Snooping > Interface (Configure Interface) page to configure an interface to drop IGMP query packets or multicast data packets.
Figure 366: Dropping IGMP Query or Multicast Data Packets DISPLAYING MULTICAST GROUPS DISCOVERED BY IGMP SNOOPING Use the Multicast > IGMP Snooping > Forwarding Entry page to display the forwarding entries learned through IGMP Snooping. CLI REFERENCES ◆ "show ip igmp snooping group" on page 1222 COMMAND USAGE To display information about multicast groups, IGMP Snooping must first be enabled on the switch (see page 610).
WEB INTERFACE To show multicast groups learned through IGMP snooping: 1. Click Multicast, IGMP Snooping, Forwarding Entry. 2. Select the VLAN for which to display this information. Figure 367: Showing Multicast Groups Learned by IGMP Snooping DISPLAYING IGMP SNOOPING STATISTICS Use the Multicast > IGMP Snooping > Statistics pages to display IGMP snooping protocol-related statistics for the specified interface.
◆ Specific Query Received – The number of specific queries received on this interface. ◆ Specific Query Sent – The number of specific queries sent from this interface. ◆ Number of Reports Sent – The number of reports sent from this interface. ◆ Number of Leaves Sent – The number of leaves sent from this interface.
WEB INTERFACE To display statistics for IGMP snooping query-related messages: 1. Click Multicast, IGMP Snooping, Statistics. 2. Select Show Query Statistics from the Action list. 3. Select a VLAN. Figure 368: Displaying IGMP Snooping Statistics – Query To display IGMP snooping protocol-related statistics for a VLAN: 1. Click Multicast, IGMP Snooping, Statistics. 2. Select Show VLAN Statistics from the Action list. 3.
Figure 369: Displaying IGMP Snooping Statistics – VLAN To display IGMP snooping protocol-related statistics for a port: 1. Click Multicast, IGMP Snooping, Statistics. 2. Select Show Port Statistics from the Action list. 3. Select a Port.
CHAPTER 17 | Multicast Filtering Filtering and Throttling IGMP Groups FILTERING AND THROTTLING IGMP GROUPS In certain switch applications, the administrator may want to control the multicast services that are available to end users. For example, an IP/TV service based on a specific subscription plan.
Figure 371: Enabling IGMP Filtering and Throttling CONFIGURING IGMP FILTER PROFILES Use the Multicast > IGMP Snooping > Filter (Configure Profile – Add) page to create an IGMP profile and set its access mode. Then use the (Add Multicast Group Range) page to configure the multicast groups to filter.
WEB INTERFACE To create an IGMP filter profile and set its access mode: 1. Click Multicast, IGMP Snooping, Filter. 2. Select Configure Profile from the Step list. 3. Select Add from the Action list. 4. Enter the number for a profile, and set its access mode. 5. Click Apply. Figure 372: Creating an IGMP Filtering Profile To show the IGMP filter profiles: 1. Click Multicast, IGMP Snooping, Filter. 2.
4. Select the profile to configure, and add a multicast group address or range of addresses. 5. Click Apply. Figure 374: Adding Multicast Groups to an IGMP Filtering Profile To show the multicast groups configured for an IGMP filter profile: 1. Click Multicast, IGMP Snooping, Filter. 2. Select Configure Profile from the Step list. 3. Select Show Multicast Group Range from the Action list. 4.
or “replace.” If the action is set to deny, any new IGMP join reports will be dropped. If the action is set to replace, the switch randomly removes an existing group and replaces it with the new multicast group. PARAMETERS These parameters are displayed: ◆ Interface – Port or trunk identifier. An IGMP profile or throttling setting can be applied to a port or trunk.
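The filter-profile and throttling semantics just described (a profile with permit or deny access mode over one or more group ranges, and a per-interface group limit whose overflow action is deny or replace) are shown below as an added example; this is not the switch's own implementation. The profile number, the interface name, the group addresses and the group limit are constructed sample values.

```python
"""IGMP filter profile and throttling decision (added illustration, not the
switch's own code). A profile has an access mode (permit or deny) and one or
more multicast group ranges; an interface may be bound to a profile and given
a maximum number of groups, with a throttling action of deny or replace that
applies once the limit is reached. Profile numbers, interface names and group
addresses below are constructed.
"""
import ipaddress
import random


class IgmpProfile:
    def __init__(self, number, access_mode):
        if access_mode not in ("permit", "deny"):
            raise ValueError("access mode must be permit or deny")
        self.number = number
        self.access_mode = access_mode
        self.ranges = []

    def add_range(self, start, end):
        """Add an inclusive multicast group range to the profile."""
        s, e = ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)
        if not (s.is_multicast and e.is_multicast and s <= e):
            raise ValueError("range must be an ordered multicast address range")
        self.ranges.append((s, e))

    def allows(self, group):
        """permit: only listed groups pass; deny: everything but listed groups."""
        g = ipaddress.IPv4Address(group)
        in_range = any(s <= g <= e for s, e in self.ranges)
        return in_range if self.access_mode == "permit" else not in_range


class IgmpInterface:
    def __init__(self, name, profile=None, max_groups=None, action="deny", rng=None):
        if action not in ("deny", "replace"):
            raise ValueError("throttling action must be deny or replace")
        self.name = name
        self.profile = profile
        self.max_groups = max_groups
        self.action = action
        self.groups = set()
        self.rng = rng or random.Random()

    def join(self, group):
        """Handle an IGMP join report for `group`; returns what happened."""
        if self.profile is not None and not self.profile.allows(group):
            return "filtered"               # dropped by the profile
        if group in self.groups:
            return "already-member"
        if self.max_groups is not None and len(self.groups) >= self.max_groups:
            if self.action == "deny":
                return "throttled"          # new join report dropped
            # replace: evict a randomly chosen existing group
            victim = self.rng.choice(sorted(self.groups))
            self.groups.remove(victim)
            self.groups.add(group)
            return f"replaced {victim}"
        self.groups.add(group)
        return "joined"


def demo():
    """Permit-mode profile plus a two-group limit with the replace action."""
    prof = IgmpProfile(1, "permit")
    prof.add_range("239.10.0.0", "239.10.255.255")
    port = IgmpInterface("eth1/5", profile=prof, max_groups=2,
                         action="replace", rng=random.Random(7))
    results = [port.join(g) for g in
               ("239.10.0.1", "224.1.1.1", "239.10.0.2", "239.10.0.3")]
    return results, len(port.groups), "239.10.0.3" in port.groups
```

In `demo()` the second join (224.1.1.1) is outside the permitted range and is filtered, and the fourth join exceeds the limit, so one of the two existing groups is evicted; the count on the interface never exceeds the configured maximum, which is the property an operator relies on when using throttling to cap per-subscriber stream counts.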
CHAPTER 17 | Multicast Filtering MLD Snooping (Snooping and Query for IPv6) Figure 376: Configuring IGMP Filtering and Throttling Interface Settings MLD SNOOPING (SNOOPING AND QUERY FOR IPV6) Multicast Listener Discovery (MLD) snooping operates on IPv6 traffic and performs a similar function to IGMP snooping for IPv4. That is, MLD snooping dynamically configures switch ports to limit IPv6 multicast traffic so that it is forwarded only to ports with users that want to receive it.
An IPv6 address must be configured on the VLAN interface from which the querier will act if elected. When serving as the querier, the switch uses this IPv6 address as the query source address. The querier will not start or will disable itself after having started if it detects an IPv6 multicast router on the network. ◆ Robustness – MLD Snooping robustness variable.
3. Click Apply. Figure 377: Configuring General Settings for MLD Snooping SETTING IMMEDIATE LEAVE STATUS FOR MLD SNOOPING PER INTERFACE Use the Multicast > MLD Snooping > Interface page to configure Immediate Leave status for a VLAN. CLI REFERENCES ◆ "ipv6 mld snooping vlan immediate-leave" on page 1244 PARAMETERS These parameters are displayed: ◆ VLAN – A VLAN identification number.
Figure 378: Configuring Immediate Leave for MLD Snooping SPECIFYING STATIC INTERFACES FOR AN IPV6 MULTICAST ROUTER Use the Multicast > MLD Snooping > Multicast Router (Add Static Multicast Router) page to statically attach an interface to an IPv6 multicast router/switch. Depending on your network connections, MLD snooping may not always be able to locate the MLD querier.
Figure 379: Configuring a Static Interface for an IPv6 Multicast Router To show the static interfaces attached to a multicast router: 1. Click Multicast, MLD Snooping, Multicast Router. 2. Select Show Static Multicast Router from the Action list. 3. Select the VLAN for which to display this information.
ASSIGNING INTERFACES TO IPV6 MULTICAST SERVICES Use the Multicast > MLD Snooping > MLD Member (Add Static Member) page to statically assign an IPv6 multicast service to an interface. Multicast filtering can be dynamically configured using MLD snooping and query messages (see "Configuring MLD Snooping and Query Parameters" on page 634).
Figure 382: Assigning an Interface to an IPv6 Multicast Service To show the static interfaces assigned to an IPv6 multicast service: 1. Click Multicast, MLD Snooping, MLD Member. 2. Select Show Static Member from the Action list. 3. Select the VLAN for which to display this information.
Figure 384: Showing Current Interfaces Assigned to an IPv6 Multicast Service SHOWING MLD SNOOPING GROUPS AND SOURCE LIST Use the Multicast > MLD Snooping > Group Information page to display known multicast groups, member ports, the means by which each group was learned, and the corresponding source list.
CHAPTER 17 | Multicast Filtering Multicast VLAN Registration for IPv4 ◆ Request List – Sources included on the router’s request list. ◆ Exclude List – Sources included on the router’s exclude list. WEB INTERFACE To display known MLD multicast groups: 1. Click Multicast, MLD Snooping, Group Information. 2. Select the port or trunk, and then select a multicast service assigned to that interface.
Figure 386: MVR Concept (figure labels: Multicast Router, Satellite Services, Multicast Server, Layer 2 Switch, Source Port, Service Network, Receiver Ports, Set-top Box, PC, TV) COMMAND USAGE ◆ General Configuration Guidelines for MVR: 1. Enable MVR for a domain on the switch, and select the MVR VLAN (see "Configuring MVR Domain Settings" on page 646). 2.
PARAMETERS These parameters are displayed: ◆ Proxy Switching – Configures MVR proxy switching, where the source port acts as a host, and the receiver port acts as an MVR router with querier service enabled. (Default: Enabled) ■ When MVR proxy-switching is enabled, an MVR source port serves as the upstream or host interface, and the MVR receiver port serves as the querier.
◆ Proxy Query Interval – Configures the interval at which the receiver port sends out general queries. (Range: 2-31744 seconds; Default: 125 seconds) ■ This parameter sets the general query interval at which active receiver ports send out general queries. ■ This interval is only effective when proxy switching is enabled.
CONFIGURING MVR DOMAIN SETTINGS Use the Multicast > MVR (Configure Domain) page to enable MVR globally on the switch, and select the VLAN that will serve as the sole channel for common multicast streams supported by the service provider. CLI REFERENCES ◆ "MVR for IPv4" on page 1258 PARAMETERS These parameters are displayed: ◆ Domain ID – An independent multicast domain.
WEB INTERFACE To configure settings for an MVR domain: 1. Click Multicast, MVR. 2. Select Configure Domain from the Step list. 3. Select a domain from the scroll-down list. 4. Enable MVR for the selected domain, select the MVR VLAN, set the forwarding priority to be assigned to all ingress multicast traffic, and set the source IP address for all control packets sent upstream as required. 5. Click Apply.
PARAMETERS These parameters are displayed: Configure Profile ◆ Profile Name – The name of a profile containing one or more MVR group addresses. (Range: 1-21 characters) ◆ Start IP Address – Starting IP address for an MVR multicast group. (Range: 224.0.1.0 - 239.255.255.255) ◆ End IP Address – Ending IP address for an MVR multicast group. (Range: 224.0.1.0 - 239.255.255.
To show the configured MVR group address profiles: 1. Click Multicast, MVR. 2. Select Configure Profile from the Step list. 3. Select Show from the Action list. Figure 390: Displaying MVR Group Address Profiles To assign an MVR group address profile to a domain: 1. Click Multicast, MVR. 2. Select Associate Profile from the Step list. 3. Select Add from the Action list. 4.
Figure 392: Showing the MVR Group Address Profiles Assigned to a Domain CONFIGURING MVR INTERFACE STATUS Use the Multicast > MVR (Configure Interface) page to configure each interface that participates in the MVR protocol as a source port or receiver port. If you are sure that only one subscriber attached to an interface is receiving multicast services, you can enable the immediate leave function.
remaining subscribers for that multicast group before removing the port from the group list. ■ Using immediate leave can speed up leave latency, but it should only be enabled on a port attached to one multicast subscriber to avoid disrupting services to other group members attached to the same interface. ■ Immediate leave does not apply to multicast groups which have been statically assigned to a port.
WEB INTERFACE To configure interface settings for MVR: 1. Click Multicast, MVR. 2. Select Configure Interface from the Step list. 3. Select Configure Port or Configure Trunk from the Action list. 4. Select an MVR domain. 5. Set each port that will participate in the MVR protocol as a source port or receiver port, and optionally enable Immediate Leave on any receiver port to which only one subscriber is attached. 6. Click Apply.
◆ The MVR VLAN cannot be specified as the receiver VLAN for static bindings. PARAMETERS These parameters are displayed: ◆ Domain ID – An independent multicast domain. (Range: 1-5) ◆ Interface – Port or trunk identifier. ◆ VLAN – VLAN identifier. (Range: 1-4094) ◆ Group IP Address – Defines a multicast service sent to the selected port.
4. Select an MVR domain. 5. Select the port or trunk for which to display this information. Figure 395: Showing the Static MVR Groups Assigned to a Port DISPLAYING MVR RECEIVER GROUPS Use the Multicast > MVR (Show Member) page to show the multicast groups either statically or dynamically assigned to the MVR receiver groups on each interface.
WEB INTERFACE To display the interfaces assigned to the MVR receiver groups: 1. Click Multicast, MVR. 2. Select Show Member from the Step list. 3. Select an MVR domain. Figure 396: Displaying MVR Receiver Groups DISPLAYING MVR STATISTICS Use the Multicast > MVR > Show Statistics pages to display MVR protocol-related statistics for the specified interface.
◆ General Query Sent – The number of general queries sent from this interface. ◆ Specific Query Received – The number of specific queries received on this interface. ◆ Specific Query Sent – The number of specific queries sent from this interface. ◆ Number of Reports Sent – The number of reports sent from this interface. ◆ Number of Leaves Sent – The number of leaves sent from this interface.
WEB INTERFACE To display statistics for MVR query-related messages: 1. Click Multicast, MVR. 2. Select Show Statistics from the Step list. 3. Select Show Query Statistics from the Action list. 4. Select an MVR domain.
To display MVR protocol-related statistics for a VLAN: 1. Click Multicast, MVR. 2. Select Show Statistics from the Step list. 3. Select Show VLAN Statistics from the Action list. 4. Select an MVR domain. 5. Select a VLAN.
CHAPTER 17 | Multicast Filtering Multicast VLAN Registration for IPv6 To display MVR protocol-related statistics for a port: 1. Click Multicast, MVR. 2. Select Show Statistics from the Step list. 3. Select Show Port Statistics from the Action list. 4. Select an MVR domain. 5. Select a Port. Figure 399: Displaying MVR Statistics – Port MULTICAST VLAN REGISTRATION FOR IPV6 MVR6 functions in a manner similar to that described for MVR (see "Multicast VLAN Registration for IPv4" on page 642).
4. For multicast streams that will run for a long term and be associated with a stable set of hosts, you can statically bind the multicast group to the participating interfaces (see "Assigning Static MVR6 Multicast Groups to Interfaces" on page 669). CONFIGURING MVR6 GLOBAL SETTINGS Use the Multicast > MVR6 (Configure Global) page to configure proxy switching and the robustness variable.
groups, and the number of times group-specific queries are sent to downstream receiver ports. ◆ Proxy Query Interval – Configures the interval at which the receiver port sends out general queries. (Range: 2-31744 seconds; Default: 125 seconds) ■ This parameter only takes effect when MVR6 proxy switching is enabled. ■ This parameter sets the general query interval at which active receiver ports send out general queries.
Figure 400: Configuring Global Settings for MVR6 CONFIGURING MVR6 DOMAIN SETTINGS Use the Multicast > MVR6 (Configure Domain) page to enable MVR6 globally on the switch, and select the VLAN that will serve as the sole channel for common multicast streams supported by the service provider. CLI REFERENCES ◆ "MVR for IPv6" on page 1277 PARAMETERS These parameters are displayed: ◆ Domain ID – An independent multicast domain.
◆ Upstream Source IPv6 – The source IPv6 address assigned to all MVR6 control packets sent upstream on the specified domain. This parameter must be a full IPv6 address including the network prefix and host address bits. By default, all MVR6 reports sent upstream use a null source IP address. All IPv6 addresses must be according to RFC 2373 “IPv6 Addressing Architecture,” using 8 colon-separated 16-bit hexadecimal values.
COMMAND USAGE ◆ Use the Configure Profile page to statically configure all multicast group addresses that will join the MVR6 VLAN. Any multicast data associated with an MVR6 group is sent from all source ports to all receiver ports that have registered to receive data from that multicast group. ◆ MLD snooping and MVR6 share a maximum number of 1024 groups.
4. Enter the name of a group profile to be assigned to one or more domains, and specify a multicast group that will stream traffic to participating hosts. 5. Click Apply. Figure 402: Configuring an MVR6 Group Address Profile To show the configured MVR6 group address profiles: 1. Click Multicast, MVR6. 2. Select Configure Profile from the Step list. 3. Select Show from the Action list.
Figure 404: Assigning an MVR6 Group Address Profile to a Domain To show the MVR6 group address profiles assigned to a domain: 1. Click Multicast, MVR6. 2. Select Associate Profile from the Step list. 3. Select Show from the Action list.
Receiver ports should not be statically configured as members of the MVR6 VLAN. If so configured, their MVR6 status will be inactive. Also, note that VLAN membership for MVR6 receiver ports cannot be set to access mode (see "Adding Static Members to VLANs" on page 198). ◆ One or more interfaces may be configured as MVR6 source ports.
◆ MVR6 Status – Shows the MVR6 status. MVR6 status for source ports is “Active” if MVR6 is globally enabled on the switch. MVR6 status for receiver ports is “Active” only if there are subscribers receiving multicast traffic from one of the MVR6 groups, or a multicast group has been statically assigned to an interface.
ASSIGNING STATIC MVR6 MULTICAST GROUPS TO INTERFACES Use the Multicast > MVR6 (Configure Static Group Member) page to statically bind multicast groups to a port which will receive long-term multicast streams associated with a stable set of hosts. CLI REFERENCES ◆ "mvr6 vlan group" on page 1287 COMMAND USAGE ◆ Multicast groups can be statically assigned to a receiver port using this configuration page.
Figure 407: Assigning Static MVR6 Groups to a Port To show the static MVR6 groups assigned to an interface: 1. Click Multicast, MVR6. 2. Select Configure Static Group Member from the Step list. 3. Select Show from the Action list. 4. Select an MVR6 domain. 5. Select the port or trunk for which to display this information.
◆ VLAN – The VLAN through which the service is received. Note that this may be different from the MVR6 VLAN if the group address has been statically assigned. ◆ Port – Indicates the source address of the multicast service, or displays an asterisk if the group address has been statically assigned (these entries are marked as “Source”).
◆ Port – Port identifier. (Range: 1-28) ◆ Trunk – Trunk identifier. (Range: 1-12) Query Statistics ◆ Querier IPv6 Address – The IP address of the querier on this interface. ◆ Querier Expire Time – The time after which this querier is assumed to have expired. ◆ General Query Received – The number of general queries received on this interface. ◆ General Query Sent – The number of general queries sent from this interface.
Output Statistics ◆ Report – The number of MLD membership reports sent from this interface. ◆ Leave – The number of leave messages sent from this interface. ◆ G Query – The number of general query messages sent from this interface. ◆ G(-S)-S Query – The number of group specific or group-and-source specific query messages sent from this interface. WEB INTERFACE To display statistics for MVR6 query-related messages: 1.
To display MVR6 protocol-related statistics for a VLAN: 1. Click Multicast, MVR6. 2. Select Show Statistics from the Step list. 3. Select Show VLAN Statistics from the Action list. 4. Select an MVR6 domain. 5. Select a VLAN.
To display MVR6 protocol-related statistics for a port: 1. Click Multicast, MVR6. 2. Select Show Statistics from the Step list. 3. Select Show Port Statistics from the Action list. 4. Select an MVR6 domain. 5. Select a Port.
SECTION III COMMAND LINE INTERFACE This section provides a detailed description of the Command Line Interface, along with examples for all of the commands.
◆ "Class of Service Commands" on page 1169 ◆ "Quality of Service Commands" on page 1183 ◆ "Multicast Filtering Commands" on page 1203 ◆ "LLDP Commands" on page 1295 ◆ "CFM Commands" on page 1319 ◆ "OAM Commands" on page 1361 ◆ "Domain Name Service Commands" on page 1373 ◆ "DHCP Commands" on page 1383 ◆ "IP Interface Commands" on page 1395
18 USING THE COMMAND LINE INTERFACE This chapter describes how to use the Command Line Interface (CLI). ACCESSING THE CLI When accessing the management interface for the switch over a direct connection to the server’s console port, or via a Telnet or Secure Shell connection (SSH), the switch can be managed by entering command keywords and parameters at the prompt. Using the switch's command-line interface (CLI) is very similar to entering commands on a UNIX system.
CHAPTER 18 | Using the Command Line Interface Accessing the CLI TELNET CONNECTION Telnet operates over the IP transport protocol. In this environment, your management station and any network device you want to manage over the network must have a valid IP address. Valid IP addresses consist of four numbers, 0 to 255, separated by periods. Each address consists of a network portion and host portion. For example, the IP address assigned to this switch, 10.1.0.1, consists of a network portion (10.1.
CHAPTER 18 | Using the Command Line Interface Entering Commands NOTE: You can open up to eight sessions to the device via Telnet or SSH. ENTERING COMMANDS This section describes how to enter CLI commands. KEYWORDS AND ARGUMENTS A CLI command is a series of keywords and arguments. Keywords identify a command, and arguments specify configuration parameters.
GETTING HELP ON COMMANDS You can display a brief description of the help system by entering the help command. You can also display command syntax by using the “?” character to list keywords or parameters. SHOWING COMMANDS If you enter a “?” at the command prompt, the system will display the first level of keywords or command groups. You can also display a list of valid keywords for a specific command.
Console#show ? (output partially recovered; descriptions survive only for the first keywords) privilege – Shows current privilege level; process – Device process; protocol-vlan – Protocol-VLAN information; public-key – Public key information; qos – Quality of Service; queue – Priority (description truncated); remaining keywords listed without descriptions: radius-server, reload, rmon, rspan, running-config, sflow, snmp, snmp-server, sntp, spanning-tree, ssh, startup-config, subnet-vlan, system, tacacs-server, tech-support, time-range, traffic-segmentation, udld, upgrade, users, version, vlan, vlan-translation, voice, watchdog, web-auth. Console#show
PARTIAL KEYWORD LOOKUP If you terminate a partial keyword with a question mark, alternatives that match the initial letters are provided. (Remember not to leave a space between the command and the question mark.) For example, “s?” shows all the keywords starting with “s”.
Table 41: General Command Modes
Class: Exec – Modes: Normal, Privileged
Class: Configuration – Modes: Global*, Access Control List, CFM, Class Map, ERPS, IGMP Profile, Interface, Line, Multiple Spanning Tree, Policy Map, Time Range, VLAN Database
* You must be in Privileged Exec mode to access the Global configuration mode. You must be in Global Configuration mode to access any of the other configuration modes.
CONFIGURATION COMMANDS Configuration commands are privileged level commands used to modify switch settings. These commands modify the running configuration only and are not saved when the switch is rebooted. To store the running configuration in non-volatile storage, use the copy running-config startup-config command.
To enter the Global Configuration mode, enter the command configure in Privileged Exec mode. The system prompt will change to “Console(config)#”, which gives you access privilege to all Global Configuration commands. Console#configure Console(config)# To enter the other modes, at the configuration prompt type one of the following commands. Use the exit or end command to return to the Privileged Exec mode.
COMMAND LINE PROCESSING Commands are not case sensitive. You can abbreviate commands and parameters as long as they contain enough letters to differentiate them from any other currently available commands or parameters. You can use the Tab key to complete partial commands, or enter a partial command followed by the “?” character to display a list of possible matches.
CLI COMMAND GROUPS The system commands can be broken down into the functional groups shown below.
Table 44: Command Group Index (Continued)
Command Group – Description – Page
ERPS – Configures Ethernet Ring Protection Switching for increased availability of Ethernet rings commonly used in service provider networks – 1093
VLANs – Configures VLAN settings, and defines port membership for VLAN groups; also enables or configures private VLANs, protocol VLANs, voice VLANs, and QinQ tunneling – 1125
Class of Service – Sets port priority for untagge
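The partial-keyword lookup and abbreviation rules described under "Partial Keyword Lookup" and "Command Line Processing" (case-insensitive matching, an abbreviation accepted only when it is unambiguous, and "s?" listing every keyword that starts with "s") can be modelled as follows. This is an added example, not the switch's own command parser; the keyword list is copied from the partial show ? output reproduced on this page, and the lookup and resolve functions are illustrative names.

```python
"""Abbreviated-keyword resolution as described for this CLI (added
illustration; the switch's real parser is not published on this page).
Matching is case-insensitive, and an abbreviation is accepted only when it
identifies exactly one keyword. The keyword list below is taken from the
partial `show ?` output shown on this page.
"""

SHOW_KEYWORDS = [
    "privilege", "process", "protocol-vlan", "public-key", "qos", "queue",
    "radius-server", "reload", "rmon", "rspan", "running-config", "sflow",
    "snmp", "snmp-server", "sntp", "spanning-tree", "ssh", "startup-config",
    "subnet-vlan", "system", "tacacs-server", "tech-support", "time-range",
    "traffic-segmentation", "udld", "upgrade", "users", "version", "vlan",
    "vlan-translation", "voice", "watchdog", "web-auth",
]


def lookup(prefix, keywords=SHOW_KEYWORDS):
    """Keywords matching an abbreviation: what typing `prefix?` would list."""
    p = prefix.lower()
    return [k for k in keywords if k.startswith(p)]


def resolve(token, keywords=SHOW_KEYWORDS):
    """Expand an abbreviated keyword.

    Returns ("ok", keyword) for an exact or unique-prefix match,
    ("ambiguous", [candidates]) when several keywords share the prefix, and
    ("invalid", []) when none does.
    """
    t = token.lower()
    matches = lookup(t, keywords)
    if t in matches:
        # An exact keyword wins even when it is also a prefix of others,
        # e.g. "snmp" resolves to snmp, not to snmp-server.
        return "ok", t
    if len(matches) == 1:
        return "ok", matches[0]
    if matches:
        return "ambiguous", matches
    return "invalid", []


def resolve_line(line, keywords=SHOW_KEYWORDS):
    """Resolve each whitespace-separated token of a command line in turn,
    stopping at the first token that is ambiguous or invalid."""
    expanded = []
    for token in line.split():
        status, value = resolve(token, keywords)
        if status != "ok":
            return status, token, value
        expanded.append(value)
    return "ok", " ".join(expanded), expanded
```

The exact-match rule matters for keyword sets like this one, where "snmp" and "vlan" are both complete keywords and prefixes of "snmp-server" and "vlan-translation"; without it a fully typed keyword would be rejected as ambiguous.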
19 GENERAL COMMANDS
The general commands are used to control the command access mode, configuration mode, and other basic functions.

CHAPTER 19 | General Commands
EXAMPLE
Console(config)#prompt RD2
RD2(config)#

reload (Global Configuration)
This command restarts the system at a specified time, after a specified delay, or at a periodic interval. You can reboot the system immediately, or you can configure the switch to reset after a specified amount of time. Use the cancel option to remove a configured setting.
COMMAND USAGE
◆ This command resets the entire system.
◆ Any combination of reload options may be specified. If the same option is re-specified, the previous setting will be overwritten.
◆ When the system is restarted, it will always run the Power-On Self-Test. It will also retain all configuration information stored in non-volatile memory by the copy running-config startup-config command (see "copy" on page 720).
EXAMPLE
Console>enable
Password: [privileged level password]
Console#
RELATED COMMANDS
disable (696)
enable password (810)

quit
This command exits the configuration program.
DEFAULT SETTING
None
COMMAND MODE
Normal Exec, Privileged Exec
COMMAND USAGE
The quit and exit commands can both exit the configuration program.

EXAMPLE
In this example, the show history command lists the contents of the command history buffer:
Console#show history
Execution command history:
 2 config
 1 show history
Configuration command history:
 4 interface vlan 1
 3 exit
 2 interface vlan 1
 1 end
Console#
The ! command repeats commands from the Execution command history buffer when you are in Normal Exec or Privileged Exec Mode, and commands from the Configuration command history buffer when you are in any of the confi
disable
This command returns to Normal Exec mode from privileged mode. In normal access mode, you can only display basic information on the switch's configuration or Ethernet statistics. To gain access to all commands, you must use the privileged mode. See "Understanding Command Modes" on page 684.
DEFAULT SETTING
None
COMMAND MODE
Privileged Exec
COMMAND USAGE
The ">" character is appended to the end of the prompt to indicate that the system is in normal access mode.

show reload
This command displays the current reload settings, and the time at which the next scheduled reload will take place.
COMMAND MODE
Privileged Exec
EXAMPLE
Console#show reload
Reloading switch in time: 0 hours 29 minutes.
The switch will be rebooted at January 1 02:11:50 2001.
Remaining Time: 0 days, 0 hours, 29 minutes, 52 seconds.
Console#

end
This command returns to Privileged Exec mode.

EXAMPLE
This example shows how to return to the Privileged Exec mode from the Global Configuration mode, and then quit the CLI session:
Console(config)#exit
Console#exit
Press ENTER to start session
User Access Verification
Username:
20 SYSTEM MANAGEMENT COMMANDS
The system management commands are used to control system logs, passwords, user names, management options, and display or configure a variety of other system information.

CHAPTER 20 | System Management Commands
Banner Information
hostname
This command specifies or modifies the host name for this device. Use the no form to restore the default host name.
SYNTAX
hostname name
no hostname
name - The name of this host.

Table 48: Banner Commands (Continued)
Command | Function | Mode
banner configure manager-info | Configures the Manager contact information that is displayed by banner | GC
banner configure mux | Configures the MUX information that is displayed by banner | GC
banner configure note | Configures miscellaneous information that is displayed by banner under the Notes heading | GC
show banner | Displays all banner information | NE, PE

banner configure
This co
Row: 7
Rack: 29
Shelf in this rack: 8
Information about DC power supply.
Floor: 2
Row: 7
Rack: 25
Electrical circuit: : ec-177743209-xb
Number of LP:12
Position of the equipment in the MUX:1/23
IP LAN:192.168.1.1
Note: This is a random note about this managed switch and can contain miscellaneous information.
Console(config)#

banner configure
This command is used to configure company information displayed in the company banner.

banner configure dc-power-info
This command is used to configure DC power information displayed in the banner. Use the no form to restore the default setting.
SYNTAX
banner configure dc-power-info floor floor-id row row-id rack rack-id electrical-circuit ec-id
no banner configure dc-power-info [floor | row | rack | electrical-circuit]
floor-id - The floor number.
row-id - The row number.
rack-id - The rack number.
ec-id - The electrical circuit ID.
COMMAND MODE
Global Configuration
COMMAND USAGE
Input strings cannot contain spaces. The banner configure department command interprets spaces as data input boundaries. The use of underscores ( _ ) or other unobtrusive non-letter characters is suggested for situations where white space is necessary for clarity.

EXAMPLE
Console(config)#banner configure equipment-info manufacturer-id ES3528MV2 floor 3 row 10 rack 15 shelf-rack 12 manufacturer Edge-Core
Console(config)#

banner configure equipment-location
This command is used to configure the equipment location information displayed in the banner. Use the no form to restore the default setting.

COMMAND MODE
Global Configuration
COMMAND USAGE
Input strings cannot contain spaces. The banner configure ip-lan command interprets spaces as data input boundaries. The use of underscores ( _ ) or other unobtrusive non-letter characters is suggested for situations where white space is necessary for clarity.
EXAMPLE
Console(config)#banner configure ip-lan 192.168.1.1/255.255.255.
banner configure manager-info
This command is used to configure the manager contact information displayed in the banner. Use the no form to restore the default setting.
SYNTAX
banner configure manager-info name mgr1-name phone-number mgr1-number [name2 mgr2-name phone-number mgr2-number | name3 mgr3-name phone-number mgr3-number]
no banner configure manager-info [name1 | name2 | name3]
mgr1-name - The name of the first manager.

DEFAULT SETTING
None
COMMAND MODE
Global Configuration
COMMAND USAGE
Input strings cannot contain spaces. The banner configure mux command interprets spaces as data input boundaries. The use of underscores ( _ ) or other unobtrusive non-letter characters is suggested for situations where white space is necessary for clarity.

System Status
show banner
This command displays all banner information.
COMMAND MODE
Normal Exec, Privileged Exec
EXAMPLE
Console#show banner
Edge-Core
WARNING - MONITORED ACTIONS AND ACCESSES
R&D
Albert_Einstein - 123-555-1212
Lamar - 123-555-1219
Station's information:
710_Network_Path,_Indianapolis
ES3528MV2
Floor / Row / Rack / Sub-Rack
3/ 10 / 15 / 12
DC power supply:
Power Source A: Floor / Row / Rack / Electrical circuit
3/ 15 / 24 / 48v-id_3.15.24.
Table 49: System Status Commands (Continued)
Command | Function | Mode
show watchdog | Shows if watchdog debugging is enabled | PE
watchdog software | Monitors key processes, and automatically reboots the system if any of these processes are not responding correctly | PE

show access-list tcam-utilization
This command shows utilization parameters for TCAM (Ternary Content Addressable Memory), including the number of policy control entries in use, the number of

Alarm Configuration
 Rising Threshold  : 90%
 Falling Threshold : 70%
Console#
RELATED COMMANDS
memory (793)

show process cpu
This command shows the CPU utilization parameters, alarm status, and alarm configuration.
COMMAND MODE
Privileged Exec
COMMAND USAGE
◆ Use the interface keyword to display configuration data for the specified interface.
◆ Use this command in conjunction with the show startup-config command to compare the information in running memory to the information stored in non-volatile memory.
◆ This command displays settings for key command modes.

line console
!
line vty
!
end
!
Console#
RELATED COMMANDS
show startup-config (713)

show startup-config
This command displays the configuration file stored in non-volatile memory that is used to start up the system.
COMMAND MODE
Privileged Exec
COMMAND USAGE
◆ Use this command in conjunction with the show running-config command to compare the information in running memory to the information stored in non-volatile memory.
COMMAND USAGE
For a description of the items shown by this command, refer to "Displaying System Information" on page 117.
EXAMPLE
Console#show system
System Description : ES3528MV2
System OID String : 1.3.6.1.4.1.259.10.1.22.101
System Information
System Up Time : 0 days, 0 hours, 52 minutes, and 2.

. .

show users
Shows all active console and Telnet sessions, including user name, idle time, and IP address of Telnet client.
DEFAULT SETTING
None
COMMAND MODE
Normal Exec, Privileged Exec
COMMAND USAGE
The session used to execute this command is indicated by a "*" symbol next to the Line (i.e., session) index number.

EXAMPLE
Console#show version
Unit 1
 Serial Number          : V11149000072
 Hardware Version       : R0C
 EPLD Version           : 0.00
 Number of Ports        : 28
 Main Power Status      : Up
 Role                   : Master
 Loader Version         : 1.0.0.0
 Linux Kernel Version   : 2.6.22.18
 Boot ROM Version       : 1.0.0.1
 Operation Code Version : 1.4.0.0
Console#

show watchdog
This command shows if watchdog debugging is enabled.
FRAME SIZE
This section describes commands used to configure the Ethernet frame size on the switch.
Table 50: Frame Size Commands
Command | Function | Mode
jumbo frame | Enables support for jumbo frames | GC

jumbo frame
This command enables support for layer 2 jumbo frames for Gigabit Ethernet ports. Use the no form to disable it.

FILE MANAGEMENT
Managing Firmware
Firmware can be uploaded and downloaded to or from an FTP/TFTP server. By saving runtime code to a file on an FTP/TFTP server, that file can later be downloaded to the switch to restore operation. The switch can also be set to use new firmware without overwriting the previous version.
General Commands
boot system
This command specifies the file or image used to start up the system.
SYNTAX
boot system {boot-rom | config | opcode}: filename
boot-rom* - Boot ROM.
config* - Configuration file.
opcode* - Run-time operation code.
filename - Name of configuration file or code image.
* The colon (:) is required.
DEFAULT SETTING
None
COMMAND MODE
Global Configuration
COMMAND USAGE
◆ A colon (:) is required after the specified file type.

copy
This command moves (upload/download) a code image or configuration file between the switch's flash memory and an FTP/TFTP server. When you save the system code or configuration settings to a file on an FTP/TFTP server, that file can later be downloaded to the switch to restore system operation. The success of the file transfer depends on the accessibility of the FTP/TFTP server and the quality of the network connection.

◆ To replace the startup configuration, you must use startup-config as the destination.
◆ The Boot ROM and Loader cannot be uploaded or downloaded from the FTP/TFTP server. You must follow the instructions in the release notes for new firmware, or contact your distributor for help.
◆ For information on specifying an https-certificate, see "Replacing the Default Secure-site Certificate" on page 340.
The following example shows how to copy the running configuration to a startup file.
Console#copy running-config file
destination file name: startup
Write to FLASH Programming.
\Write to FLASH finish.
Success.
Console#
The following example shows how to download a configuration file:
Console#copy tftp startup-config
TFTP server ip address: 10.1.0.99
Source configuration file name: startup.

This example shows how to copy a file to an FTP server.
Console#copy ftp file
FTP server IP address: 169.254.1.11
User[anonymous]: admin
Password[]: *****
Choose file type:
 1. config: 2. opcode: 2
Source file name: BLANC.BIX
Destination file name: BLANC.BIX
Console#

delete
This command deletes a file or image.
SYNTAX
delete {file name filename} | {public-key username [dsa | rsa]}
file - Keyword that allows you to delete a file.

RELATED COMMANDS
dir (724)
delete public-key (844)

dir
This command displays a list of files in flash memory.
SYNTAX
dir {boot-rom: | config: | opcode:} [filename]
boot-rom - Boot ROM (or diagnostic) image file.
config - Switch configuration file.
opcode - Run-time operation code image file.
filename - Name of configuration file or code image. If this file exists but contains errors, information on this file cannot be shown.

whichboot
This command displays which files were booted when the system powered up.
SYNTAX
whichboot
DEFAULT SETTING
None
COMMAND MODE
Privileged Exec
EXAMPLE
This example shows the information displayed by the whichboot command. See the table under the dir command for a description of the file information displayed by this command.
stored on the TFTP server must be es3528mv2.bix. If the switch detects a code version newer than the one currently in use, it will download the new image. If two code images are already stored in the switch, the image not set to start up the system will be overwritten by the new version.
2. After the image has been downloaded, the switch will send a trap message to log whether or not the upgrade operation was successful.
3.

COMMAND MODE
Global Configuration
COMMAND USAGE
◆ This command is used in conjunction with the upgrade opcode auto command to facilitate automatic upgrade of new operational code stored at the location indicated by this command.
◆ The name for the new image stored on the TFTP server must be es3528mv2.bix. However, note that the file name is not to be included in this command.

Line
EXAMPLE
This shows how to specify a TFTP server where new code is stored.
Console(config)#upgrade opcode reload
Console(config)#

show upgrade
This command shows the opcode upgrade configuration settings.
COMMAND MODE
Privileged Exec
EXAMPLE
Console#show upgrade
Auto Image Upgrade Global Settings:
 Status : Disabled
 Reload Status : Disabled
 Path :
 File Name : es3528mv2.
Table 53: Line Commands (Continued)
Command | Function | Mode
silent-time* | Sets the amount of time the management console is inaccessible after the number of unsuccessful logon attempts exceeds the threshold set by the password-thresh command | LC
speed* | Sets the terminal baud rate | LC
stopbits* | Sets the number of the stop bits transmitted per byte | LC
timeout login response | Sets the interval that the system waits for a login attempt | LC
disconnect | Termina

databits
This command sets the number of data bits per character that are interpreted and generated by the console port. Use the no form to restore the default value.
SYNTAX
databits {7 | 8}
no databits
7 - Seven data bits per character.
8 - Eight data bits per character.

COMMAND USAGE
◆ If user input is detected within the timeout interval, the session is kept open; otherwise the session is terminated.
◆ This command applies to both the local console and Telnet connections.
◆ The timeout for Telnet cannot be disabled.
◆ Using the command without specifying a timeout restores the default setting.

◆ This command controls login authentication via the switch itself. To configure user names and passwords for remote authentication servers, you must use the RADIUS or TACACS software installed on those servers.
EXAMPLE
Console(config-line)#login local
Console(config-line)#
RELATED COMMANDS
username (811)
password (733)

parity
This command defines the generation of a parity bit. Use the no form to restore the default setting.
password
This command specifies the password for a line. Use the no form to remove the password.
SYNTAX
password {0 | 7} password
no password
{0 | 7} - 0 means plain password, 7 means encrypted password
password - Character string that specifies the line password. (Maximum length: 32 characters plain text or encrypted, case sensitive)
DEFAULT SETTING
No password is specified.

password-thresh
This command sets the password intrusion threshold, which limits the number of failed logon attempts. Use the no form to remove the threshold value.
SYNTAX
password-thresh [threshold]
no password-thresh
threshold - The number of allowed password attempts. (Range: 1-120; 0: no threshold)
DEFAULT SETTING
The default value is three attempts.

COMMAND MODE
Line Configuration
EXAMPLE
To set the silent time to 60 seconds, enter this command:
Console(config-line)#silent-time 60
Console(config-line)#
RELATED COMMANDS
password-thresh (734)

speed
This command sets the terminal line's baud rate. This command sets both the transmit (to terminal) and receive (from terminal) speeds. Use the no form to restore the default setting.
SYNTAX
speed bps
no speed
bps - Baud rate in bits per second.
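The interaction between password-thresh and silent-time described above, modelled as an added example (this is not the switch's firmware code; the class name, the method names and the decision to lock the line when the failure count reaches the threshold are assumptions). It shows why the two settings belong together: a threshold with no silent time only counts failures, while a threshold plus a silent time actually closes the line for the configured number of seconds and resets the counter once that time has elapsed.

```python
"""Lockout model for a management line protected by password-thresh and
silent-time. Added illustration, not the switch's own code. The names
LineLockout/attempt/is_locked are mine, and the rule that the line locks
as soon as the failure count reaches the threshold is an assumption."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class LineLockout:
    threshold: int = 3          # password-thresh default: three attempts; 0 = no threshold
    silent_seconds: int = 0     # silent-time; 0 = disabled (assumption)
    failures: int = 0
    locked_until: Optional[float] = None  # seconds on a monotonic clock

    def is_locked(self, now: float) -> bool:
        """True while the silent time is running; reopens the line when it ends."""
        if self.locked_until is None:
            return False
        if now < self.locked_until:
            return True
        # Silent time has elapsed: reopen the line and start counting afresh.
        self.locked_until = None
        self.failures = 0
        return False

    def attempt(self, now: float, password_ok: bool) -> str:
        """Process one logon attempt and return what the line does with it."""
        if self.is_locked(now):
            return "silent"                 # line inaccessible, attempt ignored
        if password_ok:
            self.failures = 0               # a good password resets the intrusion count
            return "accepted"
        self.failures += 1
        if self.threshold and self.silent_seconds and self.failures >= self.threshold:
            self.locked_until = now + self.silent_seconds
            return "threshold-exceeded"     # line closed for silent_seconds
        return "rejected"


def simulate(line: LineLockout, events: List[Tuple[float, bool]]) -> List[str]:
    """Feed (time, password_ok) events through a line and collect the outcomes."""
    return [line.attempt(t, ok) for t, ok in events]


if __name__ == "__main__":
    # Constructed sample: three bad passwords, then the right one during the
    # silent time, then the right one after it has expired.
    hardened = LineLockout(threshold=3, silent_seconds=60)
    print(simulate(hardened, [(0, False), (1, False), (2, False), (10, True), (62, True)]))
```

With silent-time left at its default, the same sequence on a LineLockout() with only the default threshold never returns "silent", which is the gap a practitioner should look for when reviewing show line output.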
stopbits
This command sets the number of the stop bits transmitted per byte. Use the no form to restore the default setting.

EXAMPLE
To set the timeout to two minutes, enter this command:
Console(config-line)#timeout login response 120
Console(config-line)#

disconnect
This command terminates an SSH, Telnet, or console connection.
SYNTAX
disconnect session-id
session-id - The session identifier for an SSH, Telnet or console connection. (Range: 0-8)
COMMAND MODE
Privileged Exec
COMMAND USAGE
Specifying session identifier "0" will disconnect the console connection.

length - The number of lines displayed on the screen. (Range: 0-512, where 0 means not to pause)
terminal-type - The type of terminal emulation used.
ansi-bbs - ANSI-BBS
vt-100 - VT-100
vt-102 - VT-102
width - The number of character columns displayed on the terminal.

Event Logging
 History Size : 10
 Escape Character (ASCII-number) : 27
 Terminal Type : VT100
Console Configuration:
 Password Threshold : 3 times
 EXEC Timeout : 600 seconds
 Login Timeout : 300 seconds
 Silent Time : Disabled
 Baud Rate : 115200
 Data Bits : 8
 Parity : None
 Stop Bits : 1
VTY Configuration:
 Password Threshold : 3 times
 EXEC Timeout : 600 seconds
 Login Timeout : 300 sec.
 Silent Time :
Console#
DEFAULT SETTING
23
COMMAND MODE
Global Configuration
COMMAND USAGE
The command specifies the facility type tag sent in syslog messages. (See RFC 3164.) This type has no effect on the kind of messages reported by the switch. However, it may be used by the syslog server to sort messages or to store messages in the corresponding database.

DEFAULT SETTING
Flash: errors (level 3 - 0)
RAM: debugging (level 7 - 0)
COMMAND MODE
Global Configuration
COMMAND USAGE
The message level specified for flash memory must be a higher priority (i.e., numerically lower) than that specified for RAM.
EXAMPLE
Console(config)#logging history ram 0
Console(config)#

logging host
This command adds a syslog server host IP address that will receive logging messages. Use the no form to remove a syslog server host.

DEFAULT SETTING
None
COMMAND MODE
Global Configuration
COMMAND USAGE
The logging process controls error messages saved to switch memory or sent to remote syslog servers. You can use the logging history command to control the type of error messages that are stored in memory. You can use the logging trap command to control the type of error messages that are sent to specified syslog servers.

EXAMPLE
Console(config)#logging trap 4
Console(config)#

clear log
This command clears messages from the log buffer.
SYNTAX
clear log [flash | ram]
flash - Event history stored in flash memory (i.e., permanent memory).
ram - Event history stored in temporary RAM (i.e., memory flushed on power reset).
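How the facility tag, the logging history levels and the logging trap level fit together, as an added example (not code from the switch or from Edge-Core). It encodes and decodes the RFC 3164 PRI value that carries the facility type (23 is the default above) and the severity, checks the flash-versus-RAM level ordering the usage note requires, and sorts a few constructed syslog lines into those a collector would receive at a given logging trap level. Function names are mine; treating equal flash and RAM levels as acceptable is an assumption.

```python
"""Syslog PRI and logging-level helpers for the logging facility-type,
logging history and logging trap commands. Added illustration, not the
switch's firmware; the sample lines below are constructed."""
import re
from typing import Dict, List, Set, Tuple

SEVERITY_NAMES: Dict[int, str] = {
    0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
    4: "warnings", 5: "notifications", 6: "informational", 7: "debugging",
}
DEFAULT_FACILITY = 23  # "local use 7" in RFC 3164, the switch's default facility type


def encode_pri(facility: int, severity: int) -> int:
    """RFC 3164: PRI = facility * 8 + severity."""
    if not 0 <= facility <= 23 or not 0 <= severity <= 7:
        raise ValueError("facility must be 0-23 and severity 0-7")
    return facility * 8 + severity


def decode_pri(pri: int) -> Tuple[int, int]:
    """Inverse of encode_pri: (facility, severity)."""
    return divmod(pri, 8)


def history_levels_ok(flash_level: int, ram_level: int) -> bool:
    """Flash must be a higher priority (numerically lower) than RAM; equal
    levels are accepted here, which is an assumption."""
    return 0 <= flash_level <= ram_level <= 7


def stores_for(severity: int, flash_level: int = 3, ram_level: int = 7) -> Set[str]:
    """Which memories keep a message: "level N - 0" means N and every more urgent level."""
    stores = set()
    if severity <= flash_level:
        stores.add("flash")
    if severity <= ram_level:
        stores.add("ram")
    return stores


_PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$")


def triage(lines: List[str], trap_level: int = 7):
    """Split syslog lines into those forwarded at `logging trap trap_level`
    (as (facility, severity name, text) tuples) and those held back."""
    sent, dropped = [], []
    for line in lines:
        m = _PRI_RE.match(line)
        if not m:
            dropped.append(line)          # no PRI: not a syslog line we can classify
            continue
        facility, severity = decode_pri(int(m.group(1)))
        if severity <= trap_level:
            sent.append((facility, SEVERITY_NAMES[severity], m.group(2)))
        else:
            dropped.append(line)
    return sent, dropped


# Constructed sample lines, all tagged with facility 23 (local7).
SAMPLE_LINES = [
    "<187>Jan  1 00:01:30 switch VLAN 1 link-up notification.",        # severity 3, errors
    "<190>Jan  1 00:02:10 switch User admin logged in from console.",  # severity 6, informational
    "<191>Jan  1 00:02:11 switch Debug trace entry.",                  # severity 7, debugging
]

if __name__ == "__main__":
    sent, dropped = triage(SAMPLE_LINES, trap_level=4)   # matches "logging trap 4" above
    print(sent)
    print(dropped)
```

A quick way to use this when tuning a collector: run triage over a capture with the trap level you intend to configure and confirm that the events you rely on for detection (logon events, for instance) survive the cut.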
COMMAND USAGE
◆ All log messages are retained in RAM and Flash after a warm restart (i.e., power is reset through the command interface).
◆ All log messages are retained in Flash and purged from RAM after a cold restart (i.e., power is turned off and then on through the power source).
EXAMPLE
The following example shows the event message stored in RAM.
Console#show log ram
[1] 00:01:30 2001-01-01 "VLAN 1 link-up notification.

 History Logging in Flash : Level Errors (3)
Console#
Table 56: show logging flash/ram - display description
Field | Description
Syslog Logging | Shows if system logging has been enabled via the logging on command.
History Logging in Flash | The message level(s) reported based on the logging history command.
History Logging in RAM | The message level(s) reported based on the logging history command.
SMTP ALERTS
These commands configure SMTP event handling, and forwarding of alert messages to the specified SMTP servers and email recipients.

COMMAND MODE
Global Configuration
COMMAND USAGE
◆ You can specify up to three SMTP servers for event handling. However, you must enter a separate command to specify each server.
◆ To send email alerts, the switch first opens a connection, sends all the email alerts waiting in the queue one by one, and finally closes the connection.

EXAMPLE
This example will send email alerts for system errors from level 3 through 0.
Console(config)#logging sendmail level 3
Console(config)#

logging sendmail destination-email
This command specifies the email recipients of alert messages. Use the no form to remove a recipient.
SYNTAX
[no] logging sendmail destination-email email-address
email-address - The source email address used in alert messages.

Time
COMMAND USAGE
You may use a symbolic email address that identifies the switch, or the address of an administrator responsible for the switch.
EXAMPLE
Console(config)#logging sendmail source-email bill@this-company.com
Console(config)#

show logging sendmail
This command displays the settings for the SMTP event handler.
COMMAND MODE
Normal Exec, Privileged Exec
EXAMPLE
Console#show logging sendmail
SMTP Servers
----------------------------------------------
192.
Table 59: Time Commands (Continued)
Command | Function | Mode
NTP Commands
ntp authenticate | Enables authentication for NTP traffic | GC
ntp authentication-key | Configures authentication keys | GC
ntp client | Enables the NTP client for time updates from specified servers | GC
ntp server | Specifies NTP servers to poll for time updates | GC
show ntp | Shows current NTP configuration settings | NE, PE
Manual Configuration Commands
clock summer-time (date) | Configur

EXAMPLE
Console(config)#sntp server 10.1.0.19
Console(config)#sntp poll 60
Console(config)#sntp client
Console(config)#end
Console#show sntp
Current Time: Dec 23 02:52:44 2002
Poll Interval: 60
Current Mode: Unicast
SNTP Status : Enabled
SNTP Server 137.92.140.80 0.0.0.0 0.0.0.0
Current Server: 137.92.140.

sntp server
This command sets the IP address of the servers to which SNTP time requests are issued. Use this command with no arguments to clear all time servers from the current list. Use the no form to clear all time servers from the current list, or to clear a specific server.
SYNTAX
sntp server [ip1 [ip2 [ip3]]]
no sntp server [ip1 [ip2 [ip3]]]
ip - IP address of a time server (NTP or SNTP).

EXAMPLE
Console#show sntp
Current Time : Nov 5 18:51:22 2006
Poll Interval : 16 seconds
Current Mode : Unicast
SNTP Status : Enabled
SNTP Server : 137.92.140.80 0.0.0.0 0.0.0.0
Current Server : 137.92.140.80
Console#

NTP Commands
ntp authenticate
This command enables authentication for NTP client-server communications. Use the no form to disable authentication.
md5 - Specifies that authentication is provided by using the message digest algorithm 5.
key - An MD5 authentication key string. The key string can be up to 32 case-sensitive printable ASCII characters (no spaces).
DEFAULT SETTING
None
COMMAND MODE
Global Configuration
COMMAND USAGE
◆ The key number specifies a key value in the NTP authentication key list. Up to 255 keys can be configured on the switch.

COMMAND USAGE
◆ The SNTP and NTP clients cannot be enabled at the same time. First disable the SNTP client before using this command.
◆ The time acquired from time servers is used to record accurate dates and times for log events. Without NTP, the switch only records the time starting from the factory default set at the last bootup (i.e., 00:00:00, Jan. 1, 2001).

◆ NTP authentication is optional. If enabled with the ntp authenticate command, you must also configure at least one key number using the ntp authentication-key command.
◆ Use the no form of this command without an argument to clear all configured servers in the list.
EXAMPLE
Console(config)#ntp server 192.168.3.20
Console(config)#ntp server 192.168.3.21
Console(config)#ntp server 192.168.5.
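What the keyed-MD5 authentication enabled by ntp authenticate and ntp authentication-key actually checks on the wire, as an added example (not the switch's code). Per RFC 5905 (Appendix A), the authenticator appended to the 48-byte NTP header is a 4-byte key identifier followed by MD5(key || header); a receiver looks the key number up in its key list, recomputes the digest and compares it. The key table contents, the header field values and the function names here are constructed assumptions.

```python
"""Keyed-MD5 NTP authenticator per RFC 5905: MAC = key_id(4) || MD5(key || header).
Added illustration, not the switch's firmware. KEY_TABLE and the header
fields are constructed sample values."""
import hashlib
import hmac
import struct
from typing import Dict, Optional

NTP_HEADER_LEN = 48
MAC_LEN = 4 + 16  # key identifier + MD5 digest

# Constructed key list; key numbers 1-255 and keys of printable ASCII as on the switch.
KEY_TABLE: Dict[int, bytes] = {1: b"s3cr3t-key"}


def ntp_header(transmit_ts: int = 0) -> bytes:
    """Build a 48-byte NTP client header (LI=0, VN=4, Mode=3) with sample fields."""
    first = (0 << 6) | (4 << 3) | 3          # leap indicator, version, mode
    head = struct.pack("!BBBb", first, 0, 6, -20)   # stratum, poll, precision
    head += b"\x00" * 12                      # root delay, root dispersion, reference id
    head += struct.pack("!QQQQ", 0, 0, 0, transmit_ts)  # four 64-bit timestamps
    assert len(head) == NTP_HEADER_LEN
    return head


def authenticate(header: bytes, key_id: int) -> bytes:
    """Append the key identifier and keyed-MD5 digest to a header."""
    if len(header) != NTP_HEADER_LEN:
        raise ValueError("expected a 48-byte NTP header")
    key = KEY_TABLE[key_id]                   # KeyError if the key number is not configured
    digest = hashlib.md5(key + header).digest()
    return header + struct.pack("!I", key_id) + digest


def verify(packet: bytes) -> Optional[int]:
    """Return the key id that authenticates the packet, or None if it fails.

    Rejects packets of the wrong length, unknown key numbers and bad digests;
    the digest comparison is constant-time."""
    if len(packet) != NTP_HEADER_LEN + MAC_LEN:
        return None
    header, trailer = packet[:NTP_HEADER_LEN], packet[NTP_HEADER_LEN:]
    key_id = struct.unpack("!I", trailer[:4])[0]
    key = KEY_TABLE.get(key_id)
    if key is None:
        return None
    expected = hashlib.md5(key + header).digest()
    return key_id if hmac.compare_digest(expected, trailer[4:]) else None


if __name__ == "__main__":
    pkt = authenticate(ntp_header(transmit_ts=0xE1234567_89ABCDEF), key_id=1)
    print("valid ->", verify(pkt))
    tampered = pkt[:47] + bytes([pkt[47] ^ 0x01]) + pkt[48:]   # flip one bit of the timestamp
    print("tampered ->", verify(tampered))
```

The verify path is the part worth internalising: a response that is unauthenticated, carries a key number not in the list, or fails the digest is discarded rather than used to set the clock, which is what protects the log timestamps the usage note above depends on.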
Manual Configuration Commands
clock summer-time (date)
This command sets the start, end, and offset times of summer time (daylight savings time) for the switch on a one-time basis. Use the no form to disable summer time.
SYNTAX
clock summer-time name date b-date b-month b-year b-hour b-minute e-date e-month e-year e-hour e-minute [offset]
no clock summer-time
name - Name of the time zone while summer time is in effect, usually an acronym.

◆ This command sets the summer-time time zone relative to the currently configured time zone. To specify a time corresponding to your local time when summer time is in effect, you must indicate the number of minutes your summer-time time zone deviates from your regular time zone (that is, the offset).
EXAMPLE
The following example sets the 2014 Summer Time ahead by 60 minutes on March 9th and returns to normal time on November 2nd.

Table 60: Predefined Summer-Time Parameters
Region | Start Time, Day, Week, & Month | End Time, Day, Week, & Month | Rel.

e-day - The day of the week summer time will end. (Options: sunday | monday | tuesday | wednesday | thursday | friday | saturday)
e-month - The month when summer time will end. (Options: january | february | march | april | may | june | july | august | september | october | november | december)
e-hour - The hour when summer time will end. (Range: 0-23 hours)
e-minute - The minute when summer time will end.

hours - Number of hours before/after UTC. (Range: 0-12 hours before UTC, 0-13 hours after UTC)
minutes - Number of minutes before/after UTC. (Range: 0-59 minutes)
before-utc - Sets the local time zone before (east) of UTC.
after-utc - Sets the local time zone after (west) of UTC.
Time Range
COMMAND MODE
Privileged Exec
COMMAND USAGE
Note that when SNTP is enabled, the system clock cannot be manually configured.
EXAMPLE
This example shows how to set the system clock to 15:12:34, February 1st, 2011.
Console#calendar set 15:12:34 1 February 2011
Console#

show calendar
This command displays the system clock.

time-range
This command specifies the name of a time range, and enters time range configuration mode. Use the no form to remove a previously specified time range.
SYNTAX
[no] time-range name
name - Name of the time range. (Range: 1-16 characters)
DEFAULT SETTING
None
COMMAND MODE
Global Configuration
COMMAND USAGE
This command sets a time range for use by other functions, such as Access Control Lists.

COMMAND MODE
Time Range Configuration
COMMAND USAGE
◆ If a time range is already configured, you must use the no form of this command to remove the current entry prior to configuring a new time range.
◆ If both an absolute rule and one or more periodic rules are configured for the same time range (i.e., named entry), that entry will only take effect if the current time is within the absolute time range and one of the periodic time ranges.

DEFAULT SETTING
None
COMMAND MODE
Time Range Configuration
COMMAND USAGE
◆ If a time range is already configured, you must use the no form of this command to remove the current entry prior to configuring a new time range.
◆ If both an absolute rule and one or more periodic rules are configured for the same time range (i.e.
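The evaluation rule stated above (an entry with both kinds of rule is in effect only when the current time falls inside the absolute range and inside at least one periodic range) carried through as an added example, not the switch's own implementation. It is useful when reasoning about an ACL bound to a time range: you can feed it the times at which you expect the ACL to apply and confirm the rules produce that. Class names, the treatment of an entry that has only one kind of rule, and the handling of a periodic window that crosses midnight are assumptions.

```python
"""Evaluator for time-range entries made of one optional absolute rule and
any number of periodic rules. Added illustration, not the switch's code."""
from dataclasses import dataclass, field
from datetime import datetime, time
from typing import List, Optional, Set


@dataclass
class AbsoluteRule:
    start: datetime
    end: datetime


@dataclass
class PeriodicRule:
    days: Set[int]     # datetime.weekday() values: Monday=0 ... Sunday=6
    start: time
    end: time

    def covers(self, now: datetime) -> bool:
        t = now.time()
        if self.start <= self.end:
            return now.weekday() in self.days and self.start <= t <= self.end
        # Assumption: a window that wraps past midnight (e.g. 22:00-02:00)
        # belongs to the day it starts on and spills into the next morning.
        if now.weekday() in self.days and t >= self.start:
            return True
        previous_day = (now.weekday() - 1) % 7
        return previous_day in self.days and t <= self.end


@dataclass
class TimeRange:
    name: str
    absolute: Optional[AbsoluteRule] = None
    periodic: List[PeriodicRule] = field(default_factory=list)

    def __post_init__(self) -> None:
        if not 1 <= len(self.name) <= 16:
            raise ValueError("time-range name must be 1-16 characters")

    def in_effect(self, now: datetime) -> bool:
        """Absolute window AND at least one periodic window, when both exist."""
        if self.absolute is not None and not (self.absolute.start <= now <= self.absolute.end):
            return False
        if not self.periodic:
            # Assumption: an entry with only an absolute rule follows that rule;
            # an entry with no rules at all is never in effect.
            return self.absolute is not None
        return any(rule.covers(now) for rule in self.periodic)


WEEKDAYS = {0, 1, 2, 3, 4}


def office_hours_2014() -> TimeRange:
    """Constructed sample: weekdays 08:00-18:00, valid only during 2014."""
    return TimeRange(
        "office-hours",
        absolute=AbsoluteRule(datetime(2014, 1, 1, 0, 0), datetime(2014, 12, 31, 23, 59)),
        periodic=[PeriodicRule(WEEKDAYS, time(8, 0), time(18, 0))],
    )


if __name__ == "__main__":
    tr = office_hours_2014()
    for when in (datetime(2014, 3, 12, 10, 0), datetime(2014, 3, 15, 10, 0), datetime(2015, 3, 11, 10, 0)):
        print(when, "->", tr.in_effect(when))
```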
SWITCH CLUSTERING
Switch Clustering is a method of grouping switches together to enable centralized management through a single unit. Switches that support clustering can be grouped together regardless of physical location or switch type, as long as they are connected to the same local network.

cluster
This command enables clustering on the switch. Use the no form to disable clustering.
SYNTAX
[no] cluster
DEFAULT SETTING
Disabled
COMMAND MODE
Global Configuration
COMMAND USAGE
◆ To create a switch cluster, first be sure that clustering is enabled on the switch (the default is enabled), then set the switch as a Cluster Commander. Set a Cluster IP Pool that does not conflict with any other IP subnets in the network.

COMMAND USAGE
◆ Once a switch has been configured to be a cluster Commander, it automatically discovers other cluster-enabled switches in the network. These "Candidate" switches only become cluster Members when manually selected by the administrator through the management station.
◆ Cluster Member switches can be managed through a Telnet connection to the Commander.

cluster member
This command configures a Candidate switch as a cluster Member. Use the no form to remove a Member switch from the cluster.
SYNTAX
cluster member mac-address mac-address id member-id
no cluster member id member-id
mac-address - The MAC address of the Candidate switch.
member-id - The ID number to assign to the Member switch.
CHAPTER 20 | System Management Commands Switch Clustering
EXAMPLE
Console#rcommand id 1
CLI session with the ES3528MV2 is opened.
To end the CLI session, enter [Exit].
Vty-0#
show cluster
This command shows the switch clustering configuration.
COMMAND MODE
Privileged Exec
EXAMPLE
Console#show cluster
Role                 : commander
Interval Heartbeat   : 30 seconds
Heartbeat Loss Count : 3
Number of Members    : 1
Number of Candidates : 2
Console#
show cluster members
This command shows the current switch cluster members.
CHAPTER 20 | System Management Commands Switch Clustering
show cluster candidates
This command shows the discovered Candidate switches in the network.
21 SNMP COMMANDS SNMP commands control access to this switch from management stations using the Simple Network Management Protocol (SNMP), as well as the error types sent to trap managers. SNMP Version 3 also provides security features that cover message integrity, authentication, and encryption; as well as controlling user access to specific areas of the MIB tree.
CHAPTER 21 | SNMP Commands
Table 63: SNMP Commands (Continued)
Command                        Function                                                   Mode
show snmp view                 Shows the SNMP views                                       PE
Notification Log Commands
nlm                            Enables the specified notification log                     GC
snmp-server notify-filter      Creates a notification log and specifies the target host   GC
show nlm oper-status           Shows operation status of configured notification logs     PE
show snmp notify-filter        Displays the configured notification logs                  PE
ATC Trap Commands
snmp-server enable port-       Sends a trap when broa
CHAPTER 21 | SNMP Commands General SNMP Commands
Table 63: SNMP Commands (Continued)
Command                        Function                                                             Mode
Additional Trap Commands
memory                         Sets the rising and falling threshold for the memory utilization alarm  GC
process cpu                    Sets the rising and falling threshold for the CPU utilization alarm     GC
show memory                    Shows memory utilization parameters                                  PE
show process cpu               Shows CPU utilization parameters                                     PE
GENERAL SNMP COMMANDS
snmp-server
This command enables the SNMPv3 engine and services for all
CHAPTER 21 | SNMP Commands General SNMP Commands
DEFAULT SETTING
◆ public - Read-only access. Authorized management stations are only able to retrieve MIB objects.
◆ private - Read/write access. Authorized management stations are able to both retrieve and modify MIB objects.
COMMAND MODE
Global Configuration
EXAMPLE
Console(config)#snmp-server community alpha rw
Console(config)#
snmp-server contact
This command sets the system contact string. Use the no form to remove the system contact information.
CHAPTER 21 | SNMP Commands General SNMP Commands
DEFAULT SETTING
None
COMMAND MODE
Global Configuration
EXAMPLE
Console(config)#snmp-server location WC-19
Console(config)#
RELATED COMMANDS
snmp-server contact (776)
show snmp
This command can be used to check the status of SNMP communications.
CHAPTER 21 | SNMP Commands SNMP Target Host Commands
 0 SNMP packets output
 0 Too big errors
 0 No such name errors
 0 Bad values errors
 0 General errors
 0 Response PDUs
 0 Trap PDUs
SNMP Logging: Disabled
Console#
SNMP TARGET HOST COMMANDS
snmp-server enable traps
This command enables this device to send Simple Network Management Protocol traps or informs (i.e., SNMP notifications). Use the no form to disable SNMP notifications.
CHAPTER 21 | SNMP Commands SNMP Target Host Commands send notifications, you must configure at least one snmp-server host command. ◆ The authentication, link-up, and link-down traps are legacy notifications, and therefore when used for SNMP Version 3 hosts, they must be enabled in conjunction with the corresponding entries in the Notify View assigned by the snmp-server group command.
CHAPTER 21 | SNMP Commands SNMP Target Host Commands
privacy. See "Simple Network Management Protocol" on page 446 for further information about these authentication and encryption options.
port - Host UDP port to use. (Range: 1-65535; Default: 162)
DEFAULT SETTING
Host Address: None
Notification Type: Traps
SNMP Version: 1
UDP Port: 162
COMMAND MODE
Global Configuration
COMMAND USAGE
◆ If you do not enter an snmp-server host command, no notifications are sent.
CHAPTER 21 | SNMP Commands SNMP Target Host Commands
To send an inform to an SNMPv3 host, complete these steps:
1. Enable the SNMP agent (page 775).
2. Create a local SNMPv3 user to use in the message exchange process (page 785).
3. Create a view with the required notification messages (page 786).
4. Create a group that includes the required notify view (page 784).
5. Allow the switch to send SNMP traps; i.e., notifications (page 778).
6.
CHAPTER 21 | SNMP Commands SNMPv3 Commands
EXAMPLE
Console(config)#interface ethernet 1/1
Console(config-if)#snmp-server enable port-traps mac-notification
Console(config-if)#
show snmp-server enable port-traps
This command shows if SNMP traps are enabled or disabled for the specified interfaces.
SYNTAX
show snmp-server enable port-traps interface [interface]
interface
ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number.
CHAPTER 21 | SNMP Commands SNMPv3 Commands DEFAULT SETTING A unique engine ID is automatically generated by the switch based on its MAC address. COMMAND MODE Global Configuration COMMAND USAGE ◆ An SNMP engine is an independent SNMP agent that resides either on this switch or on a remote device. This engine protects against message replay, delay, and redirection. The engine ID is also used in combination with user passwords to generate the security keys for authenticating and encrypting SNMPv3 packets.
CHAPTER 21 | SNMP Commands SNMPv3 Commands
snmp-server group
This command adds an SNMP group, mapping SNMP users to SNMP views. Use the no form to remove an SNMP group.
SYNTAX
snmp-server group groupname {v1 | v2c | v3 {auth | noauth | priv}} [read readview] [write writeview] [notify notifyview]
no snmp-server group groupname
groupname - Name of an SNMP group. (Range: 1-32 characters)
v1 | v2c | v3 - Use SNMP version 1, 2c or 3.
CHAPTER 21 | SNMP Commands SNMPv3 Commands
EXAMPLE
Console(config)#snmp-server group r&d v3 auth write daily
Console(config)#
snmp-server user
This command adds a user to an SNMP group, restricting the user to a specific SNMP Read, Write, or Notify View. Use the no form to remove a user from an SNMP group.
CHAPTER 21 | SNMP Commands SNMPv3 Commands ◆ Remote users (i.e., the command specifies a remote engine identifier) must be configured to identify the source of SNMPv3 inform messages sent from the local switch. ◆ The SNMP engine ID is used to compute the authentication/privacy digests from the password. You should therefore configure the engine ID with the snmp-server engine-id command before using this configuration command.
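The key derivation the two bullets above refer to is the RFC 3414 password-to-key procedure: the password is stretched and hashed to Ku, and Ku is then bound to one snmpEngineID to give the localized key Kul that actually authenticates and encrypts packets. The script below is an added example, not code from the guide or the switch; it implements that derivation with Python's hashlib, and the enterprise number passed to engine_id_from_mac is a placeholder, not the switch's real value.

```python
import hashlib

# Added example, not from the guide: RFC 3414 password-to-key derivation,
# the mechanism behind the statement that the engine ID is combined with
# the user password to produce the SNMPv3 authentication/privacy keys.


def password_to_ku(password: str, algo: str = "md5") -> bytes:
    """RFC 3414 A.2: repeat the password to fill 1 MiB, then hash it (Ku)."""
    pw = password.encode()
    expanded = (pw * (1_048_576 // len(pw) + 1))[:1_048_576]
    return hashlib.new(algo, expanded).digest()


def localize_key(ku: bytes, engine_id: bytes, algo: str = "md5") -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku): binds the key to one engine."""
    return hashlib.new(algo, ku + engine_id + ku).digest()


def derive_keys(password: str, engine_id_hex: str, algo: str = "md5"):
    """Return (Ku, Kul) as hex strings for the given password and engine ID."""
    ku = password_to_ku(password, algo)
    kul = localize_key(ku, bytes.fromhex(engine_id_hex), algo)
    return ku.hex(), kul.hex()


def engine_id_from_mac(enterprise: int, mac: str) -> str:
    """RFC 3411 SnmpEngineID in MAC-address format: high bit set on a 4-byte
    enterprise field, format byte 0x03, then the 6-byte MAC (hex string out).
    The enterprise number is a placeholder here, not the switch's real value."""
    head = ((1 << 31) | enterprise).to_bytes(4, "big")
    return (head + b"\x03" + bytes.fromhex(mac.replace(":", ""))).hex()


def key_changes_with_engine_id(password: str, old_engine: str, new_engine: str) -> bool:
    """Why snmp-server engine-id must precede snmp-server user: the same
    password gives a different Kul under a different engine ID, so a user
    created against the old ID stops authenticating once the ID changes."""
    return derive_keys(password, old_engine)[1] != derive_keys(password, new_engine)[1]
```

The first test values are the RFC 3414 Appendix A.3 vectors (password "maplesyrup", engine ID 00…02), so the output can be checked against the RFC itself.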
CHAPTER 21 | SNMP Commands SNMPv3 Commands
COMMAND USAGE
◆ Views are used in the snmp-server group command to restrict user access to specified portions of the MIB tree.
◆ The predefined view “defaultview” includes access to the entire MIB tree.
EXAMPLES
This view includes MIB-2.
Console(config)#snmp-server view mib-2 1.3.6.1.2.1 included
Console(config)#
This view includes the MIB-2 interfaces table, ifDescr. The wild card is used to select all the index values in this table.
CHAPTER 21 | SNMP Commands SNMPv3 Commands
Table 64: show snmp engine-id - display description (Continued)
Field                 Description
Remote SNMP engineID  String identifying an engine ID on a remote device.
IP address            IP address of the device containing the corresponding remote SNMP engine.
show snmp group
Four default groups are provided – SNMPv1 read-only access and read/write access, and SNMPv2c read-only access and read/write access.
CHAPTER 21 | SNMP Commands SNMPv3 Commands
Table 65: show snmp group - display description
Field           Description
groupname       Name of an SNMP group.
security model  The SNMP version.
readview        The associated read view.
writeview       The associated write view.
notifyview      The associated notify view.
storage-type    The storage type for this entry.
Row Status      The row status of this entry.
show snmp user
This command shows information on SNMP users.
CHAPTER 21 | SNMP Commands Notification Log Commands
show snmp view
This command shows information on the SNMP views.
COMMAND MODE
Privileged Exec
EXAMPLE
Console#show snmp view
View Name: mib-2
 Subtree OID: 1.2.2.3.6.2.1
 View Type: included
 Storage Type: permanent
 Row Status: active

View Name: defaultview
 Subtree OID: 1
 View Type: included
 Storage Type: volatile
 Row Status: active
Console#
Table 67: show snmp view - display description
Field      Description
View Name  Name of an SNMP view.
CHAPTER 21 | SNMP Commands Notification Log Commands
◆ Disabling logging with this command does not delete the entries stored in the notification log.
EXAMPLE
This example enables the notification log A1.
Console(config)#nlm A1
Console(config)#
snmp-server notify-filter
This command creates an SNMP notification log. Use the no form to remove this log.
SYNTAX
[no] snmp-server notify-filter profile-name remote ip-address
profile-name - Notification log profile name.
CHAPTER 21 | SNMP Commands Notification Log Commands ◆ To avoid this problem, notification logging should be configured and enabled using the snmp-server notify-filter command and nlm command, and these commands stored in the startup configuration file. Then when the switch reboots, SNMP traps (such as warm start) can now be logged. ◆ When this command is executed, a notification log is created (with the default parameters defined in RFC 3014).
CHAPTER 21 | SNMP Commands Additional Trap Commands
show snmp notify-filter
This command displays the configured notification logs.
COMMAND MODE
Privileged Exec
EXAMPLE
This example displays the configured notification logs and associated target hosts.
Console#show snmp notify-filter
Filter profile name          IP address
---------------------------- ---------------
A1                           10.1.19.23
Console#
ADDITIONAL TRAP COMMANDS
memory
This command sets an SNMP trap based on configured thresholds for memory utilization.
CHAPTER 21 | SNMP Commands Additional Trap Commands
process cpu
This command sets an SNMP trap based on configured thresholds for CPU utilization. Use the no form to restore the default setting.
SYNTAX
process cpu {rising rising-threshold | falling falling-threshold}
no process cpu {rising | falling}
rising-threshold - Rising threshold for CPU utilization alarm expressed in percentage. (Range: 1-100)
falling-threshold - Falling threshold for CPU utilization alarm expressed in percentage.
22 REMOTE MONITORING COMMANDS Remote Monitoring allows a remote device to collect information or respond to specified events on an independent basis. This switch is an RMON-capable device which can independently perform a wide range of tasks, significantly reducing network management traffic. It can continuously run diagnostics and log information on network performance.
CHAPTER 22 | Remote Monitoring Commands
rmon alarm
This command sets threshold bounds for a monitored variable. Use the no form to remove an alarm.
SYNTAX
rmon alarm index variable interval {absolute | delta} rising-threshold threshold [event-index] falling-threshold threshold [event-index] [owner name]
no rmon alarm index
index – Index to this entry. (Range: 1-65535)
variable – The object identifier of the MIB variable to be sampled. Only variables of the type etherStatsEntry.n.n may be sampled.
CHAPTER 22 | Remote Monitoring Commands
◆ If the current value is less than or equal to the falling threshold, and the last sample value was greater than this threshold, then an alarm will be generated. After a falling event has been generated, another such event will not be generated until the sampled value has risen above the falling threshold, reaches the rising threshold, and again moves back down to the falling threshold.
EXAMPLE
Console(config)#rmon alarm 1 1.3.6.1.2.1.16.1.1.1.6.
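The hysteresis rule in the bullet above (and the same rising/falling pair used by the process cpu and memory threshold traps) is easiest to see as a small state machine replayed over polled samples. The class below is an added example written for this section, not code from the guide; it models one rmon alarm entry in either absolute or delta mode and reports at most one event per crossing.

```python
# Added example, not from the guide: the rising/falling hysteresis that the
# rmon alarm command (and the process cpu / memory threshold traps) describe,
# as a state machine that can be replayed over a series of polled samples.


class RmonAlarm:
    """One RMON alarm entry with absolute or delta sampling and two thresholds.

    An event fires once per crossing. After a rising event the alarm is only
    re-armed for rising once the value has dropped to the falling threshold,
    and after a falling event only re-armed for falling once the value has
    reached the rising threshold again, so a value oscillating around one
    threshold cannot flood the event log or the trap manager.
    """

    def __init__(self, rising: int, falling: int, sample_type: str = "absolute"):
        if falling >= rising:
            raise ValueError("falling threshold must be below rising threshold")
        if sample_type not in ("absolute", "delta"):
            raise ValueError("sample_type must be 'absolute' or 'delta'")
        self.rising, self.falling, self.sample_type = rising, falling, sample_type
        self.last_raw = None          # previous counter value (delta mode only)
        self.rising_armed = True      # startup: either direction may fire first
        self.falling_armed = True

    def sample(self, raw: int):
        """Feed one polled value; return 'rising', 'falling' or None."""
        if self.sample_type == "delta":
            if self.last_raw is None:  # a delta needs a baseline first
                self.last_raw = raw
                return None
            value, self.last_raw = raw - self.last_raw, raw
        else:
            value = raw
        if value >= self.rising and self.rising_armed:
            self.rising_armed, self.falling_armed = False, True
            return "rising"
        if value <= self.falling and self.falling_armed:
            self.falling_armed, self.rising_armed = False, True
            return "falling"
        return None


def replay(alarm: RmonAlarm, samples):
    """Run a whole sample series; return the event (or None) for each sample."""
    return [alarm.sample(s) for s in samples]


if __name__ == "__main__":
    # Constructed sample series: a gauge polled eight times (absolute mode).
    gauge = RmonAlarm(rising=100, falling=20)
    print(replay(gauge, [50, 120, 130, 90, 20, 15, 110]))
    # Constructed counter series (delta mode): only the per-interval
    # increase is compared with the thresholds.
    counter = RmonAlarm(rising=100, falling=30, sample_type="delta")
    print(replay(counter, [0, 50, 200, 210, 220]))
```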
CHAPTER 22 | Remote Monitoring Commands
◆ The specified events determine the action to take when an alarm triggers this event. The response to an alarm can include logging the alarm or sending a message to a trap manager.
EXAMPLE
Console(config)#rmon event 2 log description urgent owner mike
Console(config)#
rmon collection history
This command periodically samples statistics on a physical interface. Use the no form to disable periodic sampling.
CHAPTER 22 | Remote Monitoring Commands
show running-config command will display a message indicating that this index is not available for the port to which it is normally assigned. For example, if control entry 15 is assigned to port 5 as shown below, the show running-config command will indicate that this entry is not available for port 8.
CHAPTER 22 | Remote Monitoring Commands
EXAMPLE
Console(config)#interface ethernet 1/1
Console(config-if)#rmon collection rmon1 controlEntry 1 owner mike
Console(config-if)#
show rmon alarms
This command shows the settings for all configured alarms.
COMMAND MODE
Privileged Exec
EXAMPLE
Console#show rmon alarms
Alarm 1 is valid, owned by
 Monitors 1.3.6.1.2.1.16.1.1.1.6.
CHAPTER 22 | Remote Monitoring Commands
 0 undersized and 0 oversized packets,
 0 fragments and 0 jabbers packets,
 0 CRC alignment errors and 0 collisions.
 # of dropped packet events is 0
 Network utilization is estimated at 0
 . . .
show rmon statistics
This command shows the information collected for all configured entries in the statistics group.
COMMAND MODE
Privileged Exec
EXAMPLE
Console#show rmon statistics
Interface 1 is valid, and owned by
 Monitors 1.3.6.1.2.1.2.2.1.1.
23 FLOW SAMPLING COMMANDS Flow sampling (sFlow) can be used with a remote sFlow Collector to provide an accurate, detailed and real-time overview of the types and levels of traffic present on the network. The sFlow Agent samples 1 out of n packets from all data traversing the switch, re-encapsulates the samples as sFlow datagrams and transmits them to the sFlow Collector.
CHAPTER 23 | Flow Sampling Commands timeout-value - The length of time the sFlow interface is available to send samples to a receiver, after which the owner and associated polling and sampling data source instances are removed from the configuration. (Range: 30-10000000 seconds) ipv4-address - IPv4 address of the sFlow collector. Valid IPv4 addresses consist of four decimal numbers, 0 to 255, separated by periods. ipv6-address - IPv6 address of the sFlow collector.
CHAPTER 23 | Flow Sampling Commands
This example shows how to modify the sFlow port number for an already configured collector.
Console(config)#sflow owner stat_server1 timeout 100 port 35100
Console(config)#
sflow polling instance
This command enables an sFlow polling data source, for a specified interface, that polls periodically based on a specified time interval. Use the no form to remove the polling data source instance from the switch’s sFlow configuration.
CHAPTER 23 | Flow Sampling Commands
sflow sampling instance
This command enables an sFlow data source instance for a specific interface that takes samples periodically based on the number of packets processed. Use the no form to remove the sampling data source instance from the switch’s sFlow configuration.
CHAPTER 23 | Flow Sampling Commands
show sflow
This command shows the global and interface settings for the sFlow process.
SYNTAX
show sflow [owner owner-name | interface interface]
owner-name - The associated receiver, to which the samples are sent. (Range: 1-30 alphanumeric characters)
interface
ethernet unit/port
unit - Stack unit. (Range: 1)
port - Port number.
24 AUTHENTICATION COMMANDS You can configure this switch to authenticate users logging into the system for management access using local or remote authentication methods. Port-based authentication using IEEE 802.1X can also be configured to control either management access to the uplink ports or client access to the data ports.
CHAPTER 24 | Authentication Commands User Accounts and Privilege Levels USER ACCOUNTS AND PRIVILEGE LEVELS The basic commands required for management access and assigning command privilege levels are listed in this section. This switch also includes other options for password checking via the console or a Telnet connection (page 728), user authentication via a remote authentication server (page 809), and host access authentication for specific ports (page 848).
CHAPTER 24 | Authentication Commands User Accounts and Privilege Levels ◆ The encrypted password is required for compatibility with legacy password settings (i.e., plain text or encrypted) when reading the configuration file during system bootup or when downloading the configuration file from a TFTP server. There is no need for you to manually configure encrypted passwords.
CHAPTER 24 | Authentication Commands User Accounts and Privilege Levels
COMMAND USAGE
The encrypted password is required for compatibility with legacy password settings (i.e., plain text or encrypted) when reading the configuration file during system bootup or when downloading the configuration file from an FTP/TFTP server. There is no need for you to manually configure encrypted passwords.
EXAMPLE
This example shows how to set the access level and password for a user.
CHAPTER 24 | Authentication Commands Authentication Sequence
EXAMPLE
This example sets the privilege level for the ping command to Privileged Exec.
Console(config)#privilege exec level 15 ping
Console(config)#
show privilege
This command shows the privilege level for the current user, or the privilege level for commands modified by the privilege command.
SYNTAX
show privilege [command]
command - Displays the privilege level for all commands modified by the privilege command.
CHAPTER 24 | Authentication Commands Authentication Sequence
authentication enable
This command defines the authentication method and precedence to use when changing from Exec command mode to Privileged Exec command mode with the enable command. Use the no form to restore the default.
SYNTAX
authentication enable {[local] [radius] [tacacs]}
no authentication enable
local - Use local password only.
radius - Use RADIUS server password only.
tacacs - Use TACACS server password.
CHAPTER 24 | Authentication Commands Authentication Sequence
authentication login
This command defines the login authentication method and precedence. Use the no form to restore the default.
SYNTAX
authentication login {[local] [radius] [tacacs]}
no authentication login
local - Use local password.
radius - Use RADIUS server password.
tacacs - Use TACACS server password.
DEFAULT SETTING
Local
COMMAND MODE
Global Configuration
COMMAND USAGE
◆ RADIUS uses UDP while TACACS+ uses TCP.
CHAPTER 24 | Authentication Commands RADIUS Client RADIUS CLIENT Remote Authentication Dial-in User Service (RADIUS) is a logon authentication protocol that uses software running on a central server to control access to RADIUS-aware devices on the network. An authentication server contains a database of multiple user name/password pairs with associated privilege levels for each user or group that require management access to a switch.
CHAPTER 24 | Authentication Commands RADIUS Client
radius-server auth-port
This command sets the RADIUS server network port. Use the no form to restore the default.
SYNTAX
radius-server auth-port port-number
no radius-server auth-port
port-number - RADIUS server UDP port used for authentication messages.
CHAPTER 24 | Authentication Commands RADIUS Client
DEFAULT SETTING
auth-port - 1812
acct-port - 1813
timeout - 5 seconds
retransmit - 2
COMMAND MODE
Global Configuration
EXAMPLE
Console(config)#radius-server 1 host 192.168.1.20 port 181 timeout 10 retransmit 5 key green
Console(config)#
radius-server key
This command sets the RADIUS encryption key. Use the no form to restore the default.
CHAPTER 24 | Authentication Commands RADIUS Client
DEFAULT SETTING
2
COMMAND MODE
Global Configuration
EXAMPLE
Console(config)#radius-server retransmit 5
Console(config)#
radius-server timeout
This command sets the interval between transmitting authentication requests to the RADIUS server. Use the no form to restore the default.
SYNTAX
radius-server timeout number-of-seconds
no radius-server timeout
number-of-seconds - Number of seconds the switch waits for a reply before resending a request.
CHAPTER 24 | Authentication Commands TACACS+ Client
Retransmit Times : 2
Request Timeout  : 5
Server 1:
 Server IP Address          : 192.168.1.
 Authentication Port Number :
 Accounting Port Number     :
 Retransmit Times           :
 Request Timeout            :
CHAPTER 24 | Authentication Commands TACACS+ Client key - Encryption key used to authenticate logon access for the client. Do not use blank spaces in the string. (Maximum length: 48 characters) port-number - TACACS+ server TCP port used for authentication messages. (Range: 1-65535) retransmit - Number of times the switch will try to authenticate logon access via the TACACS+ server. (Range: 1-30) timeout - Number of seconds the switch waits for a reply before resending a request.
CHAPTER 24 | Authentication Commands TACACS+ Client
tacacs-server port
This command specifies the TACACS+ server network port. Use the no form to restore the default.
SYNTAX
tacacs-server port port-number
no tacacs-server port
port-number - TACACS+ server TCP port used for authentication messages. (Range: 1-65535)
DEFAULT SETTING
49
COMMAND MODE
Global Configuration
EXAMPLE
Console(config)#tacacs-server port 181
Console(config)#
tacacs-server retransmit
This command sets the number of retries.
CHAPTER 24 | Authentication Commands TACACS+ Client
tacacs-server timeout
This command sets the interval between transmitting authentication requests to the TACACS+ server. Use the no form to restore the default.
SYNTAX
tacacs-server timeout number-of-seconds
no tacacs-server timeout
number-of-seconds - Number of seconds the switch waits for a reply before resending a request.
CHAPTER 24 | Authentication Commands AAA
AAA
The Authentication, Authorization, and Accounting (AAA) feature provides the main framework for configuring access control on the switch. The AAA functions require the use of configured RADIUS or TACACS+ servers in the network.
Table 76: AAA Commands
Command                  Function                                  Mode
aaa accounting commands  Enables accounting of Exec mode commands  GC
aaa accounting dot1x     Enables accounting of 802.
CHAPTER 24 | Authentication Commands AAA
group - Specifies the server group to use.
tacacs+ - Specifies all TACACS+ hosts configured with the tacacs-server host command.
server-group - Specifies the name of a server group configured with the aaa group server command. (Range: 1-64 characters)
DEFAULT SETTING
Accounting is not enabled
No servers are specified
COMMAND MODE
Global Configuration
COMMAND USAGE
◆ The accounting of Exec mode commands is only supported by TACACS+ servers.
CHAPTER 24 | Authentication Commands AAA
group - Specifies the server group to use.
radius - Specifies all RADIUS hosts configured with the radius-server host command.
tacacs+ - Specifies all TACACS+ hosts configured with the tacacs-server host command.
server-group - Specifies the name of a server group configured with the aaa group server command.
CHAPTER 24 | Authentication Commands AAA
◆ Using the command without specifying an interim interval enables updates, but does not change the current interval setting.
EXAMPLE
Console(config)#aaa accounting update periodic 30
Console(config)#
aaa authorization exec
This command enables the authorization for Exec access. Use the no form to disable the authorization service.
CHAPTER 24 | Authentication Commands AAA aaa group server Use this command to name a group of security server hosts. To remove a server group from the configuration list, enter the no form of this command. SYNTAX [no] aaa group server {radius | tacacs+} group-name radius - Defines a RADIUS server group. tacacs+ - Defines a TACACS+ server group. group-name - A text string that names a security server group.
CHAPTER 24 | Authentication Commands AAA
EXAMPLE
Console(config)#aaa group server radius tps
Console(config-sg-radius)#server 10.2.68.120
Console(config-sg-radius)#
accounting dot1x
This command applies an accounting method for 802.1X service requests on an interface. Use the no form to disable accounting on the interface.
SYNTAX
accounting dot1x {default | list-name}
no accounting dot1x
default - Specifies the default method list created with the aaa accounting dot1x command.
CHAPTER 24 | Authentication Commands AAA
COMMAND MODE
Line Configuration
EXAMPLE
Console(config)#line console
Console(config-line)#accounting commands 15 default
Console(config-line)#
accounting exec
This command applies an accounting method to local console, Telnet or SSH connections. Use the no form to disable accounting on the line.
SYNTAX
accounting exec {default | list-name}
no accounting exec
default - Specifies the default method list created with the aaa accounting exec command.
CHAPTER 24 | Authentication Commands AAA
DEFAULT SETTING
None
COMMAND MODE
Line Configuration
EXAMPLE
Console(config)#line console
Console(config-line)#authorization exec tps
Console(config-line)#exit
Console(config)#line vty
Console(config-line)#authorization exec default
Console(config-line)#
show accounting
This command displays the current accounting settings per function and per port.
CHAPTER 24 | Authentication Commands Web Server
 Interface       : Eth 1/1
 Method List     : tps
 Group List      : radius
 Interface       : Eth 1/2
 Accounting Type : EXEC
 Method List     : default
 Group List      : tacacs+
 Interface       : vty
Console#
WEB SERVER
This section describes commands used to configure web browser management access to the switch.
CHAPTER 24 | Authentication Commands Web Server
RELATED COMMANDS
ip http server (834)
show system (713)
ip http server
This command allows this device to be monitored or configured from a browser. Use the no form to disable this function.
CHAPTER 24 | Authentication Commands Web Server
EXAMPLE
Console(config)#ip http secure-port 1000
Console(config)#
RELATED COMMANDS
ip http secure-server (835)
show system (713)
ip http secure-server
This command enables the secure hypertext transfer protocol (HTTPS) over the Secure Socket Layer (SSL), providing secure access (i.e., an encrypted connection) to the switch’s web interface. Use the no form to disable this function.
CHAPTER 24 | Authentication Commands Telnet Server The following web browsers and operating systems currently support HTTPS: Table 78: HTTPS System Support ◆ Web Browser Operating System Internet Explorer 6.
CHAPTER 24 | Authentication Commands Telnet Server
ip telnet max-sessions
This command specifies the maximum number of Telnet sessions that can simultaneously connect to this system. Use the no form to restore the default setting.
SYNTAX
ip telnet max-sessions session-count
no ip telnet max-sessions
session-count - The maximum number of allowed Telnet sessions.
CHAPTER 24 | Authentication Commands Secure Shell
ip telnet server
This command allows this device to be monitored or configured from Telnet. Use the no form to disable this function.
SYNTAX
[no] ip telnet server
DEFAULT SETTING
Enabled
COMMAND MODE
Global Configuration
EXAMPLE
Console(config)#ip telnet server
Console(config)#
show ip telnet
This command displays the configuration settings for the Telnet server.
CHAPTER 24 | Authentication Commands Secure Shell
Table 80: Secure Shell Commands (Continued)
Command                          Function                                                       Mode
ip ssh timeout                   Specifies the authentication timeout for the SSH server        GC
copy tftp public-key             Copies the user’s public key from a TFTP server to the switch  PE
delete public-key                Deletes the public key for the specified user                  PE
disconnect                       Terminates a line connection                                   PE
ip ssh crypto host-key generate  Generates the host key                                         PE
ip ssh crypto zeroize            Clear the host key from RA
CHAPTER 24 | Authentication Commands Secure Shell
3. Import Client’s Public Key to the Switch – Use the copy tftp public-key command to copy a file containing the public key for all the SSH clients granted management access to the switch. (Note that these clients must be configured locally on the switch with the username command.) The clients are subsequently authenticated using these keys.
CHAPTER 24 | Authentication Commands Secure Shell c. If a match is found, the switch uses its secret key to generate a random 256-bit string as a challenge, encrypts this string with the user’s public key, and sends it to the client. d. The client uses its private key to decrypt the challenge string, computes the MD5 checksum, and sends the checksum back to the switch. e. The switch compares the checksum sent from the client against that computed for the original string it sent.
CHAPTER 24 | Authentication Commands Secure Shell
EXAMPLE
Console(config)#ip ssh authentication-retries 2
Console(config)#
RELATED COMMANDS
show ip ssh (846)
ip ssh server
This command enables the Secure Shell (SSH) server on this switch. Use the no form to disable this service.
SYNTAX
[no] ip ssh server
DEFAULT SETTING
Disabled
COMMAND MODE
Global Configuration
COMMAND USAGE
◆ The SSH server supports up to four client sessions.
CHAPTER 24 | Authentication Commands Secure Shell
ip ssh server-key size
This command sets the SSH server key size. Use the no form to restore the default setting.
SYNTAX
ip ssh server-key size key-size
no ip ssh server-key size
key-size – The size of server key. (Range: 512-896 bits)
DEFAULT SETTING
768 bits
COMMAND MODE
Global Configuration
COMMAND USAGE
The server key is a private key that is never shared outside the switch. The host key is shared with the SSH client, and is fixed at 1024 bits.
CHAPTER 24 | Authentication Commands Secure Shell
EXAMPLE
Console(config)#ip ssh timeout 60
Console(config)#
RELATED COMMANDS
exec-timeout (730)
show ip ssh (846)
delete public-key
This command deletes the specified user’s public key.
SYNTAX
delete public-key username [dsa | rsa]
username – Name of an SSH user. (Range: 1-8 characters)
dsa – DSA public key type.
rsa – RSA public key type.
DEFAULT SETTING
Deletes both the DSA and RSA key.
CHAPTER 24 | Authentication Commands Secure Shell ◆ This command stores the host key pair in memory (i.e., RAM). Use the ip ssh save host-key command to save the host key pair to flash memory. ◆ Some SSH client programs automatically add the public key to the known hosts file as part of the configuration process. Otherwise, you must manually create a known hosts file and place the host public key in it.
CHAPTER 24 | Authentication Commands Secure Shell
RELATED COMMANDS
ip ssh crypto host-key generate (844)
ip ssh save host-key (846)
no ip ssh server (842)
ip ssh save host-key
This command saves the host key from RAM to flash memory.
SYNTAX
ip ssh save host-key
DEFAULT SETTING
Saves both the DSA and RSA key.
CHAPTER 24 | Authentication Commands Secure Shell COMMAND MODE Privileged Exec COMMAND USAGE ◆ If no parameters are entered, all keys are displayed. If the user keyword is entered, but no user name is specified, then the public keys for all users are displayed. ◆ When an RSA key is displayed, the first field indicates the size of the host key (e.g., 1024), the second field is the encoded public exponent (e.g., 35), and the last string is the encoded modulus.
CHAPTER 24 | Authentication Commands 802.1X Port Authentication
Table 81: show ssh - display description
Field     Description
Session   The session number. (Range: 0-3)
Version   The Secure Shell version number.
State     The authentication negotiation state. (Values: Negotiation-Started, Authentication-Started, Session-Started)
Username  The user name of the client.
802.1X PORT AUTHENTICATION
The switch supports IEEE 802.
CHAPTER 24 | Authentication Commands 802.1X Port Authentication Table 82: 802.
other switches on to the authentication servers, thereby allowing the authentication process to still be carried out by switches located on the edge of the network.
◆ When this device is functioning as an edge switch but does not require any attached clients to be authenticated, the no dot1x eapol-passthrough command can be used to discard unnecessary EAPOL traffic.

DEFAULT
block-traffic

COMMAND MODE
Interface Configuration

COMMAND USAGE
For guest VLAN assignment to be successful, the VLAN must be configured and set as active (see the vlan database command) and assigned as the guest VLAN for the port (see the network-access guest-vlan command).
DEFAULT
2

COMMAND MODE
Interface Configuration

EXAMPLE
Console(config)#interface eth 1/2
Console(config-if)#dot1x max-req 2
Console(config-if)#

dot1x operation-mode
This command allows hosts (clients) to connect to an 802.1X-authorized port. Use the no form with no keywords to restore the default to single host. Use the no form with the multi-host max-count keywords to restore the default maximum count.

EXAMPLE
Console(config)#interface eth 1/2
Console(config-if)#dot1x operation-mode multi-host max-count 10
Console(config-if)#

dot1x port-control
This command sets the dot1x mode on a port interface. Use the no form to restore the default.

SYNTAX
dot1x port-control {auto | force-authorized | force-unauthorized}
no dot1x port-control
auto – Requires a dot1x-aware connected client to be authorized by the RADIUS server.
transparently by the dot1x client software. Only if re-authentication fails is the port blocked.
◆ The connected client is re-authenticated after the interval specified by the dot1x timeout re-authperiod command. The default is 3600 seconds.

DEFAULT
3600 seconds

COMMAND MODE
Interface Configuration

EXAMPLE
Console(config)#interface eth 1/2
Console(config-if)#dot1x timeout re-authperiod 300
Console(config-if)#

dot1x timeout supp-timeout
This command sets the time that an interface on the switch waits for a response to an EAP request from a client before re-transmitting an EAP packet. Use the no form to reset to the default value.

dot1x timeout tx-period
This command sets the time that an interface on the switch waits during an authentication session before re-transmitting an EAP packet. Use the no form to reset to the default value.

SYNTAX
dot1x timeout tx-period seconds
no dot1x timeout tx-period
seconds - The number of seconds.
Supplicant Commands

dot1x identity profile
This command sets the dot1x supplicant user name and password. Use the no form to delete the identity settings.

SYNTAX
dot1x identity profile {username username | password password}
no dot1x identity profile {username | password}
username - Specifies the supplicant user name. (Range: 1-8 characters)
password - Specifies the supplicant password.

COMMAND MODE
Interface Configuration

EXAMPLE
Console(config)#interface eth 1/2
Console(config-if)#dot1x max-start 10
Console(config-if)#

dot1x pae supplicant
This command enables dot1x supplicant mode on a port. Use the no form to disable dot1x supplicant mode on a port.

dot1x timeout auth-period
This command sets the time that a supplicant port waits for a response from the authenticator. Use the no form to restore the default setting.

SYNTAX
dot1x timeout auth-period seconds
no dot1x timeout auth-period
seconds - The number of seconds.

dot1x timeout start-period
This command sets the time that a supplicant port waits before resending an EAPOL start frame to the authenticator. Use the no form to restore the default setting.

SYNTAX
dot1x timeout start-period seconds
no dot1x timeout start-period
seconds - The number of seconds.
◆ Supplicant Parameters – Shows the supplicant user name used when the switch responds to an MD5 challenge from an authenticator (page 857).
◆ 802.1X Port Summary – Displays the port access control parameters for each interface that has enabled 802.1X, including the following items:
◆ 802.

■ Request Count – Number of EAP Request packets sent to the Supplicant without receiving a response.
■ Identifier (Server) – Identifier carried in the most recent EAP Success, Failure or Request packet received from the Authentication Server.
■ Reauthentication State Machine State – Current state (including initialize, reauthenticate).

EXAMPLE
Console#show dot1x
Global 802.
CHAPTER 24 | Authentication Commands
Management IP Filter

Identifier(Server)                  : 2
Reauthentication State Machine State : Initialize
Console#

MANAGEMENT IP FILTER
This section describes commands used to configure IP management access to the switch.

◆ IP addresses can be configured for SNMP, web, and Telnet access respectively. Each of these groups can include up to five different sets of addresses, either individual addresses or address ranges.
◆ When entering addresses for the same group (i.e., SNMP, web, or Telnet), the switch will not accept overlapping address ranges. When entering addresses for different groups, the switch will accept overlapping address ranges.
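The acceptance rules above (five sets per group, no overlap inside a group, overlap allowed across groups) modelled as a small checker; this is an added example, not part of the guide or Edgecore's code, and it assumes that a group with no entries permits every address.

```python
"""Model of the management IP filter acceptance rules (constructed example)."""
from ipaddress import IPv4Address

GROUPS = ("snmp", "web", "telnet")
MAX_SETS_PER_GROUP = 5


class ManagementIpFilter:
    """Per-group address sets, each set a single address or inclusive range."""

    def __init__(self):
        self._sets = {group: [] for group in GROUPS}

    @staticmethod
    def _overlaps(a, b):
        # Two inclusive ranges overlap unless one ends before the other starts.
        return not (a[1] < b[0] or b[1] < a[0])

    def add(self, group, start, end=None):
        """Add an address (end omitted) or range to a group.
        Returns True if accepted, False if the switch would reject it."""
        if group not in self._sets:
            raise ValueError(f"unknown management group {group!r}")
        lo = IPv4Address(start)
        hi = IPv4Address(end) if end is not None else lo
        if hi < lo:
            raise ValueError("end address precedes start address")
        sets = self._sets[group]
        if len(sets) >= MAX_SETS_PER_GROUP:
            return False  # the group already holds its five sets
        if any(self._overlaps((lo, hi), existing) for existing in sets):
            return False  # overlap within the same group is rejected
        sets.append((lo, hi))  # overlap with another group is fine
        return True

    def permits(self, group, address):
        """True if a client at 'address' may use this management service.
        Assumption: an empty group does not restrict access."""
        sets = self._sets[group]
        if not sets:
            return True
        addr = IPv4Address(address)
        return any(lo <= addr <= hi for lo, hi in sets)

    def show(self, group):
        """Render the group's entries in the style of the show output above."""
        lines = [f"{group.upper()}-Client:", "Start IP address End IP address"]
        for idx, (lo, hi) in enumerate(self._sets[group], start=1):
            lines.append(f"{idx}. {lo} {hi}")
        return "\n".join(lines)
```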
CHAPTER 24 | Authentication Commands
PPPoE Intermediate Agent

TELNET-Client:
Start IP address   End IP address
-----------------------------------------------
1. 192.168.1.19    192.168.1.19
2. 192.168.1.25    192.168.1.30
Console#

PPPOE INTERMEDIATE AGENT
This section describes commands used to configure the PPPoE Intermediate Agent (PPPoE IA) relay parameters required for passing authentication messages between a client and broadband remote access servers.

COMMAND MODE
Global Configuration

COMMAND USAGE
◆ The switch inserts a tag identifying itself as a PPPoE Intermediate Agent residing between the attached client requesting network access and the ports connected to broadband remote access servers (BRAS).
the source or destination MAC address of these PPPoE discovery packets.
◆ These messages are forwarded to all trusted ports designated by the pppoe intermediate-agent trust command.

EXAMPLE
Console(config)#pppoe intermediate-agent format-type access-node-identifier billibong
Console(config)#

pppoe intermediate-agent
This command enables the PPPoE IA on an interface. Use the no form to disable this feature.

DEFAULT SETTING
circuit-id: unit/port:vlan-id or 0/trunk-id:vlan-id
remote-id: port MAC address

COMMAND MODE
Interface Configuration (Ethernet, Port Channel)

COMMAND USAGE
◆ The PPPoE server extracts the Line-Id tag from PPPoE discovery stage messages, and uses the Circuit-Id field of that tag as a NAS-Port-Id attribute in AAA access and accounting requests.

◆ At least one trusted interface must be configured on the switch for the PPPoE IA to function.

EXAMPLE
Console(config)#int ethernet 1/5
Console(config-if)#pppoe intermediate-agent trust
Console(config-if)#

pppoe intermediate-agent
This command enables the stripping of vendor tags from PPPoE Discovery packets sent from a PPPoE server. Use the no form to disable this feature.
EXAMPLE
Console#clear pppoe intermediate-agent statistics
Console#

show pppoe intermediate-agent info
This command displays configuration settings for the PPPoE Intermediate Agent.

SYNTAX
show pppoe intermediate-agent info [interface [interface]]
interface
ethernet unit/port
unit - Stack unit. (Range: 1)
port - Port number.

show pppoe intermediate-agent statistics
This command displays statistics for the PPPoE Intermediate Agent.

SYNTAX
show pppoe intermediate-agent statistics interface [interface]
interface
ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number.
25 GENERAL SECURITY MEASURES
This switch supports many methods of segregating traffic for clients attached to each of the data ports, and for ensuring that only authorized clients gain access to the network. Port-based authentication using IEEE 802.1X is commonly used for these purposes. In addition to these methods, several other options for providing client security are described in this chapter.
CHAPTER 25 | General Security Measures
Port Security

PORT SECURITY
These commands can be used to enable port security on a port. When MAC address learning is disabled on an interface, only incoming traffic with source addresses already stored in the dynamic or static address table for this port will be authorized to access the network. When using port security, the switch stops learning new MAC addresses on the specified port when it has reached a configured maximum number.

traffic with source addresses stored in the static address table will be accepted; all other packets are dropped. Note that the dynamic addresses stored in the address table when MAC address learning is disabled are flushed from the system, and no dynamic addresses are subsequently learned until MAC address learning has been re-enabled.
◆ The mac-learning commands cannot be used if 802.

COMMAND MODE
Interface Configuration (Ethernet)

COMMAND USAGE
◆ The default maximum number of MAC addresses allowed on a secure port is zero (that is, port security is disabled). To use port security, you must configure the maximum number of addresses allowed on a port using the port security max-mac-count command.
RELATED COMMANDS
show interfaces status (987)
shutdown (982)
mac-address-table static (1060)

port security mac-address-as-permanent
Use this command to save the MAC addresses that port security has learned as static entries.

SYNTAX
port security mac-address-as-permanent [interface interface]
interface - Specifies a port interface.
ethernet unit/port
unit - This is unit 1.
port - Port number.

EXAMPLE
This example shows the port security settings and number of secure addresses for all ports.
CHAPTER 25 | General Security Measures
Network Access (MAC Address Authentication)

Current MAC Count                : 0
MAC Filter ID                    : Disabled
Last Intrusion MAC               : NA
Last Time Detected Intrusion MAC : NA
Console#

This example shows information about a detected intrusion.

Table 89: Network Access Commands
Command                                      Function                                                                          Mode
network-access link-detection link-up        Configures the link detection feature to detect and act upon link-up events       IC
network-access link-detection link-up-down   Configures the link detection feature to detect and act upon both link-up and link-down events   IC
network-access max-mac-count                 Sets the maximum number of MAC addresses that can be authenticated on a port
regardless of the 802.1X Operation Mode (Single-Host, Multi-Host, or MAC-Based authentication as described on page 852).
◆ The maximum number of secure MAC addresses supported for the switch system is 1024.

EXAMPLE
Console(config-if)#network-access aging
Console(config-if)#

network-access
Use this command to add a MAC address into a filter table.

mac-authentication reauth-time
Use this command to set the time period after which a connected MAC address must be re-authenticated. Use the no form of this command to restore the default value.

SYNTAX
mac-authentication reauth-time seconds
no mac-authentication reauth-time
seconds - The reauthentication time period.

attribute (attribute 11) can be configured on the RADIUS server to pass the following QoS information:

Table 90: Dynamic QoS Profiles
Profile      Attribute Syntax                     Example
DiffServ     service-policy-in=policy-map-name    service-policy-in=p1
Rate Limit   rate-limit-input=rate                rate-limit-input=100 (Kbps)
802.
COMMAND USAGE
◆ When enabled, the VLAN identifiers returned by the RADIUS server through the 802.1X authentication process will be applied to the port, providing the VLANs have already been created on the switch. GVRP is not used to create the VLANs.
◆ The VLAN settings specified by the first authenticated MAC address are implemented for a port.

EXAMPLE
Console(config)#interface ethernet 1/1
Console(config-if)#network-access guest-vlan 25
Console(config-if)#

network-access link-detection
Use this command to enable link detection for the selected port. Use the no form of this command to restore the default.

EXAMPLE
Console(config)#interface ethernet 1/1
Console(config-if)#network-access link-detection link-down action trap
Console(config-if)#

network-access link-detection link-up
Use this command to detect link-up events. When detected, the switch can shut down the port, send an SNMP trap, or both. Use the no form of this command to disable this feature.
trap-and-shutdown - Issue SNMP trap message and disable the port.

network-access mode
Use this command to enable network access authentication on a port. Use the no form of this command to disable network access authentication.

network-access port-mac-filter
Use this command to enable the specified MAC address filter. Use the no form of this command to disable the specified MAC address filter.

SYNTAX
network-access port-mac-filter filter-id
no network-access port-mac-filter
filter-id - Specifies a MAC address filter table.

mac-authentication max-mac-count
Use this command to set the maximum number of MAC addresses that can be authenticated on a port via MAC authentication. Use the no form of this command to restore the default.

SYNTAX
mac-authentication max-mac-count count
no mac-authentication max-mac-count
count - The maximum number of MAC-authenticated MAC addresses allowed.
show network-access
Use this command to display the MAC authentication settings for port interfaces.

SYNTAX
show network-access [interface interface]
interface - Specifies a port interface.
ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number. (Range: 1-28)

DEFAULT SETTING
Displays the settings for all interfaces.

show network-access mac-address-table
Use this command to display secure MAC address table entries.

SYNTAX
show network-access mac-address-table [static | dynamic] [address mac-address [mask]] [interface interface] [sort {address | interface}]
static - Specifies static address entries.
dynamic - Specifies dynamic address entries.
mac-address - Specifies a MAC address entry.
CHAPTER 25 | General Security Measures
Web Authentication

show network-access mac-filter
Use this command to display information for entries in the MAC filter tables.

SYNTAX
show network-access mac-filter [filter-id]
filter-id - Specifies a MAC address filter table. (Range: 1-64)

DEFAULT SETTING
Displays all filters.

Table 91: Web Authentication (Continued)
Command                          Function                                                                              Mode
web-auth system-auth-control     Enables web authentication globally for the switch                                    GC
web-auth                         Enables web authentication for an interface                                           IC
web-auth re-authenticate (Port)  Ends all web authentication sessions on the port and forces the users to re-authenticate   PE
web-auth re-authenticate (IP)    Ends the web authentication session associated with the designated IP address and f   PE
web-auth quiet-period
This command defines the amount of time a host must wait after exceeding the limit for failed login attempts, before it may attempt web authentication again. Use the no form to restore the default.

SYNTAX
web-auth quiet-period time
no web-auth quiet-period
time - The amount of time the host must wait before attempting authentication again.

web-auth system-auth-control
This command globally enables web authentication for the switch. Use the no form to restore the default.

SYNTAX
[no] web-auth system-auth-control

DEFAULT SETTING
Disabled

COMMAND MODE
Global Configuration

COMMAND USAGE
Both web-auth system-auth-control for the switch and web-auth for an interface must be enabled for the web authentication feature to be active.

web-auth re-authenticate (Port)
This command ends all web authentication sessions connected to the port and forces the users to re-authenticate.

SYNTAX
web-auth re-authenticate interface interface
interface - Specifies a port interface.
ethernet unit/port
unit - This is unit 1.
port - Port number.
show web-auth
This command displays global web authentication parameters.

COMMAND MODE
Privileged Exec

EXAMPLE
Console#show web-auth
Global Web-Auth Parameters
System Auth Control : Enabled
Session Timeout     : 3600
Quiet Period        : 60
Max Login Attempts  : 3
Console#

show web-auth interface
This command displays interface-specific web authentication parameters and statistics.
CHAPTER 25 | General Security Measures
DHCPv4 Snooping

show web-auth summary
This command displays a summary of web authentication port parameters and statistics.

COMMAND MODE
Privileged Exec

EXAMPLE
Console#show web-auth summary
Global Web-Auth Parameters
System Auth Control : Enabled

Port   Status     Authenticated Host Count
--------------------------------
1/ 1   Disabled   0
1/ 2   Enabled    8
1/ 3   Disabled   0
1/ 4   Disabled   0
1/ 5   Disabled   0
. . .

Table 92: DHCP Snooping Commands (Continued)
Command                          Function                                                          Mode
ip dhcp snooping database flash  Writes all dynamically learned snooping entries to flash memory   PE
show ip dhcp snooping            Shows the DHCP snooping configuration settings                    PE
show ip dhcp snooping binding    Shows the DHCP snooping binding table entries                     PE

ip dhcp snooping
This command enables DHCP snooping globally. Use the no form to restore the default setting.
■ If DHCP snooping is enabled globally, and also enabled on the VLAN where the DHCP packet is received, but the port is not trusted, it is processed as follows:
■ If the DHCP packet is a reply packet from a DHCP server (including OFFER, ACK or NAK messages), the packet is dropped.

ip dhcp snooping information option
This command enables the use of DHCP Option 82 information for the switch, and specifies the frame format to use for the remote-id when Option 82 information is generated by the switch.
just their MAC address. DHCP client-server exchange messages are then forwarded directly between the server and client without having to flood them to the entire VLAN.
◆ DHCP snooping must be enabled for the DHCP Option 82 information to be inserted into packets. When enabled, the switch will only add/remove option 82 information in incoming DHCP packets but not relay them.

COMMAND USAGE
When the switch receives DHCP packets from clients that already include DHCP Option 82 information, the switch can be configured to set the action policy for these packets. The switch can either drop the DHCP packets, keep the existing information, or replace it with the switch's relay information.

COMMAND USAGE
If MAC address verification is enabled, and the source MAC address in the Ethernet header of the packet is not the same as the client's hardware address in the DHCP packet, the packet is dropped.

EXAMPLE
This example enables MAC address verification.
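The MAC address verification rule above, together with the untrusted-port rule that server replies are dropped, applied to a constructed BOOTP/DHCP payload; this is an added example, not the guide's or Edgecore's code, and it assumes that a packet too short or not of Ethernet hardware type is also dropped.

```python
"""DHCP snooping MAC address verification on an untrusted port (constructed example)."""
import struct

BOOTREQUEST = 1          # op field: client-to-server message
HTYPE_ETHERNET = 1       # htype field: 10 Mb Ethernet, hlen = 6
CHADDR_OFFSET = 28       # chaddr follows op..giaddr in the BOOTP header
DHCP_MAGIC = b"\x63\x82\x53\x63"


def build_dhcp_request(chaddr, xid=0x3903F326):
    """Build a minimal DHCPDISCOVER (BOOTREQUEST) payload for a 6-byte
    client hardware address. Constructed sample data, not a capture."""
    header = struct.pack("!BBBBIHH4s4s4s4s16s",
                         BOOTREQUEST, HTYPE_ETHERNET, 6, 0, xid, 0, 0,
                         b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,
                         chaddr.ljust(16, b"\0"))
    # sname (64) + file (128), magic cookie, option 53 = DISCOVER, end option
    return header + b"\0" * 192 + DHCP_MAGIC + b"\x35\x01\x01\xff"


def dhcp_chaddr(payload):
    """Return (op, chaddr) from a BOOTP/DHCP payload, or None when the
    payload is truncated or does not carry an Ethernet hardware address."""
    if len(payload) < CHADDR_OFFSET + 16:
        return None
    op, htype, hlen = struct.unpack_from("!BBB", payload, 0)
    if htype != HTYPE_ETHERNET or hlen != 6:
        return None
    return op, payload[CHADDR_OFFSET:CHADDR_OFFSET + hlen]


def snooping_verdict(eth_src_mac, payload, verify_mac=True):
    """Decide 'forward' or 'drop' for a DHCP packet received on an
    untrusted port of a snooping-enabled VLAN."""
    parsed = dhcp_chaddr(payload)
    if parsed is None:
        return "drop"  # assumption: malformed payloads are not forwarded
    op, chaddr = parsed
    if op != BOOTREQUEST:
        return "drop"  # server replies (OFFER/ACK/NAK) on an untrusted port
    if verify_mac and chaddr != eth_src_mac:
        return "drop"  # Ethernet source MAC disagrees with chaddr
    return "forward"
```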
EXAMPLE
This example enables DHCP snooping for VLAN 1.
Console(config)#ip dhcp snooping vlan 1
Console(config)#

RELATED COMMANDS
ip dhcp snooping (900)
ip dhcp snooping trust (907)

ip dhcp snooping information option circuit-id
This command enables the use of the DHCP Option 82 information circuit-id suboption. Use the no form to disable this feature.

■ access node identifier - ASCII string. Default is the MAC address of the switch's CPU. This field is set by the ip dhcp snooping information option command.
■ eth - The second field is the fixed string "eth".
■ slot - The slot represents the stack unit for this system.
■ port - The port which received the DHCP request. If the packet arrives over a trunk, the value is the ifIndex of the trunk.
configured for an interface with the no ip dhcp snooping trust command.
◆ When an untrusted port is changed to a trusted port, all the dynamic DHCP snooping bindings associated with this port are removed.
◆ Additional considerations when the switch itself is a DHCP client – The port(s) through which it submits a client request to the DHCP server must be configured as trusted.

EXAMPLE
This example sets port 5 to untrusted.

EXAMPLE
Console(config)#clear ip dhcp snooping database flash
Console(config)#

ip dhcp snooping database flash
This command writes all dynamically learned snooping entries to flash memory.

COMMAND MODE
Privileged Exec

COMMAND USAGE
This command can be used to store the currently learned dynamic DHCP snooping entries to flash memory. These entries will be restored to the snooping table when the switch is reset.
CHAPTER 25 | General Security Measures
DHCPv6 Snooping

show ip dhcp snooping binding
This command shows the DHCP snooping binding table entries.

COMMAND MODE
Privileged Exec

EXAMPLE
Console#show ip dhcp snooping binding
MAC Address        IP Address       Lease(sec)  Type                  VLAN  Interface
-----------------  ---------------  ----------  --------------------  ----  ---------
11-22-33-44-55-66  192.168.0.

ipv6 dhcp snooping
This command enables DHCPv6 snooping globally. Use the no form to restore the default setting.

SYNTAX
[no] ipv6 dhcp snooping

DEFAULT SETTING
Disabled

COMMAND MODE
Global Configuration

COMMAND USAGE
◆ Network traffic may be disrupted when malicious DHCPv6 messages are received from an outside source. DHCPv6 snooping is used to filter DHCPv6 messages received on an insecure interface from outside the network or firewall.

■ Solicit: Add new entry in binding cache, recording client's DUID, IA type, IA ID (2 message exchanges to get IPv6 address with rapid commit option, otherwise 4 message exchanges), and forward to trusted port.
■ Decline: If no matching entry is found in binding cache, drop this packet.
■ Renew, Rebind, Release, Confirm: If no matching entry is found in binding cache, drop this packet.
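The binding-cache rules just listed as a small state machine over client messages on an untrusted port; this is an added example, not the guide's or Edgecore's code. It assumes a configurable maximum number of bindings (a Solicit that would exceed it is dropped) and that client message types not named above are forwarded unchanged.

```python
"""DHCPv6 snooping binding-cache behaviour for untrusted ports (constructed model)."""
from dataclasses import dataclass

# DHCPv6 message type codes (RFC 8415, section 7.3)
SOLICIT, CONFIRM, RENEW, REBIND, RELEASE, DECLINE = 1, 4, 5, 6, 8, 9
# IA option codes: IA_NA = 3, IA_TA = 4, IA_PD = 25
IA_NA, IA_TA, IA_PD = 3, 4, 25
# Message types that are dropped unless a matching binding already exists
NEEDS_BINDING = {DECLINE, RENEW, REBIND, RELEASE, CONFIRM}


@dataclass(frozen=True)
class ClientMessage:
    msg_type: int
    duid: bytes      # client DUID (raw Client Identifier option payload)
    ia_type: int     # IA_NA, IA_TA or IA_PD
    ia_id: int       # IAID carried in the IA option
    port: str        # ingress (untrusted) port, e.g. "Eth 1/3"


class Dhcpv6SnoopingCache:
    """Binding cache keyed on (DUID, IA type, IA ID), as the rules above record."""

    def __init__(self, max_bindings=None):
        self._entries = {}          # key -> ingress port
        self._max = max_bindings    # assumption: None means no limit

    @staticmethod
    def _key(msg):
        return (msg.duid, msg.ia_type, msg.ia_id)

    def process(self, msg):
        """Return 'forward' (to trusted ports) or 'drop' for a client message."""
        key = self._key(msg)
        if msg.msg_type == SOLICIT:
            is_new = key not in self._entries
            if is_new and self._max is not None and len(self._entries) >= self._max:
                return "drop"  # assumption: cache full, no binding can be added
            self._entries[key] = msg.port
            return "forward"
        if msg.msg_type in NEEDS_BINDING:
            # Decline/Renew/Rebind/Release/Confirm need an existing binding
            return "forward" if key in self._entries else "drop"
        return "forward"  # assumption: other client message types pass through

    def binding_count(self):
        return len(self._entries)

    def port_for(self, duid, ia_type, ia_id):
        """Ingress port recorded for a binding, or None if unknown."""
        return self._entries.get((duid, ia_type, ia_id))
```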
EXAMPLE
This example enables DHCPv6 snooping globally for the switch.
Console(config)#ipv6 dhcp snooping
Console(config)#

RELATED COMMANDS
ipv6 dhcp snooping vlan (915)
ipv6 dhcp snooping trust (916)

ipv6 dhcp snooping option remote-id
This command enables the insertion of remote-id option 37 information into DHCPv6 client messages.

either drop, keep or remove option 37 information in incoming DHCPv6 packets. Packets are processed as follows:
◆ If an incoming packet is a DHCPv6 request packet with option 37 information, it will modify the option 37 information according to settings specified with the ipv6 dhcp snooping option remote-id policy command.
COMMAND MODE
Global Configuration

COMMAND USAGE
When the switch receives DHCPv6 packets from clients that already include DHCP Option 37 information, the switch can be configured to set the action policy for these packets. The switch can either drop the DHCPv6 packets, keep the existing information, or replace it with the switch's relay agent information.

◆ When DHCPv6 snooping is enabled globally, and then disabled on a VLAN, all dynamic bindings learned for this VLAN are removed from the binding table.

EXAMPLE
This example enables DHCPv6 snooping for VLAN 1.

COMMAND MODE
Interface Configuration (Ethernet, Port Channel)

COMMAND USAGE
◆ A trusted interface is an interface that is configured to receive only messages from within the network. An untrusted interface is an interface that is configured to receive messages from outside the network or firewall.

colon may be used in the address to indicate the appropriate number of zeros required to fill the undefined fields.

COMMAND MODE
Privileged Exec

EXAMPLE
Console(config)#clear ipv6 dhcp snooping binding 00-12-cf-01-02-03 2001::1
Console(config)#

show ipv6 dhcp snooping
This command shows the DHCPv6 snooping configuration settings.
CHAPTER 25 | General Security Measures
IPv4 Source Guard

2001:b000::1   2591912   1   Eth 1/3   NA
Console#

show ipv6 dhcp snooping statistics
This command shows statistics for DHCPv6 snooping client, server and relay packets.

Table 95: IPv4 Source Guard Commands (Continued)
Command                        Function                                                        Mode
show ip source-guard           Shows whether source guard is enabled or disabled on each interface   PE
show ip source-guard binding   Shows the source guard binding table                            PE, NE

ip source-guard binding
This command adds a static address to the source-guard ACL or MAC address binding table. Use the no form to remove a static entry.
◆ Static bindings are processed as follows:
■ If there is no entry with the same VLAN ID and MAC address, a new entry is added to the binding table using the type of static IP source guard binding.
■ If there is an entry with the same VLAN ID and MAC address, and the type of entry is static IP source guard binding, then the new entry will replace the old one.

COMMAND USAGE
◆ Source guard is used to filter traffic on an insecure port which receives messages from outside the network or firewall, and therefore may be subject to traffic attacks caused by a host trying to use the IP address of a neighbor.
◆ Setting source guard mode to "sip" or "sip-mac" enables this function on the selected port.
EXAMPLE
This example enables IP source guard on port 5.
Console(config)#interface ethernet 1/5
Console(config-if)#ip source-guard sip
Console(config-if)#

RELATED COMMANDS
ip source-guard binding (920)
ip dhcp snooping (900)
ip dhcp snooping vlan (905)

ip source-guard max-binding
This command sets the maximum number of entries that can be bound to an interface. Use the no form to restore the default setting.

ip source-guard mode
This command sets the source-guard learning mode to search for addresses in the ACL binding table or the MAC address binding table. Use the no form to restore the default setting.

SYNTAX
ip source-guard mode {acl | mac}
no ip source-guard mode
mode - Specifies the learning mode.
acl - Searches for addresses in the ACL table.
mac - Searches for addresses in the MAC address table.

EXAMPLE
This command clears the blocked record table.
Console(config)#clear ip source-guard binding blocked
Console(config)#

show ip source-guard
This command shows whether source guard is enabled or disabled on each interface.

COMMAND MODE
Privileged Exec

EXAMPLE
Console#show ip source-guard
Interface
---------
Eth 1/1
Eth 1/2
Eth 1/3
Eth 1/4
Eth 1/5
. . .
CHAPTER 25 | General Security Measures
IPv6 Source Guard

EXAMPLE
Console#show ip source-guard binding
MAC Address        IP Address       Lease(sec)  Type            VLAN       Interface
-----------------  ---------------  ----------  --------------  ---------  ---------
11-22-33-44-55-66  192.168.0.

interface
ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number. (Range: 1-28)

DEFAULT SETTING
No configured entries

COMMAND MODE
Global Configuration

COMMAND USAGE
◆ Table entries include an associated MAC address, IPv6 global unicast address, entry type (Static-IPv6-SG-Binding, Dynamic-ND-Snooping, Dynamic-DHCPv6-Snooping), VLAN identifier, and port identifier.

RELATED COMMANDS
ipv6 source-guard (928)
ipv6 dhcp snooping (911)
ipv6 dhcp snooping vlan (915)

ipv6 source-guard
This command configures the switch to filter inbound traffic based on the source IP address stored in the binding table. Use the no form to disable this function.
◆ Filtering rules are implemented as follows:
■ If ND snooping and DHCPv6 snooping are disabled, IPv6 source guard will check the VLAN ID, source IPv6 address, and port number. If a matching entry is found in the binding table and the entry type is static IPv6 source guard binding, the packet will be forwarded.
■ If ND snooping or DHCPv6 snooping is enabled, IPv6 source guard will check the VLAN ID, source IP address, and port number.

COMMAND USAGE
◆ This command sets the maximum number of address entries that can be mapped to an interface in the binding table, including both dynamic entries discovered by ND snooping or DHCPv6 snooping, and static entries set by the ipv6 source-guard command.
◆ IPv6 source guard maximum bindings must be set to a value higher than DHCPv6 snooping maximum bindings and ND snooping maximum bindings.
CHAPTER 25 | General Security Measures ARP Inspection show ipv6 This command shows the IPv6 source guard binding table. source-guard binding SYNTAX show ipv6 source-guard binding [dynamic | static] dynamic - Shows dynamic entries configured with ND Snooping or DHCPv6 Snooping commands (see page 910) static - Shows static entries configured with the ipv6 source-guard binding command.
ARP Inspection

Table 97: ARP Inspection Commands (Continued)
Command                               Function                                                         Mode
ip arp inspection limit               Sets a rate limit for the ARP packets received on a port         IC
ip arp inspection trust               Sets a port as trusted, and thus exempted from ARP Inspection    IC
show ip arp inspection configuration  Displays the global configuration settings for ARP Inspection    PE
show ip arp inspection interface      Shows the trust status and inspection rate limit for ports       PE
show
◆ When ARP Inspection is disabled globally, it is still possible to configure ARP Inspection for individual VLANs. These configuration changes only become active after ARP Inspection is globally enabled again.

EXAMPLE
Console(config)#ip arp inspection
Console(config)#

ip arp inspection filter
This command specifies an ARP ACL to apply to one or more VLANs. Use the no form to remove an ACL binding.

EXAMPLE
Console(config)#ip arp inspection filter sales vlan 1
Console(config)#

ip arp inspection log-buffer logs
This command sets the maximum number of entries saved in a log message, and the rate at which these messages are sent. Use the no form to restore the default settings.

EXAMPLE
Console(config)#ip arp inspection log-buffer logs 1 interval 10
Console(config)#

ip arp inspection validate
This command specifies additional validation of address components in an ARP packet. Use the no form to restore the default setting.

ip arp inspection vlan
This command enables ARP Inspection for a specified VLAN or range of VLANs. Use the no form to disable this function.

SYNTAX
[no] ip arp inspection vlan {vlan-id | vlan-range}
  vlan-id - VLAN ID. (Range: 1-4094)
  vlan-range - A consecutive range of VLANs indicated by the use of a hyphen, or a random group of VLANs with each entry separated by a comma.

ip arp inspection limit
This command sets a rate limit for the ARP packets received on a port. Use the no form to restore the default setting.

SYNTAX
ip arp inspection limit {rate pps | none}
no ip arp inspection limit
  pps - The maximum number of ARP packets that can be processed by the CPU per second.

EXAMPLE
Console(config)#interface ethernet 1/1
Console(config-if)#ip arp inspection trust
Console(config-if)#

show ip arp inspection configuration
This command displays the global configuration settings for ARP Inspection.

show ip arp inspection log
This command shows information about entries stored in the log, including the associated VLAN, port, and address components.

COMMAND MODE
Privileged Exec

EXAMPLE
Console#show ip arp inspection log
Total log entries number is 1
Num  VLAN  Port  Src IP Address   Dst IP Address
---  ----  ----  ---------------  ---------------
1    1     11    192.168.2.2      192.168.2.
Console#
EXAMPLE
Console#show ip arp inspection vlan 1
VLAN ID   DAI Status   ACL Name   ACL Status
-------   ----------   --------   ----------
1         disabled     sales      static
Console#

DENIAL OF SERVICE PROTECTION
A denial-of-service (DoS) attack is an attempt to block the services provided by a computer or network resource. This kind of attack tries to prevent an Internet site or service from functioning efficiently or at all.

DEFAULT SETTING
Disabled, 1000 kbits/second

COMMAND MODE
Global Configuration

EXAMPLE
Console(config)#dos-protection echo-chargen 65
Console(config)#

dos-protection smurf
This command protects against smurf DoS attacks, in which a perpetrator generates a large amount of ICMP Echo Request traffic to the broadcast destination IP address (255.255.255.255), all of it carrying the spoofed source address of the intended victim, so that every host that answers floods the victim with Echo Replies.

COMMAND MODE
Global Configuration

EXAMPLE
Console(config)#dos-protection tcp-flooding 65
Console(config)#

dos-protection tcp-null-scan
This command protects against TCP NULL scans, in which probe segments are used to identify listening TCP ports. The scan uses a series of abnormally formed TCP segments that carry a sequence number of 0 and no flags set.

EXAMPLE
Console(config)#dos-protection syn-fin-scan
Console(config)#

dos-protection tcp-xmas-scan
This command protects against TCP XMAS scans, in which probe segments are used to identify listening TCP ports. The scan uses a series of abnormally formed TCP segments that carry a sequence number of 0 and the URG, PSH and FIN flags set. If the target's TCP port is closed, the target replies with a TCP RST packet; an open port stays silent, so the presence or absence of the RST reveals the port state.

EXAMPLE
Console(config)#dos-protection udp-flooding 65
Console(config)#

dos-protection win-nuke
This command protects against WinNuke DoS attacks, which affected the Microsoft Windows 3.1x/95/NT operating systems. In this type of attack, the perpetrator sends out-of-band (OOB) data, that is, TCP segments with the URG flag set, to the target computer on TCP port 139 (NetBIOS), causing it to lock up and display a "Blue Screen of Death".
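The four TCP-based categories above are defined by fields in the TCP header, so a classifier for them fits in a few lines. The following Python is an added example, not code from the switch or this guide: it parses the fixed 20-byte TCP header and names the dos-protection category a segment falls into. The null-scan and XMAS-scan patterns are exactly the ones described above; the definition of syn-fin-scan as "SYN and FIN set together" is an assumption (the page names the command but does not define it), and win-nuke is taken as URG data to port 139. The sample segments are constructed here.

```python
import struct

# TCP flag bits in the flags byte (offset 13 of the TCP header).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
NETBIOS_SSN_PORT = 139
# sport, dport, seq, ack, data offset/reserved, flags, window, checksum, urgent pointer
TCP_HDR = "!HHIIBBHHH"


def parse_tcp_header(raw: bytes):
    """Return (sport, dport, seq, flags) from the 20-byte fixed TCP header."""
    if len(raw) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, _ack, _off, flags, _win, _csum, _urgp = struct.unpack(TCP_HDR, raw[:20])
    return sport, dport, seq, flags & 0x3F


def classify_tcp(raw: bytes):
    """Name the dos-protection category a segment matches, or None if it looks ordinary.

    Null and XMAS scans follow the descriptions above (sequence number 0 plus the
    given flag pattern). syn-fin-scan is assumed to mean SYN and FIN set together;
    win-nuke is URG (out-of-band) data aimed at TCP port 139.
    """
    _sport, dport, seq, flags = parse_tcp_header(raw)
    if seq == 0 and flags == 0:
        return "tcp-null-scan"
    if seq == 0 and flags == (URG | PSH | FIN):
        return "tcp-xmas-scan"
    if flags & SYN and flags & FIN:
        return "syn-fin-scan"
    if flags & URG and dport == NETBIOS_SSN_PORT:
        return "win-nuke"
    return None


def build_tcp(sport: int, dport: int, seq: int, flags: int, urg_ptr: int = 0) -> bytes:
    """Build a minimal 20-byte TCP header (constructed test input; checksum left at 0)."""
    return struct.pack(TCP_HDR, sport, dport, seq, 0, 5 << 4, flags, 65535, 0, urg_ptr)


# Constructed probe segments covering each pattern, plus two ordinary segments.
SAMPLES = {
    "null":    build_tcp(40000, 80, 0, 0),
    "xmas":    build_tcp(40001, 80, 0, URG | PSH | FIN),
    "synfin":  build_tcp(40002, 22, 123456, SYN | FIN),
    "winnuke": build_tcp(40003, 139, 123456, ACK | PSH | URG, urg_ptr=3),
    "syn":     build_tcp(40004, 80, 123456, SYN),
    "smb":     build_tcp(40005, 139, 123456, ACK | PSH),
}


def classify_samples():
    return {name: classify_tcp(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        print(f"{name:8s} -> {verdict}")
```

Note that the "smb" sample, an ordinary NetBIOS session segment to port 139 without URG, is left alone: the win-nuke check keys on the URG flag, not on the port by itself, which is what keeps legitimate SMB traffic flowing when this protection is enabled.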
 WinNuke Attack          : Disabled, 1000 kilobits per second
Console#

PORT-BASED TRAFFIC SEGMENTATION
If tighter security is required for passing traffic from different clients through downlink ports on the local network and over uplink ports to the service provider, port-based traffic segmentation can be used to isolate traffic for individual clients. Traffic belonging to each client is isolated to the allocated downlink ports.

◆ Traffic segmentation and normal VLANs can exist simultaneously within the same switch. Traffic may pass freely between uplink ports in segmented groups and ports in normal VLANs.
◆ When traffic segmentation is enabled, the forwarding state for the uplink and downlink ports assigned to different client sessions is shown below.

DEFAULT SETTING
None

COMMAND MODE
Global Configuration

COMMAND USAGE
◆ Use this command to create a new traffic-segmentation client session.
◆ Using the no form of this command removes any assigned uplink or downlink ports, restoring these interfaces to normal operating mode.
◆ When specifying an uplink or downlink, a list of ports may be entered by using a hyphen or comma in the port field. Note that lists are not supported for the channel-id field.
◆ A downlink port can only communicate with an uplink port in the same session. Therefore, if an uplink port is not configured for a session, the assigned downlink ports will not be able to communicate with any other ports.
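The forwarding rules in the two usage bullets above can be checked against a small model. The following Python is an added example, not code from the switch or this guide; it tracks sessions of uplink and downlink ports and answers whether a frame may be forwarded between two ports. The page states that downlinks talk only to an uplink of their own session and that uplinks exchange traffic freely with normal VLAN ports; that uplinks of different sessions also forward to each other, and that a port can hold only one role in one session, are assumptions marked in the code. VLAN membership is not modelled.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple


@dataclass
class Session:
    uplinks: Set[int] = field(default_factory=set)
    downlinks: Set[int] = field(default_factory=set)


class TrafficSegmentation:
    """Port-based traffic segmentation: client sessions of uplink and downlink ports."""

    def __init__(self):
        self.sessions: Dict[int, Session] = {}

    def session(self, sid: int) -> Session:
        return self.sessions.setdefault(sid, Session())

    def assign(self, sid: int, uplinks=(), downlinks=()) -> None:
        """Add ports to a session. Assumption: a port belongs to at most one session
        with one role, so assigning it a second time is rejected."""
        for port in (*uplinks, *downlinks):
            if self.role(port) is not None:
                raise ValueError(f"port {port} is already part of a session")
        self.session(sid).uplinks.update(uplinks)
        self.session(sid).downlinks.update(downlinks)

    def remove_session(self, sid: int) -> None:
        """'no' form: drop the session; its ports return to normal operating mode."""
        self.sessions.pop(sid, None)

    def role(self, port: int) -> Optional[Tuple[int, str]]:
        for sid, s in self.sessions.items():
            if port in s.uplinks:
                return sid, "uplink"
            if port in s.downlinks:
                return sid, "downlink"
        return None                       # port is in normal operating mode

    def can_forward(self, ingress: int, egress: int) -> bool:
        """Forwarding decision between two ports (VLAN membership not modelled)."""
        a, b = self.role(ingress), self.role(egress)
        if a is None and b is None:
            return True                   # two normal ports: ordinary VLAN forwarding
        if a is None or b is None:
            # A normal VLAN port may exchange traffic only with an uplink, never a downlink.
            return (a or b)[1] == "uplink"
        if a[1] == "uplink" and b[1] == "uplink":
            return True                   # assumption: uplinks of different sessions forward
        # A downlink is involved: only an uplink of the same session may talk to it.
        return a[0] == b[0] and a[1] != b[1]


def build_demo() -> TrafficSegmentation:
    """Constructed layout: session 1 has uplink 1 and downlinks 2-3, session 2 has
    uplink 10 and downlink 11, and session 3 has downlink 5 but no uplink yet."""
    ts = TrafficSegmentation()
    ts.assign(1, uplinks=[1], downlinks=[2, 3])
    ts.assign(2, uplinks=[10], downlinks=[11])
    ts.assign(3, downlinks=[5])
    return ts
```

Session 3 in the constructed layout is the caveat from the last bullet: with no uplink assigned, its downlink port 5 cannot reach any port at all until an uplink is added or the session is removed.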
show
This command displays the configured traffic segments.
26 ACCESS CONTROL LISTS Access Control Lists (ACL) provide packet filtering for IPv4 frames (based on address, protocol, Layer 4 protocol port number or TCP control code), IPv6 frames (based on address, DSCP traffic class, or next header type), or any frames (based on MAC address or Ethernet type). To filter packets, first create an access list, add the required rules, and then bind the list to a specific port. This section describes the Access Control List commands.
IPv4 ACLs

access-list ip
This command adds an IP access list and enters configuration mode for standard or extended IPv4 ACLs. Use the no form to remove the specified ACL.

SYNTAX
[no] access-list ip {standard | extended} acl-name
  standard – Specifies an ACL that filters packets based on the source IP address.
  extended – Specifies an ACL that filters packets based on the source or destination IP address, and other more specific criteria.
  acl-name – Name of the ACL.

permit, deny (Standard IP ACL)
This command adds a rule to a Standard IPv4 ACL. The rule sets a filter condition for packets emanating from the specified source. Use the no form to remove a rule.

SYNTAX
{permit | deny} {any | source bitmask | host source} [time-range time-range-name]
no {permit | deny} {any | source bitmask | host source}
  any – Any source IP address.
  source – Source IP address.

permit, deny (Extended IPv4 ACL)
This command adds a rule to an Extended IPv4 ACL. The rule sets a filter condition for packets with specific source or destination IP addresses, protocol types, source or destination protocol ports, or TCP control codes. Use the no form to remove a rule.

  control-flags – Decimal number (representing a bit string) that specifies the flag bits in byte 14 of the TCP header, i.e. the flags byte at offset 13 counting from zero, whose low six bits are URG (32), ACK (16), PSH (8), RST (4), SYN (2) and FIN (1). (Range: 0-63)
  flag-bitmask – Decimal number representing the code bits to match; the control-flags value is compared only in the bit positions that are set in the bitmask.
  time-range-name - Name of the time range. (Range: 1-30 characters)

DEFAULT SETTING
None

COMMAND MODE
Extended IPv4 ACL

COMMAND USAGE
◆ All new rules are appended to the end of the list.

EXAMPLE
This example accepts any incoming packets if the source address is within subnet 10.7.1.x. The rule matches when the masked rule address (10.7.1.1 & 255.255.255.0 = 10.7.1.0) equals the masked packet address (for example 10.7.1.2 & 255.255.255.0 = 10.7.1.0), and the packet then passes through.
Console(config-ext-acl)#permit 10.7.1.1 255.255.255.0 any
Console(config-ext-acl)#
This allows TCP packets from class C addresses 192.168.1.
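The masked comparison in the example above, the control-flags/flag-bitmask test, and the "rules are appended, first match wins, at most 64 rules" behaviour of this chapter can be exercised with the following Python evaluator. It is an added example and not code from the switch or this guide. The bitmask semantics (a set bit means "compare this bit") follow the example; the assumptions, marked in the code, are that a packet matching no rule is dropped and that flag-bitmask selects which flag bits are compared. The second rule in the constructed ACL (TCP SYN from 192.168.1.0/24 to port 80) is made up for the demonstration.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional

MAX_RULES = 64                   # per-ACL limit stated in this chapter
ANY = ("0.0.0.0", "0.0.0.0")     # all-zero bitmask: no address bits are compared


def host(ip: str):
    """'host a.b.c.d' form: every address bit must match."""
    return (ip, "255.255.255.255")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    protocol: int            # 1 ICMP, 6 TCP, 17 UDP
    sport: int = 0
    dport: int = 0
    tcp_flags: int = 0       # low six bits of the TCP flags byte: URG ACK PSH RST SYN FIN


@dataclass(frozen=True)
class Rule:
    action: str              # "permit" or "deny"
    src: tuple = ANY         # (address, bitmask) as written in the rule
    dst: tuple = ANY
    protocol: Optional[int] = None
    dport: Optional[int] = None
    control_flags: Optional[int] = None   # 0-63, see control-flags above
    flag_bitmask: int = 0x3F              # which flag bits are compared (assumption)


def masked_equal(pkt_addr: str, rule_addr: str, bitmask: str) -> bool:
    """(rule & mask) == (packet & mask): the comparison the example above spells out."""
    p, r, m = (int(IPv4Address(a)) for a in (pkt_addr, rule_addr, bitmask))
    return (p & m) == (r & m)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if not masked_equal(pkt.src, *rule.src) or not masked_equal(pkt.dst, *rule.dst):
        return False
    if rule.protocol is not None and pkt.protocol != rule.protocol:
        return False
    if rule.dport is not None and pkt.dport != rule.dport:
        return False
    if rule.control_flags is not None:
        if pkt.protocol != 6:           # control flags only exist in TCP
            return False
        if (pkt.tcp_flags & rule.flag_bitmask) != (rule.control_flags & rule.flag_bitmask):
            return False
    return True


def add_rule(acl: List[Rule], rule: Rule) -> None:
    """New rules are appended to the end of the list; a list holds at most 64 rules."""
    if len(acl) >= MAX_RULES:
        raise ValueError(f"ACL already holds {MAX_RULES} rules")
    acl.append(rule)


def evaluate(acl: List[Rule], pkt: Packet, default: str = "deny") -> str:
    """First matching rule wins. Assumption: a packet matching no rule gets `default`."""
    for rule in acl:
        if rule_matches(rule, pkt):
            return rule.action
    return default


def build_sample_acl() -> List[Rule]:
    """Constructed extended ACL: the 10.7.1.x rule from the example above, then a rule
    admitting only TCP SYN segments (control-flags 2, bitmask 2) from 192.168.1.0/24
    to port 80, then an explicit deny."""
    acl: List[Rule] = []
    add_rule(acl, Rule("permit", src=("10.7.1.1", "255.255.255.0")))
    add_rule(acl, Rule("permit", src=("192.168.1.0", "255.255.255.0"), protocol=6,
                       dport=80, control_flags=2, flag_bitmask=2))
    add_rule(acl, Rule("deny"))
    return acl


def demo():
    acl = build_sample_acl()
    return {
        "subnet_udp": evaluate(acl, Packet("10.7.1.2", "10.9.9.9", 17, dport=53)),
        "other_subnet": evaluate(acl, Packet("10.7.2.2", "10.9.9.9", 17, dport=53)),
        "web_syn": evaluate(acl, Packet("192.168.1.5", "10.9.9.9", 6, 50000, 80, tcp_flags=2)),
        "web_ack_only": evaluate(acl, Packet("192.168.1.5", "10.9.9.9", 6, 50000, 80, tcp_flags=0x10)),
        "web_udp": evaluate(acl, Packet("192.168.1.5", "10.9.9.9", 17, 50000, 80)),
    }
```

The "web_ack_only" case shows what a control-flags rule actually filters: with bitmask 2 only the SYN bit is inspected, so a segment with ACK alone fails the rule and falls through to the deny, while the other flag bits are ignored entirely.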
COMMAND MODE
Interface Configuration (Ethernet)

COMMAND USAGE
If an ACL is already bound to a port and you bind a different ACL to it, the switch replaces the old binding with the new one.

EXAMPLE
Console(config)#int eth 1/2
Console(config-if)#ip access-group david in
Console(config-if)#

RELATED COMMANDS
show ip access-list (957)
Time Range (762)

show ip access-group
This command shows the ports assigned to IP ACLs.

EXAMPLE
Console#show ip access-list standard
IP standard access-list david:
  permit host 10.1.1.21
  permit 168.92.0.0 255.255.15.0
Console#

RELATED COMMANDS
permit, deny (953)
ip access-group (956)

IPV6 ACLS
The commands in this section configure ACLs based on IPv6 addresses, DSCP traffic class, or next header type.

COMMAND MODE
Global Configuration

COMMAND USAGE
◆ When you create a new ACL or enter configuration mode for an existing ACL, use the permit or deny command to add new rules to the bottom of the list. To create an ACL, you must add at least one rule to the list.
◆ To remove a rule, use the no permit or no deny command followed by the exact text of a previously configured rule.
◆ An ACL can contain up to 64 rules.

DEFAULT SETTING
None

COMMAND MODE
Standard IPv6 ACL

COMMAND USAGE
New rules are appended to the end of the list.

EXAMPLE
This example configures one permit rule for the specific address 2009:DB9:2229::79 and another rule for the addresses with the network prefix 2009:DB9:2229:5::/64.

    to indicate the appropriate number of zeros required to fill the undefined fields.
  prefix-length - A decimal value indicating how many contiguous bits (from the left) of the address comprise the prefix, i.e. the network portion of the address. (Range: 0-128 for source prefix, 0-8 for destination prefix)
  dscp – DSCP traffic class. (Range: 0-63)
  next-header – Identifies the type of header immediately following the IPv6 header.

This allows any packets sent to the destination 2009:DB9:2229::79/48 when the next header is 43 (the IPv6 Routing header).
Console(config-ext-ipv6-acl)#permit 2009:DB9:2229::79/48 next-header 43
Console(config-ext-ipv6-acl)#

RELATED COMMANDS
access-list ipv6 (958)
Time Range (762)

ipv6 access-group
This command binds a port to an IPv6 ACL. Use the no form to remove the port.

show ipv6 access-group
This command shows the ports assigned to IPv6 ACLs.

COMMAND MODE
Privileged Exec

EXAMPLE
Console#show ipv6 access-group
Interface ethernet 1/2
  IPv6 standard access-list david in
Console#

RELATED COMMANDS
ipv6 access-group (962)

show ipv6 access-list
This command displays the rules for configured IPv6 ACLs.

SYNTAX
show ipv6 access-list {standard | extended} [acl-name]
  standard – Specifies a standard IPv6 ACL.
MAC ACLS
The commands in this section configure ACLs based on hardware addresses, packet format, and Ethernet type. The ACLs can further specify optional IP and IPv6 addresses, including protocol type and upper-layer ports. To configure MAC ACLs, first create an access list containing the required permit or deny rules, and then bind the access list to one or more ports.

EXAMPLE
Console(config)#access-list mac jerry
Console(config-mac-acl)#

RELATED COMMANDS
permit, deny (965)
mac access-group (968)
show mac access-list (969)

permit, deny (MAC ACL)
This command adds a rule to a MAC ACL. The rule filters packets matching a specified MAC source or destination address (i.e., physical layer address), or Ethernet protocol type. Rules can also filter packets based on IPv4/v6 addresses, including Layer 4 ports and protocol types.

{permit | deny} tagged-eth2 {any | host source | source address-bitmask}
  {any | host destination | destination address-bitmask}
  [vid vid vid-bitmask] [ethertype ethertype [ethertype-bitmask]]
  [{ip {any | host source-ip | source-ip network-mask}
       {any | host destination-ip | destination-ip network-mask} |
    ipv6 {any | host source-ipv6 | source-ipv6/prefix-length}
       {any | host destination-ipv6 | destination-ipv6/prefix-length}}
   [protocol protocol] [l4-source-port sport

no {permit | deny} tagged-802.3 {any | host source | source address-bitmask}
  {any | host destination | destination address-bitmask} [vid vid vid-bitmask]
{permit | deny} untagged-802.3 {any | host source | source address-bitmask}
  {any | host destination | destination address-bitmask} [time-range time-range-name]
no {permit | deny} untagged-802.

DEFAULT SETTING
None

COMMAND MODE
MAC ACL

COMMAND USAGE
◆ New rules are added to the end of the list.
◆ The ethertype option can only be used to filter Ethernet II formatted packets.
◆ A detailed listing of Ethernet protocol types can be found in RFC 1060 (Assigned Numbers); the current list is maintained in the IANA "IEEE 802 Numbers" registry.

COMMAND MODE
Interface Configuration (Ethernet)

COMMAND USAGE
If an ACL is already bound to a port and you bind a different ACL to it, the switch replaces the old binding with the new one.

EXAMPLE
Console(config)#interface ethernet 1/2
Console(config-if)#mac access-group jerry in
Console(config-if)#

RELATED COMMANDS
show mac access-list (969)
Time Range (762)

show mac access-group
This command shows the ports assigned to MAC ACLs.
RELATED COMMANDS
permit, deny (965)
mac access-group (968)

ARP ACLS
The commands in this section configure ACLs based on the IP or MAC address contained in ARP request and reply messages. To configure ARP ACLs, first create an access list containing the required permit or deny rules, bind the access list to one or more VLANs using the ip arp inspection filter command, and enable inspection on those VLANs with the ip arp inspection vlan command (page 936).

RELATED COMMANDS
permit, deny (971)
show access-list arp (972)

permit, deny (ARP ACL)
This command adds a rule to an ARP ACL. The rule filters packets matching a specified source or destination address in ARP messages. Use the no form to remove a rule.

SYNTAX
[no] {permit | deny} ip {any | host source-ip | source-ip ip-address-bitmask} mac {any | host source-mac | source-mac mac-address-bitmask} [log]
This form matches either request or response packets.

EXAMPLE
This rule permits ARP response packets from any source IP and MAC address to the destination subnet 192.168.0.0/16.
Console(config-arp-acl)#permit response ip any 192.168.0.0 255.255.0.0 mac any any
Console(config-arp-acl)#

RELATED COMMANDS
access-list arp (970)

show access-list arp
This command displays the rules for configured ARP ACLs.

SYNTAX
show access-list arp [acl-name]
  acl-name – Name of the ACL.
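The following Python ties together the ARP ACL rule above, the ip arp inspection validate and log-buffer commands from the previous chapter, and the bound-ACL lookup: it is an added example, not code from the switch or this guide. Masked matching on both IP and MAC fields follows the bitmask convention used throughout the ACL chapter. Three things are assumptions, marked in the code: a packet matching no rule of the bound ACL is checked against a table of (VLAN, sender IP, sender MAC) bindings and dropped if absent; the src-mac validation compares the Ethernet source MAC with the ARP sender MAC; and log entries beyond the configured number per message are discarded. The sample packets, ACL and bindings are constructed.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Set, Tuple

ARP_REQUEST, ARP_RESPONSE = 1, 2
ANY_IP = ("0.0.0.0", "0.0.0.0")                      # all-zero bitmask: nothing compared
ANY_MAC = ("00-00-00-00-00-00", "00-00-00-00-00-00")


@dataclass(frozen=True)
class ArpPacket:
    vlan: int
    eth_src: str          # source MAC in the Ethernet header
    op: int               # ARP_REQUEST or ARP_RESPONSE
    sender_ip: str
    sender_mac: str
    target_ip: str
    target_mac: str


@dataclass(frozen=True)
class ArpRule:
    action: str                 # "permit" or "deny"
    op: Optional[int] = None    # None: the form without request/response, matches both
    sender_ip: tuple = ANY_IP   # (address, bitmask) pairs as written in the rule
    target_ip: tuple = ANY_IP
    sender_mac: tuple = ANY_MAC
    target_mac: tuple = ANY_MAC
    log: bool = False


def _ip(s: str) -> int:
    return int(IPv4Address(s))


def _mac(s: str) -> int:
    return int(s.replace("-", "").replace(":", ""), 16)


def rule_matches(rule: ArpRule, p: ArpPacket) -> bool:
    if rule.op is not None and rule.op != p.op:
        return False
    fields = ((_ip, p.sender_ip, rule.sender_ip), (_ip, p.target_ip, rule.target_ip),
              (_mac, p.sender_mac, rule.sender_mac), (_mac, p.target_mac, rule.target_mac))
    # Masked comparison: (packet & bitmask) == (rule & bitmask) for every address field.
    return all((f(a) & f(m)) == (f(r) & f(m)) for f, a, (r, m) in fields)


class LogBuffer:
    """Models 'ip arp inspection log-buffer logs N interval S': at most N entries are held
    for the next message, and a message is sent at most once every S seconds."""

    def __init__(self, logs: int, interval: int):
        self.logs, self.interval = logs, interval
        self.pending: List[ArpPacket] = []
        self.messages: List[List[ArpPacket]] = []
        self.last_sent: Optional[float] = None

    def record(self, p: ArpPacket, now: float) -> None:
        if len(self.pending) < self.logs:      # assumption: entries beyond N are dropped
            self.pending.append(p)
        self.flush(now)

    def flush(self, now: float) -> None:
        if self.pending and (self.last_sent is None or now - self.last_sent >= self.interval):
            self.messages.append(self.pending)
            self.pending, self.last_sent = [], now


def inspect(p: ArpPacket, acl: List[ArpRule], bindings: Set[Tuple[int, str, str]],
            log: LogBuffer, now: float, validate_src_mac: bool = True) -> str:
    """ARP Inspection on an untrusted port: src-mac validation, then the ARP ACL, then
    (assumed fallback) the (vlan, sender IP, sender MAC) bindings."""
    if validate_src_mac and p.eth_src.lower() != p.sender_mac.lower():
        log.record(p, now)                  # frame source MAC and ARP sender MAC disagree
        return "deny"
    for rule in acl:
        if rule_matches(rule, p):
            if rule.action == "deny" or rule.log:
                log.record(p, now)
            return rule.action
    if (p.vlan, p.sender_ip, p.sender_mac.lower()) in bindings:
        return "permit"
    log.record(p, now)
    return "deny"


# Constructed data: the 'sales' ACL rule from the example above and one learned binding.
SALES_ACL = [ArpRule("permit", op=ARP_RESPONSE, target_ip=("192.168.0.0", "255.255.0.0"))]
BINDINGS = {(1, "10.1.1.5", "00-11-22-33-44-55")}


def _pkt(op, sender_ip, sender_mac, target_ip, eth_src=None):
    return ArpPacket(1, eth_src or sender_mac, op, sender_ip, sender_mac, target_ip, "00-00-00-00-00-00")


def demo():
    log = LogBuffer(logs=2, interval=10)
    verdicts = {
        "reply": inspect(_pkt(ARP_RESPONSE, "10.1.1.5", "00-11-22-33-44-55", "192.168.3.7"), SALES_ACL, BINDINGS, log, 0),
        "request": inspect(_pkt(ARP_REQUEST, "10.1.1.5", "00-11-22-33-44-55", "10.1.1.1"), SALES_ACL, BINDINGS, log, 1),
        "spoofed": inspect(_pkt(ARP_RESPONSE, "10.1.1.1", "00-de-ad-be-ef-00", "192.168.3.7",
                                eth_src="00-11-22-33-44-55"), SALES_ACL, BINDINGS, log, 2),
        "unknown": inspect(_pkt(ARP_REQUEST, "10.1.1.99", "00-66-77-88-99-aa", "10.1.1.1"), SALES_ACL, BINDINGS, log, 3),
    }
    log.flush(20)
    return verdicts, log
```

The "spoofed" packet is the classic ARP poisoning attempt (a reply claiming the gateway's address 10.1.1.1 with a foreign MAC) and is caught by src-mac validation before the ACL is consulted; the "unknown" request from an unbound host is dropped by the fallback. Both land in the log buffer, but the second message is held back until the interval has elapsed, which is the rate limiting the log-buffer command provides.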
ACL INFORMATION
This section describes commands used to display ACL information.

Table 106: ACL Information Commands
Command                              Function                                                           Mode
clear access-list hardware counters  Clears hit counter for rules in all ACLs, or in a specified ACL.

MAC access-list jerry
Console#

show access-list
This command shows all ACLs and associated rules.

SYNTAX
show access-list [[arp [acl-name]] | [ip [extended [acl-name] | standard [acl-name]]] | [ipv6 [extended [acl-name] | standard [acl-name]]] | [mac [acl-name]] | [tcam-utilization] | [hardware counters]]
  arp – Shows ingress or egress rules for ARP ACLs.
  hardware counters – Shows statistics for all ACLs.
27 INTERFACE COMMANDS These commands are used to display or set communication parameters for an Ethernet port, aggregated link, or VLAN; or perform cable diagnostics on the specified interface.
Interface Configuration

Table 107: Interface Commands (Continued)
Command                            Function                                                                                              Mode
transceiver-threshold temperature  Sets thresholds for the transceiver temperature which can be used to trigger an alarm or warning message          IC
transceiver-threshold tx-power     Sets thresholds for the transceiver power level of the transmitted signal which can be used to trigger an alarm or warning message   IC
transceiver-threshold voltage      Sets thresholds for the transceiver voltage wh

EXAMPLE
To specify port 4, enter the following command:
Console(config)#interface ethernet 1/4
Console(config-if)#

alias
This command configures an alias name for the interface. Use the no form to remove the alias name.

SYNTAX
alias string
no alias
  string - A mnemonic name to help you remember what is attached to this interface.

  10full - Supports 10 Mbps full-duplex operation
  10half - Supports 10 Mbps half-duplex operation
  flowcontrol - Supports flow control

DEFAULT SETTING
100BASE-TX: 10half, 10full, 100half, 100full
1000BASE-T: 10half, 10full, 100half, 100full, 1000full
1000BASE-SX/LX/LH (SFP): 1000full

COMMAND MODE
Interface Configuration (Ethernet, Port Channel)

COMMAND USAGE
◆ The 1000BASE-T standard does not support forced mode.

DEFAULT SETTING
None

COMMAND MODE
Interface Configuration (Ethernet, Port Channel)

COMMAND USAGE
The description is displayed by the show interfaces status command and in the running-configuration file. An example of the value which a network manager might store in this object is the name of the manufacturer and the product name.

EXAMPLE
The following example adds a description to port 4.

flowcontrol
This command enables flow control. Use the no form to disable flow control.

SYNTAX
[no] flowcontrol

DEFAULT SETTING
Disabled

COMMAND MODE
Interface Configuration (Ethernet, Port Channel)

COMMAND USAGE
◆ 1000BASE-T does not support forced mode. Auto-negotiation should always be used to establish a connection over any 1000BASE-T port or trunk.

media-type
This command forces the port type selected for combination ports. Use the no form to restore the default mode.

SYNTAX
media-type mode
no media-type
  mode
    copper-forced - Always uses the built-in RJ-45 port.
    sfp-forced - Always uses the SFP port (even if no module is installed).
    sfp-preferred-auto - Uses the SFP port if both combination types are functioning and the SFP port has a valid link.

COMMAND USAGE
◆ 1000BASE-T does not support forced mode. Auto-negotiation should always be used to establish a connection over any 1000BASE-T port or trunk.
◆ When auto-negotiation is enabled, the switch negotiates the best settings for a link based on the capabilities command. When auto-negotiation is disabled, you must manually specify the link attributes with the speed-duplex and flowcontrol commands.

speed-duplex
This command configures the speed and duplex mode of a given interface when auto-negotiation is disabled. Use the no form to restore the default.
RELATED COMMANDS
negotiation (981)
capabilities (977)

clear counters
This command clears statistics on an interface.

SYNTAX
clear counters interface
  interface
    ethernet unit/port
      unit - Unit identifier. (Range: 1)
      port - Port number. (Range: 1-28)
    port-channel channel-id (Range: 1-12)

DEFAULT SETTING
None

COMMAND MODE
Privileged Exec

COMMAND USAGE
Statistics are otherwise only initialized by a power reset; use this command to clear them without rebooting.

EXAMPLE
In this example, "Default" means that the packets are not discarded.
Console#show discard
Port      CDP      PVST
--------  -------  -------
Eth 1/ 1  Default  Default
Eth 1/ 2  Default  Default
Eth 1/ 3  Default  Default
Eth 1/ 4  Default  Default
Eth 1/ 5  Default  Default
Eth 1/ 6  Default  Default
.
.
.

COMMAND MODE
Normal Exec, Privileged Exec

COMMAND USAGE
If no interface is specified, information on all interfaces is displayed. For a description of the items displayed by this command, see "Showing Port or Trunk Statistics" on page 160.

 ===== Port Utilization =====
  111 Octets Input in kbits per second
    0 Packets Input per second
 0.00 % Input Utilization
  606 Octets Output in kbits per second
    1 Packets Output per second
 0.00 % Output Utilization
Console#

show interfaces status
This command displays the status for an interface.

SYNTAX
show interfaces status [interface]
  interface
    ethernet unit/port
      unit - Unit identifier. (Range: 1)
      port - Port number.

 MAC Learning            : Enabled
 Media Type              : None
Current Status:
 Link Status             : Up
 Port Operation Status   : Up
 Operation Speed-duplex  : 100full
 Up Time                 : 0w 0d 3h 18m 18s (11898 seconds)
 Flow Control Type       : None
 Max Frame Size          : 1518 bytes (1522 bytes for tagged frames)
 MAC Learning Status     : Enabled
Console#

show interfaces switchport
This command displays the administrative and operational status of the specified interfaces.
 802.1Q Tunnel Mode       : Normal
 802.1Q Tunnel TPID       : 8100 (Hex)
 Layer 2 Protocol Tunnel  : None
Console#

Table 108: show interfaces switchport - display description
Field                 Description
Broadcast Threshold   Shows if broadcast storm suppression is enabled or disabled; if enabled it also shows the threshold level (page 1030).

Transceiver Threshold Configuration

DEFAULT SETTING
Disabled

COMMAND MODE
Interface Configuration (Ethernet)

EXAMPLE
Console(config)#interface ethernet 1/25
Console(config-if)#transceiver-threshold-auto
Console(config-if)#

transceiver-monitor
This command sends a trap when any of the transceiver's operational values fall outside of the specified thresholds. Use the no form to disable trap messages.

DEFAULT SETTING
High Alarm: 100 mA
High Warning: 90 mA
Low Warning: 7 mA
Low Alarm: 6 mA

COMMAND MODE
Interface Configuration (Ethernet)

COMMAND USAGE
◆ If trap messages are enabled with the transceiver-monitor command, a high-threshold alarm or warning message is sent when the current value is greater than or equal to the threshold and the last sample value was less than the threshold. The trap is therefore sent once, on the upward crossing, and not repeated while the value merely stays above the threshold.
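The edge-triggered rule in the usage note above is easy to get wrong in a monitoring script that polls show interfaces transceiver, so the following Python models it. It is an added example, not code from the switch or this guide. The high-threshold behaviour is the one stated above; that the low thresholds mirror it (trap when the value drops to or below the threshold from above), that no trap is produced for the very first sample, and that thresholds must nest (alarm outside warning) are assumptions marked in the code. The bias-current thresholds are the defaults listed above; the sample series is constructed.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Thresholds:
    high_alarm: float
    high_warning: float
    low_warning: float
    low_alarm: float

    def __post_init__(self):
        # Assumption: thresholds nest, alarm outside warning, or crossings make no sense.
        if not (self.high_alarm >= self.high_warning > self.low_warning >= self.low_alarm):
            raise ValueError("need high-alarm >= high-warning > low-warning >= low-alarm")


class TransceiverMonitor:
    """Edge-triggered threshold monitor for one DDM parameter (e.g. bias current in mA).

    A high trap fires when the new sample is >= the threshold and the previous sample
    was below it; a low trap (assumed symmetric) fires when the new sample is <= the
    threshold and the previous sample was above it. Nothing fires while a value merely
    stays out of range, and nothing fires for the first sample (assumption), since
    there is no previous sample to compare against.
    """

    def __init__(self, thresholds: Thresholds, traps_enabled: bool = True):
        self.t = thresholds
        self.traps_enabled = traps_enabled       # transceiver-monitor on/off
        self.last: Optional[float] = None
        self.history: List[str] = []

    def sample(self, value: float) -> List[str]:
        events: List[str] = []
        if self.traps_enabled and self.last is not None:
            for name, th in (("high-alarm", self.t.high_alarm), ("high-warning", self.t.high_warning)):
                if value >= th and self.last < th:
                    events.append(name)
            for name, th in (("low-alarm", self.t.low_alarm), ("low-warning", self.t.low_warning)):
                if value <= th and self.last > th:
                    events.append(name)
        self.last = value
        self.history.extend(events)
        return events


# Default bias-current thresholds listed above (mA).
BIAS_CURRENT_DEFAULTS = Thresholds(high_alarm=100, high_warning=90, low_warning=7, low_alarm=6)

# Constructed series of readings: rises through both high thresholds, recovers, then sags.
SERIES = [50, 92, 95, 101, 101, 50, 6.5, 5, 5.5, 8]


def run_samples(values, thresholds=BIAS_CURRENT_DEFAULTS, traps_enabled=True):
    """Feed a series of readings and return the trap names produced per sample."""
    mon = TransceiverMonitor(thresholds, traps_enabled)
    return [mon.sample(v) for v in values]


if __name__ == "__main__":
    for v, ev in zip(SERIES, run_samples(SERIES)):
        print(f"{v:6.1f} mA -> {ev or '-'}")
```

A jump straight from a normal reading to one above both high thresholds raises both traps in a single sample, which is why a receiver should not assume the warning always precedes the alarm.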
transceiver-threshold rx-power
This command sets thresholds for the transceiver power level of the received signal which can be used to trigger an alarm or warning message.

SYNTAX
transceiver-threshold rx-power {high-alarm | high-warning | low-alarm | low-warning} threshold-value
  high-alarm – Sets the high power threshold for an alarm message.
  high-warning – Sets the high power threshold for a warning message.

transceiver-threshold temperature
This command sets thresholds for the transceiver temperature which can be used to trigger an alarm or warning message.

SYNTAX
transceiver-threshold temperature {high-alarm | high-warning | low-alarm | low-warning} threshold-value
  high-alarm – Sets the high temperature threshold for an alarm message.
  high-warning – Sets the high temperature threshold for a warning message.

transceiver-threshold tx-power
This command sets thresholds for the transceiver power level of the transmitted signal which can be used to trigger an alarm or warning message.

SYNTAX
transceiver-threshold tx-power {high-alarm | high-warning | low-alarm | low-warning} threshold-value
  high-alarm – Sets the high power threshold for an alarm message.
  high-warning – Sets the high power threshold for a warning message.

transceiver-threshold voltage
This command sets thresholds for the transceiver voltage which can be used to trigger an alarm or warning message.

SYNTAX
transceiver-threshold voltage {high-alarm | high-warning | low-alarm | low-warning} threshold-value
  high-alarm – Sets the high voltage threshold for an alarm message.
  high-warning – Sets the high voltage threshold for a warning message.

show interfaces transceiver
This command displays identifying information for the specified transceiver, including connector type and vendor-related parameters, as well as the temperature, voltage, bias current, transmit power, and receive power.

SYNTAX
show interfaces transceiver [interface]
  interface
    ethernet unit/port
      unit - Unit identifier. (Range: 1)
      port - Port number.

show interfaces transceiver-threshold
This command displays the alarm/warning thresholds for temperature, voltage, bias current, transmit power, and receive power.

SYNTAX
show interfaces transceiver-threshold [interface]
  interface
    ethernet unit/port
      unit - Unit identifier. (Range: 1)
      port - Port number. (Range: 1-28)

DEFAULT SETTING
Shows all SFP interfaces.
Cable Diagnostics

test cable-diagnostics
This command performs cable diagnostics on the specified port to diagnose any cable faults (short, open, etc.) and report the cable length.

SYNTAX
test cable-diagnostics interface interface
  interface
    ethernet unit/port
      unit - Unit identifier. (Range: 1)
      port - Port number. (Range: 1-28)

COMMAND MODE
Privileged Exec

COMMAND USAGE
◆ Cable diagnostics are performed using Digital Signal Processing (DSP) test methods.

EXAMPLE
Console#test cable-diagnostics interface ethernet 1/24
Console#show cable-diagnostics interface ethernet 1/24
Port      Type  Link Status  Pair A (meters)  Pair B (meters)  Last Update
--------  ----  -----------  ---------------  ---------------  -------------------
Eth 1/25  GE    Up           OK (21)          OK (21)          2009-11-13 09:44:19
Console#

show cable-diagnostics
This command shows the results of a cable diagnostics test.
Power Savings

power-save
This command enables power savings mode on the specified port. Use the no form to disable it.

SYNTAX
[no] power-save

COMMAND MODE
Interface Configuration (Ethernet)

COMMAND USAGE
◆ IEEE 802.3 defines the Ethernet standard and subsequent power requirements based on cable connections operating at 100 meters.

NOTE: Power savings can only be implemented on Gigabit Ethernet ports using twisted-pair cabling. Power-savings mode on an active link only works when the connection speed is 1 Gbps and the line length is less than 60 meters.

EXAMPLE
Console(config)#interface ethernet 1/28
Console(config-if)#power-save
Console(config-if)#

show power-save
This command shows the configuration settings for power savings.
28 LINK AGGREGATION COMMANDS Ports can be statically grouped into an aggregate link (i.e., trunk) to increase the bandwidth of a network connection or to ensure fault recovery. Or you can use the Link Aggregation Control Protocol (LACP) to automatically negotiate a trunk link between this switch and another network device. For static trunks, the switches have to comply with the Cisco EtherChannel standard. For dynamic trunks, the switches have to comply with LACP. This switch supports up to 12 trunks.
CHAPTER 28 | Link Aggregation Commands Manual Configuration Commands ◆ The ports at both ends of a connection must be configured as trunk ports. ◆ All ports in a trunk must be configured in an identical manner, including communication mode (i.e., speed and duplex mode), VLAN assignments, and CoS settings. ◆ Any of the Gigabit ports on the front panel can be trunked together, including ports of different media types.
DEFAULT SETTING
src-dst-mac

COMMAND MODE
Global Configuration

COMMAND USAGE
◆ This command applies to all static and dynamic trunks on the switch.

channel-group
This command adds a port to a trunk. Use the no form to remove a port from a trunk.

SYNTAX
channel-group channel-id
no channel-group
  channel-id - Trunk index (Range: 1-12)

DEFAULT SETTING
The current port will be added to this trunk.

COMMAND MODE
Interface Configuration (Ethernet)

COMMAND USAGE
◆ When configuring static trunks, the switches must comply with the Cisco EtherChannel standard.

Dynamic Configuration Commands

◆ A trunk formed with another switch using LACP is automatically assigned the next available port-channel ID.
◆ If the target switch has also enabled LACP on the connected ports, the trunk is activated automatically.
◆ If more than eight ports attached to the same target switch have LACP enabled, the additional ports are placed in standby mode, and are only enabled if one of the active links fails.
lacp admin-key (Ethernet Interface)
This command configures a port's LACP administration key. Use the no form to restore the default setting.

SYNTAX
lacp {actor | partner} admin-key key
no lacp {actor | partner} admin-key
  actor - The local side of an aggregate link.
  partner - The remote side of an aggregate link.
  key - The port admin key must be set to the same value for ports that belong to the same link aggregation group (LAG).

lacp port-priority
This command configures LACP port priority. Use the no form to restore the default setting.

SYNTAX
lacp {actor | partner} port-priority priority
no lacp {actor | partner} port-priority
  actor - The local side of an aggregate link.
  partner - The remote side of an aggregate link.
  priority - LACP port priority is used to select a backup link.

lacp system-priority
This command configures a port's LACP system priority. Use the no form to restore the default setting.

SYNTAX
lacp {actor | partner} system-priority priority
no lacp {actor | partner} system-priority
  actor - The local side of an aggregate link.
  partner - The remote side of an aggregate link.

DEFAULT SETTING
0

COMMAND MODE
Interface Configuration (Port Channel)

COMMAND USAGE
◆ Ports are only allowed to join the same LAG if (1) the LACP system priority matches, (2) the LACP port admin key matches, and (3) the LACP port channel key matches (if configured).
◆ If the port channel admin key (lacp admin key - Port Channel) is not set when a channel group is formed (i.e.
◆ If the actor does not receive an LACPDU from its partner before the configured timeout expires, the partner port information will be deleted from the LACP group.
◆ When a dynamic port-channel member leaves a port-channel, the default timeout value will be restored on that port.
◆ When a dynamic port-channel is torn down, the configured timeout value will be retained.
Trunk Status Display Commands
EXAMPLE
Console#show lacp 1 counters
Port Channel: 1
------------------------------------------------------------------------
Eth 1/ 2
------------------------------------------------------------------------
LACPDUs Sent : 12
LACPDUs Received : 6
Marker Sent : 0
Marker Received : 0
LACPDUs Unknown Pkts : 0
LACPDUs Illegal Pkts : 0
. . .
Table 111: show lacp internal - display description (Continued)
Field - Description
LACP Port Priority - LACP port priority assigned to this interface within the channel group.
Admin State, Oper State -
◆ Expired – The actor's receive machine is in the expired state;
◆ Defaulted – The actor's receive machine is using defaulted operational partner information, administratively configured for the partner.
Table 112: show lacp neighbors - display description (Continued)
Field - Description
Port Admin Priority - Current administrative value of the port priority for the protocol partner.
Port Oper Priority - Priority value assigned to this aggregation port by the partner.
Admin Key - Current administrative value of the Key for the protocol partner.
Oper Key - Current operational value of the Key for the protocol partner.
29 PORT MIRRORING COMMANDS Data can be mirrored from a local port on the same switch or from a remote port on another switch for analysis at the target port using software monitoring tools or a hardware probe. This switch supports the following mirroring modes.
CHAPTER 29 | Port Mirroring Commands
Local Port Mirroring Commands
vlan-id - VLAN ID (Range: 1-4094)
mac-address - MAC address in the form of xx-xx-xx-xx-xx-xx or xxxxxxxxxxxx.
acl-name - Name of the ACL. (Maximum length: 16 characters, no spaces or other special characters)
DEFAULT SETTING
◆ No mirror session is defined.
◆ When enabled for an interface, default mirroring is for both received and transmitted packets.
◆ ACL-based mirroring is only used for ingress traffic. To mirror an ACL, follow these steps:
1. Use the access-list command (page 951) to add an ACL.
2. Use the access-group command to add a mirrored port to the access control list.
3. Use the port monitor access-list command to specify the destination port to which traffic matching the ACL will be mirrored.
COMMAND USAGE
This command displays the currently configured source port, destination port, and mirror mode (i.e., RX, TX, RX/TX).
RSPAN Mirroring Commands
4. Use the rspan remote vlan command to specify the VLAN to be used for an RSPAN session, to specify the switch's role as a source, intermediate relay, or destination of the mirrored traffic, and to configure the uplink ports designated to carry this traffic.
rspan source
Use this command to specify the source port and traffic type to be mirrored remotely. Use the no form to disable RSPAN on the specified port, or with a traffic type keyword to disable mirroring for the specified type.
SYNTAX
[no] rspan session session-id source interface interface-list [rx | tx | both]
session-id - A number identifying this RSPAN session.
rspan destination
Use this command to specify the destination port to monitor the mirrored traffic. Use the no form to disable RSPAN on the specified port.
SYNTAX
rspan session session-id destination interface interface [tagged | untagged]
no rspan session session-id destination interface interface
session-id - A number identifying this RSPAN session. (Range: 1) Only one mirror session is allowed, including both local and remote mirroring.
rspan remote vlan
Use this command to specify the RSPAN VLAN, switch role (source, intermediate or destination), and the uplink ports. Use the no form to disable RSPAN on the specified VLAN.
SYNTAX
[no] rspan session session-id remote vlan vlan-id {source | intermediate | destination} uplink interface
session-id - A number identifying this RSPAN session.
show vlan command will not display any members for an RSPAN VLAN, but will only show configured RSPAN VLAN identifiers.
EXAMPLE
The following example enables RSPAN on VLAN 2, specifies this device as an RSPAN destination switch, and the uplink interface as port 3:
Console(config)#rspan session 1 remote vlan 2 destination uplink ethernet 1/3
Console(config)#
no rspan session
Use this command to delete a configured RSPAN session.
EXAMPLE
Console#show rspan session
RSPAN Session ID                : 1
Source Ports (mirrored ports)   : None
  RX Only                       : None
  TX Only                       : None
  BOTH                          : None
Destination Port (monitor port) : Eth 1/2
Destination Tagged Mode         : Untagged
Switch Role                     : Destination
RSPAN VLAN                      : 2
RSPAN Uplink Ports              : Eth 1/3
Operation Status                : Up
Console#
30 CONGESTION CONTROL COMMANDS
The switch can set the maximum upload or download data transfer rate for any port. It can control traffic storms by setting a maximum threshold for broadcast traffic or multicast traffic. It can also set bounding thresholds for broadcast and multicast storms which can be used to automatically trigger rate limits or to shut down a port.
Table 117: Congestion Control Commands
Command Group - Function
Rate Limiting - Sets the input and output rate limits for a port.
CHAPTER 30 | Congestion Control Commands
Rate Limit Commands
rate-limit
This command defines the rate limit for a specific interface. Use this command without specifying a rate to restore the default rate. Use the no form to restore the default status of disabled.
SYNTAX
rate-limit {input | output} [rate]
no rate-limit {input | output}
input - Input rate for specified interface
output - Output rate for specified interface
rate - Maximum value in Kbps.
STORM CONTROL COMMANDS
Storm control commands can be used to configure broadcast, multicast, and unknown unicast storm control thresholds. Traffic storms may occur when a device on your network is malfunctioning, or if application programs are not well designed or properly configured. If there is too much traffic on your network, performance can be severely degraded or everything can come to a complete halt.
switchport packet-rate
This command configures broadcast, multicast and unknown unicast storm packet-rate control. Use the no form to restore the default setting.
SYNTAX
switchport {broadcast | multicast | unicast} packet-rate rate
no switchport {broadcast | multicast | unicast}
broadcast - Specifies storm control for broadcast traffic.
multicast - Specifies storm control for multicast traffic.
RELATED COMMANDS
storm-sample-type
show interfaces switchport
AUTOMATIC TRAFFIC CONTROL COMMANDS
Automatic Traffic Control (ATC) configures bounding thresholds for broadcast and multicast storms which can be used to trigger configured rate limits or to shut down a port.
Table 120: ATC Commands (Continued)
Command - Function - Mode
snmp-server enable port-traps atc multicast-control-apply - Sends a trap when multicast traffic exceeds the upper threshold for automatic storm control and the apply timer expires - IC (Port)
snmp-server enable port-traps atc multicast-control-release - Sends a trap when multicast traffic falls beneath the lower threshold after a storm control response has been triggered and
expires. When ingress traffic falls below this threshold, ATC sends a Storm Alarm Clear Trap and logs it.
◆ When traffic falls below the alarm clear threshold after the release timer expires, traffic control (for rate limiting) will be stopped and a Traffic Control Release Trap sent and logged.
Threshold Commands
auto-traffic-control apply-timer
This command sets the time at which to apply the control response after ingress traffic has exceeded the upper threshold. Use the no form to restore the default setting.
SYNTAX
auto-traffic-control {broadcast | multicast} apply-timer seconds
no auto-traffic-control {broadcast | multicast} apply-timer
broadcast - Specifies automatic storm control for broadcast traffic.
seconds - The time at which to release the control response after ingress traffic has fallen beneath the lower threshold. (Range: 1-900 seconds)
DEFAULT SETTING
900 seconds
COMMAND MODE
Global Configuration
COMMAND USAGE
This command sets the delay after which the control response can be terminated.
EXAMPLE
This example enables automatic storm control for broadcast traffic on port 1.
Console(config)#interface ethernet 1/1
Console(config-if)#auto-traffic-control broadcast
Console(config-if)#
auto-traffic-control action
This command sets the control action to limit ingress traffic or shut down the offending port. Use the no form to restore the default setting.
EXAMPLE
This example sets the control response for broadcast traffic on port 1.
EXAMPLE
This example sets the clear threshold for automatic storm control for broadcast traffic on port 1.
Console(config)#interface ethernet 1/1
Console(config-if)#auto-traffic-control broadcast alarm-clear-threshold 155
Console(config-if)#
auto-traffic-control alarm-fire-threshold
This command sets the upper threshold for ingress traffic beyond which a storm control response is triggered after the apply timer expires.
auto-traffic-control auto-control-release
This command automatically releases a control response of rate-limiting after the time specified in the auto-traffic-control release-timer command has expired.
SYNTAX
auto-traffic-control {broadcast | multicast} auto-control-release
broadcast - Specifies automatic storm control for broadcast traffic.
multicast - Specifies automatic storm control for multicast traffic.
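The ATC sequence described by the apply-timer, release-timer, threshold and auto-control-release commands above, as an added timeline model that is not code from this guide or the switch firmware. It assumes an apply-timer value of 5 seconds (only the release-timer default of 900 seconds is stated here), assumes a "shutdown" action keyword beside the "rate-control" value shown in the show output, and assumes that only a rate-control response is released automatically.

```python
"""Timeline model of Automatic Traffic Control (ATC) thresholds and timers.

Added example, not code from the Edge-core guide or the switch firmware. It
models the trap and response sequence the ATC command descriptions give
(alarm-fire-threshold, apply-timer, alarm-clear-threshold, release-timer,
auto-control-release) so an operator can see which traps and actions a given
series of ingress rates would produce. Rates are in Kpps as in the
'show auto-traffic-control interface' output; time is in whole seconds.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class AtcConfig:
    alarm_fire_threshold: int = 128   # Kpps; upper threshold (default in the show output)
    alarm_clear_threshold: int = 128  # Kpps; lower threshold (default in the show output)
    apply_timer: int = 5              # seconds; assumed value, default not on this page
    release_timer: int = 900          # seconds; page default
    action: str = "rate-control"      # "rate-control" (on the page) or "shutdown" (assumed keyword)
    auto_control_release: bool = False


@dataclass
class AtcPort:
    cfg: AtcConfig
    alarm: bool = False                # storm alarm currently raised
    controlled: bool = False           # control response currently applied
    over_since: Optional[int] = None   # second the rate first exceeded the fire threshold
    under_since: Optional[int] = None  # second the rate first fell below the clear threshold
    events: List[Tuple[int, str]] = field(default_factory=list)

    def step(self, t: int, kpps: int) -> None:
        """Process one per-second ingress rate sample for this port."""
        c = self.cfg
        if kpps > c.alarm_fire_threshold:
            self.under_since = None
            if not self.alarm:
                self.alarm = True
                self.over_since = t
                self.events.append((t, "Storm Alarm Fire Trap"))
            # the control response is applied once the apply timer has expired
            if not self.controlled and t - self.over_since >= c.apply_timer:
                self.controlled = True
                self.events.append((t, f"Traffic Control Apply Trap ({c.action})"))
        elif kpps < c.alarm_clear_threshold:
            self.over_since = None
            if self.alarm:
                self.alarm = False
                self.under_since = t
                self.events.append((t, "Storm Alarm Clear Trap"))
            # only a rate-control response is released automatically, and only
            # when auto-control-release is set; a shutdown stays in place until
            # an operator releases it (modelling assumption)
            if (self.controlled and c.auto_control_release
                    and c.action == "rate-control" and self.under_since is not None
                    and t - self.under_since >= c.release_timer):
                self.controlled = False
                self.events.append((t, "Traffic Control Release Trap"))
        # a rate between the two thresholds changes nothing (hysteresis band)


def simulate(cfg: AtcConfig, rates: List[int]) -> List[Tuple[int, str]]:
    """Feed one ingress rate sample per second and return the (time, event) log."""
    port = AtcPort(cfg)
    for t, kpps in enumerate(rates):
        port.step(t, kpps)
    return port.events


if __name__ == "__main__":
    # Constructed sample: a 200 Kpps broadcast burst for four seconds, then quiet.
    cfg = AtcConfig(alarm_clear_threshold=100, apply_timer=3, release_timer=4,
                    auto_control_release=True)
    for t, event in simulate(cfg, [50, 200, 200, 200, 200, 50, 50, 50, 50, 50]):
        print(f"t={t:>2}s  {event}")
```

A burst shorter than the apply timer raises and clears the alarm without ever applying the response, which is the case the apply-timer command exists for.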
EXAMPLE
Console(config)#interface ethernet 1/1
Console(config-if)#auto-traffic-control broadcast auto-control-release
Console(config-if)#
SNMP Trap Commands
snmp-server enable port-traps atc broadcast-alarm-
This command sends a trap when broadcast traffic falls beneath the lower threshold after a storm control response has been triggered. Use the no form to disable this trap.
EXAMPLE
Console(config)#interface ethernet 1/1
Console(config-if)#snmp-server enable port-traps atc broadcast-alarm-fire
Console(config-if)#
RELATED COMMANDS
auto-traffic-control alarm-fire-threshold (1038)
snmp-server enable port-traps atc broadcast-control-
This command sends a trap when broadcast traffic exceeds the upper threshold for automatic storm control and the apply timer expires. Use the no form to disable this trap.
EXAMPLE
Console(config)#interface ethernet 1/1
Console(config-if)#snmp-server enable port-traps atc broadcast-control-release
Console(config-if)#
RELATED COMMANDS
auto-traffic-control alarm-clear-threshold (1037)
auto-traffic-control action (1036)
auto-traffic-control release-timer (1034)
snmp-server enable port-traps atc
This command sends a trap when multicast traffic falls beneath the lower threshold after a storm control respo
EXAMPLE
Console(config)#interface ethernet 1/1
Console(config-if)#snmp-server enable port-traps atc multicast-alarm-fire
Console(config-if)#
RELATED COMMANDS
auto-traffic-control alarm-fire-threshold (1038)
snmp-server enable port-traps atc multicast-control-
This command sends a trap when multicast traffic exceeds the upper threshold for automatic storm control and the apply timer expires. Use the no form to disable this trap.
EXAMPLE
Console(config)#interface ethernet 1/1
Console(config-if)#snmp-server enable port-traps atc multicast-control-release
Console(config-if)#
RELATED COMMANDS
auto-traffic-control alarm-clear-threshold (1037)
auto-traffic-control action (1036)
auto-traffic-control release-timer (1034)
ATC Display Commands
show auto-traffic-control
This command shows global configuration settings for automatic storm control.
EXAMPLE
Console#show auto-traffic-control interface ethernet 1/1
Eth 1/1 Information
-----------------------------------------------------------------------
Storm Control:               Broadcast     Multicast
State:                       Disabled      Disabled
Action:                      rate-control  rate-control
Auto Release Control:        Disabled      Disabled
Alarm Fire Threshold(Kpps):  128           128
Alarm Clear Threshold(Kpps): 128           128
Trap Storm Fire:             Disabled      Disabled
Trap Storm Clear:            Disabled      Disabled
Tr
31 LOOPBACK DETECTION COMMANDS The switch can be configured to detect general loopback conditions caused by hardware problems or faulty protocol settings. When enabled, a control frame is transmitted on the participating ports, and the switch monitors inbound traffic to see if the frame is looped back.
CHAPTER 31 | Loopback Detection Commands
loopback-detection
This command enables loopback detection globally on the switch or on a specified interface. Use the no form to disable loopback detection.
SYNTAX
[no] loopback-detection
DEFAULT SETTING
Disabled
COMMAND MODE
Global Configuration
Interface Configuration (Ethernet, Port Channel)
COMMAND USAGE
Loopback detection must be enabled globally for the switch by this command and enabled for a specific interface for this function to take effect.
COMMAND USAGE
◆ When the response to a detected loopback condition is set to block user traffic, loopback detection control frames may be untagged or tagged depending on the port's VLAN membership type.
◆ When the response to a detected loopback condition is set to block user traffic, ingress filtering for the port is enabled automatically if not already enabled by the switchport ingress-filtering command.
EXAMPLE
Console(config)#loopback-detection recover-time 120
Console(config)#
loopback-detection transmit-interval
This command specifies the interval at which to transmit loopback detection control frames. Use the no form to restore the default setting.
SYNTAX
loopback-detection transmit-interval seconds
no loopback-detection transmit-interval
seconds - The transmission interval for loopback detection control frames.
COMMAND MODE
Global Configuration
COMMAND USAGE
Refer to the loopback-detection recover-time command for information on conditions which constitute loopback recovery.
EXAMPLE
Console(config)#loopback-detection trap both
Console(config)#
loopback-detection release
This command releases all interfaces currently shut down by the loopback detection feature.
Trap : None
Loopback Detection Port Information
Port     Admin State Oper State
-------- ----------- ----------
Eth 1/ 1 Enabled     Normal
Eth 1/ 2 Disabled    Disabled
Eth 1/ 3 Disabled    Disabled
. . .
32 UNIDIRECTIONAL LINK DETECTION COMMANDS
The switch can be configured to detect and disable unidirectional Ethernet fiber or copper links. When enabled, the protocol advertises a port's identity, learns about its neighbors on a specific LAN segment, and stores information about its neighbors in a cache. It can also send out a train of echo messages under circumstances that require fast notifications or re-synchronization of the cached information.
CHAPTER 32 | UniDirectional Link Detection Commands If the link is deemed anything other than bidirectional at the end of the detection phase, this curve becomes a flat line with a fixed value of Mfast (7 seconds). If the link is instead deemed bidirectional, the curve will use Mfast for the first four subsequent message transmissions and then transition to an Mslow value for all other steady-state transmissions. Mslow is the value configured by this command.
problem. Because this type of detection can be event-less, and lack of information cannot always be associated with an actual malfunction of the link, this mode is optional and is recommended only in certain scenarios (typically only on point-to-point links where no communication failure between two neighbors is admissible).
EXAMPLE
This example enables UDLD aggressive mode on port 1.
show udld
This command shows UDLD configuration settings and operational status for the switch or for a specified interface.
SYNTAX
show udld [interface interface]
interface ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number.
Table 123: show udld - display description (Continued)
Field - Description
Port State - Shows the UDLD port state (Unknown, Bidirectional, Unidirectional, Transmit-to-receive loop, Mismatch with neighbor state reported, Neighbor's echo is empty). The state is Unknown if the link is down or not connected to a UDLD-capable device. The state is Bidirectional if the link has a normal two-way connection to a UDLD-capable device.
33 ADDRESS TABLE COMMANDS These commands are used to configure the address table for filtering specified addresses, displaying current entries, clearing the table, or setting the aging time.
CHAPTER 33 | Address Table Commands
EXAMPLE
Console(config)#mac-address-table aging-time 100
Console(config)#
mac-address-table static
This command maps a static address to a destination port in a VLAN. Use the no form to remove an address.
SYNTAX
mac-address-table static mac-address interface interface vlan vlan-id [action]
no mac-address-table static mac-address vlan vlan-id
mac-address - MAC address.
interface ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number.
EXAMPLE
Console(config)#mac-address-table static 00-e0-29-94-34-de interface ethernet 1/1 vlan 1 delete-on-reset
Console(config)#
clear mac-address-table dynamic
This command removes any learned entries from the forwarding database.
DEFAULT SETTING
None
COMMAND MODE
Privileged Exec
EXAMPLE
Console#clear mac-address-table dynamic
Console#
show mac-address-
This command shows classes of entries in the bridge-forwarding database.
COMMAND USAGE
◆ The MAC Address Table contains the MAC addresses associated with each interface. Note that the Type field may include the following types:
■ Learn - Dynamic address entries
■ Learned-PSEC - Address learned through port security
■ Config - Static entry
◆ The mask should be hexadecimal numbers (representing an equivalent bit mask) in the form xx-xx-xx-xx-xx-xx that is applied to the specified MAC address.
show mac-address-table count
This command shows the number of MAC addresses used and the number of available MAC addresses for the overall system or for an interface.
SYNTAX
show mac-address-table count interface interface
interface ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number.
34 SPANNING TREE COMMANDS This section includes commands that configure the Spanning Tree Algorithm (STA) globally for the switch, and commands that configure STA for the selected interface.
Table 125: Spanning Tree Commands (Continued)
Command - Function - Mode
spanning-tree loopback-detection release-mode - Configures loopback release mode for a port - IC
spanning-tree loopback-detection trap - Enables BPDU loopback SNMP trap notification for a port - IC
spanning-tree mst cost - Configures the path cost of an instance in the MST - IC
spanning-tree mst port-priority - Configures the priority of an instance in the MST - IC
spanning-tree port-bpdu-flooding - Floods B
CHAPTER 34 | Spanning Tree Commands
EXAMPLE
This example shows how to enable the Spanning Tree Algorithm for the switch:
Console(config)#spanning-tree
Console(config)#
spanning-tree cisco-prestandard
This command configures spanning tree operation to be compatible with Cisco prestandard versions. Use the no form to restore the default setting.
COMMAND USAGE
This command sets the maximum time (in seconds) a port will wait before changing states (i.e., discarding to learning to forwarding). This delay is required because every device must receive information about topology changes before it starts to forward frames. In addition, each port needs time to listen for conflicting information that would make it return to the discarding state; otherwise, temporary data loops might result.
spanning-tree max-age
This command configures the spanning tree bridge maximum age globally for this switch. Use the no form to restore the default.
SYNTAX
spanning-tree max-age seconds
no spanning-tree max-age
seconds - Time in seconds. (Range: 6-40 seconds)
The minimum value is the higher of 6 or [2 x (hello-time + 1)]. The maximum value is the lower of 40 or [2 x (forward-time - 1)].
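The max-age bounds above depend on the hello and forward-delay timers, so a value that is valid with one timer set is rejected with another. The following is an added check, not code from this guide, that computes the allowed max-age window from the stated rule and explains why a proposed value passes or fails; it goes slightly beyond the text by also reporting when the two bounds leave no valid value at all.

```python
"""Check the spanning-tree max-age bounds stated for this switch.

Added example, not code from the guide: it applies the rule that max-age must
lie between the higher of 6 or 2 x (hello-time + 1) and the lower of 40 or
2 x (forward-time - 1), and reports whether a proposed timer set is consistent.
All values are seconds.
"""
from typing import Optional, Tuple


def max_age_window(hello_time: int, forward_time: int) -> Optional[Tuple[int, int]]:
    """Return the (lowest, highest) max-age allowed for the given hello-time and
    forward-time, or None when the two bounds leave no valid value."""
    lowest = max(6, 2 * (hello_time + 1))
    highest = min(40, 2 * (forward_time - 1))
    if lowest > highest:
        return None
    return lowest, highest


def check_timers(hello_time: int, forward_time: int, max_age: int) -> str:
    """Explain whether max_age is acceptable for the given hello/forward timers."""
    window = max_age_window(hello_time, forward_time)
    if window is None:
        return (f"no valid max-age: hello-time {hello_time} requires at least "
                f"{2 * (hello_time + 1)} s but forward-time {forward_time} allows at most "
                f"{2 * (forward_time - 1)} s")
    lowest, highest = window
    if lowest <= max_age <= highest:
        return f"ok: max-age {max_age} within {lowest}-{highest}"
    return f"rejected: max-age {max_age} outside {lowest}-{highest}"


if __name__ == "__main__":
    # Constructed samples: common 802.1D defaults, then a forward-time too
    # small for the same max-age, then a hello-time that raises the floor.
    print(check_timers(2, 15, 20))
    print(check_timers(2, 4, 20))
    print(check_timers(10, 15, 20))
```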
COMMAND MODE
Global Configuration
COMMAND USAGE
◆ Spanning Tree Protocol
This option uses RSTP set to STP forced compatibility mode. It uses RSTP for the internal state machine, but sends only 802.1D BPDUs. This creates one spanning tree instance for the entire network. If multiple VLANs are implemented on a network, the path between specific VLAN members may be inadvertently disabled to prevent network loops, thus isolating group members.
spanning-tree pathcost method
This command configures the path cost method used for Rapid Spanning Tree and Multiple Spanning Tree. Use the no form to restore the default.
SYNTAX
spanning-tree pathcost method {long | short}
no spanning-tree pathcost method
long - Specifies 32-bit based values that range from 1-200,000,000. This method is based on the IEEE 802.1w Rapid Spanning Tree Protocol.
short - Specifies 16-bit based values that range from 1-65535.
COMMAND MODE
Global Configuration
COMMAND USAGE
Bridge priority is used in selecting the root device, root port, and designated port. The device with the highest priority (i.e., lower numeric value) becomes the STA root device. However, if all devices have the same priority, the device with the lowest MAC address will then become the root device.
spanning-tree system-bpdu-flooding
This command configures the system to flood BPDUs to all other ports on the switch or just to all other ports in the same VLAN when spanning tree is disabled globally on the switch or disabled on a specific port. Use the no form to restore the default.
SYNTAX
spanning-tree system-bpdu-flooding {to-all | to-vlan}
no spanning-tree system-bpdu-flooding
to-all - Floods BPDUs to all other ports on the switch.
EXAMPLE
Console(config)#spanning-tree transmission-limit 4
Console(config)#
max-hops
This command configures the maximum number of hops in the region before a BPDU is discarded. Use the no form to restore the default.
SYNTAX
max-hops hop-number
hop-number - Maximum hop number for multiple spanning tree. (Range: 1-40)
DEFAULT SETTING
20
COMMAND MODE
MST Configuration
COMMAND USAGE
An MSTI region is treated as a single node by the STP and RSTP protocols.
DEFAULT SETTING
32768
COMMAND MODE
MST Configuration
COMMAND USAGE
◆ MST priority is used in selecting the root bridge and alternate bridge of the specified instance. The device with the highest priority (i.e., lowest numerical value) becomes the MSTI root device. However, if all devices have the same priority, the device with the lowest MAC address will then become the root device.
which cover the same general area of your network. However, remember that you must configure all bridges within the same MSTI Region (page 1076) with the same set of instances, and the same instance (on each bridge) with the same set of VLANs. Also, note that RSTP treats each MSTI region as a single node, connecting all regions to the Common Spanning Tree.
DEFAULT SETTING
0
COMMAND MODE
MST Configuration
COMMAND USAGE
The MST region name (page 1076) and revision number are used to designate a unique MST region. A bridge (i.e., spanning-tree compliant device such as this switch) can only belong to one MST region. And all bridges in the same region must be configured with the same MST instances.
EXAMPLE
Console(config)#interface ethernet 1/5
Console(config-if)#spanning-tree edge-port
Console(config-if)#spanning-tree bpdu-filter
Console(config-if)#
RELATED COMMANDS
spanning-tree edge-port (1080)
spanning-tree bpdu-guard
This command shuts down an edge port (i.e., an interface set for fast forwarding) if it receives a BPDU. Use the no form without any keywords to disable this feature, or with a keyword to restore the default settings.
RELATED COMMANDS
spanning-tree edge-port (1080)
spanning-tree spanning-disabled (1088)
spanning-tree cost
This command configures the spanning tree path cost for the specified interface. Use the no form to restore the default auto-configuration mode.
SYNTAX
spanning-tree cost cost
no spanning-tree cost
cost - The path cost for the port.
◆ Path cost takes precedence over port priority.
◆ When the path cost method (page 1071) is set to short, the maximum value for path cost is 65,535.
EXAMPLE
Console(config)#interface ethernet 1/5
Console(config-if)#spanning-tree cost 50
Console(config-if)#
spanning-tree edge-port
This command specifies an interface as an edge port. Use the no form to restore the default.
spanning-tree link-type
This command configures the link type for Rapid Spanning Tree and Multiple Spanning Tree. Use the no form to restore the default.
SYNTAX
spanning-tree link-type {auto | point-to-point | shared}
no spanning-tree link-type
auto - Automatically derived from the duplex mode setting.
point-to-point - Point-to-point link.
shared - Shared medium.
COMMAND USAGE
◆ If Port Loopback Detection is not enabled and a port receives its own BPDU, then the port will drop the loopback BPDU according to IEEE Standard 802.1W-2001 9.3.4 (Note 1).
◆ Port Loopback Detection will not be active if Spanning Tree is disabled on the switch.
spanning-tree loopback-detection release-mode
This command configures the release mode for a port that was placed in the discarding state because a loopback BPDU was received. Use the no form to restore the default.
SYNTAX
spanning-tree loopback-detection release-mode {auto | manual}
no spanning-tree loopback-detection release-mode
auto - Allows a port to automatically be released from the discarding state when the loopback state ends.
spanning-tree loopback-detection trap
This command enables SNMP trap notification for Spanning Tree loopback BPDU detections. Use the no form to restore the default.
◆ This command is used by the multiple spanning-tree algorithm to determine the best path between devices. Therefore, lower values should be assigned to interfaces attached to faster media, and higher values assigned to interfaces with slower media.
◆ Use the no spanning-tree mst cost command to specify auto-configuration mode.
◆ Path cost takes precedence over interface priority.
RELATED COMMANDS
spanning-tree mst cost (1084)
spanning-tree port-bpdu-flooding
This command floods BPDUs to other ports when spanning tree is disabled globally or disabled on a specific port. Use the no form to restore the default setting.
COMMAND USAGE
◆ This command defines the priority for the use of a port in the Spanning Tree Algorithm. If the path cost for all ports on a switch is the same, the port with the highest priority (that is, lowest value) will be configured as an active link in the spanning tree.
◆ Where more than one port is assigned the highest priority, the port with the lowest numeric identifier will be enabled.
CHAPTER 34 | Spanning Tree Commands EXAMPLE Console(config)#interface ethernet 1/5 Console(config-if)#spanning-tree edge-port Console(config-if)#spanning-tree root-guard Console(config-if)# spanning-tree This command disables the spanning tree algorithm for the specified spanning-disabled interface. Use the no form to re-enable the spanning tree algorithm for the specified interface.
CHAPTER 34 | Spanning Tree Commands EXAMPLE Console(config)#interface ethernet 1/1 Console(config-if)#spanning-tree tc-prop-stop Console(config-if)# spanning-tree This command manually releases a port placed in discarding state by loopback-detection loopback-detection. release SYNTAX spanning-tree loopback-detection release interface interface ethernet unit/port unit - Unit identifier. (Range: 1) port - Port number.
CHAPTER 34 | Spanning Tree Commands COMMAND USAGE If at any time the switch detects STP BPDUs, including Configuration or Topology Change Notification BPDUs, it will automatically set the selected interface to forced STP-compatible mode. However, you can also use the spanning-tree protocol-migration command at any time to manually re-check the appropriate BPDU format to send on the selected interfaces (i.e., RSTP or STP-compatible).
◆ Use the show spanning-tree mst command to display the spanning tree configuration for all instances within the Multiple Spanning Tree (MST), including global settings and settings for active interfaces.
◆ Use the show spanning-tree mst instance-id command to display the spanning tree configuration for an instance within the Multiple Spanning Tree (MST), including global settings and settings for all interfaces.
Spanning-Tree Status              : Enabled
Loopback Detection Status         : Enabled
Loopback Detection Release Mode   : Auto
Loopback Detection Trap           : Disabled
Loopback Detection Action         : Block
Root Guard Status                 : Disabled
BPDU Guard Status                 : Disabled
BPDU Guard Auto Recovery          : Disabled
BPDU Guard Auto Recovery Interval : 300
BPDU Filter Status                : Disabled
. . .
This example shows a brief summary of the global and interface settings for the spanning tree.
35 ERPS COMMANDS

The G.8032 recommendation, also referred to as Ethernet Ring Protection Switching (ERPS), can be used to increase the availability and robustness of Ethernet rings. This chapter describes the commands used to configure ERPS.
CHAPTER 35 | ERPS Commands

Table 128: ERPS Commands (Continued)
Command | Function | Mode
erps clear | Manually clears the protection state invoked by a Forced Switch or Manual Switch command when the node is operating in non-revertive mode, or before the WTR or WTB timer expires when the node is operating in revertive mode | PE
erps forced-switch | Blocks the specified ring port | PE
erps manual-switch | Blocks the specified ring port, in the absence of a failure or an erps forced-switch command | PE
7. Enable an ERPS ring: Before an ERPS ring can work, it must be enabled using the enable command. When configuration is completed and the ring enabled, R-APS messages will start flowing in the control VLAN, and normal traffic will begin to flow in the data VLANs. To stop a ring, it can be disabled on any node using the no enable command.
8.
COMMAND MODE
Global Configuration
COMMAND USAGE
◆ Service instances within each ring are based on a unique maintenance association for the specific users, distinguished by the ring name, maintenance level, maintenance association's name, and assigned VLAN. Up to 6 ERPS rings can be configured on the switch.
◆ R-APS information is carried in R-APS PDUs. The last octet of the R-APS destination MAC address is designated as the Ring ID (01-19-A7-00-00-[Ring ID]).
◆ Once the ring has been activated with the enable command, the configuration of the control VLAN cannot be modified. Use the no enable command to stop the ERPS ring before making any configuration changes to the control VLAN.
guard-timer
This command sets the guard timer to prevent ring nodes from receiving outdated R-APS messages. Use the no form to restore the default setting.
SYNTAX
guard-timer milliseconds
milliseconds - The guard timer is used to prevent ring nodes from receiving outdated R-APS messages. For the duration of the guard timer, all received R-APS messages are ignored by the ring protection control process, giving time for old messages still circulating on the ring to expire.
server layer protection switch to have a chance to fix the problem before switching at a client layer. When a new defect or a more severe defect occurs (new Signal Failure), this event is not reported immediately to the protection switching mechanism if the provisioned hold-off timer value is non-zero. Instead, the hold-off timer is started. When the timer expires, the link is re-checked; only a defect that still exists at that point is reported to the protection switching mechanism.
meg-level
This command sets the Maintenance Entity Group level for a ring. Use the no form to restore the default setting.
SYNTAX
meg-level level
level - The maintenance entity group (MEG) level which provides a communication channel for ring automatic protection switching (R-APS) information. (Range: 0-7)
DEFAULT SETTING
1
COMMAND MODE
ERPS Configuration
COMMAND USAGE
◆ This parameter is used to ensure that received R-APS PDUs are directed for this ring.
DEFAULT SETTING
None
COMMAND MODE
ERPS Configuration
COMMAND USAGE
◆ If this command is used to monitor the link status of an ERPS node with CFM continuity check messages, then the MEG level set by the meg-level command must match the authorized maintenance level of the CFM domain to which the specified MEP belongs.
◆ To ensure complete monitoring of a ring node, use the mep-monitor command to specify the CFM MEPs used to monitor both the east and west ports of the ring node.
For example, a node that has one ring port in SF condition and detects that the condition has been cleared will continuously transmit R-APS (NR) messages with its own Node ID as priority information over both ring ports, informing its neighbors that no request is present at this node. When another recovered node holding the link blocked receives this message, it compares the Node ID information with its own.
Figure 415: Non-ERPS Device Protection (figure not reproduced: ring nodes A-F, the RPL Owner and RPL, two blocked ports, a fault, and two non-ERPS devices marked X)

When non-ERPS device protection is enabled on the ring, the ring ports on the RPL owner node and non-owner nodes will not be blocked when signal loss is detected by CCM loss events.
◆ When non-ERPS device protection is enabled on an RPL owner node, it will send non-standard health-check packets to poll the ring health when it enters the protection state.
the erps clear command is used to return the RPL from Protection state to Idle state.
◆ Recovery for Protection Switching – A ring node that has one or more ring ports in an SF (Signal Fail) condition, upon detecting the SF condition cleared, keeps at least one of its ring ports blocked for the traffic channel and for the R-APS channel, until the RPL is blocked as a result of ring protection reversion, or until there is another higher priority request (e.g.
c. When the operator issues the erps clear command for non-revertive mode at the RPL Owner Node, the non-revertive operation is cleared, the RPL Owner Node blocks its RPL port, and transmits an R-APS (NR, RB) message in both directions, repeatedly.
d. Upon receiving an R-APS (NR, RB) message, any blocking node should unblock its non-failed ring port. If it is an R-APS (NR, RB) message without a DNF indication, all ring nodes flush the FDB.
■ Recovery with non-revertive mode is handled in the following way:
a. The RPL Owner Node, upon reception of an R-APS (NR) message and in the absence of any other higher priority request, does not perform any action.
b. Then, after the operator issues the erps clear command at the RPL Owner Node, this ring node blocks the ring port attached to the RPL, transmits an R-APS (NR, RB) message on both ring ports, informing the ring that the RPL is blocked, and flushes its FDB.
c.
condition. If it is an R-APS (NR, RB) message without a DNF indication, all Ethernet Ring Nodes flush their FDB. This action unblocks the ring port which was blocked as a result of an operator command.
■ Recovery with non-revertive mode is handled in the following way:
a. The RPL Owner Node, upon reception of an R-APS (NR) message and in the absence of any other higher priority request, does not perform any action.
b.
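The revertive and non-revertive recovery sequences described above (R-APS (NR) from the recovered node, the WTR timer, the operator's erps clear, the RPL owner's R-APS (NR, RB) and the FDB flush) are easier to follow as a small state model. The following Python is an added example written for this page; it is not Edge-Core firmware and not taken from G.8032. It assumes a two-node view (the RPL owner and one recovered node), feeds WTR expiry in as an explicit event rather than clocking a timer, and leaves out the WTB timer and the DNF flag.

```python
"""Added model of G.8032 recovery at the RPL Owner Node in revertive and
non-revertive mode, written for this page (not Edge-Core firmware).
Assumptions: two-node view, WTR expiry is an explicit event, no WTB/DNF."""

from dataclasses import dataclass, field


@dataclass
class RplOwner:
    revertive: bool
    rpl_blocked: bool = True                  # Idle: traffic channel blocked at the RPL
    wtr_running: bool = False
    fdb_flushes: int = 0
    sent: list = field(default_factory=list)  # R-APS messages transmitted (type, port)

    def on_raps_sf(self):
        """Remote Signal Fail: unblock the RPL so traffic can use it (Protection)."""
        self.rpl_blocked = False
        self.wtr_running = False

    def on_raps_nr(self):
        """The failed link recovered and its node sends R-APS (NR).
        Revertive: start the WTR timer. Non-revertive (step a): no action."""
        if self.rpl_blocked:
            return                            # already Idle, nothing to revert
        if self.revertive:
            self.wtr_running = True

    def on_wtr_expiry(self):
        """WTR expires (revertive only): block the RPL and announce it."""
        if self.revertive and self.wtr_running:
            self._block_rpl()

    def on_erps_clear(self):
        """Operator 'erps clear' at the RPL owner: clears non-revertive
        operation (step b), or cuts a running WTR short in revertive mode."""
        if self.rpl_blocked:
            return
        if self.revertive and not self.wtr_running:
            return                            # failure still present, nothing to revert
        self._block_rpl()

    def _block_rpl(self):
        """Block the RPL port, send R-APS (NR, RB) on both ring ports, flush the FDB."""
        self.rpl_blocked = True
        self.wtr_running = False
        self.sent += [("NR,RB", "east"), ("NR,RB", "west")]
        self.fdb_flushes += 1


@dataclass
class RecoveredNode:
    """A node whose ring port had an SF that has cleared: it keeps that port
    blocked until R-APS (NR, RB) arrives, then unblocks and (without DNF) flushes."""
    port_blocked: bool = True
    fdb_flushes: int = 0

    def on_raps_nr_rb(self, dnf: bool = False):
        self.port_blocked = False
        if not dnf:
            self.fdb_flushes += 1


def run_recovery(revertive: bool, operator_clear: bool):
    """Play the recovery sequence through and return (owner, recovered node)."""
    owner, node = RplOwner(revertive=revertive), RecoveredNode()
    owner.on_raps_sf()        # a link failed somewhere on the ring: RPL unblocked
    owner.on_raps_nr()        # the failure cleared; the node keeps its port blocked
    owner.on_wtr_expiry()     # acts only when WTR was started (revertive mode)
    if operator_clear:
        owner.on_erps_clear()
    if any(msg == "NR,RB" for msg, _ in owner.sent):
        node.on_raps_nr_rb()  # deliver the owner's R-APS (NR, RB) to the node
    return owner, node
```

Running run_recovery(False, False) shows the operational trap of non-revertive mode: the RPL stays unblocked and the recovered node stays blocked until someone issues erps clear, so the ring keeps running on the RPL link indefinitely.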
EXAMPLE
Console(config-erps)#propagate-tc
Console(config-erps)#

raps-def-mac
This command sets the switch's MAC address to be used as the node identifier in R-APS messages. Use the no form to use the node identifier specified in the G.8032 standard.
SYNTAX
[no] raps-def-mac
DEFAULT SETTING
Enabled
COMMAND MODE
ERPS Configuration
COMMAND USAGE
◆ When ring nodes running ERPSv1 and ERPSv2 co-exist on the same ring, the Ring ID of each ring node must be configured as "1".
COMMAND USAGE
◆ A sub-ring may be attached to a primary ring with or without a virtual channel. A virtual channel is used to connect two interconnection points on the sub-ring, tunneling R-APS control messages across an arbitrary Ethernet network topology. If a virtual channel is not used to cross the intermediate Ethernet network, data in the traffic channel will still flow across the network, but all R-APS messages will be terminated at the interconnection points.
No R-APS messages are inserted or extracted by other rings or sub-rings at the interconnection nodes where a sub-ring is attached. Hence there is no need for either additional bandwidth or for different VIDs/Ring IDs for the ring interconnection. Furthermore, protection switching time for a sub-ring is independent of the configuration or topology of the interconnected rings.
COMMAND USAGE
◆ Each node must be connected to two neighbors on the ring. For convenience, the connected ports are referred to as east and west ports. By convention, the closest neighbor to the east is the next node in the ring in a clockwise direction, and the closest neighbor to the west is the next node in the ring in a counter-clockwise direction.
◆ Note that a ring port cannot be configured as a member of a spanning tree, a dynamic trunk, or a static trunk.
of the RPL. If the switch is set as the RPL neighbor for an ERPS domain, the east ring port is set as the other end of the RPL.
◆ The east and west connections to the ring must be specified for all ring nodes using the ring-port command. When this switch is configured as the RPL neighbor, the east ring port is set as being connected to the RPL.
◆ Note that it is not mandatory to declare an RPL neighbor.
version
This command specifies compatibility with ERPS version 1 or 2.
SYNTAX
version {1 | 2}
1 - ERPS version 1 based on ITU-T G.8032/Y.1344.
2 - ERPS version 2 based on ITU-T G.8032/Y.1344 Version 2.
wtr-timer
This command sets the wait-to-restore timer, which is used to verify that the ring has stabilized before blocking the RPL after recovery from a signal failure. Use the no form to restore the default setting.
SYNTAX
wtr-timer minutes
minutes - The wait-to-restore timer is used to verify that the ring has stabilized before blocking the RPL after recovery from a signal failure.
erps clear
This command manually clears the protection state invoked by a forced switch or manual switch command when the node is operating in non-revertive mode, or before the WTR or WTB timer expires when the node is operating in revertive mode.
SYNTAX
erps clear domain ring-name
ring-name - Name of a specific ERPS ring.
COMMAND USAGE
◆ A ring with no pending request has a logical topology with the traffic channel blocked at the RPL and unblocked on all other ring links. In this situation, the erps forced-switch command triggers protection switching as follows:
a. The ring node where a forced switch command was issued blocks the traffic channel and R-APS channel on the ring port to which the command was issued, and unblocks the other ring port.
b.
Table 129: ERPS Request/State Priority (Continued)
(rows are listed from higher to lower priority)
Request / State | Type | Priority
R-APS (FS) | remote |
SF (a) | local |
clear SF | local |
R-APS (SF) | remote |
R-APS (MS) | remote |
MS | local |
WTR Expires | local |
WTR Running | local |
WTB Expires | local |
WTB Running | local |
R-APS (NR, RB) | remote |
R-APS (NR) | remote | lowest
a. If an Ethernet Ring Node is in the Forced Switch state, local SF is ignored.
COMMAND MODE
Privileged Exec
COMMAND USAGE
◆ A ring with no request has a logical topology with the traffic channel blocked at the RPL and unblocked on all other ring links. In this situation, the erps manual-switch command triggers protection switching as follows:
a.
c. A ring node with a local manual switch command that receives an R-APS message or a local request of higher priority than R-APS (MS) clears its manual switch request. The ring node then processes the new higher priority request.
◆ Recovery for manual switching under revertive and non-revertive mode is described under the Command Usage section for the non-revertive command.
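The priority order in Table 129 and the manual-switch rule in step c above together decide which request a node acts on. The following Python is an added example written for this page (not Edge-Core firmware); it uses only the rows of Table 129 that are reproduced on this page, so the higher-priority rows that precede R-APS (FS) in the full table are deliberately absent, and it applies footnote a explicitly.

```python
"""Added example: ERPS request arbitration from Table 129 (this page's rows only).
Not switch firmware. Requests are named after the table rows, highest first."""

# Rows of Table 129 as reproduced on this page, highest priority first.
PRIORITY = [
    "R-APS(FS) remote",
    "SF local",             # footnote a: ignored while in Forced Switch state
    "clear SF local",
    "R-APS(SF) remote",
    "R-APS(MS) remote",
    "MS local",
    "WTR expires local",
    "WTR running local",
    "WTB expires local",
    "WTB running local",
    "R-APS(NR,RB) remote",
    "R-APS(NR) remote",     # lowest
]
RANK = {name: i for i, name in enumerate(PRIORITY)}   # lower rank = higher priority


def top_request(pending, in_forced_switch=False):
    """Return the highest-priority request among `pending`, or None.
    Unknown request names are ignored; in Forced Switch state a local SF
    is dropped before the comparison (Table 129, footnote a)."""
    candidates = [r for r in pending if r in RANK]
    if in_forced_switch:
        candidates = [r for r in candidates if r != "SF local"]
    if not candidates:
        return None
    return min(candidates, key=RANK.__getitem__)


def manual_switch_cleared(incoming):
    """True when a node holding a local MS must drop it: the incoming R-APS
    message or local request outranks R-APS (MS) (erps manual-switch, step c)."""
    return incoming in RANK and RANK[incoming] < RANK["R-APS(MS) remote"]


def next_action(pending, in_forced_switch=False, holding_manual_switch=False):
    """Decide what the node processes next. If it holds a local MS and a
    higher request exists, the MS is cleared and that request is processed."""
    top = top_request(pending, in_forced_switch)
    if holding_manual_switch and top is not None and manual_switch_cleared(top):
        return "clear MS, process " + top
    return top
```

Note that a remote R-APS (SF) outranks a local MS, so a manual switch is never left in place while another node on the ring reports a real failure; the reverse is not true for WTR/WTB timer events, which rank below MS.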
Table 130: show erps - summary display description
Field | Description
Node Information |
ERPS Status | Shows whether ERPS is enabled on the switch.
Number of ERPS Domains | Shows the number of ERPS rings configured on the switch.
Domain | Displays the name of each ring followed by a brief list of status information
ID | ERPS ring identifier used in R-APS messages.
Enabled | Shows if the specified ring is enabled.
Ver | Shows the ERPS version.
This example displays detailed information for the specified ERPS ring.
Table 131: show erps domain - detailed display description (Continued)
Field | Description
WTB Expire | The time before the wait-to-block timer expires.
WTR Expire | The time before the wait-to-restore timer expires.

This example displays statistics for all configured ERPS rings.
Table 132: show erps statistics - detailed display description (Continued)
Field | Description
EVENT | Any request/state message, excluding FS, SF, MS, and NR
HEALTH | The number of non-standard health-check messages
36 VLAN COMMANDS

A VLAN is a group of ports that can be located anywhere in the network, but communicate as though they belong to the same physical segment. This section describes the commands used to create VLAN groups, add port members, specify how VLAN tagging is used, and enable automatic VLAN registration for the selected interface.
CHAPTER 36 | VLAN Commands

GVRP AND BRIDGE EXTENSION COMMANDS
GARP VLAN Registration Protocol (GVRP) defines a way for switches to exchange VLAN information in order to automatically register VLAN members on interfaces across the network. This section describes how to enable GVRP for individual interfaces and globally for the switch, as well as how to display default configuration settings for the Bridge Extension MIB.
garp timer
This command sets the values for the join, leave and leaveall timers. Use the no form to restore the timers' default values.
SYNTAX
garp timer {join | leave | leaveall} timer-value
no garp timer {join | leave | leaveall}
{join | leave | leaveall} - Timer to set.
timer-value - Value of timer.
switchport forbidden vlan
This command configures forbidden VLANs. Use the no form to remove the list of forbidden VLANs.
SYNTAX
switchport forbidden vlan {add vlan-list | remove vlan-list}
no switchport forbidden vlan
add vlan-list - List of VLAN identifiers to add.
remove vlan-list - List of VLAN identifiers to remove.
vlan-list - Separate nonconsecutive VLAN identifiers with a comma and no spaces; use a hyphen to designate a range of IDs.
COMMAND MODE
Interface Configuration (Ethernet, Port Channel)
COMMAND USAGE
GVRP cannot be enabled for ports set to Access mode using the switchport mode command.
EXAMPLE
Console(config)#interface ethernet 1/1
Console(config-if)#switchport gvrp
Console(config-if)#

show bridge-ext
This command shows the configuration for bridge extension commands.
port-channel channel-id (Range: 1-12)
DEFAULT SETTING
Shows all GARP timers.
COMMAND MODE
Normal Exec, Privileged Exec
EXAMPLE
Console#show garp timer ethernet 1/1
Eth 1/ 1 GARP Timer Status:
 Join Timer      : 20 centiseconds
 Leave Timer     : 60 centiseconds
 Leave All Timer : 1000 centiseconds
Console#
RELATED COMMANDS
garp timer (1127)

show gvrp
This command shows if GVRP is enabled.
EDITING VLAN GROUPS
Table 135: Commands for Editing VLAN Groups
Command | Function | Mode
vlan database | Enters VLAN database mode to add, change, and delete VLANs | GC
vlan | Configures a VLAN, including VID, name and state | VC

vlan database
This command enters VLAN database mode. All commands in this mode take effect immediately.
vlan
This command configures a VLAN. Use the no form to restore the default settings or delete a VLAN.
SYNTAX
vlan vlan-id [name vlan-name] media ethernet [state {active | suspend}] [rspan]
no vlan vlan-id [name | state]
vlan-id - VLAN ID, specified as a single number, a range of consecutive numbers separated by a hyphen, or multiple numbers separated by commas. (Range: 1-4094)
name - Keyword to be followed by the VLAN name.
Configuring VLAN Interfaces

EXAMPLE
The following example adds a VLAN, using VLAN ID 105 and name RD5. The VLAN is activated by default.
EXAMPLE
The following example shows how to set the interface configuration mode to VLAN 1, and then assign an IP address to the VLAN:
Console(config)#interface vlan 1
Console(config-if)#ip address 192.168.1.254 255.255.255.0
Console(config-if)#
RELATED COMMANDS
shutdown (982)
interface (976)
vlan (1132)

switchport acceptable-frame-types
This command configures the acceptable frame types for a port. Use the no form to restore the default.
switchport allowed vlan
This command configures VLAN groups on the selected interface. Use the no form to restore the default.
SYNTAX
switchport allowed vlan {add vlan-list [tagged | untagged] | remove vlan-list}
no switchport allowed vlan
add vlan-list - List of VLAN identifiers to add.
remove vlan-list - List of VLAN identifiers to remove.
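The vlan-list argument shared by vlan, switchport forbidden vlan and switchport allowed vlan has a small grammar (IDs 1-4094, commas with no spaces, a hyphen for a range) that is easy to get wrong in scripts that generate switch configuration. The following Python is an added example written for this page, not the switch's own parser: it validates and expands a vlan-list, applies an add/remove operation to a port's VLAN set, and prints the set back in the compact form the CLI accepts.

```python
"""Added example: parse, validate and re-emit the vlan-list argument used by the
vlan / switchport allowed vlan / switchport forbidden vlan commands. Written for
this page; not Edge-Core code."""

VLAN_MIN, VLAN_MAX = 1, 4094


def parse_vlan_list(text: str) -> set:
    """'1,5-7,100' -> {1, 5, 6, 7, 100}. Raises ValueError on malformed input."""
    if text != text.strip() or " " in text:
        raise ValueError("vlan-list must not contain spaces")
    vlans = set()
    for item in text.split(","):
        if not item:
            raise ValueError("empty element in vlan-list")
        lo, sep, hi = item.partition("-")
        if not lo.isdigit() or (sep and not hi.isdigit()):
            raise ValueError(f"bad element {item!r}")
        lo_i = int(lo)
        hi_i = int(hi) if sep else lo_i
        if lo_i > hi_i or lo_i < VLAN_MIN or hi_i > VLAN_MAX:
            raise ValueError(f"out of range or inverted: {item!r}")
        vlans.update(range(lo_i, hi_i + 1))
    return vlans


def valid_vlan_list(text: str) -> bool:
    """Convenience wrapper: True if the text is an acceptable vlan-list."""
    try:
        parse_vlan_list(text)
        return True
    except ValueError:
        return False


def format_vlan_list(vlans) -> str:
    """{1, 2, 3, 5} -> '1-3,5': sorted, consecutive runs collapsed to ranges."""
    ids = sorted(vlans)
    parts, i = [], 0
    while i < len(ids):
        j = i
        while j + 1 < len(ids) and ids[j + 1] == ids[j] + 1:
            j += 1
        parts.append(str(ids[i]) if i == j else f"{ids[i]}-{ids[j]}")
        i = j + 1
    return ",".join(parts)


def apply_switchport_vlan(current: set, op: str, vlan_list: str) -> set:
    """Apply 'add vlan-list' or 'remove vlan-list' to a port's VLAN set and
    return the new set (the port's existing membership is left untouched
    if the list fails to parse, as the CLI would reject the command)."""
    change = parse_vlan_list(vlan_list)
    if op == "add":
        return current | change
    if op == "remove":
        return current - change
    raise ValueError("op must be 'add' or 'remove'")
```

format_vlan_list is useful when auditing: diffing the canonical form of the allowed list against the forbidden list for the same port shows at a glance whether a VLAN has been both permitted and forbidden.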
switchport ingress-filtering
This command enables ingress filtering for an interface. Use the no form to restore the default.
SYNTAX
[no] switchport ingress-filtering
DEFAULT SETTING
Disabled
COMMAND MODE
Interface Configuration (Ethernet, Port Channel)
COMMAND USAGE
◆ Ingress filtering only affects tagged frames. With ingress filtering disabled (the default), a tagged frame received for a VLAN of which the port is not a member is not discarded by this check.
the port's default VLAN (i.e., associated with the PVID) are also transmitted as tagged frames.
DEFAULT SETTING
All ports are in access mode with the PVID set to VLAN 1.
COMMAND MODE
Interface Configuration (Ethernet, Port Channel)
COMMAND USAGE
Access mode is mutually exclusive with VLAN trunking (see the vlan-trunking command). If VLAN trunking is enabled on an interface, then that interface cannot be set to access mode, and vice versa.
EXAMPLE
The following example shows how to set the PVID for port 1 to VLAN 3:
Console(config)#interface ethernet 1/1
Console(config-if)#switchport native vlan 3
Console(config-if)#

vlan-trunking
This command allows unknown VLAN groups to pass through the specified interface. Use the no form to disable this feature.
Displaying VLAN Information

interface, then that interface cannot be set to access mode, and vice versa.
◆ To prevent loops from forming in the spanning tree, all unknown VLANs will be bound to a single instance (either STP/RSTP or an MSTP instance, depending on the selected STA mode).
Configuring IEEE 802.1Q Tunneling

DEFAULT SETTING
Shows all VLANs.
General Configuration Guidelines for QinQ
1. Configure the switch to QinQ mode (dot1q-tunnel system-tunnel-control).
2. Create a SPVLAN (vlan).
3. Configure the QinQ tunnel access port to dot1Q-tunnel access mode (switchport dot1q-tunnel mode).
4. Set the Tag Protocol Identifier (TPID) value of the tunnel access port. This step is required if the attached client is using a nonstandard 2-byte ethertype to identify 802.1Q tagged frames.
COMMAND USAGE
QinQ tunnel mode must be enabled on the switch for QinQ interface settings to be functional.
EXAMPLE
Console(config)#dot1q-tunnel system-tunnel-control
Console(config)#
RELATED COMMANDS
show dot1q-tunnel (1146)
show interfaces switchport (988)

switchport dot1q-tunnel mode
This command configures an interface as a QinQ tunnel port. Use the no form to disable QinQ on the interface.
RELATED COMMANDS
show dot1q-tunnel (1146)
show interfaces switchport (988)

switchport dot1q-tunnel service match cvid
This command creates a CVLAN to SPVLAN mapping entry. Use the no form to delete a VLAN mapping entry.
SYNTAX
switchport dot1q-tunnel service svid match cvid cvid
svid - VLAN ID for the outer VLAN tag (Service Provider VID). (Range: 1-4094)
cvid - VLAN ID for the inner VLAN tag (Customer VID).
EXAMPLE
This example sets the SVID to 99 in the outer tag for egress packets exiting port 1 when the packet's CVID is 2.
Console(config)#interface ethernet 1/1
Console(config-if)#switchport dot1q-tunnel service 99 match cvid 2
Console(config-if)#

The following example maps C-VLAN 10 to S-VLAN 100, C-VLAN 20 to S-VLAN 200 and C-VLAN 30 to S-VLAN 300 for ingress traffic on port 1 of Switches A and B.
7. Verify configuration settings.
Console#show dot1q-tunnel service
802.1Q Tunnel Service Subscriptions
Port     Match C-VID S-VID
-------- ----------- -----
Eth 1/ 1          10   100
Eth 1/ 1          20   200
Eth 1/ 1          30   300

Step 2. Configure Switch C.
1. Create VLAN 100, 200 and 300.
Console(config)#vlan database
Console(config-vlan)#vlan 100,200,300 media ethernet state active
2. Configure port 1 and port 2 as tagged members of VLAN 100, 200 and 300.
◆ The specified ethertype only applies to ports configured in Uplink mode using the switchport dot1q-tunnel mode command. If the port is in Normal mode, the TPID is always 8100. If the port is in Access mode, received packets are processed as untagged packets.
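The service-subscription example (C-VID 2 to S-VID 99, C-VLAN 10/20/30 to S-VLAN 100/200/300) and the TPID rules above describe how the outer tag is pushed, rewritten and recognised. The following Python is an added example written for this page, not the switch's data path: it builds a constructed customer frame, pushes the S-VLAN tag on a dot1q-tunnel access port according to a service map, rewrites the outer TPID on the uplink, and shows how the same frame is classified on an uplink in uplink, normal and access mode. The TPID value 0x9100 and the port SPVLAN fallback are assumptions of the example.

```python
"""Added example: QinQ outer-tag push, TPID rewrite and classification as
described by 'switchport dot1q-tunnel service ... match cvid' and the TPID
usage note. Written for this page; not Edge-Core code. Frames are constructed."""

import struct

TPID_8100 = 0x8100


def parse_tag(frame: bytes, tpid: int = TPID_8100):
    """Return (vid, pcp) of the tag at offset 12 if its TPID matches, else None."""
    if len(frame) < 16 or struct.unpack("!H", frame[12:14])[0] != tpid:
        return None
    tci = struct.unpack("!H", frame[14:16])[0]
    return tci & 0x0FFF, tci >> 13


def push_tag(frame: bytes, tpid: int, vid: int, pcp: int = 0) -> bytes:
    """Insert a VLAN tag (TPID + TCI) between the MAC addresses and the rest."""
    tci = (pcp << 13) | (vid & 0x0FFF)
    return frame[:12] + struct.pack("!HH", tpid, tci) + frame[12:]


def pop_tag(frame: bytes) -> bytes:
    """Remove the tag at offset 12 (caller has already checked it is there)."""
    return frame[:12] + frame[16:]


def access_port_ingress(frame: bytes, service_map: dict, port_svid: int) -> bytes:
    """dot1q-tunnel access port: the customer tag is left intact and an outer
    S-VLAN tag is pushed. The S-VID comes from the 'service <svid> match cvid
    <cvid>' subscriptions when the inner tag matches; otherwise the port's own
    SPVLAN is used (port_svid, an assumption of this example)."""
    inner = parse_tag(frame)
    cvid = inner[0] if inner else None
    svid = service_map.get(cvid, port_svid)
    return push_tag(frame, TPID_8100, svid)


def uplink_port_egress(frame: bytes, mode: str, tpid: int) -> bytes:
    """The outer tag leaves the switch with the uplink port's TPID: the
    configured ethertype in 'uplink' mode, always 0x8100 in 'normal' mode."""
    out_tpid = tpid if mode == "uplink" else TPID_8100
    return frame[:12] + struct.pack("!H", out_tpid) + frame[14:]


def uplink_port_ingress(frame: bytes, mode: str, tpid: int):
    """Classify a frame arriving from the provider side: (svid, frame without
    the outer tag). In 'access' mode the frame is treated as untagged (svid
    None); in 'normal' mode only TPID 0x8100 is recognised as a tag."""
    if mode == "access":
        return None, frame
    expect = tpid if mode == "uplink" else TPID_8100
    outer = parse_tag(frame, expect)
    if outer is None:
        return None, frame          # no recognised outer tag: untagged
    return outer[0], pop_tag(frame)


def sample_customer_frame(cvid=None) -> bytes:
    """Constructed sample: dst MAC, src MAC, optional 802.1Q tag with the given
    C-VID, then an IPv4 ethertype and a short dummy payload."""
    dst = bytes.fromhex("001122334455")
    src = bytes.fromhex("66778899aabb")
    frame = dst + src + b"\x08\x00" + b"\x00" * 8
    return push_tag(frame, TPID_8100, cvid) if cvid is not None else frame
```

The classification cases in uplink_port_ingress are the ones to check during a QinQ audit: a provider port left in normal mode silently treats a 0x9100-tagged frame as untagged, which lands the customer's traffic in the port's PVID instead of the intended S-VLAN.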
Console#show dot1q-tunnel service 100
802.1Q Tunnel Service Subscriptions
Port     Match C-VID S-VID
-------- ----------- -----
Eth 1/ 5           1   100
Eth 1/ 6           1   100
Console#
RELATED COMMANDS
switchport dot1q-tunnel mode (1142)

CONFIGURING L2CP TUNNELING
This section describes the commands used to configure Layer 2 Protocol Tunneling (L2PT).
◆ L2PT can be used to pass various types of protocol packets belonging to the same customer transparently across a service provider's network. In this way, normally segregated network segments can be configured to function inside a common protocol domain.
■ with destination address 01-80-C2-00-00-01~0A (S-VLAN), the frame is filtered, decapsulated, and processed locally by the switch if the protocol is supported.
Processing Cisco-compatible protocol packets
◆ When a Cisco-compatible L2PT packet is received on an uplink port, and recognized as a Generic Bridge PDU Tunneling (GBPT) protocol packet (i.e.
EXAMPLE
Console(config)#dot1q-tunnel system-tunnel-control
Console(config)#l2protocol-tunnel tunnel-dmac 01-80-C2-00-00-01
Console(config)#

switchport l2protocol-tunnel
This command enables Layer 2 Protocol Tunneling (L2PT) for the specified protocol. Use the no form to disable L2PT for the specified protocol.
Configuring VLAN Translation

show l2protocol-tunnel
This command shows settings for Layer 2 Protocol Tunneling (L2PT).
COMMAND MODE
Interface Configuration (Ethernet)
COMMAND USAGE
◆ If the next switch upstream does not support QinQ tunneling, then use this command to map the customer's VLAN ID to the service provider's VLAN ID for the upstream port. Similarly, if the next switch downstream does not support QinQ tunneling, then use this command to map the service provider's VLAN ID to the customer's VLAN ID for the downstream port.
Configuring Protocol-based VLANs

Console#

show vlan-translation
This command displays the configuration settings for VLAN translation.
SYNTAX
show vlan-translation [interface interface]
interface
  ethernet unit/port
    unit - Stack unit. (Range: 1)
    port - Port number.
Table 141: Protocol-based VLAN Commands (Continued)
Command | Function | Mode
show protocol-vlan protocol-group | Shows the configuration of protocol groups | PE
show interfaces protocol-vlan protocol-group | Shows the interfaces mapped to a protocol group and the corresponding VLAN | PE

To configure protocol-based VLANs, follow these steps:
1. First configure VLAN groups for the protocols you want to use (page 1132).
EXAMPLE
The following creates protocol group 1, and specifies Ethernet frames with IP and ARP protocol types:
Console(config)#protocol-vlan protocol-group 1 add frame-type ethernet protocol-type ip
Console(config)#protocol-vlan protocol-group 1 add frame-type ethernet protocol-type arp
Console(config)#

protocol-vlan protocol-group (Configuring Interfaces)
This command maps a protocol group to a VLAN for the current interface.
EXAMPLE
The following example maps the traffic entering Port 1 which matches the protocol type specified in protocol group 1 to VLAN 2.
Console(config)#interface ethernet 1/1
Console(config-if)#protocol-vlan protocol-group 1 vlan 2
Console(config-if)#

show protocol-vlan protocol-group
This command shows the frame and protocol type associated with protocol groups.
DEFAULT SETTING
The mapping for all interfaces is displayed.
COMMAND MODE
Privileged Exec
EXAMPLE
This shows that traffic entering Port 1 that matches the specifications for protocol group 1 will be mapped to VLAN 2:
Console#show interfaces protocol-vlan protocol-group
Port       ProtocolGroup ID   VLAN ID
---------- ------------------ -----------
Eth 1/1    1                  vlan2
Console#

CONFIGURING IP SUBNET VLANS
When using IEEE 802.
subnet-vlan
This command configures IP Subnet VLAN assignments. Use the no form to remove an IP subnet-to-VLAN assignment.
SYNTAX
subnet-vlan subnet ip-address mask vlan vlan-id [priority priority]
no subnet-vlan subnet {ip-address mask | all}
ip-address – The IP address that defines the subnet. Valid IP addresses consist of four decimal numbers, 0 to 255, separated by periods.
mask – This mask identifies the host address bits of the IP subnet.
Configuring MAC Based VLANs

show subnet-vlan
This command displays IP Subnet VLAN assignments.
COMMAND MODE
Privileged Exec
COMMAND USAGE
◆ Use this command to display subnet-to-VLAN mappings.
◆ The last matched entry is used if more than one entry can be matched.
EXAMPLE
The following example displays all configured IP subnet-based VLANs.
Console#show subnet-vlan
IP Address      Mask
--------------- ---------------
192.168.12.0    255.255.255.128
192.168.12.128  255.255.255.192
192.168.
mac-vlan
This command configures MAC address-to-VLAN mapping. Use the no form to remove an assignment.
SYNTAX
mac-vlan mac-address mac-address [mask mask-address] vlan vlan-id [priority priority]
no mac-vlan mac-address {mac-address [mask mask-address] | all}
mac-address – The source MAC address to be matched. Configured MAC addresses can only be unicast addresses. The MAC address must be specified in the format xx-xx-xx-xx-xx-xx or xxxxxxxxxxxx.
Configuring Voice VLANs

show mac-vlan
This command displays MAC address-to-VLAN assignments.
COMMAND MODE
Privileged Exec
EXAMPLE
The following example displays all configured MAC address-based VLANs.
DEFAULT SETTING
Disabled
COMMAND MODE
Global Configuration
COMMAND USAGE
◆ When IP telephony is deployed in an enterprise network, it is recommended to isolate the Voice over IP (VoIP) network traffic from other data traffic. Traffic isolation helps prevent excessive packet delays, packet loss, and jitter, which results in higher voice quality. This is best achieved by assigning all VoIP traffic to a single VLAN.
COMMAND USAGE
The Voice VLAN aging time is the time after which a port is removed from the Voice VLAN when VoIP traffic is no longer received on the port. The Remaining Age starts to count down when the OUI's MAC address expires from the MAC address table. Therefore, the MAC address aging time should be added to the overall aging time.
◆ Setting a mask of FF-FF-FF-00-00-00 identifies all devices with the same OUI (the first three octets). Other masks restrict the MAC address range. Setting FF-FF-FF-FF-FF-FF specifies a single MAC address.
EXAMPLE
The following example adds a MAC OUI to the OUI Telephony list.
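The mac-vlan mask, the subnet-vlan "last matched entry wins" rule and the OUI Telephony mask above all classify an ingress frame from its source address. The following Python is an added example written for this page, not switch firmware, that implements those three lookups side by side. The evaluation order in classify (MAC entries, then subnet entries, then the port PVID) and the sample entries are assumptions of the example; the two subnets are taken from the show subnet-vlan output above, the OUI 00-E0-BB is constructed.

```python
"""Added example: source-address based VLAN classification as described by
mac-vlan (masked MAC match), subnet-vlan (last matching entry wins) and the
voice-VLAN OUI Telephony list (masked OUI match). Written for this page;
not Edge-Core code. Evaluation order in classify() is an assumption."""

import ipaddress


def mac_to_int(text: str) -> int:
    """Accept xx-xx-xx-xx-xx-xx or xxxxxxxxxxxx (the formats mac-vlan takes)."""
    digits = text.replace("-", "").replace(":", "")
    if len(digits) != 12:
        raise ValueError(f"bad MAC {text!r}")
    return int(digits, 16)


def is_unicast(mac: str) -> bool:
    """mac-vlan entries must be unicast: the I/G bit of the first octet is clear."""
    return (mac_to_int(mac) >> 40) & 0x01 == 0


def mac_matches(entry_mac: str, mask: str, src_mac: str) -> bool:
    """Masked compare: FF-FF-FF-00-00-00 matches a whole OUI,
    FF-FF-FF-FF-FF-FF matches exactly one address."""
    m = mac_to_int(mask)
    return mac_to_int(entry_mac) & m == mac_to_int(src_mac) & m


def lookup_mac_vlan(entries, src_mac: str):
    """entries: [(mac, mask, vlan, priority)]; first matching entry is used
    (an assumption of this example: the page states no order for mac-vlan)."""
    for mac, mask, vlan, prio in entries:
        if mac_matches(mac, mask, src_mac):
            return vlan, prio
    return None


def lookup_subnet_vlan(entries, src_ip: str):
    """entries: [(ip-address, mask, vlan, priority)] in configured order.
    As the show subnet-vlan usage states, the LAST matching entry is used."""
    ip = ipaddress.ip_address(src_ip)
    result = None
    for addr, mask, vlan, prio in entries:
        if ip in ipaddress.ip_network(f"{addr}/{mask}", strict=False):
            result = (vlan, prio)
    return result


def is_voice_device(oui_list, src_mac: str) -> bool:
    """oui_list: [(oui, mask)] from the OUI Telephony list. True when the
    source MAC falls inside any entry (the 'oui' detection rule)."""
    return any(mac_matches(oui, mask, src_mac) for oui, mask in oui_list)


def classify(src_mac, src_ip, pvid, mac_entries=(), subnet_entries=()):
    """Return (vlan, priority) for an untagged ingress frame. Order assumed:
    MAC-based entry, then IP-subnet entry, then the port's PVID."""
    hit = lookup_mac_vlan(mac_entries, src_mac)
    if hit:
        return hit
    hit = lookup_subnet_vlan(subnet_entries, src_ip) if src_ip else None
    if hit:
        return hit
    return pvid, None


# Constructed sample configuration for the functions above.
SUBNETS = [("192.168.12.0", "255.255.255.128", 10, 0),
           ("192.168.12.128", "255.255.255.192", 20, 0)]
OUI_LIST = [("00-E0-BB-00-00-00", "FF-FF-FF-00-00-00")]
```

The last-match rule is the one to remember when auditing subnet-vlan: a broad entry added after a narrow one overrides it for every host in the overlap, the opposite of the longest-prefix behaviour a routing engineer would expect.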
switchport voice vlan priority
This command specifies a CoS priority for VoIP traffic on a port. Use the no form to restore the default priority on a port.
SYNTAX
switchport voice vlan priority priority-value
no switchport voice vlan priority
priority-value - The CoS priority value. (Range: 0-6)
DEFAULT SETTING
6
COMMAND MODE
Interface Configuration
COMMAND USAGE
Specifies a CoS priority to apply to the port VoIP traffic on the Voice VLAN.
address OUI numbers must be configured in the Telephony OUI list so that the switch recognizes the traffic as being from a VoIP device.
◆ LLDP checks that the "telephone bit" in the system capability TLV is turned on. See "LLDP Commands" on page 1295 for more information on LLDP.
EXAMPLE
The following example enables the OUI method on port 1 for detecting VoIP traffic.
show voice vlan
This command displays the Voice VLAN settings on the switch and the OUI Telephony list.
SYNTAX
show voice vlan {oui | status}
oui - Displays the OUI Telephony list.
status - Displays the global and port Voice VLAN settings.
37 CLASS OF SERVICE COMMANDS

The commands described in this section allow you to specify which data packets have greater precedence when traffic is buffered in the switch due to congestion. This switch supports CoS with eight priority queues for each port. Data packets in a port's high-priority queue will be transmitted before those in the lower-priority queues.
CHAPTER 37 | Class of Service Commands
Priority Commands (Layer 2)

queue mode
This command sets the scheduling mode used for processing each of the class of service (CoS) priority queues. The options include strict priority, Weighted Round-Robin (WRR), or a combination of strict and weighted queuing. Use the no form to restore the default value.
◆ Service time is shared at the egress ports by defining scheduling weights for WRR, or for the queuing mode that uses a combination of strict and weighted queuing. Service time is allocated to each queue by calculating a precise number of bytes per second that will be serviced on each round.
◆ The specified queue mode applies to all interfaces.
EXAMPLE
The following example shows how to assign round-robin weights of 1 - 8 to the CoS priority queues 0 - 7.
Console(config)#queue weight 1 2 3 4 5 6 7 8
Console(config)#
RELATED COMMANDS
queue mode (1170)
show queue weight (1173)

switchport priority default
This command sets a priority for incoming untagged frames. Use the no form to restore the default value.
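The three scheduling modes named under queue mode (strict, WRR, and the strict-plus-WRR combination) and the per-queue weights set with queue weight are easiest to understand by watching the transmission order they produce. The following Python is an added example written for this page, not switch firmware: it replays the scheduler over constructed per-queue packet lists. Because the page does not document the hardware's byte accounting, the model treats every packet as the same size and lets one weight unit send one packet per round; the choice of which queues are strict in combined mode is passed in as a parameter. These are assumptions of the example.

```python
"""Added example: a round-based model of the 'queue mode' scheduling options
(strict, wrr, strict-wrr) with 'queue weight' weights. Written for this page;
not Edge-Core code. Assumptions: equal-size packets, one weight unit = one
packet per WRR round, strict queues chosen by the caller in strict-wrr mode."""

from collections import deque

NUM_QUEUES = 8


def make_queues(packets_by_queue: dict):
    """{queue_number: [packet ids]} -> list of 8 lists (queue 7 is highest)."""
    qs = [[] for _ in range(NUM_QUEUES)]
    for q, pkts in packets_by_queue.items():
        qs[q].extend(pkts)
    return qs


def schedule(queues, mode, weights=None, strict_from=NUM_QUEUES):
    """Drain all queues and return the order in which packets are transmitted.
    strict:     always serve the highest-numbered non-empty queue first.
    wrr:        each round, queue q may send up to weights[q] packets,
                visiting queues from 7 down to 0.
    strict-wrr: queues >= strict_from are strict; the rest share WRR."""
    qs = [deque(q) for q in queues]
    weights = list(weights) if weights else [1] * NUM_QUEUES
    if mode == "strict":
        strict_from = 0
    elif mode == "wrr":
        strict_from = NUM_QUEUES
    elif mode != "strict-wrr":
        raise ValueError(f"unknown queue mode {mode!r}")
    out = []
    while any(qs):
        # Strict queues are always served before any WRR round starts.
        strict = [i for i in range(NUM_QUEUES - 1, strict_from - 1, -1) if qs[i]]
        if strict:
            out.append(qs[strict[0]].popleft())
            continue
        # One WRR round over the weighted queues, highest queue first.
        progressed = False
        for i in range(strict_from - 1, -1, -1):
            for _ in range(weights[i]):
                if qs[i]:
                    out.append(qs[i].popleft())
                    progressed = True
        if not progressed:      # only zero-weight queues left: stop
            break
    return out


def share(order, queue_of):
    """Count packets sent per queue in `order`; queue_of maps packet id -> queue."""
    counts = {}
    for pkt in order:
        counts[queue_of[pkt]] = counts.get(queue_of[pkt], 0) + 1
    return counts
```

The strict case is the one with a security consequence: a flood of frames that a port trusts into queue 7 (see switchport priority default and the trust-mode commands later in this chapter) starves every lower queue until it drains, whereas under WRR the lower queues keep their weighted share.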
CHAPTER 37 | Class of Service Commands Priority Commands (Layer 2) EXAMPLE The following example shows how to set a default priority on port 3 to 5: Console(config)#interface ethernet 1/3 Console(config-if)#switchport priority default 5 Console(config-if)# RELATED COMMANDS show interfaces switchport (988) show queue mode This command shows the current queue mode.
PRIORITY COMMANDS (LAYER 3 AND 4)
This section describes commands used to configure Layer 3 and 4 traffic priority mapping on the switch.

DEFAULT SETTING
Table 148: Default Mapping of CoS/CFI to Internal PHB/Drop Precedence
           CFI
CoS     0        1
 0    (0,0)    (0,0)
 1    (1,0)    (1,0)
 2    (2,0)    (2,0)
 3    (3,0)    (3,0)
 4    (4,0)    (4,0)
 5    (5,0)    (5,0)
 6    (6,0)    (6,0)
 7    (7,0)    (7,0)

COMMAND MODE
Interface Configuration (Port)

COMMAND USAGE
◆ The default mapping of CoS to PHB values shown in Table 148 is based on the recommended settings in IEEE 802.

qos map dscp-mutation
This command maps DSCP values in incoming packets to per-hop behavior and drop precedence values for priority processing. Use the no form to restore the default settings.

SYNTAX
qos map dscp-mutation phb drop-precedence from dscp0 ... dscp7
no qos map dscp-mutation dscp0 ... dscp7
phb - Per-hop behavior, or the priority used for this router hop.
map should be applied at the receiving port (ingress mutation) at the boundary of a QoS administrative domain.
◆ Random Early Detection starts dropping yellow and red packets when the buffer fills up to 0x60 packets, and then starts dropping any packets regardless of color when the buffer fills up to 0x80 packets.
◆ The specified mapping applies to all interfaces.

EXAMPLE
Console(config)#interface ethernet 1/5
Console(config-if)#qos map phb-queue 0 from 1 2 3
Console(config-if)#

qos map trust-mode
This command sets QoS mapping to DSCP or CoS. Use the no form to restore the default setting.

SYNTAX
qos map trust-mode {dscp | cos}
no qos map trust-mode
dscp - Sets the QoS mapping mode to DSCP.
cos - Sets the QoS mapping mode to CoS.

show qos map cos-dscp
This command shows the ingress CoS/CFI to internal DSCP map.

SYNTAX
show qos map cos-dscp interface interface
interface
 ethernet unit/port
  unit - Unit identifier. (Range: 1)
  port - Port number. (Range: 1-28)

COMMAND MODE
Privileged Exec

EXAMPLE
Console#show qos map cos-dscp interface ethernet 1/5
CoS Information of Eth 1/5
CoS-DSCP map.

ingress DSCP = d1 * 10 + d2); and the corresponding Internal DSCP and drop precedence is shown at the intersecting cell in the table.
Console#show qos map dscp-mutation interface ethernet 1/5
Information of Eth 1/5
DSCP mutation map.

COMMAND MODE
Privileged Exec

EXAMPLE
The following shows that the trust mode is set to CoS:
Console#show qos map trust-mode interface ethernet 1/5
Information of Eth 1/5
CoS Map Mode: CoS mode
Console#
38 QUALITY OF SERVICE COMMANDS The commands described in this section are used to configure Differentiated Services (DiffServ) classification criteria and service policies. You can classify traffic based on access lists, IP Precedence or DSCP values, or VLANs. Using access lists allows you to select traffic based on Layer 2, Layer 3, or Layer 4 information contained in each packet.
To create a service policy for a specific category of ingress traffic, follow these steps:
1. Use the class-map command to designate a class name for a specific category of traffic, and enter the Class Map configuration mode.
2. Use the match command to select a specific type of traffic based on an access list, an IPv4 DSCP value, IPv4 Precedence value, IPv6 DSCP value, a VLAN, a CoS value, or a source port.
3.

COMMAND USAGE
◆ First enter this command to designate a class map and enter the Class Map configuration mode. Then use match commands to specify the criteria for ingress traffic that will be classified under this class map.
◆ One or more class maps can be assigned to a policy map (page 1188). The policy map is then bound by a service policy to an interface (page 1199). A service policy defines packet classification, service tagging, and bandwidth policing.

match
This command defines the criteria used to classify traffic. Use the no form to delete the matching criteria.

SYNTAX
[no] match {access-list acl-name | cos cos | ip dscp dscp | ip precedence ip-precedence | ipv6 dscp dscp | source-port interface | vlan vlan}
acl-name - Name of the access control list. Any type of ACL can be specified, including standard or extended IPv4/IPv6 ACLs and MAC ACLs. (Range: 1-16 characters)
cos - A Class of Service value.

EXAMPLE
This example creates a class map called “rd-class#1,” and sets it to match packets marked for DSCP service value 3.
Console(config)#class-map rd-class#1 match-any
Console(config-cmap)#match ip dscp 3
Console(config-cmap)#
This example creates a class map called “rd-class#2,” and sets it to match packets marked for IP Precedence service value 5.
policy-map
This command creates a policy map that can be attached to multiple interfaces, and enters Policy Map configuration mode. Use the no form to delete a policy map.

SYNTAX
[no] policy-map policy-map-name
policy-map-name - Name of the policy map.

DEFAULT SETTING
None

COMMAND MODE
Policy Map Configuration

COMMAND USAGE
◆ Use the policy-map command to specify a policy map and enter Policy Map configuration mode. Then use the class command to enter Policy Map Class configuration mode. And finally, use the set command and one of the police commands to specify the match criteria, where the:
 ■ set phb command sets the per-hop behavior value in matching packets.

police flow
This command defines an enforcer for classified traffic based on the metered flow rate. Use the no form to remove a policer.

SYNTAX
[no] police flow committed-rate committed-burst conform-action transmit violate-action {drop | new-dscp}
committed-rate - Committed information rate (CIR) in kilobits per second. (Range: 0-1000000 kbps at a granularity of 64 kbps or maximum port speed, whichever is lower)
committed-burst - Committed burst size (BC) in bytes.
The token bucket C is initially full, that is, the token count Tc(0) = BC. Thereafter, the token count Tc is updated CIR times per second as follows:
 ■ If Tc is less than BC, Tc is incremented by one, else Tc is not incremented.
When a packet of size B bytes arrives at time t, the following happens:
 ■ If Tc(t)-B ≥ 0, the packet is green and Tc is decremented by B down to the minimum value of 0, else the packet is red and Tc is not decremented.

conform-action - Action to take when rate is within the CIR and BC. (There are enough tokens in bucket BC to service the packet, the packet is set green.)
exceed-action - Action to take when rate exceeds the CIR and BC but is within the BE. (There are enough tokens in bucket BE to service the packet, the packet is set yellow.)
violate-action - Action to take when rate exceeds the BE. (There are not enough tokens in bucket BE to service the packet, the packet is set red.)

The token buckets C and E are initially full, that is, the token count Tc(0) = BC and the token count Te(0) = BE. Thereafter, the token counts Tc and Te are updated CIR times per second as follows:
 ■ If Tc is less than BC, Tc is incremented by one,
 ■ else if Te is less than BE, Te is incremented by one,
 ■ else neither Tc nor Te is incremented.

police trtcm-color
This command defines an enforcer for classified traffic based on a two rate three color meter (trTCM). Use the no form to remove a policer.

SYNTAX
[no] police {trtcm-color-blind | trtcm-color-aware} committed-rate committed-burst peak-rate peak-burst conform-action transmit exceed-action {drop | new-dscp} violate-action {drop | new-dscp}
trtcm-color-blind - Two rate three color meter in color-blind mode.

◆ The committed-rate and peak-rate cannot exceed the configured interface speed, and the committed-burst and peak-burst cannot exceed 16 Mbytes.
◆ The trTCM as defined in RFC 2698 meters a traffic stream and processes its packets based on two rates, Committed Information Rate (CIR) and Peak Information Rate (PIR), and their associated burst sizes, Committed Burst Size (BC) and Peak Burst Size (BP).
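The three meters described above (the single bucket of police flow, the two buckets C and E fed from the CIR, and the RFC 2698 trTCM with CIR/PIR) simulated in Python, together with the conform/exceed/violate actions. This is an added example, not the switch's firmware; it assumes that "updated CIR times per second, incremented by one" is equivalent to adding CIR*1000/8 bytes per second, and the packet sequence is constructed.

```python
"""Token-bucket policers as described in the police flow / police trtcm
sections. Added example, not the switch's own code.  Rates in kbps and
bursts in bytes, as on the CLI; time in seconds (assumption: per-tick
"increment by one" == adding CIR*1000/8 bytes per second of elapsed time)."""
from dataclasses import dataclass, field

GREEN, YELLOW, RED = "green", "yellow", "red"


def kbps_to_bytes_per_sec(kbps: float) -> float:
    return kbps * 1000.0 / 8.0


@dataclass
class Bucket:
    rate_bps: float          # refill rate in bytes per second
    size: int                # burst size in bytes (bucket capacity)
    tokens: float = field(init=False)

    def __post_init__(self) -> None:
        self.tokens = float(self.size)          # starts full: Tc(0) = BC

    def refill(self, elapsed: float) -> None:
        self.tokens = min(self.size, self.tokens + self.rate_bps * elapsed)

    def take(self, n: int) -> bool:
        """Tc(t) - B >= 0: consume B tokens and succeed, else leave Tc alone."""
        if self.tokens - n >= 0:
            self.tokens -= n
            return True
        return False


class FlowMeter:
    """police flow: one bucket C, green if Tc - B >= 0, otherwise red."""
    def __init__(self, cir_kbps: float, bc_bytes: int) -> None:
        self.c = Bucket(kbps_to_bytes_per_sec(cir_kbps), bc_bytes)
        self.last = 0.0

    def color(self, size: int, t: float) -> str:
        self.c.refill(t - self.last)
        self.last = t
        return GREEN if self.c.take(size) else RED


class SrTCM:
    """Single-rate meter with buckets C and E (RFC 2697, color-blind).
    Both buckets are fed from the CIR: tokens that do not fit in C spill
    into E, which is the update rule quoted in the text."""
    def __init__(self, cir_kbps: float, bc_bytes: int, be_bytes: int) -> None:
        rate = kbps_to_bytes_per_sec(cir_kbps)
        self.c, self.e, self.last = Bucket(rate, bc_bytes), Bucket(rate, be_bytes), 0.0

    def refill(self, elapsed: float) -> None:
        added = self.c.rate_bps * elapsed
        into_c = min(self.c.size - self.c.tokens, added)
        self.c.tokens += into_c
        self.e.tokens = min(self.e.size, self.e.tokens + (added - into_c))

    def color(self, size: int, t: float) -> str:
        self.refill(t - self.last)
        self.last = t
        if self.c.take(size):
            return GREEN            # within CIR/BC: conform-action
        if self.e.take(size):
            return YELLOW           # within BE: exceed-action
        return RED                  # beyond BE: violate-action


class TrTCM:
    """Two-rate three-color meter (RFC 2698, color-blind): bucket P at
    PIR/BP and bucket C at CIR/BC; red if P lacks tokens, yellow if only
    C lacks tokens, green otherwise."""
    def __init__(self, cir_kbps: float, bc_bytes: int,
                 pir_kbps: float, bp_bytes: int) -> None:
        self.c = Bucket(kbps_to_bytes_per_sec(cir_kbps), bc_bytes)
        self.p = Bucket(kbps_to_bytes_per_sec(pir_kbps), bp_bytes)
        self.last = 0.0

    def color(self, size: int, t: float) -> str:
        elapsed = t - self.last
        self.last = t
        self.c.refill(elapsed)
        self.p.refill(elapsed)
        if self.p.tokens - size < 0:
            return RED
        if self.c.tokens - size < 0:
            self.p.tokens -= size
            return YELLOW
        self.p.tokens -= size
        self.c.tokens -= size
        return GREEN


def police(meter, packets, exceed_action="drop", violate_action="drop"):
    """Apply conform-action transmit / exceed-action / violate-action.
    packets: list of (arrival_time_s, size_bytes).  An action given as an
    int means remark to that DSCP (the {drop | new-dscp} choice)."""
    def act(a):
        return f"set dscp {a}" if isinstance(a, int) else a
    out = []
    for t, size in packets:
        col = meter.color(size, t)
        action = "transmit" if col == GREEN else act(exceed_action) if col == YELLOW else act(violate_action)
        out.append((col, action))
    return out


if __name__ == "__main__":
    # rd-policy values from the text: CIR 100000 kbps, BC 4000, PIR 1000000 kbps, BP 6000;
    # five constructed 1500-byte packets arriving in one burst.
    burst = [(0.0, 1500)] * 5
    for col, action in police(TrTCM(100000, 4000, 1000000, 6000), burst, exceed_action=10):
        print(col, action)
```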
EXAMPLE
This example creates a policy called “rd-policy,” uses the class command to specify the previously defined “rd-class,” uses the set phb command to classify the service that incoming packets will receive, and then uses the police trtcm-color-blind command to limit the average bandwidth to 100,000 Kbps, the committed burst rate to 4000 bytes, the peak information rate to 1,000,000 kbps, the peak burst size to 6000, to remark any packets exceeding the committed

EXAMPLE
This example creates a policy called “rd-policy,” uses the class command to specify the previously defined “rd-class,” uses the set cos command to classify the service that incoming packets will receive, and then uses the police flow command to limit the average bandwidth to 100,000 Kbps, the burst rate to 4000 bytes, and configure the response to drop any violating packets.

set phb
This command services IP traffic by setting a per-hop behavior value for a matching packet (as specified by the match command) for internal processing. Use the no form to remove this setting.

SYNTAX
[no] set phb phb-value
phb-value - Per-hop behavior value.

service-policy
This command applies a policy map defined by the policy-map command to the ingress or egress side of a particular interface. Use the no form to remove this mapping.

SYNTAX
[no] service-policy {input | output} policy-map-name
input - Apply to the input traffic.
output - Apply to the output traffic.
policy-map-name - Name of the policy map for this interface. (Range: 1-32 characters)

DEFAULT SETTING
No policy map is attached to an interface.

EXAMPLE
Console#show class-map
Class Map match-any rd-class#1
 Description:
 Match ip dscp 10
 Match access-list rd-access
 Match ip dscp 0
Class Map match-any rd-class#2
 Match ip precedence 5
Class Map match-any rd-class#3
 Match vlan 1
Console#

show policy-map
This command displays the QoS policy maps which define classification criteria for incoming traffic, and may include policers for bandwidth limitations.

show policy-map interface
This command displays the service policy assigned to the specified interface.

SYNTAX
show policy-map interface interface input
interface
 unit/port
  unit - Unit identifier. (Range: 1)
  port - Port number.
39 MULTICAST FILTERING COMMANDS This switch uses IGMP (Internet Group Management Protocol) to check for any attached hosts that want to receive a specific multicast service. It identifies the ports containing hosts requesting a service and sends data out to those ports only. It then propagates the service request up to any neighboring multicast switch/router to ensure that it will continue to receive the multicast service.
IGMP SNOOPING
This section describes commands used to configure IGMP snooping on the switch.

Table 153: IGMP Snooping Commands (Continued)
Command                                   Function                                                                                  Mode
ip igmp snooping vlan static              Adds an interface as a member of a multicast group                                        GC
ip igmp snooping vlan version             Configures the IGMP version for snooping                                                  GC
ip igmp snooping vlan version-exclusive   Discards received IGMP messages which use a version different to that currently configured   GC
clear ip igmp snooping groups dynamic     Clears multicast group information dynamicall

ip igmp snooping priority
This command assigns a priority to all multicast traffic. Use the no form to restore the default setting.

SYNTAX
ip igmp snooping priority priority
no ip igmp snooping priority
priority - The CoS priority assigned to all multicast traffic.

COMMAND USAGE
◆ When proxy reporting is enabled with this command, the switch performs “IGMP Snooping with Proxy Reporting” (as defined in DSL Forum TR-101, April 2006), including last leave, and query suppression. Last leave sends out a proxy query when the last member leaves a multicast group, and query suppression means that specific queries are not forwarded from an upstream multicast router to hosts downstream from this device.

DEFAULT SETTING
Disabled

COMMAND MODE
Global Configuration

COMMAND USAGE
As described in Section 9.1 of RFC 3376 for IGMP Version 3, the Router Alert Option can be used to protect against DoS attacks.
ip igmp snooping tcn-flood
This command enables flooding of multicast traffic if a spanning tree topology change notification (TCN) occurs. Use the no form to disable flooding.

SYNTAX
[no] ip igmp snooping tcn-flood

DEFAULT SETTING
Disabled

COMMAND MODE
Global Configuration

COMMAND USAGE
◆ When a spanning tree topology change occurs, the multicast membership information learned by the switch may be out of date.

EXAMPLE
The following example enables TCN flooding.
Console(config)#ip igmp snooping tcn-flood
Console(config)#

ip igmp snooping tcn-query-solicit
This command instructs the switch to send out an IGMP general query solicitation when a spanning tree topology change notification (TCN) occurs. Use the no form to disable this feature.

COMMAND MODE
Global Configuration

COMMAND USAGE
Once the table used to store multicast entries for IGMP snooping and multicast routing is filled, no new entries are learned. If no router port is configured in the attached VLAN, and unregistered-flooding is disabled, any subsequent multicast traffic not found in the table is dropped, otherwise it is flooded throughout the VLAN.

ip igmp snooping version
This command configures the IGMP snooping version. Use the no form to restore the default.

DEFAULT SETTING
Global: Disabled
VLAN: Disabled

COMMAND MODE
Global Configuration

COMMAND USAGE
◆ If version exclusive is disabled on a VLAN, then this setting is based on the global setting. If it is enabled on a VLAN, then this setting takes precedence over the global setting.
◆ When this function is disabled, the currently selected version is backward compatible (see the ip igmp snooping version command).
ip igmp snooping vlan immediate-leave
This command immediately deletes a member port of a multicast service if a leave packet is received at that port and immediate-leave is enabled for the parent VLAN. Use the no form to restore the default.

ip igmp snooping vlan last-memb-query-count
This command configures the number of IGMP proxy group-specific or group-and-source-specific query messages that are sent out before the system assumes there are no more local members. Use the no form to restore the default.

COMMAND USAGE
◆ When a multicast host leaves a group, it sends an IGMP leave message. When the leave message is received by the switch, it checks to see if this host is the last to leave the group by sending out an IGMP group-specific or group-and-source-specific query message, and starts a timer. If no reports are received before the timer expires, the group record is deleted, and a report is sent to the upstream multicast router.

messages is not required and may be disabled using the no ip igmp snooping vlan mrd command.
◆ This command may also be used to disable multicast router solicitation messages when the upstream router does not support MRD, to reduce the loading on a busy upstream router, or when IGMP snooping is disabled in a VLAN.

EXAMPLE
This example disables sending of multicast router solicitation messages on VLAN 1.

Rules Used for Proxy Reporting
When IGMP Proxy Reporting is disabled, the switch will use a null IP address for the source of IGMP query and report messages unless a proxy query address has been set.

◆ This command applies when the switch is serving as the querier (page 1207), or as a proxy host when IGMP snooping proxy reporting is enabled (page 1206).

EXAMPLE
Console(config)#ip igmp snooping vlan 1 query-interval 150
Console(config)#

ip igmp snooping vlan query-resp-
This command configures the maximum time the system waits for a response to general queries. Use the no form to restore the default.
ip igmp snooping vlan static
This command adds a port to a multicast group. Use the no form to remove the port.

SYNTAX
[no] ip igmp snooping vlan vlan-id static ip-address interface
vlan-id - VLAN ID (Range: 1-4094)
ip-address - IP address for multicast group
interface
 ethernet unit/port
  unit - Unit identifier. (Range: 1)
  port - Port number.

EXAMPLE
Console#clear ip igmp snooping groups dynamic
Console#

clear ip igmp snooping statistics
This command clears IGMP snooping statistics.

SYNTAX
clear ip igmp snooping statistics [interface interface]
interface
 ethernet unit/port
  unit - Unit identifier. (Range: 1)
  port - Port number.

EXAMPLE
The following shows the current IGMP snooping configuration:
Console#show ip igmp snooping
 IGMP Snooping
 Router Port Expire Time
 Router Alert Check
 Router Port Mode
 TCN Flood
 TCN Query Solicit
 Unregistered Data Flood
 802.

igmpsnp - Display only entries learned through IGMP snooping.
sort-by-port - Display entries sorted by port.
user - Display only the user-configured multicast entries.
vlan-id - VLAN ID (1-4094)

DEFAULT SETTING
None

COMMAND MODE
Privileged Exec

COMMAND USAGE
Member types displayed include IGMP or USER, depending on selected options.

EXAMPLE
The following shows the multicast entries learned through IGMP snooping for VLAN 1.

EXAMPLE
The following shows the ports in VLAN 1 which are attached to multicast routers.
Console#show ip igmp snooping mrouter vlan 1
 VLAN M'cast Router Ports  Type     Expire
 ---- ------------------- -------  -------
    1 Eth 1/4             Dynamic  0:4:28
    1 Eth 1/10            Static
Console#

show ip igmp snooping statistics
This command shows IGMP snooping protocol statistics for the specified interface.

Table 154: show ip igmp snooping statistics input - display description
Field           Description
Interface       Shows interface.
Report          The number of IGMP membership reports received on this interface.
Leave           The number of leave messages received on this interface.
G Query         The number of general query messages received on this interface.
G(-S)-S Query   The number of group specific or group-and-source specific query messages received on this interface.

Table 156: show ip igmp snooping statistics vlan query - display description
Field                    Description
Querier IP Address       The IP address of the querier on this interface.
Querier Expire Time      The time after which this querier is assumed to have expired.
General Query Received   The number of general queries received on this interface.
General Query Sent       The number of general queries sent from this interface.
IGMP FILTERING AND THROTTLING

COMMAND USAGE
◆ Depending on your network connections, IGMP snooping may not always be able to locate the IGMP querier. Therefore, if the IGMP querier is a known multicast router or switch connected over the network to an interface (port or trunk) on this switch, that interface can be manually configured to join all the current multicast groups.

Table 158: IGMP Filtering and Throttling Commands (Continued)
Command                           Function                                                              Mode
show ip igmp profile              Displays IGMP profiles and settings                                   PE
show ip igmp query-drop           Shows if the interface is configured to drop IGMP query packets       PE
show ip igmp throttle interface   Displays the IGMP throttling setting for interfaces                   PE
show ip multicast-data-drop       Shows if the interface is configured to drop multicast data packets   PE
ip i

ip igmp profile
This command creates an IGMP filter profile number and enters IGMP profile configuration mode. Use the no form to delete a profile number.

SYNTAX
[no] ip igmp profile profile-number
profile-number - An IGMP filter profile number. (Range: 1-4294967295)

DEFAULT SETTING
Disabled

COMMAND MODE
Global Configuration

COMMAND USAGE
A profile defines the multicast groups that a subscriber is permitted or denied to join.

EXAMPLE
Console(config)#ip igmp profile 19
Console(config-igmp-profile)#permit
Console(config-igmp-profile)#

range
This command specifies multicast group addresses for a profile. Use the no form to delete addresses from a profile.

SYNTAX
[no] range low-ip-address [high-ip-address]
low-ip-address - A valid IP address of a multicast group or start of a group range.

COMMAND USAGE
◆ If IGMP authentication is enabled on an interface, and a join report is received on the interface, the switch will send an access request to the RADIUS server to perform authentication.
◆ Only when the RADIUS server responds with an authentication success message will the switch learn the group report.

Table 159: IGMP Authentication RADIUS Attribute Value Pairs
Attribute Name       AVP Type   Entry
NAS_PORT             5          User Port Number
FRAMED_IP_ADDRESS    8          Multicast Group ID

EXAMPLE
This example shows how to enable IGMP Authentication on all of the switch’s Ethernet interfaces.
ip igmp max-groups
This command sets the IGMP throttling number for an interface on the switch. Use the no form to restore the default setting.

SYNTAX
ip igmp max-groups number
no ip igmp max-groups
number - The maximum number of multicast groups an interface can join at the same time.

COMMAND USAGE
When the maximum number of groups is reached on a port, the switch can take one of two actions; either “deny” or “replace.” If the action is set to deny, any new IGMP join reports will be dropped. If the action is set to replace, the switch randomly removes an existing group and replaces it with the new multicast group.

COMMAND USAGE
This command can be used to stop multicast services from being forwarded to users attached to the downstream port (i.e., the interfaces specified by this command).

EXAMPLE
Console(config)#interface ethernet 1/1
Console(config-if)#ip multicast-data-drop
Console(config-if)#

show ip igmp
This command displays the interface settings for IGMP authentication.

show ip igmp filter
This command displays the global and interface settings for IGMP filtering.

SYNTAX
show ip igmp filter [interface interface]
interface
 ethernet unit/port
  unit - Unit identifier. (Range: 1)
  port - Port number.

 Deny
 Range 239.1.1.1 239.1.1.1
 Range 239.2.3.1 239.2.3.100
Console#

show ip igmp query-drop
This command shows if the specified interface is configured to drop IGMP query packets.

SYNTAX
show ip igmp throttle interface [interface]
interface
 ethernet unit/port
  unit - Stack unit. (Range: 1)
  port - Port number.

COMMAND MODE
Privileged Exec

COMMAND USAGE
Using this command without specifying an interface displays information for all interfaces.

EXAMPLE
Console#show ip igmp throttle interface ethernet 1/1
Eth 1/1 Information
 Status                   : TRUE
 Action                   : Deny
 Max Multicast Groups     : 32
 Current Multicast Groups : 0
Console#

show ip multicast-data-drop
This command shows if the specified interface is configured to drop multicast data packets.
MLD SNOOPING
Multicast Listener Discovery (MLD) snooping operates on IPv6 traffic and performs a similar function to IGMP snooping for IPv4. That is, MLD snooping dynamically configures switch ports to limit IPv6 multicast traffic so that it is forwarded only to ports with users that want to receive it. This reduces the flooding of IPv6 multicast packets in the specified VLANs. There are two versions of the MLD protocol, version 1 and version 2.

Table 160: MLD Snooping Commands (Continued)
Command                                    Function                                                    Mode
show ipv6 mld snooping group source-list   Displays the learned groups and corresponding source list   PE
show ipv6 mld snooping mrouter             Displays the information of multicast router ports          PE

ipv6 mld snooping
This command enables MLD Snooping globally on the switch. Use the no form to disable MLD Snooping.

◆ The querier will not start or will disable itself after having started if it detects an IPv6 multicast router on the network.

EXAMPLE
Console(config)#ipv6 mld snooping querier
Console(config)#

ipv6 mld snooping query-interval
This command configures the interval between sending MLD general queries. Use the no form to restore the default.

DEFAULT SETTING
10 seconds

COMMAND MODE
Global Configuration

COMMAND USAGE
This command controls how long the host has to respond to an MLD Query message before the switch deletes the group if it is the last member.

EXAMPLE
Console(config)#ipv6 mld snooping query-max-response-time seconds 15
Console(config)#

ipv6 mld snooping robustness
This command configures the MLD Snooping robustness variable. Use the no form to restore the default value.

ipv6 mld snooping router-port-expire-time
This command configures the MLD query timeout. Use the no form to restore the default.

SYNTAX
ipv6 mld snooping router-port-expire-time time
no ipv6 mld snooping router-port-expire-time
time - Specifies the timeout of a dynamically learned router port.

◆ When set to “router-port,” any received IPv6 multicast packets that have not been requested by a host are forwarded to ports that are connected to a detected multicast router.

EXAMPLE
Console(config)#ipv6 mld snooping unknown-multicast mode flood
Console(config)#

ipv6 mld snooping version
This command configures the MLD snooping version. Use the no form to restore the default.

SYNTAX
ipv6 mld snooping version {1 | 2}
1 - MLD version 1.
group only if no host replies to the query within the specified timeout period.
◆ If MLD immediate-leave is enabled, the switch assumes that only one host is connected to the interface. Therefore, immediate leave should only be enabled on an interface if it is connected to only one MLD-enabled device, either a service host or a neighbor running MLD snooping.

EXAMPLE
The following shows how to enable MLD immediate leave.

Console(config)#ipv6 mld snooping vlan 1 mrouter ethernet 1/1
Console(config)#

ipv6 mld snooping vlan static
This command adds a port to an IPv6 multicast group. Use the no form to remove the port.

SYNTAX
[no] ipv6 mld snooping vlan vlan-id static ipv6-address interface
vlan-id - VLAN ID (Range: 1-4094)
ipv6-address - An IPv6 address of a multicast group. (Format: X:X:X:X::X)
interface
 ethernet unit/port
  unit - Stack unit. (Range: 1)
  port - Port number.

EXAMPLE
Console#clear ipv6 mld snooping groups dynamic
Console#

clear ipv6 mld snooping statistics
This command clears MLD snooping statistics.

SYNTAX
clear ipv6 mld snooping statistics [interface interface]
interface
 ethernet unit/port
  unit - Unit identifier. (Range: 1)
  port - Port number.

show ipv6 mld snooping group
This command shows known multicast groups, member ports, and the means by which each group was learned.

MLD FILTERING AND THROTTLING

 Option: Filter Mode: Include, Exclude
Console#

show ipv6 mld snooping mrouter
This command shows MLD Snooping multicast router information.

SYNTAX
show ipv6 mld snooping mrouter vlan vlan-id
vlan-id - A VLAN identification number.

Table 161: IGMP Filtering and Throttling Commands (Continued)
Command                            Function                                                         Mode
ipv6 multicast-data-drop           Enable multicast data guard mode on a port interface             IC
show ipv6 mld filter               Displays the MLD filtering status                                PE
show ipv6 mld profile              Displays MLD profiles and settings                               PE
show ipv6 mld query-drop           Shows if the interface is configured to drop MLD query packets   PE
show ipv6 mld throttle interface   Displays the MLD t
CHAPTER 39 | Multicast Filtering Commands MLD Filtering and Throttling ipv6 mld profile This command creates an MLD filter profile number and enters MLD profile configuration mode. Use the no form to delete a profile number. SYNTAX [no] ipv6 mld profile profile-number profile-number - An MLD filter profile number. (Range: 1-4294967295) DEFAULT SETTING Disabled COMMAND MODE Global Configuration COMMAND USAGE A profile defines the multicast groups that a subscriber is permitted or denied to join.
CHAPTER 39 | Multicast Filtering Commands MLD Filtering and Throttling EXAMPLE Console(config)#ipv6 mld profile 19 Console(config-mld-profile)#permit Console(config-mld-profile)# range This command specifies multicast group addresses for a profile. Use the no form to delete addresses from a profile. SYNTAX [no] range low-ipv6-address [high-ipv6-address] low-ipv6-address - A valid IPv6 address (X:X:X:X::X) of a multicast group or start of a group range.
CHAPTER 39 | Multicast Filtering Commands MLD Filtering and Throttling COMMAND USAGE ◆ The MLD filtering profile must first be created with the ipv6 mld profile command before being able to assign it to an interface. ◆ Only one profile can be assigned to an interface. ◆ A profile can also be assigned to a trunk interface. When ports are configured as trunk members, the trunk uses the filtering profile assigned to the first port member in the trunk.
EXAMPLE Console(config)#interface ethernet 1/1 Console(config-if)#ipv6 mld max-groups 10 Console(config-if)# ipv6 mld max-groups action This command sets the MLD throttling action for an interface on the switch. SYNTAX ipv6 mld max-groups action {deny | replace} deny - The new multicast group join report is dropped. replace - The new multicast group replaces an existing group.
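The deny/replace behaviour described above, as an added example that is not part of this guide: a Python model of one port's MLD group table under max-groups throttling. The switch's internal data structures are not published, and the guide does not say which existing group is replaced when the action is "replace"; the model assumes the oldest learned group is evicted, so treat that ordering as an assumption.

```python
"""Model of MLD max-groups throttling (added example, not the switch's own code)."""
from collections import OrderedDict


class MldPortThrottle:
    """Per-port MLD group table limited to `max_groups` entries."""

    def __init__(self, max_groups: int, action: str = "deny") -> None:
        if action not in ("deny", "replace"):
            raise ValueError("action must be 'deny' or 'replace'")
        self.max_groups = max_groups
        self.action = action
        # Insertion-ordered so that "replace" can evict the oldest group
        # (assumed policy; the guide only says "replaces an existing group").
        self.groups: "OrderedDict[str, None]" = OrderedDict()
        self.dropped = 0          # join reports dropped by the "deny" action

    def join(self, group: str) -> bool:
        """Process a join report for `group`; True if the port is now a member."""
        if group in self.groups:
            return True                       # already a member, nothing to do
        if len(self.groups) < self.max_groups:
            self.groups[group] = None         # room left: learn the group
            return True
        if self.action == "deny":
            self.dropped += 1                 # table full: report is dropped
            return False
        self.groups.popitem(last=False)       # table full: evict oldest, admit new
        self.groups[group] = None
        return True

    def leave(self, group: str) -> None:
        """Remove `group` on a leave report (no-op if not a member)."""
        self.groups.pop(group, None)


def simulate(action: str, max_groups: int, joins):
    """Feed a sequence of join reports to a port; return (groups, dropped, per-join results)."""
    port = MldPortThrottle(max_groups, action)
    results = [port.join(g) for g in joins]
    return list(port.groups), port.dropped, results
```

With max-groups 2 and three distinct joins, "deny" keeps the first two groups and drops the third report, while "replace" ends up holding the last two; the dropped counter is the value a practitioner would watch to spot a host exceeding its quota.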
COMMAND USAGE This command can be used to drop any query packets received on the specified interface. If this switch is acting as a Querier, this prevents it from being affected by messages received from another Querier. EXAMPLE Console(config)#interface ethernet 1/1 Console(config-if)#ipv6 mld query-drop Console(config-if)# ipv6 multicast-data-drop Use this command to enable multicast data guard mode on a port interface.
EXAMPLE
Console#show ipv6 mld filter
MLD filter Enabled
Console#show ipv6 mld filter interface ethernet 1/3
Ethernet 1/3 information
--------------------------------
 MLD Profile 19
 Deny
 Range ff05::101 ff05::103
Console#
show ipv6 mld profile This command displays MLD filtering profiles created on the switch. SYNTAX show ipv6 mld profile [profile-number] profile-number - An existing MLD filter profile number.
DEFAULT SETTING None COMMAND MODE Privileged Exec COMMAND USAGE Using this command without specifying an interface displays all interfaces. EXAMPLE Console#show ipv6 mld query-drop interface ethernet 1/1 Ethernet 1/1: Enabled Console# show ipv6 mld throttle interface This command displays the interface settings for MLD throttling. SYNTAX show ipv6 mld throttle interface [interface] interface ethernet unit/port unit - Unit identifier.
CHAPTER 39 | Multicast Filtering Commands MVR for IPv4 MVR FOR IPV4 This section describes commands used to configure Multicast VLAN Registration for IPv4 (MVR). A single network-wide VLAN can be used to transmit multicast traffic (such as television channels) across a service provider’s network. Any multicast traffic entering an MVR VLAN is sent to all subscribers.
Table 162: Multicast VLAN Registration for IPv4 Commands (Continued)
Command | Function | Mode
show mvr interface | Shows MVR settings for interfaces attached to the MVR VLAN | PE
show mvr members | Shows information about the current number of entries in the forwarding database, or detailed information about a specific multicast address | PE
show mvr profile | Shows all configured MVR profiles | PE
show mvr statistics | Shows MVR protocol statistics for th
COMMAND MODE Global Configuration EXAMPLE The following example binds an MVR group address profile to domain 1: Console(config)#mvr domain 1 associated-profile rd Console(config)# RELATED COMMANDS mvr profile (1261) mvr domain This command enables Multicast VLAN Registration (MVR) for a specific domain. Use the no form of this command to disable MVR for a domain. SYNTAX [no] mvr domain domain-id domain-id - An independent multicast domain.
CHAPTER 39 | Multicast Filtering Commands MVR for IPv4 mvr profile This command maps a range of MVR group addresses to a profile. Use the no form of this command to remove the profile. SYNTAX mvr profile profile-name start-ip-address end-ip-address profile-name - The name of a profile containing one or more MVR group addresses. (Range: 1-21 characters) start-ip-address - Starting IPv4 address for an MVR multicast group. (Range: 224.0.1.0 - 239.255.255.
CHAPTER 39 | Multicast Filtering Commands MVR for IPv4 DEFAULT SETTING 125 seconds COMMAND MODE Global Configuration COMMAND USAGE This command sets the general query interval at which active receiver ports send out general queries. This interval is only effective when proxy switching is enabled with the mvr proxy-switching command. EXAMPLE This example sets the proxy query interval for MVR proxy switching.
CHAPTER 39 | Multicast Filtering Commands MVR for IPv4 mvr proxy-switching This command enables MVR proxy switching, where the source port acts as a host, and the receiver port acts as an MVR router with querier service enabled. Use the no form to disable this function. SYNTAX [no] mvr proxy-switching DEFAULT SETTING Enabled COMMAND MODE Global Configuration COMMAND USAGE ◆ When MVR proxy-switching is enabled, an MVR source port serves as the upstream or host interface.
RELATED COMMANDS mvr robustness-value (1264) mvr robustness-value This command configures the expected packet loss, and thereby the number of times to generate report and group-specific queries. Use the no form to restore the default setting. SYNTAX mvr robustness-value value no mvr robustness-value value - The robustness used for all interfaces.
CHAPTER 39 | Multicast Filtering Commands MVR for IPv4 COMMAND USAGE ◆ By default, the switch forwards any multicast streams within the address range set by a profile, and bound to a domain. The multicast streams are sent to all source ports on the switch and to all receiver ports that have elected to receive data on that multicast address. ◆ When the mvr source-port-mode dynamic command is used, the switch only forwards multicast streams which the source port has dynamically joined.
CHAPTER 39 | Multicast Filtering Commands MVR for IPv4 mvr vlan This command specifies the VLAN through which MVR multicast data is received. Use the no form of this command to restore the default MVR VLAN. SYNTAX mvr domain domain-id vlan vlan-id no mvr domain domain-id vlan domain-id - An independent multicast domain. (Range: 1-5) vlan-id - Specifies the VLAN through which MVR multicast data is received. This is also the VLAN to which all source ports must be assigned.
CHAPTER 39 | Multicast Filtering Commands MVR for IPv4 COMMAND MODE Interface Configuration (Ethernet, Port Channel) COMMAND USAGE ◆ Immediate leave applies only to receiver ports. When enabled, the receiver port is immediately removed from the multicast group identified in the leave message.
CHAPTER 39 | Multicast Filtering Commands MVR for IPv4 ◆ Receiver ports can belong to different VLANs, but should not normally be configured as a member of the MVR VLAN. IGMP snooping can also be used to allow a receiver port to dynamically join or leave multicast groups not sourced through the MVR VLAN. Also, note that VLAN membership for MVR receiver ports cannot be set to access mode (see the switchport mode command). ◆ One or more interfaces may be configured as MVR source ports.
CHAPTER 39 | Multicast Filtering Commands MVR for IPv4 COMMAND MODE Interface Configuration (Ethernet, Port Channel) COMMAND USAGE ◆ Multicast groups can be statically assigned to a receiver port using this command. ◆ The IP address range from 224.0.0.0 to 239.255.255.255 is used for multicast streams. MVR group addresses cannot fall within the reserved IP multicast address range of 224.0.0.x. ◆ Only IGMP version 2 or 3 hosts can issue multicast join or leave messages.
clear mvr statistics This command clears MVR statistics. SYNTAX clear mvr statistics [interface interface] interface ethernet unit/port unit - Unit identifier. (Range: 1) port - Port number.
MVR Current Learned Groups : 10
MVR Upstream Source IP     : 192.168.0.3
Table 163: show mvr - display description Field Description MVR 802.
CHAPTER 39 | Multicast Filtering Commands MVR for IPv4 show mvr interface This command shows MVR configuration settings for interfaces attached to the MVR VLAN. SYNTAX show mvr [domain domain-id] interface domain-id - An independent multicast domain. (Range: 1-5) DEFAULT SETTING Displays configuration settings for all attached interfaces.
CHAPTER 39 | Multicast Filtering Commands MVR for IPv4 show mvr members This command shows information about the current number of entries in the forwarding database, detailed information about a specific multicast address, the IP address of the hosts subscribing to all active multicast groups, or the multicast groups associated with each port. SYNTAX show mvr [domain domain-id] members [ip-address | host-ip-address [interface] | sort-by-port [interface]]] domain-id - An independent multicast domain.
CHAPTER 39 | Multicast Filtering Commands MVR for IPv4 The following example shows detailed information about a specific multicast address: Console#show mvr domain 1 members 234.5.6.7 MVR Domain : 1 MVR Forwarding Entry Count :1 Flag: S - Source port, R - Receiver port. H - Host counts (number of hosts joined to group on this port). P - Port counts (number of ports joined to group). Up time: Group elapsed time (d:h:m:s). Expire : Group remaining time (m:s).
CHAPTER 39 | Multicast Filtering Commands MVR for IPv4 show mvr statistics This command shows MVR protocol-related statistics for the specified interface. SYNTAX show mvr statistics {input | output} [interface interface] show mvr domain domain-id statistics {input [interface interface] | output [interface interface] | query} domain-id - An independent multicast domain. (Range: 1-5) interface ethernet unit/port unit - Unit identifier. (Range: 1) port - Port number.
CHAPTER 39 | Multicast Filtering Commands MVR for IPv4 Table 166: show mvr statistics input - display description (Continued) Field Description Drop The number of times a report, leave or query was dropped. Packets may be dropped due to invalid format, rate limiting, packet content not allowed, or MVR group report received Join Succ The number of times a multicast group was successfully joined. Group The number of MVR groups active on this interface.
CHAPTER 39 | Multicast Filtering Commands MVR for IPv6 Table 168: show mvr statistics query - display description (Continued) Field Description General Query Sent The number of general queries sent from this interface. Specific Query Received The number of specific queries received on this interface. Specific Query Sent The number of specific queries sent from this interface. Number of Reports Sent The number of reports sent from this interface.
CHAPTER 39 | Multicast Filtering Commands MVR for IPv6 Table 169: Multicast VLAN Registration for IPv6 Commands (Continued) Command Function Mode clear mvr6 statistics Clears the MVR statistics globally or on a per-interface basis.
CHAPTER 39 | Multicast Filtering Commands MVR for IPv6 mvr6 domain This command enables Multicast VLAN Registration (MVR) for a specific domain. Use the no form of this command to disable MVR for a domain. SYNTAX [no] mvr6 domain domain-id domain-id - An independent multicast domain.
CHAPTER 39 | Multicast Filtering Commands MVR for IPv6 COMMAND USAGE ◆ Use this command to statically configure all multicast group addresses that will join the MVR VLAN. Any multicast data associated with an MVR group is sent from all source ports, and to all receiver ports that have registered to receive data from that multicast group. ◆ IGMP snooping and MVR share a maximum number of 1024 groups.
EXAMPLE This example maps a range of multicast group addresses to the profile named rd. Console(config)#mvr profile rd 228.1.23.1 228.1.23.10 Console(config)# mvr6 proxy-switching This command enables MVR proxy switching, where the source port acts as a host, and the receiver port acts as an MVR router with querier service enabled. Use the no form to disable this function.
■ When a receiver port receives a query message, it will be dropped. EXAMPLE The following example enables MVR6 proxy switching. Console(config)#mvr6 proxy-switching Console(config)# RELATED COMMANDS mvr6 robustness-value (1282) mvr6 robustness-value This command configures the expected packet loss, and thereby the number of times to generate report and group-specific queries. Use the no form to restore the default setting.
mvr6 source-port-mode dynamic This command configures the switch to only forward multicast streams which the source port has dynamically joined. Use the no form to restore the default setting. SYNTAX [no] mvr6 source-port-mode dynamic DEFAULT SETTING Forwards all multicast streams which have been specified in a profile and bound to a domain.
CHAPTER 39 | Multicast Filtering Commands MVR for IPv6 COMMAND MODE Global Configuration COMMAND USAGE All IPv6 addresses must be according to RFC 2373 “IPv6 Addressing Architecture,” using 8 colon-separated 16-bit hexadecimal values. One double colon may be used in the address to indicate the appropriate number of zeros required to fill the undefined fields. (Note that the IP address ff02::X is reserved.
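Added example (not from this guide) covering the MVR address rules from both the IPv4 section (profile ranges within 224.0.1.0 to 239.255.255.255, nothing in the reserved 224.0.0.x block, profile names of 1-21 characters) and the IPv6 note above (RFC 2373 text forms with one "::", ff02::X reserved): a small validator to run over proposed mvr profile / mvr6 profile ranges before they are pushed to the switch. Applying the 1-21 character name limit to IPv6 profiles as well is an assumption; the guide states it only for the IPv4 command.

```python
"""Validator for MVR / MVR6 profile ranges (added example, not the switch's own code)."""
import ipaddress

IPV4_RESERVED = ipaddress.IPv4Network("224.0.0.0/24")   # 224.0.0.x: not allowed for MVR groups
IPV6_RESERVED = ipaddress.IPv6Network("ff02::/16")       # ff02::X: reserved per the guide
NAME_MIN, NAME_MAX = 1, 21                               # profile-name length (mvr profile syntax)


def _check_name(name: str) -> list:
    if NAME_MIN <= len(name) <= NAME_MAX:
        return []
    return [f"profile name must be {NAME_MIN}-{NAME_MAX} characters"]


def check_mvr_profile(name: str, start: str, end: str) -> list:
    """Problems with an IPv4 'mvr profile name start end' line; an empty list means OK."""
    problems = _check_name(name)
    try:
        lo, hi = ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)
    except ValueError as exc:
        return problems + [f"unparseable IPv4 address: {exc}"]
    if lo > hi:
        problems.append("start address is higher than end address")
    for addr in (lo, hi):
        if not addr.is_multicast:                        # outside 224.0.0.0/4
            problems.append(f"{addr} is not an IPv4 multicast address")
        elif addr in IPV4_RESERVED:                      # 224.0.0.x link-local control block
            problems.append(f"{addr} is in the reserved 224.0.0.x block")
    return problems


def check_mvr6_profile(name: str, start: str, end: str) -> list:
    """Problems with an IPv6 profile range; accepts any RFC 2373 text form, '::' included."""
    problems = _check_name(name)                         # assumed to apply to MVR6 too
    try:
        lo, hi = ipaddress.IPv6Address(start), ipaddress.IPv6Address(end)
    except ValueError as exc:
        return problems + [f"unparseable IPv6 address: {exc}"]
    if lo > hi:
        problems.append("start address is higher than end address")
    for addr in (lo, hi):
        if not addr.is_multicast:                        # outside ff00::/8
            problems.append(f"{addr} is not an IPv6 multicast address")
        elif addr in IPV6_RESERVED:
            problems.append(f"{addr} is in the reserved ff02::X block")
    return problems


def canonical_ipv6(text: str) -> str:
    """Normalise to the compressed RFC 2373 form the switch displays (e.g. ff05::101)."""
    return ipaddress.IPv6Address(text).compressed
```

Run the checks from a change-review script before the profile is committed; the switch will reject some of these itself, but catching a range that silently spans the reserved block, or a typo that turns a multicast group into a unicast address, is cheaper before the maintenance window than after.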
mvr6 immediate-leave This command causes the switch to immediately remove an interface from a multicast stream as soon as it receives a leave message for that group. Use the no form to restore the default settings. SYNTAX [no] mvr6 domain domain-id immediate-leave domain-id - An independent multicast domain.
CHAPTER 39 | Multicast Filtering Commands MVR for IPv6 source - Configures the interface as an uplink port that can send and receive multicast data for the configured multicast groups. Note that the source port must be manually configured as a member of the MVR6 VLAN using the switchport allowed vlan command. DEFAULT SETTING The port type is not defined.
CHAPTER 39 | Multicast Filtering Commands MVR for IPv6 mvr6 vlan group This command statically binds a multicast group to a port which will receive long-term multicast streams associated with a stable set of hosts. Use the no form to restore the default settings. SYNTAX [no] mvr6 domain domain-id vlan vlan-id group ip-address domain-id - An independent multicast domain. (Range: 1-5) vlan-id - Receiver VLAN to which the specified multicast traffic is flooded.
clear mvr6 groups dynamic This command clears multicast group information dynamically learned through MVR6. SYNTAX clear mvr6 groups dynamic [domain domain-id] domain-id - An independent multicast domain. (Range: 1-5) COMMAND MODE Privileged Exec COMMAND USAGE This command only clears entries learned through MVR6. Statically configured multicast addresses are not cleared.
CHAPTER 39 | Multicast Filtering Commands MVR for IPv6 show mvr6 This command shows information about MVR domain settings, including MVR operational status, the multicast VLAN, the current number of group addresses, and the upstream source IP address. SYNTAX show mvr6 [domain domain-id] domain-id - An independent multicast domain. (Range: 1-5) DEFAULT SETTING Displays configuration settings for all MVR domains.
Table 170: show mvr6 - display description (Continued) Field Description MVR6 Multicast VLAN Shows the VLAN used to transport all MVR multicast traffic. MVR6 Upstream Source IP The source IP address assigned to all upstream control packets. show mvr6 associated-profile This command shows the profiles bound to the specified domain. SYNTAX show mvr6 [domain domain-id] associated-profile domain-id - An independent multicast domain.
EXAMPLE The following displays information about the interfaces attached to the MVR VLAN in domain 1:
Console#show mvr6 domain 1 interface
MVR6 Domain : 1
Port     Type     Status     Immediate  Static Group Address
-------- -------- ---------- ---------- ------------------------
Eth1/ 1  Source   Active/Up
Eth1/ 2  Receiver Active/Up  Disabled   FF00::1(VLAN2)
Console#
Table 171: show mvr6 interface - display description Field Description Port Shows interfaces attach
H - Host counts (number of hosts joined to the group on this port). P - Port counts (number of ports joined to the group). Up time: Group elapsed time (d:h:m:s). Expire: Group remaining time (m:s).
EXAMPLE The following shows all configured MVR profiles:
Console#show mvr6 profile
MVR Profile Name     Start IPv6 Addr.          End IPv6 Addr.
-------------------- ------------------------- -------------------------
rd                   FF00::1                   FF00::9
Console#
show mvr6 statistics This command shows MVR protocol-related statistics for the specified interface.
Table 173: show mvr6 statistics input - display description Field Description Interface Shows interfaces attached to the MVR. Report The number of MLD membership reports received on this interface. Leave The number of leave messages received on this interface. G Query The number of general query messages received on this interface.
40 LLDP COMMANDS Link Layer Discovery Protocol (LLDP) is used to discover basic information about neighboring devices on the local broadcast domain. LLDP is a Layer 2 protocol that uses periodic broadcasts to advertise information about the sending device. Advertised information is represented in Type Length Value (TLV) format according to the IEEE 802.1AB standard, and can include details such as device identification, capabilities and configuration settings.
CHAPTER 40 | LLDP Commands Table 175: LLDP Commands (Continued)
Command | Function | Mode
lldp basic-tlv system-name | Configures an LLDP-enabled port to advertise its system name | IC
lldp dot1-tlv proto-ident* | Configures an LLDP-enabled port to advertise the supported protocols | IC
lldp dot1-tlv proto-vid* | Configures an LLDP-enabled port to advertise port-based protocol related VLAN information | IC
lldp dot1-tlv pvid* | Configures an LLDP-enabled port to advertise its default VLAN ID | IC
lldp dot1-tlv v
lldp This command enables LLDP globally on the switch. Use the no form to disable LLDP. SYNTAX [no] lldp DEFAULT SETTING Enabled COMMAND MODE Global Configuration EXAMPLE Console(config)#lldp Console(config)# lldp holdtime-multiplier This command configures the time-to-live (TTL) value sent in LLDP advertisements. Use the no form to restore the default setting.
lldp med-fast-start-count This command specifies the number of MED Fast Start LLDPDUs to transmit during the activation process of the LLDP-MED Fast Start mechanism. Use the no form to restore the default setting. SYNTAX lldp med-fast-start-count packets packets - Number of packets.
CHAPTER 40 | LLDP Commands ◆ Information about changes in LLDP neighbors that occur between SNMP notifications is not transmitted. Only state changes that exist at the time of a notification are included in the transmission. An SNMP agent should therefore periodically check the value of lldpStatsRemTableLastChangeTime to detect any lldpRemTablesChange notification-events missed due to throttling or transmission loss.
CHAPTER 40 | LLDP Commands COMMAND MODE Global Configuration COMMAND USAGE When LLDP is re-initialized on a port, all information in the remote systems LLDP MIB associated with this port is deleted. EXAMPLE Console(config)#lldp reinit-delay 10 Console(config)# lldp tx-delay This command configures a delay between the successive transmission of advertisements initiated by a change in local LLDP MIB variables. Use the no form to restore the default setting.
CHAPTER 40 | LLDP Commands lldp admin-status This command enables LLDP transmit, receive, or transmit and receive mode on the specified port. Use the no form to disable this feature. SYNTAX lldp admin-status {rx-only | tx-only | tx-rx} no lldp admin-status rx-only - Only receive LLDP PDUs. tx-only - Only transmit LLDP PDUs. tx-rx - Both transmit and receive LLDP Protocol Data Units (PDUs).
CHAPTER 40 | LLDP Commands enterprise specific or other starting points for the search, such as the Interface or Entity MIB. ◆ Since there are typically a number of different addresses associated with a Layer 3 device, an individual LLDP PDU may contain more than one management address TLV.
lldp basic-tlv system-capabilities This command configures an LLDP-enabled port to advertise its system capabilities. Use the no form to disable this feature. SYNTAX [no] lldp basic-tlv system-capabilities DEFAULT SETTING Enabled COMMAND MODE Interface Configuration (Ethernet, Port Channel) COMMAND USAGE The system capabilities identify the primary function(s) of the system and whether or not these primary functions are enabled.
lldp basic-tlv system-name This command configures an LLDP-enabled port to advertise the system name. Use the no form to disable this feature. SYNTAX [no] lldp basic-tlv system-name DEFAULT SETTING Enabled COMMAND MODE Interface Configuration (Ethernet, Port Channel) COMMAND USAGE The system name is taken from the sysName object in RFC 3418, which contains the system’s administratively assigned name, and is in turn based on the hostname command.
lldp dot1-tlv proto-vid This command configures an LLDP-enabled port to advertise port-based protocol VLAN information. Use the no form to disable this feature. SYNTAX [no] lldp dot1-tlv proto-vid DEFAULT SETTING Enabled COMMAND MODE Interface Configuration (Ethernet, Port Channel) COMMAND USAGE This option advertises the port-based protocol VLANs configured on this interface (see "Configuring Protocol-based VLANs" on page 1153).
lldp dot1-tlv vlan-name This command configures an LLDP-enabled port to advertise its VLAN name. Use the no form to disable this feature. SYNTAX [no] lldp dot1-tlv vlan-name DEFAULT SETTING Enabled COMMAND MODE Interface Configuration (Ethernet, Port Channel) COMMAND USAGE This option advertises the names of all VLANs to which this interface has been assigned. See "switchport allowed vlan" on page 1135 and "protocol-vlan protocol-group (Configuring Interfaces)" on page 1155.
lldp dot3-tlv mac-phy This command configures an LLDP-enabled port to advertise its MAC and physical layer capabilities. Use the no form to disable this feature. SYNTAX [no] lldp dot3-tlv mac-phy DEFAULT SETTING Enabled COMMAND MODE Interface Configuration (Ethernet, Port Channel) COMMAND USAGE This option advertises MAC/PHY configuration/status which includes information about auto-negotiation support/capabilities, and operational Multistation Access Unit (MAU) type.
lldp med-location civic-addr This command configures an LLDP-MED-enabled port to advertise its location identification details. Use the no form to restore the default settings. SYNTAX lldp med-location civic-addr [[country country-code] | [what device-type] | [ca-type ca-value]] no lldp med-location civic-addr [[country] | [what] | [ca-type]] country-code – The two-letter ISO 3166 country code in capital ASCII letters.
Table 176: LLDP MED Location CA Types (Continued)
CA Type | Description | CA Value Example
18 | Street suffix or type | Avenue
19 | House number | 320
20 | House number suffix | A
21 | Landmark or vanity address | Tech Center
26 | Unit (apartment, suite) | Apt 519
27 | Floor | 5
28 | Room | 509B
Any number of CA type and value pairs can be specified for the civic address location, as long as the total does not exceed 250 characters.
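An added example, not the switch's own encoder, of what the country, what and CA type/value parameters above turn into on the wire and how the 250-character ceiling is enforced. The byte layout (a one-octet LCI length, a one-octet What, the two-letter country code, then CA type, CA length and CA value triples) is my reading of the civic address format in RFC 4776 as carried by ANSI/TIA-1057; treat that layout, and the decision to count the 250 characters over the encoded type/length/value bytes, as assumptions. The decoder is included because received civic-address TLVs come from untrusted neighbours and must be length-checked rather than read to the end of whatever arrives.

```python
"""LLDP-MED civic address LCI encoder/decoder (added example, not the switch's own code)."""

MAX_CA_CHARS = 250      # limit stated in the guide for all CA type/value pairs combined
MAX_LCI_BODY = 255      # the LCI length is a one-octet field (assumption: RFC 4776 / TIA-1057)
WHAT_VALUES = {0: "DHCP server", 1: "network element closest to the client", 2: "client"}
CA_TYPES = {18: "Street suffix or type", 19: "House number", 20: "House number suffix",
            21: "Landmark or vanity address", 26: "Unit (apartment, suite)", 27: "Floor",
            28: "Room"}


def encode_civic_address(country: str, what: int, entries) -> bytes:
    """Return LCI bytes: length, What, 2-byte country code, then (CAtype, CAlength, CAvalue)...

    `entries` is a list of (ca_type, value) pairs in the order they should be advertised."""
    if len(country) != 2 or not (country.isascii() and country.isalpha() and country.isupper()):
        raise ValueError("country must be a two-letter upper-case ISO 3166 code")
    if what not in WHAT_VALUES:
        raise ValueError("what must be 0 (DHCP server), 1 (network element) or 2 (client)")
    ca_bytes = b""
    for ca_type, value in entries:
        if not 0 <= ca_type <= 255:
            raise ValueError(f"CA type {ca_type} does not fit in one octet")
        raw = value.encode("utf-8")
        if len(raw) > 255:
            raise ValueError(f"CA value for type {ca_type} exceeds 255 bytes")
        ca_bytes += bytes([ca_type, len(raw)]) + raw
    # The guide's 250-character ceiling is applied to the encoded CA pairs; with the
    # 3-byte What/country header the result always fits the one-octet LCI length.
    if len(ca_bytes) > MAX_CA_CHARS:
        raise ValueError(f"civic address pairs total {len(ca_bytes)} bytes, limit is {MAX_CA_CHARS}")
    body = bytes([what]) + country.encode("ascii") + ca_bytes
    assert len(body) <= MAX_LCI_BODY
    return bytes([len(body)]) + body


def decode_civic_address(blob: bytes):
    """Inverse of encode_civic_address; rejects truncated input instead of reading past it."""
    if not blob or blob[0] < 3 or len(blob) < 1 + blob[0]:
        raise ValueError("truncated or empty LCI")
    body = blob[1:1 + blob[0]]
    what, country = body[0], body[1:3].decode("ascii")
    entries, i = [], 3
    while i < len(body):
        if i + 2 > len(body):
            raise ValueError("truncated CA header")
        ca_type, ca_len = body[i], body[i + 1]
        value = body[i + 2:i + 2 + ca_len]
        if len(value) != ca_len:                  # length field points past the end
            raise ValueError("truncated CA value")
        entries.append((ca_type, value.decode("utf-8")))
        i += 2 + ca_len
    return country, what, entries


def rejects(country, what, entries) -> bool:
    """True if the encoder refuses the input (used to exercise the limits)."""
    try:
        encode_civic_address(country, what, entries)
    except ValueError:
        return True
    return False
```

Keep in mind that whatever is configured here is advertised to every LLDP neighbour on the port; a street address and room number are useful to an emergency-call system and equally useful to anyone with a laptop on the same segment, so advertise them only on ports that need them.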
CHAPTER 40 | LLDP Commands COMMAND USAGE ◆ This option sends out SNMP trap notifications to designated target stations at the interval specified by the lldp notification-interval command. Trap notifications include information about state changes in the LLDP MIB (IEEE 802.1AB), the LLDP-MED MIB (ANSI/TIA 1057), or organization-specific LLDP-EXT-DOT1 and LLDP-EXT-DOT3 MIBs. ◆ SNMP trap destinations are defined using the snmp-server host command.
CHAPTER 40 | LLDP Commands lldp med-tlv location This command configures an LLDP-MED-enabled port to advertise its location identification details. Use the no form to disable this feature. SYNTAX [no] lldp med-tlv location DEFAULT SETTING Enabled COMMAND MODE Interface Configuration (Ethernet, Port Channel) COMMAND USAGE This option advertises location identification details.
lldp med-tlv network-policy This command configures an LLDP-MED-enabled port to advertise its network policy configuration. Use the no form to disable this feature. SYNTAX [no] lldp med-tlv network-policy DEFAULT SETTING Enabled COMMAND MODE Interface Configuration (Ethernet, Port Channel) COMMAND USAGE This option advertises network policy configuration information, aiding in the discovery and diagnosis of VLAN configuration mismatches on a port.
An SNMP agent should therefore periodically check the value of lldpStatsRemTableLastChangeTime to detect any lldpRemTablesChange notification-events missed due to throttling or transmission loss. EXAMPLE Console(config)#interface ethernet 1/1 Console(config-if)#lldp notification Console(config-if)# show lldp config This command shows LLDP configuration settings for all ports. SYNTAX show lldp config [detail interface] detail - Shows detailed configuration settings for the specified interface.
Console#show lldp config detail ethernet 1/1
LLDP Port Configuration Detail
 Port                 : Eth 1/1
 Admin Status         : Tx-Rx
 Notification Enabled : True
 Basic TLVs Advertised:
  port-description
  system-name
  system-description
  system-capabilities
  management-ip-address
 802.1 specific TLVs Advertised:
  *port-vid
  *vlan-name
  *proto-vlan
  *proto-ident
 802.
EXAMPLE
Console#show lldp info local-device
LLDP Local System Information
 Chassis Type                : MAC Address
 Chassis ID                  : 00-01-02-03-04-05
 System Name                 :
 System Description          : ES3528MV2
 System Capabilities Support : Bridge
 System Capabilities Enable  : Bridge
 Management Address          : 192.168.0.
EXAMPLE Note that an IP phone or other end-node device which advertises LLDP-MED capabilities must be connected to the switch for information to be displayed in the “Device Class” field.
The following example shows the information displayed for an end-node device which advertises LLDP-MED TLVs. ...
EXAMPLE
Console#show lldp info statistics
LLDP Device Statistics
 Neighbor Entries List Last Updated : 2450279 seconds
 New Neighbor Entries Count         : 1
 Neighbor Entries Deleted Count     : 0
 Neighbor Entries Dropped Count     : 0
 Neighbor Entries Ageout Count      : 0

 Port     NumFramesRecvd NumFramesSent NumFramesDiscarded
 -------- -------------- ------------- ------------------
 Eth 1/1               0            83                  0
 Eth 1/2              11            12                  0
 Eth 1/3               0             0                  0
 Eth 1/4               0             0                  0
 Eth 1/5               0             0                  0
 . . .
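Added example, not part of this guide: a parser for the statistics output above with a small audit on top. The sample text is a constructed variant of the guide's output in which Eth 1/4 has been given received and discarded frames so there is something to flag; the set of ports on which a neighbour is expected is the operator's own inventory and is assumed here. LLDP frames arriving on a port that should have no LLDP neighbour usually mean a new switch, phone or laptop running an LLDP daemon has been plugged in, and discarded frames mean the switch rejected LLDPDUs it could not parse.

```python
"""Audit of 'show lldp info statistics' output (added example, not the switch's own code)."""
import re

# Constructed variant of the guide's sample output (Eth 1/4 altered to carry counts).
SAMPLE_OUTPUT = """\
LLDP Device Statistics
 Neighbor Entries List Last Updated : 2450279 seconds
 New Neighbor Entries Count         : 1
 Neighbor Entries Deleted Count     : 0
 Neighbor Entries Dropped Count     : 0
 Neighbor Entries Ageout Count      : 0

 Port     NumFramesRecvd NumFramesSent NumFramesDiscarded
 -------- -------------- ------------- ------------------
 Eth 1/1               0            83                  0
 Eth 1/2              11            12                  0
 Eth 1/3               0             0                  0
 Eth 1/4               3             0                  2
"""

PORT_RE = re.compile(r"^\s*(Eth\s+\d+/\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$")
COUNTER_RE = re.compile(r"^\s*([A-Za-z ]+?)\s*:\s*(\d+)")


def parse_lldp_statistics(text: str):
    """Return (global counters by name, per-port counters keyed by 'Eth u/p')."""
    counters, ports = {}, {}
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            port = re.sub(r"\s+", " ", m.group(1))        # normalise 'Eth  1/1' -> 'Eth 1/1'
            ports[port] = {"recvd": int(m.group(2)), "sent": int(m.group(3)),
                           "discarded": int(m.group(4))}
            continue
        m = COUNTER_RE.match(line)
        if m:
            counters[m.group(1).strip()] = int(m.group(2))
    return counters, ports


def audit_lldp(text: str, uplink_ports) -> list:
    """Findings worth a look: LLDP heard on ports that should have no neighbour,
    frames the switch rejected, and neighbour entries dropped for lack of table space."""
    counters, ports = parse_lldp_statistics(text)
    findings = []
    for port, c in ports.items():
        if c["recvd"] and port not in uplink_ports:
            findings.append(f"{port}: {c['recvd']} LLDP frames received on a non-uplink port")
        if c["discarded"]:
            findings.append(f"{port}: {c['discarded']} LLDPDUs discarded (malformed or rejected)")
    if counters.get("Neighbor Entries Dropped Count"):
        findings.append("neighbour entries dropped: remote systems table ran out of room")
    return findings
```

Run it against the output of a scheduled `show lldp info statistics` and alert on any finding. Because the switch advertises its system name, management address and VLAN names by default, also consider whether user-facing ports need LLDP at all; the lldp admin-status command on each interface controls which direction, if any, is enabled.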
41 CFM COMMANDS Connectivity Fault Management (CFM) is an OAM protocol that includes proactive connectivity monitoring using continuity check messages, fault verification through loop back messages, and fault isolation by examining end-to-end connections between provider edge devices or between customer edge devices. CFM is implemented as a service level protocol based on service instances which encompass only that portion of the metropolitan area network supporting a specific customer.
CHAPTER 41 | CFM Commands Table 177: CFM Commands (Continued)
Command | Function | Mode
ethernet cfm mep | Sets an interface as a domain boundary, defines it as a maintenance end point (MEP), and sets direction of the MEP in regard to sending and receiving CFM messages | IC
ethernet cfm port-enable | Enables CFM processing on an interface | IC
clear ethernet cfm ais mpid | Clears AIS defect information for the specified MEP | PE
show ethernet cfm configuration | Displays CFM configuration settings, including gl
Table 177: CFM Commands (Continued)
Command | Function | Mode
ethernet cfm linktrace cache | Enables caching of CFM data learned through link trace messages | GC
ethernet cfm linktrace cache hold-time | Sets the hold time for CFM link trace cache entries | GC
ethernet cfm linktrace cache size | Sets the maximum size for the link trace cache | GC
ethernet cfm linktrace | Sends CFM link trace messages to the MAC address for a MEP | PE
clear ethernet cfm linktrace-cache | Clears link trace
CHAPTER 41 | CFM Commands Defining CFM Structures 5. Enable CFM globally on the switch with the ethernet cfm enable command. 6. Enable CFM on the local MEPs with the ethernet cfm port-enable command. 7. Enable continuity check operations with the ethernet cfm cc enable command. 8. Enable cross-check operations with the ethernet cfm mep crosscheck command.
CHAPTER 41 | CFM Commands Defining CFM Structures EXAMPLE This example sets the maintenance level for sending AIS messages within the specified MA. Console(config)#ethernet cfm ais level 4 md voip ma rd Console(config)# ethernet cfm ais ma This command enables the MEPs within the specified MA to send frames with AIS information following detection of defect conditions. Use the no form to disable this feature. SYNTAX [no] ethernet cfm ais md domain-name ma ma-name domain-name – Domain name.
ethernet cfm ais period This command configures the interval at which AIS information is sent. Use the no form to restore the default setting. SYNTAX ethernet cfm ais period period md domain-name ma ma-name no ethernet cfm ais period md domain-name ma ma-name period – The interval at which AIS information is sent. (Options: 1 second, 60 seconds) domain-name – Domain name. (Range: 1-43 alphanumeric characters) ma-name – Maintenance association name.
CHAPTER 41 | CFM Commands Defining CFM Structures COMMAND USAGE ◆ For multipoint connectivity, a MEP cannot determine the specific maintenance level entity that has encountered defect conditions upon receiving a frame with AIS information. More importantly, it cannot determine the associated subset of its peer MEPs for which it should suppress alarms since the received AIS information does not contain that information.
CHAPTER 41 | CFM Commands Defining CFM Structures pass, and only if a maintenance end point (MEP) is created at some lower MA Level. none – No MIP can be created for any MA configured in this domain. DEFAULT SETTING No maintenance domains are configured. No MIPs are created for any MA in the specified domain. COMMAND MODE Global Configuration COMMAND USAGE ◆ A domain can only be configured with one name.
Also note that MEPs are active agents which can initiate continuity check messages (CCMs), transmit loop back or link trace messages, and maintain the local CCM database. MIPs, on the other hand, are passive agents which can only validate received CFM messages, and respond to loop back and link trace messages. The MIP creation method defined by the ma index name command takes precedence over the method defined by this command.
CHAPTER 41 | CFM Commands Defining CFM Structures ma index name This command creates a maintenance association (MA) within the current maintenance domain, maps it to a customer service instance (S-VLAN), and sets the manner in which MIPs are created for this service instance. Use the no form with the vlan keyword to remove the S-VLAN from the specified MA. Or use the no form with only the index keyword to remove the MA from the current domain.
EXAMPLE This example creates a maintenance association, binds it to VLAN 1, and allows MIPs to be created within this MA using the default method. Console(config)#ethernet cfm domain index 1 name voip level 3 Console(config-ether-cfm)#ma index 1 name rd vlan 1 mip-creation default Console(config-ether-cfm)# ma index name-format This command specifies the name format for the maintenance association as IEEE 802.1ag character based, or ITU-T SG13/SG15 Y.
CHAPTER 41 | CFM Commands Defining CFM Structures ma-name – Maintenance association name. (Range: 1-43 alphanumeric characters) up – Indicates that the MEP faces inward toward the switch crossconnect matrix, and transmits CFM messages towards, and receives them from, the direction of the internal bridge relay mechanism.
CHAPTER 41 | CFM Commands Defining CFM Structures COMMAND USAGE ◆ An interface must be enabled before a MEP can be created with the ethernet cfm mep command. ◆ If a MEP has been configured on an interface with the ethernet cfm mep command, it must first be deleted before CFM can be disabled on that interface. ◆ When CFM is disabled, hardware resources previously used for CFM processing on that interface are released, and all CFM frames entering that interface are forwarded as normal data traffic.
CHAPTER 41 | CFM Commands Defining CFM Structures show ethernet cfm This command displays CFM configuration settings, including global configuration settings, SNMP traps, and interface settings. SYNTAX show ethernet cfm configuration {global | traps | interface interface} global – Displays global settings including CFM global status, crosscheck start delay, and link trace parameters. traps – Displays the status of all continuity check and cross-check traps.
CHAPTER 41 | CFM Commands Defining CFM Structures Table 178: show ethernet cfm configuration traps - display description Field Description CC MEP Up Trap Sends a trap if a remote MEP is discovered and added to the local database, the port state of a previously discovered remote MEP changes, or a CCM is received from a remote MEP which as an expired entry in the archived database.
CHAPTER 41 | CFM Commands Defining CFM Structures show ethernet cfm This command displays the configured maintenance associations. ma SYNTAX show ethernet cfm ma [level level] level – Maintenance level. (Range: 0-7) DEFAULT SETTING None COMMAND MODE Privileged Exec COMMAND USAGE For a description of the values displayed in the CC Interval field, refer to the ethernet cfm cc ma interval command. EXAMPLE This example shows all configured maintenance associations.
CHAPTER 41 | CFM Commands Defining CFM Structures DEFAULT SETTING None COMMAND MODE Privileged Exec COMMAND USAGE ◆ Use the mep keyword with this command to display the MEPs configured on this device as DSAPs through the ethernet cfm mep command. ◆ Using the mip keyword with this command to display the MIPs generated on this device by the CFM protocol when the mip-creation method is set to either “default” or “explicit” by the ethernet cfm domain command or the ma index name command.
CHAPTER 41 | CFM Commands Defining CFM Structures EXAMPLE This example shows detailed information about the local MEP on port 1.
CHAPTER 41 | CFM Commands Defining CFM Structures Table 179: show ethernet cfm maintenance-points local detail mep - display Field Description Suppress Alarm Shows if the specified MEP is configured to suppress sending frames containing AIS information following the detection of defect conditions. Suppressing Alarms Shows if the specified MEP is currently suppressing sending frames containing AIS information following the detection of defect conditions.
CHAPTER 41 | CFM Commands Defining CFM Structures CC Lifetime Age of Last CC Message Frame Loss CC Packet Statistics Port State Interface State : : : : : : 645 seconds 2 seconds 137 647/1 Up Up Crosscheck Status : Enabled Console# Table 180: show ethernet cfm maintenance-points remote detail - display Field Description MAC Address MAC address of the remote maintenance point.
CHAPTER 41 | CFM Commands Continuity Check Operations Continuity Check Operations ethernet cfm cc ma interval: This command sets the transmission delay between continuity check messages (CCMs). Use the no form to restore the default settings. SYNTAX ethernet cfm cc md domain-name ma ma-name interval interval-level no ethernet cfm cc ma ma-name interval domain-name – Domain name. (Range: 1-43 alphanumeric characters) ma-name – Maintenance association name.
ethernet cfm cc enable: This command enables the transmission of continuity check messages (CCMs) within a specified maintenance association. Use the no form to disable the transmission of these messages. SYNTAX [no] ethernet cfm cc enable md domain-name ma ma-name domain-name – Domain name. (Range: 1-43 alphanumeric characters) ma-name – Maintenance association name.
snmp-server enable traps ethernet cfm cc: This command enables SNMP traps for CFM continuity check events. Use the no form to disable these traps. SYNTAX [no] snmp-server enable traps ethernet cfm cc [config | loop | mep-down | mep-up] config – Sends a trap if this device receives a CCM with the same MPID as its own but with a different source MAC address, indicating that a CFM configuration error exists.
mep archive-hold-time: This command sets the time that data from a missing MEP is retained in the continuity check message (CCM) database before being purged. Use the no form to restore the default setting. SYNTAX mep archive-hold-time hold-time hold-time – The time to retain data for a missing MEP.
EXAMPLE
Console#clear ethernet cfm maintenance-points remote domain voip
Console#
clear ethernet cfm errors: This command clears continuity check errors logged for the specified maintenance domain or maintenance level. SYNTAX clear ethernet cfm errors [domain domain-name | level level-id] domain-name – Domain name. (Range: 1-43 alphanumeric characters) level-id – Maintenance level.
CHAPTER 41 | CFM Commands Cross Check Operations EXAMPLE
Console#show ethernet cfm errors
Level VLAN MPID Interface Remote MAC        Reason MA Name
----- ---- ---- --------- ----------------- ------ ------------
5     2    40   Eth 1/1   ab.2f.9c.00.05.01 LEAK   provider_1_2
Console#
Table 181: show ethernet cfm errors - display description Field Description Level Maintenance level associated with this entry. VLAN VLAN in which this error occurred. MPID Identifier of remote MEP.
COMMAND MODE Global Configuration COMMAND USAGE ◆ This command sets the delay that a device waits for a remote MEP to come up, after which it starts cross-checking the list of statically configured remote MEPs in the local maintenance domain against the MEPs learned through CCMs. ◆ The cross-check start delay should be configured to a value greater than or equal to the continuity check message interval to avoid generating unnecessary traps.
remote MEP configured in the static list (with the mep crosscheck mpid command). ◆ A mep-unknown trap is sent if cross-checking is enabled, and a CCM is received from a remote MEP that is not configured in the static list. ◆ A ma-up trap is sent if cross-checking is enabled, and a CCM is received from all remote MEPs configured in the static list for this maintenance association.
EXAMPLE This example defines a static MEP for the specified maintenance association.
CHAPTER 41 | CFM Commands Link Trace Operations show ethernet cfm maintenance-points remote crosscheck: This command displays information about remote MEPs statically configured in a cross-check list. SYNTAX show ethernet cfm maintenance-points remote crosscheck [domain domain-name | mpid mpid] domain-name – Domain name. (Range: 1-43 alphanumeric characters) mpid – Maintenance end point identifier.
◆ Link trace responses are returned from each MIP along the path and from the target MEP. Information stored in the cache includes the maintenance domain name, MA name, MEPID, sequence number, and TTL value. EXAMPLE This example enables link trace caching.
Console(config)#ethernet cfm linktrace cache
Console(config)#
ethernet cfm: This command sets the hold time for CFM link trace cache entries.
DEFAULT SETTING 100 entries COMMAND MODE Global Configuration COMMAND USAGE ◆ Before setting the cache size, the cache must first be enabled with the ethernet cfm linktrace cache command. ◆ If the cache reaches the maximum number of specified entries, or the size is set to a value less than the current number of stored entries, no new entries are added.
COMMAND MODE Privileged Exec COMMAND USAGE ◆ Link trace messages can be targeted to MEPs, not MIPs. Before sending a link trace message, be sure you have configured the target MEP for the specified MA. ◆ If the MAC address of the target MEP has not been learned by any local MEP, then the link trace may fail. Use the show ethernet cfm maintenance-points remote crosscheck command to verify that a MAC address has been learned for the target MEP.
show ethernet cfm linktrace-cache: This command displays the contents of the link trace cache. COMMAND MODE Privileged Exec EXAMPLE
Console#show ethernet cfm linktrace-cache
Hops MA IP / Alias  Ingress MAC       Ing. Action Relay Egress MAC Egr. Forwarded
---- -- ----------- ----------------- ----------- ----- ---------- ---- -------------
2    rd 192.168.0.6 00-12-CF-12-12-2D                                   Not Forwarded
Console#
CHAPTER 41 | CFM Commands Loopback Operations Loopback Operations ethernet cfm loopback: This command sends CFM loopback messages to a MAC address for a MEP or MIP. SYNTAX ethernet cfm loopback {dest-mep destination-mpid | src-mep source-mpid {dest-mep destination-mpid | mac-address} | mac-address} md domain-name ma ma-name [count transmit-count] [size packet-size] destination-mpid – The identifier of a MEP that is the target of the loopback message.
CHAPTER 41 | CFM Commands Fault Generator Operations When using the command line or web interface, the source MEP used to send a loopback message is chosen by the CFM protocol. However, when using SNMP, the source MEP can be specified by the user. EXAMPLE This example sends a loopback message to the specified remote MEP.
mep fault-notify lowest-priority: This command sets the lowest priority defect that is allowed to generate a fault alarm. Use the no form to restore the default setting. SYNTAX mep fault-notify lowest-priority priority no fault-notify lowest-priority priority – Lowest priority defect allowed to generate a fault alarm.
Table 184: MEP Defect Descriptions Field Description DefMACstatus Either some remote MEP is reporting its Interface Status TLV as not isUp, or all remote MEPs are reporting a Port Status TLV that contains some value other than psUp. DefRemoteCCM The MEP is not receiving valid CCMs from at least one of the remote MEPs. DefErrorCCM The MEP has received at least one invalid CCM whose CCM Interval has not yet timed out.
show ethernet cfm fault-notify-generator: This command displays configuration settings for the fault notification generator. SYNTAX show ethernet cfm fault-notify-generator mep mpid mpid – Maintenance end point identifier. (Range: 1-8191) DEFAULT SETTING None COMMAND MODE Privileged Exec EXAMPLE This example shows the fault notification settings configured for one MEP.
CHAPTER 41 | CFM Commands Delay Measure Operations Delay Measure Operations ethernet cfm delay-measure two-way: This command sends periodic delay-measure requests to a specified MEP within a maintenance association.
◆ Frame delay measurement can be made only for two-way measurements, where the MEP transmits a frame with DM request information with the TxTimeStampf (Timestamp at the time of sending a frame with DM request information), and the receiving MEP responds with a frame with DM reply information with TxTimeStampf copied from the DM request information, RxTimeStampf (Timestamp at the time of receiving a frame with DM request information), and TxTimeStampb (Tim
42 OAM COMMANDS The switch provides OAM (Operation, Administration, and Maintenance) remote management tools required to monitor and maintain the links to subscriber CPEs (Customer Premise Equipment). This section describes functions including enabling OAM for selected ports, loop back testing, and displaying device information.
CHAPTER 42 | OAM Commands efm oam: This command enables OAM functions on the specified port. Use the no form to disable this function. SYNTAX [no] efm oam DEFAULT SETTING Disabled COMMAND MODE Interface Configuration COMMAND USAGE ◆ If the remote device also supports OAM, both exchange Information OAMPDUs to establish an OAM link. ◆ Not all CPEs support OAM functions, and OAM is therefore disabled by default.
detected, fan failure, CRC error in flash memory, insufficient memory, or other hardware faults. ◆ Dying gasp events are caused by an unrecoverable failure, such as a power failure or device reset. NOTE: When system power fails, the switch will always send a dying gasp trap message prior to power down.
efm oam link-monitor frame threshold: This command sets the threshold for errored frame link events. Use the no form to restore the default setting. SYNTAX efm oam link-monitor frame threshold count no efm oam link-monitor frame threshold count - The threshold for errored frame link events.
(page 1364) is reached or exceeded within the period specified by this command. The Errored Frame Event TLV includes the number of errored frames detected during the specified period. EXAMPLE This example sets the window size to 5 seconds.
Console(config)#interface ethernet 1/1
Console(config-if)#efm oam link-monitor frame window 50
Console(config-if)#
efm oam mode: This command sets the OAM mode on the specified port. Use the no form to restore the default setting.
clear efm oam counters: This command clears statistical counters for various OAMPDU message types. SYNTAX clear efm oam counters [interface-list] interface-list - unit/port unit - Unit identifier. (Range: 1) port - Port number or list of ports. To enter a list, separate nonconsecutive port identifiers with a comma and no spaces; use a hyphen to designate a range of ports.
efm oam remote-loopback: This command starts or stops OAM loopback test mode to the attached CPE. SYNTAX efm oam remote-loopback {start | stop} interface start - Starts remote loopback test mode. stop - Stops remote loopback test mode. interface - unit/port unit - Unit identifier. (Range: 1) port - Port number. (Range: 1-28) DEFAULT SETTING None COMMAND MODE Privileged Exec COMMAND USAGE ◆ OAM remote loopback can be used for fault localization and link performance testing.
efm oam remote-loopback test: This command performs a remote loopback test, sending a specified number of packets. SYNTAX efm oam remote-loopback test interface [number-of-packets [packet-size]] interface - unit/port unit - Unit identifier. (Range: 1) port - Port number. (Range: 1-28) number-of-packets - Number of packets to send. (Range: 1-99999999) packet-size - Size of packets to send.
show efm oam counters interface: This command displays counters for various OAMPDU message types. SYNTAX show efm oam counters interface [interface-list] interface-list - unit/port unit - Unit identifier. (Range: 1) port - Port number or list of ports. To enter a list, separate nonconsecutive port identifiers with a comma and no spaces; use a hyphen to designate a range of ports.
EXAMPLE
Console#show efm oam event-log interface 1/1
OAM event log of Eth 1/1:
00:24:07 2001/01/01 "Unit 1, Port 1: Dying Gasp at Remote"
Console#
This command can also show OAM link status changes for the link partner, as shown in this example.
show efm oam remote-loopback interface: This command displays the results of an OAM remote loopback test. SYNTAX show efm oam remote-loopback interface [interface-list] interface-list - unit/port unit - Unit identifier. (Range: 1) port - Port number or list of ports. To enter a list, separate nonconsecutive port identifiers with a comma and no spaces; use a hyphen to designate a range of ports.
Link Monitor:
 Errored Frame Window (100msec) : 10
 Errored Frame Threshold        : 1
Console#show efm oam status interface 1/1 brief
$ = local OAM in loopback
* = remote OAM in loopback
Port Admin Mode State  Remote Loopback Dying Gasp Critical Event Errored Frame
---- ---------- ------ --------------- ---------- -------------- -------------
1/1  Enabled    Active Disabled        Enabled    Enabled        Enabled
Console#
show efm oam: This command displays information about attached OAM-enabled devices.
43 DOMAIN NAME SERVICE COMMANDS These commands are used to configure Domain Name System (DNS) services. Entries can be manually configured in the DNS domain name to IP address mapping table, default domain names configured, or one or more name servers specified to use for domain name to address translation. Note that domain name services will not be enabled until at least one name server is specified with the ip name-server command and domain lookup is enabled with the ip domain-lookup command.
CHAPTER 43 | Domain Name Service Commands COMMAND MODE Global Configuration COMMAND USAGE ◆ Domain names are added to the end of the list one at a time. ◆ When an incomplete host name is received by the DNS service on this switch, it will work through the domain list, appending each domain name in the list to the host name, and checking with the specified name servers for a match. ◆ If there is no domain list, the domain name specified with the ip domain-name command is used.
◆ If all name servers are deleted, DNS will automatically be disabled. EXAMPLE This example enables DNS and then displays the configuration.
Console(config)#ip domain-lookup
Console(config)#end
Console#show dns
Domain Lookup Status: DNS Enabled
Default Domain Name: sample.com
Domain Name List: sample.com.jp sample.com.uk
Name Server List: 192.168.1.55 10.1.0.
Name Server List:
Console#
RELATED COMMANDS ip domain-list (1373) ip name-server (1377) ip domain-lookup (1374)
ip host: This command creates a static entry in the DNS table that maps a host name to an IPv4 address. Use the no form to remove an entry. SYNTAX [no] ip host name address name - Name of an IPv4 host. (Range: 1-100 characters) address - Corresponding IPv4 address.
ip name-server: This command specifies the address of one or more domain name servers to use for name-to-address resolution. Use the no form to remove a name server from this list. SYNTAX [no] ip name-server server-address1 [server-address2 … server-address6] server-address1 - IPv4 or IPv6 address of domain-name server. server-address2 … server-address6 - IPv4 or IPv6 address of additional domain-name servers.
ipv6 host: This command creates a static entry in the DNS table that maps a host name to an IPv6 address. Use the no form to remove an entry. SYNTAX [no] ipv6 host name ipv6-address name - Name of an IPv6 host. (Range: 1-100 characters) ipv6-address - Corresponding IPv6 address. This address must be entered according to RFC 2373 “IPv6 Addressing Architecture,” using 8 colon-separated 16-bit hexadecimal values.
clear host: This command deletes dynamic entries from the DNS table. SYNTAX clear host {name | *} name - Name of the host. (Range: 1-100 characters) * - Removes all entries. DEFAULT SETTING None COMMAND MODE Privileged Exec COMMAND USAGE Use the clear host command to clear dynamic entries, or the no ip host command to clear static entries. EXAMPLE This example clears all dynamic entries from the DNS table.
show dns cache: This command displays entries in the DNS cache. COMMAND MODE Privileged Exec EXAMPLE
Console#show dns cache
No. Flag Type  IP Address      TTL Host
--- ---- ----- --------------- --- ------------------------
3   4    Host  209.131.36.158  115 www-real.wa1.b.yahoo.com
4   4    CNAME POINTER TO:3    115 www.yahoo.com
5   4    CNAME POINTER TO:3    115 www.wa1.b.yahoo.com
Console#
Table 188: show dns cache - display description Field Description No.
Table 189: show hosts - display description Field Description No. The entry number for each resource record. Flag The field displays “2” for a static entry, or “4” for a dynamic entry stored in the cache. Type This field includes “Address” which specifies the primary name for the owner, and “CNAME” which specifies multiple domain names (or aliases) which are mapped to the same IP address as an existing entry.
44 DHCP COMMANDS These commands are used to configure Dynamic Host Configuration Protocol (DHCP) client and relay functions. Any VLAN interface on this switch can be configured to automatically obtain an IP address through DHCP. This switch can also be configured to relay DHCP client configuration requests to a DHCP server on another network.
CHAPTER 44 | DHCP Commands DHCP Client DHCP for IPv4 ip dhcp client class-id: This command specifies the DHCP client vendor class identifier for the current interface. Use the no form to remove the class identifier from the DHCP packet. SYNTAX ip dhcp client class-id [text text | hex hex] no ip dhcp client class-id text - A text string. (Range: 1-32 characters) hex - A hexadecimal value.
ip dhcp restart client: This command submits a BOOTP or DHCP client request. DEFAULT SETTING None COMMAND MODE Privileged Exec COMMAND USAGE ◆ This command issues a BOOTP or DHCP client request for any IP interface that has been set to BOOTP or DHCP mode through the ip address command. ◆ DHCP requires the server to reassign the client’s last address if available.
DEFAULT SETTING Disabled COMMAND MODE Global Configuration COMMAND USAGE ◆ DHCPv6 clients can obtain configuration parameters from a server through a normal four-message exchange (solicit, advertise, request, reply), or through a rapid two-message exchange (solicit, reply). The rapid-commit option must be enabled on both client and server for the two-message exchange to be used. ◆ This command allows the two-message exchange method for prefix delegation.
flag (M flag) and Other Stateful Configuration flag (O flag) received in Router Advertisement messages will determine the information this switch should attempt to acquire from the DHCPv6 server as described below. ■ Both M and O flags are set to 1: DHCPv6 is used for both address and other configuration settings. This combination is known as DHCPv6 stateful, in which a DHCPv6 server assigns stateful addresses to IPv6 hosts.
◆ To display the DUID assigned to this device, first enter the ipv6 address autoconfig command. EXAMPLE
Console(config-if)#ipv6 address autoconfig
Console(config-if)#end
Console#show ipv6 dhcp duid
DHCPv6 Unique Identifier (DUID): 0001-0001-4A8158B4-00E00C0000FD
Console#
show ipv6 dhcp vlan: This command shows DHCPv6 information for the specified interface(s).
CHAPTER 44 | DHCP Commands DHCP Relay Option 82 DHCP RELAY OPTION 82 This section describes commands used to configure the switch to relay DHCP requests from local hosts to a remote DHCP server.
client requests to a DHCP server. Up to five DHCP servers can be specified in order of preference. If any of the specified DHCP server addresses are not located in the same network segment with this switch, use the ip default-gateway or ipv6 default-gateway command to specify the default router through which this switch can reach other IP subnetworks. EXAMPLE Console(config)#ip dhcp relay server 192.168.10.
Otherwise, the switch’s DHCP relay agent will not be able to forward client requests to a DHCP server. ◆ DHCP provides a relay agent information option for sending information about its DHCP clients or the relay agent itself to the DHCP server. Also known as DHCP Option 82, it allows compatible DHCP servers to use this information when assigning IP addresses, or to set other services or policies for clients.
◆ DHCP reply packets received by the relay agent are handled as follows: ■ When the relay agent receives a DHCP reply packet with Option 82 information over the management VLAN, it first ensures that the packet is destined for itself. ■ If the RID in the DHCP reply packet is not identical with that configured on the switch, the option 82 information is retained, and the packet is flooded onto the VLAN through which it was received.
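The reply-handling rule above, worked as an added example (not the switch's firmware): it decodes Option 82 from a DHCPv4 reply, compares the remote ID (RID) with the one configured locally, and either floods the reply with Option 82 intact or strips it and forwards to the client port. The circuit-ID layout, the RFC 3046 strip-and-forward behaviour for the matching branch, and the sample packets are assumptions of the example, not taken from the guide.

```python
"""Added example, not the switch's own code: parse the DHCP Relay Agent
Information option (Option 82) from a DHCPv4 reply and apply the reply-
handling rule described above. All packets are constructed inline."""
from dataclasses import dataclass

DHCP_MAGIC = b"\x63\x82\x53\x63"
OPT_PAD, OPT_END, OPT_RELAY_AGENT = 0, 255, 82
SUB_CIRCUIT_ID, SUB_REMOTE_ID = 1, 2        # RFC 3046 sub-option codes


def parse_options(field: bytes) -> dict:
    """Decode the TLV options that follow the DHCP magic cookie."""
    if field[:4] != DHCP_MAGIC:
        raise ValueError("not a DHCP option field: missing magic cookie")
    opts, i = {}, 4
    while i < len(field):
        code = field[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        length = field[i + 1]
        opts[code] = field[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def parse_sub_options(value: bytes) -> dict:
    """Decode the sub-option TLVs carried inside Option 82."""
    subs, i = {}, 0
    while i + 2 <= len(value):
        code, length = value[i], value[i + 1]
        subs[code] = value[i + 2:i + 2 + length]
        i += 2 + length
    return subs


def encode_options(opts: dict) -> bytes:
    """Rebuild an option field, e.g. after Option 82 has been stripped."""
    out = bytearray(DHCP_MAGIC)
    for code, value in opts.items():
        out += bytes([code, len(value)]) + value
    out.append(OPT_END)
    return bytes(out)


def circuit_id_to_port(circuit_id: bytes) -> str:
    """ASSUMED circuit-ID layout for this example: VLAN(2) unit(1) port(1).
    The switch's real circuit-ID encoding is not shown on this page."""
    if len(circuit_id) != 4:
        raise ValueError("unexpected circuit-ID length")
    return f"{circuit_id[2]}/{circuit_id[3]}"


@dataclass
class RelayDecision:
    action: str          # "forward-to-port" or "flood-vlan"
    egress: str          # client port (unit/port) or the ingress VLAN
    strip_option82: bool
    options_out: bytes   # option field as it leaves the relay agent


def handle_reply(field: bytes, local_remote_id: bytes, ingress_vlan: int) -> RelayDecision:
    """Reply handling: RID not ours -> keep Option 82 and flood the ingress
    VLAN (as the text above states). RID ours -> strip Option 82 and send only
    to the port named in the circuit ID (RFC 3046 relay behaviour, assumed
    here for the matching branch). No Option 82 -> deliver on the VLAN."""
    opts = parse_options(field)
    agent_info = opts.get(OPT_RELAY_AGENT)
    if agent_info is None:
        return RelayDecision("flood-vlan", f"vlan{ingress_vlan}", False, field)
    subs = parse_sub_options(agent_info)
    if subs.get(SUB_REMOTE_ID) != local_remote_id:
        return RelayDecision("flood-vlan", f"vlan{ingress_vlan}", False, field)
    port = circuit_id_to_port(subs[SUB_CIRCUIT_ID])
    kept = {c: v for c, v in opts.items() if c != OPT_RELAY_AGENT}
    return RelayDecision("forward-to-port", port, True, encode_options(kept))


# Constructed samples. The remote ID is the switch CPU MAC 00-E0-0C-00-00-FD
# (the link-layer address in this guide's DUID output); the circuit ID is
# VLAN 1, unit 1, port 3 in the assumed layout above.
SWITCH_CPU_MAC = bytes.fromhex("00e00c0000fd")
CIRCUIT_ID = b"\x00\x01\x01\x03"
OPT82_OURS = bytes([SUB_CIRCUIT_ID, 4]) + CIRCUIT_ID + bytes([SUB_REMOTE_ID, 6]) + SWITCH_CPU_MAC
OPT82_OTHER = bytes([SUB_CIRCUIT_ID, 4]) + CIRCUIT_ID + bytes([SUB_REMOTE_ID, 6]) + bytes.fromhex("001122334455")


def sample_reply(opt82: bytes) -> bytes:
    """DHCPOFFER option field: message type (53) = 2, server identifier (54)
    = 192.0.2.1 (constructed), then the given Option 82."""
    return (DHCP_MAGIC + bytes([53, 1, 2]) + bytes([54, 4, 192, 0, 2, 1])
            + bytes([OPT_RELAY_AGENT, len(opt82)]) + opt82 + bytes([OPT_END]))


if __name__ == "__main__":
    for label, opt82 in (("our RID", OPT82_OURS), ("foreign RID", OPT82_OTHER)):
        d = handle_reply(sample_reply(opt82), SWITCH_CPU_MAC, ingress_vlan=1)
        print(f"{label}: {d.action} via {d.egress}, Option 82 stripped={d.strip_option82}")
```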
EXAMPLE This example enables Option 82, and sets the frame format of the remote ID for the option to use the MAC address of the switch’s CPU.
EXAMPLE This example sets the Option 82 policy to keep the client information in the request packet received by the relay agent, and forward this packet on to the DHCP server.
Console(config)#ip dhcp relay information policy keep
Console(config)#
RELATED COMMANDS ip dhcp relay information option (1390) ip dhcp relay server (1389) ip dhcp snooping (900)
show ip dhcp relay: This command displays the configuration settings for DHCP relay service.
45 IP INTERFACE COMMANDS An IP Version 4 and Version 6 address may be used for management access to the switch over the network. IPv4 and IPv6 addresses can be used simultaneously to access the switch. You can manually configure a specific IPv4 or IPv6 address or direct the switch to obtain an IPv4 address from a BOOTP or DHCP server when it is powered on. An IPv6 address can either be manually configured or dynamically generated.
CHAPTER 45 | IP Interface Commands IPv4 Interface BASIC IPV4 CONFIGURATION This section describes commands used to configure IP addresses for VLAN interfaces on the switch.
directed to obtain an address from a BOOTP or DHCP server. Valid IP addresses consist of four numbers, 0 to 255, separated by periods. Anything other than this format will not be accepted by the configuration program. ◆ An interface can have only one primary IP address, but can have many secondary IP addresses. In other words, secondary addresses need to be specified if more than one IP subnet can be accessed through this interface.
ip default-gateway: This command specifies the default gateway through which this switch can reach other subnetworks. Use the no form to remove a default gateway. SYNTAX ip default-gateway gateway no ip default-gateway gateway - IP address of the default gateway DEFAULT SETTING No default gateway is established.
RELATED COMMANDS ip default-gateway (1398) show ipv6 default-gateway (1414)
show ip interface: This command displays the settings of an IPv4 interface. COMMAND MODE Privileged Exec EXAMPLE
Console#show ip interface
VLAN 1 is Administrative Up - Link Up
Address is 00-E0-00-00-00-01
Index: 1001, MTU: 1500
Address Mode is DHCP
IP Address: 192.168.0.2 Mask: 255.255.255.
[ICMP statistics output, counter values lost in extraction: ICMP received and ICMP sent counters for destination unreachable, time exceeded, parameter problem, echo request, echo reply, redirect, timestamp request, timestamp reply, source quench, address mask request and address mask reply messages, plus ICMP sent output errors]
◆ The traceroute command first sends probe datagrams with the TTL value set at one. This causes the first router to discard the datagram and return an error message. The trace function then sends several probe messages at each subsequent TTL level and displays the round-trip time for each message. Not all devices respond correctly to probes by returning an “ICMP port unreachable” message.
COMMAND USAGE ◆ Use the ping command to see if another site on the network can be reached. ◆ The following are some results of the ping command: ■ Normal response - The normal response occurs in one to ten seconds, depending on network traffic. ■ Destination does not respond - If the host does not respond, a “timeout” appears in ten seconds. ■ Destination unreachable - The gateway for this destination indicates that the destination is unreachable.
arp timeout: This command sets the aging time for dynamic entries in the Address Resolution Protocol (ARP) cache. Use the no form to restore the default timeout. SYNTAX arp timeout seconds no arp timeout seconds - The time a dynamic entry remains in the ARP cache.
CHAPTER 45 | IP Interface Commands IPv6 Interface show arp This command displays entries in the Address Resolution Protocol (ARP) cache. COMMAND MODE Normal Exec, Privileged Exec COMMAND USAGE This command displays information about the ARP cache. The first line shows the cache timeout. It also shows each cache entry, including the IP address, MAC address, type (dynamic, other), and VLAN interface. Note that entry type “other” indicates local addresses for this router.
CHAPTER 45 | IP Interface Commands IPv6 Interface Table 197: IPv6 Configuration Commands (Continued) Command Function Mode show ipv6 default-gateway Displays the current IPv6 default gateway NE, PE show ipv6 interface Displays the usability and configured settings for IPv6 interfaces NE, PE show ipv6 mtu Displays maximum transmission unit (MTU) information for IPv6 interfaces NE, PE show ipv6 traffic Displays statistics about IPv6 traffic NE, PE clear ipv6 traffic Resets IPv6 traffic counte
CHAPTER 45 | IP Interface Commands IPv6 Interface COMMAND USAGE ◆ All IPv6 addresses must be according to RFC 2373 “IPv6 Addressing Architecture,” using 8 colon-separated 16-bit hexadecimal values. One double colon may be used in the address to indicate the appropriate number of zeros required to fill the undefined fields. ◆ The same link-local address may be used by different interfaces/nodes in different zones (RFC 4007).
CHAPTER 45 | IP Interface Commands IPv6 Interface COMMAND USAGE ◆ All IPv6 addresses must be according to RFC 2373 “IPv6 Addressing Architecture,” using 8 colon-separated 16-bit hexadecimal values. One double colon may be used in the address to indicate the appropriate number of zeros required to fill the undefined fields. ◆ To connect to a larger network with multiple subnets, you must configure a global unicast address.
CHAPTER 45 | IP Interface Commands IPv6 Interface ipv6 address This command enables stateless autoconfiguration of IPv6 addresses on an autoconfig interface and enables IPv6 on the interface. The network portion of the address is based on prefixes received in IPv6 router advertisement messages; the host portion in based on the modified EUI-64 form of the interface identifier (i.e., the switch’s MAC address). Use the no form to remove the address generated by this command.
CHAPTER 45 | IP Interface Commands IPv6 Interface ND advertised retransmit interval is 0 milliseconds ND reachable time is 30000 milliseconds ND advertised reachable time is 0 milliseconds Console# RELATED COMMANDS ipv6 address (1406) show ipv6 interface (1414) ipv6 address eui-64 This command configures an IPv6 address for an interface using an EUI-64 interface ID in the low order 64 bits and enables IPv6 on the interface.
◆ IPv6 addresses are 16 bytes long. With a 64-bit prefix, the low-order 8 bytes form the interface identifier, which this command derives from the device's MAC address. The EUI-64 specification defines a 64-bit extended identifier; a 48-bit MAC address is expanded to it by inserting the two bytes FF-FE between the OUI and the device-specific half and inverting the universal/local bit (bit 1 of the first byte, value 0x02), which is why the link-local addresses shown in this chapter carry FF:FE in the middle of the interface ID. Because the identifier embeds the MAC address, a global address formed this way reveals the hardware address to every peer and stays recognizable when the prefix changes; if that matters, assign the global address manually instead.
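The derivation above, worked through in Python as an added example (this code is not part of the guide or of the switch software). The value of SWITCH_MAC is an assumption: it is the MAC address that produces the link-local address FE80::2E0:CFF:FE00:FD shown in the show ipv6 interface output in this chapter; the guide itself never prints the MAC. The prefixes used with it are the ones from the same output.

```python
"""Modified EUI-64 interface identifiers (added example, not from the guide)."""
import ipaddress
from typing import Optional

# Assumed MAC: the one that yields the guide's link-local FE80::2E0:CFF:FE00:FD.
SWITCH_MAC = "00:E0:0C:00:00:FD"


def modified_eui64(mac: str) -> bytes:
    """48-bit MAC -> 64-bit modified EUI-64 interface ID (RFC 4291, Appendix A)."""
    octets = bytes(int(x, 16) for x in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])  # insert FF-FE in the middle
    iid[0] ^= 0x02                                           # invert the universal/local bit
    return bytes(iid)


def eui64_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Combine a /64 prefix with the interface ID, as 'ipv6 address ... eui-64' does."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 addressing needs a 64-bit prefix")
    return ipaddress.IPv6Address(
        int(net.network_address) | int.from_bytes(modified_eui64(mac), "big"))


def mac_from_eui64(address: str) -> Optional[str]:
    """Recover the MAC from an EUI-64-derived address; None if the IID is not EUI-64 shaped."""
    iid = bytearray(ipaddress.IPv6Address(address).packed[8:])
    if iid[3:5] != b"\xff\xfe":
        return None                      # manually assigned or privacy-style identifier
    iid[0] ^= 0x02                       # undo the universal/local inversion
    return ":".join(f"{b:02x}" for b in iid[:3] + iid[5:])
```

mac_from_eui64 is the privacy side of the same arithmetic: anyone who sees an EUI-64 global address learns the vendor OUI and serial half of the MAC, and can correlate the host across every prefix it ever uses. Hosts addressed this concern with temporary (RFC 4941) and stable-opaque (RFC 7217) identifiers; this guide does not state that the switch implements either, so where the identifier must not leak the hardware address, configure the global address manually.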
ipv6 address link-local
This command configures an IPv6 link-local address for an interface and enables IPv6 on the interface. Use the no form without any arguments to remove all manually configured IPv6 addresses from the interface. Use the no form with a specific address to remove it from the interface.
SYNTAX
ipv6 address ipv6-address link-local
no ipv6 address [ipv6-address link-local]
ipv6-address - The IPv6 address assigned to the interface.
  FF02::1
IPv6 link MTU is 1500 bytes
ND DAD is enabled, number of DAD attempts: 3.
ND retransmit interval is 1000 milliseconds
ND advertised retransmit interval is 0 milliseconds
ND reachable time is 30000 milliseconds
ND advertised reachable time is 0 milliseconds
Console#
RELATED COMMANDS ipv6 enable (1412) show ipv6 interface (1414)

ipv6 enable
This command enables IPv6 on an interface that has not been configured with an explicit IPv6 address.
Link-local address:
  FE80::2E0:CFF:FE00:FD/64
Global unicast address(es):
  2001:DB8:2222:7273::72/96, subnet is 2001:DB8:2222:7273::/96
Joined group address(es):
  FF02::1:FF00:72
  FF02::1:FF00:FD
  FF02::1
IPv6 link MTU is 1280 bytes
ND DAD is enabled, number of DAD attempts: 3.
EXAMPLE
The following example sets the MTU for VLAN 1 to 1280 bytes:
Console(config)#interface vlan 1
Console(config-if)#ipv6 mtu 1280
Console(config-if)#
RELATED COMMANDS show ipv6 mtu (1416) jumbo frame (717)

show ipv6 default-gateway
This command displays the current IPv6 default gateway.
EXAMPLE
This example displays all the IPv6 addresses configured for the switch.
Console#show ipv6 interface
VLAN 1 is up
IPv6 is enabled
Link-local address:
  FE80::2E0:CFF:FE00:FD/64
Global unicast address(es):
  2001:DB8:2222:7273::72/96, subnet is 2001:DB8:2222:7273::/96
Joined group address(es):
  FF02::1:FF00:72
  FF02::1:FF00:FD
  FF02::1
IPv6 link MTU is 1280 bytes
ND DAD is enabled, number of DAD attempts: 3.
Table 198: show ipv6 interface - display description (Continued)
Field                              Description
ND retransmit interval             The interval between IPv6 neighbor solicitation retransmissions sent on an interface during duplicate address detection.
ND advertised retransmit interval  The retransmit interval is included in all router advertisements sent out of an interface so that nodes on the same link use the same time value.
Table 199: show ipv6 mtu - display description*
Field                Description
MTU                  Adjusted MTU contained in the ICMP packet-too-big message returned from this destination, and now used for all traffic sent along this path.
Since                Time since an ICMP packet-too-big message was received from this destination.
Destination Address  Address which sent an ICMP packet-too-big message.
* No information is displayed if an IPv6 address has not been assigned to the switch.
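How rows come to exist in this table, modelled in Python as an added example (not the switch's code): a path-MTU cache that accepts an ICMPv6 Packet Too Big only for a destination it is actually sending to, only to lower the estimate, and never below the 1280-byte IPv6 minimum link MTU (RFC 8201). The cache is keyed by the destination of the packet the Packet Too Big quotes, which is what path MTU discovery keys on; the destinations, the Packet Too Big events and the clock are constructed, and the "active flow" check is an added safeguard, not a behaviour this guide documents for the switch.

```python
"""Path-MTU cache behind 'show ipv6 mtu' (added example, not the switch's code)."""
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Set, Tuple

IPV6_MIN_LINK_MTU = 1280     # RFC 8201: the path-MTU estimate is never lowered below this


@dataclass
class PmtuEntry:
    mtu: int                 # "MTU" column: value taken from the accepted Packet Too Big
    since: float             # "Since" column: clock reading when it was accepted


class PmtuCache:
    def __init__(self, link_mtu: int = 1500, clock: Callable[[], float] = time.time) -> None:
        self.link_mtu = link_mtu
        self.clock = clock
        self.active: Set[str] = set()              # destinations this node has actually sent to
        self.entries: Dict[str, PmtuEntry] = {}

    def sent_to(self, destination: str) -> None:
        self.active.add(destination)

    def mtu_for(self, destination: str) -> int:
        entry = self.entries.get(destination)
        return entry.mtu if entry else self.link_mtu

    def packet_too_big(self, destination: str, reported_mtu: int) -> bool:
        """Apply a Packet Too Big whose quoted packet was addressed to `destination`.
        Returns True if the cache changed."""
        if destination not in self.active:
            return False                # (added safeguard) no such flow: off-path noise, ignore
        if reported_mtu < IPV6_MIN_LINK_MTU:
            return False                # below the IPv6 minimum link MTU: discard (RFC 8201 sec. 4)
        if reported_mtu >= self.mtu_for(destination):
            return False                # a PTB may only lower the estimate, never raise it
        self.entries[destination] = PmtuEntry(reported_mtu, self.clock())
        return True

    def rows(self) -> List[Tuple[str, int, int]]:
        """(Destination Address, MTU, seconds since) as 'show ipv6 mtu' lists them."""
        now = self.clock()
        return [(dst, e.mtu, int(now - e.since)) for dst, e in self.entries.items()]


def demo(clock: Callable[[], float] = time.time) -> dict:
    cache = PmtuCache(clock=clock)
    dst = "2001:db8:2222:7273::72"                # the global address from this chapter's examples
    cache.sent_to(dst)
    accepted = [
        cache.packet_too_big("2001:db8::ffff", 1400),   # flow we never had: rejected
        cache.packet_too_big(dst, 1400),                # genuine reduction: accepted
        cache.packet_too_big(dst, 1500),                # attempt to raise the MTU: rejected
        cache.packet_too_big(dst, 576),                 # below 1280: discarded
        cache.packet_too_big(dst, 1280),                # down to the minimum: accepted
        cache.packet_too_big(dst, 1000),                # below 1280 again: discarded
    ]
    return {"accepted": accepted, "mtu": cache.mtu_for(dst), "rows": cache.rows()}
```

The three rejections are the practitioner's point: an unauthenticated ICMPv6 message is allowed to shrink the MTU for a path, so the only defences are to ignore messages for flows that do not exist, to refuse increases, and to stop at 1280. A node that accepted any reported value could be driven into heavy fragmentation by a single spoofed message.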
  neighbor advertisement messages
  redirect messages
  group membership query messages
  group membership response messages
  group membership reduction messages
  multicast listener discovery version 2 reports
ICMPv6 sent output
  destination unreachable messages
  packet too big messages
  time exceeded messages
  parameter problem message
  echo request messages
  echo reply messages
  router solicit messages
  router advertisement messages
  neighbor solicit messages
  neighbor adve
Table 200: show ipv6 traffic - display description (Continued)
Field     Description
discards  The number of input IPv6 datagrams for which no problems were encountered to prevent their continued processing, but which were discarded (e.g., for lack of buffer space). Note that this counter does not include any datagrams discarded while awaiting re-assembly.
delivers  The total number of datagrams successfully delivered to IPv6 user-protocols (including ICMP).

Table 200: show ipv6 traffic - display description (Continued)
Field                             Description
errors                            The number of ICMP messages which the interface received but determined as having ICMP-specific errors (bad ICMP checksums, bad length, etc.).
destination unreachable messages  The number of ICMP Destination Unreachable messages received by the interface.
packet too big messages           The number of ICMP Packet Too Big messages received by the interface.

Table 200: show ipv6 traffic - display description (Continued)
Field                            Description
router advertisement messages    The number of ICMP Router Advertisement messages sent by the interface.
neighbor solicit messages        The number of ICMP Neighbor Solicit messages sent by the interface.
neighbor advertisement messages  The number of ICMP Neighbor Advertisement messages sent by the interface.
redirect messages                The number of Redirect messages sent.
A sudden rise in received router advertisement or redirect messages in these counters, on a VLAN where only one router should exist, is a cheap first indicator that something other than the router is advertising.
ping6
This command sends (IPv6) ICMP echo request packets to another node on the network.
SYNTAX
ping6 {ipv6-address | host-name} [count count] [size size]
ipv6-address - The IPv6 address of a neighbor device. You can specify either a link-local or global unicast address formatted according to RFC 2373 "IPv6 Addressing Architecture," using 8 colon-separated 16-bit hexadecimal values.
response time: 0 ms [FE80::2E0:CFF:FE00:FC] seq_no: 4
response time: 0 ms [FE80::2E0:CFF:FE00:FC] seq_no: 5
Ping statistics for FE80::2E0:CFF:FE00:FC%1/64:
 5 packets transmitted, 5 packets received (100%), 0 packets lost (0%)
Approximate round trip times:
 Minimum = 0 ms, Maximum = 20 ms, Average = 4 ms
Console#

traceroute6
This command shows the route packets take to the specified destination.
before a response is returned, the trace function prints a series of asterisks and the "Request Timed Out" message. A long sequence of these messages, terminating only when the maximum timeout has been reached, may indicate this problem with the target device.
EXAMPLE
Console#traceroute6 FE80::2E0:CFF:FE9C:CA10%1/64
Press "ESC" to abort.
Traceroute to FE80::2E0:CFF:FE9C:CA10%1/64, 30 hops max, timeout is 3 seconds, 5 max failure(s) before termination.
◆ An interface that is re-activated restarts duplicate address detection for all unicast IPv6 addresses on the interface. While duplicate address detection is performed on the interface's link-local address, the other IPv6 addresses remain in a "tentative" state. If no duplicate link-local address is found, duplicate address detection is started for the remaining IPv6 addresses.
◆ Any node on the link can claim an address under test simply by answering the solicitation, so a hostile neighbor can keep every address on the interface tentative indefinitely (the DAD denial of service described in RFC 3756). Confining neighbor discovery traffic to trusted ports, as the ND snooping commands later in this chapter do, limits who can answer.
ipv6 nd ns-interval
This command configures the interval between transmitting IPv6 neighbor solicitation messages on an interface. Use the no form to restore the default value.
SYNTAX
ipv6 nd ns-interval milliseconds
no ipv6 nd ns-interval
milliseconds - The interval between transmitting IPv6 neighbor solicitation messages.
ipv6 nd raguard
This command blocks incoming Router Advertisement and Redirect packets. Use the no form to disable this feature.
SYNTAX
[no] ipv6 nd raguard
DEFAULT SETTING Disabled
COMMAND MODE Interface Configuration (Ethernet, Port Channel)
COMMAND USAGE
◆ IPv6 Router Advertisements (RA) convey information that enables nodes to auto-configure on the network: the prefixes to use, the default router, and (through Redirect messages) a supposedly better first hop. Any node on the link that can send an RA can therefore make itself the default router of its neighbors, whether by accident or on purpose.
◆ Enable this command on host-facing ports, where no router should be advertising. It drops every RA and Redirect received on the port, so do not enable it on the port that leads to the legitimate router or on inter-switch links. RA Guard is specified in RFC 6105; guards that inspect only the first header can be bypassed by advertisements hidden behind extension headers or fragmentation (RFC 7113), and this guide does not state how deeply the switch inspects.
COMMAND USAGE
◆ The time limit configured by this command allows the switch to detect unavailable neighbors.
EXAMPLE
The following sets the reachable time for a remote node to 1000 milliseconds:
Console(config)#interface vlan 1
Console(config-if)#ipv6 nd reachable-time 1000
Console(config-if)#

clear ipv6 neighbors
This command deletes all dynamic entries in the IPv6 neighbor discovery cache.
show ipv6 neighbors
This command displays information in the IPv6 neighbor discovery cache.
SYNTAX
show ipv6 neighbors [vlan vlan-id | ipv6-address]
vlan-id - VLAN ID (Range: 1-4094)
ipv6-address - The IPv6 address of a neighbor device. You can specify either a link-local or global unicast address formatted according to RFC 2373 "IPv6 Addressing Architecture," using 8 colon-separated 16-bit hexadecimal values.
CHAPTER 45 | IP Interface Commands ND Snooping

Table 201: show ipv6 neighbors - display description (Continued)
Field              Description
State (continued)  P1 (Probe) - A reachability confirmation is actively sought by re-sending neighbor solicitation messages every RetransTimer interval until confirmation of reachability is received.
                   U (Unknown) - Unknown state.
                   The following states are used for static entries:
                   I1 (Incomplete) - The interface for this entry is down.
Table 202: ND Snooping Commands (Continued)
Command                          Function                                                                                          Mode
ipv6 nd snooping prefix timeout  Sets the time to wait for an RA message before deleting an entry in the prefix table               GC
ipv6 nd snooping max-binding     Sets the maximum number of address entries which can be bound to a port                           IC
ipv6 nd snooping trust           Configures a port as a trusted interface from which prefix information in RA messages can be added to the prefix table, or NS messages can be

lifetime, as well as the VLAN and port interface which received the message.
◆ If an RA message is not received updating a table entry with the same prefix for a specified timeout period, the entry is deleted.
DEFAULT SETTING Disabled
COMMAND MODE Global Configuration
COMMAND USAGE
If auto-detection is enabled, the switch periodically sends an NS message to determine if a client listed in the dynamic binding table still exists. If it does not receive a neighbor advertisement (NA) in response within the configured timeout, the entry is dropped.
ipv6 nd snooping auto-detect retransmit interval
This command sets the interval at which the auto-detection process sends NS messages to determine if a dynamic user binding is still valid. Use the no form to restore the default setting.

Prefix Information contained in the message. If an RA message is not received for a table entry with the same prefix for the specified timeout period, the entry is deleted.
EXAMPLE
Console(config)#ipv6 nd snooping prefix timeout 200
Console(config)#

ipv6 nd snooping max-binding
This command sets the maximum number of address entries in the dynamic user binding table which can be bound to a port. Use the no form to restore the default setting.
COMMAND MODE Interface Configuration (Ethernet, Port Channel)
COMMAND USAGE
◆ In general, interfaces facing the network core, or routers that run the Neighbor Discovery protocol, are configured as trusted interfaces.
◆ RA messages received from a trusted interface are added to the prefix table and forwarded toward their destination.
◆ NS messages received from a trusted interface are forwarded toward their destination.
◆ Trust is a statement about topology, not about the device currently attached: a trusted port feeds the prefix table that the other ND snooping checks rely on, so limit trusted ports to the uplinks and never trust a port an end host can plug into.
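The two per-port behaviours described in this chapter, RA Guard under ipv6 nd raguard and prefix learning from trusted ports under ipv6 nd snooping trust, modelled together in Python as an added example (this is not the switch's code). Port names, the VLAN, the prefixes and every frame are constructed here; the rule that a neighbor discovery message must arrive with hop limit 255 and a valid ICMPv6 checksum comes from RFC 4861, not from this guide; and because the guide does not say what the switch does with an RA on a port that is neither guarded nor trusted, the model simply forwards such an RA without learning from it.

```python
"""RA Guard and ND-snooping prefix learning (added example, not the switch's code)."""
import ipaddress
import struct
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

ICMPV6 = 58
RA, NS, REDIRECT = 134, 135, 137
PREFIX_INFO_OPTION = 3


def icmpv6_checksum(src: bytes, dst: bytes, payload: bytes) -> int:
    """One's-complement sum over the IPv6 pseudo-header plus the ICMPv6 message."""
    data = src + dst + struct.pack("!IxxxB", len(payload), ICMPV6) + payload
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_icmpv6(src: str, dst: str, icmp_type: int, body: bytes, hop_limit: int = 255) -> bytes:
    """Minimal IPv6 + ICMPv6 frame with a correct checksum (no extension headers)."""
    s, d = ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed
    payload = bytearray([icmp_type, 0, 0, 0]) + body          # type, code, checksum placeholder
    struct.pack_into("!H", payload, 2, icmpv6_checksum(s, d, bytes(payload)))
    return struct.pack("!IHBB", 0x60000000, len(payload), ICMPV6, hop_limit) + s + d + bytes(payload)


def prefix_info_option(prefix: str, valid: int, preferred: int) -> bytes:
    """RFC 4861 Prefix Information option with the L and A flags set."""
    net = ipaddress.IPv6Network(prefix)
    return struct.pack("!BBBBIII", PREFIX_INFO_OPTION, 4, net.prefixlen, 0xC0,
                       valid, preferred, 0) + net.network_address.packed


def parse_icmpv6(packet: bytes) -> Optional[Tuple[int, int, bytes, bool]]:
    """(hop_limit, icmp_type, icmp_body, checksum_ok), or None if not plain ICMPv6-in-IPv6."""
    if len(packet) < 44 or packet[0] >> 4 != 6:
        return None
    payload_len, next_header, hop_limit = struct.unpack("!HBB", packet[4:8])
    if next_header != ICMPV6 or len(packet) != 40 + payload_len:
        return None
    icmp = packet[40:]
    checksum_ok = icmpv6_checksum(packet[8:24], packet[24:40], icmp) == 0
    return hop_limit, icmp[0], icmp[4:], checksum_ok


def ra_prefixes(body: bytes) -> List[Tuple[str, int, int]]:
    """Walk the RA options after the 12-byte fixed part: (prefix, length, valid lifetime)."""
    found, i = [], 12
    while i + 2 <= len(body):
        opt_type, opt_len = body[i], body[i + 1] * 8
        if opt_len == 0 or i + opt_len > len(body):
            break                                  # malformed option: stop rather than spin
        if opt_type == PREFIX_INFO_OPTION and opt_len == 32:
            valid = struct.unpack("!I", body[i + 4:i + 8])[0]
            found.append((str(ipaddress.IPv6Address(body[i + 16:i + 32])), body[i + 2], valid))
        i += opt_len
    return found


@dataclass
class NdSnoopingSwitch:
    raguard_ports: Set[str] = field(default_factory=set)      # ports with ipv6 nd raguard
    trusted_ports: Set[str] = field(default_factory=set)      # ports with ipv6 nd snooping trust
    # prefix table rows: (Prefix, Len, Valid-Time, VLAN, Interface), as show ipv6 nd snooping prefix lists them
    prefix_table: List[Tuple[str, int, int, int, str]] = field(default_factory=list)

    def receive(self, port: str, vlan: int, packet: bytes) -> str:
        parsed = parse_icmpv6(packet)
        if parsed is None:
            return "forward"                         # not ICMPv6: outside ND policy
        hop_limit, icmp_type, body, checksum_ok = parsed
        if icmp_type in (RA, REDIRECT) and port in self.raguard_ports:
            return "drop: RA guard"
        if icmp_type in (RA, NS, REDIRECT) and (not checksum_ok or hop_limit != 255):
            return "drop: invalid ND message"        # RFC 4861: ND must arrive with hop limit 255
        if icmp_type == RA and port in self.trusted_ports:
            for prefix, length, valid in ra_prefixes(body):
                self.prefix_table.append((prefix, length, valid, vlan, port))
        return "forward"


# Constructed traffic: a legitimate RA on the uplink, a rogue RA on an access port,
# an RA that has crossed a router (hop limit 254), and an ordinary echo request.
RA_FIXED = struct.pack("!BBHII", 64, 0, 1800, 0, 0)             # cur hop limit 64, lifetime 1800 s
GOOD_RA = build_icmpv6("fe80::1", "ff02::1", RA, RA_FIXED + prefix_info_option("2001:db8:2222:7273::/64", 2592000, 604800))
ROGUE_RA = build_icmpv6("fe80::bad", "ff02::1", RA, RA_FIXED + prefix_info_option("2001:db8:bad::/64", 2592000, 604800))
ROUTED_RA = build_icmpv6("fe80::1", "ff02::1", RA, RA_FIXED, hop_limit=254)
ECHO = build_icmpv6("2001:db8::5", "2001:db8::6", 128, b"\x00\x01\x00\x01")


def demo() -> dict:
    sw = NdSnoopingSwitch(raguard_ports={"eth1/5"}, trusted_ports={"eth1/28"})
    verdicts = {
        "uplink_ra": sw.receive("eth1/28", 1, GOOD_RA),
        "rogue_ra": sw.receive("eth1/5", 1, ROGUE_RA),
        "routed_ra": sw.receive("eth1/28", 1, ROUTED_RA),
        "echo": sw.receive("eth1/5", 1, ECHO),
    }
    verdicts["prefix_table"] = list(sw.prefix_table)
    return verdicts
```

Two things the model makes visible that the command descriptions do not. First, the checksum and hop-limit checks mean that an RA relayed through a router, or a hand-built one with a bad checksum, is rejected even on a port that is not guarded; any switch or host that skips those checks accepts more than the standard requires. Second, the prefix table only ever contains what arrived on a trusted port, so a mistakenly trusted access port lets the rogue prefix 2001:db8:bad::/64 into the table and from there into every downstream decision that consults it.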
EXAMPLE
Console#clear ipv6 nd snooping prefix
Console#show ipv6 nd snooping prefix
Prefix entry timeout: (seconds)
Prefix                                 Len Valid-Time Expire     VLAN Interface
-------------------------------------- --- ---------- ---------- ---- ---------
Console#

show ipv6 nd snooping
This command shows the configuration settings for ND snooping.

show ipv6 nd snooping prefix
This command shows all entries in the address prefix table.
SYNTAX
show ipv6 nd snooping prefix [interface vlan vlan-id]
vlan-id - VLAN ID.
SECTION IV APPENDICES
This section provides additional information and includes these items:
◆ "Software Specifications" on page 1441
◆ "Troubleshooting" on page 1445
◆ "License Information" on page 1447
A SOFTWARE SPECIFICATIONS
SOFTWARE FEATURES
MANAGEMENT AUTHENTICATION  Local, RADIUS, TACACS+, Port Authentication (802.1X), HTTPS, SSH, Port Security, IP Filter
CLIENT ACCESS  Access Control Lists (512 rules), Port Authentication (802.
APPENDIX A | Software Specifications Management Features VLAN SUPPORT Up to 4094 groups; port-based, protocol-based, tagged (802.
RMON  Groups 1, 2, 3, 9 (Statistics, History, Alarm, Event)
STANDARDS
Ethernet Service OAM (ITU-T Y.1731) - partial support
IEEE 802.1AB Link Layer Discovery Protocol
IEEE 802.1D-2004 Spanning Tree Algorithm and traffic priorities
  Spanning Tree Protocol
  Rapid Spanning Tree Protocol
  Multiple Spanning Tree Protocol
IEEE 802.1p Priority tags
IEEE 802.1Q VLAN
IEEE 802.1v Protocol-based VLANs
IEEE 802.1X Port Authentication
IEEE 802.
MANAGEMENT INFORMATION BASES
ERPS MIB (ITU-T G.8032)
Entity MIB (RFC 2737)
Ether-like MIB (RFC 2665)
Extended Bridge MIB (RFC 2674)
Extensible SNMP Agents MIB (RFC 2742)
Forwarding Table MIB (RFC 2096)
IGMP MIB (RFC 2933)
Interface Group MIB (RFC 2233)
Interfaces Evolution MIB (RFC 2863)
IP Multicasting related MIBs
IPV6-MIB (RFC 2465)
IPV6-ICMP-MIB (RFC 2466)
IPV6-TCP-MIB (RFC 2452)
IPV6-UDP-MIB (RFC 2454)
Link Aggregation MIB (IEEE 802.
B TROUBLESHOOTING
PROBLEMS ACCESSING THE MANAGEMENT INTERFACE
Table 203: Troubleshooting Chart
Symptom: Cannot connect using Telnet, web browser, or SNMP software
Action:
◆ Be sure the switch is powered on.
◆ Check network cabling between the management station and the switch. Make sure the ends are properly connected and there is no damage to the cable. Test the cable if necessary.
◆ Check that you have a valid network connection to the switch and that the port you are using has not been disabled.
USING SYSTEM LOGS
If a fault does occur, refer to the Installation Guide to ensure that the problem you encountered is actually caused by the switch. If the problem appears to be caused by the switch, follow these steps:
1. Enable logging.
2. Set the error messages reported to include all categories.
3. Enable SNMP.
4. Enable SNMP traps.
5. Designate the SNMP host that is to receive the error messages.
6.
C LICENSE INFORMATION This product includes copyrighted third-party software subject to the terms of the GNU General Public License (GPL), GNU Lesser General Public License (LGPL), or other related free software licenses. The GPL code used in this product is distributed WITHOUT ANY WARRANTY and is subject to the copyrights of one or more authors. For details, refer to the section "The GNU General Public License" below, or refer to the applicable license as included in the source-code archive.
The GNU General Public License
GNU GENERAL PUBLIC LICENSE
TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
1. This License applies to any program or other work which contains a notice placed by the copyright holder saying it may be distributed under the terms of this General Public License.
practices. Many people have made generous contributions to the wide range of software distributed through that system in reliance on consistent application of that system; it is up to the author/donor to decide if he or she is willing to distribute software through any other system and a licensee cannot impose that choice. This section is intended to make thoroughly clear what is believed to be a consequence of the rest of this License.
9.
GLOSSARY ACL Access Control List. ACLs can limit network traffic and restrict access to certain users or devices by checking each packet for certain IP or MAC (i.e., Layer 2) information. ARP Address Resolution Protocol converts between IP addresses and MAC (hardware) addresses. ARP is used to locate the MAC address corresponding to a given IP address. This allows the switch to use IP addresses for routing decisions and the corresponding MAC addresses to forward packets from one hop to the next.
GLOSSARY DIFFSERV Differentiated Services provides quality of service on large networks by employing a well-defined set of building blocks from which a variety of aggregate forwarding behaviors may be built. Each packet carries information (DS byte) used by each hop to give it a particular forwarding treatment, or per-hop behavior, at each network node.
GLOSSARY GMRP Generic Multicast Registration Protocol. GMRP allows network devices to register end stations with multicast groups. GMRP requires that any participating network devices or end stations comply with the IEEE 802.1p standard. GVRP GARP VLAN Registration Protocol. Defines a way for switches to exchange VLAN information in order to register necessary VLAN members on ports along the Spanning Tree so that VLANs defined in each switch can work automatically over a Spanning Tree network.
GLOSSARY IGMP Internet Group Management Protocol. A protocol through which hosts can register with their local router for multicast services. If there is more than one multicast switch/router on a given subnetwork, one of the devices is made the “querier” and assumes responsibility for keeping track of group membership.
GLOSSARY LLDP Link Layer Discovery Protocol is used to discover basic information about neighboring devices on the same link. Each device periodically sends advertisements to a link-local multicast address that bridges do not forward, carrying information such as device identification, capabilities and configuration settings. MD5 MD5 Message-Digest is a 128-bit cryptographic hash function (RFC 1321), used in network management as the hashing primitive inside keyed message authentication rather than as a signature algorithm on its own. It was designed as a 32-bit-oriented successor to MD4. MD4 is broken, and practical collision attacks against MD5 itself have been public since 2004, so MD5 must not be relied on where collision resistance matters (signatures, certificates); where a SHA-based alternative is offered for the same function, prefer it.
GLOSSARY PORT AUTHENTICATION See IEEE 802.1X. PORT MIRRORING A method whereby data on a target port is mirrored to a monitor port for troubleshooting with a logic analyzer or RMON probe. This allows data on the target port to be studied unobtrusively. PORT TRUNK Defines a network link aggregation and trunking method which specifies how to create a single high-speed logical link that combines several lower-speed physical links.
GLOSSARY SNTP Simple Network Time Protocol allows a device to set its internal clock based on periodic updates from a Network Time Protocol (NTP) server. Updates can be requested from a specific NTP server, or can be received via broadcasts sent by NTP servers. SSH Secure Shell is a secure replacement for remote access functions, including Telnet. SSH can authenticate users with a cryptographic key, and encrypt data connections between management clients and the switch.
GLOSSARY VLAN Virtual LAN. A Virtual LAN is a collection of network nodes that share the same broadcast domain regardless of their physical location or connection point in the network. A VLAN serves as a logical workgroup with no physical barriers, and allows users to share information and resources as though located on the same LAN. XMODEM A protocol used to transfer files between devices. Data is grouped in 128-byte blocks and error-corrected.
COMMAND LIST A C aaa accounting commands 824 aaa accounting dot1x 825 aaa accounting exec 826 aaa accounting update 827 aaa authorization exec 828 aaa group server 829 absolute 763 access-list arp 970 access-list ip 952 access-list ipv6 958 access-list mac 964 accounting commands 830 accounting dot1x 830 accounting exec 831 alias 977 arp timeout 1403 authentication enable 814 authentication login 815 authorization exec 831 auto-traffic-control 1035 auto-traffic-control action 1036 auto-traffic-control al
COMMAND LIST cluster 767 cluster commander 767 cluster ip-pool 768 cluster member 769 configure 695 control-vlan 1096 copy 720 D databits 730 delete 723 delete public-key 844 description 1185 description 978 dir 724 disable 696 discard 979 disconnect 737 dos-protection echo-chargen 940 dos-protection smurf 941 dos-protection tcp-flooding 941 dos-protection tcp-null-scan 942 dos-protection tcp-syn-fin-scan 942 dos-protection tcp-xmas-scan 943 dos-protection udp-flooding 943 dos-protection win-nuke 944 dot1
COMMAND LIST ip arp inspection 932 ip arp inspection filter 933 ip arp inspection limit 937 ip arp inspection log-buffer logs 934 ip arp inspection trust 937 ip arp inspection validate 935 ip arp inspection vlan 936 ip default-gateway 1398 ip dhcp client class-id 1384 ip dhcp relay information option 1390 ip dhcp relay information policy 1393 ip dhcp relay server 1389 ip dhcp restart client 1385 ip dhcp snooping 900 ip dhcp snooping database flash 909 ip dhcp snooping information option 902 ip dhcp snoopi
COMMAND LIST ipv6 mld max-groups action 1254 ipv6 mld profile 1251 ipv6 mld query-drop 1254 ipv6 mld snooping 1240 ipv6 mld snooping querier 1240 ipv6 mld snooping query-interval 1241 ipv6 mld snooping query-maxresponse-time 1241 ipv6 mld snooping robustness 1242 ipv6 mld snooping router-port-expiretime 1243 ipv6 mld snooping unknown-multicast mode 1243 ipv6 mld snooping version 1244 ipv6 mld snooping vlan immediateleave 1244 ipv6 mld snooping vlan mrouter 1245 ipv6 mld snooping vlan static 1246 ipv6 mtu 1
COMMAND LIST max-hops 1074 media-type 981 meg-level 1100 memory 793 mep archive-hold-time 1342 mep crosscheck mpid 1346 mep fault-notify alarm-time 1354 mep fault-notify lowest-priority 1355 mep fault-notify reset-time 1356 mep-monitor 1100 mst priority 1074 mst vlan 1075 mvr 1259 mvr associated-profile 1259 mvr domain 1260 mvr immediate-leave 1266 mvr priority 1262 mvr profile 1261 mvr proxy-query-interval 1261 mvr proxy-switching 1263 mvr robustness-value 1264 mvr source-port-mode dynamic 1264 mvr type 1
COMMAND LIST qos map dscp-mutation 1176 qos map phb-queue 1177 qos map trust-mode 1178 queue mode 1170 queue weight 1171 quit 694 R radius-server acct-port 816 radius-server auth-port 817 radius-server host 817 radius-server key 818 radius-server retransmit 818 radius-server timeout 819 range 1230 range 1252 raps-def-mac 1108 raps-without-vc 1108 rate-limit 1028 rcommand 769 reload (Global Configuration) 692 reload (Privileged Exec) 696 rename 1187 revision 1076 ring-port 1110 rmon alarm 796 rmon collecti
COMMAND LIST show ip dhcp relay 1394 show ip dhcp snooping 909 show ip dhcp snooping binding 910 show ip igmp authentication 1235 show ip igmp filter 1236 show ip igmp profile 1236 show ip igmp query-drop 1237 show ip igmp snooping 1221 show ip igmp snooping group 1222 show ip igmp snooping mrouter 1223 show ip igmp snooping statistics 1224 show ip igmp throttle interface 1237 show ip interface 1399 show ip multicast-data-drop 1238 show ip source-guard 925 show ip source-guard binding 925 show ip ssh 846 s
COMMAND LIST show snmp user 789 show snmp view 790 show snmp-server enable port-traps 782 show sntp 752 show spanning-tree 1090 show spanning-tree mst configuration 1092 show ssh 847 show startup-config 713 show subnet-vlan 1159 show system 713 show tacacs-server 823 show tech-support 714 show time-range 765 show traffic-segmentation 949 show udld 1056 show upgrade 728 show users 715 show version 715 show vlan 1139 show vlan-translation 1153 show voice vlan 1167 show watchdog 716 show web-auth 898 show web
COMMAND LIST switchport native vlan 1137 switchport packet-rate 1030 switchport priority default 1172 switchport vlan-translation 1151 switchport voice vlan priority 1165 switchport voice vlan rule 1165 switchport voice vlan 1164 switchport voice vlan security 1166 T tacacs-server host 820 tacacs-server key 821 tacacs-server port 822 tacacs-server retransmit 822 tacacs-server timeout 823 terminal 737 test cable-diagnostics 998 timeout login response 736 time-range 763 traceroute 1400 traceroute6 1423 tra
INDEX NUMERICS 802.1Q tunnel 206, 1140 access 213, 1142 configuration, guidelines 209 configuration, limitations 209 CVID to SVID map 211, 1143 description 206 ethernet type 210, 1145 interface configuration 213, 1142–1145 mode selection 213, 1142 status, configuring 210, 1141 TPID 210, 1145 uplink 213, 1142 802.
INDEX selecting protocol based on message format 251, 1089 shut down port on receipt 251, 1078 bridge extension capabilities, displaying 121, 1129 broadcast storm, sample type 1029 broadcast storm, threshold 262, 263, 1029, 1030 C cable diagnostics 168, 998 canonical format indicator 282 CDP discard 979 CFM basic operations 516 continuity check errors 550, 1343 continuity check messages 505, 514, 516, 517, 1102, 1319, 1339, 1340 cross-check errors 1341, 1345, 1347 cross-check message 514, 517, 1319, 1344,
INDEX information option 412, 902 information option policy 413, 903 information option, enabling 412, 902 limit rate 904 policy selection 413, 903 specifying trusted interfaces 415, 907 verifying MAC addresses 412, 904 VLAN configuration 414, 905 DHCPv6 snooping 910 enabling 911 global configuration 911 remote id policy, option 37 914 remote ID, option 37 913 specifying trusted interfaces 916 VLAN configuration 915 Differentiated Services Code Point See DSCP Differentiated Services See DiffServ DiffServ 28
INDEX ring configuration 494, 1095 ring port, east interface 495, 1110 ring port, west interface 495, 1110 ring, enabling 496, 1097 RPL neighbor 498 RPL owner 497, 1112 secondary ring 502, 1099 status, displaying 509, 1119 version 496 wait-to-block timer 506 wait-to-restore timer 506, 1114 WTB timer 506 WTR timer 506, 1114 Ethernet Ring Protection Switching See ERPS event logging 420, 739 excess burst size, QoS policy 294, 1194 exec command privileges, accounting 315, 826, 830 exec settings accounting 316,
INDEX IP filter, for management access 380, 863 IP source guard binding static addresses 920 configuring static entries 401, 920 setting filter criteria 399, 921 setting learning mode 924 setting maximum bindings 400, 923 IP statistics 1399 IPv4 address BOOTP/DHCP 567, 1385, 1396 dynamic configuration 86 manual configuration 83 setting 83, 566, 1396 IPv6 displaying neighbors 580, 1429 duplicate address detection 573, 1424 enabling 572, 1412 MTU 572, 1413 router advertisements, blocking 574 IPv6 address dyn
INDEX settings 310, 815 TACACS+ client 310, 820 TACACS+ server 310, 820 logon authentication, settings 312 logon banner, configuring 700 loop back messages, CFM 514, 516, 536, 1319, 1353 loopback detection STA 240, 1081 loopback detection, non-STA 1047 M MAC address authentication 329, 879 ports, configuring 332, 879, 888 reauthentication 331, 882 MAC address learning 227, 874 MAC address, mirroring 234, 1017 main menu, web interface 100 maintenance association, CFM 514, 526, 1319, 1328, 1334 maintenance
INDEX statistics, displaying 655, 1275 using immediate leave 651, 1266 MVR6 assigning static multicast groups 669, 1279, 1287 configuring 662, 1277, 1284 forwarding priority 662 interface status, configuring 666, 1285–1287 interface status, displaying 668, 1291 IP for control packets sent upstream 663, 1283 proxy switching 660, 1281 receiver groups, displaying 670, 1291 robust value for proxy switching 660, 1282 setting interface type 667, 1285 setting multicast domain 667, 1279 setting multicast groups 66
INDEX privilege level, defining per command 812 problems, troubleshooting 1445 protocol migration 251, 1089 protocol tunnel, layer 2 1150 protocol VLANs 214, 1153 configuring 215, 1154, 1155 interface configuration 216, 1155 system configuration 215, 1154 proxy address, IGMP snooping 622, 1217 proxy reporting, IGMP snooping 620, 1206 public key 342, 838 PVID, port native VLAN 199, 1137 PVST, discard 979 Q QinQ Tunneling See 802.
INDEX SNTP setting the system clock 132, 750–752 specifying servers 134, 752 software displaying version 118, 715 downloading 122, 720 version, displaying 118, 715 Spanning Tree Protocol See STA specifications, software 1441 srTCM police meter 294, 1191 QoS policy 290, 1191 SSH 342, 838 authentication retries 345, 841 configuring 342, 839 downloading public keys for clients 347, 720, 723 generating host key pair 346, 844 server, configuring 344, 842 timeout 345, 843 SSL, replacing certificate 340 STA 237,
INDEX unknown unicast storm, sample type 1029 unknown unicast storm, threshold 263, 1030 unregistered data flooding, IGMP snooping 612, 1210 upgrading software 122, 720, 725 user account 324, 810, 811 user password 324, 810, 811 V VLAN trunking 190, 1138 VLANs 193–222, 1125–1167 802.
ES3528MV2 ES3528MV2-DC E112013/ST-R03