ELTEX MES3108 Operation Manual


MES3000 series backbone switches, aggregation switches

MES3000
MES3108, MES3108F, MES3116, MES3116F,
MES3124, MES3124F, MES3224, MES3224F
Operation Manual, firmware version 2.5.47
Backbone Switches,
Aggregation Switches


Summary of Contents for ELTEX MES3108

  • Page 1 MES3000 MES3108, MES3108F, MES3116, MES3116F, MES3124, MES3124F, MES3224, MES3224F Operation Manual, firmware version 2.5.47 Backbone Switches, Aggregation Switches...
  • Page 2 Document version Issue date Revisions Version 1.32 18.09.2017 Changes in chapters: - 5.1 Basic commands - 5.4 System management commands - 5.10 Storm control - 5.15.5.1 STP, RSTP configuration - 5.29 ACL configuration (Access Control Lists) - 5.31 Quality of Services (QOS) Version 1.31 18.09.2017 Added chapters:...
  • Page 3 - 5.31.5 Configuration of Virtual Router Redundancy Protocol (VRRP) Added chapter: - 5.23 IP Service Level Agreements (IP SLA) Version 1.26 03.06.2015 Changes in chapters: - 5.15.4 Loopback detection mechanism - 5.15.5 STP protocol family - 5.18.2 RADIUS protocol - 5.24.2. Port-based client authentication (802.1x standard) - 5.23.3 DHCP protocol management and Option 82 - 5.24 DHCP Relay mediation features Version 1.25...
  • Page 4 Version 1.17 29/04/2014 Changes in chapters: - 5.8.1 Parameters of the Ethernet and Port-Channel interfaces Version 1.16 01 April 2014 Changes in chapters: - 5.22.1 Copper-wire cable diagnostics Version 1.15 29/01/2014 Changes in chapters: - 5.17.2 IGMP Proxy multicast routing function Version 1.14 05/12/2013 Changes in chapters:...
  • Page 5 - 5.28.3 OSPF protocol configuration. - Appendix B. Typical network building schemes based on EAPS protocol. - Appendix C. Description of switch processes. Version 1.7 27/11/2012 Changes in chapters: - 2.3 Main specifications - 4.4.2 Switch operation in stackable mode - 5.10 Link Aggregation Group (LAG) Version 1.6 10/09/2012...
  • Page 6: Table Of Contents

    CONTENTS 1 INTRODUCTION ..........................10 2 PRODUCT DESCRIPTION ........................ 11 2.1 Purpose ............................. 11 2.2 Switch functionality .......................... 11 2.2.1 Basic functions ........................11 2.2.2 Functions for MAC address processing ................... 11 2.2.3 Second-layer functions of OSI model correspondence............12 2.2.4 Third-layer functions of OSI model ..................
  • Page 7 5.8.4 IP interface configuration ......................73 5.9 Selective Q-in-Q ..........................73 5.10 Storm control ............................. 75 5.11 Link Aggregation Groups (LAG) ......................76 5.11.1 Static link aggregation groups ....................77 5.11.2 Link aggregation Control Protocol ..................78 5.12 IPv4 addressing configuration ......................79 5.13 Green Ethernet configuration ......................
  • Page 8 5.24.4 Client IP address protection (IP-source Guard) ..............183 5.24.5 ARP management (ARP Inspection) ................... 185 5.24.6 MAC Address Notification configuration ................187 5.25 DHCP Relay mediation features ...................... 189 5.26 Lightweight DHCPv6 Relay Agent (LDRA) functions ............... 191 5.27 PPPoE Intermediate Agent configuration ..................192 5.28 DHCP server configuration ......................
  • Page 9 SYMBOLS Value Description In the command line, optional parameters are shown in square brackets; when entered, they provide additional options. In the command line, mandatory parameters are shown in curly braces. Choose one of the listed parameters. "," In the description of the command, these signs are used for defining ranges. "-"...
  • Page 10: Introduction

    - MES3116F: 12x1000Base-X (SFP) ports, 4x10/100/1000Base-T/1000Base-X (SFP) combo ports, 2x10GBase-X (SFP+) or 1000Base-X (SFP) ports;
    - MES3108: 8x10/100/1000Base-T ports, 2x10GBase-X (SFP+) or 1000Base-X (SFP) ports;
    - MES3108F: 4x1000Base-X (SFP) ports, 4x10/100/1000Base-T/1000Base-X (SFP) combo ports, 2x10GBase-X (SFP+) or 1000Base-X (SFP) ports;...
  • Page 11: Product Description

    PRODUCT DESCRIPTION Purpose MES3000 series devices are the first-class multi-purpose network switches that operate on data-link and network layers of the OSI model. MES3000 series switches provide high density of electric/optical Gigabit ports, allow to combine optical and electrical connection in one device by combo interfaces, have high-speed ports performing with rates up to 1Gbit/s and 10Gbit/s, allowing you to gradually expand the network performance while moving from 1Gbit/s to 10Gbit/s networks as necessary.
  • Page 12: Second-Layer Functions Of Osi Model Correspondence

    Learning mode: When learning is disabled, the data coming to any port will be transmitted to all other ports of the switch. In learning mode, the switch analyzes the frame, discovers the sender's MAC address and adds it to the routing table. Afterwards, Ethernet frames destined for a host whose MAC address has already been added to the routing table will be sent only to the port specified in the...
  • Page 13 Spanning Tree Protocol: Spanning Tree Protocol is a network protocol that ensures a loop-free network topology by converting networks with redundant links to a tree-like structure. Switches exchange configuration messages, using special-format frames, and selectively enable or disable traffic transmission to ports. IEEE 802.1w Rapid Spanning Tree Protocol: Rapid STP (RSTP) is the enhanced version of the STP protocol that enables faster...
  • Page 14: Third-Layer Functions Of Osi Model

    2.2.4 Third-layer functions of OSI model Table 2.4 lists third-layer functions (OSI Layer 3). Table 2.4 —Third-layer functions description (OSI Layer 3) BootP and DHCP clients (Dynamic Host MES3000 devices can obtain IP address automatically via BootP/DHCP. Configuration Protocol) Administrator of the switch can add or remove static records into/from the Static IP routes routing table.
  • Page 15: Switch Control Functions

    DHCP Option 82: An option that informs the DHCP server about the DHCP relay and the port of the incoming request. By default, a switch with the DHCP snooping function enabled identifies and drops all DHCP requests containing Option 82 if they were received via an untrusted port. UDP relay: Broadcast UDP traffic forwarding to the specified IP address....
  • Page 16: Additional Functions

    SNMP: SNMP is used for monitoring and management of network devices. For system access control purposes, a community record list is defined, where each record contains access privileges. MES3000 switch CLI management is performed locally via the RS-232 serial port or remotely via telnet or SSH....
  • Page 17: Main Specifications

    Supported operations: ICMP Echo, UDP Jitter. Main specifications Table 2.9 lists main specifications of the switch. Table 2.9 —Main specifications General parameters Packet processor Marvell 98DX4122 8x10/100/1000Base-T MES3108 2x(10GBase-X (SFP+)/1000Base-X (SFP) 4x1000 Base-X (SFP) MES3108F 4xCombo (10/100/1000Base-T/1000Base-X) 2x(10G Base-X (SFP+)/1000Base-X (SFP)) 16x10/100/1000Base-T MES3116...
  • Page 18 electric interfaces 10/100/1000 Mbps Data transfer rate optical interfaces 1/10 Gbps Table of MAC addresses 16,000 records (some MAC addresses are reserved by the system) for routing: 3272x24B TCAM routing volume for the processing of traffic tasks: 2048x24B Ingress: 980 SQinQ rules qty Egress: 140 ACL rules qty...
  • Page 19: Design

    The combined ports may have only one active interface at the same time. In case of simultaneous connections, the interface with SFP transceiver will be active. 2.4.1 Front panel of the device Front panel layout MES3108, MES3108F, MES3116, MES3116F, MES3124, MES3124F, MES3224, MES3224F is depicted in Fig. 1-8. Fig. 1—MES3108, front panel Fig.
  • Page 20 Fig. 4—MES3116F, front panel Fig. 5—MES3124, front panel Fig. 6—MES3124F, front panel Fig. 7—MES3224, front panel Fig. 8—MES3224F, front panel Table 2.10 lists sizes, LEDs and controls located on the front panel of the switch. MES3000 Ethernet switch series...
  • Page 21: Rear Panel Of The Device

    - XG3, XG4 slots for 10G SFP+/ 1G SFP transceivers installation XG1, XG2 XG optical interface activity indicator XG3, XG4 8/16/24 Gigabit Ethernet ports For MES3108, MES3116, MES3124, MES3224 devices: 10/100/1000 [1..8/16/24] Base-T (RJ-45). For MES3108F, MES3116F, MES3124F, MES3224F devices: 1000 Base-X (SFP).
  • Page 22: Side Panels Of The Device

    Table 2.11 lists rear panel connectors of the switch. Table 2.11 —Description of rear panel connectors of the switch № Rear panel element Description Connector for DC power supply Connector for AC power supply Removable fans Removable ventilation modules with hot-swapping. Earth bonding point Earth bonding point of the device.
  • Page 23 LINK/ACT SPEED Fig. 13—SFP transceiver socket appearance Table 2.12 —Ethernet interface status light indication SPEED indicator is lit LINK/ACT indicator is lit Ethernet interface state Port is disabled or connection is not established Solid on 10Mbps or 100Mbps connection is established Solid on Solid on 1000Mbps connection is established...
  • Page 24: Delivery Package

    supply (when device operates from the backup power supply) or primary power supply failure Green, solid The device is stack 'master' Marker of the master The device is not stack 'master' Master device in a stack or stackable mode is not specified All fans are operational Cooling fan status...
  • Page 25: Installation And Connection

    INSTALLATION AND CONNECTION This section describes installation of the equipment into a rack and connection to a power supply. Support brackets mounting The delivery package includes support brackets for rack installation and mounting screws to fix the device case on the brackets. To install the support brackets: Fig.
  • Page 26 Fig. 16—Device rack installation Fig. 17 shows the example of MES3000 rack installation. Fig. 17—MES3000 switch rack installation The device is ventilated from the front. The front panel of the device has air vents. Do not block air vents and fans located on the rear panel to avoid components overheating and subsequent switch malfunction.
  • Page 27: Power Module Installation

    Power module installation Switch can operate with one or two power modules. The second power module installation is necessary when the device operates under strict reliability requirements. From the electric point of view, both places for power module installation are identical. In the context of device operation, the power module located closer to the edge is considered as the main module, and the one closer to the centre—as the backup module.
  • Page 28: Sfp Transceiver Installation And Removal

    SFP transceiver installation and removal Optical modules can be installed when the terminal is turned on or off. 1. Insert the top SFP module into a slot with its open side down, and the bottom SFP module with its open side up. Fig.
  • Page 29: Initial Switch Configuration

    INITIAL SWITCH CONFIGURATION Configuring the Terminal Run terminal emulation application on PC (HyperTerminal, TeraTerm, Minicom) and perform the following actions: 1. Select the corresponding serial port. 2. Set the data transfer rate—115,200 baud. 3. Specify the data format: 8 data bits, 1 stop bit, non-parity. 4.
  • Page 30: Startup Menu

