T-Marc 3312SC Amp T-Marc 3312SCH User Guide Ver 5.0.R2.2

T-Marc 3312SC
&
T-Marc 3312SCH
Ethernet and MPLS Mobile Backhaul Demarcation Device
Release 5.0.R2.2
January 2016
MN100235 Rev F
The information in this document is subject to change without notice and describes only the product defined in
the introduction of this document. This document is intended for the use of customers of Telco Systems only
for the purposes of the agreement under which the document is submitted, and no part of it may be reproduced
or transmitted in any form or means without the prior written permission of Telco Systems. The document is
intended for use by professional and properly trained personnel, and the customer assumes full responsibility
when using it. Telco Systems welcomes customer comments as part of the process of continuous development
and improvement of the documentation.
If the Release Notes that are shipped with the device contain information that conflicts with the information in
the user guide or supplements it, the customer should follow the Release Notes.
The information or statements given in this document concerning the suitability, capacity, or performance of the
relevant hardware or software products are for general informational purposes only and are not considered
binding. Only those statements and/or representations defined in the agreement executed between Telco
Systems and the customer shall bind and obligate Telco Systems. Telco Systems however has made all reasonable
efforts to ensure that the instructions contained in this document are adequate and free of material errors and
omissions. Telco Systems will, if necessary, explain issues which may not be covered by the document.
Telco Systems sole and exclusive liability for any errors in the document is limited to the documentary
correction of errors. TELCO SYSTEMS IS NOT AND SHALL NOT BE RESPONSIBLE IN ANY EVENT
FOR ERRORS IN THIS DOCUMENT OR FOR ANY DAMAGES OR LOSS OF WHATSOEVER KIND,
WHETHER DIRECT, INCIDENTAL, OR CONSEQUENTIAL (INCLUDING MONETARY LOSSES),
that might arise from the use of this document or the information in it.
This document and the product it describes are the property of Telco Systems, which is the owner of all
intellectual property rights therein, and are protected by copyright according to the applicable laws.
Telco Systems logo is a registered trademark of Telco Systems, a BATM Company. CloudMetro,
TelcoOrchestrator, TelcoController, TelcoNFVController, ViNOX, TVE, BiNOX, BiNOS,
BiNOSCenter, TVE, T-Marc, T-Metro, EdgeGenie, EdgeLink, EdgeGate, Access60,
AccessIP, AccessMPLS, AccessTDM, AccessEthernet, NetBeacon, Metrobility, T5C-XG, T5
Compact, and OutBurst are trademarks of Telco Systems.
Other product and company names mentioned in this document reserve their copyrights, trademarks, and
registrations; they are mentioned for identification purposes only.
Copyright Telco Systems 2016. All rights reserved.
Introduction
Table of Contents
Table of Figures 1
Introduction 2
Key Features 2
Using This Document 3

Intended Audience 3
Documentation Suite 3
Conventions Used 3
Organization 4
Getting Documentation Updates 6
Technical Support 6
International Headquarters 6
US: North America and Latin America 6
Asia Pacific (APAC) 7
Europe, Middle East and Africa (EMEA) 7
Table of Figures
Figure 1: T-Marc 3312SC View ............................................................................................................ 2
Figure 2: T-Marc 3312SCH View......................................................................................................... 2
Introduction (Rev. 01) Page 1

T-Marc 3312SCH User Guide
T-Marc3312SCH
Introduction
T-Marc 3312SCH device is an Ethernet and MPLS mobile backhaul demarcation device. It
supports IEEE802.1q, Q-in-Q and MPLS transport technologies, providing high flexibility in
network design and future proofing the network with no additional software licenses. It provides
access to advanced data services such as virtual private wire services (VPWS), VPLS and HVPLS,
simplifying the network and making it easier to manage, while gaining MPLS added value.
The T-Marc 3312SCH device enables service providers to carry native TDM traffic transparently
across packet-switched networks (PSN) using various circuit emulation techniques required when
converging and migrating 2G and 3G to 4G and newer IP-based mobile technologies.
The T-Marc 3312SCH device supports a broad set of hardware-based OAM tools to help providers
reduce their OPEX and to assure their customers they are meeting the agreed SLA.
Figure 1: T-Marc 3312SC View
Figure 2: T-Marc 3312SCH View
Key Features
The device offers the following features:
Advanced Carrier Ethernet and full-MPLS demarcation for multiple types of services (voice,
video and data)
Multi-layer control, monitoring, line testing and, loopback for failsafe operations
Variety of resiliency technologies for a high level of protection and fast switchover (Resilient-
link, LAG with LACP, network-wide mechanisms-MSTP, Fast Ring, FRR).
Embedded QoS capabilities for flexible control of traffic and services (hierarchical queuing,
rate limiters, shaping, advance scheduling schemes, and intuitive service-oriented SLA
configuration)
Multiple traffic engineering technologies for data path management based on several attributes
(LDP and RSVP-TE)
Broad set of hardware-based OAM tools for optimized OPEX (IEEE 802.1ag, ITU-T
Y.1731, EEE 802.3ah, RFC 2544)
Page 2 Introduction (Rev. 01)

Circuit emulation support (CES) and time synchronization support (SyncE)

Redundant powering capability
MEF 9 and MEF 14 for Ethernet services at the UNI compliance; IEEE, and ITU-T
standards compliance for multi-vendor interoperability
Using This Document

This user guide includes information needed to configure the device functionalities, provides
complete syntax for the commands available in the currently-supported software version, and
describes the features supplied with the device.
NOTE
Ensure that the device is installed in accordance with Telco Systems' installation
instructions. For more information regarding device installation, refer to the
Installation Guide of this device.
For the latest software updates, see the Release Notes for the relevant release. The release notes may
contain information that is in conflict with the user guide. In all cases, information contained in the
release notes supersedes material contained in this user guide.
Intended Audience
This user guide is intended for network administrators responsible for installing and configuring
network equipment. To use this guide, you must already be familiar with Ethernet and local area
networking (LAN) concepts and terminology.
Documentation Suite
This document is just one part of the full documentation suite provided with this product.
You are: Document Function Function
Installation Guide Contains information about installing the hardware and

software including site preparation, testing, and safety
information.
User Guide Contains information on configuring and using the system.
Release Notes Contains information about the current release, including
new features, resolved issues (bug fixes), known issues,
and late-breaking information that supersedes information
in other documentation.
Conventions Used
The conventions listed below may appear in the user guide. Pay special attention as each one
contains important information:

NOTE
Indicates information requiring special attention.
CAUTION
Indicates special instructions needed to avoid possible damage to the product.
WARNING
Indicates special instructions necessary to avoid possible injury or death.
The table below defines additional conventions used to show commands, variable and parameters
within the document:
Conventions Description
commands CLI and SNMP commands

command example CLI and SNMP examples
<Variable> user-defined variables
[Optional Command Parameters] CLI syntax and coded examples
Organization
The device User Guide includes the following chapters, each focusing on a different feature or set
of features. Each chapter begins with a brief overview of the feature/s, followed by the
configuration flow, and concluding with the configuration details for the corresponding commands.
Chapter Name Description
Introduction Overview of product and document

Using CLI Setting up basic CLI commands required to get started.
Managing the Device Administering T-Marc 3312SCH devices, performing initial
device configuration (such as time and date, software upgrade,
and protection from outside attacks), MAC address table, NTP,
DNS Resolver, understanding the files system, and Layer-2
port security techniques. System message logging and the
Remote Monitoring (RMON) feature are also explained. The
service statistics explanation is also part of this chapter.
Information for supported DHCP client and Zero-Touch
Provisioning (ZTP) features is also available in this chapter.
Simple Network Management Understanding and configuring Simple Network Management
Protocol (SNMP) Protocol (SNMP), community strings, trap managers, and
traps.
Device Authentication Understanding and configuring the privileged access levels to
commands used for protecting the device from unauthorized
access. The chapter also describes RADIUS and TACACS+.

Physical Ports and Logical Understanding and configuring device interface types The
Interfaces chapter also offers information on static Link Aggregation
Groups (LAGs), establishing resilience across the network
segments.
Virtual LANs (VLANs) and Understanding and configuring VLANs and Super VLANs
Super VLANs
Configuring Layer 2 Services Understanding and configuring LAN services
Layer 2 Protocol Tunneling Understanding and configuring Layer 2 protocol tunneling
(L2PT)
Spanning Tree Protocols Understanding and configuring Spanning Tree protocols.
Multicast Layer 2 Features Understanding and configuring Internet Group Management

Protocol (IGMP) snooping and Multicast VLAN Registration
(MVR)
Link Layer Discovery Protocol Understanding and configuring the IEEE 802.1AB standard
(LLDP)
Access Control Lists (ACLs) Understanding and configuring ACLs, traffic rate-limit, and
applying QoS using ACLs
Quality of Service (QoS) Understanding and configuring QoS features
Operations, Administration, Understanding and configuring various tools used for
and Maintenance (OAM) monitoring and troubleshooting the network:
802.3ah Ethernet in the First Mile (EFM-OAM)
IEEE 802.1ag Connectivity Fault Management (CFM)
ITU-T G.8032v2 Ring Automatic Protection Switching (R-
APS)
ITU-T Y.1564 Next-Generation Carrier-Ethernet Test
Two-Way Active Measurement Protocol (TWAMP)
ITU-T Y.1731-SLM SAA Test
ITU-T Y.1731 SAA Test
RFC 2544 SAA Throughput Test
Event propagation
Synchronous Ethernet Determine and configure the synchronized clock source for the
(SyncE) system as well as configure the clock source output for the
device
Routing Information and Understanding and configuring routing protocols
Protocols
Node Redundancy Understanding and configuring topological redundancy options
MPLS Protocols and Services Understanding and configuring Multiprotocol Label Switching
(MPLS) and Virtual Private LAN Services (VPLS)
Configuring Circuit Emulation Understanding and configuring CES over Ethernet
Services (CES)
Troubleshooting Troubleshooting and monitoring tools used to detect and solve
system related problems

Appendix A: SNMP Reference MIBs and objects for controlling, monitoring, and managing the
Guide device
Appendix B: Specifications An abbreviated version of the specifications for the device
Appendix C: Acronym The list of acronyms used in this user guide and their meaning
Glossary
Getting Documentation Updates

You can access the most current Telco Systems documentation on the following site:
http://support.telco.com/.
Access to most of the Telco Systems documentation is password protected. To obtain a password,
contact the Telco Systems support center.
Technical Support
Telco Systems provides technical assistance for customers and partners. Contact the Professional
Services team at our international headquarters, or the technical support center for your region.
Contact information is provided below:
Web Access: http://www.telco.com
Email: support@telco.com
International Headquarters
Telco Systems, A BATM Company
Professional Services
13 HaYetzira St., New Industrial Park
Yokneam Ilit, 20692, Israel
Tel: +972-4-993-5630
Fax: +972-4-993-7926
US: North America and Latin America

Telco Systems, A BATM Company
15 Berkshire Rd
Mansfield, MA 02048
Tel: +1-781-255-2120
Fax: +1-781-255-2122

Asia Pacific (APAC)

Telco Systems Pte Ltd
Technical Support
10 Anson Road
#17-03 International Plaza
Singapore, 079903
Tel: +65 6224 3112
Fax: +65 6220 5848
Europe, Middle East and Africa (EMEA)

BATM Advanced Communications GmbH
Peterstr. 2-4
52062 Aachen
Tel: +49 241 463 5490
Fax: +49 241 463 5491

Using Command Line Interface (CLI)
Table of Contents
Table of Figures 1
List of Tables 2
Using CLI 3
Accessing the CLI 3
CLI Modes 3
Committing Configuration Commands 4
Command Keywords and Arguments 6

Getting Help 7
Minimum Abbreviation 9
Dynamic Completion of Commands 10
Negating Commands 10
Using the Command History 10
CLI Keyboard Sequences 11
CLI Messages 11
Regular Expressions 12
General Operational Mode Commands 13
Filtering the show Command Output 17
The range Expression 20
Debug Commands 24
Banner Commands 32
Table of Figures
Figure 1: CLI Modes Hierarchy............................................................................................................ 4
Using Command Line Interface (CLI) (Rev. 01) Page 1

T-Marc 3312SC/T-Marc 3312SCH User Guide
List of Tables
Table 1: CLI Syntax Conventions in the User Guide ....................................................................... 6
Table 2: CLI Help Options ................................................................................................................... 7
Table 3: CLI Keyboard Sequences..................................................................................................... 11
Table 4: CLI Messages ......................................................................................................................... 12
Table 5: Common Regular Expressions ............................................................................................ 13
Table 6: General Operational Mode Commands............................................................................. 13
Table 7: General Configuration Mode Commands ......................................................................... 15
Table 8: Show Command Filter Options .......................................................................................... 17
Table 9: Debug Commands ................................................................................................................ 26
Table 10: Banner Commands ............................................................................................................. 32
Page 2 Using Command Line Interface (CLI) (Rev. 01)

T-Marc3312SC/T-Marc3312SCH
Using CLI
The CLI is a network management application operated through an ASCII terminal.
Using the CLI commands, users can configure the device parameters and maintain them, receiving
text output on the terminal monitor. These system parameters are stored in a non-volatile memory
and users have to set them up only once.
The device CLI is password protected.
Accessing the CLI

You can access the CLI:
directly, by connecting a PC to the devices console port
over an IP network, using Telnet or SSH (OutBand and InBand management)
Once the login prompt is displayed, type your username and password to access the CLI.
For more information regarding default usernames and passwords, refer to the Device Authentication
chapter.
The default password is admin.
CLI Modes
The CLI is structured from hierarchical modes, each mode grouping relevant CLI commands.
Its two top level modes are:
Operational mode
Configuration mode
Operational Mode
This is the initial mode that the CLI enters after a successful login to the CLI.
device-name#
The Operational mode is primarily used for:

viewing the system status
controlling the CLI environment
monitoring and troubleshooting network connectivity
initiating the Configuration mode

Configuration Mode
The Configuration mode is the mode in which users can change the device configuration.
To enter this mode from Operational mode, use the config terminal command.
device-name#config terminal
Entering configuration mode terminal
device-name(config)#
The Configuration mode has various sub-modes for configuring the different device features, as
shown in the figure below.
Figure 1: CLI Modes Hierarchy
Committing Configuration Commands

The commands executed in the Configuration mode are not applied to the devices active
configuration (the running configuration file) until after you commit them. These commands are
applied to a copy of the active configuration, called a candidate configuration, prior to being committed.
Use the commit command to save the unapplied configuration changes to the running
configuration file. The system verifies that no additional changes have been performed in the active
configuration by other users. In case of relevant changes, the system prompts for validating these
changes and committing them.
In addition when you attempt to exit the Configuration mode (end command or exit command),
the system prompts you to commit unapplied configuration changes:
Uncommitted changes found, commit them (yes/no/cancel)? [cancel]

In this case:
type yes to save the configuration changes and exit the configuration session
type no to exit the configuration session without committing the configuration changes
type cancel to remain in the current configuration session without exiting or committing the
configuration changes
When committing commands, the CLI validates the configuration changes and prompts for
missing configuration:
Example:
device-name#config
device-name(config)#vlan vl10 10
device-name(config-vlan-10)#routing-interface sw10
device-name(config-vlan-10)#com
Aborted: Error: Vlan instance is using the current routing-
interface or you are trying assign a non-existing
routing-interface to vlan!
device-name(config-vlan-10)#

Command Keywords and Arguments

A CLI command is built up of a series of keywords and arguments:
Keywords identify the commands action
Arguments specify the commands configuration parameters
The CLI commands are not case sensitive.
The general CLI syntax is represented by the following format:
device-name[(config- ...)]#keyword(s) [argument(s)] ... [keyword(s)]
[argument(s)]
In this format
device-name[(config ...)]# represents the prompt displayed by the device. This prompt includes:
the user-defined device-name
the current CLI mode
the command keywords and arguments typed by the user
Example:
In the command below:
device-name(config-port-1/1/10)#default-vlan 100
the CLI mode is config-port-1/1/10
default-vlan is the command keyword

100 is the command argument
Table 1: CLI Syntax Conventions in the User Guide
Symbol/Format Description
<Italic, small A numerical argument:

letters>
<priority>
Italic, capital A string argument:

letters
NAME
bold letters A command keyword:

show port
A.B.C.D An IP address:
10.4.0.4
UU/SS/PP A physical port number in a unit/slot/port format:

1/1/1
HH:HH:HH:HH:HH:HH A MAC address in a hexadecimal format:

00:a0:12:07:0f:78

Symbol/Format Description
[] An optional argument or keyword:

[FILENAME]
{} A mandatory argument or keyword:

{enable | disable}
| An or between two arguments or keywords, the user should select from:

{true | false}
Getting Help
To get specific help on a command mode, keyword, or argument, use one of the following
commands or characters:
Table 2: CLI Help Options
Command Purpose
help Provides a brief description of the help system in any command mode.
Example:
device-name(config)# help ethernet
Help for command: ethernet
Configures Ethernet services and protocols
abbreviated- To display a commands possible completions, type the partial command

command<Tab> followed immediately by <Tab> or <Space>.
To use <Space> option, command complete-on-space must be enabled. By
default, it is disabled.
If the partially typed command uniquely identifies a command, the full
command name is displayed. Otherwise, the CLI displays a list of possible
completions:
Example:
device-name(config)#ether
Possible completions:
ether-type Configure Ethertype access lists
ethernet Configures Ethernet services and protocols
command? (Leave no space between the command and ?) Provides a list and description
or of commands that begin with a particular string:
abbreviated- Example:
command?
device-name#s?
send Send message to terminal of one or all users
service Configure services
show Show information about the system
ssh ssh to network hosts
system Configure system's diagnostics, management and
troubleshooting
capabilities

Command Purpose
? Lists all commands available in the current command mode.

Example:
device-name(config-system)#?
Description: Configure system's diagnostics, management and
troubleshooting capa
bilities
banner Banner shown to the user when the CLI is
started.
dns-resolver Configure DNS resolver
dscp-mapping Specify the name of the L3 protocol
dscp-remarking Specify DSCP that will be remarked
fdb-extended Configure extended FDB table
hostname Set system's network name
license Software license
mirror Configure port mirror
monitor Operational monitoring of switch
netconf-server Configure NETCONF access-control
no Negate a command or set its defaults
reload Reload the system
snmp SNMP parameters
ssh-server Configure SSH access-control
time Configure time settings
---
commit Commit current set of changes
exit Exit from current mode
help Provide help information
pwd Display current mode path
top Exit to top level and optionally run
command
<cr>
command ? (Leave a space between command and ?) Lists the available keywords or
or arguments that can follow the specified command
abbreviated- Example:
command ?
device-name(config)#validate ?
| <cr>
! The CLI ignores all the characters following ! up to the next new line.
Example:
device-name(config)#vlan 10 10 ! create vlan with name '10'
and tag '10'
device-name(config-vlan-10)#commit ! apply configuration
NOTE
To use ! as an argument, prefix it with \ or inside
double quotes ().

Command Purpose
command | Searches and filters the command output. This functionality is

{append FILE useful if you need to sort through a large output or if
NAME | begin you want to exclude irrelevant output.
| count | append: appends the command output to a file. You are prompted
include | for a file name
exclude |
begin: begins an unfiltered output of the command with the
linnum |
first line containing the regular expression
more |
nomore | count: counts the output-lines number
save FILE include: displays output lines that contain the regular
NAME} | expression
until exclude: displays output lines that do not contain the regular
regular- expression
expression linnum: enumerates lines in the output
more: enables the output pagination
nomore: disables the output pagination
save: saves the command output to a file. You are prompted for
a file name
regular-expression: see Table 5
Example 1:
The below example displays only lines that do not contain
Regular expression sw*.
device-name#show router interface | exclude sw*
========================================================================
--------+------+---------------+---------------+---------------+--------
lo up 127.0.0.1 255.0.0.0 127.255.255.255 1500 |
outBand0 up 10.3.155.5 255.255.0.0 10.3.255.255 1500 |
========================================================================
Example 2:
It is also possible to display the output starting at the
first match of a regular expression, using the begin
keyword.
device-name#show router interface | begin .*sw30
39 sw30 up 100.1.3.1 255.255.255.0 100.1.3.255 1544 |
40 sw40 up 100.1.4.1 255.255.255.0 100.1.4.255 1544 |
============================================================================
|
Svc20 |4098| | |
You can use more than one filter on a single command.

Example:
device-name# show router interface | begin .*sw20 | until
.*sw40 | count
Count: 3 lines
Minimum Abbreviation
The CLI accepts a minimum number of characters that uniquely identify a command. Therefore
you can abbreviate commands and parameters as long as they contain enough letters to differentiate
them from any other available commands or parameters on the specific CLI mode.
Example:

You can type the config terminal command as con t

device-name#con t
In case of an ambiguous entry (when the CLI mode includes more than one command matching
the characters typed), the system prompts for further input.
Example:
device-name#co
-------------^
syntax error:
Possible alternatives starting with co:
commit - Confirm a pending commit
compare - Compare running configuration to another configuration or
a file
complete-on-space -
config - Manipulate software configuration information
Dynamic Completion of Commands

In addition to the Minimum Abbreviation functionality, the CLI can display the commands
possible completions.
To display possible command completions, type the partial command followed immediately by
<Tab> or <Space>.
To use <Space> option, command complete-on-space must be enabled. By default, it is disabled.
In case the partial command uniquely identifies a command, the CLI displays the full command.
Otherwise the CLI displays a list of possible completions.
device-name(config)#ether
ether-type Configure Ethertype access lists
ethernet Configures Ethernet services and protocols
Negating Commands
The no prefix negates the command or resets the commands configuration to its default value. For
example, the log command logs system messages. To disable logging, use the no log command.
Using the Command History

The CLI maintains a history of commands entered in any CLI mode. You can scroll back through
the history of commands by pressing the up arrow key. You can modify and execute any command
displayed in the history list.
You can also use the show history command to display a list of executed commands.
device-name#show history

00:06:29 -- show port

00:06:39 -- show vlan
00:06:42 -- show history
00:06:48 -- config terminal
00:07:21 -- show history
CLI Keyboard Sequences

You can use keyboard sequences for moving around the command line and editing it. You can also
use keyboard sequences to scroll through a list of recently executed commands.
Table 3: CLI Keyboard Sequences
Key Function
Ctrl+b or Left Arrow Moves one character back

Esc+b or Alt+b Moves one word back
Ctrl+f or Right Arrow Moves one character forward
Esc+f or Alt+f Moves one word forward
Ctrl+a or Home Moves to the beginning of the command line
Ctrl+e or End Moves to the end of the command line
Ctrl+h, Delete, or Backspace Deletes the character that precedes the cursor
Ctrl+d Moves one mode back
Ctrl+k Deletes all characters to the end of the command line
Ctrl+u or Ctrl+x Deletes the command line
Ctrl+w, Esc+Backspace, or Deletes last word before the cursor
Alt+Backspace
Esc+d or Alt+d Deletes the word after the cursor
Ctrl+y Inserts the most recently deleted text at the cursor
Ctrl+p or Up Arrow Moves up to the previous line in the history buffer
Ctrl+n or Down Arrow Moves down to the next command line in the history buffer
Ctrl+r Searches the command history in reverse order
Esc+c Capitalizes the letter at the cursor, for example, make the
first character uppercase and the rest of the word lowercase
Ctrl+c Enters the Operational mode
Ctrl+t Transposes characters
ESC+m Enters multi-line mode (>):
[Entering Multiline mode, exit with ctrl-D.]
Ctrl+z Returns to Operational mode
CLI Messages
The CLI displays relevant messages in response to executed commands:

Table 4: CLI Messages

CLI Message Description
syntax error: Displayed when the entry is not a legal command:

expecting
device-name#shiw
----------------^
syntax error: expecting
clear - Clear parameter
commit - Confirm a pending commit
compare - Compare running configuration to another
configuration or a file
complete-on-space -
config - Manipulate software configuration information
defaults-display - Shows default values when showing the configuration
file - Perform file operations
help - Provide help information
history - Configure history size
idle-timeout - Configure idle timeout
logout - Logout a user
mpls - mpls related commands
no - Negate a command or set its defaults
oam -
ping - Send ICMP ECHO_REQUEST to network hosts
run - Exec CLI script command
send - Send message to terminal of one or all users
show - Show information about the system
ssh - ssh to network hosts
system -
telnet - telnet to network hosts
tool -
traceroute - Print the route packets trace to network host
who - Display currently logged on users
write - Write configuration
Syntax error: Displayed when the user types a valid command but fails to type the
incomplete path commands required arguments:
device-name(config)#port
------------------------^
Error: incomplete path: 'port'
syntax error: Displayed when the user types too few characters. In these cases, the
Possible CLI detects an ambiguity and displays the possible matches:
alternatives
starting with device-name(config)#re
-----------------------^
syntax error:
Possible alternatives starting with re:
resolved - Conflicts have been resolved
revert - Copy configuration from running
Regular Expressions
Regular expressions are a subset of EGREP and AWK programming-language regular expressions.

Table 5: Common Regular Expressions

Key Function
. Matches any character

^ Matches the beginning of a string
$ Matches the end of a string
[abc...] Character class that matches any of the characters: abc
To specify a character range, type a pair of characters separated by a -.
[^abc...] Negated character class that matches any character except abc....
r1 | r2 Matches either r1 or r2
r1r2 Matches r1 and then r2
r+ Matches one or more r
r* Matches zero or more r
r? Matches zero or one r
(r) Matches a pattern group
General Operational Mode Commands

device-name#
- clear {history | fdb | lag | oam | port | access-group-statistics |
igmp-statistics | log | l2-tunneling-statistics | mac-violation}
- [no] complete-on-space
- [no] defaults-display
- help COMMAND
- [no] history <size>
- logout [session <session-number> | user USER-NAME]
- send {USER-NAME | all} MESSAGE
- show
- who
- write <terminal>
Table 6: General Operational Mode Commands

Command Description
device-name# Operational mode

clear {history | fdb | lag | oam | Clears all history records
port | access-group-statistics |
igmp-statistics | log | l2-
tunneling-statistics | mac-
violation}
complete-on-space Allows CLI to autocomplete a command also when

the user types the space character
no complete-on-space Disables the option

Command Description
defaults-display Defines whether to display defaults settings

no defaults-display Disables the option
help COMMAND Displays a help text for the selected command
history <size> Specifies the number of commands kept in the

history list:
size: in the range of <0-100>
no history Restores to default
logout [session <session number> Terminates the specified session

| user USER-NAME]
session number: the session number,
in the valid range of <1101>
USER-NAME: the specific users
session
send {USER-NAME | all} MESSAGE Sends immediate messages from your terminal to
one or more terminals
USER-NAME: send an immediate message
to the selected user
all: send an immediate message to all
users
MESSAGE: text string
show Pls refer to specific feature chapter to get more
information of the relevant show commands
who Displays information about currently logged on users
(such as session number, user name, and date)
write terminal Displays the running configuration that differs from
the factory default values
show running-config
General Configuration Mode Commands

device-name#
+ config terminal
- abort
- clear
- commit [comment COMMENT-DESCRIPTION]
- commit label LABEL-DESCRIPTION
- commit persist-id <id>
- move
- do COMMAND
- end [no-confirm]
- exit [configuration-mode | level | no-confirm]
- help COMMAND
- pwd

- resolved
- revert [no-confirm]
- rollback configuration [<number>]
- show {configuration COMMAND | full-configuration COMMAND |
history <number of items to show> | parser dump [COMMAND]}
-
- top COMMAND
- validate
Table 7: General Configuration Mode Commands

Command Description
config terminal Enters the Configuration mode

abort Ends the Configuration mode and returns to the
Operational mode without committing the current
configuration
clear Clears all uncommitted configuration changes
do COMMAND Executes an operational mode command in the

Configuration mode
end [no-confirm] Exits the Configuration mode and commits
uncommitted configuration changes
no-confirm: exits the Configuration
mode without to commit the current
configuration. It returns you
directly in the Operational mode
exit [configuration-mode | level | no- configuration-mode: exits the
confirm]
Configuration mode and commits the
uncommitted configuration changes.
It returns one mode level back
level: exits from the current mode
level. It returns one mode level
back
configuration
level
help COMMAND Displays the help text for the selected command
pwd Displays the current mode

Command Description
resolved If configuration conflicts are detected between

your configuration changes and the existing
running configuration during the commit
operation, a message prompts you to select a
conflict resolution:
Aborted: there are conflicts.
---------------------------------------
-
Resolve needed before configuration can
be committed. View conflicts with
the command 'show configuration' and
execute the command 'resolved'
when done, or
exit configuration mode to abort.
Conflicting configuration items are
indicated with a leading '!'
Conflicting users: admin
---------------------------------------
-
Use the resolved command to confirm the
resolution for the pending
changes.
revert [no-confirm] Copies the running configuration into candidate

configuration
configuration
rollback configuration [<number>] Returns the configuration to a previously
committed configuration:
number: the number of old
configuration to be restored
show {configuration COMMAND | full- configuration: displays the current
configuration COMMAND | history configuration that is still not
<value> | parser dump [COMMAND]} committed
full-configuration: displays the
whole configuration
history <value>: displays a list of
recorded commands in the current
CLI session, in the range of <0-
32000>
parser dump COMMAND: displays all
the commands (and subcommands)
available in a particular
configuration context

Command Description
show configuration {commit changes number: configuration session

<number> | diff COMMAND | merge number
COMMAND | rollback changes
<number> | running | this commit changes: displays the result
COMMAND} of comparing a committed
configuration (specified by a
number) to the candidate
configuration
rollback changes: displays the
result of comparing a rollback
configuration (specified by a
number) to the candidate
configuration
diff COMMAND: displays the
differences between the candidate
configuration and the committed
configuration per category
merge COMMAND: displays the result
of merging the candidate
configuration and the committed
configuration
running: displays the content of
the running configuration
this COMMAND: displays the
configuration changes for a
specific feature
top COMMAND Returns you to the Configuration mode from any
other mode, and executes the selected command
in the Configuration mode
validate Validates the current configuration
Filtering the show Command Output

The output of the show commands can generate a large amount of data. To display only a subset of
information, type the Pipe character (|) followed by a specific keyword and a regular expression.
The below table shows the filtering options for the show command.
Table 8: Show Command Filter Options
Command Description
show command | append file-name Redirects the command output into an existing
file, located on NVRAM, FTP, or TFTP.
show command | begin regular- Begins unfiltered command output with the first
expression line that contains the regular expression.
show command | count Counts the number of lines in the output.
show command | details (only for the show running-config command)

Displays all output elements.
show command | display {xml | txt} (only for the show running-config command)
Displays the command output in XML or text
format

Command Description
show command | extended (only for the show running-config command)

Displays extended command output.
show command | exclude regular- Displays output lines that do not contain the
expression regular expression.
show command | include regular- Displays output lines that contain the regular
expression expression.
show command | linnum Numbers the command output rows.
show command | more Allows the command output to be sent to the

screen one page at a time.
show command | nomore Displays the command output all at once instead
of one screen at a time.
show command | tab (only for the show running-config command)
Applies table format on the command output.
show command | save file-name Saves the command output to a file.
show command | until regular- Ends with the line that matches the regular
expression expression.
Examples:
To display the interface starting with ethernet0, execute the following command:
device-nameH#show router interface | begin outBand0
outBand0 up 10.3.155.5 255.255.0.0 10.3.255.255 1500 |
========================================================================
To display only the route statements from the running-config, execute the following command:
device-name#show running-config | include route
router
router-id 2.2.2.2
To display only lines that start with 127, execute the following command:
device-name#show Routes | include ^127
127.0.0.0/8 0.0.0.0 connect 0 selected ifindex active,fib
0 0s lo
127.0.0.1/32 0.0.0.0 connect 0 selected,self_ip ifindex active,fib
0 0s lo
To display the whole configuration except for the access-lists, execute the following command:
device-name#show running-config | exclude access-list
To save your current configuration, execute the following command:

device-name#show running-config | save test2.cfg
Verify the result, by using the following command:

device-name#file ls
1 Jan 2009 28.0k 2
1 Jan 2009 4.0k test1.cfg
1 Jan 2009 40.0k ttt.cfg

1 Jan 05:05 36.0k test2.cfg

Number of files: 4, 108K
Flash Size: Size
56.2M
Used Space: Used
44.6M
Free Space: Available
11.6M
To count the number of LSPs, execute the following command:

device-name#show running-config | include lsp | count
Count: 11 lines

The range Expression

The range expression enables you to modify, delete, or display ranges of values in one single
command, at the same time. Only group of VLANs can be created using range option.
device-name(config)#vlan range 500-502 tagged 1/1/1
Creating VLAN configuration. Please, wait ...
device-name(config-tagged- 1/1/1)#
NOTE
The range expression can be applied only on integer values.
The range expression can be omitted.
The range expression cannot be used for creating a new range of values.
Example 1:
device-name(config)#router
device-name(config-router)#rsvp-te
device-name(config-rsvp-te)#lsp
<lsp-id:int> range
device-name(config-rsvp-te)#lsp range 53-57, 1000
device-name(config-lsp-53-57,1000)#show full-configuration
router
rsvp-te
lsp 53
far-end 3.3.3.3
name 53
fast-reroute-mode facility
admin-group exclude-any 11
!
cspf
no shutdown
!
lsp 54
far-end 4.4.4.4
name 54
cspf
no shutdown
!
lsp 56
far-end 6.6.6.6
name 56
!
cspf
no shutdown

!
lsp 57
far-end 7.7.7.7
name 57
cspf
no shutdown
!
lsp 1000
far-end 6.6.6.6
name manual_bypass
guarded-destination 67.0.0.6
cspf
no shutdown
!
!
!
Example 2:
device-name(config-rsvp-te)#lsp
<lsp-id:int> range
device-name(config-rsvp-te)#lsp range 5*
device-name(config-lsp-5*)#show full-configuration
router
rsvp-te
lsp 53
far-end 3.3.3.3
name 53
!
cspf
no shutdown
!
lsp 54
far-end 4.4.4.4
name 54
cspf
no shutdown
!
lsp 56
far-end 6.6.6.6
name 56

!
cspf
no shutdown
!
lsp 57
far-end 7.7.7.7
name 57
cspf
no shutdown
!
lsp 58
far-end 8.8.8.8
name 58
cspf
no shutdown
!
!
!
Example 3:
device-name(config)#service
device-name(config-service)#vpls 101-200
device-name(config-vpls-101-200)#shutdown
device-name(config-vpls-101-200)#commit
Commit complete.
Example 4:
device-name(config-service)#no vpls * spoke 3
device-name(config-service)#show configuration
service
vpls 101
no spoke-sdp 3
!
vpls 102
no spoke-sdp 3
!
vpls 103
no spoke-sdp 3
!
vpls 104
no spoke-sdp 3
!
vpls 105

no spoke-sdp 3
!
vpls 106
no spoke-sdp 3
!
vpls 107
no spoke-sdp 3
!
vpls 108
no spoke-sdp 3
!
vpls 109
no spoke-sdp 3

Debug Commands
Caution
It is recommended to use the debug commands only under the direction of Technical
Support team when troubleshooting specific problems. Enabling debugging can disrupt
operation of the device when internetworks are experiencing high load conditions.
Command Hierarchy
device-name#
+ config terminal
+ [no] debug
- [no] bm api
- [no] bm api_time
- [no] bm api_call
- [no] bm async_io
- [no] bm drv
- [no] bm fdb
- [no] bm fdb_detailed
- [no] bm init
- [no] bm if_state
- [no] bm notify
- [no] bm oam
- [no] bm proto_1to1
- [no] bm proto_ces_circ
- [no] bm proto_ip
- [no] bm proto_reslink
- [no] bm proto_service
- [no] bm proto_trunk
- [no] bm rx
- [no] bm sfp
- [no] bm stp
- [no] bm tx
- [no] bm vlan
- [no] cfm <value>
- [no] mpls ldp
- [no] mpls prefix-fec
- [no] mpls rsvp
- [no] mpls te

- [no] mpls vpls

- [no] mpls vpws
- [no] system-monitor
- [no] ptp-tc
- [no] raps <value>
- [no] drv acl
- [no] drv core
- [no] drv hqos
- [no] drv init
- [no] drv internal_memory
- [no] drv l2
- [no] drv link
- [no] drv mfib
- [no] drv mpls
- [no] drv param
- [no] drv pktdump
- [no] drv port_monitor
- [no] drv qos
- [no] drv rx
- [no] drv saa
- [no] drv sfp
- [no] drv sfp_event
- [no] drv stp
- [no] drv super_vlan
- [no] drv tls
- [no] drv trunk
- [no] drv tx
- [no] drv vlan
- [no] dot3ah
- [no] ntest
- [no] system-monitor
- [no] snmp-netconf-notification
- [no] ptp-slave
- [no] ospf ipc
- [no] ospf graceful-helper
- [no] ospf assert
- [no] ospf events
- [no] ospf ism_events
- [no] ospf ism_status

- [no] ospf ism_timers

- [no] ospf lsa_flood
- [no] ospf lsa_generate
- [no] ospf lsa_install
- [no] ospf lsa_refresh
- [no] ospf management
- [no] ospf nsm_events
- [no] ospf nsm_status
- [no] ospf nsm_timers
- [no] ospf nssa
- [no] ospf opaque
- [no] ospf pkt_db_desc
- [no] ospf pkt_detail
- [no] ospf pkt_hello
- [no] ospf pkt_ls_ack
- [no] ospf pkt_ls_req
- [no] ospf pkt_ls_upd
- [no] ospf recv
- [no] ospf rm_api
- [no] ospf rm_redistribute
- [no] ospf send
- [no] ospf system
- [no] ospf te
- [no] ospf tsm_events
- [no] ospf tsm_lists
- [no] ospf tsm_send
- [no] ospf tsm_status
- [no] isis authentication
Command Descriptions
To turn off a debug command, enter the no form of the command at the command line.
Table 9: Debug Commands
Command Description
config terminal Enters Configuration mode

debug Enters the Debug Configuration mode
bm api Enables displaying of additional log messages related

to Bridge Manager (BM) Application Programming
Interface (API) server

Command Description
bm api_time Enables displaying of additional log messages related

to the execution time of each BM API
bm drv Enables displaying of additional log messages related
to driver events, received in BM
bm fdb Enables displaying of additional log messages related
to FDB
bm fdb_detailed Enables displaying of additional log messages related
to FDB in details (log messages for each Add/Remove
event)
bm init Enables displaying of additional log messages related
to BM Init flow
bm notify Enables displaying of additional log messages related
to notifications, sent from BM to its clients
bm oam Enables displaying of additional log messages related
to OAM specific logic in BM
bm proto_1to1 Enables displaying of additional log messages related
to one-to-one interfaces
bm proto_ces_circ Enables displaying of additional log messages related
to CES circuit interfaces
bm proto_ip Enables displaying of additional log messages related
to IP interfaces
bm proto_reslink Enables displaying of additional log messages related
to Resilient link interfaces
bm proto_service Enables displaying of additional log messages related
to Virtual Interfaces (VI)
bm proto_trunk Enables displaying of additional log messages related
to Trunk interfaces
bm rx Enables displaying of additional log messages related
to packet receive flow
bm sfp Enables displaying of additional log messages related
to SFP specific logic in BM
bm stp Enables displaying of additional log messages related
to Spanning tree specific logic in BM
bm tx Enables displaying of additional log messages related
to packet transmit flow
bm if_state Enables displaying of additional log messages related
to interface status change
bm async_io Enables displaying of additional log related to async IO

channel
bm api_call Enables displaying of additional log related to each
API call

Command Description
cfm <value> Enables displaying of additional log messages related

to CFM:
value: opens debug logs in the
applications, in the range of <0
4294967295>
mpls ldp Enables displaying of additional log messages related
to MPLS LDP
mpls prefix-fec Enables displaying of additional log messages related
to MPLS Prefix FEC LSP
mpls rsvp Enables displaying of additional log messages related
to MPLS RSVP
mpls te Enables displaying of additional log messages related
to MPLS TE LSP
mpls vpls Enables displaying of additional log messages related
to MPLS VPLS
mpls vpws Enables displaying of additional log messages related
to MPLS VPWS
system-monitor Enables displaying of additional log messages related
to system monitoring
ptp-tc Enables displaying of additional log messages related
to PTP transparent clock
raps <value> Enables displaying of additional log messages related
to RAPS
dot3ah Enables displaying of additional log messages related
to EFM
ntest Enables displaying of additional log messages related
to Network Loopback Test
snmp-netconf-notification Enables displaying of additional log messages related
to SNMP and Netconf notification
ptp-slave Enables displaying of additional log messages related
to PTP Slave clock
bm vlan Enables displaying of additional log messages related

to VLAN operations
drv acl Enables displaying of additional log messages related
to Access Lists
drv core Enables displaying of additional log messages related
to driver low level debug
drv hqos Enables displaying of additional log messages related
to HQoS
drv init Enables displaying of additional log messages related
to driver init flow
drv internal_memory Enables displaying of additional log messages related
to driver internal memory usage
drv l2 Enables displaying of additional log messages related
to MAC address learning

Command Description
drv link Enables displaying of additional log messages related

to physical link events
drv mfib Enables displaying of additional log messages related
to Multicast FIB (MFIB)
drv mpls Enables displaying of additional log messages related
to MPLS
drv param Enables displaying of additional log messages related
to interface parameter handling
drv pktdump Enables displaying of additional log messages related
to detailed dump of packets (combined with tx/rx
debug flags)
drv port_monitor Enables displaying of additional log messages related
to port monitor
drv qos Enables displaying of additional log messages related
to QoS
drv rx Enables displaying of additional log messages related
to packet receive flow
drv saa Enables displaying of additional log messages related
to SAA
drv sfp Enables displaying of additional log messages related
to SFP logic
drv sfp_event Enables displaying of additional log messages related
to SFP events
drv stp Enables displaying of additional log messages related
to STP
drv super_vlan Enables displaying of additional log messages related
to Super VLAN
drv tls Enables displaying of additional log messages related
to TLS
drv trunk Enables displaying of additional log messages related
to link aggregations
drv tx Enables displaying of additional log messages related
to packet transmit flow
drv vlan Enables displaying of additional log messages related
to VLAN operations
ospf ipc Enables displaying of additional log messages related
to Inter-Process communications (IPC) server side
ospf graceful-helper Enables displaying of additional log messages related
to OSPF graceful helper
ospf assert Enables displaying of additional log messages related
to assert errors
ospf events Enables displaying of additional log messages related
to general events and states
ospf ism_events Enables displaying of additional log messages related
to Interface State Machine events

Command Description
ospf ism_status Enables displaying of additional log messages related

to Interface State Machine status
ospf ism_timers Enables displaying of additional log messages related
to Interface State Machine timers
ospf lsa_flood Enables displaying of additional log messages related
to Link State Acknowledgment (LSA) flood process
ospf lsa_generate Enables displaying of additional log messages related
to LSA generation
ospf lsa_install Enables displaying of additional log messages related
to LSA install in local database
ospf lsa_refresh Enables displaying of additional log messages related
to LSA refresh
ospf management Enables displaying of additional log messages related
to management requests
ospf nsm_events Enables displaying of additional log messages related
to Neighbor State Machine events
ospf nsm_status Enables displaying of additional log messages related
to Neighbor State Machine status
ospf nsm_timers Enables displaying of additional log messages related
to Neighbor State Machine timers
ospf nssa Enables displaying of additional log messages related
to Not So Stubby Area (NSSA) LSA handling
ospf opaque Enables displaying of additional log messages related
to Opaque LSA handling
ospf pkt_db_desc Enables displaying of additional log messages related
to Database description packets
ospf pkt_detail Enables displaying of additional log messages related
to Detailed packet debug (dump packet contents)
ospf pkt_hello Enables displaying of additional log messages related
to Hello packets
ospf pkt_ls_ack Enables displaying of additional log messages related
to Link State (LS) Acknowledge packets
ospf pkt_ls_req Enables displaying of additional log messages related
to LS request packets
ospf pkt_ls_upd Enables displaying of additional log messages related
to LS update packets
ospf recv Enables displaying of additional log messages related
to receive packet flow
ospf rm_api Enables displaying of additional log messages related
to interaction with Router Manager
ospf rm_redistribute Enables displaying of additional log messages related
to route redistribution of other protocols
ospf send Enables displaying of additional log messages related
to transmit packet flow

Command Description
ospf system Enables displaying of additional log messages related

to system events
ospf te Enables displaying of additional log messages related
to traffic engineering
ospf tsm_events Enables displaying of additional log messages related
to Traffic Engineering (TE) State Machine events
ospf tsm_lists Enables displaying of additional log messages related
to TE State Machine lists
ospf tsm_send Enables displaying of additional log messages related
to TE State Machine information send
isis authentication Enables displaying of additional log messages related

to ISIS protocol authentication
ospf tsm_status Enables displaying of additional log messages related
to TE State Machine status change

Banner Commands
Commands Hierarchy
+ config terminal
+ system
- [no] banner-ssh STRING
- [no] banner-telnet STRING
Commands Descriptions
Table 10: Banner Commands
Command Description

system Enters System Configuration mode
banner-ssh STRING Specifies a login banner for SSH users:

STRING: in format banner text\n
no banner-ssh Removes the configured banner
banner-telnet STRING Specifies a login banner for Telnet users

STRING: in format banner text\n
no banner-telnet Removes the configured banner

Managing the Device
Table of Contents
Table of Figures 2
List of Tables 3
Features Included in this Chapter 4
Device Management 6
Managing the Device via CLI 6
Managing the Device via SNMP 6
Managing the Device via NETCONF 7
NETCONF Commands 9
DHCP Client 15
DHCP Client Commands 15
Zero-Touch Provisioning 18
DHCP Server Options and Sub-options 18
Zero-Touch Provisioning Commands 19
Example21
MAC Address Table (FDB) 24

MAC Address Table Commands25
MAC Address Table Configuration Example 30
MAC Learning Security Policies 31

Port Security 31
Port Limit 31
MAC Learning Security Profile Commands 32
Files System 37
File System Configuration Commands 37
Software Upgrade Example 44
System Time and Date 47
Managing the Device (Rev. 01) Page 1

Network Time Protocol (NTP) 47

Summer Time (Daylight Saving Time) 47
System Time and Date Configuration Commands 47
Domain Name System (DNS) Client 52

DNS Client Configuration Commands 52
Virtual Terminal Interface (VTY) 53

VTY Session Configuration Commands 53
License Configuration 54
Session Limiting 55
Sessions Limiting Commands 55
Remote Monitoring 57
RMON Ethernet Statistics Group 57
RMON Commands 59
Service Statistics Collection 64

Service Statistics Commands 64
Command Descriptions 65
System Logs Message 70

System Logs Message Format 70
Settings and Values 71
System Log Commands 73
Commands Descriptions 73
Configuration Example 76
Denial of Service (DoS) Attack Prevention 77

DoS Attack Prevention Commands 77
Reload Commands 80
Control Plane Policing 82
Supported Standards, MIBs, and RFCs84
Table of Figures
Figure 1: Obtaining an IP Address from a DHCP Server.............................................................. 15
Figure 2: ZTP Process with Option 43 ............................................................................................. 18
Page 2 Managing the Device (Rev. 01)

List of Tables
Table 1: NETCONF Standard Capabilities ........................................................................................ 7
Table 2: NETCONF Commands ........................................................................................................ 9
Table 3: DHCP Client Commands ................................................................................................... 16
Table 4: ZTP Commands .................................................................................................................... 20
Table 5: MAC Address Table Commands ........................................................................................ 25
Table 6: MAC Learning Security Profile Commands...................................................................... 33
Table 7: File System Commands ........................................................................................................ 38
Table 8: System Time and Date Commands .................................................................................... 48
Table 9: DNS Client Commands ....................................................................................................... 52
Table 10: VTY Session Commands ................................................................................................... 53
Table 11: License Commands ............................................................................................................. 54
Table 12: Sessions Limiting Commands ........................................................................................... 55
Table 13: RMON Commands ............................................................................................................ 60
Table 14: Counters Displayed by the show rmon statistics Command ..................... 62
Table 15: Service Statistics Commands ............................................................................................. 65
Table 16: System Message Fields........................................................................................................ 70
Table 17: Severity Levels ..................................................................................................................... 71
Table 18: Syslog Message Facilities .................................................................................................... 72
Table 19: System Log Commands...................................................................................................... 73
Table 20: DoS Commands .................................................................................................................. 78
Table 21: The reload Command ................................................................................................... 80
Table 22: CoPP Commands ................................................................................................................ 82

Features Included in this Chapter

This chapter consists of these sections:
Device Management
The device management enables system administrators to access, control and update
network devices.
DHCP Client
It is possible to obtain configuration parameters such as an IP address and a lease for the
IP address, using DHCP.
Zero-Touch Provisioning
Zero-Touch Provisioning (ZTP) automates configuration of the T-Marc 3312SC/T-Marc
3312SCH device.
MAC Address Table (FDB)
The device forwards traffic between ports using addresses contained in the MAC address
table (also known as the Forwarding Database). The devices maintain a database of MAC
addresses, both static entries, which are manually configured, and dynamic entries learned
by the device.
MAC Learning Security Policies
Port security and port limit policies control how many addresses the device can learn
from a particular port.
Files System
The File System manages software images and configuration files stored in flash memory
and used by the devices.
System Time and Date
Protocols, such as the Network Time Protocol (NTP), help you automatically configure
system date and time for your device. NTP synchronizes device clocks over TCP/IP
networks thereby ensuring consistent file timestamps and proper correlation of log files.
Domain Name System (DNS) Client
The client-side of the DNS initiates and sequences queries leading to translation of a
domain name into an IP address.
Virtual Terminal Interface (VTY)
The Virtual Terminal Interface (VTY) controls access to Command Line Interface (CLI)
for device management.
License Configuration
The section contains information about device license configuration.
Session Limiting
You can configure the number of sessions that are held to the device.
Remote Monitoring
Remote Monitoring (RMON) is a standard monitoring specification that enables network
monitors.

Service Statistics Collection

Service statistics provide important information for troubleshooting device problems at
the service level.
System Logs Message
The application software provides system log messages that are useful to the system
administrator for troubleshooting problems in the network.
Denial of Service (DoS) Attack Prevention
This section describes denial of service (DoS) attacks and how the BiNOX operating
system defends against DoS attacks.
Reload Commands
To reload the device, use any of the reload commands.
Control Plane Policing
CoPP feature increases security on the device by protecting the CPU from unused IPv4
reserved multicast traffic.

Device Management
Managing the Device via CLI
You can establish a CLI connection with the device by either:
Connecting the devices console port to your PC. For information about connecting to the
console port, see the devices Installation guide.
Using any Telnet TCP/IP or encrypted Secure Shell (SSH) package from a remote PC. For
information see the Device Authentication chapter of this User Guide.
Managing the Device via SNMP

You can manage the device using any SNMP based management application.
To manage the device via SNMP:
1. Enable the SNMP protocol on the device (refer to the SNMP chapter of this user guide).
2. Verify that the Management Information Bases (MIBs) provided with the release are installed
on the management PC.
3. Connect your PC to a device port that is assigned to VLAN 1 (the default VLAN, refer to the
VLANs chapter of this User Guide)
4. Permit device management access on VLAN 1 (refer to the VLANs chapter of this User
Guide).

Managing the Device via NETCONF

NETCONF is a network management protocol defined by IETF. It provides a simple mechanism
for managing network devices, retrieving configuration-data information, and uploading and
manipulating new configuration data.
The NETCONF protocol uses the Remote Procedure Call (RPC) model. The Netconf Manager (client)
sends a set of RPC request operations that trigger the Netconf Agent (server, in this case T-Marc
3312SC/T-Marc 3312SCH ) to respond with a corresponding set of RPC replies.
NETCONF provides the following features:
distinction between configuration and state data
multiple configuration datastores (such as running and startup)
support for configuration change transactions
configuration testing and validation support
selective data retrieval with filtering
streaming and playback of event notifications
extensible remote procedure call mechanism
NETCONF Sessions
A NETCONF session is the logical connection between a network administrator or network
configuration-application and a network device.
NETCONF Capabilities
NETCONF capabilities are a set of functionalities that supplement the base NETCONF
specification.
NETCONF allows the client to discover the capabilities supported by the server. These capabilities
are sent to the management PC.
Table 1: NETCONF Standard Capabilities
Command Description
:candidate The agent allows this special database to be locked,

edited, saved, and unlocked. The agent also supports the
operations:
<discard-changes>: clears all changes from the
<candidate/> configuration database and makes it
matching the <running/> configuration database
<commit>: commits the contents of the <candidate/>
configuration database to the <running/>
configuration database

Command Description
:confirmed-commit This special mode requires an agent to send two

<commit> RPC requests instead of one, to save any
changes to the <running/> database. If the second request
does not arrive within a specified time interval, the agent
automatically reverts the running configuration to the
previous version.
:interleave The agent accepts <rpc> requests (besides <close-
session>) while notification delivery is active. The
:notification capability must also be present if this
capability is advertised.
:notification The agent supports the basic notification delivery
mechanisms defined in RFC 5277. The <create-
subscription> operation (creates a NETCONF notification
subscription) is accepted by the agent. Unless the
:interleave capability is also supported, only the
<close-session> operation (terminates this session) must
be supported by the agent while notification delivery is
active.
:rollback-on-error The agent supports the rollback-on-error value for the
<error-option> parameter to the <edit-config> operation
(modifies a configuration database). If any error occurs
during the requested edit operation, the target database
(usually the running configuration) will be left affected.
This provides an all-or-nothing edit mode for a single
<edit-config> request.
:url The agent supports the <url> parameter value form to
specify protocol operation source and target parameters.
The capability URI for this feature indicates which
schemes (File, HTTPS, SFTP) the agent supports within a
particular URL value. The File allows editable local
configuration databases. The other allows remote storage
of configuration databases.
:validate The agent supports the <validate> operation. When this
operation is requested on a target database, the agent
performs some amount of parameter validation and
referential integrity checking. Since the standard does not
define exactly what must be validated by this operation, a
manager cannot really rely on it for anything useful.
This operation is used to validate a complete database.
There is no standard way to validate a single edit request
against a target database, however a non-standard set-
option for the <edit-config> operation called test-only was
defined for this purpose.
:writable-running The agent allows the manager to change the running
configuration directly. Either this capability or the
:candidate capability is supported by the agent.
:xpath The agent fully supports the XPath 1.0 specification for
filtered retrieval of configuration and other database
contents. The type attribute within the <filter> parameter
for <get> and <get-config> operations may be set to
xpath. The select attribute (which contains the XPath
expression) is also supported by the agent.

NETCONF Commands
Commands Hierarchy
+ config terminal
+ system
+ [no] netconf-server
- [no] access source-ip A.B.C.D/M
- [no] source-address A.B.C.D
- [no] port <value>
- [no] shutdown
Table 2: NETCONF Commands
Command Description

netconf-server Enters NETCONF Configuration mode
no netconf-server Removes NETCONF configuration details
access source-ip A.B.C.D/M Limits the access to the NETCONF server only
from the specific sources IP address(es):
A.B.C.D/M: IP address and subnet
mask (in a dotted-decimal format)
that identify a network or hosts.
A.B.C.D/32 specifies a specific IP
address.
no access source-ip Removes the trusted IP address(es)
source-address A.B.C.D Configures NETCONF server to listen on a

specified IP address for incoming connections.
The connections are restricted to a specific
router interface including loopbacks.
A.B.C.D: IP address, in a dotted-
decimal format
0.0.0.0 (listen on all defined router
interfaces)
no source-address Restores to default
port <value> Specifies the port through which the NETCONF

connection is established:
number: the port number, in the
range of <165535>
Port 830
no port Restores to default

Command Description
shutdown Disables the NETCONF server

The NETCONF server is disabled
no shutdown Re-enables the NETCONF server
Accessing the Device via NETCONF

To access the device via NETCONF:
5. Open an SSH2 connection to the NETCONF sub-system:
ssh -s -p830 admin@10.4.4.69 netconf
6. Type the device password (default password is admin):

admin@10.4.4.69's password:admin
7. The agent and the manager both send a hello message and a set of capabilities are displayed:
<?xml version="1.0" encoding="UTF-8"?>
<hello xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
<capabilities>
<capability>urn:ietf:params:netconf:base:1.0</capability>
</capabilities>
</hello>]]>]]>
NETCONF Configuration Example

1. Display the port 1/1/1 configuration:
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="9">
<get>
<filter type="xpath" select="/interfaces/interface[name='1/1/1']"/>
</get>
</rpc>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="9">

<data>
<interfaces xmlns="http://batm.com/ns/bridge/1.0">
<interface>
<name>1/1/1</name>
<ifMtu>1544</ifMtu>
<ifSpeed>auto</ifSpeed>
<ifDuplex>auto</ifDuplex>
<ifAdminStatus>up</ifAdminStatus>
<ifPromiscuousMode>false</ifPromiscuousMode>
<ifLinkUpDownTrapEnable>disabled</ifLinkUpDownTrapEnable>
<ip>0.0.0.0/0</ip>
<defaultVlan>1</defaultVlan>
<ifLearnNewMacAddresses/>
<clear/>
<InterfaceReadOnlyData>
<ifIndex>3</ifIndex>

<ifType>ethernetCsmacd</ifType>
<ifPhysAddress>00:50:43:40:bf:bf</ifPhysAddress>
<ifOperStatus>down</ifOperStatus>
<ifLastChange>0</ifLastChange>
<ifMedia>not-installed</ifMedia>
<ifOperSpeed>unknown</ifOperSpeed>
<ifOperDuplex>unknown</ifOperDuplex>
<ifInterfaceDual>single</ifInterfaceDual>
<ifInterfaceActive>not-relevant</ifInterfaceActive>
<ifFlowCtrl>disabled</ifFlowCtrl>
<ifIp>0.0.0.0</ifIp>
<ifMask>0.0.0.0</ifMask>
<ifBcast>0.0.0.0</ifBcast>
<ifMediaTxType>Unknown</ifMediaTxType>
<ifMediaConType>Unknown</ifMediaConType>
<ifMediaSonetComp>42</ifMediaSonetComp>
<ifMediaEthComp>42</ifMediaEthComp>
<ifMediaLengthSMF>0</ifMediaLengthSMF>
<ifMediaLength50UM>0</ifMediaLength50UM>
<ifMediaLength62UM>0</ifMediaLength62UM>
<ifMediaLengthCu>0</ifMediaLengthCu>
<ifMediaLengthOM3>0</ifMediaLengthOM3>
<ifMediaTxTech>42</ifMediaTxTech>
<ifMediaMode>42</ifMediaMode>
<ifMediaSpeed>42</ifMediaSpeed>
<ifMediaEncoding>42</ifMediaEncoding>
<ifMediaBitrate>42</ifMediaBitrate>
<ifMediaVendorID>N/A</ifMediaVendorID>
<ifMediaVendorName>N/A</ifMediaVendorName>
<ifMediaVendorSN>N/A</ifMediaVendorSN>
<ifMediaVendorPN>N/A</ifMediaVendorPN>
<ifMediaVendorRev>N/A</ifMediaVendorRev>
<ifMediaVendorManufacturingDate>N/A</ifMediaVendorManufactur
ingDate>
<ifMediaCalibMode>42</ifMediaCalibMode>
</InterfaceReadOnlyData>
<Counters>
<ifInOctets>0</ifInOctets>
<ifInUcastPkts>0</ifInUcastPkts>
<ifInNUcastPkts>0</ifInNUcastPkts>
<ifInDiscards>0</ifInDiscards>
<ifInErrors>0</ifInErrors>
<ifInUnknownProtos>0</ifInUnknownProtos>
<ifOutOctets>0</ifOutOctets>
<ifOutUcastPkts>0</ifOutUcastPkts>
<ifOutNUcastPkts>0</ifOutNUcastPkts>
<ifOutDiscards>0</ifOutDiscards>
<ifOutErrors>0</ifOutErrors>
<ifOutQLen>0</ifOutQLen>
<ifSpecific>1.2.3</ifSpecific>
<ifInMulticastPkts>0</ifInMulticastPkts>
<ifInBroadcastPkts>0</ifInBroadcastPkts>

<ifOutMulticastPkts>0</ifOutMulticastPkts>
<ifOutBroadcastPkts>0</ifOutBroadcastPkts>
<ifHCInOctets>0</ifHCInOctets>
<ifHCInUcastPkts>0</ifHCInUcastPkts>
<ifHCInMulticastPkts>0</ifHCInMulticastPkts>
<ifHCInBroadcastPkts>0</ifHCInBroadcastPkts>
<ifHCOutOctets>0</ifHCOutOctets>
<ifHCOutUcastPkts>0</ifHCOutUcastPkts>
<ifHCOutMulticastPkts>0</ifHCOutMulticastPkts>
<ifHCOutBroadcastPkts>0</ifHCOutBroadcastPkts>
<ifHighSpeed>0</ifHighSpeed>
<ifConnectorPresent>true</ifConnectorPresent>
<ifCounterDiscontinuityTime>0</ifCounterDiscontinuityTime>
<ifUndersizePkts>0</ifUndersizePkts>
<ifOversizePkts>0</ifOversizePkts>
<ifFragmentsPkts>0</ifFragmentsPkts>
<ifJabberPkts>0</ifJabberPkts>
<ifCRCAligneErrorPkts>0</ifCRCAligneErrorPkts>
<ifCollisionsPkts>0</ifCollisionsPkts>
<ifFra64Pkts>0</ifFra64Pkts>
<ifFra65to127Pkts>0</ifFra65to127Pkts>
<ifTotalOctets>0</ifTotalOctets>
<ifTotalInPkts>0</ifTotalInPkts>
<ifTotalPkts>0</ifTotalPkts>
<ifTotalBcastPkts>0</ifTotalBcastPkts>
<ifTotalMcastPkts>0</ifTotalMcastPkts>
<ifTotalOutPkts>0</ifTotalOutPkts>
<ifAlignErr>0</ifAlignErr>
<ifFCSErr>0</ifFCSErr>
<ifSQETestErr>0</ifSQETestErr>
<ifCSEErr>0</ifCSEErr>
<ifSymbolErr>0</ifSymbolErr>
<ifMacTxErr>0</ifMacTxErr>
<ifMacRxErr>0</ifMacRxErr>
<ifTooLongFra>0</ifTooLongFra>
<ifSnglCollision>0</ifSnglCollision>
<ifMultCollision>0</ifMultCollision>
<ifLateCollision>0</ifLateCollision>
<ifExcessCollision>0</ifExcessCollision>
<ifInUnknownOpcode>0</ifInUnknownOpcode>
<ifDefferedTx>0</ifDefferedTx>
</Counters>
<efm-oam xmlns="http://batm.com/ns/efm/1.0">
<oper-status>linkFault</oper-status>
<maximum-pdu-size>0</maximum-pdu-size>
<config-revision>0</config-revision>
<functions-supported>eventSupport
variableSupport</functions

-supported>
<packets-sent>0</packets-sent>
<packets-received>0</packets-received>
<loopback-status>noLoopback</loopback-status>
<get-forward-status>None</get-forward-status>
<get-forward-shutdown>None</get-forward-shutdown>
</efm-oam>
</interface>
</interfaces>
</data>
</rpc-reply>
2. Change the port default VLAN to 2:

<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="15">
<edit-config>
<target>
<running/>
</target>
<config>
<interfaces xmlns="http://batm.com/ns/bridge/1.0">
<interface>
<name>1/1/1</name>
<defaultVlan>2</defaultVlan>
</interface>
</interfaces>
</config>
</edit-config>
</rpc>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="15">

<ok/>
</rpc-reply>
CES Configuration Example via NETCONF

NOTE
Command for changing the mode does not restart the device. It must be done
by the user.
There are no commands for changing the mask, IP gateway, clock, and policy.
Changing the working mode does not remove automatically all configured
commands related to the previous mode. Therefore, all previously configured
options as interface framings, circuits, etc. must be removed manually via XML
file.
. . .
<module>
<name>1/3</name>
<interface>
<e1-interfaces>
<interface>
<name>e1-2.0.0.0</name>
<framing>cas</framing>

<clock>adaptive</clock>
<clock-controller>
<number>primary</number>
<circuit>2</circuit>
</clock-controller>
</interface>
</e1-interfaces>
</interface>
<circuit>
<number>2</number>
<interface>e1-2.0.0.0</interface>
<timeslots>1-15,17-31</timeslots>
<vlan-id>10</vlan-id>
<destination>
<ip-address>1.2.3.4</ip-address>
</destination>
</circuit>
<circuit>
<number>3</number>
<interface>e1-3.0.0.0</interface>
</circuit>
</module>
. . .

DHCP Client
Once the device is configured as a DHCP Client, it is possible to obtain configuration parameters
such as an IP address and a lease for the IP address, using DHCProtocol.
The figure below shows the basic steps that occur when a DHCP client requests an IP address
from a DHCP server. A DHCP client may receive offers from multiple DHCP servers and can
accept any one of the offers; however, the client usually accepts the first offer it receives.
Additionally, the offer from the DHCP server is not a guarantee that the IP address will be
allocated to the client; however, the server usually reserves the address until the client has had a
chance to formally request the address.
The negotiation starts with a DHCPDISCOVER broadcast message from the client seeking a
DHCP server. The DHCP Server responds with a DHCPOFFER unicast message offering
configuration parameters to the client. The client returns a DHCPREQUEST broadcast message
requesting the offered IP address from the DHCP Server. The DHCP Server responds with a
DHCPACK unicast message confirming that the IP address has been allocated to the client.
Figure 1: Obtaining an IP Address from a DHCP Server
The client may suggest values for the IP address and lease time in the DHCPDISCOVER message.
The client may include the requested IP address option to suggest that a particular IP address can be
assigned, and may include the IP address lease time option to suggest the lease time it would like to
have it. The requested IP address option is filled in a DHCPREQUEST message only when the client
is verifying network parameters obtained previously.
If a server receives a DHCPREQUEST message with an invalid requested IP address, the server
should respond to the client with a DHCPNAK message and may choose to report the problem to
the system administrator. The server may include an error message in the message option.
DHCP Client Commands

Command Hierarchy
device-name#
+ config terminal

+ [no] router
+ [no] interface swN
- [no] address dynamic
+ [no] dhcp-client
- [no] client-identifier ID
- [no] lease-time <value>
- [no] retransmission-attempt <value>
- [no] retransmission-interval <value>
- [no] vendor-id ID
- show router interface dynamic [name swN]
Table 3: DHCP Client Commands
Command Description

router Enters the Router Configuration mode
no router Removes the router configurations
interface swN Creates an IP interface and enters Configuration

Mode for the IP-Interface:
swN: an IP interface number in the
range of <09999>
no interface swN Removes the created IP interface:
range of <09999>
NOTE
To remove the created IP interface,
remove the IP interface from all
VLANs of which it is a member.
address dynamic Enables the dynamically assigning of IP
addresses to the device
no address dynamic Disables the dynamically assigning of IP
addresses to the device
dhcp-client Enters the DHCP Client Configuration mode
no dhcp-client Removes the DHCP Client configuration
client-identifier ID Specifies DHCP Client identifier. The

combination of 'client identifier' and assigned
network address constitute a unique identifier for
the client's lease and are used by the DHCP
client and server to identify a lease referred in
any DHCP messages.
ID: any string up to 20
characters
no client-identifier Removes the configured ID

lease-time <value> Configures the duration of the lease for an IP

address that is requested from a DHCP client:
value: in the range of 1-21600
minutes
1440
no lease-time Restores to default
retransmission-attempt Specifies the number of attempts, which the
<value> DHCP client makes to locate a DHCP server and
obtain an IP address from it:
value: 1-10
5
no retransmission-attempt Restores to default
retransmission-interval Specifies the time between successive
<value> retransmission attempts:
value: 1-10 seconds
3
no retransmission-interval Restores to default
vendor-id ID Specifies the Vendor identifier. DHCP clients and

servers may use this option to exchange vendor-
specific information.
ID: any string up to 20
characters
Telco
no vendor-id Restores to default
show router interface dynamic [name swN] Displays general dynamic DHCP information or
for a specific IP interface:
name swN: an IP interface number
in the range of <09999>
Examples:
device#show router interface dynamic
===============================================================================
Name |Status|IP Address |Network Mask |Server | Lease Time (min) | Expire Time
--------+------+---------------+---------------+---------------+---------------
sw0 |up |10.10.10.123 |255.255.0.0 |10.10.10.122 |10 |4 2009/01/01 01:48
===============================================================================
device#show router interface dynamic name sw0

DHCP
-------------------------------------------------------------------------------
Server: 10.10.10.122
IP Address: 10.10.10.123
Network Mask: 255.255.0.0
Lease Time 600
Expire Time 4 2009/01/01 01:48:56

Zero-Touch Provisioning
Zero Touch Provisioning (ZTP) allows you to automate configuration of the T-Marc 3312SC/T-
Marc 3312SCH device, without manual intervention. When ZTP process is activated and the device
is physically connected to the network, after its booting with a default factory configuration, the
Dynamic Host Configuration Protocol (DHCP) server provides IP address, necessary software
image and configuration files. The device attempts to upgrade the BINOX OS software
automatically and/or install the provided configuration file.
Figure 2: ZTP Process with Option 43
DHCP Server Options and Sub-options

Following options and sub-options need to be considered during configuring the DHCP server:
1. DHCP option 43, sub-option 01 - defines the transfer mode setting. The device accesses the
FTP/TFTP server using the specified transfer mode setting.
By default, TFTP transfer mode is used.
2. DHCP option 43, sub-option 02 defines the name or IP address of the FTP/TFTP server
containing the configuration file.
3. DHCP option 43, sub-option 03 defines the exact path where the configuration file is stored
on the FTP/TFTP server.
4. DHCP option 43, sub-option 04 - defines the name of the configuration file stored on the
FTP/TFTP server.
5. DHCP option 43, sub-option 05 - defines the version of the configuration file on the
FTP/TFTP server. The device compares the version of the provided configuration file to the
version of the configuration file on the device.
If DHCP option 43 sub-option 05 is not specified, the configuration file is downloaded and
handled unconditionally. If the configuration file version on the FTP/TFTP server is different
than the configuration file on the device, the configuration file is updated.

6. DHCP option 43, sub-option 06 defines the way for applying the configuration file (merge,
replace (causes devices reload), or reload to default (causes device reload)).
By default, merge action is used.
7. DHCP option 43, sub-option 26 defines the protocol type (FTP/TFTP) used to download
image file.
By default, TFTP transfer mode is used.
8. DHCP option 43, sub-option 27 defines the name or IP address of the FTP/TFTP server
containing the image file
9. IDHCP option 43, sub-option 28 defines the exact path where the image file is stored on the
FTP/TFTP server
10. DHCP option 43, sub-option 29 defines the image file name
11. DHCP option 43, sub-option 30 defines the version of the software image. The device
compares the version of the provided software image to the version of the software installed
on the device.
If the BINOX OS versions are different, the device downloads the software image from
the FTP/TFTP server, installs it, and reboots. Then, if requested, ZTP is again activated
to provide configuration file.
If the software versions are the same, the switch does not upgrade the software.
If both DHCP option 43 sub-option 05 and sub-option 30 are specified, sub-option
30 is processed before sub-option 05. The BINOX OS is upgraded, and then the
configuration file is applied.
Sub-option 30 is mandatory, if sub-options 26, 27, and 29 are present.
Sub-options 26, 27, 28, 29 and 30 are optional.
If the sub-options 03 and 28 are not present, then the file is in the root directory.
12. DHCP option 150 or option 66 - defines the IP address of the FTP or TFTP server. You
must configure either option 150 or option 66. If you configure both option 150 and option
66, option 150 takes precedence, and option 66 is ignored.
13. DHCP option 67 - defines the boot file name.
If options 66/150 and 67 are considered, the provided boot file will replace the
existing configuration; the device is reloaded.
If options 43, 66, 67 and 150 are specified, the option 43 is processed.
Zero-Touch Provisioning Commands
Command Hierarchy
device-name#
+ config terminal
+ [no] zero-touch
- [no] dhcp-ip-version {v4 | v6}
- [no] interface swN
- [no] retry <value>
- [no] shutdown

- [no] timeout <value>

- show zero-touch
Table 4: ZTP Commands
Command Description

zero-touch Enters Zero-Touch Provisioning Configuration
mode
no zero-touch Removes ZTP configurations
dhcp-ip-version {v4 | v6} Specifies the DHCProtocol versions:
v4: configures IPv4 hosts with
IP addresses
v6: configures IPv6 hosts with
IP addresses
v4
no dhcp-ip-version Restores to default
interface swN
Specifies an IP interface, used by ZTP to

establish connection to the DHCP server:
swN: an IP interface number in
the range of <09999>
no interface Removes the configured interface
retry <value> Specifies the maximum number of retries for

downloading the image or/and configuration
file:
value: in the range of <1-10>
the number of retries is 1 times
no retry Restores to default
shutdown Disables ZTP
Disabled
no shutdown
Enables ZTP
timeout <value> Specifies the time, ZTP waits for an reply from
DHCP server before considering it
unreachable:
seconds
20 seconds
no timeout Restores to default
show zero-touch Displays zero-touch configuration details.

Example
The following demonstrates how to configure ISC DHCP server using Ubuntu Linux.
Configure the DHCP Server

The configuration file for dhcpd is called /etc/dhcp/dhcpd.conf. Type the following command to
edit the file:
# vi /etc/dhcp/dhcpd.conf
1. Define valid and correct values for all the following operational directives:
option space BATM_ZT;option BATM_ZT.config-file-protocol code 01 = text;
option BATM_ZT.config-server code 02 = text;
option BATM_ZT.config-file-path code 03 = text;
option BATM_ZT.configuration-file code 04 = text;
option BATM_ZT.configuration-file-version code 05 = text;
option BATM_ZT.configuration-file-apply-config code 06 = text;
option BATM_ZT.image-file-protocol code 26 = text;
option BATM_ZT.image-file-server code 27 = text;
option BATM_ZT.image-file-path code 28 = text;
option BATM_ZT.image-file code 29 = text;
option BATM_ZT.image-file-version code 30 = text;
option tftp-server-name code 66 = text ;
option bootfile-name code 67 = text;
option tftp-servers code 150 = array of ip-address;
2. Update also the configuration file with your subnet on which addresses will be assigned
dynamically, as follows:
subnet 123.0.0.0 netmask 255.255.255.0 {
option routers 123.0.0.206;
option subnet-mask 255.255.255.0;
range 123.0.0.10 123.0.0.50;
}
3. Clasify Telco systems devices based on vendor -class- identifier:

class "TelcoSystems" {
match if option vendor-class-identifier ~= "^Telco-ZTP.*";
vendor-option-space BATM_ZT;
option BATM_ZT.config-file-protocol "tftp";
option BATM_ZT.config-server "123.0.0.206";
option BATM_ZT.configuration-file "test.cfg";
option BATM_ZT.configuration-file-version "3";
option BATM_ZT.configuration-file-apply-config "merge";
option BATM_ZT.image-file-protocol "tftp";
option BATM_ZT.image-file-server "123.0.0.206";
option BATM_ZT.image-file-path "";
option BATM_ZT.image-file "5.0.R2.binoxpkg";
option BATM_ZT.image-file-version "7";
option bootfile-name "test.cfg";
option tftp-server-name "123.0.0.206";
option tftp-servers 123.0.0.200,123.0.0.201,123.0.0.206;

Configure the ZTP

1. Specify IP interface to be used by ZTP, riffed to VLAN 10 with untagged member port
1/1/1, assigned to VLAN 10:
device-name(config)#router interface sw10
device-name(config-interface-sw10)#no shutdown
device-name(config-interface-sw10)#vlan 10
device-name(config-vlan-10)#untagged 1/1/3
device-name(config-untagged-1/1/3)#port 1/1/3
device-name(config-port-1/1/3)#commit
Commit complete.
device-name(config-port-1/1/3)#top
2. Configure ZTP:
device-name(config)#zero-touch
device-name(config-zero-touch)#interface sw10
device-name(config-zero-touch)#no shutdown
device-name(config-zero-touch)#commit
Commit complete.
device-name#show zero-touch
===========================================================================
Zero Touch Provisioning
===========================================================================
Interface Timeout (sec) Retry Admin State
---------------------------------------------------------------------------
----
sw10 20 1 Enabled
===========================================================================
---------------------------------------------------------------------------
DHCP
---------------------------------------------------------------------------
Server :123.0.0.206
IP Address :123.0.0.10
Lease Time :10
---------------------------------------------------------------------------
Configuration File Options
---------------------------------------------------------------------------
Server :123.0.0.206
Protocol :tftp
Path :test.cfg
Version :3
Action :merge
---------------------------------------------------------------------------
Configuration Image Options
---------------------------------------------------------------------------

Server :123.0.0.206
Protocol :tftp
Path :5.0.R2.binoxpkg
Version :7
===========================================================================

MAC Address Table (FDB)

Traffic passes through the switch according to information contained in the MAC address table
(also known as the Forwarding Database). Every device has its own MAC address table. For each
MAC address, the entry in the table defines the associated virtual LAN ID (VLAN), the port
number, priority, and the status of the port.
Entries in the MAC address table may contain one of the following status types:
Dynamic: Dynamic entries are MAC addresses learned by the device through examination of
incoming packets. Dynamic entries remain in the MAC address table provided traffic
continues to be received from the port but are deleted either when traffic is not received within
a specified time frame (defined by aging timeout).
The device flushes and repopulates dynamic entries when any of the following occurs:
A VLAN is removed
A VLAN ID is changed
A port mode is changed (tagged/untagged)
A port is disabled
A port goes down
Static: A user-defined entry, created using the Command Line Interface (CLI), that forces the
device to learn the MAC address for a specific port. Static entries are maintained permanently
by the device in the MAC address table and are retained by the device after reset or a power
on/off cycle.
Secure: Secured ports are configured using MAC Learning Profiles. MAC addresses learned
from a secured port will appear with a status of Secure.
Self: The MAC address of the device itself maintained permanently as a static entry in the
MAC address table. Such entries are created for each virtual LAN (VLAN) serviced by the
device and do not contain Port IDs.
Filtered: Addresses learned in excess of a defined Port Limit are added dynamically to the
MAC Address Table with the status of Filtered. The device will not forward additional packets
from a filtered address to the port indicated by the MAC Address Table entry.

MAC Address Table Commands

This section defines the command hierarchy for the MAC address table and provides a list of
available commands. Included also, is a configuration example.
Command Hierarchy
device-name#
+ config terminal
+ port UU/SS/PP
- [no] learn-new-mac-addresses
+ [no] service
+ [no] vpls <vpls-id>
+ [no] sap {{UU/SS/PP | agN}[:[igmp] | :[<vlan-id>]:[igmp]
| UU1/SS1/PP1:<ces-circuit>:{ces | ces-oos}}
+ [no] spoke-sdp [<sdp-id>]
+ [no] mesh-sdp [<sdp-id> | <sdp-range>]
- [no] fdb aging-time <time>
+ [no] fdb static <vlan-id> <mac:hexList>
- port UU/SS/PP
- [no] priority <priority>
- type {filtered | secure | self | static}
- clear fdb [interface UU/SS/PP | mac HH:HH:HH:HH:HH:HH | vlan <vlan-id>
| type {dynamic | filtered | secure} | service <id> | sap {{UU/SS/PP
| agN}[:[igmp] | :[<vlan-id>]:[igmp] | UU1/SS1/PP1:<ces-circuit>:{ces
| ces-oos}}
- show fdb [detailed [vlan <vlan-id> | type {dynamic | filtered |
secure | self | static}] | service [<id> | tls id <id> | vpls-mtu id
<id> | vpls-pe id <id> | dot1q id <id> ]]
- show system self-mac
- show fdb count
Table 5: MAC Address Table Commands
Command Description
port UU/SS/PP Enters configuration mode for a specific port:

UU/SS/PP: 1/1/1-1/1/4 and 1/2/1-

Command Description
1/2/8
service Enters the Services Configuration mode
no service Removes the defined services
vpls <vpls-id> Creates a VPLS:

vpls-id: in the range of
<14294967294>
no vpls <vpls-id> Removes the VPLS:
<14294967294>
sap {{UU/SS/PP | agN}[:[igmp] | Adds a client port to a specific VPLS instance
:[<vlan-id>]:[igmp] | and specifies the SAP attributes:
UU1/SS1/PP1:<ces-circuit>:{ces
| ces-oos}} UU/SS/PP: the corresponding
physical port (unit, slot and
port) defined as SAP.(can be
obtained from the show port
command)
The valid port range is:
UU/SS/PP: 1/1/1-1/1/4 and 1/2/1-
1/2/8
agN: LAG ID. N is in the range
of <1-14>
vlan-id: (optional) in the
range of <1-4094>
igmp: (optional) indicates the
traffic type for the SAP port
UU1/SS1/PP1: CES WAN port,
facing the packet processor. The
valid values are: 1/3/9.
ces-circuit: circuit ID in the
range of <1-64>
ces: for circuits carrying data
packets
ces-oos: for circuits carrying
control packets
For more details refer to Configuring Circuit
Emulation Services (CES) of this User Guide
no sap [{{UU/SS/PP | agN}[:[igmp] Removes the defined SAP:
| :[<vlan-id>]:[igmp] |
UU1/SS1/PP1:<ces-circuit>:{ces UU/SS/PP: (optional) the
| ces-oos}} ] corresponding physical port
(unit, slot and port) defined as
SAP.(can be obtained from the
show port command)
UU/SS/PP: 1/1/1-1/1/4 and 1/2/1-
1/2/8
of <1-14>


Command Description
vlan-id: (optional) in the

range of <1-4094>
range of <1-64>
packets
control packets
spoke-sdp <sdp-id> Creates a spoke SDP:
sdp-id: (optional) in the range
of <14294967295>
no spoke-sdp [<sdp_id>] Removes the spoke SDP:
of <14294967295>
mesh-sdp [<sdp_id>] Creates a mesh SDP:
of <14294967294>
NOTE
By default, mesh SDPs are secured
thus the traffic between mesh
SDPs and secured SAPs/spoke
SDPs will be blocked.
no mesh-sdp [<sdp-id>] Removes the mesh SDP:
of <14294967294>
learn-new-mac-addresses Enables learning of new MAC addresses in
the MAC Address Table
Enabled
no learn-new-mac-addresses Restores to default
fdb aging-time <time> Aging determines the length of time that a

dynamic entry remains in the MAC Address
Table. Countdown begins when the entry is
added to the table and restarts each time the
MAC address is updated/used. :
time: in the range of <10
1000000> seconds
300 seconds
no fdb aging-time Restores to default
fdb static <vlan-id> <mac:hexList> Adds a static MAC address to the MAC
Address Table:

Command Description
vlan-id: the VLAN, in the range

of <1-4094>, for which the
packet with the specified MAC
address is received
mac:hexList: the destination
unicastMAC address
(HH:HH:HH:HH:HH:HH) added to the
MAC Address Table
None configured
no fdb static Removes a static entry:
vlan-id: on the specified VLAN
mac:hexList: a specific MAC
address (HH:HH:HH:HH:HH:HH)
port UU/SS/PP Specifies a port to which the received packet
is forwarded:
UU/SS/PP: 1/1/1-1/1/4 and 1/2/1-
1/2/8
priority <priority> Specifies priority for entries in the MAC
address Table:
priority: in the range of <07>
0
no priority Restores to default
type {filtered | secure | self | Specifies how MAC addresses are learned by
static} the device:
filtered, secure, self, and
static
Static
clear fdb [interface UU/SS/PP | mac Removes all or specific entries from the MAC
HH:HH:HH:HH:HH:HH | vlan <vlan-id> address table:
| type {dynamic | filtered | secure} |
service <id> | sap {{UU/SS/PP | UU/SS/PP: (optional) all MAC
agN}[:[igmp] | :[<vlan-id>]:[igmp] | addresses for the specified port
UU1/SS1/PP1:<ces-circuit>:{ces | The valid port range is:
ces-oos}}
UU/SS/PP: 1/1/1-1/1/4 and 1/2/1-
1/2/8
HH:HH:HH:HH:HH:HH: (optional) a
specific MAC address
vlan-id: (optional) all MAC
addresses for the specified
VLAN in the range of <14094>
type: MAC type (dynamic,
filtered, or secure)
service <id>: in the range of
<14294967295>
sap: specifies a SAP port, based
on the below options:
UU/SS/PP: the corresponding

Command Description
command)
of <1-14>
vlan-id: (optional) in the range
of <1-4094>
range of <1-64>
packets
control packets
show fdb [detailed [vlan <vlan-id> | Displays the content of the MAC address
type {dynamic | filtered | secure | table, filtered by the commands arguments:
self | static}] | service [<id> | tls
id <id> | vpls-mtu id <id> | vpls-pe detailed: displays detailed
id <id> | dot1q id <id>]] information
vlan-id: (optional) all MAC
addresses for the specified
VLAN in the range of <14094>
type: MAC type (dynamic,
filtered, secure, self, static)
service: displays MAC table
related information on a
service. The user can obtain
this information on different
services by specifying the
service id, in the range of <1-
4294967294>
show system self-mac Displays the MAC address of the device
show fdb count Lists the number of entries in the FDB.

MAC Address Table Configuration Example

device-name(config)#fdb static 1 00:0a:01:02:03:04
device-name(config-static-1/00:0a:01:02:03:04)#port 1/1/2
device-name(config-static-1/00:0a:01:02:03:04)#priority 6
device-name(config-static-1/00:0a:01:02:03:04)#commit
Commit complete.
device-name(config-static-1/00:0a:01:02:03:04)#end
device-name#show fdb
System FDB
=============================================================================
VlanID | MAC | Port | Status | Priority |
-------+-------------------+--------------------------+----------+-----------
1 | 00:00:C8:00:00:02 | 1/1/3 | dynamic | 0 |
1 | 00:0A:01:02:03:04 | 1/1/2 | static | 6 |
1 | 00:A0:12:64:07:01 | | self | 0 |
=============================================================================

MAC Learning Security Policies

The Port Security and Port Limit policies control how many addresses the device can learn for a
particular port.
Port Security
MAC addresses are entered in the MAC address table with a secure status. Secure MAC Addresses
are retained permanently and are excluded automatically when the switch floods all ports on receipt
of an unknown address.
When a secured port receives a packet, it compares the packets source MAC address to the secured
MAC address list.
If the packets source MAC address is in the list, the incoming packet is forwarded.
If the packets source MAC address is not in the secured list, the port does not forward the
packet. In this case, the port either shuts down permanently or drops incoming packets from
the unauthorized device, generating an SNMP trap.
You can configure two types of secured MAC addresses:
Static secured MAC addresses created manually by the fdb static <vlan-id>
<mac:hexList> and type {filtered |secure | self | static | unknown} command.
These addresses are stored in the address table.
Dynamic secured MAC addresses that are dynamically learned. These addresses are stored in
the address table but are removed when the device restarts.
NOTE
The allocated MAC addresses on a port are permanently secured.
Port Limit
The Port Limit feature limits the number of MAC addresses learned by a port. When enabling this
feature:
MAC addresses within the limit are learned as dynamic.
MAC addresses that exceed the limit are learned as filtered MAC addresses.
packets with unknown MAC addresses are not forwarded. The mac-limited port behaves as
secured.
On the device, you can define one or more MAC Learning Profiles and add to each profile either
Port Security or Port Limit. Once defined, you can apply those profiles to the physical port.
To define the maximum number of addresses that can be learned, both Port Security and Port
Limit work in conjunction with the max-mac-count command. If a limit is not set through this
command, the device will continue to learn until the maximum number of addresses for the device
is reached.

Beyond the limit, additional MAC addresses are entered into the MAC address table with a filtered
status. Exceeding the defined limit for a port is considered to be a security violation. The device can
take action. Through configuration options, the device can either shut down the port or generate an
SNMP trap and log message. Filtered addresses, which are not learned by the device, remain in the
table for later security analysis by the system administrator.
MAC Learning Security Profile Commands

In this section, the command hierarchy for Port Security and Port Limit is defined and a list of
available commands is provided. Included also, is a configuration example.
Command Hierarchy
device-name#
+ config terminal
+ ethernet
+ [no] mac-learning learning-profile NAME
- [no] action {operational-shutdown | trap}
- [no] ignore-filtered-addresses
- max-mac-count <number-of-addresses>
- policy {port-limit | port-security}
- [no] watermark count <number-of-addresses>
- [no] watermark action {log | trap}
+ port UU/SS/PP
- [no] mac-learning-profile NAME
+ [no] service
- [no] fdb-rapid-flush
- [no] mac-learning-profile profile-name NAME
+ [no] tls <service-id>
+ [no] fdb-rapid-flush
+ [no] sap {UU/SS/PP | agN}
+ [no] c-vlan {<cvlan-id> | all | untagged}
+ [no] dot1q <service-id>
- show ethernet mac-security [port UU/SS/PP | sap {{UU/SS/PP |
agN}[:[igmp] | :[<vlan-id>]:[igmp] | UU1/SS1/PP1:<ces-circuit>:{ces |
ces-oos}}

Table 6: MAC Learning Security Profile Commands
Command Description

ethernet Enters Ethernet Configuration mode
mac-learning learning-profile NAME
Specifies a MAC-learning profile and enters the

MAC-learning Configuration mode:
NAME: profile name
no mac-learning learning-profile Removes the defined profile:
[NAME]
NAME: (optional) profile name
action {operational-shutdown | Specifies the port reaction upon a security
trap} violation:
operational-shutdown: the port
shuts down
trap: an SNMP trap and log message
are generated
no action Removes the configured violation
ignore-filtered-addresses Disables configuring/learning of filtered MAC
addresses in the MAC address table
no ignore-filtered-addresses Enables configuring/learning of filtered MAC
addresses in the MAC address table
max-mac-count <number-of- Specifies the maximum numbers of secure MAC
addresses> addresses the port can learn:
number-of-addresses: in the range
of <1-4096>
All MAC addresses are learned as secured
no max-mac-count Restores to default
policy {port-limit | port-
security}
Specifies the Layer-2 security technique:
port-limit
port-security
watermark count <number-of- Specifies the maximum numbers of secure MAC
addresses> addresses the port can learn before sending a
notification.
The idea of this command is to alarm the user
that the total number of secure MAC addresses
will be reached soon.
number-of-addresses: in the range
of <1-4096>
All MAC addresses are learned as secured
no watermark count Restores to default
watermark action {log | trap} Specifies the notification type sent by the port
before a security violation occurs:

Command Description
log: log message is generated

trap: trap is sent
no watermark action Removes the configured notification type
port UU/SS/PP Enters Configuration Mode for specific port:

UU/SS/PP: 1/1/1-1/1/4 and 1/2/1-
1/2/8
tls <service-id>
Creates a TLS service instance and enters TLS

Configuration mode:
service-id: in the range of <1
4294967295>
NOTE
You cannot use the same service ID
for all MPLS L2 services.
no tls <service-id> Removes the defined TLS instance
dot1q <service-id> Enters Service Configuration mode for the

specified 802.1Q service:
service-id: in the range of <1-
4294967294>
no dot1q [<service-id>] Removes the specified 802.1Q service or, when
used without a parameter, removes all configured
802.1Q services:
service-id: (optional) in the
range of <1-4294967294>
vpls <vpls-id> Creates a VPLS service:
<14294967294>
no vpls <vpls-id> Removes the VPLS service:
<14294967294>
fdb-rapid-flush Enables MAC addresses dynamically-learned on
SDP/SAP port to flush when the port changes its
state to DOWN
Disabled
no fdb-rapid-flush Restores to default
sap {{UU/SS/PP | agN}[:[igmp] | Adds a client port to a specific VPLS instance

:[<vlan-id>]:[igmp] | and specifies the SAP attributes:
UU1/SS1/PP1:<ces-
circuit>:{ces | ces-oos}} UU/SS/PP: the corresponding
command)

Command Description
UU/SS/PP: 1/1/1-1/1/4 and 1/2/1-

1/2/8
agN: LAG ID. N is in the range of
<1-14>
of <1-4094>
UU1/SS1/PP1: CES WAN port, facing
the packet processor. The valid
values are: 1/3/9.
range of <1-64>
packets
control packets
no sap [{{UU/SS/PP | Removes the defined SAP:
agN}[:[igmp] | :[<vlan-
id>]:[igmp] | UU/SS/PP: the corresponding
UU1/SS1/PP1:<ces- physical port (unit, slot and
circuit>:{ces | ces-oos}}] port) defined as SAP.(can be
command)
<1-14>
of <1-4094>
values are: 1/3/9.
range of <1-64>
packets
control packets
UU/SS/PP: 1/1/1-1/1/4 and 1/2/1-
1/2/8
sap {UU/SS/PP | agN}
Creates a service access point (SAP) of TLS or

802.1Q service and enters SAP Configuration
mode:

Command Description
UU/SS/PP: SAP port is in the range

of 1/1/1-1/1/4 and 1/2/1-1/2/8.
This port has to be an untagged
member of the S-VLAN
<1-14>
NOTE
You cannot use the same
physical port as MPLS and TLS
SAP.
You cannot use the MPLS
uplink for L2 SAP, and vice
versa.
The default VLAN of the TLS
SAP port must not be changed.
no sap [UU/SS/PP | agN] Removes the defined SAP:
UU/SS/PP: (optional) the SAP port
is in the range of 1/1/1-1/1/4 and
1/2/1-1/2/8
<1-14>
c-vlan {<cvlan-id> | all |
untagged}
Specifies a customer VLAN (C-VLAN) and enters
C-VLAN Configuration mode:
cvlan-id: in the range of <1-4094>
all: tunnels all the traffic
untagged: tunnels the untagged
traffic only
no c-vlan {<cvlan-id> | all Removes the defined C-VLAN:
| untagged}
traffic only
mac-learning-profile Assigns a MAC-learning profile to a port:
profile-name NAME
NAME: profile name
no mac-learning-profile Removes the assigned MAC-learning profile
profile-name
show ethernet mac-security [port Displays information about the MAC security
UU/SS/PP | sap {{UU/SS/PP | profiles applied, filtered by the command
agN}[:[igmp] | :[<vlan-id>]:[igmp] | arguments
UU1/SS1/PP1:<ces-circuit>:{ces |
ces-oos}}

Files System
The file system can define, download, and delete software images and/or configuration files stored
in Flash memory.
File System Configuration Commands

The following section defines the File System command hierarchy and provides command
descriptions as well as configuration example.
Command Hierarchy
device-name#
+ config terminal
+ system
- file periodic-backup schedule hour HOUR minute MINUTE
- file activate-os-image FILE-NAME
- file backup binary-running-config flash [FILE-NAME]
- file backup binary-running-config
PROTOCOL[USER[:PASSWORD]@]IPv4[:PORT]/FILE-NAME
- file cp os-image PROTOCOL[USER[:PASSWORD]@]IPv4[:PORT]/FILE-NAME
- file cp from FILE-NAME1 PROTOCOL[USER[:PASSWORD]@]IPv4[:PORT]/FILE-NAME2
- file cp from PROTOCOL[USER[:PASSWORD]@]IPv4[:PORT]/FILE-NAME1 FILE-NAME2
- file cp from FILE-NAME1 FILE-NAME2
- file cp technical-support PROTOCOL[USER[:PASSWORD]@]IPv4[:PORT]/FILE-
NAME
- file cp technical-support FILE-NAME
- file cp technical-support use-external-file FILE-NAME USE-EXTERNAL-
FILE-NAME
- file cp technical-support use-external-file FILE-NAME
PROTOCOL[USER[:PASSWORD]@]IPv4[:PORT]/FILE-NAME USE-EXTERNAL-FILE-NAME-
file cp running-configuration
- file cp running-configuration FILE-NAME
- file cp startup-configuration from
- file cp startup-configuration from FILE-NAME
- file ls
- file ls os-image
- file rm from FILE-NAME
- file rm os-image FILE-NAME
- file more FILE-NAME

- file mv FILE-NAME1 FILE-NAME2

- file merge FILE-NAME
- file diff FILE-NAME1 FILE-NAME2
- file restore binary-running-config flash FILE-NAME
- file restore binary-running-config
- file vi FILE-NAME
Table 7: File System Commands
Command Description

file periodic-backup schedule hour Performs automated scheduled backup of the
HOUR minute MINUTE running configuration at pre-defined
hour/minute and save the backup file to the
local file system:
hour HOUR: hour in the range of
<0-23>
minute MINUTE: minutes in the
range of <0-59>
The name of the backup file is
backup.tar.gz
When the configuration database (CDB) is
modified in the last 60 mins, the system
skips the scheduled backup, and will run it
again after another 60 mins. If the CDB is
modified again in the last 60 mins, the next
backup try is given at the defined by the
file periodic-backup schedule command time.
no file periodic-backup schedule Deactivates the automated scheduled backup
file activate-os-image FILE-NAME Specifies the name of the software image file
to be loaded during the next restart:
FILE-NAME: name of the software
image file

Command Description
file backup binary-running-config flash Backs up the binary running configuration to

[FILE-NAME] the local file system:
FILE-NAME: (optional) name of
the backup file
backup.tar.gz
NOTE
The device maintains only one
backup file, created either by
using command file
periodic-backup schedule,
or command file backup
binary-running-config
flash.
If you do not specify flash but
only the name of the file to be
backed up, the file name will
appear as backup.tar.gz.
file backup binary-running-config Backs up the binary running configuration to a
PROTOCOL[USER[:PASSWORD]@]IPv4[:POR TFTP/FTP server:
T]/FILE-NAME
PROTOCOL type: tftp://A.B.C.D or
ftp://user:pass@A.B.C.D. For
TFTP servers, user, password,
and port are not required. For
FTP servers, port number is not
required.
USER: FTP user name
PASSWORD: FTP user password. The
password must be immediately
followed by the at sign (@).
IPv4: IP address of the TFTP/FTP
server (in dotted-decimal
format)
PORT: port number for the TFTP
transfer
FILE-NAME: name of the file to
be backed up

Command Description
file cp os-image Downloads a new software image from a

T]/FILE-NAME
required.
USER: FTP user name
format)
transfer
FILE-NAME: name of the software
image file
file cp from FILE-NAME1 Uploads a configuration file from the local file
PROTOCOL[USER[:PASSWORD]@]IPv4[:POR system to a TFTP/FTP server:
T]/FILE-NAME2
FILE-NAME1: name of the source
file
required.
USER: FTP user name
format)
transfer
FILE-NAME2: name of the
destination file

Command Description
file cp from Downloads a configuration file from a

PROTOCOL[USER[:PASSWORD]@]IPv4[:POR TFTP/FTP server to the local file system:
T]/FILE-NAME1 FILE-NAME2
required.
USER: FTP user name
format)
transfer
FILE-NAME1: name of the source
file
FILE-NAME2: name of the
destination file
file cp from FILE-NAME1 FILE-NAME2 Saves a copy of any file to the local file
system:
FILE-NAME1: name of the copied
image file
FILE-NAME2: name of the new file
file cp technical-support Uploads the output of the show technical-
PROTOCOL[USER[:PASSWORD]@]IPv4[:POR support command to a TFTP/FTP server
T]/FILE-NAME
(see the Troubleshooting chapter of this UG):
required.
USER: FTP user name
followed by the at symbol (@).
format)
transfer
FILE-NAME: name of the file
file cp technical-support FILE-NAME Saves the output of the show technical-
support command to the local file system
(see the Troubleshooting chapter of this UG):

Command Description
file cp technical-support use-external- Saves the show technical-support

file FILE-NAME USE-EXTERNAL-FILE- command output to the local file system:
NAME
FILE-NAME: name of the new file
saved with
USE-EXTERNAL-FILE-NAME: name of
the file that contains the
filtered command output
file cp technical-support use-external- Uploads an output of the show technical-
file FILE-NAME support command to a TFTP/FTP server:
PROTOCOL[USER[:PASSWORD]@]IPv4[:POR
T]/FILE-NAME USE-EXTERNAL-FILE- PROTOCOL type: tftp://A.B.C.D or
NAME ftp://user:pass@A.B.C.D. For
TFTP servers, no user, password,
and port are required. For FTP
servers, no port number is
required.
USER: FTP user name
followed by the ape symbol (@).
format)
transfer
FILE-NAME: name of the new file
saved with
the file that contains the
filtered command output
file cp running-configuration Uploads the running configuration file to a
T]/FILE-NAME
required.
USER: FTP user name
Ipv4: IP address of the TFTP/FTP
format)
transfer
file cp running-configuration FILE-NAME Saves the running configuration file to the
local file system:

Command Description
file cp startup-configuration from Downloads a startup configuration file from a

PROTOCOL[USER[:PASSWORD]@]Ipv4[:POR TFTP/FTP server to be loaded during the next
T]/FILE-NAME restart:
required.
USER: FTP user name
Ipv4: IP address of the TFTP/FTP
format)
transfer
FILE-NAME1: name of the file
file cp startup-configuration from FILE- Specifies a startup configuration file to be
NAME loaded during the next restart:
file ls Lists the content of the local file system
file ls os-image Lists the available software images located on
the local file system
file rm from FILE-NAME Removes a configuration file from the local file
system:
file rm os-image FILE-NAME Removes a software image from the local file
system:
FILE-NAME: name of the image
file
file more FILE-NAME Displays the content of a configuration file:
file mv FILE-NAME1 FILE-NAME2 Renames the selected configuration file:
FILE-NAME1: old (current) name
of the file
FILE-NAME2: new name of the file
file merge FILE-NAME Merges the content of a specified
configuration file into the current running
configuration. The command can be used
when you want to integrate configuration,
contained in the defined configuration file, into
the running configuration.
The configuration files must be created
under the same software version.
FILE-NAME: name of the
configuration file to be merged

Command Description
file diff FILE-NAME1 FILE-NAME2 Compares the content of two files and returns
matches without regard to
uppercase/lowercase:
FILE-NAME1, FILE-NAME2: names of
the files to be compared
file restore binary-running-config flash Restores the binary running configuration
FILE-NAME from a backup file located on the local file
system:
FILE-NAME: name of the restored
file
backup.tar.gz
NOTE
If you do not specify flash, the
device restores backup.tar.gz. If the
file does not exist, you will get
warning message.
file restore binary-running-config Restores the running configuration from a
PROTOCOL[USER[:PASSWORD]@]IPv4[:POR backup file located on a TFTP/FRP server:
T]/FILE-NAME
required.
USER: FTP user name
format)
transfer
FILE-NAME: name of the file to
be restored
file vi FILE-NAME Opens the selected file for editing in a
standard VI editor:
Software Upgrade Example

NOTE
Before beginning the upgrade, it is recommended that you first verify that there is
sufficient free space available for storage of the new software image on the local file
system. To display the amount of free space and to list the currently stored software
image files, use the file ls os-image command illustrated below.

In the following example, the new_image. T-Marc 3312SC.binoxpkg application package file is
downloaded from an FTP server (IP address is 10.3.71.17).
1. Download the desired file from the FTP server to the local file system:
device-name#file cp os-image ftp://user:pass123@10.3.71.17/new_image. T-
Marc 3312S.binoxpkg
Downloading the image 'new_image. T-Marc 3312SC.binoxpkg' from

host ftp://10.3.71.46 (29,051,909 bytes transferred)... OK
Generating components list for the package file... OK

Package's Content:
----------------------------------------------------------------------
___________________________________________________________________________
____________________________
/ |
| \
| Component Type: | Version | File
Name: |
|------------------------------|---------------------|---------------------
----------------------------|
| > Application | new_image | new_image. T-Marc
3312SC.tar.7z |
| > Kernel Image | 2.6.21.7-hrt1-WR2.0 |
uImage |
| > DTB File | Undefined |
board.dtb |
| > Safe Mode Image | 2.1.TP-dev55 | T-Marc
3312SCsafemode.img |
| > Root File System Image | Undefined |
rootfs.jffs2 |
| > Applic. File System Image | Undefined |
applicfs.layout.jffs2 |
\______________________________|_____________________|_____________________
____________________________/
Extracting the required components from the package file( This may take
several minutes )... OK
Checking the component file ' new_image. T-Marc 3312SC.tar.7z'... OK

Checking the component file 'uImage'... OK
Checking the component file 'board.dtb'... OK
Checking the component file 'T-Marc 3312SC-safemode.img'... OK
Checking the component file 'rootfs.jffs2'... OK
Checking the component file 'applicfs.layout.jffs2'... OK
-> Installing the DTB file 'board.dtb':

Erasing 128 Kibyte @ 0 -- 0 % complete.
Flashing the 'board.dtb' image on the /dev/mtd2 partition... OK
-> Installing the kernel image file 'uImage' version 2.6.21.7-hrt1-

WR2.0ap_standard:
Erasing 128 Kibyte @ 2e0000 -- 95 % complete.
Flashing the 'uImage' image on the /dev/mtd3 partition... OK

-> Installing the safe mode image file 'T-Marc 3312SC-safemode.img' version
2.1.TP-dev55:
Erasing 128 Kibyte @ e0000 -- 87 % complete.
Flashing the 'T-Marc 3312SC-safemode.img' image on the /dev/mtd4
partition... OK
-> Installing the root file system image file 'rootfs.jffs2':

Erasing 128 Kibyte @ be0000 -- 98 % complete.
Flashing the 'rootfs.jffs2' image on the /dev/mtd5 partition... OK
-> Installing the application file system image file

'applicfs.layout.jffs2':
skip ,the latest version allready in use.
-> Installing the application 'new_image.T-Marc 3312SC.tar.7z' version

new_image:
Installing the 'new_image.T-Marc 3312SC.tar.7z' file in the images
directory... Done.
The package file 'new_image.T-Marc 3312SC.binoxpkg' has been installed

successfully!
Use the 'file activate-os-image' command to activate the new application.
NOTE
If insufficient free space is available, the new software image is not saved on the
local file system. The following error message appears:
Installing the image file... Failed! (cp: write error: No space left on
device)
2. Activate the new image:

device-name#file activate-os-image new_image.T-Marc 3312SC.tar.7z
Image file new_image.T-Marc 3312SC.tar.7zis tested for validity, please
wait... OK
Activating image new_image.T-Marc 3312SC.tar.7z...
3. (Optional) List the available software images:

device-name#file ls os-image
* 1 Jan 01:05 8.5M new_image.T-Marc 3312SC.tar.7z
1 Jan 2010 8.6M old_image1.T-Marc 3312SC.tar.7z
1 Jan 01:56 8.6M old_image2.T-Marc 3312SC.tar.7z
Number of files: 3, 25.7M
Flash Size: Size
51.4M
Used Space: Used
26.0M
Free Space: Available
25.4M
4. Reload the device:

device-name(config)#system
device-name(config-system)#relaod

System Time and Date

The internal clock for the device runs continuously from system start up and tracks date and time.
The internal clock is set using either the Network Time Protocol or through manual configuration.
Network Time Protocol (NTP)

Network Time Protocol (NTP) provides a reliable way of transmitting and receiving date/time
information over IP networks. NTP is organized according to a client-server model. An NTP
network receives information from an authoritative time source, such as a radio clock or an atomic
clock connected to a time server, and then distributes that information across the network.
Time is represented as the number of seconds since 00:00 (midnight) 1 January 1970 GMT and will
remain so until the year 2038. In the first second, for example, time would appear as 12:00:01 on 1
January 1970 GMT.
Summer Time (Daylight Saving Time)

Daylight Savings Time (DST), as observed in the United States, is a configuration option for the
device. When enabled, the device advances the clock by one hour at 2:00 a.m. on the first Sunday in
April and moves the clock back one hour on the last Sunday in October. Configuration also
provides options to define a different starting date and/or ending date as well as whether time
adjustment should occur yearly.
System Time and Date Configuration Commands

The following section defines the System Date and Time hierarchy and provides command
descriptions.
Command Hierarchy
NOTE
System time for the device resets after reload. System time must be defined manually
when NTP is not configured.
device-name#
+ config terminal
+ system
+ [no] time
- [no] date CCYY-MM-DDTHH:MM:SS
+ [no] summer-time
- [no] recurring [start-at {day-of-the-week DAY |
month MONTH | week-of-the-month <week> | time
HH:MM:SS} | end-at {day-of-the-week DAY | month

MONTH | week-of-the-month <week> | time

HH:MM:SS}]
- [no] recurring offset <offset>
- [no] recurring shutdown
+ [no] ntp
+ [no] remote-server-ip A.B.C.D
- [no] authentication key-id <key-id> [key-
string STRING]
- refresh-interval <interval>
- timezone <-12+12>
- [no] time-out <value>
- [no] min <min>
- [no] dscp-mapping <value>
- [no] shutdown
Table 8: System Time and Date Commands
Command Description

system Enters System Configuration Mode
time Enters Time Server Configuration mode
no time Removes the system time configuration details
date CCYY-MM-DDTHH:MM:SS Manually sets system time for the device:

CCYY-MM-DDTHH:MM:SS: CC represents
the century, YY the year, MM the
month and DD the day
T: date/time separator
HH, MM, and SS represent hour,
minute and second respectively
summer-time Enter Summer-time daylight saving time (DST)
Configuration mode
no summer-time Removes the configuration

Command Description
recurring {start-at {day-of- Specifies a yearly starting and ending date for
the-week DAY | month MONTH summer time DST:
| time HH:MM:SS | week-of-
the-month <week>} | end-at start-at: start settings
{day-of-the-week DAY |
month MONTH | time
end-at: end settings
HH:MM:SS | week-of-the- DAY: the start/end day of the week
month <week>}} (Sunday, Monday)
MONTH: the start/end month
(January, February)
HH:MM:SS: the start/end time (24-
hour format)
week: the week of the month, in
which the specified day appears
for the first time (first, second,
third, forth week)
The summer time is disabled
recurring offset <offset> Specifies the number of minutes added during
summer time DST:
offset: in the range of <1-1440>
recurring shutdown Disables the recurring summer time
no recurring shutdown Enables the recurring summer time
ntp Configures synchronization of the system time
for the device by an NTP server
Enabled
NOTE
After changing any of the NTP
configuration parameters, restart
the NTP server using
shutdown/no shutdown
commands.
no ntp Disables NTP
remote-server-ip A.B.C.D Specifies the IP address of the NTP server:

A.B.C.D: NTP servers IP address
no remote-server-ip Removes the IP address of the NTP server
authentication key-id <1- Specifies the MD5 authentication key used by

65535> [key-string the device during authentication of the NTP
STRING] server to prevent rogue server intervention:
key-id: in the range of <1-65535>
key-string STRING: (optional) a
string of <1-20> characters (blank
spaces and question marks are not
allowed)
no authentication key-id Removes the MD5 authentication key

Command Description
refresh-interval <interval> Specifies the number of minutes allotted for

synchronization of system time with the NTP
server:
interval: in the range of <10
44640> minutes (the upper limit is
equivalent to 31 days)
timezone <-12+12> Specifies the number of hours offset from
Coordinated Universal Time, known as UTC,
(formerly Greenwich Mean Time or GMT):
-12: corresponds to time zones
west of UTC
+12: corresponds to time zones
east of UTC
time-out <value> Specifies the NTP server session timeout:
seconds
no time-out Removes the timeout
min <min> Specifies the number of minutes offset from

UTC:
min: in the range of <1-59>
minutes
no min Removes configured minutes
source-address A.B.C.D Configures NTP to listen on a specified IP

address for incoming connections. The
connections are restricted to a specific router
interface including loopbacks.
decimal format
interfaces)
no source-address Removes the configured IP address
dscp-mapping <value> Specifies a DSCP priority of packets sent to the

NTP server:
no dscp-mapping Removes the configured value
shutdown Stops NTP configuration
no shutdown Starts NTP configuration
Example
The following example configures the following summer time recurring:
start on 27 March 2011 at 03:00am - move forward one hour
end on 30 October 2011 at 04:00am - move backward one hour
device-name#configure terminal

device-name(config-system)#time
device-name(config-time)#date 2011-01-01T01:00:00
device-name(config-time)#summer-time recurring
device-name(config-recurring)#start-at week-of-the-month fourth
device-name(config-recurring)#start-at day-of-the-week Sunday
device-name(config-recurring)#start-at month March
device-name(config-recurring)#start-at time 03:00:00
device-name(config-recurring)#end-at week-of-the-month last
device-name(config-recurring)#end-at day-of-the-week Sunday
device-name(config-recurring)#end-at month October
device-name(config-recurring)#end-at time 04:00:00
device-name(config-recurring)#offset 60
device-name(config-recurring)#no shutdown
device-name(config-time)#commit
The device LOG message is:

Jan 1 01:00:00 info time Clock will be moved forward with 3600 seconds (Sun Mar 27 03:00:00
2011)
Jan 1 01:00:00 info time Clock will be moved back with 3600 seconds (Sun Oct 30 04:00:00 2011)

Domain Name System (DNS) Client

T-Marc 3312SC/T-Marc 3312SCH acts as a Domain Name System (DNS) client to resolve and
cache DNS domain names. Upon request, the device attempts to resolve an IP address from its
cache. If a domain name cannot be located, the device sends a query to the DNS server. The DNS
server responds with the IP address for the domain. The device then forwards the IP address to the
requesting agent and caches the response from the server for future reuse.
DNS Client Configuration Commands

The following section defines the DNS Client command hierarchy and provides command
descriptions.
Command Hierarchy
device-name#
+ config terminal
+ system
- [no] dns-resolver A.B.C.D [shutdown]
Table 9: DNS Client Commands
Command Description

dns-resolver A.B.C.D [shutdown] Specifies the IP address of the DNS server

used for domain name and address
resolution.
You can specify up to 3 DNS servers. The
device sends DNS queries to the primary
server first. If that query fails, the backup
servers are queried.
A.B.C.D: DNS servers IP address
shutdown: (optional) shuts down
the selected DNS server
No DNS servers are configured
no dns-resolver Remove the IP address for a configured DNS
server

Virtual Terminal Interface (VTY)

The Virtual Terminal interface (VTY) controls access to the device. The administrator opens a
VTY connection to manage the device through configuration commands entered into the
Command Line Interface (CLI).
VTY Session Configuration Commands

The following section defines the command hierarchy for the Virtual Terminal Interface (VTY) and
provides command descriptions.
Command Hierarchy
device-name#
- idle-timeout <timeout>
Table 10: VTY Session Commands
Command Description
idle-timeout <timeout> Specifies the timeout value for the VTY connection:
timeout: in the range of <0-8192>
seconds. Specify value of 0 for
unlimited VTY connection.

License Configuration
Each device is delivered to the customer with a full software license support.
License Configuration Commands
The following section defines the command hierarchy for License Configuration and provides a list
of available command descriptions.
Command Hierarchy
device-name#
+ config terminal
+ system
- license id <value>
- show system license
Table 11: License Commands
Command Description

license id <value> Specifies a new software license identifier:

value: in the range of <0-
4294967294>
show system license Displays the software license of the device

Session Limiting
The Session Limiting feature allows you to configure a limit on the number of CLI, SNMP, or
Netconf concurrent sessions.
Sessions Limiting Commands

Commands Hierarchy
device-name#
+ config terminal
+ system
- [no] max-config-sessions <value>
- [no] max-sessions <value>
Table 12: Sessions Limiting Commands
Command Description

max-config-sessions <value> Limits the number of allowed configuration

sessions, running simultaneously on the device:
20 sessions
SNMP and Netconf sessions are not considered
as configuration sessions.
no max-config-sessions Restores to default
max-sessions <value> Limits the global number of simultaneous

sessions allowed on the device:
20 sessions
Global number of sessions take precedence
over configuration session limit.
no max-sessions Restores to default
Example:
When you reach the limit of allowed sessions, you can terminate any of the current sessions and log
into the device:


device-name(config-system)#max-sessions 2
T-Marc 3312SC/T-Marc 3312SCH

admin@10.3.172.7's password:
Too many sessions. Ongoing sessions:
SID USER CTX FROM PROTO LOGIN CONFIG MODE
23 admin cli 10.3.71.112 ssh 13:36:48
20 admin cli 10.3.71.144 ssh 13:11:33
Enter SID of session to terminate or 'exit':

Remote Monitoring
Remote Monitoring (RMON) is an Internet Engineering Task Force (IETF) monitoring
specification that defines a set of statistics and functions that can be exchanged between RMON-
compliant console systems and network probes.
RMON provides you with comprehensive network-fault diagnosis, planning, and performance-
tuning information.
You can use the RMON feature with the Simple Network Management Protocol (SNMP) agent to
monitor all the traffic flowing among devices on all connected LAN segments.
RMON Ethernet Statistics Group

The Ethernet statistics group collects Fast Ethernet and Gigabit Ethernet statistics on a
port.
Use the information from the Statistics group to detect changes in traffic and error
patterns in critical areas of the network.
Statistics History
A statistics monitoring provides historical view of the interface statistics based on user-defined
interval. A statistic monitoring profile defines which specific statistic-counter will be monitored.
Profile can be bound to specific interface instance in the control table
A table of build-in counters includes:
Counter Description
ifAlignErr The total number of alignment errors

ifCRCAligneErrorPkts The total number of packets with a CRC error
ifCSEErr The total number of Carrier Sense errors
ifCollisionsPkts The total number of collisions
ifDefferedTx The total number of Deferred Transmissions
ifDownCounter The total number of interface down events
ifExcessCollision The total number of Excess Collisions
ifFCSErr The total number of FCS errors
ifFra64Pkts The total number of 64 octet packets
ifFra65to127Pkts The total number of 65-127 octet packets
ifFragmentsPkts The total number of fragmented packets
ifHCInBroadcastPkts The total number of input broadcast packets

ifHCInMulticastPkts The total number of input multicast packets

ifHCInOctets The total number of input octets
ifHCInUcastPkts The total number of input unicast packets
ifHCOutBroadcastPkts The total number of output broadcast packets
ifHCOutMulticastPkts The total number of output multicast packets
ifHCOutOctets The total number of output octets
ifHCOutUcastPkts The total number of output unicast packets
ifInBroadcastPkts The total number of input broadcast packets
ifInDiscards The total number of dropped packets
ifInErrors The total number of input errors
ifInFlowControl The total number of input flow control packets
ifInFraFragments The total number of input fragmented packets
ifInFraOversize The total number of input oversized packets
ifInJabber The total number of input jabber packets
ifInMulticastPkts The total number of input multicast packets
ifInNUcastPkts The total number of input non-unicast packets
ifInOctets The total number of input octets
ifInRateBps10Sec input rate for last 10 seconds, in bytes per second
ifInRateBps60Sec input rate for last 60 seconds, in bytes per second
ifInUcastPkts The total number of input unicast packets
ifInUnknownOpcode The total number of Input Unknown Opcode
ifInUnknownProtos The total number of unknown protocol packets
ifJabberPkts The total number of jabber packets
ifLateCollision The total number of Late Collisions
ifMacRxErr The total number of Internal MAC Rx errors
ifMacTxErr The total number of Internal MAC Tx errors
ifMultCollision The total number of Multiple Collisions
ifOutBroadcastPkts The total number of output broadcast packets
ifOutDiscards The total number of output errors
ifOutErrors The total number of output errors
ifOutFlowControl The total number of output flow control packets
ifOutFraFragments The total number of output fragmented packets
ifOutFraOversize The total number of output oversized packets
ifOutJabber The total number of output jabber packets
ifOutMulticastPkts The total number of output multicast packets
ifOutNUcastPkts The total number of output non-unicast packets
ifOutOctets The total number of output octets
ifOutRateBps10Sec output rate for last 10 seconds, in bytes per second

ifOutRateBps60Sec output rate for last 60 seconds, in bytes per second

ifOutUcastPkts The total number of output unicast packets
ifOversizePkts The total number of oversized packets
ifSQETestErr The total number of SQE Test errors
ifSnglCollision The total number of Single Collisions
ifSymbolErr The total number of Symbol errors
ifTooLongFra The total number of Too Long packets
ifTotalBcastPkts The total number of input and output broadcast
packets
ifTotalInPkts The total number of input packets
ifTotalMcastPkts The total number of input and output multicast
packets
ifTotalOctets The total number of input and output octets
ifTotalOutPkts The total number of output packets
ifTotalPkts The total number of input and output packets
ifUndersizePkts The total number of undersized packets
NOTE
Counters are applied on a single port or on a group of ports.
RMON Commands
Commands Hierarchy
device-name#
+ config terminal
+ system
+ [no] statistics-history
- [no] control <value> [profile-name NAME | xpath-key
<value>]
- [no] get-interval <value>
- [no] profile NAME [xpath-template <value>]
- [no] shutdown
- [no] type {absolute | delta}
- show system statistics-history [control | displaylevel <value>]
- show [port UU/SS/PP] rmon statistics [etherStatsBroadcastPkts |
etherStatsCollisions | etherStatsCRCAlignErrors |
etherStatsDropEvents | etherStatsFragments | etherStatsJabbers |
etherStatsMulticastPkts | etherStatsOctets | etherStatsOversizePkt |
etherStatsPkts | etherStatsPkts1024to1518Octets |
etherStatsPkts128to255Octets | etherStatsPkts256to511Octets |

etherStatsPkts512to1023Octets | etherStatsPkts64Octets |
etherStatsPkts65to127Octets | etherStatsUndersizePkts]
Table 13: RMON Commands
Command Description

statistics-history Enables the statistics history mechanism and
enters Statistics History Configuration mode
no statistics-history Removes statistics history configuration details
control <value> [profile-name Creates an RMON statistics entry in the device

NAME | xpath-key <value>] configuration:
value: in the range <1-288>
profile-name NAME: applies the
specified profile name on port/s
or L3 interface
xpath-key <value>: specifies a
port, a group of ports or a L3
interface on which the RMON
profile is applied. value: a
string in the range <1-288>
characters
for a single port, in format UU/SS/PP
for a group of ports in format agN (N is in
the range of <1-14>)
for a L3 interface: loN (n in the range <1-9>,
outBand 0, swN (In is in the range <0
9999>)
UU/SS/PP: 1/1/1-1/1/4 and 1/2/1-
1/2/8
no control [<value>] [profile- Removes the configured entry
name NAME | xpath-key
<value>]
get-interval <value> Specifies interval between samples:

seconds
no get-interval Restores to default

Command Description
profile NAME [xpath-template Specifies an RMON profile:

<value>]
NAME: an user-defined profile name
in the range of <1-128> characters
(letters or/and numbers) or a pre-
defined profile
xpath-template <value>: specifies
the pattern that selects a set of
XML nodes. To define the profile
pattern use the yang.zip file,
part of the software package.
value: a pattern string in XPATH
1.0 notation
no profile [NAME] [xpath- Removes the specified profile
template <value>]
shutdown Disables historical collections of statistics

no shutdown Enables historical collections of statistics
type {absolute | delta} Specifies the methodology used to calculate
statistics:
absolute: absolute sample value is
used
delta: difference between sampled
values is used
Absolute
no type {absolute | delta} Restores to default
show system statistics-history [control Displays the complete collection of statistics:
| displaylevel <value>]
control: displays information for
specific RMON statistics entry
displaylevel <value>: displays the
specified level of output, in the
range of <1-64>
show [port UU/SS/PP] rmon statistics Displays the RMON statistics table. Optionally,
[etherStatsBroadcastPkts | you can display statistics for a specific port or for
etherStatsCollisions |
etherStatsCRCAlignErrors |
all ports (see Table 14)
etherStatsDropEvents | port UU/SS/PP: 1/1/1-1/1/4 and
etherStatsFragments |
etherStatsJabbers | 1/2/1-1/2/8
etherStatsMulticastPkts | RMON statistics collection is enabled.
etherStatsOctets |
etherStatsOversizePkts |
Statistics are refreshed every 60 seconds.
etherStatsPkts |
etherStatsPkts1024to1518Octets |
etherStatsPkts64Octets |
etherStatsUndersizePkts]
Example 1
device-name#show port 1/1/1 rmon statistics
===============================================================================
RMON Statistics

===============================================================================
Port 1/1/1
Counter Name Counter Value
-------------------------------------------------------------------------------
etherStatsDropEvents 117
etherStatsOctets 11298
etherStatsPkts 133
etherStatsBroadcastPkts 0
etherStatsMulticastPkts 133
etherStatsCRCAlignErrors 0
etherStatsUndersizePkts 0
etherStatsOversizePkts 0
etherStatsFragments 0
etherStatsJabbers 0
etherStatsCollisions 0
etherStatsPkts64Octets 4
etherStatsPkts65to127Octets 130
===============================================================================
Table 14: Counters Displayed by the show rmon statistics Command

Counter Description
etherStatsBroadcastPkts Number of good broadcast packets received not

including multicast packets
etherStatsCollisions Number of collisions on this Ethernet segment
etherStatsCRCAlignErrors Total CRC/alignment errors (FCS or alignment
errors)
etherStatsDropEvents Total events in which packets are dropped due
to lack of resources
etherStatsFragments Total packets received that are less than 64
bytes in length (excluding framing bits, but
including FCS bytes) and have either an FCS or
alignment error
etherStatsJabbers Total packets received that are longer than 1518
bytes (excluding framing bits, but including FCS
bytes), and have either an FCS or an alignment
error
etherStatsMulticastPkts Number of good multicast packets received
etherStatsOctets Number of octets of data (including those in bad
packets) received on the network (excluding
framing bits but including FCS octets)
etherStatsOversizePkts Total packets received that are longer than 1518
bytes (excluding framing bits, but including FCS
bytes) and are otherwise well formed (valid
CRC)

Counter Description
etherStatsPkts Total packets received (including bad packets,

broadcast packets, and multicast packets)
etherStatsPkts1024to1518Octets Total packets received and transmitted
etherStatsPkts128to255Octets (including bad packets) where the number of
etherStatsPkts256to511Octets bytes fall within the specified range (excluding
etherStatsPkts512to1023Octets framing bits but including FCS bytes)
etherStatsPkts65to127Octets
etherStatsPkts64Octets Total packets received and transmitted
(including bad packets) that are 64 bytes in
length (excluding framing bits but including FCS
bytes)
etherStatsUndersizePkts Total packets received that are less than 64
bytes long (excluding framing bits, but including
FCS bytes) and are otherwise well formed (valid
CRC)
Example
The following example displays how to create a profile Test_1/1/1, apply it on port 1/1/1, and
collect statistics for 10 seconds:
device-name(config-system)#statistics-history
device-name(config-statistics-history)#profile Test_1/1/1
device-name(config-statistics-history)#profile Test_1/1/1 xpath-template
"/interfaces/interface{%s}/Counters/ifInOctets"
device-name(config-statistics-history)#/1
device-name(config-statistics-history)#control 1 xpath-key 1/1/1
device-name(config-control-1)#commit
Commit complete.
device-name(config-control-1)#exit
device-name(config-statistics-history)#get-interval 10
device-name(config-statistics-history)#no shutdown
device-name(config-statistics-history)#commit
Commit complete.

Service Statistics Collection

Service statistics provide important information for troubleshooting device problems at the service
level. The service statistics include the number of bytes, number of unicast, multicast, broadcast
packets, and the number of packets with specified color or FC a SAP/SDP port has received.
Receive Statistics
Total number of packets and bytes Amount of packtes and bytes received on the selected
port.
Unicast Packets Amount of Unicast packets received on the selected port.
Multicast Packets Amount of Multicast packets received on the selected port.
Broadcast Packets Amount of Broadcast packets received on the selected port.
Packets with FC/color Amount of packets with configured color/FC received on the
selected port.
Service Statistics Commands
Service Statistics Commands Hierarchy

device-name#
+ config terminal
+ [no] service
+ [no] statistics
+ [no] ingress-statistics-policy NAME
- [no] description
- [no] fc
- [no] fc-bw-measurement {packets | bytes | all}
+ [no] packet-type
- [no] broadcast
- [no] broadcast-bw-measurement {packets |
bytes | all}
- [no] multicast
- [no] multicast-bw-measurement {packets |
bytes | all}
- [no] unicast
- [no] unicast-bw-measurement {packets | bytes
| all}
+ [no] egress-statistics-policy NAME
- [no] description
- [no] fc
- [no] fc-bw-measurement {packets | bytes | all}

- [no] da-type
- [no] da-bw-measurement {packets | bytes | all}
+ [no] c-vlan {<cvlan-id> | all}
- [no] ingress-statistics-policy NAME
- [no] egress-statistics-policy NAME
+ [no] sdp vlan <vlan-id>
+ [no] port {UU/SS/PP | agN}
- [no] ingress-statistics-policy NAME
- [no] egress-statistics-policy NAME
- show statistics ingress-statistics-policy NAME
- show statistics egress-statistics-policy NAME
- show service dot1q <service-id> {sap {UU/SS/PP | agN} c-vlan <vlan-id>
statistics | sdp <vlan-id> port UU/SS/PP statistics | statistics}
Table 15: Service Statistics Commands
Command Description

statistics Enters Statistics Configuration mode
no statistics Removes the defined statistics profiles
ingress-statistics-policy Specifies a statistics profile and enters the Ingress
NAME Statistics Configuration mode:
NAME: string of up to 32 characters
no ingress-statistics-policy Removes the configured profile
egress-statistics-policy Specifies a statistics profile and enters the Egress
NAME Statistics Configuration mode:
no egress-statistics-policy Removes the configured profile
description Specifies service statistics description:
DESCRIPTION: a string of <1-120>
characters
no description Removes the service statistics description
fc Provides a count of FC-configured packets
no fc Removes the configuration
fc-bw-measurement {packets Specifies packets, bytes or both to be counted

Command Description
| bytes | all} all
no fc-bw-measurement Restores to default
da-type Only for Egress Statistics.
Specifies unicast and broadcast packets to be
counted in egress statistics
no da-type Removes the configuration
da-bw-measurement {packets Only for Egress Statistics.
| bytes | all}
Specifies packets, bytes or both to be counted
all
no da-bw-measurement Restores to default
packet-type Only for Ingress Statistics.
Specifies the type of packets to be counted and
enters the Packet Configuration mode
no packet-type Removes the configuration
broadcast Enables counting of broadcast packets
no broadcast Disables the broadcast packets counting
broadcast-bw- Specifies broadcast packets, bytes or both to be
measurement {packets counted
| bytes | all}
all
no broadcast-bw- Restores to default
measurement
multicast Enables counting of multicast packets

no multicast Disables the multicast packets counting
multicast-bw- Specifies multicast packets, bytes or both to be
measurement {packets counted
| bytes | all}
all
no multicast-bw- Restores to default
measurement
unicast Enables counting of unicast packets

no unicast Disables the unicast packets counting
unicast-bw-measurement Specifies unicast packets, bytes or both to be
{packets | bytes | counted
all}
all
no unicast-bw- Restores to default
measurement

4294967294>
802.1Q services:
service-id: (optional) in the range

Command Description
of <1-4294967294>
Creates service access point (SAP) and enters

SAP Configuration mode.
UU/SS/PP: SAP port, in the range of
1/1/1-1/1/4 and 1/2/1-1/2/8.
agN: SAP LAG ID. N is in the range
of <1-14>
NOTE
SAP.
versa.
UU/SS/PP: (optional) SAP port, in
the range of 1/1/1-1/1/4 and 1/2/1-
1/2/8
of <1-14>
c-vlan {<cvlan-id> | all}

no c-vlan {<cvlan-id> | all} Removes the defined C-VLAN:
sdp vlan <vlan-id> Specify the S-VLAN ID and enters the S-VLAN
Configuration mode:
vlan-id: in the range of <1-4094>
no sdp vlan [<vlan-id>] Removes the previously configured S-VLAN/s:
vlan-id: (optional) in the range of
<1-4094>
port {UU/SS/PP | agN} Adds port/s as tagged to the specified S-VLAN:
UU/SS/PP: 1/1/1-1/1/4 and 1/2/1-
1/2/8
agN: SDP LAG ID. N is in the range
of <1-14>
The port is tagged
no port [UU/SS/PP | agN] Removes tagged port/s from the specified S-
VLAN:
UU/SS/PP: (optional) 1/1/1-1/1/4

Command Description
and 1/2/1-1/2/8
agN: (optional) SDP LAG ID. N is in
the range of <1-14>
ingress-statistics-policy Applies the previously configured Ingress
NAME Statistics policy:
no ingress-statistics- Removes the configured profile
policy
egress-statistics-policy Applies the previously configured Egress

NAME Statistics policy:
no egress-statistics- Removes the configured profile
policy
show statistics ingress-statistics- Displays all configured ingress policy profiles

policy NAME
show statistics egress-statistics-policy Displays all configured egress policy profiles

NAME
show service dot1q <service-id> {sap Displays statistics for specific 802.1Q services or,
{UU/SS/PP | agN} c-vlan <vlan-id> when used with parameters, displays statistics for
statistics | sdp <vlan-id> port SAPs or SDPs, filtered by command arguments
UU/SS/PP statistics | statistics}
Example 1
The following example demonstrates how to configure FC and fc-bw-measurement policy profile
and apply it on dot1q SAP port:
Device-name(config-statistics)#service
Device-name(config-service)#statistics
Device-name(config-statistics)#egress-statistics-policy A1
Device-name(config-egress-statistics-policy-A1)#da-type
Device-name(config-egress-statistics-policy-A1)#exit
Device-name(config-statistics)#ingress-statistics-policy B1
Device-name(config-ingress-statistics-policy-B1)#fc
Device-name(config-ingress-statistics-policy-B1)#fc-bw-measurement bytes
Device-name(config-ingress-statistics-policy-B1)#exit
Device-name(config-statistics)#exit
Device-name(config-service)#dot1q 1
Device-name(config-dot1q-1)#sap 1/1/1 c-vlan 5
Device-name(config-c-vlan-5)#ingress-statistics-policy B1
Device-name(config-c-vlan-5)#egress-statistics-policy A1
Device-name(config-c-vlan-5)#exit
Device-name(config-sap-1/1/1)#exit
Device-name(config-dot1q-1)#sdp vlan 10 port 1/1/2
Device-name(config-port-1/1/2)#ingress-statistics-policy B1
Device-name(config-port-1/1/2)#egress-statistics-policy A1
Device-name(config-port-1/1/2)#commmit
Commit complete.
Device-name(config-port-1/1/2)#
Device-name#show running-config service

service
dot1q 1
sdp vlan 10
port 1/1/2
ingress-statistics-policy B1
egress-statistics-policy A1
!
!
sap 1/1/1
c-vlan 5
!
!
!
statistics
fc
fc-bw-measurement bytes
!
da-type
!
Exit
!
Device-name#show service dot1q 1 sap 1/1/1 c-vlan 5 statistics
statistics ingress policy:B1
packets bytes
In stat 0 0
fc be 1000 100000
fc l2 0 0
fc af 0 0
fc l1 0 0
fc h2 0 0
fc ef 0 0
fc h1 0 0
fc nc 0 0
statistics egress policy
packets bytes
Eg stat 0 0

System Logs Message

The application software provides system log messages that are useful to the system administrator
for troubleshooting problems in the network:
The console log routes system messages to a local or remote console, or to the system memory
buffer
Message logging is configurable (for example: what severity levels and where the log is sent)
System Logs Message Format

The logging subsystem takes messages initiated by various software processes within the application
software, formats the messages, and writes them to the appropriate log files. These messages come
from a local facility or module (a hardware device, protocol, or process within the system software).
The logging subsystem:
provides logging information for monitoring and troubleshooting
allows configuration of the types of logging information to be captured and the destination
(log file or other devices)
includes system log messages
The system message is stored and displayed based on the following format:
DATE TIME SEVERITY PROCESS MESSAGE-TEXT
Table 16: System Message Fields

Keyword Description
DATE and TIME Indicates when the message is issued

SEVERITY The literal messages severity level
PROCESS The name of a system process that generated the message
MESSAGE-TEXT The textual content of the message
Example
Jan 1 01:02:48 info OSPF interface 192.168.1.1 join AllSPFRouters
Multicast group.

Settings and Values
Severity Levels
Trap level for logging should be configured per receiver (buffer, CLI console, SSH console, and
Syslog server) and per severity.
By default, the buffer is disabled and it does not store any LOG messages.
To configure the level of the trap message logging filter, use the log buffer severity
command.
Table 17: Severity Levels
Severity Level Keyword Description
0 emergency Internal error occurred. The device reached a crash

state and cannot continue to operate.
1 alert Immediate action needed. The device might operate
incorrectly.
2 critical Internal error or non-supported event occurred.
3 error Error condition (for example, error messages about
software or hardware malfunctions).
4 warning Warning condition.
5 notice Normal but significant condition (for example,
interface up/down transitions and system restart
messages).
6 info Informational message only (for example, reload
requests and low-process stack messages).
7 debug Debug level messages.
Zero (0) is the highest severity, and 7 is the lowest severity. When you specify a severity level,
logging output of the specified level and all lower levels (higher severities) are enabled.

Syslog Facility
A Syslog facility is a setting for the remote Syslog server.
Table 18: Syslog Message Facilities
Keyword Description
alert Log alert

audit Log audit
auth Security/authorization messages
clock Clock daemon
cron Messages generated internally by Syslog
daemon System daemons
ftp FTP daemon
local0 Local use 0 (local0)
lpr Line printer subsystem
mail Mail system
news Network news subsystem
ntp NTP subsystem
security Security/authorization messages
syslog Messages generated internally by Syslog
user User-level messages
uucp UUCP subsystem
NOTE
Some operating systems use facilities alert, audit, and auth for
security/authorization and audit/alert messages.

System Log Commands
Commands Hierarchy
device-name#
+ config terminal
+ [no] log
- [no] cli-console {severity <level> | process-name NAME}
- [no] ssh-console {severity <level> | process-name NAME}
- [no] buffer {severity <level> | process-name NAME}
- [no] telnet-console {severity <level> | process-name NAME}
+ [no] syslog-server A.B.C.D
- [no] facility <level>
- severity <level>
- [no] process-name NAME
- show syslog
- show syslog message [level <level> | process NAME | text NAME |
timestamp NAME]
Table 19: System Log Commands
Command Description

log Enters Log Configuration mode
no log Exits Log Configuration mode
cli-console {severity <level> | Configures logs sent to the CLI console:

process-name NAME}
severity level: specifies a
severity level to limit logs on
the CLI console. Refer to
Keyword column of Table 17.
process-name NAME: specifies a
process, related logs are
displayed (AAA, BFD, MPLS LDB
forwarding, MPLS LDB HW, MPLS
Management, MPLS Stack, BIST,
and etc)
no cli-console {severity | process- Removes configured options
name}
ssh-console {severity <level> | Configures logs sent to the SSH console:

Command Description
process-name NAME}
the SSH console. Refer to
Keyword column of Table 17
and etc)
no ssh-console {severity | process- Removes configured options
name}
telnet-console {severity <level> | Configures logs sent to the Telnet console:

process-name NAME}
the Telnet console. Refer to
Keyword column of Table 17
and etc)
no telnet-console {severity | Removes configured options
process-name}
buffer {severity <level> | process- Specifies severity level to limit logs to buffer:
name NAME}
severity level: specifies
severity level to limit logs to
buffer. Refer to Keyword column
of Table 17
process, logs of which are
buffered (AAA, BFD, MPLS LDB
and etc)
Syslog buffer size is 2000 messages
no buffer {severity | process-name} Restores to default
syslog-server A.B.C.D Specifies the IP address of Syslog server:

A.B.C.D: the IP address in
dotted-decimal format
no syslog-server A.B.C.D Removes the configured server
facility <level> Specifies type of syslog facility from which

logs are sent:
level: refer to Keyword column
of Table 18
no facility Removes the configured facility level
severity <level> Specifies the severity level to limit logs sent to

the Syslog server:
level: refer to Keyword column

Command Description
of Table 17
process-name NAME Specifies a process, logs of which are sent to
the Syslog server:
NAME: process name (AAA, BFD,
MPLS LDB forwarding, MPLS LDB
HW, MPLS Management, MPLS Stack,
BIST, and etc)
no process-name Removes the configured process
source-address A.B.C.D Configures Syslog server to listen on a

specified IP address for incoming
connections. The connections are restricted to
a specific router interface including loopbacks.
A.B.C.D: IP address, in a
interfaces)
dscp-mapping <value> Specifies a DSCP priority of packets sent to

the Syslog server:
show syslog Displays information for logs kept in the
device buffer (last 2000 messages)
show syslog message [level <severity Displays detailed information for logs kept in
level> | process NAME| text NAME | the device buffer:
timestamp NAME]]
severity level: refer to Keyword
column of Table 17
process NAME: process, logs of
which are displayed
text NAME: the text name
timestamp NAME: the timestamp
name

Configuration Example
The following example shows how to enable system log messages for different severity levels that
are displayed by the console port, on SSH session or Syslog buffer.
1. Enable logging on the console port with severity level critical:
device-name#configure terminal
device-name(config)#log cli-console severity critical
device-name(config)#commit
Commit complete.
2. Enable logging to SSH with severity level debug:

device-name(config)#log ssh-console severity debug
Commit complete.
3. Enable logging to a Syslog buffer with severity level info:

device-name(config)#log buffer severity info
Commit complete.

Denial of Service (DoS) Attack Prevention

During a denial of service attack, multiple attackers flood the device CPU with packets potentially
causing the device to fail.
To protect against this type of attack, configure your device to perform the following actions when
the number of packets received exceeds the configured threshold limit of packets per second:
Sends an SNMP trap to all configured SNMP management stations
Generates a log message
Activiates a DoS START event trigger (if configured)
Administrators typically configure protection against DoS attacks on edge devices to prevent an
attack from entering the core layers of the network. DoS attacks can be classified as:
Logic attacks: Exploit security vulnerabilities to cause a server or service to crash or
significantly reduce performance.
Resource exhaustion flooding attacks: Cause resources for the server or network to be
consumed to the point where the service no longer responds or the response is significantly
reduced.
DoS Attack Prevention Commands

This section defines the command hierarchy for the DoS attack prevention feature and provides a
list of available commands. Included also, is a configuration example.
Command Hierarchy
device-name#
+ config terminal
+ ethernet
+ [no] attack-prevent
- [no] first-tcp-fragment-without-full-tcp-header
- [no] fragmented-icmp
- [no] icmp-payload-greater-than-icmp-max-size
- [no] matching-source-destination-ip
- [no] tcp-fin-urg-psh-sequence-zero
- [no] tcp-header-fragment-offset-1
- [no] tcp-src-equals-tcp-dst
- [no] tcp-syn-fin
- [no] udp-src-equals-udp-dst
- [no] tcp-flag-and-sequence-zero

Table 20: DoS Commands
Command Description

attack-prevent Enters DoS Attack Prevention Configuration
mode
no attack-prevent Removes DoS configuration details
first-tcp-fragment-without-full- Blocks all TCP packets with missing or
tcp-header malformed TCP header (less than 20 bytes)
Disabled
no first-tcp-fragment-without-full- Restores to default
tcp-header
fragmented-icmp Blocks fragmented ICMP packets.

