Page 1
ECS4120-28F/28F-I ECS4120-28T/28P C L I R e f e r e n c e G u i d e ECS4120-52T 28/52-Port Layer 2+ Gigabit Ethernet Switch Software Release v1.0.2.25 www.edge-core.com...
How to Use This Guide This guide includes detailed information on the switch software, including how to operate and use the management functions of the switch. To deploy this switch effectively and ensure trouble-free operation, you should first read the relevant sections in this guide so that you are familiar with all of its software features.
Page 4
This section summarizes the changes in each revision of this guide. Revision Date Change Description v1.0.2.25 09/2017 Added: ECS4120-28F-I ◆ "ip dhcp l2 relay" on page 841 ◆ "ip dhcp l3 relay" on page 841 ◆ "ip dhcp snooping information option tr101 board- ◆...
Contents How to Use This Guide Contents Figures Tables Section I Getting Started 1 Initial Switch Configuration Connecting to the Switch Configuration Options Connecting to the Console Port Logging Onto the Command Line Interface Setting Passwords Remote Connections (Network Interface) Configuring the Switch for Remote Management Setting an IP Address Enabling SNMP Management Access...
Page 6
Contents Section II Command Line Interface 2 Using the Command Line Interface Accessing the CLI Console Connection Telnet Connection Entering Commands Keywords and Arguments Minimum Abbreviation Command Completion Getting Help on Commands Partial Keyword Lookup Negating the Effect of Commands Using Command History Understanding Command Modes Exec Commands...
Page 7
Contents hostname Banner Information banner configure banner configure company banner configure dc-power-info banner configure department banner configure equipment-info banner configure equipment-location banner configure ip-lan banner configure lp-number banner configure manager-info banner configure mux banner configure note show banner System Status show access-list tcam-utilization show location-led status show memory...
Page 8
Contents General Commands boot system copy delete umount usbdisk whichboot Automatic Code Upgrade Commands upgrade opcode auto upgrade opcode path upgrade opcode reload show upgrade TFTP Configuration Commands ip tftp retry ip tftp timeout show ip tftp Line line databits exec-timeout login parity...
Page 9
Contents logging on logging trap clear log show log show logging SMTP Alerts logging sendmail logging sendmail host logging sendmail level logging sendmail destination-email logging sendmail source-email show logging sendmail Time SNTP Commands sntp client sntp poll sntp server show sntp NTP Commands ntp authenticate ntp authentication-key...
Page 10
Contents show time-range Switch Clustering cluster cluster commander cluster ip-pool cluster member rcommand show cluster show cluster members show cluster candidates 5 SNMP Commands General SNMP Commands snmp-server snmp-server community snmp-server contact snmp-server location show snmp SNMP Target Host Commands snmp-server enable traps snmp-server host snmp-server enable port-traps mac-notification...
Page 11
Contents show nlm oper-status show snmp notify-filter Additional Trap Commands memory process cpu process cpu guard 6 Remote Monitoring Commands rmon alarm rmon event rmon collection history rmon collection rmon1 show rmon alarms show rmon events show rmon history show rmon statistics 7 Flow Sampling Commands sflow owner sflow polling instance...
Page 12
Contents radius-server key radius-server retransmit radius-server timeout show radius-server TACACS+ Client tacacs-server host tacacs-server key tacacs-server port tacacs-server retransmit tacacs-server timeout show tacacs-server aaa accounting dot1x aaa accounting exec aaa accounting update aaa authorization exec aaa group server server accounting dot1x accounting exec authorization exec show accounting...
Page 13
Contents ip ssh server ip ssh server-key size ip ssh timeout delete public-key ip ssh crypto host-key generate ip ssh crypto zeroize ip ssh save host-key show ip ssh show public-key show ssh 802.1X Port Authentication General Commands dot1x default dot1x eapol-pass-through dot1x system-auth-control Authenticator Commands...
Page 14
Contents pppoe intermediate-agent port-enable pppoe intermediate-agent port-format-type pppoe intermediate-agent port-format-type remote-id pppoe intermediate-agent trust pppoe intermediate-agent vendor-tag strip clear pppoe intermediate-agent statistics show pppoe intermediate-agent info show pppoe intermediate-agent statistics 9 General Security Measures Port Security mac-learning port security port security mac-address-as-permanent show port security Network Access (MAC Address Authentication) network-access aging...
Page 15
Contents Web Authentication web-auth login-attempts web-auth quiet-period web-auth session-timeout web-auth system-auth-control web-auth web-auth re-authenticate (Port) web-auth re-authenticate (IP) show web-auth show web-auth interface show web-auth summary DHCPv4 Snooping ip dhcp snooping ip dhcp snooping information option ip dhcp snooping information option encode no-subtype ip dhcp snooping information option remote-id ip dhcp snooping information option tr101 board-id information policy...
Page 16
Contents ipv6 dhcp snooping trust clear ipv6 dhcp snooping binding clear ipv6 dhcp snooping statistics show ipv6 dhcp snooping show ipv6 dhcp snooping binding show ipv6 dhcp snooping statistics IPv4 Source Guard ip source-guard binding ip source-guard ip source-guard max-binding ip source-guard mode clear ip source-guard binding blocked show ip source-guard...
Page 17
Contents dos-protection tcp-null-scan dos-protection tcp-syn-fin-scan dos-protection tcp-xmas-scan show dos-protection Port-based Traffic Segmentation traffic-segmentation traffic-segmentation session traffic-segmentation uplink/downlink traffic-segmentation uplink-to-uplink show traffic-segmentation 10 Access Control Lists IPv4 ACLs access-list ip permit, deny (Standard IP ACL) permit, deny (Extended IPv4 ACL) ip access-group show ip access-group show ip access-list IPv6 ACLs...
Page 18
Contents show access-list arp show arp access-list ACL Information clear access-list hardware counters show access-group show access-list 11 Interface Commands Interface Configuration interface alias capabilities description discard flowcontrol history media-type negotiation shutdown speed-duplex switchport block switchport mtu clear counters show discard show interfaces brief show interfaces counters show interfaces history...
Page 19
Contents transceiver-threshold tx-power transceiver-threshold voltage show interfaces transceiver show interfaces transceiver-threshold Cable Diagnostics test cable-diagnostics test loop internal show cable-diagnostics show loop internal Power Savings power-save show power-save 12 Link Aggregation Commands Manual Configuration Commands port channel load-balance channel-group Dynamic Configuration Commands lacp lacp admin-key (Ethernet Interface) lacp port-priority...
Page 20
Contents show power mainpower 14 Port Mirroring Commands Local Port Mirroring Commands port monitor show port monitor RSPAN Mirroring Commands rspan source rspan destination rspan remote vlan no rspan session show rspan 15 Congestion Control Commands Rate Limit Commands rate-limit Storm Control Commands switchport packet-rate Automatic Traffic Control Commands...
Page 26
Contents class-map description match rename policy-map class police flow police srtcm-color police trtcm-color set cos set ip dscp set phb service-policy show class-map show policy-map show policy-map interface 24 Multicast Filtering Commands IGMP Snooping ip igmp snooping ip igmp snooping priority ip igmp snooping proxy-reporting ip igmp snooping querier ip igmp snooping router-alert-option-check...
Page 27
Contents ip igmp snooping vlan mrd ip igmp snooping vlan proxy-address ip igmp snooping vlan query-interval ip igmp snooping vlan query-resp-intvl ip igmp snooping vlan static clear ip igmp snooping groups dynamic clear ip igmp snooping statistics show ip igmp snooping show ip igmp snooping group show ip igmp snooping mrouter show ip igmp snooping statistics...
Page 33
Contents show efm oam event-log interface show efm oam remote-loopback interface show efm oam status interface show efm oam status remote interface 28 Domain Name Service Commands ip domain-list ip domain-lookup ip domain-name ip host ip name-server ipv6 host clear dns cache clear host show dns show dns cache...
Page 34
Contents ip address ip default-gateway show ip interface show ip traffic traceroute ping ARP Configuration ip proxy-arp arp timeout clear arp-cache show arp IPv6 Interface Interface Address Configuration and Utilities ipv6 default-gateway ipv6 address ipv6 address autoconfig ipv6 address eui-64 ipv6 address link-local ipv6 enable ipv6 mtu...
Figures Figure 1: Storm Control by Limiting the Traffic Rate Figure 2: Storm Control by Shutting Down a Port Figure 3: Non-ERPS Device Protection Figure 4: Sub-ring with Virtual Channel Figure 5: Sub-ring without Virtual Channel Figure 6: Configuring VLAN Trunking Figure 7: Mapping QinQ Service VLAN to Customer VLAN Figure 8: Configuring VLAN Translation –...
Section I Getting Started This section provides an overview of the switch, and introduces some basic concepts about network switches. It also describes the basic settings required to access the management interface. This section includes these chapters: ◆ "Initial Switch Configuration" on page 47 –...
Initial Switch Configuration This chapter includes information on connecting to the switch and basic configuration procedures. Connecting to the Switch The switch includes a built-in network management agent. The agent offers a variety of management options, including SNMP, RMON and a web-based interface. A PC may also be connected directly to the switch for configuration and monitoring via a command line interface (CLI).
Chapter 1 | Initial Switch Configuration Connecting to the Switch ◆ Control port access through IEEE 802.1X security or static address filtering ◆ Filter packets using Access Control Lists (ACLs) ◆ Configure up to 4094 IEEE 802.1Q VLANs ◆ Enable GVRP automatic VLAN registration ◆...
Chapter 1 | Initial Switch Configuration Connecting to the Switch Power on the switch. After the system completes the boot cycle, the logon screen appears. Logging Onto the The CLI program provides two different command levels — normal access level (Normal Exec) and privileged access level (Privileged Exec).
Console(config)# * This manual covers the ECS4120-28T/52T Gigabit Ethernet switches, the ECS4120-28F/28F-I Gigabit Ethernet fiber switch, and the ECS4120-28P Gigabit Ethernet PoE switch. Other than the difference in port types, and support for PoE (ECS4120-28P), there are no significant differences. Therefore most of the screen display examples are based on the ECS4120-28T.
Chapter 1 | Initial Switch Configuration Configuring the Switch for Remote Management Configuring the Switch for Remote Management The switch can be managed through the operational network, known as in-band management. Because in-band management traffic is mixed in with operational network traffic, it is subject to all of the filtering rules usually applied to a standard network ports such as ACLs and VLAN tagging.
Page 52
Chapter 1 | Initial Switch Configuration Configuring the Switch for Remote Management To assign an IPv4 address to the switch, complete the following steps From the Global Configuration mode prompt, type “interface vlan 1” to access the interface-configuration mode. Press <Enter>. Type “ip address ip-address netmask, ”...
Page 53
Chapter 1 | Initial Switch Configuration Configuring the Switch for Remote Management Console(config)#interface vlan 1 Console(config-if)#ipv6 address FE80::260:3EFF:FE11:6700 link-local Console(config-if)#ipv6 enable Console(config-if)#end Console#show ipv6 interface VLAN 1 is up IPv6 is enabled. Link-local address: fe80::260:3eff:fe11:6700%1/64 Global unicast address(es): (None) Joined group address(es): ff02::2 ff02::1:ff00:0 ff02::1:ff11:6700...
Chapter 1 | Initial Switch Configuration Configuring the Switch for Remote Management Type “exit” to return to the global configuration mode prompt. Press <Enter>. To set the IP address of the IPv6 default gateway for the network to which the switch belongs, type “ipv6 default-gateway gateway, ”...
Page 55
Chapter 1 | Initial Switch Configuration Configuring the Switch for Remote Management To automatically configure the switch by communicating with BOOTP or DHCP address allocation servers on the network, complete the following steps: From the Global Configuration mode prompt, type “interface vlan 1” to access the interface-configuration mode.
Page 56
Chapter 1 | Initial Switch Configuration Configuring the Switch for Remote Management Console(config)#interface vlan 1 Console(config-if)#ipv6 enable Console(config-if)#end Console#show ipv6 interface VLAN 1 is up IPv6 is enabled Link-local address: FE80::260:3EFF:FE11:6700/64 Global unicast address(es): 2001:DB8:2222:7272::/64, subnet is 2001:DB8:2222:7272::/64 Joined group address(es): FF02::1:FF00:0 FF02::1:FF11:6700 FF02::1...
Chapter 1 | Initial Switch Configuration Enabling SNMP Management Access Joined group address(es): ff02::1:ff00:fd ff02::1:ff11:6700 ff02::1 IPv6 link MTU is 1500 bytes ND DAD is enabled, number of DAD attempts: 3. ND retransmit interval is 1000 milliseconds ND advertised retransmit interval is 0 milliseconds ND reachable time is 30000 milliseconds ND advertised reachable time is 0 milliseconds ND advertised router lifetime is 1800 seconds...
Page 58
Chapter 1 | Initial Switch Configuration Enabling SNMP Management Access To configure a community string, complete the following steps: From the Privileged Exec level global configuration mode prompt, type “snmp- server community string mode, ” where “string” is the community access string and “mode”...
Chapter 1 | Initial Switch Configuration Managing System Files another view that includes the IEEE 802.1d bridge MIB. It assigns these respective read and read/write views to a group call “r&d” and specifies group authentication via MD5 or SHA. In the last step, it assigns a v3 user to this group, indicating that MD5 will be used for authentication, provides the password “greenpeace”...
Chapter 1 | Initial Switch Configuration Managing System Files Note: The Boot ROM and Loader cannot be uploaded or downloaded from the FTP/TFTP server. You must follow the instructions in the release notes for new firmware, or contact your distributor for help. Due to the size limit of the flash memory, the switch supports only two operation code files.
Chapter 1 | Initial Switch Configuration Managing System Files Saving or Restoring Configuration commands only modify the running configuration file and are not saved when the switch is rebooted. To save all your configuration changes in Configuration nonvolatile storage, you must copy the running configuration file to the start-up Settings configuration file using the “copy”...
Chapter 1 | Initial Switch Configuration Automatic Installation of Operation Code and Configuration Settings Console#copy tftp startup-config TFTP server IP address: 192.168.0.4 Source configuration file name: startup-rd.cfg Startup configuration file name [startup1.cfg]: Success. Console# Automatic Installation of Operation Code and Configuration Settings Downloading Automatic Operation Code Upgrade can automatically download an operation Operation Code from...
Page 63
Chapter 1 | Initial Switch Configuration Automatic Installation of Operation Code and Configuration Settings upgrade file is stored as ECS4120-Series.BIX (or even ECS4120-series.bix) on a case-sensitive server, then the switch (requesting ECS4120-serieS.bix) will not be upgraded because the server does not recognize the requested file name and the stored file name as being equal.
Page 64
Chapter 1 | Initial Switch Configuration Automatic Installation of Operation Code and Configuration Settings This shows how to specify a TFTP server where new code is stored. Console(config)#upgrade opcode path tftp://192.168.0.1/sm24/ Console(config)# This shows how to specify an FTP server where new code is stored. Console(config)#upgrade opcode path ftp://admin:billy@192.168.0.1/sm24/ Console(config)# Set the switch to automatically reboot and load the new code after the opcode...
Chapter 1 | Initial Switch Configuration Automatic Installation of Operation Code and Configuration Settings Specifying a DHCP DHCP servers index their database of address bindings using the client’s Media Access Control (MAC) Address or a unique client identifier. The client identifier is Client Identifier used to identify the vendor class and configuration of the switch to the DHCP server, which then uses this information to decide on how to service the client or...
Chapter 1 | Initial Switch Configuration Automatic Installation of Operation Code and Configuration Settings ◆ If the switch fails to download the bootup configuration file based on information passed by the DHCP server, it will not send any further DHCP client requests.
Chapter 1 | Initial Switch Configuration Setting the System Clock Setting the Time To manually set the clock to 14:11:36, April 1st, 2013, enter this command. Manually Console#calendar set 14 11 36 1 April 2013 Console# To set the time zone, enter a command similar to the following. Console(config)#clock timezone Japan hours 8 after-UTC Console(config)# To set the time shift for summer time, enter a command similar to the following.
Chapter 1 | Initial Switch Configuration Setting the System Clock Configuring NTP Requesting the time from a an NTP server is the most secure method. You can enable NTP authentication to ensure that reliable updates are received from only authorized NTP servers. The authentication keys and their associated key number must be centrally managed and manually distributed to NTP servers and clients.
Page 70
Chapter 1 | Initial Switch Configuration Setting the System Clock – 70 –...
Section II Command Line Interface This section provides a detailed description of the Command Line Interface, along with examples for all of the commands. This section includes these chapters: ◆ “Using the Command Line Interface” on page 73 ◆ “General Commands” on page 87 ◆...
Page 72
Section II | Command Line Interface ◆ “Spanning Tree Commands” on page 495 ◆ “VLAN Commands” on page 555 ◆ “ERPS Commands” on page 523 ◆ “Class of Service Commands” on page 601 ◆ “Quality of Service Commands” on page 621 ◆...
Using the Command Line Interface This chapter describes how to use the Command Line Interface (CLI). Accessing the CLI When accessing the management interface for the switch over a direct connection to the server’s console port, or via a Telnet or Secure Shell connection (SSH), the switch can be managed by entering command keywords and parameters at the prompt.
Page 74
Chapter 2 | Using the Command Line Interface Accessing the CLI portion. For example, the IP address assigned to this switch, 10.1.0.1, consists of a network portion (10.1.0) and a host portion (1). Note: The IP address for this switch is obtained via DHCP by default. To access the switch through a Telnet session, you must first set the IP address for the Master unit, and set the default gateway if you are managing the switch from a different IP subnet.
Chapter 2 | Using the Command Line Interface Entering Commands Entering Commands This section describes how to enter CLI commands. Keywords and A CLI command is a series of keywords and arguments. Keywords identify a Arguments command, and arguments specify configuration parameters. For example, in the command “show interfaces status ethernet 1/5, ”...
Chapter 2 | Using the Command Line Interface Entering Commands Getting Help on You can display a brief description of the help system by entering the help command. You can also display command syntax by using the “?” character to list Commands keywords or parameters.
Page 77
Chapter 2 | Using the Command Line Interface Entering Commands power Shows power power-save Shows the power saving information pppoe Displays PPPoE configuration privilege Shows current privilege level process Device process protocol-vlan Protocol-VLAN information public-key Public key information Quality of Service queue Priority queue information radius-server...
Chapter 2 | Using the Command Line Interface Entering Commands Partial Keyword If you terminate a partial keyword with a question mark, alternatives that match the initial letters are provided. (Remember not to leave a space between the command Lookup and question mark.) For example “s?”...
Chapter 2 | Using the Command Line Interface Entering Commands Table 3: General Command Modes Class Mode Exec Normal Privileged Configuration Access Control List Global Class Map ERPS IGMP Profile Interface Line Multiple Spanning Tree Policy Map Time Range VLAN Database * You must be in Privileged Exec mode to access the Global configuration mode.
Chapter 2 | Using the Command Line Interface Entering Commands Configuration Configuration commands are privileged level commands used to modify switch settings. These commands modify the running configuration only and are not Commands saved when the switch is rebooted. To store the running configuration in non- volatile storage, use the copy running-config startup-config command.
Chapter 2 | Using the Command Line Interface Entering Commands To enter the Global Configuration mode, enter the command configure in Privileged Exec mode. The system prompt will change to “Console(config)#” which gives you access privilege to all Global Configuration commands. Console#configure Console(config)# To enter the other modes, at the configuration prompt type one of the following...
Chapter 2 | Using the Command Line Interface Entering Commands For example, you can use the following commands to enter interface configuration mode, and then return to Privileged Exec mode Console(config)#interface ethernet 1/5 Console(config-if)#exit Console(config)# Command Line Commands are not case sensitive. You can abbreviate commands and parameters Processing as long as they contain enough letters to differentiate them from any other currently available commands or parameters.
Chapter 2 | Using the Command Line Interface CLI Command Groups CLI Command Groups The system commands can be broken down into the functional groups shown below Table 6: Command Group Index Command Group Description Page General Basic commands for entering privileged access mode, restarting the system, or quitting the CLI System Management Display and setting of system information, basic modes of...
Page 84
Chapter 2 | Using the Command Line Interface CLI Command Groups (Continued) Table 6: Command Group Index Command Group Description Page ERPS Configures Ethernet Ring Protection Switching for increased availability of Ethernet rings commonly used in service provider networks ERPS Configures Ethernet Ring Protection Switching for increased 1257 availability of Ethernet rings commonly used in service...
Page 85
Chapter 2 | Using the Command Line Interface CLI Command Groups IPC (IGMP Profile Configuration) LC (Line Configuration) MST (Multiple Spanning Tree) NE (Normal Exec) PE (Privileged Exec) PM (Policy Map Configuration) VC (VLAN Database Configuration) – 85 –...
Page 86
Chapter 2 | Using the Command Line Interface CLI Command Groups – 86 –...
General Commands The general commands are used to control the command access mode, configuration mode, and other basic functions. Table 7: General Commands Command Function Mode prompt Customizes the CLI prompt reload Restarts the system at a specified time, after a specified delay, or at a periodic interval enable Activates privileged mode...
Chapter 3 | General Commands Command Mode Global Configuration Command Usage This command and the hostname command can be used to set the command line prompt as shown in the example below. Using the no form of either command will restore the default command line prompt.
Chapter 3 | General Commands Default Setting None Command Mode Global Configuration Command Usage ◆ This command resets the entire system. ◆ Any combination of reload options may be specified. If the same option is re- specified, the previous setting will be overwritten. ◆...
Chapter 3 | General Commands ◆ The “#” character is appended to the end of the prompt to indicate that the system is in privileged access mode. Example Console>enable Password: [privileged level password] Console# Related Commands disable (92) enable password (218) quit This command exits the configuration program.
Chapter 3 | General Commands show history This command shows the contents of the command history buffer. Default Setting None Command Mode Normal Exec, Privileged Exec Command Usage The history buffer size is fixed at 10 Execution commands and 10 Configuration commands.
Chapter 3 | General Commands Command Mode Privileged Exec Example Console#configure Console(config)# Related Commands end (93) disable This command returns to Normal Exec mode from privileged mode. In normal access mode, you can only display basic information on the switch's configuration or Ethernet statistics.
Chapter 3 | General Commands Command Usage This command resets the entire system. Example This example shows how to reset the switch: Console#reload System will be restarted, continue <y/n>? y show reload This command displays the current reload settings, and the time at which next scheduled reload will take place.
Chapter 3 | General Commands Command Mode Example This example shows how to return to the Privileged Exec mode from the Global Configuration mode, and then quit the CLI session: Console(config)#exit % CLI exit session *************************************************************** WARNING - MONITORED ACTIONS AND ACCESSES Station's information: Floor / Row / Rack / Sub-Rack DC power supply:...
System Management Commands The system management commands are used to control system logs, passwords, user names, management options, and display or configure a variety of other system information. Table 8: System Management Commands Command Group Function Device Designation Configures information that uniquely identifies this switch Banner Information Configures administrative contact, device identification and location System Status...
Chapter 4 | System Management Commands Banner Information hostname This command specifies or modifies the host name for this device. Use the no form to restore the default host name. Syntax hostname name no hostname name - The name of this host. (Maximum length: 255 characters) Default Setting None Command Mode...
Chapter 4 | System Management Commands Banner Information (Continued) Table 10: Banner Commands Command Function Mode banner configure Configures the Department information that is displayed department by banner banner configure Configures the Equipment information that is displayed by equipment-info banner banner configure Configures the Equipment Location information that is equipment-location...
Chapter 4 | System Management Commands Banner Information Example Console(config)#banner configure Company: Edge-Core Networks Responsible department: R&D Dept Name and telephone to Contact the management people Manager1 name: Sr. Network Admin phone number: 123-555-1212 Manager2 name: Jr. Network Admin phone number: 123-555-1213...
Chapter 4 | System Management Commands Banner Information Example Console(config)#banner configure company Big-Ben Console(config)# banner configure This command is use to configure DC power information displayed in the banner. dc-power-info Use the no form to restore the default setting. Syntax banner configure dc-power-info floor floor-id row row-id rack rack-id electrical-circuit ec-id no banner configure dc-power-info [floor | row | rack | electrical-circuit]...
Chapter 4 | System Management Commands Banner Information banner configure This command is used to configure the department information displayed in the banner. Use the no form to restore the default setting. department Syntax banner configure department dept-name no banner configure department dept-name - The name of the department.
Example Console(config)#banner configure equipment-info manufacturer-id ECS4120-28T floor 3 row 10 rack 15 shelf-rack 12 manufacturer Edge-Core Console(config)# banner configure This command is used to configure the equipment location information displayed equipment-location in the banner.
Chapter 4 | System Management Commands Banner Information banner configure This command is used to configure the device IP address and subnet mask information displayed in the banner. Use the no form to restore the default setting. ip-lan Syntax banner configure ip-lan ip-mask no banner configure ip-lan ip-mask - The IP address and subnet mask of the device.
Chapter 4 | System Management Commands Banner Information Example Console(config)#banner configure lp-number 12 Console(config)# banner configure This command is used to configure the manager contact information displayed in manager-info the banner. Use the no form to restore the default setting. Syntax banner configure manager-info name mgr1-name phone-number mgr1-number...
Chapter 4 | System Management Commands Banner Information banner configure mux This command is used to configure the mux information displayed in the banner. Use the no form to restore the default setting. Syntax banner configure mux muxinfo no banner configure mux muxinfo - The circuit and PVC to which the switch is connected.
Chapter 4 | System Management Commands System Status (Continued) Table 11: System Status Commands Command Function Mode show process cpu Shows CPU utilization parameters NE, PE show process cpu guard Shows the CPU utilization watermark and threshold show process cpu task Shows CPU utilization per process show running-config Displays the configuration data currently in use...
Chapter 4 | System Management Commands System Status L - Link local, Reserved - Reserved, ALL - All supported function, Unit Device Pool Total Used Free Capability ---- ------ ---- ----- ----- ----- ---------------------------------------- 128 A6S D6S 128 A6E D6E C L 128 A4 D4 128 AM DM 0 I6...
Chapter 4 | System Management Commands System Status Related Commands memory (198) show process cpu This command shows the CPU utilization parameters, alarm status, and alarm thresholds. Command Mode Normal Exec, Privileged Exec Example Console#show process cpu CPU Utilization in the past 5 seconds : 7% CPU Utilization in the past 60 seconds Average Utilization : 8%...
Chapter 4 | System Management Commands System Status Table 12: show process cpu guard - display description Field Description CPU Guard Configuration Status Shows if CPU Guard has been enabled. High Watermark If the percentage of CPU usage time is higher than the high- watermark,the switch stops packet flow to the CPU (allowing it to catch up with packets already in the buffer) until usage time falls below the low watermark.
Page 111
Chapter 4 | System Management Commands System Status port-channel channel-id (Range: 1-26) vlan vlan-id (Range: 1-4094) Command Mode Privileged Exec Command Usage ◆ Use the interface keyword to display configuration data for the specified interface. ◆ Use this command in conjunction with the show startup-config command to compare the information in running memory to the information stored in non- volatile memory.
Chapter 4 | System Management Commands System Status capabilities 1000full interface ethernet 1/1 interface vlan 1 ipv6 enable ipv6 address 2001:db8:2222:7272::/64 ipv6 address fe80::260:3eff:fe11:6700 link-local ipv6 default-gateway 2001:db8:2222:7272::254 line console line vty Console# Related Commands show startup-config (112) show startup-config This command displays the configuration file stored in non-volatile memory that is used to start up the system.
Chapter 4 | System Management Commands System Status Example Refer to the example for the running configuration file. Related Commands show running-config (110) show system This command displays system information. Default Setting None Command Mode Normal Exec, Privileged Exec Command Usage ◆...
Chapter 4 | System Management Commands System Status Main Power Status : Up Redundant Power Status : Not present Console# Table 13: show system – display description Parameter Description System Description Brief description of device type. System OID String MIB II object ID for switch’s network management subsystem. System Up Time Length of time the management agent has been up.
Chapter 4 | System Management Commands System Status runtime.bix OpCode 1970-01-01 00:00:16 20971520 Factory_Default_Config.cfg Config 2015-05-15 06:40:35 startup1.cfg Config 2015-05-15 06:40:44 1737 ---------------------------------------------------------------------------- Free space for compressed user config files: 50393088 show arp: ARP Cache Timeout: 1200 (seconds) IP Address MAC Address Type Interface...
Chapter 4 | System Management Commands System Status Console# show version This command displays hardware and software version information for the system. Command Mode Normal Exec, Privileged Exec Example Console#show version Unit 1 Serial Number : S123456 Hardware Version : R0A EPLD Version : 0.00 Number of Ports...
Chapter 4 | System Management Commands Fan Control show watchdog This command shows if watchdog debugging is enabled. Command Mode Privileged Exec Example Console#show watchdog Software Watchdog Information Status : Enabled Console# watchdog software This command monitors key processes, and automatically reboots the system if any of these processes are not responding correctly.
Chapter 4 | System Management Commands Frame Size fan-speed force-full This command sets all fans to full speed. Use the no form to reset the fans to normal operating speed. Syntax [no] fan-speed force-full Default Setting Normal speed Command Mode Global Configuration Example Console(config)#fan-speed force-full...
Chapter 4 | System Management Commands File Management ◆ To use jumbo frames, both the source and destination end nodes (such as a computer or server) must support this feature. Also, when the connection is operating at full duplex, all switches in the network between the two end nodes must be able to accept the extended frame size.
Chapter 4 | System Management Commands File Management can be copied to the FTP/TFTP server, but cannot be used as the destination on the switch. Table 17: Flash/File Commands Command Function Mode General Commands boot system Specifies the file or image used to start up the system copy Copies a code image or a switch configuration to or from flash memory or an FTP/TFTP server...
Chapter 4 | System Management Commands File Management General Commands boot system This command specifies the file or image used to start up the system. Syntax boot system {boot-rom | config | opcode}: filename boot-rom* - Boot ROM. config* - Configuration file. opcode* - Run-time operation code.
Chapter 4 | System Management Commands File Management copy This command moves (upload/download) a code image or configuration file between the switch’s flash memory and an FTP/TFTP server or a USB memory stick. When you save the system code or configuration settings to a file on an FTP/TFTP server, that file can later be downloaded to the switch to restore system operation.
Page 123
Chapter 4 | System Management Commands File Management ◆ The destination file name should not contain slashes (\ or /), and the maximum length for file names is 32 characters for files on the switch or 127 characters for files on the server. (Valid characters: A-Z, a-z, 0-9, “. ” , “-”) ◆...
Page 124
Chapter 4 | System Management Commands File Management Destination file name: startup.01 TFTP completed. Success. Console# The following example shows how to copy the running configuration to a startup file. Console#copy running-config file destination file name: startup Write to FLASH Programming. \Write to FLASH finish.
Chapter 4 | System Management Commands File Management Username: steve TFTP Download Success. Write to FLASH Programming. Success. Console# This example shows how to copy a file to an FTP server. Console#copy ftp file FTP server IP address: 169.254.1.11 User[anonymous]: bob@sample.com Password[]: ***** Choose file type: 1.
Chapter 4 | System Management Commands File Management ◆ If the public key type is not specified, then both DSA and RSA keys will be deleted. Example This example shows how to delete the test2.cfg configuration file from flash memory. Console#delete test2.cfg Console# Related Commands...
Chapter 4 | System Management Commands File Management (Continued) Table 18: File Directory Information Column Heading Description Startup Shows if this file is used when the system is started. Modified Time The date and time the file was last modified. Size The length of the file in bytes.
Chapter 4 | System Management Commands File Management whichboot This command displays which files were booted when the system powered up. Syntax whichboot Default Setting None Command Mode Privileged Exec Example This example shows the information displayed by the whichboot command. See the table under the dir command for a description of the file information displayed by this command.
Chapter 4 | System Management Commands File Management version newer than the one currently in use, it will download the new image. If two code images are already stored in the switch, the image not set to start up the system will be overwritten by the new version. After the image has been downloaded, the switch will send a trap message to log whether or not the upgrade operation was successful.
Chapter 4 | System Management Commands File Management Command Usage ◆ This command is used in conjunction with the upgrade opcode auto command to facilitate automatic upgrade of new operational code stored at the location indicated by this command. ◆ The name for the new image stored on the TFTP server must be ECS4120- Seroes.bix.
Chapter 4 | System Management Commands File Management Example This shows how to automatically reboot and load the new code after the opcode upgrade is completed. Console(config)#upgrade opcode reload Console(config)# show upgrade This command shows the opcode upgrade configuration settings. Command Mode Privileged Exec Example...
