SMC Networks TigerAccess SMC7816M Management Manual


TigerAccess™ 6-Band VDSL2 Switch
◆ 16 VDSL Downlink Ports (1 RJ-21 Connector)
◆ 2 Gigabit Ethernet Combination Ports (RJ-45/SFP)
◆ 1 Fast Ethernet Management Port (RJ-45)
◆ Non-blocking switching architecture
◆ Spanning Tree Protocol, RSTP, and MSTP
◆ Up to 12 LACP or static 8-port trunks
◆ Layer 2/3/4 CoS support through eight priority queues
◆ Layer 3/4 traffic priority with IP Precedence and IP DSCP
◆ Full support for VLANs with GVRP
◆ IGMP multicast filtering and snooping
◆ Manageable via console, Web, SNMP/RMON
◆ Security features: ACL, RADIUS, 802.1x
◆ VDSL line configuration using Long-Reach Ethernet (LRE) commands, line profiles, and alarm profiles

Management Guide

SMC7816M/VSW


Summary of Contents for SMC Networks TigerAccess SMC7816M

  • Page 1: Management Guide

    TigerAccess™ 6-Band VDSL2 Switch ◆ 16 VDSL Downlink Ports (1 RJ-21 Connector) ◆ 2 Gigabit Ethernet Combination Ports (RJ-45/SFP) ◆ 1 Fast Ethernet Management Port (RJ-45) ◆ Non-blocking switching architecture ◆ Spanning Tree Protocol, RSTP, and MSTP ◆ Up to 12 LACP or static 8-port trunks ◆...
  • Page 3 TigerAccess Management Guide From SMC’s Tiger line of feature-rich workgroup LAN solutions 20 Mason Irvine, CA 92618 Phone: (949) 679-8000 Pub. # 149100012100H January 2007...
  • Page 4 Information furnished by SMC Networks, Inc. (SMC) is believed to be accurate and reliable. However, no responsibility is assumed by SMC for its use, nor for any infringements of patents or other rights of third parties which may result from its use. No license is granted by implication or otherwise under any patent or patent rights of SMC.
  • Page 5: Limited Warranty

    LIMITED WARRANTY Limited Warranty Statement: SMC Networks, Inc. (“SMC”) warrants its products to be free from defects in workmanship and materials, under normal use and service, for the applicable warranty term. All SMC products carry a standard 90-day limited warranty from the date of purchase from SMC or its Authorized Reseller.
  • Page 6 * SMC will provide warranty service for one year following discontinuance from the active SMC price list. Under the limited lifetime warranty, internal and external power supplies, fans, and cables are covered by a standard one-year warranty from date of purchase. SMC Networks, Inc. 20 Mason Irvine, CA 92618...
  • Page 7: Table Of Contents

    Connecting to the Switch ........
  • Page 8 Displaying Bridge Extension Capabilities ......4-9 Setting the Switch’s IP Address ....... 4-11 Manual Configuration .
  • Page 9 Setting SNMPv3 Views ....... 5-24 User Authentication ......6-1 Configuring User Accounts .
  • Page 10 TABLE OF CONTENTS Port Configuration ......9-1 Displaying Connection Status ....... . . 9-1 Configuring Interface Connections .
  • Page 11 Configuring Interface Settings for MSTP ..... . 12-27 VLAN Configuration ......13-1 Selecting the VLAN Operation Mode .
  • Page 12 Quality of Service ......15-1 Configuring Quality of Service Parameters ..... 15-2 Configuring a Class Map .
  • Page 13 Console Connection ........18-1 Telnet Connection ........18-2 Entering Commands .
  • Page 14 show bme version ........20-10 show cpu utilization .
  • Page 15 SMTP Alert Commands ........20-48 logging sendmail host .
  • Page 16 Authentication Sequence ........22-5 authentication login .
  • Page 17 dot1x max-req ........22-36 dot1x port-control .
  • Page 18 Access Control List Commands ....24-1 IP ACLs ..........24-2 access-list ip .
  • Page 19 show interfaces counters ........25-14 show interfaces switchport ....... . . 25-16 Link Aggregation Commands .
  • Page 20 lre interleave-max-delay ......29-25 lre datarate ......... 29-26 lre rate-set .
  • Page 21 Displaying VDSL Information ......29-61 show lre band-plan ........29-62 show lre option-band .
  • Page 22 Spanning Tree Commands ....31-1 spanning-tree ..........31-3 spanning-tree mode .
  • Page 23 vlan ..........32-8 Configuring VLAN Interfaces .
  • Page 24 show queue bandwidth ....... . 33-9 show queue cos-map ....... . 33-10 Priority Commands (Layer 3 and 4) .
  • Page 25 ip igmp snooping query-interval ......35-9 ip igmp snooping query-max-response-time ....35-10 ip igmp snooping router-port-expire-time .
  • Page 26 DHCP Commands ......37-1 DHCP Client ip dhcp restart client ........37-1 DHCP Relay .
  • Page 27 Section IV Appendices Software Specifications ......A-1 Software Features ......... . . A-1 Management Features .
  • Page 28: Table Of Contents

    TABLE OF CONTENTS xxviii...
  • Page 29 Web Page Configuration Buttons ....3-4 Table 3-2 Switch Main Menu ....... 3-5 Table 4-1 Logging Levels .
  • Page 30 TABLES Table 20-4 show bme version - display description ... . . 20-11 Table 20-5 show cpu utilization - display description ... 20-12 Table 20-7 System Mode Commands .
  • Page 31 Table 24-1 Access Control List Commands ....24-1 Table 24-2 IP ACL Commands ......24-2 Table 24-3 MAC ACL Commands .
  • Page 32 Table 32-5 Commands for Displaying VLAN Information ..32-16 Table 32-6 Private VLAN Commands ..... . . 32-17 Table 32-7 Protocol-based VLAN Commands .
  • Page 33 System Health Information ..... . . 4-5 Figure 4-3 Switch Information ......4-8 Figure 4-4 Displaying Bridge Extension Configuration .
  • Page 34 FIGURES Figure 6-5 SSH Server Settings ......6-17 Figure 6-6 802.1X Global Information ..... . 6-21 Figure 6-7 802.1X Global Configuration .
  • Page 35 Figure 10-5 VDSL Performance Statistics ....10-28 Figure 10-6 Alarm Profile Configuration ..... 10-35 Figure 10-7 CPE Information .
  • Page 36 Figure 14-10 IP Port Priority ....... 14-17 Figure 15-1 Configuring Class Maps ......15-5 Figure 15-2 Configuring Policy Maps .
  • Page 37: Section I Getting Started

    SECTION I GETTING STARTED This section provides an overview of the switch, and introduces some basic concepts about network switches. It also describes the basic settings required to access the management interface. Introduction ..........1-1...
  • Page 38 GETTING STARTED...
  • Page 39: Introduction

    This switch provides a broad range of features for Layer 2 switching. It includes a management agent that allows you to configure the features listed in this manual. The default configuration can be used for most of the features provided by this switch. However, there are many options that you should configure to maximize the switch’s performance for your particular...
  • Page 40: Table 1-1 Key Features

    FEATURES Table 1-1 Key Features (Feature – Description): User Authentication – Console, Telnet, web: user name / password, RADIUS, TACACS+; Web: HTTPS; Telnet: SSH; SNMP v1/2c: community strings; SNMP version 3: MD5 or SHA password; Port: IEEE 802.1X. Client Security – Private VLANs, IEEE 802.1X, MAC address filtering, IP/MAC address pair filtering, NetBIOS filtering, DHCP request/reply filtering...
  • Page 41: Description Of Software Features

    RADIUS or TACACS+). Port-based authentication is also supported via the IEEE 802.1X protocol. This protocol uses Extensible Authentication Protocol over LANs (EAPOL) to request user credentials from the 802.1X client, and then uses the EAP between the switch and the authentication Table 1-1 Key Features (Continued) INTRODUCTION...
  • Page 42 Traffic that falls within the rate limit is transmitted, while packets that exceed the acceptable amount of traffic are dropped. Port Mirroring – The switch can unobtrusively mirror traffic from any port to a monitor port. You can then attach a protocol analyzer or RMON probe to this port to perform traffic analysis and verify connection integrity.
  • Page 43 Static Addresses – A static address can be assigned to a specific interface on this switch. Static addresses are bound to the assigned interface and will not be moved. When a static address is seen on another interface, the address will be ignored and will not be written to the address table.
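The behaviour described above (a static address stays bound to its interface, and a frame carrying that MAC on another port is ignored rather than rewriting the table) is worth seeing next to the default dynamic-learning behaviour, because the difference is exactly what a MAC-spoofing host exploits. The following is an added example: a simplified Python model of an address table, not the switch's firmware, with constructed port numbers and MAC addresses.

```python
"""Model of a switch address table with static and dynamically learned entries.

Added example: a simplified model of the behaviour the manual describes
("static addresses are bound to the assigned interface and will not be moved"),
not the SMC7816M's firmware. The port numbers and MAC addresses used in the
sample traffic are constructed.
"""
from dataclasses import dataclass


@dataclass
class Entry:
    port: int
    static: bool


class AddressTable:
    def __init__(self) -> None:
        self._entries: dict[str, Entry] = {}

    def add_static(self, mac: str, port: int) -> None:
        """Bind mac to port permanently (the manual's 'static address')."""
        self._entries[mac.lower()] = Entry(port=port, static=True)

    def learn(self, src_mac: str, ingress_port: int) -> bool:
        """Learn from a frame's source MAC seen on ingress_port.

        Returns True if the table now reflects (src_mac, ingress_port),
        False if the frame was ignored because src_mac is statically bound
        to a different port.
        """
        mac = src_mac.lower()
        cur = self._entries.get(mac)
        if cur is None:
            self._entries[mac] = Entry(port=ingress_port, static=False)
            return True
        if cur.static:
            # A statically bound address seen on another interface is ignored
            # and not written to the table, so a host on ingress_port cannot
            # hijack the entry by spoofing the MAC.
            return cur.port == ingress_port
        if cur.port != ingress_port:
            # Dynamic entries follow the station: this is the normal MAC move,
            # and also the mechanism a spoofing host abuses when no static
            # binding exists.
            self._entries[mac] = Entry(port=ingress_port, static=False)
        return True

    def lookup(self, mac: str):
        e = self._entries.get(mac.lower())
        return None if e is None else e.port


def demo() -> dict:
    """Compare a spoofed source MAC against a dynamic and a static entry."""
    t = AddressTable()
    t.add_static("00:11:22:33:44:55", 1)       # server pinned to port 1
    t.learn("aa:bb:cc:dd:ee:ff", 3)            # ordinary host learned on port 3
    moved = t.learn("aa:bb:cc:dd:ee:ff", 7)    # spoof of the dynamic host
    pinned = t.learn("00:11:22:33:44:55", 7)   # spoof of the static server
    return {
        "dynamic_host_port": t.lookup("aa:bb:cc:dd:ee:ff"),   # 7: entry moved
        "dynamic_accepted": moved,                            # True
        "static_server_port": t.lookup("00:11:22:33:44:55"),  # 1: unchanged
        "static_accepted": pinned,                            # False: ignored
    }


if __name__ == "__main__":
    print(demo())
```

Run the file and compare the two results: the dynamically learned host is silently moved to port 7 by a single spoofed frame, while the statically bound server address stays on port 1 and the spoofed frame is not used for learning at all.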
  • Page 44 VLAN members from being segmented from the rest of the group (as sometimes occurs with IEEE 802.1D STP). Virtual LANs – The switch supports up to 255 VLANs. A Virtual LAN is a collection of network nodes that share the same collision domain regardless of their physical location or connection point in the network.
  • Page 45 IP frame’s Type of Service (ToS) octet or the number of the TCP/UDP port. When these services are enabled, the priorities are mapped to a Class of Service value by the switch, and the traffic then sent to the corresponding output queue.
  • Page 46 VLAN to ensure that it does not interfere with normal network traffic and to guarantee real-time delivery by setting the required priority level for the designated VLAN. The switch uses IGMP snooping or query to manage multicast group registration; and multicast profile filtering to control access to specific multicast services.
  • Page 47: System Defaults

    System Defaults The switch’s system defaults are provided in the configuration file “Factory_Default_Config.cfg.” To reset the switch defaults, this file should be set as the startup configuration file (page 4-20). The following table lists some of the basic system defaults.
  • Page 48 YSTEM EFAULTS Table 1-2 System Defaults (Continued) Function Parameter Web Management HTTP Server HTTP Port Number HTTP Secure Server HTTP Secure Port Number SNMP SNMP Agent Community Strings Traps SNMP V3 Port Configuration Admin Status Auto-negotiation Flow Control Rate Limiting Input and output limits Port Trunking Static Trunks...
  • Page 49 Table 1-2 System Defaults (Continued) Function Parameter Virtual LANs Default VLAN PVID Acceptable Frame Type Ingress Filtering Switchport Mode (Egress Mode) GVRP (global) GVRP (port interface) QinQ Tunneling Traffic Ingress Port Priority Prioritization Queue Mode Weighted Round Robin IP Precedence Priority IP DSCP Priority IP Port Priority IP Settings...
  • Page 50: Table 1-2 System Defaults

    Table 1-2 System Defaults (Continued) Function Parameter Multicast Filtering IGMP Snooping IGMP Filtering/Throttling Multicast VLAN Registration Disabled System Log Status Messages Logged Messages Logged to Flash SMTP Email Alerts Event Handler SNTP Clock Synchronization 1-12 Default Snooping: Enabled Querier: Disabled Disabled Enabled...
  • Page 51: Initial Configuration

    A PC may also be connected directly to the switch for configuration and monitoring via a command line interface (CLI). Note: An IP address for this switch is obtained via DHCP by default. To change this address, see “Setting an IP Address” on page 2-6.
  • Page 52: Required Connections

    • Display system information and statistics Required Connections The switch provides an RS-232 serial port that enables a connection to a PC or terminal for monitoring and configuring the switch. A null-modem console cable is provided with the switch.
  • Page 53 DB-9 connector. 2. Connect the other end of the cable to the RS-232 serial port on the switch. 3. Make sure the terminal emulation software is set as follows: • Select the appropriate serial port (COM port 1 or COM port 2).
  • Page 54: Remote Connections

    IP address, subnet mask, and default gateway using a console connection, DHCP or BOOTP protocol. An IP address for this switch is obtained via DHCP by default. To manually configure this address or enable dynamic address assignment via DHCP or BOOTP, see “Setting an IP Address”...
  • Page 55: Setting Passwords

    Access to both CLI levels are controlled by user names and passwords. The switch has a default user name and password for each level. To log into the CLI at the Privileged Exec level using the default user name and password, perform these steps: 1.
  • Page 56: Setting An Ip Address

    All ports are all configured as members of VLAN 1 by default. To manage the switch through uplink ports 17 or 18, configure an IP address for the VLAN to which these ports are assigned. To manage the switch through...
  • Page 57 Using the dedicated management port provides a back channel for troubleshooting when the switch cannot be reached through the data network. To provide additional security against eavesdropping on management traffic, leave the IP address for the data network (i.e., the VLAN containing ports 1-18) unconfigured.
  • Page 58: Manual Configuration

    DHCP address allocation servers on the network. Manual Configuration You can manually assign an IP address to the switch. You may also need to specify a default gateway that resides between this device and management stations that exist on another network segment. Valid IP addresses consist of four decimal numbers, 0 to 255, separated by periods.
  • Page 59: Dynamic Configuration

    Before you can assign an IP address to the switch, you must obtain the following information from your network administrator: • IP address for the switch • Network mask for this network • Default gateway for the network To assign an IP address to the switch, complete the following steps: 1.
  • Page 60 3. Type “end” to return to the Privileged Exec mode. Press <Enter>. 4. Reset the switch by entering the “reload” command. 5. Wait a few minutes for the switch to reboot, and then check the IP configuration settings by typing the “show ip interface” command.
  • Page 61: Enabling Snmp Management Access

    The switch can be configured to accept management commands from Simple Network Management Protocol (SNMP) applications such as HP OpenView. You can configure the switch to (1) respond to SNMP requests or (2) generate SNMP traps. When SNMP management stations send requests to the switch (either to return information or to set a parameter), the switch provides the requested data or sets the specified parameter.
  • Page 62: Trap Receivers

    BASIC CONFIGURATION To prevent unauthorized access to the switch from SNMP version 1 or 2c clients, it is recommended that you change the default community strings. To configure a community string, complete the following steps: 1. From the Privileged Exec level global configuration mode prompt, type “snmp-server community string mode,”...
  • Page 63: Configuring Access For Snmp Version 3 Clients

    Console(config)# For a more detailed explanation on how to configure the switch for access from SNMP v3 clients, refer to “Simple Network Management Protocol” on page 5-1, or refer to the specific CLI commands for SNMP starting on page 21-1.
  • Page 64: Managing System Files

    Diagnostic Code — Software that is run during system boot-up, also known as POST (Power On Self-Test). Due to the size limit of the flash memory, the switch supports only two operation code files. However, you can have as many diagnostic code files and configuration files as available flash memory space allows.
  • Page 65: Saving Configuration Settings

    Saving Configuration Settings Configuration commands only modify the running configuration file and are not saved when the switch is rebooted. To save all your configuration changes in nonvolatile storage, you must copy the running configuration file to the start-up configuration file using the “copy” command.
  • Page 66 ANAGING YSTEM To save the current configuration settings, enter the following command: 1. From the Privileged Exec mode prompt, type “copy running-config startup-config” and press <Enter>. 2. Enter the name of the start-up file. Press <Enter>. Console#copy running-config startup-config Startup configuration file name []: startup \Write to FLASH Programming.
  • Page 67: Switch Management

    Configuring the Switch ........
  • Page 68 WITCH ANAGEMENT...
  • Page 69: Configuring The Switch

    Telnet. For more information on using the CLI, refer to Chapter 18 “Overview of the Command Line Interface.” Prior to accessing the switch from a web browser, be sure you have first performed the following tasks: 1. Configure the switch with a valid IP address, subnet mask, and default gateway using an out-of-band serial connection, BOOTP or DHCP protocol.
  • Page 70 If you log in as “admin” (Privileged Exec level), you can change the settings on any page. 3. If the path between your management station and this switch does not pass through any device that uses the Spanning Tree Algorithm, then you can set the switch port attached to your management station to fast forwarding (i.e., enable Admin...
  • Page 71: Navigating The Web Browser Interface

    Home Page When your web browser connects with the switch’s web agent, the home page is displayed as shown below. The home page displays the Main Menu on the left side of the screen and System Information on the right side.
  • Page 72: Configuration Options

    Panel Display The web agent displays an image of the switch’s ports. The Mode can be set to display different information for the ports, including Active (i.e., up or down), Duplex (i.e., half or full duplex), or Flow Control (i.e., with or without flow control). Clicking on the image of a port opens the Port Configuration page as described on page 9-4.
  • Page 73: Main Menu

    Main Menu Using the onboard web agent, you can define system parameters, manage and control the switch, and all its ports, or monitor network conditions. The following table briefly describes the selections available from this program. Menu System System Information...
  • Page 74 ONFIGURING THE WITCH Table 3-2 Switch Main Menu (Continued) Menu Reset SNTP Configuration Clock Time Zone SNMP Configuration Agent Status SNMPv3 Engine ID Remote Engine ID Users Remote Users Groups Views Security User Accounts Authentication Settings HTTPS Settings Settings Host-Key Settings...
  • Page 75 Table 3-2 Switch Main Menu (Continued) Menu 802.1X Information Configuration Port Configuration Statistics Configuration Mask Configuration Port Binding IP Filter DHCP Snooping Configuration Information IP Source Guard Configuration Packet Filter Base Filter IP/MAC Filter Port Port Information Trunk Information Port Configuration...
  • Page 76 ONFIGURING THE WITCH Table 3-2 Switch Main Menu (Continued) Menu Trunk Configuration Trunk Membership LACP Configuration Aggregation Port Port Counters Information Port Internal Information Port Neighbors Information Port Broadcast Control Trunk Broadcast Control Sets the broadcast storm threshold for each trunk...
  • Page 77 Controls various functions for VDSL chip on local switch port and for CPE, resetting the CPE, and upgrading firmware on CPE Displays entries for interface, address or VLAN Displays or edits static entries in the Address Table...
  • Page 78 Configures port settings for a specified MST instance 12-27 Configures trunk settings for a specified MST instance Configure the switch to operate in normal mode or one of the tunneling modes (QinQ or VLAN Swap) Enables GVRP VLAN registration protocol...
  • Page 79 Table 3-2 Switch Main Menu (Continued) Menu Static Membership by Port Port Configuration Trunk Configuration Private VLAN Status Link Status Protocol VLAN Configuration Port Configuration 802.1Q Tunneling VLAN Swap Priority Default Port Priority Default Trunk Priority Traffic Classes Traffic Classes Status...
  • Page 80 Displays the ports that are attached to a neighboring multicast router for each VLAN ID Assigns ports that are attached to a neighboring multicast router Displays all multicast groups active on this switch, including multicast IP addresses and VLAN ID Indicates multicast addresses associated with the selected VLAN...
  • Page 81 Table 3-2 Switch Main Menu (Continued) Menu IGMP Filter/Throttling Trunk Configuration Configuration Port Information Trunk Information Group IP Information Port Configuration Trunk Configuration Group Member Configuration General Configuration Static Host Table Cache Description Assigns IGMP filter profiles to trunk interfaces and...
  • Page 82 CONFIGURING THE SWITCH 3-14...
  • Page 83: Basic Management Tasks

    BASIC MANAGEMENT TASKS This chapter describes the basic functions required to set up management access to the switch, display or upgrade operating software, or reset the system. Displaying System Information You can easily identify the system by displaying the device name, location and contact information.
  • Page 84: Figure 4-1 System Information

    • Web Secure Server Port – Shows the TCP port used by the HTTPS interface. • Telnet Server – Shows if management access via Telnet is enabled. • Telnet Server Port – Shows the TCP port used by the Telnet interface. •...
  • Page 85 CLI – Specify the hostname, location and contact information. Console(config)#hostname R&D 5 Console(config)#snmp-server location WC 9 Console(config)#snmp-server contact Ted Console(config)#exit Console#show system System Description: TigerAccess(TM) SMC7816M/VSW System OID String: 1.3.6.1.4.1.202.40.2 System Information System Up Time: seconds System Name: System Location: System Contact: MAC Address (Unit1): Web Server:...
  • Page 86: Displaying System Health

    Displaying System Health Use the System Health Information page to display the status of the fans, internal temperature, main board, CPU, and system memory. Field Attributes General Status • Fan Status – The fan’s functioning status. • Fan Failed Times – The number of times the fan has failed since the system was booted.
  • Page 87: Figure 4-2 System Health Information

    • Free Amount – Amount of memory currently free for use. • Freed / Total – Percentage of free memory compared to total memory. • Utilization Raising Alarm Threshold utilization alarm. (Range: 1-100%; Default: 90%) • Utilization Falling Alarm Threshold utilization alarm.
  • Page 88: System Memory

    CLI – Use the following commands to display the status of the CPU and system memory. Console#show cpu utilization CPU current utilization Max utilization in 10s: 73% Avg utilization in 10s: 73% peak utilization: 73% peak utilization begin : 02:33:50 01/01/2001 peak utilization during: 10(s) utilization Raise utilization Falling threshold: 70%...
  • Page 89: Displaying Hardware/Software Versions

    • Loader Version – Version number of loader code. • Boot-ROM Version – Version of Power-On Self-Test (POST) and boot code. • Operation Code Version – Version number of runtime code. • Role – Shows that this switch is operating as Master (i.e., stacking not supported)...
  • Page 90: Figure 4-3 Switch Information

    These additional parameters are displayed for the CLI. • Unit ID – Unit number in stack. • BME firmware version – Version number of Burst Mode Engine. Web – Click System, Switch Information. Figure 4-3 Switch Information...
  • Page 91: Displaying Bridge Extension Capabilities

    GMRP (GARP Multicast Registration Protocol). • Traffic Classes – This switch provides mapping of user priorities to multiple traffic classes. (Refer to “Class of Service” on page 14-1.) • Static Entry Individual Port – This switch allows static filtering for unicast and multicast addresses.
  • Page 92: Figure 4-4 Displaying Bridge Extension Configuration

    • Configurable PVID Tagging – This switch allows you to override the default Port VLAN ID (PVID used in frame tags) and egress status (VLAN-Tagged or Untagged) on each port. (Refer to “VLAN Configuration” on page 13-1.) • Local VLAN Capable – This switch does not support multiple local bridges outside of the scope of 802.1Q defined VLANs.
  • Page 93: Setting The Switch's Ip Address

    Setting the Switch’s IP Address This section describes how to configure an IP interface for management access over the network. The IP address for this switch is obtained via DHCP by default. To manually configure an address, you need to change the switch’s default settings to values that are compatible with your...
  • Page 94: Manual Configuration

    will not function until a reply has been received from the server. Requests will be broadcast periodically by the switch for an IP address. (DHCP/BOOTP values can include the IP address, subnet mask, and default gateway.) • IP Address – Address of the VLAN to which the management station is attached.
  • Page 95 CLI – Specify the management interface, IP address and default gateway. Console#config Console(config)#interface vlan 1 Console(config-if)#ip address 10.1.0.253 255.255.255.0 Console(config-if)#exit Console(config)#ip default-gateway 10.1.0.254 Console(config)#end Console#show ip interface IP Address and Netmask: Address Mode: Console# This example first sets up a dedicated VLAN for management access. It adds Port 19 (the management port) to that VLAN and also removes this port from the VLAN 1, which is left for use by the data network.
  • Page 96: Using Dhcp/Bootp

    IP Address Mode to DHCP or BOOTP. Click Apply to save your changes. Then click Restart DHCP to immediately request a new address. Note that the switch will also broadcast a request for IP configuration settings on each power reset.
  • Page 97 This example first sets up a dedicated VLAN for management access. It adds Port 19 (the management port) to that VLAN and also removes this port from the VLAN 1, which is left for use by the data network. It then specifies the management interface, IP address and default gateway.
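Two of the recommendations in this chapter are easy to check mechanically from a saved running-config: the default SNMP v1/v2c community strings should be replaced (page 62), and when the dedicated management port has been moved into its own VLAN, the data VLAN should be left without an IP address so management traffic never crosses the data network (page 57). The following added Python auditor, not SMC code, performs both checks on a constructed config. It assumes the command forms the manual shows (snmp-server community <string> <mode>, interface vlan <id>, ip address <addr> <mask>); the mode keywords ro/rw, VLAN 4093 and the addresses are assumptions, not taken from the manual.

```python
"""Audit a switch running-config for two management-plane weaknesses this
chapter warns about: SNMP v1/v2c default community strings left in place, and
an IP address still configured on the data VLAN after a dedicated management
VLAN has been set up.

Added example, not SMC code. The sample config is constructed from the command
forms the manual shows (snmp-server community <string> <mode>, interface vlan
<id>, ip address <addr> <mask>); the mode keywords ro/rw, VLAN 4093 and the
addresses are assumptions, not taken from the manual.
"""
import re

DEFAULT_COMMUNITIES = frozenset({"public", "private"})

IFACE_VLAN_RE = re.compile(r"^interface vlan (\d+)$")
IP_ADDR_RE = re.compile(r"^ip address (\S+) (\S+)$")
COMMUNITY_RE = re.compile(r"^snmp-server community (\S+)(?:\s+(\S+))?$")


def parse_config(text: str):
    """Return (communities, vlan_ips): community -> mode, VLAN id -> address."""
    communities = {}
    vlan_ips = {}
    current_vlan = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        m = IFACE_VLAN_RE.match(line)
        if m:
            current_vlan = int(m.group(1))
            continue
        if line.startswith("interface "):
            current_vlan = None          # some other interface type
            continue
        m = COMMUNITY_RE.match(line)
        if m:
            communities[m.group(1)] = m.group(2) or "unspecified"
            continue
        m = IP_ADDR_RE.match(line)
        if m and current_vlan is not None:
            vlan_ips[current_vlan] = m.group(1)
    return communities, vlan_ips


def audit(text: str, data_vlans=frozenset({1})):
    """Return a list of findings; an empty list means both checks passed."""
    communities, vlan_ips = parse_config(text)
    findings = []
    for name, mode in sorted(communities.items()):
        if name.lower() in DEFAULT_COMMUNITIES:
            findings.append(
                f"default SNMP community '{name}' ({mode}) still configured")
    mgmt_vlans = sorted(set(vlan_ips) - set(data_vlans))
    if mgmt_vlans:
        # Only a finding when a separate management VLAN exists; otherwise
        # the data VLAN address is the only way to reach the switch.
        for vlan in sorted(set(vlan_ips) & set(data_vlans)):
            findings.append(
                f"data VLAN {vlan} has management IP {vlan_ips[vlan]} although "
                f"management VLAN {mgmt_vlans} exists; leave it unconfigured")
    return findings


# Constructed sample, not a capture from a real switch.
SAMPLE_CONFIG = """\
hostname R&D 5
snmp-server community public ro
snmp-server community private rw
interface vlan 1
 ip address 10.1.0.253 255.255.255.0
interface vlan 4093
 ip address 192.168.100.10 255.255.255.0
ip default-gateway 10.1.0.254
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Feed it the output of a "copy running-config tftp" transfer (page 102) and it reports three findings for the sample: both default community strings and the leftover address on VLAN 1. Adjust data_vlans if the data network spans more than VLAN 1.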
  • Page 98: Configuring Support For Jumbo Frames

    (Default: Disabled) Web – Click System, Jumbo Frames. Enable or disable support for jumbo frames, and click Apply. Figure 4-7 Configuring Support for Jumbo Frames CLI – This example enables jumbo frames globally for the switch. Console(config)#jumbo frame Console(config)# 4-16...
  • Page 99: Managing Firmware

    TFTP server, that file can later be downloaded to the switch to restore operation. You can also set the switch to use new firmware without overwriting the previous version. You must specify the method of file transfer, along with the file type and file names as required.
  • Page 100: Downloading System Software From A Server

    “opcode,” enter the file name of the software to download, select a file on the switch to overwrite or specify a new file name, then click Apply. If you replaced the current firmware used for startup and want to start using the new operation code, reboot the system via the System/Reset menu.
  • Page 101: Figure 4-9 Setting The Startup Code

    TFTP server, select “config” as the file type, then enter the source and destination file names. When the file has finished downloading, set the new file to start up the system, and then restart the switch. 4-19...
  • Page 102: Saving Or Restoring Configuration Settings

    System will be restarted, continue <y/n>? Saving or Restoring Configuration Settings You can upload/download configuration settings to/from a TFTP server, or copy files to and from switch units in a stack. The configuration file can be later downloaded to restore the switch’s settings. Command Attributes •...
  • Page 103 - startup-config to tftp – Copies the startup configuration to a TFTP server. - tftp to file – Copies a file from a TFTP server to the switch. - tftp to running-config – Copies a file from a TFTP server to the running config.
  • Page 104: Downloading Configuration Settings From A Server

    “tftp to file,” and enter the IP address of the TFTP server. Specify the name of the file to download, select a file on the switch to overwrite or specify a new file name, and then click Apply.
  • Page 105: Figure 4-12 Setting The Startup Configuration Settings

    Figure 4-12 Setting the Startup Configuration Settings CLI – Enter the IP address of the TFTP server, specify the source file on the server, set the startup file name on the switch, and then restart the switch. Console#copy tftp startup-config TFTP server ip address: 192.168.1.19...
  • Page 106: Console Port Settings

    Console Port Settings You can access the onboard configuration program by attaching a VT100 compatible device to the switch’s serial console port. Management access through the console port is controlled by various parameters, including a password, timeouts, and basic communication settings. These parameters can be configured via the web or CLI interface.
  • Page 107: Figure 4-13 Configuring The Console Port

    device connected to the serial port. (Range: 9600, 19200, 38400, 57600, or 115200 baud, Auto; Default: Auto) • Stop Bits – Sets the number of the stop bits transmitted per byte. (Range: 1-2; Default: 1 stop bit) • Password – Specifies a password for the line connection. When a connection is started on a line with password protection, the system prompts for the password.
  • Page 108: Telnet Settings

    These parameters can be configured via the web or CLI interface. Command Attributes • Telnet Status – Enables or disables Telnet access to the switch. (Default: Enabled) • Telnet Port Number – Sets the TCP port number for Telnet on the switch.
  • Page 109 • Login Timeout – Sets the interval that the system waits for a user to log into the CLI. If a login attempt is not detected within the timeout interval, the connection is terminated for the session. (Range: 0 - 300 seconds; Default: 300 seconds) •...
  • Page 110: Figure 4-14 Configuring The Telnet Interface

    Web – Click System, Line, Telnet. Specify the connection parameters for Telnet access, then click Apply. Figure 4-14 Configuring the Telnet Interface CLI – Enter Line Configuration mode for a virtual terminal, then specify the connection parameters as required. To display the current virtual terminal settings, use the show line command from the Normal Exec level.
  • Page 111: Configuring Event Logging

    Configuring Event Logging The switch allows you to control the logging of error messages, including the type of events that are recorded in switch memory, logging to a remote System Log (syslog) server, and displays a list of recent event messages.
  • Page 112: Figure 4-15 System Logs

    * There are only Level 2, 5 and 6 error messages for the current firmware release. • RAM Level – Limits log messages saved to the switch’s temporary RAM memory for all levels up to the specified level. For example, if level 7 is specified, all messages from level 0 to level 7 will be logged to RAM.
  • Page 113: Remote Log Configuration

    The attribute specifies the facility type tag sent in syslog messages. (See RFC 3164.) This type has no effect on the kind of messages reported by the switch. However, it may be used by the syslog server to process messages, such as sorting or storing messages in the corresponding database.
  • Page 114: Figure 4-16 Remote Logs

    • Host IP Address – Specifies a new server IP address to add to the Host IP List. Web – Click System, Logs, Remote Logs. To add an IP address to the Host IP List, type the new IP address in the Host IP Address box, and then click Add.
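The facility tag described on page 113 and the level thresholds described on page 112 both live in the PRI field of an RFC 3164 message (PRI = facility × 8 + severity), which is what the syslog server uses to sort and filter what the switch sends. The following added Python example, not SMC code, parses that field and applies a threshold with the same semantics as the switch's RAM/flash level settings (all messages from level 0 up to the configured level are kept). The sample lines are constructed to look like a switch logging to facility local0; the hostname and message texts are invented.

```python
"""Parse RFC 3164 syslog lines and apply a severity threshold the way the
switch's RAM/flash level settings do ("if level 7 is specified, all messages
from level 0 to level 7 will be logged").

Added example, not SMC code. The sample lines are constructed to look like a
switch using the local0 facility; the hostname and message texts are invented.
"""
import re
from dataclasses import dataclass

SEVERITY_NAMES = ["emergency", "alert", "critical", "error",
                  "warning", "notice", "informational", "debug"]
# RFC 3164 facility codes; local0..local7 are 16..23.
FACILITY_NAMES = {0: "kern", 1: "user", 3: "daemon", 4: "auth", 5: "syslog",
                  **{16 + i: f"local{i}" for i in range(8)}}

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)


@dataclass(frozen=True)
class SyslogMsg:
    facility: int
    severity: int
    body: str

    @property
    def severity_name(self) -> str:
        return SEVERITY_NAMES[self.severity]

    @property
    def facility_name(self) -> str:
        return FACILITY_NAMES.get(self.facility, f"facility{self.facility}")


def parse_pri(line: str) -> SyslogMsg:
    """Split the PRI field: PRI = facility * 8 + severity."""
    m = PRI_RE.match(line)
    if not m:
        raise ValueError(f"no PRI field: {line!r}")
    pri = int(m.group(1))
    if pri > 191:                     # max facility 23, max severity 7
        raise ValueError(f"PRI out of range: {pri}")
    return SyslogMsg(facility=pri >> 3, severity=pri & 7, body=m.group(2))


def filter_by_level(lines, max_level: int):
    """Keep messages with severity 0..max_level (lower number = more severe)."""
    if not 0 <= max_level <= 7:
        raise ValueError("level must be 0-7")
    return [msg for msg in map(parse_pri, lines) if msg.severity <= max_level]


def route(lines, ram_level: int, flash_level: int):
    """Apply the RAM Level and Flash Level thresholds independently and return
    {'ram': [...], 'flash': [...]}, mirroring the switch's two settings."""
    return {"ram": filter_by_level(lines, ram_level),
            "flash": filter_by_level(lines, flash_level)}


# Constructed sample lines (facility local0 = 16, so PRI = 128 + severity).
SAMPLE = [
    "<134>Jan  1 02:33:50 vdsl-sw1 VLAN 1 link-up notification",         # 6 informational
    "<133>Jan  1 02:34:02 vdsl-sw1 User admin logged in from 10.1.0.50",  # 5 notice
    "<130>Jan  1 02:35:10 vdsl-sw1 Fan failed",                           # 2 critical
]

if __name__ == "__main__":
    for msg in filter_by_level(SAMPLE, 5):
        print(msg.facility_name, msg.severity_name, msg.body)
```

Changing the facility on the switch only changes the top bits of PRI, so a collector that routes on facility (for instance, all local0 into one database) keeps working regardless of which levels are enabled; the severity threshold is what decides whether a message is emitted at all.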
  • Page 115: Displaying Log Messages

    Displaying Log Messages Use the Logs page to scroll through the logged system and event messages. The switch can store up to 2048 log entries in temporary random access memory (RAM; i.e., memory flushed on power reset) and up to 4096 entries in permanent flash memory.
  • Page 116: Sending Simple Mail Transfer Protocol Alerts

    7 to level 0. (Default: Level 7) • SMTP Server List – Specifies a list of up to three recipient SMTP servers. The switch attempts to connect to the other listed servers if the first fails. Use the New SMTP Server text field and the Add/Remove buttons to configure the list.
  • Page 117: Figure 4-18 Enabling And Configuring Smtp Alerts

    Web – Click System, Log, SMTP. Enable SMTP, specify a source email address, and select the minimum severity level. To add an IP address to the SMTP Server List, type the new IP address in the SMTP Server field and click Add.
  • Page 118: Resetting The System

    1. chris@matel.com
    SMTP Source Email Address: big-wheels@matel.com
    SMTP Status: Enabled
    Console#
    Resetting the System Web – Click System, Reset. Click the Reset button to restart the switch. When prompted, confirm that you want to reset the switch. Figure 4-19 Resetting the System...
  • Page 119: Setting The System Clock

    You can also manually set the clock using the CLI. (See “calendar set” on page 20-58.) If the clock is not set, the switch will only record the time from the factory default set at the last bootup.
  • Page 120: Figure 4-20 Sntp Configuration

    • SNTP Server – Sets the IP address for up to three time servers. The switch attempts to update the time from the first server, if this fails it attempts an update from the next server in the sequence.
  • Page 121: Setting The Time Zone

    Setting the Time Zone SNTP uses Coordinated Universal Time (or UTC, formerly Greenwich Mean Time, or GMT) based on the time at the Earth’s prime meridian, zero degrees longitude. To display a time corresponding to your local time, you must enter the number of hours and minutes your time zone is ahead of (east of) or behind (west of) UTC.
  • Page 123: Simple Network Management Protocol

    MIB specifications and the protocol used to access this information over the network. The switch includes an onboard agent that supports SNMP versions 1, 2c, and 3. This agent continuously monitors the status of the switch hardware, as well as the traffic passing through its ports. A network management station can access this information using software such as HP OpenView.
  • Page 124: Table 5-1 Snmpv3 Security Models And Levels

    “groups” that are defined by a security model and specified security levels. Each group also has defined security access to a set of MIB objects for reading and writing, which are known as “views.” The switch has a default view (all MIB objects) and default groups defined for security models v1 and v2c.
  • Page 125 Table 5-1 SNMPv3 Security Models and Levels (Continued) – columns: Model, Level (AuthNoPriv, AuthPriv), Group, Read View, Write View; for the v3 rows the group and read/write views are user defined... Note: The predefined default groups and view can be deleted from the system. You can then define customized groups and views for the SNMP clients that require access.
  • Page 126: Enabling The Snmp Agent

    IP Trap Managers should be listed in this table. For security reasons, you should consider removing the default strings. Command Attributes • SNMP Community Capability – The switch supports up to five community strings. • Current – Displays a list of the community strings currently configured.
  • Page 127: Figure 5-2 Configuring Snmp Community Strings

    • Community String – A community string that acts like a password and permits access to the SNMP protocol. Default strings: “public” (read-only access), “private” (read/write access) Range: 1-32 characters, case sensitive • Access Mode – Specifies the access rights for the community string: - Read-Only –...
  • Page 128: Specifying Trap Managers And Trap Types

    SNMP access for the host. • Notifications are issued by the switch as trap messages by default. The recipient of a trap message does not send a response to the switch. Traps are therefore not as reliable as inform messages, which include a request for acknowledgement of receipt.
  • Page 129 5. Specify a remote engine ID where the user resides (page 5-11). 6. Then configure a remote user (page 5-15). Command Attributes • Trap Manager Capability – This switch supports up to five trap managers. • Current – Displays a list of the trap managers currently configured.
  • Page 130 • Trap Inform – Notifications are sent as inform messages. Note that this option is only available for version 2c and 3 hosts. (Default: traps are used) - Timeout – The number of seconds to wait for an acknowledgment before resending an inform message.
  • Page 131: Figure 5-3 Configuring Snmp Trap Managers

    Web – Click SNMP, Configuration. Enter the IP address and community string for each management station that will receive trap messages, specify the UDP port, SNMP trap version, trap security level (for v3 clients), trap inform settings (for v2c/v3 clients), and then click Add. Select the trap types required using the check boxes for Authentication and Link-up/ down traps, and then click Apply.
  • Page 132: Configuring Snmpv3 Management Access

    The engine ID is also used in combination with user passwords to generate the security keys for authenticating and encrypting SNMPv3 packets. A local engine ID is automatically generated that is unique to the switch. This is referred to as the default engine ID. If the local engineID is deleted or changed, all SNMP users will be cleared.
  • Page 133: Specifying A Remote Engine Id

    Web – Click SNMP, SNMPv3, Engine ID. Enter an ID of up to 26 hexadecimal characters and then click Save. Figure 5-4 Setting the SNMPv3 Engine ID CLI – This example sets an SNMPv3 engine ID.
    Console(config)#snmp-server engine-id local 12345abcdef
    Console(config)#exit
    Console#show snmp engine-id
    Local SNMP engineID: 8000002a8000000000e8666672...
  • Page 134: Configuring Snmpv3 Users

    Web – Click SNMP, SNMPv3, Remote Engine ID. Enter an ID of up to 26 hexadecimal characters and then click Save. CLI – This example specifies a remote SNMPv3 engine ID.
    Console(config)#snmp-server engine-id remote 54321 192.168.1.19
    Console(config)#exit
    Console#show snmp engine-id
    Local SNMP engineID: 8000002a8000000000e8666672
    Local SNMP engineBoots: 1...
  • Page 135 - AuthPriv – SNMP communications use both authentication and encryption (only available for the SNMPv3 security model). • Authentication Protocol – The method used for user authentication. (Options: MD5, SHA; Default: MD5) SHA is the stronger of the two; select it rather than accepting the MD5 default. • Authentication Password – A minimum of eight plain text characters is required.
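Why changing the engine ID clears every SNMPv3 user, shown as an added example in Python (not code from the manual): the agent never stores the password, only a key derived from it and localized to the engine ID, as RFC 3414 specifies. The functions below implement that derivation and check it against the RFC's own test vectors; the engine ID used in the demo is the one from the manual's show snmp engine-id output and the password is the manual's example "greenpeace". The second engine ID in the demo is an assumed value chosen only to show that the localized key changes.

```python
"""RFC 3414 password-to-key and key localization for SNMPv3 USM."""
import hashlib


def password_to_key(password: str, algo: str = "md5") -> bytes:
    """RFC 3414 A.2: hash the password repeated out to 1,048,576 bytes -> Ku."""
    pw = password.encode()
    if not pw:
        raise ValueError("empty password")
    stretched = (pw * (1048576 // len(pw) + 1))[:1048576]
    return hashlib.new(algo, stretched).digest()


def localize(ku: bytes, engine_id: bytes, algo: str = "md5") -> bytes:
    """RFC 3414 2.6: Kul = H(Ku || snmpEngineID || Ku); this is what the agent stores."""
    return hashlib.new(algo, ku + engine_id + ku).digest()


def usm_key(password: str, engine_id_hex: str, algo: str = "md5") -> str:
    """Localized key (hex) that a user's password yields on the agent with this engine ID."""
    return localize(password_to_key(password, algo), bytes.fromhex(engine_id_hex), algo).hex()


if __name__ == "__main__":
    # Engine ID from the manual's 'show snmp engine-id' output; 'sha1' is the manual's 'SHA' option.
    switch_id = "8000002a8000000000e8666672"
    print("auth key for chris on this switch :", usm_key("greenpeace", switch_id, "sha1"))
    # Assumed different engine ID, e.g. after 'snmp-server engine-id local' is changed:
    other_id = "8000002a8000000000e8666673"
    print("same password, new engine ID     :", usm_key("greenpeace", other_id, "sha1"))
```

The two printed keys differ, which is exactly why the manual says all SNMP users are cleared when the local engine ID is deleted or changed: none of the stored localized keys would verify any longer. The same localization is why a remote user (next page) must be configured against the remote engine ID of the agent it will talk to.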
  • Page 136: Figure 5-6 Configuring Snmpv3 Users

    Web – Click SNMP, SNMPv3, Users. Click New to configure a user name. In the New User page, define a name and assign it to a group, then click Add to save the configuration and return to the User Name list. To delete a user, check the box next to the user name, then click Delete.
  • Page 137: Configuring Remote Snmpv3 Users

    CLI – Use the snmp-server user command to configure a new user name and assign it to a group.
    Console(config)#snmp-server user chris group r&d v3 auth md5 greenpeace priv des56 einstien
    Console(config)#exit
    Console#show snmp user
    EngineId: 80000034030001f488f5200000
    User Name: chris
    Authentication Protocol: md5
    Privacy Protocol: des56
    Storage Type: nonvolatile...
  • Page 138 • Security Model – The user security model; SNMP v1, v2c or v3. (Default: v1) • Security Level – The security level used for the user: - noAuthNoPriv – There is no authentication or encryption used in SNMP communications.
  • Page 139: Figure 5-7 Configuring Remote Snmpv3 Users

    Web – Click SNMP, SNMPv3, Remote Users. Click New to configure a user name. In the New User page, define a name and assign it to a group, then click Add to save the configuration and return to the User Name list. To delete a user, check the box next to the user name, then click Delete.
  • Page 140: Configuring Snmpv3 Groups

    CLI – Use the snmp-server user command to configure a new user name and assign it to a group.
    Console(config)#snmp-server user mark group r&d remote 192.168.1.19 v3 auth md5 greenpeace priv des56 einstien
    Console(config)#exit
    Console#show snmp user
    No user exist.
  • Page 141: Table 5-2 Supported Notification Messages

    • Notify View – The configured view for notifications. (Range: 1-64 characters)
    Table 5-2 Supported Notification Messages (Object Label, Object ID, Description)
    RFC 1493 Traps:
    - newRoot, 1.3.6.1.2.1.17.0.1
    - topologyChange, 1.3.6.1.2.1.17.0.2
    SNMPv2 Traps:
    - coldStart, 1.3.6.1.6.3.1.1.5.1
    - warmStart, 1.3.6.1.6.3.1.1.5.2
    Description: The newRoot trap indicates that the sending agent has become the new root of the Spanning Tree;...
  • Page 142 Table 5-2 Supported Notification Messages (Continued)
    - linkDown, 1.3.6.1.6.3.1.1.5.3
    - linkUp, 1.3.6.1.6.3.1.1.5.4
    - authenticationFailure, 1.3.6.1.6.3.1.1.5.5
    Description: A linkDown trap signifies that the SNMP entity, acting in an agent role, has detected that the ifOperStatus object for one of its communication links is about to enter the down state from some other state (but not from the...
  • Page 143 Table 5-2 Supported Notification Messages (Continued)
    RMON Events (V2):
    - risingAlarm, 1.3.6.1.2.1.16.0.1
    - fallingAlarm, 1.3.6.1.2.1.16.0.2
    Private Traps:
    - swPowerStatusChangeTrap, 1.3.6.1.4.1.202.40.2.6.2.1.0.1
    - swFanFailureTrap, 1.3.6.1.4.1.202.40.2.6.2.1.0.17
    - swFanRecoverTrap, 1.3.6.1.4.1.202.40.2.6.2.1.0.18
    - swIpFilterRejectTrap, 1.3.6.1.4.1.202.40.2.6.2.1.0.40
    - swSmtpConnFailureTrap, 1.3.6.1.4.1.202.40.2.6.2.1.0.41
    - swMainBoardVerMismatchNotificaiton, 1.3.6.1.4.1.202.40.2.6.2.1.0.56
    - swModuleVerMismatchNotificaiton, 1.3.6.1.4.1.202.40.2.6.2.1.0.57
    Description: The SNMP trap that is generated when an alarm entry crosses its...
  • Page 144 Table 5-2 Supported Notification Messages (Continued)
    - swThermalRisingNotification, 1.3.6.1.4.1.202.40.2.6.2.1.0.58
    - swThermalFallingNotification, 1.3.6.1.4.1.202.40.2.6.2.1.0.59
    - swModuleInsertionNotificaiton, 1.3.6.1.4.1.202.40.2.6.2.1.0.60
    - swModuleRemovalNotificaiton, 1.3.6.1.4.1.202.40.2.6.2.1.0.61
    * These are legacy notifications and therefore must be enabled in conjunction with the corresponding traps on the SNMP Configuration menu (page 5-9).
  • Page 145: Figure 5-8 Configuring Snmpv3 Groups

    Web – Click SNMP, SNMPv3, Groups. Click New to configure a new group. In the New Group page, define a name, assign a security model and level, and then select read, write, and notify views. Click Add to save the new group and return to the Groups list.
  • Page 146: Setting Snmpv3 Views

    CLI – Use the snmp-server group command to configure a new group, specifying the security model and level, and restricting MIB access to defined read and write views.
    Console(config)#snmp-server group secure-users v3 priv read defaultview write defaultview notify defaultview
    Console(config)#exit
    Console#show snmp group
    Group Name: secure-users...
  • Page 147: Figure 5-9 Configuring Snmpv3 Views

    In the New View page, define a name and specify OID subtrees in the switch MIB to be included or excluded in the view. Click Back to save the new view and return to the SNMPv3 Views list. For a specific view, click on View OID Subtrees to display the current configuration, or click on Edit OID Subtrees to make changes to the view settings.
  • Page 148 CLI – Use the snmp-server view command to configure a new view. This example view includes the MIB-2 interfaces table, and the wildcard mask selects all index entries.
    Console(config)#snmp-server view ifEntry.a 1.3.6.1.2.1.2.2.1.1.* included
    Console(config)#exit
    Console#show snmp view
    View Name: ifEntry.a
    Subtree OID: 1.3.6.1.2.1.2.2.1.1.*
    View Type: included...
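How a view decides whether a requested OID is visible, as an added example in Python (not the switch's code): it implements the RFC 3415 view-tree rule that the most specific matching subtree wins, using the manual's "*" wildcard notation. The first view is the manual's ifEntry.a; the second is an assumed hardened read view (not from the manual) that exposes the internet subtree but excludes the standard USM (1.3.6.1.6.3.15), VACM (1.3.6.1.6.3.16) and community (1.3.6.1.6.3.18) MIBs, so a read-only user cannot enumerate the agent's user, group and community tables.

```python
"""SNMPv3 view-tree matching (RFC 3415 vacmViewTreeFamily) with the switch's '*' wildcard."""
from typing import List, Optional, Tuple

Subtree = Tuple[Optional[int], ...]      # None marks a wildcard position


def parse_subtree(text: str) -> Subtree:
    return tuple(None if p == "*" else int(p) for p in text.split("."))


class View:
    """A named view: (subtree, included) families; the most specific match decides."""

    def __init__(self, name: str):
        self.name = name
        self.families: List[Tuple[Subtree, bool]] = []

    def add(self, subtree: str, included: bool = True) -> "View":
        self.families.append((parse_subtree(subtree), included))
        return self

    def allows(self, oid: str) -> bool:
        target = tuple(int(p) for p in oid.split("."))
        best = None  # (specificity key, included)
        for sub, inc in self.families:
            if len(target) < len(sub):
                continue
            if all(a is None or a == b for a, b in zip(sub, target)):
                # RFC 3415: the longest subtree wins; ties go to the lexicographically greatest.
                key = (len(sub), tuple(-1 if a is None else a for a in sub))
                if best is None or key > best[0]:
                    best = (key, inc)
        return best is not None and best[1]


# The manual's example view: every ifIndex in the MIB-2 interfaces table, nothing else.
IFENTRY_A = View("ifEntry.a").add("1.3.6.1.2.1.2.2.1.1.*")

# Assumed hardened read view: MIB-2 and the rest of 'internet', minus the SNMP security MIBs.
READ_NOSEC = (View("read-nosec").add("1.3.6.1")
              .add("1.3.6.1.6.3.15", included=False)     # SNMP-USER-BASED-SM-MIB (usmUserTable)
              .add("1.3.6.1.6.3.16", included=False)     # SNMP-VIEW-BASED-ACM-MIB
              .add("1.3.6.1.6.3.18", included=False))    # SNMP-COMMUNITY-MIB


if __name__ == "__main__":
    for v, oid in ((IFENTRY_A, "1.3.6.1.2.1.2.2.1.1.3"), (IFENTRY_A, "1.3.6.1.2.1.2.2.1.2.3"),
                   (READ_NOSEC, "1.3.6.1.2.1.1.1.0"), (READ_NOSEC, "1.3.6.1.6.3.15.1.2.2.1.3.5")):
        print(f"{v.name:10} {oid:32} {'visible' if v.allows(oid) else 'hidden'}")
```

ifDescr.3 (1.3.6.1.2.1.2.2.1.2.3) is hidden by ifEntry.a even though it sits in the same table, because the wildcard only covers the last sub-identifier of the ifIndex column; in the hardened view an entry of the usmUserTable is hidden while sysDescr.0 stays visible.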
  • Page 149: User Authentication

    You can configure this switch to authenticate users logging into the system for management access using local or remote authentication methods. Port-based authentication using IEEE 802.1X can also be configured to control either management access to the uplink ports or client access to the data ports.
  • Page 150: Figure 6-1 User Accounts

    The default guest name is “guest” with the password “guest.” The default administrator name is “admin” with the password “admin.” Change both default passwords before the switch’s management interfaces are reachable from any network. Command Attributes • Account List – Displays the current list of user accounts and associated access levels. (Defaults: admin, and guest) •...
  • Page 151: Configuring Local/Remote Logon Authentication

    You can manually configure access rights on the switch, or you can use a remote access authentication server based on RADIUS or TACACS+ protocols. Remote Authentication Dial-in User Service (RADIUS) and Terminal Access Controller Access Control System Plus (TACACS+) are logon...
  • Page 152: Command Usage

    Command Attributes • Authentication – Select the authentication, or authentication sequence required: - Local – User authentication is performed only locally by the switch. - Radius – User authentication is performed using a RADIUS server only. - TACACS – User authentication is performed using a TACACS+ server only.
  • Page 153: Tacacs Settings

    (Range: 1-30; Default: 2) - Timeout for a reply – The number of seconds the switch waits for a reply from the RADIUS server before it resends the request. (Range: 1-65535; Default: 5) •...
  • Page 154: Figure 6-2 Authentication Server Settings

    Web – Click Security, Authentication Settings. To configure local or remote authentication preferences, specify the authentication sequence (i.e., one to three methods), fill in the parameters for RADIUS or TACACS+ authentication if selected, and click Apply. Figure 6-2 Authentication Server Settings CLI –...
  • Page 155: Configuring Https

    Command Usage • Both the HTTP and HTTPS service can be enabled independently on the switch. However, you cannot configure both services to use the same TCP port. • If you enable HTTPS, you must indicate this in the URL that you specify in your browser: https://device[:port_number] •...
  • Page 156: Table 6-1 Https System Support

    (Default: Enabled) • Change HTTPS Port Number – Specifies the TCP port number used for HTTPS/SSL connection to the switch’s web interface. (Default: Port 443) Web – Click Security, HTTPS Settings. Enable HTTPS and specify the port number, then click Apply.
  • Page 157: Replacing The Default Secure-Site Certificate

    Source certificate file name: <certificate file name> Source private file name: <private key file name> Private password: <password for private key> Note: The switch must be reset for the new certificate to be activated. To reset the switch, type “reload” at the command prompt: Console#reload...
  • Page 158: Configuring The Secure Shell

    Berkeley remote access tools. SSH can also provide remote management access to this switch as a secure replacement for Telnet. When the client contacts the switch via the SSH protocol, the switch presents a public host key that the client uses, along with a local user name and password, for access authentication.
  • Page 159 51941746772984865468615717739390164779355942303577413098022737087794545240839 71752646358058176716709574804776117 3. Import Client’s Public Key to the Switch – Use the copy tftp public-key command (page 20-17) to copy a file containing the public keys of all SSH clients granted management access to the switch. (Note that these clients must be configured locally on the switch via the User Accounts page as described on page 6-1.) The clients are subsequently...
  • Page 160 The switch compares the client's public key to those stored in memory. c. If a match is found, the switch uses its secret key to generate a random 256-bit string as a challenge, encrypts this string with the user’s public key, and sends it to the client.
  • Page 161: Generating The Host Key Pair

    Authenticating SSH v2 Clients a. The client first queries the switch to determine if DSA public key authentication using a preferred algorithm is acceptable. b. If the specified algorithm is supported by the switch, it notifies the client to proceed with the authentication process. Otherwise, it rejects the request.
  • Page 162 DES (56-bit) or 3DES (168-bit) for data encryption. Single DES offers only 56 bits of key and should not be chosen where 3DES is available. Note: The switch uses only RSA Version 1 for SSHv1.5 clients and DSA Version 2 for SSHv2 clients. • Save Host-Key from Memory to Flash – Saves the host key from RAM (i.e., volatile memory) to flash memory.
  • Page 163: Figure 6-4 Ssh Host-Key Settings

    Web – Click Security, SSH, Host-Key Settings. Select the host-key type from the drop-down box, select the option to save the host key from memory to flash (if required) prior to generating the key, and then click Generate.
  • Page 164: Configuring The Ssh Server

    (Default: Disabled) • Version – The Secure Shell version number. Version 2.0 is displayed, but the switch supports management access via either SSH Version 1.5 or 2.0 clients. SSH version 1.5 has known protocol weaknesses; configure management clients to connect with version 2.0. • SSH Authentication Timeout – Specifies the time interval in seconds that the SSH server waits for a response from a client during an authentication attempt.
  • Page 165: Figure 6-5 Ssh Server Settings

    • SSH Server-Key Size – Specifies the SSH server key size. (Range: 512-896 bits; Default: 768) - The server key is a private key that is never shared outside the switch. - The host key is shared with the SSH client, and is fixed at 1024 bits.
  • Page 166 CLI – This example enables SSH, sets the authentication parameters, and displays the current configuration. It shows that the administrator has made a connection via SSH, and then disables this connection.
    Console(config)#ip ssh server
    Console(config)#ip ssh timeout 100
    Console(config)#ip ssh authentication-retries 5
    Console(config)#ip ssh server-key size 512
    Console(config)#end
    Console#show ip ssh...
  • Page 167: Configuring 802.1X Port Authentication

    RADIUS authentication server to verify user identity and access rights. When a client (i.e., Supplicant) connects to a switch port, the switch (i.e., Authenticator) responds with an EAPOL identity request. The client provides its identity (such as a user name) in an EAPOL response to the switch, which it forwards to the RADIUS server.
  • Page 168 • The IP address of the RADIUS server must be specified. • 802.1X must be enabled globally for the switch. • Each switch port that will be used must be set to dot1x “Auto” mode. • Each client that needs to be authenticated must have dot1x client software installed and properly configured.
  • Page 169: Displaying 802.1X Global Settings

    Displaying 802.1X Global Settings The 802.1X protocol provides port authentication. Command Attributes 802.1X System Authentication Control – The global setting for 802.1X. Web – Click Security, 802.1X, Information. CLI – This example shows the default global setting for 802.1X.
    Console#show dot1x
    Global 802.1X Parameters
    system-auth-control: enable
    802.1X Port Summary...
  • Page 170: Configuring 802.1X Global Settings

    Configuring 802.1X Global Settings The 802.1X protocol provides port authentication. The 802.1X protocol must be enabled globally for the switch system before port settings are active. Command Attributes 802.1X System Authentication Control – Sets the global setting for 802.1X. (Default: Disabled) Web –...
  • Page 171: Configuring Port Settings For 802.1X

    EAP request packet to the client before it times out the authentication session. (Range: 1-10; Default 2) • Quiet Period – Sets the time that a switch port waits after the Max Request count has been exceeded before attempting to acquire a new client.
  • Page 172: Figure 6-8 802.1X Port Configuration

    (Range: 1-65535 seconds; Default: 3600 seconds) • TX Period – Sets the time period during an authentication session that the switch waits before re-transmitting an EAP packet. (Range: 1-65535; Default: 30 seconds) • Authorized –...
  • Page 173 CLI – This example sets the 802.1X parameters on port 2. For a description of the additional fields displayed in this example, see “show dot1x” on page 22-41.
    Console(config)#interface ethernet 1/2
    Console(config-if)#dot1x port-control auto
    Console(config-if)#dot1x re-authentication
    Console(config-if)#dot1x max-req 5
    Console(config-if)#dot1x timeout quiet-period 40
    Console(config-if)#dot1x timeout re-authperiod 5
    Console(config-if)#dot1x timeout tx-period 40
    Console(config-if)#end...
  • Page 174: Displaying 802.1X Statistics

    Reauthentication State Machine State: 802.1X is disabled on port 1/19
    Console#
    Displaying 802.1X Statistics This switch can display statistics for dot1x protocol exchanges for any port.
    Table 6-2 802.1X Statistics (Parameter, Description)
    - Rx EAPOL Start
    - Rx EAPOL Logoff – The number of EAPOL Logoff frames that have been...
  • Page 175: Figure 6-9 802.1X Port Statistics

    Table 6-2 802.1X Statistics (Continued)
    - Tx EAP Req/Id – The number of EAP Req/Id frames that have been transmitted by this Authenticator.
    - Tx EAP Req/Oth – The number of EAP Request frames (other than Rq/Id frames) that have been transmitted by this Authenticator.
    Web –...
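The EAPOL exchange described under "Configuring 802.1X Port Authentication", with both the Supplicant's and the Authenticator's frames, and the counters of Table 6-2 that each frame increments, as an added example in Python (not code from the manual or the switch). Frame layouts follow IEEE 802.1X and RFC 3748; the counter names are the table's, with the IEEE 802.1X PAE MIB names (Rx EAP Resp/Id, Rx EAP Resp/Oth, Rx EAPOL Invalid, Rx EAP LenError) assumed for the columns the excerpt does not show. The MAC addresses, identity and MD5-Challenge bytes are constructed. One point worth seeing in the counts: EAPOL-Start and EAPOL-Logoff are accepted without any authentication, so a Logoff spoofed with an authorized client's source MAC is counted and acted on like a real one.

```python
"""Build and classify EAPOL/EAP frames the way an 802.1X Authenticator counts them."""
import struct
from collections import Counter
from typing import Optional

ETH_EAPOL = 0x888E
PAE_GROUP_ADDR = bytes.fromhex("0180c2000003")      # IEEE 802.1X PAE group MAC address
EAPOL_EAP_PACKET, EAPOL_START, EAPOL_LOGOFF = 0, 1, 2
EAP_REQUEST, EAP_RESPONSE = 1, 2
EAP_TYPE_IDENTITY, EAP_TYPE_MD5 = 1, 4


def eapol_frame(src: bytes, eapol_type: int, body: bytes = b"") -> bytes:
    """Ethernet header + EAPOL header (protocol version 1) around an optional EAP body."""
    return (PAE_GROUP_ADDR + src + struct.pack("!H", ETH_EAPOL)
            + struct.pack("!BBH", 1, eapol_type, len(body)) + body)


def eap_packet(code: int, ident: int, eap_type: Optional[int] = None, data: bytes = b"") -> bytes:
    """RFC 3748 EAP packet: code, identifier, length, then type and type-data for Request/Response."""
    payload = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(payload)) + payload


def classify(frame: bytes, direction: str) -> Optional[str]:
    """Return the per-port counter a frame increments on the Authenticator, or None.
    direction is 'rx' (from the Supplicant) or 'tx' (sent by the switch port)."""
    if len(frame) < 18 or struct.unpack("!H", frame[12:14])[0] != ETH_EAPOL:
        return None                                  # not EAPOL at all
    _ver, etype, elen = struct.unpack("!BBH", frame[14:18])
    body = frame[18:18 + elen]
    if direction == "tx":
        if etype == EAPOL_EAP_PACKET and len(body) >= 4 and body[0] == EAP_REQUEST:
            is_id = len(body) >= 5 and body[4] == EAP_TYPE_IDENTITY
            return "Tx EAP Req/Id" if is_id else "Tx EAP Req/Oth"
        return None
    if len(body) < elen:
        return "Rx EAPOL Invalid"                    # EAPOL length field runs past the frame
    if etype == EAPOL_START:
        return "Rx EAPOL Start"
    if etype == EAPOL_LOGOFF:
        return "Rx EAPOL Logoff"
    if etype != EAPOL_EAP_PACKET:
        return "Rx EAPOL Invalid"
    if len(body) < 4:
        return "Rx EAP LenError"
    code, _ident, length = struct.unpack("!BBH", body[:4])
    if length < 4 or length > len(body):
        return "Rx EAP LenError"                     # EAP length inconsistent with the EAPOL body
    if code != EAP_RESPONSE:
        return "Rx EAPOL Invalid"                    # a Supplicant never sends Requests
    is_id = length >= 5 and body[4] == EAP_TYPE_IDENTITY
    return "Rx EAP Resp/Id" if is_id else "Rx EAP Resp/Oth"


def count(exchange) -> Counter:
    """Tally a list of (direction, frame) pairs into the Table 6-2 statistics."""
    stats = Counter()
    for direction, frame in exchange:
        name = classify(frame, direction)
        if name:
            stats[name] += 1
    return stats


# Constructed exchange on one port: Supplicant 00:11:22:33:44:55, switch port 00:e8:66:66:72:01.
SUP, SW = bytes.fromhex("001122334455"), bytes.fromhex("00e866667201")
CHALLENGE = b"\x10" + bytes(range(16))   # MD5-Challenge: value-size then 16 constructed bytes
EXCHANGE = [
    ("rx", eapol_frame(SUP, EAPOL_START)),
    ("tx", eapol_frame(SW, EAPOL_EAP_PACKET, eap_packet(EAP_REQUEST, 1, EAP_TYPE_IDENTITY))),
    ("rx", eapol_frame(SUP, EAPOL_EAP_PACKET, eap_packet(EAP_RESPONSE, 1, EAP_TYPE_IDENTITY, b"chris"))),
    ("tx", eapol_frame(SW, EAPOL_EAP_PACKET, eap_packet(EAP_REQUEST, 2, EAP_TYPE_MD5, CHALLENGE))),
    ("rx", eapol_frame(SUP, EAPOL_EAP_PACKET, eap_packet(EAP_RESPONSE, 2, EAP_TYPE_MD5, CHALLENGE))),
    ("rx", eapol_frame(SUP, EAPOL_LOGOFF)),           # unauthenticated; spoofable by anyone on the segment
]

if __name__ == "__main__":
    for name, n in sorted(count(EXCHANGE).items()):
        print(f"{name:18} {n}")
```

The identity request and MD5-Challenge request land in Tx EAP Req/Id and Tx EAP Req/Oth respectively, matching the split Table 6-2 makes; the Supplicant's answers split the same way on the receive side.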
  • Page 176: Filtering Ip Addresses For Management Access

    • If anyone tries to access a management interface on the switch from an invalid address, the switch will reject the connection, enter an event message in the system log, and send a trap message to the trap manager.
  • Page 177: Figure 6-10 Ip Filter

    Web – Click Security, IP Filter. Enter the IP addresses or range of addresses that are allowed management access to an interface, and click Add IP Filtering Entry. CLI – This example restricts management access for Telnet clients.
    Console(config)#management telnet-client 192.168.1.19
    Console(config)#management telnet-client 192.168.1.25 192.168.1.30
    Console(config)#exit
    Console#show management all-client...
  • Page 179: Client Security

    This switch supports many methods of segregating traffic for clients attached to each of the data ports, and for ensuring that only authorized clients gain access to the network. Private VLANs and port-based authentication using IEEE 802.1X are commonly used for these purposes.
  • Page 180: Configuring Port Security

    Security, Packet Filtering, IP Source Guard, and then DHCP Snooping. Configuring Port Security Port security is a feature that allows you to configure a switch port with one or more device MAC addresses that are authorized to access the network through that port.
  • Page 181 To use port security, specify a maximum number of addresses to allow on the port and then let the switch dynamically learn the <source MAC address, VLAN> pair for frames received on the port. Note that you can also manually add secure addresses to the port using the Static Address Table (page 11-1).
  • Page 182: Figure 7-1 Port Security

    • Max MAC Count – The maximum number of MAC addresses that can be learned on a port. (Range: 0 - 1024, where 0 means disabled) • Trunk – Trunk number if port is a member (page 9-9 and 9-11). Web –...
  • Page 183: Configuring Ip Source Guard

    Configuring IP Source Guard IP Source Guard is a security feature that filters IP traffic on unsecure network interfaces based on static entries configured in the IP Source Guard table, or dynamic entries in the DHCP Snooping table. Command Usage •...
  • Page 184 - If IP source guard is enabled on an interface for which IP source bindings have not yet been configured (neither by static configuration in the IP source guard binding table nor dynamically learned from DHCP snooping), the switch will drop all IP traffic on that port, except for DHCP packets. Command Attributes IP Source Guard Binding •...
  • Page 185: Figure 7-2 Ip Source Guard Binding

    IP Source Guard Filter • Port – Port for which to filter static entries. • Source IP – Filters traffic based on IP addresses stored in the binding table. • Source IP and MAC – Filters traffic based on IP addresses and corresponding MAC addresses stored in the binding table.
  • Page 186: Configuring Dhcp Snooping

    MAC address, IP address, lease time, VLAN identifier, and port identifier. • The rate limit for the number of DHCP messages that can be processed by the switch is 100 packets per second. Any DHCP packets in excess of this limit are dropped.
  • Page 187
    - If the DHCP packet is from a client, such as a DECLINE or RELEASE message, the switch forwards the packet only if the corresponding entry is found in the binding table.
    - If the DHCP packet is from a client, such as a DISCOVER, REQUEST, INFORM, DECLINE or RELEASE message, the packet is forwarded if MAC address verification is disabled.
  • Page 188 • Additional considerations when the switch itself is a DHCP client – The port(s) through which the switch submits a client request to the DHCP server must be configured as trusted. Note that the switch will not add a dynamic entry for itself to the binding table when it receives an ACK message from a DHCP server.
  • Page 189 • DHCP Snooping Service Provider Mode – Once an IP address is assigned to the host by a DHCP server, the switch sets this entry to static mode in the MAC address table, and registers the host as a valid entry in the DHCP snooping table.
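The DHCP snooping rules from the pages above and the IP Source Guard filtering they feed, put together as an added example in Python (a model written for this page, not the switch's code): server messages are dropped on untrusted ports, client messages on untrusted ports must carry a chaddr equal to the source MAC when verification is on, DECLINE/RELEASE are forwarded only for a bound client, ACKs on trusted ports create the MAC/IP/lease/VLAN/port binding, the manual's 100 packets per second limit is enforced, and a port with IP Source Guard enabled but no bindings drops all non-DHCP IP traffic. Port names, MAC addresses and the 10.10.0.0/24 addresses in the demo are constructed; the manual does not state whether a RELEASE removes the binding, so the model leaves it in place.

```python
"""Model of DHCP snooping and IP Source Guard as the manual describes them."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

SERVER_MSGS = {"OFFER", "ACK", "NAK"}
CLIENT_MSGS = {"DISCOVER", "REQUEST", "INFORM", "DECLINE", "RELEASE"}
RATE_LIMIT_PPS = 100            # the manual's DHCP processing limit


@dataclass
class Binding:
    mac: str
    ip: str
    lease: int
    vlan: int
    port: str


class Switch:
    def __init__(self, trusted_ports, snooping_vlans, verify_mac: bool = True):
        self.trusted = set(trusted_ports)
        self.snooping_vlans = set(snooping_vlans)
        self.verify_mac = verify_mac
        self.bindings: Dict[Tuple[int, str], Binding] = {}   # (vlan, mac) -> Binding
        self.ipsg: Dict[str, str] = {}                       # port -> "ip" or "ip-mac"
        self._pending: Dict[Tuple[int, str], str] = {}       # (vlan, chaddr) -> client's port
        self._second, self._count = None, 0

    def _within_rate(self, now: float) -> bool:
        sec = int(now)
        if sec != self._second:
            self._second, self._count = sec, 0
        self._count += 1
        return self._count <= RATE_LIMIT_PPS

    def dhcp(self, port: str, vlan: int, src_mac: str, msg: str, chaddr: str,
             yiaddr: Optional[str] = None, lease: int = 0, now: float = 0.0) -> str:
        """Apply the snooping rules to one DHCP message; returns 'forward' or 'drop: <reason>'."""
        if vlan not in self.snooping_vlans:
            return "forward"
        if not self._within_rate(now):
            return "drop: over the 100 pps DHCP rate limit"
        key = (vlan, chaddr)
        if msg in SERVER_MSGS:
            if port not in self.trusted:
                return "drop: server message on untrusted port"
            if msg == "ACK" and key in self._pending:      # learn <MAC, IP, lease, VLAN, port>
                self.bindings[key] = Binding(chaddr, yiaddr, lease, vlan, self._pending.pop(key))
            return "forward"
        if msg in CLIENT_MSGS:
            if port not in self.trusted and self.verify_mac and chaddr != src_mac:
                return "drop: chaddr does not match source MAC"
            if msg in ("DECLINE", "RELEASE"):
                return "forward" if key in self.bindings else "drop: no binding for DECLINE/RELEASE"
            self._pending[key] = port
            return "forward"
        return "drop: unknown DHCP message"

    def ip_packet(self, port: str, vlan: int, src_mac: str, src_ip: str) -> str:
        """IP Source Guard check for a non-DHCP IP packet received on a port."""
        mode = self.ipsg.get(port)
        if mode is None:
            return "forward"
        on_port = [b for b in self.bindings.values() if b.port == port and b.vlan == vlan]
        if not on_port:
            return "drop: IP source guard enabled but no bindings on port"
        for b in on_port:
            if b.ip == src_ip and (mode == "ip" or b.mac == src_mac):
                return "forward"
        return "drop: source not in binding table"


def demo() -> Switch:
    """Constructed scenario: subscriber on port 1/1, DHCP server behind trusted uplink 1/17."""
    sw = Switch(trusted_ports={"1/17"}, snooping_vlans={10})
    sw.ipsg["1/1"] = "ip-mac"
    client, server = "00:11:22:33:44:55", "00:aa:bb:cc:dd:ee"
    sw.dhcp("1/1", 10, client, "DISCOVER", client)
    sw.dhcp("1/17", 10, server, "OFFER", client, "10.10.0.5")
    sw.dhcp("1/1", 10, client, "REQUEST", client)
    sw.dhcp("1/17", 10, server, "ACK", client, "10.10.0.5", lease=86400)
    return sw


if __name__ == "__main__":
    sw = demo()
    print(sw.bindings)
    print(sw.ip_packet("1/1", 10, "00:11:22:33:44:55", "10.10.0.5"))     # forward
    print(sw.ip_packet("1/1", 10, "00:11:22:33:44:55", "10.10.0.9"))     # drop: spoofed source IP
    print(sw.dhcp("1/2", 10, "00:de:ad:be:ef:00", "OFFER", "00:11:22:33:44:55", "10.10.0.77"))  # rogue server
```

The rogue OFFER on port 1/2 is dropped before it can reach the subscriber, and once the binding exists the subscriber can only send from the address the trusted server actually leased to its MAC.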
  • Page 190: Figure 7-3 Dhcp Snooping Configuration

    Web – Click DHCP Snooping, DHCP Snooping Configuration. Enable DHCP snooping status globally, enable it for the required VLANs, select whether or not to verify the client’s MAC address, configure those ports that will receive messages only from within the local network as trusted, and then click Apply.
  • Page 191: Displaying Dhcp Snooping Information

    DHCP Snooping Dynamic Binding Table • Interface – Switch port for which a binding entry exists. • VLAN – VLAN for which DHCP snooping has been enabled. • MAC Address – Physical address associated with the entry.
  • Page 192: Figure 7-4 Dhcp Snooping Information

    Web – Click DHCP Snooping, DHCP Snooping Information. Figure 7-4 DHCP Snooping Information
  • Page 193: Configuring Packet Filtering

    Packet filtering provides security barriers between the customer and the service provider, as well as between different customers attached to the same local switch, by blocking NetBIOS traffic, DHCP service requests, and DHCP replies on specific ports. Note: Packet Filtering occupies valuable hardware resources. Using Private VLANs provides a more efficient alternative for separating the traffic sent to each subscriber (see “Configuring Private...
  • Page 194 - To specify a port list, use a hyphen to indicate a range of ports, or a comma to indicate a group of non-consecutive ports. - This switch provides a total of 7 masks for filtering functions, including IP-MAC address packet filtering, NetBIOS packet filtering, DHCP packet filtering, and ACLs.
  • Page 195 However, to ensure that this information is never sent out on the Internet, NetBIOS packet filtering should be enabled on all data ports if the switch is not operating behind a firewall. - When NetBIOS packet filtering is enabled, NetBIOS packets...
  • Page 196: Filtering Ip/Mac Address Pairs

    Web – Click Security, Packet Filter, Base Filter Configuration. Select the type of service packets to filter, and click Apply. Figure 7-5 Packet Filtering – Base Filter CLI – This example blocks DHCP service requests, DHCP reply packets, and all NetBIOS packets on port 1.
  • Page 197: Figure 7-6 Packet Filtering - Ip/Mac Filter

    • This switch provides a total of 7 masks for filtering functions, including IP-MAC address packet filtering, NetBIOS packet filtering, DHCP packet filtering, and ACLs. One mask is allocated to IP-MAC packet filtering if any entries are defined. This mask will be released for use by other filtering functions if all IP-MAC packet filtering entries are deleted.
  • Page 199: Access Control Lists

    An ACL is a sequential list of permit or deny conditions that apply to IP addresses, MAC addresses, or other more specific criteria. This switch tests ingress or egress packets against the conditions in an ACL one by one. A packet will be accepted as soon as it matches a permit rule, or dropped as soon as it matches a deny rule.
  • Page 200 • The switch does not support the explicit “deny any any” rule for the egress IP ACL or the egress MAC ACLs. If these rules are included in an ACL, and you attempt to bind the ACL to an interface for egress checking, the bind operation will fail.
  • Page 201: Setting The Acl Name And Type

    • Egress MAC ACLs only work for destination-mac-known packets, not for multicast, broadcast, or destination-mac-unknown packets. The order in which active ACLs are checked is as follows: 1. User-defined rules in the Egress MAC ACL for egress ports. 2. User-defined rules in the Egress IP ACL for egress ports. 3.
  • Page 202: Configuring A Standard Ip Acl

    Web – Click Security, ACL, Configuration. Enter an ACL name in the Name field, select the list type (IP Standard, IP Extended, or MAC), and click Add to open the configuration page for the new list. CLI – This example creates a standard IP ACL named bill.
    Console(config)#access-list ip standard bill
    Console(config-std-acl)#
    Configuring a Standard IP ACL...
  • Page 203: Configuring An Extended Ip Acl

    Web – Specify the action (i.e., Permit or Deny). Select the address type (Any, Host, or IP). If you select “Host,” enter a specific address. If you select “IP,” enter a subnet address and the mask for an address range. Then click Add.
  • Page 204 • Source/Destination Subnet Mask – Subnet mask for source or destination address. (See the description for SubMask on page 8-4.) • Service Type – Packet priority settings based on the following criteria: - Precedence – IP precedence level. (Range: 0-7) - TOS –...
  • Page 205: Figure 8-3 Acl Configuration - Extended Ip

    Web – Specify the action (i.e., Permit or Deny). Specify the source and/or destination addresses. Select the address type (Any, Host, or IP). If you select “Host,” enter a specific address. If you select “IP,” enter a subnet address and the mask for an address range. Set any other required criteria, such as service type, protocol type, or TCP control code.
  • Page 206: Configuring A Mac Acl

    3. Permit all TCP packets from class C addresses 192.168.1.0 with the TCP control code set to “SYN.”
    Console(config-ext-acl)#permit 10.7.1.1 255.255.255.0 any
    Console(config-ext-acl)#permit tcp 192.168.1.0 255.255.255.0 any destination-port 80
    Console(config-ext-acl)#permit tcp 192.168.1.0 255.255.255.0 any control-flag 2 2
    Console(config-ext-acl)#
    Configuring a MAC ACL Command Attributes...
  • Page 207: Figure 8-4 Acl Configuration - Mac

    Command Usage Egress MAC ACLs only work for destination-mac-known packets, not for multicast, broadcast, or destination-mac-unknown packets. Web – Specify the action (i.e., Permit or Deny). Specify the source and/or destination addresses. Select the address type (Any, Host, or MAC). If you select “Host,”...
  • Page 208: Configuring Acl Masks

    Rules matching subsequent entries in the mask are then checked in the specified order. The switch includes two system default masks that pass/filter packets matching the permit/deny rules specified in an ingress ACL. You can also configure up to seven user-defined masks for an ingress or egress ACL. A mask must be bound exclusively to one of the basic ACL types (i.e., Ingress...
  • Page 209: Configuring An Ip Acl Mask

    Web – Click Security, ACL, Mask Configuration. Click Edit for one of the basic mask types to open the configuration page. Figure 8-5 Selecting ACL Mask Types CLI – This example creates an IP ingress mask, and then adds two rules. Each rule is checked in order of precedence to look for a match in the ACL entries.
  • Page 210 • Source/Destination Subnet Mask – Source or destination address of rule must match this bitmask. (See the description for SubMask on page 8-4.) • Protocol Mask – Check the protocol field. • Service Type Mask – Check the rule for the specified priority type. (Options: Precedence, TOS, DSCP;...
  • Page 211: Figure 8-6 Acl Mask Configuration - Ip

    Web – Configure the mask to match the required rules in the IP ingress or egress ACLs. Set the mask to check for any source or destination address, a specific host address, or an address range. Include other criteria to search for in the rules, such as a protocol type or one of the service types.
  • Page 212: Configuring A Mac Acl Mask

    CLI – This shows that the entries in the mask override the precedence in which the rules are entered into the ACL. In the following example, packets with the source address 10.1.1.1 are dropped because the “deny 10.1.1.1 255.255.255.255”...
  • Page 213: Figure 8-7 Acl Mask Configuration - Mac

    Web – Configure the mask to match the required rules in the MAC ingress or egress ACLs. Set the mask to check for any source or destination address, a host address, or an address range. Use a bitmask to search for specific VLAN ID(s) or Ethernet type(s).
  • Page 214: Binding A Port To An Access Control List

    • You must configure a mask for an ACL rule before you can bind it to a port. • This switch supports ACLs for both ingress and egress filtering. However, you can only bind one IP ACL and one MAC ACL to any port for ingress filtering, and one IP ACL and one MAC ACL to any port for egress filtering.
  • Page 215: Figure 8-8 Acl Port Binding

    ACL must be deny rules. Otherwise, the bind operation will fail. • The switch does not support the explicit “deny any any” rule for the egress IP ACL or the egress MAC ACLs. If these rules are included in an ACL, and you attempt to bind the ACL to an interface for egress checking, the bind operation will fail.
  • Page 216 CLI – This example assigns an IP and MAC ingress ACL to port 1, and an IP ingress ACL to port 2.
    Console(config)#interface ethernet 1/1
    Console(config-if)#ip access-group tom in
    Console(config-if)#mac access-group jerry in
    Console(config-if)#exit
    Console(config)#interface ethernet 1/2
    Console(config-if)#ip access-group tom in
    Console(config-if)#
  • Page 217: Port Configuration

    Displaying Connection Status You can use the Port Information or Trunk Information pages to display the current connection status, including link state, speed/duplex mode, flow control, and auto-negotiation. Field Attributes (Web) • Name – Interface label. • Type – Indicates the port type. (100BASE-TX, 1000BASE-T, or SFP) •...
  • Page 218: Figure 9-1 Port - Port Information

    • Port type – Indicates the port type. (100BASE-TX, 1000BASE-T, SFP) • MAC address – The physical layer address for this port. (To access this item on the web, see “Setting the Switch’s IP Address” on page 4-11.) Configuration: • Name – Interface label.
  • Page 219 “Configuring Interface Connections” on page 3-48.) The following capabilities are supported. - 10half - Supports 10 Mbps half-duplex operation - 10full - Supports 10 Mbps full-duplex operation - 100half - Supports 100 Mbps half-duplex operation - 100full - Supports 100 Mbps full-duplex operation - 1000full - Supports 1000 Mbps full-duplex operation - Sym - Transmits and receives pause frames for flow control - FC - Supports flow control...
  • Page 220: Configuring Interface Connections

    CLI – This example shows the connection status for Port 5.
    Console#show interfaces status ethernet 1/5
    Information of Eth 1/13
    Basic information:
    Port type:
    Mac address:
    Configuration:
    Name:
    Port admin:
    Speed-duplex:
    Capabilities:
    Broadcast storm:
    Broadcast storm limit:
    Flow control:
    LACP:
    Port security:
    Max MAC count:...
  • Page 221 - FC - Supports flow control Flow control can eliminate frame loss by “blocking” traffic from end stations or segments connected directly to the switch when its buffers fill. When enabled, back pressure is used for half-duplex operation...
  • Page 222 and IEEE 802.3x for full-duplex operation. (Avoid using flow control on a port connected to a hub unless it is actually required to solve a problem. Otherwise back pressure jamming signals may degrade overall performance for the segment attached to the hub.) (Default: Autonegotiation is permanently disabled on ports 1-16, and enabled on ports 17-19;...
  • Page 223: Figure 9-2 Port - Port Configuration

    Web – Click Port, Port Configuration or Trunk Configuration. Modify the required interface settings, and click Apply. Figure 9-2 Port - Port Configuration CLI – Select the interface, and then enter the required settings.
    Console(config)#interface ethernet 1/19
    Console(config-if)#description RD SW#19
    Console(config-if)#shutdown
    Console(config-if)#no shutdown
    Console(config-if)#no negotiation...
  • Page 224: Creating Trunk Groups

    EtherChannel standard. On the other hand, LACP configured ports can automatically negotiate a trunked link with LACP-configured ports on another device. You can configure any number of ports on the switch as LACP, as long as they are not already configured as part of a static trunk. If ports on another device are also configured as LACP, the switch and the other device will negotiate a trunk link between them.
  • Page 225: Statically Configuring A Trunk

    However, note that the static trunks on this switch are Cisco EtherChannel compatible. • To avoid creating a loop in the network, be sure you add a static...
  • Page 226: Figure 9-3 Static Trunk Configuration

    Web – Click Port, Trunk Membership. Enter a trunk ID of 1-12 in the Trunk field, select any of the switch ports from the scroll-down port list, and click Add. After you have completed adding ports to the member list, click Apply.
  • Page 227: Enabling Lacp On Selected Ports

    CLI – This example creates trunk 1 with ports 9 and 10. Just connect these ports to two static trunk ports on another switch to form a trunk.
    Console(config)#interface port-channel 1
    Console(config-if)#exit
    Console(config)#interface ethernet 1/9
    Console(config-if)#channel-group 1
    Console(config-if)#exit
    Console(config)#interface ethernet 1/10...
  • Page 228: Figure 9-4 Lacp Trunk Configuration

    • A trunk formed with another switch using LACP will automatically be assigned the next available trunk ID. • If more than eight ports attached to the same target switch have LACP enabled, the additional ports will be placed in standby mode, and will only be enabled if one of the active links fails.
  • Page 229: Configuring Lacp Parameters

    CLI – The following example enables LACP for ports 1 to 6. Just connect these ports to LACP-enabled trunk ports on another switch to form a trunk.
    Console(config)#interface ethernet 1/1
    Console(config-if)#lacp
    Console(config-if)#exit
    Console(config)#interface ethernet 1/6
    Console(config-if)#lacp
    Console(config-if)#end
    Console#show interfaces status port-channel 1...
  • Page 230 - Ports must be configured with the same system priority to join the same LAG. - System priority is combined with the switch’s MAC address to form the LAG identifier. This identifier is used to indicate a specific LAG during LACP negotiations with other systems.
  • Page 231: Figure 9-5 Lacp - Aggregation Port

    Web – Click Port, LACP, Aggregation Port. Set the System Priority, Admin Key, and Port Priority for the Port Actor. You can optionally configure these settings for the Port Partner. (Be aware that these settings only affect the administrative state of the partner, and will not take effect until the next time an aggregate link is formed with this device.) After you have completed setting the port LACP parameters, click Apply.
  • Page 232: Backup Mode

    CLI – The following example configures LACP parameters for ports 1-10. Ports 1-8 are used as active members of the LAG, ports 9 and 10 are set to backup mode.
    Console(config)#interface ethernet 1/1
    Console(config-if)#lacp actor system-priority 3
    Console(config-if)#lacp actor admin-key 120
    Console(config-if)#lacp actor port-priority 128
    Console(config-if)#exit
    Console(config)#interface ethernet 1/10...
  • Page 233: Displaying Lacp Port Counters

    Displaying LACP Port Counters You can display statistics for LACP protocol messages. Parameters: LACPDUs Sent; LACPDUs Received (Number of valid LACPDUs received by this channel); Marker Sent; Marker Received; Marker Unknown Pkts; Marker Illegal Pkts. Web – Click Port, LACP, Port Counters Information. Select a member port to display the corresponding information.
  • Page 234: Displaying Lacp Settings And Status For The Local Side

    CLI – The following example displays LACP counters for port channel 1.
    Console#show lacp 1 counters
    Port channel: 1
    -------------------------------------------------------------------
    Eth 1/ 2
    -------------------------------------------------------------------
    LACPDUs Sent:
    LACPDUs Receive:
    Marker Sent:
    Marker Receive:
    LACPDUs Unknown Pkts: 0
    LACPDUs Illegal Pkts: 0
    Displaying LACP Settings and Status for the Local Side You can display configuration settings and the operational state for the local side of a link aggregation.
  • Page 235 Table 9-2 LACP Internal Configuration Information (Continued). Fields: LACPDUs Internal – Number of seconds before invalidating received LACPDU information. Admin State, Oper State – Administrative or operational values of the actor’s state parameters: • Expired – The actor’s receive machine is in the expired state; •...
  • Page 236: Figure 9-7 Lacp - Port Internal Information

    Web – Click Port, LACP, Port Internal Information. Select a port channel to display the corresponding information. Figure 9-7 LACP - Port Internal Information CLI – The following example displays the LACP configuration settings and operational state for the local side of port channel 1.
    Console#show lacp 1 internal
    Port channel: 1
    -------------------------------------------------------------------...
  • Page 237: Displaying Lacp Settings And Status For The Remote Side

    Displaying LACP Settings and Status for the Remote Side You can display configuration settings and the operational state for the remote side of a link aggregation. Table 9-3 LACP Neighbor Configuration Information. Fields: Partner Admin System; Partner Oper System; Partner Admin Port Number; Partner Oper Port Number...
  • Page 238: Figure 9-8 Lacp - Port Neighbors Information

    Web – Click Port, LACP, Port Neighbors Information. Select a port channel to display the corresponding information. Figure 9-8 LACP - Port Neighbors Information CLI – The following example displays the LACP configuration settings and operational state for the remote side of port channel 1.
    Console#show lacp 1 neighbors
    Port channel 1 neighbors
    -------------------------------------------------------------------...
  • Page 239: Setting Broadcast Storm Thresholds

    Setting Broadcast Storm Thresholds Broadcast storms may occur when a device on your network is malfunctioning, or if application programs are not well designed or properly configured. If there is too much broadcast traffic on your network, performance can be severely degraded or everything can come to a complete halt.
  • Page 240: Figure 9-9 Port Broadcast Control

    Web – Click Port, Port Broadcast Control or Trunk Broadcast Control. Check the Enabled box for any interface, set the threshold, and click Apply. CLI – Specify any interface, and then enter the threshold. The following disables broadcast storm control for port 1, and then sets broadcast suppression at 600 packets per second for port 2.
  • Page 241: Configuring Port Mirroring

    Configuring Port Mirroring You can mirror traffic from any source port to a target port for real-time analysis. You can then attach a logic analyzer or RMON probe to the target port and study the traffic crossing the source port in a completely unobtrusive manner.
  • Page 242: Configuring Rate Limits

    Rate limiting is configured on interfaces at the edge of a network to limit traffic into or out of the switch. Traffic that falls within the rate limit is transmitted, while packets that exceed the acceptable amount of traffic are dropped.
  • Page 243: Figure 9-11 Rate Limit Configuration For Ethernet Interface

    Note: You can also set an SNMP trap if traffic exceeds the configured rate limit using the CLI (see the “rate-limit trap-input” command on page 28-3). Command Attribute Rate Limit – Sets the input or output rate limit for an Ethernet interface, or the input rate limit for a VLAN port member, in increments of 64 Kbps.
  • Page 244: Figure 9-12 Rate Limit Configuration For Vlan Port Member

    CLI - This example sets the rate limit for input and output traffic passing through port 1 to 64 Kbps.
    Console(config)#interface ethernet 1/1
    Console(config-if)#rate-limit input 64
    Console(config-if)#rate-limit output 64
    Console(config-if)#
    Configuring the Rate Limit for a VLAN Port Member Web - Click Port, Rate Limit, Input VLAN Configuration.
  • Page 245: Showing Port Statistics

    RMON MIB. Interfaces and Ethernet-like statistics display errors on the traffic passing through each port. This information can be used to identify potential problems with the switch (such as a faulty port or unusually heavy loading). RMON statistics provide access to a broad range of statistics, including a total count of different frame types and sizes passing through each port.
  • Page 246 Table 9-4 Port Statistics (Continued). Parameters: Received Unknown Packets – The number of packets received via the interface which were discarded because of an unknown or...; Received Errors; Transmit Octets; Transmit Unicast Packets; Transmit Multicast Packets; Transmit Broadcast Packets; Transmit Discarded Packets; Transmit Errors. Etherlike Statistics: Alignment Errors; Late Collisions. (Description fragment: “The total number of packets that higher-level...”)
  • Page 247 Table 9-4 Port Statistics (Continued). Parameters: FCS Errors; Excessive Collisions; Single Collision Frames; Internal MAC Transmit Errors; Multiple Collision Frames – A count of successfully transmitted frames for which...; Carrier Sense Errors; SQE Test Errors; Frames Too Long; Deferred Transmissions; Internal MAC Receive Errors...
  • Page 248 Table 9-4 Port Statistics (Continued). RMON Statistics: Drop Events – The total number of events in which packets were dropped due to lack of resources; Jabbers – The total number of frames received that were longer than 1518 octets (excluding framing bits, but including FCS octets), and had either an FCS or...; Received Bytes; Collisions; Received Frames; Broadcast Frames; Multicast Frames; CRC/Alignment Errors; Undersize Frames; Oversize Frames; Fragments.
  • Page 249 Table 9-4 Port Statistics (Continued). Parameters: 64 Byte Frames – The total number of frames (including bad packets) received and transmitted that were 64 octets in length (excluding framing bits but including FCS octets); 65-127 Byte Frames; 128-255 Byte Frames; 256-511 Byte Frames; 512-1023 Byte Frames; 1024-1518 Byte Frames; 1519-1536 Byte Frames.
  • Page 250: Figure 9-13 Port Statistics

    Web – Click Port, Port Statistics. Select the required interface, and click Query. You can also use the Refresh button at the bottom of the page to update the screen. Figure 9-13 Port Statistics...
  • Page 251: Port Statistics

    CLI – This example shows statistics for port 12.
    Console#show interfaces counters ethernet 1/12
    Ethernet 1/12
    Iftable stats:
    Octets input: 868453, Octets output: 3492122
    Unicast input: 7315, Unitcast output: 6658
    Discard input: 0, Discard output: 0
    Error input: 0, Error output: 0
    Unknown protos input: 0, QLen output: 0
    Extended iftable stats:
    Multi-cast input: 0, Multi-cast output: 17027...
  • Page 253: Vdsl Configuration

    Alarm thresholds can be defined in a profile and then applied globally to the switch or to selected ports. The switch also provides an extensive listing of VDSL statistics.
  • Page 254 (Default: Enabled) The data rate on a VDSL line can be affected by factors such as temperature, humidity, and electro-magnetic radiation. When rate adaptation is enabled and the port links up, the switch will determine...
  • Page 255 the optimal transmission rate for the current conditions, setting the rate within the bounds defined by the Data Rate. When rate adaptation is enabled and the signal quality deteriorates on any line or the link is re-established after being dropped, that port will automatically enter retraining and connect at the optimum rate if Auto-retraining is enabled (described later in this section).
  • Page 256 Upstream power back-off (UPBO) is used to mitigate far-end crosstalk caused by upstream transmissions from shorter to longer loops. The bounding power levels specified in this table are used to reshape the PSD, ensuring that the signals on short to long loops are compatible. The transceiver will adjust its transmitted signal to conform to the power limitations set in this table.
  • Page 257 Web – Click VDSL, Global Configuration. Configure the required items, and click Apply. (Note that the parameters in the following screen are all set to their default values.)
  • Page 258: Figure 10-1 Vdsl Global Configuration

    Figure 10-1 VDSL Global Configuration CLI – This example displays sample settings for some of the VDSL global configuration commands.
    Console(config)#lre psd-breakpoint 5
    Console(config)#lre psd-frequencies 1 3750
    Console(config)#lre psd-value 1 240
    Console(config)#lre psd-mask-level 5
    Console(config)#lre upbo
    Console(config)#lre rate-adaption
    Console(config)#lre rate-set input 200000
    Console(config)#lre auto-retraining
    Console(config)#lre pbo-config k1[0] 0 k1[1] -60000 k1[2] -60000...
  • Page 259: Configuring Interface Settings For Vdsl Ports

    VDSL ports. It is recommended that ports that are not wired to CPEs be shut down in this way. This command can also be used to disable access to the switch from this port for troubleshooting or security reasons. • Start Up – Re-enables a port that has been previously shut down.
  • Page 260 Configuration Tables • Channel Mode – Sets the channel mode to fast or interleaved. (Default: Interleaved) Interleaving protects data against bursts of errors by using the Reed-Solomon error correction algorithm to spread the errors over a number of code words. A greater degree of interleaving provides more protection against noise pulses, but increases transmission delay and reduces the effective bandwidth.
  • Page 261 • Region Ham Band – Sets the ham radio band that will be blocked to VDSL signals based on defined usage types. (Options: See Table 29-5, “HAM Band Notches for Usage Types,” on page 29-10. Default: none) Using a HAM band mask prevents interference with other systems (e.g., amateur radio) that use narrow band transmission in the VDSL frequency band.
  • Page 262 • PSD Breakpoints – See “Configuring Global Settings for VDSL Ports” on page 10-1. • PSD Mask Level – See “Configuring Global Settings for VDSL Ports” on page 10-1. • UPBO – See “Configuring Global Settings for VDSL Ports” on page 10-1. •...
  • Page 263 When rate adaptation is enabled, the signal-to-noise ratio (SNR) is an indicator of link quality. The switch itself has no internal functions to ensure link quality. To ensure a stable link, you should add a margin to the theoretical minimum signal-to-noise ratio (SNR).
  • Page 264 Web – Click VDSL, VDSL Port Configuration. Select one of the VDSL ports from the scroll-down list, set the required parameters, and click Apply. (Note that the parameters in the following screen are all set to their default values.)
  • Page 267: Figure 10-2 Vdsl Port Configuration

    Figure 10-2 VDSL Port Configuration
  • Page 268: Configuring Line Profiles

    CLI – This example displays sample settings for some of the VDSL port configuration commands.
    Console(config)#interface ethernet 1/1
    Console(config-if)#lre reset remote
    Console(config-if)#lre retraining
    Console(config-if)#lre channel interleave
    Console(config-if)#lre interleave-max-delay down 6
    Console(config-if)#lre ham-band 11
    Console(config-if)#lre region-ham-band 34
    Console(config-if)#lre band-plan 5
    Console(config-if)#lre option-band 2
    Console(config-if)#lre psd-breakpoint 5
    Console(config-if)#lre psd-frequencies 1 3750...
  • Page 269 Web – Click VDSL, Line Profile Configuration. Select a line profile from the drop-down list above the Line Profile table of connection parameters, configure the required items in this table, and then click the Apply button beneath the table to store the profile settings. Now select the required line profile from the drop-down list in the Line Profile Mapping table, and click the Apply button next to the VDSL ports to apply the selected profile.
  • Page 272: Figure 10-3 Line Profile Configuration

    CLI – This example displays sample settings for a line profile.
    Console(config)#line-profile southport
    Console(config-line-profile)#channel interleave
    Console(config-line-profile)#ham-band 11
    Console(config-line-profile)#region-ham-band 34
    Console(config-line-profile)#band-plan 5
    Console(config-line-profile)#option-band 2
    Console(config-line-profile)#down-max-inter-delay 6
    Console(config-line-profile)#tone tx 2
    Console(config-line-profile)#down-fast-max-datarate 190000
    Console(config-line-profile)#max-power down 58
    Console(config-line-profile)#min-protection down 5
    Console(config-line-profile)#down-target-noise-mgn 12
    Console(config-line-profile)#down-min-noise-mgn 12
    Console(config-line-profile)#exit
    Console(config)#interface ethernet 1/1...
  • Page 273: Displaying Vdsl Status Information

    Displaying VDSL Status Information This section describes the information displayed for VDSL configuration settings, signal status, and communication statistics. Field Attributes: LRE Status – Communication status of the VDSL line. Parameters: Port Status; Training Margin; Line Protection (Slow Path); Downstream/Upstream Delay; Tx Total Power; FE Tx Total Power...
  • Page 274: Table 10-2 Rate Status

    Table 10-1 LRE Status (Continued). Parameters: Avg SNR Margin – Average signal-to-noise margin above the SNR; Avg SNR – Average signal-to-noise ratio. LRE Rate Information – Data Rates for the VDSL line. Parameters: Port Status; Line Rate; Payload Rate; Attainable Payload Rate; Attainable Line Rate.
  • Page 275: Figure 10-4 Vdsl Status Information

    Web – Click VDSL, VDSL Status Information. Select a VDSL port from the drop-down list, and click Query. Figure 10-4 VDSL Status Information
  • Page 276 CLI – This example displays connection status and data rates for the selected VDSL port.
    Console#show lre 1/1
    port 1 status :
    Downstream Training Margin:
    Upstream Training Margin:
    Downstream Line Protection (Slow Path):
    Upstream Line Protection (Slow Path):
    Downstream delay:
    Upstream delay:...
  • Page 277: Displaying Vdsl Performance Statistics

    Displaying VDSL Performance Statistics This section describes the performance information displayed for VDSL lines, including common error conditions over predefined intervals. Field Attributes: Error Statistics. Parameters: Loss of Frame; Loss of Signal; Loss of Power; Errored Seconds; Severely Errored Seconds; Unavailable Seconds – Number of seconds during which the VDSL transceiver is... Ethernet Receive Performance Counters: Table 10-4 Ethernet Receive Performance Counters...
  • Page 278: Table 10-5 Ethernet Transmit Performance Counters

    Table 10-4 Ethernet Receive Performance Counters (Continued). Parameters: Alignment Errors – Number of alignment errors (missynchronized data packets); Oversize; Undersize; CRC Errors; Carrier Sense Errors. Ethernet Transmit Performance Counters: Table 10-5 Ethernet Transmit Performance Counters. Parameters: Frames; Bytes; Pause Frames.
  • Page 279: Table 10-6 H.d.l.c. Performance Counters

    High-Level Data-Link Control (H.D.L.C.) Performance Counters Table 10-6 H.D.L.C. Performance Counters Parameter Description CRC Errors Number of CRC errors (FCS or alignment errors). Invalid Frames Number of frames not properly bounded by flags, not containing an integral number of octets prior to zero-bit insertion or following zero-bit extraction, containing an FCS error, or containing an incorrect address field.
  • Page 280: Figure 10-5 Vdsl Performance Statistics

    Web – Click VDSL, VDSL Performance Statistics. Select a VDSL port from the drop-down list, and click Query. Figure 10-5 VDSL Performance Statistics
  • Page 281 CLI – This example displays performance information for the selected VDSL port.
    Console#show lre perf 1/1
    port 1 performance counters since last reset :
    Loss of frame : 0
    Loss of power : 0
    Severely error seconds: 0
    port 1 performance counters in current 15min interval :
    Loss of frame : 0
    Loss of power : 0
    Severely error seconds: 0...
  • Page 282: Configuring An Alarm Profile

    Configuring an Alarm Profile This section describes how to configure a list of threshold values for error states which can be applied to a selected group of ports. Command Attributes • Alarm Profile – Name of the profile. (Range: 1-31 alphanumeric characters) The default profile includes the default thresholds for VDSL lines.
  • Page 283 This parameter sets the threshold for the number of severely errored seconds within any 15 minute collection interval for performance data. If the number of severely errored seconds in a particular 15-minute collection interval reaches or exceeds this value, a vdslPerfSESsThreshNotification notification will be generated.
  • Page 284 interval reaches or exceeds this value, a vdslPerfLossThreshNotification notification will be generated. (Refer to RFC 3728 for information on this notification message.) No more than one notification will be sent per interval. • thresh-15min-uass – Threshold for Unavailable Seconds (UASs) that can occur within any given 15 minutes.
  • Page 285 • init-failure – Threshold for initialization failures that can occur within any given 15 minutes. (Range: 0-900 seconds, where 0 disables the threshold; Default: 1) There are many factors which can cause an initialization failure, including lossOfFraming, lossOfSignal, lossOfPower, lossOfSignalQuality, lossOfLink, dataInitFailure, configInitFailure, protocolInitFailure, or noPeerVtuPresent.
  • Page 286 Web – Click VDSL, Alarm Profile Configuration. Select a profile from the drop-down list above the Alarm Profile table of thresholds, configure the required items in this table, and then click the Apply button beneath the table to store the profile settings. Now select the required alarm profile from the drop-down list in the Alarm Profile Mapping table, and click the Apply button next to the VDSL ports to apply the selected profile.
  • Page 287: Figure 10-6 Alarm Profile Configuration

    Figure 10-6 Alarm Profile Configuration CLI – This example displays sample settings for an alarm profile.
    Console(config)#alarm-profile southport
    Console(config-alarm-profile)#thresh-15min-ess 25
    Console(config-alarm-profile)#thresh-15min-sess 15
    Console(config-alarm-profile)#thresh-15min-lofs 15
    Console(config-alarm-profile)#thresh-15min-lols 15
    Console(config-alarm-profile)#thresh-15min-loss 15
    Console(config-alarm-profile)#thresh-15min-uass 15
    Console(config-alarm-profile)#thresh-15min-lprs 15
    Console(config-alarm-profile)#init-failure 5
    Console(config-alarm-profile)#exit
    Console(config)#interface ethernet 1/1
    Console(config-if)#lre alarm-profile southport
    Console(config-if)#
  • Page 288: Displaying Cpe Information

    Displaying CPE Information This section describes the information displayed for an attached CPE, including firmware module versions, and performance counters. Field Attributes: CPE Firmware Versions. Parameters: Protocol; Host Application Version; BME Firmware Version; AFE Hardware Version; IFE Hardware Version; Firmware Number; Active Version...
  • Page 289: Table 10-9 Cpe Performance Counters

    CPE Performance Counters Table 10-9 CPE Performance Counters. Parameters (cpe performance counters): FeFEC_F; FeCRC_F; FeFEC_S; FeCRC_S; FeFLOS; FeSEF; FeFECUnCrr_F; FeFECUnCrr_S. INI Far End Counters (Ikanos Network Interface): TX_FRAME_CNT; RX_FRAME_CNT; TX_CRC_FRAME_CNT – Transmitted frames with CRC errors; RX_CRC_FRAME_CNT – Received frames with CRC errors; DROP_FRAME_CNT; Error Seconds. VDSL Port CRS Errors...
  • Page 290 Web – Click VDSL, CPE Information. Select a VDSL port from the drop-down list, and click Query.
  • Page 291: Figure 10-7 Cpe Information

    Figure 10-7 CPE Information
  • Page 292 CLI – This example displays information about the CPE attached to the selected VDSL port.
    Console#show cpe-info 1/1
    Protocol ID: Ikanos EOC Protocol
    Protocol Version - Major:
    Protocol Version - Minor:
    Vendor ID (Value):
    Host Application Version:
    BME Firmware Version:
    RTOS Nucleus
    AFE Hardware Version:...
  • Page 293: Configuring Oam Functions And Upgrading Cpe Firmware

    1. Use the “Copy BME Firmware to CO Firmware Buffer from TFTP Server” dialog box to download firmware from a TFTP server to reserved buffer space in the switch. 2. Under the OAM Remote Action field, click “Upgrade Firmware” to transfer the firmware to a remote CPE.
  • Page 294 CPE. (BME indicates the Burst Mode Engine used for digital signal processing.) Copying CPE Firmware to Buffer on Switch • Copy BME Firmware to CO Firmware Buffer from TFTP Server – Copies BME firmware used for upgrading CPEs from a TFTP server to reserved buffer space in the switch.
  • Page 295: Figure 10-8 Cpe Information

    OAM functions listed under the Action field. Before upgrading firmware on an attached CPE, first download it to the reserved buffer space on the switch using the dialog box at the bottom of this screen.
  • Page 296 CLI – This example shows how to perform common OAM functions, and how to download firmware to a CPE.
    Console(config)#interface ethernet 1/1
    Console(config-if)#oam local clear counter
    port 1 :
    Console(config-if)#exit
    Console#copy tftp firmware
    TFTP server IP address: 192.168.1.19
    Source file name: 724maccpe
    Success.
  • Page 297: Address Table Settings

    Setting Static Addresses A static address can be assigned to a specific interface on this switch. Static addresses are bound to the assigned interface and will not be moved. When a static address is seen on another interface, the address will be ignored and will not be written to the address table.
  • Page 298: Displaying The Address Table

    Displaying the Address Table The Dynamic Address Table contains the MAC addresses learned by monitoring the source address for traffic entering the switch. When the destination address for inbound traffic is found in the database, the packets intended for that address are forwarded directly to the associated port.
  • Page 299: Figure 11-2 Dynamic Addresses

    Command Attributes • Interface – Indicates a port or trunk. • MAC Address – Physical address associated with this interface. • VLAN – ID of configured VLAN (1-4094). • Address Table Sort Key – You can sort the information displayed based on MAC address, VLAN or interface (port or trunk).
  • Page 300: Changing The Aging Time

    CLI – This example also displays the address table entries for port 1.
    Console#show mac-address-table interface ethernet 1/1
    Interface Mac Address
    --------- ----------------- ---- -----------------
    Eth 1/ 1  00-E0-29-94-34-DE
    Eth 1/ 1  00-20-9C-23-CD-60
    Console#
    Changing the Aging Time
    You can set the aging time for entries in the dynamic address table.
  • Page 301: Spanning Tree Algorithm

    The Spanning Tree Algorithm (STA) can be used to detect and disable network loops, and to provide backup links between switches, bridges or routers. This allows the switch to interact with other bridging devices (that is, an STA-compliant switch, bridge or router) in your network to ensure...
  • Page 302 Once a stable network topology has been established, all bridges listen for Hello BPDUs (Bridge Protocol Data Units) transmitted from the Root Bridge. If a bridge does not get a Hello BPDU after a predefined interval (Maximum Age), the bridge assumes that the link to the Root Bridge is down.
  • Page 303 maintain connectivity among each of the assigned VLAN groups. MSTP then builds an Internal Spanning Tree (IST) for the Region containing all commonly configured MSTP bridges. An MST Region consists of a group of interconnected bridges that have the same MST Configuration Identifiers (including the Region Name, Revision Level and Configuration Digest –...
  • Page 304: Displaying Global Settings

    STA Information screen. Field Attributes • Spanning Tree State – Shows if the switch is enabled to participate in an STA-compliant network. • Bridge ID – A unique identifier for this bridge, consisting of the bridge...
  • Page 305 • Designated Root – The priority and MAC address of the device in the Spanning Tree that this switch has accepted as the root device. - Root Port – The number of the port on this switch that is closest to the root. This switch communicates with the root device through this port.
  • Page 306: Figure 12-1 Sta Information

    configuration messages at regular intervals. If the root port ages out STA information (provided in the last configuration message), a new root port is selected from among the device ports attached to the network. (References to “ports” in this section mean “interfaces,” which includes both ports and trunks.) •...
  • Page 307: Each Port

    CLI – This command displays global STA settings, followed by settings for each port.
    Console#show spanning-tree
    Spanning-tree information
    ---------------------------------------------------------------
    Spanning tree mode:
    Spanning tree enable/disable:
    Instance:
    Vlans configuration:
    Priority:
    Bridge Hello Time (sec.):
    Bridge Max Age (sec.):
    Bridge Forward Delay (sec.):
    Root Hello Time (sec.):
    Root Max Age (sec.):
    Root Forward Delay (sec.):...
  • Page 308: Configuring Global Settings

    RSTP node transmits, as described below: - STP Mode – If the switch receives an 802.1D BPDU (i.e., STP BPDU) after a port’s migration delay timer expires, the switch assumes it is connected to an 802.1D bridge and starts using only...
  • Page 309 • Spanning Tree Type – Specifies the type of spanning tree used on this switch: - STP: Spanning Tree Protocol (IEEE 802.1D); i.e., when this option is selected, the switch will use RSTP set to STP forced compatibility mode. - RSTP: Rapid Spanning Tree (IEEE 802.1w); RSTP is the default.
  • Page 310 reconfigure. All device ports (except for designated ports) should receive configuration messages at regular intervals. Any port that ages out STA information (provided in the last configuration message) becomes the designated port for the attached LAN. If it is a root port, a new root port is selected from among the device ports attached to the network.
  • Page 311 Configuration Settings for MSTP • Max Instance Numbers – The maximum number of MSTP instances to which this switch can be assigned. (Default: 33) • Configuration Digest – An MD5 signature key that contains the VLAN ID to MST ID mapping table. In other words, this key is a mapping of all VLANs to the CIST.
  • Page 312: Figure 12-2 Sta Global Configuration

    Web – Click Spanning Tree, STA, Configuration. Modify the required attributes, and click Apply. Figure 12-2 STA Global Configuration...
  • Page 313: Displaying Interface Settings

    CLI – This example enables Spanning Tree Protocol, sets the mode to MST, and then configures the STA and MSTP parameters.
    Console(config)#spanning-tree
    Console(config)#spanning-tree mode mstp
    Console(config)#spanning-tree priority 40000
    Console(config)#spanning-tree hello-time 5
    Console(config)#spanning-tree max-age 38
    Console(config)#spanning-tree forward-time 20
    Console(config)#spanning-tree pathcost method long
    Console(config)#spanning-tree transmission-limit 4
    Console(config)#spanning-tree mst-configuration
    Console(config-mstp)#revision 1...
  • Page 314 - If two ports of a switch are connected to the same segment and there is no other STA device attached to this segment, the port with the smaller ID forwards packets and the other is discarding. - All ports are discarding when the switch is booted, then some of them change state to learning, and then to forwarding.
  • Page 315 • Priority – Defines the priority used for this port in the Spanning Tree Algorithm. If the path cost for all ports on a switch is the same, the port with the highest priority (i.e., lowest value) will be configured as an active link in the Spanning Tree.
  • Page 316: Figure 12-3 Sta Port Information

    • Designated root – The priority and MAC address of the device in the Spanning Tree that this switch has accepted as the root device. • Fast forwarding – This field provides the same information as Admin Edge port, and is only included for backward compatibility with earlier products.
  • Page 317 CLI – This example shows the STA attributes for port 5.
    Console#show spanning-tree ethernet 1/5
    1/ 5 information
    --------------------------------------------------------------
    Admin Status:
    Role:
    State:
    External Admin Path Cost: 100000
    Internal Admin Path Cost: 100000
    External Oper Path Cost:
    Internal Oper Path Cost:
    Priority:
    Designated Cost:
    Designated Port:...
  • Page 318: Configuring Interface Settings

    • Priority – Defines the priority used for this port in the Spanning Tree Protocol. If the path cost for all ports on a switch is the same, the port with the highest priority (i.e., lowest value) will be configured as an active link in the Spanning Tree.
  • Page 319: Table 12-1 Recommended Sta Path Cost Range

    loops. Where more than one port is assigned the highest priority, the port with lowest numeric identifier will be enabled. - Default: 128 - Range: 0-240, in steps of 16 • Admin Path Cost – This parameter is used by the STA to determine the best path between devices.
  • Page 320 Edge Port should only be enabled for ports connected to an end-node device. (Default: Disabled) • Migration – If at any time the switch detects STP BPDUs, including Configuration or Topology Change Notification BPDUs, it will automatically set the selected interface to forced STP-compatible mode.
  • Page 321: Figure 12-4 Sta Port Configuration

    Web – Click Spanning Tree, STA, Port Configuration or Trunk Configuration. Modify the required attributes, then click Apply. Figure 12-4 STA Port Configuration
    CLI – This example sets STA attributes for port 7.
    Console(config)#interface ethernet 1/7
    Console(config-if)#no spanning-tree spanning-disabled
    Console(config-if)#spanning-tree port-priority 0
    Console(config-if)#spanning-tree cost 50
    Console(config-if)#spanning-tree link-type auto
    Console(config-if)#no spanning-tree edge-port...
  • Page 322: Configuring Multiple Spanning Trees

    By default all VLANs are assigned to the Internal Spanning Tree (MST Instance 0) that connects all bridges and LANs within the MST region. This switch supports up to 65 instances. You should try to group VLANs which cover the same general area of your network. However, remember...
  • Page 323: Figure 12-5 Mstp Vlan Configuration

    • VLANs in MST Instance – VLANs assigned to this instance. • MST ID – Instance identifier to configure. (Range: 0-4094; Default: 0) • VLAN ID – VLAN to assign to this selected MST instance. (Range: 1-4093) The other global attributes are described under “Displaying Global Settings,”...
  • Page 324 CLI – This displays STA settings for instance 1, followed by settings for each port.
    Console#show spanning-tree mst 1
    Spanning-tree information
    ---------------------------------------------------------------
    Spanning Tree Mode:
    Spanning Tree Enabled/Disabled:
    Instance:
    VLANs Configuration:
    Priority:
    Bridge Hello Time (sec.):
    Bridge Max Age (sec.):
    Bridge Forward Delay (sec.):
    Root Hello Time (sec.):
    Root Max Age (sec.):...
  • Page 325: Displaying Interface Settings For Mstp

    CLI – This example sets the priority for MSTI 1, and adds VLANs 1-5 to this MSTI.
    Console(config)#spanning-tree mst-configuration
    Console(config-mst)#mst 1 priority 4096
    Console(config-mstp)#mst 1 vlan 1-5
    Console(config-mst)#
    Displaying Interface Settings for MSTP
    The MSTP Port Information and MSTP Trunk Information pages display the current status of ports and trunks in the selected MST instance.
  • Page 326: Spanning Tree

    CLI – This displays STA settings for instance 0, followed by settings for each port. The settings for instance 0 are global settings that apply to the IST (page 12-4); the settings for other instances only apply to the local spanning tree.
  • Page 327: Configuring Interface Settings For Mstp

    • Priority – Defines the priority used for this port in the Spanning Tree Protocol. If the path cost for all ports on a switch is the same, the port with the highest priority (i.e., lowest value) will be configured as an active link in the Spanning Tree.
  • Page 328 • Admin MST Path Cost – This parameter is used by the MSTP to determine the best path between devices. Therefore, lower values should be assigned to ports attached to faster media, and higher values assigned to ports with slower media. (Path cost takes precedence over port priority.) (Range: 0 for auto-configuration, 1-65535 for the short path cost method, 1-200,000,000 for the long path cost method)
  • Page 329: Figure 12-7 Mstp Port Configuration

    Web – Click Spanning Tree, MSTP, Port Configuration or Trunk Configuration. Enter the priority and path cost for an interface, and click Apply. Figure 12-7 MSTP Port Configuration
    CLI – This example sets the MSTP attributes for port 4.
    Console(config)#interface ethernet 1/4
    Console(config-if)#spanning-tree mst port-priority 0
    Console(config-if)#spanning-tree mst cost 50
    Console(config-if)
  • Page 331: Vlan Configuration

    IEEE 802.1Q VLANs (page 13-2), private VLANs (page 13-18), or protocol VLANs (page 13-20). • QinQ – Sets the switch to QinQ mode, and allows the QinQ tunnel port to be configured. For an explanation of QinQ, see “Configuring IEEE 802.1Q Tunneling”...
  • Page 332: Ieee 802.1Q Vlans

    Web – Click VLAN, System Mode. Select the required mode, click Apply.
    CLI – This example sets the switch to operate in QinQ mode.
    Console(config)#system mode qinq
    Console(config)#
    IEEE 802.1Q VLANs
    In large networks, routers are used to isolate broadcast traffic for each subnet into separate domains.
  • Page 333 • Priority tagging Assigning Ports to VLANs Before enabling VLANs for the switch, you must first assign each port to the VLAN group(s) in which it will participate. By default all ports are assigned to VLAN 1 as untagged ports. Add a port as a tagged port if you...
  • Page 334 VLAN Classification – When the switch receives a frame, it classifies the frame in one of two ways. If the frame is untagged, the switch assigns the frame to an associated VLAN (based on the default VLAN ID of the receiving port).
  • Page 335: Forwarding Tagged/Untagged Frames

    When the message arrives at another switch that supports GVRP, it will also place the receiving port in the specified VLANs, and pass the message on to all other ports. VLAN requirements are propagated in this way throughout the network. This allows GVRP-compliant devices to be automatically configured for VLAN groups based solely on endstation requests.
  • Page 336: Enabling Or Disabling Gvrp (Global Setting)

    When forwarding a frame from this switch along a path that contains any VLAN-aware devices, the switch should include VLAN tags. When forwarding a frame from this switch along a path that does not contain any VLAN-aware devices (including the destination host), the switch must first strip off the VLAN tag before forwarding the frame.
  • Page 337: Displaying Basic Vlan Information

    CLI – This example enables GVRP for the switch.
    Console(config)#bridge-ext gvrp
    Console(config)#
    Displaying Basic VLAN Information
    The VLAN Basic Information page displays basic information on the VLAN type supported by the switch. Field Attributes • VLAN Version Number specified in the IEEE 802.1Q standard.
  • Page 338: Displaying Current Vlans

    • Up Time at Creation – Time this VLAN was created (i.e., System Up Time). • Status – Shows how this VLAN was added to the switch. - Dynamic GVRP: Automatically learned via GVRP. - Permanent: Added as a static entry.
  • Page 339: Figure 13-4 Vlan Current Table

    Figure 13-4 VLAN Current Table Command Attributes (CLI) • VLAN – ID of configured VLAN (1-4094, no leading zeroes). • Type – Shows how this VLAN was added to the switch. - Dynamic: Automatically learned via GVRP. - Static: Added as a static entry.
  • Page 340: Creating Vlans

    Console#
    Creating VLANs
    Use the VLAN Static List to create or remove VLAN groups. To propagate information about VLAN groups used on this switch to external network devices, you must specify a VLAN ID for each of these groups. Command Attributes •...
  • Page 341: Figure 13-5 Vlan Static List - Creating Vlans

    • Remove – Removes a VLAN group from the current list. If any port is assigned to this group as untagged, it will be reassigned to VLAN group 1 as untagged. Web – Click VLAN, 802.1Q VLAN, Static List. To create a new VLAN, enter the VLAN ID and VLAN name, mark the Enable checkbox to activate the VLAN, and then click Add.
  • Page 342: Adding Static Members To Vlans (Vlan Index)

    VLAN compliant devices, or untagged if they are not connected to any VLAN-aware devices. Or configure a port as forbidden to prevent the switch from automatically adding it to a VLAN via the GVRP protocol. Notes: 1. You can also use the VLAN Static Membership by Port page to configure VLAN groups based on the port index (page 13-14).
  • Page 343: Figure 13-6 Vlan Static Table - Adding Static Members

    - Forbidden: Interface is forbidden from automatically joining the VLAN via GVRP. For more information, see “Automatic VLAN Registration” on page 13-4. - None: Interface is not a member of the VLAN. Packets associated with this VLAN will not be transmitted by the interface. •...
  • Page 344: Adding Static Members To Vlans (Port Index)

    Adding Static Members to VLANs (Port Index) Use the VLAN Static Membership by Port menu to assign VLAN groups to the selected interface as a tagged member. Command Attributes • Interface – Port or trunk identifier. • Member – VLANs for which the selected interface is a tagged member. •...
  • Page 345: Configuring Vlan Behavior For Interfaces

    Configuring VLAN Behavior for Interfaces You can configure VLAN behavior for specific interfaces, including the default VLAN identifier (PVID), accepted frame types, ingress filtering, GVRP status, and GARP timers. Command Usage • GVRP – GARP VLAN Registration Protocol defines a way for switches to exchange VLAN information in order to automatically register VLAN members on interfaces across the network.
  • Page 346 BPDU frames, such as GMRP. • GVRP Status – Enables/disables GVRP for the interface. GVRP must be globally enabled for the switch before this setting can take effect. (See “Displaying Bridge Extension Capabilities” on page 4-9.) When disabled, any GVRP packets received on this port will be discarded and no GVRP registrations will be propagated from other ports.
  • Page 347: Figure 13-8 Vlan Port Configuration

    belonging to the port’s default VLAN (i.e., associated with the PVID) are also transmitted as tagged frames. - Hybrid – Specifies a hybrid VLAN interface. The port may transmit tagged or untagged frames. • Trunk Member – Indicates if a port is a member of a trunk. To add a trunk to the selected VLAN, use the last table on the VLAN Static Table page.
  • Page 348: Configuring Private Vlans

    VLAN. Data traffic on downlink ports can only be forwarded to, and from, uplink ports. (Note that private VLANs and normal VLANs can exist simultaneously within the same switch.) Enabling Private VLANs Use the Private VLAN Status page to enable/disable the Private VLAN function.
  • Page 349: Configuring Private Vlan

    Use the Private VLAN Link Status page to set ports as downlink or uplink ports. Ports designated as downlink ports can not communicate with any other ports on the switch except for the uplink ports. Uplink ports can communicate with any other ports on the switch and with any designated downlink ports.
  • Page 350: Configuring Protocol-Based Vlans

    VLANs, including security and easy accessibility. To avoid these problems, you can configure this switch with protocol-based VLANs that divide the physical network into logical VLAN groups for each required protocol. When a frame is received at a port, its VLAN membership can then be determined based on the protocol type being used by the inbound packets.
  • Page 351: Configuring Protocol Groups

    Console(config)#protocol-vlan protocol-group 1 add frame-type ethernet protocol-type arp
    Console(config)#
    20. SNAP frame types are not supported by this switch due to hardware limitations.
    • Frame Type – Frame type used by this protocol. (Options: Ethernet, ...
  • Page 352: Mapping Protocols To Vlans

    Mapping Protocols to VLANs Map a protocol group to a VLAN for each interface that will participate in the group. Command Usage • When creating a protocol-based VLAN, only assign interfaces using this configuration screen. If you assign interfaces using any of the other VLAN menus such as the VLAN Static Table (page 13-12) or VLAN Static Membership by Port menu (page 13-14), these interfaces will admit traffic of any protocol type into the associated VLAN.
  • Page 353: Protocol-Based Vlan

    Web – Click VLAN, Protocol VLAN, Port Configuration. Select a port or trunk, enter a protocol group ID, the corresponding VLAN ID, and click Apply. Figure 13-12 Protocol VLAN Port Configuration CLI – The following maps the traffic entering Port 1 which matches the protocol type specified in protocol group 1 to VLAN 2.
  • Page 354: Configuring Ieee 802.1Q Tunneling

    A port configured to support QinQ tunneling must be set to tunnel port mode. The Service Provider VLAN (SPVLAN) ID for the specific customer must be assigned to the QinQ tunnel port on the edge switch where the customer traffic enters the service provider’s network. Each customer requires a separate SPVLAN, but this VLAN will support all of the customer's internal VLANs.
  • Page 355 When a double-tagged packet enters another trunk port in an intermediate or core switch in the service provider’s network, the outer tag is stripped for packet processing. When the packet exits another trunk port on the same core switch, the same SPVLAN tag is again added to the packet.
  • Page 356 This outer tag is used for learning and switching packets. The priority of the inner tag is copied to the outer tag if it is a tagged or priority tagged packet (and this feature is enabled on the switch). 2. After successful source and destination lookup, the ingress process sends the packet to the switching process with two tags.
  • Page 357 VLAN is not listed in the VLAN table, the packet will be dropped. 4. After successful source and destination lookup, the packet is double tagged. The switch uses the TPID of 0x8100 to indicate that an incoming packet is double-tagged. If the outer tag of an incoming double-tagged packet is equal to the port TPID and the inner tag is 0x8100, it is treated as a double-tagged packet.
  • Page 358 General Configuration Guidelines for QinQ 1. Configure the switch to QinQ mode (see “Selecting the VLAN Operation Mode” on page 13-1). 2. Create a Service Provider VLAN, also referred to as an SPVLAN (see “Creating VLANs”...
  • Page 359 4. Set the Tag Protocol Identifier (TPID) value of the tunnel port. This step is required if the attached client is using a nonstandard 2-byte ethertype to identify 802.1Q tagged frames. The standard ethertype value is 0x8100. (See “Adding an Interface to a QinQ Tunnel” on page 13-30.) 5.
  • Page 360: Adding An Interface To A Qinq Tunnel

    Adding an Interface to a QinQ Tunnel Follow the guidelines in the preceding section to set up a QinQ tunnel on the switch. Set the ingress port on the service provider’s network to dot1Q tunnel mode. Set the Tag Protocol Identifier (TPID) value of the tunnel port if the attached client is using a nonstandard 2-byte ethertype to identify 802.1Q tagged frames.
  • Page 361: Figure 13-13 Tunnel Port Configuration

    necessary to support real-time services across the backbone network, then you may have to enable priority bit mapping from the inner to outer VLAN tag to ensure timely service. Web – Click VLAN, 802.1 Q Tunneling. Set the mode for the tunnel port to Dot1q-Tunnel, set the TPID if the client is using a non-standard ethertype to identify 802.1Q tagged frames, and specify whether or not to copy the priority bits from the inner VLAN tag to the outer tag.
  • Page 362 CLI – This example configures the switch to copy the priority bits from the inner to outer VLAN tag, then sets port 2 to tunnel mode, and indicates that the TPID used for 802.1Q tagged frames will be 9100 hexadecimal.
  • Page 363: Configuring Vlan Swapping

    1. Configure the switch to VLAN-swap mode (see “Selecting the VLAN Operation Mode” on page 13-1). 2. For traffic entering the switch through a downlink port attached to a customer (i.e., inbound port and VLAN) and exiting through an uplink port attached to a service provider (i.e., outbound port and VLAN),...
  • Page 364: Field Attributes

    • Entry Counts – The number of entries in the VLAN swapping table. • VLAN Swap Table – Contains each entry in the VLAN swapping table. • InPort – Port through which traffic is entering the switch. (Range: 1-18) • OutPort – Port through which traffic is leaving the switch. (Range: 1-18) •...
  • Page 365 CLI – This example configures VLAN swapping for upstream traffic between port 1 and port 18, exchanging VLAN ID 1 for VLAN ID 3. It then sets VLAN swapping for downstream traffic to exchange VLAN ID 3 for VLAN ID 1.
    Console(config)#system mode vlan-swap
    Console(config)#interface ethernet 1/1
    Console(config-if)#switchport vlan swap 1 3 1/18...
  • Page 367: Class Of Service

    Layer 2 Queue Settings Setting the Default Priority for Interfaces You can specify the default port priority for each interface on the switch. All untagged packets entering the switch are tagged with the specified default port priority, and then sorted into the appropriate priority queue at the output port.
  • Page 368: Figure 14-1 Default Port Priority

    Command Attributes • Default Priority – Priority assigned to untagged frames received on the specified interface. (Range: 0 - 7, Default: 0) • Number of Egress Traffic Classes – The number of queue buffers provided for each port. Web – Click Priority, Default Port Priority or Default Trunk Priority. Modify the default priority for any interface, then click Apply.
  • Page 369: Mapping Cos Values To Egress Queues

    Console#
    Mapping CoS Values to Egress Queues
    This switch processes Class of Service (CoS) priority tagged traffic by using eight priority queues for each port, with service schedules based on strict or Weighted Round Robin (WRR). Up to eight separate traffic priorities are defined in IEEE 802.1p.
  • Page 370: Table 14-2 Cos Priority Levels

    The priority levels recommended in the IEEE 802.1p standard for various network applications are shown in the following table. However, you can map the priority levels to the switch’s output queues in any way that benefits application traffic for your own network.
  • Page 371: Figure 14-2 Traffic Classes

    [Table residue, CoS value to egress queue mapping, row labels partly lost] 0 1 2 3 4 5 6 7 / Priority Queue: 0 1 2 3 4 5 6 7
    * Mapping specific values for CoS priorities is implemented as an interface configuration command, but any changes will apply to all interfaces on the switch.
  • Page 372: Selecting The Queue Mode

    Selecting the Queue Mode You can set the switch to service the queues based on a strict rule that requires all traffic in a higher priority queue to be processed before lower priority queues are serviced, Weighted Round-Robin (WRR) queuing that...
  • Page 373: Setting The Service Weight For Traffic Classes

    Console#
    Setting the Service Weight for Traffic Classes
    This switch uses the Weighted Round Robin (WRR) algorithm to determine the frequency at which it services each priority queue. As described in “Mapping CoS Values to Egress Queues” on page 14-3, the traffic classes are mapped to one of the eight egress queues provided for each port.
  • Page 374: Figure 14-4 Queue Scheduling

    Command Attributes • WRR Setting Table – Lists the current weight of each traffic class (i.e., queue). • Weight Value – Set a new weight for the selected traffic class. (Range: 0-15) Use queue weights 1-15 for queues allocated service time based on WRR. Queue weights must be configured in ascending order, assigning more weight to each higher numbered queue.
  • Page 375: Layer 3/4 Priority Settings

    Because different priority information may be contained in the traffic, this switch maps priority values to the output queues in the following manner: • The precedence for priority mapping is IP Port Priority, IP Precedence or DSCP Priority, and then Default Port Priority.
  • Page 376: Selecting Ip Precedence/Dscp Priority

    Selecting IP Precedence/DSCP Priority The switch allows you to choose between using IP Precedence or DSCP priority. Select one of the methods or disable this feature. Command Attributes • Disabled – Disables both priority services. (This is the default setting.) •...
  • Page 377: Mapping Ip Precedence

    Mapping IP Precedence The Type of Service (ToS) octet in the IPv4 header includes three precedence bits defining eight different priority levels ranging from highest priority for network control packets to lowest priority for routine traffic. The default IP Precedence values are mapped one-to-one to Class of Service values (i.e., Precedence value 0 maps to CoS value 0, and so forth).
  • Page 378: Figure 14-6 Ip Precedence Priority

    Precedence Priority Table, enter a value in the Class of Service Value field, and then click Apply. CLI – The following example globally enables IP Precedence service on the switch, maps IP Precedence value 1 to CoS value 0 (on port 1), and then displays the IP Precedence settings.
    Console(config)#map ip precedence...
  • Page 379: Mapping Dscp Priority

    Mapping DSCP Priority The DSCP is six bits wide, allowing coding for up to 64 different forwarding behaviors. The DSCP replaces the ToS bits, but it retains backward compatibility with the three precedence bits so that non-DSCP compliant, ToS-enabled devices, will not conflict with the DSCP mapping. Based on network policies, different kinds of traffic can be marked for different kinds of forwarding.
  • Page 380: Figure 14-7 Ip Dscp Priority

    Class of Service Value field, then click Apply. CLI – The following example globally enables DSCP Priority service on the switch, maps DSCP value 0 to CoS value 1 (on port 1), and then displays the DSCP Priority settings.
  • Page 381: Mapping Ipv6 Traffic Classes

    Mapping IPv6 Traffic Classes The Traffic Class field in the IPv6 header may be used by originating nodes and/or forwarding routers to identify and distinguish between different classes or priorities for IPv6 packets. (See RFC 2460.) Command Usage Nodes that support a specific use of some or all of the IPv6 traffic class bits are permitted to change the value of those bits in packets that they...
  • Page 382: Mapping Ip Port Priority

    CLI – The following example maps the Traffic Class value of 1 to CoS value 0.
    Console(config)#priority ipv6 1 0
    Console(config)#end
    Console#show priority
    CPU TX Priority 0
    PORT Traffic-Class
    Console#
    Mapping IP Port Priority
    You can also map network applications to Class of Service values based on the IP port number (i.e., TCP/UDP port number) in the frame header.
  • Page 383: Figure 14-10 Ip Port Priority

    Figure 14-10 IP Port Priority CLI – The following example globally enables IP Port Priority service on the switch, maps HTTP traffic (on port 1) to CoS value 0, and then displays the IP Port Priority settings.
    Console(config)#map ip port...
  • Page 385: Quality Of Service

    The commands described in this section are used to configure Quality of Service (QoS) classification criteria and service policies. Differentiated Services (DiffServ) provides policy-based management mechanisms used for prioritizing network resources to meet the requirements of specific traffic types on a per hop basis.
  • Page 386: Configuring Quality Of Service Parameters

    Notes: 1. You can configure up to 16 rules per Class Map. You can also include multiple classes in a Policy Map. 2. You should create a Class Map before creating a Policy Map. Otherwise, you will not be able to select a Class Map from the Policy Rule Settings screen (see page 15-9).
  • Page 387: Configuring A Class Map

    Configuring a Class Map A class map is used for matching packets to a specified class. Command Usage • To configure a Class Map, follow these steps: - Open the Class Map page, and click Add Class. - When the Class Configuration page opens, fill in the “Class Name” field, and click Add.
  • Page 388 Settings” page. Enter the criteria used to classify ingress traffic on this web page. • Remove Class – Removes the selected class. Class Configuration • Class Name – Name of the class map. (Range: 1-16 characters) • Type – Only one match command is permitted per class map, so the match-any field refers to the criteria specified by the lone match command.
  • Page 389: Figure 15-1 Configuring Class Maps

    Web – Click QoS, DiffServ, then click Add Class to create a new class, or Edit Rules to change the rules of an existing class. Figure 15-1 Configuring Class Maps CLI – This example creates a class map called “rd-class,” and sets it to match packets marked for DSCP service value 3.
  • Page 390: Creating Qos Policies

    Creating QoS Policies This function creates a policy map that can be attached to multiple interfaces. Command Usage • To configure a Policy Map, follow these steps: - Create a Class Map as described on page 15-3. - Open the Policy Map page, and click Add Policy.
  • Page 391 Command Attributes Policy Map • Modify Name and Description – Configures the name and a brief description of a policy map. (Range: 1-16 characters for the name; 1-80 characters for the description) • Edit Classes – Opens the “Policy Rule Settings” page for the selected class entry.
  • Page 392 • Remove Class – Deletes a class. - Policy Options - • Class Name – Name of class map. • Action – Configures the service provided to ingress traffic by setting a CoS, DSCP, or IP Precedence value in a matching packet (as specified in Match Class Settings on page 15-3).
  • Page 393: Figure 15-2 Configuring Policy Maps

    Web – Click QoS, DiffServ, Policy Map to display the list of existing policy maps. To add a new policy map, click Add Policy. To configure the policy rule settings, click Edit Classes. Figure 15-2 Configuring Policy Maps
  • Page 394: Attaching A Policy Map To Ingress Queues

    CLI – This example creates a policy map called “rd-policy,” sets the average bandwidth to 1 Mbps, the burst rate to 1522 bps, and the response to reduce the DSCP value for violating packets to 0. Console(config)#policy-map rd_policy#3 Console(config-pmap)#class rd_class#3 Console(config-pmap-c)#set ip dscp 4 Console(config-pmap-c)#police 100000 1522 exceed-action...
  • Page 395: Figure 15-3 Service Policy Settings

    Web – Click QoS, DiffServ, Service Policy Settings. Check Enabled and choose a Policy Map for a port from the scroll-down box, then click Apply. Figure 15-3 Service Policy Settings CLI - This example applies a service policy to an ingress interface. Console(config)#interface ethernet 1/5 Console(config-if)#service-policy input rd_policy#3 Console(config-if)#...
  • Page 397 If there is no multicast router attached to the local subnet, multicast traffic and query messages may not be received by the switch. In this case (Layer 2) IGMP Query can be used to actively ask the attached hosts if they want to receive a specific multicast service.
  • Page 398: Multicast Filtering

    (the only option for IGMPv1 and v2 hosts unless statically configured on the switch), and a channel indicates a flow for which the hosts have requested service from a specific source.
  • Page 399 In this case, traffic is filtered from sources in the Exclude list, and forwarded from all other available sources. Notes: 1. When the switch is configured to use IGMPv3 snooping, the snooping version may be downgraded to version 2 or version 1, depending on the version of the IGMP query packets detected on each VLAN.
  • Page 400: Configuring Igmp Snooping And Query Parameters

    Configuring IGMP Snooping and Query Parameters You can configure the switch to forward multicast traffic intelligently. Based on the IGMP query and report messages, the switch forwards traffic only to the ports that request multicast traffic. This prevents the switch from broadcasting the traffic to all ports and possibly disrupting network performance.
  • Page 401 This is also referred to as IGMP Snooping. (Default: Enabled) • Act as IGMP Querier — When enabled, the switch can serve as the Querier, which is responsible for asking hosts if they want to receive multicast traffic.
  • Page 402: Figure 16-1 Igmp Configuration

    Web – Click IGMP Snooping, IGMP Configuration. Adjust the IGMP settings as required, and then click Apply. (The default settings are shown below.) CLI – This example modifies the settings for multicast filtering, and then displays the current status. Console(config)#ip igmp snooping Console(config)#ip igmp snooping querier Console(config)#ip igmp snooping query-count 10...
  • Page 403: Displaying Interfaces Attached To A Multicast Router

    • VLAN ID – ID of configured VLAN (1-4094). • Multicast Router List – Multicast routers dynamically discovered by this switch or those that are statically assigned to an interface on this switch. Web – Click IGMP Snooping, Multicast Router Port Information. Select the required VLAN ID from the scroll-down list to display the associated multicast routers.
  • Page 404: Specifying Static Interfaces For A Multicast Router

    IGMP querier. Therefore, if the IGMP querier is a known multicast router/ switch connected over the network to an interface (port or trunk) on your switch, you can manually configure the interface (and a specified VLAN) to join all the current multicast groups supported by the attached router.
  • Page 405: Displaying Port Members Of Multicast Services

    CLI – This example configures port 11 as a multicast router port within VLAN 1. Console(config)#ip igmp snooping vlan 1 mrouter ethernet 1/11 Console(config)#exit Console#show ip igmp snooping mrouter vlan 1 VLAN M'cast Router Port Type ---- ------------------ ------- Console# Displaying Port Members of Multicast Services You can display the port members associated with a specified VLAN and...
  • Page 406: Figure 16-4 Ip Multicast Registration Table

    Web – Click IGMP Snooping, IP Multicast Registration Table. Select a VLAN ID and the IP address for a multicast service from the scroll-down lists. The switch will display all the interfaces that are propagating this multicast service. Figure 16-4 IP Multicast Registration Table CLI –...
  • Page 407: Assigning Ports To Multicast Services

    Query Parameters” on page 16-4. For certain applications that require tighter control, you may need to statically configure a multicast service on the switch. First add all the ports attached to participating hosts to a common VLAN, and then assign the multicast service to that VLAN group.
  • Page 408: Figure 16-5 Igmp Member Port Table

    Web – Click IGMP Snooping, IGMP Member Port Table. Specify the interface attached to a multicast service (via an IGMP-enabled switch or multicast router), indicate the VLAN that will propagate the multicast service, specify the multicast IP address, and click Add. After you have completed adding ports to the member list, click Apply.
  • Page 409: Configuring Immediate Leave From Multicast Groups

    Delay (see “Configuring IGMP Snooping and Query Parameters” on page 16-4). • If immediate leave is enabled, the switch assumes that only one host is connected to the interface. Therefore, immediate leave should only be enabled on an interface if it is connected to only one IGMP-enabled device, either a service host or a neighbor running IGMP snooping.
  • Page 410: Igmp Filtering And Throttling

    IGMP throttling limits the number of simultaneous multicast groups a port can join. IGMP filtering enables you to assign a profile to a switch port that specifies multicast groups that are permitted or denied on the port. An IGMP filter profile can contain one or more, or a range of multicast addresses;...
  • Page 411: Enabling Igmp Filtering And Throttling

    When the maximum number of groups is reached on a port, the switch can take one of two actions: either “deny” or “replace.” If the action is set to deny, any new IGMP join reports will be dropped.
  • Page 412: Configuring Igmp Filter Profiles

    CLI – This example enables IGMP filtering and creates a profile number. It then displays the current status and the existing profile numbers. Console(config)#ip igmp filter Console(config)#ip igmp profile 19 Console(config-igmp-profile)#end Console#show ip igmp filter IGMP filter enable Console#show ip igmp profile IGMP Profile 19 IGMP Profile 50...
  • Page 413: Figure 16-8 Igmp Profile Configuration

    • Current Multicast Address Range List – Lists multicast groups currently included in the profile. Select an entry and click the Remove button to delete it from the list. Web – Click IGMP Snooping, IGMP Profile Group Configuration. Select the profile number you want to configure; then click Query to display the current settings.
  • Page 414: Configuring Igmp Filtering And Throttling For Interfaces

    When the maximum number of groups is reached on a port, the switch can take one of two actions: either “deny” or “replace.” If the action is set to deny, any new IGMP join reports will be dropped.
  • Page 415: Figure 16-9 Igmp Filter And Throttling Port Configuration

    Web – Click IGMP Snooping, IGMP Filter/Throttling Port Configuration or IGMP Filter/Throttling Trunk Configuration. Select a profile to assign to an interface, then set the throttling number and action. Click Apply. Figure 16-9 IGMP Filter and Throttling Port Configuration CLI – This example assigns IGMP profile number 19 to port 1, and then sets the throttling number and action.
  • Page 416: Multicast Vlan Registration

    Multicast VLAN Registration Multicast VLAN Registration (MVR) is a protocol that controls access to a single network-wide VLAN most commonly used for transmitting multicast traffic (such as television channels or video-on-demand) across a service provider’s network. Any multicast traffic entering an MVR VLAN is sent to all attached subscribers.
  • Page 417: Configuring Global Mvr Settings

    General Configuration Guidelines for MVR 1. Enable MVR globally on the switch, select the MVR VLAN, and add the multicast groups that will stream traffic to attached hosts (see “Configuring Global MVR Settings” on page 16-21). 2. Set the interfaces that will join the MVR as source ports or receiver ports (see “Configuring MVR Interfaces”...
  • Page 418: Field Attributes

    • MVR Domain – An independent multicast domain. (Range: 1-3; Default: 1) • MVR Status – When MVR is enabled on the switch, any multicast data associated with an MVR group is sent from all designated source ports, and to all receiver ports that have registered to receive data from that multicast group.
  • Page 419: Figure 16-10 Mvr Global Configuration

    Web – Click MVR, Configuration. Select the MVR domain, enable MVR globally on the switch, select the MVR VLAN, add the multicast groups that will stream traffic to attached hosts, and then click Apply. Figure 16-10 MVR Global Configuration CLI – This example first enables IGMP snooping, enables MVR globally, and then configures a range of MVR group addresses.
  • Page 420: Displaying Mvr Interface Status

    • Oper Status – Shows the link status. • MVR Status – Shows the MVR status. MVR status for source ports is “ACTIVE” if MVR is globally enabled on the switch. MVR status for receiver ports is “ACTIVE” only if there are subscribers receiving multicast traffic from one of the MVR groups, or a multicast group has been statically assigned to an interface.
  • Page 421: Mvr Vlan

    CLI – This example shows information about interfaces attached to the MVR VLAN.
    Console#show mvr interface
    MVR domain : 1
    Port     Type      Status      Immediate Leave
    -------  --------  ----------  ---------------
    eth1/1   RECEIVER  ACTIVE/UP   Disable
    eth1/18  SOURCE    ACTIVE/UP   Disable
    Console#
  • Page 422: Configuring Mvr Interfaces

    • Immediate leave applies only to receiver ports. When enabled, the receiver port is immediately removed from the multicast group identified in the leave message. When immediate leave is disabled, the switch follows the standard rules by sending a group-specific query to the...
  • Page 423 - Non-MVR – An interface that does not participate in the MVR VLAN. (This is the default type.) • Immediate Leave – Configures the switch to immediately remove an interface from a multicast stream as soon as it receives a leave message for that group.
  • Page 424: Displaying Port Members Of Multicast Groups

    Web – Click MVR, Port Configuration or Trunk Configuration. CLI – This example configures an MVR source port and receiver port, and then enables immediate leave on the receiver port. Console(config)#interface ethernet 1/1 Console(config-if)#mvr type source Console(config-if)#exit Console(config)#interface ethernet 1/2 Console(config-if)#mvr type receiver Console(config-if)#mvr immediate Console(config-if)#...
  • Page 425: Figure 16-13 Mvr Group Ip Information

    Web – Click MVR, Group IP Information. Figure 16-13 MVR Group IP Information CLI – This example shows information about the interfaces associated with multicast groups assigned to the MVR VLAN. Console#show mvr members MVR Group IP Status ---------------- -------- 225.0.0.1 ACTIVE...
  • Page 426: Assigning Static Multicast Groups To Interfaces

    Assigning Static Multicast Groups to Interfaces For multicast streams that will run for a long term and be associated with a stable set of hosts, you can statically bind the multicast group to the participating interfaces. Command Usage •...
  • Page 427: Figure 16-14 Mvr Group Member Configuration

    Web – Click MVR, Group Member Configuration. Select a port or trunk from the “Interface” field, and click Query to display the assigned multicast groups. Select a multicast address from the displayed lists, and click the Add or Remove button to modify the Member list. Figure 16-14 MVR Group Member Configuration CLI –...
  • Page 429: Configuring General Dns Service Parameters

    IP addresses using static table entries or by redirection to other name servers on the network. When a client device designates this switch as a DNS server, the client will attempt to resolve host names into IP addresses by forwarding DNS queries to the switch, and waiting for a response.
  • Page 430: Domain Name Service

    • When more than one name server is specified, the servers are queried in the specified sequence until a response is received, or the end of the list is reached with no response. • If all name servers are deleted, DNS will automatically be disabled. This is done by disabling the domain lookup status.
  • Page 431: Configuring General Dns Service Parameters

    Web – Select DNS, General Configuration. Set the default domain name or list of domain names, specify one or more name servers to use for address resolution, enable domain lookup status, and click Apply. Figure 17-1 DNS General Configuration
  • Page 432: Configuring Static Dns Host To Address Entries

    CLI - This example sets a default domain name and a domain list. However, remember that if a domain list is specified, the default domain name is not used. Console(config)#ip domain-name sample.com Console(config)#ip domain-list sample.com.uk Console(config)#ip domain-list sample.com.jp Console(config)#ip name-server 192.168.1.55 10.1.0.55 Console(config)#ip domain-lookup Console(config)#end...
  • Page 433: Figure 17-2 Dns Static Host Table

    Field Attributes • Host Name – Name of a host device that is mapped to one or more IP addresses. (Range: 1-127 characters) • IP Address – Internet address(es) associated with a host name. (Range: 1-8 addresses) • Alias – Displays the host names that are mapped to the same address(es) as a previously configured entry.
  • Page 434: Displaying The Dns Cache

    CLI - This example maps two addresses to a host name, and then configures an alias host name for the same addresses. Console(config)#ip host rd5 192.168.1.55 10.1.0.55 Console(config)#end Console#show hosts Hostname Inet address 192.168.1.55 10.1.0.55 Console# Displaying the DNS Cache You can display entries in the DNS cache that have been learned via the designated name servers.
  • Page 435: Figure 17-3 Dns Cache

    Web – Select DNS, Cache. Figure 17-3 DNS Cache CLI - This example displays all the resource records learned from the designated name servers. Console#show dns cache FLAG TYPE CNAME CNAME CNAME CNAME CNAME ALIAS CNAME ALIAS CNAME ALIAS CNAME Console# 207.46.134.222 207.46.134.190 207.46.134.155...
  • Page 437 This section provides a detailed description of the Command Line Interface, along with examples for all of the commands. Overview of the Command Line Interface ..... 18-1 General Commands ...
  • Page 438 IP Interface Commands ........38-1...
  • Page 439: Overview Of The Command Line Interface

    Using the Command Line Interface Accessing the CLI When accessing the management interface for the switch over a direct connection to the server’s console port, or via a Telnet connection, the switch can be managed by entering command keywords and parameters at the prompt.
  • Page 440: Telnet Connection

    Note: The IP address for this switch is obtained via DHCP by default. To access the switch through a Telnet session, you must first set the IP address for the Master unit, and set the default gateway if you are managing the switch from a different IP subnet.
  • Page 441: Entering Commands

    2. At the prompt, enter the user name and system password. The CLI will display the “Vty-n#” prompt for the administrator to show that you are using privileged access mode (i.e., Privileged Exec), or “Vty-n>” for the guest to show that you are using normal access mode (i.e., Normal Exec), where n indicates the number of the current Telnet session.
  • Page 442: Minimum Abbreviation

    • To enter multiple commands, enter each command in the required order. For example, to enable Privileged Exec command mode, and display the startup configuration, enter: Console>enable Console#show startup-config • To enter commands that require parameters, enter the required parameters after the command keyword.
  • Page 443: Showing Commands

    Showing Commands If you enter a “?” at the command prompt, the system will display the first level of keywords for the current command class (Normal Exec or Privileged Exec) or configuration class (Global, ACL, Interface, Line, VLAN Database, or MSTP). You can also display a list of valid keywords for a specific command.
  • Page 444: Partial Keyword Lookup

    The system configuration of starting up Information of system Login by TACACS server Display information about terminal lines System hardware and software status Switch VLAN Virtual Interface Information of interfaces counters Protocol-vlan information Information of interfaces status Information of interfaces switchport...
  • Page 445: Using Command History

    Using Command History The CLI maintains a history of commands that have been entered. You can scroll back through the history of commands by pressing the up arrow key. Any command displayed in the history list can be executed again, or first modified and then executed.
  • Page 446: Exec Commands

    Exec Commands When you open a new console session on the switch with the user name and password “guest,” the system enters the Normal Exec command mode (or guest mode), displaying the “Console>” command prompt. Only a limited number of the commands are available in this mode. You can access all commands only from the Privileged Exec command mode (or administrator mode).
  • Page 447 VDSL ports. • VDSL Alarm Profile - Creates a profile of alarm thresholds that can be applied globally to the switch or to a group of VDSL ports. • IGMP Profile - Sets a profile group and enters IGMP filter profile configuration mode.
  • Page 448: Table 18-2 Configuration Command Modes

    To enter the other modes, at the configuration prompt type one of the following commands. Use the exit or end command to return to the Privileged Exec mode. Table 18-2 Configuration Command Modes Mode Command Line line {console | vty} Access access-list ip standard Control...
  • Page 449: Command Line Processing

    For example, you can use the following commands to enter interface configuration mode, and then return to Privileged Exec mode: Console(config)#interface ethernet 1/5 Console(config-if)#exit Console(config)# Command Line Processing Commands are not case sensitive. You can abbreviate commands and parameters as long as they contain enough letters to differentiate them from any other currently available commands or parameters.
  • Page 450: Command Groups

    Table 18-3 Keystroke Commands (Continued) Keystroke Esc-F Delete key or backspace key Erases a mistake when entering a command. Command Groups The system commands can be broken down into the functional groups shown below. Command Group General System Management Display and setting of system information, basic Simple Network Management...
  • Page 451 Controls the maximum rate for traffic transmitted or received on a port VDSL Configures communication parameters for VDSL ports on the switch and connected CPEs Address Table Configures the address table for filtering specified addresses, displays current entries, clears the table,...
  • Page 452 The access mode shown in the following tables is indicated by these abbreviations: ACL (Access Control List Configuration) CM (Class Map Configuration) NE (Normal Exec) GC (Global Configuration) IC (Interface Configuration) IPC (IGMP Profile Configuration) LC (Line Configuration) MST (Multiple Spanning Tree) PE (Privileged Exec) PM (Policy Map Configuration)
  • Page 453: General Commands

    These commands are used to control the command access mode, configuration mode, and other basic functions. Table 19-1 General Commands Command Function enable Activates privileged mode disable Returns to normal mode from privileged mode PE configure Activates global configuration mode show history Shows the command history buffer reload...
  • Page 454: General Commands

    enable This command activates Privileged Exec mode. In privileged mode, additional commands are available, and certain commands display additional information. See “Understanding Command Modes” on page 18-7. Syntax enable [level] level - Privilege level to log into the device. The device has two predefined privilege levels: 0: Normal Exec, 15: Privileged Exec.
  • Page 455: Disable

    This command activates Global Configuration mode. You must enter this mode to modify any settings on the switch. You must also enter Global Configuration mode prior to enabling some of the other configuration modes, including Interface Configuration, Line Configuration, VLAN Database Configuration, and Multiple Spanning Tree Configuration.
  • Page 456: Show History

    Example Console#configure Console(config)# Related Commands end (19-6) show history This command shows the contents of the command history buffer. Default Setting None Command Mode Normal Exec, Privileged Exec Command Usage The history buffer size is fixed at 10 Execution commands and 10 Configuration commands.
  • Page 457: Reload

    Default Setting None Command Mode Privileged Exec Command Usage This command resets the entire system. Example This example shows how to reset the switch: Console#reload System will be restarted, continue <y/n>? y
  • Page 458: Prompt

    prompt This command customizes the CLI prompt. Use the no form to restore the default prompt. Syntax prompt string no prompt string - Any alphanumeric string to use for the CLI prompt. (Maximum length: 255 characters) Default Setting Console Command Mode Global Configuration...
  • Page 459: Exit

    exit This command returns to the previous configuration mode or exits the configuration program. Default Setting None Command Mode Example This example shows how to return to the Privileged Exec mode from the Global Configuration mode, and then quit the CLI session: Console(config)#exit Console#exit Press ENTER to start session...
  • Page 460 Example This example shows how to quit a CLI session: Console#quit Press ENTER to start session User Access Verification Username:
  • Page 461: Table 20-1 System Management Commands

    System Status Displays system configuration, active managers, and version information System Mode Configures the switch to operate in normal mode, QinQ mode, or VLAN swap mode Frame Size Enables support for jumbo frames File Management Manages code image or ECN330-switch...
  • Page 462: System Management Commands

    - The name of this host. (Maximum length: 255 characters) Default Setting None Command Mode Global Configuration Example Console(config)#hostname RD#1 Console(config)# Function Specifies the host name for the switch Sets the system contact string Sets the system location string Mode Page 20-2 21-5 21-5...
  • Page 463: System Status Commands

    System Status Commands This section describes commands used to display system information. Command show startup-config show running-config show system show users show version show bme version Displays version information for VDSL chip, show cpu utilization show memory status show startup-config This command displays the configuration file stored in non-volatile memory that is used to start up the system.
  • Page 464 “!” symbols, and includes the configuration mode command, and corresponding commands. This command displays the following information: - MAC address for the switch - SNTP server settings - SNMP community strings - Users (names and access levels)
  • Page 465: Related Commands

    Example Console#show startup-config building startup-config, please wait... !<stackingDB>00</stackingDB> !<stackingMac>01_00-20-1a-df-9c-a0_00</stackingMac> phymap 00-20-1a-df-9c-a0 SNTP server 0.0.0.0 0.0.0.0 0.0.0.0 snmp-server community public ro snmp-server community private rw username admin access-level 15 username admin password 7 21232f297a57a5a743894a0e4a801fc3 username guest access-level 0 username guest password 7 084e0343a0486ff05530df6c705c8bb4 enable password level 15 7 1b3231655cebb7a1f783eddf27d254ca vlan database vlan 1 name DefaultVlan media ethernet state active...
  • Page 466: Show Running-Config

    “!” symbols, and includes the configuration mode command, and corresponding commands. This command displays the following information: - MAC address for the switch - SNTP server settings - SNMP community strings - Users (names, access levels, and encrypted passwords)
  • Page 467 Example Console#show running-config building running-config, please wait... !<stackingDB>00</stackingDB> !<stackingMac>01_00-30-f1-d4-73-a0_00</stackingMac> phymap 00-30-f1-d4-73-a0 SNTP server 0.0.0.0 0.0.0.0 0.0.0.0 snmp-server community private rw snmp-server community public ro username admin access-level 15 username admin password 7 21232f297a57a5a743894a0e4a801fc3 username guest access-level 0 username guest password 7 084e0343a0486ff05530df6c705c8bb4 enable password level 15 7 1b3231655cebb7a1f783eddf27d254ca vlan database vlan 1 name DefaultVlan media ethernet state active...
  • Page 468: Show System

    Related Commands show startup-config (20-3) show system This command displays system information. Default Setting None Command Mode Normal Exec, Privileged Exec Command Usage • For a description of the items shown by this command, refer to “Displaying System Information” on page 4-1. •...
  • Page 469: Show Users

    show users Shows all active console and Telnet sessions, including user name, idle time, and IP address of Telnet client. Default Setting None Command Mode Normal Exec, Privileged Exec Command Usage The session used to execute this command is indicated by a “*” symbol next to the Line (i.e., session) index number.
  • Page 470: Show Version

    show version This command displays hardware and software version information for the system. Command Mode Normal Exec, Privileged Exec Command Usage See “Displaying Hardware/Software Versions” on page 4-7 for detailed information on the items displayed by this command. Example Console#show version Unit1...
  • Page 471: Show Cpu Utilization

    Example Console#show bme version Firmware Time RTOS AFE<num, ver> Console# Table 20-4 show bme version - display description Field Firmware Time RTOS show cpu utilization This command shows the CPU utilization parameters. Command Mode Normal Exec, Privileged Exec Example Console#show cpu utilization CPU current utilization Max utilization in 10s: 73% Avg utilization in 10s: 73%...
  • Page 472: Table 20-5 Show Cpu Utilization - Display Description

    Table 20-5 show cpu utilization - display description Field current utilization max utilization avg utilization peak utilization peak begin peak during rising threshold falling threshold * For information on setting these thresholds, see “Displaying System Health” on page 4-4. show memory status This command shows memory utilization parameters.
  • Page 473: System Mode Commands

    Displays the switch system mode system mode This command sets the switch to operate in QinQ mode. Use the no form to restore the default setting of normal operating mode. Syntax system mode {normal | qinq | vlan-swap} no system mode •...
  • Page 474: Show System Mode

    Command Usage Make sure that no dot1q-tunnel port is configured before exiting QinQ mode (see “switchport mode dot1q-tunnel” on page 32-27). If there are any dot1q-tunnel ports set on the switch, the no system mode command will fail. Example Console(config)#system mode qinq...
  • Page 475: Frame Size Commands

    Command Mode Global Configuration Command Usage • This switch provides more efficient throughput for large sequential data transfers by supporting jumbo frames on Gigabit Ethernet ports up to 9216 bytes. Compared to standard Ethernet frames that run only up to 1.5 KB, using jumbo frames significantly reduces the per-packet overhead required to process protocol encapsulation fields.
  • Page 476: File Management Commands

    Firmware can be uploaded and downloaded to or from a TFTP server. By saving runtime code to a file on a TFTP server, that file can later be downloaded to the switch to restore operation. The switch can also be set to use new firmware without overwriting the previous version.
  • Page 477: Copy

    This command moves (upload/download) a code image or configuration file between the switch’s flash memory and a TFTP server. When you save the system code or configuration settings to a file on a TFTP server, that file can later be downloaded to the switch to restore system operation. The success of the file transfer depends on the accessibility of the TFTP server and the quality of the network connection.
  • Page 478 31 characters for files on the switch. (Valid characters: A-Z, a-z, 0-9, “.”, “-”, “_”) • Due to the size limit of the flash memory, the switch supports only two operation code files. • The maximum number of user-defined configuration files depends on available memory.
  • Page 479: Tftp Server

    • After using the firmware keyword to copy BME firmware for CPEs to reserved buffer space in the switch, first use the oam remote upgrade firmware command (page x) to transfer the firmware to a remote CPE, and then use the oam remote firmware active command (page x) to activate the new firmware.
  • Page 480 \Write to FLASH finish. Success. Console# This example shows how to copy a secure-site certificate from a TFTP server. It then reboots the switch to activate the certificate: Console#copy tftp https-certificate TFTP server ip address: 10.1.0.19 Source certificate file name: SS-certificate...
  • Page 481 Console# This example shows how to copy BME firmware for CPEs to a reserved buffer on the switch, copy this firmware to a remote CPE, and then activate the new firmware. For more detailed information on these commands, refer to the copy tftp firmware, oam remote upgrade firmware, and oam remote firmware active commands (pages 29-87, 29-90, and 29-90).
  • Page 482: Delete

    delete This command deletes a file or image. Syntax delete filename filename - Name of configuration file or code image. Default Setting None Command Mode Privileged Exec Command Usage • If the file type is used for system startup, then this file cannot be deleted.
  • Page 483: Dir

    The type of file or image to display includes: • boot-rom - Boot ROM (or diagnostic) image file. • config - Switch configuration file. • opcode - Run-time operation code image file. • filename - Name of configuration file or code image. If this file exists but contains errors, information on this file cannot be shown.
  • Page 484: Whichboot

    Example The following example shows how to display all file information: Console#dir File name ------------------------------------- Unit1: SMC7816M_VSW_Diag_V3.2.1.0.bix SMC7816M_VSW_Opcode_V3.2.2.5.bix Operation Code Factory_Default_Config.cfg startup1.cfg --------------------------------------------------------------------------- Console# whichboot This command displays which files were booted when the system powered Default Setting None Command Mode Privileged Exec...
  • Page 485: Boot System

    boot system This command specifies the file or image used to start up the system. Syntax boot system {boot-rom| config | opcode}: filename The type of file or image to set as a default includes: • boot-rom* - Boot ROM. •...
  • Page 486: Line Commands

    Line Commands You can access the onboard configuration program by attaching a VT100 compatible device to the server’s serial port. These commands are used to set communication parameters for the serial port or Telnet (i.e., a virtual terminal). Command line login...
  • Page 487: Line

    line This command identifies a specific line for configuration, and to process subsequent line configuration commands. Syntax line {console | vty} • console - Console terminal line. • vty - Virtual terminal for remote console access (i.e., Telnet). Default Setting There is no default line.
  • Page 488: Login

    Command Mode Line Configuration Command Usage • There are three authentication modes provided by the switch itself at login: - login selects authentication by a single global password as specified by the password line configuration command. When using this method, the management interface starts in Normal Exec (NE) mode.
  • Page 489: Password

    Example Console(config-line)#login local Console(config-line)# Related Commands username (22-2) password (20-29) password This command specifies the password for a line. Use the no form to remove the password. Syntax password {0 | 7} password no password • {0 | 7} - 0 means plain password, 7 means encrypted password •...
  • Page 490: Timeout Login Response

    configuration file from a TFTP server. There is no need for you to manually configure encrypted passwords. Example Console(config-line)#password 0 secret Console(config-line)# Related Commands login (20-28) password-thresh (20-32) timeout login response This command sets the interval that the system waits for a user to log into the CLI.
  • Page 491: Exec-Timeout

    Example To set the timeout to two minutes, enter this command: Console(config-line)#timeout login response 120 Console(config-line)# exec-timeout This command sets the interval that the system waits until user input is detected. Use the no form to restore the default. Syntax exec-timeout [seconds] no exec-timeout seconds - Integer that specifies the timeout interval.
  • Page 492: Password-Thresh

    password-thresh This command sets the password intrusion threshold which limits the number of failed logon attempts. Use the no form to remove the threshold value. Syntax password-thresh [threshold] no password-thresh threshold - The number of allowed password attempts. (Range: 1-120;...
  • Page 493: Silent-Time

    silent-time This command sets the amount of time the management console is inaccessible after the number of unsuccessful logon attempts exceeds the threshold set by the password-thresh command. Use the no form to remove the silent time value. Syntax silent-time [seconds] no silent-time seconds - The number of seconds to disable console response.
  • Page 494: Parity

    Default Setting 8 data bits per character Command Mode Line Configuration Command Usage The databits command can be used to mask the high bit on input from devices that generate 7 data bits with parity. If parity is being generated, specify 7 data bits per character.
  • Page 495: Speed

    Some baud rates available on devices connected to the port might not be supported. The system indicates if the speed you selected is not supported. If you select the “auto” option, the switch will automatically detect the baud rate configured on the attached terminal, and adjust the speed accordingly.
  • Page 496: Stopbits

    Example To specify 57600 bps, enter this command: Console(config-line)#speed 57600 Console(config-line)# stopbits This command sets the number of the stop bits transmitted per byte. Use the no form to restore the default setting. Syntax stopbits {1 | 2} •...
  • Page 497: Show Line

    Command Usage Specifying session identifier “0” will disconnect the console connection. Specifying any other identifiers for an active session will disconnect an SSH or Telnet connection. Example Console#disconnect 1 Console# Related Commands show ssh (22-31) show users (20-9) show line This command displays the terminal line’s parameters.
  • Page 498 Example To show all lines, enter this command: Console#show line Console configuration: Password threshold: Interactive timeout: Disabled Login timeout: Disabled Silent time: Baudrate: Databits: Parity: Stopbits: VTY configuration: Password threshold: Interactive timeout: 600 sec Login timeout: 300 sec Console#...
  • Page 499: Event Logging Commands

    None Command Mode Global Configuration Command Usage The logging process controls error messages saved to switch memory or sent to remote syslog servers. You can use the logging history Table 20-12 Event Logging Commands Function Controls logging of error messages...
  • Page 500: Logging History

    (20-40) logging trap (20-43) clear log (20-44) logging history This command limits syslog messages saved to switch memory based on severity. The no form returns the logging of syslog messages to the default level. Syntax logging history {flash | ram} level no logging history {flash | ram} •...
  • Page 501: Logging Host

    Level Severity Name Description warnings errors critical alerts emergencies * There are only Level 2, 5 and 6 error messages for the current firmware release. Default Setting Flash: errors (level 3 - 0) RAM: warnings (level 7 - 0) Command Mode Global Configuration Command Usage The message level specified for flash memory must be a higher priority...
  • Page 502: Logging Facility

    The command specifies the facility type tag sent in syslog messages. (See RFC 3164.) This type has no effect on the kind of messages reported by the switch. However, it may be used by the syslog server to sort messages or to store messages in the corresponding database.
  • Page 503: Logging Trap

    logging trap This command enables the logging of system messages to a remote server, or limits the syslog messages saved to a remote server based on severity. Use this command without a specified level to enable remote logging. Use the no form to disable remote logging. Syntax logging trap [level] no logging trap...
  • Page 504: Clear Log

    clear log This command clears messages from the log buffer. Syntax clear log [flash | ram] • flash - Event history stored in flash memory (i.e., permanent memory). • ram - Event history stored in temporary RAM (i.e., memory flushed on power reset).
  • Page 505: Show Logging

    This command displays the configuration settings for logging messages to local switch memory, to an SMTP event handler, or to a remote syslog server. Syntax show logging {flash | ram | sendmail | trap} • flash - Displays settings for storing event messages in flash memory (i.e., permanent memory).
  • Page 506: Table 20-14 Show Logging Flash/Ram - Display Description

    Example The following example shows that system logging is enabled, the message level for flash memory is “errors” (i.e., default level 3 - 0), and the message level for RAM is “debugging” (i.e., default level 7 - 0). Console#show logging flash Syslog logging: History logging in FLASH: level errors...
  • Page 507: Show Log

    Table 20-15 show logging trap - display description (Continued) Field REMOTELOG level type REMOTELOG server IP address Related Commands show logging sendmail (20-52) show log This command displays the log messages stored in local memory. Syntax show log {flash | ram} •...
  • Page 508: Smtp Alert Commands

    SMTP Alert Commands These commands configure SMTP event handling, and forwarding of alert messages to the specified SMTP servers and email recipients. Command logging sendmail host SMTP servers to receive alert messages logging sendmail level logging sendmail source-email logging sendmail destination-email logging sendmail...
  • Page 509: Logging Sendmail Level

    • To send email alerts, the switch first opens a connection, sends all the email alerts waiting in the queue one by one, and finally closes the connection. • To open a connection, the switch first selects the server that successfully sent mail during the last connection, or the first server configured by this command.
  • Page 510: Logging Sendmail Source-Email

    (Range: 1-41 characters) Default Setting None Command Mode Global Configuration Command Usage You may use a symbolic email address that identifies the switch, or the address of an administrator responsible for the switch. Example Console(config)#logging sendmail source-email bill@this-company.com Console(config)# logging sendmail destination-email This command specifies the email recipients of alert messages.
  • Page 511: Command Usage

    Command Usage You can specify up to five recipients for alert messages. However, you must enter a separate command to specify each recipient. Example Console(config)#logging sendmail destination-email ted@this-company.com Console(config)# logging sendmail This command enables SMTP event handling. Use the no form to disable this function.
  • Page 512: Show Logging Sendmail

    show logging sendmail This command displays the settings for the SMTP event handler. Command Mode Normal Exec, Privileged Exec Example Console#show logging sendmail SMTP servers ----------------------------------------------- 192.168.1.19 SMTP minimum severity level: 7 SMTP destination email addresses ----------------------------------------------- ted@this-company.com SMTP source email address: bill@this-company.com SMTP status: Enabled Console#...
  • Page 513: Time Commands

    (NTP or SNTP). Maintaining an accurate time on the switch enables the system log to record meaningful dates and times for event entries. If the clock is not set, the switch will only record the time from the factory default set at the last bootup.
  • Page 514: Sntp Server

    Command Usage • The time acquired from time servers is used to record accurate dates and times for log events. Without SNTP, the switch only records the time starting from the factory default set at the last bootup (i.e., 00:00:00, Jan. 1, 2001).
  • Page 515: Sntp Poll

    (20-55) show sntp (20-56) sntp poll This command sets the interval between sending time requests when the switch is set to SNTP client mode. Use the no form to restore to the default. Syntax sntp poll seconds no sntp poll seconds - Interval between time requests.
  • Page 516: Show Sntp

    Related Commands sntp client (20-53) show sntp This command displays the current time and configuration settings for the SNTP client, and indicates whether or not the local time has been properly updated. Command Mode Normal Exec, Privileged Exec Command Usage This command displays the current time, the poll interval used for sending time synchronization requests, and the current SNTP mode...
  • Page 517: Clock Timezone

    This command sets the time zone for the switch’s internal clock. Syntax clock timezone name hour hours minute minutes {before-utc | after-utc} • name - Name of timezone, usually an acronym. (Range: 1-29 characters) • hours - Number of hours before/after UTC. (Range: 0-13 hours) •...
  • Page 518: Calendar Set

    calendar set This command sets the system clock. It may be used if there is no time server on your network, or if you have not configured the switch to receive signals from a time server. Syntax calendar set hour min sec {day month year | month day year} •...
  • Page 519 Example Console#show calendar 15:12:34 February 1 2002 Console#...
  • Page 521: Snmp Commands

    Controls access to this switch from management stations using the Simple Network Management Protocol (SNMP), as well as the error types sent to trap managers. SNMP Version 3 also provides security features that cover message integrity, authentication, and encryption; as well as controlling user access to specific areas of the MIB tree.
  • Page 522: Snmp Commands

    Command snmp-server engine-id show snmp engine-id Shows the SNMP engine ID snmp-server view show snmp view snmp-server group show snmp group snmp-server user show snmp user snmp-server This command enables the SNMPv3 engine and services for all management clients (i.e., versions 1, 2c, 3).
  • Page 523: Show Snmp

    show snmp This command can be used to check the status of SNMP communications. Default Setting None Command Mode Normal Exec, Privileged Exec Command Usage This command provides information on the community access strings, counter information for SNMP input and output protocol data units, and whether or not SNMP logging has been enabled with the snmp-server enable traps command.
  • Page 524: Snmp-Server Community

    snmp-server community This command defines the SNMP v1 and v2c community access string. Use the no form to remove the specified community string. Syntax snmp-server community string [ro|rw] no snmp-server community string • string - Community string that acts like a password and permits access to the SNMP protocol.
  • Page 525: Snmp-Server Contact

    snmp-server contact This command sets the system contact string. Use the no form to remove the system contact information. Syntax snmp-server contact string no snmp-server contact string - String that describes the system contact information. (Maximum length: 255 characters) Default Setting None Command Mode Global Configuration...
  • Page 526: Snmp-Server Host

    Command Mode Global Configuration Example Console(config)#snmp-server location WC-19 Console(config)# Related Commands snmp-server contact (21-5) snmp-server host This command specifies the recipient of a Simple Network Management Protocol notification operation. Use the no form to remove the specified host.
  • Page 527 Command Usage • If you do not enter an snmp-server host command, no notifications are sent. In order to configure the switch to send SNMP notifications, you must enter at least one snmp-server host command. In order to enable multiple hosts, you must issue a separate snmp-server host command for each host.
  • Page 528 6. Specify a remote engine ID where the user resides (page 21-10). 7. Then configure a remote user (page 21-18). • The switch can send SNMP Version 1, 2c or 3 notifications to a host IP address, depending on the SNMP version that the management station supports.
  • Page 529: Snmp-Server Enable Traps

    Otherwise, the authentication password and/or privacy password will not exist, and the switch will not authorize SNMP access for the host. However, if you specify a V3 host with the “noauth” option, an SNMP user account will be generated, and the switch will authorize SNMP access for the host.
  • Page 530: Snmp-Server Engine-Id

    • engineid-string - String identifying the engine ID. (Range: 1-26 hexadecimal characters for the local engine ID and 10-64 for a remote engine ID) Default Setting A unique engine ID is automatically generated by the switch based on its MAC address.
  • Page 531: Command Mode

    • A local engine ID is automatically generated that is unique to the switch. This is referred to as the default engine ID. If the local engine ID is deleted or changed, all SNMP users will be cleared. You will need to reconfigure all existing users (page 21-18).
  • Page 532: Show Snmp Engine-Id

    show snmp engine-id This command shows the SNMP engine ID. Command Mode Privileged Exec Example This example shows the default engine ID. Console#show snmp engine-id Local SNMP engineID: 8000002a8000000000e8666672 Local SNMP engineBoots: 1 Remote SNMP engineID 80000000030004e2b316c54321 Console# Table 21-2 show snmp engine-id - display description Field...
  • Page 533: Snmp-Server View

    snmp-server view This command adds an SNMP view which controls user access to the MIB. Use the no form to remove an SNMP view. Syntax snmp-server view view-name oid-tree {included | excluded} no snmp-server view view-name • view-name - Name of an SNMP view. (Range: 1-64 characters) •...
  • Page 534: Show Snmp View

    This view includes the MIB-2 interfaces table, and the mask selects all index entries. Console(config)#snmp-server view ifEntry.a 1.3.6.1.2.1.2.2.1.1.* included Console(config)# show snmp view This command shows information on the SNMP views. Command Mode Privileged Exec Example Console#show snmp view View Name: mib-2 Subtree OID: 1.2.2.3.6.2.1 View Type: included...
  • Page 535: Snmp-Server Group

    snmp-server group This command adds an SNMP group, mapping SNMP users to SNMP views. Use the no form to remove an SNMP group. Syntax snmp-server group groupname {v1 | v2c | v3 {auth | noauth | priv}} [read readview] [write writeview] [notify notifyview] no snmp-server group groupname •...
  • Page 536: Show Snmp Group

    • For additional information on the notification messages supported by this switch, see Table 5-2, “Supported Notification Messages,” on page 5-19. Also, note that the authentication, link-up and link-down messages are legacy traps and must therefore be enabled in conjunction with the snmp-server enable traps command (page 21-9).
  • Page 537: Table 21-4 Show Snmp Group - Display Description

    Group Name: public Security Model: v2c Read View: defaultview Write View: none Notify View: none Storage Type: volatile Row Status: active Group Name: private Security Model: v1 Read View: defaultview Write View: defaultview Notify View: none Storage Type: volatile Row Status: active Group Name: private Security Model: v2c Read View: defaultview...
  • Page 538: Snmp-Server User

    snmp-server user This command adds a user to an SNMP group, restricting the user to a specific SNMP Read, Write, or Notify View. Use the no form to remove a user from an SNMP group. Syntax snmp-server user username groupname [remote ip-address] {v1 | v2c | v3 [encrypted] [auth {md5 | sha} auth-password [priv des56 priv-password]]} no snmp-server user username {v1 | v2c | v3 | remote}...
  • Page 539: Command Usage

    Command Usage • The SNMP engine ID is used to compute the authentication/privacy digests from the password. You should therefore configure the engine ID with the snmp-server engine-id command before using this configuration command. • Before you configure a remote user, use the snmp-server engine-id command (page 21-10) to specify the engine ID for the remote device where the user resides.
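    The engine-ID dependence described above, as an added example that is not part of the manual: a Python implementation of the RFC 3414 password-to-key derivation (password expanded to 1 MiB and hashed, then localized as H(Ku || engineID || Ku)), run against the two engine IDs shown in the manual's show snmp engine-id output. The "maplesyrup" vector in the comments is the one published in RFC 3414 Appendix A.3; the helper names are this example's own.

```python
"""Added example (not from the SMC manual or firmware): why the SNMPv3 engine
ID must be fixed before creating users.  The switch derives every user's
authentication and privacy keys from the password AND the engine ID, so
changing the engine ID silently invalidates all existing keys.  Derivation
follows RFC 3414 Appendix A.2 (MD5 and SHA-1 variants)."""
import hashlib

# Engine IDs copied from the manual's 'show snmp engine-id' example output.
LOCAL_ENGINE_ID = bytes.fromhex("8000002a8000000000e8666672")
REMOTE_ENGINE_ID = bytes.fromhex("80000000030004e2b316c54321")

# RFC 3414 stretches the password to 1,048,576 bytes before hashing; this is
# the only brute-force slowdown the protocol offers, so it must not be skipped.
_EXPANSION_LEN = 1_048_576


def _new_hash(algo: str):
    # The switch offers only md5 and sha (SHA-1) as authentication protocols.
    if algo == "md5":
        return hashlib.md5()
    if algo == "sha":
        return hashlib.sha1()
    raise ValueError("auth protocol must be 'md5' or 'sha'")


def password_to_ku(password: str, algo: str = "md5") -> bytes:
    """Step 1 (RFC 3414 A.2): hash the password repeated cyclically to 1 MiB.

    RFC vector: password_to_ku('maplesyrup', 'md5').hex()
    == '9faf3283884e92834ebc9847d8edd963'"""
    pw = password.encode("utf-8")
    if not pw:
        raise ValueError("empty password")
    reps, rem = divmod(_EXPANSION_LEN, len(pw))
    h = _new_hash(algo)
    h.update(pw * reps + pw[:rem])   # exactly _EXPANSION_LEN bytes
    return h.digest()


def localize_key(ku: bytes, engine_id: bytes, algo: str = "md5") -> bytes:
    """Step 2: Kul = H(Ku || engineID || Ku).

    The engine ID is mixed in so that the same password gives a different key
    on every engine; a compromised key on one device is useless elsewhere.
    RFC vector: engine ID 000000000000000000000002 with the MD5 Ku above
    localizes to '526f5eed9fcce26f8964c2930787d82b'."""
    h = _new_hash(algo)
    h.update(ku + engine_id + ku)
    return h.digest()


def localized_key(password: str, engine_id: bytes, algo: str = "md5") -> bytes:
    return localize_key(password_to_ku(password, algo), engine_id, algo)


def keys_for_user(auth_pw: str, priv_pw: str, engine_id: bytes,
                  algo: str = "md5") -> dict:
    """Everything the switch keeps per (user, engine): the auth key, and for
    'priv des56' the 16-byte privacy key split into DES key and pre-IV
    (RFC 3414 section 8.1.1.1).  SHA-1 keys are 20 bytes; DES uses the first 16."""
    auth = localized_key(auth_pw, engine_id, algo)
    priv = localized_key(priv_pw, engine_id, algo)[:16]
    return {"auth": auth, "priv_des56": priv,
            "des_key": priv[:8], "pre_iv": priv[8:16]}


def engine_id_change_invalidates(password: str, old_id: bytes,
                                 new_id: bytes) -> bool:
    """True when an engine-ID change makes the previously derived key wrong,
    which is why the switch clears all SNMP users on such a change."""
    return localized_key(password, old_id) != localized_key(password, new_id)


if __name__ == "__main__":
    # Constructed sample passwords; the manual's example user is 'steve'.
    k = keys_for_user("auth-pass-example", "priv-pass-example", LOCAL_ENGINE_ID)
    print("steve@local  auth key:", k["auth"].hex())
    print("steve@local  DES key :", k["des_key"].hex(), "pre-IV:", k["pre_iv"].hex())
    print("same password, remote engine ->",
          localized_key("auth-pass-example", REMOTE_ENGINE_ID).hex())
    print("engine ID change invalidates user keys:",
          engine_id_change_invalidates("auth-pass-example",
                                       LOCAL_ENGINE_ID, REMOTE_ENGINE_ID))
```

The same derivation runs on the management station side, which is why a manager must learn the switch's engine ID (engine discovery) before it can authenticate as a configured user.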
  • Page 540: Show Snmp User

    show snmp user This command shows information on SNMP users. Command Mode Privileged Exec Example Console#show snmp user EngineId: 800000ca030030f1df9ca00000 User Name: steve Authentication Protocol: md5 Privacy Protocol: des56 Storage Type: nonvolatile Row Status: active SNMP remote user EngineId: 80000000030004e2b316c54321 User Name: mark Authentication Protocol: mdt...
  • Page 541: Table 22-1 Authentication Commands

    You can configure this switch to authenticate users logging into the system for management access using local or remote authentication methods. Port-based authentication using IEEE 802.1X can also be configured to control either management access to the uplink ports or client access to the data ports.
  • Page 542: User Authentication Commands

    User Account Commands The basic commands required for management access are listed in this section. This switch also includes other options for password checking via the console or a Telnet connection (page 20-26), user authentication via a remote authentication server (page 22-1), and host access authentication for specific ports (page 22-34).
  • Page 543: Default Setting

    • password password - The authentication password for the user. (Maximum length: 8 characters plain text, 32 encrypted, case sensitive) Default Setting The default access level is Normal Exec. The factory defaults for the user names and passwords are: Table 22-3 Default Login Settings username access-level guest...
  • Page 544: Enable Password

    enable password After initially logging onto the system, you should set the Privileged Exec password. Remember to record it in a safe place. This command controls access to the Privileged Exec level from the Normal Exec level. Use the no form to reset the default password.
  • Page 545: Authentication Sequence

    Related Commands enable (19-2) authentication enable (22-7) Authentication Sequence Three authentication methods can be specified to authenticate users logging into the system for management access. The commands in this section can be used to define the authentication method and sequence. Table 22-4 Authentication Sequence Commands Command authentication...
  • Page 546 Command Usage • RADIUS uses UDP while TACACS+ uses TCP. UDP only offers best effort delivery, while TCP offers a connection-oriented transport. Also, note that RADIUS encrypts only the password in the access-request packet from the client to the server, while TACACS+ encrypts the entire body of the packet.
  • Page 547: Authentication Enable

    authentication enable This command defines the authentication method and precedence to use when changing from Exec command mode to Privileged Exec command mode with the enable command (see page 19-2). Use the no form to restore the default. Syntax authentication enable {[local] [radius] [tacacs]} no authentication enable •...
  • Page 548: Radius Client

    RADIUS-aware devices on the network. An authentication server contains a database of multiple user name/password pairs with associated privilege levels for each user or group that require management access to a switch. Command radius-server host radius-server port...
  • Page 549: Radius-Server Host

    • port_number - RADIUS server UDP port used for authentication messages. (Range: 1-65535) • timeout - Number of seconds the switch waits for a reply before resending a request. (Range: 1-65535) • retransmit - Number of times the switch will try to authenticate logon access via the RADIUS server.
  • Page 550: Radius-Server Port

    radius-server port This command sets the RADIUS server network port. Use the no form to restore the default. Syntax radius-server port port_number no radius-server port port_number - RADIUS server UDP port used for authentication messages. (Range: 1-65535) Default Setting 1812 Command Mode Global Configuration...
  • Page 551: Radius-Server Retransmit

    RADIUS server. Use the no form to restore the default. Syntax radius-server timeout number_of_seconds no radius-server timeout number_of_seconds - Number of seconds the switch waits for a reply before resending a request. (Range: 1-65535) Default Setting...
  • Page 552: Show Radius-Server

    Command Mode Global Configuration Example Console(config)#radius-server timeout 10 Console(config)# show radius-server This command displays the current settings for the RADIUS server. Default Setting None Command Mode Privileged Exec Example Console#show radius-server Remote RADIUS server configuration: Global settings: Communication key with RADIUS server: ***** Server port number: Retransmit times: Request timeout:...
  • Page 553: Tacacs+ Client

    TACACS-aware devices on the network. An authentication server contains a database of multiple user name/password pairs with associated privilege levels for each user or group that require management access to a switch. Command tacacs-server host tacacs-server port...
  • Page 554: Tacacs-Server Port

    tacacs-server port This command specifies the TACACS+ server network port. Use the no form to restore the default. Syntax tacacs-server port port_number no tacacs-server port port_number - TACACS+ server TCP port used for authentication messages. (Range: 1-65535) Default Setting Command Mode Global Configuration Example...
  • Page 555: Show Tacacs-Server

    Specifies the UDP port number for HTTPS Table 22-7 Web Server Commands Function Specifies the port to be used by the web browser interface Allows the switch to be monitored or configured from a browser Enables HTTPS (HTTP/SSL) for encrypted communications 10.11.12.13...
  • Page 556: Ip Http Port

    ip http port This command specifies the TCP port number used by the web browser interface. Use the no form to use the default port. Syntax ip http port port-number no ip http port port-number - The TCP port to be used by the browser interface. (Range: 1-65535) Default Setting Command Mode...
  • Page 557: Ip Http Secure-Server

    This command enables the secure hypertext transfer protocol (HTTPS) over the Secure Socket Layer (SSL), providing secure access (i.e., an encrypted connection) to the switch’s web interface. Use the no form to disable this function. Syntax [no] ip http secure-server...
  • Page 558: Ip Http Secure-Port

    (22-18) copy tftp https-certificate (20-17) ip http secure-port This command specifies the UDP port number used for HTTPS connection to the switch’s web interface. Use the no form to restore the default port. Syntax ip http secure-port port_number no ip http secure-port port_number –...
  • Page 559 Default Setting Command Mode Global Configuration Command Usage • You cannot configure the HTTP and HTTPS servers to use the same port. • If you change the HTTPS port number, clients attempting to connect to the HTTPS server must specify the port number in the URL, in this format: https://device:port_number Example Console(config)#ip http secure-port 1000...
  • Page 560: Telnet Server Commands

    Console(config)#ip telnet server Console(config)#ip telnet port 123 Console(config)# Table 22-9 Telnet Server Commands Function Allows the switch to be monitored or configured from Telnet; also specifies the port to be used by the Telnet interface Mode Page 22-16...
  • Page 561: Secure Shell Commands

    This section describes the commands used to configure the SSH server. Note that you also need to install an SSH client on the management station when using this protocol to configure the switch. Note: The switch supports both SSH Version 1.5 and 2.0 clients. Command ip ssh server...
  • Page 562 22-5. If public key authentication is specified by the client, then you must configure authentication keys on both the client and the switch as described in the following section. Note that regardless of whether you use public key or password authentication, you still have to generate authentication keys on the switch and enable the SSH server.
  • Page 563 However, you do not need to configure the client’s keys. Public Key Authentication – When an SSH client attempts to contact the switch, the SSH server uses the host key pair to negotiate a session key and encryption method. Only clients that have a private key corresponding to the public keys stored on the switch can access it.
  • Page 564 c. If a match is found, the switch uses its secret key to generate a random 256-bit string as a challenge, encrypts this string with the user’s public key, and sends it to the client. d. The client uses its private key to decrypt the challenge string, computes the MD5 checksum, and sends the checksum back to the switch.
  • Page 565: Ip Ssh Server

    This command enables the Secure Shell (SSH) server on this switch. Use the no form to disable this service. Syntax [no] ip ssh server Default Setting Disabled Command Mode Global Configuration Command Usage • The SSH server supports up to four client sessions. The maximum number of client sessions includes both current Telnet sessions and SSH sessions.
  • Page 566: Ip Ssh Timeout

    Global Configuration Command Usage The timeout specifies the interval the switch will wait for a response from the client during the SSH negotiation phase. Once an SSH session has been established, the timeout for user input is controlled by the exec-timeout command for vty sessions.
  • Page 567: Ip Ssh Authentication-Retries

    ip ssh authentication-retries This command configures the number of times the SSH server attempts to reauthenticate a user. Use the no form to restore the default setting. Syntax ip ssh authentication-retries count no ip ssh authentication-retries count – The number of authentication attempts permitted after which the interface is reset.
  • Page 568: Ip Ssh Crypto Host-Key Generate

    Command Usage The server key is a private key that is never shared outside the switch. The host key is shared with the SSH client, and is fixed at 1024 bits. Example Console(config)#ip ssh server-key size 512 Console(config)# delete public-key This command deletes the specified user’s public key.
  • Page 569: Ip Ssh Crypto Zeroize

    Command Mode Privileged Exec Command Usage • The switch uses only RSA Version 1 for SSHv1.5 clients and DSA Version 2 for SSHv2 clients. • This command stores the host key pair in memory (i.e., RAM). Use the ip ssh save host-key command to save the host key pair to flash memory.
  • Page 570: Ip Ssh Save Host-Key

    Command Mode Privileged Exec Command Usage • This command clears the host key from volatile memory (RAM). Use the no ip ssh save host-key command to clear the host key from flash memory. • The SSH server must be disabled before you can execute this command.
  • Page 571: Show Ip Ssh

    show ip ssh This command displays the connection settings used when authenticating client access to the SSH server. Command Mode Privileged Exec Example Console#show ip ssh SSH Enabled - version 2.0 Negotiation timeout: 120 secs; Authentication retries: 3 Server key size: 768 bits Console# show ssh This command displays the current SSH server connections.
  • Page 572: Show Public-Key

    Table 22-11 show ssh - display description (Continued) Field Description Username The user name of the client. Encryption The encryption method is automatically negotiated between the client and server. Options for SSHv1.5 include: DES, 3DES Options for SSHv2.0 can include different algorithms for the client-to-server (ctos) and server-to-client (stoc): aes128-cbc-hmac-sha1 aes192-cbc-hmac-sha1...
  • Page 573: Privileged Exec

    Command Mode Privileged Exec Command Usage • If no parameters are entered, all keys are displayed. If the user keyword is entered, but no user name is specified, then the public keys for all users are displayed. • When an RSA key is displayed, the first field indicates the size of the host key (e.g., 1024), the second field is the encoded public exponent (e.g., 35), and the last string is the encoded modulus.
  • Page 574: 802.1X Port Authentication

    802.1X Port Authentication The switch supports IEEE 802.1X (dot1x) port-based access control that prevents unauthorized access to the network by requiring users to first submit credentials for authentication. Client authentication is controlled centrally by a RADIUS server using EAP (Extensible Authentication Protocol).
  • Page 575: Dot1X System-Auth-Control

    Command dot1x timeout tx-period Sets the time period during an show dot1x dot1x system-auth-control This command enables IEEE 802.1X port authentication globally on the switch. Use the no form to restore the default. Syntax [no] dot1x system-auth-control Default Setting Disabled...
  • Page 576: Dot1X Max-Req

    dot1x max-req: This command sets the maximum number of times the switch port will retransmit an EAP request/identity packet to the client before it times out the authentication session. Use the no form to restore the default. Syntax: dot1x max-req count / no dot1x max-req. count –...
  • Page 577: Dot1X Operation-Mode

    Default: force-authorized. Command Mode: Interface Configuration. Example:
      Console(config)#interface eth 1/2
      Console(config-if)#dot1x port-control auto
      Console(config-if)#
    dot1x operation-mode: This command allows single or multiple hosts (clients) to connect to an 802.1X-authorized port. Use the no form with no keywords to restore the default of single host.
  • Page 578: Dot1X Re-Authenticate

    • In “multi-host” mode, only one host connected to a port needs to pass authentication for all other hosts to be granted network access. Similarly, a port can become unauthorized for all hosts if one attached host fails re-authentication or sends an EAPOL logoff message. Example:
      Console(config)#interface eth 1/2
      Console(config-if)#dot1x operation-mode multi-host max-count 10...
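The single-host versus multi-host distinction above, as an added example that is not part of the SMC manual: a small Python model of the per-port authorization rules the dot1x port-control and dot1x operation-mode commands describe, showing how an unauthenticated station rides on another host's session in multi-host mode and loses access when that host logs off. The class, method and event names and the MAC addresses are constructed for illustration, and counting distinct source addresses seen on the port against max-count is an assumption about how that limit is applied.

```python
"""Model of the 802.1X port authorization rules described for the dot1x
port-control and dot1x operation-mode commands.

Added example, not code from the SMC manual. Class, method and event names
and the MAC addresses are constructed; counting distinct source addresses
seen on the port against max-count is an assumption about how the limit
is applied.
"""
from dataclasses import dataclass, field

FORCE_AUTHORIZED = "force-authorized"      # default: port always open
FORCE_UNAUTHORIZED = "force-unauthorized"  # port always closed
AUTO = "auto"                              # EAP authentication decides


@dataclass
class Dot1xPort:
    port_control: str = FORCE_AUTHORIZED
    operation_mode: str = "single-host"    # or "multi-host"
    max_count: int = 1                     # hosts allowed in multi-host mode
    authenticated: set = field(default_factory=set)  # MACs that passed EAP
    seen: set = field(default_factory=set)           # MACs observed on the port

    def auth_success(self, mac: str) -> None:
        """RADIUS Access-Accept relayed to this supplicant."""
        self.authenticated.add(mac)
        self.seen.add(mac)

    def auth_fail(self, mac: str) -> None:
        """Failed (re)authentication. In multi-host mode one failure
        unauthorizes the whole port, not only the failing host."""
        self.seen.add(mac)
        if self.operation_mode == "multi-host":
            self.authenticated.clear()
        else:
            self.authenticated.discard(mac)

    def eapol_logoff(self, mac: str) -> None:
        """EAPOL-Logoff has the same effect as a failed re-authentication."""
        self.auth_fail(mac)

    def is_authorized(self, mac: str) -> bool:
        """Would a frame from `mac` be forwarded?"""
        self.seen.add(mac)
        if self.port_control == FORCE_AUTHORIZED:
            return True
        if self.port_control == FORCE_UNAUTHORIZED:
            return False
        if self.operation_mode == "single-host":
            return mac in self.authenticated
        # multi-host: any one authenticated host opens the port for every
        # other address on it, bounded only by max-count distinct addresses
        return bool(self.authenticated) and len(self.seen) <= self.max_count


def demo() -> dict:
    """Contrast the two operation modes with constructed MAC addresses."""
    a, b, c = "00-11-22-33-44-01", "00-11-22-33-44-02", "00-11-22-33-44-03"
    single = Dot1xPort(port_control=AUTO, operation_mode="single-host")
    single.auth_success(a)
    multi = Dot1xPort(port_control=AUTO, operation_mode="multi-host", max_count=2)
    multi.auth_success(a)
    r = {
        "single_authenticated": single.is_authorized(a),
        "single_piggyback": single.is_authorized(b),   # b never authenticated
        "multi_piggyback": multi.is_authorized(b),     # rides on a's session
        "multi_over_max_count": multi.is_authorized(c),
    }
    multi.eapol_logoff(a)                              # a logs off
    r["multi_after_logoff"] = multi.is_authorized(b)   # b loses access too
    r["force_authorized_default"] = Dot1xPort().is_authorized(c)
    return r


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case:>26}: {'forward' if allowed else 'drop'}")
```

The point for a deployment: multi-host mode is only as strong as the single authenticated station, so it belongs on ports with a known downstream device, and the default port-control of force-authorized means a port that has never been set to auto performs no authentication at all.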
  • Page 579: Dot1X Re-Authentication

    dot1x timeout quiet-period: This command sets the time that a switch port waits after the Max Request Count has been exceeded before attempting to acquire a new client. Use the no form to reset the default.
  • Page 580: Dot1X Timeout Re-Authperiod

    Default: 60 seconds. Command Mode: Interface Configuration. Example:
      Console(config)#interface eth 1/2
      Console(config-if)#dot1x timeout quiet-period 350
      Console(config-if)#
    dot1x timeout re-authperiod: This command sets the time period after which a connected client must be re-authenticated. Use the no form of this command to reset the default. Syntax: dot1x timeout re-authperiod seconds / no dot1x timeout re-authperiod...
  • Page 581: Dot1X Timeout Tx-Period

    dot1x timeout tx-period: This command sets the time that an interface on the switch waits during an authentication session before re-transmitting an EAP packet. Use the no form to reset to the default value. Syntax: dot1x timeout tx-period seconds / no dot1x timeout tx-period. seconds - The number of seconds.
  • Page 582 This command displays the following information: • Global 802.1X Parameters – Shows whether or not 802.1X port authentication is globally enabled on the switch. • 802.1X Port Summary – Displays the port access control parameters for each interface that has enabled 802.1X, including the following...
  • Page 583 - Port-control - Supplicant - Current Identifier – The integer (0-255) used by the • Authenticator State Machine - State - Reauth Count • Backend State Machine - State - Request Count - Identifier(Server) – Identifier carried in the most recent EAP •...
  • Page 584: Authentication Commands

    Example:
      Console#show dot1x
      Global 802.1X Parameters
       system-auth-control: enable
      802.1X Port Summary
       Port  Name  Status
       ...         disabled
       ...         disabled
       1/17        disabled
       1/18        enabled
      802.1X Port Details
       802.1X is enabled on port 1/1
       ...
       802.1X is enabled on port 18
        reauth-enabled: reauth-period: quiet-period: tx-period: supplicant-timeout: server-timeout: reauth-max:...
  • Page 585: Management Ip Filter Commands

    management: This command specifies the client IP addresses that are allowed management access to the switch through various protocols. Use the no form to restore the default setting. Syntax: [no] management {all-client | http-client | snmp-client | telnet-client} start-address [end-address] •...
  • Page 586: Show Management

    Command Usage: • If anyone tries to access a management interface on the switch from an invalid address, the switch will reject the connection, enter an event message in the system log, and send a trap message to the trap manager.
  • Page 587 Command Mode: Privileged Exec. Example:
      Console#show management all-client
      Management Ip Filter
      HTTP-Client:
        Start IP address   End IP address
        -----------------------------------------------
        1. 192.168.1.19    192.168.1.19
        2. 192.168.1.25    192.168.1.30
      SNMP-Client:
        Start IP address   End IP address
        -----------------------------------------------
        1. 192.168.1.19    ...
        2. 192.168.1.25    ...
      TELNET-Client:
        Start IP address   End IP address
        -----------------------------------------------
        1. 192.168.1.19    ...
        2. 192.168.1.25    ...
      Console#
  • Page 589: Client Security Commands

    This switch supports many methods of segregating traffic for clients attached to each of the data ports, and for ensuring that only authorized clients gain access to the network. Private VLANs and port-based authentication using IEEE 802.1X are commonly used for these purposes.
  • Page 590: Port Security Commands

    Port Security Commands These commands can be used to enable port security on a port. When using port security, the switch stops learning new MAC addresses on the specified port when it has reached a configured maximum number. Only incoming traffic with source addresses already stored in the dynamic or static address table for this port will be authorized to access the network.
  • Page 591: Port Security

    Command table (continued): mac-address-table static – Maps a static address to a port in a VLAN (GC); show mac-address-table – Displays entries in the bridge-forwarding... port security: This command enables or configures port security. Use the no form without any keywords to disable port security. Use the no form with the appropriate keyword to restore the default settings for the response to a security violation or for the maximum number of allowed addresses.
  • Page 592 Command Usage: • If you enable port security, the switch stops learning new MAC addresses on the specified port when it has reached a configured maximum number. Only incoming traffic with source addresses already stored in the dynamic or static address table will be accepted.
  • Page 593: Packet Filtering Commands

    Packet Filtering Commands: This section describes commands used to configure packet filtering for inbound traffic. Commands: filter ipmac, filter netbios, filter dhcp-request, filter dhcp, show filter. Note: Packet filtering occupies valuable hardware resources. Using Private VLANs provides a more efficient alternative for separating the traffic sent to each subscriber (see “Configuring Private VLANs”...
  • Page 594 • To specify a MAC address use either of the following hexadecimal formats: xx-xx-xx-xx-xx-xx or xxxxxxxxxxxx • This switch provides a total of 7 masks for filtering functions, including IP-MAC address packet filtering, NetBIOS packet filtering, DHCP packet filtering, and ACLs. One mask is allocated to IP-MAC packet filtering if any entries are defined.
  • Page 595: Filter Netbios

    However, to ensure that this information is never sent out on the Internet, NetBIOS packet filtering should be enabled on all data ports if the switch is not operating behind a firewall. • When NetBIOS packet filtering is enabled, NetBIOS packets...
  • Page 596: Filter Dhcp-Request

    • This switch provides a total of 7 masks for filtering functions, including IP-MAC address packet filtering, NetBIOS packet filtering, DHCP packet filtering, and ACLs. Three masks are allocated to NetBIOS packet filtering if enabled on any interface. These masks will be released for use by other filtering functions if NetBIOS packet filtering is disabled on all interfaces.
  • Page 597: Filter Dhcp

    • To specify a port list, use a hyphen to indicate a range of ports, or a comma to indicate a group of non-consecutive ports. • This switch provides a total of 7 masks for filtering functions, including IP-MAC address packet filtering, NetBIOS packet filtering, DHCP packet filtering, and ACLs.
  • Page 598: Show Filter

    These masks will be released for use by other filtering functions if DHCP packet filtering is disabled on all interfaces. Example:
      Console(config)#filter dhcp add 1/1
      Console(config)#
    show filter: This command displays the packet filter settings. Command Mode: Privileged Exec. Example:
      Console#sh filter
      PORT DHCP[request] restricted...
  • Page 599: Ip Source Guard Commands

    ip source-guard: This command configures the switch to filter inbound traffic based on source IP address, or on source IP address and the corresponding MAC address. Use the no form to disable this function. Syntax: ip source-guard {sip | sip-mac} / no ip source-guard •...
  • Page 600 Default Setting: Disabled. Command Mode: Interface Configuration (Ethernet). Command Usage: • Source guard is used to filter traffic on an unsecured port which receives messages from outside the network or firewall, and therefore may be subject to spoofing attacks in which a host tries to use the IP address of a neighbor.
  • Page 601 - If IP source guard is enabled on an interface for which IP source bindings (dynamically learned via DHCP snooping or manually configured) are not yet configured, the switch will drop all IP traffic on that port, except for DHCP packets.
  • Page 602: Ip Source-Guard Binding

    ip source-guard binding: This command adds a static address to the source-guard binding table. Use the no form to remove a static entry. Syntax: ip source-guard binding mac-address vlan vlan-id ip-address interface ethernet unit/port / no ip source-guard binding mac-address vlan vlan-id •...
  • Page 603: Show Ip Source-Guard

    - If there is an entry with the same VLAN ID and MAC address, and the type of entry is static IP source guard binding, then the new entry will replace the old one. - If there is an entry with the same VLAN ID and MAC address, and the type of the entry is dynamic DHCP snooping binding, then the new entry will replace the old one and the entry type will be changed to static IP source guard binding.
  • Page 604: Show Ip Source-Guard Binding

    show ip source-guard binding: This command shows the source guard binding table. Command Mode: Privileged Exec. Example:
      Console#show ip source-guard binding
      MacAddress         IpAddress        Lease(sec)  Type                  VLAN  Interface
      -----------------  ---------------  ----------  --------------------  ----  --------
      11-22-33-44-55-66  192.168.0.99     0           Static-IP-SG-binding  1     Eth 1/5
      Console#
  • Page 605: Dhcp Snooping Commands

    DHCP Snooping Commands: DHCP snooping allows the switch to protect a network from rogue DHCP servers: DHCP server replies are accepted only on ports marked as trusted, and for each client that obtains a lease the switch records the port-related information (MAC address, IP address, VLAN, lease time and port) in a binding table. This information can be useful in tracking an IP address back to a physical port.
  • Page 606: Ip Dhcp Snooping

    • When DHCP snooping is enabled, the rate limit for the number of DHCP messages that can be processed by the switch is 100 packets per second. Any DHCP packets in excess of this limit are dropped. • Filtering rules are implemented as follows: - If global DHCP snooping is disabled, all DHCP packets are forwarded.
  • Page 607 • If DHCP snooping is globally disabled, all dynamic bindings are removed from the binding table. • Additional considerations when the switch itself is a DHCP client – The port(s) through which the switch submits a client request to the DHCP server must be configured as trusted (ip dhcp snooping trust, page 23-24).
  • Page 608: Ip Dhcp Snooping Vlan

    (Filtering rules, continued) For packets from a DHCP server, any packets received from untrusted ports are dropped. Example: This example enables DHCP snooping globally for the switch.
      Console(config)#ip dhcp snooping
      Console(config)#
    Related Commands: ip dhcp snooping vlan (23-20); ip dhcp snooping trust (23-24). ip dhcp snooping vlan: This command enables DHCP snooping on the specified VLAN.
  • Page 609: Ip Dhcp Snooping Verify Mac-Address

    • When DHCP snooping is globally enabled, configuration changes for specific VLANs have the following effects: - If DHCP snooping is disabled on a VLAN, all dynamic bindings learned for this VLAN are removed from the binding table. Example: This example enables DHCP snooping for VLAN 1.
      Console(config)#ip dhcp snooping vlan 1
      Console(config)#
    Related Commands...
  • Page 610: Ip Dhcp Snooping Database Write

    This command can be used to store the currently learned dynamic DHCP snooping entries to flash memory. These entries will be restored to the snooping table when the switch is reset. However, note that the lease time shown for a dynamic entry that has been restored from flash memory will no longer be valid.
  • Page 611: Ip Dhcp Snooping Client Limit

    DHCP snooping table as a valid entry. • If the lease time assigned by the DHCP server expires, or the connection between the switch and CPE is broken for any reason, the entry will be reset to a dynamic state.
  • Page 612: Ip Dhcp Snooping Trust

    If the client limit for a port is exceeded, acknowledgement packets sent by the DHCP server in response to host requests will be blocked by the switch. Example: This example sets the client limit to its maximum value on port 5.
      Console(config)#interface ethernet 1/5
      Console(config-if)#ip dhcp snooping client limit 48...
  • Page 613: Show Ip Dhcp Snooping

    • Additional considerations when the switch itself is a DHCP client – The port(s) through which it submits a client request to the DHCP server must be configured as trusted. Example: This example sets port 5 to untrusted.
      Console(config)#interface ethernet 1/5...
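The DHCP snooping filtering rules, the binding-table replacement rules, the client limit and the IP source guard behaviour described on the preceding pages, modelled together as an added Python example (not the switch's own code): a rogue server answering on a subscriber port is dropped, a guarded port with no binding passes nothing but DHCP, a lease learned from the trusted uplink opens the port for exactly that IP/MAC pair, a static binding converts the dynamic entry, and an ACK that would exceed the client limit is blocked. Packet fields, port names, VLAN numbers and addresses are constructed for illustration; that ip dhcp snooping verify mac-address compares the DHCP client hardware address with the Ethernet source address, and that a dynamic entry never overwrites a static binding, are assumptions.

```python
"""Model of the DHCP snooping and IP source guard rules from this chapter.

Added example, not the switch's own code. Packet fields, port names, VLAN
numbers and addresses are constructed for illustration. Two assumptions:
"verify mac-address" compares the DHCP client hardware address with the
Ethernet source address, and a dynamic entry never overwrites a static one.
"""
from __future__ import annotations
from dataclasses import dataclass

DISCOVER, OFFER, REQUEST, ACK = "DISCOVER", "OFFER", "REQUEST", "ACK"
SERVER_MSGS = {OFFER, ACK}   # only believable when they arrive on a trusted port


@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    vlan: int
    port: str
    static: bool          # static IP-SG binding, or dynamic DHCP snooping entry


@dataclass
class DhcpPacket:
    kind: str             # DISCOVER / OFFER / REQUEST / ACK
    src_mac: str          # Ethernet source address
    chaddr: str           # client hardware address inside the DHCP payload
    yiaddr: str           # address assigned by the server (OFFER / ACK)
    vlan: int
    in_port: str


class Switch:
    def __init__(self, client_limit: int = 48, verify_mac: bool = True):
        self.snooping_global = False
        self.snooping_vlans: set[int] = set()
        self.trusted: set[str] = set()            # ports facing real DHCP servers
        self.client_limit = client_limit           # ip dhcp snooping client limit
        self.verify_mac = verify_mac
        self.source_guard: dict[str, str] = {}     # port -> "sip" | "sip-mac"
        self.bindings: dict[tuple[int, str], Binding] = {}   # (vlan, mac) -> entry
        self.pending: dict[tuple[int, str], str] = {}        # (vlan, chaddr) -> port

    def add_binding(self, b: Binding) -> None:
        """Same VLAN + MAC replaces the old entry; a static entry also
        converts a dynamic one to static. Dynamic never overwrites static."""
        old = self.bindings.get((b.vlan, b.mac))
        if old is not None and old.static and not b.static:
            return
        self.bindings[(b.vlan, b.mac)] = b

    def port_bindings(self, port: str) -> list[Binding]:
        return [b for b in self.bindings.values() if b.port == port]

    def handle_dhcp(self, p: DhcpPacket) -> str:
        """Return "forward" or "drop" for a DHCP packet, learning bindings."""
        if not self.snooping_global or p.vlan not in self.snooping_vlans:
            return "forward"                       # snooping not active here
        if p.in_port in self.trusted:
            if p.kind == ACK:
                client_port = self.pending.pop((p.vlan, p.chaddr), None)
                if client_port is not None:
                    if len(self.port_bindings(client_port)) >= self.client_limit:
                        return "drop"              # client limit reached: ACK blocked
                    self.add_binding(Binding(p.chaddr, p.yiaddr, p.vlan, client_port, False))
            return "forward"
        if p.kind in SERVER_MSGS:
            return "drop"                          # rogue server on an untrusted port
        if self.verify_mac and p.chaddr != p.src_mac:
            return "drop"                          # forged client hardware address
        if p.kind == REQUEST:
            self.pending[(p.vlan, p.chaddr)] = p.in_port
        return "forward"

    def handle_ip(self, src_mac: str, src_ip: str, vlan: int, in_port: str,
                  is_dhcp: bool = False) -> str:
        """IP source guard check for an IP packet arriving on a guarded port."""
        mode = self.source_guard.get(in_port)
        if mode is None or is_dhcp:
            return "forward"                       # DHCP must pass to obtain a lease
        binds = self.port_bindings(in_port)
        if not binds:
            return "drop"                          # no bindings yet: all IP traffic dropped
        for b in binds:
            if b.vlan == vlan and b.ip == src_ip and (mode == "sip" or b.mac == src_mac):
                return "forward"
        return "drop"


def demo() -> dict:
    """Walk a subscriber port through the cases the manual describes."""
    sw = Switch(client_limit=1)
    sw.snooping_global = True
    sw.snooping_vlans.add(1)
    sw.trusted.add("eth1/17")                      # uplink towards the real server
    sw.source_guard["eth1/5"] = "sip-mac"
    client, server = "11-22-33-44-55-66", "00-de-ad-be-ef-01"
    r = {}
    r["rogue_offer"] = sw.handle_dhcp(DhcpPacket(OFFER, "aa-bb-cc-dd-ee-ff", client,
                                                  "192.168.0.50", 1, "eth1/6"))
    r["ip_before_lease"] = sw.handle_ip(client, "192.168.0.99", 1, "eth1/5")
    r["request"] = sw.handle_dhcp(DhcpPacket(REQUEST, client, client, "0.0.0.0", 1, "eth1/5"))
    r["ack"] = sw.handle_dhcp(DhcpPacket(ACK, server, client, "192.168.0.99", 1, "eth1/17"))
    r["ip_after_lease"] = sw.handle_ip(client, "192.168.0.99", 1, "eth1/5")
    r["spoofed_mac"] = sw.handle_ip("de-ad-be-ef-00-01", "192.168.0.99", 1, "eth1/5")
    sw.add_binding(Binding(client, "192.168.0.99", 1, "eth1/5", True))
    r["static_replaced"] = sw.bindings[(1, client)].static
    other = "11-22-33-44-55-77"
    sw.handle_dhcp(DhcpPacket(REQUEST, other, other, "0.0.0.0", 1, "eth1/5"))
    r["over_limit_ack"] = sw.handle_dhcp(DhcpPacket(ACK, server, other, "192.168.0.100", 1, "eth1/17"))
    return r


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:>18}: {verdict}")
```

Two operational consequences follow directly from the model: source guard on a port whose DHCP replies arrive through an untrusted uplink will never learn a binding and will black-hole the subscriber, and the client limit must be set with the static bindings on the port counted in, since they occupy the same table.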
  • Page 614: Show Ip Dhcp Snooping Binding

    show ip dhcp snooping binding: This command shows the DHCP snooping binding table entries. Command Mode: Privileged Exec. Example:
      Console#show ip dhcp snooping binding
      MacAddress         IpAddress        Lease(sec)  Type                  VLAN  Interface
      -----------------  ---------------  ----------  --------------------  ----  --------
      11-22-33-44-55-66  192.168.0.99     0           Static-DHCPSNP        1     Eth 1/5
      Console#
  • Page 615: Table 24-1 Access Control List Commands

    Access Control Lists (ACL) provide packet filtering for IP frames (based on address, protocol, Layer 4 protocol port number or TCP control code), or any frames (based on MAC address or Ethernet type). To filter packets, first create an access list, add the required rules, specify a mask to modify the precedence in which the rules are checked, and then bind the list to a specific port.
  • Page 616: Access Control List Commands

    IP ACLs: The commands in this section configure ACLs based on IP addresses, TCP/UDP port number, protocol type, and TCP control code. To configure IP ACLs, first create an access list containing the required permit or deny rules, set a precedence mask to control the filter sequence, and then bind the access list to one or more ports. Commands: access-list ip...
  • Page 617: Access-List Ip

    access-list ip This command adds an IP access list and enters configuration mode for standard or extended IP ACLs. Use the no form to remove the specified ACL. Syntax [no] access-list ip {standard | extended} acl_name • standard – Specifies an ACL that filters packets based on the source IP address.
  • Page 618: Permit, Deny (Standard Ip Acl)

    permit, deny (Standard IP ACL): This command adds a rule to a Standard IP ACL. The rule sets a filter condition for packets emanating from the specified source. Use the no form to remove a rule. Syntax: [no] {permit | deny} {any | source bitmask | host source} •...
  • Page 619: Permit, Deny (Extended Ip Acl)

    permit, deny (Extended IP ACL) This command adds a rule to an Extended IP ACL. The rule sets a filter condition for packets with specific source or destination IP addresses, protocol types, source or destination protocol ports, or TCP control codes. Use the no form to remove a rule.
  • Page 620 • control-flags – Decimal number (representing a bit string) that specifies flag bits in the TCP flags byte, i.e. offset 13 (the 14th byte) of the TCP header. (Range: 0-63) • flag-bitmask – Decimal number representing the code bits to match. Default Setting: None. Command Mode: Extended IP ACL. Command Usage: •...
  • Page 621: Show Ip Access-List

    Example: This example accepts any incoming packets whose source address is within subnet 10.7.1.x. The rule is matched when the rule address masked by its bitmask (10.7.1.1 & 255.255.255.0 = 10.7.1.0) equals the packet's source address masked the same way (e.g., 10.7.1.2 & 255.255.255.0 = 10.7.1.0); such a packet passes through.
      Console(config-ext-acl)#permit 10.7.1.1 255.255.255.0 any
      Console(config-ext-acl)#
    This allows TCP packets from the class C network 192.168.1.0 to any destination address when the destination TCP port is 80 (i.e., HTTP).
  • Page 622: Access-List Ip Mask-Precedence

    Example:
      Console#show ip access-list standard
      IP standard access-list david:
        permit host 10.1.1.21
        permit 168.92.0.0 255.255.15.0
      Console#
    Related Commands: permit, deny (24-4); ip access-group (24-14). access-list ip mask-precedence: This command changes to the IP Mask mode used to configure access control masks.
  • Page 623: Mask (Ip Acl)

    Example:
      Console(config)#access-list ip mask-precedence in
      Console(config-ip-mask-acl)#
    Related Commands: mask (IP ACL) (24-9); ip access-group (24-14). mask (IP ACL): This command defines a mask for IP ACLs. The mask defines the fields to check in the IP header. Use the no form to remove a mask. Syntax: [no] mask [protocol] {any | host | source-bitmask}...
  • Page 624 Default Setting: None. Command Mode: IP Mask. Command Usage: • Packets crossing a port are checked against all the rules in the ACL until a match is found. The order in which these packets are checked is determined by the mask, and not the order in which the ACL rules were entered.
  • Page 625 This shows that the entries in the mask override the precedence in which the rules are entered into the ACL. In the following example, packets with the source address 10.1.1.1 are dropped because the “deny 10.1.1.1 255.255.255.255” rule has the higher precedence according to the “mask host any”...
  • Page 626 This shows how to create an extended ACL with an egress mask to drop packets leaving network 171.69.198.0 when the Layer 4 source port is 23.
      Console(config)#access-list ip extended A3
      Console(config-ext-acl)#deny host 171.69.198.5 any
      Console(config-ext-acl)#deny 171.69.198.0 255.255.255.0 any source-port 23
      Console(config-ext-acl)#end
      Console#show access-list...
  • Page 627 This is a more comprehensive example. It denies any TCP packets in which the SYN bit is ON, and permits all other packets. It then sets the ingress mask to check the deny rule first, and finally binds port 1 to this ACL.
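The mask-precedence and TCP control-flag semantics from the ACL examples above, as an added Python example rather than anything from the manual: rules are grouped by the mask that covers them and evaluated in mask order, not entry order, and a control-flag rule matches when (packet flags & flag-bitmask) equals (control-flags & flag-bitmask). The helper names, the permit rule paired with the "deny 10.1.1.1 255.255.255.255" rule, and permitting a packet that matches no installed rule are assumptions made for illustration.

```python
"""Model of IP ACL evaluation order on this switch: rules are checked in the
order of the masks that cover them, not in the order they were entered, and
TCP control flags are matched as (flags & bitmask) == (value & bitmask).

Added example, not the switch's own code. The helper names, the permit rule
paired with "deny 10.1.1.1 255.255.255.255", and permitting packets that
match no installed rule are assumptions made for illustration.
"""
from __future__ import annotations
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY = "0.0.0.0"             # bitmask meaning "do not check this address"
HOST = "255.255.255.255"    # bitmask meaning "exact host"
TCP = 6
SYN, ACK = 0x02, 0x10       # bits of the 6-bit TCP control-flags field


@dataclass(frozen=True)
class Rule:
    action: str                     # "permit" or "deny"
    src: str = ANY
    src_bits: str = ANY
    dst: str = ANY
    dst_bits: str = ANY
    protocol: Optional[int] = None  # None = any IP protocol
    flags: Optional[int] = None     # control-flags value (0-63)
    flags_bits: int = 0             # flag-bitmask


@dataclass(frozen=True)
class Mask:
    """Which rule shape this mask covers; masks are listed in precedence order."""
    src_bits: str = ANY
    dst_bits: str = ANY
    protocol: bool = False
    flags: bool = False


def _masked(addr: str, bits: str) -> int:
    return int(ipaddress.IPv4Address(addr)) & int(ipaddress.IPv4Address(bits))


def fits(rule: Rule, mask: Mask) -> bool:
    """A rule is installed under the mask whose checked fields match its own."""
    return (rule.src_bits == mask.src_bits and rule.dst_bits == mask.dst_bits
            and (rule.protocol is not None) == mask.protocol
            and (rule.flags is not None) == mask.flags)


def matches(pkt: dict, rule: Rule) -> bool:
    if _masked(pkt["src"], rule.src_bits) != _masked(rule.src, rule.src_bits):
        return False
    if _masked(pkt["dst"], rule.dst_bits) != _masked(rule.dst, rule.dst_bits):
        return False
    if rule.protocol is not None and pkt["protocol"] != rule.protocol:
        return False
    if rule.flags is not None and \
            (pkt.get("flags", 0) & rule.flags_bits) != (rule.flags & rule.flags_bits):
        return False
    return True


def evaluate(pkt: dict, rules: list[Rule], masks: list[Mask], default: str = "permit") -> str:
    """First matching rule wins. With masks, rules covered by the first mask are
    checked before rules covered by the second, and so on; rules no mask
    covers cannot be bound to a port and are skipped. With no masks the
    entry order is used, which is the behaviour the manual's example contrasts."""
    ordered = list(rules) if not masks else [r for m in masks for r in rules if fits(r, m)]
    for rule in ordered:
        if matches(pkt, rule):
            return rule.action
    return default


def demo() -> dict:
    """The manual's two examples: the host mask lifting a later deny rule above
    an earlier permit, and 'deny tcp any any control-flag 2 2' blocking SYNs."""
    rules = [Rule("permit", "10.1.1.0", "255.255.255.0"),   # entered first
             Rule("deny", "10.1.1.1", HOST)]                 # entered second
    pkt = {"src": "10.1.1.1", "dst": "192.168.1.10", "protocol": TCP, "flags": ACK}
    syn_rules = [Rule("deny", protocol=TCP, flags=SYN, flags_bits=SYN), Rule("permit")]
    syn_masks = [Mask(protocol=True, flags=True), Mask()]
    syn_pkt = {"src": "10.7.1.2", "dst": "10.0.0.1", "protocol": TCP, "flags": SYN}
    ack_pkt = dict(syn_pkt, flags=ACK)
    return {
        "entry_order": evaluate(pkt, rules, []),
        "host_mask_first": evaluate(pkt, rules, [Mask(src_bits=HOST), Mask(src_bits="255.255.255.0")]),
        "syn": evaluate(syn_pkt, syn_rules, syn_masks),
        "ack_only": evaluate(ack_pkt, syn_rules, syn_masks),
    }


if __name__ == "__main__":
    print(demo())
```

The practical check this suggests: after binding an ACL, read back show access-list and the mask-precedence output together, because the rule listing alone does not tell you which rule wins for a packet that several rules cover.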
  • Page 628: Show Access-List Ip Mask-Precedence

    show access-list ip mask-precedence: This command shows the ingress or egress rule masks for IP ACLs. Syntax: show access-list ip mask-precedence [in | out] • in – Ingress mask precedence for ingress ACLs. • out – Egress mask precedence for egress ACLs. Command Mode: Privileged Exec. Example...
  • Page 629: Show Ip Access-Group

    • If a port is already bound to an ACL and you bind it to a different ACL, the switch will replace the old binding with the new one. • You must configure a mask for an ACL rule before you can bind it to a port.
  • Page 630: Mac Acls

    MAC ACLs: The commands in this section configure ACLs based on hardware addresses, packet format, and Ethernet type. To configure MAC ACLs, first create an access list containing the required permit or deny rules, set a precedence mask to control the filter sequence, and then bind the access list to one or more ports. Commands: access-list mac...
  • Page 631: Access-List Mac

    access-list mac: This command adds a MAC access list and enters MAC ACL configuration mode. Use the no form to remove the specified ACL. Syntax: [no] access-list mac acl_name. acl_name – Name of the ACL. (Maximum length: 16 characters) Default Setting: None. Command Mode: Global Configuration...
  • Page 632: Permit, Deny (Mac Acl)

    permit, deny (MAC ACL): This command adds a rule to a MAC ACL. The rule filters packets matching a specified MAC source or destination address (i.e., physical layer address), or Ethernet protocol type. Use the no form to remove a rule. Syntax: [no] {permit | deny} {any | host source | source address-bitmask}...
  • Page 633: Related Commands

    • source – Source MAC address. • destination – Destination MAC address range with bitmask. • address-bitmask format). • vid – VLAN ID. (Range: 1-4093) • vid-bitmask • protocol – A specific Ethernet protocol number. (Range: 600-fff hex.) • protocol-bitmask Default Setting None Command Mode...
  • Page 634: Show Mac Access-List

    show mac access-list: This command displays the rules for configured MAC ACLs. Syntax: show mac access-list [acl_name]. acl_name – Name of the ACL. (Maximum length: 16 characters) Command Mode: Privileged Exec. Example:
      Console#show mac access-list
      MAC access-list jerry:
        permit any 00-e0-29-94-34-de ethertype 0800
      Console#
    Related Commands...
  • Page 635: Mask (Mac Acl)

    Command Usage • You must configure a mask for an ACL rule before you can bind it to a port or set the queue or frame priorities associated with the rule. • A mask can only be used by all ingress ACLs or all egress ACLs. •...
  • Page 636 • ethertype – Check the Ethernet type field. • ethertype-bitmask – Ethernet type of rule must match this bitmask. Default Setting: None. Command Mode: MAC Mask. Command Usage: • Up to seven masks can be assigned to an ingress or egress ACL. •...
  • Page 637 Example: This example shows how to create an ingress MAC ACL and bind it to a port. You can then see that the order of the rules has been changed by the mask.
      Console(config)#access-list mac M4
      Console(config-mac-acl)#permit any any
      Console(config-mac-acl)#deny tagged-eth2 00-11-11-11-11-11 ff-ff-ff-ff-ff-ff any vid 3
      Console(config-mac-acl)#end
      Console#show access-list...
  • Page 638: Show Access-List Mac Mask-Precedence

    This example creates an egress MAC ACL.
      Console(config)#access-list mac M5
      Console(config-mac-acl)#deny tagged-802.3 host 00-11-11-11-11-11 any
      Console(config-mac-acl)#deny tagged-eth2 00-11-11-11-11-11 ff-ff-ff-ff-ff-ff any vid 3 ethertype 0806
      Console(config-mac-acl)#end
      Console#show access-list
      MAC access-list M5:
        deny tagged-802.3 host 00-11-11-11-11-11 any
        deny tagged-eth2 host 00-11-11-11-11-11 any vid 3 ethertype 0806
      Console(config)#access-list mac mask-precedence out
      Console(config-mac-mask-acl)#mask pktformat ff-ff-ff-ff-ff-ff any
      Console(config-mac-mask-acl)#exit...
  • Page 639: Mac Access-Group

    • If a port is already bound to an ACL and you bind it to a different ACL, the switch will replace the old binding with the new one. • You must configure a mask for an ACL rule before you can bind it to a port.
  • Page 640: Acl Information

    show mac access-group: This command shows the ports assigned to MAC ACLs. Command Mode: Privileged Exec. Example:
      Console#show mac access-group
      Interface ethernet 1/5
       MAC access-list M5 in
      Console#
    Related Commands: mac access-group (24-25). ACL Information: This section describes commands used to display ACL information. Commands: show access-list, show access-group...
  • Page 641: Show Access-Group

    Example:
      Console#show access-list
      IP standard access-list david:
        permit host 10.1.1.21
        permit 168.92.0.0 255.255.15.0
      IP extended access-list bob:
        permit 10.7.1.1 255.255.255.0 any
        permit 192.168.1.0 255.255.255.0 any destination-port 80 80
        permit 192.168.1.0 255.255.255.0 any protocol tcp control-code 2 2
      MAC access-list jerry:
        permit any host 00-30-29-94-34-de ethertype 800 800
      IP extended access-list A6:
        deny tcp any any control-flag 2 2...
  • Page 643: Interface Commands

    Interface Commands: These commands are used to display or set communication parameters for an Ethernet port, aggregated link, or VLAN. Table 25-1 Interface Commands: interface; description; speed-duplex; negotiation; capabilities; flowcontrol; media-type; switchport mdix; shutdown; switchport packet-rate – Configures broadcast and multicast...; clear counters; show interfaces status – Displays status for the specified...
  • Page 644: Interface

    Table 25-1 Interface Commands (Continued): show interfaces counters; show interfaces switchport. interface: This command configures an interface type and enters interface configuration mode. Use the no form to remove a trunk. Syntax: interface interface / no interface port-channel channel-id •...
  • Page 645: Description

    description This command adds a description to an interface. Use the no form to remove the description. Syntax description string no description string - Comment or a description to help you remember what is attached to this interface. (Range: 1-64 characters) Default Setting None Command Mode...
  • Page 646 Default Setting: • Auto-negotiation is permanently disabled on Ports 1-16, and enabled by default on Ports 17-19. • When auto-negotiation is disabled, the default speed-duplex setting is: - Fast Ethernet ports – 100full (100 Mbps full-duplex) - Gigabit Ethernet ports – 1000full (1 Gbps full-duplex). Command Mode: Interface Configuration (Ethernet, Port Channel). Command Usage...
  • Page 647: Negotiation

    1000BASE-T port or trunk. • When auto-negotiation is enabled, the switch negotiates the best settings for a link based on the capabilities command. When auto-negotiation is disabled, you must manually specify the link attributes with the speed-duplex and flowcontrol commands.
  • Page 648: Capabilities

    Auto-negotiation should always be used to establish a connection over any 1000BASE-T port or trunk. • When auto-negotiation is enabled with the negotiation command, the switch will negotiate the best settings for a link based on the capabilities command. When auto-negotiation is disabled, you must...
  • Page 649: Flowcontrol

    1000BASE-T port or trunk. • Flow control can eliminate frame loss by “blocking” traffic from end stations or segments connected directly to the switch when its buffers fill. When enabled, back pressure is used for half-duplex operation and IEEE 802.3-2002 (formerly IEEE 802.3x) PAUSE frames for full-duplex operation.
  • Page 650: Media-Type

    • To force flow control on or off (with the flowcontrol or no flowcontrol command), use the no negotiation command to disable auto-negotiation on the selected interface. • When using the negotiation command to enable auto-negotiation, the optimal settings will be determined by the capabilities command. To enable flow control under auto-negotiation, “flowcontrol”...
  • Page 651: Switchport Mdix

    SFP port has a valid link. Default Setting: sfp-preferred-auto. Command Mode: Interface Configuration (Ethernet - Ports 17-18). Example: This forces the switch to use the built-in RJ-45 port for combination port 18.
      Console(config)#interface ethernet 1/18
      Console(config-if)#media-type copper-forced
      Console(config-if)#
    switchport mdix: This command sets the pinout configuration to automatic detection or a fixed mode for MDI/MDI-X signaling on the Gigabit Ethernet uplink ports.
  • Page 652: Shutdown

    Command Mode: Interface Configuration (Ethernet - Ports 17-18). Command Usage: Auto-negotiation must be enabled to use the “auto” option for this command. It must be disabled to force the pinout setting to one of the fixed modes of “normal” (MDI) or “crossover” (MDI-X). One side of a link must be configured with MDI pinouts and the other side with MDI-X pinouts to ensure that signals sent from the transmit pins on one side of the link are received on the receive pins by the link...
  • Page 653: Switchport Packet-Rate

    Example: The following example disables port 5.
      Console(config)#interface ethernet 1/5
      Console(config-if)#shutdown
      Console(config-if)#
    switchport packet-rate: This command configures broadcast, multicast and unknown unicast storm control. Use the no form to restore the default setting. Syntax: switchport {broadcast | multicast | unknown-unicast} packet-rate rate / no switchport {broadcast | multicast | unknown-unicast} •...
  • Page 654: Clear Counters

    Example: The following shows how to configure broadcast storm control at 600 packets per second:
      Console(config)#interface ethernet 1/5
      Console(config-if)#switchport broadcast packet-rate 600
      Console(config-if)#
    clear counters: This command clears statistics on an interface. Syntax: clear counters interface. interface • ethernet unit/port - unit - Stack unit.
  • Page 655: Show Interfaces Status

    show interfaces status This command displays the status for an interface. Syntax show interfaces status [interface] interface • ethernet unit/port - unit - Stack unit. (Range: 1) - port - Port number. (Range: 1-19) • port-channel channel-id (Range: 1-12) • vlan vlan-id (Range: 1-4093) Default Setting Shows the status for all interfaces.
  • Page 656: Show Interfaces Counters

    Example:
      Console#show interfaces status ethernet 1/5
      Information of Eth 1/5
       Basic information:
        Port type:
        Mac address:
       Configuration:
        Name:
        Port admin:
        Speed-duplex:
        Capabilities: 1000full
        Broadcast storm:
        Broadcast storm limit:
        Flow control:
        LACP:
        Port security:
        Max MAC count:
        Port security action:
        Media type:
       Current status:
        Link status:...
  • Page 657 Command Mode: Normal Exec, Privileged Exec. Command Usage: If no interface is specified, information on all interfaces is displayed. For a description of the items displayed by this command, see “Showing Port Statistics” on page 9-29. Example:
      Console#show interfaces counters ethernet 1/17
      Ethernet 1/17
       Iftable Stats:
        Octets Input: 30658, Octets Output: 196550...
  • Page 658: Show Interfaces Switchport

    show interfaces switchport: This command displays the administrative and operational status of the specified interfaces. Syntax: show interfaces switchport [interface]. interface • ethernet unit/port - unit - Stack unit. (Range: 1) - port - Port number. (Range: 1-19) •...
  • Page 659: Table 25-2 Show Interfaces Switchport - Display Description

    Table 25-2 show interfaces switchport - display description Field Description Broadcast threshold Shows if broadcast storm suppression is enabled or disabled; if enabled it also shows the threshold level (page 25-11). LACP status Shows if Link Aggregation Control Protocol has been enabled or disabled (page 26-4).
  • Page 661 For static trunks, the switches have to comply with the Cisco EtherChannel standard. For dynamic trunks, the switches have to comply with LACP. This switch supports up to 12 trunks. For example, a trunk consisting of two 1000 Mbps ports can support an aggregate bandwidth of 4 Gbps when operating at full duplex (2 Gbps in each direction).
  • Page 662: Guidelines For Creating Trunks

    Table 26-1 Link Aggregation Commands (Continued): lacp admin-key; lacp port-priority. Trunk Status Display Commands: show interfaces status port-channel; show lacp. Guidelines for Creating Trunks. General Guidelines – • Finish configuring port trunks before you connect the corresponding network cables between switches to avoid creating a loop. •...
  • Page 663: Channel-Group

    • When configuring static trunks, the switches must comply with the Cisco EtherChannel standard. • Use no channel-group to remove a port group from a trunk. • Use no interfaces port-channel to remove a trunk from the switch.
  • Page 664: Lacp

    • A trunk formed with another switch using LACP will automatically be assigned the next available port-channel ID. • If the target switch has also enabled LACP on the connected ports, the trunk will be activated automatically. • If more than eight ports attached to the same target switch have LACP enabled, the additional ports will be placed in standby mode, and will only be enabled if one of the active links fails.
  • Page 665 Example: The following shows LACP enabled on ports 10-12. Because LACP has also been enabled on the ports at the other end of the links, the show interfaces status port-channel 1 command shows that Trunk1 has been established.
      Console(config)#interface ethernet 1/10
      Console(config-if)#lacp
      Console(config-if)#exit
      Console(config)#interface ethernet 1/11...
  • Page 666: Lacp System-Priority

• Ports must be configured with the same system priority to join the same LAG.
• The system priority is combined with the switch's MAC address to form the LAG identifier. This identifier is used to indicate a specific LAG during LACP negotiations with other systems.
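The two bullets above describe the LACP System Identifier (system priority plus switch MAC) and, on the previous page, the rule that ports beyond eight on one partner go to standby. The following Python is an added example, not code from the manual or from SMC: it builds the 8-byte identifier, decides which side's port priorities govern selection (the numerically lower System ID wins, per IEEE 802.1AX), and splits a candidate port list into active and standby members. The two MAC addresses are the ones visible in the manual's show lacp sysid output and are used here only as constructed sample input; the port-priority-then-port-number tie-break is taken from 802.1AX, not from this switch's documentation.

```python
"""LACP System Identifier and aggregator-selection model (added example)."""
from dataclasses import dataclass
from typing import List, Sequence, Tuple

DEFAULT_PRIORITY = 32768  # value the manual shows in 'show lacp sysid'
MAX_ACTIVE_LINKS = 8      # manual: ports beyond eight go to standby


def mac_to_bytes(mac: str) -> bytes:
    """Parse a MAC written as 00-30-F1-8F-2C-A7 or 00:30:f1:8f:2c:a7 into 6 bytes."""
    octets = mac.replace(":", "-").split("-")
    if len(octets) != 6:
        raise ValueError(f"malformed MAC address: {mac!r}")
    return bytes(int(o, 16) for o in octets)


def system_id(priority: int, mac: str) -> bytes:
    """8-byte LACP System Identifier: 16-bit system priority followed by the
    48-bit MAC, priority in the most significant position (IEEE 802.1AX)."""
    if not 0 <= priority <= 0xFFFF:
        raise ValueError("system priority must fit in 16 bits")
    return priority.to_bytes(2, "big") + mac_to_bytes(mac)


def controlling_side(local: Tuple[int, str], partner: Tuple[int, str]) -> str:
    """Return which system's port priorities decide active/standby selection:
    the numerically lower System ID has the higher LACP priority."""
    local_id, partner_id = system_id(*local), system_id(*partner)
    if local_id == partner_id:
        raise ValueError("both sides report the same System ID: misconfiguration or a loop")
    return "local" if local_id < partner_id else "partner"


@dataclass(frozen=True)
class LacpPort:
    name: str            # e.g. "Eth 1/10"
    number: int          # port number, used as the final tie-breaker
    system_priority: int
    admin_key: int
    port_priority: int = DEFAULT_PRIORITY


def select_lag_members(ports: Sequence[LacpPort]) -> Tuple[List[str], List[str]]:
    """Split ports into (active, standby) lists for one LAG. Raises if the ports
    cannot share a LAG: the same system priority and admin key are required."""
    if not ports:
        return [], []
    priorities = {p.system_priority for p in ports}
    keys = {p.admin_key for p in ports}
    if len(priorities) != 1:
        raise ValueError(f"ports carry different system priorities: {sorted(priorities)}")
    if len(keys) != 1:
        raise ValueError(f"ports carry different admin keys: {sorted(keys)}")
    # Lower port priority is preferred; port number breaks ties (802.1AX assumption).
    ordered = sorted(ports, key=lambda p: (p.port_priority, p.number))
    active = [p.name for p in ordered[:MAX_ACTIVE_LINKS]]
    standby = [p.name for p in ordered[MAX_ACTIVE_LINKS:]]
    return active, standby


if __name__ == "__main__":
    # Constructed sample: the two System MAC addresses visible in the manual's output.
    print(controlling_side((DEFAULT_PRIORITY, "00-30-F1-8F-2C-A7"),
                           (DEFAULT_PRIORITY, "00-30-F1-D4-73-A0")))
    ports = [LacpPort(f"Eth 1/{n}", n, DEFAULT_PRIORITY, 1) for n in range(1, 11)]
    print(select_lag_members(ports))
```

The mismatch checks are the part worth keeping in mind operationally: a port with a different system priority or admin key silently fails to join the LAG on real hardware, and this model raises instead so the cause is visible.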
  • Page 667: Lacp Admin-Key (Ethernet Interface)

lacp admin-key (Ethernet Interface)
This command configures a port's LACP administration key. Use the no form to restore the default setting.
Syntax
lacp {actor | partner} admin-key key
no lacp {actor | partner} admin-key
• actor - The local side of an aggregate link.
•...
  • Page 668: Lacp Admin-Key (Port Channel)

Syntax
lacp admin-key key
no lacp admin-key
key - The port channel admin key is used to identify a specific link aggregation group (LAG) during local LACP setup on this switch. (Range: 0-65535)
Default Setting
Command Mode
Interface Configuration (Port Channel)
Command Usage
•...
  • Page 669: Lacp Port-Priority

lacp port-priority
This command configures LACP port priority. Use the no form to restore the default setting.
Syntax
lacp {actor | partner} port-priority priority
no lacp {actor | partner} port-priority
• actor - The local side of an aggregate link.
• partner - The remote side of an aggregate link.
•...
  • Page 670: Show Lacp

show lacp
This command displays LACP information.
Syntax
show lacp [port-channel] {counters | internal | neighbors | sys-id}
• port-channel - Local identifier for a link aggregation group. (Range: 1-12)
• counters - Statistics for LACP protocol messages.
• internal - Configuration settings and operational state for local side.
  • Page 671: Table 26-2 Show Lacp Counters - Display Description

Table 26-2 show lacp counters - display description
LACPDUs Sent: Number of valid LACPDUs transmitted from this channel group.
LACPDUs Received: Number of valid LACPDUs received on this channel group.
Marker Sent: Number of valid Marker PDUs transmitted from this channel group.
  • Page 672 Table 26-3 show lacp internal - display description (Continued)
LACPDUs Internal: Number of seconds before invalidating received LACPDU information.
LACP System Priority: LACP system priority assigned to this port channel.
LACP Port Priority: LACP port priority assigned to this interface within the channel group.
Admin State, Oper State:
  • Page 673: Table 26-4 Show Lacp Neighbors - Display Description

Console#show lacp 1 neighbors
Port channel 1 neighbors
-------------------------------------------------------------------
Eth 1/1
-------------------------------------------------------------------
Partner Admin System ID:
Partner Oper System ID:
Partner Admin Port Number: 2
Partner Oper Port Number:
Port Admin Priority:
Port Oper Priority:
Admin Key:
Oper Key:
Admin State:
Oper State:
Table 26-4 show lacp neighbors - display description
Field...
  • Page 674: Table 26-5 Show Lacp Sysid - Display Description

Table 26-5 show lacp sysid - display description
Channel Group: A link aggregation group configured on this switch.
System Priority: LACP system priority for this channel group.
System MAC Address: System MAC address.
In the example output every channel group reports system priority 32768, with system MAC addresses 00-30-F1-8F-2C-A7 and 00-30-F1-D4-73-A0...
  • Page 675: Mirror Port Commands

This section describes how to mirror traffic from a source port to a target port.
Command: port monitor
Command: show port monitor - Shows the configuration for a mirror port
port monitor
This command configures a mirror session. Use the no form to clear a mirror session.
  • Page 676: Show Port Monitor

However, you should avoid sending too much traffic to the destination port from multiple source ports.
Example
The following example configures the switch to mirror all packets from port 6 to 11:
Console(config)#interface ethernet 1/11
Console(config-if)#port monitor ethernet 1/6 both...
  • Page 677 Command Usage
This command displays the currently configured source port, destination port, and mirror mode (i.e., RX, TX, RX/TX).
Example
The following shows mirroring configured from port 6 to port 11:
Console(config)#interface ethernet 1/11
Console(config-if)#port monitor ethernet 1/6
Console(config-if)#end
Console#show port monitor
Port Mirroring
-------------------------------------
Destination port(listen port):Eth1/1...
  • Page 679: Rate Limit Commands

    This function allows the network manager to control the maximum rate for traffic transmitted or received on an interface. Rate limiting is configured on interfaces at the edge of a network to limit traffic into or out of the network. Traffic that falls within the rate limit is transmitted, while packets that exceed the acceptable amount of traffic are dropped.
  • Page 680: Rate-Limit

rate-limit
This command defines the rate limit for a specific interface. Use this command without specifying a rate to restore the default rate. Use the no form to restore the default status of disabled.
Syntax
rate-limit {input | output | vlan vlan-id} [rate]
no rate-limit {input | output | vlan [vlan-id]}
•...
  • Page 681: Rate-Limit Trap-Input

rate-limit trap-input
This command sets an SNMP trap if traffic exceeds the configured rate limit. Use the no form to restore the default setting.
Syntax
rate-limit snmp-trap-input [up upper-discard-boundary down lower-discard-boundary]
no snmp-rate-limit trap-input
• upper-discard-boundary – The packet discard rate (per 10 second interval) above which the system sends a trap-input notification.
  • Page 682: Show Rate-Limit Vlan

• For further information on the type of notification messages that can be sent by the system, refer to the information about trap and inform messages described under the snmp-server host command on page 21-6.
Example
This example sets an upper discard boundary of 500 packets / 10 seconds, and a lower discard boundary of 10 packets / 10 seconds.
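The manual defines only what the upper discard boundary does (a trap-input notification when the per-10-second discard count exceeds it). The Python below is an added example, not the switch's own logic: it models the two boundaries as a hysteresis pair, where the trap fires once on crossing the upper boundary and is not re-armed until an interval drops below the lower boundary, and contrasts that with a single-threshold comparison on the same constructed sample. The re-arm rule is an assumption introduced here to show why a second, lower boundary matters when discards hover around the limit.

```python
"""Two-boundary (hysteresis) discard-rate trap, modelled after rate-limit trap-input (added example)."""
from typing import List, Sequence

INTERVAL_SECONDS = 10  # the manual counts discards per 10-second interval


class DiscardTrapMonitor:
    """Send one trap-input notification when discards in an interval exceed `upper`,
    then stay silent until an interval falls below `lower` (re-arm). The re-arm rule
    is an assumption; the manual only defines the upper boundary."""

    def __init__(self, upper: int, lower: int) -> None:
        if lower < 0 or upper < 0 or lower > upper:
            raise ValueError("need 0 <= lower <= upper")
        self.upper = upper
        self.lower = lower
        self.armed = True

    def observe(self, discards: int) -> bool:
        """Feed one interval's discard count; return True if a trap is sent for it."""
        if self.armed and discards > self.upper:
            self.armed = False
            return True
        if not self.armed and discards < self.lower:
            self.armed = True
        return False


def trap_intervals(samples: Sequence[int], upper: int = 500, lower: int = 10) -> List[int]:
    """Indexes of 10-second intervals that raise a trap under the two-boundary rule."""
    mon = DiscardTrapMonitor(upper, lower)
    return [i for i, d in enumerate(samples) if mon.observe(d)]


def naive_trap_intervals(samples: Sequence[int], upper: int = 500) -> List[int]:
    """Single-threshold comparison: a trap for every interval above `upper`."""
    return [i for i, d in enumerate(samples) if d > upper]


if __name__ == "__main__":
    # Constructed sample: discards per 10 s on an edge port during a burst that
    # hovers around the limit, subsides, then returns.
    burst = [0, 600, 700, 450, 20, 5, 900]
    print("two-boundary:", trap_intervals(burst))
    print("single threshold:", naive_trap_intervals(burst))
```

With the manual's values (500 up, 10 down) the single-threshold rule traps on three of the seven sample intervals while the two-boundary rule traps twice, once per burst; that is the difference to look for when tuning these boundaries against SNMP trap volume.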
  • Page 683: Table 29-1 Vdsl Commands

    Alarm thresholds can be defined in a profile and then applied globally to the switch or to selected ports. The switch also provides an extensive listing of VDSL statistics.
  • Page 684: Vdsl Commands

Long-Reach Ethernet Commands
This section describes how to configure communication parameters for VDSL ports, such as:
• specifying data band usage plans,
• setting notches within the frequency bands to avoid interference with ham radio signals,
• setting a mask for power spectral density to meet regional or local limitations for transmitting signals on phone lines,
• setting an acceptable target for the signal-to-noise ratio, and
• enabling automatic rate adaptation.
  • Page 685: Long-Reach Ethernet Commands

Table 29-2 Long-Reach Ethernet Commands (Continued)
lre max-power: Sets the maximum aggregate downstream or upstream power
lre min-protection: Configures the minimum level of impulse noise protection for all bearer channels
lre channel: Sets the channel mode to fast or interleaved
lre interleave-max-delay: Sets the maximum interleave delay...
  • Page 686: Lre Band-Plan

    • This switch is specifically designed to support Band Plan 5 – G.993.2, Annex C for Japan. Careful testing should be carried out before using any other band plans. The following table lists the predefined band plans.
  • Page 687: Table 29-3 Vdsl2 Band Plans

Table 29-3 VDSL2 Band Plans (designators; index column lost in extraction)
998-138-8500 Long Reach
998-138-12000 High Data Rate
998-640-30000 100/100
997-138-8500
Flex-138-4400
998-138-4400
997-138-4400
998-138-4400-optBand
997-138-4400-optBand
998-138-12000 4K Tones
997-138-12000 4K Tones
998-138-17000 4K Tones
Example
This example sets the band plan to 998-640-30000.
Console(config)#interface ethernet 1/1
Console(config-if)#lre band-plan 5
Console(config-if)#
  • Page 688: Lre Option-Band

lre option-band
This command sets the frequencies to be used for the optional Upstream Band 0 (US0). Use the no form to restore the default status.
Syntax
lre option-band value
no lre option-band
value – Index of predefined frequency bounds for US0. Note that each option includes a range for the low and high end frequencies.
  • Page 689: Lre Ham-Band

lre ham-band
This command sets the amateur (ham) radio band that will be blocked to VDSL signals based on defined frequencies. Use the no form to restore the default status.
Syntax
lre ham-band value
no lre ham-band
value – HAM band mask. (See Table 29-4, “HAM Band Notches,”...
  • Page 690 Table 29-4 HAM Band Notches (Continued)
RFI-BAND04: 3.500 - 3.575 MHz
RFI-BAND05: 3.500 - 3.800 MHz
RFI-BAND06: 3.500 - 4.000 MHz
RFI-BAND07: 3.747 - 3.754 MHz
RFI-BAND08: 3.791 - 3.805 MHz...
RFI-BAND09 through RFI-BAND21 (frequencies truncated)
RESET-ALL-OFF: null frequency mask
  • Page 691: Lre Region-Ham-Band

Example
This example sets a HAM band notch in the transmitted power spectrum in the 10.000 - 10.150 MHz transmission band (also called the 30 meter band).
Console(config)#interface ethernet 1/1
Console(config-if)#lre ham-band 11
Console(config-if)#
Related Commands
show lre ham-band (29-64)
lre region-ham-band (29-9)
lre region-ham-band
This command sets the ham radio band that will be blocked to VDSL...
  • Page 692: Table 29-5 Ham Band Notches For Usage Types

• Using a HAM band mask prevents interference with other systems (e.g., amateur radio) that use narrow band transmission in the VDSL frequency band. The selected frequency range will not be used to transmit data on the VDSL line. You may need to specify a mask if required by local regulations or if specific incidents of interference are reported within a service area.
  • Page 693 Table 29-5 HAM Band Notches for Usage Types (Continued)
RFI-BAND18: 10.005 - 10.100 MHz, Aeronautical
RFI-BAND19: 10.100 - 10.150 MHz, Amateur Radio
RFI-BAND20: 11.175 - 11.400 MHz, Aeronautical
RFI-BAND21: 11.600 - 12.100 MHz, DRM Radio
RFI-BAND22: 12.570 - 12.585 MHz, GMDSS
RFI-BAND23: 13.200 - 13.360 MHz, Aeronautical
RFI-BAND24: 13.570 - 13.870 MHz, DRM Radio
RFI-BAND25: 14.000 - 14.350 MHz, Amateur Radio...
  • Page 694: Lre Psd-Breakpoints

Example
This example sets a HAM band notch in the transmitted power spectrum to avoid interference with CB radios.
Console(config)#interface ethernet 1/1
Console(config-if)#lre region-ham-band 34
Console(config-if)#
Related Commands
show lre region-ham-band (29-65)
lre ham-band (29-7)
lre psd-breakpoints
This command sets the number of frequency breakpoints in the PSD mask.
  • Page 695: Lre Psd-Frequencies

    PSD Mask required for compliance with local regulations, or set mask limits for upstream power backoff. The methods used to calculate these various PSD masks, and local regulations governing the power spectrum used on VDSL lines are all described in ITU-T G.993.2. •...
  • Page 696: Global Configuration

Command Mode
Global Configuration
Interface Configuration (VDSL Port)
Command Usage
• Enter this command in global configuration mode to configure frequency breakpoints for all VDSL ports, or in interface mode to configure them for a specific VDSL port.
•...
  • Page 697: Lre Psd-Value

lre psd-value
This command defines a power level for each of the PSD breakpoints. Use the no form to restore the default setting.
Syntax
lre psd-value breakpoint psd-value
no lre psd-value breakpoint
• breakpoint – Frequency breakpoint within the power spectral density (PSD) as defined by the lre psd-breakpoints command (page 29-12).
  • Page 698: Lre Psd-Mask-Level

    • Enter this command in global configuration mode to set a predefined PSD mask for all VDSL ports, or in interface mode to set a mask for a specific VDSL port. Note that this switch is specifically designed to meet the requirements for G.993.2, Annex C for Japan. We do not therefore recommend changing the mask without careful testing.
  • Page 699: Table 29-6 Psd Mask Options

• The following table lists the predefined PSD masks.
Table 29-6 PSD Mask Options (designators; index column lost in extraction)
Default PSD
ANSI M1_CAB
ANSI M2_CAB
ETSI M1_CAB
ETSI M2_CAB
ANNEX F
ANSI M1_EX
ANSI M2_EX
ETSI M1_EX
ETSI M2_EX
Reserved
PSD K
PSD_CHINA
ETSI_M1_EX_P1
ETSI_M2_EX_P1
Example...
  • Page 700: Lre Pbo-Config

lre pbo-config
This command sets a mask to reduce the power spectral density (PSD) of transmitted signals at specified frequency breakpoints for upstream power backoff. Use the no form to restore the default status.
Syntax
lre pbo-config K1[0] Rx_PSD1 K1[1] Rx_PSD2 K1[2] Rx_PSD3 K1[3] Rx_PSD4 K1[4] Rx_PSD5 K1[5] Rx_PSD6 K2[0] Tx_PSD1 K2[1] Tx_PSD2 K2[2] Tx_PSD3...
  • Page 701: Lre Upbo

• The transceiver will adjust its transmitted signal to conform to the power limitations set by the lre pbo-config command.
• If upstream power backoff is enabled with the lre upbo command (page 29-19), the transceiver will automatically reduce the PSD at each frequency breakpoint set by the lre psd-breakpoints (page 29-12) and lre psd-frequencies (page 29-13) commands.
  • Page 702: Command Usage

    VDSL port. • Upstream power backoff (UPBO) should be configured when there are VDSL connections of different lengths attached to this switch. UPBO is required to improve the spectral compatibility on lines of different lengths by reducing the transmitted power on shorter lines.
  • Page 703: Lre Tone

lre tone
This command disables VDSL signals at frequencies less than or equal to 640 kHz, 1.1 MHz or 2.2 MHz. Use the no form to restore the default setting.
Syntax
lre tone {tx | rx} value
no lre tone {tx | rx}
•...
  • Page 704: Lre Max-Power

Example
The following disables all tones below 640 kHz on the upstream band plan.
Console(config)#
Console(config)#lre tone tx 2
Console(config)#
Related Commands
show lre tone (29-71)
lre max-power
This command sets the maximum aggregate downstream or upstream power.
  • Page 705: Lre Min-Protection

Example
The following sets the maximum downstream power on port 1 to 14.5 dBm.
Console(config)#interface ethernet 1/1
Console(config-if)#lre max-power down 58
Console(config-if)#
lre min-protection
This command configures the minimum level of impulse noise protection for all bearer channels. Use the no form to restore the default setting.
Syntax
lre min-protection {down | up} value
no lre min-protection {down | up}...
  • Page 706: Lre Channel

• Note that this parameter only applies to interleaved channels. Refer to ITU-T G.993.2 for a full description of the methods used to calculate the minimum level of impulse noise protection.
Example
Console(config)#interface ethernet 1/1
Console(config-if)#lre min-protection down 5
Console(config-if)#
lre channel
This command sets the channel mode to fast or interleaved.
  • Page 707: Lre Interleave-Max-Delay

Related Commands
lre interleave-max-delay (29-25)
lre interleave-max-delay
This command sets the maximum interleave delay. Use the no form to restore the default status.
Syntax
lre interleave-max-delay {down | up} value
no lre interleave-max-delay {down | up}
• down – Downstream bands.
•...
  • Page 708: Lre Datarate

Related Commands
lre channel (29-24)
show lre interleave-max-delay (29-72)
lre datarate
This command specifies the minimum and maximum data rate for downstream and upstream fast or slow (interleaved) channels. Use the no form to restore the default setting.
Syntax
lre datarate {down | up} {slow | fast} {max | min} value
no lre datarate {down | up} {slow | fast} {max | min}...
  • Page 709: Lre Rate-Set

Example
The following sets the minimum and maximum data rates for the downstream fast channel on port 1.
Console(config)#interface ethernet 1/1
Console(config-if)#lre datarate down fast max 190000
Console(config-if)#lre datarate down fast min 640
Console(config-if)#
Related Commands
show lre rate-adaption (29-75)
show lre datarate (29-73)
lre rate-set (29-27)
lre rate-set...
  • Page 710: Lre Noise-Mgn Target

Related Commands
lre datarate (29-26)
lre noise-mgn target
This command configures the targeted signal-to-noise margin that VDSL ports must achieve to successfully complete initialization. Use the no form to restore the default setting.
Syntax
lre noise-mgn target {down | up} value
no lre noise-mgn target {down | up}
•...
  • Page 711: Lre Noise-Mgn Min

    • When rate adaptation is enabled (see Command Usage, page 29-32), the signal-to-noise ratio (SNR) is an indicator of link quality. The switch itself has no internal functions to ensure link quality. To ensure a stable link, you should add a margin to the theoretical minimum signal-to-noise ratio (SNR).
  • Page 712: Lre Shutdown

CPE. Use the no form to re-enable a port.
Syntax
lre reset {local | remote}
• local – VDSL2 chip at specified switch port.
• remote – VDSL2 chip at CPE connected to specified switch port.
  • Page 713: Lre Auto-Retraining

Console(config-if)#lre reset remote
Console(config-if)#lre reset local
Console(config-if)#
lre auto-retraining
This command initiates automatic retraining to find the optimal transmission rate when the switch re-establishes the link to a port. Use the no form to disable this feature.
Syntax
[no] lre auto-retraining
Default...
  • Page 714: Lre Retraining

Related Commands
lre datarate (29-26)
lre retraining
This command manually initiates the rate adaptation method to find the optimal transmission rate based on existing line conditions. Use the no form to disable this feature.
Default
Disabled
Command Mode
Interface Configuration (VDSL Port)
Command Usage
•...
  • Page 715: Lre Rate-Adaption

    • The data rate on a VDSL line can be affected by factors such as temperature, humidity, and electro-magnetic radiation. When rate adaptation is enabled and the port links up, the switch will determine the optimal transmission rate for the current conditions, setting the rate within the bounds defined by the lre datarate command (page 29-26).
  • Page 716: Lre Apply

    This command applies all global VDSL settings to each VDSL port on the switch or to a specified port, overwriting any previous settings configured for specific interfaces. Use the no form to restore the default setting. Command Mode...
  • Page 717: Table 29-7 Line Profile Commands

Line Profile Commands
This section describes how to configure a list of communication parameters such as data rates and acceptable noise margins which can be applied to all VDSL ports or to a selected group of ports.
Commands: line-profile, lre line-profile, band-plan, option-band, ham-band...
  • Page 718: Line-Profile

Commands (continued): down-fast-max-datarate, down-fast-min-datarate, up-fast-max-datarate, up-fast-min-datarate, down-slow-max-datarate, down-slow-min-datarate, up-slow-max-datarate, up-slow-min-datarate, down-target-noise-mgn, up-target-noise-mgn, down-min-noise-mgn, up-min-noise-mgn (all entered in VDSL Line Profile configuration mode).
line-profile
This command enters VDSL Line Profile configuration mode.
Syntax
line-profile profile-name
profile-name – Name of the profile. (Range: 1-31 alphanumeric characters)
Command Mode
Global Configuration...
  • Page 719: Lre Line-Profile

• First create a profile of VDSL configuration settings using the other commands described in this section, then enter Global Configuration mode to apply the profile to all VDSL ports on the switch using the lre line-profile command. Or use the interface command to select a specific port, and then use the lre line-profile command to apply the settings to that interface.
  • Page 720: Band-Plan

Example
The following applies the line profile named southport to all VDSL ports.
Console(config)#lre line-profile southport
Console(config)#
band-plan
This command sets the frequency bands used for VDSL signals based on a set of predefined plans. Use the no form to restore the default status.
Syntax
band-plan value
no band-plan...
  • Page 721: Option-Band

option-band
This command sets the frequencies to be used for optional Upstream Band 0 (US0). Use the no form to restore the default status.
Syntax
option-band value
no option-band
value – Index of predefined frequency bounds for US0. Options:
0 - No optional band
1 - ITU-T G993.2, Annex A, 6-32, 26-138 kHz
2 - ITU-T G993.2, Annex B, 32-64, 138-276 kHz
3 - ITU-T G993.2, Annex B, 6-64, 26-276 kHz...
  • Page 722: Ham-Band

ham-band
This command sets the amateur (ham) radio band that will be blocked to VDSL signals based on defined frequencies. Use the no form to restore the default status.
Syntax
ham-band value
no ham-band
value – HAM band mask. (See Table 29-4, “HAM Band Notches,”...
  • Page 723: Region-Ham-Band

    region-ham-band This command sets the ham radio band that will be blocked to VDSL signals based on defined usage types. Use the no form to restore the default status. Syntax region-ham-band value no region-ham-band value – HAM band mask for designated usage type. (See Table 29-5, “HAM Band Notches for Usage Types,”...
  • Page 724: Tone

tone
This command disables VDSL signals at frequencies less than or equal to 640 kHz, 1.1 MHz or 2.2 MHz. Use the no form to restore the default setting.
Syntax
tone {tx | rx} value
no tone {tx | rx}
•...
  • Page 725: Max-Power

Example
The following disables all tones below 640 kHz on the upstream band plan.
Console(config-line-profile)#tone tx 2
Console(config-line-profile)#
Related Commands
lre tone (29-21)
max-power
This command sets the maximum aggregate downstream or upstream power. Use the no form to restore the default setting.
Syntax
max-power {down | up} value
no max-power {down | up}...
  • Page 726: Min-Protection

min-protection
This command configures the minimum level of impulse noise protection for all bearer channels. Use the no form to restore the default setting.
Syntax
min-protection {down | up} value
no min-protection {down | up}
• down – Downstream bands.
•...
  • Page 727: Channel

Related Commands
lre min-protection (29-23)
channel
This command sets the channel mode to fast or interleaved. Use the no form to restore the default status.
Syntax
channel mode
no channel
mode – Channel mode (Options: fast, interleave)
Default Setting
interleaved
Command Mode
VDSL Line Profile
Command Usage...
  • Page 728: Down/Up-Max-Inter-Delay

down/up-max-inter-delay
These commands set the maximum interleave delay on a downstream/upstream channel. Use the no form to restore the default settings to the profile.
Syntax
{down|up}-max-inter-delay value
no {down|up}-max-inter-delay
• down – Downstream bands.
• up – Upstream bands.
•...
  • Page 729: Down/Up-Fast/Slow-Max/Min-Datarate

Related Commands
lre interleave-max-delay (29-25)
down/up-fast/slow-max/min-datarate
These commands set the maximum/minimum data rate on a fast/slow downstream/upstream channel. Use the no form to restore the default settings to the profile.
Syntax
{down|up}-{fast|slow}-{max|min}-datarate value
no {down|up}-{fast|slow}-{max|min}-datarate
• down – Downstream bands.
•...
  • Page 730: Down/Up-Target-Noise-Mgn

Example
The following sets the minimum and maximum data rates for the downstream fast channel in the line profile (the profile is later applied to ports with lre line-profile).
Console(config-line-profile)#down-fast-max-datarate 190000
Console(config-line-profile)#down-fast-min-datarate 640
Console(config-line-profile)#
Related Commands
lre datarate (29-26)
down/up-target-noise-mgn
These commands set the targeted signal-to-noise margin that VDSL ports must achieve to successfully complete initialization on a downstream/upstream channel.
  • Page 731: Down/Up-Min-Noise-Mgn

Example
The following sets a target SNR margin of 12 dB for the downstream channels and 18 dB for the upstream channels.
Console(config-line-profile)#down-target-noise-mgn 12
Console(config-line-profile)#up-target-noise-mgn 18
Console(config-line-profile)#
Related Commands
lre noise-mgn target (29-28)
down/up-min-noise-mgn
These commands set the minimum acceptable signal-to-noise margin on a downstream/upstream channel.
  • Page 732 • When rate adaptation is enabled (see Command Usage, page 29-32), the signal-to-noise ratio (SNR) is an indicator of link quality. The switch itself has no internal functions to ensure link quality. To ensure a stable link, you should add a margin to the theoretical minimum signal-to-noise ratio (SNR).
  • Page 733: Table 29-8 Alarm Profile Commands

Alarm Profile Commands
This section describes how to configure a list of threshold values for error states which can be applied to all VDSL ports or to a selected group of ports.
Commands: alarm-profile, lre alarm-profile, init-failure, thresh-15min-ess
thresh-15min-lofs: Sets threshold for Loss of Framing in the past 15 minutes
thresh-15min-lols: Sets threshold for Loss of Link in the past 15 minutes
thresh-15min-loss: Sets threshold for Loss of Signal in the past 15 minutes
thresh-15min-lprs: Sets threshold for Loss of Power in the past 15 minutes...
  • Page 734: Alarm-Profile

alarm-profile
This command enters VDSL Alarm Profile configuration mode. Use the no form to delete an alarm profile.
Syntax
[no] alarm-profile profile-name
profile-name – Name of the profile. (Range: 1-31 alphanumeric characters)
Command Mode
Global Configuration
Command Usage
All commands entered in this mode are stored under the named profile, and take effect only when this profile is applied to a set of VDSL ports.
  • Page 735: Init-Failure

    First create a profile of VDSL alarm thresholds using the other commands described in this section, then enter Global Configuration mode to apply the profile to all VDSL ports on the switch using the lre alarm-profile command. Or use the interface command to select a specific port, and then use the lre alarm-profile command to apply the settings to that interface.
  • Page 736: Thresh-15Min-Ess

the status of remote transceivers is obtained via the embedded operation channel (EOC), this information may be unavailable for units that are unreachable via the EOC during a line error condition. Therefore, not all conditions may always be included in its current status.
  • Page 737: Thresh-15Min-Lofs

Command Usage
• An Errored Second is a one-second interval containing one or more CRC anomalies, or one or more Loss of Signal (LOS) or Loss of Framing (LOF) defects.
• This command sets the threshold for the number of errored seconds within any 15 minute collection interval for performance data.
  • Page 738: Thresh-15Min-Lols

Command Usage
This command sets the threshold for the number of seconds during which there is loss of framing within any 15 minute collection interval for performance data. If loss of framing in a particular 15-minute collection interval reaches or exceeds this value, a vdslPerfLofsThreshNotification notification will be generated.
  • Page 739: Thresh-15Min-Loss

notification will be generated. (Refer to RFC 3728 for information on this notification message.) No more than one notification will be sent per interval.
Example
The following sets the LOLs threshold to 15.
Console(config-alarm-profile)#thresh-15min-lols 15
Console(config-alarm-profile)#
thresh-15min-loss
This command sets the threshold for Loss of Signal seconds (LOSs) that can occur within any given 15 minutes.
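The thresh-15min-* commands above share one set of rules: a counter is accumulated per 15-minute collection interval, a notification is raised when it reaches or exceeds the profile threshold, no more than one notification is sent per interval, and a threshold of 0 disables the check. The Python below is an added example (not the switch's firmware or any SMC code) that applies those rules to a constructed stream of per-second line reports, using the Errored Second definition from the thresh-15min-ess page. Only vdslPerfLofsThreshNotification is named on the page; the other notification names follow the RFC 3728 VDSL-LINE-MIB pattern and are assumptions here. The records are assumed to arrive in time order.

```python
"""15-minute VDSL performance counters checked against alarm-profile thresholds (added example)."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

INTERVAL_SECONDS = 900  # one 15-minute collection interval

# Names follow the RFC 3728 VDSL-LINE-MIB pattern the manual cites; only the Lofs
# notification is named on the page itself, the other two are assumptions.
NOTIFICATIONS = {
    "ess": "vdslPerfESsThreshNotification",
    "lofs": "vdslPerfLofsThreshNotification",
    "loss": "vdslPerfLossThreshNotification",
}


@dataclass(frozen=True)
class SecondRecord:
    """What the transceiver reported for one second of the line."""
    t: int                  # seconds since the start of collection, non-decreasing
    crc_anomalies: int = 0
    los: bool = False       # Loss of Signal defect present
    lof: bool = False       # Loss of Framing defect present

    def counters(self) -> Dict[str, int]:
        # Errored Second: one or more CRC anomalies, or a LOS or LOF defect.
        es = 1 if (self.crc_anomalies > 0 or self.los or self.lof) else 0
        return {"ess": es, "lofs": int(self.lof), "loss": int(self.los)}


class AlarmProfile:
    """A notification fires when a counter reaches or exceeds its threshold within a
    15-minute interval, at most once per counter per interval; threshold 0 disables
    that counter (range 0-900, as on the page)."""

    def __init__(self, thresholds: Dict[str, int]) -> None:
        for name, value in thresholds.items():
            if name not in NOTIFICATIONS:
                raise ValueError(f"unknown counter {name!r}")
            if not 0 <= value <= INTERVAL_SECONDS:
                raise ValueError(f"{name}: threshold {value} outside 0-900")
        self.thresholds = thresholds
        self.interval = None
        self.counts: Dict[str, int] = {}
        self.fired: set = set()

    def feed(self, rec: SecondRecord) -> List[Tuple[str, int, int]]:
        """Return (notification, interval index, count) tuples raised by this second."""
        idx = rec.t // INTERVAL_SECONDS
        if idx != self.interval:  # new collection interval: counters and one-shot flags reset
            self.interval, self.counts, self.fired = idx, {}, set()
        out: List[Tuple[str, int, int]] = []
        for name, inc in rec.counters().items():
            self.counts[name] = self.counts.get(name, 0) + inc
            thr = self.thresholds.get(name, 0)
            if thr and name not in self.fired and self.counts[name] >= thr:
                self.fired.add(name)
                out.append((NOTIFICATIONS[name], idx, self.counts[name]))
        return out


def run_profile(records: Iterable[SecondRecord],
                thresholds: Dict[str, int]) -> List[Tuple[str, int, int]]:
    """Evaluate a time-ordered record stream against the profile; returns all notifications."""
    profile = AlarmProfile(thresholds)
    raised: List[Tuple[str, int, int]] = []
    for rec in records:
        raised.extend(profile.feed(rec))
    return raised


# Constructed sample: a burst of framing loss early in interval 0, a LOS second that is
# counted but whose threshold is disabled, then a smaller repeat in interval 1.
SAMPLE_RECORDS = [
    SecondRecord(5, crc_anomalies=2),
    SecondRecord(6, lof=True),
    SecondRecord(7, lof=True),
    SecondRecord(8, lof=True),
    SecondRecord(100, los=True),
    SecondRecord(901, lof=True),
    SecondRecord(902, lof=True),
]

if __name__ == "__main__":
    for notification in run_profile(SAMPLE_RECORDS, {"ess": 3, "lofs": 2, "loss": 0}):
        print(notification)
```

Two behaviours worth noting when reading the output: the fourth LOF second in interval 0 produces nothing because the Lofs notification has already fired for that interval, and the LOS second is counted in the ESs total but never raises a Loss notification because its threshold is 0.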
  • Page 740: Thresh-15Min-Lprs

Example
The following sets the LOSs threshold to 15.
Console(config-alarm-profile)#thresh-15min-loss 15
Console(config-alarm-profile)#
thresh-15min-lprs
This command sets the threshold for Loss of Power Seconds (LPRs) that can occur within any given 15 minutes. Use the no form to restore the default setting.
  • Page 741: Thresh-15Min-Sess

thresh-15min-sess
This command sets the threshold for Severely Errored Seconds (SESs) that can occur within any given 15 minutes. Use the no form to restore the default setting.
Syntax
thresh-15min-sess value
value – Threshold for Severely Errored Seconds. (Range: 0-900 seconds; 0 disables the threshold)
Default Setting
Command Mode
VDSL Alarm Profile...
  • Page 742: Thresh-15Min-Uass

thresh-15min-uass
This command sets the threshold for Unavailable Seconds (UASs) that can occur within any given 15 minutes. Use the no form to restore the default setting.
Syntax
thresh-15min-uass value
value – Threshold for Unavailable Seconds. (Range: 0-900 seconds; 0 disables the threshold)
Default Setting
Command Mode
VDSL Alarm Profile...
  • Page 743: Displaying Vdsl Information

Displaying VDSL Information
This section describes the commands used to display information on VDSL configuration settings, signal status, and communication statistics.
Table 29-9 Commands for Displaying VDSL Information
Displaying Configuration Settings: show lre band-plan, show lre option-band, show lre ham-band, show lre region-ham-band, show lre psd...
  • Page 744: Show Lre Band-Plan

Table 29-9 Commands for Displaying VDSL Information (Continued)
show lre noise-mgn: Displays the targeted signal-to-noise margin
show lre rate-adaption
show lre config
show lre line-profile: Displays a specified line profile which may...
show lre alarm-profile
Displaying System Status: show lre, show lre phys-info, show lre rate-info...
  • Page 745: Show Lre Option-Band

    Command Usage • Use this command without the interface parameter to display the band plans used for all VDSL ports on the switch, or with an interface to display the band plan used for a specific port. • The band plan options provided by this switch are described by ITU-T Standards G.997 and G.998.
  • Page 746: Command Usage

    Command Usage • Use this command without the interface parameter to display the optional US0 band used for all VDSL ports on the switch, or with an interface to display the optional band used for a specific port. • Refer to the lre option-band command on page 29-6 for a list of the frequency bounds for the optional band supported by this switch.
  • Page 747: Show Lre Region-Ham-Band

Example
This example shows that the HAM band in the 1.810 - 1.825 MHz range is blocked to VDSL signals for Port 1.
Console#sh lre ham-band 1/1
RFI-BAND01: 1.810 - 1.825 MHz: ANNEX F :
RFI-BAND02: 1.810 - 2.000 MHz: ETSI, T1E1 :
RFI-BAND03: 1.9075 - 1.9125 MHz: ANNEX F :
RFI-BAND04: 3.500 - 3.575 MHz: ANNEX F :
RFI-BAND05: 3.500 - 3.800 MHz: ETSI :...
  • Page 748 Command Usage • Use this command without the interface parameter to display the HAM band usage filter used for all VDSL ports on the switch, or with an interface to display the filter used for a specific port. • Refer to Table 29-5, “HAM Band Notches for Usage Types,” on page 29-10 for a list of the stop bands for radio usage types supported by this switch.
  • Page 749: Show Lre Psd

Command Usage
• Use this command without the interface parameter to display the PSD used for all VDSL ports on the switch, or with an interface to display the PSD used for a specific port.
• The Power Spectral Density (PSD) defines the power spectrum used over all of the VDSL upstream and downstream channels.
  • Page 750: Show Lre Psd-Mask-Level

Example output continues with the PSD breakpoint frequencies 3000, 3008, 3750, 3758, 4500, 4508, 5200, 5208, 7000, 7008, 8500, 8508, 12000, 12008, 16700 and 16708 kHz (power values not recovered)...
  • Page 751: Show Lre Pbo-Config

Command Usage
• Use this command without the interface parameter to display the predefined PSD mask used for all VDSL ports on the switch, or with an interface to display the mask used for a specific port.
• Refer to Table 29-6, “PSD Mask Options,” on page 29-17 for a list of the PSD mask options supported by this switch.
  • Page 752: Show Lre Upbo

    Command Usage • Use this command without the interface parameter to display the UPBO status for all VDSL ports on the switch, or with an interface to display the status for a specific port. • If UPBO is enabled by the lre upbo command (page 29-19), the...
  • Page 753: Show Lre Tone

    Command Usage Use this command without the interface parameter to show if VDSL signals are disabled at low-end frequencies for all VDSL ports on the switch, or with an interface to display this information for a specific port. Example This example shows the default setting for disabled low-end frequencies.
  • Page 754: Show Lre Interleave-Max-Delay

    Command Usage • Use this command without the interface parameter to show the maximum interleave delay for all VDSL ports on the switch, or with an interface to display this information for a specific port. • Interleave delay applies only to the interleave (slow) channel and...
  • Page 755: Show Lre Datarate

    Command Usage • Use this command without the interface parameter to show the data rate bounds for all VDSL ports on the switch, or with an interface to display this information for a specific port. • No bounds are set for the slow channels by default. Bounding data...
  • Page 756: Show Lre Noise-Mgn

    Command Usage • Use this command without the interface parameter to show the SNR target for all VDSL ports on the switch, or with an interface to display this information for a specific port. • Each transceiver must achieve the targeted noise margin with a Bit Error Rate (BER) of 10 initialization.
  • Page 757: Show Lre Rate-Adaption

    Command Usage • Use this command without the interface parameter to show if rate adaptation has been enabled for all VDSL ports on the switch, or with an interface to display this information for a specific port. • The data rate on a VDSL line can be affected by factors such as temperature, humidity, and electro-magnetic radiation.
  • Page 758: Show Lre Config

    Privileged Exec Command Usage Use this command without the interface parameter to show the VDSL settings for all VDSL ports on the switch, or with an interface to display this information for a specific port. Example This example shows the VDSL configuration settings for Port 1.
  • Page 759: Show Lre Line-Profile

    Related Commands lre apply (29-34) show lre line-profile This command displays a specified line profile which may be applied to selected VDSL ports. Syntax show lre line-profile [profile-name] profile-name – Name of the profile. (Range: 1-31 alphanumeric characters) Command Mode Privileged Exec Command Usage Use this command without a profile name to show the settings for all configured line profiles, or with a profile name to display the settings...
  • Page 760: Show Lre Alarm-Profile

    Related Commands line-profile (29-36) lre line-profile (29-37) show lre alarm-profile This command displays a specified alarm profile which may be applied to selected VDSL ports. Syntax show lre alarm-profile [profile-name] profile-name – Name of the profile. (Range: 1-31 alphanumeric characters) Command Mode Privileged Exec...
  • Page 761: Show Lre

    show lre This command displays the communication status of the VDSL line. Syntax show lre unit/port • unit - Stack unit. (Range: 1) • port - Port number. (Range: 1-16) Command Mode Privileged Exec Example Console#show lre 1/1 port 1 status : port 1 status : Downstream Training Margin: Upstream Training Margin:...
  • Page 762: Show Lre Phys-Info

    Table 29-10 show lre - display description (Continued) Field Line Protection (Slow Path) Downstream/Upstream delay Tx total power FE Tx total power VDSL Estimated Loop Length Estimated length of the VDSL connection; used G.Hs Estimated Loop Length Estimated length of the VDSL connection; used Current framing mode Far end capabilities mask SNR Margin...
  • Page 763: Table 29-11 Show Lre Phys-Info - Display Description

    Example Console#show lre phys-info 1/1 port 1/1 Phys info: Phys current line rate : Phys current attainable rate : Phys current output power : Phys current atn : Console# Table 29-11 show lre phys-info - display description Field Phys current line rate Phys current attainable rate Maximum currently attainable data rate in steps of Phys current output power Measured total output power transmitted by this Phys current atn...
  • Page 764: Show Lre Perf

    Example Console#show lre rate-info 1/1 port 1 Rate informaition : Downstream line rate: Upstream line rate: Fast Downstream payload rate: Slow Downstream payload rate: Fast Upstream payload rate: Slow Upstream payload rate: Downstream attainable payload rate: Downstream attainable line rate: Upstream attainable payload rate: Upstream attainable line rate: Console#...
  • Page 765: Command Usage

    Command Usage Use this command without the interface parameter to show performance information for all VDSL ports on the switch, or with an interface to display this information for a specific port. For a description of the displayed items, refer to the “Alarm Profile Commands”...
  • Page 766 Table 29-13 show lre phys-info - display description (Continued) Field Loss of power Errored seconds Severely errored seconds Unavailable seconds Number of seconds during which the VDSL transceiver is Ethernet Receive Performance Counters Frames Bytes Pause Frames Broadcast Frames Dropped Frames Alignment Errors...
  • Page 767 Table 29-13 show lre phys-info - display description (Continued) Field Description Ethernet Transmit Performance Counters Frames Number of frames (unicast, broadcast and multicast) transmitted. Bytes Number of bytes of data transmitted onto the network. This statistic can be used as a reasonable indication of Ethernet utilization.
  • Page 768: Cpe Configuration

    Clears statistical data (in VDSL chip) for a specified VDSL port Enables firmware upgrade on the CPE CPEs from a TFTP server to reserved buffer space in the switch Copies BME firmware to the CPE Activates alternate BME firmware version on Displays system information for a CPE...
  • Page 769: Efm Remote Eeprom-Write

    • After using the copy tftp firmware command to copy BME firmware for CPEs to reserved buffer space in the switch, use the oam remote upgrade firmware command (page 29-90) to transfer the firmware to a remote CPE, and then use the oam remote firmware active command (page 29-90) to activate the new firmware.
  • Page 770 VDSL C OMMANDS Example This example shows how to copy BME firmware for CPEs to a reserved buffer on the switch, copy this firmware to a remote CPE, and then activate the new firmware. Console#show cpe-info 1/16 Protocol ID: Protocol Version - Major:...
  • Page 771 Console#configure Console(config)#interface ethernet 1/16 Console(config-if)#oam remote upgrade firmware Console(config)#end Console#show cpe-info 1/16 Protocol ID: Protocol Version - Major: Protocol Version - Minor: Vendor ID (Value): Host Application Version: BME Firmware Version: 2006, AFE Hardware Version: IFE Hardware Version: Firmware Number: Active Version: verId 1: <-------...
  • Page 772: Oam Remote Upgrade Firmware

    • After using the copy tftp firmware command (page 29-87) to copy BME firmware for CPEs to reserved buffer space in the switch, use the oam remote upgrade firmware command to transfer the firmware to a remote CPE, and then use the oam remote firmware active command (page 29-90) to activate the new firmware.
  • Page 773: Show Cpe-Info

    (page 29-90). • After using the copy tftp firmware command (page 29-87) to copy BME firmware for CPEs to reserved buffer space in the switch, use the oam remote upgrade firmware command (page 29-90) to transfer the firmware to a remote CPE, and then use the oam remote firmware active command (page 29-90) to activate the new firmware.
  • Page 774: Table 29-15 Show Cpe-Info - Display Description

    VDSL C OMMANDS Example Console#show cpe-info 1/1 Protocol ID: Protocol Version - Major: Protocol Version - Minor: Vendor ID (Value): Host Application Version: BME Firmware Version: RTOS Nucleus AFE Hardware Version: IFE Hardware Version: Firmware Number: Active Version: verId 1: verId 2: CO Firmware Buffer is empty now Console#...
  • Page 775: Address Table Commands

    These commands are used to configure the address table for filtering specified addresses, displaying current entries, clearing the table, or setting the aging time. Table 30-1 Address Table Commands Command mac-address-table static clear mac-address-table dynamic show mac-address-table mac-address-table aging-time Sets the aging time of the address show mac-address-table aging-time...
  • Page 776: Address Table Commands

    • port-channel channel-id (Range: 1-12) • vlan-id - VLAN ID (Range: 1-4093) • action - delete-on-reset - Assignment lasts until the switch is reset. - permanent - Assignment is permanent. Default Setting No static addresses are defined. The default mode is permanent.
  • Page 777: Clear Mac-Address-Table Dynamic

    • A static address cannot be learned on another port until the address is removed with the no form of this command. Example Console(config)#mac-address-table static 00-e0-29-94-34-de interface ethernet 1/1 vlan 1 delete-on-reset Console(config)# clear mac-address-table dynamic This command removes any learned entries from the forwarding database and clears the transmit and receive counts for any static or system configured entries.
  • Page 778: Show Mac-Address-Table

    show mac-address-table This command shows classes of entries in the bridge-forwarding database. Syntax show mac-address-table [address mac-address [mask]] [interface interface] [vlan vlan-id] [sort {address | vlan | interface}] • mac-address - MAC address. • mask - Bits to match in the address. •...
  • Page 779: Mac-Address-Table Aging-Time

    • The maximum number of address entries is 8191. Example Console#show mac-address-table Interface MAC Address --------- ----------------- ---- ----------------- Eth 1/ 1 00-e0-29-94-34-de Console# mac-address-table aging-time This command sets the aging time for entries in the address table. Use the no form to restore the default aging time.
  • Page 780: Show Mac-Address-Table Aging-Time

    show mac-address-table aging-time This command shows the aging time for entries in the address table. Default Setting None Command Mode Privileged Exec Example Console#show mac-address-table aging-time Aging time: 300 sec. Console#
  • Page 781: Spanning Tree Commands

    This section includes commands that configure the Spanning Tree Algorithm (STA) globally for the switch, and commands that configure STA for the selected interface. Table 31-1 Spanning Tree Commands Command spanning-tree spanning-tree mode spanning-tree forward-time spanning-tree hello-time Configures the spanning tree bridge...
  • Page 782: Spanning Tree Commands

    Table 31-1 Spanning Tree Commands (Continued) Command revision max-hops spanning-tree spanning-disabled spanning-tree cost spanning-tree port-priority spanning-tree edge-port Enables fast forwarding for edge ports IC spanning-tree portfast spanning-tree link-type spanning-tree mst cost spanning-tree mst port-priority spanning-tree protocol-migration show spanning-tree show spanning-tree mst configuration
  • Page 783: Spanning-Tree

    The Spanning Tree Algorithm (STA) can be used to detect and disable network loops, and to provide backup links between switches, bridges or routers. This allows the switch to interact with other bridging devices (that is, an STA-compliant switch, bridge or router) in your...
  • Page 784: Spanning-Tree Mode

    RSTP node transmits, as described below: - STP Mode – If the switch receives an 802.1D BPDU after a port’s migration delay timer expires, the switch assumes it is connected to an 802.1D bridge and starts using only 802.1D BPDUs.
  • Page 785: Spanning-Tree Forward-Time

    Changing modes stops all spanning-tree instances for the previous mode and restarts the system in the new mode, temporarily disrupting user traffic. Example The following example configures the switch to use Rapid Spanning Tree: Console(config)#spanning-tree mode rstp Console(config)# spanning-tree forward-time This command configures the spanning tree bridge forward time globally for this switch.
  • Page 786: Spanning-Tree Hello-Time

    Console(config)#spanning-tree forward-time 20 Console(config)# spanning-tree hello-time This command configures the spanning tree bridge hello time globally for this switch. Use the no form to restore the default. Syntax spanning-tree hello-time time no spanning-tree hello-time time - Time in seconds. (Range: 1-10 seconds).
  • Page 787: Spanning-Tree Max-Age

    (31-5) spanning-tree max-age (31-7) spanning-tree max-age This command configures the spanning tree bridge maximum age globally for this switch. Use the no form to restore the default. Syntax spanning-tree max-age seconds no spanning-tree max-age seconds - Time in seconds. (Range: 6-40 seconds) The minimum value is the higher of 6 or [2 x (hello-time + 1)].
  • Page 788: Spanning-Tree Priority

    (31-5) spanning-tree hello-time (31-6) spanning-tree priority This command configures the spanning tree priority globally for this switch. Use the no form to restore the default. Syntax spanning-tree priority priority no spanning-tree priority priority - Priority of the bridge. (Range: 0 - 65535) (Range –...
  • Page 789: Spanning-Tree Pathcost Method

    spanning-tree pathcost method This command configures the path cost method used for Rapid Spanning Tree and Multiple Spanning Tree. Use the no form to restore the default. Syntax spanning-tree pathcost method {long | short} no spanning-tree pathcost method • long - Specifies 32-bit based values that range from 1-200,000,000. This method is based on the IEEE 802.1w Rapid Spanning Tree Protocol.
  • Page 790: Spanning-Tree Transmission-Limit

    This command changes to Multiple Spanning Tree (MST) configuration mode. Default Setting • No VLANs are mapped to any MST instance. • The region name is set to the switch’s MAC address. Command Mode Global Configuration Example Console(config)#spanning-tree mst-configuration...
  • Page 791: Mst Vlan

    • By default all VLANs are assigned to the Internal Spanning Tree (MSTI 0) that connects all bridges and LANs within the MST region. This switch supports up to 58 instances. You should try to group VLANs which cover the same general area of your network. However,...
  • Page 792: Mst Priority

    MAC address will then become the root device. • You can set this switch to act as the MSTI root device by specifying a priority of 0, or as the MSTI alternate device by specifying a priority of 16384.
  • Page 793: Name

    Console(config-mstp)#mst 1 priority 4096 Console(config-mstp)# name This command configures the name for the multiple spanning tree region in which this switch is located. Use the no form to clear the name. Syntax name name name - Name of the spanning tree.
  • Page 794: Revision

    The MST region name (page 31-13) and revision number are used to designate a unique MST region. A bridge (i.e., spanning-tree compliant device such as this switch) can only belong to one MST region. And all bridges in the same region must be configured with the same MST instances.
  • Page 795: Spanning-Tree Spanning-Disabled

    Default Setting Command Mode MST Configuration Command Usage An MSTI region is treated as a single node by the STP and RSTP protocols. Therefore, the message age for BPDUs inside an MSTI region is never changed. However, each spanning tree instance within a region, and the internal spanning tree (IST) that connects these instances use a hop count to specify the maximum number of bridges that will propagate a BPDU.
  • Page 796: Spanning-Tree Cost

    Example This example disables the spanning tree algorithm for port 5. Console(config)#interface ethernet 1/5 Console(config-if)#spanning-tree spanning-disabled Console(config-if)# spanning-tree cost This command configures the spanning tree path cost for the specified interface. Use the no form to restore the default auto-configuration mode. Syntax spanning-tree cost cost no spanning-tree cost...
  • Page 797: Table 31-4 Default Sta Path Costs

    Default Setting By default, the system automatically detects the speed and duplex mode used on each port, and configures the path cost according to the values shown below. Path cost “0” is used to indicate auto-configuration mode. When the short path cost method is selected and the default path cost recommended by the IEEE 802.1w standard exceeds 65,535, the default is set to 65,535.
  • Page 798: Spanning-Tree Port-Priority

    • This command defines the priority for the use of a port in the Spanning Tree Algorithm. If the path cost for all ports on a switch is the same, the port with the highest priority (that is, lowest value) will be configured as an active link in the spanning tree.
  • Page 799: Spanning-Tree Portfast

    Default Setting Disabled Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage • You can enable this option if an interface is attached to a LAN segment that is at the end of a bridged LAN or to an end node. Since end nodes cannot cause forwarding loops, they can pass directly through to the spanning tree forwarding state.
  • Page 800 Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage • This command is used to enable/disable the fast spanning-tree mode for the selected port. In this mode, ports skip the Discarding and Learning states, and proceed straight to Forwarding. •...
  • Page 801: Spanning-Tree Link-Type

    • When automatic detection is selected, the switch derives the link type from the duplex mode. A full-duplex interface is considered a point-to-point link, while a half-duplex interface is assumed to be on a shared link.
  • Page 802: Spanning-Tree Mst Cost

    spanning-tree mst cost This command configures the path cost on a spanning instance in the Multiple Spanning Tree. Use the no form to restore the default auto-configuration mode. Syntax spanning-tree mst instance_id cost cost no spanning-tree mst instance_id cost •...
  • Page 803: Spanning-Tree Mst Port-Priority

    Command Usage This command defines the priority for the use of an interface in the multiple spanning-tree. If the path cost for all interfaces on a switch is the same, the interface with the highest priority (that is, lowest value) will be configured as an active link in the spanning tree.
  • Page 804: Spanning-Tree Protocol-Migration

    Command Mode Privileged Exec Command Usage If at any time the switch detects STP BPDUs, including Configuration or Topology Change Notification BPDUs, it will automatically set the selected interface to forced STP-compatible mode. However, you can also use the spanning-tree protocol-migration command at any time to manually re-check the appropriate BPDU format to send on the selected interfaces (i.e., RSTP or STP-compatible).
  • Page 805: Show Spanning-Tree

    Command Usage • Use the show spanning-tree command with no parameters to display the spanning tree configuration for the switch for the Common Spanning Tree (CST) and for every interface in the tree. • Use the show spanning-tree interface command to display the spanning tree configuration for an interface within the Common Spanning Tree (CST).
  • Page 806 description of the items displayed for specific interfaces, see “Displaying Interface Settings” on page 12-13. Example Console#show spanning-tree Spanning-tree information --------------------------------------------------------------- Spanning tree mode: Spanning tree enable/disable: Instance: Vlans configuration: Priority: Bridge Hello Time (sec.): Bridge Max Age (sec.): Bridge Forward Delay (sec.): Root Hello Time (sec.): Root Max Age (sec.):...
  • Page 807: Show Spanning-Tree Mst Configuration

    show spanning-tree mst configuration This command shows the configuration of the multiple spanning tree. Command Mode Privileged Exec Example Console#show spanning-tree mst configuration Mstp Configuration Information -------------------------------------------------------------- Configuration name: R&D Revision level:0 Instance Vlans -------------------------------------------------------------- Console#
  • Page 809: Vlan Commands

    A VLAN is a group of ports that can be located anywhere in the network, but communicate as though they belong to the same physical segment. This section describes commands used to create VLAN groups, add port members, specify how VLAN tagging is used, and enable automatic VLAN registration for the selected interface.
  • Page 810: Gvrp And Bridge Extension Commands

    Configures forbidden VLANs for show gvrp configuration garp timer show garp timer bridge-ext gvrp This command enables GVRP globally for the switch. Use the no form to disable it. Syntax [no] bridge-ext gvrp Default Setting Disabled...
  • Page 811: Show Bridge-Ext

    GVRP defines a way for switches to exchange VLAN information in order to register VLAN members on ports across the network. This function should be enabled to permit automatic VLAN registration, and to support VLANs which extend beyond the local switch. Example Console(config)#bridge-ext gvrp...
  • Page 812: Switchport Gvrp

    switchport gvrp This command enables GVRP for a port. Use the no form to disable it. Syntax [no] switchport gvrp Default Setting Disabled Command Mode Interface Configuration (Ethernet, Port Channel) Example Console(config)#interface ethernet 1/1 Console(config-if)#switchport gvrp Console(config-if)# show gvrp configuration This command shows if GVRP is enabled.
  • Page 813: Garp Timer

    garp timer This command sets the values for the join, leave and leaveall timers. Use the no form to restore the timers’ default values. Syntax garp timer {join | leave | leaveall} timer_value no garp timer {join | leave | leaveall} •...
  • Page 814: Show Garp Timer

    Example Console(config)#interface ethernet 1/1 Console(config-if)#garp timer join 100 Console(config-if)# Related Commands show garp timer (32-6) show garp timer This command shows the GARP timers for the selected interface. Syntax show garp timer [interface] interface • ethernet unit/port - unit - Stack unit.
  • Page 815: Editing Vlan Groups

    Editing VLAN Groups Table 32-3 Commands for Editing VLAN Groups Command vlan database vlan vlan database This command enters VLAN database mode. All commands in this mode will take effect immediately. Default Setting None Command Mode Global Configuration Command Usage •...
  • Page 816: Vlan

    • no vlan vlan-id name removes the VLAN name. • no vlan vlan-id state returns the VLAN to the default state (i.e., active). • You can configure up to 255 VLANs on the switch. Example The following example adds a VLAN, using VLAN ID 105 and name RD5.
  • Page 817: Configuring Vlan Interfaces

    Related Commands show vlan (32-16) Configuring VLAN Interfaces Table 32-4 Commands for Configuring VLAN Interfaces Command interface vlan switchport mode switchport acceptable-frame-types switchport ingress-filtering switchport native vlan switchport allowed vlan Configures the VLANs associated with switchport gvrp switchport forbidden vlan switchport priority default interface vlan...
  • Page 818: Switchport Mode

    Default Setting None Command Mode Global Configuration Example The following example shows how to set the interface configuration mode to VLAN 1, and then assign an IP address to the VLAN: Console(config)#interface vlan 1 Console(config-if)#ip address 192.168.1.254 255.255.255.0 Console(config-if)# Related Commands shutdown (25-10)
  • Page 819: Switchport Acceptable-Frame-Types

    Example The following shows how to set the configuration mode to port 1, and then set the switchport mode to hybrid: Console(config)#interface ethernet 1/1 Console(config-if)#switchport mode hybrid Console(config-if)# Related Commands switchport acceptable-frame-types (32-11) switchport acceptable-frame-types This command configures the acceptable frame types for a port. Use the no form to restore the default.
  • Page 820: Switchport Ingress-Filtering

    Related Commands switchport mode (32-10) switchport ingress-filtering This command enables ingress filtering for an interface. Use the no form to restore the default. Syntax [no] switchport ingress-filtering Default Setting Disabled Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage •...
  • Page 821: Switchport Native Vlan

    switchport native vlan This command configures the PVID (i.e., default VLAN ID) for a port. Use the no form to restore the default. Syntax switchport native vlan vlan-id no switchport native vlan vlan-id - Default VLAN ID for a port. (Range: 1-4093, no leading zeroes) Default Setting VLAN 1...
  • Page 822: Switchport Allowed Vlan

    VLAN groups as a tagged member. • Frames are always tagged within the switch. The tagged/untagged parameter used when adding a VLAN to an interface tells the switch whether to keep or remove the tag from a frame on egress.
  • Page 823: Switchport Forbidden Vlan

    • If a VLAN on the forbidden list for an interface is manually added to that interface, the VLAN is automatically removed from the forbidden list for that interface. Example The following example shows how to add VLANs 1, 2, 5 and 6 to the allowed list as tagged VLANs for port 1: Console(config)#interface ethernet 1/1 Console(config-if)#switchport allowed vlan add 1,2,5,6 tagged...
  • Page 824: Displaying Vlan Information

    Example The following example shows how to prevent port 1 from being added to VLAN 3: Console(config)#interface ethernet 1/1 Console(config-if)#switchport forbidden vlan add 3 Console(config-if)# Displaying VLAN Information This section describes commands used to display VLAN information. Table 32-5 Commands for Displaying VLAN Information Command show vlan...
  • Page 825: Configuring Private Vlans

    Example The following example shows how to display information for VLAN 1: Console#show vlan id 1 VLAN ID: Type: Name: Status: Ports/Port Channels: Console# Configuring Private VLANs Private VLANs provide port-based security and isolation between ports within the assigned VLAN. This section describes commands used to configure private VLANs.
  • Page 826 VLAN groups. • Private VLANs and normal VLANs can exist simultaneously within the same switch. Traffic may pass freely between uplink ports in private VLANs and ports in normal VLANs.
  • Page 827: Show Pvlan

    show pvlan This command displays the configured private VLAN. Command Mode Privileged Exec Example This example shows the information displayed when no group is defined. Console(config)#pvlan Console(config)#pvlan up-link ethernet 1/18 down-link ethernet 1/1-5 Console(config)#end Console#show pvlan Private VLAN status: Enabled Up-link port: Ethernet 1/18 Down-link port:...
  • Page 828: Configuring Protocol-Based Vlans

    VLANs, including security and easy accessibility. To avoid these problems, you can configure this switch with protocol-based VLANs that divide the physical network into logical VLAN groups for each required protocol. When a frame is received at a port, its VLAN membership can then be determined based on the protocol type in use by the inbound packets.
  • Page 829: Configuring Protocol - Based Vlan

    IP and ARP protocol types: Console(config)#protocol-vlan protocol-group 1 add frame-type ethernet protocol-type ip Console(config)#protocol-vlan protocol-group 1 add frame-type ethernet protocol-type arp Console(config)# 36. SNAP frame types are not supported by this switch due to hardware limitations.
  • Page 830: Protocol-Vlan Protocol-Group (Configuring Interfaces)

    protocol-vlan protocol-group (Configuring Interfaces) This command maps a protocol group to a VLAN for the current interface. Use the no form to remove the protocol mapping for this interface. Syntax protocol-vlan protocol-group group-id vlan vlan-id no protocol-vlan protocol-group group-id vlan •...
  • Page 831: Show Protocol-Vlan Protocol-Group

    Example The following example maps the traffic entering Port 1 which matches the protocol type specified in protocol group 1 to VLAN 2. Console(config)#interface ethernet 1/1 Console(config-if)#protocol-vlan protocol-group 1 vlan 2 Console(config-if)# show protocol-vlan protocol-group This command shows the frame and protocol type associated with protocol groups.
  • Page 832: Show Interfaces Protocol-Vlan Protocol-Group

    show interfaces protocol-vlan protocol-group This command shows the mapping from protocol groups to VLANs for the selected interfaces. Syntax show interfaces protocol-vlan protocol-group [interface] interface • ethernet unit/port - unit - Stack unit. (Range: 1) - port - Port number. (Range: 1-19) •...
  • Page 833: Configuring Ieee 802.1Q Tunneling

    General Configuration Guidelines for QinQ Configure the switch to QinQ mode (system mode, page 20-13). Create a SPVLAN (vlan, page 32-8). Configure the QinQ tunnel port to dot1Q tunnel port mode (switchport mode dot1q-tunnel, page 32-27).
  • Page 834: Qinq Priority Map

    VLAN tag (used by the service provider). Use the no form to disable this feature. Syntax [no] qinq priority map Default Setting Disabled Command Mode Global Configuration Command Usage • Use the switchport mode command to set the switch to QinQ mode before entering this command.
  • Page 835: Switchport Mode Dot1Q-Tunnel

    Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage • Use the switchport mode command to set the switch to QinQ mode before entering this command. • When a tunnel port receives a packet from the customer, the customer tag (regardless of whether there are one or more tag layers) is copied...
  • Page 836: Show Dot1Q-Tunnel

    to the service provider’s outer tag. The Tag Protocol Identifier (TPID) of the tunnel port is used for the outer tag. The default is for the standard ethertype value 0x8100, but may be changed to a non-standard value using the switchport dot1q-ethertype command (page 32-29).
  • Page 837: Switchport Dot1Q-Ethertype

    • Use the switchport dot1q-ethertype command to set a custom 802.1Q ethertype value on the selected interface. This feature allows the switch to interoperate with third-party switches that do not use the standard 0x8100 ethertype to identify 802.1Q-tagged frames. For example, if 0x1234 is set as the custom 802.1Q ethertype on a tunnel...
  • Page 838: Configuring Vlan Swapping

    QinQ tunneling uses double tagging to preserve the customer’s VLAN tags on traffic crossing the service provider’s network. However, if any switch in the path crossing the service provider’s network does not support this feature, then the local switches connected directly to the customer can be manually configured to swap the customer’s VLAN ID...
  • Page 839: Switchport Vlan Swap

    Interface Configuration (Ethernet) Command Usage • Use the system mode vlan-swap command (page 20-13) to enable VLAN swap mode globally on the switch, then use the switchport vlan swap command to map the customer VLAN ID to the service provider’s VLAN ID.
  • Page 840: Show Vlan-Swap

    • VLAN swapping only supports one-to-one mapping of VLAN IDs between a VDSL port and an uplink port. • VLAN IDs must be mapped for both the upstream and downstream direction. • The maximum number of VLAN swap entries is 64 per port groups 1-8, 9-16, 17, and 18.
  • Page 841 Example Console#show vlan swap vlan-swap enable ethernet 1/1 invlan outvlan outport 1/18 ethernet 1/18 invlan outvlan outport Console#...
  • Page 843: Class Of Service Commands

    The commands described in this section allow you to specify which data packets have greater precedence when traffic is buffered in the switch due to congestion. This switch supports CoS with eight priority queues for each port. Data packets in a port’s high-priority queue will be transmitted before those in the lower-priority queues.
  • Page 844: Class Of Service Commands

    Command show priority show queue mode Port-based Priority Settings switchport priority default queue bandwidth queue cos-map show queue bandwidth show queue cos-map Shows the class-of-service map show interfaces switchport priority bits This command sets the priority bits in the VLAN tag of packets sent by the CPU.
  • Page 845: Priority Commands (Layer 2)

    Global Configuration Command Usage • The switch can be set to service the port queues based on strict priority, WRR, or a combination of strict and weighted queueing. • Strict priority requires all traffic in a higher priority queue to be processed before lower priority queues are serviced.
  • Page 846: Show Priority

    • Weighted Round-Robin (WRR) specifies a relative weight of each queue that determines the percentage of service time the switch services each queue before moving on to the next queue. This prevents the head-of-line blocking that can occur with strict priority queuing.
  • Page 847: Show Queue Mode

    Related Commands priority bits (33-2) priority ipv6 (33-17) show queue mode This command shows the current queue mode. Default Setting None Command Mode Privileged Exec Example Console#show queue mode Wrr status: Enabled Console# switchport priority default This command sets a priority for incoming untagged frames. Use the no form to restore the default value.
  • Page 848: Command Usage

    If the incoming frame is an IEEE 802.1Q VLAN tagged frame, the IEEE 802.1p User Priority bits will be used. • This switch provides eight priority queues for each port. It is configured to use Weighted Round Robin, which can be viewed with the show queue bandwidth command.
  • Page 849: Queue Bandwidth

    queue bandwidth This command assigns weighted round-robin (WRR) weights to the eight class of service (CoS) priority queues, or specifies a high-priority queue when the queue mode is set to hybrid. Use the no form to restore the default weights. Syntax queue bandwidth weight1...weight8 no queue bandwidth...
  • Page 850: Queue Cos-Map

    7, where 7 is the highest priority. Default Setting This switch supports Class of Service by using eight priority queues, with Weighted Round Robin queuing for each port. Eight separate traffic classes are defined in IEEE 802.1p. The default priority levels are assigned according to recommendations in the IEEE 802.1p...
  • Page 851: Show Queue Bandwidth

    Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage CoS values assigned at the ingress port are also used at the egress port. This command sets the CoS priority for all interfaces. Example The following example shows how to change the CoS assignments to a one-to-one mapping: Console(config)#interface ethernet 1/1 Console(config-if)#queue cos-map 0 0...
  • Page 852: Show Queue Cos-Map

    Example Console#show queue bandwidth Information of Eth 1/1 Queue ID Weight -------- ------ show queue cos-map This command shows the class of service priority map. Syntax show queue cos-map [interface] interface • ethernet unit/port - unit - Stack unit. (Range: 1) - port - Port number.
  • Page 853: Priority Commands (Layer 3 And 4)

    Priority Commands (Layer 3 and 4) This section describes commands used to configure Layer 3 and Layer 4 traffic priority on the switch. Table 33-4 Priority Commands (Layer 3 and 4) Command map ip port map ip port map ip precedence...
  • Page 854: Map Ip Port (Global Configuration)

    map ip port (Global Configuration) This command enables IP port mapping (i.e., class of service mapping for TCP/UDP sockets). Use the no form to disable IP port mapping. Syntax [no] map ip port Default Setting Disabled Command Mode Global Configuration Command Usage The precedence for priority mapping is IP Port, IP Precedence or IP...
  • Page 855: Map Ip Precedence (Global Configuration)

    Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage • The precedence for priority mapping is IP Port, IP Precedence or IP DSCP, and default switchport priority. • Up to 8 entries can be specified for IP Port priority mapping. •...
  • Page 856: Map Ip Precedence (Interface Configuration)

    Example The following example shows how to enable IP precedence mapping globally: Console(config)#map ip precedence Console(config)# map ip precedence (Interface Configuration) This command sets IP precedence priority (i.e., IP Type of Service priority). Use the no form to restore the default table. Syntax map ip precedence ip-precedence-value cos cos-value no map ip precedence...
  • Page 857: Map Ip Dscp (Global Configuration)

    Example The following example shows how to map IP precedence value 1 to CoS value 0: Console(config)#interface ethernet 1/5 Console(config-if)#map ip precedence 1 cos 0 Console(config-if)# map ip dscp (Global Configuration) This command enables IP DSCP mapping (i.e., Differentiated Services Code Point mapping).
  • Page 858: Map Ip Dscp (Interface Configuration)

    map ip dscp (Interface Configuration) This command sets IP DSCP priority (i.e., Differentiated Services Code Point priority). Use the no form to restore the default table. Syntax map ip dscp dscp-value cos cos-value no map ip dscp •...
  • Page 859: Priority Ipv6

    Example The following example shows how to map IP DSCP value 1 to CoS value 0: Console(config)#interface ethernet 1/5 Console(config-if)#map ip dscp 1 cos 0 Console(config-if)# priority ipv6 This command assigns IPv6 traffic classes to one of the Class-of-Service values. Use the no form to restore the default setting. Syntax priority ipv6 interface traffic-class cos-value no queue mode...
  • Page 860: Show Map Ip Port

    Example The following example maps the Traffic Class value of 1 to CoS value 0: Console(config)#priority ipv6 1 0 Console(config)# show map ip port This command shows the IP port priority map. Syntax show map ip port [interface] interface •...
  • Page 861: Show Map Ip Precedence

    show map ip precedence This command shows the IP precedence priority map. Syntax show map ip precedence [interface] interface • ethernet unit/port - unit - Stack unit. (Range: 1) - port - Port number. (Range: 1-19) • port-channel channel-id (Range: 1-12) Default Setting None Command Mode...
  • Page 862: Show Map Ip Dscp

    show map ip dscp This command shows the IP DSCP priority map. Syntax show map ip dscp [interface] interface • ethernet unit/port - unit - Stack unit. (Range: 1) - port - Port number. (Range: 1-19) • port-channel channel-id (Range: 1-12) Default Setting None Command Mode...
  • Page 863 The commands described in this section are used to configure Differentiated Services (DiffServ) classification criteria and service policies. You can classify traffic based on access lists, IP Precedence or DSCP values, or VLANs. Using access lists allows you to select traffic based on Layer 2, Layer 3, or Layer 4 information contained in each packet.
  • Page 864: Quality Of Service Commands

    Table 34-1 Quality of Service Commands (Continued) Command show policy-map show policy-map interface To create a service policy for a specific category of ingress traffic, follow these steps: Use the class-map command to designate a class name for a specific category of traffic, and enter the Class Map configuration mode.
  • Page 865: Class-Map

    Notes: 1. You can configure up to 16 rules per Class Map. You can also include multiple classes in a Policy Map. 2. You should create a Class Map (page 34-3) before creating a Policy Map (page 34-6). Otherwise, you will not be able to specify a Class Map with the class command (page 34-7) after entering Policy-Map Configuration mode.
  • Page 866: Match

    • The class map is used with a policy map (page 34-6) to create a service policy (page 34-10) for a specific interface that defines packet classification, service tagging, and bandwidth policing. Example This example creates a class map called “rd_class,” and sets it to match packets marked for DSCP service value 3: Console(config)#class-map rd_class match-any Console(config-cmap)#match ip dscp 3...
  • Page 867 command to specify the fields within ingress packets that must match to qualify for this class map. • Only one match command can be entered per class map. • The class map uses the Access Control List filtering engine, so you must also set an ACL mask to enable filtering for the criteria specified in the match command.
  • Page 868: Policy-Map

    policy-map This command creates a policy map that can be attached to multiple interfaces, and enters Policy Map configuration mode. Use the no form to delete a policy map and return to Global configuration mode. Syntax [no] policy-map policy-map-name policy-map-name - Name of the policy map.
  • Page 869: Class

    class This command defines a traffic classification upon which a policy can act, and enters Policy Map Class configuration mode. Use the no form to delete a class map and return to Policy Map configuration mode. Syntax [no] class class-map-name class-map-name - Name of the class map.
  • Page 870: Set

    Example This example creates a policy called “rd_policy,” uses the class command to specify the previously defined “rd_class,” uses the set command to classify the service that incoming packets will receive, and then uses the police command to limit the average bandwidth to 100,000 Kbps, the burst rate to 1522 bytes, and configure the response to drop any violating packets.
  • Page 871: Police

    police command to limit the average bandwidth to 100,000 Kbps, the burst rate to 1522 bytes, and configure the response to drop any violating packets. Console(config)#policy-map rd_policy Console(config-pmap)#class rd_class Console(config-pmap-c)#set ip dscp 3 Console(config-pmap-c)#police 100000 1522 exceed-action drop Console(config-pmap-c)# police This command defines a policer for classified traffic.
  • Page 872: Service-Policy

  • Page 873: Show Class-Map

    Example This example applies a service policy to an ingress interface. Console(config)#interface ethernet 1/1 Console(config-if)#service-policy input rd_policy Console(config-if)# show class-map This command displays the QoS class maps which define matching criteria used for classifying traffic. Syntax show class-map [class-map-name] class-map-name - Name of the class map. (Range: 1-16 characters) Default Setting Displays all class maps.
  • Page 874: Show Policy-Map

    show policy-map This command displays the QoS policy maps which define classification criteria for incoming traffic, and may include policers for bandwidth limitations. Syntax show policy-map [policy-map-name [class class-map-name]] • policy-map-name - Name of the policy map. (Range: 1-16 characters) •...
  • Page 875 Command Mode Privileged Exec Example Console#show policy-map interface ethernet 1/5 Service-policy rd_policy input Console#...
  • Page 877 This switch uses IGMP (Internet Group Management Protocol) to query for any attached hosts that want to receive a specific multicast service. It identifies the ports containing hosts requesting a service and sends data out to those ports only. It then propagates the service request up to any neighboring multicast switch/router to ensure that it will continue to receive the multicast service.
  • Page 878: Multicast Filtering Commands

    Shows the IGMP snooping and query show mac-address-table multicast ip igmp snooping This command enables IGMP snooping on this switch. Use the no form to disable it. Syntax [no] ip igmp snooping Default Setting Enabled...
  • Page 879: Ip Igmp Snooping Vlan Static

    Example The following example enables IGMP snooping. Console(config)#ip igmp snooping Console(config)# ip igmp snooping vlan static This command adds a port to a multicast group. Use the no form to remove the port. Syntax [no] ip igmp snooping vlan vlan-id static ip-address interface •...
  • Page 880: Ip Igmp Snooping Version

    • All systems on the subnet must support the same version. If there are legacy devices in your network that only support Version 1, you will also have to configure this switch to use Version 1. • Some commands are only enabled for IGMPv2, including ip igmp query-max-response-time and ip igmp query-timeout.
  • Page 881: Ip Igmp Snooping Immediate-Leave

    Note that the timeout period is determined by the ip igmp snooping query-max-response-time (see page 35-10). • If immediate-leave is enabled, the switch assumes that only one host is connected to the interface. Therefore, immediate leave should only...
  • Page 882: Show Ip Igmp Snooping

    show ip igmp snooping This command shows the IGMP snooping configuration. Default Setting None Command Mode Privileged Exec Command Usage See “Configuring IGMP Snooping and Query Parameters” on page 16-4 for a description of the displayed items. Example The following shows the current IGMP snooping configuration: Console#show ip igmp snooping Service status:...
  • Page 883: Igmp Query Commands

    ---- --------------- ------------ ------- 224.1.2.3 Console# IGMP Query Commands This section describes commands used to configure Layer 2 IGMP query on the switch. Command ip igmp snooping querier Allows this device to act as the ip igmp snooping query-count ip igmp snooping...
  • Page 884: Ip Igmp Snooping Querier

    ip igmp snooping querier This command enables the switch as an IGMP querier. Use the no form to disable it. Syntax [no] ip igmp snooping querier Default Setting Enabled Command Mode Global Configuration Command Usage If enabled, the switch will serve as querier if elected. The querier is responsible for asking hosts if they want to receive multicast traffic.
  • Page 885: Ip Igmp Snooping Query-Interval

    This command configures the query interval. Use the no form to restore the default. Syntax ip igmp snooping query-interval seconds no ip igmp snooping query-interval seconds - The frequency at which the switch sends IGMP host-query messages. (Range: 60-125) Default Setting 125 seconds Command Mode...
  • Page 886: Ip Igmp Snooping Query-Max-Response-Time

    Global Configuration Command Usage • The switch must be using IGMPv2 for this command to take effect. • This command defines the time after a query, during which a response is expected from a multicast client. If a querier has sent a number of...
  • Page 887: Ip Igmp Snooping Router-Port-Expire-Time

    - The time the switch waits after the previous querier stops before it considers the router port (i.e., the interface which had been receiving query packets) to have expired.
  • Page 888: Table 35-4 Static Multicast Routing Commands

    Depending on your network connections, IGMP snooping may not always be able to locate the IGMP querier. Therefore, if the IGMP querier is a known multicast router/switch connected over the network to an interface (port or trunk) on your router, you can manually configure that interface to join all the current multicast groups.
  • Page 889: Show Ip Igmp Snooping Mrouter

    Example The following shows how to configure port 11 as a multicast router port within VLAN 1: Console(config)#ip igmp snooping vlan 1 mrouter ethernet 1/11 Console(config)# show ip igmp snooping mrouter This command displays information on statically configured and dynamically learned multicast router ports. Syntax show ip igmp snooping mrouter [vlan vlan-id] vlan-id - VLAN ID (Range: 1-4093)
  • Page 890: Igmp Filtering And Throttling Commands

    The IGMP filtering feature fulfills this requirement by restricting access to specified multicast services on a switch port, and IGMP throttling limits the number of simultaneous multicast groups a port can join. Table 35-5 IGMP Filtering and Throttling Commands...
  • Page 891: Ip Igmp Filter (Global Configuration)

    Global Configuration Command Usage • IGMP filtering enables you to assign a profile to a switch port that specifies multicast groups that are permitted or denied on the port. An IGMP filter profile can contain one or more, or a range of multicast addresses;...
  • Page 892: Ip Igmp Profile

    ip igmp profile This command creates an IGMP filter profile number and enters IGMP profile configuration mode. Use the no form to delete a profile number. Syntax [no] ip igmp profile profile-number profile-number - An IGMP filter profile number. (Range: 1-4294967295) Default Setting Disabled...
  • Page 893: Range

    Command Usage • Each profile has only one access mode; either permit or deny. • When the access mode is set to permit, IGMP join reports are processed when a multicast group falls within the controlled range. When the access mode is set to deny, IGMP join reports are only processed when a multicast group is not in the controlled range.
  • Page 894: Ip Igmp Filter (Interface Configuration)

    ip igmp filter (Interface Configuration) This command assigns an IGMP filtering profile to an interface on the switch. Use the no form to remove a profile from an interface. Syntax [no] ip igmp filter profile-number profile-number - An IGMP filter profile number.
  • Page 895: Default Setting

    When the maximum number of groups is reached on a port, the switch can take one of two actions: either “deny” or “replace.” If the action is set to deny, any new IGMP join reports will be dropped.
  • Page 896: Command Usage

    Command Usage When the maximum number of groups is reached on a port, the switch can take one of two actions: either “deny” or “replace.” If the action is set to deny, any new IGMP join reports will be dropped. If the action is set to replace, the switch randomly removes an existing group and replaces it with the new multicast group.
  • Page 897: Show Ip Igmp Profile

    239.1.1.1 239.1.1.1 range 239.2.3.1 239.2.3.100 Console# show ip igmp profile This command displays IGMP filtering profiles created on the switch. Syntax show ip igmp profile [profile-number] profile-number - An existing IGMP filter profile number. (Range: 1-4294967295) Default Setting...
  • Page 898: Show Ip Igmp Throttle Interface

    show ip igmp throttle interface This command displays the interface settings for IGMP throttling. Syntax show ip igmp throttle interface [interface] interface • ethernet unit/port - unit - Stack unit. (Range: 1) - port - Port number. (Range: 1-19) •...
  • Page 899: Multicast Vlan Registration Commands

    Multicast VLAN Registration Commands This section describes commands used to configure Multicast VLAN Registration (MVR). A single network-wide VLAN can be used to transmit multicast traffic (such as television channels) across a service provider’s network. Any multicast traffic entering an MVR VLAN is sent to all subscribers.
  • Page 900: Mvr (Global Configuration)

    (Global Configuration) This command enables Multicast VLAN Registration (MVR) globally on the switch, enables a specific MVR domain using the domain keyword, statically configures MVR multicast group IP address(es) using the group keyword, or specifies the MVR VLAN identifier using the vlan keyword.
  • Page 901 • Use the mvr group command to statically configure all multicast group addresses that will join an MVR VLAN. Any multicast data associated with an MVR group is sent from all source ports, and to all receiver ports that have registered to receive data from that multicast group.
  • Page 902: Mvr (Interface Configuration)

    mvr (Interface Configuration) This command configures an interface as a static member of an MVR domain using the group keyword, or configures an interface as an MVR receiver or source port using the type keyword. Use the no form to restore the default settings.
  • Page 903 Example The following configures one source port and several receiver ports on the switch, enables immediate leave on one of the receiver ports, and statically assigns a multicast group to another receiver port: Console(config)#interface ethernet 1/5...
  • Page 904: Mvr Immediate

    When immediate leave is disabled, the switch follows the standard rules by sending a group-specific query to the receiver port and waiting for a response to determine if there are any remaining subscribers for that multicast group before removing the port from the group list.
  • Page 905: Show Mvr

    show mvr This command shows information about the global MVR configuration settings when entered without any keywords, the interfaces attached to the MVR VLAN using the interface keyword, or the multicast groups assigned to the MVR VLAN using the members keyword. Syntax show mvr [interface [interface] | members [ip-address]] •...
  • Page 906: Table 35-7 Show Mvr - Display Description

    Description An independent multicast domain. Shows if MVR is globally enabled on the switch. Indicates whether or not all necessary conditions in the MVR environment are satisfied. (Running status is true as long as MVR Status is enabled, and the specified MVR VLAN exists.)
  • Page 907: Table 35-8 Show Mvr Interface - Display Description

    Shows the MVR status and interface status. MVR status for source ports is “ACTIVE” if MVR is globally enabled on the switch. MVR status for receiver ports is “ACTIVE” only if there are subscribers receiving multicast traffic from one of the MVR groups, or a multicast group has been statically assigned to an interface.
  • Page 908: Table 35-9 Show Mvr Members - Display Description

    The following shows information about the interfaces associated with multicast groups assigned to the MVR VLAN: Console#show mvr members =================================== MVR domain : 1 MVR Group IP ---------------- 225.0.0.1 225.0.0.2 225.0.0.3 225.0.0.4 225.0.0.5 225.0.0.6 225.0.0.7 225.0.0.8 225.0.0.9 225.0.0.10 =================================== MVR domain : 2 MVR Group IP...
  • Page 909: Table 36-1 Dns Commands

    These commands are used to configure Domain Naming System (DNS) services. You can manually configure entries in the DNS domain name to IP address mapping table, configure default domain names, or specify one or more name servers to use for domain name to address translation. Note that domain name services will not be enabled until at least one name server is specified with the ip name-server command and domain lookup is enabled with the ip domain-lookup command.
  • Page 910: Domain Name Service Commands

    Command show dns cache clear dns cache ip host This command creates a static entry in the DNS table that maps a host name to an IP address. Use the no form to remove an entry. Syntax [no] ip host name address1 [address2 … address8] •...
  • Page 911: Clear Host

    Example This example maps two addresses to a host name. Console(config)#ip host rd5 192.168.1.55 10.1.0.55 Console(config)#end Console#show hosts Hostname Inet address 10.1.0.55 192.168.1.55 Alias Console# clear host This command deletes entries from the DNS table. Syntax clear host {name | *} •...
  • Page 912: Ip Domain-Name

    ip domain-name This command defines the default domain name appended to incomplete host names (i.e., host names passed from a client that are not formatted with dotted notation). Use the no form to remove the current domain name. Syntax ip domain-name name no ip domain-name...
  • Page 913: Ip Domain-List

    • Domain names are added to the end of the list one at a time. • When an incomplete host name is received by the DNS service on this switch, it will work through the domain list, appending each domain name in the list to the host name, and checking with the specified name servers for a match.
  • Page 914: Ip Name-Server

    Example This example adds two domain names to the current list and then displays the list. Console(config)#ip domain-list sample.com.jp Console(config)#ip domain-list sample.com.uk Console(config)#end Console#show dns Domain Lookup Status: DNS disabled Default Domain Name: .sample.com Domain Name List: .sample.com.jp .sample.com.uk Name Server List: Console#...
  • Page 915: Ip Domain-Lookup

    Example This example adds two domain-name servers to the list and then displays the list. Console(config)#ip domain-server 192.168.1.55 10.1.0.55 Console(config)#end Console#show dns Domain Lookup Status: DNS disabled Default Domain Name: .sample.com Domain Name List: .sample.com.jp .sample.com.uk Name Server List: 192.168.1.55 10.1.0.55 Console# Related Commands...
  • Page 916: Show Hosts

    Example This example enables DNS and then displays the configuration. Console(config)#ip domain-lookup Console(config)#end Console#show dns Domain Lookup Status: DNS enabled Default Domain Name: .sample.com Domain Name List: .sample.com.jp .sample.com.uk Name Server List: 192.168.1.55 10.1.0.55 Related Commands ip domain-name (36-4) ip name-server (36-6) show hosts This command displays the static host name-to-address mapping table.
  • Page 917: Show Dns

    show dns This command displays the configuration of the DNS service. Command Mode Privileged Exec Example Console#show dns Domain Lookup Status: DNS enabled Default Domain Name: sample.com Domain Name List: sample.com.jp sample.com.uk Name Server List: 192.168.1.55 10.1.0.55 Console# show dns cache This command displays entries in the DNS cache.
  • Page 918: Clear Dns Cache

    Table 36-2 show dns cache - display description Field FLAG TYPE DOMAIN Description The entry number for each resource record. clear dns cache This command clears all entries in the DNS cache. Command Mode Privileged Exec Example Console#clear dns cache Console#show dns cache FLAG Console#
  • Page 919: Dhcp Commands

    These commands are used to configure Dynamic Host Configuration Protocol (DHCP) client and relay functions. You can configure any VLAN interface to be automatically assigned an IP address via DHCP. This switch can also be configured to relay DHCP client configuration requests to a DHCP server on another network.
  • Page 920: Dhcp Relay

    Command Usage • This command issues a BOOTP or DHCP client request for any IP interface that has been set to BOOTP or DHCP mode via the ip address command. • DHCP requires the server to reassign the client’s last address if available.
  • Page 921: Ip Dhcp Relay Server

    • This command is used to configure DHCP relay for host devices attached to the switch. If DHCP relay service is enabled (by specifying the address for at least one DHCP server), and this switch sees a DHCP request broadcast, it inserts its own IP address into the request so the DHCP server will know the subnet where the client is located.
  • Page 922: Ip Dhcp Information Option

    This command enables DHCP Option 82 information relay, and specifies the frame format to use when Option 82 information is generated by the switch. Use the no form of this command to disable this feature. Syntax ip dhcp information option {circuit-id | remote-id} no ip dhcp information option •...
  • Page 923: Dhcp R Elay

    • If Option 82 is enabled on the switch, client information will be included in any relayed request packet received through the management interface according to these criteria. Table 37-4 Inserting Option 82 Information DHCP DHCP † Snooping Relay Enabled...
  • Page 924: Ip Dhcp Information Policy

    the reply packet was received. If the DHCP packet’s broadcast flag is off, the switch uses the Option 82 information to identify the interface connected to the requesting client and unicasts the reply packet to the client.
  • Page 925: Show Ip Dhcp Relay Server

    • Refer to the Usage Guidelines under the ip dhcp information option command (page 37-4) for information on when Option 82 information is processed by the switch. • When the Option 82 policy is set to “keep” the original information in the request packet, the frame type specified by the ip dhcp information option command is ignored.
  • Page 926: Dhcp C Ommands

    Example Console#show ip dhcp relay server Ip Dhcp Relay Status: Enable Ip Dhcp Relay Server: 192.168.10.19 DHCP Information Option Circuitid Status: disable DHCP Information Option Remoteid Status: disable DHCP Information Policy: replace Console# Related Commands ip dhcp relay server (37-3)...
  • Page 927: Ip Interface Commands

    An IP address may be used for management access to the switch over your network. An IP address is obtained via DHCP by default for VLAN 1. You can manually configure a specific IP address, or direct the switch to obtain an address from a BOOTP or DHCP server when it is powered on.
  • Page 928: Ip Address

    Command Usage • You must assign an IP address to this device to gain management access over the network or to connect the switch to existing IP subnets. You can manually configure a specific IP address, or direct the device to obtain an address from a BOOTP or DHCP server. Valid IP addresses consist of four numbers, 0 to 255, separated by periods.
  • Page 929: Ip Default-Gateway

    VLAN 1). This defines the management VLAN, the only VLAN through which you can gain management access to the switch. If you assign an IP address to any other VLAN, the new IP address overrides the original IP address and this becomes the new management VLAN.
  • Page 930: Show Ip Interface

    Example The following example defines a default gateway for this device: Console(config)#ip default-gateway 10.1.1.254 Console(config)# Related Commands show ip redirects (38-4) show ip interface This command displays the settings of an IP interface. Command Mode Privileged Exec Example Console#show ip interface Console#...
  • Page 931: Ping

    ping This command sends ICMP echo request packets to another node on the network. Syntax ping host [count count][size size] • host - IP address or IP alias of the host. • count - Number of packets to send. (Range: 1-16, default: 5) •...
  • Page 932 Example Console#ping 10.1.0.9 Type ESC to abort. PING to 10.1.0.9, by 5 32-byte payload ICMP packets, timeout is 5 seconds response time: 10 ms response time: 10 ms response time: 10 ms response time: 10 ms response time: 0 ms Ping statistics for 10.1.0.9: 5 packets transmitted, 5 packets received (100%), 0 packets lost (0%)
  • Page 933 Appendices This section provides additional information on the following topics. Software Specifications ... A-1 Troubleshooting ...
  • Page 935: Software Specifications

    Software Features Authentication Local, RADIUS, TACACS+, Port (802.1X), HTTPS, SSH, Port Security Access Control Lists IP, MAC Fast Ethernet ports - 173 rules, 7 masks shared by 8-port groups Gigabit Ethernet ports - 52 rules, 7 masks DHCP Client, Relay BOOTP Client DNS Proxy Port Configuration...
  • Page 936: Port Trunking

    Software Specifications
    Rate Limits: Input/output limit, Range (configured per port)
    Port Trunking: Static trunks (Cisco EtherChannel compliant); Dynamic trunks (Link Aggregation Control Protocol)
    Spanning Tree Algorithm: Spanning Tree Protocol (STP, IEEE 802.1D); Rapid Spanning Tree Protocol (RSTP, IEEE 802.1w); Multiple Spanning Tree Protocol (MSTP, IEEE 802.1s)
    VLAN Support: Up to 256 groups;...
  • Page 937: In-Band Management

    3 OAM channels (IB, eoc, VOC) between VTU-C and VTU-R
    HDLC or 802.3ah EFM framing
    Upstream power back-off
    CPE firmware upgrade via eoc channel
    Remote CPE management, reset, auto-configuration and performance monitoring
    Additional Features: BOOTP client; SNTP (Simple Network Time Protocol); SNMP (Simple Network Management Protocol); RMON (Remote Monitoring, groups 1, 2, 3, 9); SMTP Email Alerts...
  • Page 938: Management Information Bases

    Software Specifications
    IEEE 802.1Q VLAN
    IEEE 802.1v Protocol-based VLANs
    IEEE 802.1s Multiple Spanning Tree Protocol
    IEEE 802.1w Rapid Spanning Tree Protocol
    IEEE 802.1X Port Authentication
    IEEE 802.3-2002 Ethernet, Fast Ethernet, Gigabit Ethernet
    Link Aggregation Control Protocol (LACP)
    Full-duplex flow control (ISO/IEC 8802-3)
    IEEE 802.3ac VLAN tagging
    ITU-T G.993.1 (VDSL) and G.993.2 (VDSL2)
    ITU-T G.994.1 (VDSL handshake compliance)
  • Page 939 Management Information Bases
    Entity MIB (RFC 2737)
    Ether-like MIB (RFC 2665)
    Extended Bridge MIB (RFC 2674)
    Extensible SNMP Agents MIB (RFC 2742)
    Forwarding Table MIB (RFC 2096)
    IGMP MIB (RFC 2933)
    Interface Group MIB (RFC 2233)
    Interfaces Evolution MIB (RFC 2863)
    IP MIB (RFC 2011)
    IP Multicasting related MIBs
    MAU MIB (RFC 3636)
  • Page 940 Software Specifications...
  • Page 941: Troubleshooting

    IP interface to which it is connected. • If you are trying to connect to the switch via the IP address for a tagged VLAN group, your management station, and the ports connecting intermediate switches in the network, must be configured with the appropriate tag.
  • Page 942 • Be sure you have generated a public key on the switch, and exported this key to the SSH client. • Be sure you have set up an account on the switch for each SSH user, including user name, authentication level, and password.
  • Page 943: Using System Logs

    Using System Logs If a fault does occur, refer to the Installation Guide to ensure that the problem you encountered is actually caused by the switch. If the problem appears to be caused by the switch, follow these steps:
    1. Enable logging.
  • Page 944 Troubleshooting...
  • Page 945: Glossary

    Access Control List (ACL) ACLs can limit network traffic and restrict access to certain users or devices by checking each packet for certain IP or MAC (i.e., Layer 2) information. Boot Protocol (BOOTP) BOOTP is used to provide bootup information for network devices, including IP address information, the address of the TFTP server that contains the device's system files, and the name of the boot file.
  • Page 946 EAPOL is a client authentication protocol used by this switch to verify the network access rights for any device that is plugged into the switch. A user name and password are requested by the switch, and then passed to an authentication server (e.g., RADIUS) for verification.
  • Page 947 An IEEE standard for the Multiple Spanning Tree Protocol (MSTP) which provides independent spanning trees for VLAN groups. IEEE 802.1X Port Authentication controls access to the switch ports by requiring users to first enter a user ID and password for authentication. Glossary...
  • Page 948: Ip Multicast Filtering

    Internet Group Management Protocol (IGMP) A protocol through which hosts can register with their local router for multicast services. If there is more than one multicast switch/router on a given subnetwork, one of the devices is made the “querier” and assumes responsibility for keeping track of group membership.
  • Page 949: Link Aggregation Control Protocol (Lacp)

    IP Precedence The Type of Service (ToS) octet in the IPv4 header includes three precedence bits defining eight different priority levels ranging from highest priority for network control packets to lowest priority for routine traffic. The eight values are mapped one-to-one to the Class of Service categories by default, but may be configured differently to suit the requirements for specific network applications.
  • Page 950: Multicast Switching

    Glossary Multicast Switching A process whereby the switch filters incoming multicast frames for services for which no attached host has registered, or forwards them to all ports contained within the designated multicast VLAN group. Network Time Protocol (NTP) NTP provides the mechanisms to synchronize time across the network.
  • Page 951: Private Vlans

    Private Branch Exchange (PBX) A telephone exchange local to a particular organization that uses, rather than provides, telephone services. Private VLANs Private VLANs provide port-based security and isolation between ports within the assigned VLAN. Data traffic on downlink ports can only be forwarded to, and from, uplink ports.
  • Page 952 A secure replacement for remote access functions, including Telnet. SSH can authenticate users with a cryptographic key, and encrypt data connections between management clients and the switch. Simple Mail Transfer Protocol (SMTP) A standard host-to-host mail transport protocol that operates over TCP, port 25.
  • Page 953 Terminal Access Controller Access Control System Plus (TACACS+) TACACS+ is a logon authentication protocol that uses software running on a central server to control access to TACACS-compliant devices on the network. Transmission Control Protocol/Internet Protocol (TCP/IP) Protocol suite that includes TCP as the primary transport protocol, and IP as the network layer protocol.
  • Page 954: Virtual Lan (Vlan)

    Glossary Very high data rate Digital Subscriber Line 2 (VDSL2) VDSL2 as defined in ITU-T Recommendation G.993.2 is an enhancement to the first VDSL standard (G.993.1). It supports transmission at a bi-directional net data rate (the sum of upstream and downstream rates) of up to 200 Mbps on twisted pair cables using a bandwidth of up to 30 MHz.
  • Page 955: Index

    Numerics 802.1Q tunnel 13-24 32-25 description 13-24 interface configuration 13-30 – 32-27 32-29 mode selection 13-30 TPID 13-30 32-29 802.1X, port authentication 6-19 acceptable frame type 13-15 Access Control List See ACL Extended IP 8-2 MAC 8-2 24-16 Standard IP 8-2 address table 11-1 30-1 aging time 11-4...
  • Page 956 Index verifying MAC addresses 7-10 VLAN configuration 7-10 Differentiated Code Point Service See DSCP Differentiated Services See DiffServ DiffServ 15-2 34-1 binding policy to interface 15-10 34-10 class map 15-3 34-3 34-7 policy map 15-6 34-6 service policy 15-10 34-10 default domain name 17-1 displaying the cache 17-6 domain name list 17-1...
  • Page 957 Layer 2 16-2 35-2 query 16-2 35-8 query, Layer 2 16-4 35-7 snooping 16-2 35-2 snooping, configuring 16-4 snooping, setting immediate leave 16-13 35-5 ingress filtering 13-15 32-12 internal temperature status 4-4 IP address BOOTP/DHCP 4-14 38-2 setting 2-6 38-2 IP port priority enabling 14-16 33-12...
  • Page 958 Index assigning static multicast groups 16-30 35-26 setting interface type 16-26 35-28 setting multicast groups 16-21 specifying a VLAN 16-21 using immediate leave 16-26 35-28 packet filtering 7-15 23-5 DHCP replies 7-16 23-9 DHCP requests 7-16 IP/MAC address pairs 7-18 NetBIOS traffic 7-17 password, line 20-29 passwords 2-5...
  • Page 959 11-1 statistics, port 9-29 25-14 STP 12-1 12-8 31-4 Also see STA switch settings, saving or restoring 4-20 20-16 system clock, setting 4-37 system mode, normal, QinQ or VLAN-swap 13-1 20-13 system software, downloading from server 4-18...
  • Page 960 Index ham band notch 10-8 ham band region/usage notch 10-9 29-9 impulse noise protection 10-10 interface settings 10-7 line profiles 10-16 29-35 maximum data rate 10-10 maximum power 10-10 OAM functions 10-41 option band 10-9 29-6 PSD breakpoints 10-1 PSD frequencies at breakpoints 10-1 29-13 PSD mask level 10-2 29-16...
  • Page 962 FOR TECHNICAL SUPPORT, CALL: From U.S.A. and Canada (24 hours a day, 7 days a week) (800) SMC-4-YOU; (949) 679-8000; Fax: (949) 679-1481 From Europe: Contact details can be found on www.smc-europe.com or www.smc.com INTERNET E-mail addresses: techsupport@smc.com european.techsupport@smc-europe.com Driver updates: http://www.smc.com/index.cfm?action=tech_support_drivers_downloads World Wide Web: http://www.smc.com...