Because ICMP packets contain very short
messages, there is no legitimate reason for
ICMP packets to be fragmented. If an ICMP
packet is so large that it must be fragmented,
something is amiss.
no fragmented-icmp Restores to default
icmp-payload-greater-than-icmp-max- Blocks packets with ping ICMP packets
size payload larger than the maximum
programmed ICMP value
no icmp-payload-greater-than-icmp- Restores to default
max-size
matching-source-destination-ip Blocks packets with a source IP address

equal to the destination IP address
no matching-source-destination-ip Restores to default
tcp-fin-urg-psh-sequence-zero Blocks packets with TCP flags FIN (No more
data from sender), URG (indicates that the
Urgent pointer field is significant), and PSH
(Push function) set; and sequence number set
to 0
no tcp-fin-urg-psh-sequence-zero Restores to default
tcp-header-fragment-offset-1 Blocks packets with fragment offset of the
TCP header set to 1
no tcp-header-fragment-offset-1 Restores to default
tcp-src-equals-tcp-dst Blocks packets with a source TCP address
equal to the destination TCP address
no tcp-src-equals-tcp-dst Restores to default
tcp-syn-fin Blocks TCP flags with SYN (Synchronize
sequence numbers) and FIN (No more data
from sender) set
no tcp-syn-fin Restores to default

Command Description
udp-src-equals-udp-dst Blocks packets with equal UDP source and

destination port numbers
no udp-src-equals-udp-dst Restores to default
tcp-flag-and-sequence-zero Blocks packets with no TCP control flag and
sequence number
no tcp-flag-and-sequence-zero Restores to default
device-name(config-attack-prevent)#first-tcp-fragment-without-full-tcp-header
device-name(config-attack-prevent)#fragmented-icmp
device-name(config-attack-prevent)#commit
Commit complete.
device-name(config-attack-prevent)#end
device-name#show running-config ethernet attack-prevent
ethernet
attack-prevent
first-tcp-fragment-without-full-tcp-header
fragmented-icmp
!
!

Reload Commands
device-name#
+ config terminal
+ system
- reload [manufacturing-defaults] [downgrade]
- reload at MONTH DAY hour minute
- reload in hour minute
- show system reload
Table 21: The reload Command

Command Description

reload [manufacturing-defaults] Reloads the operating system:
[downgrade]
manufacturing-defaults: resets
the device to the factory
default configuration
downgrade: resets the device to
the factory configuration of an
older software image
The option is mandatory when the user

rollback to an older software image.
reload at MONTH DAY hour minute Reloads the operating system at the specified
time. The restart must take place within 12
months.
MONTH: number of the month in
the range of <1-12>
DAY: number of the day in the
range of <1-31>
hour: hour in the range of <1-
23>
minute: minutes in the range of
<0-59>
reload in hour minute Reloads the operating system after the
specified time interval. The restart must take
place within 12 months.
hour: hour in the range of <1-
23>
minute: minutes in the range of
<0-59>
show system reload Displays information about a scheduled reload
Example 1:

device-name(config-system)#relaod
Connection to 10.3.133.6 closed by remote host.
Connection to 10.3.133.6 closed.
Example 2:
device-name(config)#system reload at 9 26 11 35
Where values are months, day, hour and minutes.
device-name#show system reload

system reload in time : In 0:0; Hex : 00000000
system reload at time : Month: 9 Day: 26 At 11:35; Hex : 1a090b23

Control Plane Policing

Control Plane Policing (CoPP) allows you to manage the flow of IPv4 multicast traffic handled by
the CPU. CoPP is designed to prevent unnecessary traffic from overwhelming the CPU that, if left
unabated, could affect system performance.
The destination address of IPv4 multicast traffic is in the range of 224.0.0.0-224.0.0.255.
Destination MAC address is in the range of 01:00:5e:00:00:00 - 01:00:5e7f:ff:ff.
The last 23 bits should match the last 23 bits from the IP multicast address.
NOTE
By default, CoPP is applied on SAP ports of services carrying IPv4 multicast traffic. The
protection profile name is service with classification criteria pass. It is possible to harden
the device protection, by applying the protection profile on SDP ports of the configured
services.
Command Hierarchy
device-name#
+ config terminal
+ system
+ security
+ [no] protection-profile NAME
[no] ipv4-reserved-multicast {discard | pass | peer
| peer-and-pass}
+ port UU/SS/PP
- [no] protection-profile NAME
Table 22: CoPP Commands

Command Description

security Enters the Security Configuration mode
protection-profile NAME
Specifies a Protection profile and enters the

Protection Configuration mode:
NAME: string of up to 32
characters
no protection-profile Removes the defined profile

Command Description
ipv4-reserved-multicast {discard Defines the packet classification criteria for

| pass | peer | peer-and- the specified profile:
pass}
discard: packets are discarded
pass: packets are switched only
peer: packets are sent to the
CPU only, not switched to the
relevant ports
peer-and-pass: packets are
switched and also sent to the
CPU
peer-and-pass
no ipv4-reserved-multicast Restores to default
port UU/SS/PP
Enters configuration mode for a specific port:

UU/SS/PP: 1/1/1-1/1/4 and 1/2/1-
1/2/8
protection-profile NAME Assigns a Protection profile to a port:
NAME: string of up to 32
characters
no protection-profile Removes the assigned Protection profile

Supported Standards, MIBs, and RFCs

Features Standards MIBs RFCs
MAC Address Table Not supported Standard MIB, Not supported

8021Q_d6.mib
MAC Learning Not supported Private MIB, Not supported
Security Policies PRVT-MAC-
SECURITY-MIB.mib
Files System Not supported Private MIB, Not supported
PRVT-
INTERWORKING-OS-
MIB
System Time and Date Not supported Not supported RFC 867, Daytime
Protocol
RFC 868, Time
Protocol
draft-ieee1588v2.1
DNS Resolver Not supported Not supported RFC 1034, Domain
NamesConcepts
and Facilities
RFC 1035, Domain
Names
Implementation and
Specification
VTY (Virtual Telnet Not supported Not supported RFC 884, Telnet
Type) Commands terminal type option
Remote Monitoring Not supported PRVT-StatHistMIB.mib RFC 1271, Remote
(RMON) Public MIBs: Network Monitoring
RMON-MIB.mib Management
Information Base
RFC 3273, Remote
Network Monitoring
Management
Information Base for
High Capacity
Networks
RFC 2819
System Logs Not supported Not supported RFC 3164, The BSD
Syslog Protocol (client
mode)
DoS Attack Prevention Not supported Not supported Not supported

Simple Network Management Protocol
(SNMP)
Table of Contents
Table of Figures 1
List of Tables 2
Overview 3
SNMP Entity 3
SNMP Agent 4
Structure of Management Information (SMI) 4
SNMP Manager 4
Management Information Base (MIB) 4
SNMP Engine ID 4
SNMP View Records 5
SNMP Notifications 5
The Discovery Mechanism 7
Versions of SNMP 9
SNMP Commands 11
Command Hierarchy 11
SNMP Configuration Example 26

Creating Users 26
SNMP Notification for Users 28
Table of Figures
Figure 1: SNMP Agent and Manager Communication ..................................................................... 3
Figure 2: Trap Sent to SNMP Manager Successfully ........................................................................ 5
Simple Network Management Protocol (SNMP) (Rev. 01) Page 1

Figure 3: Inform Request Sent to SNMP Manager Successfully ..................................................... 6

Figure 4: Trap Unsuccessfully Sent to SNMP Manager ................................................................... 6
Figure 5: Inform Request Successfully Resent to SNMP Manager ................................................. 7
Figure 6: Obtaining the snmpEngineID ............................................................................................. 8
Figure 7: Obtaining the snmpEngineBoots and snmpEngineTime ............................................... 8
List of Tables
Table 1: SNMP Versions ....................................................................................................................... 9
Table 2: Security Levels Available in the SNMPv3 Security Models ............................................ 10
Table 3: SNMP Configuration Commands ...................................................................................... 12
Table 4: Notification Types................................................................................................................. 18
Page 2 Simple Network Management Protocol (SNMP) (Rev. 01)

Overview
SNMP is an application layer protocol that facilitates the exchange of management information
between network devices. An SNMP-managed network consists of three key components:
Managed Device: A network node that contains an SNMP Agent and resides on a managed
network
Agent: A network-management software module that resides in a managed device. An agent
has local knowledge of management information and translates that information into a form
compatible with SNMP
Network-Management System: Responsible for execution of applications that monitor and
control managed devices.
Using SNMP, a network administrator can manage network performance, find and solve network
problems, and extend the network.
Table 1 displays communication between an SNMP Agent and a Manager.
Figure 1: SNMP Agent and Manager Communication
SNMP Entity
An SNMP Entity, an implementation of the SNMP architecture, consists of an SNMP Engine and
one or more associated applications.
An SNMP Engine provides services for sending and receiving messages, authenticating and
encrypting messages, and controlling access to managed objects. The SNMP Engine is
identified by the SNMP Engine ID.
Applications use the services of an SNMP Engine to accomplish specific tasks. They
coordinate the processing of management information operations, and may use SNMP
messages to communicate with other SNMP Entities.

SNMP Agent
An Agent is a network-management software module that resides in a managed device and is
responsible for maintaining local management information and delivering that information to a
Manager via SNMP. A management information exchange can be initiated by the Manager or by the
Agent.
The SNMP Agent contains MIB variables and these values can be requested or changed by the
SNMP Manager. The Agent and MIB reside on the device. The Agent gathers data from the MIB
and responds to a Managers request to get or set data.
Structure of Management Information (SMI)

Management information is a collection of managed objects, residing in a virtual information store,
termed the MIB. Collections of related objects are defined in MIB modules. Each type of object
has:
Name: Names are used to identify managed objects and are represented uniquely as an Object
Identifier (OID). An OID is an administratively assigned name used to identify an object
regardless of the semantics associated with that object.
Syntax
Encoding: Encoding is the way that instances of a particular object type are represented using
the object types syntax.
SNMP Manager
An SNMP Manager is a software module in a management network responsible for managing
either part of or the entire configuration on behalf of network management applications and users.
The SNMP Manager sends requests to the SNMP Agent to get and set MIB values.
Communication among protocol entities is accomplished by the exchange of messages; each of
them is entirely and independently represented within a single UDP datagram. A message consists
of a version identifier, an SNMP community name, and a protocol data unit (PDU). PDUs are the
packets that are exchanged in the SNMP communication.
Management Information Base (MIB)

A MIB consists of a collection of objects organized into groups. Objects have values that represent
managed resources. All managed objects in the SNMP environment are arranged in a hierarchical
or tree structure. A MIB is the repository for information about devices parameters and network
data.
SNMP Engine ID
The SNMP Engine ID is a 5 to 32 bytes long, administratively unique identifier of a participant in
SNMP communication within a single management domain. The SNMP Manager and SNMP
Agent must be configured by an administrator to have unique SNMP Engine IDs.

SNMP View Records

With the community-based authentication defined in SNMPv1, an authorized user is granted access
to the whole MIB tree for reading or for reading/writing. With SNMPv1, it is not possible to allow
diverse authorized users access to different portions of the MIB database.
This deficiency is overcome in SNMPv3 with the introduction of views. A view is a set of rules that
define what portion of the MIB database can be visible to a specific user. The rules are defined by
the OID of a node in the MIB tree, and the type of rule: included or excluded. The OID defines a
view familya set of object identifiers that have a common prefix. A single rule (included or
excluded) in the view is applied to view family, not only to a single OID.
SNMP Notifications
The SNMP notification messages allow devices to send asynchronous messages to the SNMP
Managers. Devices can send notifications to SNMP Managers when particular events occur. For
example, an Agent might send a message to a Manager when the Agent experiences an error
condition.
NOTE
All traps, except the ones sent with SNMPv1, have a request ID as part of the PDU.
SNMP notifications can be sent as traps or Inform requests. Traps are unreliable because the
receiver does not send an acknowledgment upon receipt of a trap. However, an SNMP Manager
that receives an Inform request acknowledges the message with an SNMP response PDU. If the
sender does not receive a response after a particular time interval, the Inform request is sent again.
Informs consume more resources in the device and in the network but are more reliable. Unlike a
trap, which is discarded after being sent, an Inform request must be held in memory until a
response is received or the request times out. Also, traps are sent only once, while an Inform may
be sent several times.
Figure 2 through Figure 5 illustrate the differences between traps and Inform requests.
In Figure 2, the Agent successfully sends a trap to the SNMP Manager. The Manager receives the
trap but does not send an acknowledgment to the Agent. The Agent has no way of knowing
whether the trap reached its destination.
Figure 2: Trap Sent to SNMP Manager Successfully
In Figure 3, the Agent successfully sends an Inform request to the Manager. Upon receipt of the
Inform request, the Manager sends a response back to the Agent. As a result, the Agent knows that
the Inform request successfully reached its destination. In this example, while traffic is generated
twice, as in Figure 2; the Agent is sure that the Manager received the notification.

Figure 3: Inform Request Sent to SNMP Manager Successfully
In Figure 4, the Agent sends a trap to the Manager, but the trap does not reach the Manager. Since
the Agent has no way of knowing whether the trap reached its destination, the trap is not sent
again. The Manager never receives the trap.
Figure 4: Trap Unsuccessfully Sent to SNMP Manager

In Figure 5, the Agent sends an Inform request to the Manager, but the Inform request does not
reach the Manager. The Manager does not send a response. After a period of time, the Agent
resends the Inform request. This time, the Manager receives the Inform request and replies with a
response. In this example, there is more traffic than in Figure 4; however, the notification reaches
the SNMP Manager.
Figure 5: Inform Request Successfully Resent to SNMP Manager
The Discovery Mechanism

To protect the user network against message reply, delay and redirection, one of the SNMP engines
involved in each communication is designated as the authoritative SNMP engine. When an SNMP
message contains a payload that expects a response, the receiver of such a message is authoritative.
The PDUs involved in an authenticated/encrypted session between the Agent and the Manager are
encoded with keys that are localized with the snmpEngineID of the Manager and not with the
snmpEngineID of the local application software Agent.
To match the described requirements, you need an additional configuration of users, on whose
behalf Inform PDUs can be sent. User keys are required to be localized with the snmpEngineID of
the Manager (the authoritative side). The keys of these users are localized for the remote side and
the Agent cannot process configuration of SNMP requests on their behalf. GET, GET-NEXT,
GET-BULK, or SET requests from users with a SNMP Engine ID that is different from the Agent
SNMP Engine ID cannot be processed. The application software defines as remote those users
created with a snmpEngineID different from the Agents snmpEngineID. Remote users can
participate just by sending Inform PDUs.
To create a remote user, specify the snmpEngineID of the notification recipient, where this user is
correctly defined. The proper calculation of authentication/encryption keys requires a valid remote
user.
To send the Inform PDU to the authoritative side, the Agent needs information for the
snmpEngineID of the target-address of the recipient.

To reduce a configuration complexity, the application software Agent implements an auto

discovery procedure for obtaining the SNMP Engine IDs of different Inform recipients.
When an event occurs, for example LinkUp, the Agent sends an Inform PDU to all valid targets for
this Inform. The very first Inform PDU actually is not valid as the Agent still does not know the
parameters of the Receiver Engine IDsnmpEngineId, snmpEngineBoots and snmpEngineTime.
In Figure 6, the Manager reports the PDU with its Engine ID to the Agent.
Figure 6: Obtaining the snmpEngineID
The Agent sends an Inform PDU with a valid Engine ID (the Engine ID that is received as shown
in Figure 6), but with incorrect snmpEngineBoots and snmpEngineTime. These parameters are still
unknown to the Agent. The discovery process ends when no authentication/encryption exists for
the target address. If authentication/encryption exists, the packet is with the corresponding
authentication/encryptionMD5, SHA or DES.
In Figure 7, the Manager returns an authenticated REPORT PDU (notInTimeWindow) that
consists of valid snmpEngineBoots and snmpEngineTime parameters.
Figure 7: Obtaining the snmpEngineBoots and snmpEngineTime
Finally, when the discovery process is completed, the Agent and the Manager are synchronized and
subsequent packets do not discover the Engine ID of the Manager.

Versions of SNMP
The application software supports the following versions of SNMP:
Table 1: SNMP Versions
Variable Description
SNMPv1 In the SNMP version 1, user can get and set MIB objects, traverse the
MIB tree using the getNext operation, and enable the management
device to receive asynchronous messages from the Agent using the trap
mechanism. SNMPv1 bases its security on community strings.
SNMPv2c SNMP version 2c (the c stands for community) is the community-string
based Administrative Framework. SNMPv2c includes the following
improvements over SNMPv1:
Improved performance for getting data using getBulk. The bulk
retrieval mechanism supports the retrieval of tables and large
quantities of information in one PDU, thus minimizing the number of
round-trips required.
Improved error handling. SNMPv2 adds many error codes to the
five originally defined in SNMPv1. Management devices are
provided with more detailed information about the cause of the
error. Also, three exceptions are reported with SNMPv2c:
no such object, no such instance, and end of MIB view
exceptions.
Extended asynchronous reporting. SNMPv2 allows the Agent to
send SNMP notifications by inform request, as well as by trap
messages that are available in SNMPv1. Whereas traps do not
provide the Agent with an indication that the message is received,
the inform request requires the Manager to confirm reception and
is therefore more reliable. As for the trap message, its format is
changed to match the PDU format of a regular get/set PDU, in order
to simplify the protocol. The SNMPv2 protocol requires adding more
details to every trap in order to supply the Manager with more
information.
Generally, MIBs written for Agents that use SNMPv2c or higher versions
use SMIv2 instead of version 1 of the SMI. This version adds some new
variables types.
Both SNMPv1 and SNMPv2c use a community-based form of security.
SNMPv3 SNMP version 3, an interoperable standards-based protocol, provides
secure communication using the USM (User-based Security Model) and
access control using the VACM (View-based Access Control). The USM
model provides an answer to the following threats:
Replay, interception and retransmission of messages prevented by
using time-stamp.
Masquerading prevented by authenticating the message sender.
Integrity, interception, changing data, and retransmission of
messages prevented by authenticating the message sender and
encryption of the message data.
Disclosure prevented by encryption of the message data.
The SNMPv3 USM allows three levels of security (see
Table 2):
No Authentication and No Privacy (noAuthNoPriv)

Authentication and No Privacy (AuthNoPriv)

Authentication and Privacy (authPriv)
Table 2: Security Levels Available in the SNMPv3 Security Models

Level Authentication Encryption Explanation
noAuthNoPriv Username No All PDUs are sent unencrypted and

not authenticated in the network.
authNoPriv HMAC-MD5 or No The PDUs are authenticated with
HMAC-SHA HMAC (keyed-Hashing for Message
Authentication Codes). They cannot
be altered by an attacker, but can be
read.
authPriv HMAC-MD5 or Cipher Block The PDUs are authenticated and
HMAC-SHA ChainingData encrypted (with CBC-DES Symmetric
Encryption Encryption Protocol).
Standard
(CBC-DES)
You must configure the SNMP Agent to use the version of SNMP supported by the management
device. An Agent can communicate with multiple users. For this reason, you can configure the
application software to support communications with many users: some users can use the SNMPv1
protocol, some can use the SNMPv2c protocol, and the rest can use SMNPv3.
NOTE
You can participate in different groups, with a different security model in each
group. You cannot participate in more than one group with the same security model.

SNMP Commands
The following section presents the SNMP Command Hierarchy together with command
descriptions and an example.
Command Hierarchy
device-name#
+ configure terminal
+ system
+ [no] snmp
- [no] engine-id <engineID>
- [no] max-packet-size <size>
- [no] general-port <port-number>
- [no] shutdown
- [no] authentication-failure-trap
- [no] system-name .LINE-TEXT
- [no] system-location .LINE-TEXT
- [no] system-contact .LINE-TEXT
- [no] system-description .LINE-TEXT
- [no] notification-change-trap
- [no] view VIEWNAME OID-TREE [MASK | included | excluded]
- [no] group GROUPNAME {authNoPriv | authPriv |
noAuthNoPriv} read READ-VIEW write WRITE-VIEW notify
NOTIFY-VIEW
- [no] user USERNAME GROUPNAME {v1 | v2c | v3} [md5 | sha
| remote ENGINE-ID] [AUTHENTICATION-PASSWORD]
[ENCRYPTION-PASSWORD]
+ [no] target-address ADDR-NAME
- [no] message-model {v1 | v2c | v3}
- [no] security-level {noAuthNoPriv | authNoPriv |
authPriv}
- [no] address TARGET-ADDRESS
- [no] security-name USERNAME
- [no] dst-port <port-number>
- [no] retry-count <value>

- [no] type [both | inform | trap]

- show snmp-server [displaylevel <level> | statistics]
- show snmp engine [displaylevel <level>]
- show snmp-system [displaylevel <level>]
- show snmp views [displaylevel <level>]
- show snmp group [displaylevel <level>]
- show snmp access [displaylevel <level>]
- show snmp target-address [displaylevel <level>]
Table 3: SNMP Configuration Commands
Command Description

snmp Enters SNMP Configuration mode
no snmp Removes the SNMP configuration
access source-ip A.B.C.D/M Limits the access to the SNMP server (device/SNMP
agent) only from the specific sources IP address(es):
A.B.C.D/M: IP address and subnet mask
(in a dotted-decimal format) that
identify a network or hosts.
address.
no access source-ip Removes the configured IP address
engine-id <engineID> Defines a new value for the SNMP Engine ID of the
Agent:
engineID: a string of 10 to 64
characters (represented internally by
5 to 32 bytes), in the format of
XX:XX:XX:XX:XX:XX
80 00 02 E2 03 [MAC ADDR]
no engine-id Restores the default
max-packet-size <size> Defines a new value for the maximum packet size:
size: in the range of <484-
2147483647>
9216
no max-packet-size Restores the default
general-port <port-number> Defines a new value for the IP SNMP port number:
port-number: in the range of <161,
1025-65535>
161
no general-port Restores the default

Command Description
shutdown Disables the SNMP server

SNMP server is disabled
no shutdown
Enables the SNMP server

authentication-failure-trap Enables authentication SNMP traps on the device.
An authentication failure trap signifies that the
sending protocol entity is the addressee of a protocol
message that is not properly authenticated.
Enabled
no authentication-failure- Disables authentication SNMP traps
trap
system-name .LINE-TEXT Defines the MIB-II system name:

.LINE-TEXT: descriptive system name
string, up to 255 characters long
The default value is the devices model name
no system-name Removes the defined system name.
system-location .LINE-TEXT Defines the MIB-II system location string:

.LINE-TEXT: descriptive system
location string, up to 255
characters long
Empty (null)
no system-location Restores to default.
system-contact .LINE-TEXT Defines the MIB-II system contact string:

.LINE-TEXT: descriptive system
contact string, up to 255 characters
long
Empty (null)
no system-contact Restores to default
system-description .LINE- Defines the MIB-II system description string:

TEXT
.LINE-TEXT: description string, up to
255 characters long
Empty (null)
no system-description Restores to default
notification-change-trap Enables SNMP notification change traps
no notification-change-trap Disables traps
source-address A.B.C.D Specifies the source address of SNMP packets:

decimal format

SNMP server:

Command Description
view VIEWNAME OID-TREE

[MASK | included |
excluded] Defines the subset of all MIB objects accessible to
the given view:
VIEWNAME: the name of the view up to
32 characters
OID-TREE: the starting point inside
the MIB tree given in dot-notation or
as an object name
MASK: the mask is typed as a
hexadecimal value, and is interpreted
as a binary value. A binary 1 in the
mask states that the Object ID at the
corresponding position has to match,
a binary 0 states that the Object ID
at the corresponding position is
irrelevantno match is required
included: the Object ID subtree is
included in the view
excluded: the Object ID subtree is
excluded from the view
no view VIEWNAME Removes the specified view
group GROUPNAME {authNoPriv

| authPriv | noAuthNoPriv}
read READ-VIEW write Creates an SNMP group with a specified security
WRITE-VIEW notify model and defines the access-right for this group by
NOTIFY-VIEW associating views to this group:
GROUPNAME: the name of the group is
limited to 32 characters
{authNoPriv | authPriv |
noAuthNoPriv}: the security level.
For more information, refer to
Table 2
If no security level is specified, noAuthNoPriv
security level is assumed
READ-VIEW: the name of the view (not
to exceed 32 characters) in which you
can only view the contents of the
Agents MIB
WRITE-VIEW: the name of the view (not
to exceed 32 characters) in which you
can type data and configure the
contents of the Agents MIB
NOTIFY-VIEW: the name of the view
(not to exceed 32 characters) that
specifies what portion of the MIB
database is accessible for
notifications
NOTE
We recommend avoiding the
combinations of same group name
with multiple security models.

Command Description

no group GROUPNAME Removes the SNMP group data:
{authNoPriv | authPriv |
noAuthNoPriv} If you specify only the group name, all groups
with that name are removed, regardless of
security model and level.
If you specify the security model, only the group
matching all conditions is removed.
user USERNAME GROUPNAME {v1
| v2c | v3} [md5 | sha |
remote ENGINE-ID] Creates an SNMP local or remote user:
[AUTHENTICATION-
PASSWORD] [ENCRYPTION- USERNAME: the name of the user on the
PASSWORD] host that connects to the Agent.
SNMP user is not configured
GROUPNAME: the name of the group is
limited to 32 characters
v1, v2c, v3: the security model. For
more information, refer to Table 1
md5: enables HMAC-MD5 (Message Digest
5) authentication
sha: enables HMAC-SHA (Secure Hash
Algorithm) authentication
(only for v3 users)remote ENGINE-ID:
creates a remote user by its engine
ID, in hexadecimal format FF:FF:FF:FF
ENCRYPTION-PASSWORD: the PDUs sent to
or received by this user should be
encrypted, with the key generated
from the encryption password; up to
32 characters
AUTHENTICATION-PASSWORD: the
authentication password string up to
32 characters
no user USERNAME GROUPNAME Removes the specified user definition
{v1 | v2c | v3}
target-address ADDR-NAME Defines the notification target address. The target

device is the device which receives the generated,
by the device, traps.
ADDR-NAME: the name of the
notification target address up to 32
characters
no target-address ADDR-NAME Removes the notification target address.
message-model {v1 | v2c | Defines the security model specifying the version of
v3} the protocol in which the traps are sent (for more
information, refer to Table 1):
v1, with TRAP-V1 PDU type
v2c with TRAP-V2 PDU type
v3, with TRAP-V2 PDU type)
v2c

Command Description
no message-model Restores the default

security-level Defines the SNMP level of security:
{noAuthNoPriv |
authNoPriv | authPriv} authNoPriv, authPriv, noAuthNoPriv:
the security level. For more
information, refer to
Table 2
If no security level is specified, noAuthNoPriv
security level is assumed
no security-level Restores the default
address TARGET-ADDRESS Defines the IP address of the target:

A.B.C.D: the IP address of the target
0.0.0.0
no address Restores to default
security-name USERNAME Defines the security name that identifies how SNMP
messages will be generated using this entry:
USERNAME: the security user name
no security-name Removes the security name
dst-port <port-number> Specifies the UDP port number:

port-number: in the range of <162,
1025-65535>
162
no dst-port Restores the default
timeout <value> Configures the time to wait for an acknowledgement

before resending an unacknowledged inform PDU:
seconds
15 seconds
no timeout Restores the default
retry-count <value> Configures the number of retries if there is no

response from the client on the informs:
3 retries
no retry-count Restores the default
type [both | inform | Defines the notification type:
trap]
both: specifies both inform- and
trap-type notifications
inform: specifies inform-type
notifications
trap: trap-type notifications
no type Removes the configured notification type
show snmp-server [displaylevel Displays the bind address, the status of the SNMP
<level> | statistics] server, and the UDP port on which SNMP is
enabled:

Command Description
level: in the range of <0-64>

statistics: the SNMP server
statistics
show snmp engine [displaylevel Displays the local SNMP Engine ID of the SNMP
<level>] Agent, all Engine IDs that are known to the Agent,
and information about the inform operation values:
show snmp-system [displaylevel Displays the SNMP server system configuration:
<level>]
show snmp views [displaylevel Displays all configured views and the viewmask of a
<level>] particular view (if configured):
show snmp group [displaylevel Displays the configured groups, associated views,
<level>] and security model. If the security model is USM
(v3), the command displays the security level:
show snmp access [displaylevel Displays the users and associated remote engine ID:
<level>]
show snmp target-address [displaylevel Displays the notification target address:
<level>]

Table 4: Notification Types

Argument Value Description
authenticationFailure This notification indicates that the SNMP entity,

acting as an Agent, has received a protocol message
that is not properly authenticated. The authentication
method depends on the version of SNMP that is
used. For SNMPv1 or SNMPv2c, authentication
failure occurs for packets with an incorrect
community string. For SNMPv3, authentication failure
occurs for packets with an incorrect SHA/MD5
authentication key or for a packet that is outside of
the authoritative SNMP engines time window.
prvtSysMonCpuTemperature This notification indicates that the sending Agent
senses that the internal temperature has exceeded
the program threshold.
prvtSysMonCpuUtilization This notification indicates that the sending Agent
sensed that the CPU utilization has passed the
programmed threshold.
customerCreated This notification is generated when an entry in
custInfoTable is created.
customerDeleted This notification is generated when an entry in

custInfoTable is deleted.
prvtSysMonFansTest This notification indicates that the sending agent

senses that one of the fans changed its status.
lagLinkDown This notification is generated when lag link becomes
down.
lagLinkUp This notification is generated when lag link becomes
up.
lagMemberAdd This notification is generated when a new port is
added to a LAG link. The first ifIndex indicates the ID
of the trunk interface. The second one displays the
added port member.
lagMemberLinkDown This notification is generated when the LAG link
becomes down. The first ifIndex indicates the ID of
the trunk interface. The second one shows the port
member with link status change.
lagMemberLinkUp This notification is generated when the LAG link
becomes up. The first ifIndex indicates the ID of the
trunk interface. The second one displays the port
member with a link status change.
lagMemberRemove This notification is generated when a port is removed
from a LAG. The first ifIndex indicates the ID of the
trunk interface. The second one shows the removed
port member.

linkDown This notification indicates that the SNMP entity,

acting as an Agent, has detected that the
ifOperStatus object for one of its communication links
is about to enter the down state from some other
state (but not from the notPresent state). This other
state is indicated by the included value of
ifOperStatus.
linkUp This notification indicates that the SNMP entity,
acting as an Agent, has detected that the
ifOperStatus object for one of its communication links
left the down state and transitioned into another state
(but not into the notPresent state). The other state is
indicated by the included value of ifOperStatus.
mplsAutoTunnelDown This notification is generated when a
mplsAutoTunnelOperStatus object for one of the
configured tunnels is about to enter the down state
from some other state (but not from the notPresent
state). This other state is indicated by the included
value of mplsAutoTunnelOperStatus.
mplsAutoTunnelUp his notification is generated when a
mplsAutoTunnelOperStatus object for one of the
configured tunnels is about to leave the down state
and transition into some other state (but not into the
notPresent state). This other state is indicated by the
included value of mplsAutoTunnelOperStatus.
mplsDynTunnelDown This notification is generated when a
mplsDynTunnelOperStatus object for one of the
value of mplsDynTunnelOperStatus.
mplsDynTunnelUp This notification is generated when a
mplsDynTunnelOperStatus object for one of the
included value of mplsDynTunnelOperStatus.
mplsManTunnelDown This notification is generated when a
mplsManTunnelOperStatus object for one of the
value of plsManTunnelOperStatus.
mplsManTunnelReoptimized This notification is generated when a tunnel is
reoptimized. If the mplsTunnelARHopTable is used,
then this tunnel instance's entry in the
mplsTunnelARHopTable MAY contain the new path
for this tunnel some time after this notification is
issued by the agent.

mplsManTunnelUp This notification is generated when a

plsManTunnelOperStatus object for one of the
included value of mplsManTunnelOperStatus.
mstNewRoot This notification indicates that a new root is elected
by the Multiple Spanning Tree algorithm.
mstTopologyChange This notification indicates that the topology change is

detected by the Multiple Spanning Tree algorithm.
prvtSysMonOnBoardPowerSupplyTest Change in onBoardPowerSupplyTest results

portSecurityViolation This notification indicates that a security violation is
done on a port defined as a secure port.
prvtSysMonPortStatisticsTest This notification indicates that port statistics test has
changed.
prvtSysMonPowerSupplyFansTest Change in powerSupplyFansTest results
prvtSysMonPowerSupplyTest This notification indicates that the sending agent
senses that one of the power supplies changed its
status.
prvtCfm1wJitterThreshold This notification is sent when CFM one way jitter
threshold crossed.
prvtCfmAisLckCleared The notification is sent each time AIS/LCK condition
is cleared.
prvtCfmAisLckRecieved A MEP may generate a AIS/LCK notification each
time its AIS/LCK condition is activated.
prvtCfmFaultAlarm A MEP has a persistent defect condition. A

notification (fault alarm) is sent to the management
entity with the OID of the MEP that has detected the
fault.
prvtCfmFaultAlarmCleared A MEP has a persistent defect condition has cleared.
A notification is sent to the management entity with
the OID of the MEP that has cleared the fault.
prvtCfmFrameLossThreshold This notification is sent when CFM frame loss
threshold crossed.
prvtCfmJitterThreshold This notification is sent when CFM two way jitter
threshold crossed.
prvtCfmLatencyThreshold This notification is sent when CFM latency threshold
crossed.
prvtCfmUnexpectedPriority The Unexpected Priority defect is calculated at the
ETH layer. It detects the configuration of different
Priorities for CCM at different MEPs belonging to the
same MEG. Refer to G.8021/Y.1341.

prvtConfigChangeAlarm This notification is generated when the value of

configurable attribute is changed. Use the notification
to trigger maintenance polling of the running
configuration on the device. One of the variables
points either to entry of the modified table or the OID
of the modified scalar object.
prvtEfmOamDyingGasp Generates a dying-gasp alarm.
This notification indicates for a failure due to loss of
local power - Dying Gasp. In order for dying-gasp
notification to be functional, also configure warmStart
and coldStart notifications.
Dying-gasp is sent only to one server (last one used).
prvtEfmOamLoopBackState This notification is changed when DOT3-OAM
Loopback state has changed.
prvtEfmOamNonThresholdEvent This notification is sent when a local or remote

threshold crossing event is detected. A local
threshold crossing event is detected by the local
entity, while a remote threshold crossing event is
detected by the reception of an Ethernet OAM Event
Notification OAMPDU that indicates a threshold
event. This notification should not be sent more than
once per second. The OAM entity can be derived
from extracting the ifIndex from the variable bindings.
The objects in the notification correspond to the
values in a row instance in the
dot3OamEventLogTable. The management entity
should periodically check dot3OamEventLogTable to
detect any missed events.
prvtEfmOamThresholdEvent This notification is sent when a local or remote non-
threshold crossing event is detected. This notification
should not be sent more than once per second.
prvtRapsDefectAlarm This notification is sent when ring APS service
operational status changed or a protocol defect
occurred.
prvtRapsInstSubRingDefectAlarm This notification will be sent by any subring instance
when it notices a defect.
So far only the situation when two or more RPL-
owners are defined in the ring is identified as a
defect. This scenario is noticed when the instance
with the RPL-Owner role receives a RAPS packet
with the RB bit set in its status field from a different
NodeID than its own.
The management entity receiving the notification
can identify the system from the network source
address of the notification, and can identify the
instance reporting the change by the indices in the
OID of the prvtRapsInstSubRingOperStatus variable
in the notification.

prvtRapsInstSubRingSwitchoverAlarm This notification will be sent by any subring instance

when it changes state.
The management entity receiving the notification
can identify the system from the network source
address of the notification, and can identify the
instance reporting the change by the indices in the
OID of the prvtRapsInstSubRingRapsState variable
in the notification.
prvtRapsSwitchoverAlarm This notification is sent when ring APS service active
link changed.
prvtResilientLinkStatusChange This notification indicates that the resilient link status

changed, identified by the resilientLinkIndex.
prvtSaaRFC2544ProbeFailed This notification is sent for each failed SAA probe

ping packet.
prvtSaaRFC2544ProbeSuccess This notification is sent for each successfully
completed SAA probe ping.
prvtSaaTestRfc2544Finished This notification is sent for each completed SAA test.
prvtSaaY1731DelayFarEndThreshold The SAA Y1731 Far End delay threshold crossed the
preconfigured threshold in any direction, raising or
falling.
prvtSaaY1731DelayNearEndThreshold The SAA Y1731 Near End delay threshold crossed
the preconfigured threshold in any direction, raising
or falling.
prvtSaaY1731FrLossFEThreshold The SAA Y1731 Far End frame-loss threshold
crossed the preconfigured threshold in any direction,
raising or falling.
prvtSaaY1731FrLossNearEndThreshold The SAA Y1731 Near End frame-loss threshold
crossed the preconfigured threshold in any direction,
raising or falling.
prvtSaaY1731JitterFarEndThreshold The SAA Y1731 Far End jitter threshold crossed the
preconfigured threshold in any direction, raising or
falling.
prvtSaaY1731JitterNearEndThreshold The SAA Y1731 Near End jitter threshold crossed
the preconfigured threshold in any direction, raising
or falling.
prvtSysMonRamUsage This notification indicates that the sending Agent
sensed that the internal amount of free RAMs is
lower than a program threshold.
sapCreated This notification is sent when a new row is created in
the sapTable.
sapDeleted This notification is sent when an existing row is

deleted from the sapTable.
sdpCreated This notification is sent when a new row is created in

the sdpTable.
sdpDeleted This notification is sent when an existing row is

deleted from the sdpTable.

serviceCreated This notification is sent when a new row is created in

the serviceTable.
serviceDeleted This notification is sent when an existing row is

deleted from the serviceTable.
sfpPlugged This notification is sent when SFP is inserted.
sfpUnPlugged This notification is sent when SFP is extracted.
stNewRoot This notification indicates that a new root is elected

by the Spanning Tree algorithm.
stTopologyChange This notification indicates that the topology change is

detected by the Spanning Tree algorithm.
syncEthernetDPLLChanged Some of the DPLL's operational status changes.
syncEthernetDPLLLockFailed If after new Reference selection the DPLL can't lock

onto it, this will affect the Clock Source associated
with that reference
syncEthernetDPLLReferenceChange DPLL's reference clock changed.
syncEthernetInvalidESMC Invalid ESMC has been received.
syncEthernetInvalidQualityLevelReceived Invalid Quality level equals to QL-INVx has been

received.
syncEthernetQualityLevelChange Current value of syncEthernetClockSourceQuality
has been changed.
prvtSwAclIfAcgApplyFailed This notification indicates that access group is not

properly applied in hardware.
This means that traffic will not be filtered as
expected. User should either remove this access
group or rearrange other access groups.
prvtSwAclIfAcgRLimitApplyFailed This notification indicates that access group is not
prvtSwAclIfAcgRedirectApplyFailed This notification indicates that access group is not

prvtSwAclIfAcgFcApplyFailed This notification indicates that access group is not

prvtSwAclIfAcgMonPrfApplyFailed This notification indicates that access group is not
prvtSwAclSapAcgApplyFailed This notification indicates that access group is not
prvtSwAclSapAcgRLimitApplyFailed This notification indicates that access group is not
prvtSwAclSapAcgRedirectApplyFailed This notification indicates that access group is not
prvtSwAclSapAcgFcApplyFailed This notification indicates that access group is not
prvtSwAclSapAcgMonPrfApplyFailed This notification indicates that access group is not
prvtPwTDMStatusChange This notification notifies the NMS about a change in
the current status of the CES module.
prvtClockFailed This notification indicates that the clock loses all its
input references.
prvtClockLocked This notification indicates that the clock enters
'Normal' mode.
prvtDsx1LineStatusChange This notification is generated when the value of an
instance dsx1LineStatus changes.
coldStart This notification is generated on device restart
caused by unplugging the power cable or using the
power switch.

warmStart This notification is generated on device restart

caused by specific a CLI command.
prvtDuplicatedMACAddressAlarm This notification is generated when a duplicated MAC

is received.
unauthenticatedAccessViaCLI This notification is generated when the last attempt to
login to the device via CLI cannot be authenticated.

SNMP Configuration Example

Creating Users
In this example, an SNMP user is added to the device. The user is named tester and is attached to
a group named public. The SNMPv3 community is parsed by the SNMP Agent as the user name.
1. Enable SNMP:
device-name(config-system)#snmp
2. Create a view that includes the entire MIB tree from root:
device-name(config-snmp)#view internet 1.3 included
3. Create a user named tester that uses SNMPv3 and attach it to a group named public without
authentication and privacy:
device-name(config-snmp)#group public noAuthNoPriv read internet write
internet notify internet
device-name(config-snmp)#user tester public v3
4. Enable SNMP server:

device-name(config-snmp)#no shutdown
5. Commit the configuration:

device-name(config-snmp)#commit
Commit complete.
device-name(config-snmp)#end

6. Display the SNMP configuration:

device-name#show snmp
SNMP engine configuration
===========================================================================
====
Local snmpEngineID : 800002E203005043B5AA9B
snmpEngineBoots : 30
snmpEngineTime : 17
snmpEngineMaxMessageSize : 9216
===========================================================================
====
SNMP Views
===========================================================================
====
MIB View name : internet
MIB Subtree : 1.3
MIB Subtree Mask :
MIB Subtree View type : included
===========================================================================
====
Number of entries: 1
SNMP Groups table

===========================================================================
====
SNMP group name : public
Security-model : noAuthNoPriv
Read-only MIB view : internet
Read-write MIB view : internet
Accessible-for-notify MIB view : internet
===========================================================================
====
SNMP user access configuration

===========================================================================
====
SNMP user name : tester
SNMP version : SNMPv3
Authentication type : None
Authentication password string : N/A
Encryption password : N/A
Remote Engine ID :
===========================================================================
====
SNMP Notification targets

===========================================================================
====

7. Display the configured SNMP groups:

device-name#show snmp group
SNMP Groups table
===========================================================================
====
Security-model : noAuthNoPriv
Read-only MIB view : internet
Read-write MIB view : internet
Accessible-for-notify MIB view : internet
===========================================================================
====
SNMP Notification for Users

In this example, a user named private with IP address 20.0.0.5 is attached to a group named
private_grp. This user receives SNMPv1 notifications linkUp and linkDown.
1. Enable SNMP:
device-name(config-system))#snmp
2. Create a view that includes the entire MIB tree from root:
device-name(config-snmp)#view internet 1.3 included
3. Create a group named public that supports notifications:

device-name(config-snmp)#group public noAuthNoPriv read internet write
internet notify internet
4. Create a user named tester that uses SNMPv3, and attach it to the already created group named
public:
device-name(config-snmp)#user tester public v3
5. Create the target address my_pc with IP address 20.0.0.5:

device-name(config-snmp)#target-address my_pc
device-name(config-target-address-my_pc)#address 20.0.0.5
device-name(config-target-address-my_pc)#message-model v3
device-name(config-target-address-my_pc)#security-name tester
device-name(config-target-address-my_pc)#security-level noAuthNoPriv
device-name(config-target-address-my_pc)#type trap
device-name(config-target-address-my_pc)#exit
6. Enable SNMP server:


device-name(config-snmp)#commit
Commit complete.

device-name(config-snmp)#end
8. Display the SNMP server:

device-name#show running-config system snmp
system
snmp
engine-id 80:00:02:e2:03:00:a0:12:64:05:60
no shutdown
authentication-failure-trap
view internet 1.3
group public noAuthNoPriv read internet write internet notify internet
user tester public v3
target-address my_pc
address 20.0.0.5
message-model v3
security-name tester
type trap


Feature Standards MIBs RFCs
Simple Network STD0015, Simple Public MIBs: RFC 1157, SNMPv1

Management Network SNMPV1-MIB The Simple Network
Protocol (SNMP) Management Management Protocol: A
MIB-II (RFC1213-
Protocol full Internet Standard
MIB)
STD0016, Structure RFC 1213, Management
SNMP-COMMUNITY-
of Management Information Base for
MIB (RFC2576)
Information Network Management of
SNMPv2-MIB TCP/IP-based internets:
STD0017,
Management SNMP-VIEW- MIB-II
Information Base BASED-ACM-MIB RFC 2579, Textual
STD0058, Structure SNMP-USER- Conventions for SMIv2
of Management BASED-SM-MIB RFC 2580, Conformance
Information Version 2 Statements for SMIv2
(SMIv2) RFC 3410, Introduction
STD0062, Simple and Applicability
Network Statements for Internet
Management Standard Management
Protocol Version 3 Framework
(SNMPv3) RFC 3411, An
Architecture for
Describing Simple
Network Management
Protocol (SNMP)
Management
Frameworks
RFC 3412, Message
Processing and
Dispatching for the
Simple Network
Management Protocol
(SNMP)
RFC 3413, Simple
Network Management
Protocol (SNMP)
Applications
RFC 3414, User-based
Security Model (USM) for
version 3 of the Simple
Network Management
Protocol (SNMPv3)
RFC 3415, View-based
Access Control Model
(VACM) for the Simple
Network Management
Protocol (SNMP)
RFC 3416, Version 2 of
the Protocol Operations
for the Simple Network
Management Protocol
(SNMP)


RFC 3417, Transport
Mappings for the Simple
Network Management
Protocol (SNMP)
RFC 3418, Management
Information Base (MIB)
for the Simple Network
Management Protocol
(SNMP)
RFC 1901, Introduction to
Community-based
SNMPv2.
RFC1902, Structure of
Management Information
for Version 2 of the
Simple Network
Management Protocol
(SNMPv2).
RFC1905, Protocol
Operations for Version 2
of the Simple Network
Management Protocol
(SNMPv2).
RFC3584, Coexistence
between Version 1,
Version 2, and Version 3
of the Internet-standard
Network Management
Framework

Device Authentication
Table of Contents
Table of Figures 2
List of Tables 2
Features Included in This Chapter 3
Managing User Privilege Profiles 4

Default User Name and Password 4
User Privilege-Profile Configuration 5
Users and Privilege Profiles Commands 5
Remote Authentication Dial in User Service (RADIUS) 11

The RADIUS Negotiation Procedure 11
Defining User Privileges on the RADIUS Server 12
RADIUS Configuration Flow 14
RADIUS Commands 14
Terminal Access Controller Access-Control System Plus (TACACS+) 19

TACACS+ Negotiation 19
Defining User Privileges on LINUX TACACS+ Server Version 4.0.4.19 20
TACACS+ Configuration Flow 21
TACACS+ Commands 21
Comparing TACACS+ and RADIUS 26
Telnet 27
Telnet Commands 27
Secure Shell (SSH) 29

SSH Commands29
Prioritizing ARP Packets 32

ARP Prioritization Commands 32
Device Authentication (Rev. 01) Page 1

Table of Figures
Figure 1: User Privilege Profiles Configuration Flow ....................................................................... 5
Figure 2: A RADIUS Communication Example ............................................................................. 11
Figure 3: RADIUS Configuration Flow ............................................................................................ 14
Figure 4: TACACS+ Configuration Flow ........................................................................................ 21
List of Tables
Table 1: Privilege Profile Types ............................................................................................................ 4
Table 2: Default Device Username and Password ............................................................................ 4
Table 3: User and Privilege Profile Commands ................................................................................. 6
Table 4: RADIUS Commands ............................................................................................................ 15
Table 5: TACACS+ Server Responses .............................................................................................. 19
Table 6: TACACS+ Commands ........................................................................................................ 22
Table 7: A comparison between TACACS+ and RADIUS ........................................................... 26
Table 8: Telnet Commands ................................................................................................................. 27
Table 9: SSH Commands .................................................................................................................... 29
Table 10: ARP Prioritization Commands ......................................................................................... 32
Page 2 Device Authentication (Rev. 01)

Features Included in This Chapter

This chapter provides information on security features incorporated into the T-Marc 3312SC/T-
Marc 3312SCH software as protection from unauthorized access.
This chapter includes the following features:
Managing User Privilege Profiles
Profile-based access to the management functions of the device through an authorized
user list defined either locally or by remote database lookup.
Remote Authentication Dial in User Service (RADIUS)
Authentication, authorization, and accounting protocol used to authenticate users
requesting access to the device.
Terminal Access Controller Access-Control System Plus (TACACS+)
Security protocol, used for remote authentication, authorization, and accounting, through
communication between the device and an authentication database.
Telnet
Telnet, part of the TCP/IP protocol suite, is a virtual terminal protocol that allows you to
make connections to remote devices.
Secure Shell (SSH)
Secure Shell (SSH) is a UNIX-based command interface and protocol for securely getting
access to a remote device.

Managing User Privilege Profiles

Management access to the Command Line Interface (CLI) requires a user name and password
associated with one of five, predefined privilege profiles designed to protect the CLI from
unauthorized access. Each profile determines the profile of access available to the user.
Table 1: Privilege Profile Types
Profile Type Description
Administrators Full read/write privileges (without restriction).

Network-Admins Read/write privileges without access to security (usernames and
passwords), debug commands, and other administrative settings
(such as software upgrade and device reload).
Technicians Read/write privileges.
Users Read-only privileges. Users with this privilege have access to all
show commands and general commands such as exit, quit,
ping, and traceroute commands.
Guests Read-only privileges in Root mode.
During logon, the device checks the user name and password either against a table that is stored
locally or in a remote database:
Locally: Authentication occurs through a database of user names and passwords located on
the local file system. If a remote database exists but the device is unable to make contact after
repeated attempts, the local database is queried instead. If there is no response or the local
database does not exist, the user is not permitted access.
RADIUS/TACACS+: Authentication occurs through contact with a remote database lookup
that can be used for other authentication tasks. Information contained in the remote database
is not shared with the local database.
Default User Name and Password

Initial access to the device requires the default user name and password supplied as part of the
installation process:
Table 2: Default Device Username and Password
Username Password
admin admin

User Privilege-Profile Configuration
Figure 1: User Privilege Profiles Configuration Flow
Users and Privilege Profiles Commands

The following section describes the command hierarchy for Users and Privilege Profile
Configuration and provides a list of available commands as well as a configuration example.
Command Hierarchy
device-name#
+ config terminal
+ system
+ security
- [no] authentication-failure-trap
+ [no] password preferred-authentication {local | radius
| tacacs}
+ [no] privilege-profile PRIVILEGE-PROFILE-NAME
+ [no] netconf-access-rule <number>
- action {permit | permit_log | deny}
- match COMMAND-STRING
- namespace NAME
- operation {r | rw | rwx | rx | w | wx | x}
+ [no] command-access-rule <number>

- action {permit | permit_log | deny}

- match COMMAND-STRING
- agent cli]
- operation {r | x | rx}
+ [no] user USER-NAME
- member PRIVILEGE-PROFILE-NAME
- password PASSWORD
Configuration Commands
Table 3: User and Privilege Profile Commands
Command Description

security Enters Security Configuration mode
authentication-failure-trap Enables authentication CLI notification on the
device. This notification is generated when the
last attempt to login to the device via CLI
cannot be authenticated.
Disabled
no authentication-failure-trap Disables authentication CLI notification
password preferred-authentication Specifies the device login-authentication
{local | radius | tacacs} method:
local: local authentication
method
radius: RADIUS authentication
method
tacacs: TACACS+ authentication
method
Local authentication method
no password preferred- Restores to default
authentication
privilege-profile PRIVILEGE- Specifies a new privilege profile and enters

PROFILE-NAME Profile Configuration mode:
PRIVILEGE-PROFILE-NAME: a string
of <1-256> characters. You can
use predefined privilege profiles
(see Table 1)
no privilege-profile PRIVILEGE- Removes the defined privilege profile
PROFILE-NAME
netconf-access-rule <number> Specifies a NETCONF access rule:

number: in the range of <1-50>
NOTE
Before executing the netconf-
access-rule command, you
must commit all changes.

Command Description
no netconf-access-rule Removes the NETCONF access rule:

<number>
action {permit | permit_log Specifies the access rule type:
| deny}
permit: permits the rule
permit_log: permits log messages
for all permitted rules
deny: denies the rule
match COMMAND-STRING Specifies a command matching the specified
access rule:
COMMAND-STRING: a string of
characters
namespace NAME Specifies the namespace name for the selected
rule:
NAME: a string of <1-256>
characters
operation {r | rw | rwx | rx Specifies the operation type:
| w | wx | x}
r: read
rw: read-write
rwx: read-write-execute
rx: read-execute
w: write
wx: write-execute
x: execute
command-access-rule <number> Specifies a command access rule:
NOTE
Before executing the command-
access-rule command, you
must commit all changes.
no command-access-rule Removes the command access rule
<number>
action {permit | permit-log Specifies the access rule type:

| deny}
permit: permits the rule
permit-log: permits log messages
for all permitted rules
deny: denies the rule
match COMMAND-STRING Specifies a command matching the selected
access rule:
COMMAND-STRING: a command string
agent cli Specifies the management agent for the
selected rule

Command Description
operation {r | x | rx} Specifies the operation type permitted/denied

by the specified rule:
r: read
x: execute
rx: read-execute
user USER-NAME Creates a new username in the local database
and enters User Configuration mode:
USER-NAME: a case-sensitive
string of <1-100> characters
(blank spaces and question marks
(?) are not allowed)
no user USER-NAME Removes the defined username
member PRIVILEGE-PROFILE- Assigns a user to a profile:

NAME
PRIVILEGE-PROFILE-NAME: a string
of <1-256> characters. You can
use predefined privilege profiles
(see Table 1)
password PASSWORD Specifies a password for the user:
PASSWORD: case-sensitive string
of <1-64> characters (blank
spaces are not allowed)
When common punctuation marks (?, !, .)
and/or general typography symbols (#, $, &,
@) are used, the whole password string
must be surrounded by quotation marks.
1. Define a privilege profile telco which denies access to the device via CLI:
Device-name#config
Device-name(config)#system
Device-name(config-system)#security
Device-name(config-security)#privilege-profile telco
Device-name(config-privilege-profile-telco)#command-access-rule 2
Device-name(config-command-access-rule-2)#action deny
Device-name(config-command-access-rule-2)#agent cli
Device-name(config-command-access-rule-2)#match "file ls"
Device-name(config-command-access-rule-2)#operation rx
Device-name(config-command-access-rule-2)#exit
Device-name(config-command-access-rule-3)#match "config terminal"
Device-name(config-command-access-rule-3)#operation r

Device-name(config-command-access-rule-4)#match "config no-confirm"
Device-name(config-command-access-rule-4)#operation x
Device-name(config-command-access-rule-5)#match "show port"
Device-name(config-command-access-rule-5)#operation rx
Device-name(config-command-access-rule-5)#commit
Device-name(config-privilege-profile-telco)#exit
2. Create an user telco and assign it to a profile:
Device-name(config-security)#user telco
Device-name(config-user-telco)#member telco
Device-name(config-user-telco)#password telco
Device-name(config-user-telco)#commit
login as: telco

telco@10.3.171.101's password:
T-Marc 3312SC
telco connected from 10.3.71.96 using ssh on T-Marc 3312SC
3. Display the port status after applying the access rule:

Device-name#show port
Aborted: permission denied
4. Display the authentication details in the device running configuration:

Device-name#show running-config system security
system
security
password preferred-authentication local
privilege-profile admin
!
privilege-profile guests
!
privilege-profile net-admins
!
privilege-profile technicians
!
privilege-profile telco
command-access-rule 2
action deny
agent cli
match "file ls"
operation rx
!

action deny
agent cli
match "config terminal"
operation r
!
action deny
agent cli
match "config no-confirm"
operation x
!
action deny
agent cli
match "show port"
operation rx
!
!
privilege-profile users
!
user telco
password $1$zrynUo$D7sdDdi0ps/BdQnrksXvH0
member telco
!
!

Remote Authentication Dial in User Service

(RADIUS)
RADIUS is a client-server protocol used during user authentication.
The RADIUS client (typically a Network Access Server [ NAS]) exchanges UDPs with the
RADIUS server (usually a UNIX or Windows NT daemon process) to authenticate user-
connection requests.
NAS sends user-connection requests to designated RADIUS servers. The RADIUS server returns
the configuration information needed by NAS to provide the user with requested access. The RSA
MD5 algorithm encrypts user passwords prior to exchange between the NAS and RADIUS server.
The NAS and the RADIUS server authenticate transactions using a shared secret key that is not
sent over the network.
The RADIUS Negotiation Procedure

The following figure demonstrates a typical RADIUS negotiation procedure. In this example:
The user sends a Telnet request to connect to a T-Marc 3312SC device (NAS).
The device sends an Access Request packet, which contains the user name, encrypted password,
NAS IP address, and port to the RADIUS server. The request packet also provides
information about the type of session the user wants to initiate.
Figure 2: A RADIUS Communication Example

The RADIUS server first validates NAS (based on the shared secret-key) then validates the
user request against a local database by matching the password (and in some cases, other
parameters such as the port number). The RADIUS server then:
sends an acceptance message if the user information is validated. The acceptance message
includes a list of attributes that should be used in the session. An important parameter is
the privilege profile of the authenticated user.
sends a rejection message if the user is not found in the database or the information does
not match. The message may or may not include the reason for the rejection.
Based on this response, NAS accepts or rejects the request.
Defining User Privileges on the RADIUS Server

The following procedure describes how to ensure correct user privileges on the RADIUS server.
The example refers only to FreeRADIUS LINUX server authentication. The important point of
Radius server, is to have the following files correctly configure: dictionary, user, and clients.config
file. For every file of FreeRADIUS, in the configuration directory (/etc/raddb, /etc/freeradius or
similar) there is a commented examples included.
1. Complete the RADIUS configuration (as described in the FreeRADIUS README file) on
the RADIUS server.
2. Copy an additional dictionary.batm file (with the information shown below) to the folder
containing Radius server dictionary files. The BATM dictionary file must be also added at the
same location. In most cases it is under /usr/share/freeradius or
/usr/local/share/freeradius:
-------------------------------------------------
dictionary.batm
-------------------------------------------------
$INCLUDE /usr/share/freeradius/dictionary
VENDOR BATM 738
ATTRIBUTE BATM-privilege-group 1 integer BATM

ATTRIBUTE BATM-privilege-profile 2 string BATM
VALUE BATM-privilege-group Administrators 0

VALUE BATM-privilege-group Network-admins 4
VALUE BATM-privilege-group Technicians 8
VALUE BATM-privilege-group Users 12
VALUE BATM-privilege-group Guests 15
3. Assign a privilege profile to all other users in the users configuration file, as shown in the
following example. Every user have to be defined in this file.
admin Cleartext-Password := "admin"
Reply-Message = "Hello, admin",
Idle-Timeout = 30,
Session-Timeout = 60,
BATM-privilege-profile = admin,
BATM-privilege-group = Administrators
net Cleartext-Password := "net"

Reply-Message = "Hello, net-admin",

Idle-Timeout = 30,
BATM-privilege-profile = net-admins,
BATM-privilege-group = Network-admins
tech Cleartext-Password := "tech"

Reply-Message = "Hello, tech",
Idle-Timeout = 30,
BATM-privilege-profile = technicians,
BATM-privilege-group = Technicians
user Cleartext-Password := "user"

Reply-Message = "Hello, user",
Idle-Timeout = 30,
BATM-privilege-profile = users,
BATM-privilege-group = Users
guest Cleartext-Password := "guest"

Reply-Message = "Hello, guest",
Idle-Timeout = 30,
BATM-privilege-profile = guests,
BATM-privilege-group = Guests
tester Cleartext-Password := "tester"

Reply-Message = "Hello, tester",
Idle-Timeout = 30,
BATM-privilege-group = Administrators
4. Add the subnetwork address from which NAS is connected to the clients.conf file. By default,
only the localhost is defined, you need to add your access points:
client localhost {
ipaddr = 127.0.0.1
secret = testing123}
client 10.3.0.0/16 {
secret = secretkey}

RADIUS Configuration Flow
Figure 3: RADIUS Configuration Flow
RADIUS Commands
This section describes the command hierarchy for RADIUS configuration and provides a list of
available commands as well as a configuration example.
Command Hierarchy
device-name#
+ config terminal
+ system
+ security
- [no] radius-server
- [no] host A.B.C.D
- [no] port <number>
- [no] deadtime <minutes>
- [no] key KEY
- [no] key-storage-type {local | file}
- [no] retransmit <count>
- [no] timeout <seconds>
- show radius-statistics
- clear-radius-statistics statistics

Table 4: RADIUS Commands
Command Description

radius-server Enters RADIUS Server Configuration mode
no radius-server Removes the RADIUS Server configuration
host A.B.C.D
Selects up to 15 RADIUS severs:

A.B.C.D: the RADIUS server's IP
address
The device connects to the RADIUS servers using
the order you define.
NOTE
When the RADIUS server is
unavailable (either shut down or
disconnected), the device retransmits
the request three times. On
retransmission timeout for the third
try, the device attempts
authentication using the local
database.
No RADIUS servers are configured
no host Remove the IP address for the configured RADIUS
server
port <number> Specifies the UDP-authentication port number:
number: in the range of <1024
65535>
1812
deadtime <minutes> Specifies length of time, expressed in minutes, that

the device will wait for an authentication response
before declaring the RADIUS server unavailable
and moving to the next RADIUS server:
minutes: in the range of <01440>
minutes
3 minutes
no deadtime Restores to default
key KEY
Specifies a key used to encrypt/decrypt traffic

between the device and the RADIUS server:
KEY: a string of <1-255> characters
no key Removes the configured key

Command Description
key-storage-type {local | Specifies the type of encryption key storage:

file}
local: the encrypted key, as
entered, is stored in the running
configuration
file: the encryption key is stored
in a separate file in the Flash
memory. Only the name of the file
containing the key is displayed in
the running configuration
Local
no key-storage-type Restores to default
retransmit <count> Specifies the number of attempts the device will

make to transmit an authentication request to the
RADIUS server, before declaring the RADIUS
server unavailable:
count: in the range of <130>
3 retries
no retransmit Restores to default
timeout <seconds> Specifies the length of time, expressed in seconds,

that the device will wait for a reply from the
RADIUS server before transmitting the request
again:
seconds: in the range of <160>
seconds
3 seconds
source-address A.B.C.D Specifies the source address of RADIUS packets:

decimal format
The device uses the source IP of the server
network. The typical use of the sources IP is
the loopback address.

RADIUS server:
show radius-statistics Displays the RADIUS statistics for accounting and

authentication packets
clear-radius-statistics statistics Clears the RADIUS statistics
1. Select the RADIUS server and define the shared secret key:

device-name(config-system)#security
device-name(config-security)#radius-server host 10.2.42.137
device-name(config-host-10.2.42.137)#exit
device-name(config-security)#radius-server key batm
2. Create local user localuser and password mypass:

device-name(config-security)#user localuser password mypass member users
device-name(config-user-localuser)#exit
3. Configure the RADIUS timers:

device-name(config-security)#radius-server retransmit 3
device-name(config-security)#radius-server timeout 10
device-name(config-security)#radius-server deadtime 3
4. Define the device login-authentication method:

device-name(config-security)#password preferred-authentication radius
device-name(config-security)#commit
device-name(config-security)#end
5. Display the RADIUS configuration:

device-name#show running-config system security
system
security
password preferred-authentication radius
radius-server
host 10.2.42.137
!
key $2$3c544ef45f0bc43f
timeout 10
!
!
!
!
!
!
!
!
6. Display the RADIUS statistics:

device-name#show radius-statistics
===========================================================================
===
Statistic | Counter
===========================================================================
===
request-send | 6

access-accept | 2
access-reject | 1
invalid-responces | 0
packets-droped | 0
responces-from-unknown-address | 0
===========================================================================
===
Configuration Results
When accessing the device using the username localuser, the RADIUS server sends a
REJECT reply:
Username: localuser
Password:
Username:
When accessing the device using the username admin and the password adminpass, the
RADIUS server sends an ACCEPT reply, authenticating the user:
Username:admin
Password:adminpass
device-name#
When the RADIUS server is unreachable/down, local authentication is used.

Terminal Access Controller Access-Control System

Plus (TACACS+)
TACACS+ is a security protocol used in communication between network devices and an
authentication database for the purpose of remote authentication, authorization, and accounting.
The protocol provides the following AAA services:
Authentication: determining who a user (or entity) is
Authorization: determining what a user is allowed to do
Accounting: tracking network activity for each user.
TACACS+ is based upon communication between a Network Access Server (NAS) and the
TACACS+ authentication server. TCP communication, used by TACACS+, is considered a more
reliable protocol than UDP (the protocol used by RADIUS).
TACACS+ Negotiation
When a user attempts to connect to the device, the following actions occur:
7. NAS mediates between the user and the TACACS+ server. NAS prompts for a username.
8. When the user types a username at the prompt, NAS prompts for a password.
9. When the user types a password, NAS sends the username and password to the TACACS+
server.
The TACACS+ server may request additional identifying information, other than the user
name and password, for user authentication.
10. When the user enters the required information, the TACACS+ server returns one of the
following responses:
Table 5: TACACS+ Server Responses
Response Description
ACCEPT User authentication succeeds. Based on configuration, NAS might need

to start the authorization phase.
REJECT User authentication does not succeed. The user either is prompted to
retry login or is denied access to the network.
ERROR An error occurred during authentication (such as a network connection
issue). In this case, NAS typically attempts authentication by an alternate
method.
CONTINUE The TACACS+ server prompts the user for further authentication
information.
authorization The message contains a fixed set of fields that describe the authenticity
REQUEST of the user or process, and a variable set of arguments that describes
the services and options for which authorization is requested.
authorization The message contains a variable set of response arguments (attribute-
RESPONSE value pairs) which can restrict or modify the clients actions.

accounting TACACS+ accounting is very similar to authorization. There is a fixed

REQUEST portion and an extensible portion. The extensible portion uses all the
same attribute-value pairs that authorization uses, and adds several
more.
accounting The response to an accounting message is used to indicate that the
REPLY accounting function on the daemon has completed and securely
committed the record.
Defining User Privileges on LINUX TACACS+ Server

Version 4.0.4.19
TACACS+ usernames and privileges are defined in the TACACS+ configuration file. The
following example displays the contents of a TACACS+ server configuration file.
# Created by Henry-Nicolas Tourneur
# See man(5) tac_plus.conf for more details
-------------------------------------------------
tac_plus.conf
-------------------------------------------------
# Define where to log accounting data
accounting file = /var/log/tac_plus.acct
# This is the key that clients have to use to access Tacacs+
key = testkey
# We specify rules valid per group of users.

group = testgroup {
cmd = operational {
deny who
deny ping
deny "show running-config mac access-list"
deny "exit"
permit .*
}
cmd = configure {
deny "show full-configuration"
deny "router interface outBand0"
deny "no router interface .*"
deny "router vrrp"
permit router
deny "system telnet"
permit ethernet
deny "port 1/1/3"
permit port
permit mac
permit ip
permit "system host"
permit commit
deny "exit"

deny "vlan 20 tagged .*"

permit .*
}
cmd = vlan {
permit .*
deny tagged.*
}
}
# This user belong to group and have the groups rules

user = testuser {
login = cleartext "tester"
member = testgroup
}
# We can specify rules valid per user.

user = admin {
default service = permit
login = cleartext "adminpass"}
TACACS+ Configuration Flow
Figure 4: TACACS+ Configuration Flow
TACACS+ Commands
Commands Hierarchy
device-name#
+ config terminal
+ system

+ security
- [no] accounting commands tacacs
- [no] authorization commands tacacs
- [no] tacplus
- [no] host A.B.C.D
- [no] description DESCRIPTION
- [no] key KEY
- [no] timeout <seconds>
Table 6: TACACS+ Commands
Command Description

accounting commands tacacs Specifies that each command/s of a specified
privilege profile, executed on a network access
server, is recorded and sent to the TACACS+
accounting server/s.
The accounting facility can be used to track user
activity for a security audit or to provide
information for user billing.
Disabled
no accounting commands Disables support for command accounting
authorization commands tacacs Configures the network access server to request
authorization information from the TACACS+
authorization server before allowing a user to
execute any command.
TACACS+ authorization defines specific rights
for users by associating attribute-value pairs,
which are stored in a database on the TACACS+
server, with the appropriate user.
Disabled
no authorization commands Disables support for command authorization
tacplus Enters TACACS+ Server Configuration mode
no tacplus Removes the TACACS+ Server configuration

Command Description
host A.B.C.D
Selects TACACS+ server(s), up to 10 TACACS+

servers.
The device connects the TACACS+ servers in a
predefined order:
A.B.C.D: the TACACS+ server's IP
address
No TACACS+ servers are configured
NOTE
If the TACACS+ server is
unavailable (shut down or
disconnected), the device
retransmits the request three
times. On retransmission timeout
for the third try, the device
attempts authentication using the
local database.
no host Removes the configured IP address for the
TACACS+ server
description DESCRIPTION Describes the TACACS+ server:
DESCRIPTION: a string of
<1255> characters
no description Removes the TACACS+ server description
key KEY
Specifies an encryption key used to

encrypt/decrypt traffic between the device and
the TACACS+ server:
KEY: a string of <1-255>
characters
no key Removes the configured key
timeout <seconds> Specifies the length of time, expressed in

seconds, that the device will wait for an
authentication response from the TACACS+
server before declaring the server unavailable:
seconds: in the range of <160>
seconds
3 seconds
source-address A.B.C.D Specifies the source address of TACACS+

packets:
decimal format
The device uses the source IP of the
server network. The typical use of the
sources IP is the loopback address.

Command Description

TACACS+ server:
Device Configuration:
1. Select the TACACS+ server and define the shared encryption key:
device-name(config-system)#security
device-name(config-security)#tacplus
device-name(config-tacplus)#host 10.2.42.137
device-name (config-host-10.2.42.137)#description test
device-name (config-host-10.2.42.137)#exit
device-name(config-tacplus)#key testkey
2. Define the device login-authentication method:

device-name(config-security)#password preferred-authentication tacacs
device-name(config-security)#end
3. Configure authorization and accounting:

device-name(config-security)#authorization commands tacacs
device-name(config-security)#accounting commands tacacs
4. Display the TACACS+ configuration:

device-name#show running-config system security
system
security
password preferred-authentication tacacs
tacplus
host 10.2.42.137
description test
!
key $2$846b519358b80098
!
!
!
!
!

!
accounting commands tacacs
authorization commands tacacs
protection-profile default
!
Configuration Results
When accessing the device using username richy, the TACACS+ server sends a REJECT
reply:
Username:richy
Password:
Username:
When accessing the device using username admin and password adminpass, the TACACS+
server sends an ACCEPT reply, authenticating the user:
Username:admin
Password:adminpass
device-name#
When accessing the device using username testuser and password tester, the TACACS+
server sends a ACCEPT reply, authenticating the user:
Username: testuser
Password: tester
When this user try to execute command with deny rule, the TACACS+ server
sends an authorization reply with status FAIL:
device-name#who
device-name# (config)#no router interface sw1

device-name# (config)#
When this user try to execute command with permit rule, the TACACS+ server
sends an authorization reply with status PASS and command is accepted:
device-name(config)#ethernet
device-name(config-ethernet)#
All commands sent to device are stored in accounting file
When the TACACS+ server is unreachable/down for authentication, local authentication is used.

Comparing TACACS+ and RADIUS

Table 7: A comparison between TACACS+ and RADIUS
Feature RADIUS TACACS+
Communication UDP TCP

Protocol
Authentication and Combined AAA processes AAA architecturethree separate
Authorization processes: Authentication,
Authorization, and Accounting
Packet Encryption Encrypts only the password sent Encrypts the entire packet body
by the user to the server but leaves a standard TACACS+
header
Router Management Sends the device a privilege Controls command authorization
profile used for command on a per-user or per-group basis
authorization by assigning privilege profiles to
commands
Multiprotocol Support Does not support the following Offers multiprotocol support
protocols:
AppleTalk Remote Access
(ARA)
NetBIOS Frame Protocol
Control
Novell Asynchronous
Services Interface (NASI)
X.25 PAD connection

Telnet
Telnet is a network protocol used to provide a bidirectional communications facility using a virtual
terminal connection. User data is transmitted over the Transmission Control Protocol (TCP).
Telnet Commands
Commands Hierarchy
device-name#
- telnet {A.B.C.D | HOSTNAME} [<port-number>]
+ config terminal
+ system
+ telnet-server
- [no] port <number>
- [no] shutdown
Table 8: Telnet Commands
Command Description
telnet {A.B.C.D | HOSTNAME} [<port- Initiates a Telnet connection to a specified

number>] remote device:
A.B.C.D: the remote devices IP
address
HOSTNAME: the remote devices name
port-number: (optional) the TCP
port number for the service, in
port 23
The Telnet connection is password-protected.
The default password is admin. The
default user name is admin too.
telnet-server Enters Telnet server Configuration mode

Command Description
access source-ip A.B.C.D/M Limits the access to the Telnet server only from
the specific IP address:
A.B.C.D/32 defines a specific IP
address.
no access source-ip Removes the configured IP address
port <value> Specifies the port through which the Telnet
range of <165535>
port 23
no port <value> Restores to default
source-address A.B.C.D Configures Telnet to listen on a specified IP

decimal format
interfaces)
dscp-mapping <value> Specifies a DSCP priority of packets sent from

Telnet server:
shutdown Stops the Telnet server
no shutdown Starts the Telnet server

Secure Shell (SSH)

SSH is a protocol that provides a secure, remote connection to a device. SSH provides more
security for remote connections than Telnet does by providing strong encryption when a device is
authenticated.
The operating system offers both an SSH server and an SSH client. You can connect to the devices
SSH server from an SSH client, or you can connect your device's SSH client to another device that
has an SSH server.
To access the device via SSH protocol, install one of the following supported SSH clients on your
PC:
SSH Communications Security Corp
OpenSSH
PuTTY terminal program
F-Secure SSH
SecureCRT
Other clients that supports SSH version 2
To connect to the device, use the IP address for the device in the SSH client.
SSH Commands
Commands Hierarchy
device-name#
- ssh USERNAME@{A.B.C.D | SSHNAME}
+ config terminal
+ system
- [no] ssh-server
- [no] port <value>
- [no] shutdown
Table 9: SSH Commands
Command Description

Command Description
ssh USERNAME@{A.B.C.D | SSHNAME} Connects to a SSH server from the devices

SSH client:
USERNAME@: the username to access
the SSH server. The user name must
be followed by the ape symbol (@).
A.B.C.D: the IP address of the SSH
server
SSHNAME: the name of the SSH
server
After executing the command, you are prompted
for the user password.
The default username to access the SSH
server is admin. The default password is
admin too.
ssh-server Enters SSH Configuration mode
no ssh-server Removes the SSH configuration details
access source-ip A.B.C.D/M Limits the access to the SSH server only from
the specific sources IP address(es):
A.B.C.D/32 defines a specific IP
address.
no access source-ip Removes the trusted IP address
source-address A.B.C.D Configures SSH to listen on a specified IP

decimal format
interfaces)
port <value> Specifies the port through which the SSH

range of <165535>
port 22
dscp-mapping <value> Specifies a DSCP priority of packets sent from

SSH server:

Command Description
shutdown Disables the SSH server

The SSH server is enabled
no shutdown Re-enables the SSH server

Prioritizing ARP Packets

Use Class of Service (CoS) Forwarding Classes (FC) to protect ARP packets from being dropped
during periods of network congestion and delay.
ARP Prioritization Commands

Commands Hierarchy
+ config terminal
+ system
- [no] router
- [no] arp priority-mapping fc {af | be | ef | h1 | h2 |
l1 | l2 | nc}
Configuration Commands
Table 10: ARP Prioritization Commands
Command Description

arp priority-mapping fc {af | be | Sends the ARP packets to user-defined
ef | h1 | h2 | l1 | l2 | nc} forwarding class (FC):
be: assigns be FC to the ARP
packets
l2: assigns l2 FC to the ARP
packets
af: assigns af FC to the ARP
packets
l1: assigns l1 FC to the ARP
packets
h2: assigns h2 FC to the ARP
packets
ef: assigns ef FC to the ARP
packets
h1: assigns h1 FC to the ARP
packets
nc: assigns nc FC to the ARP
packets
be

Command Description
no arp priority-mapping fc Restores to default


User-Privilege Not supported Not supported Not supported

Profiles
RADIUS Not supported Not supported RFC 2865, Remote
Authentication Dial In User
Service (RADIUS)
RFC 2869, Remote
Authentication Dial In User
Service (RADIUS) Extensions
TACACS+ Not supported Not supported draft-grant-tacacs-02tac-
rfc.1.78.txt draft
SSH Not supported Not supported Not supported
Telnet Not supported Not supported Not supported

Physical Ports and Logical Interfaces
Table of Contents
Table of Figures 1
List of Tables 2
Device Interface Types 4

Fast and Giga Ethernet Ports 4
Ports and IP Interface Commands 4
Port Configuration Example 9
IP-Interface Configuration Example 10
Link Aggregation Groups (LAGs) 11

LAG Configuration 12
Link Aggregation Control Protocol (LACP) 12
Multi-System/Multi-Server LAG13
LAG Commands 14
LACP Configuration Example 18
MS-LAG Configuration Example22
Resilient Links 26
Resilient Links Configuration Notes 26
Resilient Link Commands26
Traffic Storm-Control 28
Storm-Control Commands 28
Supported Standards, MIBs, and RFCs 31
Table of Figures
Figure 1: Four Ports Combined into a Link Aggregation Group ................................................. 11
Physical Ports and Logical Interfaces (Rev. 01) Page 1

Figure 2: MS-LAG diagram ................................................................................................................ 13

Figure 3: Example of Two LAGs Configured on the Same Device ............................................. 19
Figure 4: MS-LAG Configuration ...................................................................................................... 23
List of Tables
Table 1: Ports Configuration Commands ........................................................................................... 5
Table 2: IP Interface Configuration Commands ............................................................................... 6
Table 3: Commands Used to Display and Clear Port Settings and Statistics ................................ 8
Table 4: LAGs Commands ................................................................................................................. 14
Table 5: Resilient Links Commands .................................................................................................. 27
Table 6: Descriptions of the Storm-Control Commands ............................................................... 28
Page 2 Physical Ports and Logical Interfaces (Rev. 01)


This chapter describes the T-Marc 3312SC/T-Marc 3312SCH device interface types, which
includes load sharing, resiliency and security solutions. Configuration examples are also provided.
The chapter includes the following sections:
Fast and Giga Ethernet Ports
This section details the physical T-Marc 3312SC/T-Marc 3312SCH device ports and lists
configuration commands.
Link Aggregation Groups (LAGs)
Link Aggregation Groups (LAGs) combine several ports in one logical link. LAGs
provide increased bandwidth and redundancy as well as higher availability.
Resilient Links
A resilient link consists of a main link and a standby (backup) link that together form a
resilient-link pair. Resilient links protect critical links and prevent network downtime.
Traffic Storm-Control
The traffic storm-control feature prevents LAN ports from being disrupted by a
broadcast, multicast, and/or unicast traffic storm.

Device Interface Types

There are two device interface types, one physical and the other logical:
Device Port: Device ports are Layer 2 only interfaces associated with a physical port.
Software Interface: A logical, Layer 3 (IP) interface specifying various attributes such as IP
address and mask. A single port can be associated with more than one IP interface via Virtual
Local Area Network (VLAN) configuration.
Fast and Giga Ethernet Ports

With this T-Marc 3312SC/T-Marc 3312SCH device, service providers can deliver multiple services
on separate user ports. A single port can support multiple application flows with each flow mapped
to a different traffic class.
The T-Marc 3312SC/T-Marc 3312SCH device supports:
Eight Fast Ethernet or Gigabit Ethernet SFP ports (100 Mbps and 1 Gbps)
Four copper ports (10 Mbps, 100 Mbps, and 1 Gbps)
Eight E1/T1 TDM ports
Ports and IP Interface Commands

This section defines the command hierarchy used by both the physical port and the logical IP
interface as well the available commands for both. Also included are configuration examples for
both.
Command Hierarchy
device-name#
+ config terminal
+ port UU/SS/PP
- [no] ethertype <value>
- [no] speed {10 | 100 | 1000 | auto}
- [no] duplex {auto | full | half}
- [no] default-vlan <vlan-id>
- [no] flow-control
- [no] mtu <value>
- [no] self-egress-filter
- [no] shutdown
+ [no] router
+ [no] interface {outBand0 | loN | swN}
- [no] group-id <value>


- [no] address A.B.C.D/M
- [no] mtu <value>
- [no] shutdown
- show router interface [name]
- show router interface statistics
- show port [UU/SS/PP] [statistics | detailed]
- clear port UU/SS/PP statistics
Table 1: Ports Configuration Commands
Command Description
port UU/SS/PP Enters Configuration Mode for a specific port:

UU/SS/PP: 1/1/1-1/1/4 and 1/2/1-
1/2/8
ethertype <value> Specifies the packet ethertype value of forwarded
packets:
value: valid values:
0x88A8 - Provider Bridging (IEEE 802.1ad)
0x8100 - VLAN-Tagged Frame
0x9100 - Q-in-Q
0x8100
no ethertype Restores to default
description DESCRIPTION Describes the port:

characters
no description Removes the port description
speed {10 | 100 | 1000 | auto} Specifies the speed of the port:
10, 100, 1000: duplex speed, in
Mbps
auto: the port automatically finds
the highest supported speed
Auto
no speed Restores to default
duplex {auto | full | half} Specifies the ports duplex mode:
auto: auto detect mode
full: full duplex mode
half: half duplex mode
Auto
no duplex Restores to default

Command Description
default-vlan <vlan-id> Specifies the default VLAN for the port (only one
default VLAN allowed per port):
vlan-id: in the range of <14094>
1
no default-vlan Restores to default
flow-control Controls the amount of data sent from the
transmitting port to the receiving port (also called
Flow Control Mode).
Disabled
no flow-control Restores to default
mtu <value> Specifies the maximum packet size allowed for

the port.
The port can send frames larger than the
configured MTU but cannot accept frames of that
size.
value: in the range of <25612288 >
Bytes
1544 Bytes
no mtu Restores to default
self-egress-filter Denies packets received on the selected port from
being sent back to the same port.
NOTE
The command is applied only on
port selected to be a SAP port in
VPLS services.
Disabled
no self-egress-filter Restores to default
shutdown Disables the port (the port no longer receives,
forwards, or learns)
no shutdown Enables the port
Table 2: IP Interface Configuration Commands

Command Description

router Enters Router Configuration mode
no router Removes router configurations

Command Description
interface {outBand0 | loN | swN} Creates an IP interface and enters Configuration

outBand0: an Ethernet network
interface
loN: an internal logical loopback
IP-interface. N: in the range of
<09>
range of <09999>
NOTE
You cannot use the MPLS uplink for
L2 SAP, and vice versa.
no interface {outBand0 | loN | Removes the created IP interface:
swN}
interface
<09>
range of <09999>
NOTE
group-id <value> Defines a group to which an interface belongs.
Group ID acts as interface grouping mechanism
that prevents primary and backup LSPs from
being established on the same physical link.
Backup LSP cannot be selected if it passes
through an interface with the same group id as the
one used by the primary LSP.
value: in the range of <0 -
2147483647>
no group-id Removes the configured value
description DESCRIPTION Describes the IP interface:

DESCRIPTION: a string of up to 256
characters (spaces are allowed)
no description Removes the IP interface description
address A.B.C.D/M Specifies the IP address for the IP interface:

A.B.C.D/M: the IP address of the IP
interface and subnet mask (M) in
the range of <131>
no address Removes the IP address of the IP interface:
A.B.C.D/M: the IP address of the IP
interface and subnet mask (M) in
the range of <131>

Command Description
mtu <value> Specifies the maximum size of packets generated

by the CPU (for example RSVP/OSPF/LLDP
protocols packets) allowed for an interface:
value: in the range of <256 >
Bytes
1500 Bytes
When the ping packets size is bigger than the
default MTU, you need to consider if the ping
packets will go out of the device SW interface (in
case of routing). In that case, the MTU of the SW
interface need to meet the MTU value configured
on a port. Otherwise, the ping packets that go out
of the sw interface will be discarded if fragment
flag is not UP.
shutdown Disables the interface
no shutdown Enables the interface
Table 3: Commands Used to Display and Clear Port Settings and Statistics
Command Description
show port [UU/SS/PP] [statistics | Displays the status and configuration of all ports
detailed] or a specific port:
and 1/2/1-1/2/8
statistics: (optional) displays
port statistics and packet counters
detailed: (optional) displays
detailed configuration information
for the port
Unicast, multicast and broadcast statistics
count packets with size less than or equal to
1518 bytes.
Oversize counter counts packets with size
bigger than 1518 bytes.
show router interface name { outBand0 | Displays the status and configuration of the
loN | swN} selected interface:
interface
<09>
range of <09999>
show router interface statistics Displays interface statistics and packet counters

Command Description
clear port [UU/SS/PP] statistics Clears all port statistics:

UU/SS/PP: clears statistics for the
selected port: 1/1/1-1/1/4, 1/2/1-
1/2/8
Port Configuration Example

Device-name#config terminal
Device-name(config)#port 1/1/1
Device-name(config-port-1/1/1)#mtu 12000
Device-name(config-port-1/1/1)#description PORT1
Device-name(config-port-1/1/1)#flow-control
Device-name(config-port-1/1/1)#ethertype 0x9100
Device-name(config-port-1/1/1)#commit
Commit complete.
Device-name#show port 1/1/1

===============================================================================
Ethernet Interface
===============================================================================
Interface : 1/1/1
Description : PORT1
Admin State : up Port State : up
Config Duplex : auto Operational Duplex : full
Config Speed : auto Operational Speed(Mbps) : 100
-------------------------------------------------------------------------------
Flow Control : enabled
Dual Port : No Active Link : RJ45
-------------------------------------------------------------------------------
Default VLAN : 1 MTU[Bytes] : 12000
MAC Learning : enabled Self egress filter : enabled
LAG ID : N/A
===============================================================================
Device-name#show running-config port 1/1/1

port 1/1/1
description PORT1
mtu 12000
ethertype 0x9100
learn-new-mac-addresses
flow-control
no shutdown
qos-ingress-policy defInPol
qos-egress-policy defEgPol
!

IP-Interface Configuration Example

Device-name(config)#router
Device-name(config-router)#interface sw23
Device-name(config-interface-sw23)#address 1.2.3.4/31
Device-name(config-interface-sw23)#description ADDR1
Device-name(config-interface-sw23)#mtu 600
Device-name(config-interface-sw23)#commit
Commit complete.
Device-name#show running-config router interface sw23

router
interface sw23
description ADDR1
address 1.2.3.4/31
mtu 600
no shutdown
exit
!
!
Device-name#show router interface name sw23

Interface sw23 DOWN
Index 24
Description: ADDR1
Flags : <DOWN,BROADCAST,MULTICAST>
inet 1.2.3.4/31 broadcast 1.2.3.5 mask 255.255.255.254
HW address: 00:A0:12:C2:24:A1
MTU 600
Bandwidth 0bps

Link Aggregation Groups (LAGs)

Link Aggregation Groups (LAGs) combine several ports in one logical link. All links within a LAG
operate at the same data rate (specifically, 10 Mbps, 100 Mbps, 1 Gbps). By aggregating multiple
Giga ports (as shown in the following figure), LAGs also support bandwidths beyond 10 Gpbs.
LAGs provide increased bandwidth and high reliability and eliminate the cost of hardware
upgrades.
NOTE
LAGs are numbered from 1 to 14.
Each LAG can consist of up to eight compatibly configured ports.
Figure 1: Four Ports Combined into a Link Aggregation Group
There are two LAG types:

Static LAGs, which consist of individual Gigabit Ethernet links bundled into a single logical
link, treat multiple device ports as one device port. These port groups act as a single logical
port for high-bandwidth connections between two network devices. A static LAG balances
the traffic load across the links in the channel. If a physical link within the static LAG fails,
traffic previously carried over the failed link moves to the remaining links.
Most protocols can operate using LAG infrastructure as though all ports in the group
were a single, physical port.
Dynamic LAGs dynamically adapt aggregated links to changes in traffic conditions using the
Link Aggregation Control Protocol (LACP) to accommodate load sharing and automatic
readjustments in case of LAG link-failure and recovery.

LAG Configuration
You can configure both static and dynamic LAGs simultaneously, assuming the following
restrictions:
Both static and dynamic LAGs receive unique identifiers from the same LAG ID pool. Each
LAG, whether static or dynamic, must have its own LAG ID number.
Each port can only belong to a single LAG but that LAG can be either static or dynamic.
Link Aggregation Control Protocol (LACP)

The Link Aggregation Protocol (LACP) is the protocol used by a LAG. LACP, defined in IEEE
802.3ad, dynamically groups similarly configured ports into a single logical link (aggregate port) to
increase bandwidth and redundancy as well as provide higher availability. You can group ports
based on hardware or by administrative and port parameter constraints.
The device exchanges LACP frames to synchronize LACP-enabled port databases.
You can group up to a maximum of eight compatible ports in one LAG.
LACP Modes
LACP has two operational modes:
Active: When active, the port can start LACP negotiation and as a result form a link with
another device. The other device can be either active or passive.
Passive: The port does not start LACP negotiation.
LACP Parameters
The following factors define the ability of a port to aggregate with other ports:
Physical characteristics such as, data transfer rate, duplex capability, and medium type
User-defined configuration constraints
To use LACP, define the following parameters:
1. Enter the System ID. The System ID identifies the LACP system negotiating with other
LACP systems. The System ID is always the MAC address for the device.
2. Define System Priority. System priority, along with port priority, provides the means for
connected LACP ports to determine dynamically an exchange policy.
3. Enter the Administrative key to define the ability of the port to aggregate with other ports.
4. Define port priority. Port and system priority work together so that connected LACP ports
can dynamically determine an exchange policy.
5. Enable the LACP.

NOTE
When enabled, LACP attempts to group the maximum of eight compatible ports in a
LAG. However, if LACP is unable to aggregate compatible ports (for example, due
to remote device limitations), these ports remain in a hot standby state to be used
when one of the channeled ports fail.
Multi-System/Multi-Server LAG
Multi-System/Multi-Server link aggregation (MS-LAG) enables a device to form a logical LAG
with two or more other devices. MS-LAG is an extension of the regular LAG functionality that
provides additional benefits over traditional LAG:
provide redundancy level that including two sub-LAGs (see the below diagram)
more bandwidth available to the client in Active-Active configurations
fast failure detection using physical link failure detection or OAM over L2, where OAM over
VPLS/MPLS is not available
loop-free Layer 2 network without running Spanning Tree Protocol (STP).
On one end of MS-LAG is a MS-LAG client device that has one or more physical links in a link
aggregation group (Sub-LAG). This client device does not need to be aware of MC-LAG. On the
other side of MS-LAG are two MS-LAG server devices. Each of these server devices has one or
more physical links connected to a single client device. The server devices need to have specific
identical configuration to ensure that data traffic is forwarded properly. This configuration includes
LACP ID, port priority, and LACP administrative key.
Sub-LAGs work in Dynamic Active-Standby Sub-LAG mode. If only one Sub-LAG is defined, it is
always considered as Active Sub-LAG. If two Sub-LAGs are defined, then during the LAG
operation, based on Sub-LAG weight (total priority of ports members of the Sub-LAG) or the
number of ports, a Sub-LAG contains, one Sub-LAG is considered Active and the other is
considered Standby.
Figure 2: MS-LAG diagram

LAG Commands
In this section, the command hierarchy used by LAGs is defined. Also presented is a list of useable
commands and configuration examples.
Command Hierarchy
device-name#
+ config terminal
+ ethernet
+ [no] lag
- [no] distribution-type {L2 | L3 | L4 | mpls }
+ [no] lag-id agN
- [no] lacp enable
- lacp mode {active | passive}
- [no] lacp administrative-key <number>
- [no] lacp id <number>
- [no] lacp marker {disable | enable}
- [no] lacp priority <number>
- [no] lacp fast-rate
+ [no] port UU/SS/PP
- [no] priority <number>
- [no] sub-lag {1 | 2}
- [no] lacp selection-criteria {highest-count |
highest-weight}
- [no] lacp tx-on-standby
- [no] lacp force-active {1 | 2}
- show ethernet lag
- show ethernet lag lag-id agN [details | statistics]
- clear lag [lag-id agN] statistics
Table 4: LAGs Commands
Command Description

lag Enters LAG Configuration mode

Command Description
no lag Removes LAG configurations

distribution-type {L2 | L3 | L4 | Specifies the LAG packet-distribution between
mpls } the ports:
L2: distributes packets based on
the source and destination MAC
addresses of the packets
the source and destination IP
addresses of the packets
the TCP/UDP ports
mpls: distributes packets based
on the MPLS label
L2
no distribution-type Restores to default
lag-id agN
Creates a static LAG and enters LAG

Configuration mode:
<1-14>

no lag-id agN Removes the created static LAG
description DESCRIPTION Describes the LAG:

1255 characters (spaces are
allowed)
no description Removes the LAG description
lacp enable Enables the Link Aggregation Control Protocol
(LACP)
Disabled
no lacp enable Restores to default
lacp administrative-key Specifies the LACP administrative key,
<number> determining the ability of the port to aggregate
with other ports.
A unique LACP administrative key must be
specified for each LAG.
1
no administrative-key Restores to default
lacp id xx:xx:xx:xx:xx:xx Assigns a user-defined system ID of a specific

dynamic LAG:
xx:xx:xx:xx:xx:xx: user-defined
system ID, in a MAC address
format
the MAC address of the device

Command Description
no lacp id Restores to default

lacp marker {disable | enable} Enables the device to respond to LACP marker
requests
Disabled
no lacp marker Restores to default
lacp mode {active | passive} Specifies the LACP negotiating mode:
active: places a port into an
active negotiating state. The
port initiates negotiations by
sending LACP packets to other
ports
passive: places a port into a
passive negotiating state. The
port responds to received LACP
packets but does not initiate
negotiation
Active
no lacp mode [active | Restores to default or to specific negotiating
passive] mode
lacp priority <number> Specifies the LACP system priority. LACP uses
system priority, together with the device MAC
address, to form the system ID. System Priority
is also used during negotiation with other
systems:
(higher numbers have lower
priority)
32768
no lacp priority Restores to default
lacp fast-rate Specifies the interval LACP BPDUs send out
hello packets to detect link problems. Normal
LACP hello interval is 30 seconds which means
that the LACP neighbor is detected dead after
90 seconds if nothing is heard. Fast-rate hello
means a hello interval of 1 second (dead peer
detected in 3 seconds).
30 seconds
no lacp fast-rate Restores to default
port UU/SS/PP
Adds a port to a LAG and enters LAG Port

Configuration mode.
When a LAG is used as an uplink, its
member ports must be shut down before the
LAG is deleted.
UU/SS/PP: 1/1/1-1/1/4 and 1/2/1-
1/2/8
no port [UU/SS/PP] Removes the selected port from a LAG group:
and 1/2/1-1/2/8

Command Description
priority <number> Specifies the priority of an individual port within

the LAG:
32768
sub-lag {1 | 2} Specifies a Sub-LAG ID per each port that will
become member of the MS-LAG:
1, 2: Sub-LAG 1 or 2
All Sub-LAG IDs are 1
no sub-lag Restores to default
lacp selection-criteria The Active Sub-LAG is selected according to
{highest-count | highest- one of the following criteria:
weight}
highest-count: Sub-LAG with the
highest number of operational
ports becomes Active
highest-weight: Sub-LAG with the
highest weight (total operational
port priority) becomes Active.
The highest weight of a sub-lag
is calculated by sum of (65535-
the priority of all ports).
When the selected criterion has identical results
for both Sub-LAGs, an Active Sub-LAG
becomes the last selected as Active; if there is
not such a Sub-LAG, the Sub-LAG 1 become
Active.
highest- weight
no lacp selection-criteria Restores to default
lacp tx-on-standby Enables/disables sending of LACP PDUs over
links selected as Standby
LACP PDUs are sent over Standby Sub-
LAG
no lacp tx-on-standby Restores to default
lacp force-active {1 | 2} Forces one of the configured Sub-LAGs to
become Active. The selected Sub-LAG remains
Active until the lacp force-active command in
deactivated.
no lacp force-active Deactivates the forcing process
show ethernet lag Displays the status and configuration of all
LAGs
show ethernet lag lag-id agN [details | Displays the status and configuration of the
statistics] selected LAG:
<1-14>
details: LAG detail information
statistics: LAG statistics and
packet counters

clear lag [lag-id agN] statistics Clears all LAG statistics:

agN: clears statistics for a
specific LAG ID
Example:
Device-name(config)#ethernet
Device-name(config-ethernet)#lag lag-id ag1
Device-name(config-lag-id-ag1)#port 1/1/1
Device-name(config-port-1/1/1)#port 1/1/2
Device-name(config-port-1/1/2)#port 1/1/3
Device-name(config-port-1/1/3)#exit
Device-name(config-lag-id-ag1)#lacp enable
Device-name(config-lag-id-ag1)#lacp fast-rate
Device-name(config-lag-id-ag1)#lacp administrative-key 5
Device-name(config-lag-id-ag1)#exit
Device-name(config-lag)#distribution-type L4
Device-name(config-lag)#commit
Commit complete.
Device-name(config-lag)#end
Device-name#show running-config ethernet lag
ethernet
lag
distribution-type L4
lag-id ag1
lacp enable
lacp administrative-key 5
lacp fast-rate
port 1/1/1
!
port 1/1/2
!
port 1/1/3
!
!
!
!
LACP Configuration Example

The following example establishes two dynamic link aggregation groups between Device1,
Devices2 and Device3.

Figure 3: Example of Two LAGs Configured on the Same Device
Configuring Device 1:
In the following example ports 1/1/1, 1/1/2, 1/1/3, and 1/1/4 are added respectively to LAG
ag1 and ag2 on which LACP is enabled.
1. Define LAGs ag1 and ag2. Add relevant ports to both LAGs:
device-name(config-ethernet)#lag lag-id ag1
device-name(config-lag-id-ag1)#port 1/1/1
device-name(config-port-1/1/1)#port 1/1/2
device-name(config-port-1/1/2)#exit
2. Enable LACP on both LAGs:

device-name(config-lag-id-ag1)#lacp enable
device-name(config-lag-id-ag1)#commit
Commit complete.
device-name(config-lag-id-ag1)# lag lag-id ag2
Commit complete.
3. Display LAG configuration:

device-name#show ethernet lag lag-id ag1 details
Interface Name ag1
Mode: network
Distribution Type: L2

Operational Status: up
System ID: 00a012c204a1
System Priority: 32768
Administrative Key: 1
LACP: enabled
LACP Mode: active
LACP interval: fast
LACP transmit on stdby: disabled
Selection criteria: highest-weight
Forced active sublag: -
Time since last failover: 1h-12m-19s
Marker protocol: disabled
----------------------------------------------------------------------
Port Admin Oper Priority Sublag Aggregation Active/
Id Status Status Status Standby
----------------------------------------------------------------------
1/1/1 up up 32768 1 active active
----------------------------------------------------------------------

Interface Name ag2
Mode: network
LACP: enabled
LACP Mode: active
LACP interval: fast
----------------------------------------------------------------------
----------------------------------------------------------------------
----------------------------------------------------------------------
In the following example ports 1/1/1 and 1/1/2 are added to LAG ag1 on which LACP is enabled.
1. Define LAG ag1. Add relevant ports to the LAG:

2. Enable LACP on the LAG:

Commit complete.

Interface Name ag1
Mode: network
LACP: enabled
LACP Mode: active
LACP interval: fast
----------------------------------------------------------------------
----------------------------------------------------------------------
----------------------------------------------------------------------
In the following example ports 1/1/3 and 1/1/4 are added to LAG ag2 on which LACP is
enabled.
1. Define LAG ag2. Add relevant ports to the LAG:
2. Enable LACP on the LAG:


Commit complete.

Interface Name ag2
Mode: network
LACP: enabled
LACP Mode: active
LACP interval: fast
----------------------------------------------------------------------
----------------------------------------------------------------------
----------------------------------------------------------------------
MS-LAG Configuration Example

Figure 4: MS-LAG Configuration
Configuring Server device 1:

1. Define LAG ag1 and enable LACP Add relevant ports to the LAG:
Server_device_1#con
Server_device_1(config)#ethernet
Server_device_1(config-ethernet)#lag
Server_device_1(config-lag)#lag-id ag1
Server_device_1(config-lag-id-ag1)#lacp enable
Server_device_1(config-lag-id-ag1)#lacp administrative-key 5
Server_device_1(config-lag-id-ag1)#lacp id 00:11:22:33:44:55
Server_device_1(config-lag-id-ag1)#port 1/2/1
Server_device_1(config-port-1/2/1)#priority 16384
Server_device_1(config-port-1/2/1)#port 1/2/2
Server_device_1(config-port-1/2/2)#commit
Server_device_1(config-port-1/2/2)#end

Server_device_1#show ethernet lag lag-id ag1 details
Interface Name ag1
Mode: network
System ID: 001122334455
LACP: enabled
LACP Mode: active
LACP interval: slow
LACP transmit on stdby: enabled
Time since last failover: 55m-28s
----------------------------------------------------------------------
----------------------------------------------------------------------
----------------------------------------------------------------------
Configuring Server device 2:

1. Define LAG ag2 and enable LACP Add relevant ports to the LAG:
Server_device_2(config)#ethernet

Server_device_2(config-ethernet)#lag
Server_device_2(config-lag)#lag-id ag1
Server_device_2(config-lag-id-ag1)#lacp enable
Server_device_2(config-lag-id-ag1)#lacp administrative-key 5
Server_device_2(config-lag-id-ag1)#lacp id 00:11:22:33:44:55
Server_device_2(config-lag-id-ag1)#port 1/2/1
Server_device_2(config-port-1/2/1)#port 1/2/2
Server_device_2(config-port-1/2/2)#commit
Server_device_2(config-port-1/2/2)#end

Server_device_2#show ethernet lag lag-id ag1 details
Interface Name ag1
Mode: network
Operational Status: down
System ID: 001122334455
LACP: enabled
LACP Mode: active
LACP interval: slow
----------------------------------------------------------------------
----------------------------------------------------------------------
1/2/1 up up 16384 1 failed failed
1/2/2 up up 16384 1 failed failed
----------------------------------------------------------------------
Configuring Client device:

1. Define LAG ag1 and standby lAG on ag2.
Client_device(config)#ethernet
Client_device(config-ethernet)#lag
Client_device(config-lag)#lag-id ag1
Client_device(config-lag-id-ag1)#lacp enable
Client_device(config-lag-id-ag1)#port 1/2/1
Client_device(config-port-1/2/1)#port 1/2/2
Client_device(config-port-1/2/3)#sub-lag 2
Client_device(config-port-1/2/4)#sub-lag 2

Client_device(config-port-1/2/4)#commit

Client_device#show ethernet lag lag-id ag1 details
Interface Name ag1
Mode: network
System ID: 00a012cce521
LACP: enabled
LACP Mode: active
LACP interval: slow
----------------------------------------------------------------------
----------------------------------------------------------------------
1/2/3 up up 32768 2 stdby-selected standby
1/2/4 up up 32768 2 stdby-selected standby

Resilient Links
Resilient links protect critical links and prevent network downtime. A resilient link consists of a
main link and a standby (backup) link that together form a resilient-link pair. Under normal
network conditions, the main link carries network traffic. In case of signal loss, the device
immediately switches to the standby link. There is no session timeout since switchover to the
standby link occurs in less than one second.
If the main link has a higher bandwidth than its standby or if the main link is configured as a
preferred link, the device switches traffic back to the main link as soon as the connection recovers.
Otherwise, you must manually switch traffic back to the main link.
Resilient Links Configuration Notes

When configuring resilient links, note the following:
Define a resilient-link pair only on one end of the link. This provides a fully redundant
network, even when connecting the device to other devices, such as routers and servers.
If using shutdown mode, configure on one device (either local or remote).
When configuring a VLAN, the resilient link ports must belong to the same VLAN.
Ports can reside on different LICs.
You can configure a resilient link pair only if:
The ports have the same PVID
Neither port is part of a LAG
Neither port belongs to another resilient-link pair.
Resilient Link Commands

In this section, the command hierarchy for Resilient Links is defined and a list of available
commands is provided. Included also, is a configuration example.
Command Hierarchy
device-name#
+ config terminal
+ ethernet
+ [no] resilient-link resN
- backup-mode {standby | shutdown}
- backup-port UU/SS/PP
- primary-port UU/SS/PP

Table 5: Resilient Links Commands
Command Description

resilient-link resN Enables the resilient link feature and enters

Resilient-link Configuration mode:
N: in the range of <1-256>
no resilient-link Disables the resilient link feature
backup-mode {standby | shutdown} Specifies the standby (backup) link behavior:
standby: the port is powered on
(the LED for the port is on)
shutdown: the port is powered off
(the LED for the port is off)
Standby
backup-port UU/SS/PP Specifies the standby (backup) port for the
resilient-link pair:
UU/SS/PP: 1/1/1-1/1/4 and 1/2/1-
1/2/8
primary-port UU/SS/PP Specifies the main port of the resilient-link pair:
UU/SS/PP: 1/1/1-1/1/4 and 1/2/1-
1/2/8
In the following example ports 1/1/1 and 1/1/2 define a resilient-link pair res1.
1. Enter the Configuration mode of resilient link res1:
device-name(config-ethernet)#resilient-link res1
2. Define primary and backup ports:

device-name(config-resilient-link-res1)#primary-port 1/1/1
device-name(config-resilient-link-res1)#backup-port 1/1/2
3. Define resilient link behavior:

device-name(config-resilient-link-res1)#backup-mode standby
device-name(config-resilient-link-res1)#commit
Commit complete.
4. Display the resilient link configuration:

device-name#show ethernet resilient-link res1
Name Primary Backup Mode Active Swaps
--------------------------------------------------
Res1 1/1/1 1/1/2 Standby 1/1/1 0

Traffic Storm-Control
The traffic storm-control feature prevents LAN ports from being disrupted by a broadcast,
multicast, and/or unicast traffic storm. This mechanism regulates the rate at which devices forward
the traffic. Traffic storm-control monitors incoming traffic rates over a 1-second storm-control
interval and, compares this traffic rate with the traffic storm-control rate that you configure. When
the port threshold is met, all incoming traffic on the port is dropped.
Storm-Control Commands
Commands Hierarchy
device-name#
+ config terminal
+ ethernet
+ [no] storm-control
- [no] traffic-type broadcast [rate-threshold
<rate>]
- [no] traffic-type multicast [rate-threshold
<rate>]
- [no] traffic-type unknown [rate-threshold <rate>]
- [no] traffic-type all [rate-threshold <rate>]
- [no] shutdown
- show ethernet storm-control {in-use | port}
Table 6: Descriptions of the Storm-Control Commands
Command Description

ethernet Enters the Ethernet Configuration mode
storm-control Enters the Storm-control Configuration mode
no storm-control Removes the storm-control configurations
port UU/SS/PP Selects a port:

UU/SS/PP: 1/1/1-1/1/4 and 1/2/1-
1/2/8
no port UU/SS/PP Removes the port from the configuration:
UU/SS/PP: 1/1/1-1/1/4 and 1/2/1-
1/2/8

Command Description
traffic-type broadcast [rate- Specifies the upper threshold rate for

threshold <rate>] broadcast traffic. The storm control action
occurs when traffic utilization reaches this rate.
rate: the valid range is <0
4294967295> packets per second
(pps), which, calculated on 64-
byte packet size basis,
translates to the following
limits (in pps):
for 100-megabit ports: 148810
for 1-gigabit ports: 1488095
no traffic-type broadcast Restores to default
traffic-type multicast [rate- Specifies the upper threshold rate for multicast
threshold <rate>] traffic:
limits (in pps):
no traffic-type multicast Restores to default
traffic-type unknown [rate- Specifies the upper threshold rate for unknown
threshold <rate>] traffic:
limits (in pps):
no traffic-type unknown Restores to default
traffic-type all [rate-threshold Specifies the upper threshold rate for all traffic:
<rate>]
limits (in pps):
no traffic-type all Restores to default
shutdown Disables the storm-control on the port
Disabled

Command Description
no shutdown Enables the storm-control on the port

show ethernet storm-control {in-use | port} Displays the configured thresholds and status
of the ports:
in-use: displays the above
information for all storm-
control-active ports
port: displays the above
information only for storm-
control-configured ports


Ethernet Port IEEE 802.3 Ethernet Public MIBs: RFC 2863 The
IEEE 802.3u Fast RFC 1213, Interfaces Group MIB
Ethernet Management (configL2IfaceTable
Information Base for and interface table)
IEEE 802.3x Flow
Control Network Management
of TCP/IP-based
IEEE 802.3z Gigabit
internets: MIB-II
Ethernet
(interface table and
configL2IfaceTable)
RMON MIB
Private MIB, PRVT-
SWITCH-MIB.mib
Link Aggregation IEEE 802.3ad Private MIB, Not supported
Groups (LAGs) PRVT-PORTS-
AGGREGATION-
MIB.mib
Resilience Links Not supported Private MIB, Not supported
PRVT-RESILIENT-
LINK-MIB.mib

Virtual and Super Local Area Networks
Table of Contents
Table of Figures 1
List of Tables 1
Features Included in This Chapter 3
Virtual Local Area Network (VLAN) 4
Virtual Local Area Network (VLAN) 4

VLAN Tagging 4
Management VLAN 6
VLAN Configuration Flow 7
VLAN Commands 8
Super VLANs 11
Super VLAN Types11
Super-VLAN Commands 13
Table of Figures
Figure 1: IEEE 802.1Q Frame Tag Structure .................................................................................... 4
Figure 2: VLANs in Ingress Traffic ..................................................................................................... 5
Figure 3: VLANs in Egress Traffic ...................................................................................................... 5
Figure 4: VLAN Configuration Flow .................................................................................................. 7
Figure 5: Switching Decisions without the Super VLAN Agent ................................................... 11
Figure 6: Switching Decisions with the Super VLAN Agent......................................................... 11
Figure 7: Super VLAN Ring Mode Configuration Example ......................................................... 12
List of Tables
Table 1: VLAN Commands .................................................................................................................. 8
Virtual and Super Local Area Networks (Rev. 01) Page 1

Table 2: Super-VLAN Commands .................................................................................................... 13
Page 2 Virtual and Super Local Area Networks (Rev. 01)

Features Included in This Chapter

The chapter contains the following sections:
Virtual Local Area Network (VLAN)
A Virtual LAN (VLAN) forms a user group having common requirements on the same
LAN regardless of physical location. A logical LAN can be implemented using any
physical infrastructure.
Super VLANs
The Super VLAN is a mechanism for separating users within one VLAN into multiple
broadcast domains.

Virtual Local Area Network (VLAN)

A Virtual Local Area Network (VLAN) assigns ports to separate, logical, broadcast domains.
Unlike a LAN, a VLAN is not limited to a single device but rather, spans an entire enterprise
organization or WAN link.
Through configuration options, the system administrator can:
Move members from one VLAN to another through port assignment
Set up individual VLANs for a service or group of services offered by the organization
Enforce rule-based polices (such as limiting the type of traffic permitted to pass between users
in a VLAN)
Prioritize VLAN traffic to ensure that Service Level Agreements (SLAs) are met.
Add ports from different LICs to a specific VLAN
VLAN Tagging
The VLAN Tagging Standard, IEEE 802.1Q, requires packets to be tagged at the port with a
unique VLAN ID. An Ethernet Frame, tagged with a VLAN ID inserted into the header,
associates that frame with a specific VLAN. Tagged packets cannot be shared between VLANs
with different VLAN IDs.
VLAN tagging makes it possible for a port that interconnects devices to carry traffic for multiple
VLANs over the same physical connection.
Figure 1: IEEE 802.1Q Frame Tag Structure
A port can belong to one or more VLANs. However, only one VLAN can be defined as the
default for that port. Initially, all device ports are defined as members of a VLAN named Default
with a default VLAN value of one (1).
Ingress Traffic
The following flow diagram shows how the combination of VLAN membership and default
VLAN definition for the port has a direct effect on incoming (ingress) traffic. When the port
receives tagged packets and the port is a member of the VLAN, the packets are redirected to

ports that are members of the same VLAN. If not a member of the VLAN, the port drops the
tagged packets. For untagged packets, the port adds a VLAN tag according to its default
VLAN ID and then processes as usual.
Figure 2: VLANs in Ingress Traffic
Egress Traffic
For each VLAN, a member port is further defined as being either a tagged or untagged member
which has a direct effect on outgoing (egress) traffic:
If the port is an untagged member of a VLAN, the port removes the VLAN ID before
forwarding frames for that VLAN.
If the port is a tagged member of a VLAN, the port forwards frames with the VLAN ID as is.
Figure 3: VLANs in Egress Traffic

Management VLAN
The Management VLAN controls device management. By connecting to any port assigned to the
Management VLAN, the device administrator can:
Enter Command Line Interface (CLI) commands to the device using SSH or Telnet (Telnet is
disabled by default)
Monitor and manage the device using the SNMP protocol
Use device pinging to troubleshooting connections
Upload/download files, such as software images, using TFTP and FTP file transfer protocols
Direct log messages to a Syslog Server in the same VLAN
The Management VLAN also isolates the management IP address of the device from data traffic
passing through the device to prevent unauthorized access and malicious attacks.

VLAN Configuration Flow

The following figure displays the process used to configure VLAN parameters.
Figure 4: VLAN Configuration Flow

VLAN Commands
This section describes the command hierarchy for a Virtual Local Area Network (VLAN) as well as
command descriptions and a configuration example.
Command Hierarchy
NOTE
For more information on the range option, refer to chapter Using CLI of this User
Guide.
device-name#
+ config terminal
+ [no] vlan [VLAN-NAME] <vlan-id>
- [no] cpu
- [no] tagged {UU/SS/PP | PORT-RANGE}
- [no] name VLAN-NAME
- [no] untagged {UU/SS/PP | PORT-RANGE}
- [no] management
- [no] routing-interface swN
- show vlan [[detailed] id <vlan-id>
Table 1: VLAN Commands
Command Description
vlan [VLAN-NAME] <vlan-id>
Creates a VLAN with a specified name and ID

(VLAN tag) and enters the VLAN Configuration
mode:
vlan-id: the valid range is <1
4094>
VLAN-NAME: (optional) a string of
<131> characters
no vlan [VLAN-NAME] <vlan-id> Removes the existing VLAN:
4094>
VLAN-NAME: (optional) a string of
<131> characters
cpu Adds the CPU port to the specified VLAN
no cpu Removes the CPU port from the VLAN

Command Description
tagged {UU/SS/PP | PORT-RANGE} Adds tagged port/s to the specified VLAN.

PORT-RANGE: a hyphenated range of
ports is in format UU/SS/PP-
UU1/SS1/PP1
UU/SS/PP: 1/1/1-1/1/4 and 1/2/1-
1/2/8
no tagged [UU/SS/PP | PORT-RANGE] Removes a tagged port(s) from the specified
VLAN:
PORT-RANGE: (optional) a
hyphenated range of ports is in
format UU/SS/PP-UU1/SS1/PP1
and 1/2/1-1/2/8
untagged {UU/SS/PP | PORT-RANGE} Adds port/s as untagged to the specified VLAN.
PORT-RANGE: a hyphenated range of
ports is in format UU/SS/PP-
UU1/SS1/PP1.
UU/SS/PP: 1/1/1-1/1/4 and 1/2/1-
1/2/8
no untagged [UU/SS/PP | PORT- Removes untagged port(s) from the specified
RANGE] VLAN:
PORT-RANGE: (optional) a
hyphenated range of ports is in
format UU/SS/PP-UU1/SS1/PP1
and 1/2/1-1/2/8
name VLAN-NAME Define a text-based VLAN name:
VLAN-NAME: a string of <131>
characters
no name Removes the configured VLAN name
management Enables management access to the device from
the current VLAN
Disabled
no management Disables management access to the device from
the current VLAN
routing-interface swN Attaches an IP interface to the specified VLAN.
The sw0 IP interface is attached only to the
default VLAN (VLAN ID 1).
swN: an IP interface number the
valid range is <19999>
no routing-interface Detaches the IP interface from the specified
VLAN
show vlan [[detailed] id <vlan-id>] Displays VLAN configuration information:
detailed: configuration
information for the specified VLAN
id <vlan-id>: in the range of 1-
4094

VLAN Configuration Example

1. Enter Configuration mode for VLAN v110 with ID 10:
device-name(config)#vlan vl10 10
2. Add to the VLAN ports 1/1/1 and 1/1/2 as tagged:

device-name(config-vlan-10)#tagged 1/1/1
device-name(config-tagged-1/1/1)#exit
3. Add to the VLAN port 1/2/1 as untagged:

4. Specify the default VLAN for port 1/2/1:

device-name(config-vlan-10)#port 1/2/1
5. Configures routing interface for this VLAN:

device-name(config-router)#interface sw11
device-name(config-interface-sw11)#address 111.1.0.1/24
device-name(config-interface-sw11)#top
device-name(config)#vlan 10
6. Configures this VLAN as management VLAN for the device:

device-name(config-vlan-10)#management
device-name(config-vlan-10)#commit
device-name(config-vlan-10)#end
1. Display VLANs information:

device-name#show vlan id 10
====================================================================
VLANs Information
--------------------------------------------------------------------
====================================================================
Name | L3 Interface |VTag| Created By | Owned By |
-------------------+--------------+----+------------+--------------+
v110 | sw11 |10 |User |User |
--------------------------------------------------------------------
Tagged Ports: 1/1/1 1/1/2
--------------------------------------------------------------------
Untagged Ports: 1/2/1

Super VLANs
A Super Virtual Local Area Network (VLAN) further divides members of one VLAN into
multiple, virtual broadcast domains known as sub-VLANs. In a Super VLAN, the system
administrator uses the same IPv4 subnet and default gateway IP address for all users in the same,
switched infrastructure resulting in decreased IPv4 address consumption and eliminating the need
for a dedicated IP subnet for each VLAN.
Each sub-VLAN is a broadcast domain isolated at Layer 2. Communication between members of
different VLANs uses the IP address of the Super VLAN virtual interface as the IP address of the
gateway. Because multiple VLANs share the same virtual interface IP address, IP address usage is
minimized.
The following example illustrates traffic through the device without a Super VLAN. Traffic
entering the user device port is not restricted to the uplink port, therefore, all broadcast, unknown,
and multicast packets are spread across all VLANs on the device.
Figure 5: Switching Decisions without the Super VLAN Agent
With Super VLAN configuration, the Super VLAN agent overrides switching/routing decisions
and instead directs traffic to the Super VLAN uplink port.
Figure 6: Switching Decisions with the Super VLAN Agent
Super VLAN Types

There are two Super VLAN type:

Super VLAN layer 2: Suitable for a Layer-2 switching environment, where the sub-VLANs and
Super VLAN share the same IP subnet mask. The Super VLAN provides enhanced security
between customers by disallowing communication between sub-VLANs regardless of whether
the sub-VLANs are on the same LAN.
Super VLAN ring topology: Suitable for ring topology networks using the Multiple Spanning
Tree Protocol (MSTP). Traffic flows either clockwise or counterclockwise. Both ports
connected to the ring are uplink ports, while the rest of the ports are referred to as user ports.
The Super VLAN uplink must be one of the two ports connected to the rest of the ring.
Use this topology when the Super VLAN port has to be the root port of the bridge. The
Super VLAN uplink-port is selected dynamically by the bridge between the two, uplink
ports. If a topology change occurs, the Super VLAN uplink changes automatically and the
new Root port is selected as a Super VLAN uplink port.
In the figure below, one of the clients connected to device D sends broadcast traffic. The
traffic travels counterclockwise only since the Super VLAN active uplink-port is the root
port. If the link between device B and A is disconnected, a topology change occurs and
Device D selects a new Super VLAN uplink-port. As a result, traffic flows clockwise only.
Dynamic Super VLAN takes effect on all the bridges, except for the root bridge since it
does not have a root port (only designated ports).
Figure 7: Super VLAN Ring Mode Configuration Example

Super-VLAN Commands
This section describes the Super Virtual Local Area Network (VLAN) and provides both command
descriptions and a configuration example.
Command Hierarchy
device-name#
+ config terminal
+ [no] super-vlan {UU/SS/PP | agN}
+ [no] ring-ports {UU1/SS1/PP1 | agN1} {UU2/SS2/PP2 | agN2}
- [no] preferred-port {UU/SS/PP | agN}
- [no] vlan <vlan-id>
- [no] target-port {UU/SS/PP | agN}
- show super-vlan [ring-ports {UU1/SS1/PP1 | agN1} {UU2/SS2/PP2 | agN2}
active-port]
- show super-vlan
Table 2: Super-VLAN Commands
Command Description
super-vlan {UU/SS/PP | agN}
Specifies a user port for the Super-VLAN

mechanism and enters the Super-VLAN
Configuration mode:
UU/SS/PP: 1/1/1-1/1/4 and 1/2/1-
1/2/8
<1-14>
Disabled
no super-vlan Restores to default

Command Description
ring-ports {UU1/SS1/PP1 | agN1}

{UU2/SS2/PP2 | agN2}
Specifies uplink ports used by the Super-VLAN
mechanism for networks with a ring topology:
UU1/SS1/PP1: first uplink ring
port
UU2/SS2/PP2: second uplink ring
port
agN1: first LAG ID. N is in the
range of <1-14>
agN2: second LAG ID. N is in the
range of <1-14>
The correct range is:
UU/SS/PP: 1/1/1-1/1/4 and 1/2/1-
1/2/8
no ring-ports Removes the selected uplink ports
preferred-port {UU/SS/PP | agN} Selects a preferred uplink port for the Super-
VLAN ring-topology mechanism:
UU/SS/PP: 1/1/1-1/1/4 and 1/2/1-
1/2/8
<1-14>
no preferred-port Removes the selected uplink port
vlan <vlan-id> Specifies a VLAN which has as its members the

uplink ring ports:
vlan-id: the valid range is <1-
4094>
The Super-VLAN mechanism is applied
on the uplink ring ports for all VLANs of
which these ports are members
no vlan Restores the default
target-port {UU/SS/PP | agN} Specifies an uplink port used by the Super-

VLAN mechanism for networks:
UU/SS/PP: 1/1/1-1/1/4 and 1/2/1-
1/2/8
<1-14>
no target-port Removes the selected uplink port

Command Description
show super-vlan ring-ports [{UU1/SS1/PP1 Displays the Super-VLAN ring-topology

| agN1} {UU2/SS2/PP2 | agN2} active- configuration:
port]
UU1/SS1/PP1: first uplink ring
port
UU2/SS2/PP2: second uplink ring
port
agN1: first LAG ID. N is in the
range of <1-14>
agN2: second LAG ID. N is in the
range of <1-14>
active-port]: the active uplink
port
The correct range is:
UU/SS/PP: 1/1/1-1/1/4 and 1/2/1-
1/2/8
show super-vlan Displays the Super-VLAN configuration
Example
The below example demonstrates how to configure Super-VLAN mechanism for a network with a
ring topology:
1. Define an user port used by the Super-VLAN mechanism:
device-name(config)#super-vlan 1/1/1
device-name(config-super-vlan-1/1/1)#
2. Define uplink ports used by the Super-VLAN in ring mode:

device-name(config-super-vlan-1/1/1)#ring-ports 1/1/2 1/1/3
3. Select a preferred uplink port for the Super-VLAN ring-topology:

device-name(config-ring-ports-1/1/2/1/1/3)#preferred-interface 1/1/2
device-name(config-ring-ports-1/1/2/1/1/3)#exit
4. Display the Super-VLAN ring-topology configuration:

device-name#show super-vlan
================================================================================================
===========
Super-vlan Information
================================================================================================
===========
User port Target port Ring ports Preferred port Active port C-Vlan Vlan-
Mask
------------------------------------------------------------------------------------------------
-----------
1/1/1 - 1/1/2 1/1/3 1/1/2 1/1/2 - -
------------------------------------------------------------------------------------------------
-----------
================================================================================================
===========
device-name#show super-vlan ring-ports
FIRST SECOND
RING RING ACTIVE
PORT PORT PORT

-----------------------
1/1/2 1/1/3 1/1/2


Virtual LANs IEEE 802.1Q-1998 Public MIBs: No RFCs are supported by this
IEEE 802.1Q-2003 IEEE 802.1Q feature.
IEEE 802.1P Q-BRIDGE-
IEEE 802.1u-2001 MIB.mib
Super VLANs No standards are Private MIB, RFC 3069, VLAN Aggregation
supported by this PRVT-SUPER- for Efficient IP Address
feature. VLAN-MIB.mib Allocation

Configuring Layer 2 Services
Table of Contents
Table of Figures 1
List of Tables 1
Configuring Layer 2 Services 2

Transparent LAN (TLS) Services2
Dot1q Services3
VLAN Manipulation of Dot1q Services 3
Layer 2 Services Commands 4

Layer 2 Services Commands Hierarchy 4
Layer 2 Services Commands Descriptions 5
Example 1 14
Example 2 16
Example 3 16
Example 4 17
Example 5 17
Table of Figures
Figure 1: TLS Service Configuration ....................................................................................................2
List of Tables
Table 1: Layer 2 Services Commands...................................................................................................5
Table 2: Mapping table between Dot1q working mode and possible C-VLAN (inner)
manipulations ........................................................................................................................................ 12
Table 3: Mapping table between Dot1q working mode, the management/management
c-vlan command, and ping packet tagging. ................................................................................. 13
Configuring Layer 2 Services (Rev. 01) Page 1

Configuring Layer 2 Services

Transparent LAN (TLS) Services
TLS deployment gives network operators the capability of transporting a large number of virtual
LANs (VLANs) for their customers while keeping traffic secured within individual VLANs. The
TLS mechanism establishes Layer 2 tunnels inside the service provider network where traffic from
different customers is segregated and where it is marked with an appropriate tunnel name.
Use TLS tunneling to deploy secure TLS through IEEE 802.1Q standard tags. Service providers
can use a separate service VLAN (S-VLAN) to support customers who have multiple VLANs,
while preserving the customer VLAN IDs and maintaining traffic segregation in VLANs (C-
VLANs) for individual customers.
TLS tunneling expands the VLAN space by adding an additional 802.1Q tag (the tunnel ID, S-
VLAN tag) to all previously tagged packets when they enter the service provider infrastructure, as
illustrated in the following figure.
Figure 1: TLS Service Configuration
The new frame contains the original C-VLAN tag and the new S-VLAN tag.
A port configured to support TLS tunneling is known as a tunnel port. When you configure
tunneling, you assign a tunnel port to a VLAN that you dedicate to tunneling.
Three types of ports are defined on the network devices that are deployed by the service provider:
Residential port: a port that is connected to a user and does not participate in TLS. Packets that
are transmitted through this port have no tag added.

Access (SAP) port: a port that is connected to a user and participates in TLS. Packets that are
transmitted through this port have no tag added.
Core (SDP) port: a port that is connected to the service providers network. All packets that are
transmitted through this port are either control packets or packets with an additional tag. If the
packets arrive from an access (user) port the additional tag header will be added. If the packets
arrive from a residential port the additional tag header is not added.
An access port (SAP) receives tagged customer traffic from a port on the customer device. The
access port (SAP) leaves the C-VLAN tag intact and forwards the traffic to a SDP port. The SDP
port adds a second 2-byte EtherType field (0x8100) followed by a 2-byte field containing the
priority (CoS) and the VLAN.
After the traffic exits the provider network, the core port (SDP) now strips the 2-byte EtherType
field (0x8100) and the 2-byte length field and transmits the traffic with the C-VLAN tag still intact
to the customer device. The port on the customer device strips the S-VLAN tag and puts the traffic
into the appropriate customer VLAN.
Dot1q Services
Using the Dot1q Services, providers can tag two or more customers data streams with different S-
VLAN tags, when all the customer traffic is received on a single uplink port.
VLAN Manipulation of Dot1q Services

Dot1q Services can operates in replace working mode where in upstream direction, the original
customer C-VLAN tag of the packet is replaced by the S-VLAN tag. As the packet leaves the S-
VLAN in the downstream direction, the provider S-VLAN tag is replaced with the configured C-
VLAN tag on the packet.
The other working mode of Dot1q Services, is add working mode. In the add working mode, as a
packet travels from a customer VLAN (C-VLAN) into a service provider's VLAN (S-VLAN), a
specific outer S-VLAN tag is added to packets. This additional tag is used to segregate traffic into
providerdefined service VLANs. The S-VLAN tag is added on egress for incoming packets. As
the packet leaves the S-VLAN in the downstream direction, the provider S-VLAN tag is removed.
NOTE
The VPT value of the C-VLAN tag will not be copied into the S-VLAN tag. The
VTP value of S-VLAN tag will be 0.
When our customers send traffic with different tag heights (untagged, single tagged, or dual tagged
packets) across Dot1q services, they expect Ethernet packets to be processed and translated to
provide the required VLAN tags. VLAN manipulation allows exactly transport of traffic with
different tag heights between different customer access sites. This flexibility permits service
providers to manipulate flows independent of customer VLANs.
The following rewrite operations are performed on C-VLAN tags:
VLAN adding: Adding VLAN tag
VLAN translation: Changing the value of a C-VLAN
VLAN stripping: Removing an C-VLAN tag

Any combinations of the above. The resulting VLAN scheme must allow the network to
distinguish between the various services and to perform the forwarding task correctly.
Refer to Mapping table between Dot1q working mode and possible C-VLAN (inner)
manipulations
Layer 2 Services Commands

Layer 2 Services Commands Hierarchy
device-name#
+ config terminal
+ [no] service
- c-vlan {<cvlan-id> | all | untagged}
- [no] description <value>
- [no] cpu
+ sdp s-vlan <svlan-id>
- [no] shutdown
- [no] description <value>
- [no] cpu
+ c-vlan {<cvlan-id> | all | untagged}
- [no] dei <value>
- [no] priority <value>
- [no] shutdown
+ sdp vlan <vlan-id>
- [no] untagged
- [no] shutdown
- [no] dei <value>
+ [no] inner-vlan-action add
- [no] dei <value>
- [no] vlan-id <value>
- [no] vpt <value>

+ [no] inner-vlan-action replace

- [no] dei <value>
- [no] vlan-id <value>
- [no] vpt <value>
- [no] inner-vlan-action delete
- [no] management [c-vlan <cvlan-id>]
- [no] routing-interface swN
- [no] vlan-action {add | replace}
- [no] shutdown
- show service dot1q
- show service tls [details [services <service-id>]]
Layer 2 Services Commands Descriptions

Table 1: Layer 2 Services Commands
Command Description

service Enters Service mode
tls <service-id>

Configuration mode:
4294967295>
NOTE

Command Description
Creates a service access point (SAP) and enters

SAP Configuration mode:
1/1/1-1/1/4 and 1/2/1-1/2/8.
agN1: first SAP LAG ID. N is in the
range of <1-14>
agN2: second SAP LAG ID. N is in
the range of <1-14>
NOTE
SAP.
versa.
When TLS service is used, the
default VLAN of the SAP port
must not be changed otherwise
the customer traffic will be
dropped.
If a port is used as SAP, it
cannot be used for switching.
the range of 1/1/1-1/1/4 and 1/2/1-
1/2/8
range of <1-14>
the range of <1-14>

untagged}
Specifies the type of the customer VLAN (C-
VLAN) to be tunneled and enters C-VLAN
Configuration mode:
traffic only
NOTE
Once you specify the C-VLAN, the C-
VLAN will be automatically created.
description <value> Specifies the TLS service description:
characters
no description Removes the TLS service description

Command Description
cpu Adds the CPU port to the specified TLS service

instance
no cpu Removes the CPU port from the TLS service
instance
sdp s-vlan <svlan-id>
Creates a service distribution point (SDP) and

enters SDP Configuration mode:
svlan-id: specifies the service
VLAN tag, the customer traffic will
be tagged with, in the range of <1-
4094>
NOTE
Once you specify the S-VLAN, the S-
ethertype <value> Specifies the packet ethertype value of forwarded
packets:
0x9100 - Q-in-Q
0x8100
port {UU/SS/PP | agN}
Adds port/s to the specified S-VLAN

UU/SS/PP: SDP port in the range of
1/1/1-1/1/4 and 1/2/1-1/2/8
of <1-14>
no port [UU/SS/PP | agN] Removes port/s from the specified S-VLAN:
UU/SS/PP: (optional) SDP port, in
the range of 1/1/1-1/1/4 and 1/2/1-
1/2/8
the range of <1-14>
shutdown Disables the defined TLS service

TLS is disabled
no shutdown Enables the defined TLS service

specified Dot1q service:
4294967294>
no dot1q [<service-id>] Removes the specified Dot1q service or, when
Dot1q services:

Command Description
of <1-4294967294>
description <value> Specifies the Dot1q service description:
characters
no description Removes the Dot1q service description
cpu Adds the CPU port to the specified Dot1q service
instance
no cpu Removes the CPU port from the Dot1q service
instance

1/1/1-1/1/4 and 1/2/1-1/2/8.
of <1-14>
NOTE
SAP.
versa.
When TLS service is used, the
default VLAN of the SAP port
must not be changed otherwise
the customer traffic will be
dropped.
If a port is used as SAP, it
cannot be used for switching.
the range of 1/1/1-1/1/4 and 1/2/1-
1/2/8
of <1-14>
untagged}
traffic only
dei <value> Only for Qualified SAP.
Indicates that outgoing frames from SAP are
eligible to be dropped in the presence of
congestion. The dei command affects the C-

Command Description
VLAN tag of the mentioned packets.
value: the valid values are 0 and
1. Frames with the DEI set to 1 are
more likely to be dropped than
frames with a DEI of 0.
no dei Preserves the original DEI value of the incoming,
to SAP, packets
priority <value> Specifies the VLAN Priority Tag (VPT) for
forwarded packets:
The new priority value affects the whole traffic
going out of the SDP port.
no priority Removes the selected VPT
shutdown Disables the SAP port

Disabled
no shutdown Enables the SAP port
sdp vlan <vlan-id> Specify the S-VLAN ID and enters the S-VLAN
Configuration mode:
port {UU/SS/PP | agN}
Adds port/s as tagged to the specified S-VLAN:

UU/SS/PP: 1/1/1-1/1/4 and 1/2/1-
1/2/8
of <1-14>

The port is tagged
no port [UU/SS/PP | agN] Removes tagged port/s from the specified S-
VLAN:
and 1/2/1-1/2/8
the range of <1-14>
untagged Adds ports as untagged to the specified S-VLAN
no untagged Removes untagged port/s from the specified S-
VLAN
shutdown Disables the SDP port
Disabled
no shutdown Enables the SDP port
ethertype <value> Specify the ethertype value for forwarded packets:


Command Description
0x9100 - Q-in-Q
0x8100
priority <value> Specifies the VLAN Priority Tag (VPT) for

forwarded packets:
When this command is used with combination
with the ccm-priority command (refer to OAM
chapter of this User Guide), the priority
command takes precedence over the ccm-
priority command.
no priority Removes the configured VPT
dei <value> Indicates that outgoing packets from SDP are

congestion. The dei command affects the S-
no dei Preserves the original DEI value of incoming, to
SDP, packets
inner-vlan-action {add | Performs one of the possible VLAN manipulation
replace | delete} actions and enters the Inner-VLAN Configuration
mode:
add: adds a VLAN tag to outgoing,
from SDP, single-tagged packets
replace: replaces the C-VLAN tag of
the outgoing, from SDP, double-
tagged packets
delete: removes the C-VLAN tag of
outgoing, from SDP, tagged packets
no inner-vlan-action [add | Preserves the original format of the incoming, to
replace | delete] SDP, packets
dei <value> Indicates that outgoing packets from SDP are
congestion. The dei command affects the C-
no dei Preserves the original DEI value of incoming, to
SDP, packets
vlan-id <value> Specifies the VLAN ID of the outgoing, from SDP,
packets:
no vlan-id Preserves the original VLAN ID of incoming, to

Command Description
SDP, packets
vpt <value> Specifies the VPT value of the outgoing, from
SDP, packets:
no vpt Preserves the original VPT value of incoming, to
SDP, packets
vlan-action {add | replace} Specifies the Do1q Tunneling working mode:
add: enters in add working mode
replace: enters in replace working
mode
NOTE
The vlan-action add command is
not applicable in case of untagged
SDP.
Replace
no vlan-action Restores to default
management [c-vlan <cvlan- Enables management access (SNMP, Telnet,

id>] SSH, and ping) to the device from the current
service (from SAP/SDP port). :
c-vlan <cvlan-id>: (optional)
limits the management access to the
device from specified SAP, only
when the c-vlan option matches the
C-VLAN of the SAP port. Management
traffic is tagged with S-VLAN and
configured Management C-VLAN.
Only for dot1q add working mode.
Disabled
no management [c-vlan] Disables management access to the device from
the current service:
c-vlan: disables management access
to the device from the current C-
VLAN
routing-interface swN Attaches an IP interface to the specified S-VLAN.
The sw0 IP interface is attached only to the
default VLAN (VLAN ID 1).
swN: an IP interface number the
valid range is <19999>
no routing-interface Detaches the IP interface from the specified S-
VLAN
shutdown Deactivates the Do1q encapsulation on the
service
Disabled
no shutdown Activates the Dot1q encapsulation on the service
show service dot1q Displays the currently configured Dot1q services

Command Description
show service tls [details [services Displays information about all currently configured
<service-id>]] TLS services:
details: (optional) displays
detailed information
services <service-id>: (optional)
displays detailed information about
specific services
Table 2: Mapping table between Dot1q working mode and possible C-VLAN (inner)
manipulations
Dot1q service works in Add working mode:
Format of packets, going out of SDP port with:
SAP type
inner-vlan-action add inner-vlan-action inner-vlan-action
replace delete
Qualified (tagged packets remain packets are tagged with packets are tagged
packets expected) unchanged S-VLAN and Inner- with S-VLAN tag only
VLAN tags
Unqualified
(tagged packets remain packets are tagged with packets are tagged
packets unchanged S-VLAN and Inner- with S-VLAN tag only
expected) VLAN tags
(untagged packets are tagged packets are tagged with packets are tagged
packets with S-VLAN and S-VLAN tag only with S-VLAN tag only
expected) Inner-VLAN tags
Untagged (untagged packets are tagged packets are tagged with packets are tagged
packets expected) with S-VLAN and S-VLAN tag only with S-VLAN tag only
Inner-VLAN tags
Dot1q service works in Replace working mode:

Format of packets, going out of SDP port with:
SAP type
inner-vlan-action add inner-vlan-action inner-vlan-action
replace delete
Qualified (tagged packets are tagged packets are tagged with packets are tagged
Inner-VLAN tags
Unqualified
(tagged packets remain packets are tagged with packets are tagged
packets unchanged S-VLAN and Inner- with S-VLAN tag only
expected) VLAN tags
(untagged packets are tagged packets are tagged with packets are tagged
packets with S-VLAN and S-VLAN tag only with S-VLAN tag only
expected) Inner-VLAN tags
Untagged (untagged packets are tagged packets are tagged with packets are tagged
Inner-VLAN tags

Table 3: Mapping table between Dot1q working mode, the management/management c-

vlancommand, and ping packet tagging.
Dot1q service works in Add working mode:
In Add working mode, the ping process cannot be performed on untagged SAP when
the management c-vlan command is specified. Ping packets are dropped because
management c-vlan requires C-VLAN tagged ping packets to receive.
Ping packets tagging when below command is used:
Ping Packets are sent to SAP
management management c-vlan
Qualified (tagged packets Ping packets are tagged Ping packets are tagged
expected) with C-VLAN tag with C-VLAN tag
Unqualified
(tagged packets Ping packets are untagged Ping packets are tagged
expected) with C-VLAN tag
(untagged packets Ping packets are untagged Ping packets are tagged
expected) with C-VLAN tag
Untagged (untagged packets Ping packets are untagged -

expected)
management management c-vlan

Ping Packets are sent to SDP
Ping packets are tagged Ping packets are tagged
with S-VLAN tag only with S-VLAN tag and C-
VLAN tags
Dot1q service works in Replace working mode:

In Replace working mode, the ping process cannot be performed on SAP when the
management c-vlan command is specified.

