Edge-Core ECS4110-28T Management Manual Download Page 399

Page: 399 / 1514

HAPTER

| Security Measures

DoS Protection

– 399 –

S P

ROTECTION

Use the Security > DoS Protection page to protect against denial-of-service

(DoS) attacks. A DoS attack is an attempt to block the services provided by

a computer or network resource. This kind of attack tries to prevent an

Internet site or service from functioning efficiently or at all. In general, DoS

attacks are implemented by either forcing the target to reset, to consume

most of its resources so that it can no longer provide its intended service,

or to obstruct the communication media between the intended users and

the target so that they can no longer communicate adequately. This section

describes how to protect against DoS attacks.

CLI R

EFERENCES

◆

"Denial of Service Protection" on page 957

ARAMETERS

These parameters are displayed:

◆

Echo/Chargen Attack

– Attacks in which the echo service repeats

anything sent to it, and the chargen (character generator) service

generates a continuous stream of data. When used together, they

create an infinite loop and result in a denial-of-service.

(Default: Disabled)

◆

Echo/Chargen Attack Rate

– Maximum allowed rate.

(Range: 64-2000 kbits/second; Default: 1000 kbits/second)

◆

Smurf Attack

– Attacks in which a perpetrator generates a large

amount of spoofed ICMP Echo Request traffic to the broadcast

destination IP address (255.255.255.255), all of which uses a spoofed

source address of the intended victim. The victim should crash due to

the many interrupts required to send ICMP Echo response packets.

(Default: Enabled)

◆

TCP Flooding Attack

– Attacks in which a perpetrator sends a

succession of TCP SYN requests (with or without a spoofed-Source IP)

to a target and never returns ACK packets. These half-open

connections will bind resources on the target, and no new connections

can be made, resulting in a denial of service. (Default: Disabled)

◆

TCP Flooding Attack Rate

– Maximum allowed rate. (Range: 64-2000

kbits/second; Default: 1000 kbits/second)

◆

TCP Null Scan

– A TCP NULL scan message is used to identify listening

TCP ports. The scan uses a series of strangely configured TCP packets

which contain a sequence number of 0 and no flags. If the target's TCP

port is closed, the target replies with a TCP RST (reset) packet. If the

target TCP port is open, it simply discards the TCP NULL scan.

(Default: Enabled)

◆

TCP-SYN/FIN Scan

– A TCP SYN/FIN scan message is used to identify

listening TCP ports. The scan uses a series of strangely configured TCP

packets which contain SYN (synchronize) and FIN (finish) flags. If the

Summary of Contents for ECS4110-28T

Page 1: ...Management Guide www edge core com ECS4110 28T 28P 52T 52P 28 52 Port Gigabit Ethernet Layer 2 Switch...

Page 2: ......

Page 3: ...ITCH Layer 2 Managed Switch with 24 10 100 1000BASE T RJ 45 PoE Ports and 4 Gigabit SFP Ports ECS4110 52T GIGABIT ETHERNET SWITCH Layer 2 Managed Switch with 48 10 100 1000BASE T RJ 45 Ports and 4 Gig...

Page 4: ......

Page 5: ...e used throughout this guide to show information NOTE Emphasizes important information or calls your attention to related features or instructions CAUTION Alerts you to a potential hazard that could c...

Page 6: ...section Displaying Transceiver Data on page 170 Added Timout Mode under Configuring a Dynamic Trunk on page 179 Added the section Configuring Load Balancing on page 189 Updated information under Traff...

Page 7: ...ter list under Configuring Port Security on page 385 Added the parameter Re authentication Max Retries under Configuring Port Authenticator Settings for 802 1X on page 390 Updated the parameter list f...

Page 8: ...section Multicast VLAN Registration for IPv6 on page 621 Added new parameters under Configuring IPv6 Interface Settings on page 644 Added the section Specifying a DHCP Client Identifier on page 669 A...

Page 9: ...g on page 846 Added the command dot1x max reauth req on page 866 Added the section PPPoE Intermediate Agent on page 880 Added the commands mac learning on page 890 port security mac address as permane...

Page 10: ...iver Threshold Configuration on page 1009 Added the commands port channel load balance on page 1022 lacp timeout on page 1029 and show port channel load balance on page 1033 Added the commands power m...

Page 11: ...queue on page 1206 Updated syntax for the commands class map on page 1208 and match on page 1210 Added the commands ip igmp snooping priority on page 1228 clear ip igmp snooping groups dynamic on page...

Page 12: ...452 ipv6 nd raguard on page 1454 show ipv6 nd raguard on page 1456 and ipv6 nd reachable time on page 1455 Added the section ND Snooping on page 1458 Added the chapter IP Routing Commands on page 1467...

Page 13: ...tch 85 Configuration Options 85 Required Connections 86 Remote Connections 87 Basic Configuration 87 Console Connection 87 Setting Passwords 88 Setting an IP Address 89 Downloading a Configuration Fil...

Page 14: ...System Files 132 Automatic Operation Code Upgrade 133 Setting the System Clock 137 Setting the Time Manually 137 Setting the SNTP Polling Interval 138 Configuring NTP 139 Configuring Time Servers 140...

Page 15: ...IEEE 802 1Q VLANs 199 Configuring VLAN Groups 202 Adding Static Members to VLANs 205 Configuring Dynamic VLAN Registration 209 IEEE 802 1Q Tunneling 212 Enabling QinQ Tunneling on the Switch 216 Crea...

Page 16: ...ring ATC Thresholds and Responses 269 10 CLASS OF SERVICE 273 Layer 2 Queue Settings 273 Setting the Default Priority for Interfaces 273 Selecting the Queue Mode 274 Mapping CoS Values to Egress Queue...

Page 17: ...Port Link Detection 336 Configuring a MAC Address Filter 337 Displaying Secure MAC Address Information 339 Configuring HTTPS 341 Configuring Global Settings for HTTPS 341 Replacing the Default Secure...

Page 18: ...urce Guard 401 Configuring Static Bindings for IPv4 Source Guard 403 Displaying Information for Dynamic IPv4 Source Guard Bindings 405 IPv6 Source Guard 406 Configuring Ports for IPv6 Source Guard 406...

Page 19: ...mote SNMPv3 Users 469 Specifying Trap Managers 472 Creating SNMP Notification Logs 476 Showing SNMP Statistics 478 Remote Monitoring 480 Configuring RMON Alarms 481 Configuring RMON Events 483 Configu...

Page 20: ...us of Remote Interfaces 561 Configuring a Remote Loop Back Test 562 Displaying Results of Remote Loop Back Testing 564 15 MULTICAST FILTERING 567 Overview 567 Layer 2 IGMP Snooping and Query for IPv4...

Page 21: ...nfiguring MVR6 Domain Settings 624 Configuring MVR6 Group Address Profiles 625 Configuring MVR6 Interface Status 628 Assigning Static MVR6 Multicast Groups to Interfaces 630 Displaying MVR6 Receiver G...

Page 22: ...uting Protocols 682 Configuring IP Routing Interfaces 682 Configuring Local and Remote Interfaces 682 Using the Ping Function 683 Using the Trace Route Function 684 Address Resolution Protocol 686 Pro...

Page 23: ...ation 710 enable 711 quit 712 show history 712 configure 713 disable 714 reload Privileged Exec 714 show reload 715 end 715 exit 715 21 SYSTEM MANAGEMENT COMMANDS 717 Device Designation 717 hostname 7...

Page 24: ...show version 734 show watchdog 734 watchdog software 735 Frame Size 735 jumbo frame 735 File Management 736 General Commands 737 boot system 737 copy 738 delete 741 dir 742 whichboot 743 Automatic Cod...

Page 25: ...logging host 761 logging on 761 logging trap 762 clear log 763 show log 763 show logging 764 SMTP Alerts 766 logging sendmail 766 logging sendmail host 766 logging sendmail level 767 logging sendmail...

Page 26: ...e 785 Switch Clustering 786 cluster 787 cluster commander 787 cluster ip pool 788 cluster member 789 rcommand 789 show cluster 790 show cluster members 790 show cluster candidates 791 22 SNMP COMMANDS...

Page 27: ...snmp notify filter 813 Additional Trap Commands 813 memory 813 process cpu 814 23 REMOTE MONITORING COMMANDS 815 rmon alarm 816 rmon event 817 rmon collection history 818 rmon collection rmon1 819 sh...

Page 28: ...retransmit 836 tacacs server timeout 837 show tacacs server 837 AAA 838 aaa accounting commands 838 aaa accounting dot1x 839 aaa accounting exec 840 aaa accounting update 841 aaa authorization exec 8...

Page 29: ...n 862 General Commands 863 dot1x default 863 dot1x eapol pass through 864 dot1x system auth control 865 Authenticator Commands 865 dot1x intrusion action 865 dot1x max reauth req 866 dot1x max req 866...

Page 30: ...poe intermediate agent info 885 show pppoe intermediate agent statistics 886 25 GENERAL SECURITY MEASURES 889 Port Security 890 mac learning 890 port security 891 port security mac address as permanen...

Page 31: ...ow web auth 914 show web auth interface 914 show web auth summary 915 DHCPv4 Snooping 915 ip dhcp snooping 916 ip dhcp snooping information option 918 ip dhcp snooping information policy 919 ip dhcp s...

Page 32: ...g blocked 941 show ip source guard 941 show ip source guard binding 942 IPv6 Source Guard 943 ipv6 source guard binding 943 ipv6 source guard 945 ipv6 source guard max binding 946 show ipv6 source gua...

Page 33: ...ation 963 traffic segmentation session 964 traffic segmentation uplink downlink 965 traffic segmentation uplink to uplink 966 show traffic segmentation 967 26 ACCESS CONTROL LISTS 969 IPv4 ACLs 969 ac...

Page 34: ...description 998 discard 999 flowcontrol 1000 media type 1001 negotiation 1001 shutdown 1002 speed duplex 1002 clear counters 1004 show discard 1004 show interfaces brief 1005 show interfaces counters...

Page 35: ...terface 1026 lacp port priority 1027 lacp system priority 1028 lacp admin key Port Channel 1028 lacp timeout 1029 Trunk Status Display Commands 1030 show lacp 1030 show port channel load balance 1033...

Page 36: ...control auto control release 1066 auto traffic control control release 1067 SNMP Trap Commands 1067 snmp server enable port traps atc broadcast alarm clear 1067 snmp server enable port traps atc broad...

Page 37: ...dynamic 1087 show mac address table 1087 show mac address table aging time 1088 show mac address table count 1089 35 SPANNING TREE COMMANDS 1091 spanning tree 1092 spanning tree cisco prestandard 109...

Page 38: ...ree port priority 1112 spanning tree root guard 1113 spanning tree spanning disabled 1114 spanning tree tc prop stop 1114 spanning tree loopback detection release 1115 spanning tree protocol migration...

Page 39: ...configuration 1154 Editing VLAN Groups 1155 vlan database 1155 vlan 1156 Configuring VLAN Interfaces 1157 interface vlan 1157 switchport acceptable frame types 1158 switchport allowed vlan 1159 switc...

Page 40: ...vlan protocol group 1181 Configuring IP Subnet VLANs 1182 subnet vlan 1183 show subnet vlan 1184 Configuring MAC Based VLANs 1184 mac vlan 1185 show mac vlan 1186 Configuring Voice VLANs 1186 voice v...

Page 41: ...1217 set cos 1219 set ip dscp 1220 set phb 1221 service policy 1222 show class map 1223 show policy map 1223 show policy map interface 1224 40 MULTICAST FILTERING COMMANDS 1225 IGMP Snooping 1226 ip...

Page 42: ...ip igmp snooping statistics 1243 show ip igmp snooping 1243 show ip igmp snooping group 1244 show ip igmp snooping mrouter 1245 show ip igmp snooping statistics 1246 Static Multicast Routing 1249 ip i...

Page 43: ...dynamic 1269 clear ipv6 mld snooping statistics 1270 show ipv6 mld snooping 1270 show ipv6 mld snooping group 1271 show ipv6 mld snooping group source list 1271 show ipv6 mld snooping mrouter 1272 ML...

Page 44: ...293 show mvr associated profile 1295 show mvr interface 1295 show mvr members 1296 show mvr profile 1298 show mvr statistics 1298 MVR for IPv6 1303 mvr6 associated profile 1304 mvr6 domain 1305 mvr6 p...

Page 45: ...asic tlv port description 1330 lldp basic tlv system capabilities 1331 lldp basic tlv system description 1331 lldp basic tlv system name 1332 lldp dot1 tlv proto ident 1332 lldp dot1 tlv proto vid 133...

Page 46: ...1362 show ethernet cfm ma 1362 show ethernet cfm maintenance points local 1363 show ethernet cfm maintenance points local detail mep 1364 show ethernet cfm maintenance points remote detail 1365 Contin...

Page 47: ...r 1385 Delay Measure Operations 1386 ethernet cfm delay measure two way 1386 43 OAM COMMANDS 1389 efm oam 1390 efm oam critical link event 1390 efm oam link monitor frame 1391 efm oam link monitor fra...

Page 48: ...1414 ipv6 dhcp client rapid commit vlan 1414 ipv6 dhcp restart client vlan 1415 show ipv6 dhcp duid 1416 show ipv6 dhcp vlan 1417 DHCP Relay 1417 ip dhcp relay server 1417 ip dhcp restart relay 1418...

Page 49: ...iscovery 1452 ipv6 nd dad attempts 1452 ipv6 nd ns interval 1453 ipv6 nd raguard 1454 ipv6 nd reachable time 1455 clear ipv6 neighbors 1456 show ipv6 nd raguard 1456 show ipv6 neighbors 1457 ND Snoopi...

Page 50: ...abase 1470 show ip route summary 1471 SECTION IV APPENDICES 1473 A SOFTWARE SPECIFICATIONS 1475 Software Features 1475 Management Features 1476 Standards 1477 Management Information Bases 1477 B TROUB...

Page 51: ...uring NTP 140 Figure 15 Specifying SNTP Time Servers 141 Figure 16 Adding an NTP Time Servers 142 Figure 17 Showing the NTP Time Server List 142 Figure 18 Adding an NTP Authentication Key 143 Figure 1...

Page 52: ...unk 179 Figure 48 Showing Information for Static Trunks 179 Figure 49 Configuring Dynamic Trunks 179 Figure 50 Configuring the LACP Aggregator Admin Key 182 Figure 51 Enabling LACP on a Port 183 Figur...

Page 53: ...re 84 Displaying Protocol VLANs 222 Figure 85 Assigning Interfaces to Protocol VLANs 224 Figure 86 Showing the Interface to Protocol Group Mapping 224 Figure 87 Configuring IP Subnet VLANs 226 Figure...

Page 54: ...aying MSTP Interface Settings 262 Figure 120 Configuring Rate Limits 264 Figure 121 Configuring Storm Control 266 Figure 122 Storm Control by Limiting the Traffic Rate 266 Figure 123 Storm Control by...

Page 55: ...0 Figure 158 Showing AAA Accounting Methods 321 Figure 159 Configuring AAA Accounting Service for 802 1X Service 321 Figure 160 Configuring AAA Accounting Service for Exec Service 322 Figure 161 Displ...

Page 56: ...Figure 193 Configuring a Standard IPv6 ACL 364 Figure 194 Configuring an Extended IPv6 ACL 366 Figure 195 Configuring a MAC ACL 369 Figure 196 Configuring a ARP ACL 371 Figure 197 Binding a Port to a...

Page 57: ...228 Configuring Settings for System Memory Logs 423 Figure 229 Showing Error Messages Logged to System Memory 424 Figure 230 Configuring Settings for Remote Logging of Error Messages 425 Figure 231 C...

Page 58: ...Pv2c 475 Figure 264 Configuring Trap Managers SNMPv3 476 Figure 265 Showing Trap Managers 476 Figure 266 Creating SNMP Notification Logs 478 Figure 267 Showing SNMP Notification Logs 478 Figure 268 Sh...

Page 59: ...ains 532 Figure 301 Creating Maintenance Associations 535 Figure 302 Showing Maintenance Associations 536 Figure 303 Configuring Detailed Settings for Maintenance Associations 536 Figure 304 Configuri...

Page 60: ...Figure 337 Displaying IGMP Snooping Statistics VLAN 589 Figure 338 Displaying IGMP Snooping Statistics Port 589 Figure 339 Enabling IGMP Filtering and Throttling 591 Figure 340 Creating an IGMP Filte...

Page 61: ...Profiles 627 Figure 372 Assigning an MVR6 Group Address Profile to a Domain 627 Figure 373 Showing MVR6 Group Address Profiles Assigned to a Domain 628 Figure 374 Configuring Interface Settings for MV...

Page 62: ...PPPoE Intermediate Agent 676 Figure 407 Showing PPPoE Intermediate Agent Statistics 677 Figure 408 Virtual Interfaces and Layer 3 Routing 680 Figure 409 Pinging a Network Device 684 Figure 410 Tracing...

Page 63: ...FIGURES 63 Figure 428 Configuring VLAN Translation 1177...

Page 64: ...FIGURES 64...

Page 65: ...77 Table 15 CoS Priority Levels 277 Table 16 Mapping Internal Per hop Behavior to Hardware Queues 278 Table 17 Default Mapping of DSCP Values to Internal PHB Drop Values 282 Table 18 Default Mapping o...

Page 66: ...686 Table 46 ARP Statistics 690 Table 47 General Command Modes 702 Table 48 Configuration Command Modes 704 Table 49 Keystroke Commands 705 Table 50 Command Group Index 706 Table 51 General Commands 7...

Page 67: ...84 Telnet Server Commands 850 Table 85 Secure Shell Commands 853 Table 86 show ssh display description 862 Table 87 802 1X Port Authentication Commands 862 Table 88 Management IP Filter Commands 878...

Page 68: ...2 Table 119 show lacp sysid display description 1033 Table 120 PoE Commands 1035 Table 121 Maximum Number of Ports Providing Simultaneous Power 1038 Table 122 PoE Shut Down Sequence 1040 Table 123 sho...

Page 69: ...e 158 Priority Commands Layer 3 and 4 1200 Table 159 Default Mapping of CoS CFI to Internal PHB Drop Precedence 1201 Table 160 Default Mapping of DSCP Values to Internal PHB Drop Values 1202 Table 161...

Page 70: ...LLDP MED Location CA Types 1337 Table 191 CFM Commands 1347 Table 192 show ethernet cfm configuration traps display description 1361 Table 193 show ethernet cfm maintenance points local detail mep dis...

Page 71: ...lay description 1443 Table 215 show ipv6 mtu display description 1444 Table 216 show ipv6 traffic display description 1446 Table 217 show ipv6 neighbors display description 1457 Table 218 ND Snooping...

Page 72: ...TABLES 72...

Page 73: ...view of the switch and introduces some basic concepts about network switches It also describes the basic settings required to access the management interface This section includes these chapters Intro...

Page 74: ...SECTION I Getting Started 74...

Page 75: ...HTTPS General Security Measures AAA ARP Inspection DHCP Snooping with Option 82 relay information DoS Protection IP Source Guard PPPoE Intermediate Agent Port Authentication IEEE 802 1X Port Security...

Page 76: ...esses learning Store and Forward Switching Supported to ensure wire speed switching while eliminating bad frames Spanning Tree Algorithm Supports standard STP Rapid Spanning Tree Protocol RSTP and Mul...

Page 77: ...ACLs can be used to improve performance by blocking unnecessary network traffic or to implement security controls by restricting access to specific network resources or protocols PORT CONFIGURATION Y...

Page 78: ...rce IP MAC address pairs based on static entries or entries stored in the DHCP Snooping table IEEE 802 1D BRIDGE The switch supports IEEE 802 1D transparent bridging The address table facilitates data...

Page 79: ...fication through loop back messages and fault isolation with link trace messages VIRTUAL LANS The switch supports up to 4094 VLANs A Virtual LAN is a collection of network nodes that share the same co...

Page 80: ...to the corresponding output queue IP ROUTING The switch provides Layer 3 IP static routing To maintain a high rate of throughput the switch forwards all traffic passing within the same segment and ro...

Page 81: ...ILTERING Specific multicast traffic can be assigned to its own VLAN to ensure that it does not interfere with normal network traffic and to guarantee real time delivery by setting the required priorit...

Page 82: ...Timeout 600 seconds Authentication and Security Measures Privileged Exec Level Username admin Password admin Normal Exec Level Username guest Password guest Enable Privileged Exec from Normal Exec Lev...

Page 83: ...trol Rate Limiting Disabled Storm Control Broadcast Disabled 500 packets sec Multicast Disabled Unknown Unicast Disabled Auto Traffic Control Disabled Address Table Aging Time 300 seconds Spanning Tre...

Page 84: ...isabled DNS Proxy service Disabled BOOTP Disabled ARP Enabled Cache Timeout 20 minutes Proxy Disabled Multicast Filtering IGMP Snooping Layer 2 Snooping Enabled Querier Disabled Multicast VLAN Registr...

Page 85: ...t Explorer 6 Mozilla Firefox 4 or Google Chrome 29 or more recent versions The switch s web management interface can be accessed from any computer attached to the network The CLI program can be access...

Page 86: ...l for monitoring and configuring the switch A null modem console cable is provided with the switch Attach a VT100 compatible terminal or a PC running a terminal emulation program to the switch You can...

Page 87: ...here within the attached network The onboard configuration program can be accessed using Telnet from any computer attached to the network The switch can also be managed by any computer using a web bro...

Page 88: ...ive To prevent unauthorized access to the switch set the passwords as follows 1 Open the console interface with the default user name and password admin to access the Privileged Exec level 2 Type conf...

Page 89: ...d through the DHCPv6 server or manually configured as described in Assigning an IPv6 Address on page 90 MANUAL CONFIGURATION You can manually assign an IP address to the switch You may also need to sp...

Page 90: ...ss IP Version 6 on page 643 Link Local Address All link local addresses must be configured with a prefix in the range of FE80 FEBF Remember that this address type makes the switch accessible over IPv6...

Page 91: ...rk address and is expressed as a decimal number For example all IPv6 addresses that start with the first byte of 73 hexadecimal could be expressed as 73 0 0 0 0 0 0 0 8 or 73 8 To generate an IPv6 glo...

Page 92: ...backoff until IP configuration information is obtained from a BOOTP or DHCP server BOOTP and DHCP values can include the IP address subnet mask and default gateway If the DHCP BOOTP server is slow to...

Page 93: ...startup config Startup configuration file name startup Write to FLASH Programming Write to FLASH finish Success OBTAINING AN IPV6 ADDRESS Link Local Address There are several ways to configure IPv6 a...

Page 94: ...Global Configuration mode prompt type interface vlan 1 to access the interface configuration mode Press Enter 2 From the interface prompt type ipv6 address autoconfig and press Enter 3 Type ipv6 enabl...

Page 95: ...ration file based on information passed by the DHCP server it will not send any further DHCP client requests If the switch does not receive a DHCP response prior to completing the bootup process it wi...

Page 96: ...name bootfile Default Option 67 class Option66 67_1 DHCP Option 60 Vendor class two match if option vendor class identifier ecs4110 series cfg option tftp server name 192 168 255 101 option bootfile n...

Page 97: ...s to specified users and set the access level The default strings are public with read only access Authorized management stations are only able to retrieve MIB objects private with read write access A...

Page 98: ...ONFIGURING ACCESS FOR SNMP VERSION 3 CLIENTS To configure management access for SNMPv3 clients you need to first create a view that defines the portions of MIB that the client can read or write assign...

Page 99: ...the switch operations and provides the CLI and web management interfaces See Managing System Files on page 129 for more information Diagnostic Code Software that is run during system boot up also know...

Page 100: ...rrent configuration settings enter the following command 1 From the Privileged Exec mode prompt type copy running config startup config and press Enter 2 Enter the name of the start up file Press Ente...

Page 101: ...gement Tasks on page 123 Interface Configuration on page 155 VLAN Configuration on page 199 Address Table Settings on page 231 Spanning Tree Algorithm on page 239 Congestion Control on page 263 Class...

Page 102: ...SECTION II Web Configuration 102 General IP Routing on page 679...

Page 103: ...n page 89 2 Set user names and passwords using an out of band serial connection Access to the web agent is controlled by the same user names and passwords as the onboard configuration program See Sett...

Page 104: ...er connects with the switch s web agent the home page is displayed as shown below The home page displays the Main Menu on the left side of the screen and System Information on the right side The Main...

Page 105: ...can be set to display different information for the ports including Active i e up or down Duplex i e half or full duplex or Flow Control i e with or without flow control Figure 2 Front Panel Indicator...

Page 106: ...General Manual Manually sets the current time 137 SNTP Configures SNTP polling interval 138 NTP Configures NTP authentication parameters 139 Configure Time Server Configures a list of SNTP servers 14...

Page 107: ...d Member Specifies ports to group into static trunks 177 Show Member Shows the port members for the selected trunk 177 Configure General 177 Configure Configures trunk connection settings 177 Show Inf...

Page 108: ...ify Configures group name and administrative status 202 Edit Member by VLAN Specifies VLAN attributes per VLAN 205 Edit Member by Interface Specifies VLAN attributes per interface 205 Edit Member by I...

Page 109: ...Dynamic MAC Removes any learned entries from the forwarding database and clears the transmit and receive counts for any static or system configured entries 236 Mirror 237 Add Mirrors traffic matching...

Page 110: ...esponse to automatically release a response of rate limiting or to send related SNMP trap messages 269 Priority Default Priority Sets the default priority for each port or trunk 273 Queue Sets queue m...

Page 111: ...igned to the voice traffic 306 Security 309 AAA Authentication Authorization and Accounting 310 System Authentication Configures authentication sequence local RADIUS and TACACS 311 Server 312 Configur...

Page 112: ...gure Global Enables aging for authenticated MAC addresses and sets the time period after which a connected MAC address must be reauthenticated 333 Configure Interface 334 General Enables MAC authentic...

Page 113: ...ACLs mirrored to specified port 372 Show Hardware Counters Shows statistics for ACL hardware counters 374 ARP Inspection 375 Configure General Enables inspection globally configures validation of add...

Page 114: ...per port 406 Static Binding 409 Add Adds a static addresses to the source guard binding table 409 Show Shows static addresses in the source guard binding table 409 Dynamic Binding Displays the source...

Page 115: ...switch 456 Add Remote Engine Sets the SNMP v3 engine ID for a remote device 457 Show Remote Engine Shows configured engine ID for remote devices 457 Configure View 458 Add View Adds an SNMP v3 view o...

Page 116: ...tics on a physical interface 485 Statistics Enables collection of statistics on a physical interface 488 Show History Shows sampling parameters for each entry in the history group 485 Statistics Shows...

Page 117: ...ows list of configured maintenance associations 532 Configure MEP Configures Maintenance End Points 537 Add Configures MEPs at the domain boundary to provide management access for each maintenance ass...

Page 118: ...eneral Routing Interface 639 Add Address Configures an IP interface for a VLAN 639 Show Address Shows the IP interfaces assigned to a VLAN 639 Ping Sends ICMP echo request packets to another node on t...

Page 119: ...efines the default domain name appended to incomplete host names 663 Add Domain Name Defines a list of domain names that can be appended to incomplete host names 664 Show Domain Names Shows the config...

Page 120: ...d on the selected VLAN 576 Show Current Member Shows multicast addresses associated with the selected VLAN either through static or dynamic configuration 576 Interface 578 Configure VLAN Configures IG...

Page 121: ...ticast groups member ports the means by which each group was learned and the corresponding source list 602 MVR Multicast VLAN Registration 603 Configure Global Configures proxy switching and robustnes...

Page 122: ...lays MVR operational and active status 628 Configure Port Configures MVR attributes for a port 628 Configure Trunk Configures MVR attributes for a trunk 628 Configure Static Group Member 630 Add Stati...

Page 123: ...files Setting the System Clock Sets the current time manually or through specified NTP or SNTP servers Configuring the Console Port Sets console port connection parameters Configuring Telnet Settings...

Page 124: ...1 39 102 ECS4110 28T 1 3 6 1 4 1 259 10 1 39 103 ECS4110 28P 1 3 6 1 4 1 259 10 1 39 104 System Up Time Length of time the management agent has been up System Name Name assigned to the switch system S...

Page 125: ...Number of built in ports Hardware Version Hardware version of the main board Main Power Status Displays the status of the internal power supply Management Software Information Role Shows that this sw...

Page 126: ...hat run only up to 1 5 KB using jumbo frames significantly reduces the per packet overhead required to process protocol encapsulation fields CLI REFERENCES System Management Commands on page 717 USAGE...

Page 127: ...ters are displayed Extended Multicast Filtering Services This switch does not support the filtering of individual multicast addresses based on GMRP GARP Multicast Registration Protocol Traffic Classes...

Page 128: ...maximum number of VLANs supported on this switch Max Supported VLAN ID The maximum configurable VLAN identifier supported on this switch GMRP GARP Multicast Registration Protocol GMRP allows network d...

Page 129: ...When logging into an FTP server the interface prompts for a user name and password configured on the remote server Note that Anonymous is set as the default user name PARAMETERS The following paramet...

Page 130: ...tion file name on the switch WEB INTERFACE To copy firmware files 1 Click System then File 2 Select Copy from the Action list 3 Select FTP Upload HTTP Upload or TFTP Upload as the file transfer method...

Page 131: ...onfig Copies the current configuration settings to a local file on the switch Destination File Name Copy to the currently designated startup file or to a new file The file name should not contain slas...

Page 132: ...ERFACE To set a file to use for system initialization 1 Click System then File 2 Select Set Start Up from the Action list 3 Mark the operation code or configuration file to be used at startup 4 Then c...

Page 133: ...GE GUIDELINES If this feature is enabled the switch searches the defined URL once during the bootup sequence FTP port 21 and TFTP port 69 are both supported Note that the TCP UDP port bindings cannot...

Page 134: ...heck the documentation for your server s operating system if you are unsure of its file system s behavior Note that the switch itself does not distinguish between upper and lower case file names and o...

Page 135: ...P protocol for the server connection username Defines the user name for the FTP connection If the user name is omitted then anonymous is the assumed user name for the connection password Defines the p...

Page 136: ...nd the password will be blank The image file is in the FTP root directory ftp switches upgrade 192 168 0 1 The user name is switches and the password is upgrade The image file is in the FTP root ftp s...

Page 137: ...ful dates and times for event entries You can also manually set the clock If the clock is not set manually or via SNTP the switch will only record the time from the factory default set at the last boo...

Page 138: ...ng the System Clock SETTING THE SNTP POLLING INTERVAL Use the System Time Configure General SNTP page to set the polling interval at which the switch will query the specified time servers CLI REFERENC...

Page 139: ...Authentication Status Enables authentication for time requests and updates between the switch and NTP servers Default Disabled You can enable NTP authentication to ensure that reliable updates are rec...

Page 140: ...er page to specify the IP address for up to three SNTP time servers CLI REFERENCES sntp server on page 772 PARAMETERS The following parameters are displayed SNTP Server IP Address Sets the IPv4 or IPv...

Page 141: ...time servers configured the responses received are filtered and compared to determine the most reliable and accurate time update for the switch Version Specifies the NTP version supported by the serve...

Page 142: ...key list CLI REFERENCES ntp authentication key on page 774 PARAMETERS The following parameters are displayed Authentication Key Specifies the number of the key in the NTP Authentication Key List to us...

Page 143: ...ct Add NTP Authentication Key from the Action list 4 Enter the index number and MD5 authentication key string 5 Click Apply Figure 18 Adding an NTP Authentication Key To show the list of configured NT...

Page 144: ...You can choose one of the 80 predefined time zone definitions or your can manually configure the parameters for your local time zone CLI REFERENCES clock timezone on page 780 PARAMETERS The following...

Page 145: ...ds Default 600 seconds Password Threshold Sets the password intrusion threshold which limits the number of failed logon attempts When the logon attempt threshold is reached the system interface become...

Page 146: ...E To configure parameters for the console port 1 Click System then Console 2 Specify the connection parameters as required 3 Click Apply Figure 21 Console Port Settings CONFIGURING TELNET SETTINGS Use...

Page 147: ...detected within the timeout interval the current session is terminated Range 60 65535 seconds Default 600 seconds Password Threshold Sets the password intrusion threshold which limits the number of f...

Page 148: ...cpu on page 729 PARAMETERS The following parameters are displayed Time Interval The interval at which to update the displayed utilization rate Options 1 5 10 30 60 seconds Default 1 second CPU Utiliza...

Page 149: ...utilization parameters CLI REFERENCES show memory on page 728 PARAMETERS The following parameters are displayed Free Size The amount of memory currently free for use Used Size The amount of memory al...

Page 150: ...lays information on the next scheduled reload and selected reload mode as shown in the following example The switch will be rebooted at March 9 12 00 00 2012 Remaining Time 0 days 2 hours 46 minutes 5...

Page 151: ...ularly Specifies a periodic interval at which to reload the switch Time HH The hour at which to reload Range 00 23 MM The minute at which to reload Range 00 59 Period Daily Every day Weekly Day of the...

Page 152: ...CHAPTER 4 Basic Management Tasks Resetting the System 152 Figure 25 Restarting the Switch Immediately Figure 26 Restarting the Switch In...

Page 153: ...CHAPTER 4 Basic Management Tasks Resetting the System 153 Figure 27 Restarting the Switch At Figure 28 Restarting the Switch Regularly...

Page 154: ...CHAPTER 4 Basic Management Tasks Resetting the System 154...

Page 155: ...rt form Displaying Transceiver Data Displays identifying information and operational parameters for optical transceivers which support DDM Configuring Transceiver Thresholds Configures thresholds for...

Page 156: ...operation modes must be specified in the capabilities list for an interface The 1000BASE T standard does not support forced mode Auto negotiation should always be used to establish a connection over a...

Page 157: ...0f Supports 1000 Mbps full duplex operation FC Flow control can eliminate frame loss by blocking traffic from end stations or segments connected directly to the switch when its buffers fill When enabl...

Page 158: ...e or manually fix the speed duplex mode and flow control For more information on command usage and a description of the parameters refer to Configuring by Port List on page 156 CLI REFERENCES Interfac...

Page 159: ...These parameters are displayed Port Port identifier Type Indicates the port type 100BASE FX 1000BASE T 1000BASE SFP Name Interface label Admin Shows if the port is enabled or disabled Oper Status Indi...

Page 160: ...ng as described in this section or from one or more source ports on remote switches to a destination port on this switch remote port mirroring as described in Configuring Remote Port Mirroring on page...

Page 161: ...e traffic on the source port Type Allows you to select which traffic to mirror to the target port Rx receive Tx transmit or Both Default Both WEB INTERFACE To configure a local mirror session 1 Click...

Page 162: ...to any RSPAN destination port monitoring the RSPAN VLAN as shown in the figure below Figure 35 Configuring Remote Port Mirroring CLI REFERENCES RSPAN Mirroring Commands on page 1048 COMMAND USAGE Traf...

Page 163: ...this switch RSPAN Ports Only ports can be configured as an RSPAN source destination or uplink static and dynamic trunks are not allowed A port can only be configured as one type of RSPAN interface so...

Page 164: ...raffic from one or more sources to one or more destinations Destination Specifies this device as a switch configured with a destination port which is to receive mirrored traffic for this session Remot...

Page 165: ...d and receive switched traffic and participate in any Layer 2 protocols to which it has been assigned Tag Specifies whether or not the traffic exiting the destination port to the monitoring device car...

Page 166: ...statistics including a total count of different frame types and sizes passing through each port All values displayed have been accumulated since the last system reboot and are shown as counts per seco...

Page 167: ...ed and which were addressed to a broadcast address at this sub layer including those that were discarded or not sent Received Unknown Packets The number of packets received via the interface which wer...

Page 168: ...ets Multicast Packets The total number of good packets received that were directed to this multicast address Undersize Packets The total number of packets received that were less than 64 octets long e...

