Home
/
Edge-Core
/
ECS4120-28F
/
Reference Manual

Edge-Core ECS4120-28F, Reference Manual, Page: 333 / 938

Share

Page: 333 / 938

Edge-Core ECS4120-28F Reference Manual Download Page 333

Chapter 9

| General Security Measures

IPv4 Source Guard

– 333 –

ip source-guard

This command configures the switch to filter inbound traffic based on source IP
address, or source IP address and corresponding MAC address. Use the

no

form to

disable this function.

Syntax

ip source-guard

{

sip

|

sip-mac

}

no

ip source-guard

sip

- Filters traffic based on IP addresses stored in the binding table.

sip-mac

- Filters traffic based on IP addresses and corresponding MAC

addresses stored in the binding table.

Default Setting

Disabled

Command Mode

Interface Configuration (Ethernet)

Command Usage

◆

Source guard is used to filter traffic on an insecure port which receives
messages from outside the network or fire wall, and therefore may be subject
to traffic attacks caused by a host trying to use the IP address of a neighbor.

◆

Setting source guard mode to “sip” or “sip-mac” enables this function on the
selected port. Use the “sip” option to check the VLAN ID, source IP address, and
port number against all entries in the binding table. Use the “sip-mac” option
to check these same parameters, plus the source MAC address. Use the

no ip

source guard

command to disable this function on the selected port.

◆

When enabled, traffic is filtered based upon dynamic entries learned via DHCP
snooping, or static addresses configured in the source guard binding table.

◆

Table entries include a MAC address, IP address, lease time, entry type (Static-IP-
SG-Binding, Dynamic-DHCP-Binding, VLAN identifier, and port identifier.

◆

Static addresses entered in the source guard binding table with the

command are automatically configured with an infinite lease

time. Dynamic entries learned via DHCP snooping are configured by the DHCP
server itself.

◆

If the IP source guard is enabled, an inbound packet’s IP address (sip option) or
both its IP address and corresponding MAC address (sip-mac option) will be
checked against the binding table. If no matching entry is found, the packet
will be dropped.

◆

Filtering rules are implemented as follows:

■

If DHCPv4 snooping is disabled (see

), IP source guard will check

the VLAN ID, source IP address, port number, and source MAC address (for

«
...
331
332
333
334
335
...
»

Summary of Contents for ECS4120-28F

Page 1: ...CLI Reference Guide www edge core com ECS4120 28F 28F I ECS4120 28T 28P ECS4120 52T 28 52 Port Layer 2 Gigabit Ethernet Switch Software Release v1 0 2 25...

Page 2: ...perature 0 C 50 C ECS4120 28F I Gigabit Ethernet Switch L2 Gigabit Ethernet Switch with 20 100 1000 SFP Ports 4 10 100 1000 BASE T RJ 45 100 1000 SFP Combo Ports 4 10 Gigabit SFP Ports and DC Power Su...

Page 3: ...ribes the switch s command line interface CLI For more detailed information on the switch s key features refer to the Administrator s Guide The guide includes these sections Section I Getting Started...

Page 4: ...age the system or equipment Revision History This section summarizes the changes in each revision of this guide Revision Date Change Description v1 0 2 25 09 2017 Added ECS4120 28F I ip dhcp l2 relay...

Page 5: ...iguring the Switch for Remote Management 51 Setting an IP Address 51 Enabling SNMP Management Access 57 Managing System Files 59 Upgrading the Operation Code 60 Saving or Restoring Configuration Setti...

Page 6: ...on Commands 76 Partial Keyword Lookup 78 Negating the Effect of Commands 78 Using Command History 78 Understanding Command Modes 78 Exec Commands 79 Configuration Commands 80 Command Line Processing...

Page 7: ...manager info 103 banner configure mux 104 banner configure note 104 show banner 105 System Status 105 show access list tcam utilization 106 show location led status 107 show memory 107 show process c...

Page 8: ...ode reload 130 show upgrade 131 TFTP Configuration Commands 131 ip tftp retry 131 ip tftp timeout 132 show ip tftp 132 Line 133 line 134 databits 134 exec timeout 135 login 136 parity 137 password 137...

Page 9: ...w logging sendmail 154 Time 154 SNTP Commands 155 sntp client 155 sntp poll 156 sntp server 157 show sntp 157 NTP Commands 158 ntp authenticate 158 ntp authentication key 159 ntp client 160 ntp server...

Page 10: ...80 snmp server contact 180 snmp server location 181 show snmp 181 SNMP Target Host Commands 182 snmp server enable traps 182 snmp server host 184 snmp server enable port traps mac notification 186 sho...

Page 11: ...mon events 208 show rmon history 209 show rmon statistics 209 7 Flow Sampling Commands 211 sflow owner 212 sflow polling instance 213 sflow sampling instance 214 show sflow 215 8 Authentication Comman...

Page 12: ...accounting dot1x 232 aaa accounting exec 233 aaa accounting update 234 aaa authorization exec 235 aaa group server 236 server 236 accounting dot1x 237 accounting exec 237 authorization exec 238 show a...

Page 13: ...auth control 257 Authenticator Commands 258 dot1x intrusion action 258 dot1x max reauth req 259 dot1x max req 259 dot1x operation mode 260 dot1x port control 261 dot1x re authentication 261 dot1x tim...

Page 14: ...283 Network Access MAC Address Authentication 285 network access aging 286 network access mac filter 287 mac authentication reauth time 288 network access dynamic qos 288 network access dynamic vlan 2...

Page 15: ...ption remote id 311 ip dhcp snooping information option tr101 board id 312 information policy 312 ip dhcp snooping limit rate 313 ip dhcp snooping verify mac address 314 ip dhcp snooping vlan 314 ip d...

Page 16: ...nding 337 IPv6 Source Guard 338 ipv6 source guard binding 338 ipv6 source guard 340 ipv6 source guard max binding 341 show ipv6 source guard 342 show ipv6 source guard binding 343 ARP Inspection 343 i...

Page 17: ...ss Control Lists 361 IPv4 ACLs 361 access list ip 362 permit deny Standard IP ACL 363 permit deny Extended IPv4 ACL 364 ip access group 366 show ip access group 367 show ip access list 367 IPv6 ACLs 3...

Page 18: ...l 391 history 392 media type 392 negotiation 393 shutdown 394 speed duplex 395 switchport block 396 switchport mtu 397 clear counters 398 show discard 399 show interfaces brief 399 show interfaces cou...

Page 19: ...guration Commands 427 port channel load balance 427 channel group 428 Dynamic Configuration Commands 429 lacp 429 lacp admin key Ethernet Interface 430 lacp port priority 431 lacp system priority 432...

Page 20: ...ntrol release timer 464 auto traffic control 465 auto traffic control action 465 auto traffic control alarm clear threshold 466 auto traffic control alarm fire threshold 467 auto traffic control auto...

Page 21: ...loopback detection 479 17 UniDirectional Link Detection Commands 481 udld detection interval 481 udld message interval 482 udld recovery 483 udld recovery interval 483 udld aggressive 484 udld port 4...

Page 22: ...ee loopback detection 511 spanning tree loopback detection action 512 spanning tree loopback detection release mode 513 spanning tree loopback detection trap 514 spanning tree mst cost 514 spanning tr...

Page 23: ...41 rpl neighbor 542 rpl owner 542 version 543 wtr timer 544 clear erps statistics 545 erps clear 545 erps forced switch 546 erps manual switch 548 show erps 549 21 VLAN Commands 555 GVRP and Bridge Ex...

Page 24: ...ce match cvid 575 switchport dot1q tunnel tpid 578 show dot1q tunnel 579 Configuring L2PT Tunneling 580 l2protocol tunnel tunnel dmac 580 switchport l2protocol tunnel 582 show l2protocol tunnel 583 Co...

Page 25: ...rity default 604 show queue mode 605 show queue weight 605 Priority Commands Layer 3 and 4 606 qos map phb queue 607 qos map cos dscp 608 qos map default drop precedence 609 qos map dscp cos 610 qos m...

Page 26: ...2 ip igmp snooping proxy reporting 642 ip igmp snooping querier 643 ip igmp snooping router alert option check 644 ip igmp snooping router port expire time 644 ip igmp snooping tcn flood 645 ip igmp s...

Page 27: ...nooping vlan mrouter 663 IGMP Filtering and Throttling 664 ip igmp filter Global Configuration 665 ip igmp profile 666 permit deny 666 range 667 ip igmp authentication 667 ip igmp filter Interface Con...

Page 28: ...ow ipv6 mld snooping 686 show ipv6 mld snooping group 686 show ipv6 mld snooping group source list 687 show ipv6 mld snooping mrouter 688 show ipv6 mld snooping statistics 688 MLD Filtering and Thrott...

Page 29: ...1 show mvr 712 show mvr associated profile 713 show mvr interface 713 show mvr members 714 show mvr profile 716 show mvr statistics 716 MVR for IPv6 722 mvr6 associated profile 723 mvr6 domain 723 mvr...

Page 30: ...lldp basic tlv management ip address 751 lldp basic tlv port description 752 lldp basic tlv system capabilities 753 lldp basic tlv system description 753 lldp basic tlv system name 754 lldp dot1 tlv...

Page 31: ...name 782 ma index name format 783 ethernet cfm mep 784 ethernet cfm port enable 785 clear ethernet cfm ais mpid 785 show ethernet cfm configuration 786 show ethernet cfm md 788 show ethernet cfm ma 78...

Page 32: ...rnet cfm linktrace cache 806 Loopback Operations 807 ethernet cfm loopback 807 Fault Generator Operations 808 mep fault notify alarm time 808 mep fault notify lowest priority 809 mep fault notify rese...

Page 33: ...r dns cache 833 clear host 833 show dns 833 show dns cache 834 show hosts 834 29 DHCP Commands 837 DHCP Client 837 DHCP for IPv4 837 ip dhcp client class id 837 ip dhcp restart client 839 DHCP for IPv...

Page 34: ...ties 862 ipv6 default gateway 862 ipv6 address 863 ipv6 address autoconfig 864 ipv6 address eui 64 865 ipv6 address link local 867 ipv6 enable 869 ipv6 mtu 870 show ipv6 default gateway 871 show ipv6...

Page 35: ...ing binding 894 clear ipv6 nd snooping prefix 894 show ipv6 nd snooping 895 show ipv6 nd snooping binding 895 show ipv6 nd snooping prefix 896 30 IP Routing Commands 897 Global Routing Configuration 8...

Page 36: ...Contents 36...

Page 37: ...y Shutting Down a Port 463 Figure 3 Non ERPS Device Protection 533 Figure 4 Sub ring with Virtual Channel 540 Figure 5 Sub ring without Virtual Channel 540 Figure 6 Configuring VLAN Trunking 570 Figur...

Page 38: ...Figures 38...

Page 39: ...tion 109 Table 13 show system display description 114 Table 14 show version display description 116 Table 15 Fan Control Commands 117 Table 16 Frame Size Commands 118 Table 17 Flash File Commands 120...

Page 40: ...erver Commands 243 Table 46 Secure Shell Commands 246 Table 47 show ssh display description 255 Table 48 802 1X Port Authentication Commands 255 Table 49 Management IP Filter Commands 267 Table 50 PPP...

Page 41: ...ption 436 Table 80 show lacp neighbors display description 437 Table 81 show lacp sysid display description 438 Table 82 PoE Commands 439 Table 83 Maximum Number of Ports Providing Simultaneous Power...

Page 42: ...AN Commands 594 Table 118 Priority Commands 601 Table 119 Priority Commands Layer 2 601 Table 120 Priority Commands Layer 3 and 4 606 Table 121 Mapping Internal Per hop Behavior to Hardware Queues 607...

Page 43: ...150 show mvr6 members display description 739 Table 151 show mvr6 statistics input display description 740 Table 152 show mvr6 statistics output display description 741 Table 153 show mvr6 statistics...

Page 44: ...asic IP Configuration Commands 850 Table 178 Address Resolution Protocol Commands 857 Table 179 IPv6 Configuration Commands 861 Table 180 show ipv6 interface display description 872 Table 181 show ipv...

Page 45: ...ides an overview of the switch and introduces some basic concepts about network switches It also describes the basic settings required to access the management interface This section includes these ch...

Page 46: ...Section I Getting Started 46...

Page 47: ...standard web browser such as Internet Explorer 11 Mozilla Firefox 52 or Google Chrome 57 or more recent versions The switch s web management interface can be accessed from any computer attached to th...

Page 48: ...RS 232 serial port that enables a connection to a PC or terminal for monitoring and configuring the switch A null modem console cable is provided with the switch Attach a VT100 compatible terminal or...

Page 49: ...e connection press Enter The User Access Verification procedure starts 2 At the User Name prompt enter admin 3 At the Password prompt also enter admin The password characters are not displayed on the...

Page 50: ...rface is VLAN 1 which includes ports 1 28 52 When configuring the network interface the IP address subnet mask and default gateway may all be set using a console connection or DHCP protocol as describ...

Page 51: ...or can automatically generate a unique IPv6 host address based on the local subnet address prefix received in router advertisement messages An IPv6 link local address for use in a local network can al...

Page 52: ...host portion of the address An IPv6 prefix or address must be formatted according to RFC 2373 IPv6 Addressing Architecture using 8 colon separated 16 bit hexadecimal values One double colon may be use...

Page 53: ...Prefix for this network IP address for the switch Default gateway for the network For networks that encompass several different subnets you must define the full address including a network prefix and...

Page 54: ...is 0 milliseconds ND advertised router lifetime is 1800 seconds Console show ipv6 default gateway ipv6 default gateway 2001 DB8 2222 7272 254 Console Dynamic Configuration Obtaining an IPv4 Address If...

Page 55: ...ter the startup file name and press Enter Console config interface vlan 1 Console config if ip address dhcp Console config if end Console show ip interface VLAN 1 is Administrative Up Link Up Address...

Page 56: ...gured to automatically generate a unique host address based on the local subnet address prefix received in router advertisement messages and subsequently from a DHCPv6 server For more information see...

Page 57: ...h includes an SNMP agent that supports SNMP version 1 2c and 3 clients To provide management access for version 1 or 2c clients you must specify a community string The switch provides a default MIB Vi...

Page 58: ...r host command From the Privileged Exec level global configuration mode prompt type snmp server host host address community string version 1 2c 3 auth noauth priv where host address is the IP address...

Page 59: ...by the CLI program the web interface or SNMP The switch s file system allows files to be uploaded and downloaded copied deleted and set as a start up file The types of files are Configuration This fil...

Page 60: ...e Upgrading the Operation Code The following example shows how to download new firmware to the switch and activate it The TFTP server could be any standards compliant server running on Windows or Linu...

Page 61: ...g startup config command always sets the new file as the startup file To select a previously saved configuration file use the boot system config filename command The maximum number of saved configurat...

Page 62: ...upgrade file location URL must be a valid IPv4 IP address DNS host names are not recognized Valid IP addresses consist of four numbers 0 to 255 separated by periods The path to the directory must als...

Page 63: ...ing normal operations data switching etc of the switch During the automatic search and transfer process the administrator cannot transfer or update another operation code image configuration file publ...

Page 64: ...and the switch will follow these steps when it boots up a It will search for a new version of the image at the location specified by upgrade opcode path command The name for the new image stored on th...

Page 65: ...x entry for a switch requesting service it should reply with the TFTP server name and boot file name Note that the vendor class identifier can be formatted in either text or hexadecimal but the format...

Page 66: ...DHCP client request sent by this switch includes a parameter request list asking for this information Besides these items the client request also includes a vendor class identifier that allows the DH...

Page 67: ...ple Network Time Protocol SNTP or Network Time Protocol NTP can be used to set the switch s internal clock based on periodic updates from a time server Maintaining an accurate time on the switch enabl...

Page 68: ...command Console show calendar Current Time Apr 2 15 56 12 2013 Time Zone UTC 08 00 Summer Time SUMMER offset 60 minutes Apr 2 2013 00 00 to Jun 30 2013 00 00 Summer Time in Effect Yes Console Configu...

Page 69: ...tion key 45 md5 thisiskey45 Console config ntp authenticate Console config ntp server 192 168 3 20 Console config ntp server 192 168 3 21 Console config ntp server 192 168 5 23 key 19 Console config e...

Page 70: ...Chapter 1 Initial Switch Configuration Setting the System Clock 70...

Page 71: ...mmands on page 177 Remote Monitoring Commands on page 203 Flow Sampling Commands on page 211 Authentication Commands on page 217 General Security Measures on page 279 Access Control Lists on page 361...

Page 72: ...s on page 523 Class of Service Commands on page 601 Quality of Service Commands on page 621 Multicast Filtering Commands on page 639 LLDP Commands on page 745 CFM Commands on page 773 OAM Commands on...

Page 73: ...er name and password is entered the CLI displays the Console prompt and enters privileged access mode i e Privileged Exec But when the guest user name and password is entered the CLI displays the Cons...

Page 74: ...olated network then you can use any IP address that matches the network segment to which you are attached After you configure the switch with an IP address you can open a Telnet session by performing...

Page 75: ...For example to enable Privileged Exec command mode and display the startup configuration enter Console enable Console show startup config To enter commands that require parameters enter the required p...

Page 76: ...each debugging option discard Discard packet dns DNS information dos protection Shows the system dos protection summary information dot1q tunnel dot1q tunnel dot1x 802 1X content efm Ethernet First M...

Page 77: ...time range Time range traffic segmentation Traffic segmentation information udld Displays UDLD information upgrade Shows upgrade information users Information about users logged in version System hard...

Page 78: ...effect for all applicable commands Using Command History The CLI maintains a history of commands that have been entered You can scroll back through the history of commands by pressing the up arrow ke...

Page 79: ...e by entering the enable command followed by the privileged level password super To enter Privileged Exec mode enter the following user names and passwords Username admin Password admin login password...

Page 80: ...examining end to end connections between Provider Edge devices or between Customer Edge devices Class Map Configuration Creates a DiffServ class map for a specified traffic type ERPS Configuration The...

Page 81: ...p access list ip standard access list ip extended access list ipv6 standard access list ipv6 extended access list mac Console config arp acl Console config std acl Console config ext acl Console confi...

Page 82: ...for command line processing Table 5 Keystroke Commands Keystroke Function Ctrl A Shifts cursor to start of command line Ctrl B Shifts cursor to the left one character Ctrl C Terminates the current tas...

Page 83: ...clients attached to common data ports and prevents unauthorized access by configuring valid static or dynamic addresses web authentication MAC address authentication filtering DHCP requests and replie...

Page 84: ...Services 621 Multicast Filtering Configures IGMP multicast filtering query profile and proxy parameters specifies ports attachedtoamulticastrouter also configures multicast VLAN registration and IPv6...

Page 85: ...Command Line Interface CLI Command Groups 85 IPC IGMP Profile Configuration LC Line Configuration MST Multiple Spanning Tree NE Normal Exec PE Privileged Exec PM Policy Map Configuration VC VLAN Data...

Page 86: ...Chapter 2 Using the Command Line Interface CLI Command Groups 86...

Page 87: ...at a specified time after a specified delay or at a periodic interval GC enable Activates privileged mode NE quit Exits a CLI session NE PE show history Shows the command history buffer NE PE configur...

Page 88: ...d daily weekly day of week monthly day of month cancel at in regularly reload at A specified time at which to reload the switch hour The hour at which to reload Range 0 23 minute The minute at which t...

Page 89: ...inutes Console config reload in minute 30 Rebooting at January 1 02 10 43 2015 Are you sure to reboot the system at the specified time y n enable This command activates Privileged Exec mode In privile...

Page 90: ...command exits the configuration program Default Setting None Command Mode Normal Exec Privileged Exec Command Usage The quit and exit commands can both exit the configuration program Example This exam...

Page 91: ...command repeats commands from the Execution command history buffer when you are in Normal Exec or Privileged Exec Mode and commands from the Configuration command history buffer when you are in any of...

Page 92: ...nderstanding Command Modes on page 78 Default Setting None Command Mode Privileged Exec Command Usage The character is appended to the end of the prompt to indicate that the system is in normal access...

Page 93: ...s 29 minutes The switch will be rebooted at January 1 02 11 50 2015 Remaining Time 0 days 0 hours 29 minutes 52 seconds Console end This command returns to Privileged Exec mode Default Setting None Co...

Page 94: ...ed Exec mode from the Global Configuration mode and then quit the CLI session Console config exit CLI exit session WARNING MONITORED ACTIONS AND ACCESSES Station s information Floor Row Rack Sub Rack...

Page 95: ...ormation Fan Control Forces fans to full speed Frame Size Enables support for jumbo frames File Management Manages code image or switch configuration files Line Sets communication parameters for the s...

Page 96: ...line prompt Example Console config hostname RD 1 Console config Banner Information These commands are used to configure and manage administrative information about the switch its exact data center loc...

Page 97: ...is not supported If for example a mistake is made in the company name it can be corrected with the banner configure company command banner configure department Configures the Department information th...

Page 98: ...or 2 Row 7 Rack 25 Electrical circuit ec 177743209 xb Number of LP 12 Position of the equipment in the MUX 1 23 IP LAN 192 168 1 1 Note This is a random note about this managed switch and can contain...

Page 99: ...rack electrical circuit floor id The floor number row id The row number rack id The rack number ec id The electrical circuit ID Maximum length of each parameter 32 characters Default Setting None Comm...

Page 100: ...on letter characters is suggested for situations where white space is necessary for clarity Example Console config banner configure department R D Console config banner configure equipment info This c...

Page 101: ...e equipment location This command is used to configure the equipment location information displayed in the banner Use the no form to restore the default setting Syntax banner configure equipment locat...