Chapter 4 | System Management Commands File Management ip tftp timeout This command specifies the time the switch can wait for a response from a TFTP server before retransmitting a request or timing out for the last retry. Use the no form to restore the default setting.
Chapter 4 | System Management Commands Line Line You can access the onboard configuration program by attaching a VT100 compatible device to the server’s serial port. These commands are used to set communication parameters for the serial port or Telnet (i.e., a virtual terminal). Table 19: Line Commands Command Function...
Chapter 4 | System Management Commands Line line This command identifies a specific line for configuration, and to process subsequent line configuration commands. Syntax line {console | vty} console - Console terminal line. vty - Virtual terminal for remote console access (i.e., Telnet). Default Setting There is no default line.
Chapter 4 | System Management Commands Line Command Usage The databits command can be used to mask the high bit on input from devices that generate 7 data bits with parity. If parity is being generated, specify 7 data bits per character.
Chapter 4 | System Management Commands Line login This command enables password checking at login. Use the no form to disable password checking and allow connections without a password. Syntax login [local] no login local - Selects local password checking. Authentication is based on the user name specified with the username command.
Chapter 4 | System Management Commands Line parity This command defines the generation of a parity bit. Use the no form to restore the default setting. Syntax parity {none | even | odd} no parity none - No parity even - Even parity odd - Odd parity Default Setting No parity...
Chapter 4 | System Management Commands Line Command Usage ◆ When a connection is started on a line with password protection, the system prompts for the password. If you enter the correct password, the system shows a prompt. You can use the password-thresh command to set the number of times a user can enter an incorrect password before the system terminates the...
Chapter 4 | System Management Commands Line Example To set the password threshold to five attempts, enter this command: Console(config-line-console)#password-thresh 5 Console(config-line-console)# Related Commands silent-time (139) silent-time This command sets the amount of time the management console is inaccessible after the number of unsuccessful logon attempts exceeds the threshold set by the password-thresh command.
Chapter 4 | System Management Commands Line speed This command sets the terminal line’s baud rate. This command sets both the transmit (to terminal) and receive (from terminal) speeds. Use the no form to restore the default setting. Syntax speed bps no speed bps - Baud rate in bits per second.
Chapter 4 | System Management Commands Line Example To specify 2 stop bits, enter this command: Console(config-line-console)#stopbits 2 Console(config-line-console)# timeout login This command sets the interval that the system waits for a user to log into the CLI. response Use the no form to restore the default setting. Syntax timeout login response [seconds] no timeout login response...
Chapter 4 | System Management Commands Line disconnect This command terminates an SSH, Telnet, or console connection. Syntax disconnect session-id session-id – The session identifier for an SSH, Telnet or console connection. (Range: 0-8) Command Mode Privileged Exec Command Usage Specifying session identifier “0”...
Chapter 4 | System Management Commands Line width - The number of character columns displayed on the terminal. (Range: 0-80) Default Setting Escape Character: 27 (ASCII-number) History: 10 Length: 24 Terminal Type: VT100 Width: 80 Command Mode Privileged Exec Example This example sets the number of lines displayed by commands with lengthy output such as show running-config...
Chapter 4 | System Management Commands Event Logging Command Usage The command specifies the facility type tag sent in syslog messages. (See RFC 3164.) This type has no effect on the kind of messages reported by the switch. However, it may be used by the syslog server to sort messages or to store messages in the corresponding database.
Chapter 4 | System Management Commands Event Logging Command Usage The message level specified for flash memory must be a higher priority (i.e., numerically lower) than that specified for RAM. Example Console(config)#logging history ram 0 Console(config)# logging host This command adds a syslog server host IP address that will receive logging messages.
Chapter 4 | System Management Commands Event Logging Command Mode Global Configuration Command Usage The logging process controls error messages saved to switch memory or sent to remote syslog servers. You can use the logging history command to control the type of error messages that are stored in memory.
Chapter 4 | System Management Commands Event Logging Example Console(config)#logging trap level 4 Console(config)# clear log This command clears messages from the log buffer. Syntax clear log [flash | ram] flash - Event history stored in flash memory (i.e., permanent memory). ram - Event history stored in temporary RAM (i.e., memory flushed on power reset).
Chapter 4 | System Management Commands Event Logging ◆ All log messages are retained in Flash and purged from RAM after a cold restart (i.e., power is turned off and then on through the power source). Example The following example shows the event message stored in RAM. Console#show log ram [1] 00:01:30 2001-01-01 "VLAN 1 link-up notification."...
Chapter 4 | System Management Commands Event Logging Ram Logging Configuration: History Logging in RAM : Level Debugging (7) Console# Table 22: show logging flash/ram - display description Field Description Syslog logging Shows if system logging has been enabled via the logging on command.
Chapter 4 | System Management Commands SMTP Alerts Default Setting None Command Mode Global Configuration Command Usage ◆ You can specify up to three SMTP servers for event handing. However, you must enter a separate command to specify each server. ◆...
Chapter 4 | System Management Commands SMTP Alerts Example This example will send email alerts for system errors from level 3 through 0. Console(config)#logging sendmail level 3 Console(config)# logging sendmail This command specifies the email recipients of alert messages. Use the no form to destination-email remove a recipient.
Chapter 4 | System Management Commands Time Command Usage You may use an symbolic email address that identifies the switch, or the address of an administrator responsible for the switch. Example Console(config)#logging sendmail source-email bill@this-company.com Console(config)# show logging This command displays the settings for the SMTP event handler. sendmail Command Mode Privileged Exec...
Chapter 4 | System Management Commands Time (Continued) Table 25: Time Commands Command Function Mode NTP Commands ntp authenticate Enables authentication for NTP traffic ntp authentication-key Configures authentication keys ntp client Enables the NTP client for time updates from specified servers ntp server Specifies NTP servers to poll for time updates...
Chapter 4 | System Management Commands Time Example Console(config)#sntp server 10.1.0.19 Console(config)#sntp poll 60 Console(config)#sntp client Console(config)#end Console#show sntp Current Time : Mar 12 02:33:00 2015 Poll Interval : 60 seconds Current Mode : Unicast SNTP Status : Enabled SNTP Server : 10.1.0.19 Current Server : 137.92.140.80 Console#...
Chapter 4 | System Management Commands Time sntp server This command sets the IP address of the servers to which SNTP time requests are issued. Use the this command with no arguments to clear all time servers from the current list. Use the no form to clear all time servers from the current list, or to clear a specific server.
Chapter 4 | System Management Commands Time Example Console#show sntp Current Time : Nov 5 18:51:22 2006 Poll Interval : 16 seconds Current Mode : Unicast SNTP Status : Enabled SNTP Server : 137.92.140.80 Current Server : 137.92.140.80 Console# NTP Commands ntp authenticate This command enables authentication for NTP client-server communications.
Chapter 4 | System Management Commands Time This command configures authentication keys and key numbers to use when NTP authentication is enabled. Use the no form of the command to clear a specific authentication-key authentication key or all keys from the current list. Syntax ntp authentication-key number md5 key no ntp authentication-key [number]...
Chapter 4 | System Management Commands Time ntp client This command enables NTP client requests for time synchronization from NTP time servers specified with the ntp servers command. Use the no form to disable NTP client requests. Syntax [no] ntp client Default Setting Disabled Command Mode...
Chapter 4 | System Management Commands Time Default Setting Version number: 3 Command Mode Global Configuration Command Usage ◆ This command specifies time servers that the switch will poll for time updates when set to NTP client mode. It issues time synchronization requests based on the interval set with the ntp poll command.
Chapter 4 | System Management Commands Time NTP Status : Enabled NTP Authenticate Status : Enabled Last Update NTP Server : 192.168.0.88 Port: 123 Last Update Time : Mar 12 02:41:01 2013 UTC NTP Server 192.168.0.88 version 3 NTP Server 192.168.3.21 version 3 NTP Server 192.168.4.22 version 3 key 19 NTP Authentication Key 19 md5 42V68751663T6K11P2J307210R885 Console#...
Chapter 4 | System Management Commands Time Command Mode Global Configuration Command Usage ◆ In some countries or regions, clocks are adjusted through the summer months so that afternoons have more daylight and mornings have less. This is known as Summer Time, or Daylight Savings Time (DST).
Chapter 4 | System Management Commands Time Summer Time, or Daylight Savings Time (DST). Typically, clocks are adjusted forward one hour at the start of spring and then adjusted backward in autumn. ◆ This command sets the summer-time time relative to the configured time zone. To specify the time corresponding to your local time when summer time is in effect, select the predefined summer-time time zone appropriate for your location, or manually configure summer time if these predefined...
Page 165
Chapter 4 | System Management Commands Time b-month - The month when summer time will begin. (Options: january | february | march | april | may | june | july | august | september | october | november | december) b-hour - The hour when summer time will begin.
Chapter 4 | System Management Commands Time clock timezone This command sets the time zone for the switch’s internal clock. Syntax clock timezone name hour hours minute minutes {before-utc | after-utc} name - Name of timezone, usually an acronym. (Range: 1-30 characters) hours - Number of hours before/after UTC.
Chapter 4 | System Management Commands Time month - january | february | march | april | may | june | july | august | september | october | november | december year - Year (4-digit). (Range: 1970-2037) Default Setting None Command Mode Privileged Exec...
Chapter 4 | System Management Commands Time Range Time Range This section describes the commands used to sets a time range for use by other functions, such as Access Control Lists. Table 27: Time Range Commands Command Function Mode time-range Specifies the name of a time range, and enters time range configuration mode absolute...
Chapter 4 | System Management Commands Time Range absolute This command sets the absolute time range for the execution of a command. Use the no form to remove a previously specified time. Syntax absolute start hour minute day month year [end hour minutes day month year] absolute end hour minutes day month year no absolute...
Chapter 4 | System Management Commands Time Range periodic This command sets the time range for the periodic execution of a command. Use the no form to remove a previously specified time range. Syntax [no] periodic {daily | friday | monday | saturday | sunday | thursday | tuesday | wednesday | weekdays | weekend} hour minute to {daily | friday | monday | saturday | sunday | thursday | tuesday | wednesday | weekdays | weekend | hour minute}...
Chapter 4 | System Management Commands Switch Clustering show time-range This command shows configured time ranges. Syntax show time-range [name] name - Name of the time range. (Range: 1-32 characters) Default Setting None Command Mode Privileged Exec Example Console#show time-range r&d Time-range r&d: absolute start 01:01 01 April 2009 periodic...
Chapter 4 | System Management Commands Switch Clustering Commander through its IP address, and then use the Commander to manage the Member switches through the cluster’s “internal” IP addresses. ◆ Clustered switches must be in the same Ethernet broadcast domain. In other words, clustering only functions for switches which can pass information between the Commander and potential Candidates or active Members through VLAN 4093.
Chapter 4 | System Management Commands Switch Clustering ◆ There can be up to 100 candidates and 16 member switches in one cluster. ◆ A switch can only be a Member of one cluster. ◆ Configured switch clusters are maintained across power resets and network changes.
Chapter 4 | System Management Commands Switch Clustering cluster ip-pool This command sets the cluster IP address pool. Use the no form to reset to the default address. Syntax cluster ip-pool ip-address no cluster ip-pool ip-address - The base IP address for IP addresses assigned to cluster Members.
Chapter 4 | System Management Commands Switch Clustering Command Mode Global Configuration Command Usage ◆ The maximum number of cluster Members is 16. ◆ The maximum number of cluster Candidates is 100. Example Console(config)#cluster member mac-address 00-12-34-56-78-9a id 5 Console(config)# rcommand This command provides access to a cluster Member CLI for configuration.
Chapter 4 | System Management Commands Switch Clustering Example Console#show cluster Role : commander Interval Heartbeat : 30 Heartbeat Loss Count : 3 seconds Number of Members Number of Candidates : 2 Console# show cluster members This command shows the current switch cluster members. Command Mode Privileged Exec Example...
SNMP Commands SNMP commands control access to this switch from management stations using the Simple Network Management Protocol (SNMP), as well as the error types sent to trap managers. SNMP Version 3 also provides security features that cover message integrity, authentication, and encryption;...
Page 178
Chapter 5 | SNMP Commands (Continued) Table 29: SNMP Commands Command Function Mode show snmp user Shows the SNMP users show snmp view Shows the SNMP views Notification Log Commands Enables the specified notification log snmp-server notify-filter Creates a notification log and specifies the target host show nlm oper-status Shows operation status of configured notification logs show snmp notify-filter...
Chapter 5 | SNMP Commands General SNMP Commands (Continued) Table 29: SNMP Commands Command Function Mode Additional Trap Commands memory Sets the rising and falling threshold for the memory utilization alarm process cpu Sets the rising and falling threshold for the CPU utilization alarm process cpu guard Sets the CPU utilization watermark and threshold...
Chapter 5 | SNMP Commands General SNMP Commands snmp-server This command defines community access strings used to authorize management access by clients using SNMP v1 or v2c. Use the no form to remove the specified community community string. Syntax snmp-server community string [ro | rw] no snmp-server community string string - Community string that acts like a password and permits access to the SNMP protocol.
Chapter 5 | SNMP Commands General SNMP Commands Example Console(config)#snmp-server contact Paul Console(config)# Related Commands snmp-server location (181) snmp-server location This command sets the system location string. Use the no form to remove the location string. Syntax snmp-server location text no snmp-server location text - String that describes the system location.
Page 183
Chapter 5 | SNMP Commands SNMP Target Host Commands Default Setting Issue authentication. Other traps are disabled. Command Mode Global Configuration Command Usage ◆ If you do not enter an snmp-server enable traps command, no notifications controlled by this command are sent. In order to configure this device to send SNMP notifications, you must enter at least one snmp-server enable traps command.
Chapter 5 | SNMP Commands SNMP Target Host Commands snmp-server host This command specifies the recipient of a Simple Network Management Protocol notification operation. Use the no form to remove the specified host. Syntax snmp-server host host-addr [inform [retry retries | timeout seconds]] community-string [version {1 | 2c | 3 {auth | noauth | priv} [udp-port port]} no snmp-server host host-addr...
Page 185
Chapter 5 | SNMP Commands SNMP Target Host Commands ◆ The snmp-server host command is used in conjunction with the snmp-server enable traps command. Use the snmp-server enable traps command to enable the sending of traps or informs and to specify which SNMP notifications are sent globally.
Chapter 5 | SNMP Commands SNMP Target Host Commands Example Console(config)#snmp-server host 10.1.19.23 batman Console(config)# Related Commands snmp-server enable traps (182) snmp-server This command enables the device to send SNMP traps (i.e., SNMP notifications) enable port-traps when a dynamic MAC address is added or removed. Use the no form to restore the default setting.
Chapter 5 | SNMP Commands SNMPv3 Commands Command Mode Privileged Exec Example Console#show snmp-server enable port-traps interface Interface MAC Notification Trap --------- --------------------- Eth 1/1 Eth 1/2 Eth 1/3 SNMPv3 Commands snmp-server This command configures an identification string for the SNMPv3 engine. Use the no form to restore the default.
Chapter 5 | SNMP Commands SNMPv3 Commands remote agent. You therefore need to configure the remote agent’s SNMP engine ID before you can send proxy requests or informs to it. ◆ Trailing zeroes need not be entered to uniquely specify a engine ID. In other words, the value “0123456789”...
Chapter 5 | SNMP Commands SNMPv3 Commands Command Mode Global Configuration Command Usage ◆ A group sets the access policy for the assigned users. ◆ When authentication is selected, the MD5 or SHA algorithm is used as specified in the snmp-server user command.
Page 190
Chapter 5 | SNMP Commands SNMPv3 Commands md5 | sha - Uses MD5 or SHA authentication. auth-password - Authentication password. Enter as plain text if the encrypted option is not used. Otherwise, enter an encrypted password. (Range: 8-32 characters for unencrypted password) If the encrypted option is selected, enter an encrypted password.
Chapter 5 | SNMP Commands SNMPv3 Commands need to configure the remote agent’s SNMP engine ID before you can send proxy requests or informs to it. Example Console(config)#snmp-server user steve r&d v3 auth md5 greenpeace priv des56 einstien Console(config)#snmp-server engine-id remote 192.168.1.19 9876543210 Console(config)#snmp-server user mark r&d remote 192.168.1.19 v3 auth md5 greenpeace priv des56 einstien Console(config)#...
Chapter 5 | SNMP Commands SNMPv3 Commands Console(config)#snmp-server view ifEntry.2 1.3.6.1.2.1.2.2.1.*.2 included Console(config)# This view includes the MIB-2 interfaces table, and the mask selects all index entries. Console(config)#snmp-server view ifEntry.a 1.3.6.1.2.1.2.2.1.1.* included Console(config)# show snmp engine-id This command shows the SNMP engine ID. Command Mode Privileged Exec Example...
Chapter 5 | SNMP Commands SNMPv3 Commands show snmp user This command shows information on SNMP users. Command Mode Privileged Exec Example Console#show snmp user Engine ID : 8000018403fc0a81b7c7e00000 User Name : steve Group Name : r&d Security Model : v3 Security Level : Authentication and privacy Authentication Protocol : MD5...
Chapter 5 | SNMP Commands Notification Log Commands Subtree OID : 1.2.2.3.6.2.1 View Type : included Storage Type : permanent Row Status : active View Name : defaultview Subtree OID View Type : included Storage Type : volatile Row Status : active Console# Table 33: show snmp view - display description...
Chapter 5 | SNMP Commands Notification Log Commands Example This example enables the notification log A1. Console(config)#nlm A1 Console(config)# snmp-server This command creates an SNMP notification log. Use the no form to remove this notify-filter log. Syntax [no] snmp-server notify-filter profile-name remote ip-address profile-name - Notification log profile name.
Chapter 5 | SNMP Commands Notification Log Commands ◆ When this command is executed, a notification log is created (with the default parameters defined in RFC 3014). Notification logging is enabled by default (see the command), but will not start recording information until a logging profile specified with this command is enabled with the command.
Chapter 5 | SNMP Commands Additional Trap Commands show snmp This command displays the configured notification logs. notify-filter Command Mode Privileged Exec Example This example displays the configured notification logs and associated target hosts. Console#show snmp notify-filter Filter profile name IP address ---------------------------- ----------------...
Chapter 5 | SNMP Commands Additional Trap Commands Related Commands show memory (107) process cpu This command sets an SNMP trap based on configured thresholds for CPU utilization. Use the no form to restore the default setting. Syntax process cpu {rising rising-threshold | falling falling-threshold} no process cpu {rising | falling} rising-threshold - Rising threshold for CPU utilization alarm expressed in percentage.
Chapter 5 | SNMP Commands Additional Trap Commands process cpu guard This command sets the CPU utilization high and low watermarks in percentage of CPU time utilized and the CPU high and low thresholds in the number of packets being processed per second. Use the no form of this command without any parameters to restore all of the default settings, or with a specific parameter to restore the default setting for that item.
Page 201
Chapter 5 | SNMP Commands Additional Trap Commands ◆ Once the maximum threshold is exceeded, utilization must drop beneath the minimum threshold before the alarm is terminated, and then exceed the maximum threshold again before another alarm is triggered. Example Console(config)#process cpu guard high-watermark 80 Console(config)#process cpu guard low-watermark 60 Console(config)#...
Remote Monitoring Commands Remote Monitoring allows a remote device to collect information or respond to specified events on an independent basis. This switch is an RMON-capable device which can independently perform a wide range of tasks, significantly reducing network management traffic. It can continuously run diagnostics and log information on network performance.
Chapter 6 | Remote Monitoring Commands rmon alarm This command sets threshold bounds for a monitored variable. Use the no form to remove an alarm. Syntax rmon alarm index variable interval {absolute | delta} rising-threshold threshold [event-index] falling-threshold threshold [event-index] [owner name] no rmon alarm index index –...
Chapter 6 | Remote Monitoring Commands generated until the sampled value has fallen below the rising threshold, reaches the falling threshold, and again moves back up to the rising threshold. ◆ If the current value is less than or equal to the falling threshold, and the last sample value was greater than this threshold, then an alarm will be generated.
Chapter 6 | Remote Monitoring Commands Command Usage ◆ If an event is already defined for an index, the entry must be deleted before any changes can be made with this command. ◆ The specified events determine the action to take when an alarm triggers this event.
Chapter 6 | Remote Monitoring Commands ◆ The information collected for each sample includes: input octets, packets, broadcast packets, multicast packets, undersize packets, oversize packets, fragments, jabbers, CRC alignment errors, collisions, drop events, and network utilization. ◆ The switch reserves two controlEntry index entries for each port. If a default index entry is re-assigned to another port by this command, the show running- config...
Chapter 6 | Remote Monitoring Commands Command Usage ◆ By default, each index number equates to a port on the switch, but can be changed to any number not currently in use. ◆ If statistics collection is already enabled on an interface, the entry must be deleted before any changes can be made with this command.
Chapter 6 | Remote Monitoring Commands show rmon history This command shows the sampling parameters configured for each entry in the history group. Command Mode Privileged Exec Example Console#show rmon history Entry 1 is valid, and owned by Monitors 1.3.6.1.2.1.2.2.1.1.1 every 1800 seconds Requested # of time intervals, ie buckets, is 8 Granted # of time intervals, ie buckets, is 8 Sample # 1 began measuring at 00:00:01...
Flow Sampling Commands Flow sampling (sFlow) can be used with a remote sFlow Collector to provide an accurate, detailed and real-time overview of the types and levels of traffic present on the network. The sFlow Agent samples 1 out of n packets from all data traversing the switch, re-encapsulates the samples as sFlow datagrams and transmits them to the sFlow Collector.
Chapter 7 | Flow Sampling Commands sflow owner This command creates an sFlow collector on the switch. Use the no form to remove the sFlow receiver. Syntax sflow owner owner-name timeout timeout-value [destination {ipv4-address | ipv6-address} [max-datagram-size max-datagram-size] [port destination-udp-port] [version {v4 | v5]] [port destination-udp-port] no sflow owner owner-name owner-name - Name of the collector.
Chapter 7 | Flow Sampling Commands ◆ Use the no sflow owner command to remove the collector. ◆ When the sflow owner command is issued, it’s associated timeout value will immediately begin to count down. Once the timeout value has reached zero seconds, the sFlow owner and it’s associated sampling sources will be deleted from the configuration.
Chapter 7 | Flow Sampling Commands Command Mode Privileged Exec Command Usage This command enables a polling data source and configures the interval at which counter values are added to the sample datagram. Example This example sets the polling interval to 10 seconds. Console(config)#interface ethernet 1/9 Console(config-if)#sflow polling-interval 10 Console(config-if)#...
Chapter 7 | Flow Sampling Commands Example This example enables a sampling data source on Ethernet interface 1/1, an associated receiver named “owner1”, and a sampling rate of one out of 100. The maximum header size is also set to 200 bytes. Console# sflow sampling interface ethernet 1/1 instance 1 receiver owner1 sampling-rate 100 max-header-size 200 Console#...
Authentication Commands You can configure this switch to authenticate users logging into the system for management access using local or remote authentication methods. Port-based authentication using IEEE 802.1X can also be configured to control either management access to the uplink ports or client access to the data ports.
Chapter 8 | Authentication Commands User Accounts and Privilege Levels User Accounts and Privilege Levels The basic commands required for management access and assigning command privilege levels are listed in this section. This switch also includes other options for password checking via the console or a Telnet connection (page 133), user authentication via a remote authentication server...
Chapter 8 | Authentication Commands User Accounts and Privilege Levels Default Setting The default is level 15. The default password is “super” Command Mode Global Configuration Command Usage ◆ You cannot set a null password. You will have to enter a password to change the command mode from Normal Exec to Privileged Exec with the enable command.
Chapter 8 | Authentication Commands User Accounts and Privilege Levels Level 8-14 provide the same default access privileges, including additional commands in Normal Exec mode, and a subset of commands in Privileged Exec mode under the “Console#” command prompt. Level 15 provides full access to all commands. The privilege level associated with any command can be changed using privilege command.
Chapter 8 | Authentication Commands User Accounts and Privilege Levels privilege This command assigns a privilege level to specified command groups or individual commands. Use the no form to restore the default setting. Syntax privilege mode [all] level level command no privilege mode [all] command mode - The configuration mode containing the specified command.
Chapter 8 | Authentication Commands Authentication Sequence Example This example shows the privilege level for any command modified by the privilege command. Console#show privilege command privilege line all level 0 accounting privilege exec level 15 ping Console(config)# Authentication Sequence Three authentication methods can be specified to authenticate users logging into the system for management access.
Chapter 8 | Authentication Commands Authentication Sequence ◆ RADIUS and TACACS+ logon authentication assigns a specific privilege level for each user name and password pair. The user name, password, and privilege level must be configured on the authentication server. ◆ You can specify three authentication methods in a single command to indicate the authentication sequence.
Chapter 8 | Authentication Commands RADIUS Client ◆ You can specify three authentication methods in a single command to indicate the authentication sequence. For example, if you enter “authentication login radius tacacs local, ” the user name and password on the RADIUS server is verified first.
Chapter 8 | Authentication Commands RADIUS Client Default Setting 1813 Command Mode Global Configuration Example Console(config)#radius-server acct-port 181 Console(config)# radius-server This command sets the RADIUS server network port. Use the no form to restore the auth-port default. Syntax radius-server auth-port port-number no radius-server auth-port port-number - RADIUS server UDP port used for authentication messages.
Chapter 8 | Authentication Commands RADIUS Client auth-port - RADIUS server UDP port used for authentication messages. (Range: 1-65535) key - Encryption key used to authenticate logon access for client. Enclose any string containing blank spaces in double quotes. (Maximum length: 48 characters) retransmit - Number of times the switch will try to authenticate logon access via the RADIUS server.
Chapter 8 | Authentication Commands RADIUS Client radius-server This command sets the number of retries. Use the no form to restore the default. retransmit Syntax radius-server retransmit number-of-retries no radius-server retransmit number-of-retries - Number of times the switch will try to authenticate logon access via the RADIUS server.
Chapter 8 | Authentication Commands TACACS+ Client show radius-server This command displays the current settings for the RADIUS server. Default Setting None Command Mode Privileged Exec Example Console#show radius-server Remote RADIUS Server Configuration: Global Settings: Authentication Port Number : 1812 Accounting Port Number : 1813 Retransmit Times...
Chapter 8 | Authentication Commands TACACS+ Client tacacs-server host This command specifies the TACACS+ server and other optional parameters. Use the no form to remove the server, or to restore the default values. Syntax tacacs-server index host host-ip-address [key key] [port port-number] [retransmit retransmit] [timeout timeout] no tacacs-server index index - The index for this server.
Chapter 8 | Authentication Commands TACACS+ Client Default Setting None Command Mode Global Configuration Example Console(config)#tacacs-server key green Console(config)# tacacs-server port This command specifies the TACACS+ server network port. Use the no form to restore the default. Syntax tacacs-server port port-number no tacacs-server port port-number - TACACS+ server TCP port used for authentication messages.
Chapter 8 | Authentication Commands TACACS+ Client Example Console(config)#tacacs-server retransmit 5 Console(config)# tacacs-server timeout This command sets the interval between transmitting authentication requests to the TACACS+ server. Use the no form to restore the default. Syntax tacacs-server timeout number-of-seconds no tacacs-server timeout number-of-seconds - Number of seconds the switch waits for a reply before resending a request.
Chapter 8 | Authentication Commands TACACS+ Server Group: Group Name Member Index ------------------------- ------------- tacacs+ Console# The Authentication, Authorization, and Accounting (AAA) feature provides the main framework for configuring access control on the switch. The AAA functions require the use of configured RADIUS or TACACS+ servers in the network. Table 42: AAA Commands Command Function...
Chapter 8 | Authentication Commands group - Specifies the server group to use. radius - Specifies all RADIUS hosts configure with the radius-server host command. tacacs+ - Specifies all TACACS+ hosts configure with the tacacs-server host command. server-group - Specifies the name of a server group configured with the aaa group server command.
Chapter 8 | Authentication Commands Default Setting Accounting is not enabled No servers are specified Command Mode Global Configuration Command Usage ◆ This command runs accounting for Exec service requests for the local console and Telnet connections. ◆ Note that the default and method-name fields are only used to describe the accounting method(s) configured on the specified RADIUS or TACACS+ servers, and do not actually send any information to the servers about the methods to use.
Chapter 8 | Authentication Commands Example Console(config)#aaa accounting update periodic 30 Console(config)# aaa authorization exec This command enables the authorization for Exec access. Use the no form to disable the authorization service. Syntax aaa authorization exec {default | method-name} group {tacacs+ | server-group} no aaa authorization exec {default | method-name} default - Specifies the default authorization method for Exec access.
Chapter 8 | Authentication Commands aaa group server Use this command to name a group of security server hosts. To remove a server group from the configuration list, enter the no form of this command. Syntax [no] aaa group server {radius | tacacs+} group-name radius - Defines a RADIUS server group.
Chapter 8 | Authentication Commands Example Console(config)#aaa group server radius tps Console(config-sg-radius)#server 10.2.68.120 Console(config-sg-radius)# accounting dot1x This command applies an accounting method for 802.1X service requests on an interface. Use the no form to disable accounting on the interface. Syntax accounting dot1x {default | list-name} no accounting dot1x default - Specifies the default method list created with the...
Chapter 8 | Authentication Commands Command Mode Line Configuration Example Console(config)#line console Console(config-line)#accounting exec tps Console(config-line)#exit Console(config)#line vty Console(config-line)#accounting exec default Console(config-line)# authorization exec This command applies an authorization method to local console, Telnet or SSH connections. Use the no form to disable authorization on the line. Syntax authorization exec {default | list-name} no authorization exec...
Chapter 8 | Authentication Commands Web Server statistics - Displays accounting records. user-name - Displays accounting records for a specifiable username. interface ethernet unit/port unit - Unit identifier. (Range: 1) port - Port number. (Range: 1-28/52) Default Setting None Command Mode Privileged Exec Example Console#show accounting...
Chapter 8 | Authentication Commands Web Server ip http port This command specifies the TCP port number used by the web browser interface. Use the no form to use the default port. Syntax ip http port port-number no ip http port port-number - The TCP port to be used by the browser interface.
Chapter 8 | Authentication Commands Web Server ip http secure-port This command specifies the TCP port number used for HTTPS connection to the switch’s web interface. Use the no form to restore the default port. Syntax ip http secure-port port_number no ip http secure-port port_number –...
Chapter 8 | Authentication Commands Web Server Command Usage ◆ Both HTTP and HTTPS service can be enabled independently on the switch. However, you cannot configure the HTTP and HTTPS servers to use the same UDP port. ◆ If you enable HTTPS, you must indicate this in the URL that you specify in your browser: https://device[:port_number] ◆...
Chapter 8 | Authentication Commands Telnet Server Telnet Server This section describes commands used to configure Telnet management access to the switch. Table 45: Telnet Server Commands Command Function Mode ip telnet max-sessions Specifies the maximum number of Telnet sessions that can simultaneously connect to this system ip telnet port Specifies the port to be used by the Telnet interface...
Chapter 8 | Authentication Commands Telnet Server Example Console(config)#ip telnet max-sessions 1 Console(config)# ip telnet port This command specifies the TCP port number used by the Telnet interface. Use the no form to use the default port. Syntax ip telnet port port-number no telnet port port-number - The TCP port number to be used by the browser interface.
Chapter 8 | Authentication Commands Telnet Server telnet (client) This command accesses a remote device using a Telnet connection. Syntax telnet host host - IP address or alias of a remote device. Command Mode Privileged Exec Example Console#telnet 192.168.2.254 Connect To 192.168.2.254... *************************************************************** WARNING - MONITORED ACTIONS AND ACCESSES User Access Verification...
Chapter 8 | Authentication Commands Secure Shell Secure Shell This section describes the commands used to configure the SSH server. Note that you also need to install a SSH client on the management station when using this protocol to configure the switch. Note: The switch supports both SSH Version 1.5 and 2.0 clients.
Page 247
Chapter 8 | Authentication Commands Secure Shell To use the SSH server, complete these steps: Generate a Host Key Pair – Use the ip ssh crypto host-key generate command to create a host public/private key pair. Provide Host Public Key to Clients – Many SSH client programs automatically import the host public key during the initial connection setup with the switch.
Page 248
Chapter 8 | Authentication Commands Secure Shell Public Key Authentication – When an SSH client attempts to contact the switch, the SSH server uses the host key pair to negotiate a session key and encryption method. Only clients that have a private key corresponding to the public keys stored on the switch can access it.
Chapter 8 | Authentication Commands Secure Shell ip ssh authentication- This command configures the number of times the SSH server attempts to reauthenticate a user. Use the no form to restore the default setting. retries Syntax ip ssh authentication-retries count no ip ssh authentication-retries count –...
