manualshive.com logo in svg

Allied Telesis AR400 Series, Release Note

The Allied Telesis AR400 Series troubleshooting manual is available for free download from our website. This comprehensive manual provides users with detailed troubleshooting instructions and essential information to ensure optimal performance of their AR400 Series product. Experience seamless connectivity with our reliable network solutions.

Share
Download
background image

170

Enhancements to IPsec/VPN

Release Note

Software Version 2.8.1
C613-10477-00 REV B

This feature provides an alternative to using heartbeat exchanges. Heartbeat 
exchanges are more robust under denial of service attacks, and may be able to 
detect the problem before any network traffic is lost; however heartbeat 
exchanges may be incompatible with some third party equipment. 

Command Changes

The following table summarises the modified commands: 

Modifying the Message Retransmission Delay

This Software Version adds a new message retransmission option for ISAKMP 
policies, by adding a new 

msgbackoff

 parameter. This provides a choice of 

back-off patterns for ISAKMP policies which are configured to retransmit 
messages.

When 

incremental

 is specified, the delay between retransmissions 

increases in a linear manner, by twice the value set by the 

msgtimeout

 

parameter. That is, every retransmitted message is delayed by the last 
delay time plus twice the 

msgtimeout

 value.

When 

none

 is specified, the delay between retransmissions is static. All 

retransmissions are sent after the delay specified by the 

msgtimeout

 

parameter. 

The default for the parameter is 

incremental

. To set a back-off pattern for 

ISAKMP messages, use the 

msgbackoff 

parameter in the commands:

create isakmp policy=

name

 peer={

ipv4add

|

ipv6add

|any} 

[msgbackoff={incremental|none}]

 

[msgretrylimit=0..1024] 

[msgtimeout=1..86400] [other parameters]

set isakmp policy=

name

 [msgbackoff={incremental|none}]

 

[msgretrylimit=0..1024] [msgtimeout=1..86400] 

[other parameters]

The default value for the 

msgretrylimit

 is now 

8

, and the default for the 

msgtimeout

 limit is now 

4

. ISAKMP policies created without changing the 

defaults for these three parameters will have this message retransmission 
pattern:

1.

The router or switch sends the initial message.

2.

The router or switch retransmits the message 4 seconds later. 

3.

If a second retransmission is needed, this occurs 8 seconds (twice the value 
set by the 

msgtimeout

 parameter) after the first retransmission. 

Command

Change

create ipsec policy

New 

respondbadspi

 parameter.

set ipsec policy

New 

respondbadspi

 parameter.

show ipsec policy

New 

Respond Bad SPI

 parameter in the output for a 

specific policy.

show ipsec policy counter

New 

inBadSpiResponse

 parameter in output.

show isakmp counters

New

 badSpiRequests

badSpiFromKnownPeer

badSpiInAggrMode

badSpiSendNotifyUnset

 

parameters in output when 

counters

 is set to 

general

.

Summary of Contents for AR400 Series

Page 1: ...vement 27 Route Update Queue Length 29 Removing a Description from a Switch Port 30 Securing a Single VLAN through Switch Filters 30 Change of Debug Command Syntax 32 Enhanced Static Switch Filtering on Ports within a Trunk Group 32 Ethernet Protection Switching Ring EPSR 32 Command Reference Updates 33 PPPoE Access Concentrator 47 Command Reference Updates 47 MSTP Enhancement 50 Command Reference...

Page 2: ...103 Displaying Routes Learned from a Specific BGP Peer 104 Command Reference Updates 105 MLD and MLD Snooping Enhancements 112 MLD Packet Formats 112 ICMP type for MLDv2 Reports 112 MLD Snooping Group Membership Display 113 Change of Maximum Query Response Interval for MLD 113 Command Reference Updates 114 Extension to Range of Classifier fields for x900 Switches 117 Command Reference Updates 117 ...

Page 3: ...187 Traps on OSPF state changes 188 Trap on VRRP topology changes 189 Traps on MSTP state and topology changes 189 Restart Log 190 Trap on Login Failures 190 VLAN based port state changes 190 Trap on Memory Levels 191 Command Reference Updates 192 CDP over WAN Interfaces 193 Command Reference Updates 193 Permanent Assignments on AR400 Series Routers 197 ...

Page 4: ... be downloaded from the web site 2 Overview of New Features This section lists the new features and shows the product families on which each feature is supported 3 Descriptions of New Features These sections describe how to configure each new feature Caution Information in this document is subject to change without notice and does not represent a commitment on the part of Allied Telesis Inc While ...

Page 5: ...81 rez 89 281a hlp x900 48FE 89 281 rez 89 281a hlp AT 9812T sb 281 rez 9812_281 00_en_d rsc 98 281a hlp AT 9816GB sb 281 rez 9816_281 00_en_d rsc 98 281a hlp Rapier 24i 86s 281 rez r24i_281 00_en_d rsc rp 281a hlp Rapier 48i 86s 281 rez r16i_281 00_en_d rsc rp 281a hlp Rapier16fi 86s 281 rez r48i_281 00_en_d rsc rp 281a hlp AT 8824 86s 281 rez 8824_281 00_en_d rsc 88 281a hlp AT 8848 86s 281 rez ...

Page 6: ...ced Static Switch Filtering on Ports within a Trunk Group 9 9 9 9 9 Switching Ethernet Protection Switching Ring EPSR 9 9 9 MSTP MSTP Enhancement 9 9 9 9 9 9 9 STP STP Enhancement 9 9 9 9 9 9 9 9 Asyn Ports Making Asynchronous Ports Respond More Quickly 9 9 9 9 9 9 9 9 9 9 9 PPPoE PPPoE Access Concentrator 9 9 9 9 9 9 9 9 9 IGMP IGMP Proxy on x900 Series Switches 9 9 9 IGMP IGMP filtering extended...

Page 7: ...erval for MLD 9 9 9 9 9 9 9 9 9 Classifier Extension to Range of Classifier fields for x900 Switches 9 9 9 QoS Port Groups 9 9 9 QoS Storm protection 9 9 9 SCP Configuring Secure Copy 9 9 9 9 9 9 9 9 9 9 9 SCP Loading using Secure Copy 9 9 9 9 9 9 9 9 9 9 9 SCP Uploading using Secure Copy 9 9 9 9 9 9 9 9 9 9 9 SSL SSL Counter Enhancement 9 9 9 9 9 9 9 9 9 9 9 Firewall Firewall Licencing 9 9 9 9 9 ...

Page 8: ...ate and topology changes 9 9 9 9 9 9 9 SNMP MIBs Restart Log 9 9 9 9 9 9 9 9 9 9 9 SNMP MIBs Trap on Login Failures 9 9 9 9 9 9 9 9 9 9 9 SNMP MIBs VLAN based port state changes 9 9 9 9 9 9 9 9 9 9 9 SNMP MIBs Trap on Memory Levels 9 9 9 9 9 9 9 9 9 9 9 CDP CDP over WAN Interfaces 9 9 9 9 9 9 9 9 9 Permanent Assignments on AR400 Series Routers 9 AR400 AR7x5 AR750S Rapier AT 8800 AT 8700XL AT 8600 ...

Page 9: ...s nam set sys nam Command Changes The following table summarises the modified commands Extended Monitoring of CPU Utilisation This Software Version includes a new feature for monitoring CPU utilisation You can now set the router or switch to capture data about which specific functions the CPU is executing and the level of instantaneous usage the CPU is experiencing This allows you in conjunction w...

Page 10: ...ata entries are stored To stop capturing data and reset the start and stop parameters if they are set use the command disable cpu extended To remove data entries and reset the start and stop parameters in the activate cpu extended command use the command reset cpu utilisation This command interrupts active data capturing for a specific event However monitoring remains enabled and continues to coll...

Page 11: ... data capturing If CPU utilisation falls below the stop percentage before the router or switch has 500 data entries then the router or switch resumes data capturing the next time utilisation reaches the start percentage When the router or switch has 500 entries it stops collecting data Example To capture extended CPU utilisation data when CPU utilisation exceeds 70 and until it falls below 50 use ...

Page 12: ...n the MIB object sysContact If the new option none is specified no contact name is defined Any existing contact name is cleared The default is none set system location Syntax SET SYStem LOCation location NONE The location parameter specifies the location of the router or switch which is displayed in the output of the show system command stored in the MIB object sysLocation If the new option none i...

Page 13: ... over last 5 minutes 100 Average since router restarted 5 Average over last 5 minutes 6 Average over last minute 7 Average over last 10 seconds 41 Average over last second 100 Extended CPU Information State Enabled Current Time 21 44 49 04aa9a34 2573941241 Current Install 54 281 rez 5012892 Start percent Stop percent msSM Timestamp Util Caller Return1 Return2 Return3 04aa9a34 2573927208 100 0021a3...

Page 14: ...re the router or switch can begin capturing extended CPU utilisation data A shows if no percentage is set Stop percent Percentage of utilisation that the CPU must fall below before the router or switch stops capturing extended CPU utilisation data msSM Time when the router or switch captured the CPU utilisation sample The time format is milliseconds since midnight in hexadecimal notation Timestamp...

Page 15: ... keywords in a command that define the object or details of the action Parameter values can be numbers or text or can come from a list of items Now you can set the syntax so that parameters and values can be separated by either one of the following an equals sign a single space The set command assignmentoperator command lets you change the syntax When using aliases we suggest you use the sign in t...

Page 16: ...case sensitive Spaces must separate parameters Value The value assigned to a parameter Depending on the parameter a value can be an item from a list of option keywords a number arbitrary text Values are optional or required Enter values with the syntax parameter value or parameter value for details see Command Reference Updates Most values are not case sensitive except for text such as passwords O...

Page 17: ... summarises the changes new and modified commands To move the cursor to the You could only press Now you can also press the beginning of the command line Ctrl A Home key end of the command line Ctrl E End key Command Description show command history New command that displays past commands Please note that it replaces the Ctrl C shortcut create config New set option that lets you set the switch to ...

Page 18: ...curity officer privilege when the router or switch is in security mode Example To save the current dynamic configuration to a script file called test cfg use the command cre con test cfg Parameter Description CONfig Name of the configuration file or script to create If one already exists it is replaced The filename is in the format device filename ext and can be uppercase and lowercase letters dig...

Page 19: ...ke care when using aliases because they match any whole word on the command line Therefore if you separate a parameter with a space a matching alias could erroneously be substituted for the value Note that certain command handlers such as those for STT PERM and ACC always require the sign Example To set the command processor so that you can enter a space between parameters and values on the comman...

Page 20: ...h vrrp 20 134 sh vrrp 0 135 sh vrrp 21 136 sh vrrp 255 137 sh vrrp none 138 sh vrrp any 139 destroy qos queue2priomap queue 0 bwclass 2 vrrp none 140 destroy qos queue2priomap queue 0 bwclass 2 vrrp any 141 destroy qos queue2priomap queue 0 bwclass 2 vrrp 0 142 destroy qos queue2priomap queue 0 bwclass 2 vrrp 256 143 destroy qos queue2priomap queue 0 bwclass 2 vrrp 17 18 144 destroy qos queue2prio...

Page 21: ...reset file permanentredirect New command show file permanentredirect New command Parameter Description FIle Name of the text file where you want to send output One is created if it does not already exist The filename is in the format device filename txt and can be uppercase and lowercase letters digits _ and space device indicates the physical location where the file is stored The default is flash...