Page 169: ...o show a list of port statistics 1 Click Interface Port Statistics 2 Select the statistics mode to display Interface Etherlike RMON or Utilization 3 Select a port from the drop down list 4 Use the Ref...

Page 170: ...tistics mode is chosen select a port from the drop down list If All ports statistics mode is chosen select the statistics type to display Figure 40 Showing Port Statistics Chart DISPLAYING TRANSCEIVER...

Page 171: ...tic information for SFP modules which support the SFF 8472 Specification for Diagnostic Monitoring Interface for Optical Transceivers This information allows administrators to remotely diagnose proble...

Page 172: ...Information Information on temperature supply voltage laser bias current laser power and received optical power The switch can display diagnostic information for SFP modules which support the SFF 8472...

Page 173: ...and reaches the low threshold A low threshold alarm or warning message is sent if the current value is less than or equal to the threshold and the last sample value was greater than the threshold Aft...

Page 174: ...AGE Cable diagnostics are performed using Time Domain Reflectometry TDR test methods TDR analyses the cable by sending a pulsed signal into the cable and then examining the reflection of that pulse Ca...

Page 175: ...he status and approximate distance to a fault or the approximate cable length if no fault is found To ensure more accurate measurement of the length to a fault first disable power saving mode on the l...

Page 176: ...be placed in standby mode Should one link in the trunk fail one of the standby ports will automatically be activated to replace it COMMAND USAGE Besides balancing the load across each port in the trun...

Page 177: ...switch are Cisco EtherChannel compatible To avoid creating a loop in the network be sure you add a static trunk via the configuration interface before connecting the ports and also disconnect the port...

Page 178: ...t Add Member from the Action list 4 Select a trunk identifier 5 Set the unit and port for an additional trunk member 6 Click Apply Figure 46 Adding Static Trunks Members To configure connection parame...

Page 179: ...rom the Action list Figure 48 Showing Information for Static Trunks CONFIGURING A DYNAMIC TRUNK Use the Interface Trunk Dynamic pages to set the administrative key for an aggregation group enable LACP...

Page 180: ...me value for a port to be allowed to join that group NOTE If the LACP admin key is not set when a channel group is formed i e it has a null value of 0 the operational value of this key is set to the s...

Page 181: ...t timeout value will be used Configure Aggregation Port General Port Port identifier Range 1 28 52 LACP Status Enables or disables LACP on a port Configure Aggregation Port Actor Partner Port Port num...

Page 182: ...iguring LACP settings for a port only applies to its administrative state not its operational state and will only take effect the next time an aggregate link is established with that port NOTE Configu...

Page 183: ...83 To enable LACP for a port 1 Click Interface Trunk Dynamic 2 Select Configure Aggregation Port from the Step list 3 Select Configure from the Action list 4 Click General 5 Enable LACP on the require...

Page 184: ...st 3 Select Configure from the Action list 4 Click Actor or Partner 5 Configure the required settings 6 Click Apply Figure 52 Configuring LACP Parameters on a Port To show the active members of a dyna...

Page 185: ...of the interface settings 5 Click Apply Figure 54 Configuring Connection Settings for a Dynamic Trunk To show connection parameters for a dynamic trunk 1 Click Interface Trunk Dynamic 2 Select Configu...

Page 186: ...Us transmitted from this channel group LACPDUs Received Number of valid LACPDUs received on this channel group Marker Sent Number of valid Marker PDUs transmitted from this channel group Marker Receiv...

Page 187: ...min State Oper State Administrative or operational values of the actor s state parameters Expired The actor s receive machine is in the expired state Defaulted The actor s receive machine is using def...

Page 188: ...artner Oper System ID LAG partner s system ID assigned by the LACP protocol Partner Admin Port Number Current administrative value of the port number for the protocol Partner Partner Oper Port Number...

Page 189: ...se the Interface Trunk Load Balance page to set the load distribution method used among ports in aggregated links CLI REFERENCES port channel load balance on page 1022 COMMAND USAGE This command appli...

Page 190: ...n MAC address is output on the same link in a trunk This mode works best for switch to switch trunk links where traffic through the switch is received from and destined for many different hosts Source...

Page 191: ...nificant reduction for cables of 20 meters or less and continue to ensure signal integrity The power saving methods provided by this switch include Power saving when there is no link partner Under nor...

Page 192: ...Power savings can only be implemented on Gigabit Ethernet ports when using twisted pair cabling Power savings mode on a active link only works when connection speed is 1 Gbps and line length is less t...

Page 193: ...e access to their uplink ports where security is less likely to be compromised ENABLING TRAFFIC SEGMENTATION Use the Interface Traffic Segmentation Configure Global page to enable traffic segmentation...

Page 194: ...ed on the settings specified by other functions such as VLANs and spanning tree protocol A port cannot be configured in both an uplink and downlink list A port can only be assigned to one traffic segm...

Page 195: ...face to the segmented group by setting the direction to uplink or downlink Default Uplink Interface Displays a list of ports or trunks Port Port Identifier Range 1 28 52 Trunk Trunk Identifier Range 1...

Page 196: ...ge 1162 COMMAND USAGE Use this feature to configure a tunnel across one or more intermediate switches which pass traffic for VLAN groups to which they do not belong The following figure shows VLANs 1...

Page 197: ...stance either STP RSTP or an MSTP instance depending on the selected STA mode If both VLAN trunking and ingress filtering are disabled on an interface packets with unknown VLAN tags will still be allo...

Page 198: ...CHAPTER 5 Interface Configuration VLAN Trunking 198 Figure 65 Configuring VLAN Trunking...

Page 199: ...traffic for each subnet into separate domains This switch provides a similar service at Layer 2 by using VLANs to organize any group of network nodes into separate broadcast domains VLANs confine broa...

Page 200: ...oup s in which it will participate By default all ports are assigned to VLAN 1 as untagged ports Add a port as a tagged port if you want it to carry traffic for one or more VLANs and any intermediate...

Page 201: ...assigned If an end station or its network adapter supports the IEEE 802 1Q VLAN protocol it can be configured to broadcast a message to your network indicating the VLAN groups it wants to join When t...

Page 202: ...the frame When the switch receives a tagged frame it will pass this frame onto the VLAN s indicated by the frame tag However when this switch receives an untagged frame from a VLAN unaware device it...

Page 203: ...e type This parameter must be enabled before you can assign an IP address to a VLAN see Setting the Switch s IP Address IP Version 4 on page 639 Show VLAN ID ID of configured VLAN VLAN Name Name of th...

Page 204: ...Select Modify from the Action list 3 Select the identifier of a configured VLAN 4 Modify the VLAN name operational status or Layer 3 Interface status as required 5 Click Apply Figure 69 Modifying Sett...

Page 205: ...t of ports or trunks Port Port Identifier Range 1 28 52 Trunk Trunk Identifier Range 1 16 Mode Indicates VLAN membership mode for an interface Default Hybrid Access Sets the port to operate as an unta...

Page 206: ...nt BPDU frames such as GVRP or STP However they do affect VLAN dependent BPDU frames such as GMRP Membership Type Select VLAN membership for each interface by marking the appropriate radio button for...

Page 207: ...e specified range must be configured on either the Edit Member by VLAN or Edit Member by Interface page WEB INTERFACE To configure static members by the VLAN index 1 Click VLAN Static 2 Select Edit Me...

Page 208: ...from the Action list 3 Set the Interface type to display as Port or Trunk 4 Enter an interface range 5 Modify the VLAN parameters as required Remember that the PVID acceptable frame type and ingress f...

Page 209: ...e GVRP must be globally enabled for the switch before this setting can take effect using the Configure General page When disabled any GVRP packets received on this port will be discarded and no GVRP r...

Page 210: ...AN Identifier of a VLAN this switch has joined through GVRP Interface Displays a list of ports or trunks which have joined the selected VLAN through GVRP WEB INTERFACE To configure GVRP on the switch...

Page 211: ...N Dynamic 2 Select Show Dynamic VLAN from the Step list 3 Select Show VLAN from the Action list Figure 76 Showing Dynamic VLANs Registered on the Switch To show the members of a dynamic VLAN 1 Click V...

Page 212: ...VLAN IDs QinQ tunneling expands VLAN space by using a VLAN in VLAN hierarchy preserving the customer s original tagged packets and adding SPVLAN tags to each frame also called double tagging A port c...

Page 213: ...tag is copied to the outer tag if it is a tagged or priority tagged packet 2 After successful source and destination lookup the ingress process sends the packet to the switching process with two tags...

Page 214: ...l to the TPID of the uplink port no new VLAN tag is added If the uplink port is not the member of the outer VLAN of the incoming packets the packet will be dropped when ingress filtering is enabled If...

Page 215: ...3 information are not supported on tunnel ports Spanning tree bridge protocol data unit BPDU filtering is automatically disabled on a tunnel port General Configuration Guidelines for QinQ 1 Enable Tun...

Page 216: ...hertype to identify 802 1Q tagged frames For example if 0x1234 is set as the custom 802 1Q ethertype on a trunk port incoming frames containing that ethertype are assigned to the VLAN contained in the...

Page 217: ...g these are also copied to the outer tag This allows the service provider to differentiate service based on the indicated priority and appropriate methods of queue management at intermediate nodes acr...

Page 218: ...ect Add from the Action list 4 Select an interface from the Port list 5 Specify the CVID to SVID mapping for packets exiting the specified port 6 Click Apply Figure 80 Configuring CVLAN to SPVLAN Mapp...

Page 219: ...attached client is using a nonstandard 2 byte ethertype to identify 802 1Q tagged frames Then use the Configure Interface page to set the access interface on the edge switch to Access mode and set the...

Page 220: ...s for each required protocol When a frame is received at a port its VLAN membership can then be determined based on the protocol type being used by the inbound packets COMMAND USAGE To configure proto...

Page 221: ...VLAN Group Range 1 2147483647 NOTE Traffic which matches IP Protocol Ethernet Frames is mapped to the VLAN VLAN 1 that has been configured with the switch s administrative IP IP Protocol Ethernet tra...

Page 222: ...he VLAN Protocol Configure Interface Add page to map a protocol group to a VLAN for each interface that will participate in the group CLI REFERENCES protocol vlan protocol group Configuring Interfaces...

Page 223: ...f ports or trunks Port Port Identifier Range 1 28 52 Trunk Trunk Identifier Range 1 16 Protocol Group ID Protocol Group ID assigned to the Protocol VLAN Group Range 1 2147483647 VLAN ID VLAN to which...

Page 224: ...nterfaces to Protocol VLANs To show the protocol groups mapped to a port or trunk 1 Click VLAN Protocol 2 Select Configure Interface from the Step list 3 Select Show from the Action list 4 Select a po...

Page 225: ...IP subnet consists of an IP address and a mask The specified VLAN need not be an existing VLAN When an untagged frame is received by a port the source IP address is checked against the IP subnet to VL...

Page 226: ...field 4 Enter a mask in the Subnet Mask field 5 Enter the identifier in the VLAN field Note that the specified VLAN need not already be configured 6 Enter a value to assign to untagged frames in the...

Page 227: ...supported concurrently priority is applied in this sequence and then port based VLANs last PARAMETERS These parameters are displayed MAC Address A source MAC address which is to be mapped to a specif...

Page 228: ...ield and a mask to indicate a range of addresses 4 Enter an identifier in the VLAN field Note that the specified VLAN need not already be configured 5 Enter a value to assign to untagged frames in the...

Page 229: ...ed the target port can receive a mirrored packet twice once from the source mirror port and again from the source mirrored VLAN The target port receives traffic from all monitored source VLANs and can...

Page 230: ...mirroring 1 Click VLAN Mirror 2 Select Add from the Action list 3 Select the source VLAN and select a target port 4 Click Apply Figure 91 Configuring VLAN Mirroring To show the VLANs to be mirrored 1...

Page 231: ...ed source address to a target port CONFIGURING MAC ADDRESS LEARNING Use the MAC Address Learning Status page to enable or disable MAC address learning on an interface CLI REFERENCES mac learning on pa...

Page 232: ...y Status see Configuring Port Security on page 385 is enabled on the same interface PARAMETERS These parameters are displayed Interface Displays a list of ports or trunks Port Port Identifier Range 1...

Page 233: ...ress is seen on another interface the address will be ignored and will not be written to the address table Static addresses will not be removed from the address table when a given interface link is do...

Page 234: ...dresses CHANGING THE AGING TIME Use the MAC Address Dynamic Configure Aging page to set the aging time for entries in the dynamic address table The aging time is used to age out dynamically learned fo...

Page 235: ...source address for traffic entering the switch When the destination address for inbound traffic is found in the database the packets intended for that address are forwarded directly to the associated...

Page 236: ...s Table CLEARING THE DYNAMIC ADDRESS TABLE Use the MAC Address Dynamic Clear Dynamic MAC page to remove any learned entries from the forwarding database CLI REFERENCES clear mac address table dynamic...

Page 237: ...1045 COMMAND USAGE When mirroring traffic from a MAC address ingress traffic with the specified source address entering any port in the switch other than the target port will be mirrored to the desti...

Page 238: ...from the source port Range 1 28 52 WEB INTERFACE To mirror packets based on a MAC address 1 Click MAC Address Mirror 2 Select Add from the Action list 3 Specify the source MAC address and destination...

Page 239: ...nt switch bridge or router in your network to ensure that only one route exists between any two stations on the network and provide backup links which automatically take over when a primary link goes...

Page 240: ...seconds compared to 30 seconds or more for STP by reducing the number of state changes before active ports start learning predefining an alternate route that can be used when a node or port fails and...

Page 241: ...s a virtual bridge node for communications with STP or RSTP nodes in the global network Figure 103 Spanning Tree Common Internal Common Internal MSTP connects all bridges and LAN segments with a singl...

Page 242: ...loopback detection is not enabled and an interface receives it s own BPDU then the interface will drop the loopback BPDU according to IEEE Standard 802 1w 2001 9 3 4 Note 1 NOTE Loopback detection wi...

Page 243: ...opback detection 1 Click Spanning Tree Loopback Detection 2 Click Port or Trunk to display the required interface type 3 Modify the required loopback detection attributes 4 Click Apply Figure 104 Conf...

Page 244: ...n delay expires RSTP restarts the migration delay timer and begins using RSTP BPDUs on that port Multiple Spanning Tree Protocol MSTP generates a unique spanning tree for each instance This provides m...

Page 245: ...VLAN Floods BPDUs to all other ports within the receiving port s native VLAN i e as determined by port s PVID This is the default To All Floods BPDUs to all other ports on the switch The setting has n...

Page 246: ...higher of 6 or 2 x Hello Time 1 Maximum The lower of 40 or 2 x Forward Delay 1 Forward Delay The maximum time in seconds this device will wait before changing states i e discarding to learning to forw...

Page 247: ...gion Revision and Region Name and are both required to uniquely identify an MST region WEB INTERFACE To configure global STA settings 1 Click Spanning Tree STA 2 Select Configure Global from the Step...

Page 248: ...CHAPTER 8 Spanning Tree Algorithm Configuring Global Settings for STA 248 Figure 106 Configuring Global Settings for STA RSTP Figure 107 Configuring Global Settings for STA MSTP...

Page 249: ...stance ID 0 for the Common Spanning Tree when spanning tree type is set to MSTP and MAC address where the address is taken from the switch system Designated Root The priority and MAC address of the de...

Page 250: ...indicate a point to point connection or shared media connection and edge port to indicate if the attached device can support fast forwarding References to ports in this section means interfaces which...

Page 251: ...em automatically detects the speed and duplex mode used on each port and configures the path cost according to the values shown below Path cost 0 is used to indicate auto configuration mode When the s...

Page 252: ...s not cause the spanning tree to initiate reconfiguration when the interface changes state and also overcomes other STA related timeout problems However remember that Edge Port should only be enabled...

Page 253: ...n administrator must manually enable the port Default Disabled BPDU Filter BPDU filtering allows you to avoid transmitting BPDUs on configured edge ports that are connected to end nodes By default STA...

Page 254: ...has been enabled on this interface BPDU Flooding Shows if BPDUs will be flooded to other ports when spanning tree is disabled globally on the switch or disabled on a specific port STA Status Displays...

Page 255: ...bridging device through which this switch must communicate with the root of the Spanning Tree Oper Path Cost The contribution of this port to the path cost of paths towards the spanning tree root whic...

Page 256: ...Step list 3 Select Show Information from the Action list Figure 111 Displaying Interface Settings for STA Alternate port receives more useful BPDUs from another bridge and is therefore not selected as...

Page 257: ...bridges within the same MSTI Region page 243 with the same set of instances and the same instance on each bridge with the same set of VLANs Also note that RSTP treats each MSTI region as a single nod...

Page 258: ...the MST instance identifier and the initial VLAN member Additional member can be added using the Spanning Tree MSTP Configure Global Add Member page If the priority is not specified the default value...

Page 259: ...e priority for an MSTP Instance 5 Click Apply Figure 114 Modifying the Priority for an MST Instance To display global settings for MSTP 1 Click Spanning Tree MSTP 2 Select Configure Global from the St...

Page 260: ...ect an MST instance from the MST ID list 5 Enter the VLAN group to add to the instance in the VLAN ID field Note that the specified member does not have to be a configured VLAN 6 Click Apply Figure 11...

Page 261: ...t in the Spanning Tree Protocol If the path cost for all ports on a switch are the same the port with the highest priority i e lowest value will be configured as an active link in the Spanning Tree Th...

Page 262: ...trunk 1 Click Spanning Tree MSTP 2 Select Configure Interface from the Step list 3 Select Configure from the Action list 4 Enter the priority and path cost for an interface 5 Click Apply Figure 118 Co...

Page 263: ...ITING Use the Traffic Rate Limit page to apply rate limiting to ingress or egress ports This function allows the network manager to control the maximum rate for traffic received or transmitted on an i...

Page 264: ...n a device on your network is malfunctioning or if application programs are not well designed or properly configured If there is too much traffic on your network performance can be severely degraded o...

Page 265: ...ands on the same interface PARAMETERS These parameters are displayed Interface Displays a list of ports or trunks Type Indicates interface type 100BASE FX 1000BASE T 1000BASE SFP Unknown Unicast Speci...

Page 266: ...m Fire Threshold The highest acceptable traffic rate When ingress traffic exceeds the threshold ATC sends a Storm Alarm Fire Trap and logs it Storm Alarm FireTRAP Alarm Fire Threshold 1 255kpps AlarmC...

Page 267: ...n only be manually re enabled using Manual Control Release see page 269 The traffic control response of rate limiting can be released automatically or manually The control response of shutting down a...

Page 268: ...trol response it must be manually re enabled using the Manual Control Release see page 269 PARAMETERS These parameters are displayed Broadcast Apply Timer The interval after the upper threshold has be...

Page 269: ...storm control is a software level control function Traffic storms can also be controlled at the hardware level using the Storm Control menu However only one of these control types can be applied to a...

Page 270: ...igured by the Auto Release Control attribute Range 1 255 kilo packets per second Default 250 kpps If rate limiting has been configured as a control response and Auto Control Release is enabled rate li...

Page 271: ...to Traffic Control 2 Select Configure Interface from the Step field 3 Enable or disable ATC as required set the control response specify whether or not to automatically release the control response of...

Page 272: ...CHAPTER 9 Congestion Control Automatic Traffic Control 272...

Page 273: ...cessing LAYER 2 QUEUE SETTINGS This section describes how to configure the default priority for untagged frames set the queue mode set the weights assigned to each queue and map class of service tags...

Page 274: ...Click Traffic Priority Default Priority 2 Select the interface type to display Port or Trunk 3 Modify the default priority for any interface 4 Click Apply Figure 126 Setting the Default Port Priority...

Page 275: ...ed at the egress ports by defining scheduling weights for WRR or the queuing mode that uses a combination of strict and weighted queuing The specified queue mode applies to all interfaces PARAMETERS T...

Page 276: ...lected the queue weight can be modified if required 4 If the queue mode that uses a combination of strict and weighted queueing is selected the queues which are serviced first must be specified by ena...

Page 277: ...p standard as shown in Table 14 This table indicates the default mapping of internal per hop behavior to the hardware queues The actual mapping may differ if the CoS priorities to internal DSCP values...

Page 278: ...Click Traffic Priority PHB to Queue 2 Select Configure from the Action list 3 Map an internal PHB to a hardware queue Depending on how an ingress packet is processed internally based on its CoS value...

Page 279: ...vices are enabled the priorities are mapped to a Class of Service value by the switch and the traffic then sent to the corresponding output queue Because different priority information may be containe...

Page 280: ...priority processing if the packet is tagged For an untagged packet the default port priority see page 273 is used for priority processing If the QoS mapping mode is set to CoS and the ingress packet...

Page 281: ...ds of forwarding CLI REFERENCES qos map dscp mutation on page 1202 COMMAND USAGE Enter per hop behavior and drop precedence for any of the DSCP values 0 63 This map is only used when the priority mapp...

Page 282: ...Values to Internal PHB Drop Values ingress dscp1 ingress dscp10 0 1 2 3 4 5 6 7 8 9 0 0 0 0 1 0 0 0 3 0 0 0 1 0 0 0 3 1 0 1 1 1 1 0 1 3 1 0 1 1 1 0 1 3 2 0 2 1 2 0 2 3 2 2 0 2 1 2 0 2 3 3 0 3 1 3 0 3...

Page 283: ...with a 802 1Q header but it is not an IP packet then the CoS CFI to PHB Drop Precedence mapping table is used to generate priority and drop precedence values for internal processing Note that priority...

Page 284: ...ow 1 Red WEB INTERFACE To map CoS CFI values to internal PHB drop precedence 1 Click Traffic Priority CoS to DSCP 2 Select Configure from the Action list 3 Set the PHB and drop precedence for any of t...

Page 285: ...f Service Layer 3 4 Priority Settings 285 To show the CoS CFI to internal PHB drop precedence map 1 Click Traffic Priority CoS to DSCP 2 Select Show from the Action list Figure 136 Showing CoS to DSCP...

Page 286: ...CHAPTER 10 Class of Service Layer 3 4 Priority Settings 286...

Page 287: ...ferent kinds of traffic can be marked for different kinds of forwarding All switches or routers that access the Internet rely on class information to provide the same forwarding treatment to packets i...

Page 288: ...ured to monitor the maximum throughput and burst rate Then specify the action to take for conforming traffic or the action to take for a policy violation 5 Use the Configure Interface page to assign a...

Page 289: ...ing standard or extended IPv4 IPv6 ACLs and MAC ACLs IP DSCP A DSCP value Range 0 63 IP Precedence An IP Precedence value Range 0 7 IPv6 DSCP A DSCP value contained in an IPv6 packet Range 0 63 VLAN I...

Page 290: ...edit the rules for a class map 1 Click Traffic DiffServ 2 Select Configure Class from the Step list 3 Select Add Rule from the Action list 4 Select the name of a class map 5 Specify type of traffic f...

Page 291: ...A policy map is then configured which indicates the boundary parameters used for monitoring inbound traffic and the action to take for conforming and non conforming traffic A policy map may contain on...

Page 292: ...excess burst size and red otherwise The meter operates in one of two modes In the color blind mode the meter assumes that the packet stream is uncolored In color aware mode the meter assumes that som...

Page 293: ...eeding the maximum throughput or exceeding the peak burst size The PHB label is composed of five bits three bits for per hop behavior and two bits for the color scheme used to control queue congestion...

Page 294: ...packet is yellow and Tp is decremented by B else the packet is green and both Tp and Tc are decremented by B The trTCM can be used to mark a IP packet stream in a service where different decreasing le...

Page 295: ...Internal PHB Drop Values on page 282 Set IP DSCP Configures the service provided to ingress traffic by setting an IP DSCP value for a matching packet as specified in rule settings for a class map Rang...

Page 296: ...e value or drop a packet the switch will also mark the two color bits used to set the drop precedence of a packet for Random Early Detection The color modes include Color Blind which assumes that the...

Page 297: ...the peak information rate In addition to the actions defined by this command to transmit remark the DSCP service value or drop a packet the switch will also mark the two color bits used to set the dr...

Page 298: ...be dropped or the DSCP service level will be reduced Set IP DSCP Decreases DSCP priority for out of conformance traffic Range 0 63 Drop Drops out of conformance traffic Violate Specifies whether the...

Page 299: ...p list 3 Select Add Rule from the Action list 4 Select the name of a policy map 5 Set the CoS or per hop behavior for matching packets to specify the quality of service to be assigned to the matching...

Page 300: ...Policies 300 Figure 143 Adding Rules to a Policy Map To show the rules for a policy map 1 Click Traffic DiffServ 2 Select Configure Policy from the Step list 3 Select Show Rule from the Action list Fi...

Page 301: ...lity of Service Commands on page 1207 COMMAND USAGE First define a class map define a policy map and then bind the service policy to the required interface Only one policy map can be bound to an inter...

Page 302: ...o bind a policy map to a port 1 Click Traffic DiffServ 2 Select Configure Interface from the Step list 3 Check the box under the Ingress field to enable a policy map for a port 4 Select a policy map f...

Page 303: ...acket delays packet loss and jitter This is best achieved by assigning all VoIP traffic to a single Voice VLAN The use of a Voice VLAN has several advantages It provides security by isolating the VoIP...

Page 304: ...hip is not set to access mode see Adding Static Members to VLANs on page 205 PARAMETERS These parameters are displayed Auto Detection Status Enables the automatic detection of VoIP traffic on switch p...

Page 305: ...configure this feature CLI REFERENCES Configuring Voice VLANs on page 1186 PARAMETERS These parameters are displayed Telephony OUI Specifies a MAC address range to add to the list Format xx xx xx xx...

Page 306: ...bers used for VoIP equipment 1 Click Traffic VoIP 2 Select Configure OUI from the Step list 3 Select Show from the Action list Figure 148 Showing an OUI Telephony List CONFIGURING VOIP TRAFFIC PORTS U...

Page 307: ...e VLAN ID VoIP traffic is identified by source MAC addresses configured in the Telephony OUI list or through LLDP that discovers VoIP devices attached to the switch Packets received from non VoIP sour...

Page 308: ...will be removed from voice VLAN when VoIP traffic is no longer received on the port Alternatively if you clear the MAC address table manually then the switch will also start counting down the Remaini...

Page 309: ...ork Access authentication methods are infeasible or impractical Network Access Configure MAC authentication intrusion response dynamic VLAN assignment and dynamic QoS assignment HTTPS Provide a secure...

Page 310: ...ized as follows Authentication Identifies users that request access to the network Authorization Determines if users can access specific services Accounting Provides reports auditing and billing for s...

Page 311: ...local or remote authentication Local authentication restricts management access based on user names and passwords manually configured on the switch Remote authentication uses a remote access authentic...

Page 312: ...s 1 Click Security AAA System Authentication 2 Specify the authentication sequence i e one to three methods 3 Click Apply Figure 150 Configuring the Authentication Sequence CONFIGURING REMOTE LOGON AU...

Page 313: ...rd pair The user name password and privilege level must be configured on the authentication server The encryption methods used for the authentication process must also be configured or negotiated betw...

Page 314: ...on access for client Enclose any string containing blank spaces in double quotes Maximum length 48 characters Confirm Authentication Key Re type the string entered in the previous field to ensure no e...

Page 315: ...ge 1 64 characters Sequence at Priority Specifies the server and sequence to use for the group Range 1 5 for RADIUS 1 for TACACS When specifying the priority sequence for a sever the server index must...

Page 316: ...te Authentication Server TACACS To configure the RADIUS or TACACS server groups to use for accounting and authorization 1 Click Security AAA Server 2 Select Configure Group from the Step list 3 Select...

Page 317: ...the Action list Figure 155 Showing AAA Server Groups CONFIGURING AAA ACCOUNTING Use the Security AAA Accounting page to enable accounting of requested services for billing or security purposes and al...

Page 318: ...64 characters Note that the method name is only used to describe the accounting method configured on the specified RADIUS or TACACS servers No information is sent to the servers about the method to u...

Page 319: ...lays the accounting service Method Name Displays the user defined or default accounting method Server Group Name Displays the accounting server group Interface Displays the port console or Telnet inte...

Page 320: ...ting 2 Select Configure Method from the Step list 3 Select Add from the Action list 4 Select the accounting type 802 1X Command Exec 5 Specify the name of the accounting method and server group name 6...

Page 321: ...to specific interfaces console commands entered at specific privilege levels and local console Telnet or SSH connections 1 Click Security AAA Accounting 2 Select Configure Service from the Step list 3...

Page 322: ...hods and assigned server groups for specified service types 1 Click Security AAA Accounting 2 Select Show Information from the Step list 3 Click Summary Figure 161 Displaying a Summary of Applied AAA...

Page 323: ...RAMETERS These parameters are displayed Configure Method Authorization Type Specifies the service as Command Administrative authorization to apply to commands entered at specific CLI privilege levels...

Page 324: ...service Method Name Displays the user defined or default accounting method Server Group Name Displays the authorization server group Interface Displays the console or Telnet interface to which these r...

Page 325: ...Select Configure Method from the Step list 3 Select Show from the Action list Figure 164 Showing AAA Authorization Methods To configure the authorization method applied to local console Telnet or SSH...

Page 326: ...ad access for most configuration parameters However the administrator has write access for all parameters governing the onboard agent You should therefore assign a new administrator password as soon a...

Page 327: ...word Type Specifies the following options No Password No password is required for this user to log in Plain Password Plain text unencrypted password Encrypted Password Encrypted password The encrypted...

Page 328: ...on are infeasible or impractical The web authentication feature allows unauthenticated hosts to request and receive a DHCP assigned IP address and perform DNS queries All other traffic except for HTTP...

Page 329: ...e enabled for any port where required under the Configure Interface menu Session Timeout Configures how long an authenticated session stays active before it must re authenticate itself Range 300 3600...

Page 330: ...s for the port Host IP Address Indicates the IP address of each connected host Remaining Session Time Indicates the remaining time until the current authorization session for the host expires Apply En...

Page 331: ...work properly See Configuring Remote Logon Authentication Servers on page 312 NOTE MAC authentication cannot be configured on trunk ports CLI REFERENCES Network Access MAC Address Authentication on pa...

Page 332: ...e VLAN identifier list is carried in the RADIUS Tunnel Private Group ID attribute The VLAN list can contain multiple VLAN identifiers in the format 1u 2t 3u where u indicates an untagged VLAN and t a...

Page 333: ...conditions occur Illegal characters found in a profile value for example a non digital character in an 802 1p profile value Failure to configure the received profiles on the authenticated port When t...

Page 334: ...he reauthentication time expires for a secure MAC address it is reauthenticated with the RADIUS server During the reauthentication process traffic through the port remains unaffected Range 120 1000000...

Page 335: ...02 1X on page 390 Dynamic VLAN Enables dynamic VLAN assignment for an authenticated port When enabled any VLAN identifiers returned by the RADIUS server through the 802 1X authentication process are a...

Page 336: ...when MAC Authentication or 802 1X Authentication fails and the dynamic VLAN and QoS assignments 5 Click Apply Figure 172 Configuring Interface Settings for Network Access CONFIGURING PORT LINK DETECTI...

Page 337: ...Configure Interface from the Step list 3 Click the Link Detection button 4 Modify the link detection status trigger condition and the response for any port 5 Click Apply Figure 173 Configuring Link D...

Page 338: ...MAC addresses as defined by the MAC Address Mask MAC Address Mask The filter rule will check for the range of MAC addresses defined by the MAC bit mask If you omit the mask the system will assign the...

Page 339: ...be displayed and selected entries can be removed from the table CLI REFERENCES Network Access MAC Address Authentication on page 895 PARAMETERS These parameters are displayed Query By Specifies parame...

Page 340: ...ecurity Network Access 2 Select Show Information from the Step list 3 Use the sort key to display addresses based MAC address interface or attribute 4 Restrict the displayed addresses by entering a sp...

Page 341: ...pecify in your browser https device port_number When you start HTTPS the connection is established in this way The client authenticates the server using the server s digital certificate The client and...

Page 342: ...t 3 Enable HTTPS and specify the port number if required 4 Click Apply Figure 177 Configuring HTTPS REPLACING THE DEFAULT SECURE SITE CERTIFICATE Use the Security HTTPS Copy Certificate page to replac...

Page 343: ...tem on page 150 or type reload at the command prompt Console reload CLI REFERENCES Web Server on page 847 PARAMETERS These parameters are displayed TFTP Server IP Address IP address of TFTP server whi...

Page 344: ...ell and rcp remote copy are not secure from hostile attacks Secure Shell SSH includes server client applications intended as a secure replacement for the older Berkeley remote access tools SSH can als...

Page 345: ...ear similar to the following example 10 1 0 54 1024 35 15684995401867669259333946775054617325313674890836547254 15020245593199868544358361651999923329781766065830956 10825913212890233 7654680172627257...

Page 346: ...1 5 Clients a The client sends its RSA public key to the switch b The switch compares the client s public key to those stored in memory c If a match is found the switch uses its secret key to generate...

Page 347: ...n page 853 PARAMETERS These parameters are displayed SSH Server Status Allows you to enable disable the SSH server on the switch Default Disabled Version The Secure Shell version number Version 2 0 is...

Page 348: ...After generating this key pair you must provide the host public key to SSH clients and import the client s public key to the switch as described in the section Importing User Public Keys on page 350...

Page 349: ...select this item prior to generating the host key pair Default Disabled WEB INTERFACE To generate the SSH host key pair 1 Click Security SSH 2 Select Configure Host Key from the Step list 3 Select Gen...

Page 350: ...rop down box selects the user who s public key you wish to manage Note that you must first create users on the User Accounts page see Configuring User Accounts on page 326 User Key Type The type of pu...

Page 351: ...name and the public key type from the respective drop down boxes input the TFTP server IP address and the public key source file name 5 Click Apply Figure 182 Copying the SSH User s Public Key To disp...

Page 352: ...ditions in an ACL one by one A packet will be accepted as soon as it matches a permit rule or dropped as soon as it matches a deny rule If no rules match the packet is accepted COMMAND USAGE The follo...

Page 353: ...n TCAM The above example is an ideal case for compression The worst case would be if no any ACE can be compressed in which case the used number of TCAM entries would be the same as without compression...

Page 354: ...which to start or end Periodic Specifies a periodic interval Start To Specifies the days of the week hours and minutes at which to start or end WEB INTERFACE To configure a time range 1 Click Security...

Page 355: ...Select Add Rule from the Action list 4 Select the name of time range from the drop down list 5 Select a mode option of Absolute or Periodic 6 Fill in the required parameters for the selected mode 7 Cl...

Page 356: ...Access Control Lists ACLs IP Source Guard filter rules Quality of Service QoS processes QinQ MAC based VLANs VLAN translation or traps For example when binding an ACL to a port each rule in an ACL wil...

Page 357: ...982 PARAMETERS These parameters are displayed ACL Name Name of the ACL Maximum length 32 characters Type The following filter modes are supported IP Standard IPv4 ACL mode filters packets based on th...

Page 358: ...gs used for ARP inspection see ARP Inspection on page 375 WEB INTERFACE To configure the name and type of an ACL 1 Click Security ACL 2 Select Configure ACL from the Step list 3 Select Add from the Ac...

Page 359: ...bination of rules which permit or deny a packet Address Type Specifies the source IP address Use Any to include all possible addresses Host to specify a specific host address in the Address field or I...

Page 360: ...8 If you select Host enter a specific address If you select IP enter a subnet address and the mask for an address range 9 Click Apply Figure 191 Configuring a Standard IPv4 ACL CONFIGURING AN EXTENDED...

Page 361: ...specify a range of addresses with the Address and Subnet Mask fields Options Any Host IP Default Any Source Destination IP Address Source or destination IP address Source Destination Subnet Mask Subn...

Page 362: ...ing flags set SYN flag valid use control code 2 control bit mask 2 Both SYN and ACK valid use control code 18 control bit mask 18 SYN valid and ACK invalid use control code 2 control bit mask 18 Time...