Page 102: ...her unobtrusive non letter characters is suggested for situations where white space is necessary for clarity Example Console config banner configure ip lan 192 168 1 1 255 255 255 0 Console config ban...

Page 103: ...ber The phone number of the first manager mgr2 name The name of the second manager mgr2 number The phone number of the second manager mgr3 name The name of the third manager mgr3 number The phone numb...

Page 104: ...usive non letter characters is suggested for situations where white space is necessary for clarity Example Console config banner configure mux telco 8734212kx_PVC 1 23 Console config banner configure...

Page 105: ...3 555 1219 Station s information 710_Network_Path _Indianapolis Edge Core ECS4120 28T Floor Row Rack Sub Rack 3 10 15 12 DC power supply Power Source A Floor Row Rack Electrical circuit 3 15 24 48v id...

Page 106: ...s MAC differServ DE4 Egress IPv4 differServ DE6S Egress IPv6 standard differServ DE6E Egress IPv6 extended differServ W Web authentication I IP source guard I6 IPv6 source guard C CPU interface show p...

Page 107: ...n led status This command shows if location LED function is enabled or not Command Mode Privileged Exec Example Console show location led status Location Led Status On Console show memory This command...

Page 108: ...atus Off Last Alarm Start Time Jun 9 15 10 09 2011 Last Alarm Duration Time 10 seconds Alarm Configuration Rising Threshold 90 Falling Threshold 70 Console Related Commands process cpu 199 show proces...

Page 109: ...ermark If the percentage of CPU usage time is higher than the high watermark the switch stops packet flow to the CPU allowing it to catch up with packets already in the buffer until usage time falls b...

Page 110: ...00 0 00 0 00 SFLOW_TD 0 00 0 00 0 00 SNMP_GROUP 0 00 0 00 0 00 SNMP_TD 0 00 0 00 0 00 SNTP_TD 0 00 0 00 0 00 SSH_TD 0 00 0 00 0 00 STA_GROUP 0 00 0 00 0 00 STKCTRL_GROUP 0 00 0 00 0 00 STKTPLG_GROUP...

Page 111: ...strings Users names access levels and encrypted passwords VLAN database VLAN ID name and state VLAN configuration settings for each interface Multiple spanning tree instances name and interfaces IP ad...

Page 112: ...command to compare the information in running memory to the information stored in non volatile memory This command displays settings for key command modes Each mode group is separated by symbols and i...

Page 113: ...detectors in the switch The first detector is near the air flow intake vents The second detector is near the switch ASIC and CPU Example Console show system System Description ECS4120 28T System OID S...

Page 114: ...ice type System OID String MIB II object ID for switch s network management subsystem System Up Time Length of time the management agent has been up System Name Name assigned to the switch system Syst...

Page 115: ...one Eth 1 4 Down 1 0 Auto 1000BASE T None Eth 1 5 Down 1 0 Auto 1000BASE T None show users Shows all active console and Telnet sessions including user name idle time and IP address of Telnet client De...

Page 116: ...isplay description Parameter Description Serial Number The serial number of the switch Hardware Version Hardware version of the main board EPLD Version Version number of Erasable Programmable Logic De...

Page 117: ...itors key processes and automatically reboots the system if any of these processes are not responding correctly Syntax watchdog software disable enable Default Setting Disabled Command Mode Privileged...

Page 118: ...ort for Layer 2 jumbo frames for Gigabit and 10 Gigabit Ethernet ports Use the no form to disable it Syntax no jumbo frame Default Setting Disabled Command Mode Global Configuration Command Usage This...

Page 119: ...6 mtu 873 File Management Managing Firmware Firmware can be uploaded and downloaded to or from an FTP TFTP server or through the USB port By saving runtime code to a file on an FTP TFTP server that fi...

Page 120: ...les booted PE Automatic Code Upgrade Commands upgrade opcode auto Automatically upgrades the current image when a new version is detected on the indicated server GC upgrade opcode path Specifies an FT...

Page 121: ...OM config Configuration file opcode Run time operation code filename Name of configuration file or code image The colon is required Default Setting None Command Mode Global Configuration Command Usage...

Page 122: ...tps certificate public key running config startup config copy usbdisk file add to running config Keyword that adds the settings listed in the specified file to the running configuration file Keyword t...

Page 123: ...information on specifying an https certificate see Replacing the Default Secure site Certificate in the Web Management Guide For information on configuring the switch to use HTTPS for a secure connect...

Page 124: ...up Write to FLASH Programming Write to FLASH finish Success Console This example shows how to copy a secure site certificate from an TFTP server It then reboots the switch to activate the certificate...

Page 125: ...disk name filename public key username dsa rsa file Keyword that allows you to delete a file usbdisk System file on a USB memory stick or disk name Keyword indicating a file filename Name of configura...

Page 126: ...ic image file config Switch configuration file opcode Run time operation code image file usbdisk System file on a USB memory stick or disk filename Name of configuration file or code image If this fil...

Page 127: ...command prepares the USB memory device to be safely removed from the switch Syntax umount usbdisk Default Setting None Command Mode Privileged Exec Command Usage Before disconnecting a USB memory dev...

Page 128: ...ode Upgrade Commands upgrade opcode auto This command automatically upgrades the current operational code when a new version is detected on the server indicated by the upgrade opcode path command Use...

Page 129: ...sole config upgrade opcode auto Console config upgrade opcode path tftp 192 168 0 1 sm24 Console config If a new image is found at the specified location the following type of messages will be display...

Page 130: ...tax must be used where filedir indicates the path to the directory containing the new image ftp username password 192 168 0 1 filedir If the user name is omitted anonymous will be used for the connect...

Page 131: ...oad Status Disabled Path File Name ECS4120 Series bix Console TFTP Configuration Commands ip tftp retry This command specifies the number of times the switch can retry transmitting a request to a TFTP...

Page 132: ...o ip tftp timeout seconds The the time the switch can wait for a response from a TFTP server before retransmitting a request or timing out Range 1 65535 seconds Default Setting 5 seconds Command Mode...

Page 133: ...val that the command interpreter waits until user input is detected LC login Enables password checking at login LC parity Defines the generation of a parity bit LC password Specifies a password on a l...

Page 134: ...wn as VTY in screen displays such as show users However the serial communication parameters e g databits do not affect Telnet connections Example To enter console line mode enter the following command...

Page 135: ...ntil user input is detected Use the no form to restore the default Syntax exec timeout seconds no exec timeout seconds Integer that specifies the timeout interval Range 60 65535 seconds 0 no timeout D...

Page 136: ...n using this method the management interface starts in Normal Exec NE mode login local selects authentication via the user name and password specified by the username command i e default setting When...

Page 137: ...nals and modems often require a specific parity bit setting Example To specify no parity enter this command Console config line console parity none Console config line console password This command sp...

Page 138: ...no need for you to manually configure encrypted passwords Example Console config line console password 0 secret Console config line console Related Commands login 136 password thresh 138 password thr...

Page 139: ...ter the number of unsuccessful logon attempts exceeds the threshold set by the password thresh command Use the no form to remove the silent time value Syntax silent time seconds no silent time seconds...

Page 140: ...d Usage Set the speed to match the baud rate of the device connected to the serial port Some baud rates available on devices connected to the port might not be supported The system indicates if the sp...

Page 141: ...onds Integer that specifies the timeout interval Range 10 300 seconds Default Setting 300 seconds Command Mode Line Configuration Command Usage If a login attempt is not detected within the timeout in...

Page 142: ...settings including escape character lines displayed terminal type width and command history Use the no form with the appropriate keyword to restore the default setting Syntax terminal escape characte...

Page 143: ...onsole terminal length 48 Console show line This command displays the terminal line s parameters Syntax show line console vty console Console terminal line vty Virtual terminal for remote console acce...

Page 144: ...ber that indicates the facility used by the syslog server to dispatch log messages to an appropriate service Range 16 23 Default Setting 23 Command Mode Global Configuration Table 20 Event Logging Com...

Page 145: ...am flash Event history stored in flash memory i e permanent memory ram Event history stored in temporary RAM i e memory flushed on power reset level One of the levels listed below Messages sent includ...

Page 146: ...port udp port no logging host host ip address host ip address The IPv4 or IPv6 address of a syslog server udp port UDP port number used by the remote server Range 1 65535 Default Setting UPD Port 514...

Page 147: ...is command enables the logging of system messages to a remote server or limits the syslog messages saved to a remote server based on severity Use this command without a specified level to enable remot...

Page 148: ...Default Setting Flash and RAM Command Mode Privileged Exec Example Console clear log Console Related Commands show log 148 show log This command displays the log messages stored in local memory Syntax...

Page 149: ...o a remote syslog server Syntax show logging flash ram sendmail trap flash Displays settings for storing event messages in flash memory i e permanent memory ram Displays settings for storing event mes...

Page 150: ...yslog logging Shows if system logging has been enabled via the logging on command History Logging in Flash The message level s reported based on the logging history command Table 23 show logging trap...

Page 151: ...servers that will be sent alert messages Use the no form to remove an SMTP server Syntax no logging sendmail host ip address ip address IPv4 address of an SMTP server that will be sent alert messages...

Page 152: ...mail again If it still fails the system will repeat the process at a periodic interval A trap will be triggered if the switch cannot successfully open a connection Example Console config logging send...

Page 153: ...ers Default Setting None Command Mode Global Configuration Command Usage You can specify up to five recipients for alert messages However you must enter a separate command to specify each recipient Ex...

Page 154: ...ted this company com SMTP Source Email Address bill this company com SMTP Status Enabled Console Time The system clock can be dynamically set by polling a set of specified time servers NTP or SNTP Ma...

Page 155: ...sed on the interval set via the sntp poll command NTP Commands ntp authenticate Enables authentication for NTP traffic GC ntp authentication key Configures authentication keys GC ntp client Enables th...

Page 156: ...1 0 19 Current Server 137 92 140 80 Console Related Commands sntp server 157 sntp poll 156 show sntp 157 sntp poll This command sets the interval between sending time requests when the switch is set t...

Page 157: ...time servers from which the switch will poll for time updates when set to SNTP client mode The client will poll the time servers in the order specified until a response is received It issues time sync...

Page 158: ...form to disable authentication Syntax no ntp authenticate Default Setting Disabled Command Mode Global Configuration Command Usage You can enable NTP authentication to ensure that reliable updates are...

Page 159: ...to 32 case sensitive printable ASCII characters no spaces Default Setting None Command Mode Global Configuration Command Usage The key number specifies a key value in the NTP authentication key list U...

Page 160: ...starting from the factory default set at the last bootup i e 00 00 00 Jan 1 2015 This command enables client time requests to time servers specified via the ntp servers command It issues time synchro...

Page 161: ...ntp authenticate command you must also configure at least one key number using the ntp authentication key command Use the no form of this command without an argument to clear all configured servers in...

Page 162: ...me Name of the time zone while summer time is in effect usually an acronym Range 1 30 characters b date Day of the month when summer time will begin Range 1 31 b month The month when summer time will...

Page 163: ...g example sets the 2015 Summer Time ahead by 60 minutes on March 9th and returns to normal time on November 2nd Console config clock summer time DEST date march 9 2015 01 59 november 2 2014 01 59 60 C...

Page 164: ...llows the user to manually configure the start end and offset times of summer time daylight savings time for the switch on a recurring basis Use the no form to disable summer time Syntax clock summer...

Page 165: ...utes Default Setting Disabled Command Mode Global Configuration Command Usage In some countries or regions clocks are adjusted through the summer months so that afternoons have more daylight and morni...

Page 166: ...and sets the local time zone relative to the Coordinated Universal Time UTC formerly Greenwich Mean Time or GMT based on the earth s prime meridian zero degrees longitude To display a time correspondi...

Page 167: ...lock cannot be manually configured Example This example shows how to set the system clock to 15 12 34 February 1st 2015 Console calendar set 15 12 34 1 February 2015 Console show calendar This command...

Page 168: ...e Command Mode Global Configuration Command Usage This command sets a time range for use by other functions such as Access Control Lists A maximum of eight rules can be configured for a time range Exa...

Page 169: ...er year Year 4 digit Range 2013 2037 Default Setting None Command Mode Time Range Configuration Command Usage If a time range is already configured you must use the no form of this command to remove t...

Page 170: ...eekdays weekend Weekends hour Hour in 24 hour format Range 0 23 minute Minute Range 0 59 Default Setting None Command Mode Time Range Configuration Command Usage If a time range is already configured...

Page 171: ...e as long as they are connected to the same local network Using Switch Clustering A switch cluster has a primary unit called the Commander which is used to manage all other Member switches in the clus...

Page 172: ...2 2 Add the participating ports to this VLAN see Configuring VLAN Interfaces on page 564 and set them to hybrid mode tagged members PVID 1 and acceptable frame type all Note Cluster Member switches ca...

Page 173: ...as cluster Commander Syntax no cluster commander Default Setting Disabled Command Mode Global Configuration Command Usage Once a switch has been configured to be a cluster Commander it automatically...

Page 174: ...ember IDs can only be between 1 and 36 Set a Cluster IP Pool that does not conflict with addresses in the network IP subnet Cluster IP addresses are assigned to switches when they become Members and a...

Page 175: ...and id member id member id The ID number of the Member switch Range 1 16 Command Mode Privileged Exec Command Usage This command only operates through a Telnet connection to the Commander switch Manag...

Page 176: ...Mode Privileged Exec Example Console show cluster members Cluster Members ID 1 Role Active member IP Address 10 254 254 2 MAC Address 00 E0 0C 00 00 FE Description ECS4120 Series Console show cluster...

Page 177: ...p server community Sets up the community access string to permit access to SNMP commands GC snmp server contact Sets the system contact string GC snmp server location Sets the system location string G...

Page 178: ...rm clear Sends a trap when multicast traffic falls beneath the lower threshold after a storm control response has been triggered IC Port snmp server enable port traps atc multicast alarm fire Sends a...

Page 179: ...ditional Trap Commands memory Sets the rising and falling threshold for the memory utilization alarm GC process cpu Sets the rising and falling threshold for the CPU utilization alarm GC process cpu g...

Page 180: ...MIB objects rw Specifies read write access Authorized management stations are able to both retrieve and modify MIB objects Default Setting public Read only access Authorized management stations are o...

Page 181: ...cation Maximum length 255 characters Default Setting None Command Mode Global Configuration Example Console config snmp server location WC 19 Console config Related Commands snmp server contact 180 sh...

Page 182: ...such name errors 0 Bad values errors 0 General errors 0 Response PDUs 0 Trap PDUs SNMP Logging Disabled Console SNMP Target Host Commands snmp server enable traps This command enables this device to s...

Page 183: ...mmand with a keyword only the notification type related to that keyword is enabled The snmp server enable traps command is used in conjunction with the snmp server host command Use the snmp server hos...

Page 184: ...tring Password like community string sent with the notification operation to SNMP V1 and V2c hosts Although you can set this string using the snmp server host command by itself we recommend defining i...

Page 185: ...t page 179 2 Create a view with the required notification messages page 191 3 Create a group that includes the required notify view page 188 4 Allow the switch to send SNMP traps i e notifications pag...

Page 186: ...ved Default Setting Disabled Command Mode Interface Configuration Ethernet Port Channel Command Usage This command can enable MAC authentication traps on the current interface only if they are also en...

Page 187: ...Range 1 64 hexadecimal characters Default Setting A unique engine ID is automatically generated by the switch based on its MAC address Command Mode Global Configuration Command Usage An SNMP engine is...

Page 188: ...mand adds an SNMP group mapping SNMP users to SNMP views Use the no form to remove an SNMP group Syntax snmp server group groupname v1 v2c v3 auth noauth priv read readview write writeview notify noti...

Page 189: ...server user This command adds a user to an SNMP group restricting the user to a specific SNMP Read Write or Notify View Use the no form to remove a user from an SNMP group Syntax snmp server user user...

Page 190: ...dentifier must be configured to authorize management access for SNMPv3 clients or to identify the source of SNMPv3 trap messages sent from the local switch Remote users i e the command specifies a rem...

Page 191: ...mp server view view name view name Name of an SNMP view Range 1 32 characters oid tree Object identifier of a branch within the MIB tree Wild cards can be used to mask a specific portion of the OID st...

Page 192: ...e Boots 29 Remote SNMP EngineID IP address 80000000030004e2b316c54321 192 168 1 19 Console show snmp group Four default groups are provided SNMPv1 read only access and read write access and SNMPv2c re...

Page 193: ...up Name private Security Model v1 Read View defaultview Write View defaultview Notify View none Storage Type volatile Row Status active Group Name private Security Model v2c Read View defaultview Writ...

Page 194: ...ion and privacy Authentication Protocol MD5 Privacy Protocol DES56 Storage Type Nonvolatile Row Status Active Console show snmp view This command shows information on the SNMP views Command Mode Privi...

Page 195: ...fault Setting None Command Mode Global Configuration Command Usage Notification logging is enabled by default but will not start recording information until a logging profile specified by the snmp ser...

Page 196: ...NMP often need a mechanism for recording Notification information as a hedge against lost notifications whether there are Traps or Informs that may exceed retransmission limits The Notification Log MI...

Page 197: ...aging time can only be configured using SNMP from a network management station When a trap host is created with the snmp server host command a default notify filter will be created as shown in the ex...

Page 198: ...lt setting Syntax memory rising rising threshold falling falling threshold no memory rising falling rising threshold Rising threshold for memory utilization alarm expressed in percentage Range 1 100 f...

Page 199: ...alarm expressed in percentage Range 1 100 falling threshold Falling threshold for CPU utilization alarm expressed in percentage Range 1 100 Default Setting Rising Threshold 90 Falling Threshold 70 Co...

Page 200: ...alls beneath the low watermark max threshold If the number of packets being processed per second by the CPU is higher than the maximum threshold the switch stops packet flow to the CPU allowing it to...

Page 201: ...rop beneath the minimum threshold before the alarm is terminated and then exceed the maximum threshold again before another alarm is triggered Example Console config process cpu guard high watermark 8...

Page 202: ...Chapter 5 SNMP Commands Additional Trap Commands 202...

Page 203: ...vent and Alarm groups When RMON is enabled the system gradually builds up information about its physical interfaces storing this information in the relevant RMON database group A management agent then...

Page 204: ...e sampling period delta The last sample is subtracted from the current value and the difference is then compared to the thresholds threshold An alarm threshold for the sampled variable Range 0 2147483...

Page 205: ...a response event for an alarm Use the no form to remove an event Syntax rmon event index log trap community description string owner name no rmon event index index Index to this entry Range 1 65535 lo...

Page 206: ...ts number interval seconds interval seconds owner name buckets number interval seconds no rmon collection history controlEntry index index Index to this entry Range 1 65535 number The number of bucket...

Page 207: ...e for port 8 Console config interface ethernet 1 5 Console config if rmon collection history controlEntry 15 Console config if end Console show running config interface ethernet 1 5 rmon collection hi...

Page 208: ...Example Console config interface ethernet 1 1 Console config if rmon collection rmon1 controlentry 1 owner mike Console config if show rmon alarms This command shows the settings for all configured a...

Page 209: ...agments and 0 jabbers packets 0 CRC alignment errors and 0 collisions of dropped packet events is 0 Network utilization is estimated at 0 show rmon statistics This command shows the information collec...

Page 210: ...Chapter 6 Remote Monitoring Commands 210...

Page 211: ...nterface Moreover the processor and memory load imposed by the sFlow agent is minimal since local analysis does not take place Note The terms collector receiver and owner in the context of this chapte...

Page 212: ...low collector A full IPv6 address including the network prefix and host address bits An IPv6 address consists of 8 colon separated 16 bit hexadecimal values One double colon may be used to indicate th...

Page 213: ...enables an sFlow polling data source for a specified interface that polls periodically based on a specified time interval Use the no form to remove the polling data source instance from the switch s...

Page 214: ...flow sampling interfaceinterface instanceinstance id receiver owner name sampling rate sample rate max header size max header size no sflow sample interface interface instance instance id interface Th...

Page 215: ...nsole show sflow This command shows the global and interface settings for the sFlow process Syntax show sflow interface interface owner owner name interface interface interface ethernet unit port unit...

Page 216: ...Chapter 7 Flow Sampling Commands 216...

Page 217: ...ation method and precedence RADIUS Client Configures settings for authentication via a RADIUS server TACACS Client Configures settings for authentication via a TACACS server AAA Configures authenticat...

Page 218: ...nd administrators top level access The other levels can be used to configured specialized access profiles Level 0 7 provide the same default access privileges all within Normal Exec mode under the Con...

Page 219: ...ommand adds named users requires authentication at login specifies or changes a user s password or specify that no password is required or specifies or changes a user s access level Use the no form to...

Page 220: ...o log in 0 7 0 means plain password 7 means encrypted password password password The authentication password for the user Maximum length 32 characters plain text or encrypted case sensitive Default Se...

Page 221: ...ecifies any command contained within the specified mode Default Setting Privilege level 0 provides access to a limited number of the commands which display the current status of the switch as well as...

Page 222: ...c command mode with the enable command Use the no form to restore the default Syntax authentication enable local radius tacacs no authentication enable local Use local password only radius Use RADIUS...

Page 223: ...onfig Related Commands enable password sets the password for changing command modes 218 authentication login This command defines the login authentication method and precedence Use the no form to rest...

Page 224: ...DIUS aware devices on the network An authentication server contains a database of multiple user name password pairs with associated privilege levels for each user or group that require management acce...

Page 225: ...tion Example Console config radius server auth port 181 Console config radius server host This command specifies primary and backup RADIUS servers and authentication and accounting parameters that app...