    Dram first block size is : 229376K bytes
    Dram first PTR is : 0x1C00000
    Dram second block size is : 4096K bytes
    Dram second PTR is : 0xFC00000
    Flash size is:
    05-Jun-2011 16:14:09 %CDB-I-LOADCONFIG: Loading running configuration.
    05-Jun-2011 16:14:09 %CDB-I-LOADCONFIG: Loading startup configuration.
    Device configuration:
    Slot 1 - 28 ports
    Device 0: GT_98DX4122 (BobCat)
  • Page 31: Switch Operation Modes

    In stackable mode, MES3124/MES3124F and MES3224/MES3224F use XG3 and XG4 ports for synchronization; also, these ports are not used for data transmission. MES3108/MES3108F and MES3116/MES3116F use only XG2 port for synchronization; also, this port is not used for data transmission.
  • Page 32 Privileged EXEC mode commands Command line request appears as follows: console# Table 4.2 —Basic commands available in privileged EXEC mode Command Value/Default value Action unit mode {standalone | Defines the switch operation mode: stackable} - standalone—switch can perform as a standalone device - stackable—switch can be combined in a stack The mode change takes effect after the switch is restarted.
  • Page 33: Switch Function Configuration

    Topology is Current stack topology—chain or ring Unit Mode After Reset: Switch operation mode after restart—standalone/stackable Unit Num After Reset: Switch identifier that will be applied after restart Devices with identical Unit IDs won't be able to work in one stack. Switch function configuration Initial configuration functions can be divided into two types.
  • Page 34 Example of commands for assigning the password eltex to the admin user and creating the operator user with the password pass and privilege level 1:
    console# configure
    console(config)# username admin password eltex
    console(config)# username operator password pass privilege 1
    console(config)# exit
    console#
    4.5.1.2 Static IP address, subnet mask, default gateway configuration...
  • Page 35 DHCP client is enabled on VLAN 1 interface by default. Configuration example for obtaining a dynamic IP address from a DHCP server on VLAN 1 interface:
    console# configure
    console(config)# interface vlan 1
    console(config-if)# ip address dhcp
    console(config-if)# exit
    console#
    To verify that the IP address has been assigned to the interface correctly, enter the following command:
    console# show ip interface vlan 1
    Gateway IP Address Activity status...
  • Page 36: Security System Configuration

    ------------------ ------------------ --------------- ------ Traps are enabled. Authentication-failure trap is enabled. Version 1,2 notifications Target Address Type Community Version Filter Retries Port name ---------------- -------- ----------- ---------- ----- ------- ----- --------- Version 3 notifications Target Address Type Username Security Udp Filter Retries Level...
  • Page 37: Banner Configuration

    console(config-line)# enable authentication default
    console(config-line)# password telnet
    Enter the telnet password in reply to the password entry prompt that appears during the registration in the Telnet session.
    4.5.2.3 Setting password for SSH
    console(config)# aaa authentication login default line
    console(config)# aaa authentication enable default line
    console(config)# ip ssh server
    console(config)# line ssh
    console(config-line)# login authentication default...
  • Page 38: Device Management Command Line Interface

    DEVICE MANAGEMENT COMMAND LINE INTERFACE Four main modes are used for configuration of the switch. Each mode has its own specific set of commands. Enter the '?' character to view the set of commands available for each mode. Transition between modes is performed with special commands. The list of existing modes and commands for mode transition: Command mode (EXEC)—this mode is available right after the successful startup of the switch and the username input.
  • Page 39 Table 5.1 —Basic commands available in EXEC mode Command Value/Default value Action enable [priv] Switch to the privileged mode (if the value is not defined— priv: (1..15)/15 privilege level 15). login Close the current session and switch the user. exit Close the active terminal session.
  • Page 40: Filtering Of Command Line Messages

    Exit from any configuration mode to the command mode (Privileged EXEC). Execute the command of the command level (EXEC) from any configuration mode. help Shows help on commands being used. Global configuration mode commands Command line request appears as follows: console(config)# Table 5.4 —Basic commands available in configuration mode Command...
  • Page 41: Macrocommand Configuration

    Table 5.6 —Global configuration mode commands
    Method Value/Default value Action
    begin pattern: Show strings whose first characters correspond to the pattern template.
    include pattern: Display all strings that contain the pattern.
    exclude pattern: Display all strings that do not contain the pattern.
    Macrocommand configuration
    This function allows creating unified sets of commands (macros) that can be used later for configuration purposes....
  • Page 42: System Management Commands

    Table 5.9 —Interface configuration mode commands Command Value/Default value Action macro apply word word: (1..32) Apply the selected macro. characters macro trace word word: (1..32) Validate the selected macro. characters macro description word Specify macro descriptor string. word: (1..160) characters no macro description Delete the descriptor string.
  • Page 43 traceroute ipv6 {A.B.C.D.E.F | Detection of the traffic route to the destination node. host} [size size] [ttl ttl] [count -A.B.C.D.E.F—IPv6 address of the network node count] [timeout timeout] - host—domain name of the network node [source ip_address] [tos tos] - size—size of the packet to be sent, the quantity of bytes in a host: (1..158) symbols;...
  • Page 44 Example use of the traceroute command:
    console# traceroute eltex.com
    Type Esc to abort.
    Tracing the route to eltex.com (148.21.11.69)
    1 gateway.eltex (192.168.1.101) 0 msec 0 msec 0 msec
    2 eltexsrv (192.168.0.1) 0 msec 0 msec 0 msec
    3 * * *
    Table 5.12 —Description of 'traceroute' command execution results...
  • Page 45 Table 5.13 —Errors occurring during 'traceroute' command execution Error symbol Description Packet transmission timeout. Unknown packet type. Administratively unavailable. Usually, this error is shown when outbound traffic is blocked by rules in ACL access table. Fragmentation or DF bit setting required. Network node is not available.
  • Page 46: Commands For Configuration Of Password Parameters

    no hostname characters/- Set the default network device name. stack master unit unit Assign the master device in a stack. unit: (1..2)/no master This command is available in the stackable mode only. device no stack master unit Set the default value. service cpu-utilization Allow the device to perform software-based measurement of the switch CPU load level.
  • Page 47: File Operations

    no passwords complexity min-classes: Restore the default value.
    passwords complexity min-length value (value: (0..64)/8): Enable minimum password length restriction.
    no passwords complexity min-length: Restore the default value.
    passwords complexity no-repeat number: Enable the restriction for the minimum quantity of identical consecutive characters in a new password....
  • Page 48: File Operation Commands

    The load file on the device or on one of the stacked devices. To copy file from the master unit://member/boot device to other modules, use '*' symbol in the member element. member—IP address or device network name in a stack. Empty destination for copies or files.
  • Page 49 delete url: Delete the file from the device flash memory. *.prv, image-1 and image-2 files cannot be removed.
    delete startup-config: Delete the initial configuration file.
    boot system [unit unit] {image-1 | image-2} (unit (1..8)): Define the system firmware file that will be loaded on startup. - unit—number of the device in a stack (for standalone switch, this...
  • Page 50: Configuration Backup Commands

    Example use of commands
    - Delete test file from the non-volatile memory.
    console# delete flash: test
    Delete flash:test? [confirm]
    Command execution result: File will be deleted after confirmation.
    5.6.3 Configuration backup commands
    This section describes commands intended for configuring backup timer or saving the current configuration on the flash drive....
  • Page 51: Automatic Configuration

    1. The switch downloads the text file and reads the firmware file name on TFTP server.
    2. The switch downloads the first block (512 bytes) of the firmware image file from TFTP server with the firmware version.
    3. The switch compares firmware image file version, downloaded from TFTP server, with the active image of the switch firmware....
  • Page 52: System Time Configuration

    - Example of ISC DHCP Server configuration:
    option image-filename code 125 = {
        unsigned integer 32, #enterprise-number. Manufacturer ID, always equal to 35265 (Eltex)
        unsigned integer 8, #data-len. All option data length. Equal to length of the string sub-option-data + 2....
  • Page 53 console(config)# Table 5.28 —List of system time configuration commands in global configuration mode Command Value/Default value Action clock source sntp -/external source is not Use the external source for setting system time. used no clock source Deny the utilization of the external source for setting system time. clock timezone zone zone: 4 characters/no Set the timezone value.
  • Page 54 no sntp client enable Restore the default value. {gigabitethernet gi_port | tengigabitethernet te_port | port-channel group| vlan vlan_id} sntp unicast client enable Allow unicast SNTP client operation. -/denied no sntp unicast client enable Restore the default value. sntp unicast client poll Allow sequential polling of the selected unicast SNTP servers.
  • Page 55: Interface And Vlan Configuration

    Begins at first Sunday of April at 2:00.
    Synchronization status is shown by the additional character before the time value. Example: *15:29:08 PDT(UTC-7) Jun 17 2009
    The following symbols are used:
    - The dot (.) means that the time is valid, but there is no synchronization with SNTP server
    - ...
  • Page 56: Ethernet And Port-Channel Interface Parameters Configuration

    tengigabitethernet te_port | port-channel group | ip ip | vlan vlan_id | tunnel tunnel_id | range {…}}
    5.8.1 Ethernet and Port-Channel interface parameters configuration
    Interface configuration mode commands (interface range)
    console# configure
    console(config)# interface { gigabitethernet gi_port | tengigabitethernet te_port | port-channel group | range {…}}
    console(config-if)#
    This mode is available from the configuration mode and designed for configuration of interface parameters (switch port or port group operating in the load distribution mode) or the interface range....
  • Page 57 Given below are commands for entering the configuration mode of the Ethernet interface range from 1 to 10 and entering the configuration mode of all port groups.
    console# configure
    console(config)# interface range gigabitethernet 1/0/1-10
    console(config-if)#
    console# configure
    console(config)# interface range port-channel 1-8
    console(config-if)#
    Table 5.30 —Ethernet and Port-Channel interface configuration mode commands Command...
  • Page 58 Global configuration mode commands Command line request in global configuration mode appears as follows: console(config)# Table 5.31 —Ethernet and Port-Channel interface general configuration mode commands Command Value/Default value Action port jumbo-frame Enable processing of jumbo frames by the switch. Maximum transmission unit (MTU) default value is 1500 bytes....
  • Page 59 show interfaces status Show status for all interfaces. show interfaces status Show status for Ethernet port, port group. gi_port: (1..8/0/1..24); {gigabitethernet gi_port | te_port: (1..8/0/1..4); tengigabitethernet te_port| group: (1..24) port-channel group} show interfaces Show information about state, settings and statistics of Ethernet- gi_port: (1..8/0/1..24);...
  • Page 60 gi1/0/19 1G-Copper Down Access gi1/0/20 1G-Copper Down Access gi1/0/21 1G-Copper Down Access gi1/0/22 1G-Copper Down Access gi1/0/23 1G-Copper Down Access gi1/0/24 1G-Copper Down General gi1/0/25 1G-Combo-C Down Access gi1/0/26 1G-Combo-C Full 1000 Enabled 01,00:25:56 Disabled Off Access gi1/0/27 1G-Combo-C Down Trunk gi1/0/28 1G-Combo-C Full...
  • Page 61 te0/2 10G-Fiber Disabled
    te0/3 10G-Fiber Disabled
    te0/4 10G-Fiber Disabled
    Type Operational Link Advertisement
    --------- ------------ -------- ----------------------------------
    Enabled
    …
    Enabled
    Enabled
    - Show interface statistics:
    console# show interfaces counters
    Port InUcastPkts InMcastPkts InBcastPkts InOctets
    ---------------- ------------ ------------ ------------ ------------
    gi0/1
    gi0/2
    gi0/3
    gi0/4...
  • Page 62 - Show jumbo frame settings for the switch:
    console# show ports jumbo-frame
    Jumbo frames are disabled
    Jumbo frames will be disabled after reset
    Table 5.33 —Description of counters
    Counter Description
    InOctets: Quantity of bytes received.
    InUcastPkts: Quantity of unicast packets received.
    InMcastPkts: Quantity of multicast packets received....
  • Page 63: Vlan And Interfaces Switching Modes Configuration