Page 363: ...atching the selected type Action An ACL can contain any combination of rules which permit or deny a packet Source Address Type Specifies the source IP address Use Any to include all possible addresses...

Page 364: ...es to a Standard IPv6 ACL 1 Click Security ACL 2 Select Configure ACL from the Step list 3 Select Add Rule from the Action list 4 Select IPv6 Standard from the Type list 5 Select the name of an ACL fr...

Page 365: ...ress An IPv6 address or network class The address must be formatted according to RFC 2373 IPv6 Addressing Architecture using 8 colon separated 16 bit hexadecimal values One double colon may be used in...

Page 366: ...ACL 2 Select Configure ACL from the Step list 3 Select Add Rule from the Action list 4 Select IPv6 Extended from the Type list 5 Select the name of an ACL from the Name list 6 Specify the action i e P...

Page 367: ...o specify an address range with the Address and Bit Mask fields Options Any Host MAC Default Any Source Destination MAC Address Source or destination MAC address Source Destination Bit Mask Hexadecima...

Page 368: ...ick Security ACL 2 Select Configure ACL from the Step list 3 Select Add Rule from the Action list 4 Select MAC from the Type list 5 Select the name of an ACL from the Name list 6 Specify the action i...

Page 369: ...se parameters are displayed Type Selects the type of ACLs to show in the Name list Name Shows the names of ACLs matching the selected type Action An ACL can contain any combination of permit or deny r...

Page 370: ...tion MAC Bit Mask Hexadecimal mask for source or destination MAC address Log Logs a packet when it matches the access control entry WEB INTERFACE To add rules to an ARP ACL 1 Click Security ACL 2 Sele...

Page 371: ...assigned to a port CLI REFERENCES ip access group on page 975 show ip access group on page 975 mac access group on page 987 show mac access group on page 988 Time Range on page 782 COMMAND USAGE This...

Page 372: ...ACL Configure Interface Add Mirror page to mirror traffic matching an ACL from one or more source ports to a target port for real time analysis You can then attach a logic analyzer or RMON probe to th...

Page 373: ...CL ACL used for ingress packets WEB INTERFACE To bind an ACL to a port 1 Click Security ACL 2 Select Configure Interface from the Step list 3 Select Add Mirror from the Action list 4 Select a port 5 S...

Page 374: ...type of ACL Direction Displays statistics for ingress ACL Name The ACL bound this port Action Shows if action is to permit or deny specified packets Rules Shows the rules for the ACL bound to this po...

Page 375: ...ooping binding database see DHCP Snooping Global Configuration on page 415 This database is built by DHCP snooping if it is enabled on globally on the switch and on the required VLANs ARP Inspection c...

Page 376: ...EFERENCES ARP Inspection on page 948 COMMAND USAGE ARP Inspection Validation By default ARP Inspection Validation is disabled Specifying at least one of the following validations enables ARP Inspectio...

Page 377: ...will be replaced with the newest entry PARAMETERS These parameters are displayed ARP Inspection Status Enables ARP Inspection globally Default Disabled ARP Inspection Validation Enables extended ARP I...

Page 378: ...ARP Inspection on page 948 COMMAND USAGE ARP Inspection VLAN Filters ACLs By default no ARP Inspection ACLs are configured and the feature is disabled ARP Inspection ACLs are configured within the AR...

Page 379: ...s selected and static mode also selected the switch only performs ARP Inspection and bypasses validation against the DHCP Snooping Bindings database When an ARP ACL is selected but static mode is not...

Page 380: ...P Inspection and ARP Inspection Validation checks and will always be forwarded while those arriving on untrusted interfaces are subject to all configured ARP inspection tests Packet Rate Limit Sets th...

Page 381: ...rate limit Dropped ARP packets in the process of ARP inspection rate limit Count of ARP packets exceeding and dropped by ARP rate limiting ARP packets dropped by additional validation IP Count of ARP...

Page 382: ...og page to show information about entries stored in the log including the associated VLAN port and address components CLI REFERENCES show ip arp inspection log on page 956 PARAMETERS These parameters...

Page 383: ...Once you add an entry to a filter list access to that interface is restricted to the specified addresses If anyone tries to access a management interface on the switch from an invalid address the swi...

Page 384: ...ddress es for the Telnet group All Configures IP address es for all groups Start IP Address A single IP address or the starting address of a range End IP Address The end address of a range WEB INTERFA...

Page 385: ...rized MAC address attempts to use the switch port the intrusion will be detected and the switch can automatically take action by disabling the port and sending a trap message CLI REFERENCES Port Secur...

Page 386: ...port that port cannot be set as an RSPAN uplink port source port or destination port Also when a port is configured as an RSPAN uplink port source port or destination port port security cannot be ena...

Page 387: ...ick Security Port Security 2 Mark the check box in the Security Status column to enable security set the action to take when an invalid address is detected on a port and set the maximum number of MAC...

Page 388: ...nsport Layer Security PEAP Protected Extensible Authentication Protocol or TTLS Tunneled Transport Layer Security The client responds to the appropriate method with its credentials such as a password...

Page 389: ...s are displayed System Authentication Control Sets the global setting for 802 1X Default Disabled EAPOL Pass Through Passes EAPOL frames through to all ports in STP forwarding state when dot1x is glob...

Page 390: ...obally for the switch and configure EAPOL Pass Through if required Then set the user name and password to use when the switch responds an MD5 challenge from the authentication server 4 Click Apply Fig...

Page 391: ...s by the setting the control mode to Force Authorized on this page and enabling the PAE supplicant on the Supplicant configuration page PARAMETERS These parameters are displayed Port Port number Statu...

Page 392: ...the time period during an authentication session that the switch waits before re transmitting an EAP packet Range 1 65535 Default 30 seconds Supplicant Timeout Sets the time that a switch port waits f...

Page 393: ...ge 202 and mapped on each port See Configuring Network Access for Ports on page 334 Supplicant List Supplicant MAC address of authorized client Authenticator PAE State Machine State Current state incl...

Page 394: ...henticator CONFIGURING PORT SUPPLICANT SETTINGS FOR 802 1X Use the Security Port Authentication Configure Interface Supplicant page to configure 802 1X port settings for supplicant requests issued fro...

Page 395: ...displayed Port Port number PAE Supplicant Enables PAE supplicant mode Default Disabled If the attached client must be authenticated through another device in the network supplicant status must be enab...

Page 396: ...w Statistics page to display statistics for dot1x protocol exchanges for any port CLI REFERENCES show dot1x on page 875 PARAMETERS These parameters are displayed Table 24 802 1X Statistics Parameter D...

Page 397: ...in which the frame type is not recognized Rx EAPOL Total The number of valid EAPOL frames of any type that have been received by this Supplicant Rx Last EAPOLVer The protocol version number carried in...

Page 398: ...y Port Authentication 2 Select Show Statistics from the Step list 3 Click Authenticator Figure 213 Showing Statistics for 802 1X Port Authenticator To display port supplicant statistics for 802 1X 1 C...

Page 399: ...Default 1000 kbits second Smurf Attack Attacks in which a perpetrator generates a large amount of spoofed ICMP Echo Request traffic to the broadcast destination IP address 255 255 255 255 all of which...

Page 400: ...Destination Unreachable packet It will be forced to send many ICMP packets eventually leading it to be unreachable by other clients Default Disabled UDP Flooding Attack Rate Maximum allowed rate Rang...

Page 401: ...curity IP Source Guard Port Configuration page to set the filtering type based on source IP address or source IP address and MAC address pairs IP Source Guard is used to filter traffic on an insecure...

Page 402: ...C option If a matching entry is found in the binding table and the entry type is static IP source guard binding or dynamic DHCP snooping binding the packet will be forwarded If IP source guard if enab...

Page 403: ...lease time which is indicated with a value of zero in the table CLI REFERENCES ip source guard binding on page 936 COMMAND USAGE Static addresses entered in the source guard binding table are automati...

Page 404: ...VLAN to which this entry is bound MAC Address Physical address associated with the entry Interface The port to which this entry is bound IP Address IP address corresponding to the client Lease Time Th...

Page 405: ...ble for a selected interface CLI REFERENCES show ip source guard binding on page 942 PARAMETERS These parameters are displayed Query by Port A port on this switch VLAN ID of a configured VLAN Range 1...

Page 406: ...ooping table when either snooping protocol is enabled see the DHCPv6 Snooping commands IPv6 source guard can be used to prevent traffic attacks caused when a host tries to use the IPv6 address of a ne...

Page 407: ...ed with an infinite lease time Dynamic entries learned via DHCPv6 snooping are configured by the DHCPv6 server itself If IPv6 source guard is enabled an inbound packet s source IPv6 address will be ch...

Page 408: ...must be set to a value higher than DHCPv6 snooping maximum bindings and ND snooping maximum bindings If IPv6 source guard ND snooping and DHCPv6 snooping are enabled on a port the dynamic bindings use...

Page 409: ...th same and MAC address and IPv6 address a new entry is added to binding table using static IPv6 source guard binding If there is an entry with same MAC address and IPv6 address and the type of entry...

Page 410: ...client Type Shows the entry type DHCP Dynamic DHCPv6 binding stateful address ND Dynamic Neighbor Discovery binding stateless address STA Static IPv6 Source Guard binding WEB INTERFACE To configure st...

Page 411: ...ted interface CLI REFERENCES show ipv6 source guard binding on page 948 PARAMETERS These parameters are displayed Query by Port A port on this switch VLAN ID of a configured VLAN Range 1 4094 MAC Addr...

Page 412: ...mation to a DHCP server This information can be useful in tracking an IP address back to a physical port COMMAND USAGE DHCP Snooping Process Network traffic may be disrupted when malicious DHCP messag...

Page 413: ...only if the corresponding entry is found in the binding table If the DHCP packet is from a client such as a DISCOVER REQUEST INFORM DECLINE or RELEASE message the packet is forwarded if MAC address ve...

Page 414: ...by the switch and in reply packets sent back from the DHCP server This information may specify the MAC address or IP address of the requesting device that is the switch in this context By default the...

Page 415: ...fies the MAC address IP address or arbitrary identifier of the requesting device i e the switch in this context MAC Address Inserts a MAC address in the remote ID sub option for the DHCP snooping agen...

Page 416: ...snooping on specific VLANs CLI REFERENCES ip dhcp snooping vlan on page 921 COMMAND USAGE When DHCP snooping is enabled globally on the switch and enabled on the specified VLAN DHCP packet filtering w...

Page 417: ...Snooping Configure Interface page to configure switch ports as trusted or untrusted CLI REFERENCES ip dhcp snooping trust on page 923 COMMAND USAGE A trusted interface is an interface that is configu...

Page 418: ...Range 1 32 characters WEB INTERFACE To configure global settings for DHCP Snooping 1 Click IP Service DHCP Snooping 2 Select Configure Interface from the Step list 3 Set any ports within the local ne...

Page 419: ...namically learned snooping entries to flash memory This function can be used to store the currently learned dynamic DHCP snooping entries to flash memory These entries will be restored to the snooping...

Page 420: ...CHAPTER 13 Security Measures DHCP Snooping 420...

Page 421: ...1 SNMPv2c or SNMPv3 Remote Monitoring RMON Configures local collection of detailed statistics or events which can be subsequently retrieved through SNMP Switch Clustering Configures centralized manage...

Page 422: ...sh or RAM memory The default is for event levels 0 to 3 to be logged to flash and levels 0 to 7 to be logged to RAM CLI REFERENCES Event Logging on page 759 PARAMETERS These parameters are displayed S...

Page 423: ...source WEB INTERFACE To configure the logging of error messages to system memory 1 Click Administration Log System 2 Select Configure Global from the Step list 3 Enable or disable system logging set...

Page 424: ...ed by values of 16 to 23 The facility type is used by the syslog server to dispatch log messages to an appropriate service The attribute specifies the facility type tag sent in syslog messages see RFC...

Page 425: ...ogging events of a specified level The messages are sent to specified SMTP servers on the network and can be retrieved using POP or IMAP clients CLI REFERENCES SMTP Alerts on page 766 PARAMETERS These...

Page 426: ...pond For host name to IP address translation to function properly host name lookup must be enabled Configuring General DNS Service Parameters on page 663 and one or more DNS servers specified see Conf...

Page 427: ...UTES Use the Administration LLDP Configure Global page to set attributes for general functions such as globally enabling LLDP on the switch setting the message ageout time and setting the frequency fo...

Page 428: ...on about changes in LLDP neighbors that occur between SNMP notifications is not transmitted Only state changes that exist at the time of a notification are included in the transmission An SNMP agent s...

Page 429: ...mission of SNMP trap notifications about LLDP and LLDP MED changes Default Enabled This option sends out SNMP trap notifications to designated target stations at the interval specified by the Notifica...

Page 430: ...t address TLV that reports an address that is accessible on a port and protocol VLAN through the particular port should be accompanied by a port and protocol VLAN TLV that indicates the VLAN identifie...

Page 431: ...which power is delivered can be controlled the port pins selected to deliver power and the power class MAC PHY Configuration Status The MAC PHY configuration and status which includes information abou...

Page 432: ...ter ISO 3166 country code in capital ASCII letters Example DK DE or US Device entry refers to The type of device to which the location applies Location of DHCP server Location of network element close...

Page 433: ...ical location of the device attached to an interface including items such as the city street number building and room information The address location is specified as a type and value pair with the ci...

Page 434: ...specify the physical location of the attached device 1 Click Administration LLDP 2 Select Configure Interface from the Step list 3 Select Add CA Type from the Action list 4 Select an interface from th...

Page 435: ...rt information CLI REFERENCES show lldp info local device on page 1343 PARAMETERS These parameters are displayed Global Settings Chassis Type Identifies the chassis containing the IEEE 802 LAN entity...

Page 436: ...ss is available the address should be the MAC address for the CPU or for the port sending this advertisement Interface Settings The attributes listed below apply to both port and trunk interface types...

Page 437: ...863 is implemented the ifDescr object should be used for this field MED Capability The supported set of capabilities that define the primary function s of the interface LLDP MED Capabilities Network P...

Page 438: ...238 Displaying Local Device Information for LLDP Port Details DISPLAYING LLDP REMOTE DEVICE INFORMATION Use the Administration LLDP Show Remote Device Information page to display information about de...

Page 439: ...associated with the transmitting LLDP agent There are several ways in which a chassis may be identified and a chassis ID subtype is used to indicate the type of component being referenced by the chas...

Page 440: ...d protocol VLANs and whether the port based protocol VLANs are enabled on the given port associated with the remote system Remote VLAN Name List VLAN names associated with a port Remote Protocol Ident...

Page 441: ...Remote Power MDI Supported Shows whether MDI power is supported on the given port associated with the remote system Remote Power Pair Controllable Indicates whether the pair selection can be controll...

Page 442: ...c class of endpoint devices Class 2 Endpoint devices that supports media stream capabilities Class 3 Endpoint devices that directly supports end users of the IP communication systems Network Connectiv...

Page 443: ...in IEEE 802 1Q A value of zero indicates that the port is using priority tagged frames meaning that only the IEEE 802 1D priority level is significant and the default PVID of the ingress port is used...

Page 444: ...the end point device Manufacture Name The manufacturer of the end point device Asset ID The asset identifier of the end point device End point devices are typically assigned asset identifiers to facil...

Page 445: ...CHAPTER 14 Basic Administration Protocols Link Layer Discovery Protocol 445 Figure 240 Displaying Remote Device Information for LLDP Port Details...

Page 446: ...transmitted or received on all local interfaces CLI REFERENCES show lldp info statistics on page 1346 PARAMETERS These parameters are displayed General Statistics on Remote Devices Neighbor Entries Li...

Page 447: ...ed Number of LLDP PDUs received Frames Sent Number of LLDP PDUs transmitted TLVs Unrecognized A count of all TLVs not recognized by the receiving LLDP local agent TLVs Discarded A count of all LLDPDUs...

Page 448: ...e automatically turned on and off for connected devices and a per port power priority can be set so that the switch never exceeds its power budget When a device is connected to a switch port its power...

Page 449: ...y PoE devices connected to the switch Software Version The version of software running on the PoE controller subsystem in the switch Compatible Mode Allows the switch to detect and provide power to po...

Page 450: ...itch is based on 802 3af to which the 802 3af PDs will respond normally It then sends a second PoE Plus pulse that causes an 802 3at PD to respond as a Class 4 device and draw Class 4 current Afterwar...

Page 451: ...se the switch to exceed its budget power will not be provided to that port regardless of its priority setting If priority is not set for any ports and PoE consumption exceeds the maximum power provide...

Page 452: ...oE will be provided to an interface 3 Click Apply Figure 245 Setting a Port s PoE Budget SIMPLE NETWORK MANAGEMENT PROTOCOL Simple Network Management Protocol SNMP is a communication protocol designed...

Page 453: ...l and specified security levels Each group also has a defined security access to set of MIB objects for reading and writing which are known as views The switch has a default view all MIB objects and d...

Page 454: ...p page to specify trap managers so that key events are reported by this switch to your management station 3 Use the Administration SNMP Configure Engine page to change the local engine ID If you want...

Page 455: ...established or broken Default Enabled MAC Notification Traps Issues a trap when a dynamic MAC address is added or removed MAC Notification Trap Interval Specifies the interval between issuing two con...

Page 456: ...e ID If the local engine ID is deleted or changed all SNMP users will be cleared You will need to reconfigure all existing users PARAMETERS These parameters are displayed Engine ID A new engine ID can...

Page 457: ...oritative SNMP agent is the remote agent You therefore need to configure the remote agent s SNMP engine ID before you can send proxy requests or informs to it See Configuring Remote SNMPv3 Users on pa...

Page 458: ...o restrict user access to specified portions of the MIB tree The predefined view defaultview includes access to the entire MIB tree CLI REFERENCES snmp server view on page 806 PARAMETERS These paramet...

Page 459: ...e is included or excluded from the SNMP view WEB INTERFACE To configure an SNMP view of the switch s MIB database 1 Click Administration SNMP 2 Select Configure View from the Step list 3 Select Add Vi...

Page 460: ...the Action list 4 Select a view name from the list of existing views and specify an additional OID subtree in the switch s MIB database to be included or excluded in the view 5 Click Apply Figure 252...

Page 461: ...displayed Group Name The name of the SNMP group to which the user is assigned Range 1 32 characters Security Model The user security model SNMP v1 v2c or v3 Security Level The following security leve...

Page 462: ...s that the SNMP entity acting in an agent role has detected that the ifOperStatus object for one of its communication links is about to enter the down state from some other state but not from the notP...

Page 463: ...259 10 1 39 2 1 0 77 When ATC is released this trap is fired stpBpduGuardPortShutdownTrap 1 3 6 1 4 1 259 10 1 39 2 1 0 91 This trap will be sent when an interface is shut down because of BPDU guard...

Page 464: ...ecovery is done by LBD sfpThresholdAlarmWarnTrap 1 3 6 1 4 1 259 10 1 39 2 1 0 189 This trap is sent when the SFP s monitored value is not within alarm warning thresholds udldPortShutdownTrap 1 3 6 1...

Page 465: ...re Group from the Step list 3 Select Add from the Action list 4 Enter a group name assign a security model and level and then select read write and notify views 5 Click Apply Figure 254 Creating an SN...

Page 466: ...ssword and permits access to the SNMP protocol Range 1 32 characters case sensitive Default strings public Read Only private Read Write Access Mode Specifies the access rights for the community string...

Page 467: ...be configured with a specific security level and assigned to a group The SNMPv3 group restricts users to a specific read write and notify view CLI REFERENCES snmp server user on page 805 PARAMETERS T...

Page 468: ...bit DES is currently available Privacy Password Enter plain text characters for the privacy password Range 8 32 characters WEB INTERFACE To configure a local SNMPv3 user 1 Click Administration SNMP 2...

Page 469: ...notify view CLI REFERENCES snmp server user on page 805 COMMAND USAGE To grant management access to an SNMPv3 user on a remote device you must first specify the engine identifier for the SNMP agent on...

Page 470: ...for the authentication password Range 8 32 characters Privacy Protocol The encryption algorithm use for data privacy only 56 bit DES is currently available Privacy Password Enter plain text character...

Page 471: ...anagement Protocol 471 Figure 260 Configuring Remote SNMPv3 Users To show remote SNMPv3 users 1 Click Administration SNMP 2 Select Configure User from the Step list 3 Select Show SNMPv3 Remote User fr...

Page 472: ...received by the host However note that informs consume more system resources because they must be kept in memory until a response is received Informs also add to network traffic You should consider th...

Page 473: ...receive notification message i e the targeted recipient Version Specifies whether to send notifications as SNMP v1 v2c or v3 traps Notification Type Traps Notifications are sent as trap messages Infor...

Page 474: ...ange 0 255 Default 3 Local User Name The name of a local user which is used to identify the source of SNMPv3 trap messages sent from the local switch Range 1 32 characters If an account for the specif...

Page 475: ...onfigure trap managers 1 Click Administration SNMP 2 Select Configure Trap from the Step list 3 Select Add from the Action list 4 Fill in the required parameters based on the selected SNMP version 5 C...

Page 476: ...agers CREATING SNMP NOTIFICATION LOGS Use the Administration SNMP Configure Notify Filter Add page to create an SNMP notification log CLI REFERENCES nlm on page 810 snmp server notify filter on page 8...

Page 477: ...Based on the default settings used in RFC 3014 a notification log can contain up to 256 entries and the entry aging time is 1440 minutes Information recorded in a notification log and the entry aging...

Page 478: ...inistration SNMP Show Statistics page to show counters for SNMP input and output protocol data units CLI REFERENCES show snmp on page 797 PARAMETERS The following counters are displayed SNMP packets i...

Page 479: ...the SNMP protocol entity Set request PDUs The total number of SNMP Set Request PDUs which have been accepted and processed or generated by the SNMP protocol entity SNMP packets output The total numbe...

Page 480: ...it can automatically notify the network administrator of a failure and provide historical information about the event If it cannot connect to the management agent it will continue to perform any speci...

Page 481: ...y be sampled Note that etherStatsEntry n uniquely defines the MIB variable and etherStatsEntry n n defines the MIB variable plus the etherStatsIndex For example 1 3 6 1 2 1 16 1 1 1 6 1 denotes etherS...

Page 482: ...lling Event Index The index of the event to use if an alarm is triggered by monitored variables reaching or crossing below the falling threshold If there is no corresponding entry in the event control...

Page 483: ...ered The response can include logging the alarm or sending a message to a trap manager Alarms and corresponding events provide a way of immediately responding to critical network problems CLI REFERENC...

Page 484: ...and v2c hosts Although the community string can be set on this configuration page it is recommended that it be defined on the SNMP trap configuration page see Setting Community Access Strings on page...

Page 485: ...RMON Configure Interface Add History page to collect statistics on a physical interface to monitor network utilization packet types and errors A historical record of activity can be used to track down...

Page 486: ...e Show nor Show Details page for the port to which is normally assigned For example if control entry 15 is assigned to port 5 this index entry will be removed from the Show and Show Details page for p...

Page 487: ...ration RMON 2 Select Configure Interface from the Step list 3 Select Show from the Action list 4 Select a port from the list 5 Click History Figure 274 Showing Configured RMON History Samples To show...

Page 488: ...bled on an interface the entry must be deleted before any changes can be made The information collected for each entry includes input octets packets broadcast packets multicast packets undersize packe...

Page 489: ...76 Configuring an RMON Statistical Sample To show configured RMON statistical samples 1 Click Administration RMON 2 Select Configure Interface from the Step list 3 Select Show from the Action list 4 S...

Page 490: ...ary unit called the Commander which is used to manage all other Member switches in the cluster The management station can use either Telnet or the web interface to communicate directly with the Comman...

Page 491: ...Clustering on page 786 COMMAND USAGE First be sure that clustering is enabled on the switch the default is disabled then set the switch as a Cluster Commander Set a Cluster IP Pool that does not confl...

Page 492: ...e Step list 3 Set the required attributes for a Commander or a managed candidate 4 Click Apply Figure 279 Configuring a Switch Cluster CLUSTER MEMBER CONFIGURATION Use the Administration Cluster Confi...

Page 493: ...idates discovered by this switch or enter the MAC address of a candidate 5 Click Apply Figure 280 Configuring a Cluster Members To show the cluster members 1 Click Administration Cluster 2 Select Conf...

Page 494: ...The ID number of the Member switch Range 1 36 Role Indicates the current status of the switch in the cluster IP Address The internal cluster IP address assigned to the Member switch MAC Address The M...

Page 495: ...onomical than EAPS in that only one physical link is required between each node in the ring However since it can tolerate only one break in the ring it is not as robust as EAPS ERPS supports up to 255...

Page 496: ...pt blocked on the nodes adjacent to the recovered link The nodes adjacent to the recovered link transmit R APS NR no request message indicating they have no local request When the RPL owner receives a...

Page 497: ...restriction on which ring link on an ring may be set as the RPL For example the RPL of ERP1 could be set as the link between ring node C and D Ring nodes C and D that are common to both ERP1 and ERP2...

Page 498: ...onnectivity among all ring nodes until the failure is recovered 4 Configure ERPS timers Configure Domain Configure Details Set the Guard timer to prevent ring nodes from receiving outdated R APS messa...

Page 499: ...pply to ERPS One switch supports up to 26 ERPS rings each ring must have one Control VLAN and at most 255 Data VLANs Ring ports can not be a member of a trunk nor an LACP enabled port Dynamic VLANs ar...

Page 500: ...see ERPS Global Configuration on page 499 before a ring can start running Once enabled the RPL owner node and non owner node state machines will start and the ring will enter the active state Limitat...

Page 501: ...ed W E Shows information on the west and east ring port for this node West Port Shows the west ring port for this node East Port Shows the east ring port for this node Interface The port or trunk whic...

Page 502: ...he RPL owner specified and the control VLAN configured Once enabled the RPL owner node and non owner node state machines will start and the ring will enter idle state if no signal failures are detecte...

Page 503: ...ng a loop in the network or other problems which may occur under some situations The Control VLAN must not be configured as a Layer 3 interface with an IP address a dynamic VLAN with GVRP enabled nor...

Page 504: ...Idle state through the exchange of protocol messages Non revertive behavior for Protection Forced Switch FS and Manual Switch MS states are basically the same Non revertive behavior requires the RPL t...

Page 505: ...ly revert when all ring links and ring nodes have recovered and no external requests are active Non revertive operation is handled in the following way a The RPL Owner Node does not generate a respons...

Page 506: ...ng nodes to unblock any blocked non RPL that does not have an SF condition If it is an R APS NR RB message without a DNF indication all ring nodes flush their FDB This action unblocks the ring port wh...

Page 507: ...n reception of an R APS NR message and in the absence of any other higher priority request starts the WTB timer and waits for it to expire While the WTB timer is running any latent R APS MS message is...

Page 508: ...le a node that has one ring port in SF condition and detects that the condition has been cleared will continuously transmit R APS NR messages with its own Node ID as priority information over both rin...

Page 509: ...tual Channel Under certain circumstances it may not be desirable to use a virtual channel to interconnect the sub ring over an arbitrary Ethernet network In this situation the R APS messages are termi...

Page 510: ...traffic may flood onto the major ring The data traffic will become stable after the MAC addresses are learned again The major ring will not be broken but the bandwidth of data traffic on the major rin...

Page 511: ...ermittent link faults Faults will only be reported to the ring protection mechanism if this timer expires Range 0 10000 milliseconds in steps of 100 milliseconds In order to coordinate timing of prote...

Page 512: ...mer i e WTR or WTB is deactivated when any higher priority request preempts this delay timer The delay timers i e WTR and WTB may be started and stopped by the system A request to start running the de...

Page 513: ...ce MEP Specifies the CCM MEPs used to monitor the link on a ring node If a MEP is used to monitor the link status of an ERPS node with CFM continuity check messages then the MEG Level parameter on thi...

Page 514: ...Configure Details from the Action list 4 Configure the ERPS parameters for this node Note that spanning tree protocol cannot be configured on the ring ports nor can these ports be members of a static...

Page 515: ...et Ring Protection Switching 515 Figure 291 Creating an ERPS Ring To show the configured ERPS rings 1 Click Administration ERPS 2 Select Configure Domain from the Step list 3 Select Show from the Acti...

Page 516: ...re the FS command was issued transmits R APS messages indicating FS over both ring ports R APS FS messages are continuously transmitted by this ring node while the local FS command is the ring node s...

Page 517: ...table Recovery for forced switching under revertive and non revertive mode is described under the Revertive parameter When a ring is under an FS condition and the node at which an FS command was issue...

Page 518: ...r higher priority commands exist and assuming the ring node was in Idle state before the manual switch command was issued the ring node flushes its local FDB d A ring node accepting an R APS MS messag...

Page 519: ...teps are required to make a ring operating in non revertive mode return to Idle state from forced switch or manual switch state 1 Issue a Clear command to remove the forced switch command on the node...

Page 520: ...ross check messages which are used to verify a static list of remote maintenance points located on other devices in the same maintenance association against those found through continuity check messag...

Page 521: ...omain with DSAPs located on the domain boundary and Internal Service Access Points ISAPs inside the domain through which frames may pass between the DSAPs Figure 294 Single CFM Maintenance Domain The...

Page 522: ...within the same MA and MIPs to discover MEPs Connectivity faults are indicated when a known MEP stops sending CCMs or a remote MEP configured in a static list does not come up Configuration errors su...

Page 523: ...MEP List see Configuring Remote Maintenance End Points This allows CFM to automatically verify the functionality of these remote end points by cross checking the static list configured on this device...

Page 524: ...up and the switch starts cross checking the list of statically configured remote MEPs in the local maintenance domain Configure Remote MEP page see Configuring Remote Maintenance End Points against th...

Page 525: ...forwarding loop exists Connectivity Check MEP Down Sends a trap if this device loses connectivity with a remote maintenance end point MEP or connectivity has been restored to a remote MEP which has re...

Page 526: ...ng CFM processing on the switch first configure the required CFM domains maintenance associations and static MEPs Then set the delay time to wait for a remote MEP comes up before the switch starts cro...

Page 527: ...ng on that interface are released and all CFM frames entering that interface are forwarded as normal data traffic WEB INTERFACE To enable CFM on an interface 1 Click Administration CFM 2 Select Config...

Page 528: ...MA MIPs are automatically generated by the CFM protocol when the MIP Creation Type is set to Default or Explicit and the MIP creation state machine is invoked as defined in IEEE 802 1ag The default op...

Page 529: ...anaged objects to see whether the MEP fault notification generator state machine has been reset and repeat those steps until the fault is resolved Only the highest priority defect currently detected i...

Page 530: ...end point MEP is created at some lower MA Level None No MIP can be created for any MA configured in this domain Configuring Detailed Settings for a Maintenance Domain MD Index Domain index Range 1 655...

Page 531: ...the maintenance domains and authorized maintenance levels thereby setting the hierarchical relationship with other domains 5 Specify the manner in which MIPs can be created within each domain 6 Click...

Page 532: ...ions MA which define a unique CFM service instance Each MA can be identified by its parent MD the MD s maintenance level the VLAN assigned to the MA and the set of maintenance end points MEPs assigned...

Page 533: ...ut If a maintenance point fails to receive three consecutive CCMs from any other MEP in the same MA a connectivity failure is registered If a maintenance point receives a CCM with an invalid MEPID or...

Page 534: ...s The setting for this parameter is expressed as levels 4 through 7 which in turn map to specific intervals of time Options 4 1 second 5 10 seconds 6 1 minute 7 10 minutes Connectivity Check Enables t...

Page 535: ...1 Click Administration CFM 2 Select Configure MA from the Step list 3 Select Add from the Action list 4 Select an entry from the MD Index list 5 Specify the MAs assigned to each domain the VLAN throu...

Page 536: ...Click Administration CFM 2 Select Configure MA from the Step list 3 Select Configure Details from the Action list 4 Select an entry from MD Index and MA Index 5 Specify the CCM interval enable the tra...

Page 537: ...EP s MA or the direction it faces first delete the MEP and then create a new one PARAMETERS These parameters are displayed MD Index Domain index Range 1 65535 MA Index MA identifier Range 1 2147483647...

Page 538: ...ts CONFIGURING REMOTE MAINTENANCE END POINTS Use the Administration CFM Configure Remote MEP Add page to specify remote maintenance end points MEPs set on other CFM enabled devices within a common MA...

Page 539: ...e waits for remote MEPs to come up before starting the cross check operation can be configured on the Configure Global page see Configuring Global Settings for CFM SNMP traps for continuity check even...

Page 540: ...Trace page to transmit link trace messages LTMs These messages can isolate connectivity faults by tracing the path through a network to the designated target node i e a remote maintenance end point C...

Page 541: ...er Parameters controlling the link trace cache including operational state entry hold time and maximum size can be configured on the Configure Global page see Configuring Global Settings for CFM PARAM...

Page 542: ...d isolation after automatic detection of a fault or receipt of some other error report Loopback messages can also used to confirm the successful restoration or initiation of connectivity The receiving...

Page 543: ...ess can be entered in either of the following formats xx xx xx xx xx xx or xxxxxxxxxxxx Count The number of times the loopback message is sent Range 1 1024 Packet Size The size of the loopback message...

Page 544: ...a frame with DM request information and the receiving MEP responds with a frame with DM reply information with TxTimeStampf copied from the DM request information RxTimeStampf Timestamp at the time of...

Page 545: ...asure messages Range 1 5 seconds Default 1 second Timeout The timeout to wait for a response Range 1 5 seconds Default 5 seconds WEB INTERFACE To transmit delay measure messages 1 Click Administration...

Page 546: ...the MEP is facing away from the switch and transmits CFM messages towards and receives them from the direction of the physical medium Up indicates that the MEP faces inward toward the switch cross con...

Page 547: ...ce point Direction The direction in which the MEP faces on the Bridge port up or down Interface The port to which this MEP is attached CC Status Shows if the MEP will generate CCM messages MAC Address...

Page 548: ...FM 2 Select Show Information from the Step list 3 Select Show Local MEP Details from the Action list 4 Select an entry from MD Index and MA Index 5 Select a MEP ID Figure 312 Showing Detailed Informat...

Page 549: ...CFM 2 Select Show Information from the Step list 3 Select Show Local MIP from the Action list Figure 313 Showing Information on Local MIPs DISPLAYING REMOTE MEPS Use the Administration CFM Show Infor...

Page 550: ...CFM 2 Select Show Information from the Step list 3 Select Show Remote MEP from the Action list Figure 314 Showing Information on Remote MEPs DISPLAYING DETAILS FOR REMOTE MEPS Use the Administration...

Page 551: ...Up The port is functioning normally Blocked The port has been blocked by the Spanning Tree Protocol No port state Either no CCM has been received or nor port status TLV was received in the last CCM I...

Page 552: ...from MD Index and MA Index 5 Select a MEP ID Figure 315 Showing Detailed Information on Remote MEPs DISPLAYING THE LINK TRACE CACHE Use the Administration CFM Show Information Show Link Trace Cache pa...

Page 553: ...locked The ingress port can be identified but the target data frame was not forwarded when received on this port due to active topology management i e the bridge port is not in the forwarding state In...

Page 554: ...settings for the fault notification generator CLI REFERENCES show ethernet cfm fault notify generator on page 1385 PARAMETERS These parameters are displayed MEP ID Maintenance end point identifier MD...

Page 555: ...are displayed Level Maintenance level associated with this entry Primary VLAN VLAN in which this error occurred MEP ID Identifier of remote MEP Interface Port at which the error was recorded Remote MA...

Page 556: ...continuity check errors 1 Click Administration CFM 2 Select Show Information from the Step list 3 Select Show Continuity Check Error from the Action list Figure 318 Showing Continuity Check Errors OAM...

Page 557: ...nterface is not operational Passive Wait This value is returned only by OAM entities in passive mode and indicates the OAM entity is waiting to see if the peer device is OAM capable Active Send Local...