Page 226: ...Range 1 65535 Default Setting auth port 1812 acct port 1813 timeout 5 seconds retransmit 2 Command Mode Global Configuration Example Console config radius server 1 host 192 168 1 20 port 181 timeout...

Page 227: ...etting 2 Command Mode Global Configuration Example Console config radius server retransmit 5 Console config radius server timeout This command sets the interval between transmitting authentication req...

Page 228: ...Controller Access Control System TACACS is a logon authentication protocol that uses software running on a central server to control access to TACACS aware devices on the network An authentication ser...

Page 229: ...server TCP port used for authentication messages Range 1 65535 retransmit Number of times the switch will try to authenticate logon access via the TACACS server Range 1 30 timeout Number of seconds t...

Page 230: ...rt number TACACS server TCP port used for authentication messages Range 1 65535 Default Setting 49 Command Mode Global Configuration Example Console config tacacs server port 181 Console config tacacs...

Page 231: ...s Number of seconds the switch waits for a reply before resending a request Range 1 540 Default Setting 5 Command Mode Global Configuration Example Console config tacacs server timeout 10 Console conf...

Page 232: ...accounting method for service requests Range 1 64 characters start stop Records accounting from starting point and stopping point Table 42 AAA Commands Command Function Mode aaa accounting dot1x Enabl...

Page 233: ...Console config aaa accounting dot1x default start stop group radius Console config aaa accounting exec This command enables the accounting of requested Exec services for network access Use the no for...

Page 234: ...nfig aaa accounting exec default start stop group tacacs Console config aaa accounting update This command enables the sending of periodic updates to the accounting server Use the no form to disable a...

Page 235: ...osts configured with the tacacs server host command server group Specifies the name of a server group configured with the aaa group server command Range 1 256 characters Default Setting Authorization...

Page 236: ...xample Console config aaa group server radius tps Console config sg radius server This command adds a security server to an AAA server group Use the no form to remove the associated server from the gr...

Page 237: ...g dot1x command list name Specifies a method list created with the aaa accounting dot1x command Default Setting None Command Mode Interface Configuration Example Console config interface ethernet 1 2...

Page 238: ...Specifies the default method list created with the aaa authorization exec command list name Specifies a method list created with the aaa authorization exec command Default Setting None Command Mode L...

Page 239: ...2 Accounting Type EXEC Method List default Group List tacacs Interface vty Console Web Server This section describes commands used to configure web browser management access to the switch Note Users...

Page 240: ...nge 1 65535 Default Setting 80 Command Mode Global Configuration Example Console config ip http port 769 Console config Related Commands ip http server 240 show system 113 ip http server This command...

Page 241: ...not configure the HTTP and HTTPS servers to use the same port If you change the HTTPS port number clients attempting to connect to the HTTPS server must specify the port number in the URL in this form...

Page 242: ...establish a secure encrypted connection A padlock icon should appear in the status bar for Internet Explorer 11 Mozilla Firefox 52 or Google Chrome 57 or more recent versions The following web browser...

Page 243: ...telnet max sessions session count The maximum number of allowed Telnet session Range 0 8 Default Setting 8 sessions Command Mode Global Configuration Command Usage A maximum of eight sessions can be...

Page 244: ...o telnet port port number The TCP port number to be used by the browser interface Range 1 65535 Default Setting 23 Command Mode Global Configuration Example Console config ip telnet port 123 Console c...

Page 245: ...ed Exec Example Console telnet 192 168 2 254 Connect To 192 168 2 254 WARNING MONITORED ACTIONS AND ACCESSES User Access Verification Username Console config show ip telnet This command displays the c...

Page 246: ...have to generate authentication keys on the switch and enable the SSH server Table 46 Secure Shell Commands Command Function Mode ip ssh authentication retries Specifies the number of retries allowed...

Page 247: ...d locally on the switch with the username command The clients are subsequently authenticated using these keys The current firmware only accepts public key files based on standard UNIX format as shown...

Page 248: ...um sent from the client against that computed for the original string it sent If the two checksums match this means that the client s private key corresponds to an authorized public key and the client...

Page 249: ...ires 2 Console config Related Commands show ip ssh 253 ip ssh server This command enables the Secure Shell SSH server on this switch Use the no form to disable this service Syntax no ip ssh server Def...

Page 250: ...sh server key size key size The size of server key Range 512 896 bits Default Setting 768 bits Command Mode Global Configuration Command Usage The server key is a private key that is never shared outs...

Page 251: ...nput is controlled by the exec timeout command for vty sessions Example Console config ip ssh timeout 60 Console config Related Commands exec timeout 135 show ip ssh 253 delete public key This command...

Page 252: ...host key command to save the host key pair to flash memory Some SSH client programs automatically add the public key to the known hosts file as part of the configuration process Otherwise you must ma...

Page 253: ...e dsa Console Related Commands ip ssh crypto host key generate 252 ip ssh save host key 253 no ip ssh server 249 ip ssh save host key This command saves the host key from RAM to flash memory Syntax ip...

Page 254: ...hod used by SSH is based on the Digital Signature Standard DSS and the last string is the encoded modulus Example Console show public key host Host RSA 1024 65537 1323694065825476403138279552653637592...

Page 255: ...ell version number State The authentication negotiation state Values Negotiation Started Authentication Started Session Started Username The user name of the client Table 48 802 1X Port Authentication...

Page 256: ...e hosts on an dot1x port IC dot1x port control Sets dot1x mode for a port interface IC dot1x re authentication Enables re authentication for all ports IC dot1x timeout quiet period Sets the time that...

Page 257: ...hrough command can be used to forward EAPOL frames from other switches on to the authentication servers thereby allowing the authentication process to still be carried out by switches located on the e...

Page 258: ...fic guest vlan no dot1x intrusion action block traffic Blocks traffic on this port guest vlan Assigns the user to the Guest VLAN Default block traffic Command Mode Interface Configuration Command Usag...

Page 259: ...2 Command Mode Interface Configuration Example Console config interface eth 1 2 Console config if dot1x max reauth req 2 Console config if dot1x max req This command sets the maximum number of times...

Page 260: ...s multiple hosts to connect to this port with each host needing to be authenticated Default Single host Command Mode Interface Configuration Command Usage The max count parameter specified by this com...

Page 261: ...force authorized Command Mode Interface Configuration Example Console config interface eth 1 2 Console config if dot1x port control auto Console config if dot1x re authentication This command enables...

Page 262: ...ault Syntax dot1x timeout quiet period seconds no dot1x timeout quiet period seconds The number of seconds Range 1 65535 Default 60 seconds Command Mode Interface Configuration Example Console config...

Page 263: ...r than EAP request identity frames If dot1x authentication is enabled on a port the switch will initiate authentication when the port link state comes up It will send an EAP request identity frame to...

Page 264: ...erface Syntax dot1x re authenticate interface interface ethernet unit port unit Unit identifier Range 1 port Port number Range 1 28 52 Command Mode Privileged Exec Command Usage The re authentication...

Page 265: ...X including the following items Type Administrative state for port access control Enabled Authenticator or Supplicant Operation Mode Allows single or multiple hosts page 260 Control Mode Dot1x port co...

Page 266: ...The integer 0 255 used by the Authenticator to identify the current authentication session Backend State Machine State Current state including request response success fail timeout idle initialize Req...

Page 267: ...Supplicant 00 e0 29 94 34 65 Authenticator PAE State Machine State Authenticated Reauth Count 0 Current Identifier 3 Backend State Machine State Idle Request Count 0 Identifier Server 2 Reauthenticat...

Page 268: ...are open to all IP addresses by default Once you add an entry to a filter list access to that interface is restricted to the specified addresses If anyone tries to access a management interface on th...

Page 269: ...snmp client telnet client all client Displays IP addresses for all groups http client Displays IP addresses for the web group snmp client Displays IP addresses for the SNMP group telnet client Display...

Page 270: ...ent s PPPoE Active Discovery Request and Table 50 PPPoE Intermediate Agent Commands Command Function Mode pppoe intermediate agent Enables the PPPoE IA globally on the switch GC pppoe intermediate age...

Page 271: ...e the default settings Syntax pppoe intermediate agent format type access node identifier id string generic error message error message no pppoe intermediate agent format type access node identifier g...

Page 272: ...rface ethernet 1 5 Console config if pppoe intermediate agent port enable Console config if pppoe intermediate agent port format type This command sets the circuit id or remote id for an interface Use...

Page 273: ...the switch and should be stripped out of PADO and PADS packets which are to be passed directly to end node clients using the pppoe intermediate agent vendor tag strip command If the remote id is unspe...

Page 274: ...no pppoe intermediate agent trust Default Setting Untrusted Command Mode Interface Configuration Ethernet Port Channel Command Usage Set any interfaces connecting the switch to a PPPoE Server as trust...

Page 275: ...lear pppoe intermediate agent statistics This command clears statistical counters for the PPPoE Intermediate Agent Syntax clear pppoe intermediate agent statistics interface interface interface ethern...

Page 276: ...ermediate agent info interface ethernet 1 1 Interface PPPoE IA Trusted Vendor Tag Strip Admin Circuit ID Admin Remote ID Eth 1 1 No No No Oper Circuit ID Oper Remote ID 1 1 vid FC 0A 81 B7 C7 E1 Conso...

Page 277: ...nitiation PADO PPPoE Active Discovery Offer PADR PPPoE Active Discovery Request PADS PPPoE Active Discovery Session Confirmation PADT PPPoE Active Discovery Terminate Dropped Response from untrusted R...

Page 278: ...Chapter 8 Authentication Commands PPPoE Intermediate Agent 278...

Page 279: ...uthentication and dynamic VLAN assignment Web Authentication Configures Web authentication Access Control Lists Provides filtering for IP frames based on address protocol TCP UDP port number or TCP co...

Page 280: ...ch can automatically take action by disabling the port and sending a trap message mac learning This command enables MAC address learning on the selected interface Use the no form to disable MAC addres...

Page 281: ...ng example disables MAC address learning for port 2 Console config interface ethernet 1 2 Console config if no mac learning Console config if Related Commands show interfaces status 407 port security...

Page 282: ...VLAN for frames received on the port The specified maximum address count is effective when port security is enabled or disabled Note that you can manually add additional secure addresses to a port us...

Page 283: ...as static entries Syntax port security mac address as permanent interface interface interface Specifies a port interface ethernet unit port unit Unit identifier Range 1 port Port number Range 1 28 52...

Page 284: ...MAC address These fields are not applicable if no intrusion has been detected or port security is disabled The MAC Filter ID field is configured by the network access port mac filter command If this f...

Page 285: ...on MAC 00 10 22 00 00 01 Last Time Detected Intrusion MAC 2010 7 29 15 13 03 Console Network Access MAC Address Authentication Network Access authentication controls access to the network by authentic...

Page 286: ...k detection link up down Configures the link detection feature to detect and act upon both link up and link down events IC network access max mac count Setsthemaximum numberof MAC addresses thatcanbe...

Page 287: ...le config network access aging Console config network access mac filter Use this command to add a MAC address into a filter table Use the no form of this command to remove the specified MAC address Sy...

Page 288: ...reauth time seconds The reauthentication time period Range 120 1000000 seconds Default Setting 1800 Command Mode Global Configuration Command Usage The reauthentication time is a global setting and ap...

Page 289: ...ote Any configuration changes for dynamic QoS are not saved to the switch configuration file Example The following example enables the dynamic QoS feature on port 1 Console config interface ethernet 1...

Page 290: ...on a port and the RADIUS server returns no VLAN configuration the authentication is still treated as a success and the host assigned to the default untagged VLAN When the dynamic VLAN assignment statu...

Page 291: ...ed to the guest VLAN in case of failed authentication if switchport mode is set to Hybrid Example Console config interface ethernet 1 1 Console config if network access guest vlan 25 Console config if...

Page 292: ...sable the port Default Setting Disabled Command Mode Interface Configuration Example Console config interface ethernet 1 1 Console config if network access link detection link down action trap Console...

Page 293: ...onse to take when port security is violated shutdown Disable port only trap Issue SNMP trap message only trap and shutdown Issue SNMP trap message and disable the port Default Setting Disabled Command...

Page 294: ...on a port the authentication process sends a Password Authentication Protocol PAP request to a configured RADIUS server The user name and password are both equal to the MAC address being authenticate...

Page 295: ...ype attribute set to 802 Example Console config if network access mode mac authentication Console config if network access port mac filter Use this command to enable the specified MAC address filter U...

Page 296: ...e Configuration Example Console config if mac authentication intrusion action block traffic Console config if mac authentication max mac count Use this command to set the maximum number of MAC address...

Page 297: ...x xx xx xx interface Specifies a port interface ethernet unit port unit Unit identifier Range 1 port Port number Range 1 28 52 Default Setting None Command Mode Privileged Exec Example Console clear n...

Page 298: ...ommand to display secure MAC address table entries Syntax show network access mac address table static dynamic address mac address mask interface interface sort address interface static Specifies stat...

Page 299: ...ss filter table Range 1 64 Default Setting Displays all filters Command Mode Privileged Exec Example Console show network access mac filter Filter ID MAC Address MAC Mask 1 00 00 01 02 03 08 FF FF FF...

Page 300: ...b auth login attempts Defines the limit for failed web authentication login attempts GC web auth quiet period Defines the amount of time to wait after the limit for failed login attempts is exceeded G...

Page 301: ...ation again Range 1 180 seconds Default Setting 60 seconds Command Mode Global Configuration Example Console config web auth quiet period 120 Console config web auth session timeout This command defin...

Page 302: ...mmand Usage Both web auth system auth control for the switch and web auth for an interface must be enabled for the web authentication feature to be active Example Console config web auth system auth c...

Page 303: ...tifier Range 1 port Port number Range 1 28 52 Default Setting None Command Mode Privileged Exec Example Console web auth re authenticate interface ethernet 1 2 Console web auth re authenticate IP This...

Page 304: ...3600 Quiet Period 60 Max Login Attempts 3 Console show web auth interface This command displays interface specific web authentication parameters and statistics Syntax show web auth interface interfac...

Page 305: ...s or disables the use of DHCP Option 82 information and specifies frame format for the remote id GC ipdhcpsnoopinginformation option encode no subtype Disables use of sub type and sub length for the C...

Page 306: ...are filtered based upon dynamic entries learned via DHCP snooping Table entries are only learned for trusted interfaces Each entry includes a MAC address IP address lease time VLAN identifier and por...

Page 307: ...rom client such as a DISCOVER REQUEST INFORM DECLINE or RELEASE message the packet is forwarded if MAC address verification is disabled as specified by the ip dhcp snooping verify mac address command...

Page 308: ...d keyword to set the remote ID to the switch s MAC address encoded in hexadecimal Syntax ip dhcp snooping information option encode no subtype remote id ip address encode ascii hex mac address encode...

Page 309: ...e DHCP Option 82 information to be inserted into packets When enabled the switch will only add remove option 82 information in incoming DHCP packets but not relay them Packets are processed as follows...

Page 310: ...which received the DHCP request If the packet arrives over a trunk the value is the ifIndex of the trunk vlan Tag of the VLAN which received the DHCP request Note that the sub type and sub length fiel...

Page 311: ...management interface encode Indicates encoding in ASCII or hexadecimal string An arbitrary string inserted into the remote identifier field Range 1 32 characters tr101 node identifier The remote ID ge...

Page 312: ...ts the board ID to 0 Console config ip dhcp snooping information option tr101 board id 0 Console config information policy This command sets the DHCP snooping information option policy for DHCP client...

Page 313: ...e Console config ip dhcp snooping information policy drop Console config ip dhcp snooping limit rate This command sets the maximum number of DHCP packets that can be trapped by the switch for DHCP sno...

Page 314: ...the client s hardware address in the DHCP packet the packet is dropped Example This example enables MAC address verification Console config ip dhcp snooping verify mac address Console config Related C...

Page 315: ...Related Commands ip dhcp snooping 306 ip dhcp snooping trust 317 ip dhcp snooping information option circuit id This command specifies DHCP Option 82 circuit id suboption information Use the no form...

Page 316: ...ring Default is the MAC address of the switch s CPU This field is set by the ip dhcp snooping information option command eth The second field is the fixed string eth slot The slot represents the stack...

Page 317: ...ce Use the no form to restore the default setting Syntax ip dhcp snooping max number max number no dhcp snooping max number max number Maximum number of DHCP clients Range 1 32 Default Setting 16 Comm...

Page 318: ...with the no ip dhcp snooping trust command When an untrusted port is changed to a trusted port all the dynamic DHCP snooping bindings associated with this port are removed Additional considerations wh...

Page 319: ...sh Console ip dhcp snooping database flash This command writes all dynamically learned snooping entries to flash memory Command Mode Privileged Exec Command Usage This command can be used to store the...

Page 320: ...ing Information Policy replace DHCP Snooping is configured on the following VLANs Verify Source MAC Address enabled DHCP Snooping Rate Limit unlimited Interface Trusted Max Number Circuit ID mode Circ...

Page 321: ...ode ipv6 dhcp snooping Enables DHCPv6 snooping globally GC ipv6 dhcp snooping option remote id Enables insertion of DHCPv6 Option 37 relay agent remote id GC ipv6 dhcp snooping option remote id policy...

Page 322: ...If DHCPv6 snooping is enabled globally and also enabled on the VLAN where the DHCPv6 packet is received DHCPv6 packets are forwarded for a trusted port as described below If DHCPv6 snooping is enable...

Page 323: ...to binding table update lease time and forward to original destination Otherwise remove binding entry and check failed If a DHCPv6 Relay packet is received check the relay message option in Relay Forw...

Page 324: ...ts DHCPv6 clients to the DHCPv6 server Known as DHCPv6 Option 37 it allows compatible DHCPv6 servers to use the information when assigning IP addresses or to set other services or policies for clients...

Page 325: ...option remote id Console config ipv6 dhcp snooping option remote id policy This command sets the remote id option policy for DHCPv6 client packets that include Option 37 information Use the no form to...

Page 326: ...fault Setting Disabled Command Mode Global Configuration Command Usage When DHCPv6 snooping enabled globally using the ipv6 dhcp snooping command and enabled on a VLAN with this command DHCPv6 packet...

Page 327: ...ommand configures the specified interface as trusted Use the no form to restore the default setting Syntax no ipv6 dhcp snooping trust Default Setting All interfaces are untrusted Command Mode Interfa...

Page 328: ...e config if Related Commands ipv6 dhcp snooping 321 ipv6 dhcp snooping vlan 326 clear ipv6 dhcp snooping binding This command clears DHCPv6 snooping binding table entries from RAM Use this command wit...

Page 329: ...status disabled DHCPv6 Snooping remote id option status enabled DHCPv6 Snooping remote id policy drop DHCPv6 Snooping is configured on the following VLANs 1 Interface Trusted Max binding Current bindi...

Page 330: ...igured entries in the IPv4 Source Guard table or dynamic entries in the DHCPv4 Snooping table when enabled see DHCPv4 Snooping on page 305 IPv4 source guard can be used to prevent traffic attacks caus...

Page 331: ...p address A valid unicast IP address including classful types A B or C unit Unit identifier Range 1 port list Physical port number or list of port numbers Separate nonconsecutive port numbers with a c...

Page 332: ...s and the type of the entry is dynamic DHCP snooping binding then the new entry will replace the old one and the entry type will be changed to static IP source guard binding Note that a static IP sour...

Page 333: ...nst all entries in the binding table Use the sip mac option to check these same parameters plus the source MAC address Use the no ip source guard command to disable this function on the selected port...

Page 334: ...t port except for DHCP packets allowed by DHCP snooping Only unicast addresses are accepted for static bindings Example This example enables IP source guard on port 5 Console config interface ethernet...

Page 335: ...the number of MAC addresses learned per port Authenticated IP traffic with different source MAC addresses cannot be learned if it would exceed this maximum number Example This example sets the maximu...

Page 336: ...d This command clears source guard binding table entries from RAM Syntax clear ip source guard binding blocked Command Mode Privileged Exec Command Usage When IP Source Guard detects an invalid packet...

Page 337: ...ce dhcp snooping Shows dynamic entries configured with DHCP Snooping commands see page 305 static Shows static entries configured with the ip source guard binding command acl Shows static entries in t...

Page 338: ...terface no ipv6 source guard binding mac address vlan vlan id mac address A valid unicast MAC address vlan id ID of a configured VLAN Range 1 4094 ipv6 address Corresponding IPv6 address This address...

Page 339: ...same MAC address and a different VLAN ID cannot be added to the binding table Static bindings are processed as follows If there is no entry with same and MAC address and IPv6 address a new entry is a...

Page 340: ...an interface the switch initially blocks all IPv6 traffic received on that interface except for ND packets allowed by ND snooping and DHCPv6 packets allowed by DHCPv6 snooping A port access control li...

Page 341: ...which IPv6 source bindings dynamically learned via ND snooping or DHCPv6 snooping or manually configured are not yet configured the switch will drop all IPv6 traffic on that port except for ND packet...

Page 342: ...l be added to the IPv6 source guard binding table If IPv6 source guard is enabled on a port and the maximum number of allowed bindings is changed to a lower value precedence is given to deleting entri...

Page 343: ...middle attacks This is accomplished by intercepting all ARP requests and responses and verifying each of these packets before the local ARP cache is updated or the packet is forwarded to the appropri...

Page 344: ...of address components in an ARP packet GC ip arp inspection vlan Enables ARP Inspection for a specified VLAN or range of VLANs GC ip arp inspection limit Sets a rate limit for the ARP packets received...

Page 345: ...p arp inspection filter arp acl name vlan vlan id vlan range static no ip arp inspection filter arp acl name vlan vlan id vlan range arp acl name Name of an ARP ACL Maximum length 16 characters vlan i...