    5.8.2 VLAN and interfaces switching modes configuration
    VLAN configuration mode commands
    Command line request in VLAN configuration mode appears as follows:
    console# configure
    console(config)# vlan database
    console(config-vlan)#
    This mode is available from the global configuration mode and designed for configuration of VLAN parameters....
  • Page 64 Table 5.35 —VLAN interface configuration mode commands Command Value/Default value Action name name name: (1..64) Add VLAN name. characters/name no name Set the default value. matches VLAN number Ethernet interface configuration mode commands (interface range), port group interface Command line request in Ethernet interface, port group interface configuration mode appears as follows: console# configure console(config)# interface {tengigabitethernet te_port | gigabitethernet...
  • Page 65 switchport general pvid vlan_id (vlan_id (1..4094)/1—if default VLAN is defined, otherwise—4095): Add port VLAN identifier (PVID) for the main interface.
    no switchport general pvid: Set the default value.
    switchport general ingress-filtering disable: Disable filtering of inbound packets on the main interface based on their assigned VLAN ID....
  • Page 66 switchport community Add port to community (port isolation group). community Ports within a single community can exchange traffic only with each other and other unprotected ports (without 'switchport protected-port' setting). - community—community name. community: (1..30) no switchport community Restore the default value. In this case, protected port is an isolated port (does not belong to any community), and it can exchange traffic only with unprotected ports (without 'switchport protected-port' setting).
  • Page 67 vlan statistics egress low Enable egress traffic counter for VLAN 1...2047 (only for standalone mode). -/disable no vlan statistics egress low Disable egress traffic counter for VLAN 1...2047 (only for standalone mode). vlan statistics egress high Enable egress traffic counter for VLAN 2048...4094 (only for standalone mode).
  • Page 68 show interfaces counters vlan Show VLAN statistics vlan_id (1..4094) vlan_id show interfaces switchport Show port, port group configuration. gi_port: (1..8/0/1..24); {gigabitethernet gi_port | te_port: (1..8/0/1..4); tengigabitethernet te_port | group: (1..24) port-channel group } show interfaces protected- Show port status: in Private VLAN Edge mode, in private-vlan-edge gi_port: (1..8/0/1..24);...
  • Page 69 gi0/22 Inactive
    - Show VLAN 103 statistics
    console>show interfaces counters vlan 103
    Vlan InPkts InOctets OutPkts OutOctets
    ---- ------------- ------------- ------------- -------------
    1612
    - Show interface statistics with enabled traffic counters for VLAN
    console>show interfaces counters
    Port InUcastPkts InMcastPkts InBcastPkts InOctets
    ---------------- ------------ ------------ ------------ ------------
    gi1/0/1...
  • Page 70: Private Vlan Configuration

    - Show GigabitEthernet 22 port configuration.
    console# show interfaces switchport gigabitethernet 1/0/22
    Port : gi0/22
    Port Mode: Access
    Gvrp Status: disabled
    Ingress Filtering: true
    Acceptable Frame Type: admitAll
    Ingress UnTagged VLAN ( NATIVE ): 1
    Protected: Disabled
    Port is member in:
    Vlan Name Egress rule Port Membership Type...
  • Page 71 Fig. 23 – Example of Private VLAN technology Command line request in configuration mode for Ethernet, VLAN interface and port group interface appears as follows: console# configure console(config)# interface {tengigabitethernet te_port | gigabitethernet gi_port | port-channel group | range {…} | vlan vlan_id} console(config-if)# Table 5.41 - Ethernet interface configuration mode commands Command...
  • Page 72 private-vlan association [add | Add (remove) secondary and primary VLAN linking. The setting is remove] vlan_list available only for primary VLAN vlan_list: (1..4094) no private-vlan association Remove secondary and primary VLAN linking Maximal quantity of secondary VLAN - 256. Maximal quantity of community VLANs, which can be associated with one primary VLAN Example of interfaces settings for switch SW1 (fig.
  • Page 73: Ip Interface Configuration

    5.8.4 IP interface configuration
    IP interface is created when the IP address is assigned to any of the device interfaces gigabitethernet, tengigabitethernet, port-channel, or vlan. Command line request in IP interface configuration mode appears as follows:
    console# configure
    console(config)# interface ip A.B.C.D
    console(config-ip)#
    This mode is available from the configuration mode and designed for configuration of IP interface parameters....
  • Page 74 Ethernet and Port-Channel interface configuration mode commands (interface range) Command line request in configuration interface configuration mode appears as follows: console# configure console(config)# interface { gigabitethernet gi_port | tengigabitethernet te_port | port-channel group | range {…}} console(config-if)# Table 5.44 —Ethernet interface configuration mode commands (interface range) Command Value Action...
  • Page 75: Storm Control

    - Show created selective qinq rule list.
    console# show selective-qinq
    Direction Interface Rule type Vlan ID Classification by Parameter
    --------- --------- --------------- -------- ---------------- ------------------
    ingress gi0/1 override_vlan ingress_vlan
    5.10 Storm control
    A storm appears as a result of an excessive amount of messages transmitted simultaneously via a single network port, which causes delays and overloads network resources....
  • Page 76: Link Aggregation Groups (Lag)

    no storm-control broadcast logging: Disable broadcast storm logging
    storm-control broadcast shutdown (-/disabled): Disable the interface when it detects a broadcast storm. "Storm-control broadcast shutdown" function forbids SQinQ configuring on this interface.
    no storm-control broadcast shutdown: Restore the default value
    EXEC mode commands
    Command line request in EXEC mode appears as follows:
    console#
    Table 5.47 —EXEC mode commands...
  • Page 77: Static Link Aggregation Groups

    Table 5.48 —Ethernet interface configuration mode commands Command Value Action channel-group group mode Add Ethernet interface to the port group: mode - on—add port to channel without LACP group (1..24) - passive – add port to channel with LACP in passive mode mode (on, passive, - auto—add port to channel with LACP in active mode.
  • Page 78: Link Aggregation Control Protocol

    5.11.2 Link aggregation Control Protocol Link Aggregation Control Protocol (LACP) is for the aggregation of multiple physical links into a single link. Link aggregation allows to increase the link bandwidth and robustness. LACP performs traffic transmission via aggregated links according to the defined priorities. To enable the interface operation via LACP, use 'channel-group {group} mode auto' command in the configuration mode of the respective interface.
  • Page 79: Ipv4 Addressing Configuration

    Example execution of commands
    - Create the first LACP protocol port group, that includes two Ethernet interfaces—3 and 4. Group operation transfer rate—1000Mbps. Set the system priority 6, priorities 12 and 13 for Ports 3 and 4 respectively.
    console# configure
    console(config)# lacp system-priority 6
    console(config)# interface port-channel 1
    console(config-if)# speed 1000...
  • Page 80 no ip default-gateway not defined Remove the default gateway address. ip helper-address Enable broadcast UDP packet forwarding to the specific address. {ip_interface | all} ip_address - ip_interface—IP address of the interface being configured [udp_port_list] - all—allows to select all device IP interfaces - ip_address—destination IP address for packets forwarding.
  • Page 81: Green Ethernet Configuration

    console (config)# interface vlan 1002 console (config)# ip unnumbered vlan 100 5.13 Green Ethernet configuration Green Ethernet is a technology that reduces device power consumption by disabling power supply to unused electrical ports and adjusting the transmitted signal level according to the cable length.
  • Page 82: Ipv6 Addressing Configuration

    [gigabitethernet gi_port | te_port: (1..8/0/1..4) tengigabitethernet te_port] green-ethernet power-meter Reset the power meter readings. reset Example execution of commands • Show green-ethernet statistics: console# show green-ethernet Energy-Detect mode: Enabled Short-Reach mode: Enabled Power Consumption: 83% (5.57W out of maximum 6.69W) Cumulative Energy Saved: 0 [Watt*Hour] Short-Reach cable length threshold: 10m Port...
  • Page 83 interface-name—name of the interface: interface-name = vlan<integer> | ch<integer> |<physical-port-name> integer = <decimal-number> | <integer><decimal-number> decimal-number = 0 | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 physical-port-name = gigabitethernet (1..8/0/1..24)| tengigabitethernet (1..8/0/1..4) If the value of a single group or multiple sequential groups in the IPv6 address is equal to zero—0000, these groups can be dropped.
  • Page 84 in 64 lower bits of IPv6 address - anycast—identifies that the specified address is the anycast address. (up to 64 IPv6 interfaces) . no ipv6 address Remove IPv6 address from the interface. [ipv6_address/prefix_length] [eui-64] ipv6 address autoconfig Enable automatic IPv6 address configuration for the interface. By default, automatic Addresses are configured depending on prefixes, that were configuration is...
  • Page 85: Ipv6 Protocol Tunnelling (Isatap)

    Table 5.64 —EXEC mode commands Command Value Action show ipv6 interface Show IPv6 protocol settings for the selected interface. gi_port: (1..8/0/1..24); [gigabitethernet gi_port | te_port: (1..8/0/1..4); tengigabitethernet te_port | group: (1..24); port-channel group | vlan vlan_id: (1..4094) vlan_id] show ipv6 route Show IPv6 routing table.
  • Page 86 2. Enter the tunnelling interface configuration mode. tunnel isatap query-interval Set the period between DNS requests, sent for automatic seconds: (10..3600)/10 seconds discovery of ISATAP router IP address. seconds no tunnel isatap query-interval Restore the default value. tunnel isatap Set the transmission period for requests, that require confirmation solicitation-interval seconds from ISATAP router (if there is no active router).
  • Page 87: Ipv6 Ra Guard Configuration

    console(config-tunnel)# tunnel source ip-address 192.168.16.88 5.14.3 IPv6 RA guard configuration The IPv6 RA guard function protects against attacks based on sending fake Router Advertisement packets and allows such messages to be sent only from trusted ports. Global Configuration Mode Commands Command line request in global configuration mode appears as follows: console(config)# Table 5.68—Global configuration mode commands Command...
  • Page 88: Protocol Configuration