Page 22: ...ytes Parameter cont Description cont Parameter Description FIle Name of the text file that you want to create The filename is in the format device filename txt and can be uppercase and lowercase letters digits _ and space device indicates the physical location where the file is stored The default is flash Default no default FORCE Overwrites the text file if one already exists If force is not speci...

Page 23: ... displays information about one text file or all that are permanently receiving output from commands or scripts Figure 3 Table 2 These files are typically created to collect data during debugging The file parameter displays information about a specific text file Figure 4 The filename option is in the format device filename txt and can be uppercase and lowercase letters digits _ and space Device in...

Page 24: ...he command sh fi perm TTY Current Limit File Instance Size 17 12345 204800 bgp txt File bgp txt TTY Instance 17 Current Size 12345 Limit 204800 Input s COMMAND enable bgp debug all Table 2 Parameters in output of the show file permanentredirect command Parameter Meaning TTY Instance Instance number for the TTY device Current Size Size of the text file in bytes Limit Limit of file size in bytes set...

Page 25: ...which adds complexity to the filtering process when packets are being sent between instances This Software Version allows you to select between two modes of using classifier based packet filtering in 48 port switches port specific filters first or non port specific filters first You can select different modes using the new set switch hwfilter mode command Selecting the right mode when setting up c...

Page 26: ...filter when the packet travels between ports on different switch instances When to Use Non Port Specific Mode Use the non port specific npsf mode when you want port specific filters to override the non port specific filters for certain circumstances In the following example the second port specific filter stops the first non port specific filter from discarding packets from port 50 create class 1 ...

Page 27: ...valent to entering the disable switch port command linkDown The port is physically disabled and the link is down This is equivalent to entering the disable switch port link disabled command vlanDisable The port is disabled only for the VLAN on which thrashing has occurred It can still receive and transmit traffic for any other VLANs of which it is a member When a MAC address is thrashing between t...

Page 28: ...n has been applied the port is automatically re enabled when the defined timeout expires You cannot manually re enable the port Port Types Limiting rapid MAC movement is supported on all port types It is also supported on trunked ports Command Changes The following table summarises the new and modified commands Command Change create switch trunk New thrashaction parameter New thrashtimeout paramet...

Page 29: ...witch hwrouteupdate 1 maximum The maximum depends on the amount of memory on the switch as shown in the table above The purpose of this feature is to enable you to tune the balance between the memory that the route update process uses and the speed with which large route updates are processed Output of the show switch command has been expanded to display information about the queue settings Comman...

Page 30: ...ing vlansecure on page 31 Without this enhancement the default situation a switch filter only allows a host to access the network through a particular port on the switch For example if you have a PC connected to port 15 in vlan2 and define the following filter the PC can only communicate when it is connected to port 15 add switch filter entry 0 dest pc mac address vlan 2 port 15 action forward Wit...

Page 31: ... To display which mode the filtering behaviour is in use the existing command show switch filter This command now displays the additional field VlanSecure which is either DISABLED or ENABLED Command Changes The following table summarises the new and modified commands swi filter Default behaviour vlansecure enabled port 15 port 16 vlan2 vlan1 Securing only the VLAN vlansecure disabled port 15 port ...

Page 32: ... goes link down the router or switch drops any traffic that is forwarded by a static switch filter out of that port In this Software Version when a port that is part of a trunk group goes link down the router or switch modifies any static switch filters defined to forward traffic out of that port It modifies the egress port for the switch filter entry to a port which is link up within the trunk gr...

Page 33: ...wn to disable all ports in the thrashing trunk until either the period specified by the thrashtimeout parameter has elapsed or until the ports or subset of ports in the trunk are re enabled by the enable switch port command If linkdown is specified the link state is down if portdisable is specified the link state remains up vlandisable to block all traffic on the VLAN where the address was learned...

Page 34: ...rt list ALL VLAN vlan name 1 4094 ALL where port list is a port number range specified as n m or comma separated list of numbers and or ranges Port numbers start at 1 and end at m where m is the highest numbered Ethernet switch port including uplink ports vlan name is a unique name from 1 to 32 characters Valid characters are uppercase and lowercase letters digits the underscore and hyphen Descrip...

Page 35: ...cessing that VLAN not other VLANs Example To turn on the default filtering behaviour use the command ena swi fil vlan enable switch port vlan Syntax ENAble SWItch POrt port list ALL VLAN vlan name 1 4094 ALL where port list is a port number range specified as n m or comma separated list of numbers and or ranges Port numbers start at 1 and end at m where m is the highest numbered Ethernet switch po...

Page 36: ...to none to apply no thrash limiting on the trunk learndisable to disable MAC address learning on all ports in the thrashing trunk until the period specified with the thrashtimeout parameter has elapsed The default is learndisable portdisable or linkdown to disable all ports in the thrashing trunk until either the period specified by the thrashtimeout parameter has elapsed or until the ports or sub...

Page 37: ...ific filters for certain circumstances If you add a port specific filter after the non port specific filters the router or switch may still use a matching non port specific filter when the packet travels between ports on different switch instances When you specify npsf the router or switch expects non port specific filters to be entered first Use this mode when you want port specific filters to ov...

Page 38: ...n the router or switch takes when it detects MAC address thrashing on a port Thrashing occurs when one or more ports repeatedly learn the same MAC addresses for example as a result of a network loop Take care with the thrashaction parameter because misuse can impair your network operation Set the thrashaction parameter to none to apply no thrash limiting to the port learndisable to disable MAC add...

Page 39: ...en ports in one second When the specified limit is reached the thrashaction specifed with the set switch port command is applied The default thrashlimit is 10 Example To set the switch thrash limit to 100 MAC movements per second use the command set swi thrashl 100 set switch trunk Syntax SET SWItch TRunk trunk SPeed 10M 100M 1000M 10G THRASHAction LEarndisable LINKDown NONE POrtdisable VLANdisabl...

Page 40: ...hrashaction vlandisable ingress filtering is automatically enabled on all ports in the trunk The thrashtimeout parameter specifies the time in seconds for which the switch employs the thrash action specified by the thrashaction parameter The thrashtimeout cannot be set to none if thrashaction learndisable If thrashtimeout none and thrashaction is then changed to learndisable then the router or swi...

Page 41: ...the trunk Disable Learning Learning is disabled on all ports in the trunk Disable Port All ports in the trunk are disabled but the links will remain up Link Down All ports in the trunk are disabled and the links will go down Disable Vlan All ports in the trunk are disabled for the VLAN that thrashing occurring on Address learn thrash timeout The thrashtimeout value to apply to any trunks created b...

Page 42: ... the show switch command when hardware learning delay is enabled Switch Configuration Switch Address 00 00 cd 12 78 03 Learning ON Ageing Timer ON IP route Learn delay 4 ms queue size 0 queue limit 1000000 percent in use 0 high water mark 0 queue maximum 1500000 queue default 1000000 Updating hardware status 0 Pending ...

Page 43: ... number of messages that have been seen on the queue since the switch last started up Queue maximum The maximum value to which you can set the queue size This depends on the amount of memory installed on the switch Queue default The default maximum number of entries in the queue This depends on the amount of memory installed on the switch Updating hardware status The number of entries that the sof...

Page 44: ...outer or switch and a summary of the current filters Figure 9 Modified example output from the show switch hwfilter command Switch Filters VlanSecure ENABLED Entry VLAN Destination Address Port Action Source 0 default 1 aa ab cd 00 00 01 1 Forward static 1 default 1 aa ab cd 00 00 02 1 Forward static 0 marketing 2 aa ab cd 00 00 01 2 Discard static 1 marketing 2 aa ab cd 00 00 02 2 Discard learn T...

Page 45: ...o intranet hub port 49 Status ENABLED Link State Up UpTime 02 35 26 Port Media Type ISO8802 3 CSMACD Configured speed duplex Autonegotiate Actual speed duplex 1000 Mbps full duplex MDI Configuration Polarity Manual MDI Loopback Off Configured master slave mode Not applicable Actual master slave mode Not applicable Acceptable Frames Type Admit All Frames Disabled egress queues Q0 Q3 4 BCast MCast r...

Page 46: ...ken when the address learn thrash limit is exceeded Disable Learning Address learning on the port is temporarily disabled Disable Port The port is disabled but the link remains up Link Down The port is disabled and the link is down Disable VLAN The port is disabled for the VLAN on which thrashing is occurring Address learn thrash timeout The time in seconds for which a port remains disabled after ...

Page 47: ...e to connect to the router or switch using this service To allow a PPPoE host to be defined on the router or switch as well as on an Access Concentrator service the acinterface parameter must be used The acinterface parameter specifies the interface to be used by the Access Concentrator service If none is specified the Access Concentrator service uses all valid interfaces A service can be offered ...

Page 48: ...e specified in the add ppp acservice command If multiple interfaces exist for the service you are prompted to specify an acinterface The default is none The acinterface parameter supercedes the now deprecated vlan parameter in this command set ppp acservice Syntax SET PPP ACservice service name ACRadius OFF ON MAXSessions 1 512 TEMPlate ppp template ACINTerface NONE interface Where interface is an...

Page 49: ...tput from the show ppp pppoe command PPPOE PPP1 Service Name bob Peer Mac Address 00 00 cd 00 ab a3 Interface eth0 Session ID a1a3 Maximum Segment Size 1292 Access Concentrator Mode Enabled Services bob Max sessions 2 Current Sessions 1 Template 1 Interface eth1 MAC RADIUS Authentication YES carol Max sessions 5 Current Sessions 0 Template 1 Interface vlan1 MAC RADIUS Authentication YES PPPOE Coun...

Page 50: ...orter alternative to using the disable mstp cist port command followed by the disable mstp msti port command Example To disable the CIST and all MSTIs on ports 10 15 use the command dis mstp po 10 15 enable mstp port Syntax ENAble MSTP POrt port list ALL where port list is a port number range specified as n m or comma separated list of port numbers and or ranges Port numbers start at 1 and end at ...

Page 51: ...escription The output of this command includes a new field Figure 12 Example output from the show stp port rstpstate command Command Change show stp port New Port field in output RSTP State Information STP Name default Bridge Level State Machine STATE Port Role Selection Role Selection Port 1 Port State Machines STATE Port Information Disabled Port Role Transitions Blocked Port Port State Transiti...

Page 52: ...t However bundling reduces terminal responsiveness A ten timer value of 100 milliseconds is generally a good compromise between responsiveness and processing overhead If you need to increase the port s responsiveness this enhancement enables you to reduce the length of the ten timer To do this use the new tentimervalue parameter in the set asyn command set asyn port number tentimervalue 20 100 oth...

Page 53: ...Character HArdware None PAGe 0 99 OFF PARity Even Mark None Odd SPace PRompt prompt DEFault OFf SECure ON OFf YES NO True False SERvice service name None SPeed AUTO 75 110 134 5 150 300 600 1200 1800 2000 24 00 4800 9600 14400 14 4K 19200 19 2K 28800 28 8K 38400 38 4K 57600 57 6K 115200 115 2K STopbits 1 2 TENtimervalue 20 100 TIMeout 1 65535 TYpe Dumb VT100 Description The new tentimervalue param...

Page 54: ...are Autobaud mode disabled Max tx queue length 16 TX queue length 3 Transmit frame none RX queue length 0 IP address none Max transmission unit 1500 Ten timer value 100 Table 12 New parameters in the output of the show asyn port number command Parameter Meaning Ten timer value The length of the ten timer in milliseconds When an asynchronous port is in ten mode it bundles together the characters th...