Page 346: ...conds The interval at which log messages are sent Range 0 86400 Default Setting Message Number 20 Interval 10 seconds Command Mode Global Configuration Command Usage ARP Inspection must be enabled wit...

Page 347: ...en enabled packets with different MAC addresses are classified as invalid and are dropped ip Checks the ARP body for invalid and unexpected IP addresses Addresses include 0 0 0 0 255 255 255 255 and a...

Page 348: ...tion is enabled globally and enabled on selected VLANs all ARP request and reply packets on those VLANs are redirected to the CPU and their switching is handled by the ARP Inspection engine When ARP I...

Page 349: ...and Usage This command applies to both trusted and untrusted ports When the rate of incoming ARP packets exceeds the configured limit the switch drops all ARP packets in excess of the limit Example Co...

Page 350: ...Global IP ARP Inspection Status disabled Log Message Interval 10 s Log Message Number 1 Need Additional Validation s Yes Additional Validation Type Destination MAC address Console show ip arp inspect...

Page 351: ...statistics ARP packets received 150 ARP packets dropped due to rate limt 5 Total ARP packets processed by ARP Inspection 150 ARP packets dropped by additional validation source MAC address 0 ARP pack...

Page 352: ...n no longer communicate adequately This section describes commands used to protect against DoS attacks dos protection land This command protects against DoS LAND Local Area Network Denial attacks in w...

Page 353: ...tax no dos protection tcp null scan Default Setting Disabled Command Mode Global Configuration Command Usage In these packets all TCP flags are 0 Example Console config dos protection tcp null scan Co...

Page 354: ...rget s TCP port is closed the target replies with a TCP RST packet If the target TCP port is open it simply discards the TCP XMAS scan Use the no form to disable this feature Syntax no dos protection...

Page 355: ...x no traffic segmentation Default Setting Disabled Command Mode Global Configuration Command Usage Traffic segmentation provides port based security and isolation between ports within the VLAN Data tr...

Page 356: ...lly on the switch Console config traffic segmentation Console config traffic segmentation session This command creates a traffic segmentation client session Use the no form to remove a client session...

Page 357: ...raffic segmentation session session id uplink interface list downlink interface list downlink interface list session id Traffic segmentation session Range 1 4 uplink Specifies an uplink interface down...

Page 358: ...nfig traffic segmentation uplink ethernet 1 10 downlink ethernet 1 5 8 Console config traffic segmentation uplink to uplink This command specifies whether or not traffic can be forwarded between uplin...

Page 359: ...tation This command displays the configured traffic segments Command Mode Privileged Exec Example Console show traffic segmentation Private VLAN Status Enabled Uplink to Uplink Mode Forwarding Session...

Page 360: ...Chapter 9 General Security Measures Port based Traffic Segmentation 360...

Page 361: ...roup Function IPv4 ACLs Configures ACLs based on IPv4 addresses TCP UDP port number protocol type and TCP control code IPv6 ACLs Configures ACLs based on IPv6 addresses MAC ACLs Configures ACLs based...

Page 362: ...n IP address and other more specific criteria acl name Name of the ACL Maximum length 32 characters Default Setting None Command Mode Global Configuration Command Usage When you create a new ACL or en...

Page 363: ...ng None Command Mode Standard IPv4 ACL Command Usage New rules are appended to the end of the list Address bit masks are similar to a subnet mask containing four integers from 0 to 255 each separated...

Page 364: ...ort dport port bitmask permit deny tcp any source address bitmask host source any destination address bitmask host destination precedence precedence tos tos dscp dscp source port sport bitmask destina...

Page 365: ...s to indicate ignore The bit mask is bitwise ANDed with the specified source IP address and then compared with the address for each IP packet entering the port s to which this ACL has been assigned Yo...

Page 366: ...xt acl This permits all TCP packets from class C addresses 192 168 1 0 with the TCP control code set to SYN Console config ext acl permit tcp 192 168 1 0 255 255 255 0 any control flag 2 2 Console con...

Page 367: ...e Range 168 show ip access group This command shows the ports assigned to IP ACLs Command Mode Privileged Exec Example Console show ip access group Interface ethernet 1 2 IP access list david in Conso...

Page 368: ...access list ipv6 standard extended acl name standard Specifies an ACL that filters packets based on the source IP address extended Specifies an ACL that filters packets based on the destination IP add...

Page 369: ...ard IPv6 ACL The rule sets a filter condition for packets emanating from the specified source Use the no form to remove a rule Syntax permit deny any host source ipv6 address source ipv6 address prefi...

Page 370: ...o form to remove a rule Syntax permit deny any host destination ipv6 address destination ipv6 address prefix length time range time range name no permit deny any host destination ipv6 address destinat...

Page 371: ...ess group acl name in out time range time range name counter no ipv6 access group acl name in out acl name Name of the ACL Maximum length 32 characters in Indicates that this list applies to ingress p...

Page 372: ...um length 32 characters Command Mode Privileged Exec Example Console show ipv6 access list standard IPv6 standard access list david permit host 2009 DB9 2229 79 permit 2009 DB9 2229 5 64 Console Relat...

Page 373: ...s Default Setting None Command Mode Global Configuration Command Usage When you create a new ACL or enter configuration mode for an existing ACL use the permit or deny command to add new rules to the...

Page 374: ...ote The default is for Ethernet II packets permit deny tagged eth2 any host source source address bitmask any host destination destination address bitmask vid vid vid bitmask ethertype protocol protoc...

Page 375: ...Any MAC source or destination address host A specific MAC address source Source MAC address destination Destination MAC address range with bitmask address bitmask5 Bitmask for MAC address in hexadecim...

Page 376: ...name counter no mac access group acl name in out acl name Name of the ACL Maximum length 32 characters in Indicates that this list applies to ingress packets out Indicates that this list applies to e...

Page 377: ...list M5 in Console Related Commands mac access group 376 show mac access list This command displays the rules for configured MAC ACLs Syntax show mac access list acl name acl name Name of the ACL Maxi...

Page 378: ...de Global Configuration Command Usage When you create a new ACL or enter configuration mode for an existing ACL use the permit or deny command to add new rules to the bottom of the list To create an A...

Page 379: ...s bitmask log no permit deny response ip any host source ip source ip ip address bitmask any host destination ip destination ip ip address bitmask mac any host source mac source mac mac address bitmas...

Page 380: ...ccess list arp acl name acl name Name of the ACL Maximum length 32 characters Command Mode Privileged Exec Example Console show access list arp ARP access list factory permit response ip any 192 168 0...

Page 381: ...face name acl name in Clears counter for ingress rules out Clears counter for egress rules interface ethernet unit port unit Unit identifier Range 1 port Port number Range 1 28 52 acl name Name of the...

Page 382: ...ACLs ip standard Shows ingress or egress rules for Standard IPv4 ACLs ipv6 extended Shows ingress or egress rules for Extended IPv6 ACLs ipv6 standard Shows ingress or egress rules for Standard IPv6...

Page 383: ...er 10 Access Control Lists ACL Information 383 MAC access list jerry permit any host 00 30 29 94 34 de ethertype 800 800 IP extended access list A6 deny tcp any any control flag 2 2 permit any any Con...

Page 384: ...Chapter 10 Access Control Lists ACL Information 384...

Page 385: ...port type to use for combination RJ 45 SFP ports IC negotiation Enables autonegotiation of a given interface IC shutdown Disables an interface IC speed duplex Configures the speed and duplex operation...

Page 386: ...or the transceiver power level of the transmitted signal which can be used to trigger an alarm or warning message IC transceiver threshold voltage Sets thresholds for the transceiver voltage which can...

Page 387: ...unit port list unit Unit identifier Range 1 port list Physical port number or list of port numbers Separate nonconsecutive port numbers with a comma and no spaces or use a hyphen to designate a range...

Page 388: ...eters to remove an advertised capability or the no form without parameters to restore the default values Syntax no capabilities 1000full 100full 100half 10full 10half flowcontrol symmetric 1000full Su...

Page 389: ...nk based on the capabilities command When auto negotiation is disabled you must manually specify the link attributes with the speed duplex and flowcontrol commands Example The following example config...

Page 390: ...n RD SW 3 Console config if discard This command discards CDP or PVST packets Use the no form to forward the specified packet type to other ports configured the same way SYNTAX no discard cdp pvst cdp...

Page 391: ...connected directly to the switch when its buffers fill When enabled back pressure is used for half duplex operation and IEEE 802 3 2002 formally IEEE 802 3x for full duplex operation To force flow co...

Page 392: ...ute interval 7 buckets Command Mode Interface Configuration Ethernet Port Channel Example This example sets a interval of 15 minutes for sampling standard statisical values on port 1 Console config in...

Page 393: ...bles auto negotiation for a given interface Use the no form to disable auto negotiation Syntax no negotiation Default Setting Enabled Command Mode Interface Configuration Ethernet Port Channel Command...

Page 394: ...iation Console config if Related Commands capabilities 388 speed duplex 395 flowcontrol 391 shutdown This command disables an interface To restart a disabled interface use the no form Syntax no shutdo...

Page 395: ...guration Ethernet Port Channel Command Usage The 1000BASE T standard does not support forced mode Auto negotiation should always be used to establish a connection over any 1000BASE T port or trunk If...

Page 396: ...roadcast packets multicast Specifies unknown multicast packets unicast Specifies unknown unicast packets Command Mode Interface Configuration Ethernet Port Channel Default Setting Disabled Command Usa...

Page 397: ...hat an ingress port is a tagged port or a QinQ ingress port In other words any additional size for example a tagged field of 4 bytes added by the chip will not be considered when comparing the egress...

Page 398: ...counters interface interface ethernet unit port unit Unit identifier Range 1 port Port number Range 1 28 52 port channel channel id Range 1 26 Default Setting None Command Mode Privileged Exec Comman...

Page 399: ...Usage If an SFP transceiver is inserted in a port the Type field will show the SFP type as interpreted from Ethernet Compliance Codes Data Byte 6 in Address A0h The Ethernet Compliance Code is a bitma...

Page 400: ...mple Console show interfaces counters ethernet 1 1 Ethernet 1 1 IF table Stats 2166458 Octets Input 14734059 Octets Output 14707 Unicast Input 19806 Unicast Output 0 Discard Input 0 Discard Output 0 E...

Page 401: ...interface including framing characters Unicast Input The number of subnetwork unicast packets delivered to a higher layer protocol Unicast Output The total number of packets that higher level protoco...

Page 402: ...y transmitted frames for which transmission is inhibited by exactly one collision Multiple Collision Frames A count of successfully transmitted frames for which transmission is inhibited by more than...

Page 403: ...ddress Undersize Packets The total number of packets received that were less than 64 octets long excluding framing bits but including FCS octets and were otherwise well formed Oversize Packets The tot...

Page 404: ...containing previous samples Range 1 96 count The number of historical samples to display Range 1 96 input Ingress traffic output Egress traffic Default Setting Shows historical statistics for all inte...

Page 405: ...ets Input Unicast Multicast Broadcast 00d 01 45 01 0 00 105421 688 30 8 Discards Errors Unknown Proto 0 0 0 Octets Output Unicast Multicast Broadcast 0 00 859987 947 373 1 Discards Errors 0 0 Interfac...

Page 406: ...Multicast Broadcast 0 00 48334 54 19 0 Discards Errors 0 0 Previous Entries Start Time Octets Input Unicast Multicast Broadcast 00d 00 05 37 1400912 9381 1895 50 00d 00 06 37 1566090 10660 2195 50 00d...

Page 407: ...1 1 Information of Eth 1 1 Basic Information Port Type 1000BASE T MAC Address 00 00 0C 00 00 FE Configuration Name Port Admin Up Speed duplex Auto Capabilities 10half 10full 100half 100full 1000full...

Page 408: ...isplayed Example This example shows the configuration setting for port 1 Console show interfaces switchport ethernet 1 1 Information of Eth 1 1 Broadcast Threshold Enabled 500 packets second Multicast...

Page 409: ...sabled page 567 Acceptable Frame Type Shows if acceptable VLAN frames include all types or tagged frames only page 565 Native VLAN Indicates the default Port VLAN ID page 569 Priority for Untagged Tra...

Page 410: ...e ethernet 1 25 Console config if transceiver monitor Console transceiver threshold auto This command uses default threshold settings obtained from the transceiver to determine when an alarm or warnin...

Page 411: ...alue is greater than or equal to the threshold and the last sample value was less than the threshold After a rising event has been generated another such event will not be generated until the sampled...

Page 412: ...Sets the low power threshold for an alarm message low warning Sets the low power threshold for a warning message threshold value The power threshold of the received signal Range 4000 820 in units of...

Page 413: ...re threshold for a warning message low alarm Sets the low temperature threshold for an alarm message low warning Sets the low temperature threshold for a warning message threshold value The threshold...

Page 414: ...alarm Sets the low power threshold for an alarm message low warning Sets the low power threshold for a warning message threshold value The power threshold of the transmitted signal Range 4000 820 in u...

Page 415: ...reshold for a warning message low alarm Sets the low voltage threshold for an alarm message low warning Sets the low voltage threshold for a warning message threshold value The threshold of the transc...

Page 416: ...ing Shows all SFP interfaces Command Mode Privileged Exec Command Usage The switch can display diagnostic information for SFP modules which support the SFF 8472 Specification for Diagnostic Monitoring...

Page 417: ...rt unit Unit identifier Range 1 port Port number ECS4120 28F SFP Ports 25 2819 Other models SFP SFP Ports Default Setting Shows all SFP interfaces Command Mode Privileged Exec Command Usage The switch...

Page 418: ...ble diagnostics This command performs cable diagnostics on the specified port to diagnose any cable faults short open etc and report the cable length Syntax test cable diagnostics interface interface...

Page 419: ...outine did not complete successfully Ports must have auto negotiation enabled Ports are linked down while running cable diagnostics This cable test is only accurate for Ethernet cables 7 100 meters lo...

Page 420: ...ostics test Syntax show cable diagnostics interface interface interface ethernet unit port unit Unit identifier Range 1 port Port number ECS4120 28F 28F I 21 24 Other models 1 24 48 Command Mode Privi...

Page 421: ...op back test Syntax show loop internal interface interface interface ethernet unit port unit Stack unit Range 1 port Port number Range 1 28 52 Command Mode Privileged Exec Example Console show loop in...

Page 422: ...itter and most of the receive circuitry entering Sleep Mode In this mode the low power energy detection circuit continuously checks for energy on the cable If none is detected the MAC interface is als...

Page 423: ...power savings Syntax show power save interface interface interface ethernet unit port unit Unit identifier Range 1 port Port number ECS4120 28F 28F I 21 24 Other models 1 24 48 Command Mode Privilege...

Page 424: ...Chapter 11 Interface Commands Power Savings 424...

Page 425: ...rface port channel Configures a trunk and enters interface configuration mode for the trunk GC port channel load balance Sets the load distribution method among ports in aggregated links GC channel gr...

Page 426: ...ports in a trunk have to be treated as a whole when moved from to added or deleted from a VLAN via the specified port channel STP VLAN and IGMP settings can only be made for the entire trunk via the s...

Page 427: ...nd dynamic trunks on the switch To ensure that the switch traffic load is distributed evenly across all links in a trunk select the source and destination addresses used in the load balance calculatio...

Page 428: ...eived from many different hosts src mac All traffic with the same source MAC address is output on the same link in a trunk This mode works best for switch to switch trunk links where traffic through t...

Page 429: ...orm to disable it Syntax no lacp Default Setting Disabled Command Mode Interface Configuration Ethernet Command Usage The ports on both ends of an LACP trunk must be configured for full duplex either...

Page 430: ...143 packets second Unknown Unicast Storm Disabled Unknown Unicast Storm Limit 262143 packets second Flow Control Disabled VLAN Trunking Disabled MAC Learning Enabled Link up down Trap Enabled MTU 1518...

Page 431: ...in use on that side Configuring LACP settings for the partner only applies to its administrative state not its operational state Note Configuring the partner admin key does not affect remote or local...

Page 432: ...P operational settings are already in use on that side Configuring LACP settings for the partner only applies to its administrative state not its operational state and will only take effect the next t...

Page 433: ...x lacp admin key key no lacp admin key key The port channel admin key is used to identify a specific link aggregation group LAG during local LACP setup on this switch Range 0 65535 Default Setting 0 C...

Page 434: ...nsmitted LACPDUs When the partner switch receives an LACPDU set with a short timeout from the actor switch the partner adjusts the transmit LACPDU interval to 1 second When it receives an LACPDU set w...

Page 435: ...Us Sent 12 LACPDUs Received 6 Marker Sent 0 Marker Received 0 LACPDUs Unknown Pkts 0 LACPDUs Illegal Pkts 0 Table 78 show lacp counters display description Field Description LACPDUs Sent Number of val...

Page 436: ...achine is in the expired state Defaulted The actor s receive machine is using defaulted operational partner information administratively configured for the partner Distributing If false distribution o...

Page 437: ...F1 D4 73 A0 10 32768 00 30 F1 D4 73 A0 11 32768 00 30 F1 D4 73 A0 12 32768 00 30 F1 D4 73 A0 Table 80 show lacp neighbors display description Field Description Partner Admin System ID LAG partner s s...

Page 438: ...Console show port channel load balance Trunk Load Balance Mode Destination IP address Console Table 81 show lacp sysid display description Field Description Channel group A link aggregation group con...

Page 439: ...e the power available to all switch ports Use the no form to restore the default setting Syntax power mainpower maximum allocation milliwatts milliwatts The power budget for the switch Range 37000 370...

Page 440: ...cted to the specified port and turn power on or off accordingly Use the no form to turn off power for a port or the no form with the time range keyword to remove the time range settings Syntax power i...

Page 441: ...Configuration ECS4120 28P Ethernet ports 1 24 Command Usage The total PoE power delivered by all ports cannot exceed the maximum power budget of 370W All the RJ 45 ports support both the IEEE 802 3af...

Page 442: ...s budget is not supplied power If a device is connected to a critical or high priority port that would cause the switch to exceed its power budget as determined during bootup power is provided to the...

Page 443: ...thernet 1 1 Console config if power inline time range rd Console config if Related Commands time range 168 show power inline status This command displays the current power status for all ports or for...

Page 444: ...range name Name of the time range Range 1 30 characters interface ethernet unit Unit identifier Range 1 port Port number Range 1 24 48 Command Mode Privileged Exec Example Console show power inline ti...

Page 445: ...0 Watts System Operation Status On PoE Power Consumption 7 3 Watts Software Version Version 1 6 0 7 Console Table 85 show power mainpower display description Field Description PoE Maximum Available Po...

Page 446: ...Chapter 13 Power over Ethernet Commands 446...

Page 447: ...t monitor interface rx tx both no port monitor interface interface ethernet unit port source port unit Unit identifier Range 1 port Port number Range 1 28 rx Mirror received packets tx Mirror transmit...

Page 448: ...an Ethernet interface with the interface configuration command and then use the port monitor command to specify the source of the traffic to mirror Note that the destination port cannot be a trunk or...

Page 449: ...igured from port 6 to port 5 Console config interface ethernet 1 5 Console config if port monitor ethernet 1 6 Console config if end Console show port monitor Port Mirroring Destination Port listen po...

Page 450: ...c and dynamic trunks are not allowed A port can only be configured as one type of RSPAN interface source destination or uplink Also note that the source port and destination port cannot be configured...

Page 451: ...y cannot be enabled on that port rspan source Use this command to specify the source port and traffic type to be mirrored remotely Use the no form to disable RSPAN on the specified port or with a traf...

Page 452: ...ession session id destination interface interface tagged untagged no rspan session session id destination interface interface session id A number identifying this RSPAN session Range 1 interface ether...

Page 453: ...LAN Syntax no rspan session session id remote vlan vlan id source intermediate destination uplink interface session id A number identifying this RSPAN session Range 1 vlan id ID of configured RSPAN VL...

Page 454: ...members to an RSPAN VLAN Also note that the show vlan command will not display any members for an RSPAN VLAN but will only show configured RSPAN VLAN identifiers Example The following example enables...

Page 455: ...sion id session id A number identifying this RSPAN session Range 1 Command Mode Privileged Exec Example Console show rspan session RSPAN Session ID 1 Source Ports mirrored ports None RX Only None TX O...

Page 456: ...Chapter 14 Port Mirroring Commands RSPAN Mirroring Commands 456...

Page 457: ...o limit traffic into or out of the network Packets that exceed the acceptable amount of traffic are dropped Rate limiting can be applied to individual ports or trunks When an interface is configured w...

Page 458: ...fied interface rate Maximum value in Kbps Range 64 1000000 Kbits per second for 1G Ethernet ports 64 10000000 Kbits per second for 10G Ethernet ports Default Setting Disabled Command Mode Interface Co...

Page 459: ...ting Syntax switchport broadcast multicast unknown unicast packet rate rate no switchport broadcast multicast unknown unicast broadcast Specifies storm control for broadcast traffic multicast Specifie...

Page 460: ...e Example The following shows how to configure broadcast storm control at 600 kilobits per second Console config interface ethernet 1 5 Console config if switchport broadcast packet rate 600 Console c...

Page 461: ...shold after a storm control response has been triggered and the release timer expires IC Port snmp server enable port traps atc multicast alarm clear Sends a trap when multicast traffic falls beneath...

Page 462: ...eshold after the release timer expires traffic control for rate limiting will be stopped and a Traffic Control Release Trap sent and logged Note that if the control action has shut down a port it can...

Page 463: ...be applied to a port Enabling automatic storm control on a port will disable hardware level storm control on that port Threshold Commands auto traffic control apply timer This command sets the time a...

