48 10GBASE SFP+ Ports, 6 40GBASE QSFP Ports, 2 Power Supply Units, and 4 Fan Trays (4 Fans – F2B and B2F Airflow) AS6700-32X 32-Port 40G Data Center Switch with 20 40G QSFP+ Ports, 2 40G Expansion Slots, 2 Power Supply Units, and 5 Fan Trays (5 Fans –...
How to Use This Guide This guide includes detailed information on the switch software, including how to operate and use the management functions of the switch. To deploy this switch effectively and ensure trouble-free operation, you should first read the relevant sections in this guide so that you are familiar with all of its software features.
For all safety information and regulatory statements, see the following documents:
◆ Quick Start Guide
◆ Safety and Regulatory Information
Conventions
The following conventions are used throughout this guide to show information:
Note: Emphasizes important information or calls your attention to related features or instructions.
Contents How to Use This Guide Contents Figures Tables Section I Getting Started 1 Initial Switch Configuration Connecting to the Switch Configuration Options Connecting to the Console Port Selecting Legacy or Hybrid Operation Mode Logging Onto the Command Line Interface Setting Passwords Remote Connections (Network Interface or Craft Port) Obtaining and Installing a License for the Network Ports...
Contents Setting the System Clock Setting the Time Manually Configuring SNTP Configuring NTP Section II Command Line Interface 2 Using the Command Line Interface Accessing the CLI Console Connection Telnet Connection Entering Commands Keywords and Arguments Minimum Abbreviation Command Completion Getting Help on Commands Partial Keyword Lookup Negating the Effect of Commands...
Contents exit 4 System Management Commands Device Designation hostname Banner Information banner configure banner configure company banner configure dc-power-info banner configure department banner configure equipment-info banner configure equipment-location banner configure ip-lan banner configure lp-number banner configure manager-info banner configure mux banner configure note show banner System Status...
Contents fan-speed force-full Frame Size jumbo frame File Management General Commands boot system copy delete onie umount usbdisk whichboot Automatic Code Upgrade Commands upgrade opcode auto upgrade opcode path upgrade opcode reload show upgrade TFTP Configuration Commands ip tftp retry ip tftp timeout show ip tftp Line...
Contents show line Event Logging logging facility logging history logging host logging on logging trap clear log show log show logging SMTP Alerts logging sendmail logging sendmail host logging sendmail level logging sendmail destination-email logging sendmail source-email show logging sendmail Time SNTP Commands sntp client...
Contents calendar set show calendar Time Range time-range absolute periodic show time-range 5 SNMP Commands General SNMP Commands snmp-server snmp-server community snmp-server contact snmp-server location show snmp SNMP Target Host Commands snmp-server enable traps snmp-server host snmp-server enable port-traps mac-notification show snmp-server enable port-traps SNMPv3 Commands snmp-server engine-id...
Contents Additional Trap Commands memory process cpu 6 Remote Monitoring Commands rmon alarm rmon event rmon collection history rmon collection rmon1 show rmon alarms show rmon events show rmon history show rmon statistics 7 Authentication Commands User Accounts enable password username Authentication Sequence authentication enable...
Contents Web Server ip http port ip http server ip http secure-port ip http secure-server Telnet Server ip telnet max-sessions ip telnet port ip telnet server show ip telnet Secure Shell ip ssh authentication-retries ip ssh server ip ssh server-key size ip ssh timeout delete public-key ip ssh crypto host-key generate...
Contents dot1x timeout re-authperiod dot1x timeout supp-timeout dot1x timeout tx-period dot1x re-authenticate Information Display Commands show dot1x Management IP Filter management show management 8 General Security Measures Port Security mac-learning port security show port security Network Access (MAC Address Authentication) network-access aging network-access mac-filter mac-authentication reauth-time...
Contents Web Authentication web-auth login-attempts web-auth quiet-period web-auth session-timeout web-auth system-auth-control web-auth web-auth re-authenticate (Port) web-auth re-authenticate (IP) show web-auth show web-auth interface show web-auth summary DHCPv4 Snooping ip dhcp snooping ip dhcp snooping information option ip dhcp snooping information option encode no-subtype ip dhcp snooping information option remote-id ip dhcp snooping information policy ip dhcp snooping limit rate...
Contents clear ipv6 dhcp snooping statistics show ipv6 dhcp snooping show ipv6 dhcp snooping binding show ipv6 dhcp snooping statistics IPv4 Source Guard ip source-guard binding ip source-guard ip source-guard max-binding ip source-guard mode clear ip source-guard binding blocked show ip source-guard show ip source-guard binding IPv6 Source Guard ipv6 source-guard binding...
Contents show ip arp inspection statistics show ip arp inspection vlan Port-based Traffic Segmentation traffic-segmentation traffic-segmentation session traffic-segmentation uplink/downlink traffic-segmentation uplink-to-uplink show traffic-segmentation 9 Access Control Lists IPv4 ACLs access-list ip permit, deny (Standard IP ACL) permit, deny (Extended IPv4 ACL) ip access-group show ip access-group show ip access-list...
Contents ACL Information clear access-list hardware counters show access-group show access-list 10 Interface Commands Interface Configuration interface alias description flowcontrol history media-type shutdown switchport mtu clear counters hardware profile portmode show hardware profile portmode show interfaces brief show interfaces counters show interfaces history show interfaces status show interfaces switchport...
Contents show loop internal 11 Link Aggregation Commands Manual Configuration Commands port channel load-balance channel-group Dynamic Configuration Commands lacp lacp admin-key (Ethernet Interface) lacp port-priority lacp system-priority lacp admin-key (Port Channel) lacp timeout Trunk Status Display Commands show lacp show port-channel load-balance MLAG Commands mlag mlag peer-link...
Contents rate-limit Storm Control Commands switchport packet-rate 14 Loopback Detection Commands loopback-detection loopback-detection action loopback-detection recover-time loopback-detection transmit-interval loopback detection trap loopback-detection release show loopback-detection 15 UniDirectional Link Detection Commands udld detection-interval udld message-interval udld recovery udld recovery-interval udld aggressive udld port show udld 16 Address Table Commands...
Contents set phb service-policy show class-map show policy-map show policy-map interface 21 Data Center Bridging Commands DCB Exchange Commands dcbx dcbx mode show dcbx Priority-based Flow Control Commands pfc mode pfc priority clear pfc statistics show pfc show pfc statistics Enhanced Transmission Selection Commands ets mode traffic-class algo...
Contents Openflow Commands of-agent controller of-agent datapath-desc clear of-agent show of-agent controller show of-agent flow show of-agent group 22 Multicast Filtering Commands IGMP Snooping ip igmp snooping ip igmp snooping priority ip igmp snooping proxy-reporting ip igmp snooping querier ip igmp snooping router-alert-option-check ip igmp snooping router-port-expire-time ip igmp snooping tcn-flood ip igmp snooping tcn-query-solicit...
Contents show ip igmp snooping mrouter show ip igmp snooping statistics Static Multicast Routing ip igmp snooping vlan mrouter IGMP Filtering and Throttling ip igmp filter (Global Configuration) ip igmp profile permit, deny range ip igmp authentication ip igmp filter (Interface Configuration) ip igmp max-groups ip igmp max-groups action ip igmp query-drop...
Contents show ipv6 mld snooping group source-list show ipv6 mld snooping mrouter IGMP (Layer 3) ip igmp ip igmp last-member-query-interval ip igmp max-resp-interval ip igmp query-interval ip igmp robustval ip igmp static-group ip igmp version clear ip igmp group show ip igmp groups show ip igmp interface IGMP Proxy Routing ip igmp proxy...
Contents ethernet cfm ais ma ethernet cfm ais period ethernet cfm ais suppress alarm ethernet cfm domain ethernet cfm enable ma index name ma index name-format ethernet cfm mep ethernet cfm port-enable clear ethernet cfm ais mpid show ethernet cfm configuration show ethernet cfm md show ethernet cfm ma show ethernet cfm maintenance-points local...
Contents clear ethernet cfm linktrace-cache show ethernet cfm linktrace-cache Loopback Operations ethernet cfm loopback Fault Generator Operations mep fault-notify alarm-time mep fault-notify lowest-priority mep fault-notify reset-time show ethernet cfm fault-notify-generator Delay Measure Operations ethernet cfm delay-measure two-way 25 Domain Name Service Commands ip domain-list ip domain-lookup ip domain-name...
Contents show ipv6 dhcp relay destination 27 IP Interface Commands IPv4 Interface Basic IPv4 Configuration ip address ip default-gateway show ip interface show ip traffic traceroute ping ARP Configuration arp timeout clear arp-cache show arp IPv6 Interface Interface Address Configuration and Utilities ipv6 default-gateway ipv6 address ipv6 address eui-64...
Contents show ip route show ip route database show ip route summary show ip traffic ECMP Commands ecmp load-balance hash-selection list maximum-paths dst-mac (MAC Hash) ethertype (MAC Hash) src-mac (MAC Hash) vlan (MAC Hash) dst-ip (IPv4 Hash) dst-l4-port (IPv4 Hash) protocol-id (IPv4 Hash) src-ip (IPv4 Hash) src-l4-port (IPv4 Hash)
Contents neighbor network passive-interface redistribute timers basic version ip rip authentication mode ip rip authentication string ip rip receive version ip rip receive-packet ip rip send version ip rip send-packet ip rip split-horizon clear ip rip route show ip protocols rip show ip rip Open Shortest Path First (OSPFv2) General Configuration...
Contents area virtual-link network area Interface Configuration ip ospf authentication ip ospf authentication-key ip ospf cost ip ospf dead-interval ip ospf hello-interval ip ospf message-digest-key ip ospf priority ip ospf retransmit-interval ip ospf transmit-delay passive-interface Display Information show ip ospf show ip ospf border-routers show ip ospf database show ip ospf interface...
Contents Area Configuration area stub area virtual-link ipv6 router ospf area ipv6 router ospf tag area Interface Configuration ipv6 ospf cost ipv6 ospf dead-interval ipv6 ospf hello-interval ipv6 ospf priority ipv6 ospf retransmit-interval ipv6 ospf transmit-delay passive-interface Display Information show ipv6 ospf show ipv6 ospf database show ipv6 ospf interface show ipv6 ospf neighbor...
Contents show ip bgp dampening show ip bgp filter-list show ip bgp neighbors show ip bgp paths show ip bgp prefix-list show ip bgp regexp show ip bgp route-map show ip bgp scan show ip bgp summary show ip community-list show ip extcommunity-list show ip prefix-list show ip prefix-list detail...
Contents set community 1005 set extcommunity 1006 set ip next-hop 1007 set local-preference 1008 set metric 1008 set origin 1009 set originator-id 1010 set pathlimit ttl 1010 set weight 1011 show route-map 1011 30 Multicast Routing Commands 1013 General Multicast Routing 1013 IPv4 Commands 1013...
Contents ip pim trigger-hello-delay 1030 show ip pim interface 1030 show ip pim neighbor 1031 PIM-DM Commands 1032 ip pim graft-retry-interval 1032 ip pim max-graft-retries 1032 ip pim state-refresh origination-interval 1033 PIM-SM Commands 1034 ip pim bsr-candidate 1034 ip pim register-rate-limit 1035 ip pim register-source 1036...
Section I Getting Started
This section provides an overview of the switch, and introduces some basic concepts about network switches. It also describes the basic settings required to access the management interface.
This section includes these chapters:
◆ "Initial Switch Configuration" on page 55 –...
Initial Switch Configuration
This chapter includes information on connecting to the switch and basic configuration procedures.
Connecting to the Switch
The switch includes a built-in network management agent. The agent offers a variety of management options, including SNMP, RMON and a web-based interface. A PC may also be connected directly to the switch for configuration and monitoring via a command line interface (CLI).
◆ Control port access through IEEE 802.1X security or static address filtering
◆ Filter packets using Access Control Lists (ACLs)
◆ Configure up to 4094 IEEE 802.1Q VLANs
◆ Configure IP routing for unicast or multicast traffic
◆...
Power on the switch. After the system completes the boot cycle, the logon screen appears.
Selecting Legacy or Hybrid Operation Mode
The switch supports two operating modes:
◆ Legacy Mode – Basic feature set, accessible via CLI, web interface, or SNMP.
◆...
Console(config)#username guest password 0 [password]
Console(config)#username admin password 0 [password]
Console(config)#
* This manual covers the AS5700-54X 10G and AS6700-32X 40G Layer 3 Ethernet switches. AS5700-54X and AS6700-32X are the bare metal switch names without any operating system installed. AOS5700-54X and AOS6700-32X are the same switches with the AOS operating system as described in this manual.
An IPv4 address for the primary network interface is obtained via DHCP by default. To manually configure this address or enable dynamic address assignment via DHCP, see “Setting an IP Address” on page
After configuring the switch’s IP parameters, you can access the onboard configuration program from anywhere within the attached network.
Current Status:
 Link Status : Down
 Link Down Reason : Invalid License or Trial License
 Operation Speed-duplex : 10G full
 Flow Control Type : None
 Max Frame Size : 1522 bytes (1522 bytes for tagged frames)
 MAC Learning Status : Enabled
To order a license, you must provide the following information to your distributor:...
Configuring the Switch for Remote Management
Setting an IP Address
You must establish IP address information for the switch to obtain management access through the network. This can be done in either of the following ways:
◆...
To set the IP address of the default gateway for the network to which the switch belongs, type “ip default-gateway gateway,” where “gateway” is the IP address of the default gateway.
 ff02::1:ff11:6700
 ff02::1:2
 ff02::1
IPv6 link MTU is 1500 bytes
ND DAD is enabled, number of DAD attempts: 1.
ND retransmit interval is 1000 milliseconds
ND advertised retransmit interval is 0 milliseconds
ND reachable time is 30000 milliseconds
ND advertised reachable time is 0 milliseconds
ND advertised router lifetime is 1800 seconds...
Console#show ipv6 interface
VLAN 1 is up
IPv6 is enabled.
Link-local address:
 fe80::260:3eff:fe11:6700%1/64
Global unicast address(es):
 2001:db8:2222:7272::/64, subnet is 2001:db8:2222:7272::/64
Joined group address(es):
 ff02::2
 ff02::1:ff00:0
 ff02::1:ff11:6700
 ff02::1:2
 ff02::1
IPv6 link MTU is 1500 bytes
ND DAD is enabled, number of DAD attempts: 1.
Type “end” to return to the Privileged Exec mode. Press <Enter>.
Wait a few minutes, and then check the IP configuration settings by typing the “show ip interface” command. Press <Enter>.
Then save your configuration changes by typing “copy running-config startup-config”.
Enabling SNMP Management Access The switch can be configured to accept management commands from Simple Network Management Protocol (SNMP) applications such as Edge-Core ECView Pro. You can configure the switch to respond to SNMP requests or generate SNMP traps. When SNMP management stations send requests to the switch (either to return information or to set a parameter), the switch provides the requested data or sets the specified parameter.
To configure a community string, complete the following steps:
From the Privileged Exec level global configuration mode prompt, type “snmp-server community string mode,” where “string” is the community access string and “mode”...
another view that includes the IEEE 802.1d bridge MIB. It assigns these respective read and read/write views to a group called “r&d” and specifies group authentication via MD5 or SHA. In the last step, it assigns a v3 user to this group, indicating that MD5 will be used for authentication, provides the password “greenpeace”...
Due to the size limit of the flash memory, the switch supports only two operation code files. However, you can have as many diagnostic code files and configuration files as available flash memory space allows. The switch has a total of 2 GB of flash memory for system files.
Saving or Restoring Configuration Settings
Configuration commands only modify the running configuration file and are not saved when the switch is rebooted. To save all your configuration changes in nonvolatile storage, you must copy the running configuration file to the start-up configuration file using the “copy”...
Console#copy tftp startup-config
TFTP server IP address: 192.168.0.4
Source configuration file name: startup-rd.cfg
Startup configuration file name [startup1.cfg]:
Success.
Console#
Configuring Automatic Installation of Operation Code and Configuration Settings
Downloading Operation Code from...
Automatic Operation Code Upgrade can automatically download an operation...
the upgrade file is stored as AOS5700-54X.BIX (or even Aos5700-54x.bix) on a case-sensitive server, then the switch (requesting AOS5700-54X.bix) will not be upgraded because the server does not recognize the requested file name and the stored file name as being equal.
This shows how to specify a TFTP server where new code is stored.
Console(config)#upgrade opcode path tftp://192.168.0.1/sm24/
Console(config)#
This shows how to specify an FTP server where new code is stored.
Console(config)#upgrade opcode path ftp://admin:billy@192.168.0.1/sm24/
Console(config)#
Set the switch to automatically reboot and load the new code after the opcode...
Specifying a DHCP Client Identifier
DHCP servers index their database of address bindings using the client’s Media Access Control (MAC) Address or a unique client identifier. The client identifier is used to identify the vendor class and configuration of the switch to the DHCP server, which then uses this information to decide on how to service the client or...
◆ If the switch fails to download the bootup configuration file based on information passed by the DHCP server, it will not send any further DHCP client requests.
Setting the Time Manually
To manually set the clock to 14:11:36, April 1st, 2013, enter this command.
Console#calendar set 14 11 36 1 April 2013
Console#
To set the time zone, enter a command similar to the following.
Console(config)#clock timezone Japan hours 8 after-UTC
Console(config)#
To set the time shift for summer time, enter a command similar to the following.
Configuring NTP
Requesting the time from an NTP server is the most secure method. You can enable NTP authentication to ensure that reliable updates are received from only authorized NTP servers. The authentication keys and their associated key number must be centrally managed and manually distributed to NTP servers and clients.
Section II Command Line Interface
This section provides a detailed description of the Command Line Interface, along with examples for all of the commands.
This section includes these chapters:
◆ “Using the Command Line Interface” on page 83
◆ “General Commands” on page 95
◆...
◆ “Class of Service Commands” on page 507
◆ “Quality of Service Commands” on page 527
◆ “Multicast Filtering Commands” on page 581
◆ “LLDP Commands” on page 653
◆ “CFM Commands” on page 681
◆...
Using the Command Line Interface
This chapter describes how to use the Command Line Interface (CLI).
Accessing the CLI
When accessing the management interface for the switch over a direct connection to the server’s console port, or via a Telnet or Secure Shell connection (SSH), the switch can be managed by entering command keywords and parameters at the prompt.
portion. For example, the IP address assigned to this switch, 10.1.0.1, consists of a network portion (10.1.0) and a host portion (1).
Note: The IP address for this switch is obtained via DHCP by default.
To access the switch through a Telnet session, you must first set the IP address for the Master unit, and set the default gateway if you are managing the switch from a different IP subnet.
Entering Commands
This section describes how to enter CLI commands.
Keywords and Arguments
A CLI command is a series of keywords and arguments. Keywords identify a command, and arguments specify configuration parameters. For example, in the command “show interfaces status ethernet 1/5,”...
Getting Help on Commands
You can display a brief description of the help system by entering the help command. You can also display command syntax by using the “?” character to list keywords or parameters.
 radius-server RADIUS server information
 reload Shows the reload settings
 rmon Remote Monitoring Protocol
 route-map Shows route-map
 rspan Display status of the current RSPAN configuration
 running-config Information on the running configuration
 sflow Shows the sflow information
 snmp...
Negating the Effect of Commands
For many configuration commands you can enter the prefix keyword “no” to cancel the effect of a command or reset the configuration to the default value. For example, the logging command will log system messages to a host server.
commands are available in this mode. You can access all commands only from the Privileged Exec command mode (or administrator mode). To access Privileged Exec mode, open a new console session with the user name and password “admin.” The system will now display the “Console#”...
◆ IGMP Profile - Sets a profile group and enters IGMP filter profile configuration mode.
◆ Interface Configuration - These commands modify the port configuration such as speed-duplex and negotiation.
◆...
For example, you can use the following commands to enter interface configuration mode, and then return to Privileged Exec mode:
Console(config)#interface ethernet 1/5
Console(config-if)#exit
Console(config)#
Command Line Processing
Commands are not case sensitive. You can abbreviate commands and parameters as long as they contain enough letters to differentiate them from any other currently available commands or parameters.
CLI Command Groups
The system commands can be broken down into the functional groups shown below.
Table 7: Command Group Index
Command Group | Description | Page
General | Basic commands for entering privileged access mode, restarting the system, or quitting the CLI
System Management | Display and setting of system information, basic modes of...
Table 7: Command Group Index (Continued)
Command Group | Description | Page
Quality of Service | Configures Differentiated Services
Multicast Filtering | Configures IGMP multicast filtering, query, profile, and proxy parameters; specifies ports attached to a multicast router
Link Layer Discovery | Configures LLDP settings to enable information discovery about neighbor devices...
General Commands
The general commands are used to control the command access mode, configuration mode, and other basic functions.
Table 8: General Commands
Command | Function | Mode
prompt | Customizes the CLI prompt
reload | Restarts the system at a specified time, after a specified delay, or at a periodic interval
enable | Activates privileged mode...
Command Mode
Global Configuration
Example
Console(config)#prompt RD2
RD2(config)#
reload (Global Configuration)
This command restarts the system at a specified time, after a specified delay, or at a periodic interval. You can reboot the system immediately, or you can configure the switch to reset after a specified amount of time.
Command Mode
Global Configuration
Command Usage
◆ This command resets the entire system.
◆ Any combination of reload options may be specified. If the same option is re-specified, the previous setting will be overwritten.
◆...
Example
Console>enable
Password: [privileged level password]
Console#
Related Commands
disable (100)
enable password (212)
quit
This command exits the configuration program.
Default Setting
None
Command Mode
Normal Exec, Privileged Exec
Command Usage
The quit and exit commands can both exit the configuration program.
Example
This example shows how to quit a CLI session:
Console#quit...
Example
In this example, the show history command lists the contents of the command history buffer:
Console#show history
Execution command history:
 2 config
 1 show history
Configuration command history:
 4 interface vlan 1
 3 exit
 2 interface vlan 1
 1 end
Console#...
disable
This command returns to Normal Exec mode from privileged mode. In normal access mode, you can only display basic information on the switch's configuration or Ethernet statistics. To gain access to all commands, you must use the privileged mode.
show reload
This command displays the current reload settings, and the time at which the next scheduled reload will take place.
Command Mode
Privileged Exec
Example
Console#show reload
Reloading switch in time: 0 hours 29 minutes.
The switch will be rebooted at January 1 02:11:50 2001.
Example
This example shows how to return to the Privileged Exec mode from the Global Configuration mode, and then quit the CLI session:
Console(config)#exit
Console#exit
Press ENTER to start session
User Access Verification
Username:
System Management Commands
The system management commands are used to control system logs, passwords, user names, management options, and display or configure a variety of other system information.
Table 9: System Management Commands
Command Group | Function
Device Designation | Configures information that uniquely identifies this switch
Banner Information | Configures administrative contact, device identification and location
System Status...
hostname
This command specifies or modifies the host name for this device. Use the no form to restore the default host name.
Syntax
hostname name
no hostname
name - The name of this host. (Maximum length: 255 characters)
Default Setting
None
Command Mode...
Table 11: Banner Commands (Continued)
Command | Function | Mode
banner configure department | Configures the Department information that is displayed by banner
banner configure equipment-info | Configures the Equipment information that is displayed by banner
banner configure equipment-location | Configures the Equipment Location information that is...
Manager3 name: Night-shift Net Admin / Janitor
 phone number: 123-555-1214
The physical location of the equipment.
 City and street address: 12 Straight St. Motown, Zimbabwe
Information about this equipment:
 Manufacturer: Edge-Core Networks
 ID: 123_unique_id_number
 Floor: 2
 Row: 7
 Rack: 29
 Shelf in this rack: 8
Information about DC power supply.
Example
Console(config)#banner configure company Big-Ben
Console(config)#
banner configure dc-power-info
This command is used to configure the DC power information displayed in the banner. Use the no form to restore the default setting.
Syntax
banner configure dc-power-info floor floor-id row row-id rack rack-id electrical-circuit ec-id
no banner configure dc-power-info [floor | row | rack | electrical-circuit]...
banner configure department
This command is used to configure the department information displayed in the banner. Use the no form to restore the default setting.
Syntax
banner configure department dept-name
no banner configure department
dept-name - The name of the department.
Example
Console(config)#banner configure equipment-info manufacturer-id ECS4660-28F floor 3 row 10 rack 15 shelf-rack 12 manufacturer Edge-Core
Console(config)#
banner configure equipment-location
This command is used to configure the equipment location information displayed in the banner.
banner configure ip-lan
This command is used to configure the device IP address and subnet mask information displayed in the banner. Use the no form to restore the default setting.
Syntax
banner configure ip-lan ip-mask
no banner configure ip-lan
ip-mask - The IP address and subnet mask of the device.
Example
Console(config)#banner configure lp-number 12
Console(config)#
banner configure manager-info
This command is used to configure the manager contact information displayed in the banner. Use the no form to restore the default setting.
Syntax
banner configure manager-info name mgr1-name phone-number mgr1-number...
banner configure mux
This command is used to configure the mux information displayed in the banner. Use the no form to restore the default setting.
Syntax
banner configure mux muxinfo
no banner configure mux
muxinfo - The circuit and PVC to which the switch is connected.
Chapter 4 | System Management Commands System Status (Continued) Table 12: System Status Commands Command Function Mode show license file Shows information on the installed license file required for the network ports show location-led status Shows if location LED function is enabled or not show memory Shows memory utilization parameters NE, PE...
Chapter 4 | System Management Commands System Status show access-list tcam-utilization This command shows utilization parameters for TCAM (Ternary Content Addressable Memory), including the number of policy control entries in use, the number of free entries, and the overall percentage of TCAM in use. Command Mode Privileged Exec Command Usage...
Chapter 4 | System Management Commands System Status (Continued) Table 13: show access-list tcam-utilization - display description Field Description Pool Rule slice (or call group). Each slice has a fixed number of rules that are used for the specified features. Total The maximum number of policy control entries allocated to each pool.
Chapter 4 | System Management Commands System Status show location-led status This command shows if the location LED function is enabled or not. Command Mode Privileged Exec Example Console#show location-led status Location Led Status:On Console# show memory This command shows memory utilization parameters, and alarm thresholds. Command Mode Normal Exec, Privileged Exec Command Usage...
Chapter 4 | System Management Commands System Status CPU Utilization in the past 60 seconds Average Utilization : 8% Maximum Utilization : 9% Alarm Status Current Alarm Status : Off Last Alarm Start Time : Jun 9 15:10:09 2011 Last Alarm Duration Time : 10 seconds Alarm Configuration Rising Threshold : 90%...
Chapter 4 | System Management Commands System Status Example Console#show running-config Building startup configuration. Please wait... !<stackingDB>00</stackingDB> !<stackingMac>01_00-e0-0c-00-00-fd_00</stackingMac> snmp-server community public ro snmp-server community private rw snmp-server enable traps authentication username admin access-level 15 username admin password 7 21232f297a57a5a743894a0e4a801fc3 username guest access-level 0 username guest password 7 084e0343a0486ff05530df6c705c8bb4 enable password level 15 7 1b3231655cebb7a1f783eddf27d254ca vlan database...
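The output above shows why a configuration dump has to be handled as a secret: the `password 7` strings are the only protection on the account passwords, and the SNMP community strings are still the well-known defaults `public` and `private`. The following Python script is an added example (it is not part of this manual or of the switch software) that audits such a dump offline. It assumes, from the values shown above (21232f297a57a5a743894a0e4a801fc3 is the MD5 of "admin", 084e0343a0486ff05530df6c705c8bb4 the MD5 of "guest"), that the type 7 form is an unsalted MD5 of the plaintext; the wordlist and the embedded sample configuration are constructed for the example.

```python
import hashlib
import re

# Constructed sample: the show running-config excerpt from this page,
# embedded so the audit runs offline.
SAMPLE_CONFIG = """\
snmp-server community public ro
snmp-server community private rw
snmp-server enable traps authentication
username admin access-level 15
username admin password 7 21232f297a57a5a743894a0e4a801fc3
username guest access-level 0
username guest password 7 084e0343a0486ff05530df6c705c8bb4
enable password level 15 7 1b3231655cebb7a1f783eddf27d254ca
"""

# Hypothetical wordlist for the check; extend with your own policy's banned list.
DEFAULT_WORDLIST = ["admin", "guest", "super", "password", "123456"]

USER_RE = re.compile(r"^username (\S+) password 7 ([0-9a-f]{32})$")
ENABLE_RE = re.compile(r"^enable password level (\d+) 7 ([0-9a-f]{32})$")
COMMUNITY_RE = re.compile(r"^snmp-server community (\S+) (ro|rw)$")


def hashes_in_config(config):
    """Return {account: md5hex} for every 'password 7' line in the dump."""
    found = {}
    for line in config.splitlines():
        m = USER_RE.match(line)
        if m:
            found["user:" + m.group(1)] = m.group(2)
            continue
        m = ENABLE_RE.match(line)
        if m:
            found["enable:level" + m.group(1)] = m.group(2)
    return found


def crack_md5(hashes, wordlist):
    """Assumption (from the values on the page): type-7 strings are unsalted
    MD5 of the plaintext, so a dictionary lookup is enough to recover them."""
    table = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    return {acct: table[h] for acct, h in hashes.items() if h in table}


def default_communities(config):
    """SNMP v1/v2c community strings that are still the well-known defaults."""
    hits = []
    for line in config.splitlines():
        m = COMMUNITY_RE.match(line)
        if m and m.group(1) in ("public", "private"):
            hits.append((m.group(1), m.group(2)))
    return hits


def audit(config, wordlist=DEFAULT_WORDLIST):
    return {
        "weak_passwords": crack_md5(hashes_in_config(config), wordlist),
        "default_communities": default_communities(config),
    }


if __name__ == "__main__":
    for finding, detail in audit(SAMPLE_CONFIG).items():
        print(finding, detail)
```

Run it over a saved copy of show running-config before the file leaves the device: every account listed under weak_passwords should be reset with username ... password 0, and the default community strings replaced (or SNMPv3 used instead) before the switch is reachable from the management network.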
Chapter 4 | System Management Commands System Status show startup-config This command displays the configuration file stored in non-volatile memory that is used to start up the system. Command Mode Privileged Exec Command Usage ◆ Use this command in conjunction with the show running-config command to compare the information in running memory to the information stored in non- volatile memory.
Chapter 4 | System Management Commands System Status ◆ There are two thermal detectors in the switch. The first detector is near the air flow intake vents. The second detector is near the switch ASIC and CPU. Example Console#show system System Description : AOS5700-54X System OID String : 1.3.6.1.4.1.259.12.1.2...
Chapter 4 | System Management Commands System Status (Continued) Table 14: show system – display description Parameter Description Jumbo Frame Shows if jumbo frames are enabled or disabled. System Fan Shows if forced full-speed mode is enabled. System Temperature Temperature at specified thermal detection point. Main Power Status Displays the status of the internal power supply.
Chapter 4 | System Management Commands System Status show users Shows all active console and Telnet sessions, including user name, idle time, and IP address of Telnet client. Default Setting None Command Mode Normal Exec, Privileged Exec Command Usage The session used to execute this command is indicated by a “*” symbol next to the Line (i.e., session) index number.
Chapter 4 | System Management Commands System Status Operation Code Version : 1.0.102.152 Console# Table 15: show version – display description Parameter Description Serial Number The serial number of the switch. Hardware Version Hardware version of the main board. EPLD Version Version number of Erasable Programmable Logic Device.
Chapter 4 | System Management Commands Fan Control Example Console#watchdog Console# Fan Control This section describes the command used to force fan speed. Table 16: Fan Control Commands Command Function Mode fan-speed force-full Forces fans to full speed show system Shows if full fan speed is enabled NE, PE fan-speed force-full...
Chapter 4 | System Management Commands File Management jumbo frame This command enables support for layer 2 jumbo frames for Gigabit and 10 Gigabit Ethernet ports. Use the no form to disable it. Syntax [no] jumbo frame Default Setting Disabled Command Mode Global Configuration Command Usage...
Chapter 4 | System Management Commands File Management When downloading runtime code, the destination file name can be specified to replace the current image, or the file can be first downloaded using a different name from the current runtime code file, and then the new file set as the startup file.
Chapter 4 | System Management Commands File Management General Commands boot system This command specifies the file or image used to start up the system. Syntax boot system {boot-rom | config | opcode}: filename boot-rom* - Boot ROM. config* - Configuration file. opcode* - Run-time operation code.
Chapter 4 | System Management Commands File Management copy This command moves (upload/download) a code image or configuration file between the switch’s flash memory and an FTP/TFTP server or a USB memory stick. When you save the system code or configuration settings to a file on an FTP/TFTP server, that file can later be downloaded to the switch to restore system operation.
Chapter 4 | System Management Commands File Management ◆ The switch supports only two operation code files, but the maximum number of user-defined configuration files is 16. ◆ You can use “Factory_Default_Config.cfg” as the source to copy from the factory default configuration file, but you cannot use it as the destination. ◆...
Chapter 4 | System Management Commands File Management The following example shows how to copy the running configuration to a startup file. Console#copy running-config file Destination configuration file name: startup Flash programming started. Flash programming completed. Success. Console# The following example shows how to download a configuration file: Console#copy tftp startup-config TFTP server ip address: 10.1.0.99 Source configuration file name: startup.01...
Chapter 4 | System Management Commands File Management onie This command configures the switch to install, rescue or update runtime code under the open network installation environment (ONIE). Syntax onie {install | rescue | upgrade} install - Installs a new operating system. This option will reboot the switch and the ONIE install process will run again.
Chapter 4 | System Management Commands File Management Hash value: 185b962f Verifying Hash Integrity ... crc32+ OK ..pci 0000:00:00.0: ignoring class b20 (doesn't match header type 01) Info: Mounting kernel filesystems... done. Info: Using eth0 MAC address: 00:11:22:33:44:55 Info: eth0: Checking link...
Chapter 4 | System Management Commands File Management EXT3-fs (sda1): warning: checktime reached, running e2fsck is recommended filemapping file write OK!! FS_GenFilemappingFile OK Updating U-Boot environment variables ONIE:/ # umount: can't remount rootfs read-only The system is going down NOW! Sent SIGTERM to all processes Sent SIGKILL toRestarting system.
Chapter 4 | System Management Commands File Management Example This example shows the information displayed by the whichboot command. See the table under the dir command for a description of the file information displayed by this command. Console#whichboot File Name Type Startup Modified Time Size (bytes)
Chapter 4 | System Management Commands File Management ◆ Any changes made to the default setting can be displayed with the show running-config or show startup-config commands. Example Console(config)#upgrade opcode auto Console(config)#upgrade opcode path tftp://192.168.0.1/sm24/ Console(config)# If a new image is found at the specified location, the following type of messages will be displayed during bootup.
Chapter 4 | System Management Commands File Management ◆ When specifying a TFTP server, the following syntax must be used, where filedir indicates the path to the directory containing the new image: tftp://192.168.0.1[/filedir]/ ◆ When specifying an FTP server, the following syntax must be used, where filedir indicates the path to the directory containing the new image: ftp://[username[:password@]]192.168.0.1[/filedir]/ If the user name is omitted, “anonymous”...
Chapter 4 | System Management Commands File Management show upgrade This command shows the opcode upgrade configuration settings. Command Mode Privileged Exec Example Console#show upgrade Auto Image Upgrade Global Settings: Status : Disabled Reload Status : Disabled Path File Name : aos5700-54x.bix Console# TFTP Configuration Commands ip tftp retry...
Chapter 4 | System Management Commands File Management ip tftp timeout This command specifies the time the switch can wait for a response from a TFTP server before retransmitting a request or timing out for the last retry. Use the no form to restore the default setting.
Chapter 4 | System Management Commands Line Line You can access the onboard configuration program by attaching a VT100 compatible device to the switch's serial port. These commands are used to set communication parameters for the serial port or Telnet (i.e., a virtual terminal). Table 20: Line Commands Command Function...
Chapter 4 | System Management Commands Line Command Mode Global Configuration Command Usage Telnet is considered a virtual terminal connection and will be shown as “VTY” in screen displays such as show users. However, the serial communication parameters (e.g., databits) do not affect Telnet connections. Example To enter console line mode, enter the following command: Console(config)#line console...
Chapter 4 | System Management Commands Line Related Commands parity (145) exec-timeout This command sets the interval that the system waits until user input is detected. Use the no form to restore the default. Syntax exec-timeout [seconds] no exec-timeout seconds - Integer that specifies the timeout interval. (Range: 60 - 65535 seconds;...
Chapter 4 | System Management Commands Line Default Setting login local Command Mode Line Configuration Command Usage ◆ There are three authentication modes provided by the switch itself at login: login selects authentication by a single global password as specified by the ■...
Chapter 4 | System Management Commands Line Default Setting No parity Command Mode Line Configuration Command Usage Communication protocols provided by devices such as terminals and modems often require a specific parity bit setting. Example To specify no parity, enter this command: Console(config-line)#parity none Console(config-line)# password...
Chapter 4 | System Management Commands Line Example Console(config-line)#password 0 secret Console(config-line)# Related Commands login (144) password-thresh (147) password-thresh This command sets the password intrusion threshold which limits the number of failed logon attempts. Use the no form to remove the threshold value. Syntax password-thresh [threshold] no password-thresh...
Chapter 4 | System Management Commands Line silent-time This command sets the amount of time the management console is inaccessible after the number of unsuccessful logon attempts exceeds the threshold set by the password-thresh command. Use the no form to remove the silent time value. Syntax silent-time [seconds] no silent-time...
Chapter 4 | System Management Commands Line Command Usage Set the speed to match the baud rate of the device connected to the serial port. Some baud rates available on devices connected to the port might not be supported. The system indicates if the speed you selected is not supported. Example To specify 57600 bps, enter this command: Console(config-line)#speed 57600...
Chapter 4 | System Management Commands Line Default Setting 300 seconds Command Mode Line Configuration Command Usage ◆ If a login attempt is not detected within the timeout interval, the connection is terminated for the session. ◆ This command applies to both the local console and Telnet connections. ◆...
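The password-thresh, silent-time and exec-timeout settings in this section combine into one login-protection policy per line. The Python class below is an added example, not code from the manual or the switch, that models that policy with an injected clock so the interaction can be checked offline. It assumes the lock engages on the threshold-th consecutive failure and that attempts made during silent-time are refused without being counted.

```python
class LineGuard:
    """Login protection for one console/VTY line, combining
    password-thresh (failed-attempt limit), silent-time (lockout length)
    and exec-timeout (idle limit). Times are seconds from an injected clock.
    Assumption: the lock engages on the threshold-th consecutive failure."""

    def __init__(self, threshold=3, silent_time=30, exec_timeout=600):
        self.threshold = threshold
        self.silent_time = silent_time
        self.exec_timeout = exec_timeout
        self.failures = 0
        self.silent_until = 0.0
        self.last_activity = None

    def is_silent(self, now):
        return now < self.silent_until

    def attempt_login(self, now, credentials_ok):
        """Return "silent", "accepted", "rejected" or "locked"."""
        if self.is_silent(now):
            return "silent"            # line inaccessible; attempt not counted
        if credentials_ok:
            self.failures = 0
            self.last_activity = now   # session opens
            return "accepted"
        self.failures += 1
        if self.failures >= self.threshold:
            self.failures = 0
            self.silent_until = now + self.silent_time
            return "locked"
        return "rejected"

    def activity(self, now):
        """Record input on an open session; False if none is open or it idled out."""
        if self.last_activity is None:
            return False
        if now - self.last_activity > self.exec_timeout:
            self.last_activity = None  # exec-timeout: session terminated
            return False
        self.last_activity = now
        return True


if __name__ == "__main__":
    g = LineGuard(threshold=3, silent_time=30, exec_timeout=600)
    for t, ok in [(0, False), (1, False), (2, False), (10, True), (33, True)]:
        print(t, g.attempt_login(t, ok))
```

Note that silent-time only slows an online guesser to `threshold` attempts per silent-time window on that line; it does not replace strong passwords or remote authentication.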
Chapter 4 | System Management Commands Line terminal This command configures terminal settings, including escape-character, lines displayed, terminal type, width, and command history. Use the no form with the appropriate keyword to restore the default setting. Syntax terminal {escape-character {ASCII-number | character} | history [size size] | length length | terminal-type {ansi-bbs | vt-100 | vt-102} | width width} escape-character - The keyboard character used to escape from current line input.
Chapter 4 | System Management Commands Line show line This command displays the terminal line’s parameters. Syntax show line [console | vty] console - Console terminal line. vty - Virtual terminal for remote console access (i.e., Telnet). Default Setting Shows all lines Command Mode Normal Exec, Privileged Exec Example...
Chapter 4 | System Management Commands Event Logging Event Logging This section describes commands used to configure event logging on the switch. Table 21: Event Logging Commands Command Function Mode logging facility Sets the facility type for remote logging of syslog messages GC logging history Limits syslog messages saved to switch memory based on severity...
Chapter 4 | System Management Commands Event Logging logging history This command limits syslog messages saved to switch memory based on severity. The no form returns the logging of syslog messages to the default level. Syntax logging history {flash | ram} level no logging history {flash | ram} flash - Event history stored in flash memory (i.e., permanent memory).
Chapter 4 | System Management Commands Event Logging logging host This command adds a syslog server host IP address that will receive logging messages. Use the no form to remove a syslog server host. Syntax logging host host-ip-address [port udp-port] no logging host host-ip-address host-ip-address - The IPv4 or IPv6 address of a syslog server.
Chapter 4 | System Management Commands Event Logging Example Console(config)#logging on Console(config)# Related Commands logging history (154) logging trap (156) clear log (157) logging trap This command enables the logging of system messages to a remote server, or limits the syslog messages saved to a remote server based on severity. Use this command without a specified level to enable remote logging.
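The logging history and logging trap levels select messages by numeric severity (0 = emergency ... 7 = debugging): a message is kept when its severity number is at or below the configured level. The Python code below is an added example, not from the manual, that shows the same filter on the collector side: it builds BSD-style syslog lines with a `<PRI>` header (PRI = facility * 8 + severity), parses them and applies the level. The sample lines are constructed, not captured from a switch. Syslog over UDP is neither authenticated nor encrypted, so a collector should also restrict accepted source addresses; this example does only the parsing and filtering.

```python
import re

SEVERITY_NAMES = ["emergency", "alert", "critical", "error",
                  "warning", "notice", "informational", "debugging"]
PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)


def encode_pri(facility, severity):
    """PRI = facility * 8 + severity (RFC 3164 / RFC 5424)."""
    if not (0 <= facility <= 23 and 0 <= severity <= 7):
        raise ValueError("facility 0-23, severity 0-7")
    return facility * 8 + severity


def build_message(facility, severity, timestamp, host, text):
    """The line a device sends to a `logging host` target over UDP."""
    return f"<{encode_pri(facility, severity)}>{timestamp} {host} {text}"


def parse_message(raw):
    """Split a received line into facility, severity and body."""
    m = PRI_RE.match(raw)
    if not m:
        raise ValueError("missing <PRI> header")
    pri = int(m.group(1))
    if pri > 191:
        raise ValueError("PRI out of range")
    return {"facility": pri >> 3, "severity": pri & 7, "body": m.group(2)}


def passes_level(severity, level):
    """`logging trap level` / `logging history level` semantics: keep a
    message when its severity number is <= the configured level."""
    return severity <= level


def filter_by_level(lines, level):
    kept = []
    for raw in lines:
        msg = parse_message(raw)
        if passes_level(msg["severity"], level):
            kept.append((SEVERITY_NAMES[msg["severity"]], msg["body"]))
    return kept


# Constructed sample lines (facility 16 = local0), not device output.
SAMPLE_LINES = [
    build_message(16, 6, "Jun  9 15:10:09", "switch1", "Unit 1, Port 5 link-up notification."),
    build_message(16, 3, "Jun  9 15:10:12", "switch1", "Memory utilization exceeds rising threshold."),
    build_message(16, 1, "Jun  9 15:10:30", "switch1", "Fan 2 failed."),
    build_message(16, 7, "Jun  9 15:10:31", "switch1", "debug: SNTP poll sent."),
]

if __name__ == "__main__":
    for name, body in filter_by_level(SAMPLE_LINES, 3):
        print(name, body)
```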
Chapter 4 | System Management Commands Event Logging clear log This command clears messages from the log buffer. Syntax clear log [flash | ram] flash - Event history stored in flash memory (i.e., permanent memory). ram - Event history stored in temporary RAM (i.e., memory flushed on power reset).
Chapter 4 | System Management Commands SMTP Alerts Table 23: show logging flash/ram - display description Field Description Syslog logging Shows if system logging has been enabled via the logging on command. History logging in FLASH The message level(s) reported based on the logging history command.
Chapter 4 | System Management Commands SMTP Alerts (Continued) Table 25: Event Logging Commands Command Function Mode logging sendmail source- Email address used for “From” field of alert messages email show logging sendmail Displays SMTP event handler settings NE, PE logging sendmail This command enables SMTP event handling.
Chapter 4 | System Management Commands SMTP Alerts ◆ To open a connection, the switch first selects the server that successfully sent mail during the last connection, or the first server configured by this command. If it fails to send mail, the switch selects the next server in the list and tries to send mail again.
Chapter 4 | System Management Commands SMTP Alerts logging sendmail destination-email This command specifies the email recipients of alert messages. Use the no form to remove a recipient. Syntax [no] logging sendmail destination-email email-address email-address - The destination (recipient) email address for alert messages. (Range: 1-41 characters) Default Setting None...
Chapter 4 | System Management Commands Time Example Console(config)#logging sendmail source-email bill@this-company.com Console(config)# show logging sendmail This command displays the settings for the SMTP event handler. Command Mode Normal Exec, Privileged Exec Example Console#show logging sendmail SMTP servers ----------------------------------------------- 192.168.1.19 SMTP Minimum Severity Level: 7 SMTP Destination E-mail Addresses -----------------------------------------------...
Chapter 4 | System Management Commands Time (Continued) Table 26: Time Commands Command Function Mode ntp client Enables the NTP client for time updates from specified servers ntp server Specifies NTP servers to poll for time updates show ntp Shows current NTP configuration settings NE, PE Manual Configuration Commands clock summer-time date...
Chapter 4 | System Management Commands Time Example Console(config)#sntp server 10.1.0.19 Console(config)#sntp poll 60 Console(config)#sntp client Console(config)#end Console#show sntp Current Time : Mar 12 02:33:00 2013 Poll Interval : 60 seconds Current Mode : Unicast SNTP Status : Enabled SNTP Server : 10.1.0.19 Current Server : 137.92.140.80 Console#...
Chapter 4 | System Management Commands Time sntp server This command sets the IP address of the servers to which SNTP time requests are issued. Use this command with no arguments to clear all time servers from the current list. Use the no form to clear all time servers from the current list, or to clear a specific server.
Chapter 4 | System Management Commands Time Example Console#show sntp Current Time : Nov 5 18:51:22 2006 Poll Interval : 16 seconds Current Mode : Unicast SNTP Status : Enabled SNTP Server : 137.92.140.80 Current Server : 137.92.140.80 Console# NTP Commands ntp authenticate This command enables authentication for NTP client-server communications.
Chapter 4 | System Management Commands Time ntp authentication-key This command configures authentication keys and key numbers to use when NTP authentication is enabled. Use the no form of the command to clear a specific authentication key or all keys from the current list. Syntax ntp authentication-key number md5 key no ntp authentication-key [number]...
Chapter 4 | System Management Commands Time ntp client This command enables NTP client requests for time synchronization from NTP time servers specified with the ntp server command. Use the no form to disable NTP client requests. Syntax [no] ntp client Default Setting Disabled Command Mode...
Chapter 4 | System Management Commands Time Default Setting Version number: 3 Command Mode Global Configuration Command Usage ◆ This command specifies time servers that the switch will poll for time updates when set to NTP client mode. It issues time synchronization requests based on the interval set with the ntp poll command.
Chapter 4 | System Management Commands Time NTP Status : Enabled NTP Authenticate Status : Enabled Last Update NTP Server : 192.168.0.88 Port: 123 Last Update Time : Mar 12 02:41:01 2013 UTC NTP Server 192.168.0.88 version 3 NTP Server 192.168.3.21 version 3 NTP Server 192.168.4.22 version 3 key 19 NTP Authentication Key 19 md5 42V68751663T6K11P2J307210R885 Console#...
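With ntp authenticate enabled, each request and reply carries a key identifier and an MD5 message digest computed over the key followed by the packet (RFC 5905, section 7.3). The Python code below is an added example, not from the manual or the switch software: it builds a minimal NTPv3 client packet, appends the MAC for key number 19 using the key value from the show ntp output above, and verifies it the way a peer would, rejecting unknown key numbers, wrong keys, unauthenticated packets and tampered packets. Note that show ntp prints the key in clear text, so configuration dumps and terminal captures containing it must be protected like any other shared secret.

```python
import hashlib
import hmac
import struct

NTP_HEADER_LEN = 48      # NTPv3 header, no extension fields
MAC_LEN = 4 + 16         # key identifier + MD5 digest

# Key number and key value from the show ntp example on this page.
KEYS = {19: b"42V68751663T6K11P2J307210R885"}


def build_client_packet(version=3, transmit_ts=0):
    """Minimal NTP header: LI=0, version, mode 3 (client); other fields zero."""
    first = (version << 3) | 3
    return struct.pack("!BBbbIIIQQQQ", first, 0, 0, 0, 0, 0, 0, 0, 0, 0, transmit_ts)


def md5_mac(key, packet):
    """RFC 5905 7.3 symmetric-key digest: MD5(key || packet)."""
    return hashlib.md5(key + packet).digest()


def append_mac(packet, key_id, key):
    """Sender side: trailer = key identifier (4 bytes) + 16-byte digest."""
    return packet + struct.pack("!I", key_id) + md5_mac(key, packet)


def verify_mac(message, keys):
    """Receiver side: True only for a well-formed, correctly keyed message."""
    if len(message) != NTP_HEADER_LEN + MAC_LEN:
        return False                       # unauthenticated or malformed
    packet = message[:NTP_HEADER_LEN]
    key_id = struct.unpack("!I", message[NTP_HEADER_LEN:NTP_HEADER_LEN + 4])[0]
    digest = message[NTP_HEADER_LEN + 4:]
    key = keys.get(key_id)
    if key is None:
        return False                       # key number not trusted
    return hmac.compare_digest(md5_mac(key, packet), digest)


if __name__ == "__main__":
    request = append_mac(build_client_packet(transmit_ts=0x1234), 19, KEYS[19])
    print(len(request), verify_mac(request, KEYS))
```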
Chapter 4 | System Management Commands Time Command Mode Global Configuration Command Usage ◆ In some countries or regions, clocks are adjusted through the summer months so that afternoons have more daylight and mornings have less. This is known as Summer Time, or Daylight Savings Time (DST).
Chapter 4 | System Management Commands Time Summer Time, or Daylight Savings Time (DST). Typically, clocks are adjusted forward one hour at the start of spring and then adjusted backward in autumn. ◆ This command sets the summer-time relative to the configured time zone. To specify the time corresponding to your local time when summer time is in effect, select the predefined summer-time zone appropriate for your location, or manually configure summer time if these predefined configurations do not...
Chapter 4 | System Management Commands Time b-month - The month when summer time will begin. (Options: january | february | march | april | may | june | july | august | september | october | november | december) b-hour - The hour when summer time will begin.
Chapter 4 | System Management Commands Time clock timezone This command sets the time zone for the switch’s internal clock. Syntax clock timezone name hour hours minute minutes {before-utc | after-utc} name - Name of timezone, usually an acronym. (Range: 1-30 characters) hours - Number of hours before/after UTC.
Chapter 4 | System Management Commands Time city - Select the city associated with the chosen GMT offset. After the offset has been entered, use the tab-complete function to display the available city options. Default Setting GMT-Greenwich-Mean-Time-Dublin,Edinburgh,Lisbon,London Command Mode Global Configuration Command Usage This command sets the local time zone relative to the Coordinated Universal Time (UTC, formerly Greenwich Mean Time or GMT), based on the earth’s prime meridian,...
Chapter 4 | System Management Commands Time Range Command Usage Note that when SNTP is enabled, the system clock cannot be manually configured. Example This example shows how to set the system clock to 15:12:34, February 1st, 2011. Console#calendar set 15 12 34 1 February 2011 Console# show calendar This command displays the system clock.
Chapter 4 | System Management Commands Time Range time-range This command specifies the name of a time range, and enters time range configuration mode. Use the no form to remove a previously specified time range. Syntax [no] time-range name name - Name of the time range. (Range: 1-32 characters) Default Setting None Command Mode...
Chapter 4 | System Management Commands Time Range Default Setting None Command Mode Time Range Configuration Command Usage ◆ If a time range is already configured, you must use the no form of this command to remove the current entry prior to configuring a new time range. ◆...
Chapter 4 | System Management Commands Time Range Default Setting None Command Mode Time Range Configuration Command Usage ◆ If a time range is already configured, you must use the no form of this command to remove the current entry prior to configuring a new time range. ◆...
SNMP Commands SNMP commands control access to this switch from management stations using the Simple Network Management Protocol (SNMP), as well as the error types sent to trap managers. SNMP Version 3 also provides security features that cover message integrity, authentication, and encryption;...
Chapter 5 | SNMP Commands General SNMP Commands (Continued) Table 29: SNMP Commands Command Function Mode show snmp user Shows the SNMP users show snmp view Shows the SNMP views Notification Log Commands Enables the specified notification log snmp-server notify-filter Creates a notification log and specifies the target host show nlm oper-status Shows operation status of configured notification logs...
Chapter 5 | SNMP Commands General SNMP Commands Example Console(config)#snmp-server Console(config)# snmp-server community This command defines community access strings used to authorize management access by clients using SNMP v1 or v2c. Use the no form to remove the specified community string. Syntax snmp-server community string [ro | rw] no snmp-server community string...
Chapter 5 | SNMP Commands General SNMP Commands snmp-server contact This command sets the system contact string. Use the no form to remove the system contact information. Syntax snmp-server contact string no snmp-server contact string - String that describes the system contact information. (Maximum length: 255 characters) Default Setting None...
Chapter 5 | SNMP Commands General SNMP Commands show snmp This command can be used to check the status of SNMP communications. Default Setting None Command Mode Normal Exec, Privileged Exec Command Usage This command provides information on the community access strings, counter information for SNMP input and output protocol data units, and whether or not SNMP logging has been enabled with the snmp-server enable traps command.
Chapter 5 | SNMP Commands SNMP Target Host Commands SNMP Target Host Commands snmp-server enable traps This command enables this device to send Simple Network Management Protocol traps or informs (i.e., SNMP notifications). Use the no form to disable SNMP notifications.
Chapter 5 | SNMP Commands SNMP Target Host Commands Related Commands snmp-server host (187) snmp-server host This command specifies the recipient of a Simple Network Management Protocol notification operation. Use the no form to remove the specified host. Syntax snmp-server host host-addr [inform [retry retries | timeout seconds]] community-string [version {1 | 2c | 3 {auth | noauth | priv} [udp-port port]} no snmp-server host host-addr host-addr - IPv4 or IPv6 address of the host (targeted recipient).
Chapter 5 | SNMP Commands SNMP Target Host Commands Command Usage ◆ If you do not enter an snmp-server host command, no notifications are sent. In order to configure the switch to send SNMP notifications, you must enter at least one snmp-server host command. In order to enable multiple hosts, you must issue a separate snmp-server host command for each host.
Chapter 5 | SNMP Commands SNMP Target Host Commands ◆ If you specify an SNMP Version 3 host, then the community string is interpreted as an SNMP user name. The user name must first be defined with the snmp- server user command.
Chapter 5 | SNMP Commands SNMPv3 Commands show snmp-server enable port-traps This command shows if SNMP traps are enabled or disabled for the specified interfaces. Syntax show snmp-server enable port-traps interface [interface] interface ethernet unit/port unit - Unit identifier. (Range: Always 1) port - Port number.
Chapter 5 | SNMP Commands SNMPv3 Commands Command Usage ◆ An SNMP engine is an independent SNMP agent that resides either on this switch or on a remote device. This engine protects against message replay, delay, and redirection. The engine ID is also used in combination with user passwords to generate the security keys for authenticating and encrypting SNMPv3 packets.
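The engine ID's role in key generation described above is the USM key localization of RFC 3414: the user's password is first stretched into Ku by hashing it repeated and truncated to 1,048,576 octets, then localized as Kul = H(Ku || snmpEngineID || Ku). The same password therefore yields a different key on every engine, and a key recovered from one agent is useless against another. The Python functions below are an added example, not from the manual, implementing both steps for MD5 and SHA-1; the engine IDs used are the RFC 3414 test-vector ID and the remote engine ID shown in this chapter's show snmp engine-id example.

```python
import hashlib

ONE_MEGABYTE = 1048576


def password_to_key(password, hash_name="md5"):
    """RFC 3414 A.2: Ku = H(password repeated/truncated to 1,048,576 octets)."""
    pw = password.encode()
    if not pw:
        raise ValueError("empty password")
    stream = (pw * (ONE_MEGABYTE // len(pw) + 1))[:ONE_MEGABYTE]
    return hashlib.new(hash_name, stream).digest()


def localize_key(ku, engine_id, hash_name="md5"):
    """Kul = H(Ku || snmpEngineID || Ku): binds the key to one engine."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def usm_localized_key(password, engine_id, hash_name="md5"):
    """Authentication (or, with the priv password, privacy) key for one engine."""
    return localize_key(password_to_key(password, hash_name), engine_id, hash_name)


# Engine IDs: RFC 3414 A.3 test vector, and the remote engine shown on this page.
RFC_ENGINE_ID = bytes.fromhex("000000000000000000000002")
PAGE_ENGINE_ID = bytes.fromhex("80000000030004e2b316c54321")

if __name__ == "__main__":
    for eid in (RFC_ENGINE_ID, PAGE_ENGINE_ID):
        print(eid.hex(), usm_localized_key("maplesyrup", eid, "md5").hex())
```

The privacy key is derived the same way from the privacy password, so an attacker who learns the engine ID (it is sent in clear in every SNMPv3 message) gains nothing without the password; what they can do is run this exact computation as a dictionary attack against captured authenticated packets, which is why the auth and priv passwords must be long and distinct.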
Chapter 5 | SNMP Commands SNMPv3 Commands auth | noauth | priv - This group uses SNMPv3 with authentication, no authentication, or with authentication and privacy. See “Simple Network Management Protocol” in the Web Management Guide for further information about these authentication and encryption options. readview - Defines the view for read access.
Chapter 5 | SNMP Commands SNMPv3 Commands snmp-server user This command adds a user to an SNMP group, restricting the user to a specific SNMP Read, Write, or Notify View. Use the no form to remove a user from an SNMP group.
Chapter 5 | SNMP Commands SNMPv3 Commands Command Mode Global Configuration Command Usage ◆ Local users (i.e., the command does not specify a remote engine identifier) must be configured to authorize management access for SNMPv3 clients, or to identify the source of SNMPv3 trap messages sent from the local switch. ◆...
Chapter 5 | SNMP Commands SNMPv3 Commands included - Defines an included view. excluded - Defines an excluded view. Default Setting defaultview (includes access to the entire MIB tree) Command Mode Global Configuration Command Usage ◆ Views are used in the snmp-server group command to restrict user access to specified portions of the MIB tree.
Chapter 5 | SNMP Commands SNMPv3 Commands Remote SNMP EngineID IP address 80000000030004e2b316c54321 192.168.1.19 Console# Table 30: show snmp engine-id - display description Field Description Local SNMP engineID String identifying the engine ID. Local SNMP engineBoots The number of times that the engine has (re-)initialized since the snmp EngineID was last configured.
Chapter 5 | SNMP Commands SNMPv3 Commands Group Name: private Security Model: v2c Read View: defaultview Write View: defaultview Notify View: none Storage Type: volatile Row Status: active Console# Table 31: show snmp group - display description Field Description Group Name Name of an SNMP group.
Chapter 5 | SNMP Commands SNMPv3 Commands Table 32: show snmp user - display description Field Description SNMP remote user A user associated with an SNMP engine on a remote device. Engine ID String identifying the engine ID. User Name Name of user connecting to the SNMP agent.
Chapter 5 | SNMP Commands Notification Log Commands Default Setting None Command Mode Global Configuration Command Usage ◆ Systems that support SNMP often need a mechanism for recording Notification information as a hedge against lost notifications, whether there are Traps or Informs that may be exceeding retransmission limits.
Chapter 5 | SNMP Commands Additional Trap Commands Command Usage Once the rising alarm threshold is exceeded, utilization must drop beneath the falling threshold before the alarm is terminated, and then exceed the rising threshold again before another alarm is triggered. Example Console(config)#memory rising 80 Console(config)#memory falling 60...
Remote Monitoring Commands Remote Monitoring allows a remote device to collect information or respond to specified events on an independent basis. This switch is an RMON-capable device which can independently perform a wide range of tasks, significantly reducing network management traffic. It can continuously run diagnostics and log information on network performance.
Chapter 6 | Remote Monitoring Commands rmon alarm This command sets threshold bounds for a monitored variable. Use the no form to remove an alarm. Syntax rmon alarm index variable interval {absolute | delta} rising-threshold threshold [event-index] falling-threshold threshold [event-index] [owner name] no rmon alarm index index –...
Chapter 6 | Remote Monitoring Commands generated until the sampled value has fallen below the rising threshold, reaches the falling threshold, and again moves back up to the rising threshold. ◆ If the current value is less than or equal to the falling threshold, and the last sample value was greater than this threshold, then an alarm will be generated.
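The rising/falling rules described above for rmon alarm, and the same hysteresis used by the memory rising/falling thresholds in the previous chapter, form a small state machine. The Python class below is an added example, not from the manual, implementing it per RFC 2819: a rising event fires when a sample crosses the rising threshold from below and is then suppressed until a falling event has occurred (and the reverse for falling events); absolute and delta sampling are both supported, and the startup option chooses which event the first sample may raise. The sample series are constructed.

```python
class ThresholdAlarm:
    """Rising/falling threshold alarm with hysteresis (RFC 2819 alarm group).

    mode     "absolute": compare each sample; "delta": compare the change
             between successive samples (as for packet counters).
    startup  which event the first valid sample may raise: "rising",
             "falling" or "rising-or-falling" (the RFC 2819 default).
    """

    def __init__(self, rising, falling, mode="absolute", startup="rising-or-falling"):
        if falling > rising:
            raise ValueError("falling threshold must not exceed rising threshold")
        if mode not in ("absolute", "delta"):
            raise ValueError("mode must be 'absolute' or 'delta'")
        self.rising, self.falling = rising, falling
        self.mode, self.startup = mode, startup
        self.prev_raw = None      # previous raw sample (delta mode only)
        self.last = None          # previous compared value
        self.last_event = None    # "rising" or "falling"

    def sample(self, raw):
        """Feed one sample; return "rising", "falling" or None."""
        if self.mode == "delta":
            if self.prev_raw is None:       # no delta available yet
                self.prev_raw = raw
                return None
            value, self.prev_raw = raw - self.prev_raw, raw
        else:
            value = raw

        event = None
        if self.last is None:               # first compared value: startup rule
            if value >= self.rising and self.startup in ("rising", "rising-or-falling"):
                event = "rising"
            elif value <= self.falling and self.startup in ("falling", "rising-or-falling"):
                event = "falling"
        else:
            crossed_up = value >= self.rising and self.last < self.rising
            crossed_down = value <= self.falling and self.last > self.falling
            # After a rising event, no further rising event until a falling
            # event has occurred, and the reverse for falling events.
            if crossed_up and self.last_event != "rising":
                event = "rising"
            elif crossed_down and self.last_event != "falling":
                event = "falling"

        if event is not None:
            self.last_event = event
        self.last = value
        return event


def run_alarm(samples, rising, falling, mode="absolute", startup="rising-or-falling"):
    """Return [(sample_index, event), ...] for a constructed series."""
    alarm = ThresholdAlarm(rising, falling, mode, startup)
    events = []
    for i, s in enumerate(samples):
        e = alarm.sample(s)
        if e is not None:
            events.append((i, e))
    return events


if __name__ == "__main__":
    # memory rising 80 / falling 60 over a utilization series (percent)
    print(run_alarm([50, 85, 90, 70, 55, 82], 80, 60, startup="rising"))
    # rmon alarm in delta mode over a packet counter
    print(run_alarm([0, 100, 250, 300, 600], 200, 100, mode="delta"))
```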
Chapter 6 | Remote Monitoring Commands Command Usage ◆ If an event is already defined for an index, the entry must be deleted before any changes can be made with this command. ◆ The specified events determine the action to take when an alarm triggers this event.
Chapter 6 | Remote Monitoring Commands ◆ The information collected for each sample includes: input octets, packets, broadcast packets, multicast packets, undersize packets, oversize packets, fragments, jabbers, CRC alignment errors, collisions, drop events, and network utilization. ◆ The switch reserves two controlEntry index entries for each port. If a default index entry is re-assigned to another port by this command, the show running-config...
Chapter 6 | Remote Monitoring Commands Command Usage ◆ By default, each index number equates to a port on the switch, but can be changed to any number not currently in use. ◆ If statistics collection is already enabled on an interface, the entry must be deleted before any changes can be made with this command.
Chapter 6 | Remote Monitoring Commands show rmon history This command shows the sampling parameters configured for each entry in the history group. Command Mode Privileged Exec Example Console#show rmon history Entry 1 is valid, and owned by Monitors 1.3.6.1.2.1.2.2.1.1.1 every 1800 seconds Requested # of time intervals, ie buckets, is 8 Granted # of time intervals, ie buckets, is 8 Sample # 1 began measuring at 00:00:01...
Authentication Commands
You can configure this switch to authenticate users logging into the system for management access using local or remote authentication methods.

Table 35: Authentication Commands
Command Group            Function
User Accounts            Configures the basic user names and passwords for management access
Authentication Sequence  Defines logon authentication method and precedence...

Chapter 7 | Authentication Commands

User Accounts
The basic commands required for management access are listed in this section. This switch also includes other options for password checking via the console or a Telnet connection (page 142), and user authentication via a remote authentication server (page 211).

Example
Console(config)#enable password level 15 0 admin
Console(config)#

Related Commands
enable (97)
authentication enable (214)

username
This command adds named users, requires authentication at login, specifies or changes a user's password (or specifies that no password is required), or specifies or changes a user's access level.

Command Usage
The encrypted password is required for compatibility with legacy password settings (i.e., plain text or encrypted) when reading the configuration file during system bootup or when downloading the configuration file from an FTP server. There is no need for you to manually configure encrypted passwords.

Authentication Sequence

Command Usage
◆ RADIUS uses UDP while TACACS+ uses TCP. UDP only offers best effort delivery, while TCP offers a connection-oriented transport. Also, note that RADIUS encrypts only the password in the access-request packet from the client to the server, while TACACS+ encrypts the entire body of the packet.
◆ RADIUS and TACACS+ logon authentication assigns a specific privilege level for each user name and password pair. The user name, password, and privilege level must be configured on the authentication server.
◆ You can specify three authentication methods in a single command to indicate the authentication sequence.
RADIUS Client

radius-server acct-port
This command sets the RADIUS server network port for accounting messages. Use the no form to restore the default.

Syntax
radius-server acct-port port-number
no radius-server acct-port
port-number - RADIUS server UDP port used for accounting messages. (Range: 1-65535)

Default Setting
1813...

radius-server host
This command specifies primary and backup RADIUS servers, and authentication and accounting parameters that apply to each server. Use the no form to remove a specified server, or to restore the default values.

Syntax
[no] radius-server index host host-ip-address [acct-port acct-port] [auth-port auth-port] [key key] [retransmit retransmit] [timeout timeout]...

radius-server key
This command sets the RADIUS encryption key. Use the no form to restore the default.

Syntax
radius-server key key-string
no radius-server key
key-string - Encryption key used to authenticate logon access for client. Enclose any string containing blank spaces in double quotes.

radius-server timeout
This command sets the interval between transmitting authentication requests to the RADIUS server. Use the no form to restore the default.

Syntax
radius-server timeout number-of-seconds
no radius-server timeout
number-of-seconds - Number of seconds the switch waits for a reply before resending a request.
RADIUS Server Group:
 Group Name                Member Index
 ------------------------- -------------
 radius
Console#

TACACS+ Client
Terminal Access Controller Access Control System (TACACS+) is a logon authentication protocol that uses software running on a central server to control access to TACACS-aware devices on the network.

Default Setting

Command Mode
Global Configuration

Example
Console(config)#tacacs-server port 181
Console(config)#

tacacs-server retransmit
This command sets the number of retries. Use the no form to restore the default.

Syntax
tacacs-server retransmit number-of-retries
no tacacs-server retransmit
number-of-retries - Number of times the switch will try to authenticate logon access via the TACACS+ server.

Example
Console(config)#tacacs-server timeout 10
Console(config)#

show tacacs-server
This command displays the current settings for the TACACS+ server.

Default Setting
None

Command Mode
Privileged Exec

Example
Console#show tacacs-server
Remote TACACS+ Server Configuration:
 Global Settings:
  Server Port Number : 49
  Retransmit Times
  Timeout...

Web Server

Note: Users are automatically logged off of the HTTP server or HTTPS server if no input is detected for 300 seconds.

ip http port
This command specifies the TCP port number used by the web browser interface. Use the no form to use the default port.

Related Commands
ip http port (225)
show system (120)

ip http secure-port
This command specifies the UDP port number used for HTTPS connection to the switch’s web interface. Use the no form to restore the default port.

Syntax
ip http secure-port port-number
no ip http secure-port...
Command Mode
Global Configuration

Command Usage
◆ Both HTTP and HTTPS service can be enabled independently on the switch. However, you cannot configure the HTTP and HTTPS servers to use the same UDP port.
◆...

Telnet Server
This section describes commands used to configure Telnet management access to the switch.

Table 43: Telnet Server Commands
Command                 Function                                                                                Mode
ip telnet max-sessions  Specifies the maximum number of Telnet sessions that can simultaneously connect to this system
ip telnet port          Specifies the port to be used by the Telnet interface...

ip telnet port
This command specifies the TCP port number used by the Telnet interface. Use the no form to use the default port.

Syntax
ip telnet port port-number
no telnet port
port-number - The TCP port number to be used by the browser interface. (Range: 1-65535)

Default Setting

Command Mode...

Example
Console#show ip telnet
IP Telnet Configuration:
 Telnet Status: Enabled
 Telnet Service Port: 23
 Telnet Max Session: 4
Console#

Secure Shell
This section describes the commands used to configure the SSH server. Note that you also need to install a SSH client on the management station when using this protocol to configure the switch.
Configuration Guidelines
The SSH server on this switch supports both password and public key authentication. If password authentication is specified by the SSH client, then the password can be authenticated either locally or via a RADIUS or TACACS+ remote authentication server, as specified by the authentication login command.
Password Authentication (for SSH v1.5 or V2 Clients)
The client sends its password to the server. The switch compares the client's password to those stored in memory. If a match is found, the connection is allowed.

Note: To use SSH with only password authentication, the host public key must still be given to the client, either during initial connection or manually entered into the...

Note: The SSH server can be accessed using any configured IPv4 or IPv6 interface address on the switch.

ip ssh authentication-
This command configures the number of times the SSH server attempts to reauthenticate a user.

◆ The SSH server uses DSA or RSA for key exchange when the client first establishes a connection with the switch, and then negotiates with the client to select either DES (56-bit) or 3DES (168-bit) for data encryption.
◆...

ip ssh timeout
This command configures the timeout for the SSH server. Use the no form to restore the default setting.

Syntax
ip ssh timeout seconds
no ip ssh timeout
seconds – The timeout for client response during SSH negotiation. (Range: 1-120)

Default Setting
10 seconds...

Related Commands
ip ssh crypto host-key generate (236)

show ip ssh
This command displays the connection settings used when authenticating client access to the SSH server.

Command Mode
Privileged Exec

Example
Console#show ip ssh
SSH Enabled - Version 2.0
Negotiation Timeout : 120 seconds;...
802.1X Port Authentication
The switch supports IEEE 802.1X (dot1x) port-based access control that prevents unauthorized access to the network by requiring users to first submit credentials for authentication. Client authentication is controlled centrally by a RADIUS server using EAP (Extensible Authentication Protocol).

General Commands

dot1x default
This command sets all configurable dot1x authenticator global and port settings to their default values.

Command Mode
Global Configuration

Example
Console(config)#dot1x default
Console(config)#

dot1x eapol-pass-through
This command passes EAPOL frames through to all ports in STP forwarding state when dot1x is globally disabled.

Command Usage
◆ When this device is functioning as an intermediate node in the network and does not need to perform dot1x authentication, the dot1x eapol pass-through command can be used to forward EAPOL frames from other switches on to the authentication servers, thereby allowing the authentication process to still be carried out by switches located on the edge of the network.

Authenticator Commands

dot1x intrusion-action
This command sets the port’s response to a failed authentication, either to block all traffic, or to assign all traffic for the port to a guest VLAN. Use the no form to reset the default.

Command Mode
Interface Configuration

Example
Console(config)#interface eth 1/2
Console(config-if)#dot1x max-reauth-req 2
Console(config-if)#

dot1x max-req
This command sets the maximum number of times the switch port will retransmit an EAP request/identity packet to the client before it times out the authentication session.

mac-based – Allows multiple hosts to connect to this port, with each host needing to be authenticated.

Default
Single-host

Command Mode
Interface Configuration

Command Usage
◆ The “max-count” parameter specified by this command is only effective if the dot1x mode is set to “auto”...

Command Mode
Interface Configuration

Example
Console(config)#interface eth 1/2
Console(config-if)#dot1x port-control auto
Console(config-if)#

dot1x re-authentication
This command enables periodic re-authentication for a specified port. Use the no form to disable re-authentication.

Syntax
[no] dot1x re-authentication

Command Mode
Interface Configuration

Command Usage...

Default
60 seconds

Command Mode
Interface Configuration

Example
Console(config)#interface eth 1/2
Console(config-if)#dot1x timeout quiet-period 350
Console(config-if)#

dot1x timeout re-authperiod
This command sets the time period after which a connected client must be re-authenticated.

Command Mode
Interface Configuration

Command Usage
This command sets the timeout for EAP-request frames other than EAP-request/identity frames. If dot1x authentication is enabled on a port, the switch will initiate authentication when the port link state comes up. It will send an EAP-request/identity frame to the client to request its identity, followed by one or more requests for authentication information.

dot1x re-authenticate
This command forces re-authentication on all ports or a specific interface.

Syntax
dot1x re-authenticate [interface]
interface
 ethernet unit/port
  unit - Unit identifier. (Range: 1)
  port - Port number. (Range: 1-32/54)

Command Mode
Privileged Exec

Command Usage...
Command Usage
This command displays the following information:
◆ Global 802.1X Parameters – Shows whether or not 802.1X port authentication is globally enabled on the switch (page 242).
◆ Authenticator Parameters – Shows whether or not EAPOL pass-through is enabled (page 241).
◆ Backend State Machine
 ■ State – Current state (including request, response, success, fail, timeout, idle, initialize).
 ■ Request Count – Number of EAP Request packets sent to the Supplicant without receiving a response.
 ■ Identifier (Server) –...

Backend State Machine
 State              : Idle
 Request Count
 Identifier(Server)
Reauthentication State Machine
 State              : Initialize
Console#

Management IP Filter
This section describes commands used to configure IP management access to the switch.

Table 47: Management IP Filter Commands
Command   Function...

Command Usage
◆ The management interfaces are open to all IP addresses by default. Once you add an entry to a filter list, access to that interface is restricted to the specified addresses.
Example
Console#show management all-client
Management Ip Filter
HTTP-Client:
  Start IP address  End IP address
  -----------------------------------------------
  1. 192.168.1.19   192.168.1.19
  2. 192.168.1.25   192.168.1.30

SNMP-Client:
  Start IP address  End IP address
  -----------------------------------------------
  1. 192.168.1.19   192.168.1.19
  2.
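The rule in the Command Usage above (open to everyone until the first entry exists, then restricted to the listed ranges) is worth checking offline when auditing a switch configuration against the addresses that actually manage it. The following added example, not part of this guide or the switch software, loads the filter lists shown in the `show management all-client` output as constructed data and answers "would this client be admitted?" for each management interface; the `telnet` list with no entries is a constructed case showing the default-open behaviour.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed filter lists mirroring the 'show management all-client' output:
# one list per management client type, each entry a start/end address range.
FILTERS: Dict[str, List[Tuple[str, str]]] = {
    "http": [("192.168.1.19", "192.168.1.19"), ("192.168.1.25", "192.168.1.30")],
    "snmp": [("192.168.1.19", "192.168.1.19")],
    "telnet": [],   # no entries: this interface stays open to every address
}


def is_allowed(client_type: str, source_ip: str,
               filters: Dict[str, List[Tuple[str, str]]] = FILTERS) -> bool:
    """Apply the page's rule: an interface with no filter entries is open to all
    addresses; once it has entries, only addresses inside a listed range pass."""
    entries = filters.get(client_type, [])
    if not entries:
        return True
    addr = ipaddress.ip_address(source_ip)
    for start, end in entries:
        lo, hi = ipaddress.ip_address(start), ipaddress.ip_address(end)
        if lo > hi:
            raise ValueError(f"range {start}-{end} is reversed")
        # An IPv6 client never matches an IPv4 range and vice versa.
        if lo.version == addr.version and lo <= addr <= hi:
            return True
    return False


def audit(attempts: List[Tuple[str, str]],
          filters: Dict[str, List[Tuple[str, str]]] = FILTERS) -> List[Tuple[str, str]]:
    """Return the (client_type, ip) attempts this filter set would reject, for
    comparing a device's lists against observed management connections."""
    return [(c, ip) for c, ip in attempts if not is_allowed(c, ip, filters)]


if __name__ == "__main__":
    # Constructed log of management connection attempts.
    attempts = [("http", "192.168.1.27"), ("http", "192.168.1.31"),
                ("snmp", "192.168.1.25"), ("telnet", "10.0.0.1")]
    print(audit(attempts))
```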
General Security Measures
This switch provides port-based traffic segmentation to segregate traffic for clients attached to each of the data ports.

Table 48: General Security Commands
Command Group                Function
Port Security                Configures secure addresses for a port
802.1X Port Authentication*  Configures host authentication on specific ports using 802.1X
Network Access*...

Chapter 8 | General Security Measures

Port Security
These commands can be used to enable port security on a port. When MAC address learning is disabled on an interface, only incoming traffic with source addresses already stored in the dynamic or static address table for this port will be authorized to access the network.

... the static address table will be accepted, all other packets are dropped. Note that the dynamic addresses stored in the address table when MAC address learning is disabled are flushed from the system, and no dynamic addresses are subsequently learned until MAC address learning has been re-enabled.
Command Usage
◆ The default maximum number of MAC addresses allowed on a secure port is zero (that is, port security is disabled). To use port security, you must configure the maximum number of addresses allowed on a port using the port security max-mac-count command.

Example
The following example enables port security for port 5, and sets the response to a security violation to issue a trap message:
Console(config)#interface ethernet 1/5
Console(config-if)#port security action trap

Related Commands
show interfaces status (376)
shutdown (364)
mac-address-table static (438)
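To make the interaction between `max-mac-count` and the violation action concrete, here is an added example (written for this page; it is not the switch implementation) that models a secure port: a count of zero leaves the port unsecured, the first `max_mac_count` source addresses are learned, and any further address is an intrusion answered with a trap, a shutdown, or both. The action names `none`, `trap`, `shutdown` and `trap-and-shutdown` are assumed for the model; only `trap` appears in the example above.

```python
from dataclasses import dataclass, field
from typing import List, Set


@dataclass
class SecurePort:
    """Constructed model of a port-security port, not switch code.

    max_mac_count 0 means port security is off. Once it is set, only the first
    max_mac_count source MACs are learned; any further MAC is an intrusion
    handled by action: 'none', 'trap', 'shutdown' or 'trap-and-shutdown'
    (action names assumed for the model).
    """
    name: str
    max_mac_count: int = 0
    action: str = "none"
    learned: Set[str] = field(default_factory=set)
    link_up: bool = True
    traps: List[str] = field(default_factory=list)

    def enabled(self) -> bool:
        return self.max_mac_count > 0

    def ingress(self, src_mac: str) -> bool:
        """Return True if a frame from src_mac is forwarded, False if dropped."""
        src_mac = src_mac.lower()
        if not self.link_up:
            return False                      # a shut-down port forwards nothing
        if not self.enabled():
            return True                       # security disabled: learn freely
        if src_mac in self.learned:
            return True                       # already a secure address
        if len(self.learned) < self.max_mac_count:
            self.learned.add(src_mac)         # room left: learn it as secure
            return True
        # Table full: this frame is a security violation.
        if "trap" in self.action:
            self.traps.append(f"{self.name}: intrusion from {src_mac}")
        if "shutdown" in self.action:
            self.link_up = False
        return False


def replay(port: SecurePort, sources: List[str]) -> List[bool]:
    """Feed a constructed sequence of source MACs and record each decision."""
    return [port.ingress(m) for m in sources]


if __name__ == "__main__":
    p = SecurePort("eth 1/5", max_mac_count=2, action="trap")
    print(replay(p, ["00-10-22-00-00-01", "00-10-22-00-00-02", "00-10-22-00-00-03"]))
    print(p.traps)
```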
Table 50: show port security - display description
Field          Description
Port Security  The configured status (enabled or disabled).
Port Status    The operational status:
               ◆ Secure/Down – Port security is disabled.
               ◆ Secure/Up – Port security is enabled.
               ◆...

 MAC Filter                       : Disabled
 Last Intrusion MAC               : 00-10-22-00-00-01
 Last Time Detected Intrusion MAC : 2010/7/29 15:13:03
Console#

Network Access (MAC Address Authentication)
Network Access authentication controls access to the network by authenticating the MAC address of each host that attempts to connect to a switch port.

Table 51: Network Access Commands (Continued)
Command                                Function                                                       Mode
show network-access mac-address-table  Displays information for entries in the secure MAC address table
show network-access mac-filter         Displays information for entries in the MAC filter tables

network-access aging
Use this command to enable aging for authenticated MAC addresses stored in the secure MAC address table.
network-access mac-filter
Use this command to add a MAC address into a filter table. Use the no form of this command to remove the specified MAC address.

Syntax
[no] network-access mac-filter filter-id mac-address mac-address [mask mask-address]
filter-id - Specifies a MAC address filter table.

Command Mode
Global Configuration

Command Usage
◆ The reauthentication time is a global setting and applies to all ports.
◆ When the reauthentication time expires for a secure MAC address it is removed by the switch from the secure MAC table, and the switch will only perform the authentication process the next time it receives the MAC address packet.

◆ When the last user logs off of a port with a dynamic QoS assignment, the switch restores the original QoS configuration for the port.
◆ When a user attempts to log into the network with a returned dynamic QoS profile that is different from users already logged on to the same port, the user is denied access.

◆ When the dynamic VLAN assignment status is changed on a port, all authenticated addresses are cleared from the secure MAC address table.

Example
The following example enables dynamic VLAN assignment on port 1.
Console(config)#interface ethernet 1/1
Console(config-if)#network-access dynamic-vlan
Console(config-if)#...

network-access link-detection
Use this command to enable link detection for the selected port. Use the no form of this command to restore the default.

Syntax
[no] network-access link-detection

Default Setting
Disabled

Command Mode
Interface Configuration...

network-access link-detection link-up
Use this command to detect link-up events. When detected, the switch can shut down the port, send an SNMP trap, or both. Use the no form of this command to disable this feature.

Example
Console(config)#interface ethernet 1/1
Console(config-if)#network-access link-detection link-up-down action trap
Console(config-if)#

network-access max-mac-count
Use this command to set the maximum number of MAC addresses that can be authenticated on a port interface via all forms of authentication. Use the no form of this command to restore the default.
Command Usage
◆ When enabled on a port, the authentication process sends a Password Authentication Protocol (PAP) request to a configured RADIUS server. The user name and password are both equal to the MAC address being authenticated.
◆...

Command Mode
Interface Configuration

Command Usage
◆ Entries in the MAC address filter table can be configured with the network-access mac-filter command.
◆ Only one filter table can be assigned to a port.

Example
Console(config)#interface ethernet 1/1
Console(config-if)#network-access port-mac-filter 1...

Default Setting
Displays the settings for all interfaces.

Command Mode
Privileged Exec

Example
Console#show network-access interface ethernet 1/1
Global secure port information
 Reauthentication Time : 1800
 MAC Address Aging     : Enabled

Port : 1/1
 MAC Authentication...
Command Mode
Privileged Exec

Command Usage
When using a bit mask to filter displayed MAC addresses, a 1 means “care” and a 0 means “don't care”. For example, a MAC of 00-00-01-02-03-04 and mask FF-FF-FF-00-00-00 would result in all MACs in the range 00-00-01-00-00-00 to 00-00-01-FF-FF-FF being displayed.
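The same care/don't-care mask semantics apply to the `mask` argument of `network-access mac-filter`, so it helps to be able to compute, before committing a filter entry, exactly which addresses it will select. The following added example (not from this guide or the switch) implements the bitwise match and derives the lowest and highest address a pattern/mask pair covers; it reproduces the page's own example and, going beyond it, also handles a non-contiguous mask such as FF-FF-FF-FF-FF-FE, where the covered addresses are not one continuous range and only the match function, not the range, is meaningful.

```python
from typing import List, Tuple

MAC_BITS = 0xFFFFFFFFFFFF


def mac_to_int(mac: str) -> int:
    """Parse 'AA-BB-CC-DD-EE-FF' (dash or colon separated) into an integer."""
    digits = mac.replace("-", "").replace(":", "")
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {mac}")
    return int(digits, 16)


def int_to_mac(value: int) -> str:
    """Render an integer as the dash-separated, upper-case form the CLI prints."""
    return "-".join(f"{(value >> shift) & 0xFF:02X}" for shift in range(40, -1, -8))


def mac_matches(mac: str, pattern: str, mask: str) -> bool:
    """A 1 bit in the mask means 'care': that bit of mac must equal the pattern's."""
    m = mac_to_int(mask)
    return (mac_to_int(mac) & m) == (mac_to_int(pattern) & m)


def mac_range(pattern: str, mask: str) -> Tuple[str, str]:
    """Lowest and highest address selected by pattern/mask.

    For a contiguous (prefix-style) mask every address between the two matches;
    for a non-contiguous mask the bounds are still correct but addresses in
    between may not match, so use mac_matches() to decide membership.
    """
    p, m = mac_to_int(pattern), mac_to_int(mask)
    low = p & m                        # don't-care bits cleared
    high = low | (~m & MAC_BITS)       # don't-care bits set
    return int_to_mac(low), int_to_mac(high)


def select(entries: List[str], pattern: str, mask: str) -> List[str]:
    """Filter a list of addresses (e.g. a dumped secure MAC table) by pattern/mask."""
    return [e for e in entries if mac_matches(e, pattern, mask)]


if __name__ == "__main__":
    # The page's example: care about the first three octets only.
    print(mac_range("00-00-01-02-03-04", "FF-FF-FF-00-00-00"))
    # Constructed table dump filtered by that same pattern/mask.
    table = ["00-00-01-AA-BB-CC", "00-00-02-00-00-00", "00-00-01-00-00-01"]
    print(select(table, "00-00-01-02-03-04", "FF-FF-FF-00-00-00"))
```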
Web Authentication
... name and password authentication via RADIUS. Once authentication is successful, the web browser is forwarded on to the originally requested web page. Successful authentication is valid for all hosts connected to the port.

Note: RADIUS authentication must be activated and configured for the web authentication feature to work properly (see...

Command Mode
Global Configuration

Example
Console(config)#web-auth login-attempts 2
Console(config)#

web-auth quiet-period
This command defines the amount of time a host must wait after exceeding the limit for failed login attempts, before it may attempt web authentication again. Use the no form to restore the default.

Command Mode
Global Configuration

Example
Console(config)#web-auth session-timeout 1800
Console(config)#

web-auth system-auth-control
This command globally enables web authentication for the switch. Use the no form to restore the default.

Syntax
[no] web-auth system-auth-control

Default Setting
Disabled

Command Mode...

Example
Console(config-if)#web-auth
Console(config-if)#

web-auth re-authenticate (Port)
This command ends all web authentication sessions connected to the port and forces the users to re-authenticate.

Syntax
web-auth re-authenticate interface interface
interface - Specifies a port interface.
 ethernet unit/port
  unit - Unit identifier.

Example
Console#web-auth re-authenticate interface ethernet 1/2 192.168.1.5
Console#

show web-auth
This command displays global web authentication parameters.

Command Mode
Privileged Exec

Example
Console#show web-auth
Global Web-Auth Parameters
 System Auth Control : Enabled
 Session Timeout     : 3600
 Quiet Period...

show web-auth summary
This command displays a summary of web authentication port parameters and statistics.

Command Mode
Privileged Exec

Example
Console#show web-auth summary
Global Web-Auth Parameters
 System Auth Control : Enabled
Port  Status  Authenticated Host Count
----...

DHCPv4 Snooping

Table 54: DHCP Snooping Commands (Continued)
Command                                Function                                                   Mode
clear ip dhcp snooping binding         Clears DHCP snooping binding table entries from RAM
clear ip dhcp snooping database flash  Removes all dynamically learned snooping entries from flash memory.
◆ Filtering rules are implemented as follows:
 ■ If global DHCP snooping is disabled, all DHCP packets are forwarded.
 ■ If DHCP snooping is enabled globally, and also enabled on the VLAN where...

Example
This example enables DHCP snooping globally for the switch.
Console(config)#ip dhcp snooping
Console(config)#

Related Commands
ip dhcp snooping vlan (288)
ip dhcp snooping trust (290)

ip dhcp snooping information option
This command enables the use of DHCP Option 82 information for the switch, and specifies the frame format to use for the remote-id when Option 82 information is generated by the switch.

... compatible DHCP servers to use the information when assigning IP addresses, or to set other services or policies for clients.
◆ When the DHCP Snooping Information Option 82 is enabled, the requesting client (or an intermediate relay agent that has used the information fields to describe itself) can be identified in the DHCP request packets forwarded by the switch and in reply packets sent back from the DHCP server.

Command Usage
See the Command Usage section under the ip dhcp snooping information option circuit-id command for a description of how these fields are included in TR-101 syntax.

Example
This example enables the use of sub-type and sub-length fields for the circuit-ID (CID) and remote-ID (RID).

ip dhcp snooping information policy
This command sets the DHCP snooping information option policy for DHCP client packets that include Option 82 information. Use the no form to restore the default setting.

Syntax
ip dhcp snooping information policy {drop | keep | replace}
no ip dhcp snooping information policy...

Command Mode
Global Configuration

Example
This example sets the DHCP snooping rate limit to 100 packets per second.
Console(config)#ip dhcp snooping limit rate 100
Console(config)#

ip dhcp snooping verify mac-address
This command verifies the client’s hardware address stored in the DHCP packet against the source MAC address in the Ethernet header.

ip dhcp snooping vlan
This command enables DHCP snooping on the specified VLAN. Use the no form to restore the default setting.

Syntax
[no] ip dhcp snooping vlan vlan-id
vlan-id - ID of a configured VLAN (Range: 1-4094)

Default Setting
Disabled

Command Mode...
Default Setting
VLAN-Unit-Port

Command Mode
Interface Configuration (Ethernet, Port Channel)

Command Usage
◆ DHCP provides a relay mechanism for sending information about the switch and its DHCP clients to the DHCP server. DHCP Option 82 allows compatible DHCP servers to use the information when assigning IP addresses, to set other services or policies for clients.

Example
This example sets the DHCP Snooping Information circuit-id suboption string.
Console(config)#interface ethernet 1/1
Console(config-if)#ip dhcp snooping information option circuit-id string 4500
Console(config-if)#

ip dhcp snooping trust
This command configures the specified interface as trusted. Use the no form to restore the default setting.

Related Commands
ip dhcp snooping (281)
ip dhcp snooping vlan (288)

clear ip dhcp snooping binding
This command clears DHCP snooping binding table entries from RAM. Use this command without any optional keywords to clear all entries from the binding table.

Example
Console#clear ip dhcp snooping database flash
Console#

show ip dhcp snooping
This command shows the DHCP snooping configuration settings.

Command Mode
Privileged Exec

Example
Console#show ip dhcp snooping
Global DHCP Snooping status: disabled
DHCP Snooping Information Option Status: disabled
DHCP Snooping Information Option Sub-option Format: extra subtype included
DHCP Snooping Information Option Remote ID: MAC Address (hex encoded)

DHCPv6 Snooping
DHCPv6 snooping allows a switch to protect a network from rogue DHCPv6 servers or other devices which send port-related information to a DHCPv6 server. This information can be useful in tracking an IP address back to a physical port. This section describes commands used to configure DHCPv6 snooping.
... wall. When DHCPv6 snooping is enabled globally by this command, and enabled on a VLAN interface by the ipv6 dhcp snooping vlan command, DHCP messages received on an untrusted interface (as specified by the no ipv6 dhcp snooping trust command) from a device not listed in the DHCPv6 snooping...
◆ DHCP Server Packet
 ■ If a DHCP server packet is received on an untrusted port, drop this packet and add a log entry in the system.
 ■ If a DHCPv6 Reply packet is received from a server on a trusted port, it...
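The DHCPv4 and DHCPv6 filtering rules on this page share the same shape: nothing is filtered while snooping is globally off, a server-side message arriving on an untrusted port is dropped and logged, and, for DHCPv4, `ip dhcp snooping verify mac-address` additionally compares the client hardware address inside the message with the Ethernet source address. The following added example (written for this page, not switch code) applies those rules to constructed messages so the effect of the trust and verify settings can be seen at a glance. Where the page text is truncated the example fills in with stated assumptions: messages on a VLAN where snooping is not enabled are forwarded, and the hardware-address check is applied only on untrusted ports.

```python
from dataclasses import dataclass, field
from typing import List, Set

# Server-side message types for DHCPv4 (OFFER/ACK/NAK) and DHCPv6 (ADVERTISE/REPLY).
SERVER_MESSAGES = {"OFFER", "ACK", "NAK", "ADVERTISE", "REPLY"}


@dataclass
class DhcpMessage:
    """Constructed view of the fields the filtering rules look at."""
    msg_type: str      # DISCOVER/REQUEST/OFFER/ACK (v4), SOLICIT/ADVERTISE/REPLY (v6)
    eth_src: str       # source MAC in the Ethernet header
    chaddr: str        # client hardware address carried inside the DHCP message
    vlan: int
    port: str


@dataclass
class SnoopingConfig:
    """Constructed model of the relevant snooping settings."""
    global_enabled: bool = False
    vlans: Set[int] = field(default_factory=set)          # ip dhcp snooping vlan
    trusted_ports: Set[str] = field(default_factory=set)  # ip dhcp snooping trust
    verify_mac: bool = False                              # ip dhcp snooping verify mac-address


def snoop(msg: DhcpMessage, cfg: SnoopingConfig, log: List[str]) -> str:
    """Return 'forward' or 'drop', appending a log line for every drop.

    Rule order follows the page where it is explicit (global off -> forward all;
    server packet on untrusted port -> drop and log; verify mac-address compares
    chaddr with the Ethernet source). Forwarding on a VLAN without snooping and
    applying the chaddr check only to untrusted ports are assumptions.
    """
    if not cfg.global_enabled or msg.vlan not in cfg.vlans:
        return "forward"
    if msg.port in cfg.trusted_ports:
        return "forward"                      # trusted: server and client traffic pass
    if msg.msg_type in SERVER_MESSAGES:
        log.append(f"drop {msg.msg_type} from {msg.eth_src} on untrusted port {msg.port}")
        return "drop"
    if cfg.verify_mac and msg.chaddr.lower() != msg.eth_src.lower():
        log.append(f"drop {msg.msg_type} on {msg.port}: chaddr {msg.chaddr} != src {msg.eth_src}")
        return "drop"
    return "forward"


def run(messages: List[DhcpMessage], cfg: SnoopingConfig) -> List[str]:
    """Decide every message in order; the log is discarded here for brevity."""
    log: List[str] = []
    return [snoop(m, cfg, log) for m in messages]


if __name__ == "__main__":
    # Constructed traffic: a rogue server on an access port, the real server on the
    # uplink, and a client whose chaddr does not match its frame source.
    cfg = SnoopingConfig(True, {10}, {"eth 1/24"}, verify_mac=True)
    msgs = [
        DhcpMessage("OFFER", "00-10-22-00-00-01", "00-10-22-00-00-01", 10, "eth 1/3"),
        DhcpMessage("OFFER", "00-10-22-00-00-aa", "00-10-22-00-00-aa", 10, "eth 1/24"),
        DhcpMessage("DISCOVER", "00-10-22-00-00-02", "00-10-22-00-00-99", 10, "eth 1/3"),
        DhcpMessage("DISCOVER", "00-10-22-00-00-02", "00-10-22-00-00-02", 10, "eth 1/3"),
    ]
    print(run(msgs, cfg))
```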
Example
This example enables DHCPv6 snooping globally for the switch.
Console(config)#ipv6 dhcp snooping
Console(config)#

Related Commands
ipv6 dhcp snooping vlan (298)
ipv6 dhcp snooping trust (299)

ipv6 dhcp snooping option remote-id
This command enables the insertion of remote-id option 37 information into DHCPv6 client messages.

 ■ If an incoming packet is a DHCPv6 request packet with option 37 information, it will modify the option 37 information according to settings specified with the ipv6 dhcp snooping option remote-id policy command.

Example
This example configures the switch to keep existing remote-id option 37 information within DHCPv6 client packets and forward it.
Console(config)#ipv6 dhcp snooping option remote-id policy keep
Console(config)#

ipv6 dhcp snooping vlan
This command enables DHCPv6 snooping on the specified VLAN. Use the no form to restore the default setting.

ipv6 dhcp snooping max-binding
This command sets the maximum number of entries which can be stored in the binding database for an interface. Use the no form to restore the default setting.

Syntax
ipv6 dhcp snooping max-binding count
no ipv6 dhcp snooping max-binding...

... VLAN according to the default status, or as specifically configured for an interface with the no ipv6 dhcp snooping trust command.
◆ When an untrusted port is changed to a trusted port, all the dynamic DHCPv6 snooping bindings associated with this port are removed.

IPv4 Source Guard

Table 57: IPv4 Source Guard Commands
Command                       Function                                                         Mode
show ip source-guard          Shows whether source guard is enabled or disabled on each interface
show ip source-guard binding  Shows the source guard binding table

ip source-guard
This command adds a static address to the source-guard ACL or MAC address...
◆ When source guard is enabled, traffic is filtered based upon dynamic entries learned via DHCP snooping, or static addresses configured in the source guard binding table with this command.
◆ An entry with same MAC address and a different VLAN ID cannot be added to the binding table.

ip source-guard
This command configures the switch to filter inbound traffic based on source IP address, or source IP address and corresponding MAC address. Use the no form to disable this function.

Syntax
ip source-guard {sip | sip-mac}
no ip source-guard...

... the sip-mac option). If a matching entry is found in the binding table and the entry type is static IP source guard binding, the packet will be forwarded.
 ■ If the DHCP snooping is enabled, IP source guard will check the VLAN ID,...
Chapter 8 | General Security Measures IPv4 Source Guard Command Mode Interface Configuration (Ethernet) Command Usage ◆ This command sets the maximum number of address entries that can be mapped to an interface in the binding table for the specified mode (ACL binding table or MAC address table) including dynamic entries discovered by DHCP snooping and static entries set by the ip source-guard...
Chapter 8 | General Security Measures IPv4 Source Guard Command Usage There are two modes for the filtering table: ◆ ACL - IP traffic will be forwarded if it passes the checking process in the ACL mode binding table. ◆ MAC - A MAC entry will be added in MAC address table if IP traffic passes the checking process in MAC mode binding table.
Chapter 8 | General Security Measures IPv4 Source Guard Example Console#show ip source-guard ACL Table MAC Table Interface Filter-type Filter-table Max-binding Max-binding --------- ----------- ------------ ----------- ----------- Eth 1/1 DISABLED 1024 Eth 1/2 DISABLED 1024 Eth 1/3 DISABLED 1024 Eth 1/4 DISABLED 1024 Eth 1/5...
Chapter 8 | General Security Measures IPv6 Source Guard IPv6 Source Guard IPv6 Source Guard is a security feature that filters IPv6 traffic on non-routed, Layer 2 network interfaces based on manually configured entries in the IPv6 Source Guard table, or dynamic entries in the Neighbor Discovery Snooping table or DHCPv6 Snooping table when either snooping protocol is enabled (see “DHCPv6 Snooping”...
Default Setting No configured entries Command Mode Global Configuration Command Usage ◆ Table entries include an associated MAC address, IPv6 global unicast address, lease time, entry type (Static-IP-SG-Binding, Dynamic-ND-Snooping, Dynamic-DHCPv6-Snooping), VLAN identifier, and port identifier. ◆...
ipv6 dhcp snooping (293) ipv6 dhcp snooping vlan (298) ipv6 source-guard This command configures the switch to filter inbound traffic based on the source IP address stored in the binding table. Use the no form to disable this function. Syntax ipv6 source-guard sip no ipv6 source-guard...
◆ Filtering rules are implemented as follows: ■ If ND snooping and DHCPv6 snooping are disabled, IPv6 source guard will check the VLAN ID, source IPv6 address, and port number. If a matching entry is found in the binding table and the entry type is static IPv6 source guard binding, the packet will be forwarded.
Command Mode Interface Configuration (Ethernet) Command Usage ◆ This command sets the maximum number of address entries that can be mapped to an interface in the binding table, including dynamic entries discovered by ND snooping or DHCPv6 snooping, and static entries set by the ipv6 source-guard command.
ipv6 source-guard binding This command adds a static address to the source-guard binding table. Use the no form to remove a static entry. Syntax ipv6 source-guard binding mac-address vlan vlan-id ipv6-address interface interface no ipv6 source-guard binding mac-address vlan vlan-id mac-address - A valid unicast MAC address.
◆ Static bindings are processed as follows: ■ If there is no entry with the same MAC address and IPv6 address, a new entry is added to the binding table using static IPv6 source guard binding. ■ If there is an entry with the same MAC address and IPv6 address, and the type...
◆ This command checks the VLAN ID, IPv6 global unicast source IP address, and port number against all entries in the binding table. Use the no ipv6 source-guard command to disable this function on the selected port. ◆...
Example This example enables IPv6 source guard on port 5. Console(config)#interface ethernet 1/5 Console(config-if)#ipv6 source-guard sip Console(config-if)# Related Commands ipv6 source-guard binding (310) ipv6 dhcp snooping (293) ipv6 dhcp snooping vlan (298) ipv6 source-guard max-binding This command sets the maximum number of entries that can be bound to an...
binding table reaches the newly configured maximum number of allowed bindings. Example This example sets the maximum number of allowed entries in the binding table for port 5 to one entry. Console(config)#interface ethernet 1/5 Console(config-if)#ipv6 source-guard max-binding 1 Console(config-if)#...
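The IPv6 source guard behaviour described above (binding-table lookup on VLAN, source address and port; static binding insertion; per-port max-binding), modelled as an added Python example that is not the switch's own code. Port names and MAC addresses are constructed, and the handling of dynamic entries and of an existing entry with the same MAC and IPv6 address is an assumption, since the manual text for those cases is cut off.

```python
"""Model of the IPv6 Source Guard binding table and inbound filter (added example)."""
from dataclasses import dataclass
from enum import Enum
from ipaddress import IPv6Address


class EntryType(Enum):
    # Entry types named in the manual's binding table description.
    STATIC = "Static-IP-SG-Binding"
    ND = "Dynamic-ND-Snooping"
    DHCPV6 = "Dynamic-DHCPv6-Snooping"


@dataclass
class Binding:
    mac: str
    vlan: int
    ipv6: IPv6Address
    port: str
    entry_type: EntryType


class IPv6SourceGuard:
    """Binding table shared by all ports, plus per-port guard state."""

    def __init__(self, nd_snooping: bool = False, dhcpv6_snooping: bool = False):
        self.nd_snooping = nd_snooping
        self.dhcpv6_snooping = dhcpv6_snooping
        self.entries: list[Binding] = []
        self.guarded_ports: set[str] = set()   # ports with 'ipv6 source-guard sip'
        self.max_binding: dict[str, int] = {}  # per-port 'ipv6 source-guard max-binding'

    def _count(self, port: str) -> int:
        return sum(1 for e in self.entries if e.port == port)

    def learn_dynamic(self, entry_type: EntryType, mac: str, vlan: int, ipv6: str, port: str) -> None:
        """Entry learned by ND or DHCPv6 snooping (the snooping itself is out of scope)."""
        self.entries.append(Binding(mac.lower(), vlan, IPv6Address(ipv6), port, entry_type))

    def add_static(self, mac: str, vlan: int, ipv6: str, port: str) -> str:
        """'ipv6 source-guard binding' as the manual describes it."""
        mac, addr = mac.lower(), IPv6Address(ipv6)
        for e in self.entries:
            if e.mac == mac and e.ipv6 == addr:
                # Manual: an entry with the same MAC and IPv6 already exists; the
                # rest of that rule is cut off, so we ASSUME the static binding
                # replaces it (assumption, not from the manual).
                e.vlan, e.port, e.entry_type = vlan, port, EntryType.STATIC
                return "replaced"
        limit = self.max_binding.get(port)
        if limit is not None and self._count(port) >= limit:
            return "rejected"  # max-binding reached for this port
        self.entries.append(Binding(mac, vlan, addr, port, EntryType.STATIC))
        return "added"

    def permit(self, port: str, vlan: int, src_ipv6: str) -> bool:
        """Inbound filter: VLAN ID, source IPv6 address and port checked against every entry."""
        if port not in self.guarded_ports:
            return True  # source guard not enabled on this port
        src = IPv6Address(src_ipv6)
        for e in self.entries:
            if (e.vlan, e.ipv6, e.port) != (vlan, src, port):
                continue
            if e.entry_type is EntryType.STATIC:
                return True  # stated in the manual
            # Dynamic entries: manual text is cut off; ASSUMPTION: they count only
            # while the snooping protocol that produced them is enabled.
            if e.entry_type is EntryType.ND and self.nd_snooping:
                return True
            if e.entry_type is EntryType.DHCPV6 and self.dhcpv6_snooping:
                return True
        return False


if __name__ == "__main__":
    sg = IPv6SourceGuard()
    sg.guarded_ports.add("Eth 1/5")           # ipv6 source-guard sip
    sg.max_binding["Eth 1/5"] = 1             # ipv6 source-guard max-binding 1
    print(sg.add_static("00-00-5E-00-53-01", 1, "2009:DB9:2229::79", "Eth 1/5"))
    print(sg.permit("Eth 1/5", 1, "2009:db9:2229::79"), sg.permit("Eth 1/5", 2, "2009:db9:2229::79"))
```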
Chapter 8 | General Security Measures ARP Inspection (Continued) Table 60: ARP Inspection Commands Command Function Mode show ip arp inspection statistics Shows statistics about the number of ARP packets processed, or dropped for various reasons show ip arp inspection vlan Shows configuration setting for VLANs, including ARP Inspection status, the ARP ACL name, and if the DHCP Snooping database is used after ACL validation is...
Example Console(config)#ip arp inspection Console(config)# ip arp inspection filter This command specifies an ARP ACL to apply to one or more VLANs. Use the no form to remove an ACL binding. Syntax ip arp inspection filter arp-acl-name vlan {vlan-id | vlan-range} [static] no ip arp inspection filter arp-acl-name vlan {vlan-id | vlan-range} arp-acl-name - Name of an ARP ACL.
ip arp inspection log-buffer logs This command sets the maximum number of entries saved in a log message, and the rate at which these messages are sent. Use the no form to restore the default settings.
ip arp inspection validate This command specifies additional validation of address components in an ARP packet. Use the no form to restore the default setting. Syntax ip arp inspection validate {dst-mac [ip [allow-zeros] [src-mac]] | ip [allow-zeros] [src-mac] | src-mac} no ip arp inspection validate dst-mac - Checks the destination MAC address in the Ethernet header...
vlan-range - A consecutive range of VLANs indicated by the use of a hyphen, or a random group of VLANs with each entry separated by a comma. Default Setting Disabled on all VLANs Command Mode Global Configuration Command Usage...
none - There is no limit on the number of ARP packets that can be processed by the CPU. Default Setting Command Mode Interface Configuration (Port, Static Aggregation) Command Usage ◆ This command applies to both trusted and untrusted ports. ◆...
show ip arp inspection configuration This command displays the global configuration settings for ARP Inspection. Command Mode Privileged Exec Example Console#show ip arp inspection configuration ARP Inspection Global Information: Global IP ARP Inspection Status : disabled Log Message Interval : 10 s Log Message Number...
show ip arp inspection log This command shows information about entries stored in the log, including the associated VLAN, port, and address components. Command Mode Privileged Exec Example Console#show ip arp inspection log Total log entries number is 1 Num VLAN Port Src IP Address Dst IP Address...
Chapter 8 | General Security Measures Port-based Traffic Segmentation Example Console#show ip arp inspection vlan 1 VLAN ID DAI Status ACL Name ACL Status -------- --------------- -------------------- -------------------- disabled sales static Console# Port-based Traffic Segmentation If tighter security is required for passing traffic from different clients through downlink ports on the local network and over uplink ports to the service provider, port-based traffic segmentation can be used to isolate traffic for individual clients.
Command Usage ◆ Traffic segmentation provides port-based security and isolation between ports within the VLAN. Data traffic on the downlink ports can only be forwarded to, and from, the designated uplink port(s). Data cannot pass between downlink ports in the same segmented group, nor to ports which do not belong to the same group.
traffic-segmentation session This command creates a traffic-segmentation client session. Use the no form to remove a client session. Syntax [no] traffic-segmentation session session-id session-id – Traffic segmentation session. (Range: 1-4) Default Setting None Command Mode Global Configuration...
Command Mode Global Configuration Command Usage ◆ A port cannot be configured in both an uplink and downlink list. ◆ A port can only be assigned to one traffic-segmentation session. ◆ When specifying an uplink or downlink, a list of ports may be entered by using a hyphen or comma in the port field.
Example This example enables forwarding of traffic between uplink ports assigned to different client sessions. Console(config)#traffic-segmentation uplink-to-uplink forwarding Console(config)# show traffic-segmentation This command displays the configured traffic segments. Command Mode Privileged Exec Example Console#show traffic-segmentation Private VLAN Status...
Access Control Lists Access Control Lists (ACL) provide packet filtering for IPv4 frames (based on address, protocol, Layer 4 protocol port number or TCP control code), IPv6 frames (based on address, DSCP traffic class, next header type, or flow label), or any frames (based on MAC address or Ethernet type).
Chapter 9 | Access Control Lists IPv4 ACLs access-list ip This command adds an IP access list and enters configuration mode for standard or extended IPv4 ACLs. Use the no form to remove the specified ACL. Syntax [no] access-list ip {standard | extended} acl-name standard –...
permit, deny (Standard IP ACL) This command adds a rule to a Standard IPv4 ACL. The rule sets a filter condition for packets emanating from the specified source. Use the no form to remove a rule. Syntax {permit | deny} {any | source bitmask | host source}...
permit, deny (Extended IPv4 ACL) This command adds a rule to an Extended IPv4 ACL. The rule sets a filter condition for packets with specific source or destination IP addresses, protocol types, source or destination protocol ports, or TCP control codes.
dport – Protocol destination port number. (Range: 0-65535) port-bitmask – Decimal number representing the port bits to match. (Range: 0-65535) control-flags – Decimal number (representing a bit string) that specifies flag bits in byte 14 of the TCP header. (Range: 0-63) flag-bitmask –...
Example This example accepts any incoming packets if the source address is within subnet 10.7.1.x. The rule matches when the masked rule address (10.7.1.0 & 255.255.255.0) equals the masked packet address (for example, 10.7.1.2 & 255.255.255.0), and the packet passes through. Console(config-ext-acl)#permit 10.7.1.1 255.255.255.0 any Console(config-ext-acl)# This allows TCP packets from class C addresses 192.168.1.0 to any destination...
Command Usage ◆ Only one ACL can be bound to a port. ◆ If an ACL is already bound to a port and you bind a different ACL to it, the switch will replace the old binding with the new one. Example Console(config)#int eth 1/2 Console(config-if)#ip access-group david in...
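The address-and-bitmask match just described, together with the control-flags/flag-bitmask test on byte 14 of the TCP header defined above, as an added Python example that is not the switch's own code. The rules are taken from this chapter's examples (permit 10.7.1.1 255.255.255.0 any; the standard list david; the extended list A6 with deny tcp any any control-flag 2 2); the packet values are constructed, and the implicit deny when no rule matches is an assumption.

```python
"""Matcher for the IPv4 ACL rule forms shown in this chapter (added example)."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional


def _addr(text: str) -> int:
    return int(IPv4Address(text))


@dataclass(frozen=True)
class Rule:
    action: str               # "permit" or "deny"
    src: int
    src_mask: int             # bitmask: only 1 bits are compared, i.e. (addr & mask)
    dst: int
    dst_mask: int
    protocol: Optional[str]   # None matches any protocol
    control_flags: int        # value of the TCP flag bits (byte 14 of the TCP header)
    flag_bitmask: int         # which of those bits are compared


def _parse_addr(spec: str) -> tuple[int, int]:
    """'any', 'host 10.1.1.21' or '10.7.1.1 255.255.255.0' -> (address, bitmask)."""
    parts = spec.split()
    if parts == ["any"]:
        return 0, 0                          # mask 0 compares no bits: matches everything
    if parts[0] == "host":
        return _addr(parts[1]), 0xFFFFFFFF   # all 32 bits must match
    addr, mask = parts
    return _addr(addr), _addr(mask)


def rule(action: str, src: str = "any", dst: str = "any", protocol: Optional[str] = None,
         control_flags: int = 0, flag_bitmask: int = 0) -> Rule:
    s, sm = _parse_addr(src)
    d, dm = _parse_addr(dst)
    return Rule(action, s, sm, d, dm, protocol, control_flags, flag_bitmask)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    protocol: str = "ip"      # "tcp", "udp", "icmp", ...
    tcp_flags: int = 0        # low 6 bits of TCP byte 14: URG ACK PSH RST SYN FIN


def matches(r: Rule, p: Packet) -> bool:
    """The page's test: (rule address & mask) == (packet address & mask), per direction."""
    if (_addr(p.src) & r.src_mask) != (r.src & r.src_mask):
        return False
    if (_addr(p.dst) & r.dst_mask) != (r.dst & r.dst_mask):
        return False
    if r.protocol is not None and r.protocol != p.protocol:
        return False
    # control-flags are compared only under the flag-bitmask (mask 0: no flag test)
    if r.flag_bitmask and (p.tcp_flags & r.flag_bitmask) != (r.control_flags & r.flag_bitmask):
        return False
    return True


def evaluate(acl: list[Rule], p: Packet) -> str:
    """First matching rule wins; a packet matching no rule is denied (assumption)."""
    for r in acl:
        if matches(r, p):
            return r.action
    return "deny"


# Rules quoted on this page (constructed lists built from them).
SUBNET_ACL = [rule("permit", "10.7.1.1 255.255.255.0", "any")]
DAVID = [rule("permit", "host 10.1.1.21"), rule("permit", "168.92.0.0 255.255.15.0")]
A6 = [rule("deny", protocol="tcp", control_flags=2, flag_bitmask=2),  # SYN bit set
      rule("permit")]

if __name__ == "__main__":
    print(evaluate(SUBNET_ACL, Packet("10.7.1.2", "192.0.2.9")))            # permit
    print(evaluate(A6, Packet("192.0.2.1", "192.0.2.9", "tcp", 0x02)))      # deny (SYN)
```

Note that 255.255.15.0 is a non-contiguous bitmask: 168.92.16.5 matches the david rule (16 & 15 == 0) while 168.92.33.5 does not (33 & 15 == 1).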
Chapter 9 | Access Control Lists IPv6 ACLs Example Console#show ip access-list standard IP standard access-list david: permit host 10.1.1.21 permit 168.92.0.0 255.255.15.0 Console# Related Commands permit, deny (337) ip access-group (340) IPv6 ACLs The commands in this section configure ACLs based on IPv6 address, DSCP traffic class, next header type, or flow label.
Command Mode Global Configuration Command Usage ◆ When you create a new ACL or enter configuration mode for an existing ACL, use the permit or deny command to add new rules to the bottom of the list. To create an ACL, you must add at least one rule to the list.
Default Setting None Command Mode Standard IPv6 ACL Command Usage New rules are appended to the end of the list. Example This example configures one permit rule for the specific address 2009:DB9:2229::79 and another rule for the addresses with the network prefix 2009:DB9:2229:5::/64.
Command Mode Extended IPv6 ACL Command Usage ◆ All new rules are appended to the end of the list. Example This example accepts any incoming packets if the destination address is 2009:DB9:2229::79/8. Console(config-ext-ipv6-acl)#permit 2009:DB9:2229::79/8 Console(config-ext-ipv6-acl)# Related Commands...
Example Console(config)#interface ethernet 1/2 Console(config-if)#ipv6 access-group standard david in Console(config-if)# Related Commands show ipv6 access-list (346) show ipv6 access-group This command shows the ports assigned to IPv6 ACLs. Command Mode Privileged Exec Example Console#show ipv6 access-group Interface ethernet 1/2...
Chapter 9 | Access Control Lists MAC ACLs Related Commands permit, deny (Standard IPv6 ACL) (343) permit, deny (Extended IPv6 ACL) (344) ipv6 access-group (345) MAC ACLs The commands in this section configure ACLs based on hardware addresses, packet format, and Ethernet type. To configure MAC ACLs, first create an access list containing the required permit or deny rules, and then bind the access list to one or more ports.
◆ An ACL can contain up to 96 rules. Example Console(config)#access-list mac jerry Console(config-mac-acl)# Related Commands permit, deny (348) mac access-group (350) show mac access-list (351) permit, deny (MAC ACL) This command adds a rule to a MAC ACL. The rule filters packets matching a specified MAC source or destination address (i.e., physical layer address), or Ethernet protocol type.
Command Usage ◆ New rules are added to the end of the list. ◆ The ethertype option can only be used to filter Ethernet II formatted packets. ◆ A detailed listing of Ethernet protocol types can be found in RFC 1060. A few of the more common types include the following: ■ 0800 - IP...
◆ If an ACL is already bound to a port and you bind a different ACL to it, the switch will replace the old binding with the new one. Example Console(config)#interface ethernet 1/2 Console(config-if)#mac access-group jerry in Console(config-if)# Related Commands...
Chapter 9 | Access Control Lists ARP ACLs ARP ACLs The commands in this section configure ACLs based on the IP or MAC address contained in ARP request and reply messages. To configure ARP ACLs, first create an access list containing the required permit or deny rules, and then bind the access list to one or more VLANs using the ip arp inspection vlan command.
Related Commands permit, deny (353) show arp access-list (354) permit, deny (ARP ACL) This command adds a rule to an ARP ACL. The rule filters packets matching a specified source or destination address in ARP messages. Use the no form to remove a rule.
Example This rule permits packets from any source IP and MAC address to the destination subnet address 192.168.0.0. Console(config-arp-acl)#$permit response ip any 192.168.0.0 255.255.0.0 mac any any Console(config-mac-acl)# Related Commands access-list arp (352) show access-list arp This command displays the rules for configured ARP ACLs.
Chapter 9 | Access Control Lists ACL Information Related Commands permit, deny (353) ACL Information This section describes commands used to display ACL information. Table 68: ACL Information Commands Command Function Mode clear access-list hardware counters Clears hit counter for rules in all ACLs, or in a specified ACL PE show access-group Shows the ACLs assigned to each port...
show access-group This command shows the port assignments of ACLs. Command Mode Privileged Exec Example Console#show access-group Interface ethernet 1/2 IP access-list david MAC access-list jerry Console# show access-list This command shows all ACLs and associated rules. Syntax show access-list [[arp [acl-name]] |...
MAC access-list jerry: permit any host 00-30-29-94-34-de ethertype 800 800 IP extended access-list A6: deny tcp any any control-flag 2 2 permit any any Console#
Interface Commands These commands are used to display or set communication parameters for an Ethernet port, aggregated link, or VLAN; or perform cable diagnostics on the specified interface. Table 69: Interface Commands Command Function Mode Interface Configuration interface Configures an interface type and enters interface configuration mode alias Configures an alias name for the interface...
Chapter 10 | Interface Commands Interface Configuration (Continued) Table 69: Interface Commands Command Function Mode transceiver-threshold rx-power Sets thresholds for the transceiver power level of the received signal which can be used to trigger an alarm or warning message transceiver-threshold temperature Sets thresholds for the transceiver temperature which can be used to trigger an alarm or warning message...
Command Usage The craft interface is provided as an out-of-band management connection which is isolated from all other ports on the switch. This interface must first be configured with an IPv4 or IPv6 address before a connection can be made through Telnet, SSH, or HTTP.
description This command adds a description to an interface. Use the no form to remove the description. Syntax description string no description string - Comment or a description to help you remember what is attached to this interface.
back pressure is used for half-duplex operation and IEEE 802.3-2002 (formerly IEEE 802.3x) for full-duplex operation. Example The following example enables flow control on port 5. Console(config)#interface ethernet 1/5 Console(config-if)#flowcontrol Console(config-if)# history This command configures a periodic sampling of statistics, specifying the sampling interval and number of samples.
media-type This command forces the module type. Use the no form to restore the default mode. Syntax media-type sfp-forced [mode] no media-type sfp-forced - Always uses the selected SFP module type (even if a module is not installed).
Example The following example disables port 5. Console(config)#interface ethernet 1/5 Console(config-if)#shutdown Console(config-if)# switchport mtu This command configures the maximum transfer unit (MTU) allowed for layer 2 packets crossing a Gigabit, 10 Gigabit or 40 Gigabit Ethernet port or trunk. Use the no form to restore the default setting.
◆ For QinQ, the overall frame size is still calculated as described above, and does not add the length of the second tag to the frame. ◆ The port MTU size can be displayed with the show interfaces status command.
Four 10G ports can also be configured as a single 40G port using a breakout cable. Refer to the Installation Guide for more information on how to use this cabling option. Example This example is for the AS6700-32X, affecting only Port 1. Console#hardware profile portmode ethernet 1/1 4x10g Console#
show hardware profile portmode This command displays the configuration settings for 40G operation. Command Mode Privileged Exec Example This example shows the default 40G settings for the AS6700-32X. Console#show hardware profile portmode Config Oper Interfaces Interfaces Mode Mode...
1/54 1/75-78 1x40g Console# show interfaces brief This command displays a summary of key information, including operational status, native VLAN ID, default priority, speed/duplex mode, and port type for all ports. Command Mode Privileged Exec Example Console#show interfaces brief...
(Continued) Table 70: show interfaces counters - display description Parameter Description Octets Output The total number of octets transmitted out of the interface, including framing characters. Unicast Input The number of subnetwork-unicast packets delivered to a higher-layer protocol.
(Continued) Table 70: show interfaces counters - display description Parameter Description Late Collisions The number of times that a collision is detected later than 512 bit-times into the transmission of a packet. Excessive Collisions A count of frames for which transmission on a particular interface fails due to excessive collisions.
(Continued) Table 70: show interfaces counters - display description Parameter Description 64 Octets The total number of packets (including bad packets) received and transmitted that were less than 64 octets in length (excluding framing bits but including FCS octets).
Default Setting Shows historical statistics for all interfaces, intervals, ingress traffic, and egress traffic. Command Mode Privileged Exec Command Usage If no interface is specified, information on all interfaces is displayed. Example This example shows the statistics recorded for all named entries in the sampling table.
Discards Errors ------------- ------------- Console# This example shows the statistics recorded for a named entry in the sampling table. Console#show interfaces history ethernet 1/1 1min Interface : Eth 1/ 1 Name : 1min Interval : 60 second(s) Buckets Requested : 10...
Console# show interfaces status This command displays the status for an interface. Syntax show interfaces status [interface] interface ethernet unit/port unit - Unit identifier. (Range: 1) port - Port number. (Range: 1-32/54) port-channel channel-id (Range: 1-16/27) vlan vlan-id (Range: 1-4094) Default Setting Shows the status for all interfaces.
Up Time : 0w 0d 1h 41m 8s (6068 seconds) Flow Control Type : None Max Frame Size : 1518 bytes (1522 bytes for tagged frames) MAC Learning Status : Enabled Console# show interfaces switchport This command displays the administrative and operational status of the specified switchport interfaces.
Chapter 10 | Interface Commands Transceiver Threshold Configuration Table 71: show interfaces switchport - display description Field Description Broadcast Threshold Shows if broadcast storm suppression is enabled or disabled; if enabled it also shows the threshold level (page 421). Multicast Threshold Shows if multicast storm suppression is enabled or disabled; if enabled it also shows the threshold level (page 421).
transceiver-monitor This command sends a trap when any of the transceiver’s operational values fall outside of specified thresholds. Use the no form to disable trap messages. Syntax transceiver-monitor Default Setting Disabled Command Mode Interface Configuration (Ethernet) Example Console(config)#interface ethernet 1/1...
be generated until the sampled value has fallen below the high threshold and reaches the low threshold. ◆ If trap messages are enabled with the transceiver-monitor command, a low-threshold alarm or warning message is sent if the current value is less than or equal to the threshold, and the last sample value was greater than the threshold.
Command Mode Interface Configuration (Ethernet) Command Usage ◆ The threshold value is the power ratio in decibels (dB) of the measured power referenced to one milliwatt (mW). ◆ Refer to the Command Usage section under the transceiver-threshold current command for more information on configuring transceiver thresholds.
Command Usage ◆ Refer to the Command Usage section under the transceiver-threshold current command for more information on configuring transceiver thresholds. ◆ Trap messages enabled by the transceiver-monitor command are sent to any management station configured by the snmp-server host command.
◆ Trap messages enabled by the transceiver-monitor command are sent to any management station configured by the snmp-server host command. Example The following example sets alarm thresholds for the signal power transmitted at port 1.
Example The following example sets alarm thresholds for the transceiver voltage at port 1. Console(config)#interface ethernet 1/1 Console(config-if)#transceiver-threshold voltage low-alarm 4 Console(config-if)#transceiver-threshold voltage high-alarm 2 Console# show interfaces transceiver This command displays identifying information for the specified transceiver, including connector type and vendor-related parameters, as well as the transceiver temperature, voltage, bias current, transmit power, and receive power.
Example Console#show interfaces transceiver ethernet 1/25 Information of Eth 1/7 Connector Type : LC Fiber Type : Multimode 50um (M5), Multimode 62.5um (M6) Eth Compliance Codes : 1000BASE-SX Baud Rate : 2100 MBd Vendor OUI : 00-90-65 Vendor Name...
show interfaces transceiver-threshold This command displays the alarm/warning thresholds for temperature, voltage, bias current, transmit power, and receive power. Syntax show interfaces transceiver-threshold [interface] interface ethernet unit/port unit - Unit identifier. (Range: 1) port - Port number.
Chapter 10 | Interface Commands Cable Diagnostics Cable Diagnostics test loop internal This command performs an internal loop back test on the specified port. Syntax test loop internal interface interface interface ethernet unit/port unit - Unit identifier. (Range: 1) port - Port number. (Range: 1-32/54) Command Mode Privileged Exec Command Usage...
Example Console#show loop internal interface ethernet 1/1 Port Test Result Last Update -------- -------------- -------------------- Eth 1/1 Succeeded 2013-04-15 15:26:56 Console#
Link Aggregation Commands Ports can be statically grouped into an aggregate link (i.e., trunk) to increase the bandwidth of a network connection or to ensure fault recovery. Or you can use the Link Aggregation Control Protocol (LACP) to automatically negotiate a trunk link between this switch and another network device.
Finish configuring trunks before you connect the corresponding network cables between switches to avoid creating a loop. ◆ A trunk on the AS6700-32X can have up to 32 ports, and up to 54 ports on the AS5700-54X. ◆ The ports at both ends of a connection must be configured as trunk ports.
Chapter 11 | Link Aggregation Commands Manual Configuration Commands Manual Configuration Commands port channel load-balance This command sets the load-distribution method among ports in aggregated links (for both static and dynamic trunks). Use the no form to restore the default setting. Syntax port channel load-balance {dst-ip | dst-mac | src-dst-ip | src-dst-mac | src-ip | src-mac}...
router trunk links where traffic through the switch is received from and destined for many different hosts. ■ src-dst-mac: All traffic with the same source and destination MAC address is output on the same link in a trunk. This mode works best for switch-to-switch trunk links where traffic through the switch is received from and destined for many different hosts.
Chapter 11 | Link Aggregation Commands Dynamic Configuration Commands Example The following example creates trunk 1 and then adds ports 10-12: Console(config)#interface port-channel 1 Console(config-if)#exit Console(config)#interface ethernet 1/10-12 Console(config-if)#channel-group 1 Console(config-if)# Dynamic Configuration Commands lacp This command enables 802.3ad Link Aggregation Control Protocol (LACP) for the current interface.
Example The following shows LACP enabled on ports 1-3. Because LACP has also been enabled on the ports at the other end of the links, the show interfaces status port-channel 1 command shows that Trunk1 has been established.
Default Setting Actor: 1, Partner: 0 Command Mode Interface Configuration (Ethernet) Command Usage ◆ Ports are only allowed to join the same LAG if (1) the LACP system priority matches, (2) the LACP port admin key matches, and (3) the LACP port channel key matches (if configured).
Command Mode Interface Configuration (Ethernet) Command Usage ◆ Setting a lower value indicates a higher effective priority. ◆ If an active port link goes down, the backup port with the highest priority is selected to replace the downed link.
◆ System priority is combined with the switch’s MAC address to form the LAG identifier. This identifier is used to indicate a specific LAG during LACP negotiations with other systems. ◆ Once the remote side of a link has been established, LACP operational settings are already in use on that side.
Example Console(config)#interface port-channel 1 Console(config-if)#lacp admin-key 3 Console(config-if)# lacp timeout This command configures the timeout to wait for the next LACP data unit (LACPDU). Use the no form to restore the default setting. Syntax lacp timeout {long | short} no lacp timeout...
Chapter 11 | Link Aggregation Commands Trunk Status Display Commands Trunk Status Display Commands show lacp This command displays LACP information. Syntax show lacp [port-channel] {counters | internal | neighbors | sys-id} port-channel - Local identifier for a link aggregation group. (Range: 1-16/27) counters - Statistics for LACP protocol messages.
Table 73 (continued): show lacp counters - display description
Field: Description
Marker Received: Number of valid Marker PDUs received by this channel group.
MarkerResponsePDU Sent: Number of valid Marker Response PDUs transmitted from this channel group.
MarkerResponsePDU: Number of valid Marker Response PDUs received at this channel group.
Table 74 (continued): show lacp internal - display description
Field: Description
Admin State, Oper State: Administrative or operational values of the actor’s state parameters:
◆ Expired – The actor’s receive machine is in the expired state;
◆...
Table 75: show lacp neighbors - display description
Field: Description
Port Channel: Local identifier for a link aggregation group.
Member Port: The ports active in this link aggregation group.
Partner Admin: LAG partner’s system ID assigned by the user.

show port-channel load-balance
This command shows the load-distribution method used on aggregated links.
Command Mode
Privileged Exec
Example
Console#show port-channel load-balance
Trunk Load Balance Mode: Destination IP address
Console#

MLAG Commands

Operational Concept
A multi-chassis link aggregation group (MLAG) is a pair of links that terminate on two cooperating switches and appear as an ordinary link aggregation group (LAG).

◆ The MLAG ID, associated MLAG domain ID and MLAG member must be configured using the mlag group member command. The associated MLAG domain may be nonexistent, which causes MLAG to be inactive locally.
◆...

mlag peer-link
This command configures the MLAG domain peer link. Use the no form to remove the MLAG domain.
Syntax
mlag domain domain-id peer-link interface
no mlag domain domain-id
domain-id – Domain identifier. (Range: 1-16 characters)
interface ethernet unit/port
unit - Unit identifier.
interface ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number. (Range: 1-32/54)
port-channel channel-id (Range: 1-16/27)
Command Mode
Global Configuration
Command Usage
◆ An MLAG domain can have two and only two MLAG devices. (See Figure
◆...

■ When an MLAG member is operationally down, all updates for learned MAC addresses on the MLAG peer member will be synced through the peer link automatically.
Figure 2: MLAG Peer Operation
◆...
Example
Console#show mlag domain 1
Peer Link : Eth 1/1
MLAG List : 10,20,33-35
Console#
Chapter 12 | Port Mirroring Commands
Data can be mirrored from a local port on the same switch for analysis at the target port using software monitoring tools or a hardware probe. This switch supports the following mirroring modes.
Table 77: Port Mirroring Commands
Command: Function
Local Port Mirroring...

Local Port Mirroring Commands
Default Setting
◆ No mirror session is defined.
◆ When enabled for an interface, default mirroring is for both received and transmitted packets.
◆ When enabled for a VLAN or a MAC address, mirroring is restricted to received packets.

RSPAN Mirroring Commands
port - Port number. (Range: 1-32/54)
Default Setting
Shows all sessions.
Command Mode
Privileged Exec
Command Usage
This command displays the currently configured source port, destination port, and mirror mode (i.e., RX, TX, RX/TX).
Example
The following shows mirroring configured from port 6 to port 5:
Console(config)#interface ethernet 1/5...
Configuration Guidelines
Take the following steps to configure an RSPAN session:
Use the vlan rspan command to configure a VLAN to use for RSPAN. (Default VLAN 1 and switch cluster VLAN 4093 are prohibited.)
Use the rspan source command to specify the interfaces and the traffic type...

◆ Port Security – If port security is enabled on any port, that port cannot be set as an RSPAN uplink port, even though it can still be configured as an RSPAN source or destination port.

Example
The following example configures the switch to mirror received packets from ports 2 and 3:
Console(config)#rspan session 1 source interface ethernet 1/2 rx
Console(config)#rspan session 1 source interface ethernet 1/3 rx
Console(config)#

rspan destination
Use this command to specify the destination port to monitor the mirrored traffic.

Example
The following example configures port 4 to receive mirrored RSPAN traffic:
Console(config)#rspan session 1 destination interface ethernet 1/4
Console(config)#

rspan remote vlan
Use this command to specify the RSPAN VLAN, switch role (source, intermediate or destination), and the uplink ports.

◆ Only destination and uplink ports will be assigned by the switch as members of this VLAN. Ports cannot be manually assigned to an RSPAN VLAN with the switchport allowed vlan command.
Command Mode
Privileged Exec
Example
Console#show rspan session
RSPAN Session ID
Source Ports (mirrored ports) : None
RX Only : None
TX Only : None
BOTH : None
Destination Port (monitor port) : Eth 1/2
Destination Tagged Mode : Untagged
Switch Role...

Chapter 13 | Congestion Control Commands
The switch can set the maximum upload or download data transfer rate for any port. It can control traffic storms by setting a maximum threshold for broadcast traffic or multicast traffic. It can also set bounding thresholds for broadcast and multicast storms which can be used to automatically trigger rate limits or to shut down a port.

Rate Limit Commands
rate-limit
This command defines the rate limit for a specific interface. Use this command without specifying a rate to enable rate limiting. Use the no form to disable rate limiting.
Syntax
rate-limit {input | output} [rate]
no rate-limit {input | output}
input –...

Storm Control Commands
Storm control commands can be used to configure broadcast, multicast, and unknown unicast storm control thresholds. Traffic storms may occur when a device on your network is malfunctioning, or if application programs are not well designed or properly configured.
◆ Using both rate limiting and storm control on the same interface may lead to unexpected results. It is therefore not advisable to use both of these commands on the same interface.
Example
The following shows how to configure broadcast storm control at 600 kilobits per second:...

Chapter 14 | Loopback Detection Commands
The switch can be configured to detect general loopback conditions caused by hardware problems or faulty protocol settings. When enabled, a control frame is transmitted on the participating ports, and the switch monitors inbound traffic to see if the frame is looped back.
Table 83: Loopback Detection Commands
Command: Function...

loopback-detection
This command enables loopback detection globally on the switch or on a specified interface. Use the no form to disable loopback detection.
Syntax
[no] loopback-detection
Default Setting
Disabled
Command Mode
Global Configuration
Interface Configuration (Ethernet, Port Channel)
Command Usage
Loopback detection must be enabled globally for the switch by this command and enabled for a specific interface for this function to take effect.

Command Usage
◆ When the response to a detected loopback condition is set to block user traffic, loopback detection control frames may be untagged or tagged depending on the port’s VLAN membership type.
◆ When the response to a detected loopback condition is set to block user traffic, ingress filtering for the port is enabled automatically if not already enabled by switchport ingress-filtering...

Command Usage
◆ When the loopback detection mode is changed, any ports placed in shutdown state by the loopback detection process will be immediately restored to operation regardless of the remaining recovery time.
◆ If the recovery time is set to zero, all ports placed in shutdown state can be restored to operation using the loopback-detection release...

detect - Sends an SNMP trap message when a loopback condition is detected.
none - Does not send an SNMP trap for loopback detection or recovery.
recover - Sends an SNMP trap message when the switch recovers from a loopback condition.

show loopback-detection
This command shows loopback detection configuration settings for the switch or for a specified interface.
Syntax
show loopback-detection [interface]
interface ethernet unit/port
unit - Unit identifier. (Range: 1-8)
port - Port number. (Range: 1-52)
Command Mode
Privileged Exec
Command Usage...

Chapter 15 | UniDirectional Link Detection Commands
The switch can be configured to detect and disable unidirectional Ethernet fiber or copper links. When enabled, the protocol advertises a port’s identity and learns about its neighbors on a specific LAN segment, and stores information about its neighbors in a cache.

Command Usage
When a neighbor device is discovered by UDLD, the switch enters “detection state” and remains in this state for the specified detection interval. After the detection interval expires, the switch tries to decide whether or not the link is unidirectional based on the information collected during “detection state.”

udld recovery
This command configures the switch to automatically recover from the UDLD disabled port state after a period specified by the udld recovery-interval command. Use the no form to disable this feature.
Syntax
[no] udld recovery
Default Setting
Disabled...

Example
Console(config)#udld recovery-interval 15
Console(config)#

udld aggressive
This command sets UDLD to aggressive mode on an interface. Use the no form to restore the default setting.
Syntax
[no] udld aggressive
Default Setting
Disabled
Command Mode
Interface Configuration (Ethernet Port)
Command Usage...

Example
This example enables UDLD aggressive mode on port 1.
Console(config)#interface ethernet 1/1
Console(config-if)#udld aggressive
Console(config-if)#

udld port
This command enables UDLD on a port. Use the no form to disable UDLD on an interface.

show udld
This command shows UDLD configuration settings and operational status for the switch or for a specified interface.
Syntax
show udld [interface interface]
interface ethernet unit/port
unit - Unit identifier. (Range: 1-8)
port - Port number.
Table 85 (continued): show udld - display description
Field: Description
Recovery Interval: Shows the period after which to recover from the UDLD disabled port state if automatic recovery is enabled
UDLD: Shows if UDLD is enabled or disabled on a port
Mode: Shows if UDLD is functioning in Normal or Aggressive mode
Oper State...

Chapter 16 | Address Table Commands
These commands are used to configure the address table for filtering specified addresses, displaying current entries, clearing the table, or setting the aging time.
Table 86: Address Table Commands
Command: Function: Mode
mac-address-table aging-time: Sets the aging time of the address table
mac-address-table static: Maps a static address to a port in a VLAN...

mac-address-table static
This command maps a static address to a port in a VLAN, and optionally designates the address as permanent, or to be deleted on reset. Use the no form to remove a static address.

Example
Console(config)#mac-address-table static 00-e0-29-94-34-de interface ethernet 1/1 vlan 1 delete-on-reset
Console(config)#

clear mac-address-table dynamic
This command removes any learned entries from the forwarding database.
Default Setting
None
Command Mode
Privileged Exec
Example
Console#clear mac-address-table dynamic
Console#

show mac-address-table
This command shows classes of entries in the bridge-forwarding database.

Command Usage
◆ The MAC Address Table contains the MAC addresses associated with each interface. Note that the Type field may include the following types:
■ Learn - Dynamic address entries
■ Config - Static entry
■...

show mac-address-table count
This command shows the number of MAC addresses used and the number of available MAC addresses for the overall system or for an interface.
Syntax
show mac-address-table count interface interface
interface ethernet unit/port
unit - Unit identifier.
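The address-table behaviour described in this chapter, as an added example (not the switch's own code): learned entries of type Learn, static entries of type Config that are either permanent or delete-on-reset, an aging timer, the effect of clear mac-address-table dynamic, and the rule that learning never overrides a static entry. The method names, the injected clock used for deterministic aging, and the 300-second aging default are assumptions.

```python
"""Bridge forwarding database: learned and static entries, aging, clear, reset.

Added example, not the switch's own code. It models the entry classes the
show mac-address-table usage note lists (Learn for dynamic entries, Config
for static entries created with mac-address-table static), the permanent
versus delete-on-reset option, an aging timer like the one set with
mac-address-table aging-time, and clear mac-address-table dynamic. Method
names, the injected clock and the 300-second aging default are assumptions.
"""
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple


def norm_mac(mac: str) -> str:
    return mac.lower().replace(":", "-")


@dataclass
class Entry:
    vlan: int
    mac: str
    interface: str
    kind: str                    # "Learn" or "Config"
    delete_on_reset: bool = False
    last_seen: float = 0.0       # only meaningful for Learn entries


class AddressTable:
    def __init__(self, aging_time: int = 300, clock: Callable[[], float] = time.monotonic) -> None:
        self.aging_time = aging_time
        self.clock = clock
        self.entries: Dict[Tuple[int, str], Entry] = {}

    def learn(self, vlan: int, mac: str, interface: str) -> None:
        """Dynamic learning from a frame's source MAC; never overrides a static entry."""
        key = (vlan, norm_mac(mac))
        current = self.entries.get(key)
        if current is not None and current.kind == "Config":
            return
        self.entries[key] = Entry(vlan, key[1], interface, "Learn", last_seen=self.clock())

    def add_static(self, vlan: int, mac: str, interface: str, delete_on_reset: bool = False) -> None:
        key = (vlan, norm_mac(mac))
        self.entries[key] = Entry(vlan, key[1], interface, "Config", delete_on_reset)

    def age(self) -> int:
        """Drop Learn entries idle longer than aging_time; returns how many were removed."""
        now = self.clock()
        stale = [k for k, e in self.entries.items()
                 if e.kind == "Learn" and now - e.last_seen > self.aging_time]
        for k in stale:
            del self.entries[k]
        return len(stale)

    def clear_dynamic(self) -> None:
        self.entries = {k: e for k, e in self.entries.items() if e.kind != "Learn"}

    def reset(self) -> None:
        """System reset: learned entries go, static entries survive unless delete-on-reset."""
        self.entries = {k: e for k, e in self.entries.items()
                        if e.kind == "Config" and not e.delete_on_reset}

    def lookup(self, vlan: int, mac: str) -> Optional[str]:
        e = self.entries.get((vlan, norm_mac(mac)))
        return e.interface if e else None

    def count(self, interface: Optional[str] = None) -> int:
        return sum(1 for e in self.entries.values() if interface in (None, e.interface))


def demo() -> Dict[str, object]:
    """Deterministic walkthrough with a fake clock (seconds); addresses are constructed."""
    now = [0.0]
    table = AddressTable(aging_time=300, clock=lambda: now[0])
    table.add_static(1, "00-e0-29-94-34-de", "Eth1/1", delete_on_reset=True)  # the manual's example
    table.add_static(1, "00-e0-29-00-00-02", "Eth1/2")                         # permanent
    table.learn(1, "00-e0-29-00-00-03", "Eth1/3")
    table.learn(1, "00-e0-29-94-34-de", "Eth1/9")   # ignored: the static entry wins
    static_wins = table.lookup(1, "00-e0-29-94-34-de")
    now[0] = 301.0
    aged = table.age()                              # the Eth1/3 entry has been idle > 300 s
    table.reset()                                   # only the permanent static entry survives
    return {"static_wins": static_wins, "aged": aged,
            "after_reset": sorted(k[1] for k in table.entries)}


if __name__ == "__main__":
    print(demo())
```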
Chapter 17 | Spanning Tree Commands
This section includes commands that configure the Spanning Tree Algorithm (STA) globally for the switch, and commands that configure STA for the selected interface.
Table 87: Spanning Tree Commands
Command: Function: Mode
spanning-tree: Enables the spanning tree protocol
spanning-tree forward-time: Configures the spanning tree bridge forward time
spanning-tree hello-time...

Table 87 (continued): Spanning Tree Commands
Command: Function: Mode
spanning-tree port-priority: Configures the spanning tree priority of an interface
spanning-tree root-guard: Prevents a designated port from passing superior BPDUs
spanning-tree spanning-disabled: Disables spanning tree for an interface
spanning-tree tc-prop-stop: Stops propagation of topology change information...

spanning-tree forward-time
This command configures the spanning tree bridge forward time globally for this switch. Use the no form to restore the default.
Syntax
spanning-tree forward-time seconds
no spanning-tree forward-time
seconds - Time in seconds. (Range: 4 - 30 seconds) The minimum value is the higher of 4 or [(max-age / 2) + 1].

Command Usage
This command sets the time interval (in seconds) at which the root device transmits a configuration message.
Example
Console(config)#spanning-tree hello-time 5
Console(config)#
Related Commands
spanning-tree forward-time (445)
spanning-tree max-age (446)

spanning-tree max-age
This command configures the spanning tree bridge maximum age globally for this switch.

spanning-tree mode
This command selects the spanning tree mode for this switch. Use the no form to restore the default.
Syntax
spanning-tree mode {stp | rstp | mstp}
no spanning-tree mode
stp - Spanning Tree Protocol (IEEE 802.1D)
rstp - Rapid Spanning Tree Protocol (IEEE 802.1w)
mstp - Multiple Spanning Tree (IEEE 802.1s)
Default Setting...

■ Be careful when switching between spanning tree modes. Changing modes stops all spanning-tree instances for the previous mode and restarts the system in the new mode, temporarily disrupting user traffic.
Example
The following example configures the switch to use Rapid Spanning Tree:
Console(config)#spanning-tree mode rstp
Console(config)#

spanning-tree...

spanning-tree priority
This command configures the spanning tree priority globally for this switch. Use the no form to restore the default.
Syntax
spanning-tree priority priority
no spanning-tree priority
priority - Priority of the bridge. (Range – 0-61440, in steps of 4096; Options: 0, 4096, 8192, 12288, 16384, 20480, 24576, 28672, 32768, 36864, 40960, 45056, 49152, 53248, 57344, 61440)
Default Setting...

Related Commands
mst vlan (452)
mst priority (451)
name (453)
revision (454)
max-hops (451)

spanning-tree system-bpdu-flooding
This command configures the system to flood BPDUs to all other ports on the switch or just to all other ports in the same VLAN when spanning tree is disabled globally on the switch or disabled on a specific port.

Command Usage
This command limits the maximum transmission rate for BPDUs.
Example
Console(config)#spanning-tree transmission-limit 4
Console(config)#

max-hops
This command configures the maximum number of hops in the region before a BPDU is discarded. Use the no form to restore the default.
Syntax
max-hops hop-number
hop-number - Maximum hop number for multiple spanning tree.

...wide-scale disruption when a bridge node in a single instance fails, and allowing for faster convergence of a new topology for the failed instance.
◆ By default all VLANs are assigned to the Internal Spanning Tree (MSTI 0) that connects all bridges and LANs within the MST region.

revision
This command configures the revision number for this multiple spanning tree configuration of this switch. Use the no form to restore the default.
Syntax
revision number
number - Revision number of the spanning tree. (Range: 0-65535)
Default Setting
Command Mode
MST Configuration...

...bridging device is mistakenly configured as an edge port, and BPDU filtering is enabled on this port, this might cause a loop in the spanning tree.
◆ BPDU filter can only be configured on an interface if the edge port attribute is not disabled (that is, if edge port is set to enabled or auto with the spanning-tree edge-port...

◆ BPDU guard can only be configured on an interface if the edge port attribute is not disabled (that is, if edge port is set to enabled or auto with the spanning-tree edge-port command).

Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
◆ You can enable this option if an interface is attached to a LAN segment that is at the end of a bridged LAN or to an end node. Since end nodes cannot cause forwarding loops, they can pass directly through to the spanning tree forwarding state.

◆ When automatic detection is selected, the switch derives the link type from the duplex mode. A full-duplex interface is considered a point-to-point link, while a half-duplex interface is assumed to be on a shared link.
◆...

◆ Path cost takes precedence over interface priority.
Example
Console(config)#interface Ethernet 1/5
Console(config-if)#spanning-tree mst 1 cost 50
Console(config-if)#
Related Commands
spanning-tree mst port-priority (460)

spanning-tree mst port-priority
This command configures the interface priority on a spanning tree instance in the Multiple Spanning Tree.

spanning-tree port-priority
This command configures the priority for the specified interface. Use the no form to restore the default.
Syntax
spanning-tree port-priority priority
no spanning-tree port-priority
priority - The priority for a port. (Range: 0-240, in steps of 16)
Default Setting
Command Mode
Interface Configuration (Ethernet, Port Channel)

Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
◆ A bridge with a lower bridge identifier (or same identifier and lower MAC address) can take over as the root bridge at any time.
◆...
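The parameter rules spread across this chapter (forward-time never below (max-age / 2) + 1, bridge priority in steps of 4096, port priority in steps of 16) and the root-bridge rule just above can be checked with the following added example. It is not the switch's code: the bridge-ID layout with the 16-bit priority ahead of the 48-bit MAC follows IEEE 802.1D, and the function names and sample bridges are assumptions.

```python
"""Spanning tree parameter checks and root bridge election.

Added example, not the switch's code. It encodes the rules this chapter
states: bridge priority 0-61440 in steps of 4096, port priority 0-240 in
steps of 16, forward-time 4-30 seconds but never below (max-age / 2) + 1,
and the root bridge being the one with the lowest bridge identifier
(lower priority first, then lower MAC address). Placing the 16-bit priority
ahead of the 48-bit MAC in the bridge ID follows IEEE 802.1D; the function
names and sample bridges are assumptions.
"""
import math
from typing import Iterable, Tuple


def valid_bridge_priority(priority: int) -> bool:
    return 0 <= priority <= 61440 and priority % 4096 == 0


def valid_port_priority(priority: int) -> bool:
    return 0 <= priority <= 240 and priority % 16 == 0


def forward_time_floor(max_age: int) -> int:
    """Minimum forward-time: the higher of 4 or (max-age / 2) + 1, rounded up."""
    return max(4, math.ceil(max_age / 2 + 1))


def valid_forward_time(seconds: int, max_age: int) -> bool:
    return forward_time_floor(max_age) <= seconds <= 30


def bridge_id(priority: int, mac: str) -> int:
    """64-bit bridge identifier: priority in the upper 16 bits, MAC in the lower 48."""
    if not valid_bridge_priority(priority):
        raise ValueError(f"bridge priority {priority} is not a multiple of 4096 in 0-61440")
    mac_int = int(mac.replace("-", "").replace(":", ""), 16)
    return (priority << 48) | mac_int


def elect_root(bridges: Iterable[Tuple[str, int, str]]) -> str:
    """bridges: (name, priority, mac). The lowest bridge ID wins, so a lower
    priority beats any MAC, and equal priorities fall back to the lower MAC."""
    return min(bridges, key=lambda b: bridge_id(b[1], b[2]))[0]


# Constructed sample: B and C share the best priority; C has the lower MAC.
BRIDGES = [
    ("SwitchA", 32768, "00-e0-29-94-34-de"),
    ("SwitchB", 4096, "00-e0-29-aa-bb-cc"),
    ("SwitchC", 4096, "00-e0-29-00-00-01"),
]

if __name__ == "__main__":
    print("root:", elect_root(BRIDGES))
    print("forward-time floor for max-age 20:", forward_time_floor(20))
```

The practical point of the election check is that an unprotected edge port that receives a BPDU with a lower priority than your root's can move the root elsewhere; the chapter's root-guard and BPDU guard commands exist to stop that, and the rule is the same one elect_root() applies.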
Example
This example disables the spanning tree algorithm for port 5.
Console(config)#interface ethernet 1/5
Console(config-if)#spanning-tree spanning-disabled
Console(config-if)#

spanning-tree tc-prop-stop
This command stops the propagation of topology change notifications (TCN). Use the no form to allow propagation of TCN messages.
Syntax
[no] spanning-tree tc-prop-stop...

Command Mode
Privileged Exec
Command Usage
If at any time the switch detects STP BPDUs, including Configuration or Topology Change Notification BPDUs, it will automatically set the selected interface to forced STP-compatible mode. However, you can also use the spanning-tree protocol-migration command at any time to manually re-check the appropriate BPDU format to send on the selected interfaces (i.e., RSTP or STP-compatible).
◆ Use the show spanning-tree mst command to display the spanning tree configuration for all instances within the Multiple Spanning Tree (MST), including global settings and settings for active interfaces.
◆ Use the show spanning-tree mst instance-id command to display the spanning tree configuration for an instance within the Multiple Spanning Tree (MST), including global settings and settings for all interfaces.

show spanning-tree mst configuration
This command shows the configuration of the multiple spanning tree.
Command Mode
Privileged Exec
Example
Console#show spanning-tree mst configuration
Mstp Configuration Information
--------------------------------------------------------------
Configuration Name : R&D
Revision Level :
Instance VLANs
--------------------------------------------------------------
1-4094
Console#...
Chapter 18 | VLAN Commands
A VLAN is a group of ports that can be located anywhere in the network, but communicate as though they belong to the same physical segment. This section describes commands used to create VLAN groups, add port members, specify how VLAN tagging is used, and enable automatic VLAN registration for the selected interface.

GVRP and Bridge Extension Commands
GARP VLAN Registration Protocol defines a way for switches to exchange VLAN information in order to automatically register VLAN members on interfaces across the network. This section describes how to enable GVRP for individual interfaces and globally for the switch, as well as how to display default configuration settings for the Bridge Extension MIB.

garp timer
This command sets the values for the join, leave and leaveall timers. Use the no form to restore the timers’ default values.
Syntax
garp timer {join | leave | leaveall} timer-value
no garp timer {join | leave | leaveall}
{join | leave | leaveall} - Timer to set.

switchport gvrp
This command enables GVRP for a port. Use the no form to disable it.
Syntax
[no] switchport gvrp
Default Setting
Disabled
Command Mode
Interface Configuration (Ethernet, Port Channel)
Example
Console(config)#interface ethernet 1/1
Console(config-if)#switchport gvrp...

show gvrp configuration
This command shows if GVRP is enabled.
Syntax
show gvrp configuration [interface]
interface ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number. (Range: 1-32/54)
port-channel channel-id (Range: 1-16/27)
Default Setting
Shows both global and interface-specific configuration.

Editing VLAN Groups
Table 92: Commands for Editing VLAN Groups
Command: Function: Mode
vlan database: Enters VLAN database mode to add, change, and delete VLANs
vlan: Configures a VLAN, including VID, name and state

vlan database
This command enters VLAN database mode.

vlan
This command configures a VLAN. Use the no form to restore the default settings or delete a VLAN.
Syntax
vlan vlan-id [name vlan-name] media ethernet [state {active | suspend}]
no vlan vlan-id [name | state]
vlan-id - VLAN ID, specified as a single number, a range of consecutive numbers separated by a hyphen, or multiple numbers separated by commas.

Related Commands
show vlan (482)

Configuring VLAN Interfaces
Table 93: Commands for Configuring VLAN Interfaces
Command: Function: Mode
interface vlan: Enters interface configuration mode for a specified VLAN
switchport acceptable-frame-types: Configures frame types to be accepted by an interface
switchport allowed vlan: Configures the VLANs associated with an interface...

Example
The following example shows how to set the interface configuration mode to VLAN 1, and then assign an IP address to the VLAN:
Console(config)#interface vlan 1
Console(config-if)#ip address 192.168.1.254 255.255.255.0
Console(config-if)#
Related Commands
shutdown (364)
interface (360)

switchport allowed vlan
This command configures VLAN groups on the selected interface. Use the no form to restore the default.
Syntax
switchport allowed vlan {vlan-list | add vlan-list [tagged | untagged] | remove vlan-list}
no switchport allowed vlan
vlan-list - If a VLAN list is entered without using the add option, the...

◆ If a VLAN on the forbidden list for an interface is manually added to that interface, the VLAN is automatically removed from the forbidden list for that interface.
Example
The following example shows how to add VLANs 1, 2, 5 and 6 to the allowed list as tagged VLANs for port 1:
Console(config)#interface ethernet 1/1
Console(config-if)#switchport allowed vlan add 1,2,5,6 tagged...
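The vlan-list syntax used by the vlan and switchport allowed vlan commands (single number, hyphenated range, comma-separated values, each within 1-4094) and the allowed/forbidden interaction stated just above, as an added example that is not the switch's own code. Refusing to forbid a VLAN the port already belongs to is an assumption; the manual only states the reverse direction, which the example implements exactly.

```python
"""VLAN list parsing and allowed/forbidden VLAN membership for a port.

Added example, not the switch's own code. parse_vlan_list() accepts the
vlan-id syntax described for the vlan command (a single number, a range
separated by a hyphen, or several values separated by commas, each 1-4094),
and PortVlanMembership models switchport allowed vlan add/remove plus the
rule above that manually adding a VLAN removes it from the port's forbidden
list. Refusing to forbid a VLAN the port already belongs to is an
assumption; the manual only states the reverse direction.
"""
from typing import Dict, Set

VLAN_MIN, VLAN_MAX = 1, 4094


def parse_vlan_list(text: str) -> Set[int]:
    """'1,2,5-7' -> {1, 2, 5, 6, 7}; raises ValueError on bad syntax or range."""
    vlans: Set[int] = set()
    for item in text.replace(" ", "").split(","):
        if not item:
            raise ValueError("empty element in VLAN list")
        if "-" in item:
            low, high = (int(x) for x in item.split("-", 1))
            if low > high:
                raise ValueError(f"descending range {item}")
        else:
            low = high = int(item)
        if low < VLAN_MIN or high > VLAN_MAX:
            raise ValueError(f"VLAN outside {VLAN_MIN}-{VLAN_MAX}: {item}")
        vlans.update(range(low, high + 1))
    return vlans


def valid_vlan_list(text: str) -> bool:
    try:
        parse_vlan_list(text)
        return True
    except ValueError:
        return False


class PortVlanMembership:
    """Allowed list (VID -> 'tagged'/'untagged') and forbidden list of one port."""

    def __init__(self) -> None:
        self.allowed: Dict[int, str] = {}
        self.forbidden: Set[int] = set()

    def allowed_add(self, vlan_list: str, tagged: bool = True) -> None:
        for vid in parse_vlan_list(vlan_list):
            self.allowed[vid] = "tagged" if tagged else "untagged"
            self.forbidden.discard(vid)      # a manual add clears the forbidden entry

    def allowed_remove(self, vlan_list: str) -> None:
        for vid in parse_vlan_list(vlan_list):
            self.allowed.pop(vid, None)

    def forbidden_add(self, vlan_list: str) -> None:
        for vid in parse_vlan_list(vlan_list):
            if vid in self.allowed:           # assumed rule, not stated in the manual
                raise ValueError(f"VLAN {vid} is an allowed member; remove it first")
            self.forbidden.add(vid)

    def tagged_vlans(self) -> Set[int]:
        return {v for v, mode in self.allowed.items() if mode == "tagged"}


def demo() -> PortVlanMembership:
    """Replays the manual's examples: forbid VLAN 3, allow 1,2,5,6 tagged, then add 3."""
    port = PortVlanMembership()
    port.forbidden_add("3")
    port.allowed_add("1,2,5,6", tagged=True)
    port.allowed_add("3")                    # VLAN 3 leaves the forbidden list
    return port


if __name__ == "__main__":
    p = demo()
    print(sorted(p.tagged_vlans()), sorted(p.forbidden))
```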
Example
The following example shows how to prevent port 1 from being added to VLAN 3:
Console(config)#interface ethernet 1/1
Console(config-if)#switchport forbidden vlan add 3
Console(config-if)#

switchport ingress-filtering
This command enables ingress filtering for an interface. Use the no form to restore the default.

switchport mode
This command configures the VLAN membership mode for a port. Use the no form to restore the default.
Syntax
switchport mode {access | hybrid | trunk}
no switchport mode
access - Specifies an access VLAN interface. The port transmits and receives untagged frames on a single VLAN only.

switchport native vlan
This command configures the PVID (i.e., default VLAN ID) for a port. Use the no form to restore the default.
Syntax
switchport native vlan vlan-id
no switchport native vlan
vlan-id - Default VLAN ID for a port.
The following figure shows VLANs 1 and 2 configured on switches A and B, with VLAN trunking being used to pass traffic for these VLAN groups across switches C, D and E.
Figure 3: Configuring VLAN Trunking
Without VLAN trunking, you would have to configure VLANs 1 and 2 on all intermediate switches –...

Displaying VLAN Information
This section describes commands used to display VLAN information.
Table 94: Commands for Displaying VLAN Information
Command: Function: Mode
show interfaces status vlan: Displays status for the specified VLAN interface: NE, PE
show interfaces switchport: Displays the administrative and operational status of an...

Configuring IEEE 802.1Q Tunneling
IEEE 802.1Q tunneling (QinQ tunneling) uses a single Service Provider VLAN (SPVLAN) for customers who have multiple VLANs. Customer VLAN IDs are preserved and traffic from different custom0ers is segregated within the service provider’s network even when they use the same customer-specific VLAN IDs.

Configure the SPVLAN ID as the native VID on the QinQ tunnel access port (switchport native vlan).
Configure the QinQ tunnel uplink port to dot1Q-tunnel uplink mode (switchport dot1q-tunnel mode).
Configure the QinQ tunnel uplink port to join the SPVLAN as a tagged member (switchport allowed vlan).

dot1q-tunnel tpid
This command sets the Tag Protocol Identifier (TPID) value of a tunnel port. Use the no form to restore the default setting.
Syntax
dot1q-tunnel tpid tpid
no dot1q-tunnel tpid
tpid –...

switchport dot1q-tunnel mode
This command configures an interface as a QinQ tunnel port. Use the no form to disable QinQ on the interface.
Syntax
switchport dot1q-tunnel mode {access | uplink}
no switchport dot1q-tunnel mode
access –...

Default Setting
Disabled
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
When priority bits are found in the inner tag, these are also copied to the outer tag. This allows the service provider to differentiate service based on the indicated priority and appropriate methods of queue management at intermediate nodes across the tunnel.

switchport dot1q-tunnel service match cvid
This command creates a CVLAN to SPVLAN mapping entry. Use the no form to delete a VLAN mapping entry.
Syntax
switchport dot1q-tunnel service svid match cvid cvid [remove-ctag]
no switchport dot1q-tunnel service [svid [match cvid cvid]]
svid - VLAN ID for the outer VLAN tag (Service Provider VID).
Example
This example sets the SVID to 99 in the outer tag for egress packets exiting port 1 when the packet’s CVID is 2.
Console(config)#interface ethernet 1/1
Console(config-if)#switchport dot1q-tunnel service 99 match cvid 2
Console(config-if)#
The following example maps C-VLAN 10 to S-VLAN 100, C-VLAN 20 to S-VLAN 200 and C-VLAN 30 to S-VLAN 300 for ingress traffic on port 1 of Switches A and B.

Configure port 1 as a member of VLANs 10, 20 and 30 to avoid filtering out incoming frames tagged with VID 10, 20 or 30 on port 1:
Console(config)#interface ethernet 1/1
Console(config-if)#switchport allowed vlan add 10,20,30
Verify configuration settings.
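What the tunnel access port does to a customer frame under the QinQ settings above (native VID as SPVLAN, dot1q-tunnel tpid, the service/match cvid mapping with optional remove-ctag, and copying of the inner priority bits to the outer tag), as an added example that is not the switch's implementation. Applying the mapping when the frame enters the access port, the 0x88A8 TPID default, the sample MAC addresses and the class names are assumptions; tag_stack() parses the result back so the effect can be checked.

```python
"""QinQ service tagging at a tunnel access port.

Added example, not the switch's implementation. It builds the outer
(service provider) tag a tunnel access port adds to customer frames, using
the rules given above: the port's native VID is the SPVLAN, a
switchport dot1q-tunnel service ... match cvid entry can select a
different SVID for a given CVID and optionally strip the customer tag
(remove-ctag), the inner tag's priority bits are copied to the outer tag,
and the outer tag uses the TPID set with dot1q-tunnel tpid. Applying the
mapping when the frame enters the access port, the 0x88A8 TPID default,
and the class/function names are assumptions.
"""
import struct
from typing import Dict, List, Optional, Tuple

TPID_8021Q = 0x8100
TPID_8021AD = 0x88A8
TAG_TPIDS = (TPID_8021Q, TPID_8021AD)


def parse_ctag(frame: bytes) -> Optional[Tuple[int, int, bytes]]:
    """(pcp, vid, bytes after the tag) if the frame carries an 802.1Q tag, else None."""
    tpid, tci = struct.unpack("!HH", frame[12:16])
    if tpid != TPID_8021Q:
        return None
    return tci >> 13, tci & 0x0FFF, frame[16:]


def tag_stack(frame: bytes) -> List[Tuple[int, int, int]]:
    """All VLAN tags on the frame, outermost first, as (tpid, pcp, vid)."""
    tags, offset = [], 12
    while struct.unpack("!H", frame[offset:offset + 2])[0] in TAG_TPIDS:
        tpid, tci = struct.unpack("!HH", frame[offset:offset + 4])
        tags.append((tpid, tci >> 13, tci & 0x0FFF))
        offset += 4
    return tags


class TunnelAccessPort:
    def __init__(self, native_vid: int, tpid: int = TPID_8021AD) -> None:
        self.native_vid = native_vid          # switchport native vlan = SPVLAN
        self.tpid = tpid                      # dot1q-tunnel tpid
        self.mappings: Dict[int, Tuple[int, bool]] = {}   # cvid -> (svid, remove_ctag)

    def service_match(self, svid: int, cvid: int, remove_ctag: bool = False) -> None:
        self.mappings[cvid] = (svid, remove_ctag)

    def ingress(self, frame: bytes) -> bytes:
        """Push the service tag; the customer tag is kept unless remove-ctag applies."""
        header, pcp, svid, body = frame[:12], 0, self.native_vid, frame[12:]
        ctag = parse_ctag(frame)
        if ctag is not None:
            pcp, cvid, after_ctag = ctag          # priority bits copied to the outer tag
            svid, remove = self.mappings.get(cvid, (self.native_vid, False))
            if remove:
                body = after_ctag
        outer = struct.pack("!HH", self.tpid, (pcp << 13) | (svid & 0x0FFF))
        return header + outer + body


def customer_frame(cvid: int, pcp: int = 5) -> bytes:
    """Constructed customer frame: C-tag, then a dummy IPv4 ethertype and payload."""
    dst = bytes.fromhex("00e0299434de")
    src = bytes.fromhex("00e029000001")
    ctag = struct.pack("!HH", TPID_8021Q, (pcp << 13) | cvid)
    return dst + src + ctag + struct.pack("!H", 0x0800) + bytes(20)


def demo() -> Dict[str, List[Tuple[int, int, int]]]:
    port = TunnelAccessPort(native_vid=10)
    port.service_match(svid=99, cvid=2)                  # the manual's example mapping
    port.service_match(svid=300, cvid=30, remove_ctag=True)
    tagged = customer_frame(7)
    untagged = tagged[:12] + tagged[16:]                 # same frame without its C-tag
    return {
        "mapped": tag_stack(port.ingress(customer_frame(2))),
        "unmapped": tag_stack(port.ingress(tagged)),
        "stripped": tag_stack(port.ingress(customer_frame(30))),
        "untagged": tag_stack(port.ingress(untagged)),
    }


if __name__ == "__main__":
    for name, tags in demo().items():
        print(name, [(hex(t), p, v) for t, p, v in tags])
```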
Configuring L2CP Tunneling
This section describes the commands used to configure Layer 2 Protocol Tunneling (L2PT).
Table 96: L2 Protocol Tunnel Commands
Command: Function: Mode
l2protocol-tunnel custom-pdu: Configures the PDU format and pattern used for custom PDUs
l2protocol-tunnel tunnel-dmac: Configures the destination address for Layer 2 Protocol...

Command Usage
◆ Use this command to configure user-defined PDUs. Then use the switchport l2protocol-tunnel command to assign these PDUs to an interface.
◆ Refer to the Command Usage section for the l2protocol-tunnel tunnel-dmac command.
◆ L2PT encapsulates protocol packets entering ingress ports on the service provider’s edge switch, replacing the destination MAC address with a proprietary MAC address (for example, the spanning tree protocol uses 10-12-CF-00-00-02), a reserved address for other specified protocol types (as defined in IEEE 802.1ad –...
(a) all access ports for which L2PT has been disabled, and (b) all uplink ports.
■ ...recognized as a Generic Bridge PDU Tunneling (GBPT) protocol packet (i.e., having the destination address 01-00-0C-CD-CD-D0), it is forwarded to the following ports in the same S-VLAN:
■ other access ports for which L2PT is enabled, after decapsulating the...

switchport l2protocol-tunnel
This command enables Layer 2 Protocol Tunneling (L2PT) for the specified protocol. Use the no form to disable L2PT for the specified protocol.
Syntax
switchport l2protocol-tunnel {cdp | custom-pdu index | lldp | pvst+ | spanning-tree | vtp}
cdp - Cisco Discovery Protocol
custom-pdu - User defined PDU...
Chapter 18 | VLAN Commands Configuring VXLAN Tunneling show This command shows settings for Layer 2 Protocol Tunneling (L2PT). l2protocol-tunnel Command Mode Privileged Exec Example Console#show l2protocol-tunnel Layer 2 Protocol Tunnel Tunnel MAC Address : 01-12-CF-00-00-00 Interface Protocol ---------------------------------------------------------- Eth 1/ 1 Spanning Tree Console# Configuring VXLAN Tunneling...
In addition to forwarding the packet to the destination VM, the remote VTEP learns the mapping from inner source MAC to outer source IP address. It stores this mapping in the bridge lookup table so that when the destination VM sends a response packet, there is no need for “unknown destination”...
Table 97: VxLAN Tunneling Commands (Continued) Command Function Mode show vxlan udp-dst-port Shows the VXLAN UDP destination port show vxlan vtep Shows the remote VXLAN tunnel endpoint (VTEP) show vxlan flood Shows the remote VXLAN tunnel endpoint (VTEP) used when a received packet fails bridge table lookup show vxlan vlan-vni Shows the VLAN ID associated with a virtual network...
vxlan flood This command configures the remote VXLAN tunnel endpoint (VTEP) used when a received packet fails bridge table lookup. Use the no form to restore the default setting. Syntax vxlan [vni vni-id] flood { r-vtep ip-address | multicast ipv4-address vlan vid interface } no vxlan [vni vni-id] flood { r-vtep ip-address | multicast } vni-id - A 24-bit segment ID used to identify each VXLAN segment, termed...
◆ If a VNI is already configured to flood by multicast, you can still add a remote VTEP. If a VNI is already configured to flood to a remote VTEP, you can still configure it to flood by multicast.
Console(config)#vxlan vlan 2 vni 1001 Console(config)#vxlan vlan 2 vni 1002 23:19:2: VXLAN: (1805) VLAN 2 is assigned to VNI 1001 Failed to associate VLAN 2 with VNI 1002. Console(config)# This example shows the type of debug information that would be displayed when tracing internal VXLAN information on the VTEP.
Example Console#show vxlan vtep R-VTEP Port -------- --------------- --------------- -------- 12345678 101.101.101.101 202.202.202.202 Eth 1/11 3 101.101.202.202 201.201.201.201 Eth 1/22 Console# show vxlan flood This command shows the remote VXLAN tunnel endpoint (VTEP) used when a received packet fails bridge table lookup.
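To make the VTEP behaviour described in this section concrete (learning the inner source MAC against the outer source IP on decapsulation, and falling back to the configured vxlan flood target when the bridge lookup fails), the following is an added Python model; it is not the switch's code or part of the manual. The VTEP IP addresses are taken from the show vxlan vtep output above, while the VM MAC addresses are constructed.

```python
import struct

VXLAN_UDP_PORT = 4789        # default UDP destination port (RFC 7348)
FLAG_VNI_VALID = 0x08        # 'I' bit: the VNI field is valid
VNI_MAX = (1 << 24) - 1      # the VNI is a 24-bit segment identifier


def build_vxlan_header(vni):
    """Return the 8-byte VXLAN header: flags(1), reserved(3), VNI(3), reserved(1)."""
    if not 0 <= vni <= VNI_MAX:
        raise ValueError("VNI must be a 24-bit value")
    return struct.pack("!B3xI", FLAG_VNI_VALID, vni << 8)


def parse_vxlan_header(data):
    """Split a VXLAN payload into (vni, inner Ethernet frame)."""
    if len(data) < 8 + 14:
        raise ValueError("too short for a VXLAN header plus an Ethernet header")
    flags, tail = struct.unpack("!B3xI", data[:8])
    if not flags & FLAG_VNI_VALID:
        raise ValueError("VXLAN header without the valid-VNI flag")
    return tail >> 8, data[8:]


def ethernet_frame(dst, src, ethertype=0x0800, payload=b""):
    """Build a minimal inner Ethernet frame from 6-byte MAC addresses."""
    return dst + src + struct.pack("!H", ethertype) + payload


class Vtep:
    """A VXLAN tunnel endpoint: VLAN-to-VNI binding, learned bridge table, flood target."""

    def __init__(self, local_ip):
        self.local_ip = local_ip
        self.vlan_to_vni = {}   # 'vxlan vlan <vid> vni <vni-id>'
        self.flood = {}         # vni -> ("r-vtep", ip) or ("multicast", group)
        self.bridge = {}        # (vni, inner MAC) -> remote VTEP IP

    def map_vlan(self, vid, vni):
        """Bind a VLAN to a VNI; as the debug output shows, a VLAN takes one VNI only."""
        if vid in self.vlan_to_vni:
            raise ValueError(
                f"VLAN {vid} is assigned to VNI {self.vlan_to_vni[vid]}; "
                f"failed to associate VLAN {vid} with VNI {vni}")
        self.vlan_to_vni[vid] = vni

    def set_flood(self, vni, kind, address):
        """'vxlan vni <vni-id> flood {r-vtep <ip> | multicast <group> ...}'."""
        if kind not in ("r-vtep", "multicast"):
            raise ValueError("flood target must be r-vtep or multicast")
        self.flood[vni] = (kind, address)

    def receive(self, outer_src_ip, payload):
        """Decapsulate a tunnelled frame and learn inner source MAC -> outer source IP."""
        vni, inner = parse_vxlan_header(payload)
        dst_mac, src_mac = inner[:6], inner[6:12]
        self.bridge[(vni, src_mac)] = outer_src_ip
        return vni, dst_mac, src_mac

    def transmit(self, vid, inner):
        """Encapsulate a local frame: unicast to a learned VTEP, else use the flood target."""
        vni = self.vlan_to_vni[vid]
        packet = build_vxlan_header(vni) + inner
        remote = self.bridge.get((vni, inner[:6]))
        if remote is not None:
            return ("unicast", remote, packet)
        if vni not in self.flood:
            return ("drop", None, packet)      # no flood target configured for this VNI
        kind, address = self.flood[vni]
        return (kind, address, packet)


def demo():
    """Constructed exchange between the two VTEPs listed in the manual's show output."""
    vm_a = bytes.fromhex("00005e0053a1")   # constructed MAC of a VM behind 202.202.202.202
    vm_b = bytes.fromhex("00005e0053b2")   # constructed MAC of a VM local to this VTEP
    vm_c = bytes.fromhex("00005e0053c3")   # constructed MAC never seen on the tunnel
    vtep = Vtep("101.101.101.101")
    vtep.map_vlan(2, 1001)
    vtep.set_flood(1001, "r-vtep", "202.202.202.202")
    # Remote VTEP 202.202.202.202 tunnels a frame from A to B in VNI 1001.
    incoming = build_vxlan_header(1001) + ethernet_frame(vm_b, vm_a)
    vni, _, _ = vtep.receive("202.202.202.202", incoming)
    reply = vtep.transmit(2, ethernet_frame(vm_a, vm_b))     # B answers A: learned, unicast
    unknown = vtep.transmit(2, ethernet_frame(vm_c, vm_b))   # unknown destination: flood
    try:
        vtep.map_vlan(2, 1002)                               # second VNI on VLAN 2 fails
        rebind = None
    except ValueError as exc:
        rebind = str(exc)
    return {"vni": vni, "learned": vtep.bridge[(1001, vm_a)],
            "reply": reply[:2], "unknown": unknown[:2], "rebind": rebind}
```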
Class of Service Commands The commands described in this section allow you to specify which data packets have greater precedence when traffic is buffered in the switch due to congestion. This switch supports CoS with eight priority queues for each port. Data packets in a port’s high-priority queue will be transmitted before those in the lower-priority queues.
Chapter 19 | Class of Service Commands Priority Commands (Layer 2) queue mode This command sets the scheduling mode used for processing each of the class of service (CoS) priority queues. The options include strict priority, Weighted Round-Robin (WRR), or a combination of strict and weighted queuing. Use the no form to restore the default value.
◆ Service time is shared at the egress ports by defining scheduling weights for WRR, or for the queuing mode that uses a combination of strict and weighted queuing. Service time is allocated to each queue by calculating a precise number of bytes per second that will be serviced on each round.
Example The following example shows how to assign round-robin weights of 1 - 4 to the CoS priority queues 0 - 7. Console(config)#queue weight 1 2 3 4 5 6 7 8 Console(config)# Related Commands queue mode (508)
Example The following example shows how to set a default priority on port 3 to 5: Console(config)#interface ethernet 1/3 Console(config-if)#switchport priority default 5 Console(config-if)# Related Commands show interfaces switchport (377) show queue mode This command shows the current queue mode.
Priority Commands (Layer 3 and 4) This section describes commands used to configure Layer 3 and 4 traffic priority mapping on the switch. Table 100: Priority Commands (Layer 3 and 4) Command Function Mode...
qos map phb-queue This command determines the hardware output queues to use based on the internal per-hop behavior value. Use the no form to restore the default settings. Syntax qos map phb-queue queue-id from phb0 ...
cfi - Canonical Format Indicator. Set this parameter to “0” to indicate that the MAC address information carried in the frame is in canonical format. (Range: 0-1) Default Setting Table 102: Default Mapping of CoS/CFI to Internal PHB/Drop Precedence...
qos map default-drop-precedence This command maps the internal per-hop behavior (based on packet priority) to a default drop precedence for internal processing of untagged packets. Use the no form to restore the default settings.
qos map dscp-cos This command maps internal per-hop behavior and drop precedence value pairs to CoS/CFI values used in tagged egress packets on a Layer 2 interface. Use the no form to restore the default settings.
Example Console(config)#interface ethernet 1/5 Console(config-if)#qos map dscp-cos 1 0 from 1 2 Console(config-if)# qos map dscp-mutation This command maps DSCP values in incoming packets to per-hop behavior and drop precedence values for priority processing.
Command Usage ◆ Enter a value pair for the internal per-hop behavior and drop precedence, followed by the keyword “from” and then up to eight DSCP values separated by spaces.
Command Usage ◆ This mapping table is only used if the protocol type of the arriving packet is TCP or UDP. Example Console(config)#interface ethernet 1/5 Console(config-if)#qos map ip-port-dscp tcp 21 to 1 0 Console(config-if)# qos map ip-prec-dscp This command maps IP precedence values in incoming packets to per-hop...
qos map trust-mode This command sets QoS mapping to DSCP or CoS. Use the no form to restore the default setting. Syntax qos map trust-mode {cos | dscp | ip-prec} no qos map trust-mode cos - Sets the QoS mapping mode to CoS.
show qos map cos-dscp This command shows the ingress CoS/CFI to internal DSCP map. Syntax show qos map cos-dscp interface interface interface ethernet unit/port unit - Unit identifier. (Range: 1) port - Port number.
Example Console#show qos map default-drop-precedence interface ethernet 1/5 Information of Eth 1/5 default-drop-precedence map: phb: ------------------------------------------------------- color: Console# show map dscp-cos This command shows the internal DSCP to egress CoS map, which converts internal PHB/Drop Precedence to CoS values.
show qos map dscp-mutation This command shows the ingress DSCP to internal DSCP map. Syntax show qos map dscp-mutation interface interface interface ethernet unit/port unit - Unit identifier. (Range: 1) port - Port number.
Command Mode Privileged Exec Command Usage The IP Port-to-DSCP mapping table is only used if the protocol type of the arriving packet is TCP or UDP. Example Console#show qos map ip-port-dscp interface ethernet 1/5 Information of Eth 1/5 ip-port-dscp map:...
show qos map phb-queue This command shows the internal per-hop behavior to hardware queue map. Syntax show qos map phb-queue interface interface interface ethernet unit/port unit - Unit identifier. (Range: 1) port - Port number.
Quality of Service Commands The commands described in this section are used to configure Differentiated Services (DiffServ) classification criteria and service policies. You can classify traffic based on access lists, IP Precedence or DSCP values, or VLANs. Using access lists allows you select traffic based on Layer 2, Layer 3, or Layer 4 information contained in each packet.
Chapter 20 | Quality of Service Commands To create a service policy for a specific category of ingress traffic, follow these steps: Use the class-map command to designate a class name for a specific category of traffic, and enter the Class Map configuration mode. Use the match command to select a specific type of traffic based on an access...
◆ One or more class maps can be assigned to a policy map (page 531). The policy map is then bound by a service policy to an interface (page 541). A service policy defines packet classification, service tagging, and bandwidth policing. Once a policy map has been bound to an interface, no additional class maps may be added to the policy map, nor any changes made to the assigned class maps with the...
cos - A Class of Service value. (Range: 0-7) dscp - A Differentiated Service Code Point value. (Range: 0-63) ip-precedence - An IP Precedence value. (Range: 0-7) vlan - A VLAN. (Range: 1-4094) Default Setting None Command Mode Class Map Configuration...
This example creates a class map called “rd-class#3,” and sets it to match packets marked for VLAN 1. Console(config)#class-map rd-class#3 match-any Console(config-cmap)#match vlan 1 Console(config-cmap)# rename This command redefines the name of a class map or policy map. Syntax rename map-name map-name - Name of the class map or policy map.
◆ Create a Class Map (page 531) before assigning it to a Policy Map. Example This example creates a policy called “rd-policy,” uses the class command to specify the previously defined “rd-class,” uses the set command to classify the service that incoming packets will receive, and then uses the police flow command to limit the...
Example This example creates a policy called “rd-policy,” uses the class command to specify the previously defined “rd-class,” uses the set phb command to classify the service that incoming packets will receive, and then uses the police flow command to limit the average bandwidth to 100,000 Kbps, the burst rate to 4,000 bytes, and...
committed-rate option. Note that the token bucket functions similarly to that described in RFC 2697 and RFC 2698. ◆ The behavior of the meter is specified in terms of one token bucket (C), the rate at which the tokens are incremented (CIR –...
committed-burst - Committed burst size (BC) in bytes. (Range: 0-524288 bytes) excess-burst - Excess burst size (BE) in bytes. (Range: 1000-128000000 bytes) conform-action - Action to take when rate is within the CIR and BC. (There are enough tokens in bucket BC to service the packet, packet is set green).
The token buckets C and E are initially full, that is, the token count Tc(0) = BC and the token count Te(0) = BE. Thereafter, the token counts Tc and Te are updated CIR times per second as follows: ■ If Tc is less than BC, Tc is incremented by one, else...
police trtcm-color This command defines an enforcer for classified traffic based on a two rate three color meter (trTCM). Use the no form to remove a policer. Syntax [no] police {trtcm-color-blind | trtcm-color-aware} committed-rate committed-burst peak-rate peak-burst conform-action {transmit | new-dscp} exceed-action {drop | new-dscp}...
◆ The PHB label is composed of five bits, three bits for per-hop behavior, and two bits for the color scheme used to control queue congestion. A packet is marked red if it exceeds the PIR. Otherwise it is marked either yellow or green depending on whether it exceeds or doesn't exceed the CIR.
to 6000, to remark any packets exceeding the committed burst size, and to drop any packets exceeding the peak information rate. Console(config)#policy-map rd-policy Console(config-pmap)#class rd-class Console(config-pmap-c)#set phb 3 Console(config-pmap-c)#police trtcm-color-blind 100000 4000 100000 6000 conform-action transmit exceed-action 0 violate-action drop Console(config-pmap-c)# set cos...
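The bucket update described under police flow (buckets C and E start full, E fed only when C is full) and the trTCM marking rule above (red above the PIR, otherwise yellow or green by the CIR) as an added Python model; this is not the switch's code, it follows colour-blind metering as in RFC 2697 and RFC 2698, takes rates in kbit/s like the police commands, and runs the example's parameters 100000 4000 100000 6000 with its conform/exceed/violate actions over a constructed packet burst.

```python
GREEN, YELLOW, RED = "green", "yellow", "red"

# Colour to policer action for the manual's example:
#   police trtcm-color-blind 100000 4000 100000 6000
#   conform-action transmit exceed-action 0 violate-action drop
EXAMPLE_ACTIONS = {GREEN: "transmit", YELLOW: "remark dscp 0", RED: "drop"}


def kbps_to_bytes_per_second(kbps):
    return kbps * 1000 / 8


class Bucket:
    """Token bucket holding at most `size` bytes, refilled at `rate` bytes/s."""

    def __init__(self, rate, size):
        self.rate, self.size = rate, size
        self.tokens = size               # buckets start full: Tc(0) = BC, Te(0) = BE

    def refill(self, elapsed):
        """Add rate*elapsed tokens up to the bucket size; return the overflow."""
        total = self.tokens + self.rate * elapsed
        self.tokens = min(total, self.size)
        return total - self.tokens


class SrTCM:
    """One rate (CIR) and two buckets: C (committed burst) and E (excess burst).
    E only receives the tokens that C cannot hold, as in RFC 2697."""

    def __init__(self, cir_kbps, bc_bytes, be_bytes):
        self.c = Bucket(kbps_to_bytes_per_second(cir_kbps), bc_bytes)
        self.e = Bucket(0, be_bytes)
        self.last = 0.0

    def meter(self, size, now):
        overflow = self.c.refill(now - self.last)
        self.e.tokens = min(self.e.tokens + overflow, self.e.size)
        self.last = now
        if self.c.tokens >= size:        # enough committed tokens: green
            self.c.tokens -= size
            return GREEN
        if self.e.tokens >= size:        # enough excess tokens: yellow
            self.e.tokens -= size
            return YELLOW
        return RED                       # red: neither bucket is debited


class TrTCM:
    """Two rates (CIR, PIR) and two independently refilled buckets C and P (RFC 2698)."""

    def __init__(self, cir_kbps, bc_bytes, pir_kbps, bp_bytes):
        self.c = Bucket(kbps_to_bytes_per_second(cir_kbps), bc_bytes)
        self.p = Bucket(kbps_to_bytes_per_second(pir_kbps), bp_bytes)
        self.last = 0.0

    def meter(self, size, now):
        self.c.refill(now - self.last)
        self.p.refill(now - self.last)
        self.last = now
        if self.p.tokens < size:         # exceeds the PIR: red, violate-action
            return RED
        if self.c.tokens < size:         # within PIR but over CIR: yellow, exceed-action
            self.p.tokens -= size
            return YELLOW
        self.p.tokens -= size            # within both rates: green, conform-action
        self.c.tokens -= size
        return GREEN


def meter_burst(meter, sizes, times):
    """Colour each packet of a constructed arrival sequence (sizes in bytes, times in s)."""
    return [meter.meter(size, t) for size, t in zip(sizes, times)]


def example_trtcm():
    """Six constructed 1500-byte packets: five back to back at t=0, one 1 ms later."""
    meter = TrTCM(100000, 4000, 100000, 6000)   # the manual's example parameters
    colours = meter_burst(meter, [1500] * 6, [0.0] * 5 + [0.001])
    return colours, [EXAMPLE_ACTIONS[c] for c in colours]


def example_srtcm():
    """Seven constructed 1500-byte packets arriving at once against CIR 100000 kbps, BC 4000, BE 6000."""
    return meter_burst(SrTCM(100000, 4000, 6000), [1500] * 7, [0.0] * 7)
```

At t=0 the trTCM passes two packets green (4000 bytes of BC), two yellow (the remaining 2000 of BP), drops the fifth, and is full again 1 ms later at 12.5 MB/s.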
set phb This command services IP traffic by setting a per-hop behavior value for a matching packet (as specified by the match command) for internal processing. Use the no form to remove this setting. Syntax [no] set phb phb-value phb-value - Per-hop behavior value.
service-policy This command applies a policy map defined by the policy-map command to the ingress or egress side of a particular interface. Use the no form to remove this mapping. Syntax [no] service-policy {input | output} policy-map-name input - Apply to the input traffic.
Example Console#show class-map Class Map match-any rd-class#1 Description: Match IP DSCP 10 Match access-list rd-access Match IP DSCP 0 Class Map match-any rd-class#2 Match IP Precedence 5 Class Map match-any rd-class#3 Match VLAN 1 Console# show policy-map This command displays the QoS policy maps which define classification criteria for...
show policy-map interface This command displays the service policy assigned to the specified interface. Syntax show policy-map interface interface {input | output} interface unit/port unit - Unit identifier. (Range: 1) port - Port number. (Range: 1-32/54) port-channel channel-id (Range: 1-16/27) input - Apply to the input traffic.
Data Center Bridging Commands Fibre Channel was developed as a dedicated fabric that loses little to no packets, and was not designed to work on an unreliable network. For this reason, a set of standards termed Data Center Bridging (DCB) have been developed to increase the reliability of Ethernet-based networks in the data center.
DCB Exchange Commands This section describes the commands used by DCB devices to exchange configuration information with directly-connected peers. These commands are also used to detect misconfiguration of the peer devices and, where accepted, to configure peer DCB devices.
Example The following example enables DCBX on port 5: Console(config)#interface ethernet 1/5 Console(config-if)#dcbx Console(config-if)# dcbx mode This command configures the DCBX mode used for message exchange. Use the no form to restore the default setting. Syntax dcbx mode {auto-down | auto-up | configuration-source | manual} no dcbx mode...
propagated information utilize this information and ignore their local configuration. The first auto-upstream port to successfully accept a compatible configuration becomes the configuration source. Peer configurations received on auto-upstream ports other than the configuration source are accepted if compatible with the configuration source, and the DCBX client is set to operationally active on the auto-upstream port.
Chapter 21 | Data Center Bridging Commands Priority-based Flow Control Commands Default Setting Shows DCBX configuration settings for all ports. Command Mode Privileged Exec Example This example displays the DCBX administrative status, operational mode, and the status of the LLDP TLV willing bit for ETS and PFC. Console#show dcbx ethernet 1/5 DCBX Port Configuration Port...
Table 110: Priority-based Flow Control Commands (Continued) Command Function Mode clear pfc statistics Clears PFC statistics show pfc Shows PFC configuration settings show pfc statistics Shows PFC statistics for the number of PFC frames received and transmitted for each priority Configuration Guidelines Take the following steps to configure PFC:...
any manually configured information. Interfaces not enabled for PFC ignore received PFC frames. ◆ PFC is configurable on full duplex interfaces only. To enable PFC on a LAG, the member interfaces must have the same configuration.
Example The following example configures port 5 to enable PFC for priorities 3 and 5: Console(config)#interface ethernet 1/5 Console(config-if)#pfc priority enable 3,5 Console(config-if)# clear pfc statistics Use this command to clear PFC statistics. Syntax clear pfc statistics [interface interface] interface...
Command Mode Privileged Exec Example This example displays the PFC administrative status, operational mode, and the priority bits for frames to pause (instead of drop) when congestion occurs in the specified priority buffers.
Enhanced Transmission Selection Commands Enhanced Transmission Selection (ETS) provides a means to allocate link bandwidth to different priority groups as a percentage of total bandwidth. These settings are then advertised to other devices in a data center network through DCBX ETS TLVs.
ets mode Use this command to set the ETS mode to negotiate capability through DCBX or by forcing it to the on state. Use the no form to restore the default setting. Syntax ets mode {auto | on} no ets mode...
ets - Processes packets with priority values specified for a TCG using Weighted Deficit Round Robin (WDRR). Default Setting strict Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage Packets with priority values not specified for a TCG use strict priority and therefore are processed ahead of the packets in the weighted queues.
Example The following example maps priority 2 and 3 to TCG 0 for port 5. Console(config)#interface ethernet 1/5 Console(config-if)#traffic-class map 2 1 Console(config-if)#traffic-class map 3 1 Console(config-if)# traffic-class weight Use this command to configure the bandwidth allocation for all TCGs on an interface.
show ets mapping Use this command to display the mapping from IEEE 802.1p priorities to traffic class groups (TCGs). Syntax show ets mapping [interface interface] interface ethernet unit/port unit - Unit identifier. (Range: 1) port - Port number.
Chapter 21 | Data Center Bridging Commands Congestion Notification Commands show ets weight Use this command to display the bandwidth allocation for selected TCGs. Syntax show ets mapping [interface interface] interface ethernet unit/port unit - Unit identifier. (Range: 1) port - Port number. (Range: 1-32/54) port-channel channel-id (Range: 1-16/27) Command Mode Privileged Exec...
its congested state and that the rate of the flow entering the network should be reduced. Upon receiving the CN messages, rate limiting is initiated as close as possible to the source of the congestion.
The QCN algorithm is composed of the following two parts: Congestion Point (CP) Algorithm: This is the mechanism by which a congested bridge or end station buffer samples outgoing frames and generates a feedback message (CNM –...
cn Use this command to enable congestion notification for all ports on the switch. Use the no form to disable congestion notification on the switch. Syntax [no] cn Default Setting Disabled Command Mode Global Configuration Command Usage...
Example The following example sets the CNM transmit priority to 1. Console(config)#cn cnm-transmit-priority 1 Console(config)# cn cnpv Use this command to set a dot1p priority to be a Congestion Notification Priority Value (CNPV).
cn cnpv alternate-priority Use this command to configure the alternate priority used to remark a received frame when its dot1p priority is equal to the CNPV and the defense mode is other than auto.
cn cnpv defense-mode (Global Configuration) Use this command to configure the defense mode for a CNPV, determining whether CN is enabled or not, and if enabled, whether the port remarks the CNPV to a non-CNPV value on input, and whether the port removes CN-tags on output.
◆ Under the interior-ready option, on this port and for this CNPV, the priority parameters of input frames are not remapped to another value, and no priority value is remapped to this CNPV, regardless of the priority regeneration table. CN-TAGs are not removed from frames by the switch.
cn cnpv defense-mode (Interface Configuration) Use this command to configure the defense mode for a CNPV, determining whether CN is enabled or not, and if enabled, whether the port remarks the CNPV to a non-CNPV value on input, and whether the port removes CN-tags on output.
Example This example shows the global settings for congestion notification, and the number of discarded frames. Console#show cn Congestion Notification Global Information Admin Status : Enabled Oper Status : Enabled CNM Transmit Priority Total Discarded Frames : 0 Console#...
show cn cp Use this command to show functional settings and status for the specified CP. Syntax show cn cp interface index index interface ethernet unit/port unit - Unit identifier. (Range: 1) port - Port number.
Chapter 21 | Data Center Bridging Commands Openflow Commands Table 113: show cn cp - display description (Continued) Field Description Set Point The set-point for the queue. This is the target number of octets in the CP’s queue. (Default: 26000) Feedback Weight Variable used in calculation of Quantized Feedback and New Sample Base.
Figure 5: Openflow Process Note: The storm control function will be invalid if an Openflow flow rule is added to the switch. Due to a chip-specific behavior, storm control is detected and limited in the DA lookup stage.
Table 114: Openflow Commands (Continued) Command Function Mode show of-agent flow Displays all flow table settings show of-agent group Displays all group settings of-agent controller This command sets the address for the OpenFlow controller. Use the no form to delete the controller address.
of-agent datapath-desc This command configures the data path description. Use the no form to remove the data path descriptor. Syntax of-agent datapath-desc description no of-agent datapath-desc description - A unique description or identifier for the flow forwarding behaviour implemented by the data path.
Match: In port: 0/0xFFFF0000 Instruction: Goto table: 10 [VLAN table] No more flow from ofagent Console# show of-agent group This command displays all group settings. Syntax show of-agent group [type {group-type | l2-interface | l2-rewrite | l3-unicast | l2-multicast | l2-flood | l3-interface | l3-multicast | l3-ecmp | l2-overlay}] group-type - Specifies group type.
Output: 3 Group 0x10000001 [L2 Rewrite] Bucket Index: 0 New Source MAC: 00-00-62-22-33-55 New Dest MAC: 00-00-62-22-44-66 New VID: 3 Reference Group: 0x30001 [L2 Interface] Group 0x20000001 [L3 Unicast] Bucket Index: 0 New Source MAC: 00-00-63-22-33-55 New Dest MAC: 00-00-63-22-44-66 New VID: 2...
Output: 45 Group 0x30001 [L2 Interface] VID: 3, Port: 1 Bucket Index: 0 Output: 1 Group 0x30003 [L2 Interface] VID: 3, Port: 3 Bucket Index: 0 Output: 3 No more group from ofagent Console#show of-agent group type l3-interface Group 0x50000003 [L3 Interface] Bucket Index: 0...
Multicast Filtering Commands This switch uses IGMP (Internet Group Management Protocol) to check for any attached hosts that want to receive a specific multicast service. It identifies the ports containing hosts requesting a service and sends data out to those ports only. It then propagates the service request up to any neighboring multicast switch/ router to ensure that it will continue to receive the multicast service.
IGMP Snooping This section describes commands used to configure IGMP snooping on the switch. Table 116: IGMP Snooping Commands Command Function Mode ip igmp snooping Enables IGMP snooping ip igmp snooping priority Assigns a priority to all multicast traffic ip igmp snooping proxy-reporting Enables IGMP Snooping with Proxy Reporting...
Table 116: IGMP Snooping Commands (Continued) Command Function Mode ip igmp snooping vlan static Adds an interface as a member of a multicast group ip igmp snooping vlan version Configures the IGMP version for snooping ip igmp snooping Discards received IGMP messages which use a version...
Example The following example enables IGMP snooping globally. Console(config)#ip igmp snooping Console(config)# ip igmp snooping priority This command assigns a priority to all multicast traffic. Use the no form to restore the default setting. Syntax ip igmp snooping priority priority no ip igmp snooping priority...
ip igmp snooping proxy-reporting This command enables IGMP Snooping with Proxy Reporting. Use the no form to restore the default setting. Syntax [no] ip igmp snooping proxy-reporting ip igmp snooping vlan vlan-id proxy-reporting {enable | disable} no ip igmp snooping vlan vlan-id proxy-reporting vlan-id - VLAN ID (Range: 1-4094) enable - Enable on the specified VLAN.
Command Usage ◆ IGMP snooping querier is not supported for IGMPv3 snooping (see ip igmp snooping version). ◆ If enabled, the switch will serve as querier if elected. The querier is responsible for asking hosts if they want to receive multicast traffic.
ip igmp snooping router-port-expire-time This command configures the querier timeout. Use the no form to restore the default. Syntax ip igmp snooping router-port-expire-time seconds no ip igmp snooping router-port-expire-time seconds - The time the switch waits after the previous querier stops before it considers it to have expired.
◆ If a topology change notification (TCN) is received, and all the uplink ports are subsequently deleted, a timeout mechanism is used to delete all of the currently learned multicast channels. ◆ When a new uplink port starts up, the switch sends unsolicited reports for all currently learned channels out through the new uplink port.
When an upstream multicast router receives this solicitation, it will also immediately issue an IGMP general query. ◆ The ip igmp snooping tcn query-solicit command can be used to send a query solicitation whenever it notices a topology change, even if the switch is not the root bridge in the spanning tree.
ip igmp snooping unsolicited-report-interval This command specifies how often the upstream interface should transmit unsolicited IGMP reports when proxy reporting is enabled. Use the no form to restore the default value. Syntax ip igmp snooping unsolicited-report-interval seconds no ip igmp snooping version-exclusive...
Command Mode Global Configuration Command Usage ◆ This command configures the IGMP report/query version used by IGMP snooping. Versions 1 - 3 are all supported, and versions 2 and 3 are backward compatible, so the switch can operate with other devices, regardless of the snooping version employed.
ip igmp snooping vlan general-query-suppression This command suppresses general queries except for ports attached to downstream multicast hosts. Use the no form to flood general queries to all ports except for the multicast router port. Syntax [no] ip igmp snooping vlan vlan-id general-query-suppression...
The router/querier stops forwarding traffic for that group only if no host replies to the query within the timeout period. (The timeout for this release is currently defined by Last Member Query Interval (fixed at one second) * Robustness Variable (fixed at 2) as defined in RFC 2236.)
Example Console(config)#ip igmp snooping vlan 1 last-memb-query-count 7 Console(config)# ip igmp snooping vlan last-memb-query-intvl This command configures the last-member-query interval. Use the no form to restore the default. Syntax ip igmp snooping vlan vlan-id last-memb-query-intvl interval no ip igmp snooping vlan vlan-id last-memb-query-intvl vlan-id - VLAN ID (Range: 1-4094) interval - The interval to wait for a response to a group-specific or group-...
ip igmp snooping vlan mrd This command enables sending of multicast router solicitation messages. Use the no form to disable these messages. Syntax [no] ip igmp snooping vlan vlan-id mrd vlan-id - VLAN ID (Range: 1-4094) Default Setting Disabled Command Mode...
ip igmp snooping vlan proxy-address This command configures a static source address for locally generated query and report messages used by IGMP proxy reporting. Use the no form to restore the default source address. Syntax [no] ip igmp snooping vlan vlan-id proxy-address source-address vlan-id - VLAN ID (Range: 1-4094)
Example The following example sets the source address for proxied IGMP query messages to 10.0.1.8. Console(config)#ip igmp snooping vlan 1 proxy-address 10.0.1.8 Console(config)# ip igmp snooping vlan This command configures the interval between sending IGMP general queries. Use the no form to restore the default.
ip igmp snooping vlan query-resp-intvl This command configures the maximum time the system waits for a response to general queries. Use the no form to restore the default. Syntax ip igmp snooping vlan vlan-id query-resp-intvl interval no ip igmp snooping vlan vlan-id query-resp-intvl vlan-id - VLAN ID (Range: 1-4094) interval - The maximum time the system waits for a response to general...
Command Mode Global Configuration Command Usage ◆ Static multicast entries are never aged out. ◆ When a multicast entry is assigned to an interface in a specific VLAN, the corresponding traffic can only be forwarded to ports within that VLAN. Example The following shows how to statically configure a multicast group on a port.
---- --------------- -------- 235.0.0.0 Eth 1/ 5 show ip igmp snooping group This command shows known multicast group, source, and host port mappings for the specified VLAN interface, or for all interfaces if none is specified. Syntax show ip igmp snooping group [host-ip-addr ip-address interface | igmpsnp |...
Chapter 22 | Multicast Filtering Commands IGMP Snooping 1 224.1.1.1 00:00:00:37 2(P) Eth 1/ 1(R) Eth 1/ 2(M) 0(H) Console# show ip igmp This command displays information on statically configured and dynamically snooping mrouter learned multicast router ports. Syntax show ip igmp snooping mrouter [vlan vlan-id] vlan-id - VLAN ID (Range: 1-4094) Default Setting Displays multicast router ports for all configured VLANs.
Table 118: show ip igmp snooping statistics output - display description Field Description Interface Shows interface. Report The number of IGMP membership reports sent from this interface. Leave The number of leave messages sent from this interface. G Query The number of general query messages sent from this interface.
Table 119: show ip igmp snooping statistics vlan query - display description Field Description Warn Rate Limit The rate at which received query messages of the wrong version type cause the Vx warning count to increment. Note that “0 sec” means that the Vx warning count is incremented for each wrong message version received.
Command Usage ◆ Depending on your network connections, IGMP snooping may not always be able to locate the IGMP querier. Therefore, if the IGMP querier is a known multicast router or switch connected over the network to an interface (port or trunk) on this switch, that interface can be manually configured to join all the current multicast groups.
(Continued) Table 121: IGMP Filtering and Throttling Commands Command Function Mode show ip igmp query-drop Shows if the interface is configured to drop IGMP query packets show ip igmp throttle interface Displays the IGMP throttling setting for interfaces ip igmp filter...
ip igmp profile This command creates an IGMP filter profile number and enters IGMP profile configuration mode. Use the no form to delete a profile number. Syntax [no] ip igmp profile profile-number profile-number - An IGMP filter profile number.
Example Console(config)#ip igmp profile 19 Console(config-igmp-profile)#permit Console(config-igmp-profile)# range This command specifies multicast group addresses for a profile. Use the no form to delete addresses from a profile. Syntax [no] range low-ip-address [high-ip-address] low-ip-address - A valid IP address of a multicast group or start of a group range.
Command Usage ◆ If IGMP authentication is enabled on an interface, and a join report is received on the interface, the switch will send an access request to the RADIUS server to perform authentication.
(Continued) Table 122: IGMP Authentication RADIUS Attribute Value Pairs Attribute Name AVP Type Entry NAS_PORT User Port Number FRAMED_IP_ADDRESS Multicast Group ID Example This example shows how to enable IGMP Authentication on all of the switch’s Ethernet interfaces.
ip igmp max-groups This command sets the IGMP throttling number for an interface on the switch. Use the no form to restore the default setting. Syntax ip igmp max-groups number no ip igmp max-groups number - The maximum number of multicast groups an interface can join at the same time.
Command Usage When the maximum number of groups is reached on a port, the switch can take one of two actions; either “deny” or “replace.” If the action is set to deny, any new IGMP join reports will be dropped.
Console# show ip igmp profile This command displays IGMP filtering profiles created on the switch. Syntax show ip igmp profile [profile-number] profile-number - An existing IGMP filter profile number. (Range: 1-4294967295) Default Setting None Command Mode...
Command Usage Using this command without specifying an interface displays all interfaces. Example Console#show ip igmp query-drop interface ethernet 1/1 Ethernet 1/1: Enabled Console# show ip igmp throttle interface This command displays the interface settings for IGMP throttling. Syntax show ip igmp throttle interface [interface]...
MLD Snooping Multicast Listener Discovery (MLD) snooping operates on IPv6 traffic and performs a similar function to IGMP snooping for IPv4. That is, MLD snooping dynamically configures switch ports to limit IPv6 multicast traffic so that it is forwarded only to ports with users that want to receive it.
(Continued) Table 123: MLD Snooping Commands Command Function Mode show ipv6 mld snooping group source-list Displays the learned groups and corresponding source list PE show ipv6 mld snooping mrouter Displays the information of multicast router ports ipv6 mld snooping This command enables MLD Snooping globally on the switch.
◆ The querier will not start or will disable itself after having started if it detects an IPv6 multicast router on the network. Example Console(config)#ipv6 mld snooping querier Console(config)# ipv6 mld snooping This command configures the interval between sending MLD general queries.
Default Setting 10 seconds Command Mode Global Configuration Command Usage This command controls how long the host has to respond to an MLD Query message before the switch deletes the group if it is the last member. Example Console(config)#ipv6 mld snooping query-max-response-time seconds 15 Console(config)#...
ipv6 mld snooping router-port-expire-time This command configures the MLD query timeout. Use the no form to restore the default. Syntax ipv6 mld snooping router-port-expire-time time no ipv6 mld snooping router-port-expire-time time - Specifies the timeout of a dynamically learned router port. (Range: 300-500 seconds) Default Setting 300 seconds...
◆ When set to “router-port,” any received IPv6 multicast packets that have not been requested by a host are forwarded to ports that are connected to a detected multicast router. Example Console(config)#ipv6 mld snooping unknown-multicast mode flood Console(config)# ipv6 mld snooping...
Command Usage ◆ If MLD immediate-leave is not used, a multicast router (or querier) will send a group-specific query message when an MLD group leave message is received. The router/querier stops forwarding traffic for that group only if no host replies to the query within the specified timeout period.
Example The following shows how to configure port 1 as a multicast router port within VLAN Console(config)#ipv6 mld snooping vlan 1 mrouter ethernet 1/1 Console(config)# ipv6 mld snooping This command adds a port to an IPv6 multicast group. Use the no form to remove the port.
Example The following shows MLD Snooping configuration information Console#show ipv6 mld snooping Service Status : Disabled Proxy Reporting : Disabled Querier Status : Disabled Robustness Query Interval : 125 sec Query Max Response Time : 10 sec Router Port Expiry Time : 300 sec...
show ipv6 mld snooping group source-list This command shows known multicast groups, member ports, the means by which each group was learned, and the corresponding source list. Syntax show ipv6 mld snooping group source-list Command Mode Privileged Exec Example...
IGMP (Layer 3) This section describes commands used to configure Layer 3 Internet Group Management Protocol (IGMP) on the switch. Table 124: IGMP Commands (Layer 3) Command Function Mode ip igmp Enables IGMP for the specified interface ip igmp last-member- Configures the frequency at which to send query messages...
ip igmp max-resp-interval This command configures the maximum response time advertised in IGMP queries. Use the no form of this command to restore the default. Syntax ip igmp max-resp-interval seconds no ip igmp max-resp-interval seconds - The report delay advertised in IGMP queries.
ip igmp query-interval This command configures the frequency at which host query messages are sent. Use the no form to restore the default. Syntax ip igmp query-interval seconds no ip igmp query-interval seconds - The frequency at which the switch sends IGMP host-query messages.
ip igmp robustval This command specifies the robustness (expected packet loss) for this interface. Use the no form of this command to restore the default value. Syntax ip igmp robustval robust-value no ip igmp robustval robust-value - The robustness of this interface.
Command Mode Interface Configuration (VLAN) Command Usage ◆ Group addresses within the entire multicast group address range can be specified with this command. However, if any address within the source-specific multicast (SSM) address range (default 232/8) is specified, but no source address is included in the command, the request to join the multicast group will fail unless the next node up the reverse path tree has statically mapped this group to a specific source address.
Default Setting IGMP Version 2 Command Mode Interface Configuration (VLAN) Command Usage ◆ All routers on the subnet must support the same version. However, the multicast hosts on the subnet may support any of the IGMP versions 1 - 3. ◆...
Example The following example clears all multicast group entries for VLAN 1. Console#clear ip igmp interface vlan1 Console# show ip igmp groups This command displays information on multicast groups active on the switch and learned through IGMP.
Table 125: show ip igmp groups - display description Field Description Group Address IP multicast group address with subscribers directly attached or downstream from the switch. Interface VLAN The interface on the switch that has received traffic directed to the multicast group address.
(Continued) Table 126: show ip igmp groups detail - display description Field Description Group mode In INCLUDE mode, reception of packets sent to the specified multicast address is requested only from those IP source addresses listed in the source-list parameter.
Last Member Query Interval : 10 (resolution in 0.1 sec) Querier : 0.0.0.0 Joined Groups : Static Groups : switch# IGMP Proxy Routing This section describes commands used to configure IGMP Proxy Routing on the switch.
Command Mode Interface Configuration (VLAN) Command Usage ◆ When IGMP proxy is enabled on an interface, that interface is known as the upstream or host interface. This interface performs only the host portion of IGMP by sending IGMP membership reports, and automatically disables IGMP router functions.
ip igmp proxy unsolicited-report-interval This command specifies how often the upstream interface should transmit unsolicited IGMP reports. Use the no form to restore the default value. Syntax ip igmp proxy unsolicited-report-interval seconds no ip igmp proxy unsolicited-report-interval seconds - The interval at which to issue unsolicited reports.
ipv6 mld This command enables MLD on a VLAN interface. Use the no form of this command to disable MLD on the selected interface. Syntax [no] ipv6 mld Default Setting Disabled Command Mode Interface Configuration (VLAN) Command Usage...
Default Setting 10 (1 second) Command Mode Interface Configuration (VLAN) Command Usage When the switch receives an MLD or MLDv2 leave message from a host that wants to leave a multicast group, source or channel, it sends a number of group-specific or group-source-specific query messages at intervals defined by this command.
Example The following shows how to configure the maximum response time to 20 seconds. Console(config-if)#ipv6 mld max-resp-interval 200 Console(config-if)# Related Commands ipv6 mld query-interval (643) ipv6 mld query-interval This command configures the frequency at which host query messages are sent. Use the no form to restore the default.
ipv6 mld robustval This command specifies the robustness (expected packet loss) for this interface. Use the no form of this command to restore the default value. Syntax ipv6 mld robustval robust-value no ipv6 mld robustval robust-value - The robustness of this interface.
Command Mode Interface Configuration (VLAN) Command Usage ◆ If a static group is configured for an any-source multicast (*,G), a source address cannot subsequently be defined for this group without first deleting the entry. ◆...
Command Usage ◆ MLDv1 is derived from IGMPv2, and MLDv2 from IGMPv3. IGMP uses IP Protocol 2 message types, and MLD uses IP Protocol 58 message types, which are a subset of the ICMPv6 messages.
show ipv6 mld groups This command displays information on multicast groups active on the switch and learned through MLD. Syntax show ipv6 mld groups [{group-address | interface} [detail] | detail] group-address - IPv6 multicast group address. (Note that link-local scope addresses FF02:* are not allowed.) interface vlan vlan-id - VLAN ID.
(Continued) Table 129: show ipv6 mld groups - display description Field Description Expire The time remaining before this entry will be aged out. (The default is 260 seconds.) This field displays “stopped” if the Group Mode is INCLUDE. Group Mode In Include mode, reception of packets sent to the specified multicast address is requested only from those IP source addresses listed in the...
Querier : FE80::200:E8FF:FE93:82A0 Joined Groups : Static Groups : FFEE::101 Console# MLD Proxy Routing This section describes commands used to configure MLD Proxy Routing on the switch. Table 130: IGMP Proxy Commands Command Function Mode...
Command Mode Interface Configuration (VLAN) Command Usage ◆ When MLD proxy is enabled on an interface, that interface is known as the upstream or host interface. This interface performs only the host portion of MLD by sending MLD membership reports, and automatically disables MLD router functions.
ipv6 mld proxy unsolicited-report-interval This command specifies how often the upstream interface should transmit unsolicited MLD reports. Use the no form to restore the default value. Syntax ipv6 mld proxy unsolicited-report-interval seconds no ipv6 mld proxy unsolicited-report-interval seconds - The interval at which to issue unsolicited reports.
LLDP Commands Link Layer Discovery Protocol (LLDP) is used to discover basic information about neighboring devices on the local broadcast domain. LLDP is a Layer 2 protocol that uses periodic broadcasts to advertise information about the sending device. Advertised information is represented in Type Length Value (TLV) format according to the IEEE 802.1AB standard, and can include details such as device identification, capabilities and configuration settings.
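The TLV format just described is simple enough to decode by hand, which is a useful exercise for seeing exactly what a switch discloses to every neighbor on a link. The following Python script is an added example, not code from this guide or from the switch vendor: it builds a constructed LLDPDU carrying the identifiers shown in the show lldp info local-device output later in this chapter (chassis ID 00-E0-0C-02-00-FD, system description AOS5700-54X, management address 192.168.0.3), parses it back into TLVs using the IEEE 802.1AB header layout (7-bit type, 9-bit length), and lists which of this chapter's no lldp basic-tlv commands would stop the optional TLVs it finds from being advertised. The system name "example-switch", the port name "Eth 1/1", the TTL of 120 seconds and the ifIndex of 1 are assumed values chosen for the sample; the decoder rejects a truncated frame or one that lacks the mandatory End-of-LLDPDU TLV.

```python
import struct

# IEEE 802.1AB TLV type codes (clause 8.5).
TLV_END, TLV_CHASSIS_ID, TLV_PORT_ID, TLV_TTL = 0, 1, 2, 3
TLV_PORT_DESCRIPTION, TLV_SYSTEM_NAME, TLV_SYSTEM_DESCRIPTION = 4, 5, 6
TLV_SYSTEM_CAPABILITIES, TLV_MANAGEMENT_ADDRESS, TLV_ORG_SPECIFIC = 7, 8, 127

# System capability bitmap (802.1AB table 8-4), bit -> name.
CAPABILITY_BITS = {0x01: "Other", 0x02: "Repeater", 0x04: "Bridge", 0x08: "WLAN AP",
                   0x10: "Router", 0x20: "Telephone", 0x40: "DOCSIS", 0x80: "Station"}

# Optional basic TLVs and the interface command from this chapter that stops advertising them.
SUPPRESS_COMMAND = {
    TLV_PORT_DESCRIPTION: "no lldp basic-tlv port-description",
    TLV_SYSTEM_NAME: "no lldp basic-tlv system-name",
    TLV_SYSTEM_DESCRIPTION: "no lldp basic-tlv system-description",
    TLV_SYSTEM_CAPABILITIES: "no lldp basic-tlv system-capabilities",
}


def tlv(tlv_type: int, value: bytes) -> bytes:
    """Encode one TLV: 7-bit type and 9-bit length packed into a 16-bit big-endian header."""
    if not 0 <= tlv_type < 128 or len(value) > 511:
        raise ValueError("TLV type or length out of range")
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def split_tlvs(pdu: bytes):
    """Yield (type, value) for each TLV up to the mandatory End-of-LLDPDU TLV."""
    offset = 0
    while offset + 2 <= len(pdu):
        header = struct.unpack_from("!H", pdu, offset)[0]
        tlv_type, length = header >> 9, header & 0x1FF
        offset += 2
        value = pdu[offset:offset + length]
        if len(value) != length:
            raise ValueError(f"TLV type {tlv_type} truncated")
        offset += length
        if tlv_type == TLV_END:
            return
        yield tlv_type, value
    raise ValueError("missing End-of-LLDPDU TLV")


def decode_lldpdu(pdu: bytes) -> dict:
    """Decode the basic TLVs a neighbour would learn from this frame."""
    info = {"tlv_types": [], "org_specific": []}
    for tlv_type, value in split_tlvs(pdu):
        info["tlv_types"].append(tlv_type)
        if tlv_type in (TLV_CHASSIS_ID, TLV_PORT_ID):
            subtype, ident = value[0], value[1:]
            # Chassis subtype 4 and port subtype 3 carry a MAC address; others are printable strings.
            mac_subtype = 4 if tlv_type == TLV_CHASSIS_ID else 3
            if subtype == mac_subtype:
                text = "-".join(f"{b:02X}" for b in ident)
            else:
                text = ident.decode("utf-8", "replace")
            info["chassis_id" if tlv_type == TLV_CHASSIS_ID else "port_id"] = text
        elif tlv_type == TLV_TTL:
            info["ttl"] = struct.unpack("!H", value)[0]
        elif tlv_type in (TLV_PORT_DESCRIPTION, TLV_SYSTEM_NAME, TLV_SYSTEM_DESCRIPTION):
            key = {4: "port_description", 5: "system_name", 6: "system_description"}[tlv_type]
            info[key] = value.decode("utf-8", "replace")
        elif tlv_type == TLV_SYSTEM_CAPABILITIES:
            supported, enabled = struct.unpack("!HH", value)
            info["capabilities_supported"] = [n for b, n in CAPABILITY_BITS.items() if supported & b]
            info["capabilities_enabled"] = [n for b, n in CAPABILITY_BITS.items() if enabled & b]
        elif tlv_type == TLV_MANAGEMENT_ADDRESS:
            # The address string length covers the address subtype byte plus the address itself.
            addr_len, addr_subtype = value[0], value[1]
            addr = value[2:1 + addr_len]
            if addr_subtype == 1 and len(addr) == 4:  # IANA address family 1 = IPv4
                info["management_address"] = ".".join(str(b) for b in addr)
        elif tlv_type == TLV_ORG_SPECIFIC:
            info["org_specific"].append((value[:3].hex(), value[3]))  # (OUI, subtype)
    return info


def suppression_commands(info: dict) -> list:
    """List this chapter's 'no lldp basic-tlv ...' commands for the optional TLVs the frame carries."""
    return [cmd for t, cmd in SUPPRESS_COMMAND.items() if t in info["tlv_types"]]


def sample_lldpdu() -> bytes:
    """Constructed LLDPDU reusing the identifiers from the show lldp info local-device output."""
    return b"".join([
        tlv(TLV_CHASSIS_ID, b"\x04" + bytes.fromhex("00E00C0200FD")),      # subtype 4: MAC address
        tlv(TLV_PORT_ID, b"\x05" + b"Eth 1/1"),                            # subtype 5: interface name (assumed)
        tlv(TLV_TTL, struct.pack("!H", 120)),                              # assumed TTL
        tlv(TLV_SYSTEM_NAME, b"example-switch"),                           # assumed placeholder name
        tlv(TLV_SYSTEM_DESCRIPTION, b"AOS5700-54X"),
        tlv(TLV_SYSTEM_CAPABILITIES, struct.pack("!HH", 0x0014, 0x0014)),  # Bridge | Router
        tlv(TLV_MANAGEMENT_ADDRESS,
            b"\x05\x01" + bytes([192, 168, 0, 3]) + b"\x02" + struct.pack("!I", 1) + b"\x00"),
        tlv(TLV_END, b""),
    ])


if __name__ == "__main__":
    decoded = decode_lldpdu(sample_lldpdu())
    for key, val in decoded.items():
        print(f"{key:24} {val}")
    print("to stop advertising optional TLVs:", suppression_commands(decoded))
```

Chassis ID, port ID and TTL are mandatory in every LLDPDU, so only the optional basic TLVs map to a suppression command; the system name and description are what usually pin a device down to a vendor and firmware line, which is why the lldp basic-tlv commands in this chapter default to enabled and are worth reviewing per interface.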
(Continued) Table 131: LLDP Commands Command Function Mode lldp basic-tlv system-description Configures an LLDP-enabled port to advertise the system description lldp basic-tlv system-name Configures an LLDP-enabled port to advertise its system name lldp dcbx-tlv ets-config Configures an LLDP-enabled port to advertise ETS configuration settings lldp dcbx-tlv...
(Continued) Table 131: LLDP Commands Command Function Mode show lldp info remote-device Shows LLDP global and interface-specific configuration settings for remote devices show lldp info statistics Shows statistical counters for all LLDP-enabled interfaces Vendor-specific options may or may not be advertised by neighboring devices. lldp This command enables LLDP globally on the switch.
Command Usage ◆ The time-to-live tells the receiving LLDP agent how long to retain all information pertaining to the sending LLDP agent if it does not transmit updates in a timely manner. ◆ If the local interface attached to a remote device is shut down or otherwise disabled, information about the remote device is purged immediately.
lldp notification-interval This command configures the allowed interval for sending SNMP notifications about LLDP MIB changes. Use the no form to restore the default setting. Syntax lldp notification-interval seconds no lldp notification-interval seconds - Specifies the periodic interval at which SNMP notifications are sent.
Example Console(config)#lldp refresh-interval 60 Console(config)# lldp reinit-delay This command configures the delay before attempting to re-initialize after LLDP ports are disabled or the link goes down. Use the no form to restore the default setting. Syntax lldp reinit-delay seconds no lldp reinit-delay...
Command Usage ◆ The transmit delay is used to prevent a series of successive LLDP transmissions during a short period of rapid changes in local LLDP MIB objects, and to increase the probability that multiple, rather than single changes, are reported in each transmission.
Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage ◆ The management address protocol packet includes the IPv4 address of the switch. If no management address is available, the address should be the MAC address for the CPU or for the port sending this advertisement. ◆...
Example Console(config)#interface ethernet 1/1 Console(config-if)#lldp basic-tlv port-description Console(config-if)# lldp basic-tlv system-capabilities This command configures an LLDP-enabled port to advertise its system capabilities. Use the no form to disable this feature. Syntax [no] lldp basic-tlv system-capabilities Default Setting Enabled Command Mode...
Example Console(config)#interface ethernet 1/1 Console(config-if)#lldp basic-tlv system-description Console(config-if)# lldp basic-tlv system-name This command configures an LLDP-enabled port to advertise the system name. Use the no form to disable this feature. Syntax [no] lldp basic-tlv system-name Default Setting Enabled Command Mode...
◆ If you configure ETS on an interface (using the ets mode command), DCBX advertises each priority group on the interface, the priorities in each priority group, and the bandwidth properties of each priority group and priority. ◆...
lldp dcbx-tlv pfc-config This command configures an LLDP-enabled port to advertise PFC configuration settings. Use the no form to disable this feature. Syntax [no] lldp dcbx-tlv pfc-config Default Setting Enabled Command Mode Interface Configuration (Ethernet) Command Usage ◆...
lldp dot1-tlv proto-vid This command configures an LLDP-enabled port to advertise port-based protocol VLAN information. Use the no form to disable this feature. Syntax [no] lldp dot1-tlv proto-vid Default Setting Enabled Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage This option advertises the port-based protocol VLANs configured on this interface.
lldp dot1-tlv vlan-name This command configures an LLDP-enabled port to advertise its VLAN name. Use the no form to disable this feature. Syntax [no] lldp dot1-tlv vlan-name Default Setting Enabled Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage This option advertises the name of all VLANs to which this interface has been assigned.
lldp dot3-tlv mac-phy This command configures an LLDP-enabled port to advertise its MAC and physical layer capabilities. Use the no form to disable this feature. Syntax [no] lldp dot3-tlv mac-phy Default Setting Enabled Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage This option advertises MAC/PHY configuration/status which includes information...
lldp med-location civic-addr This command configures an LLDP-MED-enabled port to advertise its location identification details. Use the no form to restore the default settings. Syntax lldp med-location civic-addr [[country country-code] | [what device-type] | [ca-type ca-value]] no lldp med-location civic-addr [[country] | [what] | [ca-type]] country-code –...
(Continued) Table 132: LLDP MED Location CA Types CA Type Description CA Value Example City division, borough, city district West Irvine Neighborhood, block Riverside Group of streets below the neighborhood level Exchange Street suffix or type Avenue House number House number suffix...
Default Setting Disabled Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage ◆ This option sends out SNMP trap notifications to designated target stations at the interval specified by the lldp notification-interval command. Trap notifications include information about state changes in the LLDP MIB (IEEE 802.1AB), the LLDP-MED MIB (ANSI/TIA 1057), or organization-specific LLDP-EXT-DOT1 and LLDP-EXT-DOT3 MIBs.
Example Console(config)#interface ethernet 1/1 Console(config-if)#no lldp med-tlv inventory Console(config-if)# lldp med-tlv location This command configures an LLDP-MED-enabled port to advertise its location identification details. Use the no form to disable this feature. Syntax [no] lldp med-tlv location Default Setting Enabled Command Mode...
Example Console(config)#interface ethernet 1/1 Console(config-if)#lldp med-tlv med-cap Console(config-if)# lldp med-tlv network-policy This command configures an LLDP-MED-enabled port to advertise its network policy configuration. Use the no form to disable this feature. Syntax [no] lldp med-tlv network-policy Default Setting Enabled Command Mode...
notifications include information about state changes in the LLDP MIB (IEEE 802.1AB), or organization-specific LLDP-EXT-DOT1 and LLDP-EXT-DOT3 MIBs. ◆ SNMP trap destinations are defined using the snmp-server host command. ◆ Information about additional changes in LLDP neighbors that occur between SNMP notifications is not transmitted.
Example Console#show lldp info local-device LLDP Local Global Information Chassis Type : MAC Address Chassis ID : 00-E0-0C-02-00-FD System Name System Description : AOS5700-54X System Capabilities Support : Bridge, Router System Capabilities Enabled : Bridge, Router Management Address : 192.168.0.3 (IPv4) LLDP Local Port Information...
Example Note that an IP phone or other end-node device which advertises LLDP-MED capabilities must be connected to the switch for information to be displayed in the “Device Class” field. Console#show lldp info remote-device LLDP Remote Devices Information Interface Chassis ID Port ID System Name...
Location Identification Extended Power via MDI - PSE Inventory Location Identification : Location Data Format : Civic Address LCI Country Name : TW What Extended Power via MDI : Power Type : PSE Power Source : Unknown Power Priority : Unknown...
Eth 1/2 Eth 1/3 Eth 1/4 Eth 1/5 Console#show lldp info statistics detail ethernet 1/1 LLDP Port Statistics Detail Port Name : Eth 1/1 Frames Discarded Frames Invalid Frames Received : 327 Frames Sent : 328 TLVs Unrecognized : 0 TLVs Discarded Neighbor Ageouts...
CFM Commands Connectivity Fault Management (CFM) is an OAM protocol that includes proactive connectivity monitoring using continuity check messages, fault verification through loop back messages, and fault isolation by examining end-to-end connections between provider edge devices or between customer edge devices. CFM is implemented as a service level protocol based on service instances which encompass only that portion of the metropolitan area network supporting a specific customer.
(Continued) Table 133: CFM Commands Command Function Mode ma index name-format Specifies the name format for the maintenance association as IEEE 802.1ag character based, or ITU-T SG13/SG15 Y.1731 defined ICC-based format ethernet cfm mep Sets an interface as a domain boundary, defines it as a maintenance end point (MEP), and sets direction of the MEP in regard to sending and receiving CFM messages ethernet cfm port-enable...
(Continued) Table 133: CFM Commands Command Function Mode ethernet cfm mep crosscheck Enables cross-checking between the list of configured remote MEPs within a maintenance association and MEPs learned through continuity check messages show ethernet cfm maintenance-points Displays information about remote maintenance points configured statically in a cross-check list...
Defining CFM Structures Enter a static list of MEPs assigned to other devices within the same maintenance association using the mep crosscheck mpid command. This allows CFM to automatically verify the functionality of these remote end points by cross-checking the static list configured on this device against information learned through continuity check messages.
Example This example sets the maintenance level for sending AIS messages within the specified MA. Console(config)#ethernet cfm ais level 4 md voip ma rd Console(config)# ethernet cfm ais ma This command enables the MEPs within the specified MA to send frames with AIS information following detection of defect conditions.
ethernet cfm ais period This command configures the interval at which AIS information is sent. Use the no form to restore the default setting. Syntax ethernet cfm ais period period md domain-name ma ma-name no ethernet cfm ais period md domain-name ma ma-name period –...
with AIS information. More importantly, it cannot determine the associated subset of its peer MEPs for which it should suppress alarms since the received AIS information does not contain that information. Therefore, upon reception of a frame with AIS information, the MEP will suppress alarms for all peer MEPs whether there is still connectivity or not.
Default Setting No maintenance domains are configured. No MIPs are created for any MA in the specified domain. Command Mode Global Configuration Command Usage ◆ A domain can only be configured with one name. ◆...
which can only validate received CFM messages, and respond to loop back and link trace messages. The MIP creation method defined by the ma index name command takes precedence over the method defined by this command. Example This example creates a maintenance domain set to maintenance level 3, and enters CFM configuration mode for this domain.
ma index name This command creates a maintenance association (MA) within the current maintenance domain, maps it to a customer service instance (S-VLAN), and sets the manner in which MIPs are created for this service instance. Use the no form with the vlan keyword to remove the S-VLAN from the specified MA.
◆ Before removing an MA, first remove all the MEPs configured for it (see the crosscheck mpid command). ◆ If the MIP creation method is not defined by this command, the creation method defined by the ethernet cfm domain command is applied to this MA.
ethernet cfm mep This command sets an interface as a domain boundary, defines it as a maintenance end point (MEP), and sets direction of the MEP in regard to sending and receiving CFM messages.
ethernet cfm port-enable This command enables CFM processing on an interface. Use the no form to disable CFM processing on an interface. Syntax [no] ethernet cfm port-enable Default Setting Enabled Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage ◆...
Command Usage This command can be used to clear AIS defect entries if a MEP does not exit the AIS state when all errors are resolved. Example This example clears AIS defect entries on port 1. Console#clear ethernet cfm ais mpid 1 md voip ma rd Console(config)# show ethernet cfm...
This example shows the configuration status for continuity check and cross-check traps.
Console#show ethernet cfm configuration traps
CC MEP Up Trap :Disabled
CC MEP Down Trap :Disabled
CC Configure Trap :Disabled
CC Loop Trap :Disabled
Cross Check MEP Unknown Trap :Disabled
Cross Check MEP Missing Trap :Disabled...
show ethernet cfm maintenance-points local detail mep
This command displays detailed CFM information about a local MEP in the continuity check database.
Syntax
show ethernet cfm maintenance-points local detail mep [domain domain-name | interface interface | level level-id]
domain-name –...
Table 135: show ethernet cfm maintenance-points local detail mep - display
Field Description
MPID MEP identifier
MD Name The maintenance domain for this entry.
MA Name Maintenance association to which this remote MEP belongs
MA Name Format The format of the Maintenance Association name, including primary VID, character string, unsigned Integer 16, or RFC 2865 VPN ID...
Default Setting
None
Command Mode
Privileged Exec
Command Usage
Use the mpid keyword with this command to display information about a specific maintenance point, or use the mac keyword to display information about all maintenance points that have the specified MAC address.
Chapter 24 | CFM Commands Continuity Check Operations
Table 136: show ethernet cfm maintenance-points remote detail - display
Field Description
Port State Port states include:
Up – The port is functioning normally.
Blocked – The port has been blocked by the Spanning Tree Protocol.
No port state –...
CCMs are issued should therefore be configured to detect connectivity problems in a timely manner, as dictated by the nature and size of the MA.
◆ The maintenance of a MIP CCM database by a MIP presents some difficulty for bridges carrying a large number of Service Instances, and whose MEPs are issuing CCMs at a high frequency.
◆ If a maintenance point receives a CCM with an invalid MEPID or MA level, or an MA level lower than its own, a failure is registered which indicates a configuration error or cross-connect error (i.e., overlapping MAs).
Example
This example enables continuity check messages for the specified maintenance association.
Example
This example enables SNMP traps for mep-up events.
Console(config)#snmp-server enable traps ethernet cfm cc mep-up
Console(config)#
Related Commands
ethernet cfm mep crosscheck (709)
mep archive-hold-time
This command sets the time that data from a missing MEP is retained in the continuity check message (CCM) database before being purged.
Default Setting
None
Command Mode
Privileged Exec
Command Usage
Use this command without any keywords to clear all entries in the CCM database. Use the domain keyword to clear the CCM database for a specific domain, or the level keyword to clear it for a specific maintenance level.
Chapter 24 | CFM Commands Cross Check Operations
ethernet cfm mep crosscheck start-delay
This command sets the maximum delay that a device waits for remote MEPs to come up before starting the cross-check operation. Use the no form to restore the default setting.
Default Setting
All continuity checks are enabled.
Command Mode
Global Configuration
Command Usage
◆ For this trap type to function, cross-checking must be enabled on the required maintenance associations using the ethernet cfm mep crosscheck command.
Command Usage
◆ Use this command to statically configure remote MEPs that exist inside the maintenance association. These remote MEPs are used in the cross-check operation to verify that all endpoints in the specified MA are operational.
◆...
Chapter 24 | CFM Commands Link Trace Operations
◆ The cross-check process is disabled by default, and must be manually started using this command with the enable keyword.
Example
This example enables cross-checking within the specified maintenance association.
Console#ethernet cfm mep crosscheck enable md voip ma rd
Console#
show ethernet cfm
This command displays information about remote MEPs statically configured in a...
Command Mode
Global Configuration
Command Usage
◆ A link trace message is a multicast CFM frame initiated by a MEP, and forwarded from MIP to MIP, with each MIP generating a link trace reply, up to the point at which the link trace message reaches its destination or can no longer be forwarded.
Example
This example sets the aging time for entries in the link trace cache to 60 minutes.
Console(config)#ethernet cfm linktrace cache hold-time 60
Console(config)#
ethernet cfm linktrace cache size
This command sets the maximum size for the link trace cache. Use the no form to restore the default setting.
source-mpid – The identifier of a source MEP that will send the link trace message. (Range: 1-8191)
mac-address – MAC address of a remote MEP that is the target of the link trace message.
clear ethernet cfm linktrace-cache
This command clears link trace messages logged on this device.
Command Mode
Privileged Exec
Example
Console#clear ethernet cfm linktrace-cache
Console#
show ethernet cfm linktrace-cache
This command displays the contents of the link trace cache.
Command Mode
Privileged Exec...
Chapter 24 | CFM Commands Loopback Operations
Table 138: show ethernet cfm linktrace-cache - display description (Continued)
Field Description
Egr. Action Action taken on the egress port:
EgrOk – The targeted data frame was forwarded.
EgrDown – The Egress Port can be identified, but that bridge port’s MAC_Operational parameter is false.
Chapter 24 | CFM Commands Fault Generator Operations
Command Usage
◆ Use this command to test the connectivity between maintenance points. If the continuity check database does not have an entry for the specified maintenance point, an error message will be displayed.
◆...
more defects indicated, and fault alarms are enabled at or above the priority level set by the mep fault-notify lowest-priority command.
Example
This example sets the delay time before generating a fault alarm.
Console(config)#ethernet cfm domain index 1 name voip level 3
Console(config-ether-cfm)#mep fault-notify alarm-time 10
Console(config-ether-cfm)#...
Default Setting
10 seconds
Command Mode
CFM Domain Configuration
Example
This example sets the reset time after which another fault alarm can be generated.
Console(config)#ethernet cfm domain index 1 name voip level 3
Console(config-ether-cfm)#mep fault-notify reset-time 7
Console(config-ether-cfm)#
show ethernet cfm...
Chapter 24 | CFM Commands Delay Measure Operations
Table 141: show fault-notify-generator - display description (Continued)
Field Description
Alarm Time The time a defect must exist before a fault alarm is issued (see the mep fault-notify alarm-time command).
Reset Time The time after a fault alarm has been issued, and no defect exists, before another fault alarm can be issued (see the mep fault-notify reset-time command).
Command Usage
◆ Delay measurement can be used to measure frame delay and frame delay variation between MEPs.
◆ A local MEP must be configured for the same MA before you can use this command.
Domain Name Service Commands
These commands are used to configure Domain Name System (DNS) services. Entries can be manually configured in the DNS domain name to IP address mapping table, default domain names configured, or one or more name servers specified to use for domain name to address translation.
Chapter 25 | Domain Name Service Commands
ip domain-list
This command defines a list of domain names that can be appended to incomplete host names (i.e., host names passed from a client that are not formatted with dotted notation). Use the no form to remove a name from this list.
Syntax
[no] ip domain-list name
name - Name of the host.
ip domain-lookup
This command enables DNS host name-to-address translation. Use the no form to disable DNS.
Syntax
[no] ip domain-lookup
Default Setting
Disabled
Command Mode
Global Configuration
Command Usage
If one or more name servers are configured, but DNS is not yet enabled and the switch receives a DHCP packet containing a DNS field with a list of DNS servers, then the switch will automatically enable DNS host name-to-address translation.
Default Setting
None
Command Mode
Global Configuration
Example
Console(config)#ip domain-name sample.com
Console(config)#end
Console#show dns
Domain Lookup Status: DNS Disabled
Default Domain Name: sample.com
Domain Name List:
Name Server List:
Console#
Related Commands
ip domain-list (724)
ip name-server (727)
ip domain-lookup (725)
ip host...
Flag Type IP Address Domain
---- ---- ------- -------------------- ----- ------------------------------
2 Address 192.168.1.55
Console#
ip name-server
This command specifies the address of one or more domain name servers to use for name-to-address resolution. Use the no form to remove a name server from this list.
ipv6 host
This command creates a static entry in the DNS table that maps a host name to an IPv6 address. Use the no form to remove an entry.
Syntax
[no] ipv6 host name ipv6-address
name - Name of an IPv6 host.
clear host
This command deletes dynamic entries from the DNS table.
Syntax
clear host {name | *}
name - Name of the host. (Range: 1-100 characters)
* - Removes all entries.
Default Setting
None
Command Mode
Privileged Exec...
show dns cache
This command displays entries in the DNS cache.
Command Mode
Privileged Exec
Example
Console#show dns cache
Flag Type IP Address Host
------- ------- ------- --------------- ------- --------
4 Host 209.131.36.158 115 www-real.wa1.b.yahoo.com
4 CNAME POINTER TO:3...
Table 144: show hosts - display description
Field Description
The entry number for each resource record.
Flag The field displays “2” for a static entry, or “4” for a dynamic entry stored in the cache.
DHCP Commands These commands are used to configure Dynamic Host Configuration Protocol (DHCP) client, relay, and server functions. Any VLAN interface can be configured to automatically obtain an IPv4 address through DHCP. This switch can be configured to relay DHCP client configuration requests to a DHCP server on another network. Table 145: DHCP Commands Command Group Function...
Chapter 26 | DHCP Commands DHCP Client
Default Setting
Class identifier option enabled, with the name AOS5700-54X
Command Mode
Interface Configuration (VLAN)
Command Usage
◆ Use this command without any keyword to restore the default setting.
◆ This command is used to identify the vendor class and configuration of the switch to the DHCP server, which then uses this information to decide how to service the client or the type of information to return.
◆ Note that the vendor class identifier can be formatted in either text or hexadecimal using the ip dhcp client class-id command, but the format used by both the client and server must be the same.
Example
Console(config)#interface vlan 2
Console(config-if)#ip dhcp client class-id hex 0000e8666572...
Related Commands
ip address (742)
ipv6 dhcp client rapid-commit vlan
This command specifies the Rapid Commit option for DHCPv6 message exchange for all DHCPv6 client requests submitted from the specified interface. Use the no form to disable this option.
Chapter 26 | DHCP Commands DHCP Relay
This section describes commands used to configure DHCP relay functions for host devices attached to the switch.
Table 149: DHCP Relay Commands
Command Function Mode
DHCP for IPv4
ip dhcp relay server Specifies DHCP server addresses for relay
ip dhcp restart relay Enables DHCP relay agent...
Related Commands
ip dhcp restart relay (738)
ip dhcp restart relay
This command enables DHCP relay for the specified VLAN. Use the no form to disable it.
Syntax
ip dhcp restart relay
Default Setting
Disabled
Command Mode
Privileged Exec...
DHCP for IPv6
ipv6 dhcp relay destination
This command specifies a DHCPv6 server or the VLAN to which client requests are forwarded, and also enables DHCPv6 relay service on this interface. Use the no form to disable this service.
Example
In the following example, DHCPv6 client requests received on VLAN 1 are relayed to the multicast destination on VLAN 2.
Console(config)#interface vlan 1
Console(config-if)#ipv6 dhcp relay destination multicast vlan 2
Console(config-if)#
Console#
show ipv6 dhcp relay
This command displays a DHCPv6 server or the VLAN to which client requests are forwarded.
IP Interface Commands
An IP Version 4 or Version 6 address may be used for management access to the switch over the network. IPv4 and IPv6 addresses can be used simultaneously to access the switch. You can manually configure a specific IPv4 or IPv6 address or direct the switch to obtain an IPv4 address from a DHCP server when it is powered on.
Chapter 27 | IP Interface Commands IPv4 Interface
Basic IPv4 Configuration
This section describes commands used to configure IP addresses for VLAN interfaces on the switch.
Table 152: Basic IP Configuration Commands
Command Function Mode
ip address Sets the IP address for the current interface
ip default-gateway Defines the default gateway through which this switch can reach other subnetworks...
segment that is connected to that interface, and allows you to send IP packets to or from the router.
◆ Before any network interfaces are configured on the router, first create a VLAN for each unique user group, or for each network application and its associated users.
Example
In the following example, the device is assigned an address in VLAN 1.
Console(config)#interface vlan 1
Console(config-if)#ip address 192.168.1.5 255.255.255.0
Console(config-if)#
This example assigns an IP address to VLAN 2 using a classless network mask.
Console(config)#interface vlan 2
Console(config-if)#ip address 10.2.2.1/24
Console(config-if)#...
This example shows that the no ip default-gateway command can be used to remove the active default gateway. Note that the active default gateway in the previous example was 192.168.1.224.
Console#configure
Console(config)#no ip default-gateway
Console(config)#end
Console#show ip route database
Codes: C - connected, S - static, R - RIP, B - BGP...
ip default-gateway
This command specifies the default gateway for destinations not found in the local routing tables. Use the no form to remove a default gateway.
Syntax
ip default-gateway gateway
no ip default-gateway
gateway - IP address of the default gateway
Default Setting
No default gateway is established.
Related Commands
ip address (742)
ip route (803)
ipv6 default-gateway (755)
show ip interface
This command displays the settings of an IPv4 interface.
Syntax
show ip interface [vlan vlan-id]
vlan-id - VLAN ID (Range: 1-4094)
Default Setting
VLAN 1
Command Mode...
reassembly request datagrams
reassembly succeeded
reassembly failed
IP sent
forwards datagrams 5927
requests
discards
no routes
generated fragments
fragment succeeded
fragment failed
ICMP Statistics:
ICMP received
input errors
destination unreachable messages
time exceeded messages
parameter problem message
echo request messages
echo reply messages...
Default Setting
None
Command Mode
Privileged Exec
Command Usage
◆ Use the traceroute command to determine the path taken to reach a specified destination.
◆ A trace terminates when the destination responds, when the maximum timeout (TTL) is exceeded, or the maximum number of hops is exceeded.
ping
This command sends (IPv4) ICMP echo request packets to another node on the network.
Syntax
ping host [count count] [size size]
host - IP address or alias of the host.
count - Number of packets to send. (Range: 1-16)
size - Number of bytes in a packet.
◆ You may need to put a static entry in the cache if there is no response to an ARP broadcast message. For example, some applications may not respond to ARP requests or the response arrives too late, causing network operations to time out.
clear arp-cache
This command deletes all dynamic entries from the Address Resolution Protocol (ARP) cache.
Command Mode
Privileged Exec
Example
This example clears all dynamic entries in the ARP cache.
Console#clear arp-cache
This operation will delete all the dynamic entries in ARP Cache.
Chapter 27 | IP Interface Commands IPv6 Interface
This switch supports the following IPv6 interface commands.
Table 154: IPv6 Configuration Commands
Command Function Mode
Interface Address Configuration and Utilities
ipv6 default-gateway Sets an IPv6 default gateway for traffic with no known next
ipv6 address Configures an IPv6 global unicast address, and enables IPv6 on an interface...
Table 154: IPv6 Configuration Commands (Continued)
Command Function Mode
show ipv6 nd raguard Displays the configuration setting for RA Guard
show ipv6 neighbors Displays information in the IPv6 neighbor discovery cache PE
Interface Address Configuration and Utilities
ipv6 default-gateway
This command sets an IPv6 default gateway to use for destinations with no known...
Related Commands
ip route (803)
show ip route (805)
ip default-gateway (746)
ipv6 address
This command configures an IPv6 global unicast address and enables IPv6 on an interface. Use the no form without any arguments to remove all IPv6 addresses from the interface, or use the no form with a specific IPv6 address to remove that address from the interface.
Console(config-if)#end
Console#show ipv6 interface
VLAN 1 is up
IPv6 is enabled.
Link-local address: fe80::2e0:cff:fe02:fd%1/64
Global unicast address(es):
2001:db8:2222:7272::72/96, subnet is 2001:db8:2222:7272::/96
Joined group address(es):
ff02::2
ff02::1:ff00:0
ff02::1:ff00:72
ff02::1:ff02:fd
ff02::1:2
ff02::1
IPv6 link MTU is 1500 bytes
ND DAD is enabled, number of DAD attempts: 1.
Command Usage
◆ The prefix must be formatted according to RFC 2373 “IPv6 Addressing Architecture,” using 8 colon-separated 16-bit hexadecimal values. One double colon may be used in the address to indicate the appropriate number of zeros required to fill the undefined fields.
ff02::1:ff00:0
ff02::1:ff00:72
ff02::1:ff02:fd
ff02::1:2
ff02::1
IPv6 link MTU is 1500 bytes
ND DAD is enabled, number of DAD attempts: 1.
ND retransmit interval is 1000 milliseconds
ND advertised retransmit interval is 0 milliseconds
ND reachable time is 30000 milliseconds
ND advertised reachable time is 0 milliseconds
ND advertised router lifetime is 1800 seconds...
Example
This example assigns a link-local address of FE80::269:3EF9:FE19:6779 to VLAN 1. Note that a prefix in the range of FE80~FEBF is required for link-local addresses, and the first 16-bit group in the host address is padded with a zero in the form 0269.
Console(config)#interface vlan 1
Console(config-if)#ipv6 address FE80::269:3EF9:FE19:6779 link-local
Console(config-if)#end...
host portion of the address is generated by converting the switch’s MAC address to modified EUI-64 format (see page 757). This address type makes the switch accessible over IPv6 for all devices attached to the same local subnet.
◆...
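As an added example (not code from the manual or the switch), the following Python derives the automatically generated link-local address, an [EUI]-tagged global address, and the solicited-node groups listed under "Joined group address(es)" in the show ipv6 interface output above, using the modified EUI-64 conversion and the RFC 2373 double-colon rules described in this section. The switch MAC 00-E0-0C-02-00-FD is an assumption inferred from the displayed link-local address fe80::2e0:cff:fe02:fd; the page does not state it.

```python
"""Modified EUI-64 derivation and solicited-node groups for IPv6 interfaces.

Added example, not the manual's code. ASSUMED_SWITCH_MAC is inferred from
the link-local address shown in the manual's 'show ipv6 interface' output
(fe80::2e0:cff:fe02:fd); it is an assumption, not a value stated on the page.
"""
import ipaddress

ASSUMED_SWITCH_MAC = "00-E0-0C-02-00-FD"   # assumption, see module docstring


def modified_eui64(mac: str) -> bytes:
    """Build the 64-bit modified EUI-64 interface identifier from a 48-bit MAC.

    The MAC is split in two, 0xFFFE is inserted between the halves, and the
    universal/local bit (bit 1 of the first octet) is inverted (RFC 4291).
    """
    octets = bytes.fromhex(mac.replace("-", "").replace(":", ""))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    first = octets[0] ^ 0x02            # flip the U/L bit: 00 -> 02
    return bytes([first]) + octets[1:3] + b"\xff\xfe" + octets[3:6]


def link_local_from_mac(mac: str) -> ipaddress.IPv6Address:
    """fe80::/64 prefix plus the modified EUI-64 identifier: the link-local
    address the switch generates on its own when IPv6 is enabled."""
    return ipaddress.IPv6Address(b"\xfe\x80" + b"\x00" * 6 + modified_eui64(mac))


def eui64_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Global unicast address for a /64 prefix whose host portion is the
    modified EUI-64 identifier (the [EUI] form in 'show ipv6 interface')."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("an EUI-64 host portion requires a /64 prefix")
    return ipaddress.IPv6Address(net.network_address.packed[:8] + modified_eui64(mac))


def solicited_node(addr: str) -> ipaddress.IPv6Address:
    """Solicited-node multicast group ff02::1:ffXX:XXXX for a unicast address:
    the low 24 bits of the address appended to ff02::1:ff00:0/104. These are
    the ff02::1:ff... entries under 'Joined group address(es)'."""
    packed = ipaddress.IPv6Address(addr).packed
    return ipaddress.IPv6Address(b"\xff\x02" + b"\x00" * 9 + b"\x01\xff" + packed[13:])


def expected_joined_groups(unicast: list[str], router: bool = True) -> list[str]:
    """Groups an interface is expected to have joined: all-nodes (ff02::1),
    all-routers (ff02::2) when the device forwards, and one solicited-node
    group per unicast address (addresses sharing their low 24 bits collapse
    into one group). Used to check a 'show ipv6 interface' listing."""
    groups = {"ff02::1"}
    if router:
        groups.add("ff02::2")
    groups.update(str(solicited_node(a)) for a in unicast)
    return sorted(groups)


def canonical(addr: str) -> str:
    """Compressed lower-case text form; ipaddress applies the RFC 2373 rule of
    one '::' for the longest zero run and drops leading zeros, so
    'FE80::269:3EF9:FE19:6779' and 'fe80:0:0:0:0269:3ef9:fe19:6779' agree."""
    return str(ipaddress.IPv6Address(addr))


if __name__ == "__main__":
    ll = link_local_from_mac(ASSUMED_SWITCH_MAC)
    print("link-local :", ll)                                 # fe80::2e0:cff:fe02:fd
    print("eui-64     :", eui64_address("2001:db8:0:1::/64", ASSUMED_SWITCH_MAC))
    for group in expected_joined_groups([str(ll), "2001:db8:2222:7272::72"]):
        print("group      :", group)
```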
ipv6 mtu
This command sets the size of the maximum transmission unit (MTU) for IPv6 packets sent on an interface. Use the no form to restore the default setting.
Syntax
ipv6 mtu size
no ipv6 mtu
size - Specifies the MTU size.
show ipv6 interface
This command displays the usability and configured settings for IPv6 interfaces.
Syntax
show ipv6 interface [brief [vlan vlan-id [ipv6-prefix/prefix-length]]]
brief - Displays a brief summary of IPv6 operational status and the addresses configured for each interface.
Table 155: show ipv6 interface - display description
Field Description
VLAN A VLAN is marked “up” if the switch can send and receive packets on this interface, “down” if a line signal is not present, or “administratively down” if the interface has been disabled by the administrator.
Craft Down Unassigned
Console#
Related Commands
show ip interface (747)
show ipv6 mtu
This command displays the maximum transmission unit (MTU) cache for destinations that have returned an ICMP packet-too-big message along with an acceptable MTU to this switch.
too big errors
no routes
address errors
unknown protocols
truncated packets
discards
delivers
reassembly request datagrams
reassembly succeeded
reassembly failed
IPv6 sent
forwards datagrams 15
requests
discards
no routes
generated fragments
fragment succeeded
fragment failed
ICMPv6 Statistics:
ICMPv6 received...
Table 157: show ipv6 traffic - display description
Field Description
IPv6 Statistics
IPv6 received
total received The total number of input datagrams received by the interface, including those received in error.
header errors The number of input datagrams discarded due to errors in their IPv6 headers, including version number mismatch, other format errors, hop count exceeded, IPv6 options, etc.
Table 157: show ipv6 traffic - display description (Continued)
Field Description
IPv6 sent
forwards datagrams The number of output datagrams which this entity received and forwarded to their final destinations. In entities which do not act as IPv6 routers, this counter will include only those packets which were Source-Routed via this entity, and the Source-Route processing was successful.
Table 157: show ipv6 traffic - display description (Continued)
Field Description
neighbor solicit messages The number of ICMP Neighbor Solicit messages received by the interface.
neighbor advertisement messages The number of ICMP Neighbor Advertisement messages received by the interface.
Table 157: show ipv6 traffic - display description (Continued)
Field Description
no port errors The total number of received UDP datagrams for which there was no application at the destination port.
other errors The number of received UDP datagrams that could not be delivered for reasons other than the lack of an application at the destination port.
Command Mode
Privileged Exec
Command Usage
◆ Use the ping6 command to see if another site on the network can be reached, or to evaluate delays over the path.
◆ The same link-local address may be used by different interfaces/nodes in different zones (RFC 4007).
max-failures - The maximum number of failures before which the trace route is terminated. (Range: 1-255)
Default Setting
Maximum failures: 5
Command Mode
Privileged Exec
Command Usage
◆ Use the traceroute6 command to determine the path taken to reach a specified destination.
Neighbor Discovery
ipv6 hop-limit
This command configures the maximum number of hops used in router advertisements originated by this router. Use the no form to restore the default setting.
Syntax
ipv6 hop-limit hops
no ipv6 hop-limit
hops - The maximum number of hops in router advertisements and all IPv6 packets.
◆ Duplicate address detection determines if a new unicast IPv6 address already exists on the network before it is assigned to an interface.
◆ Duplicate address detection is stopped on any interface that has been suspended (see the vlan command).
ND advertised router lifetime is 1800 seconds
Console#
Related Commands
ipv6 nd ns-interval (775)
show ipv6 neighbors (780)
ipv6 nd ns-interval
This command configures the interval between transmitting IPv6 neighbor solicitation messages on an interface. Use the no form to restore the default value.
Syntax
ipv6 nd ns-interval milliseconds
no ipv6 nd ns-interval...
Global unicast address(es):
2001:db8:0:1:2e0:cff:fe02:fd/64, subnet is 2001:db8:0:1::/64[EUI]
2001:db8:2222:7272::72/96, subnet is 2001:db8:2222:7272::/96
Joined group address(es):
ff02::2
ff02::1:ff19:6779
ff02::1:ff00:0
ff02::1:ff00:72
ff02::1:ff02:fd
ff02::1:2
ff02::1
IPv6 link MTU is 1500 bytes
ND DAD is enabled, number of DAD attempts: 5.
ND retransmit interval is 30000 milliseconds
ND advertised retransmit interval is 30000 milliseconds
ND reachable time is 30000 milliseconds...
Example
Console(config)#interface ethernet 1/1
Console(config-if)#ipv6 nd raguard
Console(config-if)#
ipv6 nd reachable-time
This command configures the amount of time that a remote IPv6 node is considered reachable after some reachability confirmation event has occurred. Use the no form to restore the default setting.
ipv6 neighbor
This command configures a static entry in the IPv6 neighbor discovery cache. Use the no form to remove a static entry from the cache.
Syntax
ipv6 neighbor ipv6-address vlan vlan-id hardware-address
no ipv6 neighbor ipv6-address vlan vlan-id
ipv6-address - The IPv6 address of a neighbor device that can be reached through one of the network interfaces configured on this switch.
Example
The following maps a static entry for a global unicast address to a MAC address:
Console(config)#ipv6 neighbor 2009:DB9:2229::81 vlan 1 30-65-14-01-11-86
Console(config)#end
Console#show ipv6 neighbors
State: I1 - Incomplete, I2 - Invalid, R - Reachable, S - Stale, D - Delay, P1 - Probe, P2 - Permanent, U - Unknown
IPv6 Address Link-layer Addr...
Example
Console#show ipv6 nd raguard interface ethernet 1/1
Interface RA Guard
--------- --------
Eth 1/ 1
Console#
show ipv6 neighbors
This command displays information in the IPv6 neighbor discovery cache.
Syntax
show ipv6 neighbors [vlan vlan-id | ipv6-address]
vlan-id - VLAN ID (Range: 1-4094)
ipv6-address - The IPv6 address of a neighbor device.
Chapter 27 | IP Interface Commands ND Snooping
Table 158: show ipv6 neighbors - display description (Continued)
Field Description
State The following states are used for dynamic entries:
I1 (Incomplete) - Address resolution is being carried out on the entry. A neighbor solicitation message has been sent to the multicast address of the target, but it has not yet returned a neighbor advertisement message.
packet to the target host. If it receives an NA packet in response, it knows that the target still exists and updates the lifetime of the binding; otherwise, it deletes the binding.
This section describes commands used to configure ND Snooping.
Command Mode
Global Configuration
Command Usage
◆ Use this command without any keywords to enable ND snooping globally on the switch. Use the vlan keyword to enable ND snooping on a specific VLAN or a range of VLANs.
Console(config)#ipv6 nd snooping
Console(config)#ipv6 nd snooping vlan 1
Console(config)#
ipv6 nd snooping auto-detect
This command enables automatic validation of dynamic user binding table entries by periodically sending NS messages and awaiting NA replies. Use the no form to disable this feature.
Command Usage
The timeout after which the switch will delete a dynamic user binding if no RA message is received is set to the retransmit count x the retransmit interval (see the ipv6 nd snooping auto-detect retransmit interval command).
timeout – The time to wait for an RA message to confirm that a prefix entry is still valid. (Range: 3-1800 seconds)
Default Setting
Set to the valid lifetime field in the received RA packet
Command Mode
Global Configuration
Command Usage...
ipv6 nd snooping trust
This command configures a port as a trusted interface from which prefix information in RA messages can be added to the prefix table, or NS messages can be forwarded without validation. Use the no form to restore the default setting.
Syntax
[no] ipv6 nd snooping trust
Default Setting...
VRRP Commands
Virtual Router Redundancy Protocol (VRRP) uses a virtual IP address to support a primary router and multiple backup routers. The backup routers can be configured to take over the workload if the master router fails, or can also be configured to share the traffic load.
Chapter 28 | VRRP Commands
Default Setting
Disabled
Command Usage
When a host cannot communicate, the first debug method is to ping the host's default gateway to determine whether the problem is in the first hop of the path to the destination.
◆ When a VRRP packet is received from another router in the group, its authentication key is compared to the string configured on this router. If the keys match, the message is accepted. Otherwise, the packet is discarded.
◆...
Example
This example creates VRRP group 1 using the primary interface for VLAN 1 as the VRRP group Owner.
Console(config)#interface vlan 1
Console(config-if)#vrrp 1 ip 192.168.1.6
Console(config-if)#
vrrp preempt
This command configures the router to take over as the master virtual router for a VRRP group if it has a higher priority than the current acting master router.
vrrp priority
This command sets the priority of this router in a VRRP group. Use the no form to restore the default setting.
Syntax
vrrp group priority level
no vrrp group priority
group - Identifies the VRRP group. (Range: 1-255) The maximum number of groups which can be defined is 64.
vrrp timers advertise
This command sets the interval at which the master virtual router sends advertisements communicating its state as the master. Use the no form to restore the default interval.
Syntax
vrrp group timers advertise interval
no vrrp group timers advertise
group - Identifies the VRRP group.
Command Mode Privileged Exec
Command Usage ◆ Use this command without any keywords to display the full listing of status information for all VRRP groups configured on this router. ◆ Use this command with the brief keyword to display a summary of status information for all VRRP groups configured on this router.
Table 161: show vrrp - display description (Continued)
Field – Description
Master Advertisement Interval – The advertisement interval configured on the VRRP master.
Master Down Interval – The down interval configured on the VRRP master (this interval is used by all the routers in the group regardless of their local settings).
This example displays the brief listing of status information for all groups.
Example This example displays the full listing of status information for VLAN 1.
Console#show vrrp interface vlan 1
Vlan 1 - Group 1, State Master
Virtual IP Address 192.168.1.6
Virtual MAC Address 00-00-5E-00-01-01
Advertisement Interval 5 sec
Preemption Enabled...
show vrrp router counters This command displays counters for errors found in VRRP protocol packets.
Command Mode Privileged Exec
Example Note that unknown errors indicate VRRP packets received with an unknown or unsupported version number.
Console#show vrrp router counters
Total Number of VRRP Packets with Invalid Checksum : 0
Total Number of VRRP Packets with Unknown Error...
IP Routing Commands After network interfaces are configured for the switch, the paths used to send traffic between different interfaces must be set. If routing is enabled on the switch, traffic will automatically be forwarded between all of the local subnetworks. However, to forward traffic to devices on other subnetworks, either configure fixed paths with static routing commands, or enable a dynamic routing protocol that exchanges information with other routers on the network to automatically...
Chapter 29 | IP Routing Commands Global Routing Configuration
Table 164: Global Routing Configuration Commands (Continued)
Command – Function – Mode
show ip traffic – Displays statistics for IP, ICMP, UDP, TCP and ARP protocols – PE
IPv6 Commands
ipv6 route – Configures static routes
show ipv6 route – Displays specified entries in the routing table
ECMP Commands...
Table 164: Global Routing Configuration Commands (Continued)
show ecmp load-balance – Shows the load-balance method used when there are multiple equal-cost paths to the same destination
show hash-selection list – Shows the packet type and hash list attributes
MAC HS –...
◆ If both static and dynamic paths have the same lowest cost, the first route stored in the routing table, either statically configured or dynamically learned via a routing protocol, will be used. ◆...
show ip route This command displays information in the Forwarding Information Base (FIB).
Syntax show ip route [bgp | connected | database | ospf | rip | static | summary]
bgp – Displays external routes imported from the Border Gateway Protocol (BGP) into this routing domain.
Example In the following example, note that the entry for RIP displays both the distance and metric for this route.
Console#show ip route
Codes: C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2...
show ip route summary This command displays summary information for the routing table.
Command Mode Privileged Exec
Example In the following example, the numeric identifier following the routing table name (0) indicates the Forwarding Information Base (FIB) identifier.
Console#show ip route summary
IP routing table name is Default-IP-Routing-Table(0)
IP routing table maximum-paths is 8...
◆ If dstip-l4-port is selected, traffic matching the same destination IP address and L4 protocol port will be carried across the same ECMP path. ◆ If hash-selection-list is selected, use the hash-selection list command to enter hash-selection list configuration mode, and then configure the required hash...
maximum-paths This command sets the maximum number of paths allowed. Use the no form to restore the default settings.
Syntax maximum-paths path-count
no maximum-paths
path-count - The maximum number of equal-cost paths to the same destination that can be installed in the routing table.
Example
Console(config)#hash-selection list 1 mac
Console(config-mac-hash-sel)#ethertype
Console#
src-mac (MAC Hash) This command adds the source MAC address hash attribute to the hash selection list. Use the no form to remove the specified attribute.
Syntax [no] src-mac
Command Mode...
Example
Console(config)#hash-selection list 2 ipv4
Console(config-ipv4-hash-sel)#dst-ip
Console#
dst-l4-port (IPv4 Hash) This command adds the destination Layer 4 protocol port hash attribute to the hash selection list. Use the no form to remove the specified attribute.
Syntax [no] dst-l4-port
Command Mode...
Example
Console(config)#hash-selection list 2 ipv4
Console(config-ipv4-hash-sel)#src-ip
Console#
src-l4-port (IPv4 Hash) This command adds the source Layer 4 protocol port hash attribute to the hash selection list. Use the no form to remove the specified attribute.
Syntax [no] src-l4-port
Command Mode...
Command Usage An example of an IPv6 address in full form and collapsed form is shown below.
Full IPv6 Address: FE80:0000:0000:0000:0202:B3FF:FE1E:8329
Collapsed IPv6 Address: FE80::0202:B3FF:FE1E:8329
Example
Console(config)#hash-selection list 3 ipv6
Console(config-ipv6-hash-sel)#collapsed-dst-ip
Console#
collapsed-src-ip This command adds the collapsed source IPv6 address hash attribute to the hash...
next-header (IPv6 Hash) This command adds the next header hash attribute to the hash selection list. Use the no form to remove the specified attribute.
Syntax [no] next-header
Command Mode IPv6 hash selection mode
Command Usage The next header identifies the type of header immediately following the IPv6 header.
Example
Console(config)#hash-selection list 3 ipv6
Console(config-ipv4-hash-sel)#vlan
Console#
show ecmp load-balance This command shows the load-balance method used when there are multiple equal-cost paths to the same destination.
Command Mode Privileged Exec
Example The default setting is shown in the following example.
IPv6 Commands
ipv6 route This command configures static IPv6 routes. Use the no form to remove static routes.
Syntax ipv6 route destination-ipv6-address/prefix-length {gateway-address [distance] | link-local-address%zone-id [distance]}
no ipv6 route destination-ipv6-address/prefix-length {gateway-address | link-local-address%zone-id}
destination-ipv6-address –...
◆ If both static and dynamic paths have the same lowest cost, the first route stored in the routing table, either statically configured or dynamically learned via a routing protocol, will be used. ◆...
Command Usage ◆ The FIB contains information required to forward IP traffic. It contains the interface identifier and next hop information for each reachable destination network prefix based on the IP routing table. When routing or topology changes occur in the network, the routing table is updated, and those changes are immediately reflected in the FIB.
Chapter 29 | IP Routing Commands Routing Information Protocol (RIP)
Table 166: Routing Information Protocol Commands
Command – Function – Mode
router rip – Enables the RIP routing protocol
default-information originate – Generates a default external route into an autonomous system
default-metric – Sets the default metric assigned to external routes...
Command Mode Global Configuration
Default Setting Disabled
Command Usage ◆ RIP is used to specify how routers exchange routing table information. ◆ This command is also used to enter router configuration mode.
Example
Console(config)#router rip
Console(config-router)#...
default-metric This command sets the default metric assigned to external routes imported from other protocols. Use the no form to restore the default value.
Syntax default-metric metric-value
no default-metric
metric-value – Metric assigned to external routes. (Range: 1-15)
Default Setting
Command Mode Router Configuration...
distance This command defines an administrative distance for external routes learned from other routing protocols. Use the no form to restore the default setting.
Syntax [no] distance distance network-address netmask
distance - Administrative distance for external routes.
Command Mode Router Configuration
Command Usage Because of hardware resource limitations, not all learned RIP routes may be copied to the hardware (ASIC) tables used for fast data forwarding.
Example
Console(config-router)#maximum-prefix 1024
Console(config-router)#...
network This command specifies the network interfaces that will be included in the RIP routing process. Use the no form to remove an entry.
Syntax [no] network {ip-address netmask | vlan vlan-id}
ip-address –...
passive-interface This command stops RIP from sending routing updates on the specified interface. Use the no form to disable this feature.
Syntax [no] passive-interface vlan vlan-id
vlan-id - VLAN ID. (Range: 1-4094)
Default Setting Disabled
Command Mode...
metric-value - Metric value assigned to all external routes for the specified protocol. (Range: 1-16)
Default Setting redistribution - none; metric-value - set by the default-metric command
Command Mode Router Configuration
Command Usage ◆...
timers basic This command configures the RIP update timer, timeout timer, and garbage-collection timer. Use the no form to restore the defaults.
Syntax timers basic update timeout garbage
no timers basic
update –...
version This command specifies a RIP version used globally by the router. Use the no form to restore the default value.
Syntax version {1 | 2}
no version
1 - RIP Version 1
2 - RIP Version 2
Default Setting Receive: Accepts RIPv1 or RIPv2 packets...
ip rip authentication mode This command specifies the type of authentication that can be used for RIPv2 packets. Use the no form to restore the default value.
Syntax ip rip authentication mode {md5 | text}
no ip rip authentication mode
md5 - Message Digest 5 (MD5) authentication
text - Indicates that a simple password will be used.
ip rip authentication string This command specifies an authentication key for RIPv2 packets. Use the no form to delete the authentication key.
Syntax ip rip authentication string key-string
no ip rip authentication string
key-string - A password used for authentication.
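The following session is an added example, not taken from the manual, that puts the two authentication commands above together with the router rip, version, network and passive-interface commands documented earlier in this chapter. VLAN 1 is switched to RIPv2 with MD5 authentication, so that an update from a router that does not hold the same key is discarded instead of being installed in the routing table; VLAN 2, assumed here to carry hosts but no other router, is made passive so that the switch's routing table is not advertised onto it. The VLAN numbers, the order of the steps and the key placeholder are assumptions of this example; the prompts follow the examples shown in this chapter. The text mode is deliberately not used: simple-password authentication carries the password in clear in every RIPv2 packet, where any host on the segment can read it, while md5 authenticates the packet without ever putting the key on the wire.

```text
Console(config)#router rip
Console(config-router)#version 2
Console(config-router)#network vlan 1
Console(config-router)#network vlan 2
Console(config-router)#passive-interface vlan 2
Console(config-router)#exit
Console(config)#interface vlan 1
Console(config-if)#ip rip authentication mode md5
Console(config-if)#ip rip authentication string <shared-key-placeholder>
Console(config-if)#exit
Console(config)#
```

Every router attached to VLAN 1 must be configured with the same mode and key, or the routers stop exchanging routes. Note also that the default receive setting documented under version accepts RIPv1 as well as RIPv2, and RIPv1 packets carry no authentication field, so the interface receive version should be limited to version 2 as well, using the interface-level receive version command described later in this chapter.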
Default Setting RIPv1 and RIPv2 packets
Command Mode Interface Configuration (VLAN)
Command Usage ◆ Use this command to override the global setting specified by the RIP version command. ◆ You can specify the receive version based on these options: ■ Use version 1 or version 2 if all routers in the local network are based on...
Command Usage Use the no form of this command when no dynamic entries should be added to the routing table for an interface, for example when only static routes are to be allowed on that interface.
Example This example sets the interface version for VLAN 1 to send RIPv1 packets.
Console(config)#interface vlan 1
Console(config-if)#ip rip send version 1
Console(config-if)#
Related Commands version (829)
ip rip send-packet This command configures the interface to send RIP packets.
ip rip split-horizon This command enables split-horizon or poison-reverse (a variation) on an interface. Use the no form to disable this function.
Syntax ip rip split-horizon [poisoned]
no ip rip split-horizon
poisoned - Enables poison-reverse on the current interface.
ospf - Deletes all entries learned through the Open Shortest Path First routing protocol.
rip - Deletes all entries learned through the Routing Information Protocol.
static - Deletes all static entries.
Default Setting None
Command Mode...
Distance: Default is 120
Console#
show ip rip This command displays information about RIP routes and configuration settings. Use this command without any keywords to display all RIP routes.
Syntax show ip rip [interface [vlan vlan-id]]
interface - Shows RIP configuration settings for all interfaces or for a specified interface.
Chapter 29 | IP Routing Commands Open Shortest Path First (OSPFv2)
Table 167: Open Shortest Path First Commands
Command – Function – Mode
General Configuration
router ospf – Enables or disables OSPFv2
compatible rfc1583 – Calculates summary route costs using RFC 1583 (early OSPFv2)
default-information – Generates a default external route into an autonomous...
Table 167: Open Shortest Path First Commands (Continued)
ip ospf priority – Sets the router priority used to determine the designated router
ip ospf retransmit-interval – Specifies the time between resending a link-state advertisement
ip ospf transmit-delay – Estimates time to send a link-state update packet over an...
Example
Console(config)#router ospf
Console(config-router)#
Related Commands network area (856)
compatible rfc1583 This command calculates summary route costs using RFC 1583 (early OSPFv2). Use the no form to calculate costs using RFC 2328 (OSPFv2).
Syntax [no] compatible rfc1583
Command Mode...
default-information originate This command generates a default external route into an autonomous system. Use the no form to disable this feature.
Syntax default-information originate [always] [metric interface-metric] [metric-type metric-type]
no default-information originate [always | metric | metric-type]
always - Always advertise itself as a default external route for the local AS regardless of whether the router has a default route.
routes, the internal cost is only used as a tie-breaker if several Type 2 routes have the same cost. ◆ This command should not be used to generate a default route for a stub or NSSA.
◆ If the priority values of the routers bidding to be the designated router or backup designated router for an area are equal, the router with the highest ID is elected.
clear ip ospf process This command clears and restarts the OSPF routing process. Specify the process ID to clear a particular OSPF process. When no process ID is specified, this command clears all running OSPF processes.
Example
Console(config-router)#area 10.3.9.0 default-cost 10
Console(config-router)#
Related Commands area stub (853) area nssa (851)
area range This command summarizes the routes advertised by an Area Border Router (ABR). Use the no form to disable this function.
Syntax [no] area area-id range ip-address netmask [advertise | not-advertise]
area-id - Identifies an area for which the routes are summarized.
Example This example creates a summary address for all area routes in the range of 10.2.x.x.
Console(config-router)#area 10.2.0.0 range 10.2.0.0 255.255.0.0 advertise
Console(config-router)#
auto-cost reference-bandwidth Use this command to calculate the default metrics for an interface based on bandwidth.
default-metric This command sets the default metric for external routes imported from other protocols. Use the no form to remove the default metric for the supported protocol types.
Syntax default-metric metric-value
no default-metric
metric-value –...
rip – Imports external routes learned through Routing Information Protocol (RIP) into this routing domain.
static - Static routes will be imported into this Autonomous System.
metric-value - Metric assigned to all external routes for the specified protocol.
Example This example redistributes routes learned from BGP as Type 1 external routes.
Console(config-router)#redistribute bgp metric-type 1
Console(config-router)#
Related Commands default-information originate (841)
summary-address This command aggregates routes learned from other protocols. Use the no form to remove a summary address.
Area Configuration
area authentication This command enables authentication for an OSPF area. Use the no form to remove authentication for an area.
Syntax [no] area area-id authentication [message-digest]
area-id - Identifies an area for which authentication is to be configured. The area ID can be in the form of an IPv4 address or a four-octet unsigned integer ranging from 0-4294967295.
Example This example enables message-digest authentication for the specified area.
Console(config-router)#area 10.3.0.0 authentication message-digest
Console(config-router)#
Related Commands ip ospf authentication-key (859) ip ospf message-digest-key (862)
area nssa This command defines a not-so-stubby area (NSSA). To remove an NSSA, use the no form without any optional keywords.
type-value
1 - Type 1 external route
2 - Type 2 external route (default) - Routers do not add internal cost to the external route metric.
Command Mode Router Configuration
Default Setting No NSSA is configured.
area stub This command defines a stub area. To remove a stub, use the no form without the optional keyword. To remove the summary attribute, use the no form with the summary keyword.
area virtual-link This command defines a virtual link. To remove a virtual link, use the no form with no optional keywords. To restore the default value for an attribute, use the no form with the required keyword.
transmit-delay seconds - Estimates the time required to send a link-state update packet over the virtual link, considering the transmission and propagation delays. LSAs have their age incremented by this amount before transmission.
configured as a backup connection that can take over if the normal connection to the backbone fails. ◆ A virtual link can be configured between any two backbone routers that have an interface to a common non-backbone area.
Command Usage ◆ An area ID uniquely defines an OSPF broadcast area. The area ID 0.0.0.0 indicates the OSPF backbone for an autonomous system. Each router must be connected to the backbone via a direct connection or a virtual link. ◆...
Command Usage ◆ Use authentication to prevent routers from inadvertently joining an unauthorized area. Configure routers in the same area with the same password or key. All neighboring routers on the same network with the same password will exchange routing data.
ip ospf authentication-key This command assigns a simple password to be used by neighboring routers to verify the authenticity of routing protocol messages. Use the no form to remove the password.
ip ospf cost This command explicitly sets the cost of sending a protocol packet on an interface, where higher values indicate slower ports. Use the no form to restore the default value.
ip ospf dead-interval This command sets the length of time without hello packets after which neighbors declare the router down. Use the no form to restore the default value.
Syntax ip ospf [ip-address] dead-interval seconds
no ip ospf [ip-address] dead-interval...
Command Mode Interface Configuration (VLAN)
Default Setting 10 seconds
Command Usage Hello packets are used to inform other routers that the sending router is still active. Setting the hello interval to a smaller value can reduce the delay in detecting topological changes, but will increase routing traffic.
◆ When changing to a new key, the router will send multiple copies of all protocol messages, one with the old key and another with the new key. Once all the neighboring routers start sending protocol messages back to this router with the new key, the router will stop using the old key.
become the DR and the router with the next highest priority becomes the BDR. If two or more routers are tied with the same highest priority, the router with the higher ID will be elected.
Example
Console(config)#interface vlan 1
Console(config-if)#ip ospf retransmit-interval 7
Console(config-if)#
ip ospf transmit-delay This command sets the estimated time to send a link-state update packet over an interface. Use the no form to restore the default value.
Syntax ip ospf [ip-address] transmit-delay seconds
no ip ospf [ip-address] transmit-delay...
passive-interface This command suppresses OSPF routing traffic on the specified interface. Use the no form to allow routing traffic to be sent and received on the specified interface.
Syntax [no] passive-interface vlan vlan-id [ip-address]
vlan-id - VLAN ID.
Number of incoming current DD exchange neighbors 0/5
Number of outgoing current DD exchange neighbors 0/5
Number of external LSA 0. Checksum 0x000000
Number of opaque AS LSA 0. Checksum 0x000000
LSDB database overflow limit is 20480
Number of LSA originated 1
Number of LSA received 0...
Table 168: show ip ospf - display description (Continued)
Field – Description
Number of LSA originated – The number of new link-state advertisements that have been originated.
Number of LSA received – The number of link-state advertisements that have been received.
Number of areas – The number of configured areas attached to this router.
show ip ospf database This command shows information about different OSPF Link State Advertisements (LSAs) stored in this router's database.
Syntax show ip ospf [process-id] database [asbr-summary | external | network | nssa-external | router | summary] [adv-router ip-address | link-state-id | self-originate]
process-id - The ID of the router process for which information will be displayed.
Net Link States (Area 0.0.0.0)
Link ID ADV Router Seq# CkSum
192.168.0.2 192.168.0.2 225 0x80000001 0x9c0f
AS External Link States
Link ID ADV Router Seq# CkSum Route
0.0.0.0 192.168.0.2 487 0x80000001 0xd491 E2 0.0.0.0/0 0
0.0.0.0 192.168.0.3...
Table 170: show ip ospf database summary - display description
Field – Description
OSPF Router ID – Router ID
LS Age – Age of LSA (in seconds)
Options – Optional capabilities associated with the LSA
LS Type – Summary Links - LSA describes routes to AS boundary routers
Link State ID...
Metric: 1
Forward Address: 0.0.0.0
External Route Tag: 0
Console#
Table 171: show ip ospf database external - display description
Field – Description
OSPF Router ID – Router ID
LS Age – Age of LSA (in seconds)
Options – Optional capabilities associated with the LSA...
Table 172: show ip ospf database network - display description
Field – Description
OSPF Router ID – Router ID
LS Age – Age of LSA (in seconds)
Options – Optional capabilities associated with the LSA
LS Type – Network Link - LSA describes the routers attached to the network
Link State ID...
Table 173: show ip ospf database router - display description
Field – Description
OSPF Router ID – Router ID
LS Age – Age of LSA (in seconds)
Options – Optional capabilities associated with the LSA
Flags – Indicate if this router is a virtual link endpoint, an ASBR, or an ABR
LS Type...
Table 174: show ip ospf database summary - display description
Field – Description
OSPF Router ID – Router ID
LS Age – Age of LSA (in seconds)
Options – Optional capabilities associated with the LSA
LS Type – Summary Links - LSA describes routes to networks
Link State ID...
Table 175: show ip ospf interface - display description
Field – Description
VLAN – VLAN ID and status of physical link
Internet Address – IP address of OSPF interface
Area – OSPF area to which this interface belongs
Maximum transfer unit
Process ID – OSPF process ID...
show ip ospf neighbor This command displays information about neighboring routers on each interface within an OSPF area.
Syntax show ip ospf [process-id] neighbor
process-id - The ID of the router process for which information will be displayed.
show ip ospf route This command displays the OSPF routing table.
Syntax show ip ospf [process-id] route
process-id - The ID of the router process for which information will be displayed.
Table 177: show ip ospf virtual-links - display description
Field – Description
Virtual Link to router – OSPF neighbor and link state (up or down)
Transit area – Common area the virtual link crosses to reach the target router
Local address – The IP address of the ABR that serves as an endpoint connecting the isolated area to the common transit area.
Chapter 29 | IP Routing Commands Open Shortest Path First (OSPFv3)
Table 178: show ip protocols ospf - display description (Continued)
Field – Description
Routing for Summary Address – Shows the networks for which route summarization is in effect
Distance – The administrative distance used for external routes learned by OSPF (see the route command).
Chapter 29 | IP Routing Commands Open Shortest Path First (OSPFv3) (Continued) Table 179: Open Shortest Path First Commands (Version 3) Command Function Mode ipv6 ospf Specifies the time between resending a link-state retransmit-interval advertisement ipv6 ospf transmit-delay Estimates time to send a link-state update packet over an interface passive-interface Suppresses OSPF routing traffic on the specified interface...
Chapter 29 | IP Routing Commands Open Shortest Path First (OSPFv3) General Configuration router ipv6 ospf This command creates an Open Shortest Path First (OSPFv3) routing process and enters router configuration mode. Use the no form to disable OSPF for all processes or for a specified process.
Chapter 29 | IP Routing Commands Open Shortest Path First (OSPFv3) abr-type This command sets the criteria used to determine if this router can declare itself an ABR and issue Type 3 and Type 4 summary LSAs. Use the no form to restore the default setting.
Chapter 29 | IP Routing Commands Open Shortest Path First (OSPFv3) summary-LSAs are examined. Otherwise (when either the router is not an ABR or it has no active backbone connection), the router should consider summary- LSAs from all actively attached areas. This ensures that the summary-LSAs originated by area border routers advertise only intra-area routes into the backbone if the router has an active backbone connection, and advertises both intra-area and inter-area routes into...
Chapter 29 | IP Routing Commands Open Shortest Path First (OSPFv3) router-id This command assigns a unique router ID for this device within the autonomous system for the current OSPFv3 process. Use the no form to restore the default setting. Syntax router-id ip-address no router-id...
Chapter 29 | IP Routing Commands Open Shortest Path First (OSPFv3) timers spf This command configures the delay after receiving a topology change and starting the shortest path first (SPF) calculation, and the hold time between making two consecutive SPF calculations. Use the no form to restore the default values. Syntax timers spf spf-delay spf-holdtime no timers spf...
Command Mode
Router Configuration
Default Setting
Default cost: 1
Command Usage
◆ If the default cost is set to “0,” the router will not advertise a default route into the attached stub.

◆ If the network addresses within an area are assigned in a contiguous manner, the ABRs can advertise a summary route that covers all of the individual networks within the area that fall into the specified range using a single area range command.

Related Commands
redistribute (889)

redistribute
This command redistributes external routing information from other routing protocols and static routes into an autonomous system. Use the no form to disable this feature or to restore the default settings.
Syntax
redistribute {connected | rip | static} [metric metric-value] [metric-type type-value]...

Example
This example redistributes automatically connected routes as Type 1 external routes.
Console(config-router)#redistribute connected metric-type 1
Console(config-router)#

Area Configuration

area stub
This command defines a stub area. To remove a stub, use the no form without the optional keyword.

◆ Use the area default-cost command to specify the cost of a default summary route sent into a stub by an ABR attached to the stub area.
Example
This example creates a stub area 2, and makes it totally stubby by blocking all Type 3 summary LSAs.
adequate flow of routing information, but does not produce unnecessary protocol traffic. However, note that this value should be larger for virtual links. (Range: 1-65535 seconds; Default: 5 seconds)
transmit-delay seconds - Estimates the time required to send a link-state update packet over the virtual link, considering the transmission and propagation delays.

ipv6 router ospf area
This command binds an OSPF area to the selected interface. Use the no form to remove an OSPF area, disable an OSPF process, or remove an instance identifier from an interface.

Console(config-if)#
Related Commands
router ipv6 ospf (882)
router-id (885)
ipv6 router ospf tag area (894)

ipv6 router ospf tag
This command binds an OSPF area to the selected interface and process. Use the no form to remove the specified area from an interface.

Example
This example assigns area 0.0.0.1 to the currently selected interface under routing process “1.”
Console(config)#interface vlan 1
Console(config-if)#ipv6 router ospf tag 1 area 0.0.0.1
Console(config-if)#
Related Commands
router ipv6 ospf (882)
router-id (885)
ipv6 router ospf area (893)

Example
Console(config)#interface vlan 1
Console(config-if)#ipv6 ospf cost 10
Console(config-if)#

ipv6 ospf dead-interval
This command sets the interval during which no hello packets are seen before neighbors declare the router down. Use the no form to restore the default value.
Syntax
ipv6 ospf dead-interval seconds [instance-id instance-id]
no ipv6 ospf dead-interval [instance-id instance-id]...

ipv6 ospf hello-interval
This command specifies the interval between sending hello packets on an interface. Use the no form to restore the default value.
Syntax
ipv6 ospf hello-interval seconds [instance-id instance-id]
no ipv6 ospf hello-interval [instance-id instance-id]
seconds - Interval at which hello packets are sent from an interface.

Command Mode
Interface Configuration (VLAN)
Default Setting
Command Usage
◆ A designated router (DR) and backup designated router (BDR) are elected for each OSPF area based on Router Priority. The DR forms an active adjacency to all other routers in the area to exchange routing topology information.

Default Setting
5 seconds
Command Usage
◆ A router will resend an LSA to a neighbor if it receives no acknowledgment after the specified retransmit interval. The retransmit interval should be set to a conservative value that provides an adequate flow of routing information, but does not produce unnecessary protocol traffic.

problem, use the transmit delay to force the router to wait a specified interval between transmissions.
Example
Console(config)#interface vlan 1
Console(config-if)#ipv6 ospf transmit-delay 6
Console(config-if)#

passive-interface
This command suppresses OSPF routing traffic on the specified interface. Use the no form to allow routing traffic to be sent and received on the specified interface.

Example
Console#show ipv6 ospf
Routing Process "ospf 1" with ID 192.168.0.2
Process uptime is 24 minutes
Supports only single TOS(TOS0) routes
SPF schedule delay 5 secs, Hold time between two SPFs 10 secs
Number of incoming concurrent DD exchange neighbors 0/5
Number of outgoing concurrent DD exchange neighbors 0/5
Number of external LSA 0.

(Continued) Table 180: show ip ospf - display description
Field – Description
Number of areas attached to this router – The number of configured areas attached to this router.
Area Information
Area – The area identifier.

Table 181: show ip ospf database - display description
Field – Description
OSPF Router Process with ID – OSPF router ID and process ID. The router ID uniquely identifies the router in the autonomous system.

(Continued) Table 182: show ip ospf interface - display description
Field – Description
Router ID – Identifier for this router
Network Type – Includes broadcast, non-broadcast, or point-to-point networks
Cost – Interface transmit cost
Transmit Delay – Interface transmit delay (in seconds)
◆...

Example
Console#show ipv6 ospf route
Codes: C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
::1/128, lo0...

(Continued) Table 184: show ipv6 ospf virtual-links - display description
Field – Description
Timer intervals – Configuration settings for timer intervals, including Hello, Dead and Retransmit
Hello due – The timeout for the next hello message from the neighbor
Adjacency state – The adjacency state between these neighbors: Down –...
Chapter 29 | IP Routing Commands Border Gateway Protocol (BGPv4)
Border Gateway Protocol (BGPv4)
BGP Overview
An autonomous system (AS) functions as a separate routing domain under one administrative authority, which implements its own routing policies. An AS exchanges routing information within its boundaries using Interior Gateway Protocols (IGPs) such as RIP or OSPF, and connects to external organizations or to the Internet using an Exterior Gateway Protocol (EGP).
External BGP – eBGP interconnects different ASs through border routers, or eBGP peers. These peering routers are commonly connected over a WAN link using a single physical path. Alternatively, multiple eBGP peer connections may be used to provide redundancy or load balancing.

BGP uses a path vector routing approach, which is roughly based on a distance-vector approach, where the cost between two adjacent ASes is implicitly assumed to be a single hop. The shortest path from an AS to a remote AS is therefore the path with the smallest number of AS hops.

◆ COMMUNITY – This attribute associates routing information with a community of users. These communities share a common property, and tagging routes with a community makes it easier for routers to identify that property and enforce appropriate routing policies.

Choose the path with the lowest ORIGIN (IGP < EGP < Incomplete). If the value of this criterion is the same for more than one candidate, go to the next step. Choose the path with the lowest MED.

Route Aggregation and Dissemination
In the Internet, the number of destinations is larger than most routing protocols can manage. It is not possible for routers to track every possible destination in their routing tables.

[Figure 7: Connections for Single Route Reflector – diagram of routers, the route reflector and an eBGP speaker, showing advertised and reflected routes]
Route reflector clients are not aware that they are connected to a route reflector, and function as though fully meshed within the autonomous system.

connected to its designated route reflector. Once all iBGP routing sessions are established, routing advertisements must follow these rules:
◆ Announcements received by a route reflector from another reflector are passed to its clients.

[Figure 9: Connections for BGP Confederation – diagram of public-domain autonomous system AS16478 containing member ASes AS100, AS200 and AS300, with iBGP and eBGP links marked]

Use the bgp confederation peer command to add an internal peer autonomous system to a confederation.
Route Servers
Route Servers are used to relay routes received from remote ASes to client routers, as well as to relay routes between client routers.

Route damping provides a relief mechanism to minimize the effects of route flapping. It can reduce the propagation of updates for flapping routes without impacting the route convergence time for stable routes. When enabled, a route is assigned a penalty each time it flaps (i.e., announced and then quickly withdrawn).

(Continued) Table 185: Border Gateway Protocol Commands – Version 4
Command – Function – Mode
bgp confederation peer – Adds an internal peer autonomous system to a confederation
bgp dampening – Configures route dampening to reduce the propagation of unstable routes
bgp enforce-first-as – Denies an update received from an external peer that does...

(Continued) Table 185: Border Gateway Protocol Commands – Version 4
Command – Function – Mode
distance bgp – Sets the administrative distance for BGP external, internal, and local routes
Neighbor Configuration
neighbor activate – Enables exchange of routing information with a neighboring router or peer group
neighbor advertisement-...

(Continued) Table 185: Border Gateway Protocol Commands – Version 4
Command – Function – Mode
neighbor prefix-list – Configures prefix restrictions applied in inbound/outbound route updates to/from specified neighbors
neighbor remote-as – Configures a neighbor and its AS number, identifying the neighbor as a local AS member
neighbor remove-private- – Removes private autonomous system numbers from...

(Continued) Table 185: Border Gateway Protocol Commands – Version 4
Command – Function – Mode
show ip bgp prefix-list – Shows routes matching the specified prefix-list
show ip bgp regexp – Shows routes matching the AS path regular expression
show ip bgp route-map – Shows routes matching the specified route map
show ip bgp scan...
◆ Use this command to specify all of the routers within an autonomous system used to exchange interior or exterior BGP routing messages. Repeat this process for any other autonomous system under your administrative control to create a distributed routing core for the exchange of routing information between autonomous systems.

Example
The regular expression in this example uses symbols which instruct the filter to match the character or null string at the beginning and end of an input string.
Console(config-router)#ip as-path access-list RD deny ^100$
Console(config-router)#
Related Commands
neighbor filter-list (958)

no-export – Routes with this community attribute are advertised only to peers in the same autonomous system or to other sub-autonomous systems within a confederation. These routes are not advertised to external peers.

Example
This example configures a named standard community list LN that permits routes with community value 100:10, denoting that they come from autonomous system 100 and network 10.
Console(config)#ip community-list standard LN permit 100:10
Console(config)#
Related Commands
neighbor send-community (970)

IP:NN – Community to deny or permit. The community number is composed of a 4-byte IP address (representing the autonomous system number) and a 2-byte network number, separated by one colon. The 2-byte network number can range from 0 to 65535.

◆ Use this command in conjunction with the neighbor filter-list to filter route updates sent to or received from a neighbor, or with the match extcommunity route map command to implement a more comprehensive filter for policy-based routing.

Command Mode
Global Configuration
Default Setting
No prefix lists are defined.
Command Usage
◆ Prefix filtering can be performed on an IP address expressed as a classful network, a subnet, or a single host route.
◆...

as-set – Generates autonomous system set information for the AS path attribute, indicating that a route originated in multiple autonomous systems.
summary-only – Sends the summary routes only, ignoring more specific routes.

bgp client-to-client reflection
This command restores route reflection via this router. Use the no form to disable route reflection.
Syntax
[no] bgp client-to-client reflection
Command Mode
Router Configuration
Default Setting
Enabled
Command Usage
◆...

bgp cluster-id
This command configures the cluster identifier for multiple route reflectors in the same cluster. Use the no form to remove the cluster identifier.
Syntax
bgp cluster-id cluster-identifier
no bgp cluster-id
cluster-identifier –...

bgp confederation identifier
This command configures the identifier for a confederation containing multiple smaller internal autonomous systems, and declares this router as a member of the confederation. Use the no form to remove the confederation identifier.
Syntax
bgp confederation identifier as-number
no bgp confederation identifier...

bgp confederation peer
This command adds an internal peer autonomous system to a confederation. Use the no form to remove an autonomous system from a confederation.
Syntax
bgp confederation peer as-number
no bgp confederation peer as-number
as-number –...

bgp dampening
This command configures route dampening to reduce the propagation of unstable routes. Use the no form to restore the default settings.
Syntax
bgp dampening [half-life [reuse-limit [suppress-limit max-suppress-time]]]
no dampening
half-life –...
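How the four bgp dampening arguments interact with the per-flap penalty described in the overview above, as an added Python model that is not the switch's own code. The 1000-point penalty per flap, the default values for half-life, reuse-limit, suppress-limit and max-suppress-time, and the sample prefixes are all assumptions (RFC 2439 conventions, not values from this page).

```python
"""Route-flap dampening penalty model (RFC 2439) for the `bgp dampening`
arguments on this page: half-life, reuse-limit, suppress-limit and
max-suppress-time.  Added illustration, not the switch's own code; the
per-flap penalty and the default timer values are assumptions."""
import math
from dataclasses import dataclass
from typing import Dict, Optional

FLAP_PENALTY = 1000.0  # assumed penalty added per flap (this page gives no value)


@dataclass
class DampeningParams:
    half_life: float = 15.0          # minutes for a penalty to halve (assumed default)
    reuse_limit: float = 750.0       # unsuppress once the penalty decays to this (assumed)
    suppress_limit: float = 2000.0   # suppress once the penalty exceeds this (assumed)
    max_suppress_time: float = 60.0  # minutes a route may stay suppressed (assumed)

    def max_penalty(self) -> float:
        # A route suppressed at this penalty decays back to reuse-limit in
        # exactly max-suppress-time, so no penalty is allowed to grow past it.
        return self.reuse_limit * 2.0 ** (self.max_suppress_time / self.half_life)

    def decay(self, penalty: float, elapsed: float) -> float:
        # Exponential decay: the penalty halves every half_life minutes.
        return penalty * 0.5 ** (elapsed / self.half_life)


@dataclass
class RouteState:
    penalty: float = 0.0
    stamp: float = 0.0        # simulated time (minutes) when penalty was last updated
    suppressed: bool = False


class Damper:
    """Tracks one penalty per prefix, the way a dampening router does."""

    def __init__(self, params: Optional[DampeningParams] = None) -> None:
        self.params = params or DampeningParams()
        self.routes: Dict[str, RouteState] = {}

    def _refresh(self, prefix: str, now: float) -> RouteState:
        # Bring the stored penalty forward to `now` and release the route
        # once it has decayed to the reuse limit.
        st = self.routes.setdefault(prefix, RouteState())
        st.penalty = self.params.decay(st.penalty, now - st.stamp)
        st.stamp = now
        if st.suppressed and st.penalty <= self.params.reuse_limit:
            st.suppressed = False
        return st

    def flap(self, prefix: str, now: float) -> bool:
        """Record one flap (announce then withdraw); return True if now suppressed."""
        st = self._refresh(prefix, now)
        st.penalty = min(st.penalty + FLAP_PENALTY, self.params.max_penalty())
        if st.penalty > self.params.suppress_limit:
            st.suppressed = True
        return st.suppressed

    def is_suppressed(self, prefix: str, now: float) -> bool:
        return self._refresh(prefix, now).suppressed

    def penalty(self, prefix: str, now: float) -> float:
        return self._refresh(prefix, now).penalty

    def reuse_after(self, prefix: str, now: float) -> float:
        """Minutes until a suppressed prefix is advertised again (0 if not suppressed)."""
        st = self._refresh(prefix, now)
        if not st.suppressed:
            return 0.0
        return self.params.half_life * math.log2(st.penalty / self.params.reuse_limit)


if __name__ == "__main__":
    d = Damper()
    prefix = "203.0.113.0/24"  # constructed sample prefix
    for minute in (0.0, 1.0, 2.0):  # three quick flaps push it over suppress-limit
        print(f"t={minute:>4} flap -> suppressed={d.flap(prefix, minute)} "
              f"penalty={d.penalty(prefix, minute):.0f}")
    for minute in (10.0, 20.0, 40.0):
        print(f"t={minute:>4} penalty={d.penalty(prefix, minute):.0f} "
              f"suppressed={d.is_suppressed(prefix, minute)} "
              f"reuse in {d.reuse_after(prefix, minute):.1f} min")
```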
bgp enforce-first-as
This command denies an update received from an external peer that does not list its own autonomous system number at the beginning of the AS path attribute. Use the no form to disable this feature.

bgp log-neighbor-changes
This command enables logging of neighbor resets (that is, up or down status changes). Use the no form to disable this feature.
Command Mode
Router Configuration
Default Setting
Disabled
Command Usage
◆...

bgp router-id
This command sets the router ID for this device. Use the no form to remove this ID.
Syntax
bgp router-id router-id
no bgp router-id
router-id – Router ID formatted as an IPv4 address.
Command Mode
Router Configuration
Default Setting...

Command Usage
◆ This command sets the interval at which to check the validity of the next hop for all routes in the routing information database. During the interval between scan cycles, IGP instability or other network problems may cause black holes or routing loops to form.

backdoor network is treated as a local network, except that it is not advertised by the local router. A backdoor route should not be sourced at the local router, but should be one that has been learned from external neighbors. However, since these routes are treated as a local network, they are given priority over routes learned through eBGP, even if the distance of the external route is shorter.

◆ A route metric must be used to resolve the problem of redistributing external routes with incompatible metrics.
Example
Console(config-router)#redistribute static metric 10
Console(config-router)#

timers bgp
This command sets the Keep Alive time used for maintaining connectivity, and the Hold time to wait for Keep Alive or Update messages before declaring a neighbor down.

◆ Use this command to clear peering sessions when changes are made to any BGP access lists, weights, or route-maps.
◆ Route refresh (RFC 2918) allows a router to reset inbound routing tables dynamically by exchanging route refresh requests with peers.

Route Metrics and Selection

bgp always-compare-
This command allows comparison of the Multi Exit Discriminator (MED) for paths advertised from neighbors in different autonomous systems. Use the no form to disable this feature.

Command Mode
Router Configuration
Default Setting
Disabled
Example
Console(config-router)#bgp bestpath as-path ignore
Console(config-router)#

bgp bestpath compare-confed-aspath
This command compares confederation AS path length in addition to external AS path length in the selection of a path. Use the no form to disable this feature.
Syntax
[no] bgp bestpath compare-confed-aspath...

Command Usage
Normally, the first route arriving from different external peers (with other conditions equal) will be chosen as the best route. By using this command, the route with the lowest router ID will be selected.
Example
Console(config-router)#bgp bestpath compare-routerid
Console(config-router)#...

bgp default local-preference
This command sets the default local preference used for best path selection among local iBGP peers. Use the no form to restore the default setting.
Syntax
bgp default local-preference preference
preference –...

◆ The router immediately groups and sorts all local paths when this command is entered. For correct results, deterministic comparison of the MED must be configured in the same manner (enabled or disabled) on all routers in the local
◆...

◆ If an access-list is specified, it will be applied to received routes. If the received routes are not matched in the access-list or the specified list does not exist, the original distance value will be used.

◆ Changing the administrative distance of iBGP routes is not recommended. It may cause an accumulation of routing table inconsistencies which can break routing to many parts of the network.
Example
Console(config-router)#distance bgp 20 200 20
Console(config-router)#...
neighbor advertisement-interval
This command configures the interval between sending update messages to a neighbor. Use the no form to restore the default setting.
Syntax
neighbor ip-address advertisement-interval interval
no neighbor ip-address advertisement-interval
ip-address –...

Command Usage
Under standard routing practices, BGP will not accept a route sent from a neighbor if the same AS number appears in the AS path more than once. This could indicate a routing loop, and the route message would therefore be dropped.

neighbor capability dynamic
This command configures dynamic negotiation of capabilities between neighboring routers. Use the no form to disable this feature.
Syntax
[no] neighbor {ip-address | group-name} capability dynamic
ip-address – IP address of a neighbor.
group-name –...

Default Setting
Disabled
Command Usage
When this command is entered, the side configured with inbound prefix-list filter rules will transmit its own rules to the peer, and the peer will then use these rules as its own outbound rules, thereby avoiding sending routes which will be denied by its partner.

Example
Console(config-router)#neighbor 10.1.1.64 default-originate
Console(config-router)#

neighbor description
This command configures the description of a neighbor or peer group. Use the no form to remove a description.
Syntax
neighbor {ip-address | group-name} description description
no neighbor {ip-address | group-name} description
ip-address –...

Command Mode
Router Configuration
Default Setting
None
Command Usage
◆ If the specified access list for input or output mode does not exist, all input or output route updates will be filtered.
◆...

neighbor ebgp-multihop
This command allows eBGP neighbors to exist in different segments, and configures the maximum hop count (TTL). Use the no form to restore the default setting.
Syntax
neighbor {ip-address | group-name} ebgp-multihop [count]
no neighbor {ip-address | group-name} ebgp-multihop
ip-address –...

Default Setting
Not enforced
Command Usage
By default, the multi-hop check is only performed on iBGP and eBGP non-direct routes. This command can be used to force the router to perform the multi-hop check on directly connected routes as well.

Example
In this example, the AS path access list “ASPF” is first configured to deny access to any route passing through AS 100. It then enables route filtering by assigning this list to a peer.

threshold – The percentage of the maximum number of allowed prefixes at which the router will initiate the specified response.
restart – Restarts the BGP connection after the threshold is exceeded.
interval –...

Command Usage
◆ iBGP routers only connected to other iBGP routers in the same segment will not be able to talk with iBGP routers outside of the segment if they are not directly connected with each other.

neighbor passive
This command passively forms a connection with the specified neighbor, not sending a TCP connection request, but waiting for a connection request from the specified neighbor. Use the no form to disable this feature.
Syntax
[no] neighbor {ip-address | group-name} passive
ip-address –...

Command Usage
◆ When MD5 authentication is configured on a TCP connection between two peers, neighbor authentication occurs whenever routing updates are exchanged. Authentication must be configured with the same password on both peers;...

neighbor peer-group (Group Members)
This command assigns routers to a peer group. Use the no form to remove a group member.
Syntax
[no] neighbor ip-address peer-group group-name
ip-address – IP address of a neighbor.
group-name –...

neighbor prefix-list
This command configures prefix restrictions applied in inbound/outbound route updates to/from specified neighbors. Use the no form to remove the neighbor binding for a prefix list.
Syntax
neighbor {ip-address | group-name} prefix-list list-name {in | out}
no neighbor {ip-address | group-name} prefix-list {in | out}
ip-address –...

neighbor remote-as
This command configures a neighbor and its AS number, identifying the neighbor as an iBGP or eBGP peer. Use the no form to remove a neighbor.
Syntax
neighbor {ip-address | group-name} remote-as as-number
no neighbor {ip-address | group-name} remote-as
ip-address –...

Default Setting
Disabled
Command Usage
◆ This command only applies to eBGP neighbors. It is used to avoid passing an internal AS number to an external AS. Internal AS numbers range from 64512-65535, and should not be sent to the Internet since they are not valid external AS numbers.

Command Usage
◆ First, use the route-map command to create a route map, and the match and set commands to configure the route attributes to act upon. Then use this command to specify neighbors to which the route map is applied.
◆...
Chapter 29 | IP Routing Commands Border Gateway Protocol (BGPv4) neighbor route- This command configures this router as a route server and the specified neighbor as its client. Use the no form to disable the route server for the specified neighbor. server-client Syntax [no] neighbor {ip-address | group-name} route-server-client...
Chapter 29 | IP Routing Commands Border Gateway Protocol (BGPv4) neighbor send- This command configures the router to send community attributes to a neighbor in peering messages. Use the no form to stop sending this attribute to a neighbor. community Syntax [no] neighbor {ip-address | group-name} send-community [both | extended | standard]...
Page 971
Chapter 29 | IP Routing Commands Border Gateway Protocol (BGPv4) Default Setting None Command Usage ◆ This command terminates any active sessions for the specified neighbor, and removes any associated routing information. ◆ Use the show ip bgp summary command display the neighbors which have been administratively shut down.
Chapter 29 | IP Routing Commands Border Gateway Protocol (BGPv4) ◆ To use soft reconfiguration, without preconfiguration, both BGP neighbors must support the soft route refresh capability advertised in open messages sent when a BGP session is established. To see if a BGP router supports this capability, use the show ip bgp neighbors command.
Page 973
Chapter 29 | IP Routing Commands Border Gateway Protocol (BGPv4) hold-time – The maximum interval after which a neighbor is declared dead if a keep-alive or update message has not been received. (Range: 0-65535 seconds) Command Mode Router Configuration Default Setting Keep Alive time: 60 seconds Hold time: 180 seconds Command Usage...
Chapter 29 | IP Routing Commands Border Gateway Protocol (BGPv4) Command Usage This command sets the time to wait before attempting to reconnect to a BGP neighbor after having failed to connect. During the idle time specified by the Connect Retry timer, the remote BGP peer can actively establish a BGP session with the local router.
Chapter 29 | IP Routing Commands Border Gateway Protocol (BGPv4) neighbor update- This command specifies the interface to use for a TCP connection, instead of using the nearest interface. Use the no form to use the default interface. source Syntax [no] neighbor {ip-address | group-name} update-source interface vlan vlan-id ip-address –...
Chapter 29 | IP Routing Commands Border Gateway Protocol (BGPv4) Command Usage ◆ Use this command to specify a weight for all the routes learned from a neighbor. The route with the highest weight gets preference over other routes to the same network. ◆...
Chapter 29 | IP Routing Commands Border Gateway Protocol (BGPv4) Table 186: show ip bgp - display description Field Description BGP table version Internal version number of routing table, incremented per table change. local router ID IP address of router. Status codes Status of table entry includes these values: ◆...
Chapter 29 | IP Routing Commands Border Gateway Protocol (BGPv4) Example In the following example, Refcnt refers to the number of routes using the indicated next hop. Console#show ip bgp attribute-info Refcnt Nexthop 1 0.0.0.0 1 10.1.1.64 3 10.1.1.64 1 10.1.1.121 2 10.1.1.200 Console# show ip bgp cidr-only...
Chapter 29 | IP Routing Commands Border Gateway Protocol (BGPv4) internet – Specifies the entire Internet. Routes with this community attribute are advertised to all internal and external peers. local-as – Specifies the local autonomous system. Routes with this community attribute are advertised only to peers that are part of the local autonomous system or to peers within a sub-autonomous system of a confederation.
Chapter 29 | IP Routing Commands Border Gateway Protocol (BGPv4) Table 187: show ip bgp community-info - display description Field Description Address Internal address in memory where the entry is stored. Refcnt The number of routes which refer to this community. Community 4-byte community number composed of a 2-byte autonomous system number and a 2-byte network number, separated by one colon...
parameters – Route dampening parameters.
Command Mode
Privileged Exec
Example
In the following example, “From” indicates the peer that advertised this path, while “Reuse” is the time after which the path will be made available.
Console#show ip bgp dampening dampened-paths
BGP table version is 0, local router ID is 192.168.0.2
Status codes: s suppressed, d damped, h history, * valid, >...

Table 188: show ip bgp dampening parameters - display description (Continued)
Field: Description
Suppress penalty: The point at which to start suppressing a route.
Max suppress time: The maximum time a route can be suppressed.

show ip bgp filter-list
This command shows routes matching the specified filter list.
Command Mode
Privileged Exec
Console#show ip bgp neighbors 192.168.0.3
BGP neighbor is 192.168.0.3, remote AS 200, local AS 100, external link
Member of peer-group for session parameters
BGP version 4, remote router ID 192.168.0.3
BGP state = Established, up for 00:00:58
Last read 16:40:37, hold time is 180, keepalive interval is 60 seconds
Neighbor capabilities:...

Table 189: show ip bgp - display description (Continued)
Field: Description
keepalive interval: Interval at which keepalive messages are transmitted to this neighbor.
Neighbor capabilities: BGP capabilities advertised and received from this neighbor.
Message statistics: Statistics organized by message type.

show ip bgp prefix-list
This command shows routes matching the specified prefix-list.
Syntax
show ip bgp prefix-list list-name
list-name – Name of a prefix-list. The prefix list can be used to filter the networks to import or export as defined by the match ip address prefix-list command.

show ip bgp route-map
This command shows routes matching the specified route map.
Syntax
show ip bgp route-map map-name
map-name – Name of the route map as defined by the route-map command.

Command Mode
Privileged Exec
Example
In the following example, “Up/Down” refers to the length of time the session has been in the Established state, or the current status if not in the Established state.
Console#show ip bgp summary
BGP router identifier 192.168.0.2, local AS number 100
RIB entries 0...

100-500 – Expanded community list number that identifies one or more groups of communities.
community-list-name – Name of standard or expanded access list. (Maximum length: 32 characters, no spaces or other special characters)
Command Mode
Privileged Exec
Example...

show ip prefix-list detail
This command shows detailed information for the specified prefix list.
Syntax
show ip prefix-list detail [prefix-list-name]
prefix-list-name – Name of prefix list. (Maximum length: 128 characters, no spaces or other special characters)
Command Mode
Privileged Exec...
Chapter 29 | IP Routing Commands Policy-based Routing for BGP

This section describes commands used to configure policy-based routing (PBR) maps for Border Gateway Protocol (BGP). Policy-based routing is performed before regular routing. PBR inspects traffic on the interface where the policy is applied and then, based on the policy, makes some decision.
Table 192: Policy-based Routing Configuration Commands (Continued)
Command: Function (Mode)
match ip address: Specifies destination addresses to match in a standard access list, extended access list, or prefix list
match ip next-hop: Specifies next hop addresses to match in a standard access list, extended access list, or prefix list
match ip route-source...

route-map
This command enters route-map configuration mode, allowing route maps to be created or modified. Use the no form to remove a route map.
Syntax
[no] route-map map-name {deny | permit} sequence-number
map-name –...

■ For a permit route-map, if it does not have a match clause, any routing message is matched, and therefore all routes are permitted.
■ For a permit route-map which includes a match clause for an access-list, if...

continue
This command goes to a route-map entry with a higher sequence number after a successful match occurs. Use the no form to remove this entry from a route map.
Syntax
continue [sequence-number]
no continue...

match as-path
This command sets a BGP autonomous system path access list to match. Use the no form to remove this entry from a route map.
Syntax
[no] match as-path access-list-name
access-list-name –...

Command Usage
This command matches the community attributes of the BGP routing message following the rules specified with the ip community-list command.
Example
Console(config)#route-map RD permit 2
Console(config-route-map)#match community 60
Console(config-route-map)#set weight 30
Console(config-route-map)#

match extcommunity...

prefix-list-name – Name of a specific prefix list.
Command Mode
Route Map
Example
Console(config)#route-map RD permit 4
Console(config-route-map)#match ip address rd-addresses
Console(config-route-map)#set weight 30
Console(config-route-map)#
Related Commands
ip prefix-list (928)
Access Control Lists (335)

match ip next-hop
This command specifies the next-hop addresses to be matched in a standard access...

match ip route-source
This command specifies the source of routing messages advertised by routers and access servers to be matched in a standard access list, an extended access list, or a prefix list.

match origin
This command sets the originating protocol to match in routing messages. Use the no form to remove this entry from a route map.
Syntax
match origin {egp | igp | incomplete}
no match origin
egp –...
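The route-map semantics described in this section (permit and deny entries tried in sequence-number order, an entry with no match clause matching everything, set clauses applied on a permit, and continue jumping to a higher-numbered entry after a successful match) can be checked against a small model. The following Python is an added example, not code from the switch or its vendor. The match-clause semantics are simplified stand-ins (a community list is a set of community strings, a prefix list is an exact-network match, the as-path access list is a single AS number that must appear in the path), the behaviour when no entry matches (drop) and when a continued route matches nothing further (keep the earlier permit) are assumptions the page does not state, and the community list, prefix list and routes are constructed sample data.

```python
from dataclasses import dataclass, field, replace
from typing import Optional
import ipaddress


@dataclass
class Route:
    """A BGP route with the attributes the model matches on or sets."""
    prefix: str
    communities: frozenset = frozenset()   # e.g. {"100:60"}
    as_path: tuple = ()                    # e.g. (200, 300)
    weight: int = 0
    local_pref: int = 100


@dataclass
class Entry:
    """One route-map entry: 'route-map NAME {permit|deny} SEQ' plus its clauses."""
    seq: int
    action: str                            # "permit" or "deny"
    matches: dict = field(default_factory=dict)   # clause name -> argument
    sets: dict = field(default_factory=dict)      # attribute -> value
    cont: Optional[int] = None             # None: no continue; 0: next entry; n: entry with seq n


def _match_community(route, community_list):
    # Simplified stand-in for "match community": matches when the route carries
    # at least one community from the list (assumption, not the switch's exact rule).
    return bool(route.communities & frozenset(community_list))


def _match_prefix_list(route, prefix_list):
    # Simplified stand-in for "match ip address prefix-list": exact network match.
    net = ipaddress.ip_network(route.prefix)
    return any(net == ipaddress.ip_network(p) for p in prefix_list)


def _match_as_path(route, as_number):
    # Stand-in for "match as-path": the AS path must contain the given AS number
    # (a real as-path access list is a regular expression).
    return as_number in route.as_path


MATCHERS = {
    "community": _match_community,
    "prefix_list": _match_prefix_list,
    "as_path": _match_as_path,
}


def apply_route_map(entries, route):
    """Evaluate a route map against one route.

    Returns a copy of the route with accumulated set clauses applied if it is
    permitted, or None if it is denied. Match clauses are evaluated against the
    original attributes; set clauses accumulate across continued entries and are
    applied once evaluation stops (modelling choice).
    """
    ordered = sorted(entries, key=lambda e: e.seq)
    pending = {}
    permitted = False
    i = 0
    while i < len(ordered):
        e = ordered[i]
        if e.action not in ("permit", "deny"):
            raise ValueError("entry %d: action must be permit or deny" % e.seq)
        # An entry with no match clause matches everything (all([]) is True).
        if not all(MATCHERS[k](route, v) for k, v in e.matches.items()):
            i += 1
            continue
        if e.action == "deny":
            return None
        permitted = True
        pending.update(e.sets)
        if e.cont is None:
            break                          # first matching permit without continue decides
        if e.cont == 0:
            i += 1                         # "continue" with no argument: next entry
        else:
            # "continue N": only an entry with a higher sequence number is a valid target.
            targets = [j for j, x in enumerate(ordered) if x.seq == e.cont and x.seq > e.seq]
            if not targets:
                break
            i = targets[0]
    if not permitted:
        return None                        # no entry matched: route dropped (assumption)
    return replace(route, **pending)


# Constructed sample policy modelled on the RD route map in this section.
COMMUNITY_LIST_60 = {"100:60"}             # constructed contents of community list 60
RD_ADDRESSES = ["10.1.0.0/16"]             # constructed contents of prefix list rd-addresses

ROUTE_MAP_RD = [
    Entry(2, "permit", {"community": COMMUNITY_LIST_60}, {"weight": 30}, cont=0),
    Entry(4, "permit", {"prefix_list": RD_ADDRESSES}, {"local_pref": 200}),
    Entry(6, "deny", {"as_path": 666}),
    Entry(8, "permit"),                    # catch-all: no match clause, permits everything
]

if __name__ == "__main__":
    r = apply_route_map(ROUTE_MAP_RD, Route("10.1.0.0/16", frozenset({"100:60"}), (200,)))
    print(r)                               # weight 30 from entry 2, local_pref 200 from entry 4
    print(apply_route_map(ROUTE_MAP_RD, Route("192.0.2.0/24", frozenset({"100:60"}), (666,))))
```

The second call in the usage block shows why continue deserves care when reviewing a policy: a route that entry 2 permits is carried on to entry 6 and denied there, so a continue clause can silently change a permit into a drop further down the map.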