Page 55: ...E x900 48FE N AT 9924T AT 9924SP AT 9924T 4SP x900 24XT x900 24XT N In a network with a simple tree topology you can use IGMP proxy to simplify the configuration of multicast routing The router or switch at the root of the tree must run a multicast routing protocol but all other routers and switches in the network can be configured as IGMP proxy agents The IGMP proxy agent must be configured with ...

Page 56: ...and on the interface for IGMP proxy to function When this message Is received on this interface Then the IGMP proxy agent Report downstream adds the membership subscription to the multicast group membership database forwards the report message on the upstream interface if the membership subscription is for a new multicast group upstream discards the message without processing Leave downstream remo...

Page 57: ...ltering extended to all IGMP message types IGMP filtering lets you manage the distribution of multicast services on each switch port by controlling which multicast groups the hosts attached to a switch port can join IGMP filtering is applied to multicast streams forwarded by IGMP IGMP Snooping or MVR Filtering of IGMP membership reports was supported in a previous software version This software ve...

Page 58: ...padd ipadd ipadd msgtype query report leave action include exclude To remove a filter from a switch port use the command set switch port port list all igmpfilter none other options To destroy a filter first remove the filter from all ports that it is applied to then use the command destroy igmp filter filter id To display information about IGMP filters use the command show igmp filter filter id To...

Page 59: ...erval use the command set ip igmp interface interface querytimeout none 0 1 65535 To display information about IGMP and the IGMP proxy agent use the command show ip igmp Command Changes The following table summarises the new and modified commands Message IGMP No general query within time interval seconds on interface Severity 5 IMPORTANT Module 5 IPG Log Type 021 MSGS Log Subtype 002 WARN Recommen...

Page 60: ...group address or a range of IP multicast group addresses to match Set groupaddress to 0 0 0 0 to filter IGMP general query messages a multicast address or a range of multicast addresses to filter IGMP group specific query messages report messages and leave messages The action parameter specifies the action to take when an IGMP message with a message type matching msgtype and a group address matchi...

Page 61: ... decimal notation Description The new igmpproxy parameter specifies the status of IGMP proxying for the specified interface If you specify off the interface does not do IGMP Proxy If you specify upstream the interface passes IGMP messages in the upstream direction A router or switch can have only one interface when the IGMP proxy direction is upstream If you specify downstream the interface can re...

Page 62: ...concatenating a Layer 2 interface type an interface instance and optionally a hyphen followed by a logical interface number from 0 to 15 If a logical interface is not specified 0 is assumed Description This new command enables the monitoring of incoming IGMP general query messages on an interface and generates a log message and an SNMP trap if an IGMP general query message is not received on the i...

Page 63: ...tric 1 16 SAMode Block Passthrough VJC False NO OFF ON True YES VLANPRiority 0 7 None VLantag 1 4094 None where interface is an interface name formed by concatenating a Layer 2 interface type an interface instance and optionally a hyphen followed by a logical interface number from 0 to 15 If a logical interface is not specified 0 is assumed ipadd is an IP address in dotted decimal notation Descrip...

Page 64: ...opped 0 Table 13 New parameters in the output of the show igmp filter command Parameter Meaning Msg Type The type of IGMP message being filtered by this entry one of Leave Query or Report Reports Queries Leaves The total number of IGMP messages of the specified type that were received and processed on all the switch ports that this filter is attached to Recd The number of IGMP messages of the spec...

Page 65: ...Robustness Variable 2 Query Response Interval 100 1 10secs Disabled All groups ports 1 5 7 Interface Name vlan1 DR Status Enabled Other Querier timeout 164 secs IGMP Proxy Upstream General Query Reception Timeout None Group List Group 224 0 1 22 Last Adv 10 194 254 254 Refresh time 184 secs Ports 24 Group 224 0 1 22 Static association Refresh time Infinity Ports 11 14 17 19 Static Ports 17 19 All ...

Page 66: ...physical interface This Software Version expands logical Ethernet interfaces not VLAN to 1000 per physical eth interface Logical Eth interfaces can be numbered from 0 to 999 for example eth0 0 to eth0 999 Note that if you use the GUI to view interfaces and have configured a large number the Interface page may take several minutes to display The add ip interface and set ip interface commands reflec...

Page 67: ...raffic policy priority routing The type parameter is optional to ensure that this Software Version is backwards compatible with configuration scripts written using an earlier Software Version When type is not specified the router or switch determines the filter type based on the value of the filter number and the specified parameters Filters with a specified policy parameter are policy filters Fil...

Page 68: ...address it broadcasts an ARP Request message over the egress IP interface If the router or switch does not receive a reply within a particular time it notifies the sending device that the destination is unknown This enhancement lets you increase the length of time that the router or switch waits for a response which is useful for routers or switches that communicate with devices that are slow to r...

Page 69: ... feature is enabled you can add an ARP entry with a multicast MAC address using the add ip arp command Accepting Packets with Conflicting Addresses Enabling macdisparity also allows the router or switch to accept packets with conflicting IP and MAC addresses Normally the router or switch discards these packets as being invalid Conflicting IP and MAC addresses include A multicast IP address with a ...

Page 70: ...errupted when a port within a trunk group goes link down In previous Software Versions when a port that is part of a trunk group goes link down the router or switch drops any traffic that is forwarded by a static ARP entry out of that port In this Software Version when a port that is part of a trunk group goes link down the router or switch modifies any static ARP entries defined to forward traffi...

Page 71: ...NTry 1 255 Policy filter ADD IP FILter 0 999 POLIcy 0 15 SOurce ipadd TYPE POLIcy SMask ipadd SPort port name port id DEStination ipadd DMask ipadd DPort port name port id ICMPCode icmp code name icmp code id ICmptype icmp type name icmp type id LOG 4 1600 Dump Header None OPtions False OFF ON NO True YES PROTocol protocol Any Icmp Ospf Tcp Udp SEssion Any Established Start SIze size ENTry 1 255 P...

Page 72: ...ed the router or switch determines the filter type based on the IP filter number and the specified parameters Filters with a specified policy parameter are policy filters Filters with a specified priority parameter are priority filters Filters with a specified action parameter are either traffic or routing filters If the filter number set is between 0 to 99 they are traffic filters between 100 to ...

Page 73: ...igured on the router or switch use the command ena ip mac reset ip counter Syntax RESET IP COUnter ALL ARP CAChe ICmp INTerface IP MULticast ROUt e SNmp UDP Description This command sets IP counters to zero The counter parameter specifies particular counters depending on the option and all resets all of them You can now specify cache as an option for the counter parameter Example To reset the IP r...

Page 74: ...de icmp code name icmp code id ICmptype icmp type name icmp type id LOG 4 1600 Dump Header None OPtions False OFF ON NO True YES PROTocol protocol Any Icmp Ospf Tcp Udp SEssion Any Established Start SIze size ENTry 1 255 Description This command changes a pattern in an IP traffic filter policy filter priority filter or routing filter You can now specify a greater range of filter numbers in the set...

Page 75: ... 168 1 1 ppp0 Secondary Name Server Not Set Source Routed Packets Discarded Remote IP address assignment DISABLED DNS Relay DISABLED IP ARP LOG ENABLED IP ARP refresh by hit ENABLED IP MAC address disparity DISABLED Routing Protocols RIP Neighbours 0 EGP Status DISABLED Autonomous System Number Not Set Transfer RIP to EGP Disabled ARP aging timer multiplier 4 1024 2048 secs Arp wait timeout 1 secs...

Page 76: ...3 eth0 2 Forward 1 3 10 1 1 4 192 168 100 3 eth0 3 Forward 1 3 10 1 1 5 192 168 100 3 eth0 4 Forward 1 3 10 1 1 6 192 168 100 3 eth0 5 Forward 1 3 10 1 1 7 192 168 100 3 eth0 6 Forward 1 3 10 1 1 8 192 168 100 3 eth0 7 Forward 1 3 10 1 1 9 192 168 100 3 eth0 8 Forward 1 3 10 1 1 10 192 168 100 3 eth0 9 Forward 1 3 10 1 1 11 192 168 100 3 eth0 10 Forward 1 3 Table 16 Parameters in output of the new...

Page 77: ...put from the show ip counter cache command Type One of the following Forward Local GenBcast SpcBcast MultOsp MultLmtd MultNorm MultLocl Age Age of the entry which increases over time but is reduced when the entry is used Count Number of times the entry was found Table 16 Parameters in output of the new show ip cache command cont Parameter Meaning Cache Counters hits 304 rejects 0 deletes 0 Table 1...

Page 78: ...est Address Dest Mask Prot C T Options Pattern Type Act Pol Pri Logging Matches 2 Traffic 1 Any 192 168 166 2 255 255 255 255 Any Yes Any 192 168 163 39 255 255 255 255 Any No General Include Off 0 2 Any 192 168 163 21 255 255 255 255 Any Yes 23 192 168 163 39 255 255 255 255 TCP No General Exclude Off 0 Requests 0 Passes 0 Fails 0 Table 18 New parameters in output of the show ip filter command Pa...

Page 79: ...Download upload of files using the Trivial File Transfer Protocol SNMP Transfer of device management data using the Simple Network Management Protocol DHCP SVR External network node configuration by the router or switch acting as a Dynamic Host Configuration Protocol Server DHCP CLT Communications by the router or switch when acting as a client using the Dynamic Host Configuration Protocol BOOTP C...

Page 80: ...rsion enables you to display the state of all active UDP over IPv6 sessions by using the following new command show ipv6 udp Command Changes The following table summarises the new command IPv6 Tunnel Expansion This Software Version increases the maximum number of simultaneous IPv6 tunnels available on these routers from 100 to 256 AR770S AR750S Static IPv6 tunnels and 6 to 4 tunnels share this res...

Page 81: ...outer or switch for the given process A blank address indicates that the UDP session is active but either no packets have been transmitted yet or packets have been transmitted without specifying the source IP address Remote Port The UDP port number used for the UDP session on the remote device A value of zero indicates that UDP packets from any remote port will be accepted for the session Process ...

Page 82: ...des control and payload messages into a human readable format For control packets all of the message is decoded For payload packets only the header is decoded The first 64 bytes of the encapsulated frame is also displayed but remains in hexadecimal format For an example of decoded control and payload packets see the enable l2tp debug command in the Command Reference Updates section To disable deco...

Page 83: ... Proxy Authentication responses from the router or switch You can now disable Proxy Authentication on the router or switch for situations where the third party equipment is not compatible Use proxyauth off in the command add l2tp ip ipadd ipadd ppptemplate 0 31 number off on startup pre13 off on proxyauth off on tosreflect off on false true no yes The default for proxyauth is on Proxy Authenticati...

Page 84: ...disable l2tp debug Syntax DISable L2TP DEBug ALL DECode PKT STAte CALL 1 65535 TUNnel 1 65535 Parameter Description PROXYAuth Whether the router or switch acting as an LNS performs Proxy Authentication of the PPP user if the LAC provides Authentication information Default on ON The LNS performs Proxy Authentication OFF The LNS does not perform Proxy Authentication Parameter Description DEBug The d...

Page 85: ...ter this time all debugging modes are automatically disabled Default no time limit set debugging continues until turned off using the disable l2tp debug command 18 07 20 L2TP DECODE Rx TID 0 CID 0 from 192 168 1 1 1701 Header Version 2 Type Control Flags T L S Length 107 Tunnel ID 0 Session ID 0 Sequence Numbers Ns 0 Nr 0 Attribute Value Pairs AVPs Message Type 0 Flags M Len 8 Value SCCRQ Protocol...