Page 558: ...events An errored frame is a frame in which one or more bits are errored An errored frame link event occurs if the threshold is reached or exceeded within the specified period If reporting is enabled...

Page 559: ...OAM messages passed across each port CLI REFERENCES show efm oam counters interface on page 1397 clear efm oam counters on page 1394 PARAMETERS These parameters are displayed Port Port identifier Ran...

Page 560: ...ND USAGE When a link event occurs no matter whether the location is local or remote this information is entered in OAM event log When the log system becomes full older events are automatically deleted...

Page 561: ...ction Shows if this function is supported by the OAM peer If supported this indicates that the OAM entity supports the transmission of OAMPDUs on links that are operating in unidirectional mode where...

Page 562: ...an OAM remote loop back test on the specified port The port that you specify to run this test must be connected to a peer OAM device capable of entering into OAM remote loop back mode During a remote...

Page 563: ...ed during the last loopback test on this interface Loss Rate The percentage of packets for which there was no response WEB INTERFACE To initiate a loop back test to the peer device attached to the sel...

Page 564: ...Loop Back Show Test Result page to display the results of remote loop back testing for each port for which this information is available CLI REFERENCES show efm oam remote loopback interface on page...

Page 565: ...INTERFACE To display the results of remote loop back testing for each port for which this information is available 1 Click Administration OAM Remote Loop Back 2 Select Show Test Result from the Action...

Page 566: ...CHAPTER 14 Basic Administration Protocols OAM Configuration 566...

Page 567: ...r IPv6 Configures a single network wide multicast VLAN shared by hosts residing in other standard or private VLAN groups preserving security and data isolation OVERVIEW Multicasting is used to support...

Page 568: ...s only It then propagates the service request up to any neighboring multicast switch router to ensure that it will continue to receive the multicast service The purpose of IP multicast filtering is to...

Page 569: ...of these sources IGMPv3 hosts may also request that service be forwarded from any source except for those specified In this case traffic is filtered from sources in the Exclude list and forwarded fro...

Page 570: ...ONFIGURING IGMP SNOOPING AND QUERY PARAMETERS Use the Multicast IGMP Snooping General page to configure the switch to forward multicast traffic intelligently Based on the IGMP query and report message...

Page 571: ...s command the switch performs IGMP Snooping with Proxy Reporting as defined in DSL Forum TR 101 April 2006 including last leave and query suppression Last leave sends out a proxy query when the last m...

Page 572: ...a spanning tree receives a TCN for a VLAN where IGMP snooping is enabled it issues a global IGMP leave message or query solicitation When a switch receives this solicitation it floods it to all ports...

Page 573: ...e that is uplink port starts up the switch sends unsolicited reports for all currently learned multicast channels via the new upstream interface This command only applies when proxy reporting is enabl...

Page 574: ...face and a specified VLAN can be manually configured to join all the current multicast groups supported by the attached router This can ensure that multicast traffic is passed to all the appropriate i...

Page 575: ...y is static or dynamic Expire Time until this dynamic entry expires WEB INTERFACE To specify a static interface attached to a multicast router 1 Click Multicast IGMP Snooping Multicast Router 2 Select...

Page 576: ...nterfaces Attached a Multicast Router ASSIGNING INTERFACES TO MULTICAST SERVICES Use the Multicast IGMP Snooping IGMP Member Add Static Member page to statically assign a multicast service to an inter...

Page 577: ...cast group Multicast IP The IP address for a specific multicast service WEB INTERFACE To statically assign an interface to a multicast service 1 Click Multicast IGMP Snooping IGMP Member 2 Select Add...

Page 578: ...ches from different vendors In response to this problem the Multicast Router Discovery MRD protocol has been developed for use by IGMP snooping and multicast routing devices MRD is used to discover wh...

Page 579: ...erface with IP multicast forwarding and MRD enabled a router will respond with an Advertisement Multicast Router Termination These messages are sent when a router stops IP multicast routing functions...

Page 580: ...vice if a leave packet is received at that port and immediate leave is enabled for the parent VLAN Default Disabled If immediate leave is not used a multicast router or querier will send a group speci...

Page 581: ...upstream from the multicast router port If a proxy query address is not configured the switch will use the VLAN s IP address as the IP source address in general and group specific query messages sent...

Page 582: ...ting is enabled page 570 or IGMP querier is enabled page 570 Last Member Query Count The number of IGMP proxy group specific or group and source specific query messages that are sent out before the sy...

Page 583: ...igure and update the required parameters 4 Click Apply Figure 332 Configuring IGMP Snooping on a VLAN To show the interface settings for IGMP snooping 1 Click Multicast IGMP Snooping Interface 2 Selec...

Page 584: ...any IGMP query packets received on the specified interface If this switch is acting as a Querier this prevents it from being affected by messages received from another Querier Default Disabled Multica...

Page 585: ...rwarding traffic to downstream ports for the specified multicast group address Group Address IP multicast group address with subscribers directly attached or downstream from the switch or a static mul...

Page 586: ...TERS These parameters are displayed VLAN VLAN identifier Range 1 4094 Port Port identifier Range 1 28 52 Trunk Trunk identifier Range 1 16 Query Statistics Other Querier IP address of remote querier o...

Page 587: ...ed for this interface V3 Warning Count The number of times the query version received Version 3 does not match the version configured for this interface VLAN Port and Trunk Statistics Input Statistics...

Page 588: ...to invalid format rate limiting packet content not allowed or IGMP group report received Group The number of IGMP groups active on this interface WEB INTERFACE To display statistics for IGMP snooping...

Page 589: ...a VLAN Figure 337 Displaying IGMP Snooping Statistics VLAN To display IGMP snooping protocol related statistics for a port 1 Click Multicast IGMP Snooping Statistics 2 Select Show Port Statistics from...

Page 590: ...oup is permitted the IGMP join report is forwarded as normal If a requested multicast group is denied the IGMP join report is dropped IGMP throttling sets a maximum number of multicast groups that a p...

Page 591: ...ering the same IP address for the start and end of the range PARAMETERS These parameters are displayed Add Profile ID Creates an IGMP profile Range 1 4294967295 Access Mode Sets the access mode of the...

Page 592: ...340 Creating an IGMP Filtering Profile To show the IGMP filter profiles 1 Click Multicast IGMP Snooping Filter 2 Select Configure Profile from the Step list 3 Select Show from the Action list Figure...

Page 593: ...MP FILTERING AND THROTTLING FOR INTERFACES Use the Multicast IGMP Snooping Filter Configure Interface page to assign and IGMP filter profile to interfaces on the switch or to throttle multicast traffi...

Page 594: ...ge 1 1023 Default 1023 Current Multicast Groups Displays the current multicast groups the interface has joined Throttling Action Mode Sets the action to take when the maximum number of multicast group...

Page 595: ...to IGMPv2 query report and leave messages MLDv2 control packets include MLDv2 query and report messages as well as MLDv1 report and done messages Remember that IGMP Snooping and MLD Snooping are indep...

Page 596: ...uery Interval The interval between sending MLD general queries Range 60 125 seconds Default 125 seconds This attribute applies when the switch is serving as the querier An MLD general query message is...

Page 597: ...ENCES ipv6 mld snooping vlan immediate leave on page 1267 PARAMETERS These parameters are displayed VLAN A VLAN identification number Range 1 4094 Immediate Leave Status Immediately deletes a member p...

Page 598: ...ctions MLD snooping may not always be able to locate the MLD querier Therefore if the MLD querier is a known multicast router switch connected over the network to an interface port or trunk on the swi...

Page 599: ...terface for an IPv6 Multicast Router To show the static interfaces attached to a multicast router 1 Click Multicast MLD Snooping Multicast Router 2 Select Show Static Multicast Router from the Action...

Page 600: ...group CLI REFERENCES ipv6 mld snooping vlan static on page 1269 clear ipv6 mld snooping groups dynamic on page 1269 COMMAND USAGE Static multicast addresses are never aged out When a multicast addres...

Page 601: ...pecify the interface attached to a multicast service through an MLD enabled switch or multicast router and enter the multicast IP address 4 Click Apply Figure 350 Assigning an Interface to an IPv6 Mul...

Page 602: ...nformation page to display known multicast groups member ports the means by which each group was learned and the corresponding source list CLI REFERENCES show ipv6 mld snooping group source list on pa...

Page 603: ...ded on the router s exclude list WEB INTERFACE To display known MLD multicast groups 1 Click Multicast MLD Snooping Group Information 2 Select the port or trunk and then select a multicast service ass...

Page 604: ...nd assign the profile to an MVR domain see Configuring MVR Group Address Profiles on page 608 3 Set the interfaces that will join the MVR as source ports or receiver ports see Configuring MVR Interfac...

Page 605: ...eam or router interfaces These interfaces perform the standard MVR router functions by maintaining a database of all MVR subscriptions on the downstream interface Receiver ports must therefore be conf...

Page 606: ...which the source port has dynamically joined Always Forward By default the switch forwards any multicast streams within the address range set by a profile and bound to a domain The multicast streams a...

Page 607: ...s the channel for streaming multicast services using MVR MVR source ports should be configured as members of the MVR VLAN see Adding Static Members to VLANs on page 205 but MVR receiver ports should n...

Page 608: ...be assigned to all ingress multicast traffic and set the source IP address for all control packets sent upstream as required 5 Click Apply Figure 356 Configuring Domain Settings for MVR CONFIGURING MV...

Page 609: ...ng one or more MVR group addresses Range 1 21 characters Start IP Address Starting IP address for an MVR multicast group Range 224 0 1 0 239 255 255 255 End IP Address Ending IP address for an MVR mul...

Page 610: ...cast MVR 2 Select Configure Profile from the Step list 3 Select Show from the Action list Figure 358 Displaying MVR Group Address Profiles To assign an MVR group address profile to a domain 1 Click Mu...

Page 611: ...ly one subscriber attached to an interface is receiving multicast services you can enable the immediate leave function CLI REFERENCES MVR for IPv4 on page 1281 COMMAND USAGE A port configured as an MV...

Page 612: ...the group list Using immediate leave can speed up leave latency but should only be enabled on a port attached to one multicast subscriber to avoid disrupting services to other group members attached...

Page 613: ...s an MVR receiver Default Disabled By Group The receiver port is immediately removed from the multicast group identified in the leave message By Host IP The router querier will not send out a group sp...

Page 614: ...m 224 0 0 0 to 239 255 255 255 is used for multicast streams MVR group addresses cannot fall within the reserved IP multicast address range of 224 0 0 x Only IGMP version 2 or 3 hosts can issue multic...

Page 615: ...ect an MVR domain 5 Select a VLAN and interface to receive the multicast stream and then enter the multicast group address 6 Click Apply Figure 362 Assigning Static MVR Groups to an Interface To show...

Page 616: ...to the MVR VLAN VLAN Indicates the MVR VLAN receiving the multicast service Note that this may be different from the MVR VLAN if the group address has been statically assigned Port Shows the interface...

Page 617: ...ange 1 5 VLAN VLAN identifier Range 1 4094 Port Port identifier Range 1 28 52 Trunk Trunk identifier Range 1 16 Query Statistics Querier IP Address The IP address of the querier on this interface Quer...

Page 618: ...or group and source specific query messages received on this interface Drop The number of times a report leave or query was dropped Packets may be dropped due to invalid format rate limiting packet co...

Page 619: ...r IPv4 619 WEB INTERFACE To display statistics for MVR query related messages 1 Click Multicast MVR 2 Select Show Statistics from the Step list 3 Select Show Query Statistics from the Action list 4 Se...

Page 620: ...stics from the Step list 3 Select Show VLAN Statistics from the Action list 4 Select an MVR domain 5 Select a VLAN Figure 366 Displaying MVR Statistics VLAN To display MVR protocol related statistics...

Page 621: ...VR6 Domain Settings on page 624 2 Create an MVR6 profile by specifying the multicast groups that will stream traffic to attached hosts and assign the profile to an MVR6 domain see Configuring MVR6 Gro...

Page 622: ...l downstream interfaces which require MVR proxy service When the source port receives report and leave messages it only forwards them to other source ports When receiver ports receive any query messag...

Page 623: ...domain The multicast streams are sent to all source ports on the switch and to all receiver ports that have elected to receive data on that multicast address Dynamic When dynamic mode is enabled the...

Page 624: ...ssary conditions in the MVR6 environment are satisfied Running status is Active as long as MVR6 is enabled the specified MVR6 VLAN exists and a source port with a valid link has been configured see Co...

Page 625: ...t MVR6 Configure Profile and Associate Profile pages to assign the multicast group address for required services to one or more MVR6 domains CLI REFERENCES MVR for IPv6 on page 1303 COMMAND USAGE Use...

Page 626: ...for an MVR6 multicast group This parameter must be a full IPv6 address including the network prefix and host address bits End IPv6 Address Ending IP address for an MVR6 multicast group This parameter...

Page 627: ...ile from the Step list 3 Select Show from the Action list Figure 371 Displaying MVR6 Group Address Profiles To assign an MVR6 group address profile to a domain 1 Click Multicast MVR6 2 Select Associat...

Page 628: ...under MVR6 Receiver ports can belong to different VLANs but should not be configured as a member of the MVR6 VLAN MVR6 allows a receiver port to dynamically join or leave multicast groups sourced thr...

Page 629: ...pate in the MVR6 VLAN This is the default type Source An uplink port that can send and receive multicast data for the groups assigned to the MVR6 VLAN Note that the source port must be manually config...

Page 630: ...MVR6 2 Select Configure Interface from the Step list 3 Select Port or Trunk interface 4 Select an MVR6 domain 5 Set each port that will participate in the MVR6 protocol as a source port or receiver p...

Page 631: ...e displayed Domain ID An independent multicast domain Range 1 5 Interface Port or trunk identifier VLAN VLAN identifier Range 1 4094 Group IPv6 Address Defines a multicast service sent to the selected...

Page 632: ...eiver groups on each interface CLI REFERENCES show mvr6 members on page 1318 PARAMETERS These parameters are displayed Domain ID An independent multicast domain Range 1 5 Group IPv6 Address Multicast...

Page 633: ...an MVR6 domain Figure 377 Displaying MVR6 Receiver Groups DISPLAYING MVR6 STATISTICS Use the Multicast MVR6 Show Statistics pages to display MVR6 protocol related statistics for the specified interfa...

Page 634: ...leave messages received on this interface G Query The number of general query messages received on this interface G S S Query The number of group specific or group and source specific query messages r...

Page 635: ...IPv6 635 WEB INTERFACE To display statistics for MVR6 query related messages 1 Click Multicast MVR6 2 Select Show Statistics from the Step list 3 Select Show Query Statistics from the Action list 4 Se...

Page 636: ...Pv6 636 To display MVR6 protocol related statistics for a VLAN 1 Click Multicast MVR6 2 Select Show Statistics from the Step list 3 Select Show VLAN Statistics from the Action list 4 Select an MVR6 do...

Page 637: ...Pv6 637 To display MVR6 protocol related statistics for a port 1 Click Multicast MVR6 2 Select Show Statistics from the Step list 3 Select Show Port Statistics from the Action list 4 Select an MVR6 do...

Page 638: ...CHAPTER 15 Multicast Filtering Multicast VLAN Registration for IPv6 638...

Page 639: ...itch An IPv4 address is obtained via DHCP by default for VLAN 1 To configure a static address you need to change the switch s default settings to values that are compatible with your network You may a...

Page 640: ...ses can include the IP address subnet mask and default gateway Default DHCP IP Address Type Specifies a primary or secondary IP address An interface can have only one primary IP address but can have m...

Page 641: ...face and then enter the IP address and subnet mask 4 Click Apply Figure 381 Configuring a Static IPv4 Address To obtain an dynamic address through DHCP BOOTP for the switch 1 Click IP General Routing...

Page 642: ...a specific period of time If the address expires or the switch is moved to another network segment you will lose management access to the switch In this case you can reboot the switch or submit a cli...

Page 643: ...attached to the same local subnet Management traffic using this kind of address cannot be passed by any router outside of the subnet A link local address is easy to set up and may be useful for simple...

Page 644: ...al values One double colon may be used in the address to indicate the appropriate number of zeros required to fill the undefined fields WEB INTERFACE To configure an IPv6 default gateway for the switc...

Page 645: ...is to be used for management access or as a standard interface for a subnet By default all ports on the switch are members of VLAN 1 However the management station can be attached to a port belonging...

Page 646: ...interface before the MTU can be set If an IPv6 address has not been assigned to the switch N A is displayed in the MTU field ND DAD Attempts The number of consecutive neighbor solicitation messages se...

Page 647: ...imit configured by this parameter allows the router to detect unavailable neighbors During the neighbor discover process an IPv6 node will multicast neighbor solicitation messages to search for neighb...

Page 648: ...Advertisements RA convey information that enables nodes to auto configure on the network This information may include the default router address taken from the observed source address of the RA messag...

Page 649: ...nsidered reachable 6 Click Apply Figure 385 Configuring General Settings for an IPv6 Interface To configure RA Guard for the switch 1 Click IP IPv6 Configuration 2 Select Configure Interface from the...

Page 650: ...by entering the full address with a network prefix in the range of FE80 FEBF To connect to a larger network with multiple subnets you must configure a global unicast address There are several alterna...

Page 651: ...of the address Note that the value specified in the IPv6 Address field may include some of the high order host bits if the specified prefix length is less than 64 bits If the specified prefix length...

Page 652: ...cify the VLAN to configure select the address type and then enter an IPv6 address and prefix length 4 Click Apply Figure 387 Configuring an IPv6 Address SHOWING IPV6 ADDRESSES Use the IP IPv6 Configur...

Page 653: ...dress it is assigned IPv6 addresses that differ only in the high order bits e g due to multiple high order prefixes associated with different aggregations will map to the same solicited node address t...

Page 654: ...chable Positive confirmation was received within the last ReachableTime interval that the forward path to the neighbor was functioning While in REACH state the device takes no special action when send...

Page 655: ...t Control Message Protocol for Version 6 addresses is a network layer protocol that transmits message packets to report errors in processing IPv6 packets ICMP is therefore an integral part of the Inte...

Page 656: ...e for some of the datagrams Truncated Packets The number of input datagrams discarded because datagram frame didn t carry enough data Discards The number of input IPv6 datagrams for which no problems...

Page 657: ...lly fragmented at this output interface Fragment Failed The number of IPv6 datagrams that have been discarded because they needed to be fragmented at this output interface but could not be ICMPv6 Stat...

Page 658: ...sent by the interface Parameter Problem Message The number of ICMP Parameter Problem messages sent by the interface Echo Reply Messages The number of ICMP Echo Reply messages sent by the interface Ro...

Page 659: ...ting the Switch s IP Address IP Version 6 659 WEB INTERFACE To show the IPv6 statistics 1 Click IP IPv6 Configuration 2 Select Show Statistics from the Action list 3 Click IPv6 ICMPv6 or UDP Figure 39...

Page 660: ...CHAPTER 16 IP Configuration Setting the Switch s IP Address IP Version 6 660 Figure 391 Showing IPv6 Statistics ICMPv6 Figure 392 Showing IPv6 Statistics UDP...

Page 661: ...1444 PARAMETERS These parameters are displayed WEB INTERFACE To show the MTU reported from other devices 1 Click IP IPv6 Configuration 2 Select Show MTU from the Action list Figure 393 Showing Reporte...

Page 662: ...CHAPTER 16 IP Configuration Setting the Switch s IP Address IP Version 6 662...

Page 663: ...DOMAIN NAME SERVICE DNS service on this switch allows host names to be mapped to IP addresses using static table entries or by redirection to other name servers on the network When a client device des...

Page 664: ...or DNS CONFIGURING A LIST OF DOMAIN NAMES Use the IP Service DNS General Add Domain Name page to configure a list of domain names to be tried in sequential order CLI REFERENCES ip domain list on page...

Page 665: ...Name of the host Do not include the initial dot that separates the host name from the domain name Range 1 68 characters WEB INTERFACE To create a list domain names 1 Click IP Service DNS 2 Select Add...

Page 666: ...until a response is received or the end of the list is reached with no response If all name servers are deleted DNS will automatically be disabled This is done by disabling the domain lookup status P...

Page 667: ...MAND USAGE Static entries may be used for local devices connected directly to the attached network or for commonly used resources located elsewhere on the network PARAMETERS These parameters are displ...

Page 668: ...ve been learned via the designated name servers CLI REFERENCES show dns cache on page 1408 COMMAND USAGE Servers or other network devices may support one or more connections via multiple IP addresses...

Page 669: ...TP or DHCP server you can relay DHCP client requests to a DHCP server on another subnet SPECIFYING A DHCP CLIENT IDENTIFIER Use the IP Service DHCP Client page to specify the DHCP client identifier fo...

Page 670: ...but the format used by both the client and server must be the same PARAMETERS These parameters are displayed in the web interface VLAN ID of configured VLAN Vendor Class ID The following options are...

Page 671: ...client is located Then the switch forwards the packet to the DHCP server When the server receives the DHCP request it allocates a free IP address for the DHCP client from its defined scope for the DHC...

Page 672: ...vers in order of preference 3 Click Apply Figure 404 Configuring DHCP Relay Service CONFIGURING THE PPPOE INTERMEDIATE AGENT This section describes how to configure the PPPoE Intermediate Agent PPPoE...

Page 673: ...e enabled on an interface Access Node Identifier String identifying this switch as an PPPoE IA to the PPPoE server Range 1 48 ASCII characters Default IP address of first IPv4 interface on the switch...

Page 674: ...d globally on the switch for this command to take effect Trust Status Sets an interface to trusted mode to indicate that it is connected to a PPPoE server Default Disabled Set any interfaces connectin...

Page 675: ...which the discovery packet was received entering the switch or access node where the intermediate agent resides Outgoing PAD Offer PADO and Session confirmation PADS packets sent from the PPPoE Serve...

Page 676: ...splayed Interface Port or trunk selection Received Received PPPoE active discovery messages All All PPPoE active discovery message types PADI PPPoE Active Discovery Initiation messages PADO PPPoE Acti...

Page 677: ...Agent 677 WEB INTERFACE To show statistics for PPPoE IA protocol messages 1 Click IP Service PPPoE Intermediate Agent 2 Select Show Statistics from the Step list 3 Select Port or Trunk interface type...

Page 678: ...CHAPTER 17 IP Services Configuring the PPPoE Intermediate Agent 678...

Page 679: ...switch is first booted default routing can only forward traffic between local IP interfaces As with all traditional routers static and dynamic routing functions must first be configured to work INITI...

Page 680: ...placing destination source MAC addresses for each hop Incrementing the hop count Decrementing the time to live Verifying and recalculating the Layer 3 checksum If the destination node is on the same s...

Page 681: ...ready there the switch broadcasts an ARP packet to all the ports on the destination VLAN to find out the destination MAC address After the MAC address is discovered the packet is reformatted and sent...

Page 682: ...twork prefix number to which the router interface is attached and the router s host number on that network In other words a router interface address defines the network segment that is connected to th...

Page 683: ...S Service Parameters on page 663 and one or more DNS servers specified see Configuring a List of Name Servers on page 666 or Configuring Static DNS Host to Address Entries on page 667 Probe Count Numb...

Page 684: ...vice USING THE TRACE ROUTE FUNCTION Use the IP General Trace Route page to show the route packets take to the specified destination CLI REFERENCES traceroute on page 1426 PARAMETERS These parameters a...

Page 685: ...e If the timer goes off before a response is returned the trace function prints a series of asterisks and the Request Timed Out message A long sequence of these messages terminating only when the maxi...

Page 686: ...the destination IP address in the message However if it does match they write their own hardware address into the destination MAC address field and send the message back to the source hardware address...

Page 687: ...Default Disabled End stations that require Proxy ARP must view the entire network as a single network These nodes must therefore use a smaller subnet mask than that used by the router or other releva...

Page 688: ...cations may not respond to ARP requests or the response arrives too late causing network operations to time out Static entries will not be aged out or deleted when power is reset You can only remove a...

Page 689: ...NAMIC OR LOCAL ARP ENTRIES Use the IP ARP Show Information page to display dynamic or local entries in the ARP cache The ARP cache contains static entries and entries for local interfaces including su...

Page 690: ...e the IP ARP Show Information page to display statistics for ARP messages crossing all interfaces on this router CLI REFERENCES show ip traffic on page 1425 PARAMETERS These parameters are displayed T...

Page 691: ...automatically change in response to changes in network topology so you should only configure a small number of stable routes to ensure network accessibility CLI REFERENCES ip route on page 1468 ip sw...

Page 692: ...Next Hop IP address of the next router hop used for this route Distance An administrative distance indicating that this route can be overridden by other routing information Range 1 255 Default 1 WEB...

Page 693: ...e interface identifier and next hop information for each reachable destination network prefix based on the IP routing table When routing or topology changes occur in the network the routing table is u...

Page 694: ...icates the default gateway for this router Net Mask Network mask for the associated IP subnet This mask identifies the host address bits used for routing to specific subnets Next Hop The IP address of...

Page 695: ...on page 793 Remote Monitoring Commands on page 815 Authentication Commands on page 823 General Security Measures on page 889 Access Control Lists on page 969 Interface Commands on page 995 Link Aggre...

Page 696: ...s of Service Commands on page 1195 Quality of Service Commands on page 1207 Multicast Filtering Commands on page 1225 LLDP Commands on page 1323 CFM Commands on page 1347 OAM Commands on page 1389 Dom...

Page 697: ...nsole prompt enter the user name and password The default user names are admin and guest with corresponding passwords of admin and guest When the administrator user name and password is entered the CL...

Page 698: ...54 Console config If your corporate network is connected to another network outside your office or to the Internet you need to apply for a registered IP address However if you are attached to an isola...

Page 699: ...each command in the required order For example to enable Privileged Exec command mode and display the startup configuration enter Console enable Console show startup config To enter commands that req...

Page 700: ...table Show collision mac address debug State of each debugging option discard Discard packet dns DNS information dos protection Shows the system dos protection summary information dot1q tunnel dot1q t...

Page 701: ...rmation tech support Technical information time range Time range traffic segmentation Traffic segmentation information udld Displays UDLD information upgrade Shows upgrade information users Informatio...

Page 702: ...the up arrow key Any command displayed in the history list can be executed again or first modified and then executed Using the show history command displays a longer list of recently executed commands...

Page 703: ...is opened To end the CLI session enter Exit Console Username guest Password guest login password CLI session with the ECS4110 52T is opened To end the CLI session enter Exit Console enable Password pr...

Page 704: ...ime range for use by other functions such as Access Control Lists VLAN Configuration Includes the command to create VLAN groups To enter the Global Configuration mode enter the command configure in Pr...

Page 705: ...ne 749 MSTP spanning tree mst configuration Console config mstp 1098 Policy Map policy map Console config pmap 1211 Time Range time range Console config time range 783 VLAN vlan database Console confi...

Page 706: ...Delete key or backspace key Erases a mistake when entering a command Table 49 Keystroke Commands Continued Keystroke Function Table 50 Command Group Index Command Group Description Page General Basic...

Page 707: ...table or sets the aging time 1085 Spanning Tree Configures Spanning Tree settings for the switch 1091 ERPS Configures Ethernet Ring Protection Switching for increased availability of Ethernet rings c...

Page 708: ...Spanning Tree NE Normal Exec PE Privileged Exec PM Policy Map Configuration VC VLAN Database Configuration IP Interface Configures IP address for the switch interfaces also configures ARP parameters a...

Page 709: ...estarts the system at a specified time after a specified delay or at a periodic interval GC enable Activates privileged mode NE quit Exits a CLI session NE PE show history Shows the command history bu...

Page 710: ...of week monthly day cancel at in regularity reload at A specified time at which to reload the switch hour The hour at which to reload Range 0 23 minute The minute at which to reload Range 0 59 month...

Page 711: ...02 10 43 2007 Are you sure to reboot the system at the specified time y n enable This command activates Privileged Exec mode In privileged mode additional commands are available and certain commands...

Page 712: ...Exec COMMAND USAGE The quit and exit commands can both exit the configuration program EXAMPLE This example shows how to quit a CLI session Console quit Press ENTER to start session User Access Verific...

Page 713: ...tory buffer when you are in any of the configuration modes In this example the 2 command repeats the second command in the Execution history buffer config Console 2 Console config Console config confi...

Page 714: ...ed to the end of the prompt to indicate that the system is in normal access mode EXAMPLE Console disable Console RELATED COMMANDS enable 711 reload Privileged Exec This command restarts the system NOT...

Page 715: ...ays 0 hours 29 minutes 52 seconds Console end This command returns to Privileged Exec mode DEFAULT SETTING None COMMAND MODE Global Configuration Interface Configuration Line Configuration VLAN Databa...

Page 716: ...EXAMPLE This example shows how to return to the Privileged Exec mode from the Global Configuration mode and then quit the CLI session Console config exit Console exit Press ENTER to start session Use...

Page 717: ...gers and version information Frame Size Enables support for jumbo frames File Management Manages code image or switch configuration files Line Sets communication parameters for the serial port includi...

Page 718: ...is automatically displayed before login as soon as a console or telnet connection has been established Table 54 Banner Commands Command Function Mode banner configure Configures the banner informatio...

Page 719: ...rted If for example a mistake is made in the company name it can be corrected with the banner configure company command EXAMPLE Console config banner configure Company EdgeCore Networks Responsible de...

Page 720: ...e company information displayed in the banner Use the no form to remove the company name from the banner display SYNTAX banner configure company name no banner configure company name The name of the c...

Page 721: ...COMMAND MODE Global Configuration COMMAND USAGE Input strings cannot contain spaces The banner configure dc power info command interprets spaces as data input boundaries The use of underscores _ or ot...

Page 722: ...YNTAX banner configure equipment info manufacturer id mfr id floor floor id row row id rack rack id shelf rack sr id manufacturer mfr name no banner configure equipment info floor manufacturer manufac...

Page 723: ...None COMMAND MODE Global Configuration COMMAND USAGE Input strings cannot contain spaces The banner configure equipment location command interprets spaces as data input boundaries The use of undersco...

Page 724: ...igure lp number This command is used to configure the LP number information displayed in the banner Use the no form to restore the default setting SYNTAX banner configure lp number lp num no banner co...

Page 725: ...mber The phone number of the third manager Maximum length of each parameter 32 characters DEFAULT SETTING None COMMAND MODE Global Configuration COMMAND USAGE Input strings cannot contain spaces The b...

Page 726: ...e no form to restore the default setting SYNTAX banner configure note note info no banner configure note note info Miscellaneous information that does not fit the other banner categories or any other...

Page 727: ...section describes commands used to display system information Table 55 System Status Commands Command Function Mode show access list tcam utilization Shows utilization parameters for TCAM PE show memo...

Page 728: ...or a port the system will also use two PCEs EXAMPLE Console show access list tcam utilization Total Policy Control Entries 768 Free Policy Control Entries 756 Entries Used by System 12 Entries Used by...

Page 729: ...ation in the past 60 seconds Average Utilization 36 Maximum Utilization 39 Alarm Status Current Alarm Status Off Last Alarm Start Time Dec 28 11 20 01 2013 Last Alarm Duration Time 13 seconds Alarm Co...

Page 730: ...Multiple spanning tree instances name and interfaces IP address configured for management VLAN Interface settings Any configured settings for the console port and Telnet EXAMPLE Console show running...

Page 731: ...d in non volatile memory This command displays settings for key command modes Each mode group is separated by symbols and includes the configuration mode command and corresponding commands This comman...

Page 732: ...0 seconds System Name System Location System Contact MAC Address Unit 1 00 E0 0C 00 00 FD Web Server Enabled Web Server Port 80 Web Secure Server Enabled Web Secure Server Port 443 Telnet Server Enabl...

Page 733: ...ort 23 Jumbo Frame Disabled show users Shows all active console and Telnet sessions including user name idle time and IP address of Telnet client DEFAULT SETTING None COMMAND MODE Normal Exec Privileg...

Page 734: ...on on the items displayed by this command EXAMPLE Console show version Serial Number S123456 Hardware Version R0A EPLD Version 0 00 Number of Ports 52 Main Power Status Up Role Master Loader Version 0...

Page 735: ...and enables support for Layer 2 jumbo frames for Gigabit Ethernet ports Use the no form to disable it SYNTAX no jumbo frame DEFAULT SETTING Disabled COMMAND MODE Global Configuration COMMAND USAGE Thi...

Page 736: ...ing runtime code the destination file name can be specified to replace the current image or the file can be first downloaded using a different name from the current runtime code file and then the new...

Page 737: ...booted PE Automatic Code Upgrade Commands upgrade opcode auto Automatically upgrades the current image when a new version is detected on the indicated server GC upgrade opcode path Specifies an FTP T...

Page 738: ...tings listed in the specified file to the running configuration file Keyword that allows you to copy to from a file ftp Keyword that allows you to copy to from an FTP server https certificate Keyword...

Page 739: ...tch to use HTTPS for a secure connection see the ip http secure server command When logging into an FTP server the interface prompts for a user name and password configured on the remote server Note t...

Page 740: ...his example shows how to copy a secure site certificate from an TFTP server It then reboots the switch to activate the certificate Console copy tftp https certificate TFTP server ip address 10 1 0 19...

Page 741: ...sole delete This command deletes a file or image SYNTAX delete file name filename filename Name of configuration file or code image DEFAULT SETTING None COMMAND MODE Privileged Exec COMMAND USAGE If t...

Page 742: ...ystem displays all files File information is shown below EXAMPLE The following example shows how to display all file information Console dir File Name Type Startup Modify Time Size bytes Unit 1 ECS411...

Page 743: ...05 08 08 59 03 1588 Console Automatic Code Upgrade Commands upgrade opcode auto This command automatically upgrades the current operational code when a new version is detected on the server indicated...

Page 744: ...running config or show startup config commands EXAMPLE Console config upgrade opcode auto Console config upgrade opcode path tftp 192 168 0 1 sm24 Console config If a new image is found at the specifi...

Page 745: ...the following syntax must be used where filedir indicates the path to the directory containing the new image ftp username password 192 168 0 1 filedir If the user name is omitted anonymous will be use...

Page 746: ...ed Path File Name ecs4110 series bix Console TFTP Configuration Commands ip tftp retry This command specifies the number of times the switch can retry transmitting a request to a TFTP server after wai...

Page 747: ...o ip tftp timeout seconds The the time the switch can wait for a response from a TFTP server before retransmitting a request or timing out Range 1 65535 seconds DEFAULT SETTING 5 seconds COMMAND MODE...

Page 748: ...generated by hardware LC exec timeout Sets the interval that the command interpreter waits until user input is detected LC login Enables password checking at login LC parity Defines the generation of...

Page 749: ...own as VTY in screen displays such as show users However the serial communication parameters e g databits do not affect Telnet connections EXAMPLE To enter console line mode enter the following comman...

Page 750: ...ntil user input is detected Use the no form to restore the default SYNTAX exec timeout seconds no exec timeout seconds Integer that specifies the timeout interval Range 60 65535 seconds 0 no timeout D...

Page 751: ...mmand When using this method the management interface starts in Normal Exec NE mode login local selects authentication via the user name and password specified by the username command i e default sett...

Page 752: ...as terminals and modems often require a specific parity bit setting EXAMPLE To specify no parity enter this command Console config line parity none Console config line password This command specifies...

Page 753: ...There is no need for you to manually configure encrypted passwords EXAMPLE Console config line password 0 secret Console config line RELATED COMMANDS login 751 password thresh 753 password thresh Thi...

Page 754: ...ime value SYNTAX silent time seconds no silent time seconds The number of seconds to disable console response Range 0 65535 where 0 means disabled DEFAULT SETTING Disabled COMMAND MODE Line Configurat...

Page 755: ...icates if the speed you selected is not supported EXAMPLE To specify 57600 bps enter this command Console config line speed 57600 Console config line stopbits This command sets the number of the stop...

