TigerAccess™ EE 6-Band VDSL2 Switch
◆ 16 VDSL Downlink Ports (1 RJ-21 Connector)
◆ 2 Gigabit Ethernet Combination Ports (RJ-45/SFP)
◆ 1 Fast Ethernet Management Port (RJ-45)
◆ Non-blocking switching architecture
◆ Spanning Tree Protocol, RSTP, and MSTP
◆ Up to 12 LACP or static 8-port trunks
◆ Layer 2/3/4 CoS support through eight priority queues
◆ Layer 3/4 traffic priority with IP Precedence and IP DSCP
◆ Full support for VLANs with GVRP
◆ IGMP multicast filtering and snooping
◆ Manageable via consol
TigerAccess™ EE Management Guide
From SMC’s Tiger line of feature-rich workgroup LAN solutions
20 Mason
Irvine, CA 92618
Phone: (949) 679-8000
January 2007
Pub.
Information furnished by SMC Networks, Inc. (SMC) is believed to be accurate and reliable. However, no responsibility is assumed by SMC for its use, nor for any infringements of patents or other rights of third parties which may result from its use. No license is granted by implication or otherwise under any patent or patent rights of SMC. SMC reserves the right to change specifications at any time without notice. Copyright © 2007 by SMC Networks, Inc. 20 Mason Irvine, CA 92618 All rights reserved.
LIMITED WARRANTY Limited Warranty Statement: SMC Networks, Inc. (“SMC”) warrants its products to be free from defects in workmanship and materials, under normal use and service, for the applicable warranty term. All SMC products carry a standard 90-day limited warranty from the date of purchase from SMC or its Authorized Reseller. SMC may, at its own discretion, repair or replace any product not operating as warranted with a similar or functionally equivalent product, during the applicable warranty term.
WARRANTIES EXCLUSIVE: IF AN SMC PRODUCT DOES NOT OPERATE AS WARRANTED ABOVE, CUSTOMER’S SOLE REMEDY SHALL BE REPAIR OR REPLACEMENT OF THE PRODUCT IN QUESTION, AT SMC’S OPTION. THE FOREGOING WARRANTIES AND REMEDIES ARE EXCLUSIVE AND ARE IN LIEU OF ALL OTHER WARRANTIES OR CONDITIONS, EXPRESS OR IMPLIED, EITHER IN FACT OR BY OPERATION OF LAW, STATUTORY OR OTHERWISE, INCLUDING WARRANTIES OR CONDITIONS OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
TABLE OF CONTENTS
Section I Getting Started
1 Introduction 1-1
  Key Features 1-1
  Description of Software Features 1-3
  System Defaults 1-9
2 Initial Configuration
  Main Menu 3-5
4 Basic Management Tasks 4-1
  Displaying System Information 4-1
  Displaying System Health 4-4
  Displaying Hardware/Software Versions
  Setting SNMPv3 Views 5-24
6 User Authentication 6-1
  Configuring User Accounts 6-1
  Configuring Local/Remote Logon Authentication 6-3
  Configuring HTTPS
9 Port Configuration 9-1
  Displaying Connection Status 9-1
  Configuring Interface Connections 9-4
  Creating Trunk Groups 9-8
  Statically Configuring a Trunk
  Configuring Interface Settings for MSTP 12-27
13 VLAN Configuration 13-1
  Selecting the VLAN Operation Mode 13-1
  IEEE 802.1Q VLANs 13-2
  Enabling or Disabling GVRP (Global Setting) 13-6
  Displaying Basic VLAN Information
15 Quality of Service 15-1
  Configuring Quality of Service Parameters 15-2
  Configuring a Class Map 15-3
  Creating QoS Policies 15-6
  Attaching a Policy Map to Ingress Queues 15-10
16 Multicast Filtering
  Console Connection 18-1
  Telnet Connection 18-2
  Entering Commands 18-3
  Keywords and Arguments 18-3
  Minimum Abbreviation 18-4
  Command Completion
  show bme version
  show cpu utilization
  show memory status
  System Mode Commands
  system mode
  show system mode
  SMTP Alert Commands
  logging sendmail host
  logging sendmail level
  logging sendmail source-email
  logging sendmail destination-email
  logging sendmail
  Authentication Sequence 22-5
  authentication login 22-5
  authentication enable 22-7
  RADIUS Client 22-8
  radius-server host
  dot1x max-req 22-36
  dot1x port-control 22-36
  dot1x operation-mode 22-37
  dot1x re-authenticate 22-38
  dot1x re-authentication 22-39
  dot1x timeout quiet-period
24 Access Control List Commands 24-1
  IP ACLs 24-2
  access-list ip 24-3
  permit, deny (Standard IP ACL) 24-4
  permit, deny (Extended IP ACL) 24-5
  show ip access-list
  show interfaces counters 25-14
  show interfaces switchport 25-16
26 Link Aggregation Commands 26-1
  channel-group 26-3
  lacp
  lre interleave-max-delay
  lre datarate
  lre rate-set
  lre noise-mgn target
  lre noise-mgn min
  lre shutdown
  Displaying VDSL Information 29-61
  show lre band-plan 29-62
  show lre option-band 29-63
  show lre ham-band 29-64
  show lre region-ham-band 29-65
  show lre psd
31 Spanning Tree Commands 31-1
  spanning-tree 31-3
  spanning-tree mode 31-4
  spanning-tree forward-time 31-5
  spanning-tree hello-time
  vlan 32-8
  Configuring VLAN Interfaces 32-9
  interface vlan 32-9
  switchport mode 32-10
  switchport acceptable-frame-types
  show queue bandwidth 33-9
  show queue cos-map 33-10
  Priority Commands (Layer 3 and 4) 33-11
  map ip port (Global Configuration) 33-12
  map ip port (Interface Configuration) 33-12
  map ip precedence (Global Configuration)
  ip igmp snooping query-interval 35-9
  ip igmp snooping query-max-response-time 35-10
  ip igmp snooping router-port-expire-time 35-11
  Static Multicast Routing Commands 35-12
  ip igmp snooping vlan mrouter 35-12
  show ip igmp snooping mrouter
37 DHCP Commands 37-1
  DHCP Client
  ip dhcp restart client
  DHCP Relay
  ip dhcp relay server
  ip dhcp information option
Section IV Appendices
A Software Specifications A-1
  Software Features A-1
  Management Features A-3
  Standards A-3
  Management Information Bases
TABLES
Table 1-1 Key Features 1-1
Table 1-2 System Defaults
Table 20-4 show bme version - display description
Table 24-1 Access Control List Commands 24-1
Table 24-2 IP ACL Commands
Table 32-5 Commands for Displaying VLAN Information 32-16
Table 32-6 Private VLAN Commands 32-17
Table 32-7 Protocol-based VLAN Commands
(The titles of the other entries in the list of tables, Table 3-1 through Table B-1, are not recoverable from this copy.)
FIGURES
Figure 3-1 Home Page
Figure 6-5 SSH Server Settings
Figure 10-5 VDSL Performance Statistics
Figure 14-10 IP Port Priority 14-17
Figure 15-1 Configuring Class Maps 15-5
Figure 15-2 Configuring Policy Maps
(The titles of the other entries in the list of figures, Figure 3-2 through Figure 17-3, are not recoverable from this copy.)
SECTION I GETTING STARTED
This section provides an overview of the switch, and introduces some basic concepts about network switches. It also describes the basic settings required to access the management interface.
Introduction 1-1
Initial Configuration
CHAPTER 1 INTRODUCTION This switch provides a broad range of features for Layer 2 switching. It includes a management agent that allows you to configure the features listed in this manual. The default configuration can be used for most of the features provided by this switch. However, there are many options that you should configure to maximize the switch’s performance for your particular network environment. The switch uses six frequency bands (three downstream and three upstream) for VDSL lines.
KEY FEATURES
Table 1-1 Key Features (Continued)
Feature | Description
User Authentication | Console, Telnet, web – User name / password, RADIUS, TACACS+; Web – HTTPS; Telnet – SSH; SNMP v1/2c – Community strings; SNMP version 3 – MD5 or SHA password; Port – IEEE 802.1X
Client Security | Private VLANs, IEEE 802.
Table 1-1 Key Features (Continued)
Feature | Description
Traffic Prioritization | Default port priority, traffic class map, queue scheduling, IP Precedence, or Differentiated Services Code Point (DSCP), and TCP/UDP Port
Quality of Service | Supports Differentiated Services (DiffServ)
Multicast Filtering | Supports IGMP snooping, query, profile filtering, and Multicast VLAN Registration
Tunneling | Supports IEEE 802.
DESCRIPTION OF SOFTWARE FEATURES
server to verify the client’s right to access the network via an authentication server (i.e., RADIUS server). Other authentication options include HTTPS for secure management access via the web, SSH for secure management access over a Telnet-equivalent connection, SNMP Version 3, IP address filtering for SNMP/web/Telnet management access, and MAC address filtering for port access.
Port Trunking – Ports can be combined into an aggregate connection. Trunks can be manually set up or dynamically configured using IEEE 802.3-2002 (formerly IEEE 802.3ad) Link Aggregation Control Protocol (LACP). The additional ports dramatically increase the throughput across any connection, and provide redundancy by taking over the load if a port in the trunk should fail. The switch supports up to 12 trunks.
Spanning Tree Algorithm – The switch supports these spanning tree protocols: Spanning Tree Protocol (STP, IEEE 802.1D) – This protocol provides loop detection. When there are multiple physical paths between segments, this protocol will choose a single path and disable all others to ensure that only one route exists between any two stations on the network. This prevents the creation of network loops.
• Simplify network management for node changes/moves by remotely configuring VLAN membership for any port, rather than having to manually change the network connection.
• Provide data security by restricting all traffic to the originating VLAN.
• Use private VLANs to restrict traffic to pass only between data ports and the uplink ports, thereby isolating adjacent ports within the same VLAN, and allowing you to limit the total number of VLANs that need to be configured.
Multicast Filtering – Specific multicast traffic can be assigned to its own VLAN to ensure that it does not interfere with normal network traffic and to guarantee real-time delivery by setting the required priority level for the designated VLAN. The switch uses IGMP snooping or query to manage multicast group registration, and multicast profile filtering to control access to specific multicast services.
System Defaults
The switch’s system defaults are provided in the configuration file “Factory_Default_Config.cfg.” To reset the switch defaults, this file should be set as the startup configuration file (page 4-20). The following table lists some of the basic system defaults.
Table 1-2 System Defaults (Continued)
Function | Parameter | Default
Web Management | HTTP Server | Enabled
Web Management | HTTP Port Number | 80
Web Management | HTTP Secure Server | Enabled
Web Management | HTTP Secure Port Number | 443
SNMP | SNMP Agent | Enabled
SNMP | Community Strings | “public” (read only), “private” (read/write)
SNMP | Traps | Authentication traps: enabled; Link-up-down events: enabled
SNMP | SNMP V3 | View: defaultview; Group: public (read only), private (read/write)
Port Configuration | Admin Status | Enabled
Port Configuration | Auto-negotiation | Enabled
Port Configuration | Flow Con
Virtual LANs | Default VLAN | 1
Virtual LANs | PVID | 1
Virtual LANs | Acceptable Frame Type | All
Virtual LANs | Ingress Filtering | Disabled
Virtual LANs | Switchport Mode (Egress Mode) | Hybrid: tagged/untagged frames
Virtual LANs | GVRP (global) | Disabled
Virtual LANs | GVRP (port interface) | Disabled
Virtual LANs | QinQ Tunneling | Disabled
| Ingress Port Priority | 0
| Queue Mode | WRR (Weighted Round Robin)
| Queue Weights | Queue 0 1 2 3 4 5 6 7 : Weight 1 2 4 6 8 10 12 14
| IP Precedence Priority | Disabled
| IP DSCP Priority | Disabled
| IP Port P
Multicast Filtering | IGMP Snooping | Snooping: Enabled; Querier: Disabled
Multicast Filtering | IGMP Filtering/Throttling | Disabled
Multicast Filtering | Multicast VLAN Registration | Disabled
System Log | Status | Enabled
System Log | Messages Logged | Levels 0-7 (all)
System Log | Messages Logged to Flash | Levels 0-3
SMTP Email Alerts | Event Handler | Enabled (but no server defined)
SNTP | Clock Synchronization | Disabled
CHAPTER 2 INITIAL CONFIGURATION
Connecting to the Switch
Configuration Options
The switch includes a built-in network management agent. The agent offers a variety of management options, including SNMP, RMON and a web-based interface. A PC may also be connected directly to the switch for configuration and monitoring via a command line interface (CLI).
Note: An IP address for this switch is obtained via DHCP by default. To change this address, see “Setting an IP Address” on page 2-6.
The switch’s web interface, CLI configuration program, and SNMP agent allow you to perform the following management functions:
• Set user names and passwords
• Set an IP interface for a management VLAN
• Configure SNMP parameters
• Enable/disable any port
• Set the speed/duplex mode for any port
• Configure the bandwidth of any port by limiting input or output rates
• Control port access through IEEE 802.
To connect a terminal to the console port, complete the following steps:
1. Connect the console cable to the serial port on a terminal, or a PC running terminal emulation software, and tighten the captive retaining screws on the DB-9 connector.
2. Connect the other end of the cable to the RS-232 serial port on the switch.
3. Make sure the terminal emulation software is set as follows:
• Select the appropriate serial port (COM port 1 or COM port 2).
BASIC CONFIGURATION
Remote Connections
Prior to accessing the switch’s onboard agent via a network connection, you must first configure it with a valid IP address, subnet mask, and default gateway using a console connection, DHCP or BOOTP protocol. An IP address for this switch is obtained via DHCP by default. To manually configure this address or enable dynamic address assignment via DHCP or BOOTP, see “Setting an IP Address” on page 2-6.
Note: This switch supports four concurrent Telnet/SSH sessions.
Access to both CLI levels is controlled by user names and passwords. The switch has a default user name and password for each level. To log into the CLI at the Privileged Exec level using the default user name and password, perform these steps:
1. To initiate your console connection, press Enter. The “User Access Verification” procedure starts.
2. At the Username prompt, enter “admin.”
3. At the Password prompt, also enter “admin.”
4. Type “username admin password 0 password,” for the Privileged Exec level, where password is your new password. Press Enter.

Username: admin
Password:
CLI session with the SMC7816M/VSW is opened.
To end the CLI session, enter [Exit].
Using the dedicated management port provides a back channel for troubleshooting when the switch cannot be reached through the data network. To provide additional security against eavesdropping on management traffic, leave the IP address for the data network (i.e., the VLAN containing ports 1-18) unconfigured. To create a new VLAN and assign the management port to it, enter commands similar to those shown below:
1.
9. Then follow the steps indicated in the next section to assign an IP address to this VLAN using manual configuration or automatic configuration via DHCP or BOOTP.
Before you can assign an IP address to the switch, you must obtain the following information from your network administrator:
• IP address for the switch
• Network mask for this network
• Default gateway for the network
To assign an IP address to the switch, complete the following steps:
1. From the Global Configuration mode prompt, type “interface vlan 1” to access the interface-configuration mode. Press Enter.
2.
To automatically configure the switch by communicating with BOOTP or DHCP address allocation servers on the network, complete the following steps:
1. From the Global Configuration mode prompt, type “interface vlan 1” to access the interface-configuration mode. Press Enter.
2. At the interface-configuration mode prompt, use one of the following commands:
• To obtain IP settings via DHCP, type “ip address dhcp” and press Enter.
Enabling SNMP Management Access
The switch can be configured to accept management commands from Simple Network Management Protocol (SNMP) applications such as HP OpenView. You can configure the switch to (1) respond to SNMP requests or (2) generate SNMP traps. When SNMP management stations send requests to the switch (either to return information or to set a parameter), the switch provides the requested data or sets the specified parameter.
To prevent unauthorized access to the switch from SNMP version 1 or 2c clients, it is recommended that you change the default community strings. To configure a community string, complete the following steps:
1. From the Privileged Exec level global configuration mode prompt, type “snmp-server community string mode,” where “string” is the community access string and “mode” is rw (read/write) or ro (read only). Press Enter. (Note that the default mode is read only.)
2.
Then press Enter. For a more detailed description of these parameters, see “snmp-server host” on page 21-6. The following example creates a trap host for each type of SNMP client.

Console(config)#snmp-server host 10.1.19.23 batman
Console(config)#snmp-server host 10.1.19.98 robin version 2c
Console(config)#snmp-server host 10.1.19.
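The factory defaults in Table 1-2 and the community-string change recommended above can be checked mechanically. The script below is an added example for this guide, not SMC code: it scans a running-config written in the command forms shown in this chapter (snmp-server community, snmp-server host, username) and flags defaults still in place. The sample configuration is constructed, and treating a snmp-server host line with no version keyword as SNMPv1 is an assumption drawn from the first line of the example above.

```python
"""Audit an SMC TigerAccess-style running-config for factory defaults.

Added example for this guide (not SMC code). It checks the SNMP and login
defaults listed in Table 1-2 and in "Enabling SNMP Management Access":
the "public"/"private" community strings, trap hosts that reuse them or
speak SNMPv1, and the admin account still set to the password "admin".
"""
import re
from typing import Dict, List, Tuple

# Factory defaults from Table 1-2 and chapter 2 of this guide.
DEFAULT_COMMUNITIES = {"public": "ro", "private": "rw"}
DEFAULT_ADMIN_PASSWORD = "admin"

# Command forms as documented in chapter 2: "snmp-server community string mode",
# "snmp-server host addr community [version N]", "username admin password 0 pw".
COMMUNITY_RE = re.compile(r"^snmp-server community (\S+)\s+(ro|rw)\s*$")
TRAP_HOST_RE = re.compile(r"^snmp-server host (\S+)\s+(\S+)(?:\s+version\s+(\S+))?")
USERNAME_RE = re.compile(r"^username (\S+) password (\d) (\S+)")

Finding = Tuple[str, str]  # (severity, message)

# Constructed sample config: the first four SNMP lines mirror the guide's
# examples; the 10.1.19.50 trap host is invented to show a default community
# reused for traps.
SAMPLE_CONFIG = """\
snmp-server community public ro
snmp-server community private rw
snmp-server host 10.1.19.23 batman
snmp-server host 10.1.19.98 robin version 2c
snmp-server host 10.1.19.50 public version 2c
username admin password 0 admin
interface vlan 1
 ip address dhcp
"""


def audit_config(config_text: str) -> List[Finding]:
    """Return (severity, message) findings for each insecure default found."""
    findings: List[Finding] = []
    for raw in config_text.splitlines():
        line = raw.strip()

        m = COMMUNITY_RE.match(line)
        if m:
            name, mode = m.groups()
            if name in DEFAULT_COMMUNITIES:
                # A default read/write string gives full control of the switch.
                sev = "high" if mode == "rw" else "medium"
                findings.append((sev, f"default SNMP community '{name}' still configured ({mode})"))
            continue

        m = TRAP_HOST_RE.match(line)
        if m:
            host, community, version = m.groups()
            if community in DEFAULT_COMMUNITIES:
                findings.append(("medium", f"trap host {host} uses default community '{community}'"))
            # Assumption: no "version" keyword means SNMPv1, as in the guide's first example.
            if version is None or version == "1":
                findings.append(("low", f"trap host {host} receives SNMPv1 traps (unauthenticated)"))
            continue

        m = USERNAME_RE.match(line)
        if m:
            user, encoding, secret = m.groups()
            # "0" marks a clear-text password in the username command.
            if user == "admin" and encoding == "0" and secret == DEFAULT_ADMIN_PASSWORD:
                findings.append(("high", "admin account still uses the factory password"))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per severity level."""
    counts: Dict[str, int] = {"high": 0, "medium": 0, "low": 0}
    for sev, _ in findings:
        counts[sev] += 1
    return counts


if __name__ == "__main__":
    results = audit_config(SAMPLE_CONFIG)
    for sev, msg in results:
        print(f"[{sev:6}] {msg}")
    print(summarize(results))
```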
Managing System Files
The switch’s flash memory supports three types of system files that can be managed by the CLI program, web interface, or SNMP. The switch’s file system allows files to be uploaded and downloaded, copied, deleted, and set as a start-up file. The three types of files are:
• Configuration — This file type stores system configuration information and is created when configuration settings are saved.
In the system flash memory, one file of each type must be set as the start-up file. During a system boot, the diagnostic and operation code files set as the start-up file are run, and then the start-up configuration file is loaded. Note that configuration files should be downloaded using a file name that reflects the contents or usage of the file settings.
To save the current configuration settings, enter the following command:
1. From the Privileged Exec mode prompt, type “copy running-config startup-config” and press Enter.
2. Enter the name of the start-up file. Press Enter.

Console#copy running-config startup-config
Startup configuration file name []: startup
\Write to FLASH Programming.
\Write to FLASH finish.
Success.
SECTION II SWITCH MANAGEMENT
This section describes the basic switch features, along with a detailed description of how to configure each feature via a web browser, and a brief example for the Command Line Interface.
Configuring the Switch 3-1
Basic Management Tasks 4-1
Simple Network Management Protocol
CHAPTER 3 CONFIGURING THE SWITCH
Using the Web Interface
This switch provides an embedded HTTP web agent. Using a web browser you can configure the switch and view statistics to monitor network activity. The web agent can be accessed by any computer on the network using a standard web browser (Internet Explorer 5.0 or above, or Netscape Navigator 6.2 or above).
Note: You can also use the Command Line Interface (CLI) to manage the switch over a serial connection to the console port or via Telnet.
Notes:
1. You are allowed three attempts to enter the correct password; on the third failed attempt the current connection is terminated.
2. If you log into the web interface as guest (Normal Exec level), you can view the configuration settings or change the guest password. If you log in as “admin” (Privileged Exec level), you can change the settings on any page.
3.
Navigating the Web Browser Interface
To access the web-browser interface you must first enter a user name and password. The administrator has Read/Write access to all configuration parameters and statistics. The default user name and password “admin” is used for the administrator.
Home Page
When your web browser connects with the switch’s web agent, the home page is displayed as shown below.
Configuration Options
Configurable parameters have a dialog box or a drop-down list. Once a configuration change has been made on a page, be sure to click on the Apply button to confirm the new setting. The following table summarizes the web page configuration buttons.
Table 3-1 Web Page Configuration Buttons
Button | Action
Apply | Sets specified values to the system.
Revert | Cancels specified values and restores current values prior to pressing “Apply.
Main Menu
Using the onboard web agent, you can define system parameters, manage and control the switch, and all its ports, or monitor network conditions. The following table briefly describes the selections available from this program.
CONFIGURING THE SWITCH Table 3-2 Switch Main Menu (Continued) Menu Reset Description Restarts the switch SNTP Page 4-36 4-37 Configuration Configures SNTP client settings, including a specified list of servers 4-37 Clock Time Zone Sets the local time zone for the system clock 4-39 SNMP 5-1 Configuration Configures community strings and related trap functions 5-4 Agent Status Enables or disables SNMP 5-4 SNMPv3 Engine ID 5-10 Sets the SNMP v3 engine ID 5-10 Remote Engine ID Sets the SNM
NAVIGATING THE WEB BROWSER INTERFACE Table 3-2 Switch Main Menu (Continued) Menu 802.
Table 3-2 Switch Main Menu (Continued)
Menu – Description (Page)
Trunk Configuration – Configures trunk connection settings (9-4)
Trunk Membership – Specifies ports to group into static trunks (9-9)
LACP (9-11)
Configuration – Allows ports to dynamically join trunks (9-11)
Aggregation Port – Configures parameters for link aggregation group members (9-13)
Port Counters Information – Displays statistics for LACP protocol messages (9-17)
Port Internal Information – Displays settings and operationa
Table 3-2 Switch Main Menu (Continued)
Menu – Description (Page)
VDSL (10-1)
Global Configuration – Configures global VDSL variables which can be applied to all ports (10-1)
VDSL Port Configuration – Configures communication parameters for VDSL ports (10-7)
Line Profile Configuration – Configures a list of communication parameters which can be applied to all VDSL ports or to a selected group of ports (10-16)
VDSL Status Information – Displays information on VDSL configuration s
Table 3-2 Switch Main Menu (Continued)
Menu – Description (Page)
Spanning Tree (12-1)
STA Information – Displays STA values used for the bridge (12-4)
Configuration – Configures global bridge settings for STP, RSTP and MSTP (12-8)
Port Information – Displays individual port settings for STA (12-13)
Trunk Information – Displays individual trunk settings for STA (12-13)
Port Configuration – Configures individual port settings for STA (12-18)
Trunk Configuration – Configures individual trunk set
Table 3-2 Switch Main Menu (Continued)
Menu – Description (Page)
Static Membership by Port – Configures membership type for interfaces, including tagged, untagged or forbidden (13-14)
Port Configuration – Specifies default PVID and VLAN attributes (13-15)
Trunk Configuration – Specifies default trunk VID and VLAN attributes (13-15)
Private VLAN (13-18)
Status – Enables or disables the private VLAN (13-18)
Link Status – Configures the private VLAN (13-19)
Protocol VLAN (13-20)
Con
Table 3-2 Switch Main Menu (Continued)
Menu – Description (Page)
IPv6 Mapping – Assigns IPv6 traffic classes to one of the Class-of-Service values (14-15)
IP Port Priority Status – Globally enables or disables IP Port Priority (14-16)
IP Port Priority – Sets TCP/UDP port priority, defining the socket number and associated class-of-service value (14-11)
QoS (15-1)
DiffServ – Configures QoS classification criteria and service policies (15-2)
Class Map – Creates a class map for a type of traffic
Table 3-2 Switch Main Menu (Continued)
Menu – Description (Page)
IGMP Filter/Throttling Trunk Configuration – Assigns IGMP filter profiles to trunk interfaces and sets throttle mode (16-18)
MVR (16-20)
Configuration – Globally enables MVR, sets the MVR VLAN, adds multicast stream addresses (16-21)
Port Information – Displays MVR interface type, MVR operational and activity status, and immediate leave status (16-24)
Trunk Information – Displays MVR interface type, MVR operational
CHAPTER 4 BASIC MANAGEMENT TASKS
This chapter describes the basic functions required to set up management access to the switch, display or upgrade operating software, or reset the system.
Displaying System Information
You can easily identify the system by displaying the device name, location and contact information.
Field Attributes
• System Name – Name assigned to the switch system.
• Object ID – MIB II object ID for the switch’s network management subsystem.
• Location – Specifies the system location.
• Web Secure Server Port – Shows the TCP port used by the HTTPS interface.
• Telnet Server – Shows if management access via Telnet is enabled.
• Telnet Server Port – Shows the TCP port used by the Telnet interface.
• Authentication Login – Shows the user login authentication sequence.
• Jumbo Frame – Shows if jumbo frames are enabled.
CLI – Specify the hostname, location and contact information.
Console(config)#hostname R&D 5                    20-2
Console(config)#snmp-server location WC 9         21-5
Console(config)#snmp-server contact Ted           21-5
Console(config)#exit
Console#show system                               20-8
System Description: TigerAccess(TM) SMC7816M/VSW
System OID String: 1.3.6.1.4.1.202.40.2
System Information
System Up Time: 0 days, 1 hours, 56 minutes, and 9.
Displaying System Health
Use the System Health Information page to display the status of the fans, internal temperature, main board, CPU, and system memory.
Field Attributes
General Status
• Fan Status – The fan’s functioning status.
• Fan Failed Times – The number of times the fan has failed since the system was booted.
• Thermal Status – The temperature status of the system. (Normal or Too High)
• System Hardware Status – The status of the overall system.
• Free Amount – Amount of memory currently free for use.
• Freed / Total – Percentage of free memory compared to total memory.
• Utilization Rising Alarm Threshold – Rising threshold for the memory utilization alarm. (Range: 1-100%; Default: 90%)
• Utilization Falling Alarm Threshold – Falling threshold for the memory utilization alarm. (Range: 1-100%; Default: 90%)
Web – Click System, System Health Information.
BASIC MANAGEMENT TASKS CLI – Use the following commands to display the status of the CPU and system memory.
Displaying Hardware/Software Versions
Use the Switch Information page to display hardware/firmware version numbers for the main board and management software, as well as the power status of the system.
Field Attributes
Main Board
• Serial Number – Serial number of the main board.
• Number of Ports – Number of built-in ports.
• Hardware Version – Hardware version of the main board.
• Internal Power Status – Displays the status of the internal power supply.
These additional parameters are displayed for the CLI.
• Unit ID – Unit number in stack.
• BME firmware version – Version number of the Burst Mode Engine.
Web – Click System, Switch Information.
CLI – Use the following command to display version information.
Console#show version                        20-10
Unit 1
 Mainboard Serial Number:     A639000835
 Signalboard Serial Number:   A639000958
 Mainboard Hardware Version:  R01
 Signalboard Hardware Version: R01
 EPLD1 Version:               0.09
 EPLD2 Version:               0.09
 Number of Ports:             19
 Main Power Status:           Up
 Agent (Master)
 Unit ID:                     1
 Loader Version:              3.0.0.5
 Boot ROM Version:            3.2.1.0
 Operation Code Version:      3.2.2.
 Bme firmware version:
Console#
• Configurable PVID Tagging – This switch allows you to override the default Port VLAN ID (PVID used in frame tags) and egress status (VLAN-Tagged or Untagged) on each port. (Refer to “VLAN Configuration” on page 13-1.)
• Local VLAN Capable – This switch does not support multiple local bridges outside of the scope of 802.1Q defined VLANs.
• GMRP – GARP Multicast Registration Protocol (GMRP) allows network devices to register endstations with multicast groups.
CLI – Enter the following command.
Console#show bridge-ext                          32-3
 Max Support VLAN Numbers:              255
 Max Support VLAN ID:                   4094
 Extended Multicast Filtering Services: No
 Static Entry Individual Port:          Yes
 VLAN Learning:                         IVL
 Configurable PVID Tagging:             Yes
 Local VLAN Capable:                    No
 Traffic Classes:                       Enabled
 Global GVRP Status:                    Disabled
 GMRP:                                  Disabled
Console#
Setting the Switch’s IP Address
This section describes how to configure an IP interface for management access over the network.
will not function until a reply has been received from the server. Requests will be broadcast periodically by the switch for an IP address. (DHCP/BOOTP values can include the IP address, subnet mask, and default gateway.)
• IP Address – Address of the VLAN to which the management station is attached. Valid IP addresses consist of four numbers, 0 to 255, separated by periods. (Default: 0.0.0.
CLI – Specify the management interface, IP address and default gateway.
Console#config
Console(config)#interface vlan 1                                   25-2
Console(config-if)#ip address 10.1.0.253 255.255.255.0             38-2
Console(config-if)#exit
Console(config)#ip default-gateway 10.1.0.254                      38-3
Console(config)#end
Console#show ip interface                                          38-4
 IP Address and Netmask: 10.1.0.253 255.255.255.0 on VLAN 2,
 Address Mode: User
Console#
This example first sets up a dedicated VLAN for management access.
BASIC MANAGEMENT TASKS Using DHCP/BOOTP If your network provides DHCP/BOOTP services, you can configure the switch to be dynamically configured by these services. Web – Click System, IP Configuration. Specify the VLAN to which the management station is attached, set the IP Address Mode to DHCP or BOOTP. Click Apply to save your changes. Then click Restart DHCP to immediately request a new address. Note that the switch will also broadcast a request for IP configuration settings on each power reset.
SETTING THE SWITCH’S IP ADDRESS This example first sets up a dedicated VLAN for management access. It adds Port 19 (the management port) to that VLAN and also removes this port from the VLAN 1, which is left for use by the data network. It then specifies the management interface, IP address and default gateway. For information on making these configuration changes through the web interface, refer to Chapter 13 “VLAN Configuration.
BASIC MANAGEMENT TASKS Configuring Support for Jumbo Frames The switch provides more efficient throughput for large sequential data transfers by supporting jumbo frames up to 9216 bytes. Compared to standard Ethernet frames that run only up to 1.5 KB, using jumbo frames significantly reduces the per-packet overhead required to process protocol encapsulation fields. Command Usage To use jumbo frames, both the source and destination end nodes (such as a computer or server) must support this feature.
MANAGING FIRMWARE Managing Firmware You can upload/download firmware to or from a TFTP server. By saving runtime code to a file on a TFTP server, that file can later be downloaded to the switch to restore operation. You can also set the switch to use new firmware without overwriting the previous version. You must specify the method of file transfer, along with the file type and file names as required.
BASIC MANAGEMENT TASKS Downloading System Software from a Server When downloading runtime code, you can specify the destination file name to replace the current image, or first download the file using a different name from the current runtime code file, and then set the new file as the startup file. Web – Click System, File Management, Copy Operation.
MANAGING FIRMWARE If you download to a new destination file, go to the File Management, Set Start-Up menu, mark the operation code file used at startup, and click Apply. To start the new firmware, reboot the system via the System/Reset menu. Figure 4-9 Setting the Startup Code To delete a file select System, File Management, Delete. Select the file name from the given list by checking the tick box and click Apply. Note that the file currently designated as the startup code cannot be deleted.
To start the new firmware, enter the “reload” command or reboot the system.
Console#copy tftp file
TFTP server ip address: 10.1.0.19
Choose file type:
 1. config: 2. opcode: <1-2>: 2
Source file name: V3.1.16.20.bix
Destination file name: V311620
\Write to FLASH Programming.
-Write to FLASH finish.
Success.
- running-config to file – Copies the running configuration to a file.
- running-config to startup-config – Copies the running config to the startup config.
- running-config to tftp – Copies the running configuration to a TFTP server.
- startup-config to file – Copies the startup configuration to a file on the switch.
- startup-config to running-config – Copies the startup config to the running config.
BASIC MANAGEMENT TASKS Downloading Configuration Settings from a Server You can download the configuration file under a new file name and then set it as the startup file, or you can specify the current startup configuration file as the destination file to directly replace it. Note that the file “Factory_Default_Config.cfg” can be copied to the TFTP server, but cannot be used as the destination on the switch. Web – Click System, File Management, Copy Operation.
SAVING OR RESTORING CONFIGURATION SETTINGS If you download to a new file name using “tftp to startup-config” or “tftp to file,” the file is automatically set as the start-up configuration file. To use the new settings, reboot the system via the System/Reset menu. You can also select any configuration file as the start-up configuration by using the System/File Management/Set Start-Up page.
BASIC MANAGEMENT TASKS Console Port Settings You can access the onboard configuration program by attaching a VT100 compatible device to the switch’s serial console port. Management access through the console port is controlled by various parameters, including a password, timeouts, and basic communication settings. These parameters can be configured via the web or CLI interface. Command Attributes • Login Timeout – Sets the interval that the system waits for a user to log into the CLI.
device connected to the serial port. (Range: 9600, 19200, 38400, 57600, or 115200 baud, Auto; Default: Auto)
• Stop Bits – Sets the number of stop bits transmitted per byte. (Range: 1-2; Default: 1 stop bit)
• Password – Specifies a password for the line connection. When a connection is started on a line with password protection, the system prompts for the password. If you enter the correct password, the system shows a prompt.
BASIC MANAGEMENT TASKS CLI – Enter Line Configuration mode for the console, then specify the connection parameters as required. To display the current console port settings, use the show line command from the Normal Exec level.
• Login Timeout – Sets the interval that the system waits for a user to log into the CLI. If a login attempt is not detected within the timeout interval, the connection is terminated for the session. (Range: 0 - 300 seconds; Default: 300 seconds)
• Exec Timeout – Sets the interval that the system waits until user input is detected. If user input is not detected within the timeout interval, the current session is terminated.
BASIC MANAGEMENT TASKS Web – Click System, Line, Telnet. Specify the connection parameters for Telnet access, then click Apply. Figure 4-14 Configuring the Telnet Interface CLI – Enter Line Configuration mode for a virtual terminal, then specify the connection parameters as required. To display the current virtual terminal settings, use the show line command from the Normal Exec level.
Configuring Event Logging
The switch allows you to control the logging of error messages, including the type of events that are recorded in switch memory and logging to a remote System Log (syslog) server, and it displays a list of recent event messages.
System Log Configuration
The system allows you to enable or disable event logging, and specify which levels are logged to RAM or flash memory.
Table 4-1 Logging Levels (Continued)
Level – Severity Name – Description
4 – Warning – Warning conditions (e.g., return false, unexpected return)
3 – Error – Error conditions (e.g., invalid input, default used)
2 – Critical – Critical conditions (e.g., memory allocation, or free memory error - resource exhausted)
1 – Alert – Immediate action needed
0 – Emergency – System unusable
* There are only Level 2, 5 and 6 error messages for the current firmware release.
CONFIGURING EVENT LOGGING CLI – Enable system logging and then specify the level of messages to be logged to RAM and flash memory. Use the show logging command to display the current settings.
BASIC MANAGEMENT TASKS • Host IP Address – Specifies a new server IP address to add to the Host IP List. Web – Click System, Logs, Remote Logs. To add an IP address to the Host IP List, type the new IP address in the Host IP Address box, and then click Add. To delete an IP address, click the entry in the Host IP List, and then click Remove.
CLI – Enter the syslog server host IP address, choose the facility type and set the logging trap.
Console(config)#logging host 10.1.0.9
Console(config)#logging facility 23
Console(config)#logging trap 4
Console(config)#logging trap
Console(config)#exit
Console#show logging trap
Syslog logging: Enabled
REMOTELOG status: Disabled
REMOTELOG facility type: local use 7
REMOTELOG level type: Warning conditions
REMOTELOG server ip address: 10.1.0.9
REMOTELOG server ip address: 0.0.0.
CLI – This example shows the event messages stored in RAM.
Console#show log ram
[1] 00:01:30 2001-01-01
   "VLAN 1 link-up notification."
   level: 6, module: 5, function: 1, and event no.: 1
[0] 00:01:30 2001-01-01
   "Unit 1, Port 1 link-up notification."
   level: 6, module: 5, function: 1, and event no.
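The two CLI examples above set a remote logging trap level and show the RAM log format. The following added example (not from the SMC manual) parses entries in that format and works out which of them a given logging trap threshold would forward, and with which syslog PRI; the severity names for levels 5-7, the third log entry and the facility-to-PRI arithmetic are assumptions from standard syslog, not from the page.

```python
"""Added example (not from the SMC manual): parse 'show log ram' output and
decide which entries a 'logging trap N' threshold would forward to the remote
syslog host, computing the syslog PRI that the host would receive."""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Severity names from Table 4-1. Levels 5-7 are not shown on the page; the
# standard syslog names are assumed for them.
LEVEL_NAMES = {
    0: "Emergency", 1: "Alert", 2: "Critical", 3: "Error",
    4: "Warning", 5: "Notice", 6: "Informational", 7: "Debugging",
}

# One entry of the RAM log in the layout the manual's 'show log ram' output uses.
ENTRY_RE = re.compile(
    r'\[(?P<idx>\d+)\]\s+(?P<time>\d\d:\d\d:\d\d)\s+(?P<date>\d{4}-\d\d-\d\d)\s+'
    r'"(?P<msg>[^"]*)"\s+level:\s*(?P<level>\d+),\s*module:\s*(?P<module>\d+),'
    r'\s*function:\s*(?P<function>\d+),\s*and event no\.:\s*(?P<event>\d+)'
)


@dataclass
class LogEntry:
    index: int
    timestamp: str
    message: str
    level: int
    module: int
    function: int
    event: int


def parse_ram_log(text: str) -> List[LogEntry]:
    """Extract every entry matching the 'show log ram' layout; other text is ignored."""
    entries = []
    for m in ENTRY_RE.finditer(text):
        entries.append(LogEntry(
            index=int(m["idx"]),
            timestamp=f'{m["date"]} {m["time"]}',
            message=m["msg"],
            level=int(m["level"]),
            module=int(m["module"]),
            function=int(m["function"]),
            event=int(m["event"]),
        ))
    return entries


def syslog_pri(facility: int, level: int) -> int:
    """RFC 3164 priority value: facility * 8 + severity (0 is the most severe)."""
    if not 0 <= facility <= 23 or not 0 <= level <= 7:
        raise ValueError("facility must be 0-23 and level 0-7")
    return facility * 8 + level


def forwarded(entries: List[LogEntry], trap_level: int,
              facility: int = 23) -> List[Tuple[int, str, str]]:
    """Return (PRI, severity name, message) for entries the switch would send
    to the remote host: 'logging trap 4' forwards levels 0-4 (Warning and more
    severe), and 'logging facility 23' is local use 7, as the manual's output shows."""
    return [(syslog_pri(facility, e.level), LEVEL_NAMES[e.level], e.message)
            for e in entries if e.level <= trap_level]


# Constructed sample: the two link-up entries follow the manual's example; the
# Critical memory entry is made up to show one that crosses the threshold.
SAMPLE_LOG = '''\
[2] 00:05:12 2001-01-01 "Memory utilization rising threshold exceeded."
   level: 2, module: 3, function: 2, and event no.: 7
[1] 00:01:30 2001-01-01 "VLAN 1 link-up notification."
   level: 6, module: 5, function: 1, and event no.: 1
[0] 00:01:30 2001-01-01 "Unit 1, Port 1 link-up notification."
   level: 6, module: 5, function: 1, and event no.: 1
'''

if __name__ == "__main__":
    # With 'logging trap 4' only the Critical entry reaches the syslog host.
    for pri, name, msg in forwarded(parse_ram_log(SAMPLE_LOG), trap_level=4):
        print(f"<{pri}> {name}: {msg}")
```

Raising the trap level to 6 would also forward the two Informational link-up notifications, which is how a collector ends up seeing every port flap.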
CONFIGURING EVENT LOGGING Web – Click System, Log, SMTP. Enable SMTP, specify a source email address, and select the minimum severity level. To add an IP address to the SMTP Server List, type the new IP address in the SMTP Server field and click Add. To delete an IP address, click the entry in the SMTP Server List and click Remove. Specify up to five email addresses to receive the alert messages, and click Apply.
CLI – Enter the IP address of at least one SMTP server, set the syslog severity level to trigger an email message, and specify the switch (source) and up to five recipient (destination) email addresses. Enable SMTP with the logging sendmail command to complete the configuration. Use the show logging sendmail command to display the current SMTP configuration.
Console(config)#logging sendmail host 192.168.1.
CLI – Use the reload command to restart the switch.
Console#reload                                   19-5
System will be restarted, continue ?
Note: When restarting the system, it will always run the Power-On Self-Test.
Setting the System Clock
Simple Network Time Protocol (SNTP) allows the switch to set its internal clock based on periodic updates from a time server (SNTP or NTP). Maintaining an accurate time on the switch enables the system log to record meaningful dates and times for event entries.
• SNTP Server – Sets the IP address for up to three time servers. The switch attempts to update the time from the first server; if this fails, it attempts an update from the next server in the sequence.
Web – Select SNTP, Configuration. Modify any of the required parameters, and click Apply.
Figure 4-20 SNTP Configuration
CLI – This example configures the switch to operate as an SNTP client and then displays the current time and settings.
Setting the Time Zone
SNTP uses Coordinated Universal Time (or UTC, formerly Greenwich Mean Time, or GMT) based on the time at the Earth’s prime meridian, zero degrees longitude. To display a time corresponding to your local time, you must indicate the number of hours and minutes your time zone is east (before) or west (after) of UTC.
Command Attributes
• Current Time – Displays the current time.
• Name – Assigns a name to the time zone.
CHAPTER 5 SIMPLE NETWORK MANAGEMENT PROTOCOL Simple Network Management Protocol (SNMP) is a communication protocol designed specifically for managing devices on a network. Equipment commonly managed with SNMP includes switches, routers and host computers. SNMP is typically used to configure these devices for proper operation in a network environment, as well as to monitor them to evaluate performance or detect potential problems.
Access to the switch from clients using SNMPv3 provides additional security features that cover message integrity, authentication, and encryption, as well as controlling user access to specific areas of the MIB tree. The SNMPv3 security structure consists of security models, with each model having its own security levels. There are three security models defined: SNMPv1, SNMPv2c, and SNMPv3.
Table 5-1 SNMPv3 Security Models and Levels (Continued)
Model – Level – Group – Read View – Write View – Notify View – Security
v3 – AuthNoPriv – user defined – user defined – user defined – user defined – Provides user authentication via MD5 or SHA algorithms
v3 – AuthPriv – user defined – user defined – user defined – user defined – Provides user authentication via MD5 or SHA algorithms and data privacy using DES 56-bit encryption
Note: The predefined default groups and view can be deleted from the system.
SIMPLE NETWORK MANAGEMENT PROTOCOL Enabling the SNMP Agent Enables SNMPv3 service for all management clients (i.e., versions 1, 2c, 3). Command Attributes SNMP Agent Status – Enables SNMP on the switch. Web – Click SNMP, Agent Status. Enable the SNMP Agent by marking the Enabled checkbox, and click Apply. Figure 5-1 Enabling the SNMP Agent CLI – The following example enables SNMP on the switch.
• Community String – A community string that acts like a password and permits access to the SNMP protocol. Default strings: “public” (read-only access), “private” (read/write access). Range: 1-32 characters, case sensitive
• Access Mode – Specifies the access rights for the community string:
- Read-Only – Authorized management stations are only able to retrieve MIB objects.
- Read/Write – Authorized management stations are able to both retrieve and modify MIB objects.
SIMPLE NETWORK MANAGEMENT PROTOCOL Specifying Trap Managers and Trap Types Traps indicating status changes are issued by the switch to specified trap managers. You must specify trap managers so that key events are reported by this switch to your management station (using network management platforms such as HP OpenView). You can specify up to five management stations that will receive authentication failure messages and other trap messages from the switch.
SPECIFYING TRAP MANAGERS AND TRAP TYPES To send an inform to a SNMPv3 host, complete these steps: 1. Enable the SNMP agent (page 5-4). 2. Enable trap informs as described in the following pages. 3. Create a view with the required notification messages (page 5-24). 4. Create a group that includes the required notify view (page 5-18). 5. Specify a remote engine ID where the user resides (page 5-11). 6. Then configure a remote user (page 5-15).
SIMPLE NETWORK MANAGEMENT PROTOCOL • Trap Inform – Notifications are sent as inform messages. Note that this option is only available for version 2c and 3 hosts. (Default: traps are used) - Timeout – The number of seconds to wait for an acknowledgment before resending an inform message. (Range: 0-2147483647 centiseconds; Default: 1500 centiseconds) - Retry times – The maximum number of times to resend an inform message if the recipient does not acknowledge receipt.
SPECIFYING TRAP MANAGERS AND TRAP TYPES Web – Click SNMP, Configuration. Enter the IP address and community string for each management station that will receive trap messages, specify the UDP port, SNMP trap version, trap security level (for v3 clients), trap inform settings (for v2c/v3 clients), and then click Add. Select the trap types required using the check boxes for Authentication and Link-up/ down traps, and then click Apply.
SIMPLE NETWORK MANAGEMENT PROTOCOL Configuring SNMPv3 Management Access To configure SNMPv3 management access to the switch, follow these steps: 1. If you want to change the default engine ID, do so before configuring other SNMP parameters. 2. Specify read and write access views for the switch MIB tree. 3. Configure SNMP user groups with the required security model (i.e., SNMP v1, v2c or v3) and security level (i.e., authentication and privacy). 4.
CONFIGURING SNMPV3 MANAGEMENT ACCESS Web – Click SNMP, SNMPv3, Engine ID. Enter an ID of up to 26 hexadecimal characters and then click Save. Figure 5-4 Setting the SNMPv3 Engine ID CLI – This example sets an SNMPv3 engine ID.
Web – Click SNMP, SNMPv3, Remote Engine ID. Enter an ID of up to 26 hexadecimal characters and then click Save.
Figure 5-5 Setting an Engine ID
CLI – This example specifies a remote SNMPv3 engine ID.
Console(config)#snmp-server engine-id remote 54321 192.168.1.19      21-10
Console(config)#exit
Console#show snmp engine-id                                          21-12
Local SNMP engineID: 8000002a8000000000e8666672
Local SNMP engineBoots: 1
Remote SNMP engineID                 IP address
80000000030004e2b316c54321           192.
- AuthPriv – SNMP communications use both authentication and encryption (only available for the SNMPv3 security model).
• Authentication Protocol – The method used for user authentication. (Options: MD5, SHA; Default: MD5)
• Authentication Password – A minimum of eight plain text characters is required.
• Privacy Protocol – The encryption algorithm used for data privacy; only 56-bit DES is currently available.
SIMPLE NETWORK MANAGEMENT PROTOCOL Web – Click SNMP, SNMPv3, Users. Click New to configure a user name. In the New User page, define a name and assign it to a group, then click Add to save the configuration and return to the User Name list. To delete a user, check the box next to the user name, then click Delete. To change the assigned group of a user, click Change Group in the Actions column of the users table and select the new group.
CONFIGURING SNMPV3 MANAGEMENT ACCESS CLI – Use the snmp-server user command to configure a new user name and assign it to a group.
SIMPLE NETWORK MANAGEMENT PROTOCOL • Security Model – The user security model; SNMP v1, v2c or v3. (Default: v1) • Security Level – The security level used for the user: - noAuthNoPriv – There is no authentication or encryption used in SNMP communications. (This is the default for SNMPv3.) - AuthNoPriv – SNMP communications use authentication, but the data is not encrypted (only available for the SNMPv3 security model).
CONFIGURING SNMPV3 MANAGEMENT ACCESS Web – Click SNMP, SNMPv3, Remote Users. Click New to configure a user name. In the New User page, define a name and assign it to a group, then click Add to save the configuration and return to the User Name list. To delete a user, check the box next to the user name, then click Delete.
CLI – Use the snmp-server user command to configure a new user name and assign it to a group.
Console(config)#snmp-server user mark group r&d remote 192.168.1.19 v3 auth md5 greenpeace priv des56 einstien      21-18
Console(config)#exit
Console#show snmp user                                               21-20
No user exist.
• Notify View – The configured view for notifications. (Range: 1-64 characters)
Table 5-2 Supported Notification Messages
Object Label – Object ID – Description
newRoot – 1.3.6.1.2.1.17.0.1 – The newRoot trap indicates that the sending agent has become the new root of the Spanning Tree; the trap is sent by a bridge soon after its election as the new root, e.g., upon expiration of the Topology Change Timer immediately subsequent to its election.
topologyChange – 1.3.6.1.2.1.
Table 5-2 Supported Notification Messages (Continued)
Object Label – Object ID – Description
linkDown* – 1.3.6.1.6.3.1.1.5.3 – A linkDown trap signifies that the SNMP entity, acting in an agent role, has detected that the ifOperStatus object for one of its communication links is about to enter the down state from some other state (but not from the notPresent state). This other state is indicated by the included value of ifOperStatus.
linkUp* – 1.3.6.1.6.3.1.1.5.
Table 5-2 Supported Notification Messages (Continued)
Object Label – Object ID – Description
risingAlarm – 1.3.6.1.2.1.16.0.1 – The SNMP trap that is generated when an alarm entry crosses its rising threshold and generates an event that is configured for sending SNMP traps.
fallingAlarm – 1.3.6.1.2.1.16.0.2 – The SNMP trap that is generated when an alarm entry crosses its falling threshold and generates an event that is configured for sending SNMP traps.
Table 5-2 Supported Notification Messages (Continued)
Object Label – Object ID – Description
swThermalRisingNotification – 1.3.6.1.4.1.202.40.2.6.2.1.0.58 – This trap is sent when the temperature exceeds the switchThermalActionRisingThreshold.
swThermalFallingNotification – 1.3.6.1.4.1.202.40.2.6.2.1.0.59 – This trap is sent when the temperature falls below the switchThermalActionFallingThreshold.
swModuleInsertionNotificaiton – 1.3.6.1.4.1.202.40.2.6.2.1.0.
CONFIGURING SNMPV3 MANAGEMENT ACCESS Web – Click SNMP, SNMPv3, Groups. Click New to configure a new group. In the New Group page, define a name, assign a security model and level, and then select read, write, and notify views. Click Add to save the new group and return to the Groups list. To delete a group, check the box next to the group name, then click Delete.
CLI – Use the snmp-server group command to configure a new group, specifying the security model and level, and restricting MIB access to defined read and write views.
Console(config)#snmp-server group secure-users v3 priv read defaultview write defaultview notify defaultview
Console(config)#exit
Console#show snmp group
. . .
CONFIGURING SNMPV3 MANAGEMENT ACCESS Web – Click SNMP, SNMPv3, Views. Click New to configure a new view. In the New View page, define a name and specify OID subtrees in the switch MIB to be included or excluded in the view. Click Back to save the new view and return to the SNMPv3 Views list. For a specific view, click on View OID Subtrees to display the current configuration, or click on Edit OID Subtrees to make changes to the view settings.
CLI – Use the snmp-server view command to configure a new view. This example view includes the MIB-2 interfaces table, and the wildcard mask selects all index entries.
Console(config)#snmp-server view ifEntry.a 1.3.6.1.2.1.2.2.1.1.* included      21-13
Console(config)#exit
Console#show snmp view                                                         21-14
View Name: ifEntry.a
Subtree OID: 1.3.6.1.2.1.2.2.1.1.*
View Type: included
Storage Type: nonvolatile
Row Status: active
View Name: readaccess
Subtree OID: 1.3.6.1.
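The SNMPv3 procedure above (engine ID, then views, groups and users) carries several constraints spread over the preceding pages: an engine ID of up to 26 hexadecimal characters, an authentication password of at least eight characters, MD5 or SHA for authentication, DES-56 only for privacy, and authentication or privacy only with the v3 model. The following added example (not code from the SMC manual) checks a configuration against those constraints, flags groups that grant write access below v3 AuthPriv, and emits the CLI lines in the prescribed order; the Python data classes, the `snmp-server engine-id local` form and the constructed `monitors` group are assumptions, while the view, group and user values are recombined from the manual's own examples.

```python
"""Added example (not from the SMC manual): check an SNMPv3 access configuration
against the limits the manual states and emit the CLI lines in the order it
prescribes (engine ID, then views, groups and users)."""
import re
from dataclasses import dataclass, field
from typing import List

HEX_RE = re.compile(r"^[0-9A-Fa-f]{1,26}$")      # engine ID: up to 26 hex characters
OID_RE = re.compile(r"^\d+(\.\d+)*(\.\*)?$")      # dotted OID, optional trailing wildcard
# Security levels each model may use; only v3 offers authentication or privacy.
LEVELS = {"v1": {"noauth"}, "v2c": {"noauth"}, "v3": {"noauth", "auth", "priv"}}


@dataclass
class View:
    name: str
    subtree: str
    included: bool = True


@dataclass
class Group:
    name: str
    model: str          # v1, v2c or v3
    level: str          # noauth, auth or priv
    read: str = ""
    write: str = ""
    notify: str = ""


@dataclass
class User:
    name: str
    group: str
    auth_proto: str = "md5"     # MD5 or SHA
    auth_password: str = ""     # at least eight characters when set
    priv_password: str = ""     # DES-56 is the only privacy algorithm offered


@dataclass
class Snmpv3Config:
    engine_id: str = ""
    views: List[View] = field(default_factory=list)
    groups: List[Group] = field(default_factory=list)
    users: List[User] = field(default_factory=list)


def validate(cfg: Snmpv3Config) -> List[str]:
    """Return the constraint violations found; an empty list means the config is consistent."""
    errors = []
    if cfg.engine_id and not HEX_RE.match(cfg.engine_id):
        errors.append("engine ID must be 1-26 hexadecimal characters")
    view_names = {v.name for v in cfg.views} | {"defaultview"}   # predefined view
    for v in cfg.views:
        if not 1 <= len(v.name) <= 64:
            errors.append(f"view {v.name!r}: name must be 1-64 characters")
        if not OID_RE.match(v.subtree):
            errors.append(f"view {v.name!r}: malformed OID subtree {v.subtree!r}")
    group_names = {g.name for g in cfg.groups}
    for g in cfg.groups:
        if g.level not in LEVELS.get(g.model, set()):
            errors.append(f"group {g.name!r}: level {g.level!r} is not valid for {g.model!r}")
        for role, view in (("read", g.read), ("write", g.write), ("notify", g.notify)):
            if view and view not in view_names:
                errors.append(f"group {g.name!r}: {role} view {view!r} is not defined")
    for u in cfg.users:
        if u.group not in group_names:
            errors.append(f"user {u.name!r}: group {u.group!r} is not defined")
        if u.auth_proto.lower() not in ("md5", "sha"):
            errors.append(f"user {u.name!r}: authentication protocol must be MD5 or SHA")
        if u.auth_password and len(u.auth_password) < 8:
            errors.append(f"user {u.name!r}: authentication password needs at least 8 characters")
        if u.priv_password and not u.auth_password:
            errors.append(f"user {u.name!r}: privacy requires an authentication password")
    return errors


def weak_points(cfg: Snmpv3Config) -> List[str]:
    """Groups granting write access below v3 AuthPriv: valid, but their set
    requests travel unauthenticated or unencrypted."""
    return [f"group {g.name!r}: write access at {g.model}/{g.level}"
            for g in cfg.groups if g.write and not (g.model == "v3" and g.level == "priv")]


def to_cli(cfg: Snmpv3Config) -> List[str]:
    """CLI lines in the manual's order; the 'engine-id local' form is assumed."""
    errors = validate(cfg)
    if errors:
        raise ValueError("; ".join(errors))
    lines = []
    if cfg.engine_id:
        lines.append(f"snmp-server engine-id local {cfg.engine_id}")
    for v in cfg.views:
        lines.append(f"snmp-server view {v.name} {v.subtree} "
                     f"{'included' if v.included else 'excluded'}")
    for g in cfg.groups:
        parts = [f"snmp-server group {g.name} {g.model} {g.level}"]
        parts += [f"{role} {view}" for role, view in
                  (("read", g.read), ("write", g.write), ("notify", g.notify)) if view]
        lines.append(" ".join(parts))
    models = {g.name: g.model for g in cfg.groups}
    for u in cfg.users:
        parts = [f"snmp-server user {u.name} group {u.group} {models[u.group]}"]
        if u.auth_password:
            parts.append(f"auth {u.auth_proto.lower()} {u.auth_password}")
        if u.priv_password:
            parts.append(f"priv des56 {u.priv_password}")
        lines.append(" ".join(parts))
    return lines


def sample_config() -> Snmpv3Config:
    """Values recombined from the manual's examples; the v2c 'monitors' group is constructed."""
    return Snmpv3Config(
        engine_id="8000002a8000000000e8666672",
        views=[View("ifEntry.a", "1.3.6.1.2.1.2.2.1.1.*")],
        groups=[Group("secure-users", "v3", "priv", "defaultview", "defaultview", "defaultview"),
                Group("monitors", "v2c", "noauth", read="ifEntry.a", write="ifEntry.a")],
        users=[User("mark", "secure-users", "md5", "greenpeace", "einstien")],
    )
```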
CHAPTER 6 USER AUTHENTICATION
You can configure this switch to authenticate users logging into the system for management access using local or remote authentication methods. Port-based authentication using IEEE 802.1X can also be configured to control either management access to the uplink ports or client access to the data ports. This switch provides secure network management access using the following options:
• User Accounts – Manually configure management access rights for users.
The default guest name is “guest” with the password “guest.” The default administrator name is “admin” with the password “admin.”
Command Attributes
• Account List – Displays the current list of user accounts and associated access levels. (Defaults: admin, and guest)
• New Account – Displays configuration settings for a new account.
- User Name – The name of the user. (Maximum length: 8 characters; maximum number of users: 16)
- Access Level – Specifies the user level.
CLI – Assign a user name to access-level 15 (i.e., administrator), then specify the password.
Console(config)#username bob access-level 15      22-2
Console(config)#username bob password 0 smith
Console(config)#
Configuring Local/Remote Logon Authentication
Use the Authentication Settings menu to restrict management access based on specified user names and passwords.
USER AUTHENTICATION Command Usage • By default, management access is always checked against the authentication database stored on the local switch. If a remote authentication server is used, you must specify the authentication sequence and the corresponding parameters for the remote authentication protocol. Local and remote logon authentication control management access via the console port, web browser, or Telnet.
  - Server Index – Specifies one of five RADIUS servers that may be configured. The switch attempts authentication using the listed sequence of servers. The process ends when a server either approves or denies access to a user.
  - Server IP Address – Address of authentication server. (Default: 10.1.0.1)
  - Server Port Number – Network (UDP) port of authentication server used for authentication messages.
Web – Click Security, Authentication Settings. To configure local or remote authentication preferences, specify the authentication sequence (i.e., one to three methods), fill in the parameters for RADIUS or TACACS+ authentication if selected, and click Apply.

Figure 6-2 Authentication Server Settings

CLI – Specify all the required parameters to enable logon authentication.
  Server 1:
   Server IP address: 192.168.1.25
   Communication key with RADIUS server: *****
   Server port number: 181
   Retransmit times: 5
   Request timeout: 10
  Console#config
  Console(config)#authentication login tacacs
  Console(config)#tacacs-server host 10.20.30.40
  Console(config)#tacacs-server port 200
  Console(config)#tacacs-server key green
  Console(config)#exit
  Console#show tacacs-server
  Server IP address: 10.20.30.
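The sequence semantics above (one to three methods tried in order, up to five RADIUS servers tried by index, the process ending as soon as a server approves or denies) decide whether an administrator can still log in when the RADIUS server is down. The following Python model is an added example written for this guide, not switch firmware or SMC code; it encodes the rules stated on this page and labels two assumptions: a server that never answers within its retransmit budget is skipped (next server, then next method), and a sequence that runs out of methods without any decision denies the login. Server addresses, the shared keys and the user database are constructed. The keys shown in the CLI example ("green") are placeholders; in production the RADIUS/TACACS+ secret should be long and random, since it protects every credential exchanged with the server.

```python
"""Added example: simulate the switch's logon authentication sequence (not switch code)."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# A server reply: True = accept, False = reject, None = no reply within the timeout.
Reply = Optional[bool]
Responder = Callable[[str, str], Reply]


@dataclass
class RadiusServer:
    address: str
    key: str            # shared secret (placeholder values below)
    respond: Responder  # constructed stand-in for the real server


@dataclass
class AuthConfig:
    login_sequence: List[str]                      # e.g. ["radius", "local"]
    local_users: Dict[str, str] = field(default_factory=dict)
    radius_servers: List[RadiusServer] = field(default_factory=list)
    retransmit: int = 2                            # attempts per server
    tacacs: Optional[Responder] = None


def _try_radius(cfg: AuthConfig, user: str, password: str, trace: List[str]) -> Reply:
    """Walk the server list in index order; the first accept or reject ends the process."""
    for idx, srv in enumerate(cfg.radius_servers[:5], start=1):
        for _ in range(cfg.retransmit):
            reply = srv.respond(user, password)
            if reply is not None:
                trace.append(f"radius server {idx} ({srv.address}): {'accept' if reply else 'reject'}")
                return reply
        # Assumption: an unreachable server is skipped rather than treated as a denial.
        trace.append(f"radius server {idx} ({srv.address}): no reply after {cfg.retransmit} attempts")
    return None


def authenticate(cfg: AuthConfig, user: str, password: str, trace: Optional[List[str]] = None) -> bool:
    """Return True if the login is accepted; `trace` collects the decision path."""
    trace = trace if trace is not None else []
    if not 1 <= len(cfg.login_sequence) <= 3:
        raise ValueError("the authentication sequence holds one to three methods")
    for method in cfg.login_sequence:
        if method == "local":
            # The local database always answers: unknown user or wrong password is a denial.
            reply: Reply = cfg.local_users.get(user) == password
            trace.append(f"local: {'accept' if reply else 'reject'}")
        elif method == "radius":
            reply = _try_radius(cfg, user, password, trace)
        elif method == "tacacs":
            reply = cfg.tacacs(user, password) if cfg.tacacs else None
            trace.append(f"tacacs: {'no reply' if reply is None else ('accept' if reply else 'reject')}")
        else:
            raise ValueError(f"unknown method {method!r}")
        if reply is not None:
            return reply
    trace.append("no method answered; access denied")   # assumption, see lead-in
    return False


def demo_configs() -> Dict[str, AuthConfig]:
    """Constructed configurations that exercise the model."""
    dead = RadiusServer("192.168.1.25", "placeholder-key", lambda u, p: None)
    strict = RadiusServer("192.168.1.26", "placeholder-key", lambda u, p: u == "bob" and p == "smith")
    local = {"admin": "admin", "bob": "smith"}
    return {
        # RADIUS first, local as fallback: survives an unreachable server.
        "radius_then_local": AuthConfig(["radius", "local"], local, [dead]),
        # RADIUS only: an unreachable server locks every administrator out.
        "radius_only": AuthConfig(["radius"], local, [dead]),
        # A reject from the server ends the process; local is never consulted.
        "strict_first": AuthConfig(["radius", "local"], local, [strict]),
        # Server index order: server 2 decides after server 1 times out.
        "second_server_decides": AuthConfig(["radius", "local"], local, [dead, strict]),
    }
```

The "radius_only" configuration is the lockout case a practitioner checks for before leaving the console: list local as the last method unless an out-of-band console is always available.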
• The following web browsers and operating systems currently support HTTPS:

Table 6-1 HTTPS System Support
  Web Browser                       Operating System
  Internet Explorer 5.0 or later    Windows 98, Windows NT (with service pack 6a), Windows 2000, Windows XP
  Netscape Navigator 6.2 or later   Windows 98, Windows NT (with service pack 6a), Windows 2000, Windows XP, Solaris 2.6

• To specify a secure-site certificate, see “Replacing the Default Secure-site Certificate” on page 6-9.
Replacing the Default Secure-site Certificate

When you log onto the web interface using HTTPS (for secure access), a Secure Sockets Layer (SSL) certificate appears for the switch. By default, the certificate that Netscape and Internet Explorer display will be associated with a warning that the site is not recognized as a secure site. This is because the certificate has not been signed by an approved certification authority. Until a certificate signed by an authority your browsers trust is installed, that warning is the only thing distinguishing the switch from an interposed host presenting its own self-signed certificate, so operators should not be trained to click through it.
Configuring the Secure Shell

The Berkeley standard includes remote access tools originally designed for Unix systems. Some of these tools have also been implemented for Microsoft Windows and other environments. These tools, including commands such as rlogin (remote login), rsh (remote shell), and rcp (remote copy), are not secure from hostile attacks. The Secure Shell (SSH) includes server/client applications intended as a secure replacement for the older Berkeley remote access tools.
To use the SSH server, complete these steps:
1. Generate a Host Key Pair – On the SSH Host Key Settings page, create a host public/private key pair.
2. Provide Host Public Key to Clients – Many SSH client programs automatically import the host public key during the initial connection setup with the switch. Otherwise, you need to manually create a known hosts file on the management station and place the host public key in it.
6. Authentication – One of the following authentication methods is employed:

Password Authentication (for SSH v1.5 or v2 Clients)
a. The client sends its password to the server.
b. The switch compares the client's password to those stored in memory.
c. If a match is found, the connection is allowed.

Note: To use SSH with only password authentication, the host public key must still be given to the client, either during initial connection or manually entered into the known hosts file. That key is what lets the client confirm it is talking to the switch before it sends the password; if the key is accepted on first connection, verify its fingerprint out of band, otherwise the password can be captured by whatever host answered first.
Authenticating SSH v2 Clients
a. The client first queries the switch to determine if DSA public key authentication using a preferred algorithm is acceptable.
b. If the specified algorithm is supported by the switch, it notifies the client to proceed with the authentication process. Otherwise, it rejects the request.
c. The client sends a signature generated using the private key to the switch.
d.
• Host-Key Type – The key type used to generate the host key pair (i.e., public and private keys). (Options: RSA, DSA, Both; Default: Both)

The SSH server uses RSA or DSA for key exchange when the client first establishes a connection with the switch, and then negotiates with the client to select either DES (56-bit) or 3DES (168-bit) for data encryption. A 56-bit DES key can be recovered by exhaustive search with modest resources, so configure clients to offer 3DES rather than DES.

Note: The switch uses only RSA Version 1 for SSHv1.5 clients and DSA Version 2 for SSHv2 clients. SSH protocol version 1 has known design weaknesses; use SSHv2 clients wherever possible.
Web – Click Security, SSH, Host-Key Settings. Select the host-key type from the drop-down box, select the option to save the host key from memory to flash (if required) prior to generating the key, and then click Generate.

CLI – This example generates a host-key pair using both the RSA and DSA algorithms, stores the keys to flash memory, and then displays the host’s public keys.
• SSH Authentication Retries – Specifies the number of authentication attempts that a client is allowed before authentication fails and the client has to restart the authentication process. (Range: 1-5 times; Default: 3)
• SSH Server-Key Size – Specifies the SSH server key size. (Range: 512-896 bits; Default: 768)
  - The server key is a private key that is never shared outside the switch.
  - The host key is shared with the SSH client, and is fixed at 1024 bits.
  These key sizes are hardware limits of this switch and are below current recommendations for RSA/DSA keys; treat the SSH service as protected mainly by the management-access IP filter and by keeping it off untrusted networks.
CLI – This example enables SSH, sets the authentication parameters, and displays the current configuration. It shows that the administrator has made a connection via SSH, and then disables this connection.

  Console(config)#ip ssh server
  Console(config)#ip ssh timeout 100
  Console(config)#ip ssh authentication-retries 5
  Console(config)#ip ssh server-key size 512
  Console(config)#end
  Console#show ip ssh
  SSH Enabled - version 2.
Configuring 802.1X Port Authentication

Network switches can provide open and easy access to network resources by simply attaching a client PC. Although this automatic configuration and access is a desirable feature, it also allows unauthorized personnel to easily intrude and possibly gain access to sensitive network data. The IEEE 802.
releases. The client responds to the appropriate method with its credentials, such as a password or certificate. The RADIUS server verifies the client credentials and responds with an accept or reject packet. If authentication is successful, the switch allows the client to access the network. Otherwise, network access is denied and the port remains blocked.

The operation of dot1x on the switch requires the following:
• The switch must have an IP address assigned.
Displaying 802.1X Global Settings

The 802.1X protocol provides port authentication.

Command Attributes
802.1X System Authentication Control – The global setting for 802.1X.

Web – Click Security, 802.1X, Information.

Figure 6-6 802.1X Global Information

CLI – This example shows the default global setting for 802.1X.

  Console#show dot1x
  Global 802.1X Parameters
   system-auth-control: enable

  802.1X Port Summary
  Port Name   Status
  1/1         disabled
  1/2         disabled
  . . .
  802.
Configuring 802.1X Global Settings

The 802.1X protocol provides port authentication. The 802.1X protocol must be enabled globally for the switch system before port settings are active.

Command Attributes
802.1X System Authentication Control – Sets the global setting for 802.1X. (Default: Disabled)

Web – Select Security, 802.1X, Configuration. Enable 802.1X globally for the switch, and click Apply.

Figure 6-7 802.1X Global Configuration

CLI – This example enables 802.
Configuring Port Settings for 802.1X

When 802.1X is enabled, you need to configure the parameters for the authentication process that runs between the client and the switch (i.e., authenticator), as well as the client identity lookup process that runs between the switch and authentication server. These parameters are described in this section.

Command Attributes
• Status – Indicates if authentication is enabled or disabled on the port.
• Re-authentication Period – Sets the time period after which a connected client must be re-authenticated. (Range: 1-65535 seconds; Default: 3600 seconds)
• TX Period – Sets the time period during an authentication session that the switch waits before re-transmitting an EAP packet. (Range: 1-65535; Default: 30 seconds)
• Authorized –
  - Yes – Connected client is authorized.
  - No – Connected client is not authorized.
  - Blank – Displays nothing when dot1x is disabled on a port.
CLI – This example sets the 802.1X parameters on port 2. For a description of the additional fields displayed in this example, see “show dot1x” on page 22-41.
  Reauthentication State Machine
   State          Initialize
  . . . .
  802.1X is disabled on port 1/19
  Console#

Displaying 802.1X Statistics

This switch can display statistics for dot1x protocol exchanges for any port.

Table 6-2 802.1X Statistics
  Parameter          Description
  Rx EAPOL Start     The number of EAPOL Start frames that have been received by this Authenticator.
  Rx EAPOL Logoff    The number of EAPOL Logoff frames that have been received by this Authenticator.
Table 6-2 802.1X Statistics (Continued)
  Parameter          Description
  Tx EAP Req/Id      The number of EAP Req/Id frames that have been transmitted by this Authenticator.
  Tx EAP Req/Oth     The number of EAP Request frames (other than Rq/Id frames) that have been transmitted by this Authenticator.

Web – Select Security, 802.1X, Statistics. Select the required port and then click Query. Click Refresh to update the statistics.

Figure 6-9 802.
Filtering IP Addresses for Management Access

You can create a list of up to 16 IP addresses or IP address groups that are allowed management access to the switch through the web interface, SNMP, or Telnet.

Command Usage
• The management interfaces are open to all IP addresses by default. Once you add an entry to a filter list, access to that interface is restricted to the specified addresses.
Web – Click Security, IP Filter. Enter the IP addresses or range of addresses that are allowed management access to an interface, and click Add IP Filtering Entry.

Figure 6-10 IP Filter

CLI – This example restricts management access for Telnet clients.

  Console(config)#management telnet-client 192.168.1.19
  Console(config)#management telnet-client 192.168.1.25 192.168.1.
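The rule that matters operationally is the one in Command Usage: an interface is open to everyone until its first filter entry exists, and from then on only listed addresses get in, so the first entry you add from a remote session must include the station you are sitting at. The following Python model is an added example for this guide, not switch code; it implements that open-until-filtered behaviour per interface, the 16-entry limit, inclusive address ranges, and a pre-apply lockout check. Assumptions: the 16-entry limit is enforced per interface list, and because the page's second CLI line is cut off the range end 192.168.1.30 is constructed.

```python
"""Added example: model of the management-access IP filter (not switch code)."""
from ipaddress import IPv4Address
from typing import Dict, List, Optional, Tuple

INTERFACES = ("web", "snmp", "telnet")
MAX_ENTRIES = 16   # assumption: limit applied per interface list


class ManagementFilter:
    def __init__(self) -> None:
        self._lists: Dict[str, List[Tuple[IPv4Address, IPv4Address]]] = {i: [] for i in INTERFACES}

    def add(self, interface: str, start: str, end: Optional[str] = None) -> None:
        """Equivalent of `management <interface>-client <start> [<end>]`."""
        if interface not in self._lists:
            raise ValueError(f"unknown management interface {interface!r}")
        lo, hi = IPv4Address(start), IPv4Address(end or start)
        if hi < lo:
            raise ValueError("range end precedes range start")
        entries = self._lists[interface]
        if len(entries) >= MAX_ENTRIES:
            raise ValueError(f"{interface} filter list already holds {MAX_ENTRIES} entries")
        entries.append((lo, hi))

    def allows(self, interface: str, client: str) -> bool:
        """Empty list: interface open to all. Otherwise the client must fall in a listed range."""
        entries = self._lists[interface]
        if not entries:
            return True
        ip = IPv4Address(client)
        return any(lo <= ip <= hi for lo, hi in entries)

    def would_lock_out(self, interface: str, station: str) -> bool:
        """True if the station you are configuring from would lose access to `interface`.
        Check this before applying a Telnet or web filter from a remote session."""
        return not self.allows(interface, station)


def page_example() -> ManagementFilter:
    """The page's Telnet example; the range end is constructed."""
    f = ManagementFilter()
    f.add("telnet", "192.168.1.19")
    f.add("telnet", "192.168.1.25", "192.168.1.30")
    return f
```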
CHAPTER 7 CLIENT SECURITY

This switch supports many methods of segregating traffic for clients attached to each of the data ports, and for ensuring that only authorized clients gain access to the network. Private VLANs and port-based authentication using IEEE 802.1X are commonly used for these purposes. In addition to these methods, several other options of providing client security are supported by this switch.
This switch provides client security using the following options:
• Private VLANs – Provide port-based security and isolation between ports within the assigned VLAN. (See “Configuring Private VLANs” on page 13-18.)
• 802.1X – Use IEEE 802.1X port authentication to control access to specific ports. (See “Configuring 802.1X Port Authentication” on page 6-19.)
• Port Security – Configure secure addresses for individual ports.
Configuring Port Security

To use port security, specify a maximum number of addresses to allow on the port and then let the switch dynamically learn the source MAC addresses of frames received on the port. Note that you can also manually add secure addresses to the port using the Static Address Table (page 11-1). When the port has reached the maximum number of MAC addresses the selected port will stop learning. The MAC addresses already in the address table will be retained and will not age out.
• Max MAC Count – The maximum number of MAC addresses that can be learned on a port. (Range: 0 - 1024, where 0 means disabled)
• Trunk – Trunk number if port is a member (page 9-9 and 9-11).

Web – Click Security, Port Security. Set the action to take when an invalid address is detected on a port, mark the checkbox in the Status column to enable security for a port, set the maximum number of MAC addresses allowed on a port, and click Apply.
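The learning behaviour described above (learn until Max MAC Count, then stop; retained addresses never age out; 0 disables the feature; an action on an unknown address once the table is full) is easy to get wrong when planning how many devices sit behind a CPE. The following Python model is an added example for this guide, not switch code. This excerpt does not list the available violation actions, so the three modelled (drop the frame, drop and record a trap, shut the port down) are assumptions, as are the MAC addresses used.

```python
"""Added example: a port-security learner with the page's semantics (not switch code)."""
from typing import List, Set


class SecurePort:
    ACTIONS = ("none", "trap", "shutdown")   # assumed action names

    def __init__(self, port: int, max_mac: int, action: str = "none") -> None:
        if not 0 <= max_mac <= 1024:
            raise ValueError("Max MAC Count is 0-1024 (0 disables port security)")
        if action not in self.ACTIONS:
            raise ValueError(f"unknown action {action!r}")
        self.port, self.max_mac, self.action = port, max_mac, action
        self.secure: Set[str] = set()      # learned plus manually added addresses; never aged
        self.static: Set[str] = set()
        self.shutdown = False
        self.traps: List[str] = []

    @property
    def enabled(self) -> bool:
        return self.max_mac > 0

    def add_static(self, mac: str) -> None:
        """Manual secure address (Static Address Table); counts toward the maximum."""
        if self.enabled and mac not in self.secure and len(self.secure) >= self.max_mac:
            raise ValueError("port already holds Max MAC Count addresses")
        self.secure.add(mac)
        self.static.add(mac)

    def receive(self, src_mac: str) -> str:
        """Return 'forward' or 'drop' for a frame arriving with source address src_mac."""
        if self.shutdown:
            return "drop"
        if not self.enabled or src_mac in self.secure:
            return "forward"
        if len(self.secure) < self.max_mac:
            self.secure.add(src_mac)       # learned; retained and not aged out
            return "forward"
        return self._violation(src_mac)    # table full: learning has stopped

    def _violation(self, mac: str) -> str:
        if self.action == "trap":
            self.traps.append(f"port {self.port}: unauthorised address {mac}")
        elif self.action == "shutdown":
            self.shutdown = True           # every later frame is dropped until re-enabled
        return "drop"
```

With action "shutdown", a single unexpected device (a visitor's laptop plugged into the customer's hub) takes the port down for the legitimate devices too; "trap" keeps service up for the learned addresses and still surfaces the event.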
Configuring IP Source Guard

IP Source Guard is a security feature that filters IP traffic on unsecure network interfaces based on static entries configured in the IP Source Guard table, or dynamic entries in the DHCP Snooping table.

Command Usage
• Source guard is used to filter traffic on an unsecure port which receives messages from outside the network or firewall, and therefore may be subject to spoofing attacks in which a host sends traffic using the IP address of a neighbor.
• If IP source guard is enabled, an inbound packet’s IP address (sip option) or both its IP address and corresponding MAC address (sip-mac option) will be checked against the binding table. If no matching entry is found, the packet will be dropped.
• Filtering rules are implemented as follows:
  - If DHCP snooping is disabled (see page 21-13), IP source guard will check the VLAN ID, source IP address, port number, and source MAC address (for the sip-mac option).
IP Source Guard Filter
• Port – Port for which to filter static entries.
• Source IP – Filters traffic based on IP addresses stored in the binding table.
• Source IP and MAC – Filters traffic based on IP addresses and corresponding MAC addresses stored in the binding table.

Web – Click IP Source Guard, Configuration.
CLI – This example configures a static source-guard binding on port 1.

  Console(config)#ip source-guard binding 11-22-33-44-55-66 vlan 1 192.168.0.
Configuring DHCP Snooping

• When DHCP snooping is enabled, DHCP messages entering an untrusted interface are filtered based upon dynamic entries learned via DHCP snooping.
• Filtering rules are implemented as follows:
  - If DHCP snooping is disabled globally, all DHCP packets are forwarded.
  - If DHCP snooping is enabled globally, and also enabled on the VLAN where the DHCP packet is received, all DHCP packets are forwarded for a trusted port.
• Additional considerations when the switch itself is a DHCP client – The port(s) through which the switch submits a client request to the DHCP server must be configured as trusted. Note that the switch will not add a dynamic entry for itself to the binding table when it receives an ACK message from a DHCP server. Also, when the switch sends out DHCP client packets for itself, no filtering takes place.
• DHCP Snooping Service Provider Mode – Once an IP address is assigned to the host by a DHCP server, the switch sets this entry to static mode in the MAC address table, and registers the host as a valid entry in the DHCP snooping table. (Default: Disabled)
  - This function applies to all VDSL ports. When set, it will automatically convert an address assigned to an attached CPE by a DHCP server to a static entry in the MAC address table.
Web – Click DHCP Snooping, DHCP Snooping Configuration. Enable DHCP snooping status globally, enable it for the required VLANs, select whether or not to verify the client’s MAC address, configure those ports that will receive messages only from within the local network as trusted, and then click Apply.

Figure 7-3 DHCP Snooping Configuration

CLI – This example enables DHCP snooping on VLAN 1, and verification of the client’s MAC address. It then sets port 1 as untrusted.
Displaying DHCP Snooping Information

The configuration settings and binding table entries can be displayed on the DHCP Snooping Information page.

Command Attributes
DHCP Snooping Configuration Settings
• DHCP Snooping Status – DHCP snooping global configuration status.
• DHCP Snooping Enabled VLANs – VLANs where DHCP snooping is enabled.
Web – Click DHCP Snooping, DHCP Snooping Information.
CLI – These examples show the DHCP snooping configuration settings and binding table entries.

  Console(config)#ip dhcp snooping
  Console#show ip dhcp snooping
  Global DHCP Snooping status: enable
  DHCP Snooping is configured on the following VLANs: 1,
  Verify Source Mac-Address: enable
  Service Provider Mode: disable
  Interface   Trusted   Client-limit
  ------------------------------
  Eth 1/1     No        5
  Eth 1/2     No        5
  Eth 1/3     No        5
  Eth 1/4     No        5
  Eth 1/5     Yes       5
  . . .
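IP Source Guard (the section before this one) and DHCP snooping (this section) share one binding table, which is why they are easiest to understand together: snooping populates the table from the DHCP exchange and source guard enforces it on later IP traffic. The following Python model is an added example for this guide, not switch code. It encodes the rules stated on these pages: DHCP on a trusted port is forwarded unfiltered; on an untrusted port the client's source MAC can be checked against the DHCP chaddr field; source guard drops inbound packets whose source IP (sip) or source IP plus MAC (sip-mac) has no binding for that VLAN and port; static bindings come from the ip source-guard binding command. Labelled assumptions: an untrusted port may not originate server-side DHCP messages (OFFER/ACK/NAK), a dynamic binding is created when an ACK arrives on a trusted port for a request previously seen on an untrusted port, and with snooping disabled globally only static bindings are consulted. All MAC and IP values are constructed (the page's own binding line is cut off).

```python
"""Added example: DHCP snooping binding table plus IP Source Guard checks (not switch code)."""
from dataclasses import dataclass
from typing import Dict, Set, Tuple

SERVER_MSGS = {"OFFER", "ACK", "NAK"}


@dataclass(frozen=True)
class Binding:
    mac: str
    vlan: int
    ip: str
    port: int
    source: str          # "static" (ip source-guard binding) or "dynamic" (learned by snooping)


class Switch:
    def __init__(self, snooping_vlans: Set[int], trusted_ports: Set[int], verify_mac: bool = True) -> None:
        self.snooping_enabled = True
        self.snooping_vlans = set(snooping_vlans)
        self.trusted = set(trusted_ports)
        self.verify_mac = verify_mac
        self.bindings: Dict[Tuple[int, str], Binding] = {}   # (vlan, ip) -> binding
        self.source_guard: Dict[int, str] = {}               # port -> "sip" | "sip-mac"
        self._pending: Dict[Tuple[int, str], int] = {}       # (vlan, chaddr) -> client port

    # configuration
    def add_static_binding(self, mac: str, vlan: int, ip: str, port: int) -> None:
        """Static entry as created by `ip source-guard binding <mac> vlan <vlan> <ip> ...`."""
        self.bindings[(vlan, ip)] = Binding(mac, vlan, ip, port, "static")

    def enable_source_guard(self, port: int, mode: str) -> None:
        if mode not in ("sip", "sip-mac"):
            raise ValueError("mode is sip or sip-mac")
        self.source_guard[port] = mode

    # DHCP snooping
    def handle_dhcp(self, port: int, vlan: int, src_mac: str, msg: Dict[str, str]) -> str:
        """msg carries 'type', 'chaddr' and, for server replies, 'yiaddr'. Returns forward/drop."""
        if not self.snooping_enabled or vlan not in self.snooping_vlans:
            return "forward"                       # snooping off: all DHCP packets forwarded
        if port in self.trusted:
            if msg["type"] == "ACK":
                client_port = self._pending.pop((vlan, msg["chaddr"]), None)
                if client_port is not None:        # assumption: learn only for a request we saw
                    self.bindings[(vlan, msg["yiaddr"])] = Binding(
                        msg["chaddr"], vlan, msg["yiaddr"], client_port, "dynamic")
            return "forward"                       # trusted port: forwarded unfiltered
        if msg["type"] in SERVER_MSGS:
            return "drop"                          # assumption: rogue DHCP server on a client port
        if self.verify_mac and msg["chaddr"] != src_mac:
            return "drop"                          # client MAC verification failed
        if msg["type"] in ("DISCOVER", "REQUEST"):
            self._pending[(vlan, msg["chaddr"])] = port
        return "forward"

    # IP Source Guard
    def check_ip(self, port: int, vlan: int, src_mac: str, src_ip: str) -> str:
        mode = self.source_guard.get(port)
        if mode is None:
            return "forward"
        b = self.bindings.get((vlan, src_ip))
        if b is None or b.port != port:
            return "drop"                          # no binding for this VLAN/IP/port
        if b.source == "dynamic" and not self.snooping_enabled:
            return "drop"                          # assumption: static entries only without snooping
        if mode == "sip-mac" and b.mac != src_mac:
            return "drop"
        return "forward"
```

The port check is what defeats the neighbour-spoofing case from Command Usage: a host on port 2 that copies the IP (and even the MAC) of the host on port 1 still has no binding for port 2.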
Configuring Packet Filtering

• Blocking NetBIOS traffic commonly used for resource sharing in a peer-to-peer environment to ensure that no privileged client data is passed to other data ports.

Command Attributes
• DHCP Request – Blocks DHCP request packets. (Default: Disabled)
  - In cases where the IP address for a client attached to a downlink port is fixed (i.e., at the VDSL port on the CPE), you should use this command to block any DHCP requests from the client.
• NetBIOS – Blocks NetBIOS packets. (Default: Disabled)
  - NetBIOS is commonly used in local area networks to facilitate sharing resources such as printers or files between computers. However, when providing network services over the Internet to different customers, all information about local resources should be protected. Sending NetBIOS packets over TCP or UDP protocols can be manually disabled at the host computer.
Web – Click Security, Packet Filter, Base Filter Configuration. Select the type of service packets to filter, and click Apply.

Figure 7-5 Packet Filtering – Base Filter

CLI – This example blocks DHCP service requests, DHCP reply packets, and all NetBIOS packets on port 1.
• This switch provides a total of 7 masks for filtering functions, including IP-MAC address packet filtering, NetBIOS packet filtering, DHCP packet filtering, and ACLs. One mask is allocated to IP-MAC packet filtering if any entries are defined. This mask will be released for use by other filtering functions if all IP-MAC packet filtering entries are deleted.

Command Attributes
• Port – A downlink or uplink port. (Range: 1-18)
• IP – IP address of source.
CHAPTER 8 ACCESS CONTROL LISTS

Access Control Lists (ACL) provide packet filtering for IP frames (based on address, protocol, Layer 4 protocol port number or TCP control code), or any frames (based on MAC address or Ethernet type). To filter incoming packets, first create an access list, add the required rules, specify a mask to modify the precedence in which the rules are checked, and then bind the list to a specific port.
The following filtering modes are supported:
• Standard IP ACL mode (STD-ACL) filters packets based on the source IP address.
• Extended IP ACL mode (EXT-ACL) filters packets based on source or destination IP address, as well as protocol type and protocol port number. If the TCP protocol is specified, packets can also be filtered based on the TCP control code.
• MAC ACL mode (MAC-ACL) filters packets based on the source or destination MAC address and the Ethernet frame type (RFC 1060).
• Egress MAC ACLs only work for destination-mac-known packets, not for multicast, broadcast, or destination-mac-unknown packets.

The order in which active ACLs are checked is as follows:
1. User-defined rules in the Egress MAC ACL for egress ports.
2. User-defined rules in the Egress IP ACL for egress ports.
3. User-defined rules in the Ingress MAC ACL for ingress ports.
4. User-defined rules in the Ingress IP ACL for ingress ports.
5.
Web – Click Security, ACL, Configuration. Enter an ACL name in the Name field, select the list type (IP Standard, IP Extended, or MAC), and click Add to open the configuration page for the new list.

Figure 8-1 Selecting ACL Type

CLI – This example creates a standard IP ACL named bill.

  Console(config)#access-list ip standard bill
  Console(config-std-acl)#

Configuring a Standard IP ACL

Command Attributes
• Action – An ACL can contain any combination of permit or deny rules.
Web – Specify the action (i.e., Permit or Deny). Select the address type (Any, Host, or IP). If you select “Host,” enter a specific address. If you select “IP,” enter a subnet address and the mask for an address range. Then click Add.

Figure 8-2 ACL Configuration - Standard IP

CLI – This example configures one permit rule for the specific address 10.1.1.21 and another rule for the address range 168.92.16.x – 168.92.31.x using a bitmask.
• Source/Destination Subnet Mask – Subnet mask for source or destination address. (See the description for SubMask on page 8-4.)
• Service Type – Packet priority settings based on the following criteria:
  - Precedence – IP precedence level. (Range: 0-7)
  - TOS – Type of Service level. (Range: 0-15)
  - DSCP – DSCP priority level. (Range: 0-63)
• Protocol – Specifies the protocol type to match as TCP, UDP or Others, where others indicates a specific protocol number (0-255).
Web – Specify the action (i.e., Permit or Deny). Specify the source and/or destination addresses. Select the address type (Any, Host, or IP). If you select “Host,” enter a specific address. If you select “IP,” enter a subnet address and the mask for an address range. Set any other required criteria, such as service type, protocol type, or TCP control code. Then click Add.

Figure 8-3 ACL Configuration - Extended IP

CLI – This example adds three rules:
1.
3. Permit all TCP packets from class C addresses 192.168.1.0 with the TCP control code set to “SYN.”

  Console(config-ext-acl)#permit 10.7.1.1 255.255.255.0 any
  Console(config-ext-acl)#permit tcp 192.168.1.0 255.255.255.0 any destination-port 80
  Console(config-ext-acl)#permit tcp 192.168.1.0 255.255.255.0 any control-flag 2 2
  Console(config-ext-acl)#

Configuring a MAC ACL

Command Attributes
• Action – An ACL can contain any combination of permit or deny rules.
Command Usage
Egress MAC ACLs only work for destination-mac-known packets, not for multicast, broadcast, or destination-mac-unknown packets.

Web – Specify the action (i.e., Permit or Deny). Specify the source and/or destination addresses. Select the address type (Any, Host, or MAC). If you select “Host,” enter a specific address (e.g., 11-22-33-44-55-66). If you select “MAC,” enter a base address and a hexadecimal bitmask for an address range.
Configuring ACL Masks

You must specify masks that control the order in which ACL rules are checked. ACL rules matching the first entry in the mask are checked first. Rules matching subsequent entries in the mask are then checked in the specified order. The switch includes two system default masks that pass/filter packets matching the permit/deny rules specified in an ingress ACL. You can also configure up to seven user-defined masks for an ingress or egress ACL.
Web – Click Security, ACL, Mask Configuration. Click Edit for one of the basic mask types to open the configuration page.

Figure 8-5 Selecting ACL Mask Types

CLI – This example creates an IP ingress mask, and then adds two rules. Each rule is checked in order of precedence to look for a match in the ACL entries. The first entry matching a mask is applied to the inbound packet.
• Source/Destination Subnet Mask – Source or destination address of rule must match this bitmask. (See the description for SubMask on page 8-4.)
• Protocol Mask – Check the protocol field.
• Service Type Mask – Check the rule for the specified priority type. (Options: Precedence, TOS, DSCP; Default: TOS)
• Source/Destination Port Bit Mask – Protocol port of rule must match this bitmask. (Range: 0-65535)
• Control Code Bit Mask – Control flags of rule must match this bitmask.
Web – Configure the mask to match the required rules in the IP ingress or egress ACLs. Set the mask to check for any source or destination address, a specific host address, or an address range. Include other criteria to search for in the rules, such as a protocol type or one of the service types. Or use a bitmask to search for specific protocol port(s) or TCP control code(s). Then click Add.
CLI – This shows that the entries in the mask override the precedence in which the rules are entered into the ACL. In the following example, packets with the source address 10.1.1.1 are dropped because the “deny 10.1.1.1 255.255.255.255” rule has the higher precedence according to the “mask host any” entry.

  Console(config)#access-list ip standard A2
  Console(config-std-acl)#permit 10.1.1.0 255.255.255.0
  Console(config-std-acl)#deny 10.1.1.1 255.255.255.
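The point of the A2 example is that rule order on this switch is not entry order: a mask entry promotes every rule whose subnet bitmask matches that entry, so a host (255.255.255.255) deny entered after a broader permit still wins once mask host any is configured. The following Python model is an added example for this guide, not switch code, and reproduces that evaluation. A standard IP ACL carries only a source address, so only the source half of a mask entry is modelled. Labelled assumptions: rules not selected by any mask entry are checked afterwards in entry order, and a packet matching no rule takes the caller's default_action (the page does not say what the system default masks do with an unmatched packet).

```python
"""Added example: ACL rule precedence driven by an ingress mask (not switch code)."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Tuple

HOST = "255.255.255.255"   # the CLI keyword `host`
ANY = "0.0.0.0"            # the CLI keyword `any`


@dataclass(frozen=True)
class Rule:
    action: str      # "permit" or "deny"
    address: str
    bitmask: str     # 1 bits are compared (the manual's SubMask)

    def matches(self, src_ip: str) -> bool:
        m = int(IPv4Address(self.bitmask))
        return int(IPv4Address(src_ip)) & m == int(IPv4Address(self.address)) & m


class StandardIpAcl:
    def __init__(self, name: str) -> None:
        self.name = name
        self.rules: List[Rule] = []           # kept in entry order

    def permit(self, address: str, bitmask: str = HOST) -> "StandardIpAcl":
        self.rules.append(Rule("permit", address, bitmask))
        return self

    def deny(self, address: str, bitmask: str = HOST) -> "StandardIpAcl":
        self.rules.append(Rule("deny", address, bitmask))
        return self


class IpIngressMask:
    """Ordered source-mask entries; earlier entries give their rules higher precedence."""
    def __init__(self) -> None:
        self.entries: List[str] = []

    def add(self, source: str) -> "IpIngressMask":
        self.entries.append({"host": HOST, "any": ANY}.get(source, source))
        return self


def evaluate(acl: StandardIpAcl, mask: Optional[IpIngressMask], src_ip: str,
             default_action: str = "deny") -> Tuple[str, Optional[Rule]]:
    """Return (action, matched rule) for a packet with the given source address."""
    order: List[int] = []
    for entry in (mask.entries if mask else []):          # rules selected by the mask first
        order += [i for i, r in enumerate(acl.rules) if r.bitmask == entry and i not in order]
    order += [i for i in range(len(acl.rules)) if i not in order]   # then entry order (assumption)
    for i in order:
        if acl.rules[i].matches(src_ip):
            return acl.rules[i].action, acl.rules[i]
    return default_action, None                           # assumption: caller-chosen default


def page_example() -> Tuple[StandardIpAcl, IpIngressMask]:
    """ACL A2 and the `mask host any` entry from the page."""
    acl = StandardIpAcl("A2").permit("10.1.1.0", "255.255.255.0").deny("10.1.1.1", HOST)
    mask = IpIngressMask().add("host")
    return acl, mask
```

Evaluating A2 without a mask permits 10.1.1.1 (the first rule entered matches); with the mask the same packet is denied, which is the behaviour the CLI transcript above describes.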
Web – Configure the mask to match the required rules in the MAC ingress or egress ACLs. Set the mask to check for any source or destination address, a host address, or an address range. Use a bitmask to search for specific VLAN ID(s) or Ethernet type(s). Or check for rules where a packet format was specified. Then click Add.
CLI – This example shows how to create an Ingress MAC ACL and bind it to a port. You can then see that the order of the rules has been changed by the mask.
• When an ACL is bound to an interface as an egress filter, all entries in the ACL must be deny rules. Otherwise, the bind operation will fail.
• The switch does not support the explicit “deny any any” rule for the egress IP ACL or the egress MAC ACLs. If these rules are included in an ACL, and you attempt to bind the ACL to an interface for egress checking, the bind operation will fail.

Command Attributes
• Port – Fixed port or SFP module.
CLI – This example assigns an IP and MAC ingress ACL to port 1, and an IP ingress ACL to port 2.
CHAPTER 9 PORT CONFIGURATION

Displaying Connection Status

You can use the Port Information or Trunk Information pages to display the current connection status, including link state, speed/duplex mode, flow control, and auto-negotiation.

Field Attributes (Web)
• Name – Interface label.
• Type – Indicates the port type. (100BASE-TX, 1000BASE-T, or SFP)
• Admin Status – Shows if the interface is enabled or disabled.
• Oper Status – Indicates if the link is Up or Down.
Web – Click Port, Port Information or Trunk Information.

Figure 9-1 Port - Port Information

Field Attributes (CLI)
Basic information:
• Port type – Indicates the port type. (100BASE-TX, 1000BASE-T, SFP)
• MAC address – The physical layer address for this port. (To access this item on the web, see “Setting the Switch’s IP Address” on page 4-11.)
Configuration:
• Name – Interface label.
• Port admin – Shows if the interface is enabled or disabled (i.e., up or down).
“Configuring Interface Connections” on page 3-48.) The following capabilities are supported.

CLI – This example shows the connection status for Port 5.
required operation modes must be specified in the capabilities list for an interface.
• Auto-negotiation must be disabled before you can configure or force the interface to use the Speed/Duplex Mode or Flow Control options.

Command Attributes
• Name – Allows you to label an interface. (Range: 1-64 characters)
• Admin – Allows you to manually disable an interface. You can disable an interface due to abnormal behavior (e.g.
and IEEE 802.3x for full-duplex operation. (Avoid using flow control on a port connected to a hub unless it is actually required to solve a problem. Otherwise back pressure jamming signals may degrade overall performance for the segment attached to the hub.)
Web – Click Port, Port Configuration or Trunk Configuration. Modify the required interface settings, and click Apply.

Figure 9-2 Port - Port Configuration

CLI – Select the interface, and then enter the required settings.

  Console(config)#interface ethernet 1/19
  Console(config-if)#description RD SW#19
  Console(config-if)#shutdown
  .
  Console(config-if)#no shutdown
  Console(config-if)#no negotiation
  Console(config-if)#speed-duplex 100half
  .
Creating Trunk Groups

You can create multiple links between devices that work as one virtual, aggregate link. A port trunk offers a dramatic increase in bandwidth for network segments where bottlenecks exist, as well as providing a fault-tolerant link between two devices. You can create up to 12 trunks. The switch supports both static trunking and dynamic Link Aggregation Control Protocol (LACP).
• The ports at both ends of a trunk must be configured in an identical manner, including communication mode (i.e., speed, duplex mode and flow control), VLAN assignments, and CoS settings.
• Any of the Gigabit ports on the front panel can be trunked together, including ports of different media types.
• All the ports in a trunk have to be treated as a whole when moved from/to, added or deleted from a VLAN.
• STP, VLAN, and IGMP settings can only be made for the entire trunk.
Web – Click Port, Trunk Membership. Enter a trunk ID of 1-12 in the Trunk field, select any of the switch ports from the scroll-down port list, and click Add. After you have completed adding ports to the member list, click Apply.

CLI – This example creates trunk 1 with ports 9 and 10. Just connect these ports to two static trunk ports on another switch to form a trunk.
• A trunk formed with another switch using LACP will automatically be assigned the next available trunk ID.
• If more than eight ports attached to the same target switch have LACP enabled, the additional ports will be placed in standby mode, and will only be enabled if one of the active links fails.
• All ports on both ends of an LACP trunk must be configured for full duplex, either by forced mode or auto-negotiation.
CLI – The following example enables LACP for ports 1 to 6. Just connect these ports to LACP-enabled trunk ports on another switch to form a trunk.

  Console(config)#interface ethernet 1/1
  Console(config-if)#lacp
  Console(config-if)#exit
  . . .
Note: If the port channel admin key (lacp admin key, page 26-8) is not set (through the CLI) when a channel group is formed (i.e., it has a null value of 0), this key is set to the same value as the port admin key used by the interfaces that joined the group (lacp admin key, as described in this section and on page 26-7).

Command Attributes
Set Port Actor – This menu sets the local side of an aggregate link; i.e., the ports on this switch.
• Port – Port number.
Web – Click Port, LACP, Aggregation Port. Set the System Priority, Admin Key, and Port Priority for the Port Actor. You can optionally configure these settings for the Port Partner. (Be aware that these settings only affect the administrative state of the partner, and will not take effect until the next time an aggregate link is formed with this device.) After you have completed setting the port LACP parameters, click Apply.
CLI – The following example configures LACP parameters for ports 1-10. Ports 1-8 are used as active members of the LAG, ports 9 and 10 are set to backup mode.

  Console(config)#interface ethernet 1/1
  Console(config-if)#lacp actor system-priority 3
  Console(config-if)#lacp actor admin-key 120
  Console(config-if)#lacp actor port-priority 128
  Console(config-if)#exit
  . . .
Displaying LACP Port Counters

You can display statistics for LACP protocol messages.

Table 9-1 LACP Port Counters

Parameter         Description
LACPDUs Sent      Number of valid LACPDUs transmitted from this channel group.
LACPDUs Received  Number of valid LACPDUs received by this channel group.
Marker Sent       Number of valid Marker PDUs transmitted from this channel group.
Marker Received   Number of valid Marker PDUs received by this channel group.
CLI – The following example displays LACP counters for port channel 1.

    Console#show lacp 1 counters
    Port channel: 1
    ------------------------------------------------------------------
    Eth 1/ 2
    ------------------------------------------------------------------
    LACPDUs Sent: 19
    LACPDUs Receive: 10
    Marker Sent: 0
    Marker Receive: 0
    LACPDUs Unknown Pkts: 0
    LACPDUs Illegal Pkts: 0
    . . .
Table 9-2 LACP Internal Configuration Information (Continued)

Field                    Description
LACPDUs Internal         Number of seconds before invalidating received LACPDU information.
Admin State, Oper State  Administrative or operational values of the actor’s state parameters:
                         • Expired – The actor’s receive machine is in the expired state;
                         • Defaulted – The actor’s receive machine is using defaulted operational partner information, administratively configured for the partner.
Web – Click Port, LACP, Port Internal Information. Select a port channel to display the corresponding information.

Figure 9-7 LACP - Port Internal Information

CLI – The following example displays the LACP configuration settings and operational state for the local side of port channel 1.
Displaying LACP Settings and Status for the Remote Side

You can display configuration settings and the operational state for the remote side of a link aggregation.

Table 9-3 LACP Neighbor Configuration Information

Field                      Description
Partner Admin System ID    LAG partner’s system ID assigned by the user.
Partner Oper System ID     LAG partner’s system ID assigned by the LACP protocol.
Partner Admin Port Number  Current administrative value of the port number for the protocol Partner.
Web – Click Port, LACP, Port Neighbors Information. Select a port channel to display the corresponding information.

Figure 9-8 LACP - Port Neighbors Information

CLI – The following example displays the LACP configuration settings and operational state for the remote side of port channel 1.
Setting Broadcast Storm Thresholds

Broadcast storms may occur when a device on your network is malfunctioning, or if application programs are not well designed or properly configured. If there is too much broadcast traffic on your network, performance can be severely degraded or everything can come to a complete halt. You can protect your network from broadcast storms by setting a threshold for broadcast traffic for each port.
Web – Click Port, Port Broadcast Control or Trunk Broadcast Control. Check the Enabled box for any interface, set the threshold, and click Apply.

Figure 9-9 Port Broadcast Control

CLI – Specify any interface, and then enter the threshold. The following disables broadcast storm control for port 1, and then sets broadcast suppression at 600 packets per second for port 2.
Configuring Port Mirroring

You can mirror traffic from any source port to a target port for real-time analysis. You can then attach a logic analyzer or RMON probe to the target port and study the traffic crossing the source port in a completely unobtrusive manner.

Command Usage
• Monitor port speed should match or exceed source port speed, otherwise traffic may be dropped from the monitor port.
• All mirror sessions have to share the same destination port.
Web – Click Port, Mirror Port Configuration. Specify the source port, the traffic type to be mirrored, and the monitor port, then click Add.

Figure 9-10 Mirror Port Configuration

CLI – Use the interface command to select the monitor port, then use the port monitor command to specify the source port. Note that default mirroring under the CLI is for both received and transmitted packets.
CONFIGURING RATE LIMITS

Note: You can also set an SNMP trap if traffic exceeds the configured rate limit using the CLI (see the “rate-limit trap-input” command on page 28-3).

Command Attribute
Rate Limit – Sets the input or output rate limit for an Ethernet interface, or the input rate limit for a VLAN port member, in increments of 64 Kbps.
CLI – This example sets the rate limit for input and output traffic passing through port 1 to 64 Kbps.

    Console(config)#interface ethernet 1/1
    Console(config-if)#rate-limit input 64
    Console(config-if)#rate-limit output 64
    Console(config-if)#

Configuring the Rate Limit for a VLAN Port Member

Web – Click Port, Rate Limit, Input VLAN Configuration. Select the port, and the VLAN to which the port belongs. Set the input rate limit for the selected interface, and then click Add.
Showing Port Statistics

You can display standard statistics on network traffic from the Interfaces Group and Ethernet-like MIBs, as well as a detailed breakdown of traffic based on the RMON MIB. Interfaces and Ethernet-like statistics display errors on the traffic passing through each port. This information can be used to identify potential problems with the switch (such as a faulty port or unusually heavy loading).
Table 9-4 Port Statistics (Continued)

Parameter                 Description
Received Unknown Packets  The number of packets received via the interface which were discarded because of an unknown or unsupported protocol.
Received Errors           The number of inbound packets that contained errors preventing them from being deliverable to a higher-layer protocol.
Transmit Octets           The total number of octets transmitted out of the interface, including framing characters.
FCS Errors                A count of frames received on a particular interface that are an integral number of octets in length but do not pass the FCS check. This count does not include frames received with frame-too-long or frame-too-short error.
Excessive Collisions      A count of frames for which transmission on a particular interface fails due to excessive collisions.
RMON Statistics
Drop Events               The total number of events in which packets were dropped due to lack of resources.
Jabbers                   The total number of frames received that were longer than 1518 octets (excluding framing bits, but including FCS octets), and had either an FCS or alignment error.
Received Bytes            Total number of bytes of data received on the network.
64 Bytes Frames           The total number of frames (including bad packets) received and transmitted that were 64 octets in length (excluding framing bits but including FCS octets).
Web – Click Port, Port Statistics. Select the required interface, and click Query. You can also use the Refresh button at the bottom of the page to update the screen.
CLI – This example shows statistics for port 12.
CHAPTER 10 VDSL CONFIGURATION

VDSL communication parameters can be set for individual ports, or multiple parameters can be defined in a profile and applied globally to the switch or to a group of ports. Alarm thresholds can be defined in a profile and then applied globally to the switch or to selected ports. The switch also provides an extensive listing of VDSL statistics.
- Power Value – A power level for each of the PSD breakpoints. (Range: An integer from 0 to 255, which is used to calculate a power level in terms of -140 + (power-value) * 0.5 dBm/Hz; Default: 255, which is equivalent to -12.5 dBm/Hz)

Breakpoints, which are defined by a signal frequency and corresponding power level, create a PSD mask for in-band spectrum shaping, set the Limit PSD Mask required for compliance with local regulations, or set mask limits for upstream power backoff.
CONFIGURING GLOBAL SETTINGS FOR VDSL PORTS

the optimal transmission rate for the current conditions, setting the rate within the bounds defined by the Data Rate. When rate adaptation is enabled and the signal quality deteriorates on any line or the link is re-established after being dropped, that port will automatically enter retraining and connect at the optimum rate if Auto-retraining is enabled (described later in this section).
Upstream power back-off (UPBO) is used to mitigate far-end crosstalk caused by upstream transmissions from shorter to longer loops. The bounding power levels specified in this table are used to reshape the PSD, ensuring that the signals on short to long loops are compatible. The transceiver will adjust its transmitted signal to conform to the power limitations set in this table.
Web – Click VDSL, Global Configuration. Configure the required items, and click Apply. (Note that the parameters in the following screen are all set to their default values.)
Figure 10-1 VDSL Global Configuration

CLI – This example displays sample settings for some of the VDSL global configuration commands.
Configuring Interface Settings for VDSL Ports

This section describes how to configure communication parameters for VDSL ports such as specifying data band usage plans, setting notches within the frequency bands to avoid interference with ham radio signals, setting a mask for power spectral density to meet regional or local limitations for transmitting signals on phone lines, setting an acceptable target for the signal-to-noise ratio, and enabling automatic rate
Configuration Tables
• Channel Mode – Sets the channel mode to fast or interleaved. (Default: Interleaved)

Interleaving protects data against bursts of errors by using the Reed-Solomon error correction algorithm to spread the errors over a number of code words. A greater degree of interleaving provides more protection against noise pulses, but increases transmission delay and reduces the effective bandwidth.
• Region Ham Band – Sets the ham radio band that will be blocked to VDSL signals based on defined usage types. (Options: See Table 29-5, “HAM Band Notches for Usage Types,” on page 29-10. Default: none)

Using a HAM band mask prevents interference with other systems (e.g., amateur radio) that use narrow band transmission in the VDSL frequency band. The selected frequency range will not be used to transmit data on the VDSL line.
• PSD Breakpoints – See “Configuring Global Settings for VDSL Ports” on page 10-1.
• PSD Mask Level – See “Configuring Global Settings for VDSL Ports” on page 10-1.
• UPBO – See “Configuring Global Settings for VDSL Ports” on page 10-1.
• Tone – Disables downstream or upstream VDSL signals at frequencies less than or equal to 640 KHz, 1.1 MHz or 2.2 MHz. (Default: Disable tones at 640 KHz and below)

This parameter specifies a frequency beneath which VDSL signals are not allowed.
This minimum margin indicates the amount of increase in impulse noise that the system can tolerate under operational conditions while still ensuring required transmission quality. This parameter is used to set the time span of impulse noise protection, as seen at the input to the de-interleaver, for which errors can be completely corrected by the error correcting code, regardless of the number of errors within the errored DMT symbols.
Web – Click VDSL, VDSL Port Configuration. Select one of the VDSL ports from the scroll-down list, set the required parameters, and click Apply. (Note that the parameters in the following screen are all set to their default values.)
Figure 10-2 VDSL Port Configuration
CLI – This example displays sample settings for some of the VDSL port configuration commands.
CONFIGURING LINE PROFILES

Web – Click VDSL, Line Profile Configuration. Select a line profile from the drop-down list above the Line Profile table of connection parameters, configure the required items in this table, and then click the Apply button beneath the table to store the profile settings. Now select the required line profile from the drop-down list in the Line Profile Mapping table, and click the Apply button next to the VDSL ports to apply the selected profile.
Figure 10-3 Line Profile Configuration

CLI – This example displays sample settings for a line profile.
Displaying VDSL Status Information

This section describes the information displayed for VDSL configuration settings, signal status, and communication statistics.

Field Attributes

LRE Status – Communication status of the VDSL line

Table 10-1 LRE Status

Parameter    Description
Port Status  The current initialization or operational status.
Table 10-1 LRE Status (Continued)

Parameter       Description
Avg SNR Margin  Average signal-to-noise margin above the SNR.
Avg SNR         Average signal-to-noise ratio.

LRE Rate Information – Data Rates for the VDSL line

Table 10-2 Rate Status

Parameter     Description
Port Status   Indicates if the port is administratively enabled or disabled.
Line Rate     The downstream and upstream line rate.
Payload Rate  The actual payload carried on the fast and interleaved channels.
Web – Click VDSL, VDSL Status Information. Select a VDSL port from the drop-down list, and click Query.
CLI – This example displays connection status and data rates for the selected VDSL port.

    Console#show lre 1/1
    port 1 status :
    Downstream Training Margin:
    Upstream Training Margin:
    Downstream Line Protection (Slow Path):
    Upstream Line Protection (Slow Path):
    Downstream delay:
    Upstream delay:
    Tx total power :
    FE Tx total power :
    VDSL Estimated Loop Length :
    G.Hs Estimated Near End Loop Length :
    G.
Displaying VDSL Performance Statistics

This section describes the performance information displayed for VDSL lines, including common error conditions over predefined intervals.
Table 10-4 Ethernet Receive Performance Counters (Continued)

Parameter         Description
Alignment Errors  Number of alignment errors (missynchronized data packets).
Oversize          Number of frames received that were longer than 1518 octets (excluding framing bits, but including FCS octets) and were otherwise well formed.
Undersize         Number of frames received that were less than 64 octets long (excluding framing bits, but including FCS octets) and were otherwise well formed.
High-Level Data-Link Control (H.D.L.C.) Performance Counters

Table 10-6 H.D.L.C. Performance Counters

Parameter       Description
CRC Errors      Number of CRC errors (FCS or alignment errors).
Invalid Frames  Number of frames not properly bounded by flags, not containing an integral number of octets prior to zero-bit insertion or following zero-bit extraction, containing an FCS error, or containing an incorrect address field.
Web – Click VDSL, VDSL Performance Statistics. Select a VDSL port from the drop-down list, and click Query.
CLI – This example displays performance information for the selected VDSL port.
Configuring an Alarm Profile

This section describes how to configure a list of threshold values for error states which can be applied to a selected group of ports.

Command Attributes
• Alarm Profile – Name of the profile. (Range: 1-31 alphanumeric characters) The default profile includes the default thresholds for VDSL lines.
• thresh-15min-ess – Threshold for Errored Seconds (ESs) that can occur within any given 15 minutes.
This parameter sets the threshold for the number of severely errored seconds within any 15 minute collection interval for performance data. If the number of severely errored seconds in a particular 15-minute collection interval reaches or exceeds this value, a vdslPerfSESsThreshNotification notification will be generated. (Refer to RFC 3728 for information on this notification message.) No more than one notification will be sent per interval.
interval reaches or exceeds this value, a vdslPerfLossThreshNotification notification will be generated. (Refer to RFC 3728 for information on this notification message.) No more than one notification will be sent per interval.
• thresh-15min-uass – Threshold for Unavailable Seconds (UASs) that can occur within any given 15 minutes.
• init-failure – Threshold for initialization failures that can occur within any given 15 minutes. (Range: 0-900 seconds, where 0 disables the threshold; Default: 1)

There are many factors which can cause an initialization failure, including lossOfFraming, lossOfSignal, lossOfPower, lossOfSignalQuality, lossOfLink, dataInitFailure, configInitFailure, protocolInitFailure, or noPeerVtuPresent.
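As an added example that is not part of the manual, the following Python models the 15-minute threshold behaviour described for the alarm profile above: one count per error state, a notification when the count reaches or exceeds its threshold, no more than one notification per counter per interval, and 0 disabling a threshold. The ESs, UASs and init-failure notification names are assumed to follow the same RFC 3728 naming pattern as the two named on this page, the 0-900 range is assumed to apply to every 15-minute counter, and the per-second samples are constructed.

```python
from dataclasses import dataclass, field

INTERVAL_SECONDS = 15 * 60  # one performance-data collection interval

# Counter name -> notification raised when its 15-minute threshold is reached.
# SESs and Loss are named on the page; the other three are assumed to follow
# the same RFC 3728 (VDSL-LINE-MIB) naming pattern.
NOTIFICATIONS = {
    "ess": "vdslPerfESsThreshNotification",
    "sess": "vdslPerfSESsThreshNotification",
    "loss": "vdslPerfLossThreshNotification",
    "uass": "vdslPerfUASsThreshNotification",
    "init_failure": "vdslPerfInitFailureThreshNotification",
}


@dataclass
class AlarmProfile:
    """Per-interval thresholds; 0 disables a threshold, 900 is a whole interval.

    The 0-900 range is given on the page for init-failure and is assumed here
    to apply to the other 15-minute counters as well.
    """
    name: str
    thresholds: dict

    def __post_init__(self):
        if not (1 <= len(self.name) <= 31 and self.name.isalnum()):
            raise ValueError("profile name must be 1-31 alphanumeric characters")
        for counter, value in self.thresholds.items():
            if counter not in NOTIFICATIONS:
                raise ValueError(f"unknown counter {counter!r}")
            if not 0 <= value <= 900:
                raise ValueError(f"{counter}: {value} is outside 0-900")


@dataclass
class IntervalState:
    """Counts and already-sent notifications for one 15-minute interval."""
    start: int
    counts: dict = field(default_factory=lambda: dict.fromkeys(NOTIFICATIONS, 0))
    notified: set = field(default_factory=set)


class AlarmMonitor:
    def __init__(self, profile: AlarmProfile):
        self.profile = profile
        self.state = None
        self.notifications = []  # (second, notification name), in the order sent

    def record_second(self, t: int, counters):
        """Record the error states seen during second t; return notifications raised."""
        start = t - t % INTERVAL_SECONDS
        if self.state is None or self.state.start != start:
            self.state = IntervalState(start)  # new interval: counts and sent-flags reset
        raised = []
        for counter in counters:
            self.state.counts[counter] += 1
            threshold = self.profile.thresholds.get(counter, 0)
            if threshold == 0 or counter in self.state.notified:
                continue  # threshold disabled, or one notification already sent this interval
            if self.state.counts[counter] >= threshold:
                self.state.notified.add(counter)
                raised.append(NOTIFICATIONS[counter])
                self.notifications.append((t, NOTIFICATIONS[counter]))
        return raised


def run_sample():
    """Constructed sample: replay per-second error states through one profile."""
    profile = AlarmProfile("lineA", {"ess": 10, "sess": 3, "loss": 0, "init_failure": 1})
    monitor = AlarmMonitor(profile)
    samples = {t: {"ess"} for t in range(12)}        # 12 errored seconds in a row
    for t in (5, 6, 7):
        samples[t].add("sess")                        # three of them severely errored
    samples[100] = samples[101] = {"loss"}           # loss threshold is 0: never notifies
    samples[200] = {"init_failure"}                  # default threshold 1: notifies at once
    samples[901] = {"ess"}                           # second interval, far below threshold
    for t in (950, 951, 952):
        samples[t] = {"sess"}                         # SES count reaches 3 again, new interval
    for t in sorted(samples):
        monitor.record_second(t, samples[t])
    return monitor.notifications
```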
Web – Click VDSL, Alarm Profile Configuration. Select a profile from the drop-down list above the Alarm Profile table of thresholds, configure the required items in this table, and then click the Apply button beneath the table to store the profile settings. Now select the required alarm profile from the drop-down list in the Alarm Profile Mapping table, and click the Apply button next to the VDSL ports to apply the selected profile.
Figure 10-6 Alarm Profile Configuration

CLI – This example displays sample settings for an alarm profile.
Displaying CPE Information

This section describes the information displayed for an attached CPE, including firmware module versions, and performance counters.
CPE Performance Counters

Table 10-9 CPE Performance Counters

Parameter     Description
cpe perfermance counters
FeFEC_F       Far end Forward Error Correction on fast path
FeCRC_F       Far end CRC errors on fast path
FeFEC_S       Far end Forward Error Correction on slow path
FeCRC_S       Far end CRC errors on slow path
FeFLOS        Far end Loss of Signal
FeSEF         Far end Severely Errored Frame
FeFECUnCrr_F  Far end Forward Error Correction on fast path uncorrected errors
FeFECUnCrr_S  Far end Forwar
Web – Click VDSL, CPE Information. Select a VDSL port from the drop-down list, and click Query.
Figure 10-7 CPE Information
CLI – This example displays information about the CPE attached to the selected VDSL port.

    Console#show cpe-info 1/1
    Protocol ID: Ikanos EOC Protocol
    Protocol Version - Major: 01
    Protocol Version - Minor: 01
    Vendor ID (Value): ffffffff (HEX), -1 (DECIMAL)
    Host Application Version: 7.2.5r7IK104012
    BME Firmware Version: Firmware-VTU-R:7.2.5r7 Time May 19 2006, RTOS Nucleus
    AFE Hardware Version: AFE <--:-->
    IFE Hardware Version: IFE
Configuring OAM Functions and Upgrading CPE Firmware

This section describes operation and maintenance (OAM) functions for remote customer premises equipment (CPE), such as clearing counters, enabling loopback testing, and upgrading firmware.

Command Usage

Upgrading CPE Firmware
To upgrade firmware on a CPE follow these steps:
1.
CPE, and verifying that the signal is returned from the CPE without any errors.

Upgrading CPE Firmware
• Upgrade Firmware – Transfers firmware from reserved buffer space in the switch to a remote CPE.
• Firmware Active – Activates the alternate (inactive) BME firmware version on the CPE. (BME indicates the Burst Mode Engine used for digital signal processing.)
Web – Click VDSL, VDSL OAM. Select a VDSL port from the drop-down list, and perform any of the local or remote OAM functions listed under the Action field. Before upgrading firmware on an attached CPE, first download it to the reserved buffer space on the switch using the dialog box at the bottom of this screen.
CLI – This example shows how to perform common OAM functions, and how to download firmware to a CPE.

    Console(config)#interface ethernet 1/1
    Console(config-if)#oam local clear counter
    port 1 : success to clear perfermance counters!
    Console(config-if)#exit
    Console#copy tftp firmware
    TFTP server IP address: 192.168.1.19
    Source file name: 724maccpe
    Success.
    Firmware size : 485719
    Firmware version : 104012IK7.2.
CHAPTER 11 ADDRESS TABLE SETTINGS

Switches store the addresses for all known devices. This information is used to pass traffic directly between the inbound and outbound ports. All the addresses learned by monitoring traffic are stored in the dynamic address table. You can also manually configure static addresses that are bound to a specific port.

Setting Static Addresses

A static address can be assigned to a specific interface on this switch.
Web – Click Address Table, Static Addresses. Specify the interface, the MAC address and VLAN, then click Add Static Address.

Figure 11-1 Static Addresses

CLI – This example adds an address to the static address table, but sets it to be deleted when the switch is reset.
DISPLAYING THE ADDRESS TABLE

Command Attributes
• Interface – Indicates a port or trunk.
• MAC Address – Physical address associated with this interface.
• VLAN – ID of configured VLAN (1-4094).
• Address Table Sort Key – You can sort the information displayed based on MAC address, VLAN or interface (port or trunk).
• Dynamic Address Counts – The number of addresses dynamically learned.
• Current Dynamic Address Table – Lists all the dynamic addresses.

Web – Click Address Table, Dynamic Addresses.
CLI – This example also displays the address table entries for port 1.

    Console#show mac-address-table interface ethernet 1/1
     Interface Mac Address       Vlan Type
     --------- ----------------- ---- -----------------
     Eth 1/ 1  00-E0-29-94-34-DE    1 Permanent
     Eth 1/ 1  00-20-9C-23-CD-60    2 Learned
    Console#

Changing the Aging Time

You can set the aging time for entries in the dynamic address table.

Command Attributes
• Aging Status – Enables/disables the aging function.
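As an added example that is not part of the manual, the following Python parses show mac-address-table output in the format shown above and reports MAC addresses that appear behind more than one interface in the same VLAN, in particular a Permanent (static) binding on one port with the same address Learned on another. The sample output is constructed; only the two entries on Eth 1/1 come from the page, the interface and MAC values on the other rows are made up.

```python
import re

# Constructed sample in the format of the show mac-address-table output above.
# The first two rows are the page's own entries; the rest are made up so the
# check has something to find.
SAMPLE_OUTPUT = """\
Console#show mac-address-table
 Interface Mac Address       Vlan Type
 --------- ----------------- ---- -----------------
 Eth 1/ 1  00-E0-29-94-34-DE    1 Permanent
 Eth 1/ 1  00-20-9C-23-CD-60    2 Learned
 Eth 1/ 2  00-20-9C-23-CD-60    2 Learned
 Eth 1/ 3  00-E0-29-94-34-DE    1 Learned
 Trunk 1   00-10-B5-62-19-7A    2 Learned
Console#
"""

ROW = re.compile(
    r"^\s*(Eth\s+\d+/\s*\d+|Trunk\s+\d+)\s+"       # interface: port or trunk
    r"([0-9A-Fa-f]{2}(?:-[0-9A-Fa-f]{2}){5})\s+"   # MAC in the switch's xx-xx-xx-xx-xx-xx form
    r"(\d+)\s+(\S+)\s*$"                            # VLAN ID and entry type
)


def parse_mac_table(text):
    """Parse show mac-address-table output into a list of entry dicts."""
    entries = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # prompt, column header, or separator line
        iface = " ".join(m.group(1).split()).replace("/ ", "/")  # "Eth 1/ 1" -> "Eth 1/1"
        entries.append({"interface": iface, "mac": m.group(2).upper(),
                        "vlan": int(m.group(3)), "type": m.group(4)})
    return entries


def duplicate_locations(entries):
    """(MAC, VLAN) pairs seen behind more than one interface -> [(interface, type), ...]."""
    seen = {}
    for e in entries:
        seen.setdefault((e["mac"], e["vlan"]), []).append((e["interface"], e["type"]))
    return {key: where for key, where in seen.items()
            if len({iface for iface, _ in where}) > 1}


def static_conflicts(entries):
    """Sorted (MAC, VLAN) pairs that have a Permanent entry on one port and a Learned
    entry on another: a device is using an address that was bound to a different port."""
    conflicts = []
    for key, where in duplicate_locations(entries).items():
        types = {entry_type for _, entry_type in where}
        if "Permanent" in types and "Learned" in types:
            conflicts.append(key)
    return sorted(conflicts)
```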
CHAPTER 12 SPANNING TREE ALGORITHM

The Spanning Tree Algorithm (STA) can be used to detect and disable network loops, and to provide backup links between switches, bridges or routers. This allows the switch to interact with other bridging devices (that is, an STA-compliant switch, bridge or router) in your network to ensure that only one route exists between any two stations on the network, and provide backup links which automatically take over when a primary link goes down.
Once a stable network topology has been established, all bridges listen for Hello BPDUs (Bridge Protocol Data Units) transmitted from the Root Bridge. If a bridge does not get a Hello BPDU after a predefined interval (Maximum Age), the bridge assumes that the link to the Root Bridge is down. This bridge will then initiate negotiations with other bridges to reconfigure the network to reestablish a valid network topology.
maintain connectivity among each of the assigned VLAN groups. MSTP then builds an Internal Spanning Tree (IST) for the Region containing all commonly configured MSTP bridges. An MST Region consists of a group of interconnected bridges that have the same MST Configuration Identifiers (including the Region Name, Revision Level and Configuration Digest – see “Configuring Multiple Spanning Trees” on page 12-22). An MST Region may contain multiple MSTP Instances.
MSTP connects all bridges and LAN segments with a single Common and Internal Spanning Tree (CIST). The CIST is formed as a result of the running spanning tree algorithm between switches that support the STP, RSTP, MSTP protocols.

Displaying Global Settings

You can display a summary of the current bridge STA information that applies to the entire switch using the STA Information screen.
make it return to a discarding state; otherwise, temporary data loops might result.
• Designated Root – The priority and MAC address of the device in the Spanning Tree that this switch has accepted as the root device.
  - Root Port – The number of the port on this switch that is closest to the root. This switch communicates with the root device through this port. If there is no root port, then this switch has been accepted as the root device of the Spanning Tree network.
configuration messages at regular intervals. If the root port ages out STA information (provided in the last configuration message), a new root port is selected from among the device ports attached to the network. (References to “ports” in this section mean “interfaces,” which includes both ports and trunks.)
• Root Forward Delay – The maximum time (in seconds) this device will wait before changing states (i.e., discarding to learning to forwarding).
CLI – This command displays global STA settings, followed by settings for each port.

    Console#show spanning-tree
    Spanning-tree information
    --------------------------------------------------------------
    Spanning tree mode: MSTP
    Spanning tree enable/disable: enable
    Instance: 0
    Vlans configuration: 1-4093
    Priority: 32768
    Bridge Hello Time (sec.): 2
    Bridge Max Age (sec.): 20
    Bridge Forward Delay (sec.): 15
    Root Hello Time (sec.): 2
    Root Max Age (sec.): 20
    Root Forward Delay (sec.
Configuring Global Settings

Global settings apply to the entire switch.

Command Usage
• Spanning Tree Protocol – Uses RSTP for the internal state machine, but sends only 802.1D BPDUs. This creates one spanning tree instance for the entire network. If multiple VLANs are implemented on a network, the path between specific VLAN members may be inadvertently disabled to prevent network loops, thus isolating group members.
- Be careful when switching between spanning tree modes. Changing modes stops all spanning-tree instances for the previous mode and restarts the system in the new mode, temporarily disrupting user traffic.

Command Attributes

Basic Configuration of Global Settings
• Spanning Tree State – Enables/disables STA on this switch. (Default: Enabled)
• Spanning Tree Type – Specifies the type of spanning tree used on this switch:
  - STP: Spanning Tree Protocol (IEEE 802.1D); i.e.
reconfigure. All device ports (except for designated ports) should receive configuration messages at regular intervals. Any port that ages out STA information (provided in the last configuration message) becomes the designated port for the attached LAN. If it is a root port, a new root port is selected from among the device ports attached to the network. (References to “ports” in this section mean “interfaces,” which includes both ports and trunks.)
Configuration Settings for MSTP
• Max Instance Numbers – The maximum number of MSTP instances to which this switch can be assigned. (Default: 33)
• Configuration Digest – An MD5 signature key that contains the VLAN ID to MST ID mapping table. In other words, this key is a mapping of all VLANs to the CIST.
• Region Revision – The revision for this MSTI. (Range: 0-65535; Default: 0)
• Region Name – The name for this MSTI.
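As an added example that is not part of the manual, the following Python computes the Configuration Digest described above the way IEEE 802.1s (now 802.1Q clause 13.8) defines it: HMAC-MD5, with a fixed signature key, over the VLAN-to-MST-ID table of 4096 two-octet entries. Because two bridges join one MST Region only when Region Name, Region Revision and this digest all match, comparing digests (and, when they differ, the tables behind them) is the quickest way to find a VLAN mapped to different instances on two switches. The mapping dictionaries and the helper names are this example's own.

```python
import hashlib
import hmac

# Signature key fixed by IEEE 802.1s / 802.1Q for the MST Configuration Digest.
MST_SIGNATURE_KEY = bytes.fromhex("13AC06A62E47FD51F95D2BA243CD0346")
TABLE_ENTRIES = 4096  # one two-octet MSTID per VLAN ID 0..4095


def vlan_to_msti_table(mapping):
    """Build the MST Configuration Table from {msti: [vlan, ...]}.

    VLANs not listed stay on the CIST/IST, instance 0 (the switch default).
    Assigning one VLAN to two instances is rejected, since the Web and CLI
    pages only allow a VLAN to belong to one instance.
    """
    table = [0] * TABLE_ENTRIES
    for msti, vlans in mapping.items():
        if not 0 <= msti <= 4094:
            raise ValueError(f"MST ID {msti} outside 0-4094")
        for vlan in vlans:
            if not 1 <= vlan <= 4094:
                raise ValueError(f"VLAN ID {vlan} outside 1-4094")
            if table[vlan] not in (0, msti):
                raise ValueError(f"VLAN {vlan} mapped to both MSTI {table[vlan]} and {msti}")
            table[vlan] = msti
    return table


def configuration_digest(mapping):
    """HMAC-MD5 over the 8192-byte big-endian table, as an upper-case hex string."""
    table = vlan_to_msti_table(mapping)
    data = b"".join(entry.to_bytes(2, "big") for entry in table)
    return hmac.new(MST_SIGNATURE_KEY, data, hashlib.md5).hexdigest().upper()


def same_region(name_a, rev_a, map_a, name_b, rev_b, map_b):
    """True if two bridges would form one MST Region: name, revision and digest all equal."""
    return (name_a, rev_a, configuration_digest(map_a)) == \
           (name_b, rev_b, configuration_digest(map_b))


def mismatched_vlans(map_a, map_b):
    """VLANs whose MST ID differs between two mappings: the usual reason digests differ."""
    table_a, table_b = vlan_to_msti_table(map_a), vlan_to_msti_table(map_b)
    return [vid for vid in range(1, 4095) if table_a[vid] != table_b[vid]]


if __name__ == "__main__":
    print("default digest (all VLANs on the CIST):", configuration_digest({}))
    print("VLANs 1-5 in MSTI 1:", configuration_digest({1: range(1, 6)}))
```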
Web – Click Spanning Tree, STA, Configuration. Modify the required attributes, and click Apply.
DISPLAYING INTERFACE SETTINGS

CLI – This example enables Spanning Tree Protocol, sets the mode to MST, and then configures the STA and MSTP parameters.
  - If two ports of a switch are connected to the same segment and there is no other STA device attached to this segment, the port with the smaller ID forwards packets and the other is discarding.
  - All ports are discarding when the switch is booted, then some of them change state to learning, and then to forwarding.
• Forward Transitions – The number of times this port has transitioned from the Learning state to the Forwarding state.
• Trunk Member – Indicates if a port is a member of a trunk. (STA Port Information only)

These additional parameters are only displayed for the CLI:
• Admin status – Shows if this interface is enabled.
• External path cost – The path cost for the IST. This parameter is used by the STA to determine the best path between devices. Therefore, lower values should be assigned to ports attached to faster media, and higher values assigned to ports with slower media.
loops. Where more than one port is assigned the highest priority, the port with the lowest numeric identifier will be enabled.
• Designated root – The priority and MAC address of the device in the Spanning Tree that this switch has accepted as the root device.
• Fast forwarding – This field provides the same information as Admin Edge port, and is only included for backward compatibility with earlier products.
CLI – This example shows the STA attributes for port 5.

    Console#show spanning-tree ethernet 1/5
    Eth 1/ 5 information
    -------------------------------------------------------------
    Admin Status: Enabled
    Role: Disabled
    State: Discarding
    External Admin Path Cost: 100000
    Internal Admin Path Cost: 100000
    External Oper Path Cost: 100000
    Internal Oper Path Cost: 100000
    Priority: 128
    Designated Cost: 0
    Designated Port: 128.1
    Designated Root: 32768.0.
Configuring Interface Settings

You can configure RSTP and MSTP attributes for specific interfaces, including port priority, path cost, link type, and edge port. You may use a different priority or path cost for ports of the same media type to indicate the preferred path, link type to indicate a point-to-point connection or shared-media connection, and edge port to indicate if the attached device can support fast forwarding.
loops. Where more than one port is assigned the highest priority, the port with the lowest numeric identifier will be enabled.
  - Default: 128
  - Range: 0-240, in steps of 16
• Admin Path Cost – This parameter is used by the STA to determine the best path between devices. Therefore, lower values should be assigned to ports attached to faster media, and higher values assigned to ports with slower media. (Path cost takes precedence over port priority.
• Admin Link Type – The link type attached to this interface.
  - Point-to-Point – A connection to exactly one other bridge.
  - Shared – A connection to two or more bridges.
  - Auto – The switch automatically determines if the interface is attached to a point-to-point link or to shared media. (This is the default setting.)
• Admin Edge Port (Fast Forwarding) – You can enable this option if an interface is attached to a LAN segment that is at the end of a bridged LAN or to an end node.
Web – Click Spanning Tree, STA, Port Configuration or Trunk Configuration. Modify the required attributes, then click Apply.

Figure 12-4 STA Port Configuration

CLI – This example sets STA attributes for port 7.
Configuring Multiple Spanning Trees

MSTP generates a unique spanning tree for each instance. This provides multiple pathways across the network, thereby balancing the traffic load, preventing wide-scale disruption when a bridge node in a single instance fails, and allowing for faster convergence of a new topology for the failed instance. By default all VLANs are assigned to the Internal Spanning Tree (MST Instance 0) that connects all bridges and LANs within the MST region.
CONFIGURING MULTIPLE SPANNING TREES • VLANs in MST Instance – VLANs assigned this instance. • MST ID – Instance identifier to configure. (Range: 0-4094; Default: 0) • VLAN ID – VLAN to assign to this selected MST instance. (Range: 1-4093) The other global attributes are described under “Displaying Global Settings,” page 12-4. The attributes displayed by the CLI for individual interfaces are described under “Displaying Interface Settings,” page 12-13 Web – Click Spanning Tree, MSTP, VLAN Configuration.
SPANNING TREE ALGORITHM CLI – This displays STA settings for instance 1, followed by settings for each port. Console#show spanning-tree mst 1 31-25 Spanning-tree information --------------------------------------------------------------Spanning Tree Mode: MSTP Spanning Tree Enabled/Disabled: Enabled Instance: 1 VLANs Configuration: 1 Priority: 32768 Bridge Hello Time (sec.): 2 Bridge Max Age (sec.): 20 Bridge Forward Delay (sec.): 15 Root Hello Time (sec.): 2 Root Max Age (sec.): 20 Root Forward Delay (sec.
CLI – This example sets the priority for MSTI 1, and adds VLANs 1-5 to this MSTI.

  Console(config)#spanning-tree mst-configuration
  Console(config-mst)#mst 1 priority 4096
  Console(config-mst)#mst 1 vlan 1-5
  Console(config-mst)#

Displaying Interface Settings for MSTP

The MSTP Port Information and MSTP Trunk Information pages display the current status of ports and trunks in the selected MST instance.

CLI – This displays STA settings for instance 0, followed by settings for each port. The settings for instance 0 are global settings that apply to the IST (page 12-4); the settings for other instances only apply to the local spanning tree.
Configuring Interface Settings for MSTP

You can configure the STA interface settings for an MST Instance using the MSTP Port Configuration and MSTP Trunk Configuration pages.

Field Attributes

The following attributes are read-only and cannot be changed:
• STA State – Displays current state of this port within the Spanning Tree. (See Displaying Interface Settings on page 12-13 for additional information.
• Admin MST Path Cost – This parameter is used by the MSTP to determine the best path between devices. Therefore, lower values should be assigned to ports attached to faster media, and higher values assigned to ports with slower media. (Path cost takes precedence over port priority.

Web – Click Spanning Tree, MSTP, Port Configuration or Trunk Configuration. Enter the priority and path cost for an interface, and click Apply.

Figure 12-7 MSTP Port Configuration

CLI – This example sets the MSTP attributes for port 4.
CHAPTER 13 VLAN CONFIGURATION

Selecting the VLAN Operation Mode

The system can be configured to operate in normal mode or in one of the tunneling modes used for passing Layer 2 traffic across a service provider’s metropolitan area network, including IEEE 802.1Q tunneling (QinQ) or static VLAN tag swapping (VLAN Swap).

Command Attributes
• Normal – The switch functions in normal operating mode. This is the default operating mode, and the switch should be placed in this mode when using standard IEEE 802.

Web – Click VLAN, System Mode. Select the required mode, click Apply.

Figure 13-1 Selecting the System Mode

CLI – This example sets the switch to operate in QinQ mode.

  Console(config)#system mode qinq
  Console(config)#

IEEE 802.1Q VLANs

In large networks, routers are used to isolate broadcast traffic for each subnet into separate domains. This switch provides a similar service at Layer 2 by using VLANs to organize any group of network nodes into separate broadcast domains.

VLANs provide greater network efficiency by reducing broadcast traffic, and allow you to make network changes without having to update IP addresses or IP subnets. VLANs also provide a degree of isolation, since traffic must pass through a configured Layer 3 link to reach a different VLAN; how strong a security boundary this is depends on the port membership, PVID, and ingress filtering settings described later in this chapter. This switch supports the following VLAN features:
• Up to 255 VLANs based on the IEEE 802.
VLAN Classification – When the switch receives a frame, it classifies the frame in one of two ways. If the frame is untagged, the switch assigns the frame to an associated VLAN (based on the default VLAN ID of the receiving port). But if the frame is tagged, the switch uses the tagged VLAN ID to identify the port broadcast domain of the frame.

forward the message to all other ports. When the message arrives at another switch that supports GVRP, it will also place the receiving port in the specified VLANs, and pass the message on to all other ports. VLAN requirements are propagated in this way throughout the network. This allows GVRP-compliant devices to be automatically configured for VLAN groups based solely on end-station requests.

switches, you should create a VLAN for that group and enable tagging on all ports. Ports can be assigned to multiple tagged or untagged VLANs. Each port on the switch is therefore capable of passing tagged or untagged frames. When forwarding a frame from this switch along a path that contains any VLAN-aware devices, the switch should include VLAN tags.

CLI – This example enables GVRP for the switch.

  Console(config)#bridge-ext gvrp
  Console(config)#

Displaying Basic VLAN Information

The VLAN Basic Information page displays basic information on the VLAN type supported by the switch.

Field Attributes
• VLAN Version Number – The VLAN version used by this switch as specified in the IEEE 802.1Q standard.
• Maximum VLAN ID – Maximum VLAN ID recognized by this switch.
CLI – Enter the following command.

  Console#show bridge-ext
  Max Support VLAN Numbers:               255
  Max Support VLAN ID:                    4094
  Extended Multicast Filtering Services:  No
  Static Entry Individual Port:           Yes
  VLAN Learning:                          IVL
  Configurable PVID Tagging:              Yes
  Local VLAN Capable:                     No
  Traffic Classes:                        Enabled
  Global GVRP Status:                     Disabled
  GMRP:                                   Disabled
  Console#

Displaying Current VLANs

The VLAN Current Table shows the current port members of each VLAN and whether or not the port supports VLAN tagging.

Web – Click VLAN, 802.1Q VLAN, Current Table. Select any ID from the scroll-down list.

Figure 13-4 VLAN Current Table

Command Attributes (CLI)
• VLAN – ID of configured VLAN (1-4094, no leading zeroes).
• Type – Shows how this VLAN was added to the switch.
- Dynamic: Automatically learned via GVRP.
- Static: Added as a static entry.
• Name – Name of the VLAN (1 to 32 characters).
• Status – Shows if this VLAN is enabled or disabled.
- Active: VLAN is operational.

CLI – Current VLAN information can be displayed with the following command.

  Console#show vlan id 1
  VLAN ID:              1
  Type:                 Static
  Name:                 DefaultVlan
  Status:               Active
  Ports/Port Channels:  Eth1/ 1(S) Eth1/ 2(S) Eth1/ 3(S) Eth1/ 4(S) Eth1/ 5(S)
                        Eth1/ 6(S) Eth1/ 7(S) Eth1/ 8(S) Eth1/ 9(S) Eth1/10(S)
                        Eth1/11(S) Eth1/12(S) Eth1/13(S) Eth1/14(S) Eth1/15(S)
                        Eth1/16(S) Eth1/17(S) Eth1/18(S) Eth1/19(S)
  Console#

Creating VLANs

Use the VLAN Static List to create or remove VLAN groups.

• Remove – Removes a VLAN group from the current list. If any port is assigned to this group as untagged, it will be reassigned to VLAN group 1 as untagged.

Web – Click VLAN, 802.1Q VLAN, Static List. To create a new VLAN, enter the VLAN ID and VLAN name, mark the Enable checkbox to activate the VLAN, and then click Add.

Figure 13-5 VLAN Static List - Creating VLANs

CLI – This example creates a new VLAN.
Adding Static Members to VLANs (VLAN Index)

Use the VLAN Static Table to configure port members for the selected VLAN index. Assign ports as tagged if they are connected to 802.1Q VLAN compliant devices, or untagged if they are not connected to any VLAN-aware devices. Or configure a port as forbidden to prevent the switch from automatically adding it to a VLAN via the GVRP protocol.

Notes: 1.

- Forbidden: Interface is forbidden from automatically joining the VLAN via GVRP. For more information, see “Automatic VLAN Registration” on page 13-4.
- None: Interface is not a member of the VLAN. Packets associated with this VLAN will not be transmitted by the interface.
• Trunk Member – Indicates if a port is a member of a trunk. To add a trunk to the selected VLAN, use the last table on the VLAN Static Table page.

Web – Click VLAN, 802.1Q VLAN, Static Table.

Adding Static Members to VLANs (Port Index)

Use the VLAN Static Membership by Port menu to assign VLAN groups to the selected interface as a tagged member.

Command Attributes
• Interface – Port or trunk identifier.
• Member – VLANs for which the selected interface is a tagged member.
• Non-Member – VLANs for which the selected interface is not a tagged member.

Web – Open VLAN, 802.1Q VLAN, Static Membership by Port. Select an interface from the scroll-down box (Port or Trunk).
Configuring VLAN Behavior for Interfaces

You can configure VLAN behavior for specific interfaces, including the default VLAN identifier (PVID), accepted frame types, ingress filtering, GVRP status, and GARP timers.

Command Usage
• GVRP – GARP VLAN Registration Protocol defines a way for switches to exchange VLAN information in order to automatically register VLAN members on interfaces across the network.

- If ingress filtering is disabled and a port receives frames tagged for VLANs for which it is not a member, these frames will be flooded to all other ports (except for those VLANs explicitly forbidden on this port).
- If ingress filtering is enabled and a port receives frames tagged for VLANs for which it is not a member, these frames will be discarded.
- Ingress filtering does not affect VLAN independent BPDU frames, such as GVRP or STP.

belonging to the port’s default VLAN (i.e., associated with the PVID) are also transmitted as tagged frames.
- Hybrid – Specifies a hybrid VLAN interface. The port may transmit tagged or untagged frames.
• Trunk Member – Indicates if a port is a member of a trunk. To add a trunk to the selected VLAN, use the last table on the VLAN Static Table page.

Web – Click VLAN, 802.1Q VLAN, Port Configuration or Trunk Configuration. Fill in the required settings for each interface, click Apply.
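The classification and ingress filtering rules above can be checked against a small model. The following Python is an added example, not part of the SMC guide or the switch firmware; the port names, PVIDs and VLAN memberships are constructed for illustration. For one ingress frame, `forward` returns which other ports transmit it and whether they do so tagged or untagged:

```python
# Model of 802.1Q ingress classification and egress tagging as described above.
# Added example, not SMC code: port names, VLAN numbers and the sample frames
# are constructed for illustration.
from dataclasses import dataclass, field


@dataclass
class Port:
    name: str
    pvid: int = 1                                # default VLAN for untagged ingress frames
    members: dict = field(default_factory=dict)  # vid -> "tagged" | "untagged" | "forbidden"
    ingress_filtering: bool = False              # switch default per this chapter
    acceptable_frames: str = "all"               # "all" or "tagged"


def classify(port, tag_vid):
    """VLAN classification for one ingress frame.

    tag_vid is the VID carried in the frame's 802.1Q tag, or None for an
    untagged frame.  Returns (vid, reason); vid is None when the frame is dropped.
    """
    if tag_vid is None:
        if port.acceptable_frames == "tagged":
            return None, "discarded: port accepts tagged frames only"
        return port.pvid, "untagged frame assigned to the port PVID"
    membership = port.members.get(tag_vid)
    if membership in ("tagged", "untagged"):
        return tag_vid, "tagged frame on a VLAN the port belongs to"
    if membership == "forbidden":
        return None, "discarded: VLAN explicitly forbidden on this port"
    if port.ingress_filtering:
        return None, "discarded: ingress filtering, port is not a member"
    # No ingress filtering: the frame is admitted although the port is not a member.
    return tag_vid, "admitted: ingress filtering disabled, port is not a member"


def egress_ports(vid, in_port, ports):
    """Ports that transmit a frame classified to vid, and whether they send it
    tagged or untagged.  Ports with membership None or forbidden do not transmit."""
    out = {}
    for port in ports:
        if port is in_port:
            continue
        membership = port.members.get(vid)
        if membership in ("tagged", "untagged"):
            out[port.name] = membership
    return out


def forward(in_port, tag_vid, ports):
    """Classify an ingress frame and return ({out_port: tagged|untagged}, reason)."""
    vid, reason = classify(in_port, tag_vid)
    if vid is None:
        return {}, reason
    return egress_ports(vid, in_port, ports), reason


def build_ports(filter_on_subscriber=False):
    """Constructed topology: a subscriber access port on VLAN 10, an uplink carrying
    VLANs 10 and 20 tagged, and a second subscriber port on VLAN 20 with VLAN 30
    forbidden (hypothetical port names)."""
    subscriber_a = Port("Eth1/1", pvid=10, members={10: "untagged"})
    uplink = Port("Eth1/17", pvid=1, members={1: "untagged", 10: "tagged", 20: "tagged"})
    subscriber_b = Port("Eth1/2", pvid=20, members={20: "untagged", 30: "forbidden"},
                        ingress_filtering=filter_on_subscriber)
    return subscriber_a, uplink, subscriber_b


def demo():
    a, uplink, b = build_ports(filter_on_subscriber=False)
    ports = (a, uplink, b)
    results = {
        "untagged from A": forward(a, None, ports),
        "VLAN 20 from uplink": forward(uplink, 20, ports),
        "VLAN 10 from B, no filtering": forward(b, 10, ports),
        "VLAN 30 from B (forbidden)": forward(b, 30, ports),
    }
    a, uplink, b = build_ports(filter_on_subscriber=True)
    results["VLAN 10 from B, filtering"] = forward(b, 10, (a, uplink, b))
    return results


if __name__ == "__main__":
    for label, (out, reason) in demo().items():
        print(f"{label:30s} -> {out or '(dropped)'}  [{reason}]")
```

Run as a script it prints each case. The last two cases are the reason ingress filtering matters on subscriber ports: with it disabled (the default), a frame tagged for VLAN 10 arriving on Eth1/2, which is not a member of VLAN 10, is still admitted and delivered to the VLAN 10 members; with it enabled the frame is discarded.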
Configuring Private VLANs

Private VLANs provide port-based security and isolation between ports within the assigned VLAN. Data traffic on downlink ports can only be forwarded to, and from, uplink ports. (Note that private VLANs and normal VLANs can exist simultaneously within the same switch.)

Enabling Private VLANs

Use the Private VLAN Status page to enable/disable the Private VLAN function.

Web – Click VLAN, Private VLAN, Status.

Configuring Uplink and Downlink Ports

Use the Private VLAN Link Status page to set ports as downlink or uplink ports. Ports designated as downlink ports cannot communicate with any other ports on the switch except for the uplink ports. Uplink ports can communicate with any other ports on the switch and with any designated downlink ports.

Web – Click VLAN, Private VLAN, Link Status. Mark the ports that will serve as uplinks and downlinks for the private VLAN, then click Apply.

Configuring Protocol-Based VLANs

The network devices required to support multiple protocols cannot be easily grouped into a common VLAN. This may require non-standard devices to pass traffic between different VLANs in order to encompass all the devices participating in a specific protocol. This kind of configuration deprives users of the basic benefits of VLANs, including security and easy accessibility.
Configuring Protocol Groups

Create a protocol group for one or more protocols.

Command Attributes
• Protocol Group ID – Group identifier of this protocol group. (Range: 1-2147483647)
• Frame Type – Frame type used by this protocol. (Options: Ethernet, RFC_1042, LLC_other)
• Protocol Type – The only option for the LLC_other frame type is IPX_raw. The options for all other frame types include: IP, ARP, and RARP.

Web – Click VLAN, Protocol VLAN, Configuration.

Mapping Protocols to VLANs

Map a protocol group to a VLAN for each interface that will participate in the group.

Command Usage
• When creating a protocol-based VLAN, only assign interfaces using this configuration screen. If you assign interfaces using any of the other VLAN menus such as the VLAN Static Table (page 13-12) or VLAN Static Membership by Port menu (page 13-14), these interfaces will admit traffic of any protocol type into the associated VLAN.

Web – Click VLAN, Protocol VLAN, Port Configuration. Select a port or trunk, enter a protocol group ID, the corresponding VLAN ID, and click Apply.

Figure 13-12 Protocol VLAN Port Configuration

CLI – The following maps the traffic entering Port 1 which matches the protocol type specified in protocol group 1 to VLAN 2.
Configuring IEEE 802.1Q Tunneling

IEEE 802.1Q Tunneling (QinQ) is designed for service providers carrying traffic for multiple customers across their networks. QinQ tunneling is used to maintain customer-specific VLAN and Layer 2 protocol configurations even when different customers use the same internal VLAN IDs.

be added to this SPVLAN. The uplink port can be added to multiple SPVLANs to carry inbound traffic for different customers onto the service provider’s network. When a double-tagged packet enters another trunk port in an intermediate or core switch in the service provider’s network, the outer tag is stripped for packet processing. When the packet exits another trunk port on the same core switch, the same SPVLAN tag is again added to the packet.

The ingress process does source and destination lookups. If both lookups are successful, the ingress process writes the packet to memory. Then the egress process transmits the packet. Packets entering a QinQ tunnel port are processed in the following manner:
1. New SPVLAN tags are added to all incoming packets, no matter how many tags they already have.

The ingress process does source and destination lookups. If both lookups are successful, the ingress process writes the packet to memory. Then the egress process transmits the packet. Packets entering a QinQ uplink port are processed in the following manner:
1. If incoming packets are untagged, the PVID VLAN native tag is added.
2.

8. If the egress port is an untagged member of the SPVLAN, the outer tag will be stripped. If it is a tagged member, the outgoing packet will have two tags.

Configuration Limitations for QinQ
• The native VLAN of uplink ports should not be used as the SPVLAN. If the SPVLAN is the uplink port's native VLAN, the uplink port must be an untagged member of the SPVLAN. Then the outer SPVLAN tag will be stripped when the packets are sent out.
4. Set the Tag Protocol Identifier (TPID) value of the tunnel port. This step is required if the attached client is using a nonstandard 2-byte ethertype to identify 802.1Q tagged frames. The standard ethertype value is 0x8100. (See “Adding an Interface to a QinQ Tunnel” on page 13-30.)
5. Configure the QinQ tunnel port to join the SPVLAN as an untagged member (see “Adding Static Members to VLANs (VLAN Index)” on page 13-12).
6.

Adding an Interface to a QinQ Tunnel

Follow the guidelines in the preceding section to set up a QinQ tunnel on the switch. Set the ingress port on the service provider’s network to dot1Q tunnel mode. Set the Tag Protocol Identifier (TPID) value of the tunnel port if the attached client is using a nonstandard 2-byte ethertype to identify 802.1Q tagged frames. Then specify whether or not to copy the priority bits from the inner VLAN tag to the outer VLAN tag.

necessary to support real-time services across the backbone network, then you may have to enable priority bit mapping from the inner to outer VLAN tag to ensure timely service.

Web – Click VLAN, 802.1Q Tunneling. Set the mode for the tunnel port to Dot1q-Tunnel, set the TPID if the client is using a non-standard ethertype to identify 802.1Q tagged frames, and specify whether or not to copy the priority bits from the inner VLAN tag to the outer tag. Then click Apply.

CLI – This example configures the switch to copy the priority bits from the inner to the outer VLAN tag, sets port 2 to tunnel mode, and sets the TPID used to identify 802.1Q tagged frames to 0x9100.
Configuring VLAN Swapping

QinQ tunneling uses double tagging to preserve the customer’s VLAN tags on traffic crossing the service provider’s network. However, if any switch in the path crossing the service provider’s network does not support this feature, then the local switches connected directly to the customer can be manually configured to swap the customer’s VLAN ID with the service provider’s VLAN ID.

General Configuration Guidelines for VLAN Swapping
1.

Field Attributes
• Entry Counts – The number of entries in the VLAN swapping table.
• VLAN Swap Table – Contains each entry in the VLAN swapping table.
• InPort – Port through which traffic is entering the switch. (Range: 1-18)
• OutPort – Port through which traffic is leaving the switch. (Range: 1-18)
• InVLAN – VLAN associated with the InPort. (Range: 1-4093)
• OutVLAN – VLAN associated with the OutPort. (Range: 1-4093)

Web – Click VLAN, VLAN Swap.

CLI – This example configures VLAN swapping for upstream traffic between port 1 and port 18, exchanging VLAN ID 1 for VLAN ID 3. It then sets VLAN swapping for downstream traffic to exchange VLAN ID 3 for VLAN ID 1.
CHAPTER 14 CLASS OF SERVICE

Class of Service (CoS) allows you to specify which data packets have greater precedence when traffic is buffered in the switch due to congestion. This switch supports CoS with eight priority queues for each port. Data packets in a port’s high-priority queue will be transmitted before those in the lower-priority queues. You can set the default priority for each interface, and configure the mapping of frame priority tags to the switch’s priority queues.

Command Attributes
• Default Priority – The priority that is assigned to untagged frames received on the specified interface. (Range: 0 - 7, Default: 0) (The CLI displays this information as “Priority for untagged traffic.”)
• Number of Egress Traffic Classes – The number of queue buffers provided for each port.

Web – Click Priority, Default Port Priority or Default Trunk Priority. Modify the default priority for any interface, then click Apply.

Figure 14-1 Default Port Priority

CLI – This example assigns a default priority of 5 to port 3.
The priority levels recommended in the IEEE 802.1p standard for various network applications are shown in the following table. However, you can map the priority levels to the switch’s output queues in any way that benefits application traffic for your own network.

Web – Click Priority, Traffic Classes. Assign priorities to the traffic classes (i.e., output queues), then click Apply.

Figure 14-2 Traffic Classes

CLI – The following example shows how to change the CoS assignments to a one-to-one mapping.

Selecting the Queue Mode

You can set the switch to service the queues based on a strict rule that requires all traffic in a higher priority queue to be processed before lower priority queues are serviced, Weighted Round-Robin (WRR) queuing that specifies a relative weight for each queue, or a combination of strict service for the high priority queues and weighted queuing for the remaining queues.

Web – Click Priority, Queue Mode. Select Strict or WRR, then click Apply.

Figure 14-3 Queue Mode

CLI – The following sets the queue mode to strict priority service mode.

  Console(config)#queue mode strict
  Console(config)#exit
  Console#show queue mode
  Queue mode: strict
  Console#

Setting the Service Weight for Traffic Classes

This switch uses the Weighted Round Robin (WRR) algorithm to determine the frequency at which it services each priority queue.
Command Attributes
• WRR Setting Table – Displays a list of weights for each traffic class (i.e., queue).
• Weight Value – Set a new weight for the selected traffic class. (Range: 0-15) Use queue weights 1-15 for queues allocated service time based on WRR. Queue weights must be configured in ascending order, assigning more weight to each higher numbered queue.

CLI – The following example shows how to assign WRR weights to priority queues 0-5, and strict priority to queues 6 and 7.

  Console(config)#interface ethernet 1/1
  Console(config-if)#queue bandwidth 1 3 5 7 9 11 0 0
  Console(config-if)#end
  Console#show queue bandwidth
  Information of Eth 1/1
   Queue ID   Weight
   --------   ------
        0        1
        1        3
        2        5
        3        7
        4        9
        5       11
        6        0
        7        0
  Information of Eth 1/2
   Queue ID   Weight
   .
   .
   .
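The three service modes (strict, WRR, and the hybrid of the CLI example) can be compared with a packet-level simulation. The following Python is an added example, not SMC code: the backlogs are constructed, the weights are those of the `queue bandwidth` example, and a weight of 0 marks a strict queue as in that example. `schedule` returns the queue served at each transmit opportunity:

```python
# Packet-level simulation of the strict / WRR / hybrid queue modes described
# above.  Added example, not SMC code: the backlogs are constructed, and the
# weight 0 = strict convention follows the CLI example (queues 6 and 7).

NUM_QUEUES = 8
MANUAL_WEIGHTS = [1, 3, 5, 7, 9, 11, 0, 0]   # the `queue bandwidth 1 3 5 7 9 11 0 0` example


def schedule(backlog, weights, slots):
    """Return the queue number served at each of `slots` transmit opportunities.

    backlog[q] is the number of packets waiting in queue q.  A queue with weight
    0 is served strictly: whenever any strict queue has a packet, the highest
    numbered one wins.  The remaining queues share the leftover slots by
    weighted round robin, each getting up to weights[q] packets per round.
    """
    backlog = list(backlog)
    strict = [q for q in range(NUM_QUEUES - 1, -1, -1) if weights[q] == 0]
    wrr = [q for q in range(NUM_QUEUES - 1, -1, -1) if weights[q] > 0]
    credits = {q: 0 for q in wrr}
    order = []
    while len(order) < slots:
        # Strict queues take precedence over everything else, highest queue first.
        queue = next((q for q in strict if backlog[q] > 0), None)
        if queue is None:
            ready = [q for q in wrr if credits[q] > 0 and backlog[q] > 0]
            if not ready:
                if not any(backlog[q] > 0 for q in wrr):
                    break                                     # nothing left to send
                credits = {q: weights[q] for q in wrr}        # start a new WRR round
                continue
            queue = ready[0]
            credits[queue] -= 1
        backlog[queue] -= 1
        order.append(queue)
    return order


def share(order):
    """Fraction of the transmit slots each queue received."""
    return {q: order.count(q) / len(order) for q in sorted(set(order))}


def strict_all():
    """Pure strict mode (`queue mode strict`): every queue has weight 0."""
    return [0] * NUM_QUEUES


def demo():
    results = {}
    # Hybrid: queues 6/7 drained first, then WRR order over queues 5..0.
    results["hybrid, two packets each"] = schedule([2] * NUM_QUEUES, MANUAL_WEIGHTS, 10)
    # A busy strict queue starves the WRR queues completely.
    results["strict starvation"] = share(schedule([1, 1, 1, 1, 1, 1, 1, 100], MANUAL_WEIGHTS, 20))
    # Two backlogged WRR queues split the link in proportion to their weights.
    results["wrr split 11:1"] = share(schedule([50, 0, 0, 0, 0, 50, 0, 0], MANUAL_WEIGHTS, 24))
    results["strict mode order"] = schedule([1] * NUM_QUEUES, strict_all(), NUM_QUEUES)
    return results


if __name__ == "__main__":
    for label, value in demo().items():
        print(f"{label:28s} {value}")
```

The `strict starvation` case is the operational caveat for hybrid mode: a strict queue with a continuous backlog takes every slot, so the strict queues should carry only traffic whose volume is bounded. The `wrr split 11:1` case shows two backlogged WRR queues sharing the link in the ratio of their weights (22 of 24 slots go to queue 5).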
Selecting IP Precedence/DSCP Priority

The switch allows you to choose between using IP Precedence or DSCP priority. Select one of the methods or disable this feature.

Command Attributes
• Disabled – Disables both priority services. (This is the default setting.)
• IP Precedence – Maps layer 3/4 priorities using IP Precedence.
• IP DSCP – Maps layer 3/4 priorities using Differentiated Services Code Point Mapping.

Web – Click Priority, IP Precedence/DSCP Priority Status.

Mapping IP Precedence

The Type of Service (ToS) octet in the IPv4 header includes three precedence bits defining eight different priority levels ranging from highest priority for network control packets to lowest priority for routine traffic. The default IP Precedence values are mapped one-to-one to Class of Service values (i.e., Precedence value 0 maps to CoS value 0, and so forth). Precedence values 6 and 7 are reserved for network control, and the other values for various application types.

Web – Click Priority, IP Precedence Priority. Select an entry from the IP Precedence Priority Table, enter a value in the Class of Service Value field, and then click Apply.

Figure 14-6 IP Precedence Priority

CLI – The following example globally enables IP Precedence service on the switch, maps IP Precedence value 1 to CoS value 0 (on port 1), and then displays the IP Precedence settings.

Mapping DSCP Priority

The DSCP is six bits wide, allowing coding for up to 64 different forwarding behaviors. The DSCP replaces the ToS bits, but it retains backward compatibility with the three precedence bits so that non-DSCP compliant, ToS-enabled devices will not conflict with the DSCP mapping. Based on network policies, different kinds of traffic can be marked for different kinds of forwarding. The DSCP default values are defined in the following table.
Web – Click Priority, IP DSCP Priority. Select an entry from the DSCP table, enter a value in the Class of Service Value field, then click Apply.

Figure 14-7 IP DSCP Priority

CLI – The following example globally enables DSCP Priority service on the switch, maps DSCP value 0 to CoS value 1 (on port 1), and then displays the DSCP Priority settings.

Mapping IPv6 Traffic Classes

The Traffic Class field in the IPv6 header may be used by originating nodes and/or forwarding routers to identify and distinguish between different classes or priorities for IPv6 packets. (See RFC 2460.)

Command Usage
Nodes that support a specific use of some or all of the IPv6 traffic class bits are permitted to change the value of those bits in packets that they originate, forward, or receive, as required for that specific use.

CLI – The following example maps the Traffic Class value of 1 to CoS value 0.

  Console(config)#priority ipv6 1 0
  Console(config)#end
  Console#show priority
  CPU TX Priority 0
  PORT  Traffic-Class  Priority
     1              1         0
  Console#

Mapping IP Port Priority

You can also map network applications to Class of Service values based on the IP port number (i.e., TCP/UDP port number) in the frame header. Some of the more common TCP service ports include: HTTP: 80, FTP: 21, Telnet: 23 and POP3: 110.

Web – Click Priority, IP Port Priority. Enter the port number for a network application in the IP Port Number box and the new CoS value in the Class of Service box, and then click Apply.

Figure 14-10 IP Port Priority

CLI – The following example globally enables IP Port Priority service on the switch, maps HTTP traffic (on port 1) to CoS value 0, and then displays the IP Port Priority settings.
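The field extraction behind the three Layer 3 mappings above (IP Precedence, DSCP, IPv6 Traffic Class) and the IP port priority mapping is shown in the following Python, an added example that is not SMC code. The packets are constructed; the precedence map is the one-to-one default stated above, the IPv6 entry is the one from the `priority ipv6 1 0` example, the IP port map is constructed, and the default DSCP map (CoS = the upper three DSCP bits, the class-selector value that keeps DSCP backward compatible with precedence) is an assumption, because the guide's default DSCP table is not reproduced on this page. The guide does not state how a Layer 3 and a Layer 4 mapping combine, so the model returns them separately:

```python
# Extraction of the Layer 3/4 fields the switch maps to CoS: the three IP
# Precedence bits and six DSCP bits of the IPv4 ToS octet, the IPv6 Traffic
# Class field, and the TCP/UDP destination port.  Added example, not SMC code.
# The packets are constructed, and the default DSCP map (CoS = upper three DSCP
# bits, i.e. the class-selector value) is our assumption; the manual's default
# DSCP table is not reproduced on this page.
import struct

PRECEDENCE_TO_COS = {p: p for p in range(8)}   # manual default: one-to-one
DSCP_TO_COS = {d: d >> 3 for d in range(64)}   # assumption: class-selector bits
IPV6_TC_TO_COS = {1: 0}                        # from the `priority ipv6 1 0` example
PORT_TO_COS = {80: 0, 23: 7}                   # constructed IP port priority map


def ipv4_precedence(tos):
    return tos >> 5                              # top three bits of the ToS octet


def ipv4_dscp(tos):
    return tos >> 2                              # top six bits of the ToS octet


def ipv6_traffic_class(packet):
    (first_word,) = struct.unpack_from("!I", packet, 0)   # version(4) tc(8) flow(20)
    return (first_word >> 20) & 0xFF


def l4_dest_port(packet):
    """Destination port for TCP (6) or UDP (17) over IPv4, else None."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] not in (6, 17):
        return None
    (dport,) = struct.unpack_from("!H", packet, ihl + 2)
    return dport


def layer3_cos(packet, mode):
    """CoS from the Layer 3 header under the IP Precedence/DSCP Priority setting:
    mode is 'disabled', 'precedence' or 'dscp'.  IPv6 uses the Traffic Class map;
    returns None when the feature is disabled or the value is unmapped."""
    version = packet[0] >> 4
    if version == 6:
        return IPV6_TC_TO_COS.get(ipv6_traffic_class(packet))
    if version != 4 or mode == "disabled":
        return None
    tos = packet[1]
    if mode == "precedence":
        return PRECEDENCE_TO_COS[ipv4_precedence(tos)]
    if mode == "dscp":
        return DSCP_TO_COS[ipv4_dscp(tos)]
    raise ValueError(f"unknown mode {mode!r}")


def layer4_cos(packet, port_map=PORT_TO_COS):
    """CoS from the IP Port Priority map, or None if the port is unmapped."""
    return port_map.get(l4_dest_port(packet))


def make_ipv4(tos, proto=6, dport=80):
    """Constructed minimal IPv4 packet: 20-byte header plus 8 bytes of L4 header."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 28, 0, 0, 64, proto, 0,
                         bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return header + struct.pack("!HH", 40000, dport) + b"\x00" * 4


def make_ipv6(traffic_class):
    """Constructed IPv6 header with the given Traffic Class and no next header (59)."""
    first_word = (6 << 28) | (traffic_class << 20)
    return struct.pack("!IHBB", first_word, 0, 59, 64) + b"\x00" * 32


def demo():
    ef = make_ipv4(0xB8)                 # DSCP 46 (EF); precedence 5
    net_ctrl = make_ipv4(0xC0, 17, 123)  # precedence 6, UDP/123
    return {
        "EF precedence": layer3_cos(ef, "precedence"),
        "EF dscp": layer3_cos(ef, "dscp"),
        "EF disabled": layer3_cos(ef, "disabled"),
        "net ctrl precedence": layer3_cos(net_ctrl, "precedence"),
        "http port": layer4_cos(make_ipv4(0, 6, 80)),
        "telnet port": layer4_cos(make_ipv4(0, 6, 23)),
        "ntp port unmapped": layer4_cos(net_ctrl),
        "ipv6 tc 1": layer3_cos(make_ipv6(1), "dscp"),
        "ipv6 tc 7 unmapped": layer3_cos(make_ipv6(7), "dscp"),
    }


if __name__ == "__main__":
    for label, cos in demo().items():
        print(f"{label:22s} -> {cos}")
```

The `EF` packet illustrates the backward compatibility statement above: DSCP 46 and precedence 5 are different readings of the same ToS octet, so under these tables both modes place it in CoS 5.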
CHAPTER 15 QUALITY OF SERVICE

The commands described in this section are used to configure Quality of Service (QoS) classification criteria and service policies. Differentiated Services (DiffServ) provides policy-based management mechanisms used for prioritizing network resources to meet the requirements of specific traffic types on a per hop basis. Each packet is classified upon entry into the network based on access lists, IP Precedence, DSCP values, or VLAN lists.

Notes:
1. You can configure up to 16 rules per Class Map. You can also include multiple classes in a Policy Map.
2. You should create a Class Map before creating a Policy Map. Otherwise, you will not be able to select a Class Map from the Policy Rule Settings screen (see page 15-9).

Configuring Quality of Service Parameters

To create a service policy for a specific category of ingress traffic, follow these steps:
1.
Configuring a Class Map

A class map is used for matching packets to a specified class.

Command Usage
• To configure a Class Map, follow these steps:
- Open the Class Map page, and click Add Class.
- When the Class Configuration page opens, fill in the “Class Name” field, and click Add.

Settings” page. Enter the criteria used to classify ingress traffic on this web page.
• Remove Class – Removes the selected class.

Class Configuration
• Class Name – Name of the class map. (Range: 1-16 characters)
• Type – Only one match command is permitted per class map, so the match-any field refers to the criteria specified by the lone match command.
• Description – A brief description of a class map. (Range: 1-80 characters)
• Add – Adds the specified class.

Web – Click QoS, DiffServ, then click Add Class to create a new class, or Edit Rules to change the rules of an existing class.

Figure 15-1 Configuring Class Maps

CLI – This example creates a class map called “rd-class,” and sets it to match packets marked for DSCP service value 3.
Creating QoS Policies

This function creates a policy map that can be attached to multiple interfaces.

Command Usage
• To configure a Policy Map, follow these steps:
- Create a Class Map as described on page 15-3.
- Open the Policy Map page, and click Add Policy.
- When the Policy Configuration page opens, fill in the “Policy Name” field, and click Add.
- When the Policy Rule Settings page opens, select a class name from the scroll-down list (Class Name field).

Command Attributes

Policy Map
• Modify Name and Description – Configures the name and a brief description of a policy map. (Range: 1-16 characters for the name; 1-80 characters for the description)
• Edit Classes – Opens the “Policy Rule Settings” page for the selected class entry. Modify the criteria used to service ingress traffic on this page.
• Add Policy – Opens the “Policy Configuration” page.
• Remove Class – Deletes a class.

Policy Options
• Class Name – Name of class map.
• Action – Configures the service provided to ingress traffic by setting a CoS, DSCP, or IP Precedence value in a matching packet (as specified in Match Class Settings on page 15-3). (Range - CoS: 0-7, DSCP: 0-63, IP Precedence: 0-7)
• Meter – Check this to define the maximum throughput, burst rate, and the action that results from a policy violation.
- Rate (kbps) – Rate in kilobits per second.

Web – Click QoS, DiffServ, Policy Map to display the list of existing policy maps. To add a new policy map click Add Policy. To configure the policy rule settings click Edit Classes.
CLI – This example creates a policy map called “rd-policy,” sets the average bandwidth to 1 Mbps and the burst size to 1522 bytes, and sets the response to a violation to reduce the DSCP value of violating packets to 0.

Web – Click QoS, DiffServ, Service Policy Settings. Check Enabled and choose a Policy Map for a port from the scroll-down box, then click Apply.

Figure 15-3 Service Policy Settings

CLI – This example applies a service policy to an ingress interface.
CHAPTER 16 MULTICAST FILTERING

Multicasting is used to support real-time applications such as videoconferencing or streaming audio. A multicast server does not have to establish a separate connection with each client. It merely broadcasts its service to the network, and any hosts that want to receive the multicast register with their local multicast switch/router.

those ports only. It then propagates the service request up to any neighboring multicast switch/router to ensure that it will continue to receive the multicast service. The purpose of IP multicast filtering is to optimize a switched network’s performance, so multicast packets will only be forwarded to those ports containing multicast group hosts or multicast routers/switches, instead of flooding traffic to all ports in the subnet (VLAN).

is forwarded to the hosts from each of these sources. IGMPv3 hosts may also request that service be forwarded from all sources except for those specified. In this case, traffic is filtered from sources in the Exclude list, and forwarded from all other available sources.

Notes:
1. When the switch is configured to use IGMPv3 snooping, the snooping version may be downgraded to version 2 or version 1, depending on the version of the IGMP query packets detected on each VLAN.
2.
Configuring IGMP Snooping and Query Parameters

You can configure the switch to forward multicast traffic intelligently. Based on the IGMP query and report messages, the switch forwards traffic only to the ports that request multicast traffic. This prevents the switch from broadcasting the traffic to all ports and possibly disrupting network performance.

Command Attributes
• IGMP Status — When enabled, the switch will monitor network traffic to determine which hosts want to receive multicast traffic. This is also referred to as IGMP Snooping. (Default: Enabled)
• Act as IGMP Querier — When enabled, the switch can serve as the Querier, which is responsible for asking hosts if they want to receive multicast traffic.

Web – Click IGMP Snooping, IGMP Configuration. Adjust the IGMP settings as required, and then click Apply. (The default settings are shown below.)

Figure 16-1 IGMP Configuration

CLI – This example modifies the settings for multicast filtering, and then displays the current status.

Displaying Interfaces Attached to a Multicast Router

Multicast routers that are attached to ports on the switch use information obtained from IGMP, along with a multicast routing protocol such as DVMRP or PIM, to support IP multicasting across the Internet. These routers may be dynamically discovered by the switch or statically assigned to an interface on the switch.
CLI – This example shows that Port 11 has been statically configured as a port attached to a multicast router.
Console#show ip igmp snooping mrouter vlan 1
 VLAN M'cast Router Port  Type
 ---- ------------------  ------
    1 Eth 1/11            Static
Console#
Specifying Static Interfaces for a Multicast Router
Depending on your network connections, IGMP snooping may not always be able to locate the IGMP querier.
CLI – This example configures port 11 as a multicast router port within VLAN 1.
Console(config)#ip igmp snooping vlan 1 mrouter ethernet 1/11
Console(config)#exit
Console#show ip igmp snooping mrouter vlan 1
 VLAN M'cast Router Port  Type
 ---- ------------------  ------
    1 Eth 1/11            Static
Console#
Displaying Port Members of Multicast Services
You can display the port members associated with a specified VLAN and multicast service.
Web – Click IGMP Snooping, IP Multicast Registration Table. Select a VLAN ID and the IP address for a multicast service from the scroll-down lists. The switch will display all the interfaces that are propagating this multicast service.
Figure 16-4 IP Multicast Registration Table
CLI – This example displays all the known multicast services supported on VLAN 1, along with the ports propagating the corresponding services.
Assigning Ports to Multicast Services
Multicast filtering can be dynamically configured using IGMP Snooping and IGMP Query messages as described in “Configuring IGMP Snooping and Query Parameters” on page 16-4. For certain applications that require tighter control, you may need to statically configure a multicast service on the switch. First add all the ports attached to participating hosts to a common VLAN, and then assign the multicast service to that VLAN group.
Web – Click IGMP Snooping, IGMP Member Port Table. Specify the interface attached to a multicast service (via an IGMP-enabled switch or multicast router), indicate the VLAN that will propagate the multicast service, specify the multicast IP address, and click Add. After you have completed adding ports to the member list, click Apply.
Configuring Immediate Leave from Multicast Groups
The switch can be configured to immediately delete a member port of a multicast service if a leave packet is received at that port and the immediate-leave function is enabled for the parent VLAN.
Command Usage
• If immediate leave is not used, a multicast router (or querier) will send a group-specific query message when an IGMPv2/v3 group leave message is received.
Web – Click IGMP Snooping, IGMP Immediate Leave Table. Select the VLAN interface to configure, set the status for immediate leave, and click Apply.
Figure 16-6 IGMP Immediate Leave Table
CLI – This example enables immediate leave on VLAN 1.
IGMP FILTERING AND THROTTLING
IGMP throttling sets a maximum number of multicast groups that a port can join at the same time. When the maximum number of groups is reached on a port, the switch can take one of two actions: either “deny” or “replace.” If the action is set to deny, any new IGMP join reports will be dropped. If the action is set to replace, the switch randomly removes an existing group and replaces it with the new multicast group.
CLI – This example enables IGMP filtering and creates a profile number. It then displays the current status and the existing profile numbers.
• Current Multicast Address Range List – Lists multicast groups currently included in the profile. Select an entry and click the Remove button to delete it from the list.
Web – Click IGMP Snooping, IGMP Profile Group Configuration. Select the profile number you want to configure; then click Query to display the current settings. Specify the access mode for the profile and then add multicast groups to the profile list. Click Apply.
Configuring IGMP Filtering and Throttling for Interfaces
Once you have configured IGMP profiles, you can assign them to interfaces on the switch. Also, you can set the IGMP throttling number to limit the number of multicast groups an interface can join at the same time.
Command Usage
• Only one profile can be assigned to an interface.
• An IGMP profile or throttling setting can also be applied to a trunk interface.
Web – Click IGMP Snooping, IGMP Filter/Throttling Port Configuration or IGMP Filter/Throttling Trunk Configuration. Select a profile to assign to an interface, then set the throttling number and action. Click Apply.
Figure 16-9 IGMP Filter and Throttling Port Configuration
CLI – This example assigns IGMP profile number 19 to port 1, and then sets the throttling number and action. The current IGMP filtering and throttling settings for the interface are then displayed.
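The following Python model is an added example, not code from this manual or the switch firmware; it reproduces the profile and throttling rules described above (permit/deny access mode over address ranges, one profile per port, a maximum group count, and a deny or replace action). Class names, port names and the group addresses are constructed for the demonstration.

```python
"""Model of IGMP profile filtering and throttling on a switch port (added example)."""
import ipaddress
import random
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


@dataclass
class IgmpProfile:
    """An IGMP profile: an access mode plus a list of multicast address ranges."""
    number: int
    access_mode: str                                  # "permit" or "deny"
    ranges: List[Tuple[str, str]] = field(default_factory=list)   # (start, end) pairs

    def matches(self, group: str) -> bool:
        g = int(ipaddress.IPv4Address(group))
        return any(int(ipaddress.IPv4Address(lo)) <= g <= int(ipaddress.IPv4Address(hi))
                   for lo, hi in self.ranges)

    def allows(self, group: str) -> bool:
        """permit mode: only listed groups may be joined; deny mode: listed groups are blocked."""
        hit = self.matches(group)
        return hit if self.access_mode == "permit" else not hit


@dataclass
class IgmpPort:
    """A port with at most one profile, a throttling limit and a deny/replace action."""
    name: str
    profile: Optional[IgmpProfile] = None
    max_groups: Optional[int] = None                  # None = no throttling
    action: str = "deny"                              # "deny" or "replace"
    groups: Set[str] = field(default_factory=set)
    rng: random.Random = field(default_factory=random.Random)

    def join(self, group: str) -> str:
        """Process one join report; returns 'joined', 'filtered', 'throttled' or 'replaced'."""
        if group in self.groups:
            return "joined"                           # already a member, nothing changes
        if self.profile is not None and not self.profile.allows(group):
            return "filtered"                         # dropped by the assigned profile
        if self.max_groups is not None and len(self.groups) >= self.max_groups:
            if self.action == "deny":
                return "throttled"                    # the new join report is dropped
            # replace: an existing group is removed at random and the new one takes its place
            evicted = self.rng.choice(sorted(self.groups))
            self.groups.remove(evicted)
            self.groups.add(group)
            return "replaced"
        self.groups.add(group)
        return "joined"


def demo() -> dict:
    """Constructed scenario: profile 19 permits only 224.1.1.0-224.1.1.255; ports limited to 2 groups."""
    profile = IgmpProfile(19, "permit", [("224.1.1.0", "224.1.1.255")])
    deny_port = IgmpPort("eth1/1", profile, max_groups=2, action="deny")
    results = {
        "out_of_range": deny_port.join("239.1.1.1"),   # outside the permitted range
        "first": deny_port.join("224.1.1.10"),
        "second": deny_port.join("224.1.1.11"),
        "third_deny": deny_port.join("224.1.1.12"),    # limit reached, action deny
    }
    replace_port = IgmpPort("eth1/2", profile, max_groups=2, action="replace",
                            rng=random.Random(7))       # seeded so the demo is repeatable
    for g in ("224.1.1.10", "224.1.1.11"):
        replace_port.join(g)
    results["third_replace"] = replace_port.join("224.1.1.12")
    results["replace_groups"] = len(replace_port.groups)
    results["replace_has_new"] = "224.1.1.12" in replace_port.groups
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```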
Multicast VLAN Registration
Multicast VLAN Registration (MVR) is a protocol that controls access to a single network-wide VLAN most commonly used for transmitting multicast traffic (such as television channels or video-on-demand) across a service provider’s network. Any multicast traffic entering an MVR VLAN is sent to all attached subscribers.
General Configuration Guidelines for MVR
1. Enable MVR globally on the switch, select the MVR VLAN, and add the multicast groups that will stream traffic to attached hosts (see “Configuring Global MVR Settings” on page 16-21).
2. Set the interfaces that will join the MVR as source ports or receiver ports (see “Configuring MVR Interfaces” on page 16-26).
3.
Field Attributes
• MVR Domain – An independent multicast domain. (Range: 1-3; Default: 1)
• MVR Status – When MVR is enabled on the switch, any multicast data associated with an MVR group is sent from all designated source ports, and to all receiver ports that have registered to receive data from that multicast group. (Default: Disabled)
• MVR Running Status – Indicates whether or not all necessary conditions in the MVR environment are satisfied.
Web – Click MVR, Configuration. Select the MVR domain, enable MVR globally on the switch, select the MVR VLAN, add the multicast groups that will stream traffic to attached hosts, and then click Apply.
Figure 16-10 MVR Global Configuration
CLI – This example first enables IGMP snooping, enables MVR globally, and then configures a range of MVR group addresses.
Console(config)#ip igmp snooping
Console(config)#mvr
Console(config)#mvr group 228.1.23.
Displaying MVR Interface Status
You can display information about the interfaces attached to the MVR VLAN.
Field Attributes
• MVR Domain – An independent multicast domain.
• Type – Shows the MVR port type.
• Oper Status – Shows the link status.
• MVR Status – Shows the MVR status. MVR status for source ports is “ACTIVE” if MVR is globally enabled on the switch.
CLI – This example shows information about interfaces attached to the MVR VLAN.
Console#show mvr interface
=======================================================
MVR domain : 1
Port     Type      Status     Immediate Leave
-------  --------  ---------  ---------------
eth1/1   RECEIVER  ACTIVE/UP  Disable
eth1/18  SOURCE    ACTIVE/UP  Disable
. . .
Configuring MVR Interfaces
Each interface that participates in the MVR VLAN must be configured as an MVR source port or receiver port. If only one subscriber attached to an interface is receiving multicast services, you can enable the immediate leave function.
Command Usage
• MVR source ports and receiver ports can be members of more than one MVR domain. However, an interface cannot be a receiver port in one MVR domain and a source port in another domain.
- Using immediate leave can speed up leave latency, but should only be enabled on a port attached to one multicast subscriber to avoid disrupting services to other group members attached to the same interface.
- Immediate leave does not apply to multicast groups which have been statically assigned to a port.
- Immediate leave applies to all MVR domains.
Command Attributes
• MVR Domain – An independent multicast domain.
Web – Click MVR, Port Configuration or Trunk Configuration.
Figure 16-12 MVR Port Configuration
CLI – This example configures an MVR source port and receiver port, and then enables immediate leave on the receiver port.
Web – Click MVR, Group IP Information.
Figure 16-13 MVR Group IP Information
CLI – The following example shows information about the interfaces associated with multicast groups assigned to the MVR VLAN.
Console#show mvr members
MVR Group IP      Status
----------------  --------
225.0.0.1         ACTIVE
225.0.0.2         INACTIVE
225.0.0.3         INACTIVE
225.0.0.4         INACTIVE
225.0.0.5         INACTIVE
225.0.0.6         INACTIVE
225.0.0.7         INACTIVE
225.0.0.8         INACTIVE
225.0.0.9         INACTIVE
225.0.0.
Assigning Static Multicast Groups to Interfaces
For multicast streams that will run for a long term and be associated with a stable set of hosts, you can statically bind the multicast group to the participating interfaces.
Command Usage
• Any multicast groups that use the MVR VLAN must be statically assigned to it under the MVR Configuration menu (see “Configuring Global MVR Settings” on page 16-21).
• The IP address range from 224.0.0.0 to 239.255.255.255 is used for multicast streams.
Web – Click MVR, Group Member Configuration. Select a port or trunk from the “Interface” field, and click Query to display the assigned multicast groups. Select a multicast address from the displayed lists, and click the Add or Remove button to modify the Member list.
Figure 16-14 MVR Group Member Configuration
CLI – This example statically assigns a multicast group to a receiver port.
Console(config)#interface ethernet 1/2
Console(config-if)#mvr group 228.1.23.
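The validator below is an added example, not the switch's own code; it checks a constructed MVR configuration against the rules stated in “Configuring MVR Interfaces” and “Assigning Static Multicast Groups to Interfaces” above (domains 1-3, source or receiver role per domain, no receiver-in-one-domain/source-in-another conflict, static groups limited to configured MVR groups in the 224.0.0.0-239.255.255.255 range, immediate leave never removing a static group). Method and port names are hypothetical.

```python
"""Validator for MVR interface and static group rules (added example)."""
import ipaddress
from typing import Callable, Dict, Set, Tuple

MULTICAST_NET = ipaddress.IPv4Network("224.0.0.0/4")   # 224.0.0.0 - 239.255.255.255


class MvrConfig:
    def __init__(self) -> None:
        self.groups: Dict[int, Set[str]] = {}               # domain -> configured MVR groups
        self.roles: Dict[Tuple[str, int], str] = {}         # (port, domain) -> "source" | "receiver"
        self.static: Dict[Tuple[str, int], Set[str]] = {}   # (port, domain) -> static groups
        self.immediate_leave: Set[str] = set()              # applies to all domains of a port

    def mvr_group(self, domain: int, group: str) -> None:
        """Adds a group to an MVR domain; it must be a multicast address."""
        self._check_domain(domain)
        if ipaddress.IPv4Address(group) not in MULTICAST_NET:
            raise ValueError(f"{group} is not a multicast address")
        self.groups.setdefault(domain, set()).add(group)

    def mvr_type(self, port: str, domain: int, role: str) -> None:
        """Sets the port type in one domain; the same port may not hold both roles across domains."""
        self._check_domain(domain)
        if role not in ("source", "receiver"):
            raise ValueError("MVR port type must be source or receiver")
        for (p, d), existing in self.roles.items():
            if p == port and d != domain and existing != role:
                raise ValueError(f"{port} is already a {existing} port in domain {d}; "
                                 "a port cannot be receiver in one domain and source in another")
        self.roles[(port, domain)] = role

    def mvr_static_group(self, port: str, domain: int, group: str) -> None:
        """Statically binds a group to a receiver port; the group must already be an MVR group."""
        if self.roles.get((port, domain)) != "receiver":
            raise ValueError(f"{port} is not a receiver port in domain {domain}")
        if group not in self.groups.get(domain, set()):
            raise ValueError(f"{group} is not configured as an MVR group in domain {domain}")
        self.static.setdefault((port, domain), set()).add(group)

    def set_immediate_leave(self, port: str) -> None:
        """Immediate leave is meant for a receiver port serving a single subscriber."""
        if not any(p == port and r == "receiver" for (p, _), r in self.roles.items()):
            raise ValueError(f"{port} is not a receiver port in any domain")
        self.immediate_leave.add(port)

    def leave_is_immediate(self, port: str, domain: int, group: str) -> bool:
        """Statically assigned groups are never removed by immediate leave."""
        return port in self.immediate_leave and group not in self.static.get((port, domain), set())

    @staticmethod
    def _check_domain(domain: int) -> None:
        if not 1 <= domain <= 3:
            raise ValueError("MVR domain must be in the range 1-3")


def build_demo() -> MvrConfig:
    """Constructed configuration loosely mirroring the chapter's CLI examples (ports are illustrative)."""
    cfg = MvrConfig()
    for last in range(1, 3):                      # 228.1.23.1 and 228.1.23.2
        cfg.mvr_group(1, f"228.1.23.{last}")
    cfg.mvr_type("eth1/18", 1, "source")
    cfg.mvr_type("eth1/2", 1, "receiver")
    cfg.mvr_type("eth1/2", 2, "receiver")         # allowed: same role in a second domain
    cfg.mvr_static_group("eth1/2", 1, "228.1.23.1")
    cfg.set_immediate_leave("eth1/2")
    return cfg


def violates(cfg: MvrConfig, step: Callable, *args) -> bool:
    """True when a configuration step is rejected by the validator."""
    try:
        step(cfg, *args)
    except ValueError:
        return True
    return False
```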
CHAPTER 17 DOMAIN NAME SERVICE
The Domain Naming System (DNS) service on this switch allows host names to be mapped to IP addresses using static table entries or by redirection to other name servers on the network. When a client device designates this switch as a DNS server, the client will attempt to resolve host names into IP addresses by forwarding DNS queries to the switch, and waiting for a response.
• When more than one name server is specified, the servers are queried in the specified sequence until a response is received, or the end of the list is reached with no response.
• If all name servers are deleted, DNS will automatically be disabled. This is done by disabling the domain lookup status.
Command Attributes
• Domain Lookup Status – Enables DNS host name-to-address translation.
• Default Domain Name – Defines the default domain name appended to incomplete host names.
Web – Select DNS, General Configuration. Set the default domain name or list of domain names, specify one or more name servers to use for address resolution, enable domain lookup status, and click Apply.
CLI - This example sets a default domain name and a domain list. However, remember that if a domain list is specified, the default domain name is not used.
Console(config)#ip domain-name sample.com
Console(config)#ip domain-list sample.com.uk
Console(config)#ip domain-list sample.com.jp
Console(config)#ip name-server 192.168.1.55 10.1.0.55
Console(config)#ip domain-lookup
Console(config)#end
Console#show dns
Domain Lookup Status:
 DNS Enabled
Default Domain Name:
 sample.
Configuring Static DNS Host to Address Entries
Field Attributes
• Host Name – Name of a host device that is mapped to one or more IP addresses. (Range: 1-127 characters)
• IP Address – Internet address(es) associated with a host name. (Range: 1-8 addresses)
• Alias – Displays the host names that are mapped to the same address(es) as a previously configured entry.
Web – Select DNS, Static Host Table. Enter a host name and one or more corresponding addresses, then click Apply.
CLI - This example maps two addresses to a host name, and then configures an alias host name for the same addresses.
Console(config)#ip host rd5 192.168.1.55 10.1.0.55
Console(config)#end
Console#show hosts
Hostname
 rd5
Inet address
 192.168.1.55 10.1.0.55
Console#
Displaying the DNS Cache
You can display entries in the DNS cache that have been learned via the designated name servers.
Field Attributes
• No – The entry number for each resource record.
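The following Python client is an added example, not the switch's own implementation; it models the resolution rules this chapter states (static host entries with 1-8 addresses and aliases, a domain list that overrides the default domain name for incomplete names, and name servers queried in configured order until one responds, with answers cached). The host names, addresses and the fake name-server function are constructed for the demonstration.

```python
"""Model of the switch DNS client behaviour described in this chapter (added example)."""
from typing import Callable, Dict, List, Optional


class SwitchDnsClient:
    def __init__(self, default_domain: Optional[str] = None,
                 domain_list: Optional[List[str]] = None,
                 name_servers: Optional[List[str]] = None) -> None:
        self.default_domain = default_domain
        self.domain_list = list(domain_list or [])
        self.name_servers = list(name_servers or [])
        self.static_hosts: Dict[str, List[str]] = {}   # host name -> addresses (static table)
        self.cache: Dict[str, List[str]] = {}          # fqdn -> addresses learned from servers

    def ip_host(self, name: str, *addresses: str) -> None:
        """Static table entry with 1-8 addresses, like 'ip host rd5 192.168.1.55 10.1.0.55'."""
        if not 1 <= len(addresses) <= 8:
            raise ValueError("a static host entry needs 1 to 8 addresses")
        self.static_hosts[name.lower()] = list(addresses)

    def aliases(self, name: str) -> List[str]:
        """Other static names mapped to exactly the same address set (the Alias field)."""
        target = set(self.static_hosts.get(name.lower(), []))
        return sorted(n for n, a in self.static_hosts.items()
                      if n != name.lower() and target and set(a) == target)

    def candidates(self, name: str) -> List[str]:
        """Fully qualified names to try; a domain list, when present, replaces the default domain."""
        if "." in name:
            return [name]
        if self.domain_list:
            return [f"{name}.{d}" for d in self.domain_list]
        if self.default_domain:
            return [f"{name}.{self.default_domain}"]
        return [name]

    def resolve(self, name: str,
                query: Callable[[str, str], Optional[List[str]]]) -> Optional[List[str]]:
        """Static table first, then cache, then each name server in sequence until one responds."""
        key = name.lower()
        if key in self.static_hosts:
            return list(self.static_hosts[key])
        for fqdn in self.candidates(key):
            if fqdn in self.cache:
                return list(self.cache[fqdn])
            for server in self.name_servers:          # queried in the configured order
                answer = query(server, fqdn)
                if answer:                            # the first response ends the search
                    self.cache[fqdn] = list(answer)
                    return list(answer)
        return None


# Constructed name-server behaviour for the demo: only the second server knows one name.
FAKE_ZONES = {
    "10.1.0.55": {"www.sample.com.jp": ["192.0.2.10"]},
}


def fake_query(server: str, fqdn: str) -> Optional[List[str]]:
    """Stand-in for a real DNS query; returns None when the server has no record."""
    return FAKE_ZONES.get(server, {}).get(fqdn)


def build_demo_client() -> SwitchDnsClient:
    """Mirrors the chapter's CLI example: the domain list overrides sample.com; two name servers."""
    client = SwitchDnsClient(default_domain="sample.com",
                             domain_list=["sample.com.uk", "sample.com.jp"],
                             name_servers=["192.168.1.55", "10.1.0.55"])
    client.ip_host("rd5", "192.168.1.55", "10.1.0.55")
    client.ip_host("rd5-alias", "192.168.1.55", "10.1.0.55")   # same addresses: an alias of rd5
    return client
```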
Web – Select DNS, Cache.
Figure 17-3 DNS Cache
CLI - This example displays all the resource records learned from the designated name servers.
Console#show dns cache
NO  FLAG  TYPE   IP
0   4     CNAME  207.46.134.222
1   4     CNAME  207.46.134.190
2   4     CNAME  207.46.134.155
3   4     CNAME  207.46.249.222
4   4     CNAME  207.46.249.27
5   4     ALIAS  POINTER TO:4
6   4     CNAME  207.46.68.27
7   4     ALIAS  POINTER TO:6
8   4     CNAME  65.54.131.192
9   4     ALIAS  POINTER TO:8
10  4     CNAME  165.193.72.
Console#
SECTION III COMMAND LINE INTERFACE
This section provides a detailed description of the Command Line Interface, along with examples for all of the commands.
Overview of the Command Line Interface 18-1
General Commands 19-1
System Management Commands 20-1
SNMP Commands
IP Interface Commands
CHAPTER 18 OVERVIEW OF THE COMMAND LINE INTERFACE
This chapter describes how to use the Command Line Interface (CLI).
Using the Command Line Interface
Accessing the CLI
When accessing the management interface for the switch over a direct connection to the server’s console port, or via a Telnet connection, the switch can be managed by entering command keywords and parameters at the prompt. Using the switch's command-line interface (CLI) is very similar to entering commands on a UNIX system.
After connecting to the system through the console port, the login screen displays:
User Access Verification
Username: admin
Password:
 CLI session with the SMC7816M/VSW is opened.
 To end the CLI session, enter [Exit].
Console#
Telnet Connection
Telnet operates over the IP transport protocol. In this environment, your management station and any network device you want to manage over the network must have a valid IP address.
2. At the prompt, enter the user name and system password. The CLI will display the “Vty-n#” prompt for the administrator to show that you are using privileged access mode (i.e., Privileged Exec), or “Vty-n>” for the guest to show that you are using normal access mode (i.e., Normal Exec), where n indicates the number of the current Telnet session.
3. Enter the necessary commands to complete your desired tasks.
4. When finished, exit the session with the “quit” or “exit” command.
• To enter multiple commands, enter each command in the required order. For example, to enable Privileged Exec command mode, and display the startup configuration, enter:
Console>enable
Console#show startup-config
• To enter commands that require parameters, enter the required parameters after the command keyword.
Showing Commands
If you enter a “?” at the command prompt, the system will display the first level of keywords for the current command class (Normal Exec or Privileged Exec) or configuration class (Global, ACL, Interface, Line, or VLAN Database, or MSTP). You can also display a list of valid keywords for a specific command.
 sntp            SNTP
 spanning-tree   Specify spanning-tree
 ssh             Secure shell
 startup-config  The system configuration of starting up
 system          Information of system
 tacacs-server   Login by TACACS server
 users           Display information about terminal lines
 version         System hardware and software status
 vlan            Switch VLAN Virtual Interface
Console#show
The command “show interfaces ?” will display the following information:
Console#show interfaces ?
 counters  Information of interfaces counters
 efm       Ef
Using Command History
The CLI maintains a history of commands that have been entered. You can scroll back through the history of commands by pressing the up arrow key. Any command displayed in the history list can be executed again, or first modified and then executed. Using the show history command displays a longer list of recently executed commands.
Understanding Command Modes
The command set is divided into Exec and Configuration classes.
Exec Commands
When you open a new console session on the switch with the user name and password “guest,” the system enters the Normal Exec command mode (or guest mode), displaying the “Console>” command prompt. Only a limited number of the commands are available in this mode. You can access all commands only from the Privileged Exec command mode (or administrator mode). To access Privileged Exec mode, open a new console session with the user name and password “admin.
The configuration commands are organized into different modes:
• Global Configuration - These commands modify the system level configuration, and include commands such as hostname and snmp-server community.
• Access Control List Configuration - These commands are used for packet filtering.
• Class Map Configuration - Creates a DiffServ class map for a specified traffic type.
• Interface Configuration - These commands modify the port configuration such as speed-duplex and negotiation.
To enter the other modes, at the configuration prompt type one of the following commands. Use the exit or end command to return to the Privileged Exec mode.
For example, you can use the following commands to enter interface configuration mode, and then return to Global Configuration mode:
Console(config)#interface ethernet 1/5
. . .
Console(config-if)#exit
Console(config)#
Command Line Processing
Commands are not case sensitive. You can abbreviate commands and parameters as long as they contain enough letters to differentiate them from any other currently available commands or parameters.
Table 18-3 Keystroke Commands (Continued)
Keystroke – Function
Esc-F – Moves the cursor forward one word.
Delete key or backspace key – Erases a mistake when entering a command.
Command Groups
The system commands can be broken down into the functional groups shown below.
Table 18-4 Command Group Index (Continued)
Command Group – Description – Page
Interface – Configures the connection parameters for all Ethernet ports, aggregated links, and VLANs – 25-1
Link Aggregation – Statically groups multiple ports into a single logical trunk; configures Link Aggregation Control Protocol for port trunks – 26-1
Mirror Port – Mirrors data to another port for analysis without affecting the data passing through or the performance of the monitored port – 27-1
Rate Limit Control
The access mode shown in the following tables is indicated by these abbreviations:
ACL (Access Control List Configuration)
CM (Class Map Configuration)
NE (Normal Exec)
GC (Global Configuration)
IC (Interface Configuration)
IPC (IGMP Profile Configuration)
LC (Line Configuration)
MST (Multiple Spanning Tree)
PE (Privileged Exec)
PM (Policy Map Configuration)
VC (VLAN Database Configuration)
VLP (VDSL Line Profile)
VAP (VDSL Alarm Profile)
CHAPTER 19 GENERAL COMMANDS
These commands are used to control the command access mode, configuration mode, and other basic functions.
enable
This command activates Privileged Exec mode. In privileged mode, additional commands are available, and certain commands display additional information. See “Understanding Command Modes” on page 18-7.
Syntax
enable [level]
level - Privilege level to log into the device.
The device has two predefined privilege levels: 0: Normal Exec, 15: Privileged Exec. Enter level 15 to access Privileged Exec mode.
disable
This command returns to Normal Exec mode from privileged mode. In normal access mode, you can only display basic information on the switch's configuration or Ethernet statistics. To gain access to all commands, you must use the privileged mode. See “Understanding Command Modes” on page 18-7.
Default Setting
None
Command Mode
Privileged Exec
Command Usage
The “>” character is appended to the end of the prompt to indicate that the system is in normal access mode.
Example
Console#configure
Console(config)#
Related Commands
end (19-6)
show history
This command shows the contents of the command history buffer.
Default Setting
None
Command Mode
Normal Exec, Privileged Exec
Command Usage
The history buffer size is fixed at 10 Execution commands and 10 Configuration commands.
The ! command repeats commands from the Execution command history buffer when you are in Normal Exec or Privileged Exec Mode, and commands from the Configuration command history buffer when you are in any of the configuration modes. In this example, the !2 command repeats the second command in the Execution history buffer (config).
Console#!2
Console#config
Console(config)#
reload
This command restarts the system.
Note: When the system is restarted, it will always run the Power-On Self-Test.
prompt
This command customizes the CLI prompt. Use the no form to restore the default prompt.
Syntax
prompt string
no prompt
string - Any alphanumeric string to use for the CLI prompt. (Maximum length: 255 characters)
Default Setting
Console
Command Mode
Global Configuration
Example
Console(config)#prompt RD2
RD2(config)#
end
This command returns to Privileged Exec mode.
exit
This command returns to the previous configuration mode or exits the configuration program.
Default Setting
None
Command Mode
Any
Example
This example shows how to return to the Privileged Exec mode from the Global Configuration mode, and then quit the CLI session:
Console(config)#exit
Console#exit
Press ENTER to start session
User Access Verification
Username:
quit
This command exits the configuration program.
Example
This example shows how to quit a CLI session:
Console#quit
Press ENTER to start session
User Access Verification
Username:
CHAPTER 20 SYSTEM MANAGEMENT COMMANDS
These commands are used to control system logs, passwords, user names, management options, and display or configure a variety of other system information.
Device Designation Commands
This section describes commands used to configure information that uniquely identifies the switch.
Table 20-2 Device Designation Commands
Command – Function – Mode – Page
hostname – Specifies the host name for the switch – GC – 20-2
snmp-server contact – Sets the system contact string – GC – 21-5
snmp-server location – Sets the system location string – GC – 21-5
hostname
This command specifies or modifies the host name for this device.
System Status Commands
This section describes commands used to display system information.
This command displays settings for key command modes. Each mode group is separated by “!” symbols, and includes the configuration mode command, and corresponding commands.
Example
Console#show startup-config
building startup-config, please wait.....
!00
!01_00-20-1a-df-9c-a0_00
!
phymap 00-20-1a-df-9c-a0
!
SNTP server 0.0.0.0 0.0.0.0 0.0.0.
show running-config
This command displays the configuration information currently in use.
Command Mode
Privileged Exec
Command Usage
Use this command in conjunction with the show startup-config command to compare the information in running memory to the information stored in non-volatile memory. This command displays settings for key command modes. Each mode group is separated by “!” symbols, and includes the configuration mode command, and corresponding commands.
Example
Console#show running-config
building running-config, please wait.....
!00
!01_00-30-f1-d4-73-a0_00
!
phymap 00-30-f1-d4-73-a0
!
SNTP server 0.0.0.0 0.0.0.0 0.0.0.
Related Commands
show startup-config (20-3)
show system
This command displays system information.
Default Setting
None
Command Mode
Normal Exec, Privileged Exec
Command Usage
• For a description of the items shown by this command, refer to “Displaying System Information” on page 4-1.
• The POST results should all display “PASS.” If any POST test indicates “FAIL,” contact your distributor for assistance.
show users
Shows all active console and Telnet sessions, including user name, idle time, and IP address of Telnet client.
Default Setting
None
Command Mode
Normal Exec, Privileged Exec
Command Usage
The session used to execute this command is indicated by a “*” symbol next to the Line (i.e., session) index number.
show version
This command displays hardware and software version information for the system.
Command Mode
Normal Exec, Privileged Exec
Command Usage
See “Displaying Hardware/Software Versions” on page 4-7 for detailed information on the items displayed by this command.
Example
Console#show bme version
Firmware
 Firmware-VTU-O:1.0.5r11IK004010
 Time May 19 2006 18:16:42, RTOS Nucleus
 BME R:96
 AFE <0:b10> <1:b10>
 IFE <0:3.6> <1:3.6> <2:3.6> <3:3.6> <4:3.6> <5:3.6> <6:3.6> <7:3.
Table 20-5 show cpu utilization - display description
Field – Description
current utilization – Current percentage of CPU utilization
max utilization – Maximum statistical utilization over the past 10 seconds
avg utilization – Average statistical utilization since the system was booted
peak utilization – Peak utilization over the indicated period
peak begin – Time at which the duration of peak utilization began
peak during – Duration of peak utilization
rising threshold* – Rising t
Table 20-6 show memory status - display description
Field – Description
free list – The location and size of free system memory
current free – Amount of memory currently free for use
allocated – Amount of memory allocated to active processes
cumulative allocated – Amount of memory allocated since the system was booted
System Mode Commands
This section describes commands used to configure the switch to operate in normal mode or QinQ mode.
Default Setting
Normal operating mode
Command Mode
Global Configuration
Command Usage
Make sure that no dot1q-tunnel port is configured before exiting QinQ mode (see “switchport mode dot1q-tunnel” on page 32-27). If there are any dot1q-tunnel ports set on the switch, the no system mode command will fail.
Example
Console(config)#system mode qinq
Console(config)#
Related Commands
show system mode (20-14)
show system mode
This command displays the switch system mode.
Frame Size Commands
This section describes commands used to configure the Ethernet frame size on the switch.
Table 20-8 Frame Size Commands
Command – Function – Mode – Page
jumbo frame – Enables support for jumbo frames – GC – 20-15
jumbo frame
This command enables support for jumbo frames for Gigabit Ethernet ports. Use the no form to disable it.
Example
Console(config)#jumbo frame
Console(config)#
File Management Commands
Managing Firmware
Firmware can be uploaded and downloaded to or from a TFTP server. By saving runtime code to a file on a TFTP server, that file can later be downloaded to the switch to restore operation. The switch can also be set to use new firmware without overwriting the previous version.
Table 20-9 Flash/File Commands (Continued)
Command – Function – Mode – Page
whichboot – Displays the files booted – PE – 20-24
boot system – Specifies the file or image used to start up the system – GC – 20-25
copy
This command moves (upload/download) a code image or configuration file between the switch’s flash memory and a TFTP server.
settings will be set to default values when the system is rebooted using this file.
• firmware - Keyword that allows you to copy BME firmware used for upgrading CPEs to reserved buffer space in the switch. (BME indicates the Burst Mode Engine used for digital signal processing.)
Default Setting
None
Command Mode
Privileged Exec
Command Usage
• The system prompts for data required to complete the copy command.
• Use the partial-running-config keyword to copy basic settings for the IP configuration, SNMP community strings, and CLI user names and passwords to a startup configuration file. The system can then be reset using the parameters copied from the partial-running-config, and default settings for all other parameters.
The following example shows how to copy the running configuration to a startup file.
Console#copy running-config file
destination file name: startup
Write to FLASH Programming.
\Write to FLASH finish.
Success.
Console#
The following example shows how to download a configuration file:
Console#copy tftp startup-config
TFTP server ip address: 10.1.0.99
Source configuration file name: startup.01
Startup configuration file name [startup]:
Write to FLASH Programming.
This example shows how to copy a public key used by SSH from a TFTP server. Note that public key authentication via SSH is only supported for users configured locally on the switch.
Console#copy tftp public-key
TFTP server IP address: 192.168.1.19
Choose public key type:
 1. RSA: 2. DSA:
 <1-2>: 1
Source file name: steve.pub
Username: steve
TFTP Download
Success.
Write to FLASH Programming.
Success.
delete
This command deletes a file or image.
Syntax
delete filename
filename - Name of configuration file or code image.
Default Setting
None
Command Mode
Privileged Exec
Command Usage
• If the file type is used for system startup, then this file cannot be deleted.
• “Factory_Default_Config.cfg” cannot be deleted.
Example
This example shows how to delete the test2.cfg configuration file from flash memory.
Console#delete test2.
dir
This command displays a list of files in flash memory.
Syntax
dir {{boot-rom: | config: | opcode:} [filename]}
The type of file or image to display includes:
• boot-rom - Boot ROM (or diagnostic) image file.
• config - Switch configuration file.
• opcode - Run-time operation code image file.
• filename - Name of configuration file or code image. If this file exists but contains errors, information on this file cannot be shown.
Example
The following example shows how to display all file information:
Console#dir
File name                          File type        Startup  Size (byte)
---------------------------------  ---------------  -------  -----------
Unit1:
 SMC7816M_VSW_Diag_V3.2.1.0.bix    Boot-Rom Image   Y        1556680
 SMC7816M_VSW_Opcode_V3.2.2.5.bix  Operation Code   Y        4250428
 Factory_Default_Config.cfg        Config File      N        455
 startup1.
boot system
This command specifies the file or image used to start up the system.
Syntax
boot system {boot-rom | config | opcode}: filename
The type of file or image to set as a default includes:
• boot-rom* - Boot ROM.
• config* - Configuration file.
• opcode* - Run-time operation code.
• filename - Name of configuration file or code image.
* The colon (:) is required.
Line Commands
You can access the onboard configuration program by attaching a VT100 compatible device to the server’s serial port. These commands are used to set communication parameters for the serial port or Telnet (i.e., a virtual terminal).
line
This command identifies a specific line for configuration, so that subsequent line configuration commands are applied to it.
Syntax
line {console | vty}
• console - Console terminal line.
• vty - Virtual terminal for remote console access (i.e., Telnet).
Default Setting
There is no default line.
Command Mode
Global Configuration
Command Usage
Telnet is considered a virtual terminal connection and will be shown as “VTY” in screen displays such as show users.
login
This command enables password checking at login. Use the no form to disable password checking and allow connections without a password.
Syntax
login [local]
no login
local - Selects local password checking. Authentication is based on the user name specified with the username command.
Example
Console(config-line)#login local
Console(config-line)#
Related Commands
username (22-2)
password (20-29)

password
This command specifies the password for a line. Use the no form to remove the password.
Syntax
password {0 | 7} password
no password
• {0 | 7} - 0 means plain password, 7 means encrypted password
• password - Character string that specifies the line password. (Maximum length: 8 characters plain text, 32 encrypted, case sensitive)
Default Setting
No password is specified.
configuration file from a TFTP server. There is no need for you to manually configure encrypted passwords.
Example
Console(config-line)#password 0 secret
Console(config-line)#
Related Commands
login (20-28)
password-thresh (20-32)

timeout login response
This command sets the interval that the system waits for a user to log into the CLI. Use the no form to restore the default setting.
Example
To set the timeout to two minutes, enter this command:
Console(config-line)#timeout login response 120
Console(config-line)#

exec-timeout
This command sets the interval that the system waits until user input is detected. Use the no form to restore the default.
Syntax
exec-timeout [seconds]
no exec-timeout
seconds - Integer that specifies the timeout interval.
password-thresh
This command sets the password intrusion threshold, which limits the number of failed logon attempts. Use the no form to remove the threshold value.
Syntax
password-thresh [threshold]
no password-thresh
threshold - The number of allowed password attempts. (Range: 1-120; 0: no threshold)
Default Setting
The default value is three attempts.
silent-time
This command sets the amount of time the management console is inaccessible after the number of unsuccessful logon attempts exceeds the threshold set by the password-thresh command. Use the no form to remove the silent time value.
Syntax
silent-time [seconds]
no silent-time
seconds - The number of seconds to disable console response. (Range: 0-65535; 0: no silent-time)
Default Setting
The default value is no silent-time.
Default Setting
8 data bits per character
Command Mode
Line Configuration
Command Usage
The databits command can be used to mask the high bit on input from devices that generate 7 data bits with parity. If parity is being generated, specify 7 data bits per character. If no parity is required, specify 8 data bits per character.
Command Usage
Communication protocols provided by devices such as terminals and modems often require a specific parity bit setting.
Example
To specify no parity, enter this command:
Console(config-line)#parity none
Console(config-line)#

speed
This command sets the terminal line’s baud rate. This command sets both the transmit (to terminal) and receive (from terminal) speeds. Use the no form to restore the default setting.
Syntax
speed bps
no speed
bps - Baud rate in bits per second.
Example
To specify 57600 bps, enter this command:
Console(config-line)#speed 57600
Console(config-line)#

stopbits
This command sets the number of stop bits transmitted per byte. Use the no form to restore the default setting.
Command Usage
Specifying session identifier “0” will disconnect the console connection. Specifying any other identifier for an active session will disconnect an SSH or Telnet connection.
Example
Console#disconnect 1
Console#
Related Commands
show ssh (22-31)
show users (20-9)

show line
This command displays the terminal line’s parameters.
Syntax
show line [console | vty]
• console - Console terminal line.
• vty - Virtual terminal for remote console access (i.e., Telnet).
Example
To show all lines, enter this command:
Console#show line
Console configuration:
  Password threshold: 3 times
  Interactive timeout: Disabled
  Login timeout: Disabled
  Silent time: Disabled
  Baudrate: auto
  Databits: 8
  Parity: none
  Stopbits: 1
VTY configuration:
  Password threshold: 3 times
  Interactive timeout: 600 sec
  Login timeout: 300 sec
Console#
Event Logging Commands
This section describes commands used to configure event logging on the switch.
command to control the type of error messages that are stored in memory. You can use the logging trap command to control the type of error messages that are sent to specified syslog servers.
Example
Console(config)#logging on
Console(config)#
Related Commands
logging history (20-40)
logging trap (20-43)
clear log (20-44)

logging history
This command limits syslog messages saved to switch memory based on severity.
Table 20-13 Logging Levels (Continued)
Level  Severity Name  Description
4      warnings       Warning conditions (e.g., return false, unexpected return)
3      errors         Error conditions (e.g., invalid input, default used)
2      critical       Critical conditions (e.g., memory allocation, or free memory error - resource exhausted)
1      alerts         Immediate action needed
0      emergencies    System unusable
* There are only Level 2, 5 and 6 error messages for the current firmware release.
Command Mode
Global Configuration
Command Usage
• Use this command more than once to build up a list of host IP addresses.
• The maximum number of host IP addresses allowed is five.
Example
Console(config)#logging host 10.1.0.3
Console(config)#

logging facility
This command sets the facility type for remote logging of syslog messages. Use the no form to return the type to the default.
logging trap
This command enables the logging of system messages to a remote server, or limits the syslog messages saved to a remote server based on severity. Use this command without a specified level to enable remote logging. Use the no form to disable remote logging.
Syntax
logging trap [level]
no logging trap
level - One of the syslog severity levels listed in the table on page 20-40. Messages sent include the selected level up through level 0.
clear log
This command clears messages from the log buffer.
Syntax
clear log [flash | ram]
• flash - Event history stored in flash memory (i.e., permanent memory).
• ram - Event history stored in temporary RAM (i.e., memory flushed on power reset).
show logging
This command displays the configuration settings for logging messages to local switch memory, to an SMTP event handler, or to a remote syslog server.
Syntax
show logging {flash | ram | sendmail | trap}
• flash - Displays settings for storing event messages in flash memory (i.e., permanent memory).
• ram - Displays settings for storing event messages in temporary RAM (i.e., memory flushed on power reset).
Example
The following example shows that system logging is enabled, the message level for flash memory is “errors” (i.e., default level 3 - 0), and the message level for RAM is “debugging” (i.e., default level 7 - 0).
Table 20-15 show logging trap - display description (Continued)
Field                        Description
REMOTELOG level type         The severity threshold for syslog messages sent to a remote server as specified in the logging trap command.
REMOTELOG server IP address  The address of syslog servers as specified in the logging host command.
Related Commands
show logging sendmail (20-52)

show log
This command displays the log messages stored in local memory.
SMTP Alert Commands
These commands configure SMTP event handling, and forwarding of alert messages to the specified SMTP servers and email recipients.
• To send email alerts, the switch first opens a connection, sends all the email alerts waiting in the queue one by one, and finally closes the connection.
• To open a connection, the switch first selects the server that successfully sent mail during the last connection, or the first server configured by this command. If it fails to send mail, the switch selects the next server in the list and tries to send mail again.
logging sendmail source-email
This command sets the email address used for the “From” field in alert messages.
Syntax
logging sendmail source-email email-address
email-address - The source email address used in alert messages. (Range: 1-41 characters)
Default Setting
None
Command Mode
Global Configuration
Command Usage
You may use a symbolic email address that identifies the switch, or the address of an administrator responsible for the switch.
Command Usage
You can specify up to five recipients for alert messages. However, you must enter a separate command to specify each recipient.
Example
Console(config)#logging sendmail destination-email ted@this-company.com
Console(config)#

logging sendmail
This command enables SMTP event handling. Use the no form to disable this function.
show logging sendmail
This command displays the settings for the SMTP event handler.
Command Mode
Normal Exec, Privileged Exec
Example
Console#show logging sendmail
SMTP servers
----------------------------------------------
192.168.1.19
SMTP minimum severity level: 7
SMTP destination email addresses
----------------------------------------------
ted@this-company.com
SMTP source email address: bill@this-company.
Time Commands
The system clock can be dynamically set by polling a set of specified time servers (NTP or SNTP). Maintaining an accurate time on the switch enables the system log to record meaningful dates and times for event entries. If the clock is not set, the switch will only record the time from the factory default set at the last bootup.
Command Usage
• The time acquired from time servers is used to record accurate dates and times for log events. Without SNTP, the switch only records the time starting from the factory default set at the last bootup (i.e., 00:00:00, Jan. 1, 2001).
• This command enables client time requests to time servers specified via the sntp servers command. It issues time synchronization requests based on the interval set via the sntp poll command.
Example
Console(config)#sntp server 10.1.0.
Command Mode
Global Configuration
Command Usage
This command specifies time servers from which the switch will poll for time updates when set to SNTP client mode. The client will poll the time servers in the order specified until a response is received. It issues time synchronization requests based on the interval set via the sntp poll command.
Example
Console(config)#sntp server 10.1.0.
Related Commands
sntp client (20-53)

show sntp
This command displays the current time and configuration settings for the SNTP client, and indicates whether or not the local time has been properly updated.
Command Mode
Normal Exec, Privileged Exec
Command Usage
This command displays the current time, the poll interval used for sending time synchronization requests, and the current SNTP mode (i.e., unicast).
clock timezone
This command sets the time zone for the switch’s internal clock.
Syntax
clock timezone name hour hours minute minutes {before-utc | after-utc}
• name - Name of timezone, usually an acronym. (Range: 1-29 characters)
• hours - Number of hours before/after UTC. (Range: 0-13 hours)
• minutes - Number of minutes before/after UTC. (Range: 0-59 minutes)
• before-utc - Sets the local time zone before (east) of UTC.
• after-utc - Sets the local time zone after (west) of UTC.
calendar set
This command sets the system clock. It may be used if there is no time server on your network, or if you have not configured the switch to receive signals from a time server.
Syntax
calendar set hour min sec {day month year | month day year}
• hour - Hour in 24-hour format. (Range: 0 - 23)
• min - Minute. (Range: 0 - 59)
• sec - Second. (Range: 0 - 59)
• day - Day of month.
Example
Console#show calendar
15:12:34 February 1 2002
Console#
CHAPTER 21 SNMP COMMANDS
These commands control access to this switch from management stations using the Simple Network Management Protocol (SNMP), as well as the error types sent to trap managers. SNMP Version 3 also provides security features that cover message integrity, authentication, and encryption, as well as controlling user access to specific areas of the MIB tree.
Table 21-1 SNMP Commands (Continued)
Command                Function                                     Mode  Page
snmp-server engine-id  Sets the SNMP engine ID                      GC    21-10
show snmp engine-id    Shows the SNMP engine ID                     PE    21-12
snmp-server view       Adds an SNMP view                            GC    21-13
show snmp view         Shows the SNMP views                         PE    21-14
snmp-server group      Adds an SNMP group, mapping users to views   GC    21-15
show snmp group        Shows the SNMP groups                        PE    21-16
snmp-server user       Adds a user to an SNMP group                 GC    21-18
show snmp user         Shows the SNMP user
show snmp
This command can be used to check the status of SNMP communications.
Default Setting
None
Command Mode
Normal Exec, Privileged Exec
Command Usage
This command provides information on the community access strings, counter information for SNMP input and output protocol data units, and whether or not SNMP logging has been enabled with the snmp-server enable traps command.
snmp-server community
This command defines the SNMP v1 and v2c community access string. Use the no form to remove the specified community string.
Syntax
snmp-server community string [ro|rw]
no snmp-server community string
• string - Community string that acts like a password and permits access to the SNMP protocol. (Maximum length: 32 characters, case sensitive; Maximum number of strings: 5)
• ro - Specifies read-only access.
snmp-server contact
This command sets the system contact string. Use the no form to remove the system contact information.
Syntax
snmp-server contact string
no snmp-server contact
string - String that describes the system contact information.
Command Mode
Global Configuration
Example
Console(config)#snmp-server location WC-19
Console(config)#
Related Commands
snmp-server contact (21-5)

snmp-server host
This command specifies the recipient of a Simple Network Management Protocol notification operation. Use the no form to remove the specified host.
community command prior to using the snmp-server host command. (Maximum length: 32 characters)
• version - Specifies whether to send notifications as SNMP Version 1, 2c or 3 traps. (Range: 1, 2c, 3; Default: 1)
  - auth | noauth | priv - This group uses SNMPv3 with authentication, no authentication, or with authentication and privacy. See “Simple Network Management Protocol” on page 5-1 for further information about these authentication and encryption options.
• port - Host UDP port to use.
• Notifications are issued by the switch as trap messages by default. The recipient of a trap message does not send a response to the switch. Traps are therefore not as reliable as inform messages, which include a request for acknowledgement of receipt. Informs can be used to ensure that critical information is received by the host. However, note that informs consume more system resources because they must be kept in memory until a response is received. Informs also add to network traffic.
user command. Otherwise, the authentication password and/or privacy password will not exist, and the switch will not authorize SNMP access for the host. However, if you specify a V3 host with the “noauth” option, an SNMP user account will be generated, and the switch will authorize SNMP access for the host.
Example
Console(config)#snmp-server host 10.1.19.
notifications are enabled. If you enter the command with a keyword, only the notification type related to that keyword is enabled.
• The snmp-server enable traps command is used in conjunction with the snmp-server host command. Use the snmp-server host command to specify which host or hosts receive SNMP notifications. In order to send notifications, you must configure at least one snmp-server host command.
Command Mode
Global Configuration
Command Usage
• An SNMP engine is an independent SNMP agent that resides either on this switch or on a remote device. This engine protects against message replay, delay, and redirection. The engine ID is also used in combination with user passwords to generate the security keys for authenticating and encrypting SNMPv3 packets.
• A remote engine ID is required when using SNMPv3 informs. (See snmp-server host on page 21-6.
show snmp engine-id
This command shows the SNMP engine ID.
Command Mode
Privileged Exec
Example
This example shows the default engine ID.
Console#show snmp engine-id
Local SNMP engineID: 8000002a8000000000e8666672
Local SNMP engineBoots: 1
Remote SNMP engineID          IP address
80000000030004e2b316c54321    192.168.1.19
Console#
Table 21-2 show snmp engine-id - display description
Field                Description
Local SNMP engineID  String identifying the engine ID.
snmp-server view
This command adds an SNMP view which controls user access to the MIB. Use the no form to remove an SNMP view.
Syntax
snmp-server view view-name oid-tree {included | excluded}
no snmp-server view view-name
• view-name - Name of an SNMP view. (Range: 1-64 characters)
• oid-tree - Object identifier of a branch within the MIB tree. Wild cards can be used to mask a specific portion of the OID string. (Refer to the examples.)
• included - Defines an included view.
This view includes the MIB-2 interfaces table, and the mask selects all index entries.
Console(config)#snmp-server view ifEntry.a 1.3.6.1.2.1.2.2.1.1.* included
Console(config)#

show snmp view
This command shows information on the SNMP views.
Command Mode
Privileged Exec
Example
Console#show snmp view
View Name: mib-2
Subtree OID: 1.2.2.3.6.2.
snmp-server group
This command adds an SNMP group, mapping SNMP users to SNMP views. Use the no form to remove an SNMP group.
Syntax
snmp-server group groupname {v1 | v2c | v3 {auth | noauth | priv}} [read readview] [write writeview] [notify notifyview]
no snmp-server group groupname
• groupname - Name of an SNMP group. (Range: 1-32 characters)
• v1 | v2c | v3 - Use SNMP version 1, 2c or 3.
• For additional information on the notification messages supported by this switch, see Table 5-2, “Supported Notification Messages,” on page 5-19. Also, note that the authentication, link-up and link-down messages are legacy traps and must therefore be enabled in conjunction with the snmp-server enable traps command (page 21-9).
Group Name: public
Security Model: v2c
Read View: defaultview
Write View: none
Notify View: none
Storage Type: volatile
Row Status: active

Group Name: private
Security Model: v1
Read View: defaultview
Write View: defaultview
Notify View: none
Storage Type: volatile
Row Status: active

Group Name: private
Security Model: v2c
Read View: defaultview
Write View: defaultview
Notify View: none
Storage Type: volatile
Row Status: active
Console#
Table 21-4 show snmp group - display description
Field
snmp-server user
This command adds a user to an SNMP group, restricting the user to a specific SNMP Read, Write, or Notify View. Use the no form to remove a user from an SNMP group.
Syntax
snmp-server user username groupname [remote ip-address] {v1 | v2c | v3 [encrypted] [auth {md5 | sha} auth-password [priv des56 priv-password]]}
no snmp-server user username {v1 | v2c | v3 | remote}
• username - Name of user connecting to the SNMP agent.
Command Usage
• The SNMP engine ID is used to compute the authentication/privacy digests from the password. You should therefore configure the engine ID with the snmp-server engine-id command before using this configuration command.
• Before you configure a remote user, use the snmp-server engine-id command (page 21-10) to specify the engine ID for the remote device where the user resides.
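The two Command Usage notes above (and the snmp-server engine-id usage on the previous page) describe the standard RFC 3414 key derivation, in which the engine ID is mixed into the key made from the password. The following is an added example, not code from the SMC manual, that carries that derivation out in Python; it uses the local engine ID printed by show snmp engine-id in this chapter, and the passwords are constructed placeholders.

```python
import hashlib

# Added example (not from the SMC manual): RFC 3414 A.2 password-to-key and
# key localization, the steps an SNMPv3 agent applies to the auth-password /
# priv-password given to "snmp-server user".  The local engine ID is the one
# shown by "show snmp engine-id" in this chapter; passwords are placeholders.

LOCAL_ENGINE_ID_HEX = "8000002a8000000000e8666672"
ONE_MEGABYTE = 1 << 20  # the password is expanded to exactly 2^20 octets


def password_to_key(password: bytes, algorithm: str = "md5") -> bytes:
    """Ku: hash the password repeated to 1 MiB (deliberately slow)."""
    if not password:
        raise ValueError("empty password")
    reps, rem = divmod(ONE_MEGABYTE, len(password))
    h = hashlib.new(algorithm)
    h.update(password * reps + password[:rem])
    return h.digest()


def localize_key(ku: bytes, engine_id: bytes, algorithm: str = "md5") -> bytes:
    """Kul = H(Ku || engineID || Ku): the key actually used on the wire."""
    if not 5 <= len(engine_id) <= 32:
        raise ValueError("SNMP engine IDs are 5..32 octets")
    return hashlib.new(algorithm, ku + engine_id + ku).digest()


def localized_key(password: str, engine_id_hex: str,
                  algorithm: str = "md5") -> bytes:
    """Per-engine key for a password; algorithm is "md5" or "sha1" to match
    the auth {md5 | sha} keyword of snmp-server user."""
    ku = password_to_key(password.encode(), algorithm)
    return localize_key(ku, bytes.fromhex(engine_id_hex), algorithm)


if __name__ == "__main__":
    # Same password, two engine IDs (local and the remote one from the
    # show snmp engine-id example): the keys differ, which is why the manual
    # says to set the engine ID before configuring the user.
    for eid in (LOCAL_ENGINE_ID_HEX, "80000000030004e2b316c54321"):
        print(eid, localized_key("authpass-placeholder", eid, "sha1").hex())
```

The function reproduces the RFC 3414 appendix test vector (password "maplesyrup", engine ID 00...02), so it can be used to check what a manager such as a Net-SNMP install has computed for a user.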
show snmp user
This command shows information on SNMP users.
CHAPTER 22 USER AUTHENTICATION COMMANDS
You can configure this switch to authenticate users logging into the system for management access using local or remote authentication methods. Port-based authentication using IEEE 802.1X can also be configured to control either management access to the uplink ports or client access to the data ports.
User Account Commands
The basic commands required for management access are listed in this section. This switch also includes other options for password checking via the console or a Telnet connection (page 20-26), user authentication via a remote authentication server (page 22-1), and host access authentication for specific ports (page 22-34).
• password password - The authentication password for the user. (Maximum length: 8 characters plain text, 32 encrypted, case sensitive)
Default Setting
The default access level is Normal Exec. The factory defaults for the user names and passwords are:
Table 22-3 Default Login Settings
username  access-level  password
guest     0             guest
admin     15            admin
Command Mode
Global Configuration
Command Usage
The encrypted password is required for compatibility with legacy password settings (i.
enable password
After initially logging onto the system, you should set the Privileged Exec password. Remember to record it in a safe place. This command controls access to the Privileged Exec level from the Normal Exec level. Use the no form to reset the default password.
Syntax
enable password [level level] {0 | 7} password
no enable password [level level]
• level level - Level 15 for Privileged Exec. (Levels 0-14 are not used.
Related Commands
enable (19-2)
authentication enable (22-7)

Authentication Sequence
Three authentication methods can be specified to authenticate users logging into the system for management access. The commands in this section can be used to define the authentication method and sequence.
Command Usage
• RADIUS uses UDP while TACACS+ uses TCP. UDP only offers best effort delivery, while TCP offers a connection-oriented transport. Also, note that RADIUS encrypts only the password in the access-request packet from the client to the server, while TACACS+ encrypts the entire body of the packet.
• RADIUS and TACACS+ logon authentication assigns a specific privilege level for each user name and password pair.
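The first usage note states that RADIUS hides only the password in the Access-Request. As an added example, not code from the SMC manual, the following Python shows the RFC 2865 User-Password hiding that the radius-server key (the manual's example key is "green") drives, and builds a minimal Access-Request so that the User-Name attribute can be seen to travel in the clear while the password is hidden. The 16-byte Request Authenticator and the user name are constructed sample values.

```python
import hashlib
import struct

# Added example (not from the SMC manual): RFC 2865 User-Password hiding and
# a minimal Access-Request, to show that only the password attribute is
# obscured with the shared key.  The key "green" matches the manual's
# radius-server key example; authenticator and user name are constructed.

USER_NAME = 1       # RADIUS attribute types used below
USER_PASSWORD = 2
ACCESS_REQUEST = 1  # RADIUS packet code


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-octet blocks, then for each block
    c_i = p_i XOR MD5(secret || c_{i-1}), with c_0 = Request Authenticator."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets")
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        hidden += block
        prev = block
    return hidden


def reveal_user_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_user_password, as performed by the RADIUS server.
    Trailing NUL padding is stripped (a password ending in NUL is ambiguous)."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 octets")
    clear, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        clear += _xor(hidden[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = hidden[i:i + 16]
    return clear.rstrip(b"\x00")


def _attr(atype: int, value: bytes) -> bytes:
    """Type-Length-Value attribute; Length counts the 2-octet header."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def build_access_request(ident: int, username: bytes, password: bytes,
                         secret: bytes, authenticator: bytes) -> bytes:
    """Code(1) Identifier(1) Length(2) Authenticator(16) Attributes..."""
    attrs = _attr(USER_NAME, username)
    attrs += _attr(USER_PASSWORD, hide_user_password(password, secret, authenticator))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def parse_attributes(packet: bytes) -> dict:
    """Return {type: value} for the attributes after the 20-octet header."""
    attrs, pos = {}, 20
    while pos < len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed attribute")
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return attrs


if __name__ == "__main__":
    authenticator = bytes(range(16))  # constructed; must be random in practice
    pkt = build_access_request(7, b"steve", b"secret", b"green", authenticator)
    attrs = parse_attributes(pkt)
    print("User-Name in the clear:", attrs[USER_NAME])
    print("User-Password hidden:  ", attrs[USER_PASSWORD].hex())
    print("with wrong key:        ", reveal_user_password(attrs[USER_PASSWORD], b"wrong", authenticator))
```

Because the hiding is an MD5 keystream keyed only by the shared key and the authenticator, a weak radius-server key, not a stronger cipher, is what a capture of this packet exposes; this is the limitation the TACACS+ comparison above refers to.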
authentication enable
This command defines the authentication method and precedence to use when changing from Exec command mode to Privileged Exec command mode with the enable command (see page 19-2). Use the no form to restore the default.
Syntax
authentication enable {[local] [radius] [tacacs]}
no authentication enable
• local - Use local password only.
• radius - Use RADIUS server password only.
• tacacs - Use TACACS server password.
Example
Console(config)#authentication enable radius
Console(config)#
Related Commands
enable password - sets the password for changing command modes (22-4)

RADIUS Client
Remote Authentication Dial-in User Service (RADIUS) is a logon authentication protocol that uses software running on a central server to control access to RADIUS-aware devices on the network.
radius-server host
This command specifies primary and backup RADIUS servers and authentication parameters that apply to each server. Use the no form to restore the default values.
Syntax
[no] radius-server index host {host_ip_address | host_alias} [auth-port auth_port] [timeout timeout] [retransmit retransmit] [key key]
• index - Allows you to specify up to five servers. These servers are queried in sequence until a server responds or the retransmit period expires.
radius-server port
This command sets the RADIUS server network port. Use the no form to restore the default.
Syntax
radius-server port port_number
no radius-server port
port_number - RADIUS server UDP port used for authentication messages. (Range: 1-65535)
Default Setting
1812
Command Mode
Global Configuration
Example
Console(config)#radius-server port 181
Console(config)#

radius-server key
This command sets the RADIUS encryption key. Use the no form to restore the default.
Example
Console(config)#radius-server key green
Console(config)#

radius-server retransmit
This command sets the number of retries. Use the no form to restore the default.
Syntax
radius-server retransmit number_of_retries
no radius-server retransmit
number_of_retries - Number of times the switch will try to authenticate logon access via the RADIUS server.
Command Mode
Global Configuration
Example
Console(config)#radius-server timeout 10
Console(config)#

show radius-server
This command displays the current settings for the RADIUS server.
Default Setting
None
Command Mode
Privileged Exec
Example
Console#show radius-server
Remote RADIUS server configuration:
Global settings:
 Communication key with RADIUS server: *****
 Server port number: 1812
 Retransmit times: 2
 Request timeout: 5
Server 1:
 Server IP address: 192.168.1.
TACACS+ Client
Terminal Access Controller Access Control System (TACACS+) is a logon authentication protocol that uses software running on a central server to control access to TACACS-aware devices on the network. An authentication server contains a database of multiple user name/password pairs with associated privilege levels for each user or group that requires management access to a switch.
tacacs-server port
This command specifies the TACACS+ server network port. Use the no form to restore the default.
Syntax
tacacs-server port port_number
no tacacs-server port
port_number - TACACS+ server TCP port used for authentication messages. (Range: 1-65535)
Default Setting
49
Command Mode
Global Configuration
Example
Console(config)#tacacs-server port 181
Console(config)#

tacacs-server key
This command sets the TACACS+ encryption key.
WEB SERVER COMMANDS

Example
Console(config)#tacacs-server key green
Console(config)#

show tacacs-server
This command displays the current settings for the TACACS+ server.
Default Setting
None
Command Mode
Privileged Exec
Example
Console#show tacacs-server
Remote TACACS server configuration:
 Server IP address: 10.11.12.
ip http port
This command specifies the TCP port number used by the web browser interface. Use the no form to use the default port.
Syntax
ip http port port-number
no ip http port
port-number - The TCP port to be used by the browser interface.
Example
Console(config)#ip http server
Console(config)#
Related Commands
ip http port (22-16)

ip http secure-server
This command enables the secure hypertext transfer protocol (HTTPS) over the Secure Socket Layer (SSL), providing secure access (i.e., an encrypted connection) to the switch’s web interface. Use the no form to disable this function.
• The client and server establish a secure encrypted connection. A padlock icon should appear in the status bar for Internet Explorer 5.x and Netscape Navigator 6.2 or later versions.
• The following web browsers and operating systems currently support HTTPS:
Table 22-8 HTTPS System Support
Web Browser                     Operating System
Internet Explorer 5.0 or later  Windows 98, Windows NT (with service pack 6a), Windows 2000, Windows XP
Netscape Navigator 6.
Default Setting
443
Command Mode
Global Configuration
Command Usage
• You cannot configure the HTTP and HTTPS servers to use the same port.
Telnet Server Commands
This section describes commands used to configure Telnet management access to the switch.
Table 22-9 Telnet Server Commands
Command           Function                                                                                              Mode  Page
ip telnet server  Allows the switch to be monitored or configured from Telnet; also specifies the port to be used by the Telnet interface  GC    22-16

ip telnet server
This command allows this device to be monitored or configured from Telnet.
Secure Shell Commands
This section describes the commands used to configure the SSH server. Note that you also need to install an SSH client on the management station when using this protocol to configure the switch.
Note: The switch supports both SSH Version 1.5 and 2.0 clients.
Configuration Guidelines
The SSH server on this switch supports both password and public key authentication. If password authentication is specified by the SSH client, then the password can be authenticated either locally or via a RADIUS or TACACS+ remote authentication server, as specified by the authentication login command on page 22-5.
1024 35 134108168560989392104094492015542534763164192187295892114317388005553616163105177594083868631109291232226828519254374603100937187721199696317813662774141689851320491172048303392543241016379975923714490119380060902539484084827178194372288402533115952134861022902978982721353267131629432532818915045306393916643 steve@192.168.1.19
4.
c. If a match is found, the switch uses its secret key to generate a random 256-bit string as a challenge, encrypts this string with the user’s public key, and sends it to the client.
d. The client uses its private key to decrypt the challenge string, computes the MD5 checksum, and sends the checksum back to the switch.
e. The switch compares the checksum sent from the client against that computed for the original string it sent.
ip ssh server
This command enables the Secure Shell (SSH) server on this switch. Use the no form to disable this service.
Syntax
[no] ip ssh server
Default Setting
Disabled
Command Mode
Global Configuration
Command Usage
• The SSH server supports up to four client sessions. The maximum number of client sessions includes both current Telnet sessions and SSH sessions.
ip ssh timeout
This command configures the timeout for the SSH server. Use the no form to restore the default setting.
Syntax
ip ssh timeout seconds
no ip ssh timeout
seconds - The timeout for client response during SSH negotiation. (Range: 1-120)
Default Setting
10 seconds
Command Mode
Global Configuration
Command Usage
The timeout specifies the interval the switch will wait for a response from the client during the SSH negotiation phase.
ip ssh authentication-retries
This command configures the number of times the SSH server attempts to reauthenticate a user. Use the no form to restore the default setting.
Syntax
ip ssh authentication-retries count
no ip ssh authentication-retries
count - The number of authentication attempts permitted after which the interface is reset.
Command Usage
The server key is a private key that is never shared outside the switch. The host key is shared with the SSH client, and is fixed at 1024 bits.
Example
Console(config)#ip ssh server-key size 512
Console(config)#

delete public-key
This command deletes the specified user’s public key.
Syntax
delete public-key username [dsa | rsa]
• username - Name of an SSH user. (Range: 1-8 characters)
• dsa - DSA public key type.
• rsa - RSA public key type.
SECURE SHELL COMMANDS Default Setting Generates both the DSA and RSA key pairs. Command Mode Privileged Exec Command Usage • The switch uses only RSA Version 1 for SSHv1.5 clients and DSA Version 2 for SSHv2 clients. • This command stores the host key pair in memory (i.e., RAM). Use the ip ssh save host-key command to save the host key pair to flash memory. • Some SSH client programs automatically add the public key to the known hosts file as part of the configuration process.
USER AUTHENTICATION COMMANDS Command Mode Privileged Exec Command Usage • This command clears the host key from volatile memory (RAM). Use the no ip ssh save host-key command to clear the host key from flash memory. • The SSH server must be disabled before you can execute this command.
show ip ssh This command displays the connection settings used when authenticating client access to the SSH server. Command Mode Privileged Exec Example
Console#show ip ssh
SSH Enabled - version 2.0
Negotiation timeout: 120 secs; Authentication retries: 3
Server key size: 768 bits
Console#
show ssh This command displays the current SSH server connections. Command Mode Privileged Exec Example
Console#show ssh
Connection Version State 0 2.
Table 22-11 show ssh - display description (Continued)
Field        Description
Username     The user name of the client.
Encryption   The encryption method is automatically negotiated between the client and server. Options for SSHv1.5 include: DES, 3DES. Options for SSHv2.
SECURE SHELL COMMANDS Command Mode Privileged Exec Command Usage • If no parameters are entered, all keys are displayed. If the user keyword is entered, but no user name is specified, then the public keys for all users are displayed. • When an RSA key is displayed, the first field indicates the size of the host key (e.g., 1024), the second field is the encoded public exponent (e.g., 35), and the last string is the encoded modulus.
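The RSA challenge-response in steps c-e above and the "size exponent modulus" line that show public-key prints for an RSA key are easier to reason about with both sides of the exchange in code. The following is an added example, not SMC firmware or any vendor tool: it builds a small textbook RSA key at run time (no padding, illustration only; e=35 is used only because that is the exponent in the manual's display example), renders and re-parses the key in the switch's three-field display format with a consistency check on the declared size, computes the MD5 fingerprint an operator could compare out of band, and then runs the challenge, the client's MD5 reply and the switch's comparison. All function names are this example's own.

```python
"""Toy model of the SSH RSA challenge-response (steps c-e) and of the
'<bits> <exponent> <modulus>' key display used by show public-key.
Added example, not SMC code. Textbook RSA, no padding, not secure."""
import hashlib
import math
import secrets


def _is_probable_prime(n, rounds=32):
    """Miller-Rabin after trial division by a few small primes."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2            # witness in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1   # exact length, odd
        if _is_probable_prime(cand):
            return cand


def generate_rsa(bits=512, e=35):
    """Return ((bits, e, n), d); loops until n is exactly `bits` long and gcd(e, phi) == 1."""
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        n, phi = p * q, (p - 1) * (q - 1)
        if p != q and n.bit_length() == bits and math.gcd(e, phi) == 1:
            return (bits, e, n), pow(e, -1, phi)


def format_public_key(pub):
    """Render a key the way the switch displays it: '<bits> <exponent> <modulus>'."""
    bits, e, n = pub
    return f"{bits} {e} {n}"


def parse_public_key(text):
    """Parse the three-field display; reject a key whose modulus is not the declared size."""
    bits, e, n = (int(t) for t in text.split())
    if n.bit_length() != bits:
        raise ValueError(f"declared {bits}-bit key but modulus has {n.bit_length()} bits")
    return bits, e, n


def fingerprint(pub):
    """MD5 over modulus bytes then exponent bytes (the RSA1 fingerprint convention of
    OpenSSH's ssh-keygen), so the value can be checked against a record kept off the switch."""
    _, e, n = pub
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big") + e.to_bytes((e.bit_length() + 7) // 8, "big")
    h = hashlib.md5(raw).hexdigest()
    return ":".join(h[i:i + 2] for i in range(0, 32, 2))


def _md5_of_int(x):
    return hashlib.md5(x.to_bytes((x.bit_length() + 7) // 8, "big")).hexdigest()


def switch_challenge(pub):
    """Step c, switch side: random 256-bit challenge encrypted to the user's public key.
    The switch keeps the MD5 of the plaintext challenge for the comparison in step e."""
    _, e, n = pub
    challenge = secrets.randbits(256)
    return pow(challenge, e, n), _md5_of_int(challenge)


def client_response(ciphertext, n, d):
    """Step d, client side: decrypt with the private key, reply with MD5 of the result."""
    return _md5_of_int(pow(ciphertext, d, n))


def authenticate(pub, d_claimed):
    """Step e: accepted only if the client's checksum equals the one the switch computed."""
    ciphertext, expected = switch_challenge(pub)
    return client_response(ciphertext, pub[2], d_claimed) == expected


if __name__ == "__main__":
    pub, priv = generate_rsa()
    shown = format_public_key(pub)
    print(shown[:40] + "...", fingerprint(pub))
    print("right key:", authenticate(parse_public_key(shown), priv))
    print("wrong key:", authenticate(pub, generate_rsa()[1]))
```

The point of the MD5 step is that the client never sends the decrypted challenge itself, only a digest of it, which is enough for the switch to confirm possession of the private key; a client holding any other private key produces a different digest and is refused.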
802.1X Port Authentication The switch supports IEEE 802.1X (dot1x) port-based access control that prevents unauthorized access to the network by requiring users to first submit credentials for authentication. Client authentication is controlled centrally by a RADIUS server using EAP (Extensible Authentication Protocol).
Table 22-12 802.1X Port Authentication Commands
Command                    Function                                                                                                           Mode  Page
dot1x system-auth-control  Enables dot1x globally on the switch.
Table 22-12 802.1X Port Authentication Commands (Continued)
Command                    Function                                                                                                           Mode  Page
dot1x timeout tx-period    Sets the time period during an authentication session that the switch waits before re-transmitting an EAP packet  IC    22-41
show dot1x                 Shows all dot1x related information                                                                                PE    22-41
dot1x system-auth-control This command enables IEEE 802.1X port authentication globally on the switch. Use the no form to restore the default.
USER AUTHENTICATION COMMANDS dot1x max-req This command sets the maximum number of times the switch port will retransmit an EAP request/identity packet to the client before it times out the authentication session. Use the no form to restore the default.
802.1X PORT AUTHENTICATION Default force-authorized Command Mode Interface Configuration Example Console(config)#interface eth 1/2 Console(config-if)#dot1x port-control auto Console(config-if)# dot1x operation-mode This command allows single or multiple hosts (clients) to connect to an 802.1X-authorized port. Use the no form with no keywords to restore the default to single host. Use the no form with the multi-host max-count keywords to restore the default maximum count.
• In “multi-host” mode, only one host connected to a port needs to pass authentication for all other hosts to be granted network access. Similarly, a port can become unauthorized for all hosts if one attached host fails re-authentication or sends an EAPOL logoff message. Treat this as a deliberate trade-off: any device sharing the port (for example, behind an unmanaged hub) inherits the authenticated host’s access without presenting credentials of its own.
802.1X PORT AUTHENTICATION dot1x re-authentication This command enables periodic re-authentication for a specified port. Use the no form to disable re-authentication. Syntax [no] dot1x re-authentication Command Mode Interface Configuration Command Usage • The re-authentication process verifies the connected client’s user ID and password on the RADIUS server. During re-authentication, the client remains connected to the network and the process is handled transparently by the dot1x client software.
USER AUTHENTICATION COMMANDS Default 60 seconds Command Mode Interface Configuration Example Console(config)#interface eth 1/2 Console(config-if)#dot1x timeout quiet-period 350 Console(config-if)# dot1x timeout re-authperiod This command sets the time period after which a connected client must be re-authenticated. Use the no form of this command to reset the default. Syntax dot1x timeout re-authperiod seconds no dot1x timeout re-authperiod seconds - The number of seconds.
802.1X PORT AUTHENTICATION dot1x timeout tx-period This command sets the time that an interface on the switch waits during an authentication session before re-transmitting an EAP packet. Use the no form to reset to the default value. Syntax dot1x timeout tx-period seconds no dot1x timeout tx-period seconds - The number of seconds.
USER AUTHENTICATION COMMANDS Command Usage This command displays the following information: • Global 802.1X Parameters – Shows whether or not 802.1X port authentication is globally enabled on the switch. • 802.1X Port Summary – Displays the port access control parameters for each interface that has enabled 802.1X, including the following items: - Status – Administrative state for port access control. - Operation Mode – Allows single or multiple hosts (page 22-37).
802.1X PORT AUTHENTICATION - Port-control – Shows the dot1x mode on a port as auto, force-authorized, or force-unauthorized (page 22-36). - Supplicant – MAC address of authorized client. - Current Identifier – The integer (0-255) used by the Authenticator to identify the current authentication session. • Authenticator State Machine - State – Current state (including initialize, disconnected, connecting, authenticating, authenticated, aborting, held, force_authorized, force_unauthorized).
Example
Console#show dot1x
Global 802.1X Parameters
 system-auth-control: enable
802.1X Port Summary
Port Name  Status    Operation Mode
1/1        disabled  Single-Host
1/2        disabled  Single-Host
. . .
1/17       disabled  Single-Host
1/18       enabled   Single-Host
802.1X Port Details
802.1X is enabled on port 1/1
. . .
802.
Management IP Filter Commands This section describes commands used to configure IP management access to the switch.
Command Usage • If anyone tries to access a management interface on the switch from an address that is not in the permitted list, the switch rejects the connection, enters an event message in the system log, and sends a trap message to the trap manager. • Permitted addresses are configured separately for SNMP, web, and Telnet access. Each of these groups can include up to five different sets of addresses, either individual addresses or address ranges. • When entering addresses for the same group (i.e.
Command Mode Privileged Exec Example
Console#show management all-client
Management Ip Filter
HTTP-Client:
   Start IP address   End IP address
   ---------------------------------
1. 192.168.1.19       192.168.1.19
2. 192.168.1.25       192.168.1.30
SNMP-Client:
   Start IP address   End IP address
   ---------------------------------
1. 192.168.1.19       192.168.1.19
2. 192.168.1.25       192.168.1.
CHAPTER 23 CLIENT SECURITY COMMANDS This switch supports many methods of segregating traffic for clients attached to each of the data ports, and for ensuring that only authorized clients gain access to the network. Private VLANs and port-based authentication using IEEE 802.1X are commonly used for these purposes. In addition to these methods, several other options of providing client security are described in this chapter.
CLIENT SECURITY COMMANDS Table 23-1 Client Security Commands Command Group Function Page Private VLANs Configures private VLANs, including uplink and downlink ports 32-17 Port Authentication Configures host authentication on specific ports using 802.
PORT SECURITY COMMANDS Table 23-2 Port Security Commands
Command                   Function                                           Mode  Page
port security             Configures a secure port                           IC    23-3
mac-address-table static  Maps a static address to a port in a VLAN          GC    30-2
show mac-address-table    Displays entries in the bridge-forwarding database PE    30-4
port security This command enables or configures port security. Use the no form without any keywords to disable port security.
CLIENT SECURITY COMMANDS Command Usage • If you enable port security, the switch stops learning new MAC addresses on the specified port when it has reached a configured maximum number. Only incoming traffic with source addresses already stored in the dynamic or static address table will be accepted. • First use the port security max-mac-count command to set the number of addresses, and then use the port security command to enable security on the port.
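The two bullets above describe a small state machine: learning continues until the configured count is reached, after which frames from unknown sources are dropped while addresses already in the static or dynamic table keep passing. The model below is an added example, not SMC code, and the MAC addresses in it are constructed; it assumes the configured maximum applies to dynamically learned addresses only, with static entries counted separately, which is this example's reading of the text rather than something the page states. It runs a MAC-flooding attempt against a secured port to show how many forged sources get through.

```python
"""Model of port security as described above: learning stops at
max-mac-count, unknown sources are then dropped. Added example, not SMC code."""
from dataclasses import dataclass, field


@dataclass
class SecurePort:
    max_mac_count: int = 0
    enabled: bool = False
    static: set = field(default_factory=set)      # mac-address-table static entries on this port
    dynamic: list = field(default_factory=list)   # learned addresses, oldest first

    def configure(self, max_mac_count, enable=True):
        """port security max-mac-count N, then port security (the order the manual prescribes)."""
        self.max_mac_count = max_mac_count
        self.enabled = enable

    def ingress(self, src_mac):
        """Return 'forward' or 'drop' for a frame from src_mac, learning it when allowed."""
        if src_mac in self.static or src_mac in self.dynamic:
            return "forward"                          # already known: always accepted
        if self.enabled and len(self.dynamic) >= self.max_mac_count:
            return "drop"                             # table full: not learned, not forwarded
        self.dynamic.append(src_mac)                  # ordinary learning (assumption: static entries
        return "forward"                              # are not counted against the maximum)


def mac_flood(port, count):
    """Attacker sends `count` frames with distinct forged sources (constructed, locally
    administered 02-... addresses); returns how many were forwarded."""
    return sum(port.ingress(f"02-00-00-00-{i >> 8:02x}-{i & 0xff:02x}") == "forward"
               for i in range(count))


if __name__ == "__main__":
    cpe = SecurePort()
    cpe.static.add("00-11-22-33-44-55")     # the subscriber's known CPE, mapped statically
    cpe.configure(max_mac_count=2)
    print("flood frames forwarded:", mac_flood(cpe, 1000))   # only the first two sources
    print("learned:", cpe.dynamic)
    print("known CPE still forwarded:", cpe.ingress("00-11-22-33-44-55"))
```

Note what the model does not do: it never evicts an address once learned, so the first two forged sources of a flood occupy the table for as long as the port stays up, which is why a static entry for the legitimate CPE is worth configuring before enabling security on a downlink.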
Packet Filtering Commands This section describes commands used to configure packet filtering for inbound traffic.
CLIENT SECURITY COMMANDS Default Setting Disabled Command Mode Global Configuration Command Usage • Both the specified source MAC address and source IP address for an entry must be matched to satisfy the filtering rule. Any packet matching a specified entry is dropped at the input port. • To delete an entry for a MAC and IP address pair, you can specify either the MAC address or both the MAC and IP address.
PACKET FILTERING COMMANDS filter netbios This command filters NetBIOS packets entering the specified input port. Syntax filter netbios {add | del} interface • add - Enables NetBIOS filtering. • del - Disables NetBIOS filtering. • interface - unit - Stack unit. (Range: 1) - port-list - Single port number or list of ports.
CLIENT SECURITY COMMANDS • This switch provides a total of 7 masks for filtering functions, including IP-MAC address packet filtering, NetBIOS packet filtering, DHCP packet filtering, and ACLs. Three masks are allocated to NetBIOS packet filtering if enabled on any interface. These masks will be released for use by other filtering functions if NetBIOS packet filtering is disabled on all interfaces.
PACKET FILTERING COMMANDS packet filtering if enabled on any interface. This mask will be released for use by other filtering functions if DHCP packet filtering is disabled on all interfaces. Example Console(config)#filter dhcp-request add 1/1 Console(config)# filter dhcp This command filters DHCP reply packets. Syntax filter dhcp {add | del} interface • add - Enables DHCP reply filtering. • del - Disables DHCP reply filtering. • interface - unit - Stack unit.
CLIENT SECURITY COMMANDS for use by other filtering functions if DHCP packet filtering is disabled on all interfaces. Example Console(config)#filter dhcp add 1/1 Console(config)# show filter This command displays the packet filter settings.
IP SOURCE GUARD COMMANDS IP Source Guard Commands IP Source Guard is a security feature that filters IP traffic on network interfaces based on manually configured entries in the IP Source Guard table, or static and dynamic entries in the DHCP Snooping table when enabled (see “DHCP Snooping Commands” on page 23-17). IP source guard can be used to prevent traffic attacks caused when a host tries to use the IP address of a neighbor to access the network.
CLIENT SECURITY COMMANDS Default Setting Disabled Command Mode Interface Configuration (Ethernet) Command Usage • Source guard is used to filter traffic on an unsecure port which receives messages from outside the network or firewall, and therefore may be subject to traffic attacks caused by a host trying to use the IP address of a neighbor. • Setting source guard mode to “sip” or “sip-mac” enables this function on the selected port.
IP SOURCE GUARD COMMANDS found in the binding table and the entry type is static IP source guard binding, the packet will be forwarded. - If the DHCP snooping is enabled, IP source guard will check the VLAN ID, source IP address, port number, and source MAC address (for the sip-mac option). If a matching entry is found in the binding table and the entry type is static IP source guard binding, static DHCP snooping binding or dynamic DHCP snooping binding, the packet will be forwarded.
CLIENT SECURITY COMMANDS ip source-guard binding This command adds a static address to the source-guard binding table. Use the no form to remove a static entry. Syntax ip source-guard binding mac-address vlan vlan-id ip-address interface ethernet unit/port no ip source-guard binding mac-address vlan vlan-id • mac-address - A valid unicast MAC address. • vlan-id - ID of a configured VLAN (Range: 1-4093) • ip-address - A valid unicast IP address, including classful types A, B or C. • unit - Stack unit.
IP SOURCE GUARD COMMANDS - If there is an entry with same VLAN ID and MAC address, and the type of entry is static IP source guard binding, then the new entry will replace the old one. - If there is an entry with same VLAN ID and MAC address, and the type of the entry is dynamic DHCP snooping binding, then the new entry will replace the old one and the entry type will be changed to static IP source guard binding. Example This example configures a static source-guard binding on port 5.
show ip source-guard binding This command shows the source guard binding table. Command Mode Privileged Exec Example
Console#show ip source-guard binding
MacAddress         IpAddress        Lease(sec)  Type                  VLAN  Interface
-----------------  ---------------  ----------  --------------------  ----  ---------
11-22-33-44-55-66  192.168.0.
DHCP Snooping Commands DHCP snooping allows a switch to protect a network from rogue DHCP servers, and to record the port-related information of each DHCP exchange in a binding table. This information can be useful in tracking an IP address back to a physical port. This section describes commands used to configure DHCP snooping.
CLIENT SECURITY COMMANDS ip dhcp snooping This command enables DHCP snooping globally. Use the no form to restore the default setting. Syntax [no] ip dhcp snooping Default Setting Disabled Command Mode Global Configuration Command Usage • Network traffic may be disrupted when malicious DHCP messages are received from an outside source. DHCP snooping is used to filter DHCP messages received on an unsecure interface from outside the network or firewall.
DHCP SNOOPING COMMANDS forwarded for a trusted port. If the received packet is a DHCP ACK message, a dynamic DHCP snooping entry is also added to the binding table. - If DHCP snooping is enabled globally, and also enabled on the VLAN where the DHCP packet is received, but the port is not trusted, it is processed as follows: * If the DHCP packet is a reply packet from a DHCP server (including OFFER, ACK or NAK messages), the packet is dropped.
CLIENT SECURITY COMMANDS from a DHCP server, any packets received from untrusted ports are dropped. Example This example enables DHCP snooping globally for the switch. Console(config)#ip dhcp snooping Console(config)# Related Commands ip dhcp snooping vlan (23-20) ip dhcp snooping trust (23-24) ip dhcp snooping vlan This command enables DHCP snooping on the specified VLAN. Use the no form to restore the default setting.
DHCP SNOOPING COMMANDS • When DHCP snooping is globally enabled, configuration changes for specific VLANs have the following effects: - If DHCP snooping is disabled on a VLAN, all dynamic bindings learned for this VLAN are removed from the binding table. Example This example enables DHCP snooping for VLAN 1.
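The rules spread across the IP Source Guard and DHCP snooping sections above (server replies accepted only on trusted ports, dynamic bindings created from ACKs, sip versus sip-mac matching, static entries counting even when snooping is off, dynamic entries removed when snooping is disabled on a VLAN) combine into one decision procedure that is clearer as code. The following is an added example, not SMC firmware: the port names, MAC addresses and IP addresses are constructed, the binding-table layout is this example's own simplification, and one behaviour the page does not state is marked as an assumption in the code (a dynamic entry never overwrites a static one).

```python
"""Simulation of the DHCP snooping and IP Source Guard decision rules in this
chapter. Added example, not SMC code; all addresses and ports are constructed."""
from dataclasses import dataclass, field

DHCP_REPLIES = {"OFFER", "ACK", "NAK"}


@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    vlan: int
    port: str
    kind: str            # "static-ipsg", "static-snoop" or "dynamic-snoop"


@dataclass
class Switch:
    snooping_global: bool = False
    snooping_vlans: set = field(default_factory=set)
    trusted_ports: set = field(default_factory=set)
    source_guard: dict = field(default_factory=dict)    # port -> "sip" | "sip-mac"
    bindings: dict = field(default_factory=dict)        # (vlan, mac) -> Binding
    pending: dict = field(default_factory=dict)         # (vlan, mac) -> port of last client request

    def snooping_on(self, vlan):
        return self.snooping_global and vlan in self.snooping_vlans

    def add_static_binding(self, mac, vlan, ip, port):
        """ip source-guard binding: a static entry replaces any entry for the same (VLAN, MAC)."""
        self.bindings[(vlan, mac)] = Binding(mac, ip, vlan, port, "static-ipsg")

    def disable_vlan_snooping(self, vlan):
        """no ip dhcp snooping vlan: dynamic bindings learned for that VLAN are removed."""
        self.snooping_vlans.discard(vlan)
        self.bindings = {k: b for k, b in self.bindings.items()
                         if not (b.vlan == vlan and b.kind == "dynamic-snoop")}

    def handle_dhcp(self, msg, port, vlan, mac, ip=None):
        """Return 'forward' or 'drop' for a DHCP message concerning client `mac` seen on `port`."""
        if not self.snooping_on(vlan):
            return "forward"
        key = (vlan, mac)
        if port not in self.trusted_ports:
            if msg in DHCP_REPLIES:
                return "drop"                 # server replies are accepted from trusted ports only
            self.pending[key] = port          # remember where the client's request came from
            return "forward"
        if msg == "ACK" and key in self.pending:
            existing = self.bindings.get(key)
            if existing is None or existing.kind == "dynamic-snoop":   # assumption: never overwrite static
                self.bindings[key] = Binding(mac, ip, vlan, self.pending[key], "dynamic-snoop")
        return "forward"

    def filter_ip(self, port, vlan, src_mac, src_ip):
        """IP Source Guard verdict for a non-DHCP IP packet arriving on `port`."""
        mode = self.source_guard.get(port)
        if mode is None:
            return "forward"
        allowed = {"static-ipsg"}                                 # snooping off: static entries only
        if self.snooping_on(vlan):
            allowed |= {"static-snoop", "dynamic-snoop"}
        for b in self.bindings.values():
            if (b.kind in allowed and (b.vlan, b.ip, b.port) == (vlan, src_ip, port)
                    and (mode == "sip" or b.mac == src_mac)):
                return "forward"
        return "drop"


def demo():
    """Walk a lease and several spoofing attempts through the rules; returns each verdict by name."""
    sw = Switch(snooping_global=True, snooping_vlans={1}, trusted_ports={"eth1/17"})
    sw.source_guard.update({"eth1/5": "sip-mac", "eth1/6": "sip"})
    client, rogue = "00-11-22-33-44-55", "de-ad-be-ef-00-01"
    v = {}
    v["rogue_offer"] = sw.handle_dhcp("OFFER", "eth1/6", 1, rogue, "192.168.0.99")   # rogue server on a downlink
    v["request"] = sw.handle_dhcp("REQUEST", "eth1/5", 1, client)
    v["ack"] = sw.handle_dhcp("ACK", "eth1/17", 1, client, "192.168.0.10")            # real server via uplink
    v["own_ip"] = sw.filter_ip("eth1/5", 1, client, "192.168.0.10")
    v["spoof_ip"] = sw.filter_ip("eth1/5", 1, client, "192.168.0.11")                 # a neighbour's address
    v["spoof_mac"] = sw.filter_ip("eth1/5", 1, rogue, "192.168.0.10")                 # leased IP, other MAC
    sw.add_static_binding("00-aa-bb-cc-dd-ee", 1, "192.168.0.20", "eth1/6")
    v["static_sip_any_mac"] = sw.filter_ip("eth1/6", 1, rogue, "192.168.0.20")        # sip mode ignores MAC
    sw.disable_vlan_snooping(1)
    v["after_vlan_disable"] = sw.filter_ip("eth1/5", 1, client, "192.168.0.10")       # dynamic binding gone
    v["static_survives"] = sw.filter_ip("eth1/6", 1, "00-aa-bb-cc-dd-ee", "192.168.0.20")
    return v


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:20s} {verdict}")
```

Two results in demo() are the ones to remember when deploying the feature: "sip" mode lets any MAC use a bound address on that port, so sip-mac is the mode to use on subscriber ports, and disabling snooping on a VLAN silently cuts off every client whose only binding was dynamic.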
CLIENT SECURITY COMMANDS Related Commands ip dhcp snooping (23-18) ip dhcp snooping vlan (23-20) ip dhcp snooping trust (23-24) ip dhcp snooping database write This command writes all dynamically learned snooping entries to flash memory. Command Mode Global Configuration Command Usage This command can be used to store the currently learned dynamic DHCP snooping entries to flash memory. These entries will be restored to the snooping table when the switch is reset.
DHCP SNOOPING COMMANDS Command Usage • This command applies to all VDSL ports. When set, it will automatically convert an address assigned to an attached CPE by a DHCP server to a static entry in the MAC address table. The MAC address, IP address, lease time, VLAN identifier, and port identifier are stored in the DHCP snooping table as a valid entry.
CLIENT SECURITY COMMANDS acknowledgement packets sent by the DHCP server in response to host requests will be blocked by the switch. Example This example sets the client limit to its maximum value on port 5. Console(config)#interface ethernet 1/5 Console(config-if)#ip dhcp snooping client limit 48 Console(config-if)# ip dhcp snooping trust This command configures the specified interface as trusted. Use the no form to restore the default setting.
DHCP SNOOPING COMMANDS • Additional considerations when the switch itself is a DHCP client – The port(s) through which it submits a client request to the DHCP server must be configured as trusted. Example This example sets port 5 to untrusted. Console(config)#interface ethernet 1/5 Console(config-if)#no ip dhcp snooping trust Console(config-if)# Related Commands ip dhcp snooping (23-18) ip dhcp snooping vlan (23-20) show ip dhcp snooping This command shows the DHCP snooping configuration settings.
show ip dhcp snooping binding This command shows the DHCP snooping binding table entries. Command Mode Privileged Exec Example
Console#show ip dhcp snooping binding
MacAddress         IpAddress        Lease(sec)  Type                  VLAN  Interface
-----------------  ---------------  ----------  --------------------  ----  ---------
11-22-33-44-55-66  192.168.0.
CHAPTER 24 ACCESS CONTROL LIST COMMANDS Access Control Lists (ACL) provide packet filtering for IP frames (based on address, protocol, Layer 4 protocol port number or TCP control code), or any frames (based on MAC address or Ethernet type). To filter packets, first create an access list, add the required rules, specify a mask to modify the precedence in which the rules are checked, and then bind the list to a specific port. This section describes the Access Control List commands.
ACCESS CONTROL LIST COMMANDS IP ACLs The commands in this section configure ACLs based on IP addresses, TCP/UDP port number, protocol type, and TCP control code.
IP ACLS access-list ip This command adds an IP access list and enters configuration mode for standard or extended IP ACLs. Use the no form to remove the specified ACL. Syntax [no] access-list ip {standard | extended} acl_name • standard – Specifies an ACL that filters packets based on the source IP address. • extended – Specifies an ACL that filters packets based on the source or destination IP address, and other more specific criteria. • acl_name – Name of the ACL.
ACCESS CONTROL LIST COMMANDS permit, deny (Standard IP ACL) This command adds a rule to a Standard IP ACL. The rule sets a filter condition for packets emanating from the specified source. Use the no form to remove a rule. Syntax [no] {permit | deny} {any | source bitmask | host source} • any – Any source IP address. • source – Source IP address. • bitmask – Decimal number representing the address bits to match. • host – Keyword followed by a specific IP address.
IP ACLS permit, deny (Extended IP ACL) This command adds a rule to an Extended IP ACL. The rule sets a filter condition for packets with specific source or destination IP addresses, protocol types, source or destination protocol ports, or TCP control codes. Use the no form to remove a rule.
ACCESS CONTROL LIST COMMANDS • control-flags – Decimal number (representing a bit string) that specifies flag bits in byte 14 of the TCP header. (Range: 0-63) • flag-bitmask – Decimal number representing the code bits to match. Default Setting None Command Mode Extended IP ACL Command Usage • All new rules are appended to the end of the list. • Address bitmasks are similar to a subnet mask, containing four integers from 0 to 255, each separated by a period.
IP ACLS Example This example accepts any incoming packets if the source address is within subnet 10.7.1.x. The rule matches when the rule address masked by its bitmask (10.7.1.1 & 255.255.255.0 = 10.7.1.0) equals the packet source address masked the same way (for example, 10.7.1.2 & 255.255.255.0 = 10.7.1.0); a matching packet passes through.
Console(config-ext-acl)#permit 10.7.1.1 255.255.255.0 any
Console(config-ext-acl)#
This allows TCP packets from class C addresses 192.168.1.0 to any destination address when set for destination TCP port 80 (i.e., HTTP).
Example
Console#show ip access-list standard
IP standard access-list david:
permit host 10.1.1.21
permit 168.92.0.0 255.255.15.0
Console#
Related Commands permit, deny (24-4) ip access-group (24-14) access-list ip mask-precedence This command changes to the IP Mask mode used to configure access control masks. Use the no form to delete the mask table. Syntax [no] access-list ip mask-precedence {in | out} • in – Ingress mask for ingress ACLs. • out – Egress mask for egress ACLs.
IP ACLS Example Console(config)#access-list ip mask-precedence in Console(config-ip-mask-acl)# Related Commands mask (IP ACL) (24-9) ip access-group (24-14) mask (IP ACL) This command defines a mask for IP ACLs. This mask defines the fields to check in the IP header. Use the no form to remove a mask.
ACCESS CONTROL LIST COMMANDS Default Setting None Command Mode IP Mask Command Usage • Packets crossing a port are checked against all the rules in the ACL until a match is found. The order in which these packets are checked is determined by the mask, and not the order in which the ACL rules were entered. • First create the required ACLs and ingress or egress masks before mapping an ACL to an interface. • If you enter dscp, you cannot enter tos or precedence.
IP ACLS This shows that the entries in the mask override the precedence in which the rules are entered into the ACL. In the following example, packets with the source address 10.1.1.1 are dropped because the “deny 10.1.1.1 255.255.255.255” rule has the higher precedence according to the “mask host any” entry.
Console(config)#access-list ip standard A2
Console(config-std-acl)#permit 10.1.1.0 255.255.255.0
Console(config-std-acl)#deny 10.1.1.1 255.255.255.
This shows how to create an extended ACL with an egress mask to drop packets leaving network 171.69.198.0 when the Layer 4 source port is 23.
Console(config)#access-list ip extended A3
Console(config-ext-acl)#deny host 171.69.198.5 any
Console(config-ext-acl)#deny 171.69.198.0 255.255.255.0 any source-port 23
Console(config-ext-acl)#end
Console#show access-list
IP extended access-list A3:
deny host 171.69.198.5 any
deny 171.69.198.0 255.255.255.
IP ACLS This is a more comprehensive example. It denies any TCP packets in which the SYN bit is ON, and permits all other packets. It then sets the ingress mask to check the deny rule first, and finally binds port 1 to this ACL. Note that once the ACL is bound to an interface (i.e., the ACL is active), the order in which the rules are displayed is determined by the associated mask.
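The mask-precedence behaviour described in this section (a packet is matched against rules grouped by mask table order, not by the order the rules were typed, and a rule with no corresponding mask is never evaluated) is the part of this ACL model that most often surprises people used to first-match lists. The following is an added example, not SMC code: it parses the standard ACL A2 and the mask entries from the examples above using the CLI syntax shown in this chapter, reproduces the evaluation order, and contrasts it with plain entry-order matching. It goes one step beyond the page by adding a /16 rule that has no mask, to show such a rule silently never firing.

```python
"""Model of IP ACL evaluation ordered by the mask table, as described above.
Added example, not SMC code; the evaluation logic is this example's own."""
import ipaddress

HOST = "255.255.255.255"
ANY = "0.0.0.0"


def _masked(addr, bitmask):
    return int(ipaddress.IPv4Address(addr)) & int(ipaddress.IPv4Address(bitmask))


def parse_rule(text):
    """'permit any' | 'deny host 10.1.1.1' | 'permit 10.1.1.0 255.255.255.0' -> (action, addr, bitmask)."""
    parts = text.split()
    action = parts[0]
    if parts[1] == "any":
        return action, ANY, ANY
    if parts[1] == "host":
        return action, parts[2], HOST
    return action, parts[1], parts[2]


def parse_mask(text):
    """'mask host any' | 'mask 255.255.255.0 any' -> the source bitmask this mask entry selects."""
    src = text.split()[1]
    return {"host": HOST, "any": ANY}.get(src, src)


def ordered_rules(rules, masks):
    """Rules in the order the switch evaluates (and, once bound, displays) them: grouped by mask
    precedence, entry order only as a tie-breaker within one mask. Rules whose bitmask has no
    mask entry are left out, because they are never evaluated."""
    return [r for m in masks for r in rules if r[2] == m]


def evaluate(rules, masks, src_ip):
    """First matching rule in mask order wins. Returns the action, or None when no rule
    matches (the page does not state the implicit action for unmatched packets)."""
    for action, addr, bitmask in ordered_rules(rules, masks):
        if _masked(src_ip, bitmask) == _masked(addr, bitmask):
            return action
    return None


def evaluate_in_entry_order(rules, src_ip):
    """What a reader used to ordinary first-match ACLs would expect; here only for contrast."""
    for action, addr, bitmask in rules:
        if _masked(src_ip, bitmask) == _masked(addr, bitmask):
            return action
    return None


# Standard ACL A2 from the example above, plus one extra /16 rule that has no matching mask.
A2 = [parse_rule("permit 10.1.1.0 255.255.255.0"),
      parse_rule("deny 10.1.1.1 255.255.255.255"),
      parse_rule("deny 10.3.0.0 255.255.0.0")]
INGRESS_MASKS = [parse_mask("mask host any"), parse_mask("mask 255.255.255.0 any")]

if __name__ == "__main__":
    for ip in ("10.1.1.1", "10.1.1.2", "10.3.4.5"):
        print(ip, "mask order:", evaluate(A2, INGRESS_MASKS, ip),
              "entry order:", evaluate_in_entry_order(A2, ip))
```

The practical check this suggests: after binding an ACL, compare show access-list output (which reflects mask order) against the rules you typed, and confirm every bitmask you used has a mask entry; a deny rule without one is not a working deny.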
show access-list ip mask-precedence This command shows the ingress or egress rule masks for IP ACLs. Syntax show access-list ip mask-precedence [in | out] • in – Ingress mask precedence for ingress ACLs. • out – Egress mask precedence for egress ACLs. Command Mode Privileged Exec Example
Console#show access-list ip mask-precedence
IP ingress mask ACL:
mask host any
mask 255.255.255.
IP ACLS Command Usage • A port can only be bound to one ACL. • If a port is already bound to an ACL and you bind it to a different ACL, the switch will replace the old binding with the new one. • You must configure a mask for an ACL rule before you can bind it to a port. Example Console(config)#int eth 1/2 Console(config-if)#ip access-group standard david in Console(config-if)# Related Commands show ip access-list (24-7) show ip access-group This command shows the ports assigned to IP ACLs.
ACCESS CONTROL LIST COMMANDS MAC ACLs The commands in this section configure ACLs based on hardware addresses, packet format, and Ethernet type.
MAC ACLS access-list mac This command adds a MAC access list and enters MAC ACL configuration mode. Use the no form to remove the specified ACL. Syntax [no] access-list mac acl_name acl_name – Name of the ACL. (Maximum length: 16 characters) Default Setting None Command Mode Global Configuration Command Usage • When you create a new ACL or enter configuration mode for an existing ACL, use the permit or deny command to add new rules to the bottom of the list.
ACCESS CONTROL LIST COMMANDS permit, deny (MAC ACL) This command adds a rule to a MAC ACL. The rule filters packets matching a specified MAC source or destination address (i.e., physical layer address), or Ethernet protocol type. Use the no form to remove a rule. Syntax [no] {permit | deny} {any | host source | source address-bitmask} {any | host destination | destination address-bitmask} [vid vid vid-bitmask] [ethertype protocol [protocol-bitmask]] Note:- The default is for Ethernet II packets.
MAC ACLS • source – Source MAC address. • destination – Destination MAC address range with bitmask. • address-bitmask – Bitmask for MAC address (in hexadecimal format). • vid – VLAN ID. (Range: 1-4093) • vid-bitmask – VLAN bitmask. (Range: 1-4093) • protocol – A specific Ethernet protocol number. (Range: 600-fff hex.) • protocol-bitmask – Protocol bitmask. (Range: 600-fff hex.) Default Setting None Command Mode MAC ACL Command Usage • New rules are added to the end of the list.
ACCESS CONTROL LIST COMMANDS show mac access-list This command displays the rules for configured MAC ACLs. Syntax show mac access-list [acl_name] acl_name – Name of the ACL.
MAC ACLS Command Usage • You must configure a mask for an ACL rule before you can bind it to a port or set the queue or frame priorities associated with the rule. • A mask can only be used by all ingress ACLs or all egress ACLs. • The precedence of the ACL rules applied to a packet is not determined by order of the rules, but instead by the order of the masks; i.e., the first mask that matches a rule will determine the rule that is applied to a packet.
ACCESS CONTROL LIST COMMANDS • ethertype – Check the Ethernet type field. • ethertype-bitmask – Ethernet type of rule must match this bitmask. Default Setting None Command Mode MAC Mask Command Usage • Up to seven masks can be assigned to an ingress or egress ACL. • Packets crossing a port are checked against all the rules in the ACL until a match is found. The order in which these packets are checked is determined by the mask, and not the order in which the ACL rules were entered.
MAC ACLS Example This example shows how to create an Ingress MAC ACL and bind it to a port. You can then see that the order of the rules has been changed by the mask.
This example creates an Egress MAC ACL.
Console(config)#access-list mac M5
Console(config-mac-acl)#deny tagged-802.3 host 00-11-11-11-11-11 any
Console(config-mac-acl)#deny tagged-eth2 00-11-11-11-11-11 ff-ff-ff-ff-ff-ff any vid 3 ethertype 0806
Console(config-mac-acl)#end
Console#show access-list
MAC access-list M5:
deny tagged-802.
MAC ACLS mac access-group This command binds a port to a MAC ACL. Use the no form to remove the port. Syntax mac access-group acl_name in • acl_name – Name of the ACL. (Maximum length: 16 characters) • in – Indicates that this list applies to ingress packets. Default Setting None Command Mode Interface Configuration (Ethernet) Command Usage • A port can only be bound to one ACL.
ACCESS CONTROL LIST COMMANDS show mac access-group This command shows the ports assigned to MAC ACLs. Command Mode Privileged Exec Example Console#show mac access-group Interface ethernet 1/5 MAC access-list M5 in Console# Related Commands mac access-group (24-25) ACL Information This section describes commands used to display ACL information.
ACL INFORMATION Example
Console#show access-list
IP standard access-list david:
permit host 10.1.1.21
permit 168.92.0.0 255.255.15.0
IP extended access-list bob:
permit 10.7.1.1 255.255.255.0 any
permit 192.168.1.0 255.255.255.0 any destination-port 80 80
permit 192.168.1.0 255.255.255.
CHAPTER 25 INTERFACE COMMANDS These commands are used to display or set communication parameters for an Ethernet port, aggregated link, or VLAN.
INTERFACE COMMANDS Table 25-1 Interface Commands (Continued) Command Function Mode show interfaces counters Displays statistics for the specified interfaces NE, PE 25-14 show interfaces switchport Displays the administrative and operational status of an interface NE, PE 25-16 interface This command configures an interface type and enter interface configuration mode. Use the no form to remove a trunk.
DESCRIPTION description This command adds a description to an interface. Use the no form to remove the description. Syntax description string no description string - Comment or a description to help you remember what is attached to this interface. (Range: 1-64 characters) Default Setting None Command Mode Interface Configuration (Ethernet, Port Channel) Example The following example adds a description to port 4.
INTERFACE COMMANDS Default Setting • Auto-negotiation is permanently disabled on Ports 1-16, and enabled by default on Ports 17-19. • When auto-negotiation is disabled, the default speed-duplex setting is: - Fast Ethernet ports – 100full (100 Mbps full-duplex) - Gigabit Ethernet ports – 1000full (1 Gbps full-duplex) Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage • 1000BASE-T does not support forced mode.
NEGOTIATION negotiation This command enables autonegotiation for a given interface. Use the no form to disable autonegotiation. Syntax [no] negotiation Default Setting Ports 1-16: Permanently disabled Ports 17-19: Enabled Command Mode Interface Configuration (Ethernet - Ports 17-19, Port Channel) Command Usage • 1000BASE-T does not support forced mode. Auto-negotiation should always be used to establish a connection over any 1000BASE-T port or trunk.
INTERFACE COMMANDS capabilities This command advertises the port capabilities of a given interface during autonegotiation. Use the no form with parameters to remove an advertised capability, or the no form without parameters to restore the default values.
FLOWCONTROL manually specify the link attributes with the speed-duplex and flowcontrol commands. Example The following example configures Ethernet port 5 capabilities to include 100half and 100full. Console(config)#interface ethernet 1/5 Console(config-if)#capabilities 100half Console(config-if)#capabilities 100full Console(config-if)# Related Commands negotiation (25-5) speed-duplex (25-3) flowcontrol (25-7) flowcontrol This command enables flow control. Use the no form to disable flow control.
INTERFACE COMMANDS • To force flow control on or off (with the flowcontrol or no flowcontrol command), use the no negotiation command to disable auto-negotiation on the selected interface. • When using the negotiation command to enable auto-negotiation, the optimal settings will be determined by the capabilities command.
SWITCHPORT MDIX • copper-forced - Always uses the built-in RJ-45 port. • sfp-forced - Always uses the SFP port (even if module not installed). • sfp-preferred-auto - Uses SFP port if both combination types are functioning and the SFP port has a valid link. Default Setting sfp-preferred-auto Command Mode Interface Configuration (Ethernet - Ports 17-18) Example This forces the switch to use the built-in RJ-45 port for the combination port 18.
INTERFACE COMMANDS Command Mode Interface Configuration (Ethernet - Port 17-18) Command Usage Auto-negotiation must be enabled to use the “auto” option for this command. It must be disabled to force the pinout setting to one of the fixed modes of “normal” (MDI) or “crossover” (MDI-X). One side of a link must be configured with MDI pinouts and the other side with MDI-X pinouts to ensure that signals sent from the transmit pins on one side of the link are received on the receive pins by the link partner.
Example The following example disables port 5. Console(config)#interface ethernet 1/5 Console(config-if)#shutdown Console(config-if)# switchport packet-rate This command configures broadcast, multicast, and unknown-unicast storm control. Use the no form to restore the default setting. Syntax switchport {broadcast | multicast | unknown-unicast} packet-rate rate no switchport {broadcast | multicast | unknown-unicast} • broadcast - Specifies storm control for broadcast traffic.
INTERFACE COMMANDS Example The following shows how to configure broadcast storm control at 600 packets per second: Console(config)#interface ethernet 1/5 Console(config-if)#switchport broadcast packet-rate 600 Console(config-if)# clear counters This command clears statistics on an interface. Syntax clear counters interface interface • ethernet unit/port - unit - Stack unit. (Range: 1) - port - Port number.
SHOW INTERFACES STATUS show interfaces status This command displays the status for an interface. Syntax show interfaces status [interface] interface • ethernet unit/port - unit - Stack unit. (Range: 1) - port - Port number. (Range: 1-19) • port-channel channel-id (Range: 1-12) • vlan vlan-id (Range: 1-4093) Default Setting Shows the status for all interfaces. Command Mode Normal Exec, Privileged Exec Command Usage If no interface is specified, information on all interfaces is displayed.
Example
Console#show interfaces status ethernet 1/5
Information of Eth 1/5
 Basic information:
  Port type: 1000T
  Mac address: 00-30-F1-D4-73-A5
 Configuration:
  Name:
  Port admin: Up
  Speed-duplex: Auto
  Capabilities: 10half, 10full, 100half, 100full, 1000full
  Broadcast storm: Enabled
  Broadcast storm limit: 500 packets/second
  Flow control: Disabled
  LACP: Disabled
  Port security: Disabled
  Max MAC count: 0
  Port security action: None
  Media type: None
 Current status:
  Link status: Up
  Port operation st
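The field layout above is what an auditor has to work with when checking that per-port protections (port security, storm control) are actually on. The following Python script is an added example, not part of the SMC manual: it parses text in the layout of the show interfaces status output and flags administratively-up ports whose protections are off. The two-port transcript is constructed for the example, and the audit policy (port security on, storm control on, storm limit no higher than 1000 pps) is the example's own, not a threshold the manual prescribes.

```python
"""Audit `show interfaces status` output from the TigerAccess EE CLI.

Added example, not from the SMC manual. SAMPLE_OUTPUT is constructed to
match the field layout the manual shows for one port; the two-port
transcript and its values are invented for the example.
"""
import re

# Constructed sample in the manual's output layout (not a real capture).
SAMPLE_OUTPUT = """\
Information of Eth 1/5
 Basic information:
  Port type: 1000T
  Mac address: 00-30-F1-D4-73-A5
 Configuration:
  Name:
  Port admin: Up
  Speed-duplex: Auto
  Capabilities: 10half, 10full, 100half, 100full, 1000full
  Broadcast storm: Enabled
  Broadcast storm limit: 500 packets/second
  Flow control: Disabled
  LACP: Disabled
  Port security: Disabled
  Max MAC count: 0
  Port security action: None
  Media type: None
 Current status:
  Link status: Up
Information of Eth 1/6
 Basic information:
  Port type: 1000T
  Mac address: 00-30-F1-D4-73-A6
 Configuration:
  Name: cpe-06
  Port admin: Up
  Speed-duplex: Auto
  Capabilities: 100full
  Broadcast storm: Disabled
  Flow control: Disabled
  LACP: Disabled
  Port security: Enabled
  Max MAC count: 2
  Port security action: Shutdown
  Media type: None
 Current status:
  Link status: Up
"""

HEADER = re.compile(r"^Information of (Eth \d+/\d+)\s*$")
SECTIONS = ("Basic information", "Configuration", "Current status")


def parse_status(text):
    """Return {interface: {field: value}} from `show interfaces status` text.

    A new "Information of Eth u/p" line starts a port; section headings
    carry no value and are skipped; field lines split on the first ':'.
    """
    ports, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER.match(line)
        if m:
            current = m.group(1)
            ports[current] = {}
            continue
        if current is None or ":" not in line:
            continue
        key, _, value = line.partition(":")
        value = value.strip()
        if value == "" and key in SECTIONS:
            continue  # section heading, not a field
        ports[current][key.strip()] = value
    return ports


def audit_ports(ports, max_storm_pps=1000):
    """Flag administratively-up ports whose per-port protections are off.

    The policy (port security enabled, storm control enabled, storm limit
    at most max_storm_pps) is this example's assumption, not the manual's.
    """
    findings = []
    for name, cfg in sorted(ports.items()):
        if cfg.get("Port admin") != "Up":
            continue  # a shut port is not an attachment point
        if cfg.get("Port security") != "Enabled":
            findings.append((name, "port security disabled"))
        if cfg.get("Broadcast storm") != "Enabled":
            findings.append((name, "broadcast storm control disabled"))
        m = re.match(r"(\d+) packets/second", cfg.get("Broadcast storm limit", ""))
        if m and int(m.group(1)) > max_storm_pps:
            findings.append((name, f"storm limit above {max_storm_pps} pps"))
    return findings


if __name__ == "__main__":
    for iface, issue in audit_ports(parse_status(SAMPLE_OUTPUT)):
        print(f"{iface}: {issue}")
```

Feed it the captured output of show interfaces status with no interface argument to cover every port at once; ports that are administratively down are skipped on the assumption that a shut port is not reachable.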
SHOW INTERFACES COUNTERS Command Mode Normal Exec, Privileged Exec Command Usage If no interface is specified, information on all interfaces is displayed. For a description of the items displayed by this command, see “Showing Port Statistics” on page 9-29.
INTERFACE COMMANDS show interfaces switchport This command displays the administrative and operational status of the specified interfaces. Syntax show interfaces switchport [interface] interface • ethernet unit/port - unit - Stack unit. (Range: 1) - port - Port number. (Range: 1-19) • port-channel channel-id (Range: 1-12) Default Setting Shows all interfaces. Command Mode Normal Exec, Privileged Exec Command Usage If no interface is specified, information on all interfaces is displayed.
SHOW INTERFACES SWITCHPORT Table 25-2 show interfaces switchport - display description Field Description Broadcast threshold Shows if broadcast storm suppression is enabled or disabled; if enabled it also shows the threshold level (page 25-11). LACP status Shows if Link Aggregation Control Protocol has been enabled or disabled (page 26-4). Ingress/Egress rate limit Shows if rate limiting is enabled, and the current rate limit (page 28-2).
CHAPTER 26 LINK AGGREGATION COMMANDS Ports can be statically grouped into an aggregate link (i.e., trunk) to increase the bandwidth of a network connection or to ensure fault recovery. Or you can use the Link Aggregation Control Protocol (LACP) to automatically negotiate a trunk link between this switch and another network device. For static trunks, the switches have to comply with the Cisco EtherChannel standard. For dynamic trunks, the switches have to comply with LACP.
Table 26-1 Link Aggregation Commands (Continued) Command, Function, Mode, Page: lacp admin-key - Configures a port channel's administration key - IC (Port Channel) - 26-8; lacp port-priority - Configures a port's LACP port priority - IC (Ethernet) - 26-9. Trunk Status Display Commands: show interfaces status port-channel - Shows trunk information - NE, PE - 25-13; show lacp - Shows LACP information - PE - 26-10. Guidelines for Creating Trunks General Guidelines – • Finish configuring port trunks
CHANNEL-GROUP • If the port channel admin key (lacp admin key - Port Channel) is not set when a channel group is formed (i.e., it has the null value of 0), this key is set to the same value as the port admin key (lacp admin key Ethernet Interface) used by the interfaces that joined the group. • However, if the port channel admin key is set, then the port admin key must be set to the same value for a port to be allowed to join a channel group.
LINK AGGREGATION COMMANDS Example The following example creates trunk 1 and then adds port 11: Console(config)#interface port-channel 1 Console(config-if)#exit Console(config)#interface ethernet 1/11 Console(config-if)#channel-group 1 Console(config-if)# lacp This command enables 802.3ad Link Aggregation Control Protocol (LACP) for the current interface. Use the no form to disable it.
LACP Example The following shows LACP enabled on ports 10-12. Because LACP has also been enabled on the ports at the other end of the links, the show interfaces status port-channel 1 command shows that Trunk1 has been established.
lacp system-priority This command configures a port's LACP system priority. Use the no form to restore the default setting. Syntax lacp {actor | partner} system-priority priority no lacp {actor | partner} system-priority • actor - The local side of an aggregate link. • partner - The remote side of an aggregate link. • priority - This priority is used to determine link aggregation group (LAG) membership, and to identify this device to other switches during LAG negotiations.
lacp admin-key (Ethernet Interface) This command configures a port's LACP administration key. Use the no form to restore the default setting. Syntax lacp {actor | partner} admin-key key no lacp {actor | partner} admin-key • actor - The local side of an aggregate link. • partner - The remote side of an aggregate link. • key - The port admin key must be set to the same value for ports that belong to the same link aggregation group (LAG).
lacp admin-key (Port Channel) This command configures a port channel's LACP administration key. Use the no form to restore the default setting. Syntax lacp admin-key key no lacp admin-key key - The port channel admin key is used to identify a specific link aggregation group (LAG) during local LACP setup on this switch.
lacp port-priority This command configures LACP port priority. Use the no form to restore the default setting. Syntax lacp {actor | partner} port-priority priority no lacp {actor | partner} port-priority • actor - The local side of an aggregate link. • partner - The remote side of an aggregate link. • priority - LACP port priority is used to select a backup link.
LINK AGGREGATION COMMANDS show lacp This command displays LACP information. Syntax show lacp [port-channel] {counters | internal | neighbors | sys-id} • port-channel - Local identifier for a link aggregation group. (Range: 1-12) • counters - Statistics for LACP protocol messages. • internal - Configuration settings and operational state for local side. • neighbors - Configuration settings and operational state for remote side. • sys-id - Summary of system priority and MAC address for all channel groups.
SHOW LACP Table 26-2 show lacp counters - display description Field Description LACPDUs Sent Number of valid LACPDUs transmitted from this channel group. LACPDUs Received Number of valid LACPDUs received on this channel group. Marker Sent Number of valid Marker PDUs transmitted from this channel group. Marker Received Number of valid Marker PDUs received by this channel group.
LINK AGGREGATION COMMANDS Table 26-3 show lacp internal - display description (Continued) Field Description LACPDUs Internal Number of seconds before invalidating received LACPDU information. LACP System Priority LACP system priority assigned to this port channel. LACP Port Priority LACP port priority assigned to this interface within the channel group.
Console#show lacp 1 neighbors
Port channel 1 neighbors
------------------------------------------------------------------
Eth 1/1
------------------------------------------------------------------
Partner Admin System ID: 32768, 00-00-00-00-00-00
Partner Oper System ID: 32768, 00-01-F4-78-AE-C0
Partner Admin Port Number: 2
Partner Oper Port Number: 2
Port Admin Priority: 32768
Port Oper Priority: 32768
Admin Key: 0
Oper Key: 3
Admin State: defaulted, distributing, collecting, synchronization, long
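Every link in a channel group must terminate on the same partner system; a member whose partner operational system ID differs from the others, or whose partner MAC is all zeros, is either cabled to a different device or has never heard from a partner, and traffic hashed onto that link goes somewhere the trunk's owner did not intend. The following Python script is an added example, not part of the SMC manual: it parses text in the layout of the show lacp neighbors output above and reports members whose partner differs from the majority. The three-port sample is constructed for the example (Eth 1/3 deliberately shows a different partner and operational key).

```python
"""Check `show lacp <n> neighbors` output for a consistent LACP partner.

Added example, not from the SMC manual. SAMPLE_NEIGHBORS is constructed in
the layout the manual shows for one member port; the three-port transcript
and its addresses are invented for the example.
"""
import re
from collections import Counter

# Constructed sample in the manual's output layout (not a real capture).
SAMPLE_NEIGHBORS = """\
Port channel 1 neighbors
------------------------------------------------------------------
Eth 1/1
------------------------------------------------------------------
Partner Admin System ID: 32768, 00-00-00-00-00-00
Partner Oper System ID: 32768, 00-01-F4-78-AE-C0
Partner Admin Port Number: 2
Partner Oper Port Number: 2
Port Admin Priority: 32768
Port Oper Priority: 32768
Admin Key: 0
Oper Key: 3
Admin State: defaulted, distributing, collecting, synchronization, long
------------------------------------------------------------------
Eth 1/2
------------------------------------------------------------------
Partner Admin System ID: 32768, 00-00-00-00-00-00
Partner Oper System ID: 32768, 00-01-F4-78-AE-C0
Partner Admin Port Number: 3
Partner Oper Port Number: 3
Port Admin Priority: 32768
Port Oper Priority: 32768
Admin Key: 0
Oper Key: 3
Admin State: defaulted, distributing, collecting, synchronization, long
------------------------------------------------------------------
Eth 1/3
------------------------------------------------------------------
Partner Admin System ID: 32768, 00-00-00-00-00-00
Partner Oper System ID: 32768, 00-0C-29-11-22-33
Partner Admin Port Number: 1
Partner Oper Port Number: 1
Port Admin Priority: 32768
Port Oper Priority: 32768
Admin Key: 0
Oper Key: 7
Admin State: defaulted, distributing, collecting, synchronization, long
"""

PORT_LINE = re.compile(r"^Eth \d+/\d+$")
ZERO_MAC = "00-00-00-00-00-00"


def parse_neighbors(text):
    """Return {member port: {field: value}}; dashed rules are separators."""
    members, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) == {"-"}:
            continue
        if PORT_LINE.match(line):
            current = line
            members[current] = {}
        elif current and ":" in line:
            key, _, value = line.partition(":")
            members[current][key.strip()] = value.strip()
    return members


def partner_of(fields):
    """Split 'priority, mac' from Partner Oper System ID into (priority, mac)."""
    prio, _, mac = fields.get("Partner Oper System ID", "").partition(",")
    return prio.strip(), mac.strip()


def check_channel(members):
    """Flag members with no partner, and members whose partner (system MAC
    and operational key) differs from the majority of the channel group."""
    findings, seen = [], {}
    for port, f in members.items():
        _, mac = partner_of(f)
        if not mac or mac == ZERO_MAC:
            findings.append((port, "no LACP partner seen"))
            continue
        seen[port] = (mac, f.get("Oper Key"))
    if seen:
        # Counter keeps insertion order, so a tie resolves to the earliest port.
        majority = Counter(seen.values()).most_common(1)[0][0]
        for port, ident in seen.items():
            if ident != majority:
                findings.append((port, f"partner {ident[0]} key {ident[1]} "
                                       f"differs from {majority[0]} key {majority[1]}"))
    return findings


if __name__ == "__main__":
    for port, issue in check_channel(parse_neighbors(SAMPLE_NEIGHBORS)):
        print(f"{port}: {issue}")
```

Run it against the output of show lacp N neighbors for each configured channel group; a finding on a member that is still "distributing" is the case worth chasing first, because that link is carrying traffic to the odd partner.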
Console#show lacp sysid
Port Channel  System Priority  System MAC Address
------------------------------------------------------------------
 1  32768  00-30-F1-8F-2C-A7
 2  32768  00-30-F1-8F-2C-A7
 3  32768  00-30-F1-8F-2C-A7
 4  32768  00-30-F1-8F-2C-A7
 5  32768  00-30-F1-8F-2C-A7
 6  32768  00-30-F1-8F-2C-A7
 7  32768  00-30-F1-D4-73-A0
 8  32768  00-30-F1-D4-73-A0
 9  32768  00-30-F1-D4-73-A0
10  32768  00-30-F1-D4-73-A0
11  32768  00-30-F1-D4-73-A0
12  32768  00-30-F1-D4-73-A0
. . .
CHAPTER 27 MIRROR PORT COMMANDS This section describes how to mirror traffic from a source port to a target port. Table 27-1 Mirror Port Commands Command Function port monitor Configures a mirror session show port monitor Shows the configuration for a mirror port Mode Page IC 27-1 PE 27-2 port monitor This command configures a mirror session. Use the no form to clear a mirror session.
Command Usage • You can mirror traffic from any source port to a destination port for real-time analysis. You can then attach a logic analyzer or RMON probe to the destination port and study the traffic crossing the source port in a completely unobtrusive manner. Because the destination port receives a copy of every frame crossing the source port, treat mirror sessions as sensitive configuration and clear them when the analysis is finished. • The destination port is set by specifying an Ethernet interface. • The mirror port and monitor port speeds should match, otherwise traffic may be dropped from the monitor port.
SHOW PORT MONITOR Command Usage This command displays the currently configured source port, destination port, and mirror mode (i.e., RX, TX, RX/TX).
CHAPTER 28 RATE LIMIT COMMANDS This function allows the network manager to control the maximum rate for traffic transmitted or received on an interface. Rate limiting is configured on interfaces at the edge of a network to limit traffic into or out of the network. Traffic that falls within the rate limit is transmitted, while packets that exceed the acceptable amount of traffic are dropped. Rate limiting can be applied to individual ports or trunks, or for a VLAN member port.
RATE LIMIT COMMANDS rate-limit This command defines the rate limit for a specific interface. Use this command without specifying a rate to restore the default rate. Use the no form to restore the default status of disabled.
RATE-LIMIT TRAP-INPUT rate-limit trap-input This command sets an SNMP trap if traffic exceeds the configured rate limit. Use the no form to restore the default setting. Syntax rate-limit snmp-trap-input [up upper-discard-boundary down lower-discard-boundary] no snmp-rate-limit trap-input • upper-discard-boundary – The packet discard rate (per 10 second interval) above which the system sends a trap-input notification.
RATE LIMIT COMMANDS • For further information on the type of notification messages that can be sent by the system, refer to the information about trap and inform messages described under the snmp-server host command on page 21-6. Example This example sets an upper discard boundary of 500 packets / 10 seconds, and a lower discard boundary of 10 packets / 10 seconds.
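The manual describes two mechanisms in this area without showing how they interact: the switchport packet-rate command drops packets that exceed a per-second limit, and rate-limit trap-input raises a notification when the resulting discards exceed an upper boundary per 10-second interval. The following Python model is an added example, not switch firmware, and serves both passages: it enforces a packets-per-second limit over a constructed burst, sums the drops per 10-second interval, and applies the two boundaries with hysteresis. Assumptions not stated on the page are that the limit is enforced per whole-second bucket and that the lower boundary is the level below which an outstanding trap condition clears (the manual's text for the lower boundary is truncated here); the burst traffic is constructed, not captured.

```python
"""Storm-control packet-rate limiting and discard-rate trap hysteresis.

Added example, not switch firmware. Assumptions: the packet-rate limit is
enforced per whole-second bucket; discards are summed per 10-second
interval; a trap-input is raised when an interval's discards exceed the
upper boundary and cleared when they fall below the lower boundary.
The traffic burst is constructed for the example.
"""
from collections import Counter


def rate_limit(timestamps, rate):
    """Forward at most `rate` packets per one-second bucket.
    Returns (forwarded, dropped): Counters keyed by bucket start second."""
    forwarded, dropped = Counter(), Counter()
    for ts in sorted(timestamps):
        bucket = int(ts)
        if forwarded[bucket] < rate:
            forwarded[bucket] += 1
        else:
            dropped[bucket] += 1
    return forwarded, dropped


def discards_per_interval(dropped, horizon, interval=10):
    """Sum per-second drops into consecutive `interval`-second windows
    covering [0, horizon); a second outside the horizon is an error."""
    windows = [0] * ((horizon + interval - 1) // interval)
    for sec, count in dropped.items():
        if not 0 <= sec < horizon:
            raise ValueError(f"second {sec} outside horizon {horizon}")
        windows[sec // interval] += count
    return windows


def trap_events(discards, upper, lower):
    """Hysteresis over per-interval discard counts: emit 'trap-input' once
    when count > upper, emit 'clear' once when count < lower, and stay
    silent while the raised condition persists between the boundaries."""
    events, raised = [], False
    for i, count in enumerate(discards):
        if not raised and count > upper:
            events.append((i, "trap-input", count))
            raised = True
        elif raised and count < lower:
            events.append((i, "clear", count))
            raised = False
    return events


def constructed_burst():
    """30 s of broadcast traffic (constructed): 700 pps, then 605 pps,
    then 600 pps. Each packet gets a fractional timestamp inside its second."""
    plan = [(range(0, 10), 700), (range(10, 20), 605), (range(20, 30), 600)]
    return [sec + k / pps for secs, pps in plan for sec in secs for k in range(pps)]


def simulate(rate=600, upper=500, lower=10):
    """Limit the burst at `rate` pps and return the trap events produced
    by the manual's example boundaries (500 and 10 packets per 10 s)."""
    _, dropped = rate_limit(constructed_burst(), rate)
    return trap_events(discards_per_interval(dropped, horizon=30), upper, lower)


if __name__ == "__main__":
    for interval, kind, count in simulate():
        print(f"interval {interval}: {kind} ({count} discards / 10 s)")
```

With the manual's boundaries the first interval (1000 discards) raises the trap, the second (50 discards) sits between the boundaries and produces nothing, and the third (no discards) clears it; that middle interval is why the lower boundary exists, since a single threshold would flap on every interval.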
CHAPTER 29 VDSL COMMANDS VDSL communication parameters can be set for individual ports, or multiple parameters can be defined in a profile and applied globally to the switch or to a group of ports. Alarm thresholds can be defined in a profile and then applied globally to the switch or to selected ports. The switch also provides an extensive listing of VDSL statistics. For intelligent CPEs, firmware can be remotely upgraded.
VDSL COMMANDS Long-Reach Ethernet Commands This section describes how to configure communication parameters for VDSL ports such as specifying data band usage plans, setting notches within the frequency bands to avoid interference with ham radio signals, setting a mask for power spectral density to meet regional or local limitations for transmitting signals on phone lines, setting an acceptable target for the signal-to-noise ratio, and enabling automatic rate adaptation.
Table 29-2 Long-Reach Ethernet Commands (Continued) Command, Function, Mode, Page: lre max-power - Sets the maximum aggregate downstream or upstream power - GC/IC - 29-22; lre min-protection - Configures the minimum level of impulse noise protection for all bearer channels - IC - 29-23; lre channel - Sets the channel mode to fast or interleaved - IC - 29-24; lre interleave-max-delay - Sets the maximum interleave delay - IC - 29-25; lre datarate - Specifies the minimum and maximum data rate for downst
VDSL COMMANDS lre band-plan This command sets the frequency bands used for VDSL signals based on a set of predefined plans. Use the no form to restore the default status. Syntax lre band-plan value no lre band-plan value – Index for a predefined band plan. (See Table 29-3, “VDSL2 Band Plans,” on page 29-5.
LONG-REACH ETHERNET COMMANDS Table 29-3 VDSL2 Band Plans Index Designator Number of Bands Reference Document 3 998-138-8500 Long Reach 3 4 998-138-12000 High Data Rate 4 5 998-640-30000 100/100 6 (US1-3, DS1-3) G.993.
VDSL COMMANDS lre option-band This command sets the frequencies to be used for the optional Upstream Band 0 (US0). Use the no form to restore the default status. Syntax lre option-band value no lre option-band value – Index of predefined frequency bounds for US0. Note that each option includes a range for the low and high end frequencies. (Options:0 - No optional band 1 - ITU-T G993.2, Annex A, 6-32 kHz, 26-138 kHz 2 - ITU-T G993.2, Annex B, 32-64 kHz, 138-276 kHz 3 - ITU-T G993.
lre ham-band This command sets the amateur (ham) radio band that will be blocked to VDSL signals based on defined frequencies. Use the no form to restore the default status. Syntax lre ham-band value no lre ham-band value – HAM band mask. (See Table 29-4, “HAM Band Notches,” on page 29-7.
VDSL COMMANDS Table 29-4 HAM Band Notches (Continued) 29-8 Index Name Frequency Reference 4 RFI-BAND04 3.500 - 3.575 MHz ANNEX F 5 RFI-BAND05 3.500 - 3.800 MHz ETSI 6 RFI-BAND06 3.500 - 4.000 MHz T1E1 7 RFI-BAND07 3.747 - 3.754 MHz ANNEX F 8 RFI-BAND08 3.791 - 3.805 MHz ANNEX F 9 RFI-BAND09 7.000 - 7.100 MHz ANNEX F, ETSI 10 RFI-BAND10 7.000 - 7.300 MHz T1E1 11 RFI-BAND11 10.100 - 10.150 MHz ANNEX F, ETSI, T1E1 12 RFI-BAND12 14.000 - 14.
Example This example sets a HAM band notch in the transmitted power spectrum for the 10.100 - 10.150 MHz band (RFI-BAND11, also called the 30 meter band). Console(config)#interface ethernet 1/1 Console(config-if)#lre ham-band 11 Console(config-if)# Related Commands show lre ham-band (29-64) lre region-ham-band (29-9) lre region-ham-band This command sets the ham radio band that will be blocked to VDSL signals based on defined usage types.
VDSL COMMANDS • Using a HAM band mask prevents interference with other systems (e.g., amateur radio) that use narrow band transmission in the VDSL frequency band. The selected frequency range will not be used to transmit data on the VDSL line. You may need to specify a mask if required by local regulations or if specific incidents of interference are reported within a service area. • The following table lists HAM band notches for general usage types.
LONG-REACH ETHERNET COMMANDS Table 29-5 HAM Band Notches for Usage Types (Continued) Index Name Frequency Reference 18 RFI-BAND18 10.005 - 10.100 MHz Aeronautical Communications 19 RFI-BAND19 10.100 - 10.150 MHz Amateur Radio 20 RFI-BAND20 11.175 - 11.400 MHz Aeronautical Communications 21 RFI-BAND21 11.600 - 12.100 MHz DRM Radio 22 RFI-BAND22 12.570 - 12.585 MHz GMDSS 23 RFI-BAND23 13.200 - 13.360 MHz Aeronautical Communications 24 RFI-BAND24 13.570 - 13.
VDSL COMMANDS Example This example sets a HAM band notch in the transmitted power spectrum to avoid interference with CB radios. Console(config)#interface ethernet 1/1 Console(config-if)#lre region-ham-band 34 Console(config-if)# Related Commands show lre region-ham-band (29-65) lre ham-band (29-7) lre psd-breakpoints This command sets the number of frequency breakpoints in the PSD mask. Use the no form to restore the default setting.
LONG-REACH ETHERNET COMMANDS PSD Mask required for compliance with local regulations, or set mask limits for upstream power backoff. The methods used to calculate these various PSD masks, and local regulations governing the power spectrum used on VDSL lines are all described in ITU-T G.993.2. • Breakpoints can be applied to any upstream or downstream channel depending on the associated frequencies. Example The following sets 25 breakpoints on VDSL port 1.
VDSL COMMANDS Command Mode Global Configuration Interface Configuration (VDSL Port) Command Usage • Enter this command in global configuration mode to configure frequency breakpoints for all VDSL ports, or in interface mode to configure them for a specific VDSL port. • The number of breakpoints used in the PSD mask is specified with the lre psd-breakpoints command (page 29-12), while the power level set for each breakpoint is defined by the lre psd-value command (page 29-15).
LONG-REACH ETHERNET COMMANDS lre psd-value This command defines a power level for each of the PSD breakpoints. Use the no form to restore the default setting. Syntax lre psd-value breakpoint psd-value no lre psd-value breakpoint • breakpoint – Frequency breakpoint within the power spectral density (PSD) as defined by the lre psd-breakpoints command (page 29-12). • psd-value – Value of PSD at the specified breakpoint.
VDSL COMMANDS Example The following sets a PSD value for the frequency band bounded by breakpoints 1 and 2 to -20 dBm/Hz on VDSL port 1. Console(config)#interface ethernet 1/1 Console(config-if)#lre psd-value 1 240 Console(config-if)#lre psd-value 2 240 Console(config-if)# Related Commands lre psd-breakpoints (29-12) lre psd-frequencies (29-13) show lre psd (29-67) lre psd-mask-level (29-16) lre psd-mask-level This command sets a predefined PSD mask. Use the no form to restore the default setting.
• The following table lists the predefined PSD masks. Table 29-6 PSD Mask Options (columns: Index, Designator, Number of Bands, Breakpoints / Band, Reference) 0 Default PSD; 1 ANSI M1_CAB; 2 ANSI M2_CAB; 3 ETSI M1_CAB; 4 ETSI M2_CAB; 5 ANNEX F; 6 ANSI M1_EX; 7 ANSI M2_EX; 8 ETSI M1_EX; 9 ETSI M2_EX; 10 Reserved; 11 PSD K; 12 PSD_CHINA; 13 ETSI_M1_EX_P1; 14 ETSI_M2_EX_P1 Example The following specifies a predefined mask based on Annex F of ITU-T G.993.
VDSL COMMANDS lre pbo-config This command sets a mask to reduce the power spectral density (PSD) of transmitted signals at specified frequency breakpoints for upstream power backoff. Use the no form to restore the default status. Syntax lre pbo-config K1[0] Rx_PSD1 K1[1] Rx_PSD2 K1[2] Rx_PSD3 K1[3] Rx_PSD4 K1[4] Rx_PSD5 K1[5] Rx_PSD6 K2[0] Tx_PSD1 K2[1] Tx_PSD2 K2[2] Tx_PSD3 K2[3] Tx_PSD4 K2[4] Tx_PSD5 K2[5] Tx_PSD6 no lre pbo-config • K1[0-5] – Frequency breakpoints for upstream bands DS1-DS3.
• The transceiver will adjust its transmitted signal to conform to the power limitations set by the lre pbo-config command. • If upstream power backoff is enabled with the lre upbo command (page 29-19), the transceiver will automatically reduce the PSD at each frequency breakpoint set by the lre psd-breakpoints (page 29-12) and lre psd-frequencies (page 29-13) commands.
VDSL COMMANDS Command Usage • Enter this command in global configuration mode to enable upstream power backoff for all VDSL ports, or in interface mode to enable it for a VDSL port. • Upstream power backoff (UPBO) should be configured when there are VDSL connections of different lengths attached to this switch. UPBO is required to improve the spectral compatibility on lines of different lengths by reducing the transmitted power on shorter lines.
LONG-REACH ETHERNET COMMANDS lre tone This command disables VDSL signals at frequencies less than or equal to 640 KHz, 1.1 MHz or 2.2 MHz. Use the no form to restore the default setting. Syntax lre tone {tx | rx} value no lre tone {tx | rx} • tx – Downstream band plan. • rx – Upstream band plan. • value – Index of low-end frequency range to disable. (Options:1 - all tones on 2 - disable tones at 640 KHz and below 3 - disable tones at 1.1 MHz and below 4 - disable tones at 2.
Example The following disables all tones at or below 640 kHz on the downstream (tx) band plan. Console(config)#lre tone tx 2 Console(config)# Related Commands show lre tone (29-71) lre max-power This command sets the maximum aggregate downstream or upstream power. Use the no form to restore the default setting. Syntax lre max-power {down | up} value no lre max-power {down | up} • down – Downstream bands. • up – Upstream bands. • value – Maximum aggregate power.
Example The following sets the maximum downstream power on port 1 to 14.5 dBm. Console(config)#interface ethernet 1/1 Console(config-if)#lre max-power down 58 Console(config-if)# lre min-protection This command configures the minimum level of impulse noise protection for all bearer channels. Use the no form to restore the default setting. Syntax lre min-protection {down | up} value no lre min-protection {down | up} • down – Downstream bands. • up – Upstream bands.
• Note that this parameter only applies to interleaved channels. Refer to ITU-T G.993.2 for a full description of the methods used to calculate the minimum level of impulse noise protection. Example Console(config)#interface ethernet 1/1 Console(config-if)#lre min-protection down 5 Console(config-if)# lre channel This command sets the channel mode to fast or interleaved. Use the no form to restore the default status.
LONG-REACH ETHERNET COMMANDS Related Commands lre interleave-max-delay (29-25) lre interleave-max-delay This command sets the maximum interleave delay. Use the no form to restore the default status. Syntax lre interleave-max-delay {down | up} value no lre interleave-max-delay {down | up} • down – Downstream bands. • up – Upstream bands. • value – Maximum interleave delay. (Range: 0-40, indicating units of 0.
Related Commands lre channel (29-24) show lre interleave-max-delay (29-72) lre datarate This command specifies the minimum and maximum data rate for downstream and upstream fast or slow (interleaved) channels. Use the no form to restore the default setting. Syntax lre datarate {down | up} {slow | fast} {max | min} value no lre datarate {down | up} {slow | fast} {max | min} • down – Downstream bands. • up – Upstream bands. • slow – Slow (interleaved) channel. • fast – Fast channel.
LONG-REACH ETHERNET COMMANDS Example The following sets the minimum and maximum data rates for the downstream fast channel on port 1. Console(config)#interface ethernet 1/1 Console(config-if)#lre datarate down fast max 190000 Console(config-if)#lre datarate down fast min 640 Console(config-if)# Related Commands show lre rate-adaption (29-75) show lre datarate (29-73) lre rate-set (29-27) lre rate-set This command sets the maximum input and output data rates for the VDSL ports.
VDSL COMMANDS Related Commands lre datarate (29-26) lre noise-mgn target This command configures the targeted signal-to-noise margin that VDSL ports must achieve to successfully complete initialization. Use the no form to restore the default setting. Syntax lre noise-mgn target {down | up} value no lre noise-mgn target {down | up} • down – Downstream bands. • up – Upstream bands. • value – Signal-to-noise margin. (Range: 0-62, in units of 0.
LONG-REACH ETHERNET COMMANDS lre noise-mgn min This command configures the minimum acceptable signal-to-noise margin. Use the no form to restore the default setting. Syntax lre noise-mgn min {down | up} value no lre noise-mgn min {down | up} • down – Downstream bands. • up – Upstream bands. • value – Signal-to-noise margin. (Range: 0-62, in units of 0.
lre shutdown This command shuts down a VDSL port. Use the no form to re-enable the port. Syntax [no] lre shutdown Default Setting All VDSL ports are operational Command Mode Interface Configuration (VDSL Port) Command Usage Use this command to disable the VDSL chipset transmitter of a VDSL port that is not connected to a working CPE. Shutting down such ports also keeps an unused subscriber line from being trained up by whatever CPE is later attached to it. In some unusual circumstances, the power emitted by VDSL ports can affect other VDSL ports.
Command Mode Interface Configuration (VDSL Port) Command Usage Use this command to troubleshoot VDSL connection or performance problems. Example Console(config)#interface ethernet 1/1 Console(config-if)#lre reset remote Console(config-if)#lre reset local Console(config-if)# lre auto-retraining This command enables automatic retraining to find the optimal transmission rate when the switch re-establishes the link to a port. Use the no form to disable this feature.
VDSL COMMANDS Related Commands lre datarate (29-26) lre retraining This command manually initiates the rate adaptation method to find the optimal transmission rate based on existing line conditions. Use the no form to disable this feature. Default Disabled Command Mode Interface Configuration (VDSL Port) Command Usage • This command can be used if auto-retraining has been disabled with the no lre auto-retraining command (page 29-31), and the signal quality or link on a port has dropped.
LONG-REACH ETHERNET COMMANDS lre rate-adaption This command enables automatic line rate adaptation, which can set the optimal transmission rate based on existing line conditions. Use the no form to disable this feature.
VDSL COMMANDS Related Commands lre datarate (29-26) show lre rate-adaption (29-75) lre apply This command applies all global VDSL settings to each VDSL port on the switch or to a specified port, overwriting any previous settings configured for specific interfaces. Use the no form to restore the default setting.
LINE PROFILE COMMANDS Line Profile Commands This section describes how to configure a list of communication parameters such as data rates and acceptable noise margins which can be applied to all VDSL ports or to a selected group of ports.
Table 29-7 Line Profile Commands Command, Function, Mode, Page: down-fast-max-datarate, down-fast-min-datarate, up-fast-max-datarate, up-fast-min-datarate, down-slow-max-datarate, down-slow-min-datarate, up-slow-max-datarate, up-slow-min-datarate - Sets maximum/minimum data rate on a fast/slow downstream/upstream channel - VLP - 29-47; down-target-noise-mgn, up-target-noise-mgn - Sets the targeted signal-to-noise margin that VDSL ports must achieve to successfully complete initialization on a downstream
LINE PROFILE COMMANDS Example The following creates a VDSL line profile named southport. Console(config)#line-profile southport Console(config)# Related Commands show lre line-profile (29-77) lre line-profile This command applies a line profile to selected VDSL ports. Use the no form to restore the default settings for the selected ports. Syntax [no] lre line-profile profile-name profile-name – Name of the profile.
VDSL COMMANDS Example The following applies the line profile named southport to all VDSL ports. Console(config)#lre line-profile southport Console(config)# band-plan This command sets the frequency bands used for VDSL signals based on a set of predefined plans. Use the no form to restore the default status. Syntax band-plan value no band-plan value – Index for a predefined band plan. (See Table 29-3, “VDSL2 Band Plans,” on page 29-5.
LINE PROFILE COMMANDS option-band This command sets the frequencies to be used for optional Upstream Band 0 (US0). Use the no form to restore the default status. Syntax option-band value no option-band value – Index of predefined frequency bounds for US0. (Options:0 - No optional band 1 - ITU-T G993.2, Annex A, 6-32, 26-138 kHz 2 - ITU-T G993.2, Annex B, 32-64, 138-276 kHz 3 - ITU-T G993.
ham-band This command sets the amateur (ham) radio band that will be blocked to VDSL signals based on defined frequencies. Use the no form to restore the default status. Syntax ham-band value no ham-band value – HAM band mask. (See Table 29-4, “HAM Band Notches,” on page 29-7.) Default Setting 22 (none) Command Mode VDSL Line Profile Command Usage Using a HAM band mask prevents interference with other systems (e.g.
LINE PROFILE COMMANDS region-ham-band This command sets the ham radio band that will be blocked to VDSL signals based on defined usage types. Use the no form to restore the default status. Syntax region-ham-band value no region-ham-band value – HAM band mask for designated usage type. (See Table 29-5, “HAM Band Notches for Usage Types,” on page 29-10.) Default Setting 36 (none) Command Mode VDSL Line Profile Command Usage Using a HAM band mask prevents interference with other systems (e.g.
VDSL COMMANDS tone This command disables VDSL signals at frequencies less than or equal to 640 KHz, 1.1 MHz or 2.2 MHz. Use the no form to restore the default setting. Syntax lre tone {tx | rx} value no lre tone {tx | rx} • tx – Downstream band plan. • rx – Upstream band plan. • value – Index of low-end frequency range to disable. (Options:1 - all tones on 2 - disable tones at 640 KHz and below 3 - disable tones at 1.1 MHz and below 4 - disable tones at 2.
Example The following disables all tones at or below 640 kHz on the downstream (tx) band plan. Console(config-line-profile)#tone tx 2 Console(config-line-profile)# Related Commands lre tone (29-21) max-power This command sets the maximum aggregate downstream or upstream power. Use the no form to restore the default setting. Syntax max-power {down | up} value no max-power {down | up} • down – Downstream bands. • up – Upstream bands. • value – Maximum aggregate power. (Range: 0-255, in units of 0.
min-protection This command configures the minimum level of impulse noise protection for all bearer channels. Use the no form to restore the default setting. Syntax min-protection {down | up} value no min-protection {down | up} • down – Downstream bands. • up – Upstream bands. • value – The number of consecutive DMT symbols for which errors can be completely corrected. (Range: 0-255, in units of 0.
Related Commands lre min-protection (29-23) channel This command sets the channel mode to fast or interleaved. Use the no form to restore the default status. Syntax channel mode no channel mode – Channel mode (Options: fast, interleave) Default Setting interleaved Command Mode VDSL Line Profile Command Usage • Interleaving protects data against bursts of errors: the bits of each Reed-Solomon code word are spread across a number of transmitted symbols, so a burst corrupts only a few bits of any one code word and the Reed-Solomon error correction can repair them.
VDSL COMMANDS down/up-max-inter-delay These commands set the maximum interleave delay on a downstream/ upstream channel. Use the no form to restore the default settings to the profile. Syntax {down|up}-max-inter-delay value no {down|up}-max-inter-delay • down – Downstream bands. • up – Upstream bands. • value – Maximum interleave delay. (Range: 0-40, indicating units of 0.5 ms) Default Setting 4 (2 ms) Command Mode VDSL Line Profile Command Usage • Interleaving causes a delay in the transmission of data.
Related Commands
lre interleave-max-delay (29-25)

down/up-fast/slow-max/min-datarate
These commands set the maximum/minimum data rate on a fast/slow downstream/upstream channel. Use the no form to restore the default settings to the profile.
Syntax
{down|up}-{fast|slow}-{max|min}-datarate value
no {down|up}-{fast|slow}-{max|min}-datarate
• down – Downstream bands.
• up – Upstream bands.
• slow – Slow (interleaved) channel.
• fast – Fast channel.
• max – Maximum channel data rate.
Example
The following sets the minimum and maximum data rates for the downstream fast channel on port 1.
Console(config-line-profile)#down-fast-max-datarate 190000
Console(config-line-profile)#down-fast-min-datarate 640
Console(config-line-profile)#
Related Commands
lre datarate (29-26)

down/up-target-noise-mgn
These commands set the targeted signal-to-noise margin that VDSL ports must achieve to successfully complete initialization on a downstream/upstream channel.
Example
The following sets a target SNR margin of 12 dB for the downstream channels and 18 dB for the upstream channels.
Console(config-line-profile)#down-target-noise-mgn 12
Console(config-line-profile)#up-target-noise-mgn 18
Console(config-line-profile)#
Related Commands
lre noise-mgn target (29-28)

down/up-min-noise-mgn
These commands set the minimum acceptable signal-to-noise margin on a downstream/upstream channel. Use the no form to restore the default settings.
• When rate adaptation is enabled (see Command Usage, page 29-32), the signal-to-noise ratio (SNR) is an indicator of link quality. The switch itself has no internal functions to ensure link quality. To ensure a stable link, you should add a margin to the theoretical minimum SNR.
Example
The following sets the minimum noise margin on downstream channels to 12 dB.
Alarm Profile Commands
This section describes how to configure a list of threshold values for error states which can be applied to all VDSL ports or to a selected group of ports.
alarm-profile
This command enters VDSL Alarm Profile configuration mode. Use the no form to delete an alarm profile.
Syntax
[no] alarm-profile profile-name
profile-name – Name of the profile. (Range: 1-31 alphanumeric characters)
Command Mode
Global Configuration
Command Usage
All commands entered in this mode are stored under the named profile, and take effect only when this profile is applied to a set of VDSL ports.
Example
The following creates a VDSL alarm profile named southport.
Command Usage
First create a profile of VDSL alarm thresholds using the other commands described in this section, then enter Global Configuration mode to apply the profile to all VDSL ports on the switch using the lre alarm-profile command. Or use the interface command to select a specific port, and then use the lre alarm-profile command to apply the settings to that interface.
Example
The following applies the alarm profile named southport to all VDSL ports.
the status of remote transceivers is obtained via the embedded operation channel (EOC), this information may be unavailable for units that are unreachable via the EOC during a line error condition. Therefore, not all conditions may always be included in its current status.
• This command sets the threshold for the number of initialization failures within any 15 minute collection interval for performance data.
Command Usage
• An Errored Second is a one-second interval containing one or more CRC anomalies, or one or more Loss of Signal (LOS) or Loss of Framing (LOF) defects.
• This command sets the threshold for the number of errored seconds within any 15 minute collection interval for performance data. If the number of errored seconds in a particular 15-minute collection interval reaches or exceeds this value, a vdslPerfESsThreshNotification notification will be generated.
Command Usage
This command sets the threshold for the number of seconds during which there is loss of framing within any 15 minute collection interval for performance data. If loss of framing in a particular 15-minute collection interval reaches or exceeds this value, a vdslPerfLofsThreshNotification notification will be generated. (Refer to RFC 3728 for information on this notification message.) No more than one notification will be sent per interval.
notification will be generated. (Refer to RFC 3728 for information on this notification message.) No more than one notification will be sent per interval.
Example
The following sets the LOLs threshold to 15.
Console(config-alarm-profile)#thresh-15min-lols 15
Console(config-alarm-profile)#

thresh-15min-loss
This command sets the threshold for Loss of Signal seconds (LOSs) that can occur within any given 15 minutes. Use the no form to restore the default setting.
Example
The following sets the LOSs threshold to 15.
Console(config-alarm-profile)#thresh-15min-loss 15
Console(config-alarm-profile)#

thresh-15min-lprs
This command sets the threshold for Loss of Power Seconds (LPRs) that can occur within any given 15 minutes. Use the no form to restore the default setting.
Syntax
thresh-15min-lprs value
value – Threshold for Loss of Power Seconds.
thresh-15min-sess
This command sets the threshold for Severely Errored Seconds (SESs) that can occur within any given 15 minutes. Use the no form to restore the default setting.
Syntax
thresh-15min-sess value
value – Threshold for Severely Errored Seconds.
thresh-15min-uass
This command sets the threshold for Unavailable Seconds (UASs) that can occur within any given 15 minutes. Use the no form to restore the default setting.
Syntax
thresh-15min-uass value
value – Threshold for Unavailable Seconds. (Range: 0-900 seconds; 0 disables the threshold)
Default Setting
10
Command Mode
VDSL Alarm Profile
Command Usage
• An Unavailable Second is a one-second interval during which the VDSL transceiver is powered up but not available (i.e.
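The thresh-15min-* commands above share one evaluation rule: each counter is accumulated over a 15-minute collection interval, a notification is raised when the count reaches or exceeds the profile value, no more than once per interval, and a value of 0 disables the check. The following Python model is an added illustration of that rule and is not SMC code: classify_second applies the Errored Second and Severely Errored Second definitions given in this section, IntervalMonitor applies the threshold rule, and the per-second defect pattern in run_scenario is constructed for the example. The notification names for ESs and LOFs are the ones quoted on this page; other counters get a placeholder name.

```python
from dataclasses import dataclass, field

INTERVAL_SECONDS = 900  # one 15-minute performance-data collection interval

# Threshold -> notification, as named in the Command Usage text of this section.
# Counters not named on the page get a placeholder (assumption for this example).
NOTIFICATIONS = {
    "ess": "vdslPerfESsThreshNotification",
    "lofs": "vdslPerfLofsThreshNotification",
}


def classify_second(crc_anomalies, los=False, lof=False):
    """Map one second's raw defects to the counters it increments, using the
    ES and SES definitions on this page (SEF/LPR contributions to SES are
    left out of this illustration)."""
    counters = set()
    if crc_anomalies >= 1 or los or lof:
        counters.add("ess")          # Errored Second
    if crc_anomalies >= 18 or los:
        counters.add("sess")         # Severely Errored Second
    if los:
        counters.add("loss")         # Loss of Signal second
    if lof:
        counters.add("lofs")         # Loss of Framing second
    return counters


@dataclass
class AlarmProfile:
    """thresh-15min-* values keyed by counter name; 0 disables a threshold."""
    thresholds: dict


@dataclass
class IntervalMonitor:
    """Accumulates counters per 15-minute interval and raises at most one
    notification per counter per interval."""
    profile: AlarmProfile
    counts: dict = field(default_factory=dict)
    notified: set = field(default_factory=set)
    seconds: int = 0
    log: list = field(default_factory=list)

    def tick(self, counters):
        if self.seconds and self.seconds % INTERVAL_SECONDS == 0:
            self.counts.clear()      # a new collection interval starts
            self.notified.clear()
        self.seconds += 1
        for name in counters:
            self.counts[name] = self.counts.get(name, 0) + 1
            self._check(name)

    def _check(self, name):
        thresh = self.profile.thresholds.get(name, 0)
        if thresh == 0 or name in self.notified:
            return                   # disabled, or already sent this interval
        if self.counts[name] >= thresh:
            self.notified.add(name)
            self.log.append(
                (self.seconds, NOTIFICATIONS.get(name, f"<{name} notification>")))


def run_scenario():
    """Constructed two-interval scenario: ES threshold 3, SES threshold 2,
    LOFs disabled. Returns the (second, notification) log."""
    mon = IntervalMonitor(AlarmProfile({"ess": 3, "sess": 2, "lofs": 0}))
    for sec in range(2 * INTERVAL_SECONDS):
        crc, los, lof = 0, False, False
        if 10 <= sec <= 14 or 950 <= sec <= 952:
            crc = 1                  # a run of single CRC anomalies
        if sec == 20:
            crc = 20                 # burst: counts as ES and SES
        if sec == 21:
            los = True               # LOS: counts as ES, SES and LOSs
        if sec % 100 == 50:
            lof = True               # periodic LOF; its threshold is 0
        mon.tick(classify_second(crc, los, lof))
    return mon.log
```

The scenario produces exactly one ESs notification in each interval even though the first interval contains eight errored seconds, which is the once-per-interval behaviour the Command Usage text describes; the LOF seconds never alarm because their threshold is 0.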
DISPLAYING VDSL INFORMATION Displaying VDSL Information This section describes the commands used to display information on VDSL configuration settings, signal status, and communication statistics.
Table 29-9 Commands for Displaying VDSL Information (Continued)
Command                 Function                                                      Mode  Page
show lre noise-mgn      Displays the targeted signal-to-noise margin that VDSL        PE    29-74
                        ports must achieve to successfully complete initialization
show lre rate-adaption  Shows if line rate adaptation, which sets the optimal          PE    29-75
                        transmission rate based on existing line conditions, is
                        enabled or disabled
show lre config         Shows the VDSL configuration settings for an interface        PE    29-76
show lre line-
Command Usage
• Use this command without the interface parameter to display the band plans used for all VDSL ports on the switch, or with an interface to display the band plan used for a specific port.
• The band plan options provided by this switch are described by ITU-T Standards G.997 and G.998. The first field in the band plan designator indicates the ITU standard, the second field indicates the lower frequency bound, and the third field indicates the upper frequency bound.
Command Usage
• Use this command without the interface parameter to display the optional US0 band used for all VDSL ports on the switch, or with an interface to display the optional band used for a specific port.
• Refer to the lre option-band command on page 29-6 for a list of the frequency bounds for the optional band supported by this switch.
Example
This example shows the optional US0 band used for Port 1.
Example
This example shows that the HAM band in the 1.810 - 1.825 MHz range is blocked to VDSL signals for Port 1.
Console#sh lre ham-band 1/1
RFI-BAND01: 1.810 - 1.825 MHz: ANNEX F    :
RFI-BAND02: 1.810 - 2.000 MHz: ETSI, T1E1 :
RFI-BAND03: 1.9075 - 1.9125 MHz: ANNEX F  :
RFI-BAND04: 3.500 - 3.575 MHz: ANNEX F    :
RFI-BAND05: 3.500 - 3.800 MHz: ETSI       :
RFI-BAND06: 3.500 - 4.000 MHz: T1E1       :
RFI-BAND07: 3.747 - 3.754 MHz: ANNEX F    :
RFI-BAND08: 3.791 - 3.805 MHz: ANNEX F    :
RFI-BAND09: 7.
Command Usage
• Use this command without the interface parameter to display the HAM band usage filter used for all VDSL ports on the switch, or with an interface to display the filter used for a specific port.
• Refer to Table 29-5, “HAM Band Notches for Usage Types,” on page 29-10 for a list of the stop bands for radio usage types supported by this switch.
Example
This example shows that the amateur radio band in the 1.800 - 2.000 MHz range is blocked to VDSL signals for Port 1.
Related Commands
lre region-ham-band (29-9)

show lre psd
This command displays the power level set for each of the PSD breakpoints.
Syntax
show lre psd [unit/port]
• unit - Stack unit. (Range: 1)
• port - Port number. (Range: 1-16)
Command Mode
Privileged Exec
Command Usage
• Use this command without the interface parameter to display the PSD used for all VDSL ports on the switch, or with an interface to display the PSD used for a specific port.
3000 kHz  : -12 dBm/Hz
3008 kHz  : -12 dBm/Hz
3750 kHz  : -12 dBm/Hz
3758 kHz  : -12 dBm/Hz
4500 kHz  : -12 dBm/Hz
4508 kHz  : -12 dBm/Hz
5200 kHz  : -12 dBm/Hz
5208 kHz  : -12 dBm/Hz
7000 kHz  : -12 dBm/Hz
7008 kHz  : -12 dBm/Hz
8500 kHz  : -12 dBm/Hz
8508 kHz  : -12 dBm/Hz
12000 kHz : -12 dBm/Hz
12008 kHz : -12 dBm/Hz
16700 kHz : -12 dBm/Hz
16708 kHz : -12 dBm/Hz
16708 kHz : -12 dBm/Hz
17600 kHz : -12 dBm/Hz
17608 kHz : -12 dBm/Hz
18100 kHz : -12 dBm/Hz
18108 kHz : -12 dBm/Hz
30000 kHz : -12 d
Console#
Command Usage
• Use this command without the interface parameter to display the predefined PSD mask used for all VDSL ports on the switch, or with an interface to display the mask used for a specific port.
• Refer to Table 29-6, “PSD Mask Options,” on page 29-17 for a list of the PSD mask options supported by this switch.
Example
This example shows that the PSD mask defined in Annex F of ITU-T G.993.1 is being used for Port 1.
Example
This example shows the UPBO mask used for all upstream traffic.
Console#show lre pbo-config
CO Rx PSD constants
K1[0] = 0, K1[1] = -60000, K1[2] = -60000
K1[3] = -60000, K1[4] = 0, K1[5] = 0
CO Tx PSD constants
K2[0] = 0, K2[1] = -11200, K2[2] = -7419
K2[3] = -7419, K2[4] = 0, K2[5] = 0
Console#
Related Commands
lre pbo-config (29-18)

show lre upbo
This command shows if upstream power backoff is enabled or disabled.
Syntax
show lre upbo [unit/port]
• unit - Stack unit.
transceiver will automatically control upstream power backoff based on default values set by the DSP engine.
Example
This example shows that UPBO has been enabled on Port 1.
Console#sh lre upbo 1/1
UPBO status : Enable
Console#
Related Commands
lre upbo (29-19)

show lre tone
This command shows if VDSL signals are enabled or disabled at frequencies less than or equal to 640 kHz, 1.1 MHz or 2.2 MHz.
Syntax
show lre tone [unit/port]
• unit - Stack unit.
Related Commands
lre tone (29-21)

show lre interleave-max-delay
This command displays the maximum interleave delay that can be used for downstream and upstream channels.
Syntax
show lre interleave-max-delay [unit/port]
• unit - Stack unit. (Range: 1)
• port - Port number.

show lre datarate
This command displays the minimum and maximum data rate for downstream and upstream fast or slow (interleaved) channels.
Syntax
show lre datarate [unit/port]
• unit - Stack unit. (Range: 1)
• port - Port number. (Range: 1-16)
Command Mode
Privileged Exec
Command Usage
• Use this command without the interface parameter to show the data rate bounds for all VDSL ports on the switch, or with an interface to display this information for a specific port.

show lre noise-mgn
This command displays the targeted signal-to-noise margin that VDSL ports must achieve to successfully complete initialization.
Syntax
show lre noise-mgn [unit/port]
• unit - Stack unit. (Range: 1)
• port - Port number. (Range: 1-16)
Command Mode
Privileged Exec
Command Usage
• Use this command without the interface parameter to show the SNR target for all VDSL ports on the switch, or with an interface to display this information for a specific port.

show lre rate-adaption
This command shows if line rate adaptation, which sets the optimal transmission rate based on existing line conditions, is enabled or disabled.
Syntax
show lre rate-adaption [unit/port]
• unit - Stack unit. (Range: 1)
• port - Port number.

show lre config
This command shows the VDSL configuration settings for an interface.
Syntax
show lre config [unit/port]
• unit - Stack unit. (Range: 1)
• port - Port number. (Range: 1-16)
Command Mode
Privileged Exec
Command Usage
Use this command without the interface parameter to show the VDSL settings for all VDSL ports on the switch, or with an interface to display this information for a specific port.
Example
This example shows the VDSL configuration settings for Port 1.
Related Commands
lre apply (29-34)

show lre line-profile
This command displays a specified line profile which may be applied to selected VDSL ports.
Syntax
show lre line-profile [profile-name]
profile-name – Name of the profile. (Range: 1-31 alphanumeric characters)
Command Mode
Privileged Exec
Command Usage
Use this command without a profile name to show the settings for all configured line profiles, or with a profile name to display the settings for a specific profile.
Related Commands
line-profile (29-36)
lre line-profile (29-37)

show lre alarm-profile
This command displays a specified alarm profile which may be applied to selected VDSL ports.
Syntax
show lre alarm-profile [profile-name]
profile-name – Name of the profile.

show lre
This command displays the communication status of the VDSL line.
Syntax
show lre unit/port
• unit - Stack unit. (Range: 1)
• port - Port number.
Table 29-10 show lre - display description (Continued)
Field                        Description
Line Protection (Slow Path)  The minimum level of impulse noise protection for all bearer channels (see lre min-protection, page 29-23).
Downstream/Upstream delay    The maximum interleave delay (see lre interleave-max-delay, page 29-25).
Tx total power               The maximum aggregate transmit power over all signal bands for the specified interface.
FE Tx total power            The maximum transmit power used at the far end.
Example
Console#show lre phys-info 1/1
port 1/1 Phys info:
Phys current line rate       : 71680 kpbs
Phys current attainable rate : 72064 kpbs
Phys current output power    : 7.7 dbm
Phys current atn             : 1.4 dbm
Console#
Table 29-11 show lre phys-info - display description
Field                         Description
Phys current line rate        Current data rate in steps of 1000 bits/second.
Phys current attainable rate  Maximum currently attainable data rate in steps of 1000 bits/second.
Example
Console#show lre rate-info 1/1
port 1 Rate informaition :
Downstream line rate:               119040 kbps
Upstream line rate:                 115648 kbps
Fast Downstream payload rate:       0 kbps
Slow Downstream payload rate:       104960 kbps
Fast Upstream payload rate:         0 kbps
Slow Upstream payload rate:         101952 kbps
Downstream attainable payload rate: 110080 kbps
Downstream attainable line rate:    129664 kbps
Upstream attainable payload rate:   109696 kbps
Upstream attainable line rate:      124480 kbps
Console#
Table 29-12 show l
DISPLAYING VDSL INFORMATION Command Usage Use this command without the interface parameter to show performance information for all VDSL ports on the switch, or with an interface to display this information for a specific port. For a description of the displayed items, refer to the “Alarm Profile Commands” on page 29-51.
Table 29-13 show lre phys-info - display description (Continued)
Field                     Description
Loss of power             Number of seconds during which there was loss of power
Errored seconds           Number of seconds during which there was one or more CRC anomalies, or one or more Loss of Signal (LOS) or Loss of Framing (LOF) defects
Severely errored seconds  Number of seconds containing 18 or more CRC-8 anomalies, one or more Loss of Signal (LOS) defects, one or more Severely Errored Frame (SEF) defects, or one or mo
Table 29-13 show lre phys-info - display description (Continued)
Field         Description
Ethernet Transmit Performance Counters
Frames        Number of frames (unicast, broadcast and multicast) transmitted.
Bytes         Number of bytes of data transmitted onto the network. This statistic can be used as a reasonable indication of Ethernet utilization.
Pause Frames  Number of MAC Control frames transmitted with an opcode indicating the PAUSE operation.
High-Level Data-Link Control (H.D.L.C.
CPE Configuration
This section describes operation and maintenance (OAM) functions for remote customer premises equipment (CPE), including upgrading firmware.
Example
Console(config)#interface ethernet 1/1
Console(config-if)#oam local clear counter
port 1 : success to clear perfermance counters!
Console(config-if)#

efm remote eeprom-write
This command enables firmware upgrade on the CPE.
Example
This example shows how to copy BME firmware for CPEs to a reserved buffer on the switch, copy this firmware to a remote CPE, and then activate the new firmware.
Console#show cpe-info 1/16
Protocol ID:               Ikanos EOC Protocol
Protocol Version - Major:  01
Protocol Version - Minor:  01
Vendor ID (Value):         ffffffff (HEX), -1 (DECIMAL)
Host Application Version:  7.2.5r7IK104012
BME Firmware Version:      Firmware-VTU-R:7.2.
Console#configure
Console(config)#interface ethernet 1/16
Console(config-if)#oam remote upgrade firmware
Console(config)#end
Console#show cpe-info 1/16
Protocol ID:               Ikanos EOC Protocol
Protocol Version - Major:  01
Protocol Version - Minor:  01
Vendor ID (Value):         ffffffff (HEX), -1 (DECIMAL)
Host Application Version:  7.2.5r7IK104012
BME Firmware Version:      Firmware-VTU-R:7.2.5r7 Time May 19 2006, RTOS Nucleus
AFE Hardware Version:      AFE <--:-->
IFE Hardware Version:      IFE
Related Commands
oam remote upgrade firmware (page 29-90)
oam remote firmware active (page 29-90)

oam remote upgrade firmware
This command copies BME firmware to the CPE.
Command Mode
Interface Configuration
Command Usage
• BME indicates the Burst Mode Engine used for digital signal processing.
• Two firmware files can be stored on a CPE. The oam remote upgrade firmware command copies firmware to buffer space for the inactive version.

oam remote firmware active
Command Usage
• BME indicates the Burst Mode Engine used for digital signal processing.
• This command activates the firmware version currently in inactive state. It can therefore be used to activate the firmware version copied to the CPE by the oam remote upgrade firmware command (page 29-90).
Example
Console#show cpe-info 1/1
Protocol ID:               Ikanos EOC Protocol
Protocol Version - Major:  01
Protocol Version - Minor:  01
Vendor ID (Value):         ffffffff (HEX), -1 (DECIMAL)
Host Application Version:  7.2.5r7IK104012
BME Firmware Version:      Firmware-VTU-R:7.2.5r7 Time May 19 2006, RTOS Nucleus
AFE Hardware Version:      AFE <--:-->
IFE Hardware Version:      IFE <0:a10>
Firmware Number:           2
Active Version:            2
verId 1:                   NULL
verId 2:                   104012IK7.2.
CHAPTER 30 ADDRESS TABLE COMMANDS These commands are used to configure the address table for filtering specified addresses, displaying current entries, clearing the table, or setting the aging time.
ADDRESS TABLE COMMANDS

mac-address-table static
This command maps a static address to a destination port in a VLAN. Use the no form to remove an address.
Syntax
mac-address-table static mac-address interface interface vlan vlan-id [action]
no mac-address-table static mac-address vlan vlan-id
• mac-address - MAC address.
• interface
  • ethernet unit/port
    - unit - Stack unit. (Range: 1)
    - port - Port number.
• A static address cannot be learned on another port until the address is removed with the no form of this command.
Example
Console(config)#mac-address-table static 00-e0-29-94-34-de interface ethernet 1/1 vlan 1 delete-on-reset
Console(config)#

clear mac-address-table dynamic
This command removes any learned entries from the forwarding database and clears the transmit and receive counts for any static or system configured entries.

show mac-address-table
This command shows classes of entries in the bridge-forwarding database.
Syntax
show mac-address-table [address mac-address [mask]] [interface interface] [vlan vlan-id] [sort {address | vlan | interface}]
• mac-address - MAC address.
• mask - Bits to match in the address.
• interface
  • ethernet unit/port
    - unit - Stack unit. (Range: 1)
    - port - Port number.
• The maximum number of address entries is 8191.
Example
Console#show mac-address-table
 Interface MAC Address       VLAN Type
 --------- ----------------- ---- -----------------
 Eth 1/ 1  00-e0-29-94-34-de    1 Delete-on-reset
Console#

mac-address-table aging-time
This command sets the aging time for entries in the address table. Use the no form to restore the default aging time.
Syntax
mac-address-table aging-time seconds
no mac-address-table aging-time
seconds - Aging time.
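As an added example (not SMC code) of using the show mac-address-table output above for a configuration audit, the Python below parses rows in the format the switch prints, then compares the static entries against an operator-maintained map of which MAC belongs on which port; a MAC with no static entry, a static entry on an unexpected port, and an entry configured with the delete-on-reset action are each reported. Only the first row of the sample output is the page's own; the remaining rows, the entry types Permanent and Learned, and the expected map are constructed for this illustration.

```python
import re

# Constructed sample in the format shown on this page; only the first data
# row is taken from the page's example, the rest are made up for this demo.
SAMPLE_OUTPUT = """\
Console#show mac-address-table
 Interface MAC Address       VLAN Type
 --------- ----------------- ---- -----------------
 Eth 1/ 1  00-e0-29-94-34-de    1 Delete-on-reset
 Eth 1/ 2  00-e0-29-11-22-33    1 Permanent
 Eth 1/ 4  00-e0-29-aa-bb-cc    1 Delete-on-reset
 Eth 1/ 3  00-e0-29-dd-ee-ff    1 Learned
Console#"""

# One table row: interface, dashed MAC, VLAN id, entry type.
ENTRY_RE = re.compile(
    r"^\s*(?P<iface>Eth\s+\d+/\s*\d+|Trunk\s+\d+)\s+"
    r"(?P<mac>(?:[0-9a-f]{2}-){5}[0-9a-f]{2})\s+"
    r"(?P<vlan>\d+)\s+(?P<type>[\w-]+)\s*$",
    re.IGNORECASE,
)


def parse_mac_table(text):
    """Return a list of {iface, mac, vlan, type} dicts, one per table row;
    the prompt, header and rule lines do not match and are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue
        # "Eth 1/ 1" as printed becomes "Eth 1/1"
        iface = " ".join(m["iface"].split()).replace("/ ", "/")
        entries.append({
            "iface": iface,
            "mac": m["mac"].lower(),
            "vlan": int(m["vlan"]),
            "type": m["type"],
        })
    return entries


def check_pinning(entries, expected):
    """Compare static (non-learned) entries against an expected {mac: iface}
    map and return a list of human-readable findings."""
    findings = []
    by_mac = {}
    for e in entries:
        by_mac.setdefault(e["mac"], []).append(e)
    for mac, iface in expected.items():
        seen = by_mac.get(mac.lower(), [])
        statics = [e for e in seen if e["type"].lower() != "learned"]
        if not statics:
            findings.append(f"{mac}: no static entry")
            continue
        for e in statics:
            if e["iface"] != iface:
                findings.append(f"{mac}: static on {e['iface']}, expected {iface}")
            if e["type"].lower() == "delete-on-reset":
                findings.append(
                    f"{mac}: static entry is delete-on-reset (not retained across a reset)")
    return findings


EXPECTED = {  # constructed expectation for the sample output above
    "00-e0-29-94-34-de": "Eth 1/1",
    "00-e0-29-11-22-33": "Eth 1/2",
    "00-e0-29-aa-bb-cc": "Eth 1/3",
    "00-e0-29-dd-ee-ff": "Eth 1/3",
}


def audit_sample():
    """Run the check over the constructed sample; returns the findings."""
    return check_pinning(parse_mac_table(SAMPLE_OUTPUT), EXPECTED)
```

Run against output saved from the switch, the same two functions flag a MAC that was expected on one port but statically mapped to another before the entry is relied on; the delete-on-reset finding is informational, since such an entry disappears when the switch resets.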
show mac-address-table aging-time
This command shows the aging time for entries in the address table.
Default Setting
None
Command Mode
Privileged Exec
Example
Console#show mac-address-table aging-time
Aging time: 300 sec.
CHAPTER 31 SPANNING TREE COMMANDS This section includes commands that configure the Spanning Tree Algorithm (STA) globally for the switch, and commands that configure STA for the selected interface.
Table 31-1 Spanning Tree Commands (Continued)
Command                          Function                                                                           Mode  Page
revision                         Configures the revision number for the MST multiple spanning tree                        31-14
max-hops                         Configures the maximum number of hops allowed in the region before a BPDU is discarded   31-14
spanning-tree spanning-disabled  Disables spanning tree for an interface                                            IC    31-15
spanning-tree cost               Configures the spanning tree path cost of an interface                             IC    31-16
spanning-tree port-priority      Configures the spanning tree priorit
spanning-tree
This command enables the Spanning Tree Algorithm globally for the switch. Use the no form to disable it.
Syntax
[no] spanning-tree
Default Setting
Spanning tree is enabled.
Command Mode
Global Configuration
Command Usage
The Spanning Tree Algorithm (STA) can be used to detect and disable network loops, and to provide backup links between switches, bridges or routers.

spanning-tree mode
This command selects the spanning tree mode for this switch. Use the no form to restore the default.
Syntax
spanning-tree mode {stp | rstp | mstp}
no spanning-tree mode
• stp - Spanning Tree Protocol (IEEE 802.1D)
• rstp - Rapid Spanning Tree Protocol (IEEE 802.1w)
• mstp - Multiple Spanning Tree (IEEE 802.1s)
Default Setting
rstp
Command Mode
Global Configuration
Command Usage
• Spanning Tree Protocol
  Uses RSTP for the internal state machine, but sends only 802.
restarts the migration delay timer and begins using RSTP BPDUs on that port.
• Multiple Spanning Tree Protocol
  - To allow multiple spanning trees to operate over the network, you must configure a related set of bridges with the same MSTP configuration, allowing them to participate in a specific set of spanning tree instances.
  - A spanning tree instance can exist only on bridges that have compatible VLAN instance assignments.
Command Usage
This command sets the maximum time (in seconds) the root device will wait before changing states (i.e., discarding to learning to forwarding). This delay is required because every device must receive information about topology changes before it starts to forward frames. In addition, each port needs time to listen for conflicting information that would make it return to the discarding state; otherwise, temporary data loops might result.
Related Commands
spanning-tree forward-time (31-5)
spanning-tree max-age (31-7)

spanning-tree max-age
This command configures the spanning tree bridge maximum age globally for this switch. Use the no form to restore the default.
Syntax
spanning-tree max-age seconds
no spanning-tree max-age
seconds - Time in seconds. (Range: 6-40 seconds)
The minimum value is the higher of 6 or [2 x (hello-time + 1)].
The maximum value is the lower of 40 or [2 x (forward-time - 1)].
Related Commands
spanning-tree forward-time (31-5)
spanning-tree hello-time (31-6)

spanning-tree priority
This command configures the spanning tree priority globally for this switch. Use the no form to restore the default.
Syntax
spanning-tree priority priority
no spanning-tree priority
priority - Priority of the bridge.

spanning-tree pathcost method
This command configures the path cost method used for Rapid Spanning Tree and Multiple Spanning Tree. Use the no form to restore the default.
Syntax
spanning-tree pathcost method {long | short}
no spanning-tree pathcost method
• long - Specifies 32-bit based values that range from 1-200,000,000. This method is based on the IEEE 802.1w Rapid Spanning Tree Protocol.
• short - Specifies 16-bit based values that range from 1-65535.

spanning-tree transmission-limit
This command configures the minimum interval between the transmission of consecutive RSTP/MSTP BPDUs. Use the no form to restore the default.
Syntax
spanning-tree transmission-limit count
no spanning-tree transmission-limit
count - The transmission limit in seconds. (Range: 1-10)
Default Setting
3
Command Mode
Global Configuration
Command Usage
This command limits the maximum transmission rate for BPDUs.
Related Commands
mst vlan (31-11)
mst priority (31-12)
name (31-13)
revision (31-14)
max-hops (31-14)

mst vlan
This command adds VLANs to a spanning tree instance. Use the no form to remove the specified VLANs. Use the no form without any VLAN parameters to remove all VLANs.
Syntax
[no] mst instance_id vlan vlan-range
• instance_id - Instance identifier of the spanning tree. (Range: 0-4094)
• vlan-range - Range of VLANs.
instance (on each bridge) with the same set of VLANs. Also, note that RSTP treats each MSTI region as a single node, connecting all regions to the Common Spanning Tree.
Example
Console(config-mstp)#mst 1 vlan 2-5
Console(config-mstp)#

mst priority
This command configures the priority of a spanning tree instance. Use the no form to restore the default.
Syntax
mst instance_id priority priority
no mst instance_id priority
• instance_id - Instance identifier of the spanning tree.
Example
Console(config-mstp)#mst 1 priority 4096
Console(config-mstp)#

name
This command configures the name for the multiple spanning tree region in which this switch is located. Use the no form to clear the name.
Syntax
name name
name - Name of the spanning tree.
Default Setting
Switch’s MAC address
Command Mode
MST Configuration
Command Usage
The MST region name and revision number (page 31-14) are used to designate a unique MST region. A bridge (i.e.

revision
This command configures the revision number for this multiple spanning tree configuration of this switch. Use the no form to restore the default.
Syntax
revision number
number - Revision number of the spanning tree. (Range: 0-65535)
Default Setting
0
Command Mode
MST Configuration
Command Usage
The MST region name (page 31-13) and revision number are used to designate a unique MST region. A bridge (i.e.
Default Setting
20
Command Mode
MST Configuration
Command Usage
An MSTI region is treated as a single node by the STP and RSTP protocols. Therefore, the message age for BPDUs inside an MSTI region is never changed. However, each spanning tree instance within a region, and the internal spanning tree (IST) that connects these instances, use a hop count to specify the maximum number of bridges that will propagate a BPDU.
Example
This example disables the spanning tree algorithm for port 5.
Console(config)#interface ethernet 1/5
Console(config-if)#spanning-tree spanning-disabled
Console(config-if)#

spanning-tree cost
This command configures the spanning tree path cost for the specified interface. Use the no form to restore the default auto-configuration mode.
Syntax
spanning-tree cost cost
no spanning-tree cost
cost - The path cost for the port.
Default Setting
By default, the system automatically detects the speed and duplex mode used on each port, and configures the path cost according to the values shown below. Path cost “0” is used to indicate auto-configuration mode. When the short path cost method is selected and the default path cost recommended by the IEEE 802.1w standard exceeds 65,535, the default is set to 65,535.
Table 31-4 Default STA Path Costs
Port Type  Link Type  IEEE 802.
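To check these constraints before a value is typed into the CLI, here is an added Python example (illustration only, not SMC code): max_age_bounds applies the two formulas given under spanning-tree max-age, validate_path_cost applies the long and short ranges given under spanning-tree pathcost method, and effective_default_cost applies the 65,535 cap described above. The hello-time of 2 and forward-time of 15 used as sample inputs are the defaults shown in the show spanning-tree output later in this chapter; the 2,000,000 sample cost is a constructed input.

```python
def max_age_bounds(hello_time, forward_time):
    """(low, high) for spanning-tree max-age in seconds:
    low  = the higher of 6 or 2 x (hello-time + 1)
    high = the lower of 40 or 2 x (forward-time - 1)"""
    low = max(6, 2 * (hello_time + 1))
    high = min(40, 2 * (forward_time - 1))
    return low, high


def validate_max_age(max_age, hello_time, forward_time):
    """Return (ok, message) for a proposed max-age against the bridge's
    current hello-time and forward-time."""
    low, high = max_age_bounds(hello_time, forward_time)
    if low > high:
        return False, (f"no valid max-age: hello-time {hello_time} and "
                       f"forward-time {forward_time} conflict")
    if not low <= max_age <= high:
        return False, f"max-age {max_age} outside {low}-{high}"
    return True, "ok"


# Ranges from the spanning-tree pathcost method command.
PATH_COST_RANGE = {"long": (1, 200_000_000), "short": (1, 65535)}


def validate_path_cost(cost, method="long"):
    """0 selects auto-configuration and is accepted with either method."""
    if cost == 0:
        return True
    low, high = PATH_COST_RANGE[method]
    return low <= cost <= high


def effective_default_cost(ieee_default, method):
    """Default cost derived from link speed: with the short method an IEEE
    802.1w recommendation above 65,535 is capped at 65,535."""
    if method == "short" and ieee_default > 65535:
        return 65535
    return ieee_default


if __name__ == "__main__":
    print(max_age_bounds(2, 15))            # bounds with the default timers
    print(validate_max_age(30, 2, 15))      # too large for forward-time 15
    print(validate_path_cost(70000, "short"))
```

The conflict branch in validate_max_age matters in practice: a hello-time of 10 with a forward-time of 4 leaves no max-age that satisfies both formulas, so the timers themselves have to be changed rather than the max-age.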
spanning-tree port-priority
This command configures the priority for the specified interface. Use the no form to restore the default.
Syntax
spanning-tree port-priority priority
no spanning-tree port-priority
priority - The priority for a port. (Range: 0-240, in steps of 16)
Default Setting
128
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
• This command defines the priority for the use of a port in the Spanning Tree Algorithm.
Default Setting
Disabled
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
• You can enable this option if an interface is attached to a LAN segment that is at the end of a bridged LAN or to an end node. Since end nodes cannot cause forwarding loops, they can pass directly through to the spanning tree forwarding state.
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
• This command is used to enable/disable the fast spanning-tree mode for the selected port. In this mode, ports skip the Discarding and Learning states, and proceed straight to Forwarding.
• Since end-nodes cannot cause forwarding loops, they can be passed through the spanning tree state changes more quickly than allowed by standard convergence time.

spanning-tree link-type
This command configures the link type for Rapid Spanning Tree and Multiple Spanning Tree. Use the no form to restore the default.
Syntax
spanning-tree link-type {auto | point-to-point | shared}
no spanning-tree link-type
• auto - Automatically derived from the duplex mode setting.
• point-to-point - Point-to-point link.
• shared - Shared medium.

spanning-tree mst cost
This command configures the path cost on a spanning instance in the Multiple Spanning Tree. Use the no form to restore the default auto-configuration mode.
Syntax
spanning-tree mst instance_id cost cost
no spanning-tree mst instance_id cost
• instance_id - Instance identifier of the spanning tree. (Range: 0-4094, no leading zeroes)
• cost - Path cost for an interface.
should be assigned to interfaces attached to faster media, and higher values assigned to interfaces with slower media.
• Use the no spanning-tree mst cost command to specify auto-configuration mode.
• Path cost takes precedence over interface priority.
Where more than one interface is assigned the highest priority, the interface with the lowest numeric identifier will be enabled.
Example
Console(config)#interface ethernet 1/5
Console(config-if)#spanning-tree mst 1 port-priority 0
Console(config-if)#
Related Commands
spanning-tree mst cost (31-22)

spanning-tree protocol-migration
This command re-checks the appropriate BPDU format to send on the selected interface.
Example
Console#spanning-tree protocol-migration eth 1/5
Console#

show spanning-tree
This command shows the configuration for the common spanning tree (CST) or for an instance within the multiple spanning tree (MST).
Syntax
show spanning-tree [interface | mst instance_id]
• interface
  • ethernet unit/port
    - unit - Stack unit. (Range: 1)
    - port - Port number. (Range: 1-19)
  • port-channel channel-id (Range: 1-12)
• instance_id - Instance identifier of the multiple spanning tree.
description of the items displayed for specific interfaces, see “Displaying Interface Settings” on page 12-13.
Example
Console#show spanning-tree
Spanning-tree information
---------------------------------------------------------------
Spanning tree mode:            MSTP
Spanning tree enable/disable:  enable
Instance:                      0
Vlans configuration:           1-4093
Priority:                      32768
Bridge Hello Time (sec.):      2
Bridge Max Age (sec.):         20
Bridge Forward Delay (sec.):   15
Root Hello Time (sec.):        2
Root Max Age (sec.
SHOW SPANNING-TREE MST CONFIGURATION show spanning-tree mst configuration This command shows the configuration of the multiple spanning tree.
SPANNING TREE COMMANDS 31-28
CHAPTER 32 VLAN COMMANDS

A VLAN is a group of ports that can be located anywhere in the network, but communicate as though they belong to the same physical segment. This section describes commands used to create VLAN groups, add port members, specify how VLAN tagging is used, and enable automatic VLAN registration for the selected interface.

GVRP and Bridge Extension Commands

GARP VLAN Registration Protocol defines a way for switches to exchange VLAN information in order to automatically register VLAN members on interfaces across the network. This section describes how to enable GVRP for individual interfaces and globally for the switch, as well as how to display default configuration settings for the Bridge Extension MIB.

bridge-ext gvrp

Command Usage
  GVRP defines a way for switches to exchange VLAN information in order to register VLAN members on ports across the network. This function should be enabled to permit automatic VLAN registration, and to support VLANs which extend beyond the local switch.

Example
  Console(config)#bridge-ext gvrp
  Console(config)#

show bridge-ext

This command shows the configuration for bridge extension commands.

switchport gvrp

This command enables GVRP for a port. Use the no form to disable it.

Syntax
  [no] switchport gvrp

Default Setting
  Disabled

Command Mode
  Interface Configuration (Ethernet, Port Channel)

Example
  Console(config)#interface ethernet 1/1
  Console(config-if)#switchport gvrp
  Console(config-if)#

show gvrp configuration

This command shows if GVRP is enabled.

Syntax
  show gvrp configuration [interface]
  interface
    • ethernet unit/port
      - unit - Stack unit. (Range: 1)
      - port - Port number.

garp timer

This command sets the values for the join, leave and leaveall timers. Use the no form to restore the timers’ default values.

Syntax
  garp timer {join | leave | leaveall} timer_value
  no garp timer {join | leave | leaveall}
  • {join | leave | leaveall} - Timer to set.
  • timer_value - Value of timer.

Example
  Console(config)#interface ethernet 1/1
  Console(config-if)#garp timer join 100
  Console(config-if)#

Related Commands
  show garp timer (32-6)

show garp timer

This command shows the GARP timers for the selected interface.

Syntax
  show garp timer [interface]
  interface
    • ethernet unit/port
      - unit - Stack unit. (Range: 1)
      - port - Port number. (Range: 1-19)
    • port-channel channel-id (Range: 1-12)

Default Setting
  Shows all GARP timers.

Editing VLAN Groups

Table 32-3 Commands for Editing VLAN Groups
  Command        Function                                                    Mode  Page
  vlan database  Enters VLAN database mode to add, change, and delete VLANs  GC    32-7
  vlan           Configures a VLAN, including VID, name and state            VC    32-8

vlan database

This command enters VLAN database mode. All commands in this mode will take effect immediately.

vlan

This command configures a VLAN. Use the no form to restore the default settings or delete a VLAN.

Syntax
  vlan vlan-id [name vlan-name] media ethernet [state {active | suspend}]
  no vlan vlan-id [name | state]
  • vlan-id - ID of configured VLAN. (Range: 1-4093, no leading zeroes)
  • name - Keyword to be followed by the VLAN name.
    - vlan-name - ASCII string from 1 to 32 characters.
  • media ethernet - Ethernet media type.
  • state - Keyword to be followed by the VLAN state.

Related Commands
  show vlan (32-16)

Configuring VLAN Interfaces

Table 32-4 Commands for Configuring VLAN Interfaces
  Command                            Function                                                  Mode  Page
  interface vlan                     Enters interface configuration mode for a specified VLAN  IC
  switchport mode                    Configures VLAN membership mode for an interface          IC    32-10
  switchport acceptable-frame-types  Configures frame types to be accepted by an interface     IC    32-11
  switchport ingress-filtering       Enables ingress filtering on an interface                 IC    32-12

interface vlan

Default Setting
  None

Command Mode
  Global Configuration

Example
  The following example shows how to set the interface configuration mode to VLAN 1, and then assign an IP address to the VLAN:
  Console(config)#interface vlan 1
  Console(config-if)#ip address 192.168.1.254 255.255.255.0
  Console(config-if)#

Related Commands
  shutdown (25-10)

switchport mode

This command configures the VLAN membership mode for a port. Use the no form to restore the default.

Example
  The following shows how to set the configuration mode to port 1, and then set the switchport mode to hybrid:
  Console(config)#interface ethernet 1/1
  Console(config-if)#switchport mode hybrid
  Console(config-if)#

Related Commands
  switchport acceptable-frame-types (32-11)

switchport acceptable-frame-types

This command configures the acceptable frame types for a port. Use the no form to restore the default.

Related Commands
  switchport mode (32-10)

switchport ingress-filtering

This command enables ingress filtering for an interface. Use the no form to restore the default.

Syntax
  [no] switchport ingress-filtering

Default Setting
  Disabled

Command Mode
  Interface Configuration (Ethernet, Port Channel)

Command Usage
  • Ingress filtering only affects tagged frames.

switchport native vlan

This command configures the PVID (i.e., default VLAN ID) for a port. Use the no form to restore the default.

Syntax
  switchport native vlan vlan-id
  no switchport native vlan
  vlan-id - Default VLAN ID for a port.

switchport allowed vlan

This command configures VLAN groups on the selected interface. Use the no form to restore the default.

Syntax
  switchport allowed vlan {add vlan-list [tagged | untagged] | remove vlan-list}
  no switchport allowed vlan
  • add vlan-list - List of VLAN identifiers to add.
  • remove vlan-list - List of VLAN identifiers to remove.
  • vlan-list - Separate nonconsecutive VLAN identifiers with a comma and no spaces; use a hyphen to designate a range of IDs.

Command Usage
  • If a VLAN on the forbidden list for an interface is manually added to that interface, the VLAN is automatically removed from the forbidden list for that interface.

Example
  The following example shows how to add VLANs 1, 2, 5 and 6 to the allowed list as tagged VLANs for port 1:
  Console(config)#interface ethernet 1/1
  Console(config-if)#switchport allowed vlan add 1,2,5,6 tagged
  Console(config-if)#

switchport forbidden vlan

This command configures forbidden VLANs.

Example
  The following example shows how to prevent port 1 from being added to VLAN 3:
  Console(config)#interface ethernet 1/1
  Console(config-if)#switchport forbidden vlan add 3
  Console(config-if)#

Displaying VLAN Information

This section describes commands used to display VLAN information.

show vlan

Example
  The following example shows how to display information for VLAN 1:
  Console#show vlan id 1
  VLAN ID:             1
  Type:                Static
  Name:                DefaultVlan
  Status:              Active
  Ports/Port Channels: Eth1/ 1(S) Eth1/ 2(S) Eth1/ 3(S) Eth1/ 4(S) Eth1/ 5(S)
                       Eth1/ 6(S) Eth1/ 7(S) Eth1/ 8(S) Eth1/ 9(S) Eth1/10(S)
                       Eth1/11(S) Eth1/12(S) Eth1/13(S) Eth1/14(S) Eth1/15(S)
                       Eth1/16(S) Eth1/17(S) Eth1/18(S) Eth1/19(S)
  Console#

Configuring Private VLANs

Private VLANs provide port-based security and isolation between ports within the VLAN.

Default Setting
  No private VLANs are defined. No default group exists.

Command Mode
  Global Configuration

Command Usage
  • A private VLAN provides port-based security and isolation between ports within the VLAN. Data traffic on the downlink ports can only be forwarded to, and from, the uplink port. Data cannot pass between downlink ports in the same private VLAN group, in other private VLAN groups, nor to ports which do not belong to a private VLAN.

show pvlan

This command displays the configured private VLAN.

Command Mode
  Privileged Exec

Example
  This example shows the information displayed when no group is defined.

Configuring Protocol-based VLANs

The network devices required to support multiple protocols cannot be easily grouped into a common VLAN. This may require non-standard devices to pass traffic between different VLANs in order to encompass all the devices participating in a specific protocol. This kind of configuration deprives users of the basic benefits of VLANs, including security and easy accessibility.

  3. Then map the protocol for each interface to the appropriate VLAN using the protocol-vlan protocol-group command (Interface Configuration mode).

protocol-vlan protocol-group (Configuring Groups)

This command creates a protocol group, or adds specific protocols to a group. Use the no form to remove a protocol group.

protocol-vlan protocol-group (Configuring Interfaces)

This command maps a protocol group to a VLAN for the current interface. Use the no form to remove the protocol mapping for this interface.

Syntax
  protocol-vlan protocol-group group-id vlan vlan-id
  no protocol-vlan protocol-group group-id vlan
  • group-id - Group identifier of this protocol group. (Range: 1-2147483647)
  • vlan-id - VLAN to which matching protocol traffic is forwarded.

Example
  The following example maps the traffic entering Port 1 which matches the protocol type specified in protocol group 1 to VLAN 2.
  Console(config)#interface ethernet 1/1
  Console(config-if)#protocol-vlan protocol-group 1 vlan 2
  Console(config-if)#

show protocol-vlan protocol-group

This command shows the frame and protocol type associated with protocol groups.

Syntax
  show protocol-vlan protocol-group [group-id]
  group-id - Group identifier for a protocol group.

show interfaces protocol-vlan protocol-group

This command shows the mapping from protocol groups to VLANs for the selected interfaces.

Syntax
  show interfaces protocol-vlan protocol-group [interface]
  interface
    • ethernet unit/port
      - unit - Stack unit. (Range: 1)
      - port - Port number. (Range: 1-19)
    • port-channel channel-id (Range: 1-12)

Default Setting
  The mapping for all interfaces is displayed.

Configuring IEEE 802.1Q Tunneling

QinQ tunneling uses a single Service Provider VLAN (SPVLAN) for customers who have multiple VLANs. Customer VLAN IDs are preserved and traffic from different customers is segregated within the service provider’s network even when they use the same customer-specific VLAN IDs.

  5. Configure the QinQ tunnel port to join the SPVLAN as an untagged member (switchport allowed vlan, page 32-14).
  6. Configure the SPVLAN ID as the native VID on the QinQ tunnel port (switchport native vlan, page 32-13).
  7. Configure the QinQ uplink port to join the SPVLAN as a tagged member (switchport allowed vlan, page 32-14).

Limitations for QinQ
  1. The native VLAN for the uplink ports and tunnel ports cannot be the same.

Command Usage
  • The packet must have a standard ethertype value of 0x8100 for this command to take effect. Otherwise, the priority bits in the outer tag are set to zero.
  • Using a fixed priority level for all customer traffic allows the service provider to more easily calculate the resources required to maintain adequate bandwidth for a large number of customers.

  ... to the service provider’s outer tag. The Tag Protocol Identifier (TPID) of the tunnel port is used for the outer tag. The default is the standard ethertype value 0x8100, but it may be changed to a non-standard value using the switchport dot1q-ethertype command (page 32-29). The tunnel port’s native VLAN is used to process inbound packets. This can be modified using the switchport native vlan command (page 32-13).

switchport dot1q-ethertype

This command sets the Tag Protocol Identifier (TPID) value of a tunnel port. Use the no form to restore the default setting.

Syntax
  switchport dot1q-ethertype tpid
  no switchport dot1q-ethertype
  tpid – Sets the ethertype value for 802.1Q encapsulation. This identifier is used to select a nonstandard 2-byte ethertype to identify 802.1Q tagged frames. The standard ethertype value is 0x8100.
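Added example (not from the SMC manual): a small Python model of the double tagging a QinQ tunnel port performs, so the effect of the TPID set with switchport dot1q-ethertype and the outer-tag priority rule quoted above can be checked on raw frames. MAC addresses and payloads are constructed; the behaviour follows the rules stated on this page, not the switch firmware.

```python
import struct

TPID_8021Q = 0x8100          # standard ethertype for 802.1Q tagged frames
ETHERTYPE_IPV4 = 0x0800


def build_tag(tpid, pcp, vid):
    """Return a 4-byte VLAN tag: TPID, then TCI = PCP(3) | DEI(1) | VID(12).
    802.1Q allows VIDs 1-4094; this switch's vlan command accepts 1-4093."""
    if not 0 <= pcp <= 7 or not 1 <= vid <= 4094:
        raise ValueError("pcp must be 0-7 and vid 1-4094")
    return struct.pack("!HH", tpid, (pcp << 13) | vid)


def sample_customer_frame(vid=None, pcp=0):
    """Constructed sample frame (made-up MAC addresses) carrying an IPv4
    payload, optionally with a standard 802.1Q customer tag."""
    dst = bytes.fromhex("001122334455")
    src = bytes.fromhex("66778899aabb")
    tag = build_tag(TPID_8021Q, pcp, vid) if vid is not None else b""
    return dst + src + tag + struct.pack("!H", ETHERTYPE_IPV4) + b"\x45" + b"\x00" * 19


def tunnel_ingress(customer_frame, spvlan, tunnel_tpid=TPID_8021Q, priority=None):
    """Model a QinQ tunnel port pushing the service-provider outer tag.

    The outer tag uses the tunnel port's TPID and the SPVLAN ID. Its priority
    bits are copied from the customer tag only when that tag carries the
    standard 0x8100 ethertype; otherwise they are set to zero, as the manual
    states. A fixed priority (0-7) overrides that for all customer traffic.
    The customer's own tag, if any, is preserved untouched behind the outer tag.
    """
    dst, src = customer_frame[:6], customer_frame[6:12]
    inner_ethertype = struct.unpack("!H", customer_frame[12:14])[0]
    if priority is not None:
        pcp = priority
    elif inner_ethertype == TPID_8021Q:
        pcp = struct.unpack("!H", customer_frame[14:16])[0] >> 13
    else:
        pcp = 0
    outer = build_tag(tunnel_tpid, pcp, spvlan)
    return dst + src + outer + customer_frame[12:]


def parse_tags(frame, tpids=(TPID_8021Q,)):
    """Return ([(tpid, pcp, vid), ...], payload_ethertype) for a frame.

    Only ethertypes listed in tpids are treated as VLAN tags. A device that
    knows only 0x8100 therefore sees a 0x9100 outer tag as an opaque payload,
    which is why both ends of the provider link must agree on the TPID.
    """
    tags, off = [], 12
    while True:
        ethertype = struct.unpack("!H", frame[off:off + 2])[0]
        if ethertype not in tpids:
            return tags, ethertype
        tci = struct.unpack("!H", frame[off + 2:off + 4])[0]
        tags.append((ethertype, tci >> 13, tci & 0x0FFF))
        off += 4
```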
Example
  Console(config)#interface ethernet 1/1
  Console(config-if)#switchport dot1q-ethertype 9100
  Console(config-if)#

Related Commands
  show interfaces switchport (page 25-16)

Configuring VLAN Swapping

QinQ tunneling uses double tagging to preserve the customer’s VLAN tags on traffic crossing the service provider’s network.

  ... uplink port (using the command parameters – input VLAN ID, output VLAN ID, and uplink interface).
  3. Enter Interface Configuration mode for the uplink port, and map the service provider’s VLAN ID to the customer’s VLAN ID for traffic forwarded to the downlink port (using the command parameters – input VLAN ID, output VLAN ID, and downlink interface).

switchport vlan swap

This command maps VLAN IDs between uplink and downlink ports.

Command Usage
  • VLAN swapping only supports one-to-one mapping of VLAN IDs between a VDSL port and an uplink port.
  • VLAN IDs must be mapped for both the upstream and downstream direction.
  • The maximum number of VLAN swap entries is 64 per port group (port groups 1-8, 9-16, 17, and 18). However, note that configuring a large number of entries may degrade the performance of other processes that also use the Fast Forwarding Processor (FFP) table, such as access lists, rate limiting, and IP filtering.

show vlan swap

Example
  Console#show vlan swap
  vlan-swap enable
  ethernet 1/1
    invlan  outvlan  outport
    1       100      1/18
  ethernet 1/18
    invlan  outvlan  outport
    100     1        1/1
  Console#
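Added example (not from the SMC manual): a Python model of the VLAN swap table that enforces the rules listed under Command Usage (one-to-one mapping per port, a reverse entry on the peer port, 64 entries per port group) and replays the two entries from the show vlan swap output above. The assumed parameter order for an entry is input VID, output VID, output interface.

```python
from collections import defaultdict

# Port groups that share one 64-entry swap table, as stated in the manual.
PORT_GROUPS = [range(1, 9), range(9, 17), range(17, 18), range(18, 19)]
MAX_ENTRIES_PER_GROUP = 64


def port_group(port):
    """Index of the port group a port belongs to."""
    for idx, group in enumerate(PORT_GROUPS):
        if port in group:
            return idx
    raise ValueError(f"port {port} is outside the swap-capable port groups")


class VlanSwapTable:
    def __init__(self):
        # port -> {invlan: (outvlan, outport)}
        self.entries = defaultdict(dict)

    def add(self, port, invlan, outvlan, outport):
        """Add one entry for interface 'port' (assumed order: input VID,
        output VID, output interface). Rejects entries that would break
        one-to-one mapping or exceed the port group's table size."""
        table = self.entries[port]
        if invlan in table:
            raise ValueError(f"port {port}: VLAN {invlan} is already swapped")
        if any(ov == outvlan for ov, _ in table.values()):
            raise ValueError(f"port {port}: output VLAN {outvlan} already in use")
        group = port_group(port)
        used = sum(len(t) for p, t in self.entries.items() if port_group(p) == group)
        if used >= MAX_ENTRIES_PER_GROUP:
            raise ValueError(f"port group {group} already holds {used} entries")
        table[invlan] = (outvlan, outport)

    def swap(self, port, vid):
        """(outvlan, outport) for a frame with VID vid arriving on port, or
        None when no entry matches and the frame is left unchanged."""
        return self.entries.get(port, {}).get(vid)

    def missing_reverse(self):
        """Entries with no matching mapping in the opposite direction; the
        manual requires both upstream and downstream to be configured."""
        gaps = []
        for port, table in self.entries.items():
            for invlan, (outvlan, outport) in table.items():
                if self.swap(outport, outvlan) != (invlan, port):
                    gaps.append((port, invlan, outvlan, outport))
        return gaps


def limit_demo():
    """Fill port group 1-8 with constructed entries until the 64-entry limit
    rejects one; returns how many were accepted."""
    table = VlanSwapTable()
    accepted = 0
    try:
        for i in range(70):
            table.add(1 + i % 8, 1000 + i, 2000 + i, 17)
            accepted += 1
    except ValueError:
        pass
    return accepted
```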
CHAPTER 33 CLASS OF SERVICE COMMANDS

The commands described in this section allow you to specify which data packets have greater precedence when traffic is buffered in the switch due to congestion. This switch supports CoS with eight priority queues for each port. Data packets in a port’s high-priority queue will be transmitted before those in the lower-priority queues.

Table 33-2 Priority Commands (Layer 2)
  Command                      Function                                                                                              Mode  Page
  show priority                Shows the priority bits used in packets sent by the CPU, and the IPv6 Traffic Class to Class-of-Service priority map  PE  33-4
  show queue mode              Shows the current queue mode                                                                          PE    33-5
  switchport priority default  Sets a port priority for incoming untagged frames                                                     IC    33-17
  queue bandwidth              Assigns round-robin weights to the priority queues                                                    IC    33-7
  queue cos-map                Assigns class-of-service values t

priority bits

Command Usage
  ... Levels,” on page 33-8 for information on how CoS values are mapped to the output queues.

Example
  Console(config)#priority bits
  Console(config)#

queue mode

This command sets the queue mode to strict priority, Weighted Round-Robin (WRR), or a combination of both for the class of service (CoS) priority queues. Use the no form to restore the default value.

Command Usage
  • Weighted Round-Robin (WRR) specifies a relative weight for each queue that determines the percentage of service time the switch gives each queue before moving on to the next queue. This prevents the head-of-line blocking that can occur with strict priority queuing.
  • Hybrid mode uses strict priority on the high-priority queues and WRR on the rest of the queues.
  • Use the queue bandwidth command to assign weights for WRR or hybrid mode to each of the priority queues.

Related Commands
  priority bits (33-2)
  priority ipv6 (33-17)

show queue mode

This command shows the current queue mode.

Default Setting
  None

Command Mode
  Privileged Exec

Example
  Console#show queue mode
  Wrr status: Enabled
  Console#

switchport priority default

This command sets a priority for incoming untagged frames. Use the no form to restore the default value.

Command Usage
  • The precedence for priority mapping is IP Port, IP Precedence or IP DSCP, and default switchport priority.
  • The default priority applies for an untagged frame received on a port set to accept all frame types (i.e., receives both untagged and tagged frames). This priority does not apply to IEEE 802.1Q VLAN tagged frames. If the incoming frame is an IEEE 802.1Q VLAN tagged frame, the IEEE 802.1p User Priority bits will be used.
queue bandwidth

This command assigns weighted round-robin (WRR) weights to the eight class of service (CoS) priority queues, or specifies a high-priority queue when the queue mode is set to hybrid. Use the no form to restore the default weights.

Syntax
  queue bandwidth weight1...weight8
  no queue bandwidth
  weight1...weight8 - The ratio of weights for queues 0 - 7 determines the weights used by the WRR scheduler.

Example
  This example assigns WRR weights to priority queues 0-5, and strict priority to queues 6 and 7:
  Console#configure
  Console(config)#interface ethernet 1/5
  Console(config-if)#queue bandwidth 1 3 5 7 9 11 0 0
  Console(config-if)#

Related Commands
  queue mode (33-3)
  show queue bandwidth (33-9)

queue cos-map

This command assigns class of service (CoS) values to the priority queues (i.e., hardware output queues 0 - 7). Use the no form to set the CoS map to the default values.
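Added example (not from the SMC manual): a packet-level Python model of strict, WRR and hybrid scheduling driven by the same weights as the queue bandwidth example above, showing why a zero weight makes a queue strict and how WRR avoids starving queue 0. How the switch ASIC interprets a weight is not specified in the manual; the model assumes weight = packets per WRR round.

```python
NUM_QUEUES = 8


def parse_queue_bandwidth(args):
    """Parse the arguments of 'queue bandwidth w1 ... w8' into a list of ints."""
    weights = [int(w) for w in args.split()]
    if len(weights) != NUM_QUEUES or any(w < 0 for w in weights):
        raise ValueError("expected eight non-negative weights")
    return weights


def wrr_share(weights):
    """Percentage of WRR service time per weighted queue; zero-weight
    (strict) queues are excluded because they are served outside WRR."""
    total = sum(weights)
    return {q: round(100 * w / total, 1) for q, w in enumerate(weights) if w > 0}


def schedule(queues, weights, strict_all=False):
    """Return the order in which queued packets leave the port.

    queues: dict queue_id -> list of packet labels (queue 7 is highest priority).
    weights: list from parse_queue_bandwidth; weight 0 = strict (hybrid mode).
    strict_all: True models 'queue mode strict', where weights are ignored.
    """
    if any(q not in range(NUM_QUEUES) for q in queues):
        raise ValueError("queue ids must be 0-7")
    pending = {q: list(pkts) for q, pkts in queues.items()}
    order = []
    strict = [q for q in range(NUM_QUEUES - 1, -1, -1)
              if strict_all or weights[q] == 0]
    weighted = [q for q in range(NUM_QUEUES - 1, -1, -1)
                if not strict_all and weights[q] > 0]
    while any(pending.values()):
        # Strict queues are always drained first; they can starve the rest.
        served_strict = False
        for q in strict:
            while pending.get(q):
                order.append(pending[q].pop(0))
                served_strict = True
        if served_strict:
            continue
        # One WRR round: each weighted queue sends up to 'weight' packets,
        # so even queue 0 is served every round (no head-of-line blocking).
        for q in weighted:
            for _ in range(weights[q]):
                if pending.get(q):
                    order.append(pending[q].pop(0))
    return order
```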
Command Mode
  Interface Configuration (Ethernet, Port Channel)

Command Usage
  CoS values assigned at the ingress port are also used at the egress port. This command sets the CoS priority for all interfaces.

show queue bandwidth

Example
  Console#show queue bandwidth
  Information of Eth 1/1
   Queue ID  Weight
   --------  ------
      0        1
      1        2
      2        4
      3        6
      4        8
      5       10
      6       12
      7       14
  .
  .
  .

show queue cos-map

This command shows the class of service priority map.

Syntax
  show queue cos-map [interface]
  interface
    • ethernet unit/port
      - unit - Stack unit. (Range: 1)
      - port - Port number.

Priority Commands (Layer 3 and 4)

This section describes commands used to configure Layer 3 and Layer 4 traffic priority on the switch.

map ip port (Global Configuration)

This command enables IP port mapping (i.e., class of service mapping for TCP/UDP sockets). Use the no form to disable IP port mapping.

Syntax
  [no] map ip port

Default Setting
  Disabled

Command Mode
  Global Configuration

Command Usage
  The precedence for priority mapping is IP Port, IP Precedence or IP DSCP, and default switchport priority.

map ip port (Interface Configuration)

Command Mode
  Interface Configuration (Ethernet, Port Channel)

Command Usage
  • The precedence for priority mapping is IP Port, IP Precedence or IP DSCP, and default switchport priority.
  • Up to 8 entries can be specified for IP Port priority mapping.
  • This command sets the IP port priority for all interfaces.

map ip precedence (Global Configuration)

Example
  The following example shows how to enable IP precedence mapping globally:
  Console(config)#map ip precedence
  Console(config)#

map ip precedence (Interface Configuration)

This command sets IP precedence priority (i.e., IP Type of Service priority). Use the no form to restore the default table.

Syntax
  map ip precedence ip-precedence-value cos cos-value
  no map ip precedence
  • precedence-value - 3-bit precedence value.

Example
  The following example shows how to map IP precedence value 1 to CoS value 0:
  Console(config)#interface ethernet 1/5
  Console(config-if)#map ip precedence 1 cos 0
  Console(config-if)#

map ip dscp (Global Configuration)

This command enables IP DSCP mapping (i.e., Differentiated Services Code Point mapping). Use the no form to disable IP DSCP mapping.

map ip dscp (Interface Configuration)

This command sets IP DSCP priority (i.e., Differentiated Services Code Point priority). Use the no form to restore the default table.

Syntax
  map ip dscp dscp-value cos cos-value
  no map ip dscp
  • dscp-value - DSCP value. (Range: 0-63)
  • cos-value - Class-of-Service value (Range: 0-7)

Default Setting
  The DSCP default values are defined in the following table. Note that all of the DSCP values not specified are mapped to CoS value 0.
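Added example (not from the SMC manual): a Python function that resolves the CoS value of an incoming frame in the precedence order these commands state (IP port map, then IP Precedence or DSCP, then 802.1p bits for tagged frames, then the port default for untagged frames), together with the 8-entry limit of the IP port map. Map contents below are constructed; the switch's default DSCP table is not reproduced.

```python
from dataclasses import dataclass, field
from typing import Optional

MAX_IP_PORT_ENTRIES = 8   # "Up to 8 entries can be specified for IP Port priority mapping"


@dataclass
class PortCosConfig:
    default_priority: int = 0                            # switchport priority default
    ip_port_map: dict = field(default_factory=dict)      # map ip port <l4port> cos <cos>
    dscp_map: dict = field(default_factory=dict)         # map ip dscp <dscp> cos <cos>
    precedence_map: dict = field(default_factory=dict)   # map ip precedence <p> cos <cos>
    ip_port_enabled: bool = False                        # global "map ip port"
    dscp_enabled: bool = False                           # global "map ip dscp"
    precedence_enabled: bool = False                     # global "map ip precedence"


@dataclass
class Frame:
    tagged: bool = False
    user_priority: int = 0              # 802.1p bits, meaningful only if tagged
    is_ip: bool = False
    l4_port: Optional[int] = None       # TCP/UDP port used by the IP port map
    dscp: int = 0                       # 6-bit DSCP; IP Precedence is its top 3 bits


def add_ip_port_entry(cfg, l4_port, cos):
    """Model 'map ip port <l4port> cos <cos>' with the manual's 8-entry limit."""
    if not 0 <= cos <= 7:
        raise ValueError("cos must be 0-7")
    if l4_port not in cfg.ip_port_map and len(cfg.ip_port_map) >= MAX_IP_PORT_ENTRIES:
        raise ValueError("IP port priority map already holds 8 entries")
    cfg.ip_port_map[l4_port] = cos


def resolve_cos(frame, cfg):
    """Return (cos, rule) where rule names the mapping that decided.

    Order follows the manual: IP Port, then IP Precedence or IP DSCP
    (whichever is enabled), then the default switchport priority; a tagged
    frame that no L3/L4 map claims keeps its IEEE 802.1p user priority.
    """
    if frame.is_ip:
        if cfg.ip_port_enabled and frame.l4_port in cfg.ip_port_map:
            return cfg.ip_port_map[frame.l4_port], "ip-port"
        if cfg.dscp_enabled:
            # DSCP values not present in the table map to CoS 0 (per the manual).
            return cfg.dscp_map.get(frame.dscp, 0), "dscp"
        if cfg.precedence_enabled:
            # Precedence is the top three bits of the DSCP field; unmapped
            # values fall back to 0 here (constructed assumption).
            return cfg.precedence_map.get(frame.dscp >> 3, 0), "precedence"
    if frame.tagged:
        return frame.user_priority, "802.1p"
    return cfg.default_priority, "port-default"
```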
Example
  The following example shows how to map IP DSCP value 1 to CoS value 0:
  Console(config)#interface ethernet 1/5
  Console(config-if)#map ip dscp 1 cos 0
  Console(config-if)#

priority ipv6

This command assigns IPv6 traffic classes to one of the Class-of-Service values. Use the no form to restore the default setting.

Syntax
  priority ipv6 interface traffic-class cos-value
  no queue mode
  • interface
    - unit - Stack unit.

Example
  The following example maps the Traffic Class value of 1 to CoS value 0:
  Console(config)#priority ipv6 1 0
  Console(config)#

show map ip port

This command shows the IP port priority map.

Syntax
  show map ip port [interface]
  interface
    • ethernet unit/port
      - unit - Stack unit. (Range: 1)
      - port - Port number.

show map ip precedence

This command shows the IP precedence priority map.

Syntax
  show map ip precedence [interface]
  interface
    • ethernet unit/port
      - unit - Stack unit. (Range: 1)
      - port - Port number.

show map ip dscp

This command shows the IP DSCP priority map.

Syntax
  show map ip dscp [interface]
  interface
    • ethernet unit/port
      - unit - Stack unit. (Range: 1)
      - port - Port number. (Range: 1-19)
    • port-channel channel-id (Range: 1-12)

Default Setting
  None

Command Mode
  Privileged Exec

Example
  Console#show map ip dscp ethernet 1/1
  DSCP mapping status: disabled
   Port      DSCP COS
   --------- ---- ---
   Eth 1/ 1     0   0
   Eth 1/ 1     1   0
   Eth 1/ 1     2   0
   Eth 1/ 1     3   0
  .
  .
  .
CHAPTER 34 QUALITY OF SERVICE COMMANDS

The commands described in this section are used to configure Differentiated Services (DiffServ) classification criteria and service policies. You can classify traffic based on access lists, IP Precedence or DSCP values, or VLANs. Using access lists allows you to select traffic based on Layer 2, Layer 3, or Layer 4 information contained in each packet.

Table 34-1 Quality of Service Commands (Continued)
  Command                    Function                                                                                                  Mode  Page
  show policy-map            Displays the QoS policy maps which define classification criteria for incoming traffic, and may include policers for bandwidth limitations  PE  34-12
  show policy-map interface  Displays the configuration of all classes configured for all service policies on the specified interface  PE    34-12

To create a service policy for a specific category of ingress traffic, follow these steps:
  1.

Notes:
  1. You can configure up to 16 rules per Class Map. You can also include multiple classes in a Policy Map.
  2. You should create a Class Map (page 34-3) before creating a Policy Map (page 34-6). Otherwise, you will not be able to specify a Class Map with the class command (page 34-7) after entering Policy-Map Configuration mode.

class-map

This command creates a class map used for matching packets to the specified class, and enters Class Map configuration mode.

Command Usage
  • The class map is used with a policy map (page 34-6) to create a service policy (page 34-10) for a specific interface that defines packet classification, service tagging, and bandwidth policing.

match

  ... command to specify the fields within ingress packets that must match to qualify for this class map.
  • Only one match command can be entered per class map.
  • The class map uses the Access Control List filtering engine, so you must also set an ACL mask to enable filtering for the criteria specified in the match command. See “mask (IP ACL)” on page 24-9 and “mask (MAC ACL)” on page 24-21 for information on configuring an appropriate ACL mask.

policy-map

This command creates a policy map that can be attached to multiple interfaces, and enters Policy Map configuration mode. Use the no form to delete a policy map and return to Global configuration mode.

Syntax
  [no] policy-map policy-map-name
  policy-map-name - Name of the policy map.

class

This command defines a traffic classification upon which a policy can act, and enters Policy Map Class configuration mode. Use the no form to delete a class map and return to Policy Map configuration mode.

Syntax
  [no] class class-map-name
  class-map-name - Name of the class map. (Range: 1-16 characters)

Default Setting
  None

Command Mode
  Policy Map Configuration

Command Usage
  • Use the policy-map command to specify a policy map and enter Policy Map configuration mode.
Example
  This example creates a policy called “rd_policy,” uses the class command to specify the previously defined “rd_class,” uses the set command to classify the service that incoming packets will receive, and then uses the police command to limit the average bandwidth to 100,000 Kbps, the burst rate to 1522 bytes, and configure the response to drop any violating packets.
  Console(config)#policy-map rd_policy
  Console(config-pmap)#class rd_class
  Console(config-pmap-c)#set ip dscp 3
  Console(config-pmap-c)#police 100000 1522 exceed-action drop
  Console(config-pmap-c)#

police

This command defines a policer for classified traffic. Use the no form to remove a policer.

Example
  The example given for the class command above applies here as well: the police command limits the average bandwidth of “rd_class” to 100,000 Kbps with a burst of 1522 bytes, and drops any violating packets.
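Added example (not from the SMC manual): a single-rate token-bucket model of the police 100000 1522 exceed-action drop statement above, showing which packets of a burst conform and which are dropped. The manual does not state the switch's exact metering algorithm, so this is the textbook form, with rate in Kbps and burst in bytes as the command takes them.

```python
import math


class Policer:
    """Single-rate, single-bucket policer: 'police <rate_kbps> <burst_bytes> exceed-action <action>'."""

    def __init__(self, rate_kbps, burst_bytes, exceed_action="drop"):
        self.rate_bytes_per_s = rate_kbps * 1000 / 8   # Kbps -> bytes per second
        self.burst = burst_bytes                       # bucket depth in bytes
        self.tokens = float(burst_bytes)               # bucket starts full
        self.last_t = 0.0
        self.exceed_action = exceed_action
        self.conformed = 0
        self.exceeded = 0

    def offer(self, t, size):
        """Offer a packet of 'size' bytes at time t (seconds, non-decreasing).
        Returns 'forward' for a conforming packet or the configured exceed action."""
        elapsed = max(0.0, t - self.last_t)
        self.tokens = min(self.burst, self.tokens + elapsed * self.rate_bytes_per_s)
        self.last_t = t
        if size <= self.tokens:
            self.tokens -= size
            self.conformed += 1
            return "forward"
        self.exceeded += 1
        return self.exceed_action


def police_burst(rate_kbps, burst_bytes, sizes, interval_s):
    """Send packets of the given sizes, one every interval_s seconds, through a
    fresh policer and return the action taken for each."""
    policer = Policer(rate_kbps, burst_bytes)
    return [policer.offer(i * interval_s, size) for i, size in enumerate(sizes)]


def max_packets_per_second(rate_kbps, size_bytes):
    """Sustained packet rate the policer admits for a fixed packet size."""
    return math.floor(rate_kbps * 1000 / 8 / size_bytes)
```

With a 1522-byte bucket, a second full-size frame arriving back-to-back is dropped even though the average rate is far below 100,000 Kbps; the burst parameter, not the rate, decides that case.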
service-policy

Example
  This example applies a service policy to an ingress interface.
  Console(config)#interface ethernet 1/1
  Console(config-if)#service-policy input rd_policy
  Console(config-if)#

show class-map

This command displays the QoS class maps which define matching criteria used for classifying traffic.

Syntax
  show class-map [class-map-name]
  class-map-name - Name of the class map. (Range: 1-16 characters)

Default Setting
  Displays all class maps.

show policy-map

This command displays the QoS policy maps which define classification criteria for incoming traffic, and may include policers for bandwidth limitations.

Syntax
  show policy-map [policy-map-name [class class-map-name]]
  • policy-map-name - Name of the policy map. (Range: 1-16 characters)
  • class-map-name - Name of the class map. (Range: 1-16 characters)

Default Setting
  Displays all policy maps and all classes.

show policy-map interface

Command Mode
  Privileged Exec

Example
  Console#show policy-map interface ethernet 1/5
  Service-policy rd_policy input
  Console#
CHAPTER 35 MULTICAST FILTERING COMMANDS

This switch uses IGMP (Internet Group Management Protocol) to query for any attached hosts that want to receive a specific multicast service. It identifies the ports containing hosts requesting a service and sends data out to those ports only. It then propagates the service request up to any neighboring multicast switch/router to ensure that it will continue to receive the multicast service.

IGMP Snooping Commands

This section describes commands used to configure IGMP snooping on the switch.

ip igmp snooping

Example
  The following example enables IGMP snooping.
  Console(config)#ip igmp snooping
  Console(config)#

ip igmp snooping vlan static

This command adds a port to a multicast group. Use the no form to remove the port.

Syntax
  [no] ip igmp snooping vlan vlan-id static ip-address interface
  • vlan-id - VLAN ID (Range: 1-4093)
  • ip-address - IP address for multicast group
  • interface
    • ethernet unit/port
      - unit - Stack unit. (Range: 1)
      - port - Port number.

ip igmp snooping version

This command configures the IGMP snooping version. Use the no form to restore the default.

Syntax
  ip igmp snooping version {1 | 2 | 3}
  no ip igmp snooping version
  • 1 - IGMP Version 1
  • 2 - IGMP Version 2
  • 3 - IGMP Version 3

Default Setting
  IGMP Version 2

Command Mode
  Global Configuration

Command Usage
  • All systems on the subnet must support the same version.

ip igmp snooping immediate-leave

This command immediately deletes a member port of a multicast service if a leave packet is received at that port and immediate-leave is enabled for the parent VLAN. Use the no form to restore the default.

show ip igmp snooping

This command shows the IGMP snooping configuration.

Default Setting
  None

Command Mode
  Privileged Exec

Command Usage
  See “Configuring IGMP Snooping and Query Parameters” on page 16-4 for a description of the displayed items.

show mac-address-table multicast

Command Mode
  Privileged Exec

Command Usage
  Member types displayed include IGMP or USER, depending on selected options.

Example
  The following shows the multicast entries learned through IGMP snooping for VLAN 1:
  Console#show mac-address-table multicast vlan 1 igmp-snooping
   VLAN M'cast IP addr. Member ports Type
   ---- --------------- ------------ -------
      1 224.1.2.3       Eth1/11      IGMP
  Console#

IGMP Query Commands

This section describes commands used to configure Layer 2 IGMP query on the switch.

ip igmp snooping querier

This command enables the switch as an IGMP querier. Use the no form to disable it.

Syntax
  [no] ip igmp snooping querier

Default Setting
  Enabled

Command Mode
  Global Configuration

Command Usage
  If enabled, the switch will serve as querier if elected. The querier is responsible for asking hosts if they want to receive multicast traffic.

ip igmp snooping query-count

Command Usage
  The query count defines how long the querier waits for a response from a multicast client before taking action. If a querier has sent a number of queries defined by this command, but a client has not responded, a countdown timer is started using the time defined by ip igmp snooping query-max-response-time. If the countdown finishes, and the client still has not responded, then that client is considered to have left the multicast group.

ip igmp snooping query-max-response-time

This command configures the query report delay. Use the no form to restore the default.

Syntax
  ip igmp snooping query-max-response-time seconds
  no ip igmp snooping query-max-response-time
  seconds - The report delay advertised in IGMP queries. (Range: 5-25)

Default Setting
  10 seconds

Command Mode
  Global Configuration

Command Usage
  • The switch must be using IGMPv2 for this command to take effect.

ip igmp snooping router-port-expire-time

This command configures the query timeout. Use the no form to restore the default.

Syntax
  ip igmp snooping router-port-expire-time seconds
  no ip igmp snooping router-port-expire-time
  seconds - The time the switch waits after the previous querier stops before it considers the router port (i.e., the interface which had been receiving query packets) to have expired.
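Added example (not from the SMC manual): an event-driven Python model of the IGMP snooping membership table covering static members (ip igmp snooping vlan ... static), members learned from reports, immediate-leave removal, and the query-count / query-max-response-time countdown described above. The spacing between the repeated queries is an assumed parameter; this page does not give it.

```python
class IgmpSnoopingVlan:
    """Membership state for one VLAN; times are seconds, ticks are driven by the caller."""

    def __init__(self, vlan_id, immediate_leave=False, query_count=2,
                 query_max_response_time=10, query_interval=1):
        self.vlan_id = vlan_id
        self.immediate_leave = immediate_leave
        self.query_count = query_count                   # ip igmp snooping query-count
        self.max_response = query_max_response_time      # ip igmp snooping query-max-response-time
        self.query_interval = query_interval             # assumed spacing of the repeated queries
        self.members = {}        # group -> {port: "USER" (static) | "IGMP" (learned)}
        self.pending = {}        # (group, port) -> leave-tracking state
        self.queries_sent = []   # (time, group), for inspection

    def add_static(self, group, port):
        """ip igmp snooping vlan <id> static <group> <port>: shown as type USER."""
        self.members.setdefault(group, {})[port] = "USER"

    def report(self, t, group, port):
        """Membership report seen on port: learn or refresh, cancel a pending leave."""
        self.members.setdefault(group, {}).setdefault(port, "IGMP")
        self.pending.pop((group, port), None)

    def leave(self, t, group, port):
        """Leave message seen on port."""
        if self.members.get(group, {}).get(port) == "USER":
            return                                  # static members are never aged out
        if self.immediate_leave:
            self._remove(group, port)               # ip igmp snooping immediate-leave
            return
        # Otherwise query the port; the first query goes out now.
        self.pending[(group, port)] = {"sent": 0, "next_query": t, "deadline": None}

    def tick(self, t):
        """Advance all timers to time t."""
        for key, st in list(self.pending.items()):
            group, port = key
            # Send queries until query-count is reached, then arm the countdown
            # of max-response-time after the last one.
            while st["deadline"] is None and st["next_query"] <= t:
                self.queries_sent.append((st["next_query"], group))
                st["sent"] += 1
                if st["sent"] >= self.query_count:
                    st["deadline"] = st["next_query"] + self.max_response
                else:
                    st["next_query"] += self.query_interval
            if st["deadline"] is not None and t >= st["deadline"]:
                self._remove(group, port)           # no report arrived: client has left
                self.pending.pop(key, None)

    def _remove(self, group, port):
        ports = self.members.get(group, {})
        ports.pop(port, None)
        if not ports:
            self.members.pop(group, None)

    def member_ports(self, group):
        return sorted(self.members.get(group, {}))
```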
Static Multicast Routing Commands
This section describes commands used to configure static multicast routing on the switch.
Table 35-4 Static Multicast Routing Commands
Command                        Function                       Mode  Page
ip igmp snooping vlan mrouter  Adds a multicast router port   GC    35-12
show ip igmp snooping mrouter  Shows multicast router ports   PE    35-13
ip igmp snooping vlan mrouter
This command statically configures a multicast router port. Use the no form to remove the configuration.
STATIC MULTICAST ROUTING COMMANDS
Example
The following shows how to configure port 11 as a multicast router port within VLAN 1:
  Console(config)#ip igmp snooping vlan 1 mrouter ethernet 1/11
  Console(config)#
show ip igmp snooping mrouter
This command displays information on statically configured and dynamically learned multicast router ports.
Syntax
show ip igmp snooping mrouter [vlan vlan-id]
vlan-id - VLAN ID (Range: 1-4093)
Default Setting
Displays multicast router ports for all configured VLANs.
IGMP Filtering and Throttling Commands
In certain switch applications, the administrator may want to control the multicast services that are available to end users, for example an IP/TV service based on a specific subscription plan. The IGMP filtering feature fulfills this requirement by restricting access to specified multicast services on a switch port, and IGMP throttling limits the number of simultaneous multicast groups a port can join.
IGMP FILTERING AND THROTTLING COMMANDS
ip igmp filter (Global Configuration)
This command globally enables IGMP filtering and throttling on the switch. Use the no form to disable the feature.
Syntax
[no] ip igmp filter
Default Setting
Disabled
Command Mode
Global Configuration
Command Usage
• IGMP filtering enables you to assign a profile to a switch port that specifies multicast groups that are permitted or denied on the port.
ip igmp profile
This command creates an IGMP filter profile number and enters IGMP profile configuration mode. Use the no form to delete a profile number.
Syntax
[no] ip igmp profile profile-number
profile-number - An IGMP filter profile number. (Range: 1-4294967295)
Default Setting
Disabled
Command Mode
Global Configuration
Command Usage
A profile defines the multicast groups that a subscriber is permitted or denied to join.
Command Usage
• Each profile has only one access mode; either permit or deny.
• When the access mode is set to permit, IGMP join reports are processed when a multicast group falls within the controlled range. When the access mode is set to deny, IGMP join reports are only processed when a multicast group is not in the controlled range.
ip igmp filter (Interface Configuration)
This command assigns an IGMP filtering profile to an interface on the switch. Use the no form to remove a profile from an interface.
Syntax
[no] ip igmp filter profile-number
profile-number - An IGMP filter profile number.
Default Setting
64
Command Mode
Interface Configuration
Command Usage
• IGMP throttling sets a maximum number of multicast groups that a port can join at the same time. When the maximum number of groups is reached on a port, the switch can take one of two actions; either “deny” or “replace.” If the action is set to deny, any new IGMP join reports will be dropped.
Command Usage
When the maximum number of groups is reached on a port, the switch can take one of two actions; either “deny” or “replace.” If the action is set to deny, any new IGMP join reports will be dropped. If the action is set to replace, the switch randomly removes an existing group and replaces it with the new multicast group.
Example
  Console#show ip igmp filter
  IGMP filter enable
  Console#show ip igmp filter interface ethernet 1/1
  Information of Eth 1/1
  IGMP Profile 19
  deny
  range 239.1.1.1 239.1.1.1
  range 239.2.3.1 239.2.3.100
  Console#
show ip igmp profile
This command displays IGMP filtering profiles created on the switch.
Syntax
show ip igmp profile [profile-number]
profile-number - An existing IGMP filter profile number.
show ip igmp throttle interface
This command displays the interface settings for IGMP throttling.
Syntax
show ip igmp throttle interface [interface]
interface
• ethernet unit/port
  - unit - Stack unit. (Range: 1)
  - port - Port number. (Range: 1-19)
• port-channel channel-id (Range: 1-12)
Default Setting
None
Command Mode
Privileged Exec
Command Usage
Using this command without specifying an interface displays all interfaces.
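The profile semantics (one access mode per profile; permit processes joins inside the ranges, deny processes joins outside them) and the throttle actions (deny drops new joins at the limit, replace evicts a random existing group) described in this section, worked through as an added Python model. This is illustration written for this page, not SMC firmware code; the profile data is taken from the show ip igmp filter output above, and the throttle limit of 2 in demo() is a constructed value so the limit is reached quickly.

```python
"""IGMP filter-profile and throttling decisions, modelled on the behaviour this
chapter describes (added illustration, not SMC firmware code)."""
import ipaddress
import random
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


@dataclass
class IgmpProfile:
    """One IGMP filter profile: a single access mode plus inclusive address ranges."""
    number: int
    mode: str                       # "permit" or "deny" (each profile has only one)
    ranges: List[Tuple[str, str]]   # (low, high), as listed by show ip igmp filter

    def covers(self, group: str) -> bool:
        g = ipaddress.IPv4Address(group)
        return any(ipaddress.IPv4Address(lo) <= g <= ipaddress.IPv4Address(hi)
                   for lo, hi in self.ranges)

    def allows(self, group: str) -> bool:
        # permit: a join is processed only when the group is inside the range(s)
        # deny:   a join is processed only when the group is outside the range(s)
        inside = self.covers(group)
        return inside if self.mode == "permit" else not inside


@dataclass
class Port:
    """Per-interface state: assigned profile, throttle limit and throttle action."""
    name: str
    profile: Optional[IgmpProfile] = None
    max_groups: int = 64            # default limit given on the page
    action: str = "deny"            # "deny" drops new joins, "replace" evicts one
    groups: Set[str] = field(default_factory=set)


def process_join(port: Port, group: str, rng=random) -> str:
    """Return what the switch does with an IGMP join report for `group` on `port`."""
    if port.profile is not None and not port.profile.allows(group):
        return "filtered"                   # profile check comes first
    if group in port.groups:
        return "already-member"
    if len(port.groups) < port.max_groups:
        port.groups.add(group)
        return "joined"
    if port.action == "deny":
        return "dropped"                    # at the limit: new join report is dropped
    victim = rng.choice(sorted(port.groups))   # replace: a random existing group gives way
    port.groups.remove(victim)
    port.groups.add(group)
    return "replaced " + victim


def demo() -> dict:
    """Walk profile 19 (deny, two ranges) from the show ip igmp filter output
    through a port with a constructed throttle limit of 2."""
    profile19 = IgmpProfile(19, "deny", [("239.1.1.1", "239.1.1.1"),
                                         ("239.2.3.1", "239.2.3.100")])
    port = Port("eth1/1", profile=profile19, max_groups=2, action="deny")
    out = {
        "in-deny-range": process_join(port, "239.2.3.50"),   # filtered
        "first": process_join(port, "224.1.2.3"),            # joined
        "second": process_join(port, "224.1.2.4"),           # joined
        "over-limit": process_join(port, "224.1.2.5"),       # dropped
    }
    port.action = "replace"
    out["replace"] = process_join(port, "224.1.2.5", rng=random.Random(0))
    out["groups"] = sorted(port.groups)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```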
MULTICAST VLAN REGISTRATION COMMANDS Multicast VLAN Registration Commands This section describes commands used to configure Multicast VLAN Registration (MVR). A single network-wide VLAN can be used to transmit multicast traffic (such as television channels) across a service provider’s network. Any multicast traffic entering an MVR VLAN is sent to all subscribers.
mvr (Global Configuration)
This command enables Multicast VLAN Registration (MVR) globally on the switch, enables a specific MVR domain using the domain keyword, statically configures MVR multicast group IP address(es) using the group keyword, or specifies the MVR VLAN identifier using the vlan keyword. Use the no form of this command without any keywords to globally disable MVR.
• Use the mvr group command to statically configure all multicast group addresses that will join an MVR VLAN. Any multicast data associated with an MVR group is sent from all source ports, and to all receiver ports that have registered to receive data from that multicast group. The IP address range from 224.0.0.0 to 239.255.255.255 is used for multicast streams. MVR group addresses cannot fall within the reserved IP multicast address range of 224.0.0.x.
mvr (Interface Configuration)
This command configures an interface as a static member of an MVR domain using the group keyword, or configures an interface as an MVR receiver or source port using the type keyword. Use the no form to restore the default settings.
Syntax
[no] mvr {domain domain-id [group ip-address | type {receiver | source}] | group ip-address | type {receiver | source}}
• domain-id - An independent multicast domain.
groups within an MVR VLAN. Multicast groups can also be statically assigned to a receiver port using the group keyword. However, if a receiver port is statically configured as a member of an MVR VLAN, its status will be inactive. Also, note that VLAN membership for MVR receiver ports cannot be set to trunk mode (see the switchport mode command on page 32-10).
• One or more interfaces may be configured as MVR source ports.
mvr immediate
This command causes the switch to immediately remove an interface from a multicast stream as soon as it receives a leave message for that group. Use the no form to restore the default settings.
Syntax
[no] mvr immediate
Default Setting
Disabled.
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
• This option only applies to an interface configured as an MVR receiver (see the mvr interface command on page 35-26).
show mvr
This command shows information about the global MVR configuration settings when entered without any keywords, the interfaces attached to the MVR VLAN using the interface keyword, or the multicast groups assigned to the MVR VLAN using the members keyword.
Syntax
show mvr [interface [interface] | members [ip-address]]
• interface
  • ethernet unit/port
    - unit - Stack unit. (Range: 1)
    - port - Port number.
Example
The following shows the global MVR settings:
  Console#show mvr
  ================================
  MVR domain : 1
  MVR Status:enable
  MVR running status:TRUE
  MVR multicast vlan:1
  MVR Max Multicast Groups:255
  MVR Current multicast groups:1
  ================================
  MVR domain : 2
  MVR Status:disable
  MVR running status:FALSE
  MVR multicast vlan:0
  MVR Max Multicast Groups:255
  MVR Current multicast groups:0
  ================================
  MVR domain : 3
  MVR Status:disable
  MV
The following displays information about the interfaces attached to the MVR VLAN:
  Console#show mvr interface
  =======================================================
  MVR domain : 1
  Port     Type      Status         Immediate Leave
  -------  --------  -------------  ---------------
  eth1/1   SOURCE    ACTIVE/UP      Disable
  eth1/2   RECEIVER  ACTIVE/UP      Disable
  eth1/5   RECEIVER  INACTIVE/DOWN  Disable
  eth1/6   RECEIVER  INACTIVE/DOWN  Disable
  eth1/7   RECEIVER  INACTIVE/DOWN  Disable
  =========================================
The following shows information about the interfaces associated with multicast groups assigned to the MVR VLAN:
  Console#show mvr members
  ===================================
  MVR domain : 1
  MVR Group IP      Status    Members
  ----------------  --------  ------
  225.0.0.1         ACTIVE    eth1/1(d), eth1/2(s)
  225.0.0.2         INACTIVE  None
  225.0.0.3         INACTIVE  None
  225.0.0.4         INACTIVE  None
  225.0.0.5         INACTIVE  None
  225.0.0.6         INACTIVE  None
  225.0.0.7         INACTIVE  None
  225.0.0.8         INACTIVE  None
  225.0.0.9         INACTIVE  None
  225.
CHAPTER 36 DOMAIN NAME SERVICE COMMANDS These commands are used to configure Domain Naming System (DNS) services. You can manually configure entries in the DNS domain name to IP address mapping table, configure default domain names, or specify one or more name servers to use for domain name to address translation. Note that domain name services will not be enabled until at least one name server is specified with the ip name-server command and domain lookup is enabled with the ip domain-lookup command.
DOMAIN NAME SERVICE COMMANDS
Table 36-1 DNS Commands (Continued)
Command          Function                               Mode  Page
show dns cache   Displays entries in the DNS cache      PE    36-9
clear dns cache  Clears all entries from the DNS cache  PE    36-10
ip host
This command creates a static entry in the DNS table that maps a host name to an IP address. Use the no form to remove an entry.
Syntax
[no] ip host name address1 [address2 … address8]
• name - Name of the host. (Range: 1-127 characters)
• address1 - Corresponding IP address.
CLEAR HOST
Example
This example maps two addresses to a host name.
  Console(config)#ip host rd5 192.168.1.55 10.1.0.55
  Console(config)#end
  Console#show hosts
  Hostname
   rd5
  Inet address
   10.1.0.55 192.168.1.55
  Alias
  Console#
clear host
This command deletes entries from the DNS table.
Syntax
clear host {name | *}
• name - Name of the host. (Range: 1-127 characters)
• * - Removes all entries.
Default Setting
None
Command Mode
Privileged Exec
Example
This example clears all static entries from the DNS table.
ip domain-name
This command defines the default domain name appended to incomplete host names (i.e., host names passed from a client that are not formatted with dotted notation). Use the no form to remove the current domain name.
Syntax
ip domain-name name
no ip domain-name
name - Name of the host. Do not include the initial dot that separates the host name from the domain name.
IP DOMAIN-LIST
ip domain-list
This command defines a list of domain names that can be appended to incomplete host names (i.e., host names passed from a client that are not formatted with dotted notation). Use the no form to remove a name from this list.
Syntax
[no] ip domain-list name
name - Name of the host. Do not include the initial dot that separates the host name from the domain name.
Example
This example adds two domain names to the current list and then displays the list.
  Console(config)#ip domain-list sample.com.jp
  Console(config)#ip domain-list sample.com.uk
  Console(config)#end
  Console#show dns
  Domain Lookup Status:
   DNS disabled
  Default Domain Name:
   .sample.com
  Domain Name List:
   .sample.com.jp
   .sample.com.
IP DOMAIN-LOOKUP
Example
This example adds two domain-name servers to the list and then displays the list.
  Console(config)#ip domain-server 192.168.1.55 10.1.0.55
  Console(config)#end
  Console#show dns
  Domain Lookup Status:
   DNS disabled
  Default Domain Name:
   .sample.com
  Domain Name List:
   .sample.com.jp
   .sample.com.uk
  Name Server List:
   192.168.1.55
   10.1.0.55
  Console#
Related Commands
ip domain-name (36-4)
ip domain-lookup (36-7)
ip domain-lookup
This command enables DNS host name-to-address translation.
Example
This example enables DNS and then displays the configuration.
  Console(config)#ip domain-lookup
  Console(config)#end
  Console#show dns
  Domain Lookup Status:
   DNS enabled
  Default Domain Name:
   .sample.com
  Domain Name List:
   .sample.com.jp
   .sample.com.uk
  Name Server List:
   192.168.1.55
   10.1.0.55
Related Commands
ip domain-name (36-4)
ip name-server (36-6)
show hosts
This command displays the static host name-to-address mapping table.
SHOW DNS
show dns
This command displays the configuration of the DNS service.
Command Mode
Privileged Exec
Example
  Console#show dns
  Domain Lookup Status:
   DNS enabled
  Default Domain Name:
   sample.com
  Domain Name List:
   sample.com.jp
   sample.com.uk
  Name Server List:
   192.168.1.55
   10.1.0.55
  Console#
show dns cache
This command displays entries in the DNS cache.
Table 36-2 show dns cache - display description
Field  Description
NO     The entry number for each resource record.
FLAG   The flag is always “4”, indicating a cache entry and therefore unreliable.
TYPE   This field includes CNAME, which specifies the canonical or primary name for the owner, and ALIAS, which specifies multiple domain names which are mapped to the same IP address as an existing entry.
IP     The IP address associated with this record.
CHAPTER 37 DHCP COMMANDS These commands are used to configure Dynamic Host Configuration Protocol (DHCP) client and relay functions. You can configure any VLAN interface to be automatically assigned an IP address via DHCP. This switch can also be configured to relay DHCP client configuration requests to a DHCP server on another network.
DHCP COMMANDS
Command Usage
• This command issues a BOOTP or DHCP client request for any IP interface that has been set to BOOTP or DHCP mode via the ip address command.
• DHCP requires the server to reassign the client’s last address if available.
• If the BOOTP or DHCP server has been moved to a different domain, the network portion of the address provided to the client will be based on this new domain.
Example
In the following example, the device is reassigned the same address.
DHCP RELAY
ip dhcp relay server
This command enables DHCP relay service, and specifies the address of the server to use. Use the no form to clear a server address.
Syntax
ip dhcp relay server address
no ip dhcp relay server
address - IP address of a DHCP server.
Default Setting
None
Command Mode
Global Configuration
Usage Guidelines
• DHCP relay service only applies to the management VLAN. DHCP client request packets entering any other VLAN on the switch will be flooded.
Example
  Console(config)#ip dhcp relay server 192.168.10.19
  Console(config)#
ip dhcp information option
This command enables DHCP Option 82 information relay, and specifies the frame format to use when Option 82 information is generated by the switch. Use the no form of this command to disable this feature.
• If Option 82 is enabled on the switch, client information will be included in any relayed request packet received through the management interface according to these criteria.
Table 37-4 Inserting Option 82 Information
DHCP Snooping*  DHCP Relay†  DHCP Option 82  Action
Enabled         Disabled     Enabled         Circuit-id or remote-id information is added to the Option 82 packet, but the gateway Internet address is not included.
the reply packet was received. If the DHCP packet’s broadcast flag is off, the switch uses the Option 82 information to identify the interface connected to the requesting client and unicasts the reply packet to the client.
• DHCP reply packets are flooded onto all attached VLANs other than the inbound management VLAN under the following situations:
  - The reply packet does not contain Option 82 information.
address (when DHCP snooping or relay is enabled), and unicast the packet to the DHCP server.
Default Setting
replace
Command Mode
Global Configuration
Usage Guidelines
• Refer to the Usage Guidelines under the ip dhcp information option command (page 37-4) for information on when Option 82 information is processed by the switch.
Example
  Console#show ip dhcp relay server
  Ip Dhcp Relay Status: Enable
  Ip Dhcp Relay Server: 192.168.10.
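The relay behaviour described in this chapter (Option 82 inserted into relayed client requests, the default replace policy, and the circuit-id used on the way back to find the requesting client's interface), worked through as an added Python example that is not part of the SMC guide. The sub-option layouts (VLAN/unit/port for circuit-id, switch MAC for remote-id), the sample MAC and the sample DHCPDISCOVER options are constructed assumptions, not the switch's actual frame format; the option and sub-option codes are the standard RFC 3046 values.

```python
"""DHCP Option 82 (Relay Agent Information, RFC 3046) handling as a relay does it:
parse the options field, replace any Option 82 already present in a client request
with the switch's own (the 'replace' policy that the page gives as default), and
recover the circuit-id from a server reply so it can be unicast to the right port.
Added illustration, not SMC firmware code; payload layouts here are constructed."""
from typing import Dict, List, Optional, Tuple

OPT_PAD, OPT_END, OPT_RELAY_AGENT, OPT_MSG_TYPE = 0, 255, 82, 53
SUB_CIRCUIT_ID, SUB_REMOTE_ID = 1, 2          # RFC 3046 sub-option codes


def parse_options(data: bytes) -> List[Tuple[int, bytes]]:
    """Decode a DHCP options field (bytes after the magic cookie) into (code, value)
    pairs. Sub-options inside Option 82 use the same TLV layout, so this is reused."""
    out, i = [], 0
    while i < len(data):
        code = data[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(data):
            raise ValueError("truncated option header")
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option %d" % code)
        out.append((code, value))
        i += 2 + length
    return out


def encode_options(opts: List[Tuple[int, bytes]]) -> bytes:
    """Re-encode (code, value) pairs as TLVs and terminate with the end option."""
    return b"".join(bytes([c, len(v)]) + v for c, v in opts) + bytes([OPT_END])


def build_option82(vlan: int, unit: int, port: int, switch_mac: bytes) -> bytes:
    """Constructed circuit-id (VLAN, unit, port) and remote-id (switch MAC) sub-options."""
    if not 1 <= vlan <= 4093:
        raise ValueError("VLAN ID out of range 1-4093")
    circuit = vlan.to_bytes(2, "big") + bytes([unit, port])
    return (bytes([SUB_CIRCUIT_ID, len(circuit)]) + circuit
            + bytes([SUB_REMOTE_ID, len(switch_mac)]) + switch_mac)


def relay_to_server(options: bytes, agent_info: bytes) -> bytes:
    """Relay a client request under the 'replace' policy: any Option 82 the request
    already carries is discarded and the switch's own agent information is appended,
    so the server only ever sees the relay's own view of the client's port."""
    opts = [(c, v) for c, v in parse_options(options) if c != OPT_RELAY_AGENT]
    opts.append((OPT_RELAY_AGENT, agent_info))
    return encode_options(opts)


def parse_option82(options: bytes) -> Optional[Dict[str, bytes]]:
    """From a server reply, extract the sub-options the relay needs to locate the
    requesting client's interface; None when the reply carries no Option 82 (the
    page says such replies are flooded instead of unicast)."""
    for code, value in parse_options(options):
        if code == OPT_RELAY_AGENT:
            subs = dict(parse_options(value))
            return {"circuit_id": subs.get(SUB_CIRCUIT_ID, b""),
                    "remote_id": subs.get(SUB_REMOTE_ID, b"")}
    return None


def demo() -> dict:
    """Constructed DHCPDISCOVER options that already carry an Option 82 naming
    port 1; after relaying through port 11 the server sees only the switch's."""
    switch_mac = bytes.fromhex("020000000001")              # constructed sample MAC
    stale = build_option82(1, 1, 1, bytes(6))
    client_opts = (bytes([OPT_MSG_TYPE, 1, 1])              # message type = DISCOVER
                   + bytes([OPT_RELAY_AGENT, len(stale)]) + stale + bytes([OPT_END]))
    relayed = relay_to_server(client_opts, build_option82(1, 1, 11, switch_mac))
    info = parse_option82(relayed)
    return {
        "option82_count": sum(1 for c, _ in parse_options(relayed) if c == OPT_RELAY_AGENT),
        "circuit_id": info["circuit_id"],
        "remote_id": info["remote_id"],
        "msg_type": dict(parse_options(relayed))[OPT_MSG_TYPE],
        "reply_without_82": parse_option82(bytes([OPT_MSG_TYPE, 1, 2, OPT_END])),
    }
```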
CHAPTER 38 IP INTERFACE COMMANDS
An IP address may be used for management access to the switch over your network. An IP address is obtained via DHCP by default for VLAN 1. You can manually configure a specific IP address, or direct the switch to obtain an address from a BOOTP or DHCP server when it is powered on. You may also need to establish a default gateway between this device and management stations that exist on another network segment.
IP INTERFACE COMMANDS
ip address
This command sets the IP address for the currently selected VLAN interface. Use the no form to restore the default IP address.
Syntax
ip address {ip-address netmask | bootp | dhcp}
no ip address
• ip-address - IP address
• netmask - Network mask for the associated IP subnet. This mask identifies the host address bits used for routing to specific subnets.
• bootp - Obtains IP address from BOOTP.
• dhcp - Obtains IP address from DHCP.
BASIC IP CONFIGURATION
Notes:
1. Only one VLAN interface can be assigned an IP address (the default is VLAN 1). This defines the management VLAN, the only VLAN through which you can gain management access to the switch. If you assign an IP address to any other VLAN, the new IP address overrides the original IP address and this becomes the new management VLAN.
2. Before you can change the IP address, you must first clear the current address with the no form of this command.
Example
The following example defines a default gateway for this device:
  Console(config)#ip default-gateway 10.1.1.254
  Console(config)#
Related Commands
show ip redirects (38-4)
show ip interface
This command displays the settings of an IP interface.
Command Mode
Privileged Exec
Example
  Console#show ip interface
  Console#
Related Commands
show ip redirects (38-4)
show ip redirects
This command shows the IP default gateway configured for this device.
ping
This command sends ICMP echo request packets to another node on the network.
Syntax
ping host [count count] [size size]
• host - IP address or IP alias of the host.
• count - Number of packets to send. (Range: 1-16, default: 5)
• size - Number of bytes in a packet. (Range: 32-512, default: 32) The actual packet size will be eight bytes larger than the size specified because the router adds header information.
Default Setting
This command has no default for the host.
Example
  Console#ping 10.1.0.9
  Type ESC to abort.
  PING to 10.1.0.9, by 5 32-byte payload ICMP packets, timeout is 5 seconds
  response time: 10 ms
  response time: 10 ms
  response time: 10 ms
  response time: 10 ms
  response time: 0 ms
  Ping statistics for 10.1.0.
SECTION IV APPENDICES
This section provides additional information on the following topics.
Software Specifications  A-1
Troubleshooting
APPENDIX A SOFTWARE SPECIFICATIONS Software Features Authentication Local, RADIUS, TACACS+, Port (802.
SOFTWARE SPECIFICATIONS
Rate Limits
Input/output limit
Range (configured per port)
Port Trunking
Static trunks (Cisco EtherChannel compliant)
Dynamic trunks (Link Aggregation Control Protocol)
Spanning Tree Algorithm
Spanning Tree Protocol (STP, IEEE 802.1D)
Rapid Spanning Tree Protocol (RSTP, IEEE 802.1w)
Multiple Spanning Tree Protocol (MSTP, IEEE 802.1s)
VLAN Support
Up to 256 groups; port-based, protocol-based, or tagged (802.
MANAGEMENT FEATURES 3 OAM channels (IB, eoc, VOC) between VTU-C and VTU-R HDLC or 802.
IEEE 802.1Q VLAN
IEEE 802.1v Protocol-based VLANs
IEEE 802.1s Multiple Spanning Tree Protocol
IEEE 802.1w Rapid Spanning Tree Protocol
IEEE 802.1X Port Authentication
IEEE 802.3-2002 Ethernet, Fast Ethernet, Gigabit Ethernet
Link Aggregation Control Protocol (LACP)
Full-duplex flow control (ISO/IEC 8802-3)
IEEE 802.3ac VLAN tagging
ITU-T G.993.1 (VDSL) and G.993.2 (VDSL2)
ITU-T G.994.
MANAGEMENT INFORMATION BASES
Entity MIB (RFC 2737)
Ether-like MIB (RFC 2665)
Extended Bridge MIB (RFC 2674)
Extensible SNMP Agents MIB (RFC 2742)
Forwarding Table MIB (RFC 2096)
IGMP MIB (RFC 2933)
Interface Group MIB (RFC 2233)
Interfaces Evolution MIB (RFC 2863)
IP MIB (RFC 2011)
IP Multicasting related MIBs
MAU MIB (RFC 3636)
MIB II (RFC 1213)
Port Access Entity MIB (IEEE 802.1X)
Port Access Entity Equipment MIB
Private MIB
QnQ Tunneling (IEEE 802.
APPENDIX B TROUBLESHOOTING
Problems Accessing the Management Interface
Table B-1 Troubleshooting Chart
Symptom: Cannot connect using Telnet, web browser, or SNMP software
Action:
• Be sure the switch is powered up.
• Check network cabling between the management station and the switch.
• Check that you have a valid network connection to the switch and that the port you are using has not been disabled.
TROUBLESHOOTING
Table B-1 Troubleshooting Chart (Continued)
Symptom: Cannot connect using Secure Shell
Action:
• If you cannot connect using SSH, you may have exceeded the maximum number of concurrent Telnet/SSH sessions permitted. Try connecting again at a later time.
• Be sure the control parameters for the SSH server are properly configured on the switch, and that the SSH client software is properly configured on the management station.
USING SYSTEM LOGS
Using System Logs
If a fault does occur, refer to the Installation Guide to ensure that the problem you encountered is actually caused by the switch. If the problem appears to be caused by the switch, follow these steps:
1. Enable logging.
2. Set the error messages reported to include all categories.
3. Designate the SNMP host that is to receive the error messages.
4. Repeat the sequence of commands or other actions that lead up to the error.
5.
GLOSSARY
Access Control List (ACL)
ACLs can limit network traffic and restrict access to certain users or devices by checking each packet for certain IP or MAC (i.e., Layer 2) information.
Boot Protocol (BOOTP)
BOOTP is used to provide bootup information for network devices, including IP address information, the address of the TFTP server that contains the device's system files, and the name of the boot file.
marked for different kinds of forwarding. The DSCP bits are mapped to the Class of Service categories, and then into the output queues.
Domain Name Service (DNS)
A system used for translating host names for network nodes into IP addresses.
Dynamic Host Control Protocol (DHCP)
Provides a framework for passing configuration information to hosts on a TCP/IP network.
Generic Multicast Registration Protocol (GMRP)
GMRP allows network devices to register end stations with multicast groups. GMRP requires that any participating network devices or end stations comply with the IEEE 802.1p standard.
Group Attribute Registration Protocol (GARP)
See Generic Attribute Registration Protocol.
IEEE 802.1D
Specifies a general method for the operation of MAC bridges, including the Spanning Tree Protocol.
IEEE 802.
IEEE 802.3ac
Defines frame extensions for VLAN tagging.
IEEE 802.3x
Defines Ethernet frame start/stop requests and timers used for flow control on full-duplex links.
IGMP Snooping
Listening to IGMP Query and IGMP Report packets transferred between IP Multicast Routers and IP Multicast host groups to identify IP Multicast group members.
IP Precedence
The Type of Service (ToS) octet in the IPv4 header includes three precedence bits defining eight different priority levels ranging from highest priority for network control packets to lowest priority for routine traffic. The eight values are mapped one-to-one to the Class of Service categories by default, but may be configured differently to suit the requirements for specific network applications.
Layer 2
Data Link layer in the ISO 7-Layer Data Communications Protocol.
Multicast Switching
A process whereby the switch filters incoming multicast frames for services for which no attached host has registered, or forwards them to all ports contained within the designated multicast VLAN group.
Network Time Protocol (NTP)
NTP provides the mechanisms to synchronize time across the network. The time servers operate in a hierarchical master-slave configuration in order to synchronize local clocks within the subnet and to national time standards via wire or radio.
Private Branch Exchange (PBX)
A telephone exchange local to a particular organization that uses, rather than provides, telephone services.
Private VLANs
Private VLANs provide port-based security and isolation between ports within the assigned VLAN. Data traffic on downlink ports can only be forwarded to, and from, uplink ports.
Secure Shell (SSH)
A secure replacement for remote access functions, including Telnet. SSH can authenticate users with a cryptographic key, and encrypt data connections between management clients and the switch.
Simple Mail Transfer Protocol (SMTP)
A standard host-to-host mail transport protocol that operates over TCP, port 25.
Simple Network Management Protocol (SNMP)
The application protocol in the Internet suite of protocols which offers network management services.
Terminal Access Controller Access Control System Plus (TACACS+)
TACACS+ is a logon authentication protocol that uses software running on a central server to control access to TACACS-compliant devices on the network.
Transmission Control Protocol/Internet Protocol (TCP/IP)
Protocol suite that includes TCP as the primary transport protocol, and IP as the network layer protocol.
Trivial File Transfer Protocol (TFTP)
A TCP/IP protocol commonly used for software downloads.
Very high data rate Digital Subscriber Line 2 (VDSL2)
VDSL2 as defined in ITU-T Recommendation G.993.2 is an enhancement to the first VDSL standard (G.993.1). It supports transmission at a bi-directional net data rate (the sum of upstream and downstream rates) of up to 200 Mbps on twisted pair cables using a bandwidth of up to 30 MHz. VDSL2 includes many enhancements, one of which is the addition of the US0 band and methods to train echo cancellers and time domain equalizers.
FOR TECHNICAL SUPPORT, CALL: From U.S.A. and Canada (24 hours a day, 7 days a week) (800) SMC-4-YOU; (949) 679-8000; Fax: (949) 679-1481 From Europe: Contact details can be found on www.smc-europe.com or www.smc.com INTERNET E-mail addresses: techsupport@smc.com european.techsupport@smc-europe.com Driver updates: http://www.smc.com/index.cfm?action=tech_support_drivers_downloads World Wide Web: http://www.smc.com http://www.smc-europe.com FOR LITERATURE OR ADVERTISING RESPONSE, CALL: U.S.A.