Page 86: ...ted the packet to a peer Rx Indicates that the router or switch received the packet from a peer TID The local tunnel ID number associated with the packet CID The local call ID number associated with the packet The first packet received from a peer will state the IP range and port number of the call instead of a call ID number Header Header information for the packet This specifies the version type...

Page 87: ...ToS Reflect off Proxy Authentication on Table 22 Parameters in the output of the show l2tp ip command Parameter Meaning Proxy Authentication Whether the router or switch acting as an LNS performs Proxy Authentication for the PPP user if the LAC provides Authentication information one of on or off Tunnel ID 3 State established Started 08 Apr 2006 11 04 50 Debug decode Table 23 Parameters in the out...

Page 88: ...all command for a specific call Call ID 52221 Tunnel ID 19223 Server Type LAC Started 01 Apr 2006 16 45 51 Username not set Sequence Numbers off Debug decode Table 24 Parameters in the output of the show l2tp tunnel call command for a specific call Parameter Meaning Debug Whether debugging is disabled or enabled on the tunnel If enabled the type of debugging is displayed one of state packet or dec...

Page 89: ...SSA border router using the commands add ospf area backbone area number stubarea nssa nssastability 1 3600 nssatranslator candidate always other options set ospf area backbone area number stubarea nssa nssastability 1 3600 nssatranslator candidate always other options If you set nssatranslator to always the NSSA router will unconditionally translate Type 7 LSAs as long as it has NSSA border router...

Page 90: ...ability parameter This allows a more stable transition to the newly elected translator and minimises excessive flushing of translated Type 7 LSAs The nssatranslator and nssastability parameters are only valid when stubarea is set to nssa You can display the current translator role for an area using the command show ospf area area number You can display the current translator role for all areas usi...

Page 91: ...f redistribute protocol bgp interface rip static To change a route redistribution definition use the command set ospf redistribute protocol bgp interface rip static other options To display the currently configured route redistribution definitions use the command show ospf redistribute Interaction with global OSPF parameters You can still use the asexternal bgpfilter bgpimport bgplimit rip and sta...

Page 92: ...erface routes and the advertisement of external routes If you set asexternal to on or nssa OSPF imported interface routes for interfaces that were not OSPF interfaces with the following exceptions Routes that were Local and within an active OSPF range Routes that exactly matched an OSPF host or stub network These routes were advertised as a stub link in the router LSA of the area to which the acti...

Page 93: ...ic range for metric and tag parameters delete ospf redistribute New bgp interface and rip options for protocol parameter disable ospf debug New redistribute option for debug parameter enable ospf debug New redistribute option for debug parameter set ospf Modified behaviour of asexternal bgpimport rip and staticexport parameters set ospf redistribute New bgp interface and rip options for protocol p...

Page 94: ... router status If you specify candidate the router or switch will participate in the NSSA translator election process The NSSA border router with the highest router identifier is elected as the translator Once elected the router or switch will translate Type 7 LSAs until it loses border router status or another NSSA border router with a higher router identifier is elected as the translator The def...

Page 95: ...statically configured routes The new limit parameter specifies the maximum number of routes that can be redistributed into OSPF for the specified protocol The default is 1000 If you add a BGP redistribution definition the limit parameter overwrites the setting of the bgplimit parameter in the set ospf command on page 97 The modified metric parameter specifies the route metric that OSPF assigns to ...

Page 96: ...bug Syntax DISable OSPF DEBug ALL IFSTate NBRSTate PACket REDistribute SPF STA te Description The modified debug parameter specifies the debugging options to disable If all is specified all debugging options are disabled If ifstate is specified interface state debugging is disabled If nbrstate is specified neighbour state debugging is disabled If packet is specified OSPF packet debugging is disabl...

Page 97: ...STUB ASExternal NONE NO OFF False INRoutemap routemap NONE METRIC 0 16777215 PASSiveinterfacedefault ON OFF True False YES NO REFBANDWIDTH 10 10000 RIP OFF EXport IMport BOTH ROuterid ipadd PTPStub ON OFF YES NO True False STATicexport YES NO TYPE 1 2 where ipadd is an IP address in dotted decimal notation routemap is the name of an IP route map Description No parameters or options have changed Ho...

Page 98: ... NSSA The nssatranslator parameter is only valid when stubarea is set to nssa The new nssastability parameter specifies the additional time in seconds that the router or switch will continue to translate Type 7 LSAs after losing the translator role An elected translator loses its translator role when another NSSA border router with a higher router identifier is elected as translator or an NSSA rou...

Page 99: ...ype 1 routes or metric2 for Type 2 routes If you assign a route map that sets the metric the route map overrides the setting in this parameter The default is 20 The modified tag parameter specifies a number OSPF uses to label routes that it redistributes If you specify original the original route tag is preserved in the redistributed route If you assign a route map that sets the tag the route map ...

Page 100: ... count 10 LSA sum of checksums 345bf Ranges Range 192 168 25 0 Mask 255 255 255 0 Range 192 168 250 0 Mask 255 255 255 0 Interfaces ppp23 Type Point to point State ptp eth0 Type Broadcast State otherDR Table 25 New parameters in output of the show ospf area command for a specific area Parameter Meaning Role NSSA translator role one of CANDIDATE or ALWAYS This field is only displayed when NSSA is Y...

Page 101: ...g source from which OSPF imports the routes for this redistribution definition one of BGP Interface RIP or Static Metric The route metric that OSPF assigns to routes that it redistributes from this protocol or Original if the original route metric is preserved Tag The numeric tag that OSPF uses to label routes that it imports from this protocol or Original if the original tag is preserved Type The...

Page 102: ...totallimit 0 1000 Thresholds Together the backoff and low parameters create upper and lower thresholds which trigger and maintain BGP backoff When memory usage exceeds the upper threshold BGP backoff is triggered BGP continues to back off until memory usage falls below the lower threshold At this stage BGP begins processing again unless the total or consecutive backoff limits were reached Both thr...

Page 103: ... The enhanced parameters add bgp peer ipadd description none description inroutemap none routemap outroutemap none routemap other options set bgp peer ipadd description none description inroutemap none routemap outroutemap none routemap other options peertemplate template definitions The enhanced parameters add bgp peertemplate 1 30 description none description inroutemap none routemap outroutemap...

Page 104: ...ck the new Routes learned field Displaying Information about Routes from a Peer To display information about each route learned from a specific peer use the new peer parameter in the command show bgp route prefix peer ipadd other optional parameters Command Changes The following table summarises the modified commands Command Change add bgp peer New none option for description inroutemap and outrou...

Page 105: ...Fault 0 3600 NEXthopself NO YES OUTFilter NONE prefixlist name OUTPathfilter NONE 1 99 OUTRoutemap NONE routemap PASSword password PRIVateasfilter NO YES SENdcommunity NO YES ADD BGP PEer ipadd POLICYTemplate 1 30 REMoteas 1 65534 AUthentication MD5 NONE DEFaultoriginate NO YES DESCription NONE description EHOps DEFault 1 255 FASTFallover NO YES PASSword password Parameter Description DESCription ...

Page 106: ...backoff BGP backoff delays BGP processing when the system memory utilisation is high BGP backoff is disabled by default however it automatically enables the first time a peer is added Example To disable BGP backoff use the command dis bgp bac Parameter Description DESCription A description for the peers that use the template which has no effect on their operation The new none option allows you to ...

Page 107: ... BACkoff 20 100 BASEtime 0 100 CONSecutive 0 1000 LOW 15 99 MULtiplier 1 1000 STep 1 1000 TOTallimit 0 1000 Example To back BGP processing off when the system memory is 90 utilised and reinstate it when system memory is at 80 use the command set bgp bac 90 low 80 Parameter Description BACkoff The percentage of total system memory use that triggers BGP to back off from 20 to 100 This must be set hi...

Page 108: ...ES SET BGP PEer ipadd POLICYTemplate 1 30 AUthentication MD5 NONE DEFaultoriginate NO YES DESCription NONE description EHOps DEFault 1 255 FASTFallover NO YES PASSword password REMoteas 1 65534 Example To remove the outroutemap for a BGP peer whose IP address is 192 168 1 1 use the command set bgp pe 192 168 1 1 outr none Parameter Description DESCription A description of the peer which has no eff...

Page 109: ...1 99 OUTRoutemap NONE routemap PRIVateasfilter NO YES SENdcommunity NO YES Parameter Description DESCription A description for the peers that use the template which has no effect on their operation The new none option allows you to not specify a description or remove a previously specified description Default none INRoutemap The route map that filters and or modifies prefixes from peers that use t...

Page 110: ...stablished if peers are disabled BACKED OFF is displayed when system memory use has reached its upper threshold and BGP processing is halted PEER DISABLED is displayed when the consecutive or total backoff limits have been reached and system memory use is still above the lower threshold DISABLED is displayed when backoff functionality has been disabled by the user Mem Upper Threshold Value The per...

Page 111: ... switch only displays routes that it learned from that peer If you specify the router or switch s router ID it displays all locally originated routes The peer parameter has no default Note that this enhancement did not change any fields in the output of the show bgp route command it simply provides another method of filtering the displayed routes Peer 192 168 10 1 Description State Idle Policy Tem...

Page 112: ...op limit of 1 a link local source address and the other format requirements of RFC 3810 This enhancement did not affect any commands ICMP type for MLDv2 Reports MLD Report messages now have an ICMP type of 143 by default as specified by RFC 3810 The previous value was 255 If you need to maintain backwards compatibility with earlier releases that use an ICMP type of 255 you can do so by using the n...

Page 113: ...summarises the modified command Change of Maximum Query Response Interval for MLD This Software Version changes the valid range for the MLD query response interval The maximum interval is now 8387 seconds in accordance with RFC 2710 To set the query response interval use the command set ipv6 mld qrinterval 1 8387 Note that if the router or switch acts as an MLDv1 querier and qrinterval is set to m...

Page 114: ...s the interface can process MLDv2 reports that have an ICMP type of 255 This is compatible with early Allied Telesis implementations of MLD If you specify no the interface can only process MLD Report messages that have an ICMP type of 143 as specified by RFC 3810 The default is no set ipv6 mld Syntax SET IPV6 MLD ROBustness 2 65535 DEFault QINterval 1 65535 DEFault QRInterval 1 8387 DEFault SQInte...

Page 115: ... in Figure 32 and the new output is in Figure 33 In this example port 9 is in the All Routers group and is shown in bold MLD Protocol Status ENABLED Robustness 2 Query Interval 125 secs Query Response Interval 10 secs Startup Query Interval 31 secs Startup Query Count 2 Last Listener Query Interval 1 secs Last Listener Query Count 2 Interface vlan100 Version 2 V2 Draft Compatible NO Is querier YES...

Page 116: ...le output from the show mldsnooping command Figure 33 New example output from the show mldsnooping command Interface vlan300 vlan300 Multicast Address All Routers Ports 9 Multicast Address ff01 1 0 0101 Ports 1 2 9 Interface vlan300 vlan300 Multicast Address All Routers Ports 9 Multicast Address ff01 1 0 0101 Ports 1 2 ...

Page 117: ...d Reference Updates This section describes the changed portions of modified commands and output screens The new parameters and options are shown in bold for modified commands Command Change create classifier New parameters macsmask macdmask tcpflags icmptype icmpcode igmptype eipbyte01 16 set classifier New parameters macsmask macdmask tcpflags icmptype icmpcode igmptype eipbyte01 16 show classifi...