Chapter 8 | Authentication Commands Secure Shell Example Console#ip ssh crypto host-key generate dsa Console#configure Console(config)#ip ssh server Console(config)# Related Commands ip ssh crypto host-key generate (252) show ssh (255) ip ssh server-key size This command sets the SSH server key size. Use the no form to restore the default setting.
Chapter 8 | Authentication Commands Secure Shell Default Setting 120 seconds Command Mode Global Configuration Command Usage The timeout specifies the interval the switch will wait for a response from the client during the SSH negotiation phase. Once an SSH session has been established, the timeout for user input is controlled by the exec-timeout command for vty sessions.
Chapter 8 | Authentication Commands Secure Shell Command Mode Privileged Exec Command Usage ◆ This command clears the host key from volatile memory (RAM). Use the no ssh save host-key command to clear the host key from flash memory. ◆ The SSH server must be disabled before you can execute this command.
Chapter 8 | Authentication Commands Secure Shell Example Console#show ip ssh SSH Enabled - Version 2.0 Negotiation Timeout : 120 seconds; Authentication Retries : 3 Server Key Size : 768 bits Console# show public-key This command shows the public key for the specified user or for the host. Syntax show public-key [user [username]| host] username –...
Chapter 8 | Authentication Commands 802.1X Port Authentication show ssh This command displays the current SSH server connections. Command Mode Privileged Exec Example Console#show ssh Connection Version State Username Encryption Session-Started admin ctos aes128-cbc-hmac-md5 stoc aes128-cbc-hmac-md5 Console# Table 47: show ssh - display description Field Description Connection...
Chapter 8 | Authentication Commands 802.1X Port Authentication (Continued) Table 48: 802.1X Port Authentication Commands Command Function Mode dot1x operation-mode Allows single or multiple hosts on an dot1x port dot1x port-control Sets dot1x mode for a port interface dot1x re-authentication Enables re-authentication for all ports dot1x timeout quiet-period Sets the time that a switch port waits after the Max Request...
Chapter 8 | Authentication Commands 802.1X Port Authentication Example Console(config)#dot1x default Console(config)# dot1x eapol-pass- This command passes EAPOL frames through to all ports in STP forwarding state through when dot1x is globally disabled. Use the no form to restore the default. Syntax [no] dot1x eapol-pass-through Default Setting...
Chapter 8 | Authentication Commands 802.1X Port Authentication Command Mode Global Configuration Example Console(config)#dot1x system-auth-control Console(config)# Authenticator Commands dot1x intrusion-action This command sets the port’s response to a failed authentication, either to block all traffic, or to assign all traffic for the port to a guest VLAN. Use the no form to reset the default.
Chapter 8 | Authentication Commands 802.1X Port Authentication dot1x max-reauth-req This command sets the maximum number of times that the switch sends an EAP- request/identity frame to the client before restarting the authentication process. Use the no form to restore the default. Syntax dot1x max-reauth-req count no dot1x max-reauth-req...
Chapter 8 | Authentication Commands 802.1X Port Authentication dot1x operation- This command allows hosts (clients) to connect to an 802.1X-authorized port. Use the no form with no keywords to restore the default to single host. Use the no form mode with the multi-host max-count keywords to restore the default maximum count.
Chapter 8 | Authentication Commands 802.1X Port Authentication dot1x port-control This command sets the dot1x mode on a port interface. Use the no form to restore the default. Syntax dot1x port-control {auto | force-authorized | force-unauthorized} no dot1x port-control auto – Requires a dot1x-aware connected client to be authorized by the RADIUS server.
Chapter 8 | Authentication Commands 802.1X Port Authentication Example Console(config)#interface eth 1/2 Console(config-if)#dot1x re-authentication Console(config-if)# Related Commands dot1x timeout re-authperiod (262) dot1x timeout This command sets the time that a switch port waits after the maximum request quiet-period count (see page 259) has been exceeded before attempting to acquire a new client.
Chapter 8 | Authentication Commands 802.1X Port Authentication Example Console(config)#interface eth 1/2 Console(config-if)#dot1x timeout re-authperiod 300 Console(config-if)# dot1x timeout This command sets the time that an interface on the switch waits for a response to supp-timeout an EAP request from a client before re-transmitting an EAP packet. Use the no form to reset to the default value.
Chapter 8 | Authentication Commands 802.1X Port Authentication Default 30 seconds Command Mode Interface Configuration Example Console(config)#interface eth 1/2 Console(config-if)#dot1x timeout tx-period 300 Console(config-if)# dot1x re-authenticate This command forces re-authentication on all ports or a specific interface. Syntax dot1x re-authenticate [interface] interface ethernet unit/port unit - Unit identifier.
Chapter 8 | Authentication Commands 802.1X Port Authentication Information Display Commands show dot1x This command shows general port authentication related settings on the switch or a specific interface. Syntax show dot1x [statistics] [interface interface] statistics - Displays dot1x status for each port. interface ethernet unit/port unit - Unit identifier.
Page 266
Chapter 8 | Authentication Commands 802.1X Port Authentication Max Request – Maximum number of times a port will retransmit an EAP ■ request/identity packet to the client before it times out the authentication session (page 259). Operation Mode– Shows if single or multiple hosts (clients) can connect to ■...
Chapter 8 | Authentication Commands Management IP Filter Console#show dot1x interface ethernet 1/28 802.1X Authenticator is enabled on port 28 Reauthentication : Enabled Reauth Period : 3600 Quiet Period : 60 TX Period : 30 Supplicant Timeout : 30 Server Timeout : 10 Reauth Max Retries Max Request...
Chapter 8 | Authentication Commands Management IP Filter management This command specifies the client IP addresses that are allowed management access to the switch through various protocols. A list of up to 15 IP addresses or IP address groups can be specified. Use the no form to restore the default setting. Syntax [no] management {all-client | http-client | snmp-client | telnet-client} start-address [end-address]...
Chapter 8 | Authentication Commands Management IP Filter Example This example restricts management access to the indicated addresses. Console(config)#management all-client 192.168.1.19 Console(config)#management all-client 192.168.1.25 192.168.1.30 Console# show management This command displays the client IP addresses that are allowed management access to the switch through various protocols. Syntax show management {all-client | http-client | snmp-client | telnet-client} all-client - Displays IP addresses for all groups.
Chapter 8 | Authentication Commands PPPoE Intermediate Agent forwards this information to all trusted ports designated by the pppoe intermediate-agent trust command. The BRAS detects the presence of the subscriber’s circuit-ID tag inserted by the switch during the PPPoE discovery phase, and sends this tag as a NAS-port-ID attribute in PPP authentication and AAA accounting requests to a RADIUS server.
Chapter 8 | Authentication Commands PPPoE Intermediate Agent Example Console(config)#pppoe intermediate-agent format-type access-node-identifier billibong Console(config)# pppoe intermediate- This command enables the PPPoE IA on an interface. Use the no form to disable this agent port-enable feature. Syntax [no] pppoe intermediate-agent port-enable Default Setting Disabled Command Mode...
Chapter 8 | Authentication Commands PPPoE Intermediate Agent Command Usage ◆ The PPPoE server extracts the Line-ID tag from PPPoE discovery stage messages, and uses the Circuit-ID field of that tag as a NAS-Port-Id attribute in AAA access and accounting requests. ◆...
Chapter 8 | Authentication Commands PPPoE Intermediate Agent Command Usage If the delimiter is enabled and it occurs in the remote ID string, the string will be truncated at that point. Example This command enables the delimiter for port 5. Console(config)#interface ethernet 1/5 Console(config-if)#pppoe intermediate-agent port-format-type remote-id Console(config-if)#...
Chapter 8 | Authentication Commands PPPoE Intermediate Agent Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage This command only applies to trusted interfaces. It is used to strip off vendor- specific tags (which carry subscriber and line identification information) in PPPoE Discovery packets received from an upstream PPPoE server before forwarding them to a user.
General Security Measures This switch supports many methods of segregating traffic for clients attached to each of the data ports, and for ensuring that only authorized clients gain access to the network. Port-based authentication using IEEE 802.1X is commonly used for these purposes.
Chapter 9 | General Security Measures Port Security Port Security These commands can be used to enable port security on a port. When MAC address learning is disabled on an interface, only incoming traffic with source addresses already stored in the dynamic or static address table for this port will be authorized to access the network.
Chapter 9 | General Security Measures Port Security security function such as 802.1X or DHCP snooping is enabled and mac- learning is disabled, then only incoming traffic with source addresses stored in the static address table will be accepted, all other packets are dropped. Note that the dynamic addresses stored in the address table when MAC address learning is disabled are flushed from the system, and no dynamic addresses are subsequently learned until MAC address learning has been re-enabled.
Page 282
Chapter 9 | General Security Measures Port Security Command Mode Interface Configuration (Ethernet) Command Usage ◆ The default maximum number of MAC addresses allowed on a secure port is zero (that is, port security is disabled). To use port security, you must configure the maximum number of addresses allowed on a port using the port security max-mac-count command.
Chapter 9 | General Security Measures Port Security Example The following example enables port security for port 5, and sets the response to a security violation to issue a trap message: Console(config)#interface ethernet 1/5 Console(config-if)#port security action trap Related Commands show interfaces status (407) shutdown (394) mac-address-table static (490)
Chapter 9 | General Security Measures Port Security Command Mode Privileged Exec Example This example shows the port security settings and number of secure addresses for all ports. Console#show port security Global Port Security Parameters Secure MAC Aging Mode : Disabled Port Security Port Summary Port Port Security Port Status...
Chapter 9 | General Security Measures Network Access (MAC Address Authentication) Console#show port security interface ethernet 1/2 Global Port Security Parameters Secure MAC Aging Mode : Disabled Port Security Details Port : 1/2 Port Security : Enabled Port Status : Secure/Up Intrusion Action : None Max MAC Count...
Chapter 9 | General Security Measures Network Access (MAC Address Authentication) (Continued) Table 55: Network Access Commands Command Function Mode network-access dynamic-qos Enables the dynamic quality of service feature network-access dynamic-vlan Enables dynamic VLAN assignment from a RADIUS server IC network-access guest-vlan Specifies the guest VLAN network-access link-detection...
Chapter 9 | General Security Measures Network Access (MAC Address Authentication) Command Usage ◆ Authenticated MAC addresses are stored as dynamic entries in the switch’s secure MAC address table and are removed when the aging time expires. The address aging time is determined by the mac-address-table aging-time command.
Chapter 9 | General Security Measures Network Access (MAC Address Authentication) ◆ There is no limitation on the number of entries that can entered in a filter table. Example Console(config)#network-access mac-filter 1 mac-address 11-22-33-44-55-66 Console(config)# mac-authentication Use this command to set the time period after which a connected MAC address reauth-time must be re-authenticated.
Chapter 9 | General Security Measures Network Access (MAC Address Authentication) Command Usage ◆ The RADIUS server may optionally return dynamic QoS assignments to be applied to a switch port for an authenticated user. The “Filter-ID” attribute (attribute 11) can be configured on the RADIUS server to pass the following QoS information: Table 56: Dynamic QoS Profiles Profile...
Chapter 9 | General Security Measures Network Access (MAC Address Authentication) Default Setting Enabled Command Mode Interface Configuration Command Usage ◆ When enabled, the VLAN identifiers returned by the RADIUS server through the 802.1X authentication process will be applied to the port, providing the VLANs have already been created on the switch.
Chapter 9 | General Security Measures Network Access (MAC Address Authentication) Command Usage ◆ The VLAN to be used as the guest VLAN must be defined and set as active (See vlan database command). ◆ When used with 802.1X authentication, the intrusion-action must be set for “guest-vlan”...
Chapter 9 | General Security Measures Network Access (MAC Address Authentication) network-access link- Use this command to detect link-down events. When detected, the switch can shut down the port, send an SNMP trap, or both. Use the no form of this command to detection link-down disable this feature.
Chapter 9 | General Security Measures Network Access (MAC Address Authentication) Example Console(config)#interface ethernet 1/1 Console(config-if)#network-access link-detection link-up action trap Console(config-if)# network-access link- Use this command to detect link-up and link-down events. When either event is detection link-up- detected, the switch can shut down the port, send an SNMP trap, or both. Use the no form of this command to disable this feature.
Chapter 9 | General Security Measures Network Access (MAC Address Authentication) Command Mode Interface Configuration Command Usage The maximum number of MAC addresses per port is 1024, and the maximum number of secure MAC addresses supported for the switch system is 1024. When the limit is reached, all new MAC addresses are treated as authentication failures.
Chapter 9 | General Security Measures Network Access (MAC Address Authentication) ◆ When port status changes to down, all MAC addresses are cleared from the secure MAC address table. Static VLAN assignments are not restored. ◆ The RADIUS server may optionally return a VLAN identifier list. VLAN identifier list is carried in the “Tunnel-Private-Group-ID”...
Chapter 9 | General Security Measures Network Access (MAC Address Authentication) mac-authentication Use this command to configure the port response to a host MAC authentication failure. Use the no form of this command to restore the default. intrusion-action Syntax mac-authentication intrusion-action {block traffic | pass traffic} no mac-authentication intrusion-action Default Setting Block Traffic...
Chapter 9 | General Security Measures Network Access (MAC Address Authentication) Example Console#show network-access interface ethernet 1/1 Global secure port information Reauthentication Time : 1800 MAC Address Aging : Enabled Port : 1/1 MAC Authentication : Disabled MAC Authentication Intrusion Action : Block traffic MAC Authentication Maximum MAC Counts : 1024 Maximum MAC Counts...
Chapter 9 | General Security Measures Web Authentication 00-00-00 would result in all MACs in the range 00-00-01-00-00-00 to 00-00-01-FF- FF-FF to be displayed. All other MACs would be filtered out. Example Console#show network-access mac-address-table Interface MAC Address RADIUS Server Time Attribute --------- ----------------- --------------- ---------------------- -------...
Chapter 9 | General Security Measures Web Authentication Note: RADIUS authentication must be activated and configured for the web authentication feature to work properly (see “Authentication Sequence” on page 222). Note: Web authentication cannot be configured on trunk ports. Table 57: Web Authentication Command Function Mode...
Chapter 9 | General Security Measures Web Authentication Example Console(config)#web-auth login-attempts 2 Console(config)# web-auth This command defines the amount of time a host must wait after exceeding the quiet-period limit for failed login attempts, before it may attempt web authentication again. Use the no form to restore the default.
Chapter 9 | General Security Measures Web Authentication Example Console(config)#web-auth session-timeout 1800 Console(config)# web-auth system- This command globally enables web authentication for the switch. Use the no form auth-control to restore the default. Syntax [no] web-auth system-auth-control Default Setting Disabled Command Mode Global Configuration Command Usage...
Chapter 9 | General Security Measures Web Authentication Example Console(config-if)#web-auth Console(config-if)# web-auth re- This command ends all web authentication sessions connected to the port and authenticate (Port) forces the users to re-authenticate. Syntax web-auth re-authenticate interface interface interface - Specifies a port interface. ethernet unit/port unit - Unit identifier.
Chapter 9 | General Security Measures Web Authentication Example Console#web-auth re-authenticate interface ethernet 1/2 192.168.1.5 Console# show web-auth This command displays global web authentication parameters. Command Mode Privileged Exec Example Console#show web-auth Global Web-Auth Parameters System Auth Control : Enabled Session Timeout : 3600 Quiet Period...
Chapter 9 | General Security Measures DHCPv4 Snooping show web-auth This command displays a summary of web authentication port parameters and statistics. summary Command Mode Privileged Exec Example Console#show web-auth summary Global Web-Auth Parameters System Auth Control : Enabled Port Status Authenticated Host Count ----...
Chapter 9 | General Security Measures DHCPv4 Snooping (Continued) Table 58: DHCP Snooping Commands Command Function Mode ip dhcp snooping information Enables or disables the use of DHCP Option 82 option circuit-id information circuit-id suboption ip dhcp snooping configures the maximum number of DHCP clients which max-number can be supported per interface ip dhcp snooping trust...
Page 307
Chapter 9 | General Security Measures DHCPv4 Snooping ◆ When DHCP snooping is enabled, the rate limit for the number of DHCP messages that can be processed by the switch is 100 packets per second. Any DHCP packets in excess of this limit are dropped. ◆...
Chapter 9 | General Security Measures DHCPv4 Snooping switch receives any messages from a DHCP server, any packets received from untrusted ports are dropped. Example This example enables DHCP snooping globally for the switch. Console(config)#ip dhcp snooping Console(config)# Related Commands ip dhcp snooping vlan (314) ip dhcp snooping trust (317) ip dhcp snooping...
Chapter 9 | General Security Measures DHCPv4 Snooping Command Mode Global Configuration Command Usage ◆ DHCP provides a relay mechanism for sending information about the switch and its DHCP clients to the DHCP server. Known as DHCP Option 82, it allows compatible DHCP servers to use the information when assigning IP addresses, or to set other services or policies for clients.
Chapter 9 | General Security Measures DHCPv4 Snooping Default Setting Enabled Command Mode Global Configuration Command Usage ◆ Option 82 information generated by the switch is based on TR-101 syntax as shown below: Table 59: Option 82 information 3-69 1-67 opt82 opt-len sub-opt1 string-len...
Chapter 9 | General Security Measures DHCPv4 Snooping ip dhcp snooping This command sets the remote ID to the switch’s IP address, MAC address, or arbitrary string, TR-101 compliant node identifier, or removes VLAN ID from the end information option of the TR101 field.
Chapter 9 | General Security Measures DHCPv4 Snooping Example This example sets the remote ID to the switch’s IP address. Console(config)#ip dhcp snooping information option remote-id tr101 node-identifier ip Console(config)# ip dhcp snooping This command sets the board identifier used in Option 82 information based on TR-101 syntax.
Chapter 9 | General Security Measures DHCPv4 Snooping Default Setting replace Command Mode Global Configuration Command Usage When the switch receives DHCP packets from clients that already include DHCP Option 82 information, the switch can be configured to set the action policy for these packets.
Chapter 9 | General Security Measures DHCPv4 Snooping ip dhcp snooping This command verifies the client’s hardware address stored in the DHCP packet against the source MAC address in the Ethernet header. Use the no form to disable verify mac address this function.
Chapter 9 | General Security Measures DHCPv4 Snooping will be performed on any untrusted ports within the VLAN as specified by the dhcp snooping trust command. ◆ When the DHCP snooping is globally disabled, DHCP snooping can still be configured for specific VLANs, but the changes will not take effect until DHCP snooping is globally re-enabled.
Chapter 9 | General Security Measures DHCPv4 Snooping Default Setting VLAN-Unit-Port Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage ◆ DHCP provides a relay mechanism for sending information about the switch and its DHCP clients to the DHCP server. DHCP Option 82 allows compatible DHCP servers to use the information when assigning IP addresses, to set other services or policies for clients.
Chapter 9 | General Security Measures DHCPv4 Snooping untagged packets. Use the no form of this command to add the PVID for untagged packets at the end of the TR101 field. Example This example sets the DHCP Snooping Information circuit-id suboption string. Console(config)#interface ethernet 1/1 Console(config-if)#ip dhcp snooping information option circuit-id string 4500 Console(config-if)#...
Chapter 9 | General Security Measures DHCPv4 Snooping Command Usage ◆ A trusted interface is an interface that is configured to receive only messages from within the network. An untrusted interface is an interface that is configured to receive messages from outside the network or fire wall. ◆...
Chapter 9 | General Security Measures DHCPv4 Snooping show ip dhcp This command shows the DHCP snooping configuration settings. snooping Command Mode Privileged Exec Example Console#show ip dhcp snooping Global DHCP Snooping Status: disabled DHCP Snooping Information Option Status: disabled DHCP Snooping Information Option Sub-option Format: extra subtype included DHCP Snooping Information Option Remote ID: MAC Address (hex encoded) DHCP Snooping Information Policy: replace...
Chapter 9 | General Security Measures DHCPv6 Snooping DHCPv6 Snooping DHCPv6 snooping allows a switch to protect a network from rogue DHCPv6 servers or other devices which send port-related information to a DHCPv6 server. This information can be useful in tracking an IP address back to a physical port. This section describes commands used to configure DHCPv6 snooping.
Page 322
Chapter 9 | General Security Measures DHCPv6 Snooping wall. When DHCPv6 snooping is enabled globally by this command, and enabled on a VLAN interface by the ipv6 dhcp snooping vlan command, DHCP messages received on an untrusted interface (as specified by the no ipv6 dhcp snooping trust command) from a device not listed in the DHCPv6 snooping...
Page 323
Chapter 9 | General Security Measures DHCPv6 Snooping DHCP Server Packet If a DHCP server packet is received on an untrusted port, drop this ■ packet and add a log entry in the system. If a DHCPv6 Reply packet is received from a server on a trusted port, it ■...
Chapter 9 | General Security Measures DHCPv6 Snooping Example This example enables DHCPv6 snooping globally for the switch. Console(config)#ipv6 dhcp snooping Console(config)# Related Commands ipv6 dhcp snooping vlan (326) ipv6 dhcp snooping trust (327) ipv6 dhcp snooping This command enables the insertion of remote-id option 37 information into option remote-id DHCPv6 client messages.
Chapter 9 | General Security Measures DHCPv6 Snooping If an incoming packet is a DHCPv6 request packet with option 37 ■ information, it will modify the option 37 information according to settings specified with ipv6 dhcp snooping option remote-id policy command.
Chapter 9 | General Security Measures DHCPv6 Snooping Example This example configures the switch to keep existing remote-id option 37 information within DHCPv6 client packets and forward it. Console(config)#ipv6 dhcp snooping option remote-id policy keep Console(config)# ipv6 dhcp snooping This command enables DHCPv6 snooping on the specified VLAN. Use the no form to restore the default setting.
Chapter 9 | General Security Measures DHCPv6 Snooping ipv6 dhcp snooping This command sets the maximum number of entries which can be stored in the binding database for an interface. Use the no form to restore the default setting. max-binding Syntax ipv6 dhcp snooping max-binding count no ipv6 dhcp snooping max-binding...
Chapter 9 | General Security Measures DHCPv6 Snooping VLAN according to the default status, or as specifically configured for an interface with the no ipv6 dhcp snooping trust command. ◆ When an untrusted port is changed to a trusted port, all the dynamic DHCPv6 snooping bindings associated with this port are removed.
Chapter 9 | General Security Measures IPv4 Source Guard IPv6 Address Lifetime VLAN Port Type --------------------------------------- ---------- ---- ------- ---- 2001:b000::1 2591912 1 Eth 1/3 Console# show ipv6 dhcp This command shows statistics for DHCPv6 snooping client, server and relay snooping statistics packets.
Chapter 9 | General Security Measures IPv4 Source Guard Table 62: IPv4 Source Guard Commands Command Function Mode show ip source-guard Shows whether source guard is enabled or disabled on each interface show ip source-guard Shows the source guard binding table binding ip source-guard This command adds a static address to the source-guard ACL or MAC address...
Page 332
Chapter 9 | General Security Measures IPv4 Source Guard ◆ When source guard is enabled, traffic is filtered based upon dynamic entries learned via DHCP snooping, or static addresses configured in the source guard binding table with this command. ◆ An entry with same MAC address and a different VLAN ID cannot be added to the binding table.
Chapter 9 | General Security Measures IPv4 Source Guard ip source-guard This command configures the switch to filter inbound traffic based on source IP address, or source IP address and corresponding MAC address. Use the no form to disable this function. Syntax ip source-guard {sip | sip-mac} no ip source-guard...
Chapter 9 | General Security Measures IPv4 Source Guard the sip-mac option). If a matching entry is found in the binding table and the entry type is static IP source guard binding, the packet will be forwarded. If the DHCP snooping is enabled, IP source guard will check the VLAN ID, ■...
Chapter 9 | General Security Measures IPv4 Source Guard Command Mode Interface Configuration (Ethernet) Command Usage ◆ This command sets the maximum number of address entries that can be mapped to an interface in the binding table for the specified mode (ACL binding table or MAC address table) including dynamic entries discovered by DHCP snooping and static entries set by the ip source-guard...
Chapter 9 | General Security Measures IPv4 Source Guard Command Usage There are two modes for the filtering table: ◆ ACL - IP traffic will be forwarded if it passes the checking process in the ACL mode binding table. ◆ MAC - A MAC entry will be added in MAC address table if IP traffic passes the checking process in MAC mode binding table.
Chapter 9 | General Security Measures IPv4 Source Guard Example Console#show ip source-guard ACL Table MAC Table Interface Filter-type Filter-table Max-binding Max-binding --------- ----------- ------------ ----------- ----------- Eth 1/1 DISABLED 1024 Eth 1/2 DISABLED 1024 Eth 1/3 DISABLED 1024 Eth 1/4 DISABLED 1024 Eth 1/5...
Chapter 9 | General Security Measures IPv6 Source Guard IPv6 Source Guard IPv6 Source Guard is a security feature that filters IPv6 traffic on non-routed, Layer 2 network interfaces based on manually configured entries in the IPv6 Source Guard table, or dynamic entries in the Neighbor Discovery Snooping table or DHCPv6 Snooping table when either snooping protocol is enabled (see “DHCPv6 Snooping”...
Page 339
Chapter 9 | General Security Measures IPv6 Source Guard Default Setting No configured entries Command Mode Global Configuration Command Usage ◆ Table entries include an associated MAC address, IPv6 global unicast address, entry type (Static-IPv6-SG-Binding, Dynamic-ND-Snooping, Dynamic-DHCPv6- Snooping), VLAN identifier, and port identifier. ◆...
Chapter 9 | General Security Measures IPv6 Source Guard ipv6 dhcp snooping (321) ipv6 dhcp snooping vlan (326) ipv6 source-guard This command configures the switch to filter inbound traffic based on the source IP address stored in the binding table. Use the no form to disable this function. Syntax ipv6 source-guard sip no ipv6 source-guard...
Chapter 9 | General Security Measures IPv6 Source Guard ◆ Filtering rules are implemented as follows: If ND snooping and DHCPv6 snooping are disabled, IPv6 source guard will ■ check the VLAN ID, source IPv6 address, and port number. If a matching entry is found in the binding table and the entry type is static IPv6 source guard binding, the packet will be forwarded.
Chapter 9 | General Security Measures IPv6 Source Guard Command Mode Interface Configuration (Ethernet) Command Usage ◆ This command sets the maximum number of address entries that can be mapped to an interface in the binding table, including both dynamic entries discovered by ND snooping, DHCPv6 snooping, and static entries set by the ipv6 source-guard command.
Chapter 9 | General Security Measures ARP Inspection (Continued) Table 64: ARP Inspection Commands Command Function Mode ip arp inspection validate Specifies additional validation of address components in an ARP packet ip arp inspection vlan Enables ARP Inspection for a specified VLAN or range of VLANs ip arp inspection limit Sets a rate limit for the ARP packets received on a port...
Chapter 9 | General Security Measures ARP Inspection ◆ When ARP Inspection is disabled, all ARP request and reply packets bypass the ARP Inspection engine and their manner of switching matches that of all other packets. ◆ Disabling and then re-enabling global ARP Inspection will not affect the ARP Inspection configuration for any VLANs.
Chapter 9 | General Security Measures ARP Inspection ◆ If static mode is not enabled, packets are first validated against the specified ARP ACL. Packets matching a deny rule are dropped. All remaining packets are validated against the address bindings in the DHCP snooping database. Example Console(config)#ip arp inspection filter sales vlan 1 Console(config)#...
Chapter 9 | General Security Measures ARP Inspection ◆ The switch generates a system message on a rate-controlled basis determined by the seconds values. After the system message is generated, all entries are cleared from the log buffer. Example Console(config)#ip arp inspection log-buffer logs 1 interval 10 Console(config)# ip arp inspection This command specifies additional validation of address components in an ARP...
Chapter 9 | General Security Measures ARP Inspection ip arp inspection vlan This command enables ARP Inspection for a specified VLAN or range of VLANs. Use the no form to disable this function. Syntax [no] ip arp inspection vlan {vlan-id | vlan-range} vlan-id - VLAN ID.
Chapter 9 | General Security Measures ARP Inspection ip arp inspection limit This command sets a rate limit for the ARP packets received on a port. Use the no form to restore the default setting. Syntax ip arp inspection limit {rate pps | none} no ip arp inspection limit pps - The maximum number of ARP packets that can be processed by the CPU per second on trusted or untrusted ports.
Chapter 9 | General Security Measures ARP Inspection Example Console(config)#interface ethernet 1/1 Console(config-if)#ip arp inspection trust Console(config-if)# show ip arp inspection This command displays the global configuration settings for ARP Inspection. configuration Command Mode Privileged Exec Example Console#show ip arp inspection configuration ARP Inspection Global Information: Global IP ARP Inspection Status : disabled Log Message Interval...
Chapter 9 | General Security Measures ARP Inspection show ip arp inspection This command shows information about entries stored in the log, including the associated VLAN, port, and address components. Command Mode Privileged Exec Example Console#show ip arp inspection log Total log entries number is 1 Num VLAN Port Src IP Address Dst IP Address...
Chapter 9 | General Security Measures Denial of Service Protection Example Console#show ip arp inspection vlan 1 VLAN ID DAI Status ACL Name ACL Status -------- --------------- -------------------- -------------------- disabled sales static Console# Denial of Service Protection A denial-of-service attack (DoS attack) is an attempt to block the services provided by a computer or network resource.
Chapter 9 | General Security Measures Denial of Service Protection Example Console(config)#dos-protection land Console(config)# dos-protection This command protects against TCP-null-scan attacks in which a TCP NULL scan tcp-null-scan message is used to identify listening TCP ports. The scan uses a series of strangely configured TCP packets which contain a sequence number of 0 and no flags.
Chapter 9 | General Security Measures Denial of Service Protection Command Usage In these packets, SYN=1 and FIN=1. Example Console(config)#dos-protection syn-fin-scan Console(config)# dos-protection This command protects against TCP-xmas-scan in which a so-called TCP XMAS scan tcp-xmas-scan message is used to identify listening TCP ports. This scan uses a series of strangely configured TCP packets which contain a sequence number of 0 and the URG, PSH and FIN flags.
Chapter 9 | General Security Measures Port-based Traffic Segmentation Port-based Traffic Segmentation If tighter security is required for passing traffic from different clients through downlink ports on the local network and over uplink ports to the service provider, port-based traffic segmentation can be used to isolate traffic for individual clients. Traffic belonging to each client is isolated to the allocated downlink ports.
Chapter 9 | General Security Measures Port-based Traffic Segmentation ◆ When traffic segmentation is enabled, the forwarding state for the uplink and downlink ports assigned to different client sessions is shown below. Table 67: Traffic Segmentation Forwarding Destination Session #1 Session #1 Session #2 Session #2...
Chapter 9 | General Security Measures Port-based Traffic Segmentation Command Mode Global Configuration Command Usage ◆ Use this command to create a new traffic-segmentation client session. ◆ Using the no form of this command will remove any assigned uplink or downlink ports, restoring these interfaces to normal operating mode.
Chapter 9 | General Security Measures Port-based Traffic Segmentation ◆ A downlink port can only communicate with an uplink port in the same session. Therefore, if an uplink port is not configured for a session, the assigned downlink ports will not be able to communicate with any other ports. ◆...
Access Control Lists Access Control Lists (ACL) provide packet filtering for IPv4 frames (based on address, protocol, Layer 4 protocol port number or TCP control code), IPv6 frames (based on source address or destination address), or any frames (based on MAC address or Ethernet type).
Chapter 10 | Access Control Lists IPv4 ACLs access-list ip This command adds an IP access list and enters configuration mode for standard or extended IPv4 ACLs. Use the no form to remove the specified ACL. Syntax [no] access-list ip {standard | extended} acl-name standard –...
Page 363
Chapter 10 | Access Control Lists IPv4 ACLs permit, deny This command adds a rule to a Standard IPv4 ACL. The rule sets a filter condition for packets emanating from the specified source. Use the no form to remove a rule. (Standard IP ACL) Syntax {permit | deny} {any | source bitmask | host source}...
Chapter 10 | Access Control Lists IPv4 ACLs permit, deny This command adds a rule to an Extended IPv4 ACL. The rule sets a filter condition for packets with specific source or destination IP addresses, protocol types, source (Extended IPv4 ACL) or destination protocol ports, or TCP control codes.
Page 365
Chapter 10 | Access Control Lists IPv4 ACLs dport – Protocol destination port number. (Range: 0-65535) port-bitmask – Decimal number representing the port bits to match. (Range: 0-65535) control-flags – Decimal number (representing a bit string) that specifies flag bits in byte 14 of the TCP header. (Range: 0-63) flag-bitmask –...