Page 756: ...ion This command applies to both the local console and Telnet connections The timeout for Telnet cannot be disabled Using the command without specifying a timeout restores the default setting EXAMPLE...

Page 757: ...h width escape character The keyboard character used to escape from current line input ASCII number ASCII decimal equivalent Range 0 255 character Any valid keyboard character history The number of li...

Page 758: ...cess i e Telnet DEFAULT SETTING Shows all lines COMMAND MODE Normal Exec Privileged Exec EXAMPLE To show all lines enter this command Console show line Terminal Configuration for this session Length 2...

Page 759: ...64 This type has no effect on the kind of messages reported by the switch However it may be used by the syslog server to sort messages or to store messages in the corresponding database EXAMPLE Consol...

Page 760: ...ash errors level 3 0 RAM debugging level 7 0 COMMAND MODE Global Configuration COMMAND USAGE The message level specified for flash memory must be a higher priority i e numerically lower than that spec...

Page 761: ...to build up a list of host IP addresses The maximum number of host IP addresses allowed is five EXAMPLE Console config logging host 10 1 0 3 Console config logging on This command controls logging of...

Page 762: ...se the no form to disable remote logging SYNTAX logging trap level level no logging trap level level One of the syslog severity levels listed in the table on page 760 Messages sent include the selecte...

Page 763: ...COMMANDS show log 763 show log This command displays the log messages stored in local memory SYNTAX show log flash ram flash Event history stored in flash memory i e permanent memory ram Event histor...

Page 764: ...dmail trap flash Displays settings for storing event messages in flash memory i e permanent memory ram Displays settings for storing event messages in temporary RAM i e memory flushed on power reset s...

Page 765: ...gging Shows if system logging has been enabled via the logging on command History logging in FLASH The message level s reported based on the logging history command History logging in RAM The message...

Page 766: ...that will be sent alert messages Use the no form to remove an SMTP server SYNTAX no logging sendmail host host host IPv4 or IPv6 address of an SMTP server that will be sent alert messages for event ha...

Page 767: ...n If it still fails the system will repeat the process at a periodic interval A trap will be triggered if the switch cannot successfully open a connection EXAMPLE Console config logging sendmail host...

Page 768: ...ers DEFAULT SETTING None COMMAND MODE Global Configuration COMMAND USAGE You can specify up to five recipients for alert messages However you must enter a separate command to specify each recipient EX...

Page 769: ...resses ted this company com SMTP Source Email Address bill this company com SMTP Status Enabled Console TIME The system clock can be dynamically set by polling a set of specified time servers NTP or S...

Page 770: ...p poll command NTP Commands ntp authenticate Enables authentication for NTP traffic GC ntp authentication key Configures authentication keys GC ntp client Enables the NTP client for time updates from...

Page 771: ...0 0 0 0 0 0 Current Server 137 92 140 80 Console RELATED COMMANDS sntp server 772 sntp poll 771 show sntp 772 sntp poll This command sets the interval between sending time requests when the switch is...

Page 772: ...servers from which the switch will poll for time updates when set to SNTP client mode The client will poll the time servers in the order specified until a response is received It issues time synchroni...

Page 773: ...e the no form to disable authentication SYNTAX no ntp authenticate DEFAULT SETTING Disabled COMMAND MODE Global Configuration COMMAND USAGE You can enable NTP authentication to ensure that reliable up...

Page 774: ...figuration COMMAND USAGE The key number specifies a key value in the NTP authentication key list Up to 255 keys can be configured on the switch Re enter this command for each server you want to config...

Page 775: ...uests based on the interval set via the ntp poll command EXAMPLE Console config ntp client Console config RELATED COMMANDS sntp client 770 ntp server 775 ntp server This command sets the IP addresses...

Page 776: ...e config ntp server 192 168 3 21 Console config ntp server 192 168 5 23 key 19 Console config RELATED COMMANDS ntp client 774 show ntp 776 show ntp This command displays the current time and configura...

Page 777: ...l begin b hour The hour summer time will begin Range 0 23 hours b minute The minute summer time will begin Range 0 59 minutes e date Day of the month when summer time will end Range 1 31 e month The m...

Page 778: ...predefined australia europe new zealand usa no clock summer time name Name of the timezone while summer time is in effect usually an acronym Range 1 30 characters DEFAULT SETTING Disabled COMMAND MOD...

Page 779: ...day The day of the week when summer time will begin Options sunday monday tuesday wednesday thursday friday saturday b month The month when summer time will begin Options january february march april...

Page 780: ...afternoons have more daylight and mornings have less This is known as Summer Time or Daylight Savings Time DST Typically clocks are adjusted forward one hour at the start of spring and then adjusted b...

Page 781: ...a time corresponding to your local time you must indicate the number of hours and minutes your time zone is east before or west after of UTC EXAMPLE Console config clock timezone Japan hours 8 minute...

Page 782: ...Privileged Exec EXAMPLE Console show calendar Current Time Dec 28 18 14 47 2013 Time Zone UTC 00 00 Summer Time Not configured Summer Time in Effect No Console TIME RANGE This section describes the co...

Page 783: ...of seven rules can be configured for a time range EXAMPLE Console config time range r d Console config time range RELATED COMMANDS Access Control Lists 969 absolute This command sets the time range fo...

Page 784: ...ngle occurrence of an event Console config time range r d Console config time range absolute start 1 1 1 april 2009 end 2 1 1 april 2009 Console config time range periodic This command sets the time r...

Page 785: ...ent time is within the absolute time range and one of the periodic time ranges EXAMPLE This example configures a time range for the periodic occurrence of an event Console config time range sales Cons...

Page 786: ...automatically discovers other cluster enabled switches in the network These Candidate switches only become cluster Members when manually selected by the administrator through the management station T...

Page 787: ...a Cluster IP Pool that does not conflict with any other IP subnets in the network Cluster IP addresses are assigned to switches when they become Members and are used for communication between Member...

Page 788: ...o reset to the default address SYNTAX cluster ip pool ip address no cluster ip pool ip address The base IP address for IP addresses assigned to cluster Members The IP address must start 10 x x x DEFAU...

Page 789: ...r switch Range 1 36 DEFAULT SETTING No Members COMMAND MODE Global Configuration COMMAND USAGE The maximum number of cluster Members is 36 The maximum number of cluster Candidates is 100 EXAMPLE Conso...

Page 790: ...e switch clustering configuration COMMAND MODE Privileged Exec EXAMPLE Console show cluster Role commander Interval Heartbeat 30 Heartbeat Loss Count 3 seconds Number of Members 1 Number of Candidates...

Page 791: ...hows the discovered Candidate switches in the network COMMAND MODE Privileged Exec EXAMPLE Console show cluster candidates Cluster Candidates Role MAC Address Description Active member 00 E0 0C 00 00...

Page 792: ...CHAPTER 21 System Management Commands Switch Clustering 792...

Page 793: ...Sets up the community access string to permit access to SNMP commands GC snmp server contact Sets the system contact string GC snmp server location Sets the system location string GC show snmp Display...

Page 794: ...n multicast traffic exceeds the upper threshold for automatic storm control IC Port snmp server enable port traps atc multicast control apply Sends a trap when multicast traffic exceeds the upper thre...

Page 795: ...nity string ro rw no snmp server community string string Community string that acts like a password and permits access to the SNMP protocol Maximum length 32 characters case sensitive Maximum number o...

Page 796: ...tact string Use the no form to remove the system contact information SYNTAX snmp server contact string no snmp server contact string String that describes the system contact information Maximum length...

Page 797: ...input and output protocol data units and whether or not SNMP logging has been enabled with the snmp server enable traps command EXAMPLE Console show snmp SNMP Agent Enabled SNMP Traps Authentication E...

Page 798: ...page 1347 mac notification Keyword to issue trap when a dynamic MAC address is added or removed interval Specifies the interval between issuing two consecutive traps Range 1 3600 seconds Default 1 se...

Page 799: ...ion 1 2c 3 auth noauth priv udp port port no snmp server host host addr host addr IPv4 or IPv6 address of the host the targeted recipient Maximum host addresses 5 trap destination IP address entries i...

Page 800: ...raps or informs and to specify which SNMP notifications are sent globally For a host to receive notifications at least one snmp server enable traps command and the snmp server host command for that ho...

Page 801: ...r host command does not specify the SNMP version the default is to send SNMP version 1 notifications If you specify an SNMP Version 3 host then the community string is interpreted as an SNMP user name...

Page 802: ...p server enable port traps mac notification Console config show snmp server enable port traps This command shows if SNMP traps are enabled or disabled for the specified interfaces SYNTAX show snmp ser...

Page 803: ...ine ID is also used in combination with user passwords to generate the security keys for authenticating and encrypting SNMPv3 packets A remote engine ID is required when using SNMPv3 informs See the s...

Page 804: ...ith authentication and privacy See Simple Network Management Protocol on page 452 for further information about these authentication and encryption options readview Defines the view for read access 1...

Page 805: ...ord priv des56 priv password no snmp server user username v1 v2c v3 remote username Name of user connecting to the SNMP agent Range 1 32 characters groupname Name of an SNMP group to which the user is...

Page 806: ...is used to compute authentication privacy digests from the user s password If the remote engine ID is not first configured the snmp server user command specifying a remote user will fail SNMP password...

Page 807: ...MIB 2 interfaces table ifDescr The wild card is used to select all the index values in this table Console config snmp server view ifEntry 2 1 3 6 1 2 1 2 2 1 2 included Console config This view inclu...

Page 808: ...efaultview Write View none Notify View none Storage Type volatile Row Status active Group Name private Security Model v1 Read View defaultview Write View defaultview Notify View none Storage Type vola...

Page 809: ...atus active Console Table 71 show snmp group display description Field Description Group Name Name of an SNMP group Security Model The SNMP version Read View The associated read view Write View The as...

Page 810: ...ommand enables or disables the specified notification log SYNTAX no nlm filter name filter name Notification log name Range 1 32 characters DEFAULT SETTING Enabled Row Status The row status of this en...

Page 811: ...ile name Range 1 32 characters ip address IPv4 or IPv6 address of a remote device The specified target host must already have been configured using the snmp server host command NOTE The notification l...

Page 812: ...rmation until a logging profile specified with this command is enabled with the nlm command Based on the default settings used in RFC 3014 a notification log can contain up to 256 entries and the entr...

Page 813: ...X memory rising rising threshold falling falling threshold no memory rising falling rising threshold Rising threshold for memory utilization alarm expressed in percentage Range 1 100 falling threshold...

Page 814: ...in percentage Range 1 100 falling threshold Falling threshold for CPU utilization alarm expressed in percentage Range 1 100 DEFAULT SETTING Rising Threshold 90 Falling Threshold 70 COMMAND MODE Globa...

Page 815: ...Event and Alarm groups When RMON is enabled the system gradually builds up information about its physical interfaces storing this information in the relevant RMON database group A management agent the...

Page 816: ...ue and the difference is then compared to the thresholds threshold An alarm threshold for the sampled variable Range 0 2147483647 event index The index of the event to use if an alarm is triggered If...

Page 817: ...ndex index Index to this entry Range 1 65535 log Generates an RMON log entry when the event is triggered Log messages are processed based on the current configuration settings for event logging see Ev...

Page 818: ...polling interval Range 1 3600 seconds name Name of the person who created this entry Range 1 127 characters DEFAULT SETTING 1 3 6 1 2 1 16 1 1 1 6 1 1 3 6 1 2 1 16 1 1 1 6 28 52 Buckets 50 Interval 3...

Page 819: ...terval 60 owner mike Console config if rmon collection rmon1 This command enables the collection of statistics on a physical interface Use the no form to disable statistics collection SYNTAX rmon coll...

Page 820: ...t 0 show rmon events This command shows the settings for all configured events COMMAND MODE Privileged Exec EXAMPLE Console show rmon events Event 2 is valid owned by mike Description is urgent Event...

Page 821: ...entries in the statistics group COMMAND MODE Privileged Exec EXAMPLE Console show rmon statistics Interface 1 is valid and owned by Monitors 1 3 6 1 2 1 2 2 1 1 1 which has Received 164289 octets 2372...

Page 822: ...CHAPTER 23 Remote Monitoring Commands 822...

Page 823: ...cified command groups or individual commands Authentication Sequence Defines logon authentication method and precedence RADIUS Client Configures settings for authentication via a RADIUS server TACACS...

Page 824: ...nd administrators top level access The other levels can be used to configured specialized access profiles Level 0 7 provide the same default access privileges all within Normal Exec mode under the Con...

Page 825: ...enable 711 authentication enable 828 username This command adds named users requires authentication at login specifies or changes a user s password or specify that no password is required or specifie...

Page 826: ...command nopassword No password is required for this user to log in 0 7 0 means plain password 7 means encrypted password password password The authentication password for the user Maximum length 32 ch...

Page 827: ...pecifies any command contained within the specified mode DEFAULT SETTING Privilege level 0 provides access to a limited number of the commands which display the current status of the switch as well as...

Page 828: ...c command mode with the enable command Use the no form to restore the default SYNTAX authentication enable local radius tacacs no authentication enable local Use local password only radius Use RADIUS...

Page 829: ...nging command modes 824 authentication login This command defines the login authentication method and precedence Use the no form to restore the default SYNTAX authentication login local radius tacacs...

Page 830: ...ase of multiple user name password pairs with associated privilege levels for each user or group that require management access to a switch radius server acct port This command sets the RADIUS server...

Page 831: ...t 181 Console config radius server host This command specifies primary and backup RADIUS servers and authentication and accounting parameters that apply to each server Use the no form to remove a spec...

Page 832: ...812 acct port 1813 timeout 5 seconds retransmit 2 COMMAND MODE Global Configuration EXAMPLE Console config radius server 1 host 192 168 1 20 acct port 181 timeout 10 retransmit 5 key green Console con...

Page 833: ...SETTING 2 COMMAND MODE Global Configuration EXAMPLE Console config radius server retransmit 5 Console config radius server timeout This command sets the interval between transmitting authentication re...

Page 834: ...Controller Access Control System TACACS is a logon authentication protocol that uses software running on a central server to control access to TACACS aware devices on the network An authentication ser...

Page 835: ...P port used for authentication messages Range 1 65535 retransmit Number of times the switch will try to authenticate logon access via the TACACS server Range 1 30 timeout Number of seconds the switch...

Page 836: ...TACACS server TCP port used for authentication messages Range 1 65535 DEFAULT SETTING 49 COMMAND MODE Global Configuration EXAMPLE Console config tacacs server port 181 Console config tacacs server re...

Page 837: ...Number of seconds the switch waits for a reply before resending a request Range 1 540 DEFAULT SETTING 5 COMMAND MODE Global Configuration EXAMPLE Console config tacacs server timeout 10 Console confi...

Page 838: ...able 81 AAA Commands Command Function Mode aaa accounting commands Enables accounting of Exec mode commands GC aaa accounting dot1x Enables accounting of 802 1X services GC aaa accounting exec Enables...

Page 839: ...e that the default and method name fields are only used to describe the accounting method s configured on the specified TACACS server and do not actually send any information to the server about the m...

Page 840: ...information to the servers about the methods to use EXAMPLE Console config aaa accounting dot1x default start stop group radius Console config aaa accounting exec This command enables the accounting o...

Page 841: ...to the servers about the methods to use EXAMPLE Console config aaa accounting exec default start stop group tacacs Console config aaa accounting update This command enables the sending of periodic upd...

Page 842: ...Specifies all TACACS hosts configured with the tacacs server host command server group Specifies the name of a server group configured with the aaa group server command Range 1 64 characters DEFAULT...

Page 843: ...XAMPLE Console config aaa group server radius tps Console config sg radius server This command adds a security server to an AAA server group Use the no form to remove the associated server from the gr...

Page 844: ...d list created with the aaa accounting dot1x command DEFAULT SETTING None COMMAND MODE Interface Configuration EXAMPLE Console config interface ethernet 1 2 Console config if accounting dot1x tps Cons...

Page 845: ...a method list created with the aaa accounting exec command DEFAULT SETTING None COMMAND MODE Line Configuration EXAMPLE Console config line console Console config line accounting exec tps Console con...

Page 846: ...ot1x statistics username user name interface interface exec statistics statistics commands Displays command accounting information level Displays command accounting information for a specifiable comma...

Page 847: ...s command specifies the TCP port number used by the web browser interface Use the no form to use the default port SYNTAX ip http port port number no ip http port port number The TCP port to be used by...

Page 848: ...ttp server DEFAULT SETTING Enabled COMMAND MODE Global Configuration EXAMPLE Console config ip http server Console config RELATED COMMANDS ip http port 847 show system 732 ip http secure port This com...

Page 849: ...e an encrypted connection to the switch s web interface Use the no form to disable this function SYNTAX no ip http secure server DEFAULT SETTING Disabled COMMAND MODE Global Configuration COMMAND USAG...

Page 850: ...S ip http secure port 848 copy tftp https certificate 738 show system 732 TELNET SERVER This section describes commands used to configure Telnet management access to the switch Table 83 HTTPS System S...

Page 851: ...n count no ip telnet max sessions session count The maximum number of allowed Telnet session Range 0 8 DEFAULT SETTING 4 sessions COMMAND MODE Global Configuration COMMAND USAGE A maximum of eight ses...

Page 852: ...se the no form to disable this function SYNTAX no ip telnet server DEFAULT SETTING Enabled COMMAND MODE Global Configuration EXAMPLE Console config ip telnet server Console config show ip telnet This...

Page 853: ...have to generate authentication keys on the switch and enable the SSH server Table 85 Secure Shell Commands Command Function Mode ip ssh authentication retries Specifies the number of retries allowed...

Page 854: ...tch Note that these clients must be configured locally on the switch with the username command The clients are subsequently authenticated using these keys The current firmware only accepts public key...

Page 855: ...the switch e The switch compares the checksum sent from the client against that computed for the original string it sent If the two check sums match this means that the client s private key correspon...

Page 856: ...ires 2 Console config RELATED COMMANDS show ip ssh 860 ip ssh server This command enables the Secure Shell SSH server on this switch Use the no form to disable this service SYNTAX no ip ssh server DEF...

Page 857: ...size key size The size of server key Range 512 896 bits DEFAULT SETTING 768 bits COMMAND MODE Global Configuration COMMAND USAGE The server key is a private key that is never shared outside the switc...

Page 858: ...config RELATED COMMANDS exec timeout 750 show ip ssh 860 delete public key This command deletes the specified user s public key SYNTAX delete public key username dsa rsa username Name of an SSH user...

Page 859: ...you must manually create a known hosts file and place the host public key in it The SSH server uses this host key to negotiate a session key and encryption method with the client trying to connect to...

Page 860: ...ey from RAM to flash memory SYNTAX ip ssh save host key DEFAULT SETTING Saves both the DSA and RSA key COMMAND MODE Privileged Exec EXAMPLE Console ip ssh save host key dsa Console RELATED COMMANDS ip...

Page 861: ...last string is the encoded modulus EXAMPLE Console show public key host Host RSA 1024 65537 13236940658254764031382795526536375927835525327972629521130241 071942106165575942459093923609695405036277525...

Page 862: ...ication negotiation state Values Negotiation Started Authentication Started Session Started Username The user name of the client Table 87 802 1X Port Authentication Commands Command Function Mode Gene...

Page 863: ...the interval for a supplicant to respond IC dot1x timeout tx period Sets the time period during an authentication session that the switch waits before re transmitting an EAP packet IC dot1x re authent...

Page 864: ...DE Global Configuration COMMAND USAGE When this device is functioning as intermediate node in the network and does not need to perform dot1x authentication the dot1x eapol pass through command can be...

Page 865: ...either to block all traffic or to assign all traffic for the port to a guest VLAN Use the no form to reset the default SYNTAX dot1x intrusion action block traffic guest vlan no dot1x intrusion action...

Page 866: ...T 2 COMMAND MODE Interface Configuration EXAMPLE Console config interface eth 1 2 Console config if dot1x max reauth req 2 Console config if dot1x max req This command sets the maximum number of times...

Page 867: ...s multiple hosts to connect to this port with each host needing to be authenticated DEFAULT Single host COMMAND MODE Interface Configuration COMMAND USAGE The max count parameter specified by this com...

Page 868: ...force authorized COMMAND MODE Interface Configuration EXAMPLE Console config interface eth 1 2 Console config if dot1x port control auto Console config if dot1x re authentication This command enables...

Page 869: ...ault SYNTAX dot1x timeout quiet period seconds no dot1x timeout quiet period seconds The number of seconds Range 1 65535 DEFAULT 60 seconds COMMAND MODE Interface Configuration EXAMPLE Console config...

Page 870: ...er than EAP request identity frames If dot1x authentication is enabled on a port the switch will initiate authentication when the port link state comes up It will send an EAP request identity frame to...

Page 871: ...terface SYNTAX dot1x re authenticate interface interface ethernet unit port unit Unit identifier Range 1 port Port number Range 1 28 52 COMMAND MODE Privileged Exec COMMAND USAGE The re authentication...

Page 872: ...name and password are used to identify this switch as a supplicant when responding to an MD5 challenge from the authenticator These parameters must be set when this switch passes client authentication...

Page 873: ...tity profile command which identify this switch as a supplicant and enable dot1x supplicant mode for those ports which must authenticate clients through a remote authenticator using this command In th...

Page 874: ...upplicant waits for a response from the authenticator for packets other than EAPOL Start EXAMPLE Console config interface eth 1 2 Console config if dot1x timeout auth period 60 Console config if dot1x...

Page 875: ...config if dot1x timeout start period 60 Console config if Information Display Commands show dot1x This command shows general port authentication related settings on the switch or a specific interface...

Page 876: ...transmitting EAP packet page 870 Supplicant Timeout Supplicant timeout Server Timeout Server timeout A RADIUS server must be set before the correct operational value of 10 seconds will be displayed i...

Page 877: ...ummary Port Type Operation Mode Control Mode Authorized Eth 1 1 Disabled Single Host Force Authorized Yes Eth 1 2 Disabled Single Host Force Authorized Yes Eth 1 49 Disabled Single Host Force Authoriz...

Page 878: ...d address all client Adds IP address es to all groups http client Adds IP address es to the web group snmp client Adds IP address es to the SNMP group telnet client Adds IP address es to the Telnet gr...

Page 879: ...range and re enter the addresses You can delete an address range just by specifying the start address or by specifying both the start address and end address EXAMPLE This example restricts management...

Page 880: ...rmediate agent Enables the PPPoE IA globally on the switch GC pppoe intermediate agent format type Sets the access node identifier and generic error message for the switch GC pppoe intermediate agent...

Page 881: ...ID tag inserted by the switch during the PPPoE discovery phase and sends this tag as a NAS port ID attribute in PPP authentication and AAA accounting requests to a RADIUS server PPPoE IA must be enab...

Page 882: ...ackets These messages are forwarded to all trusted ports designated by the pppoe intermediate agent trust command EXAMPLE Console config pppoe intermediate agent format type access node identifier bil...

Page 883: ...stage messages and uses the Circuit ID field of that tag as a NAS Port ID attribute in AAA access and accounting requests The switch intercepts PPPoE discovery frames from the client and inserts a uni...

Page 884: ...rface must be configured on the switch for the PPPoE IA to function EXAMPLE Console config interface ethernet 1 5 Console config if pppoe intermediate agent trust Console config if pppoe intermediate...

Page 885: ...AND MODE Privileged Exec EXAMPLE Console clear pppoe intermediate agent statistics Console show pppoe intermediate agent info This command displays configuration settings for the PPPoE Intermediate Ag...

Page 886: ...s command displays statistics for the PPPoE Intermediate Agent SYNTAX show pppoe intermediate agent statistics interface interface interface ethernet unit port unit Unit identifier Range 1 port Port n...

Page 887: ...ped Response from untrusted Response from an interface which not been configured as trusted Request towards untrusted Request sent to an interface which not been configured as trusted Malformed Corrup...

Page 888: ...CHAPTER 24 Authentication Commands PPPoE Intermediate Agent 888...

Page 889: ...figures host authentication on specific ports using 802 1X Network Access Configures MAC authentication and dynamic VLAN assignment Web Authentication Configures Web authentication Access Control List...

Page 890: ...d sending a trap message mac learning This command enables MAC address learning on the selected interface Use the no form to disable MAC address learning SYNTAX no mac learning DEFAULT SETTING Enabled...

Page 891: ...ole config interface ethernet 1 2 Console config if no mac learning Console config if RELATED COMMANDS show interfaces status 1007 port security This command enables or configures port security Use th...

Page 892: ...frames received on the port The specified maximum address count is effective when port security is enabled or disabled Note that you can manually add additional secure addresses to a port using the ma...

Page 893: ...as learned as static entries SYNTAX port security mac address as permanent interface interface interface Specifies a port interface ethernet unit port unit This is unit 1 port Port number Range 1 28 5...

Page 894: ...n detected or port security is disabled The MAC Filter ID field is configured by the network access port mac filter command If this field displays Disabled then any unknown source MAC address can be l...

Page 895: ...each host that attempts to connect to a switch port Traffic received from a specific MAC address is forwarded by the switch only if the source MAC address is successfully authenticated by a central RA...

Page 896: ...upon link up events IC network access link detection link up down Configures the link detection feature to detect and act upon both link up and link down events IC network access max mac count Sets th...

Page 897: ...mask address filter id Specifies a MAC address filter table Range 1 64 mac address Specifies a MAC address entry Format xx xx xx xx xx xx mask Specifies a MAC address bit mask for a range of addresses...

Page 898: ...tion time is a global setting and applies to all ports When the reauthentication time expires for a secure MAC address it is reauthenticated with the RADIUS server During the reauthentication process...

Page 899: ...n file EXAMPLE The following example enables the dynamic QoS feature on port 1 Console config interface ethernet 1 1 Console config if network access dynamic qos Console config if network access dynam...

Page 900: ...hentication is still treated as a success and the host assigned to the default untagged VLAN When the dynamic VLAN assignment status is changed on a port all authenticated addresses are cleared from t...

Page 901: ...ction DEFAULT SETTING Disabled COMMAND MODE Interface Configuration EXAMPLE Console config interface ethernet 1 1 Console config if network access link detection Console config if network access link...

Page 902: ...ake when port security is violated shutdown Disable port only trap Issue SNMP trap message only trap and shutdown Issue SNMP trap message and disable the port DEFAULT SETTING Disabled COMMAND MODE Int...

Page 903: ...authenticated on a port interface via all forms of authentication Use the no form of this command to restore the default SYNTAX network access max mac count count no network access max mac count coun...

Page 904: ...aging time expires The maximum number of secure MAC addresses supported for the switch system is 1024 Configured static MAC addresses are added to the secure address table when seen on a switch port S...

Page 905: ...s filter table can be configured with the network access mac filter command Only one filter table can be assigned to a port EXAMPLE Console config interface ethernet 1 1 Console config if network acce...

Page 906: ...erface Configuration EXAMPLE Console config if mac authentication max mac count 32 Console config if clear network access Use this command to clear entries from the secure MAC addresses table SYNTAX c...

Page 907: ...ING Displays the settings for all interfaces COMMAND MODE Privileged Exec EXAMPLE Console show network access interface ethernet 1 1 Global secure port information Reauthentication Time 1800 MAC Addre...

Page 908: ...nge 1 port Port number Range 1 28 52 sort Sorts displayed entries by either MAC address or interface DEFAULT SETTING Displays all filters COMMAND MODE Privileged Exec COMMAND USAGE When using a bit ma...

Page 909: ...perform DNS queries All other traffic except for HTTP protocol traffic is blocked The switch intercepts HTTP protocol traffic and redirects it to a switch generated web page that facilitates user nam...

Page 910: ...ole config web auth system auth control Enables web authentication globally for the switch GC web auth Enables web authentication for an interface IC web auth re authenticate Port Ends all web authent...

Page 911: ...MODE Global Configuration EXAMPLE Console config web auth quiet period 120 Console config web auth session timeout This command defines the amount of time a web authentication session remains valid W...

Page 912: ...and web auth for an interface must be enabled for the web authentication feature to be active EXAMPLE Console config web auth system auth control Console config web auth This command enables web auth...

Page 913: ...OMMAND MODE Privileged Exec EXAMPLE Console web auth re authenticate interface ethernet 1 2 Console web auth re authenticate IP This command ends the web authentication session associated with the des...

Page 914: ...pts 3 Console show web auth interface This command displays interface specific web authentication parameters and statistics SYNTAX show web auth interface interface interface Specifies a port interfac...

Page 915: ...y GC ip dhcp snooping information option Enables or disables the use of DHCP Option 82 information and specifies frame format for the remote id GC ip dhcp snooping information policy Sets the informat...

Page 916: ...namic entries learned via DHCP snooping Table entries are only learned for trusted interfaces Each entry includes a MAC address IP address lease time VLAN identifier and port identifier When DHCP snoo...

Page 917: ...is not a recognizable type it is dropped If a DHCP packet from a client passes the filtering criteria above it will only be forwarded to trusted ports in the same VLAN If a DHCP packet is from server...

Page 918: ...rmation mac address Inserts a MAC address in the remote ID sub option for the DHCP snooping agent that is the MAC address of the switch s CPU ip address Inserts an IP address in the remote ID sub opti...

Page 919: ...ill add option 82 information to the packet If an incoming packet is a DHCP reply packet with option 82 information enabling the DHCP snooping information option will remove option 82 information from...

Page 920: ...ch for DHCP snooping Use the no form to restore the default setting SYNTAX ip dhcp snooping limit rate rate no dhcp snooping limit rate rate The maximum number of DHCP packets that may be trapped for...

Page 921: ...orm to restore the default setting SYNTAX no ip dhcp snooping vlan vlan id vlan id ID of a configured VLAN Range 1 4094 DEFAULT SETTING Disabled COMMAND MODE Global Configuration COMMAND USAGE When DH...

Page 922: ...thernet Port Channel COMMAND USAGE DHCP provides a relay mechanism for sending information about the switch and its DHCP clients to the DHCP server DHCP Option 82 allows compatible DHCP servers to use...

Page 923: ...boption string Console config interface ethernet 1 1 Console config if ip dhcp snooping information option circuit id string mv2 Console config if ip dhcp snooping trust This command configures the sp...

Page 924: ...rface ethernet 1 5 Console config if no ip dhcp snooping trust Console config if RELATED COMMANDS ip dhcp snooping 916 ip dhcp snooping vlan 921 clear ip dhcp snooping binding This command clears DHCP...

Page 925: ...EXAMPLE Console ip dhcp snooping database flash Console show ip dhcp snooping This command shows the DHCP snooping configuration settings COMMAND MODE Privileged Exec EXAMPLE Console show ip dhcp sno...

Page 926: ...snooping option remote id Enables insertion of DHCPv6 Option 37 relay agent remote id GC ipv6 dhcp snooping option remote id policy Sets the information option policy for DHCPv6 client packets that in...

Page 927: ...d via DHCPv6 snooping Table entries are only learned for trusted interfaces Each entry includes a MAC address IPv6 address lease time binding type VLAN identifier and port identifier When DHCPv6 snoop...

Page 928: ...yes continue to C If not check failed and forward packet to trusted port C Check status code in IA option If successful and entry is in binding table update lease time and forward to original destinat...

Page 929: ...echanism for sending information about the switch and its DHCPv6 clients to the DHCPv6 server Known as DHCPv6 Option 37 it allows compatible DHCPv6 servers to use the information when assigning IP add...

Page 930: ...ion 37 information in DHCPv6 client request packets the switch s MAC address hexadecimal is used for the remote ID EXAMPLE This example enables the DHCPv6 Snooping Remote ID Option Console config ipv6...

Page 931: ...e default setting SYNTAX no ipv6 dhcp snooping vlan vlan id vlan range vlan id ID of a configured VLAN Range 1 4094 vlan range A consecutive range of VLANs indicated by the use a hyphen or a random gr...

Page 932: ...v6 dhcp snooping max binding count no ipv6 dhcp snooping max binding count Maximum number of entries Range 1 5 DEFAULT SETTING 5 COMMAND MODE Interface Configuration Ethernet Port Channel EXAMPLE This...

Page 933: ...Pv6 snooping bindings associated with this port are removed Additional considerations when the switch itself is a DHCPv6 client The port s through which it submits a client request to the DHCPv6 serve...

Page 934: ...AMPLE Console config clear ipv6 dhcp snooping database flash Console config show ipv6 dhcp snooping This command shows the DHCPv6 snooping configuration settings COMMAND MODE Privileged Exec EXAMPLE C...

Page 935: ...1 5 NA Link layer Address 00 12 cf 01 02 03 IPv6 Address Lifetime VLAN Port Type 2001 b000 1 2591912 1 Eth 1 3 NA Console show ipv6 dhcp snooping statistics This command shows statistics for DHCPv6 sn...

Page 936: ...Specifies the binding mode acl Adds binding to ACL table mac Adds binding to MAC address mac address A valid unicast MAC address vlan id ID of a configured VLAN Range 1 4094 ip address A valid unicast...

Page 937: ...tatic bindings are processed as follows If there is no entry with same VLAN ID and MAC address a new entry is added to binding table using the type of static IP source guard binding If there is an ent...

Page 938: ...selected port Use the sip option to check the VLAN ID source IP address and port number against all entries in the binding table Use the sip mac option to check these same parameters plus the source M...

Page 939: ...ly learned via DHCP snooping or manually configured are not yet configured the switch will drop all IP traffic on that port except for DHCP packets Only unicast addresses are accepted for static bindi...

Page 940: ...onfig interface ethernet 1 5 Console config if ip source guard max binding 1 Console config if ip source guard mode This command sets the source guard learning mode to search for addresses in the ACL...

Page 941: ...witch overwrites the oldest record with new blocked records Use the clear ip source guard binding blocked command to clear this table EXAMPLE This command clears the blocked record table Console confi...

Page 942: ...ic Shows static entries configured with the ip source guard binding command see page 936 acl Shows static entries in the ACL binding table mac Shows static entries in the MAC address binding table blo...

Page 943: ...rce guard binding mac address vlan vlan id mac address A valid unicast MAC address vlan id ID of a configured VLAN Range 1 4094 ipv6 address Corresponding IPv6 address This address must be entered acc...

Page 944: ...ings are processed as follows If there is no entry with same and MAC address and IPv6 address a new entry is added to binding table using static IPv6 source guard binding If there is an entry with sam...

Page 945: ...Pv6 packets allowed by DHCPv6 snooping A port access control list ACL is applied to the interface Traffic is then filtered based upon dynamic entries learned via ND snooping or DHCPv6 snooping or stat...

Page 946: ...esses are accepted for static bindings EXAMPLE This example enables IP source guard on port 5 Console config interface ethernet 1 5 Console config if ipv6 source guard sip Console config if RELATED CO...

Page 947: ...lower value precedence is given to deleting entries learned through DHCPv6 snooping ND snooping and then manually configured IPv6 source guard static bindings until the number of entries in the bindi...

Page 948: ...ng each of these packets before the local ARP cache is updated or the packet is forwarded to the appropriate destination dropping any invalid ARP packets ARP Inspection determines the validity of an A...

Page 949: ...heir manner of switching matches that of all other packets Disabling and then re enabling global ARP Inspection will not affect the ARP Inspection configuration for any VLANs ip arp inspection limit S...

Page 950: ...range of VLANs indicated by the use a hyphen or a random group of VLANs with each entry separated by a comma static ARP packets are only validated against the specified ACL address bindings in the DH...

Page 951: ...he ip arp inspection command before this command will be accepted by the switch By default logging is active for ARP Inspection and cannot be disabled When the switch drops a packet it places an entry...

Page 952: ...ip Checks the ARP body for invalid and unexpected IP addresses Addresses include 0 0 0 0 255 255 255 255 and all IP multicast addresses Sender IP addresses are checked in all ARP requests and response...

Page 953: ...ction is enabled globally and enabled on selected VLANs all ARP request and reply packets on those VLANs are redirected to the CPU and their switching is handled by the ARP Inspection engine When ARP...