Page 118: ...TE07 byteoffset bytevalue bytemask EIPBYTE08 byteoffset bytevalue bytemask EIPBYTE09 byteoffset bytevalue bytemask EIPBYTE10 byteoffset bytevalue bytemask EIPBYTE11 byteoffset bytevalue bytemask EIPBYTE12 byteoffset bytevalue bytemask EIPBYTE13 byteoffset bytevalue bytemask EIPBYTE14 byteoffset bytevalue bytemask EIPBYTE15 byteoffset bytevalue bytemask EIPBYTE16 byteoffset bytevalue bytemask where...

Page 119: ...ot been specified or ipprotocol igmp has been specified If any is specified the IGMP type is ignored The default is any The eipbyte01 to eipbyte16 parameters each specify the properties of a single byte field to match in the Layer 3 header and data of a non IPv4 and non IPv6 packet The eipbyte01 parameter must be used as the first byte field and additional byte fields must increment sequentially f...

Page 120: ...BYTE02 byteoffset bytevalue bytemask EIPBYTE03 byteoffset bytevalue bytemask EIPBYTE04 byteoffset bytevalue bytemask EIPBYTE05 byteoffset bytevalue bytemask EIPBYTE06 byteoffset bytevalue bytemask EIPBYTE07 byteoffset bytevalue bytemask EIPBYTE08 byteoffset bytevalue bytemask EIPBYTE09 byteoffset bytevalue bytemask EIPBYTE10 byteoffset bytevalue bytemask EIPBYTE11 byteoffset bytevalue bytemask EIP...

Page 121: ...offset bytevalue bytemask EIPBYTE05 byteoffset bytevalue bytemask EIPBYTE06 byteoffset bytevalue bytemask EIPBYTE07 byteoffset bytevalue bytemask EIPBYTE08 byteoffset bytevalue bytemask EIPBYTE09 byteoffset bytevalue bytemask EIPBYTE10 byteoffset bytevalue bytemask EIPBYTE11 byteoffset bytevalue bytemask EIPBYTE12 byteoffset bytevalue bytemask EIPBYTE13 byteoffset bytevalue bytemask EIPBYTE14 byte...

Page 122: ...ETHII UNTAGGED Protocol 0800 IP EthII S IP Address 192 168 123 123 32 D IP Address 192 168 123 123 32 IP Protocol TCP S TCP Port 23 D TCP Port 23 TCP Flags SYN FIN Classifier Rules Rule 21 M Type L2UCAST VLAN vlan1234 1234 E Format ETHII UNTAGGED Protocol 0800 IP EthII S IP Address 192 168 123 123 32 D IP Address 192 168 123 123 32 IP Protocol ICMP ICMP code 7 HOSTUNKNOWN ICMP type 3 UNREACHABLE C...

Page 123: ... Addr mask A MAC address that specifies a 48 bit binary mask to apply to the destination MAC address before determining a match A 1 in the mask means that the value of the bit in that position is used to determine a match and a 0 means that the bit is ignored The default mask value is ff ff ff ff ff ff S MAC Addr mask A MAC address that specifies a 48 bit binary mask to apply to the source MAC add...

Page 124: ...te 16 Each Layer 3 Byte field specifies the properties of a single byte field to match in the Layer 3 part of non IPv4 and IPv6 packets Offset The offset of a byte from the start of Layer 3 This specifies the location of the byte to match Value The hexadecimal value to match at the location specified by Offset Mask A hexadecimal number that specifies an eight bit binary mask to apply to the value ...

Page 125: ...for metering Metering marks packets with a bandwidth class number that indicates whether the packet is within specific bandwidth limits Downstream QoS processes then determine how to handle the packets depending on their respective bandwidth class For individual ports the metering process separately measures the data rate coming into each port However with port groups metering collectively measure...

Page 126: ...storm protection several actions are possible when a storm is detected You can disable the port physically You can disable the port logically You can disable the port for a particular VLAN Enhanced mode must be enabled with the set switch enhancedmode command in the Switching chapter before you can configure storm protection When a storm is detected on a port a message is automatically recorded in...

Page 127: ...gured action Action What the switch does when it detects a storm on a port Timeout The length of time the port remains disabled after a port has been disabled due to a packet storm Command Change create qos policy set qos policy New dtcstormstatus parameter New dtcstormwindow parameter New dtcstormrate parameter New dtcstormaction parameter New dtcstormtimeout parameter show qos policy Output for ...

Page 128: ...e qos policy Syntax CREate QOS POLIcy id list dtcstormstatus enable disable dtcstormwindow windowsize none dtcstormrate rate none dtcstormaction linkdown portdisable dtcstormtimeout timeoutlength none other parameters Parameter Description PORTgroup Port group to which you want to add a port The group list consists of one or more port groups a range specified with a hyphen such as 1 4 a comma sepa...

Page 129: ...f milliseconds from 100 to 60 000 NONE Storm protection is inactive DTCSTORMRate Storm protection is activated when this rate of traffic is exceeded Required when storm protection is enabled If the value of dtcstormwindow is less than one second the rate is averaged over the last second Default none Rate Bits per second from 1Kbps to 10Gbps specified in Kbps Mbps or Gbps If you do not specify a un...

Page 130: ...imeoutlength none other parameters Parameter Description PORTgroup Port group that you want to create The group list consists of one or more port groups a range specified with a hyphen such as 1 4 a comma separated list of numbers and or ranges an integer from 1 to 32 Default no default POrt Port to add to this port group The port list consists of one or more ports a range specified with a hyphen ...

Page 131: ...te Bits per second from 1Kbps to 10Gbps specified in Kbps Mbps or Gbps If you do not specify a unit it uses Kbps If you specify Mbps or Gbps the rate may contain a decimal fraction with up to 3 decimal places for example 1 25 Mbps NONE Storm protection is inactive STORMAction Action QoS takes when a storm is detected on a port Default portdisable LINKDown Operationally disables ports to which the ...

Page 132: ...an belong to any you want to destroy The group list consists of one or more port groups a range specified with a hyphen such as 1 4 a comma separated list of numbers and or ranges an integer from 1 to 32 Example To destroy the port group 1 use the command dest qos portg 1 Parameter Description PORTgroup Port group from which you want to delete a port The group id can be an integer from 1 to 32 Def...

Page 133: ...e dtcstormaction linkdown portdisable dtcstormtimeout timeoutlength none other parameters Parameter Description PORTgroup Port group for which you want to clear counters The group list consists of one or more port groups a range specified with a hyphen such as 1 4 a comma separated list of numbers and or ranges an integer from 1 to 32 Default no default TRafficclass Traffic class counters to clear...

Page 134: ...nd the rate is averaged over the last second Default none Rate Bits per second from 1Kbps to 10Gbps specified in Kbps Mbps or Gbps If you do not specify a unit it uses Kbps If you specify Mbps or Gbps the rate may contain a decimal fraction with up to 3 decimal places for example 1 25 Mbps NONE Storm protection is inactive DTCSTORMAction Action QoS takes when a storm is detected on a port Default ...

Page 135: ...nt Description cont Parameter Description STORMStatus Whether storm protection is enabled for the default traffic class Default disabled STORMWindow Time between the polling of traffic class counters that checks whether storm protection should be activated Required when storm protection is enabled Default none windowsize Number of milliseconds from 100 to 60 000 NONE Storm protection is inactive S...

Page 136: ...eout Length of time the port remains disabled after a storm is detected Default none timeoutlength Duration in seconds from 1 to 86400 NONE The port remains disabled until you enable it again with the enable switch port or enable switch port vlan command in the Switching chapter Table 31 Parameters in output of the show qos trafficclass 18 command Parameter Meaning Status Whether storm protection ...

Page 137: ...dthClass YES Premarking USEMARKVALUE Remarking UESDSCPMAP Mark value 0 Action SENDVLANPORT VLAN 2 PORT 4 Storm Protection Status ENABLED Action PORTDISABLE Rate 1kbps Window 100ms Timeout None Table 32 New parameters in output of the show qos policy command Parameter Meaning Port Group s Assigned to ID of the port group that is assigned to the policy Trunk s Assigned to Trunks to which the policy ...

Page 138: ...l ports Default Queue 2 Force Default Queue No Red Curve 2 New parameters in output of the show qos port 1 command Parameter Meaning Port Group ID of the port group to which the port belongs Trunk Group ID of the trunk group to which the port belongs Parameter Meaning PORTgroup Specifies a port group for which to display information Default all group list Integer from 1 to 32 Figure 41 Table 33 AL...

Page 139: ...the port group Policy Assigned Policy Assigned to Policy attached to the port group Ports Ports that belong to the port group Parameter Meaning PORTgroup Specifies a port group for which to display information Default all group list Integer from 1 to 32 ALL All port groups no value Displays summary information about all port groups TRafficclass Traffic class attached to the port group Figure 42 Ta...

Page 140: ...ss2 bytes 0 BwConformanceClass3 bytes 0 Dropped bytes 0 Default Traffic Class Aggregate Bytes 0 BwConformanceClass1 bytes 0 BwConformanceClass2 bytes 0 BwConformanceClass3 bytes 0 Dropped bytes 0 Port Group 2 Policy 2 Traffic Class 2 Aggregate Bytes 0 BwConformanceClass1 bytes 0 BwConformanceClass2 bytes 0 BwConformanceClass3 bytes 0 Dropped bytes 0 Default Traffic Class Aggregate Bytes 0 BwConfor...

Page 141: ...is traffic class counted BwConformanceClass1 bytes Number of bytes that conforms with band with class 1 BwConformanceClass2 bytes Number of bytes that conforms with band with class 2 BwConformanceClass3 bytes Number of bytes that conforms with band with class 3 Dropped bytes Number of bytes this traffic class discarded Identifier 18 Description Interactive Voice Policy Assigned to 1 Flow Groups 8 ...

Page 142: ...witch both SSH and SCP must be enabled on the SSH server If SSH is disabled SCP will not work Use the command enable ssh server scp enabled other options Secure copy can be disabled on the SSH server This allows you to disable SCP while still allowing other SSH sessions Use either of these commands enable ssh server scp disabled other options set ssh server scp disabled other options You can check...

Page 143: ...plays whether the router or switch is acting as a client or server Use the command show ssh session scp To see details about SCP file transfers such as the number of successful or failed file transfers use the command show ssh counter scp Removing sessions SSH and SCP sessions can now be deleted without disabling the SSH server When a SSH session begins it is assigned an ID number This number is u...

Page 144: ... a suitable client on a remote device and the SSH server on the router or switch Secure Copy connections cannot load to the bootblock Loading Files to the Switch The router or switch can load files from a remote server using SCP To do this do both of the following Check the server is running SCP and set a username Set either a password or RSA keyid on the server to authenticate the user If using R...

Page 145: ...running as a SSH server with SCP enabled Configure the user to allow them to connect using SSH Set either a password or RSA key id on the router or switch to authenticate the user If using RSA authentication set the public key onto the router or switch Example In this example the username is Alice and the client machine is running Linux The router or switch has the IP address 192 168 1 1 To copy t...

Page 146: ...s do all of the following Check the router or switch is running as a SSH server with SCP enabled Configure the user so that they are allowed to use SSH Set either a password or RSA keyid on the router or switch to authenticate the user If using RSA authentication set the public key onto the router or switch Example In this example the username is Alice and the client machine is running Linux The r...