Chapter 10 | Access Control Lists IPv4 ACLs Example This example accepts any incoming packets if the source address is within subnet 10.7.1.x. For example, if the rule is matched; i.e., the rule (10.7.1.0 & 255.255.255.0) equals the masked address (10.7.1.2 & 255.255.255.0), the packet passes through. Console(config-ext-acl)#permit 10.7.1.1 255.255.255.0 any Console(config-ext-acl)# This allows TCP packets from class C addresses 192.168.1.0 to any destination...
Chapter 10 | Access Control Lists IPv4 ACLs Command Usage If an ACL is already bound to a port and you bind a different ACL to it, the switch will replace the old binding with the new one. Example Console(config)#int eth 1/2 Console(config-if)#ip access-group david in Console(config-if)# Related Commands...
Chapter 10 | Access Control Lists IPv6 ACLs Example Console#show ip access-list standard IP standard access-list david: permit host 10.1.1.21 permit 168.92.0.0 255.255.15.0 Console# Related Commands permit, deny (363) ip access-group (366) IPv6 ACLs The commands in this section configure ACLs based on IPv6 addresses. To configure IPv6 ACLs, first create an access list containing the required permit or deny rules, and then bind the access list to one or more ports.
Chapter 10 | Access Control Lists IPv6 ACLs Command Mode Global Configuration Command Usage ◆ When you create a new ACL or enter configuration mode for an existing ACL, use the permit or deny command to add new rules to the bottom of the list. To create an ACL, you must add at least one rule to the list.
Chapter 10 | Access Control Lists IPv6 ACLs Default Setting None Command Mode Standard IPv6 ACL Command Usage New rules are appended to the end of the list. Example This example configures one permit rule for the specific address 2009:DB9:2229::79 and another rule for the addresses with the network prefix 2009:DB9:2229:5::/64.
Chapter 10 | Access Control Lists IPv6 ACLs Command Mode Extended IPv6 ACL Command Usage All new rules are appended to the end of the list. Example This example accepts any incoming packets if the destination address is 2009:DB9:2229::79. Console(config-ext-ipv6-acl)#permit 2009:DB9:2229::79 Console(config-ext-ipv6-acl)# Related Commands access-list ipv6 (368)
Chapter 10 | Access Control Lists IPv6 ACLs Related Commands show ipv6 access-list (372) Time Range (168) show ipv6 access-list This command displays the rules for configured IPv6 ACLs. Syntax show ipv6 access-list {standard | extended} [acl-name] standard – Specifies a standard IPv6 ACL. extended –...
Chapter 10 | Access Control Lists MAC ACLs MAC ACLs The commands in this section configure ACLs based on hardware addresses, packet format, and Ethernet type. To configure MAC ACLs, first create an access list containing the required permit or deny rules, and then bind the access list to one or more ports.
Chapter 10 | Access Control Lists MAC ACLs Related Commands permit, deny (374) mac access-group (376) show mac access-list (377) permit, deny This command adds a rule to a MAC ACL. The rule filters packets matching a (MAC ACL) specified MAC source or destination address (i.e., physical layer address), or Ethernet protocol type.
Chapter 10 | Access Control Lists MAC ACLs 8137 - IPX ■ Example This rule permits packets from any source MAC address to the destination address 00-e0-29-94-34-de where the Ethernet type is 0800. Console(config-mac-acl)#permit any host 00-e0-29-94-34-de ethertype 0800 Console(config-mac-acl)# Related Commands access-list mac (373) Time Range (168)
Chapter 10 | Access Control Lists MAC ACLs show mac This command shows the ports assigned to MAC ACLs. access-group Command Mode Privileged Exec Example Console#show mac access-group Interface ethernet 1/5 MAC access-list M5 in Console# Related Commands mac access-group (376) show mac access-list This command displays the rules for configured MAC ACLs.
Chapter 10 | Access Control Lists ARP ACLs ARP ACLs The commands in this section configure ACLs based on the IP or MAC address contained in ARP request and reply messages. To configure ARP ACLs, first create an access list containing the required permit or deny rules, and then bind the access list to one or more VLANs using the ip arp inspection vlan command.
Chapter 10 | Access Control Lists ARP ACLs Related Commands permit, deny (379) show arp access-list (380) permit, deny (ARP ACL) This command adds a rule to an ARP ACL. The rule filters packets matching a specified source or destination address in ARP messages. Use the no form to remove a rule.
Chapter 10 | Access Control Lists ARP ACLs Example This rule permits packets from any source IP and MAC address to the destination subnet address 192.168.0.0. Console(config-arp-acl)#$permit response ip any 192.168.0.0 255.255.0.0 mac any any Console(config-mac-acl)# Related Commands access-list arp (378) show access-list arp This command displays the rules for configured ARP ACLs.
Chapter 10 | Access Control Lists ACL Information Related Commands permit, deny (379) ACL Information This section describes commands used to display ACL information. Table 73: ACL Information Commands Command Function Mode clear access-list hardware Clears hit counter for rules in all ACLs, or in a specified ACL. PE counters show access-group Shows the ACLs assigned to each port...
Chapter 10 | Access Control Lists ACL Information show access-group This command shows the port assignments of ACLs. Command Mode Privileged Executive Example Console#show access-group Interface ethernet 1/2 MAC access-list jerry Console# show access-list This command shows all ACLs and associated rules. Syntax show access-list [[arp [acl-name]] |...
Page 383
Chapter 10 | Access Control Lists ACL Information MAC access-list jerry: permit any host 00-30-29-94-34-de ethertype 800 800 IP extended access-list A6: deny tcp any any control-flag 2 2 permit any any Console# – 383 –...
Page 384
Chapter 10 | Access Control Lists ACL Information – 384 –...
Interface Commands These commands are used to display or set communication parameters for an Ethernet port, aggregated link, or VLAN; or perform cable diagnostics on the specified interface. Table 74: Interface Commands Command Function Mode Interface Configuration interface Configures an interface type and enters interface configuration mode alias Configures an alias name for the interface...
Page 386
Chapter 11 | Interface Commands (Continued) Table 74: Interface Commands Command Function Mode Transceiver Threshold Configuration transceiver-monitor Sends a trap when any of the transceiver’s operational values fall outside specified thresholds transceiver-threshold-auto Uses default threshold settings obtained from the transceiver to determine when an alarm or trap message should be sent transceiver-threshold Sets thresholds for transceiver current which can be used...
Chapter 11 | Interface Commands Interface Configuration Interface Configuration interface This command configures an interface type and enters interface configuration mode. Use the no form with a trunk to remove an inactive interface. Use the no form with a Layer 3 VLAN (normal type) to change it back to a Layer 2 interface. Syntax [no] interface interface-list interface-list –...
Chapter 11 | Interface Commands Interface Configuration Command Usage ◆ 10GBASE-SFP+ connections are fixed at 10G, full duplex. When auto- negotiation is enabled, the only attribute which can be advertised is flow control. ◆ The 1000BASE-T standard does not support forced mode. Auto-negotiation should always be used to establish a connection over any 1000BASE-T port or trunk.
Chapter 11 | Interface Commands Interface Configuration Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage The description is displayed by the show interfaces status command and in the running-configuration file. An example of the value which a network manager might store in this object is the name of the manufacturer, and the product name.
Chapter 11 | Interface Commands Interface Configuration flowcontrol This command enables flow control. Use the no form to disable flow control. Syntax [no] flowcontrol Default Setting Disabled Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage ◆ 1000BASE-T does not support forced mode. Auto-negotiation should always be used to establish a connection over any 1000BASE-T port or trunk.
ECS4120-52T: Ports 49-52 (10G SFP+) support 1000sfp ECS4120-28T/P: Ports 25-28 (10G SFP+) support 1000sfp ECS4120-28F/28F-I: Ports 25-28 (10G SFP+) support 1000sfp Ports 1-24 (1000BASE SFP) support 1000sfp or 100fx Example This forces the switch to use the 1000sfp mode for SFP port 28.
Chapter 11 | Interface Commands Interface Configuration Note: Auto-negotiation is not supported for 1000BASE SFP transceivers used in 10G SFP+ Ports 25-28/49-52. ◆ A connection can only be enabled on a port in which a recognized transceiver is inserted. Refer to the Installation Guide for a list of compliant transceivers. Example The following example configures port 10 to use auto-negotiation.
Chapter 11 | Interface Commands Interface Configuration speed-duplex This command configures the speed and duplex mode of a given interface when auto-negotiation is disabled. Use the no form to restore the default. Syntax speed-duplex {100full | 100half | 10full | 10half } no speed-duplex 10000full - Forces 10 Gbps full-duplex operation 100full - Forces 100 Mbps full-duplex operation...
Chapter 11 | Interface Commands Interface Configuration Related Commands negotiation (393) capabilities (388) switchport block This command prevents the flooding of broadcast, unknown multicast, or unknown unicast packets onto an interface. Use the no form to restore the default setting. Syntax [no] switchport block {broadcast | multicast | unicast} broadcast - Specifies broadcast packets.
Chapter 11 | Interface Commands Interface Configuration switchport mtu This command configures the maximum transfer unit (MTU) allowed for layer 2 packets crossing a Gigabit or 10 Gigabit Ethernet port or trunk. Use the no form to restore the default setting. Syntax switchport mtu size no switchport mtu...
Chapter 11 | Interface Commands Interface Configuration Example The following first enables jumbo frames for layer 2 packets, and then sets the MTU for port 1: Console(config)#jumbo frame Console(config)#interface ethernet 1/1 Console(config-if)#switchport mtu 9216 Console(config-if)# Related Commands jumbo frame (118) show interfaces status (407) clear counters This command clears statistics on an interface.
Chapter 11 | Interface Commands Interface Configuration show discard This command displays whether or not CDP and PVST packets are being discarded. Command Mode Privileged Exec Example In this example, “Default” means that the packets are not discarded. Console#show discard Port PVST -------- ------- -------...
Chapter 11 | Interface Commands Interface Configuration show interfaces This command displays interface statistics. counters Syntax show interfaces counters [interface] interface ethernet unit/port unit - Unit identifier. (Range: 1) port - Port number. (Range: 1-28/52) port-channel channel-id (Range: 1-26) Default Setting Shows the counters for all interfaces.
Page 402
Chapter 11 | Interface Commands Interface Configuration (Continued) Table 75: show interfaces counters - display description Parameter Description QLen Output The length of the output packet queue (in packets). Extended IF Table Stats Multicast Input The number of packets, delivered by this sub-layer to a higher (sub- )layer, which were addressed to a multicast address at this sub-layer.
Page 403
Chapter 11 | Interface Commands Interface Configuration (Continued) Table 75: show interfaces counters - display description Parameter Description Symbol Errors For an interface operating at 100 Mb/s, the number of times there was an invalid data symbol when a valid carrier was present. For an interface operating in half-duplex mode at 1000 Mb/s, the number of times the receiving media is non-idle (a carrier event) for a period of time equal to or greater than slotTime, and during which...
Chapter 11 | Interface Commands Interface Configuration (Continued) Table 75: show interfaces counters - display description Parameter Description Input utilization The input utilization rate for this interface. Octets Output in kbits per Number of octets leaving this interface in kbits per second. second Packets output per second Number of packets leaving this interface in packets per second.
Page 405
Chapter 11 | Interface Commands Interface Configuration Example This example shows the statistics recorded for all named entries in the sampling table. Console#show interfaces history ethernet 1/1 Interface : Eth 1/ 1 Name : 15min Interval : 900 second(s) Buckets Requested : 96 Buckets Granted Status : Active...
Page 406
Chapter 11 | Interface Commands Interface Configuration This example shows the statistics recorded for a named entry in the sampling table. Console#show interfaces history ethernet 1/1 1min Interface : Eth 1/ 1 Name : 1min Interval : 60 second(s) Buckets Requested : 10 Buckets Granted Status : Active...
Chapter 11 | Interface Commands Interface Configuration show interfaces status This command displays the status for an interface. Syntax show interfaces status [interface] interface ethernet unit/port unit - Unit identifier. (Range: 1) port - Port number. (Range: 1-28/52) port-channel channel-id (Range: 1-26) vlan vlan-id (Range: 1-4094) Default Setting Shows the status for all interfaces.
Chapter 11 | Interface Commands Interface Configuration MAC Learning Status : Enabled Console# show interfaces This command displays the administrative and operational status of the specified interfaces. switchport Syntax show interfaces switchport [interface] interface ethernet unit/port unit - Unit identifier. (Range: 1) port - Port number.
Chapter 11 | Interface Commands Interface Configuration Table 76: show interfaces switchport - display description Field Description Broadcast Shows if broadcast storm suppression is enabled or disabled; if enabled it also Threshold shows the threshold level (page 459). Multicast Threshold Shows if multicast storm suppression is enabled or disabled; if enabled it also shows the threshold level (page 459).
Interface Configuration (ECS4120-28F SFP+ Ports 25-28 Other models: SFP/SFP+ Ports) Example Console(config)interface ethernet 1/1 Console(config-if)#transceiver-threshold-auto Console# 12. Due to a chip limitation, transceiver data cannot be configured on ports 1-20 on the ECS4120-28F. Default settings are used for these ports. – 410 –...
13. Due to a chip limitation, transceiver data cannot be configured on ports 1-20 on the ECS4120-28F. Default settings are used for these ports. – 411 –...
14. Due to a chip limitation, transceiver data cannot be configured on ports 1-20 on the ECS4120-28F. Default settings are used for these ports. – 412 –...
15. Due to a chip limitation, transceiver data cannot be configured on ports 1-20 on the ECS4120-28F. Default settings are used for these ports. – 413 –...
16. Due to a chip limitation, transceiver data cannot be configured on ports 1-20 on the ECS4120-28F. Default settings are used for these ports. – 414 –...
17. Due to a chip limitation, transceiver data cannot be configured on ports 1-20 on the ECS4120-28F. Default settings are used for these ports. – 415 –...
Baud Rate : 2100 MBd Vendor OUI : 00-90-65 Vendor Name : FINISAR CORP. Vendor PN : FTLF8519P2BNL Vendor Rev 18. Due to a chip limitation, transceiver data cannot be displayed on ports 1-20 on the ECS4120-28F. – 416 –...
◆ The DDM thresholds displayed by this command only apply to ports which have a DDM-compliant transceiver inserted. 19. Due to a chip limitation, transceiver data cannot be displayed on ports 1-20 on the ECS4120-28F. – 417 –...
Chapter 11 | Interface Commands Cable Diagnostics ◆ This cable test is only accurate for Gigabit Ethernet cables 7 - 100 meters long. ◆ The test takes approximately 1 second. Use the show cable-diagnostics command to display the results of the test, including common cable failures, as well as the status and approximate length of each cable pair.
Syntax show cable-diagnostics interface [interface] interface ethernet unit/port unit - Unit identifier. (Range: 1) port - Port number. (ECS4120-28F/28F-I: 21-24, Other models: 1-24/48) Command Mode Privileged Exec Command Usage ◆ The results include common cable failures, as well as the status and approximate distance to a fault, or the approximate cable length if no fault is found.
Chapter 11 | Interface Commands Power Savings Example Console#show cable-diagnostics interface ethernet 1/24 Port Type Link Pair A Pair B Pair C Pair D Last Status meters meters meters meters Updated -------- ---- -------- -------- -------- -------- -------- ------------------- Eth 1/24 GE Down NC (0) NC (0)
Page 422
Chapter 11 | Interface Commands Power Savings Command Usage ◆ IEEE 802.3 defines the Ethernet standard and subsequent power requirements based on cable connections operating at 100 meters. Enabling power saving mode can reduce power used for cable lengths of 60 meters or less, with more significant reduction for cables of 20 meters or less, and continue to ensure signal integrity.
This command shows the configuration settings for power savings. Syntax show power-save [interface interface] interface ethernet unit/port unit - Unit identifier. (Range: 1) port - Port number. (ECS4120-28F/28F-I: 21-24, Other models: 1-24/48) Command Mode Privileged Exec Example Console#show power-save interface ethernet 1/24...
Link Aggregation Commands Ports can be statically grouped into an aggregate link (i.e., trunk) to increase the bandwidth of a network connection or to ensure fault recovery. Or you can use the Link Aggregation Control Protocol (LACP) to automatically negotiate a trunk link between this switch and another network device.
Page 426
Chapter 12 | Link Aggregation Commands Guidelines for Creating Trunks General Guidelines – ◆ Finish configuring trunks before you connect the corresponding network cables between switches to avoid creating a loop. ◆ A trunk can have up to 26 ports. ◆...
Chapter 12 | Link Aggregation Commands Manual Configuration Commands Manual Configuration Commands port channel This command sets the load-distribution method among ports in aggregated links load-balance (for both static and dynamic trunks). Use the no form to restore the default setting. Syntax port channel load-balance {dst-ip | dst-mac | src-dst-ip | src-dst-mac | src-ip | src-mac}...
Chapter 12 | Link Aggregation Commands Manual Configuration Commands router trunk links where traffic through the switch is received from and destined for many different hosts. src-dst-mac: All traffic with the same source and destination MAC address ■ is output on the same link in a trunk. This mode works best for switch-to- switch trunk links where traffic through the switch is received from and destined for many different hosts.
Chapter 12 | Link Aggregation Commands Dynamic Configuration Commands Example The following example creates trunk 1 and then adds port 10-12: Console(config)#interface port-channel 1 Console(config-if)#exit Console(config)#interface ethernet 1/10-12 Console(config-if)#channel-group 1 Console(config-if)# Dynamic Configuration Commands lacp This command enables 802.3ad Link Aggregation Control Protocol (LACP) for the current interface.
Chapter 12 | Link Aggregation Commands Dynamic Configuration Commands Example The following shows LACP enabled on ports 1-3. Because LACP has also been enabled on the ports at the other end of the links, the show interfaces status port- channel 1 command shows that Trunk1 has been established.
Chapter 12 | Link Aggregation Commands Dynamic Configuration Commands Default Setting Actor: 1, Partner: 0 Command Mode Interface Configuration (Ethernet) Command Usage ◆ Ports are only allowed to join the same LAG if (1) the LACP system priority matches, (2) the LACP port admin key matches, and (3) the LACP port channel key matches (if configured).
Chapter 12 | Link Aggregation Commands Dynamic Configuration Commands Command Mode Interface Configuration (Ethernet) Command Usage ◆ Setting a lower value indicates a higher effective priority. ◆ If an active port link goes down, the backup port with the highest priority is selected to replace the downed link.
Chapter 12 | Link Aggregation Commands Dynamic Configuration Commands ◆ System priority is combined with the switch’s MAC address to form the LAG identifier. This identifier is used to indicate a specific LAG during LACP negotiations with other systems. ◆ Once the remote side of a link has been established, LACP operational settings are already in use on that side.
Chapter 12 | Link Aggregation Commands Dynamic Configuration Commands Example Console(config)#interface port-channel 1 Console(config-if)#lacp admin-key 3 Console(config-if)# lacp timeout This command configures the timeout to wait for the next LACP data unit (LACPDU). Use the no form to restore the default setting. Syntax lacp timeout {long | short} no lacp timeout...
Chapter 12 | Link Aggregation Commands Trunk Status Display Commands Trunk Status Display Commands show lacp This command displays LACP information. Syntax show lacp [port-channel] {counters | internal | neighbors | sysid} port-channel - Local identifier for a link aggregation group. (Range: 1-26) counters - Statistics for LACP protocol messages.
Chapter 12 | Link Aggregation Commands Trunk Status Display Commands Console#show lacp 1 neighbors Port Channel 1 neighbors ------------------------------------------------------------------------- Eth 1/ 1 ------------------------------------------------------------------------- Partner Admin System ID : 32768, 00-00-00-00-00-00 Partner Oper System ID : 32768, 00-12-CF-61-24-2F Partner Admin Port Number : 1 Partner Oper Port Number Port Admin Priority : 32768...
Chapter 12 | Link Aggregation Commands Trunk Status Display Commands Table 81: show lacp sysid - display description Field Description Channel group A link aggregation group configured on this switch. LACP system priority for this channel group. System Priority System MAC System MAC address.
Power over Ethernet Commands The commands in this group control the power that can be delivered to attached PoE devices through RJ-45 ports 1-24 on the ECS4120-28P. The switch’s power management enables total switch power and individual port power to be controlled within a configured power budget. Port power can be automatically turned on and off for connected devices, and a per-port power priority can be set so that the switch never exceeds its allocated power budget.
Chapter 13 | Power over Ethernet Commands Command Mode Global Configuration Command Usage ◆ Setting a maximum power budget for the switch enables power to be centrally managed, preventing overload conditions at the power source. ◆ If the power demand from devices connected to the switch exceeds the power budget setting, the switch uses port power priority settings to limit the supplied power.
Chapter 13 | Power over Ethernet Commands Example Console(config)#interface ethernet 1/1 Console(config-if)#power inline Console(config-if)#exit Console(config)#interface ethernet 1/2 Console(config-if)#no power inline Console(config-if)# Related Commands time-range (168) power inline This command limits the power allocated to specific ports. Use the no form to restore the default setting.
Chapter 13 | Power over Ethernet Commands power inline priority This command sets the power priority for specific ports. Use the no form to restore the default setting. Syntax power inline priority priority no power inline priority priority - The power priority for the port. Options: 1 (critical), 2 (high), or 3 (low) Default Setting 3 (low)
Chapter 13 | Power over Ethernet Commands power inline This command binds a time-range to a port during which PoE is supplied to the attached device. Use the no form to remove this binding. time-range Syntax power inline time-range time-range-name no power inline time-range time-range-name - Name of the time range.
Chapter 13 | Power over Ethernet Commands Related Commands power inline (440) show power Use this command to display the current power status for the switch. mainpower Command Mode Privileged Exec Example This example shows the maximum available PoE power and maximum allocated PoE power for the ECS4120-28P.
Page 446
Chapter 13 | Power over Ethernet Commands – 446 –...
Port Mirroring Commands Data can be mirrored from a local port on the same switch or from a remote port on another switch for analysis at the target port using software monitoring tools or a hardware probe. This switch supports the following mirroring modes. Table 86: Port Mirroring Commands Command Function...
Page 448
Chapter 14 | Port Mirroring Commands Local Port Mirroring Commands Default Setting ◆ No mirror session is defined. ◆ When enabled for an interface, default mirroring is for both received and transmitted packets. ◆ When enabled for a VLAN or a MAC address, mirroring is restricted to received packets.
Chapter 14 | Port Mirroring Commands RSPAN Mirroring Commands show port monitor This command displays mirror information. Syntax show port monitor [interface] interface - ethernet unit/port (source port) unit - Unit identifier. (Range: 1) port - Port number. (Range: 1-28) Default Setting Shows all sessions.
Page 450
Chapter 14 | Port Mirroring Commands RSPAN Mirroring Commands (Continued) Table 88: RSPAN Commands Command Function Mode rspan remote vlan Specifies the RSPAN VLAN, switch role (source, intermediate or destination), and the uplink ports no rspan session Deletes a configured RSPAN session show rspan Displays the configuration settings for an RSPAN session...
Chapter 14 | Port Mirroring Commands RSPAN Mirroring Commands has been configured, MAC address learning will still not be re-started on the RSPAN uplink ports. ◆ IEEE 802.1X – RSPAN and 802.1X are mutually exclusive functions. When 802.1X is enabled globally, RSPAN uplink ports cannot be configured, even though RSPAN source and destination ports can still be configured.
Chapter 14 | Port Mirroring Commands RSPAN Mirroring Commands ◆ Only ports can be configured as an RSPAN source – static and dynamic trunks are not allowed. ◆ Only 802.1Q trunk or hybrid (i.e., general use) ports can be configured as an RSPAN source port –...
Chapter 14 | Port Mirroring Commands RSPAN Mirroring Commands ◆ Only ports can be configured as an RSPAN destination – static and dynamic trunks are not allowed. ◆ The source port and destination port cannot be configured on the same switch. ◆...
Chapter 14 | Port Mirroring Commands RSPAN Mirroring Commands Command Usage ◆ Only 802.1Q trunk or hybrid (i.e., general use) ports can be configured as an RSPAN uplink port – access ports are not allowed (see switchport mode). ◆ Only one uplink port can be configured on a source switch, but there is no limitation on the number of uplink ports configured on an intermediate or destination switch.
Chapter 14 | Port Mirroring Commands RSPAN Mirroring Commands show rspan Use this command to displays the configuration settings for an RSPAN session. Syntax show rspan session [session-id] session-id – A number identifying this RSPAN session. (Range: 1) Command Mode Privileged Exec Example Console#show rspan session...
Congestion Control Commands The switch can set the maximum upload or download data transfer rate for any port. It can control traffic storms by setting a maximum threshold for broadcast traffic or multicast traffic. It can also set bounding thresholds for broadcast and multicast storms which can be used to automatically trigger rate limits or to shut down a port.
Chapter 15 | Congestion Control Commands Rate Limit Commands rate-limit This command defines the rate limit for a specific interface. Use this command without specifying a rate to enable rate limiting. Use the no form to disable rate limiting. Syntax rate-limit {input | output} [rate] no rate-limit {input | output} input –...
Chapter 15 | Congestion Control Commands Storm Control Commands Storm Control Commands Storm control commands can be used to configure broadcast, multicast, and unknown unicast storm control thresholds. Traffic storms may occur when a device on your network is malfunctioning, or if application programs are not well designed or properly configured.
Chapter 15 | Congestion Control Commands Automatic Traffic Control Commands Command Usage ◆ When traffic exceeds the threshold specified for broadcast and multicast or unknown unicast traffic, packets exceeding the threshold are dropped until the rate falls back down beneath the threshold. ◆...
Page 461
Chapter 15 | Congestion Control Commands Automatic Traffic Control Commands (Continued) Table 92: ATC Commands Command Function Mode auto-traffic-control Sets the upper threshold for ingress traffic beyond IC (Port) alarm-fire-threshold which a storm control response is triggered after the apply timer expires auto-traffic-control auto- Automatically releases a control response IC (Port)
Chapter 15 | Congestion Control Commands Automatic Traffic Control Commands Usage Guidelines ATC includes storm control for broadcast or multicast traffic. The control response for either of these traffic types is the same, as shown in the following diagrams. Figure 1: Storm Control by Limiting the Traffic Rate Traffic without storm control Traffic without storm control TrafficControl...
Chapter 15 | Congestion Control Commands Automatic Traffic Control Commands Figure 2: Storm Control by Shutting Down a Port The key elements of this diagram are the same as that described in the preceding diagram, except that automatic release of the control response is not provided. When traffic control is applied, you must manually re-enable the port.
Chapter 15 | Congestion Control Commands Automatic Traffic Control Commands Command Usage After the apply timer expires, a control action may be triggered as specified by the auto-traffic-control action command and a trap message sent as specified by the snmp-server enable port-traps atc broadcast-control-apply command or snmp- server enable port-traps atc multicast-control-apply...
Chapter 15 | Congestion Control Commands Automatic Traffic Control Commands auto-traffic-control This command enables automatic traffic control for broadcast or multicast storms. Use the no form to disable this feature. Syntax [no] auto-traffic-control {broadcast | multicast} broadcast - Specifies automatic storm control for broadcast traffic. multicast - Specifies automatic storm control for multicast traffic.
Chapter 15 | Congestion Control Commands Automatic Traffic Control Commands shutdown - If a control response is triggered, the port is administratively disabled. A port disabled by automatic traffic control can only be manually re-enabled. Default Setting rate-control Command Mode Interface Configuration (Ethernet) Command Usage ◆...
Chapter 15 | Congestion Control Commands Automatic Traffic Control Commands Default Setting 128 kilo-packets per second Command Mode Interface Configuration (Ethernet) Command Usage ◆ Once the traffic rate falls beneath the lower threshold, a trap message may be sent if configured by the snmp-server enable port-traps atc broadcast-alarm- clear command or...
Chapter 15 | Congestion Control Commands Automatic Traffic Control Commands Command Usage ◆ Once the upper threshold is exceeded, a trap message may be sent if configured by the snmp-server enable port-traps atc broadcast-alarm-fire command or snmp-server enable port-traps atc multicast-alarm-fire command.
Chapter 15 | Congestion Control Commands Automatic Traffic Control Commands Example Console(config)#interface ethernet 1/1 Console(config-if)#snmp-server enable port-traps atc broadcast-control-apply Console(config-if)# Related Commands auto-traffic-control alarm-fire-threshold (467) auto-traffic-control apply-timer (463) snmp-server This command sends a trap when broadcast traffic falls beneath the lower enable port-traps atc threshold after a storm control response has been triggered and the release timer expires.
Chapter 15 | Congestion Control Commands Automatic Traffic Control Commands Example Console(config)#interface ethernet 1/1 Console(config-if)#snmp-server enable port-traps atc multicast-control-apply Console(config-if)# Related Commands auto-traffic-control alarm-fire-threshold (467) auto-traffic-control apply-timer (463) snmp-server This command sends a trap when multicast traffic falls beneath the lower threshold enable port-traps atc after a storm control response has been triggered and the release timer expires.
Chapter 15 | Congestion Control Commands Automatic Traffic Control Commands release-timer (sec) : 900 Storm-control: Multicast Apply-timer(sec) : 300 release-timer(sec) : 900 Console# show auto-traffic- This command shows interface configuration settings and storm control status for control interface the specified port. Syntax show auto-traffic-control interface [interface] interface...
Loopback Detection Commands The switch can be configured to detect general loopback conditions caused by hardware problems or faulty protocol settings. When When loopback detection (LBD) is enabled, a control frame is transmitted on the participating ports, and the switch monitors inbound traffic to see if the frame is looped back. Table 93: Loopback Detection Commands Command Function...
Chapter 16 | Loopback Detection Commands loopback-detection This command enables loopback detection globally on the switch or on a specified interface. Use the no form to disable loopback detection. Syntax [no] loopback-detection Default Setting Disabled Command Mode Global Configuration Interface Configuration (Ethernet, Port Channel) Command Usage Loopback detection must be enabled globally for the switch by this command and enabled for a specific interface for this function to take effect.
Chapter 16 | Loopback Detection Commands Command Mode Global Configuration Command Usage ◆ When the response to a detected loopback condition is set to block user traffic, loopback detection control frames may untagged or tagged depending on the port’s VLAN membership type. ◆...
Chapter 16 | Loopback Detection Commands ◆ The recover-time is the maximum time when recovery is triggered after a loop is detected. The actual interval between recovery and detection will be less than or equal to the recover-time. ◆ If the recovery time is set to zero, all ports placed in shutdown state can be restored to operation using the loopback-detection release command.
Chapter 16 | Loopback Detection Commands none - Does not send an SNMP trap for loopback detection or recovery. recover - Sends an SNMP trap message when the switch recovers from a loopback condition. Default Setting None Command Mode Global Configuration Command Usage Refer to the loopback-detection recover-time...
Page 480
Chapter 16 | Loopback Detection Commands Command Mode Privileged Exec Example Console#show loopback-detection Loopback Detection Global Information Global Status : Enabled Transmit Interval : 10 Recover Time : 60 Action : Shutdown Trap : None Loopback Detection Port Information Port Admin State Oper State --------...
UniDirectional Link Detection Commands The switch can be configured to detect and disable unidirectional Ethernet fiber or copper links. When enabled, the protocol advertises a port’s identity and learns about its neighbors on a specific LAN segment; and stores information about its neighbors in a cache.
Chapter 17 | UniDirectional Link Detection Commands Command Usage When a neighbor device is discovered by UDLD, the switch enters “detection state” and remains in this state for specified detection-interval. After the detection- interval expires, the switch tries to decide whether or the link is unidirectional based on the information collected during “detection state.
Chapter 17 | UniDirectional Link Detection Commands udld recovery This command configures the switch to automatically recover from UDLD disabled port state after a period specified by the udld recovery-interval command. Use the no form to disable this feature. Syntax [no] udld recovery Default Setting Disabled...
Chapter 17 | UniDirectional Link Detection Commands Example Console(config)#udld recovery-interval 15 Console(config)# udld aggressive This command sets UDLD to aggressive mode on an interface. Use the no form to restore the default setting. Syntax [no] udld aggressive Default Setting Disabled Command Mode Interface Configuration (Ethernet Port) Command Usage...
Chapter 17 | UniDirectional Link Detection Commands Example This example enables UDLD aggressive mode on port 1. Console(config)#interface ethernet 1/1 Console(config-if)#udld aggressive Console(config-if)# udld port This command enables UDLD on a port. Use the no form to disable UDLD on an interface.