    Table 5.70—Global configuration mode commands Command Value/Default value Action ipv6 dhcp guard Enable DHCPv6 guard management for the switch. -/disabled no ipv6 dhcp guard Disable DHCPv6 guard. ipv6 dhcp guard vlan vlan Enable DHCPv6 guard management within the specified VLAN. (1..4094) - vlan –...
  • Page 89: Arp Configuration

    console# configure console(config)# ip name-server 192.168.16.35 192.168.16.38 console(config)# ip domain-name mes Define static match: network node with the name eltex.mes has IP address 192.168.16.39: console# configure console(config)# ip host eltex.mes 192.168.16.39 5.15.2 ARP configuration ARP (Address Resolution Protocol) is a data link layer protocol that determines the MAC address from the IP address contained in the request.
  • Page 90 tengigabitethernet te_port | H.H.H - ip_address—IP address port-channel group | vlan H:H:H:H:H:H - hw_address—MAC address vlan_id] H-H-H-H-H-H; gi_port: (1..8/0/1..24); no arp ip_address Remove the static record of matches between IP and MAC te_port: (1..8/0/1..4); [gigabitethernet gi_port | addresses from ARP table for the interface, specified in the group: (1..24);...
  • Page 91: Gvrp Protocol Configuration

    • Show ARP table contents: console# show arp VLAN Interface IP address HW address status --------------------- --------------- ------------------- --------------- vlan 1 gi0/12 192.168.25.1 02:00:2a:00:04:95 dynamic 5.15.3 GVRP protocol configuration GARP VLAN Registration Protocol (GVRP). This protocol distributes VLAN identifiers across the network.
  • Page 92 Table 5.79 —GARP timer description GARP timer Value Define the request transmission interval for adding VLAN into the group (value range Join Timer from 10 to 2147483640 ms, default value 200 ms). Define the amount of time the interface will wait before leaving the VLAN group (value range from 10 to 2147483640 ms, default value 600 ms).
  • Page 93: Loopback Detection Mechanism (Loopback-Detection)

    5.15.4 Loopback detection mechanism (loopback-detection) This mechanism allows the device to detect loopback ports. Port loopback detection is performed by sending a frame whose destination address matches one of the device MAC addresses. Global configuration mode commands Command line request in global configuration mode appears as follows: console(config)# Table 5.82 —Global configuration mode commands Command...
  • Page 94: Stp Family (Stp, Rstp, Mstp)

    Table 5.84 —EXEC mode commands Command Value Action show loopback-detection Show the state of loopback-detection mechanism. gi_port: (1..8/0/1..24); [gigabitethernet gi_port | te_port: (1..8/0/1..4); tengigabitethernet te_port | group: (1..24) port-channel group] 5.15.5 STP family (STP, RSTP, MSTP) The main task of STP (Spanning Tree Protocol) is to convert an Ethernet network with multiple links into a tree-like loop-free topology.
  • Page 95 no spanning-tree max-age Restore the default value. spanning-tree priority priority Set the priority of the STP spanning tree. priority: Priority value must be divisible by 4096. (0..61440)/32768 no spanning-tree priority Restore the default value. spanning-tree pathcost Set the method for defining the path value. method {long | short} - long—value in the range 1..200000000 -/short...
  • Page 96 received. spanning-tree link-type Default value for full- Define the transfer state for RSTP protocol and specify the {point-to-point | shared} duplex port—'point-to- connection type for the selected port—'point-to-point' or 'split'. point', for half-duplex— no spanning-tree link-type Restore the default value. split'.
  • Page 97 id] [gigabitethernet gi_port | te_port: (1..8/0/1..4); tengigabitethernet te_port | group: (1..24) port-channel group] id: 0..31 show spanning-tree [detail] Show the detailed information on STP configuration, information id: 0..31 [active | blockedports] on active or blocked ports [process id] clear spanning-tree Restart protocol migration process.
  • Page 98 MSTP configuration mode commands Command line request in MSTP configuration mode appears as follows: console# configure console (config)# spanning-tree mst configuration console (config-mst)# Table 5.92 —MSTP configuration mode commands Command Value/Default value Action instance instance_id vlan Create the match between MSTP instance and VLAN groups. vlan_range - instance_id—MSTP instance identifier;...
  • Page 99 Table 5.94 —EXEC mode commands Command Value Action show spanning-tree Show STP configuration. gi_port: (1..8/0/1..24); [gigabitethernet gi_port | - instance_id—MSTP instance identifier. te_port: (1..8/0/1..4); tengigabitethernet te_port | group: (1..24) port-channel group] [instance instance_id: (1..64); instance_id ] [process process_id: (0..31) process_id] show spanning-tree [detail] Show the detailed information on STP configuration, information [active | blockedports]...
  • Page 100: Flex-Link Configuration

    gi1/0/8 enabled 128.56 2000000 Dsbl Dsbl gi1/0/9 enabled 128.57 2000000 Dsbl Dsbl Information about the last change in topology is shown only by the command "show spanning-tree detail". 5.15.6 Flex-link configuration Flex-link is a redundancy function that ensures the reliability of the data communication channel. A flex-link can contain Ethernet and port-channel interfaces.
  • Page 101: Eaps Protocol

    5.15.7 EAPS protocol The EAPS (Ethernet Automatic Protection Switching) protocol increases the stability and robustness of a data network with ring topology by reducing the restoration time after a failure. Restoration time does not exceed 1 second, which is substantially lower than the network reconstruction time of the spanning tree family of protocols.
  • Page 102: G.8032V2 (Erps) Protocol Configuration

    secondary-port Select the secondary switch port included in the ring. gi_port: (1..8/0/1..24); {gigabitethernet gi_port | te_port: (1..8/0/1..4); tengigabitethernet te_port | group: (1..24) port-channel group } role {master | transit} level Select the switch role in the configured domain and ring. level_id: (0..1) level_id Possible roles:...
  • Page 103: Lldp Protocol Configuration

    port {west | east} Select the west (east) switch port included in the ring. gi_port: (1..8/0/1..24); {gigabitethernet gi_port | te_port: (1..8/0/1..4); tengigabitethernet te_port | group: (1..24). port-channel group} no port {west | east} Remove the west (east) switch port, included in the ring. rpl {west | east} {owner | Select RPL switch port and its role.
  • Page 104 MES3000 switches support transmission of standard and optional parameters, such as: • Device name and description • Port name and description • MAC/PHY information • etc. Global configuration mode commands Command line request in global configuration mode appears as follows: console(config)# Table 5.104 —Global configuration mode commands Command...
  • Page 105 lldp notifications interval Specify the maximum LLDP notification transfer rate. seconds seconds: (5..3600)/5 - seconds—time period during which the device can send only one seconds notification no lldp notifications interval Restore the default value. Ethernet interface configuration mode commands Command line request in Ethernet interface configuration mode appears as follows: console(config-if)# Table 5.105 —Ethernet interface configuration mode commands Command...
  • Page 106 no lldp med network-policy Remove network-policy rule from this interface. number lldp med location {coordinate Specify the device location for LLDP ('location' parameter value of coordinate: 16 bytes; coordinate | civic-address LLDP MED). civic_address_data: civic_address_data | ecs-elin - coordinate—address in coordinate system (6..160) bytes;...
  • Page 107 • View LLDP configuration: console# show lldp configuration LLDP state: Enabled Timer: 30 Seconds Hold multiplier: 4 Reinit delay: 2 Seconds Tx delay: 2 Seconds Port State Optional TLVs Address ---------- ---------------- ------------------------ --------------- gi0/1 Rx and Tx PD, SN, SD 192.168.16.55 gi0/2 Rx and Tx...
  • Page 108: OAM Protocol Configuration

    System Name: sandbox2 System description: 24-port 10/100/1000 Ethernet Switch Port description: Ethernet Interface Time To Live: 112 802.3 MAC/PHY Configuration/Status Auto-negotiation support: Supported Auto-negotiation status: Enabled Auto-negotiation Advertised Capabilities: 1000BASE-T full duplex, 100BASE-TX full duplex mode, 100BASE-TX half duplex mode, 10BASE-T full duplex mode, 10BASE-T half duplex mode Operational MAU type: Unknown...
  • Page 109 Table 5.109 —Ethernet interface configuration mode commands Command Value/Default value Action ethernet oam Enable Ethernet OAM support for the port. -/disabled no ethernet oam Disable Ethernet OAM support for the configured port. ethernet oam link-monitor Define the error quantity threshold for the specific period (period frame threshold count is defined with ethernet oam link-monitor frame window count: (1..65535)/1...
  • Page 110 no ethernet oam Restore the default value. uni-directional detection discovery-time Privileged EXEC mode commands All commands are available to the privileged user. Command line request in privileged EXEC mode appears as follows: console# Table 5.110 —Privileged EXEC mode commands Command Value/Default value Action clear ethernet oam statistics...
  • Page 111: CFM Protocol Configuration

    Unidirection: not supported Link monitor: supported Remote loopback: supported MIB retrieval: not supported Mtu size: 1500 5.15.11 CFM protocol configuration Ethernet CFM (Connectivity Fault Management), IEEE 802.1ag, enables monitoring, fault search and troubleshooting in Ethernet networks. It makes it possible to control the connection, isolate faulty network segments and identify the clients subject to network restrictions.
  • Page 112 service vlan vlan { vlan-id number: (0..65535) Create CFM maintenance (MA) associated with VLAN (with 'vlan' vlan_id | name name | number number) and enter the maintenance configuration mode. Possible number} service names: - vlan_id—VLAN number - name—text string - number—numeric identifier no service vlan vlan_id Remove CFM maintenance (MA) associated with VLAN (with 'vlan' number).
  • Page 113 no ethernet cfm mep id number: (0..65535) Remove maintenance end point (MEP) from the interface. domain domain_name service {vlan-id vlan_id | name name | number number} Maintenance end point configuration mode commands Command line request in domain configuration mode appears as follows: console(config-if-cfm-mep)# Table 5.115 —CFM end point (MEP) configuration mode commands Command...
  • Page 114: Layer 2 Protocol Tunneling (L2PT) Function Configuration

    show ethernet cfm statistics domain_name: (0..32) Show CFM statistics for the specific domain. domain domain_name service characters; {vlan-id vlan_id | name name | vlan_id: (1..4094) number number} name: (0..45) characters; number: (0..65535) show ethernet cfm statistics Show CFM statistics for the specific maintenance end point (MEP). id: (1..8191) mpid id 5.15.12 Layer 2 Protocol Tunneling (L2PT) function configuration...
  • Page 115 • PDU-frame is transmitted to all VLAN ports with enabled tunneling • Encapsulated PDU-frame (initial frame with Destination MAC-address changed to tunneling) is transmitted to all VLAN ports with disabled tunneling. If setting is disabled: • PDU-frame is transmitted to handler of corresponding protocols. Decapsulation Ethernet-frames (with destination MAC address) interception is implemented on CPU.
  • Page 116 Table 5.118 –Ethernet-interface configuration mode commands Command Value/Default value Action l2protocol-tunnel {stp | lacp | Enable STP BPDU encapsulation mode. lldp | isis-l1 | isis-l2 | eth-fc} -/disabled no l2protocol-tunnel {stp | Disable STP BPDU encapsulation mode. lacp | lldp| isis-l1 | isis-l2 | eth-fc} l2protocol-tunnel cos cos Set CoS value for packed PDU-frames.
  • Page 117: Voice Vlan

    console#show l2protocol-tunnel MAC address for tunneled frames: 01:00:0c:cd:cd:d0 Port Protocol Shutdown Drop Encaps Decaps Drop Threshold Threshold Counter Counter Counter -------- --- -------- --------- --------- --------- --------- --------- gi1/0/1 • Examples of messages about trigger action: 12-Nov-2015 14:32:35 %-I-DROP: Tunnel drop threshold 40 exceeded for interface gi1/0/1 12-Nov-2015 14:32:35 %-I-SHUTDOWN: Tunnel shutdown threshold 100 exceeded for interface gi1/0/1...
  • Page 118: Multicast Addressing