Page 464: ...st multicast release timer seconds no auto traffic control broadcast multicast release timer broadcast Specifies automatic storm control for broadcast traffic multicast Specifies automatic storm contr...

Page 465: ...packet rate command However only one of these control types can be applied to a port Enabling automatic storm control on a port will disable hardware level storm control on that port Example This exam...

Page 466: ...e enabled by automatic traffic control It can only be manually re enabled using the auto traffic control control release command Example This example sets the control response for broadcast traffic on...

Page 467: ...d Example This example sets the clear threshold for automatic storm control for broadcast traffic on port 1 Console config interface ethernet 1 1 Console config if auto traffic control broadcast alarm...

Page 468: ...automatically releases a control response of rate limiting after the time specified in the auto traffic control release timer command has expired Syntax auto traffic control broadcast multicast auto...

Page 469: ...ivileged Exec Command Usage This command can be used to manually stop a control response of rate limiting or port shutdown any time after the specified action has been triggered Example Console config...

Page 470: ...ap Syntax no snmp server enable port traps atc broadcast alarm fire Default Setting Disabled Command Mode Interface Configuration Ethernet Example Console config interface ethernet 1 1 Console config...

Page 471: ...to disable this trap Syntax no snmp server enable port traps atc broadcast control release Default Setting Disabled Command Mode Interface Configuration Ethernet Example Console config interface ethe...

Page 472: ...form to disable this trap Syntax no snmp server enable port traps atc multicast alarm fire Default Setting Disabled Command Mode Interface Configuration Ethernet Example Console config interface ether...

Page 473: ...e release timer expires Use the no form to disable this trap Syntax no snmp server enable port traps atc multicast control release Default Setting Disabled Command Mode Interface Configuration Etherne...

Page 474: ...ace interface ethernet unit port unit Unit identifier Range 1 port Port number Range 1 28 52 Command Mode Privileged Exec Example Console show auto traffic control interface ethernet 1 1 Eth 1 1 Infor...

Page 475: ...detected on an interface or when a interface is released from a shutdown state caused by a loopback event a trap message is sent and the event recorded in the system log Loopback detection must be ena...

Page 476: ...the spanning tree protocol on port 1 and then enables general loopback detection for that port Console config loopback detection Console config interface ethernet 1 1 Console config if no spanning tr...

Page 477: ...anged any ports placed in shutdown state by the loopback detection process will be immediately restored to operation regardless of the remaining recover time Example This example sets the loopback det...

Page 478: ...se the no form to restore the default setting Syntax loopback detection transmit interval seconds no loopback detection transmit interval seconds The transmission interval for loopback detection contr...

Page 479: ...Console config loopback detection trap both Console config loopback detection release This command releases all interfaces currently shut down by the loopback detection feature Syntax loopback detecti...

Page 480: ...s Enabled Transmit Interval 10 Recover Time 60 Action Shutdown Trap None Loopback Detection Port Information Port Admin State Oper State Eth 1 1 Enabled Normal Eth 1 2 Disabled Disabled Eth 1 3 Disabl...

Page 481: ...interval detection interval The amount of time the switch remains in detection state after discovering a neighbor through UDLD Range 5 255 seconds Default Setting 5 seconds Command Mode Global Config...

Page 482: ...messages after linkup or detection phases Range 7 90 seconds Default Setting 15 seconds Command Mode Global Configuration Command Usage During the detection phase messages are exchanged at the maximum...

Page 483: ...e config udld recovery Console config udld recovery interval This command specifies the period after which to automatically recover from UDLD disabled port state Use the no form to restore the default...

Page 484: ...connectivity UDLD follows a conservative approach to minimize false positives during the detection process and deems a port to be in undetermined state In other words normal mode will shut down a port...

Page 485: ...ompt corrective action to be taken Whenever a UDLD device learns about a new neighbor or receives a resynchronization request from an out of synch neighbor it re starts the detection process on its si...

Page 486: ...1 Disabled Normal Disabled 7 s Unknown 5 s Eth 1 2 Disabled Normal Disabled 7 s Unknown 5 s Eth 1 3 Disabled Normal Disabled 7 s Unknown 5 s Eth 1 4 Disabled Normal Disabled 7 s Unknown 5 s Eth 1 5 D...

Page 487: ...Multiple neighbors Port State Shows the UDLD port state Unknown Bidirectional Unidirectional Transmit to receive loop Mismatch with neighbor state reported Neighbor s echo is empty The state is Unkno...

Page 488: ...Chapter 17 UniDirectional Link Detection Commands 488...

Page 489: ...guration Command Usage The aging time is used to age out dynamically learned forwarding information Example Console config mac address table aging time 100 Console config Table 96 Address Table Comman...

Page 490: ...switch is reset permanent Assignment is permanent Default Setting No static addresses are defined The default mode is permanent Command Mode Global Configuration Command Usage The static address for a...

Page 491: ...address table dynamic Console show mac address table This command shows classes of entries in the bridge forwarding database Syntax show mac address table address mac address mask interface interface...

Page 492: ...to match a bit and 1 means to ignore a bit For example a mask of 00 00 00 00 00 00 means an exact match and a mask of FF FF FF FF FF FF means any The maximum number of address entries is 16K Example C...

Page 493: ...ce Syntax show mac address table count interface interface interface ethernet unit port unit Unit identifier Range 1 port Port number Range 1 28 52 port channel channel id Range 1 26 Default Setting N...

Page 494: ...Chapter 18 Address Table Commands 494...

Page 495: ...to all other ports in the same VLAN when global spanning tree is disabled GC spanning tree transmission limit Configures the transmission limit for RSTP MSTP GC max hops Configures the maximum number...

Page 496: ...ing tree mst cost Configures the path cost of an instance in the MST IC spanning tree mst port priority Configures the priority of an instance in the MST IC spanning tree port bpdu flooding Floods BPD...

Page 497: ...0 seconds The minimum value is the higher of 4 or max age 2 1 Default Setting 15 seconds Command Mode Global Configuration Command Usage This command sets the maximum time in seconds a port will wait...

Page 498: ...nterval in seconds at which the root device transmits a configuration message Example Console config spanning tree hello time 5 Console config Related Commands spanning tree forward time 497 spanning...

Page 499: ...ee hello time 498 spanning tree mode This command selects the spanning tree mode for this switch Use the no form to restore the default Syntax spanning tree mode stp rstp mstp no spanning tree mode st...

Page 500: ...participate in a specific set of spanning tree instances A spanning tree instance can exist only on bridges that have compatible VLAN instance assignments Be careful when switching between spanning t...

Page 501: ...ng Console config spanning tree priority This command configures the spanning tree priority globally for this switch Use the no form to restore the default Syntax spanning tree priority priority no sp...

Page 502: ...506 max hops 503 spanning tree system bpdu flooding This command configures the system to flood BPDUs to all other ports on the switch or just to all other ports in the same VLAN when spanning tree is...

Page 503: ...no form to restore the default Syntax spanning tree transmission limit count no spanning tree transmission limit count The transmission limit in seconds Range 1 10 Default Setting 3 Command Mode Globa...

Page 504: ...instance Use the no form to restore the default Syntax mst instance id priority priority no mst instance id priority instance id Instance identifier of the spanning tree Range 0 4094 priority Priority...

Page 505: ...e pathways across the network thereby balancing the traffic load preventing wide scale disruption when a bridge node in a single instance fails and allowing for faster convergence of a new topology fo...

Page 506: ...the same region must be configured with the same MST instances Example Console config mstp name R D Console config mstp Related Commands revision 506 revision This command configures the revision numb...

Page 507: ...g time This function is designed to work in conjunction with edge ports which should only connect end stations to the switch and therefore do not need to process BPDUs However note that if a trunking...

Page 508: ...nterface Configuration Ethernet Port Channel Command Usage An edge port should only be connected to end nodes which do not generate BPDUs If a BPDU is received on an edge port this indicates an invali...

Page 509: ...Ethernet Port Channel Command Usage This command is used by the Spanning Tree Algorithm to determine the best path between devices Therefore lower values should be assigned to ports attached to faster...

Page 510: ...t cause forwarding loops they can pass directly through to the spanning tree forwarding state Specifying Edge Ports provides quicker convergence for devices such as workstations or servers retains the...

Page 511: ...two or more bridges When automatic detection is selected the switch derives the link type from the duplex mode A full duplex interface is considered a point to point link while a half duplex interfac...

Page 512: ...shutdown duration no spanning tree loopback detection action block Blocks user traffic shutdown Shuts down the interface duration The duration to shut down the interface Range 60 86400 seconds Defaul...

Page 513: ...en the port will only be returned to the forwarding state if one of the following conditions is satisfied The port receives any other BPDU except for it s own or The port s link status changes to link...

Page 514: ...terface Range 0 for auto configuration 1 65535 for short path cost method21 1 200 000 000 for long path cost method The recommended path cost range is listed in Table 98 on page 509 Default Setting By...

Page 515: ...t instance id port priority priority no spanning tree mst instance id port priority instance id Instance identifier of the spanning tree Range 0 4094 priority Priority for an interface Range 0 240 in...

Page 516: ...the receiving port s native VLAN as specified by the spanning tree system bpdu flooding command The spanning tree system bpdu flooding command has no effect if BPDU flooding is disabled on a port by...

Page 517: ...nd prevents a designated port from taking superior BPDUs into account and allowing a new STP root port to be elected Use the no form to disable this feature Syntax no spanning tree root guard Default...

Page 518: ...ee spanning disabled This command disables the spanning tree algorithm for the specified interface Use the no form to re enable the spanning tree algorithm for the specified interface Syntax no spanni...

Page 519: ...detection release This command manually releases a port placed in discarding state by loopback detection Syntax spanning tree loopback detection release interface interface ethernet unit port unit Un...

Page 520: ...wever you can also use the spanning tree protocol migration command at any time to manually re check the appropriate BPDU format to send on the selected interfaces i e RSTP or STP compatible Example C...

Page 521: ...ing Tree MST including global settings and settings for all interfaces Example Console show spanning tree Spanning Tree Mode MSTP Spanning Tree Enabled Disabled Enabled Instance 0 VLANs Configured 1 4...

Page 522: ...tion Block Root Guard Status Disabled BPDU Guard Status Disabled BPDU Guard Auto Recovery Disabled BPDU Guard Auto Recovery Interval 300 BPDU Filter Status Disabled TC Propagate Stop Disabled show spa...

Page 523: ...the CCM MEPs used to monitor the link on a ring node ERPS node id Sets the MAC address for a ring node ERPS non erps dev protect Sends non standard health check packets when in protection state ERPS...

Page 524: ...APS messages the holdoff timer command to filter out intermittent link faults and the wtr timer command to verify that the ring has stabilized before blocking the RPL after recovery from a signal fail...

Page 525: ...ERPS status information Use the show erps command to display general ERPS status information or detailed ERPS status information for a specific ring erps This command enables ERPS on the switch Use th...

Page 526: ...erps domain r d id 1 Console config erps control vlan This command specifies a dedicated VLAN used for sending and receiving ERPS protocol messages Use the no form to remove the Control VLAN Syntax no...

Page 527: ...erface ethernet 1 11 Console config if switchport allowed vlan add 2 tagged Console config if exit Console config erps domain rd1 Console config erps control vlan 2 Console config erps enable This com...

Page 528: ...Mode ERPS Configuration Command Usage The guard timer duration should be greater than the maximum expected forwarding delay for an R APS message to pass around the ring A side effect of the guard time...

Page 529: ...ff timer 300 Console config erps major domain This command specifies the ERPS ring used for sending control packets Use the no form to remove the current setting Syntax major domain name no major doma...

Page 530: ...s used to ensure that received R APS PDUs are directed for this ring A unique level should be configured for each local ring if there are many R APS PDUs passing through this switch If CFM continuity...

Page 531: ...then the MEG level set by the meg level command must match the authorized maintenance level of the CFM domain to which the specified MEP belongs To ensure complete monitoring of a ring node use the m...

Page 532: ...very operations For example a node that has one ring port in SF condition and detects that the condition has been cleared will continuously transmit R APS NR messages with its own Node ID as priority...

Page 533: ...wn in the following figure and node E detected CCM loss it would send an R APS SF message to the RPL owner and block the link to node D isolating that non ERPS device Figure 3 Non ERPS Device Protecti...

Page 534: ...the RPL is blocked as a result of ring protection reversion or until there is another higher priority request e g an SF condition in the ring A ring node that has one ring port in an SF condition and...

Page 535: ...ed the RPL Owner Node blocks its RPL port and transmits an R APS NR RB message in both directions repeatedly d Upon receiving an R APS NR RB message any blocking node should unblock its non failed rin...

Page 536: ...g node blocks the ring port attached to the RPL transmits an R APS NR RB message on both ring ports informing the ring that the RPL is blocked and flushes its FDB c The acceptance of the R APS NR RB m...

Page 537: ...ce of the R APS NR RB message causes all ring nodes to unblock any blocked non RPL that does not have an SF condition If it is an R APS NR RB message without a DNF indication all Ethernet Ring Nodes f...

Page 538: ...ion switching When the MAC addresses are cleared data traffic may flood onto the major ring The data traffic will become stable after the MAC addresses are learned again The major ring will not be bro...

Page 539: ...nnel When using a virtual channel to tunnel R APS messages between interconnection points on a sub ring the R APS virtual channel may or may not follow the same path as the traffic channel over the ne...

Page 540: ...tween some of the sub ring s ring nodes No R APS messages are inserted or extracted by other rings or sub rings at the interconnection nodes where a sub ring is attached Hence there is no need for eit...

Page 541: ...ports Alternatively the closest neighbor to the east should be the next node in the ring in a clockwise direction and the closest neighbor to the west should be the next node in the ring in a counter...

Page 542: ...is not responsible for activating the reversion behavior Only one RPL owner can be configured on a ring If the switch is set as the RPL owner for an ERPS domain the west ring port is set as one end o...

Page 543: ...his command specifies compatibility with ERPS version 1 or 2 Syntax version 1 2 1 ERPS version 1 based on ITU T G 8032 Y 1344 2 ERPS version 2 based on ITU T G 8032 Y 1344 Version 2 Default Setting 2...

Page 544: ...erify that the ring has stabilized before blocking the RPL after recovery from a signal failure Use the no form to restore the default setting Syntax wtr timer minutes minutes The wait to restore time...

Page 545: ...when the node is operating in revertive mode Syntax erps clear domain ring name ring name Name of a specific ERPS ring Range 1 12 characters Command Mode Privileged Exec Command Usage Two steps are re...

Page 546: ...issued transmits R APS messages indicating FS over both ring ports R APS FS messages are continuously transmitted by this ring node while the local FS command is the ring node s highest priority comm...

Page 547: ...ve the priorities as specified in the following table Recovery for forced switching under revertive and non revertive mode is described under the Command Usage section for the non revertive command Wh...

Page 548: ...anual switch command was issued blocks the traffic channel and R APS channel on the ring port to which the command was issued and unblocks the other ring port b If no other higher priority commands ex...

Page 549: ...ommand which receives an R APS MS message with a different Node ID clears its manual switch request and starts transmitting R APS NR messages The ring node keeps the ring port blocked due to the previ...

Page 550: ...ages Enabled Shows if the specified ring is enabled Ver Shows the ERPS version MEL The maintenance entity group MEG level providing a communication channel for ring automatic protection switching R AP...

Page 551: ...ception of traffic is blocked and the forwarding of R APS messages is blocked but the transmission of locally generated R APS messages is allowed and the reception of all R APS messages is allowed For...

Page 552: ...APS messages Propagate TC Shows if the ring is configured to propagate topology change notification messages Non ERPS Device Protect Shows if the RPL owner node is configured to send non standard heal...

Page 553: ...al Clear SF The number of times a clear command was issued to terminate protection state entered through a forced switch or manual switch SF The number of signal fault messages NR The number of no req...

Page 554: ...Chapter 20 ERPS Commands 554...

Page 555: ...s port members and MAC addresses Configuring IEEE 802 1Q Tunneling Configures 802 1Q Tunneling QinQ Tunneling Configuring L2PT Tunneling1 1 These functions are not compatible Configures Layer 2 Protoc...

Page 556: ...Usage GVRP defines a way for switches to exchange VLAN information in order to register VLAN members on ports across the network This function should be enabled to permit automatic VLAN registration...

Page 557: ...age Group Address Registration Protocol is used by GVRP and GMRP to register or deregister client attributes for client services within a bridged LAN The default values for the GARP timers are indepen...

Page 558: ...e Configuration Ethernet Port Channel Command Usage This command prevents a VLAN from being automatically added to the specified interface via GVRP If a VLAN has been added to the set of allowed VLANs...

Page 559: ...Yes VLAN Version Number 2 VLAN Learning IVL Configurable PVID Tagging Yes Local VLAN Capable No Traffic Classes Enabled Global GVRP Status Disabled Console Table 107 show bridge ext display descriptio...

Page 560: ...ging This switch allows you to override the default Port VLAN ID PVID used in frame tags and egress status VLAN Tagged or Untagged on each port Refer to the switchport allowed vlan command Local VLAN...

Page 561: ...ration interface interface ethernet unit port unit Unit identifier Range 1 port Port number Range 1 28 52 port channel channel id Range 1 26 Default Setting Shows both global and interface specific co...

Page 562: ...tings by entering the show vlan command Use the interface vlan command mode to define the port membership mode and add or remove ports from a VLAN The results of these commands are written to the runn...

Page 563: ...AN used for mirroring traffic from remote switches The VLAN used for RSPAN cannot include VLAN 1 the switch s default VLAN Nor should it include VLAN 4093 which is used for switch clustering Configuri...

Page 564: ...254 255 255 255 0 Console config if Table 109 Commands for Configuring VLAN Interfaces Command Function Mode interface vlan Enters interface configuration mode for a specified VLAN IC switchport accep...

Page 565: ...accepts all frames tagged or untagged tagged The port only receives tagged frames Default Setting All frame types Command Mode Interface Configuration Ethernet Port Channel Command Usage When set to...

Page 566: ...ove vlan list List of VLAN identifiers to remove Default Setting All ports are assigned to VLAN 1 by default The default frame type is untagged Command Mode Interface Configuration Ethernet Port Chann...

Page 567: ...Disabled Command Mode Interface Configuration Ethernet Port Channel Command Usage Ingress filtering only affects tagged frames If ingress filtering is disabled and a port receives frames tagged for VL...

Page 568: ...its tagged frames that identify the source VLAN Note that frames belonging to the port s default VLAN i e associated with the PVID are also transmitted as tagged frames Default Setting Hybrid mode wit...

Page 569: ...t to any VLAN for which it is an untagged member If acceptable frame types is set to all or switchport mode is set to hybrid the PVID will be inserted into all untagged frames entering the ingress por...

Page 570: ...nking is mutually exclusive with the access switchport mode see the switchport mode command If VLAN trunking is enabled on an interface then that interface cannot be set to access mode and vice versa...

Page 571: ...ple shows how to display information for VLAN 1 Console show vlan id 1 VLAN ID 1 Type Static Name DefaultVlan Status Active Ports Port Channels Eth1 1 S Eth1 2 S Eth1 3 S Eth1 4 S Eth1 5 S Eth1 6 S Et...

Page 572: ...ol Identifier TPID value of the tunnel access port This step is required if the attached client is using a nonstandard 2 byte ethertype to identify 802 1Q tagged frames The standard ethertype value is...

Page 573: ...is enabled be aware that a tunnel access or tunnel uplink port may be disabled if the spanning tree structure is automatically reconfigured to overcome a break in the tree It is therefore advisable t...

Page 574: ...ontrol command before the switchport dot1q tunnel mode interface command can take effect When a tunnel uplink port receives a packet from a customer the customer tag regardless of whether there are on...

Page 575: ...nsures consistent treatment of priority tagged packets across the S VLAN Example Console config interface ethernet 1 1 Console config if switchport dot1q tunnel priority map Console config if switchpo...

Page 576: ...face and service provider interfaces as uplink interfaces that is a network to network interface Use the switchport dot1q tunnel mode uplink command to set an interface to access or uplink mode When t...

Page 577: ...selective QinQ mapping entries Console config interface ethernet 1 1 Console config if switchport dot1q tunnel service 100 match cvid 10 Console config if switchport dot1q tunnel service 200 match cvi...

Page 578: ...ws the switch to interoperate with third party switches that do not use the standard 0x8100 ethertype to identify 802 1Q tagged frames For example 0x1234 is set as the custom 802 1Q ethertype on a tru...

Page 579: ...1 1 Console config if switchport dot1q tunnel mode access Console config if interface ethernet 1 2 Console config if switchport dot1q tunnel mode uplink Console config if end Console show dot1q tunnel...

Page 580: ...reates disconnected protocol domains in the customer s network L2PT can be used to pass various types of protocol packets belonging to the same customer transparently across a service provider s netwo...

Page 581: ...ess 01 80 C2 00 00 01 0A S VLAN tag it is filtered decapsulated and processed locally by the switch if the protocol is supported When a protocol packet is received on an access port i e an 802 1Q trun...

Page 582: ...ion address 01 00 0C CD CD D0 and L2PT is enabled on this port it is forwarded to other access ports in the same S VLAN for which L2PT is enabled L2PT is disabled on this port it is forwarded to the f...

Page 583: ...mmand and the interface configured to 802 1Q tunnel mode using the switchport dot1q tunnel mode command Example Console config dot1q tunnel system tunnel control Console config interface ethernet 1 1...

Page 584: ...etting Disabled Command Mode Interface Configuration Ethernet Command Usage If the next switch upstream does not support QinQ tunneling then use this command to map the customer s VLAN ID to the servi...