Chapter 17 | UniDirectional Link Detection Commands show udld This command shows UDLD configuration settings and operational status for the switch or for a specified interface. Syntax show udld [interface interface] interface ethernet unit/port unit - Unit identifier. (Range: 1) port - Port number.
Page 487
Chapter 17 | UniDirectional Link Detection Commands (Continued) Table 95: show udld - display description Field Description Recovery Interval Shows the period after which to recover from UDLD disabled port state if automatic recovery is enabled UDLD Shows if UDLD is enabled or disabled on a port Mode Shows if UDLD is functioning in Normal or Aggressive mode Oper State...
Address Table Commands These commands are used to configure the address table for filtering specified addresses, displaying current entries, clearing the table, or setting the aging time. Table 96: Address Table Commands Command Function Mode mac-address-table Sets the aging time of the address table aging-time mac-address-table static Maps a static address to a port in a VLAN...
Chapter 18 | Address Table Commands mac-address-table This command maps a static address to a port in a VLAN, and optionally designates the address as permanent, or to be deleted on reset. Use the no form to remove an static address.
Chapter 18 | Address Table Commands Example Console(config)#mac-address-table static 00-e0-29-94-34-de interface ethernet 1/1 vlan 1 delete-on-reset Console(config)# clear mac-address- This command removes any learned entries from the forwarding database. table dynamic Default Setting None Command Mode Privileged Exec Example Console#clear mac-address-table dynamic Console# show mac-address- This command shows classes of entries in the bridge-forwarding database.
Chapter 18 | Address Table Commands Command Usage ◆ The MAC Address Table contains the MAC addresses associated with each interface. Note that the Type field may include the following types: Learn - Dynamic address entries ■ Config - Static entry ■...
Chapter 18 | Address Table Commands show mac-address- This command shows the number of MAC addresses used and the number of available MAC addresses for the overall system or for an interface. table count Syntax show mac-address-table count interface interface interface ethernet unit/port unit - Unit identifier.
Spanning Tree Commands This section includes commands that configure the Spanning Tree Algorithm (STA) globally for the switch, and commands that configure STA for the selected interface. Table 97: Spanning Tree Commands Command Function Mode spanning-tree Enables the spanning tree protocol spanning-tree forward-time Configures the spanning tree bridge forward time spanning-tree hello-time...
Chapter 19 | Spanning Tree Commands (Continued) Table 97: Spanning Tree Commands Command Function Mode spanning-tree loopback- Configures loopback release mode for a port detection release-mode spanning-tree loopback- Enables BPDU loopback SNMP trap notification for a port detection trap spanning-tree mst cost Configures the path cost of an instance in the MST spanning-tree mst port- Configures the priority of an instance in the MST...
Chapter 19 | Spanning Tree Commands Example This example shows how to enable the Spanning Tree Algorithm for the switch: Console(config)#spanning-tree Console(config)# spanning-tree This command configures the spanning tree bridge forward time globally for this forward-time switch. Use the no form to restore the default. Syntax spanning-tree forward-time seconds no spanning-tree forward-time...
Chapter 19 | Spanning Tree Commands spanning-tree hello- This command configures the spanning tree bridge hello time globally for this switch. Use the no form to restore the default. time Syntax spanning-tree hello-time time no spanning-tree hello-time time - Time in seconds. (Range: 1-10 seconds). The maximum value is the lower of 10 or [(max-age / 2) - 1].
Chapter 19 | Spanning Tree Commands Command Usage This command sets the maximum time (in seconds) a device can wait without receiving a configuration message before attempting to reconverge. All device ports (except for designated ports) should receive configuration messages at regular intervals.
Chapter 19 | Spanning Tree Commands ◆ Rapid Spanning Tree Protocol RSTP supports connections to either STP or RSTP nodes by monitoring the incoming protocol messages and dynamically adjusting the type of protocol messages the RSTP node transmits, as described below: STP Mode –...
Chapter 19 | Spanning Tree Commands Command Mode Global Configuration Command Usage ◆ The path cost method is used to determine the best path between devices. Therefore, lower values should be assigned to ports attached to faster media, and higher values assigned to ports with slower media. Note that path cost (page 509) takes precedence over port priority (page...
Chapter 19 | Spanning Tree Commands spanning-tree mst This command changes to Multiple Spanning Tree (MST) configuration mode. configuration Syntax spanning-tree mst configuration Default Setting No VLANs are mapped to any MST instance. The region name is set the switch’s MAC address. Command Mode Global Configuration Example...
Chapter 19 | Spanning Tree Commands Command Usage The spanning-tree system-bpdu-flooding command has no effect if BPDU flooding is disabled on a port (see the spanning-tree port-bpdu-flooding command). Example Console(config)#spanning-tree system-bpdu-flooding Console(config)# spanning-tree This command configures the minimum interval between the transmission of transmission-limit consecutive RSTP/MSTP BPDUs.
Chapter 19 | Spanning Tree Commands Command Mode MST Configuration Command Usage An MSTI region is treated as a single node by the STP and RSTP protocols. Therefore, the message age for BPDUs inside an MSTI region is never changed. However, each spanning tree instance within a region, and the internal spanning tree (IST) that connects these instances use a hop count to specify the maximum number of bridges that will propagate a BPDU.
Chapter 19 | Spanning Tree Commands Example Console(config-mstp)#mst 1 priority 4096 Console(config-mstp)# mst vlan This command adds VLANs to a spanning tree instance. Use the no form to remove the specified VLANs. Using the no form without any VLAN parameters to remove all VLANs.
Chapter 19 | Spanning Tree Commands name This command configures the name for the multiple spanning tree region in which this switch is located. Use the no form to clear the name. Syntax name name name - Name of the spanning tree. Default Setting Switch’s MAC address Command Mode...
Chapter 19 | Spanning Tree Commands Example Console(config-mstp)#revision 1 Console(config-mstp)# Related Commands name (506) spanning-tree This command allows you to avoid transmitting BPDUs on configured edge ports bpdu-filter that are connected to end nodes. Use the no form to disable this feature. Syntax [no] spanning-tree bpdu-filter Default Setting...
Chapter 19 | Spanning Tree Commands spanning-tree This command shuts down an edge port (i.e., an interface set for fast forwarding) if it receives a BPDU. Use the no form without any keywords to disable this feature, or bpdu-guard with a keyword to restore the default settings. Syntax spanning-tree bpdu-guard [auto-recovery [interval interval]] no spanning-tree bpdu-guard [auto-recovery [interval]]...
Chapter 19 | Spanning Tree Commands spanning-tree cost This command configures the spanning tree path cost for the specified interface. Use the no form to restore the default auto-configuration mode. Syntax spanning-tree cost cost no spanning-tree cost cost - The path cost for the port. (Range: 0 for auto-configuration, 1-65535 for short path cost method , 1-200,000,000 for long path cost method) Table 98: Recommended STA Path Cost Range...
Chapter 19 | Spanning Tree Commands ◆ Path cost takes precedence over port priority. ◆ When the path cost method (page 500) is set to short, the maximum value for path cost is 65,535. Example Console(config)#interface ethernet 1/5 Console(config-if)#spanning-tree cost 50 Console(config-if)# spanning-tree This command specifies an interface as an edge port.
Chapter 19 | Spanning Tree Commands spanning-tree This command configures the link type for Rapid Spanning Tree and Multiple Spanning Tree. Use the no form to restore the default. link-type Syntax spanning-tree link-type {auto | point-to-point | shared} no spanning-tree link-type auto - Automatically derived from the duplex mode setting.
Chapter 19 | Spanning Tree Commands Command Usage ◆ If Port Loopback Detection is not enabled and a port receives it’s own BPDU, then the port will drop the loopback BPDU according to IEEE Standard 802.1W- 2001 9.3.4 (Note 1). ◆...
Chapter 19 | Spanning Tree Commands spanning-tree This command configures the release mode for a port that was placed in the discarding state because a loopback BPDU was received. Use the no form to restore loopback-detection the default. release-mode Syntax spanning-tree loopback-detection release-mode {auto | manual} no spanning-tree loopback-detection release-mode...
Chapter 19 | Spanning Tree Commands spanning-tree This command enables SNMP trap notification for Spanning Tree loopback BPDU detections. Use the no form to restore the default. loopback-detection trap Syntax [no] spanning-tree loopback-detection trap Default Setting Disabled Command Mode Interface Configuration (Ethernet, Port Channel) Example Console(config)#interface ethernet 1/5 Console(config-if)#spanning-tree loopback-detection trap...
Chapter 19 | Spanning Tree Commands interfaces attached to faster media, and higher values assigned to interfaces with slower media. ◆ Use the no spanning-tree mst cost command to specify auto-configuration mode. ◆ Path cost takes precedence over interface priority. Example Console(config)#interface Ethernet 1/5 Console(config-if)#spanning-tree mst 1 cost 50...
Chapter 19 | Spanning Tree Commands Related Commands spanning-tree mst cost (514) spanning-tree port- This command floods BPDUs to other ports when spanning tree is disabled globally or disabled on a specific port. Use the no form to restore the default setting. bpdu-flooding Syntax [no] spanning-tree port-bpdu-flooding...
Chapter 19 | Spanning Tree Commands Command Usage ◆ This command defines the priority for the use of a port in the Spanning Tree Algorithm. If the path cost for all ports on a switch are the same, the port with the highest priority (that is, lowest value) will be configured as an active link in the spanning tree.
Chapter 19 | Spanning Tree Commands by taking over as the root port and forming a new spanning tree topology. It could also be used to form a border around part of the network where the root bridge is allowed. ◆...
Chapter 19 | Spanning Tree Commands Command Usage When this command is enabled on an interface, topology change information originating from the interface will still be propagated. This command should not be used on an interface which is purposely configured in a ring topology.
Chapter 19 | Spanning Tree Commands spanning-tree This command re-checks the appropriate BPDU format to send on the selected interface. protocol-migration Syntax spanning-tree protocol-migration interface interface ethernet unit/port unit - Unit identifier. (Range: 1) port - Port number. (Range: 1-28/52) port-channel channel-id (Range: 1-26) Command Mode Privileged Exec...
Page 521
Chapter 19 | Spanning Tree Commands Command Mode Privileged Exec Command Usage ◆ Use the show spanning-tree command with no parameters to display the spanning tree configuration for the switch for the Common Spanning Tree (CST) and for every interface in the tree. ◆...
Chapter 19 | Spanning Tree Commands Admin Edge Port : Auto Oper Edge Port : Disabled Admin Link Type : Auto Oper Link Type : Point-to-point Flooding Behavior : Enabled Spanning-Tree Status : Enabled Loopback Detection Release Mode : Auto Loopback Detection Trap : Disabled Loopback Detection Action...
ERPS Commands The G.8032 recommendation, also referred to as Ethernet Ring Protection Switching (ERPS), can be used to increase the availability and robustness of Ethernet rings. This chapter describes commands used to configure ERPS. Table 100: ERPS Commands Command Function Mode erps Enables ERPS globally on the switch...
Page 524
Chapter 20 | ERPS Commands (Continued) Table 100: ERPS Commands Command Function Mode clear erps Clears statistics, including SF, NR, NR-RB, FS, MS, Event, and Health statistics protocol messages erps clear Manually clears protection state which has been invoked by a Forced Switch or Manual Switch command, and the node is operating under non-revertive mode;...
Chapter 20 | ERPS Commands Enable ERPS: Before enabling a ring as described in the next step, first use the erps command to globally enable ERPS on the switch. If ERPS has not yet been enabled or has been disabled with the no erps command, no ERPS rings will work.
Chapter 20 | ERPS Commands Default Setting None Command Mode Global Configuration Command Usage ◆ Service Instances within each ring are based on a unique maintenance association for the specific users, distinguished by the ring name, maintenance level, maintenance association’s name, and assigned VLAN. Up to 6 ERPS rings can be configured on the switch.
Chapter 20 | ERPS Commands In addition, only ring ports may be added to the Control VLAN. No other ■ ports can be members of this VLAN. Also, the ring ports of the Control VLAN must be tagged. ■ ◆ Once the ring has been activated with the enable command, the configuration...
Chapter 20 | ERPS Commands Related Commands erps (525) guard-timer This command sets the guard timer to prevent ring nodes from receiving outdated R-APS messages. Use the no form to restore the default setting. Syntax guard-timer milliseconds milliseconds - The guard timer is used to prevent ring nodes from receiving outdated R-APS messages.
Chapter 20 | ERPS Commands Command Usage In order to coordinate timing of protection switches at multiple layers, a hold-off timer may be required. Its purpose is to allow, for example, a server layer protection switch to have a chance to fix the problem before switching at a client layer. When a new defect or more severe defect occurs (new Signal Failure), this event will not be reported immediately to the protection switching mechanism if the provisioned hold-off timer value is non-zero.
Chapter 20 | ERPS Commands Example Console(config-erps)#major-domain rd0 Console(config-erps)# meg-level This command sets the Maintenance Entity Group level for a ring. Use the no form to restore the default setting. Syntax meg-level level level - The maintenance entity group (MEG) level which provides a communication channel for ring automatic protection switching (R-APS) information.
Chapter 20 | ERPS Commands mep-monitor This command specifies the CFM MEPs used to monitor the link on a ring node. Use the no form to restore the default setting. Syntax mep-monitor {east | west} mep mpid east - Connects to next ring node to the east. west - Connects to next ring node to the west.
Chapter 20 | ERPS Commands Related Commands ethernet cfm domain (779) ethernet cfm mep (784) node-id This command sets the MAC address for a ring node. Use the no form to restore the default setting. Syntax node-id mac-address mac-address – A MAC address unique to the ring node. The MAC address must be specified in the format xx-xx-xx-xx-xx-xx or xxxxxxxxxxxx.
Chapter 20 | ERPS Commands non-erps-dev-protect This command sends non-standard health-check packets when an owner node enters protection state without any link down event having been detected through SF messages. Use the no form to disable this feature. Syntax [no] non-erps-dev-protect Default Setting Disabled Command Mode...
Chapter 20 | ERPS Commands Example Console(config-erps)#non-erps-dev-protect Console(config-erps)# non-revertive This command enables non-revertive mode, which requires the protection state on the RPL to manually cleared. Use the no form to restore the default revertive mode. Syntax [no] non-revertive Default Setting Disabled Command Mode ERPS Configuration...
Page 535
Chapter 20 | ERPS Commands The WTR timer is cancelled if during the WTR period a higher priority request than NR is accepted by the RPL Owner Node or is declared locally at the RPL Owner Node. When the WTR timer expires, without the presence of any other higher priority request, the RPL Owner Node initiates reversion by blocking its traffic channel over the RPL, transmitting an R-APS (NR, RB) message over both ring ports, informing the ring that the RPL is blocked, and...
Page 536
Chapter 20 | ERPS Commands Recovery with revertive mode is handled in the following way: ■ The reception of an R-APS (NR) message causes the RPL Owner Node to start the WTB timer. The WTB timer is cancelled if during the WTB period a higher priority request than NR is accepted by the RPL Owner Node or is declared locally at the RPL Owner Node.
Page 537
Chapter 20 | ERPS Commands If the ring node where the Manual Switch was cleared receives an R-APS (NR) message with a Node ID higher than its own Node ID, it unblocks any ring port which does not have an SF condition and stops transmitting R-APS (NR) message on both ring ports.
Chapter 20 | ERPS Commands propagate-tc This command enables propagation of topology change messages for a secondary ring to the primary ring. Use the no form to disable this feature. Syntax [no] propagate-tc Default Setting Disabled Command Mode ERPS Configuration Command Usage ◆...
Chapter 20 | ERPS Commands ◆ If this command is disabled, the following strings are used as the node identifier: ERPSv1: 01-19-A7-00-00-01 ■ ERPSv2: 01-19-A7-00-00-[Ring ID] ■ Example Console(config-erps)#propagate-tc Console(config-erps)# raps-without-vc This command terminates the R-APS channel at the primary ring to sub-ring interconnection nodes.
Chapter 20 | ERPS Commands may be affected if R-APS messages traverse a long distance over an R-APS virtual channel. Figure 4: Sub-ring with Virtual Channel Interconnection Node RPL Port Ring Node Major Ring Sub-ring with Virtual Channel Virtual Channel ◆...
Chapter 20 | ERPS Commands ring-port This command configures a node’s connection to the ring through the east or west interface. Use the no form to disassociate a node from the ring. Syntax ring-port {east | west} interface interface east - Connects to next ring node to the east. west - Connects to next ring node to the west.
Chapter 20 | ERPS Commands rpl neighbor This command configures a ring node to be the Ring Protection Link (RPL) neighbor. Use the no form to restore the default setting. Syntax rpl neighbor no rpl Default Setting None (that is, neither owner nor neighbor) Command Mode ERPS Configuration Command Usage...
Chapter 20 | ERPS Commands Command Mode ERPS Configuration Command Usage ◆ Only one RPL owner can be configured on a ring. The owner blocks traffic on the RPL during Idle state, and unblocks it during Protection state (that is, when a signal fault is detected on the ring or the protection state is enabled with the erps forced-switch erps manual-switch...
Chapter 20 | ERPS Commands ◆ The version number is automatically set to “1” when a ring node, supporting only the functionalities of G.8032v1, exists on the same ring with other nodes that support G.8032v2. ◆ When ring nodes running G.8032v1 and G.8032v2 co-exist on a ring, the ring ID of each node is configured as “1”.
Chapter 20 | ERPS Commands Example Console#erps clear domain r&d Console# erps forced-switch This command blocks the specified ring port. Syntax erps forced-switch [domain ring-name] {east | west} ring-name - Name of a specific ERPS ring. (Range: 1-12 characters) east - East ring port. west - West ring port.
Chapter 20 | ERPS Commands While an existing forced switch request is present in a ring, any new forced switch request is accepted, except on a ring node having a prior local forced switch request. The ring nodes where further forced switch commands are issued block the traffic channel and R-APS channel on the ring port at which the forced switch was issued.
Chapter 20 | ERPS Commands node under maintenance in order to avoid falling into the above mentioned unrecoverable situation. Example Console#erps forced-switch domain r&d west Console# erps manual-switch This command blocks the specified ring port, in the absence of a failure or an erps forced-switch command.
Chapter 20 | ERPS Commands A ring node accepting an R-APS (MS) message, without any local higher priority requests stops transmitting R-APS messages. A ring node receiving an R-APS (MS) message flushes its FDB. ◆ Protection switching on a manual switch request is completed when the above actions are performed by each ring node.
Chapter 20 | ERPS Commands Example This example displays a summary of all the ERPS rings configured on the switch. Console#show erps ERPS Status : Enabled Number of ERPS Domains Domain Enabled Ver MEL Ctrl VLAN State Type Revertive ------------ --- ------- --- --- --------- ---------- ------------ --------- r&d 1 Yes 1 Idle...
Chapter 20 | ERPS Commands (Continued) Table 102: show erps - summary display description Field Description Port State The operational state: Blocking – The transmission and reception of traffic is blocked and the forwarding of R-APS messages is blocked, but the transmission of locally generated R-APS messages is allowed and the reception of all R- APS messages is allowed.
Page 552
Chapter 20 | ERPS Commands (Continued) Table 103: show erps domain - detailed display description Field Description R-APS with VC The R-APS Virtual Channel is the R-APS channel connection used to tunnel R-APS messages between two interconnection nodes of a sub- ring in another Ethernet ring or network.
Chapter 20 | ERPS Commands Console# Table 104: show erps statistics - detailed display description Field Description Interface The direction, and port or trunk which is configured as a ring port. Local SF A signal fault generated on a link to the local node. Local Clear SF The number of times a clear command was issued to terminate protection state entered through a forced switch or manual switch...
VLAN Commands A VLAN is a group of ports that can be located anywhere in the network, but communicate as though they belong to the same physical segment. This section describes commands used to create VLAN groups, add port members, specify how VLAN tagging is used, and enable automatic VLAN registration for the selected interface.
Chapter 21 | VLAN Commands GVRP and Bridge Extension Commands GVRP and Bridge Extension Commands GARP VLAN Registration Protocol defines a way for switches to exchange VLAN information in order to automatically register VLAN members on interfaces across the network. This section describes how to enable GVRP for individual interfaces and globally for the switch, as well as how to display default configuration settings for the Bridge Extension MIB.
Chapter 21 | VLAN Commands GVRP and Bridge Extension Commands garp timer This command sets the values for the join, leave and leaveall timers. Use the no form to restore the timers’ default values. Syntax garp timer {join | leave | leaveall} timer-value no garp timer {join | leave | leaveall} {join | leave | leaveall} - Timer to set.
Chapter 21 | VLAN Commands GVRP and Bridge Extension Commands switchport forbidden This command configures forbidden VLANs. Use the no form to remove the list of forbidden VLANs. vlan Syntax switchport forbidden vlan {add vlan-list | remove vlan-list} no switchport forbidden vlan add vlan-list - List of VLAN identifiers to add.
Chapter 21 | VLAN Commands GVRP and Bridge Extension Commands Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage GVRP cannot be enabled for ports set to Access mode using the switchport mode command. Example Console(config)#interface ethernet 1/1 Console(config-if)#switchport gvrp Console(config-if)# show bridge-ext This command shows the configuration for bridge extension commands.
Chapter 21 | VLAN Commands GVRP and Bridge Extension Commands (Continued) Table 107: show bridge-ext - display description Field Description Configurable PVID This switch allows you to override the default Port VLAN ID (PVID used in frame Tagging tags) and egress status (VLAN-Tagged or Untagged) on each port. (Refer to the switchport allowed vlan command.) Local VLAN Capable This switch does not support multiple local bridges outside of the scope of...
Chapter 21 | VLAN Commands GVRP and Bridge Extension Commands show gvrp This command shows if GVRP is enabled. configuration Syntax show gvrp configuration [interface] interface ethernet unit/port unit - Unit identifier. (Range: 1) port - Port number. (Range: 1-28/52) port-channel channel-id (Range: 1-26) Default Setting Shows both global and interface-specific configuration.
Chapter 21 | VLAN Commands Editing VLAN Groups Editing VLAN Groups Table 108: Commands for Editing VLAN Groups Command Function Mode vlan database Enters VLAN database mode to add, change, and delete VLANs vlan Configures a VLAN, including VID, name and state vlan database This command enters VLAN database mode.
Chapter 21 | VLAN Commands Editing VLAN Groups vlan This command configures a VLAN. Use the no form to restore the default settings or delete a VLAN. Syntax vlan vlan-id [name vlan-name] media ethernet [state {active | suspend}] [rspan] no vlan vlan-id [name | state] vlan-id - VLAN ID, specified as a single number, a range of consecutive numbers separated by a hyphen, or multiple numbers separated by commas.
Chapter 21 | VLAN Commands Configuring VLAN Interfaces Related Commands show vlan (571) Configuring VLAN Interfaces Table 109: Commands for Configuring VLAN Interfaces Command Function Mode interface vlan Enters interface configuration mode for a specified VLAN switchport acceptable- Configures frame types to be accepted by an interface frame-types switchport allowed vlan Configures the VLANs associated with an interface...
Chapter 21 | VLAN Commands Configuring VLAN Interfaces Related Commands shutdown (394) interface (387) vlan (563) switchport This command configures the acceptable frame types for a port. Use the no form to restore the default. acceptable-frame- types Syntax switchport acceptable-frame-types {all | tagged} no switchport acceptable-frame-types all - The port accepts all frames, tagged or untagged.
Chapter 21 | VLAN Commands Configuring VLAN Interfaces switchport allowed This command configures VLAN groups on the selected interface. Use the no form to restore the default. vlan Syntax switchport allowed vlan {vlan-list | add vlan-list [tagged | untagged] | remove vlan-list} no switchport allowed vlan vlan-list - If a VLAN list is entered without using the add option, the...
Chapter 21 | VLAN Commands Configuring VLAN Interfaces ◆ If a VLAN on the forbidden list for an interface is manually added to that interface, the VLAN is automatically removed from the forbidden list for that interface. Example The following example shows how to add VLANs 1, 2, 5 and 6 to the allowed list as tagged VLANs for port 1: Console(config)#interface ethernet 1/1 Console(config-if)#switchport allowed vlan add 1,2,5,6 tagged...
Chapter 21 | VLAN Commands Configuring VLAN Interfaces switchport mode This command configures the VLAN membership mode for a port. Use the no form to restore the default. Syntax switchport mode {access | hybrid | trunk} no switchport mode access - Specifies an access VLAN interface. The port transmits and receives untagged frames on a single VLAN only.
Chapter 21 | VLAN Commands Configuring VLAN Interfaces switchport native vlan This command configures the PVID (i.e., default VLAN ID) for a port. Use the no form to restore the default. Syntax switchport native vlan vlan-id no switchport native vlan vlan-id - Default VLAN ID for a port.
Chapter 21 | VLAN Commands Configuring VLAN Interfaces The following figure shows VLANs 1 and 2 configured on switches A and B, with VLAN trunking being used to pass traffic for these VLAN groups across switches C, D and E. Figure 6: Configuring VLAN Trunking Without VLAN trunking, you would have to configure VLANs 1 and 2 on all intermediate switches –...
Chapter 21 | VLAN Commands Displaying VLAN Information Displaying VLAN Information This section describes commands used to display VLAN information. Table 110: Commands for Displaying VLAN Information Command Function Mode show interfaces status vlan Displays status for the specified VLAN interface NE, PE show interfaces switchport Displays the administrative and operational status of an...
Chapter 21 | VLAN Commands Configuring IEEE 802.1Q Tunneling Configuring IEEE 802.1Q Tunneling IEEE 802.1Q tunneling (QinQ tunneling) uses a single Service Provider VLAN (SPVLAN) for customers who have multiple VLANs. Customer VLAN IDs are preserved and traffic from different customers is segregated within the service provider’s network even when they use the same customer-specific VLAN IDs.
Chapter 21 | VLAN Commands Configuring IEEE 802.1Q Tunneling Configure the QinQ tunnel uplink port to dot1Q-tunnel uplink mode (switchport dot1q-tunnel mode). Configure the QinQ tunnel uplink port to join the SPVLAN as a tagged member (switchport allowed vlan). Limitations for QinQ ◆...
Chapter 21 | VLAN Commands Configuring IEEE 802.1Q Tunneling switchport This command configures an interface as a QinQ tunnel port. Use the no form to disable QinQ on the interface. dot1q-tunnel mode Syntax switchport dot1q-tunnel mode {access | uplink} no switchport dot1q-tunnel mode access –...
Chapter 21 | VLAN Commands Configuring IEEE 802.1Q Tunneling switchport This command copies the inner tag 802.1p value to the outer tag 802.1p value. Use the no form of this command to use port default priority. dot1q-tunnel priority map Syntax [no] switchport dot1q-tunnel priority map Default Setting Disabled...
Chapter 21 | VLAN Commands Configuring IEEE 802.1Q Tunneling VLAN that will carry this traffic across the 802.1Q tunnel. This process is performed in a transparent manner. ◆ When priority bits are found in the inner tag, these are also copied to the outer tag.
Page 577
Chapter 21 | VLAN Commands Configuring IEEE 802.1Q Tunneling Step 1. Configure Switch A and B. Create VLANs 100, 200 and 300. Console(config)#vlan database Console(config-vlan)#vlan 100,200,300 media ethernet state active Enable QinQ. Console(config)#dot1q-tunnel system-tunnel-control Configure port 2 as a tagged member of VLANs 100, 200 and 300 using uplink mode.
Chapter 21 | VLAN Commands Configuring IEEE 802.1Q Tunneling switchport This command sets the Tag Protocol Identifier (TPID) value of a tunnel port. Use the no form to restore the default setting. dot1q-tunnel tpid Syntax switchport dot1q-tunnel tpid tpid no switchport dot1q-tunnel tpid tpid –...
Chapter 21 | VLAN Commands Configuring IEEE 802.1Q Tunneling show dot1q-tunnel This command displays information about QinQ tunnel ports. Syntax show dot1q-tunnel [interface interface [service svid] | service [svid]] interface ethernet unit/port unit - Unit identifier. (Range: 1) port - Port number. (Range: 1-28/52) port-channel channel-id (Range: 1-26) svid - VLAN ID for the outer VLAN tag (SPVID).
Chapter 21 | VLAN Commands Configuring L2PT Tunneling Configuring L2PT Tunneling This section describes the commands used to configure Layer 2 Protocol Tunneling (L2PT). Table 112: L2 Protocol Tunnel Commands Command Function Mode l2protocol-tunnel tunnel- Configures the destination address for Layer 2 Protocol dmac Tunneling switchport...
Page 581
Chapter 21 | VLAN Commands Configuring L2PT Tunneling encapsulated packets in the same way as normal data, forwarding them across to the tunnel’s egress port. The egress port decapsulates these packets, restores the proper protocol and MAC address information, and then floods them onto the same VLANs at the customer’s remote site (via all of the appropriate tunnel ports and access ports connected to the same metro VLAN).
Chapter 21 | VLAN Commands Configuring L2PT Tunneling other access ports for which L2PT is enabled after decapsulating the ■ packet and restoring the proper protocol and MAC address information. all uplink ports. ■ ◆ When a Cisco-compatible L2PT packet is received on an access port, and recognized as a CDP/VTP/STP/PVST+ protocol packet, and ■...
Chapter 21 | VLAN Commands Configuring VLAN Translation Configuring VLAN Translation QinQ tunneling uses double tagging to preserve the customer’s VLAN tags on traffic crossing the service provider’s network. However, if any switch in the path crossing the service provider’s network does not support this feature, then the switches directly connected to that device can be configured to swap the customer’s VLAN ID with the service provider’s VLAN ID for upstream traffic, or the service provider’s VLAN ID with the customer’s VLAN ID for downstream traffic.
Chapter 21 | VLAN Commands Configuring VLAN Translation Figure 8: Configuring VLAN Translation (VLAN 10) (VLAN 100) upstream (VLAN 100) (VLAN 10) downstream ◆ The maximum number of VLAN translation entries is 8 per port, and up to 96 for the system.
Chapter 21 | VLAN Commands Configuring Protocol-based VLANs Command Mode Privileged Exec Example Console#show vlan-translation Interface Old VID New VID --------- ------- ------- Eth 1/ 1 Console# Configuring Protocol-based VLANs The network devices required to support multiple protocols cannot be easily grouped into a common VLAN.
Chapter 21 | VLAN Commands Configuring Protocol-based VLANs Then map the protocol for each interface to the appropriate VLAN using the protocol-vlan protocol-group command (Interface Configuration mode). protocol-vlan This command creates a protocol group, or to add specific protocols to a group. Use the no form to remove a protocol group.
Chapter 21 | VLAN Commands Configuring Protocol-based VLANs protocol-vlan This command maps a protocol group to a VLAN for the current interface. Use the no form to remove the protocol mapping for this interface. protocol-group (Configuring Interfaces) Syntax protocol-vlan protocol-group group-id vlan vlan-id no protocol-vlan protocol-group group-id vlan group-id - Group identifier of this protocol group.
Chapter 21 | VLAN Commands Configuring Protocol-based VLANs show protocol-vlan This command shows the frame and protocol type associated with protocol groups. protocol-group Syntax show protocol-vlan protocol-group [group-id] group-id - Group identifier for a protocol group. (Range: 1-2147483647) Default Setting All protocol groups are displayed.
Chapter 21 | VLAN Commands Configuring IP Subnet VLANs Example This shows that traffic entering Port 1 that matches the specifications for protocol group 1 will be mapped to VLAN 2: Console#show interfaces protocol-vlan protocol-group Port Protocol Group ID VLAN ID -------- ----------------- ------- Eth 1/ 2 1 Console#...
Chapter 21 | VLAN Commands Configuring IP Subnet VLANs Default Setting Priority: 0 Command Mode Global Configuration Command Usage ◆ Each IP subnet can be mapped to only one VLAN ID. An IP subnet consists of an IP address and a subnet mask. The specified VLAN need not be an existing VLAN.
Chapter 21 | VLAN Commands Configuring MAC Based VLANs 192.168.12.224 255.255.255.240 192.168.12.240 255.255.255.248 192.168.12.248 255.255.255.252 192.168.12.252 255.255.255.254 192.168.12.254 255.255.255.255 192.168.12.255 255.255.255.255 Console# Configuring MAC Based VLANs When using IEEE 802.1Q port-based VLAN classification, all untagged frames received by a port are classified as belonging to the VLAN whose VID (PVID) is associated with that port.
Chapter 21 | VLAN Commands Configuring MAC Based VLANs Command Mode Global Configuration Command Usage ◆ The MAC-to-VLAN mapping applies to all ports on the switch. ◆ Source MAC addresses can be mapped to only one VLAN ID. ◆ Configured MAC addresses cannot be broadcast or multicast addresses. ◆...