Ping Packets are sent to SAP
management
Qualified (tagged packets Ping packets are tagged with C-VLAN tag
expected)
Unqualified
(tagged packets Ping packets are untagged

expected)
(untagged packets Ping packets are untagged
expected)
Untagged (untagged packets Ping packets are untagged

expected)
Ping Packets are sent to SDP management management c-vlan
Ping packets are tagged -

with S-VLAN tag only
Example 1
The following example demonstrates how to configure TLS service 1 on two devices.
1. Configure and display TLS service 1 on Device 1:

Device 1(config)#service
Device 1(config-service)#tls 1
Device 1(config-tls-1)#no shutdown
Device 1(config-tls-1)#sap 1/1/1
Device 1(config-sap-1/1/1)#c-vlan 2
Device 1(config-c-vlan-2)#c-vlan 3
Device 1(config-c-vlan-6)#sdp s-vlan 10
Device 1(config-s-vlan-10)#port 1/1/2
Device 1#show service tls details service 1

======================================================
TLS Service details
======================================================
Service Id : 1
State : Up
Description : N/A
S-VLAN : 10
S-VLAN ethertype : 0x8100
SAPs Count : 5
SDPs Count : 1
------------------------------------------------------
|Service Id|SAP |SDP |
------------------------------------------------------
|1 |1/1/1:2: Up |1/1/2:10 Up |
|1 |1/1/1:3: Up | |
|1 |1/1/1:4: Up | |
|1 |1/1/1:5: Up | |
|1 |1/1/1:6: Up | |
======================================================
2. Configure and display TLS service 1 on Device 2:

Device 2(config)#service
Device 2(config-service)#tls 1
Device 2(config-tls-1)#no shutdown
Device 2(config-tls-1)#sap 1/1/1
Device 2(config-sap-1/1/1)#c-vlan 2
Device 2(config-c-vlan-6)#sdp s-vlan 10
Device 2(config-s-vlan-10)#port 1/1/2
Device 1#show service tls details service 1

======================================================
TLS Service details
======================================================
Service Id : 1
State : Up
Description : N/A
S-VLAN : 10
S-VLAN ethertype : 0x8100
SAPs Count : 5
SDPs Count : 1
------------------------------------------------------
|Service Id|SAP |SDP |
------------------------------------------------------
|1 |1/1/1:2: Up |1/1/2:10 Up |
|1 |1/1/1:3: Up | |
|1 |1/1/1:4: Up | |
|1 |1/1/1:5: Up | |
|1 |1/1/1:6: Up | |

Example 2
The following example demonstrates how to configure dot1q service 1 on a device.
1. Configure Dot1q service 1:
Device-name(config)#service dot1q 1
Device-name(config-dot1q-1)#sap 1/1/1 c-vlan 6
Device-name(config-dot1q-1)#sdp vlan 60 port 1/1/2
Device-name(config-vlan-60)#exit
Device-name(config-dot1q-1)#no shutdown
Device-name(config-dot1q-1)#end
2. Display the configuration:

Device-name#show service dot1q
===========================================================================
|Id |SVlan |L3 |State|SAPs |SDPs
|
===========================================================================
|1 |60 Repl|None |UP |1/1/1:60:6: Up |1/1/2:60 Up
|
===========================================================================
Example 3
The following example demonstrates how to replace an outer tag (S-VLAN) of traffic encapsulated
in a dot1q service:
1. Configure Dot1q service with ID 1:
device-name(config-service)#dot1q 1
2. Specify SAP port and customer VLAN ID, expected on port 1/1/1:
device-name(config-dot1q-1)#sap 1/1/1 c-vlan 10
device-name(config-c-vlan-10)#exit
device-name(config-sap-1/1/1)#exit
3. Specify SDP port and Service VLAN ID, used to replace the most outer VLAN tag (in case of
double tagging traffic.) In case of single tagging-will replace the only available tag:
device-name(config-dot1q-1)#sdp vlan 20
device-name(config-vlan-20)#port 1/1/2
device-name(config-vlan-20)#vlan-action replace
device-name(config-vlan-20)#exit
4. Activate the Dot1q service:

device-name(config-dot1q-1)#no shutdown

Example 4
The following example demonstrates how packets C-VLAN tag behaves when the packets go out
through SDP port. The Dot1q service works in Replace mode. The SAP port is defined as
Qualified (the expected traffic must be tagged with C-VLAN tag). On the SDP port, the expected
traffic will be double tagged with outer tag=S-VLAN tag and inner tag=configured inner VLAN 4
with VPT 4 and CFI bit 1.
1. Configure Dot1q service with ID 1:
2. Configure S-VLAN and an action to be applied on the outgoing, from SDP, packets:
device-name(config-vlan-10)#inner-vlan-action add
device-name(config-inner-vlan-action-add)#vlan-id 4
device-name(config-inner-vlan-action-add)#vpt 4
device-name(config-inner-vlan-action-add)#dei 1
device-name(config-inner-vlan-action-add)#port 1/1/2
device-name(config-port-1/1/2)#no shutdown
3. Specify SAP port and customer VLAN ID, expected on port 1/1/1:
device-name(config-port-1/1/2)#sap 1/1/1
device-name(config-sap-1/1/1)#c-vlan 5
device-name(config-c-vlan-5)#no shutdown
device-name(config-c-vlan-5)#commit
4. Activate the Dot1q service:

5. Display configuration details:

device-name#show running-config service
service
dot1q 1
no shutdown
sdp vlan 10
inner-vlan-action add
vlan-id 4
vpt 4
dei 1
!
port 1/1/2
no shutdown
!
!
sap 1/1/1
c-vlan 5
no shutdown
!
!
Example 5
The following example demonstrates how to perform device management using SDP port of
Dot1q service, working in add working mode with different priority on SDP port:

1. Configure Dot1q service:

device-name(config-vlan-4)#vlan-action add
device-name(config-vlan-4)#management c-vlan 5
device-name(config-vlan-4)#port 1/1/2 priority 5
device-name(config-port-1/1/2)#no shutdown
device-name(config-port-1/1/2)#sap 1/1/1
device-name(config-c-vlan-5)#no shutdown
2. Configure Telnet server:

device-name(config-system)#telnet-server
device-name(config-telnet-server)#no shutdown
3. Enable Netconf server:

device-name(config-system)#netconf-server
device-name(config-netconf-server)#no shutdown
device-name(config-netconf-server)#commmit

Layer 2 Services No standards are Private MIBs: No RFCs are supported

supported by this PRVT-SERV- by this feature.
feature. MIB.mib

Layer 2 Protocol Tunneling (L2PT)
Table of Contents
Table of Figures 1
List of Tables 1
Layer 2 Protocol Tunneling (L2PT) 2

Layer 2 Protocol Tunneling Configuration Flow 3
L2PT Commands 3
L2PT Commands Hierarchy 3
L2PT Commands Descriptions 5
Table of Figures
Figure 1: Layer 2 Protocol Tunneling Configuration Flow .............................................................. 3
List of Tables
Table 1: L2PT Commands .................................................................................................................... 5
Table 2: Predefined Protocols ............................................................................................................ 11
Table 3: Default Multicast MAC Addresses (Tunnel MAC address)............................................ 12
Layer 2 Protocol Tunneling (L2PT) (Rev. 01) Page 1

Layer 2 Protocol Tunneling (L2PT)

Layer 2 protocol tunneling allows IEEE Layer 2 protocol data units (PDUs) to tunnel through a
network. L2PT is based on PDU software encapsulation in the ingress edge device. Encapsulation
involves rewriting the destination media access control (MAC) address in the PDU. The ingress
edge device rewrites the destination multicast MAC address for received PDUs and replaces that
address with a predefined multicast tunnel MAC addresses to ensure transparent L2CP traffic flow.
All devices inside the service provider network treat these encapsulated frames as regular data
packets and forward them appropriately. The egress edge device listens for these special
encapsulated frames and decapsulates them before forwarding them out of the tunnel.
Page 2 Layer 2 Protocol Tunneling (L2PT) (Rev. 01)

Layer 2 Protocol Tunneling Configuration Flow
Figure 1: Layer 2 Protocol Tunneling Configuration Flow
L2PT Commands
L2PT Commands Hierarchy
device-name#
+ config terminal
+ l2-tunneling

- global-tunnel-mac HH:HH:HH:HH:HH:HH
+ [no] profile {PROFILE-NAME | discard-all | tunnel-all |
tunnel-bpdu}
- [no] protocol PROTOCOL-NAME action {discard | tunnel}
+ [no] protocol PROTOCOL-NAME
- standard-mac HH:HH:HH:HH:HH:HH
- tunnel-mac HH:HH:HH:HH:HH:HH
- [no] use-global-tunnel-mac
- [no] shutdown
+ [no] service
- [no] tunnel-profile {PROFILE-NAME | discard-all |
tunnel-all | tunnel-bpdu}
- [no] tunnel-profile {PROFILE-NAME | discard-
all | tunnel-all | tunnel-bpdu}
+ [no] sdp s-vlan <svlan-id>
+ [no] sdp s-vlan <svlan-id>
- show l2-tunneling profiles
- show l2-tunneling protocols
- show l2-tunneling statistics
- clear l2-tunneling statistics

L2PT Commands Descriptions

Table 1: L2PT Commands
Command Description

l2-tunneling Enters Layer 2 Configuration mode
global-tunnel-mac Specifies a single multicast tunnel MAC address
HH:HH:HH:HH:HH:HH used for global rewriting the original multicast
destination MAC addresses for user-defined and
predefined Layer-2 protocols:
HH:HH:HH:HH:HH:HH: in hexadecimal
format
Global MAC address is 01:00:0c:cd:cd:d0
profile {PROFILE-NAME | discard- Configures a specific tunnel profile:
PROFILE-NAME: a custom profile name
of <1-32> characters
discard-all: discards only Layer 2
protocol PDUs
tunnel-all: tunnels only Layer 2
protocol PDUs
tunnel-bpdu: tunnels only xSTP
packets
no profile [PROFILE-NAME] Removes the defined tunnel profile:
PROFILE-NAME: (optional) a custom
profile name of <1-32> characters
protocol PROTOCOL-NAME action Specifies the protocol action:
{discard | tunnel}
PROTOCOL-NAME: a string of <1-16>
characters or see Table 2 for
predefined protocols names
discard: discards PDUs of the
specified protocol
tunnel: tunnels PDUs of the
specified protocol
no protocol [PROTOCOL-NAME] Removes the defined protocol name:
predefined protocol names
Predefined protocols names cannot be removed.
protocol PROTOCOL-NAME Specifies the Layer 2 protocol name, PDUs of
which are tunneled/discarded and enters Layer 2
Protocol Configuration mode:

Command Description
no protocol [PROTOCOL-NAME] Removes the defined protocol name:

Predefined protocols names cannot be removed.
When you add new protocol, its name is listed in
the below command arguments.
ethertype <value> Indicates which protocol is encapsulated in the
payload of the Ethernet frame:
value: in hexadecimal format (for
example 0x9000)
0x8100
standard-mac Specifies the original multicast destination MAC
HH:HH:HH:HH:HH:HH address of the specified protocol:
format (see Table 3)
tunnel-mac HH:HH:HH:HH:HH:HH Specifies a multicast tunnel MAC address that
rewrites the original multicast destination MAC
address in the encapsulated Layer 2 PDUs:
format
use-global-tunnel-mac Applies the already defined global tunnel MAC
address on selected protocols
no use-global-tunnel-mac Restores the default tunnel MAC address, listed in
Table 3, for the selected protocol
shutdown Disables the L2-tunneling
Disabled
no shutdown Enables the L2-tunneling

<14294967294>
NOTE
On VPLS service, SAP port must
not be removed from its default
VLAN in order L2 protocol
tunneling to be functional.

<14294967294>

Command Description
sap {{UU/SS/PP | agN}[:[igmp] Adds a client port to a specific VPLS instance and
| :[<vlan-id>]:[igmp] | specifies the SAP attributes:
UU1/SS1/PP1:<ces-
physical port (unit, slot and port)
defined as SAP.(can be obtained
from the show port command)
UU/SS/PP: 1/1/1-1/1/4, 1/2/1-1/2/8
NOTE
CLI accepts multiple
definitions of unqualified
SAP, i.e: UU/SS/PP, UU/SS/PP:
or UU/SS/PP::. All definitions
result in UU/SS/PP::.
definitions of qualified SAP,
i.e: UU/SS/PP:vlan-id or
UU/SS/PP:vlan-id:. All
definitions result in
UU/SS/PP:vlan-id:.
<1-14>
<1-4094>
values are: 1/3/9.
range of <1-64>
packets
control packets

Command Description

id>]:[igmp] | UU/SS/PP: (optional) the
UU1/SS1/PP1:<ces- corresponding physical port (unit,
circuit>:{ces | ces-oos}}] slot and port) defined as SAP.(can
be obtained from the show port
command)
UU/SS/PP: 1/1/1-1/1/4, 1/2/1-1/2/8
<1-14>
of <1-4094>
values are: 1/3/9.
range of <1-64>
packets
control packets
tls <service-id>

Configuration mode:
4294967295>
NOTE

4294967294>
802.1Q services:
of <1-4294967294>

Command Description

1/1/1-1/1/4 and 1/2/1-1/2/8.
range of <1-14>
the range of <1-14>
NOTE
SAP.
versa.
the range of 1/1/1-1/1/4 and 1/2/1-
1/2/8
range of <1-14>
the range of <1-14>

untagged}
Specifies the type of the customer VLAN (C-
VLAN) to be tunneled and enters C-VLAN
Configuration mode:
traffic only
NOTE
Once you specify the C-VLAN, the C-
no c-vlan {<cvlan-id> | all Removes the defined C-VLAN:
| untagged}
traffic only

Command Description
sdp s-vlan <svlan-id>
Creates a service distribution point (SDP) and

enters SDP Configuration mode:
svlan-id: specifies the service
VLAN tag, the customer traffic will
be tagged with, in the range of <1-
4094>
NOTE
Once you specify the S-VLAN, the S-
no sdp s-vlan <svlan-id> Removes the defined SDP
port {UU/SS/PP | agN} Adds port/s to the specified S-VLAN

UU/SS/PP: SDP port in the range of
1/1/1-1/1/4 and 1/2/1-1/2/8
of <1-14>
no port [UU/SS/PP | agN] Removes port/s from the specified S-VLAN:
UU/SS/PP: (optional) SDP port, in
the range of 1/1/1-1/1/4 and 1/2/1-
1/2/8
the range of <1-14>
tunnel-profile {PROFILE- Applies the user-defined or predefined tunnel
NAME | discard-all | profile on a specified SAP/SDP:
tunnel-all | tunnel-
bpdu} PROFILE-NAME: a string of <1-32>
characters
discard-all: discards all Layer 2
protocol PDUs
tunnel-all: tunnels all Layer 2
protocol PDUs
tunnel-bpdu: tunnels only xSTP
packets
no tunnel-profile Removes the defined tunnel profile
show l2-tunneling profiles Displays TLS profile names used to define the
tunneling policy
show l2-tunneling protocols Displays L2PT encapsulation information
show l2-tunneling statistics Displays L2PT statistics
clear l2-tunneling statistics Clear Layer 2 protocol tunneling (L2PT) statistics

Table 2: Predefined Protocols

Protocol Description
all-brs Specifies that PDUs intended for the reserved MAC address
used exclusively by All Bridges are tunneled/discarded
NOTE
The global-tunnel-mac command is not
applicable for All-brs protocols.
other Specifies that PDUs intended for MAC addresses from the
bridge block that are not related to specific protocols are
tunneled/discarded.
NOTE
applicable for other protocols.
dot1x IEEE 802.1x standard
efm-oam Ethernet in the First Mile-Operations, Administration and
Maintenance standard
e-lmi Enhanced Local Management Interface
garp Generic Attribute Registration Protocol
NOTE
applicable for GARP protocol.
lacp Link Aggregation Protocol
lldp Link Layer Discovery Protocol
pvst Per-VLAN Spanning Tree (PVST) maintains a spanning tree
instance for each VLAN configured in the network. Since
PVST treats each VLAN as a separate network, it has the
ability to load balance traffic (at Layer 2) by forwarding some
VLANs on one link and other VLANs on another link without
causing a spanning tree loop.
pb-stp Provider Bridge Spanning Tree Protocol.
NOTE
applicable for PB-STP protocol.
stp Spanning Tree Protocol
cdp The Cisco Discovery Protocol (CDP) is a proprietary Data
Link Layer protocol developed by Cisco Systems. It is used to
share information about other directly connected Cisco
equipment.
dtp The Dynamic Trunking Protocol (DTP) is a proprietary
networking protocol developed by Cisco Systems for the
purpose of negotiating trunking on a link between two VLAN-
aware switches, and for negotiating the type of trunking
encapsulation to be used.

Protocol Description
pagp Port Aggregation Protocol (PAgP) is a Cisco Systems

proprietary networking protocol, which is used for the
automated, logical aggregation of Ethernet switch ports,
known as an etherchannel.
udld Unidirectional Link Detection (UDLD) is a data link layer
protocol from Cisco Systems to monitor the physical
configuration of the cables and detect unidirectional links.
UDLD complements the Spanning Tree Protocol which is
used to eliminate switching loops.
vtp VLAN Trunking Protocol (VTP) is a Cisco proprietary protocol
that propagates the definition of Virtual Local Area Networks
(VLAN) on the whole local area network.
Table 3: Default Multicast MAC Addresses (Tunnel MAC address)

Protocol MAC Address
xSTP 01-A0-12-FF-FF-00
LACP/LAMP 01-A0-12-FF-FF-02
Link OAM (802.3ah) 01-A0-12-FF-FF-02
Port Authentication (802.1x) 01-A0-12-FF-FF-03
E-LMI 01-A0-12-FF-FF-07
LLDP (802.1AB) 01-A0-12-FF-FF-0E
Bridge block of protocols 01-A0-12-FF-FF-0X
NOTE
X denotes a random digit from 0 to F. If found
in the original MAC, the digit is preserved in
the replacement MAC.
All Bridges 01-A0-12-FF-FF-10
GARP Block of protocols 01-A0-12-FF-FF-2X
NOTE
X denotes a random digit from 0 to F. If found
in the original MAC, the digit preserved in the
replacement MAC.
Provider bridge STP 01-A0-12-FF-FF-08
PVST 01-A0-12-CC-CC-CD
CDP 01:A0:12:CC:CC:CC
DTP 01:A0:12:CC:CC:CC
PAGP 01:A0:12:CC:CC:CC
UDLD 01:A0:12:CC:CC:CC
VTP 01:A0:12:CC:CC:CC

When you configure the destination MAC address for encapsulated PDUs, you must leave the last
byte of the MAC address for protocols Bridge block of protocols and GARP Block of protocols as default
values:
00for Bridge block of protocols
20for GARP Block of protocols
Example:
device-name#show running-config l2-tunneling
l2-tunneling
shutdown
global-tunnel-mac 01:00:0c:cd:cd:d0
protocol cdp
standard-mac 01:00:0c:cc:cc:cc
tunnel-mac 01:a0:12:cc:cc:cc
!
protocol dtp
!
protocol stp
standard-mac 01:80:c2:00:00:00
tunnel-mac 01:a0:12:ff:ff:00
!
protocol vtp
!
protocol garp
!
protocol lacp
ethertype 0x8809
!
!
protocol lldp
standard-mac 01:80:c2:00:00:0e
tunnel-mac 01:a0:12:ff:ff:0e
ethertype 0x88cc
!
protocol pagp
!
protocol pvst
standard-mac 01:00:0c:cc:cc:cd
tunnel-mac 01:a0:12:cc:cc:cd

!
protocol udld
!
protocol dot1x
ethertype 0x888e
!
protocol e-lmi
ethertype 0x88ee
!
protocol other
!
protocol pb-stp
!
protocol all-brs
!
protocol efm-oam
ethertype 0x8809
!
1. Enable Layer 2 protocol tunneling (L2PT):
device-name(config)#l2-tunneling
device-name(config-l2-tunneling)#no shutdown
device-name(config-l2-tunneling)#commit
2. Configure a specific tunnel profile to permit STP BPDUs only:

device-name(config-l2-tunneling)#profile stp
device-name(config-profile-stp)#protocol stp action tunnel
device-name(config-profile-stp)#commit
3. Create a TLS service instance and enable it:

device-name(config-service)#tls 5
device-name(config-tls-5)#no shutdown
4. Define SAP on ports 1/1/1. Apply tunnel profile tunnel-all on the SAP:

device-name(config-tls-5)#sap 1/1/1
device-name(config-sap-1/1/1)#c-vlan all
device-name(config-c-vlan-all)#tunnel-profile tunnel-all
5. Define SDP on a port 1/1/2. Apply tunnel profile STP on the SDP:
device-name(config-c-vlan-all)#sdp s-vlan 10
device-name(config-s-vlan-10)#port 1/1/2
device-name(config-interface-1/1/2)#tunnel-profile stp
device-name(config-interface-1/1/2)#commit
Commit complete.


Layer 2 Protocol Not supported Private MIBs: Not supported

Tunneling (L2PT) PRVT-L2TUNNELING-
MIB.mib

Spanning Tree Protocols
Table of Contents
Table of Figures 2
List of Tables 2
Overview 3
Spanning Tree Protocol 4

Computing the Spanning Tree 4
Exchanging Information with BPDUs 4
Controlling BPDU Traffic 5
Detecting Changes in Topology 6
Broadcasting an Event to the Network 7
Timer Effect on Performance 8
Timer Settings and the STP Diameter 9
Calculating the STP Timers 9
STP Address Management 10
Rapid Spanning Tree Protocol 11

Rapid Recovery and Convergence 12
Determining the Port Link-Type 13
Synchronization of Port Roles13
RSTP BPDU Format and Processing 14
Multiple Spanning Tree Protocol 15

MST Instance Parameters 16
Interoperability with 802.1D STP 18
Fast Ring Modes 18
Interoperability Fast Ring 19
Cisco Compliance 21
IEEE 802.1s-Compliant vs. Cisco-Compliant BPDUs 21
xSTP Commands 26
Spanning Tree Protocols (Rev. 01) Page 1

Commands Hierarchy26
Configuration Examples 35
Example 1 35
Example 2 43
Fast Ring Configuration Example 46
Fast Ring with Border Bridge Configuration Example 50
Table of Figures
Figure 1: The Spanning Tree Port States ............................................................................................ 6
Figure 2: Topology Change ................................................................................................................... 7
Figure 3: Topology Change with TC Message ................................................................................... 8
Figure 4: BPDU Message Age Parameter ........................................................................................... 8
Figure 5: Calculating the Diameter ...................................................................................................... 9
Figure 1: Proposal and Agreement Handshaking for Rapid Convergence .................................. 13
Figure 2: Sequence of Events during Rapid Convergence ............................................................. 14
Figure 3: RSTP BPDU Flags .............................................................................................................. 15
Figure 6: MSTP within a Region ........................................................................................................ 16
Figure 7: MSTP in Ring Topology in a Link-Down Event ............................................................ 19
Figure 8: MSTP in Ring Topology with a Device in Link-Down Event ..................................... 20
Figure 9: Schematic MSTI Configuration ......................................................................................... 35
Figure 10: Link Failure between Two Devices................................................................................. 43
Figure 11: Fast Ring Topology ........................................................................................................... 46
Figure 12: Fast Ring Topology ........................................................................................................... 50
List of Tables
Table 1: STP States ................................................................................................................................. 5
Table 2: STP Timers............................................................................................................................... 8
Table 3: MSTI Parameters................................................................................................................... 16
Table 4: BiNOX BPDU Parsed According to IEEE 802.1s ......................................................... 22
Table 5: Cisco BPDU Parsed by a Telco Systems Device.............................................................. 23
Table 6: Configuration Commands.................................................................................................... 27
Table 7: MSTP Link-types................................................................................................................... 34
Table 8: Default Path Cost Configuration (IEEE802.1s)............................................................... 34
Page 2 Spanning Tree Protocols (Rev. 01)


Spanning Tree Protocol, and its improved versionsRSTP and MSTPare required to prevent
network loops, resulting from multiple paths to the same destination, and to introduce redundancy
to the link connections. Spanning Tree Protocols identify the best route to a destination and block
all other paths and by doing so, eliminate the possibility of loop formation and congestion in the
network.
Overview
The following standards are employed in Telco Systems ring topology management:
Spanning Tree Protocol Description
Spanning Tree Protocol (STP) Spanning Tree Protocol is a Layer 2 link

based on IEE 802.1d management protocol that provides path
redundancy while preventing undesirable loops in
the network.
Rapid Spanning Tree Protocol (RSTP) Rapid Spanning Tree Protocol reduces the time
based on IEE Std. 802.1w needed to update and reconfigure network
topology routes by proactive monitoring of port link
status. RSTP performs the roles assigned to the
STP protocol considerably faster by utilizing point
topoint wiring to provide rapid convergence of the
spanning tree.
The RSTP algorithm creates a dynamic tree that
efficiently directs packets to their destinations and
reduces a bridged network to a single, spanning
tree topology. With RSTP, the tree can be
reconfigured in less than one second. Redundant
connections can be reactivated in the event of link
or device failure.
Multiple Spanning Tree Protocol (MSTP) The Multiple Spanning Tree Protocol (MSTP)
based on IEE Std. 802.1s improves upon RSTP by giving users the ability to
group and associate VLANs to forwarding paths
known as Multiple Spanning Tree Instances
(MSTI). In a VLAN environment, MSTP ensures
load balancing as well as rapid convergence.
Each MSTI is an RSTP instance with its own,
independent topology that is applied on a
predefined set of VLANs.
MSTP includes all of its spanning tree information
in a single BPDU format to reduce the number of
BPDUs required on a LAN to communicate
spanning tree information for each instance.
In the following sections, specific information is provided on each of the spanning tree protocols.

Spanning Tree Protocol

Computing the Spanning Tree
Algorithm Selection Step Description
Select a Root Bridge In order to elect active paths within a network, STP first determines a
Root bridge. Each bridge within STP has a unique ID consisting of
the user-defined priority and MAC address for the bridge. The
protocol selects the bridge with the lowest ID as the Root.
The Root is the device used to calculate path cost by all other
devices. STP selects the path with the lowest cost between each
device to the Root as the active path and blocks all other redundant
paths.
Note: System administrators can alter the Bridge ID by configuring
the bridge priority and, as a result, control the probability of a bridge
becoming the Root.
Select a Designated After selecting the Root bridge, STP selects one Designated Bridge
Bridge per Network for each network segment. The Designated Bridge is closest to the
Segment Root and has a Designated port used to forward packets from the
segment to the Root Bridge.
Select the Root and As the final step, STP selects a Root Port (per bridge) that sends data
Alternate Ports towards the Root Bridge. In order to avoid loops, all other ports that
provide redundant paths to the Root Bridge are set as Alternate Ports.
These ports do not forward traffic unless the Root Port goes down.
Each bridge has only one Root Port, a single path toward the Root
bridge.
Exchanging Information with BPDUs

Bridges exchange information using Bridge Protocol Data Units (BPDUs). Each BPDU contains
the following information:
Root Bridge ID
Designated Bridge ID
Path Cost: Distance between the Root and the device
Designated port ID
Each bridge port has an assigned path cost, a user-definable parameter that determines the ports
preference to be included in the active spanning tree topology. During BPDU exchange, STP sums
up the path costs along all Designated ports (Designated path cost). This value then serves as the
bridges distance from the Root.
The lower the cost, the closer the device is to the Root. If two devices have identical path costs,
STP selects the path based on port priority and bridge IDs as a tiebreaker.
There are three BPDU types:
Configuration BPDU: Used for the election algorithm

Topology Change Notification (TCN) BPDU: Used to announce network topology

changes
Topology Change Notification Acknowledgment BPDU: Used to forward a TCN,
received by the device, to the Root Port.
Controlling BPDU Traffic

STP uses five port states to control BPDU traffic and ensure a loopfree network. During a
topology change involving inactive ports:
The port cannot start forwarding until the new topology information propagates throughout
the switched LAN
Frames, forwarded using the old topology, have to be allowed to expired
Table 1: STP States
STP State Description
Blocking The port does not forward frames. The port moves to this state after the
initialization phase when a different device/port was elected as Root.
If there is only one device in the network, no exchange occurs, the forward-
delay timer expires, and the ports move to Listening state.
A port in the Blocking state:
Discards frames
Discards frames switched from another port for forwarding
Does not learn MAC addresses
Receives BPDUs
A Blocking port can enter the Listening or Disabled states.
Listening This is the first state a Blocking port transitions to when STP determines that
the port should participate in frame forwarding. The device processes
BPDUs and waits for possible new information that might cause the port to
return to the Blocking state.
A port in Listening state performs the same steps as Blocking state:
Discards frames
Does not learn MAC addresses
Receives BPDUs
From this state the port can enter Learning or Disabled states.
Learning The second state the port enters when preparing to participate in frame-
forwarding. The port does not yet forward frames. However the port learns
source addresses from received frames and adds those addresses to the
filtering database.
A port in Learning the state:
Discards frames
Learns MAC addresses
Receives BPDUs
From this state the port can enter Forwarding or Disabled states.

STP State Description
Forwarding The port forwards frames. The device processes BPDUs and waits for
possible new information that might cause the port to return to the Blocking
state to prevent a loop. A port in Forwarding state:
Receives and forwards frames
Forwards frames switched from other ports
Receives BPDUs
From this state the port can enter Disabled state.
Disabled A port in this state does not participate in frame forwarding and spanning
tree. The port performs the same steps as Blocking state but does not
receive BPDUs.
The following figure illustrates how a port moves through the states described in the previous table.
Figure 1: The Spanning Tree Port States
Detecting Changes in Topology

Upon detection of a topology change in the network (such as a link failure or the link changing to
Forwarding state), the Bridge sends this event to the entire bridged network using a twostage
process. First, the Bridge notifies the STP Root and then, the Root broadcasts that information to
the whole network.
As a result of the topology change, the address tables of all devices are flushed and new paths are
learned. The following illustration depicts the reaction of the network to a topology change. Data
paths before and after the change were:

Initial Data Path Device ADevice BDevice C
After Topology Change Device ADevice DDevice C
Figure 2: Topology Change
Note that during the topology change, Devices C and D are not aware of the change. Frames sent
from Computer 1 are forwarded to Device B and there is no connection between Computers 1 and
2 until the address table ages out.
To avoid connection loss caused by a topology change, STP implements a mechanism called
Topology Change Notification (TCN) to flush out device MAC addresses.
Broadcasting an Event to the Network

When the Root is aware of a topology change, it sends out configuration BPDUs with the
Topology Change (TC) flag set. As a result, all bridges become aware of the topology change and
reduce the MaxAge timer to the forward-delay timer.
Bridges receive topology-change BPDUs on both forwarding and blocking ports.

Figure 3: Topology Change with TC Message
Timer Effect on Performance

The following timers affect STP performance.
Table 2: STP Timers
Hello timer The interval between two consecutive BPDUs a device sends to other
devices.
Forward-delay timer The time a port is in Listening and Learning states before the port begins
forwarding.
Maximum-age timer The time the device stores protocol information received on a port.
(MaxAge)
Message Age How far a device is from the Root when it receives a BPDU
The Message Age value of all BPDUs sent by the Root is zero. Each subsequent device increments
the Message Age value by one as illustrated in the following figure:
Figure 4: BPDU Message Age Parameter
After receiving a new BPDU equal to or greater than the recorded information on the port, all
BPDU information is stored, and the age timer begins to run, starting at the message age. If this age
timer reaches MaxAge before receiving another BPDU, the information ages out for that port.
For example, in the above figure:

Device B and C receive a BPDU from Device A with message age value zero. On the port
going to Device A, it takes MaxAge seconds before the information ages out.
Device D and E receive a BPDU from Device B with message age value one. On the port
going to Device A, it takes MaxAge-1 seconds before the information ages out.
Device F receives a BPDU from Device E with message age value two. On the port going to
Device E, it takes MaxAge-2 seconds before the information ages out.
Timer Settings and the STP Diameter

The STP timer settings are based on the STP diameter, defined as the maximum number of
bridges between any two end points on the network. IEEE 802.1D specification recommends a
maximum network diameter of 7 hops. (Therefore the maximum STP ring size is 14 devices: a
distance of seven hops from the root to the last bridge in the ring.)
The following figure illustrates a network built up of a diameter of five (path A-C-B-E-D). It
contains three access devices (C, D, and E) attached to two distribution devices (A and B) and a
Layer 3 boundary between the distribution devices and the core. The bridged domain stops at the
distribution devices.
The maximum STP diameter of five is between:
C-A-D-B-E
D-A-C-B-E
Figure 5: Calculating the Diameter
Calculating the STP Timers

To calculate the STP timers use the following formulas:
Max_age = 4 x hello +2 x dia - 2

Forward_delay = (4 x hello + 3 x dia) / 2
Based on these formulas, lowering the Hello timer value will decrease other STP parameter values.
However, the decrease will also double the number of BPDUs sent/received by each Brdige,
causing additional load on the CPU.
STP Address Management

IEEE 802.1D specifies 17 multicast MAC addresses, with a valid range from 0x0180C2000000 to
0x0180C2000010, to use by different bridge protocols. These addresses are static addresses that
cannot be removed.
Regardless of the STP state, the device receives but does not forward packets destined for addresses
between 0x0180c2000000 and 0x0180C200000F.
If STP is enabled, the CPU of the device receives packets destined for 0x0180C2000000 and
0x0180C2000010. If STP is disabled, the device forwards those packets as unknown multicast
addresses.

Rapid Spanning Tree Protocol

RSTP distinguishes between Port State and Port Role: Port State describes the relationship of that
port to the frame processing (filtering and forwarding) and learning functions while the Port Role
describes the role of the port in the spanning tree function.
There are three RSTP port states (as oppose to five STP states):
Table 1: RSTP Port States
Port State Description
Learning As in STP, the port prepares to participate in frame-forwarding. It learns

source addresses from frames received and adds them to the filtering
database.
From this state the port can enter a Forwarding state.
Forwarding As in STP, the port enters this state from the Learning state. The device
processes BPDUs and waits for possible new information that may cause
it to switch to the Discarding state to prevent a loop. A port in Forwarding
state:
Receives and forwards frames
Forwards frames switched from another port
Receives BPDUs
From this state, the port can only switch to Discarding state.
Discarding STP states Disabled, Blocking, and Listening are merged into this state.
This state describes a port that does not forward user traffic in either
direction. The port discards received frames and no learning occurs. As a
result, there are no entries in the filtering database pointing to this port and
no traffic is forwarded across it.
In order to create a loop-free environment and to provide rapid convergence, RSTP selects the
device with the highest priority as the root bridge, assigns port roles, and determines the active
topology. RSTP assigns a role to each bridge port throughout the bridged LAN:
Table 2: RSTP Port Role Assignments
Port Role Description
Root port Provides the best path (lowest cost) for packets forwarded from a device
to the root device.
A Root port is in Forwarding state.
Designated port Connects to the designated device that provides the best path for packets
forwarded from that LAN to the root device.
A Designated port is in Forwarding state.
Alternate port Offers an alternative path to the one provided by the current Root port.
Alternate ports are in Discarding state.
This role is equivalent to the STP Blocking state.

Port Role Description
Backup port Acts as a backup for the path provided by a Designated port in the
direction of the spanning tree leaves (end nodes).
A Backup port exists only when two ports are connected together in a
loopback by a point-to-point link or when a device has two or more
connections to a shared LAN segment.
Backup ports are in Discarding state.
This role is equivalent to the STP Blocking state.
Disabled port Disabled ports do not participate in frame forwarding and are not
operational. These ports:
discard frames
discard frames switched from another port for forwarding
do not learn MAC addresses
do not receive BPDUs
Rapid Recovery and Convergence

Edge ports, new Root ports, and ports connected through point-to-point links converge rapidly
upon a link failure.
Table 3: The RSTP Rapid Convergence
Port Type Description
Edge ports Edge ports are configured by users on RSTP enables devices. Once
configured, these ports immediately transit to Forwarding state.
NOTE
You should configure Edge ports only on ports
connected to end devices (such as hosts and printers).
Root ports When RSTP selects a new Root port, it blocks the old Root port and
immediately transitions the new Root port to Forwarding state.
Point-to-point links Point-to-point links are links directly connecting two devices.
When you connect two devices using a point-to-point link the Designated
port negotiates rapid transition with the remote port by using the
proposal-agreement handshake to ensure a loop-free topology.
The following figure shows a rapid convergence example. In this example, Devices A and B are
connected through a point-to-point link and all the ports are in blocking state. Assume that Device
As priority is higher than Device Bs. The proposal-agreement handshaking proceeds as follows:
Device A proposes itself as the designated device by sending a proposal message (a
configuration BPDU with the proposal flag set).
Device B reactions to the proposal message from Device A as follows:
Assigning the port on which the proposal message was received as its new Root port.
Forcing all non-edge ports to Discarding state to avoid loops.
Sending an agreement message to Device A (a BPDU with the agreement flag set)
through its new Root port.
Device A immediately transitions its designated port to the Forwarding state.

Figure 1: Proposal and Agreement Handshaking for Rapid Convergence
The same handshaking process is repeated for each device that joins the active topology,
progressing from the root toward the leaves of the spanning tree as the network converges.0.
Determining the Port Link-Type

RSTP can implement a rapid transition only on point-to-point links. The link type is automatically
derived from the ports duplex mode:
A port operating in full-duplex mode is assumed to be point-to-point
A port operating in half-duplex mode is considered as a shared port by default.
You can override this automatic link-type setting by explicit configuration.
Today in most switched networks most links operate in full-duplex mode and are treated as point-
to-point links by RSTP. This makes them candidates for rapid transition to Forwarding state.
Synchronization of Port Roles

Upon receiving a proposal message for best path to the root through a port, the RSTP selects that
port as the new Root port and forces all other ports to synchronize with the new root information.
An individual port on the device is synchronized if:
The port is in Discarding state
The port is an edge port

If a Designated port is in Forwarding state and is not configured as an edge port, it transitions to
Discarding state when RSTP forces it to synchronize with new root information. When RSTP
forces a port to synchronize with root information and the port does not satisfy any of the above
conditions, it transitions to Discarding state.
After synchronizing all ports, the device sends an agreement message to the designated device
corresponding to its Root port. At this point RSTP immediately transitions the port states to
Forwarding.
The sequence of events is displayed in the following figure:
Figure 2: Sequence of Events during Rapid Convergence
RSTP BPDU Format and Processing

The RSTP BPDU has the same format as the STP BPDU except that the protocol version is set to
2.

Figure 3: RSTP BPDU Flags
The sending device proposes itself to be the designated device by setting:

Proposal flag (bit 1)
Port Role flag (bits 2-3) to Designated port
The receiving device accepts the proposal by setting:
Agreement flag (bit 6)
Port role flag to Root port
RSTP uses the Topology Change (TC) flag to indicate topology changes. Unlike STP, the RSTP
does not have a separate topology change notification (TCN) BPDU. However, for interoperability
with STP devices, the RSTP device processes and generates TCN BPDUs.
The Learning and Forwarding flags (bits 4 and 5) are determined according to the sending port.
Multiple Spanning Tree Protocol

Term Definition
MSTP Region A collection of interconnected bridges that share the same MSTP
configuration. Devices in the same MST Region share the following
attributes:
Region name
Revision number of the region
MST InstancetoVLAN assignment map (each VLAN can be
mapped only to one instance)
MST Instances Each bridge in the MSTP region contains up to 16 MSTIs which act like
(MSTI) separate RSTP bridges for a specific set of configured VLANs. All MSTIs
within the same region share the same protocol timers, but each instance
has its own topology parameters, such as root-device ID, root path-cost,
and active topology. By manipulating these parameters, systems
administrator can modify the spanning tree topology (defining forwarding
and blocked ports) for the MSTI VLANs to achieve traffic load-balancing
within the region.
MSTIs are identified by their instance ID:
Instance 0: The Common Internal Spanning Tree (CIST) to which
all VLANs are mapped by default. This instance is obligatory and
cannot be removed.
Instances 115: User-configurable, optional instances, to which the
system administrator maps sets of VLANs.
Load balancing is supported only with the MST Region. The following figure illustrates load
balancing between two instances.
MSTI 1 Device C is the MST Root
The port on Device B connected to Device A is blocked
Traffic for VLANs 101200 flows between Device C and Device A
MSTI 2 Device B is the MST Root
The port on Device C connected to Device A is blocked
Traffic for VLANs 201300 flows between Device B and Device A

Figure 6: MSTP within a Region
Outside the region, spanning tree information is carried by MST instance 0. The MST region can
participate in Common Spanning Tree (CST ) of legacy xSTP bridges and other MSTP regions
connected to the MST region.
This region is responsible for combining and forwarding all Internal Spanning Tree (IST)
information to the CST, handling CST information and setting roles for regional boundary ports.
As a consequence, each MSTP region acts as a single RSTP bridge within the CST topology.
In each region:
One boundary port, which can be the root port for the region, connects the region to the CST
Root bridge (the CIST Root). This port is called the Master port.
Boundary ports that provide alternative paths from the region to the CIST Root are blocked
(set to Alternative).
Boundary ports that provide connectivy to Designated LANs can be set as Designated ports.
MST Instance Parameters

Table 3: MSTI Parameters
Parameter Description
Boundary Ports Connect the designated bridge (an SST bridge or a bridge with a
different MST configuration) to a LAN.
A designated port identifies itself as a boundary port (the boundary flag
is set) if it detects an STP bridge or receives an agreement message
from an RST or MST bridge with a different configuration.
The role of the MST ports at the boundary is not important since the
MST port is forced to take the same state as the IST port. The IST port
at the boundary can take any port role except backup.

IST Master The IST master of an MST region is the bridge with the lowest bridge
identifier and the lowest path cost to the CST root.
If an MST bridge is the root bridge of the CIST in a region, then it is
the IST master of that MST region.
If the CST root is outside the MST region, then one of the MST
bridges at the boundary is selected as the IST master. Other
bridges on the boundary that belong to the same region eventually
block the boundary ports that lead to the root.
If two or more bridges have an identical path to the root, you can
set a lower bridge priority value to make a specific bridge the IST
master.
The root path-cost and message age inside a region stay constant.
However the IST path cost is incremented and the IST remaining hops
are decremented at each hop.
Regional Root The MSTI Regional root is the root bridge of each MSTI within a region.
In case of IST, it is the CIST Regional root. Therefore, the terms IST
Master and CIST Regional root are interchangeable.
Edge Ports An Edge Port is a port connected to a non-bridging device (for example,
a host or a device). A port that connects to a hub is also an edge port if
the hub or any LAN that is connected to it does not have a bridge.
An edge port can start forwarding as soon as its link is up.
Link-Type Rapid connectivity is established only on point-to-point links.
When connecting a port to another port through a point-to-point link, if
the local port becomes a designated port, RSTP negotiates a rapid
transition with the other port, using the proposal-agreement handshake
to ensure a loop-free topology.
By default, the link-type is automatically determined by the duplex state
of the port. However, when a half-duplex link is physically connected
point-to-point to a single port on a remote device running RSTP, you can
override the link-type default setting and enable rapid transitions to
Forwarding state.
Message Age and IST and MSTIs use a hop count mechanism similar to the IP time-to live
Hop Count (TTL) mechanism. Users can configure the maximum MST bridge hop
count.
The MSTI root bridge sends a BPDU (or M-record) with the remaining
hop count. The bridge receiving the BPDU (or M-record) decrements the
remaining hop count by one.
If after decrementing, the hop count reaches zero, the bridge discards
the BPDU and ages out the port information. Non-root bridges propagate
the decremented count as the remaining hop count in the BPDUs they
generate.
Port Priority The port priority determines the ports Forwarding state in case of a loop.
MSTP selects the port with the highest priority (lower priority value) first.
In case all ports have the same priority, MSTP selects the port with the
lowest number and blocks all other ports.

Path Cost MSTP uses the path cost when selecting the forwarding port in case of a
loop.
The default path-cost for the port derives from its link speed. However,
you can define lower cost values to ports you want selected first and
higher cost values to ports you want selected last.
In case all ports have the same path cost value, MSTP selects the port
with the lowest number and blocks all other ports.
Interoperability with 802.1D STP

A device running MSTP supports a built-in protocol migration mechanism that enables the device
to interoperate with legacy 802.1D devices.
If the device receives a legacy 802.1D configuration BPDU (a BPDU with the protocol version set
to 0), the device sends only 802.1D BPDUs on that port. An MSTP device can also detect that a
port is at the boundary of a region when it receives a legacy BPDU, an MST BPDU (version 3)
associated with a different region, or an RST BPDU (version 2).
However, the device cannot determine whether the legacy device was removed from the link
(unless the legacy device is the designated device). Therefore, the device does not automatically
revert to MSTP mode if no further 802.1D BPDUs are received.
Also, a device might continue to assign a boundary role to a port when the device to which it is
connected has joined the region.
If all the legacy devices on the link are RSTP devices, they can process MSTP BPDUs as if they are
RSTP BPDUs. Therefore, MSTP devices send either a version 0 configuration and TCN BPDUs
or version 3 MSTP BPDUs on a boundary port. A boundary port connects the designated device
to a LAN that is either a single spanning tree device or a device with a different MST configuration.
Fast Ring Modes

The fast ring mode shortens the MSTP convergence time to below 50 milliseconds when there is a
disconnection in a ring topology. Telco Systems offers two Fast Ring solutions:
Fast Ring: Use when all of the devices in the ring are Telco Systems devices
Interoperability Fast Ring: Use with devices that do not support MSTP or RSTP protocols
NOTE
Use standard MSTP as a ring solution if your network demands a topology different
from the one offered here.
Fast Ring
Use this solution when all the devices in the ring are Telco Systems devices.
1. Select one bridge to be the root bridge: set the priority for this bridge to the lowest value (0).
To avoid instability, do not enable the Fast Ring feature on this bridge.
2. Configure all user ports as MSTP edge ports.

3. To optimize network performance, increment the priority value for the bridge as you draw
away from the root bridge.
The figure below shows a ring topology using MSTP:

Device 1 is the MST root bridge
All the ports have equal priority thus one of Device 8's uplink ports are in Alternate state.
In case of link failure between Device 14 and Device 1:
4. Device 14 detects the link failure on its root port.
5. The ring solution immediately changes the traffic flow to a new direction.
Figure 7: MSTP in Ring Topology in a Link-Down Event
Interoperability Fast Ring

Designed especially for interoperation with devices that do not support MSTP or RSTP protocols.
Use Interoperability Fast Ring when you use a non Telco Systems gateway as a part of the ring.
The figure below shows a ring topology using MSTP, when one of the devices (Router, in the figure
below) does not support MSTP, but is capable of switching the MSTP BPDUs between the ports
connected in the topology.

Figure 8: MSTP in Ring Topology with a Device in Link-Down Event
To use an Interoperability Fast Ring:

6. Configure the two devices closest to the Router (Device 1 and Device 8) as Border Bridges to
avoid network-performance degrade.
7. Do not define any MSTP priorities on Border Bridges. These are automatically set once the
bridges are set as border bridges.
8. Increment the priority value for the bridge as you draw away from the root bridge, starting
with priority value 8192.
9. Configure all the user ports as MSTP edge ports.
In case the link between Device 8 and the Router fails:
Device 1 becomes the root
Traffic changes its direction toward the new root

Cisco Compliance
The device can be placed into Cisco-Compliant Mode, which changes the BPDU format to
conform to the standard adopted for Cisco devices. When the device is not in Cisco-Compliant
Mode, the root port is synchronized only if the port receives an agreement together with the
proposal flag from the designated port.
IEEE 802.1s-Compliant vs. Cisco-Compliant BPDUs

Both Cisco-compliant and IEEE 802.1s-compliant modes send an Agreement flag in response to a
Proposal flag when the port transitions to Root role. However there are differences between the
two modes in the conditions under which the Agreement flag is set:
In the standard IEEE 802.1s-compliant mode, MSTP sets the Agreement flag when:
the port is either a Designated or a Root port
and
all the device ports are synchronized (when all the ports participate only in loop-free
topologies)
In Cisco-compliant mode the Agreement flag is set also when the port is going to Alternate
role.
The following two tables compare two BPDUs:
Table 2 displays a BPDU generated in IEEE 802.1s-compliant mode and includes two
M-records.
Table 3 displays a BPDU generated in Cisco-compliant mode, parsed in the format generated
by Cisco devices.
Standard BiNOX Dump (IEEE 802.1s-Compliant)

01 80 c2 00 00 00 00 a0 12 11 29 92 00 89 42 42
03 00 00 03 02 4e 80 00 00 a0 12 11 29 92 00 00
00 00 80 00 00 a0 12 11 29 92 80 0b 00 00 14 00
02 00 0f 00 00 00 60 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 01 60 b0 d3 6e cc e1
45 40 14 da 65 22 bd 08 f3 cd 00 00 00 00 80 00
00 a0 12 11 29 92 28 4e 80 01 00 a0 12 11 29 92
00 00 00 00 80 80 28 4e 80 02 00 a0 12 11 29 92
00 00 00 00 80 80 28
Cisco-Compliant Dump
01 80 c2 00 00 00 00 08 a3 37 f1 c1 00 84 42 42
03 00 00 03 02 68 60 00 00 07 eb d5 a2 00 00 00
00 00 60 00 00 07 eb d5 a2 00 80 01 00 00 14 00
02 00 0f 00 00 00 00 5a 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 64 b1 f4 bb 1f 3c
6d 4d a3 00 94 c1 11 b7 c0 92 60 00 00 07 eb d5

a2 00 00 00 00 00 14 00 01 69 60 01 00 07 eb d5
a2 00 00 00 00 00 60 01 00 07 eb d5 a2 00 80 01
14 00
Table 4: BiNOX BPDU Parsed According to IEEE 802.1s

Field Name Content
ETH Dest. 01 80 c2 00 00 00
ETH Src 00 a0 12 11 29 92
ETH Len 00 89
LLC 42 42 03
Protocol Identifier 00 00
Protocol version Identifier 03
BPDU type 02
CIST Flags 4e
CIST Root Identifier 80 00 00 a0 12 11 29 92
CIST Ext. Path Cost 00 00 00 00
CIST Regional Root Identifier 80 00 00 a0 12 11 29 92
CIST Port Identifier 80 0b
Message age 00 00
MaxAge 14 00
Hello-time 02 00
Forward-delay 0f 00
Version 1 length (must be 0) 00
Version 3 length (Mrecords total length) 00 60
MSTI configuration Identifier (Key, 00 00 00 00 00 00 00 00 00 00 00 00
Revision, Name) 51 Bytes 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 01 60
b0 d3 6e cc e1 45 40 14 da 65 22 bd
08 f3 cd
CIST Internal Root Path Cost 00 00 00 00
CIST Bridge Identifier 80 00 00 a0 12 11 29 92
CIST Remaining hops 28
MSTI1
Flags 4e
MSTI Regional Root Identifier 80 01 00 a0 12 11 29 92
00 00 00 00
MSTI Internal root path cost
80
MSTI Bridge Priority
80
MSTI Port Priority
28
MSTI Remaining hops

Field Name Content
MSTI2
Flags 4e
MSTI Regional Root Identifier 80 02 00 a0 12 11 29 92
00 00 00 00
MSTI Internal root path cost
80
MSTI Bridge Priority
80
MSTI Port Priority
28
MSTI Remaining hops
Table 5: Cisco BPDU Parsed by a Telco Systems Device

Field Name Content Notes
ETH Dest. 01 80 c2 00 00 00 Matches the IEEE-802.1s

ETH Src 00 08 a3 37 f1 c1
ETH Len 00 84
LLC 42 42 03
Protocol Identifier 00 00
Protocol version Identifier 03
BPDU type 02
CIST Flags 68
CIST Root Identifier 60 00 00 07 eb d5 a2 00
CIST Ext. Path Cost 00 00 00 00
CIST Bridge Identifier 60 00 00 07 eb d5 a2 00
CIST Port Identifier 80 01
Message age 00 00
MaxAge 14 00
Hello-time 02 00
Forward-delay 0f 00
Version 1 length (must be 00
0)
Extra byte 00 If the Cisco BPDUs are parsed
as specified in the IEEE 802.1s
standard, some offsets and
shifts may cause wrong values
for the M-records and for the
matching fields that are located
after the version 3 length
CIST Internal root path cost,
CIST Bridge identifier, CIST
remaining hops.
Version 3 length (Mrecords 00 5a
total length)

MSTI configuration 00 00 00 00 00 00 00 00 00 00 The first byte of the

Identifier (Key, Revision, 00 00 00 00 00 00 00 00 00 00 configuration is called selector,
Name) 50 Bytes. 00 00 00 00 00 00 00 00 00 00 and is omitted (or over-ridden
00 00 00 00 64 b1 f4 bb 1f 3c by the version 3 length field).
6d 4d a3 00 94 c1 11 b7 c0 92
CIST Regional Root 60 00 00 07 eb d5 a2 00 Fields order is flipped.
Identifier
CIST Remaining hops2 14 00 Extra byte-Cisco BPDU with no
bytes instead of 1. MSTIs ends here and contains
the extra byte.
MSTI1 The whole M-Record structure
is different. In the 802.1s there
is no MSTID field. The priority
of the sending bridge and the
port priority are sent without
bridge ID and port ID of the
sending bridge.
MSTID 01 The whole M-Record structure
sending bridge.
Flags 69 The whole M-Record structure
sending bridge.
MSTI Regional Root 60 01 00 07 eb d5 a2 00 The whole M-Record structure
Identifier is different. In the 802.1s there
sending bridge.
MSTI Internal root path 00 00 00 00 The whole M-Record structure
cost is different. In the 802.1s there
sending bridge.
MSTI Transmitting Bridge 60 01 00 07 eb d5 a2 00 The whole M-Record structure
Identifier is different. In the 802.1s there
sending bridge.

MSTI Port Identifier 80 01 The whole M-Record structure

sending bridge.
MSTI Remaining hops 14 00 The whole M-Record structure
sending bridge.

xSTP Commands
Commands Hierarchy
device-name#
+ config terminal
+ ethernet
+ spanning-tree
- [no] hold-count <value>
- [no] forward-delay <interval>
- [no] hello-time <interval>
- [no] learn-mode {none | standard | temporary-disabled}
- [no] max-age <interval>
- [no] bpdu-rx
- [no] bpdu-tx
- [no] cisco-compliant
- [no] detect-bpdu-loss
- [no] edge-port
- [no] edge-port-flush
- [no] link-type {auto | point-to-point | shared}
- [no] mstp instance-id <instance-id>
- [no] path-cost <cost>
- [no] restricted-root
- [no] restricted-tcn
- [no] shutdown
+ [no] protocol-fast-ring
- [no] border-bridge preferred-link {UU/SS/PP | agN}
- [no] ring-ports {UU1/SS1/PP1 | agN1} {UU2/SS2/PP2 |
agN2}
- [no] shutdown
+ [no] protocol-mstp
+ [no] instance <value>
- [no] max-hops <hops>
- [no] region-name NAME

- [no] region-revision <unsignedShort>

- [no] shutdown
- [no] vlan-per-instance <vlan-id>
- [no] instance-id <value>
- [no] protocol-rstp
- [no] shutdown
- [no] protocol-stp
- [no] shutdown
- [no] provider-bridge-address {dot1ad | dot1d}
- show ethernet mstp [cist port UU/SS/PP | configuration | detailed |
instance <value> port UU/SS/PP]
- show ethernet rstp [port UU/SS/PP | details]
- show ethernet stp [port UU/SS/PP | details]
Table 6: Configuration Commands
Command Description

ethernet Enters the Ethernet Configuration mode
spanning-tree Enters the Spanning Tree Configuration mode
hold-count <value> Specifies the number or BPDUs that can be

transmitted during every hello time period:
3
no hold-count Restores to default
forward-delay <interval> Specifies the time a port waits in Learning and

Listening states before moving to Forwarding
state:
interval: in the range of <4-30>
seconds
15 seconds
no forward-delay Restores to default
hello-time <interval> Specifies the interval between consecutive

BPDUs the device transmits:
seconds
2 seconds
no hello-time Restores to default

Command Description
learn-mode {none | standard | Specifies the mode in which MAC addresses are
temporary-disabled} learned and flushed:
none: permanently disables
learning on non-edge/ring ports
standard: permanently enables
learning on non-edge/ring ports
temporally-disabled: enables
learning, except for cases where
an MSTP topology change occurs and
learning is temporarily disabled
Standard
no learn-mode Restores to default
max-age <interval> Specifies the time a device waits without

receiving configuration messages before
attempting a reconfiguration:
seconds
20 seconds
no max-age Restores to default
port {UU/SS/PP | agN} NOTE

The port command is accessible
only after enabling xSTP protocol
in the Spanning Tree
Configuration mode.
Configures Spanning Tree on a port and enters
Specific Ports or LAG Configuration mode and:
UU/SS/PP: 1/1/1-1/1/4 and 1/2/1-
1/2/8
<1-14>
no port [UU/SS/PP | agN] Removes all xSTP-related default configuration
form the selected port/LAG. Once the port is
removed from xSTP configuration, its default
configuration needs to be manually reconfigured
if you return the port back to xSTP.
bpdu-tx Enables BPDU packets transmission on an
edge-port
no bpdu-tx Disables the BPDU packets transmission
bpdu-rx Enables BPDU packets receiving on an edge-
port
no bpdu-rx Prevents the port from receiving BPDUs
cisco-compliant Activates the Cisco-Compliant Mode
no cisco-compliant Deactivates the Cisco-Compliant Mode
detect-bpdu-loss Enables the Loop Guard on a port
Enabled
no detect-bpdu-loss Disables the Loop Guard on a port

Command Description
edge-port Changes the ports administrative status, setting

it as an Edge Port
The port is not an edge port.
no edge-port Restores to default
edge-port-flush Forces the MSTP to flush the edge port it is
configured on, when the link on the port is down
The port is not a flush port.
no edge-port-flush Restores to default
link-type {auto | point-to- Specifies the port administrative link-type:
point | shared}
auto: see Table 7
point-to-point: see Table 7
shared: see Table 7
Auto
no link-type Restores to default
mstp instance-id <value> Enters the MSTP Instance Configuration mode

for the specified port. Parameters for instance 0
are defined in the Port mode:
value: in the range of <115>
no mstp instance-id Removes the defined MSTP instance
path-cost <cost> Specifies the path cost of an MSTP instance. A

lower path cost represents a higher-speed
transmission:
cost: in the range of <1-
200000000>
Table 8 displays the default value
calculated by the ports media speed.
no path-cost Restores to default
shutdown Disables xSTP on the port
no shutdown Enables xSTP on the port
priority <priority> Specifies the port priority:

priority: valid values are: 0, 16,
32,48, 64, 80, 96, 112, 128, 144,
160,176, 192, 208, 224, and 240
128
restricted-root Enables the selection of a port as the Root port
Disabled
no restricted-root Disables the selection of a port as the Root port
restricted-tcn Enables receiving Topology Change
notifications (TCN) and propagating them to
other ports on the device
Disabled
no restricted-tcn Disables receiving the Topology Change
notifications (TCN)

Command Description
priority <priority> Specifies the bridge priority. When MSTP is

enabled, the priority value Specifies the bridge
priority for instance 0:
priority: the valid values are: 0,
4096, 8192, 12288, 16384, 20480,
24576, 28672, 32768, 36864, 40960,
45056, 49152, 53248, 57344, and
61440. The bridge with the highest
bridge priority (the lowest
numerical priority value) is
selected for a Root device
32768
protocol-fast-ring Enables the MSTP Fast Ring mode and enters
the MSTP Fast Ring Configuration mode:
Disabled
no protocol-fast-ring Removes MSTP Fast Ring settings
border-bridge preferred-link Configures the device as a border bridge and
{UU/SS/PP | agN} selects a preferred MSTP Fast Ring port or a
LAG that connects the ring topology to the
network gateway:
UU/SS/PP: 1/1/1-1/1/4 and 1/2/1-
1/2/8
<1-14>
no border-bridge preferred- Disables the process of configuring border
link [UU/SS/PP | agN] bridge:
and 1/2/1-1/2/8
agN: (optional) LAG ID. N is in
the range of <1-14>
ring-ports {UU1/SS1/PP1 | Specifies two physical ports or two groups of
agN1} {UU2/SS2/PP2 | ports that provide connectivity in the ring:
agN2}
UU1/SS1/PP1: the first ring port
UU2/SS2/PP2: the second ring port
agN2: the second ring LAG, where
N2 is in the range of <1-14>
agN1: the first ring LAG, where N1
is in the range of <1-14>
The port range is:
UU/SS/PP: 1/1/1-1/1/4 and 1/2/1-
1/2/8

Command Description
no ring-ports [UU1/SS1/PP1 | Disables the process of defining ring ports or

agN1] [UU2/SS2/PP2 | groups of ports:
agN2]
UU1/SS1/PP1: (optional) the first
ring port
UU2/SS2/PP2: (optional) the second
ring port
agN2: (optional) the second ring
LAG, where N2 is in the range of
<1-14>
agN1: (optional) the first ring
LAG, where N1 is in the range of
<1-14>
The port range is:
UU/SS/PP: 1/1/1-1/1/4 and 1/2/1-
1/2/8
shutdown Disables the MSTP Fast Ring mode
no shutdown Enables the MSTP Fast Ring mode
protocol-mstp Enters the MSTP Configuration mode
no protocol-mstp Removes MSTP configurations
instance <value> Enters the Specific MSTP Instance

Configuration mode:
no instance Removes the defined instance
priority <priority> Specifies the MSTP priority for instances in the

range of <1-15>. MSTP priority for instance 0 is
defined in the Spanning Tree Configuration
mode:
priority: 0, 4096, 8192, 12288,
16384, 20480, 24576, 28672, 32768,
36864, 40960, 45056, 49152, 53248,
57344, and 61440
32768
max-hops <hops> Specifies the maximum number of hops allowed

in a region before discarding a BPDU:
hops: in the range of <1-40>
40
no max-hop Restores to default
region-name NAME Specifies the MSTP region name:

NAME: a case-sensitive string of
<1-32> characters
no region-name Removes the defined name

Command Description
region-revision Specifies the region revision-number:

<unsignedShort>
unsignedShort: in the range of <0-
32767>
1
no region-revision Restores to default
shutdown Disables MSTP
no shutdown Enables MSTP
vlan-per-instance <vlan-id> Define a VLAN mapped to an instance:

All VLANs are mapped to instance 0
no vlan-per-instance Restores to default
instance-id <value> Specifies an instance mapped to the desired

VLAN/s:
no instance-id Removes the specified instance
protocol-rstp Enters the RSTP Configuration mode
shutdown Disables RSTP
no shutdown Enables RSTP
protocol-stp Enters the STP Configuration mode
shutdown Disables STP
no shutdown Enables STP
provider-bridge-address {dot1ad | Specifies the destination MAC address used to
dot1d} send STP BPDUs:
dot1ad: sets the destination MAC
to 01:80:C2:00:00:08
dot1d: sets the destination MAC to
01:80:C2:00:00:00
dot1d
no provider-bridge-address Removes the defined destination MAC address

Command Description
show ethernet mstp [cist port UU/SS/PP | Displays the MSTP port states and roles for
configuration | detailed | instance each instance :
<value> port UU/SS/PP]
cist port UU/SS/PP: (optional)
displays detailed MSTP
configuration of the selected port
detailed information about MSTP
information vectors
configuration: (optional) displays
the current regions MSTP
configuration
instance <value> port UU/SS/PP:
(optional) displays MSTP instance
configuration on port
The port range is:
UU/SS/PP: 1/1/1-1/1/4 and 1/2/1-
1/2/8
show ethernet rstp [port UU/SS/PP | Displays the RSTP general information or RSTP
details] information per port:
information vectors
port UU/SS/PP: (optional) displays
detailed RSTP configuration of the
selected port
The port range is:
UU/SS/PP: 1/1/1-1/1/4 and 1/2/1-
1/2/8
show ethernet stp [port UU/SS/PP | Displays the STP general information or STP
details] information per port:
information vectors
port UU/SS/PP: (optional) displays
detailed STP configuration of the
selected port
The port range is:
UU/SS/PP: 1/1/1-1/1/4 and 1/2/1-
1/2/8

Table 7: MSTP Link-types

Link-Type Description
Admin Link-Type auto The device automatically manages the port's link-type. The
device considers the port connected to a point-to-point LAN
segment if any of the following conditions are met:
The MST algorithm determines that the LAN segment
operates in full duplex mode.
If you configure the port by management means to a
full duplex operation. Otherwise, consider the MAC to
be connected to a LAN segment that is not point-to-
point (shared media).
point-to-point Consider the device connected to a point-to-point LAN
segment that forces the operational link-type to be point-to-
point.
shared Consider the device connected to a shared media LAN
segment that forces the operational link-type to be shared.
Operational Link- If you configure Admin link-type to auto, then you can determine the value of
Type Operational link-type in accordance with the specific procedures defined for
the device entity, as defined in Admin link-type (auto).
If the port is connected to a point-to-point LAN segment, then Operational
link-type is set to point-to-point, otherwise it is set to shared.
In the absence of a specific definition of how to determine whether the
device is connected to a point-to-point LAN segment or not, the value of link-
type is shared.
Table 8: Default Path Cost Configuration (IEEE802.1s)

Link Speed Recommended Value Recommended Range Range
<=100 Kbps 200,000,000 20,000,000200,000,000 1200,000,000

1 Mbps 20,000,000 2,000,00020,000,000 1200,000,000
10 Mbps 2,000,000 200,0002,000,000 1200,000,000
100 Mbps 200,000 20,000200,000 1200,000,000
1 Gbps 20,000 2,000200,000 1200,000,000
10 Gbps 2,000 20020,000 1200,000,000
100 Gbps 200 202,000 1200,000,000
1 Tbps 20 2200 1200,000,000
10 Tbps 2 120 1200,000,000

Configuration Examples
Example 1
In the following example, four devices are connected via VLANs V100 and V200 that are mapped
to two MST instances on each device. The example shows the redundancy achieved with MSTP.
After configuring the network, use the show mstp command on each device to verify that the MST
instances are configured correctly.
Figure 9: Schematic MSTI Configuration
1. Create VLANs V100 and V200 and add the appropriate ports to each VLAN:
Device1(config)#vlan default 1
Device1(config-vlan-1)#no untagged 1/1/1
Device1(config-vlan-1)#exit
Device1(config)#vlan v100 100
Device1(config-vlan-100)#tagged 1/1/1
Device1(config-tagged-1/1/1)#tagged 1/1/3
Device1(config-tagged-1/1/3)#exit
Device1(config-vlan-100)#untagged 1/1/4
Device1(config-untagged-1/1/4)#top
Device1(config)#port 1/1/4
Device1(config-port-1/1/4)#default-vlan 100
Device1(config-port-1/1/4)#exit
Device1(config-tagged-1/1/3)#top
2. Enable MSTP:

Device1(config)#ethernet
Device1(config-ethernet)#spanning-tree protocol-mstp
Device1(config-protocol-mstp)#no shutdown
3. Set priority 0 to MSTI 1 to force Device 1 to be MSTI1 root:

Device1(config-protocol-mstp)#instance 1 priority 0
Device1(config-instance-1)#exit
4. Add the VLANs to MSTIs 1, and 2:

Device1(config-protocol-mstp)#vlan-per-instance 100 instance-id 1
Device1(config-vlan-per-instance-1)#exit
Device1(config-vlan-per-instance-2)#commit
Device2#configure
Device2(config-vlan-1)#exit
2. Enable MSTP:
3. Set priority 0 to MSTI 2 to force Device 2 to be MSTI2 root:

Device2(config-protocol-mstp)#instance 2 priority 0
Device2(config-instance-2)#exit
4. Add the VLANS to MSTIs 1, and 2:


Device3#configure
2. Enable MSTP:
3. Add the VLANS to MSTIs 1, and 2:

1. Create VLAN V200 and add the appropriate ports to each VLAN:
Device4#configure

2. Enable MSTP:
3. Add the VLANs to MSTIs 1 and 2:

Displaying Device 1 Configuration:

Device1#show ethernet mstp detailed
Multiple spanning trees = enabled
ProtocolSpecification = ieee8021s
Priority = 32768
TimeSinceTopologyChange = 0 (Sec)
TopChanges = 6
CIST Root = 32768.00:A0:12:27:00:80
MaxAge = 20 (Sec)
HelloTime = 2 (Sec)
ForwardDelay = 15 (Sec)
BridgeMaxAge = 20 (Sec)
BridgeHelloTime = 2 (Sec)
BridgeForwardDelay = 15 (Sec)
ProtoMigratioDelay = 3 (Sec)
MaxHopCount = 40
TxHoldCount = 3
FastRing = disabled
LearnMode = standard
CIST Information
VLANs mapped = 1..99,101..199,201..4094
Priority = 32768
Regional Root = 32768.00:A0:12:27:00:80
RemainingHopCount = 39

TopChanges = 6
Border Bridge = Disabled
No active ports are mapped to the MSTI
MST 1
VLANs mapped = 100
Priority = 0
Regional Root = This bridge is the root
TopChanges = 5
Border Bridge = disabled
==========================================================================
Port |Pri|Prt role|State|PCost |DCost |Designated bridge |DPrt
--------+---+--------+-----+---------+---------+------------------+-------
01/01/01 128 Designat frwrd 200000 0 00000.00A0122700C0 128.003
01/01/04 128 Designat frwrd 200000 0 00000.00A0120A0168 128.006
MST 2
VLANs mapped = 200
Priority = 32768
Regional Root = 00002.00:A0:12:27:14:20
TopChanges = 7
==========================================================================
--------+---+--------+-----+---------+---------+------------------+-------
01/01/03 128 Root frwrd 200000 0 00000.00A012271420 128.005

device-name#show ethernet mstp detailed
Priority = 32768
TopChanges = 4
CIST Root = 32768.00:A0:12:27:00:80
MaxAge = 20 (Sec)
HelloTime = 2 (Sec)
MaxHopCount = 40
TxHoldCount = 3

FastRing = disabled
CIST Information
VLANs mapped = 1..99,101..199,201..4094
Priority = 32768
Regional Root = 32768.00:A0:12:27:00:C0
TopChanges = 4
MST 1
VLANs mapped = 100
Priority = 32768
Regional Root = 00001.00:A0:12:27:00:C0
TopChanges = 4
==========================================================================
--------+---+--------+-----+---------+---------+------------------+-------
01/01/01 128 Alternat block 200000 200000 32768.00A0122700C0 128.004
01/01/03 128 Root frwrd 200000 200000 00000.00A0122700C0 128.005
MST 2
VLANs mapped = 200
Priority = 0
TopChanges = 4
==========================================================================
--------+---+--------+-----+---------+---------+------------------+-------
01/01/02 128 Designat frwrd 200000 0 00000.00A012271420 128.002
01/01/03 128 Designat frwrd 200000 0 00000.00A012271420 128.003
01/01/04 128 Designat frwrd 200000 0 00000.00A012271420 128.005

Priority = 32768
TopChanges = 3
CIST Root = This bridge is the root
MaxAge = 20 (Sec)

HelloTime = 2 (Sec)
MaxHopCount = 40
TxHoldCount = 3
FastRing = disabled
CIST Information
VLAN mapped = 1..99,101..199,201..4094
Priority = 32768
TopChanges = 3
MST 1
VLANs mapped = 100
Priority = 32768
Regional Root = 0001.00:A0:12:27:00:C0
TopChanges = 2
==========================================================================
--------+---+--------+-----+---------+---------+------------------+-------
01/01/01 128 Root frwrd 200000 0 00000.00A0122700C0 128.003
MST 2
VLANs mapped = 200
Priority = 32768
Regional Root = 00002.00:A0:12:27:14:20
TopChanges = 3

Priority = 32768

TopChanges = 2
CIST Root = 32768.00:A0:12:27:00:80
MaxAge = 20 (Sec)
HelloTime = 2 (Sec)
MaxHopCount = 40
TxHoldCount = 3
FastRing = disabled
CIST Information
VLAN mapped = 1..99,101..199,201..4094
Priority = 32768
Regional Root = 32768.00:A0:12:27:00:80
TopChanges = 2
MST 1
VLAN mapped = 100
Priority = 32768
Regional Root = 00001.00:A0:12:27:00:C0
TopChanges = 5
MST 2
VLAN mapped = 200
Priority = 32768
Regional Root = 00002.00:A0:12:27:14:20
TopChanges = 2
==========================================================================
--------+---+--------+-----+---------+---------+------------------+-------
01/01/01 128 Root frwrd 200000 0 00000.00A012271420 128.003
01/01/02 128 Designat frwrd 200000 0 32768.00A012271420 128.004
01/01/04 128 Designat frwrd 200000 0 32768.00A012271420 128.006

Example 2
In the example above if the direct link between Device 1 and Device 3 fails, MSTI1 is recalculated,
and port 1/1/2 in Device 3 changes its role from alternative to root.
Figure 10: Link Failure between Two Devices
In this case, the show ethernet mstp detailed command displays the following:

Priority = 32768
TopChanges = 6
CIST Root = 32768.00:A0:12:27:00:80
MaxAge = 20 (Sec)
HelloTime = 2 (Sec)
MaxHopCount = 40
TxHoldCount = 3
FastRing = disabled
CIST Information
VLANs mapped = 1..99,101..199,201..4094
Priority = 32768
CIST Root = 32768.00:A0:12:27:00:80

TopChanges = 6
MST 1
VLAN mapped = 100
Priority = 0
TopChanges = 5
==========================================================================
--------+---+--------+-----+---------+---------+------------------+-------
MST 2
VLAN mapped = 200
Priority = 32768
Regional Root = 00002.00:A0:12:27:14:20
TopChanges = 7
==========================================================================
--------+---+--------+-----+---------+---------+------------------+-------
01/01/03 128 Root frwrd 200000 0 00000.00A012271420 128.003

Priority = 0
TopChanges = 3
MaxAge = 20 (Sec)
HelloTime = 2 (Sec)
MaxHopCount = 40
TxHoldCount = 3

FastRing = disabled
CIST Information
VLAN mapped = 1..99,101..199,201..4094
Priority = 32768
TopChanges = 3
MST 1
VLAN mapped = 100
Priority = 32768
Regional Root = 00001.00:A0:12:0A:01:68
TopChanges = 3
==========================================================================
--------+---+--------+-----+---------+---------+------------------+-------
01/01/02 128 Root frwrd 200000 400000 32768.00A00001090B 128.002
01/01/04 128 Designat frwrd 200000 400000 32768.00A012BBBBBB 128.006
MST 2
VLAN mapped = 200
Priority = 32768
Regional Root = 00002.00:A0:12:27:14:20
TopChanges = 3
On Device 2 and Device 4:

This topology change does not affect Device 2 and Device 4 output.

Fast Ring Configuration Example

The following example displays how to configure the devices in a fast ring so that traffic is
distributed correctly among client networks.
Figure 11: Fast Ring Topology
1. Enable MSTP and configure Device 1 to be the root device:
Device1(config-protocol-mstp)#exit
Device1(config-spanning-tree)#priority 0
2. Create VLAN V10, V20, and V30. Add the appropriate ports to each VLAN:
Device1(config-vlan-default/1)#no untagged 1/2/1

Device1(config-tagged-1/1/2)#commit
1. Enable MSTP fast-ring and configure fast ring ports:
Device2(config-spanning-tree)#protocol-fast-ring
Device2(config-protocol-fast-ring)#no shutdown
Device2(config-protocol-fast-ring)#ring-ports 1/2/1 1/1/2
Device2(config-protocol-fast-ring)#exit
2. Configure an edge port on the client port:

Device2(config-spanning-tree)#port 1/1/1 edge-port
Device2(config-port-1/1/1)#port 1/1/3 edge-port
Device2(config-port-1/1/4)#top
Device2(config-untagged-1/1/1)#exit
Device2(config-port-1/1/1)#port 1/1/3

Device2(config-port-1/1/4)#commit


Device4(config- vlan-10)#tagged 1/2/1

Device4(config-tagged-1/1/2)#vlan v30 30


Fast Ring with Border Bridge Configuration Example

The following example displays how to configure the devices in a fast ring with border-bridge so
that traffic is distributed correctly among client networks.
Figure 12: Fast Ring Topology
Any xSTP protocol is not enabled on Device 1 but Device 1 forwards BPDUs.

1. Enable MSTP fast-ring, configure fast ring ports, and set border-bridge preferred-link:
Device2(config-protocol-fast-ring)#border-bridge preferred-link 1/1/2
Device2(config-border-bridge)#exit

Device2(config-port-1/1/4)#top



Device4(config- vlan-10)#tagged 1/2/1

1. Enable MSTP fast-ring, configure fast ring ports, and set border-bridge preffer-link:
Device5(config-protocol-fast-ring)#border-bridge preferred-link 1/2/1
Device5(config-border-bridge)#exit



Spanning Tree Protocols IEEE 802.1d-1998 No MIBs are RFC 2863, Interfaces
(xSTP) IEEE 802.1t-2001 supported by this Group MIB
feature. (configL2IfaceTable)
IEEE 802.1w-2001
IEEE 802.1s-2002

Multicast Layer 2 Features
Table of Contents
Table of Figures 2
List of Tables 2
Internet Group Management Protocol (IGMP) Snooping 4

Multicast Forwarding Table 4
Dynamic Entries 4
Static Entries 5
IGMP Configuration Flow 6
IGMP Snooping Commands 6
Commands Hierarchy 6
Configuration Example 1 20
Multicast VLAN Registration (MVR) 30

Overview30
MVR Modes 30
Immediate Leave 30
MVR Commands 31
Multicast Layer 2 Features (Rev. 01) Page 1

Table of Figures
Figure 1: Initial IGMP Join Message ................................................................................................... 5
Figure 2: IGMP Configuration Flow ................................................................................................... 6
List of Tables
Table 1: IGMP Snooping Commands ................................................................................................. 9
Table 2: MVR Commands .................................................................................................................. 31
Page 2 Multicast Layer 2 Features (Rev. 01)


This chapter consists of these sections:
Internet Group Management Protocol (IGMP) Snooping
IGMP Snooping is the process of listening to IGMP traffic in order to learn the IP
multicast group memberships and direct multicast traffic only to relevant users. IGMP
Snooping is very important in order to ensure proper performance on networks with
heavy multicast traffic
Multicast VLAN Registration (MVR)
Multicast VLAN Registration (MVR) is a protocol for Layer 2 networks that enables
multicast-traffic from a source VLAN to be shared with subscriber-VLANs.

Internet Group Management Protocol (IGMP)

Snooping
To prevent flooding ports with multicast traffic, IGMP snooping dynamically configures ports on
the host side of the switch to receive multicast traffic only when the attached host previously
expressed an interest in receiving that traffic.
On the transmitter side of the device, the port that connects upstream to the multicast source is
called the Mrouter port.
Multicast Forwarding Table

The device maintains a Multicast Forwarding table and creates entries either dynamically or
statically.
NOTE
The maximum number of multicast entries in the Multicast Forwarding Table is
1024.
Dynamic Entries
The host can request to join or leave one or more multicast groups using the following IGMP
Report types:
IGMP Join Message: Host side request to join an IP multicast group by sending an
unsolicited IGMP Join Message that identifies the IP multicast group. The CPU creates a
multicast entry in the Multicast Forwarding table for that group and adds the port to the table.
The host associated with that port receives multicast traffic for that group.
On receipt of an IGMP Join Message on the host side, the device generates and sends an
IGMP Join Message on the transmitter side upstream, via the MRouter port, to the
multicast traffic source. By doing so, the device creates a logical connection between the
host and the source of the multicast traffic.
IGMP Leave Group Message: When the device receives an IGMP Leave Group message
(IGMP Version 2), the device deletes the port number for the host from the Multicast
Forwarding Table. When the device receives a Leave Group message from a host, the Group
timer is reset to the robustness value* last member query interval value (see the IGMP Snooping
Commands table).
If the user enables fast leave processing, the device handles requests to leave a multicast
group immediately to ensure optimal bandwidth management for all hosts on a switched
network even when the device manages several multicast groups simultaneously.
On the edge of the network, the multicast router connects to an IGMP Snooping device on the
transmitter side. The transmitter side port where the Mrouter connects becomes an Mrouter port
either through static configuration or automatically upon receipt of an IGMP Query from the
multicast traffic source side.

When the device receives a transmitter side request, known as an IGMP Query, the device
automatically responds with an IGMP Join Message for any active Multicast groups maintained by
the device.
Figure 1: Initial IGMP Join Message
Static Entries
Along with IGMP Snooping-learned entries, the Multicast Forwarding table can also include static
entries. Create static entries using the IGMP Snooping commands for the Command Line Interface
(CLI) found in Table 1.

NOTE
Static, or permanent, entries supersede dynamic changes creates through the IGMP
Snooping protocol.
IGMP Configuration Flow
Figure 2: IGMP Configuration Flow
IGMP Snooping Commands
Commands Hierarchy
device-name#
+ config terminal
- [no] multicast filter-mode {any-source | source-specific}
+ [no] vlan VLAN-NAME <vlan-id>
+ [no] ip-igmp-snooping
- [no] mode {proxy | report-suppression | transparent}
- [no] ip-tos-check
- [no] router-alert-check
+ [no] router-timers

- [no] last-member-query-interval <interval>

- [no] query-interval <interval>
- [no] robustness <value>
- [no] query-response-interval <interval>
- [no] ip-tos-check
+ [no] untagged UU/SS/PP
- [no] multicast-static-group NAME
+ [no] igmp-snooping
- [no] explicit-tracking {enable | disable}
- [no] fast-leave {enable | disable}
- [no] fast-querier
- [no] max-groups <unsignedInt>
- [no] mrouter
- [no] mrouter-block
- [no] mrouter-allow-reports
- [no] report-block
+ [no] tagged UU/SS/PP
- [no] multicast-static-group NAME
- [no] fast-querier
- [no] mrouter
- [no] report-block
+ [no] multicast-static-group NAME
- [no] ip A.B.C.D
- [no] ip-source A.B.C.D A1.B1.C1.D1
- [no] mac <mac:hexList>
+ service

- [no] multicast filter-mode any-source

+ [no] ip-igmp-snooping
- [no] mode {proxy | report-suppression |
transparent}
- [no] ip-tos-check
- [no] last-member-query-interval
<interval>
+ [no] spoke-sdp <spoke-sdp-id>
- [no] fast-querier
- [no] mrouter
- [no] report-block
++ [no] sap {{UU/SS/PP | agN}[:[igmp] | :[<vlan-
id>]:[igmp] | UU1/SS1/PP1:<ces-circuit>:{ces | ces-
oos}}
- [no] fast-querier
- [no] mrouter

- [no] force-forward
- [no] report-block
- show igmp-snooping
- show igmp-snooping service [<service-id> | detailed | groups |
mrouters | statistics]
- show igmp-snooping vlan [<vlan-id> | detailed | groups | mrouters |
statistics]
Table 1: IGMP Snooping Commands
Command Description

multicast filter-mode {any-source | Specifies the multicast model:
source-specific}
any-source: Any-Source Multicast
(ASM) mode is when any user is
permitted to send data.
source-specific: Single-Source
Multicast (SSM) mode is when only
the user initiating the session
is allowed to send data; other
users can receive only.
no multicast filter-mode Disables the feature
vlan VLAN-NAME <vlan-id>
Creates a VLAN with the defined name and ID

(VLAN tag) and enters VLAN Configuration
mode:
VLAN-NAME: a string of
<131> characters
no vlan VLAN-NAME <vlan-id> Removes the existing VLAN:
VLAN-NAME: a string of
<131> characters
ip-igmp-snooping Enables IGMP Snooping on a specific VLAN
Disabled
no ip-igmp-snooping Restores to default
mode {proxy | report-suppression Specifies the mode in which IGMP snooping
| transparent} operates:
proxy: number of processing done
on the multicast router is
reduced, because the device acts
as Proxy. On the host-side
interfaces, IGMP snooping in
proxy mode behaves as an IGMP
router and sends general and
group-specific queries on those
interfaces.

Command Description
IGMP proxy supports IGMPv2
control traffic.
report-suppression: device uses
IGMP report suppression mode to
forward only one IGMP report per
multicast router query to
multicast devices. When IGMP
router suppression is selected,
the device sends the first IGMP
report from all hosts for a group
to all the multicast routers. The
device does not send the
remaining IGMP reports for the
group to the multicast routers.
This feature prevents duplicate
reports from being sent to the
multicast devices.
transparent: snooping device does
not generate packets, only
listens and builds its database
and forwards the rules quietly.
In this mode of operation the
multicast router receives all
IGMP messages generated in the
VLAN. These can overhead the
router with reports or sending
specific queries.
Transparent
no mode Restores to default
ip-tos-check Enables the IP TOS field verification (RFC
3376)
Enabled
no ip-tos-check Disables the IP TOS field check
router-alert-check Enables the IP Router Alert option (RFC 2113)
verification
Enabled
no router-alert-check Disables the IP Router Alert option check
router-timers Enters IGMP Snooping Timer Configuration
mode
no router-timers Removes the IGMP Snooping Timer
configuration
last-member-query-interval Specifies the time that the IGMP router waits to
<interval> receive a response to a Group-Specific query:
interval: in the range of <1-
1024> seconds
1 second
no last-member-query- Restores to default
interval
query-interval <interval> Specifies the time between successive IGMP

General queries:

Command Description
1024> seconds
125 seconds
no query-interval Restores to default
robustness <value> Specifies a robustness value to reflect expected

packet loss on a congested network. Use a
larger value for a busy network:
2
no robustness Restores to default
query-response-interval Specifies the time, the multicast router waits to
<interval> receive a response to an IGMP General query:
1024> seconds
10 seconds
no query-response-interval Restores to default
verification
Enabled
3376)
Enabled
mode
configuration
1024> seconds
1 second
no last-member-query-interval Restores to default

General queries:
1024> seconds
125 seconds

2

Command Description

<interval> receive a response to an IGMP General query.
During downgrade from version 2.4.R1.4 to
version 2.3.R3 and lower, the user-defined
value will disappeared from the running
configuration.
1024> seconds
10 seconds
source-address A.B.C.D Only for IGNMP Snooping Proxy mode.

Specifies the source address of all generated
IGMP Snooping Reports and Queries
Packets source address is 0.0.0.0.
no source-address Removes the configured source address
untagged UU/SS/PP Enters in Configuration mode of specific

untagged port:
UU/SS/PP: 1/1/1-1/1/4, 1/2/1-
1/2/8
no untagged [UU/SS/PP] Removes the port configuration
tagged UU/SS/PP Enters in Configuration mode of specific tagged

port:
UU/SS/PP: 1/1/1-1/1/4, 1/2/1-
1/2/8
no tagged [UU/SS/PP] Removes the port configuration
igmp-snooping Enables IGMP snooping

Disabled
no igmp-snooping Restores to default
explicit-tracking {enable | Enables the router to explicitly track each
disable} individual host joined to a group:
enable, disable: enables/disables
the option
Enabled
no explicit-tracking Restores to default
fast-leave {enable | disable} Enables IGMP fast-leave processing:
enable, disable: enables/disables
the option
Enabled
no igmp-snooping fast-leave Restores to default
fast-querier Enables sending a general IGMPv2 Query when
the port status changes to UP.
no fast-querier Disables sending general IGMPv2 Query
max-groups <unsignedInt> Specifies the number of multicast groups that

Command Description
can be registered:
unsignedInt: in the range of <0-
1024>
1024
no max-groups Restores to default
mrouter Configures a port as a multicast router port
Disabled
no mrouter Restores to default
mrouter-allow-reports Processes the IGMP reports, received on the
Mrouter port. The port becomes Dynamic
Querier (the port will send IGMP General
Queries at intervals).
Disabled
no mrouter-allow-reports Restores to default
mrouter-block All IGMP queries, received on the MRouter port,
are not processed and are entered in local
IGMP database
Disabled
no mrouter-block Restores to default
report-block All IGMP reports received on the MRouter port,
are not processed and are entered in local
IGMP database
Disabled
no report-block Restores to default
multicast-static-group UU/SS/PP Specifies a port to be added to the multicast

group:
UU/SS/PP: 1/1/1-1/1/4, 1/2/1-
1/2/8
no multicast-static-group Removes the specified port/s from the multicast
[UU/SS/PP] group
multicast-static-group NAME Specifies a multicast group name and enters
Multicast Static Configuration mode:
NAME: a string
no multicast-static-group Removes the multicast group
ip A.B.C.D Specifies the IP address of the multicast group:

A.B.C.D: in the range of
<224.0.0.0-239.255.255.255>
no ip A.B.C.D Removes the defined multicast IP address:
A.B.C.D: in the range of
<224.0.0.0-239.255.255.255>
ip-source A.B.C.D A1.B1.C1.D1 Specifies a source-specific multicast entry in the
Multicast Forwarding Table for a group:
A.B.C.D: the IP address of the
multicast group

Command Description
A1.B1.C1.D1: the source IP

address of the multicast traffic
no ip-source A.B.C.D Removes the defined entry:
A1.B1.C1.D1
multicast group
A1.B1.C1.D1: the source IP
address of the multicast traffic
mac <mac:hexList> Specifies the Group Destination MAC address
(GDA) of the multicast group:
mac:hexList: GDA MAC address, in
format HH:HH:HH:HH:HH:HH
no mac <mac:hexList> Removes the defined Group Destination MAC
(GDA) address:
mac:hexList: GDA MAC address, in
format HH:HH:HH:HH:HH:HH
NOTE
SAP and SDP ports have to be
untagged members of the default
VLAN.
vpls <vpls-id> Creates a VPLS service instance and enters
VPLS Configuration mode:
4294967294>
no vpls [<vpls-id>] Removes the defined VPLS instance:
range of <14294967294>
ip-igmp-snooping Enables IGMP Snooping for a specific VPLS
instance and enters IGMP Snooping VPLS
Configuration mode
Disabled
no ip-igmp-snooping Restores to default
mode {proxy | report- Specifies the mode, IGMP snooping operates:
suppression | transparent}
proxy: number of processing done
on the multicast router is
reduced, because the device acts
as Proxy. On the host-side
interfaces, IGMP snooping in
proxy mode behaves as an IGMP
router and sends general and
group-specific queries on those
interfaces.
IGMP proxy supports IGMPv2
control traffic.
report-suppression: device uses
IGMP report suppression mode to
forward only one IGMP report per
multicast router query to
multicast devices. When IGMP
router suppression is selected,

Command Description
the device sends the first IGMP
report from all hosts for a group
to all the multicast routers. The
device does not send the
remaining IGMP reports for the
group to the multicast routers.
This feature prevents duplicate
reports from being sent to the
multicast devices.
transparent: snooping device does
not generate packets, only
listens and builds its database
and forwards the rules quietly.
In this mode of operation the
multicast router receives all
IGMP messages generated in the
VLAN. These can overhead the
router with reports or sending
specific queries.
transparent
3376)
Enabled
verification
Enabled
mode
configuration
last-member-query- Specifies the time that the IGMP router waits to
interval <interval> receive a response to a Group-Specific query:
1024> seconds
1 second
interval
query-interval Specifies the time between successive IGMP

<interval> General queries:
1024> seconds
125 seconds


Command Description
2
1024> seconds
10 seconds
no query-response- Restores to default
interval

verification
Enabled
no router-alert-check Disables the IP Router Alert option
mode
configuration
1024> seconds
1 second
interval

General queries:
1024> seconds
125 seconds

2 packets
1024> seconds
10 seconds
source-address A.B.C.D Only for IGNMP Snooping Proxy mode.

Specifies the source address of all generated
IGMP Snooping Reports and Queries

Command Description
Packets source address is 0.0.0.0.
no source-address Removes the configured source address
spoke-sdp <spoke-sdp-id> Configures a spoke binding between a VPLS

and a Service Distribution Point (SDP) and
enters Spoke-sdp Configuration mode:
spoke-sdp-id: an existing SDP ID
to bind to the specified service
ID, in the range of <1-
4294967295>
no spoke-sdp [<spoke-sdp-id>] Removes SDP binding for the specified VPLS:
spoke-sdp-id: (optional) an
existing SDP ID to bind to the
specified service ID, in the
range of <1-4294967295>
sap {{UU/SS/PP | agN}[:[igmp] | Creates a Service Access Point (SAP) and
:[<vlan-id>]:[igmp] | enters SAP Configuration mode:
UU1/SS1/PP1:<ces-
command)
UU/SS/PP: 1/1/1-1/1/4, 1/2/1-
1/2/8
<1-14>
of <1-4094>
values are: 1/3/9.
range of <1-64>
packets
control packets
UU1/SS1/PP1:<ces- physical port (unit, slot and
circuit>:{ces | ces-oos}} ] port) defined as SAP.(can be
command)
UU/SS/PP: 1/1/1-1/1/4, 1/2/1-
1/2/8

Command Description

<1-14>
of <1-4094>
values are: 1/3/9.
range of <1-64>
packets
control packets
igmp-snooping Enables IGMP Snooping for a specific spoke
binding and enters IGMP Snooping
Configuration mode
Disabled
no igmp-snooping Restores to default
explicit-tracking {enable | Configures the router to explicitly track each
disable} individual host joined to a group:
enable: enables the feature
disable: disables the feature
Enabled
fast-leave {enable | Configures IGMP fast-leave processing:
disable}
enable: enables the feature
disable: disables the feature
Enabled
no fast-leave Restores to default
max-groups <unsignedInt> Specifies the number of multicast groups that

can be registered:
1024>
1024
no max-groups Restores to default
mrouter Configures a static connection to a multicast
router
Disabled
no mrouter Restores to default
fast-querier Enables sending a general IGMPv2 Query when
the port status changes to UP.

Command Description
no fast-querier Disables sending general IGMPv2 queries

mrouter-allow-reports Processes the IGMP reports, received on the
Mrouter port. The port becomes Dynamic
Querier (the port will send IGMP General
Queries at interval).
Disabled
no mrouter-allow-reports Restores to default
report-block All IGMP reports received on the selected port
are not processed and entered in local IGMP
database
Disabled
no report-block Restores to default
mrouter-block All IGMP queries received on the selected SDP

are not entered in the local IGMP database but
instead, are forwarded to all SAPs/SDPs
according to split horizon rules:
Deny IGMP queries entering local IGMP
database and forward to all SAPs/SDPs
according to split horizon rules:
Disabled
no mrouter-block Restores to default
force-forward Only for VPLS service.
Enables forwarding the IGMP control traffic
from/to secured SAPs and from/to mesh SDPs.
Disabled
no force-forward Restores to default
show igmp-snooping Displays information for all aspects of IGMP
snooping on VPLS services and VLANs
show igmp-snooping service [<service-id> Displays information for all aspects of IGMP
| detailed | groups | mrouters | snooping on a VPLS service, filtered by the
statistics]
following arguments:
range of <14294967294>
groups: (optional) displays
information for multicast groups
that are joined on SDP or SAP
mrouters: (optional) displays
multicast routers ports related
to the specified service
IGMP snooping statistics for the
specified service
show igmp-snooping vlan [<vlan-id> | Displays information for all aspects of IGMP
detailed | groups | mrouters | snooping on a VLAN, filtered by the following
statistics]
arguments:

Command Description

of <14094>
groups: (optional) displays
information for multicast groups
that are joined on the specified
VLAN
mrouters: (optional) displays
multicast routers ports related
to the specified VLAN
IGMP snooping statistics for the
specified VLAN and port
In the following example IGMP snooping is configured on VLAN 100. The multicast router that
sends IGMP queries is connected to port 1/2/5. The multicast host that sends the IGMP report is
connected to port 1/2/4:
1. Enter the Configuration mode of VLAN v100 with ID 100:
device-name(config)#vlan v100 100
device-name(config-untagged-1/2/4)#exit
device-name(config-untagged-1/2/5)#top
device-name(config)#port 1/2/4 default-vlan 100
device-name(config)#port 1/2/5 default-vlan 100
2. Enable IGMP snooping on the specified VLAN and configure last-member-query interval:
device-name(config-vlan-100)#ip-igmp-snooping
device-name(config-ip-igmp-snoopping)#router-timers last-member-query-
interval 20
device-name(config-router-timers)#exit
device-name(config-ip-igmp-snooping)#exit
device-name(config-untagged-1/2/4)#igmp-snooping
device-name(config-igmp-snooping)#exit
device-name(config-untagged-1/2/5)#igmp-snooping
3. Display IGMP snooping queries and reports information (the multicast router with source IP
address 100.1.1.33 is connected to port 1/2/5 and a multicast host joines a multicast group
with IP address 224.2.2.2 on port 1/2/4):
device-name#show igmp-snooping vlan 100 mrouters
================================================================================
Vlan ID 100 - IGMP Snooping Mrouters

================================================================================
Port ID: 1/2/5 Mrouters: 1
--------------------------------------------------------------------------------
Mrouter Ip: 100.1.1.33 Type: Dynamic
Group Ip: 224.2.2.2 Age: 244s
--------------------------------------------------------------------------------
device-name#show igmp-snooping vlan 100 groups

================================================================================
Vlan ID 100 - IGMP Snooping
================================================================================
Port ID: 1/2/5 Groups: 0
================================================================================
================================================================================
================================================================================
device-name#show igmp-snooping vlan 100 groups

================================================================================
Vlan ID 100 - IGMP Snooping
================================================================================
================================================================================
================================================================================
================================================================================
================================================================================
Group IP: 224.2.2.2 Mode: Include
--------------------------------------------------------------------------------
SrcIp Mode Joined Host ExpTime
--------------------------------------------------------------------------------
100.1.1.50 Forward 258s
100.1.1.11 258s
In the following example, IGMP Snooping is configured on VPLS-MTU 1010. The multicast
router that sends IGMP queries is connected to SAP 1/1/3: The multicast host that sends the
IGMP report is connected to SAP 1/1/3::.
1. Configure IP interfaces, OSPF, LDP, and VLANs on Device_1 device:

Device_1#config terminal
Device_1(config)#vlan 10 10
Device_1(config-vlan-10)#routing-interface sw10
Device_1(config-vlan-10)#untagged 1/1/1
Device_1(config-untagged-1/1/1)#exit
Device_1(config-vlan-10)#exit

Device_1(config-untagged-1/1/2)#port 1/1/1
Device_1(config-port-1/1/1)#default-vlan 10
Device_1(config-port-1/1/1)#port 1/1/2
Device_1(config-port-1/1/2)#top
Device_1(config)#router interface lo1 address 1.1.172.101/32
Device_1(config-interface-lo1)#exit
Device_1(config-router)#interface sw10
Device_1(config-interface-sw10)#address 11.0.10.1/24
Device_1(config-interface-sw10)#exit
Device_1(config-interface-sw20)#commit
Commit complete.
Device_1(config-router)#ospf
Device_1(config-ospf)#router-id 1.1.172.101
Device_1(config-ospf)#area 0.0.0.2
Device_1(config-area-0.0.0.2)#interface 1.1.172.101
Device_1(config-interface-1.1.172.101)#passive
Device_1(config-interface-1.1.172.101)#exit
Device_1(config-interface-11.0.20.1)#commit
Commit complete.
Device_1(config-area-0.0.0.2)#exit
Device_1(config-ospf)#trafic-engineering
Device_1(config-ospf)#commit
Commit complete.
Device_1(config-ospf)#exit
Device_1(config-router)#mpls lsr-id 1.1.172.101
Device_1(config-mpls)#ldp
Device_1(config-ldp)#interface lo1
Device_1(config-interface-lo1)#interface sw10
Device_1(config-interface-sw10)#interface sw20
Commit complete.
Device_1(config-ldp)#targeted-peer 1.1.3.1
Device_1(config-targeted-peer-1.1.3.1)#targeted-peer 1.1.4.1
Device_1(config-targeted-peer-1.1.4.1)#exit
Device_1(config-ldp)#distribute ingress ospf
Device_1(config-distribute)#egress ip 1.1.172.101/32
Device_1(config-ip-1.1.172.101/32)#exit
Device_1(config-distribute)#exit
Device_1(config-ldp)#exit
Device_1(config-router)#rsvp-te
Device_1(config-rsvp-te)#commit

Commit complete.
Device_1(config-rsvp-te)#exit
Device_1(config-router)#end
Device_1#
Device_1#show router ospf neighbor
Neighbor ID Pri State Dead Time Uptime Address Interface
RXmtL RqstL DBsmL
1.1.3.1 0 Full/DROther 00:00:32 0d 00:00:17 11.0.10.2 sw10:11.0.10.1
0 0 0
1.1.4.1 0 Full/DROther 00:00:32 0d 00:00:17 11.0.20.2 sw20:11.0.20.1
0 0 0
2. Configure VPLS-MTU 1010:

Device_1(config)#service sdp 1
Device_1(config-sdp-1)#far-end 1.1.3.1
Device_1(config-sdp-1)#exit
Device_1(config-service)#sdp 2
Device_1(config-service)#vpls 1010
Device_1(config-vpls-1010)#no shutdown
Device_1(config-vpls-1010)#mode mtu-s
Device_1(config-vpls-1010)#redundancy-mode none
Device_1(config-vpls-1010)#sap 1/1/3::
Device_1(config-sap-1/1/3::)#sap 1/1/3::
Device_1(config-sap-1/1/3::)#no shutdown
Device_1(config-sap-1/1/3::)#learn-new-mac-address
Device_1(config-sap-1/1/3::)#exit
Device_1(config-vpls-1010)#spoke-sdp 1
Device_1(config-spoke-sdp-1)#no shutdown
Device_1(config-spoke-sdp-1)#learn-new-mac-address
Device_1(config-spoke-sdp-1)#exit
Device_1(config-spoke-sdp-2)#backup
Device_1(config-spoke-sdp-2)#commit
Commit complete.
Device_1(config-spoke-sdp-2)#end
3. Enable IGMP snooping on VPLS 1010:

Device_1(config)#service vpls 1010
Device_1(config-vpls-1010)#ip-igmp-snooping
Device_1(config-ip-igmp-snooping)#exit
Device_1(config-sap-1/1/3::)#igmp-snooping
Device_1(config-igmp-snooping)#exit
Device_1(config-spoke-sdp-1)#igmp-snooping

Device_1(config-igmp-snooping)#commit
Commit complete.
Device_1(config-igmp-snooping)#end
4. Verify the VPLS configuration:

Device_1#show vpls 1010 sdp
-------------------------------------------------------------------------------
ServiceID SDP Peer Role Up time Adm Opr
===============================================================================
1010 1.1.3.1 Prim 00:00:21 Up Up
1010 1.1.4.1 Prim 00:00:00 Up Stndby
Device_1#show igmp-snooping service 1010

================================================================================
IGMP Information Service 1010
================================================================================
Service-ID VIs Mrouter IGMP Status Groups
--------------------------------------------------------------------------------
1010 3 0(0) UP 0
================================================================================
Services: 1 Groups: 0
================================================================================
5. Verify the IGMP group database:

Device_1#show igmp-snooping service groups
================================================================================
Service ID 1010 - IGMP Snooping
================================================================================
SAP : 1/1/3:: Groups: 0
================================================================================
================================================================================
SDP : 1010:1.1.4.1 Groups: 0
================================================================================
================================================================================
SDP : 1010:1.1.3.1 Groups: 10
================================================================================
================================================================================
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
100.1.1.50 Forward 256s
100.1.1.11 256s
================================================================================
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
100.1.1.50 Forward 256s
100.1.1.11 256s
100.1.1.51 Forward 256s
100.1.1.11 256s
================================================================================
--------------------------------------------------------------------------------

--------------------------------------------------------------------------------
100.1.1.50 Forward 256s
100.1.1.11 256s
100.1.1.51 Forward 256s
100.1.1.11 256s
100.1.1.52 Forward 256s
100.1.1.11 256s
================================================================================
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
100.1.1.52 Forward 256s
100.1.1.11 256s
================================================================================
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
100.1.1.53 Forward 256s
100.1.1.11 256s
================================================================================
Group IP: 239.1.1.6 Mode: Exclude ExpTimer: 258s
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
100.1.1.10 Block
================================================================================
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
100.1.1.10 Block
100.1.1.11 Block
================================================================================
6. Configure IP interfaces, OSPF, LDP, and VLANs on Device_2 device:

Device_2(config)#port 1/1/1
Device_2(config-port-1/1/1)#exit
Device_2(config)#port 1/1/2
Device_2(config-port-1/1/2)#exit
Device_2(config)#router interface lo1
Device_2(config-interface-lo1)#address 1.1.172.102/32
Device_2(config-interface-lo1)#exit

Device_2(config-router)#commit
Commit complete.
Device_2(config-router)#ospf
Device_2(config-ospf)#router-id 1.1.172.102
Device_2(config-ospf)#trafic-engineering
Device_2(config-ospf)#no area 0.0.0.0
Device_2(config-interface-1.1.172.102)#passive
Device_2(config-ospf)#commit
Commit complete.
Device_2(config-ospf)#exit
Device_2(config-router)#mpls lsr-id 1.1.172.102
Device_2(config-mpls)#ldp
Device_2(config-mpls)#interface lo1
Device_2(config-interface-lo1)#interface sw10
Device_2(config-interface-sw10)#interface sw20
Commit complete.
Device_2(config-mpls)#ld
Device_2(config-ldp)#distribute ingress ospf
Device_2(config-distribute)#egress ip 1.1.172.102/32
Device_2(config-ip-1.1.172.102/32)#exit
Device_2(config-distribute)#exit
Device_2(config-ldp)#rs
Device_2(config-rsvp-te)#commit
Commit complete.
Device_2(config-rsvp-te)#end
Device_2#
Device_2#show router ospf neighbor
Neighbor ID Pri State Dead Time Uptime Address Interface
RXmtL RqstL DBsmL

1.1.3.2 0 Full/DROther 00:00:38 0d 00:00:21 12.0.10.2 sw10:12.0.10.1

0 0 0
1.1.4.2 0 Full/DROther 00:00:38 0d 00:00:21 12.0.20.2 sw20:12.0.20.1
0 0 0
7. Configure VPLS-MTU 1010:

Device_2(config)#service sdp 1
Device_2(config-service)#sdp 2
Device_2(config-service)#vpls 1010
Device_2(config-vpls-1010)#no shutdown
Device_2(config-vpls-1010)#mode mtu-s
Device_2(config-vpls-1010)#redundancy-mode none
Device_2(config-sap-1/1/3::)#no shutdown
Device_2(config-sap-1/1/3::)#learn-new-mac-address
Device_2(config-spoke-sdp-2)#backup
Device_2(config-spoke-sdp-2)#commit
Commit complete.
Device_2(config-spoke-sdp-2)#end
8. Enable IGMP snooping on VPLS 1010:

Device_2(config)#service vpls 1010
Device_2(config-vpls-1010)#ip-igmp-snooping
Device_2(config-ip-igmp-snooping)#exit
Device_2(config-vpls-1010)#sap 1/1/3:: igmp-snooping
Device_2(config-igmp-snooping)#commit
Commit complete.
Device_2(config-igmp-snooping)#end
9. Verify the VPLS configuration:

Device_2#show vpls sdp

-------------------------------------------------------------------------------
ServiceID SDP Peer Role Up time Adm Opr
===============================================================================
1010 1.1.3.2 Prim 00:00:24 Up Up
1010 1.1.4.2 Prim 00:00:00 Up Stndby
10. Verify the IGMP group database:

Device_2#show igmp-snooping service groups
================================================================================
Service ID 1010 - IGMP Snooping
================================================================================
SAP : 1/1/3:: Groups: 10
================================================================================
================================================================================
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
100.1.1.50 Forward 256s
100.1.1.11 256s
================================================================================
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
100.1.1.50 Forward 256s
100.1.1.11 256s
100.1.1.51 Forward 256s
100.1.1.11 256s
================================================================================
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
100.1.1.50 Forward 256s
100.1.1.11 256s
100.1.1.51 Forward 256s
100.1.1.11 256s
100.1.1.52 Forward 256s
100.1.1.11 256s
================================================================================
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
100.1.1.52 Forward 256s
100.1.1.11 256s
================================================================================
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
100.1.1.53 Forward 256s
100.1.1.11 256s
================================================================================
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
100.1.1.10 Block
================================================================================


--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
100.1.1.10 Block
100.1.1.11 Block
================================================================================
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
================================================================================
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
================================================================================
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
100.1.1.13 Block
================================================================================
SDP : 1010:1.1.4.2 Groups: 0
================================================================================
================================================================================
SDP : 1010:1.1.3.2 Groups: 0
================================================================================

Multicast VLAN Registration (MVR)

Overview
Multicast VLAN Registration (MVR) is designed for applications using wide-scale deployment of
multicast traffic across an Ethernet ring-based service provider network (for example, the broadcast
of multiple television channels over a service-provider network). MVR allows a subscriber on a port
to subscribe and unsubscribe to a multicast stream on the network-wide multicast VLAN. It also
allows the single multicast VLAN to be shared in the network while subscribers remain in separate
VLANs. MVR provides the ability to continuously send multicast streams in the multicast VLAN,
but to isolate the streams from the subscriber VLANs for bandwidth and security reasons.
MVR assumes that subscriber ports subscribe to and unsubscribe from (join and leave) these
multicast streams by sending out Internet Group Management Protocol (IGMP) join and leave
messages. These messages can originate from an IGMP version-2-compatible set-top box with an
Ethernet connection or from a PC capable of generating IGMP version-2 messages. The device
identifies IP multicast streams and their associated MAC addresses in the forwarding table,
intercepts the IGMP messages, and modifies the VLAN table to include or remove the subscriber
port from/to multicast VLAN.
MVR Modes
The device supports two MVR modes of operation:
In the dynamic mode, the device performs standard IGMP snooping. When the device receives
an IGMP report for a particular group-on MVR receiver port, it forwards the IGMP report to
the multicast router, connected to any MVR source port. The multicast router only forwards
multicast streams for groups for which reports are received. Receiver ports are treated as
members of the multicast VLAN for MVR multicast control and data traffic.
In the static mode, the device sends IGMP reports for all configured multicast groups to the
multicast router. The multicast router is forced to send multicast stream for all configured
groups. When the device receives an IGMP report on the receiver port, it immediately starts
switching the stream to the subscriber.
NOTE
The maximum number of multicast groups is 256.
Immediate Leave
If Immediate Leave is enabled on a receiver port, the port leaves a multicast group more quickly.
Without Immediate Leave, when the device receives an IGMP leave message from a subscriber on a
receiver port, it sends out an IGMP query on that port and waits for IGMP group membership
reports. If no reports are received within a configured time period, the receiver port is removed
from multicast group membership. With Immediate Leave, an IGMP query is not sent from the

receiver port on which the IGMP leave was received. As soon as the leave message is received, the
receiver port is removed from multicast group membership, which speeds up leave latency.
MVR Commands
Commands Hierarchy
device-name#
+ config terminal
- [no] multicast filter-mode source-specific
+ ethernet
+ [no] mvr
+ [no] mc-group <id>
+ [no] asm-group <value>
- [no] count <value>
- [no] grp-address A.B.C.D
+ [no] ssm-group <value>
- [no] grp-address A.B.C.D
- [no] mode {exclude | include}
- [no] source-list <value>
- [no] mvr-mode {dynamic | static}
- [no] mvr-source-ip A.B.C.D
- [no] mvr-vlan <vlan-id>
- [no] explicit-tracking {false | true}
- [no] fast-leave {false | true}
- [no] mc-group <value>
- [no] mvr-type {receiver | source}
- [no] shutdown
- show multicast mvr [groups [<string> | dynamic] | members | ports]
Table 2: MVR Commands
Command Description

multicast filter-mode source-specific Enables the Source Specific Multicast feature
where datagram traffic is forwarded to receivers
from only those multicast sources to which the
receivers have explicitly joined.

Command Description
no multicast filter-mode source- Disables the feature

specific

mvr Enables the MVR
Disabled
no mvr Restores to default
mc-group <id> Specifies the MVR multicast group ID:

id: a string of <1-16> characters
no mc-group Removes the configured group
asm-group <value> Specifies an Any Source Multicast (ASM) group

ID.
The ASM method allows multicast receiver to
listen to all traffic sent to the group, regardless of
who is sending the information.
no asm-group Removes the configured group
ssm-group <value> Specifies a Specific Source Multicast (SSM)

group ID.
The SSM method allows a multicast receiver to
detect only a specifically identified sender within
the multicast group.
no ssm-group Removes the configured group
count <value> Specifies a contiguous series of MVR group

addresses:
value: in the range of <1-256>.
The format is [A.B.C.D
A1.B1.C1.D12 AN.BN.CN.DN]
1
no count Restores to default
grp-address A.B.C.D Specifies an IP multicast address of the MVR

group. Any multicast data sent to this address is
sent to all source ports on the switch and all
receiver ports that have elected to receive data
on that multicast address.
A.B.C.D: multicast groups IP
address
no grp-address Removes the configured IP address

Command Description
mode {exclude | include} Specifies the multicast group traffic:

include: for a given multicast
group address, the user accepts
multicast traffic from sources IP
addresses on the list.
exclude: for a given multicast
group address, the user accepts
multicast traffic from all source
IP addresses except the ones on
the list.
Include
source-list <value> Specifies a list of source IP addresses

value: in the range of <1-256>.
The format is [A.B.C.D
A1.B1.C1.D12 AN.BN.CN.DN]
1
no source-list Restores to default
mvr-mode {dynamic | static} Specifies the MVR mode of operation:
dynamic: sends multicast data only
after sending a request from a
receiver port to join that
multicast group. The response in
this mode is slower than the
response in dynamic mode, but the
device is not loaded with traffic
from unused multicast groups.
The response to joins and channel zapping is
quick, at the expense of loading the device with
traffic from all the configured multicast groups all
the time.
If do not define a multicast group, the default is
224.0.0.1.
Under normal conditions, dynamic mode is
preferable.
static: the device forces the
multicast server to send all
configured multicast-group data to
the source port, without waiting
for join requests from receiver
ports. When a user on a receiver
port sends a join to a multicast
group, it immediately starts
receiving the multicast data.
Dynamic
no mvr-mode Restores to default
mvr-source-ip A.B.C.D Specifies an IP address to be used by the

device during packets generation:
A.B.C.D: devices IP address
0.0.0.0
no mvr-source-ip Restores to default

Command Description
mvr-vlan <vlan-id> Specifies the VLAN in which the multicast traffic

is received. All source ports must belong to this
VLAN.
VLAN ID =1
no mvr-vlan Restores to default
port UU/SS/PP Specifies a port and enters MVR Port

configuration mode:
UU/SS/PP: 1/1/1-1/1/4, 1/2/1-1/2/8
no port Removes the MVR port configuration
explicit-tracking {false | Configures the device to explicitly track each
true} individual host that is joined to a group:
true: enables the feature
false: disables the feature
True
fast-leave {false | true} Enable the Immediate Leave feature of MVR on
the port:
false: disables the feature
true: enables the feature
Disabled
no fast-leave Restores to default
mc-group <value> Specifies the MVR multicast group ID:

id: a string of <1-16> characters
no mc-group Removes the configured group
mvr-type {receiver | source} Specifies an MVR port type:
source: configure uplink ports
that receive and send multicast
data as source ports. Subscribers
cannot be directly connected to
source ports. All source ports on
a switch belong to the single
multicast VLAN.
receiver: configure a port as a
receiver port if it is a
subscriber port and should only
receive multicast data. It does
not receive data unless it becomes
a member of the multicast group,
either statically or by using IGMP
leave and join messages. Receiver
ports cannot belong to the
multicast VLAN.
The default configuration is as a non-MVR
port.
no mvr-type Restores to default

Command Description
shutdown Stops the MVR

no shutdown Starts the MVR
show multicast mvr [groups [<string> | Displays the MVR configuration, filtered by the
dynamic] | members | ports] following option:
groups string: statically-defined
MVR multicast group
groups dynamic: dynamically-
defined MVR multicast group
members:
ports: MVR ports configuration
In the following example, MVR is configured in dynamic mode. The multicast router that receives
and sends multicast data is connected to port 1/1/1. The multicast host that receives multicast data
is connected to port 1/1/2:
1. Enter Configuration mode of the MVR source VLAN v10 with ID 10:
device-name(config-tagged-1/1/1)#commit
2. Enter Configuration mode of the receiver VLAN v20 with ID 20:

device-name(config)#port 1/1/2
3. Enable MVR on the specified ports and configure fast-leave on the receiver port:
device-name(config)#ethernet mvr
device-name(config-mvr)#no shutdown
device-name(config-mvr)#commit
device-name(config-mvr)#mvr-mode dynamic
device-name(config-mvr)#mvr-source-ip 11.11.11.11
device-name(config-mvr)#mvr-vlan 10
device-name(config-mvr)#port 1/1/1
device-name(config-port-1/1/1)#mvr-type source
device-name(config-port-1/1/2)#mvr-type receiver
device-name(config-port-1/1/2)#fast-leave true
4. Display MVR mode, VLAN and source IP configuration:

device-name#show multicast mvr
=========================================================================

MVR status : enabled

MVR mode : dynamic
MVR vlan id : 10
MVR Source IP : 11.11.11.11
=========================================================================
5. Display MVR port configuration:

device-name#show multicast mvr ports
=========================================================================
Multicast Vlan Replicaiton Interfaces
=========================================================================
Port id : 1/1/1
MVR type : Source
Explicit tracking : Enabled
Fast leave : Enabled
Number of groups : 0
Vlan list : 10
V1 Querier Present Timer : 0 secs
V2 Querier Present Timer : 0 secs
-------------------------------------------------------------------------
Port id : 1/1/2
MVR type : Receiver
Explicit tracking : Enabled
Fast leave : Enabled
Number of groups : 0
Vlan list : 20
========================================================================
In the following example, MVR is configured in static mode. Static groups are configured. The
multicast router that receives and sends multicast data is connected to port 1/1/1. The multicast
host that receives multicast data is connected to port 1/1/2:
1. Enter Configuration mode of the MVR source VLAN v10 with ID 10:
2. Enter Configuration mode of the receiver VLAN v20 with ID 20:

3. Enable MVR on the specified ports:

device-name(config-mvr)#no shutdown
device-name(config-mvr)#commit

device-name(config-mvr)#mvr-mode static
device-name(config-mvr)#mvr-source-ip 11.11.11.11
device-name(config-mvr)#mvr-vlan 10
device-name(config-port-1/1/1)#mvr-type source
device-name(config-port-1/1/2)#mvr-type receiver
4. Configure static group with ASM entry and apply it to the receiver port:
device-name(config-mvr)#mc-group k1
device-name(config-mc-group-k1)#asm-group 1 count 1 grp-address 224.2.2.2
device-name(config-asm-group-1)#commit
device-name(config-asm-group-1)#exit
device-name(config-mc-group-k1)#exit
device-name(config-port-1/1/2)#mc-group k1
5. Configure static group with SSM entry and apply it to the receiver port:
device-name(config-mvr)#mc-group k2
device-name(config-mc-group-k2)#ssm-group 1 grp-address 224.3.3.3 mode
include source-list 10.5.5.5
device-name(config-ssm-group-1)#commit
device-name(config-ssm-group-1)#exit
device-name(config-mc-group-k2)#exit
device-name(config-port-1/1/2)#mc-group k2
6. Display configured static groups:

device-name#show multicast mvr groups
=========================================================================
Group name : k2
ASM entries : 0
SSM entries : 1
Port list : Empty
-------------------------------------------------------------------------
Group name : k1
ASM entries : 1
SSM entries : 0
Port list : 1/1/2
=========================================================================
Number of entries : 2
7. Display port membership of the static groups:

device-name(config)#show multicast mvr members
=========================================================================
Multicast Vlan Replication Group members

=========================================================================
Group IP : 224.2.2.2
Number of source entries : 0
Filter mode : Exclude
Port list : 1/1/2
-------------------------------------------------------------------------
Group IP : 224.3.3.3
Number of source entries : 1
Source list : 10.5.5.5
Filter mode : Include
Port list : 1/1/2
=========================================================================


IGMP Snooping Not supported Not supported RFC 1112, Host

Extensions for IP
Multicasting
RFC 2236, Internet Group
Management Protocol,
Version 2
draft-ietf-magma-snoop-
11.txt
RFC3376, Internet Group
Management Protocol,
Version 3
Multicast VLAN Not supported Not supported Not supported
Registration (MVR)

Link Layer Discovery Protocol (LLDP)
Table of Contents
Table of Figures 1
List of Tables 1
Link Layer Discovery Protocol (LLDP) 2

LLDP Data Unit (LLDPDU) 2
TLV Format 2
LLDP Command Hierarchy 4

Table of Figures
Figure 1: LLDPDU Frame Structure................................................................................................... 3
Figure 2: Example for Configuring LLDP on two Devices............................................................. 8
List of Tables
Table 1: LLDP Commands ................................................................................................................... 4
Link Layer Discovery Protocol (LLDP) (Rev. 01) Page 1

Link Layer Discovery Protocol (LLDP)

The Link Layer Discovery Protocol (LLDP) is a discovery Layer 2 protocol used by network
devices for advertising their identity, capabilities, interconnections, and store information about the
network. LLDP is a one hop protocol; the LLDP information can only be sent to and received
by devices that are directly connected to each other (neighbors) by the same link. It allows a device
to learn higher layer management reachability and connection endpoint information from adjacent
devices.
LLDP Data Unit (LLDPDU)

The LLDP frame contains a Link Layer Discovery Protocol Data Unit (LLDPDU) which is a set of
type-length-value (TLV) structures. The LLDPDU is enclosed into an Ethernet frame in which the
destination MAC address is set to multicast address 01:80:c2:00:00:0e and the Ethernet type is set to
0x88cc.
The device sends LLDP frames on each of its ports at a fixed frequency. It also sends LLDPDUs
when the local configuration changes to inform the neighboring devices. In any of the two cases, an
interval exists between two successive operations of sending LLDPDUs. This prevents the network
from being overwhelmed by LLDPDUs. The receiving of LLDP packets is implemented by
capturing the packet in hardware, using the L2 destination MAC and forwarding it to the CPU.
The information about a neighboring device maintained locally ages out when the corresponding
TTL expires. Only valid LLDP information is stored in the network devices.
TLV Format
In an LLDPDU, the chassis ID, port ID, and TTL TLV are the first three TLVs. The optional
TLVs are placed after the TTL TLV. The End of LLDPDU TLV is placed last. There is no
restriction regarding the length of LLDPDUs. The restriction comes from the transport layer, for
example in 802.3 MAC environments the maximum size of the PDU is 1500 bytes.
The figure below provides the LLDPDU structure and the mandatory LLDPDU TLV structure
details:
Page 2 Link Layer Discovery Protocol (LLDP) (Rev. 01)

Figure 1: LLDPDU Frame Structure
The mandatory TLVs contained in a LLDPDU are:

Chassis ID TLVThe MAC address associated with the local system
PortID TLVIdentifies the port from which the LLDPDU is transmitted
TTL TLVIndicates how long (in seconds) the LAN device's information received in the
LLDPDU is to be treated as valid information
End of LLDPDU TLVIndicates the end of TLVs of the LLDPDU frame
The optional TLVs defined as part of LLDP are grouped into Basic Management TLV Set (Port
description, System name, System description, System capabilities, Management address).

LLDP Command Hierarchy

device-name#
+ config terminal
+ [no] ethernet
+ [no] lldp
- [no] advertise-basic {management-address | port-
description | system-capabilities | system-
description | system-name}
- [no] mode {disabled | rx-only | rx-tx | tx-only}
- [no] reinit-delay <value>
- [no] shutdown
- [no] transmit-delay <value>
- [no] transmit-hold <value>
- [no] transmit-interval <value>
- show ethernet lldp local-system-data [port UU/SS/PP]
- show ethernet lldp remote-system-data [port UU/SS/PP]
- show ethernet lldp remote-table-statistics
- show ethernet lldp statistics [port UU/SS/PP]
- show ethernet lldp configuration [port UU/SS/PP]
Table 1: LLDP Commands
Command Description

lldp
Enables LLDP and enters LLDP Configuration

mode
no lldp Removes the LLDP configuration details
port UU/SS/PP
Enters the LLDP Port Configuration mode:

UU/SS/PP: 1/1/1-1/1/4 and 1/2/1-
1/2/8
no port [UU/SS/PP] Removes the LLDP configuration details from
port(s):
UU/SS/PP: (optional) port range

Command Description
advertise-basic {management-
address | port-description
| system-capabilities | Configures the LLDP advertising:
system-description |
system-name} port-description: configures an
LLDP-enabled port to advertise its
port description
management-address: configures an
LLDP-enabled port to advertise the
devices management address
system-capabilities: configures an
LLDP-enabled port to advertise its
system capabilities
system-description: configures an
LLDP-enabled port to advertise the
system description
system-name: configures an LLDP-
enabled port to advertise the
system name
no advertise-basic Disabled the process of advertising
{management-address | port-
description | system-
capabilities | system-
description | system-name}
mode {disabled | rx-only | Specifies LLDP behavior:

rx-tx | tx-only}
disabled: port neither receives
nor transmits LLDP packets
rx-only: port only receives LLDP
packets
rx-tx: port both transmits and
receives LLDP packets
tx-only: port only transmits LLDP
packets
rx-tx
reinit-delay <value> Specifies the minimum time an LLDP port waits

before reinitializing LLDP transmission:
seconds
2 seconds
no reinit-delay Removes the configured value
shutdown Disables the LLDP
no shutdown
Enables the LLDP

Command Description
transmit-delay <value> Specifies the delay between successive LLDP

frame transmissions initiated by value/status
changes in the LLDP local systems MIB:
seconds
NOTE
Transmit-delay can be set only to
values smaller than (0.25 * transmit-
interval).
2 seconds
no transmit-delay Removes the configured value
transmit-hold <value> Specifies the time the receiving device holds

LLDP remote information before marking it as old
and deleted. The device information on the
neighboring devices ages out and it discarded
when its corresponding TTL expires.
seconds
4 seconds
no transmit-hold Removes the configured value
transmit-interval <value> Specifies the time the device waits before

sending LLDP packets:
seconds
NOTE
Transmit-interval can be set only to
values bigger than (4 * transmit-
delay).
The values of transmit-interval and
transmit-delay are mutually
dependent on each other:
transmit-interval is from 5 to
32768 (5 can be set when
transmit-delay is set to its
minimum value of 1)
transmit-delay is from 1 to 8192
(8192 can be set when
transmit-interval is set to its
maximum value of 32768)
30 seconds
no transmit-interval Removes the configured value
show ethernet lldp local-system-data Displays LLDP global or port-specific
[port UU/SS/PP] configuration settings for the device:
and 1/2/1-1/2/8

Command Description
show ethernet lldp remote-system-data Displays LLDP global or port-specific

[port UU/SS/PP] configuration settings of remote devices,
attached to an LLDP-enabled port:
and 1/2/1-1/2/8
show ethernet lldp statistics [port Displays statistical counters for all LLDP-enabled
UU/SS/PP] ports or for a specific port:
and 1/2/1-1/2/8
show ethernet lldp remote-table- Displays statistical counters of the remote
statistics device, attached to an LLDP-enabled port
show ethernet lldp configuration [port Displays detailed LLDP configuration information
UU/SS/PP] per all device ports

The following example shows how to configure LLDP on two devices.
Figure 2: Example for Configuring LLDP on two Devices
Device1 Configuration:
1. Enable the LLDP:
device-name(config-ethernet)#lldp
device-name(config-lldp)#no shutdown
device-name(config-lldp)#commit
2. Configure LLDP on port 1/1/1:

device-name(config-lldp)#port 1/1/1
device-name(config-port-1/1/1)#advertise-basic management-address
device-name(config-port-1/1/1)#advertise-basic port-description
device-name(config-port-1/1/1)#advertise-basic system-capabilities
device-name(config-port-1/1/1)#advertise-basic system-description
device-name(config-port-1/1/1)#advertise-basic system-name
Commit complete.
device-name(config-port-1/1/1)#end
3. Display the LLDP local database:

device-name#show ethernet lldp local-system-data
LLDP Local System Data

======================================================================
Chassis Id Subtype : MAC address
System ChassisId : 00:a0:12:96:24:21
System Name : device-name
System Description : device-name Service Demarcation Switch
software version 2.4R3 Sun Jun 3 14:44:48 EEST 2012
System capabilities supported : Bridge
Router
System capabilities enabled : Bridge

Router
System Management addresses

----------------------------------------------------------------------
Subtype : ipV4
Address : 001.000.000.010
Interface Numbering Subtype : ifIndex
Interface ID : 32
Subtype : ipV4
Address : 010.003.155.009
Interface ID : 2
LLDP Local System Data on port 1/1/1

======================================================================
Port ID subtype : MacAddress
Port ID : 00:a0:12:96:24:22
Port Description : 1/1/1

======================================================================
Port ID : 00:a0:12:96:24:23

======================================================================
Port ID : 00:a0:12:96:24:24
4. Display the LLDP remote database:

device-name#show ethernet lldp remote-system-data
LLDP Remote System Data received on port 1/1/1
======================================================================
Remote Data TTL : 120
Remote Data Age : 25
Chassis Id : 00:a0:12:96:20:91
Port ID : 00:a0:12:96:20:92


software version 2.4.R3 Sun Jun 3 14:44:48 EEST 2012
Router

Router

----------------------------------------------------------------------
Address : (IPv4) 1.0.0.100
Interface ID : 32
Address : (IPv4) 10.3.155.8

Interface ID : 2
5. Enable the LLDP:
device-name(config-ethernet)#lldp
device-name(config-lldp)#no shutdown
device-name(config-lldp)#commit
6. Configure LLDP on port 1/1/2:

device-name(config-lldp)#port 1/1/2
device-name(config-port-1/1/2)#advertise-basic management-address
device-name(config-port-1/1/2)#advertise-basic port-description
device-name(config-port-1/1/2)#advertise-basic system-capabilities
device-name(config-port-1/1/2)#advertise-basic system-description
device-name(config-port-1/1/2)#advertise-basic system-name
Commit complete.
7. Display the LLDP local database:

device-name#show ethernet lldp local-system-data
LLDP Local System Data
======================================================================
System ChassisId : 00:a0:12:96:20:91
software version 2.4R3 Sun Jun 3 14:44:48 EEST 2012
Router


Router

----------------------------------------------------------------------
Subtype : ipV4
Address : 1.0.0.100

Interface ID : 32
Subtype : ipV4
Address : 10.3.155.8
Interface ID : 2

======================================================================
Port ID : 00:a0:12:96:20:91

======================================================================
Port ID : 00:a0:12:96:20:92

======================================================================
Port ID : 00:a0:12:96:20:93
8. Display the LLDP remote database:

device-name#show ethernet lldp remote-system-data
======================================================================
Chassis Id : 00:a0:12:96:24:21
Port ID : 00:a0:12:96:24:22
software version 2.4.R3 3 14:44:48 EEST 2012
Router


Router

----------------------------------------------------------------------
Address : (IPv4) 001.000.000.010
Interface ID : 32
Address : (IPv4) 010.003.155.009

Interface ID : 2


Link Layer IEEE 802.1AB Public MIB, 802.1AB Not supported

Discovery Protocol Section 12 (LLDP
(LLDP) MIB Definitions)

Access Control Lists (ACLs)
Table of Contents
Table of Figures 2
List of Tables 2
Overview 3
ACL Type 3
Processing Options 4
Access Control Groups (ACG) 4
ACL Processing Rules 4
Traffic Rate Limit 5

Single Rate Three Color Marker (RFC 2697) 5
Two Rate Three Color Marker (RFC 2698) 6
Exceed Action 6
Color-Blind and Color-Aware 6
Hierarchical Rate Limit (HRL) 7
ACLs Configuration Flow 7
Traffic Counting Command 7

Traffic Counting Command Hierarchy 7
Traffic Counting Command Descriptions 8
ACL Commands 8
ACLs Configuration Example 92

Configure Standard ACL 92
Configure Extended ACL 93
Configure Egress and VLAN ACLs 94
Apply ACG on a SAP port with Traffic Rate-limit 95
Apply ACG on a SAP Port 96
Access Control Lists (ACLs) (Rev. 01) Page 1

Apply IPv6 ACG on Aggregated SAP Ports 97

Apply Egress ACG on SAP Port of TLS Service 98
Table of Figures
Figure 1: ACL Configuration Flow ...................................................................................................... 7
List of Tables
Table 1: Traffic Counting Commands................................................................................................. 8
Table 2: Implicit ACLs Configuration Commands ........................................................................... 8
Table 3: Monitoring Profile Commands ............................................................................................. 9
Table 4: IP ACLs Configuration Commands ................................................................................... 20
Table 5: IP ACLs Show Commands .................................................................................................. 36
Table 6: IPv6 ACLs Configuration Commands............................................................................... 42
Table 7: MAC ACLs Configuration Commands ............................................................................. 57
Table 8: MAC ACLs Show Commands ............................................................................................ 68
Table 9: EtherType ACLs Configuration Commands .................................................................... 74
Table 10: EtherType ACLs Show Commands ................................................................................. 85
Table 11: Traffic Types ........................................................................................................................ 85
Table 12: Monitoring Profiles ............................................................................................................. 86
Table 13: Valid ToS Values ................................................................................................................. 86
Table 14: Valid Precedence Values .................................................................................................... 86
Table 15: Valid ICMP Message Type Values ................................................................................... 87
Table 16: Valid ICMP Code Values ................................................................................................... 88
Table 17: Valid TCP Port Literal Values........................................................................................... 88
Table 18: Valid UDP Port Literal Values.......................................................................................... 89
Table 19: Valid FC Values ................................................................................................................... 90
Table 20: Known EtherType Values ................................................................................................. 90
Page 2 Access Control Lists (ACLs) (Rev. 01)

Overview
An Access Control List (ACL) is a set of numbered rules that are processed in sequential order.
Packet parameters are tested against conditions defined in the ACL; the first condition matched
determines the action taken by the port.
Using ACLs, system administrators can filter packets passing through the port according to defined
criteria. The main advantages to ACLs are as follows:
Security: Manage network security policies by forwarding or dropping traffic on ingress to the
port.
Traffic Control: Manipulate traffic flow, reduce bottlenecks, and congestion by enforcing
redirection rules.
Traffic Rate Limitation: Control traffic rates by port, by group of ports or by SAP, according
to user-defined criteria.
Quality of Service (QoS): Assign packet-handling priority to data flow by sorting into eight
priority queues based on ACL criteria. You can also use ACLs to remark VPT and ToS/DSCP
values.
ACL Type
Each ACL is identified by a unique name or a number. There are four basic ACL types and each
type matches specific fields in a packet:
ACL Type Numerical Range Matches
Standard IP 1-99 The source IP address

Layer 3 DSCP field, VPT and other Layer 2
Header fields
Extended IP 100-199 both the source and destination IP
addresses
Other parameters such as: protocol types
as well as TCP/UDP parameters
VPT and other Layer 2 and Layer 3 header
fields
IPv6 - both the source and destination IPv6
addresses
Other parameters such as: protocol types
as well as TCP/UDP parameters
VPT and other Layer 2 and Layer 3 header
fields
Extended MAC 400-499 Both the source and destination MAC
addresses
VPT and other Layer 2 and Layer 3 Header
fields as well as traffic type (unicast,
multicast, broadcast)

ACL Type Numerical Range Matches
EtherType 500-599 The EtherType of the packet

Layer 2 and Layer 3 header fields if the
EtherType is IP
Processing Options
Apply ACLs to both ingress (inbound) and egress (outbound) traffic:
Ingress: Process incoming packets to the port according to matched conditions defined with
the ACL. Packets that pass definied criteria are handled by the port. Packets that do not pass
the defined criteria are discarded, thereby reducing the load on the outbound interface.
Egress: Process packets at Egress mainly to shape traffic, remark, and collect statistics. To a
lesser extent, ACLs at the outbound port can also be used to filter traffic. As with packets
received at an inbound port, packets are matched to ACL conditions; packets that meet one of
the defined criteria are passed through the port.
Egress ACLs do not filter packets originated by the device (such as outgoing Telnet
session packets, NTP service packets, and various broadcast packets, such as ARP
request).
VLAN Traffic Redirection: Redirect ingress traffic according to conditions defined by an
Access Control Group (ACG) relating to VLAN assignment. Systems administrators can
change the VLAN ID in the VLAN tag header to forward traffic between VLANs.
NOTE
VLAN-based ACLs cannot be applied on Dot1q/TLS/VPLS SAP ports.
NOTE
IPv6 ACLs can be applied only with Ingress ACGs
Access Control Groups (ACG)

An ACG is a collection of ACLs applied to port(s), groups of ports, and SAP(s) that determine
processing of ingress or egress traffic. You can apply multiple ACGs on ports and SAP ports.
When multiple ACGs are applied on ports/SAP ports, traffic will be processed according to the
order in which the user first applied the ACGs.
ACL Processing Rules

To effectively use ACLs, you must first understand ACL processing rules. The maximum number
of rules contained within a single ACL is 250. Both the order of rules within the ACL and the order
in which ACLs are applied, via an ACG, is crucial.

NOTE
Rules of the VLAN-based ACL take precedence over any other configured ACLs.
Rules of Ingress and Egress ACLs are matched sequentially starting with the lowest
numbered rule.
Once created, users can remove existing rules and/or add new rules to the ACL.
The device tests packets only the first match is found. That match defines whether to permit
or deny the packet.
If the packet does not match any of the conditions defined for the ports ACLs:
On Ingress: The packet is denied because the last rule is an implicit deny statement.
On Egress: Packet is permitted (unless the user configures a rule to implicitly deny
packets that do not match any of the rules).
VLAN-based ACL (VLAN translation): Packet is permitted.
Egress ACLs have no default rule. All options defined in an ACG are applied only on traffic
that is explicitly defined in permit rule.
VLAN-based ACLs have no default rule. All options defined in ACG are applied only on
traffic that is explicitly defined in permit rule.
VLAN-based ACLs are permit by default.
Processing occurs using the order in which the ACLs were applied (via ACGs).
NOTE
ACLs do not take effect on protocol control packets (BPDUs).
Traffic Rate Limit

8B
During periods of heavy network traffic, congestion can cause incoming packets to be dropped. To
prevent congestion on provider networks, system administrators can allocate a specific bandwidth
per user port or traffic. A traffic rate limiter monitors the incoming traffic by:
forwarding conforming traffic (within the predefined rate)
dropping non-conforming traffic
marking non-conforming traffic as yellow or red
Single Rate Three Color Marker (RFC 2697)

14B
The Single Rate Three Color Marker (srTCM) meters a traffic stream and marks packets according
to three parameters:
Parameter Description Result
Committed Information Rate Determines the long-term, Traffic within CIR always
(CIR) average transmission rate confirms and is marked
green
Committed Burst Size (CBS) Determines how large a traffic Traffic above the CBS but
burst can be before some of below EBS, is marked
the traffic exceeds the rate limit yellow

Excess Burst Size (EBS) Determines how large a traffic Traffic exceeding the EBS
burst can before all traffic is marked red or dropped
exceeds the rate limit
Two Rate Three Color Marker (RFC 2698)

The two-rate Three Color Marker (trTCM) meters a traffic stream and marks packets according to
the following parameters.
Committed Information Rate Determines the long-term Traffic within CIR and
(CIR) average transmission rate CBS always conforms
Committed Burst Size (CBS) Associated with CIR, and is marked green
determines how large a traffic
burst can be before some of
the traffic exceeds the rate limit
Peak Information Rate (PIR) Determines the long term Traffic that does not
delimiter between yellow and conform to CIR and CBS
red packets but does confirm to PIR
Peak Burst Size (PBS) Associated with PIR, and PSB is marked
determines the burst size yellow
before traffic exceeds PIR. Traffic not conforming to
PIR and PBS is dropped
or marked red
Exceed Action
Once the packet is classified as exceeding a particular rate limit, the device either:
drops the packet
marks the packet as yellow or red
processes the packet based on congestion avoidance mechanisms,
Color-Blind and Color-Aware

Rate limiting operates in one of two modes:
Color-Blind:, Packets are considered green upon entering the metering process and are
marked as yellow or red if the traffic class exceeds the configured bandwidth limits
Color-Aware: Assumes the packet stream is colored, ingress by rate limiter, egress by rate
limiter or QoS policy, before entering the metering process. The device forwards green
packets. Yellow and red packets are forwarded according to the defined rate-limit.