Page 585: ...s example configures VLAN translation for Port 1 as described in the Command Usage section above Console config vlan database Console config vlan vlan 10 media ethernet state active Console config vla...

Page 586: ...eceived at a port its VLAN membership can then be determined based on the protocol type in use by the inbound packets To configure protocol based VLANs follow these steps 1 First configure VLAN groups...

Page 587: ...ifier of this protocol group Range 1 2147483647 frame23 Frame type used by this protocol Options ethernet rfc_1042 llc_other protocol Protocol type The only option for the llc_other frame type is ipx_...

Page 588: ...other VLAN commands such as the vlan command these interfaces will admit traffic of any protocol type into the associated VLAN When MAC based IP subnet based and protocol based VLANs are supported co...

Page 589: ...This shows protocol group 1 configured for IP over Ethernet Console show protocol vlan protocol group Protocol Group ID Frame Type Protocol Type 1 ethernet 08 00 Console show interfaces protocol vlan...

Page 590: ...to the VLAN indicated in the entry If no IP subnet is matched the untagged frames are classified as belonging to the receiving port s VLAN ID PVID subnet vlan This command configures IP Subnet VLAN a...

Page 591: ...dress When MAC based IP subnet based or protocol based VLANs are supported concurrently priority is applied in this sequence and then port based VLANs last Example The following example assigns traffi...

Page 592: ...he VLAN indicated in the entry If no MAC address is matched the untagged frames are classified as belonging to the receiving port s VLAN ID PVID mac vlan This command configures MAC address to VLAN ma...

Page 593: ...riority is applied in this sequence and then port based VLANs last Example The following example assigns traffic from source MAC address 00 00 00 11 22 33 to VLAN 10 Console config mac vlan mac addres...

Page 594: ...sabled Command Mode Global Configuration Command Usage When IP telephony is deployed in an enterprise network it is recommended to isolate the Voice over IP VoIP network traffic from other data traffi...

Page 595: ...sets the Voice VLAN ID time out Use the no form to restore the default Syntax voice vlan aging minutes no voice vlan minutes Specifies the port Voice VLAN membership time out Range 5 43200 minutes De...

Page 596: ...identifies VoIP devices in the network Format xx xx xx xx xx xx or xxxxxxxxxxxx for example 01 23 45 00 00 00 mask address Identifies a range of MAC addresses Format xx xx xx xx xx xx or xxxxxxxxxxxx...

Page 597: ...VLAN when VoIP traffic is detected on the port Default Setting Disabled Command Mode Interface Configuration Command Usage When auto is selected you must select the method to use for detecting VoIP t...

Page 598: ...packet is overwritten with the new priority when the Voice VLAN feature is active for the port Example The following example sets the CoS priority to 5 on port 1 Console config interface ethernet 1 1...

Page 599: ...tchport voice vlan security This command enables security filtering for VoIP traffic on a port Use the no form to disable filtering on a port Syntax no switchport voice vlan security Default Setting D...

Page 600: ...emaining aging time will display NA Example Console show voice vlan status Global Voice VLAN Status Voice VLAN Status Enabled Voice VLAN ID 1234 Voice VLAN aging time 1440 minutes Voice VLAN Port Summ...

Page 601: ...ayer 2 Configures the queue mode queue weights and default priority for untagged frames Priority Commands Layer 3 and 4 Sets the default priority processing method CoS or DSCP maps priority tags for i...

Page 602: ...ct queue Default Setting WRR Command Mode Interface Configuration Ethernet Port Channel Command Usage The switch can be set to service the port queues based on strict priority WRR or a combination of...

Page 603: ...eight class of service CoS priority queues when using weighted queuing or one of the queuing modes that use a combination of strict and weighted queuing Use the no form to restore the default weights...

Page 604: ...rity mapping is IP DSCP and then default switchport priority The default priority applies for an untagged frame received on a port set to accept all frame types i e receives both untagged and tagged f...

Page 605: ...config if Related Commands show interfaces switchport 408 show queue mode This command shows the current queue mode Command Mode Privileged Exec Example Console show queue mode Unit Port queue mode 1...

Page 606: ...and drop precedence values for internal priority processing IC qos map ip prec dscp Maps IP Precedence values in incoming packets to per hop behavior and drop precedence values for internal priority...

Page 607: ...D of the priority queue Range 0 7 where 7 is the highest priority queue DEFAULT SETTING Command Mode Global Configuration Command Usage Enter a queue identifier followed by the keyword from and then u...

Page 608: ...meter to 0 to indicate that the MAC address information carried in the frame is in canonical format Range 0 1 DEFAULT SETTING Command Mode Interface Configuration Port Static Aggregation Command Usage...

Page 609: ...to restore the default settings Syntax qos map default drop precedence drop precedence from phb0 phb7 no map default drop precedence phb0 phb7 drop precedence Drop precedence used for controlling traf...

Page 610: ...Range 0 7 cfi value Canonical Format Indicator Set to this parameter to 0 to indicate that the MAC address information carried in the frame is in canonical format Range 0 1 phb Per hop behavior or the...

Page 611: ...tion Range 0 Green 3 Yellow 1 Red dscp DSCP value in ingress packets Range 0 63 DEFAULT SETTING Command Mode Interface Configuration Port Static Aggregation Table 125 Default Mapping of DSCP Values to...

Page 612: ...P value of 1 to a per hop behavior of 3 and a drop precedence of 1 Referring to Table 125 note that the DSCP value for these packets is now set to 25 3x23 1 and passed on to the egress interface Conso...

Page 613: ...precedence used for controlling traffic congestion Range 0 Green 3 Yellow 1 Red DEFAULT SETTING Command Mode Interface Configuration Port Static Aggregation Command Usage Enter up to eight paired valu...

Page 614: ...ingress packet type is IPv4 then priority processing will be based on the DSCP value in the ingress packet If the QoS mapping mode is set to either IP Precedence or DSCP and a non IP packet is receive...

Page 615: ...Console show qos map cos dscp interface ethernet 1 5 CoS Information of Eth 1 5 CoS DSCP map x y x phb y drop precedence CoS CFI 0 1 0 0 0 0 0 1 1 0 1 0 2 2 0 2 0 3 3 0 3 0 4 4 0 4 0 5 5 0 5 0 6 6 0 6...

Page 616: ...cedence to CoS values Syntax show qos map dscp cos interface interface interface ethernet unit port unit Stack unit Range 1 port Port number Range 1 28 52 port channel channel id Range 1 26 Command Mo...

Page 617: ...in the top row in other words ingress DSCP d1 10 d2 and the corresponding Internal DSCP and drop precedence is shown at the intersecting cell in the table Console show qos map dscp mutation interface...

Page 618: ...ss IP precedence to internal DSCP map Syntax show qos map ip prec dscp interface interface interface ethernet unit port unit Stack unit Range 1 port Port number Range 1 28 52 port channel channel id R...

Page 619: ...d Exec Example Console show qos map phb queue interface ethernet 1 5 Information of Eth 1 5 PHB queue map PHB 0 1 2 3 4 5 6 7 queue 2 0 1 3 4 5 6 7 Console show qos map trust mode This command shows t...

Page 620: ...Chapter 22 Class of Service Commands Priority Commands Layer 3 and 4 620...

Page 621: ...classified traffic based on a metered flow rate PM C police srtcm color Defines an enforcer for classified traffic based on a single rate three color meter PM C police trtcm color Defines an enforcer...

Page 622: ...or the priority bits in the IP header IP DSCP value for the matching traffic class and use one of the police commands to monitor parameters such as the average flow and burst rate and drop any traffic...

Page 623: ...fig cmap match ip dscp 3 Console config cmap Related Commands show class map 636 description This command specifies the description of a class map or policy map Syntax description string string Descri...

Page 624: ...uded in the ACL will be ignored If match criteria includes an IP ACL or IP priority rule then a VLAN rule cannot be included in the same class map If match criteria includes a MAC ACL or VLAN rule the...

Page 625: ...1 Console config cmap rename rd class 9 Console config cmap policy map This command creates a policy map that can be attached to multiple interfaces and enters Policy Map configuration mode Use the no...

Page 626: ...pon which a policy can act and enters Policy Map Class configuration mode Use the no form to delete a class map Syntax no class class map name class map name Name of the class map Range 1 32 character...

Page 627: ...new dscp violate action drop new dscp committed rate Committed information rate CIR in kilobits per second Range 0 10000000 kbps or maximum port speed whichever is lower committed burst Committed burs...

Page 628: ...efined rd class uses the set phb command to classify the service that incoming packets will receive and then uses the police flow command to limit the average bandwidth to 100 000 Kbps the burst rate...

Page 629: ...e class maps for ingress ports The srTCM as defined in RFC 2697 meters a traffic stream and processes its packets according to three traffic parameters Committed Information Rate CIR Committed Burst S...

Page 630: ...n precolored as yellow or green and if Te t B 0 the packets is yellow and Te is decremented by B down to the minimum value of 0 else the packet is red and neither Tc nor Te is decremented The metering...

Page 631: ...0 10000000 bytes conform action Action to take when rate is within the CIR and BP Packet size does not exceed BP and there are enough tokens in bucket BC to service the packet the packet is set green...

Page 632: ...s incremented by one PIR times per second up to BP and the token count Tc is incremented by one CIR times per second up to BC When a packet of size B bytes arrives at time t the following happens if t...

Page 633: ...ode Policy Map Class Configuration Command Usage The set cos command is used to set the CoS value in the VLAN tag for matching packets The set cos and set phb command function at the same level of pri...

Page 634: ...uses the set ip dscp command to classify the service that incoming packets will receive and then uses the police flow command to limit the average bandwidth to 100 000 Kbps the burst rate to 4000 byt...

Page 635: ...uses the police flow command to limit the average bandwidth to 100 000 Kbps the burst rate to 4000 bytes and configure the response to drop any violating packets Console config policy map rd policy C...

Page 636: ...ass map Range 1 32 characters Default Setting Displays all class maps Command Mode Privileged Exec Example Console show class map Class Map match any rd class 1 Description Match IP DSCP 10 Match acce...

Page 637: ...licy map rd policy class rd class Policy Map rd policy class rd class set phb 3 Console show policy map interface This command displays the service policy assigned to the specified interface Syntax sh...

Page 638: ...Chapter 23 Quality of Service Commands 638...

Page 639: ...ing Configures static multicast router ports which forward all inbound multicast traffic to the attached VLANs IGMP Filtering and Throttling Configures IGMP filtering and throttling MLD Snooping Confi...

Page 640: ...leave packet is received at that port and immediate leave is enabled for the parent VLAN GC ip igmp snooping vlan last memb query count Configures thenumberofIGMPproxyquerymessagesthat are sent out b...

Page 641: ...disabled globally snooping can still be configured per VLAN interface but the interface settings will not take effect until snooping is re enabled globally Example The following example enables IGMP...

Page 642: ...icast traffic such as a video conference or to set a low priority for normal multicast traffic not sensitive to latency Example Console config ip igmp snooping priority 6 Console config Related Comman...

Page 643: ...m this device If the IGMP proxy reporting is configured on a VLAN this setting takes precedence over the global configuration Example Console config ip igmp snooping proxy reporting Console config ip...

Page 644: ...th a large source list and the Maximum Response Time set to a large value To protect against this kind of attack 1 routers should not forward queries This is easier to accomplish if the query carries...

Page 645: ...time until the topology has stabilized and the new locations of all multicast receivers are learned If a topology change notification TCN is received and all the uplink ports are subsequently deleted...

Page 646: ...Command Usage When the root bridge in a spanning tree receives a topology change notification for a VLAN where IGMP snooping is enabled it issues a global IGMP leave message query solicitation When a...

Page 647: ...is flooded throughout the VLAN Example Console config ip igmp snooping unregistered data flood Console config ip igmp snooping unsolicited report interval This command specifies how often the upstrea...

Page 648: ...ult Setting Global IGMP Version 2 VLAN Not configured based on global setting Command Mode Global Configuration Command Usage This command configures the IGMP report query version used by IGMP snoopin...

Page 649: ...usive is disabled on a VLAN then this setting is based on the global setting If it is enabled on a VLAN then this setting takes precedence over the global setting When this function is disabled the cu...

Page 650: ...group Default Setting Disabled Command Mode Global Configuration Command Usage If immediate leave is not used a multicast router or querier will send a group specific query message when an IGMPv2 v3...

Page 651: ...re the system assumes there are no more local members Use the no form to restore the default Syntax ip igmp snooping vlan vlan id last memb query count count no ip igmp snooping vlan vlan id last memb...

Page 652: ...ed by the switch it checks to see if this host is the last to leave the group by sending out an IGMP group specific or group and source specific query message and starts a timer If no reports are rece...

Page 653: ...timer as a part of a router s start up procedure during the restart of a multicast forwarding interface and on receipt of a solicitation message When the multicast services provided to a VLAN is relat...

Page 654: ...s Used for Proxy Reporting When IGMP Proxy Reporting is disabled the switch will use a null IP address for the source of IGMP query and report messages unless a proxy query address has been set When I...

Page 655: ...downstream hosts all receivers build an IGMP report for the multicast groups they have joined This command applies when the switch is serving as the querier page 643 or as a proxy host when IGMP snoo...

Page 656: ...static ip address interface vlan id VLAN ID Range 1 4094 ip address IP address for multicast group interface ethernet unit port unit Unit identifier Range 1 port Port number Range 1 28 52 port channe...

Page 657: ...le clear ip igmp snooping groups dynamic Console clear ip igmp snooping statistics This command clears IGMP snooping statistics Syntax clear ip igmp snooping statistics interface interface interface e...

Page 658: ...lood Disabled 802 1p Forwarding Priority Disabled Unsolicited Report Interval 400 s Version Exclusive Disabled Version 2 Proxy Reporting Disabled Querier Disabled VLAN 1 IGMP Snooping Enabled IGMP Sno...

Page 659: ...ugh IGMP snooping sort by port Display entries sorted by port user Display only the user configured multicast entries vlan id VLAN ID 1 4094 Default Setting None Command Mode Privileged Exec Command U...

Page 660: ...e following shows the ports in VLAN 1 which are attached to multicast routers Console show ip igmp snooping mrouter vlan 1 VLAN M cast Router Port Type Expire 1 Eth 1 4 Dynamic 0 4 28 1 Eth 1 10 Stati...

Page 661: ...P membership reports received on this interface Leave The number of leave messages received on this interface G Query The number of general query messages received on this interface G S S Query The nu...

Page 662: ...n Other Querier IP address of remote querier on this interface Other Querier Expire Time after which remote querier is assumed to have expired Other Querier Uptime Time remote querier has been up Self...

Page 663: ...ed Command Mode Global Configuration Command Usage Depending on your network connections IGMP snooping may not always be able to locate the IGMP querier Therefore if the IGMP querier is a known multic...

Page 664: ...oups a port can join Table 134 IGMP Filtering and Throttling Commands Command Function Mode ip igmp filter Enables IGMP filtering and throttling on the switch GC ip igmp profile Sets a profile number...

Page 665: ...ed IGMP join reports received on the port are checked against the filter profile If a requested multicast group is permitted the IGMP join report is forwarded as normal If a requested multicast group...

Page 666: ...many interfaces but only one profile can be assigned to one interface Each profile has only one access mode either permit or deny Example Console config ip igmp profile 19 Console config igmp profile...

Page 667: ...tting None Command Mode IGMP Profile Configuration Command Usage Enter this command multiple times to specify more than one multicast address or address range for a profile Example Console config ip i...

Page 668: ...rejoins the same group the join report needs to again be authenticated When receiving an IGMP v3 report message the switch will send the access request to the RADIUS server only when the record type...

Page 669: ...IGMP filter profile number Range 1 4294967295 Default Setting None Command Mode Interface Configuration Command Usage The IGMP filtering profile must first be created with the ip igmp profile command...

Page 670: ...ne of two actions either deny or replace see the ip igmp max groups action command If the action is set to deny any new IGMP join reports will be dropped If the action is set to replace the switch ran...

Page 671: ...on replace Console config if ip igmp query drop This command drops any received IGMP query packets Use the no form to restore the default setting Syntax no ip igmp query drop Default Setting Disabled...

Page 672: ...igmp authentication This command displays the interface settings for IGMP authentication Syntax show ip igmp authentication interface interface interface ethernet unit port unit Unit identifier Range...

Page 673: ...mand Mode Privileged Exec Example Console show ip igmp filter IGMP filter enabled Console show ip igmp filter interface ethernet 1 1 Ethernet 1 1 information IGMP Profile 19 Deny Range 239 1 1 1 239 1...

Page 674: ...identifier Range 1 port Port number Range 1 28 52 port channel channel id Range 1 26 Default Setting None Command Mode Privileged Exec Command Usage Using this command without specifying an interface...

Page 675: ...urrent Multicast Groups 0 Console show ip multicast data drop This command shows if the specified interface is configured to drop multicast data packets Syntax show ip igmp throttle interface interfac...

Page 676: ...or MLD snooping GC ipv6 mld snooping query interval Configures the interval between sending MLD general query messages GC ipv6 mld snooping query max response time Configures the maximum response time...

Page 677: ...rm to disable this feature Syntax no ipv6 mld snooping querier Default Setting Disabled Command Mode Global Configuration clear ipv6 mld snooping statistics Clears MLD snooping statistics PE show ipv6...

Page 678: ...ng querier Console config ipv6 mld snooping query interval This command configures the interval between sending MLD general queries Use the no form to restore the default Syntax ipv6 mld snooping quer...

Page 679: ...tes the group if it is the last member Example Console config ipv6 mld snooping query max response time seconds 15 Console config ipv6 mld snooping proxy reporting This command enables IGMP Snooping w...

Page 680: ...will be removed from the receiver list for a multicast service when no MLD reports are detected in response to a number of MLD queries The robustness variable sets the number of queries on ports for w...

Page 681: ...x ipv6 mld snooping unknown multicast mode flood to router port no ipv6 mld snooping unknown multicast mode flood Floods the unknown multicast data packets to all ports to router port Forwards the unk...

Page 682: ...conds Default Setting 400 seconds Command Mode Global Configuration Command Usage When a new upstream interface that is uplink port starts up the switch sends unsolicited reports for all currently lea...

Page 683: ...message when an MLD group leave message is received The router querier stops forwarding traffic for that group only if no host replies to the query within the specified timeout period If MLD immediat...

Page 684: ...t or trunk on the switch you can manually configure that interface to join all the current multicast groups Example The following shows how to configure port 1 as a multicast router port within VLAN 1...

Page 685: ...mic Command Mode Privileged Exec Command Usage This command only clears entries learned though MLD snooping Statically configured multicast address are not cleared Example Console clear ipv6 mld snoop...

Page 686: ...guration settings Example The following shows MLD Snooping configuration information Console show ipv6 mld snooping Service Status Disabled Querier Status Disabled Robustness 2 Query Interval 125 sec...

Page 687: ...x show ipv6 mld snooping group source list ipv6 address vlan vlan id ipv6 address An IPv6 address of a multicast group Format X X X X X vlan id VLAN ID 1 4094 Command Mode Privileged Exec Example The...

Page 688: ...Port Type Expire 1 Eth 1 2 Static Console show ipv6 mld snooping statistics This command shows MLD snooping protocol statistics for the specified interface Syntax show ipv6 mld snooping statistics in...

Page 689: ...ng Commands Command Function Mode ipv6 mld filter Enables MLD filtering and throttling on the switch GC ipv6 mld profile Sets a profile number and enters MLD filter profile configuration mode GC permi...

Page 690: ...ed on the port are checked against the filter profile If a requested multicast group is permitted the MLD join report is forwarded as normal If a requested multicast group is denied the MLD join repor...

Page 691: ...ommands show ipv6 mld profile permit deny This command sets the access mode for an MLD filter profile Use the no form to delete a profile number Syntax permit deny Default Setting deny Command Mode ML...

Page 692: ...s command multiple times to specify more than one multicast address or address range for a profile Example Console config mld profile range ff01 0101 ff01 0202 Console config mld profile ipv6 mld filt...

Page 693: ...e MLD throttling sets a maximum number of multicast groups that a port can join at the same time When the maximum number of groups is reached on a port the switch can take one of two actions either de...

Page 694: ...action is set to deny any new MLD join reports will be dropped If the action is set to replace the switch randomly removes an existing group and replaces it with the new multicast group Example Consol...

Page 695: ...op Default Setting Disabled Command Mode Interface Configuration Ethernet Port Channel Example Console config interface ethernet 1 3 Console config if ipv6 multicast data drop Console config if show i...

Page 696: ...rofile number Range 1 4294967295 Default Setting None Command Mode Privileged Exec Example Console show ipv6 mld profile MLD Profile 19 MLD Profile 50 Console show ipv6 mld profile 19 MLD Profile 19 D...

Page 697: ...d displays the interface settings for MLD throttling Syntax show ipv6 mld throttle interface interface interface ethernet unit port unit Unit identifier Range 1 port Port number Range 1 28 52 port cha...

Page 698: ...up addresses to a profile GC mvr proxy query interval Configures theintervalatwhichthereceiverportsendsout general queries GC mvr proxy switching Enables MVR proxy switching where the source port acts...

Page 699: ...fied in a profile to an MVR domain Use the no form of this command to remove the binding Syntax no mvr domain domain id associated profile profile name domain id An independent multicast domain Range...

Page 700: ...r a specific domain Use the no form of this command to disable MVR for a domain Syntax no mvr domain domain id domain id An independent multicast domain Range 1 5 Default Setting Disabled Command Mode...

Page 701: ...icast traffic such as a video conference or to set a low priority for normal multicast traffic not sensitive to latency Example Console config mvr priority 6 Console config Related Commands show mvr m...