Page 954: ...AND USAGE This command applies to both trusted and untrusted ports When the rate of incoming ARP packets exceeds the configured limit the switch drops all ARP packets in excess of the limit EXAMPLE Co...

Page 955: ...n Global IP ARP Inspection status disabled Log Message Interval 10 s Log Message Number 1 Need Additional Validation s Yes Additional Validation Type Destination MAC address Console show ip arp inspec...

Page 956: ...cs ARP packets received before rate limit 150 ARP packets dropped due to rate limt 5 Total ARP packets processed by ARP Inspection 150 ARP packets dropped by additional validation source MAC address 0...

Page 957: ...mmunicate adequately This section describes commands used to protect against DoS attacks Table 103 DoS Protection Commands Command Function Mode dos protection echo chargen Protects against DoS echo c...

Page 958: ...ge 64 2000 kbits second DEFAULT SETTING Disabled 1000 kbits second COMMAND MODE Global Configuration EXAMPLE Console config dos protection echo chargen 65 Console config dos protection smurf This comm...

Page 959: ...2000 kbits second DEFAULT SETTING Disabled 1000 kbits second COMMAND MODE Global Configuration EXAMPLE Console config dos protection tcp flooding 65 Console config dos protection tcp null scan This c...

Page 960: ...d COMMAND MODE Global Configuration EXAMPLE Console config dos protection syn fin scan Console config dos protection tcp udp port zero This command protects against DoS attacks in which the UDP or TCP...

Page 961: ...tion EXAMPLE Console config dos protection tcp xmas scan Console config dos protection udp flooding This command protects against DoS UDP flooding attacks in which a perpetrator sends a large number o...

Page 962: ...available CPU time Use the no form to disable this feature SYNTAX dos protection win nuke bit rate in kilo rate no dos protection udp flooding rate Maximum allowed rate Range 64 2000 kbits second DEFA...

Page 963: ...X no traffic segmentation DEFAULT SETTING Disabled COMMAND MODE Global Configuration COMMAND USAGE Traffic segmentation provides port based security and isolation between ports within the VLAN Data tr...

Page 964: ...n globally on the switch Console config traffic segmentation Console config traffic segmentation session This command creates a traffic segmentation client session Use the no form to remove a client s...

Page 965: ...raffic segmentation session session id uplink interface list downlink interface list downlink interface list session id Traffic segmentation session Range 1 4 uplink Specifies an uplink interface down...

Page 966: ...onfig traffic segmentation uplink ethernet 1 10 downlink ethernet 1 5 8 Console config traffic segmentation uplink to uplink This command specifies whether or not traffic can be forwarded between upli...

Page 967: ...ntation This command displays the configured traffic segments COMMAND MODE Privileged Exec EXAMPLE Console show traffic segmentation Private VLAN Status Enabled Uplink to Uplink Mode Forwarding Sessio...

Page 968: ...CHAPTER 25 General Security Measures Port based Traffic Segmentation 968...

Page 969: ...v4 ACLs Configures ACLs based on IPv4 addresses TCP UDP port number protocol type and TCP control code IPv6 ACLs Configures ACLs based on IPv6 addresses DSCP traffic class or next header type MAC ACLs...

Page 970: ...her more specific criteria acl name Name of the ACL Maximum length 32 characters no spaces or other special characters DEFAULT SETTING None COMMAND MODE Global Configuration COMMAND USAGE When you cre...

Page 971: ...NG None COMMAND MODE Standard IPv4 ACL COMMAND USAGE New rules are appended to the end of the list Address bit masks are similar to a subnet mask containing four integers from 0 to 255 each separated...

Page 972: ...address bitmask host source any destination address bitmask host destination precedence precedence dscp dscp source port sport bitmask destination port dport port bitmask control flag control flags f...

Page 973: ...specify both Precedence and ToS in the same rule However if DSCP is used then neither Precedence nor ToS can be specified The control code bitmask is a decimal number representing an equivalent bit m...

Page 974: ...through Console config ext acl permit 10 7 1 1 255 255 255 0 any Console config ext acl This allows TCP packets from class C addresses 192 168 1 0 to any destination address when set for destination...

Page 975: ...bles counter for ACL statistics DEFAULT SETTING None COMMAND MODE Interface Configuration Ethernet COMMAND USAGE Only one ACL can be bound to a port If an ACL is already bound to a port and you bind a...

Page 976: ...configure ACLs based on IPv6 addresses DSCP traffic class or next header type To configure IPv6 ACLs first create an access list containing the required permit or deny rules and then bind the access...

Page 977: ...e ACL Maximum length 32 characters DEFAULT SETTING None COMMAND MODE Global Configuration COMMAND USAGE When you create a new ACL or enter configuration mode for an existing ACL use the permit or deny...

Page 978: ...rated 16 bit hexadecimal values One double colon may be used in the address to indicate the appropriate number of zeros required to fill the undefined fields prefix length A decimal value indicating h...

Page 979: ...lon separated 16 bit hexadecimal values One double colon may be used in the address to indicate the appropriate number of zeros required to fill the undefined fields destination ipv6 address An IPv6 d...

Page 980: ...ting RFC 2460 44 Fragment RFC 2460 51 Authentication RFC 2402 50 Encapsulating Security Payload RFC 2406 60 Destination Options RFC 2460 EXAMPLE This example accepts any incoming packets if the destin...

Page 981: ...TTING None COMMAND MODE Interface Configuration Ethernet COMMAND USAGE A port can only be bound to one ACL If a port is already bound to an ACL and you bind it to a different ACL the switch will repla...

Page 982: ...name standard Specifies a standard IPv6 ACL extended Specifies an extended IPv6 ACL acl name Name of the ACL Maximum length 32 characters COMMAND MODE Privileged Exec EXAMPLE Console show ipv6 access...

Page 983: ...t mac acl name acl name Name of the ACL Maximum length 32 characters no spaces or other special characters DEFAULT SETTING None COMMAND MODE Global Configuration COMMAND USAGE When you create a new AC...

Page 984: ...source ip network mask any host destination ip destination ip network mask ipv6 any host source ipv6 source ipv6 prefix length any host destination ipv6 destination ipv6 prefix length protocol protoco...

Page 985: ...rt sport port bitmask l4 destination port dport port bitmask permit deny untagged eth2 any host source source address bitmask any host destination destination address bitmask ethertype ethertype ether...

Page 986: ...mask23 Bitmask for MAC address in hexadecimal format network mask Network mask for IP subnet This mask identifies the host address bits used for routing to specific subnets prefix length Length of IPv...

Page 987: ...on address 00 e0 29 94 34 de where the Ethernet type is 0800 Console config mac acl permit any host 00 e0 29 94 34 de ethertype 0800 Console config mac acl RELATED COMMANDS access list mac 983 Time Ra...

Page 988: ...s list 988 Time Range 782 show mac access group This command shows the ports assigned to MAC ACLs COMMAND MODE Privileged Exec EXAMPLE Console show mac access group Interface ethernet 1 5 MAC access l...

Page 989: ...ACL Maximum length 32 characters DEFAULT SETTING None COMMAND MODE Global Configuration COMMAND USAGE When you create a new ACL or enter configuration mode for an existing ACL use the permit or deny c...

Page 990: ...ss bitmask log no permit deny response ip any host source ip source ip ip address bitmask any host destination ip destination ip ip address bitmask mac any host source mac source mac mac address bitma...

Page 991: ...mac any any Console config mac acl RELATED COMMANDS access list arp 989 show access list arp This command displays the rules for configured ARP ACLs SYNTAX show access list arp acl name acl name Name...

Page 992: ...nit identifier Range 1 port Port number Range 1 28 52 acl name Name of the ACL Maximum length 32 characters COMMAND MODE Privileged Exec EXAMPLE Console clear access list hardware counters Console sho...

Page 993: ...ss rules for Standard IPv6 ACLs mac Shows ingress rules for MAC ACLs tcam utilization Shows the percentage of user configured ACL rules as a percentage of total ACL rules acl name Name of the ACL Maxi...

Page 994: ...CHAPTER 26 Access Control Lists ACL Information 994...

Page 995: ...clear counters Clears statistics on an interface PE show discard Displays if CDP and PVST packets are being discarded PE show interfaces brief Displays a summary of key information including operation...

Page 996: ...C transceiver threshold tx power Sets thresholds for the transceiver power level of the transmitted signal which can be used to trigger an alarm or warning message IC transceiver threshold voltage Set...

Page 997: ...configuration file An example of the value which a network manager might store in this object for a WAN interface is the Telco s circuit number identifier of the interface EXAMPLE The following exampl...

Page 998: ...ill negotiate the best settings for a link based on the capabilities command When auto negotiation is disabled you must manually specify the link attributes with the speed duplex and flowcontrol comma...

Page 999: ...description RD SW 3 Console config if discard This command discards CDP or PVST packets Use the no form to forward the specified packet type to other ports configured the same way SYNTAX no discard cd...

Page 1000: ...essure is used for half duplex operation and IEEE 802 3 2002 formally IEEE 802 3x for full duplex operation To force flow control on or off with the flowcontrol or no flowcontrol command use the no ne...

Page 1001: ...rced 1000sfp Console config if negotiation This command enables auto negotiation for a given interface Use the no form to disable auto negotiation SYNTAX no negotiation DEFAULT SETTING Enabled COMMAND...

Page 1002: ...command allows you to disable a port due to abnormal behavior e g excessive collisions and then re enable it after the problem has been resolved You may also want to disable a port for security reason...

Page 1003: ...process cannot be guaranteed when connecting to other types of switches To force operation to the speed and duplex mode specified in a speed duplex command use the no negotiation command to disable au...

Page 1004: ...the current management session However if you log out and back into the management interface the statistics displayed will show the absolute value accumulated since the last power reset EXAMPLE The f...

Page 1005: ...uto 1000BASE T None Eth 1 4 Down 1 0 Auto 1000BASE T None Eth 1 5 Down 1 0 Auto 1000BASE T None Eth 1 6 Down 1 0 Auto 1000BASE T None show interfaces counters This command displays interface statistic...

Page 1006: ...erred Transmissions 0 Late Collisions 0 Excessive Collisions 0 Internal Mac Transmit Errors 0 Internal Mac Receive Errors 0 Frames Too Long 0 Carrier Sense Errors 0 Symbol Errors RMON Stats 0 Drop Eve...

Page 1007: ...us on page 159 EXAMPLE Console show interfaces status ethernet 1 21 Information of Eth 1 21 Port Type 1000BASE T MAC Address B4 0E DC 34 E6 3D Configuration Name Port Admin Up Speed Duplex Auto Capabi...

Page 1008: ...faces is displayed EXAMPLE This example shows the configuration setting for port 21 Console show interfaces switchport ethernet 1 21 Information of Eth 1 21 Broadcast Threshold Enabled 500 packets sec...

Page 1009: ...ess Egress Rate Limit Shows if rate limiting is enabled and the current rate limit page 783 VLAN Membership Mode Indicates membership mode as Trunk or Hybrid page 1161 Ingress Rule Shows if ingress fi...

Page 1010: ...sole config if transceiver threshold auto Console transceiver threshold current This command sets thresholds for transceiver current which can be used to trigger an alarm or warning message SYNTAX tra...

Page 1011: ...reshold events are triggered as described above to avoid a hysteresis effect which would continuously trigger event messages if the power level were to fluctuate just above and below either the high t...

Page 1012: ...nagement station configured by the snmp server host command EXAMPLE The following example sets alarm thresholds for the signal power received at port 1 Console config interface ethernet 1 52 Console c...

Page 1013: ...esholds for the transceiver temperature at port 1 Console config interface ethernet 1 52 Console config if transceiver threshold temperature low alarm 97 Console config if transceiver threshold temper...

Page 1014: ...g example sets alarm thresholds for the signal power transmitted at port 1 Console config interface ethernet 1 52 Console config if transceiver threshold tx power low alarm 8 Console config if transce...

Page 1015: ...face ethernet 1 52 Console config if transceiver threshold voltage low alarm 4 Console config if transceiver threshold voltage high alarm 2 Console show interfaces transceiver This command displays id...

Page 1016: ...PN SMC1GSFP SX Vendor Rev V1 1 Vendor SN A492101711 Date Code 09 05 19 DDM Information Temperature 35 64 degree C Vcc 3 25 V Bias Current 12 13 mA TX Power 2 36 dBm RX Power 24 20 dBm DDM Thresholds L...

Page 1017: ...nsceiver threshold ethernet 1 52 Information of Eth 1 52 DDM Thresholds Transceiver monitor Disabled Transceiver threshold auto Enabled Low Alarm Low Warning High Warning High Alarm Temperature Celsiu...

Page 1018: ...e reference range Ports are linked down while running cable diagnostics To ensure more accurate measurement of the length to a fault first disable power saving mode using the no power save command on...

Page 1019: ...save This command enables power savings mode on the specified port SYNTAX no power save COMMAND MODE Interface Configuration Ethernet Ports 1 24 48 COMMAND USAGE IEEE 802 3 defines the Ethernet stand...

Page 1020: ...ength is shorter When cable length is shorter power consumption can be reduced since signal attenuation is proportional to cable length When power savings mode is enabled the switch analyzes cable len...

Page 1021: ...connection must be configured as trunk ports Table 115 Link Aggregation Commands Command Function Mode Manual Configuration Commands interface port channel Configures a trunk and enters interface con...

Page 1022: ...med i e it has the null value of 0 this key is set to the same value as the port admin key lacp admin key Ethernet Interface used by the interfaces that joined the group However if the port channel ad...

Page 1023: ...or many different hosts Do not use this mode for switch to router trunk links where the destination MAC address is the same for all traffic src dst ip All traffic with the same source and destination...

Page 1024: ...ove a port group from a trunk Use no interface port channel to remove a trunk from the switch EXAMPLE The following example creates trunk 1 and then adds port 10 Console config interface port channel...

Page 1025: ...fig if interface ethernet 1 11 Console config if lacp Console config if interface ethernet 1 12 Console config if lacp Console config if end Console show interfaces status port channel 1 Information o...

Page 1026: ...the LACP system priority matches 2 the LACP port admin key matches and 3 the LACP port channel key matches if configured If the port channel admin key lacp admin key Port Channel is not set when a ch...

Page 1027: ...s selected to replace the downed link However if two or more ports have the same LACP port priority the port with the lowest physical port number will be selected as the backup port If an LAG already...

Page 1028: ...mbined with the switch s MAC address to form the LAG identifier This identifier is used to indicate a specific LAG during LACP negotiations with other systems Once the remote side of a link has been e...

Page 1029: ...ult value the operational key is based upon LACP PDUs received from the partner and the channel admin key is reset to the default value The trunk identifier will also be changed by this process EXAMPL...

Page 1030: ...c port channel is constructed again that timeout value will be used EXAMPLE Console config interface port channel 1 Console config if lacp timeout short Console config if Trunk Status Display Commands...

Page 1031: ...PDUs transmitted from this channel group Marker Received Number of valid Marker PDUs received by this channel group LACPDUs Unknown Pkts Number of frames received that either 1 Carry the Slow Protocol...

Page 1032: ...llection is currently enabled and is not expected to be disabled in the absence of administrative changes or changes in received protocol information Synchronization The System considers this link to...

Page 1033: ...Load Balance Mode Destination IP address Console Port Oper Priority Priority value assigned to this aggregation port by the partner Admin Key Current administrative value of the Key for the protocol p...

Page 1034: ...CHAPTER 28 Link Aggregation Commands Trunk Status Display Commands 1034...

Page 1035: ...nd provide power to powered devices that were designed prior to the IEEE 802 3af PoE standard Use the no form to disable this feature SYNTAX no power inline compatible DEFAULT SETTING Enabled Table 12...

Page 1036: ...rs connected to the RJ 45 ports EXAMPLE Console config power inline compatible Console config end Console show power inline status Unit 1 Unit 1 Compatible mode Disabled Time Max Used Interface Admin...

Page 1037: ...y detect if a PoE compliant device is connected to the specified port and turn power on or off accordingly Use the no form to turn off power for a port or the no form with the time range keyword to re...

Page 1038: ...Configuration COMMAND USAGE For the ECS4110 28P the total PoE power delivered by all ports cannot exceed the maximum power budget of 390W For the ECS4110 52P the total PoE power delivered by all port...

Page 1039: ...rity settings to control the supplied power For example A device connected to a low priority port that causes the switch to exceed its budget is not supplied power If a device is connected to a critic...

Page 1040: ...move this binding SYNTAX power inline time range time range name no power inline time range time range name Name of the time range Range 1 30 characters DEFAULT SETTING None COMMAND MODE Interface Con...

Page 1041: ...00 mW 0 mW Low Eth 1 5 Enabled Off 34200 mW 0 mW Low Eth 1 6 Enabled Off 34200 mW 0 mW Low Eth 1 7 Enabled Off 34200 mW 0 mW Low Eth 1 8 Enabled Off 34200 mW 0 mW Low Eth 1 9 Enabled Off 34200 mW 0 mW...

Page 1042: ...e show power inline time range ethernet 1 5 Interface Time Range Name Status Eth 1 5 r d Inactive Console RELATED COMMANDS power inline 1037 show power mainpower Use this command to display the curren...

Page 1043: ...PoE Maximum Allocation Power The overall maximum power which is currently allocated by the power mainpower maximum allocation command System Operation Status The current operating power status displa...

Page 1044: ...CHAPTER 29 Power over Ethernet Commands 1044...

Page 1045: ...id mac address mac address access list acl name no port monitor interface vlan vlan id mac address mac address access list acl name interface ethernet unit port source port unit Unit identifier Range...

Page 1046: ...net interface with the interface configuration command and then use the port monitor command to specify the source of the traffic to mirror Note that the destination port cannot be a trunk or trunk me...

Page 1047: ...ethernet 1 6 both Console config if This example configures port 2 to monitor packets matching the MAC address 00 12 CF XX XX XX received by port 1 Console config access list mac m1 Console config ma...

Page 1048: ...for analysis on a local destination port Configuration Guidelines Take the following steps to configure an RSPAN session 1 Use the vlan rspan command to configure a VLAN to use for RSPAN Default VLAN...

Page 1049: ...command cannot be used as the destination for RSPAN traffic Only one mirror session is allowed including both local and remote mirroring If local mirroring is enabled then no session can be configured...

Page 1050: ...e a consecutive list of ports or a comma between non consecutive ports ethernet unit port unit Unit identifier Range 1 port Port number Range 1 28 52 rx Mirror received packets tx Mirror transmitted p...

Page 1051: ...N tag untagged Traffic exiting the destination port is untagged DEFAULT SETTING Traffic exiting the destination port is untagged COMMAND MODE Global Configuration COMMAND USAGE Only one destination po...

Page 1052: ...intermediate switch transparently passing mirrored traffic from one or more sources to one or more destinations destination Specifies this device as a switch configured with a destination port which i...

Page 1053: ...ession is allowed including both local and remote mirroring If local mirroring is enabled with the port monitor command then no session can be configured for RSPAN COMMAND MODE Global Configuration CO...

Page 1054: ...nsole show rspan session RSPAN Session ID 1 Source Ports mirrored ports None RX Only None TX Only None BOTH None Destination Port monitor port Eth 1 2 Destination Tagged Mode Untagged Switch Role Dest...

Page 1055: ...o limit traffic into or out of the network Packets that exceed the acceptable amount of traffic are dropped Rate limiting can be applied to individual ports or trunks When an interface is configured w...

Page 1056: ...fied interface output Output rate for specified interface rate Maximum value in kbps Range 64 1000000 kbps DEFAULT SETTING Disabled COMMAND MODE Interface Configuration Ethernet Port Channel COMMAND U...

Page 1057: ...adcast multicast unknown unicast broadcast Specifies storm control for broadcast traffic multicast Specifies storm control for multicast traffic unicast Specifies storm control for unknown unicast tra...

Page 1058: ...MMANDS show interfaces switchport 1008 AUTOMATIC TRAFFIC CONTROL COMMANDS Automatic Traffic Control ATC configures bounding thresholds for broadcast and multicast storms which can be used to trigger c...

Page 1059: ...res IC Port snmp server enable port traps atc multicast alarm clear Sends a trap when multicast traffic falls beneath the lower threshold after a storm control response has been triggered IC Port snmp...

Page 1060: ...hreshold after the release timer expires traffic control for rate limiting will be stopped and a Traffic Control Release Trap sent and logged Note that if the control action has shut down a port it ca...

Page 1061: ...n be applied to a port Enabling automatic storm control on a port will disable hardware level storm control on that port Threshold Commands auto traffic control apply timer This command sets the time...

Page 1062: ...st multicast release timer seconds no auto traffic control broadcast multicast release timer broadcast Specifies automatic storm control for broadcast traffic multicast Specifies automatic storm contr...

Page 1063: ...packet rate command However only one of these control types can be applied to a port Enabling automatic storm control on a port will disable hardware level storm control on that port EXAMPLE This exa...

Page 1064: ...re enabled by automatic traffic control It can only be manually re enabled using the auto traffic control control release command EXAMPLE This example sets the control response for broadcast traffic o...

Page 1065: ...nd EXAMPLE This example sets the clear threshold for automatic storm control for broadcast traffic on port 1 Console config interface ethernet 1 1 Console config if auto traffic control broadcast alar...

Page 1066: ...ole config if auto traffic control auto control release This command automatically releases a control response of rate limiting after the time specified in the auto traffic control release timer comma...

Page 1067: ...en triggered EXAMPLE Console config interface ethernet 1 1 Console config if auto traffic control broadcast control release Console config if SNMP Trap Commands snmp server enable port traps atc broad...

Page 1068: ...roadcast alarm fire Console config if RELATED COMMANDS auto traffic control alarm fire threshold 1065 snmp server enable port traps atc broadcast control apply This command sends a trap when broadcast...

Page 1069: ...roadcast control release Console config if RELATED COMMANDS auto traffic control alarm clear threshold 1064 auto traffic control action 1063 auto traffic control release timer 1062 snmp server enable...

Page 1070: ...ulticast alarm fire Console config if RELATED COMMANDS auto traffic control alarm fire threshold 1065 snmp server enable port traps atc multicast control apply This command sends a trap when multicast...

Page 1071: ...Interface Configuration Ethernet EXAMPLE Console config interface ethernet 1 1 Console config if snmp server enable port traps atc multicast control release Console config if RELATED COMMANDS auto tra...

Page 1072: ...tifier Range 1 port Port number Range 1 28 52 COMMAND MODE Privileged Exec EXAMPLE Console show auto traffic control interface ethernet 1 1 Eth 1 1 Information Storm Control Broadcast Multicast State...

Page 1073: ...nterface or when an interface is released from a shutdown state caused by a loopback event a trap message is sent and the event recorded in the system log Loopback detection must be enabled both globa...

Page 1074: ...e protocol on port 1 and then enables general loopback detection for that port Console config loopback detection Console config interface ethernet 1 1 Console config if no spanning tree loopback detec...

Page 1075: ...operation regardless of the remaining recover time EXAMPLE This example sets the loopback detection mode to block user traffic Console config loopback detection action block Console config loopback de...

Page 1076: ...onfiguration EXAMPLE Console config loopback detection transmit interval 60 Console config loopback detection trap This command sends a trap when a loopback condition is detected or when the switch re...

Page 1077: ...etection feature SYNTAX loopback detection release COMMAND MODE Privileged Exec EXAMPLE Console loopback detection release Console config show loopback detection This command shows loopback detection...

Page 1078: ...n Port Information Port Admin State Oper State Eth 1 1 Enabled Normal Eth 1 2 Disabled Disabled Eth 1 3 Disabled Disabled Console show loopback detection ethernet 1 1 Loopback Detection Information of...

Page 1079: ...erval message interval no message interval message interval The interval at which a port sends UDLD probe messages after linkup or detection phases Range 7 90 seconds DEFAULT SETTING 15 seconds COMMAN...

Page 1080: ...detection process is always based on information received in UDLD messages whether that s information about the exchange of proper neighbor identification or the absence of such Hence albeit bound by...

Page 1081: ...E UDLD requires that all the devices connected to the same LAN segment be running the protocol in order for a potential mis configuration to be detected and for prompt corrective action to be taken Wh...

Page 1082: ...th 1 3 Disabled Normal Disabled 7 s Unknown 5 s Eth 1 4 Disabled Normal Disabled 7 s Unknown 5 s Eth 1 5 Disabled Normal Disabled 7 s Unknown 5 s Console show udld interface ethernet 1 1 Interface UDL...

Page 1083: ...e link is down or not connected to a UDLD capable device The state is Bidirectional if the link has a normal two way connection to a UDLD capable device All other states indicate mis wiring Msg Invl T...

Page 1084: ...CHAPTER 33 UniDirectional Link Detection Commands 1084...

Page 1085: ...seconds COMMAND MODE Global Configuration COMMAND USAGE The aging time is used to age out dynamically learned forwarding information Table 135 Address Table Commands Command Function Mode mac address...

Page 1086: ...he switch is reset permanent Assignment is permanent DEFAULT SETTING No static addresses are defined The default mode is permanent COMMAND MODE Global Configuration COMMAND USAGE The static address fo...

Page 1087: ...c address table dynamic Console show mac address table This command shows classes of entries in the bridge forwarding database SYNTAX show mac address table address mac address mask interface interfac...

Page 1088: ...bit and 1 means to ignore a bit For example a mask of 00 00 00 00 00 00 means an exact match and a mask of FF FF FF FF FF FF means any The maximum number of address entries is 16K EXAMPLE Console show...

Page 1089: ...e SYNTAX show mac address table count interface interface interface ethernet unit port unit Unit identifier Range 1 port Port number Range 1 28 52 port channel channel id Range 1 16 DEFAULT SETTING No...

Page 1090: ...CHAPTER 34 Address Table Commands 1090...

Page 1091: ...ystem bpdu flooding Floods BPDUs to all other ports or just to all other ports in the same VLAN when global spanning tree is disabled GC spanning tree transmission limit Configures the transmission li...

Page 1092: ...ing tree mst cost Configures the path cost of an instance in the MST IC spanning tree mst port priority Configures the priority of an instance in the MST IC spanning tree port bpdu flooding Floods BPD...

Page 1093: ...co IOS Release 12 2 25 SEC do not fully follow the IEEE standard causing some state machine procedures to function incorrectly The command forces the spanning tree protocol to function in a manner com...

Page 1094: ...sole config spanning tree forward time 20 Console config spanning tree hello time This command configures the spanning tree bridge hello time globally for this switch Use the no form to restore the de...

Page 1095: ...onverge All device ports except for designated ports should receive configuration messages at regular intervals Any port that ages out STA information provided in the last configuration message become...

Page 1096: ...1D BPDU after a port s migration delay timer expires the switch assumes it is connected to an 802 1D bridge and starts using only 802 1D BPDUs RSTP Mode If RSTP is using 802 1D BPDUs on a port and rec...

Page 1097: ...th between devices Therefore lower values should be assigned to ports attached to faster media and higher values assigned to ports with slower media Note that path cost page 1105 takes precedence over...

Page 1098: ...e lowest MAC address will then become the root device EXAMPLE Console config spanning tree priority 40000 Console config spanning tree mst configuration This command changes to Multiple Spanning Tree...

Page 1099: ...port s PVID DEFAULT SETTING Floods to all other ports in the same VLAN COMMAND MODE Global Configuration COMMAND USAGE The spanning tree system bpdu flooding command has no effect if BPDU flooding is...

Page 1100: ...stance within a region and the internal spanning tree IST that connects these instances use a hop count to specify the maximum number of bridges that will propagate a BPDU Each bridge decrements the h...

Page 1101: ...tance Use the no form to remove the specified VLANs Using the no form without any VLAN parameters to remove all VLANs SYNTAX no mst instance id vlan vlan range instance id Instance identifier of the s...

Page 1102: ...Use the no form to clear the name SYNTAX name name name Name of the spanning tree DEFAULT SETTING Switch s MAC address COMMAND MODE MST Configuration COMMAND USAGE The MST region name and revision num...

Page 1103: ...the no form to disable this feature SYNTAX no spanning tree bpdu filter DEFAULT SETTING Disabled COMMAND MODE Interface Configuration Ethernet Port Channel COMMAND USAGE This command stops all Bridge...

Page 1104: ...s DEFAULT SETTING BPDU Guard Disabled Auto Recovery Disabled Auto Recovery Interval 300 seconds COMMAND MODE Interface Configuration Ethernet Port Channel COMMAND USAGE An edge port should only be con...

Page 1105: ...the short path cost method is selected and the default path cost recommended by the IEEE 8021w standard exceeds 65 535 the default is set to 65 535 COMMAND MODE Interface Configuration Ethernet Port C...

Page 1106: ...e is an edge port DEFAULT SETTING Auto COMMAND MODE Interface Configuration Ethernet Port Channel COMMAND USAGE You can enable this option if an interface is attached to a LAN segment that is at the e...

Page 1107: ...two or more bridges When automatic detection is selected the switch derives the link type from the duplex mode A full duplex interface is considered a point to point link while a half duplex interfac...

Page 1108: ...block shutdown duration no spanning tree loopback detection action block Blocks user traffic shutdown Shuts down the interface duration The duration to shut down the interface Range 60 86400 seconds...

Page 1109: ...hen the port will only be returned to the forwarding state if one of the following conditions is satisfied The port receives any other BPDU except for it s own or The port s link status changes to lin...

Page 1110: ...nce identifier of the spanning tree Range 0 4094 cost Path cost for an interface Range 0 for auto configuration 1 65535 for short path cost method28 1 200 000 000 for long path cost method The recomme...

Page 1111: ...panning Tree Use the no form to restore the default SYNTAX spanning tree mst instance id port priority priority no spanning tree mst instance id port priority instance id Instance identifier of the sp...

Page 1112: ...n the receiving port s native VLAN as specified by the spanning tree system bpdu flooding command The spanning tree system bpdu flooding command has no effect if BPDU flooding is disabled on a port by...

Page 1113: ...Port Channel COMMAND USAGE A bridge with a lower bridge identifier or same identifier and lower MAC address can take over as the root bridge at any time When Root Guard is enabled and the switch recei...

Page 1114: ...t Channel EXAMPLE This example disables the spanning tree algorithm for port 5 Console config interface ethernet 1 5 Console config if spanning tree spanning disabled Console config if spanning tree t...

Page 1115: ...ge 1 16 COMMAND MODE Privileged Exec COMMAND USAGE Use this command to release an interface from discarding state if loopback detection release mode is set to manual by the spanning tree loopback dete...

Page 1116: ...instance within the multiple spanning tree MST SYNTAX show spanning tree interface mst instance id brief stp enabled only interface ethernet unit port unit Unit identifier Range 1 port Port number Ra...

Page 1117: ...panning Tree Enabled Disabled Enabled Instance 0 VLANs Configured 1 4094 Priority 32768 Bridge Hello Time sec 2 Bridge Max Age sec 20 Bridge Forward Delay sec 15 Root Hello Time sec 2 Root Max Age sec...

Page 1118: ...Disabled Enabled Designated Root 32768 0000E89382A0 Current Root Port 0 Current Root Cost 0 Interface Pri Designated Designated Oper STP Role State Oper Bridge ID Port ID Cost Status Edge Eth 1 1 128...

Page 1119: ...ERPS node id Sets the MAC address for a ring node ERPS non erps dev protect Sends non standard health check packets when in protection state ERPS non revertive Enables non revertive mode which require...

Page 1120: ...t link faults and the wtr timer command to verify that the ring has stabilized before blocking the RPL after recovery from a signal failure 5 Configure the ERPS Control VLAN CVLAN Use the control vlan...

Page 1121: ...specific ring erps This command enables ERPS on the switch Use the no form to disable this feature SYNTAX no erps DEFAULT SETTING Disabled COMMAND MODE Global Configuration COMMAND USAGE ERPS must be...

Page 1122: ...d for sending and receiving ERPS protocol messages Use the no form to remove the Control VLAN SYNTAX no control vlan vlan id vlan id VLAN ID Range 1 4094 DEFAULT SETTING None COMMAND MODE ERPS Configu...

Page 1123: ...d 2 tagged Console config if exit Console config erps domain rd1 Console config erps control vlan 2 Console config erps enable This command activates the current ERPS ring Use the no form to disable t...

Page 1124: ...aximum expected forwarding delay for an R APS message to pass around the ring A side effect of the guard timer is that during its duration a node will be unaware of new or existing ring requests trans...

Page 1125: ...kets Use the no form to remove the current setting SYNTAX major domain name no major domain name Name of the ERPS ring used for sending control packets Range 1 32 characters DEFAULT SETTING None COMMA...

Page 1126: ...check messages are used to monitor the link status of an ERPS ring node as specified by the mep monitor command then the MEG level set by the meg level command must match the authorized maintenance l...

Page 1127: ...how ERPS recovers from a node failure refer to Ethernet Ring Protection Switching on page 495 EXAMPLE Console config erps mep monitor east mep 1 Console config erps RELATED COMMANDS ethernet cfm domai...

Page 1128: ...re SYNTAX no non erps dev protect DEFAULT SETTING Disabled COMMAND MODE ERPS Configuration COMMAND USAGE The RPL owner node detects a failed link when it receives R APS SF signal fault messages from n...

Page 1129: ...le state EXAMPLE Console config erps non erps dev protect Console config erps non revertive This command enables non revertive mode which requires the protection state on the RPL to manually cleared U...

Page 1130: ...he RPL Owner Node c When the WTR timer expires without the presence of any other higher priority request the RPL Owner Node initiates reversion by blocking its traffic channel over the RPL transmittin...

Page 1131: ...mode is handled in the following way a The reception of an R APS NR message causes the RPL Owner Node to start the WTB timer b The WTB timer is cancelled if during the WTB period a higher priority re...

Page 1132: ...its own Node ID it unblocks any ring port which does not have an SF condition and stops transmitting R APS NR message on both ring ports Recovery with revertive mode is handled in the following way a...

Page 1133: ...disable this feature SYNTAX no propagate tc DEFAULT SETTING Disabled COMMAND MODE ERPS Configuration COMMAND USAGE When a secondary ring detects a topology change it can pass a message about this even...

Page 1134: ...sole config erps raps def mac Console config erps raps without vc This command terminates the R APS channel at the primary ring to sub ring interconnection nodes Use the no form to restore the default...

Page 1135: ...tance over an R APS virtual channel Figure 424 Sub ring with Virtual Channel Sub ring without R APS Virtual Channel Under certain circumstances it may not be desirable to use a virtual channel to inte...

Page 1136: ...ge 1 port Port number Range 1 12 port channel channel id Range 1 12 DEFAULT SETTING Not associated COMMAND MODE ERPS Configuration COMMAND USAGE Each node must be connected to two neighbors on the rin...

Page 1137: ...Configuration COMMAND USAGE The RPL neighbor node when configured is a ring node adjacent to the RPL that is responsible for blocking its end of the RPL under normal conditions i e the ring is establ...

Page 1138: ...it during Protection state that is when a signal fault is detected on the ring or the protection state is enabled with the erps forced switch or erps manual switch command The east and west connectio...

Page 1139: ...he version number is automatically set to 1 when a ring node supporting only the functionalities of G 8032v1 exists on the same ring with other nodes that support G 8032v2 When ring nodes running G 80...

Page 1140: ...and clears statistics including SF NR NR RB FS MS Event and Health protocol messages SYNTAX clear erps statistics domain ring name ring name Name of a specific ERPS ring Range 1 12 characters COMMAND...

Page 1141: ...ort SYNTAX erps forced switch domain ring name east west ring name Name of a specific ERPS ring Range 1 12 characters east East ring port west West ring port COMMAND MODE Privileged Exec COMMAND USAGE...

Page 1142: ...ed except on a ring node having a prior local forced switch request The ring nodes where further forced switch commands are issued block the traffic channel and R APS channel on the ring port at which...

Page 1143: ...omain r d west Console erps manual switch This command blocks the specified ring port in the absence of a failure or an erps forced switch command SYNTAX erps manual switch domain ring name east west...