Hierarchical Rate Limit (HRL)

HRL or Parent service applies a common rate limit to several classified flows, allowing them to
share bandwidth according to the preferences specified in the hierarchical rate limits. It is an
enhancement of the ACL Rate Limit feature.
Green traffic flow passes through the device independently of the configured parent CIR.
ACLs Configuration Flow
Figure 1: ACL Configuration Flow
Traffic Counting Command

Traffic Counting Command Hierarchy
device-name#
+ config terminal
+ system
- [no] traffic-counting-mode {L1 | L2}

Traffic Counting Command Descriptions

Table 1: Traffic Counting Commands
Command Description

traffic-counting-mode {L1 | L2} Performs precise traffic counting (in case of
packet capture) based on the packet type:
L1: calculation of rate limiting
relates to L1 packet headers,
including the entire packet, IPG
(inter-packet-gap) and preamble
L2: calculation of rate limiting
relates to L2 packet headers,
including the entire packet,
including Layer 2 header and CRC
L2
no traffic-counting-mode Restores to default
ACL Commands
In this section, command hierarchies are described and definitions for individual commands are
provided. Also included are examples.
Implicit ACLs Rules Command Hierarchy

By default, the ACL implementation adds implicit deny-any rule at the end of every ACL, denying
all packets that dont match the user-defined rules in an ACL. The rule is added when the ACL is
applied and unless you explicitly permit the traffic, it will not pass.
You can release additional ACL resources by deactivating the above implementation.
device-name#
+ config terminal
+ system
+ [no] resource-management
- [no] apply-default-access-list-rule
Implicit ACLs Command Descriptions

Table 2: Implicit ACLs Configuration Commands
Command Description

resource-management Enters the Resource Management Configuration

Command Description
mode
no resource-management Removes specific resource management
configurations
apply-default-access-list-rule Enables the hidden deny-any ACLs
Deny-any ACLs rules are applied
no apply-default-access-list- Disables the hidden deny-any ACLs. Removing
rule deny-any ACLs is recommended when the
you configure permit-any ACLs (for example,
in case of rate limiting).
ACL Monitoring Profile Command Hierarchy

device-name#
+ config terminal
+ [no] access-group-monitoring-profile <profile-id>
- [no] enables-statistics PROFILE
- show running-config access-group-monitoring-profile [<profile-id>]
enable-statistics PROFILE
ACL Monitoring Profile Command Descriptions

Table 3: Monitoring Profile Commands
Command Description

access-group-monitoring-profile Defines a monitoring profile and enters the
<profile-id> specific Profile Configuration mode.
profile-id: any number
no access-group-monitoring-profile Removes configured monitoring profiles:
[<profile-id>]
profile-id: (optional) any
number
enable-statistics PROFILE Defines statistics:
PROFILE: see Table 12
no enable-statistics [PROFILE] Removes the definition:
PROFILE: (optional) see Table 12
show running-config access-group-monitoring- Displays information about the monitoring
profile [<profile-id>] enable-statistics profiles:
PROFILE
PROFILE: see Table 12
IP ACL Command Hierarchy

NOTE
device-name#

+ config terminal
+ [no] ip access-list standard {NAME | <acl-number>}
+ [no] rule <value>
- action {deny | permit}
- [no] dscp <value>
- [no] inner-vlan <vlan-id> [inner-vlan-mask <vlan-mask>]
- [no] inner-vpt <priority>
- source-ip A.B.C.D/MASK
- [no] untagged
- [no] vlan <vlan-id> [vlan-mask <vlan-mask>]
- [no] vpt <priority>
+ [no] ip access-list extended {NAME | <acl-number>}
+ [no] rule <value>
- destination-ip A.B.C.D/MASK
- [no] precedence TYPE
+ protocol TYPE
- [no] established
- [no] icmp-code <value>
- [no] icmp-type <value>
- [no] tcp-source-port <value>
- [no] tcp-destination-port <value>
- [no] udp-source-port <value>
- [no] udp-destination-port <value>
- source-ip A.B.C.D/MASK
- [no] tos <value>
- [no] untagged
- [no] dscp <value>
+ port UU/SS/PP
[no] access-groups-rule-sequence <number>
+ [no] ip-access-group-standard {NAME | <acl-number>} in
- [no] restrict-egress-forwarding UU/SS/PP
- [no] fc <value>

- color {red | green | yellow}

- [no] monitoring-profile <profile-id>
+ [no] rate-limit {dual | single}
- [no] cbs <value>
- [no] cir <value>
- [no] color-aware
- [no] ebs <value>
- [no] pbs <value>
- [no] pir <value>
- [no] exceed-action {drop | mark-yellow |
mark-red}
- [no] redirect UU/SS/PP
- [no] set-green-to-fc <value>
- [no] set-red-to-fc <value>
- [no] set-yellow-to-fc <value>
- [no] copy-inner-vpt-to-outer-vpt
+ [no] ip-access-group-standard {NAME | <acl-number>} vlan
- [no] add-vlan <vlan-id>
+ [no] ip-access-group-standard {NAME | <acl-number>} out
- [no] cbs <value>
- [no] cir <value>
- [no] color-aware
- [no] ebs <value>
- [no] pbs <value>
- [no] pir <value>
- [no] dscp <value>
- [no] set-green-to-dscp <value>
- [no] set-green-to-vpt <value>
- [no] set-red-to-dscp <value>
- [no] set-red-to-vpt <value>
- [no] set-yellow-to-dscp <value>
- [no] set-yellow-to-vpt <value>
+ [no] ip-access-group-extended {NAME | <acl-number>} in
+ [no] fc <value>


- [no] cbs <value>
- [no] cir <value>
- [no] color-aware
- [no] ebs <value>
- [no] pbs <value>
- [no] pir <value>
mark-red}
+ [no] ip-access-group-extended {NAME | <acl-number>}
vlan
+ [no] ip-access-group-extended {NAME | <acl-number>} out
- [no] cbs <value>
- [no] cir <value>
- [no] color-aware
- [no] ebs <value>
- [no] pbs <value>
- [no] pir <value>
- [no] dscp <value>
+ ethernet lag lag-id agN

+ [no] ip-access-group-standard {NAME | <acl-number>} in

- [no] fc <value>
- [no] cbs <value>
- [no] cir <value>
- [no] color-aware
- [no] ebs <value>
- [no] pbs <value>
- [no] pir <value>
mark-red}
+ [no] ip-access-group-standard {NAME | <acl-number>} vlan
+ [no] ip-access-group-standard {NAME | <acl-number>} out
- [no] cbs <value>
- [no] cir <value>
- [no] color-aware
- [no] ebs <value>
- [no] pbs <value>
- [no] pir <value>
- [no] dscp <value>
+ [no] ip-access-group-extended {NAME | <acl-number>} in


+ [no] fc <value>
- [no] cbs <value>
- [no] cir <value>
- [no] color-aware
- [no] ebs <value>
- [no] pbs <value>
- [no] pir <value>
mark-red}
+ [no] ip-access-group-extended {NAME | <acl-number>}
vlan
+ [no] ip-access-group-extended {NAME | <acl-number>} out
- [no] cbs <value>
- [no] cir <value>
- [no] color-aware
- [no] ebs <value>
- [no] pbs <value>
- [no] pir <value>
- [no] dscp <value>
+ [no] service

- [no] parent <id> single-rate-limit {cbs <value> | cir

<value>}
+ [no] tls <service-id> sap {UU/SS/PP | agN} c-vlan {<cvlan-id>
| all | untagged}
+ [no] access-groups-rule-sequence <number>
+ [no] ip-access-group-standard {NAME | <acl-number>}
in
- [no] fc <value>
- [no] cbs <value>
- [no] cir <value>
- [no] color-aware
- [no] ebs <value>
- [no] pbs <value>
- [no] pir <value>
mark-red}
- [no] parent <id>
out
- [no] cbs <value>
- [no] cir <value>
- [no] color-aware
- [no] ebs <value>
- [no] pbs <value>
- [no] pir <value>
+ [no] ip-access-group-extended {NAME | <acl-
number>} in
+ [no] fc <value>
- [no] cbs <value>

- [no] cir <value>

- [no] color-aware
- [no] ebs <value>
- [no] pbs <value>
- [no] pir <value>
mark-red}
- [no] parent <id>
number>} out
- [no] cbs <value>
- [no] cir <value>
- [no] color-aware
- [no] ebs <value>
- [no] pbs <value>
- [no] pir <value>
+ [no] dot1q <service-id> sap {UU/SS/PP | agN} c-vlan {<cvlan-
id> | untagged}
in
+ [no] fc <value>
- [no] cbs <value>
- [no] cir <value>
- [no] color-aware
- [no] ebs <value>
- [no] pbs <value>
- [no] pir <value>
mark-red}
- [no] parent <id>
out


- [no] cbs <value>
- [no] cir <value>
- [no] color-aware
- [no] ebs <value>
- [no] pbs <value>
- [no] pir <value>
number>} in
+ [no] fc <value>
- [no] cbs <value>
- [no] cir <value>
- [no] color-aware
- [no] ebs <value>
- [no] pbs <value>
- [no] pir <value>
mark-red}
- [no] parent <id>
number>} out
- [no] cbs <value>
- [no] cir <value>
- [no] color-aware
- [no] ebs <value>
- [no] pbs <value>
- [no] pir <value>
- [no] vpls <vpls-id> sap {{UU/SS/PP | agN}[:[igmp] | :[<vlan-
id>]:[igmp] | UU1/SS1/PP1:<ces-circuit>:{ces | ces-oos}}
- [no] access-groups-rule-sequence <number>
in


- [no] fc <value>
- [no] cbs <value>
- [no] cir <value>
- [no] color-aware
- [no] ebs <value>
- [no] pbs <value>
- [no] pir <value>
- [no] parent <id>
out
- [no] cbs <value>
- [no] cir <value>
- [no] color-aware
- [no] ebs <value>
- [no] pbs <value>
- [no] pir <value>
number>} in
+ [no] fc <value>
- [no] cbs <value>
- [no] cir <value>
- [no] color-aware
- [no] ebs <value>
- [no] pbs <value>
- [no] pir <value>
mark-red}

- [no] parent <id>

number>} out
- [no] cbs <value>
- [no] cir <value>
- [no] color-aware
- [no] ebs <value>
- [no] pbs <value>
- [no] pir <value>
- show port UU/SS/PP access-groups-rule-sequence <number> ip-access-
group-standard [NAME | <acl-number>] [in | out | vlan] [monitoring-
profile <profile-id> [statistics [fbrs-green-bps | fbrs-green-fps |
fbrs-match-counter-bps | fbrs-match-counter-fps | fbrs-not-green-bps
| fbrs-not-green-fps | fbrs-not-red-bps | fbrs-not-red-fps | fbrs-
red-bps | fbrs-red-fps | fbrs-yellow-bps | fbrs-yellow-fps | green-
bps | green-fps | match-counter-bps | match-counter-fps | not-green-
bps | not-green-fps | not-red-bps | not-red-fps | red-bps | red-fps
| yellow-bps | yellow-fps]]]
- show port UU/SS/PP access-groups-rule-sequence <number> ip-access-
group-extended [NAME | <acl-number>] [in | out | vlan] [monitoring-
- show running-config ip access-list
- show running-config ip access-list standard [NAME | <acl-number>]
[description DESCRIPTION | rule {<rule> | {action {deny | permit} |
inner-vlan <vlan-id> [inner-vlan-mask <VLAN mask>] | inner-vpt
<priority> | source-ip A.B.C.D/MASK | untagged | vlan <vlan-id>
[vlan-mask <vlan-mask>] | vpt <priority>}}]
- show running-config ip access-list extended [NAME | <acl-number>]
[description DESCRIPTION | rule {<rule> | {action {deny | permit} |
destination-ip A.B.C.D/MASK | established | icmp-code <value> | icmp-
type <value> | inner-vlan <vlan-id> [inner-vlan-mask <vlan-mask>] |
inner-vpt <priority> | precedence TYPE | protocol <type> | source-ip
A.B.C.D/MASK | tcp-destination-port <value> | tcp-source-port <value>
| tos <value> | udp-destination-port <value> | udp-source-port
<value> | untagged | vlan <vlan-id> [vlan-mask <vlan-mask>] | vpt
<priority>}}]
- show access-group-statistics {lag agN | port UU/SS/PP | service {tls
<service-id> sap {{UU/SS/PP | agN}[:[igmp] | :[<vlan-id>]:[igmp] |
UU1/SS1/PP1:<ces-circuit>:{ces | ces-oos}} [rule-sequence-id
<number>]
- show access-groups {ip-extended | ip-standard | lag | port | service}

- show access-lists {ip-extended | ip-standard}
IP ACL Command Descriptions

Table 4: IP ACLs Configuration Commands
Command Description
ip access-list standard {NAME |

<acl-number>}
Specifies a standard IP ACL and enters standard
IP ACL Configuration mode:
NAME: a string of
<110> characters
acl-number: in the range of <1-99>
no ip access-list standard [NAME | Removes the selected standard IP ACL:
<acl-number>]
NAME: (optional) a string of
<110> characters
acl-number: (optional) in the range
of <1-99>
description DESCRIPTION Associates a description with the standard IP
ACL:
<130> characters
no description Removes the description
rule <value>
Creates a standard IP ACL rule for filtering traffic

and enters the Rule Configuration mode:
no rule [<value>] Removes the standard IP ACL rule:
value: (optional) in the range of
<1-250>
action {deny | permit}
Specifies rule conditions:

deny: denies packets
permit: permits packets
inner-vlan <vlan-id> [inner- Defines a specific VLAN ID and mask for the inner
vlan-mask <vlan-mask>] vlan tag. Applying it on TLS SAP is meaningless.
It cannot be used in combination with the
untagged option.
vlan-mask: in hexadecimal format
FF:FF:FF:FF. Use 0 for meaningful
bits (exact-match) and F for
meaningless bits (any). The last 12
bits are meaningful.
no inner-vlan [<vlan-id>] Removes the selected inner-VLAN and inner-
[inner-vlan-mask [<vlan- mask:
mask>]]

Command Description

<1-4094>
vlan-mask: (optional) in
hexadecimal format FF:FF:FF:FF
inner-vpt <priority> Specifies packet filtering by the VLAN Priority Tag
(VPT) in the inner-VLAN tag header:
priority: in the range of <0-7>
no inner-vpt [<priority>] Removes the selected VPT:
priority: (optional) in the range
of <0-7>
source-ip A.B.C.D/MASK
Specifies the source address of the packet:

A.B.C.D/MASK: source IP-
address/source mask. Use keyword
any when source IP-address/source-
mask is 0.0.0.0/32 (any host)
untagged The ACL rule matches untagged packets only
Both tagged and untagged
no untagged Restores to default
vlan <vlan-id> [vlan-mask Denies a specific VLAN ID and mask for the outer
<vlan-mask>] IP-header:
no vlan [<vlan-id>] [vlan-mask Removes the selected outer-VLAN and outer-
[<vlan-mask>]] mask:
1-4094
vpt <priority> Specifies packet filtering by the VLAN Priority Tag
(VPT) in the outer-VLAN tag header:
no vpt [<priority>] Removes the selected VPT:
of <0-7>
dscp <value> Specifies packet filtering by the DSCP value in the
IP header of the packet:
no dscp [<value>] Removes the defined DSCP value
ip access-list extended {NAME |

<acl-number>}
Specifies an extended IP ACL and enters the
extended IP ACL Configuration mode:

Command Description
NAME: a string of
<110> characters
acl-number: in the range of <100-
199>
no ip access-list extended [NAME | Removes the selected extended IP ACL:
<acl-number>]
<110> characters
of <100-199>
description DESCRIPTION Associates a description with extended IP ACL:
<130> characters
rule <value>
Creates an extended IP ACL rule for filtering

traffic and enters Rule Configuration mode:
no rule [<value>] Removes the extended IP ACL rule:
<1-250>

destination-ip A.B.C.D/MASK
Specifies the destination address of the packet:

A.B.C.D/MASK: destination IP-
address/destination mask. Use
keyword any when destination IP-
address/destination-mask is
0.0.0.0/32 (any host)
untagged option.
meaningless bits (any. The last 12
mask>]]
<1-4094>

Command Description

no inner-vpt Removes the priority
precedence TYPE The ACL rule matches packets by literal

precedence values:
TYPE: see Table 14
no precedence Removes the precedence value
protocol TYPE
Specifies the name or a number of an IP protocol:

TYPE: tcp, udp, ip, ipinip, igmp,
icmp or IP protocol numbers in the
range of <0255>, representing an
IP protocol number
(http://www.iana.org/assignments/pr
otocol-numbers (RFC5237)). To match
any Internet protocol, use the
keyword ip. Some protocols allow
further qualifiers, as described
below
established (valid for TCP protocol only) indicates an
established connection. A match occurs if the
TCP datagram has the ACK or RST bits set.
Packets that do no match are TCP packets sent to
initialize a TCP session.
no established (valid for TCP protocol only) Removes the
configured match of ACK or RST bits.
icmp-code <value> ( valid for ICMP protocol only) matches ICMP
packets by the ICMP message code:
value: in the range of <0255> or a
valid literal ICMP message code
(see Table 16)
no icmp-code Removes the ICMP message code
icmp-type <value> (valid for ICMP protocol only) matches ICMP

packets by the ICMP message type:
valid literal ICMP message type
(see Table 14)
no icmp-type Removes the ICMP message type
tcp-source-port <value> (valid for TCP protocol only) Specifies the decimal
number or a name of source TCP port. Use TCP
port names when filtering TCP packets only:
value: in the range of <065535> or
a TCP port literal value (see Table
17)
no tcp-source-port Removes the literal value of the TCP source port
tcp-destination-port <value> (valid for TCP protocol only) Specifies the decimal
number or a name of destination TCP port. Use

Command Description
TCP port names when filtering TCP packets only:
a TCP port literal value (see Table
17)
no tcp-destination-port Removes the literal value of the TCP destination
port
udp-source-port <value> (valid for UDP protocol only) Specifies the decimal
number or a name of source UDP port. Use UDP
port names when filtering UDP packets only:
a UDP port literal value (see Table
18)
no udp-source-port Removes the literal value of the UDP source port
udp-destination-port <value> (valid for UDP protocol only) Specifies the decimal
number or a name of a UDP destination port. Use
UDP port names when filtering UDP packets only:
a UDP port literal value (see Table
18)
no udp-destination-port Removes the literal value of the UDP destination
port
source-ip A.B.C.D/MASK
Specifies the source-address of the packet:

A.B.C.D/MASK: source IP-
address/source mask. Use keyword
any when source IP-address/source-
mask is 0.0.0.0/32 (any host)
tos <value> The ACL rule matches packets by the service
level type:
valid literal ToS value (See Table
13)
no tos Removes the valid literal ToS value
vlan <vlan-id> [vlan-mask Specifies a specific VLAN ID and mask for the
<vlan-mask>] outer IP-header:
<1-4094>

Command Description
vpt <priority> Specifies packet filtering by the VLAN Priority Tag
of <0-7>
dscp <value> Specifies packet filtering by the DSCP value in the

UU/SS/PP: 1/1/1-1/1/4, 1/2/1-1/2/8
ethernet lag lag-id agN Creates a static LAG and enters LAG
Configuration mode:
<1-14>
service
Enters the Services Configuration mode

parent <id> single-rate-limit {cbs Specifies a parent rate-limiter, which allows you to
<value> | cir <value>} configure Hierarchical policers on the device.
id: in the range of <1-200>
single-rate-limit: configures a
rate limit for the parent group
cbs <value>: specifies the
Committed Burst Size (CBS), in the
range of <1-262144> KB
cir <value>: specifies the
Committed Information Rate (CIR),
in the range of, <81000000>
(depends on the link capacity) kbps
no parent <id> single-rate-limit Removes the configured parent
{cbs | cir}
vpls <vpls-id> sap {{UU/SS/PP |

id>]:[igmp] | Adds a client port to a specific VPLS instance and
UU1/SS1/PP1:<ces- enters SAP Configuration mode:
circuit>:{ces | ces-oos}}
vpls-id: in the range of <1
4294967295>
UU/SS/PP: 1/1/1-1/1/4, 1/2/1-1/2/8

Command Description
NOTE
For unqualified SAPs, options
inner-vpt and inner-vlan must
be used as a matching option.
For qualified SAPs, options
VPT and VLAN must be used
as a matching option.
<1-14>
<1-4094>
values are: 1/3/9.
range of <1-64>
packets
control packets
no vpls <vpls-id> sap [{{UU/SS/PP Removes the SAP:
| agN}[:[igmp] | :[<vlan-
UU1/SS1/PP1:<ces- physical port (unit, slot and port)
circuit>:{ces | ces-oos}} ] defined as SAP.(can be obtained
UU/SS/PP: 1/1/1-1/1/4, 1/2/1-1/2/8
<1-14>

<1-4094>
values are: 1/3/9.
range of <1-64>
packets
control packets

Command Description
tls <service-id> sap {UU/SS/PP |
agN} c-vlan {<cvlan-id> | all
| untagged} Creates a TLS service instance and enters TLS
Configuration mode:
4294967295>
sap: creates a service access point
(SAP) and enters SAP Configuration
mode
1/1/1-1/1/4, 1/2/1-1/2/8
<1-14>
c-vlan: specifies a customer VLAN
(C-VLAN) and enters C-VLAN
Configuration mode
traffic only
no tls [<service-id>] sap
[UU/SS/PP | agN] c-vlan
[<cvlan-id> | all | untagged] Removes the created TLS service:
of <14294967295>
sap: (optional) creates a service
access point (SAP) and enters SAP
Configuration mode
the range of 1/1/1-1/1/4, 1/2/1-
1/2/8
agN: (optional) LAG ID. N is in the
range of <1-14>
c-vlan: (optional) Specifies a
customer VLAN (C-VLAN) and enters
C-VLAN Configuration mode
cvlan-id: (optional) in the range
of <1-4094>
all: (optional) tunnels all the
traffic
untagged:(optional) tunnels the
untagged traffic only
dot1q <service-id> sap {UU/SS/PP Enters 802.1Q service Configuration mode for the
| agN} c-vlan {<cvlan-id> | specified SAP C-VLAN, creates a service access
untagged} point (SAP), and specifies a customer VLAN (C-
VLAN):
4294967294>

Command Description
1/1/1-1/1/4 and 1/2/1-1/2/8. This
port has to be an untagged member
of the S-VLAN
<1-14>
traffic only
NOTE
SAP.
versa.
no dot1q [<service-id>] sap Removes the specified 802.1Q service or, when
[{UU/SS/PP | agN} c-vlan used without a parameter, removes all configured
{<cvlan-id> | untagged}] 802.1Q services:
of <1-4294967294>
the range of 1/1/1-1/1/4 and 1/2/1-
1/2/8
range of <1-14>
traffic only
access-groups-rule-sequence
<number>
Specifies the sequential order in which the ACL
rules are processed:
NOTE
When applying the same ACL type
(for example, IP or MAC ACLs) to
an already used sequence number,
remove and apply the ACL again.
This action is not required when
applying different ACL types to the
same sequence number.
no access-groups-rule-sequence Removes the configured sequence number:
[<number>]
number: (optional) in the range of
<1-250>

Command Description
ip-access-group-standard {NAME
| <acl-number>} {in | out |
vlan} Assigns a IP ACG to a port/s and enters the IP
ACG Configuration mode:
NAME: a string of <110> characters
acl-number: in the range of <1-99>
in: filters the ingress traffic
only
out: filters the egress traffic
only
vlan: redirects the matching
ingress traffic to a VLAN
no ip-access-group-standard Removes the specified IP ACG:
[NAME | <acl-number>] [in
| out | vlan] NAME: (optional) a string of
<110> characters
of <1-99>
in: (optional) filters the ingress
traffic only
out: (optional) filters the egress
traffic only
restrict-egress-forwarding (valid only for ingress ACLs) Restricts the traffic
UU/SS/PP to be forwarded only to a specific port:
UU/SS/PP: 1/1/1-1/1/4, 1/2/1-1/2/8
no restrict-egress-forwarding Removes the restriction from all ports or only from
[UU/SS/PP] the selected port when the UU/SS/PP argument is
specified
fc <value> Applies forwarding class (FC) mapping on ACG
(only the ingress traffic) and enters the FC
Configuration mode:
value: FC value (see Table 19)
no fc [<value>] Removes FC mapping:
value: (optional) FC value
color {red | green | Specifies the conforming level:
yellow}
red: the non-conforming drop level
green: the conforming drop level
yellow: the partially conforming
level
monitoring-profile <profile- Enables fps and bps packet counters per ACL
id> rules:
profile-id: any number. Up to 24
profiles can be defined.
no monitoring-profile Disables fps and bps monitoring:
[<profile-id>]
profile-id: (optional) any number

Command Description
rate-limit {dual | single} Applies a rate-limit on the ACG for the specified
port and enters Rate-Limit Configuration mode:
dual: the Two Rate Three Color
Marker (RFC 2698)
single: the Single Rate Three Color
Marker (RFC 2697)
no rate-limit [dual | single] Removes the rate limit from the configured ACG:
dual: (optional) the Two Rate Three
Color Marker (RFC 2698)
single: (optional)the Single Rate
Three Color Marker (RFC 2697)
cbs <value> Specifies the Committed Burst Size (CBS):
KB
100 KB
no cbs Restores to default
cir <value> Specifies the Committed Information Rate (CIR):

value: in the range of, <81000000>
1000 kbps
no cir Restores to default
color-aware Enables the color-aware mode
Color blind
no clor-aware Restores to default
pbs <value> (valid only for dual rate) Specifies the Peak Burst
Size (PBS):
KB
100 KB
no pbs Restores to default
pir <value> (valid only for dual rate) Specifies the Peak
Information Rate (PIR):
1000 kbps
no pir Restores to default
ebs <value> (valid only for single rate) Specifies the Excess
Burst Size (EBS):
KB
100 KB
no ebs Restores to default
exceed-action {drop | Specifies the action performed once the packet is
mark-yellow | mark-red} classified as exceeding a particular rate limit:
drop: drops the packet

Command Description
mark-yellow: marks the packet as

yellow
mark-red: marks the packet as red
Drop
no exceed-action [drop | Restores to default
mark-yellow | mark-red]
redirect UU/SS/PP (valid only for ingress ACLs) Redirects matching

traffic to the specified port:
UU/SS/PP: 1/1/1-1/1/4, 1/2/1-1/2/8
no redirect [UU/SS/PP] Removes the traffic redirection from the specified
port:
UU/SS/PP: (optional) 1/1/1-1/1/4,
1/2/1-1/2/8
vlan <vlan-id> (Only for VLAN Traffic Redirection ACLs)
Redirects matching traffic to the specified VLAN
by changing the VLAN ID in the packet header.
NOTE
The port on which the newly-
tagged packets arrive must be a
tagged member of vlan on which
the packet arrives before being re-
tagged.
no vlan [<vlan-id>] Removes traffic redirection:
<1-4094>
add-vlan <vlan-id> (Only for VLAN Traffic Redirection ACLs)
by adding a VLAN tag to the untagged frame, or
an additional VLAN tag to the VLAN-tagged
frame:
no add-vlan [<vlan-id>] Removes traffic redirection:
<1-4094>
dscp <value> Changes the DSCP value in the IP header of the
packet:
value: the new DSCP value in the
range of <0-63>
inner-vpt <priority> Changes the VLAN Priority Tag (VPT) in the

inner-VLAN tag header:
priority: the new VPT value in the
range of <07>
no inner-vpt [<priority>] Removes the defined VPT:
of <07>

Command Description
vpt <priority> Changes the VLAN Priority Tag (VPT) in the

outer-VLAN tag header:
range of <0-7>
no vpt [<priority>] Removes the defined VPT:
of <07>
copy-inner-vpt-to-outer-vpt Remarks the outer S-VLAN ID with the inner C-
VLAN ID
Disabled
no copy-inner-vpt-to-outer- Restores to default
vpt
ip-access-group-extended {NAME
| <acl-number>} {in | out |
vlan} Assigns a IP ACG to a port/s and enters the IP
NAME: a string of
<110> characters
199>
only
only
no ip-access-group-extended Removes the specified IP ACG:
[NAME | <acl-number>] [in |
out | vlan] NAME: (optional) a string of
110 characters
of <100-199>
traffic only
traffic only
UU/SS/PP: 1/1/1-1/1/4, 1/2/1-1/2/8
specified
(only the ingress traffic) and enters FC
Configuration mode:

Command Description

yellow}
level
id> rules:
Disabled
[<profile-id>]
Marker (RFC 2698)
Marker (RFC 2697)
KB
100 KB

1000 kbps
Color blind
Size (PBS):
v value: in the range of <1-262144>
KB
100 KB

Command Description
1000 kbps
Burst Size (EBS):
KB
100 KB
parent <id> (valid only for ingress ACLs) Applies the

configured parent rate-limiter:
no parent Removes the applied parent
yellow
Drop

UU/SS/PP: 1/1/1-1/1/4, 1/2/1-1/2/8
no redirect [UU/SS/PP] Removes traffic redirection from the specified
port:
1/2/1-1/2/8
by changing the VLAN ID in the packet header:
<1-4094>
by adding tags to untagged traffic and adding an
additional tag to tagged traffic:
<1-4094>

Command Description

packet:
range of <0-63>
inner-vpt <priority> (for egress ACLs) Changes the VLAN Priority Tag
range of <07>
of <07>
vpt <priority> (For VLAN and egress ACLs) Changes the VLAN
Priority Tag (VPT) in the outer-VLAN tag header:
range of <0-7>
of <07>
copy-inner-vpt-to-outer-vpt (valid only for ingress ACLs)
Remarks the outer S-VLAN ID with the inner C-
VLAN ID
Disabled
vpt
set-green-to-dscp <value> (valid only for egress ACLs) Remarks the DSCP
value in the IP header for traffic marked green:
no set-green-to-dscp Removes the configured value
set-green-to-vpt <value> (valid only for egress ACLs) Remarks the CoS
priority value in the IP header for traffic marked
green:
no set-green-to-vpt Removes the configured value
set-red-to-dscp <value> (valid only for egress ACLs) Remarks the DSCP
value in the IP header for traffic marked red:
no set-red-to-dscp Removes the configured value
set-red-to-vpt <value> (valid only for egress ACLs) Remarks the CoS
green:
no set-red-to-vpt Removes the configured value
set-yellow-to-dscp <value> (valid only for egress ACLs) Remarks the DSCP

Command Description

no set-yellow-to-dscp Removes the configured value
set-yellow-to-vpt <value> (valid only for egress ACLs) Remarks the CoS
green:
no set-yellow-to-vpt Removes the configured value
set-green-to-fc <value> (valid only for ingress ACLs) Maps traffic marked
green to a Forwarding Class (FC):
no set-green-to-fc Removes the configured value
set-red-to-fc <value> (valid only for ingress ACLs) Maps traffic marked
red to a Forwarding Class (FC):
no set-red-to-fc Removes the configured value
set-yellow-to-fc <value> (valid only for ingress ACLs) Maps traffic marked
yellow to a Forwarding Class (FC):
no set-yellow-to-fc Removes the configured value
Table 5: IP ACLs Show Commands

Command Description
show port UU/SS/PP [access-groups-rule- Displays the standard IP ACGs configured on

sequence <number>] ip-access-group- ports:
standard [NAME | <acl-number>] [in
| out | vlan] [monitoring-profile UU/SS/PP: port number
<profile-id> [statistics [fbrs-
green-bps | fbrs-green-fps | fbrs- number: the sequence number ,in the
match-counter-bps | fbrs-match- range of <1-250>
counter-fps | fbrs-not-green-bps |
fbrs-not-green-fps | fbrs-not-red-bps NAME: a string of
| fbrs-not-red-fps | fbrs-red-bps | <110> characters
fbrs-red-fps | fbrs-yellow-bps |
fbrs-yellow-fps | green-bps | green- acl-number: in the range of <1-99>
fps | match-counter-bps | match-
counter-fps | not-green-bps | not- in: only ingress ACGs
green-fps | not-red-bps | not-red-fps
| red-bps | red-fps | yellow-bps | out: only egress ACGs
yellow-fps]]]
monitoring-profile statistics:
counts match packets
vlan: only VLAN traffic redirection
ACLs
NOTE
Statistics counters are reset
whenever a new ACL/monitoring
profile is applied on a port/SAP
port.

Command Description
show port UU/SS/PP [access-groups- Displays information about the extended IP ACGs,
rule-sequence <number>] ip-access- filtered by the command arguments:
group-extended [NAME | <acl-
number>] [in | out | vlan] UU/SS/PP: port number
[monitoring-profile <profile-id>
[statistics [fbrs-green-bps | fbrs- number: the sequence number ,in the
green-fps | fbrs-match-counter-bps | range of <1-250>
fbrs-match-counter-fps | fbrs-not-
green-bps | fbrs-not-green-fps | NAME: a string of
fbrs-not-red-bps | fbrs-not-red-fps | <110> characters
fbrs-red-bps | fbrs-red-fps | fbrs-
yellow-bps | fbrs-yellow-fps | green- acl-number: in the range of <100-
bps | green-fps | match-counter-bps | 199>
match-counter-fps | not-green-bps |
not-green-fps | not-red-bps | not- in: only ingress ACGs
red-fps | red-bps | red-fps | yellow-
bps | yellow-fps]]] out: only egress ACGs
monitoring-profile statistics:
counts match packets
ACLs
NOTE
port.
show running-config ip access-list Displays the configured IP ACLs
show running-config ip access-list Displays information about standard IP ACLs,
standard [NAME | <1-99>] filtered by command arguments
[description DESCRIPTION | rule
{<1-250> | {action {deny | permit} |
inner-vlan <vlan-id> [inner-vlan-mask
<VLAN mask>] | inner-vpt <priority>
| source-ip A.B.C.D/MASK | untagged
| vlan <vlan-id> [vlan-mask <vlan-
mask>] | vpt <priority>}}]
show running-config ip access-list Displays information about extended IP ACLs,

extended [NAME | <100-199>] filtered by command arguments
[description DESCRIPTION | rule
{<1-250> | {action {deny | permit} |
destination-ip A.B.C.D/MASK |
established | icmp-code <value> |
icmp-type <value> | inner-vlan
<vlan-id> [inner-vlan-mask <vlan-
mask>] | inner-vpt <priority> |
precedence TYPE | protocol <type> |
source-ip A.B.C.D/MASK | tcp-
destination-port <value> | tcp-
source-port <value> | tos {<0-7> |
max-reliability | max-throughput |
min-delay | min-monetary-cost |
normal} | udp-destination-port
<value> | udp-source-port <value> |
untagged | vlan <vlan-id> [vlan-mask
<vlan-mask>] | vpt <priority>}}]

Command Description
show access-group-statistics {lag agN | Displays IP ACGs statistics filtered by command

port UU/SS/PP | service {tls arguments
<service-id> sap {{UU/SS/PP |
agN}[:[igmp] | :[<vlan-id>]:[igmp] | NOTE
UU1/SS1/PP1:<ces-circuit>:{ces |
ces-oos}} [rule-sequence-id
<number>] whenever a new ACL/monitoring
port.
show access-groups {ip-extended | ip- Displays the current ACGs applied on ports,
standard | lag | port | service} filtered by command arguments
show access-lists {ip-extended | ip- Displays all ACLs and their parameters configured
standard} on the device, filtered by command arguments
IPv6 ACL Command Hierarchy

NOTE
device-name#
+ config terminal
+ system
+ [no] resource-management
- [no] ipv6-access-list
+ [no] ipv6 access-list NAME
+ [no] rule <value>
- destination-ip IPv6-PREFIX/LENGTH
- [no] dscp <value>
+ protocol TYPE
- [no] established
- [no] icmp-code <value>
- [no] icmp-type <value>
- [no] tcp-source-port <value>
- [no] tcp-destination-port <value>
- [no] udp-source-port <value>
- [no] udp-destination-port <value>
- source-ip IPv6-PREFIX/LENGTH
- [no] traffic-class <value>

- [no] untagged
+ port UU/SS/PP
+ [no] ipv6-access-group NAME in
+ [no] fc <value>
- [no] cbs <value>
- [no] cir <value>
- [no] color-aware
- [no] ebs <value>
- [no] pbs <value>
- [no] pir <value>
mark-red}
+ [no] fc <value>
- [no] cbs <value>
- [no] cir <value>
- [no] color-aware
- [no] ebs <value>
- [no] pbs <value>
- [no] pir <value>
mark-red}


+ [no] service
| all | untagged}
+ [no] fc <value>
- [no] cbs <value>
- [no] cir <value>
- [no] color-aware
- [no] ebs <value>
- [no] pbs <value>
- [no] pir <value>
mark-red}
+ [no] fc <value>
- [no] cbs <value>
- [no] cir <value>
- [no] color-aware
- [no] ebs <value>
- [no] pbs <value>

- [no] pir <value>

mark-red}
id> | untagged}
+ [no] fc <value>
- [no] cbs <value>
- [no] cir <value>
- [no] color-aware
- [no] ebs <value>
- [no] pbs <value>
- [no] pir <value>
mark-red}
- show access-lists ipv6
- show access-groups ipv6
- show port UU/SS/PP [access-groups-rule-sequence <number>] ipv6-
access-group NAME [in] [monitoring-profile <profile-id> [statistics
[fbrs-green-bps | fbrs-green-fps | fbrs-match-counter-bps | fbrs-
match-counter-fps | fbrs-not-green-bps | fbrs-not-green-fps | fbrs-
not-red-bps | fbrs-not-red-fps | fbrs-red-bps | fbrs-red-fps | fbrs-
yellow-bps | fbrs-yellow-fps | green-bps | green-fps | match-
counter-bps | match-counter-fps | not-green-bps | not-green-fps |
not-red-bps | not-red-fps | red-bps | red-fps | yellow-bps | yellow-
fps]]]
- show running-config ipv6 access-list

IPv6 ACL Command Descriptions

Table 6: IPv6 ACLs Configuration Commands
Command Description

resource-management Enters the Resource Management Configuration
mode
no resource-management Removes specific resource management
configurations
ipv6-access-list Enables the IPv6 ACLs functionality.
The command takes effect only after
performing the commit command and
reloading the device.
Disabled
no ipv6-access-list Disables the IPv6 ACLs functionality.
The command takes effect only after
performing the commit command and
reloading the device.
ipv6 access-list NAME Specify an IPv6 ACL and enter IPv6 ACL
Configuration mode:
NAME: a string of <110>
characters
no ipv6 access-list [NAME] Removes the selected IPv6 ACL:
<110> characters
description DESCRIPTION Associates a description with IPv6 ACL:
<130> characters
rule <value>
Creates an IPv6 ACL rule for filtering traffic and

enters the Rule Configuration mode:
no rule [<value>] Removes the IPv6 ACL rule:
<1-250>

permit: permits packets to pass
the configured ACL
dscp <value> Specifies packet filtering by the DSCP value in
the IP header of the packet:

Command Description
no dscp [<value>] Removes the defined DSCP value:

<0-63>
inner-vlan <vlan-id> [inner-vlan- Defines a specific VLAN ID and mask for the
mask <vlan-mask>] inner vlan tag. Applying it on TLS SAP is
meaningless. It cannot be used in combination
with the untagged option.
meaningless bits (any). The last
12 bits are meaningful.
no inner-vlan <vlan-id> [inner- Removes the selected inner-VLAN and inner-
vlan-mask <vlan-mask>] mask:
of <1-4094>
inner-vpt <priority> Specifies packet filtering by the VLAN Priority
Tag (VPT) in the inner-VLAN tag header:
no inner-vpt <priority> Removes the selected VPT:
of <0-7>
destination-ip IPv6-
PREFIX/LENGTH
Specifies the destination IPv6 network or class of
networks for which to set deny or permit
conditions:
IPv6-PREFIX/LENGTH: destination
IPv6 network, in hexadecimal and
using 16-bit values between colons
(documented in RFC 3513). Enter
any as an abbreviation for the
IPv6 prefix ::/0.
protocol TYPE
Specifies the name or a number of an IP

protocol:
TYPE: tcp, udp, ip, ipinip, igmp,
ospf, pim, icmp or IP protocol
numbers in the range of <0255>,
representing an IP protocol number
(http://www.iana.org/assignments/p
rotocol-numbers (RFC5237)). To
match any Internet protocol, use
the keyword ip. Some protocols
allow further qualifiers, as
described below
established (valid for TCP protocol only) indicates an
established connection. A match occurs if the
TCP datagram has the ACK or RST bits set.

Command Description
Packets that do no match are TCP packets sent
to initialize a TCP session.
no established (valid for TCP protocol only) Removes the
configured match of ACK or RST bits.
icmp-code <value> ( valid for ICMP protocol only) matches ICMP
packets by the ICMP message code:
a valid literal ICMP message code
(see Table 13)
no icmp-code Removes the ICMP message code
icmp-type <value> (valid for ICMP protocol only) matches ICMP

packets by the ICMP message type:
a valid literal ICMP message type
(see Table 11)
no icmp-type Removes the ICMP message type
tcp-source-port <value> (valid for TCP protocol only) Specifies the

decimal number or a name of source TCP port.
Use TCP port names when filtering TCP packets
only:
or a TCP port literal value (see
Table 14)
no tcp-source-port Removes the literal value of the TCP source port
tcp-destination-port <value> (valid for TCP protocol only) Specifies the

decimal number or a name of destination TCP
port. Use TCP port names when filtering TCP
packets only:
or a TCP port literal value (see
Table 14)
no tcp-destination-port Removes the literal value of the TCP destination
port
udp-source-port <value> (valid for UDP protocol only) Specifies the
decimal number or a name of source UDP port.
Use UDP port names when filtering UDP packets
only:
or a UDP port literal value (see
Table 15)
no udp-source-port Removes the literal value of the UDP source port
udp-destination-port <value> (valid for UDP protocol only) Specifies the

decimal number or a name of a UDP destination
port. Use UDP port names when filtering UDP
packets only:
or a UDP port literal value (see
Table 15)
no udp-destination-port Removes the literal value of the UDP destination

Command Description
port
source-ip IPv6-PREFIX/LENGTH
Specifies the source IPv6 network or class of

networks for which to set deny or permit
conditions:
IPv6-PREFIX/LENGTH: source IPv6
network, in hexadecimal and using
16-bit values between colons
(documented in RFC 3513). Enter
any as an abbreviation for the
IPv6 prefix ::/0.
vlan <vlan-id> [vlan-mask <vlan- Specifies a specific VLAN ID and mask for the
mask>] outer IP-header:
of <1-4094>
vpt <priority> Specifies packet filtering by the VLAN Priority
Tag (VPT) in the outer-VLAN tag header:
of <0-7>
traffic-class <value> Specifies the traffic class that matches the traffic
class field in the IPv6 header
no traffic-class [<value>] Removes the configured value:
<0-255>

UU/SS/PP: 1/1/1-1/1/4, 1/2/1-1/2/8
Configuration mode:
<1-14>


Command Description
service


agN} c-vlan {<cvlan-id> | all |
untagged} Creates a TLS service instance and enters TLS
Configuration mode:
4294967295>
sap: creates a service access
point (SAP) and enters SAP
Configuration mode
UU/SS/PP: SAP port, in the range
of 1/1/1-1/1/4, 1/2/1-1/2/8
<1-14>
Configuration mode
traffic only
range of <14294967295>
Configuration mode
the range of 1/1/1-1/1/4, 1/2/1-
1/2/8
the range of <1-14>
of <1-4094>
traffic

Command Description
dot1q <service-id> sap {UU/SS/PP Enters 802.1Q service Configuration mode for
| agN} c-vlan {<cvlan-id> | the specified SAP C-VLAN, creates a service
untagged} access point (SAP), and specifies a customer
VLAN (C-VLAN):
4294967294>
of 1/1/1-1/1/4 and 1/2/1-1/2/8.
<1-14>
traffic only
NOTE
SAP.
versa.
[{UU/SS/PP | agN} c-vlan used without a parameter, removes all
{<cvlan-id> | untagged}] configured 802.1Q services:
range of <1-4294967294>
the range of 1/1/1-1/1/4 and
1/2/1-1/2/8
the range of <1-14>
traffic only
id>]:[igmp] | UU1/SS1/PP1:<ces- Adds a client port to a specific VPLS instance
circuit>:{ces | ces-oos}} and enters SAP Configuration mode:
4294967295>

Command Description
command)
UU/SS/PP: 1/1/1-1/1/4, 1/2/1-1/2/8
NOTE
<1-14>
of <1-4094>
values are: 1/3/9.
range of <1-64>
packets
control packets
no vpls <vpls-id> sap {{UU/SS/PP | Removes the SAP:
id>]:[igmp] | UU1/SS1/PP1:<ces- UU/SS/PP: the corresponding
circuit>:{ces | ces-oos}} physical port (unit, slot and
command)
<1-14>
of <1-4094>
values are: 1/3/9.
range of <1-64>
packets
control packets

Command Description

UU/SS/PP: 1/1/1-1/1/4, 1/2/1-1/2/8
access-groups-rule-sequence <number>
Specifies the sequential order in which the ACL

rules are processed:
number: in the range of <1 - 250>
NOTE
[<number>]
<1-250>
ipv6-access-group NAME in
Assigns a IPv6 ACG to a port/s and enters the

IPv6 ACG Configuration mode:
NAME: a string of <110>
characters
only
no ipv6-access-group [NAME] [in] Removes the specified IPv6 ACG:
<110> characters
traffic only
UU/SS/PP: 1/1/1-1/1/4, 1/2/1-1/2/8
no restrict-egress-forwarding Removes the restriction from all ports or only
[UU/SS/PP] from the selected port when the UU/SS/PP
argument is specified
(only the ingress traffic) and enters the FC
Configuration mode:
yellow}

Command Description

level
id> rules:
[<profile-id>]
Marker (RFC 2698)
single: the Single Rate Three
dual: (optional) the Two Rate
KB
100 KB

value: in the range of, <8
1000000> (depends on the link
capacity) kbps
1000 kbps
Color blind
Size (PBS):
KB
100 KB
capacity) kbps
1000 kbps

Command Description
Burst Size (EBS):
KB
100 KB
exceed-action {drop | mark- Specifies the action performed once the packet is
yellow | mark-red} classified as exceeding a particular rate limit:
yellow
Drop
VLAN ID
Disabled
no copy-inner-vpt-to-outer-vpt Restores to default

UU/SS/PP: 1/1/1-1/1/4, 1/2/1-1/2/8
no redirect [UU/SS/PP] Removes the traffic redirection from the specified
port:
1/2/1-1/2/8
show access-lists ipv6 Displays all ACLs and their parameters
configured on the device
show access-groups ipv6 Displays the current ACGs applied on ports
show port UU/SS/PP [access-groups- Displays the IPv6 ACGs configured on ports:

Command Description
rule-sequence <number>] ipv6-
UU/SS/PP: port number
access-group NAME [in] [monitoring-
profile <profile-id> [statistics number: the sequence number ,in
[fbrs-green-bps | fbrs-green-fps | the range of <1-250>
fbrs-match-counter-bps | fbrs-match-
counter-fps | fbrs-not-green-bps | NAME: a string of
fbrs-not-green-fps | fbrs-not-red- <110> characters
bps | fbrs-not-red-fps | fbrs-red-
bps | fbrs-red-fps | fbrs-yellow-bps in: only ingress ACGs
| fbrs-yellow-fps | green-bps |
green-fps | match-counter-bps | monitoring-profile statistics:
match-counter-fps | not-green-bps | counts match packets
not-green-fps | not-red-bps | not-
red-fps | red-bps | red-fps | profile-id: any number
yellow-bps | yellow-fps]]]
NOTE
profile is applied on a port.
show running-config ipv6 access-list Displays the configured IPv6 ACLs
MAC ACLs Commands Hierarchy

NOTE
device-name#
+ config terminal
+ [no] mac access-list {NAME | <acl-number>}
+ [no] rule <value>
- [no] da-type <type>
- destination_mac HH:HH:HH:HH:HH:HH destination_mac_mask
HH:HH:HH:HH:HH:HH
- precedence TYPE
- source_mac HH:HH:HH:HH:HH:HH source_mac_mask
HH:HH:HH:HH:HH:HH
- [no] tos <value>
- [no] untagged
- [no] dscp <value>
+ port UU/SS/PP

+ [no] mac-access-group {NAME | <acl-number>} in

- [no] fc <value>
- [no] cbs <value>
- [no] cir <value>
- [no] color-aware
- [no] ebs <value>
- [no] pbs <value>
- [no] pir <value>
mark-red}
+ [no] mac-access-group {NAME | <acl-number>} vlan
+ [no] mac-access-group {NAME | <acl-number>} out
- [no] cbs <value>
- [no] cir <value>
- [no] color-aware
- [no] ebs <value>
- [no] pbs <value>
- [no] pir <value>
- [no] dscp <value>


- [no] fc <value>
- [no] cbs <value>
- [no] cir <value>
- [no] color-aware
- [no] ebs <value>
- [no] pbs <value>
- [no] pir <value>
mark-red}
+ [no] mac-access-group {NAME | <acl-number>} vlan
- [no] cbs <value>
- [no] cir <value>
- [no] color-aware
- [no] ebs <value>
- [no] pbs <value>
- [no] pir <value>
- [no] dscp <value>


+ [no] service
<value>}
+ [no] tls <service-id> sap {UU/SS/PP | agN} c-vlan {<cvlan-
id> | all | untagged}
- [no] fc <value>
- [no] cbs <value>
- [no] cir <value>
- [no] color-aware
- [no] ebs <value>
- [no] pbs <value>
- [no] pir <value>
- [no] parent <id>
- [no] cbs <value>
- [no] cir <value>
- [no] color-aware
- [no] ebs <value>
- [no] pbs <value>
- [no] pir <value>
id> | untagged}
+ [no] fc <value>

- [no] cbs <value>

- [no] cir <value>
- [no] color-aware
- [no] ebs <value>
- [no] pbs <value>
- [no] pir <value>
- [no] parent <id>
- [no] cbs <value>
- [no] cir <value>
- [no] color-aware
- [no] ebs <value>
- [no] pbs <value>
- [no] pir <value>
- [no] fc <value>
- [no] cbs <value>
- [no] cir <value>
- [no] color-aware
- [no] ebs <value>
- [no] pbs <value>
- [no] pir <value>
mark-red}
- [no] parent <id>


- [no] cbs <value>
- [no] cir <value>
- [no] color-aware
- [no] ebs <value>
- [no] pbs <value>
- [no] pir <value>
- show port UU/SS/PP [access-groups-rule-sequence <number>] mac-access-
group [NAME | <acl-number>] [in | out | vlan] [monitoring-profile
<profile-id> [statistics [fbrs-green-bps | fbrs-green-fps | fbrs-
match-counter-bps | fbrs-match-counter-fps | fbrs-not-green-bps |
fbrs-not-green-fps | fbrs-not-red-bps | fbrs-not-red-fps | fbrs-red-
bps | fbrs-red-fps | fbrs-yellow-bps | fbrs-yellow-fps | green-bps |
green-fps | match-counter-bps | match-counter-fps | not-green-bps |
not-green-fps | not-red-bps | not-red-fps | red-bps | red-fps |
yellow-bps | yellow-fps]]]
- show running-config mac access-list
- show running-config mac access-list [NAME | <acl-number>] [description
DESCRIPTION | rule {<rule> | {action {deny | permit} | da-type
<type> | destination_mac HH:HH:HH:HH:HH:HH destination_mac_mask
HH:HH:HH:HH:HH:HH | inner-vlan <vlan-id> [inner-vlan-mask <vlan-mask>]
| inner-vpt priority> | precedence TYPE | source_mac
HH:HH:HH:HH:HH:HH source_mac_mask HH:HH:HH:HH:HH:HH | tos <value> |
untagged | vlan <vlan-id> [vlan-mask <vlan-mask>] | vpt <priority>}}]
- show access-groups mac
- show access-lists mac
MAC ACL Command Descriptions

Table 7: MAC ACLs Configuration Commands
Command Description
mac access-list {NAME | <acl-

number>}
Specifies an MAC ACL and enters MAC ACL
Configuration mode:
NAME: a string of
<110> characters
499>
no mac access-list [NAME | <acl- Removes the selected MAC ACL:
number>]
<110> characters
acl-number: (optional) in the
range of <400-499>
description DESCRIPTION Associates a description with MAC ACL:
<130> characters

Command Description
rule <value>
Creates an MAC ACL rule to filter traffic and

enters Rule Configuration mode:
no rule [<value>] Removes the MAC ACL rule:
<1-250>

da-type <type> Specifies traffic type:
type: see Table 11
no da-type [<type>] Removes traffic type:
type: (optional) see Table 11
destination_mac
HH:HH:HH:HH:HH:HH
destination_mac_mask Specifies the destination MAC address and mask
HH:HH:HH:HH:HH:HH the packet is sent to:
HH:HH:HH:HH:HH:HH: MAC address and
mask in hexadecimal format. The
any keyword that represents all
MAC addresses
inner-vlan <vlan-id> [inner- Defines a specific VLAN ID and mask for the
vlan-mask <vlan-mask>] inner vlan tag. Applying it on TLS SAP is
meaningless. It cannot be used in combination
with the untagged option.
mask>]]
of <1-4094>
inner-vpt <priority> Specifies packet filtering by the VLAN Priority
Tag (VPT) in the inner-VLAN tag header:
of <0-7>

Command Description
precedence TYPE The ACL rule matches packets by literal

precedence values:
TYPE: see Table 14
source_mac HH:HH:HH:HH:HH:HH
source_mac_mask
HH:HH:HH:HH:HH:HH Specifies the source MAC-address of the packet
and the mask:
HH:HH:HH:HH:HH:HH: MAC address and
mask in hexadecimal format. The
any keyword that represents all
MAC addresses
tos <value> The ACL rule matches packets by the service
level type:
literal ToS value (See Table 13)
vlan <vlan-id> [vlan-mask Denies a specific VLAN ID and mask for the
<vlan-mask>] outer IP-header:
of <1-4094>
vpt <priority> Specifies packet filtering by the VLAN Priority
Tag (VPT) in the outer-VLAN tag header:
of <0-7>
dscp <value> Specifies packet filtering by the DSCP value in
the IP header of the packet:
port UU/SS/PP Enters Port Configuration mode

Command Description
Configuration mode:
<1-14>
service

parent <id> single-rate-limit {cbs Specifies a parent rate-limiter, which allows you
<value> | cir <value>} to configure Hierarchical policers on the device.
(depends on the link capacity)
kbps
{cbs | cir}

id>]:[igmp] | Adds a client port to a specific VPLS instance
UU1/SS1/PP1:<ces-circuit>:{ces and enters SAP Configuration mode:
| ces-oos}}
4294967295>
command)
UU/SS/PP: 1/1/1-1/1/4, 1/2/1-1/2/8

NOTE

<1-14>
of <1-4094>

Command Description

values are: 1/3/9.
range of <1-64>
packets
control packets
UU1/SS1/PP1:<ces-circuit>:{ces physical port (unit, slot and
| ces-oos}} ] port) defined as SAP.(can be
command)
UU/SS/PP: 1/1/1-1/1/4, 1/2/1-1/2/8
<1-14>
of <1-4094>
values are: 1/3/9.
range of <1-64>
packets
control packets
Configuration mode:
4294967295>
Configuration mode
of 1/1/1-1/1/4, 1/2/1-1/2/8
<1-14>

Command Description

Configuration mode
traffic only
range of <14294967295>
Configuration mode
the range of 1/1/1-1/1/4, 1/2/1-
1/2/8
the range of <1-14>
of <1-4094>
traffic
untagged: (optional) tunnels the
dot1q <service-id> sap {UU/SS/PP Enters 802.1Q service Configuration mode for
| agN} c-vlan {<cvlan-id> | the specified SAP C-VLAN, creates a service
untagged} access point (SAP), and specifies a customer
VLAN (C-VLAN):
4294967294>
of 1/1/1-1/1/4 and 1/2/1-1/2/8.
<1-14>
traffic only
NOTE

Command Description

SAP.
versa.
[{UU/SS/PP | agN} c-vlan used without a parameter, removes all
{<cvlan-id> | untagged}] configured 802.1Q services:
range of <1-4294967294>
the range of 1/1/1-1/1/4 and
1/2/1-1/2/8
the range of <1-14>
traffic only
<number>
Specifies the sequential order in which ACL rules
are processed:
number: in the range of <1 - 250>
NOTE
[<number>]
<1-250>
mac-access-group {NAME | <acl-
number>} {in | out | vlan}
Assigns a MAC ACG to a port/s and enters MAC
NAME: a string of
<110> characters
499>
only

Command Description
only
no mac-access-group [NAME | Removes the specified MAC ACG:
<acl-number>] [in | out |
vlan] NAME: (optional) a string of
<110> characters
acl-number: (optional) in the
range of <400-499>
traffic only
traffic only
UU/SS/PP: 1/1/1-1/1/4, 1/2/1-1/2/8
no restrict-egress-forwarding Removes the restriction from all ports or only
[UU/SS/PP] from the selected port when the UU/SS/PP
(only the ingress traffic) and enters FC
Configuration mode:
yellow}
level
id> rules:
[<profile-id>]
Marker (RFC 2698)
single: the Single Rate Three
dual: (optional) the Two Rate

Command Description

KB
100 KB

capacity) kbps
1000 kbps
Color blind
Size (PBS):
KB
100 KB
capacity) kbps
1000 kbps
Burst Size (EBS):
KB
100 KB
yellow
Drop

Command Description
parent <id> (valid only for ingress ACLs) Applies the

configured parent rate-limiter:

UU/SS/PP: 1/1/1-1/1/4, 1/2/1-1/2/8
port:
1/2/1-1/2/8
of <1-4094>
of <1-4094>
packet:
range of <0-63>

range of <07>
of <07>
range of <0-7>
of <07>

Command Description
VLAN ID
Disabled
no copy-inner-vpt-to-outer-vpt Restores to default
green:
green:
green:

Table 8: MAC ACLs Show Commands

Command Description
show port UU/SS/PP [access-groups-rule- Displays the MAC ACGs:

sequence <number>] mac-access-group [NAME
| <acl-number>] [in | out | vlan] UU/SS/PP: port number
[monitoring-profile <profile-id>
[statistics [fbrs-green-bps | fbrs-green-
number: the sequence number, in
fps | fbrs-match-counter-bps | fbrs- the range of <1-250>
match-counter-fps | fbrs-not-green-bps |
fbrs-not-green-fps | fbrs-not-red-bps | NAME: a string of
fbrs-not-red-fps | fbrs-red-bps | fbrs- <110> characters
red-fps | fbrs-yellow-bps | fbrs-yellow-
fps | green-bps | green-fps | match- acl-number: in the range of
counter-bps | match-counter-fps | not- <400-499>
green-bps | not-green-fps | not-red-bps |
not-red-fps | red-bps | red-fps | yellow- in: only ingress ACGs
bps | yellow-fps]]]
out: only egress ACGs
monitoring-profile: the rate, in
frame per second and bytes per
second, of transmitted packets
that are marked as red, green,
or yellow on a selected port
statistics: counts match packets
vlan: only VLAN traffic
redirection ACLs
NOTE
Statistics counters will be reset
port.
show running-config mac access-list Displays information about the extended MAC
ACLs
show running-config mac access-list [NAME | Displays information about the extended MAC
<acl-number>] [description DESCRIPTION ACLs, filtered by command arguments
| rule {<value> | {action {deny |
permit} | da-type <type> |
destination_mac HH:HH:HH:HH:HH:HH
destination_mac_mask HH:HH:HH:HH:HH:HH
| inner-vlan <vlan-id> [inner-vlan-mask
<vlan-mask>] | inner-vpt priority> |
precedence TYPE | source_mac
HH:HH:HH:HH:HH:HH source_mac_mask
HH:HH:HH:HH:HH:HH | tos {<0-7> | max-
reliability | max-throughput | min-delay
| min-monetary-cost | normal} | untagged
| vlan <vlan-id> [vlan-mask <vlan-
mask>] | vpt <priority>}}]
show access-groups mac Displays information about MAC ACGs

show access-lists mac Displays information about MAC ACLs

Ethertype ACLs Commands Hierarchy

NOTE
device-name#
+ config terminal
+ [no] ether-type access-list {NAME | <acl-number>}
+ [no] rule <rule>
- [no] ether-type <type> [ether-type-mask <mask>]
- [no] precedence TYPE
- [no] tos <value>
- [no] untagged
- [no] dscp <value>
+ port UU/SS/PP
+ [no] ether-type-access-group {NAME | <acl-number>} in
- [no] fc <value>
- cbs <value>
- cir <value>
- color-aware
- ebs <value>
- pbs <value>
- pir <value>
mark-red}


+ [no] ether-type-access-group {NAME | <acl-number>} vlan
+ [no] ether-type-access-group {NAME | <acl-number>} out
- cbs <value>
- cir <value>
- color-aware
- ebs <value>
- pbs <value>
- pir <value>
- [no] dscp <value>
+ [no] ether-type-access-group {NAME | <acl-number>} in
- [no] fc <value>
- [no] cbs <value>
- [no] cir <value>
- [no] color-aware
- [no] ebs <value>
- [no] pbs <value>
- [no] pir <value>
mark-red}


+ [no] ether-type-access-group {NAME | <acl-number>} vlan
+ [no] ether-type-access-group {NAME | <acl-number>} out
- [no] cbs <value>
- [no] cir <value>
- [no] color-aware
- [no] ebs <value>
- [no] pbs <value>
- [no] pir <value>
- [no] dscp <value>
+ [no] service
<value>}
+ [no] tls <service-id> sap {UU/SS/PP | agN} c-vlan {<cvlan-
id> | all | untagged}
+ [no] ether-type-access-group {NAME | <acl-number>}
in
- [no] fc <value>
- [no] cbs <value>
- [no] cir <value>
- [no] color-aware

- [no] ebs <value>

- [no] pbs <value>
- [no] pir <value>
mark-red}
- [no] parent <id>
out
- [no] cbs <value>
- [no] cir <value>
- [no] color-aware
- [no] ebs <value>
- [no] pbs <value>
- [no] pir <value>
id> | untagged}
in
+ [no] fc <value>
- [no] cbs <value>
- [no] cir <value>
- [no] color-aware
- [no] ebs <value>
- [no] pbs <value>
- [no] pir <value>
mark-red}
- [no] parent <id>
out
- [no] cbs <value>
- [no] cir <value>

- [no] color-aware
- [no] ebs <value>
- [no] pbs <value>
- [no] pir <value>
+ [no] vpls <vpls-id> sap{{UU/SS/PP | agN}[:[igmp] | :[<vlan-
in
- [no] fc <value>
- [no] cbs <value>
- [no] cir <value>
- [no] color-aware
- [no] ebs <value>
- [no] pbs <value>
- [no] pir <value>
mark-red}
- [no] parent <id>
out
- [no] cbs <value>
- [no] cir <value>
- [no] color-aware
- [no] ebs <value>
- [no] pbs <value>
- [no] pir <value>
- show port UU/SS/PP [access-groups-rule-sequence <number>] ether-type-
access-group [NAME | <acl-number>] [in | out | vlan] [monitoring-


- show running-config ether-type access-list
- show running-config ether-type access-list [NAME | <acl-number>]
[description DESCRIPTION | rule {<value> | {action {deny | permit} |
ether-type <type> | inner-vlan <vlan-id> [inner-vlan-mask <vlan-
mask>] | inner-vpt <priority> | precedence TYPE | tos <value> | vlan
<vlan-id> [vlan-mask <vlan-mask>] | vpt <priority>}}]
- show access-groups ether-type
- show access-lists ether-type
EtherType ACL Command Descriptions

Table 9: EtherType ACLs Configuration Commands
Command Description
ether-type access-list {NAME | <acl-

number>}
Specifies an EtherType ACL and enters
EtherType ACL Configuration mode:
NAME: a string of
<110> characters
599>
no ether-type access-list {NAME | Removes the selected EtherType ACL:
<acl-number>}
<110> characters
of <500-599>
description DESCRIPTION Associates a description with EtherType ACL:
<130> characters
rule <value>
Creates an EtherType ACL rule for filtering traffic

and enters Rule Configuration mode:
no rule [<value>] Removes the EtherType ACL rule:
<1-250>

ether-type <type> [ether-type-
mask <mask>]
Matches the hexadecimal value specifying the

Command Description
EtherType:
type: see Table 20
ether-type-mask: (Optional) allows
a range of EtherTypes to be
specified together
mask: hexadecimal number in the
range of <0-FFFF>. An EtherType
mask of 0 requires an exact match
of the EtherType.
no ether-type [<type>] [ether- Removes the specified EtherType:
type-mask [<mask>]]
type: (optional) see Table 20
ether-type-mask: (Optional) allows
a range of EtherTypes to be
specified together
mask: (Optional) hexadecimal number
in the range of <0-FFFF>
untagged option.
mask>]]
<1-4094>
of <0-7>
precedence TYPE Supported only when the value of the
EtherType field of the Ethernet frame is
0x0800.
The ACL rule matches packets by literal
precedence values.
TYPE: see Table 14
tos <value> Supported only when the value of the

0x0800.
The ACL rule matches packets by service level

Command Description
type:
valid literal ToS value (See Table
13)
vlan <vlan-id> [vlan-mask Denies a specific VLAN ID and mask for the outer
<vlan-mask>] IP-header:
<1-4094>
vpt <priority> Supported only when the value of the
0x8100.
Specifies packet filtering by the VLAN Priority Tag
of <0-7>
dscp <value> Supported only when the value of the

0x0800.
Specifies packet filtering by the DSCP value in the
port UU/SS/PP Enters Port Configuration mode
Configuration mode:
<1-14>

service

Command Description
parent <id> single-rate-limit {cbs Specifies a parent rate-limiter, which allows you to
<value> | cir <value>} configure Hierarchical policers on the device.
{cbs | cir}

id>]:[igmp] | Adds a client port to a specific VPLS instance and
UU1/SS1/PP1:<ces- enters SAP Configuration mode:
4294967295>
UU/SS/PP: 1/1/1-1/1/4, 1/2/1-1/2/8
NOTE

<1-14>
<1-4094>
values are: 1/3/9.
range of <1-64>
packets

Command Description
control packets
UU1/SS1/PP1:<ces- physical port (unit, slot and port)
circuit>:{ces | ces-oos}} ] defined as SAP.(can be obtained
UU/SS/PP: 1/1/1-1/1/4, 1/2/1-1/2/8
<1-14>
<1-4094>
values are: 1/3/9.
range of <1-64>
packets
control packets
agN} c-vlan {<cvlan-id> | all
| untagged} Creates a TLS service instance and enters TLS
Configuration mode:
4294967295>
sap: creates a service access point
(SAP) and enters SAP Configuration
mode
1/1/1-1/1/4, 1/2/1-1/2/8
<1-14>
Configuration mode
traffic only

Command Description
of <14294967295>
Configuration mode
the range of 1/1/1-1/1/4, 1/2/1-
1/2/8
range of <1-14>
c-vlan: (optional) specifies a
of <1-4094>
traffic
dot1q <service-id> sap {UU/SS/PP Enters 802.1Q service Configuration mode for the
| agN} c-vlan {<cvlan-id> | specified SAP C-VLAN, creates a service access
untagged} point (SAP), and specifies a customer VLAN (C-
VLAN):
4294967294>
1/1/1-1/1/4 and 1/2/1-1/2/8. This
port has to be an untagged member
of the S-VLAN
<1-14>
traffic only
NOTE
SAP.
versa.
[{UU/SS/PP | agN} c-vlan used without a parameter, removes all configured
{<cvlan-id> | untagged}] 802.1Q services:

Command Description
of <1-4294967294>
the range of 1/1/1-1/1/4 and 1/2/1-
1/2/8
range of <1-14>
traffic only
<number>
Specifies the sequential order in which ACL rules
are processed:
NOTE
[<number>]
<1-250>
ether-type-access-group {NAME |
<acl-number>} {in | out |
vlan} Assigns an EtherType ACG to a port/s and enters
EtherType ACG Configuration mode:
NAME: a string of
<110> characters
599>
only
only
no ether-type-access-group Removes the specified EtherType ACG:
[NAME | <acl-number>] [in
| out | vlan] NAME: (optional) a string of
<110> characters
of <500-599>
traffic only
traffic only

Command Description

UU/SS/PP: 1/1/1-1/1/4, 1/2/1-1/2/8
specified
(only ingress traffic) and enters FC Configuration
mode:
yellow}
level
id> rules:
[<profile-id>]
port and enters the Rate-Limit Configuration
mode:
Marker (RFC 2698)
Marker (RFC 2697)
KB
100 KB

1000 kbps

Command Description

Color blind
Size (PBS):
KB
100 KB
1000 kbps
Burst Size (EBS):
KB
100 KB
yellow
Drop
parent <id> Applies the configured parent rate-limiter:


UU/SS/PP: 1/1/1-1/1/4, 1/2/1-1/2/8
port:
1/2/1-1/2/8

Command Description

<1-4094>
VLAN ID
Disabled
vpt

<1-4094>
packet:
range of <0-63>

range of <07>
of <07>
range of <0-7>
of <07>
green:

Command Description
green:
green:

Table 10: EtherType ACLs Show Commands

Command Description
show port UU/SS/PP [access-groups-rule- Displays information about the EtherType ACGs,
sequence <number>] ether-type-access- filtered by command arguments:
group [NAME | <500-599>] [in | out |
vlan] [monitoring-profile <profile- UU/SS/PP: port number
id> [statistics [fbrs-green-bps |
fbrs-green-fps | fbrs-match-counter- number: the sequence number ,in the
bps | fbrs-match-counter-fps | fbrs- range of <1-250>
not-green-bps | fbrs-not-green-fps |
fbrs-not-red-bps | fbrs-not-red-fps | NAME: a string of
fbrs-red-bps | fbrs-red-fps | fbrs- <110> characters
yellow-bps | fbrs-yellow-fps | green-
bps | green-fps | match-counter-bps | acl-number: in the range of <500-
match-counter-fps | not-green-bps | 599>
not-green-fps | not-red-bps | not-
red-fps | red-bps | red-fps | yellow- in: only ingress ACGs
bps | yellow-fps]]]
out: only egress ACGs
monitoring-profile: the rate, in
frame per second and bytes per
second, of transmitted packets that
are marked as red, green, or yellow
on a selected port
statistics: counts match packets
ACLs
NOTE
Statistics counters will be reset
port.
show running-config ether-type access- Displays information about EtherType ACLs
list
show running-config ether-type access- Displays information about EtherType ACLs,

list [NAME | <500-599>] [description filtered by command arguments
DESCRIPTION | rule {<1-250> |
{action {deny | permit} | ether-type
<type> | inner-vlan <vlan-id>
[inner-vlan-mask <vlan-mask>] |
inner-vpt <priority> | precedence
TYPE | tos {<0-7> | max-reliability |
max-throughput | min-delay | min-
monetary-cost | normal} | vlan <vlan-
id> [vlan-mask <vlan-mask>] | vpt
<priority>}}]
show access-groups ether-type Displays information about EtherType ACGs

show access-lists ether-type Displays information about EtherType ACLs
Table 11: Traffic Types

Traffic Type Description
unknown-unicast (Optional, supported for ingress ACLs only)

matches unknown traffic.

Traffic Type Description
known-unicast (Optional, supported for ingress ACLs only)

matches known-unicast traffic.
known-multicast (Optional, supported for ingress ACLs only)
matches already known multicast traffic.
unknown-multicast (Optional, supported for ingress ACLs only)
matches unknown multicast traffic.
broadcast (Optional, supported for ingress ACLs only)
matches broadcast traffic.
Table 12: Monitoring Profiles

Profile Meaning
match-counter-fps Counter for transmitted packets, in frames

match-counter-bps Counter for transmitted packets, in bytes
rate-limit-statistics-red-notred-fps Counter for red and not red packets, in frames
rate-limit-statistics-red-notred-bps Counter for red and not red packets, in bytes
rate-limit-statistics-green-notgreen-fps Counter for green and not green packets, in
frames
rate-limit-statistics-green-notgreen-bps Counter for green and not green packets, in
bytes
rate-limit-statistics-green-red-fps Counter for green and red packets, in frames
rate-limit-statistics-green-red-bps Counter for green and red packets, in bytes
rate-limit-statistics-green-yellow-fps Counter for green and yellow packets, in frames
rate-limit-statistics-green-yellow-bps Counter for green and yellow packets, in bytes
rate-limit-statistics-red-yellow-fps Counter for red and yellow packets, in frames
rate-limit-statistics-red-yellow-bps Counter for red and yellow packets, in bytes
Table 13: Valid ToS Values

Valid Literal Value Description Value
max-reliability Max reliable TOS 2

max-throughput Max throughput TOS 4
min-delay Min delay TOS 8
min-monetary-cost Min monetary cost TOS 1
normal Normal TOS 0
Table 14: Valid Precedence Values

Valid Literal Value Description
critical Critical precedence

flash Flash precedence

Valid Literal Value Description
flash-override Flash override precedence

immediate Immediate precedence
internet Internetwork control precedence
network Network control precedence
priority Priority precedence
routine Routine precedence
Table 15: Valid ICMP Message Type Values

alternate-address Alternate Host Address 6

conversion-error Datagram Conversion Error 31
domain name reply Domain Name Reply 35
domain name request Domain Name Request 36
echo Echo (ping) 8
echo-reply Echo reply 0
information-reply Information replies 16
information-request Information requests 15
ipv6-i-am-here IPv6 I-Am-Here 34
ipv6-where-are-you IPv6 Where-Are-You 33
mask-reply Address mask replies 17
mask-request Address mask requests 18
mobile-redirect Mobile Host Redirect 32
mobile-registration-reply Mobile Registration Reply 35
mobile-registration- Mobile Registration Request 36
request
parameter-problem Parameter Problem 12
photuris Photuris 40
redirect All redirects 5
router-advertisement Router Advertisement 9
router-solicitation Router Solicitation 10
skip SKIP 39
source-quench Source Quench 4
time-exceeded Time Exceeded 11
timestamp-reply Timestamp Reply 14
timestamp-request Timestamp 13
traceroute Traceroute 30
unreachable Destination unreachable 3

Table 16: Valid ICMP Code Values

administratively- Communication is administratively prohibited 13

prohibited
dod-host-prohibited Communication with destination host is 10
administratively prohibited
dod-net-prohibited Communication with destination network is 9
administratively prohibited
host-isolated Source host is isolated 8
host-precedence- Host precedence violation 14
unreachable
host-tos-unreachable Destination host ToS is unreachable 12
host-unknown Destination host is unknown 7
host-unreachable Host is unreachable 1
net-tos-unreachable Destination network ToS is unreachable 11
net-unreachable Net is unreachable 0
network-unknown Destination network is unknown 6
packet-too-big Fragmentation needed but fragmentation is not set 4
port-unreachable Port is unreachable 3
precedence-cutoff Precedence cutoff is in effect 15
protocol-unreachable Protocol is unreachable 2
source-route-failed Source route failed 5
Table 17: Valid TCP Port Literal Values

bgp Border Gateway Protocol 179

chargen Character generator 19
daytime Daytime 13
discard Discard 9
domain Domain name service 53
echo Echo 7
exec Exec (rsh) 512
finger Finger 79
ftp File Transfer Protocol 21
ftp-data FTP data connections (used infrequently) 20
gopher Gopher 70
hostname NIC hostname server 102
ident Ident protocol 113

irc Internet Relay Chat 194

klogin Kerberos login 543
kshell Kerberos shell 544
login Login (rlogin) 513
lpd Printer service 515
nntp Network News Transport Protocol 119
pim-auto-rp PIM Auto-RP 496
pop2 Post Office Protocol v2 109
pop3 Post Office Protocol v3 110
smtp Simple Mail Transport Protocol 25
sunrpc Sun Remote Procedure Call 111
syslog Syslog 514
tacacs-ds TAC Access Control System 49
talk Talk 517
telnet Telnet 23
time Time 37
uucp Unix-to-Unix Copy Program 540
whois Nickname 43
www World Wide Web (HTTP) 80
Table 18: Valid UDP Port Literal Values

biff Biff (mail notification, comsat) 512

bootps Bootstrap Protocol (BOOTP) server 67
bootpc Bootstrap Protocol (BOOTP) client 68
discard Discard 9
dnsix DNSIX security protocol auditing 195
domain Domain name service 53
echo Echo 7
isakmp Internet Security Association and Key Management 500
Protocol
mobile-ip Mobile IP registration 434
nameserver IEN116 name service (obsolete) 42
netbios-dgm NetBios datagram service 138
netbios-ns NetBios name service 137
netbios-ss NetBios session service 139
ntp Network Time Protocol 123

pim-auto-rp PIM Auto-RP 496

rip Routing Information Protocol 520
snmp Simple Network Management Protocol 161
snmptrap SNMP Traps 162
sunrpc Sun Remote Procedure Call 111
syslog Syslog 514
tacacs-ds TAC Access Control System 49
talk Talk 517
tftp Trivial File Transfer Protocol 69
time Time 37
who Who service 513
xdmcp X Display Manager Control Protocol 177
Table 19: Valid FC Values

FC Description
be The FC to be mapped is the Best-Effort Forwarding Class

l2 The FC to be mapped is the Low-2 Forwarding Class
af The FC to be mapped is the Assured Forwarding Class
l1 The FC to be mapped is the Low-1 Forwarding Class
h2 The FC to be mapped is the High-2 Forwarding Class
ef The FC to be mapped is the Expedited Forwarding Class
h1 The FC to be mapped is the High-1 Forwarding Class
nc The FC to be mapped is the Network Control Forwarding Class
Table 20: Known EtherType Values

Value Description
0x00000x05DC IEEE 802.3 length

0x0800 IP (Internet Protocol)
0x0806 ARP (Address Resolution Protocol)
0x8035 DRARP (Dynamic RARP)
RARP (Reverse Address Resolution Protocol)
0x80F3 AARP (AppleTalk Address Resolution Protocol)
0x8137 IPX (Internet Packet Exchange)
0x86DD IPv6 (Internet Protocol version 6)
0x880B PPP (Point-to-Point Protocol)
0x880C GSMP (General Switch Management Protocol)

Value Description
0x8847 MPLS (Multi-Protocol Label Switching) unicast

0x8848 MPLS (Multi-Protocol Label Switching) multicast
0x8863 PPPoE (PPP Over Ethernet) Discovery Stage
0x8864 PPPoE (PPP Over Ethernet) PPP Session Stage
0x88BB LWAPP (Light Weight Access Point Protocol)
0x8E88 EAPOL (EAP over LAN)
0xFFFF Reserved
NOTE
Permitting EtherType code 0x8XXX allows tagged traffic since EtherType 0x8100 is
used.

ACLs Configuration Example

Configure Standard ACL
1. Define a standard IP ACL:
device-name(config)#ip access-list standard 3
device-name(config-standard-3)#
2. Define the rule for the standard IP ACL:

device-name(config-standard-3)#rule 3 action permit source-ip 1.0.0.3/32
3. Define the VLAN:

device-name(config-rule-3)#vlan 11 vlan-mask 00:00:00:0F
4. Define the VPT:

device-name(config-rule-3)#vpt 3

device-name(config-rule-3)#commit
Commit complete.
6. Define the rate limit on port 1/1/1:

device-name(config-port-1/1/1)#access-groups-rule-sequence 1
device-name(config-access-groups-rule-sequence-1)#ip-access-group-standard
3 in
device-name(config-ip-access-group-standard-3/in)#rate-limit single cir

5000 cbs 300
device-name(config-rate-limit-single)#commit
Commit complete.
7. Display information about the standard IP ACL:

device-name#show running-config ip access-list standard 3
ip access-list standard 3
rule 3
action permit
source-ip 1.0.0.3/32
vlan 11
vlan-mask 00:00:00:0f
vpt 3
!
!
8. Display information about the standard IP ACG per port 1/1/1:

device-name#show running-config port 1/1/1
port 1/1/1

duplex auto
no shutdown
access-groups-rule-sequence 1
ip-access-group-standard 3 in
rate-limit single
cir 5000
cbs 50
!
exit
!
exit
!
!
Configure Extended ACL

1. Define an extended IP ACL:
device-name(config)#ip access-list extended 110
2. Define the rule for the extended IP ACL:

device-name(config-extended-110)#rule 5 action permit protocol tcp source-
ip 1.0.0.2/32 destination-ip 2.0.0.4/32
3. Define the TCP-port, ToS, VLAN, VPT and precedence level:

device-name(config-rule-5)#tcp-source-port 33
device-name(config-rule-5)#tos max-throughput
device-name(config-rule-5)#vlan 22 vlan-mask 00:00:00:00
device-name(config-rule-5)#precedence critical

Commit complete.
5. Define the rate limit on port 1/1/2:

device-name(config-access-groups-rule-sequence-1)#ip-access-group-extended
110 in
device-name(config-ip-access-group-extended-110/in)#rate-limit dual cir
3000 cbs 100 pir 6000 pbs 300
device-name(config-rate-limit-dual)#commit
Commit complete.
6. Display information about the extended IP ACL:

device-name#show running-config ip access-list extended 110

ip access-list extended 110

rule 5
action permit
protocol tcp
source-ip 1.0.0.2/32
destination-ip 2.0.0.4/32
tcp-source-port 33
tos max-throughput
precedence critical
vlan 22
vlan-mask 00:00:00:00
vpt 2
!
!
7. Display information about the extended IP ACG per port 1/1/2:

device-name#show running-config port 1/1/2
port 1/1/2
duplex full
speed 10000
no shutdown
ip-access-group-extended 110 in
rate-limit dual
cir 3000
pir 6000
pbs 300
!
exit
!
exit
!
!
Configure Egress and VLAN ACLs

1. Define an extended IP ACL:
2. Define a rule for the extended IP ACL:

device-name(config-extended-100)#rule 1 action permit source-ip 1.0.0.1/32
destination-ip 2.0.0.4/32 protocol tcp
Commit complete.
3. Apply the configured ACL on port 1/1/1 and redirect the matching traffic to the VLAN 200

100 vlan
device-name(config-ip-access-group-extended-100/vlan)#vlan 200
device-name(config-ip-access-group-extended-100/vlan)#commit
Commit complete.
4. Apply the configured ACL on port 1/1/2 and limit the outgoing traffic to 5M, and remark
dscp value with 44:
device-name(config-port-1/1/2)#
100 out
device-name(config-ip-access-group-extended-100/out)#rate-limit single cir

5000 cbs 16
device-name(config-rate-limit-single)#exit
device-name(config-ip-access-group-extended-100/out)#dscp 44
device-name(config-ip-access-group-extended-100/out)#commit
Commit complete.
Apply ACG on a SAP port with Traffic Rate-limit

1. Define a monitoring profile and statistics:
device-name(config)#access-group-monitoring-profile 5
device-name(config-access-group-monitoring-profile-5)#enable-statistics
rate-limit-statistics-green-red-bps
device-name(config-enable-statistics-rate-limit-statistics-green-red-
bps)#access-group-monitoring-profile 10
device-name(config-access-group-monitoring-profile-10)#enable-statistics
rate-limit-statistics-red-notred-fps
device-name(config-enable-statistics-rate-limit-statistics-red-notred-
fps)#commit
Commit complete.
2. Create ACLs:
device-name(config-standard-66)#rule 1
device-name(config-rule-1)#action permit
device-name(config-rule-1)#source-ip 1.0.0.1/32
device-name(config-rule-1)#ip access-list standard 67
device-name(config-rule-1)#ip access-list standard 68

Commit complete.
3. Apply ACGs (on the ingress traffic only) on a SAP port with defined traffic rate-limit:
device-name(config-vpls-2)#sap 1/1/1:20:
device-name(config-sap-1/1/1:20:)#access-groups-rule-sequence 1
66 in
device-name(config-ip-access-group-standard-66/in)#monitoring-profile 10
device-name(config-ip-access-group-standard-66/in)#access-groups-rule-
sequence 2
67 in
device-name(config-ip-access-group-standard-67/in)#access-groups-rule-
sequence 3
68 in
device-name(config-ip-access-group-standard-68/in)#rate-limit single cir
5000 cbs 16
Commit complete.
Apply ACG on a SAP Port

1. Apply ACGs (on ingress traffic only) on a SAP port with defined traffic rate-limit::
device-name(config-service)#tls 1
device-name(config-c-vlan-12)#access-groups-rule-sequence 1
100 in
device-name(config-ip-access-group-extended-100/in)#rate-limit dual
device-name(config-rate-limit-dual)#cir 1000
device-name(config-rate-limit-dual)#cbs 16
device-name(config-rate-limit-dual)#pir 2000
device-name(config-rate-limit-dual)#pbs 16
device-name(config-rate-limit-dual)#exceed-action mark-yellow
device-name(config-rate-limit-dual)#color-aware
device-name(config-rate-limit-dual)#monitoring-profile 10
device-name(config-monitoring-profile-10)#sdp s-vlan 10
device-name(config-s-vlan-10)#port 1/1/2
device-name(config-port-1/1/2)#commmit
2. Display the configuration:

device-name#show running-config service tls 1 sap 1/1/1

service
tls 1
sap 1/1/1
c-vlan 12
ip-access-group-extended 100 in
rate-limit dual
cir 1000
cbs 16
pir 2000
pbs 16
exceed-action mark-yellow
color-aware
!
monitoring-profile 10
!
!
!
!
!
!
!
Apply IPv6 ACG on Aggregated SAP Ports

1. Apply ACGs (on ingress traffic only) on a group of SAP ports:
device-name(config)#ipv6 access-list 1000
device-name(config-access-list-1000)#rule 1
device-name(config-rule-1)#source-ip 2001::1/128
device-name(config-rule-1)#destination-ip 2001::4/126
device-name(config-rule-1)#top
device-name(config-rule-1)#exit
device-name(config-rule-2)#action deny
device-name(config-rule-3)#top


device-name(config-rule-1)#destination-ip 2001::a/128
2. Apply IPv6 ACLs:

device-name(config)#service vpls 14
device-name(config-vpls-14)#mode mtu-s
device-name(config-vpls-14)#sap ag1:100
device-name(config-sap-ag1:100:200)#access-groups-rule-sequence 1
device-name(config-access-groups-rule-sequence-1)#ipv6-access-group 1000
in
device-name(config-ipv6-access-group-1000/in)#top
in
device-name(config-ipv6-access-group-2000/in)#top
in
device-name(config-ipv6-access-group-3000/in)#commit
Apply Egress ACG on SAP Port of TLS Service

1. Create ACLs:
Device-name(config)#ip access-list standard 3
Device-name(config-standard-3)#rule 3
Device-name(config-rule-3)#action permit
Device-name(config-rule-3)#source-ip 1.0.0.3/32
Device-name(config-rule-3)#vlan 11
Device-name(config-rule-3)#vlan-mask 00:00:00:0f

Device-name(config-rule-3)#vpt 3
Device-name(config-rule-3)#commit
Commit complete.
Device-name(config-rule-3)#top
Device-name(config)#ip access-list extended 100
Device-name(config-extended-100)#rule 1
Device-name(config-rule-1)#action permit
Device-name(config-rule-1)#protocol tcp
Device-name(config-rule-1)#source-ip 1.0.0.1/32
Device-name(config-rule-1)#destination-ip 2.0.0.4/32
Device-name(config-rule-1)#commit
Commit complete.
Device-name(config-rule-1)#top
Device-name(config)#
2. Specify SAP and SDP ports of TLS service 1:

Device-name(config-service)#tls 1
Device-name(config-tls-1)#sap 1/1/1 c-vlan 5
Device-name(config-tls-1)#sdp s-vlan 10 port 1/1/2
Device-name(config-s-vlan-10)#exit
Device-name(config-tls-1)#no shutdown
Device-name(config-tls-1)#commit
3. Apply ACGs (on egress traffic only) on a SAP port:

Device-name(config-c-vlan-5)#access-groups-rule-sequence 1 ip-access-group-
standard 3 out
Device-name(config-ip-access-group-standard-3/out)#dscp 20
Device-name(config-ip-access-group-standard-3/out)#set-green-to-vpt 7
Device-name(config-ip-access-group-standard-3/out)#set-yellow-to-vpt 5
Device-name(config-ip-access-group-standard-3/out)#commit
Commit complete.
Device-name(config-rate-limit-single)#exit
Device-name(config-ip-access-group-standard-3/out)#exit
Device-name(config-access-groups-rule-sequence-1)#exit
Device-name(config-c-vlan-5)#access-groups-rule-sequence 2 ip-access-group-
extended 100 out
Device-name(config-ip-access-group-extended-100/out)#rate-limit single cir
50000
Device-name(config-rate-limit-single)#commit
Commit complete.
Device-name#show running-config service
service
tls 1
no shutdown
sap 1/1/1
c-vlan 5
ip-access-group-standard 3 out

set-green-to-vpt 7
set-yellow-to-vpt 5
dscp 20
!
!
ip-access-group-extended 100 out
rate-limit single
cir 50000
!
!
!
!
!
sdp s-vlan 10
ethertype 0x8100
port 1/1/2
!
!
!
!


Access Control No standards are Private MIB, RFC 2697, A Single Rate
Lists (ACLs) supported by this PRVT-SWITCH- Three Color Marker
feature. ACCESS-LIST- RFC 2698, A Two Rate Three
MIB.mib Color Marker

Quality of Service (QoS)
Table of Contents
Table of Figures 2
List of Tables 2
Port-Based Quality of Service (QoS) 3

Traffic Analysis for QoS Deployment 3
Port-Based QoS Architecture 4
QoS Mechanisms 4
Sorting Packets for QoS Handling 5
Forwarding Class (FC) 6
Profiles 7
Port-Related Policies 7
Relevant Scaling Numbers 8
Order of Configuration 8
Trust Mode for the Port 8
Traffic Scheduling 9
Traffic Shaping 13
QoS Default Configuration 13
Service-Based Quality of Service (QoS) 15

Service QoS Architecture 16
Service-Based QoS Mechanisms 17
Policy-Based QoS Management 17
Profiles 17
Port-Related Policies18
Service-Related Policies 18
Relevant Scaling Numbers 18
Order of Configuration 18
QoS Default Configuration 19
QoS Configuration Flow 21
Quality of Service (QoS) (Rev. 01) Page 1

QoS Commands 21
Table of Figures
Figure 1: Port-based QoS Architecture ............................................................................................... 4
Figure 2: 802.1p Priority Header Fields .............................................................................................. 5
Figure 3: Type of Service (ToS) Header Fields .................................................................................. 6
Figure 4: Strict Priority Queuing ........................................................................................................ 10
Figure 5: Weighted Round-Robin Queuing ...................................................................................... 11
Figure 5: Service Ingress QoS Architecture ...................................................................................... 16
Figure 6: Combining Service Ingress QoS and Port-based QoS ................................................... 16
Figure 7: QoS Configuration Flow (applied on ports) .................................................................... 21
List of Tables
Table 1: Modified Deficit Round-Robin Queuing Algorithms...................................................... 12
Table 2: QoS Default Configuration ................................................................................................. 13
Table 3: QoS Default Configuration ................................................................................................. 19
Table 4: QoS Profiles Configuration Commands ............................................................................ 23
Table 5: QoS Policy Configuration Commands .............................................................................. 32
Table 6: QoS Port/Service Configuration Commands ................................................................... 37
Table 7: QoS Display Configuration Commands ............................................................................ 39
Page 2 Quality of Service (QoS) (Rev. 01)

Port-Based Quality of Service (QoS)

Todays networks transmit data streams for various applications using many different protocols.
Different types of traffic sharing a data path through the network can interact in ways that affect
application performance. Traffic prioritization becomes especially important when delay-sensitive,
interactive applications are supported across the network. In many cases a guaranteed level of
throughput is part of contractual obligations between the network operator and customers or third-
party service providers.
QoS controls congestion by determining the order in which packets are transmitted based on
priorities assigned to those packets. QoS queuing policies can protect bandwidth for important
categories of applications, or specifically limit the bandwidth associated with less critical traffic. For
example, if Voice over IP (VoIP) traffic requires a reserved amount of bandwidth to function
properly, QoS policies can reserve sufficient bandwidth and at the same time, limit bandwidth for
less critical applications.
Basic QoS implementation for BiNOX devices is port-based. During periods of light traffic, QoS
policies have little effect, and packets are transmitted as soon as they arrive. During periods of
congestion, outbound packets accumulating at a port are sorted into eight queues. Packets are
transmitted from the queues according to the scheduling mechanism configured for the port.
Traffic Analysis for QoS Deployment

To effectively configure QoS, the user must analyze traffic types to determine the relative
bandwidth demand of each port. The user should also evaluate sensitivity to latency, jitter, and
packet loss of the supported applications.
General guidelines for each traffic type are given below. Consider them as general guidelines and
not strict recommendations. Once QoS parameters are set, the user can monitor performance to
determine if the actual behavior of the application matches user expectations.
Voice applications demand small amounts of bandwidth. However, the bandwidth must be
constant and predictable because voice applications are typically sensitive to latency (inter-
packet delay) and jitter (variation in inter-packet delay).
Video applications have similar needs as voice applications with the exception that bandwidth
requirements are somewhat larger depending on encoding.
Some applications can transmit large amounts of data for multiple streams in one spike with
the expectation that the end-stations will buffer significant amounts of video-stream data. This
behavior presents a problem since the network infrastructure must be capable of buffering
transmitted spikes where there are speed differences involved (for example, going from
Gigabit Ethernet to Fast Ethernet).
Database applications such as those associated with ERP, typically do not demand significant
bandwidth and are tolerant of delay. The user can establish a minimum bandwidth using a
lower priority than that needed for delay-sensitive applications.
Web browsing applications cannot be generalized into a single category. Casual and
application-oriented traffic can be distinguished from each other by server source and
destination.

Most browser-based applications have an asymmetric data flow (small data flows from
the browser client and large data flows from the server to the browser client). An
exception to this pattern may be created by some Java -based applications.
Web-based applications are generally tolerant of latency, jitter, and some packet loss:
however, small packet-loss may have a large impact on perceived performance due to the
nature of TCP.
File server applications typically pose the greatest demand on bandwidth. File server
applications are very tolerant of latency, jitter, and some packet loss depending on the network
operating system and the use of TCP or UDP.
Port-Based QoS Architecture

Figure 1 shows how QoS affects traffic flow during the switching process.
On ingress, the traffic is:
Classified (mapped) according to policy mapping tables
Policed based on ACLs (optional)
Re-mapped based on ACLs (optional)
On egress, traffic is:
Distributed into eight priority queues based on the classification
Entered into queues after Congestion Avoidance enforcement
Transmitted according to a scheduling algorithm
Shaped on a per queue/egress port basis
Figure 1: Port-based QoS Architecture
QoS Mechanisms
The user can control Quality of Service behavior through the following mechanisms:
Mapping inbound packets into eight Forwarding classes that correspond to eight outbound
queues. Existing QoS markers such as VPT and DSCP values can be used for mapping
purposes.
Policing ingress traffic rate using rate-limit ACLs.

Overriding mapping using rate-limit ACLs.

Controlling queue overflow states using the Congestion Avoidance and color-aware
mechanisms.
Scheduling packet transmissions out of the outbound queues. Several basic scheduling
mechanisms are provided:
Strict Priority (SP)
Weighted Round-Robin (WRR)
Deficit Round-Robin (DRR)
In addition, several hybrid scheduling schemes are available, which combine the
Weighted/Deficit Round-Robin and Strict Priority mechanisms.
Shaping egress traffic rates per queue and per port.
Sorting Packets for QoS Handling

The following methods are available to sort packets:
Packet Sorting by 802.1p Priority Values
Packet Sorting by DiffServ Values
Packet Sorting by 802.1p Priority Values

The device supports the standard 802.1p priority bits that are part of a tagged Ethernet packet. The
802.1p bits can be used to prioritize the packet. 802.1p priority bits, which are part of a tagged
Ethernet packet, can be used to prioritize incoming packets. The device examines the 802.1p
priority field and assigns the packet to a specific QoS queue for transmission. The 802.1p priority
field is located directly after the 802.1Q type field and before the 802.1Q VLAN ID, as shown in
Figure 2.
Figure 2: 802.1p Priority Header Fields
The device maps ingress traffic containing 802.1p prioritization information, to hardware queues
on the egress port of the device. The transmitting hardware queue determines bandwidth
management and priority characteristics used in packet transmission and exact mapping depends on
the employed trust mode.
By default, 802.1p priority information is not replaced or manipulated. Priority information
observed on ingress is preserved during packet transmission and is not affected by the switching or
routing configuration of the device. The device is capable of using the 802.1p priority information

of incoming traffic for internal QoS mapping and handling or ignore it (default untrusted mode)
changing, however in any case the 802.1p priority information is kept during transmission of an
802.1Q tagged frame (unless the device is configured to remark it)
Packet Sorting by DiffServ Values

The device uses the IP Type of Service (ToS) field contained in every IP packet header to
determine the type of service provided to the packet.
The application software can use ToS/DiffServ values to sort packets into QoS queues. Individual
ToS values, or ranges of values, are mapped to 802.1p priority values. Packets are sorted into QoS
queues based on this derived priority value. Figure 3 shows the ToS fields in the IP packet header.
Figure 3: Type of Service (ToS) Header Fields
The device examines the first six of eight ToS bits, known as the Differentiated Services Code
Point (DSCP), for incoming packets arriving on the ingress port. Depending on the trust mode
assigned to the packet and based on the DSCP, the device can assign the QoS priority used to
subsequently transmit the packet. QoS priority:
Controls the hardware queue used to transmit packets out of the device
Determines the forwarding class of a particular DSCP
Advantages to using the DSCP field include:
Class of service information can be carried throughout the network infrastructure without
repeated complex traffic policies at each device location
End stations can perform packet marking on an applicationspecific basis.
Application software can observe and manipulate DSCP information without performance
penalty.
Forwarding Class (FC)

VPT and DSCP QoS values are mapped to internal priority values known as Forwarding Classes
(FC). The mapping process might be referred to as Class of Service (CoS) assignment.

This classification is performed according to the configured mapping profile and the trust mode for
the port. During this process, a "color" is assigned to each packet in addition to the FC.
The FC value determines the transmission queue and the color will be used for the Congestion
Avoidance mechanism.
There are eight FC values representing eight transmission queues with different priorities (low to
high):
be queue 1
l2 queue 2
af queue 3
l1 queue 4
h2 queue 5
ef queue 6
h1 queue 7
nc queue 8
A single packet can be assigned to one of the eight queues for transmission. The order of packet
transmission out of the queues occurs according to the configured QoS scheduling algorithm (Strict
Priority by default).
For example, a packet received with VPT 2 and classified as the Forwarding Class be (and by
extension, to transmission queue 1), will be served in queue1 but it will egress the device with the
received VPT 2.
By default, the QoS markers (VPT \DSCP) for incoming traffic to a port are ignored (untrusted
mode) and all traffic is mapped to FC "be", assigned with "green" color and transmitted via queue
1.
Normally, once traffic is assigned to a FC at the ingress it remains in that FC throughout its time
within the system.
Profiles
A profile includes a set of configurable values that can be applied within a QoS policy. The device
supports the following QoS Profile types:
Mapping Profile: Maps L2 (VPT) or L3 (DSCP) marked traffic (or both) to particular
Forwarding Classes (FCs) and traffic colors.
Scheduling Profile: Specifies the queuing/scheduling algorithm to apply to a queue.
Shaper Profile: Specifies the shaping algorithm to apply to a port or a queue.
Remarking profile: Specifies the VPT or DSCP remarking per egress according to FC and
color.
Port-Related Policies
The device supports the following port-related QoS policies:

Port Ingress Policy

Applied per port.
Applies mapping of VPT/DSCP values to Forwarding Class (FC) and traffic color
through a mapping profile.
Applies trust mode of the VPT/DSCP values to the ingress traffic.
Port Egress Policy
Applied per port
Applies scheduling algorithms through a scheduling profile.
Applies shaper per port/per queue or both through a shaper profile.
Relevant Scaling Numbers

Number Description
Maximum Number of Profiles Mapping profiles: 64 (including one default: global)

Shaper profiles: 8
Scheduling profiles: 8 (including SP default profile)
Remarking profiles
Maximum Number of Policies Port ingress policies: 64 (including one default policy)
Port egress policies: 64 (including one default policy)
Order of Configuration
1. Define and configure the following profiles:
Mapping profiles
Shaper profiles
Scheduling profiles
Remarking profile
2. Define and configure the ingress/egress policies.
Port Ingress Policy: Map VPT and DSCP bits for incoming traffic to internal Forwarding
Class (FC), color, and trust mode. The FC groups in ingress policies are mapped to
queues.
Port Egress Policy: Define the queueing mechanism (scheduling) and shaper profile.
Apply the configured policies to ports. Once applied, QoS profiles and policies can be
modified. For updating the configuration of any port, the applied policies must first be
first removed from that configuration. You are not able to delete profiles and polices
attached to port.
Trust Mode for the Port

An ingress port can work in several modes which determine the sorting of incoming traffic.

Untrusted (default): For incoming traffic, VPT\DSCP fields are ignored and all incoming
traffic is mapped to a single Forwarding Class and color, according to untrust-to-fc command
configuration.
VPT-trusted: Incoming traffic carrying VPT will be mapped according to a "global" or user-
defined mapping profile.
Inner-VPT-trusted: Incoming double-tagged traffic will be classified by inner VPT according
to a "global" or user-defined mapping profile.
DSCP-trusted: Incoming traffic carrying DSCP will be mapped according to a "global" or
user defined mapping profile.
VPT and DSCP trusted: VPT and DSCP incoming traffic will be mapped according to a
"global" or user defined mapping profile.
Traffic Scheduling
Traffic scheduling controls congestion by determining transmission order for packets based on
assigned priorities. Traffic scheduling requires:
Assignment of packets to port queues based on packet mapping
Setting the method for timing the transmission of packet out of the queues
Using scheduling features, packets accumulate at port queues waiting for transmission. Packets are
scheduled for transmission according to their assigned priority and the configured queuing
mechanism. The device determines the order of packet transmission by controlling which packets
are placed in which queue and how those queues are serviced with respect to each other.
Scheduling Methods
The following scheduling methods are available:
Strict Priority Scheduling (SP)
Weighted Round-Robin Scheduling (WRR)
Hybrid Scheduling
Deficit Round Robin Scheduling (DRR)
Modified Deficit Round Robin Scheduling (MDRR)
Strict Priority Scheduling (SP)

With Strict Priority (SP) queue handling, queues are ranked in order. The highest ranking queue,
queue8, is serviced first. When queue8 is empty, the lower queues (specifically, queue7, queue6,
queue5, queue4, queue3, queue2 and queue1 in that order) are serviced in sequence. Strict Priority
Scheduling, which provides absolute preferential treatment to high priority traffic, ensures that
mission-critical traffic, traversing various WAN links, gets priority treatment. In addition, SP
provides a faster response time than other queuing methods.
Use the SP mechanism to guarantee a fixed portion of available bandwidth to one type of
application for example, interactive multimedia applications possibly at the expense of less
critical traffic.

Using SP can mean that lower priority traffic is denied bandwidth in favor of higher priority traffic.
As a result, use of Strict Priority could, in the worst case, result in lower priority traffic never being
transmitted. To avoid inflicting this condition on lower priority traffic, use rate-limit to control the
rate of the higher priority traffic.
Figure 4: illustrates the Strict Priority mechanism in a four-queue architecture.
Figure 4: Strict Priority Queuing
Strict Priority Scheduling provides absolute preferential treatment to high priority traffic ensuring
that mission-critical traffic traversing various WAN links gets priority treatment. In addition, SP
provides a faster response time than do other methods of queuing.
Weighted Round-Robin Scheduling (WRR)

In the Weighted Round-Robin Scheduling method, a weighting factor for each queue determines
how many bytes of data the system delivers from the queue before moving on to the next queue.
The WRR mechanism cycles through the queues. For each queue, packets are sent until the number
of bytes transmitted exceeds the bandwidth determined by the queue weighting factor or the queue
is empty. The WRR mechanism moves to the next queue. If a queue is empty, the router will send
packets from the next queue that has packets ready to send.
Note that if packet length exceeds the queue-allowed bandwidth, the packet is still transmitted
during its time slot. The quota, however, is overdrawn so that on the next time slot, the queue
receives a smaller allotment. This mechanism guarantees a minimum bandwidth to each queue but
allows the minimum to be exceeded if one or more of the port other queues are idle). When all of
the queues are loaded, each is limited to its maximum bandwidth according to its assigned weight
no queue achieves more than a predetermined proportion of overall capacity when the line is under
stress.
Weighting factors are defined as relative percentages. The value for all of the queues must be
positive and must add up to ten or 100.
Relative percentages are calculated by byte counts rather than by packets, thus providing a greater
degree of bandwidth fairness. For example, suppose one protocol has 500-byte packets, another
has 300-byte packets, and a third has 100-byte packets. If the user wants to split the bandwidth
evenly across all three protocols, the user might choose to specify byte counts of 200, 200, and 200
for each queue. However, this configuration does not result in a 33/33/33 ratio of bandwidth
usage. When the router services the first queue, it sends a single 500-byte packet; when it services

the second queue, it sends a 300-byte packet; and when it services the third queue, it sends two 100-
byte packets. The effective ratio is 50/30/20 - setting the byte count too low can result in an
unintended bandwidth allocation.
Figure 5 shows how WRR queuing behaves in a four-queue architecture.
Figure 5: Weighted Round-Robin Queuing
Hybrid Scheduling
The Hybrid Scheduling method combines Strict Priority queuing and Weighted Round Robin
scheduling. Queues with higher priority are serviced with SP while the remaining queues are
serviced in accordance with WRR once the higher priority queues are empty.
SP/WRR hybrid scheduling guarantees immediate delivery of packets from high-ranking queues
while avoiding starvation of the lowest-ranking queues.
Table 2 explains the available hybrid scheduling algorithms.
Table 2: Hybrid Scheduling Algorithms
Algorithm Name Algorithm Description
Hybrid 1 Assigns WRR scheduling to txq1-txq7 and SP scheduling to txq8.

Hybrid 2 Assigns WRR scheduling to txq1-txq6 and SP scheduling to txq7-txq8.
Deficit Round Robin Scheduling (DRR)

Deficit Round Robin (DRR) is a modified version of Weighted Round Robin (WRR) scheduling.
WRR allocates bandwidth in terms of packets and works well when the average packet size is
known for each QoS queue flow. However, in most cases, packet size is traffic dependent and can
vary over time. In DRR, where the size of individual packets is not known, the maximum packet

size is subtracted from the packet length. Packets exceeding that number are held back until the
next visit of the scheduler.
With DRR scheduling, you can send frames from non-empty queues one after the other, in round-
robin. Each time frames are sent from a queue, a fixed amount of data is de-queued and the
algorithm sends from the next queue. When sending frames from a queue, DRR keeps track of the
number of data bytes de-queued in excess of the configured value.
When sending from the queue again, less data is de-queued to compensate for the excess data
previously sent. As a result, the average amount of data de-queued per queue is close to the
configured value.
Two variables define each DRR/MDRR queue:
Quantum Value: An average number of bytes served in each round. The quantum value is 2
KB.
Deficit Counter: Tracks the number of transmitted bytes per queue in each round. Initially,
the counter holds the quantum value.
For each queue, the mechanism sends packets as long as the deficit counter is greater than zero.
Each sent packet decreases the deficit counter by a value equal to its length in bytes. You cannot
send a queue after the deficit counter drops to zero or moves into negative numbers. DRR serves
more packets at a time if the packet size is less than the quantum value.
Each DRR queue can receive a relative weight with one of the queues from the group defined as a
priority queue. The weights assign relative bandwidth for each queue when the port is congested.
NOTE
DRR scheduling using fixed packet size behaves the same as Weighted Round
Robin.
Modified Deficit Round Robin Scheduling (MDRR)

Modified Deficit Round Robin Scheduling combines Strict Priority queuing and Deficit Round
Robin scheduling. Service one or more queues with strict priority and then service the remaining
queues using the MDRR algorithm. MDRR queuing guarantees immediate delivery of packets from
high-ranking queues while avoiding starvation of lowest-ranking queues.
Table 1 explains the available MDRR scheduling algorithms.
Table 1: Modified Deficit Round-Robin Queuing Algorithms
Algorithm Name Algorithm Description
MDRR 1 Assigns DRR queuing to txq1-txq7 and SP queuing to txq8.

MDRR 2 Assigns DRR queuing to txq1-txq6 and SP queuing to txq7-txq8.

Traffic Shaping
When congestion occurs, output or egress traffic is shaped on a per-port, per-service, and per-
queue basis. Output traffic monitoring verifies that the traffic conforms to the rate configured for
the device. When excessive traffic is detected on the device, the output port applies traffic shaping
and controls excess traffic. If the device queues overflow, traffic is dropped.
The shaping implementation in the device uses CIR to limit the traffic rate and CBS to allow
temporary bursts to breach the CIR as part of the Service Level Agreement.
QoS Default Configuration

Table 6 shows the default QoS configuration.
Table 2: QoS Default Configuration
Feature Default Value
Default mapping profile global

This profile implements the default mapping on device, see Table 8:
Mapping Profile Default Configuration
QoS scheduling Strict Priority
algorithm
Port trust mode untrust
Drop level per user green
priority
User priority fc=be
DSCP value Specified in the default mapping profiles

DSCP drop level Specified in the default mapping profiles
Traffic shaping Disabled
Port policies profiles See Table 10: Port Policies Profiles Default Configuration
configuration
Table8: Mapping Profile Default Configuration (Untrust VPT/DSCP)

Profile Priority Mapping
VPT DSCP FC Color
global untrust be green
Table 9: Global Mapping Profile Configuration (Trust VPT/DSCP)

VPT DSC FC Color

P
global 0 - be green

VPT DSC FC Color

P
1 - l2 green
2 - af green
3 - l1 green
4 - h2 green
5 - ef green
6 - h1 green
7 - nc green
- 0-7 be green
- 8-15 l2 green
- 16- af green
23
- 24- l1 green
31
- 32- h2 green
39
- 40- ef green
47
- 48- h1 green
55
- 56- nc green
63
Table 10: Port Policies Profiles Default Configuration

Policy Policy Type Profile Type/Name Trust Mode
Mapping Scheduling
defInPol ingress global - untrust

defEgPol egress - 1 -
Table 11: Default Configuration of FC to Queue Mapping for Unicast Traffic
VPT 0 1 2 3 4 5 6 7
FC be l2 af l1 h2 ef h1 nc
Queue 1 2 3 4 5 6 7 8
Table 12: Default Configuration of FC to Queue Mapping for Broadcast, Multicast and

Unknown Traffic
VPT 0 1 2 3 4 5 6 7
Queue 1 2 2 2 7 7 7 8
Table 13: Default Remarking Profile

Initial Packet Priority Packet Priority (VPT) Packet Priority (VPT) FC Queue
(VPT) after Remarking for after Remarking for
unicast traffic multicast traffic
0 0 0 be 1
1 1 1 l2 2
2 2 1 af 3
3 3 1 l1 4
4 4 6 h2 5
5 5 6 ef 6
6 6 6 h1 7
7 7 7 nc 8
Initial Packet Priority Packet Priority (DSCP) Packet Priority (DSCP) FC Queue
(DSCP) after Remarking for after Remarking for
unicast traffic multicast traffic
0-7 0 0 be 1
8-15 1 1 l2 2
16-23 2 1 af 3
24-31 3 1 l1 4
32-39 4 6 h2 5
40-47 5 6 ef 6
48-55 6 6 h1 7
56-63 7 7 nc 8
Service-Based Quality of Service (QoS)

Service-based Quality of Service (QoS) provides per customer queuing, scheduling, and shaping for
service ingress (with eight queues per service). A Service Level Agreement (SLA) describes service
levels where multiple customers can be connected to each port and each customer can be
subscribed to multiple services.
Service-based QoS enables enhanced services with flexible SLAs and better bandwidth utilization.
The better bandwidth utilization allows the carrier to sell available bandwidth to more customers

(usually more profitable than selling more bandwidth to each customer) while also allowing each
customer to save on bandwidth expenses.
Service QoS Architecture

Figure 1 shows how QoS affects traffic flow during the service ingress process.
On service ingress, the traffic is:
Classified according to policy mapping tables
Policed and reclassified based on ACLs (optional)
Distributed into eight priority queues based on the assigned classification
Entered into the queues after Congestion Avoidance enforcement
Transmitted according to a scheduling algorithm
Shaped on a per queue/per service basis
Figure 5: Service Ingress QoS Architecture
Figure 6: Combining Service Ingress QoS and Port-based QoS

Service-Based QoS Mechanisms

Service-based QoS mechanisms are similar to the Port-based QoS mechanisms except for the fact
that there are eight transmission queues per service SAP (Service Access Point) instead of per port.
The same mechanisms that are applied per port in port-based QoS are applied per service in
service-based QoSfor example, shaping per queue and per service.
It is possible to combine Service-based QoS and Port-based QoS on the same device to gain
enhanced and granular Service Level Agreement requirements as in the preceding figure.
Policy-Based QoS Management

In Policy-based QoS, a carrier usually provides a limited number of packages to its customers.
Multiple customers can purchase the same package and most of the Service Level Agreements for
these customers would be based on these packages as templates.
For example, a Premium Business package could be a true VPN and triple-play package that
includes VPN, Voice, Video and Internet with 10Mb/s of overall bandwidth. On the other hand, a
Basic Business package might include VPN and Internet only with lower overall bandwidth
allocation (such as 3Mb/s).
Once a customer subscribes to a package, the network allocates the required resources both for the
service(s) and for the QoS implementation. For QoS implementation, a set of resources (such as
queues, schedulers, buffer space, etc.) will be allocated inside the device. In Telco QoS terminology,
this is called instantiation of a Policy. Once another customer has subscribed to the same package,
the same Policy will be instantiated again, meaning allocation of an additional, identical set of
resources.
In some cases a Policy instance can be shared between multiple customers, a useful technique that
saves resources. Sharing resources also means that no true per-customer SLA assurance can be
performed (for example, these customers will share the same shapers and eventually the same
allowed bandwidth).
The device supports several types of Policies (described in detail in the following subsections). Each
Policy type includes parameters related to a different set of QoS features.
In addition, some of the features are configured using Profiles. Unlike Policies, Profiles are low-
level templates, each defining parameters for a single distinctive QoS feature. Profiles are used
not to allocate resources, but rather to configure resources that have already been allocated.
Profiles
A profile includes a set of configurable values that can be applied within a QoS policy. The device
supports the following QoS Profile types:
Mapping Profile: Maps L2(VPT or L3 (DSCP) marked traffic (or both) to particular
Forwarding Classes (FCs) and traffic colors.
Scheduling Profile: Specifies the queuing/scheduling algorithm to apply to a queue.
Shaper Profile: Specifies the shaping algorithm to apply to a port or a queue.

Port-Related Policies
The device supports the following port-related QoS policies:
Port Ingress Policy
Applied per port.
Applies mapping of VPT/DSCP values to Forwarding Class (FC) and traffic color
through a mapping profile.
Applies trust mode of the VPT/DSCP values to the ingress traffic.
Port Egress Policy
Applied per port
Applies shaper per port/per queue or both through a shaper profile.
Service-Related Policies
The device supports the following service-related QoS policies:
Service Ingress Policy
Applies shaper profile per SAP or per queue.
Relevant Scaling Numbers

Number Description
Maximum Number of Profiles Mapping profiles: 64 (including one default: global)

Shaper profiles: 8
Scheduling profiles: 8 (including SP default profile)
Remarking profiles
Maximum Number of Policies Port ingress policies: 64 (including one default policy)
Port egress policies: 64 (including one default policy)
Order of Configuration
3. Define and configure the following profiles:
Mapping profiles
Shaper profiles
Scheduling profiles
Remarking profile
4. Define and configure the ingress/egress policies and service ingress policies.
Port Ingress Policy: Map VPT and DSCP bits for incoming traffic to internal Forwarding
Class (FC), color, and trust mode. The FC groups in ingress policies are mapped to
queues.

Port Egress Policy: Define the queueing mechanism (scheduling) and shaper profile.
Service ingress policy includes configuring the shaper and scheduling profiles.
5. Apply the configured policies to ports/Service SAP. Once applied, QoS profiles and policies
can be modified. For updating the configuration of any service or port, the applied policies
must first be first removed from that configuration. You are not able to delete profiles and
polices attached to port or SAP.
QoS Default Configuration

Table 6 shows the default QoS configuration.
Table 3: QoS Default Configuration
Feature Default Value
Default mapping profile global

This profile implements the default mapping on device, see Table 8:
Mapping Profile Default Configuration
QoS scheduling Strict Priority
algorithm
Port trust mode untrust
Drop level per user green
priority
User priority fc=be
DSCP value Specified in the default mapping profiles

DSCP drop level Specified in the default mapping profiles
Traffic shaping Disabled
Port policies profiles See Table 10: Port Policies Profiles Default Configuration
configuration
Table8: Mapping Profile Default Configuration (Untrust VPT/DSCP)

VPT DSCP FC Color
global untrust be green
Table 9: Global Mapping Profile Default Configuration (Trust VPT/DSCP)

VPT DSCP FC Color
global 0 - be green
1 - l2 green
2 - af green
3 - l1 green
4 - h2 green

VPT DSCP FC Color
5 - ef green
6 - h1 green
7 - nc green
- 0-7 be green
- 8-15 l2 green
- 16-23 af green
- 24-31 l1 green
- 32-39 h2 green
- 40-47 ef green
- 48-55 h1 green
- 56-63 nc green
Table 10: Port Policies Profiles Default Configuration

Policy Policy Type Profile Type/Name Trust Mode
Mapping Scheduling
defInPol ingress global - untrust

defEgPol egress - 1 -
Table 11: Default Configuration of FC to Queue Mapping for Unicast Traffic
VPT 0 1 2 3 4 5 6 7
Queue 1 2 3 4 5 6 7 8
Table 12: Default Configuration of FC to Queue Mapping for Multicast Traffic
VPT 0 1 2 3 4 5 6 7
Queue 1 2 2 2 7 7 7 8

QoS Configuration Flow

The following flow chart shows the process of configuring the QoS parameters.
Figure 7: QoS Configuration Flow (applied on ports)
QoS Commands
QoS Profile Configuration Commands
Commands Hierarchy
+ config terminal
+ qos

[no] dscp-remarking <value> fc {af | be | ef | h1 | h2 | l1 | l2 |

nc}
+ [no] mapping-profile {global | PROFILE-NAME}
- [no] any-dscp-to-fc fc {be | l2 | af | l1 | h2 | ef | h1 |
nc}
[no] any-vpt-to-fc color {green | yellow}
- [no] any-vpt-to-fc fc {be | l2 | af | l1 | h2 | ef | h1 |
nc}
+ dscp-to-fc <dscp-marking>
- [no] set-to-fc {be | l2 | af | l1 | h2 | ef | h1 | nc}
+ vpt-to-fc <vpt-marking>
- [no] color {green | yellow}
- [no] set-to-fc {be | l2 | af | l1 | h2 | ef | h1 | nc}
+ [no] remarking-profile PROFILE-NAME
+ [no] fc-to-dscp {be | l2 | af | l1 | h2 | ef | h1 | nc}
{green | yellow}
- dscp <value>
+ [no] fc-to-vpt {be | l2 | af | l1 | h2 | ef | h1 | nc}
{green | yellow}
- vpt <value>
+ [no] scheduling-profile [<profile-id>]
+ scheduling-type {drr | hybrid-1 | hybrid-2 | hybrid-3 |
hybrid-4 | hybrid-5 | hybrid-6 | mdrr-1 | mdrr-2 | mdrr-3
| mdrr-4 | mdrr-5 | mdrr-6 | sp | wrr}
- [no] queue1-weight <value>
+ [no] shaper-profile port <profile-id>
- [no] cbs <cbs>
- [no] cir <value>
+ [no] shaper-profile service <profile-id>
- [no] cbs <value>
- [no] cir <value>

- [no] pir <value>

- [no] pbs <value>
Table 4: QoS Profiles Configuration Commands
Command Description
qos Enters QoS Configuration mode
dscp-remarking <value> fc {af | be | ef Enables the DSCP remarking for a FC to DSCP

| h1 | h2 | l1 | l2 | nc} priority combination:
value: dscp priority, in the
range of <0-63>
be: assigns be FC to the traffic
l2: assigns l2 FC to the traffic
af: assigns af FC to the traffic
h2: assigns h2 FC to the traffic
ef: assigns ef FC to the traffic
nc: assigns nc FC to the traffic
no dscp-remarking <value> fc {af | be | Disables the DSCP remarking
ef | h1 | h2 | l1 | l2 | nc}
mapping-profile {global | PROFILE- Specifies a mapping profile to configure and

NAME} enters configuration mode for that profile:
PROFILE-NAME: name of the mapping
profile, a string of <1-32>
characters
Global default mapping profile
no mapping-profile [global | PROFILE- Deletes the specified mapping:
NAME]
profile to delete
any-dscp-to-fc fc {be | l2 | af | l1 Assigns specific Forwarding Class (FC) to all
| h2 | ef | h1 | nc} DSCP-marked ingress packets, without
reference to its actual DSCP-marking:
no any-dscp-to-fc fc Restores to default

Command Description
any-vpt-to-fc color {green | Assigns the specified color to all VPT-marked

yellow} ingress traffic, without reference to its actual
VPT-marking:
green: assigns green color to the
traffic
yellow: assigns yellow color to
the traffic
no any-vpt-to-fc color Restores to default
any-vpt-to-fc fc {be | l2 | af | l1 Assigns the specified FC to all VPT-marked
| h2 | ef | h1 | nc} ingress traffic, without reference to its actual
VPT-marking:
no any-vpt-to-fc fc Restores to default
description DESCRIPTION Assigns a description to the configured profile:

characters
no description Removes the assigned description
dscp-to-fc <dscp-marking> Specifies the DSCP value of the ingress traffic

and enters the DSCP-to-FC mode for the
specified DSCP marking:
dscp-marking: specified DSCP
marking of the ingress traffic,
the valid range is <0-63>
no dscp-to-fc [<dscp-marking>] Deletes from profile the DSCP-to-FC/color
mapping for the specified DSCP marking or,
when used without a parameter, deletes all
configured DSCP-to-FC/color mappings.
dscp-marking: specified DSCP
the valid range is <0-63>

Command Description
set-to-fc {be | l2 | af | l1 | h2 Maps the traffic with the configured DSCP

| ef | h1 | nc} marking to the specified FC:
no set-to-fc Restores to default
vpt-to-fc <vpt-marking> Enters the VPT-to-FC mode for the specified

VPT marking for configuring the mapping of the
ingress traffic bearing that marking to a
particular color and forwarding class:
vpt-marking: specified VPT
in the range of <0-7>
no vpt-to-fc [<vpt-marking>] Deletes from profile the VPT-to-FC/color
mapping for the specified VPT marking or, when
used without a parameter, deletes all configured
VPT-to-FC/color mappings.
vpt-marking: specified VPT
color {green | yellow} Maps the traffic with the configured VPT
marking to the specified color:
traffic
the traffic
no color Restores to default
set-to-fc {be | l2 | af | l1 | h2 Maps the traffic with the configured VPT
| ef | h1 | nc} marking to the specified FC:

Command Description
remarking-profile PROFILE-NAME Specifies a remarking profile to configure and

enters configuration mode for that profile:
PROFILE-NAME: name of the
remarking profile, the valid
range is <1-64> characters
no remarking-profile [PROFILE-NAME] Deletes the specified remarking profile or, when
used without a parameter, deletes all remarking
profiles.
remarking profile to delete
characters
no description DESCRIPTION Removes the assigned description
fc-to-dscp {be | l2 | af | l1 | h2 | Maps the packets from specific FC and with

ef | h1 | nc} {green | yellow} specific color to user-defined DSCP precedence
on the egress interface and enters the FC-to-
DSCP remarking configuration node.
be: specifies be FC
l2: specifies l2 FC
af: specifies af FC
l1: specifies l1 FC
h2: specifies h2 FC
ef: specifies ef FC
h1: specifies h2 FC
nc: specifies nc FC
green: selects the packets
colored in green
yellow: selects the packets
colored in yellow
If FCs are not explicitly remarked to user-
defined DSCP values, the queues are
remarked according to default remarking
profile.

Command Description
no fc-to-dscp {be | l2 | af | l1 | Removes the configured FC-to-DSCP

h2 | ef | h1 | nc} {green | remarking:
yellow}
be: specifies be FC for the
FC/color combination
l2: specifies l2 FC for the
af: specifies af FC for the
h2: specifies h2 FC for the
ef: specifies ef FC for the
nc: specifies nc FC for the
green: selects green-colored
traffic
yellow: selects yellow-colored
traffic
dscp <value> Enables remarking of the traffic bearing the
configured FC/color combination with the
specified DSCP priority:
no dscp Disables the specified DSCP remarking for the
configured FC/color node

Command Description
fc-to-vpt {be | l2 | af | l1 | h2 | Maps the packets from specific FC and with

ef | h1 | nc} {green | yellow} specific color to user-defined VPT priority on the
egress interface and enters the FC-to-VPT
remarking configuration node.
be: specifies be FC
l2: specifies l2 FC
af: specifies af FC
l1: specifies l1 FC
h2: specifies h2 FC
ef: specifies ef FC
h1: specifies h2 FC
nc: specifies nc FC
green: selects the packets
colored in green
yellow: selects the packets
colored in yellow
If FCs are not explicitly remarked to user-
defined VPT values, the queues are
remarked according to default remarking
profile.
no fc-to-vpt {be | l2 | af | l1 | h2 Removes the configured FC-to-VPT remarking:
| ef | h1 | nc} {green | yellow}
be: specifies be FC for the
remarking to be removed
af: specifies af FC for the
ef: specifies ef FC for the
nc: specifies nc FC for the
green: selects green-colored
traffic
yellow: selects yellow-colored
traffic
vpt <value> Enables remarking of the traffic with the
configured FC/color combination with the
specified VPT priority:
value: the valid range is <0-7>

Command Description
no vpt Disables the specified VPT remarking for the

configured FC/color node
scheduling-profile <profile-id> Specifies a scheduling profile to configure and
profile-id: ID of the mapping
profile, the valid range is <1-8>
no scheduling-profile [<profile-id>] Deletes the specified scheduling profile or,
when used without a parameter, deletes all
mapping profiles.
profile-id: (optional) ID of the
scheduling profile to delete
scheduling-type {drr | hybrid-1 | Specifies the type of queuing/scheduling to be
hybrid-2 | hybrid-3 | hybrid-4 | employed by the configured profile. For an
hybrid-5 | hybrid-6 | mdrr-1 |
mdrr-2 | mdrr-3 | mdrr-4 | mdrr-5 explanation of the algorithm behind each
| mdrr-6 | sp | wrr} scheduling type, see " Modified Deficit Round
Robin " and "Hybrid Scheduling".
drr: specifies Deficit Round-
Robin (DRR) scheduling
hybrid-1: specifies scheduling
according to the first hybrid
algorithm
according to the second hybrid
algorithm
according to the third hybrid
algorithm
according to the fourth hybrid
algorithm
according to the fifth hybrid
algorithm
according to the sixth hybrid
algorithm
mdrr-1: specifies scheduling
according to the first Modified
Deficit Round-Robin (MDRR)
algorithm
according to the second MDRR
algorithm
according to the third MDRR
algorithm
according to the fourth MDRR
algorithm
according to the fifth MDRR

Command Description
algorithm
according to the sixth MDRR
algorithm
sp: specifies Strict Priority
(SP) scheduling
wrr: specifies Weighted Round-
Robin (WRR) scheduling
queue1-weight <value> Specifies the weighting factor for the queue:
no queue1-weight Removes the configured weigh







characters
shaper-profile port <profile-id> Specifies a port shaper profile to configure and

profile-id: ID of the port shaper
profile, the valid range is <1-8>
no shaper-profile port [<profile-id>] Deletes the specified port shaper profile or,
when used without a parameter, deletes all port
shaper profiles.
profile-id: (optional) ID of the
port shaper profile to delete

Command Description
cbs <value> Specifies the Committed Burst Size (CBS) for

the shaper profile, in kilobytes:
KB
64 KB
cir <value> Specifies the Committed Information Rate (CIR)

for the shaper profile, in kilobits per second:
capacity) kbps
100000 kbps

characters
shaper-profile service <profile-id> Specifies a service shaper profile to configure

and enters configuration mode for that profile:
profile-id: ID of the service
shaper profile, the valid range
is <1-48>
no shaper-profile service [<profile- Deletes the specified service shaper profile or,
id>] when used without a parameter, deletes all
service shaper profiles.
profile-id: ID of the service
shaper profile to delete
cbs <value> Specifies the Committed Burst Size (CBS) for
the shaper profile, in kilobytes:
KB
64KB
cir <cir> Specifies the Committed Information Rate (CIR)

for the shaper profile, in kilobits per second:
capacity) kbps
100000 kbps

characters

QoS Policy Configuration Commands
Commands Hierarchy
+ config terminal
+ qos
+ [no] port-egress-policy POLICY-NAME

+ [no] queue <queue-id>
[no] shaper-profile <profile-id>
- [no] scheduling-profile <profile-id>
- [no] shaper-profile <profile-id>
- [no] remarking-profile <profile-id>
+ [no] port-ingress-policy POLICY-NAME
- [no] mapping-profile PROFILE-NAME
- [no] trust-mode {trust-dscp | trust-priority | trust-
priority-and-dscp | untrust | trust-inner-priority}
- [no] untrust-to-fc fc {be | l2 | af | l1 | h2 | ef | h1 |
nc} color {green | yellow}
+ [no] service-ingress-policy POLICY-NAME
+ [no] queue <queue-id>
- [no] mapping-profile PROFILE-NAME
- [no] scheduling-profile <profile-id>
Table 5: QoS Policy Configuration Commands
Command Description
qos Enters QoS Configuration mode
port-egress-policy POLICY-NAME Specifies a port egress policy to configure and

enters configuration mode for that policy:
POLICY-NAME: name of the
specified policy, a string of <1-
64> characters
defEgPol: name of the default egress
policy

Command Description
no port-egress-policy POLICY-NAME Deletes the specified port egress policy:

specified policy
description DESCRIPTION Assigns a description to the configured policy:
characters
no description Removes the assigned description
queue <queue-id> Assigns queue to the configured policy and

enters queue configuration mode for that
queue:
queue-id: ID of the assigned
queue, the valid range is <1-8>
no queue <queue-id> Removes the specified queue from the
configured policy:
queue-id: ID of the queue to
remove from the policy
shaper-profile <profile-id> Specifies shaper profile to apply to the queue.
The profile is selected from the available
shaper profiles:
profile-id: ID of the specified
profile
no shaper-profile Removes from the queue the applied shaper
profile
scheduling-profile <profile-id> Assigns scheduling profile to the configured
policy. The profile is selected from the
available scheduling profiles.
profile-id: ID of the assigned
profile
no scheduling-profile Removes the assigned scheduling profile from
the policy
shaper-profile <profile-id> Assigns a shaper profile to the configured
available shaper profiles.
profile
no shaper-profile Removes the shaper profile from the policy
remarking-profile <profile-id> Assigns a remarking profile to the configured

available remarking profiles.
profile
no remarking-profile Removes the remarking profile from the policy

Command Description
port-ingress-policy POLICY-NAME Specifies a port ingress policy to configure and

enters configuration mode for that policy:
64> characters
defInPol: name of the default ingress
policy; for details, refer to Default
Settings
no port-ingress-policy POLICY-NAME Deletes the specified port ingress policy:
64> characters
characters
mapping-profile PROFILE-NAME Assigns mapping profile to the configured

available mapping profiles.
assigned profile
no mapping-profile Removes the mapping profile from the policy
trust-mode {trust-dscp | trust- Specifies the ingress traffic trust mode to be
priority | trust-priority-and-dscp applied by the configured policy:
| untrust | trust-inner-priority}
trust-dscp: trusts all DSCP-
marked ingress traffic

trust-priority: trusts the outer
VPT value in the VLAN tag, in
case of double-tagged ingress
traffic. In case of single-tagged
traffic, the system trusts the
only one existing VPT in the VLAN
tag.
trust-priority-and-dscp: trusts
all DSCP- and VPT-marked ingress
traffic; the DSCP-marked traffic
has higher precedence than the
VPT traffic
untrust: untrusts all ingress
traffic
trust-inner-priority: trusts the
inner VPT value in the VLAN tag,
in case of double-tagged ingress
traffic
Untrust (the packets priority for the
ingress traffic (VPT/DSCP is 0)
no trust-mode Restores to default

Command Description
untrust-to-fc fc {be | l2 | af | l1 | Assigns a specific FC and color to all untrusted

h2 | ef | h1 | nc} color {green | ingress traffic:
yellow}
traffic
the traffic
no untrust-to-fc fc {be | l2 | af | Removes the configured FC and color
l1 | h2 | ef | h1 | nc} color
{green | yellow}
service-ingress-policy POLICY-NAME Specifies a service ingress policy to configure

and enters configuration mode for that policy:
32> characters
no service-ingress-policy POLICY-NAME Deletes the specified service ingress policy:
specified policy
characters
no description DESCRIPTION Removes the assigned description.
queue <queue-id> Assigns queue to the configured policy and

enters queue configuration mode for that
queue:
queue-id: ID of the assigned
queue, the valid range is <1-8>
no queue <queue-id> Removes the specified queue from the
configured policy or, when used without a
parameter, removes queues assigned to the
policy.
queue-id: ID of the queue to
remove from the policy
shaper-profile <profile-id> Specifies shaper profile to apply to the queue.
The profile is selected from the available
shaper profiles:
profile-id: ID of the specified
profile
no shaper-profile Removes from the queue the applied shaper
profile.

Command Description
mapping-profile PROFILE-NAME Assigns mapping profile to the configured

available mapping profiles.
assigned profile
no mapping-profile Removes the mapping profile from the policy
scheduling-profile <profile-id> Assigns scheduling profile to the configured

available scheduling profiles.
profile
no scheduling-profile Removes the assigned scheduling profile from
the policy
shaper-profile <profile-id> Assigns a shaper profile to the configured
available shaper profiles.
profile
no shaper-profile Removes the shaper scheduling profile from
the policy
QoS Port and Service Configuration Commands
Commands Hierarchy
device-name#
+ config terminal
+ port UU/SS/PP
- [no] qos-egress-policy POLICY-NAME
- [no] qos-ingress-policy POLICY-NAME
+ [no] service
- [no] apply-qos-policy
- [no] apply-qos-policy

Table 6: QoS Port/Service Configuration Commands

Command Description
port UU/SS/PP Specifies a port to configure with port

ingress/egress policies and enters QoS port
configuration mode for that port:
UU/SS/PP: 1/1/1-1/1/4, 1/2/1-
1/2/8
qos-egress-policy POLICY-NAME Specifies port egress policy to apply to the
configured port. The policy is selected from the
available port egress policies.
64> characters
no qos-egress-policy Restores the default port egress policy on the
specified port.
qos-ingress-policy POLICY-NAME Specifies the port ingress policy to apply to the
configured port. The policy is selected from the
available port ingress policies.
64> characters
no qos-ingress-policy Removes service ingress policy on the specified
port
service Enters Service Configuration Mode

4294967294>
used without a parameter, removes all
configured 802.1Q services:
range of <1-4294967294>
tls <service-id> Enters TLS Service Configuration mode for the
specified service:
service-id: service ID to be used
as a reference SAP configuration
qos-ingress-policy POLICY-NAME Specifies the QoS service ingress policy to be

applied to the configured service. The policy is
selected from the available service ingress
policies.
32> characters
no qos-ingress-service-policy Restores the default service ingress policy on
POLICY-NAME the specified service

Command Description
Creates a service access point (SAP) and

enters SAP Configuration mode:
UU/SS/PP: the SAP port is in the
range of 1/1/1-1/1/4 and 1/2/1-
1/2/8. This port has to be an
untagged member of the S-VLAN
<1-14>
NOTE
SAP.
versa.
UU/SS/PP: (optional) the SAP port
is in the range of 1/1/1-1/1/4
and 1/2/1-1/2/8
<1-14>
untagged}
Specifies a customer VLAN (C-VLAN) and
enters C-VLAN Configuration mode:
cvlan-id: in the range of <1-
4094>
traffic only
no c-vlan {<cvlan-id> | all | Removes the defined C-VLAN:
untagged}
4094>
traffic only
apply-qos-policy Applies to the specific sap with C-VLAN the
QoS policy already configured for the service
no apply-qos-policy Removes the specified QoS service policy from
the specified C-VLAN(s)

QoS Configuration Display Commands
Commands Hierarchy
device-name#
- show running-config qos service-ingress-policy POLICY-NAME
- show qos mapping-profile [PROFILE-NAME]
- show qos port-egress-policy [POLICY-NAME]
- show qos port-ingress-policy [POLICY-NAME]
- show qos remarking-profile [PROFILE-NAME]
- show qos shaper-profile [<profile-id>]
- show qos scheduling-profile [<profile-id>]
- show qos service-ingress-policy POLICY-NAME
- show qos port UU/SS/PP [ingress | egress]
Table 7: QoS Display Configuration Commands
Command Description
show running-config qos service-ingress- Displays the specified service ingress policy or,
policy POLICY-NAME when used without a parameter, displays all
configured service ingress policies.
POLICY-NAME: name of the service
ingress policy to display
show qos mapping-profile [PROFILE-NAME] Displays the specified mapping profile or, when
used without a parameter, displays all
configured mapping profiles.
profile to display
show qos port-egress-policy [POLICY-NAME] Displays the specified port egress policy or,
when used without a parameter, displays all
configured port egress policies.
POLICY-NAME: name of the policy
to display
show qos port-ingress-policy [POLICY- Displays the specified port ingress policy or,
NAME] when used without a parameter, displays all
configured port ingress policies.
POLICY-NAME: name of the policy
to display
show qos remarking-profile [PROFILE-NAME] Displays the specified remarking profile or,
when used without a parameter, displays all
configured remarking profiles.
PROFILE-NAME: Name of the
remarking profile to display
show qos shaper-profile [<profile-id>] Displays all configured shaper profiles:
profile-id: ID of the shaper
profile to display

Command Description
show qos scheduling-profile [<profile- Displays the specified scheduling profile or,
id>] when used without a parameter, displays all
configured scheduling profiles.
profile-id: ID of the scheduling
profile to display
show qos service-ingress-policy POLICY- Displays the specified service ingress policy or,
NAME when used without a parameter, displays all
configured service ingress policies.
POLICY-NAME: name of the service
ingress policy to display
show qos port UU/SS/PP [ingress | egress] Displays the QoS configuration of the specified
port, including the ingress/egress policies
applied to it or, when used without a parameter,
displays the configuration for all ports.
UU/SS/PP: 1/1/1-1/1/4, 1/2/1-
1/2/8
ingress, egress: displays
ingress/egress port policies
Configuring QoS Shaper per Port
1. Create port shaper profile:
device-name(config)#qos
device-name(config-qos)#shaper-profile port 1 cir 6000 cbs 16
device-name(config-port-1)#commit
Commit complete.
device-name(config-port-1)#
2. Apply shaper profile per egress policy:

device-name(config-qos)#port-egress-policy 22
device-name(config-port-egress-policy-22)#shaper-profile 1
device-name(config-port-egress-policy-22)#commit
Commit complete.
device-name(config-port-egress-policy-22)#
3. Apply egress policy per egress port:

device-name(config-port-1/1/3)#qos-egress-policy 22
Commit complete.
device-name(config-port-1/1/3)#

Configuring QoS Shaper per Queue

Create port shaper profile:
device-name(config-qos)#shaper-profile port 1 cir 6000 cbs 16
4. Apply shaper profile per queue per egress policy:

device-name(config-qos)#port-egress-policy 22
device-name(config-port-egress-policy-22)#queue 1
device-name(config-queue-1)#shaper-profile 1
5. Apply egress policy per egress port:

device-name(config-port-1/1/1)#qos-egress-policy 22
Commit complete.
Configuring QoS Policy per TLS Service

1. Configure TLS service 1:
Device-name(config)#service tls 1
Device-name(config-tls-1)#sdp s-vlan 10 port 1/1/2
Device-name(config-s-vlan-10)#exit
Device-name(config-tls-1)#exit
Device-name(config-service)#exit
2. Create port shaper profile:

Device-name(config-qos)#shaper-profile service 5
Device-name(config-service-5)#cir 5000
Device-name(config-service-5)#commit
Commit complete.
Device-name(config-service-5)#exit
3. Create scheduling profile 5:

Device-name(config)#qos
Device-name(config-qos)#scheduling-profile 5
Device-name(config-scheduling-profile-5)#scheduling-type wrr
Device-name(config-scheduling-profile-5)#queue1-weight 1

Device-name(config-scheduling-profile-5)#commit
Commit complete.
Device-name(config-scheduling-profile-5)#exit
4. Specify QoS policy and apply QoS shaper profile and scheduling profile:
Device-name(config)#qos
Device-name(config-qos)#service-ingress-policy Shape
Device-name(config-service-ingress-policy-Shape)#shaper-profile 5
Device-name(config-service-ingress-policy-Shape)#scheduling-profile 5
Device-name(config-service-ingress-policy-Shape)#commit
Commit complete.
Device-name(config-service-ingress-policy-Shape)#exit
Device-name(config-qos)#exit
5. Apply the QoS policy on TLS service:

Device-name(config-tls-1)#qos-ingress-policy Shape
Device-name(config-c-vlan-5)#apply-qos-policy
Device-name(config-c-vlan-5)#commit
Commit complete.
Device-name(config-c-vlan-5)#end
Device-name#show running-config service tls
service
tls 1
no shutdown
sap 1/1/1
c-vlan 5
apply-qos-policy
!
!
sdp s-vlan 10
ethertype 0x8100
port 1/1/2
!
!
qos-ingress-policy Shape
!
!
Device-name#show running-config qos service-ingress-policy Shape
qos
service-ingress-policy Shape
shaper-profile 5
scheduling-profile 5
!
top
!


Quality of Service MEF-10 Private MIB, Not supported

(QoS) (Ethernet Services PRVT-QOS-
Attributes Phase I) MIB.mib

Operations, Administration, and
Maintenance (OAM)
Table of Contents
Table of Figures 2
List of Tables 3
802.1ag Connectivity Fault Management (OAM-CFM) 4

CFM-OAM Protocol Functionality 4
CFM Purpose 4
Ethernet 802.1ag OAM Mechanisms 5
Discovery and Connectivity 5
Fault Verification (Loopback Messages) 7
Fault Isolation (Linktrace Messages) 7
Fault Notification and Alarm Suppression (Fault Alarms) 8
CFM Configuration Flow 10
CFM Commands10
802.3ah Ethernet in the First Mile (OAM-EFM)26

EFM-OAM Configuration Flow 32
EFM-OAM Commands 33
ITU-T G.8032v2 Ring Automatic Protection Switching (R-APS) 46

R-APS Mechanism 46
Timing Configuration 47
R-APS Configuration Flow 48
R-APS Commands over Ethernet49
RAPS Configuration Example over Ethernet 59
ITU-T Y.1564 Next-Generation Carrier-Ethernet Test 61

Overview61
Operations, Administration, and Maintenance (OAM) (Rev. 01) Page 1

Key Objectives 61
Test Rates 62
Methodology 62
Bidirectional Test 62
Y.1564 Commands 63
Two-Way Active Measurement Protocol (TWAMP) 75

TWAMP Commands 76
ITU-T Y.1731 SAA In-Service Test 82

ITU-T Y.1731 SAA In-Service Configuration Flow 83
ITU-T Y.1731 SAA In-Service Configuration Commands83
ITU-T Y.1731-SLM SAA In-Service Test 94

ITU-T Y.1731-SLM SAA In-Service Configuration Commands 95
RFC 2544 SAA Throughput Test 105

Overview 105
SAA Unidirectional Throughput Test 105
SAA Bi-Directional Throughput Test 106
SAA Throughput Configuration Flow 107
SAA Throughput Configuration Commands 107
Event Propagation 119

Event Propagation Configuration Flow 120
Event Propagation Command Hierarchy 121
Table of Figures
Figure 1: OAM Ethernet Tools ............................................................................................................ 5
Figure 2: MEP1 and MEP3 Send a Multicast CC Frame ................................................................. 6
Figure 3: MEP4 and MEP2 Send a Multicast CC Frame ................................................................. 6
Figure 4: Loopback Operation ............................................................................................................. 7
Figure 5: Link Trace Operation ............................................................................................................ 8
Figure 6: CFM Configuration Flow ................................................................................................... 10
Page 2 Operations, Administration, and Maintenance (OAM) (Rev. 01)

Figure 7: End-to-End OAM Configuration ..................................................................................... 26

Figure 8: Managing Provider Devices Using the EFM 802.3ah Standard ................................... 27
Figure 9: Managing Customer Devices (Passive) Using the EFM 802.3ah Standard ................. 28
Figure 10: EFM-OAM Configuration Flow ..................................................................................... 32
Figure 11: Example Configuring of Two Devices using EFM-OAM .......................................... 42
Figure 12: Network with two R-APS Instances (Traffic flowing in different directions) ......... 47
Figure 13: R-APS Configuration Flow .............................................................................................. 48
Figure 14: TWAMP Measurement Architecture .............................................................................. 76
Figure 15: ITU-T Y.1731 SAA In-Service Configuration Flow .................................................... 83
Figure 16: Two Devices in SAA In-Service Test Mode.................................................................. 91
Figure 17: ITU-T Y.1731-SLM In-Service Configuration Flow .................................................... 95
Figure 18: Unidirectional Test .......................................................................................................... 105
Figure 19: End-to-End Unicast Loopback Test ............................................................................ 106
Figure 20: SAA Throughput Configuration Flow ......................................................................... 107
Figure 21: Two Devices in RFC2544 SAA Throughput Test Mode .......................................... 115
Figure 22: Event Propagation Configuration Flow ....................................................................... 120
Figure 23: Example for Configuring Event Propagation ............................................................. 125
List of Tables
Table 1: Defects and Priorities ............................................................................................................. 9
Table 2: CFM Configuration Commands ......................................................................................... 13
Table 3: CFM Display Commands..................................................................................................... 23
Table 4: EFM Configuration Commands ......................................................................................... 34
Table 5: EFM Display Commands .................................................................................................... 39
Table 6: Log messages employed by the EFM-OAM protocol..................................................... 40
Table 7: R-APS Commands over Ethernet ...................................................................................... 50
Table 8: Y.1564 Test Commands ....................................................................................................... 64
Table 9: TWAMP Commands ............................................................................................................ 77
Table 10: ITU-T Y.1731 SAA In-Service Test Commands ........................................................... 85
Table 11: ITU-T Y.1731-SLM SAA In-Service Test Commands ................................................. 96
Table 12: SAA Throughput Commands ......................................................................................... 109
Table 13: Event Propagation Commands ....................................................................................... 121

802.1ag Connectivity Fault Management (OAM-

CFM)
The pre-standard IEEE 802.1ag CFM feature, called MAC ping/trace route, defines the end-to-end
OAM capabilities that are intrinsic to Ethernet technology, enabling service providers to monitor
the Ethernet service that the customer receives.
IEEE 802.1ag Connectivity Fault Management (802.1ag CFM) supports monitoring by the
network of the health of an end-to-end service delivered to customers as opposed to links or
individual bridges. 802.1ag CFM specifies the protocols, procedures, and managed objects used to
support transport fault management:
Discovery and verification of the frame path addressed to and from specified network users
Detection and isolation of a connectivity fault to a specific bridge or LAN
Ethernet CFM defines proactive and diagnostic fault localization procedures for point-to-point and
multipoint Ethernet Virtual Connections (EVC) that span one or more links.
CFM-OAM Protocol Functionality

CFM-OAM supports the following basis functionalities:
Discovery and Connectivity: Discovery of other CFM-OAM enabled devices and
verification of connectivity to these devices
Fault Verification: Verification and quality testing of the service delivered
Fault Isolation: Identification and isolation of the fault point within the service path
CFM Purpose
Bridges are used increasingly in networks operated by multiple, independent organizations. In such
networks, each organization maintains restricted access to its equipment. CFM assists in detection,
verification, and isolation of connectivity failures in networks where multiple organizations are
involved in the provision and use of Ethernet services such as customers, service providers, and
operations.
Customers purchase Ethernet service from service providers who in turn may utilize their own
network or the network of other operators to provide connectivity for the requested service.
Customers themselves may be service providers. For example, a customer may be an Internet
service provider that sells Internet connectivity.

Figure 1: OAM Ethernet Tools
Operators need minimal Ethernet OAM as opposed to providers that need more comprehensive
Ethernet OAM for themselves as well as the ability to provide their customers with better
monitoring functionality.
In order to validate service quality and perform fault verification on Maintenance End Points
(MEP) and Maintenance Intermediate Points (MIPs) belonging to the organization, each
organization defines its own maintenance domain. MEPs and MIPs are then linked to the relevant
domain creating a Maintenance Association (MA).
Ethernet 802.1ag OAM Mechanisms

The mechanisms supported by CFM include Connectivity Check Messages (CCM), Loopback,
Link Trace and Alarm Indication Signal (AIS).
CFM allows for end-to-end fault management that is generally reactive (through Loopback, Link
Trace messages, and Alarm Indication Signals) as well as connectivity verification that is proactive
(through Connectivity Check messages).
Discovery and Connectivity

To discover the devices in a domain, each MEP transmits a periodical CCM to the MIPs and
MEPs through the entire domain.
A CCM is a periodic hello message multicast by a MEP within the MA at a defined rate. The
receiving MEPs build a MEP database that catalogs a list of the various MAs, including their MEPs
and MIPs (indicating the MAC Address for each entity) as functional points.
The database includes MEP Destination MAC Address (DA) and port (format: MEP DA, Port)
entities.

Figure 2: MEP1 and MEP3 Send a Multicast CC Frame
Figure 3: MEP4 and MEP2 Send a Multicast CC Frame
A CCM timeout is used to detect connectivity faults (such as a software failure, memory corruption,
or problems with configuration). A CCM loss is assumed when a MEP does not receive the next
CCM from a remote MEP within the CCM timeout.
If a MEP on a local bridge (local MEP) stops receiving periodic CCMs from a peer MEP on a
remote bridge (remote MEP), the receiving MEP assumes that a failure in the remote bridge or in
the continuity of the path has occurred. If the MEP does not receive three consecutive CCMs, the
MEP declares a connectivity loss.
In this case, the bridge can notify the network management application about the failure and initiate
fault verification and fault isolation either automatically or by operator command.
Since a short CCM interval rate is a key point in ensuring fast connection-failure detection, the
systems administrator can define a CCM interval rate of down to 3.3 milliseconds.
In cases where a MEP is deliberately taken out of commission, status indication for the MEP is sent
to other peer MEPs to avoid triggering false fault detections.
CFM also provides an alarm suppression mechanism in cases where a network fault affects more
than one VLAN and where different MEPs generate an alarm for the same common fault.