Page 702: ...excess of this limitation will be flooded to all ports in the associated domain Example The following example maps a range of MVR group addresses to a profile Console config mvr profile rd 228 1 23 1...

Page 703: ...the MVR VLAN Range 0 6 where 6 is the highest priority Default Setting Disabled Command Mode Global Configuration Command Usage This command can be used to set a high priority for low latency multicas...

Page 704: ...hen the source port receives report and leave messages it only forwards them to other source ports When receiver ports receive any query messages they are dropped When changes occurring in the downstr...

Page 705: ...of times group specific queries are sent to downstream receiver ports This command only takes effect when MVR proxy switching is enabled Example Console config mvr robustness value 5 Console config Re...

Page 706: ...ified in a profile and bound to a domain Example Console config mvr source port mode dynamic Console config mvr upstream source ip This command configures the source IP address assigned to all MVR con...

Page 707: ...d Range 1 4094 Default Setting VLAN 1 Command Mode Global Configuration Command Usage This command specifies the VLAN through which MVR multicast data is received This is the VLAN to which all source...

Page 708: ...er port and waiting for a response to determine if there are any remaining subscribers for that multicast group before removing the port from the group list If the by host ip option is used the router...

Page 709: ...red as a member of the MVR VLAN IGMP snooping can also be used to allow a receiver port to dynamically join or leave multicast groups not sourced through the MVR VLAN Also note that VLAN membership fo...

Page 710: ...255 255 255 Default Setting No receiver port is a member of any configured multicast group Command Mode Interface Configuration Ethernet Port Channel Command Usage Multicast groups can be statically...

Page 711: ...learned though MVR Statically configured multicast address are not cleared Example Console clear mvr groups dynamic Console clear mvr statistics This command clears MVR statistics Syntax clear mvr st...

Page 712: ...ast VLAN 1 MVR Current Learned Groups 10 MVR Upstream Source IP 192 168 0 3 Table 139 show mvr display description Field Description MVR 802 1p Forwarding Priority Priority assigned to multicast traff...

Page 713: ...r End IP Addr rd 228 1 23 1 228 1 23 10 testing 228 2 23 1 228 2 23 10 Console show mvr interface This command shows MVR configuration settings for interfaces attached to the MVR VLAN Syntax show mvr...

Page 714: ...ch port Syntax show mvr domain domain id members ip address host ip address interface igmp sort by port interface unknown user domain id An independent multicast domain Range 1 5 ip address IPv4 addre...

Page 715: ...ulticast forwarding entries currently active in domain 1 Console show mvr domain 1 members MVR Domain 1 MVR Forwarding Entry Count 1 Flag S Source port R Receiver port H Host counts number of hosts jo...

Page 716: ...statistics This command shows MVR protocol related statistics for the specified interface Syntax show mvr domain domain id statistics input interface interface output interface interface query summary...

Page 717: ...ucc Group Eth 1 1 23 11 4 10 5 20 9 Eth 1 2 12 15 8 3 5 19 4 VLAN 1 2 0 0 2 2 20 9 Console Table 142 show mvr statistics input display description Field Description Interface Shows interfaces attached...

Page 718: ...General Query Received 0 General Query Sent 8 Specific Query Received 0 Specific Query Sent 3 Warn Rate Limit 0 sec V1 Warning Count 0 V2 Warning Count 0 V3 Warning Count 0 Console Table 143 show mvr...

Page 719: ...Self Querier This querier s IP address Self Querier Expire This querier s expire time Self Querier Uptime This querier s time up General Query Received The number of general queries received on this...

Page 720: ...op 0 V3 Warning Count 0 Source Port Drop 0 Others Drop 0 Console Received General Number of general queries received Group Specific Number of group specific queries received V Warning Count Number of...

Page 721: ...General Number of general queries received Group Specific Number of group specific queries received V Warning Count Number of queries received on MVR that were configured by IGMP version 1 2 or 3 Rep...

Page 722: ...iver port sends out general queries GC mvr6 proxy switching Enables MVR proxy switching where the source port acts as a host and the receiver port acts as an MVR router with querier service enabled GC...

Page 723: ...p range an MRV6 profile can only be associated with one MVR6 domain Example The following an MVR6 group address profile to domain 1 Console config mvr6 domain 1 associated profile rd Console config mv...

Page 724: ...command assigns a priority to all multicast traffic in the MVR6 VLAN Use the no form of this command to restore the default setting Syntax mvr6 priority priority no mvr6 priority priority The CoS pri...

Page 725: ...onfigure all multicast group addresses that will join the MVR6 VLAN Any multicast data associated with an MVR6 group is sent from all source ports and to all receiver ports that have registered to rec...

Page 726: ...hen proxy switching is enabled with the mvr6 proxy switching command Example This example sets the proxy query interval for MVR6 Console config mvr6 proxy query interval 100 Console config mvr6 proxy...

Page 727: ...is created and sent to the upstream source port which in turn forwards this information upstream When MVR6 proxy switching is disabled Any membership reports received from receiver source ports are f...

Page 728: ...mvr6 source port mode dynamic Default Setting Forwards all multicast streams which have been specified in a profile and bound to a domain Command Mode Global Configuration Command Usage By default th...

Page 729: ...ddress The source IPv6 address assigned to all MVR6 control packets sent upstream This parameter must be a full IPv6 address including the network prefix and host address bits Default Setting All MVR6...

Page 730: ...mmand Usage MVR6 source ports can be configured as members of the MVR6 VLAN using the switchport allowed vlan command and switchport native vlan command but MVR6 receiver ports should not be staticall...

Page 731: ...nables immediate leave on a receiver port Console config interface ethernet 1 5 Console config if mvr6 domain 1 immediate leave Console config if mvr6 type This command configures an interface as an M...

Page 732: ...port in another domain Example The following configures one source port and several receiver ports on the switch Console config interface ethernet 1 5 Console config if mvr6 domain 1 type source Cons...

Page 733: ...thernet 1 1 LLDP Remote Devices Information Detail Index 1 Chassis Type MAC Address Chassis ID 00 E0 0C 10 90 00 Port ID Type MAC Address Port ID 00 E0 0C 10 90 04 Time To Live 120 seconds Console sho...

Page 734: ...hosts join the group on this port P Port counts number of forwarding ports Up time Group elapsed time d h m s Expire Group remaining time m s Group Address VLAN Port Up time Expire Count ff01 8 0 0 P...

Page 735: ...he interface option will only clear MVR6 statistics for the specified interface Example Console clear mvr6 statistics Console show mvr6 This command shows information about MVR6 domain settings includ...

Page 736: ...ch the receiver port sends out general queries MVR6 Source Port Mode Shows if the switch only forwards multicast streams which the source port has dynamically joined or always forwards multicast strea...

Page 737: ...Example The following displays information about the interfaces attached to the MVR6 VLAN in domain 1 Console show mvr6 domain 1 interface MVR6 Domain 1 Port Type Status Immediate Leave Static Group...

Page 738: ...hows information about the number of multicast forwarding entries currently active in domain 1 Console show mvr6 domain 1 members MVR6 Domain 1 MVR6 Forwarding Entry Count 1 Flag S Source port R Recei...

Page 739: ...f00 1 2 00 00 03 18 2 P 2 Eth1 2 S 1 Eth1 4 R 0 H Console show mvr6 profile This command shows all configured MVR6 profiles Command Mode Privileged Exec Example The following shows all configured MVR...

Page 740: ...id VLAN ID Range 1 4094 query Displays MVR query related statistics summary Displays MVR summary information mvr vlan Displays summary statistics for the MVR VLAN Default Setting Displays statistics f...

Page 741: ...umber of general query messages received on this interface G S S Query The number of group specific or group and source specific query messages received on this interface Drop The number of times a re...

Page 742: ...independent multicast domain Number of Groups Number of groups learned on this port Querier Transmit General Number of general queries transmitted Group Specific Number of group specific queries trans...

Page 743: ...cs summary interface mvr vlan description Field Description Domain An independent multicast domain Number of Groups Number of groups learned on this port Querier Other Addr Other IGMP querier s IP add...

Page 744: ...ports received Leave Number of leaves received Join Success Number of join reports processed successfully Filter Drop Number of report leave messages dropped by IGMP filter Source Port Drop Number of...

Page 745: ...Function Mode lldp Enables LLDP globally on the switch GC lldp holdtime multiplier Configures the time to live TTL value sent in LLDP advertisements GC lldp med fast start count Configures how many m...

Page 746: ...es the transmission of SNMP trap notifications about LLDP MED changes IC lldp med tlv ext poe Configures an LLDP MED enabled port to advertise its extended Power over Ethernet configuration and usage...

Page 747: ...plier value no lldp holdtime multiplier value Calculates the TTL in seconds based on the following rule minimum of Transmission Interval Holdtime Multiplier or 65536 Range 2 10 Default Setting Holdtim...

Page 748: ...Command Usage This parameter is part of the timer which ensures that the LLDP MED Fast Start mechanism is active for the port LLDP MED Fast Start is critical to the timely startup of LLDP and therefo...

Page 749: ...the value of lldpStatsRemTableLastChangeTime to detect any lldpRemTablesChange notification events missed due to throttling or transmission loss Example Console config lldp notification interval 30 C...

Page 750: ...ciated with this port is deleted Example Console config lldp reinit delay 10 Console config lldp tx delay This command configures a delay between the successive transmission of advertisements initiate...

Page 751: ...ive LLDP PDUs tx only Only transmit LLDP PDUs tx rx Both transmit and receive LLDP Protocol Data Units PDUs Default Setting tx rx Command Mode Interface Configuration Ethernet Port Channel Example Con...

Page 752: ...a Layer 3 device an individual LLDP PDU may contain more than one management address TLV Every management address TLV that reports an address that is accessible on a port and protocol VLAN through th...

Page 753: ...r not these primary functions are enabled The information advertised by this TLV is described in IEEE 802 1AB Example Console config interface ethernet 1 1 Console config if lldp basic tlv system capa...

Page 754: ...tem name is taken from the sysName object in RFC 3418 which contains the system s administratively assigned name and is in turn based on the hostname command Example Console config interface ethernet...

Page 755: ...rtises the port based protocol VLANs configured on this interface see Configuring Protocol based VLANs on page 586 Example Console config interface ethernet 1 1 Console config if no lldp dot1 tlv prot...

Page 756: ...s been assigned See switchport allowed vlan and protocol vlan protocol group Configuring Interfaces Example Console config interface ethernet 1 1 Console config if no lldp dot1 tlv vlan name Console c...

Page 757: ...rtises MAC PHY configuration status which includes information about auto negotiation support capabilities and operational Multistation Access Unit MAU type Example Console config interface ethernet 1...

Page 758: ...ower is delivered can be controlled the port pins selected to deliver power and the power class Example Console config interface ethernet 1 1 Console config if lldp dot3 tlv poe Console config if lldp...

Page 759: ...some of the CA type numbers and provides examples Any number of CA type and value pairs can be specified for the civic address location as long as the total does not exceed 250 characters For the loca...

Page 760: ...civic addr what 2 Console config if lldp med notification This command enables the transmission of SNMP trap notifications about LLDP MED changes Use the no form to disable LLDP MED notifications Syn...

Page 761: ...ity from the switch and power state of the switch including whether the switch is operating from primary or backup power the Endpoint Device could use this information to decide to enter power conserv...

Page 762: ...This option advertises location identification details Example Console config interface ethernet 1 1 Console config if lldp med tlv location Console config if lldp med tlv med cap This command configu...

Page 763: ...diagnosis of VLAN configuration mismatches on a port Improper network policy configurations frequently result in voice quality degradation or complete service disruption Example Console config interfa...

Page 764: ...on events missed due to throttling or transmission loss Example Console config interface ethernet 1 1 Console config if lldp notification Console config if show lldp config This command shows LLDP con...

Page 765: ...stem name system description system capabilities management ip address 802 1 specific TLVs Advertised port vid vlan name proto vlan proto ident 802 3 specific TLVs Advertised mac phy poe link agg max...

Page 766: ...lities Support Bridge Router System Capabilities Enabled Bridge Router Management Address 192 168 0 3 IPv4 LLDP Local Port Information Port Port ID Type Port ID Port Description Eth 1 1 MAC Address 00...

Page 767: ...ther related fields Console show lldp info remote device LLDP Remote Devices Information Local Port Chassis ID Port ID System Name Eth 1 1 00 E0 0C 10 90 00 00 E0 0C 10 90 07 Console show lldp info re...

Page 768: ...emote link aggregation capable Yes Remote link aggregation enable No Remote link aggregation port ID 0 Remote Max Frame Size 1518 LLDP MED Capability Device Class Network Connectivity Supported Capabi...

Page 769: ...le Console show lldp info statistics LLDP Device Statistics Neighbor Entries List Last Updated 2450279 seconds New Neighbor Entries Count 1 Neighbor Entries Deleted Count 0 Neighbor Entries Dropped Co...

Page 770: ...ddress LCI Country Name TW What 2 Extended Power via MDI Power Type PSE Power Source Unknown Power Priority Unknown Power Value 0 Watts Inventory Hardware Revision R0A Firmware Revision 1 2 6 0 Softwa...

Page 771: ...Count 0 Neighbor Entries Ageout Count 0 LLDP Port Statistics Port NumFramesRecvd NumFramesSent NumFramesDiscarded Eth 1 1 822 821 0 Eth 1 2 0 0 0 Eth 1 3 0 0 0 Eth 1 4 0 0 0 Eth 1 5 849 862 0 Console...

Page 772: ...Chapter 25 LLDP Commands 772...

Page 773: ...supported through loop back messages and fault isolation through link trace messages Fault notification is also provided by SNMP alarms which are automatically generated by maintenance points when con...

Page 774: ...continuity check database PE Continuity Check Operations ethernet cfm cc ma interval Sets the transmission delay between continuity check messages GC ethernet cfm cc enable Enables transmission of con...

Page 775: ...cfm linktrace cache size Sets the maximum size for the link trace cache GC ethernet cfm linktrace Sends CFM link trace messages to the MAC address for a MEP PE clear ethernet cfm linktrace cache Clea...

Page 776: ...the interval at which continuity check messages are sent page 793 or setting the start up delay for the cross check operation page 799 You can also enable SNMP traps for events discovered by continui...

Page 777: ...3 alphanumeric characters Default Setting Disabled Command Mode Global Configuration Command Usage Each MA name must be unique within the CFM domain Frames with AIS information can be issued at the cl...

Page 778: ...le This example sets the interval for sending frames with AIS information at 60 seconds Console config ethernet cfm ais period 60 md voip ma rd Console config ethernet cfm ais suppress alarm This comm...

Page 779: ...resses sending frames with AIS information Console config ethernet cfm ais suppress alarm md voip ma rd Console config ethernet cfm domain This command defines a CFM maintenance domain sets the author...

Page 780: ...tion points that make up all possible paths between the DSAPs within an MA MIPs are automatically generated by the CFM protocol when the mip creation option in this command is set to default or explic...

Page 781: ...e 782 ethernet cfm enable This command enables CFM processing globally on the switch Use the no form to disable CFM processing globally Syntax no ethernet cfm enable Default Setting Disabled Command M...

Page 782: ...s MA on any bridge port through which the MA s VID can pass explicit MIPs can be created this MA only on bridge ports through which the MA s VID can pass and only if a maintenance end point MEP is cre...

Page 783: ...e rd vlan 1 mip creation default Console config ether cfm ma index name format This command specifies the name format for the maintenance association as IEEE 802 1ag character based or ITU T SG13 SG15...

Page 784: ...d then the MEP is facing away from the switch and transmits CFM messages towards and receives them from the direction of the physical medium Default Setting No MEPs are configured The MEP faces outwar...

Page 785: ...d on that interface When CFM is disabled hardware resources previously used for CFM processing on that interface are released and all CFM frames entering that interface are forwarded as normal data tr...

Page 786: ...s interface interface global Displays global settings including CFM global status cross check start delay and link trace parameters traps Displays the status of all continuity check and cross check tr...

Page 787: ...a remote MEP which as an expired entry in the archived database CC Mep Down Trap Sends a trap if this device loses connectivity with a remote MEP or connectivityhasbeenrestoredto aremoteMEPwhich has...

Page 788: ...on Archive Hold Time m 1 rd 0 default 100 Console show ethernet cfm ma This command displays the configured maintenance associations Syntax show ethernet cfm ma level level level Maintenance level Ran...

Page 789: ...number Range 1 28 52 port channel channel id Range 1 26 level id Maintenance level for this domain Range 0 7 Default Setting None Command Mode Privileged Exec Command Usage Use the mep keyword with th...

Page 790: ...ange 1 8 port Port number Range 1 28 52 port channel channel id Range 1 26 level id Maintenance level for this domain Range 0 7 Default Setting None Command Mode Privileged Exec Example This example s...

Page 791: ...racter string unsigned Integer 16 or RFC 2865 VPN ID Level Maintenance level of the local maintenance point Direction The direction in which the MEP faces on the Bridge port up or down Interface The p...

Page 792: ...scheck Status Enabled Console Table 160 show ethernet cfm maintenance points remote detail display Field Description MAC Address MAC address of the remote maintenance point If a CCM for the specified...

Page 793: ...n MA If any MEP fails to receive three consecutive CCMs from any other MEPs in its MA a connectivity failure is registered The interval at which Port State Port states include Up The port is functioni...

Page 794: ...y check messages CCMs within a specified maintenance association Use the no form to disable the transmission of these messages Syntax no ethernet cfm cc enable md domain name ma ma name domain name Do...

Page 795: ...CM with the same MPID as its own but with a different source MAC address indicating that a CFM configuration error exists loop Sends a trap if this device receives a CCM with the same source MAC addre...

Page 796: ...MEP Range 1 65535 minutes Default Setting 100 minutes Command Mode CFM Domain Configuration Command Usage A change to the hold time only applies to entries stored in the database after this command is...

Page 797: ...t cfm errors This command clears continuity check errors logged for the specified maintenance domain or maintenance level Syntax clear ethernet cfm errors domain domain name level level id domain name...

Page 798: ...more of the VIDs in this MA can pass through the bridge port no MEP is configured facing outward down on any bridge port for this MA and some other MA y at a higher maintenance level and associated w...

Page 799: ...The cross check start delay should be configured to a value greater than or equal to the continuity check message interval to avoid generating unnecessary traps Example This example sets the maximum d...

Page 800: ...red in the static list A ma up trap is sent if cross checking is enabled and a CCM is received from all remote MEPs configured in the static list for this maintenance association Example This example...

Page 801: ...x 1 name rd vlan 1 Console config ether cfm mep crosscheck mpid 2 ma rd Console config ether cfm ethernet cfm mep crosscheck This command enables cross checking between the static list of MEPs assigne...

Page 802: ...rnet cfm maintenance points remote crosscheck domain domain name mpid mpid domain name Domain name Range 1 43 alphanumeric characters mpid Maintenance end point identifier Range 1 8191 Default Setting...

Page 803: ...om each MIP along the path and from the target MEP Information stored in the cache includes the maintenance domain name MA name MEPID sequence number and TTL value Example This example enables link tr...

Page 804: ...m linktrace cache command If the cache reaches the maximum number of specified entries or the size is set to a value less than the current number of stored entries no new entries are added To add addi...

Page 805: ...mote crosscheck command to verify that a MAC address has been learned for the target MEP Link trace messages LTMs are sent as multicast CFM frames and forwarded from MIP to MIP with each MIP generatin...

Page 806: ...ded Shows whether or not this link trace message was forwarded A message is not forwarded if received by the target MEP Ingress MAC MAC address of the ingress port on the target device Egress MAC MAC...

Page 807: ...phanumeric characters transmit count The number of times the loopback message is sent Range 1 1024 packet size The size of the loopback message Range 64 1518 bytes Default Setting Loop back count One...

Page 808: ...opback reply When using the command line or web interface the source MEP used by to send a loopback message is chosen by the CFM protocol However when using SNMP the source MEP can be specified by the...

Page 809: ...e CFM Domain Configuration Command Usage A fault alarm can generate an SNMP notification It is issued when the MEP fault notification generator state machine detects that a configured time period see...

Page 810: ...n be generated Range 3 10 seconds Table 163 Remote MEP Priority Levels Priority Level Level Name Description 1 allDef All defects 2 macRemErrXcon DefMACstatus DefRemoteCCM DefErrorCCM or DefXconCCM 3...

Page 811: ...mpid Maintenance end point identifier Range 1 8191 Default Setting None Command Mode Privileged Exec Example This example shows the fault notification settings configured for one MEP Console show eth...

Page 812: ...ats xx xx xx xx xx xx or xxxxxxxxxxxx domain name Domain name Range 1 43 alphanumeric characters ma name Maintenance association name Range 1 43 alphanumeric characters count The number of times to re...

Page 813: ...reply information with TxTimeStampf copied from the DM request information RxTimeStampf Timestamp at the time of receiving a frame with DM request information and TxTimeStampb Timestamp at the time o...

Page 814: ...Chapter 26 CFM Commands Delay Measure Operations 814...

Page 815: ...nitor period for errored frame link events IC efm oam mode Sets the OAM operational mode to active or passive IC clear efm oam counters Clears statistical counters for various OAMPDU message types PE...

Page 816: ...onsole config interface ethernet 1 1 Console config if efm oam Console config if efm oam critical link event This command enables reporting of critical event or dying gasp Use the no form to disable t...

Page 817: ...function Syntax no efm oam link monitor frame Default Setting Enabled Command Mode Interface Configuration Command Usage An errored frame is a frame in which one or more bits are errored If this feat...