Page 147: ... is specified all connections are closed except the sessions that are listening on the TCP port for new SSH connections Example To stop the current manager sessions in the following example output use the command del ssh se 2 4 5 disable ssh debug Syntax DISable SSH DEBug SSH SCP ALL Description This new command disables the SSH server debugging facility If ssh is specified debugging is turned off...

Page 148: ...nd SCP is turned on Debugging is disabled by default Example To enable debugging of SCP use the command ena ssh deb scp enable ssh server Syntax ENAble SSH SERver HOSTKey key id SERVERKey key id EXPirytime 0 168 LOGintimeout 1 600 SCP ENAbled DISabled Description This command enables the Secure Shell server The new scp parameter allows you to enable or disable Secure Copy service for the Secure Sh...

Page 149: ...cfg in flash memory use this command loa met scp fi downloads abc cfg se 172 16 8 5 des fl usern john pass secret Parameter Description METhod The method used to download the file When scp is specified Secure Copy is used Default tftp or the method set in the set loader command KEYid The ID number of a RSA private or public key that is held on the router or switch The server receiving the load req...

Page 150: ...ified with the load and upload commands can be specified as defaults with the set loader command Parameters not specified in the load or upload commands use this default Parameter Description METhod The method used to download the file When scp is specified Secure Copy is the default method for loading and uploading Default tftp KEYid The ID number of a RSA private or public key that is held on th...

Page 151: ... that the SSH session becomes established regardless of whether the user has logged in or not If the SSH client idle timeout period is modified while there are established SSH sessions the idle timers for those sessions are reset so that they use the new timeout value Any idle time accumulated by those sessions prior to the modification is lost Default 0 0 The idle timer remains off and the sessio...

Page 152: ...mple output from the show loader command Parameter Description SCP Whether the SSH server supports SCP connections Default enabled ENAbled Allows SCP connections DISabled Does not allow SCP connections Loader Information Defaults Method SCP File Destination File Server 192 168 1 1 HTTP Proxy Proxy Port Default 80 Username alice Asyn Destination Flash Delay sec 0 Current Load Method SCP Table 35 Mo...

Page 153: ...able 36 Modified parameters in output of the show ssh command Parameter Meaning SSH Server Whether the Secure Shell server is enabled or disabled SCP Service Whether Secure Copy is enabled or disabled Services Available List of the available Secure Shell services one or more of Shell Cmd or SCP Debug Whether debugging is active on the server This can be set to debug SSH SCP ALL or NONE Version Com...

Page 154: ...h downloadTotal The total number of load requests received by the router or switch uploadSuccess The number of successful upload requests downloadSuccess The number of successful load requests uploadFailed The number of failed upload requests All uncompleted requests are counted as failed except those cancelled by using the reset loader command Example reasons for failure include a request from an...

Page 155: ...ns are displayed Figure 39 on page 156 Table 40 on page 156 If no parameter is specified the command defaults to all Figure 48 Example output from the show ssh session ssh command Figure 49 Example output from the show ssh session ssh command writeFileFailed The number of write failures A write failure results in a load failure Table 37 Modified parameters in output of the show ssh counter scp all...

Page 156: ...ecure Shell session Type The type of Secure Copy connection either Server The router or switch is operating as a SCP server Client The router or switch is operating as a SCP client Operation The current type of file copying either Download The file is copying to the router or switch Upload The file is copying to a remote machine Filename The name of the file being copied Filesize The size of the f...

Page 157: ...load the file When scp is specified Secure Copy is used Default tftp or the method set in the set loader command KEYid The ID number of a RSA private or public key that is held on the router or switch The server receiving the upload request must have the public key for this authentication to work The key id is a decimal number from 0 to 65535 Default no default PASSword The password for server aut...

Page 158: ...ference Updates This section describes the changed portions of the modified command and output screens For modified commands and output new parameters options and fields are shown in bold show ssl counters Syntax SHow SSL COUnters Description The new badSessionIdLen fields display counts of hello messages with session ID lengths greater than 32 bytes received by the SSL client and server Command C...

Page 159: ...il tls 0 badSessionIdLen 0 Client clientStart 0 inHelloRequest 0 outClientHello 0 inServerHello 0 outCert 0 inCert 0 outCKE 0 inCertRequest 0 outCertVerify 0 inSKE 0 outChangeCS 0 inHelloDone 0 outFinished 0 inChangeCipherSpec 0 inFinished 0 sslVersionFail 0 missingMessageFail 0 certRequestNoRSA 0 noCert 0 rxFinBeforeChangeCS 0 hsHashFail md5 0 hsHashFail sha 0 hsHashFail tls 0 badSessionIdLen 1 T...

Page 160: ...you to specify whether the SIP ALG translates the Call ID field of SIP packets before sending them out onto the public network When NAT is configured on the router or switch the SIP ALG translates the private IP addresses embedded in SIP packets into globally routable IP addresses before sending the packets out onto the public network This includes changing the IP address part in the Call ID field...

Page 161: ...The following table summarises the new and modified commands Firewall Policy Rules Expansion This Software Version increases the total number of rules and application rules apprules that a firewall policy can associate with an interface to 2099 In previous Software Versions the maximum number was 699 The rules and apprules are cumulative That is a policy cannot assign more than 2099 rules and appr...

Page 162: ...displayed by using the show firewall sipalg counter command Example To reset the counters for the SIP ALG use the command reset fire sipa cou set firewall sipalg Syntax SET FIREwall SIPAlg CALLIdtranslation ON OFF YES NO True False Description This new command modifies how the SIP ALG operates on the router or switch The callidtranslation parameter specifies whether the Call ID field of a SIP mess...

Page 163: ...information about the specified policy or all policies The new rule parameter allows you to display only a specific rule or subset of rules for each policy Firewall Configuration Status enabled Enabled Notify Options all Notify Port 1 Notify Mail To root netman company com Maximum Packet Fragments 20 Sessions Maximum 4000 Peak 2589 Active 400 Table 42 New parameters in output of the show firewall ...

Page 164: ...Figure 52 on page 164 Table 43 on page 165 The Call ID is a unique call identifier assigned to the SIP session by the device that initiated the session Not valid with the ip or summary commands SUMmary Displays summary information for all the active sessions on the router or switch Figure 53 on page 166 Table 44 on page 166 Not valid with the ip or callid commands Figure 52 Example output from the...

Page 165: ... to identify a current SIP session FROM The SIP URI address of the device that initiated the SIP session request FROM tag The tag number assigned to the SIP session by the device that initiated the SIP session request The router or switch uses this along with the TO tag and Call ID to identify a current SIP session Direction The location of the devices using the SIP session and who initiated the c...

Page 166: ...789 20 20 20 1 1874680886 198 18 1 2 sip 1234 20 20 20 1 private to public 2 12 15 11 22 Feb 2006 sip 3456 20 20 20 1 1721829112 202 12 9 172 sip 1982 20 20 20 1 public to private Table 44 Parameters in output of the show firewall sipalg summary command Parameter Meaning SIP ALG Configuration The current SIP ALG settings on the router or switch Status Whether the SIP ALG is enabled or disabled on ...

Page 167: ...RI address of the device that initiated the SIP session request To The SIP URI address of the device that received the SIP session request Table 44 Parameters in output of the show firewall sipalg summary command cont Parameter Meaning SIP ALG Session Counters Current SIP sessions 1 Current audio sessions 2 SIP sessions created since start up or reset 6 Audio sessions created since start up or res...

Page 168: ... switch use the command show fire sipa cou SIP messages ignored since start up or reset Total number of SIP messages received that the SIP ALG ignored because the message was an unsupported type These messages are forwarded without the SIP ALG altering them Table 45 Parameters in output of the show firewall sipalg counter command cont Parameter Meaning ...

Page 169: ... is only valid for connections where The peer IP address is a static IPv4 address IPsec tunnel mode is used This is specified by setting the mode parameter to tunnel in the create ipsec saspecification command The ISAKMP policy for the peer has the mode parameter set to main and the sendnotify parameter set to true The IPsec policy for the peer has the action parameter set to ipsec the keymanageme...

Page 170: ...msgtimeout parameter The default for the parameter is incremental To set a back off pattern for ISAKMP messages use the msgbackoff parameter in the commands create isakmp policy name peer ipv4add ipv6add any msgbackoff incremental none msgretrylimit 0 1024 msgtimeout 1 86400 other parameters set isakmp policy name msgbackoff incremental none msgretrylimit 0 1024 msgtimeout 1 86400 other parameters...

Page 171: ... retryikeattempts 0 16 continuous other parameters set isakmp policy name peer ipv4add ipv6add any retryikeattempts 0 16 continuous other parameters The retryikeattempts parameter is only valid when a specific peer IP address is configured in both the ISAKMP and IPsec policies This feature is designed for permanent VPN connections By default retryikeattempts is set at 0 and negotiations are not re...

Page 172: ...icence If you need more VPN tunnels contact your authorised distributor or reseller Other products do not need a special feature licence for more VPN tunnels Command changes The following table summarises the modified command Command Change create isakmp policy New retryikeattempts parameter set isakmp policy New retryikeattempts parameter show isakmp counters New retryIkeAttemptsPh1 and retryIkeA...

Page 173: ...ue False RMAsk ipv4add RNAme ANy system name RPort ANy port OPaque SASElectorfrompkt ALL LADdress LPort NONE RADdress RPort TRAnsportprotocol SRCInterface interface TRAnsportprotocol ANy EGp ESp GRe ICmp OPaque OSpf RSvp TCp UDp protocol UDPHeartbeat True False UDPPort port UDPTunnel True False USEPFSKey True False Parameter Description RESPondbadspi Whether the router or switch sends a notificati...

Page 174: ...se SETCommitbit ON OFf TRue FAlse SRCInterface interface XAUth CLient SErver NONE XAUTHName username XAUTHPasswd password XAUTHType GEneric RAdius Parameter Description MSGBACkoff The back off pattern used when ISAKMP messages are retransmitted The initial transmission time is set using the msgtimeout parameter Default incremental INCREMental The delay between retransmissions increases in a linear...

Page 175: ... exchange fails then ISAKMP will attempt the key exchange again If a phase 2 exchange fails the exchange is attempted over new ISAKMP SAs Default 0 0 No retry attempts occur 1 16 The specified number of retry attempts occur CONTinuous Retry attempts occur continuously until either the connection is established or 24 hours has passed After the first 16 attempts a five minute delay occurs between at...

Page 176: ... RADdress RPort TRAnsportprotocol SRCInterface interface TRAnsportprotocol ANy EGp ESp GRe ICmp OPaque OSpf RSvp TCp UDp protocol UDPHeartbeat True False UDPPort port UDPTunnel True False USEPFSKey True False Parameter Description RESPondbadspi Whether the router or switch sends a notification to the peer when an IPsec packet is received with an unknown SPI value This establishes an ISAKMP SA to t...

Page 177: ...bit ON OFf TRue FAlse SRCInterface interface XAUth CLient SErver NOne XAUTHName username XAUTHPasswd password XAUTHType GEneric RAdius Parameter Description MSGBACkoff The back off pattern used when ISAKMP messages are retransmitted The initial transmission time is set using the msgtimeout parameter Default incremental INCREMental The delay between retransmissions increases in a linear manner Ever...