Fault Verification (Loopback Messages)

To verify connectivity between a MEP and its peer MEP or MIP, a unicast Loopback Message
(LBM) is initiated by the MEP using the destination address of either a peer MEP or MIP. The
receiving MEP/MIP responds to the LBM with a Loopback Reply (LBR).
To identify the precise fault location along an MA, a Loopback message is issued by a MEP to a
given MIP. The appropriate MIP before the fault responds with a Loopback Replay; however, the
MIP after the fault does not. For Loopback to work, the MEP must know the MAC address of the
MIP to ping.
Figure 4: Loopback Operation
In the Figure 4 two maintenance entities are shown: one comprising the yellow MEPs and MIPs, the
other comprising orange MEPs and MIPs.
Fault Isolation (Linktrace Messages)

To isolate the exact fault point, a MEP initiates Linktrace, a mechanism used to isolate faults at the
Ethernet MAC layer.
The originating MEP sends a Linktrace Message (LTM) using one of the multicast MAC Addresses
reserved by the domain, that traverses hop-by-hop along the domain trace path. Each Maintenance
Point (MP), whether a MEP or MIP, along the trace path intercepts, processes and forwards this
LTM on to the next hop until the LTM reaches the destination MEP.
Each MP along the path returns a unicast Linktrace Reply (LTR) back to the originating MEP. The
MEP then sends a single LTM to the next hop along the trace path. In this way, the MEP
determines the MAC Address and location, in relation to the originating MEP, for all MIPs along
the MA.

Figure 5: Link Trace Operation
For the Ethernet, fault isolation is more challenging since MAC addresses age and erase the
information needed to locate the fault. Possible ways to address this issue are:
Carry out Linktrace within the age-out time frame
Maintain information about the destination MEP at the MIPs along the path using CCMs
Maintaining the path visibility at the source MEPs through periodic LTMs (in intervals larger
than the CCM rate interval)
You can also use Linktrace to:
Discover normal data paths through the network when the network is fault-free. Path
discovery can prove helpful when Linktrace cannot provide the information needed to isolate
a fault.
Issue LBMs to MPs along normal data paths to retrieve additional information.
Fault Notification and Alarm Suppression (Fault Alarms)

With Fault Alarm enabled, when a MEP detects a defect that exceeds a predefined time threshold,
Fault Alarm generates and sends SNMP notification to a designated address. The MEP cannot
transmit further Fault Alarms until a defined time period has passed during without further
indications of a defect.
A MEP maintains a number of separate defects, such as accidental cross-connection between two
different MAs or defects confined to a single MA, and ranks those defects by priority. After
transmitting a Fault Alarm for a lower priority defect, if a higher priority defect occurs, the MEP
can transmit another Fault Alarm.
With this mechanism, the operator can reliably prioritize Fault Alarms. For example, cross-connect
errors are typically of greater concern in a Service Provider environment than connectivity loss
errors. Only the highest-priority defect is reported in the Fault Alarm. In order of priority, the
defects are:
DefRDICCM: Last CCM received by the MEP from a remote MEP contained the RDI bit
DefMACstatus: Last CCM received by the MEP from a remote MEP indicating that the
MAC Address associated with the transmitting MEP is reporting an error status

DefRemoteCCM: The MEP is not receiving CCMs from one of the MEPs in its configured
list
DefErrorCCM: The MEP is receiving invalid CCMs
DefXconCCM: The MEP is receiving CCMs from a different MA
The following table shows the relationship between variables:
Variable: The name of the variable as defined by the 802.1ag standard
HighestDefect: Represents the highest priority defect currently detected by the MEP
HighestDefectPri: Represents the priority of the defect, expressed as an integer, named in the
HighestDefect variable
Importance: Describes the severity of the defect
Table 1: Defects and Priorities
Defect Priority
Variable HighestDefect HighestDefectPri Importance
Disable Disable 6
xconCCMdefect DefXconCCM 5 most
errorCCMdefect DefErrorCCM 4
someRMEPCCMdefect DefRemoteCCM 3
someMACstatusDefect DefMACstatus 2
someRDIdefect DefRDICCM 1 least

CFM Configuration Flow
Figure 6: CFM Configuration Flow
CFM Commands
Commands Hierarchy
device-name#
+ config terminal
+ [no] oam
+ [no] cfm
+ [no] shutdown
+ [no] domain DOMAIN-NAME
- level <level>
+ ma MA-NAME
- [no] ais-lck-receive
+ [no] ais-lck-transmit
- [no] ais-lck-interval {1min | 1sec}

- [no] ais-lck-level <level>

- [no] ais-lck-priority <priority>
- [no] ais-lck-vlan <vlan-id>
- format {icc | ieee | primaryVid}
- [no] hello-interval <value>
+ [no] mep <id>
- bind-to {UU/SS/PP:[<vlan-id>]:[<cvlan-
id>]: | UU/SS/PP:[<cvlan-id>]: |
{UU/SS/PP | agN}[:[igmp] | :[<vlan-
id>]:[igmp] | UU1/SS1/PP1:<ces-
- [no] shutdown
- direction {up | down}
- [no] ccm-enabled
- [no] ccm-priority <priority>
- [no] fault-notification-delay <value>
- [no] fault-notification-minimal-defect
{all-defects | broken-ccm | cross-
connect | mac-status | none | remote-
failure}
- [no] fault-notification-reset-delay
<value>
- [no] mip-policy {default | defer | explicit |
none}
- [no] sender-id-content {hostname | defer |
all | management-address | none}
- [no] service <id>
- format {none | string}
- [no] mip-policy {default | explicit | none}
- [no] sender-id-content {hostname | defer | all |
management-address | none}
- [no] service <id>
+ [no] threshold-profile <id>
- [no] one-way-jitter-error <value>
- [no] one-way-jitter-warning <value>
- [no] one-way-jitter-monitoring <true | false>
- [no] frame-loss-error <threshold>
- [no] frame-loss-warning <threshold>
- [no] frame-loss-monitoring
- [no] round-trip-jitter-error <value>
- [no] round-trip-jitter-error-period <value>
- [no] round-trip-jitter-warning <value>
- [no] round-trip-jitter-warning-period <value>

- [no] round-trip-jitter-monitoring
- [no] round-trip-latency-error <value>
- [no] round-trip-latency-error-period <value>
- [no] round-trip-latency-warning <value>
- [no] round-trip-latency-warning-period <value>
- [no] round-trip-latency-monitoring
- [no] results-bucket-size <size>
- [no] rate <rate>
- [no] description <string>
- [no] payload-size <value>
- [no] description <string>
- [no] update-interval <value>
- [no] test <id> DOMAIN-NAME MA-NAME
- [no] threshold-profile-id <id>
- [no] repeat-interval <value>
- [no] shutdown
- oam cfm linktrace domain DOMAIN-NAME ma MA-NAME mep <id> {target-mep
<target-mep-id> | target-mip HH:HH:HH:HH:HH:HH} {timeout <value> | ttl
<value>}
- oam cfm loopback domain DOMAIN-NAME ma MA-NAME mep <id> {target-mep
<target-mep-id> | target-mip HH:HH:HH:HH:HH:HH} [timeout <value> |
payload <value> | delay <value> | number <value>]
- clear oam cfm remote-mep-table domain-name NAME ma NAME [remote-mep
<id>]
- show oam cfm
- show oam cfm connectivity [domain-name DOMAIN-NAME] [ma MA-NAME]
- show oam cfm connectivity [extended]
- show oam cfm domain level <level>
- show oam cfm update-interval
- show oam cfm {interface UU/SS/PP | interfaces}
- show oam cfm test [id <id>]
- show oam cfm threshold-profile [id <id>]
- show oam cfm linktrace-results domain-name DOMAIN-NAME [ma MA-NAME]

Table 2: CFM Configuration Commands
Command Description

oam Enters OAM Protocol Configuration mode
no oam Removes the OAM configurations
cfm Enters CFM Protocol Configuration mode
no cfm Removes all CFM configurations
shutdown Disables CFM
no shutdown
Enables CFM
domain DOMAIN-NAME
Creates a Maintenance Domain (MD) and

enters a specific MD mode:
DOMAIN-NAME: a string of <1-22>
characters
no domain DOMAIN-NAME Removes the maintenance domain
level <level>
Specifies a MD level:
The MD levels are:
Operator Maintenance Association (MA)
levels: 02
Provider MA levels: 34
Customer MA levels: 57
ma MA-NAME
Creates a Maintenance Association (MA) and

enters a Specific MA configuration mode:
MA-NAME: a string of <1-45>
characters
service <id>
Specifies a unique service identifier:

id: in the range of
<14294967295>
no service [<id>] Removes the defined service identifier
vlan <vlan-id>
Specifies a unique VLAN identifier:

vlan-id: in the range of
<14094>
no vlan [<vlan-id>] Removes the defined VLAN identifier

Command Description
ais-lck-receive Enables Alarm Indication Signal (AIS) and Lock

Signal (LCK) functions of Y.1731. MEPs send
AIS packets during signal failure detection and
LCK packets during tests.
no ais-lck-receive Disables AIS and LCK functions of Y.1731
ais-lsk-transmit Enters AIS-LCK Configuration mode
no ais-lsk-transmit Removes the AIS-LCK configuration details
ais-lck-interval {1min | Specifies a time interval between two
1sec} successively sent AIS or LCK packets:
1min: 1 minute interval
1sec: 1 second interval
1sec
no ais-lck-interval Restores to default
ais-lck-level <level> Specifies a domain level for sending AIS and

LCK packets (AIS-LCK level). This level must
be higher than the CFM domain level:
no ais-lck-level Removes the configured AIS-LCK level
ais-lck-priority Specifies the priority for sending AIS packets:
<priority>
6
no ais-lck-priority Restores to default
ais-lck-vlan <vlan-id> Specifies a VLAN to which the AIS signal is

sent in case of an AIS condition:
no ais-lck-vlan Removes the configured VLAN
format {icc | ieee | Specifies the MA format:
primaryVid}
icc: ma name format complying to
ITU-T SG13/SG15 Y.1731 standard
specifications
ieee: ma name format complying to
IEEE 802.1ag standard
specifications
primaryVid: primary VLAN ID
ieee
hello-interval <value> Specifies the time interval between two
successive CCMs sent by a MEP that is a
member of the MA:
value: 1m, 1s, 10m, 10ms, 10s,
100ms, and 300Hz
1 second
no hello-interval Restores to default
mep <id> UU/SS/PP Specifies the maintenance end point (MEP) ID:
id: in the range of <08191>

Command Description
no mep <id> Removes the configured MEP from the MA
bind-to
{UU/SS/PP:[svlan-
id>]:[<cvlan-id>]: | Adds a local port, member of 802.1Q, TLS, or
UU/SS/PP:[<cvlan- VPLS service, as MEP to a specific MA:
id>]:
UU/SS/PP: a local port (unit,
| {UU/SS/PP | slot and port) to be added as MEP
agN}[:[igmp] |
:[<vlan-id>]:[igmp] | The valid port range is:
UU1/SS1/PP1:<ces- UU/SS/PP: 1/1/1-1/1/4, 1/2/1-
circuit>:{ces | ces-
oos}}
1/2/8
<1-14>
cvlan-id: (optional) specifies a
customer VLAN (C-VLAN), in the
range of <1-4094>
of <1-4094>
values are: 1/3/9.
range of <1-64>
packets
control packets
shutdown Disables the MEP
Disabled
no shutdown Enables the MEP
direction {up | down} Specifies the direction the MEP faces the
bridge port:
up, down: direction
ccm-enabled Enables CCM message generation by the MEP
no ccm-enabled Restores to default
Disabled
ccm-priority Specifies the VLAN priority assigned to all CCM
and LTM packets for a particular MEP:
When this command is used with combination
with the dot1q sdp vlan priority command (refer
to L2 services chapter of this User Guide), the
dot1q sdp vlan priority command takes
precedence over the ccm-priority command.

Command Description
6
no ccm-priority Restores to default
fault-notification-delay Specifies the length of time defects must be
<value> present before a local MEP generates a Fault
Alarm:
in hundredths of a seconds
250 hundredths of a second
no fault-notification- Restores to default
delay
fault-notification- Specifies the length of time that defects must

reset-delay <value> be absent before enabling a Fault Alarm again:
hundredths of a second
1000 hundredths of a second
reset-delay
fault-notification- Specifies defect priority for generating Fault

minimal-defect {all- Alarms. Defects can be either loss of CCMs or
defects | broken-ccm
| cross-connect | mac- reception of cross connected CCMs:
status | none |
remote-failure}
all-defects: Fault alarms are
generated when any of the bellow
defects occur
broken-ccm: Fault alarms are
generated when the MEP is
receiving invalid CCMs
cross-connect: Fault alarms are
generated when the MEP is
receiving CCMs from a different
MA
mac-status: Fault alarms are
generated when the last CCM
received by this MEP from a
remote MEP indicated that the
transmitting MEPs associated MAC
is reporting an error status
none: no Fault alarms are
generated when
remote-failure: Fault alarms are
generated when the MEP is not
receiving CCMs from one of the
MEPs in its configured list
Defect priority is all-defects and alarms
are generated for all defect conditions
minimal-defect
mip-policy {default | defer Specifies the conditions under which MIPs are
| explicit | none} automatically created on ports:
default: always creates MIPs
defer: adopts the setting of the

Command Description
enclosing domain
explicit: creates MIPs only if a
MEP exists on a lower MD Level
none: does not create any MIPs
for the specified MA
defer
no mip-policy Restores the default MIP policy setting
sender-id-content {hostname Specifies the content of the Type Length Value
| defer | all | (TLV) of the Sender ID included in most of the
management-address |
none} CFM packets sent by MEPs:
hostname: the Sender IDs TLV
includes only the device
hostname: the local hostname is
visible to all remote sites on
the MA but the local management
address is hidden
enclosing domain
all: the Sender IDs TLV includes
both the hostname and the
management address of the device
management-address: the Sender ID
TLVs includes only the devices
management address: the local
management mechanism and
management address are visible to
all remote sites on the MA, but
the local hostname is hidden
none: does not send the Sender
IDs TLV to remote MEPs: the
chassis ID and management
information are hidden from all
remote sites
defer
no sender-id-content Restores to default

format {none | string} Specifies the format of the domain name:
none: the domain name will not
appear in the CCM packet
string: the domain name will
appear in the CCM packet (the
domain name is specified using
domain DOMAIN-NAME command)
mip-policy {default | explicit Specifies the conditions in which MIPs are
| none} automatically created on ports:
default: always creates MIPs
explicit: creates MIPs only if a
MEP exists on a lower MD Level
none: does not create any MIPs
for the specified MA

Command Description
none
no mip-policy Restores to default
sender-id-content {hostname Specifies the content of the Type Length Value
| defer | all | (TLV) of the Sender ID included in most of the
management-address |
none} CFM packets sent by MEPs:
hostname: the Sender IDs TLV
includes only the device
hostname: the local hostname is
visible to all remote sites on
the MA but the local management
address is hidden
enclosing domain
all: the Sender IDs TLV includes
both the hostname and the
management address of the device
management-address: the Sender ID
TLVs includes only the devices
management address: the local
management mechanism and
management address are visible to
all remote sites on the MA, but
the local hostname is hidden
none: does not send the Sender
IDs TLV to remote MEPs: the
chassis ID and management
information are hidden from all
remote sites
defer
no sender-id-content Restores to default
threshold-profile <threshold- Creates a CFM profile with a specified name

profile id> and enters Monitoring Profile Configuration
mode:
threshold-profile id: in the
range of <1-64>
When the CFM protocol is enabled, a
default profile is created automatically
no threshold-profile [threshold- Restores to default
profile id]
one-way-jitter-error <value> Specifies one-way jitter error monitoring:

milliseconds
350 milliseconds
no one-way-jitter-error Restores to default
one-way-jitter-warning <value> Specifies the one-way jitter warning monitoring:

milliseconds
300 milliseconds

Command Description
no one-way-jitter-warning Restores to default

one-way-jitter-monitoring Enables the one-way jitter monitoring
no one-way-jitter-monitoring Disables the one-way jitter monitoring
frame-loss-error <error Specifies the threshold for two-way frame loss

threshold> error monitoring:
errorthreshold: in the range of
<1-99>, in percent
10% frame loss
no frame-loss-error Restores to default.
frame-loss-warning <warning Specifies the threshold for two-way frame loss

threshold> warning monitoring:
warningthreshold: in the range
of <0-99>, in percent. If you
specify a value that is higher
than the frame-loss-error value,
the frame-loss-warning will be
disabled
8% frame loss
no frame-loss-warning Restores to default
frame-loss-monitoring Enables frame loss monitoring
Enabled
no frame-loss-monitoring Disables frame loss monitoring
round-trip-jitter-error Specifies error value of two-way jitter error
<value> monitoring:
milliseconds
700 milliseconds
no round-trip-jitter-error Restores to default
round-trip-jitter-error-period Specifies the duration of a two-way jitter error:
<value>
seconds
90 seconds
no round-trip-jitter-error- Restores to default
period
round-trip-jitter-warning Specifies the warning value for two-way jitter

<value> warning monitoring:
milliseconds
600 milliseconds
no round-trip-jitter-warning Restores to default
round-trip-jitter-warning- Specifies the duration of a two-way jitter
period <value> warning:
seconds
180 seconds

Command Description
no round-trip-jitter-warning- Restores to default

period
round-trip-jitter-monitoring Enables round-trip jitter monitoring

<true | false>
True
no round-trip-jitter-monitoring Restores to default.
round-trip-latency-error Specifies the threshold for two-way latency
<value> error monitoring:
milliseconds
2000 milliseconds
no round-trip-latency-error Restores to default
round-trip-latency-error-period Specifies the duration of a latency error
<value> increase:
seconds
90 seconds
no round-trip-latency-error- Restores to default
period
round-trip-latency-warning Specifies the threshold for a two-way latency

<value> warning:
milliseconds
1600 milliseconds
no round-trip-latency-warning Restores to default
round-trip-latency-warning- Specifies the duration of a latency warning
period <value> increase:
seconds
180 seconds
no round-trip-latency-warning- Restores to default
period
round-trip-latency-monitoring Enables round-trip latency monitoring
no round-trip-latency- Disables round-trip latency monitoring

monitoring
results-bucket-size <size> Specifies the number of results to be stored for

jitter calculation:
size: in the range of <2-255>
20 results
no results-bucket-size Restores to default
priority <priority> Specifies the 802.1p class-of-service:

0

Command Description
rate <rate> Specifies the number of Loopback Request

packets:
rate: in the range of <1-3>
1 packet
no rate Restores to default
payload-size <value> Specifies the loopback request packets size:

bytes
0
no payload-size Restores to default
description <string> Specifies CFM profile name

string: in the range of <1-255>
no description Removes the specified description
update-interval <value> Specifies the time interval for updating

monitoring parameters (one-way jitter, two-way
jitter, latency, and frame loss):
seconds. A value 0 suspends the
monitoring task and a value
different from 0 resumes it
20 seconds
no update-interval Restores to default
test <id> DOMAIN-NAME MA- Tests connectivity:

NAME
DOMAIN-NAME: a string of <1-22>
characters
characters
no test DOMAIN-NAME MA-NAME Stops the testing
threshold-profile-id <id> Specifies CFM monitoring profile ID:

no threshold-profile-id Removes the configured profile
repeat-interval <value> Specifies CFM monitoring process repetition

interval:
no repeat-interval number Removes the configured interval
shutdown Stops the test

no shutdown Starts the test
oam cfm linktrace domain DOMAIN-NAME ma Sends a linktrace message to a specified MEP
MA-NAME mep <id> {target-mep <target- or MIP in the domain:
mep-id> | target-mip
HH:HH:HH:HH:HH:HH} [timeout <value> | DOMAIN-NAME: a string of <1-22>
ttl <value>] characters

Command Description
characters
mep <id>: the source MEP ID, in
target-mep <target-mep-id>: the
linktrace destination MEP ID, in
target-mip HH:HH:HH:HH:HH:HH: the
MAC address of the linktrace
destination MIP
timeout <value>: (optional) the
linktrace reply (LTR) timeout, in
the range of <160> seconds
2 seconds
ttl <value>: (optional) the
initial TTL field value, in the
range of <1255>
oam cfm loopback domain DOMAIN-NAME ma Sends a loopback message to a specific MEP
MA-NAME mep <id> {target-mep <target- or MIP in a specified domain:
mep-id> | target-mip
HH:HH:HH:HH:HH:HH} [timeout <value> | DOMAIN-NAME: a string of <1-22>
payload <value> | delay <value> | characters
number <value>]
characters
mep <id>: the source MEP ID, in
target-mep <target-mep-id>: the
loopback destination MEP ID, in
target-mip HH:HH:HH:HH:HH:HH: the
MAC address of the loopback
destination MIP
timeout <value>: (optional) the
loopback reply (LBR) timeout, in
the range of <160> seconds
2 seconds
payload <value>: (optional) the
loopback message PDU size, in the
range of <01462> bytes
0 bytes
delay <value>: (optional) the
delay between 2 consecutive
loopback messages, in the range
of <060> seconds
5 seconds
number <value>: (optional)
specifies the number of loopback
messages sent, in the range of
<11024>
3 messages
clear oam cfm remote-mep-table domain-name Clears a remote MEP connectivity table:
NAME ma NAME remote-mep <id>
DOMAIN-NAME: clears table for a

Command Description
domain name string, in the range
ma NAME: clears table for a MA
name string, in the range of <1-
45> characters
remote-mep <id>: clears table for
a specific MEP, in the range of
<08191>. A value of 0 clears all
remote MEPs
Table 3: CFM Display Commands

Command Description
show oam cfm Displays the current CFM configuration and

CFM status
show oam cfm connectivity [domain-name Displays connectivity statistics for all configured
DOMAIN-NAME] [ma MA-NAME] domains:
DOMAIN-NAME: displays
connectivity statistics for the
specified domain
MA-NAME: displays connectivity
statistics for the specified MA
show oam cfm connectivity [extended] Displays information extracted from the TLV of
the Port ID in CCMs:
extended: (optional) displays
additional information, as remote
device management address and
name
show oam cfm domain level <level> Displays information for MD:
show oam cfm update-interval Displays the update interval value, in seconds
show oam cfm {interface UU/SS/PP | Displays the CFM configuration per interface
interfaces}
show oam cfm test [id <id>] Displays information about performed test(s):
show oam cfm threshold-profile [id <id>] Displays information about CFM profile(s):
show oam cfm linktrace-results domain-name Displays linktrace results for a management
DOMAIN-NAME [ma MA-NAME] domain and maintenance association:
domain-name DOMAIN-NAME: a
string of <1-22> characters
ma MA-NAME: (optional) a string
1. Enable CFM:

device-name(config)#oam cfm
device-name(config-cfm)#no shutdown
2. Create a maintenance domain with a specified name d7 and level 7 and create a MA ma7 within
a specified domain:
device-name(config-cfm)#domain d1 level 1
device-name(config-domain-d7)#ma ma1 vlan 501
3. Specify the identification data sent to the remote MEPs creation policy on the specified MA:
device-name(config-ma-ma7)#sender-id-content all
device-name(config-ma-ma7)#mip-policy explicit
4. Add port 1/1/1 as MEP with an ID 10 to a specified MA and specify the CCM flow direction:
device-name(config-ma-ma1)#mep 601
device-name(config-mep-601)#bind-to 1/1/2
device-name(config-mep-601)#ccm-enabled
device-name(config-mep-601)#no shutdown
device-name(config-mep-601)#exit
device-name(config-ma-ma1)#exit
device-name(config-domain-d1)#exit
5. Create a profile with ID 4 and configure the profile priority, rate, round-trip jitter, frame loss,
and latency errors monitoring:
device-name(config-cfm)#threshold-profile 4
device-name(config-threshold-profile-4)#priority 2
device-name(config-threshold-profile-4)#rate 2
device-name(config-threshold-profile-4)#round-trip-jitter-error 100
device-name(config-threshold-profile-4)#frame-loss-error 20
device-name(config-threshold-profile-4)#no frame-loss-monitoring
device-name(config-threshold-profile-4)#round-trip-latency-error 200
device-name(config-cfm)#commit
Commit complete.
device-name(config-cfm)#end
6. Display the current CFM configuration and status:

device-name#show oam cfm
Domain: d1
Domain Name Format: string
Level: 1
Mip Policy: none
Sender ID Content: none
Maintenance association: ma1

MA Name Format: string
VLAN ID: 501
CCM Priority: 6
Hello interval (ms): 1000
Mip Policy: defer
Sender ID Content: all
Local MEPs

device-name#show oam cfm connectivity

Domain: d1
Level: 1
Maintenance association: ma1

VLAN ID: 501
Hello interval (ms): 1000
Remote MEPs discovered by local MEP 10

=================================================================
| MEP | MAC-address | Adm | Oper | Last State |RDI|
| | | State | State | Change |Bit|
|-----+-------------------+-------+-------+-----------------+---|
| 561| 00:E0:0C:11:95:02 | Up| Up | 1days 01:00:10| 0|
=================================================================
device-name#show oam cfm threshold-profile id 4

Profile ID/name: 4/none
Priority: 2; Rate: 2; Payload size: 0; Bucket size: 20;
Thresholds (value<ms>/duration<s>):
1W Jitter error: 350 1W Jitter warning: 300
2W Jitter error: 100/90 2W Jitter warning: 600/180
Latency error: 200/90 Latency warning: 1600/180
Frame loss error[disabled]: 20% Frame loss warning[disabled]: 8%

802.3ah Ethernet in the First Mile (OAM-EFM)

The IEEE 802.3ah Ethernet in the First Mile (EFM) standard specifies the protocols and Ethernet
interfaces for using Ethernet over access links as a first-mile technology and transforming it into a
highly reliable technology.
By using the Ethernet in the First Mile solution, you gain broadcast Internet access in addition to
services (such as Layer 2 transparent LAN services, Voice services over Ethernet Access networks,
Video, and multicast applications) reinforced by security and Quality of Service (QoS) control to
build a scalable network.
The in-band management specified by this standard defines the operations, administration, and
maintenance (OAM) mechanisms needed for the advanced monitoring and maintenance of
Ethernet links in the first mile. OAM capabilities facilitate network operation and troubleshooting
for both the provider and the customer networks.
Basic 802.3 packets convey OAM data between two ends of a physical link. The 802.3ah (Clause
57) provides the single-link OAM capabilities.
When enabled, two connected OAM devices exchange Protocol Data Units (OAMPDUs).
OAMPDUs are standard-size frames, including information such as the destination MAC address,
EtherType and subtype, sent at a predefined rate (a limitation necessary for reducing the impact on
the usable bandwidth).
EFM OAM is optional and can be enabled or disabled per physical port.
Figure 7: End-to-End OAM Configuration

Potential Applications
Service providers use the link layer EFM for demarcation point OAM services.
Using the Ethernet demarcation service, providers can manage remote devices (defined as passive
devices) without utilizing an IP layer. Instead, they can utilize link-layer SNMP counter request and
reply, loopback testing, and other techniques that are controlled remotely.
Installation Configurations
The following configuration shows how to manage the provider device (CPE passive device) using
the 802.3ah standard.
Figure 8: Managing Provider Devices Using the EFM 802.3ah Standard

The configuration below illustrates how to manage customer devices using EFM 802.3ah.
Figure 9: Managing Customer Devices (Passive) Using the EFM 802.3ah Standard
EFM-OAM Protocol Functionality

EFM-OAM supports the following basic functionality:
Discovery: Ability of the local Data Terminating Entity (DTE) to discover other EFM-OAM
enabled DTEs and exchange information about OAM entities, capabilities, and configuration
Link Monitoring: Process used to detect and indicate link faults to a peer
Remote Failure Detection: Used by the OAM device to convey error conditions to its peer via
a flag in the OAMPDUs
Response to MIB Variable Retrieval: Retrieves information for a management information
base
Organizing Specific Enhancements: Provides vendor-specific enhancements to the protocol
Discovery
In the first phase, EFM-OAM enabled DTEs identify other DTEs along with their OAM
capabilities using Information OAMPDUs, advertising the following information:
OAM configuration (capabilities): OAM capabilities of the local DTE. Using this
information, a peer can determine what functions are supported and accessible (for example,
loopback capability).
OAM mode: OAM mode of the DTE, also used to determine DTE functionality:
Active Mode: The DTE instigates OAM communications and issues queries and
commands to the remote device.
Passive Mode: The DTE generally waits for the peer DTE to instigate OAM
communications and then responds. The DTE does not instigate commands and queries.
For more information about the rules for active and passive mode DTEs, refer to Rules
for Active Mode and Rules for Passive Mode below.
The mode combinations are:
One active and one passive OAM DTE

Two active OAM DTEs

OAMPDU Configuration: Includes the maximum size of OAMPDUs delivered. This
information, in combination with a limited rate of ten frames per second, is used to limit the
bandwidth allocated to OAM traffic.
Platform Identity: Platform identity is a combination of an Organization Unique Identifier
(OUI), the first three bytes of the MAC address, and 32-bits of vendor-specific information.
IEEE controls OUI allocation.
Once OAM support is detected and OAM expectations are met, both ends of the link exchange
the above information and enable OAM on the link. However, the link loss or failure to receive
OAMPDUs for a predefined interval causes the discovery process to start again.
Timers
Two configurable timers control the protocol:
Hello Timer: Determines the rate at which OAMPDUs are sent
Keep-Alive Timer: Determines the time interval during which OAMPDUs are expected from
the peer
An additional one-second, non-configurable timer is used for error aggregation. This timer is
necessary for the Link Monitoring Process to generate link quality events.
Flags
Each OAMPDU includes a Flags field that describes the discovery process status. There are three
possible status values:
Discovering: Discovery is in progress
Stable: Discovery is complete. The remote device can start sending any type of OAMPDU.
Unsatisfied: Mismatches in OAM configuration prevented OAM from completing the
discovery process
Process Overview
The discovery process allows a local Data Terminating Entity (DTE) to detect OAM on a remote
DTE. Once OAM support is detected, both ends of the link exchange state and configuration
information (such as mode, PDU size, loopback support, etc.). If both DTEs are satisfied with the
settings, OAM is enabled on the link. However, link loss or failure to receive OAMPDUs during
the defined, keep alive time interval (for example, 5 seconds) may cause the discovery process to
restart.
DTEs may either be in active or passive mode:
Active mode DTEs instigate OAM communications and can issue queries and commands to a
remote device.
Passive mode DTEs generally wait for the peer device to instigate OAM communications and
respond to, but do not instigate, commands and queries.
Rules of what DTEs in active or passive mode can do are discussed in the following sections.
Rules for Active Mode

The Active mode DTE:

Initiates the OAM Discovery process
Sends Information PDUs
Sends Event Notification PDUs
Sends Variable Request/Response PDUs
Sends Loopback Control PDUs
Responds to Variable Request PDUs (does not respond to Variable Request PDUs from devices
in Passive mode)
Reacts to Loopback Control (does not react to Loopback Control PDUs from devices in Passive
mode)
Rules for Passive Mode

The Passive mode DTE:
Waits for the remote device to initiate the Discovery process
Sends Information PDUs
Sends Event Notification PDUs
Responds to Variable Request PDUs
Reacts to received Loopback Control PDUs
Cannot send Variable Request or Loopback Control OAMPDUs
Link Monitoring Process

The Link Monitoring process is used to detect occurrences where defined thresholds are crossed
and send an Event Notification OAMPDU to notify the remote device.
Events detected by the Link Monitoring process:
Errored Symbol per second: The number of coding symbol errors, such as a violoation of
4B/5B coding, occurring during a specific period exceeds the defined threshold.
Errored Frame per second: The number of frame errors detected during a specific period
exceeds the defined threshold. Errored frames in case of Undersized frames, Fragments with
FCS errors, Oversized frames, Jabber frames, or packets with CRC errors.
802.3ah OAM does not guarantee delivery of OAMPDUs. As a result, to reduce the probability of
losing a notification, the Event Notification OAMPDU can be sent multiple times. The Event
Notification OAMPDU has a sequence number so that duplicate events can be recognized. .
The Link Monitoring process operates on all enabled EFM OAM links.
Remote Failure Indication

Ethernet faults, caused by slow deterioration of quality, are more difficult to detect than a
completely disconnected link. A flat in the OAMPDU allows an OAM entity to send failure
conditions to its peer. Failure conditions are defined as follows:
Link Fault: Link Fault condition is detected when the receiver loses the signal. This condition
is sent once per second in the Information OAMPDU.

Dying Gasp: Detected when the receiver goes down. The Dying Gasp condition is considered
as unrecoverable. Conditions for dying gasp:
Management of the reload command
Device power down (incidental / deliberate)
Critical Event: When a critical event occurs, the device is unavailable, resulting from a
malfunction, and must be restarted by you. Critical events can be sent immediately and
continually. Conditions for critical events:
Fatal error mess any task on the device (suspend)
When a link receives no signal from its peer at the physical layer (for example, if the laser
is malfunctioning), the local entity sets this flag to let the peer know that the transmit path
is inoperable.
Since these conditions are severe, OAMPDUs updated with these flags are not subject to normal
rate limiting policy.
Storm Loopback
Employs hardware-created frames at wire-speed to test the link under extreme, high-load
conditions. Upon return from the remote peer, hardware-created frames are discarded on the active
device. Storm Loopback tests and displays counters for both the local and remote peer.
CAUTION
Starting EFM-OAM loopback on a xSTP Ring topology with traffic forwarding
enabled, can cause serious problems.

EFM-OAM Configuration Flow
Figure 10: EFM-OAM Configuration Flow

EFM-OAM Commands
Command Hierarchy
device-name#
+ config terminal
+ [no] oam
+ [no] efm
+ [no] shutdown
- [no] event-config UU/SS/PP
- [no] critical-event-enable
- [no] dying-gasp-enable
- [no] error-frame-event-notification-enable
- [no] error-frame-threshold <framethreshold>
- [no] error-frame-window <value>
- [no] error-symbol-period-event-notification-enable
- [no] error-symbol-period-threshold <period
threshold>
- [no] error-symbol-period-window <value>
- [no] hello-interval <value>
- [no] history-limit <value>
- [no] keep-alive-interval <value>
- [no] log-events
- [no] multiple-pdu-count <pdu-count>
- [no] priority <priority-level>
- [no] remote-event
- oam efm ping port UU/SS/PP [delay-time <value> | echo-number
<value> | timeout <value>]
- oam efm loopback port UU/SS/PP storm [count <value> | delay-time
<value> | packet-size <value> | timeout <value>]
+ port UU/SS/PP
- [no] efm mode [basic | enhanced]
- [no] efm accept-loopback-commands
- [no] efm event-forward-status UU/SS/PP
- [no] efm event-forward-shutdown UU/SS/PP
- [no] efm event-return-shutdown <number-of-attempts>
- [no] efm role [active | passive]
- [no] efm shutdown
- show oam efm [details]
- show oam efm event-log

- show oam efm peer

- show oam efm statistics
- show port UU/SS/PP efm statistics
Table 4: EFM Configuration Commands
Command Description

no oam Removes OAM configurations
efm Enters EFM Protocol Configuration mode
no efm Restores to default the configuration set in
OAM-EFM Configuration mode. The command
does not affect configurations made per port,
that is, in EFM Interface Configuration mode.
shutdown Disables EFM
no shutdown
Enables EFM. By default, EFM is enabled on

the device
event-config To configure thresholds and manage event
notifications, accesses Event Configuration
Mode for a specific interface:
UU/SS/PP: 1/1/1-1/1/4, 1/2/1-
1/2/8
no event-config Removes configured thresholds and event
notifications for all interfaces
critical-event-enable Enables the local OAM entity to send critical
events notifications to its OAM peer
no critical-event-enable Disables sending critical events notifications
dying-gasp-enable Enables the local OAM entity to send dying
gasps notifications to its OAM peer
no dying-gasp-enable Disables sending dying gasps notifications
error-frame-event-notification- Enables the OAM entity to send an event
enable notification OAMPDU whenever an Errored
Frame Event occurs
Enabled
no error-frame-event- Disables sending event notifications
notification-enable
error-frame-threshold <frame Specifies the Errored Frame Event threshold.

threshold> Threshold used for frame error testing and
reporting on a specific interface. Provided the
error-frame-event-notification-enable
option has been configured, once the threshold
is reached, the device generates an Errored
Frame Event message that is sent to the

Command Description
remote peer. The message is written both to the
system log and to the feature history.
Additionally, the event counters are updated.
framethreshold: the valid range
is <1-1488000>
256
no error-frame-threshold Restores to default.
error-frame-window value> Monitoring interval for frame errors, in seconds:

20
no error-frame-window Restores to default
error-symbol-period-event- Enables the OAM entity to send an event
notification-enable notification OAMPDU whenever an error
symbol period event occurs
no error-symbol-period-event- Restores to default
notification-enable
error-symbol-period-threshold Specifies the symbol errors threshold within a

<periodthreshold> given window. Once the threshold is reached, a
notification is triggered if the error-symbol-
period-event-notification-enable
option has been configured.
periodthreshold: the valid range
is <1-1488000>
256
no error-symbol-period- Restores to default
threshold
error-symbol-period-window Monitoring interval for symbol errors, in

<value> seconds:
seconds
20 seconds
no error-symbol-period-window Restores to default
hello-interval <value> Specifies the hello interval.

The hello interval is the time interval between
two PDUs, expressed in milliseconds. This
mechanism is used to inform the neighboring
device that the local device is operative. When
the local device receives no PDU within the
defined keep-alive interval, the neighboring
device is considered inoperative.
value: the valid range is <100-
5000> milliseconds
1000 milliseconds
NOTE

Command Description
The standard hello interval is 1000

milliseconds. However, to reduce
overload, in some cases, it is possible
to set the range to up to 5000
milliseconds even though doing so
violates the standard.
NOTE
The keep-alive interval (keep-
alive-interval) must be twice as
long as the hello-interval.
history-limit <value> Specifies the maximum number of entries in the

efm-oam history log:
10000>
5000
no history-limit Restores to default.
keep-alive-interval <value> Specifies keep-alive interval.

The keep-alive interval is the aging interval for
the neighboring device that last sent packets. If
the neighboring device does not send a PDU
within the defined keep-alive interval, it is
considered inoperative.
15000> milliseconds
5000 milliseconds
no keep-alive-interval Restores to default
log-events Enables sending threshold notification
messages to the local system log
no log-events Disables sending threshold notification
messages to the local system log
multiple-pdu-count <pdu-count> Specifies number of identical PDUs to send
when local event occurs:
pdu-count: the valid range is <1-
10>
5
no multiple-pdu-count Restores to default
priority <priority-level> Specifies EFM-OAM PDU priority. Priority is

effective only if the port is a tagged member of
the default VLAN.
priority-level: the valid range
is <0-7> (The highest the number,
the highest the priority)
0

Command Description
remote-event Enables sending local event notifications to the

remote peer
no remote-event Disables sending local event notifications to the
remote peer
oam efm ping port UU/SS/PP [delay-time Pings an EFM port:
<value> | echo-number <value> |
timeout <value>] UU/SS/PP: 1/1/1-1/1/4, 1/2/1-
1/2/8
delay-time <value>: (optional)
the delay between packets, in the
range of <0600> seconds
echo-number <value>: the number
of echo packets sent, in the
range of <110>
timeout <value>: the timeout for
receiving a response, in the
range of <1600> seconds
oam efm loopback port UU/SS/PP storm Enables the EFM-OAM monitoring on a port, by
[count <value> | delay-time <value> | setting the remote device into a loopback mode
packet-size <value> | timeout <value>] and generating test traffic:
UU/SS/PP: 1/1/1-1/1/4, 1/2/1-
1/2/8
storm: sets the remote peer port
into a loopback mode, stops the
local data flow to this port, and
the local CPU generates a packet
burst. When the remote peer sends
the burst back, the local device
validates it and displays the
burst statistics.
count <value>: (Optional)
specifies the number of packets
sent in the Storm loopback, in
the range of <12147483646>.
100 packets
delay-time <value>: (Optional)
specifies the delay between
packets, in the range of <1600>
seconds
there is no delay
packet-size <value>: (Optional)
specifies the test-packets size,
in the range of <641512> bytes
64 bytes
timeout <value>: (Optional) the
reply timeout, in the range of
<1600> seconds
2 seconds
duration <value>: (optional)
specifies the burst loopback
duration, in the range of <1600>
seconds

Command Description
10 seconds
port UU/SS/PP Accesses Interface Configuration Mode for the
specified port:
UU/SS/PP: 1/1/1-1/1/4, 1/2/1-
1/2/8
efm accept-loopback-commands Enables the processing of OAM loopback
control PDUs from peers
Disabled
no efm accept-loopback-commands Restores to default
efm mode [basic | enhanced] Enables/disables the organization-specific
EFM-OAM enhancements on a specific
interface or interface range. Depending on the
required variable used, this command specifies
one of the following two alternative EFM
modes:
Basic: Does not employ organization-
specific extensions
Enhanced: Allows definition and retrieval
of all SNMP variables on the remote
device.
If the remote device is not an organization
device, Basic mode is used, even when
Enhanced mode is configured; configure both
devices with Enhanced mode for the devices to
exchange their hostname.
basic: enables Basic mode
enhanced: enables Enhanced mode
Enhanced
no efm mode Returns the default EFM mode configuration
efm event-forward-status UU/SS/PP Enables sending a Link Event Notification from

a target port to its EFM peer whenever the link
status changes on the source port:
UU/SS/PP: the target port in the
range of 1/1/1-1/1/4, 1/2/1-1/2/8
no efm event-forward-status Disable sending a Link Event Notification
efm event-forward-shutdown UU/SS/PP Enables shutting down a target port whenever

the link status changes on the source port.
In order to restore the UP state of the target
port, previously disabled by the efm event-
forward-shutdown command, perform the
following procedure:
Step 1. Disable the target port by the shutdown

command.
Step 2. Enable the target port by the no shutdown
command.
UU/SS/PP: the target port in the

range of 1/1/1-1/1/4, 1/2/1-1/2/8

Command Description
no efm event-forward-shutdown Disables shutting down a target port
efm event-return-shutdown <number- Enables the Event Return feature. This feature
of-attempts> determines the number of discovery attempts
prior to administratively shutting down the port.
number-of-attempts: number of
discovery attempts before
shutting down the port; the valid
range is <010> (0 disables the
feature)
0
no efm event-return-shutdown Disables shutting down a target interface
efm role [active | passive] Enables EFM-OAM on a specific interface and
specifies one of the following two alternative
modes:
Active: Device sends Hello packets over
this interface to initiate EFM-OAM
discovery process.
Passive: Device cannot use this interface
to initiate EFM-OAM discovery process.
The valid mode combinations are either
one active and one passive OAM interface
two active OAM interfaces
When both peer interfaces are in Passive
mode, Remote Status information is not
updated and might be inaccurate.
active: specifies the devices
role as Active for uplinks and
user interfaces.
passive: enables Enhanced mode.
passive
no efm role Restores to default
efm shutdown Disables the EFM-OAM protocol for the
configured interface. Though disabled, the
EFM-OAM configuration for the interface is
preserved and can be restored with the no efm
shutdown command.
no efm shutdown Enables the EFM-OAM protocol for the
configured interface. This command restores
the EFM-OAM configuration, previously
disabled with the efm shutdown command, for
the interface.
Table 5: EFM Display Commands

Command Description
show oam efm [details] Displays the current EFM configuration and
EFM status:
details: displays EFM details

Command Description
show oam efm event-log Displays the EFM-OAM event log

show oam efm peer Displays the EFM-OAM peer
show oam efm statistics Displays local and remote counters and all
EFM-OAM statistics for all interfaces
show port UU/SS/PP efm statistics Displays EFM-OAM statistics for a specific
interface:
UU/SS/PP: 1/1/1-1/1/4, 1/2/1-
1/2/8
Table 6: Log messages employed by the EFM-OAM protocol

Message Severity Description
EFM-OAM-Remote- Error An event generated on interface UU/SS/PP.

CriticalEvent
NOTE
This error requires special
attention
EFM-OAM-Remote- Error A Dying Gasp event generated on interface
DyingGasp UU/SS/PP.
EFM-OAM-Remote- Warning A fault event generated on interface UU/SS/PP.
LinkFault
EFM-OAM-Remote- Notification An organization specific event generated on
SpecificEvent interface UU/SS/PP.
EFM-OAM-Remote- Warning The PDU quantity exceeded the allowed rate on
RateExceeded interface UU/SS/PP.
EFM-OAM-Remote- Warning Port UU/SS/PP:
Errored-Symbol-Event Remote, Errored Frame, Symbol Period,
Event Received
Date: Thu Jan 1 01:09:57 2009
Window: 45.1 seconds
Threshold: 10
Errors: 15
Total Errors: 32654
Total Events: 5943
Errored-Frame-Event Remote, Errored Frame, Frame Event
Received
Date: Thu Jan 1 01:09:57 2009
Window: 45.1 sec
Threshold: 10
Errors: 15
Total Errors: 32654
Total Events: 5943


Errored-Period-Event Remote, Errored Frame, Period Event
Received
Date: Thu Jan 1 01:09:57 2009
Window: 45.1 seconds
Threshold: 10
Errors: 15
Total Errors: 32654
Total Events: 5943
Errored-Seconds-Event Remote, Errored Frame, Seconds Event
Received
Date: Thu Jan 1 01:09:57 2009
Window: 45.1 sec
Threshold: 10
Errors: 15
Total Errors: 32654
Total Events: 5943
EFM-OAM-Local- Fatal EFM-OAM detected a local Dying Gasp event.
DyingGasp
EFM-OAM-Local-LinkFault Error Link Fault occurred on the local device, on
interface UU/SS/PP.
EFM-OAM-Local-Errored- Warning Port UU/SS/PPLocal Errored Frame Symbol
Symbol-Event Period Event sent:
Date: Thu Jan 1 01:09:57 2009
Window: 45 seconds
Threshold: 10
Errors: 15
Total Errors: 32654
Total Events: 5943
EFM-OAM-Local-Errored- Warning Port UU/SS/PPLocal Errored Frame Frame
Frame-Event Event sent:
Date: Thu Jan 1 01:09:57 2009
Window: 45 sec
Threshold: 10
Errors: 15
Total Errors: 32654
Total Events: 5943

EFM-OAM-Remote- Warning Port UU/SS/PPLocal Errored Frame Seconds

Errored-Seconds-Event Event sent:
Date: Thu Jan 1 01:09:57 2009
Window: 45 sec
Threshold: 10
Errors: 15
Total Errors: 32654
Total Events: 5943
The following example demonstrates how to configure an Ethernet network using the EFM-OAM
protocol.
Figure 11: Example Configuring of Two Devices using EFM-OAM
Configuring Device1:
1. Verify if the EFM-OAM protocol is enabled on the device (default):
Device1#show oam efm
===========================================================================
EFM-OAM
===========================================================================
Administrative Status : Enabled
Local MAC : 00:a0:12:27:0d:e1
History Count : 0
Hello Interval : 1000 milliseconds

Keep-alive Interval : 5000 milliseconds

Remote Event : True
Log Events : True
Packets Counter : Sent = 0, Received = 0
===========================================================================
2. Access EFM Configuration Mode:

Device1#configure terminal
Device1(config)#oam
Device1(config)#efm
Device1(config-efm)#
3. Specify the number of OAMPDUs:

Device1(config-efm)#multiple-pdu-count 3
4. Enable sending local event notifications to the remote device:

Device1(config-efm)#remote-event
5. Define OAMPDU priority:

Device1(config-efm)#priority 3
6. Define the aging interval in seconds for the neighboring device that last sent packets:
Device1(config-efm)#keep-alive-interval 3000
Device1(config-efm)#exit
Device1(config-oam)#exit
7. Enable EFM-OAM on the specified interface and set its mode to active:
Device1(config-port-1/1/1)#efm role active
Configuring Device2:
1. Verify if the EFM-OAM protocol is enabled on the device (default):
2. Access EFM Configuration Mode:
3. Specify the number of OAMPDUs:
Device2(config-efm)#multiple-pdu-count 3
4. Enable sending local event notifications to the remote device:

Device2(config-efm)#remote-event
5. Define OAMPDU priority:

Device2(config-efm)#priority 3
6. Define the aging interval in seconds for the neighboring device that last sent packets:
Device2(config-efm)#keep-alive-interval 3000
Device2(config-efm)#exit
Device2(config-oam)#exit
Device2(config)#
7. Enable EFM-OAM on the specified interface and set its mode to active:

Device2(config-port-1/1/1)#efm role active
Device2(config-port-1/1/1)#
Displaying Interface Statistics on Device1:

Device1#show port 1/1/1 efm statistics
===============================================================================
EFM-OAM Statistics
===============================================================================
Port 1/1/1
Counter Name Counter Value
-------------------------------------------------------------------------------
information-tx 73
information-rx 60
unique-event-notification-tx 0
unique-event-notification-rx 0
duplicate-event-notification-tx 0
duplicate-event-notification-rx 0
loopback-control-tx 0
loopback-control-rx 0
variable-request-tx 0
variable-request-rx 5
variable-response-tx 5
variable-response-rx 0
organization-specific-tx 2
organization-specific-rx 2
unsupported-codes-tx 0
unsupported-codes-rx 0
frames-lost-due-to-oam 0
===============================================================================
Displaying EFM details on Device1:

Device1#show oam efm details
===============================================================================
EFM-OAM Details
===============================================================================
Port 1/1/1
-------------------------------------------------------------------------------
Local Role : Passive
Local Status : Unknown
Remote Port : N/A
Remote Mac : 00:00:00:00:00:00
Remote Role : Unknown
Remote Status : Unknown
Remote Hostname : Unknown
-------------------------------------------------------------------------------
Port 1/1/2
-------------------------------------------------------------------------------
Local Role : Passive
Local Status : LinkFault

Remote Port : N/A

Remote Mac : 00:00:00:00:00:00
Remote Role : Unknown
Remote Status : Unknown
Remote Hostname : Unknown
-------------------------------------------------------------------------------
Port 1/1/3
-------------------------------------------------------------------------------
Local Role : Active
Local Status : Stable
Remote Port : 1/2/1
Remote Mac : 00:a0:12:9a:1d:ad
Remote Role : Active
Remote Status : Stable
Remote Hostname : device-name
-------------------------------------------------------------------------------

ITU-T G.8032v2 Ring Automatic Protection

Switching (R-APS)
G.8032, Ring Automatic Protection Switching (R-APS), creates a fault tolerant ring topology by
configuring a primary and secondary path for each VLAN. Upon failure of the primary path traffic
is forwarded via the secondary path.
NOTE
Each Sub-ring instance and main R-APS instance must be configured with
identical CFM level. The sub-ring instance inherits the monitored VLAN from
the main R-APS instance.
The sub-ring instance has only one port.
You can connect up to 10 sub-ring instances to each main R-APS instance.
To minimize management overhead, R-APS utilizes existing CFM-OAM CCMs. These CCMs can
be used also for CFM-OAM but not for customer traffic.
NOTE
You must disable xSTP protocols on all the ports in the ring to use this feature.
R-APS Mechanism
Definitions
Ring Protection Link: one ring link is configured as the Ring Protection Link (RPL). To
prevent loops, this link is disabled under normal conditions. The RPL is disabled as long as the
primary path is active.
RPL Owner: A node adjacent to the RPL responsible for blocking its end of the ring under
normal conditions (when the ring is established and no requests are present in the ring). The
RPL Owner is also responsible for reverting the ring from the protected path to the primary.
RPL Neighbor: A node adjacent to the RPL that is responsible for blocking its end of the
ring under normal conditions like the RPL Owner. However, this node is not responsible for
reverting the ring.
Simple Node: all other nodes that participate only in the R-APS ring.
Ring Protection
A dedicated maintenance association (MA) is configured as the ring protection.
The R-APS ring uses a dedicated VLAN for Continuity Check Message (CCM) and Automatic
Protection Switching (APS) communication within this MA.
Each device in the MA must be configured with two Maintenance Association End Point (MEP)s,
both MEPs must be assigned to the dedicated VLAN.

Operation
Upon a failure detection, a signal-fail status bit is enabled in the APS messages sent
throughout the ring. Upon receipt of an APS signal-fail message, the RPL Owner sends a
switchover command to all the devices in the ring and enables RPL. Traffic is now sent via the
secondary path.
Figure 12: Network with two R-APS Instances (Traffic flowing in different directions)
Behavior of the system following recovery of the primary path is configurable. There are two
options:
Revertive Operation: When the primary path recovers, traffic is switched over to the primary
path and the RPL is blocked again. This mode is used in scenarios in which the primary path is
an optimized path, at the expense of an additional traffic interruption for switching back to this
path.
Non-Revertive Operation: Traffic continues to use the RPL, even when the primary path
recovers. This mode is used when there is no advantage in reverting to the primary path and
avoids a second traffic interruption.
Timing Configuration
The following configurable timers control aspects of R-APS behavior:
Guard Timer: To reduce the possibility of receiving outdated R-APS packets, R-APS packets
are blocked for a specified length of time after receiving a signal failure or clear message.
Wait-to-Restore Timer: Used in Revertive Mode, the Wait-To_Restore Timer defines the
length of time to wait after recovery of the primary path before reverting traffic. This timer
prevents flapping in case of frequent failures.
Hold-Off Timer: The amount of time to wait while attempting fault recovery before
declaring a signal-fail condition. This timer prevents flapping in case of short failures.
NOTE
Configuring timer values is optional. If not configured, the default values are
used.

R-APS Configuration Flow
Figure 13: R-APS Configuration Flow

R-APS Commands over Ethernet

Commands Hierarchies
device-name#
+ config-terminal
+ ethernet
+ [no] ring-aps
+ [no] instance <value>
- cfm-domain-level <value>
- control-vlan <vlan-id>
- disable-virtual-channel
- [no] guard-timer <value>
- [no] hold-off-timer <value>
+ [no] lag <id>
- [no] lag-id agN
- [no] mep <value>
- [no] rpl-port
- [no] monitoring-method {ccm | link-status}
- [no] mode {version1 | version2}
- [no] monitor-vlan <vlan-range>
+ [no] port <id>
- [no] mep <value>
- [no] port-id UU/SS/PP
- [no] rpl-port
- [no] monitoring-method {ccm | link-status}
- [no] revertive-mode
- [no] ring-id <id>
- [no] role {rpl-neighbor | rpl-owner | simple-node}
- [no] shutdown
+ [no] subring <id>
- [no] control-vlan
- [no] guard-timer <value>
- [no] hold-off-timer <value>
- [no] propagate-topology-changes
- [no] revertive-mode
- [no] ring-id <id>

- [no] role {rpl-neighbor | rpl-owner | simple-

node}
- [no] shutdown
- [no] subring-lag agN
- [no] mep <value>
- [no] rpl-port
- [no] monitoring-method {ccm | link-
status}
- [no] subring-port UU/SS/PP
- [no] mep <value>
- [no] rpl-port
- [no] monitoring-method {ccm | link-
status}
- [no] virtual-channel-vlan
- [no] wait-to-restore-timer <value>
- [no] wait-to-restore-timer <value>
- ethernet ring-aps instance <value> clear
- ethernet ring-aps instance <value> port <id> manual-switch
- ethernet ring-aps instance <value> port <id> forced-switch
- ethernet ring-aps instance <value> lag <id> manual-switch
- ethernet ring-aps instance <value> lag <id> forced-switch
- ethernet ring-aps instance <value> subring <id> clear
- ethernet ring-aps instance <value> subring <id> manual-switch
- ethernet ring-aps instance <value> subring <id> forced-switch
- show ethernet ring-aps [detailed [instance <value> [subring <value>]]]
- show running-config ethernet ring-aps
Table 7: R-APS Commands over Ethernet
Command Description

ring-aps Enters Ring Automatic Protection Switching (R-
APS) Configuration mode
no ring-aps Removes R-APS configuration
instance <value> Specifies an R-APS instance and enters R-APS
Configuration mode:
no instance [<value>] Removes R-APS instances:
<1-10>

Command Description
cfm-domain-level <value> Specifies a CFM domain, identified by the

domain level:
The domain's levels are:
Operators Maintenance Association (MA)
levels: 02
Providers MA levels: 34
Customers MA levels: 57
description DESCRIPTION Specifies the R-APS instance ring description:
DESCRIPTION: string of up to 256
characters
control-vlan <vlan-id> Specifies a control VLAN used for the CCM
traffic. You should not direct any other traffic
through this VLAN.
disable-virtual-channel Enables sending R-APS packets through the
blocked ports and ensuring that R-APS packets
reach all nodes in the ring. Otherwise, the ring
becomes segmented because R-APS packets
cannot reach all nodes in the ring.
no disable-virtual-channel Disables sending R-APS packets through the
blocked ports
Virtual channel is in used
guard-timer <value> Specifies the length of time to block R-APS
packets after receiving a signal-failure or clear
message.
NOTE
Configure this timer to a value
bigger than the maximum delay
an R-APS packet can have in
order to traverse the entire ring.
milliseconds, in increments of 10
milliseconds
500 milliseconds
no guard-timer Restores to default
hold-off-timer <value> Specifies the length of time needed to attempt
fault recovery before declaring a signal-fail
condition:
milliseconds
0 milliseconds
no hold-off-timer Restores to default

Command Description
lag <id> Specifies a Link Aggregation Group (LAG) that

participates in R-APS and enters the R-APS
LAG Configuration mode. The configured LAG
generates signal-failure messages towards the
R-APS Owner in case of a connectivity failure.
id: R-APS LAG ID in the range of
<0-1>
no lag [<id>] Removes the configured LAG:
id: (optional) R-APS LAG ID in the
range of <0-1>
lag-id agN Selects a static LAG that is previously created
(see Physical Ports and Logical Interfaces
chapter of the current User Guide):
<1-14>
no lag-id [agN] Restores to default:
agN: (optional) deselects the
specific LAG
mep <value> Specifies the MEP ID for LAG monitoring:
no mep [<value>] Removes the configured MEP ID
rpl-port Configures the selected LAG as Ring Protection
Link (RPL).
Valid only for the RPL Owner or RPL Neighbor.
You can designate only one LAG as RPL.
no rpl-port Removes the RPL role from the LAG
monitoring-method {ccm | Specifies a method used to detect ring link
link-status} failure and node failure:
ccm: status of the link connection
is derived from CCMs
link-status: monitors the status
of the port facing a device that
does not support R-APS
ccm
no monitoring-method Restores to default
mode {version1 | version2} Specifies the version of G.8032 standard used:
version1: G.8032v1 (compatibility) mode
only
version2: G.8032v2 (this version supports
revertive mode)
version2
monitor-vlan <vlan-range> Selects a list of customer VLANs monitored by
R-APS:
vlan-range: VLANs should be
defined with space. VLAN IDs are
in the range of <14094>.

Command Description
no monitor-vlan [<vlan-range>] Removes the specified VLAN ranges:

vlan-range: (optional) VLANs
should be defined with space.
port <id> Specifies a port that participates in R-APS and
enters the R-APS Port Configuration mode. The
configured port generates signal-failure
messages towards the R-APS Owner in case of
a connectivity failure.
id: R-APS port ID in the range of
<0-1>
no port [<id>] Removes the configured port:
id: (optional) R-APS port ID in
the range of <0-1>
mep <value> Specifies the MED ID for port monitoring:
no mep [<value>] Removes the configured MEP ID
port-id UU/SS/PP Selects a port:
UU/SS/PP: 1/1/1-1/1/4, 1/2/1-1/2/8
No ports are selected
no port-id [UU/SS/PP] Restores to default:
1/2/1-1/2/8
rpl-port Specifies the selected port as a Ring Protection
Link (RPL).
You can designate only one port as RPL.
no rpl-port Removes the RPL role from the port
ccm
revertive-mode Specifies whether the R-APS should revert to
the primary path after recovering from a failure
no revertive-mode Configure a non-revertive R-APS
ring-id <id> Specifies the Ring ID used to separate rings.
The Ring ID is reflected in the multicast
destination MAC, used for sending R-APS
packets (01-19-A7-00-00-[Ring ID]).
1

Command Description
no-ring-id [<id>] Restores to default

role {rpl-neighbor | rpl-owner Specifies the role of the device within the R-APS
| simple-node} ring:
rpl-neighbor: devices role (see
RAPS Mechanism)
rpl-owner: devices role (see RAPS
Mechanism)
simple-node: devices role (see
RAPS Mechanism)
simple node
no role [rpl-neighbor | rpl- Restores to default:
owner | simple-node]
rpl-neighbor: optional
rpl-owner: optional
simple-node: optional
shutdown Disables the configured R-APS instance. A
disabled instance does not send R-APS packets
and does not respond to R-APS packets
received
no shutdown Enables an R-APS instance
subring <id> Specifies an R-APS Subring Instance ID and
enters R-APS Subring Configuration mode:
no subring [<id>] Removes subring instances:
id: (optional) in the range of <1-
10>
guard-timer <value> Specifies the amount of time to block R-APS
packets after receiving a signal-failure or clear
message. The timer value has to be bigger than
the maximum delay of an R-APS packet in order
to traverse the entire sunring.
milliseconds
500 milliseconds
no guard-timer Restores to default
hold-off-timer <value> Specifies the length of time needed to attempt
recovery from a fault before declaring a signal-
fail condition:
milliseconds
0 milliseconds
no hold-off-timer Restores to default
propagate-topology-changes Propagates flushing to the main ring when a
topology change notification happens in the
subring

Command Description
no propagate-topology- Disable propagation

changes
revertive-mode Specifies whether the R-APS subring should

revert to the primary path after recovering from a
failure
no revertive-mode Configure a non-revertive R-APS
ring-id <id> Specifies the Ring ID used to separate rings.
The Ring ID is reflected in the multicast
destination MAC used to send R-APS packets
(01-19-A7-00-00-[Ring ID]).
1
no-ring-id [<id>] Restores to default
role {rpl-neighbor | rpl- Specifies the role of the device within the R-APS
owner | simple-node} subring:
rpl-neighbor: devices role (see
RAPS Mechanism)
rpl-owner: devices role (see RAPS
Mechanism)
simple-node: devices role (see
RAPS Mechanism)
simple node
no role [rpl-neighbor | Restores to default:
rpl-owner | simple-node]
rpl-neighbor: optional
rpl-owner: optional
simple-node: optional
shutdown Disables the configured R-APS subring instance.
no shutdown Enables an R-APS subring instance
subring-lag agN Specifies a Link Aggregation Group (LAG)
participating in R-APS and enters R-APS
Subring LAG Configuration mode. The
configured LAG generates and sends signal-
failure messages to the R-APS Owner in case of
a connectivity failure.
<1-14>
no subring-lag agN Removes the configured LAG:
<1-14>
mep Specifies the MEP ID of the neighboring device:
no mep Removes the configured MEP ID.

Command Description
rpl-port Specifies the selected LAG as Ring Protection

Link (RPL).
You can designate only one LAG as RPL.
no rpl-port Removes the RPL role from the LAG
ccm
subring-port UU/SS/PP Selects a port to participate in R-APS and enters
R-APS Subring Port Configuration mode. The
ports generate and send signal-failure messages
to the R-APS Owner in case of a connectivity
failure.
UU/SS/PP: 1/1/1-1/1/4, 1/2/1-1/2/8
No ports are selected
no subring-port [UU/SS/PP] Restores to default:
UU/SS/PP: (optional) removes only
the specified port from the R-APS
subring
mep Specifies the MED ID of the neighboring device:
no mep Removes the configured MEP ID
rpl-port Specifies the selected port as Ring Protection
Link (RPL).
You can designate only one port as RPL.
no rpl-port Removes the RPL role from the port
ccm

Command Description
virtual-channel-vlan <vlan- Uses the R-APS virtual channel over the main
id> ring.
In order to transmit RAPS packets from one
interconnection node to other, the R-APS
packets of the subring are encapsulated with
virtual channel VLAN tag in order to be
forwarded through the main ring. The R-APS
packets reach the other interconnection node
where the virtual channel VLAN tag is stripped
and the packets are transmitted in the subring
with the control VLAN tag.
no virtual-channel-vlan Removes the configured virtual channel:
[<vlan-id>]
of <14094>
wait-to-restore-timer Specifies the length of time to wait after recovery
<value> before reverting to the primary path:
minutes
5 minutes
no wait-to-restore-timer Restores to default
ethernet ring-aps instance <value> clear Triggers a revertive behavior, in case revertive
mode is not used or in case the wait-to-restore
timer is active
ethernet ring-aps instance <value> port Enables the manual switch option for R-APS
<id> manual-switch ring.
In the absence of a failure, block one of the ring
ports in a ring node to perform maintenance on
that link.
(The command is reverted by the clear
command.)
<0-1>
ethernet ring-aps instance <value> port Enables the forced switch option for R-APS ring.
<id> forced-switch
that link.
command.)
<0-1>

Command Description
ethernet ring-aps instance <value> lag Enables the manual switch option for an R-APS
<id> manual-switch ring (for more information refer to ITU-T
Recommendation G.8032/Y.1344 version 2)
LAGs in a ring node to perform maintenance on
that link.
command.)
<0-1>
ethernet ring-aps instance <value> lag Enables the forced switch option for an R-APS
<id> forced-switch ring (for more information refer to ITU-T
Recommendation G.8032/Y.1344 version 2)
LAGs in a ring node to perform maintenance on
that link.
command.)
<0-1>
ethernet ring-aps instance <value> subring Triggers revertive behavior, in case revertive
<id> clear mode is not used or in case the wait-to-restore
timer is active in sub ring.
ethernet ring-aps instance <value> subring Enables the manual switch option for R-APS
<id> manual-switch subring.
that link.
command.)
ethernet ring-aps instance <value> subring Enables the forced switch option for R-APS
<id> forced-switch subring.
that link.
command.)
show ethernet ring-aps [detailed [instance Displays detailed R-APS status information,
<value> [subring <value>]]] filtered by the commands arguments
show running-config ethernet ring-aps Displays R-APS configuration.

RAPS Configuration Example over Ethernet

1. Enable R-APS:
device-name(config-ethernet)#ring-aps
2. Specify an instance to configure (instance 1):

device-name(config-ring-aps)#instance 1
3. Specify the CFM domain level for this instance (level 1):
device-name(config-instance-1)#cfm-domain-level 1
4. Specify the control VLAN ID for this instance (10):

device-name(config-instance-1)#control-vlan 10
5. Specify the monitored VLAN ID. You can configure single VLAN, several VLAN or range of
VLAN:
device-name(config-instance-1)#monitor-vlan 23
device-name(config-instance-1)#exit
6. Specify the role of the device (simple-node configured):

device-name(config-instance-1)#role simple-node
7. Configure the hold-off timer value (50 milliseconds configured):

device-name(config-instance-1)#hold-off-timer 50
8. Configure the wait-torestore timer (3 minutes configured):

device-name(config-instance-1)#wait-to-restore-timer 3
9. Configure the guard timer value (30 milliseconds configured):

device-name(config-instance-1)#guard-timer 30
10. Specify the ring-ID that the instance belongs to (100 configured):
device-name(config-instance-1)#ring-id 100
11. Enable the virtual channel:

device-name(config-instance-1)#no disable-virtual-channel
12. Configure Port 0 as a port (configured as port 1/1/2, MEP 200):

device-name(config-instance-1)#port 0
device-name(config-port-0)#port-id 1/1/2
device-name(config-port-0)#mep 200
device-name(config-port-0)#exit
13. Configure Port 1 as a port (configured as port 1/1/1, MEP 300):

device-name(config-instance-1)#port 1
device-name(config-port-1)#port-id 1/1/1
device-name(config-port-1)#mep 300
14. Specify no shutdown to enable this R-APS instance:

Device-name(config-instance-1)#no shutdown
15. Commit current configuration (You may commit when R-APS instance (without Sub ring) is
configured or R-APS instance and Sub ring are configured):
Device-name(config-instance-1)#commit
16. Configure the device as a member of a sub-ring (configured as sub-ring 2).

device-name(config-instance-1)#subring 2
17. Configure the port of the subring (port 1/2/3 ) NOTE only one sub ring port per sub-ring:
device-name(config-subring-2)#subring-port 1/2/3
device-name(config-subring-port-1/2/3)#mep 500
18. Enter exit to exit the port configuration:

19. Specify the role of the device in the sub-ring:

device-name(config-subring-2)#role rpl-neighbor
20. Specify the ring-id:

device-name(config-subring-2)#ring-id 99
21. Specify the virtual channel VLAN. Virtual Channel VLAN must be a monitored VLAN of the
main ring instance:
device-name(config-subring-2)#virtual-channel-vlan 23
22. Configure the timers:

device-name(config-instance-1)#guard-timer 20
device-name(config-instance-1)#wait-to-restore-timer 6
device-name(config-instance-1)#hold-off-timer 500
23. Select to set device in revertive-mode:

device-name(config-subring-2)#no revertive-mode
24. Select propagate topology changes:

Device-name(config-subring-2)#propagate-topology-changes
25. Specify no shutdown to enable this R-APS subring:

Device-name(config-subring-2)#no shutdown
26. Commit the current configuration:

Device-name(config-subring-2)#commit

ITU-T Y.1564 Next-Generation Carrier-Ethernet

Test
Overview
The ITU-T Y.1564 defines a test methodology as a new test standard, which goal is to verify the
configuration and performance of Ethernet-based services. Services are traffic streams with specific
attributes identified by different classifiers, such as 802.1q VLAN, 802.1ad and class of service
(CoS) profiles. These services are defined at the user-to-network interface (UNI) level with different
frame and bandwidth profiles, such as the services maximum transmission unit (MTU) or frame
size, committed information rate (CIR) and excess information rate (EIR).
By default, the ITU-T Y.1564 test is non-intrusive, meaning that it runs while the service is
operational, and do not interfere with the user-traffic flowing within the service. For diagnoses and
root-cause analysis of customer-impacting problems in a live network, non-intrusive testing is the
most common and efficient means.
The ITU-T Y.1564 can behave also as intrusive (see Example 1), meaning that the test itself
interferes with what is being tested. When ITU-T Y.1564 is running, normal service frames are not
being forwarded. Instead, ITU-T Y.1564 inserts a high frequency of measurement frames into the
network, and calculates performance metrics under a specified heavy load.
Thus this type of testing is intended to happen before the service is activated or during a
maintenance window.
Y.1564 focuses on the following indicators for service quality:
Bandwidth - this is a bit rate measure of the available or consumed data communication
resources expressed in bits/second or multiples of it (kilobits/s, megabits/s, etc.).
Frame transfer delay (FTD) (latency) - this is a measurement of the time delay between the
transmission and the reception of a frame. Typically this is a round-trip measurement, meaning
that the calculation measures both the near-end to far-end and far-end to near-end directions
simultaneously.
Frame delay variations (packet jitter) - this is a measurement of the variations in the time delay
between packet deliveries. As packets travel through a network to their destination, they are
often queued and sent in bursts to the next hop. There may be prioritization at random
moments, also resulting in packets being sent at random rates. Packets are therefore received at
irregular intervals. The direct consequence of this jitter is stress on the receiving buffers of the
end nodes where buffers can be overused or underused when there are large swings of jitter.
Frame loss - this is a measurement of the number of packets lost over the total number of
packets sent. Frame loss can be due to a number of issues such as network congestion or
errors during transmissions.
Key Objectives
The ITU-T Y.1564 methodology has the following main objectives:

To serve as a network service-level-agreement (SLA) validation tool, ensuring that a service

meets its guaranteed performance settings in a controlled test time.
To ensure that all services carried by the network meet their SLA objectives at their maximum
committed rate, proving that under maximum load, network devices and paths can support all
the traffic as designed.
To perform medium- and long-term service testing, to validate that network elements can
properly carry all services while under stress during a soaking period.
Test Rates
ITU Y.1564 defines three test rates based on the MEF service attributes for Ethernet virtual circuit
(EVC) and UNI bandwidth profiles.
CIR denes the maximum transmission rate for a service where it is guaranteed certain
performance objectives; these objectives are typically defined and enforced via SLAs.
EIR denes the maximum transmission rate above the committed information rate considered
as excess traffic. This excess traffic is forwarded as the capacity allows and is not subject to
meeting any guaranteed performance objectives (best effort forwarding)
Overshoot rate denes a testing transmission rate above CIR or EIR and is used to ensure
that the DUT or network under test does not forward more traffic than specified by the CIR
or EIR of the service.
Methodology
The ITU-T Y.1564 is built around two key subtests, the service-configuration test and the service-
performance test, which are performed in order:
Service configuration test-the test is designed to measure the ability of the device or the
network under test to properly forward in three different states:
In the CIR phase, where performance metrics for the service are measured and compared
to the SLA performance objectives
In the EIR phase, where performance is not guaranteed and the services transfer rate is
measured to ensure that CIR is the minimum bandwidth
In the discard phase, where the service is generated at the overshoot rate and the expected
forwarded rate is not greater than the committed information rate or excess rate
Service performance test-the test measures the ability of the device or network under test to
forward multiple services, while maintaining SLA conformance for each service. Services are
generated at the CIR, where performance is guaranteed, and pass/fail assessment is performed
on the key performance indicators (KPI) values for each service according to its SLA.
Bidirectional Test
The user can perform round-trip measurements with a loopback device. In this case, the results
reflect the average of both test directions, from the test set to the loopback point and back to the
test set. In this scenario, the loopback functionality can be performed by another test instrument in
Loopback mode or by a network interface device in Loopback mode.

Y.1564 Commands
Commands Hierarchy
device-name#
+ config terminal
+ [no] saa
+ [no] profile PROFILE-NAME
- type y1564
+ [no] y1564
- [no] frame-delay <value>
- [no] frame-loss-ratio <value>

+ [no] test TEST-NAME TEST-OWNER
- profile PROFILE-NAME
- type y1564
- [no] shutdown
+ [no] y1564
- [no] domain DOMAIN-NAME
- [no] ma MA-NAME
- [no] mep <value>
- mode bi-test-loopback
- mode bi-test-head
- [no] c-vlan <vlan-id>
- [no] c-vlan-drop-eligible
- [no] c-vlan-priority <value>
- [no] cir <value>
- [no] cir-steps <value>
- [no] configuration-step-duration <value>
- [no] custom-data-size <value>
- [no] data-size <value>
- [no] domain DOMAIN-NAME
- [no] eir <value>
- [no] function {both | configuration | performance}
- [no] loopback-type {mac-swap | oam}
- [no] ma MA-NAME
- [no] mep <value>
- [no] pattern {none | null | null-crc | prbs |
prbs-crc}
- [no] performance-test-duration <value>

- [no] s-vlan-drop-eligible
- [no] s-vlan-priority <value>
- [no] target-type {mac | mep}
- [no] target-mep <value>
- [no] target-mac HH:HH:HH:HH:HH:HH
- [no] traffic-policing
- show profile name [NAME]
- show test name [NAME] owner [NAME]
Table 8: Y.1564 Test Commands
Command Description

saa Enters SAA Configuration mode
no saa Removes SAA configurations such as profiles
and tests
profile PROFILE-NAME
Creates a SAA monitoring profile (up to 64

profiles) and enters SAA Profile mode:
PROFILE-NAME: up to 32
characters, numbers and/or
letters
no profile PROFILE-NAME Removes the configured SAA profile
NOTE
You cannot remove a profile
associated with a running test.
type y1564
Selects the Y.1564 test.

The Y.1564 test measures performance
monitoring parameters:
Frame Delay and Frame Delay Variation
Frame Loss Ratio
y1564 Enters SAA Y1564 Profile Configuration mode
no y1564 Exits SAA Y1564 Profile Configuration mode
frame-delay <value> Specifies the frame-loss ratio threshold for the

Y.1564 test:
60000000> microseconds
1000000us
no frame-delay Restores to default

Command Description
frame-loss-ratio <value> Specifies the frame-loss ratio threshold for the

Y.1564 test:
value: in the range <0-100> %,
with resolution of 0.001%
8.000%
no frame-loss-ratio Restores to default
test TEST-NAME TEST-OWNER
Specifies a SAA test and enters SAA Test

mode:
TEST-NAME: up to 32 characters
TEST-OWNER: the test-owner's
name
no test TEST-NAME TEST-OMNER Removes the configured SAA test
type y1564
Selects the Y.1564 test.

The Y.1564 test measures performance
monitoring parameters:
Frame Delay and Frame Delay Variation
Frame Loss Ratio
Applies a profile to the specified Y.1564 test.

letters
y1564 Enters SAA Y1564 Configuration mode
no y1564 Exits SAA Y1564 Configuration mode
mode bi-test-loopback
Enters Y.1564 Test Loopback mode and

initiates the test Loopback (bidirectional).
mode bi-test-head
Enters Y.1564 Test Head mode and initiates

the test Head.
c-vlan <cvlan-id> Specifies the C-VLAN ID in the generated test

packets:
c-vlan-id: in the range of <1-
4094>
no c-vlan Removes the configured C-VLAN ID
c-vlan-drop-eligible Specifies the eligibility of the packets to be

discarded when congestion conditions are
encountered.
Packets are marked as drop ineligible
no c-vlan-drop-eligible Restores to default

Command Description
c-vlan-priority <value> Specifies the C-VLAN priority of the packets:

6
no c-vlan-priority Restores to default
cir <value> Specifies the maximum Committed

Information Rate (CIR) of the test packets:
500000 kbps
cir-steps <value> Specifies the number of steps in the test.

When the CIR step is 1, the test is performed
with the specified CIR only.
4
no cir-step Restores to default
configuration-step-duration Specifies the duration of the specified step. If

<value> the CIR is 100Mbits, CIR step is 10 and
configuration-step-duration is 12 seconds, the
Y.1564 test will start with 10bits lasting 12
seconds, then 20Mbits, lasting again 12
seconds.
seconds
1 second
no configuration-step-duration Restores to default
data-size <value>
Selects a pre-defined PDU size for which the

test is executed:
value: 64, 128, 256, 512, 1024,
1280, 1518, 1522, 1526, 1530,
1534, 2000, and 9000 bytes.
Use the below format to specify
more than one value:
Example:
data-size [ 64 128 1530]
no data-size <value> Removes some of the selected values.
custom-data-size <value> Specifies the size of the data packets:

no custom-data-size <value> Removes some of the configured values.

Command Description
domain DOMAIN-NAME
Selects a Maintenance Domain (MD) for the

test to operate on:
DOMAIN-NAME: up to 22
letters
eir <value> Specifies the EIR value of test packets. This
value must be smaller than CIR value.
value: in the range of <64
1000000> Kbps
0 Mbps
no eir Restores to default
function {both | configuration | Specifies the test function:

performance}
configuration: performs cir
measurements with cir variations
specified by command cir-steps
for period 1 second to 1 minute.
The test duration depends on
specified by command
configuration-step-duration
value.
performance: performs cir
measurements with duration
specified by command
performance-test-duration.
The test is performed with a
single cir value.
both: performs both measurements
Both
no function Restores to default
loopback-type {mac-swap | oam} Specifies the type of the loopback testing:

mac-swap: swaps MAC source and
destination addresses of the
packet before looping it back.
The OpCode field remains the
same.
oam: swaps MAC source and
The OpCode field is changed from
LoopBack Message (LBM) to
LoopBack Reply (LBR).
The OpCode is a 1-octet field that identifies
the OAM PDU type.
OAM
no loopback-type Restores to default

Command Description
ma MA-NAME
Selects a Maintenance Association (MA) for

the test:
MA-NAME: up to 45 characters,
numbers and/or letters
mep <value>
Specifies the MEP ID of the test-head device:

pattern {none | null | null-crc Specifies the test packet's pattern type:
| prbs | prbs-crc}
none: arbitrary pattern
null: null signal without Cyclic
Redundancy Check (CRC)-32
null-crc: null signal with
Cyclic Redundancy Check (CRC)-32
prbs: Pseudo-Random Byte
Sequence (PRBS) without Cyclic
prbs-crc: Pseudo-Random Byte
Sequence (PRBS)with Cyclic
PRBS
no pattern Restores to default
performance-test-duration Specifies the duration of a test. A test with

<value> specified performance duration is performed
for each test packet.
value: the valid values are 15
and 30 minutes
15 minutes
no performance-test-duration Restores to default
s-vlan-drop-eligible Specifies the eligibility of the packets to be

encountered.
NOTE
The throughput test priority
must be lower than the CCM
priority.
no s-vlan-drop-eligible Restores to default
s-vlan-priority <value> Specifies the S-VLAN priority of the packets:

6
no s-vlan-priority Restores to default

Command Description
target-type {mac | mep}
Specifies the target type of the remote device:

mac: the destination is MAC
address
mep: the destination is MEP ID
target-mep <value> Specifies the remote devices MEP ID:
no target-mep Removes the configured MEP
target-mac HH:HH:HH:HH:HH:HH Specifies the MAC address of the remote

device:
HH:HH:HH:HH:HH:HH: the MAC
address in a hexadecimal format
no target-mac Removes the configured MAC address
timeout <value> Specifies the maximum timeout of the Y.1564

test packets:
value: In the range of <0-10000>
msec
1000 msec
traffic-policing Allows you to specify the test information rate

above CIR and EIR
Disabled
no traffic-policing Restores to default
show profile name [NAME] Displays information about the configured

Y.1564 test profiles:
profile name NAME: specific
profile
show test name [NAME] owner [NAME] Displays results of Y.1564 tests:
test name NAME: specific test
owner NAME: specific owner
Example 1
The following example displays the configuration needed to convert the ITU-T Y.1564 testing
from non-intrusive (default status) to intrusive. The user needs to configure any MAC ACL and
apply it on port, group of ports, or SAP port.
device-name(config)#mac access-list 400
device-name(config-access-list-400)#rule 1 action deny source-mac any
destination-mac any vlan 300
device-name(config-access-list-400)#rule 2 action permit source-mac any
destination-mac any

The following example demonstrates how to configure Y.1564 test:
1. Configure theY.1564 head device:
Configure the packet size of the selected port:
device-name(config-port-1/1/1)#mtu 9000
Configure VLAN 300 on which the Y.1564 test is configured:

device-name(config-vlan-300)#name v300
device-name(config-vlan-300)#no management
Enable CFM:
device-name(config)#oam
device-name(config-oam)#cfm
Configure CFM domain:

device-name(config-cfm)#domain d6
device-name(config-domain-d6)#level 6
Configure MA:
device-name(config-domain-d6)#ma ma6
device-name(config-ma-ma6)#vlan 300
Configure CFM:
Configure Y.1564 test profile thresholds:

device-name(config)#saa
device-name(config-saa)#profile 4
device-name(config-profile-4)#type y1564
device-name(config-profile-4)#y1564
device-name(config-y1564)#frame-loss-ratio 100000
device-name(config-y1564)#exit
device-name(config-profile-4)#exit
Configure Y.1564 test and apply Y.1564 test profile:

device-name(config-saa)#test LAB_TEST John
device-name(config-test-LAB_TEST/John)#type y1564

device-name(config-test-LAB_TEST/John)#profile 4
Configure Y.1564 test parameters:

device-name(config-test-LAB_TEST/John)#y1564
device-name(config-y1564)#mode bi-test-head
device-name(config-y1564)#domain d6
device-name(config-y1564)#ma ma6
device-name(config-y1564)#mep 3209
device-name(config-y1564)#target-type mep
device-name(config-y1564)#target-mep 3208
device-name(config-y1564)#cir 1000000
device-name(config-y1564)#cir-steps 1
device-name(config-y1564)#data-size [ 64 128 256 512 1024 1280 1518 1522
1526 1530 1534 2000 9000 ]
device-name(config-y1564)#custom-data-size 2500
2. Configure theY.1564 loopback device:

Configure the packet size of the selected port:
Configure VLAN 300 on which the Y.1564 test is configured:

device-name(config-vlan-300)#name v300
Enable CFM:
Configure CFM domain:

Configure MA:
Configure CFM:
Configure Y.1564 test parameters:

device-name(config-saa)#test LAB_TEST John

device-name(config-test-LAB_TEST/John)#type y1564
device-name(config-test-LAB_TEST/John)#y1564
device-name(config-y1564)#mode bi-test-loopback
Display configuration results:

device-name#show saa profile
=======================
Name |Type
--------------+--------
1 |y1731
2 |rfc2544
3 |rfc2544
4 |y1564
device-name#show saa profile name 4

Profile name : 4
Profile type : y1564
FrameLoss : 100.000 %
FrameDelay : 1000000 us
FrameDelayVariation : 300000 us
device-name#show saa test

==============================================================================
Name |Owner |Profile |Type |State |Status
----------------+----------------+----------------+--------+---------+--------
2 |2 |2 |rfc2544 |Shutdown |N/A
3 |3 |2 |rfc2544 |Shutdown |N/A
20 |20 |N/A |rfc2544 |Shutdown |N/A
Y1 |1 |1 |y1731 |Shutdown |N/A
RFC_John |John |3 |rfc2544 |Shutdown |Stopped
LAB_TEST |John |4 |y1564 |Enabled |Finished
device-name#show saa test name LAB_TEST owner John

Test name : LAB_TEST
Test owner : John
Test type : y1564
Test mode : bi-test-head
State : Enabled
Status : Finished
Function : Configuration
Profile name : 4
Cfm domain : d6
Cfm ma : ma6
Source mep : 3209
Target mep : 3208
CIR : 1000000
CIR steps : 2
EIR : 0

Traffic Policing : Not set

Pattern : prbs
Priority : 5
DE flag : Not set
C-vlan Id : Not set
C-vlan Priority : 0
C-vlan DE flag : Not set
Config duration : 1 seconds
Perform duration : 15 min
Timeout : 1.0 seconds
Loopback type : oam
Datasize : 64, 128, 256, 512, 1024, 1280, 1518, 1522, 1526, 1530, 1534,
2000, 9000
Custom Datasize : 2500
------------------------------------------------------------------------
| Step 1 CIR: 50000Kbps Status: Pass |
------------------------------------------------------------------------
| Size | IR | FLR | FTD | FDV |
+--------+-------------+-----------+-----------------+-----------------+
| 64 | 500000Kbps | 0.000 % | 17.354 us | 2.560 us |
+--------+-------------+-----------+-----------------+-----------------+
| 128 | 500000Kbps | 0.000 % | 21.335 us | 1.024 us |
+--------+-------------+-----------+-----------------+-----------------+
| 256 | 500000Kbps | 0.000 % | 29.798 us | 1.024 us |
+--------+-------------+-----------+-----------------+-----------------+
| 512 | 500000Kbps | 0.001 % | 46.169 us | 1.024 us |
+--------+-------------+-----------+-----------------+-----------------+
| 1024 | 500000Kbps | 0.003 % | 78.985 us | 1.024 us |
+--------+-------------+-----------+-----------------+-----------------+
| 1280 | 500000Kbps | 0.004 % | 95.378 us | 1.024 us |
+--------+-------------+-----------+-----------------+-----------------+
| 1518 | 500000Kbps | 0.004 % | 110.517 us | 1.024 us |
+--------+-------------+-----------+-----------------+-----------------+
| 1522 | 500000Kbps | 0.004 % | 111.008 us | 2.048 us |
+--------+-------------+-----------+-----------------+-----------------+
| 1526 | 500000Kbps | 0.004 % | 111.168 us | 1.536 us |
+--------+-------------+-----------+-----------------+-----------------+
| 1530 | 500000Kbps | 0.004 % | 111.547 us | 1.024 us |
+--------+-------------+-----------+-----------------+-----------------+
| 1534 | 500000Kbps | 0.004 % | 111.692 us | 1.024 us |
+--------+-------------+-----------+-----------------+-----------------+
| 2000 | 500000Kbps | 0.006 % | 141.074 us | 0.512 us |
+--------+-------------+-----------+-----------------+-----------------+
| 2500 | 500000Kbps | 0.008 % | 174.080 us | 0.000 us |
+--------+-------------+-----------+-----------------+-----------------+
| 9000 | 500000Kbps | 0.043 % | 446.637 us | 1.024 us |
+--------+-------------+-----------+-----------------+-----------------+
Result: Pass
------------------------------------------------------------------------
| Step 2 CIR: 50000Kbps Status: Pass |

------------------------------------------------------------------------
| Size | IR | FLR | FTD | FDV |
+--------+-------------+-----------+-----------------+-----------------+
| 64 | 1000000Kbps | 99.646 % | 127.395 us | 786.944 us |
+--------+-------------+-----------+-----------------+-----------------+
Result: Pass

Two-Way Active Measurement Protocol (TWAMP)

The Two-Way Active Measurement Protocol (TWAMP) defines Layer 3 monitoring capabilities for
measuring round-trip network performance among two devices in a network that support the
TWAMP protocol.
With TWAMP, service providers and equipment vendors can identify the congested parts at IP
layer of the network and confidently develop IP service level agreements (SLAs).
TWAMP defines two sets of protocols:
TWAMP control protocol - initiates, starts and stops TWAMP test sessions
TWAMP test protocol - exchanges TWAMP performance-measurement probes between two
TWAMP hosts.
Test sessions can also be configured without the TWAMP control protocol and this is known as
TWAMP light.
The TWAMP measurement architecture is composed of four logical entities:
control-client - sets up, starts, and stops TWAMP-Test sessions
session-sender - instantiates TWAMP-Test packets that are sent to the session-reflector
server - manages one or more TWAMP sessions. The server listens on the TCP port.
session-reflector - reflects a measurement packet upon receiving a TWAMP-Test packet. The
session reflector does not collect packet statistics in TWAMP.

Figure 14: TWAMP Measurement Architecture
Each TWAMP-enabled device may participate in several active sessions at the same time, both as
control- client/session-sender and server/session-reflector. Device can be only client or only server.
In a TWAMP test session, packets are time stamped, tagged with sequence numbers and
transmitted from a session-sender to a session-reflector. The session-reflector time stamps the
incoming packets, create new test packets (one packet is created for each test packet received by the
session-reflector) and send them to the session-sender as soon as possible. Using these time stamps
and sequence numbers, the session-sender can then calculate the one-way delay, jitter and packet
loss for the session in the forward path and the reverse path.
TWAMP Commands
This section defines the command hierarchy for the TWAMP and provides a list of available
commands. Included also, is a configuration example.
Command Hierarchy
device-name#

+ config terminal
+ [no] saa
+ [no] twamp
+ [no] server
- [no] client A.B.C.D
- [no] max-parallel-sessions <value>
- [no] max-sessions <value>
- [no] server-inactivity <value>
- [no] session-inactivity <value>
- [no] shutdown
+ [no] test TEST-NAME
- [no] delay <value>
- [no] packets <value>
- server-ip A.B.C.D
- [no] session-count <value>
- saa twamp test TEST-NAME {start | stop}
- show twamp test [name TEST-NAME]
- show twamp server
Table 9: TWAMP Commands
Command Description

and tests
twamp Enters the TWAMP Configuration mode
no twamp Removes TWAMP configurations
server Configures the device as a TWAMP server

and enters TWAMP server configuration
mode.
no server Removes TWAMP Server configurations

Command Description
client A.B.C.D
Specifies the allowed client host that can

connect to the server.
You can include multiple client lists.
You must configure at least one client
address to enable TWAMP.
A.B.C.D: clients IP address, in
no client [A.B.C.D] Removes the configured client/s:
A.B.C.D: (optional) clients IP
address, in dotted-decimal
format
max-parallel-sessions <value> Specifies maximum number of concurrent
connections the server can have to client
hosts:
1
no max-parallel-sessions Restores to default
max-sessions <value> Specifies maximum number of TWAMP

sessions the server can have running at one
time, including the maximum number of
concurrent connections:
100
no max-sessions Restores to default
server-inactivity <value> Specifies the time the TWAMP server has to

finish the TWAMP control protocol
negotiation, otherwise the TWAMP session
will be closed:
seconds
900 seconds
no server-inactivity Restore to default
session-inactivity <value> Specifies the time the TWAMP session is

inactive before it times out:
seconds
900 seconds
no session-inactivity Restores to default
shutdown Deactivates the TWAMP server

Server must be shut down if you want to start
a test session.
no shutdown Activates the server

Command Description
test TEST-NAME
Configures a TWAMP test and enters

TWAMP Test Configuration mode:
no test [TEST-NAME] Removes the configured TWAMP test:
TEST-NAME: (optional) up to 32
characters
delay <value> Specifies the time gap between two packets
sent:
1500> seconds
100 milliseconds
no delay Restores to default
packets <value> Specifies the number of packets to be sent:

300
no packets Restores to default
server-ip A.B.C.D
Specifies the TWAMP Server IP address.

One TWAMP server can communicate with
multiple clients.
You must configure at least one server
address to enable TWAMP.
A.B.C.D: servers IP address, in
session-count <value> Specifies the number of concurrent
connection in one session:
1
no session-count Restores to default
timeout <value> Specifies the time the client waits to receive a

packet after stop command execution:
10000> milliseconds
1000 milliseconds
saa twamp test TEST-NAME {start | stop} Manipulates the TWAMP test execution:
start: starts test execution
stop: stops test execution

Command Description
show twamp test [name TEST-NAME] Displays the TWAMP test configuration on the
client side:
name TEST-NAME: (optional)
displays a specific test
configuration and results if the
mode is set to test
show twamp server Displays the TWAMP test configuration on the
server side
The following example shows how to configure the TWAMP test:
Configuring the Client Side

1. Configures the client device to have connection to the peer device:
device-name(config-interface-sw10)#exit
device-name(config-router)#exit
device-name(config-vlan-10)#name VLAN10
2. Configures the TWAMP test:

device-name(config-saa)#twamp
device-name(config-twamp)#test 5
device-name(config-test-5)#server-ip 1.0.0.11
device-name(config-test-5)#sessions-count 5
device-name(config-test-5)#packets 400
device-name(config-test-5)#timeout 10000
device-name(config-test-5)#delay 200
device-name(config-test-5)#exit
device-name(config-twamp)#exit
device-name(config-saa)#exit
Configuring the Server Side

1. Configures the server device to have connection to the peer device:

2. Configures the TWAMP test:

device-name(config-saa)#twamp
device-name(config-twamp)#server
device-name(config-server)#server-inactivity 20
device-name(config-server)#session-inactivity 120
device-name(config-server)#max-sessions 30
device-name(config-server)#max-parallel-sessions 10
device-name(config-server)#client 1.0.0.1
device-name(config-client-1.0.0.1)#exit
device-name(config-server)#no shutdown
device-name(config-server)#commit
Commit complete.
3. Starts the TWAMP Test

device-name#saa twamp test 5 start
Displaying TWAMP results

device-name#show saa twamp test
=====================================================================================================
Start Time |Name |Server |Ses|Status |RTT |Min RTT |Max RTT |Pkt
|Drop%|Variation |Low% |-/+10%|High% |
--------------+--------+---------------+---+----------+----------+----------+----------+-----+-----+-
01.01.09 14:04|5 |1.0.0.11 | 5| Completed| 7.2647| 3.9700| 15.8130| 2000| 0.0|
8.4350| 2.66| 95.19| 2.16|

ITU-T Y.1731 SAA In-Service Test

Service Assurance Application (SAA) in-service tests monitor and analyze network performance
and service quality.
Following are the performance monitoring parameters:
Frame Delay and Frame Delay Variation Measurement (ETH-DM)
One-way ETH-DM (using 1DM PDU)
Two-way ETH-DM (using DMM and DMR PDUs)
Frame Loss (ETH-LM)
Based on in-profile service frame counters
Dual-ended ETH-LM (using CCM PDU)
Single-ended ETH-LM (using LMM and LMR PDUs)
An SAA includes measurements are specified by the ITU-T Y-1731 standard and interpreted by the
Metro Ethernet Forum (MEF) standards group.
SAA compares test results to predefined SLA thresholds and sends notification when the threshold
is crossed.
In case of simultaneously working SAA tests, it is recommended to use one second
interval. Otherwise high CPU use occurs.
Frame Loss (ETH-LM)

Frame Loss Measurement function (ETH-LM) maintains counters of received and transmitted
service frames between a pair of MEPs. These counters are used to calculate frame loss ratio, which
is a ratio of the number of service frames not delivered, divided by the total number of service
frames during a time interval. The number of service frames not delivered is the difference between
the number of service frames arriving at the ingress Ethernet flow point and the number of service
frames delivered at the egress Ethernet flow point in a point-to-point Ethernet connection.
Dual-ended LM and single-ended LM are two ways ETH-LM can be performed. To perform dual-
ended LM, each MEP proactively sends periodic CCM frames to its peer MEP. Each peer MEP
terminates the CCM frames and performs near-end and far-end loss measurements using local
counters and counter values in the received CCM frames.
To perform single-ended LM, a MEP sends LM request (LMM) frames to its peer MEP upon an
on-demand administrative trigger. The peer MEP responds with LM reply (LMR) frames. Using
counter values in LMR frames and its local counter value, a MEP performs near-end and far-end
loss measurements. The following are the dual-ended and single-ended frame loss formulas.
ETH-DM Frame Delay and Frame Delay Variation Measurement

(ETH-DM)
When a MEP is enabled to perform the frame delay and frame delay variation measurement
function (ETH-DM), it periodically sends frames with ETH-DM information to its peer MEP. It
receives frames with ETH-DM information from its peer MEP. MEPs can use one of two
methods to perform ETH-DM, one-way ETH-DM or two-way ETH-DM.

For one-way ETH-DM to work properly, clocks on the peer MEPs must be synchronized. The
sending MEP sends 1DM frames including timestamp at transmission time. The receiving MEP
calculates the frame delay using the timestamp at the reception of the 1DM frame and the
timestamp in the 1DM frame. For one-way frame delay variation measurement, clock
synchronization on the peer MEPs is not required. The out-of-phase period can be removed by the
difference of subsequent frame delay variation measurements. If clocks on peer MEPs are not
synchronized, a MEP can measure frame delay using two-way ETH-DM. When two-way DM is
enabled, a MEP sends ETH-DM request (DMM) frames including timestamp at transmission time.
The receiving MEP copies the timestamp into ETH-DM Reply (DMR) and sends that DMR back
to the sending MEP. The sending MEP receives the DMR and calculates the two-way frame delay
using the timestamp in the DMR and the timestamp at reception of the DMR. Frame delay
variation measurement is done by calculating the difference between two subsequent two-way
frame delay measurements.
ITU-T Y.1731 SAA In-Service Configuration Flow
Figure 15: ITU-T Y.1731 SAA In-Service Configuration Flow
ITU-T Y.1731 SAA In-Service Configuration Commands

This section defines the command hierarchy for the SAA In-Service test and provides a list of

Command Hierarchy
device-name#
+ config terminal
+ [no] saa
- type {y1731 | y1731-slm}
+ [no] y1731
- [no] delay-far-end <value>
- [no] delay-near-end <value>
- [no] jitter-far-end <value>
- [no] jitter-near-end <value>
- type y1731
+ [no] y1731
- [no] count-all-priorities
- mode {loopback | test}
- [no] delay-method {average | p-
percentile}
- [no] delay-p-value <value>
- [no] frequency <value>
- [no] function {both | delay-measurement
| loss-measurement}
- [no] history <value>
- [no] interval <value>
- [no] jitter-method {p-percentile | peak-
to-peak | variance}
- [no] jitter-p-value <value>
- domain DOMAIN-NAME
- mep <value>
- [no] mode {loopback | test}
- [no] period <value>
- target-type {mac | mep}
- [no] ma MA-NAME
- [no] shutdown
- show saa test [name TEST-NAME owner TEST-OWNER]

- show saa profile [name PROFILE-NAME]
Table 10: ITU-T Y.1731 SAA In-Service Test Commands
Command Description

and tests

letters
NOTE
type y1731
Selects SAA Y1731 test

delay-far-end <value> Specifies the one-way delay threshold from

the test-loopback to the test-head device:
1000000 microsecond
no delay-far-end Restores to default
delay-near-end <value> Specifies the one-way delay threshold from

the test-head to the test-loopback device:
1000000 microsecond
no delay-near-end Restores to default
frameloss-far-end <value> Specifies the one-way frame loss ratio from

100000>. The resolution is
0.001%.
8%
no frameloss-far-end Restores to default

Command Description
frameloss-near-end <value> Specifies the one-way frame loss ratio from

100000>. The resolution is
0.001%.
8%
no frameloss-near-end Restores to default
jitter-far-end <value> Specifies the one-way jitter threshold from the

test-loopback to the test-head device:
300000 microseconds
no jitter-far-end Restores to default
jitter-near-end <value> Specifies the one-way jitter threshold from the

test-head to the test-loopback device:
300000 microseconds
no jitter-near-end Restores to default

mode:
name
type y1731
Selects SAA Y1731 test


letters
count-all-priorities Measures users traffic frameloss regardless

of the packets priority
Disabled
no count-all-priorities Restores to default

Command Description
mode {loopback | test}
Specifies type of test:

loopback: enters Loopback mode
and initiates the test Tail,
which is the passive part of the
SAA test.
The test Tail receives delay measurement
messages (DMM) and loss measurement
messages (LMM) and replies to them by
sending delay measurement replies (DMR)
and loss measurement replies (LMR).
test: enters Test mode and
initiates the test Head, which
is the active part of the SAA
test.
The test Head sends DMM and LMM packets
to the Tail, and gathers statistics for near-end
(NE) and far-end (FE) frame loss, one-way
and two-way delay and jitter.
The test Head replies to DMM and LMM
packets sent by another test Head.
function {both | delay- Supported only for Loopback mode and
measurement | loss- Test mode.
measurement}
Specifies the test function:
delay-measurement: performs only
delay measurements
loss-measurement: performs only
loss measurements
both: performs loss and delay
measurements
Both loss and delay measurements are
calculated
no function Restores to default
domain DOMAIN-NAME
Specifies a Maintenance Domain (MD) for the

test.
letters
mep <value>
Specifies the test's source MEP ID:

ma MA-NAME

the test to operate on:

Command Description
delay-method {average | p- Supported only for Test mode.

percentile}
Specifies the delay calculation method:
average: selects a delay
average, measured by all packets
p-percentile: selects the OAM p-
percentile method
Average
no delay-method Restores to default
delay-p-value <value> Supported only for Test mode and when

the OAM p-percentile method is used.
Specifies the OAM p-percentile method:
value: in the range of <1100>,
in percent
50%
no delay-p-value Restores to default
frequency <value> Supported only for Test mode.

Specifies the time interval for repeating the
SAA test:
seconds
1 second
no frequency Restores to default
history <value> Supported only for Test mode.

Specifies the number of test results kept in the
history database:
96
interval <value> Supported only for Test mode.

Specifies the time interval used by the SAA
test to collect data before calculating results.
The results are stored in the history database.
seconds
900 seconds
no interval Restores to default

Command Description
jitter-method {p- Specifies the jitter threshold calculation

percentile | peak-to- method:
peak | variance}
p-percentile: specifies the OAM
p-percentile method
variance: specifies a simple
variance of all packets' delays
peak-to-peak: specifies the
difference between the maximum
and minimum frame delay
Variance
no jitter-method Restores to default
jitter-p-value <value> Supported only for Test mode and when

the OAM p-percentile method is used.
Specifies the OAM p-percentile method:
value: in the range of <1100>,
in percent
50%
no jitter-p-value Restores to default
mode {loopback | test} Switches between modes.
period <value> Supported only for Test mode.

Specifies the time interval between packets,
sent by the SAA test:
10000> milliseconds
1000 millisecond
no period Restores to default
priority <value> Supported only for Test mode.

Specifies the packets priority, sent by the test:
6
NOTE
To measure configured priority
correctly, change QoS traffic trust
mode from untrust to trust-priority on
the test-head devices, test-tail devices,
and all devices between.
target-mep <value> Supported only for Test mode.

Specifies the remote devices MEP ID:

Command Description
target-mac Supported only for Test mode.

HH:HH:HH:HH:HH:HH
Specifies the MAC address of the remote
device:
Supported only for Test mode.

address
timeout <value> Supported only for Test mode.
Specifies the timeout interval for each packet.
If a reply is not received within the timeout
period, the packet is assumed to be lost.
seconds
3 seconds
shutdown Disables a SAA test

All tests are in disabled state
no shutdown Enables a SAA test
NOTE
Before enabling the SAA test,
use the commit command to
save the unapplied SAA test
configuration. After enabling
the SAA test, use again the
commit command to confirm
the change.
show saa test [name TEST-NAME owner TEST- Displays the SAA test configurations:
OWNER]
mode is set to test
owner TEST-OWNER: (optional)
displays SAA text configuration
and results if the mode is set
to test for the selected tests
owner
show saa profile [name PROFILE-NAME] Displays the SAA profile configuration:
name PROFILE-NAME: (optional)
displays a specific profile
configuration
Note: You cannot change configuration for an enabled test.

The following example shows how to configure the SAA In-Service test on two devices.
Figure 16: Two Devices in SAA In-Service Test Mode
Configuring the Test-Head Device

1. Configure the SAA In-Service test profile:
device-name(config-saa)#profile prof1
device-name(config-profile-prof1)#type y1731
device-name(config-profile-prof1)#y1731
device-name(config-y1731)#delay-near-end 1000
device-name(config-y1731)#delay-far-end 1000
device-name(config-y1731)#jitter-near-end 1200
device-name(config-y1731)#jitter-far-end 1500
device-name(config-y1731)#frameloss-near-end 9999
device-name(config-y1731)#frameloss-far-end 9999
device-name(config-y1731)#commit
Commit complete.
device-name(config-profile-prof1)#exit
2. Enable the SAA In-Service test:

device-name(config-saa)#test test1 user
device-name(config-test-test1/user)#type y1731
device-name(config-test-test1/user)#profile prof1
device-name(config-test-test1/user)#y1731
device-name(config-y1731)#mode test
device-name(config-y1731)#delay-method average
device-name(config-y1731)#frequency 60
device-name(config-y1731)#function both

device-name(config-y1731)#history 50
device-name(config-y1731)#interval 60
device-name(config-y1731)#jitter-method variance
device-name(config-y1731)#period 1000
device-name(config-y1731)#priority 6
device-name(config-y1731)#target-type mep
device-name(config-y1731)#target-mep 7124
device-name(config-y1731)#timeout 5
Commit complete.
device-name(config-test-test1/user)#no shutdown
device-nameconfig-test-test1/user)#commit
Commit complete.
device-name(config-test-test1/user)#end
3. Display SAA In-Service test results:

device-name#show saa test name test1 owner user
Test name : test1
Test owner : user
Test type : y1731
Test mode : test
State : Enabled
Status : Started
Profile name : prof1
Cfm domain : d6
Cfm ma : ma6
Source mep : 3208
Target mep : 7124
Frequency : 60
Timeout : 5 seconds
History : 50
Clocks in sync : No
Interval : 60 sec
Period : 1000 msec
Priority : 6
Count all
priorities : Disabled
Functions : both
Delay method : average
Jitter method : variance
Interval Id: 2 Results gathered: 120

Timeouts: 0 Errors: 0 Sent Pkts: 120
Delay (NE): 1.234 us Delay (FE): 1.234 us
Jitter (NE): 0.050 us Jitter (FE): 0.020 us
FrameLoss (NE): 0.001 % FrameLoss (FE): 0.000 %
Sent Pkts (NE): 1000000 Sent Pkts (FE): 200000
Rcvd Pkts (NE): 200000 Rcvd Pkts (FE): 999999

Configuring the Test-Loopback Device

1. Configure the SAA In-Service test:
device-name(config)#saa profile prof1
device-name(config-profile-prof1)#type y1731
device-name(config-profile-prof1)#y1731
device-name(config-y1731)#delay-far-end 1000
device-name(config-y1731)#delay-near-end 1000
device-name(config-y1731)#frameloss-far-end 9999
device-name(config-y1731)#frameloss-near-end 9999
device-name(config-y1731)#jitter-far-end 1500
device-name(config-y1731)#jitter-near-end 1200
Commit complete.
device-name(config-profile-prof1)#exit
2. Enable the SAA In-Service test:

device-name(config-saa)#test test1 user
device-name(config-test-test1/user)#type y1731
device-name(config-test-test1/user)#profile prof1
device-name(config-test-test1/user)#y1731
device-name(config-y1731)#mode loopback
Commit complete.
device-name(config-test-test1/user)#no shutdown
device-name(config-test-test1/user)#commit
Commit complete.
device-name(config-test-test1/user)#end
3. Display SAA In-Service test results:

device-name#show saa test name test1 owner user
Test name : test1
Test owner : user
Test type : y1731
Test mode : loopback
State : Enabled
Status : Started
Cfm domain : d6
Cfm ma : ma6
Source mep : 7124
Count all
priorities : Disabled
Functions : both

ITU-T Y.1731-SLM SAA In-Service Test

Synthetic Frame Loss Measurement (ETH-SLM)
Synthetic Loss Measurement (SLM) is an extension of the existing Y.1731 feature, and makes use
of an additional functionality defined in the latest version of the ITU-T Y.1731 (2011) standard.
SLM measures frame loss and delay using synthetic frames instead of data traffic.
Frame loss is measured by calculating the difference between the number of synthetic frames that
are sent and received. It can be used between peer MEPs in both point to point and multipoint
services.
Single-ended ETH-SLM (Unidirectional) Test

The unidirectional SLM test consist 2 units. One unit (Unidirectional-Head) sends 1SL packets. The
other unit (Unidirectional-Tail) receives the single-ended SLM and count them. Counter for
sent/received are stored, and test results are calculated based on the gathered counters within the
configured interval of time. Only the test-tail displays results and performs calculations.
Dual-ended ETH-SLM (Bidirectional) Test

The bidirectional SLM test includes a unit (Bidirectional-Head) that sends at configured interval
SLM frames and receives back SLR frames. Counter for sent/received are stored, and test results
are calculated based on the gathered counters on a configured interval of time. The other unit
(Bidirectional-Loopback) only replies to each SLM, received from Head with a SLR. All calculations
and results are performed by the Head side.

ITU-T Y.1731-SLM SAA Configuration Flow
Figure 17: ITU-T Y.1731-SLM In-Service Configuration Flow
ITU-T Y.1731-SLM SAA In-Service Configuration

Commands
This section defines the command hierarchy for the SAA In-Service test and provides a list of
Command Hierarchy
device-name#
+ config terminal
+ [no] saa
- type y1731-slm
+ [no] y1731-slm
- [no] delay-far-end <value>
- [no] delay-near-end <value>
- [no] frameloss-far-end <value>
- [no] frameloss-near-end <value>
- [no] jitter-far-end <value>
- [no] jitter-near-end <value>


- type y1731-slm
+ [no] y1731-slm
- [no] mode {bi-test-head | bi-test-loopback |
uni-test-head | uni-test-tail}
- [no] frequency <value>
- mep <value>
- ma MA-NAME
- [no] mode {bi-test-head | bi-test-
loopback | uni-test-head | uni-test-
tail}
- [no] interval <value>
- [no] drop-eligible
- [no] history <value>
- [no] pdu-size <value>
- [no] test-id <value>
- [no] gathering-interval <value>
- [no] include-delay-measurement
- [no] shutdown
Table 11: ITU-T Y.1731-SLM SAA In-Service Test Commands
Command Description

and tests

letters

Command Description

NOTE
type y1731-slm
Selects SAA Y1731-SLM test

y1731-slm Enters SAA Y1731-SLM Profile Configuration
mode
no y1731-slm Exits SAA Y1731-SLM Profile Configuration
mode
delay-far-end <value> Specifies the one-way delay threshold from
1000000 microsecond
no delay-far-end Restores to default
delay-near-end <value> Specifies the one-way delay threshold from

1000000 microsecond
no delay-near-end Restores to default
frameloss-far-end <value> Specifies the one-way frame loss ratio from

100000> in %*1000
8000
no frameloss-far-end Restores to default
frameloss-near-end <value> Specifies the one-way frame loss ratio from

100000> in %*1000
8000
no frameloss-near-end Restores to default
jitter-far-end <value> Specifies the one-way jitter threshold from the

test-loopback to the test-head device:
300000 microseconds
no jitter-far-end Restores to default

Command Description
jitter-near-end <value> Specifies the one-way jitter threshold from the

test-head to the test-loopback device:
300000 microseconds
no jitter-near-end Restores to default

mode:
name
type y1731-slm
Selects SAA Y1731-SLM test


letters
y1731-slm Enters SAA Y1731-SLM Profile Configuration
mode
no y1731-slm Exits SAA Y1731-SLM Profile Configuration
mode
mode {bi-test-head | bi-test-
loopback | uni-test-head |
uni-test-tail} Specifies the type of the SAA Y1731-SLM
test:
bi-test-head: bi-directional
Y1731-SLM test
bi-test-loopback: test-loopback
functionality during a bi-
directional test
uni-test-head: unidirectional
Y1731-SLM test
uni-test-tail: test-tail
functionality during a
unidirectional Y1731-SLM test
domain DOMAIN-NAME
Specifies a Maintenance Domain (MD) for the

test.
letters

Command Description
mep <value>
Specifies the test's source MEP ID:

ma MA-NAME

the test to operate on:
frequency <value> Supported only for Uni-test-tail mode and
Bi-test-head mode.
Specifies the time interval for repeating the
SAA test:
seconds
1 second
no frequency Restores to default
history <value> Supported only for Bi-test-head mode and

Uni-test-tail mode.
Specifies the number of test results kept in the
history database:
96
interval <value> Supported only for Bi-test-head mode and

Uni-test-tail mode.
Specifies the time interval used by the SAA
test to collect data before calculating results.
The results are stored in the history database.
seconds
900 seconds
no interval Restores to default
period <value> Supported only for Bi-test-head mode and

Uni-test-head mode.
Specifies the time interval between packets,
sent by the SAA test:
value: valid values are 300Hz,
10msec, 100msec, or 1sec
100 millisecond

Command Description
priority <value> Supported only for Bi-test-head mode and

Uni-test-head mode.
Specifies the packets priority, sent by the test:
6
NOTE
To measure configured priority
correctly, change QoS traffic trust
mode from untrust to trust-priority on
the test-head devices, test-tail devices,
and all devices between.
target-mep <value> Supported only for Bi-test-head mode.

target-mac Supported only for Bi-test-head mode and

HH:HH:HH:HH:HH:HH Uni-test-head mode.
device:
Supported only for Bi-test-head mode and

Uni-test-head mode.
address
drop-eligible Supported only for Bi-test-head mode and
Uni-test-head mode.
Specifies the eligibility of the synthetic packets
to be discarded when congestion conditions
are encountered.
no drop-eligible Restores to default
pdu-size <value>
Supported only for Bi-test-head mode and
Uni-test-head mode.
Specifies the synthetic packets size:
bytes
no pdu-size Restores to default

Command Description
test-id <value> Supported only for Bi-test-head mode and

Uni-test-tail mode.
Specifies Y1731-SLM test ID:
no test-id Removes the configured test ID
gathering-interval <value> Supported for Bi-test-head mode, Bi-test-

loopback mode, Uni-test-tail mode, and
Uni-test-head mode.
Specifies a time period at which the SAA
application gets refreshed counters from the
hardware.
value: 1sec, 2sec or 3sec
no gathering-interval Removes the configured interval
mode {bi-test-head | bi- Supported for Bi-test-head mode, Bi-test-

test-loopback | uni- loopback mode, Uni-test-head mode, and
test-head | uni-test-
tail} Uni-test-tail mode.
Switches between modes.
include-delay-measurement Supported only for Bi-test-head mode
(Y1731-SLM).
Includes delay measurement in the Y1731-
SLM test
Not included
no include-delay- Restores to default
measurement

All tests are in disabled state
NOTE
Before enabling the SAA test,
use the commit command to
save the unapplied SAA test
configuration. After enabling
the SAA test, use again the
commit command to confirm
the change.
show saa test [name TEST-NAME owner TEST- Displays the SAA test configurations:
OWNER]
mode is set to test
owner

Command Description
configuration
Example
The following example demonstrates how to configure bi-directional Y1731-SLM test:
1. Configure the Test-head device:
Device-name(config-c-vlan-1111)#sdp s-vlan 111 port 1/1/2
Device-name(config-port-1/1/2)#top
Device-name(config)#oam cfm
Device-name(config-cfm)#no shutdown
Device-name(config-cfm)#domain SLM level 1
Device-name(config-domain-SLM)#ma 11 service 111
Device-name(config-ma-11)#hello-interval 1s
Device-name(config-ma-11)#mep 1 bind-to 1/1/1:1111: direction up ccm-
enabled
Device-name(config-mep-1)#no shutdown
Device-name(config-mep-1)#top
Device-name(config)#saa profile SLM
Device-name(config-profile-SLM)#type y1731-slm
Device-name(config-profile-SLM)#top
Device-name(config)#saa test 111 111
Device-name(config-test-111/111)#type y1731-slm
Device-name(config-test-111/111)#profile SLM
Device-name(config-test-111/111)#y1731-slm
Device-name(config-y1731-slm)#mode bi-test-head
Device-name(config-y1731-slm)#include-delay-measurement
Device-name(config-y1731-slm)#domain SLM
Device-name(config-y1731-slm)#interval 60
Device-name(config-y1731-slm)#period 1sec
Device-name(config-y1731-slm)#gathering-interval 1sec
Device-name(config-y1731-slm)#history 1
Device-name(config-y1731-slm)#mep 1
Device-name(config-y1731-slm)#ma 11
Device-name(config-y1731-slm)#priority 6
Device-name(config-y1731-slm)#target-type mep
Device-name(config-y1731-slm)#target-mep 2
Device-name(config-y1731-slm)#pdu-size 1024
Device-name(config-y1731-slm)#test-id 111
Device-name(config-y1731-slm)#exit
Device-name(config-test-111/111)#no shutdown
Device-name(config-test-111/111)#commit
Commit complete.

Device-name(config-test-111/111)#
2. Configure the Test-loopback device:

Device-name(config-c-vlan-1111)#sdp s-vlan 111 port 1/1/4
Device-name(config)#oam cfm
Device-name(config-cfm)#no shutdown
Device-name(config-cfm)#domain SLM level 1
Device-name(config-domain-SLM)#ma 11 service 111
Device-name(config-ma-11)#hello-interval 1s
Device-name(config-ma-11)#mep 2 bind-to 1/1/3:1111: direction up ccm-
enabled
Device-name(config-mep-2)#no shutdown
Device-name(config-mep-2)#top
Device-name(config)#saa profile SLM
Device-name(config-profile-SLM)#type y1731-slm
Device-name(config-profile-SLM)#top
Device-name(config)#saa test 111 111
Device-name(config-test-111/111)#type y1731-slm
Device-name(config-test-111/111)#profile SLM
Device-name(config-test-111/111)#y1731-slm
Device-name(config-y1731-slm)#mode bi-test-loopback
Device-name(config-y1731-slm)#domain SLM
Device-name(config-y1731-slm)#mep 2
Device-name(config-y1731-slm)#ma 11
Device-name(config-y1731-slm)#test-id 111
Device-name(config-y1731-slm)#exit
Device-name(config-test-111/111)#no shutdown
Device-name(config-test-111/111)#commit
Commit complete.
3. Display the Y1731-SLM configuration:

Device-name#show saa test name 111 owner 111
Test name : 111
Test owner : 111
Test type : y1731-slm
State : Enabled
Status : Running
Profile name : SLM
Cfm domain : SLM
Cfm ma : 1
Cfm mep : 11
Target mep : 2
Frequency : 1
History : 1
Clocks in sync : No
Interval : 60 sec

Period : 1000 msec

Priority : 6
Test-id : 111
Pdu-size : 1024
DE flag : Unset
Gathering-int : 1 seconds
Include-delay : Yes
Delay method : average
Jitter method : variance
Interval Id: 2 Results gathered: Thu Oct 1 14:29:07 2009

Delay (NE): 15.360 us Delay (FE): 15.360 us
Jitter (NE): 0.181 us Jitter (FE): 0.181 us
FrameLoss (NE): 0.0000000 % FrameLoss (FE): 0.0000000 %
Sent Pkts (NE): 60 Sent Pkts (FE): 60
Rcvd Pkts (NE): 60 Rcvd Pkts (FE): 60

RFC 2544 SAA Throughput Test

Overview
Service Assurance Application (SAA) throughput tests use RFC 2544 methodologies to measure
and evaluate the performance of a device connection or network elements under specific load
scenarios. These tests determine the maximum bandwidth in which the device receives and
forwards packets with frame loss lower than a specified threshold.
By default, the RFC2544 test is non-intrusive, meaning that it runs while the service is operational,
and do not interfere with the user-traffic flowing within the service. Services are traffic streams with
specific attributes identified by different classifiers, such as 802.1q VLAN, 802.1ad and class of
service (CoS) profiles. For diagnoses and root-cause analysis of customer-impacting problems in a
live network, non-intrusive testing is the most common and efficient means.
The RFC2544 can behave also as intrusive (see Example 1), meaning that the test itself interferes
with what is being tested. Normal service frames are not being forwarded and thus this type of
testing is intended to happen before the service is activated or during a maintenance window.
Two types of SAA Throughput tests are supported:
Unidirectional type
Bi-directional type
SAA Unidirectional Throughput Test

The SAA unidirectional throughput test provides measurements of different rates (duration,
maximum rate of test packets, maximum timeout, and list of data sizes) for egress traffic (see the
following figure). This test measures the frame loss ratio between the test packets sent by the test-
head and the ones received by the test-tail. The results are compared with a predefined threshold.
Figure 18: Unidirectional Test
To perform the SAA Unidirectional Throughput test, define the following parameters:
Test-head (source) and test-tail (target) within an existing domain
PDU sizes for the selected test: the test calculates performance for each PDU size (64, 128,
256, 512, 1024, 1280, 1518, 2000, 9000 bytes), and displays the results per PDU size.

Maximum traffic rate and the ratio between constant and burst traffic: the test sends two
traffic streams from the test-head simultaneously:
Stream 1: The constant traffic rate (simulating the Committed Information Rate (CIR)).
The stream uses 90% of the maximum traffic rate by default.
Stream 2: The burst traffic rate (simulating the Committed Burst Size [CBS]). The stream
uses the remaining ten percent of the maximum traffic rate by default.
Burst size (in kbps) for Stream 2, the CBS size
Test duration per selected PDU size
When performing a Unidirectional Throughput test:
The test-tail calculates the packet count for each test sequence and sends the results to the test-
head. The test-head reduces the test rate or continues to the next PDU size.
To ensure notification delivery, the test-tail keeps sending results until the test-head sends a
reply to the test-tail or until it reaches the configured timeout.
The test ends if the test-head does not receive the message.
SAA Bi-Directional Throughput Test

The SAA Bi-Directional Throughput test is based on the end-to-end unicast loopback test (see the
following figure). This test measures the frame loss ratio between test packets sent by the test-head
and ones received by the test-loopback. The results are compared with a predefined threshold.
Figure 19: End-to-End Unicast Loopback Test
The bi-directional throughput test generates test frames using 802.1ag LBM/LBR format.
To perform the SAA Bi-Directional throughput test, define the following parameters:
Test-head (source) and test loopback (target) within an existing domain
PDU sizes for the selected test. The test calculates performance for each PDU size (64, 128,
256, 512, 1024, 1280, 1518, 1530, 2000, 9000 bytes), and displays test results per PDU size.
Committed Information Rate (CIR), expressed in Mbps
The test duration per selected PDU size
Select one of the following loopback types:
MAC-Swap: Swaps the MAC source and destination addresses of the packet before
looping the packet back. The OpCode field remains the same.

OAM: Swaps the MAC source and destination addresses of the packet before looping the
packet back. The OpCode field is changed from LoopBack Message (LBM) to LoopBack
Reply (LBR).
When performing a Bi-Directional Throughput test:
The test transmits PDUs at the defined CIR rate for the test duration to determine whether
the frame loss differs from the threshold.
After completing packet transmission, the test is suspended for a length of time equal to the
maximum latency at which all packets arrive.
Transmitted PDU has an ID (sequence number) and timestamp used for statistics calculation.
If frame loss is higher than the maximum frame loss percentage, the test-head repeats the test
at a lower rate until frame loss is within the configured SLA range.
SAA Throughput Configuration Flow
Figure 20: SAA Throughput Configuration Flow
SAA Throughput Configuration Commands

This section defines the command hierarchy for the SAA Throughput test and provides a list of

Command Hierarchy
device-name#
+ config terminal
+ [no] saa
- type rfc2544
+ [no] rfc2544
[no] frameloss <value>
- type rfc2544
- [no] shutdown
+ [no] rfc2544
- mode bi-test-head
- mode bi-test-loopback
- mode uni-test-head
- mode uni-test-tail
- [no] burst-percentage <value>
- [no] c-vlan <cvlan-id>
- [no] c-vlan-drop-eligible
- [no] c-vlan-priority <value>
- [no] cir <value>
- [no] cbs <value>
- [no] data-size <value>
- [no] custom-data-size <value>
- [no] duration <value>
- [no] loopback-type {mac-swap | oam}
- ma MA-NAME
- mep <value>
- mode {bi-test-head | bi-test-loopback | uni-test-
head | uni-test-tail}
- [no] pattern {none | null | null-crc | prbs |
prbs-crc}
- [no] result-ack-timeout <value>
- [no] s-vlan-drop-eligible
- [no] s-vlan-priority <value>


Table 12: SAA Throughput Commands
Command Description

no saa Removes SAA configuration details such as
profiles and tests
Creates a monitoring SAA profile (up to 64

characters
NOTE
type rfc2544
Selects the RFC2544 test.

The RFC2544 test measures throughput,
delay and variation across Ethernet networks.
rfc2544 Enters SAA RFC2544 Profile Configuration
mode
no rfc2544 Exits SAA RFC2544 Profile Configuration
mode
frameloss <value> Supported only for unidirectional and bi-
directional test-heads.
Specifies the allowed frame loss ratio
threshold in hundredths of the percent:
100000>
0
no frameloss Restores to default

mode:
name

Command Description
type rfc2544
Selects the RFC2544 test.

The RFC2544 test measures throughput,
delay and variation across Ethernet networks.
Applies a profile to the specified RFC2544

test:
letters
rfc2544 Enters SAA RFC2544 Test Configuration
mode
no rfc2544 Exits SAA RFC2544 Test Configuration mode

uni-test-tail} Specifies the type of the SAA RFC2544 test:
throughput test
directional test
throughput test
unidirectional throughput test
burst-persentage <value> Supported only for the unidirectional test-
head.
Specifies the amount of bursty traffic:
value: in the range of <0-100>,
in percent
10%
no burst-persentage Restores to default
c-vlan <cvlan-id> Specifies the C-VLAN ID in the generated test

packets:
c-vlan-id: in the range of <1-
4094>
no c-vlan Removes the configured C-VLAN ID
c-vlan-drop-eligible Supported only for unidirectional and bi-

Specifies the eligibility of the packets to be
encountered.
no c-vlan-drop-eligible Restores to default

Command Description
c-vlan-priority <value> Supported only for unidirectional and bi-

Specifies the C-VLAN priority of the packets:
6
no c-vlan-priority Restores to default
cbs <value> Supported only for the unidirectional test-

head.
Specifies the Committed Burst Size (CBS):
KB
1 MB
cir <value> Supported only for unidirectional and bi-

Specifies the maximum Committed
Information Rate (CIR) of the test packets:
500000 kbps
data-size <value>
Supported only for unidirectional and bi-

Selects a pre-defined PDU size for which the
test is executed:
value: 64, 128, 256, 512, 1024,
1280, 1518, 1522, 1526, 1530,
1534, 2000, and 9000 bytes.
Use the below format to specify
more than one value:
Example:
data-size [ 64 128 1530]
no data-size <value> Removes some of the selected values.
custom-data-size <value> Specifies the size of the data packets:

no custom-data-size <value> Removes some of the configured values.
domain DOMAIN-NAME
Selects a Maintenance Domain (MD) for the

test to operate on:
letters

Command Description
duration <value> Supported only for unidirectional and bi-

Specifies the test duration:
seconds
5 seconds
no duration Restores to default
loopback-type {mac-swap | oam} Supported only for bi-directional test-

heads.
Specifies the type of the loopback testing:
mac-swap: swaps MAC source and
The OpCode field remains the
same.
oam: swaps MAC source and
The OpCode field is changed from
LoopBack Message (LBM) to
LoopBack Reply (LBR).
The OpCode is a 1-octet field that identifies
the OAM PDU type (see the ITU-T
Recommendation Y.1731).
OAM
no loopback-type Restores to default
ma MA-NAME

the test:
mep <value>
Specifies the MEP ID of the test-head device:

uni-test-tail} Specifies the type of the SAA RFC2544 test:
throughput test
directional test
throughput test
unidirectional throughput test

Command Description
pattern {none | null | null-crc Supported only for unidirectional and bi-
| prbs | prbs-crc} directional test-heads.
Specifies the test packet's pattern type:
none: arbitrary pattern
null: null signal without Cyclic
null-crc: null signal with
Cyclic Redundancy Check (CRC)-32
prbs: Pseudo-Random Byte
Sequence (PRBS) without Cyclic
prbs-crc: Pseudo-Random Byte
Sequence (PRBS)with Cyclic
PRBS
no pattern Restores to default
result-ack-timeout <value> Supported only for unidirectional test-

head.
Specifies the time the test-head waits for an
inform acknowledgment from the test-tail. If no
acknowledgment is received within the
timeout period, the test-head stops the test.
seconds
5 seconds
no result-ack-timeout Restores to default
s-vlan-drop-eligible Supported only for unidirectional and bi-

Specifies the eligibility of the packets to be
encountered.
NOTE
The throughput test priority
must be lower than the CCM
priority.
no s-vlan-drop-eligible Restores to default
s-vlan-priority <value> Supported only for unidirectional and bi-

Specifies the S-VLAN priority of the packets:
6
no s-vlan-priority Restores to default

Command Description
target-mep <value>

target-mac HH:HH:HH:HH:HH:HH

device:
Supported only for unidirectional and bi-

address
timeout <value> Specifies the timeout interval for the test
packet. If a reply is not received within the
timeout period, the packet is assumed to be
lost.
x100 milliseconds
1 seconds

all tests are in a disabled state
NOTE
Before enabling the SAA test, use
the commit command to save the
unapplied SAA test configuration.
After enabling the SAA test, use
again the commit command to
confirm the change.
show saa test [name TEST-NAME owner TEST- Displays the SAA test configuration:
OWNER]
mode is set to test
owner

Command Description
configuration
Note: You cannot change configuration for an enabled test.
Example 1
The following example displays the configuration needed to convert the RFC2544 testing from
non-intrusive (default status) to intrusive. The user needs to configure any MAC ACL and apply it
on port, group of ports, or SAP port.
device-name(config-access-list-400)#rule 1 action deny source-mac any
destination-mac any vlan 300
device-name(config-access-list-400)#rule 2 action permit source-mac any
destination-mac any
The following example shows how to configure the RFC2544 SAA Throughput test on two
devices.
Figure 21: Two Devices in RFC2544 SAA Throughput Test Mode
Configuring the Test-Head Device

1. Configure a profile for RFC2544 SAA test:

device-name(config-profile-1)#type rfc2544
device-name(config-profile-1)#rfc2544
device-name(config-rfc2544)#frameloss 10000
device-name(config-rfc2544)#commit
Commit complete.
device-name(config-rfc2544)#exit
2. Enable the RFC2544 SAA test:

device-name(config-saa)#test 2 2
device-name(config-test-2/2)#type rfc2544
device-name(config-test-2/2)#profile 1
device-name(config-test-2/2)#shutdown
device-name(config-test-2/2)#rfc2544
device-name(config-rfc2544)#mode bi-test-head
device-name(config-rfc2544)#domain d6
device-name(config-rfc2544)#ma ma6
device-name(config-rfc2544)#mep 3208
device-name(config-rfc2544)#target-type mep
device-name(config-rfc2544)#target-mep 7124
device-name(config-rfc2544)#cir 1000000
device-name(config-rfc2544)#data-size 64
device-name (config-rfc2544)#data-size 9000
device-name(onfig-rfc2544)#commit
Commit complete.
device-name(config-test-2/2)#no shutdown
ddevice-name(config-test-2/2)#commit
Commit complete.
device-name(config-test-2/2)#end
3. Display RFC2544 SAA test results:

device-name#show saa test name 2 owner 2
Test name : 2
Test owner : 2
Test type : rfc2544
State : Enabled
Status : Finished
Profile name : 1
Cfm domain : d6
Cfm ma : ma6
Source mep : 3208
Target mep : 7124
CIR : 1000000

Pattern : prbs
Priority : 6
DE flag : 0
Duration : 5 seconds
Timeout : 10 seconds
Datasize : 64, 128, 256, 512, 1024, 1280, 1518, 2000, 9000
Loopback type : oam
----------------------------------------------------------------
| Size | Successful rate | Net Successful rate | Frame-loss |
+--------+-----------------+---------------------+-------------+
| 64 | 1000000Kbps | 761904Kbps | 1.576 % |
| 128 | 1000000Kbps | 864864Kbps | 0.513 % |
| 256 | 1000000Kbps | 927536Kbps | 0.015 % |
| 512 | 1000000Kbps | 962406Kbps | 0.004 % |
| 1024 | 1000000Kbps | 980842Kbps | 0.000 % |
| 1280 | 1000000Kbps | 984615Kbps | 0.473 % |
| 1518 | 1000000Kbps | 986996Kbps | 0.008 % |
| 2000 | 1000000Kbps | 990099Kbps | 0.000 % |
| 9000 | 1000000Kbps | 997782Kbps | 0.000 % |
+--------+-----------------+---------------------+-------------+
----------------------------------------------------------------
| Size | Min Delay | Avg Delay | Max Delay |
+--------+-----------------+-----------------+-----------------+
| 64 | 14.336 us | 47.807 us | 53.760 us |
| 128 | 16.384 us | 66.643 us | 78.336 us |
| 256 | 19.456 us | 95.708 us | 125.440 us |
| 512 | 28.160 us | 133.010 us | 221.184 us |
| 1024 | 44.544 us | 151.638 us | 258.048 us |
| 1280 | 51.712 us | 158.837 us | 264.704 us |
| 1518 | 59.904 us | 167.333 us | 273.408 us |
| 2000 | 74.240 us | 181.933 us | 287.744 us |
| 9000 | 294.400 us | 400.991 us | 506.880 us |
+--------+-----------------+-----------------+-----------------+
The Successful traffic rate is the total number of physically transferred bits per second over the
communication link, including useful data as well as protocol overhead.
The Net Successful rate is the capacity excluding the physical layer protocol overhead; it is
calculated by the following formula:
NetSuccRate = SuccRate*PDUSIZE/(PDUSIZE+160),
where SuccRate is the measured Successful traffic rate, PDUSIZE is the packets size, and the 160
bytes includes 96 interframe gap (IFG) bites, and 64 preamble bytes.
Configuring the Test-Loopback Device

1. Configure a profile for RC2544 SAA test:

device-name(config-profile-1)#type rfc2544
device-name(config-rfc2544)#frameloss 10000
2. Enable the RFC2544 SAA test:

device-name(config-saa)# test 2 2
device-name(config-test-2/2)#type rfc2544
device-name(config-test-2/2)#profile 1
device-name(config-test-2/2)#shutdown
device-name(config-test-2/2)#rfc2544
device-name(config-rfc2544)#mode bi-test-loopback
device-name(config-rfc2544)#domain d6
device-name(config-rfc2544)#ma ma6
device-name(config-rfc2544)#mep 3208
Commit complete.
device-name(config-test-2/2)#no shutdown
device-name(config-test-2/2)#commit
Commit complete.
device-name(config-test-2/2)#end
3. Display RFC2544 SAA test configuration:

device-name#show saa test name 2 owner 2
Test name : 2
Test owner : 2
Test type : rfc2544
Test mode : bi-test-loopback
State : Enabled
Status : Running
Cfm domain : d6
Cfm ma : ma6
Source mep : 3208

Event Propagation
The Event Propagation feature allows you to configure automatic actions executed upon the
occurrence of specific events.
The feature acts upon receiving events from the events provider. It matches the received events
with pre-configured pairs of event-action and then forwards the matched action to the related
action performer.
To configure this feature, you have to define profiles grouping the event-action pairs. Profiles are
applied to various targets, such as SAPs or physical ports.
By enabling event propagation, the device:
detects a remote link failure or a local ports down status
disconnects a link to a peer device
restores the link to the peer device in case the event is reversed
To avoid flapping events, you can configure two timers per profile:
Event timer (hold-off): the interval from the time the event starts before the event propagation
disconnects a link or sends LDP MAC address withdraw message.
Revertive timer (wait-to-restore): the interval from the time the event is reversed before reversing the
Event Propagation action.
This feature is based on TLS and the CFM-OAM functionality. Therefore, it can function only on
devices where these features are enabled.

Event Propagation Configuration Flow
Figure 22: Event Propagation Configuration Flow

Event Propagation Command Hierarchy

device-name#
+ config terminal
+ [no] event-propagation profile <id>
- action {lacp-standby | link-drop | mac-withdraw | none}
- event {ais-lck | con-lost | none | rcvd-tc-bpdu | status-
down}
- [no] perform-mac-flush
- [no] reverse {lacp-active | link-restore | none}
- [no] source {local-mep <id> | local-port {UU/SS/PP | agN} |
rem-mep <id>}
- [no] timer {hold-off <value> | wait-to-restore <value>}
- [no] threshold <value>
+ port {UU/SS/PP | agN}
- [no] event-propagation-profile <id>
+ service
| all | untagged}
- show event-propagation [profile <id> | session]
Table 13: Event Propagation Commands

Command Description
event propagation profile <id>
Specifies an event propagation profile and

enters Event Propagation Profile Configuration
mode:
id: a string of up to 32
letters
no event propagation profile [<id>] Removes the configured profiles:
id: (optional) removes a specific
event-propagation profile
action {lacp-standby | link-drop |
mac-withdraw | none}
Specifies an action, the event-propagation
profile performs upon the configured event:
lacp-standby: LACP operates in
Standby/passive negotiation mode
link-drop: drops the link
mac-withdraw: sends LDP MAC
address withdraw message
none: no action is performed

Command Description
NOTE
When action lacp-standby is
specified, configuration of VRRP
and event propagation must be
committed in a single transaction.
event {ais-lck | con-lost | none |
rcvd-tc-bpdu | status-down}
Specifies the expected event type:
ais-lck: the AIS (Alarm
Indication Signal) bit is
received
con-lost: the connectivity is
lost
none: no expected event
rcvd-tc-bpdu: xSTP-topology-
change BPDU is received
status-down: the port is in down
state
perform-mac-flush Enables MAC addresses, dynamically-learned
on port/s, to be flushed when the port receives
specific event
Disabled
no perform-mac-flush Restores to default
reverse {lacp-active | link-restore Specifies the reverse action to be performed
| none} when the configured event stops processing:
lacp-active: LACP operates in
Active negotiation mode
link-restore: restores the link
none: no action is performed
None
no reverse [link-restore | none] Removes the configured action
source {local-mep <id> | local-port Specifies the source from which the event-
{UU/SS/PP | agN} | rem-mep <id>} propagation profile receives the configured
event:
local-mep <id>: receives events
from a local MEP with ID, in the
range of <18191>
local-port UU/SS/PP or agN:
receives events from a local port
or a group of ports
rem-mep <id>: receives events
from a remote MEP with ID, in the
range of<18191>
UU/SS/PP: 1/1/1-1/1/4, 1/2/1-
1/2/8
<1-14>

Command Description
no source [local-mep | local-port | Removes the configured event source:

rem-mep]
local-mep: receives events from a
local MEP
local-port: receives events from
a local port
rem-mep: receives events from a
remote MEP
timer {hold-off <value> | wait-to- Specifies profile timers:
restore <value>}
hold-off <value>: defines the
hold off timeout, in the range of
<0600000> milliseconds, in 100-
millisecond increments. The timer
postpones the switchover for a
specified time. If the transport
path does not recuperate by the
end of this time period, the link
is dropped or LDP MAC address
withdraw message is sent.
0 milliseconds
wait-to-restore <value>: defines
the wait-to-restore timeout, in
the range of <0-600> seconds. If
the revertive mode is disabled,
this timer is also disabled.
0 seconds
no timer {hold-off | wait-to- Restores to defaults
restore}
threshold <value> Supported only for source port.