Page 818: ...is command sets the monitor period for errored frame link events Use the no form to restore the default setting Syntax efm oam link monitor frame window size no efm oam link monitor frame window size...

Page 819: ...ce Configuration Command Usage When set to active mode the selected interface will initiate the OAM discovery process When in passive mode it can only respond to discovery messages Example Console con...

Page 820: ...separate nonconsecutive port identifiers with a comma and no spaces use a hyphen to designate a range of ports Range 1 28 52 Command Mode Privileged Exec Example Console clear efm oam event log Consol...

Page 821: ...e loopback mode During a remote loopback test the remote OAM entity loops back every frame except for OAMPDUs and pause frames During loopback testing both the switch and remote device are permitted t...

Page 822: ...er it is finished Example Console efm oam remote loopback test 1 1 Loopback test is processing press ESC to suspend Port OAM loopback Tx OAM loopback Rx Loss Rate 1 2 1990 1016 48 94 Console show efm...

Page 823: ...w entries Example Console show efm oam event log interface 1 1 OAM event log of Eth 1 1 00 24 07 2001 01 01 Unit 1 Port 1 Dying Gasp at Remote Console This command can show OAM link status changes for...

Page 824: ...dying gasp bit and display dying gasp event clear Console show efm oam remote loopback interface This command displays the results of an OAM remote loopback test Syntax show efm oam remote loopback in...

Page 825: ...Errored Frame Threshold 1 Console show efm oam status interface 1 1 brief local OAM in loopback remote OAM in loopback Port Admin Mode Remote Dying Critical Errored State Loopback Gasp Event Frame 1 1...

Page 826: ...Chapter 27 OAM Commands 826 1 1 00 12 CF 6A 07 F6 000084 Enabled Disabled Enabled Disabled Console...

Page 827: ...when an outside host namely a DNS client intends to get an IP address for a host name through the switch In this case it will not add the domain suffix to query name server s That means that the DNS...

Page 828: ...hen an incomplete host name is received by the DNS service on this switch it will work through the domain list appending each domain name in the list to the host name and checking with the specified n...

Page 829: ...ed and the switch receives a DHCP packet containing a DNS field with a list of DNS servers then the switch will automatically enable DNS host name to address translation If all name servers are delete...

Page 830: ...fault Setting None Command Mode Global Configuration Example Console config ip domain name sample com Console config end Console show dns Domain Lookup Status DNS Disabled Default Domain Name sample c...

Page 831: ...erver from this list Syntax no ip name server server address1 server address2 server address6 server address1 IPv4 or IPv6 address of domain name server server address2 server address6 IPv4 or IPv6 ad...

Page 832: ...ress Corresponding IPv6 address This address must be entered according to RFC 2373 IPv6 Addressing Architecture using 8 colon separated 16 bit hexadecimal values One double colon may be used in the ad...

Page 833: ...entries from the DNS table Syntax clear host name name Name of the host Range 1 127 characters Removes all entries Default Setting None Command Mode Privileged Exec Command Usage Use the clear host c...

Page 834: ...POINTER TO 3 115 www wa1 b yahoo com Console show hosts This command displays the static host name to address mapping table Command Mode Privileged Exec Table 168 show dns cache display description F...

Page 835: ...b yahoo com Console Table 169 show hosts display description Field Description No The entry number for each resource record Flag The field displays 2 for a static entry or 4 for a dynamic entry store...

Page 836: ...Chapter 28 Domain Name Service Commands 836...

Page 837: ...or class identifier for the current interface Use the no form to remove the class identifier from the DHCP packet Syntax ip dhcp client class id text text hex hex no ip dhcp client class id text A tex...

Page 838: ...HCP option 66 67 parameters are not carried in a DHCP server reply To ask for a DHCP reply with option 66 67 information the DHCP client request sent by this switch includes a parameter request list a...

Page 839: ...est for any IP interface that has been set to BOOTP or DHCP mode through the ip address command DHCP requires the server to reassign the client s last address if available If the BOOTP or DHCP server...

Page 840: ...v6 clients can obtain configuration parameters from a server through a normal four message exchange solicit advertise request reply or through a rapid two message exchange solicit reply The rapid comm...

Page 841: ...ay Default Setting Enabled Example Console config ip dhcp l3 relay Console config Table 174 DHCP Relay Option 82 Commands Command Function Mode ip dhcp l2 relay Enables DHCP L2 relay service and DHCP...

Page 842: ...DHCP server will know the subnet where the client is located Then the switch forwards the packet to a DHCP server on another network When the server receives the DHCP request it allocates a free IP a...

Page 843: ...ID sub type Enabled Command Mode Global Configuration Usage Guidelines Using this command with or without any keywords will enable DHCP Option 82 information relay You must also specify the IP address...

Page 844: ...drop the original DHCP request packet is flooded onto the VLAN which received the packet but is not relayed DHCP reply packets received by the relay agent are handled as follows When the relay agent...

Page 845: ...or receives a reply packet with a zero relay agent address through the management VLAN A DHCP relay server has been set on the switch and the switch receives a reply packet on a non management VLAN Us...

Page 846: ...acket to the DHCP server Default Setting drop Command Mode Global Configuration Usage Guidelines Refer to the Usage Guidelines under the ip dhcp relay information option command for information on whe...

Page 847: ...disabled DHCP option policy drop DHCP relay server address 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 DHCP sub option format extra subtype included DHCP relay is configured on the following VLANs 1 4094...

Page 848: ...Chapter 29 DHCP Commands DHCP Relay Option 82 848...

Page 849: ...is not suitable you can manually configure a new address to manage the switch over your network or to connect the switch to existing IP subnets You may also need to a establish a default gateway betw...

Page 850: ...example the subnet 255 255 224 0 would be 19 secondary Specifies a secondary IP address default gateway The default gateway Refer to the ip default gateway command which provides the same function bo...

Page 851: ...numbers 0 to 255 separated by periods Anything other than this format will not be accepted by the configuration program An interface can have only one primary IP address but can have many secondary IP...

Page 852: ...ntax ip default gateway gateway no ip default gateway gateway IP address of the default gateway Default Setting No default gateway is established Command Mode Global Configuration Command Usage The de...

Page 853: ...level 1 L2 IS IS level 2 ia IS IS inter area candidate default C 192 168 2 0 24 is directly connected VLAN1 Console config Related Commands ip address 850 ip route 780 ipv6 default gateway 862 show ip...

Page 854: ...CMP Statistics ICMP received input errors destination unreachable messages time exceeded messages parameter problem message echo request messages echo reply messages redirect messages timestamp reques...

Page 855: ...to discard the datagram and return an error message The trace function then sends several probe messages at each subsequent TTL level and displays the round trip time for each message Not all devices...

Page 856: ...count 5 size 32 bytes Command Mode Normal Exec Privileged Exec Command Usage Use the ping command to see if another site on the network can be reached The following are some results of the ping comma...

Page 857: ...switch arp This command adds a static entry in the Address Resolution Protocol ARP cache Use the no form to remove an entry from the cache Syntax arp ip address hardware address no arp ip address ip a...

Page 858: ...n only be removed through the configuration interface Example Console config arp 10 1 0 19 01 02 03 04 05 06 Console config Related Commands clear arp cache 860 show arp 860 ip proxy arp This command...

Page 859: ...ARP cache Range 300 86400 86400 seconds is one day Default Setting 1200 seconds 20 minutes Command Mode Global Configuration Command Usage When a ARP entry expires it is deleted from the cache and an...

Page 860: ...on about the ARP cache The first line shows the cache timeout It also shows each cache entry including the IP address MAC address type static dynamic other and VLAN interface Note that entry type othe...

Page 861: ...ion unit MTU for IPv6 packets sent on an interface IC clear ipv6 traffic Resets IPv6 traffic counters PE ping6 Sends IPv6 ICMP echo request packets to another node on the network PE traceroute6 Shows...

Page 862: ...zeros required to fill the undefined fields The same link local address may be used by different interfaces nodes in different zones RFC 4007 Therefore when specifying a link local address include zon...

Page 863: ...and Mode Interface Configuration VLAN Command Usage All IPv6 addresses must be according to RFC 2373 IPv6 Addressing Architecture using 8 colon separated 16 bit hexadecimal values One double colon may...

Page 864: ...router lifetime is 1800 seconds Console Related Commands ipv6 address eui 64 865 ipv6 address autoconfig 864 show ipv6 interface 871 ip address 850 ipv6 address autoconfig This command enables statele...

Page 865: ...enabled Link Local Address FE80 2E0 CFF FE00 FD 64 Global Unicast Address es 2002 1000 AA22 BB66 1000 64 subnet is 2002 1000 AA22 BB66 64 AUTOCONFIG valid lifetime 1 preferred lifetime 1 Joined Group...

Page 866: ...its If the specified prefix length exceeds 64 bits then the network portion of the address will take precedence over the interface identifier If a duplicate address is detected a warning message is se...

Page 867: ...of DAD attempts 1 ND retransmit interval is 1000 milliseconds ND advertised retransmit interval is 0 milliseconds ND reachable time is 30000 milliseconds ND advertised reachable time is 0 millisecond...

Page 868: ...a prefix in the range of FE80 FEBF is required for link local addresses and the first 16 bit group in the host address is padded with a zero in the form 0269 Console config interface vlan 1 Console co...

Page 869: ...al segment this interface will be disabled and a warning message displayed on the console The no ipv6 enable command does not disable IPv6 for an interface that has been explicitly configured with an...

Page 870: ...VLAN Command Usage If a non default value is configured an MTU option is included in the router advertisements sent from this device The maximum value set by this command cannot exceed the MTU of the...

Page 871: ...rational status and the addresses configured for each interface vlan id VLAN ID Range 1 4094 ipv6 prefix The IPv6 network portion of the address assigned to the interface The prefix must be formatted...

Page 872: ...d to join the all nodes multicast addresses FF01 1 and FF02 1 for all IPv6 nodes within scope 1 interface local and scope 2 link local respectively FF01 1 16 is the transient interface local multicast...

Page 873: ...1280 00 04 50 FE80 203 A0FF FED6 141D Console ND advertised retransmit interval The retransmit interval is included in all router advertisements sent out of an interface so that nodes on the same lin...

Page 874: ...rwards datagrams 15 requests discards no routes generated fragments fragment succeeded fragment failed ICMPv6 Statistics ICMPv6 received input errors destination unreachable messages packet too big me...

Page 875: ...nk MTU of outgoing interface no routes The number of input datagrams discarded because no route could be found to transmit them to their destination address errors The number of input datagrams discar...

Page 876: ...ted via this entity and the Source Route processing was successful Note that for a successfully forwarded datagram the counter of the outgoing interface is incremented requests The total number of IPv...

Page 877: ...ce group membership response messages The number of ICMPv6 Group Membership Response messages received by the interface group membership reduction messages The number of ICMPv6 Group Membership Reduct...

Page 878: ...to fill the undefined fields redirect messages The number of Redirect messages sent For a host this object will always be zero since hosts do not send redirects group membership query messages The num...

Page 879: ...xample FE80 7272 1 identifies VLAN 1 as the interface from which the ping is sent When pinging a host name be sure the DNS server has been enabled see page 829 If necessary local devices can also be s...

Page 880: ...may be used by different interfaces nodes in different zones RFC 4007 Therefore when specifying a link local address include zone id information indicating the VLAN identifier after the delimiter For...

Page 881: ...ate address detection Duplicate address detection determines if a new unicast IPv6 address already exists on the network before it is assigned to an interface Duplicate address detection is stopped on...

Page 882: ...ss detection process is still on going Console config interface vlan 1 Console config if ipv6 nd dad attempts 5 Console config if end Console show ipv6 interface VLAN 1 is up IPv6 is enabled Link loca...

Page 883: ...d specifies the interval between transmitting neighbor solicitation messages when resolving an address or when probing the reachability of a neighbor Therefore avoid using very short intervals for nor...

Page 884: ...iguration Ethernet Port Channel Command Usage IPv6 Router Advertisements RA convey information that enables nodes to auto configure on the network This information may include the default router addre...

Page 885: ...is parameter allows the router to detect unavailable neighbors During the neighbor discover process an IPv6 node will multicast neighbor solicitation messages to search for neighbor nodes For a neighb...

Page 886: ...1 28 52 port channel channel id Range 1 26 Command Mode Privileged Exec Example Console show ipv6 nd raguard interface ethernet 1 1 Interface RA Guard Eth 1 1 Yes Console show ipv6 neighbors This com...

Page 887: ...ositive confirmation was received within the last ReachableTime interval that the forward path to the neighbor was functioning While in REACHABLE state the device takes no special action when sending...

Page 888: ...packet in response it knows that the target still exists and updates the lifetime of the binding otherwise it deletes the binding This section describes commands used to configure ND Snooping Table 1...

Page 889: ...e it is dropped If received on a trusted interface the switch adds an entry in the prefix table according to the Prefix Information option in the RA message The prefix table records prefix prefix leng...

Page 890: ...s not receive an RA message in response after the configured timeout the entry is dropped If the switch receives an RA message before the timeout expires it resets the lifetime for the dynamic binding...

Page 891: ...ch the switch will delete a dynamic user binding if no RA message is received is set to the retransmit count x the retransmit interval see the ipv6 nd snooping auto detect retransmit interval command...

Page 892: ...n the prefix table Use the no form to restore the default setting Syntax ipv6 nd snooping prefix timeout timeout no ipv6 nd snooping prefix timeout timeout The time to wait for an RA message to confir...

Page 893: ...ig ipv6 nd snooping trust This command configures a port as a trusted interface from which prefix information in RA messages can be added to the prefix table or NS messages can be forwarded without va...

Page 894: ...Exec Example Console clear ipv6 nd snooping binding Console show ipv6 nd snooping binding MAC Address IPv6 Address Lifetime VLAN Interface Console clear ipv6 nd snooping prefix This command clears al...

Page 895: ...auto detection retransmit interval 1 second ND Snooping is configured on the following VLANs VLAN 1 Interface Trusted Max binding Eth 1 1 Yes 1 Eth 1 2 No 5 Eth 1 3 No 5 Eth 1 4 No 5 Eth 1 5 No 5 sho...

Page 896: ...ss prefix table Syntax show ipv6 nd snooping prefix interface vlan vlan_id vlan id VLAN ID Range 1 4094 Command Mode Privileged Exec Example Console show ipv6 nd snooping prefix Prefix entry timeout 1...

Page 897: ...ction includes commands for static routing These commands are used to connect between different local subnetworks or to connect the router to the enterprise network Global Routing Configuration Table...

Page 898: ...administrative distance for the route Range 1 255 Default 1 Removes all static routing table entries Default Setting No static routes are configured Command Mode Global Configuration Command Usage Up...

Page 899: ...flected in the FIB The FIB is distinct from the routing table or Routing Information Base which holds all routing information received from routing peers The forwarding information base contains uniqu...

Page 900: ...ute database Codes C connected S static R RIP B BGP O OSPF IA OSPF inter area N1 OSPF NSSA external type 1 N2 OSPF NSSA external type 2 E1 OSPF external type 1 E2 OSPF external type 2 i IS IS L1 IS IS...

Page 901: ...901 Section III Appendices This section provides additional information and includes these items Troubleshooting on page 903 License Information on page 905...

Page 902: ...Section III Appendices 902...

Page 903: ...ing again at a later time Cannot connect using Secure Shell If you cannot connect using SSH you may have exceeded the maximum number of concurrent Telnet SSH sessions permitted Try connecting again at...

Page 904: ...Repeat the sequence of commands or other actions that lead up to the error 7 Make a list of the commands or circumstances that led to the fault Also make a list of any error messages displayed 8 Set...

Page 905: ...of free software and charge for this service if you wish that you receive source code or can get it if you want it that you can change the software or use pieces of it in new free programs and that yo...

Page 906: ...you distribute or publish that in whole or in part contains or is derived from the Program or any part thereof to be licensed as a whole at no charge to all third parties under the terms of this Lice...

Page 907: ...These actions are prohibited by law if you do not accept this License Therefore by modifying or distributing the Program or any work based on the Program you indicate your acceptance of this License...

Page 908: ...k for permission For software which is copyrighted by the Free Software Foundation write to the Free Software Foundation we sometimes make exceptions for this Our decision will be guided by the two go...

Page 909: ...ority may be set according to the port default the packet s priority bit in the VLAN tag TCP UDP port number IP Precedence bit or DSCP priority bit DHCP Dynamic Host Control Protocol Provides a framew...

Page 910: ...rived from a 48 bit link layer address by inserting the hexadecimal number FFFE between the upper three bytes OUI field and the lower 3 bytes serial number of the link layer address To ensure that the...

Page 911: ...ls access to the switch ports by requiring users to first enter a user ID and password for authentication IEEE 802 3ac Defines frame extensions for VLAN tagging IEEE 802 3x Defines Ethernet frame star...

Page 912: ...a Communications Protocol This is related directly to the hardware interface for network devices and passes on traffic based on MAC addresses Link Aggregation See Port Trunk LLDP Link Layer Discovery...

Page 913: ...work The time servers operate in a hierarchical master slave configuration in order to synchronize local clocks within the subnet and to national time standards via wire or radio OAM Operation Adminis...

Page 914: ...fer Protocol is a standard host to host mail transport protocol that operates over TCP port 25 SNMP Simple Network Management Protocol The application protocol in the Internet suite of protocols which...

Page 915: ...onnection less datagrams that may be discarded before reaching their targets UDP is useful when TCP would be too complex too slow or just unnecessary UTC Universal Time Coordinate UTC is a time scale...

Page 916: ...Glossary 916...

Page 917: ...et 166 capabilities 388 channel group 428 class 626 class map 622 clear access list hardware counters 381 clear arp cache 860 clear counters 398 clear dns cache 833 clear efm oam counters 819 clear ef...

Page 918: ...le password 218 end 93 erps 525 erps clear 545 erps domain 525 erps forced switch 546 erps manual switch 548 ethernet cfm ais level 776 ethernet cfm ais ma 777 ethernet cfm ais period 778 ethernet cfm...

Page 919: ...y intvl 652 ip igmp snooping vlan mrd 652 ip igmp snooping vlan mrouter 663 ip igmp snooping vlan proxy address 653 ip igmp snooping vlan query interval 655 ip igmp snooping vlan query resp intvl 655...

Page 920: ...d location civic addr 758 lldp med notification 760 lldp med tlv ext poe 761 lldp med tlv inventory 761 lldp med tlv location 762 lldp med tlv med cap 762 lldp med tlv network policy 763 lldp notifica...

Page 921: ...137 password 137 password thresh 138 periodic 170 permit deny 666 permit deny 691 permit deny ARP ACL 379 permit deny Extended IPv4 ACL 364 permit deny Extended IPv6 ACL 370 permit deny MAC ACL 374 p...

Page 922: ...fm oam event log interface 823 show efm oam remote loopback interface 824 show efm oam status remote interface 825 show efm oam status interface 824 show erps 549 show ethernet cfm configuration 786 s...

Page 923: ...show logging 149 show logging sendmail 154 show loop internal 421 show loopback detection 479 show mac access group 377 show mac access list 377 show mac address table 491 show mac address table agin...

Page 924: ...ly 472 snmp server enable port traps atc multicast control release 473 snmp server enable port traps mac notification 186 snmp server enable traps 182 snmp server engine id 187 snmp server group 188 s...

Page 925: ...raffic segmentation session 356 traffic segmentation uplink downlink 357 traffic segmentation uplink to uplink 358 transceiver monitor 410 transceiver threshold current 411 transceiver threshold rx po...

Page 926: ...CLI Commands 926...

Page 927: ...Standard 361 363 IPv6 Extended 368 370 IPv6 Standard 368 369 MAC 373 time range 168 address table 489 aging time 489 aging time displaying 492 aging time setting 489 administrative users displaying 11...

Page 928: ...65 configuration files restoring defaults 119 configuration settings restoring 61 119 122 saving 61 119 122 console port required connections 48 continuity check errors CFM 797 798 continuity check m...

Page 929: ...ing 631 two rate three color meter 631 violating traffic configuring response 627 628 631 DNS default domain name 830 displaying the cache 834 domain name list 830 domain names appended 828 enabling l...

Page 930: ...filter parameters 665 670 filtering throttling 664 filtering throttling enabling 665 filtering throttling interface configuration 667 671 filtering throttling status 665 filtering configuring profile...

Page 931: ...2 L LACP admin key 430 configuration 425 group attributes configuring 433 group members configuring 429 432 local parameters 435 partner parameters 435 protocol message statistics 435 protocol paramet...

Page 932: ...throttling enabling 690 filtering throttling interface configuration 692 694 filtering throttling status 690 MLD snooping 676 configuring 676 enabling 677 immediate leave 683 immediate leave status 6...

Page 933: ...mic QoS assignment 288 dynamic VLAN assignment 289 guest VLAN 290 MAC address aging 286 MAC address filter 287 port configuration 294 reauthentication 288 secure MAC information 298 299 NTP authentica...

Page 934: ...Port to PHB drop precedence 612 IP precedence to PHB drop precedence 613 matching class settings 623 PHB to drop precedence for untagged packets 609 PHB to queue 607 PHB drop precedence to CoS CFI 610...

Page 935: ...SSH 246 authentication retries 249 configuring 246 downloading public keys for clients 122 125 generating host key pair 252 server configuring 249 timeout 250 STA 495 BPDU filter 507 BPDU flooding 516...

Page 936: ...old 459 unregistered data flooding IGMP snooping 647 upgrading software 122 128 user account 218 219 user password 218 219 V VLAN trunking 569 VLANs 555 600 802 1Q tunnel mode 574 acceptable frame typ...

Page 937: ......

Page 938: ...E092017 CS R02...

Reviews:

No comments