Page 178: ...e connection is established or 24 hours has passed After the first 16 attempts a five minute delay occurs between attempts IPSEC Module Configuration Module Status ENABLED IPsec over UDP Status OPEN Listen Port 2746 VPNs Maximum 1 Current 0 Peak 0 Table 46 New parameters in output of the show ipsec command Parameter Meaning VPNs Information about Virtual Private Network VPN tunnels Maximum The max...

Page 179: ...Isakmp Policy Name my_isakmp_policy Bundle Specification 2 Peer IP Address Dynamic FALSE Peer IP address Any FALSE Local IP Address Dynamic FALSE Peer IP Address 192 168 10 1 Local IP Address 232 163 2 3 Use PFS Key TRUE Respond Bad SPI TRUE Group 1 Table 47 Modified parameters in output of the show ipsec policy command for a specific policy Parameter Meaning Respond Bad SPI Whether the router or ...

Page 180: ...ProcessStart 4373 inProcessFailImm 0 inProcessFail 0 inProcessDone 4373 inEndOfBundle 0 inPrematureEndBundle 0 inBundleSaMatchFail 0 inPolicyActionFail 0 inPolSelectMatchFail 0 inBundleReplaced 0 inBundleSoftExpire 0 inBundleExpire 0 inBadDecryptedPkt 0 inBadSpiResponse 0 Table 48 Modified parameters from the show ipsec policy counter command Parameter Meaning inBadSpiResponse The number of bad SP...

Page 181: ...NoSa 0 acquireEquivFound 0 acqPh2EquivInProgress 0 acqPh1XcgStartFailed 0 acqPh2XcgStartFailed 0 acquireQueued 0 acqPeerAddrNameIncons 0 acquirePrenegNoPolicy 0 badSpiRequests 0 badSpiFromKnownPeer 0 badSpiInAggrMode 0 badSpiSendNotifyUnset 0 msgInitPh1p5StartFail 0 doneGood 0 donePhase1Failed 0 doneSendConNoSa 0 msgTx 0 msgTxd 0 txEncryptNoExchange 0 msgTxEncryptNoEncoPrc 0 msgTxStartEncrypt 0 tx...

Page 182: ...cation messages when the policy specifies main mode for phase 1 exchanges badSpiSendNotifyUnset The number of bad SPI requests rejected because the ISAKMP policy was not configured to send notification messages retryIkeAttemptsPh1 The number of phase 1 exchanges initiated due to an exchange failing These exchanges are only initiated for policies configured with retryikeattempts retryIkeAttemptsPh2...

Page 183: ... Encrypted FALSE Expecting message TRUE Has SA TRUE Initiator Cookie d464cc30b348efa7 Responder Cookie 0000000000000000 Message Id 00000000 Set Commit bit FALSE Commit bit received FALSE Send notifies TRUE Send deletes FALSE Message Retry Limit 5 Packet Retry Counter 5 Message Back off Incremental Table 51 Modified parameters in output of the show isakmp exchange command for a specific exchange Pa...

Page 184: ... policy Parameter Meaning Message Back off The back off pattern used when ISAKMP messages are retransmitted Either the back off time between message retransmissions gets larger Incremental or remains the same None Retry IKE Attempts The number of consecutive times that IKE attempts to complete an exchange if exchange failures are occurring either a number from 0 to 16 or continuous The value is se...

Page 185: ...E Local address 202 36 163 161 Remote Address 202 36 163 201 Time of establishment Commit bit set FALSE Send notifies TRUE Send deletes FALSE Message Retry Limit 5 Initial Message Retry Timeout s 20 Message Back off None Table 53 Modified parameters in output of the show isakmp sa command for a specific Security Association Parameter Meaning Message Back off The back off pattern used when ISAKMP m...

Page 186: ... in the MIB represent the SHDSL line from the perspective of a central site terminal unit STU C a remote site terminal unit STU R a regenerator unit SRU The objects defined in this MIB reside in the mib 1 subtree under the Transmission Group defined in MIB II and have the object identifier is hdsl2ShdslMIB transmission 48 Objects in the SHDSL MIB are organised into the following groups The Span Co...

Page 187: ...s all groups in the SHDSL MIB However the implementation of some objects differs from RFC 3276 In particular the following objects defined with read write access are implemented as read only Logging SNMP operation The SNMP agent now generates the following log message when there is insufficient system memory to process a get or set request Object Name Object ID hdsl2ShdslSpanConfNumRepeaters 1 3 6...

Page 188: ...interface that changed state for interfaces with an IP address ospfAddressLessIf the ifIndex of the interface that changed state for addressless interfaces ospfIfState the new state of the interface The ospfVirtIfStateChange trap ospfTraps 1 is generated when a virtual OSPF interface changes state and contains the following objects ospfRouterId the router ID of the originator of the trap ospfVirtI...

Page 189: ...The vrrpTrapNewMaster trap vrrpNotifications 1 is generated when the sending agent becomes the new VRRP master and contains the following object vrrpOperMasterIpAddr the primary IP address of the new master Traps on MSTP state and topology changes The IEEE draft ruzin mstp mib 04 defines a portion of the Management Information Base MIB for managing Multiple and Rapid Spanning Tree Protocols Object...

Page 190: ...jects and a trap for monitoring login failures This software version defines the following new objects and trap in the ttyTraps tty 100 subtree loginFailureUser ttyTraps 1 is the username that generated the login failure loginFailureIPAddress ttyTraps 2 is the IP address the failed login attempt originated from loginFailureAttempts ttyTraps 3 is the number of failed login attempts The loginFailure...

Page 191: ... prefix memory enterprises 1 alliedTelesyn 207 mibObject 8 brouterMib 4 atRouter 4 sysinfo 3 7 and contains objects that describe system memory This software version defines the following new trap in the memory Group The lowMemoryTrap trap memory 11 is generated when system free memory falls below buffer level 0 and contains the following objects freeMemory memory 1 the percentage of free memory a...

Page 192: ... Description The output of this command includes a new field Figure 63 Example output from the show buffer command Memory DRAM 16384 kB Free Memory 48 Free fast buffers 1799 Total fast buffers 1802 Free buffers 4013 Total buffers 4096 Buffer level 3 125 don t process input frames Buffer level 2 250 don t do monitor or command output Buffer level 1 500 don t buffer up log messages Buffer level 0 15...

Page 193: ...s of modified commands and output screens The new parameters and options are shown in bold for modified commands Command Change disable lldp cdp interface New pppm option for interface parameter disable lldp cdp ppptemplate New command enable lldp cdp debug New ppp option for debug parameter enable lldp cdp interface New pppm option for interface parameter enable lldp cdp ppptemplate New command s...

Page 194: ...s enabled by default on all interfaces even when it is disabled on the router or switch Example To disable CDP operation on PPP interface 1 of the router or switch use the command dis lldp cdp int ppp1 disable lldp cdp ppptemplate Syntax DISable LLDP CDP PPPTemplate template Where template is a number from 0 to 31 Description This new command disables CDP listening on interfaces that are dynamical...

Page 195: ...on of CDP advertisements begins and neighbour entries are added as they are discovered CDP is enabled by default for all interfaces but you must first enable CDP using the enable lldp cdp command enable lldp cdp ppptemplate Syntax ENAble LLDP CDP PPPTemplate template Where template is a number from 0 to 31 Description This new command enables CDP listening on interfaces that are dynamically create...

Page 196: ... the interface number Description This command displays information about the interfaces on which CDP is currently enabled Figure 65 Example output from the show lldp cdp interface command CDP general information Enabled Yes Number of CDP neighbours 14 SysUpTime 12345 42s CDP processing time 3 385727s PPP Templates Enabled 1 4 PPP Templates Disabled 2 3 Triggers CDP neighbour add CDP neighbour rem...

Page 197: ...is Software Version adds support for permanent assignments on AR400 Series routers Permanent assignments provide a method for creating permanent links between terminal ports on routers For information and command syntax see the Permanent Assignments chapter of the Software Reference for Software Version 2 7 6 or 2 8 1 ...

Page 198: ......

Page 199: ... 1 6 Configuring EPSR 1 7 Single Domain Single Ring Network 1 7 Single Ring Dual Domain Network 1 9 EPSR and Spanning Tree Operation 1 13 Command Reference 1 15 add epsr datavlan 1 16 create epsr 1 17 delete epsr datavlan 1 19 destroy epsr 1 20 disable epsr 1 21 disable epsr debug 1 22 enable epsr 1 23 enable epsr debug 1 24 purge epsr 1 25 set epsr 1 26 set epsr port 1 27 show epsr 1 28 show epsr...

Page 200: ...rts On the master node one port is configured to be the primary port and the other the secondary port Figure 1 1 Simple EPSR ring configuration EPSR Instances and Domains Each physical EPSR ring contains one or more EPSR instances An EPSR instance can be thought of as a component of an EPSR ring existing on a single node A set of instances across the whole ring is called a domain Therefore a ring ...

Page 201: ...ode controls the ring operation It issues healthcheck messages at regular intervals from its primary port and monitors their arrival back at its secondary port after they have circled the ring Under normal operating conditions the master node s secondary port is always in the blocking state to all data VLAN traffic This is to prevent data loops forming within the ring This port however operates in...

Page 202: ... failover timer expires before the transmitted healthcheck message is received by the master node s secondary port the master node assumes that there is a fault in the ring and implements its fault recovery procedures Because this detection method relies on a timer expiry its operation is inherently slower than the transit node unsolicited detection method described next Transit Node Unsolicited F...

Page 203: ...rts As the data starts to flow in in the ring s new configuration each of the nodes master and transit re learn their layer 2 addresses During this period the master node continues to send health check messages over the control VLAN This situation continues until the faulty link or node is repaired Figure 1 2 shows the flow of control frames under fault conditions Figure 1 2 EPSR Fault Detection M...

Page 204: ...te that the transit nodes do not enter the forward state until they have received the Ring Up Flush message This is to prevent the possibility of a loop condition occurring caused by the transit nodes moving into the forwarding state before the master node secondary port is able to return to the blocking state During such a period the ring would have no ports blocked Master Node With the link rest...

Page 205: ...n Single Ring Network This example shows a very simple single ring single domain configuration with no connecting lobes Figure 1 3 EPSR Single Domain Single Ring Network Master Node Other Ports Other Ports Other Ports Control VLAN control_ring Transit Node 3 Transit Node 1 Transit Node 2 EPSR 3 eps P S Date VLAN data_ring Other Ports Port 1 Primary Port 2 Secondary C o n trol VLAN D a t a V L A N ...

Page 206: ...ing port 1 2 frame tagged Remove the Default VLAN from ports 1 2 del vlan default po 1 2 EPSR Configuration create epsr domain_one mode master controlvlan control_ring primaryport 1 add epsr domain_one datavlan data_ring enable epsr domain_one For Transit Nodes 1 2 3 Set the Acceptable Frame Types parameter to admit only VLAN tagged frames on ports 1 and 2 set switch port 1 acc vlan set switch por...

Page 207: ...main network are shown in Figure 1 6 on page 1 10 Figure 1 7 on page 1 11 and Figure 1 8 on page 1 12 Control VLAN control_ring Ring_A Transit Node 1 Ring_A Transit Node Ring_A Transit Node 3 Ring_B Master Node Ring_B Master Node Ring_A Transit Node Ring_B Transit Node Ring_B Transit Node Ring_A EPSR 4 eps Date VLAN data_ring Ring_A Control VLAN control_ring Ring_B EPSR Ring Date VLAN data_ring Ri...