Chapter 21 | VLAN Commands Configuring Voice VLANs Configuring Voice VLANs The switch allows you to specify a Voice VLAN for the network and set a CoS priority for the VoIP traffic. VoIP traffic can be detected on switch ports by using the source MAC address of packets, or by using LLDP (IEEE 802.1AB) to discover connected VoIP devices.
Chapter 21 | VLAN Commands Configuring Voice VLANs ◆ VoIP traffic can be detected on switch ports by using the source MAC address of packets, or by using LLDP (IEEE 802.1AB) to discover connected VoIP devices. When VoIP traffic is detected on a configured port, the switch automatically assigns the port as a tagged member of the Voice VLAN.
Chapter 21 | VLAN Commands Configuring Voice VLANs Note that when the switchport voice vlan command is set to auto mode, the remaining aging time displayed by the show voice vlan command will be displayed. Otherwise, if the switchport voice vlan command is disabled or set to manual mode, the remaining aging time will display “NA.
Chapter 21 | VLAN Commands Configuring Voice VLANs Example The following example adds a MAC OUI to the OUI Telephony list. Console(config)#voice vlan mac-address 00-12-34-56-78-90 mask ff-ff-ff-00-00- 00 description A new phone Console(config)# switchport voice vlan This command specifies the Voice VLAN mode for ports. Use the no form to disable the Voice VLAN feature on the port.
Chapter 21 | VLAN Commands Configuring Voice VLANs switchport voice vlan This command specifies a CoS priority for VoIP traffic on a port. Use the no form to restore the default priority on a port. priority Syntax switchport voice vlan priority priority-value no switchport voice vlan priority priority-value - The CoS priority value.
Chapter 21 | VLAN Commands Configuring Voice VLANs Command Usage ◆ When OUI is selected, be sure to configure the MAC address ranges in the Telephony OUI list (see the voice vlan mac-address command. MAC address OUI numbers must be configured in the Telephony OUI list so that the switch recognizes the traffic as being from a VoIP device.
Chapter 21 | VLAN Commands Configuring Voice VLANs show voice vlan This command displays the Voice VLAN settings on the switch and the OUI Telephony list. Syntax show voice vlan {oui | status} oui - Displays the OUI Telephony list. status - Displays the global and port Voice VLAN settings.
Class of Service Commands The commands described in this section allow you to specify which data packets have greater precedence when traffic is buffered in the switch due to congestion. This switch supports CoS with eight priority queues for each port. Data packets in a port’s high-priority queue will be transmitted before those in the lower-priority queues.
Chapter 22 | Class of Service Commands Priority Commands (Layer 2) queue mode This command sets the scheduling mode used for processing each of the class of service (CoS) priority queues. The options include strict priority, Weighted Round- Robin (WRR), or a combination of strict and weighted queuing. Use the no form to restore the default value.
Chapter 22 | Class of Service Commands Priority Commands (Layer 2) ◆ Service time is shared at the egress ports by defining scheduling weights for WRR, or for the queuing mode that uses a combination of strict and weighted queuing. Service time is allocated to each queue by calculating a precise number of bytes per second that will be serviced on each round.
Chapter 22 | Class of Service Commands Priority Commands (Layer 2) Example The following example shows how to assign round-robin weights of 1 - 4 to the CoS priority queues 0 - 7. Console(config)#queue weight 1 2 3 4 5 6 7 8 Console(config)# Related Commands queue mode (602)
Chapter 22 | Class of Service Commands Priority Commands (Layer 2) Example The following example shows how to set a default priority on port 3 to 5: Console(config)#interface ethernet 1/3 Console(config-if)#switchport priority default 5 Console(config-if)# Related Commands show interfaces switchport (408) show queue mode This command shows the current queue mode.
Chapter 22 | Class of Service Commands Priority Commands (Layer 3 and 4) Priority Commands (Layer 3 and 4) This section describes commands used to configure Layer 3 and 4 traffic priority mapping on the switch. Table 120: Priority Commands (Layer 3 and 4) Command Function Mode...
Chapter 22 | Class of Service Commands Priority Commands (Layer 3 and 4) qos map phb-queue This command determines the hardware output queues to use based on the internal per-hop behavior value. Use the no form to restore the default settings. Syntax qos map phb-queue queue-id from phb0 ...
Chapter 22 | Class of Service Commands Priority Commands (Layer 3 and 4) qos map cos-dscp This command maps CoS/CFI values in incoming packets to per-hop behavior and drop precedence values for priority processing. Use the no form to restore the default settings.
Chapter 22 | Class of Service Commands Priority Commands (Layer 3 and 4) drop precedence values for internal processing. Note that priority tags in the original packet are not modified by this command. ◆ The internal DSCP consists of three bits for per-hop behavior (PHB) which determines the queue to which a packet is sent;...
Chapter 22 | Class of Service Commands Priority Commands (Layer 3 and 4) Console(config-if)#qos map default-drop-precedence 3 from 3 4 5 Console(config-if)#qos map default-drop-precedence 0 from 6 7 Console(config-if)# qos map dscp-cos This command maps internal per-hop behavior and drop precedence value pairs to CoS/CFI values used in tagged egress packets on a Layer 2 interface.
Chapter 22 | Class of Service Commands Priority Commands (Layer 3 and 4) ◆ If the packet is forwarded with an 8021.Q tag, the priority value in the egress packet is modified based on the table shown above, or on similar values as modified by this command.
Chapter 22 | Class of Service Commands Priority Commands (Layer 3 and 4) Command Usage ◆ Enter a value pair for the internal per-hop behavior and drop precedence, followed by the keyword “from” and then up to eight DSCP values separated by spaces.
Chapter 22 | Class of Service Commands Priority Commands (Layer 3 and 4) Command Usage ◆ This mapping table is only used if the protocol type of the arriving packet is TCP or UDP. Example Console(config)#interface ethernet 1/5 Console(config-if)#qos map ip-port-dscp tcp 21 to 1 0 Console(config-if)# qos map ip-prec-dscp This command maps IP precedence values in incoming packets to per-hop...
Chapter 22 | Class of Service Commands Priority Commands (Layer 3 and 4) qos map trust-mode This command sets QoS mapping to DSCP or CoS. Use the no form to restore the default setting. Syntax qos map trust-mode {cos | dscp | ip-prec} no qos map trust-mode cos - Sets the QoS mapping mode to CoS.
Chapter 22 | Class of Service Commands Priority Commands (Layer 3 and 4) show qos map This command shows ingress CoS/CFI to internal DSCP map. cos-dscp Syntax show qos map cos-dscp interface interface interface ethernet unit/port unit - Unit identifier. (Range: 1) port - Port number.
Chapter 22 | Class of Service Commands Priority Commands (Layer 3 and 4) Example Console#show qos map default-drop-precedence interface ethernet 1/5 Information of Eth 1/5 default-drop-precedence map: phb: ------------------------------------------------------- color: Console# show map dscp-cos This command shows the internal DSCP to egress CoS map, which converts internal PHB/Drop Precedence to CoS values.
Chapter 22 | Class of Service Commands Priority Commands (Layer 3 and 4) show qos map This command shows the ingress DSCP to internal DSCP map. dscp-mutation Syntax show qos map dscp-mutation interface interface interface ethernet unit/port unit - Unit identifier. (Range: 1) port - Port number.
Chapter 22 | Class of Service Commands Priority Commands (Layer 3 and 4) Command Mode Privileged Exec Command Usage The IP Port-to-DSCP mapping table is only used if the protocol type of the arriving packet is TCP or UDP. Example Console#show qos map ip-port-dscp interface ethernet 1/5 Information of Eth 1/5 ip-port-dscp map:...
Chapter 22 | Class of Service Commands Priority Commands (Layer 3 and 4) show qos map This command shows internal per-hop behavior to hardware queue map. phb-queue Syntax show qos map phb-queue interface interface interface ethernet unit/port unit - Unit identifier. (Range: 1) port - Port number.
Page 620
Chapter 22 | Class of Service Commands Priority Commands (Layer 3 and 4) – 620 –...
Quality of Service Commands The commands described in this section are used to configure Differentiated Services (DiffServ) classification criteria and service policies. You can classify traffic based on access lists, IP Precedence or DSCP values, or VLANs. Using access lists allows you select traffic based on Layer 2, Layer 3, or Layer 4 information contained in each packet.
Chapter 23 | Quality of Service Commands To create a service policy for a specific category of ingress traffic, follow these steps: Use the class-map command to designate a class name for a specific category of traffic, and enter the Class Map configuration mode. Use the match command to select a specific type of traffic based on an access...
Chapter 23 | Quality of Service Commands ◆ One or more class maps can be assigned to a policy map (page 625). The policy map is then bound by a service policy to an interface (page 635). A service policy defines packet classification, service tagging, and bandwidth policing. Once a policy map has been bound to an interface, no additional class maps may be added to the policy map, nor any changes made to the assigned class maps with the...
Page 624
Chapter 23 | Quality of Service Commands cos - A Class of Service value. (Range: 0-7) dscp - A Differentiated Service Code Point value. (Range: 0-63) ip-precedence - An IP Precedence value. (Range: 0-7) vlan - A VLAN. (Range:1-4094) Default Setting None Command Mode Class Map Configuration...
Chapter 23 | Quality of Service Commands This example creates a class map call “rd-class#3, ” and sets it to match packets marked for VLAN 1. Console(config)#class-map rd-class#3 match-any Console(config-cmap)#match vlan 1 Console(config-cmap)# rename This command redefines the name of a class map or policy map. Syntax rename map-name map-name - Name of the class map or policy map.
Chapter 23 | Quality of Service Commands ◆ Create a Class Map (page 625) before assigning it to a Policy Map. Example This example creates a policy called “rd-policy, ” uses the class command to specify the previously defined “rd-class, ” uses the set command to classify the service that incoming packets will receive, and then uses the police flow command to limit the...
Chapter 23 | Quality of Service Commands Example This example creates a policy called “rd-policy, ” uses the class command to specify the previously defined “rd-class, ” uses the set phb command to classify the service that incoming packets will receive, and then uses the police flow command to limit the average bandwidth to 100,000 Kbps, the burst rate to 4,000 bytes, and...
Chapter 23 | Quality of Service Commands committed-rate option. Note that the token bucket functions similar to that described in RFC 2697 and RFC 2698. ◆ The behavior of the meter is specified in terms of one token bucket (C), the rate at which the tokens are incremented (CIR –...
Page 629
Chapter 23 | Quality of Service Commands committed-burst - Committed burst size (BC) in bytes. (Range: 4000-16000000 bytes) excess-burst - Excess burst size (BE) in bytes. (Range: 4000-16000000 bytes) conform-action - Action to take when rate is within the CIR and BC. (There are enough tokens in bucket BC to service the packet, packet is set green).
Page 630
Chapter 23 | Quality of Service Commands The token buckets C and E are initially full, that is, the token count Tc(0) = BC and the token count Te(0) = BE. Thereafter, the token counts Tc and Te are updated CIR times per second as follows: If Tc is less than BC, Tc is incremented by one, else ■...
Chapter 23 | Quality of Service Commands police trtcm-color This command defines an enforcer for classified traffic based on a two rate three color meter (trTCM). Use the no form to remove a policer. Syntax [no] police {trtcm-color-blind | trtcm-color-aware} committed-rate committed-burst peak-rate peak-burst conform-action {transmit | new-dscp} exceed-action {drop | new-dscp}...
Page 632
Chapter 23 | Quality of Service Commands ◆ The PHB label is composed of five bits, three bits for per-hop behavior, and two bits for the color scheme used to control queue congestion. A packet is marked red if it exceeds the PIR. Otherwise it is marked either yellow or green depending on whether it exceeds or doesn't exceed the CIR.
Page 633
Chapter 23 | Quality of Service Commands to 6000, to remark any packets exceeding the committed burst size, and to drop any packets exceeding the peak information rate. Console(config)#policy-map rd-policy Console(config-pmap)#class rd-class Console(config-pmap-c)#set phb 3 Console(config-pmap-c)#police trtcm-color-blind 100000 4000 100000 6000 conform-action transmit exceed-action 0 violate-action drop Console(config-pmap-c)# set cos...
Page 634
Chapter 23 | Quality of Service Commands set ip dscp This command modifies the IP DSCP value in a matching packet (as specified by the match command). Use the no form to remove this traffic classification. Syntax [no] set ip dscp new-dscp new-dscp - New Differentiated Service Code Point (DSCP) value.
Chapter 23 | Quality of Service Commands Command Usage ◆ The set phb command is used to set an internal QoS value in hardware for matching packets (see Table 122, "Default Mapping of CoS/CFI to Internal PHB/ Drop Precedence"). The QoS label is composed of five bits, three bits for per- hop behavior, and two bits for the color scheme used to control queue congestion by the police srtcm-color...
Chapter 23 | Quality of Service Commands ◆ The switch does not allow a policy map to be bound to an interface for egress traffic. Example This example applies a service policy to an ingress interface. Console(config)#interface ethernet 1/1 Console(config-if)#service-policy input rd-policy Console(config-if)# show class-map This command displays the QoS class maps which define matching criteria used for...
Chapter 23 | Quality of Service Commands Default Setting Displays all policy maps and all classes. Command Mode Privileged Exec Example Console#show policy-map Policy Map rd-policy Description: class rd-class set phb 3 Console#show policy-map rd-policy class rd-class Policy Map rd-policy class rd-class set phb 3 Console#...
Page 638
Chapter 23 | Quality of Service Commands – 638 –...
Multicast Filtering Commands This switch uses IGMP (Internet Group Management Protocol) to check for any attached hosts that want to receive a specific multicast service. It identifies the ports containing hosts requesting a service and sends data out to those ports only. It then propagates the service request up to any neighboring multicast switch/ router to ensure that it will continue to receive the multicast service.
Page 640
Chapter 24 | Multicast Filtering Commands IGMP Snooping (Continued) Table 129: IGMP Snooping Commands Command Function Mode ip igmp snooping Discards any IGMPv2/v3 packets that do not include the router-alert-option-check Router Alert option ip igmp snooping Configures the querier timeout router-port-expire-time ip igmp snooping tcn-flood Floods multicast traffic when a Spanning Tree topology...
Chapter 24 | Multicast Filtering Commands IGMP Snooping (Continued) Table 129: IGMP Snooping Commands Command Function Mode show ip igmp snooping Shows the IGMP snooping, proxy, and query configuration PE show ip igmp snooping Shows known multicast group, source, and host port group mapping show ip igmp snooping...
Chapter 24 | Multicast Filtering Commands IGMP Snooping ip igmp snooping This command assigns a priority to all multicast traffic. Use the no form to restore the default setting. priority Syntax ip igmp snooping priority priority no ip igmp snooping priority priority - The CoS priority assigned to all multicast traffic.
Chapter 24 | Multicast Filtering Commands IGMP Snooping Command Mode Global Configuration Command Usage ◆ When proxy reporting is enabled with this command, the switch performs “IGMP Snooping with Proxy Reporting” (as defined in DSL Forum TR-101, April 2006), including last leave, and query suppression. Last leave sends out a proxy query when the last member leaves a multicast group, and query suppression means that specific queries are not forwarded from an upstream multicast router to hosts downstream from this device.
Chapter 24 | Multicast Filtering Commands IGMP Snooping ip igmp snooping This command discards any IGMPv2/v3 packets that do not include the Router Alert option. Use the no form to ignore the Router Alert Option when receiving router-alert-option- IGMP messages. check Syntax [no] ip igmp snooping router-alert-option-check...
Chapter 24 | Multicast Filtering Commands IGMP Snooping Example The following shows how to configure the timeout to 400 seconds: Console(config)#ip igmp snooping router-port-expire-time 400 Console(config)# ip igmp snooping This command enables flooding of multicast traffic if a spanning tree topology tcn-flood change notification (TCN) occurs.
Chapter 24 | Multicast Filtering Commands IGMP Snooping The proxy query and unsolicited MRD request are flooded to all VLAN ports except for the receiving port when the switch receives such packets. Example The following example enables TCN flooding. Console(config)#ip igmp snooping tcn-flood Console(config)# ip igmp snooping This command instructs the switch to send out an IGMP general query solicitation...
Chapter 24 | Multicast Filtering Commands IGMP Snooping ip igmp snooping This command floods unregistered multicast traffic into the attached VLAN. Use the no form to drop unregistered multicast traffic. unregistered-data- flood Syntax [no] ip igmp snooping unregistered-data-flood Default Setting Disabled Command Mode Global Configuration...
Chapter 24 | Multicast Filtering Commands IGMP Snooping Example Console(config)#ip igmp snooping unsolicited-report-interval 5 Console(config)# ip igmp snooping This command configures the IGMP snooping version. Use the no form to restore version the default. Syntax ip igmp snooping [vlan vlan-id] version {1 | 2 | 3} no ip igmp snooping version vlan-id - VLAN ID (Range: 1-4094) 1 - IGMP Version 1...
Chapter 24 | Multicast Filtering Commands IGMP Snooping ip igmp snooping This command discards any received IGMP messages (except for multicast protocol packets) which use a version different to that currently configured by the ip igmp version-exclusive snooping version command. Use the no form to disable this feature. Syntax ip igmp snooping [vlan vlan-id] version-exclusive no ip igmp snooping version-exclusive...
Chapter 24 | Multicast Filtering Commands IGMP Snooping Command Usage ◆ By default, general query messages are flooded to all ports, except for the multicast router through which they are received. ◆ If general query suppression is enabled, then these messages are forwarded only to downstream ports which have joined a multicast service.
Chapter 24 | Multicast Filtering Commands IGMP Snooping ◆ This command is only effective if IGMP snooping is enabled, and IGMPv2 or IGMPv3 snooping is used. Example The following shows how to enable immediate leave. Console(config)#ip igmp snooping vlan 1 immediate-leave Console(config)# ip igmp snooping vlan This command configures the number of IGMP proxy group-specific or group-and-...
Chapter 24 | Multicast Filtering Commands IGMP Snooping ip igmp snooping vlan This command configures the last-member-query interval. Use the no form to restore the default. last-memb-query- intvl Syntax ip igmp snooping vlan vlan-id last-memb-query-intvl interval no ip igmp snooping vlan vlan-id last-memb-query-intvl vlan-id - VLAN ID (Range: 1-4094) interval - The interval to wait for a response to a group-specific or group- and-source-specific query message.
Chapter 24 | Multicast Filtering Commands IGMP Snooping Command Mode Global Configuration Command Usage ◆ Multicast Router Discovery (MRD) uses multicast router advertisement, multicast router solicitation, and multicast router termination messages to discover multicast routers. Devices send solicitation messages in order to solicit advertisement messages from multicast routers.
Page 654
Chapter 24 | Multicast Filtering Commands IGMP Snooping Command Mode Global Configuration Command Usage IGMP Snooping uses a null IP address of 0.0.0.0 for the source of IGMP query messages which are proxied to downstream hosts to indicate that it is not the elected querier, but is only proxying these messages as defined in RFC 4541.
Chapter 24 | Multicast Filtering Commands IGMP Snooping ip igmp snooping vlan This command configures the interval between sending IGMP general queries. Use the no form to restore the default. query-interval Syntax ip igmp snooping vlan vlan-id query-interval interval no ip igmp snooping vlan vlan-id query-interval vlan-id - VLAN ID (Range: 1-4094) interval - The interval between sending IGMP general queries.
Chapter 24 | Multicast Filtering Commands IGMP Snooping Command Usage This command applies when the switch is serving as the querier (page 643), or as a proxy host when IGMP snooping proxy reporting is enabled (page 642). Example Console(config)#ip igmp snooping vlan 1 query-resp-intvl 20 Console(config)# ip igmp snooping vlan This command adds a port to a multicast group.
Chapter 24 | Multicast Filtering Commands IGMP Snooping clear ip igmp This command clears multicast group information dynamically learned through IGMP snooping. snooping groups dynamic Syntax clear ip igmp snooping groups dynamic Command Mode Privileged Exec Command Usage This command only clears entries learned though IGMP snooping. Statically configured multicast address are not cleared.
Page 658
Chapter 24 | Multicast Filtering Commands IGMP Snooping Command Mode Privileged Exec Command Usage This command displays global and VLAN-specific IGMP configuration settings. Example The following shows the current IGMP snooping configuration: Console#show ip igmp snooping IGMP Snooping : Enabled Router Port Expire Time : 300 s Router Alert Check...
Chapter 24 | Multicast Filtering Commands IGMP Snooping show ip igmp This command shows known multicast group, source, and host port mappings for the specified VLAN interface, or for all interfaces if none is specified. snooping group Syntax show ip igmp snooping group [host-ip-addr ip-address interface | igmpsnp | sort-by-port | user | vlan vlan-id [user | igmpsnp]] ip-address - IP address for multicast group interface...
Chapter 24 | Multicast Filtering Commands IGMP Snooping show ip igmp This command displays information on statically configured and dynamically learned multicast router ports. snooping mrouter Syntax show ip igmp snooping mrouter [vlan vlan-id] vlan-id - VLAN ID (Range: 1-4094) Default Setting Displays multicast router ports for all configured VLANs.
Chapter 24 | Multicast Filtering Commands IGMP Snooping Table 131: show ip igmp snooping statistics output - display description Field Description G(-S)-S Query The number of group specific or group-and-source specific query messages sent from this interface. Drop The number of times a report, leave or query was dropped. Packets may be dropped due to invalid format, rate limiting, or packet content not allowed.
Chapter 24 | Multicast Filtering Commands Static Multicast Routing Table 132: show ip igmp snooping statistics vlan query - display description Field Description V2 Warning Count The number of times the query version received (Version 2) does not match the version configured for this interface. V3 Warning Count The number of times the query version received (Version 3) does not match the version configured for this interface.
Chapter 24 | Multicast Filtering Commands IGMP Filtering and Throttling trunk) on this switch, that interface can be manually configured to join all the current multicast groups. ◆ IGMP Snooping must be enabled globally on the switch (using the ip igmp snooping command) before a multicast router port can take effect.
Page 665
Chapter 24 | Multicast Filtering Commands IGMP Filtering and Throttling (Continued) Table 134: IGMP Filtering and Throttling Commands Command Function Mode show ip igmp throttle Displays the IGMP throttling setting for interfaces interface show ip multicast-data- Shows if the interface is configured to drop multicast data drop packets ip igmp filter...
Chapter 24 | Multicast Filtering Commands IGMP Filtering and Throttling ip igmp profile This command creates an IGMP filter profile number and enters IGMP profile configuration mode. Use the no form to delete a profile number. Syntax [no] ip igmp profile profile-number profile-number - An IGMP filter profile number.
Chapter 24 | Multicast Filtering Commands IGMP Filtering and Throttling Example Console(config)#ip igmp profile 19 Console(config-igmp-profile)#permit Console(config-igmp-profile)# range This command specifies multicast group addresses for a profile. Use the no form to delete addresses from a profile. Syntax [no] range low-ip-address [high-ip-address] low-ip-address - A valid IP address of a multicast group or start of a group range.
Chapter 24 | Multicast Filtering Commands IGMP Filtering and Throttling Command Usage ◆ If IGMP authentication is enabled on an interface, and a join report is received on the interface, the switch will send an access request to the RADIUS server to perform authentication.
Chapter 24 | Multicast Filtering Commands IGMP Filtering and Throttling (Continued) Table 135: IGMP Authentication RADIUS Attribute Value Pairs Attribute Name AVP Type Entry NAS_PORT User Port Number FRAMED_IP_ADDRESS Multicast Group ID Example This example shows how to enable IGMP Authentication on all of the switch’s Ethernet interfaces.
Chapter 24 | Multicast Filtering Commands IGMP Filtering and Throttling ip igmp max-groups This command sets the IGMP throttling number for an interface on the switch. Use the no form to restore the default setting. Syntax ip igmp max-groups number no ip igmp max-groups number - The maximum number of multicast groups an interface can join at the same time.
Chapter 24 | Multicast Filtering Commands IGMP Filtering and Throttling Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage When the maximum number of groups is reached on a port, the switch can take one of two actions; either “deny” or “replace. ” If the action is set to deny, any new IGMP join reports will be dropped.
Chapter 24 | Multicast Filtering Commands IGMP Filtering and Throttling Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage This command can be used to stop multicast services from being forwarded to users attached to the downstream port (i.e., the interfaces specified by this command).
Chapter 24 | Multicast Filtering Commands IGMP Filtering and Throttling show ip igmp filter This command displays the global and interface settings for IGMP filtering. Syntax show ip igmp filter [interface interface] interface ethernet unit/port unit - Unit identifier. (Range: 1) port - Port number.
Chapter 24 | Multicast Filtering Commands IGMP Filtering and Throttling Console#show ip igmp profile 19 IGMP Profile 19 Deny Range 239.1.1.1 239.1.1.1 Range 239.2.3.1 239.2.3.100 Console# show ip igmp This command shows if the specified interface is configured to drop IGMP query query-drop packets.
Chapter 24 | Multicast Filtering Commands IGMP Filtering and Throttling Default Setting None Command Mode Privileged Exec Command Usage Using this command without specifying an interface displays information for all interfaces. Example Console#show ip igmp throttle interface ethernet 1/1 1/1 Information Status : FALSE Action : Deny Max Multicast Groups : 255...
Chapter 24 | Multicast Filtering Commands MLD Snooping MLD Snooping Multicast Listener Discovery (MLD) snooping operates on IPv6 traffic and performs a similar function to IGMP snooping for IPv4. That is, MLD snooping dynamically configures switch ports to limit IPv6 multicast traffic so that it is forwarded only to ports with users that want to receive it.
Chapter 24 | Multicast Filtering Commands MLD Snooping Command Usage ◆ If enabled, the switch will serve as querier if elected. The querier is responsible for asking hosts if they want to receive multicast traffic. ◆ An IPv6 address must be configured on the VLAN interface from which the querier will act if elected.
Chapter 24 | Multicast Filtering Commands MLD Snooping ipv6 mld snooping This command configures the maximum response time advertised in MLD general queries. Use the no form to restore the default. query-max-response- time Syntax ipv6 mld snooping query-max-response-time seconds no ipv6 mld snooping query-max-response-time seconds - The maximum response time allowed for MLD general queries.
Chapter 24 | Multicast Filtering Commands MLD Snooping Example Console(config)#ipv6 mld snooping proxy-reporting Console(config)# ipv6 mld snooping This command configures the MLD Snooping robustness variable. Use the no form robustness to restore the default value. Syntax ipv6 mld snooping robustness value no ipv6 mld snooping robustness value - The number of the robustness variable.
Chapter 24 | Multicast Filtering Commands MLD Snooping Command Usage The router port expire time is the time the switch waits after the previous querier stops before it considers the router port (i.e., the interface that had been receiving query packets) to have expired. Example Console(config)#ipv6 mld snooping router-port-expire-time 300 Console(config)#...
Chapter 24 | Multicast Filtering Commands MLD Snooping ipv6 mld snooping This command specifies how often the upstream interface should transmit unsolicited IGMP reports when proxy reporting is enabled. Use the no form to unsolicited-report- restore the default value. interval Syntax ipv6 mld snooping unsolicited-report-interval seconds no ipv6 mld snooping unsolicited-report-interval...
Chapter 24 | Multicast Filtering Commands MLD Snooping Example Console(config)#ipv6 mld snooping version 1 Console(config)# ipv6 mld snooping This command immediately deletes a member port of an IPv6 multicast service vlan immediate-leave when a leave packet is received at that port and immediate-leave is enabled for the parent VLAN.
Chapter 24 | Multicast Filtering Commands MLD Snooping interface ethernet unit/port unit - Unit identifier. (Range: 1) port - Port number. (Range: 1-28/52) port-channel channel-id (Range: 1-26) Default Setting No static multicast router ports are configured. Command Mode Global Configuration Command Usage Depending on your network connections, MLD snooping may not always be able to locate the MLD querier.
Chapter 24 | Multicast Filtering Commands MLD Snooping Example The following shows MLD Snooping group configuration information: Console#show ipv6 mld snooping group VLAN Multicast IPv6 Address Member port Type ---- --------------------------------------- ----------- --------------- 1 FF02::01:01:01:01 Eth 1/1 MLD Snooping 1 FF02::01:01:01:02 Eth 1/1 Multicast Data 1 FF02::01:01:01:02...
Chapter 24 | Multicast Filtering Commands MLD Filtering and Throttling ipv6 mld filter This command globally enables MLD filtering and throttling on the switch. Use the no form to disable the feature. (Global Configuration) Syntax [no] ipv6 mld filter Default Setting Disabled Command Mode Global Configuration...
Chapter 24 | Multicast Filtering Commands MLD Filtering and Throttling Command Mode Global Configuration Command Usage A profile defines the multicast groups that a subscriber is permitted or denied to join. The same profile can be applied to many interfaces, but only one profile can be assigned to one interface.
Chapter 24 | Multicast Filtering Commands MLD Filtering and Throttling range This command specifies multicast group addresses for a profile. Use the no form to delete addresses from a profile. Syntax [no] range low-ipv6-address [high-ipv6-address] low-ipv6-address - A valid IPv6 address (X:X:X:X::X) of a multicast group or start of a group range.
Chapter 24 | Multicast Filtering Commands MLD Filtering and Throttling ◆ A profile can also be assigned to a trunk interface. When ports are configured as trunk members, the trunk uses the filtering profile assigned to the first port member in the trunk. Example Console(config)#interface ethernet 1/1 Console(config-if)#ipv6 mld filter 19...
Chapter 24 | Multicast Filtering Commands MLD Filtering and Throttling ipv6 mld max-groups This command sets the MLD throttling action for an interface on the switch. action Syntax ipv6 mld max-groups action {deny | replace} deny - The new multicast group join report is dropped. replace - The new multicast group replaces an existing group.
Chapter 24 | Multicast Filtering Commands MLD Filtering and Throttling Example Console(config)#interface ethernet 1/1 Console(config-if)#ipv6 mld query-drop Console(config-if)# ipv6 Use this command to enable multicast data drop mode on a port interface. Use the multicast-data-drop no form of the command to disable multicast data drop. Syntax [no] ipv6 multicast-data-drop Default Setting...
Chapter 24 | Multicast Filtering Commands MLD Filtering and Throttling Default Setting None Command Mode Privileged Exec Command Usage Using this command without specifying an interface displays all interfaces. Example Console#show ipv6 mld query-drop interface ethernet 1/1 Ethernet 1/1: Enabled Console# show ipv6 mld throttle This command displays the interface settings for MLD throttling.
Chapter 24 | Multicast Filtering Commands MVR for IPv4 MVR for IPv4 This section describes commands used to configure Multicast VLAN Registration for IPv4 (MVR). A single network-wide VLAN can be used to transmit multicast traffic (such as television channels) across a service provider’s network. Any multicast traffic entering an MVR VLAN is sent to all subscribers.
Chapter 24 | Multicast Filtering Commands MVR for IPv4 (Continued) Table 138: Multicast VLAN Registration for IPv4 Commands Command Function Mode show mvr Shows the profiles bound the specified domain associated-profile show mvr interface Shows MVR settings for interfaces attached to the MVR VLAN show mvr members Shows information about the current number of entries in...
Chapter 24 | Multicast Filtering Commands MVR for IPv4 Default Setting Disabled Command Mode Global Configuration Example The following an MVR group address profile to domain 1: Console(config)#mvr domain 1 associated-profile rd Console(config)# Related Commands mvr profile (701) mvr domain This command enables Multicast VLAN Registration (MVR) for a specific domain.
Chapter 24 | Multicast Filtering Commands MVR for IPv4 mvr priority This command assigns a priority to all multicast traffic in the MVR VLAN. Use the no form of this command to restore the default setting. Syntax mvr priority priority no mvr priority priority - The CoS priority assigned to all multicast traffic forwarded into the MVR VLAN.
Chapter 24 | Multicast Filtering Commands MVR for IPv4 Command Mode Global Configuration Command Usage ◆ Use this command to statically configure all multicast group addresses that will join the MVR VLAN. Any multicast data associated an MVR group is sent from all source ports to all receiver ports that have registered to receive data from that multicast group.
Chapter 24 | Multicast Filtering Commands MVR for IPv4 Example This example sets the proxy query interval for MVR proxy switching. Console(config)#mvr proxy-query-interval 250 Console(config)# mvr priority This command assigns a priority to all multicast traffic in the MVR VLAN. Use the no form of this command to restore the default setting.
Page 704
Chapter 24 | Multicast Filtering Commands MVR for IPv4 Command Mode Global Configuration Command Usage ◆ When MVR proxy-switching is enabled, an MVR source port serves as the upstream or host interface. The source port performs only the host portion of MVR by sending summarized membership reports, and automatically disables MVR router functions.