    Table 5.120 —Global configuration mode commands Command Value/Default value Action voice vlan aging-timeout Set the timeout for port that belongs to the Voice VLAN. If there timeout timeout: were no frames with VoIP equipment OUI for the definite time, (1..43200)/1440 the voice vlan will be removed from the current port.
  • Page 119 VLAN interface configuration mode commands Command line request in VLAN interface configuration mode appears as follows: console(config-if)# Table 5.123 —VLAN interface configuration mode commands Command Value/Default value Description bridge multicast mode Define the multicast data transmission mode. {mac-group | ipv4-group | - mac-group—multicast transmission based on VLAN and MAC ipv4-src-group} addresses...
  • Page 120 bridge multicast forbidden Deny the port to dynamically join the multicast group. ip-address - ip_multicast_address—multicast IP address ip_multicast_address {add | - add—add port(s) into the banned list remove} gigabitethernet - remove—remove port(s) from the banned list gi_port: (1..8/0/1..24); gi_port | tengigabitethernet Interface listing should be delimited with '–' and ','.
  • Page 121 no bridge multicast ipv6 Restore the default value. source ipv6_address group ipv6_multicast_address bridge multicast ipv6 Disable adding/removal of matches between the user IPv6 address forbidden source ipv6_address and the multicast address in the multicast addressing table for the group ipv6_multicast_address specific port.
  • Page 122 aging-time seconds vlan vlan_id mac address-table learning Enable MAC address learning in the current VLAN. vlan_id: vlan vlan_id (1..4094)/enabled by no mac address-table learning Disable MAC address learning in the current VLAN. default vlan vlan_id mac address-table static Add the source MAC address into the multicast addressing table. mac_address vlan vlan_id - mac-address—MAC address interface...
  • Page 123 Table 5.127 —EXEC mode commands Command Value Description show mac address-table Show MAC address table for the selected interface or for all [dynamic | static | secure] interfaces. gi_port: (1..8/0/1..24); [vlan vlan_id] [interface - dynamic—show dynamic records only te_port: (1..8/0/1..4); {gigabitethernet gi_port | - static—show static records only group: (1..24);...
  • Page 124: Igmp Snooping

    224-239.130|2.2.8 static gi0/1-8 224-239.130|2.2.8 dynamic gi0/9-11 Forbidden ports for multicast addresses: Vlan IP/MAC Address Ports ---- ------------------- ------------------- 224-239.130|2.2.3 gi0/8 224-239.130|2.2.8 gi0/8 5.17.2 IGMP snooping IGMP Snooping is used in multicast networks. The main task of IGMP Snooping is to deliver multicast traffic only to those ports that have requested it.
  • Page 125 no ip igmp snooping vlan Zero the CoS value for outbound IGMP messages going to mrouter vlan_id cos port in the selected VLAN. ip igmp snooping vlan vlan_id Enable automatic port identification with connected multicast mrouter learn pim-dvmrp routers for the current VLAN group. vlan_id: (1..4094);...
  • Page 126 ip igmp snooping vlan vlan_id Enable mode in which switch sends report to query requests of proxy-report [version version] static groups that are configured on it. In this case IGMP- report/leave messages for static groups are ignored. - version– specify version of report/leave messages, which are sent by proxy-reporter.
  • Page 127: Mld Snooping-Multicast Traffic Control Protocol For Ipv6 Networks

    no switchport access Disable forwarding of IGMP queries from client Vlan to Multicast multicast-tv vlan Vlan and multicast traffic to client Vlan for the interface in 'access' mode. switchport trunk multicast-tv Enable forwarding of IGMP queries from VLAN, that the port vlan vlan_id [tagged] belongs to, to Multicast VLAN for the interface in 'trunk' mode.
  • Page 128 Table 5.132 —Global configuration mode commands Command Value/Default value Action ipv6 mld snooping [vlan Enable MLD snooping. vlan_id] vlan_id: (1..4094)/disabled no ipv6 mld snooping [vlan Disable MLD snooping. vlan_id] ipv6 mld snooping vlan vlan_id Register multicast IPv6 address in the multicast addressing table static ipv6_multicast_address and statically add/remove group interfaces for the current VLAN.
  • Page 129: Multicast Traffic Restriction Functions

    ipv6 mld Define the quantity of MLD queries sent before the switch will last-member-query-count determine the absence of IPv6 multicast participants. count count: (1..7) no ipv6 mld Restore the default value. last-member-query-count ipv6 mld Define the maximum response delay of the last group participant, last-member-query-interval that will be used for maximum response delay code calculation interval:...
  • Page 130 console(config)# Table 5.136 – Global configuration mode commands Command Value Action multicast snooping profile Enter multicast profile configuration mode. name name : (1..32) no multicast snooping profile Remove the selected multicast profile. characters name To delete the multicast profile, you should untether it from all the switch ports first.
  • Page 131: Igmp Proxy Multicast Routing

    Table 5.139 —EXEC mode commands Command Value/Default value Action show multicast snooping Show information on the current registered group quantity for all groups count ports, and the maximum possible quantity. show multicast snooping name: (1..32) Show information on configured multicast profiles. profile [name] characters 5.17.5 IGMP Proxy multicast routing...
  • Page 132 Table 5.141 —VLAN interface configuration mode commands Command Value/Default value Action ip igmp-proxy vlan vlan_id VLAN selected for configuration is the downlink interface. [version version] [cos cos] Command assigns the associated uplink interface used in routing. [dscp dscp] vlan_id: (1..4094); - version—IGMP version that will be used by the switch on this version: (1..3)/2;...
  • Page 133: Control Functions

    5.18 Control functions 5.18.1 AAA mechanism To ensure system security, the switch uses the AAA mechanism (Authentication, Authorization, Accounting). • Authentication—matching of the existing account in the security system. • Authorization (access level verification)—matching of the existing account in the system (passed authentication) and specific privileges.
  • Page 134 aaa authentication enable Define authentication method for privilege level escalation on log {default | list_name} method_list - default—use the following authentication methods - list_name—name of authentication method being activated when the user logs in. Method description (method_list): - enable—use password for authentication - line—use terminal password for authentication By default, the - none—do not use authentication...
  • Page 135 no ip http authentication aaa Restore the default value. login-authentication ip ftp authentication aaa login- Define the authentication method for FTP server access. When the authentication method_list method list is set, the additional method will be applied only when the main authentication method will return the error. - method_list—authentication method method_list: (local, - local—by local database name...
  • Page 136 system. Acct-Terminate-Cause (49) The reason for closing session. Nas-Port-Type (61) Show the client port type. Terminal configuration mode commands Command line request in terminal configuration mode appears as follows: console(config-line)# Table 5.146 —Terminal configuration mode commands Command Value/Default value Action login authentication {default | Define the log in authentication method for console, Telnet, SSH.
  • Page 137: Radius Protocol

    5.18.2 RADIUS protocol The RADIUS protocol is used for authentication, authorization and accounting. The RADIUS server works with a user database that contains authentication data for each user. Thus, the RADIUS protocol provides additional security for access to network resources and the switch itself. Global configuration mode commands Command line request in global configuration mode appears as follows: console(config)#...
  • Page 138 radius-server source-ipv6 Define the specific IPv6 address used as the default source address ip_address being sent in RADIUS protocol messages. no radius-server source-ipv6 Remove the specific IPv6 address used as the default source [ip_address] address being sent in RADIUS protocol messages. Define IPv6 switch interface address as the source address for RADIUS protocol messages.
  • Page 139: Tacacs+ Protocol

    5.18.3 TACACS+ protocol The TACACS+ protocol provides a centralized security system for authenticating users who gain access to the device, while ensuring compatibility with RADIUS and other authentication processes. TACACS+ provides the following services: • Authentication. Used during login with usernames and passwords specified by users. •...
  • Page 140: Simple Network Management Protocol (Snmp)

    Table 5.152 —EXEC mode commands Command Value Action show tacacs [ip_address] Show TACACS+ server configuration and statistics. - ip_address—TACACS+ server IP address or name show tacacs statistics Show TACACS+ protocol statistics. Example use of commands • Add TACACS server located in the network node with IP address 192.168.16.34, server response timeout—4 seconds, secret key for data exchange with the server—secret, IP address of a switch used for data exchange with this server—192.168.16.38, server priority—...
  • Page 141 snmp-server community Define the community string value for SNMP data exchange. community [view viewname] - community—community string (password) for access via SNMP [ro | rw | su] [ipv4_address | - ro—read-only access community:(1..20) ipv6_address | ipv6z_address] - rw—read-write access characters; [mask | prefix_length] [use-acl - su—administrator access viewname: (1..30)
  • Page 142 snmp-server filter filter_name Remove SNMP filter rule. [OID] snmp-server host Define settings for inform and trap notification message {ipv4_address | ipv6_address | transmission to SNMPv1/v2 server. hostname} [traps | informs] community—community string notification message [version {1 | 2c | 3 [auth | transmission noauth | priv]}] community - version—define trap message type—...
  • Page 143 no snmp-server enable traps Disables SNMP trap message transmission on changes in table of mac-notification change learnt MAC addresses. snmp-server enable traps Enable SNMP trap message transmission on detection of MAC mac-notification flapping addresses flapping -/enabled no snmp-server enable traps Disable SNMP trap message transmission on detection of MAC mac-notification flapping addresses flapping...
  • Page 144: Remote Network Monitoring Protocol (Rmon)

    SNMP server with the address 192.168.16.3 in private community. console# configure console (config)# snmp-server enable console (config)# snmp-server contact support@eltex.nsk.ru console (config)# snmp-server location "Okruzhnaya 29v" console (config)# snmp-server community public ro console (config)# snmp-server community private rw 192.168.16.3 5.18.5 Remote network monitoring protocol (RMON)
  • Page 145 rmon alarm index Configure the alarm event trigger criteria. mib_object_id interval - index—alarm event index rthreshold fthreshold revent - mib_object_id—variable part identifier of the OID object fevent [type type] [startup - interval—time period when data is collected and compared to direction] [owner name] rising and falling thresholds - rthreshold—rising threshold...
  • Page 146 console> Table 5.158 —EXEC mode commands Command Value Action show rmon statistics Show the statistics for the Ethernet interface or port group, used {gigabitethernet gi_port | for the remote monitoring. tengigabitethernet te_port | gi_port: (1..8/0/1..24); port-channel group } te_port: (1..8/0/1..4); show rmon collection stats Show information on the requested statistics groups.
  • Page 147 Show information on statistics group for port 8: console# show rmon collection stats gigabitethernet 1/0/8 Index Interface Interval Requested Samples Granted Samples Owner ----- --------- -------- ----------------- --------------- ------------------- gi0/8 Eltex Table 5.160 —Description of results Parameter Description Index Index, the unique identifier of the record.
  • Page 148 Table 5.161 —Description of results Parameter Description Record creation date and time. Time Quantity of data bytes (including bad packet bytes) received from the network (w/o Octets frame bits, but with checksum bits). Quantity of packets received (including bad packets) during the record generation Packets period.
  • Page 149 • Show alarm events configuration with the index '1': console# show rmon alarm 1 Alarm 1 ------- OID: 1.3.6.1.2.1.2.2.1.10.1 Last sample Value: 878128 Interval: 30 Sample Type: delta Startup Alarm: rising Rising Threshold: 8700000 Falling Threshold: 78 Rising Event: 1 Falling Event: 1 Owner: CLI Table 5.163 —Description of results...
  • Page 150: Access Lists (Acl) For Device Management