Specifies a threshold for a given source port.
Once the threshold is reached, the event action
is triggered.
1
no threshold Restores to default
port {UU/SS/PP | agN} Enters Configuration Mode for a specific port:

UU/SS/PP: 1/1/1-1/1/4, 1/2/1-
1/2/8
<1-14>
event-propagation-profile
<id>
Applies the selected event-propagation profile
on a port:
id: id: a string of up to 32
letters
no event-propagation- Removes the event-propagation profile from the
profile port

Command Description

Configuration mode:
4294967295>
Configuration mode:
of 1/1/1-1/1/4, 1/2/1-1/2/8
<1-14>
Configuration mode
4094>
traffic only
no tls [<service-id>] sap Removes the created TLS service:
[<cvlan-id> | all | untagged] service-id: (optional) in the
range of <14294967295>
Configuration mode:
UU/SS/PP: (optional) SAP port in
the range of 1/1/1-1/1/4, 1/2/1-
1/2/8
<1-14>
c-vlan: (optional) specifies a
of <1-4094>
traffic
event-propagation-profile <id>
Applies the selected event-propagation profile

on a SAP port:
letters
no event-propagation-profile Removes the event-propagation profile from the
SAP port

Command Description
show event-propagation [profile <id> | Displays event-propagation information:

session]
profile <id>: displays the
configured parameters for the
specified profile with ID in the
range of <1-32>
session: displays the source each
profile is allocated to and its
parameters
The following example shows how to configure event propagation on two devices (Device 1 and
Device 4).
Provider side is in domain 5 level 5 VLAN 10.
Customer side is in domain 6 level 6 VLAN 10.
In case of problem on level 5, you will receive ais-lck event on level 6. So if you receive such issue
an automatic action can be triggered in Device1 or Device2 based on above mentioned event.
Figure 23: Example for Configuring Event Propagation
Configure Device 1:
Configure CFM:
Commit complete.

device-name(config-ma-ma6)#ais-lck-receive
device-name(config-ma-ma6)#ais-lck-transmit
device-name(config-ais-lck-transmit)#ais-lck-level 7
device-name(config-ais-lck-transmit)#ais-lck-priority 3
device-name(config-ais-lck-transmit)#ais-lck-vlan 10
device-name(config-ais-lck-transmit)#mep 602
device-name(config-mep-602)#direction up
device-name(config-mep-602)#ccm-priority 5
Configure an event-propagation profile and apply it on a port:

device-name(config)#event-propagation profile 1
device-name(config-profile-1)#source local-mep 602
device-name(config-profile-1)#event ais-lck
device-name(config-profile-1)#action link-drop
device-name(config-profile-1)#reverse link-restore
device-name(config-profile-1)#commit
device-name(config-port-1/1/4)#event-propagation-profile 1
Configure Device 2:
Configure CFM:
Commit complete.
device-name(config-ma-ma5)#ais-lck-transmit ais-lck-level 6
device-name(config-ais-lck-transmit)#exit
device-name(config-ma-ma5)#ais-lck-transmit ais-lck-priority 7
device-name(config-ma-ma5)#ais-lck-transmit ais-lck-vlan 10
device-name(config-ma-ma5)#mep 1 bind-to 1/1/2 direction up

Configure Device 3:
Configure CFM:
Commit complete.
device-name(config-ma-ma5)#ais-lck-transmit ais-lck-level 6
device-name(config-ma-ma5)#ais-lck-transmit ais-lck-priority 7
device-name(config-ma-ma5)#ais-lck-transmit ais-lck-vlan 10
device-name(config-ma-ma5)#mep 2 bind-to 1/1/2 direction up
Configure Device 4:
Configure CFM:
Commit complete.

device-name(config-ma-ma6)#ais-lck-transmit
device-name(config-ais-lck-transmit)#ais-lck-level 7
device-name(config-ais-lck-transmit)#ais-lck-priority 3
device-name(config-ais-lck-transmit)#ais-lck-vlan 10
device-name(config-ais-lck-transmit)#mep 601
device-name(config-mep-601)#direction up
Configure an event-propagation profile and apply it on a port:

device-name(config)#event-propagation profile 1
device-name(config-profile-1)#source local-mep 601
device-name(config-profile-1)#event ais-lck
device-name(config-profile-1)#action link-drop
device-name(config-profile-1)#reverse link-restore
device-name(config-profile-1)#commit
device-name(config-port-1/1/4)#event-propagation-profile 1


802.1ag IEEE 802.1ag-2007 Public MIB, RFC 2544,

Connectivity Fault (draft 8.1)Virtual IEEE8021-CFM-MIB Benchmarking
Management (CFM) Bridged Local Area Private MIB, Methodology for
Networks (Amendment PRVT-CFM-MIB.mib Network Interconnect
5: Connectivity Fault Devices
These MIBs are used
Management).
for the Connectivity
Connectivity Fault Fault Management
ManagementAn (CFM) module for
Update on Bridging managing IEEE
Technologies (IEEE 802.1ag.
Tutorial, July 18, 2005).
Intermediate IEEE Std 802.3ah-2004 Public MIB: DOT3- Not supported

802.3ah EFM-OAM OAM-MIB.mib
Private MIB: PRVT-
SWITCH-EFM-OAM-
MIB.mib
ITU-T G.8032v2 ITU-T G.8032 standard Private MIB: PRVT- Not supported
Ring Automatic RAPS-MIB.mib
Protection
Switching (R-APS)
ITU-T Y.1564 Next- ITU-T Y.1564 standard Not supported Not supported
Generation Carrier-
Ethernet Testing
SAA tests SOAM (Service OAM) Public MIB, RFC 2544
based on the IEEE ping.mib RFC 2925 allows
802.1ag-2007 (draft Private MIB, functionality for
8.1) PRVT-SAA-MIB.mib creating of ping and
ITU-T traceroute tests that
Recommendation can be carried out
Y.1731 periodically on the
remote host.
Event Propagation IEEE 802.1ag-2007 Not supported Not supported
(Connectivity Fault
Management)
Two-Way Active Not supported Not supported RFC 5357
Measurement RFC 4656
Protocol (TWAMP)

Synchronous Ethernet (SyncE)
Table of Contents
Table of Figures 1
List of Tables 2
Synchronization in SDH/SONET and Ethernet Networks 3

Quality Levels in Synchronization 3
Physical Structure of Network Synchronization 5
Clock Synchronization in Traditional Ethernet 6
Clock Synchronization in Synchronous Ethernet 6
Ethernet Synchronization Messaging Channel (ESMC) Protocol 7
How Synchronization Works on the Individual Device Level 9
Synchronization 10
DPLL10
Clock Sources 10
Selecting a Clock Reference10
Output Clocks 11
SyncE Commands 11
Table of Figures
Figure 1: SDH/SONET Network Synchronization Hierarchy ....................................................... 3
Figure 2: Clock Transmission over Traditional Ethernet ................................................................. 6
Figure 3: Clock Transmission over Synchronized Ethernet ............................................................ 7
Figure 4: Schematic Presentation of the System Synchronization Concept ................................ 10
Synchronous Ethernet (SyncE) (Rev. 01) Page 1

T-Marc 3312SC User Guide
List of Tables
Table 1: Hierarchy of Quality Levels in Option I Synchronization Networks ............................. 5
Table 2: Hierarchy of Quality Levels in Option II Synchronization Networks ............................ 5
Table 3: ESMC PDU Format ............................................................................................................... 8
Table 4: General Structure of the TLV Field ..................................................................................... 9
Table 5: Structure and Content of TLV Field Containing an SSM ................................................. 9
Table 6: SyncE Commands ................................................................................................................. 13
Page 2 Synchronous Ethernet (SyncE) (Rev. 01)

T-Marc3312SC
Synchronization in SDH/SONET and Ethernet

Networks
Synchronous Ethernet (SyncE) refers to a set of technologies and protocols for Ethernet networks
used to transport services that rely on precise frequency synchronization such as Mobile
Backhauling. Using SyncE, the device transmits a precise timing signal to synchronize the reference
frequency at network endpoints (such as Mobile Base Stations) without the necessity of dedicated
TDM lines.
SyncE uses the physical interface to pass timing signals from node to node in the same way that
timing passes in SONET/SDH or T1/E1 networks. SyncE-based networks deliver cost effective,
time-critical services as reliably as SONET-/SDH- and T1-/E1-based networks.
Quality Levels in Synchronization

Synchronous Ethernet (SyncE), based on the principles of Synchronous Digital Hierarchy (SDH)
and Synchronous Optical Network (SONET), depends on clock hierarchy or quality levels (QL).
SyncE utilizes a timing-source signal either provided by special synchronization equipment, with a
cesium clock, or received from a cesium clock-controlled system such as Global Positioning
Systems (GPSs). GPS emits a high quality, stable signal used to create the first synchronization
input in the clock hierarchy, an output clock known as the Primary Reference Clock (PRC).
The PRC passes to devices that can maintain secondary synchronization, filter the clock, and
provide holdover capability Synchronization Supply Units (SSUs) and Building Integrated
Timing Supplies (BITS). Holdover capability ensures continued generation of an accurate clock, of
satisfactory quality, in the event of PRC failure and subsequent synchronization loss for a period of
at least twenty-four hours.
Each SDH network element contains an SDH Equipment Clock (SEC) with a holdover capability
of 15 seconds after source clock failure. The lowest quality level used in synchronization is the SDH
Equipment Clock (SEC) or SONET Minimum Clock (SMC) called EEC in Synchronous
Ethernet networks.
The following figure illustrates the QL clock hierarchy with the most accurate clock at the top:
Figure 1: SDH/SONET Network Synchronization Hierarchy
While PRC/PRS and SSU/BITS are usually implemented as standalone products with timing
functionality only (no data transmission), SEC/SMC/EEC are almost exclusively embedded in
networking products.

ITU-T Recommendation G.781 specifies the following clock source quality levels corresponding to
4 base levels of synchronization quality for SDH networks or Synchronous Ethernet networks that
connect to or replace SDH (option I):
QL-PRC: A synchronization trail transporting timing quality generated by a Primary
Reference Clock as defined in Recommendation G.811
QL-SSU-A: A synchronization trail transporting timing quality generated by a transit slave
clock as defined in Recommendation G.812, Types I and V
QL-SSU-B: A synchronization trail transporting a timing quality generated by a local slave
clock as defined in Recommendation G.812, Type VI
QL-SEC: A synchronization trail transporting a timing quality generated by an SDH
Equipment Clock (SEC) as defined in Recommendation G.813, Option I, or Ethernet
Equipment Clock (EEC) as defined in Recommendation G.8262, Option I.
QL-DNU: While not used for synchronization, this signal is used when clock quality of the
source is either unknown, too low, or when use of the source risks formation of a
synchronization loop.
QL-INVx, -FAILED, -UNC, -NSUPP: Internal QLs inside the network equipment that are
never generated at an output port.
The following clock-source quality-levels are defined in the synchronization selection process of an
option II network corresponding to second generation quality levels.
QL-PRS: PRS-traceable ([ITU-T G.811])
QL-STU: synchronizedtraceability unknown
QL-ST2: traceable to stratum 2 ([ITU-T G.812], type II)
QL-TNC: traceable to transit node clock ([ITU-T G.812], type V)
QL-ST3E: traceable to stratum 3E ([ITU-T G.812], type III)
QL-ST3: traceable to stratum 3 ([ITU-T G.812], type IV)
QL-SMC: traceable to SONET clock self timed ([ITU-T G.813] or [ITU-T G.8262], option
II)
QL-ST4: traceable to stratum 4 freerun (only applicable to 1.5 Mbit/s signals)
QL-PROV: provisionable by the network operator
QL-DUS: not used for synchronization
NOTE
First generation quality levels do not define QL-ST3E and QL-TNC as separate
quality levels and QL-PROV was identified as QL-RES.
Table 1 and Table 2 show the clock source quality levels for SDH networks and for Synchronous
Ethernet networks that connect to or replace SONET, as specified by ITU-T Recommendation
G.781 (as option I and option II networks, respectively).

Table 1: Hierarchy of Quality Levels in Option I Synchronization Networks

Quality Level Relative Quality
QL-PRC highest
QL-SSU-A
QL-SSU-B
QL-SEC
QL-DNU
QL-INVx, -FAILED, -UNC, -NSUPP lowest
Table 2: Hierarchy of Quality Levels in Option II Synchronization Networks

Quality Level Relative Quality
QL-PRS highest
QL-STU
QL-ST2
QL-TNC
QL-ST3
QL-ST3E
QL-SMC
QL-ST4
QL-PROV (default position)
QL-DUS
QL-DNU
QL-INVx, -FAILED, -UNC, -NSUPP lowest
Physical Structure of Network Synchronization

SONET/SDH/SyncE networks are synchronized by phase-locking SECs/EECs to one or more
PRCs (usually serving as backup). The timing signal, which is transmitted from one SEC/EEC to
another, achieves synchronization over the entire network. Some higher order SEC/EECs act as
masters to lower-order SECs/EECs.
Because SEC/EEC signals tend to degrade in quality with each hop, SSUs are placed at certain
nodes in the network topology to stabilize and recover clock quality. SSUs, utilizing a GPS
reference, provide a PRC-quality clock that effectively splits the synchronization network into
several, smaller networks. As a result, synchronization chains are shortened and overall clock quality
along the chain remains as high as possible.
The clock-source selection process may be controlled by external commands. When no overriding
external commands are active, the algorithm selects the reference according to the following
guidelines:
Input with the highest quality level not experiencing a signal fail condition

When multiple inputs have the same high quality level, the device selects the input with the
highest priority
When multiple inputs have the same high priority and quality level, the existing reference is
maintained when that reference belongs to the same group
Otherwise, the reference with the lowest Index in the group is selected.
If no clock source could be selected, the local clock oscillator is selected as reference.
Clock Synchronization in Traditional Ethernet

Transmission of asynchronous data traffic does not require a synchronization signal to pass from
the source to the destination. The requirement to synchronize data packet flow is relatively new.
The older 10 Mbps (10 Base-T) Ethernet is not capable of synchronized signal transmission over
the physical layer interface.
Faster Ethernets (100 Mbps, 1 Gbps, and 10 Gbps), which have the means to synchronize traffic
between two devices, make good use of idle periods through continuous pulse transitions that are
utilized for continuous, high-quality, clock recovery at the receiving end. In an older, 10 Mbps
Ethernet, the pulse signal transmits every 16 milliseconds. Because 16 milliseconds is too infrequent
for clock recovery at the receiving end, utilization of the idle pulse signal impossible.
Figure 2 shows how physical layer synchronization operates on traditional Ethernet: First, the master
and slave are determined through an auto-negotiation process. (The master is randomly assigned
through a seed value, however, the master can also be set manually.) Once the roles are established,
the master generates a transmit clock locally using its own free-running crystal oscillator (that is,
internally generating clock). The slave recovers the master clock from the received data stream and
uses that clock for data transmission. As a result, synchronization occurs during a hop between two
adjacent nodes but does not pass from hop to hop.
Figure 2: Clock Transmission over Traditional Ethernet
Clock Synchronization in Synchronous Ethernet

Synchronization in traditional Ethernet exists only between adjacent devices. Synchronous
Ethernet, however, can transmit the received clock between hops and make possible travel across
remote devices and interconnected networks. A synchronization chain forms when the clock
recovered from the node receiving synchronization feeds all nodes capable of transmitting
synchronization signals. The chain uses a primary reference clock source that mimics the

hierarchical synchronization mode employed by SONET/SDH or T1/E1 networks. A Phase

Locked Loop (PLL) mechanism removes jitter and wander generated by the clock recovery circuit
before the recovered SyncE clock is fed to the transmitting device (see Figure 3).
Figure 3: Clock Transmission over Synchronized Ethernet
For 1000Base-T networks, manually configure ports to alternate the master and slave function
(in the clock path).
On 1000Base-X (fiber) and 10GBASE-X (10 gigabit) networks, where there is no bi-
directional transmission on a single fiber, one fiber is always used for transmission and the
other for reception.
Gigabit or 10-Gigabit Ethernet Physical Layer Devices (PHYs) devices, which are capable of
providing recovered clock on one of their output pins, support SyncE. The recovered clock is
cleaned by the PLL and fed to the 25MHz crystal oscillator input pin on the PHY device. Newer
Ethernet PHY devices provide a dedicated pin for synchronization input. The advantage of this
approach is that frequency input can be higher than 25MHz resulting in lower jitter and avoidance
of potential timing loop problems within the PHY device.
Ethernet Synchronization Messaging Channel

(ESMC) Protocol
The Ethernet Synchronization Messaging Channel (ESMC) protocol communicates the current
reference clock quality over Ethernet networks. ESMC serves as a communication channel for
Synchronization Status Messages (SSMs) and makes possible interworking with existing
SONET/SDH infrastructure by allowing SyncE links to convey SSM quality level as defined in
ITU-T G.707, G.781, Telcordia GR-253-CORE, and ANSI T1.101. ESMC is based on an
Ethernet protocol called Organization Specific Slow Protocol (OSSP) and uses its Protocol Data
Unit (PDU).
The ESMC protocol is event-driven and has two message types:
Event Messages: An event message is sent whenever the clock quality level changes.
Information Messages. An information message is sent every second to signal that the
system is alive and working properly.

Despite the fact that the average message rate is about one message/second, this messaging
arrangement ensures a short reaction time. If an information message (alive signal) is not received
within a five-second period, the clock considers the incoming ESMC protocol as having failed.
The ESMC protocol payload uses Type-Length-Values (TLVs) for content format. The clock
quality level is transmitted in a TLV containing the standard 4-bit, SSM quality level values defined
by ITU- T, ANSI and Telcordia.
The ESMC protocol is a unidirectional transmission channel. The Tx phase provides the necessary
information and clock states; the Rx phase always receives that information and states, but the
device may choose whether to use or ignore the information depending upon configuration.
ESMC contains:
the standard Ethernet header for OSSP
the ITU-T Organization Unique Identifier (OUI)
a specific ITU-T subtype
an ESMC-specific header
a flag field
a Type-Length-Value (TLV) field.
The use of flags and TLVs is aimed at improving SyncE link management and the associated
timing change. Table 3 presents the ESMC PDU format. Note that in the TLV field, padding
bits are added to ensure that the field length is an integer number of bytes and covers the
required minimum of 64 bytes.
Table 3: ESMC PDU Format
Octet Number Field Size Content (HEX)
1-6 Destination Address 6 octets Destination Address

=01-80-C2-00-00-02
(hex)
7-12 Source Address 6 octets Ports MAC address
13-14 Slow Protocol 2 octets Slow Protocol
Ethertype Ethertype = 88-09
(hex)
15 Slow Protocol Subtype 1 octet Slow Protocol Subtype
=0A (hex)
16-18 ITU OUI 3 octets ITU-OUI = 00-19-A7
(hex)
19-20 ITU Subtype 2 octets 01
21 Version 4 bits 01
Event Flag 1 bit 0 for Information PDU
1 for Event PDU
Reserved 3 bits Reserved
22-24 Reserved 3 octets Reserved
25-1532 TLV (data and 36-1490 octets See Table
padding)

Octet Number Field Size Content (HEX)
Last 4 Frame Check 4 octets FCS

Sequence (FCS)
Table 4 and Table 5 show the structure of the TLV field, respectively its general structure and the
structure and content when containing an SSM. The ability to use TLV fields keeps the ESMC
protocol open to accommodating future extensions.
Table 4: General Structure of the TLV Field
Field Size
Type 1 octet
Length 2 octets
Data and padding up to 1387 octets
Table 5: Structure and Content of TLV Field Containing an SSM

Field Size Content (HEX)
Type 1 octet 01
Length 2 octets 04
Unused 4 bits 0
SSM 4 bits SSM code
How Synchronization Works on the Individual

Device Level
A synchronous network uses a Digital Phase Locked Loop (DPLL) mechanism to:
Select and clean-up jitter/wander in the incoming reference clock
Generate a proper output frequency
Implement smooth fail-over between reference clocks
Implement stable holdover when all references fail
System synchronization consists mainly of locking a DPLL onto one of its clock references. There
can be multiple DPLLs in a device and there can be multiple clock sources connected to the
system. Potentially, any clock source can be configured as a clock reference for one or both DPLLs.
Each DPLL generates various internal/external output clocks that may have different frequencies
but are all locked onto a selected reference (see Figure 4).
In the process, the DPLL also cleans up any accumulated jitter/wander. If no acceptable reference
is currently available, the DPLL may go into holdover mode. In holdover mode, the DPLL trying
to preserve the lock on the last available clock reference based on collected history and use of a
clock oscillator (TCXO) available with the device. Before locking onto the first reference after
startup, the DPLL runs in Freerun mode, locked onto the internal TCXO generated clock.

Figure 4: Schematic Presentation of the System Synchronization Concept
Synchronization
DPLL
DPLL 0: Generates all output clocks.
Clock Sources
The clock source is a logical entity corresponding to a physical input clock (Ethernet, etc.). Specifics
and configuration options depend on the input clock type. SyncE Clock Source is supported.
SyncE Clock Source

The SyncE clock source can be received on any port. The clock source is identified by port number
(UU/SS/PP). The SyncE clock source supports both static and dynamic QLs (via ESMC).
Selecting a Clock Reference

The clock reference is a logical association between a DPLL and a clock source. There can be only
one reference per clock source per DPLL while a clock source may be associated with either one or
both of the device DPLLs. The clock reference identifier contains the name of the appropriate
clock source concatenated with the DPLL ID. The QL provided by the clock reference is inherited
from the clock source. Each clock reference can have a static priority configured by the user.
There are three DPLL reference selection modes:
Freerun: Uses internal oscillator as the only clock source
QL-Disabled: Reference selection based on priority only
QL-Enabled: Reference selection based on both priority and QL
There are also some special cases in which the reference is selected in a different manner:

Equal Reference: When the top-rated references have the same QL and priority, the
reference with lowest IfIndex (interface index) is selected.
Reference Lock-out: Reference cannot be selected temporarily.
Manual Switch: Used only to override the configured priority.
Forced Switch: Applied to any Reference that is enabled and not locked-out.
Output Clocks
SyncE Output clock is supported.
SyncE Output Clock

The SyncE output clock is always generated by DPLL 0, can be transmitted through any Ethernet
port (1GE or 10GE), and supports ESMC generation.
SyncE Commands
This section describes the command hierarchy for SyncE, lists available commands, and provides a
configuration example.

Command Hierarchy
device-name#
- system sync-timing clear-timer clock-source-name UU/SS/PP timer-type
{hold-off | wait-to-restore}
- system sync-timing reset module-id <id> reference-clock-name UU/SS/PP
- system sync-timing switch {module-id <id> | reference-clock-name
UU/SS/PP | mode {forced | clear | manual}}
+ config terminal
- system
+ [no] sync-timing
- [no] ql-prov-position {before | after} {ql-dnu | ql-dus
| ql-inv | ql-prc | ql-prov | ql-prs | ql-sec | ql-
smc | ql-ssu-a | ql-ssu-b | ql-st2 | ql-st3 | ql-st3e
| ql-stu | ql-tnc}
+ [no] clock-output UU/SS/PP
- [no] esmc
+ [no] clock-source UU/SS/PP
- [no] esmc
- [no] quality {ql-dnu | ql-dus | ql-inv | ql-prc |
ql-prov | ql-prs | ql-sec | ql-smc | ql-ssu-a |
ql-ssu-b | ql-st2 | ql-st3 | ql-st3e | ql-stu |
ql-tnc}
- [no] quality-change-notify
- [no] shutdown
- [no] debug {{assert | drv | management | selection}
{true | false}| packet {event {recv | send} |
informational {recv | send}}}
+ [no] dpll <module-id>
- [no] reference-change-notify
+ [no] reference-clock UU/SS/PP
- [no] lock-out
- [no] reference-selection {freerun | q781}
- quality-level {enable | disable}
- [no] status-change-notify
- [no] shutdown
- [no] g781-option {I | II}
- [no] hold-off <value>
- [no] wait-to-restore <value>
- show system sync-timing [displaylevel <value>]
- show system sync-timing clock-source [displaylevel <value>]

- show system sync-timing clock-source UU/SS/PP

- show system sync-timing clo ck-source system-info
- show system sync-timing clock-output [displaylevel <value>]
- show system sync-timing clock-output UU/SS/PP
- show system sy nc-timing clock-output system-info
- show system sync-timing dpll reference-clock UU/SS/PP
- show system sync-timing dpll reference-clock clock-reference-system-
info [status-fail | displaylevel <value>]
- show system sync-timing dpll reference-clock [displaylevel <value>]
- show system sync-timing dpll <module-id>
- show system sync-timing dpll system-info
- show system sync-timing dpll [displaylevel <value>]
Table 6: SyncE Commands
Command Description

system sync-timing clear-timer clock- For the selected clock source on the specified
source-name UU/SS/PP timer-type {hold- port, clears the hold-off timer or the wait-to-
off | wait-to-restore}
restore timer:
UU/SS/PP: 1/2/1-1/2/8
hold-off: hold-off timer
wait-to-restore: wait-to-restore
timer
system sync-timing reset module-id <id> For the selected DPLL, resets the enabled
reference-clock-name UU/SS/PP reference clock for the port:
module-id <id>: the valid value
is 0
UU/SS/PP: 1/2/1-1/2/8
system sync-timing switch {module-id <id> For the selected DPLL, manually reconfigures
| reference-clock-name {UU/SS/PP | the reference clock for the port:
mode {forced | clear | manual}}
mode: specifies the mode in which
the reference clock operates
forced: overrides the currently
selected reference clock
manual: selects the reference
clock
clear: clears the forced and
manual operations
module-id <id>: the valid value
is 0
UU/SS/PP: 1/2/1-1/2/8

Command Description
sync-timing Enters SyncE Configuration mode

no sync-timing Removes SyncE configuration
ql-prov-position {before | after} Specifies the position of the quality of the clock
{ql-dnu | ql-dus | ql-inv | source:
ql-prc | ql-prov | ql-prs |
ql-sec | ql-smc | ql-ssu-a | before: before the selected
ql-ssu-b | ql-st2 | ql-st3 | quality level
ql-st3e | ql-stu | ql-tnc}
after: after the selected quality
level
ql-dnu, ql-dus, ql-inv, ql-prc,
ql-prov, ql-prs, ql-sec, ql-smc,
ql-ssu-a, ql-ssu-b, ql-st2, ql-
st3, ql-st3e, ql-stu, ql-tnc: see
Table 2
ql-prov
no ql-prov-position [before | Restores to default
after] [ql-dnu | ql-dus | ql-
inv | ql-prc | ql-prov | ql-
prs | ql-sec | ql-smc | ql-
ssu-a | ql-ssu-b | ql-st2 |
ql-st3 | ql-st3e | ql-stu |
ql-tnc]
clock-output UU/SS/PP Enables clock output through the configured

port and enters SyncE clock output
configuration node for the interface:
UU/SS/PP: 1/2/1-1/2/8
no clock-output [UU/SS/PP] Disables clock output:
UU/SS/PP: 1/2/1-1/2/8
esmc Enables the ESMC protocol for clock output on
the configured port. (Ethernet ports only.) When
the ESMC protocol is enabled, Synchronization
Status Messages can be transmitted through
the port.
no esmc Disables the ESMC protocol for clock output on
the ESMC protocol is disabled, no SSMs can be
transmitted through the port.
clock-source UU/SS/PP Enables clock source on the specified port:
UU/SS/PP: 1/2/1-1/2/8
no clock-source [UU/SS/PP] Disables clock source:
esmc Enables the ESMC protocol for clock input on
the ESMC protocol is enabled, SSMs can be
received on the port.
no esmc Disables the ESMC protocol for clock input on
the configured port. (Ethernet ports only.) All
SSMs received on the port will be dropped.
quality {ql-dnu | ql-dus | ql- Specifies a particular quality for the selected
inv | ql-prc | ql-prov | clock source if ESMC is disabled. The variables
ql-prs | ql-sec | ql-smc |

Command Description
ql-ssu-a | ql-ssu-b | ql- below are listed in the order of preference in
st2 | ql-st3 | ql-st3e |
ql-stu | ql-tnc}
which they are used by the system (not counting
dnu):
ql-dnu: the signal should not be
used for synchronization. This
parameter is specific for Option
I.
ql-dus: the signal should not be
used for synchronization. This
II.
ql-inv: internal quality level.
This quality level cannot be set
on clock-source. It indicates
that an invalid ESMC message is
received on the clock-source.
ql-prc: the signal is traceable
to a primary reference clock.
This parameter is specific for
Option I.
ql-prov: provided at the
discretion of the network
operator and may take different
order positions. This parameter
is specific for Option II.
ql-prs: the signal is traceable
to a primary reference source.
This parameter is specific for
Option II.
ql-sec: the signal is traceable
to the SDH equipment clock. This
I.
ql-smc: the signal is traceable
to the SONET minimum clock
ql-ssu-a: THIS synchronization
trail transports a timing quality
generated by Types I or V slave
clock. This parameter is specific
for Option I.
ql-ssu-b: this synchronization
trail transports a timing quality
generated by a Type VI slave
clock. This parameter is specific
for Option I.
ql-st2: the signal is traceable
to the stratum 2 level. This
II.
ql-st3: the signal is traceable
to the stratum 3 level. This
II.
ql-st3e: the signal is traceable

Command Description
to the stratum 3E level. This
II.
ql-stu: the signal is traceable
to unknown stratum level. This
II.
ql-tnc: the signal is traceable
to transit node clock. This
II.
dus
no quality Restores to default
quality-change-notify Enables notification whenever clock quality
changes on the specified port
no quality-change-notify Disables notification whenever clock quality
changes on the specified port
shutdown Enables the clock source
no shutdown Disables the clock source
debug {{assert | drv | management Enables displaying of additional log messages
| selection} {true | false}| related to:
packet {event {recv | send} |
informational {recv | send}}} assert: critical events related
to memory space, hardware
problems with chips
drv: interactions with drivers
management: interactions with the
management interface
selection: clock-selection
mechanism
packet event, informational
(recv, send): sent/received
packets
no debug {{assert | drv | Disables displaying of additional log messages
management | selection} {true
| false}| packet {event {recv
| send} | informational {recv
| send}}}
dpll <module-id> Enters SyncE feature configuration mode for the

selected DPLL module:
module-id: the valid value is 0
no dpll <module-id> Switches the configured DPLL module to
Freerun mode:
module-id: the valid value is 0
reference-change-notify Enables notification whenever the selected
clock reference changes
no reference-change-notify Disables notification whenever the selected
clock reference changes
reference-clock UU/SS/PP Enables reference clock on the specified port

Command Description
and enters clock-reference configuration mode
for that port:
UU/SS/PP: 1/2/1-1/2/8
no reference-clock [UU/SS/PP] Disables reference clock:
priority <value> Specifies the priority of the configured DPLL
module for reference clock selection:
0
no priority [<value>] Restores to default
lock-out Locks the configured DPPL module. Once the

locking is committed, no further configuring of
the module is possible until the module is
explicitly unlocked.
no lock-out Unlocks the configured DPPL module (if it has
been previously locked). Once the unlocking is
committed, configuring of the module is allowed
again.
reference-selection {freerun | Specifies the operational mode of the DPLL
q781} module:
freerun: configures the DPLL
module to operate in freerun
mode.
q781: configures automatic clock
source selection through the ESMC
protocol
freerun
no reference-selection Restores to default
quality-level {enable | Specifies if quality level should be used when
disable} selecting the reference clock:
enable: enables using quality
level
disable: disables using quality
level
status-change-notify Enables notification whenever the DPLL status
changes
no status-change-notify Disables notification whenever the DPLL status
changes
shutdown Enables the DPLL
no shutdown Disable the DPLL
g781-option {I | II} Specifies the g781 option:
I: Configures g781 option 1
II: Configures g781 option 2
I
no g781-option Restores to default

Command Description
hold-off <value> Specifies the hold-off timer (in milliseconds):

1800>
500
no hold-off Restores to default
wait-to-restore <value> Specifies the wait-to-restore timer (in minutes):

4
no wait-to-restore Restores to default
show system sync-timing [displaylevel Displays current configuration for the SyncE
<value>] feature:
displaylevel <value>: (optional)
displays current SyncE
configuration up to a specified
level, in the range of <1-64>
show system sync-timing clock-source Displays current clock-source configuration:
[displaylevel <value>]
displays current clock-source
show system sync-timing clock-source Displays current clock-source configuration
UU/SS/PP filtered by the command arguments
show system sync-timing clock-source Displays current clock-source configuration in a
system-info table format
show system sync-timing clock-output Displays current clock-output configuration:
[displaylevel <value>]
displays current clock-output
show system sync-timing clock-output Displays current clock-output configuration
UU/SS/PP filtered by the command arguments
show system sync-timing clock-output Displays current clock-output configuration in a
system-info table format
show system sync-timing dpll reference- Displays currently configured clock-reference
clock UU/SS/PP filtered by the command arguments
show system sync-timing dpll reference- Displays current clock-reference configuration in
clock clock-reference-system-info a table format
[status-fail | displaylevel <value>]
show system sync-timing dpll reference- Displays current clock-reference configuration:

clock [displaylevel <value>]
displays current clock-reference
show system sync-timing dpll <module-id> Displays currently configured DPLLs filtered by
the command arguments
show system sync-timing dpll system-info Displays current DPLLs configuration in a table
format

Command Description
show system sync-timing dpll [displaylevel Displays current DPLLs configuration:

<value>]
displays current clock-source
DPLLs configuration up to a
specified level, in the range of
<1-64>

In the following example, clock sources, Ethernet ports using ESMC for dynamic Quality Level, are
configured and assigned to DPLL 0.
Output clocks are generated by the DPLL 0.
1. Enter SyncE Configuration mode:
device-name(config)#system sync-timing
2. Enable clock source and ESMC protocol for clock input on port 1/1/2:
device-name(config-sync-timing)#clock-source 1/1/2
device-name(config-clock-source-1/1/2)#esmc
device-name(config-clock-source-1/1/2)#commit
Commit complete.
device-name(config-clock-source-1/1/2)#no shutdown
Commit complete.
3. Enable clock source and ESMC protocol for clock input on port 1/1/3:
device-name(config-clock-source-1/1/2)#clock-source 1/1/3
Commit complete.
Commit complete.
4. Enable clock source and ESMC protocol for clock input on port 1/1/4. Send notifications
whenever clock quality changes:
device-name(config-clock-source-1/1/3)#clock-source 1/1/4
Commit complete.
device-name(config-clock-source-1/1/4)#quality-change-notify
Commit complete.
5. Configure the DPLL 0 module:

device-name(config-sync-timing)#dpll 0
device-name(config-dpll-0)#reference-clock 1/1/2
device-name(config-reference-clock-1/1/2)#reference-clock 1/1/3
device-name(config-reference-clock-1/1/3)#reference-clock 1/1/4
device-name(config-dpll-0)#commit
Commit complete.
device-name(config-dpll-0)#reference-selection g781
Commit complete.
device-name(config-dpll-0)#no shutdown

device-name(config-dpll-0)#quality-level enable
device-name(config-dpll-0)#status-change-notify
Commit complete.
6. Configure clock output through ports 1/1/2 and 1/1/3:

device-name(config-dpll-0)#exit
device-name(config-sync-timing)#clock-output 1/1/2
device-name(config-clock-output-1/1/2)#esmc
device-name(config-clock-output-1/1/2)#clock-output 1/1/3
device-name(config-clock-output-1/1/3)#esmc
device-name(config-sync-timing)#commit
Commit complete.
7. (Optional) Display the configuration to verify settings:

device-name(config-sync-timing)#show full
sync-timing
clock-source 1/1/3
no shutdown
esmc
!
clock-source 1/1/4
no shutdown
esmc
quality-change-notify
!
clock-source 1/1/2
no shutdown
esmc
!
clock-output 1/1/3
esmc
!
clock-output 1/1/2
esmc
!
dpll 0
no shutdown
reference-selection g781
quality-level enable
status-change-notify
reference-clock 1/1/3
!
!
!
!
!
!


SyncE The following ITU-T standards No private MIBs are No RFCs are
are supported: supported by this supported by this
G.8261 feature. feature
G.8262
G.8264
G.781

Routing Information and Protocols
Table of Contents
Table of Figures 2
List of Tables 2
IPv6 Addressing 4
IPv6 Address Structure 4
IPv6 Configuration Commands 4
IP Unicast Routing 9
Populating the Routing Table (FIB) 9
Special IP Interfaces 10
Route-Maps 10
Prefix-List 11
The IP Unicast Routing Default Configuration 11
IP Configuration Commands 12
Open Shortest Path First (OSPF) 17

Area types 17
Link State Advertisement 19
OSPF Neighbors 19
OSPF Network Types 20
Virtual Links 20
OSPF Graceful Restart Helper Mode Functionality per RFC 3623 22
OSPF Configuration Flow 23
OSPF Commands24
Traffic Engineering (TE) 36

TE Commands 36
Intermediate System-to-Intermediate System (IS-IS) 40
Routing Information and Protocols (Rev. 01) Page 1

IS-IS Routers Types 40

Network Types 42
IS-IS Packet Types 42
IS-IS Configuration Flow 44
IS-IS Commands 44
Table of Figures
Figure 1: OSPF Topology ................................................................................................................... 18
Figure 2: Virtual Link Providing Redundancy.................................................................................. 21
Figure 3: OSPF Configuration Flow.................................................................................................. 23
Figure 4: OSPF Configuration Example ........................................................................................... 33
Figure 5: Level 1, Level 2, and Level 1-2 Routers in an IS-IS Network Topology..................... 41
Figure 6: IS-IS Configuration Flow ................................................................................................... 44
List of Tables
Table 1: IPv6 Commands..................................................................................................................... 5
Table 2: IP Unicast Routing Default Configuration........................................................................ 11
Table 3: Default Administrative Distances of the Dynamic Routing Protocols ......................... 11
Table 4: Static Routes Commands ..................................................................................................... 12
Table 5: LSA Type Names and Numbers ......................................................................................... 19
Table 6: OSPF Commands ................................................................................................................. 25
Table 7: TE Commands ...................................................................................................................... 37
Table 8: IS-IS Packet Types ................................................................................................................ 42
Table 9: IS-IS Hello PDU Fields ........................................................................................................ 43
Table 10: IS-IS Commands ................................................................................................................. 46
Page 2 Routing Information and Protocols (Rev. 01)


This chapter focuses on the following routing protocols:
IPv6 Addressing
The basic IPv6 connectivity consists of assigning IPv6 addresses to individual router
interfaces and implementing IPv6 for network management.
IP Unicast Routing
The section provides a technical overview of the principles of unicast routing.
Open Shortest Path First (OSPF)
OSPF protocol is an Interior Gateway (IG) protocol used to distribute routing
information within a single Autonomous System (AS).
Traffic Engineering (TE)
Traffic engineering (TE) brings traffic management capabilities into IP networks, which
still rely on OSPF.
Intermediate System-to-Intermediate System (IS-IS)
ISIS is a link-state IGP similar to OSPF, in which routers exchange routing information
based on a single metric to determine the network topology.

IPv6 Addressing
IPv6 is the latest version of the Internet Protocol (IP). The main idea of IPv6 is to meet the
demand for globally unique IP addresses. While IPv4 addresses are 32 bits long, the IPv6 address
space has been extended to 128 bits. The architecture of IPv6 allows existing IPv4 users to
transition easily to IPv6 while providing services such as end-to-end security, quality of service
(QoS), and globally unique addresses. The flexibility of the IPv6 address space reduces the need for
private addresses and the use of Network Address Translation (NAT); therefore, IPv6 enables new
application protocols that do not require special processing by border routers at the edge of
networks.
IPv6 Address Structure

IPv6 addresses are represented as a series of 16-bit hexadecimal fields separated by colons (:) in the
format: x:x:x:x:x:x:x:x.
The full IPv6 address consists of eight 16-bit fields similar to the following:
2001:0DB8:0000:CD30:0000:0000:0123:4567
To simplify above address, leading zeros can be removed:

2001:DB8:0:CD30:0:0:123:4567
You can compress one or more groups of 0s using a :: symbol.

The basic IPv6 header contains only the following fields: Version, Traffic Class, Flow Label,
Payload Length, Next Header, Hop Limit, Source Address and Destination Address.
The second half of the IPv6 address is the Interface Identifier (refer to RFC 4291 -IP Version 6
Addressing Architecture).
NOTE
Two colons (::) can be used only once in an IPv6 address to represent the
longest successive hexadecimal fields of zeros.
The hexadecimal letters in IPv6 addresses are not case-sensitive.
IPv6 Configuration Commands
Commands Hierarchy
device-name#
+ config terminal
+ router
- [no] ipv6 disable
- [no] ipv6 address <ipv6-address/prefix-length>
- [no] static-ipv6-route <destination-ipv6-address/prefix-
length> <nexthop-ipv6-address> <distance-value>

+ system
- [no] netconf-server
- [no] ipv6 port <value>
- [no] ssh-server
- [no] ipv6 port <value>
+ [no] snmp
- [no] ipv6 general-port <value>
- [no] target-address ADDR-NAME
- [no] ipv6 address <ipv6-address>
- show routes-ipv6 [RouteEntry {Flags {blackhole | changed | deleted |
ibgp | internal | mpls_egress | mpls_ingress | outband | selected |
self_ip | selfroute | stale | static | staticarp | vrrp_ip} | IfName
| Metrics | NextHopFlags | NextHopType | Uptime} | displaylevel]
- show router interface name IPv6NAME
- tracepath6 {<ipv6-address> | HOSTNAME}
- ping6 {ipv6-address | HOSTNAME} [number <number> | length <length>]
Table 1: IPv6 Commands
Command Description

ipv6 disable Disables the IPv6 processing
no ipv6 disable Enables the IPv6 processing
Enabled
interface {outBand0 | loN | swN} Creates an IP interface and enters Configuration
interface
<09>
range of <09999>

no interface {loN | swN} Removes the created IP interface:

<09>
range of <09999>
NOTE
ipv6 address <ipv6- Specifies an IPv6 address for the IP interface:
address/prefix-length>
ipv6-address/prefix-length: the
IPv6 address of the IP interface
and subnet mask (M) in the range
of <131>
no ipv6 address Removes the IPv6 address of the IP interface
static-ipv6-route <destination- Configures a static entry in the IPv6 routing

ipv6-address/prefix-length> table. For static routing, the address of the next-
<nexthop-ipv6-address> hop router should be specified using the global
<distance-value> address of the router (automatically assigned per
interface, not routable)
destination-ipv6-address/prefix-
length: the IPv6 destination
address of the packet
nexthop-ipv6-address: next hop
IPv6 address
distance-value: in the range of
<1-255>
Disabled
Only default routes are supported.
no static-ipv6-route Removes the configured static entry:
[<destination-ipv6-
address/prefix-length> destination-ipv6-address/prefix-
<nexthop-ipv6-address> length: (optional) the IPv6
<distance-value>] destination address of the packet
nexthop-ipv6-address: (optional)
next hop IPv6 address
distance-value: (optional) in the
range of <1-255>
netconf-server Enters NETCONF Configuration mode
no netconf-server Removes NETCONF configuration details
ipv6 port <value> Specifies the port through which the NETCONF
connection is established, in case IPv6 packet
processing is used:
range of <165535>
Port 830
Telnet connection also supports IPv6
addressing.

no ipv6 port Restores to default

ssh-server Enters SSH Configuration mode
no ssh-server Removes the SSH configuration details
ipv6 port <value> Specifies the port through which the SSH
connection is established, in case IPv6 packet
processing is used:
range of <165535>
Port 22
Telnet connection also supports IPv6
addressing.
no ipv6 port Restores to default
snmp Enters SNMP Configuration mode
no snmp Removes the SNMP configuration
ipv6 general-port <value> Configures SNMP to listen on a specified port for

incoming IPv6 connections.
65535>
161
no ipv6 general-port Restores to default
target-address ADDR-NAME Defines the notification target address. The

target device is the device which receives the
generated, by the device, traps.
ADDR-NAME: the name of the
notification target address up to
32 characters
no target-address ADDR-NAME Removes the notification target address.
ipv6 address <ipv6-address> Defines the IP address of the target host. The
IPv6 host can perform SNMP queries and
receive SNMP notifications from a device
running IPv6 software:
ipv6-address: the IPv6 address of
the target
0:0:0:0:0:0:0:0
no ipv6 address Removes the configured address
show routes-ipv6 [RouteEntry {Flags { Displays the current contents of the IPv6 routing
blackhole | changed | deleted | ibgp | table, filtered by any of the commands
internal | mpls_egress | mpls_ingress
| outband | selected | self_ip | arguments
selfroute | stale | static | staticarp
| vrrp_ip} | IfName | Metrics |
NextHopFlags | NextHopType | Uptime} |
displaylevel]
show router interface name swN Displays the status and configuration of the
selected interface:
swN: an IPv6 interface number

tracepath6 {<ipv6-address> | HOSTNAME} Traces the IPv6 data-packet route to the

destination IP address.
The traceroute command has more advanced
options than command tracepath6 which uses
UDP packets for tracing. The tracepath6
command is similar to traceroute, but it doesnt
require root privileges.

the pinged device
HOSTNAME: the name of the pinged

device
ping6 {ipv6-address | HOSTNAME} Pings a IPv6 device:
[number <number> | length <length>]

the pinged device
HOSTNAME: the IPv6 hostname of the

pinged device
number: the number of ICMP echo
packets sent, in the range of
<12147483646>
5
length: the size of the ICMP echo
packet, in the range of
<5665535>
56

IP Unicast Routing
Populating the Routing Table (FIB)
The routing table is a database that stores and updates the locations (addresses) of other network
devices and the most efficient routes to them. It is used to directing routing.
The table is populated from the following sources:
Dynamic routes, typically learned from routing protocol packets (see Dynamic Routes)
Static routes, manually entered by the network administrator (see Static Routes). They include:
Default routes, configured by the network administrator
Local routes, of IP interface addresses assigned to the system
Other static routes, configured by the network administrator
Dynamic Routes
Dynamic routes are typically learned by the routing protocols (OSPF, IS-IS). Routers that use the
routing protocols exchange information in their routing tables by advertising. Using dynamic
routes, the routing table only contains accessible networks. Dynamic routes are deleted from the
table when either of the following occurs:
An update for the network is not received for a period of time that is determined by the
routing protocol (i.e., the dynamic route is aged out of the table)
A neighbor sends a command to delete the dynamic routes advertised by the routing protocol
OSPF (by setting the route aging time to the maximum and flooding the Link-State
Advertisement (LSA) to the advertiser neighbors)

Static Routes
Static routes are manually entered into the routing table. Static routes are important in the following
cases:
When the router cannot build a route to a particular destination automatically
When, for security reasons, you need to make changes to the routing table of the router
When it is necessary to specify a gateway of last resort to which all unroutable packets will be
sent
Static routes are never aged out of the routing table.
A static route must be associated with a valid IP subnet and next hop IP address. When the IP
interface goes down, next hop IP address is not resolved. The static route using the next hop will
become inactive, although it will remain in the routing table.
The device remembers the static routes until they are manually removed. However, the static routes
decisions can be overridden by the dynamic routing information through prudent assignment of
administrative distance values. Each dynamic routing protocol has a default administrative distance,
as indicated in Table 3.
NOTE
If you want to override a static route by information received from a dynamic routing
protocol, simply ensure that the administrative distance of the static route is higher
than that of the dynamic protocol.
Special IP Interfaces
A permanent Layer 3 interface (sw0) is attached to the default VLAN. All available ports in the
system are attached to the default VLAN as untagged. For the device to be able to route between
the VLANs, the Layer 3 interfaces must be configured with an IP address.
The lo1-lo9 Layer 3 interfaces are not directly related to a VLAN. These interfaces can never be in
a down state. The packets sent through them are looped back to the IP stack and are then routed
on a destination-IP-address basis.
The outBand0 Layer 3 IP interface (OutBand interface) is destined for debugging purposes and
cannot be used to pass data.
Route-Maps
A route map provides an advanced filtering mechanism used to control and modify routing
information, and to specify the criteria for permitting or denying redistribution of routes between
routing devices. Route maps consist of a list of match and set clauses that specify the required
criteria and the actions to perform if these criteria are met.

Prefix-List
Prefix-lists work like access lists for route advertisements (prefixes). Prefix-lists are used to match
routes as opposed to traffic. Two things are matched:
The prefix (the network itself)
The prefix-length (the length of the subnet mask). Two optional keywords (ge and le) can be
used to designate a range of prefix lengths to be matched.
Prefix lists work very similarly to access lists; a prefix list contains one or more ordered entries
which are processed sequentially. As with access lists, the evaluation of a prefix against a prefix list
ends as soon as a match is found.
An empty prefix list permits all prefixes. A prefix that does not match any entries of a prefix list is
denied.
The IP Unicast Routing Default Configuration

Table 2: IP Unicast Routing Default Configuration
Parameter Default Value
Default IP address for sw0 IP interface Not defined

The Default Administrative Distances of the See Table 3
Dynamic Routing Protocols
IP Forwarding Enabled
Table 3: Default Administrative Distances of the Dynamic Routing Protocols

Route Source Default Distance
Connected IP interface 0
OSPF 110
IS-IS 115
Unknown 255

IP Configuration Commands
Commands Hierarchy
device-name#
+ config terminal
+ router
- [no] static-route A.B.C.D/M A1.B1.C1.D1 <distance-value>
- [no] prefix-list NAME
- [no] rule ID
- [no] ge <value>
- [no] ip-prefix A.B.C.D/M
- [no] le <value>
- [no] type {deny | permit}
- [no] route-map NAME
- [no] rule ID
- [no] match {interface {outBand0 | loN | swN} | ip-
address-prefixlist NAME | ip-nexthop-prefixlist
NAME | metric <value> | tag <value>}
- [no] next-rule <value>
- [no] on-match {exit | goto | next}
- [no] set {metric-type {type-1 | type-2} | metric
<value> | tag <value>}
- [no] type {deny | permit}
- show routes [RouteEntry {Flags {blackhole changed | deleted | ibgp |
internal | mpls_egress | mpls_ingress | outband | selected | self_ip
| selfroute | static | staticarp | vrrp_ip} | ifname NAME | metrics
<metric value> | NextHopFlags {active | fib | fibsetoutband |
notready | outband | recursive} | nexthoptype {ifindex | ifname |
ipv4 | ipv4_ifindex | ipv4_ifname ipv6 | ipv6_ifindex | ipv6_ifname}
| uptime <duration> | A.B.C.D/M}]
Table 4: Static Routes Commands
Command Description


router static-route A.B.C.D/M Specifies a static route:

A1.B1.C1.D1 <distance-value>
A.B.C.D/M: the destination IP
address and mask in dotted-decimal
(Ipv4) format
A1.B1.C1.D1: the gateway IP
address
distance-value: in the range of
<1-255>
Disabled
no router static-route [A.B.C.D/M Removes a specific static route or all configured
A1.B1.C1.D1 <distance-value>] static routes
A.B.C.D/M: (optional) the
destination IP address and mask in
A1.B1.C1.D1: (optional)the gateway
IP address
distance-value: (optional)in the
range of <1-255>
prefix-list NAME Creates a prefix-list to filter the routing
information and enters Prefix-list Configuration
mode:
NAME: prefix-list name of <1-20>
characters
no prefix-list Removes the configured prefix-list
rule ID Creates a prefix-list rule ID and enters Prefix-list

Rule Configuration mode:
ID: in the range of <1-2147483647>
no rule Removes the configured route-map rule
ge <value> Specifies range limits on the prefix length used

for matching prefixes that are more specific than
the exact prefix length.
If only the ge attribute is specified, the range is
assumed to be from the ge value to 32:
no ge Removes the configured value
ip-prefix A.B.C.D/M Specifies the network address, and the length of

the network mask:
A.B.C.D/M: in dotted-decimal
format
no ip-prefix Removes the configured address
le <value> Specifies range limits on the prefix length used

for matching prefixes that are more specific than
the exact prefix length.
If only the le attribute is specified, the range is
assumed to be from the exact prefix length to the
le value.
If neither ge <value> nor le <value> is specified,
the matching criteria require an exact match of
the prefix length.

no le Removes the configured value

type {deny | permit}
Specifies the type of the action to be performed

on routes that match the route map criteria:
deny: rejects access to routes
with prefixes that match the
criteria
permit: permits access to routes
with prefixes that match the
criteria
no type Removes the configured rule type
route-map NAME Creates a route-map and enters Route-map

Configuration mode:
NAME: route-map name of <1-20>
characters
no route-map Removes the configured route-map
rule ID Creates a route-map rule and enters Route-map

Rule Configuration mode:
ID: in the range of <1-2147483647>
The ID indicates the position of the current rule in
the route map. Routes, tested by a route-map
with multiple rules pass in succession through
the sequence of instances until a match criterion
is met. If a match is found, the routing protocol
permits or denies the action specified in the
configuration of the instance that is matched. If
no match is found in any instance, the route is
rejected.
no rule Removes the configured route-map rule

match {interface {outBand0 | Specify the criteria for matching route entries:
loN | swN} | ip-address-
prefixlist NAME | ip- interface: IP interface type
nexthop-prefixlist NAME | A route-map entry is created to match routes
metric <value> | tag first-hop IP interface to the specified IP interface.
<value>}
Valid interfaces are:
outBand0: an Ethernet network interface
loN: an internal logical loopback IP-
interface. N is in the range of <09>
swN: an IP interface number in the range of
<09999>
ip-address-prefixlist NAME:
specifies a prefix list used to
match against the IP address of
the route entries
ip-nexthop-prefixlist NAME:
specifies a prefix list used to
match against nexthop of the route
entries
metric <value>: matches the
specified metric, in the range of
<1-16777215>
tag <value>: matches the specified
tag
no match Removes the configured criteria
next-rule <value> Specifies the next rule to be applied:

no next-rule Removes the configured next rule
on-match {exit | goto | next} Specifies the action to be performed on the
current matching rule of the specified route map:
exit: exits the route map
goto: moves to rule specified by
next-rule
next: moves to next rule
no on-match Removes the configured action on matching rule
set {metric {type-1 | type-2} Specifies which attribute of the route entry to be
| metric <value> | tag set:
<value>}
metric (type-1 or type-2):
specifies the OSPF external type
metrics for redistributed routes
metric <value>: specifies metric
value for match routes, in the
range of <1-16777215>
tag <value>: in the range of <1-
4294967295>
no set Removes the configured set operation

type {deny | permit}
Specifies the type of the action to be performed

on routes that match the route map criteria:
deny: rejects the routes that
match the route map criteria
permit: permits the routes that
match the route map criteria
no type Removes the configured rule type of action
show routes [RouteEntry {flags {blackhole Displays the static and directly connected (via
| changed | deleted | ibgp | internal configured IP interfaces) routes.
| mpls_egress | mpls_ingress | outband
| selected | self_ip | selfroute |
static | staticarp | vrrp_ip} | ifname
NAME | metrics <metric value> |
NextHopFlags {active | fib |
fibsetoutband | notready | outband |
recursive} | nexthoptype {ifindex |
ifname | ipv4 | ipv4_ifindex |
ipv4_ifname ipv6 | ipv6_ifindex |
ipv6_ifname} | uptime <duration> |
A.B.C.D/M}]

Open Shortest Path First (OSPF)

OSPF is an interior gateway protocol that routes (IP) packets solely within a single routing domain
(autonomous system (AS)). It gathers link state information from available routers and constructs a
topology map of the domain network.
Upon initialization, each device transmits a Link State Advertisement (LSA) on each of its IP
interfaces. OSPF exchanges the status of networks and links with every router in the network. Each
router collects the LSAs of all the routers within a common area, synchronizing their topological
databases, and updating their Link-State Database (LSDB). Using OSPF, all the routers within the
area maintain identical LSDBs.
Each router constructs a tree of shortest paths to each destination in the autonomous system (AS),
based on the LSDB. The cost of a route is described by a single metric (path cost). When several
equal-cost routes to a destination exist, traffic can be distributed among them.
The OSPF protocol uses the following algorithms:
Shortest Path First (SPF) algorithmcalculates configurable cost metrics and exchanging
routing information between routers in large networks.
Constrained Shortest Path First (CSPF) algorithm(optional) calculates a path that
meets, not only the, topology of the network but also the attributes of the Label Switched Path
LSP (refer to chapter MPLS Protocols and Services of this User Guide) and the links. It
minimizes congestion by intelligently balancing the network load. CSPF relies on a Traffic
Engineering Database (see Traffic Engineering (TE)) to do the calculations.
Area types
OSPF requires dividing the network into a logical star of areas.
Backbone area
Stub area
Normal Area
Not So Stubby area (NSSA)
The topology within an area is hidden from the rest of the AS. Hiding this information significantly
reduces LSA traffic and the calculations needed to maintain the LSDB. Routing within the area is
determined only by the topology.
Backbone Area
This area (also called Area 0) connects all other OSPF areas to each other. Any traffic
between areas must go through the backbone area. Due to its role, this area has to be
robust and stable. It should have internal redundancy and efficient bandwidth to handle
the traffic between areas.
Network areas should be contiguous (all in one connected piece). OSPF has a mechanism
for handling disconnections between network areas (other than Area 0) due to link
failures.

The figure below shows a simple OSPF topology.
Figure 1: OSPF Topology
OSPF defines the following router types:

Internal Routers (IR)routers that all their IP interfaces are within the same area
Area Border Routers (ABR)routers that their IP interfaces are within in multiple areas. An
ABR is responsible for exchanging summary advertisements with other ABRs
Autonomous System Border Routers (ASBR)routers acting as gateways between OSPF and
other routing protocols or other ASs
The backbone allows ABRs to exchange summary information. Each ABR receives area
summaries from all other ABRs. Each ABR then adds the backbone distance to each
advertising router and forms a picture of the distance to all networks outside its area.
Stub Area
A stub area is connected to other areas; one of them may be the backbone area. External route
information is not distributed into stub areas. Stub areas are used to reduce memory consumption
and computation requirements on OSPF routers.
Normal Area
An area which is not Area 0 or a Stub area.
Not-So-Stubby-Area (NSSA)
NSSA is an optional area that does not flood all LSAs from the core into the area, but can import
and redistribute AS-external routes within the area.

Link State Advertisement

LSA is a data unit describing the local state of a router or network. There are several types of LSAs,
designated by names and numbers, as described below:
Table 5: LSA Type Names and Numbers
LSA Number LSA Name LSA Description
1 Router-LSAs Originated by all routers, a router-LSA describes the

collected states of the router IP interfaces to an area
2 Network-LSAs Contains the list of routers connected to the network
3, 4 Summary-LSAs A summary-LSA describes a route to a destination outside
the area, yet still inside the AS (an inter-area route).
It is originated by ABRs and flooded throughout the LSAs
associated area.
Type 3 summary-LSAs describe routes to networks
Type 4 summary-LSAs describe routes to ASBR
5 AS-external- Originated by ASBR and flooded throughout the AS, each
LSAs AS-external-LSA describes a route to a destination in
another AS.
Default routes for the AS can also be described by AS-
external-LSAs.
OSPF Neighbors
Upon initialization, routers running OSPF attempt to locate neighboring routers to exchange LSAs.
Routers form adjacencies with neighboring routers before exchanging routing information. The
routers check details, such as subnet address, OSPF area number, network type, and authentication
passwords before forming an adjacency.
On broadcast or point-to-point segments, the routers dynamically discover neighbors through
the OSPF multicast, 224.0.0.5, using the OSPF Hello protocol.
On Non-Broadcast Multiple Access (NBMA) networks the system administrators have to
configure neighbors manually before the Hello protocol initializes in a unicast fashion,
beginning the adjacency forming process.

OSPF Network Types

OSPF has defined standards for communicating across a diverse set of network media:
Broadcast
The Broadcast OSPF network type typically runs on multi-access broadcast IP interfaces such as
Ethernet, Token Ring, or FDDI.
Each Broadcast OSPF area includes one Designated Router (DR) and one Backup Designated
Router (BDR) elected dynamically on a broadcast segment with which all other routers form
adjacencies. The election criteria include router ID, loopback IP interface presence, and router IP
interface priority values.
The system administrators can manually configure these criteria to influence the selection process.
The DR and BDR are responsible for collecting link state information from all routers on the
broadcast segment, compiling, and distributing the resulting area map back to each router. This
prevents all routers on a common segment from exchanging link state information with every other
router on a segment, thus reducing the amount of traffic on a broadcast segment.
Point-to-Point
The point-to-point OSPF network type is typically implemented across dedicated WAN circuits,
such as T-1 links or on frame relay point-to-point sub-interfaces.
This network type does not have a designated router since each segment includes only two routers.
These routers exchange link state information and routes as peers across a common subnet.
Virtual Links
You can configure virtual links between any two backbone routers that have an IP interface to a
common non-backbone area. The protocol treats two routers joined by a virtual link as if they were
connected by a point-to-point connection in the backbone.
If you cannot physically connect an area to the backbone area, you can use a virtual link to connect
to the backbone through a non-backbone area, known as a transit area. The transit area must have
full routing information; therefore it cannot be a stub area.
In the image below if the connection between ABR1 and the backbone fails, the connection via
ABR2 provides redundancy, ensuring communication between ABR1 and the backbone using the
virtual link.

Figure 2: Virtual Link Providing Redundancy

OSPF Graceful Restart Helper Mode Functionality per

RFC 3623
A router in a helper mode monitors the network for topology changes. When the router that is on
the same network segment as a restarting router receives a grace-LSA from the restarting router, the
it enters helper mode as long as the following criteria are met:
The neighbor must have a full adjacency with the restarting router over the associated network
segment.
There have been no changes to the link-state database since the restarting router began
restarting.
The grace period has not yet expired.
The neighbor router must not be in its own graceful restart process.
Helper mode for this router has not been disabled by the network administrator.
The helper router stops performing helper mode for its neighbor when one of the following events
occurs:
The grace-lsa that was originated by the restarting router is flushed, to signify that the restarting
router has exited the graceful restart process successfully.
The grace period of the grace-lsa expires.

OSPF Configuration Flow
Figure 3: OSPF Configuration Flow

OSPF Commands
Commands Hierarchy
device-name#
+ config terminal
+ [no] router
+ [no] ospf
[no] helper-mode
+ [no] area <id>
- [no] area-range <range-id> [advertise nssa-
external-link | do-not-advertise]
- [no] shortcut-configuration
+ [no] interface A.B.C.D
- [no] auth-key-md5 entry <value> word STRING
- [no] auth-key-simple STRING
- [no] auth-type {md5 | simple}
- [no] dead-interval <interval>
- [no] hello-interval <interval>
- [no] interface-type {broadcast | point-to-
point}
- [no] metric <value>
- [no] passive
- [no] transit-delay <delay>
+ [no] nssa
- [no] summaries
+ [no] stub
- [no] default-metric <metric>
- [no] summaries
+ [no] virtual-link A.B.C.D
- [no] auth-key-md5 entry <value> word STRING
- [no] auth-key-simple STRING
- [no] auth-type {md5 | simple}
- [no] dead-interval <interval>
- [no] transit-delay <interval>
- [no] compatible-rfc-1583
+ [no] redistribute {connect | static}

- [no] metric-type1 <metric>

- [no] route-map NAME
- [no] router-id A.B.C.D
+ [no] timers
- [no] spf-wait <delay>
- [no] lsa-generate <interval>
- [no] lsa-arrival <interval>
- [no] traffic-engineering
- [no] external-link-state-DB-size <size>
- [no] external-link-state-overflow-timer <timer>
- show router ospf database [area <area-id> | asbr-summary | external |
max-age | network | nssa-external | opaque | router | self-originate
| summary]
- show router ospf interface [name NAME]
- show router ospf neighbor [all [detail] | detail | id A.B.C.D |
interface swN [detail]]
- show router ospf opaque-database
- show router ospf route
- clear router ospf neighbour id A.B.C.D
- clear router ospf process
Table 6: OSPF Commands
Command Description

ospf Enables the OSPF routing and enters the
OSPF Router Configuration mode
Enabled
no ospf Disables OSPF
helper-mode Configures the router as a graceful OSPF
restart helper router for a single or multiple
routers. When the router is acting as a helper,
it will continue to advertise the restarting
router as if it was fully adjacent.
Enabled
no helper-mode Disables the helper mode and the router
cannot help a neighboring router that is
attempting to restart.

Command Description
area <id>
Specifies an OSPF area and enters the OSPF

Area Configuration mode:
id: OSPF areas ID, in dotted
decimal format (A.B.C.D) or in
decimal format, in the range of
<0-4294967295>
Not defined
no area [<id>] Deletes OSPF areas:
id: (optional) deletes specific
OSPF area
area-range <range-id> Define ranges of addresses on the Area
[advertise nssa-external-link Border Router (ABR) for the purpose of route
| do-not-advertise]
summarization or suppression, and enters the
OSPF Area-range Configuration mode:
range ID: the OSPF area range
ID. The OSPD area ID may be
expressed either as a decimal
number (<0-4294967295>) or in
dotted decimal (<0.0.0.0-
255.255.255.255>).
advertise nssa-external-link:
configures NSSA external link-
state advertisement (Type-7)
which can be flooded throughout
the NSSA area
do-not-advertise: prevents
advertisement of configured
networks
Advertise
no area-range [<range-id>] Deletes OSPF area ranges:
range ID: (optional) deletes a
specific area range
shortcut-configuration Allows OSPF to pass traffic from a backbone
area to a non-backbone area
Disabled
no shortcut-configuration Restores to default
interface A.B.C.D
Specifies an OSPF interface:

A.B.C.D: OSPF interfaces IP
address
Not activated
no interface [A.B.C.D] Deletes the OSPF interface configuration:
A.B.C.D: (optional) deletes the
OSPF interface configuration for
a specific IP address

Command Description
auth-key-md5 entry <value> Specifies a password for md5 authentication:

word STRING
STRING: a string of <1-16>
characters
no auth-key-md5 entry Removes the password
auth-key-simple STRING Specifies a password for simple

authentication (RFC 2328):
characters
no auth-key-simple Removes the password
auth-type {md5 | simple} Specifies the authentication type:

md5: configured in accordance
with RFC 2328
simple: simple password (RFC
2328)
Simple
no auth-type Restores to default
dead-interval <interval> Specifies the time that a device must wait

before it declares a neighbor OSPF router
down. The minimum interval must be two
times the hello interval
65535> seconds
40 seconds
no dead-interval Restores to default
hello-interval <interval> Specifies the time between the hello packets

that the router sends on an IP interface:
65535> seconds
10 seconds
interface-type {broadcast | Specifies the OSPF network type:

point-to-point}
broadcast
point-to-point
Broadcast
no interface-type Restores to default
metric <value> Specifies the cost of sending a packet on the

OSPF IP interface:
10
no metric Restores to default

Command Description
passive Sets the passive working mode

no passive Exits the passive working mode
priority <priority> Specifies the router priority for the configured

IP interface to help determine the OSPF
designated router for the network:
priority: in the range of <0-
255>
1
transit-delay <delay> Specifies the estimated number of seconds

taken to transmit a link state update packet on
an IP interface:
delay: in the range of <1-65535>
seconds
1 seconds
no transit-delay Restores to default
nssa Sets the OSPF not-so-stubby area (NSSA)

area type and enters the OSPF NSSA
Configuration mode
no nssa Removes the defined type and exits the
OSPF NSSA Configuration mode
summaries Enables sending summary (type 3)
advertisements into a Not So Stubby Area
(NSSA) on an Area Border Router (ABR)
no summaries Disables sending summary route
advertisements. Only the default route is
advertised by the ABR
stub Sets the OSPF Stub area type and enters the
OSPF Stub Configuration mode
no stub Removes the defined type and exits the Stub
Configuration mode
summaries Enables sending summary (type 3)
advertisements into a stub area on an Area
Border Router (ABR)
no summaries Disables sending summary route
advertisements. Only the default route is
advertised by the ABR
default-metric <metric> Specifies a default metric value for
redistributed routes:
metric: in the range of <0
16777215>
1
no default-metric Restores to default

Command Description
virtual-link A.B.C.D Specifies a virtual link to connect the area

border routers to the backbone via a virtual
link and enters the OSPF Virtual Link
Configuration mode:
A.B.C.D: neighbor ID, in a
Not configured
no virtual-link Removes the virtual link definitions
auth-key-md5 entry <value> Specifies a password for md5 authentication:

word STRING
characters
no auth-key-md5 entry Removes the password
<value>
auth-key-simple STRING Specifies a password for simple

authentication (RFC 2328):
characters
no auth-key-simple Removes the password
auth-type {md5 | simple} Specifies the authentication type:
md5: configured in accordance
with RFC 2328
simple: simple password (RFC
2328)
Simple
no auth-type Restores to default
dead-interval <interval> Specifies the time that a device must wait

before it declares a neighbor OSPF router
down. The minimum interval must be two
times the hello interval.
65535> seconds
40 seconds
no dead-interval Restores to default
hello-interval <interval> Specifies the time between the hello packets

that the router sends on an IP interface:
65535> seconds
10 seconds
transit-delay <delay> Specifies the link state transmit delay:

delay: in the range of <0-3600>
seconds
1 second
no transit-delay Restores to default

Command Description
redistribute {connect | static} Redistributes OSPF routes from one routing

domain into another routing domain and
enters the OSPF Redistribute Configuration
mode:
connect: interface routes of the
router
static: static routes
Disabled
no redistribute Restores to default
metric-type1 <metric> Specifies the external link type 1 associated

with the default route advertised into the
OSPF routing domain. It can be:
metric: in the range of <0-
16777215>
0
no metric-type1 Restores to default
route-map NAME Specifies an already configured route-map to

apply on redistributed routes in the OSPF
area:
NAME: route-map name of <1-20>
characters
To change already applied route-map, you
need to perform following commands:
no redistribution connect
commit
redistribution connect route-map NEW
no route-map Removes the specified route-map
router-id A.B.C.D Specifies the OSPF fixed-router ID:

A.B.C.D: fixed-router ID in a
No OSPF routing process is defined
no router-id Resets the OSPF fixed-router ID to the
highest IP address on any of its interfaces
timers Enters the OSPF Timer Configuration mode
no timers Exits the OSPF Timer Configuration mode
spf-wait <delay> Specifies the delay time between when OSPF

receives a topology change and when it starts
an SPF calculation:
delay: in the range of <0-
4294967295> seconds
5 seconds
no spf-wait Restores to default

Command Description
lsa-generate <interval> Specifies the minimum interval between two

consecutive SPF calculations:
4294967295> seconds
10 seconds
no lsa-generate Restores to default
lsa-arrival <interval> Specifies the maximum interval between two

consecutive SPF calculations:
4294967295> seconds
10 seconds
no lsa-arrival Restores to default
compatible-rfc-1583 Enables OSPF summary and external route
calculations in compliance with RFC1583
Enabled
no compatible-rfc-1583 Disables the RFC 1583 compatibility and
returns to the default method of calculation
that is according to RFC 2328
dscp-mapping <value> Specifies a DSCP priority of the OSPF
packets:
traffic-engineering Enabling the Traffic Engineering (TE)
no traffic-engineering Disables the Traffic Engineering (TE)
external-link-state-DB-size <size> Assigns the upper limit to the number of non-

default AS-external-LSAs allowed in the
routers Link-State Database (LSDB). The
router enters Overflow state when the number
of non-default AS-external-LSAs in the
database reaches their maximum.
size: in the size of <0-
2147483647>
10000
no external-link-state-DB-size Restores to default
external-link-state-overflow-timer Specifies the time countdown, starting when
<timer> the router enters Overflow state, after which
the router attempts to resume transmitting
non-default AS-external-LSAs.
timer: in the range of <0-
2147483647>, in seconds
0 seconds- the router does not leave
OverflowState until restarted.
no external-link-state-overflow- Restores to default
timer

Command Description
show router ospf database [area <area-id> | Displays the OSPF database:
asbr-summary | external | max-age |
network | nssa-external | opaque | router area-id: in the range of
| self-originate | summary] <0.0.0.0-255.255.255.255>
asbr-summary: the ASBR summary
link states
external: the external link
states
max-age: the LSAs in the MaxAge
list
network: the network link states
nssa-external : the NSSA
database content per area
opaque: the information about TE
opaque LSAs
router: the router link states
self-originate: the self-
originated link states
summary: the network summary
link states
show router ospf interface name {outBand0 | Displays OSPF interfaces related information:
loN | swN}
interface
loN: an internal logical
loopback IP-interface. N is in
the range of <09>
show router ospf neighbor [all [detail] | Displays information on OSPF neighbors on a
detail | id A.B.C.D | interface swN per-interface basis:
[detail]]
all: (optional) information for
all neighbors that are in a down
state (neighbors not in full or
2-way state)
detail: (optional) detailed
information for all neighbors
id A.B.C.D: the neighbors IP
address
interface swN: an IP interface
number in the range of <09999>
show router ospf opaque-database Display lists of information about the TE
opaque LSAs
show router ospf route Displays all routes received through the OSPF
router
clear router ospf neighbour id A.B.C.D Clears the established OSPF database
between two OSPF neighbors:
id A.B.C.D: the neighbors IP
address

Command Description
clear router ospf process Resets the entire OSPF process, forcing
OSPF to re-create neighbors, database, and
routing table.
Figure 4 shows an example of a network that uses OSPF routing. The diagram is followed by
commands that create this network.
Figure 4: OSPF Configuration Example
RSW1 Configuration:
1. Enable OSPF and set the OSPF Router ID:
RSW1#configure terminal
RSW1(config)#router ospf router-id 192.168.1.1
2. Enable OSPF for the network 192.168.1.0/24 and assign the area 1 for the network:
RSW1(config)#router ospf area 0.0.0.1 interface 192.168.1.1
RSW1(config)#commit
RSW2 Configuration:
3. Enable OSPF and Set the OSPF Router ID:
RSW2(config)#commit

RSW3 Configuration:
7. Enable OSPF for the network 20.0.0.0/8 and assign the area 2.2.2.2 for the network:
RSW3(config)#commit
RSW4 Configuration:
RSW4(config)#router ospf area 0.0.0.3 stub
RSW4 (config-area-0.0.0.3)# interface 192.168.0.1
RSW4(config)#commit
RSW5 Configuration:
RSW5(config)#commit
RSW6 Configuration:


RSW6(config)#router ospf area 0.0.0.3 stub
RSW6 (config-area-0.0.0.3)#interface 192.168.0.2
RSW6(config)#commit

Traffic Engineering (TE)

OSPF propagates TE information in order CSPF to calculate network paths.
The OSPF traffic engineering (TE) feature currently deployed in IP networks is based on routing
metrics (cost metrics) which optimize system-wide measures of performance such as average
response time, delay, etc., discounting the diversity of QoS requirements from the mixture of
narrow- and broad-band applications carried by the new multi-service Internet.
The Traffic Engineering (TE) database stores network topology with detailed link information,
including total and reserved bandwidths. This database is filled in and kept up-to-date.
TE Commands
Commands Hierarchy
device-name#
- tool traffic-engineering admin-group {exclude <value> | include-any
<value> | include-all <value>}
- tool traffic-engineering clear-query
- tool traffic-engineering destination ip A.B.C.D
- tool traffic-engineering excluded-link start-ip A.B.C.D end-ip A.B.C.D
- tool traffic-engineering excluded-node ip A.B.C.D
- tool traffic-engineering intermediate-hop address A.B.C.D maximum-
backup-hops <unsignedInt> maximum-hops <unsignedInt>
- tool traffic-engineering maximum-bandwidth value <value>
- tool traffic-engineering maximum-reserved-bandwidth value <value>
- tool traffic-engineering minimum-mtu value <unsignedInt>
- tool traffic-engineering originating ip A.B.C.D
- tool traffic-engineering relax-maximum-bandwidth value <unsignedInt>
- tool traffic-engineering unreserved-bandwidth-0 value <unsignedInt>
- tool traffic-engineering run
- tool traffic-engineering show

Table 7: TE Commands
Command Description
tool traffic-engineering admin-group Excludes/includes an administrative group

{exclude <value> | include-any <value> unique value:
| include-all <value>}
exclude <value>: excludes any
admin groups the link selects.
include-any <value>: includes
any admin groups the link
selects
include-all <value>: includes
all admin groups the link
selects
tool traffic-engineering clear-query Clears the previously built CSPF query
tool traffic-engineering destination ip
A.B.C.D
Specifies the IP address of the destination
point (for example, system node, interfaces IP
address of this node, or network segment):
A.B.C.D: destination points IP
address
tool traffic-engineering excluded-link Excludes the selected link from the queried
start-ip A.B.C.D end-ip A.B.C.D path:
start-ip A.B.C.D: the IP address
of the links start
end-ip A.B.C.D: the IP address
of the links end
tool traffic-engineering excluded-node ip Excludes the selected node from the queried
A.B.C.D path:
A.B.C.D: the nodes IP address
tool traffic-engineering intermediate-hop Specifies the intermediate hop through which
address A.B.C.D maximum-backup-hops a packet mandatory passes to reach the
<unsignedInt> maximum-hops destination point:
<unsignedInt>
A.B.C.D: the intermediate hops
IP address
maximum-backup-hops
<unsignedInt>: in range of <1-
1000> for the backup route.
Value 0unlimited number of
hops
maximum-hops <unsignedInt>: in
range of <1-1000> for the path.
Value 0unlimited number of
hops
tool traffic-engineering maximum-bandwidth Specifies the maximum amount of bandwidth
value <string> required per an outgoing link:
string: in the range of
<0x00000000-0xffffffff>

Command Description
tool traffic-engineering maximum-reserved- Specifies the minimum level of the maximum

bandwidth value <string> reserved bandwidth required per all links:
string: in the range of
<0x00000000-0xffffffff>
tool traffic-engineering minimum-mtu value Specifies the maximum transmission unit
<unsignedInt> (MTU) size per an outgoing link:
10000>
tool traffic-engineering originating ip
A.B.C.D
Specifies the IP address of the starting point
(originator) of the queried path:
A.B.C.D: originator points IP
address
tool traffic-engineering relax-maximum- Specifies the maximum bandwidth deviation:
bandwidth value <unsignedInt>
100> %
tool traffic-engineering unreserved- Specifies the minimum level of the unreserved
bandwidth-0 value <unsignedInt> bandwidth of priority level 0, required per all
links:
4294967295>
links:
4294967295>
links:
4294967295>
links:
4294967295>
links:
4294967295>
links:
4294967295>
links:

Command Description

4294967295>
links:
4294967295>
tool traffic-engineering run Executes the specified CSPF query
tool traffic-engineering show Displays the current CSPF query configuration

Intermediate System-to-Intermediate System (IS-IS)

Intermediate system to intermediate system (IS-IS) is an Interior Gateway Protocol (IGP) used in
an administrative domain or network. When IS-IS routers exchange topology information with the
nearest neighbors, a topological representation of the network is built. The created map indicates
the IP subnets which each IS-IS router can reach, and IP traffic is forwarded to the lowest cost
(shortest) path to an IP subnet.
The IS-IS network consists of:
End Systems (user devices)
Intermediate Systems (routers)
Areas (group of routers)
Domains (group of areas)
IS-IS routing uses a two-level hierarchical routing:
Level 1 routingrouting within an area (intra routing)
Level 2 routingrouting between areas (inter routing)
NOTE
ISIS protocol supports only broadcast type of interfaces.
ISIS protocol cannot be enabled on sw0 interface.
IS-IS Routers Types

Three types of routers exist:
Level 1 routerit is part of the Level 1 routing. This router locates the destination host within
the area, known as the intra-area router. The Level 1 router has a link-state database containing
all the routing information for the area. For routers to communicate, neighbors must be in the
same area.
Level 2 routerit routes traffic between areas (so called inter-area routing). The link-state
database is identical on all Level 2 routers, although the database contains prefixes of addresses
in other areas as opposed to internal area addresses.
Level 1-2 routerit has neighbors in different areas. This router holds both a Level 1 database
for the Level 1 area to which it is connected, and a Level 2 database with all the information
for inter-area routing.

Figure 5: Level 1, Level 2, and Level 1-2 Routers in an IS-IS Network Topology

Network Types
Broadcast networksconnect more than two devices. When one router sends a packet, all
connected routers receive it. One IS elects the DIS itself. The DIS is responsible for flooding;
it creates and floods a new pseudo-node LSP for each routing level in which it participates
(Level 1 or Level 2) and for each LAN to which it is connected.
LSPs on broadcast media (LANs) are sent to a multicast address.
No configuration is needed to inform IS-IS as to what the network type is.
How Adjacencies Are Built

Routers become IS-IS neighbors when they share a common data link and their hello packets
contain information that matches the criteria for forming an adjacency - authentication, IS-type and
MTU size. The criteria depend on the type of used network, point-to-point or broadcast.
Two routers are adjacent if the following parameters match:
Level 1the two routers sharing a common network should have their IP interfaces
configured to be in the same area if they are to have a Level 1 adjacency.
Level 2the two routers sharing a common network should be configured as Level 2 if they
are in different areas and want to become neighbors.
AuthenticationIS-IS allows to configure a password for a specified link, for an area, or for
an entire domain.
IS-IS Packet Types

Table 8: IS-IS Packet Types
Packet Type Description
Intermediate System-to-Intermediate IS-IS uses hello packets to establish and maintain

System Hello (IIH) connections to neighbors.
Link-state packet (LSP) LSPs distribute routing information between IS-IS
nodes.
There are four types of LSPs:
Level 1 pseudonode
Level 1 nonpseudonode
Level 2 pseudonode
Level 2 nonpseudonode
Complete sequence number PDU (CSNP) CSNPs contain a list of all LSPs from the current
database. CSNPs inform other routers of LSPs
that may be outdated or missing from their own
database.
Partial sequence number PDU (PSNP) PSNPs request an LSP (or LSPs) and
acknowledge receipt of an LSP (or LSPs).

Table 9: IS-IS Hello PDU Fields

Field Description
PDU type The type of IS-IS packet: a point-to-point (WAN)

PDU or a LAN PDU.
Source ID System ID of the sending router.
Holding time Time period to wait to hear a hello before
declaring the neighbor unavailability.
Circuit type Indicates whether the IP interface on which the
PDU is sent is Level 1, Level 2, or Level 1/Level 2.
PDU length Length of entire PDU including the header, in
bytes.
Local circuit ID A unique ID is assigned to a circuit at the time of
its creation. This circuit ID is only present in the
point-to-point hello PDUs.
LAN ID System ID of the DIS plus the pseudonode ID
(circuit ID) to differentiate LAN IDs on the same
DIS.
Priority Used in DIS election, with preference to higher
values.

IS-IS Configuration Flow
Figure 6: IS-IS Configuration Flow
IS-IS Commands
Commands Hierarchy
+ config terminal
+ [no] router
+ [no] isis
- [no] authentication-check
- [no] authentication-key-simple STRING
- [no] authentication-key-md5 STRING
- [no] authentication-type {none | simple | md5}
- [no] area-address FF:FF:FF:FF:FF:FF
- [no] level {level1 | level1L2 | level2}
+ [no] level-1

- [no] csnp-interval <interval>

- [no] hello-multiplier <value>
- [no] lsp-interval <delay>
- [no] metric <metric>
- [no] retransmit-interval <interval>
+ [no] level-2
- [no] csnp-interval <interval>
- [no] hello-multiplier <value>
- [no] lsp-interval <interval>
- [no] retransmit-interval <interval>
- [no] passive-interface
- [no] shutdown
+ [no] level-1
- [no] lsp-gen-interval <interval>
- [no] metric-style {both | narrow | wide}
- [no] set-overload-bit
- [no] te-enable
+ [no] level-2
- [no] lsp-gen-interval <interval>
- [no] metric-style {both | narrow | wide}
- [no] set-overload-bit


- [no] lsp-refresh-interval <1interval>
- [no] max-lsp-lifetime <interval>
- [no] router-id [FF:FF:FF:FF:FF:FF]
- [no] route-leak A.B.C.D/M
- [no] spf-interval <interval>
- [no] summary-address A.B.C.D/M
- [no] type {level1IS | level1L2IS | level2IS}
- [no] shutdown
- [no] te-router-id A.B.C.D
- [no] redistribute connect
- [no] level {level1 | level2}
- [no] redistribute default
- [no] redistribute static
- show router isis database [level {level-1 | level-2}] [details]
- show router isis
- show router isis interfaces [interface {outBand0 | loN | swN}] [details]
- show router isis neighbor
Table 10: IS-IS Commands
Command Description

isis Enables IS-IS and enters the IS-IS Router
Configuration mode
Disabled
no isis Disables IS-IS
authentication-check Enables the global authentication check of
ISIS incoming packets
Enabled

Command Description
no authentication-check Disables the authentication check
authentication-key-simple STRING Specifies a global password for simple

authentication:
STRING: plain-text string of <1-
255> characters
no authentication-key-simple Removes the password
authentication-key-md5 STRING Specifies a global password for md5

authentication:
characters
no authentication-key-md5 Removes the password
authentication-type {none | simple Specifies the authentication type:
| md5}
md5: configures HMAC-MD5
authentication type
simple: configures plain-text
password
none: disables the
authentication of ISIS packets
None
no authentication-type Restores to default
area-address FF:FF:FF:FF:FF:FF Specifies the area ID:

FF:FF:FF:FF:FF:FF: area ID in
hexadecimal format
no area-address FF:FF:FF:FF:FF:FF Removes the defined area ID
interface {outBand0 | loN | swN} Enable IS-IS on an already configured

interface (for more information on configuring
interfaces, refer to the Physical Ports and
Logical Interfaces chapter of this user guide):
interface
loopback IP-interface.
N: in the range of <09>
sw0
no interface {outBand0 | loN | Disables IS-IS on an already configured
swN} interface:
interface
loopback IP-interface.

Command Description
level {level1 | level1L2 | Specifies an adjacency level for a specified

level2} interface:
level1: level 1 adjacency
level1L2: level 1 and Level 2
adjacency
level2: level 2 adjacency
Level 1 and Level 2 adjacency
no level Restores to default
level-1 Enters the Level-1 adjacency Interface
Configuration mode
no level-1 Removes the Level-1 configurations
level-2 Enters the Level-2 adjacency Interface
Configuration mode
authentication-check Enables the level-2 authentication check of
ISIS incoming hello packets
Enabled
authentication-key-simple Specifies level-2 simple authentication
STRING password of Hello packets:
255> characters
authentication-key-md5 Specify level-2 MD5 authentication password
STRING of Hello packets:
characters
authentication-type {none | Specifies the authentication type:
simple | md5}
authentication type
password
none: disables the
None
csnp-interval <interval> Specifies the time between transmission of

CSNP packets:
600> seconds
10 seconds
no csnp-interval Restores to default

Command Description
hello-interval <interval> Specifies the time between transmission of

hello packets:
600000> seconds
3 seconds
hello-multiplier <value> Specifies the number of hello packets a

neighbor must miss before the router declares
the adjacency unavailability:
10
no hello-multiplier Restores to default
lsp-interval <interval> Specifies the time delay between successive

ILSP transmissions:
65535> milliseconds
10 milliseconds
no lsp-interval Restores to default
metric <metric> Specifies the cost of a specified interface.

The metric is a relative cost for sending
information over the specified interface.
metric: in the range of <0-63>
10
priority <priority> Specifies the priority of designated routers:

priority: in the range of <0-
127>
64
retransmit-interval Specifies the time between retransmissions of
<interval> LSP packets:
300> seconds
5 seconds
no retransmit-interval Restores to default
passive-interface Enables the passive mode on a specified
interface. In passive mode, transmission and
interpretation of PDUs on the specified
interface are suppressed. However these
interfaces are still included in LSPs and are
advertised to neighbors.
no passive-interface Disables the passive mode
shutdown Disables the specified interface
no shutdown Enables the specified interface

Command Description
level-1 Enters the Level-1 adjacency Global

Configuration mode
level-2 Enters the Level-2 Global Configuration mode
authentication-check Enables the authentication check of ISIS
xSNP and LSP incoming packets
Enabled
authentication-key-simple Specifies level-2 simple authentication
STRING password of xSNP and LSP packets:
255> characters
authentication-key-md5 STRING Specifies level-2 MD5 authentication

password of xSNP and LSP packets:
characters
authentication-type {none | Specifies the authentication type:
simple | md5}
authentication type
password
none: disables the
None
lsp-gen-interval <interval> Specifies the minimum interval rate that LSPs

are generated:
65535> seconds
30 seconds
no lsp-gen-interval Restores to default
metric-style {both | narrow | Specifies a metric style, advertised when
wide} sending LSPs:
both: advertises narrow and wide
metric-style links
narrow: advertises links using
traditional metric-style (6
bits)
wide: advertises links using
wide metric-style (24 bits)
Narrow

Command Description
no metric-style Restores to default

set-overload-bit Sets the overload bit in the header of its
nonpseudonode LSPs. When the overload bit
is set, other routers in the domain do not
include this router in their shortest-path-first
(SPF) calculations. Consequently, the other
routers do not detect any paths through this
router and do not forward traffic through this
router.
no set-overload-bit Removes the overload bit
lsp-refresh-interval <interval> Specifies the rate at which locally generated

LSPs are periodically transmitted:
65235> seconds
900 seconds
no lsp-refresh-interval Restores to default
max-lsp-lifetime <interval> Specifies the maximum time that LSPs persist

without being refreshed:
65535>
1200 seconds
no max-lsp-lifetime Restores to default
router-id [FF:FF:FF:FF:FF:FF] Specifies the IS-IS router ID:

FF:FF:FF:FF:FF:FF: (optional)
router ID in hexadecimal format
The IP address of loopback interface
with the lowest index, converted in
hexadecimal format
no router-id Removes the defined IS-IS router ID
route-leak A.B.C.D/M Redistributes L2 routes in the L1 routing

domain:
A.B.C.D/M: address and IP subnet
mask of the L2 route
no route-leak Removes the specified route
spf-interval <interval> Specifies the SPF Interval:

120000> milliseconds
5000 milliseconds
no spf-interval Restores to default
summary-address A.B.C.D/M Specifies a summary of addresses for a given

routing level:
A.B.C.D/M: address and IP subnet
mask
no summary-address Removes the address

Command Description
type {level1IS | level1L2IS | Specifies the routing level:

level2IS}
level1IS: intra-area routing
level1L2IS: intra and inter area
routing
level2IS: inter-area routing
Level 1 and level 2
no type Restores to default:
level1IS: intra-area routing
level1L2IS: intra and inter area
routing
level2IS: inter-area routing
shutdown Disables the IS-IS protocol
no shutdown Enables the IS-IS protocol
te-router-id <id> Enables the traffic engineering and specifies

the router ID for the traffic engineering
application:
id: in format A.B.C.D
no te-router-id Disables the traffic engineering
redistribute connect Configures connected routes to be
redistributed
no redistribute connect Removes the redistribution
redistribute default Configures default routes to be redistributed
no redistribute default Removes the redistribution
redistribute static Configures static routes to be redistributed
no redistribute static Removes the redistribution
metric <metric> Specifies metric assigned to the link:

metric: in the range of <1-63>
10
level {level1 | level2} Specifies the area routing:
level 1: intra-area routing
level 2: intra and inter area
routing
Level 2
no level Restores to default
show router isis Displays the state of the IS-IS protocol

Command Description
show router isis database [level {level-1 | Displays the internal routing database:
level-2}] [details]
details: (optional) detailed
information
level-1: (optional) level1
related information
level-2: (optional) level2
related information
show router isis interfaces [interface { Displays IS-IS interfaces related information:
outBand0 | loN | swN}] [details]
outBand0: (optional) an Ethernet
network interface
loN: (optional) an internal
logical loopback IP-interface. N
is in the range of <09>
swN: (optional) an IP interface
number in the range of <09999>
details: detailed information
show router isis neighbor Displays information for IS-IS neighbors
1. The following example enables IS-IS as a Level1-2 router on interfaces sw10 and sw20:
device-name(config-isis)#router-id 11:11:11:11:11:11
device-name(config-isis)#interface sw10
device-name(config-interface-sw10)#level level1L2
device-name(config-interface)#exit
device-name(config-isis)#interface sw20
device-name(config-interface-sw20)#level level1L2
device-name(config-interface)#exit
device-name(config-isis)#area-address 11:22:33:44
device-name(config-area-address-11:22:33:44)#commit
2. Display the state of IS-IS:

device-name#show router isis
Router is adminstratively up
Oper status: 1
Router ID: 11.11.11.11.11.11
ISIS type: L1-L2
SPF schedule delay 5000 msecs
LSP maximum lifetime 1200 secs,
LSP refresh interval 900 secs
Global authentication type: None
Suppress globally incoming packets authentication: Disabled
Level 1 setup:
LSP generation interval 30 secs,

metric style is NARROW

overload state: ON; set overload: FALSE
L1 authentication type: None
Suppress L1 incoming packets authentication: Disabled
Level 2 setup:
LSP generation interval 30 secs,
metric style is NARROW
overload state: ON; set overload: FALSE
L2 authentication type: None
Suppress L1 incoming packets authentication: Disabled
3. Display the IS-IS neighbor information:

device-name#show router isis neighbours
00.00.96.01.01.02, state UP, Interface sw10
System type L1-L2, Adjacency type L1, Priority 0
SNPA: 02.00.00.00.04.8F
Holdtime 16 secs, Uptime 12m,16s,637ms,447us
SNPA: 02.00.00.00.04.8F
SNPA: 02.00.00.00.04.90
SNPA: 02.00.00.00.04.90


IP Unicast No standards are Private MIB, RFC 791, Internet Protocol DARPA
Routing supported by this PRVT-SWITCH- Internet Program Protocol
feature. IPVLAN-MIB.mib. Specifications
RFC 919, Broadcasting Internet
Datagrams
RFC 922, Broadcasting Internet
Datagrams in the Presence of Subnets
RFC 1042, A Standard for the
Transmission of IP Datagrams over
IEEE 802 Networks
RFC 1122, Requirements for Internet
Hosts -- Communication Layers
RFC 1812, Requirements for IP
Version 4 Routers
Open Shortest STD 54, OSPF RFC 1850, OSPF RFC 1370, Applicability Statement for
Path First Version 2 Version 2 OSPF
(OSPF) Management RFC 1587, The OSPF NSSA Option
Information Base
RFC 1765, OSPF Database Overflow
Private MIB,
RFC 2328, OSPF Version 2
PRVT-OSPF-
MIB.mib
IS-IS ISO 10589 Private MIB, RFC 1195, Use of OSI IS-IS for
Information PRVT-ISIS- Routing in TCP/IP and Dual
Technology MIB.mib Environments
Telecommunicati RFC 2966, Domain-wide Prefix
on and Distribution with Two-Level IS-IS
information
RFC 3373, Three-way handshake
exchange
between RFC 3567, IS-IS Cryptographic
systems Authentication
Intermediate
system to
Intermediate
system intra-
domain routing
information
exchange
protocol for use
in conjunction
with the protocol
for providing the
connectionless-
mode Network
Service (ISO
8473), 1992.


Node Redundancy
Table of Contents
Table of Figures 1
List of Tables 1
Node Redundancy 2
Advantages of Virtual Router Redundancy Protocol (VRRP) 2
VRRP Router Priority 3
Event Propagation 7
Event Propagation VRRP Related Commands Hierarchy 7
Table of Figures
Figure 1: Node Redundancy Scenarios................................................................................................ 2
List of Tables
Table 1: VRRP Commands ................................................................................................................... 4
Table 2: Event Propagation VRRP Related Commands .................................................................. 7
Node Redundancy (Rev. 01) Page 1

Node Redundancy
Node Redundancy feature allows a single T-Marc 3312SC/T-Marc 3312SCH device to be backed
up. It uses the concept of Master/Backup. When a failure occurs in the master device, the backup
devices takes over the masters role, so that it can provides stable services.
The figure below illustrates the redundancy connectivity between two T-Marc 3312SC/T-Marc
3312SCH devices:
Figure 1: Node Redundancy Scenarios
device#1 -T-Marc 3312SC/T-Marc 3312SCH is the Master device

device#2 -T-Marc 3312SC/T-Marc 3312SCH is the Slave device
NOTE
Currently, only a single backup device is supported.
Inter Switch Link (ISL) is a physical link between the devices, used to send redundancy
protocol messages.
External Network collects network devices connected to the BiNOX devices. The External
Network is physically connected to both the Master and the Slave devices.
Advantages of Virtual Router Redundancy Protocol

(VRRP)
Node redundancy mechanism is based on VRRP, which provides automatic backup for critical
switches.
Page 2 Node Redundancy (Rev. 01)

Master device transmits VRRP advertisement packets at the stated periods to the network to
inform its status to backup device. If there is no VRRP advertisement packet during the time, the
backup device sends VRRP advertisement packets. Then they decide the priorities according to the
received advertise packets and then the new Master device is decided.
In the network embodied by VRRP, the external network devices do not need to know the real
master device.
Changes in the VRRP are automatically propagated using the Event Propagation feature.
VRRP Router Priority

Priority determines the role that each VRRP device plays and what happens if the Master device
fails. Priority also determines if a VRRP device functions as a backup device and the order of
ascendancy to becoming a Master device if the Master device fails. The user can configure the
priority of each backup device with a value between 1 (lowest priority) and 254 (highest priority).
By default, if a backup device with priority higher than the elected backup device becomes available,
it preempts (takes over the mastership from) the backup device that was elected.
VRRP Advertisements
The Master device sends VRRP advertisements to other VRRP device in the same group. The
advertisements communicate the priority and state of the Master device. The VRRP advertisements
are encapsulated in IP packets and sent to the IP Version 4 multicast address assigned to the VRRP
group. The advertisements are sent every one second by default.
VRRP Master-Election Algorithm

Assume that devices A and B are connected to the same LAN and configured as a VRRP group. If
one of the VRRP devices owns the IP address of the VRRP virtual router and the IP address of the
physical interface, this device will function as the Master device. If no one of the VRRP devices
meets this condition, an election process takes place to determine which of the VRRP devices A
or B will become the Master. The process is as follows:
If one of the VRRP devices has the highest priority, this device is elected to become the
Master device
If two or more VRRP devices have the same highest priority, then the device with the highest
IP address is elected to become Master
The remaining VRRP device function as backup device.
System Interfaces
The system interfaces are divided into four groups:
Monitored (traced) physical interfaces - these interfaces are monitored for failures. When there
are at least N failing interfaces (N is a configurable threshold) within the group, fail-over
occurs. Upon fail-over, all interfaces in this group are shut down in order to neighboring nodes
to flush their MAC tables. After fail-over is completed, and wait-to-restore timer has expired,
these interfaces can be brought up again so the new Slave device can protect the new Master
device once the operational interface failures have been fixed.

Linked physical interfaces - this group of interfaces allow the other line cards in the chassis to
detect the current Master device by simply sensing the link up/down state. These interfaces are
always administratively enabled on the Master device and disabled on the Slave device.
VRRP interfaces ("Inter-Switch Link") - this group of IP interfaces, over which the VRRP
advertisements are sent. The physical interfaces over which these IP interface are defined, may
also belong to the Monitored interfaces group.
One-IP Advertisement interfaces - these interfaces are used to advertise the Virtual IP address
by sending the Gratuitous ARP. Only IP interfaces are allowed in this group.
VRRP Configuration Commands
Commands Hierarchy
device-name#
+ config terminal
+ router
- [no] vrrp virtual-router <value>
- [no] accept-mode {all | none | icmp}
- [no] advertised-interval <value>
- [no] interface swN
- [no] preempt
- [no] shutdown
- [no] trace-uplink UU/SS/PP
- [no] trace-uplink-flush-timer <value>
- [no] trace-uplink-threshold <value>
- [no] version {2 | 3}
- [no] virtual-ip-address A.B.C.D
- [no] range <value>
- show vrrp virtual-router [detailed]
- show running-config router vrrp virtual-router
Table 1: VRRP Commands
Command Description

vrrp virtual-router <value> Specifies group of routers ID (Virtual Router ID

(VRID)), its configuration, and enters the VRRP
Configuration mode:

Command Description
no vrrp virtual-router Removes the created VRRP configuration

accept-mode {all | none | icmp} Allows the VRRP Master to accept packets sent
to one of the virtual routers IP addresses:
all: accepts all packets
none: doesnt accept any packets
icmp: accepts ping packets
none
no accept-mode Restores to default
advertised-interval <value> Specifies the time interval for sending

advertising packets to the specified router group:
centiseconds
10 centiseconds
no advertised-interval Restores to default
interface swN Specifies the Virtual Router IP interface:

range of <09999>
no interface Removes the configuration
preempt Controls whether a higher priority Backup router
preempts a lower priority Master. When
preemption is enabled, if the backup VRRP
router detects that there is a Master with lower
priority, it can become the Master.
Enabled
no preempt Restores to default
priority <value> Specifies the sending VRRP router priority of the

virtual router:
Higher values equal higher priority. The priority
value of the VRRP router that owns the IP
address(es) associated with the virtual router
must be 255.
The priority value zero has special meaning
indicating that the current Master has stopped
participating in VRRP. This is used to trigger
Backup routers to quickly transition to Master
without having to wait for the current Master to
timeout.
100
shutdown Stops the VRRP router
Shutdown
no shutdown Starts the VRRP router

Command Description
trace-uplink UU/SS/PP Specifies the uplink interface connecting a

VRRP router to the backbone network:
UU/SS/PP: port that is connected
to the extranet uplink
UU/SS/PP: 1/1/1-1/1/4 and 1/2/1-
1/2/8
no trace-uplink Removes the uplink configuration
trace-uplink-flush-timer <value> Specify how long the monitored uplinks of a

failed device remain down before being reset:
seconds
0
no trace-uplink-flush-timer Removes the configured value
trace-uplink-threshold <value> Specifies a threshold limit for the number of

failed uplinks:
1
no trace-uplink-threshold Restores to default
version {2 | 3} Specifies a VRRP version. The version of VRRP
on all routers in the VRRP group must be the
same:
2, 3: the version number is 2 or
3, where 2 indicates VRRPv2
(described in RFC 3768), and 3
indicates VRRPv3 (described in RFC
5798).
3
no version Restores to default
virtual-ip-address A.B.C.D Specifies the IP address/es of the Virtual Router

interface and enters Virtual Router IP Address
Configuration mode:
A.B.C.D: in hexadecimal format
no virtual-ip-address Removes the configured IP address/es
range <value> Specifies the length of the set of sequential IP

addresses associated with the virtual router:
no range Removes the configured range of IP addresses
of the virtual router.
show running-config router vrrp Displays VRRP running configuration
virtual-router
show vrrp virtual-router [detailed] Displays VRRP information:

detailed: displays detailed VRRP
related information

Event Propagation
The Event Propagation feature allows you to configure automatic actions executed upon the
occurrence of specific events (refer to Operations, Administration, and Maintenance (OAM) chapter
of this User Guide for more information).
Event Propagation VRRP Related Commands Hierarchy

device-name#
+ config terminal
+ [no] event-propagation profile <id>
- action {link-drop | mac-withdraw | none}
- event vrrp-status-backup
- [no] reverse {link-restore | none}
- [no] source vrrp-group <value>
- [no] timer {hold-off <value> | wait-to-restore <value>}
- [no] threshold <value>
+ port {UU/SS/PP | agN}
- show event-propagation [profile <id> | session]
Table 2: Event Propagation VRRP Related Commands

Command Description
event propagation profile <id> Specifies an event propagation profile and

enters Event Propagation Profile Configuration
mode:
id: a string of up to 32
characters, numbers and/or letters
no event propagation profile [<id>] Removes the configured profiles:
id: (optional) removes a specific
event-propagation profile
action link-drop Specifies an action, the event-propagation
profile performs upon the configured event:
link-drop: drops the link
event vrrp-status-backup Specifies the expected event type a VRRP
router becomes a VRRP backup router
reverse link-restore Specifies the reverse action to be performed
when the configured event stops processing:
link-restore: restores the link
no reverse [link-restore | none] Removes the configured action
source vrrp-group <value> Specifies the source from which the event-

Command Description
propagation profile receives the configured
event:
value: receives events from
Virtual Router group with ID in
the range <1-255>
no source Removes the configured event source
timer {hold-off <value> | wait-to- Specifies profile timers:

restore <value>}
hold-off <value>: defines the hold
off timeout, in the range of <0
600000> milliseconds, in 100-
millisecond increments. The timer
postpones the switchover for a
specified time. If the transport
path does not recuperate by the
end of this time period, the link
is dropped or LDP MAC address
withdraw message is sent.
Default: 2000 milliseconds
wait-to-restore <value>: defines
the wait-to-restore timeout, in
the range of <0-600> seconds. If
the revertive mode is disabled,
this timer is also disabled.
Default: 2 seconds
no timer {hold-off | wait-to- Restores to defaults
restore}
port {UU/SS/PP | agN} Enters Configuration Mode for a specific port:

UU/SS/PP: 1/1/1-1/1/4 and 1/2/1-
1/2/8
event-propagation-profile Applies the selected event-propagation profile
<id> on a port:
characters, numbers and/or letters
no event-propagation- Removes the event-propagation profile from the
profile port
show event-propagation [profile <id> | Displays event-propagation information:
session]
profile <id>: displays the
configured parameters for the
specified profile with ID in the
range of <1-32>
session: displays the source each
profile is allocated to and its
parameters
Example
device-name(config)#router interface sw3 add 3.3.3.3/24
device-name(config-interface-sw3)#commit

Commit complete.
device-name(config-interface-sw3)#top
Commit complete.
device-name(config-tagged-1/1/1)#top
device-name(config)#event-propagation profile vrrp
device-name(config-profile-vrrp)#event vrrp-status-backup
device-name(config-profile-vrrp)#source vrrp-group 3
device-name(config-profile-vrrp)#action link-drop
device-name(config-profile-vrrp)#reverse link-restore
device-name(config-profile-vrrp)#commit
Commit complete.
device-name(config-profile-vrrp)#top
device-name(config-port-1/1/2)#event-propagation-profile vrrp
Commit complete.
device-name(config)#router vrrp virtual-router 3
device-name(config-virtual-router-3)#interface sw3
device-name(config-virtual-router-3)#virtual-ip-address 3.3.3.33
device-name(config-virtual-ip-address-3.3.3.33)#exit
device-name(config-virtual-router-3)#priority 110
device-name(config-virtual-router-3)#no shutdown
device-name(config-virtual-router-3)#commit
Commit complete.
device-name(config-virtual-router-3)#trace-uplink 1/2/1
device-name(config-trace-uplink-1/2/1)#trace-uplink 1/2/2
device-name(config-trace-uplink-1/2/2)#commit
Commit complete.
device-name(config-trace-uplink-1/2/2)#top
device-name#show router vrrp

STATE
ID VRRP
3 backup


Virtual Router No standards are No MIBs are RFC 3768

Redundancy supported by this supported by this
Protocol feature. feature.
RFC 5798
(VRRP)
Event IEEE 802.1ag- Not supported Not supported
Propagation 2007
(Connectivity
Fault
Management)

MPLS Protocols and Services
Table of Contents
Table of Figures 2
List of Tables 2
Multiprotocol Label Switching (MPLS) 3

Architecture 3
Pseudowires and Virtual Circuits 4

Virtual Private Wire Service (VPWS) 4
Virtual Private LAN Services (VPLS) 5
PW RedundancyService Protection 8
A Spoke PW Failure in a Hub and Spoke Topology 8
A Mesh PW Failure in a Hub and Spoke Topology 9
MPLS Transport and Service 10

Resource Reservation Protocol And Traffic Engineering 10
RSVP-TE Extensions for MPLS 10
RSVP-TE Fast Reroute (FRR) Transport Protection 11
The FRR Advantage 11
Fast Reroute Terms 11
Local Repair Technique: One-to-One Method 12
Local Repair Technique: Facility Method 13
Secondary LSP 14
Penultimate Hop Popping (PHP) 14
Traffic-Engineering Tool 15
MPLS and VPLS/VPWS Configuration Flow 15
MPLS and VPLS Configuration Commands 17
RSVP-TE Tunnels Configuration Examples 52
MPLS Protocols and Services (Rev. 01) Page 1

LDP Tunnels Configuration Example 54

VPLS Configuration Examples 54
SAP Options on Services 56
Triangle Topology Configuration Example 56
Traffic-Engineering Tool Example 65
Table of Figures
Figure 1: MPLS Cloud ........................................................................................................................... 4
Figure 12: VPWS .................................................................................................................................... 4
Figure 2: VPLS Cloud ............................................................................................................................ 5
Figure 3: Packets at Different Points of the VPLS ........................................................................... 6
Figure 4: H-VPLS Topology................................................................................................................. 7
Figure 5: Two-tiered Hierarchical VPLS Model ................................................................................ 7
Figure 6: A Spoke PW Failure in a Hub and Spoke Topology ........................................................ 9
Figure 7: Recovery from a Spoke PW Failure .................................................................................... 9
Figure 8: A Mesh PW Failure in a Hub and Spoke Topology ......................................................... 9
Figure 9: Recovery from A Mesh PW Failure .................................................................................... 9
Figure 10: Establishing a TE-tunnel .................................................................................................. 11
Figure 11: One-to-One Backup Method........................................................................................... 12
Figure 12: Facility Backup Method .................................................................................................... 13
Figure 13: Penultimate Hop Popping ................................................................................................ 15
Figure 14: MPLS and VPLS Configuration Flow ............................................................................ 16
Figure 15: A Triangle Topology Configuration Example .............................................................. 57
List of Tables
Table 1: Term Definitions and Acronyms ........................................................................................ 11
Table 2: MPLS Configuration Commands ....................................................................................... 17
Table 3: LDP Configuration Commands.......................................................................................... 20
Table 4: RSVP and TE Entity Configuration Commands ............................................................. 25
Table 5: VPLS Commands.................................................................................................................. 36
Table 6: Show Commands .................................................................................................................. 44
Table 7: Fields Displayed by show mpls tunnel command ............................................... 47
Page 2 MPLS Protocols and Services (Rev. 01)

Multiprotocol Label Switching (MPLS)

Multiprotocol Label Switching (MPLS), used mainly for service-provider core networks and large
enterprise networks, is a data-carrying mechanism that overcomes many of the shortcomings of IP-
based networks. MPLS provides an easy way to engineer traffic, manage bandwidth, and bring
Quality of Service (QoS) to IP networks.
This mechanism provides a unified, multi-protocol, data-carrying service by building Virtual Circuits
(VCs) across IP networks that tunnel these packets through the MPLS network.
MPLS is based on prefixing data packets with an MPLS header that contains one or more label(s)
(label stacking) and switching these packets through the MPLS network solely according to their
MPLS labels. Using the labeling method, MPLS tunnels all packets through the network without
regard to their protocols.
MPLS supports traffic engineering to provide traffic prioritization and QoS.
Using MPLS, you can also define multiple paths to two endpoints to achieve load balancing and
ensure backup in case of a line failure.
Architecture
An MPLS network is typically a large group of core devices distributed over a wide geographic area.
MPLS can also be used in metropolitan area networks.
The MPLS network is built by unidirectional Label Switched Paths (LSPs) that are created by a
signaling protocol prior to data transmission. LSPs include:
Label Edge Routers (LER): Devices at the LSP ingress and egress points connected to the
non-MPLS networks.
Label Switching Routers (LSR): Devices within the MPLS network core.
Upon data transmission, data packets are routed to the LER (at the MPLS ingress point). Based on
packet details, the LER determines which LSP to tunnel the packet through and prefixes the packet
with an appropriate label. Each LSR along the LSP switches the packet label to another label and
then forwards the packet to the next LSR along the path. The LER at the MPLS network egress
removes the label from the packet and forwards the packet to the external network.
For further details refer to Multiprotocol Label Switching Architecture RFC 3031.

Figure 1: MPLS Cloud
Pseudowires and Virtual Circuits

Pseudowire (PW) describes a connection oriented, service transport over packet switched network,
such as MPLS network. Each pseudowire contains two unidirectional Virtual Circuits (VCs) which
defines a connection between service end-points in the MPLS topology. A VC is usually referred to
as a Service Distribution Point (SDP).
According to its connection oriented nature, traffic starts flowing via the PW only after the
connection setup is signaled between PW end points and the connection is up.
PW delivers two types of services to end users:
VPWS
VPLS
Virtual Private Wire Service (VPWS)

VPWS is a point-to-point circuit (link) connecting two devices, a logical link through a packet
switched network. Frames transmitted by a device on such a virtual circuit are received by the
device at the other end-point of the virtual circuit.
An example of VPWS application is a customer network where CE (Customer Edge) devices are
connected to each other via a PW, which is either a physical or logical circuit, between PE (Provider
Edge) devices in the provider network.
Figure 12: VPWS

Virtual Private LAN Services (VPLS)

VPLS, one of the most common VC applications, is a technology for transparently connecting
geographically-dispersed, corporate sites over an MPLS network so that the sites appear and behave
like a single bridged Ethernet LAN.
Combining the simplicity of Ethernet backbone LAN technology with the scalability and security of
the MPLS core, VPLS is a viable alternative for enterprises seeking a cost-effective Layer 2 VPN
solution. VPLS functionality is usually required for Provider Edge (PE) routers.
A PE router, located at the edge of the MPLS core, is administered only by the Service Provider
without customer management access. In case of VPLS, PE routers and LERs coincide since labels
are attached once packets arrive at PEs from a non-MPLS network. Each PE connects to
Customer Edge equipment administered solely by the customer.
Figure 2: VPLS Cloud
Pseudowire (PW) describes the connection between the end-points. A full mesh of PWs must exist
among PEs within the same VPLS instance. In order to prevent loops, a PE must not forward
traffic from one pseudowire to another in the same VPLS instance. Note that this does not apply to
traffic received on a PE user port that is considered an access port for the VPLS service. If a packet
with an unknown destination MAC address arrives at such a port, the PE must flood this packet to
all pseudowires and users ports (if any) pertaining to the VPLS instance.
While traveling along a PW, packets contain a stack of two labels. Both labels are added by PEs at
the time the packets enter the MPLS core. The core routers (LSRs) use the outer, transport label to
switch the packet through to the far-end PE. LSRs do not know that the packet belongs to a given
VPLS instance as they only take into account the outer label. This feature provides an additional
level of security for user traffic.
The other, inner, Virtual Circuit label, is put to use at the far-end PE. The Virtual Circuit label
identifies the VPLS instance to which the packet belongs (for example, it is used as a service
delimiter). Once the PE becomes aware of the VPLS, the packet is switched based on the
destination MAC address.
VPLS Packet Formats and VC Types

To traverse the MPLS network, MPLS packets contain encapsulated Ethernet packets.

Figure 3: Packets at Different Points of the VPLS
On receipt, the far-end PE strips the Ethernet header and labels used within the MPLS cloud off
the packet. Depending on the VC label, the PE sends the packet to a respective access port.
When the PE receives an Ethernet frame carrying a VLAN tag intended to go into the MPLS
cloud, the PE can operate using two encapsulation modes (VC types):
Ethernet-VLAN: The PE regards tags placed in the packet by customer equipment as
service-delimiting. The service provider uses that tag to segment traffic. For example, LANs
from different customers may be attached to the same service provider device which, in turn,
applies VLAN tags to distinguish between customer traffic and forwards the frames to the PE.
In this case, it is important to make sure the tag is kept while traveling in the MPLS cloud.
When pseudowire is operating in this mode, every packet sent on the pseudowire must
have a service-delimiting VLAN tag. If the frame is received by the PE from the user
without a VLAN tag, the PE prepends the frame with a dummy VLAN tag of 1 before
sending the frame on the pseudowire.
ETHERNET: The PE regards tags placed in the packet by customer equipment as not
service-delimiting. In this mode, the tag has no meaning to the PE. Service-delimiting tags
are never sent over the pseudowire. If a service-delimiting tag is present when the packet is
received from a user by the PE, the tag must be removed from the packet before the packet is
sent to the pseudowire.
When this mode is used, the remote PE receives an untagged frame from the pseudowire
after the original tag was stripped off by the transmitting PE. Depending on the VPLS
instance SAP (Service Access Point) configuration, the PE may add a different tag, on
frame reception, to achieve VLAN translation across the PW, or the PE may leave the
frame untagged.
In both modes, when a single Ethernet packet contains more than one tag, the PE device inspects
the outermost tag to adapt the Ethernet packet to the pseudowire, and encapsulates the stacked tags
in VC type VLAN mode or removes the outer tag before encapsulation in VC type Ethernet mode.
NOTE
The VC type should match on the PW endpoint device.

Hierarchical VPLS (H-VPLS)

The VPLS model described in the previous sections relies on a full mesh of pseudowires which
implement any-to-any connectivity in the provider core network. The pseudowires within the core
network are known as hub pseudowires. When large VPLSs are deployed, setting up the full
mesh of pseudowires may result in high signaling overhead. Hierarchical VPLS helps reduce the
overall number of pseudowires and relieves the overhead burdens of the PEs.
To accomplish this, H-VPLS uses MTU (Multi-Tenant Unit) devices. As a rule, MTU devices are
located in multi-tenant unit buildings and aggregate customer traffic before sending it to the PEs.
Figure 4: H-VPLS Topology
MTU and PE devices connect to each other via a single spoke pseudowire. There is no need
for a full mesh of pseudowires between an MTU and all the PEs of a particular VPLS instance
as in a classic VPLS application. This is achieved by introducing a slight change in PE
operation, specifically, PE devices treating spoke pseudowires as user access ports. As a result,
PEs flood packets received from spoke pseudowires to other spoke pseudowires and mesh
pseudowires associated with the same customer. The PE will flood packets received from
mesh pseudowires only to spoke pseudowires and not to other mesh pseudowires in order to
prevent loops and achieve Split-Horizon functionality.
Figure 5: Two-tiered Hierarchical VPLS Model

According to its position in the H-VPLS topology, the device operates in two modes:
MTU-S mode single-active-spoke and backup-spoke pseudowires are allowed per VPLS
instance.
NOTE
In H-VPLS terminology, spoke pseudowires are referred to as spoke-SDPs (service
distribution points), and mesh/hub pseudowire are referred to as mesh-SDPs.
NOTE
The VPT preservation is enabled by default.
NOTE
You cannot use the same service ID for all MPLS L2 services.
You cannot use the same physical port as a MPLS and TLS SAP.
PW RedundancyService Protection
In H-VPLS topology, VPLS core PWs (mesh) are augmented with access PWs (spokes) to form a
two-tier hierarchical VPLS. The use of Dual-Homing, Active and Backup PWs terminating on
different PEs provides protection against the failure of the spoke or the failure of the PE.
In certain applications, there is a need for a different mechanism to protect the target PE node or
the MTU Service Access Point failure. PW redundancy overcomes such failures by signaling the
preferred PW used for forwarding data traffic between the local and remote peers of the PW. This
mechanism becomes operational once multiple PWs (SDPs) are configured for the same service.
The status of a spoke-PW/SDP (Active/Backup) determines the order of precedence for the PW.
In an MTU VPLS service instance with two PWs, the PW with the lower value will be the Active
one. If both PWs are the same, with respect to precedence, the Active PW would be the first one
signaled to the PEs.
Mechanism behavior s defined per service using the redundancy-mode parameter. By default, the
parameter is set to independent mode in which the PW state is defined both by PW precedence and
remote requests.

NOTE
A Spoke PW Failure in a Hub and Spoke Topology

In case of a spoke PW failure, MTU notifies its remote PW peer on the preferred spoke PW used
to forward data traffic by clearing the preferential forwarding bit of the standby spoke PW. This
causes a switchover between the active and standby spoke PWs as illustrated in the following figure:

switchover between
Active and Standby 1 3
Active PW-sp
Active PW-spoke oke
PE VPLS
Mesh
PE
A MTU B MTU
Backup oke
PW-sp 2 4 PW-sp
oke Backup
PE PE
switchover request
(by clearing preferential forwarding bit)
Figure 6: A Spoke PW Failure in a Hub and Spoke Topology
Once the standby spoke PW is active and a new path is used, the MTU for the activated, standby
PW sends a MAC-Address Withdrawal to the PE, which in turn distributes the MAC-Address
Withdrawal to all other PE devices, allowing faster convergence:
1 3
Active PW-sp
Backup PW-spoke oke
PE VPLS
Mesh
PE
A MTU B MTU
Active oke
PW-sp 2 4 PW-sp
oke Backup
PE PE
MAC Address
Withdrawal
Figure 7: Recovery from a Spoke PW Failure
A Mesh PW Failure in a Hub and Spoke Topology

In case of a mesh failure, the PE device notifies the relevant MTU devices by setting the
preferential forwarding bit of the corresponding spoke PWs, allowing the MTU devices to
switchover between active and standby spoke PWs as illustrated in the following figure:
switchover request
(by setting preferential forwarding bit)
switchover between switchover between

Active and Standby 1 3 Active and Standby
Active PW-sp
Active PW-spoke oke
PE VPLS
Mesh
PE
A MTU B MTU
Backup oke
PW-sp 2 4 PW-sp
oke Backup
PE PE
switchover request switchover request
(by clearing preferential forwarding bit) (by clearing preferential forwarding bit)
Figure 8: A Mesh PW Failure in a Hub and Spoke Topology
With the backup spoke PW active, using a new path, the MTU for the standby PW, sends a MAC-
Address Withdrawal to the PE. To achieve faster convergence, the PE, in turn, distributes the
MAC-Address Withdrawal to all other PE devices.
1 3
Backup PW-sp
Backup PW-spoke oke
PE VPLS
Mesh
PE
A MTU B MTU
Active oke
PW-sp 2 4 PW-sp
oke Active
PE PE
MAC Address
Withdrawal
Figure 9: Recovery from A Mesh PW Failure

MPLS Transport and Service

You can signal MPLS transport LSPs (tunnels) using two types of protocols, specifically LDP and
RSVP-TE, which are responsible for the exchange and distribution of transport labels. Note that
the LDP protocol, which must be used for signaling service VC labels, requires routing adjacency
between PW end-points to exchange labels.
Resource Reservation Protocol And Traffic Engineering

Use traffic engineering to:
Route traffic around congested and failed network points
Maximize throughput
Minimize delay
MPLS directs a flow of IP packets along unidirectional LSPs. The physical path of the LSP is not
constrained to the shortest path, to reach the destination IP address, chosen by the IGP.
A host uses the Resource Reservation Protocol (RSVP) network protocol to request specific
qualities of service from the network for particular application data streams or flows. Routers also
use RSVP to deliver Quality of Service (QoS) to all nodes along the path of the flow and to
establish and maintain the state needed to provide the requested service. MPLS leverages RSVP to
set up traffic-engineered LSPs.
RSVP requests generally result in reservation of resources in each node along the data path. Hosts
and routers that support both MPLS and RSVP can associate labels with RSVP flows. When MPLS
and RSVP are combined, the definition of a flow can be made more flexible. Once an LSP is
established, the traffic through the path is defined by the label applied at the ingress node of the
LSP.
RSVP-TE Extensions for MPLS

RSVP-TE, an extension of RSVP, enables label-switched paths in MPLS. RSVP-TE defines a
session as a data flow with a particular destination and transport-layer protocol. The ingress node of
an LSP uses a number of methods to determine which packets are assigned a particular label. Once
a label is assigned to a set of packets, the label effectively defines the flow through the LSP.
Since flow along an LSP is completely identified by the label applied at the ingress node of the path,
these paths may be treated as LSP tunnels (refer to RFC 2702.)
Use RSVP-TE to establish explicitly routed, label-switched paths that use RSVP as a signaling
protocol. The result is the instantiation of label-switched tunnels that can be automatically routed
away from network failures, congestion, and bottlenecks.
RSVP, extended for MPLS, supports automatic signaling of LSPs. To enhance scalability, latency,
and reliability of RSVP signaling, several extensions have been defined. Refresh messages are still
transmitted; traffic volume, CPU utilization, and response latency are all substantially reduced while
maintaining reliability support.
In addition, RSVP-TE uses CSPF infrastructure to engineer constraint-based LSPs (forcing the
LPS to use a certain path or preventing the LSP from using a specific path).

Figure 10: Establishing a TE-tunnel
RSVP-TE Fast Reroute (FRR) Transport Protection

Use the Fast Reroute mechanism to facilitate fast, local repair of LSPs when a link or node fails. An
extension of RSVP, Fast Reroute, requests link or node protection by appending a Fast Reroute
object to the Path message. The Fast Reroute object indicates to the downstream LSRs that a
locally generated backup LSP should be set up as backup for the Protected LSP in case the
downstream link or node fails.
The FRR Advantage

Another extension of RSVP, FRR establishes backup label-switched path (LSP) tunnels used in
local repair of LSP tunnels. The extension attempts to reach the needs of real-time applications,
such as voice over IP, to redirect user traffic into backup LSP tunnels in tens of milliseconds. To
satisfy this timing requirement, FRR computes and signals backup LSP tunnels in advance of failure
and redirects traffic as close to the failure point as possible. In this way, the time need to redirect
user traffic includes no path computation and no signaling delays (including delays to propagate
failure notification between label-switched routers (LSRs)).
Speed of repair is the primary advantage to the methods and extensions described here. The term
local repair is used when referring to techniques that re-direct traffic to a backup LSP tunnel in
response to a local failure.
An FRR-enabled LSP is an RSVP tunnel in which the user configures the fast-reroute mode. The
fast-reroute model specifies the repair techniques described in the following section.
Fast Reroute Terms

Table 1: Term Definitions and Acronyms
Term Meaning
Local Repair Techniques used to repair LSP tunnels quickly when a node or link
along the LSP fails.
Merge Point (MP) The LSR where one or more backup tunnels rejoin the path of the
protected LSP downstream of the potential failure. The same LSR may

be both an MP and a PLR simultaneously.

Point of Local Repair The head-end LSR of a backup tunnel or a detour LSP.
(PLR)
Facility Backup Bypass tunnel used to protect one or more protected LSPs that
traverse the following (in the order shown):
The PLR
The protected resource
The Merge Point
Guarded-Destination Signal the primary tunnel through the ingress IP address of the Merge
Hop Point. To protect a group of primary tunnels traversing the hop, the
guarded-destination hop is defined on PLR as a for manual bypass
tunnel.
NOTE
For further details regarding protection establishment and the roles of devices in a
protected RSVP-TE based environment, refer to RFC 3209.
Local Repair Technique: One-to-One Method

In the traditional MPLS/VPN network architecture, each customer site was associated with a single
VPN with a one-to-one correspondence between customer sites and VPNs. In this architecture,
users can implement the FRR one-to-one method in which the PLR maintains a separate backup
path for each LSP. In the following figure, the protected LSP runs from R1 to R5. The example
shows the detour paths necessary to fully protect this LSP.
Figure 11: One-to-One Backup Method
R2 can provide user traffic protection by creating a partial backup LSP that merges with the
protected LSP at R4. The partial one-to-one backup LSP [R2->R7->R8->R4] is a detour.
To protect an LSP that traverses N nodes, there could be as many as (N - 1) detours.
To minimize the number of LSPs in the network, it is recommended to merge a detour back to its
protected LSP, whenever possible. Merger occurs when a detour LSP intersects its protected LSP at
an LSR with the same outgoing interface.
When a failure occurs along the protected LSP, the PLR redirects traffic onto the local detour. For
instance, if the [R2->R3] link fails, R2 switches traffic received from R1 onto the protected LSP
along link [R2->R7], using the label received when R2 created the detour.
When R4 receives traffic with the label provided for R2's detour, R4 switches this traffic onto link
[R4-R5], using the label received from R5 for the protected LSP.
At no point does the depth of the label stack increase as a result of the detour.

While R2 uses its detour, traffic uses the path [R1->R2->R7->R8->R4->R5].
Local Repair Technique: Facility Method

The Facility Backup method takes advantage of the MPLS label stack. Instead of creating a separate
LSP for every backed-up LSP, a single LSP serves as back up to a set of LSPs. This type of LSP
tunnel is called a bypass tunnel.
The bypass tunnel must intersect the path of the original LSP(s) somewhere downstream of the
PLR. As a result, the set of LSPs being back up via that bypass tunnel are constrained to those that
pass through some common downstream node. Candidates for this set of LSPs must:
Pass through the local repair point
Pass through this common node
Not use the facilities involved in the bypass tunnel
Figure 12: Facility Backup Method
In the above example, R2 has built a bypass tunnel to protect against link failure [R2->R3] and
node [R3]. The doubled lines represent this tunnel. This technique provides scalability improvement
in that the same bypass tunnel can also be used to protect LSPs from any of R1, R2, or R8 to any of
R4, R5, or R9. Example 2 describes three different protected LSPs that are using the same bypass
tunnel for protection.
There could be as many as (N-1) bypass tunnels to fully protect an LSP that traverses N nodes.
However, each of those bypass tunnels could protect a set of LSPs.
When a failure occurs along a protected LSP, the PLR redirects traffic into the appropriate bypass
tunnel. For instance, if link [R2->R3] fails in Example 2, R2 will switch traffic received from R1 on
the protected LSP onto link [R2->R6]. The label will be switched for one which will be understood
by R4 to indicate the protected LSP, and the bypass tunnel label will then be pushed onto the label-
stack of the redirected packets.
If penultimate-hop-popping is used, the merge point in Example 2, R4, will receive the redirected
packet with a label indicating the protected LSP that the packet is to follow. If penultimate-hop-
popping is not used, R4 will pop the bypass tunnel label and examine the label underneath to
determine the protected LSP that the packet is to follow. When R2 is using the bypass tunnel for
protected LSP 1, the traffic takes the path [R1->R2->R6->R7->R4->R5]; the bypass tunnel is the
connection between R2 and R4.

Secondary LSP
In addition to LSP FRR protection, which can be established dynamically (based on CSPF) or
defined explicitly to bypass a local failure, you can use a secondary pre-defined LSP, a redundant
path to the same end point of the protected LSP, to protect RSVP LSP. Same as an FRR bypass
LSP, the secondary LSP can be established dynamically (based on CSPF) or defined explicitly.
RSVP LSP can be protected by FRR, a secondary LSP, or both.
When both protection methods are applied on LSP, FRR will be the first to protect on failure; the
secondary LSP will be second. After an FRR event occurs, the bypass tunnel will be used until
expiration of the configured timeout. After expiration of the MBB timer, the bypass tunnel will be
torn down.
A secondary LSP will be used if it has been configured and established. In order to keep service
functional when the primary LSP fails to recover, the user must have configured a secondary
instance or the MBB timer must be disabled.
Penultimate Hop Popping (PHP)

In an MPLS-enabled network, PHP is a function performed by a Label Switch Router (LSR) before
passing the packet to an adjacent Label Edge Router (LER). In this process, the outermost label of
an MPLS process is removed thereby reducing the load on the LER. Without this process, the LER
would have to perform at least two label lookups:
Look up the outer label that identifies the packet should have its Transport label stripped on
this router.
Look up the inner label, that identifies which Virtual Routing/Forwarding (VRF in IP MPLS)
or Virtual Circuit (VC in MPLS VPLS) instance to use.
In a large network, two lookups can cause the CPU load on the LER to reach unacceptable levels.
By having PHP for an LER done on the connected LSRs, the load is effectively distributed among
neighboring routers.
PHP functionality is achieved by the LER advertising a label with a value of 3 to its neighbors. This
label is defined as implicit-null and informs the neighboring LSR(s) to perform PHP.
LSR receives implicit-null label from LER 2 to use for prefix 172.16.
Outer label is popped by LSR performing PHP before sending 172.16 to LER 2.

Figure 13: Penultimate Hop Popping
Traffic-Engineering Tool
When CSPF is used for automatic RSVP-TE based LSP management, you can determine the path
hops used between two endpoints in the MPLS topology using a CLI, Traffic Engineering tool that
queries the CSPF database and tracks all hops between the endpoints.
Since the CSPF database is used by RSVP-TE to establish an LSP, the path indicated by this tool
will represent the LSP to be established by RSVP-TE protocol. The tool can be used for advanced
troubleshooting; usage requires specifying the head and tail ends of a desired path as shown in the
following example.
NOTE
In addition, two more mpls connectivity tools are available: mpls-ping and mpls-
trace.
MPLS and VPLS/VPWS Configuration Flow

Figure 14: MPLS and VPLS Configuration Flow

MPLS and VPLS Configuration Commands

MPLS Configuration Commands Hierarchy
device-name#
+ config terminal
mpls tunnels rebuild-now <value>
no mpls-te automatic-bypass TunnelIndex <value>
+ [no] router
+ [no] mpls
- [no] lsr-id A.B.C.D
- [no] label-range-egress <lowest-value>-<highest-value>
- [no] label-range-ingress <lowest-value>-<highest-value>
+ mpls lsp-ping {lsp LSP_NAME | prefix A.B.C.D/M}
- count <count>
- size <octets>
- timeout <timeout>
- ttl <ttl>
+ mpls lsp-trace {lsp LSP_NAME | prefix A.B.C.D/M}
- size <octets>
- timeout <timeout>
- ttl <ttl>
MPLS Configuration Commands Description
Table 2: MPLS Configuration Commands

Command Description
mpls tunnels rebuild-now <value> Specifies index for the RSVP-TE tunnel to be
re-signaled manually:
no mpls-te automatic-bypass TunnelIndex Specifies index of the dynamic bypass tunnel to
<value> be deleted:
32767>
router Enters Router Configuration mode
mpls Enables MPLS and enters MPLS Configuration
mode

Command Description
no mpls Disables MPLS
lsr-id A.B.C.D Specifies the unique LSR ID of the device. This

address is used by all MPLS protocols :
A.B.C.D: a logical loopback IP
address (loN) in a dotted format
NOTE
To change the LSR ID, remove the
entire MPLS configuration.
no lsr-id A.B.C.D Removes the configured LSR ID:
A.B.C.D: a logical loopback IP
address (loN) in a dotted format
label-range-egress <lowest- Specifies a range within labels for a neighboring
value>-<highest-value> MPLS router are distributed.
lowest-value: in the range of
<28672-1048575>
28672
highest-value: in the range of
<28672-1048575>
1048575
no label-range-egress Restores to default
label-range-ingress <lowest- Specifies a range within labels from a

value>-<highest-value> neighboring MPLS router are accepted.
The device must be rebooted for the changes to
take effect.
lowest-value: in the range of
<16-1048575>
16
highest-value: in the range of
<16-1048575>
1048575
no label-range-ingress Restores to default
mpls lsp-ping {lsp LSP_NAME | prefix Starts an LSP connectivity-test by sending in-
A.B.C.D/M} band MPLS echo packets to the egress LSR:
LSP_NAME: the LSP name
A.B.C.D/M: the FECs prefix
count <count> The number of messages the test sends:
count: in the range of
<1100>
1
size <octets> The minimum packet size:
octets: in the range of
<84-1300> octets
No pad TLV added

Command Description
timeout <timeout> The number of seconds to wait for a

connectivity test reply:
timeout in the range of
<1-120> seconds
2
ttl <label-ttl> The maximum number of hops to reach the
specified IP address/LSP:
label-ttl: in the range of
<1255>
255
mpls lsp-trace {lsp LSP_NAME | prefix Verifies the packets hop-by-hop path by
A.B.C.D/M} sending in-band MPLS echo packets:
LSP_NAME: the LSP name
A.B.C.D/M: the FECs prefix
size <octets> The minimum packet size:
octets: in the range of
<84-1300> octets
No pad TLV added
timeout <timeout> The number of seconds to wait for a
connectivity test reply:
timeout: in the range of
<1-120> seconds
2
ttl <ttl> The maximum number of hops to reach the
specified IP address/LSP:
ttl: in the range of
<1255>
255
LDP Configuration Commands Hierarchy

device-name#
+ config terminal
+ [no] router
+ [no] ldp
+ [no] targeted-peer A.B.C.D
- [no] hello-hold-time <value>
- [no] keepalive-hold-time <value>
- [no] shutdown
+ [no] distribute
- [no] ingress {isis | ospf | static | ip A.B.C.D/M}
- [no] egress {connected | static | ospf | ip
A.B.C.D/M}
- [no] hello-hold-timer <value>

- [no] keepalive-hold-timer <value>

- [no] label-advertising-mode {explicit-null |
global-label-range | implicit-null}
- [no] shutdown
LDP Configuration Commands Description

Table 3: LDP Configuration Commands
Command Description

ldp Enables the LDP protocol and accesses LDP
Protocol Configuration mode
no ldp Removes the LDP configurations
targeted-peer A.B.C.D Specifies the targeted LDP peer IP address:

A.B.C.D: the remote LDP peer IP
address
no targeted-peer A.B.C.D Removes the targeted LDP peer:
A.B.C.D: the remote LDP peer IP
address
hello-hold-time <value> Specifies the LDP targeted session hello hold
time:
seconds. Shutdown the peer to
change this value
0 seconds
LDP hello messages are sent hello-hold-time/3
seconds.
no hello-hold-time Restores to default
keepalive-hold-time <value> Specifies the LDP targeted session keep-alive

hold time:
seconds
40 seconds
no keepalive-hold-time Restores to default
shutdown Disables the targeted peer
no shutdown Enables the targeted peer
distribute Specifies the distribution policy

Command Description
ingress {isis | ospf | static Specifies the ingress (remote router) distribution
| ip A.B.C.D/M} policy:
isis: marks the routes learned
from the IS-IS for usage of
ingress LDP LSPs
ospf: marks the routes learned
from the OSPF for usage of ingress
LDP LSPs
static: marks the static routes
for usage of ingress LDP LSPs
ip A.B.C.D: marks specific IP
address or network for usage for
ingress LDP LSPs
Distribution is disabled
no ingress {isis | ospf static Removes the ingress distribution policy:
| ip A.B.C.D/M}
isis: marks the routes learned
from the IS-IS for usage of
ingress LDP LSPs
from the OSPF for usage of ingress
LDP LSPs
for usage of ingress LDP LSPs
ip A.B.C.D: marks specific IP
address or network for usage for
ingress LDP LSPs
egress {connected | static | Specifies the egress (local router) distribution
ospf | ip A.B.C.D/M} policy:
connected: distributes all the
local interfaces
for usage of egress LDP LSPs
from the OSPF for usage of egress
LDP LSPs
ip A.B.C.D: distributes to a
specific IP route
Distribution is disabled
no egress {connected | static Removes the egress distribution policy:
| ospf | ip A.B.C.D/M}
connected: distributes all the
local interfaces
for usage of egress LDP LSPs
from the OSPF for usage of egress
LDP LSPs
ip A.B.C.D: distributes to a
specific IP route

Command Description
interface {outBand0 | loN | swN} Specifies LDP values for an already configured
IP interface:
interface
NOTE
LDP protocol is not supported on
the Eth interface.
IP-interface.
range of <09999>
no interface {outBand0 | loN | Disables MPLS on an already configured IP
swN} interface:
interface
NOTE
LDP protocol is not supported on
the Eth interface.
IP-interface.
range of <09999>
hello-hold-timer <value> Specifies the LDP link session hello-hold time:
seconds
15 seconds
LDP hello messages are sent hello-hold-time/3
seconds.
NOTE
Shutdown the peer to change this
value
no hello-hold-timer Restores to default
keepalive-hold-timer <value> Specifies the LDP link session keep-alive hold

time.
seconds
40 seconds
no keepalive-hold-timer Restores to default

Command Description
label-advertising-mode Specifies the label value advertised on the

{explicit-null | global- egress router of an LSP:
label-range | implicit-
null} explicit-null: this label is
assigned to preserve the TC
(traffic class) value of the top
label of an incoming packet. The
top label is swapped with a label
value of 0 (20 bit label field)
and forwarded as an MPLS packet to
the next-hop downstream router.
global-label-range: uses dynamic
MPLS labels, specified by commands
label-range-egress and label-
range-ingress in MPLS
configuration mode
implicit-null: this label is
assigned when the top label of the
incoming MPLS packet is removed
and the resulting MPLS or IP
packet is forwarded to the next-
hop downstream router. The value
for this label is 3 (20 bit label
field).
NOTE
When LDP and RSVP use the
same interface, changing label
advertising mode requires
recreation of the interface with a
new value. As a result, short period
of traffic loss can be expected.
Implicit-null label (label 3)
no label-advertising-mode Restores to default
shutdown Disables LDP
Disabled
no shutdown Enables LDP
RSVP and TE Configuration Commands Hierarchy

device-name#
+ config terminal
+ [no] router
+ [no] rsvp-te
- [no] ignore-ingress-interface-affinities
+ [no] admin-group <admin_group_id>
- name ADMIN_GROUP_NAME
- [no] admin-group <admin_group_id>
- [no] label-advertising-mode {explicit-null |
global-label-range | implicit-null}

- [no] te-metric <metric>

- [no] maximum-interface-bandwidth [speed <speed> |
unit {bps | gbps | kbps | mbps}]
- [no] maximum-reservable-bandwidth [speed <speed> |
unit {bps | gbps | kbps | mbps}]
- [no] maximum-diffserv-class-bandwidth [speed
<speed> | unit {bps | gbps | kbps | mbps}]
- [no] bypass-fast-reroute
- [no] detour-fast-reroute
- [no] dynamic-bypass
- [no] lsp-hold-timer <value>
+ [no] path <path>
+ [no] hop <id>
- [no] hop-type {strict | loose}
- [no] ip-address A.B.C.D {include | exclude}
- [no] shutdown
+ [no] lsp <lsp_id>
- [no] name LSP_NAME
- [no] backup-setup-priority <priority>
- [no] backup-holding-priority <priority>
- [no] far-end A.B.C.D
- [no] fast-reroute-mode {facility | one-to-one |
no-preference}
- [no] admin-group include-all <tunnel_affinity_id>
- [no] admin-group include-any <tunnel_affinity_id>
- [no] admin-group exclude-any <tunnel_affinity_id>
- [no] backup-admin-group exclude-any
<tunnel_affinity_id>
- [no] backup-admin-group include-all
- [no] backup-admin-group include-any
- [no] guarded-destination A.B.C.D
- [no] holding-priority <priority>
- [no] max-backup-hops <hops>
- [no] mbb-timeout <value>
- [no] mtu <mtu>
- [no] rebuild-timer <value>
- [no] setup-priority <priority>
- [no] cspf
- [no] path <path>

- [no] exclude-resource-affinity
+ [no] secondary
- [no] admin-group include-all
- [no] admin-group include-any
- [no] admin-group exclude-any
- [no] cspf
- [no] holding-priority <priority>
- [no] mbb-timeout <value>
- [no] rebuild-timer <value>
- [no] mtu <mtu>
- name LSP_NAME
- [no] setup-priority <priority>
- [no] path <path>
- [no] exclude-resource-affinity
- [no] shutdown
- [no] shutdown
RSVP and TE Configuration Commands Description

Table 4: RSVP and TE Entity Configuration Commands
Command Description

rsvp-te Enters the RSVP-TE Configuration mode
no rsvp-te Removes the RSVP-TE configurations
ignore-ingress-interface- Specifies that the admin-groups defined on the
affinities ingress interfaces are ignored
Admin-groups are not ignored
no ignore-ingress-interface- The admin-groups defined on ingress interfaces
affinities are not ignored
admin-group <admin_group_id> Creates a TE admin-group group or a range of
TE admin groups:
admin_group_id: in the range of
<132>
no admin-group <admin_group_id> Removes the TE admin-group:
<132>

Command Description
name ADMIN_GROUP_
NAME
The TE admin groups name:
ADMIN_GROUP_NAME: a string of <1
15> characters
interface {outBand0 | loN | swN} Enable RSVP on an already configured IP
interface (for more information on configuring IP
interfaces, refer to the Physical Ports and Logical
Interfaces chapter of this user guide):
interface
NOTE
RSVP protocol is not supported on
the Eth interface.
IP-interface.
range of <09999>
no interface {outBand0 | loN | Disables RSVP on an already configured IP
swN} interface:
interface
NOTE
RSVP protocol is not supported on
the Eth interface.
IP-interface.
range of <09999>
admin-group <admin_group_id> Selects an existing TE admin group or a range of
TE admin groups:
<132>
no admin-group Removes the TE admin-group
<admin_group_id>

Command Description
label-advertising-mode Specifies the label value advertised on the

{explicit-null | global- egress router of an LSP:
label-range | implicit-
null} explicit-null: this label is
assigned to preserve the TC
(traffic class) value of the top
label of an incoming packet. The
top label is swapped with a label
value of 0 (20 bit label field)
and forwarded as an MPLS packet to
the next-hop downstream router.
global-label-range: uses dynamic
MPLS labels, specified by commands
label-range-egress and label-
range-ingress in MPLS
configuration mode
implicit-null: this label is
assigned when the top label of the
incoming MPLS packet is removed
and the resulting MPLS or IP
packet is forwarded to the next-
hop downstream router. The value
for this label is 3 (20 bit label
field).
NOTE
When LDP and RSVP use the
same interface, changing label
advertising mode requires
recreation of the interface with a
new value. As a result, short period
of traffic loss can be expected.
Implicit-null label (label 3)
no label-advertising-mode Restores to default
maximum-interface-bandwidth Specifies the maximum available amount of
[speed <speed> | unit {bps bandwidth per interface:
| gbps | kbps | mbps}]
speed: in the range of <1-1000>
unit: bps, gbps, kbps, or mbps
no maximum-interface-bandwidth Removes the defined bandwidth
maximum-reservable-bandwidth Specifies the maximum bandwidth that is
[speed <speed> | unit {bps reserved per interface:
| gbps | kbps | mbps}]
speed: in the range of <1-1000>
no maximum-reservable- Removes the defined bandwidth
bandwidth
maximum-diffserv-class- Specifies the bandwidth allocation for DiffServ

bandwidth [speed <speed> | classes:
unit {bps | gbps | kbps |
mbps}] speed: in the range of <1-1000>
no maximum-diffserv-class- Removes the defined bandwidth
bandwidth

Command Description
te-metric <metric> Assigns a fixed metric value to an interface:

metric: in the range of <0-
4294967294>
10
no te-metric Restores to default
bypass-fast-reroute Enables FRR facility extensions. Mandatory if
1:N FRR is used.
Disabled
no bypass-fast-reroute Disables the FRR facility extensions
detour-fast-reroute Enables FRR detour extensions. Mandatory if 1:1
FRR is used
Disabled
no detour-fast-reroute Disables the FRR detour extensions
dynamic-bypass Enables the creation of dynamic bypass tunnels
when FRR facility method is selected for
protection
Enabled
no dynamic-bypass Disables the dynamic bypass tunnels
lsp-hold-timer <value> Specifies the time the device waits before

switching from active to MBB signaled instance:
<value>: in the range of <0-10>
seconds
0 seconds
no lsp-hold-timer Restores to default
path <path> The RSVP-TE unique path ID. Each path can
include multiple hops:
path: in the range of <0
4294967294>
no path [<path>] Removes the path (only if the path is not used):
path: (optional) in the range of
<04294967294>
hop <id> The hop used along the path:
id: any positive number
no hop [<id>] Removes the defined hop:
id: (optional) any positive number
hop-type {strict | loose} Specifies the hop type:
strict: only directly connected
hops are used between this hop and
the previous hop of the path
loose: non-directly connected hops
may be used between this hop and
the previous hop of the path
Loose
no hop-type Restores to default

Command Description
ip-address A.B.C.D
{include | exclude}
Specifies the hops IP address:
A.B.C.D: hop's IP address in

include: the hop's IP address is
included into the path
exclude: the hop's IP address is
excluded from the path
no ip-address A.B.C.D Removes the hops IP address:
A.B.C.D: hop's IP address in
shutdown Disables the defined path
no shutdown Enables the defined path
lsp <lsp_id> The LSP ID:

lsp_id: in the range of
<1-32638>
no lsp <lsp_id> Removes the LSP instance:
<1-32638>
name LSP_NAME
Specifies the LSP name:

LSP_NAME: a string of <1-30>
characters
no name LSP_NAME Removes the LSP name:
LSP_NAME: a string of <1-30>
characters
backup-setup-priority Specifies the setup priority for the backup tunnel:
<priority>
0
no backup-setup-priority Restores to default
backup-holding-priority Specifies the holding priority for the backup
<priority> tunnel:
7
no backup-holding-priority Restores to default
far-end A.B.C.D
Specifies the far-ends IP address:

A.B.C.D: IP address in dotted-
decimal format
no far-end A.B.C.D Removes the far-ends IP address:
A.B.C.D: IP address in dotted-
decimal format

Command Description
fast-reroute-mode {facility | Specifies the LSP FRR mode:

one-to-one | no-preference}
facility: selects facility method
for tunnel protection
one-to-one: selects detour method
for tunnel protection
no-preference: removes the fast
reroute object from the packet
Disabled
no fast-reroute-mode Restores to default
admin-group include-all Selects which admin-groups will be considered
<tunnel_affinity_ as mandatory when calculating CSPF path for
id> the primary tunnel.
All admin groups defined here must be available
on the links.
tunnel_affinity_id:
0
no admin-group include-all Restores to default
admin-group include-any Selects which admin-groups will be considered
<tunnel_affinity_ as optional when calculating CSPF path for the
id> primary tunnel.
At least one admin group specified here must be
available on the links.
tunnel_affinity_id:
0
no admin-group include-any Restores to default
admin-group exclude-any Selects which admin-groups will be considered
<tunnel_affinity_ as excluded when calculating CSPF path for the
id> primary tunnel.
Any admin group specified here must not be
present on the links.
tunnel_affinity_id:
0
no admin-group exclude-any Restores to default
backup-admin-group exclude-any Selects which admin-groups will be considered
<tunnel_affinity_ as excluded when calculating CSPF path for the
id> backup tunnel.
present on the links.
tunnel_affinity_id:
0
no backup-admin-group backup- Restores to default
exclude-any

Command Description
backup-admin-group include-all Selects which admin-groups will be considered

<tunnel_affinity_ as mandatory when calculating CSPF path for
id> the backup tunnel.
on the links.
tunnel_affinity_id:
0
no backup-admin-group include- Restores to default
all
backup-admin-group include-any Selects which admin-groups will be considered

<tunnel_affinity_id> as optional when calculating CSPF path for the
backup tunnel.
At least one admin group spcified here must be
tunnel_affinity_id:
0
no backup-admin-group include- Restores to default
any
description DESCRIPTION The MPLS tunnel description:

<132> characters
no description Removes the MPLS tunnel description
guarded-destination A.B.C.D Specifies the IP address of guarded destination

(see Table 1):
A.B.C.D: the ingress IP address
no guarded_ Removes the configured IP address
destination A.B.C.D
holding-priority <priority> Specifies the holding priority for a specific LSP.