Page 1144: ...Protection switching on a manual switch request is completed when the above actions are performed by each ring node At this point traffic flows around the ring are resumed From this point on the foll...

Page 1145: ...ertive r d 1 Yes 2 1 1 Idle RPL Owner Yes W E Interface Port State Local SF Local FS Local MS MEP RPL West Eth 1 1 Blocking No No No Yes East Eth 1 3 Forwarding No No No No Console Table 141 show erps...

Page 1146: ...pe Shows ERPS node type as None RPL Owner or RPL Neighbor Revertive Shows if revertive or non revertive recovery is selected Interface Information W E Shows information on the west and east ring port...

Page 1147: ...f a sub ring in another Ethernet ring or network R APS Def MAC Indicates if the switch s MAC address is used to identify the node in R APS messages Propagate TC Shows if the ring is configured to prop...

Page 1148: ...ured as a ring port Local SF A signal fault generated on a link to the local node Local Clear SF The number of times a clear command was issued to terminate protection state entered through a forced s...

Page 1149: ...ng ingress and egress tagging mode ingress filtering PVID and GVRP Displaying VLAN Information Displays VLAN groups status port members and MAC addresses Configuring IEEE 802 1Q Tunneling Configures 8...

Page 1150: ...D USAGE GVRP defines a way for switches to exchange VLAN information in order to register VLAN members on ports across the network This function should be enabled to permit automatic VLAN registration...

Page 1151: ...AGE Group Address Registration Protocol is used by GVRP and GMRP to register or deregister client attributes for client services within a bridged LAN The default values for the GARP timers are indepen...

Page 1152: ...in the forbidden list COMMAND MODE Interface Configuration Ethernet Port Channel COMMAND USAGE This command prevents a VLAN from being automatically added to the specified interface via GVRP If a VLAN...

Page 1153: ...c COMMAND USAGE See Displaying Bridge Extension Capabilities on page 127 for a description of the displayed items EXAMPLE Console show bridge ext Maximum Supported VLAN Numbers 4094 Maximum Supported...

Page 1154: ...ve All Timer 1000 centiseconds Console RELATED COMMANDS garp timer 1151 show gvrp configuration This command shows if GVRP is enabled SYNTAX show gvrp configuration interface interface ethernet unit p...

Page 1155: ...tings by entering the show vlan command Use the interface vlan command mode to define the port membership mode and add or remove ports from a VLAN The results of these commands are written to the runn...

Page 1156: ...AN used for mirroring traffic from remote switches The VLAN used for RSPAN cannot include VLAN 1 the switch s default VLAN Nor should it include VLAN 4093 which is used for switch clustering Configuri...

Page 1157: ...mands and save the configuration settings To change a Layer 3 normal VLAN back to a Layer 2 VLAN use the no interface command Table 147 Commands for Configuring VLAN Interfaces Command Function Mode i...

Page 1158: ...estore the default SYNTAX switchport acceptable frame types all tagged no switchport acceptable frame types all The port accepts all frames tagged or untagged tagged The port only receives tagged fram...

Page 1159: ...ommand If a VLAN list is specified only the last VLAN in the list will be added to the interface A port or a trunk with switchport mode set to hybrid must be assigned to at least one VLAN as untagged...

Page 1160: ...Ingress filtering only affects tagged frames If ingress filtering is disabled and a port receives frames tagged for VLANs for which it is not a member these frames will be flooded to all other ports...

Page 1161: ...ID are also transmitted as tagged frames DEFAULT SETTING All ports are in hybrid mode with the PVID set to VLAN 1 COMMAND MODE Interface Configuration Ethernet Port Channel COMMAND USAGE Access mode i...

Page 1162: ...EXAMPLE The following example shows how to set the PVID for port 1 to VLAN 3 Console config interface ethernet 1 1 Console config if switchport native vlan 3 Console config if vlan trunking This comm...

Page 1163: ...e command If VLAN trunking is enabled on an interface then that interface cannot be set to access mode and vice versa To prevent loops from forming in the spanning tree all unknown VLANs will be bound...

Page 1164: ...tive Ports Port Channels Eth1 1 S Eth1 2 S Eth1 3 S Eth1 4 S Eth1 5 S Eth1 6 S Eth1 7 S Eth1 8 S Eth1 9 S Eth1 10 S Eth1 11 S Eth1 12 S Eth1 13 S Eth1 14 S Eth1 15 S Eth1 16 S Eth1 17 S Eth1 18 S Eth1...

Page 1165: ...ol Identifier TPID value of the tunnel access port This step is required if the attached client is using a nonstandard 2 byte ethertype to identify 802 1Q tagged frames The standard ethertype value is...

Page 1166: ...el uplink port may be disabled if the spanning tree structure is automatically reconfigured to overcome a break in the tree It is therefore advisable to disable spanning tree on these ports dot1q tunn...

Page 1167: ...ntrol command before the switchport dot1q tunnel mode interface command can take effect When a tunnel uplink port receives a packet from a customer the customer tag regardless of whether there are one...

Page 1168: ...When priority bits are found in the inner tag these are also copied to the outer tag This allows the service provider to differentiate service based on the indicated priority and appropriate methods...

Page 1169: ...ethernet 1 1 Console config if switchport allowed vlan add 100 200 300 untagged Console config if switchport dot1q tunnel mode access 5 Configure the following selective QinQ mapping entries Console...

Page 1170: ...ce Configuration Ethernet Port Channel COMMAND USAGE Use the switchport dot1q tunnel tpid command to set a custom 802 1Q ethertype value on the selected interface This feature allows the switch to int...

Page 1171: ...dot1q tunnel system tunnel control Console config interface ethernet 1 1 Console config if switchport dot1q tunnel mode access Console config if interface ethernet 1 2 Console config if switchport do...

Page 1172: ...mains in the customer s network L2PT can be used to pass various types of protocol packets belonging to the same customer transparently across a service provider s network In this way normally segrega...

Page 1173: ...tag it is filtered decapsulated and processed locally by the switch if the protocol is supported When a protocol packet is received on an access port i e an 802 1Q trunk port connecting the edge swit...

Page 1174: ...t it is forwarded to the following ports in the same S VLAN a other access ports for which L2PT is disabled and b all uplink ports recognized as a GBPT protocol packet i e having the destination addre...

Page 1175: ...E Refer to the Command Usage section for the l2protocol tunnel tunnel dmac command For L2PT to function properly QinQ must be enabled on the switch using the dot1q tunnel system tunnel control command...

Page 1176: ...inal vlan new vlan no switchport vlan translation original vlan original vlan The original VLAN ID Range 1 4094 new vlan The new VLAN ID Range 1 4094 DEFAULT SETTING Disabled COMMAND MODE Interface Co...

Page 1177: ...s If VLAN translation is set on an interface with this command and the same interface is also configured as a QinQ access port with the switchport dot1q tunnel mode command VLAN tag assignments will b...

Page 1178: ...pating in a specific protocol This kind of configuration deprives users of the basic benefits of VLANs including security and easy accessibility To avoid these problems you can configure this switch w...

Page 1179: ...ols to a group Use the no form to remove a protocol group SYNTAX protocol vlan protocol group group id add remove frame type frame protocol type protocol no protocol vlan protocol group group id group...

Page 1180: ...D MODE Interface Configuration Ethernet Port Channel COMMAND USAGE When creating a protocol based VLAN only assign interfaces via this command If you assign interfaces using any of the other VLAN comm...

Page 1181: ...group group id group id Group identifier for a protocol group Range 1 2147483647 DEFAULT SETTING All protocol groups are displayed COMMAND MODE Privileged Exec EXAMPLE This shows protocol group 1 conf...

Page 1182: ...ssification all untagged frames received by a port are classified as belonging to the VLAN whose VID PVID is associated with that port When IP subnet based VLAN classification is enabled the source ad...

Page 1183: ...ty 0 COMMAND MODE Global Configuration COMMAND USAGE Each IP subnet can be mapped to only one VLAN ID An IP subnet consists of an IP address and a subnet mask The specified VLAN need not be an existin...

Page 1184: ...192 168 12 252 255 255 255 254 8 0 192 168 12 254 255 255 255 255 9 0 192 168 12 255 255 255 255 255 10 0 Console CONFIGURING MAC BASED VLANS When using IEEE 802 1Q port based VLAN classification all...

Page 1185: ...gress traffic Range 0 7 where 7 is the highest priority DEFAULT SETTING None COMMAND MODE Global Configuration COMMAND USAGE The MAC to VLAN mapping applies to all ports on the switch Source MAC addre...

Page 1186: ...VLAN for the network and set a CoS priority for the VoIP traffic VoIP traffic can be detected on switch ports by using the source MAC address of packets or by using LLDP IEEE 802 1AB to discover conne...

Page 1187: ...a single VLAN VoIP traffic can be detected on switch ports by using the source MAC address of packets or by using LLDP IEEE 802 1AB to discover connected VoIP devices When VoIP traffic is detected on...

Page 1188: ...the port The VoIP aging time starts to count down when the OUI s MAC address expires from the MAC address table Therefore the MAC address aging time should be added to the overall aging time For examp...

Page 1189: ...devices Range 1 32 characters DEFAULT SETTING None COMMAND MODE Global Configuration COMMAND USAGE VoIP devices attached to the switch can be identified by the manufacturer s Organizational Unique Id...

Page 1190: ...tchport voice vlan rule command When OUI is selected be sure to configure the MAC address ranges in the Telephony OUI list using the voice vlan mac address command All ports are set to VLAN hybrid mod...

Page 1191: ...Use the no form to disable the detection method on the port SYNTAX no switchport voice vlan rule oui lldp oui Traffic from VoIP devices is detected by the Organizationally Unique Identifier OUI of the...

Page 1192: ...port that are tagged with the voice VLAN ID VoIP traffic is identified by source MAC addresses configured in the Telephony OUI list or through LLDP that discovers VoIP devices attached to the switch P...

Page 1193: ...to Enabled OUI 6 100 Eth 1 2 Disabled Disabled OUI 6 NA Eth 1 3 Manual Enabled OUI 5 100 Eth 1 4 Auto Enabled OUI 6 100 Eth 1 5 Disabled Disabled OUI 6 NA Eth 1 6 Disabled Disabled OUI 6 NA Eth 1 7 Di...

Page 1194: ...CHAPTER 37 VLAN Commands Configuring Voice VLANs 1194...

Page 1195: ...ayer 2 Configures the queue mode queue weights and default priority for untagged frames Priority Commands Layer 3 and 4 Sets the default priority processing method CoS or DSCP maps priority tags for i...

Page 1196: ...cates a strict queue DEFAULT SETTING WRR COMMAND MODE Global Configuration COMMAND USAGE The switch can be set to service the port queues based on strict priority WRR or a combination of strict and we...

Page 1197: ...igns weights to the four class of service CoS priority queues when using weighted queuing or one of the queuing modes that use a combination of strict and weighted queuing Use the no form to restore t...

Page 1198: ...ty mapping is IP DSCP and then default switchport priority The default priority applies for an untagged frame received on a port set to accept all frame types i e receives both untagged and tagged fra...

Page 1199: ...default 5 Console config if RELATED COMMANDS show interfaces switchport 1008 show queue mode This command shows the current queue mode COMMAND MODE Privileged Exec EXAMPLE Console show queue mode Queu...

Page 1200: ...al format Range 0 1 Table 158 Priority Commands Layer 3 and 4 Command Function Mode qos map cos dscp Maps CoS CFI values in incoming packets to per hop behavior and drop precedence values for internal...

Page 1201: ...n the CoS CFI to PHB Drop Precedence mapping table is used to generate priority and drop precedence values for internal processing Note that priority tags in the original packet are not modified by th...

Page 1202: ...ode command and the ingress packet type is IPv4 Two QoS domains can have different DSCP definitions so the DSCP to PHB Drop Precedence mutation map can be used to modify one set of DSCP values to matc...

Page 1203: ...hardware output queues to use based on the internal per hop behavior value Use the no form to restore the default settings SYNTAX qos map phb queue queue id from phb0 phb7 no map phb queue phb0 phb7...

Page 1204: ...n the DSCP value in the ingress packet If the QoS mapping mode is set to DSCP and a non IP packet is received the packet s CoS and CFI Canonical Format Indicator values are used for priority processin...

Page 1205: ...is set to DSCP by the qos map trust mode command and the ingress packet type is IPv4 EXAMPLE The ingress DSCP is composed of d1 most significant digit in the left column and d2 least significant digi...

Page 1206: ...0 1 2 3 4 5 6 7 Queue 1 0 0 1 2 2 3 3 Console show qos map trust mode This command shows the QoS mapping mode SYNTAX show qos map trust mode interface interface interface ethernet unit port unit Unit...

Page 1207: ...classified traffic based on a metered flow rate PM C police srtcm color Defines an enforcer for classified traffic based on a single rate three color meter PM C police trtcm color Defines an enforcer...

Page 1208: ...dscp command to modify the per hop behavior the class of service value in the VLAN tag or the priority bits in the IP header IP DSCP value for the matching traffic class and use one of the police comm...

Page 1209: ...ass maps may be added to the policy map nor any changes made to the assigned class maps with the match or set commands EXAMPLE This example creates a class map call rd class and sets it to match packe...

Page 1210: ...ND USAGE First enter the class map command to designate a class map and enter the Class Map configuration mode Then use match commands to specify the fields within ingress packets that must match to q...

Page 1211: ...onfig cmap rename This command redefines the name of a class map or policy map SYNTAX rename map name map name Name of the class map or policy map Range 1 32 characters COMMAND MODE Class Map Configur...

Page 1212: ...rd policy Console config pmap class rd class Console config pmap c set cos 3 Console config pmap c police flow 100000 4000 conform action transmit violate action drop Console config pmap c class This...

Page 1213: ...ow 100000 4000 conform action transmit violate action drop Console config pmap c police flow This command defines an enforcer for classified traffic based on the metered flow rate Use the no form to r...

Page 1214: ...ze The token bucket C is initially full that is the token count Tc 0 BC Thereafter the token count Tc is updated CIR times per second as follows If Tc is less than BC Tc is incremented by one else Tc...

Page 1215: ...st Excess burst size BE in bytes Range 0 1600000 at a granularity of 4k bytes conform action Action to take when rate is within the CIR and BC There are enough tokens in bucket BC to service the packe...

Page 1216: ...ken count Tc 0 BC and the token count Te 0 BE Thereafter the token counts Tc and Te are updated CIR times per second as follows If Tc is less than BC Tc is incremented by one else if Te is less then B...

Page 1217: ...e trtcm color blind trtcm color aware committed rate committed burst peak rate peak burst conform action transmit exceed action drop new dscp violate action drop new dscp trtcm color blind Two rate th...

Page 1218: ...ol queue congestion A packet is marked red if it exceeds the PIR Otherwise it is marked either yellow or green depending on whether it exceeds or doesn t exceed the CIR The trTCM is useful for ingress...

Page 1219: ...on other aspects of trTCM EXAMPLE This example creates a policy called rd policy uses the class command to specify the previously defined rd class uses the set phb command to classify the service that...

Page 1220: ...average bandwidth to 100 000 Kbps the burst rate to 4000 bytes and configure the response to drop any violating packets Console config policy map rd policy Console config pmap class rd class Console c...

Page 1221: ...vices IP traffic by setting a per hop behavior value for a matching packet as specified by the match command for internal processing Use the no form to remove this setting SYNTAX no set phb phb value...

Page 1222: ...es a policy map defined by the policy map command to the ingress side of a particular interface Use the no form to remove this mapping SYNTAX no service policy input policy map name input Apply to the...

Page 1223: ...Match ip dscp 10 Match access list rd access Match ip dscp 0 Class Map match any rd class 2 Match ip precedence 5 Class Map match any rd class 3 Match vlan 1 Console show policy map This command displ...

Page 1224: ...ap rd policy class rd class set PHB 3 Console show policy map interface This command displays the service policy assigned to the specified interface SYNTAX show policy map interface interface input in...

Page 1225: ...ing displays current snooping settings and displays the multicast service and group members Static Multicast Routing Configures static multicast router ports which forward all inbound multicast traffi...

Page 1226: ...ed IGMP reports when proxy reporting is enabled GC ip igmp snooping version Configures the IGMP version for snooping GC ip igmp snooping version exclusive Discards received IGMP messages which use a v...

Page 1227: ...p snooping Console config ip igmp snooping vlan static Adds an interface as a member of a multicast group GC ip igmp snooping vlan version Configures the IGMP version for snooping GC ip igmp snooping...

Page 1228: ...fic such as a video conference or to set a low priority for normal multicast traffic not sensitive to latency EXAMPLE Console config ip igmp snooping priority 6 Console config RELATED COMMANDS show ip...

Page 1229: ...guration EXAMPLE Console config ip igmp snooping proxy reporting Console config ip igmp snooping querier This command enables the switch as an IGMP querier Use the no form to disable it SYNTAX no ip i...

Page 1230: ...ption 2 Also when the switch is acting in the role of a multicast host such as when using proxy routing it should ignore version 2 or 3 queries that do not contain the Router Alert option EXAMPLE Cons...

Page 1231: ...ived and all the uplink ports are subsequently deleted a time out mechanism is used to delete all of the currently learned multicast channels When a new uplink port starts up the switch sends unsolici...

Page 1232: ...When a switch receives this solicitation it floods it to all ports in the VLAN where the spanning tree change occurred When an upstream multicast router receives this solicitation it will also immedia...

Page 1233: ...command specifies how often the upstream interface should transmit unsolicited IGMP reports when proxy reporting is enabled Use the no form to restore the default value SYNTAX ip igmp snooping unsolic...

Page 1234: ...and versions 2 and 3 are backward compatible so the switch can operate with other devices regardless of the snooping version employed If the IGMP snooping version is configured on a VLAN this setting...

Page 1235: ...ooping vlan general query suppression This command suppresses general queries except for ports attached to downstream multicast hosts Use the no form to flood general queries to all ports except for t...

Page 1236: ...ssage is received The router querier stops forwarding traffic for that group only if no host replies to the query within the time out period The time out for this release is currently defined by Last...

Page 1237: ...ere are no more group members Range 1 255 DEFAULT SETTING 2 COMMAND MODE Global Configuration COMMAND USAGE This command will take effect only if IGMP snooping proxy reporting or IGMP querier is enabl...

Page 1238: ...lan id VLAN ID Range 1 4094 DEFAULT SETTING Disabled COMMAND MODE Global Configuration COMMAND USAGE Multicast Router Discovery MRD uses multicast router advertisement multicast router solicitation an...

Page 1239: ...proxy address source address vlan id VLAN ID Range 1 4094 source address The source address used for proxied IGMP query and report and leave messages Any valid IP unicast address DEFAULT SETTING 0 0 0...

Page 1240: ...e address of the last IGMP message received from a downstream host in report and leave messages sent upstream from the multicast router port EXAMPLE The following example sets the source address for p...

Page 1241: ...queries Use the no form to restore the default SYNTAX ip igmp snooping vlan vlan id query resp intvl interval no ip igmp snooping vlan vlan id query resp intvl vlan id VLAN ID Range 1 4094 interval T...

Page 1242: ...SAGE Static multicast entries are never aged out When a multicast entry is assigned to an interface in a specific VLAN the corresponding traffic can only be forwarded to ports within that VLAN EXAMPLE...

Page 1243: ...port channel channel id Range 1 16 vlan vlan id VLAN identifier Range 1 4094 COMMAND MODE Privileged Exec EXAMPLE Console clear ip igmp snooping statistics Console show ip igmp snooping This command...

Page 1244: ...eave Disabled Last Member Query Interval 10 unit 1 10s Last Member Query Count 2 General Query Suppression Disabled Query Interval 125 Query Response Interval 100 unit 1 10s Proxy Query Address 0 0 0...

Page 1245: ...ag R Router port M Group member port H Host counts number of hosts join the group on this port P Port counts number of ports join the group Up time Group elapsed time d h m s Expire Group remaining ti...

Page 1246: ...SYNTAX show ip igmp snooping statistics input interface interface output interface interface query vlan vlan id interface ethernet unit port unit Unit identifier Range 1 port Port number Range 1 28 52...

Page 1247: ...p The number of times a report leave or query was dropped Packets may be dropped due to invalid format rate limiting or packet content not allowed Join Succ The number of times a multicast group was s...

Page 1248: ...terface Self Querier Expire Time after which local querier is assumed to have expired Self Querier Uptime Time local querier has been up General Query Received The number of general queries received o...

Page 1249: ...AULT SETTING No static multicast router ports are configured COMMAND MODE Global Configuration COMMAND USAGE Depending on your network connections IGMP snooping may not always be able to locate the IG...

Page 1250: ...P filter profile configuration mode GC permit deny Sets a profile access mode to permit or deny IPC range Specifies one or a range of multicast addresses for a profile IPC ip igmp authentication Enabl...

Page 1251: ...eived on the port are checked against the filter profile If a requested multicast group is permitted the IGMP join report is forwarded as normal If a requested multicast group is denied the IGMP join...

Page 1252: ...IGMP Profile Configuration COMMAND USAGE Each profile has only one access mode either permit or deny When the access mode is set to permit IGMP join reports are processed when a multicast group falls...

Page 1253: ...n Ethernet Port Channel COMMAND USAGE If IGMP authentication is enabled on an interface and a join report is received on the interface the switch will send an access request to the RADIUS server to pe...

Page 1254: ...to EXCLUDE filter mode for the specified multicast address The Source Address fields in this Group Record contain the interface s new source list for the specified multicast address if not empty When...

Page 1255: ...rface A profile can also be assigned to a trunk interface When ports are configured as trunk members the trunk uses the filtering profile assigned to the first port member in the trunk EXAMPLE Console...

Page 1256: ...x groups 10 Console config if ip igmp max groups action This command sets the IGMP throttling action for an interface on the switch SYNTAX ip igmp max groups action deny replace deny The new multicast...

Page 1257: ...Querier this prevents it from being affected by messages received from another Querier EXAMPLE Console config interface ethernet 1 1 Console config if ip igmp query drop vlan 2 Console config if ip mu...

Page 1258: ...AND MODE Privileged Exec COMMAND USAGE Using this command without specifying an interface displays information for all interfaces EXAMPLE Console show ip igmp authentication Ethernet 1 1 Enabled Ether...

Page 1259: ...1 1 Range 239 2 3 1 239 2 3 100 Console show ip igmp profile This command displays IGMP filtering profiles created on the switch SYNTAX show ip igmp profile profile number profile number An existing I...

Page 1260: ...6 DEFAULT SETTING None COMMAND MODE Privileged Exec COMMAND USAGE Using this command without specifying an interface displays all interfaces EXAMPLE Console show ip igmp query drop interface ethernet...

Page 1261: ...Console show ip multicast data drop This command shows if the specified interface is configured to drop multicast data packets SYNTAX show ip igmp throttle interface interface interface ethernet unit...

Page 1262: ...s without source list Table 171 MLD Snooping Commands Command Function Mode ipv6 mld snooping Enables MLD Snooping globally GC ipv6 mld snooping querier Allows the switch to act as the querier for MLD...

Page 1263: ...the no form to disable this feature SYNTAX no ipv6 mld snooping querier DEFAULT SETTING Disabled COMMAND MODE Global Configuration COMMAND USAGE If enabled the switch will serve as querier if elected...

Page 1264: ...gures the interval between sending MLD general queries Use the no form to restore the default SYNTAX ipv6 mld snooping query interval interval no ipv6 mld snooping query interval interval The interval...

Page 1265: ...d to an MLD Query message before the switch deletes the group if it is the last member EXAMPLE Console config ipv6 mld snooping query max response time seconds 15 Console config ipv6 mld snooping robu...

Page 1266: ...The router port expire time is the time the switch waits after the previous querier stops before it considers the router port i e the interface that had been receiving query packets to have expired E...

Page 1267: ...ipv6 mld snooping version This command configures the MLD snooping version Use the no form to restore the default SYNTAX ipv6 mld snooping version 1 2 1 MLD version 1 2 MLD version 2 DEFAULT SETTING...

Page 1268: ...le MLD immediate leave Console config interface vlan 1 Console config if ipv6 mld snooping immediate leave Console config if ipv6 mld snooping vlan mrouter This command statically configures an IPv6 m...

Page 1269: ...v6 address interface vlan VLAN ID Range 1 4094 ipv6 address An IPv6 address of a multicast group Format X X X X X interface ethernet unit port unit Stack unit Range 1 port Port number Range 1 28 52 po...

Page 1270: ...ce ethernet unit port unit Unit identifier Range 1 port Port number Range 1 28 52 port channel channel id Range 1 16 vlan vlan id VLAN identifier Range 1 4094 COMMAND MODE Privileged Exec EXAMPLE Cons...

Page 1271: ...IPv6 Address Member port Type 1 FF02 01 01 01 01 Eth 1 1 MLD Snooping 1 FF02 01 01 01 02 Eth 1 1 Multicast Data 1 FF02 01 01 01 02 Eth 1 1 User Console show ipv6 mld snooping group source list This co...

Page 1272: ...pe Expire 1 Eth 1 2 Static Console MLD FILTERING AND THROTTLING In certain switch applications the administrator may want to control the multicast services that are available to end users For example...

Page 1273: ...ltering and throttling only applies to dynamically learned multicast groups it does not apply to statically configured groups The MLD filtering feature operates in the same manner when MVR is used to...

Page 1274: ...USAGE A profile defines the multicast groups that a subscriber is permitted or denied to join The same profile can be applied to many interfaces but only one profile can be assigned to one interface E...

Page 1275: ...e low ipv6 address high ipv6 address low ipv6 address A valid IPv6 address X X X X X of a multicast group or start of a group range high ipv6 address A valid IPv6 address X X X X X for the end of a mu...

Page 1276: ...hat an interface can join Use the no form restore the default setting SYNTAX ipv6 mld max groups number no ipv6 mld max groups number The maximum number of multicast groups an interface can join at th...

Page 1277: ...deny The new multicast group join report is dropped replace The new multicast group replaces an existing group DEFAULT SETTING Deny COMMAND MODE Interface Configuration Ethernet COMMAND USAGE When th...

Page 1278: ...ulticast data drop Use this command to enable multicast data guard mode on a port interface Use the no form of the command to disable multicast data guard SYNTAX no ipv6 multicast data drop DEFAULT SE...

Page 1279: ...e ff05 101 ff05 103 Console show ipv6 mld profile This command displays MLD filtering profiles created on the switch SYNTAX show ipv6 mld profile profile number profile number An existing MLD filter p...

Page 1280: ...DEFAULT SETTING None COMMAND MODE Privileged Exec COMMAND USAGE Using this command without specifying an interface displays all interfaces EXAMPLE Console show ipv6 mld query drop interface ethernet...

Page 1281: ...hich the subscribers belong Table 173 Multicast VLAN Registration for IPv4 Commands Command Function Mode mvr Globally enables MVR GC mvr associated profile Binds the MVR group addresses specified in...

Page 1282: ...oup Statically binds a multicast group to a port IC clear mrv groups dynamic Clears multicast group information dynamically learned through MVR PE clear mrv statistics Clears MRV statistics PE show mv...

Page 1283: ...iguration EXAMPLE The following an MVR group address profile to domain 1 Console config mvr domain 1 associated profile rd Console config RELATED COMMANDS mvr profile 1284 mvr domain This command enab...

Page 1284: ...This command can be used to set a high priority for low latency multicast traffic such as a video conference or to set a low priority for normal multicast traffic not sensitive to latency EXAMPLE Con...

Page 1285: ...streams received in excess of this limitation will be flooded to all ports in the associated domain EXAMPLE The following example maps a range of MVR group addresses to a profile Console config mvr p...

Page 1286: ...ownstream or router interfaces These interfaces perform the standard MVR router functions by maintaining a database of all MVR subscriptions on the downstream interface Receiver ports must therefore b...

Page 1287: ...e default setting SYNTAX mvr robustness value value no mvr robustness value value The robustness used for all interfaces Range 1 255 DEFAULT SETTING 2 COMMAND MODE Global Configuration COMMAND USAGE T...

Page 1288: ...switch only forwards multicast streams which the source port has dynamically joined In other words both the receiver port and source port must subscribe to a multicast group before a multicast stream...

Page 1289: ...is also the VLAN to which all source ports must be assigned Range 1 4094 DEFAULT SETTING VLAN 1 COMMAND MODE Global Configuration COMMAND USAGE This command specifies the VLAN through which MVR multic...

Page 1290: ...g for a response to determine if there are any remaining subscribers for that multicast group before removing the port from the group list If the by host ip option is used the router querier will not...

Page 1291: ...MVR VLAN IGMP snooping can also be used to allow a receiver port to dynamically join or leave multicast groups not sourced through the MVR VLAN Also note that VLAN membership for MVR receiver ports c...

Page 1292: ...receiver port is a member of any configured multicast group COMMAND MODE Interface Configuration Ethernet Port Channel COMMAND USAGE Multicast groups can be statically assigned to a receiver port usi...

Page 1293: ...s This command clears MRV statistics SYNTAX clear mrv statistics interface interface interface ethernet unit port unit Unit identifier Range 1 port Port number Range 1 28 52 port channel channel id Ra...

Page 1294: ...proxy switching is enabled MVR Robustness Value Shows the number of reports or query messages sent when proxy switching is enabled MVR Proxy Query Interval The interval at which the receiver port sen...

Page 1295: ...8 1 23 10 testing 228 2 23 1 228 2 23 10 Console show mvr interface This command shows MVR configuration settings for interfaces attached to the MVR VLAN SYNTAX show mvr domain domain id interface dom...

Page 1296: ...eated by IGMP protocol sort by port The multicast groups associated with an interface interface ethernet unit port unit Unit identifier Range 1 port Port number Range 1 28 52 port channel channel id R...

Page 1297: ...rt Up time Expire Count 234 5 6 7 1 00 00 09 17 2 P 1 Eth 1 1 S 2 Eth 1 2 R Console The following example shows detailed information about a specific multicast address Console show mvr domain 1 member...

Page 1298: ...put interface interface output interface interface query summary interface interface mvr vlan domain id An independent multicast domain Range 1 5 interface ethernet unit port unit Unit identifier Rang...

Page 1299: ...0 1 0 Eth 1 2 5 1 4 1 DVLAN 1 7 2 3 0 MVLAN 1 7 2 3 0 Console Table 177 show mvr statistics input display description Field Description Interface Shows interfaces attached to the MVR Report The numbe...

Page 1300: ...ace G S S Query The number of group specific or group and source specific query messages sent from this interface Table 179 show mvr statistics query display description Field Description Other Querie...

Page 1301: ...of Groups Number of groups learned on this port Querier Transmit General Number of general queries transmitted Group Specific Number of group specific queries transmitted Received General Number of ge...

Page 1302: ...erface mvr vlan description Field Description Domain An independent multicast domain Number of Groups Number of groups learned on this port Querier Other Querier Other IGMP querier s IP address Other...

Page 1303: ...p Number of report leave messages dropped by MVR source port Others Drop Number of report leave messages dropped for other reasons Table 181 show mvr statistics summary interface mvr vlan description...

Page 1304: ...igures an interface as an MVR receiver or source port IC mvr6 vlan group Statically binds a multicast group to a port IC clear mvr6 groups dynamic Clears multicast group information dynamically learne...

Page 1305: ...en MVR6 is enabled on a domain any multicast data associated with an MVR6 group is sent from all designated source ports to all receiver ports that have registered to receive data from that multicast...

Page 1306: ...s bits end ip address Ending IPv6 address for an MVR multicast group This parameter must be a full IPv6 address including the network prefix and host address bits DEFAULT SETTING No profiles are defin...

Page 1307: ...val interval The interval at which the receiver port sends out general queries Range 2 31744 seconds DEFAULT SETTING 125 seconds COMMAND MODE Global Configuration COMMAND USAGE This command sets the g...

Page 1308: ...re MVR proxy service When the source port receives report and leave messages it only forwards them to other source ports When receiver ports receive any query messages they are dropped When changes oc...

Page 1309: ...umber of times group specific queries are sent to downstream receiver ports This command only takes effect when MVR6 proxy switching is enabled EXAMPLE Console config mvr6 robustness value 5 Console c...

Page 1310: ...to all MVR control packets sent upstream on the specified domain Use the no form to restore the default setting SYNTAX mvr6 domain domain id upstream source ip source ip address no mvr6 domain domain...

Page 1311: ...of the MVR VLAN using the switchport allowed vlan command and switchport native vlan command but MVR receiver ports should not be statically configured as members of this VLAN EXAMPLE The following ex...

Page 1312: ...deleted Using immediate leave can speed up leave latency but should only be enabled on a port attached to only one multicast subscriber to avoid disrupting services to other group members attached to...

Page 1313: ...as joined through the MVR6 protocol or which have been assigned through the mvr6 vlan group command All source ports must belong to the MVR6 VLAN Subscribers should not be directly connected to source...

Page 1314: ...IPv6 Addressing Architecture using 8 colon separated 16 bit hexadecimal values One double colon may be used in the address to indicate the appropriate number of zeros required to fill the undefined f...

Page 1315: ...E If the interface option is not used then all MVR6 statistics are cleared Otherwise using the interface option will only clear the MVR6 statistics of the specified interface EXAMPLE The following sho...

Page 1316: ...ast traffic forwarded into the MVR6 VLAN MVR6 Proxy Switching Shows if MVR proxy switching is enabled MVR6 Robustness Value Shows the number of reports or query messages sent when proxy switching is e...

Page 1317: ...ivileged Exec EXAMPLE The following displays information about the interfaces attached to the MVR6 VLAN in domain 1 Console show mvr6 domain 1 interface MVR6 Domain 1 Port Type Status Immediate Leave...

Page 1318: ...lowing shows information about the number of multicast forwarding entries currently active in domain 1 Console show mvr6 domain 1 members MVR6 Domain 1 MVR6 Forwarding Entry Count 1 Flag S Source port...

Page 1319: ...f05 101 2 00 00 03 18 2 P 2 Eth1 2 S 1 Eth1 4 R 0 H Console show mvr6 profile This command shows all configured MVR profiles COMMAND MODE Privileged Exec EXAMPLE The following shows all configured MVR...

Page 1320: ...r all domains COMMAND MODE Privileged Exec EXAMPLE The following shows MVR6 protocol related statistics received Console show mvr6 domain 1 statistics input MVR6 Domain 1 MVR6 VLAN 2 Input Statistics...

Page 1321: ...ved 0 Specific Query Sent 0 Console Drop The number of times a report leave or query was dropped Packets may be dropped due to invalid format rate limiting packet content not allowed or MVR group repo...

Page 1322: ...this querier is assumed to have expired Self Querier Address This querier s IPv6 address Self Querier Uptime This querier s time up Self Querier Expire Time This querier s expire time General Query R...

Page 1323: ...d Function Mode lldp Enables LLDP globally on the switch GC lldp holdtime multiplier Configures the time to live TTL value sent in LLDP advertisements GC lldp med fast start count Configures how many...

Page 1324: ...sion of SNMP trap notifications about LLDP MED changes IC lldp med tlv ext poe2 Configures an LLDP MED enabled port to advertise its extended Power over Ethernet configuration and usage information IC...

Page 1325: ...e default setting SYNTAX lldp holdtime multiplier value no lldp holdtime multiplier value Calculates the TTL in seconds based on the following rule minimum of Transmission Interval Holdtime Multiplier...

Page 1326: ...the port LLDP MED Fast Start is critical to the timely startup of LLDP and therefore integral to the rapid availability of Emergency Call Service EXAMPLE Console config lldp med fast start count 6 Con...

Page 1327: ...e periodic transmit interval for LLDP advertisements Use the no form to restore the default setting SYNTAX lldp refresh interval seconds no lldp refresh delay seconds Specifies the periodic interval a...