    Index Description Type Community Owner Last time sent ----- ----------- ---------- ---------- -------- ------------------- Errors CLINov 10 2009 18:47:17 High Broadcast Log-Trap router Manager Nov 10 2009 18:48:48 Table 5.164 —Description of results Parameter Description Index Index, the unique identifier of the event. Description Comment that describes the event.
  • Page 151 management access-class Restrict device management by the specific access list. Activate {console-only | name} the specific access list. - console-only—device management is available via the console name: (1..32) only. characters no management access-class Remove the device management restriction by the specific access list.
  • Page 152: Access Configuration

    5.18.7 Access configuration 5.18.7.1 Telnet, SSH, HTTP and FTP These commands configure the switch management access servers. TELNET and SSH server support on the switch allows remote connections to be established for monitoring and configuration purposes. Global configuration mode commands Command line request in global configuration mode appears as follows: console(config)# Table 5.169 —Global configuration mode commands...
  • Page 153 Remove the public key for the specific user. Command line request in individual public key generation mode appears as follows: console# configure console(config)# crypto key pubkey-chain ssh console(config-pubkey-chain)# user-key eltex rsa console(config-pubkey-key)# Table 5.171 —Individual public key generation mode commands Command...
  • Page 154 Example execution of commands Enable SSH server on the switch. Enable public key utilization. Create RSA key for eltex user: console# configure console(config)# ip ssh server console(config)# ip ssh pubkey-auth console(config)# crypto key pubkey-chain ssh console(config-pubkey-chain)# user-key eltex rsa console(config-pubkey-key)# key-string...
  • Page 155: Alarm Log, Syslog Protocol

    EXEC mode commands Command line request in EXEC mode appears as follows: console# Table 5.175 —EXEC mode commands Command Value/Default value Action show line [console | telnet | Show the terminal parameters. ssh] 5.19 Alarm log, SYSLOG protocol System logs record the device event history and allow events to be managed in real time as they occur. Seven types of events are logged: emergencies, alerts, critical and non-critical errors, warnings, notifications, informational and debug messages.
  • Page 156 logging events spanning-tree Enable registration of interfaces state changes in STP port-state-change -/enabled no logging events Disable registration of interfaces state changes in STP spanning-tree port-state-change logging events spanning-tree Enable registration of topology changes in STP topology-change -/disable no logging events Disable registration of topology changes in STP spanning-tree topology-change file-system logging {copy |...
  • Page 157: Port Mirroring (Monitoring)

    Table 5.178 —Privileged EXEC mode command for the log file viewing Command Value/Default value Action clear logging Delete all messages from the internal buffer. clear logging file Delete all messages from the log file. show logging file Show log state, alert and debug messages stored in the log file. show logging Show log state, alert and debug messages stored in the internal buffer.
  • Page 158 no port monitor remote vlan Remove the remote monitoring VLAN. vlan_id [tx | rx] Ethernet interface configuration mode commands Command line request in Ethernet interface configuration mode appears as follows: console(config-if)# These commands cannot be executed in Ethernet interface range configuration mode. Table 5.180 —Commands available in Ethernet interface configuration mode Command Value/Default value...
  • Page 159: Sflow Function

    • Show information on monitored and controlling ports. console# show ports monitor Source Port Destination Port Type Status ----------- ---------------- ------- ---------- gi0/18 gi0/13 RX,TX notReady 5.21 SFlow function sFlow is a technology for monitoring traffic in packet data networks: part of the traffic is sampled and then encapsulated into special messages sent to the statistics server.
  • Page 160: Physical Layer Diagnostics Functions

    EXEC mode commands Command line request in EXEC mode appears as follows: console> Table 5.184 —Commands available in EXEC mode Command Value/Default value Action show sflow configuration Show sflow settings. [gigabitethernet gi_port | tengigabitethernet te_port] clear sflow statistics Clear sFlow statistics. If the interface is not defined, the command gi_port: (1..8/0/1..24);...
  • Page 161 The green-ethernet mode is enabled for the MES3000 series switches by default. Permissible measurement accuracy is defined by line parameters variety and amounts up to Privileged EXEC mode commands Command line request in privileged EXEC mode appears as follows: console# Table 5.185 —Copper-wire cable diagnostics commands Command Value...
  • Page 162: Optical Transceiver Diagnostics

    • Test failed—physical fault
    • OK—pair is OK
    • Open—break
    • Short—pair contacts are shorted
    • Impedance-mismatch—impedance mismatch (line attenuation is too large)
    • Short-with-pair—pairs are shorted together
    • Not tested—testing is not performed
    • Show the last testing results: console# show cable-diagnostics tdr console#show cable-diagnostics tdr Port...
  • Page 163 Table 5.187 —Global configuration mode commands Command Value/Default value Action Define the minimum time interval between the generations of optical-transceiver threshold SYSLOG/SNMP informational messages. Messages are generated notify-interval interval interval: (30..3600)/600 when optical line parameters fall outside of the allowable limits. seconds no optical-transceiver Set the interval default value.
  • Page 164 show fiber-ports optical-transceiver theshold gi_port: (1..8/0/1..24); Show the current settings of the automatic monitoring for the [interface {gigabitethernet te_port: (1..8/0/1..4). selected port or all system ports. gi_port | tengigabitethernet te_port}] Example execution of the command sw1#show fiber-ports optical-transceiver interface gi1/0/24 detailed Port Temp Voltage Current...
  • Page 165: Ip Service Level Agreements (Ip Sla)

    5.23 IP Service Level Agreements (IP SLA) IP SLA (Internet Protocol Service Level Agreement) is an active monitoring technology used for measuring network performance and data transmission quality. Active monitoring involves continuous cyclic generation of traffic, collection of information on its movement through the network and recording of statistical data.
  • Page 166: Icmp Echo Operation

    • Operational state of entry—operation execution status:
      • Active—operation is currently active and in cyclic execution.
      • Inactive—operation is inactive, in standby mode or available for configuration.
    • Type of operation—IP SLA operation type. Can take one value from the list of supported...
  • Page 167: Udp Jitter Operation

    tos byte Set the value of Type of Service byte transmitted in Differentiated Services Field of the IP packet header. byte: (1..255)/0 - byte—value of Type of Service byte in Differentiated Services Field. no tos Set the default Type of Service byte value. tag string Define the text tag for operation.
  • Page 168 Global configuration mode commands Command line request in global configuration mode appears as follows: console(config)# Table 5.195—Global configuration mode commands Command Value Action ip sla responder udp_jitter port Enable IP SLA Responder and set the listening port for UDP Jitter operation.
  • Page 169  Example of statistics output for UDP Jitter operation: IP SLA Statistics for Index 2 Operational state of entry: Active Type of operation: udp-jitter Latest operation return code: OK Latest latency value: 7 ms Latency two-way values: Number of Latency two-way samples: 455 Latency Min/Avg/Max: 5/7/24 ms Latency one-way values: Number of SD Latency samples: 0...
  • Page 170: Security Functions

    5.24 Security functions 5.24.1 Port security functions To increase security, the switch allows specific ports to be configured so that only certain devices can access the switch through them. The port security function is based on identifying permitted MAC addresses.
  • Page 171: Port-Based Client Authentication (Ieee 802.1X Standard)

    port security mode {max-addresses | lock} -/lock Enable the MAC address learning restriction mode for the configured interface. - max-addresses—remove the current dynamically learnt addresses related to this interface. Learning of up to the maximum number of addresses for the port is enabled. Repeated learning and aging are enabled.
  • Page 172 console(config)# Table 5.200 —Global configuration mode commands Value/ Command Action Default value dot1x system-auth-control Enable IEEE 802.1X authentication mode on the switch. -/force-authorized no dot1x Disable IEEE 802.1X authentication mode on the switch. system-auth-control aaa authentication dot1x Specify one or two authentication, authorization and accounting default {none | radius} methods for utilization on IEEE 802.1X interfaces....
  • Page 173 no dot1x max-req Restore the default value. dot1x timeout supp- Specify the period between the recurrent request transfers to EAP timeout period client. 1..65535/30 seconds no dot1x timeout supp- Restore the default value. timeout dot1x timeout server- Specify the period, during which the switch will wait for response timeout period from authentication server.
  • Page 174 gi0/12 Force Authorized Authorized* Disabled 3600 gi0/13 Force Authorized Authorized* Disabled 3600 gi0/14 Force Authorized Authorized* Disabled 3600 gi0/15 Force Authorized Authorized* Disabled 3600 gi0/16 Force Authorized Authorized* Disabled 3600 More: <space>, Quit: q, One line: <return> console# show dot1x interface gigabitethernet 1/0/12 802.1x is disabled Admin Oper...
  • Page 175 Authentication Method Established session authentication method. Termination Cause The reason for closing session. State The current value of the authentication state engine and output state engine. Authentication success Quantity of messages about the successful authentication received from the server. Authentication fails Quantity of messages about the unsuccessful authentication received from the server.
  • Page 176 port (multiple sessions mode). If the port fails authentication in multiple hosts mode, access to network resources will be denied for every connected host. Advanced settings also include administration of guest VLANs, which are accessed by users who failed authentication. An access port (Access) cannot be a member of the unauthenticated VLAN.
  • Page 177 console(config-if)# Table 5.206 —Ethernet interface configuration mode commands Command Value/Default value Action dot1x host-mode Allow the presence of single/multiple clients on the authorized IEEE {multi-host | single-host | 802.1X port. multi-sessions} -/ multi-host - multi-host—multiple clients - single-host—single client - multi-sessions—multiple sessions dot1x violation-mode Define the action that should be performed when the device with {restrict | protect |...
  • Page 178 {password_string} attribute. The maximal size of transmitting string - 128 symbols. Restore the default value no dot1x mac- authentication format password dot1x radius-attributes Enable authentication based on ACL/assign QoS-Policy. filter-id -/disabled no dot1x radius-attributes Restore the default value. filter-id dot1x radius-attributes Enables Tunnel-Private-Group-ID (81) option processing in RADIUS vlan server messages.
  • Page 179: Dhcp Protocol Management And Option 82

    5.24.3 DHCP protocol management and Option 82 DHCP (Dynamic Host Configuration Protocol) is a network protocol that allows a client to request an IP address and other parameters required for proper network operation. Attackers can abuse DHCP against the device from the client side, by forcing the DHCP server to report all available addresses, and from the server side, by spoofing.
  • Page 180 allowed-untrusted 82 from untrusted ports is disabled. no ip dhcp snooping Deny to receive DHCP packets with Option 82 from untrusted ports. information option allowed-untrusted ip dhcp snooping verify Enable verification of client and source MAC addresses received in DHCP packet from the untrusted port. Verification is enabled by default.
  • Page 181 Table 5.212 —Option 82 field format according to the TR-101 recommendations Field Information sent device hostname Circuit ID string appearance: eth <stacked/slotid/interfaceid>:<vlan> The last byte—number of the port that the device, which sent dhcp request, is connected to Enterprise number – 0089c1 Remote agent ID Device MAC address Table 5.213 —Option 82 field format in custom mode...
  • Page 182 Privileged EXEC mode commands Command line request in Privileged EXEC mode appears as follows: console# Table 5.215 —Privileged EXEC mode commands Command Value Action Add the client MAC address match to VLAN group and IP address for ip dhcp snooping binding the selected interface into the DHCP management file (database).
  • Page 183: Client Ip Address Protection (Ip-Source Guard)

    DHCP snooping is globally Enabled
    DHCP snooping is configured on following VLANs: 2, 5
    DHCP snooping database: Enabled
    Relay agent Information option 82 is Enabled
    Option 82 on untrusted port is allowed
    Verification of hwaddr field is Enabled
    DHCP snooping file update frequency is configured to: 1200 seconds
    Interface Trusted Rate Limit (pps)
    ----------- --------- ------------------...
  • Page 184 console(config-if)# Table 5.218 —Ethernet interface configuration mode commands, interface group Command Value Action ip source-guard Enable client IP address protection for the configured interface. Function is disabled by default. no ip source-guard Disable client IP address protection for the configured interface. Privileged EXEC mode commands Command line request in Privileged EXEC mode appears as follows: console#...
  • Page 185: Arp Management (Arp Inspection)

    • Enable the IP address protection function for traffic filtering based on the DHCP Snooping match table and IP Source Guard static matches. Create a static record in the match table for Ethernet 12 interface: client IP address—192.168.16.14, MAC address—00:60:70:4A:AB:AF. Interface in the 3rd VLAN group: console# configure console(config)# ip dhcp snooping...
  • Page 186 ip arp inspection logging Define the minimum interval between ARP information messages, interval {seconds | infinite} sent to the log. - set '0' value to generate messages immediately (0..86400, infinite)/5 - infinite—do not generate the log messages seconds no ip arp inspection Restore the default value.
  • Page 187: Mac Address Notification Configuration

    clear ip arp inspection statistics [gigabitethernet gi_port | tengigabitethernet te_port | port-channel group] [vlan vlan_id] gi_port: (1..8/0/1..24); te_port: (1..8/0/1..4) group: (1..24) vlan_id:(1 .. 4094) Clear ARP Inspection statistics. Example execution of commands
    • Enable ARP management and add the static match into the 'list' list: MAC address 00:60:70:AB:CC:CD, IP address 192.168.16.98. Assign the 'list' static ARP match list for the VLAN 11: console# configure...
  • Page 188 MAC address table state change events for the specified time, send SNMP notifications and save events to history. The command specifies the maximum quantity of MAC address mac address-table table state change events, saved to the history. If the history value notification change history [0..500]/1 equals 0, events will not be saved.
  • Page 189: Dhcp Relay Mediation Features

    5.25 DHCP Relay mediation features MES3000 switches support the DHCP Relay agent function. The DHCP Relay agent transfers DHCP packets from the client to the server and back when the DHCP server and the client are located in different networks. The DHCP Relay agent also adds extra options to the client DHCP requests (e.g. Option 82). DHCP Relay agent operating principle for the switch: the switch receives DHCP requests from the client, sends these requests to the server on behalf of the client (also placing options into request with necessary parameters for the client and adding its own...
  • Page 190 no ip dhcp relay Restore the default value information option format-type option ip dhcp relay information Option 82 format setting: option suboption-type - tr101 - set option 82 format according to the syntax adopted in TR-101 {tr101 | custom} recommendations. (Table 5.212) -custom - set option 82 format according to format in Table -/tr101 5.213...
  • Page 191: Lightweight Dhcpv6 Relay Agent (Ldra) Functions

    Servers: 192.168.16.38 Relay agent Information option is Enabled 5.26 Lightweight DHCPv6 Relay Agent (LDRA) functions The switch can act as a relay agent for DHCPv6 as well as for DHCP for IPv4. This function is implemented as a Lightweight DHCPv6 Relay Agent according to RFC6221. As a relay agent, the switch inserts options 18 and 37 into clients' DHCPv6 packets.
  • Page 192: Pppoe Intermediate Agent Configuration

    no ipv6 dhcp-ldra Restore the default value information option format-type remote-id 5.27 PPPoE Intermediate Agent configuration The PPPoE IA is implemented according to requirements of DSL Forum TR-101 and is intended for use on switches on the access level. The function allows PPPoE Discovery packets to be supplemented with the information on access interface.
  • Page 193 Interface Configuration Mode Commands Command line request in the interface configuration mode appears as follows: console(config-if)# Table 5.235 Commands of interface configuration for Ethernet interface and a group of ports Command Value/Default Value Action [no] pppoe Enables/disables PPPoE Intermediate Agent for the interface. intermediate-agent [no] pppoe Assigns the circuit_id identifier added by the switch.
  • Page 194: Dhcp Server Configuration

    show pppoe intermediate-agent sessions gi_port: (1..8/0/1..24); Displays all registered client sessions. If the command does {interface {gigabitethernet te_port: (1..8/0/1..4) not explicitly specify an interface, all sessions are displayed gi_port | tengigabitethernet group: (1..24) sorted by interfaces. te_port | port-channel group}] clear pppoe mac_address:(H.H.H or Remove client session....
  • Page 195 Commands of the Configuration Mode for Static Addresses of DHCP Server Command line request in the configuration mode for DHCP server static addresses appears as follows: console# configure console(config)# ip dhcp pool host name console(config-dhcp)# Table 5.238 Commands of the configuration mode Command Value Action...
  • Page 196 to 8 space-delimited entries. Router IP address should be located in the same subnet as the client. no default-router Sets the default value. dns-server ip_address_list The list of DNS servers is Defines the list of DNS servers available to DHCP clients. not defined by default.
  • Page 197: Acl Configuration (Access Control Lists)

    show ip dhcp Displays DHCP server configuration. show ip dhcp Displays the IP addresses which will not be assigned to DHCP excluded-addresses clients by the DHCP server. show ip dhcp pool host Displays configuration for static addresses of the DHCP server: [ip_address | name] (1–32) characters - ip_address—client IP address;...
  • Page 198 ipv6 access-list access-list Creates a new advanced IPv6 ACL and enters its configuration mode (if the list has not been created yet) or the configuration mode of a previously created list. no ipv6 access-list Removes an IPv6 ACL. access-list mac access-list extended Creates a new MAC ACL and enters its configuration mode (if access-list the list has not been created yet) or the configuration mode of...
  • Page 199: Ipv4 Acl Configuration

    EXEC Mode Commands Command line in the EXEC mode appears as follows: console# Table 5.245 ACL display commands Command Value Action show time-range time name: (1...32) Displays time-range configuration. time_name characters 5.29.1 IPv4 ACL configuration The section provides values and description of main parameters which are used in IPv4 ACL configuration commands.
  • Page 200 icmp_type Type of ICMP messages used for ICMP packets filtration. Possible message codes of the icmp_type field: echo-reply, destination-unreachable, source-quench, redirect, alternate-host-address, echo-request, router-advertisement, router-solicitation, time-exceeded, parameter-problem, timestamp, timestamp-reply, information-request, information-reply, address-mask-request, address-mask-reply, traceroute, datagram-conversion-error, mobile-host-redirect, mobile-registration-request, mobile-registration-reply, domain_name-request, domain_name-reply, skip, photuris or the number of message type (0–255).
  • Page 201 permit arp {any/source-mac source-mac-wildcard } {any/ destination mac destination mac wildcard} {any/sender-ip sender-ip-wildcard } {any/target-ip target-ip-wildcard} [vlan vlan_id] [index index] Add a permit filtration record for the ARP protocol. Packets which fulfil the record's requirements will be processed by the switch. permit ip Add a permit filtration record for the ARP. Packets which fulfil...
  • Page 202: Ipv6 Acl Configuration

    deny ip {any|source_mac source-mac-wildcard} {any|destination_mac destination_mac_wildcard} Add a deny filtration record for the ARP. Packets which fulfil the record's requirements will be blocked by the switch. If the disable-port keyword is specified, the physical interface having received the packet will be disabled....
  • Page 203 console# console# configure console(config)# ipv6 access-list MESipv6 console(config-ipv6-al)# Table 5.248 Main parameters of commands Parameter Value Action permit Permit Creates a permitting filtration rule in ACL. deny Deny Creates a denying filtration rule in ACL. protocol The field is used to specify a protocol (or all protocols) filtration will be based on.
  • Page 204 As soon as at least one record has been added to ACL, the following last records are added: permit-icmp any any nd-ns any permit-icmp any any nd-na any deny ipv6 any any The first two of these records enable search of IPv6 devices with the help of the ICMPv6 protocol.
  • Page 205: Mac Acl Configuration

    deny tcp {any|source_prefix/length} {any | source_port} { any|destination_prefix/length} Adds a deny filtration record for the TCP. Packets which fulfil the record's requirements will be blocked by the switch. If the disable-port keyword is specified, the physical interface receiving the packet will be disabled. If the log-input keyword is specified, a message will be sent to the system log....
  • Page 206 destination Destination address Defines MAC address of the packet destination. destination_wildcard A bit mask applied to MAC address of the packet destination. The mask defines the bits of the MAC address which should be ignored. "1" should be written to all ignored bits. The mask is...
  • Page 207: Configuration Of Protection From Dos Attacks

    offset—byte offset within a packet. The basic offset is taken as the starting point. mask—mask. Packet analysis is performed only for the bits that have "1" specified in the mask. value—the set value. no offset-list offset_list_name Removes a previously created list. 5.30 Configuration of Protection from DoS Attacks These commands provide means of blocking some widespread types of DoS attacks.
  • Page 208: Quality Of Services (Qos)

    5.31 Quality of Services (QoS) All switch ports queue packets on the FIFO principle, that is, "first in—first out". Under heavy traffic this can cause problems, because the device drops every packet that does not fit into the FIFO queue buffer, i.e. such packets are permanently lost. This can be solved by organising queues by traffic priority.
  • Page 209 class-map 1. Creates a list of criteria for traffic classification. class-map-name 2. Enters the configuration mode of criteria included to the list [match-all|match-any] and used for traffic classification. - match-all—all criteria from this list should be fulfilled; - match-any—any criterion from this list should be fulfilled. (1–32) characters The list of criteria may have one or two rules.
  • Page 210 weight4 The weight of any queue equals 1 by default. no wrr-queue bandwidth Sets the default value. priority-queue out Sets the number of priority queues. num-of-queues number-of-queues The WRR weight will be ignored for a priority queue. If N is not 0, then N higher queues will be considered as priority queues (WRR will be ignored).
  • Page 211 dp: (0–2) dropped; the first packets to drop have priority 0, then 1, 2, etc.). All packets have dp=0 drop - dscp-list—defines up to 8 DSCP values separated by spaces. priority by default. Valid for the qos advanced mode only. no qos map dscp-dp Sets the default values.
  • Page 212 Table 5.255 Commands of the configuration mode for the list of traffic classification criteria Command Value Action match access-group Adds a traffic classification criterion. Defines traffic filtration acl_name rules according to ACL for the classification. (1–32) characters Valid for the qos advanced mode only. no match access-group Removes a traffic classification criterion.
  • Page 213 only to outgoing interfaces. vlan_id: (1..4094) Valid for the qos advanced mode only. no set Deletes new values of IP packet. police Allows bandwidth limitation and at the same time guarantees committed_rate_kbps a certain data transfer rate. committed_burst_byte The "marked bucket" algorithm is used for work with [exceed-action {drop | bandwidth.
  • Page 214 Table 5.259 Commands for interface configuration of Ethernet interface and a group of ports Command Value Action Assigns a traffic classification strategy to an interface. service-policy input Interface supports only one traffic classification policy-map-name strategy for one direction. (1–32) characters Valid for the qos advanced mode only.
  • Page 215 Table 5.261 EXEC mode commands Command Value/Default value Action show qos Displays the QoS mode configured for the device. Displays the trusted mode in the basic mode. show class-map Displays lists of criteria used for traffic classification. class_map_name: (1..32) [class-map-name] characters Valid for the qos advanced mode only.
  • Page 216: Qos Statistics

    console(config-pmap-c)# police 1000 200000 exceed-action drop console(config-pmap-c)# exit console(config-pmap)# exit console(config)# interface gigabitethernet 1/0/14 console(config-if)# service-policy input traffic console(config-if)# exit console(config)# interface gigabitethernet 1/0/16 console(config-if)# service-policy input traffic console(config-if)# exit console(config)# 5.31.2 QoS Statistics Global Configuration Mode Commands Command line request in the global configuration mode appears as follows: console(config)# Table 5.262 Global configuration mode commands Command...
  • Page 217: Configuration Of Routing Protocol