The holding priority is the priority associated with
an LSP for this tunnel to determine if it should be
preempted by other LSPs that are being
signaled.
priority: in the range of <0-7>,
where a lower number indicates a
higher priority.
0
no holding-priority Restores to default
max-backup-hops The LSP maximum backup hops allowed:
<hops>
hops: in the range of <0
4294967294>
16
no max-backup-hops Restores to default

Command Description
mbb-timeout The amount of time an LSP tries to re-signal the

<value> MBB instance:
value: in the range of <-
21474836482147483647> minutes
10 minutes
no mbb-timeout Restores to default
mtu <mtu> The MTU size advertised by the RSVP-TE:

mtu: in the range of <64-12288>
9216
rebuild-timer <value> The amount of time needed to rebuild the

existing LSP:
4294967294> minutes
60 minutes
no rebuild-timer Restores to default
setup-priority Specifies the setup priority for a specific LSP.
<priority> The setup-priority is the priority used when
signaling an LSP for this tunnel to determine
which existing tunnels can be preempted.
priority: in the range of <0-7>. A
lower number indicates a higher
priority. An LSP with a setup
priority of 0 can preempt any LSP
with a non-0 priority.
0
no setup-priority Restores to default
cspf Enables the usage of CSPF for path calculation
CSPF is disabled by default
no cspf Disables the usage of CSPF for path calculation.
The tunnel must have a path with strict hops
when this option is selected.
path <path> The path used by the LSP:
4294967294>.
To modify the path, exit the LSP.
no path Removes the path
exclude-resource-affinity Removes the resource affinity object from the
packet session attributes
no exclude-resource-affinity Restores the resource affinity object in the
secondary Creates a secondary LSP instance
no secondary Removes the secondary instance

Command Description
admin-group include-all Selects which admin-groups will be considered

tunnel_ as mandatory when calculating CSPF path for
affinity_id the secondary tunnel.
on the links.
tunnel_affinity_id:
No admin groups
no admin-group include-all Restores to default
admin-group include-any Selects which admin-groups will be considered
tunnel_ as optional when calculating CSPF path for the
affinity_id secondary tunnel.
At least one admin group specified here must be
tunnel_affinity_id:
No admin groups
no admin-group include-any Restores to default
admin-group exclude-any Selects which admin-groups will be considered
tunnel_ as excluded when calculating CSPF path for the
affinity_id secondary tunnel.
tunnel_affinity_id:
No admin groups
no admin-group exclude-any Restores to default
description DESCRIPTION The MPLS tunnel description:

characters
no description Removes the MPLS tunnel description
holding-priority The LSP holding priority.
<priority>
0
no holding-priority Removes the LSP holding priority
mbb-timeout <value> The amount of time an LSP tries to re-signal the

MBB instance:
value: in the range of <-
21474836482147483647> minutes
10 minutes
no mbb-timeout Restores to default
rebuild-timer <value> The amount of time needed to rebuild the

existing LSP:
4294967294> minutes
60 minutes

Command Description
no rebuild-timer Restores to default
mtu <mtu> The MTU size advertised:

mtu: in the range of <6412288>
9216
name LSP_NAME
Specifies the secondary instance name

setup-priority <priority> Specifies the setup priority:
priority: in the range of <07>
0
no setup-priority Restores to default
path <path> The path used by the LSP:

4294967294>
no path Removes the defined path used by the LSP
exclude-resource-affinity Removes the resource affinity object from the
no exclude-resource- Restores the resource affinity object in the
affinity packet session attributes
shutdown Disables the secondary LSP
no shutdown Enables the secondary LSP
shutdown Disables the LSP
no shutdown Enables the LSP
dynamic-bypass Enables dynamic-bypasses.
Enabled
no dynamic-bypass Disables dynamic-bypasses

VPLS Configuration Commands Hierarchy

device-name#
+ config terminal
+ [no] service
+ [no] customer NAME
- [no] contact CONTACT_NAME
- [no] phone phone_number
+ [no] sdp <sdp-id>
- [no] far-end A.B.C.D
- [no] lsp LSP_NAME
- [no] path-mtu <mtu>
- mode mtu-s
- [no] revert-timer <value>
- [no] shutdown
- [no] redundancy-mode {master | slave | none |
independent}
- [no] shutdown
- [no] secured
- [no] untagged
+ [no] spoke-sdp [<sdp-id>]
- [no] vc-type {ethernet | ethernet-vlan}
- [no] shutdown
- [no] pw-status-signaling
- [no] pw-redundancy
- [no] pw-precedence <precedence>
- [no] pw-active
- [no] secured
+ [no] vpws <vpws-id>
- [no] shutdown


- [no] untagged
+ [no] sdp [<sdp-id>]
- [no] vc-type {ethernet | ethernet-vlan}
- [no] shutdown
- [no] pw-status-signaling
- [no] shutdown
VPLS Configuration Commands Description

Table 5: VPLS Commands
Command Description

customer NAME Stores general text information regarding the

customer:
NAME: a string of <1-29> characters
no customer NAME Removes the customer
contact CONTACT_NAME Specifies the contact persons name:

CONTACT_NAME: a string of <1-29>
characters
no contact Removes the contact persons name
phone phone_number Specifies a phone number for contacting the

customer:
phone_number: up to 29 numbers
no phone Removes the phone number
sdp <sdp-id> Creates an SDP:

sdp-id: in the range of <1
4294967295>
no sdp <sdp-id> Removes the SDP:
sdp-id: in the range of <1
4294967295>
description DESCRIPTION The SDP description:
<129> characters
no description Removes the SDP description
far-end A.B.C.D
Specifies the SDP destination IP address the PW

terminates at:
A.B.C.D: SDP destination IP address

Command Description
no far-end A.B.C.D Removes the SDP destination:

A.B.C.D: SDP destination IP address
lsp LSP_NAME Selects an RSVP LSP as the SDP transport:
LSP_NAME: an existing LSP name
No LSP is defined. The SDP uses LDP
transport.
no lsp LSP_NAME Removes the RSVP LSP as the SDP transport:
LSP_NAME: an existing LSP name
path-mtu <mtu> The MTU value used when negotiating a PW:
mtu: in the range of <512-9216>
9190
no path-mtu Restores to default

<14294967294>
<14294967294>
mode mtu-s
Specifies the MTU VPLS mode. VPLS is configured

with one active spoke SDP and one backup spoke
SDP.
revert-timer <value> Specifies the amount of time the VPLS must wait
before reverting the traffic from a backup SDP to a
primary SDP. If during this period the primary path
experiences any connectivity problem, the timer is
restarted.
seconds
0 (applicable on VPLS-MTU)
no revert-timer Restores to default
description DESCRIPTION The VPLS description:

<129> characters
no description Removes the VPLS description
shutdown Disables the VPLS
Disabled
no shutdown Enables the VPLS
redundancy-mode {master | slave | Specifies the VPLS PW redundancy mode:
none | independent}
master: the VPLS state is defined
only by PW precedence. Any remote
requests are discarded
slave: the VPLS state is defined
only by remote requests

Command Description
none: disables the PW redundancy for

the VPLS. The redundancy must also
be disabled for the SDPs.
independent: the VPLS state is
defined both by the PW precedence
and remote requests
None
no redundancy-mode Restores to default
sap {{UU/SS/PP | agN}[:[igmp] | Adds a client port to a specific VPLS instance and
:[<vlan-id>]:[igmp] | specifies the SAP attributes:
UU1/SS1/PP1:<ces-
circuit>:{ces | ces-oos}} UU/SS/PP: the corresponding physical
port (unit, slot and port) defined
as SAP.(can be obtained from the
show port command)
UU/SS/PP: 1/1/1-1/1/4, 1/2/1-1/2/8
NOTE
definitions of unqualified
SAP, i.e: UU/SS/PP,
UU/SS/PP: or UU/SS/PP::.
All definitions result in
UU/SS/PP::.
definitions of qualified
SAP, i.e: UU/SS/PP:vlan-
id or UU/SS/PP:vlan-id:.
All definitions result in
UU/SS/PP:vlan-id:.
<1-14>
<1-4094>
values are: 1/3/9.
ces-circuit: circuit ID in the range
of <1-64>
packets
control packets
UU1/SS1/PP1:<ces- UU/SS/PP: (optional) the
corresponding physical port (unit,

Command Description
circuit>:{ces | ces-oos}} ] slot and port) defined as SAP.(can
be obtained from the show port
command)
UU/SS/PP: 1/1/1-1/1/4, 1/2/1-1/2/8
<1-14>
<1-4094>
values are: 1/3/9.
of <1-64>
packets
control packets
value: the valid values are: 0x8100,
0x9100, and 0x88a8
NOTE
The same ethertype value
must be configured for all
SAPs using the same
physical port.
remote and local SAPs in
the same service.
In case of matching the
VLAN ID of the SAP port
with the traffic VLAN ID,
the traffic is permitted
regardless of the
configured ethertype value.
0x8100
description DESCRIPTION The SAP description:

<129> characters
no description Removes the SAP description
shutdown Disables the SAP

Command Description
Disabled
no shutdown Enables the SAP
secured Enables secured mode on a SAP. Traffic from a
secured SAP can be switched only to a non-
secured SAP/SDP. Can only be set in admin down
state.
Disabled
no secured Disables secured mode on the SAP
untagged Only untagged traffic passes through the SAP

Disabled
no untagged Untagged and tagged traffic pass
spoke-sdp <sdp-id> Creates a spoke SDP:

sdp-id: (optional) in the range of
<14294967295>
no spoke-sdp [<sdp_id>] Removes the spoke SDP:
<14294967295>
vc-type {ethernet | ethernet- Specifies the VC type signaled for SDP:
vlan}
ethernet: strips the VLAN header
from the customer packets (the VC
type value is 0x0005)
ethernet-vlan: keeps the VLAN header
of the customer packets (the VC type
value is 0x0004).
ethernet-vlan
no vc-type Restores to default
shutdown Disables the spoke SDP
Disabled
no shutdown Enables the spoke SDP
pw-status-signaling Enables PW status signaling for the specific SDP:
Disabled
no pw-status-signaling Disables PW status signaling for the specific SDP
pw-redundancy Enables PW redundancy for the specific SDP (you
must enable PW status signaling to use this option).
Disabled
no pw-redundancy Disables PW redundancy for the specific SDP
pw-precedence <precedence> The PW precedence. The PW with the lowest

defined value has the highest precedence over
other PWs:
precedence: in the range of <1-7>
1
no pw-precedence Restores to default
pw-active Sends once a switchover request

Command Description
no pw-active Disables the sending

secured Enables the secured mode on the spoke SDP.
Traffic from a secured SDP can be switched only to
a non-secured SAP Disabled the spoke SDP to
change this setting.
Disabled
no secured Disables the secured mode
vpws <vpws-id> Creates a VPWS:

vpws-id: in the range of
<14294967294>
no vpws <vpws-id> Removes the VPWS:
vpws-id: in the range of
<14294967294>
sap {{UU/SS/PP | agN}[:[igmp] | Adds a client port to a specific VPWS instance and
:[<vlan-id>]:[igmp] | specifies the SAP attributes:
UU1/SS1/PP1:<ces-
circuit>:{ces | ces-oos}} UU/SS/PP: the corresponding physical
port (unit, slot and port) defined
show port command)
<1-14>
<1-4094>
values are: 1/3/9.
of <1-64>
packets
control packets
UU/SS/PP: 1/1/1-1/1/4, 1/2/1-1/2/8
NOTE

Command Description

definitions of unqualified SAP,
i.e: UU/SS/PP, UU/SS/PP: or
UU/SS/PP::. All definitions
result in UU/SS/PP::.
definitions of qualified SAP,
i.e: UU/SS/PP:vlan-id or
UU/SS/PP:vlan-id:. All
definitions result in
UU/SS/PP:vlan-id:.
UU1/SS1/PP1:<ces- UU/SS/PP: the corresponding physical
circuit>:{ces | ces-oos}} ] port (unit, slot and port) defined
show port command)
UU/SS/PP: 1/1/1-1/1/4, 1/2/1-1/2/8
<1-14>
<1-4094>
values are: 1/3/9.
of <1-64>
packets
control packets
description DESCRIPTION The SAP description:
<129> characters
no description Removes the SAP description

value: the valid values are: 0x8100,
0x9100, and 0x88a8
NOTE

Command Description

SAPs using the same
physical port.
remote and local SAPs in
the same service.
In case of matching the
VLAN ID of the SAP port
with the traffic VLAN ID,
the traffic is permitted
regardless of the
configured ethertype value.
0x8100
shutdown Disables the SAP
Disabled
no shutdown Enables the SAP
untagged Only untagged traffic passes through the SAP
Disabled
no untagged Untagged and tagged traffic pass
sdp <sdp_id> Creates a SDP:

sdp-id: in the range of
<14294967295>
no sdp [<sdp_id>] Removes the SDP:
<14294967295>
vc-type {ethernet | ethernet- Specifies the PW VC type:
vlan}
ethernet: 0x05 VC type
ethernet-vlan: 0x04 VC type
ethernet-vlan
no vc-type Restores to default
shutdown Enables the SDP
no shutdown Disables the SDP
pw-status-signaling Enables PW status signaling for the specific SDP
Disabled
no pw-status-signaling Disables PW status signaling for the specific SDP
shutdown Disables the VPWS
no shutdown Enables the VPWS
description DESCRIPTION The VPWS description:

<129> characters

Command Description
no description Removes the VPWS description
MPLS and VPLS Configuration Display Commands Hierarchy

device-name#
- show mpls interface [details]
- show mpls ldp {discovery | peer | session}
- show mpls tunnels [brief down | bypass-tunnels [brief] | bypass-
tunnels [protected-lsps] | down [brief]| egress [brief] | frr-
activated [brief] | frr-guarded [brief] | hold-timer | hops | non-
frr-guarded [brief] | transit [brief] | up [brief]]
- show mpls tunnels <lsp_id> [brief [egress] | brief [transit] | egress
[brief] | hops | transit [brief]]
- show mpls tunnels name string [brief [egress] | brief [transit] |
egress [brief] | hops | transit [brief]]
- show mpls tunnels interface <id> [brief [egress] | brief [transit] |
egress [brief] | hops | transit [brief]]
- show vpls [<vpls-id>] [details]
- show vpls [<vpls-id>] [sap [{{UU/SS/PP | agN}[:[igmp] | :[<vlan-
id>]:[igmp] | UU1/SS1/PP1:<ces-circuit>:{ces | ces-oos}} ][details]
- show vpls [<vpls-id>] sdp [<sdp-id>] [details]
- show vpws [<vpws-id>] [details]
- show vpws [<vpws-id>] [sap [{{UU/SS/PP | agN}[:[igmp] | :[<vlan-
]][details]
- show vpws [<vpws-id>] sdp [<sdp-id>] [details]
MPLS and VPLS Configuration Display Commands Description

Table 6: Show Commands
Command Description
show mpls interface [details] Displays the properties of the MPLS-enabled IP

interfaces:
details: detailed information is
displayed
show mpls ldp {discovery | peer | session} Displays the LDP details:
discovery: information about
current LDP Hello Adjacencies
peer: details on the LDP peers
discovered
session: information about the
current LDP session
show mpls tunnels [brief down | bypass- Displays information about the MPLS tunnels
tunnels [brief] | bypass-tunnels configuration, filtered by the below arguments:
[protected-lsps] | down [brief]| egress
[brief] | frr-activated [brief] | frr- brief: brief information

Command Description
guarded [brief] | hold-timer | hops |
non-frr-guarded [brief] | transit down: only inactive LSPs
[brief] | up [brief]]
bypass-tunnels: only bypass LSPs
protected-lsps: shows which
primary tunnels are protected by
which bypass tunnels
egress: only LSPs that end on
this device
frr-activated: FRR activated LSPs
only
frr-guarded: FRR guarded LSPs
only
hold-timer: the LSPs hold timer
hops: the LSPs hops
non-frr-guarded: non-FRR guarded
LSPs only
transit: only transit LSPs
up: only active LSPs
show mpls tunnels <lsp_id> [brief Displays information about the MPLS tunnels for
[egress] | brief [transit] | egress the specified LSP ID, filtered by the below
arguments:
<1-32767>
brief: brief information
this device
hops: the LSPs hops
show mpls tunnels name string [brief Displays information about the MPLS tunnels for
[egress] | brief [transit] | egress the specified LSP name, filtered by the below
arguments:
string: up to 32 characters
this device
hops: the LSPs hops
show mpls tunnels interface <id> [brief Displays information about the MPLS tunnels for
[egress] | brief [transit] | egress the specified interface ID, filtered by the below
arguments:
id: in the range of
<0-2147483647>
this device

Command Description
hops: the LSPs hops

show vpls [<vpls-id>] [details] Displays the VPLS settings and instances:
details: detailed VPLS
information
vpls-id: displays the specified
VPLS information
show vpls [<vpls-id>] [sap [{{UU/SS/PP | Displays the VPLS SAP information:
agN}[:[igmp] | :[<vlan-id>]:[igmp] |
UU1/SS1/PP1:<ces-circuit>:{ces | ces- details: detailed VPLS
oos}} ][details] information
vpls-id: (optional) displays the
specified VPLS information
command)
UU/SS/PP: 1/1/1-1/1/4, 1/2/1-
1/2/8
<1-14>
of <1-4094>
values are: 1/3/9.
range of <1-64>
packets
control packets
show vpws [<vpls-id>] [sap [{{UU/SS/PP | Displays the VPWS SAP information:
agN}[:[igmp] | :[<vlan-id>]:[igmp] |
UU1/SS1/PP1:<ces-circuit>:{ces | ces- details: (optional) detailed SAP
oos}} ][details] information
vpws-id: (optional) displays the
specified VPWS information
command)
UU/SS/PP: 1/1/1-1/1/4, 1/2/1-

Command Description
1/2/8
<1-14>
of <1-4094>
values are: 1/3/9.
range of <1-64>
packets
control packets
show vpls [<vpls-id>] sdp [details] Displays the VPLS SDP information:
details: (optional) detailed SDPs
information
vpls-id: (optional) displays the
specified VPLS information
show vpws [<vpws-id>] [details] Displays the VPWS settings and instances:
details: (optional) detailed VPWS
information
show vpws [<vpws-id>] sdp [details] Displays the VPWS SDP information:
details: (optional) detailed SDP
information
Example
In the following example, the show mpls tunnel command displays the configured MPLS tunnels:
Table 7: Fields Displayed by show mpls tunnel command

device-name#show mpls tunnels
-------------------------------------------------------------------------------
RSVP LSPs - Ingress (Detail)
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
Tunnel Name : frr1 (Ingress)
-------------------------------------------------------------------------------

Tunnel Index : 1 Tunnel IF Index : 1025

From : 1.1.1.1 To : 2.2.2.2
-------------------------------------------------------------------------------
LSP Name : frr1 (Primary)
Description :
-------------------------------------------------------------------------------
Instance Id : 1 Admin State : Up
Setup Prio : 0 Oper State : Up
Hold Prio : 0
Sess Attrib : LocProt, MergPerm, IsPers, RecRt, NodProt, RecLbl
Max Rate : 1000000 bps Mean Rate : 1000000 bps
Max Burst : 9216000 bytes Mean Burst : 9216000 bytes
L-LSP PSC : 0 DiffSrvClssType: 0
FastReroute : Enabled FRR Method : Facility
Bck HoldPrio: 7 Bck Bandwdth : 0 bps
Bck Stp Prio: 0 Bck Max Hops : 16
Bck Inc All : 0
Bck Inc Any : 0
Bck Exc Any : 0
Rebld Timer : 60 MTU : 9216
Owner : CLI MBB Timeout : 10
Path Comp : Explicit
Path In Use : 1
-----------------------------------------
Hop Index : 1 Hop Type : Loose
Ip Addr : 11.0.10.2/32 Include/Exclude: Include
Outgoing information
-----------------------------------------
Out If Idx : 35
Num Labels : 1 --> 285
Out Port : 3 VLAN : 10
Dest MAC : 00:00:0b:00:0a:02
-------------------------------------------------------------------------------
Tunnel Name : lsp2 (Ingress)
-------------------------------------------------------------------------------
Tunnel Index : 2 Tunnel IF Index : 1026
From : 1.1.1.1 To : 3.3.3.3
-------------------------------------------------------------------------------
LSP Name : lsp2 (Primary)
Description :
-------------------------------------------------------------------------------
Instance Id : 1 Admin State : Up
Setup Prio : 0 Oper State : Up
Hold Prio : 0
Sess Attrib : MergPerm, IsPers, RecRt, RecLbl
Max Rate : 1000000 bps Mean Rate : 1000000 bps

Max Burst : 9216000 bytes Mean Burst : 9216000 bytes

L-LSP PSC : 0 DiffSrvClssType: 0
FastReroute : Disabled
Rebld Timer : 60 MTU : 9216
Owner : CLI MBB Timeout : 10
Guarded Dest: 11.0.10.2
Path Comp : Dynamic Full
Path In Use : 2
-----------------------------------------
Outgoing information
-----------------------------------------
Out If Idx : 36
Num Labels : 1 --> 124
Out Port : 4 VLAN : 20
Dest MAC : 00:00:0b:00:14:02
-------------------------------------------------------------------------------
LSPs : 2
-------------------------------------------------------------------------------
Filed Description
Tunnel Name Name of the configured tunnel

Tunnel Index, Tunnel Tunnel index, tunnel interface index
IF Index
From, to IP address of the ingress and egress points of the tunnel
LSP Name, Description Name of the configured tunnel (primary or backup). The tunnel
description is provided, too.
Instance Id ID of the tunnel instance. Instance ID=1 for a primary tunnel,
instance ID=2 for a secondary tunnel.
Admin State Administrative state of the tunnel (up or down)
Setup Prio Setup priority of the tunnel. The valid values are <0-7> with 0
being the highest. Currently not in use.
Oper State Operational state of the tunnel. Take one of the following values:
Up
Down
Suppressed (only for secondary tunnel)
Down(Resig)tries to establish the tunnel
Up(Resign)FRR is in use for the current tunnel due to a
failure in the tunnel path
Hold Prio Holding priority of the tunnel. The valid values are <0-7> with 0
being the highest. Currently not in use.

Filed Description
Sess Attrib : Tunnel session attributes:

LocProt, MergPerm,
IsPers, RecRt, LocProtindicates that the any tunnel hop may choose to
NodProt, RecLbl reroute this tunnel without tearing it down. This flag permits
transit routers to use a local repair mechanism which may
result in violation of the explicit routing for this tunnel. When a
fault is detected on an adjacent downstream link or node, a
transit router can reroute traffic for fast service restoration.
MergPermpermits transit routers to merge this session with
other RSVP sessions for the purpose of reducing resource
overhead on downstream transit routers, thereby providing
better network scalability.
IsPersindicates whether the tunnel should be restored
automatically after a failure occurs.
IsPinindicates whether the loose-routed hops of this tunnel
are to be pinned.
RecRtindicates the actual route information that the LSP
tunnel traverse is recorded..
RecLblindicates that label information should be included
when recording the route.
BwProtindicates that a backup path with a bandwidth
guarantee is desired
NodProtindicates that a backup path that bypasses at least
the next node of the protected LSP is desired
Max Rate, Mean Rate Flow specification measured for this tunnel. Currently not in use.
Max Burst, Mean Burst
L-LSP PSC Label-only-inferred-LSP PSC.
PSC value of the label inferred tunnel (PHB Scheduling Class
(PSC))this field contains the16-bit encoding of the PHB (Per
Hop Behavior) Scheduling Class (PSC) to be used for packets on
this LSP. Currently not in use.
DiffSrvClssType DiffSrv class type. The valid range of <0-7>. Currently not in use.
FastReroute Fast Reroute protection status (enabled or disabled)
FRR Method Fast Reroute methods. Take one of the following values:
One-to-onecreates detour LSPs for each protected service
LSP at each potential point of failure.
Facilitycreates a bypass tunnel to protect a potential failure
point. Single LSP serves as backup to a set of protected
LSPs.
Bck HoldPrio Holding priority of the backup tunnel
Bck Bandwdth Reserved bandwidth for the backup tunnel
Bck Stp Prio Setup priority of the backup tunnel
Bck Max Hops Maximum number of hops for the backup tunnel
Bck Inc All All administrative group(s) included in the backup tunnel
Bck Inc Any Any administrative group(s) included in the backup tunnel
Bck Exc Any The administrative group(s) excluded in the backup tunnel
Rebld Timer The rebuild timer of the tunnel

Filed Description
MTU The MTU of the tunnel. The default value is 9216.

Guarded Dest Guarded-destination. The LSP carrying this configuration protects
a primary tunnel that passes through the specified hop, which is
also the MP of the protected tunnels.
MBB Timeout Make-before-break timeout. Amount of time an LSP uses for its
bypass
Path Comp Path computation mode. Takes one of the following values:
Explicitmanually created path using strict hop(s), not using
CSPF
Dynamicusing the CSPF calculator mechanism to select
the preferred path for the tunnel
Path In Use (only for Explicit Path) Index of the used path (internal)
Hop Index (only for Explicit Path) The index of the hops used along the path
Hop Type (only for Explicit Path) Type of the hop. Takes one of the following
values:
Strictthe hop is specified explicitly
Loosethe hop is chosen by CSPF
Ip Addr IP address of a hop in the path
Include/Exclude (only for Explicit Path) The hop is included/excluded to/from the
path by user configuration
ProtectFlags (only for Explicit Path) Protection availability on this hop:
LocProtAvaillocal protection is available
No Protection
Out If Idx Output interface index of the tunnel (internal)
Num Labels The Head-end egress label of the tunnel. If the tunnel is protected,
the Head-end egress label of the backup tunnel and the MP are
specified too.
Out Port Outbound port index of the tunnel (internal)
VLAN Outbound VLAN ID of the tunnel
Dest MAC MAC address of the next LSR along the path.

RSVP-TE Tunnels Configuration Examples

Create a Path:
This configuration creates an RSVP-TE path that combines loose with strict hops which can be
used in an LSP.
device-name(config)#router rsvp-te
device-name(config-rsvp-te)#path 1 hop 1 hop-type loose ip-address 3.3.3.3 true
device-name(config-hop-1)#commit
device-name(config-hop-1)#path 1 hop 2 hop-type strict ip-address 4.4.4.4 true
Create CSPF capable LSP:

This configuration creates a CSPF tunnel. The mandatory parameters are LSP-ID, egress
LSR-ID and LSP name. The system automatically signals the tunnel if the user validated the
prerequisites.
device-name(config)#router rsvp-te lsp 1 far-end 2.2.2.2 name tunnel cspf
device-name(config-lsp-1)#commit
NOTE
You must enable OSPF TE protocol extensions - prior to this step.
Create CSPF Capable LSP with Administrative-Group Restriction:

This configuration creates a CSPF tunnel using admin-group. The mandatory parameters are LSP-
ID, egress LSR-ID, LSP name and the administrative group affinity (include/exclude). The system
automatically signals the tunnel if the user validated the prerequisites
device-name(config)#router rsvp-te lsp 1 far-end 2.2.2.2 name tunnel cspf
admin-group include-any 2
NOTE
Create CSPF Capable LSP Using a Given Path:

This configuration creates a CSPF tunnel using specific path. The mandatory parameters are LSP-
ID, egress LSR-ID, LSP name, and the path used. The system automatically signals the tunnel if the
user validated the prerequisites
.
NOTE
You must shutdown an active tunnel before applying the path.

device-name(config)#router rsvp-te path 1 hop 1 hop-type loose ip-address

3.3.3.3 true
device-name(config-hop-1)#router rsvp-te lsp 1 far-end 2.2.2.2 name tunnel cspf
path 1
NOTE
Create Explicit LSP Using a Given Path:

This configuration creates an explicit tunnel which does not use CSPF. The specified path must
contain only strict hops. The mandatory parameters are LSP-ID, egress LSR-ID, LSP name, and
the path used. The system automatically signals the tunnel if the user validated the prerequisites
device-name(config)#router rsvp-te path 1 hop 1 hop-type strict ip-address

3.3.3.3 true
device-name(config-hop-1)#router rsvp-te lsp 1 far-end 2.2.2.2 name tunnel path
1
device-name(config-lsp-1)#no cspf
NOTE
You must shutdown an active tunnel before applying the path.
Create CSPF FRR Capable LSP:

This configuration creates a FRR protected CSPF tunnel. The mandatory parameters are LSP-ID,
egress LSR-ID, LSP name, and the method of protection facility (one to many bypass) or detour
(one to one detour).
device-name(config)#router rsvp-te lsp 1 far-end 2.2.2.2 name tunnel cspf fast-

reroute-mode facility
NOTE
You must define RSVP protocol extensionsto support facility mode, detour
mode, or bothprior to this step.
You can set an FRR set only on primary LSP.
Dynamic bypass are created for every FRR tunnel by default.
All routers within the topology must support a detour in order to establish
detour LSP.
Create CSPF Secondary LSP:

This configuration creates a CSPF tunnel with a secondary instance. The secondary instance
provides additional protection in case of a failure on the primary instance. The mandatory
parameters are LSP-ID, egress LSR-ID, LSP name, and the secondary instance name.

NOTE
NOTE
You must create the secondary LSP with an explicit path or administrative-group.
device-name(config)#router rsvp-te lsp 1 far-end 2.2.2.2 name tunnel1 path 1

secondary name tunnel1_sec path 2
Create a manual bypass LSP using a given path:

The device automatically creates bypass tunnels for each primary FRR tunnel. However, users can
create also manual bypass tunnels. In this case, the guarded-destination IP address must match the
address of the hop of the primary tunnel it should protect.
NOTE
Once defined, a manual bypass is preferred over dynamic bypass.
NOTE
The manual bypass must use a path or an administrative-group.

3.3.3.3 true
device-name(config-hop-1)#router rsvp-te lsp 1 far-end 2.2.2.2 name bypass path
11 guarded-dest 4.4.4.4
device-name(config-lsp-1)#no cspf
LDP Tunnels Configuration Example

Create LDP LSP:
This configuration creates a LDP tunnel. The mandatory parameters are ingress and egress
policy. The ingress ospf policy defines that all routes learned from the OSPF will be used for traffic
injection into the MPLS domain. Respectively the mpls egress policy means the device will accept
traffic going out of the MPLS domain for the specified local loopback FEC only.
device-name(config)#router ldp distribute ingress ospf
device-name(config-distribute)#router ldp distribute egress ip 1.1.1.1/32
device-name(config-ip-1.1.1.1/32)#commit
VPLS Configuration Examples

Create an SDP using LDP or RSVP-TE LSP Transport:
device-name(config)#service sdp 1 far-end 2.2.2.2
device-name(config-sdp-1)#lsp tunnel1

NOTE
The above command is optional when RSVP-TE LSP is needed.
device-name(config-sdp-1)#commit
device-name(config-sdp-1)#top
Create VPLS on an MTU Device Using LDP as Transport:

This example uses one unqualified SAP and one SDP, relying on LDP as the transport protocol
and VC label signaling. The configuration will only work if the correct configuration order has been
followed.
device-name(config-sdp-1)#top
device-name(config)#service vpls 100 mode mtu-s
device-name(config-vpls-100)#commit
device-name(config-vpls-100)#no shutdown
device-name(config-vpls-100)#sap 1/1/1::
device-name(config-sap-1/1/1::)#no shutdown
device-name(config-sap-1/1/1::)#commit
device-name(config-sap-1/1/1::)#exit
device-name(config-vpls-100)#spoke-sdp 1
device-name(config-spoke-sdp-1)#no shutdown
device-name(config-spoke-sdp-1)#commit
Create VPLS on an MTU device using RSVP as Transport, Protected by Dual

Homing:
This example uses one qualified SAP and two SDPs relying on RSVP as a transport protocol and
on LDP for VC label signaling. The configuration will only work if the correct configuration order
has been followed.
device-name(config-service)#sdp 1 far-end 2.2.2.2 lsp tunnel1
device-name(config-sdp-1)#exit
device-name(config-service)#sdp 2 far-end 3.3.3.3 lsp tunnel2
device-name(config-sdp-2)#exit
device-name(config-service)#vpls 101 mode mtu-s
device-name(config-sap-1/1/2:10:)#no shutdown
device-name(config-sap-1/1/2:10:)#commit
device-name(config-sap-1/1/2:10:)#exit

device-name(config-vpls-101)#spoke-sdp 2 pw-precedence 7
SAP Options on Services

Unqualified SAP
This configuration of SAP allows all traffic types to pass through the SAP.
Qualified Tagged SAP

This configuration of SAP allows only traffic with the configured VLAN to pass through the SAP.
All other traffic is dropped on the entrance to the SAP.
Unqualified Untagged SAP

This configuration of SAP allows only untagged traffic to pass through the SAP. All other traffic is
dropped on the SAP entrance
NOTE
Untagged mode is disabled by default.
device-name(config-sap-1/2/1::)#untagged
Triangle Topology Configuration Example

The following configuration example refers to the following topology:

Figure 15: A Triangle Topology Configuration Example
Configuring IP Interfaces and VLANs

PE1(config)#router interface sw12 address 150.2.1.1/30
PE1(config-interface-sw12)#exit
PE1(config)#router interface lo1 address 1.1.1.1/32
PE1(config-interface-lo1)#exit
PE1(config)#vlan 12 name PE1-PE2 routing-interface sw12 untagged 1/1/1
PE1(config-vlan-PE1-PE2/12)#exit
PE1(config)#vlan 13 name PE1-MTU routing-interface sw13 untagged 1/1/2
PE1(config-vlan-PE1-MTU/13)#exit
PE1(config-vlan)#exit
PE1(config)#no vlan 1 untagged 1/1/1
PE1(config)#port 1/1/1 default-vlan 12
PE1(config-port-1/1/1)#exit
PE1(config)#commit

PE2(config-interface-sw12)# exit
PE2(config)#router interface lo1 address 2.2.2.2/32
PE2(config)#vlan 12 name PE2-PE1 routing-interface sw12 untagged 1/1/2
PE2(config-vlan-PE2-PE1/12)#exit
PE2(config)#vlan 23 name PE2-MTU routing-interface sw23 untagged 1/1/1
PE2(config-vlan-PE2-MTU/23)#exit
PE2(config-vlan)#exit


PE2(config)#commit
MTU(config)#router interface sw13 address 150.3.1.2/30

MTU(config-interface-sw13)#exit
MTU(config)#router interface sw23 address 150.3.2.1/30
MTU(config)#router interface lo1 address 3.3.3.3/32
MTU(config-interface-lo1)#exit
MTU(config)#vlan 13 name MTU-PE1 routing-interface sw13 untagged 1/1/1
MTU(config-vlan-MTU-PE1/13)#exit
MTU(config)#vlan 23 name MTU-PE2 routing-interface sw23 untagged 1/1/2
MTU(config-vlan-MTU-PE2/23)#exit
MTU(config-vlan)#exit
MTU(config)#no vlan 1 untagged 1/1/1
MTU(config)#no vlan 1 untagged 1/1/2
MTU(config)#port 1/1/1 default-vlan 13
MTU(config-port-1/1/1)#exit
MTU(config)#port 1/1/2 default-vlan 23
MTU(config-port-1/1/2)#exit
MTU(config)#commit
Configuring OSPF:
PE1(config)#router
PE1(config-router)#ospf
PE1(config-ospf)#router-id 1.1.1.1
PE1(config-ospf)#trafic-engineering
PE1(config-ospf)#area 0.0.0.0
PE1(config-area-0.0.0.0)#interface 1.1.1.1
PE1(config-interface-1.1.1.1)#interface 150.2.1.1
PE1(config-interface-150.2.1.1)#dead-interval 10
PE1(config-interface-150.2.1.1)#hello-interval 3
PE2(config)#router
PE2(config-router)#ospf
PE2(config-ospf)#router-id 2.2.2.2
PE2(config-ospf)#trafic-engineering
PE2(config-ospf)#area 0.0.0.0
PE2(config-area-0.0.0.0)#interface 2.2.2.2

MTU(config)#router
MTU(config-router)#ospf
MTU(config-ospf)#router-id 3.3.3.3
MTU(config-ospf)#trafic-engineering
MTU(config-ospf)#area 0.0.0.0
MTU(config-area-0.0.0.0)#interface 3.3.3.3
MTU(config-interface-3.3.3.3)#interface 150.3.1.2
MTU(config-interface-150.3.1.2)#dead-interval 10
MTU(config-interface-150.3.1.2)#hello-interval 3
MTU(config-interface-150.3.1.2)#interface 150.3.2.1
MTU(config-interface-150.3.2.1)#dead-interval 10
MTU(config-interface-150.3.2.1)#hello-interval 3
Configuring MPLS
PE1(config)#router mpls
PE1(config-mpls)#lsr-id 1.1.1.1
PE1(config-mpls)#exit
PE1(config-router)#exit
PE1(config)#commit
PE2(config)#router mpls
PE2(config-mpls)#lsr-id 2.2.2.2
PE2(config-mpls)#exit
PE2(config-router)#exit
PE2(config)#commit
MTU(config)#router mpls
MTU(config-mpls)#lsr-id 3.3.3.3
MTU(config-mpls)#exit
MTU(config-router)#exit
MTU(config)#commit
Configuring LDP, Targeted Peers, and Distribution

PE1(config)#router ldp
PE1(config-ldp)#interface lo1
PE1 (config-interface-lo1)#exit
PE1(config-ldp)#interface sw12
PE1 (config-interface-sw12)#exit
PE1(config-ldp)#targeted-peer 2.2.2.2
PE1(config-targeted-peer-2.2.2.2)#exit
PE1(config-ldp)#distribute ingress ospf
PE1(config-distribute)#exit
PE1(config-ldp)#distribute egress connected

PE1(config-ldp)#exit
PE1(config-router)#commit
PE2(config)#router ldp
PE2(config-ldp)#interface lo1
PE2(config-ldp)#distribute ingress ospf
PE2(config-ldp)#distribute egress connected
PE2(config-ldp)#exit
PE2(config-router)#commit
MTU(config)#router ldp
MTU(config-ldp)#interface lo1
MTU(config-ldp)#interface sw23
MTU(config-ldp)#interface sw13
MTU(config-ldp)#targeted-peer 1.1.1.1
MTU(config-targeted-peer-1.1.1.1)#exit
MTU(config-ldp)#targeted-peer 2.2.2.2
MTU(config-targeted-peer-2.2.2.2)#exit
MTU(config-ldp)#distribute ingress ospf
MTU(config-distribute)#exit
MTU(config-ldp)#distribute egress connected
MTU(config-distribute)#exit
MTU(config-ldp)#exit
MTU(config-router)#commit
Configuring RSVP
PE1(config)#router rsvp-te
PE1(config-rsvp)#interface lo1
PE1 (config-interface-lo1)#exit
PE1(config-rsvp)#interface sw12
PE1(config-rsvp)#bypass-fast-reroute
PE1(config-rsvp-te)#ignore-ingress-interface-affinities
PE1(config-rsvp-te)#commit

PE2(config-rsvp)#interface lo1
PE2(config-rsvp-te)#ignore-ingress-interface-affinities
PE2(config-rsvp-te)#commit
MTU(config)#router rsvp-te
MTU(config-rsvp)#interface lo1
MTU(config-rsvp)#interface sw23
MTU(config-rsvp)#interface sw13
MTU(config-rsvp-te)#ignore-ingress-interface-affinities
MTU(config-rsvp-te)#commit
Configuring RSVP Path and LSPs

# PE1 uses Strict Hop for the path to reach directly PE2
# PE1 uses Loose Hop (via CSPF) for the path to reach MTU
PE1(config-rsvp-te)#path 1
PE1(config-path-1)#hop 1
PE1(config-hop-1)#ip-address 150.2.1.2 include
PE1(config-ip-address-150.2.1.2/true)#hop-type strict
PE1(config-hop-1)#no shutdown
PE1(config-hop-1)#exit
PE1(config-path-1)#exit
PE1(config-ip-address-3.3.3.3/true)hop-type loose
PE1(config-hop-1)#commit
PE1(config-rsvp-te)#lsp 1 name PE1_PE2 far-end 2.2.2.2
PE1(config-lsp-1)#fast-reroute-mode facility
PE1(config-lsp-1)#path 1
PE1(config-lsp-1)#no shutdown
PE1(config-lsp-1)#commit
PE1(config-lsp-1)#exit
PE1(config-rsvp-te)#lsp 2 name PE1_MTU far-end 3.3.3.3
PE1(config-lsp-2)#cspf

# PE2 uses Strict Hop for the path to reach directly PE1
# PE2 uses Loose Hop (via CSPF) for the path to reach MTU
PE2(config-ip-address-150.2.1.1/true)#hop-type strict
PE2(config-ip-address-3.3.3.3/true)hop-type loose
PE2(config-hop-1)#commit
PE2(config-rsvp-te)#lsp 1 name PE2_PE1 far-end 1.1.1.1
PE2(config-lsp-1)#no shutdown
PE2(config-lsp-1)#exit
PE2(config-rsvp-te)#lsp 2 name PE2_MTU far-end 3.3.3.3
PE2(config-lsp-2)#cspf
# MTU uses CSPF to reach PE1 and PE2

MTU(config)#router rsvp-te
MTU(config-rsvp-te)#lsp 1 name MTU_PE1 far-end 1.1.1.1
MTU(config-lsp-1)#fast-reroute-mode facility
MTU(config-lsp-1)#cspf
MTU(config-lsp-1)#no shutdown
MTU(config-lsp-1)#commit
MTU(config-lsp-1)#exit
MTU(config-rsvp-te)#lsp 2 name MTU_PE2 far-end 2.2.2.2
MTU(config-lsp-2)#fast-reroute-mode facility
MTU(config-lsp-2)#cspf
MTU(config-lsp-2)#no shutdown
MTU(config-lsp-2)#commit
Configuring a Service SDP

PE1(config)#service
PE1(config-service)#sdp 5002 far-end 2.2.2.2
PE1(config-sdp-5002)#description ldp_sdp_to_PE2
PE1(config-sdp-5002)#exit


PE1(config-sdp-5003)#description ldp_sdp_to_MTU
PE1(config-service)#commit
PE2(config)#service
PE2(config-sdp-5001)#description ldp_sdp_to_PE1
PE2(config-sdp-5003)#description ldp_sdp_to_MTU
PE2(config-service)#commit
MTU(config)#service
MTU(config-service)#sdp 5001 far-end 1.1.1.1
MTU(config-sdp-5001)#description ldp_sdp_to_PE1
MTU(config-sdp-5001)#exit
MTU(config-service)#sdp 5002 far-end 2.2.2.2
MTU(config-sdp-5002)#description ldp_sdp_to_PE2
MTU(config-sdp-5002)#no shutdown
MTU(config-sdp-5002)#exit
MTU(config-service)#commit
Configuring a Service VPLS

# VPLS (E-LAN) filtered for service-delimiter vlan 600
# MTU is in DUAL HOMED with an active SDP to PE1 and backup SDP to PE2
PE1(config-service)#vpls 50600
PE1(config-vpls-50600)#mode pe-rs
PE1(config-vpls-50600)#commit
PE1(config-vpls-50600)#no shutdown
PE1(config-vpls-50600)#sap 1/1/3:600:
PE1(config-sap-1/1/3:600:)#no shutdown
PE1(config-sap-1/1/3:600:)#commit
PE1(config-sap-1/1/3:600:)#exit
PE1(config-vpls-50600)#mesh-sdp 5002
PE1(config-mesh-sdp-5002)#commit
PE1(config-mesh-sdp-5002)#vc-type ethernet-vlan
PE1(config-mesh-sdp-5002)#no shutdown
PE1(config-mesh-sdp-5002)#exit
PE1(config-vpls-50600)#spoke-sdp 5003
PE1(config-spoke-sdp-5003)#commit
PE1(config-spoke-sdp-5003)#vc-type ethernet-vlan
PE1(config-spoke-sdp-5003)#no shutdown
PE2(config-service)#vpls 50600
PE2(config-vpls-50600)#mode pe-rs

PE2(config-vpls-50600)#no shutdown
PE2(config-vpls-50600)#sap 1/1/3:600:
PE2(config-vpls-50600)#mesh-sdp 5001
PE2(config-mesh-sdp-5001)#vc-type ethernet-vlan
PE2(config-mesh-sdp-5001)#no shutdown
PE2(config-mesh-sdp-5001)#exit
PE2(config-vpls-50600)#spoke-sdp 5003
PE2(config-spoke-sdp-5003)#vc-type ethernet-vlan
PE2(config-spoke-sdp-5003)#no shutdown
MTU(config-service)#vpls 50600
MTU(config-vpls-50600)#mode mtu-s
MTU(config-vpls-50600)#commit
MTU(config-vpls-50600)#no shutdown
MTU(config-vpls-50600)#commit
MTU(config-vpls-50600)#sap 1/1/3:600:
MTU(config-sap-1/1/3:600:)#no shutdown
MTU(config-sap-1/1/3:600:)#commit
MTU(config-sap-1/1/3:600:)#exit
MTU(config-vpls-50600)#spoke-sdp 5001
MTU(config-spoke-sdp-5001)#commit
MTU(config-spoke-sdp-5001)#vc-type ethernet-vlan
MTU(config-spoke-sdp-5001)#no shutdown
MTU(config-spoke-sdp-5001)#exit
MTU(config-vpls-50600)#spoke-sdp 5002
MTU(config-spoke-sdp-5002)#vc-type ethernet-vlan
MTU(config-spoke-sdp-5002)#backup
MTU(config-spoke-sdp-5002)#no shutdown
Configuring a Service VPWS

# VPWS (E-LINE) filtered for service-delimiter vlan 603
PE2(config-service)#vpws 52603
PE2(config-vpws-52603)#commit
PE2(config-vpws-52603)#no shutdown
PE2(config-vpws-52603)#commit
PE2(config-vpws-52603)#sap 1/1/3:603:

PE2(config-vpws-52603)#sdp 5103
PE2(config-sdp-5103)#commit
PE2(config-sdp-5103)#vc-type ethernet
PE2(config-sdp-5103)#no shutdown
PE2(config-sdp-5103)#commit
MTU(config-service)#vpws 52603
MTU(config-vpws-52603)#commit
MTU(config-vpws-52603)#no shutdown
MTU(config-vpws-52603)#commit
MTU(config-vpws-52603)#sap 1/1/3:603:
MTU(config-sap-1/1/3:603:)#no shutdown
MTU(config-sap-1/1/3:603:)#commit
MTU(config-sap-1/1/3:603:)#exit
MTU(config-vpws-52603)#sdp 5103
MTU(config-sdp-5103)#commit
MTU(config-sdp-5103)#vc-type ethernet
MTU(config-sdp-5103)#no shutdown
MTU(config-sdp-5103)#commit
Traffic-Engineering Tool Example

Specify the head-end and the tail-end of the required path between two end-points, and run the tool
to get the hops.
In the following example CSPF is used for automatic RSVP-TE based on LSP between node
1.1.0.54 and node 1.1.0.2. The tool indicates the hops used to establish the LSP between the nodes.
device-name#tool traffic-engineering originating ip 1.1.0.54
device-name#tool traffic-engineering destination ip 1.1.0.2
device-name#tool traffic-engineering run
===============================================================================
Traffic Engineering Query Tool
===============================================================================
CSPF Instance created.

Stage 1
Source address 1.1.0.54
Source address type IPV4
Source interface index 0
Source address 1.1.0.2
Source address type IPV4
Source interface index 0
Source interface address 0.0.0.0
Source interface address type UNKNOWN
Primary route:

Source output network interface address 105.54.53.2

Source output network interface index 36
Source output remote network interface address 105.54.53.1
Source output remote network interface index 0
Hops:
Address 1.1.0.53
Address type IPV4
Interface index 0
Interface address 105.53.52.2
Remote Interface Index 0
Remote Interface Address 105.53.52.1
Address 1.1.0.52
Address type IPV4
Interface index 0
Address 1.1.0.2
Address type IPV4
Interface index 0
te metric cost 30
max bandwidth 125000000
max reserve bandwidth 125000000
max unreserve bandwidth[0] = 125000000 bytes/sec
resource class 1,
srlg numbers: NONE
exclusion_overlap: routers = 0
exclusion_overlap: links = 0
exclusion_overlap: srlgs = 0
===============================================================================


Multiprotocol No standards are Private MIBs: RFC 3031,

Label Switching supported by this PRVT-LMGR- Multiprotocol Label
(MPLS) Protocols feature. MIB.mib Switching Architecture
and Services
PRVT-MPLS-LDP- RFC 3036, LDP
MIB.mib Specification
PRVT-CR-LDP- RFC 3063, MPLS
MIB.mib Loop Prevention
Mechanism
PRVT-RSVP-
MIB.mib RFC4379, Detecting
Multi-Protocol Label
PRVT-MPLS-TE- Switched (MPLS)
MIB.mib Data Plane Failures
PRVT-TEMIB- Draft-ietf-mpls-lsp-
ENTITY-MIB.mib ping-03
PRVT-SERV- Draft-ietf-l2vpn-vpls-
MIB.mib ldp
Draft-ietf-l2vpn-
signaling
RFC 4447,
Pseudowire Setup and
Maintenance Using
the Label Distribution
Protocol (LDP)
Resource No standards are Private MIB: RFC 2430 A Provider
ReSerVation supported by this PRVT-RSVP-MIB.mib Architecture for
Protocol with feature. DiffServ & TE
Traffic
Engineering
RFC 3209 Extensions
to RSVP for LSP
Extensions
Tunnels
(RSVP-TE)
RFC 3210
Applicability
Statement for
Extensions to RSVP
for LSP Tunnels
RFC 3175
Aggregation of RSVP
for IPv4 & IPv6
Reservations
RFC 3181 Signaled
Pre-emption Priority
Policy Element
draft-ietf-mpls-rsvp-
lsp-fastreroute-04.txt

Circuit Emulation Services (CES)
Table of Contents
Table of Figures 2
List of Tables 2
Supported Topologies 3
Operation 5
TDM Timing 5
Clock Controller 6
Clock Controller ID Assignment 6
Clock States 7
CES Packet Details 8
CES PDU Format 8
Structured Emulation 9
Unstructure (Unframed) Emulation 9
L-Bit and R-Bit 10
Real-time Transport Protocol (RTP) Timestamp 10
CES Features 10
Operation, Administration and Management (OAM) 10
Frame Aggregation 10
Jitter Buffer 11
Alarms 12
Log Messages 12
CES over MPLS 13

CES over MPLS Configuration Steps 13
CES Configuration Flow 14
CES Commands 15
Circuit Emulation Services (CES) (Rev. 01) Page 1

Table of Figures
Figure 1: A Schematic View of the CES Concept ............................................................................. 3
Figure 2: Ethernet CLE based on Ring Topology with Virtual TDM Lines ................................. 3
Figure 3: Ethernet CLE Including CES Transport to a Central Office Using a Distributed
CES TDM Multiplexer over PSN ........................................................................................................ 4
Figure 4: Client Device Using a Providers Packet Network for PBX Interconnection As Well
As Data Transmission ............................................................................................................................ 4
Figure 5: Circuit Emulation Service over Packet Network .............................................................. 5
Figure 6: Clock Controller..................................................................................................................... 6
Figure 7: Clock State Machine .............................................................................................................. 8
Figure 8: The CES PDU Format ......................................................................................................... 8
Figure 9: Structured Emulation ............................................................................................................ 9
Figure 10: Unstructured Emulation ..................................................................................................... 9
Figure 11: CES Configuration Flow .................................................................................................. 14
Figure 12: CES over Ethernet Configuration................................................................................... 27
Figure 13: CES over VPLS Configuration ........................................................................................ 34
Figure 14: CES over MPLS Configuration ....................................................................................... 44
List of Tables
Table 1: Clock Controller ID Assignment .......................................................................................... 7
Table 2: Parameters Affect in Packet Transit Delay........................................................................ 11
Table 3: CES Log Warning Levels ..................................................................................................... 12
Table 4: CES Commands .................................................................................................................... 16
Table 5: Local Port Circuit Default Values....................................................................................... 52
Page 2 Circuit Emulation Services (CES) (Rev. 01)

Circuit Emulation Services

Metro Ethernet Network Service can use CES over Ethernet to offer TDM services and to deliver
TDM voice traffic on the Ethernet and data transmission, as shown in the following figure.
Figure 1: A Schematic View of the CES Concept
Use CES over Ethernet to emulate Time-Division Multiplexing (TDM) services by tunneling TDM
circuits (such as T1 or E1) using the CES over a Packet-Switched Network (CESoPSN) method.
Supported Topologies
Use the device in the following topologies:
Ethernet CLE (Customer Located Equipment) based on a ring topology, providing virtual
TDM lines for service-provider clients over a packet network:
Figure 2: Ethernet CLE based on Ring Topology with Virtual TDM Lines

Ethernet CLE including CES transport to a central office, using a distributed CES TDM
Multiplexer over PSN, to provide TDM services to telephony clients (mostly PBXs and TDM
multiplexers) using the packet network.
Figure 3: Ethernet CLE Including CES Transport to a Central Office

Using a Distributed CES TDM Multiplexer over PSN
CPE using a provider packet network for PBX interconnection as well as data transmission.
Figure 4: Client Device Using a Providers Packet Network

for PBX Interconnection As Well As Data Transmission

Operation
CES over Ethernet, which encapsulates TDM data into a standard CES packet, forms packets on
ingress and reverses the process on egress, providing a transparent direct connection between any
two TDM devices, as shown in the following figure:
Figure 5: Circuit Emulation Service over Packet Network
To convert TDM data to a standard CES packet form, Customer Located Equipment (CLE) on
both sides of the PSN needs to employ an internet working function (IWF) that is based either on
structured or unstructured emulation.
Structured (Framed) Emulation uses the TDM framing structure, where each packet
comprises a sequence of timeslots.
Unstructured (Unframed) Emulation (also called structure-agnostic transport) disregards
the TDM framing structure, treating the TDM data as a stream of consecutive octets.
With its MPLS capabilities, the device can transmit converted TDM data to an MPLS-based
network as part of VPLS/VPWS services (CES over Ethernet encapsulated in MPLS header).
TDM Timing
TDM timing is a crucial aspect of CES implementation. To avoid an overflow/underflow due to
differences in the clock, the clock rate for TDM has to be consistent across the emulated circuit.
TDM signals (such as E1/T1 and SONET/SDH) are synchronous. Therefore, physical TDM lines
always carry a clock signal for synchronization. When replacing a physical TDM line with a CES
service, the CES service has to synchronize both sides of the service either by providing the same
clock to both sides or by transporting clock information and regenerating the clock.
The module supports the following TDM timing modes:
Internal (Local): The modules internal oscillator is of insufficient quality for most
applications. The Internal (Local) mode relies upon the oscillator and is used when no other
timing source is available. We recommend using Internal (Local) Mode for debug/testing
purposes only.
Loopback: Uses an incoming clock from the same TDM port.
Adaptive: generates the clock from incoming CES data packets.
The device supports the Multiple Clock domains. Each TDM port uses an independent clock
controlled by one clock controller.

Clock Controller
You can define only multiple clock domains for a CES module and define each of the eight TDM
interface clocks independently.
In this case, each TDM interface has a clock that is defined by a unique ID (as shown in the
following diagram). Each clock is assigned to a clock controller that retrieves the clock for the
specific TDM port. Each controller uses one of the TDM timing modes.
The other case is to direct each port to the internal oscillator.
Figure 6: Clock Controller
Clock Controller ID Assignment

Thefollowing table details the clock controller ID assignment. Use the relevant clock controller ID
to configure the appropriate clock controller for each TDM interface:

Table 1: Clock Controller ID Assignment

Interface Clock ID Clock Controller ID Clock Controller ID
(Interface) (CES Module)
1 1 primary 1
2 2 primary 2

7 7 primary 7
8 8 primary 8
NOTE
For the interface, the clock-controller terms are primary and back up. The clock-
controllers in the CES module are defined using numbers.
NOTE
For the interface, the clock-controller terms are primary and back up.
Clock States
The current status of a clock can be shown using the Show Clock-Controller Status command
with the following possible values:
freeRun: The operating condition of a clock when the output signal is internally controlled
without the influence of a present or previous reference.
acquisition: Clock synchronizes to the input reference. The output frequency and phase may
not be sufficiently stable and therefore may not conform to standards.
normal: Clock is synchronized to a reference. The output frequency of the clock is traceable
to the input reference frequency over the long term and the phase difference between the
input and output is bound.
holdover: Operating condition of a clock that, having lost its references, uses data previously
acquired (while operating in normal mode) to control the output signal. The stored data, or
holdover value, used by a clock in holdover mode is an average value obtained over a certain
period of time (to reduce the effects of short-term variations in reference frequency that may
occur during normal operation).
fastAcquisition: Fast pull-in of the clock to a reference (for example, when recovering from
holdover or when the input reference experiences an abrupt change in frequency). After
achieving a lock, the clock automatically changes to the slower-tracking, normal mode the
clock input controller mode. Not all clock input controllers support all modes.

NOTE
The clock input controller status is 'locked' only when the clock input controller
is in 'normal' mode.
Figure 7: Clock State Machine
CES Packet Details
CES PDU Format

The following figure shows CES Ethernet PDU format options for MEF8, SAToP, and CESoPSN
protocols. The protocol used is configurable.
Figure 8: The CES PDU Format

Structured Emulation
Structured (Framed) Emulation uses the TDM framing structure where each packet comsists of a
sequence of timeslots.
In structured emulation, the IWF strips the framing structure (for example, the F bit in a DS1) from
the data stream and places each timeslot in the packet payload followed by the same timeslots from
the next frame, and so on. Once the payload is complete, IWF adds a header and sends the packet
through the PSN to the CLE at the other end. On egress from the PSN, the CLE recreates the
TDM data stream.
The following figure presents a schematic example of how an IWF converts TDM frames into
structured CESoPSN packets where:
M represents the number of TDM frames received so far
K represents the number of frames aggregated in each packet.
Figure 9: Structured Emulation
Unstructure (Unframed) Emulation

18B
Unstructured (Unframed) Emulation (also called structure-agnostic transport) disregards the TDM
framing structure and treats TDM data as a stream of consecutive octets.
The number of octets that comprise each PSN packet payload (M in the figure below) is
independent of the number of timeslots in each TDM frame. Any alignment of these octets with
the underlying timeslots is coincidental and not guaranteed. The payload length (M) is typically
selected to make packet formation time approximately 1 millisecond in length (193 octets for a T1
circuit and 256 octets for an E1 circuit).
The following figure is a schematic example of how an IWF converts TDM frames into
unstructured CESoPSN packets (where N is the number of TDM octets received so far).
Figure 10: Unstructured Emulation

L-Bit and R-Bit

The CES header contains 32 bits, two of which are the L (local) -bit and R(remote)-bit, used by the
protocol to indicate packet error or loss.
L-bit is set: Indicates that the TDM data carried in the payload is invalid due to a Local TDM
defect.
R-bit is set: Indicates that the local egress IWF (packet to TDM) is in the packet loss state.
L-bit and R-bit are definable by the user to provide different bit messages according to the error.
See policy idle pattern and policy idle signaling commands.
Real-time Transport Protocol (RTP) Timestamp

An additional RTP timestamp, containing phase information about the TDM service clock, can be
added to the CES header.
If the peer circuit has RTP enabled then RTP must be enabled.
RTP is used in differential clock timing mode to detect and reconstruct the original clock. See the
circuit rtp command.
CES Features
Operation, Administration and Management (OAM)
The following OAM operations are supported for CES services:
Jitter-buffer size and frame aggregation level specification
Local loopback, the incoming CES packet stream is looped back to the PSN, per E1/T1 port
(used for testing)
Remote loopback, the incoming T1/E1 TDM stream is looped back including the clock, (used
for testing)
Generate and display MIB-II statistics for T1/E1 virtual channel connections to remote CES
devices
Display current connections using CLI show commands
Perform IP or MEF OAM pinging to the remote device
Display log messages
Frame Aggregation
To save bandwidth, several frames are aggregated and sent in a single packet using a common
header.
Without Frame Aggregation:

In structured mode, 8-bit samples are captured from each selected 64 Kbits DS0 timeslot and
transmitted in a single packet over the PSN. In this case, a separate CES protocol header is
transmitted for each set of selected 8-bit samples (from each frame).
In unstructured mode, each packet includes 24 timeslots for T1 and 32 timeslots for E1 and as
a result, transmits up to 193 bits plus a header for T1 and 256 bits plus a header for E1. Each
E1/T1 unstructured frame or DS0-structured frame sent over the packet-switched network
contains a payload of 132 bytes (8256 bits) and a header.
Transmission of T1/E1 frames over the packet network requires high bandwidth since in most
PSNs, the minimum packet size is 64 bytes and the minimum header size is 14-20 bytes.
With Frame Aggregation: To reduce the high bandwidth requirement, between 18 frames are
aggregated and sent in each PSN packet (usually between 18 frames). The frames use a common
header and reduce bandwidth overhead to only a few percentage points.
This minor disadvantage to this solution is longer delays since several frames need to be received
and aggregated before sending the constructed packet over the PSN.
Configuration: Define the number of TDM frames aggregated in each packet.
NOTE
Minimum payload is 32 bytes with at least two timeslots.
Jitter Buffer
Jitter refers to the deviation in packet transit delay time that is sometimes present in emulated circuit
output. Jitter can also disrupt packet order in the network. The Jitter Buffer handles jitter and is
essential to the maintainance of the constant packet transit delay required to operate the CES end-
to-end system over time.
Packet transit delay is a direct result of four parameters:
Table 2: Parameters Affect in Packet Transit Delay
Parameter Effect on Packet Transit Delay Time
Jitter Buffer Size: Can result in a delay of tens to hundreds of

Larger buffer increases overall delay but milliseconds
handles larger amounts of jitter
Smaller buffer size minimizes overall delay
but handles only a limited amount of jitter
Number of Frames Transported in a Single Can result in a delay of a few seconds
Packet
Operational Delay of the Local and Remote Can result in a delay of up to 12 milliseconds
CES Devices
Packet Transmit Delay between Local and Can result in a delay of tens to hundreds of
Remote Devices in PSN milliseconds
The device-names CES module uses a configurable jitter buffer to temporarily store ingressing
packets.
Configuration: Define the size the jitter buffer according to the maximum packet latency variation
expected in the network. The Jitter Buffer supports values between <1200> milliseconds.

NOTE
We recommend a jitter buffer size in the range of <140> milliseconds. However,
some applications require a larger jitter buffer of 150 milliseconds.
Alarms
E1/T1 performance defects that persist for more than 2.5 0.5 seconds generate corresponding
alarms. The T-Marc 3312SC/T-Marc 3312SCH supports the following alarms:
Remote Alarm Indication (RAI)
Loss of Frame (LOF)
Loss of Signal (LOS)
Alarm Indication Signal (AIS)
After ten seconds the alarm automatically shuts down if the defect that generated the alarm is not
detected.
Configuration: Configure the threshold levels for the alarms. For more information regarding
alarms and defects, refer to the ANSI T1.231-1997.
Log Messages
The CES application supports two types of log messages:
Local alert messages generated on the local device that are received from the CES board or
validated against a threshold value.
Remote alert messages generated from theSNMP private table of the remote device.
The following table shows the warning level of log messages defined in the CES application:
Table 3: CES Log Warning Levels
Warning Level Alert
Critical The local CES board 1/2 is not responding

Error Failed to execute the command on the CES board
Error The local CES board 1/2 is down. Details:
Peer: available/unavailable
Jitter buffer: overflow/underflow/normal
Notification Local 1/2/1 TDM port is up
Notification Local CES board 1/2 circuit is up
Notification Local CES board port:
Status: up/down
Alarm: blue/yellow/red

CES over MPLS

CES over MPLS feature transports CES traffic in the Ethernet environment using MPLS as
transport media. The CES traffic is carried by a tunnel called Pseudo Wire that provides connection
between the entry and the exit points of an MPLS cloud.
To achieve CES over MPLS transport, two additional headers are inserted in the CES packet:
VC label It is negotiated by a targeted LDP session between the two endpoints of a PW.
Used as service delimiter at the terminating endpoints of a PW.
Transport Label It is a result of label mapping agreement between the entry point of PW and
the next hop in the MPLS cloud. It is used to provide transport of the packets to the PWs
other end.
CES over MPLS Configuration Steps

Follow below steps to transport CES traffic through an MPLS cloud:
1. Define a CES circuit and specify an MPLS protocol type using command protocol mpls-
ldp
NOTE
1. The circuit destination MAC address, the MPLS transport label and the MPLS
VC label are not configurable.
2. The rest of CES circuit parameters needed for the CES circuit to become
operational are user-defined.
2. Enable the CES circuit using command no shutdown
NOTE
CES circuit remains operationally down until the configuration process is
completed.
3. Define an MPLS tunnel (refer to the MPLS Protocols and Services chapter of this User Guide)
4. Specify the defined CES circuit as only SAP point of the MPLS tunnel of point 3, using
command sap UU/SS/PP:<ces-circuit>:{ces | ces-oos} (refer to the MPLS Protocols
and Services chapter of this User Guide)
NOTE
Only when the CES circuit is successfully configured, it becomes operationally
up.

CES Configuration Flow
Figure 11: CES Configuration Flow

CES Commands
This section includes the CES Configuration Command Hierarchy, descriptions of available
commands, and a configuration example.
Command Hierarchy
NOTE
In order to use any of the commands successfully, the CES module must be in
Ready state.
+ config terminal
+ [no] ces
- module 1/3
- [no] mode {e1 | t1}
- [no] ip-address A.B.C.D
- [no] clock {backplane | internal}
- [no] policy lops {type {idle | all-one | channel-idle}} |
{threshold {enter <value> | exit <value>}}
- [no] policy unstructured-lops type {all-one | none}
- [no] policy lbit type {idle | all-one | channel-idle | none}
- [no] policy unstructured-lbit type {all-one | none}
- [no] policy structured-replace type {all-one | idle}
- [no] policy unstructured-replace {type {all-one | filler} |
pattern <value>}
- [no] policy rbit type {none | rai | channel-idle}
- [no] policy rd type {none | rai | channel-idle}
- [no] policy idle {pattern <value> | signaling <value>}
- [no] policy lbit-on-ais
+ [no] interface <CES_INTERFACE>
+ [no] clock-controller primary
- [no] circuit <value>
- [no] shutdown
- [no] clock {adaptive | diferential | loopback | module}
- [no] framing {cas | noncas | unframed | sf-cas | sf-
noncas | esf-cas | esf-noncas}
- [no] linecode {ami | hdb3 | b8zs}
+ [no] circuit <value>
- [no] exp-priority <value>
- [no] interface <CES_INTERFACE>
- timeslots TYPE

- [no] shutdown
- [no] vlan-id <id>
- [no] vlan-priority <priority>}
- rtp {enable | disable}
- policy-payload-suppress {enable | disable}
- [no] maximum-jitter-expected <value>
- [no] samples-aggregation <value>
- [no] protocol {satop-cesopsn | metro-ethernet | mpls-
ldp}
- [no] ip-tos <value>
- [no] oos-tos <value>
- [no] rtp-payload-type <value>
- [no] oos-payload-type <value>
- [no] local {udp-port <value> | oos-udp-port <value> |}
- [no] destination {ip-address A.B.C.D | udp-port <value>
| oos-udp-port <value>}
- clear ces module 1/3 statistics circuit
- show ces module 1/3 [circuit <number> [status] | clock-controller |
interface <CES_INTERFACE>
Table 4: CES Commands
Command Description

ces Enters CES Configuration mode
no ces Removes the CES configuration
module 1/3 Specifies the configured location of the CES
module, in a unit/slot format and enters CES
Module Configuration mode:
mode {e1 | t1} Specifies the cable line type attached to the TDM
ports on the CES module:
e1
t1
Command takes effect only after rebooting the
device.
e1
ip-address A.B.C.B Specifies an IP address for the currently

configured CES module.
A.B.C.D: the IP address of the CES
module, in dotted-decimal (Ipv4)
format

Command Description
NOTE
Command takes effect only after
rebooting the CES module.
The IP address of the CES
module must be configured as
the IP address of any swN
interface.
The IP address of the CES
module must be specified
before any CES circuit is
configured.
no ip-address Restores to default
clock {backplane | internal} Specifies the system clock source obtained
using SyncE protocol:
backplane: retrieves the clock
from the system clock source
internal: retrieves the clock from
internal oscillator
Internal
no clock Restores to default
policy lops {type {idle | all- Specifies what is sent to the TDM line or what
one | channel-idle}} | affects the TDM circuit in specific situations:
{threshold {enter <value> |
exit <value>}} lops: specifies the Loss Of Packet
Synchronization (LOPS) state
policy
type: specifies behavior when
packet synchronization is lost
idle: sends the idle configured
byte
all-one: selects the all-one TDM
policy (see below)
channel-idle: sends the idle byte
instead of the payload contents
and turns on the channel idle
indication in the trunk-signaling
during LOPS condition. Use with
CAS signaling
threshold: specifies the threshold
of entry and exit LOPS state
enter <value>: entries threshold,
(packets/second)
exit: exits threshold, in the
range of <1-1023> (packets/second)
All-One sends an AIS alarm:
When the circuit enters the LOPS state, an
AIS pattern (all ones for E1/T1) is sent on
the TDM transmit port.

Command Description
When the circuit exits the LOPS state, the

module sends TDM traffic from the Jitter
Buffer.
The advantage to All-One is that the user
receives an alert. The disadvantage is that this
setting causes downtime of more than 300 ms.
All-one
no policy Restores to default
policy unstructured-lops type Specifies the information sent on the TDM-bound
{all-one | none} interface during a LOPS (Loss of Packet
Synchronization) state in an unstructured circuit:
all-one: sends an AIS alarm:
When the circuit enters a LOPS state, an
AIS pattern with an appropriate amount of
data is sent on the TDM transmit interface.
When the circuit exits from the LOPS state,
the module sends TDM traffic from the jitter
buffer.
The user receives an alert; however, All-One has
a downtime of more than 300 millisecondes.
none: sends the data from the
fitter buffer
None
no policy unstructured-lops type Restores to default
policy lbit type {idle | all-one Specifies the payload pattern sent on a TDM
| channel-idle | none} bound interface for packets received with L Bit
(Local bit) set in a structured circuit:
all-one: sends Alarm Indication
Signal (AIS) alarm
channel-idle: uses with CAS
signaling. The idle byte is played
out instead of payload and
channel idle indication is set
up in the trunk signaling.
idle: sends configured idle
pattern
none: sends the received data as
received
Idle
no policy lbit type Restores to default
policy unstructured-lbit type Specifies the payload pattern sent on the TDM
{all-one | none} bound interface for packets received with the L
Bit set in an unstructured circuit:
all-one: sends AIS alarm
none: sends the received data as
received
None
no policy unstructured-lbit type Restores to default

Command Description
policy structured-replace type Specifies the information sent on the TDM bound
{all-one | idle} interface when a missing packet is detected in a
structured circuit:
all-one: sends an AIS alarm
idle: sends the configured idle
pattern
All-one
no policy structured-replace Restores to default
type
policy unstructured-replace Specifies the information sent on the TDM bound

{type {all-one | filler} | interface when a missing packet is detected in an
pattern <value>}
unstructured circuit:
all-one: sends an AIS alarm
filler: sends the configured idle
pattern
pattern: the filler pattern in the
range of <0-255>
All-one
no policy unstructured-replace Restores to default
policy rbit type {none | rai | Specifies the signaling information on TDM
channel-idle} bound circuit for packets with R Bit (Remote BIT)
set in an unstructured circuit:
channel-idle: use with CAS
rai: sends the TDM Remote Alarm
Indication (RAI) pattern
none: sends the received
information as received
None
no policy rbit type Restores to default
policy rd type {none | rai | Specifies the signaling information on the TDM-
channel-idle} bound interface for packets received with the M
Bits set to 10 and the L Bit set to 0 in an
structured circuit:
channel-idle: for use with CAS
rai: sends the TDM Remote Alarm
Indication (RAI) pattern
none: sends the received
information as received
None
no policy rd type Restores to default

Command Description
policy idle {pattern <value> | Specifies the idle pattern number for the module:
signaling <value>}
pattern <value>: specifies the
idle pattern sent on the TDM port
for the following events, in the
range of <0-255>:
the pattern includes receipt of L bit and
packet loss
the pseudo-wire is administratively disabled
for pseudo-wires
When detecting a missing packet and policy
structured/unstructured-replace is set to idle
When receiving a packet set with L bit, the
payload is present (not suppressed), and
policy L bit is set to idle
signaling <value>: specifies the
idle policy signaling number when
there is a failure on the TDM
port, including multi-frame
failures, in the range of <0-15>
no policy idle Restores to default
policy lbit-on-ais Configures the L-bit on the TX if AIS is detected
on the RX
Enabled
no policy lbit-on-ais Restores to default
interface <CES_INTERFACE> Specifies TDM CES interface and enters CES

Interface Configuration mode:
CES_INTERFACE: in the range of:
e1 mode: from e1-1.0.0.0 to e1-8.0.0.0
t1 mode: from t1-1.0.0.0 to t1-8.0.0.0
clock-controller primary Only for clock adaptive mode.
Specifies the source used by the clock controller
and enters CES Clock-controller Configuration
mode
no clock-controller Removes the configured controller
circuit <value> Assign a circuit ID to the clock controller:

value: circuit ID in the range of
<1-64>
no circuit Removes the configured value
shutdown Disables the specified interface
Shutdown
no shutdown Enables the specified interface
clock {adaptive | diferential Specifies the CES interface clock source.
| loopback | module} (Configure clock-controller command to
use differential or adaptive options)
module: the TDM port clock is

Command Description
retrieved from the main modules
clock. Define this parameter for
all or some of the eight TDM ports
when using a single clock domain
loopback: loops back the clock
received on the TDM port
differential: transmits only the
differences between the TDM clock
and the reference clock. In this
case, configure the clock
controller for the TDM port to
point to the relevant circuit
adaptive: retrieves the clock from
CES circuits. In this case,
configure the clock controller for
the TDM port to point to the
relevant circuit
Module
no clock Restores to default
description DESCRPTION Adds a description to the interface:

DESCRPTION: text string up to 30
characters
framing {cas | noncas | Specifies the E1 framing mode:
unframed | sf-cas | sf-
noncas | esf-cas | esf- unframed: configures the port to
noncas} work in an unframed mode
cas: specifies bandwidth as
56Kbps. Traffic carries CAS
information.

noncas: specifies bandwidth as 64
Kbps. Traffic does not carry
Channel Associated Signaling (CAS)
information.

Specifies the T1 framing mode:
sf-cas: configures port in
structured mode using SuperFrame
and supporting CAS.
sf-noncas: supports SF but does
not support CAS
esf-cas: configures port in
structured mode using Extended
SuperFrame and supporting CAS.
esf-noncas: configures port in
structured mode using Extended
SuperFrame and not supporting CAS
unframed: configures the port to
work in an unframed mode
Unframed

Command Description
no framing Restores to default

linecode {ami | hdb3 | b8zs} Specifies the E1 controllers line coding of the
CES module:
ami: Alternative Mark Inversion
(AMI)
hdb3: high density bipolar of
order 3 (HDB3)
b8zs: bipolar with eight-zero
substitution (B8ZS)
hdb3 for E1 and b8zs for T1
no linecode Restores to default
circuit <value> Enables the configuration of a specified existing

CES circuit and enters the CES Circuit
Configuration mode:
value: circuit ID in the range of
<1-64>
no circuit Removes the configured circuit
exp-priority <value> Specifies TC bits in the MPLS header if the CES
traffic is carried by the CES over MPLS service.
The command is applicable only if the circuit
protocol is mpls-ldp.
0
no exp-priority Restores to default
interface <CES_INTERFACE> Specifies an interface of the circuit (unit/slot):

CES_INTERFACE: in the range of:
for e1 mode: from e1-1.0.0.0 to e1-8.0.0.0
for t1 mode: from t1-1.0.0.0 to t1-8.0.0.0
timeslots TYPE Specifies the timeslots sent on this circuit:

TYPE: in the range of:
for e1: in the range of <1-31>
for t1: in the range of <1-24>
NOTE

Command Description
To configure a circuit follow the below

rules:
Frames * number of timeslots >=32
Valid range of frames are:
in E1 full mode: 2-25,
26, 28, 30, and etc (even
numbers)
in T1 full mode: 2-33,
34, 36, 38, and etc
(even numbers)
in factional mode:
multiple of 8
frames <=(max-
jitter*8)/1.5
60 <= packet size <=1514; packet
size depends on: protocol, VLAN,
rtp, frames payload, number of
timeslots
shutdown Enables the circuit
no shutdown Disables the circuit
vlan-id <id> Specifies a VLAN tag used for the circuits

Ethernet traffic:
id: VLAN identifier, in the range
of <1-4094>
no vlan-id [<id>] Removes the configured VLAN tag
vlan-priority <priority> Specifies a VLAN priority used for the circuits

Ethernet traffic:
priority: VLAN priority in the
range of <0-7>
0
no vlan-priority [<priority>] Restores to default
rtp {enable | disable} Enables/Disables the Real Time Transport

Protocol on the circuit
Disabled
no rtp Restores to default
policy-payload-suppress When L-bit is set, suppress (enable) or do not
{enable | disable} suppress (disable) the payload.
Enable
no policy-payload-suppress Restores to default
maximum-jitter-expected Specifies the initial delay introduced by the jitter
<value> buffer:
value: dynamically calculated
5
NOTE

Command Description

rules:
numbers)
34, 36, 38, and etc
(even numbers)
in factional mode:
multiple of 8
frames <=(max-
jitter*8)/1.5
timeslots
no maximum-jitter-expected Restores to default
samples-aggregation <value> Specifies the number of aggregated E1/T1

frames in each outgoing packet.
In structured mode, the list of valid values is 8,
16, and 32. When several timeslots are
selected, the payload has to be in multiples by 8.
In unstructured mode, select a value from a
dynamically defined range (depending on the
defined jitter buffer value).
For E1 mode, values greater than 26 have
to be even numbers (for example: 3, 5, 20,
25, 26, 28)
For T1 mode, values greater than 34 have
to be even numbers (for example: 3, 4, 5,
31, 32, 34, 36)
8
NOTE

Command Description

rules:
numbers)
34, 36, 38, and etc
(even numbers)
in factional mode:
multiple of 8
frames <=(max-
jitter*8)/1.5
timeslots
no samples-aggregation Restores to default
protocol {satop-cesopsn | Specifies the protocol used for the circuit.
metro-ethernet | mpls-ldp}
satop-cesopn: uses Structure
Agnostic TDM (SAToP) for
unstructured circuits and CES over
Packet Switched Network (CESoPSN)
for structured circuits
metro-ethernet: Metro-ethernet
header (does not include IP header
in the packet)
mpls-ldp: configures dynamic CES
over MPLS. Selects the LDP (Label
Distribution Protocol) type of
MPLS, as opposed to MPLS
encapsulation (static).
satop-cesopsn
no protocol Restores to default
ip-tos <value> Specifies type of service in the ToS field of the

VLAN header in the packets:
0
no ip-tos Restores to default
oos-tos <value> Specifies out-of-sequence and type of service

packets in the ToS field of the VLAN header in
the packets:
0
no oos-tos Restores to default

Command Description
rtp-payload-type <value> Specifies theRTP payload type for the CES

module. Must match the RTP Type for the
remote CES module (RTP must be enabled):
See RFC 3555, for table showing payloads
corresponding to numerical values.
0
no rtp-payload-type Restores to default
oos-payload-type <value> Specifies the OOS payload type for the RTP of
the CES module. Must match the OOS type for
the RTP of the remote CES module (RTP must
be enabled):
See RFC 3555, for table showing payloads
corresponding to numerical values.
0
local {udp-port <value> | Specifies the local UDP port receiving Ethernet
oos-udp-port <value> } traffic from the circuit being configured:
udp-port <value>: local UDP port
in the range of <0-65535>. For
details see Table 6
oos-udp-port <value>: local Out of
Band Signals (OOS) port, in the
range of <0-65535>. Send the
ignaling to a separate port. For
details see Table 6
no local Removes the configuration
destination {ip-address Configures the destination (remote peer) for the
A.B.C.D | udp-port specified CES circuit:
<value> | oos-udp-port
<value>} ip-address: the destination
(remote peer) IP address, in
dotted-decimal (Ipv4) format
udp-port <value>: the destination
UDP local port that receives
Ethernet traffic from the
currently configured circuit, in
the range of <0-65535>. This
command is valid only for circuits
not using the Metro-Ethernet
Packet protocol
oos-udp-port <value>: the
destination OOS UDP local port
that receives Ethernet traffic
from the currently configured
circuit, in the range of <0-65535>

show ces module 1/3 [circuit <number> Displays CES configuration information, filtered
[status] | clock-controller | policy | by command arguments:
interface <CES_INTERFACE>
1/3: CES module
circuit <number>: circuit ID in

Command Description
the range of <1-30>
status: circuit status
clock-controller: the source used
by the clock controller
interface <CES_INTERFACE>: CES
interfaces number. The valid
ranges are:
e1 mode: from e1-1.0.0.0 to e1-8.0.0.0
t1 mode: from t1-1.0.0.0 to t1-8.0.0.0

clear ces module 1/3 statistics circuit Clears statistics for all CES circuits, specified
CES circuit.
The following example displays how to configure CES over Ethernet.
Figure 12: CES over Ethernet Configuration
Connection: PSTN <-------->First Device is over SF-CAS TDM signaling. First Device receives
the clock from the TDM line. PSTN is responsible for providing the clock.
Connection: First Device<-------->Second Device is over Ethernet network using CESoPSN
protocol.
Devices are connected in VLAN ID 10 with priority 5 through ports 1/1/1<-------->1/1/1
Second Device receives the clock from the Ethernet.
Connection: Second Device <-------->PBX. is over SF-CAS TDM signaling. PBX is in receive
mode, PBX receives the clock from the second device.
1. Configuring First Device:
a. Define the SW interface configuration. This will also configure the CES IP address.
Device-name(config)#router interface sw0
Commit complete.
b. Define the VLAN configuration:

Device-name(config)#vlan 1
Device-name(config-vlan-1)#no routing-interface
Device-name(config-vlan-10)#routing-interface sw0
Device-name(config-vlan-10)#tagged 1/1/1
Device-name(config-tagged-1/1/1)#ex
Device-name(config-tagged-1/3/9)#exit
Device-name(config-vlan-10)#commit
Commit complete.
c. Define the CES IP address and mode configuration: Defining the CES IP is done via
defining sw0 IP, given in example 1a; changing of working mode requires that the device
be reloaded.
Device-name(config)#ces module 1/3
Device-name(config-module-1/3)#mode t1
Device-name(config-module-1/3)#commit
Device-name(config-module-1/3)#
Jan 1 15:53:40 critical Ces [1/3] To apply the new working mode restart
of device is required.
Device-name(config-module-1/3)#top
Device-name(config)#system reload
Are you sure you want to reload the device(yes/no)?yes
d. Define the TDM interface configuration:

Device-name(config-module-1/3)#interface t1-1.0.0.0
Device-name(config-interface-t1-1.0.0.0)#clock module
Device-name(config-interface-t1-1.0.0.0)#framing sf-cas
Device-name(config-interface-t1-1.0.0.0)#commit
Device-name(config-interface-t1-1.0.0.0)#exit
e. Define the Circuit configuration:

Device-name(config-module-1/3)#circuit 1
Device-name(config-circuit-1)#interface t1-1.0.0.0
Device-name(config-circuit-1)#timeslots 1-24
Device-name(config-circuit-1)#vlan-id 10
Device-name(config-circuit-1)#vlan-priority 5
Device-name(config-circuit-1)#maximum-jitter-expected 10
Device-name(config-circuit-1)#samples-aggregation 8
Device-name(config-circuit-1)#ip-tos 100
Device-name(config-circuit-1)#oos-tos 100
Device-name(config-circuit-1)#rtp-payload-type 110
Device-name(config-circuit-1)#oos-payload-type 115
Device-name(config-circuit-1)#local udp-port 2200
Device-name(config-circuit-1)#local oos-udp-port 2300
Device-name(config-circuit-1)#destination ip-address 1.0.0.177
Device-name(config-circuit-1)#destination udp-port 3000
Device-name(config-circuit-1)#destination oos-udp-port 3300
Device-name(config-circuit-1)#commit
f. Enable circuit after clock-controller configuration:

Device-name(config-circuit-1)#no shutdown
2. Configuring Second Device:

g. Define the SW interface configuration:
Device-name(config)#router interface sw0
Commit complete.
h. Define the VLAN configuration:

Device-name(config-vlan-1)#no routing-interface
Commit complete.
i. Define the CES IP address and mode configuration. Defining the CES IP is done via
defining sw0 IP, given in example 1a; changing of working mode requires that the device
be reloaded.
Device-name(config-module-1/3)#commit
Device-name(config-module-1/3)#top
Device-name(config)#system reload
Are you sure you want to reload the device(yes/no)?yes
j. Define the TDM interface configuration:

Device-name(config-interface-t1-1.0.0.0)#framing sf-cas
Device-name(config-interface-t1-1.0.0.0)#commit
k. Define the Circuit configuration:


Device-name(config-circuit-1)#vlan-priority 5
Device-name(config-circuit-1)#maximum-jitter-expected 10
Device-name(config-circuit-1)#samples-aggregation 8
Device-name(config-circuit-1)#ip-tos 100
Device-name(config-circuit-1)#oos-tos 100
Device-name(config-circuit-1)#rtp-payload-type 110
Device-name(config-circuit-1)#oos-payload-type 115
Device-name(config-circuit-1)#local udp-port 3000
Device-name(config-circuit-1)#local oos-udp-port 3300
Device-name(config-circuit-1)#destination ip-address 1.0.0.170
Device-name(config-circuit-1)#destination udp-port 2200
Device-name(config-circuit-1)#destination oos-udp-port 2300
l. Define the Clock-controller configuration:

Device-name(config-interface-t1-1.0.0.0)#clock adaptive
Device-name(config-interface-t1-1.0.0.0)#clock-controller primary circuit 1
Device-name(config-clock-controller-primary)#commit
Device-name(config-clock-controller-primary)#exit
m. Enable circuit after clock-controller configuration:

3. Display module details:

Device-name#show ces module 1/3
===========================================================================
CES
===========================================================================
Module 1/3
---------------------------------------------------------------------------
----
Description : CES 8 E1/T1
Type : CES-Integrated 8 Port
Status : Ready
Working mode : E1
Up Time : 16 hours, 5 minutes
Ready Time : Thu Jan 1 00:00:00 1970
Insert Time : Thu Jan 1 00:01:46 1970
Extract Time : Thu Jan 1 00:00:00 1970
MAC Address : 00:12:72:00:94:7e
IP Address : 1.0.0.170/255.255.255.0
Gateway : 192.168.0.1
Clock Mode : Internal
===========================================================================
4. Display Circuit details:

Device-name#show ces module 1/3 circuit 1
===========================================================================
CES

===========================================================================
Module 1/3
Circuit 1
---------------------------------------------------------------------------
----
Interface : t1-1.0.0.0
Timeslots : 1-24
Admin Status : Disabled
Mode : Structured
Vlan ID : 10
Priority : 5
RTP : Disabled
Policy Payload Suppress : Enabled
Maximum Jitter Expected : 10
Samples Aggregation : 8
Protocol : SATOP/CESOPSN
IP TOS : 100
IP OOS TOS : 100
Destination IP Address : 1.0.0.177
Destination UDP Port : 3000
Destination OOS UDP Port : 3300
Local UDP Port : 2200
Local OOS UDP Port : 2300
===========================================================================
===========================================================================
5. Display Circuit status:

Device-name#show ces module 1/3 circuit 1 status
===========================================================================
====
CES
===========================================================================
====
Module 1/3
Circuit 1
---------------------------------------------------------------------------
----
Admin status : Enabled
Operational Status : Up
Enable Time : Thu Jan 1 00:37:53 1970

Up Time : 00:07:16
Resolve status : Resolved
Peer MAC : 00:12:72:00:0b:d4
Used for clocking : No
Jitter Information : Yes
TDM Tx : Yes
TDM Rx : Yes
PSN Tx : UP
PSN Rx : UP
---------------------------------------------------------------------------
----
Counter Name Value

---------------------------------------------------------------------------
----
Tx Up Counter :0
Jitter Current (ms) 8.552
Jitter Buffer Delay (ms) 3.354
Jitter Min Level (ms) 6.677
Jitter Max Level (ms) 10.031
Ping to Peer 0
---------------------------------------------------------------------------
----
Counter Name Value
---------------------------------------------------------------------------
----
Valid Eth pps 100
Handled Eth pkts 270367
Unordered Eth pkts 0
Restarts TDM Tx 0
Restarts TDM Rx 1
Packets per sec 1000
Malformed Frames 106095
Underrun Eth pkts 11
LBit Counter pkts 481
RBit Counter pkts 429
Missing Eth pkts 16842752
===========================================================================
====
6. Display Clock-Controller status:

Device-name#show ces module 1/3 clock-controller 1
===========================================================================
====
CES
===========================================================================
====
---------------------------------------------------------------------------
----
Module 1/3
Clock-Controller 1
---------------------------------------------------------------------------
----
Destination Interface : t1-1.0.0.0
Status : Not Locked
State : Aquisition
Mode : Active
Recovery Method : Adaptive
Source Circuit Number : 1
Source TDM Interface : -
Source PTP Session Number : 0
---------------------------------------------------------------------------
----
Explanation of Clock States:

freeRun: The operating condition of a clock when the output signal is internally controlled,
without influence from a present or previous reference.
acquisition: Synchronization of the clock to the input reference. The output frequency and
phase may not be stable enough and therefore may not conform to standards.
normal: Synchronization of the clock to a reference. The output frequency of the clock is
traceable to the input reference frequency over the long term, and the phase difference
between the input and output is bound.
holdover: Operating condition of a clock when the clock has lost its references and is using
data acquired, during operation in normal mode, to control the output signal. In general, the
stored data or holdover value used by a clock in holdover mode is an average value obtained
over a certain period of time (to reduce the effects of short-term variations that may occur in
the reference frequency during normal operation).
fastAcquisition: Fast pull-in of the clock to a reference (for example, when recovering from
holdover or when the input reference has an abrupt change in frequency). After the clock
achieves a lock, the clock automatically changes to the slower-tracking, normal mode. The
mode of the clock input controller. Not all clock input controllers support all modes.
NOTE
The clock input controller status is 'locked' only if the clock input controller is
in 'normal' mode.
1. Display interface details:
NOTE
All 8 interfaces are displayed
Device-name#show ces module 1/3 interface
===============================================================================
CES
===============================================================================
Module 1/3
Interface e1-1.0.0.0
-------------------------------------------------------------------------------
Admin Status : Enabled
Link state : Down
Up Time : Thu Jan 1 19:48:02 1970
Service clock :
Framing : Unframed
Line Code : HDB3
Cable Length : 125 ohm
Loopback : None
-------------------------------------------------------------------------------

-------------------------------------------------------------------------------
Module 1/3
Interface e1-8.0.0.0
-------------------------------------------------------------------------------
Link state : Down
Up Time : Thu Jan 1 19:48:03 1970
Service clock :
Framing : CAS-NON CRC
Line Code : HDB3

Cable Length : 125 ohm

Loopback : None
2. Single interface display

device-name#show ces module 1/3 interface t1-1.0.0.0
===============================================================================
CES
===============================================================================
Module 1/3
Interface t1-1.0.0.0
-------------------------------------------------------------------------------
Link State : Undefined
Up Time : Thu Jan 1 00:11:43 1970
Service Clock : Adaptive
Framing : Unframed
Line Code : B8ZS
Cable Length : Short 133 ft
Loopback : None
Remote loopback transmit : None
Inband loopback activate code : 10000
Inband loopback deactivate code: 100
Remote loopback receive : None
Alarms : undefined
===============================================================================
The following example displays how to configure CES over VPLS.
Figure 13: CES over VPLS Configuration
Connection: PSTN <-------->First Device is over SF-NONCAS TDM signaling. First Device
receives the clock from the TDM line. PSTN is responsible for providing the clock.
Connection: First Device<-------->Second Device is over VPLS network using CESoPSN over
Ethernet protocol to convert the TDM before encapsulating inside VPLS.
Devices are connected through ports 1/2/8<-------->1/2/8 running MPLS LDP LSPs over OSPF
infrastructure.
On both devices, TDM traffic is received on two circuits and converted into two Ethernet flows
carrying customer VLANs (C-VLANs) 100 and 200 entering into the MPLS cloud as two Service
Access Points (SAP) under the same VPLS service.
Second Device receives the clock from the Ethernet/MPLS.

Connection: Second Device<-------->PBX. is over SF-NONCAS TDM signaling. PBX is in

receive mode, PBX receives the clock from the second device.
1. First Device (CES master clock loopback) configuration:
n. Define the VPLS configuration:
device-name(config-circuit-1)#router
device-name(config-rsvp-te)#dynamic-bypass
device-name(config-rsvp-te)#interface lo1
device-name(config-interface-lo1)#exit
device-name(config-rsvp-te)#interface sw34
device-name(config-rsvp-te)#lsp 1
device-name(config-lsp-1)#far-end 4.4.4.4
device-name(config-lsp-1)#name 1
device-name(config-lsp-1)#cspf
device-name(config-lsp-1)#no shutdown
device-name(config-lsp-1)#exit
device-name(config-rsvp-te)#exit
device-name(config-router)#interface lo1
device-name(config-interface-lo1)#address 3.3.3.3/32
device-name(config-interface-lo1)#no shutdown
device-name(config-router)#ospf
device-name(config-ospf)#router-id 3.3.3.3
device-name(config-ospf)#dscp-mapping 48
device-name(config-ospf)#traffic-engineering
device-name(config-ospf)#area 0
device-name(config-area-0)#interface 3.3.3.3
device-name(config-interface-3.3.3.3)#exit
device-name(config-area-0)#exit
device-name(config-ospf)#mpls
device-name(config-mpls)#lsr-id 3.3.3.3
device-name(config-mpls)#exit
device-name(config-router)#ldp
device-name(config-ldp)#no shutdown
device-name(config-ldp)#targeted-peer 4.4.4.4
device-name(config-targeted-peer-4.4.4.4)#no shutdown
device-name(config-targeted-peer-4.4.4.4)#distribute
device-name(config-distribute)#ingress ospf
device-name(config-distribute)#egress connected
device-name(config-distribute)#interface lo1
device-name(config-ldp)#interface sw34
device-name(config-ldp)#exit

device-name(config-router)#port 1/2/8
device-name(config-port-1/2/8)#description 1/2/8
device-name(config-port-1/2/8)#service
device-name(config-service)#sdp 1
device-name(config-sdp-1)#far-end 4.4.4.4
device-name(config-sdp-1)#vpls 1
device-name(config-sap-1/3/9:100:)#spoke-sdp 1
device-name(config-spoke-sdp-1)#no pw-status-signaling
device-name(config-sap-1/3/9:200:)#ex
Commit complete.
device-name(config-spoke-sdp-1)#vlan 34
Commit complete.
o. Define the CES configuration:

device-name(config)#ces
device-name(config-ces)#module 1/3
device-name(config-module-1/3)#mode t1
device-name(config-module-1/3)#circuit 1
device-name(config-circuit-1)#interface t1-1.0.0.0
device-name(config-circuit-1)#vlan-id 100
device-name(config-circuit-1)#no shutdown
device-name(config-circuit-1)#protocol metro-ethernet
device-name(config-circuit-1)#local ecid 3333
device-name(config-circuit-1)#destination mac 00:a0:12:c2:01:e1
device-name(config-circuit-1)#destination ecid 4444
device-name(config-circuit-1)#commit
Commit complete.

device-name(config)#ces module 1/3

device-name(config-module-1/3)#interface t1-5.0.0.0
device-name(config-interface-t1-5.0.0.0)#framing sf-noncas
device-name(config-interface-t1-5.0.0.0)#ex
device-name(config-module-1/3)# circuit 5
device-name(config-circuit-5)#timeslots 1-24
device-name(config-circuit-5)#vlan-priority 7
device-name(config-circuit-5)#local udp-port 7777
device-name(config-circuit-5)#destination ip-address 7.7.7.7
device-name(config-circuit-5)#destination mac 00:a0:12:c2:01:e1
device-name(config-circuit-5)#destination udp-port 8888
Commit complete.
device-name(config-module-1/3)#ip-address 5.5.5.5
device-name(config-module-1/3)#commit
Commit complete.
p. Reload the device to apply the CES module configuration:

device-name(config)#system reload
q. Display the CES module configuration details:

device-name#show ces module
===========================================================================
CES
===========================================================================
Module 1/3
---------------------------------------------------------------------------
Status : Ready
Working mode : T1
Up Time : 1 day, 16 hours, 40 minutes
MAC Address : 00:a0:12:c2:02:21
IP Address : 5.5.5.5/255.255.255.0
Gateway : 192.168.0.1
===========================================================================
2. Device 2 (CES slave clock adaptive) configuration:

r. Define the VPLS configuration:
device-name(config-circuit-1)#router

device-name(config-rsvp-te)#dynamic-bypass
device-name(config-rsvp-te)#interface lo1
device-name(config-rsvp-te)#interface sw34
device-name(config-rsvp-te)#lsp 1
device-name(config-lsp-1)#far-end 3.3.3.3
device-name(config-lsp-1)#name 1
device-name(config-lsp-1)#cspf
device-name(config-lsp-1)#no shutdown
device-name(config-lsp-1)#exit
device-name(config-rsvp-te)#exit
device-name(config-router)#
device-name(config-router)#interface lo1
device-name(config-interface-lo1)#address 4.4.4.4/32
device-name(config-interface-lo1)#no shutdown
device-name(config-router)#ospf
device-name(config-ospf)#router-id 4.4.4.4
device-name(config-ospf)#dscp-mapping 48
device-name(config-ospf)#traffic-engineering
device-name(config-ospf)#area 0
device-name(config-area-0)#exit
device-name(config-ospf)#mpls
device-name(config-mpls)#lsr-id 4.4.4.4
device-name(config-router)#ldp
device-name(config-ldp)#no shutdown
device-name(config-ldp)#targeted-peer 3.3.3.3
device-name(config-targeted-peer-3.3.3.3)#no shutdown
device-name(config-targeted-peer-3.3.3.3)#distribute
device-name(config-distribute)#ingress ospf
device-name(config-distribute)#egress connected
device-name(config-distribute)#interface lo1
device-name(config-ldp)#interface sw34
device-name(config-ldp)#commit
Commit complete.
device-name(config-port-1/2/8)#service
device-name(config-service)#sdp 1
device-name(config-sdp-1)#far-end 3.3.3.3

device-name(config-sdp-1)#vpls 1
device-name(config-sap-1/3/9:100:)#spoke-sdp 1
device-name(config-spoke-sdp-1)#vc-type ethernet-vlan
device-name(config-service)#vpls 2
device-name(config-sap-1/3/9:200:)#ex
device-name(config-spoke-sdp-1)#vc-type ethernet-vlan
Commit complete.
device-name(config-router)#port 1/2/8
device-name(config-port-1/2/8)# default-vlan 34
device-name(config-port-1/2/8)# description 1/2/8
device-name(config-spoke-sdp-1)#vlan 34
Commit complete.
s. Define the CES configuration:

device-name(config)#ces
device-name(config-ces)#module 1/3
device-name(config-module-1/3)#mode t1
device-name(config-interface-t1-1.0.0.0)#clock adaptive
device-name(config-interface-t1-1.0.0.0)#clock-controller primary circuit
1
device-name(config-clock-controller-primary)#ex
device-name(config-interface-t1-1.0.0.0)#ex
device-name(config-circuit-1)#protocol metro-ethernet
device-name(config-circuit-1)#local ecid 4444
device-name(config-circuit-1)#destination mac 00:a0:12:c2:02:21

device-name(config-circuit-1)#destination ecid 3333

Commit complete.
device-name(config-interface-t1-5.0.0.0)#clock adaptive
device-name(config-interface-t1-5.0.0.0)#framing sf-noncas
device-name(config-interface-t1-5.0.0.0)#clock-controller primary
device-name(config-clock-controller-primary)#circuit 5
device-name(config-clock-controller-primary)#exit
device-name(config-interface-t1-5.0.0.0)#exit
device-name(config-circuit-5)#timeslots 1-24
device-name(config-circuit-5)#vlan-priority 7
device-name(config-circuit-5)#local udp-port 8888
device-name(config-circuit-5)#destination ip-address 5.5.5.5
device-name(config-circuit-5)#destination mac 00:a0:12:c2:02:21
device-name(config-circuit-5)#destination udp-port 7777
Commit complete.
t. The following configuration is obligatory for setting CES ip address

device-name#con te
device-name(config-interface-sw10)#ex
device-name(config-router)#ex
device-name(config-module-1/3)#ip-address 7.7.7.7
device-name(config-module-1/3)#commit
Commit complete.
u. Reload the device to apply the CES module configuration:

device-name(config)#system reload
v. Display CES module configuration details:

device-name#show ces module 1/3
===========================================================================
CES
===========================================================================
Module 1/3
---------------------------------------------------------------------------
Status : Ready
Working mode : T1
Up Time : 17 minutes


MAC Address : 00:a0:12:c2:01:e1
IP Address : 7.7.7.7/255.255.255.0
Gateway : 192.168.0.1
device-name#show ces module 1/3 circuit 1

===========================================================================
CES
===========================================================================
Module 1/3
Circuit 1
---------------------------------------------------------------------------
Mode : Unstructured
Vlan ID : 100
Priority : 0
RTP : Disabled
Protocol : Metro-Ethernet
Destination MAC Address : 00:a0:12:c2:02:21
Destination ECID : 3333
Destination OOS ECID : 8193
Local ECID : 4444
Local OOS ECID : 8193
===========================================================================
device-name#show ces module 1/3 circuit 1 status

===========================================================================
CES
===========================================================================
Module 1/3
Circuit 1
---------------------------------------------------------------------------
Oper status : Up
Up Time : 341881:09:39
Resolve status : Not needed
Peer MAC : 00:a0:12:c2:02:21
Used for clocking : Yes
TDM Tx : Yes
TDM Rx : Yes
PSN Tx : Up
PSN Rx : Up
Tx Up Counter : 0


Ping to Peer 0
---------------------------------------------------------------------------
Counter Name Value
---------------------------------------------------------------------------
Valid Eth pps 1007
Restarts TDM Tx 0
Restarts TDM Rx 0
Malformed Frames 0
Underrun Eth pkts 0
LBit Counter pkts 0
RBit Counter pkts 0
Missing Eth pkts 0
===========================================================================
device-name#show ces module 1/3 clock-controller

===========================================================================
CES
===========================================================================
---------------------------------------------------------------------------
Module 1/3
Clock-Controller 1
---------------------------------------------------------------------------
Status : Locked
State : Normal
Mode : Active
---------------------------------------------------------------------------
---------------------------------------------------------------------------

===========================================================================
CES
===========================================================================
Module 1/3
Circuit 5
---------------------------------------------------------------------------
Oper status : Up
Up Time : 341880:29:20

Resolve status : Not needed

Peer MAC : 00:a0:12:c2:02:21
TDM Tx : Yes
TDM Rx : Yes
PSN Tx : Up
PSN Rx : Up
Tx Up Counter : 1
Ping to Peer 0
---------------------------------------------------------------------------
Counter Name Value
---------------------------------------------------------------------------
Valid Eth pps 0
Restarts TDM Tx 1
Restarts TDM Rx 0
Malformed Frames 0
Underrun Eth pkts 0
LBit Counter pkts 0
RBit Counter pkts 5
Missing Eth pkts 0
===========================================================================
device-name#show ces module 1/3 circuit 5

===========================================================================
CES
===========================================================================
Module 1/3
Circuit 5
---------------------------------------------------------------------------
Timeslots : 1-24
Mode : Structured
Vlan ID : 200
Priority : 7
RTP : Disabled
Protocol : SATOP/CESOPSN
IP TOS : 0
IP OOS TOS : 0
Destination IP Address : 5.5.5.5

Destination UDP Port : 7777

Destination OOS UDP Port : 49156
Local UDP Port : 8888
Local OOS UDP Port : 49156
===========================================================================
device-name#show ces module 1/3 clock-controller 5

===========================================================================
CES
===========================================================================
---------------------------------------------------------------------------
Module 1/3
Clock-Controller 5
---------------------------------------------------------------------------
Status : Locked
State : Aquisition
Mode : Active
---------------------------------------------------------------------------
===========================================================================
The following example displays how to configure CES over MPLS.
Figure 14: CES over MPLS Configuration
Connection: PSTN <-------->First Device is over SF-CAS TDM signaling. First Device receives
the clock from the TDM line. PSTN is responsible for providing the clock.
Connection: First Device<-------->Second Device is over MPLS network using CESoPSN
protocol to convert the TDM before encapsulating inside MPLS.
Devices are connected through ports 1/1/1<-------->1/2/1 running MPLS LDP LSPs over OSPF
infrastructure.
On both devices, TDM traffic is encapsulated with the MPLS header.
Second Device receives the clock from the CES over MPLS.
Connection: Second Device<-------->PBX. is over SF-CAS TDM signaling. PBX is in receive
mode, PBX receives the clock from the second device.

1. First Device (CES master clock loopback) configuration:

w. a. Define the CES configuration:
Device-name(config)#ces
Device-name(config-ces)#module 1/3
Device-name(config-interface-t1-1.0.0.0)#framing esf-cas
Device-name(config-interface-t1-1.0.0.0)#circuit 1
Device-name(config-circuit-1)#policy-payload-suppress disable
Device-name(config-circuit-1)#protocol mpls-ldp
Device-name(config-circuit-1)#top
x. b. Define the MPLS configuration:

Device-name(config-router)#static-route 104.104.104.104/32 22.0.0.104 1
Device-name(config-router)#interface lo1
Device-name(config-interface-lo1)#address 106.106.106.106/32
Device-name(config-interface-lo1)#no shutdown
Device-name(config-interface-lo1)#exit
Device-name(config-interface-sw0)#description sw0
Device-name(config-interface-sw0)#no shutdown
Device-name(config-interface-sw0)#exit
Device-name(config-router)#ospf
Device-name(config-ospf)#router-id 106.106.106.106
Device-name(config-ospf)#dscp-mapping 48
Device-name(config-ospf)#mpls
Device-name(config-mpls)#lsr-id 106.106.106.106
Device-name(config-mpls)#exit
Device-name(config-router)#ldp
Device-name(config-ldp)#no shutdown
Device-name(config-ldp)#distribute
Device-name(config-distribute)#ingress static
Device-name(config-distribute)#interface sw1
Device-name(config-ldp)#top
Device-name(config-port-1/1/1)#default-vlan 11
Device-name(config)#service

Device-name(config-service)#sdp 1
Device-name(config-sdp-1)#far-end 104.104.104.104
Device-name(config-sdp-1)#vpls 1
Device-name(config-vpls-1)#no shutdown
Device-name(config-vpls-1)#mode mtu-s
Device-name(config-vpls-1)#sap 1/3/9:1:ces-oos
Device-name(config-sap-1/3/9:1:ces-oos)#no shutdown
Device-name(config-sap-1/3/9:1:ces-oos)#
Device-name(config-sap-1/3/9:1:ces-oos)#spoke-sdp 1
Device-name(config-spoke-sdp-1)#no shutdown
Device-name(config-spoke-sdp-1)#vc-type ces_o_psn_tdm_cas
Device-name(config-spoke-sdp-1)#no pw-status-signaling
Device-name(config-spoke-sdp-1)#
Device-name(config-spoke-sdp-1)#vpls 2
Device-name(config-vpls-2)#sap 1/3/9:1:ces
Device-name(config-sap-1/3/9:1:ces)#no shutdown
Device-name(config-sap-1/3/9:1:ces)#
Device-name(config-sap-1/3/9:1:ces)#spoke-sdp 1
Device-name(config-spoke-sdp-1)#top
Device-name(config-vlan-11)#name 11
Device-name(config-vlan-11)#no management
Device-name(config-vlan-11)#untagged 1/1/1
Device-name(config-untagged-1/1/1)#exit
2. Device 2 (CES slave clock adaptive) configuration:

y. Define the CES configuration:
Device-name(config)#ces
Device-name(config-ces)#module 1/3
Device-name(config-interface-t1-1.0.0.0)#clock adaptive
Device-name(config-interface-t1-1.0.0.0)#framing esf-cas
Device-name(config-interface-t1-1.0.0.0)#clock-controller primary
Device-name(config-clock-controller-primary)#circuit 1
Device-name(config-clock-controller-primary)#exit
Device-name(config-interface-t1-1.0.0.0)#
Device-name(config-interface-t1-1.0.0.0)#circuit 1

Device-name(config-circuit-1)#policy-payload-suppress disable
Device-name(config-circuit-1)#protocol mpls-ldp
Device-name(config-circuit-1)#top
z. a. Define the MPLS configuration:

Device-name(config-router)#static-route 106.106.106.106/32 22.0.0.106 1
Device-name(config-router)#interface lo1
Device-name(config-interface-lo1)#address 104.104.104.104/32
Device-name(config-interface-lo1)#no shutdown
Device-name(config-interface-lo1)#exit
Device-name(config-router)#ospf
Device-name(config-ospf)#router-id 104.104.104.104
Device-name(config-ospf)#dscp-mapping 48
Device-name(config-ospf)#mpls
Device-name(config-mpls)#lsr-id 104.104.104.104
Device-name(config-mpls)#exit
Device-name(config-router)#ldp
Device-name(config-ldp)#no shutdown
Device-name(config-ldp)#distribute
Device-name(config-distribute)#ingress static
Device-name(config-distribute)#interface sw1
Device-name(config-ldp)#top
Device-name(config-port-1/2/1)#default-vlan 11
Device-name(config)#service
Device-name(config-service)#sdp 1
Device-name(config-sdp-1)#far-end 106.106.106.106
Device-name(config-sdp-1)#vpls 1
Device-name(config-vpls-1)#sap 1/3/9:1:ces-oos
Device-name(config-sap-1/3/9:1:ces-oos)#no shutdown
Device-name(config-sap-1/3/9:1:ces-oos)#spoke-sdp 1
Device-name(config-spoke-sdp-1)#vpls 2

Device-name(config-vpls-2)#sap 1/3/9:1:ces
Device-name(config-sap-1/3/9:1:ces)#no shutdown
Device-name(config-sap-1/3/9:1:ces)#
Device-name(config-sap-1/3/9:1:ces)#spoke-sdp 1
Device-name(config-spoke-sdp-1)#top
Device-name(config-vlan-11)#name 11
Device-name(config-vlan-11)#no management
Device-name(config-vlan-11)#untagged 1/2/1
Device-name(config-untagged-1/2/1)#exit
Display Configuration details:

device-name#show vpls details
-------------------------------------------------------------------------------
Display VPLS all (details)
===============================================================================
-------------------------------------------------------------------------------
Service Description -
===============================================================================
Service ID : 1 Admin Status : Up
Service Type : MTU Oper Status : Up
VC ID : 1 Up Time : 02:34:53
Number SDPs (UP): 1 (1 ) Last Status Change : Oct 01 15:09:10 2009
Number SAPs (UP): 1 (1 ) Last Mnmt Change : Oct 01 15:06:46 2009
Secure SAPs mode: Disabled
Revert timer : 0
Mesh oper mode : Disabled
Spoke oper mode : Disabled
SDP Table - 1 SDPs

-------------------------------------------------------------------------------
SDP: 106.106.106.106
===============================================================================
SDP Role : Primary Admin Status : Up
VC Type : CESoPSN-TDM-with-sCAS Oper Status : Up
Signaling : LDP Up Time : 02:34:53
Group ID : 0 Last Status Change : Oct 01 15:09:10 2009
MTU : 9190 Last Mnmt Change : Oct 01 15:06:46 2009
Transport : 106.106.106.106/32 Outgoing VC Label : 28673
Out Intf : 44 Incoming VC Label : 28673
Nexthop : 22.0.0.106 Transport Label : 3
Learning : Enabled PW status signaling: Disabled
Secured : Disabled PW redundancy : Disabled

Local PW precedence: 1
Local VCCV : ttl/lsp-ping VCCV in use : ttl/lsp-ping
MAC Count : 0
SAP Table - 1 SAPs

-------------------------------------------------------------------------------
SAP: 1/3/9:1:CES-OOS
===============================================================================
Admin Status: Up Up Time : 02:36:50
Oper Status : Up Last Status Change : Oct 01 15:07:13 2009
Learning : Enabled Last Mnmt Change : Oct 01 15:06:46 2009
Ethertype : 0x8100 Untagged : false
Secured : Disabled
MAC Count : 0
-------------------------------------------------------------------------------
Service Description -
===============================================================================
Service ID : 2 Admin Status : Up
Service Type : MTU Oper Status : Up
VC ID : 2 Up Time : 02:34:53
Number SDPs (UP): 1 (1 ) Last Status Change : Oct 01 15:09:10 2009
Number SAPs (UP): 1 (1 ) Last Mnmt Change : Oct 01 15:06:46 2009
Secure SAPs mode: Disabled
Revert timer : 0
Mesh oper mode : Disabled
Spoke oper mode : Disabled
SDP Table - 1 SDPs

-------------------------------------------------------------------------------
SDP: 106.106.106.106
===============================================================================
SDP Role : Primary Admin Status : Up
VC Type : CESoPSN-TDM-with-sCAS Oper Status : Up
Signaling : LDP Up Time : 02:34:53
Group ID : 0 Last Status Change : Oct 01 15:09:10 2009
MTU : 9190 Last Mnmt Change : Oct 01 15:06:46 2009
Transport : 106.106.106.106/32 Outgoing VC Label : 28674
Out Intf : 44 Incoming VC Label : 28674
Nexthop : 22.0.0.106 Transport Label : 3
Learning : Enabled PW status signaling: Disabled
Secured : Disabled PW redundancy : Disabled
Local PW precedence: 1
Local VCCV : ttl/lsp-ping VCCV in use : ttl/lsp-ping
MAC Count : 0
SAP Table - 1 SAPs

-------------------------------------------------------------------------------
SAP: 1/3/9:1:CES
===============================================================================
Admin Status: Up Up Time : 02:36:50
Oper Status : Up Last Status Change : Oct 01 15:07:13 2009

Learning : Enabled Last Mnmt Change : Oct 01 15:06:46 2009

Ethertype : 0x8100 Untagged : false
Secured : Disabled
MAC Count : 0

===============================================================================
CES
===============================================================================
Module 1/3
Circuit 1
-------------------------------------------------------------------------------
Oper status : Up
Enable Time : Thu Oct 1 15:07:13 2009
Up Time : 02:37:41
TDM Tx : Yes
TDM Rx : Yes
PSN Tx : Up
PSN Rx : Up
Tx Up Counter : 0
Ping to Peer 0
-------------------------------------------------------------------------------
Counter Name Value
-------------------------------------------------------------------------------
Valid Eth pps 1000
Restarts TDM Tx 0
Restarts TDM Rx 0
Malformed Frames 0
Underrun Eth pkts 0
LBit Counter pkts 0
RBit Counter pkts 0
Missing Eth pkts 0
===============================================================================


Features Standards MIB RFC
CES Not supported Not supported draft-ietf-pwe3-satopStructure

agnostic TDM over packet
draft-ietf-pwe3-cesopsnTDM
circuit emulation service over
packet switched network.
MEF-8Implementation
agreement for the emulation of
PDH circuits over Metro-Ethernet
networks.

Appendix I. Tables of Values

Table 5: Local Port Circuit Default Values
Parameter Default Value
The number of the local/destination UDP port 49152 for circuit 1

port that receives the circuit's traffic
port 49153 for circuit 2
(up to port 49181 for circuit 30)
The number of the local/destination OOS port 49152 for circuit 1
UDP port that receives the circuit's traffic
(up to port 49181 for circuit 30)

Troubleshooting
Table of Contents
Table of Figures 2
List of Tables 2
System Manager's Console 4

System Manager's Console Features 4
Accessing System Manager's Console 4
Examples 6
Built-In Self Tests (BISTs) 9

BIST Commands 9
Periodic Monitoring 11
Alert Types 12
Periodic Monitoring Commands 12
Diagnosing Connectivity Problems22

Packet Internet Groper (PING) 22
Traceroute 22
Connectivity Diagnostic Commands 23
Port Mirroring (Port Monitoring) 25

Ethernet Loopback Test 29

Ethernet Loopback Test Commands 29
Technical Support Information35

Technical Support Commands 35
Troubleshooting (Rev. 01) Page 1

Table of Figures
Figure 1: Periodic Monitoring Configuration Flow ......................................................................... 11
Figure 2: Port Mirroring ...................................................................................................................... 25
List of Tables
Table 1: BIST Result Groups ............................................................................................................... 9
Table 2: BIST Commands ..................................................................................................................... 9
Table 3: Periodic Monitor Types and Results .................................................................................. 12
Table 4: Periodic Monitoring Commands ........................................................................................ 14
Table 5: Monitor Indicators ................................................................................................................ 19
Table 6: Connectivity Diagnostic Commands.................................................................................. 23
Table 7: Characteristics of Port Types............................................................................................... 25
Table 8: Port Mirroring Commands .................................................................................................. 26
Table 9: Ethernet Loopback Test Commands ................................................................................. 30
Table 10: Technical Support Commands .......................................................................................... 35
Page 2 Troubleshooting (Rev. 01)


This chapter describes the available tools used to troubleshoot and resolve technical issues with
Telco Systems devices.
System Manager's Console
System Manager's Console provides access to a minimum set of device management
commands.
Built-In Self Tests (BISTs)
Performs basic and configuration validity tests that report hardware failures automatically on
startup. Built In Self Tests can also be performed whenever needed.
Periodic Monitoring
Monitors hardware conditions to identify problematic hardware and deteriorated
environmental conditions.
Ethernet Loopback Test
The Ethernet Loopback test gives cost-effective method for testing.
Diagnosing Connectivity Problems
Diagnoses connectivity problems using the Ping and Traceroute utilities.
Port Mirroring (Port Monitoring)
Monitors network traffic by sending copies of all incoming and outgoing packets from
one port to a monitoring port for analysis.
Technical Support Commands
As part of standard troubleshooting methodology, retrieves technical information for the
device and forwards command output to the Telco Systems technical support team.

System Manager's Console

System Manager's Console provides access to a minimum set of device management commands
which you can use in case of:
error during the startup process, which prevents the devices initialization
failure of a hardware component (unit), which prevents the operating system from starting up
failure to locate the devices root file system
failure after system upgrade
lost administrators password
System Manager's Console Features

System Manager's Consoles Startup screen enables you to perform the following operations:
Reload the device
Check the connectivity (ping and traceroute commands )
Reset the devices configuration to the default factory settings
Reset the devices password to the default factory password
Provide software installation, recovery and upgrade services (for the file system, software
image file, and etc)
The recovery and upgrade service operation provides access to a Device Software Installation menu,
which you can use to:
Download a software image from TFTP/FTP server, via a serial console port (using the
Xmodem protocol) or from a HTTP web site
Activate a new software image
List the available software images or displaying the active software image
Remove a software image
Display the free space available in the area of the local file system that stores software
images (image file system)
Accessing System Manager's Console

NOTE
To enter System Manager's Console, you need to first connect to the device
directly through the devices serial console port.
To access System Manager's Console:
1. Power on or reload the device.
2. During the devices initialization, press the S key within 6 seconds until the System Manager's
Consoles startup screen appears:

Entering the System Manager's console...

starting pid 74, tty '': '/bin/system-manager'
ssss
____________________________
_____ _.\ ___________________ \
/ \------------------------/ || (___________________) |
> .________________________. || ____________________ |
\_____/ \// (____________________) |
\___________________________/
____________________________________________________________________________
(-) Mounting the /proc file system... OK

(-) Mounting required pseudo file systems... OK
(-) Reading the flash partitions table from /proc/mtd... OK
ssssssssssss (-) Mounting flash file system... (/real-
root,mmcblk0p2,ext3,rw)...
OK
(-) Reading the file systems table from /real-root/etc/fstab... OK
(-) Mounting flash file system... (applicfs,mmcblk0p3,auto,rw)... OK
(-) Mounting flash file system... (applicvarfs,mmcblk0p4,auto,rw)... OK
(-) Mounting flash file system... (/real-root/boot,mmcblk0p1,vfat,rw)...
O
K
(-) Collecting host system information... OK
(-) Preparing the IP network connectivity... OK
(-) Enabling remote access via telnet on port 23... OK
(-) Checking for task script to execute... OK
____________________________________________________________________________
(SysMan version Platform/1.1/T-Marc-3312/dev-4)

_______ __
| __|.--.--..-----.| |_.-----..--------.
|__ || | ||__ --|| _| -__|| |
|_______||___ ||_____||____|_____||__|__|__|
_______ |_____|
| | |.---.-..-----..---.-..-----..-----..----.
| || _ || || _ || _ || -__|| _|
|__|_|__||___._||__|__||___._||___ ||_____||__|
|_____|
_________________________________________________________________________
/ \
| SysMan - Device Maintenance and Management - Main Menu |
\_________________________________________________________________________/
0 | reset : Reset the device

1 | outband : Change the outband IP address and netmask
2 | defgw : Change the default gateway
3 | ping : Execute ping
4 | traceroute : Execute traceroute
5 | defcfg : Load the factory-default configuration for the device
6 | passwd : Change the administrator password
7 | install : Install and recover software images

8 | speed : Change the baud rate of the EIA232 serial interface

9 | dns : Configure DNS domain name servers
R | remote : Enable or disable remote access to this console
O | outif : Change the outband interface
H | help : Display help about this utility
Q | exit : Exit the console (reboot the device)
Type the desired menu option or command:
3. From the textual menu, select the appropriate option. This will display the command prompt
for the selected options.
Examples
Example 1:
In the following example, the outband (option 1) command changes the OutBand IP address and
netmask of the device:
Type the desired menu option or command: outband
Changing the outband IP address:

_______________________________________________________________________
NOTICE: Only the current session is affected by the IP address you set
for the outband interface (no system configuration file is modified).
Entering an empty text will show the current outband parameters.

Type the outband new IP address (A.B.C.D) or `DHCP': 192.168.1.20
Type the outband new netmask (A.B.C.D): 255.255.255.0
Outband IP address changed successfully.
Press Enter to continue:
******************************************************************************

_______ __
| __|.--.--..-----.| |_.-----..--------.
|__ || | ||__ --|| _| -__|| |
|_______||___ ||_____||____|_____||__|__|__|
_______ |_____|
| | |.---.-..-----..---.-..-----..-----..----.
| || _ || || _ || _ || -__|| _|
|__|_|__||___._||__|__||___._||___ ||_____||__|
|_____|
_________________________________________________________________________
/ \
\_________________________________________________________________________/



Type the desired menu option or command:
Example 2:
In the following example, the passwd (option 6) command restores the users password to its
default value (admin):
_______ __
| __|.--.--..-----.| |_.-----..--------.
|__ || | ||__ --|| _| -__|| |
|_______||___ ||_____||____|_____||__|__|__|
_______ |_____|
| | |.---.-..-----..---.-..-----..-----..----.
| || _ || || _ || _ || -__|| _|
|__|_|__||___._||__|__||___._||___ ||_____||__|
|_____|
_________________________________________________________________________
/ \
\_________________________________________________________________________/

Type the desired menu option or command: 6
Type 'yes' if you are sure you want to change the administrator password: yes

The administrator password will be reset on the next boot.

Example 3:
In the following example, the free (option 9) command displays the free space available on the
image file system:
Type the desired menu option or command: free
_______________________________________________________________________
Filesystem Size Used Available Use% Mounted on

/dev/mmcblk0p3 502.0M 44.5M 432.0M 9% /real-
root/applic/applis
******************************************************************************
############################################################################
### Device Software Installation and Recovery ###########################
############################################################################
1 | tftp : Download a software image from a TFTP server

2 | ftp : Download a software image from a FTP server
3 | xmodem : Download a software image with the XMODEM protocol
4 | http : Download a software image from a HTTP web site
L | flash : Install a software image directly from the flash
5 | ls : List the available software images
6 | activate : Change the active working application
D | deactive : Deactivate any active working application
7 | show : Display the active working application
8 | remove : Delete an application
9 | free : Display the free space in the application file system
X | main : Return to the main menu
H | help : Display help about this menu

Built-In Self Tests (BISTs)

On startup, the device performs a series of basic hardware and configuration validity tests. If the
device passes all of the tests, the Platform HW fault LED (FLT) is off; if the device fails one or
more of the tests, the LED turns red and blinks. Results are summarized, by test group, on the
terminal above the switch banner (see the following table). If so configured, the device sends an
SNMP trap with information on the test failures.
The device administrator can run these self tests at any time during the device operation. Test
results are grouped as follows:
Table 1: BIST Result Groups
Test Group Description
CPU usage test Checks the CPU usage

CPU temperature test Check the temperature around the CPU
Fans test Checks integrity of the fan tray
Power supply test Checks the status of the 2 power supplies
Port statistics Test Checks CRC and malformed packets on port
RAM Usage test Checks the amount of used RAM
BIST Commands
This section defines the command hierarchy for BISTs and provides a list of available commands.
Included also, is a configuration example.
Command Hierarchy
device-name#
- system monitor self-test [execute-now | full]
Table 2: BIST Commands
Command Description

system monitor self-test [execute-now | Initiates the execution of built-in test sequence
full] that automatically tests the system. Execute the
command without argument to display only failed
tests:
execute-now: executes BIST
immediately
full: the state of all tests
(passed and failed tests)

Example:
device-name#system monitor self-test full
self-test-result
CPU Temperature Test
Status : PASSED
Measure : 39C
CPU Resources Test
Status : PASSED
Measure : 4%
RAM Resources Test
Status : PASSED
Measure : 51%
Fan Test
Status : PASSED
Power Supply Test
Status : PASSED (primary) PASSED (primary)
Port Statistics Test
Status : PASSED
Measure : 0%

Periodic Monitoring
Through periodic monitoring, you can:
periodically monitor crucial device functions in the background and receive alerts when the
monitored indicators vary from operating norms
as a troubleshooting tool, monitor transient conditions and track irregular behaviors. You can
use this method for triggering diagnostic data-polling based on the device operational status
The following flow chart shows the steps need to define a monitor:
Figure 1: Periodic Monitoring Configuration Flow
When a monitor is defined for a device function (such as CPU temperature or RAM usage), results
are returned and actions taken according to a predefined configuration. The monitor can report two
types of results:
Pass/Fail: Operational status is reported as a simple Pass or Fail
Measurement: The monitor returns a specific, measured value (for example, the device CPU
usage)
The following table describes available monitors and the results returned by that monitor type.

Table 3: Periodic Monitor Types and Results

Indicator Monitored As
Power Supply Fans Pass/Fail

Laser Pass/Fail
CPU Resources Measured value
RAM Resources Measured value
Power Supply Pass/Fail
CPU Temperature Measured value
Port Statistics Measured value
Alert Types
For each monitor you establish, you also define the action or actions that will occur as a result.
These actions are defined individually for each monitor:
log: writes to the Command Line Interface (CLI) history and error message log files
led: flashes the FLT LED on the device front panel
trap: generates an SNMP trap
When monitoring a device function that returns a measurement, you can also define limit values so
that alerts are generated only when the device functions outside of the defined range. Log, LED,
and/or Trap alerts would be generated when:
the measured value rises above the defined limit
the measured value drops below the defined limit
the measured value is outside of the defined limits (above or below)
Periodic Monitoring Commands

This section describes the command hierarchy for periodic monitoring as well as the available
commands.
Command Hierarchy
NOTE
All periodic monitoring commands are applied immediately, no commit is required.
device-name#
+ config terminal
+ system
+ [no] monitor
+ [no] cpu-temperature
- [no] high-threshold <value>
- [no] led

- [no] log
- [no] low-threshold <value>
- [no] shutdown
- [no] trap
+ [no] cpu-usage
- [no] led
- [no] log
- [no] shutdown
- [no] trap
+ [no] fan
- [no] led
- [no] log
- [no] shutdown
- [no] trap
+ [no] port-statistics
- [no] led
- [no] log
- [no] shutdown
- [no] trap
+ [no] power-supply
- [no] led
- [no] log
- [no] shutdown
- [no] trap
+ [no] ram-usage
- [no] led
- [no] log

- [no] shutdown
- [no] trap
+ [no] laser
- [no] led
- [no] log
- [no] shutdown
- [no] trap
- [no] port UU/SS/PP
- [no] rx-power {high-threshold <value> | low-
threshold <value>}
- [no] tx-power {high-threshold <value> | low-
threshold <value>}
- [no] temperature {high-threshold <value> |
low-threshold <value>}
- [no] shutdown
- [no] rx-power {high-threshold <value> | low-
threshold <value>}
- [no] tx-power {high-threshold <value> | low-
threshold <value>}
- [no] temperature {high-threshold <value> | low-
threshold <value>}
- [no] shutdown
- show system monitor [cpu-temperature | cpu-usage | | fan | port-
statistics [failed-ports | power-supply [fan] | ram-usage | laser
[port UU/SS/PP] [detail]]
- show system cpu-usage
- show system ram-usage
- show system temperature
Table 4: Periodic Monitoring Commands
Command Description

monitor Enters Periodic Monitoring Configuration mode
no monitor Removes periodic monitoring configurations

Command Description
cpu-temperature Enables CPU temperature monitoring and

enters Temperature Monitoring Configuration
mode
Enabled
no cpu-temperature Restores to default
cpu-usage Enables CPU monitoring and enters the CPU
Monitoring Configuration mode. CPU monitoring
collects CPU usage samples and periodically
calculates the average value from previous
percentage estimates. If the calculated value
exceeds a configured limit value, the monitor
triggers an alert.
Disabled
no cpu-usage Restores to default
fan Enables fan monitoring and enters Fan
Monitoring Configuration mode
Enabled
no fan Restores to default
port-statistics Enables port monitoring (monitoring of
ifInErrors) and enters Port Monitoring
Configuration mode
Disabled
no port-statistics Restores to default
ram-usage Enables RAM monitoring and enters RAM
Monitoring Configuration mode. RAM usage
monitoring periodically checks the remaining
RAM available for allocation. If the amount is
less than the configured limit, the monitor
triggers an alert.
Disabled
no ram-usage Restores to default
laser Enables Laser Management monitoring and
enters Laser Monitoring Configuration mode.
Laser Management monitors SFP transceivers
parameters (received optical power, transmitter
(Tx)/receiver (Rx) output power, and transceiver
temperature).
This feature is based on the enhanced digital-
diagnostic interface, described in SFF-
8472 specification.
Disabled
no laser Restores to default
power-supply Enables power supply monitoring and enters
Power Supply Monitoring Configuration mode
Enabled
no power-supply Restores to default

Command Description
high-threshold <value> Specifies the high threshold value for a specific

monitoring:
value: high threshold value
90% high threshold for RAM-usage
75% high threshold for CPU-usage
0% high threshold for port statistics
70C high threshold for CPU-temperature
no high-threshold Removes the high threshold value
led Enables FLT LED-alert notification.
The FLT LED starts blinking when one of the
following conditions occurs:
the indicator shows a fail status
the measured value for the indicator
exceeds its configured limit
Disabled
no led Restores to default
log Enables alert-notification logging.
An alert message is written to the log and
history files when one of the following conditions
occurs:
Disabled
no log Restores to default
low-threshold <value> Specifies the low threshold value for a specific

monitoring:
value: low threshold value
0% low threshold for CPU-usage, RAM-
usage, and port statistics
-3C low threshold for CPU-temperature
no low-threshold Removes the low threshold value
period <value> Specifies an interval at which an indicator is

polled:
seconds
60 seconds

Command Description
trap Enables SNMP trap notification receiving for a

specific monitoring.
When enabled, an SNMP trap is issued when
one of the following conditions occurs:
Disabled
no trap Restores to default
port UU/SS/PP (Only for laser management monitoring)

Specifies a port for which thresholds will be
configured:
UU/SS/PP: 1/1/1-1/1/4 and 1/2/1-
1/2/8
no port [UU/SS/PP] Removes the configured port
and 1/2/1-1/2/8
rx-power {high-threshold (Only for laser management monitoring)
<value> | low-threshold
Specifies a Rx power threshold per port:
<value>}
high-threshold <value>: from -40
dBm to 8 dBm
- 7 dBm
low-threshold <value>: from -40
dBm to 8 dBm
- 32 dBm
no rx-power {high-threshold Restores to default
| low-threshold}
tx-power {high-threshold (Only for laser management monitoring)

Specifies a Tx power threshold per port:
<value>}
to 8 dBm
- 5 dBm
to 8 dBm
- 16 dBm
no tx-power {high-threshold Restores to default
| low-threshold}
temperature {high-threshold (Only for laser management monitoring)

Specifies a temperature threshold per port:
<value>}
C0 to 128 C0
85 C0
C0 to 128 C0
- 40 C0

Command Description
no temperature {high- Restores to default

threshold | low-
threshold}
shutdown Disables the port

no shutdown Enables the port
rx-power {high-threshold (Only for laser management monitoring)
Specifies a Rx power threshold:
<value>}
to 8 dBm
- 7 dBm
to 8 dBm
- 32 dBm
no rx-power {high-threshold | Restores to default
low-threshold}
tx-power {high-threshold (Only for laser management monitoring)

Specifies a Tx power threshold:
<value>}
to 8 dBm
- 5 dBm
to 8 dBm
- 16 dBm
no tx-power {high-threshold | Restores to default
low-threshold}
temperature {high-threshold <- (Only for laser management monitoring)

128-128> | low-threshold <-
128-128>} Specifies a temperature threshold:
to 128 C0
85 C0
to 128 C0
- 40 C0
no temperature {high-threshold Restores to default
| low-threshold}
shutdown Disables a specific monitoring

no shutdown Enables a specific monitoring
show system monitor [cpu-temperature | Displays monitor settings filtered by the
cpu-usage | | fan | port-statistics command arguments (see Table 5)
[failed-ports] | power-supply [fan] |
ram-usage | laser [port UU/SS/PP]
[detail]]
show system cpu-usage Displays CPU Usage for the current device
show system ram-usage Displays RAM load in percent
show system temperature Displays the temperature of the current device

Table 5: Monitor Indicators

Indicator Description
cpu-temperature CPU temperature monitoring settings

cpu-usage CPU usage monitoring settings
fan Fan monitoring settings
laser Laser monitoring settings
port-statistics Port monitoring settings
power Power monitoring settings
ram-usage RAM usage monitoring settings
CPU Usage Monitoring

1. Enter the CPU Monitoring Configuration mode:
device-name(config)#system monitor
device-name((config-monitor)#cpu-usage
2. Define the CPU usage high limit value to 10 and the low limit to 1:
device-name(config-cpu-usage)#high-threshold 10
device-name(config-cpu-usage)#low-threshold 1
3. Define the monitoring interval to 20 seconds:

device-name(config-cpu-usage)#period 20
device-name(config-cpu-usage)#no shutdown
device-name(config-cpu-usage)#commit
device-name(config-cpu-usage)#end
4. Display the CPU usage monitoring settings:

device-name#show system monitor cpu-usage
cpu-usage
status PASSED
RAM Usage Monitoring

1. Enter the RAM Monitoring Configuration mode:
device-name(config-monitor)#ram-usage
2. Define the RAM usage high limit value to 10 and the low limit to 3:
device-name(config-ram-usage)#high-threshold 10

device-name(config-ram-usage)#low-threshold 3

device-name(config-ram-usage)#period 5
device-name(config-ram-usage)#no shutdown
device-name(config-ram-usage)#commit
device-name(config-ram-usage)#end
4. Display the RAM usage monitoring settings:

device-name#show system monitor ram-usage
ram-usage
status FAIL
Laser Management Monitoring

1. Enter the Laser Monitoring Configuration mode:
device-name(config-monitor)#laser
2. Define the Laser monitor temperature thresholds to be in the range of -10 to 60 degrees and
to indicate by the led on a problem:
device-name(config-laser)#temperature high-threshold 60
device-name(config-laser)#temperature low-threshold -10
device-name(config-laser)#led

device-name(config-laser)#period 600
device-name(config-laser)#no shutdown
device-name(config-laser)#end
4. Display the Laser monitoring settings:

device-name#show system monitor laser
Laser Monitor Test
Period : 600
Status LED : Enabled
Traps : Disabled
Logging : Disabled
Temperature Limit :
Common : -10C..60C
1/2/7 : -5C..85C
1/2/8 : -5C..85C
Tx-Power :
Common : -16dBm..-5dBm
1/2/7 : -11dBm..-3dBm
1/2/8 : -11dBm..-3dBm
Rx-Power :
Common : -32dBm..-7dBm
1/2/7 : -20dBm..0dBm

1/2/8 : -20dBm..0dBm

Diagnosing Connectivity Problems

The device offers two utilities for troubleshooting network-connectivity issues:
Packet Internet Groper (PING)
Traceroute
Packet Internet Groper (PING)

To verify Internet connectivity at the IP level, PING sends an Internet Control Message Protocol
(ICMP) echo request to a specified IP address or device name and waits for one of the following
ICMP responses:
Normal response: device replies within 110 seconds depending on network traffic.
Destination does not respond: the device does not respond. One of two messages is returned. If no
response, a no-answer message is returned. If the device does not exist, an unknown message
is returned.
Destination unreachable: the default gateway cannot reach the specified network.
Network or device unreachable: the route table does not include the device or network.
Example: Reachable Device

device-name#ping 192.168.1.100
PING 192.168.1.100 (192.168.1.100): 56 data bytes
64 bytes from 192.168.1.100: icmp_seq=0 ttl=128 time=1.4 ms
--- 192.168.1.100 ping statistics ---

5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 1.3/1.3/1.4 ms
Example: Unreachable Device

device-name#ping 192.168.1.101
PING 192.168.1.101 (192.168.1.101): 56 data bytes
--- 192.168.1.101 ping statistics ---

5 packets transmitted, 0 packets received, 100% packet loss
Traceroute
Traceroute sends ICMP echo packets with varying IP Time-to-Live (TTL) values to the destination.
Upon receipt of an ICMP echo packet with a TTL value of 1 or 0, the device drops the packet and

sends a time-to-live-exceeded message back to the sender. Traceroute uses this mechanism to determine
the route to the destination:
Traceroute sends a User Datagram Protocol (UDP) to the destination device that sets the TTL
value to 1 and receives a time-to-live-exceeded message.
To identify the next hop, Traceroute sends another UDP packet, this time setting the TTL value to
2. The first device reached by the UDP decreases the TTL field by 1 and sends the datagram to the
next device. That device discards the datagram, with its TTL value of 1, and returns a time-to-live-
exceeded message to the source.
This process continues until the TTL has been incremented to a value large enough for the
datagram to reach the destination device (or until reaching the maximum value for the TTL is
reached).
To determine when a datagram reaches its destination, Traceroute sets the UDP destination port
number in the datagram to a value unlikely to be used by the destination device. When a device
receives a self-destined datagram containing a destination port number that is unused locally, it
sends an ICMP port unreachable error to the source. Because all errors except port unreachable errors
come from intermediate hops, the receipt of a port unreachable error means that the message was sent
by the destination.
Connectivity Diagnostic Commands

This section defines the Connectivity Diagnostic Command Hierarchy and provides a list of
command descriptions as well as an example.
Command Hierarchy
device-name#
- traceroute {A.B.C.D | HOSTNAME} [ttl <ttl> | timeout <timeout>]
- ping {A.B.C.D | HOSTNAME} [number <number> | length <length>]
+ config terminal
+ system
- [no] icmp access source-ip A.B.C.D/M
Table 6: Connectivity Diagnostic Commands
Command Description

Command Description
traceroute {A.B.C.D | HOSTNAME} [ttl Traces the data-packet route to the destination IP
<ttl> | timeout <timeout>] address:

pinged device

device
ttl: the maximum number of devices
the traceroute command passes, in
the range of <1255>
30
timeout: the timeout for receiving
responses, in the range of <1600>
seconds
5 seconds
ping {A.B.C.D | HOSTNAME} [number Pings a remote device:
<number> | length <length>]

pinged device

device
number: the number of ICMP echo
packets sent, in the range of
<12147483646>
5
length: the size of the ICMP echo
packet, in the range of
<5665535>
56
icmp access source-ip A.B.C.D/M Limits the access to the ICMP server only from
the specific sources IP address(es):
address.
no icmp access source-ip Removes the trusted IP address(es)
A.B.C.D/M

Port Mirroring (Port Monitoring)

Port Mirroring is a method used to monitor network traffic. Port mirroring forwards all the data
transmitted and received by a port to a different location for analysis. The port receiving the
mirrored traffic must be connected to a Network Analyzer or RMON probe for packet analysis.
Port Mirroring copies and sends packets passing through one or more ports (source ports) to a
monitor port (destination port). Both the source and destination ports are located on the same device.
Figure 2: Port Mirroring
Network traffic monitoring includes the following traffic types:

Receive (Rx, ingress monitoring): Destination port receives a copy of the packets transmitted to the
source port before the source device modifies or processes them.
Transmit (Tx, egress monitoring): Destination port receives a copy of the packets transmitted by
the source port after the source device modifies and processes them.