Chapter 24 | Multicast Filtering Commands MVR for IPv4 mvr robustness-value This command configures the expected packet loss, and thereby the number of times to generate report and group-specific queries. Use the no form to restore the default setting. Syntax mvr robustness-value value no mvr robustness-value value - The robustness used for all interfaces.
Chapter 24 | Multicast Filtering Commands MVR for IPv4 source ports on the switch and to all receiver ports that have elected to receive data on that multicast address. ◆ When the mvr source-port-mode dynamic command is used, the switch only forwards multicast streams which the source port has dynamically joined.
Chapter 24 | Multicast Filtering Commands MVR for IPv4 mvr vlan This command specifies the VLAN through which MVR multicast data is received. Use the no form of this command to restore the default MVR VLAN. Syntax mvr domain domain-id vlan vlan-id no mvr domain domain-id vlan domain-id - An independent multicast domain.
Chapter 24 | Multicast Filtering Commands MVR for IPv4 mvr immediate-leave This command causes the switch to immediately remove an interface from a multicast stream as soon as it receives a leave message for that group. Use the no form to restore the default settings. Syntax mvr [domain domain-id] immediate-leave [by-host-ip] no mvr [domain domain-id] immediate-leave...
Chapter 24 | Multicast Filtering Commands MVR for IPv4 mvr type This command configures an interface as an MVR receiver or source port. Use the no form to restore the default settings. Syntax [no] mvr [domain domain-id] type {receiver | source} domain-id - An independent multicast domain.
Chapter 24 | Multicast Filtering Commands MVR for IPv4 Console(config-if)#mvr domain 1 type receiver Console(config-if)# mvr vlan group This command statically binds a multicast group to a port which will receive long- term multicast streams associated with a stable set of hosts. Use the no form to restore the default settings.
Chapter 24 | Multicast Filtering Commands MVR for IPv4 clear mvr groups This command clears multicast group information dynamically learned through MVR. dynamic Syntax clear mvr groups dynamic Command Mode Privileged Exec Command Usage This command only clears entries learned though MVR. Statically configured multicast address are not cleared.
Chapter 24 | Multicast Filtering Commands MVR for IPv4 show mvr This command shows information about MVR domain settings, including MVR operational status, the multicast VLAN, the current number of group addresses, and the upstream source IP address. Syntax show mvr [domain domain-id] domain-id - An independent multicast domain.
Chapter 24 | Multicast Filtering Commands MVR for IPv4 (Continued) Table 139: show mvr - display description Field Description MVR Multicast VLAN Shows the VLAN used to transport all MVR multicast traffic. MVR Current Learned The current number of MVR group addresses Groups MVR Upstream Source IP The source IP address assigned to all upstream control packets.
Chapter 24 | Multicast Filtering Commands MVR for IPv4 Example The following displays information about the interfaces attached to the MVR VLAN in domain 1: Console#show mvr domain 1 interface MVR Domain : 1 Flag: H - immediate leave by host ip Port Type Status...
Page 715
Chapter 24 | Multicast Filtering Commands MVR for IPv4 host-ip-address - The subscriber IP addresses. igmp - Entry created by IGMP protocol. sort-by-port - The multicast groups associated with an interface. interface ethernet unit/port unit - Unit identifier. (Range: 1) port - Port number.
Chapter 24 | Multicast Filtering Commands MVR for IPv4 Group Address VLAN Port Up time Expire Count --------------- ---- ----------- ----------- ------ -------- 234.5.6.7 2(P) 1 Eth 1/ 1(S) 2 Eth 1/ 2(R) Console# Table 141: show mvr members - display description Field Description Group Address...
Chapter 24 | Multicast Filtering Commands MVR for IPv4 Table 144: show mvr statistics query - display description Field Description Other Querier The IP address of the querier on this interface. Other Querier Expire The time after which this querier is assumed to have expired. Other Querier Uptime Other querier’s time up.
Page 720
Chapter 24 | Multicast Filtering Commands MVR for IPv4 Table 145: show mvr statistics summary interface - display description Field Description Received General Number of general queries received. Group Specific Number of group specific queries received. V# Warning Count Number of queries received on MVR that were configured for IGMP version 1, 2 or 3.
Chapter 24 | Multicast Filtering Commands MVR for IPv4 Table 146: show mvr statistics summary interface mvr vlan - description Field Description Domain An independent multicast domain. Number of Groups Number of groups learned on this port. Querier Other Querier Other IGMP querier’s IP address.
Chapter 24 | Multicast Filtering Commands MVR for IPv6 MVR for IPv6 This section describes commands used to configure Multicast VLAN Registration for IPv6 (MVR6). A single network-wide VLAN can be used to transmit multicast traffic (such as television channels) across a service provider’s network. Any multicast traffic entering an MVR6 VLAN is sent to all subscribers.
Chapter 24 | Multicast Filtering Commands MVR for IPv6 (Continued) Table 147: Multicast VLAN Registration for IPv6 Commands Command Function Mode show mvr6 members Shows information about the current number of entries in the forwarding database, or detailed information about a specific multicast address show mvr6 profile Shows all configured MVR profiles...
Chapter 24 | Multicast Filtering Commands MVR for IPv6 Default Setting Disabled Command Mode Global Configuration Command Usage When MVR6 is enabled on a domain, any multicast data associated with an MVR6 group is sent from all designated source ports, to all receiver ports that have registered to receive data from that multicast group.
Chapter 24 | Multicast Filtering Commands MVR for IPv6 mvr6 profile This command maps a range of MVR6 group addresses to a profile. Use the no form of this command to remove the profile. Syntax mvr6 profile profile-name start-ip-address end-ip-address profile-name - The name of a profile containing one or more MVR6 group addresses.
Chapter 24 | Multicast Filtering Commands MVR for IPv6 mvr6 proxy-query- This command configures the interval at which the receiver port sends out general queries. Use the no form to restore the default setting. interval Syntax mvr6 proxy-query-interval interval no mv6r proxy-query-interval interval - The interval at which the receiver port sends out general queries.
Chapter 24 | Multicast Filtering Commands MVR for IPv6 ◆ Receiver ports are known as downstream or router interfaces. These interfaces perform the standard MVR router functions by maintaining a database of all MVR6 subscriptions on the downstream interface. Receiver ports must therefore be configured on all downstream interfaces which require MVR6 proxy service.
Chapter 24 | Multicast Filtering Commands MVR for IPv6 Command Mode Global Configuration Command Usage ◆ This command sets the number of times report messages are sent upstream when changes are learned about downstream groups, and the number of times group-specific queries are sent to downstream receiver ports.
Page 729
Chapter 24 | Multicast Filtering Commands MVR for IPv6 Example Console(config)#mvr6 source-port-mode dynamic Console(config)# mvr6 upstream- This command configures the source IPv6 address assigned to all MVR control source-ip packets sent upstream on the specified domain. Use the no form to restore the default setting.
Chapter 24 | Multicast Filtering Commands MVR for IPv6 mvr6 vlan This command specifies the VLAN through which MVR6 multicast data is received. Use the no form of this command to restore the default MVR6 VLAN. Syntax mvr6 domain domain-id vlan vlan-id no mvr6 domain domain-id vlan domain-id - An independent multicast domain.
Chapter 24 | Multicast Filtering Commands MVR for IPv6 Command Usage ◆ Immediate leave applies only to receiver ports. When enabled, the receiver port is immediately removed from the multicast group identified in the leave message. When immediate leave is disabled, the switch follows the standard rules by sending a group-specific query to the receiver port and waiting for a response to determine if there are any remaining subscribers for that multicast group before removing the port from the group list.
Chapter 24 | Multicast Filtering Commands MVR for IPv6 using the standard rules for multicast filtering (see “MLD Snooping” on page 676). ◆ Receiver ports can belong to different VLANs, but should not be configured as a member of the MVR6 VLAN. MLD snooping can be used to allow a receiver port to dynamically join or leave multicast groups not sourced through the MVR6 VLAN.
Chapter 24 | Multicast Filtering Commands MVR for IPv6 Default Setting No receiver port is a member of any configured multicast group. Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage ◆ Multicast groups can be statically assigned to a receiver port using this command.
Chapter 24 | Multicast Filtering Commands MVR for IPv6 Flag: S - Source port, R - Receiver port. H - Host counts (number of hosts join the group on this port). P - Port counts (number of forwarding ports). Up time: Group elapsed time (d:h:m:s). Expire : Group remaining time (m:s).
Chapter 24 | Multicast Filtering Commands MVR for IPv6 Example The following displays the profiles bound to domain 1: Console#show mvr6 domain 1 associated-profile Domain ID : 1 MVR6 Profile Name Start IPv6 Addr. End IPv6 Addr. --------------------- ------------------------- ------------------------- ff01::fe ff01::ff Console#...
Chapter 24 | Multicast Filtering Commands MVR for IPv6 (Continued) Table 149: show mvr6 interface - display description Field Description Immediate Leave Shows if immediate leave is enabled or disabled. Static Group Address Shows any static MVR6 group assigned to an interface, and the receiver VLAN.
Chapter 24 | Multicast Filtering Commands MVR for IPv6 The following example shows detailed information about a specific multicast address: Console#show mvr6 domain 1 members ff00::1 MVR6 Domain : 1 MVR6 Forwarding Entry Count :1 Flag: S - Source port, R - Receiver port. H - Host counts (number of hosts join the group on this port).
Chapter 24 | Multicast Filtering Commands MVR for IPv6 (Continued) Table 151: show mvr6 statistics input - display description Field Description Leave The number of leave messages received on this interface. G Query The number of general query messages received on this interface. G(-S)-S Query The number of group specific or group-and-source specific query messages received on this interface.
Chapter 24 | Multicast Filtering Commands MVR for IPv6 Specific Query Sent Console# The following shows MVR6 summary statistics for an interface: Console#show mvr6 domain 1 statistics summary interface ethernet 1/1 Domain 1: Number of Groups: Querier: Report & Leave: Transmit Transmit General...
Chapter 24 | Multicast Filtering Commands MVR for IPv6 The following shows MVR6 summary statistics for the MVR6 VLAN: Console#show mvr6 domain 1 statistics summary interface mvr-vlan Domain 1: Number of Groups: Querier: Report & Leave: Other Addr : None Host Addr : None Other Expire...
Page 744
Chapter 24 | Multicast Filtering Commands MVR for IPv6 Table 154: show mvr6 statistics summary interface mvr vlan - description Field Description Transmit Report Number of reports sent out from source port. Leave Number of leaves sent out from source port. Received Field header Report...
LLDP Commands Link Layer Discovery Protocol (LLDP) is used to discover basic information about neighboring devices on the local broadcast domain. LLDP is a Layer 2 protocol that uses periodic broadcasts to advertise information about the sending device. Advertised information is represented in Type Length Value (TLV) format according to the IEEE 802.1AB standard, and can include details such as device identification, capabilities and configuration settings.
Page 746
Chapter 25 | LLDP Commands (Continued) Table 155: LLDP Commands Command Function Mode lldp basic-tlv Configures an LLDP-enabled port to advertise its system-name system name lldp dot1-tlv proto-ident Configures an LLDP-enabled port to advertise the supported protocols Configures an LLDP-enabled port to advertise port- lldp dot1-tlv proto-vid based protocol related VLAN information Configures an LLDP-enabled port to advertise its...
Chapter 25 | LLDP Commands lldp This command enables LLDP globally on the switch. Use the no form to disable LLDP. Syntax [no] lldp Default Setting Enabled Command Mode Global Configuration Example Console(config)#lldp Console(config)# lldp holdtime- This command configures the time-to-live (TTL) value sent in LLDP advertisements. multiplier Use the no form to restore the default setting.
Chapter 25 | LLDP Commands Example Console(config)#lldp holdtime-multiplier 10 Console(config)# lldp med-fast-start- This command specifies the amount of MED Fast Start LLDPDUs to transmit during count the activation process of the LLDP-MED Fast Start mechanism. Use the no form to restore the default setting.
Chapter 25 | LLDP Commands Command Mode Global Configuration Command Usage ◆ This parameter only applies to SNMP applications which use data stored in the LLDP MIB for network monitoring or management. ◆ Information about changes in LLDP neighbors that occur between SNMP notifications is not transmitted.
Chapter 25 | LLDP Commands lldp reinit-delay This command configures the delay before attempting to re-initialize after LLDP ports are disabled or the link goes down. Use the no form to restore the default setting. Syntax lldp reinit-delay seconds no lldp reinit-delay seconds - Specifies the delay before attempting to re-initialize LLDP.
Chapter 25 | LLDP Commands ◆ This attribute must comply with the following rule: (4 * tx-delay) ≤ refresh-interval Example Console(config)#lldp tx-delay 10 Console(config)# lldp admin-status This command enables LLDP transmit, receive, or transmit and receive mode on the specified port. Use the no form to disable this feature. Syntax lldp admin-status {rx-only | tx-only | tx-rx} no lldp admin-status...
Chapter 25 | LLDP Commands Command Usage ◆ The management address protocol packet includes the IPv4 address of the switch. If no management address is available, the address should be the MAC address for the CPU or for the port sending this advertisement. ◆...
Chapter 25 | LLDP Commands Example Console(config)#interface ethernet 1/1 Console(config-if)#lldp basic-tlv port-description Console(config-if)# lldp basic-tlv This command configures an LLDP-enabled port to advertise its system system-capabilities capabilities. Use the no form to disable this feature. Syntax [no] lldp basic-tlv system-capabilities Default Setting Enabled Command Mode...
Chapter 25 | LLDP Commands Example Console(config)#interface ethernet 1/1 Console(config-if)#lldp basic-tlv system-description Console(config-if)# lldp basic-tlv This command configures an LLDP-enabled port to advertise the system name. Use system-name the no form to disable this feature. Syntax [no] lldp basic-tlv system-name Default Setting Enabled Command Mode...
Chapter 25 | LLDP Commands Example Console(config)#interface ethernet 1/1 Console(config-if)#no lldp dot1-tlv proto-ident Console(config-if)# lldp dot1-tlv proto-vid This command configures an LLDP-enabled port to advertise port-based protocol VLAN information. Use the no form to disable this feature. Syntax [no] lldp dot1-tlv proto-vid Default Setting Enabled Command Mode...
Chapter 25 | LLDP Commands Example Console(config)#interface ethernet 1/1 Console(config-if)#no lldp dot1-tlv pvid Console(config-if)# lldp dot1-tlv This command configures an LLDP-enabled port to advertise its VLAN name. Use vlan-name the no form to disable this feature. Syntax [no] lldp dot1-tlv vlan-name Default Setting Enabled Command Mode...
Chapter 25 | LLDP Commands Example Console(config)#interface ethernet 1/1 Console(config-if)#no lldp dot3-tlv link-agg Console(config-if)# lldp dot3-tlv mac-phy This command configures an LLDP-enabled port to advertise its MAC and physical layer capabilities. Use the no form to disable this feature. Syntax [no] lldp dot3-tlv mac-phy Default Setting Enabled...
Chapter 25 | LLDP Commands Example Console(config)#interface ethernet 1/1 Console(config-if)#lldp dot3-tlv max-frame Console(config-if)# lldp dot3-tlv poe This command configures an LLDP-enabled port to advertise its Power-over- Ethernet (PoE) capabilities. Use the no form to disable this feature. Syntax [no] lldp dot3-tlv poe Default Setting Enabled Command Mode...
Chapter 25 | LLDP Commands ca-type – A one-octet descriptor of the data civic address value. (Range: 0-255) ca-value – Description of a location. (Range: 1-32 characters) Default Setting Not advertised No description Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage ◆...
Chapter 25 | LLDP Commands location is not known, 0 and 1 can be used, providing the client device is physically close to the DHCP server or network element. Example The following example enables advertising location identification details. Console(config)#interface ethernet 1/1 Console(config-if)#lldp med-location civic-addr Console(config-if)#lldp med-location civic-addr 1 California Console(config-if)#lldp med-location civic-addr 2 Orange...
Chapter 25 | LLDP Commands Example Console(config)#interface ethernet 1/1 Console(config-if)#lldp med-notification Console(config-if)# lldp med-tlv ext-poe This command configures an LLDP-MED-enabled port to advertise and accept Extended Power-over-Ethernet configuration and usage information. Use the no form to disable this feature. Syntax [no] lldp med-tlv ext-poe Default Setting Enabled...
Chapter 25 | LLDP Commands Example Console(config)#interface ethernet 1/1 Console(config-if)#no lldp med-tlv inventory Console(config-if)# lldp med-tlv location This command configures an LLDP-MED-enabled port to advertise its location identification details. Use the no form to disable this feature. Syntax [no] lldp med-tlv location Default Setting Enabled Command Mode...
Chapter 25 | LLDP Commands Example Console(config)#interface ethernet 1/1 Console(config-if)#lldp med-tlv med-cap Console(config-if)# lldp med-tlv This command configures an LLDP-MED-enabled port to advertise its network network-policy policy configuration. Use the no form to disable this feature. Syntax [no] lldp med-tlv network-policy Default Setting Enabled Command Mode...
Chapter 25 | LLDP Commands notifications include information about state changes in the LLDP MIB (IEEE 802.1AB), or organization-specific LLDP-EXT-DOT1 and LLDP-EXT-DOT3 MIBs. ◆ SNMP trap destinations are defined using the snmp-server host command. ◆ Information about additional changes in LLDP neighbors that occur between SNMP notifications is not transmitted.
Page 765
Chapter 25 | LLDP Commands LLDP Port Configuration Port Admin Status Notification Enabled -------- ------------ -------------------- Eth 1/1 Tx-Rx True Eth 1/2 Tx-Rx True Eth 1/3 Tx-Rx True Eth 1/4 Tx-Rx True Eth 1/5 Tx-Rx True Console#show lldp config detail ethernet 1/1 LLDP Port Configuration Detail Port : Eth 1/1...
Chapter 25 | LLDP Commands show lldp info This command shows LLDP global and interface-specific configuration settings for this device. local-device Syntax show lldp info local-device [detail interface] detail - Shows configuration summary. interface ethernet unit/port unit - Unit identifier. (Range: 1) port - Port number.
Chapter 25 | LLDP Commands show lldp info This command shows LLDP global and interface-specific configuration settings for remote devices attached to an LLDP-enabled port. remote-device Syntax show lldp info remote-device [detail interface] detail - Shows detailed information. interface ethernet unit/port unit - Unit identifier.
Page 768
Chapter 25 | LLDP Commands Port MAU Type : 16 Power via MDI Power Class : PSE Power MDI Supported : Yes Power MDI Enabled : Yes Power Pair Controllable : No Power Pairs : Spare Power Classification : Class 1 Link Aggregation Link Aggregation Capable : Yes Link Aggregation Enable...
Chapter 25 | LLDP Commands show lldp info This command shows statistics based on traffic received through all attached LLDP- enabled interfaces. statistics Syntax show lldp info statistics [detail interface] detail - Shows configuration summary. interface ethernet unit/port unit - Unit identifier. (Range: 1) port - Port number.
Chapter 25 | LLDP Commands The following example shows information which is displayed for end-node device which advertises LLDP-MED TLVs. LLDP-MED Capability : Device Class : Network Connectivity Supported Capabilities : LLDP-MED Capabilities Network Policy Location Identification Extended Power via MDI - PSE Inventory Current Capabilities : LLDP-MED Capabilities...
Page 771
Chapter 25 | LLDP Commands Example Console#show lldp info statistics LLDP Global Statistics Neighbor Entries List Last Updated : 96 seconds New Neighbor Entries Count Neighbor Entries Deleted Count Neighbor Entries Dropped Count Neighbor Entries Ageout Count LLDP Port Statistics Port NumFramesRecvd NumFramesSent NumFramesDiscarded -------- -------------- ------------- ------------------...
CFM Commands Connectivity Fault Management (CFM) is an OAM protocol that includes proactive connectivity monitoring using continuity check messages, fault verification through loop back messages, and fault isolation by examining end-to-end connections between provider edge devices or between customer edge devices. CFM is implemented as a service level protocol based on service instances which encompass only that portion of the metropolitan area network supporting a specific customer.
Page 774
Chapter 26 | CFM Commands (Continued) Table 157: CFM Commands Command Function Mode ma index name-format Specifies the name format for the maintenance association as IEEE 802.1ag character based, or ITU-T SG13/SG15 Y.1731 defined ICC-based format ethernet cfm mep Sets an interface as a domain boundary, defines it as a maintenance end point (MEP), and sets direction of the MEP in regard to sending and receiving CFM messages ethernet cfm port-enable...
Page 775
Chapter 26 | CFM Commands (Continued) Table 157: CFM Commands Command Function Mode ethernet cfm mep Enables cross-checking between the list of configured crosscheck remote MEPs within a maintenance association and MEPs learned through continuity check messages show ethernet cfm Displays information about remote maintenance points maintenance-points configured statically in a cross-check list...
Chapter 26 | CFM Commands Defining CFM Structures Enter a static list of MEPs assigned to other devices within the same maintenance association using the mep crosscheck mpid command. This allows CFM to automatically verify the functionality of these remote end points by cross-checking the static list configured on this device against information learned through continuity check messages.
Chapter 26 | CFM Commands Defining CFM Structures Example This example sets the maintenance level for sending AIS messages within the specified MA. Console(config)#ethernet cfm ais level 4 md voip ma rd Console(config)# ethernet cfm ais ma This command enables the MEPs within the specified MA to send frames with AIS information following detection of defect conditions.
Chapter 26 | CFM Commands Defining CFM Structures ethernet cfm ais This command configures the interval at which AIS information is sent. Use the no form to restore the default setting. period Syntax ethernet cfm ais period period md domain-name ma ma-name no ethernet cfm ais period md domain-name ma ma-name period –...
Chapter 26 | CFM Commands Defining CFM Structures with AIS information. More importantly, it cannot determine the associated subset of its peer MEPs for which it should suppress alarms since the received AIS information does not contain that information. Therefore, upon reception of a frame with AIS information, the MEP will suppress alarms for all peer MEPs whether there is still connectivity or not.
Page 780
Chapter 26 | CFM Commands Defining CFM Structures Default Setting No maintenance domains are configured. No MIPs are created for any MA in the specified domain. Command Mode Global Configuration Command Usage ◆ A domain can only be configured with one name. ◆...
Chapter 26 | CFM Commands Defining CFM Structures which can only validate received CFM messages, and respond to loop back and link trace messages. The MIP creation method defined by the ma index name command takes precedence over the method defined by this command. Example This example creates a maintenance domain set to maintenance level 3, and enters CFM configuration mode for this domain.
Chapter 26 | CFM Commands Defining CFM Structures ma index name This command creates a maintenance association (MA) within the current maintenance domain, maps it to a customer service instance (S-VLAN), and sets the manner in which MIPs are created for this service instance. Use the no form with the vlan keyword to remove the S-VLAN from the specified MA.
Page 783
Chapter 26 | CFM Commands Defining CFM Structures ◆ Before removing an MA, first remove all the MEPs configured for it (see the crosscheck mpid command). ◆ If the MIP creation method is not defined by this command, the creation method defined by the ethernet cfm domain command is applied to this MA.
Chapter 26 | CFM Commands Defining CFM Structures ethernet cfm mep This command sets an interface as a domain boundary, defines it as a maintenance end point (MEP), and sets direction of the MEP in regard to sending and receiving CFM messages.
Chapter 26 | CFM Commands Defining CFM Structures ethernet cfm This command enables CFM processing on an interface. Use the no form to disable CFM processing on an interface. port-enable Syntax [no] ethernet cfm port-enable Default Setting Enabled Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage ◆...
Chapter 26 | CFM Commands Defining CFM Structures Command Usage This command can be used to clear AIS defect entries if a MEP does not exit the AIS state when all errors are resolved. Example This example clears AIS defect entries on port 1. Console#clear ethernet cfm ais mpid 1 md voip ma rd Console(config)# show ethernet cfm...
Chapter 26 | CFM Commands Defining CFM Structures This example shows the configuration status for continuity check and cross-check traps. Console#show ethernet cfm configuration traps CC MEP Up Trap :Disabled CC MEP Down Trap :Disabled CC Configure Trap :Disabled CC Loop Trap :Disabled Cross Check MEP Unknown Trap :Disabled Cross Check MEP Missing Trap :Disabled...
Chapter 26 | CFM Commands Defining CFM Structures show ethernet cfm This command displays detailed CFM information about a local MEP in the continuity check database. maintenance-points local detail mep Syntax show ethernet cfm maintenance-points local detail mep [domain domain-name | interface interface | level level-id] domain-name –...
Chapter 26 | CFM Commands Defining CFM Structures Table 159: show ethernet cfm maintenance-points local detail mep - display Field Description MPID MEP identifier MD Name The maintenance domain for this entry. MA Name Maintenance association to which this remote MEP belongs MA Name Format The format of the Maintenance Association name, including primary VID, character string, unsigned Integer 16, or RFC 2865 VPN ID...
Chapter 26 | CFM Commands Defining CFM Structures Default Setting None Command Mode Privileged Exec Command Usage Use the mpid keyword with this command to display information about a specific maintenance point, or use the mac keyword to display information about all maintenance points that have the specified MAC address.
Chapter 26 | CFM Commands Continuity Check Operations Table 160: show ethernet cfm maintenance-points remote detail - display Field Description Port State Port states include: Up – The port is functioning normally. Blocked – The port has been blocked by the Spanning Tree Protocol. No port state –...
Chapter 26 | CFM Commands Continuity Check Operations CCMs are issued should therefore be configured to detect connectivity problems in a timely manner, as dictated by the nature and size of the MA. ◆ The maintenance of a MIP CCM database by a MIP presents some difficulty for bridges carrying a large number of Service Instances, and for whose MEPs are issuing CCMs at a high frequency.
Chapter 26 | CFM Commands Continuity Check Operations ◆ If a maintenance point receives a CCM with an invalid MEPID or MA level or an MA level lower than its own, a failure is registered which indicates a configuration error or cross-connect error (i.e., overlapping MAs). Example This example enables continuity check messages for the specified maintenance association.
Chapter 26 | CFM Commands Continuity Check Operations Example This example enables SNMP traps for mep-up events. Console(config)#snmp-server enable traps ethernet cfm cc mep-up Console(config)# Related Commands ethernet cfm mep crosscheck (801) mep archive-hold- This command sets the time that data from a missing MEP is retained in the time continuity check message (CCM) database before being purged.
Chapter 26 | CFM Commands Continuity Check Operations Default Setting None Command Mode Privileged Exec Command Usage Use this command without any keywords to clear all entries in the CCM database. Use the domain keyword to clear the CCM database for a specific domain, or the level keyword to clear it for a specific maintenance level.
Chapter 26 | CFM Commands Cross Check Operations Cross Check Operations ethernet cfm mep This command sets the maximum delay that a device waits for remote MEPs to crosscheck start-delay come up before starting the cross-check operation. Use the no form to restore the default setting.
Chapter 26 | CFM Commands Cross Check Operations Default Setting All continuity checks are enabled. Command Mode Global Configuration Command Usage ◆ For this trap type to function, cross-checking must be enabled on the required maintenance associations using the ethernet cfm mep crosscheck command.
Chapter 26 | CFM Commands Cross Check Operations Command Usage ◆ Use this command to statically configure remote MEPs that exist inside the maintenance association. These remote MEPs are used in the cross-check operation to verify that all endpoints in the specified MA are operational. ◆...
Chapter 26 | CFM Commands Link Trace Operations ◆ The cross-check process is disabled by default, and must be manually started using this command with the enable keyword. Example This example enables cross-checking within the specified maintenance association. Console#ethernet cfm mep crosscheck enable md voip ma rd Console# show ethernet cfm This command displays information about remote MEPs statically configured in a...
Chapter 26 | CFM Commands Link Trace Operations Command Mode Global Configuration Command Usage ◆ A link trace message is a multicast CFM frame initiated by a MEP, and forwarded from MIP to MIP, with each MIP generating a link trace reply, up to the point at which the link trace message reaches its destination or can no longer be forwarded.
Chapter 26 | CFM Commands Link Trace Operations Example This example sets the aging time for entries in the link trace cache to 60 minutes. Console(config)#ethernet cfm linktrace cache hold-time 60 Console(config)# ethernet cfm linktrace This command sets the maximum size for the link trace cache. Use the no form to cache size restore the default setting.
Page 805
Chapter 26 | CFM Commands Link Trace Operations source-mpid – The identifier of a source MEP that will send the link trace message. (Range: 1-8191) mac-address – MAC address of a remote MEP that is the target of the link trace message.
Chapter 26 | CFM Commands Link Trace Operations clear ethernet cfm This command clears link trace messages logged on this device. linktrace-cache Command Mode Privileged Exec Example Console#clear ethernet cfm linktrace-cache Console# show ethernet cfm This command displays the contents of the link trace cache. linktrace-cache Command Mode Privileged Exec...
Chapter 26 | CFM Commands Loopback Operations (Continued) Table 162: show ethernet cfm linktrace-cache - display description Field Description Egr. Action Action taken on the egress port: EgrOk – The targeted data frame was forwarded. EgrDown – The Egress Port can be identified, but that bridge port’s MAC_Operational parameter is false.
Chapter 26 | CFM Commands Fault Generator Operations Command Usage ◆ Use this command to test the connectivity between maintenance points. If the continuity check database does not have an entry for the specified maintenance point, an error message will be displayed. ◆...
Chapter 26 | CFM Commands Fault Generator Operations more defects indicated, and fault alarms are enabled at or above the priority level set by the mep fault-notify lowest-priority command. Example This example set the delay time before generating a fault alarm. Console(config)#ethernet cfm domain index 1 name voip level 3 Console(config-ether-cfm)#mep fault-notify alarm-time 10 Console(config-ether-cfm)#...
Chapter 26 | CFM Commands Fault Generator Operations Default Setting 10 seconds Command Mode CFM Domain Configuration Example This example sets the reset time after which another fault alarm can be generated. Console(config)#ethernet cfm domain index 1 name voip level 3 Console(config-ether-cfm)#mep fault-notify reset-time 7 Console(config-ether-cfm)# show ethernet cfm...
Chapter 26 | CFM Commands Delay Measure Operations (Continued) Table 165: show fault-notify-generator - display description Field Description Alarm Time The time a defect must exist before a fault alarm is issued (see the fault-notify alarm-time, command). Reset Time The time after a fault alarm has been issued, and no defect exists, before another fault alarm can be issued (see the mep fault-notify reset-time command).
Page 813
Chapter 26 | CFM Commands Delay Measure Operations Command Usage ◆ Delay measurement can be used to measure frame delay and frame delay variation between MEPs. ◆ A local MEP must be configured for the same MA before you can use this command.
OAM Commands The switch provides OAM (Operation, Administration, and Maintenance) remote management tools required to monitor and maintain the links to subscriber CPEs (Customer Premise Equipment). This section describes functions including enabling OAM for selected ports, loop back testing, and displaying device information.
Chapter 27 | OAM Commands efm oam This command enables OAM functions on the specified port. Use the no form to disable this function. Syntax [no] efm oam Default Setting Disabled Command Mode Interface Configuration Command Usage ◆ If the remote device also supports OAM, both exchange Information OAMPDUs to establish an OAM link.
Chapter 27 | OAM Commands ◆ Dying gasp events are caused by an unrecoverable failure, such as a power failure or device reset. Note: When system power fails, the switch will always send a dying gasp trap message prior to power down. Example Console(config)#interface ethernet 1/1 Console(config-if)#efm oam critical-link-event dying-gasp...
Chapter 27 | OAM Commands count - The threshold for errored frame link events. (Range: 1-65535) Default Setting Command Mode Interface Configuration Command Usage If this feature is enabled, an event notification message is sent if the threshold is reached or exceeded within the period specified by the efm oam link-monitor frame window command.
Chapter 27 | OAM Commands Console(config)#interface ethernet 1/1 Console(config-if)#efm oam link-monitor frame window 50 Console(config-if)# efm oam mode This command sets the OAM mode on the specified port. Use the no form to restore the default setting. Syntax efm oam mode {active | passive} no efm oam mode active - All OAM functions are enabled.
Chapter 27 | OAM Commands Example Console#clear efm oam counters Console# Related Commands show efm oam counters interface (822) clear efm oam This command clears all entries from the OAM event log for the specified port. event-log Syntax clear efm oam event-log [interface-list] unit - Unit identifier.
Chapter 27 | OAM Commands Command Usage ◆ OAM remote loop back can be used for fault localization and link performance testing. Statistics from both the local and remote DTE can be queried and compared at any time during loop back testing. ◆...