Page 208: ...te vlan data_ring_B vid 30 VLAN Port Configuration Ring_A add vlan control_ring_A port 1 2 frame tagged add vlan data_ring_A port 1 2 frame tagged Remove the Default VLAN from ports 1 2 del vlan default po 1 2 Ring_B add vlan control_ring_B port 3 4 frame tagged add vlan data_ring_B port 3 4 frame tagged Remove the Default VLAN from ports 3 4 del vlan default po 3 4 EPSR Configuration create epsr ...

Page 209: ... control_ring_B vid 3 create vlan Data_ring_B vid 30 VLAN Port Configuration Ring_A add vlan control_ring_A port 1 2 frame tagged add vlan data_ring_A port 1 2 frame tagged Remove the Default VLAN from ports 1 2 del vlan default po 1 2 Ring_B add vlan control_ring_B port 3 4 frame tagged add vlan data_ring_B port 3 4 frame tagged Remove the Default VLAN from ports 3 4 del vlan default po 3 4 EPSR ...

Page 210: ...create vlan control_ring_A vid 2 create vlan data_ring_A vid 20 VLAN Port Configuration Ring_B add vlan control_ring_B port 3 4 frame tagged add vlan data_ring_B port 3 4 frame tagged Remove the Default VLAN from ports 3 4 del vlan default po 3 4 Ring_A add vlan control_ring_A port 1 2 frame tagged add vlan data_ring_A port 1 2 frame tagged Remove the Default VLAN from ports 1 2 del vlan default p...

Page 211: ...id EPSR STP configurations Such a configuration might have a high speed fibre loop topology backbone controlled and managed using EPSR Lobes could extend out from each loop node into a user mesh network Any loops existing within this mesh network would be controlled and managed using STP RSTP Figure 1 9 on page 1 13 shows a basic combined EPSR STP network Figure 1 9 EPSR and Spanning Tree Operatio...

Page 212: ...n create epsr domain_one mode master controlvlan control_ring primaryport 1 add epsr domain_one datavlan data_ring enable epsr domain_one For Transit Node 3 Set the Acceptable Frame Types parameter to admit only VLAN tagged frames on ports 1 and 2 set switch port 1 acc vlan set switch port 2 acc vlan Create VLANs create vlan control_ring vid 2 create vlan data_ring vid 100 VLAN Port Configuration ...

Page 213: ...r to your switch s Software References For Transit Nodes 2 and 4 Set the Acceptable Frame Types parameter to admit only VLAN tagged frames on ports 1 and 2 set switch port 1 acc vlan set switch port 2 acc vlan Create VLANs create vlan control_ring vid 2 create vlan data_ring vid 100 VLAN Port Configuration add vlan control_ring port 1 2 frame tagged add vlan data_ring port 1 2 frame tagged Remove ...

Page 214: ...EPSR instance Also adding the VLAN to the EPSR instance before adding the ports to the data VLAN reduces the possibility of creating loops while configuring the ring Examples To add the vlan2 VLAN to the EPSR instance called blue use the command add epsr blue vlan vlan2 Related Commands create epsr create vlan delete epsr datavlan show epsr Parameter Description EPSR The name of the EPSR instance ...

Page 215: ...ng s ports of the EPSR instance The control VLAN cannot be part of another EPSR instance as either a control or data VLAN If trunked ports are included as a ring port as long as one of the trunked ports is up the ring port is considered to be up SNMP traps and log messages will display the lowest number port as the ring port s port number for the trunk Ports enabled for LACP STP GARP or VLAN Assig...

Page 216: ...00 milliseconds 100ms to 32767 seconds 32767s Only configured for the master node If no unit suffix is specified the value is read as seconds If ms is specified the value must be a multiple of 100 ms Default 1s FAilovertime The time period that a master node allows for a healthcheck frame to circle the loop before declaring that the EPSR ring has broken This time period is measured from the time t...

Page 217: ...the EPSR instance called blue use the command del epsr blue vlan vlan2 Related Commands add epsr vlan show epsr Parameter Description EPSR The name of the EPSR instance to delete The epsr name can be a character string 1 to 15 characters long Valid characters are uppercase letters A Z lowercase letters a z digits 0 9 the underscore character _ the hyphen character The epsr name cannot be ALL Defau...

Page 218: ...command on page 11 113 Ingress filtering is automatically enabled to ports that are added to EPSR Similarly ingress filtering is automatically disabled on ports used by an EPSR instance that is destroyed unless its ports form part of another EPSR ring instance Examples To destroy the EPSR instance called blue use the command dest epsr blue Related Commands create epsr show epsr Parameter Descripti...

Page 219: ...and disable the ports using the disable switch port command on page 11 131 unplug the ports delete the ports from the VLAN using the delete vlan port command Examples To disable the EPSR instance called blue use the command dis epsr blue Related Commands enable epsr show epsr Parameter Description EPSR The EPSR instance to be disabled Default no default epsr name The name of the EPSR instance This...

Page 220: ...and Parameter Description EPSR The EPSR instance on which debugging is to be disabled Default no default epsr name The name of the EPSR instance This can be a character string 1 to 15 characters long Valid characters are uppercase letters A Z lowercase letters a z digits 0 9 the underscore character _ the hyphen character The epsr name cannot be ALL ALL All EPSR instances Debug The debugging modes...

Page 221: ...instance called blue use the command ena epsr blue Related Commands create epsr disable epsr show epsr Parameter Description EPSR The EPSR instance to be enabled Default no default epsr name The name of the EPSR instance This can be a character string 1 to 15 characters long Valid characters are uppercase letters A Z lowercase letters a z digits 0 9 the underscore character _ the hyphen character ...

Page 222: ...o default INFo General information about the EPSR instance selected MSG Decoded display of received and transmitted EPSR frames PKT Raw ASCII display of received and transmitted EPSR frames STAte EPSR state transitions ALL All debug options OUTput When this parameter is set to console all debugging information will be sent to the console By default the debugging data is sent to the port that recei...

Page 223: ...ANs of any EPSR instances are still configured in a ring formation purging EPSR could cause a loop in the network To avoid creating loops take one or more of these steps before running this command disable the ports using the disable switch port command unplug the ports delete the ports from the VLAN using the delete vlan port command Examples To purge all EPSRs use the command pur epsr Related Co...

Page 224: ...ed the value is read as seconds If ms is specified the value must be a multiple of 100 ms Default 1s FAilovertime The time period that a master node allows for a healthcheck frame to circle the loop before declaring that the EPSR ring has broken This time period is measured from the time the frame leaves the master node s primary port to the time it is received at the master node s secondary port ...

Page 225: ... on page 1 21 If a ring port for the EPSR instance is also a member of a trunk group you can run this command by entering any one of the ports within the trunk group Examples To set port 1 to be a primary port for the EPSR instance called blue use the command set epsr blue po 1 ty prim Related Commands create epsr show epsr Parameter Description EPSR The EPSR to be set for the port Default no defa...

Page 226: ...ters a z digits 0 9 the underscore character _ the hyphen character The epsr name cannot be ALL ALL All EPSR instances EPSR Information Name blue Mode Master Status Enabled State Complete Control VLAN vlan2 2 Data VLAN s vlan100 100 vlan101 101 vlan102 102 Primary Port 1 Primary Port Status Forwarding Secondary Port 2 Secondary Port Status Blocked Hello Time 1 s Failover Time 2 s Ring Flap Time 0 ...

Page 227: ...when the EPSR instance is disabled This parameter is only shown for a master node Hello Time The rate that the TAPS protocol health control messages are transmitted from master node It is specified in the create epsr command The unit symbol following the value shows whether the time is measured in seconds or milliseconds Failover Time The time period that a master node waits for a healthcheck fram...

Page 228: ...rameter is only shown for a transit node Second Port The second ring port for the EPSR instance This parameter is only shown for a transit node Second Port Status The status of the second ring port either Unknown Forwarding Down or Blocked Unknown is displayed when the EPSR instance is disabled This parameter is only shown for a transit node Second Port Direction Indicates connectivity of the seco...

Page 229: ...Unter Displays the counter information about the specified EPSR instance or all EPSR instances EPSR Counters Name blue Receive Transmit Total EPSR Packets 0 Total EPSR Packets 0 Health 0 Health 0 Ring Up 0 Ring Up 0 Ring Down 0 Ring Down 0 Link Down 0 Link Down 0 Invalid EPSR Packets 0 Name red Receive Transmit Total EPSR Packets 0 Total EPSR Packets 0 Health 0 Health 0 Ring Up 0 Ring Up 0 Ring Do...

Page 230: ... of invalid EPSR control packets received Transmit EPSR packets transmitted Total EPSR Packets The total number of EPSR control packets transmitted Health The number of healthcheck packets transmitted Ring Up The number of ring up packets transmitted Ring Down The number of ring down packets transmitted Link Down The number of link down packets transmitted Table 1 3 Parameters displayed in output ...

Page 231: ...LL All EPSR instances DEBug Displays the debugging information about the specified EPSR instance or all EPSR instances EPSR Name Enabled Debug Modes Output Timeout blue MSG STATE Asyn 0 16 None red None Table 1 4 Parameters displayed in the output of the show epsr debug command Parameter Meaning EPSR Name The name of the EPSR instance Enabled Debug Modes List of debug modes that are enabled for th...

Page 232: ......

Reviews:

No comments

Related manuals for AR400 Series

IBM AS/400 Hardware User Manual preview
AS/400
Brand: IBM Pages: 104
IBM System Storage TS3100 Setup, Operator, And Service Manual preview
System Storage TS3100
Brand: IBM Pages: 375
Lattice Semiconductor ECP5 Versa Quick Start Manual preview
ECP5 Versa
Brand: Lattice Semiconductor Pages: 15
XMOS xCORE-200 Multi-channel Audio board Design Manual preview
xCORE-200 Multi-channel Audio board
Brand: XMOS Pages: 112
Oracle Talari E1000 Installation Manual preview
Talari E1000
Brand: Oracle Pages: 24
Black Box JPM083A Manual preview
JPM083A
Brand: Black Box Pages: 9
MikroTik RouterBOARD Groove Quick Setup Manual And Warranty Information preview
RouterBOARD Groove
Brand: MikroTik Pages: 4
Mylex eXtremeRAID 1100 Installation Manual preview
eXtremeRAID 1100
Brand: Mylex Pages: 74
Speedtouch IPQoS Configuration Manual preview
IPQoS
Brand: Speedtouch Pages: 124
Juniper NFX250 Quick Start Manual preview
NFX250
Brand: Juniper Pages: 7
Ubiquiti UniFi Cloud Key Quick Start Manual preview
UniFi Cloud Key
Brand: Ubiquiti Pages: 13
Techroutes TSR 2800-30 Hardware Installation Manual preview
TSR 2800-30
Brand: Techroutes Pages: 20
Crystal Vision TANDEM HD-21 User Manual preview
TANDEM HD-21
Brand: Crystal Vision Pages: 54
Uniflair PCOWeb Instruction Manual preview
PCOWeb
Brand: Uniflair Pages: 24
National Instruments SC-2040 User Manual preview
SC-2040
Brand: National Instruments Pages: 56
ZyXEL Communications PK5000Z How To Configure preview
PK5000Z
Brand: ZyXEL Communications Pages: 3
Intel BX80637I53570K Specification preview
BX80637I53570K
Brand: Intel Pages: 54
ADTRAN 239 T1 HDSL4 Installation And Maintenance Manual preview
239 T1 HDSL4
Brand: ADTRAN Pages: 20

Brands by name

Popular brands

Load more brands