    Table 5.264 EXEC mode commands Command Action clear qos statistics Clears QoS statistics. Displays QoS statistics. show qos statistics Example of commands execution:  Show information about state, configuration and statistics of Ethernet port (traffic classifying statistics mode) console#show interfaces GigabitEthernet 1/0/1 gigabitethernet 1/0/1 is down (not connected) Interface index is 49 Hardware is gigabitethernet, MAC address is a8:f9:4b:85:42:c1...
  • Page 218 Table 5.265– Commands of global configuration mode Command Value Action ip route prefix Creates static rule of routing. {mask | - prefix – target network (e.g. 172.7.0.0); prefix_length} - mask – network mask (in decimal system format); gateway [metric - prefix_length – prefix of network mask (number of distance] [reject] units in mask is 0..32);...
  • Page 219: Rip Configuration

    C - Connected (the route is taken from directly connected and acting interface), S – Static (static route prescribed in routing table). 10.9.1.0/24 Network address. First value in brackets stands for administrative distance (degree of confidence in router, [5/2] the higher the value the lower confidence in source); second value stands for metrics of the route.
  • Page 220 Commands of ip interface configuration mode Type of request of command line: Table 5.270 - Commands of ip interface configuration mode Command Value/Default value Action ip rip shutdown Enables routing process via RIP in this interface. no ip rip shutdown Disables routing process via RIP in this interface.
  • Page 221: Ospf Protocol Configuration

    5.32.3 OSPF Protocol Configuration OSPF (Open Shortest Path First) is a dynamic routing protocol based on link-state tracking technology that uses Dijkstra's algorithm to find the shortest path. OSPF is an interior gateway protocol (IGP). It distributes information about available routes between the routers of one autonomous system.
  • Page 222 Commands of ip interface configuration mode Type of request of command line: console(config-ip)# Table 5.273- Commands of ip interface configuration mode Command Value/Default value Action ospf Allows configuration of OSPF in the interface. -/disabled no ospf Forbids configuration of OSPF in the interface. ospf enable Enables routing via OSPF protocol in the interface.
  • Page 223: Bfd Protocol Configuration

    Commands of privileged EXEC mode Type of request of command line in privileged EXEC mode: console# Table 5.274 - Commands of privileged EXEC mode Command Value Action show ip ospf Displays OSPF configurations. show ip ospf neighbor Displays information about OSPF neighbours. show ip ospf neighbor A.B.C.D: Interface IP Displays information about OSPF neighbours on this IP interface.
  • Page 224: Configuration Of Virtual Router Redundancy Protocol (Vrrp)

    console(config-ip)# Table 5.276 - Commands of ip interface configuration mode Command Value/Default value Action bfd interval send_interval Enables BFD on interface and establishes intervals of sending and min_rx recv_interval receipt of BFD announces. Interval of sending is regulated by send_interval: (50..1000)/- send_interval parameter.
  • Page 225 vrrp vrid priority priority vrid: (1-255); priority: (1-254). By default: Setting the VRRP router priority. 255 for owner of IP address, 100 for the rest no vrrp vrid priority Setting the default value. vrrp vrid shutdown vrid: (1-255) Disabling the VRRP on this interface By default: disabled no vrrp vrid shutdown Enabling the VRRP on this interface...
  • Page 226 Interface: vlan 10 Virtual Router 1 Virtual Router name Supported version VRRPv3 State is Initializing Virtual IP addresses are 10.10.10.1(down) Source IP address is 0.0.0.0(default) Virtual MAC address is 00:00:5e:00:01:01 Advertisement interval is 1.000 sec Preemption enabled Priority is 255 MES3000 Ethernet switch series...
  • Page 227: Service Menu, Change Of Software

    SERVICE MENU, CHANGE OF SOFTWARE Startup Menu The Startup menu is used to perform specific procedures such as updating the software, erasing the contents of flash memory, recovering the password, running diagnostics, setting the terminal baud rate and working with device stack parameters. To enter the Startup menu, interrupt loading by pressing <Esc>...
  • Page 228: Update Of Software From Tftp Server

    Set Terminal Baud-Rate To return to the Startup menu press <Enter>. ==== Press Enter To Continue ==== To increase the number of switch ports, devices can be joined into a stack. The device with ID1 will be the master, and the rest will be slave devices. MES3000 switches can operate both independently and within a stack. The Stack menu is used to identify a device and set its operation mode within the stack.
  • Page 229: System Software Update

    The software can be updated by a privileged user only. 6.2.1 System software update The device boots from the system software file stored in flash memory. During an update, the new system software file is saved in a specially allocated section of memory. On boot, the device launches the active system software file.
  • Page 230: Update Of Loading File Of The Device (Initial Loader)

    console# show bootvar Image Filename Version Date Status ----- --------- --------- --------------------- ----------- image-1 2.5.44[0b70e656] 24-Nov-2015 17:28:25 Active* image-2 2.1.6 05-Jun-2011 16:14:03 Active The "*" symbol marks the software file that will be executed at the next boot. Reboot the switch with the reload command. console# reload This command will reset the whole system and disconnect your current session.
  • Page 231 This command will reset the whole system and disconnect your current session. Do you want to continue (y/n) [n]? Confirm reboot by entering <y>...
  • Page 232: Appendix A Samples Of Use And Configuration Of Device

    APPENDIX A SAMPLES OF USE AND CONFIGURATION OF DEVICE Configuration of multiple spanning trees (MSTP) MSTP builds multiple spanning trees for separate VLAN groups on the switches of a local network, which makes load balancing possible. For simplicity, consider the case of three switches joined in a ring topology.
  • Page 233 01-Oct-2006 01:09:34 %COPY-I-FILECPY: Files Copy - source URL running-config destination URL flash://startup-config 01-Oct-2006 01:09:44 %COPY-N-TRAP: The copy operation was completed successfully Copy succeeded console(config)# do copy startup-config tftp://192.168.16.2/mstp.conf 01-Oct-2006 01:10:44 %COPY-I-FILECPY: Files Copy - source URL flash://startup- config destination URL tftp://192.168.16.2/mstp.conf 01-Oct-2006 01:10:44 %COPY-N-TRAP: The copy operation was completed successfully Copy: 726 bytes copied in 00:00:01 [hh:mm:ss] console(config)# spanning-tree mst 1 priority 0...
  • Page 234 console(config-if)# exit console(config)# spanning-tree mst 2 priority 0 console(config)# end Configuration of selective-qinq Addition of SVLAN This sample switch configuration shows how to add the SVLAN 20 tag to all VLANs except VLAN 27. console# show running-config vlan database vlan 20,27 exit interface gigabitethernet 1/0/1...
  • Page 235 Configuration of IGMP Proxy function The IGMP Proxy multicast routing function lets the MES3000 switch learn, from the IGMP messages it processes, which interfaces belong to which multicast groups, and forward multicast data between networks on that basis. This sample describes the configuration of the IGMP Proxy function on the switch.
  • Page 236 console(config-if)# switchport mode access console(config-if)# switchport access vlan 100 console(config-if)# switchport access multicast-tv vlan 1000 console(config-if)# bridge multicast unregistered filtering console(config-if)# exit 4. Configure the uplink port to allow multicast traffic, user traffic and control traffic: console(config)# interface gi1/0/1 console(config-if)# switchport mode trunk console(config-if)# switchport trunk allowed vlan add 100-124,1000,1200 console(config-if)# exit...
  • Page 237 console(config-if)# switchport trunk allowed vlan add 100,1000-1001,1200 console(config-if)# exit 5. Configure IGMP Snooping globally and on interfaces, add marking rules of users' IGMP Reports: console(config)# ip igmp snooping console(config)# ip igmp snooping vlan 100 console(config)# ip igmp snooping map cpe vlan 5 multicast-tv vlan 1000 console(config)# ip igmp snooping map cpe vlan 6 multicast-tv vlan 1001 6.
  • Page 238: Appendix B Typical Network Topologies Based On EAPS

    APPENDIX B TYPICAL NETWORK TOPOLOGIES BASED ON EAPS 1. Simple "ring" topology The network topology contains only one ring. In this case it is only necessary to define an EAPS domain for it. 2. One domain with several "rings" The network topology contains 3 rings (there can be 2 or more) and 2 common hubs between them.
  • Page 239 3. Several domains with common "rings" The network topology contains 2 rings (there can be more than two) with one common hub. In this case an EAPS domain must be defined for each ring. MES3000 Ethernet switch series...
  • Page 240: Appendix C Description Of Switch Processes

    APPENDIX C DESCRIPTION OF SWITCH PROCESSES Table - Description of switch processes (name of process: description of process) 3SMA: Aging for IP multicast; 3SWF: Transfer of packets between Layer 2 and the network layer; 3SWQ: Software processing of intercepted ACL packets; AAAT: Management and processing of AAA methods; AATT...
  • Page 241 FTPM: Management of FTP server (configuration query processing from CLI/SNMP); GOAH: GoAhead web-server implementation; GRN_: Green Ethernet implementation; HCLT: Receiving and processing configuration commands of lower level device; HDEB: Collection of statistics on the operation of system tasks; HLTX: Sending packets from CPU to switch; HOST: Main host flow, idle run; HSCS...
  • Page 242 SEAU: Receiving Address Update events, lower level, transfer to lower level; SELC: Receiving port status change events, lower level, transfer to lower level; SERX: Receiving events for packets received from switch to CPU, lower level; SETX: Receiving events for completion of packet sending from CPU to switch, lower level; SFMG: sFlow Manager –...
  • Page 243 +7(383) 272-83-31 E-mail: techsupp@eltex.nsk.ru On the official Eltex Ltd. website you can find technical documentation and software for products, consult the knowledge base, submit an online inquiry or ask Service Center engineers for advice in our technical forum: http://eltex-co.ru/en...