NOTE
In egress monitoring, packets are forwarded to the destination port before the source
port changes the 802.1q packet header. Therefore, the packets transmitted to the
destination port may differ from the packets sent out by the source port.
Table 7: Characteristics of Port Types

Ports Type Description
Source Port The device can monitor egress traffic, ingress

traffic, or both simultaneously:
When monitoring egress traffic, the device
supports up to eight source ports.
The device can monitor port types such as
Fast Ethernet, Gigabit Ethernet, and link-
aggregation group.
The source port cannot be a destination port.
Source ports can be in the same or
different VLANs.

Ports Type Description
Destination Port The destination port:

must reside on the same device as the
source port (for local network traffic
monitoring)
can be any physical Ethernet port
cannot be a source port
can participate in only one network traffic
monitor at a time (it cannot be a destination
port for a second network traffic monitoring)
does not transmit any traffic except the traffic
required for the network traffic monitoring
has a limited capacity, any traffic exceeding
port capacity is dropped
Commands Hierarchy
device-name#
+ config terminal
+ system
+ [no] mirror UU/SS/PP
- [no] rx source UU/SS/PP
- [no] tx source {UU/SS/PP | cpu-port}
Table 8: Port Mirroring Commands
Command Description

mirror UU/SS/PP Initiates network traffic monitoring by specifying

destination port/s (also called monitoring port/s)
and enters the Mirror Configuration mode.
Up to 4 simultaneously acting monitoring ports
are supported.
UU/SS/PP: 1/1/1-1/1/4 and 1/2/1-
1/2/8
Disabled
no mirror [UU/SS/PP] Disables network traffic monitoring on all ports
or on the selected port in case the command

Command Description
rx source UU/SS/PP Specifies source port/s (also called monitored

port/s), monitored for ingress network traffic. Up
to 32 ports can be monitored simultaneously.
UU/SS/PP: 1/1/1-1/1/4 and 1/2/1-
1/2/8
no rx source [UU/SS/PP] Releases source port/s from being monitored for
ingress traffic
tx source {UU/SS/PP | cpu-port} Specifies source port/s (also called monitored
port/s ), monitored for egress network traffic. Up
to 8 ports can be monitored simultaneously.
UU/SS/PP: 1/1/1-1/1/4 and 1/2/1-
1/2/8
cpu-port: allows the CPU to
mirror ingress packets (which are
egress for the packet processor)
no tx source [UU/SS/PP | cpu-port] Releases source port/s from being monitored for
egress traffic
Example
The following example shows how to configure the network traffic monitoring on ports. Ports
1/1/3 and 1/1/4 mirror the received and transmitted traffic on ports 1/1/1 and 1/1/2. Set the
destination port (sniffer port):
1. Set the destination port 1/1/3 and the group of source ports that will be monitored:
device-name(config-system)#mirror 1/1/3
device-name(config-mirror-1/1/3)#tx source 1/1/1
device-name(config-mirror-1/1/3)#rx source 1/1/1
2. Set the destination port 1/1/4 and the group of source ports that will be monitored:
device-name(config-mirror-1/1/3)#mirror 1/1/4
device-name(config-mirror-1/1/4)#commit
Commit complete.
device-name(config-mirror-1/1/4)#end
3. Display the configuration results:

device-name#show running-config system mirror
system
mirror 1/1/3
tx source 1/1/1
tx source 1/1/2
rx source 1/1/1
rx source 1/1/2

!
mirror 1/1/4
tx source 1/1/1
tx source 1/1/2
rx source 1/1/1
rx source 1/1/2

Ethernet Loopback Test

The Ethernet loopback testing is a diagnostic procedure based on the Ethernet/MAC header in
which a signal is transmitted and returned back to the same sending device after passing through all
or a portion of a network to test transportation or transportation infrastructure. A comparison of
the returned signal with the transmitted signal conveys the integrity of the transmission path.
There are two major cases for loopback test to work:
1. Non-SLA-Aware on access/user port or uplink/network port - loopback is applied on a
specific port and expected to be looped and forwarded back to the same port.
2. SLA-Aware on access/user port - loopback is applied on a specific port and expected to be
looped and forwarded back to port different from the port the loopback is applied.
NOTE
In case the Ethernet Loopback Test is initiated on port/LAG/SAP where
ACL/QoS policy is applied, any further modification of ACL/QoS policy
during the test, will not affect the loopback traffic.
If the Ethernet Loopback Test is initiated on one of the SAPs/SDPs of a
service, and traffic with a destination MAC address and VLAN tag
matching the configured Loopback test arrives on another SAP/SDP of the
same service, that traffic will also be looped back.
Ethernet Loopback Test Commands
Commands Hierarchy
device-name#
+ config terminal
+ [no] oam
+ [no] loopback-test NAME
- [no] amount <value>
- [no] destination-mac HH:HH:HH:HH:HH:HH
- [no] inner-vlan-id <vlan-id>
- [no] inner-vlan-priority <value>
- [no] outer-vlan-id <vlan-id>
- [no] outer-vlan-priority <value>
- [no] source-mac HH:HH:HH:HH:HH:HH
- [no] untagged
- [no] oam loopback-test NAME port UU/SS/PP [duration <value> | sla-
aware]
- [no] oam loopback-test NAME lag agN [duration <value> | sla-aware]

- [no] oam loopback-test NAME service dot1q <service-id> {sap {UU/SS/PP |

agN} |sdp {UU/SS/PP | agN}} [duration <value> | sla-aware]
- [no] oam loopback-test NAME service tls <service-id> {sap {UU/SS/PP |
agN} |sdp {UU/SS/PP | agN}} [duration <value> | sla-aware]
- show oam loopback-test NAME
Table 9: Ethernet Loopback Test Commands
Command Description

no oam Removes the OAM configurations
loopback-test NAME
Specifies Ethernet loopback test and enters

Ethernet Loopback test Configuration mode:
NAME: a string of up to 32
characters
no loopback-test Removes the configured test
amount <value> Specifies the number of destination MAC

addresses to be looped back:
1
no amount Restores to default
destination-mac
HH:HH:HH:HH:HH:HH
Configures Ethernet traffic stream with
individual destination MAC address used to
verify if the processed packets are looped back
after MAC swapping:
HH:HH:HH:HH:HH:HH: destination
MAC address, hexadecimal format
no destination-mac Removes the configured MAC address
ethertype <value> Configures Ethernet traffic stream with specific

packet ethertype value:
value: in hexadecimal format (for
example 0x9000)
0x8100
inner-vlan-id <vlan-id> (valid only for double-tagged traffic stream)

Configures Ethernet traffic stream with specific
VLAN ID (inner VLAN tag) in order to verify the
correct transmission of the stream through the
network.
4092>

Command Description
no inner-vlan-id Removes the configured VLAN ID.
inner-vlan-priority <value> Configures Ethernet traffic stream with specific

VLAN Priority Tag (VPT) in the inner-VLAN tag
header in order to verify the correct prioritization
of the stream through the network:
no inner-vlan-priority Removes the configured value
outer-vlan-id <vlan-id>
(valid for double and single tagged traffic)

Configures Ethernet traffic stream with specific
VLAN ID (outer VLAN tag, in case of double-
tagged traffic) in order to verify the correct
transmission of the stream through the network.
4092>
no outer-vlan-id Removes the configured VLAN ID.
outer-vlan-priority <value> Configures Ethernet traffic stream with specific

VLAN Priority Tag (VPT) in the outer-VLAN tag
header in order to verify the correct prioritization
of the stream through the network:
no outer-vlan-priority Removes the configured value
source-mac HH:HH:HH:HH:HH:HH Configures Ethernet traffic stream with

individual source MAC address:
HH:HH:HH:HH:HH:HH: source MAC
address, hexadecimal format
no source-mac Removes the configured MAC address
untagged Configures untagged Ethernet traffic stream
tagged
no untagged Configures tagged Ethernet traffic stream
oam loopback-test NAME port UU/SS/PP Applies the configured Ethernet loopback test
[duration <value> | sla-aware] on a specified port.
NOTE
The selected port must be member
of the Outer VLAN, if the traffic is
tagged.
NAME: Ethernet loopback test
name, previously configured
UU/SS/PP: port, in the range of
1/1/1-1/1/4 and 1/2/1-1/2/8.
duration <value>: (optional) test
duration, in the range of <1-
1440> min
5 minutes
sla-aware: (optional) specifies
test mechanism

Command Description
not sla-aware
oam loopback-test NAME lag agN [duration Applies the configured Ethernet loopback test
<value> | sla-aware] on a specified LAG:
<1-14>
1440> min
5 minutes
test mechanism
not sla-aware
oam loopback-test NAME service dot1q Applies the configured Ethernet loopback test
<service-id> {sap {UU/SS/PP | agN} on a specified 802.1Q service:
|sdp {UU/SS/PP | agN}} [duration
<value> | sla-aware] NOTE
When the Ethernet loopback
test is applied on SDP/SAP
port, the outer VLAN ID must
be the same as the service
VLAN ID for the specific
service. Inner VLAN ID must
be the same as C-VLAN ID,
member of which is the SAP
port.
4294967294>
UU/SS/PP: SAP/SDP port, in the
range of 1/1/1-1/1/4 and 1/2/1-
1/2/8.
agN: SAP/SDP LAG ID. N is in the
range of <1-14>
1440> min
5 minutes
test mechanism
not sla-aware
oam loopback-test NAME service tls Applies the configured Ethernet loopback test
<service-id> {sap {UU/SS/PP | agN} on a specified TLS service
|sdp {UU/SS/PP | agN}} [duration
<value> | sla-aware] NOTE

Command Description

test is applied on SDP port, the
outer VLAN ID must be the
same as the service VLAN ID
for the specific service.
test is applied on SAP port,
member of specific C-VLAN
ID:
Outer VLAN ID must be the same
as the service VLAN ID for the
specific service.
Inner VLAN ID must be the same
as C-VLAN ID, member of which is
the SAP port.
member of specific C-VLAN
untagged:
specific service.
Inner VLAN ID must not be
defined.
member of specific C-VLAN all:
specific service.
Inner VLAN ID is optional but must
match the test traffic.
4294967294>
UU/SS/PP: SAP/SDP port, in the
range of 1/1/1-1/1/4 and 1/2/1-
1/2/8.
agN: SAP/SDP LAG ID. N is in the
range of <1-14>
1440> min
5 minutes
test mechanism
not sla-aware
no oam loopback-test NAME Stops the Ethernet loopback test:

Command Description
NAME: Ethernet loopback test name

currently running
show oam loopback-test NAME Displays Ethernet loopback test information:
Example
1. Configure the Ethernet Loopback test:
Device-name(config)#oam
Device-name(config-oam)#loopback-test A1
Device-name(config-loopback-test-A1)#destination-mac 00:00:00:01:01:01
Device-name(config-loopback-test-A1)#outer-vlan-id 7
Device-name(config-loopback-test-A1)#outer-vlan-priority 5
2. Configure VLAN and add ports 1/1/1 and 1/1/2 as tagged members of it:
Device-name(config)#vlan v7 7
3. Apply the A1 test on port 1/1/1:

Device-name#oam loopback-test A5 port 1/1/1
Starting test A1 with duration 5 minutes ...Success!

Technical Support Information

Telco Systems provides special-purpose CLI commands used to retrieve the technical information
about the device. Forward this information to Telco Systems technical support to aid in tracking
and resolving issues that cause system failures.
Technical Support commands dump the required information onto the screen. You can also save
the command output as an encrypted file locally or to a specific remote server.
Technical Support Commands

The following section defines the command hierarchy for Technical Support and provides a list of
available commands as well as a configuration example.
Command Hierarchy
device-name#
- file cp technical-support PROTOCOL[USER[:PASSWORD]@]IPv4[:PORT]/FILE-
NAME
- file cp technical-support use-external-file FILE-NAME USE-EXTERNAL-
FILE-NAME
- file cp technical-support use-external-file FILE-NAME
PROTOCOL[USER[:PASSWORD]@]IPv4[:PORT]/FILE-NAME USE-EXTERNAL-FILE-NAME
- file cp technical-support FILE-NAME
- show technical-support use-external-file USE-EXTERNAL-FILE-NAME
- show technical-support
Table 10: Technical Support Commands
Command Description

file cp technical-support Uploads the output of the show technical-
PROTOCOL[USER[:PASSWORD]@]IPv4[:P support command to a TFTP/FTP server:
ORT]/FILE-NAME
ftp://user:pass@A.B.C.D. For TFTP
servers, no user, password, and
port are required. For FTP
required.
USER: FTP user name
server in A.B.C.D format

Command Description

transfer
file cp technical-support FILE-NAME Saves the output of the show technical-
support command to the local file system:
file cp technical-support use-external- Saves a filtered output of the show technical-
file FILE-NAME USE-EXTERNAL- support command to the local file system:
FILE-NAME
FILE-NAME: name of the file that
contains the original command
output
the file that contains a modified
copy of the commands to be
executed
file cp technical-support use-external- Uploads a filtered output of the show
file FILE-NAME technical-support command to a TFTP/FTP
PROTOCOL[USER[:PASSWORD]@]IPv4[:P
server:
ORT]/FILE-NAME USE-EXTERNAL-
FILE-NAME PROTOCOL type: tftp://A.B.C.D or
ftp://user:pass@A.B.C.D. For TFTP
servers, no user, password, and
port are required. For FTP
required.
USER: FTP user name
server in A.B.C.D format
transfer
FILE-NAME: name of the file that
contains the original command
output
the file that contains a modified
copy of the command output
show technical-support use-external- Displays the content of a file containing an
file USE-EXTERNAL-FILE-NAME output of the show technical-support
command:
the file
show technical-support Displays the selected technical-support
parameter information

Execute commands from default TSDB and display the output:
device-name#show technical-support
===============================================================================
TECHNICAL SUPPORT
===============================================================================
It could take several minutes to complete the command. Please wait ...
-------------------------------------------------------------------------------
output from command show running-config
-------------------------------------------------------------------------------
snmp-server
no enable
port 161
engineID 80:00:61:81:05:01
notify linkDown
tag tag
type trap

-------------------------------------------------------------------------------
TSDB_default.db had 2 commands to process
Started at Wed Jul 20 15:05:10 EET 2010
Finished at Wed Jul 20 15:05:10 EET 2010
-------------------------------------------------------------------------------
===============================================================================


Features Standards MIB RFC
Periodic Monitoring No standards are Private MIB, No RFCs are

supported by this PRVT-SYS-MON- supported by this
feature. MIB.mib feature.
Diagnosing Connectivity No standards are No MIBs are RFC 792-Internet
Problems supported by this supported by this Control Message
feature. feature. Protocol
Port Monitoring No standards are No MIBs are No RFCs are
supported by this supported by this supported by this
feature. feature. feature.
Technical Support No standards are Private MIB, No RFCs are
Information supported by this PRVT- supported by this
feature. INTERWORKING- feature.
OS-MIB

Appendix A: SNMP Reference Guide
Table of Contents
Table of Figures 1
List of Tables 2
Getting Started 3
Audience 3
Introduction 3
Obtaining MIB Files 3
Compiling MIB Files 3
MIB Tree 4
Object Identifier (OID) 5
Managing Objects 6
SNMP Object Parameters 6
MIB Architecture and Configuration 8

Managing the Device 8
Device Authentication20
Filtering Traffic 26
Traffic Control 31
VLANs 34
Service Configuration 42
Basic Routing and Router Protocols 47
Network Monitoring and Troubleshooting 60
Traffic Engineering 78
Table of Figures
Figure 1: The MIB Tree ......................................................................................................................... 4
Appendix A: SNMP Reference Guide (Rev. 01) Page 1

Figure 2: Branch of the MIB Object Identifier Tree ......................................................................... 5

Figure 3: Communication between an SNMP Agent and Manager............................................... 6
List of Tables
Table 1: Predefined SNMP Object Parameters ................................................................................. 6
Page 2 Appendix A: SNMP Reference Guide (Rev. 01)

Getting Started
This guide describes the objects supported in the Management Information Base (MIB) on the
device and illustrates all parameters in the MIB structure. Many configuration examples are
provided to help you make the required changes to your system.
For more detailed information regarding any of the features described in this guide, please refer to
the BiNOX User Guide.
Audience
This guide is intended for network administrators who want to manage the system using SNMP
MIB applications.
Introduction
The Management Information Base (MIB) is a database of objects that can be used by a network
management system (NMS) to manage and monitor devices on the network. The managed objects
are structured in the form of a hierarchical tree.
The MIB can be retrieved by an NMS using Simple Network Management Protocol (SNMP). The
MIB structure determines the scope of management access allowed by a device.
SNMP defines the type of messages that are exchanged between the manager and agent (refer to
the Simple Network Management Protocol (SNMP) chapter). By using SNMP, a management application
can issue read or write operations within the scope of the MIB. Three versions of SNMP are
supported: SNMPv1, SNMPv2, and SNMPv3.
Obtaining MIB Files

There are two options to obtain the MIBs:
By contacting the support center
Customers that have a valid Support Contract can freely download MIBs from the Telco
Systems Web site
Compiling MIB Files

After obtaining the MIBs, follow the instructions of your network management system regarding
usage.

MIB Tree
The MIB database is presented in a tree form with conceptual tables, where each managed resource
is represented by an object. Individual data items, the MIB objects, make up the leaves of the tree.
At the top of the tree is the most general information available about the network. Each branch of
the tree gets more detailed into a specific network area.
Figure 1: The MIB Tree

Object Identifier (OID)

Each item on the MIB tree is assigned a number which creates a path to objects in the MIB; the
path is known as the object identifier (OID). The OID value consists of two or more integers
(called subidentifiers) separated by a dot (.).
Due to Basic Encoding Rules (the part of ASN.1 that defines how values are encoded for
transmission "on the wire"), the first subidentifier must be 0, 1 or 2. The second subidentifier must
be between 0 and 39 if the first subidentifier is 0 or 1. Otherwise, the only restrictions imposed by
SNMP are that (1) there is a limit of 128 subidentifiers in an OID value, and (2) that each
subidentifier is restricted to the range from 0 to 4294967295.
Figure 2: Branch of the MIB Object Identifier Tree
Example:
To retrieve an object from the OSPF MIB, the software uses this OID:
1.3.6.1.2.1.14
which indicates this path:
iso(1).org(3).dod(6).internet(1).mgmt(2).mib-2(1).ospf(14)
T-Marc 3312SC OID is 1.3.6.1.4.1.738.10.5.100.1.1.10005

T-Marc 3312SCH OID is 1.3.6.1.4.1.738.10.5.100.1.1.10011

Managing Objects
An SNMP application can read values for the objects (for device monitoring) and some
applications can also change the variables (to provide remote management of devices). Basic SNMP
operations include:
Get: Gets a specified SNMP object for a device
Get Next: Gets the next object in a table or list
Set: Sets the value of an SNMP object on a device
B: Sends a message about an event (that occurs on the device) to the management application
When you perform an SNMP Get operation, the SNMP manager sends the OID to the Agent,
which in turn determines whether the OID is supported. If the OID is supported, the Agent
returns information about the object (refer to the Simple Network Management Protocol (SNMP)
chapter).
Figure 3: Communication between an SNMP Agent and Manager
SNMP Object Parameters

The MIB file contains the definition of the global tree and the definition of leaf object.
Table 1: Predefined SNMP Object Parameters
Field Name Description
TYPE Provides a unique, object name used to collect information by using

names instead of numbers.
SYNTAX Defined in RFC 1212, Syntax holds the value type managed by the
object. Value types are:
INTEGER
IP ADDRESS
BITS
GAUGE
COUNTER
TIMESTAMP
OCTET STRING
OBJECT IDENTIFIER
NULL
DisplayString
Unsigned

Field Name Description
It is possible to create a new syntax from those defined in this last. A new
syntax uses the keyword TEXTUAL CONVENTION.
ACCESS Indicates how the object could be addressed. Possible values are:
Read-only
Read-write
Read-create
Not-accessible
STATUS Indicates the status of the object
A standard MIB file defines a set of objects, some of which should be
implemented in the Agent. A query should have an answer to follow the
norm. Possible values are:
Mandatory: This object should be implemented in the agent.
Optional: This object could be implemented in the agent.
Obsolete: This object is no longer implemented on the new
generation of agent.
DESCRIPTION Information, presented in text format, describing the objects use and
associated value. Text is between quotes.

MIB Architecture and Configuration

Managing the Device
This section contains MIBs used to manage the software image and device configuration:
PRVT-INTERWORKING-OS-MIB
PRVT-CONFIGCHANGE-MIB
PRVT-SWITCH-MIB (only sysManufacturing table )
PRVT-SYNC-ETHERNET-MIB
PRVT-STATHIST-MIB
PRVT-STATISTICS-MIB
PRVT-LLDP-MIB
PRVT-INTERWORKING-OS-MIB
This MIB displays and manages the OS features of the device including OS upgrades. The MIB is
used to:
reset the device
change the active image
download a new image
download/upload running configuration
download technical support information rename or merge files
delete images

NOTE
For the purposes of system information management via SNMP, only the
prvtInterworkingOSMibObjects node of the PRVT-INTERWORKING-OS-MIB
is used.
Examples:
Software Update via SNMP

1. Download image from tftp:

SET prvtBootUpgradeSrcURI = tftp://1.0.0.26/new image.tar.7z
2. Set a new application name different from batmBootApplicationNameURI:

SET prvtBootApplicationNameURI = new image.tar.7z
3. Start application replacement:

SET prvtBootUpgradeCmd = applyExec(3)
4. Check if the status is upgradeInProgress(3):

GET prvtBootOperStatus upgradeInProgress(3)
5.After transfer complete check the status is ready(1):

GET prvtBootOperStatus ready(1)
6. Verify that the image appears in the device and becomes active.
device-name#file ls os-image
The active image has star (*) symbol.
Upload a configuration file from the local file system to a TFTP server
via CLI:
1. Save the running configuration file to the local file system:
device-name#file cp running-configuration myconfig.cfg
device-name#file ls
2. Upload the running configuration file to a TFTP server:

device-name#file cp running-configuration tftp://10.3.71.167/myconfig.cfg
3. Check if the file is stored in TFTP.
Upload a configuration file from the local file system to a TFTP server
via SNMP:
1. Configure the source type to be the file system:
SET prvtConfigSourceType.0 (integer) fileSystem(1)
2. Add a name of the file in example myconfig.cfg:

SET prvtConfigSourceFileName.0 (octet string) myconfig.cfg
3. Configure the destination type to be tftp:

SET prvtConfigTargetType.0 (integer) tftp(5)
4. Add a name of the file that will be uploaded in example myconfig.cfg:

SET prvtConfigTargetFileName.0 (octet string) myconfig.cfg
5. Configure the type of the remote address to be IPv4:

SET prvtConfigRemoteAddressType.0 (integer) ipv4(1)
6. Fill IP of the tftp server in example. The IP is 10.3.71.167:

SET prvtConfigRemoteAddress.0 (octet string)#0x0A 0x03 0x47 0xA7
7. Add a port for tftp. The port number is 69:

SET prvtConfigRemotePort.0 (gauge) 69

8. Configure the type of the file action. First to be prepare, and second to be copy:
SET prvtConfigAction.0 (integer) prepare(2)
SET prvtConfigAction.0 (integer) copy(3)
NOTE
Refer to the Managing the device chapter to see Software Upgrade example via CLI.
PRVT-CONFIGCHANGE-MIB
A private MIB providing notification for configuration changes as SNMP traps. Each trap contains:
Time at which the configuration change was committed
Name of the user who made the change
Method by which the change was made
Examples:
Configuration Management via CLI
1. Configure SNMP with Traps:
device-name(config-system)#snmp
device-name(config-snmp)#view myview 1.3 included
device-name(config-snmp)#group mygroup noAuthNoPriv read myview write
myview notify myview
device-name(config-snmp)#user tester mygroup v3
device-name(config-snmp)#target-address mycomp
device-name(config-target-address-mycomp)#dst-port 162
device-name(config-target-address-mycomp)#address 10.3.71.167
device-name(config-target-address-mycomp)#security-name tester
device-name(config-target-address-mycomp)#security-level noAuthNoPriv
device-name(config-target-address-mycomp)#message-model v3
device-name(config-target-address-mycomp)#type trap
device-name(config-target-address-mycomp)#com
Commit complete.
device-name(config-target-address-mycomp)#exit
2. Configure notification change trap to be true:

device-name(config-snmp)#notification-change-trap
device-name(config-snmp)#com
Commit complete.
Configure system location .
device-name(config-snmp)#system-location LAB
device-name(config-snmp)#com
Commit complete.

device-name(config-snmp)#
PRVT-SWITCH-MIB (only sysManufacturing table)

The private Switch MIB manages internal device parameters and contains additional configuration
options and device information.
The manufacturing details are retrieved from the sysManufacturing table of the MIB.
Examples:
Retrieving via CLI
Display manufacturing details using the show system manufacturing-details command:
device-name#show system manufacturing-details
===============================
System Manufacturing-Details
===============================
Main board
Serial number: 0309342504
Assembly No: AL001392
Part number: T-Marc 3312SC/T-Marc 3312SCH
CLEI:
HW revision: 02
HW subrevision:
Date: 30/09/2009
FW version: 32.77.48.21
Base MAC addr: 00:a0:12:64:08:60
Retrieving via SNMP

Retrieve manufacturing details using SNMP query:
1: sysSerialNumber.0 (octet string) 0309342504
[30.33.30.39.33.34.32.35.30.34 (hex)]
2: sysAssemblyNumber.0 (octet string) AL001392 [41.4C.30.30.31.33.39.32
(hex)]
3: sysPartNumber.0 (octet string) T-Marc 3312SC/T-Marc 3312SCH [54.4D.58.47
(hex)]

4: sysCLEI.0 (octet string) (zero-length)

5: sysHwRevision.0 (octet string) 02 [30.32 (hex)]
6: sysManufacturingDate.0 (octet string) 30/09/2009
[33.30.2F.30.39.2F.32.30.30.39 (hex)]
7: sysHwSubRevision.0 (octet string) (zero-length)
8: sysBaseMacAddress.0 (octet string) 00:a0:12:64:08:60
Display manufacturing details via SNMP :

***** SNMP QUERY STARTED *****
1: moduleSysSerialNumber.1 (octet string) (zero-length)
4: moduleSysAssemblyNumber.1 (octet string) (zero-length)
7: moduleSysHwRevision.1 (octet string) (zero-length)
10: moduleSysHwSubRevision.1 (octet string) (zero-length)
13: moduleSysPartNumber.1 (octet string) (zero-length)
16: moduleSysCLEI.1 (octet string) (zero-length)
19: moduleSysManufacturingDate.1 (octet string) 1/1/2011
20: moduleSysManufacturingDate.2 (octet string) (zero-length)
21: moduleSysManufacturingDate.3 (octet string) (zero-length)
22: moduleSysBaseMacAddress.1 (octet string) 00:A0:12:9A:08:40
25: moduleSysFirmwareVersion.1 (octet string) 0.0.21.4
26: moduleSysFirmwareVersion.2 (octet string) n/a
27: moduleSysFirmwareVersion.3 (octet string) n/a
***** SNMP QUERY FINISHED *****
***** SNMP QUERY STARTED *****

1: sysSerialNumber.0 (octet string) (zero-length)
2: sysAssemblyNumber.0 (octet string) (zero-length)
3: sysPartNumber.0 (octet string) (zero-length)
4: sysCLEI.0 (octet string) (zero-length)
5: sysHwRevision.0 (octet string) (zero-length)
6: sysManufacturingDate.0 (octet string) 1/1/2011
7: sysHwSubRevision.0 (octet string) (zero-length)
8: sysBaseMacAddress.0 (octet string) 00:A0:12:9A:08:40
9: sysFirmwareVersion.0 (octet string) 0.0.21.4

RVT-SYNC-ETHERNET-MIB
This private MIB provides complete SNMP management of Synchronous Ethernet (SyncE).
PRVT-STATHIST-MIB
This section describes MIBs used to provide historical view of the interface statistics.

Example
Configuration via CLI
Device-name(config)#system
Device-name(config-system)#statistics-history
Device-name(config-statistics-history)#profile FFF xpath-template
/bridge:interfaces/interface{%s}/Counters/ifInOctets
Device-name(config-statistics-history)#com
Commit complete.
Device-name(config-statistics-history)#control 1 profile-name FFF xpath-key
1/1/1
Device-name(config-statistics-history)#type delta get-interval 10
Device-name(config-statistics-history)#no shutdown
Device-name(config-statistics-history)#commit
Commit complete.
Configuration via SNMP

prvtStatHistMIB with OID 1.3.6.1.4.1.738.10.5.180
prvtStatHistProfileRowStatus.3.70.70.70 (integer) createAndWait(5)
prvtStatHistProfileXPathTemplate.3.70.70.70 (octet string)
/bridge:interfaces/interface{%s}/Counters/ifInOctets
prvtStatHistProfileRowStatus.3.70.70.70 (integer) active(1)
prvtStatHistType.0 (integer) delta(2)
prvtStatHistGetInterval.0 (gauge) 10
prvtStatHistControlRowStatus.1 (integer) createAndWait(5)
prvtStatHistControlProfileName.1 (octet string) FFF
prvtStatHistControlXPathKey.1 (octet string) 1/1/1
prvtStatHistControlRowStatus.1 (integer) active(1)
prvtStatHistShutdown.0 (integer) false(2)
PRVT-STATISTICS-MIB
This section describes MIBs used to provide Service statistics provide important information for
troubleshooting device problems at the service level in format of statistics, including the number of
bytes, number of unicast, multicast, broadcast packets, and the number of packets with specified
color or FC, a SAP/SDP port has received.

Examples:
Configuring service statistics via CLI:

device-name(config-statistics)#ingress-statistics-policy A2
device-name(config-ingress-statistics-policy-A2)#fc
device-name(config-ingress-statistics-policy-A2)#fc-bw-measurement all
device-name(config-ingress-statistics-policy-A2)#commit
Commit complete.
device-name(config-ingress-statistics-policy-A2)#
device-name(config)#service statistics egress-statistics-policy B7
device-name(config-egress-statistics-policy-B7)#da-type
device-name(config-egress-statistics-policy-B7)#da-type-bw-measurement
packets
device-name(config-egress-statistics-policy-B7)#commit
Configuring service statistics via SNMP:

1. Create ingress statistics policy:
***** SNMP SET-RESPONSE START *****

1: prvtStatIngressPolicyRowStatus.2.65.51 (integer) createAndWait(5)

***** SNMP SET-RESPONSE END *****
1: prvtStatIngressPolicyFc.2.65.51 (integer) true(1)
1: prvtStatIngressPolicyFcBwMeasurement.2.65.51 (integer) bytes(2)
1: prvtStatIngressPolicyRowStatus.2.65.51 (integer) active(1)
2. Create egress statistic policy:

1: prvtStatEgressPolicyRowStatus.2.66.55 (integer) createAndWait(5)
1: prvtStatEgressPolicyDaType.2.66.55 (integer) true(1)
1: prvtStatEgressPolicyDaTypeBwMeasurement.2.66.55 (integer) packet(1)
1: prvtStatEgressPolicyRowStatus.2.66.55 (integer) active(1)
3. Apply the ingress and egress statistics policies on SAP and SDP ports:
1: prvtStatSapEgressPolicy.1.1101.20490 (octet string) B7
1: prvtStatSapIngressPolicy.1.1101.20490 (octet string) A2
1: prvtStatSdpIngressPolicy.1.1 (octet string) A2
1: prvtStatSdpEgressPolicy.1.1 (octet string) B7

PRVT-LLDP-MIB
This section describes the MIB used by network devices for advertising their identity, capabilities,
interconnections, and store information about the network.
Examples:
Configuring LLDP via CLI:

1. Local peer config:
LocalPeer(config)#ethernet
LocalPeer(config-ethernet)#lldp
LocalPeer(config-lldp)#no shutdown
LocalPeer(config-lldp)#port 1/2/1
LocalPeer(config-port-1/2/1)#advertise-basic management-address
LocalPeer(config-port-1/2/1)#advertise-basic port-description
LocalPeer(config-port-1/2/1)#advertise-basic system-capabilities
LocalPeer(config-port-1/2/1)#advertise-basic system-description
LocalPeer(config-port-1/2/1)#advertise-basic system-name
2. Display the LLDP configuration on remote peer:

RemotePeer#show ethernet lldp remote-system-data

======================================================================
Chassis Id : 00:a0:12:ef:ce:41
Port ID : 00:a0:12:ef:ce:46
System Description : device-name Switch software version
5.0.R2.C8.005 Mon Nov 16 18:30:53 EET 2015
Router

Router

----------------------------------------------------------------------
Address : (IPv4) 1.0.0.78
Interface ID : 21
Address : (IPv4) 10.3.134.3

Interface ID : 2
Configuring LLDP via SNMP:

Security level: None
Security model: USM
1: usmStatsUnknownEngineIDs.0 (counter) 0
Response:
User profile name: tester
Context name: (zero-length)
Context engine ID: 80.00.02.E2.03.00.A0.12.EF.CE.40 (hex)
Security user name: tester
Security engine ID: 80.00.02.E2.03.00.A0.12.EF.CE.40 (hex)
Authentication protocol: None
Privacy protocol: None
Security level: None
Security model: USM
1: sysUpTime.0 (timeticks) 0 days 03h:32m:22s.66th (1274266)
1: prvtLldpEnable.0 (integer) true(1)
1: prvtLldpCfgPortRowStatus.5.49.47.50.47.49 (integer) createAndGo(4)
1: prvtLldpAdvBasicPortManAddr.5.49.47.50.47.49 (integer) true(1)
1: prvtLldpAdvBasicPortDescr.5.49.47.50.47.49 (integer) true(1)


1: prvtLldpAdvBasicPortSysCap.5.49.47.50.47.49 (integer) true(1)
1: prvtLldpAdvBasicPortSysDescr.5.49.47.50.47.49 (integer) true(1)
1: prvtLldpAdvBasicPortSysName.5.49.47.50.47.49 (integer) true(1)
Note: format 5.49.47.50.47.49 is ASCII and means

5 the length - 5 simbols in ASCII
49.47.50.47.49 = 1 / 2 / 1
Device Authentication
This section describes MIBs used to define interfaces on a device and contains the following MIBs:
PRVT-MAC-SECURITY-MIB
PRVT-SWITCH-MIB (only configL2IfaceTable table)
PRVT-PORTS-AGGREGATION-MIB
PRVT-RESILIENT-LINK-MIB
PRVT-SWITCH-IPVLAN-MIB
PRVT-MAC-SECURITY-MIB
This private MIB provides complete SNMP management of port security.
Examples:
1. Create a MAC learning profile with the following parameters:

profile name = test1

Maximum MAC Count = 30
Profile policy = port-limit
device-name(config-ethernet)#mac-learning learning-profile test1
device-name(config-learning-profile-test1)#max-mac-count 30
device-name(config-learning-profile-test1)#policy port-limit
device-name(config-learning-profile-test1)#commit
2. Apply the configured profile on port 1/1/1:

device-name(config-port-1/1/1)#mac-learning-profile test1

1. Using SNMP create a MAC learning profile (test1) with the following parameters:
prvtMacSecLrnProfRowStatus.5.116.101.115.116.49 (integer) create and
wait(5)
prvtMacSecLrnProfPolicy.5.116.101.115.116.49 (integer) portLimit(2)
prvtMacSecLrnProfMaxMacCount.5.116.101.115.116.49 (gauge) 30
prvtMacSecLrnProfRowStatus.5.116.101.115.116.49 (integer) active(1)
2. Apply the configured profile on port A (1/1/1):

prvtMacSecIfProfRowStatus.1101.5.116.101.115.116.49(integer) createAndGo(4)
PRVT-SWITCH-MIB (only configL2IfaceTable table)

A private MIB used to manage internal device parameters containing additional configuration
options and device information beyond the requirements defined by the RFC 2863 standard.
The Fast Ethernet and Giga Ethernet port configuration is done through the configL2IfaceTable
table of the MIB.

Examples:
1. Configure the desired speed on port 1/1/1:
device-name(config-port-1/1/1)#speed 1000
2. Configure the desired duplex-mode on port 1/1/1:

device-name(config-port-1/1/1)#duplex full
3. Define the ports MTU:


1. Configure the desired speed on port 1/1/1:
snmpset configL2IfaceSpeedSet.1.1.1 integer 1000 (1000 mbps)
2. Configure the desired duplex-mode on port 1/1/1:

snmpset configL2IfaceDuplexModeSet.1.1.1 integer 2 (full)
3. Define the ports MTU:

snmpset configL2IfaceMtu.1.1.1 (integer) 4096

PRVT-PORTS-AGGREGATION-MIB
The private Ports Aggregation MIB is used to manage static and dynamic port aggregation for the
device.
Examples:

1. Configure static link aggregation:

device-name(config)#ethernet lag lag-id ag2
device-name(config-lag-id-ag2)#description Uplink12
2. Remove the port from aggregation:

device-name(config-lag-id-ag2)#no port 1/1/1
Static Link Aggregation Configuration via SNMP

3. Configure static link aggregation:
portsAggregationRowStatus.3.97.103.50 (integer) createAndWait(5)
portsAggregationDescription.3.97.103.50 (octet string) Uplink12
portsAggregationPortsRowStatus.3.97.103.50.1101 (integer) createAndWait(5)
portsAggregationRowStatus.3.97.103.50 (integer) active(1)
portsAggregationPortsRowStatus.3.97.103.50.1101 (integer) active(1)
4. Remove the port from aggregation:

portsAggregationPortsRowStatus.3.97.103.50.1104 (integer) destroy(6)
LACP Configuration via SNMP

portsAggregationRowStatus.3.97.103.50 (integer) createAndWait(5)
portsAggregationDescription.3.97.103.50 (octet string) Uplink12
portsAggregationRowStatus.3.97.103.50 (integer) active(1)
portsAggregationLacpEnable.3.97.103.50 (integer) true(1)
PRVT-RESILIENT-LINK-MIB
The Resilient link MIB is used to manage the resilient link of the device.

Examples:
device-name(config-ethernet)#resilient-link res1
device-name(config-resilient-link-res1)#primary-port 1/1/1
device-name(config-resilient-link-res1)#backup-port 1/1/2
device-name(config-resilient-link-res1)#backup-mode shutdown
device-name(config-resilient-link-res1)#commit
Commit complete

prvtResilientLinkRowStatus.1 (integer) createAndWait(5)
prvtResilientLinkPrimaryPort.1 (integer) 1101 [1101]
prvtResilientLinkBackupPort.1 (integer) 1102 [1102]
prvtResilientLinkBackupMode.1 (integer) shutdown(2)
prvtResilientLinkRowStatus.1 (integer) active(1)
PRVT-SWITCH-IPVLAN-MIB
The IPVLAN MIB controls the assignment of IP subnets to VLANs.

Example:
Configuration via CLI:
1. Define an IP interface with name sw2:
2. Configure the IP address 2.0.0.1 for sw2:

3. Attach sw2 to VLAN 2:

device-name(config-vlan-v2/2)#routing-interface sw2
4. Configure VLAN 2 as a management VLAN:

device-name(config-vlan-v2/2)#management
Configuration via SNMP:

1. Define an IP interface with name sw2 and address 2.0.0.1 with mask 8:
ipInterfaceRowStatus.3.115.119.50 (integer) createAndWait(5)
ipInterfaceIpAddress.3.115.119.50 (ipaddress) 2.0.0.1
ipInterfaceSubnetMask.3.115.119.50 (ipaddress) 255.0.0.0
ipInterfaceRowStatus.3.115.119.50 (integer) active(1)
2. Attach sw2 to VLAN2:

ipVlanStatus.2.3.115.119.50 (integer) attached(1)
3. Configure VLAN 2 as a management VLAN:

ipVlanManagementStatus.2 (integer) true(1)
Filtering Traffic
PRVT-SWITCH-ACCESS-LIST-MIB
The private Switch Access List MIB is used to manage ACL rules.

Examples:
Creating a Standard IP ACL

The following example creates and configures a standard IP ACL 1:
device-name(config-rule-1)#source_ip 9.0.0.1/32

Commit complete.
device-name(config-rule-1)#

prvtSwAclStdRowStatus.1.49.(integer) createAndGo(4)
prvtSwAclStdRuleRowStatus.1.49.1 (integer) createAndWait(5)
prvtSwAclStdRuleAction.1.49.1 (integer) permit(0)
prvtSwAclStdRuleIpSrcPrefix.1.49.1 (octet string) 9.0.0.1/32
[09.00.00.01.20 (hex)]
prvtSwAclStdRuleRowStatus.1.49.1 (integer) active(1)
Creating an Extended IP ACL

The following example creates and configures an extended IP ACL 101:
device-name(config-extended-101)#rule 1
device-name(config-rule-1)#source_ip 9.0.0.2/32
device-name(config-rule-1)#destination_ip any
device-name(config-rule-1)#protocol tcp
device-name(config-rule-1)#rule 2
device-name(config-rule-2)#source_ip any
device-name(config-rule-2)#destination_ip any
device-name(config-rule-2)#protocol ip
Commit complete.

prvtSwAclExtRuleRowStatus.3.49.48.49 (integer) createAndWait(5)
prvtSwAclExtRuleAction.3.49.48.49.1 (integer) permit(0)
prvtSwAclExtRuleIpProtocol.3.49.48.49.1 (integer) 6 [6]
prvtSwAclExtRuleIpSrcPrefix.3.49.48.49.1 (octet string) 9.0.0.2/32
[09.00.00.02.20 (hex)]
prvtSwAclExtRuleIpDstPrefix.3.49.48.49.1 (octet string) 255.255.255.255/0
[FF.FF.FF.FF.00 (hex)]
prvtSwAclExtRuleRowStatus.3.49.48.49.1 (integer) active(1)
prvtSwAclExtRuleRowStatus.3.49.48.49.2 (integer) createAndWait(5)
prvtSwAclExtRuleAction.3.49.48.49.2 (integer) deny(1)
prvtSwAclExtRuleIpProtocol.3.49.48.49.2 (integer) 0 [0]
prvtSwAclExtRuleIpSrcPrefix.3.49.48.49.2 (octet string) 255.255.255.255/0
prvtSwAclExtRuleIpDstPrefix.3.49.48.49.2 (octet string) 255.255.255.255/0
prvtSwAclExtRuleRowStatus.3.49.48.49.2 (integer) active(1)
Creating an Extended MAC ACL

The following example creates and configures an extended MAC ACL 400:
device-name(config-rule-255)#source_mac 00:00:00:aa:00:01
device-name(config-rule-255)#destination_mac any
device-name(config-rule-255)#vlan 10
Commit complete.

prvtSwAclMacRowStatus.3.52.48.48 (integer) createAndGo(4)
prvtSwAclMacRuleRowStatus.3.52.48.48.250 (integer) createAndWait(5)
prvtSwAclMacRuleAction.3.52.48.48.250 (integer) permit(0)
prvtSwAclMacRuleMacSrc.3.52.48.48.250 (octet string) 00:00:00:AA:00:01
[00.00.00.AA.00.01 (hex)]
prvtSwAclMacRuleMacDst.3.52.48.48.250 (octet string) FF:FF:FF:FF:FF:FF
[FF.FF.FF.FF.FF.FF (hex)]
prvtSwAclMacRuleVlanId.3.52.48.48.250 (integer) 10 [10]
prvtSwAclMacRuleVpt.3.52.48.48.250 (gauge) 5
prvtSwAclMacRuleRowStatus.3.52.48.48.250 (integer) active(1)
Creating an EtherType ACL

The following example creates and configures an EtherType ACL 500:
device-name(config)#ether-type access-list 501
device-name(config-rule-1)#ether-type 98:76
Commit complete.

prvtSwAclEthRowStatus.3.53.48.49 (integer) createAndGo(4)
prvtSwAclEthRuleRowStatus.3.53.48.49.1 (integer) createAndWait(5)
prvtSwAclEthRuleAction.3.53.48.49.1 (integer) permit(0)
prvtSwAclEthRuleEthType.3.53.48.49.1 (octet string) 98:76 [98.76 (hex)]
prvtSwAclEthRuleRowStatus.3.53.48.49.1 (integer) active(1)
Applying an Extended IP ACL to a Port

The following example applies the extended IP ACL 100 to the ingress traffic on port 1/1/1 with
single-type rate limit, Committed Information Rate (CIR) of 1000 Kbps, and Committed Burst Size
(CBS) of 16 KB:
Applying via CLI

device-name(config-port-1/1/1)#access-groups-rule-sequence 1 ip-access-group-
extended 100 in
device-name(config-ip-access-group-extended-100/in)#rate-limit single cir 1000
cbs 16
Commit complete.
device-name(config-rate-limit-single)#
Applying via SNMP

prvtSwAclIfAcgRowStatus.1101.1.1.3.49.48.49.1 (integer) createAndWait(5)
prvtSwAclIfAcgRLimitRowStatus.1101.1.1.3.49.48.49.1.1 (integer)
createAndWait(5)
prvtSwAclIfAcgRLimitCir.1101.1.1.3.49.48.49.1.1 (gauge) 1000
prvtSwAclIfAcgRLimitCbs.1101.1.1.3.49.48.49.1.1 (gauge) 16
prvtSwAclIfAcgRowStatus.1101.1.1.3.49.48.49.1 (integer) active(1)
prvtSwAclIfAcgRLimitRowStatus.1101.1.1.3.49.48.49.1.1 (integer) active(1)
Applying an Extended MAC ACL to a Port

The following example applies the extended MAC ACL 400 to egress traffic on port 1/1/2 with
remarking by dscp:
Applying via CLI

device-name(config-port-1/1/2)#access-groups-rule-sequence 1 mac-access-group
400 out
device-name(config-mac-access-group-400/out)# dscp 44
device-name(config-mac-access-group-400/out)# commit
Commit complete.
Applying via SNMP

prvtSwAclIfAcgDscp.1102.1.2.3.52.48.48.2 (gauge) 44
Applying an EtherType ACL to a Port

The following example applies the EtherType ACL 500 as VLAN translation to port 1/1/3:
Applying via CLI

device-name(config-port-1/1/3)#access-groups-rule-sequence 1 ether-type-access-
group 500 vlan
device-name(config-ether-type-access-group-500/vlan)#vlan 100
device-name(config-ether-type-access-group-500/vlan)#commit
Commit complete.
device-name(config-ether-type-access-group-500/vlan)#
Applying via SNMP

prvtSwAclIfAcgVlan.1103.1.3.3.53.48.48.3 (integer) 100 [100]
Traffic Control
This section includes the PRVT-QOS-MIB MIB. For more information on the Traffic Control
feature, refer to the BiNOX User Guide.
PRVT-QOS-MIB

Examples:
Configuring QoS Policies per Port

1. Configure the shaper profile:
device-name(config)#qos shaper-profile port 2 cir 5555 cbs 55
device-name(config-port-2)#description descr
2. Configure the scheduling profile:

device-name(config)#qos scheduling-profile 5 scheduling-type hybrid-2

queue1-weight 11 queue2-weight 22 queue3-weight 33 queue4-weight 44 queue5-
weight 55 queue6-weight 66
device-name(config-scheduling-profile-5)#exit
3. Configure the port ingress policy:

device-name(config)#qos port-ingress-policy 2
device-name(config-port-ingress-policy-2)#description snmp
device-name(config-port-ingress-policy-2)#trust-mode trust-priority-and-
dscp
device-name(config-port-ingress-policy-2)#exit
device-name(config)#qos port-egress-policy 2
device-name(config-port-egress-policy-2)#description snmp
device-name(config-port-egress-policy-2)#shaper-profile 2
device-name(config-port-egress-policy-2)#scheduling-profile 5

device-name(config-port-egress-policy-2)#commit
Creating a Scheduler Profile

1. Configure the scheduling row:
prvtQosSchedProfileRowStatus.5 (integer) createAndWait(5)
2. Configure the scheduling type:

prvtQosSchedProfileType.5 (integer) hybrid2(4)
3. Configure the values for the queues:

prvtQosSchedProfileQueue1Weight.5 (integer) 11 [11]
4. Activate the scheduling row:

prvtQosSchedProfileRowStatus.5 (integer) active(1)
Creating a Shaper Profile

5. Configure the shaper row:
prvtQosPortShaperProfRowStatus.2 (integer) createAndWait(5)
6. Configure the shaper values:

prvtQosPortShaperProfCIR.2 (gauge) 5555
prvtQosPortShaperProfCBS.2 (gauge) 55
7. Add a description of the shaper:

prvtQosPortShaperProfDescr.2 (octet string) descr [64.65.73.63.72 (hex)]

8. Activate the shaper row:

prvtQosPortShaperProfRowStatus.2 (integer) active(1)
Creating an Ingress Policy

1. Create the ingress policys RowStatus:
prvtQosPortIngPolRowStatus.1.50 (integer) createAndWait(5)
2. Add a description of the policy:

prvtQosPortIngPolDescr.1.50 (octet string) snmp [73.6E.6D.70 (hex)]
3. Modify the ingress policy:

prvtQosPortIngPolTrustMode.1.50 (integer) trustPriorityAndDscp(4)
4. Activate the ingress policys RowStatus:

prvtQosPortIngPolRowStatus.1.50 (integer) active(1)
Creating an Egress Policy

1. Create the egress policys RowStatus:
prvtQosPortEgrPolRowStatus.1.50 (integer) createAndWait(5)
2. Add a description of the policy:

prvtQosPortEgrPolDescr.1.50 (octet string) snmp [73.6E.6D.70 (hex)]
3. Modify the egress policy:

prvtQosPortEgrPolShaperProf.1.50 (integer) 2 [2]
prvtQosPortEgrPolSchedProf.1.50 (integer) 5 [5]
4. Activate the egress policys RowStatus:

prvtQosPortEgrPolRowStatus.1.50 (integer) active(1)
VLANs
This section includes the following MIBs:
Q-BRIDGE-MIB
PRVT-SUPER-VLAN-MIB
Q-BRIDGE-MIB
The VLAN Bridge MIB used to manage VLAN networks. The Q-BRIDGE-MIB manages the
MAC address table and is also referred to as 8021Q_d6.mib.

NOTE
Configuration via SNMP uses only the dot1qVlanStaticTable.
Examples:
1. Create a VLAN with the specified name vlan3 and ID 3:
device-name(config)#vlan vlan3 3
2. Add port 1/1/1 as tagged to the created VLAN:

device-name(config-vlan-vlan3/3)#tagged 1/1/1
3. Add port 1/1/2 as untagged to the created VLAN:

device-name(config-vlan-vlan3/3)#untagged 1/1/2

set dot1qVlanStaticRowStatus.3 (integer) createAndWait(5)
set dot1qVlanStaticName.3(octet string) vlan3

set value: # 0xC0 0x00 0x00 0x00 to
dot1qVlanStaticEgressPorts.3 (octet string) C0.00.00.00 (hex)

set value: # 0x40 0x00 0x00 0x00 to

ste dot1qVlanStaticUntaggedPorts.3 (octet string) 40.00.00.00 (hex)

set dot1qVlanStaticRowStatus.3 (integer) active(1)
Examples:
device-name(config)#vlan vlan3 3

device-name(config-vlan-vlan3/3)#tagged 1/1/1

device-name(config-vlan-vlan3/3)#untagged 1/1/2

set dot1qVlanStaticRowStatus.3 (integer) createAndWait(5)
set dot1qVlanStaticName.3(octet string) vlan3

set value: # 0x00 0x00 0x00 0xC0 to
dot1qVlanStaticEgressPorts.3 (octet string) 00.00.00.C0 (hex)

set value: # 0x00 0x00 0x00 0x40 to
dot1qVlanStaticUntaggedPorts.3 (octet string) 00.00.00.40 (hex)
set dot1qVlanStaticRowStatus.3 (integer) active(1)
PRVT-SUPER-VLAN-MIB
PRVT-SUPER-VLAN-MIB is a private MIB that provides complete SNMP management of Super
Virtual Local Area Network (VLAN).

Examples:
Configuration via CLI with target port
Create a Super-VLAN with the specified name vlan2:
device-name(config-super-vlan-1/1/1)#target-port 1/1/2device-name(config-c-
vlan-2)#commit
Commit complete
Configuration via SNMP with target port

prvtSuperVlanIfRowStatus.1101 (integer) createAndWait(5)
prvtSuperVlanIfTargetPort.1101 (integer) 1102 [1102]
prvtSuperVlanIfRowStatus.1101 (integer) active(1)
Configuration via CLI with ring ports

device-name(config-super-vlan-1/1/1)#ring-ports 1/1/2 1/1/3 preferred-port
1/1/2 vlan 2
device-name(config-ring-ports-1/1/2/1/1/3)#commit
Commit complete
Configuration via SNMP with ring ports

prvtSuperVlanIfRingPortRowStatus.1101.1102.1103 (integer) createAndWait(5)
prvtSuperVlanIfRingPortPreferred.1101.1102.1103 (integer) 1102 [1102]
prvtSuperVlanIfRingPortVlanId.1101.1102.1103 (integer) 2
set simultaneously both
prvtSuperVlanIfRowStatus and prvtSuperValnIfRingPortRowStatus to active
state

prvtSuperVlanIfRowStatus.1101 (integer) activate(1)

prvtSuperVlanIfRingPortRowStatus.1101.1102.1103 (integer) activate(1)
PRVT-SPANNING-TREE-MIB
The private Spanning Tree MIB is used to manage spanning tree and fast ring protocols.

Examples:
Pending Configuration
1. Enable MSTP:
device-name(config)#config

device-name(config)#ethernet spanning-tree protocol-mstp

device-name(config-protocol-mstp)#no shutdown
device-name(config-protocol-mstp)#commit
2. Map VLANs 1 and 2 to MST instance 1:

device-name(config-protocol-mstp)#vlan-per-instance 1 instance-id 1
device-name(config-protocol-mstp)#vlan-per-instance 2 instance-id 1
3. Assign name region1 and the revision number 2 to the MSTP:

device-name(config-protocol-mstp)#region-name region1
device-name(config-protocol-mstp)#region-revision 2
Configuration of the Global MSTP Parameters

1. Enable MSTP and configure the forward-delay value to 14 seconds:
device-name(config)#ethernet spanning-tree protocol-mstp
device-name(config-protocol-mstp)#no shutdown
device-name(config-protocol-mstp)#exit
device-name(config-spanning-tree)#forward-delay 14
2. Configure parameters:
bridge priority: 4096
hello-time: 5 seconds
MaxAge time: 14 seconds
max-hop count: 23
device-name(config-spanning-tree)#priority 4096
device-name(config-spanning-tree)#hello-time 5
device-name(config-spanning-tree)#max-age 14
device-name(config-protocol-mstp)#max-hops 23
Configuration of the MSTP Port Parameters

1. Configure port 1/1/3 as edge port:
device-name(config-spanning-tree)#port 1/1/3 edge-port
2. Set port priority 80 and path-cost 1000 on port 1/1/1 for MSTI0:
device-name(config-spanning-tree)#port 1/1/1 path-cost 1000
device-name(config-spanning-tree)#port 1/1/1 priority 80
3. Set port priority 0 and path-cost 300 on port 1/1/1 for MSTI1:
device-name(config-spanning-tree)#port 1/1/1 mstp instance-id 1 priority 0
device-name(config-spanning-tree)#port 1/1/1 mstp instance-id 1 path-cost
300
Fast Ring Configuration

1. Enter into fast-ring node:
device-name(config-spanning-tree)#protocol-fast-ring

2. Configure ports 1/1/1 and 1/1/2 as ring ports:

device-name(config-protocol-fast-ring)#ring-ports 1/1/1 1/1/2
3. Enable MSTP Fast-Ring:

device-name(config-protocol-fast-ring)#no shutdown
Pending Configuration
1. Enable MSTP:
prvtStMstpProtocolEnable.0 (integer) true(1)
2. Map VLANs 1 and 2 to MST instance 1:

prvtStMstpVlanPerInstRowStatus.1 (integer) createAndWait(5)
prvtStMstpVlanPerInstMstId.1 (gauge) 1
prvtStMstpVlanPerInstRowStatus.1 (integer) active(1)
prvtStMstpVlanPerInstRowStatus.2 (integer) createAndWait(5)
prvtStMstpVlanPerInstMstId.2 (gauge) 1
prvtStMstpVlanPerInstRowStatus.2 (integer) active(1)
3. Assign bridge priority for MST instance 1:

prvtStMstpInstPriority.1 (gauge) 4096
4. Assign name region1 and the revision number 2 to the MSTP:

prvtStMstpRegionName.0 (octet string) region1[72.65.67.69.6F.6E.31 (hex)]
prvtStMstpRegionRevision.0 (gauge) 2
Configuration of the Global MSTP Parameters

1. Enable MSTP and configure the forward-delay value to 14 seconds:
prvtStMstpProtocolEnable.0 (integer) true(1)
prvtStForwardDelay.0 (gauge) 14
2. Configure parameters:
bridge priority: 4096
hello-time: 5 seconds
MaxAge time: 14 seconds
max-hop count: 23
prvtStPriority.0 (gauge) 4096
prvtStHelloTime.0 (gauge) 5
prvtStMaxAge.0 (gauge) 14
prvtStMstpMaxHops.0 (gauge) 23
Configuration of the MSTP Port Parameters

1. Configure port 1/1/3 as edge port:
prvtStPortEdge.1103 (integer) true(1)
2. Set port priority 80 and path-cost 1000 on port 1/1/1 for MSTI 0:

prvtStPortPriority.1101 (gauge) 80
prvtStPortPathCost.1101 (gauge) 1000
3. Set port priority 0 and path-cost 300 on port 1/1/1 for MSTI 1:
prvtStMInstPortPriority.1.1101 (gauge) 0
prvtStMInstPortPathCost.1.1101 (gauge) 300
Fast Ring Configuration

1. Configure ports 1/1/1 and 1/1/2 as ring ports:
prvtStFRingInstRowStatus.1101.1102 (integer) createAndWait(5)
prvtStFRingInstRowStatus.1101.1102 (integer) active(1)
2. Enable MSTP Fast-Ring:

prvtStFRingProtocolEnable.0 (integer) true(1)
3. Enable RSTP:
prvtStRstpProtocolEnable.0 (integer) true(1)
4. Enable STP:
prvtStStpProtocolEnable.0 (integer) true(1)
Service Configuration
This section includes the PRVT-SERV- MIB.
PRVT-SERV-MIB
The private Service MIB manages and provides various services on the device.

VPLS Configuration Examples:

Creating a VPLS Instance and Activating It
1. Create VPLS on an MTU device:
device-name(config)#no service vpls 1 shutdown
2. Create the primary and backup SDPs using LDP transport:

3. Add spoke SDPs to a specific VPLS instance:

device-name(config)#service vpls 1 spoke-sdp 1
device-name(config)#no service vpls 1 spoke-sdp 1 shutdown
device-name(config)#service vpls 1 spoke-sdp 2 backup
4. Add an qualified SAP to a specific VPLS instance:

device-name(config)#service vpls 1 sap 1/1/1:10:

device-name(config)#no service vpls 1 sap 1/1/1:10: shutdown

1. Create the service entity:
Set serviceRowStatus.1 with value CreateAndWait(5)
2. Set the VPN ID:

Set serviceVpnId.1 with value 1

Set serviceType.1 with value vplsMtu(11)
4. Activate the service:

Set serviceRowStatus.1 with value active(1)
5. Enable the service:

Set serviceAdminStatus.1 with value up(1)
6. Create primary SDP:

Set sdpRowStatus.1.1 with value CreateAndWait(5)
Set sdpFarEndIpAddress.1.1 with value 112.112.112.112
Set sdpType.1.1 with value spoke(2)
Set sdpPwPrecedence.1.1 with value 1
Set sdpRowStatus.1.1 with value active(1)
Set sdpAdminStatus.1.1 with value up(1)
7. Create backup SDP:


Set sapRowStatus.1.1101.10 with value CreateAndGo(4)
Create and Configure a VPLS Service with Spoke SDPs and Unqualified SAPs
device-name(config)#no service vpls 1 shutdown
2. Create the primary and backup SDPs using LDP transport:


3. Add spoke SDPs to a specific VPLS instance:

device-name(config)#service vpls 1 spoke-sdp 1
device-name(config)#service vpls 1 spoke-sdp 2 backup

device-name(config)#service vpls 1 sap 1/1/1::
device-name(config)#no service vpls 1 sap 1/1/1:: shutdown

1. Create the service entity:
Set serviceRowStatus.1 with value CreateAndWait(5)
2. Set the VPN ID:

Set serviceVpnId.1 with value 1

Set serviceType.1 with value vplsMtu(11)
4. Activate the service:

Set serviceRowStatus.1 with value active(1)
5. Enable the service:

Set serviceAdminStatus.1 with value up(1)
6. Create primary SDP:

7. Create backup SDP:



Set sapRowStatus.1.1101.4095 with value CreateAndGo(4)
TLS Configuration Example

Creating and Configuring a TLS Service
1. Create and configure TLS service 1:
device-name(config)#service tls 1
device-name(config-tls-1)#no shutdown
device-name(config-tls-1)#sap 1/1/1 c-vlan 3
device-name(config-tls-1)#sdp s-vlan 10 port 1/1/2
Commit complete.
device-name(config-interface-1/1/2)#
2. Display the created TLS configuration:

device-name(config-interface-1/1/2)#exit
device-name(config-s-vlan-10)#exit
device-name(config-tls-1)#top
device-name(config)#exit
device-nameshow running-config service tls
service
tls 1
sap 1/1/1
c-vlan 3
!
!
sdp s-vlan 10
port 1/1/2
!

1. Create the TLS service:
serviceRowStatus.1 (integer) createAndWait(5)
serviceType.1 (integer) tls(3)
serviceAdminStatus.1(integer) up(2)
serviceVpnId.1 (gauge) 10
serviceRowStatus.1 (integer) active(1)
2. Get the next free id value (Needed to configure the SDP port.):
sdpNextFreeId.0 (gauge)16
3. Configure the SDP RowStatus:

sdpRowStatus.1.16 (integer) createAndWait(5)
4. Configure the service Vlan:

sdpBindVlanTag.1.16 (gauge) 10

5. Configure the SDP interface:

sdpOutInterface.1.16 (integer) 1102 [1102]
6. Set the SDP/SAP RowStatuses to active:

sdpRowStatus.1.16 (integer) active(1)
sapRowStatus.1.1101.3 (integer) createAndWait(5)
sapRowStatus.1.1101.3 (integer) active(1)
Basic Routing and Router Protocols

This section includes the following MIBs:
PRVT-ROUTE-MIB
PRVT-OSPF-MIB
PRVT-ISIS-MIB
PRVT-ROUTE-MIB
The private MIB, PRVT-ROUTE-MIB, isused to manage static and dynamic IP routes.
Example
1. Create Static Route to network 11.0.0.0/8 via next hop 5.0.0.1 and administrative distance 1:
device-name(config)#router static-route 11.0.0.0/8 5.0.0.1 1
2. Delete Static Route to network 11.0.0.0/8 via next hop 5.0.0.1 and administrative distance 1:

device-name(config)#no router static-route 11.0.0.0/8 5.0.0.1 1

3. Create Static Route to network 11.0.0.0/8 via next hop 5.0.0.1 and administrative distance 1:
set prvtCfgRouteRowStatus (integer) 11.0.0.0.8.5.0.0.1.1 createAndGo(4)
4. Delete Static Route to network 11.0.0.0/8 via next hop 5.0.0.1 and administrative distance 1:
set prvtCfgRouteRowStatus (integer) 11.0.0.0.8.5.0.0.1.1 destroy(6)
PRVT-OSPF-MIB
The private OSPF MIB, which enables the OSPF protocol, redistributes other routing protocols in
the OSPF and contains additional configuration not provided in the standard RFC 1850.
Examples:

1. Set the OSPF router ID:
device-name(config)#router ospf router-id 1.1.1.1
device-name(config-ospf)#commit
2. Create an OSPF area:

device-name(config)#router ospf area 0.0.0.3
device-name(config-area-0.0.0.3)#commit

3. Map the software interfaces to the created area:

device-name(config)#router ospf area 0.0.0.3 interface 10.3.2.4
device-name(config-interface-10.3.2.4)#commit
4. Configure the OSPF hello-interval:

device-name(config)#router ospf area 0.0.0.3 interface 10.3.2.4 hello-
interval 3
5. Configure the OSPF dead-interval:

device-name(config)#router ospf area 0.0.0.3 interface 10.3.2.4 dead-
interval 10

1. Set the OSPF router ID:
Set prvtOspfRouterId.0 with value 1.1.1.1
2. Create an OSPF area:

Set prvtOspfAreaRowStatus.0.0.0.3 with value createAndGo(4)
3. Map the software interfaces to the created area:

Set prvtOspfIfRowStatus.10.3.2.4 with value createAndWait(5)
Set prvtOspfIfAreaId.10.3.2.4 with value 0.0.0.3
Set prvtOspfIfRowStatus.10.3.2.4 with value active(1)
4. Configure the OSPF hello-interval:

Set prvtOspfIfRowStatus.10.3.2.4 with value notInService(2)
Set prvtOspfIfHelloTimer.10.3.2.4 with value 3
5. Configure the OSPF dead-interval:

Set prvtOspfIfRowStatus.10.3.2.4 with value notInService(2)
Set prvtOspfIfDeadTimer.10.3.2.5 with value 10

PRVT-ISIS-MIB
This private MIB provides complete SNMP management of Intermediate System-to-
Intermediate System (IS-IS).
Example
1. Set the ISIS router ID:
device-name(config)#router isis router-id 11:22:33:44:55:66
device-name(config-isis)#commit
2. Create an ISIS area:

device-name(config)#router isis area-address 01:02:03
device-name(config-area-address-01:02:03)#commit
3. Enable ISIS on a software interface:

device-name(config)#router isis interface sw11

4. Enable ISIS globally:

device-name(config)#router isis
device-name(config-isis)#no shutdown
5. Configure the ISIS spf-interval:

device-name(config)#router isis spf-interval 1000
6. Configure the ISIS level 1 metric style:

device-name(config)#router isis level-1 metric-style wide
device-name((config-level-1)#commit

1. Set the ISIS router ID:
Set prvtIsisSysExistState.1 to createAndGo(4)
Set prvtIsisSysID.1 to 11:22:33:44:55:66
2. Create an ISIS area:

Set prvtIsisManAreaAddrExistState.1.3.1.2.3 to createAndGo(4)
3. Enable ISIS on a software interface:

Set prvtIsisCircExistState.1.40011 to createAndGo(4)
Set prvtIsisCircShutdown.1.40011 to false(2)
4. Enable ISIS globally:

Set prvtIsisSysShutdown.1 to false(2)
5. Configure the ISIS spf-interval:

Set prvtIsisSysCalcMaxDelay.1 to 1000
6. Configure the ISIS level 1 metric style:

Set prvtIsisSysLvl1MetricStyle.1 to wide(2)
Multiprotocol Label Switching

This section presents SNMP MIBs for the Multiprotocol Label Switching (MPLS) feature:
PRVT-L2TUNNELING-MIB
PRVT-MPLS-TE-MIB
PRVT-TEMIB-ENTITY-MIB
PRVT-RSVP-MIB
PRVT-MPLS-IF-MIB
PRVT-LMGR-MIB
PRVT-MPLS-LDP-MIB
PRVT-CR-LDP-MIB

PRVT-L2TUNNELING-MIB
The private Layer 2 Tunneling MIB manages the Layer 2 Protocol Tunneling feature designed for
service providers. L2 tunneling profile on SAP and SDP port is not supported.
Example
device-name(config)#l2-tunneling
device-name(config-l2-tunneling)#no shutdown
device-name(config-l2-tunneling)#commmit
Commit complete.
device-name(config-l2-tunneling)#exit
device-name(config)#service tls 1
device-name(config-c-vlan-3)#tunnel-profile tunnel-all
device-name(config-c-vlan-3)#exit
device-name(config-sap-1/1/1)#exit
device-name(config-tls-1)#sdp s-vlan 10 port 1/1/2
device-name(config-interface-1/1/2)#tunnel-profile tunnel-bpdu
Commit complete.

device-name(config-interface-1/1/2)#

1. Enable Layer 2 tunneling and create TLS:
prvtL2TunnEnable.0 (integer) enable(1)
serviceRowStatus.1 (integer) createAndWait(5)
serviceType.1 (integer) tls(3)
serviceVpnId.1 (gauge) 10
serviceRowStatus.1 (integer) active(1)
2. Get next free id value (Needed to configure the SDP port.):

sdpNextFreeId.0 (gauge)16
Use return value to configure sdp port:
3. Configure the SDP RowStatus:

sdpRowStatus.1.16 (integer) createAndWait(5)
4. Configure the service vlan:

sdpBindVlanTag.1.16 (gauge) 10
5. Configure the SDP interface:

sdpOutInterface.1.16 (integer) 1102 [1102]
6. Set the SDP/SAP RowStatus to active:

sdpRowStatus.1.16 (integer) active(1)
sapRowStatus.1.1101.3 (integer) createAndWait(5)
sapRowStatus.1.1101.3 (integer) active(1)
PRVT-MPLS-TE-MIB
The private MPLS-TE MIB supports tables for configuring:
tunnels
tunnel hop
tunnel resources
differential Service
tunnel trap
Actual Route Hop
Calculated Hop

Creating a single tunnel is equivalent to creating a row in the Tunnel table. Path nodes are in the
Nodes table. The same table also provides a field to set the path name used to unite the nodes. The
same rules apply for two-phase setting: first create and configure the tunnel and then activate the
tunnel. Activating a tunnel works with all active nodes. You cannot create nodes that are intended
to belong to the same path but have different path names.
PRVT-TEMIB-ENTITY-MIB
The private TE Entity MIB is designed to list tunnel entities. Such entities are needed to use RSVP
tunnel router functionality and cannot be created manually. Using only one RSVP router means
only one tunnel entity is created when creating the router.

Examples:
Enable RSVP prior to configure MPLS (refer to Examples).
1. Create the path:
100.0.0.2 true
device-name(config-hop-1)#exit
2. Create the tunnel, assign a name to the tunnel, configure the tunnel attributes, and specify the
explicit route hops for this tunnel:
device-name(config)#router rsvp-te lsp 1 far-end 1.1.1.1 name 3_to_1 fast-
reroute-mode facility max-backup-hops 20 cspf path 1

1. Create the tunnel:
Set mplsManTunnelRowStatus.1.1.1 with value createAndWait(5)
Set mplsManTunnelIngressLSRId.1.1.1 with value 0A0A0A0A
Set mplsManTunnelEgressLSRId.1.1.1 with value 0B0B0B0B
2. Assign a name to the tunnel:

Set mplsManTunnelName with value 3_to_1
3. Configure the tunnel attributes:

Set mplsManTunnelSessionAttributes.1.1.1 with value fast reroute
Set mplsManTunnelFastRerouteMode.1.1.1 with value facilityFastReroute(2)
Set mplsManTunnelBackupMaxHops.1.1.1 with value 20
4. Specify the explicit route hops for this tunnel:

Set mplsManTunnelHopTableIndex.1.1.1 with value 1
Set mplsManTunnelPathInUse.1.1.1 with value 1
5. Create the tunnel hop:

Set mplsTunnelManHopRowStatus.1.1.1.1 with value createAndWait(5)
6. Set the tunnel hop address:

Set mplsTunnelManHopIpAddr.1.1.1.1 with value 64000002
7. Set the hop type:

Set mplsTunnelManHopType.1.1.1.1 with value strict(1)
8. Activate the hop:

Set mplsTunnelManHopRowStatus.1.1.1.1 with value active(1)
9. Activate the tunnel:

Set mplsManTunnelRowStatus.1.1.1 with value active(1)
PRVT-RSVP-MIB
The private MIB, PRVT-RSVP-MIB, provides configuration capabilities for RSVP functionality.
Examples:
Enable MPLS on software interfaces prior to configuring RSVP.
1. Enable RSVP router:
device-name(config)#router rsvp-te
device-name(config-rsvp-te)#commit
2. Set RSVP-extensions:
device-name(config-rsvp-te)#bypass-fast-reroute true
device-name(config-rsvp-te)#commit

3. Enable RSVP router:
Set prvtMplsTeMibEntityRowStatus.1 with value createAndGo(4)
Set prvtRsvpProductRowStatus.1 with value createAndGo(4)
4. Set RSVP-extensions:
Set prvtRsvpProductProtocolExtensions.1 with value bypassFastReroute(0)
PRVT-MPLS-IF-MIB
The private MIB, PRVT-MPLS-IF-MIB, manages specific MPLS and RSVP interface parameters.

Examples:
Enable MPLS on previously created IP interfaces lo1 and sw1.
device-name(config)#router mpls interface lo1
device-name(config)#router mpls interface sw1

Create LSR entity with LSR ID and transport address:
Set ifaceMplsRowStatus.20001 with value createAndGo(4)
Set ifaceMplsRowStatus.40001 with value createAndGo(4)
PRVT-LMGR-MIB
The private LMGR MIB is designed to support Label Manager settings.

PRVT-MPLS-LDP-MIB
The private LDP MIB contains information about negotiated parameters when starting an LDP
router. The MIB configures remote peers to hear LDP multicast advertisements. This MIB
includes:
LDP entities
LDP peers
LDP sessions
FECs

PRVT-CR-LDP-MIB
This private CR LDP MIB contains two tables for viewing and configuring the path manager and
the session manager. Tables are read-only and cannot have multiple instances for either the path or
session manager. A single instance is created (with index 1) when activating the LDP entity in the
LDP entity table.
Examples:
Enable MPLS on software interfaces prior to configuring RSVP.
1. Create LSR entity with LSR ID:
device-name(config)#router mpls lsr-id 10.10.10.10
device-name(config-mpls)#commit
2. Enable LDP protocol and assign the transport address:

device-name(config)#router ldp
device-name(config-ldp)#commit
3. Create two targeted peers and assign them IP addresses:

device-name(config)#router ldp targeted-peer 11.11.11.11
device-name(config-targeted-peer-11.11.11.11)#commit
device-name(config-targeted-peer-11.11.11.11)#exit
device-name(config)#router ldp targeted-peer 12.12.12.12
device-name(config-targeted-peer-12.12.12.12)#commit

1. Create LSR entity with LSR ID and transport address:
Set prvtLmgrLsrEntityRowStatus.1 with value createAndWait(5)
Set prvtLmgrLsrEntityLsrId.1 with value 168430090
Set prvtLmgrLsrEntityTranAddr with value 0A0A0A0A
Set prvtLmgrLsrEntityRowStatus.1 with value active(1))
2. Enable LDP protocol:

Set prvtcrldpSigRowStatus.1 with value createAndGo(4)
Set prvtcrldpPmRowStatus.1 with value createAndGo(4)
Configuring the Targeted Peers

3. Create two targeted peers:

Set mplsLdpEntityRowStatus.
1.14.49.48.46.49.48.46.49.48.46.49.48.58.48.48.1 with value
CreateAndWait(5)
1.14.49.48.46.49.48.46.49.48.46.49.48.58.48.48.2 with value
CreateAndWait(5)
4. Assign them IP addresses:

Set mplsLdpEntityTargetPeerAddr.
1.14.49.48.46.49.48.46.49.48.46.49.48.58.48.48.1 with value 0B0B0B0B
Set mplsLdpEntityTargetPeerAddr.
1.14.49.48.46.49.48.46.49.48.46.49.48.58.48.48.2 with value 0C0C0C0C
5. Activate the entries:

1.14.49.48.46.49.48.46.49.48.46.49.48.58.48.48.1 with value active(1)
1.14.49.48.46.49.48.46.49.48.46.49.48.58.48.48.2 with value active(1)
Network Monitoring and Troubleshooting

This chapter presents MIBs used to monitor and troubleshoot technical issues and includes the
following sections:
PRVT-CFM-MIB
PRVT-SYS-MON-MIB
PRVT-ALARM-MIB
PRVT-STORM-CTL-MIB
PRVT-LMM-MIB
PRVT-EFM-OAM-MIB
PRVT-RAPS-MIB
PRVT-SAA-MIB
PRVT-TWAMP-MIB
PRVT-CFM-MIB
The private CFM MIB is an extension of the Connectivity Fault Management module for managing
IEEE 802.1ag connectivity. The MIB provides proactive and diagnostic connectivity fault
localization capabilities over SNMP for Ethernet Virtual Connections (EVC) that span one or more
links.

Example
In the following example, a domain MA is created for a VLAN and port 1/1/1 is added as a MEP
to the specified MA.
1. Enable CFM:
2. Create the domain_1 domain:

device-name(config-cfm)#domain-name domain_1 level 1
3. Create ma_1 MA:

device-name(config-domain-name-domain_1)#ma ma_1 vlan 251
4. Create a MEP:
device-name(config-ma-ma_1)#mep 105 bind-to 1/1/1
device-name(config-mep-105/1/1/1)#direction down
device-name(config-mep-105/1/1/1)#ccm-enabled
device-name(config-mep-105/1/1/1)#no shutdown
device-name(config-mep-105/1/1/1)#commit
Commit complete.
device-name(config-mep-105/1/1/1)#

1. Enable CFM:
1: prvtCfmShutdown.0
It`s value should be set to 2 in order to activate oam cfm.:
1: prvtCfmShutdown.0 (integer) false(2)
2. Create domain_1 domain:

1: prvtCfmMdRowStatus.8.100.111.109.97.105.110.95.49 = 5
2: prvtCfmMdLevel.8.100.111.109.97.105.110.95.49 (integer) 1 [1]
3: prvtCfmMdFormat.8.100.111.109.97.105.110.95.49 (integer) charString(4)
4: prvtCfmMdMhfIdPermission.8.100.111.109.97.105.110.95.49 (integer)
sendIdNone(1)
5: prvtCfmMdRowStatus.8.100.111.109.97.105.110.95.49 = 1
The same applies for MA configuration:
1: prvtCfmMaRowStatus.8.100.111.109.97.105.110.95.49.4.109.97.95.49 = 5
2: prvtCfmMaVlanId.8.100.111.109.97.105.110.95.49.4.109.97.95.49 (integer)
3
3: prvtCfmMaMhfCreation.8.100.111.109.97.105.110.95.49.4.109.97.95.49
(integer) defMHFdefer(4)
4: prvtCfmMaPermission.8.100.111.109.97.105.110.95.49.4.109.97.95.49
(integer) sendIdDefer(5)
5: prvtCfmMaFormat.8.100.111.109.97.105.110.95.49.4.109.97.95.49 (integer)
charString(2)
6: prvtCfmMaCcmInterval.8.100.111.109.97.105.110.95.49.4.109.97.95.49
(integer) interval1s(4)
7: prvtCfmMaAisLckReceive.8.100.111.109.97.105.110.95.49.4.109.97.95.49
(integer) false(2)
8: prvtCfmMaAisLckInterval.8.100.111.109.97.105.110.95.49.4.109.97.95.49
(integer) interval1s(1)
9:1:prvtCfmMaRowStatus.8.100.111.109.97.105.110.95.49.4.109.97.95.49
(integer) active(1)
3. Create ma_1 MA:

get prvtCfmMdMaNextIndex.1 (gauge) 1
prvtCfmMaRowStatus.1.1 5
prvtCfmMaName.1.1 ma_1
prvtCfmMaVlanId.1.1 251
prvtCfmMaRowStatus.1.1 1
4. Create a MEP with ID 105:

1: prvtCfmMepRowStatus.8.100.111.109.97.105.110.95.49.4.109.97.95.49.105 =
5
2:prvtCfmMepInterfaceIndex.8.100.111.109.97.105.110.95.49.4.109.97.95.49.10
5 (integer) 1101 [1101]
3: prvtCfmMepDirection.8.100.111.109.97.105.110.95.49.4.109.97.95.49.105
(integer) down(1)
4: prvtCfmMepShutdown.8.100.111.109.97.105.110.95.49.4.109.97.95.49.105
(integer) false(2)
5: prvtCfmMepCciEnabled.8.100.111.109.97.105.110.95.49.4.109.97.95.49.105
(integer) true(1)
6: prvtCfmMepRowStatus.8.100.111.109.97.105.110.95.49.4.109.97.95.49.105
(integer) active(1)
PRVT-SYS-MON-MIB
The MIB contains settings for system monitoring and periodic system self-tests.
Examples:
Displaying the Self-Test Results via CLI

Type the show system self-test full command:
device-name#system monitor self-test full
self-test-result
CPU Temperature Test
Status : PASSED
Measure : 39C
CPU Resources Test
Status : PASSED

Measure : 4%
RAM Resources Test
Status : PASSED
Measure : 51%
Fan Test
Status : PASSED
Power Supply Test
Status : PASSED (primary) PASSED (primary)
Port Statistics Test
Status : PASSED
Measure : 0%
Displaying the Self-Test Results via SNMP
Start an SNMP query***** SNMP QUERY STARTED *****

1: prvtSysMonCurrentCpuUsage.0 (octet string) 6%
2: prvtSysMonCurrentCpuTemperature.0 (octet string) 39C
3: prvtSysMonCurrentRamUsage.0 (octet string) 42%
4: prvtSysMonSelfTestExecuteNow.0 (integer) 0
5: prvtSysMonCpuUsageShutdown.0 (integer) true(1)
6: prvtSysMonCpuUsageLog.0 (integer) false(2)
7: prvtSysMonCpuUsageLed.0 (integer) false(2)
8: prvtSysMonCpuUsageTrap.0 (integer) false(2)
9: prvtSysMonCpuUsagePeriod.0 (gauge) 60
10: prvtSysMonCpuUsageLowThreshold.0 (integer) 0
11: prvtSysMonCpuUsageHighThreshold.0 (integer) 75
12: prvtSysMonCpuTemperatureShutdown.0 (integer) false(2)
13: prvtSysMonCpuTemperatureLog.0 (integer) true(1)
14: prvtSysMonCpuTemperatureLed.0 (integer) false(2)
15: prvtSysMonCpuTemperatureTrap.0 (integer) false(2)
16: prvtSysMonCpuTemperaturePeriod.0 (gauge) 60
17: prvtSysMonCpuTemperatureLowThreshold.0 (integer) -3
18: prvtSysMonCpuTemperatureHighThreshold.0 (integer) 70
19: prvtSysMonCpuTemperatureLastStatus.0 (octet string) PASSED
20: prvtSysMonRamUsageShutdown.0 (integer) true(1)
21: prvtSysMonRamUsageLog.0 (integer) false(2)
22: prvtSysMonRamUsageLed.0 (integer) false(2)
23: prvtSysMonRamUsageTrap.0 (integer) false(2)
24: prvtSysMonRamUsagePeriod.0 (gauge) 60
25: prvtSysMonRamUsageLowThreshold.0 (integer) 0
26: prvtSysMonRamUsageHighThreshold.0 (integer) 90
27: prvtSysMonPortStatisticsShutdown.0 (integer) true(1)

28: prvtSysMonPortStatisticsLog.0 (integer) false(2)

29: prvtSysMonPortStatisticsLed.0 (integer) false(2)
30: prvtSysMonPortStatisticsTrap.0 (integer) false(2)
31: prvtSysMonPortStatisticsPeriod.0 (gauge) 60
32: prvtSysMonPortStatisticsLowThreshold.0 (integer) 0
33: prvtSysMonPortStatisticsHighThreshold.0 (integer) 0
34: prvtSysMonFanShutdown.0 (integer) true(1)
35: prvtSysMonFanLog.0 (integer) false(2)
36: prvtSysMonFanLed.0 (integer) false(2)
37: prvtSysMonFanTrap.0 (integer) false(2)
38: prvtSysMonFanPeriod.0 (gauge) 60
39: prvtSysMonOnboardPowerShutdown.0 (integer) true(1)
40: prvtSysMonOnboardPowerLog.0 (integer) false(2)
41: prvtSysMonOnboardPowerLed.0 (integer) false(2)
42: prvtSysMonOnboardPowerTrap.0 (integer) false(2)
43: prvtSysMonOnboardPowerPeriod.0 (gauge) 60
44: prvtSysMonPowerSupplyShutdown.0 (integer) true(1)
45: prvtSysMonPowerSupplyLog.0 (integer) false(2)
46: prvtSysMonPowerSupplyLed.0 (integer) false(2)
47: prvtSysMonPowerSupplyTrap.0 (integer) false(2)
48: prvtSysMonPowerSupplyPeriod.0 (gauge) 60
PRVT-ALARM-MIB
This private MIB provides information for the following alarms:
Temperature test fail
Power-supply test fail
Power-supply fan test fail
Onboard power test fail
Fan test fail
CPU-usage test fail
RAM-usage test fail
Port statistics test fail
Link Down
Lag Down
SyncE alarms

Event Alarm
lagLinkDown Raise LAG agXX is down
lagLinkUp Clear
lagMemberLinkDown Raise lagMemberLink agXX down
lagMemberLinkUp Clear
linkDown Raise Interface XX/XX/XX down
linkUp Clear
syncEthernetDPLLLockFailed - for DPLL 0 Raise DPLL 0 lock failed
syncEthernetDPLLChanged==Locked for DPLL 0 Clear
syncEthernetDPLLLockFailed - for DPLL 1 Raise DPLL 1 lock failed
syncEthernetDPLLChanged==Locked for DPLL 1 Clear
cpu-temperature test failed Raise "Temperature test failed."
cpu-temperature test passed Clear
power supply test failed Raise "Power-supply test failed. PS1

FAILED, PS2 OK
Raise "Power-supply test failed. PS1
FAILED, PS2 FAILED
Raise "Power-supply test failed. PS1
FAILED, PS2 ABSENT"
power supply test passed Clear
power supply fan test failed Raise "Power-supply fan test failed. PS1 fan
OK, PS2 fan FAILED."
Raise "Power-supply fan test failed. PS1 fan
FAILED, PS2 fan OK"
FAILED, PS2 fan FAILED"
FAILED, PS2 fan ABSENT"
ABSENT, PS2 fan FAILED"
ABSENT, PS2 fan OK"
ABSENT, PS2 fan ABSENT"

Event Alarm
FAIL, PS2 fan ABSENT"

ABSENT, PS2 fan ABSENT"
power supply fan test passed Clear
onboard-power test failed Raise "Onboard power test failed"
onboard-power test passed Clear
fan test failed Raise "Fan test failed"

Raise "Fan test found empty tray"
fan test passed Clear
cpu-usage test failed Raise "Cpu-usage test failed."
cpu-usage test passed Clear
ram-usage test failed Raise "Ram-usage test failed"
ram-usage test passed Clear
port-statistics test failed Raise "Port statistics test failed"
port-statistics test passed Clear
The MIB contains list of predefined device alarms with index, time of occurrence and description.
Every time an alarm is triggered, a new row is added to the prvtAlarmCurrentTable.
Once the alarm goes off, the relevant row is removed from the prvtAlarmCurrentTable.
PRVT-LMM-MIB
This private MIB provides complete SNMP management of the Laser Management feature.

Example:
device-name(config-monitor)#laser
device-name(config-laser)#no shutdown
device-name(config-laser)#period 60
device-name(config-laser)#log
device-name(config-laser)#led
device-name(config-laser)#temperature low-threshold -10
device-name(config-laser)#temperature high-threshold 60
device-name(config-laser)#tx-power low-threshold -5
device-name(config-laser)#tx-power high-threshold 5
device-name(config-laser)#commit
Commit complete.

prvtLmmShutdown.0 (integer) false(2)
prvtLmmPeriod.0 (integer) 60
prvtLmmLog.0 (integer) true(1)
prvtLmmLed.0 (integer) true(1)

prvtLmmTemperatureLowThreshold.0 (integer) -10

prvtLmmTemperatureHighThreshold.0 (integer) 60
prvtLmmTxPowerLowThreshold.0 (integer) -5
prvtLmmTxPowerHighThreshold.0 (integer) 5
PRVT-STORM-CTL-MIB
This private MIB provides complete SNMP management of the Traffic Storm Control feature.
Example:
Device-name(config)#ethernet
Device-name(config-ethernet)#storm-control
Device-name(config-storm-control)#port 1/1/1
Device-name(config-port-1/1/1)#traffic-type unknown rate-threshold 100
Device-name(config-traffic-type-unknown)#exit
Device-name(config-port-1/1/1)#no shutdown
Commit complete.

prvtStrmCtlPortRowStatus.1201 (integer) createAndWait(5)
prvtStrmCtlPortTrafficRowStatus.1201.1 (integer) createAndWait(5)
prvtStrmCtlPortTrafficThreshold.1201.1 (gauge) 100
prvtStrmCtlPortShutdown.1201 (integer) false(2)
prvtStrmCtlPortRowStatus.1201 (integer) active(1)
prvtStrmCtlPortTrafficRowStatus.1201.1 (integer) active(1)
PRVT-EFM-OAM-MIB
This private MIB provides complete SNMP management of 802.3ah Ethernet in the First Mile
(EFM-OAM).

Examples:
Device-name(config-port-1/1/1)#efm role active
Device-name(config-port-1/1/1)#
Device-name(config-port-1/1/1)#efm event-return-shutdown 5
Device-name(config-port-1/1/1)#efm event-forward-status 1/1/2

set prvtEfmOamInterfaceRole(1.3.6.1.4.1.738.10.5.133.1.23.1.3).1101
(integer) active(2)
or
set prvtEfmOamInterfaceRole.1101 (integer) active(2)
set prvtEfmOamInterfaceEventReturnShutdown(1.3.6.1.4.1.738.10.5.133.1.23.1.
12).1101 (gauge) 5
or
set prvtEfmOamInterfaceEventReturnShutdown.1101 (gauge) 5
set prvtEfmOamEventForwardStatusRowStatus(1.3.6.1.4.1.738.10.5.133.1.24.1.2
).1101.1102 createAndWait(5)
or
set prvtEfmOamEventForwardStatusRowStatus.1101.1102 (integer)
createAndWait(5)
set prvtEfmOamEventForwardStatusRowStatus(1.3.6.1.4.1.738.10.5.133.1.24.1.2
).1101.1102 active(1)
or
set prvtEfmOamEventForwardStatusRowStatus.1101.1102 (integer) active(1)
PRVT-RAPS-MIB
This private MIB provides complete SNMP management of ITU-T G.8032v2 Ring Automatic
Protection Switching (R-APS).
Example
Device-name(config)#ethernet ring-aps instance 1
Device-name(config-instance-1)#role simple-node
Device-name(config-instance-1)#control-vlan 2
Device-name(config-instance-1)#cfm-domain-level 2
Device-name(config-instance-1)#no shutdown

Device-name(config-instance-1)#monitor-vlan 4
Device-name(config-instance-1)#port 1
Device-name(config-instance-1)#port 1 port-id 1/1/1 mep 13
Device-name(config-port-1)#exit
Device-name(config-instance-1)#port 0 port-id 1/1/2 mep 14
Device-name(config-instance-1)#commit

To create RAPS instance via SNMP the last four objects from the below configuration
have to be activated in a single action.
prvtRapsInstRowStatus.1 = 5
prvtRapsInstRole.1 = 0
prvtRapsInstControlVlan.1 = 2
prvtRapsInstCfmDomainLevel.1 = 2
prvtRapsInstShutdown.1 = 2
prvtRapsInstRingPortRowStatus.1.0 = 5
prvtRapsInstRingPortIfIndex.1.0 = 1102
prvtRapsInstRingPortMep.1.0 = 14
prvtRapsInstRingPortRowStatus.1.1 = 5
prvtRapsInstRingPortIfIndex.1.1 = 1101
prvtRapsInstRingPortMep.1.1 = 13
prvtRapsInstMonVlanRowStatus.1.4 = 5
prvtRapsInstRingPortRowStatus.1.1
prvtRapsInstRingPortRowStatus.1.0
prvtRapsInstMonVlanRowStatus.1.4 i
prvtRapsInstRowStatus.1
PRVT-SAA-MIB
This private MIB provides complete SNMP management of SAA tests.

Examples:
SAA RFC 2544 SNMP configuration:

Specify SAA RFC 2544 profile:
device-name(config)#saa profile 1 rfc2544 frameloss 100000
prvtSaaProfileRowStatus.1.49 = 5
prvtSaaProfileType.1.49 = rfc2544
prvtSaaProfileRfc2544FrameLoss.1.49 = 100000
prvtSaaProfileRowStatus.1.49 = 1
Configure bi-directional loopback:

device-name(config)#saa test 1 1 type rfc2544 profile 1 rfc2544 mode bi-
test-loopback
device-name(config-rfc2544)#domain d2 ma ma2 mep 1001

prvtSaaTestRowStatus.1.49.1.49 = 5
prvtSaaTestType.1.49.1.49 = rfc2544
prvtSaaTestEnable.1.49.1.49 = true
prvtSaaTestRfc2544Mode.1.49.1.49 = biTestLoopback=4

prvtSaaTestRfc2544Domain.1.49.1.49 = "d2"
prvtSaaTestRfc2544MA.1.49.1.49 = "ma2"
prvtSaaTestRfc2544Mep.1.49.1.49 = 1001
Configure bi-directional-head test:

Device-name(config)#saa test 1 1 type rfc2544 profile 1 rfc2544 mode bi-
test-head
Device-name(config-rfc2544)#cir 750000
Device-name(config-rfc2544)#data-size 64
Device-name(config-rfc2544)#domain d2
Device-name(config-rfc2544)#ma ma2
Device-name(config-rfc2544)#mep 1001
Device-name(config-rfc2544)#target-type mep
Device-name(config-rfc2544)#target-mep 2001
Device-name(config-rfc2544)#commit

Step 00. prvtSaaTestRowStatus.1.49.1.49 = 5
Step 1. prvtSaaTestType.1.49.1.49 = rfc2544
Step 2. prvtSaaTestProfile.1.49.1.49 = 1
Step 3. prvtSaaTestEnable.1.49.1.49 = true
Step 4. prvtSaaTestRfc2544Mode.1.49.1.49 = biTestHead=2
Step 5. prvtSaaTestRfc2544Domain.1.49.1.49 = "d2"
Step 6. prvtSaaTestRfc2544MA.1.49.1.49 = "ma2"
Step 7. prvtSaaTestRfc2544Mep.1.49.1.49 = 1001
Step 8. prvtSaaTestRfc2544TargetType.1.49.1.49 = mep
Step 9. prvtSaaTestRfc2544TargetMep.1.49.1.49 = 2001
Step 10. prvtSaaTestRfc2544Cir.1.49.1.49 = 750000
Step 11. prvtSaaTestRfc2544Cbs.1.49.1.49 = 1024
Step 12. prvtSaaTestRfc2544BurstPercentage.1.49.1.49 = 10
Step 13. prvtSaaTestRfc2544Duration.1.49.1.49 = 5
Step 14. prvtSaaTestRfc2544Pattern.1.49.1.49 = prbsCrc
Step 15. prvtSaaTestRfc2544LoopbackType.1.49.1.49 = oam
Step 16. prvtSaaTestRfc2544CVlanDropEligible.1.49.1.49 = false
Step 17. prvtSaaTestRfc2544SVlanPriority.1.49.1.49 = 5
Step 18. prvtSaaTestRfc2544SVlanDropEligible.1.49.1.49 = false
Step 19. prvtSaaTestRfc2544Timeout.1.49.1.49 = 10
Step 20. prvtSaaTestRfc2544ResultAckTimeout.1.49.1.49 = 5
Step 21. Create few data sizes:
prvtSaaTestDataSizeRowStatus.1.49.1.49.i64 = 5
Step 22. Simultaneously set status "1" on all rowstatuses (must be executed
in 1 SNMP Set command):
Configure uni-test-Tail:
Device-name(config)#saa test 1 1 type rfc2544 profile 1 rfc2544 mode uni-
test-tail

Device-name(config-rfc2544)#domain d2 ma ma2 mep 1001


Step 4. prvtSaaTestRfc2544Mode.1.49.1.49 = uniTestTail=3
Configure uni-test-head test:

Device-name(config)#saa test 1 1 type rfc2544 profile 1 rfc2544 mode uni-
test-head
Device-name(config-rfc2544)#cir 750000
Device-name(config-rfc2544)#burst-percentage 0
Device-name(config-rfc2544)#domain d2
Device-name(config-rfc2544)#ma ma2
Device-name(config-rfc2544)#mep 1001
Device-name(config-rfc2544)#target-type mep
Device-name(config-rfc2544)#target-mep 2001

Step 4. prvtSaaTestRfc2544Mode.1.49.1.49 = uniTestHead=1
Step 8. prvtSaaTestRfc2544TargetType.1.49.1.49 = mep
Step 9. prvtSaaTestRfc2544TargetMep.1.49.1.49 = 2001
Step 10. prvtSaaTestRfc2544Cir.1.49.1.49 = 750000
Step 11. prvtSaaTestRfc2544Cbs.1.49.1.49 = 1024
Step 12. prvtSaaTestRfc2544BurstPercentage.1.49.1.49 = 0
Step 13. prvtSaaTestRfc2544Duration.1.49.1.49 = 5
Step 14. prvtSaaTestRfc2544Pattern.1.49.1.49 = prbsCrc =4
Step 15. prvtSaaTestRfc2544LoopbackType.1.49.1.49 = oam =2
Step 16. prvtSaaTestRfc2544CVlanDropEligible.1.49.1.49 = false
Step 17. prvtSaaTestRfc2544SVlanPriority.1.49.1.49 = 5
Step 18. prvtSaaTestRfc2544SVlanDropEligible.1.49.1.49 = false
Step 19. prvtSaaTestRfc2544Timeout.1.49.1.49 = 10
Step 20. prvtSaaTestRfc2544ResultAckTimeout.1.49.1.49 = 5
Step 21. Create few data sizes:
Step 22. Simultaneously set status "1" on all rowstatuses (must be executed
in 1 SNMP Set command):

SAA Y1731 configuration:

device-name(config)#saa profile 1 type y1731 y1731 delay-near-end 1000
delay-far-end 1000 jitter-near-end 10 jitter-far-end 10 frameloss-near-end
1000 frameloss-far-end 1000
Commit complete.

Y1731 threshold profile
Step 1. prvtSaaProfileRowStatus.1.49 = 5
Step 2. prvtSaaProfileType.1.49 = 1
Step 3. prvtSaaProfileY1731DelayNearEnd.1.49 = 1000
Step 4. prvtSaaProfileY1731DelayFarEnd.1.49 = 1000
Step 5. prvtSaaProfileY1731JitterNearEnd.1.49 = 10
Step 6. prvtSaaProfileY1731JitterFarEnd.1.49 = 10
Step 7. prvtSaaProfileY1731FrameLossNearEnd.1.49 = 1000
Step 8. prvtSaaProfileY1731FrameLossFarEnd.1.49 = 1000
Step 9. prvtSaaProfileRowStatus.1.49 = 1
Y1731 Test-head device configuration:

device-name(config)#saa test 2 2 type y1731 profile 1
device-name(config-test-2/2)#y1731 mode test domain d2 ma ma2
device-name(config-y1731)#history 20 priority 0 interval 60 frequency 1
period 100
device-name(config-y1731)#mep 3002 target-type mep target-mep 2106

Step 02. prvtSaaTestType.1.50.1.50 = y1731
Step 05. prvtSaaTestY1731Mode.1.50.1.50 = test
Step 06. prvtSaaTestY1731Domain.1.50.1.50 = "d2"
Step 07. prvtSaaTestY1731MA.1.50.1.50 = "ma2"
Step 08. prvtSaaTestY1731Mep.1.50.1.50 = 3002
Step 09. prvtSaaTestY1731TargetType.1.50.1.50 = mep
Step 10. prvtSaaTestY1731TargetMep.1.50.1.50 = 2106
Step 11. prvtSaaTestY1731Priority.1.50.1.50 = 0
Step 12. prvtSaaTestY1731Frequency.1.50.1.50 = 1
Step 13. prvtSaaTestY1731Interval.1.50.1.50 = 60
Step 14. prvtSaaTestY1731Period.1.50.1.50 = 100
Step 15. prvtSaaTestY1731Timeout.1.50.1.50 = 3
Step 16. prvtSaaTestY1731Function.1.50.1.50 = both
Step 17. prvtSaaTestY1731DelayMode.1.50.1.50 = twoWay
Step 18. prvtSaaTestY1731DelayMethod.1.50.1.50 = average
Step 19. prvtSaaTestY1731DelayPValue.1.50.1.50 = 50
Step 20. prvtSaaTestY1731JitterMethod.1.50.1.50 = variance
Step 21. prvtSaaTestY1731JitterPValue.1.50.1.50 = 50

Step 22. prvtSaaTestY1731History.1.50.1.50 = 20

Y1731 loopback device configuration:

device-name(config)#saa test 2 2 type y1731 profile 1
device-name(config-test-2/2)#y1731 mode loopback
device-name(config-y1731)#domain d2 ma ma2

Step 02. prvtSaaTestType.1.50.1.50 = y1731
Step 03. prvtSaaTestProfile.1.50.1.50 = #0x31=1
Step 05. prvtSaaTestY1731Mode.1.50.1.50 = loopback = 2
Step 06. prvtSaaTestY1731Domain.1.50.1.50 = "d2"
Step 07. prvtSaaTestY1731MA.1.50.1.50 = "ma2"
Step 08. prvtSaaTestY1731Mep.1.50.1.50 = 2106
Step 09. prvtSaaTestY1731Priority.1.50.1.50 = 6
Step 10. prvtSaaTestY1731Frequency.1.50.1.50 = 1
Step 11. prvtSaaTestY1731Interval.1.50.1.50 = 900
Step 12. prvtSaaTestY1731Period.1.50.1.50 = 1000
Step 13. prvtSaaTestY1731Timeout.1.50.1.50 = 3
Step 14. prvtSaaTestY1731Function.1.50.1.50 = both
Step 15. prvtSaaTestY1731DelayMode.1.50.1.50 = twoWay
Step 16. prvtSaaTestY1731DelayMethod.1.50.1.50 = average
Step 17. prvtSaaTestY1731DelayPValue.1.50.1.50 = 50
Step 18. prvtSaaTestY1731JitterMethod.1.50.1.50 = variance
Step 19. prvtSaaTestY1731JitterPValue.1.50.1.50 = 50
Step 20. prvtSaaTestY1731History.1.50.1.50 = 96
PRVT-TWAMP-MIB
The TWAMP MIB includes objects describing features that support TWAMP testing facilities:

Traffic Engineering
This section presents the SNMP MIB, PRVT-TE-PARAM-MIB, used for the Multiprotocol Label
Switching (MPLS) feature:
PRVT-TE-PARAM-MIB
PRVT-TE-PARAM-MIB
The TE MIB includes objects describing features that support traffic engineering.

Examples:
Setting Admin Group 1 with the name "green":
device-name(config)#router rsvp-te admin-group 1 name green
device-name(config-admin-group-1)#commit

Setting Admin Group 1 with the name "green":
Set prvtTeParamAdminGroupRowStatus.1 with value createAndWait(5)
Set prvtTeParamAdminGroupName.1 with value green
Set prvtTeParamAdminGroupRowStatus.1 with value active(1)

The following example creates VPWS between two devices: Device1 and Device2.
1. Configure a VLAN with ID 10 and add port 1/1/5 as a tagged member of it:
snmpset -t 10 -L n -v2c -c user-v2c 10.3.155.51
dot1qVlanStaticRowStatus.10 i 5 Q-BRIDGE-MIB::dot1qVlanStaticRowStatus.10 =
INTEGER: createAndWait(5) snmpset -t 10 -L n -v2c -c user-v2c 10.3.155.51
dot1qVlanStaticEgressPorts.10 x 08000000 Q-BRIDGE-
MIB::dot1qVlanStaticEgressPorts.10 = Hex-STRING: 08 00 00 00 snmpset -t 10
-L n -v2c -c user-v2c 10.3.155.51 dot1qVlanStaticName.10 s vlan10 Q-
BRIDGE-MIB::dot1qVlanStaticName.10 = STRING: vlan10 snmpset -t 10 -L n -
v2c -c user-v2c 10.3.155.51 dot1qVlanStaticRowStatus.10 i 1 Q-BRIDGE-
MIB::dot1qVlanStaticRowStatus.10 = INTEGER: active(1)
2. Configure IP interface sw1with IP address 100.1.1.51/24:

ipInterfaceRowStatus.3.115.119.49 i 5
PRVT-SWITCH-IPVLAN-MIB::ipInterfaceRowStatus."sw1" = INTEGER:
createAndWait(5)
ipInterfaceIpAddress.3.115.119.49 a 100.1.1.51 PRVT-SWITCH-IPVLAN-
MIB::ipInterfaceIpAddress."sw1" = IpAddress: 100.1.1.51 snmpset -t 10 -L n
-v2c -c user-v2c 10.3.155.51
ipInterfaceSubnetMask.3.115.119.49 a 255.255.255.0 PRVT-SWITCH-IPVLAN-
MIB::ipInterfaceSubnetMask."sw1" = IpAddress:
255.255.255.0
PRVT-SWITCH-IPVLAN-MIB::ipInterfaceRowStatus."sw1" = INTEGER: active(1)
3. Configure loopback interface lo1 with IP address 1.1.155.51/32:

PRVT-SWITCH-IPVLAN-MIB::ipInterfaceRowStatus."lo1" = INTEGER:
createAndWait(5)
MIB::ipInterfaceIpAddress."lo1" = IpAddress: 1.1.155.51 snmpset -t 10 -L n
-v2c -c user-v2c 10.3.155.51
MIB::ipInterfaceSubnetMask."lo1" = IpAddress:
255.255.255.255
PRVT-SWITCH-IPVLAN-MIB::ipInterfaceRowStatus."lo1" = INTEGER: active(1)
4. Attach IP interface sw1 to VLAN 10:

ipVLANStatus.10.3.115.119.49 i 1

PRVT-SWITCH-IPVLAN-MIB::ipVLANStatus.10."sw1" = INTEGER: attached(1)
5. Enable OSPF. Interfaces lo1 and sw1 are configured in Area 0.0.0.0:
snmpset -t 10 -L n -v2c -c user-v2c 10.3.155.51 prvtOspfRouterId.0 a
1.1.155.51
PRVT-OSPF-MIB::prvtOspfRouterId.0 = IpAddress: 1.1.155.51 snmpset -t 10 -L
n -v2c -c user-v2c 10.3.155.51 prvtOspfAreaRowStatus.0.0.0.0 i 4 PRVT-
OSPF-MIB::prvtOspfAreaRowStatus.0.0.0.0 = INTEGER: createAndGo(4) snmpset
-t 10 -L n -v2c -c user-v2c 10.3.155.51
prvtOspfIfRowStatus.100.1.1.51 i 5
PRVT-OSPF-MIB::prvtOspfIfRowStatus.100.1.1.51 = INTEGER: createAndWait(5)
prvtOspfIfAreaId.100.1.1.51 a 0.0.0.0
PRVT-OSPF-MIB::prvtOspfIfAreaId.100.1.1.51 = IpAddress: 0.0.0.0 snmpset -t
10 -L n -v2c -c user-v2c 10.3.155.51
PRVT-OSPF-MIB::prvtOspfIfRowStatus.100.1.1.51 = INTEGER: active(1)

10 -L n -v2c -c user-v2c 10.3.155.51
prvtOspfIfWorkingMode.1.1.155.51 i 1
PRVT-OSPF-MIB::prvtOspfIfWorkingMode.1.1.155.51 = INTEGER: passive(1)
6. Enable the Label manager. Configure LSR ID 1.1.155.51:

prvtLmgrLsrEntityRowStatus.1 i 5
PRVT-LMGR-MIB::prvtLmgrLsrEntityRowStatus.1 = INTEGER: createAndWait(5)
snmpset -t 10 -L n -v2c -c user-v2c 10.3.155.51 prvtLmgrLsrEntityLsrId.1 u
16882483
PRVT-LMGR-MIB::prvtLmgrLsrEntityLsrId.1 = Gauge32: 16882483 snmpset -t 10 -
L n -v2c -c user-v2c 10.3.155.51
prvtLmgrLsrEntityTranAddr.1 x 01019B33
PRVT-LMGR-MIB::prvtLmgrLsrEntityTranAddr.1 = Hex-STRING: 01 01 9B 33
PRVT-LMGR-MIB::prvtLmgrLsrEntityRowStatus.1 = INTEGER: active(1)
7. Enable MPLS on interfaces lo1 and sw1:

snmpset -t 10 -L n -v2c -c user-v2c 10.3.155.51 ifaceMplsRowStatus.20001 i
4
PRVT-MPLS-IF-MIB::ifaceMplsRowStatus.20001 = INTEGER: createAndGo(4)
4
snmpset -t 10 -L n -v2c -c user-v2c 10.3.155.51 ifaceMplsEnable.20001 i 1
PRVT-MPLS-IF-MIB::ifaceMplsEnable.20001 = INTEGER: true(1) snmpset -t 10 -L
n -v2c -c user-v2c 10.3.155.51 ifaceMplsEnable.40001 i 1
PRVT-MPLS-IF-MIB::ifaceMplsEnable.40001 = INTEGER: true(1)

8. Enable LDP:
snmpset -t 10 -L n -v2c -c user-v2c 10.3.155.51 prvtcrldpPmRowStatus.1 i 4
Error in packet.
Reason: inconsistentValue (The set value is illegal or unsupported in some
way) Failed object: PRVT-CR-LDP-MIB::prvtcrldpPmRowStatus.1
snmpset -t 10 -L n -v2c -c user-v2c 10.3.155.51 prvtcrldpSigRowStatus.1 i 4

PRVT-CR-LDP-MIB::prvtcrldpSigRowStatus.1 = INTEGER: createAndGo(4)
9. Configure LDP targeted peer with IP address 1.1.155.56:

mplsLdpEntityRowStatus.1.13.49.46.49.46.49.53.53.46.53.49.58.48.48.1 i 5
PRVT-MPLS-LDP-MIB::mplsLdpEntityRowStatus.1."1.1.155.51:00".1 = INTEGER:
createAndWait(5)
mplsLdpEntityTargetPeerAddr.1.13.49.46.49.46.49.53.53.46.53.49.58.48.48.1 x
01019b38
PRVT-MPLS-LDP-MIB::mplsLdpEntityTargetPeerAddr.1."1.1.155.51:00".1 =
STRING: 1 1 9b 38
mplsLdpEntityAdminStatus.1.13.49.46.49.46.49.53.53.46.53.49.58.48.48.1 i 1
PRVT-MPLS-LDP-MIB::mplsLdpEntityAdminStatus.1."1.1.155.51:00".1 =
INTEGER: enable(1)
active(1)
echo "10.Set LDP distribuition - ingress OSPF, egress ip 1.1.155.51/32:"

10.Set LDP distribuition - ingress OSPF, egress ip 1.1.155.51/32:

prvtMplsRouteProtocolRowStatus.ingress.ospf i 4 PRVT-MPLS-IF-
MIB::prvtMplsRouteProtocolRowStatus.ingress.ospf = INTEGER:
createAndGo(4)
prvtMplsRouteAddressRowStatus.egress.1.1.155.51.32 i 4
PRVT-MPLS-IF-MIB::prvtMplsRouteAddressRowStatus.egress.'...3 ' =
INTEGER: createAndGo(4)
10. Enable RSVP:

prvtMplsTeMibEntityRowStatus.1 i 4
PRVT-TEMIB-ENTITY-MIB::prvtMplsTeMibEntityRowStatus.1 = INTEGER:
createAndGo(4)
prvtRsvpProductRowStatus.1 i 4
PRVT-RSVP-MIB::prvtRsvpProductRowStatus.1 = INTEGER: createAndGo(4)
11. Configure RSVP path 10 and next hop IP address 100.1.1.56:

mplsTunnelManHopRowStatus.1.10.1.1 i 5
PRVT-MPLS-TE-MIB::mplsTunnelManHopRowStatus.1.10.1.1 = INTEGER:

createAndWait(5)
mplsTunnelManHopType.1.10.1.1 i 1
PRVT-MPLS-TE-MIB::mplsTunnelManHopType.1.10.1.1 = INTEGER: strict(1)
mplsTunnelManHopIpAddr.1.10.1.1 x 64010138
PRVT-MPLS-TE-MIB::mplsTunnelManHopIpAddr.1.10.1.1 = Hex-STRING: 64 01 01 38
PRVT-MPLS-TE-MIB::mplsTunnelManHopRowStatus.1.10.1.1 = INTEGER: active(1)
12. Create RSVP LSP 10 with ingress LSR ID 1.1.155.51 , egress LSR ID 1.1.155.56 :
mplsManTunnelRowStatus.1.10.1 i 5
PRVT-MPLS-TE-MIB::mplsManTunnelRowStatus.1.10.1 = INTEGER: createAndWait(5)
mplsManTunnelIngressLSRId.1.10.1 x 01019b33
PRVT-MPLS-TE-MIB::mplsManTunnelIngressLSRId.1.10.1 = STRING: 1.1.155.51
mplsManTunnelEgressLSRId.1.10.1 x 01019b38
PRVT-MPLS-TE-MIB::mplsManTunnelEgressLSRId.1.10.1 = STRING: 1.1.155.56
snmpset -t 10 -L n -v2c -c user-v2c 10.3.155.51 mplsManTunnelName.1.10.1 s
lsp10
PRVT-MPLS-TE-MIB::mplsManTunnelName.1.10.1 = STRING: "lsp10"
mplsManTunnelAdminStatus.1.10.1 i 1
PRVT-MPLS-TE-MIB::mplsManTunnelAdminStatus.1.10.1 = INTEGER: up(1) snmpset
-t 10 -L n -v2c -c user-v2c 10.3.155.51
PRVT-MPLS-TE-MIB::mplsManTunnelRowStatus.1.10.1 = INTEGER: active(1)
13. Apply the configured RSVP path 10 to LSP 10:

PRVT-MPLS-TE-MIB::mplsManTunnelAdminStatus.1.10.1 = INTEGER: down(2)
mplsManTunnelPathInUse.1.10.1 u 1 mplsManTunnelHopTableIndex.1.10.1 u 10
PRVT-MPLS-TE-MIB::mplsManTunnelPathInUse.1.10.1 = Gauge32: 1
PRVT-MPLS-TE-MIB::mplsManTunnelHopTableIndex.1.10.1 = Gauge32: 10 snmpset -
t 10 -L n -v2c -c user-v2c 10.3.155.51
mplsManTunnelPathComp.1.10.1 i 2
PRVT-MPLS-TE-MIB::mplsManTunnelPathComp.1.10.1 = INTEGER: explicit(2)
PRVT-MPLS-TE-MIB::mplsManTunnelAdminStatus.1.10.1 = INTEGER: up(1)
14. Configure VPWS with ID 10:

snmpset -t 10 -L n -v2c -c user-v2c 10.3.155.51 serviceRowStatus.10 i 5
PRVT-SERV-MIB::serviceRowStatus.10 = INTEGER: createAndWait(5) snmpset -t
10 -L n -v2c -c user-v2c 10.3.155.51 serviceVpnId.10 u 10 PRVT-SERV-
MIB::serviceVpnId.10 = Gauge32: 10 snmpset -t 10 -L n -v2c -c user-v2c
10.3.155.51 serviceType.10 i 9 PRVT-SERV-MIB::serviceType.10 = INTEGER:
vpws(9) snmpset -t 10 -L n -v2c -c user-v2c 10.3.155.51
serviceAdminStatus.10 i 1 PRVT-SERV-MIB::serviceAdminStatus.10 = INTEGER:
up(1) snmpset -t 10 -L n -v2c -c user-v2c 10.3.155.51 serviceRowStatus.10 i
1 PRVT-SERV-MIB::serviceRowStatus.10 = INTEGER: active(1)

15. Configure SAP 1/1/10:10: for VPWS 10:

snmpset -t 10 -L n -v2c -c user-v2c 10.3.155.51 sapRowStatus.10.1110.10 i 5
| tee PRVT-SERV-MIB::sapRowStatus.10.1110.10 = INTEGER: createAndWait(5)
snmpset -t 10 -L n -v2c -c user-v2c 10.3.155.51 sapAdminStatus.10.1110.10 i
1 PRVT-SERV-MIB::sapAdminStatus.10.1110.10 = INTEGER: up(1) snmpset -t 10 -
L n -v2c -c user-v2c 10.3.155.51 sapRowStatus.10.1110.10 i 1 PRVT-SERV-
MIB::sapRowStatus.10.1110.10 = INTEGER: active(1)
16. Configure SDP (SDP uses the configured LSP 10) for VPWS 10:
snmpset -t 10 -L n -v2c -c user-v2c 10.3.155.51 sdpRowStatus.10.1 i 5
PRVT-SERV-MIB::sdpRowStatus.10.1 = INTEGER: createAndWait(5) snmpset -t 10
-L n -v2c -c user-v2c 10.3.155.51 sdpFarEndIpAddress.10.1 a 1.1.155.56
PRVT-SERV-MIB::sdpFarEndIpAddress.10.1 = IpAddress: 1.1.155.56 snmpset -t
10 -L n -v2c -c user-v2c 10.3.155.51 sdpAdminStatus.10.1 i 1
PRVT-SERV-MIB::sdpAdminStatus.10.1 = INTEGER: up(1) snmpset -t 10 -L n -v2c
-c user-v2c 10.3.155.51
sdpTransportTunnelName.10.1 s lsp10
PRVT-SERV-MIB::sdpTransportTunnelName.10.1 = STRING: "lsp10"
snmpset -t 10 -L n -v2c -c user-v2c 10.3.155.51 sdpVCType.10.1 i 5
PRVT-SERV-MIB::sdpVCType.10.1 = INTEGER: ethernet(5) snmpset -t 10 -L n -
v2c -c user-v2c 10.3.155.51 sdpType.10.1 i 3
PRVT-SERV-MIB::sdpType.10.1 = INTEGER: mesh(3) snmpset -t 10 -L n -v2c -c
user-v2c 10.3.155.51 sdpMtu.10.1 i 9190
PRVT-SERV-MIB::sdpMtu.10.1 = INTEGER: 9190 snmpset -t 10 -L n -v2c -c user-
v2c 10.3.155.51 sdpRowStatus.10.1 i 1
PRVT-SERV-MIB::sdpRowStatus.10.1 = INTEGER: active(1)
17. Verify the VPWS configuration:

snmpget -t 10 -L n -v2c -c user-v2c 10.3.155.51 serviceOperStatus.10 PRVT-
SERV-MIB::serviceOperStatus.10 = INTEGER: down(2)
18. Configure a VLAN with ID 10 and add port 1/1/5 as a tagged member of it:
dot1qVlanStaticRowStatus.10 i 5 Q-BRIDGE-MIB::dot1qVlanStaticRowStatus.10 =
INTEGER: createAndWait(5) snmpset -t 10 -L n -v2c -c user-v2c 10.3.155.56
dot1qVlanStaticEgressPorts.10 x 08000000 Q-BRIDGE-
MIB::dot1qVlanStaticEgressPorts.10 = Hex-STRING: 08 00 00 00 snmpset -t 10
-L n -v2c -c user-v2c 10.3.155.56 dot1qVlanStaticName.10 s vlan10 Q-
BRIDGE-MIB::dot1qVlanStaticName.10 = STRING: vlan10 snmpset -t 10 -L n -
v2c -c user-v2c 10.3.155.56 dot1qVlanStaticRowStatus.10 i 1 Q-BRIDGE-
MIB::dot1qVlanStaticRowStatus.10 = INTEGER: active(1)
19. Configure IP interface sw1with IP address 100.1.1.56/24:

ipInterfaceRowStatus.4.115.119.49.48 i 5 PRVT-SWITCH-IPVLAN-
MIB::ipInterfaceRowStatus."sw10" = INTEGER:
createAndWait(5)
ipInterfaceIpAddress.4.115.119.49.48 a 100.1.1.56 PRVT-SWITCH-IPVLAN-
MIB::ipInterfaceIpAddress."sw10" = IpAddress: 100.1.1.56 snmpset -t 10 -L
n -v2c -c user-v2c 10.3.155.56
ipInterfaceSubnetMask.4.115.119.49.48 a 255.255.255.0 PRVT-SWITCH-IPVLAN-
MIB::ipInterfaceSubnetMask."sw10" = IpAddress:
255.255.255.0

ipInterfaceRowStatus.4.115.119.49.48 i 1 PRVT-SWITCH-IPVLAN-
MIB::ipInterfaceRowStatus."sw10" = INTEGER: active(1)
20. Configure loopback interface lo1 with IP address 1.1.155.56/32:

PRVT-SWITCH-IPVLAN-MIB::ipInterfaceRowStatus."lo1" = INTEGER:
createAndWait(5)
MIB::ipInterfaceIpAddress."lo1" = IpAddress: 1.1.155.56 snmpset -t 10 -L n
-v2c -c user-v2c 10.3.155.56
MIB::ipInterfaceSubnetMask."lo1" = IpAddress:
255.255.255.255
PRVT-SWITCH-IPVLAN-MIB::ipInterfaceRowStatus."lo1" = INTEGER: active(1)
21. Attach interface sw10 to VLAN 10:

ipVLANStatus.10.4.115.119.49.48 i 1
PRVT-SWITCH-IPVLAN-MIB::ipVLANStatus.10."sw10" = INTEGER: attached(1)
22. Enable OSPF. Interfaces lo1 and sw10 are configured in Area 0.0.0.0:
snmpset -t 10 -L n -v2c -c user-v2c 10.3.155.56 prvtOspfRouterId.0 a
1.1.155.56
PRVT-OSPF-MIB::prvtOspfRouterId.0 = IpAddress: 1.1.155.56 snmpset -t 10 -L
n -v2c -c user-v2c 10.3.155.56 prvtOspfAreaRowStatus.0.0.0.0 i 4 PRVT-
OSPF-MIB::prvtOspfAreaRowStatus.0.0.0.0 = INTEGER: createAndGo(4) snmpset -
t 10 -L n -v2c -c user-v2c 10.3.155.56
10 -L n -v2c -c user-v2c 10.3.155.56

10 -L n -v2c -c user-v2c 10.3.155.56
prvtOspfIfWorkingMode.1.1.155.56 i 1
PRVT-OSPF-MIB::prvtOspfIfWorkingMode.1.1.155.56 = INTEGER: passive(1)
23. Enable the Label manager. Configure LSR ID 1.1.155.56:


PRVT-LMGR-MIB::prvtLmgrLsrEntityRowStatus.1 = INTEGER: createAndWait(5)
snmpset -t 10 -L n -v2c -c user-v2c 10.3.155.56 prvtLmgrLsrEntityLsrId.1 u
16882488
PRVT-LMGR-MIB::prvtLmgrLsrEntityLsrId.1 = Gauge32: 16882488 snmpset -t 10 -
L n -v2c -c user-v2c 10.3.155.56
prvtLmgrLsrEntityTranAddr.1 x 01019B38
PRVT-LMGR-MIB::prvtLmgrLsrEntityTranAddr.1 = Hex-STRING: 01 01 9B 38
PRVT-LMGR-MIB::prvtLmgrLsrEntityRowStatus.1 = INTEGER: active(1)
24. Enable MPLS on interfaces lo1 and sw10:

4
4 PRVT-MPLS-IF-MIB::ifaceMplsRowStatus.40010 = INTEGER: createAndGo(4)
snmpset -t 10 -L n -v2c -c user-v2c 10.3.155.56 ifaceMplsEnable.20001 i 1
PRVT-MPLS-IF-MIB::ifaceMplsEnable.20001 = INTEGER: true(1) snmpset -t 10 -L
n -v2c -c user-v2c 10.3.155.56 ifaceMplsEnable.40010 i 1 PRVT-MPLS-IF-
MIB::ifaceMplsEnable.40010 = INTEGER: true(1)
25. Enable LDP:

snmpset -t 10 -L n -v2c -c user-v2c 10.3.155.56 prvtcrldpPmRowStatus.1 i 4
PRVT-CR-LDP-MIB::prvtcrldpPmRowStatus.1 = INTEGER: createAndGo(4) snmpset -
t 10 -L n -v2c -c user-v2c 10.3.155.56 prvtcrldpSigRowStatus.1 i 4
PRVT-CR-LDP-MIB::prvtcrldpSigRowStatus.1 = INTEGER: createAndGo(4)
26. Configure LDP targeted peer with IP address 1.1.155.51:

createAndWait(5)
mplsLdpEntityTargetPeerAddr.1.13.49.46.49.46.49.53.53.46.53.54.58.48.48.1 x
01019b33
PRVT-MPLS-LDP-MIB::mplsLdpEntityTargetPeerAddr.1."1.1.155.56:00".1 =
STRING: 1 1 9b 33
mplsLdpEntityAdminStatus.1.13.49.46.49.46.49.53.53.46.53.54.58.48.48.1 i 1
PRVT-MPLS-LDP-MIB::mplsLdpEntityAdminStatus.1."1.1.155.56:00".1 =
INTEGER: enable(1)
active(1)
27. Configure LDP distribution policy with ingress OSPF and egress IP address 1.1.155.56:
prvtMplsRouteProtocolRowStatus.ingress.ospf i 4 PRVT-MPLS-IF-
MIB::prvtMplsRouteProtocolRowStatus.ingress.ospf = INTEGER:
createAndGo(4)
prvtMplsRouteAddressRowStatus.egress.1.1.155.56.32 i 4

PRVT-MPLS-IF-MIB::prvtMplsRouteAddressRowStatus.egress.'...8 ' =
INTEGER: createAndGo(4)
28. Enable RSVP:

prvtMplsTeMibEntityRowStatus.1 i 4
PRVT-TEMIB-ENTITY-MIB::prvtMplsTeMibEntityRowStatus.1 = INTEGER:
createAndGo(4)
prvtRsvpProductRowStatus.1 i 4
PRVT-RSVP-MIB::prvtRsvpProductRowStatus.1 = INTEGER: createAndGo(4)
29. Configure RSVP path 20 and next hop IP address 100.1.1.51:

PRVT-MPLS-TE-MIB::mplsTunnelManHopRowStatus.1.20.1.1 = INTEGER:
createAndWait(5)
mplsTunnelManHopType.1.20.1.1 i 1
PRVT-MPLS-TE-MIB::mplsTunnelManHopType.1.20.1.1 = INTEGER: strict(1)
mplsTunnelManHopIpAddr.1.20.1.1 x 64010133
PRVT-MPLS-TE-MIB::mplsTunnelManHopIpAddr.1.20.1.1 = Hex-STRING: 64 01 01 33
PRVT-MPLS-TE-MIB::mplsTunnelManHopRowStatus.1.20.1.1 = INTEGER: active(1)
30. Configure RSVP LSP 20 with ingress IP address 1.1.155.56 and egress IP address 1.1.155.51:
PRVT-MPLS-TE-MIB::mplsManTunnelRowStatus.1.20.1 = INTEGER: createAndWait(5)
mplsManTunnelIngressLSRId.1.20.1 x 01019b38
PRVT-MPLS-TE-MIB::mplsManTunnelIngressLSRId.1.20.1 = STRING: 1.1.155.56
mplsManTunnelEgressLSRId.1.20.1 x 01019b33
PRVT-MPLS-TE-MIB::mplsManTunnelEgressLSRId.1.20.1 = STRING: 1.1.155.51
snmpset -t 10 -L n -v2c -c user-v2c 10.3.155.56 mplsManTunnelName.1.20.1 s
lsp20
PRVT-MPLS-TE-MIB::mplsManTunnelName.1.20.1 = STRING: "lsp20"
PRVT-MPLS-TE-MIB::mplsManTunnelAdminStatus.1.20.1 = INTEGER: up(1) snmpset
-t 10 -L n -v2c -c user-v2c 10.3.155.56
PRVT-MPLS-TE-MIB::mplsManTunnelRowStatus.1.20.1 = INTEGER: active(1)
31. Apply the configured path 20 to LSP 20:

PRVT-MPLS-TE-MIB::mplsManTunnelAdminStatus.1.20.1 = INTEGER: down(2)
mplsManTunnelPathInUse.1.20.1 u 1 mplsManTunnelHopTableIndex.1.20.1 u 20
PRVT-MPLS-TE-MIB::mplsManTunnelPathInUse.1.20.1 = Gauge32: 1

PRVT-MPLS-TE-MIB::mplsManTunnelHopTableIndex.1.20.1 = Gauge32: 20 snmpset -

t 10 -L n -v2c -c user-v2c 10.3.155.56
mplsManTunnelPathComp.1.20.1 i 2
PRVT-MPLS-TE-MIB::mplsManTunnelPathComp.1.20.1 = INTEGER: explicit(2)
PRVT-MPLS-TE-MIB::mplsManTunnelAdminStatus.1.20.1 = INTEGER: up(1)
32. Configure VPWS with ID 10:

snmpset -t 10 -L n -v2c -c user-v2c 10.3.155.56 serviceRowStatus.10 i 5
PRVT-SERV-MIB::serviceRowStatus.10 = INTEGER: createAndWait(5) snmpset -t
10 -L n -v2c -c user-v2c 10.3.155.56 serviceVpnId.10 u 10 PRVT-SERV-
MIB::serviceVpnId.10 = Gauge32: 10 snmpset -t 10 -L n -v2c -c user-v2c
10.3.155.56 serviceType.10 i 9 PRVT-SERV-MIB::serviceType.10 = INTEGER:
vpws(9) snmpset -t 10 -L n -v2c -c user-v2c 10.3.155.56
serviceAdminStatus.10 i 1 PRVT-SERV-MIB::serviceAdminStatus.10 = INTEGER:
up(1) snmpset -t 10 -L n -v2c -c user-v2c 10.3.155.56 serviceRowStatus.10 i
1 PRVT-SERV-MIB::serviceRowStatus.10 = INTEGER: active(1)
33. Configure SAP 1/1/10:10: for VPWS 10:

snmpset -t 10 -L n -v2c -c user-v2c 10.3.155.56 sapRowStatus.10.1110.10 i 5
PRVT-SERV-MIB::sapRowStatus.10.1110.10 = INTEGER: createAndWait(5) snmpset
-t 10 -L n -v2c -c user-v2c 10.3.155.56 sapAdminStatus.10.1110.10 i 1 PRVT-
SERV-MIB::sapAdminStatus.10.1110.10 = INTEGER: up(1) snmpset -t 10 -L n -
v2c -c user-v2c 10.3.155.56 sapRowStatus.10.1110.10 i 1 PRVT-SERV-
MIB::sapRowStatus.10.1110.10 = INTEGER: active(1)
34. Configure SDP (SDP uses the configured LSP 20) for VPWS 10:
PRVT-SERV-MIB::sdpRowStatus.10.1 = INTEGER: createAndWait(5)
snmpset -t 10 -L n -v2c -c user-v2c 10.3.155.56 sdpFarEndIpAddress.10.1
a 1.1.155.51
PRVT-SERV-MIB::sdpFarEndIpAddress.10.1 = IpAddress: 1.1.155.51
snmpset -t 10 -L n -v2c -c user-v2c 10.3.155.56 sdpAdminStatus.10.1 i 1
PRVT-SERV-MIB::sdpAdminStatus.10.1 = INTEGER: up(1)
sdpTransportTunnelName.10.1 s lsp20
PRVT-SERV-MIB::sdpTransportTunnelName.10.1 = STRING: "lsp20"
snmpset -t 10 -L n -v2c -c user-v2c 10.3.155.56 sdpVCType.10.1 i 5
PRVT-SERV-MIB::sdpVCType.10.1 = INTEGER: ethernet(5)
snmpset -t 10 -L n -v2c -c user-v2c 10.3.155.56 sdpType.10.1 i 3
PRVT-SERV-MIB::sdpType.10.1 = INTEGER: mesh(3)
snmpset -t 10 -L n -v2c -c user-v2c 10.3.155.56 sdpMtu.10.1 i 9190
PRVT-SERV-MIB::sdpMtu.10.1 = INTEGER: 9190
PRVT-SERV-MIB::sdpRowStatus.10.1 = INTEGER: active(1)
35. Verify the VPWS configuration:

snmpget -L n -v2c -c user-v2c 10.3.155.56 serviceOperStatus.10
PRVT-SERV-MIB::serviceOperStatus.10 = INTEGER: up(1)

Appendix B: Specifications
Physical Specifications
Width 221mm (8.7)

Height 44 mm (1RU 1.75)
Depth 235 mm (9.25)
Weight 1.1 kg (2.42 lbs)
Power Sources
AC Power Source Input 100-240 VAC@ 0.5A maximum, 50-60 Hz

Power Nominal 47W
DC Power Source Input -24VDC to -72VDC @ 2.2A Maximum
Power Nominal 43W
Power Consumption Typical 35 W
Maximum 47 W
External PSU UL or compatible NRTL approved certification
Certification
Operating Conditions
Operating Temperature 0C to 50C (32F to 122F)

Short term extended -20C to 65C (-4F to 149 F) Note: Powering On at sub-zero
temperature temperature is prohibited
Humidity 5% to 95% non-condensing
Environment The equipment is designed for use in indoor applications only
Storage Temperature -25 C to 70 C (-13 F to 158 F)
Storage Relative 5% to 95% non-condensing
Humidity
Specifications (Rev. 01) Page 1

Appendix C: Acronyms Glossary
Term Meaning
AAA Authentication, Authorization, and Accounting

ACG Access Control Group
ACL Access List
AIS Alarm Indication Signal
AMI Alternate Mark Inversion
ARP Address Resolution Protocol
AS Autonomous System
ASIC Application Specific Integrated Circuit
ATM Asynchronous Transfer Mode
BES Bursty Error Seconds
BFD Bidirectional Forwarding Detection
BID Bridge ID
BiST Built-in Self Test
BPDU Bridge Protocol Data Units
CCM Continuity Check Message
CCS Common Channel Signalling
CES Circuit Emulation Service
CFM Connectivity Fault Management
CIC Clock Input Controller
CIR Committed Information Rate
CIST Common and Internal Spanning Tree
CLE Customer Located Equipment
CLI Command Line Interface
CO Central Office
CoLo Co-Location
CPE Customer Premise Equipment
CPU Central Processing Unit
CRC Cyclical Redundancy Checking
CSS Controlled Slip Seconds
CST Common Spanning Tree
C-VLAN Customer VLAN
DAI Dynamic ARP Inspection
Page 1
Appendix C: Acronyms Glossary (Rev 01)
Term Meaning
DHCP Dynamic Host Configuration Protocol

DLC Data-Link Control
DNS Domain Name System
DoS Denial of Service
DoSAP Denial of Service Access Point
DRR Deficit Round Robin
DSCP Differentiated Services Code Point
DSx Digital Signal Level x
DSA Digital Signature Algorithm
DSS Digital Signature Standard
DST Daylight Saving Time
DTE Data Terminating Entity
EAP Extensible Authentication Protocol
EAPOL EAP Encapsulation over LAN
ECN Explicit Congestion Notification
EFM-OAM Ethernet in the First Mile
EPS Ethernet Protection Switching
ES Error Seconds
ESF Extended Super Frame
EVC Ethernet Virtual Connections
FC Forwarding Class
FDB Forwarding Database Table
FEC Forwarding Equivalence Class
FIB Forwarding Information Base
FRR Fast Re-Route
FS File System
H-VPLS Hierarchical VPLS
IETF Internet Engineering Task Force
IGMP Internet Group Multicast Protocol
IP Internet Protocol
ISAP Intermediate Service Access Protocol
IST Internal Spanning Tree
ITU-T International Telecommunications Union-
IWF InterWorking Function
LACP Link Aggregation Control Protocol
LAG Link Aggregation Group
LAN Local Area Network
Page 2
Term Meaning
LBM Loopback Message

LBR Loopback Reply
LCK Ethernet Lock Signal
LCV Line Code Violations
LDP Label Distribution Protocol
LER Label Edge Router
LES Line Error Seconds
LIU Line Interface Unit
LLDP Link Layer Discovery Protocol
LMM Laser Management Monitoring
LOPS Loss of Packet Synchronization
LSL Logical Service Loopback
LSP Label Switched Path
LSR Label Switch Router
LTM Link Trace Message
LTR Link Trace Reply
MA Maintenance Association
MAID Maintenance Association Identifier
MAC Media Access Control
MCID MST Configuration Identifier
MBB Make-Before-Break
MEP Maintenance Association End Point
MEPID Maintenance association End Point Identifier
MIB Management Information Base
MIP Maintenance Intermediate Points
MOTD Message of the Day
MPLS Multi Protocol Label Switching
MSTI Multiple Spanning Tree Instance
MSTP Multiple Spanning Tree Protocol
MTU Maximum Transmission Unit
MVR Multicast VLAN Registration
NAS Network Access Server
NMS Network Management System
NTP Network Time Protocol
OAM Operations, Management and Maintenance
OAMPDU OAM Protocol Data Units
OSPF Open Shortest Path First
Page 3
Term Meaning
PCV Path Coding Violations

PDU Protocol Data Unit
PE Provider Edge
PHP Penultimate Hop popping
PING Packet Internet Groper
PIR Peak Information Rate
PLR Point of Local Repair
POP Point of Presence
PSN Packet Switched Network
PVID Port VLAN Identifier
PVST Per-VLAN Spanning Tree
PW Pseudo Wire
PWE Pseudo Wire Emulation
QoS Quality of Service
RADIUS Remote Authentication Dial In User Service
R-APS Ring Automatic Protection Switching
RED Random Early Detection
RFC Request for Comments
RIP Routing Information Protocol
RMON Remote Monitoring
RSTP Rapid Spanning Tree Protocol
RSVP Resource Reservation Protocol
RTP Real-Time Transport Protocol
RTR Response Time Reporter
SA Service Agreement
SAA Service Assurance Application
SAP Service Access Point
SCP Secure Copy Server
SDP Service Distribution Path
SES Server Error Seconds
SF Super Frame
SFD Start of Frame Delimiter
SFP Small Form-factor Pluggable
SLA Service Level Agreement
SLO Service Level Objectives
SNMP Simple Network Management Protocol
SSH Secure Shell
Page 4
Term Meaning
SST Bridge Single Spanning Tree Bridge

STP Spanning Tree Protocol
SW Software
TACACS+ Terminal Access Controller Access Control System Plus
TC Topology Change
TCA Threshold Crossing Alarm
TCN TC Notification
TCP Transmission Control Protocol
TDM Time Division Multiplexing
TFTP Trivial File Transfer Protocol
TIME Time Synchronization Control Protocol
TLS Transparent LAN Service
TLV Type Length Value
TTL Time-to Live
ToS Type of Service
UAS Unavailable Seconds
UDP User Datagram Protocol
USM User-based Security Model
VACM View-based AccessSecurity Model
VCCV Virtual Circuit Connection Verification
VID VLAN Identifier
VLAN Virtual LAN
VPLS Virtual Private LAN Service
VPT VLAN Priority Tag
VPWS Virtual Private Wire Service
VRED Virtual Random Early Detection
VRRP Virtual Router Redundancy Protocol
VTY Virtual Telnet Type
WAN World Area Network
WRR Weighted Round Robin
Page 5

T-Marc 3312SC Amp T-Marc 3312SCH User Guide Ver 5.0.R2.2

Caricato da

Informazioni sul documento

Copyright

Formati disponibili

Condividi questo documento

Condividi o incorpora il documento

Opzioni di condivisione

Hai trovato utile questo documento?

Questo contenuto è inappropriato?

Copyright:

Formati disponibili

T-Marc 3312SC Amp T-Marc 3312SCH User Guide Ver 5.0.R2.2

Caricato da

Copyright:

Formati disponibili

T-Marc 3312SC

Using This Document 3

Getting Documentation Updates 6

Introduction (Rev. 01) Page 1

Figure 1: T-Marc 3312SC View

Figure 2: T-Marc 3312SCH View

Page 2 Introduction (Rev. 01)

Circuit emulation support (CES) and time synchronization support (SyncE)

Using This Document

Installation Guide Contains information about installing the hardware and

Introduction (Rev. 01) Page 3

commands CLI and SNMP commands

Chapter Name Description

Introduction Overview of product and document

Page 4 Introduction (Rev. 01)

Chapter Name Description

Multicast Layer 2 Features Understanding and configuring Internet Group Management

Introduction (Rev. 01) Page 5

Chapter Name Description

Getting Documentation Updates

US: North America and Latin America

Page 6 Introduction (Rev. 01)

Asia Pacific (APAC)

Europe, Middle East and Africa (EMEA)

Introduction (Rev. 01) Page 7

Committing Configuration Commands 4

Command Keywords and Arguments 6

The range Expression 20

Using Command Line Interface (CLI) (Rev. 01) Page 1

Page 2 Using Command Line Interface (CLI) (Rev. 01)

Accessing the CLI

The default password is admin.

The Operational mode is primarily used for:

Using Command Line Interface (CLI) (Rev. 01) Page 3

Figure 1: CLI Modes Hierarchy

Committing Configuration Commands

Page 4 Using Command Line Interface (CLI) (Rev. 01)

Using Command Line Interface (CLI) (Rev. 01) Page 5

Command Keywords and Arguments

the CLI mode is config-port-1/1/10

default-vlan is the command keyword

<Italic, small A numerical argument:

Italic, capital A string argument:

bold letters A command keyword:

UU/SS/PP A physical port number in a unit/slot/port format:

HH:HH:HH:HH:HH:HH A MAC address in a hexadecimal format:

Page 6 Using Command Line Interface (CLI) (Rev. 01)

[] An optional argument or keyword:

{} A mandatory argument or keyword:

| An or between two arguments or keywords, the user should select from:

abbreviated- To display a commands possible completions, type the partial command

Using Command Line Interface (CLI) (Rev. 01) Page 7

? Lists all commands available in the current command mode.

Page 8 Using Command Line Interface (CLI) (Rev. 01)

command | Searches and filters the command output. This functionality is

You can use more than one filter on a single command.

Using Command Line Interface (CLI) (Rev. 01) Page 9

You can type the config terminal command as con t

Dynamic Completion of Commands

Using the Command History

Page 10 Using Command Line Interface (CLI) (Rev. 01)

00:06:29 -- show port

CLI Keyboard Sequences

Ctrl+b or Left Arrow Moves one character back