Chapter 27 | OAM Commands Command Usage ◆ You can use this command to perform an OAM remote loopback test on the specified port. The port that you specify to run this test must be connected to a peer OAM device capable of entering into OAM remote loopback mode. ◆...
Chapter 27 | OAM Commands show efm oam This command displays the OAM event log for the specified port(s) or for all ports that have logs. event-log interface show efm oam event-log interface [interface-list] interface-list - unit/port unit - Unit identifier. (Range: 1) port - Port number or list of ports.
Chapter 27 | OAM Commands Console#show efm oam event-log interface 1/1 <--- When dying gasp happens and the switch get these packets, it will log this event in OAM event-log. OAM event log of Eth 1/1: 10:27:21 2013/09/13 "Unit 1, Port 1: Connection to remote device is down at Local" 10:27:20 2013/09/13 "Unit 1, Port 1: Dying Gasp occurred at Remote"...
Chapter 27 | OAM Commands port - Port number or list of ports. To enter a list, separate nonconsecutive port identifiers with a comma and no spaces; use a hyphen to designate a range of ports. (Range: 1-28/52) brief - Displays a brief list of OAM configuration states. Command Mode Normal Exec, Privileged Exec Example...
Domain Name Service Commands These commands are used to configure Domain Naming System (DNS) services. Entries can be manually configured in the DNS domain name to IP address mapping table, default domain names configured, or one or more name servers specified to use for domain name to address translation.
Chapter 28 | Domain Name Service Commands ip domain-list This command defines a list of domain names that can be appended to incomplete host names (i.e., host names passed from a client that are not formatted with dotted notation). Use the no form to remove a name from this list. Syntax [no] ip domain-list name name - Name of the host.
Chapter 28 | Domain Name Service Commands ip domain-lookup This command enables DNS host name-to-address translation. Use the no form to disable DNS. Syntax [no] ip domain-lookup Default Setting Disabled Command Mode Global Configuration Command Usage ◆ At least one name server must be specified before DNS can be enabled. ◆...
Chapter 28 | Domain Name Service Commands ip domain-name This command defines the default domain name appended to incomplete host names (i.e., host names passed from a client that are not formatted with dotted notation). Use the no form to remove the current domain name. Syntax ip domain-name name no ip domain-name...
Chapter 28 | Domain Name Service Commands Command Usage Use the no ip host command to clear static entries, or the clear host command to clear dynamic entries. Example This example maps an IPv4 address to a host name. Console(config)#ip host rd5 192.168.1.55 Console(config)#end Console#show hosts Flag Type...
Chapter 28 | Domain Name Service Commands sample.com.uk Name Server List: 192.168.1.55 10.1.0.55 Console# Related Commands ip domain-name (830) ip domain-lookup (829) ipv6 host This command creates a static entry in the DNS table that maps a host name to an IPv6 address.
Chapter 28 | Domain Name Service Commands clear dns cache This command clears all entries in the DNS cache. Command Mode Privileged Exec Example Console#clear dns cache Console#show dns cache Flag Type IP Address Host ------- ------- ------- --------------- ------- -------- Console# clear host This command deletes dynamic entries from the DNS table.
Chapter 28 | Domain Name Service Commands Example Console#show dns Domain Lookup Status: DNS enabled Default Domain Name: sample.com Domain Name List: sample.com.jp sample.com.uk Name Server List: 192.168.1.55 10.1.0.55 Console# show dns cache This command displays entries in the DNS cache. Command Mode Privileged Exec Example...
Chapter 28 | Domain Name Service Commands Example Note that a host name will be displayed as an alias if it is mapped to the same address(es) as a previously configured entry. Console#show hosts Flag Type IP Address Host ---- ---- ------- -------------------- ----- ---------------------------- 2 Address 192.168.1.55 2 Address 2001:DB8:1::12...
Page 836
Chapter 28 | Domain Name Service Commands – 836 –...
DHCP Commands These commands are used to configure Dynamic Host Configuration Protocol (DHCP) client functions. and relay functions. Any VLAN interface on this switch can be configured to automatically obtain an IP address through DHCP. This switch can also be configured to relay DHCP client configuration requests to a DHCP server on another network.
Chapter 29 | DHCP Commands DHCP Client hex - A hexadecimal value. (Range: 1-64 characters) Default Setting Class identifier option enabled, with the name of the switch. Command Mode Interface Configuration (VLAN) Command Usage ◆ Use this command without any keyword to restore the default setting. ◆...
Chapter 29 | DHCP Commands DHCP Client ◆ Note that the vendor class identifier can be formatted in either text or hexadecimal using the ip dhcp client class-id command, but the format used by both the client and server must be the same. Example Console(config)#interface vlan 2 Console(config-if)#ip dhcp client class-id hex 0000e8666572...
Chapter 29 | DHCP Commands DHCP Client DHCP for IPv6 ipv6 dhcp client This command specifies the Rapid Commit option for DHCPv6 message exchange for all DHCPv6 client requests submitted from the specified interface. Use the no rapid-commit vlan form to disable this option. Syntax [no] ipv6 dhcp client rapid-commit vlan vlan-list vlan-list - VLAN ID, specified as a single number, a range of consecutive...
Chapter 29 | DHCP Commands DHCP Relay Option 82 DHCP Relay Option 82 This section describes commands used to configure the switch to relay DHCP requests from local hosts to a remote DHCP server. Table 174: DHCP Relay Option 82 Commands Command Function Mode...
Chapter 29 | DHCP Commands DHCP Relay Option 82 ip dhcp relay server This command specifies the DHCP server or relay server addresses to use. Use the no form to clear all addresses. Syntax ip dhcp relay server address1 [address2 [address3 ...]] no ip dhcp relay server address - IP address of DHCP server.
Chapter 29 | DHCP Commands DHCP Relay Option 82 ip dhcp relay This command enables DHCP Option 82 information relay, and specifies the frame format to use for the remote-id when Option 82 information is generated by the information option switch.
Page 844
Chapter 29 | DHCP Commands DHCP Relay Option 82 ◆ DHCP request packets received by the switch are handled as follows: If a DHCP relay server has been set on the switch, when the switch receives ■ a DHCP request packet without option 82 information from the management VLAN or a non-management VLAN, it will add option 82 relay information and the relay agent’s address to the DHCP request packet, and then unicast it to the DHCP server.
Page 845
Chapter 29 | DHCP Commands DHCP Relay Option 82 A DHCP relay server has been set on the switch, when the switch receives a ■ DHCP request packet with a non-zero relay agent address field (that is not the address of this switch). A DHCP relay server has been set on the switch, when the switch receives a ■...
Chapter 29 | DHCP Commands DHCP Relay Option 82 ip dhcp relay This command specifies how to handle client requests which already contain DHCP Option 82 information. information policy Syntax ip dhcp relay information policy {drop | keep | replace} drop - Floods the original request packet onto the VLAN that received it instead of relaying it.
Chapter 29 | DHCP Commands DHCP Relay Option 82 Example Console#show ip dhcp relay L2 relay: enabled. Status of DHCP relay information: Insertion of relay information: disabled. DHCP option policy: drop. DHCP relay-server address: 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 DHCP sub-option format: extra subtype included DHCP relay is configured on the following VLANs: 1-4094 Interface...
IP Interface Commands An IP Version 4 and Version 6 address may be used for management access to the switch over the network. Both IPv4 or IPv6 addresses can be used simultaneously to access the switch. You can manually configure a specific IPv4 or IPv6 address or direct the switch to obtain an IPv4 address from a BOOTP or DHCP server when it is powered on.
Chapter 30 | IP Interface Commands IPv4 Interface Basic IPv4 Configuration This section describes commands used to configure IP addresses for VLAN interfaces on the switch. Table 177: Basic IP Configuration Commands Command Function Mode ip address Sets the IP address for the current interface ip default-gateway Defines the default gateway through which this switch can reach other subnetworks...
Page 851
Chapter 30 | IP Interface Commands IPv4 Interface Command Usage ◆ If this router is directly connected to end node devices (or connected to end nodes via shared media) that will be assigned to a specific subnet, then you must create a router interface for each VLAN that will support routing. The router interface consists of an IP address and subnet mask.
Chapter 30 | IP Interface Commands IPv4 Interface Example In the following example, the device is assigned an address in VLAN 1. Console(config)#interface vlan 1 Console(config-if)#ip address 192.168.1.5 255.255.255.0 Console(config-if)# This example assigns an IP address to VLAN 2 using a classless network mask. Console(config)#interface vlan 2 Console(config-if)#ip address 10.2.2.1/24 Console(config-if)#...
Chapter 30 | IP Interface Commands IPv4 Interface after the % delimiter. For example, FE80::7272%1 identifies VLAN 1 as the interface. Example The following example defines a default gateway for this device: Console(config)#ip default-gateway 10.1.1.254 Console#show ip route Codes: C - connected, S - static, R - RIP, B - BGP O - OSPF, IA - OSPF inter area N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2 E1 - OSPF external type 1, E2 - OSPF external type 2...
Chapter 30 | IP Interface Commands IPv4 Interface show ip traffic This command displays statistics for IP, ICMP, UDP, TCP and ARP protocols. Command Mode Privileged Exec Example Console#show ip traffic IP Statistics: IP received 4877 total received header errors unknown protocols address errors discards...
Chapter 30 | IP Interface Commands IPv4 Interface input errors 5867 output Console# traceroute This command shows the route packets take to the specified destination. Syntax traceroute host host - IP address or alias of the host. Default Setting None Command Mode Privileged Exec Command Usage...
Chapter 30 | IP Interface Commands IPv4 Interface Traceroute to 192.168.1.99, 30 hops max, timeout is 3 seconds Hop Packet 1 Packet 2 Packet 3 IP Address --- -------- -------- -------- --------------- 20 ms <10 ms <10 ms 192.168.1.99 Trace completed. Console# ping This command sends (IPv4) ICMP echo request packets to another node on the...
Chapter 30 | IP Interface Commands IPv4 Interface Example Console#ping 10.1.0.9 Press ESC to abort. PING to 10.1.0.9, by 5 32-byte payload ICMP packets, timeout is 5 seconds response time: 10 ms response time: 10 ms response time: 10 ms response time: 10 ms response time: 0 ms Ping statistics for 10.1.0.9:...
Chapter 30 | IP Interface Commands IPv4 Interface Command Usage ◆ The ARP cache is used to map 32-bit IP addresses into 48-bit hardware (i.e., Media Access Control) addresses. This cache includes entries for hosts and other routers on local network interfaces defined on this router. ◆...
Chapter 30 | IP Interface Commands IPv4 Interface Example Console(config)#interface vlan 3 Console(config-if)#ip proxy-arp Console(config-if)# arp timeout This command sets the aging time for dynamic entries in the Address Resolution Protocol (ARP) cache. Use the no form to restore the default timeout. Syntax arp timeout seconds no arp timeout...
Chapter 30 | IP Interface Commands IPv4 Interface clear arp-cache This command deletes all dynamic entries from the Address Resolution Protocol (ARP) cache. Command Mode Privileged Exec Example This example clears all dynamic entries in the ARP cache. Console#clear arp-cache This operation will delete all the dynamic entries in ARP Cache.
Chapter 30 | IP Interface Commands IPv6 Interface IPv6 Interface This switch supports the following IPv6 interface commands. Table 179: IPv6 Configuration Commands Command Function Mode Interface Address Configuration and Utilities ipv6 default-gateway Sets an IPv6 default gateway for traffic ipv6 address Configures an IPv6 global unicast address, and enables IPv6 on an interface...
Chapter 30 | IP Interface Commands IPv6 Interface (Continued) Table 179: IPv6 Configuration Commands Command Function Mode show ipv6 nd raguard Displays the configuration setting for RA Guard show ipv6 neighbors Displays information in the IPv6 neighbor discovery cache PE Interface Address Configuration and Utilities ipv6 default-gateway This command sets an IPv6 default gateway to use for destinations with no known...
Chapter 30 | IP Interface Commands IPv6 Interface Related Commands ip route (898) show ip route (899) ip default-gateway (852) show ipv6 default-gateway (871) ipv6 address This command configures an IPv6 global unicast address and enables IPv6 on an interface. Use the no form without any arguments to remove all IPv6 addresses from the interface, or use the no form with a specific IPv6 address to remove that address from the interface.
Chapter 30 | IP Interface Commands IPv6 Interface Example This example specifies a full IPv6 address and prefix length. Console(config)#interface vlan 1 Console(config-if)#ipv6 address 2001:DB8:2222:7272::72/96 Console(config-if)#end Console#show ipv6 interface VLAN 1 is up IPv6 is stale. Link-local address: fe80::2e0:cff:fe02:fd%1/64 Global unicast address(es): 2001:db8:2222:7272::72/96, subnet is 2001:db8:2222:7272::/96 Joined group address(es): ff02::1:ff00:72...
Chapter 30 | IP Interface Commands IPv6 Interface (The link-local address is made with an address prefix of FE80 and a host portion based the switch’s MAC address in modified EUI-64 format. ◆ If a duplicate address is detected, a warning message is sent to the console. ◆...
Page 866
Chapter 30 | IP Interface Commands IPv6 Interface ipv6-prefix - The IPv6 network portion of the address assigned to the interface. prefix-length - A decimal value indicating how many contiguous bits (from the left) of the address comprise the prefix (i.e., the network portion of the address).
Chapter 30 | IP Interface Commands IPv6 Interface Example This example uses the network prefix of 2001:0DB8:0:1::/64, and specifies that the EUI-64 interface identifier be used in the lower 64 bits of the address. Console(config)#interface vlan 1 Console(config-if)#ipv6 address 2001:0DB8:0:1::/64 eui-64 Console(config-if)#end Console#show ipv6 interface VLAN 1 is up...
Page 868
Chapter 30 | IP Interface Commands IPv6 Interface Command Usage ◆ The specified address must be formatted according to RFC 2373 “IPv6 Addressing Architecture, ” using 8 colon-separated 16-bit hexadecimal values. One double colon may be used in the address to indicate the appropriate number of zeros required to fill the undefined fields.
Chapter 30 | IP Interface Commands IPv6 Interface ipv6 enable This command enables IPv6 on an interface that has not been configured with an explicit IPv6 address. Use the no form to disable IPv6 on an interface that has not been configured with an explicit IPv6 address.
Chapter 30 | IP Interface Commands IPv6 Interface ND advertised reachable time is 0 milliseconds ND advertised router lifetime is 1800 seconds Console# Related Commands ipv6 address link-local (867) show ipv6 interface (871) ipv6 mtu This command sets the size of the maximum transmission unit (MTU) for IPv6 packets sent on an interface.
Chapter 30 | IP Interface Commands IPv6 Interface Related Commands show ipv6 mtu (873) jumbo frame (118) show ipv6 This command displays the current IPv6 default gateway. default-gateway Command Mode Normal Exec, Privileged Exec Example The following shows the default gateway configured for this device: Console#show ipv6 default-gateway IPv6 default gateway 2001:DB8:2222:7272::254 Console#...
Chapter 30 | IP Interface Commands IPv6 Interface Global unicast address(es): 2001:db8:0:1:2e0:cff:fe02:fd/64, subnet is 2001:db8:0:1::/64[EUI] 2001:db8:2222:7272::72/96, subnet is 2001:db8:2222:7272::/96 Joined group address(es): ff02::2 ff02::1:ff19:6779 ff02::1:ff00:0 ff02::1:ff00:72 ff02::1:ff02:fd ff02::1:2 ff02::1 IPv6 link MTU is 1500 bytes ND DAD is enabled, number of DAD attempts: 1. ND retransmit interval is 1000 milliseconds ND advertised retransmit interval is 0 milliseconds ND reachable time is 30000 milliseconds...
Chapter 30 | IP Interface Commands IPv6 Interface (Continued) Table 180: show ipv6 interface - display description Field Description ND advertised The retransmit interval is included in all router advertisements sent out of an retransmit interface so that nodes on the same link use the same time value. interval ND reachable The amount of time a remote IPv6 node is considered reachable after a...
Chapter 30 | IP Interface Commands IPv6 Interface (Continued) Table 181: show ipv6 mtu - display description Field Description Since Time since an ICMP packet-too-big message was received from this destination. Destination Address which sent an ICMP packet-too-big message. Address No information is displayed if an IPv6 address has not been assigned to the switch.
Chapter 30 | IP Interface Commands IPv6 Interface group membership response messages group membership reduction messages ICMPv6 sent 4 output destination unreachable messages packet too big messages time exceeded messages parameter problem message echo request messages echo reply messages 3 router solicit messages router advertisement messages 1 neighbor solicit messages neighbor advertisement messages...
Page 876
Chapter 30 | IP Interface Commands IPv6 Interface (Continued) Table 182: show ipv6 traffic - display description Field Description delivers The total number of datagrams successfully delivered to IPv6 user- protocols (including ICMP). This counter is incremented at the interface to which these datagrams were addressed which might not be necessarily the input interface for some of the datagrams.
Page 877
Chapter 30 | IP Interface Commands IPv6 Interface (Continued) Table 182: show ipv6 traffic - display description Field Description destination unreachable The number of ICMP Destination Unreachable messages received by messages the interface. packet too big messages The number of ICMP Packet Too Big messages received by the interface. time exceeded messages The number of ICMP Time Exceeded messages received by the interface.
Chapter 30 | IP Interface Commands IPv6 Interface (Continued) Table 182: show ipv6 traffic - display description Field Description redirect messages The number of Redirect messages sent. For a host, this object will always be zero, since hosts do not send redirects. group membership query The number of ICMPv6 Group Membership Query messages sent by messages...
Page 879
Chapter 30 | IP Interface Commands IPv6 Interface host-name - A host name string which can be resolved into an IPv6 address through a domain name server. count - Number of packets to send. (Range: 1-16) size - Number of bytes in a packet. (Range: 0-1500 bytes) The actual packet size will be eight bytes larger than the size specified because the router adds header information.
Chapter 30 | IP Interface Commands IPv6 Interface traceroute6 This command shows the route packets take to the specified destination. Syntax traceroute6 {ipv6-address | host-name} [max-failures max-failures] ipv6-address - The IPv6 address of a neighbor device. You can specify either a link-local or global unicast address formatted according to RFC 2373 “IPv6 Addressing Architecture, ”...
Chapter 30 | IP Interface Commands IPv6 Interface Traceroute to FE80::2E0:CFF:FE9C:CA10%1/64, 30 hops max, timeout is 3 seconds, 5 max failure(s) before termination. Hop Packet 1 Packet 2 Packet 3 IPv6 Address --- -------- -------- -------- -------------------------------------------- <10 ms <10 ms <10 ms FE80::2E0:CFF:FE9C:CA10%1/64 Trace completed.
Page 882
Chapter 30 | IP Interface Commands IPv6 Interface processes are disabled on the interface. If a duplicate global unicast address is detected, it is not used. All configuration commands associated with a duplicate address remain configured while the address is in “duplicate” state. ◆...
Chapter 30 | IP Interface Commands IPv6 Interface ipv6 nd ns-interval This command configures the interval between transmitting IPv6 neighbor solicitation messages on an interface. Use the no form to restore the default value. Syntax ipv6 nd ns-interval milliseconds no ipv6 nd ns-interval milliseconds - The interval between transmitting IPv6 neighbor solicitation messages.
Chapter 30 | IP Interface Commands IPv6 Interface ND DAD is enabled, number of DAD attempts: 5. ND retransmit interval is 30000 milliseconds ND advertised retransmit interval is 30000 milliseconds ND reachable time is 30000 milliseconds ND advertised reachable time is 0 milliseconds ND advertised router lifetime is 1800 seconds Console# Related Commands...
Chapter 30 | IP Interface Commands IPv6 Interface ipv6 nd This command configures the amount of time that a remote IPv6 node is considered reachable after some reachability confirmation event has occurred. Use reachable-time the no form to restore the default setting. Syntax ipv6 nd reachable-time milliseconds no ipv6 nd reachable-time...
Chapter 30 | IP Interface Commands IPv6 Interface clear ipv6 neighbors This command deletes all dynamic entries in the IPv6 neighbor discovery cache. Command Mode Privileged Exec Example The following deletes all dynamic entries in the IPv6 neighbor cache: Console#clear ipv6 neighbors Console# show ipv6 nd raguard This command displays the configuration setting for RA Guard.
Chapter 30 | IP Interface Commands IPv6 Interface Default Setting All IPv6 neighbor discovery cache entries are displayed. Command Mode Privileged Exec Example The following shows all known IPv6 neighbors for this switch: Console#show ipv6 neighbors State: I1 - Incomplete, I2 - Invalid, R - Reachable, S - Stale, D - Delay, P1 - Probe, P2 - Permanent, U - Unknown IPv6 Address Link-layer Addr...
Chapter 30 | IP Interface Commands ND Snooping Related Commands show mac-address-table (491) ND Snooping Neighbor Discover (ND) Snooping maintains an IPv6 prefix table and user address binding table. These tables can be used for stateless address auto-configuration or for address filtering by IPv6 Source Guard. ND snooping maintains a binding table in the process of neighbor discovery.
Chapter 30 | IP Interface Commands ND Snooping (Continued) Table 184: ND Snooping Commands Command Function Mode show ipv6 nd snooping Shows configuration settings for ND snooping show ipv6 nd snooping Shows entries in the binding table binding show ipv6 nd snooping prefix Show entries in the prefix table ipv6 nd snooping This command enables ND snooping globally or on a specified VLAN or range of...
Chapter 30 | IP Interface Commands ND Snooping If an NS message is received on an untrusted interface, and the address ■ prefix does not match any entry in the prefix table, it drops the packet. If the message does match an entry in the prefix table, it adds an entry to ■...
Chapter 30 | IP Interface Commands ND Snooping Example Console(config)#ipv6 nd snooping auto-detect Console(config)# ipv6 nd snooping This command sets the number of times the auto-detection process sends an NS auto-detect message to determine if a dynamic user binding is still valid. Use the no form to restore the default setting.
Chapter 30 | IP Interface Commands ND Snooping Command Mode Global Configuration Command Usage The timeout after which the switch will delete a dynamic user binding if no RA message is received is set to the retransmit count (see the ipv6 nd snooping auto- detect retransmit count command) x the retransmit interval.
Chapter 30 | IP Interface Commands ND Snooping ipv6 nd snooping This command sets the maximum number of address entries in the dynamic user binding table which can be bound to a port. Use the no form to restore the default max-binding setting.
IP Routing Commands After network interfaces are configured for the switch, the paths used to send traffic between different interfaces must be set. If routing is enabled on the switch, traffic will automatically be forwarded between all of the local subnetworks. However, to forward traffic to devices on other subnetworks, either configure fixed paths with static routing commands, or enable a dynamic routing protocol that exchanges information with other routers on the network to automatically...
Chapter 30 | IP Routing Commands Global Routing Configuration IPv4 Commands ip route This command configures static routes. Use the no form to remove static routes. Syntax ip route destination-ip netmask next-hop [distance] no ip route {destination-ip netmask [next-hop] | *} destination-ip –...
Chapter 30 | IP Routing Commands Global Routing Configuration show ip route This command displays information in the Forwarding Information Base (FIB). Syntax show ip route [connected | database | static | summary] connected – Displays all currently connected entries. database –...
Chapter 30 | IP Routing Commands Global Routing Configuration show ip route This command displays entries in the Routing Information Base (RIB). database Command Mode Privileged Exec Command Usage The RIB contains all available routes learned through directly attached networks, and any additionally configured routes such as static routes.
Section III Appendices This section provides additional information and includes these items: ◆ “Troubleshooting” on page 903 ◆ “License Information” on page 905 – 901 –...
Troubleshooting Problems Accessing the Management Interface Table 205: Troubleshooting Chart Symptom Action ◆ Cannot connect using Be sure the switch is powered up. Telnet, or SNMP software ◆ Check network cabling between the management station and the switch. Make sure the ends are properly connected and there is no damage to the cable.
Appendix A | Troubleshooting Using System Logs Using System Logs If a fault does occur, refer to the Installation Guide to ensure that the problem you encountered is actually caused by the switch. If the problem appears to be caused by the switch, follow these steps: Enable logging.
License Information This product includes copyrighted third-party software subject to the terms of the GNU General Public License (GPL), GNU Lesser General Public License (LGPL), or other related free software licenses. The GPL code used in this product is distributed WITHOUT ANY WARRANTY and is subject to the copyrights of one or more authors.
Page 906
Appendix B | License Information The GNU General Public License GNU GENERAL PUBLIC LICENSE TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION This License applies to any program or other work which contains a notice placed by the copyright holder saying it may be distributed under the terms of this General Public License. The "Program", below, refers to any such program or work, and a "work based on the Program"...
Page 907
Appendix B | License Information The GNU General Public License Accompany it with a written offer, valid for at least three years, to give any third party, for a charge no more than your cost of physically performing source distribution, a complete machine-readable copy of the corresponding source code, to be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange;...
Page 908
Appendix B | License Information The GNU General Public License If the distribution and/or use of the Program is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the Program under this License may add an explicit geographical distribution limitation excluding those countries, so that distribution is permitted only in or among countries not thus excluded.
Glossary Access Control List. ACLs can limit network traffic and restrict access to certain users or devices by checking each packet for certain IP or MAC (i.e., Layer 2) information. Address Resolution Protocol converts between IP addresses and MAC (hardware) addresses. ARP is used to locate the MAC address corresponding to a given IP address.
Page 910
Glossary Domain Name Service. A system used for translating host names for network nodes into IP addresses. DSCP Differentiated Services Code Point Service. DSCP uses a six-bit tag to provide for up to 64 different forwarding behaviors. Based on network policies, different kinds of traffic can be marked for different kinds of forwarding.
Page 911
Glossary IEEE 802.1D Specifies a general method for the operation of MAC bridges, including the Spanning Tree Protocol. IEEE 802.1Q VLAN Tagging—Defines Ethernet frame tags which carry VLAN information. It allows switches to assign endstations to different virtual LANs, and defines a standard way for VLANs to communicate across switched networks.
Page 912
Glossary IGMP Snooping Listening to IGMP Query and IGMP Report packets transferred between IP Multicast Routers and IP Multicast host groups to identify IP Multicast group members. In-Band Management Management of the network from a station attached directly to the network. IP Multicast Filtering A process whereby this switch can pass multicast traffic along to participating hosts.
Page 913
Glossary MSTP Multiple Spanning Tree Protocol can provide an independent spanning tree for different VLANs. It simplifies network management, provides for even faster convergence than RSTP by limiting the size of each region, and prevents VLAN members from being segmented from the rest of the group.
Page 914
Glossary Quality of Service. QoS refers to the capability of a network to provide better service to selected traffic flows using features such as data prioritization, queuing, congestion avoidance and traffic shaping. These features effectively provide preferential treatment to specific flows either by raising the priority of one flow or limiting the priority of another flow.
Page 915
Glossary TCP/IP Transmission Control Protocol/Internet Protocol. Protocol suite that includes TCP as the primary transport protocol, and IP as the network layer protocol. Telnet Defines a remote communication facility for interfacing to a terminal device over TCP/IP. TFTP Trivial File Transfer Protocol. A TCP/IP protocol commonly used for software downloads. User Datagram Protocol.
CLI Commands aaa accounting dot1x 232 calendar set 166 aaa accounting exec 233 capabilities 388 aaa accounting update 234 channel-group 428 aaa authorization exec 235 class 626 aaa group server 236 class-map 622 absolute 169 clear access-list hardware counters 381 access-list arp 378 clear arp-cache 860 access-list ip 362...
Page 918
CLI Commands cluster member 174 ethernet cfm ais level 776 configure 91 ethernet cfm ais ma 777 control-vlan 526 ethernet cfm ais period 778 copy 122 ethernet cfm ais suppress alarm 778 ethernet cfm cc enable 794 ethernet cfm cc ma interval 793 ethernet cfm delay-measure two-way 812 databits 134 ethernet cfm domain 779...
Page 919
CLI Commands ip dhcp relay information option 843 ip multicast-data-drop 671 ip dhcp relay information policy 846 ip name-server 831 ip dhcp relay server 842 ip proxy-arp 858 ip dhcp restart client 839 ip route 898 ip dhcp snooping 306 ip source-guard 333 ip dhcp snooping max-number 317 ip source-guard binding 331...
Page 922
CLI Commands show cluster members 176 show discard 399 radius-server acct-port 224 show dns 833 radius-server auth-port 225 show dns cache 834 radius-server host 225 show dos-protection 354 radius-server key 226 show dot1q-tunnel 579 radius-server retransmit 227 show dot1x 265 radius-server timeout 227 show efm oam counters interface 822 range 667...
Page 923
CLI Commands show ip igmp snooping statistics 660 show mac-address-table 491 show ip igmp throttle interface 674 show mac-address-table aging-time 492 show ip interface 853 show mac-address-table count 493 show ip multicast-data-drop 675 show mac-vlan 593 show ip route 899 show management 269 show ip route database 900 show map default-drop-precedence 615...
Page 924
CLI Commands show rmon history 209 snmp-server enable port-traps atc multicast-control-apply show rmon statistics 209 show rspan 455 snmp-server enable port-traps atc multicast-control- show running-config 110 release 473 show sflow 215 snmp-server enable port-traps mac-notification 186 show snmp 181 snmp-server enable traps 182 show snmp engine-id 192 snmp-server engine-id 187 show snmp group 192...
Index Numerics aging time 489 aging time, displaying 492 802.1Q tunnel 572 aging time, setting 489 access 574 administrative users, displaying 115 configuration, guidelines 572 configuration, limitations 573 ACL 345 CVID to SVID map 575 configuration 857 ethernet type 578 proxy 858 –...
Page 928
Index selecting protocol based on message format 520 continuity check messages, CFM 533 shut down port on receipt 508 CoS 614 bridge extension capabilities, displaying 559 configuring 601 broadcast packets, blocking 396 default mapping to internal values 608 broadcast storm, threshold 459 enabling 614 layer 3/4 priorities 606 priorities, mapping to internal values 608...
Page 929
Index remote ID 311 static entries, IPv4 830 sub-length field 309 static entries, IPv6 832 sub-option format 309 Domain Name Service See DNS sub-type and sub-length, disabling 309 domain service access point, CFM 780 subtype field 309 downloading software 122 DHCPv6 snooping 321 automatically 128 enabling 321...
Page 930
Index RPL owner 542 IEEE 802.1w 499 secondary ring 529 IEEE 802.1X 255 status, displaying 549 IGMP version 543 filter profiles, binding to interface 669 wait-to-restore timer 544 filter profiles, configuration 666 – WTR timer 544 filter, parameters 665 Ethernet Ring Protection Switching See ERPS filtering &...
Page 931
Index ingress filtering 567 host 246 IP address host, generating 252 BOOTP/DHCP 839 setting 849 IP filter, for management access 268 LACP IP Port to PHB/drop precedence 612 admin key 430 IP Precedence 614 configuration 425 enabling 614 group attributes, configuring 433 IP precedence to PHB/drop precedence 613 –...
Page 932
Index TLV, network policy 763 MLD snooping 676 TLV, PoE 761 configuring 676 local engine ID 187 enabling 677 logging immediate leave 683 messages, displaying 148 immediate leave, status 683 syslog traps 147 multicast static router port 683 to syslog servers 146 querier 677 logon authentication 217 querier, enabling 677...
Page 933
Index setting multicast domain 700 specifying servers 160 setting multicast groups 699 setting multicast priority 701 source port mode 705 specifying a domain 700 active mode 819 specifying a VLAN 699 – displaying settings and status 822 specifying priority 701 enabling on switch ports 816 static binding 701 –...
Page 934
Index capabilities 388 PHB to drop precedence, for untagged packets 609 configuring 385 PHB to queue 607 discard CDP/PVST 390 PHB/drop precedence to CoS/CFI 610 duplex mode 395 selecting CoS, DSCP, IP Precedence 614 flow control 391 QoS policy forced selection of media type 392 committed burst size 627 forced selection on combo ports 392 excess burst size 629...
Page 935
Index server, configuring 249 timeout 250 secure shell 246 STA 495 configuration 246 BPDU filter 507 security, general measures 279 BPDU flooding 516 serial port, configuring 133 BPDU shutdown 508 service instance, CFM 782 detecting loopbacks 511 sFlow edge port 510 destination for traffic 212 forward delay 497 destination, IPv6 212...
Page 936
Index – setting with SNTP 155 unregistered data flooding, IGMP snooping 647 – summer time 162 upgrading software 122 system logs 146 user account 218 system software, downloading from server 122 user password 218 TACACS+ VLAN trunking 569 – logon authentication 228 VLANs 555 settings 228 802.1Q tunnel mode 574...