Page 1328: ...se the no form to restore the default setting SYNTAX lldp tx delay seconds no lldp tx delay seconds Specifies the transmit delay Range 1 8192 seconds DEFAULT SETTING 2 seconds COMMAND MODE Global Conf...

Page 1329: ...figures an LLDP enabled port to advertise the management address for this device Use the no form to disable this feature SYNTAX no lldp basic tlv management ip address DEFAULT SETTING Enabled COMMAND...

Page 1330: ...nt address reported by this TLV EXAMPLE Console config interface ethernet 1 1 Console config if lldp basic tlv management ip address Console config if lldp basic tlv port description This command conf...

Page 1331: ...LE Console config interface ethernet 1 1 Console config if lldp basic tlv system capabilities Console config if lldp basic tlv system description This command configures an LLDP enabled port to advert...

Page 1332: ...and is in turn based on the hostname command EXAMPLE Console config interface ethernet 1 1 Console config if lldp basic tlv system name Console config if lldp dot1 tlv proto ident This command configu...

Page 1333: ...age 1178 EXAMPLE Console config interface ethernet 1 1 Console config if no lldp dot1 tlv proto vid Console config if lldp dot1 tlv pvid This command configures an LLDP enabled port to advertise its d...

Page 1334: ...E Console config interface ethernet 1 1 Console config if no lldp dot1 tlv vlan name Console config if lldp dot3 tlv link agg This command configures an LLDP enabled port to advertise link aggregation...

Page 1335: ...and operational Multistation Access Unit MAU type EXAMPLE Console config interface ethernet 1 1 Console config if no lldp dot3 tlv mac phy Console config if lldp dot3 tlv max frame This command confi...

Page 1336: ...EXAMPLE Console config interface ethernet 1 1 Console config if lldp dot3 tlv poe Console config if lldp med location civic addr This command configures an LLDP MED enabled port to advertise its loca...

Page 1337: ...ation as long as the total does not exceed 250 characters For the location options defined for device type normally option 2 is used to specify the location of the client device In situations where th...

Page 1338: ...cations about LLDP MED changes Use the no form to disable LLDP MED notifications SYNTAX no lldp med notification DEFAULT SETTING Disabled COMMAND MODE Interface Configuration Ethernet Port Channel COM...

Page 1339: ...or backup power the Endpoint Device could use this information to decide to enter power conservation mode Note that this device does not support PoE capabilities This command only applies to the ES41...

Page 1340: ...This option advertises location identification details EXAMPLE Console config interface ethernet 1 1 Console config if lldp med tlv location Console config if lldp med tlv med cap This command configu...

Page 1341: ...network policy configurations frequently result in voice quality degradation or complete service disruption EXAMPLE Console config interface ethernet 1 1 Console config if lldp med tlv network policy...

Page 1342: ...sole config if show lldp config This command shows LLDP configuration settings for all ports SYNTAX show lldp config detail interface detail Shows configuration summary interface ethernet unit port un...

Page 1343: ...g max frame MED Notification Status Enabled MED Enabled TLVs Advertised med cap network policy location ext poe inventory MED Location Identification Location Data Format Civic Address LCI Country Nam...

Page 1344: ...00 1A 7E AC 2B 16 Ethernet Port on unit 1 port 4 Console show lldp info local device detail ethernet 1 1 LLDP Local Port Information Detail Port Eth 1 1 Port ID Type MAC Address Port ID B4 0E DC 34 96...

Page 1345: ...C 0A 81 B7 C7 E1 Time To Live 120 seconds Port Description Ethernet Port on unit 1 port 1 System Description ECS3510 28P System Capabilities Bridge Enabled Capabilities Bridge Management Address 192 1...

Page 1346: ...switch show lldp info statistics LLDP Global Statistics Neighbor Entries List Last Updated 49 seconds New Neighbor Entries Count 4 Neighbor Entries Deleted Count 0 Neighbor Entries Dropped Count 0 Ne...

Page 1347: ...s Fault notification is also provided by SNMP alarms which are automatically generated by maintenance points when connectivity faults or configuration errors are detected in the local maintenance doma...

Page 1348: ...enance association GC snmp server enable traps ethernet cfm cc Enables SNMP traps for CFM continuity check events GC mep archive hold time Sets the time that data from a missing MEP is kept in the con...

Page 1349: ...net cfm linktrace cache size Sets the maximum size for the link trace cache GC ethernet cfm linktrace Sends CFM link trace messages to the MAC address for a MEP PE clear ethernet cfm linktrace cache C...

Page 1350: ...events discovered by continuity check messages page 1369 or cross check messages page 1373 Defining CFM Structures ethernet cfm ais level This command configures the maintenance level at which Alarm...

Page 1351: ...43 alphanumeric characters DEFAULT SETTING Enabled COMMAND MODE Global Configuration COMMAND USAGE Each MA name must be unique within the CFM domain Frames with AIS information can be issued at the cl...

Page 1352: ...numeric characters DEFAULT SETTING 1 second COMMAND MODE Global Configuration EXAMPLE This example sets the interval for sending frames with AIS information at 60 seconds Console config ethernet cfm a...

Page 1353: ...P resumes loss of continuity alarm generation upon detecting loss of continuity defect conditions in the absence of AIS messages EXAMPLE This example suppresses sending frames with AIS information Con...

Page 1354: ...n between the domain service access points DSAPs within each MA defined for a domain and are manually configured using the ethernet cfm mep command In contrast MIPs are interconnection points that mak...

Page 1355: ...main index 1 name voip level 3 mip creation explicit Console config ether cfm RELATED COMMANDS ma index name 1356 ethernet cfm enable This command enables CFM processing globally on the switch Use the...

Page 1356: ...a maintenance end point MEP is created at some lower MA Level none No MIP can be created for this MA DEFAULT SETTING 10 seconds COMMAND MODE CFM Domain Configuration COMMAND USAGE The maintenance doma...

Page 1357: ...d or ITU T SG13 SG15 Y 1731 defined ICC based format Use the no form to restore the default setting SYNTAX ma index index name format character string icc based no ma index index name format index MA...

Page 1358: ...d then the MEP is facing away from the switch and transmits CFM messages towards and receives them from the direction of the physical medium DEFAULT SETTING No MEPs are configured The MEP faces outwar...

Page 1359: ...ed on that interface When CFM is disabled hardware resources previously used for CFM processing on that interface are released and all CFM frames entering that interface are forwarded as normal data t...

Page 1360: ...aps interface interface global Displays global settings including CFM global status cross check start delay and link trace parameters traps Displays the status of all continuity check and cross check...

Page 1361: ...remote MEP which as an expired entry in the archived database CC Mep Down Trap Sends a trap if this device loses connectivity with a remote MEP or connectivity has been restored to a remote MEP which...

Page 1362: ...ion Archive Hold Time m 1 rd 0 default 100 Console show ethernet cfm ma This command displays the configured maintenance associations SYNTAX show ethernet cfm ma level level level Maintenance level Ra...

Page 1363: ...umber Range 1 28 52 port channel channel id Range 1 16 level id Maintenance level for this domain Range 0 7 DEFAULT SETTING None COMMAND MODE Privileged Exec COMMAND USAGE Use the mep keyword with thi...

Page 1364: ...Range 1 port Port number Range 1 28 52 port channel channel id Range 1 16 level id Maintenance level for this domain Range 0 7 DEFAULT SETTING None COMMAND MODE Privileged Exec EXAMPLE This example sh...

Page 1365: ...vel Maintenance level of the local maintenance point Direction The direction in which the MEP faces on the Bridge port up or down Interface The port to which this MEP is attached CC Status Shows if th...

Page 1366: ...Port State Up Interface State Up Crosscheck Status Enabled Console Table 194 show ethernet cfm maintenance points remote detail display Field Description MAC Address MAC address of the remote maintena...

Page 1367: ...vity failures in an MA If any MEP fails to receive three consecutive CCMs from any other MEPs in its MA a connectivity failure Port State Port states include Up The port is functioning normally Blocke...

Page 1368: ...ission of continuity check messages CCMs within a specified maintenance association Use the no form to disable the transmission of these messages SYNTAX no ethernet cfm cc enable md domain name ma ma...

Page 1369: ...CCM with the same MPID as its own but with a different source MAC address indicating that a CFM configuration error exists loop Sends a trap if this device receives a CCM with the same source MAC addr...

Page 1370: ...MEP Range 1 65535 minutes DEFAULT SETTING 100 minutes COMMAND MODE CFM Domain Configuration COMMAND USAGE A change to the hold time only applies to entries stored in the database after this command i...

Page 1371: ...t cfm errors This command clears continuity check errors logged for the specified maintenance domain or maintenance level SYNTAX clear ethernet cfm errors domain domain name level level id domain name...

Page 1372: ...r more of the VIDs in this MA can pass through the bridge port no MEP is configured facing outward down on any bridge port for this MA and some other MA y at a higher maintenance level and associated...

Page 1373: ...he MEPs learned through CCMs The cross check start delay should be configured to a value greater than or equal to the continuity check message interval to avoid generating unnecessary traps EXAMPLE Th...

Page 1374: ...emote MEP that is not configured in the static list A ma up trap is sent if cross checking is enabled and a CCM is received from all remote MEPs configured in the static list for this maintenance asso...

Page 1375: ...x 1 name rd vlan 1 Console config ether cfm mep crosscheck mpid 2 ma rd Console config ether cfm ethernet cfm mep crosscheck This command enables cross checking between the static list of MEPs assigne...

Page 1376: ...rnet cfm maintenance points remote crosscheck domain domain name mpid mpid domain name Domain name Range 1 43 alphanumeric characters mpid Maintenance end point identifier Range 1 8191 DEFAULT SETTING...

Page 1377: ...rom each MIP along the path and from the target MEP Information stored in the cache includes the maintenance domain name MA name MEPID sequence number and TTL value EXAMPLE This example enables link t...

Page 1378: ...cache Range 1 4095 entries DEFAULT SETTING 100 entries COMMAND MODE Global Configuration COMMAND USAGE Before setting the cache size the cache must first be enabled with the ethernet cfm linktrace ca...

Page 1379: ...ps DEFAULT SETTING None COMMAND MODE Privileged Exec COMMAND USAGE Link trace messages can be targeted to MEPs not MIPs Before sending a link trace message be sure you have configured the target MEP f...

Page 1380: ...ethernet cfm linktrace cache This command displays the contents of the link trace cache COMMAND MODE Privileged Exec EXAMPLE Console show ethernet cfm linktrace cache Hops MA IP Alias Ingress MAC Ing...

Page 1381: ...operationally Down MEP that has another Down MEP at a higher MD level on the same bridge port that is causing the bridge port s MAC_Operational parameter to be false IngBlocked The ingress port can b...

Page 1382: ...matic detection of a fault or receipt of some other error report Loopback messages can also used to confirm the successful restoration or initiation of connectivity The receiving maintenance point sho...

Page 1383: ...setting SYNTAX mep fault notify lowest priority priority no fault notify lowest priority priority Lowest priority default allowed to generate a fault alarm Range 1 6 DEFAULT SETTING Priority level 2...

Page 1384: ...Def All defects 2 macRemErrXcon DefMACstatus DefRemoteCCM DefErrorCCM or DefXconCCM 3 remErrXcon DefErrorCCM DefXconCCM or DefRemoteCCM 4 errXcon DefErrorCCM or DefXconCCM 5 xcon DefXconCCM 6 noXcon N...

Page 1385: ...example sets the reset time after which another fault alarm can be generated Console config ethernet cfm domain index 1 name voip level 3 Console config ether cfm mep fault notify reset time 7 Consol...

Page 1386: ...association name Range 1 43 alphanumeric characters count The number of times to retry sending the message if no response is received before the specified timeout Range 1 5 interval The transmission...

Page 1387: ...P responds with a frame with DM reply information with TxTimeStampf copied from the DM request information RxTimeStampf Timestamp at the time of receiving a frame with DM request information and TxTim...

Page 1388: ...CHAPTER 42 CFM Commands Delay Measure Operations 1388...

Page 1389: ...nitor period for errored frame link events IC efm oam mode Sets the OAM operational mode to active or passive IC clear efm oam counters Clears statistical counters for various OAMPDU message types PE...

Page 1390: ...ace ethernet 1 1 Console config if efm oam Console config if efm oam critical link event This command enables reporting of critical event or dying gasp Use the no form to disable this function SYNTAX...

Page 1391: ...itical link event dying gasp Console config if efm oam link monitor frame This command enables reporting of errored frame link events Use the no form to disable this function SYNTAX no efm oam link mo...

Page 1392: ...LV includes the number of errored frames detected during the specified period EXAMPLE Console config interface ethernet 1 1 Console config if efm oam link monitor frame threshold 5 Console config if e...

Page 1393: ...sets the OAM mode on the specified port Use the no form to restore the default setting SYNTAX efm oam mode active passive no efm oam mode active All OAM functions are enabled passive All OAM functions...

Page 1394: ...ports Range 1 28 52 COMMAND MODE Privileged Exec EXAMPLE Console clear efm oam counters Console RELATED COMMANDS show efm oam counters interface 1397 clear efm oam event log This command clears all e...

Page 1395: ...d to start OAM remote loop back test mode on the specified port Afterwards use the efm oam remote loopback test command page 1396 to start sending test packets Then use the efm oam remote loopback sto...

Page 1396: ...command to perform an OAM remote loopback test on the specified port The port that you specify to run this test must be connected to a peer OAM device capable of entering into OAM remote loopback mod...

Page 1397: ...ification 0 0 1 1 Loopback Control 1 0 1 1 Organization Specific 76 0 Console show efm oam event log interface This command displays the OAM event log for the specified port s or for all ports that ha...

Page 1398: ...nsole clear efm oam event log Use he clear efm oam event log command to clear the event log Console show efm oam event log interface 1 1 Console This command can show OAM dying gasp changes for link p...

Page 1399: ...9 0 01 Console show efm oam status interface This command displays OAM configuration settings and event counters SYNTAX show efm oam status interface interface list brief interface unit port unit Unit...

Page 1400: ...nformation about attached OAM enabled devices SYNTAX show efm oam status remote interface interface list interface list unit port unit Unit identifier Range 1 port Port number or list of ports To ente...

Page 1401: ...ame Name of the host Do not include the initial dot that separates the host name from the domain name Range 1 68 characters DEFAULT SETTING None Table 201 Address Table Commands Command Function Mode...

Page 1402: ...the default domain name is not used EXAMPLE This example adds two domain names to the current list and then displays the list Console config ip domain list sample com jp Console config ip domain list...

Page 1403: ...03 ip name server 1405 ip domain name This command defines the default domain name appended to incomplete host names i e host names passed from a client that are not formatted with dotted notation Use...

Page 1404: ...ip host name address name Name of an IPv4 host Range 1 100 characters address Corresponding IPv4 address DEFAULT SETTING No static entries COMMAND MODE Global Configuration COMMAND USAGE Use the no ip...

Page 1405: ...main name servers DEFAULT SETTING None COMMAND MODE Global Configuration COMMAND USAGE The listed name servers are queried in the specified sequence until a response is received or the end of the list...

Page 1406: ...values One double colon may be used in the address to indicate the appropriate number of zeros required to fill the undefined fields DEFAULT SETTING No static entries COMMAND MODE Global Configuration...

Page 1407: ...r host command to clear dynamic entries or the no ip host command to clear static entries EXAMPLE This example clears all dynamic entries from the DNS table Console config clear host Console config sh...

Page 1408: ...nsole show hosts No Flag Type IP Address TTL Domain 0 2 Address 192 168 1 55 rd5 1 2 Address 2001 DB8 1 12 rd6 3 4 Address 209 131 36 158 65 www real wa1 b yahoo com 4 4 CNAME POINTER TO 3 65 www yaho...

Page 1409: ...stored in the cache Type This field includes Address which specifies the primary name for the owner and CNAME which specifies multiple domain names or aliases which are mapped to the same IP address a...

Page 1410: ...CHAPTER 44 Domain Name Service Commands 1410...

Page 1411: ...and Group Function DHCP Client Allows interfaces to dynamically acquire IP address information DHCP Relay Relays DHCP requests from local hosts to a remote DHCP server Table 205 DHCP Client Commands C...

Page 1412: ...2132 Option 60 This information is used to convey configuration settings or other identification information about a client but the specific string to use should be supplied by your service provider...

Page 1413: ...client This command submits a BOOTP or DHCP client request DEFAULT SETTING None COMMAND MODE Privileged Exec COMMAND USAGE This command issues a BOOTP or DHCP client request for any IP interface that...

Page 1414: ...pecified interface Use the no form to disable this option SYNTAX no ipv6 dhcp client rapid commit vlan vlan id vlan id VLAN ID specified as a single number a range of consecutive numbers separated by...

Page 1415: ...configuration flag set the switch may also attempt to acquire other non address configuration information such as a default gateway or DNS server when DHCPv6 is restarted Prior to submitting a client...

Page 1416: ...commit vlan command and on the DHCPv6 server message exchange can be reduced from the normal four step process to a two step exchange of only solicit and reply messages EXAMPLE The following command...

Page 1417: ...F FEF9 A494 DUID 0001 0001 48CFB0D5 F48F2A006801 Server address FE80 250 FCFF FEF9 A405 DUID 0001 0001 38CF5AB0 F48F2A003917 Console DHCP RELAY This section describes commands used to the switch to re...

Page 1418: ...IP address for at least one DHCP server Otherwise the switch s DHCP relay agent will not forward client requests to a DHCP server Up to five DHCP servers can be specified in order of preference If any...

Page 1419: ...client s subnet and sends a DHCP response back to the DHCP relay agent i e this switch This switch then broadcasts the DHCP response received from the server to the client EXAMPLE In the following ex...

Page 1420: ...CHAPTER 45 DHCP Commands DHCP Relay 1420...

Page 1421: ...must manually configure a new address to manage the switch over your network or to connect the switch to existing IP subnets You may also need to a establish a default gateway between this device and...

Page 1422: ...efault gateway Refer to the ip default gateway command which provides the same function bootp Obtains IP address from BOOTP dhcp Obtains IP address from DHCP DEFAULT SETTING DHCP COMMAND MODE Interfac...

Page 1423: ...s In other words secondary addresses need to be specified if more than one IP subnet can be accessed through this interface Note that a secondary address cannot be configured prior to setting the prim...

Page 1424: ...is established COMMAND MODE Global Configuration COMMAND USAGE The default gateway can also be defined using the following Global configuration command ip route 0 0 0 0 0 0 0 0 gateway address Static...

Page 1425: ...VLAN 1 is Administrative Up Link Up Address is 70 72 CF 94 22 34 Index 1001 MTU 1500 Address Mode is DHCP IP Address 192 168 0 5 Mask 255 255 255 0 Proxy ARP is disabled DHCP relay server 0 0 0 0 Con...

Page 1426: ...ress mask request messages address mask reply messages ICMP sent output errors destination unreachable messages time exceeded messages parameter problem message echo request messages echo reply messag...

Page 1427: ...e timer goes off before a response is returned the trace function prints a series of asterisks and the Request Timed Out message A long sequence of these messages terminating only when the maximum tim...

Page 1428: ...ination unreachable The gateway for this destination indicates that the destination is unreachable Network or host unreachable The gateway found no corresponding entry in the route table When pinging...

Page 1429: ...ontrol addresses This cache includes entries for hosts and other routers on local network interfaces defined on this router The maximum number of static entries allowed in the ARP cache is 128 You may...

Page 1430: ...rk These nodes must therefore use a smaller subnet mask than that used by the router or other relevant network devices Extensive use of Proxy ARP can degrade router performance because it may lead to...

Page 1431: ...ach cache entry including the IP address MAC address type static dynamic other and VLAN interface Note that entry type other indicates local addresses for this router EXAMPLE This example displays all...

Page 1432: ...ateway Displays the current IPv6 default gateway NE PE show ipv6 interface Displays the usability and configured settings for IPv6 interfaces NE PE show ipv6 mtu Displays maximum transmission unit MTU...

Page 1433: ...e colon may be used in the address to indicate the appropriate number of zeros required to fill the undefined fields The same link local address may be used by different interfaces nodes in different...

Page 1434: ...ress to indicate the appropriate number of zeros required to fill the undefined fields To connect to a larger network with multiple subnets you must configure a global unicast address This address can...

Page 1435: ...tion is based on the modified EUI 64 form of the interface identifier i e the switch s MAC address Use the no form to remove the address generated by this command SYNTAX no ipv6 address autoconfig DEF...

Page 1436: ...t interval is 1000 milliseconds ND advertised retransmit interval is 0 milliseconds ND reachable time is 30000 milliseconds ND advertised reachable time is 0 milliseconds ND advertised router lifetime...

Page 1437: ...precedence over the interface identifier If a duplicate address is detected a warning message is sent to the console IPv6 addresses are 16 bytes long of which the bottom 8 bytes typically form a uniq...

Page 1438: ...nds ND reachable time is 30000 milliseconds ND advertised reachable time is 0 milliseconds ND advertised router lifetime is 1800 seconds Console RELATED COMMANDS ipv6 address autoconfig 1435 show ipv6...

Page 1439: ...config interface vlan 1 Console config if ipv6 address FE80 269 3EF9 FE19 6779 link local Console config if end Console show ipv6 interface VLAN 1 is up IPv6 is enabled Link local address fe80 269 3e...

Page 1440: ...IPv6 for an interface that has been explicitly configured with an IPv6 address EXAMPLE In this example IPv6 is enabled on VLAN 1 and the link local address FE80 2E0 CFF FE00 FD 64 is automatically gen...

Page 1441: ...advertisements sent from this device The maximum value set by this command cannot exceed the MTU of the physical interface which is currently fixed at 1500 bytes IPv6 routers do not fragment IPv6 pac...

Page 1442: ...refix The IPv6 network portion of the address assigned to the interface The prefix must be formatted according to RFC 2373 IPv6 Addressing Architecture using 8 colon separated 16 bit hexadecimal value...

Page 1443: ...of multicast traffic Link local multicast addresses cover the same types as used by link local unicast addresses including all nodes FF02 1 all routers FF02 2 and solicited nodes FF02 1 FFXX XXXX as d...

Page 1444: ...with an acceptable MTU to this switch COMMAND MODE Normal Exec Privileged Exec EXAMPLE The following example shows the MTU cache for this device Console show ipv6 mtu MTU Since Destination Address 140...

Page 1445: ...0 forwarded datagrams 22 requests 0 discards 0 no routes 0 generated fragments 0 fragment succeeded 0 fragment failed ICMPv6 Statistics ICMPv6 received 0 input 0 errors 0 destination unreachable messa...

Page 1446: ...d because the destination address was not a local address unknown protocols The number of locally addressed datagrams received successfully but discarded because of an unknown or unsupported protocol...

Page 1447: ...tagrams if any such packets met this discretionary discard criterion no routes The number of input datagrams discarded because no route could be found to transmit them to their destination generated f...

Page 1448: ...number of ICMP Destination Unreachable messages sent by the interface packet too big messages The number of ICMP Packet Too Big messages sent by the interface time exceeded messages The number of ICM...

Page 1449: ...e number of zeros required to fill the undefined fields host name A host name string which can be resolved into an IPv6 address through a domain name server count Number of packets to send Range 1 16...

Page 1450: ...n IPv6 address before trying to resolve it into an IPv4 address EXAMPLE Console ping6 FE80 2E0 CFF FE00 FC 1 64 Type ESC to abort PING to FE80 2E0 CFF FE00 FC 1 64 by 5 32 byte payload ICMP packets ti...

Page 1451: ...erminates when the destination responds when the maximum timeout TTL is exceeded or the maximum number of hops is exceeded The traceroute command first sends probe datagrams with the TTL value set at...

Page 1452: ...hat interface are placed in a pending state Duplicate address detection is automatically restarted when the interface is administratively re activated An interface that is re activated restarts duplic...

Page 1453: ...s enabled number of DAD attempts 5 ND retransmit interval is 1000 milliseconds ND advertised retransmit interval is 0 milliseconds ND reachable time is 30000 milliseconds ND advertised reachable time...

Page 1454: ...nterface vlan 1 Console config pv6 nd ns interval 30000 Console config end Console show ipv6 interface VLAN 1 is up IPv6 is enabled Link local address fe80 200 e8ff fe90 0 64 Global unicast address es...

Page 1455: ...nsole config if ipv6 nd reachable time This command configures the amount of time that a remote IPv6 node is considered reachable after some reachability confirmation event has occurred SYNTAX ipv6 nd...

Page 1456: ...ig interface vlan 1 Console config pv6 nd reachable time 1000 Console config clear ipv6 neighbors This command deletes all dynamic entries in the IPv6 neighbor discovery cache COMMAND MODE Privileged...

Page 1457: ...on may be used in the address to indicate the appropriate number of zeros required to fill the undefined fields DEFAULT SETTING All IPv6 neighbor discovery cache entries are displayed COMMAND MODE Pri...

Page 1458: ...target but it has not yet returned a neighbor advertisement message I2 Invalid An invalidated mapping Setting the state to invalid dis associates the interface identified with this entry from the ind...

Page 1459: ...to detect retransmit count Sets the number of times to send an NS message to determine if a binding is still valid GC ipv6 nd snooping auto detect retransmit interval Sets the interval between sending...

Page 1460: ...ther security filtering protocols e g IPv6 Source Guard as described below If an NS message is received on an trusted interface it is forwarded without further processing If an NS message is received...

Page 1461: ...he dynamic binding table still exists If it does not receive an RA message in response after the configured timeout the entry is dropped If the switch receives an RA message before the timeout expires...

Page 1462: ...to determine if a dynamic user binding is still valid Use the no form to restore the default setting SYNTAX ipv6 nd snooping auto detect retransmit interval retransmit interval no ipv6 nd snooping aut...

Page 1463: ...usted interface the switch will add an entry in the prefix table based upon the Prefix Information contained in the message If an RA message is not received for a table entry with the same prefix for...

Page 1464: ...COMMAND USAGE In general interfaces facing toward to the network core or toward routers supporting the Network Discovery protocol are configured as trusted interfaces RA messages received from a trus...

Page 1465: ...ping prefix Console show ipv6 nd snooping prefix Prefix entry timeout seconds Prefix Len Valid Time Expire VLAN Interface Console show ipv6 nd snooping This command shows the configuration settings fo...

Page 1466: ...face 0013 49aa 3926 2001 b001 211 95ff fe84 cb9e 100 1 Eth 1 1 0012 cf01 0203 2001 1 3400 2 Eth 1 2 Console show ipv6 nd snooping prefix This command shows all entries in the address prefix table SYNT...

Page 1467: ...namic routing These commands are used to connect between different local subnetworks or to connect the router to the enterprise network GLOBAL ROUTING CONFIGURATION Table 203 IP Routing Commands Comma...

Page 1468: ...mic route is less than that configured for the static route Range 1 255 Default 1 Removes all static routing table entries DEFAULT SETTING No static routes are configured COMMAND MODE Global Configura...

Page 1469: ...L3 switch in this mode for light routing requirements EXAMPLE Console config ip sw route Console config show ip route This command displays information in the Forwarding Information Base FIB SYNTAX s...

Page 1470: ...rwarding may still be displayed by using the show ip route database command EXAMPLE Console show ip route Codes C connected S static R RIP B BGP O OSPF IA OSPF inter area N1 OSPF NSSA external type 1...

Page 1471: ...ummary This command displays summary information for the routing table COMMAND MODE Privileged Exec EXAMPLE In the following example the numeric identifier following the named routing table that is th...

Page 1472: ...CHAPTER 46 IP Routing Commands IPv4 Commands 1472...

Page 1473: ...1473 SECTION IV APPENDICES This section provides additional information and includes these items Software Specifications on page 1475 Troubleshooting on page 1479 License Information on page 1481...

Page 1474: ...SECTION IV Appendices 1474...

Page 1475: ...full duplex 1000BASE SX LX LH 1000 Mbps at full duplex SFP FLOW CONTROL Full Duplex IEEE 802 3 2005 Half Duplex Back pressure STORM CONTROL Broadcast multicast or unicast traffic throttled above a cri...

Page 1476: ...olicies MULTICAST FILTERING IGMP Snooping Layer 2 Multicast VLAN Registration ADDITIONAL FEATURES BOOTP Client DHCP Client DNS Client Proxy LLDP Link Layer Discover Protocol RMON Remote Monitoring gro...

Page 1477: ...duplex flow control ISO IEC 8802 3 IEEE 802 3ac VLAN tagging DHCP Client RFC 2131 DHCPv6 Client RFC 3315 HTTPS ICMP RFC 792 IGMP RFC 1112 IGMPv2 RFC 2236 IGMPv3 RFC 3376 partial support IPv4 IGMP RFC...

Page 1478: ...P Bridge MIB RFC 2674P Port Access Entity MIB IEEE 802 1X Port Access Entity Equipment MIB Power Ethernet MIB RFC 3621 Private MIB Q Bridge MIB RFC 2674Q Quality of Service MIB RADIUS Authentication C...

Page 1479: ...t Telnet SSH sessions permitted Try connecting again at a later time Cannot connect using Secure Shell If you cannot connect using SSH you may have exceeded the maximum number of concurrent Telnet SSH...

Page 1480: ...Repeat the sequence of commands or other actions that lead up to the error 7 Make a list of the commands or circumstances that led to the fault Also make a list of any error messages displayed 8 Set...

Page 1481: ...of free software and charge for this service if you wish that you receive source code or can get it if you want it that you can change the software or use pieces of it in new free programs and that yo...

Page 1482: ...you distribute or publish that in whole or in part contains or is derived from the Program or any part thereof to be licensed as a whole at no charge to all third parties under the terms of this Lice...

Page 1483: ...s These actions are prohibited by law if you do not accept this License Therefore by modifying or distributing the Program or any work based on the Program you indicate your acceptance of this License...

Page 1484: ...k for permission For software which is copyrighted by the Free Software Foundation write to the Free Software Foundation we sometimes make exceptions for this Our decision will be guided by the two go...

Page 1485: ...aintenance points fault verification through loop back messages and fault isolation with link trace messages COS Class of Service is supported by prioritizing packets based on the required level of se...

Page 1486: ...he switch and then passed to an authentication server e g RADIUS for verification EAPOL is implemented as part of the IEEE 802 1X Port Authentication standard ERPS Ethernet Ring Protection Switching c...

Page 1487: ...otocol is a network layer protocol that reports errors in processing IP packets ICMP is also used by routers to feed back information about better routing choices IEEE 802 1D Specifies a general metho...

Page 1488: ...the lowest IP address in the subnetwork IGMP PROXY Proxies multicast group membership information onto the upstream interface based on IGMP messages monitored on downstream interfaces and forwards mu...

Page 1489: ...ng that it takes a message and converts it into a fixed string of digits also called a message digest MIB Management Information Base An acronym for Management Information Base It is a set of database...

Page 1490: ...nd displaying remote device information OUT OF BAND MANAGEMENT Management of the network from a station not attached to the network PORT AUTHENTICATION See IEEE 802 1X PORT MIRRORING A method whereby...

Page 1491: ...based on periodic updates from a Network Time Protocol NTP server Updates can be requested from a specific NTP server or can be received via broadcasts sent by NTP servers SSH Secure Shell is a secur...

Page 1492: ...ow or just unnecessary UTC Universal Time Coordinate UTC is a time scale that couples Greenwich Mean Time based solely on the Earth s rotation rate with highly accurate atomic time The UTC does not ha...

Page 1493: ...re note 726 boot system 737 bridge ext gvrp 1150 C calendar set 781 capabilities 997 channel group 1024 class 1212 class map 1208 clear access list hardware counters 992 clear arp cache 1430 clear cou...

Page 1494: ...period 869 dot1x timeout re authperiod 869 dot1x timeout start period 875 dot1x timeout supp timeout 870 dot1x timeout tx period 870 E efm oam 1390 efm oam critical link event 1390 efm oam link monit...

Page 1495: ...cn query solicit 1232 ip igmp snooping unregistered data flood 1232 ip igmp snooping unsolicited report interval 1233 ip igmp snooping version 1234 ip igmp snooping version exclusive 1234 ip igmp snoo...

Page 1496: ...system priority 1028 lacp timeout 1029 line 749 lldp 1325 lldp admin status 1329 lldp basic tlv management ip address 1329 lldp basic tlv port description 1330 lldp basic tlv system capabilities 1331...

Page 1497: ...n 899 network access guest vlan 900 network access link detection 901 network access link detection link down 901 network access link detection link up 902 network access link detection link up down 9...

Page 1498: ...cam utilization 728 show accounting 846 show arp 1431 show auto traffic control 1071 show auto traffic control interface 1072 show banner 727 show bridge ext 1153 show cable diagnostics 1018 show cale...

Page 1499: ...rface 1280 show ipv6 mtu 1444 show ipv6 nd raguard 1456 show ipv6 nd snooping 1465 show ipv6 nd snooping binding 1466 show ipv6 nd snooping prefix 1466 show ipv6 neighbors 1457 show ipv6 source guard...

Page 1500: ...trol release 1069 snmp server enable port traps atc multicast alarm clear 1069 snmp server enable port traps atc multicast alarm fire 1070 snmp server enable port traps atc multicast control apply 107...

Page 1501: ...e diagnostics 1017 timeout login response 756 time range 783 traceroute 1426 traceroute6 1450 traffic segmentation 963 traffic segmentation session 964 traffic segmentation uplink downlink 965 traffic...

Page 1502: ...COMMAND LIST 1502...

Page 1503: ...57 359 969 971 IPv6 Extended 357 365 976 979 IPv6 Standard 357 363 976 978 MAC 358 367 983 time range 353 782 Address Resolution Protocol See ARP address table 231 1085 aging time 234 1085 aging time...

Page 1504: ...87 command line interface See CLI committed burst size QoS policy 295 296 297 1213 1215 1217 committed information rate QoS policy 295 296 297 1213 1215 1217 community string 97 466 795 configuration...

Page 1505: ...68 1408 domain name list 663 1404 enabling lookup 663 1402 name server list 663 1405 static entries IPv4 667 1404 static entries IPv6 1406 Domain Name Service See DNS domain service access point CFM 5...

Page 1506: ...ofile 591 1251 1252 filtering creating profile 591 1251 filtering group range 591 1252 groups displaying 577 1244 Layer 2 568 1226 query 568 570 1229 query enabling 573 services displaying 585 1244 sn...

Page 1507: ...237 layer 2 protocol tunnel 1175 license information GNU 1481 Link Layer Discovery Protocol Media Endpoint Discovery See LLDP MED Link Layer Discovery Protocol See LLDP link trace cache CFM 552 1377 1...

Page 1508: ...ic router port 598 1268 querier 596 1263 querier enabling 596 1263 query interval 596 1264 query maximum response time 596 1265 robustness value 596 1265 static port assignment 600 1269 static router...

Page 1509: ...tem clock 141 773 776 O OAM active mode 557 1393 displaying settings and status 556 1397 1400 enabling on switch ports 556 1390 errored frame link events 1391 1392 event log displaying 560 1397 messag...

Page 1510: ...rTCM police meter 296 1215 trTCM 293 1217 trTCM police meter 297 1217 QoS policy committed information rate 295 296 297 1213 1215 1217 QoS policy peak information rate 297 1217 Quality of Service See...

Page 1511: ...iguring 250 1103 1114 interface settings displaying 254 1116 link type 251 255 1107 loopback detection 242 1107 maximum age 246 1095 MSTP interface settings configuring 261 1110 1111 MSTP path cost 26...

Page 1512: ...ring port members by interface 1158 1161 configuring port members VLAN index 207 creating 202 1156 description 199 displaying port members 207 1164 displaying port members by interface 208 displaying...

Page 1513: ......

Page 1514: ...ECS4110 28T ECS4110 28P ECS4110 52T ECS4110 52P E072014 ST R02 150200000929A...

Search results

Summary of Contents for ECS4110-28T

Reviews:

Edge-Core ECS4110-28T, Management Manual, Page: 399 / 1514

Search results

Summary of Contents for ECS4110-28T

Reviews: