Docslide - Us - T Marc 300 Series v101rx User Guide PDF

T-Marc 300 Series
(T-Marc 340 and T-Marc 380)
Demarcation Device
User Guide
Release 10.1.Rx
May 2010
MN100168 Rev R
The information in this document is subject to change without notice and describes only the product defined in
the introduction of this document. This document is intended for the use of customers of Telco Systems only
for the purposes of the agreement under which the document is submitted, and no part of it may be reproduced
or transmitted in any form or means without the prior written permission of Telco Systems. The document is
intended for use by professional and properly trained personnel, and the customer assumes full responsibility
when using it. Telco Systems welcomes customer comments as part of the process of continuous development
and improvement of the documentation.
If the Release Notes that are shipped with the device contain information that conflicts with the information in
the user guide or supplements it, the customer should follow the Release Notes.
The information or statements given in this document concerning the suitability, capacity, or performance of the
relevant hardware or software products are for general informational purposes only and are not considered
binding. Only those statements and/or representations defined in the agreement executed between Telco
Systems and the customer shall bind and obligate Telco Systems. Telco Systems however has made all
reasonable efforts to ensure that the instructions contained in this document are adequate and free of material
errors and omissions. Telco Systems will, if necessary, explain issues which may not be covered by the
document.
Telco Systems’ sole and exclusive liability for any errors in the document is limited to the documentary
correction of errors. TELCO SYSTEMS IS NOT AND SHALL NOT BE RESPONSIBLE IN ANY EVENT
FOR ERRORS IN THIS DOCUMENT OR FOR ANY DAMAGES OR LOSS OF WHATSOEVER KIND,
WHETHER DIRECT, INCIDENTAL, OR CONSEQUENTIAL (INCLUDING MONETARY LOSSES),
that might arise from the use of this document or the information in it.
This document and the product it describes are the property of Telco Systems, which is the owner of all
intellectual property rights therein, and are protected by copyright according to the applicable laws.
Telco Systems logo is a registered trademark of Telco Systems, a BATM Company. BiNOS®, BiNOSCenter®,
T-Marc®, T5 Compact™, T5C-XG™, T-Metro®, EdgeLink®, EdgeGate®, Access60®, AccessIP™,
AccessMPLS®, AccessTDM™, AccessEthernet®, NetBeacon®, Metrobility®, and OutBurst® are trademarks
of Telco Systems.
Other product and company names mentioned in this document reserve their copyrights, trademarks, and
registrations; they are mentioned for identification purposes only.
Copyright © Telco Systems 2010. All rights reserved.

Introduction
Telco Systems’ T-Marc 300 Series Ethernet Service-Demarcation and Extension product line
provides intelligent and remotely managed, multiport customer-located equipment (CLE) to deliver
managed converged services (voice, video, and data) over virtual Ethernet, MPLS/VPLS, and IP
networks.
This family of products allows service providers to deliver multiple services on separate customer
interfaces, including multiple services over a single customer interface. Since each service is isolated,
providers can troubleshoot each individual service without impacting others.
Using Operations, Administration, and Maintenance (OAM) tools, service providers can measure
and ensure provisioned Service Level Agreements (SLA).
The device’s embedded security controls ensure protection against denial-of service attacks.
Advanced Layer 2 Networking, using Telco Systems’ AccessEthernet, allows total flexibility in
deployment and delivery of Ethernet services. Physical and virtual networking capabilities provide
automated address-management and discovery, bandwidth profiles, advanced traffic classes, and
complete control over how subscriber traffic is transported across a service provider’s network.
The T-Marc 300 Series product line includes two models:
• T-Marc 340 offers two dual uplink ports (10/100/1000Base-T or 100Base-Fx/1000Base-X)
and four dual access ports (10/100/1000Base-T or 100Base-Fx/1000Base-X).
• T-Marc 380 offers the same as T-Marc 340 in addition to four dual access ports
(10/100/1000Base-T or 100Base-Fx/1000Base-X).
The devices operate using an internal AC or DC power supply. They can be rack/wall mounted or
placed on a table-top.
Page 1
Introduction (Rev. 12)
T-Marc 300 Series User Guide
Using This Document

Documentation Purpose
This user guide includes the relevant information for configuring the T-Marc 300 Series
functionalities.
It provides the complete syntax for the commands available in the currently-supported software
version and describes the features supplied with the device.
This guide does not include instructions on how to install the device. For more information
regarding the device installation, refer to the T-Marc 300 Series Installation Guide.
For the latest software updates, see the Release Notes for the relevant release. If the release notes
contain information that conflicts with the information in the user guide or supplements it, follow
the release notes' instructions.
Intended Audience
This user guide is intended for network administrators responsible for installing and configuring
network equipment.
You have to be familiar with the concepts and terminology of Ethernet and local area networking
(LAN) to use this guide.
Documentation Suite
This document is just one part of the full documentation suite provided with this product.
You are: Document Function Function
Installation Guide Contains information about installing the hardware and

software; including site preparation, testing, and safety
information.
User Guide Contains information on configuring and using the system.
Release Notes Contains information about the current release, including
new features, resolved issues (bug fixes), known issues,
and late-breaking information that supersedes information
in other documentation.
Page 2
Conventions Used
The conventions below are used to inform important information:
NOTE
Indicating special information to which the user needs to pay special attention.
CAUTION
Indicating special instructions to avoid possible damage to the product.
DANGER
Indicating special instructions to avoid possible injury or death.
The table below explains the conventions used within the document text:
Conventions Description
commands CLI and SNMP commands

command example CLI and SNMP examples
<Variable> user-defined variables
[Optional Command Parameters] CLI syntax and coded examples
Page 3
Organization
The T-Marc 300 Series User Guide comprises the below list of chapters, each focusing on a
different feature or set of features. Each chapter begins with a brief overview of the feature/s,
followed by the configuration flow and corresponding commands' configuration section.
Chapter Name Description
Using the Command Line Basic information about the T-Marc 300 Series CLI, its modes, and
Interface (CLI) general usage details.
Device Setup and Accessing T-Marc 300 Series devices, login information, and the
Maintenance devices' reloading options.
Device Administration Administering T-Marc 300 Series devices and performing initial
device configuration (such as the device’s time and date, software
upgrade, and protecting the device from outside attacks).
Configuring Interfaces The device interface types and their configuration. The chapter
also offers information on static Link Aggregation Groups (LAGs),
establishing resilience across the network segments, and Alarm
Propagation.
Configuring VLANs and An overall understanding of VLANs and their configuration.
Super VLANs
Configuring Transparent The deployment of Transparent LAN Services.
LAN Services (TLS)
Configuring Spanning Tree The IEEE 802.1D STP standard and its configuration
Protocol (STP)
Configuring Rapid The IEEE 802.1W Rapid STP standard and its configuration.
Spanning Tree Protocol
(RSTP)
Configuring Multiple The IEEE 802.1S Multiple STP standard and its configuration.
Spanning Tree Protocol
(MSTP, IEEE 802.1s)
Configuring Access Control Creating ACLs, traffic rate-limit, and applying QoS using ACLs.
List (ACL)
DHCP Snooping DHCP Snooping security feature used to reinforce the client
network and create an environment resilient to outside attacks.
Configuring Quality of Configuring different service levels for traffic traversing the device,
Service (QoS) providing preferential treatment to specific traffic.
Operation Administration The different tools for monitoring and troubleshooting the network:
and Maintenance (OAM) • IEEE 802.3ah Ethernet in the First Mile (EFM)
• IEEE 802.1ag Connectivity Fault Management (CFM)
• SAA Test-Head and SAA Throughput Test
• ITU-T G.8031 Ethernet Protection Switching (EPS)
• Event Propagation (configuring automatic actions executed
upon the occurrence of specific events)
• Ethernet Local Management Interface (E-LMI), an OAM
protocol enabling the auto configuration of Metro Ethernet
services’ support
Page 4
Chapter Name Description
Configuring Link Layer Configuring the IEEE 802.1AB standard.

Discovery Protocol (LLDP)
Configuring Device The privileged access levels to commands used for protecting the
Authentication Features device from unauthorized access.
The chapter describes RADIUS, TACACS+, and SSH.
Internet Group Multicast Configuring the session-layer IGMP Protocol.
Protocol (IGMP) Snooping
Configuring Simple Configuring SNMP, community strings, and enabling trap
Network Management managers and traps.
Protocol (SNMP)
SNMP Reference Guide The detailed list of MIBs and objects for controlling, monitoring,
and managing the device and its features from a remote location.
Configuring Remote Configuring the RMON feature used with the SNMP agent.
Monitoring (RMON)
Configuring System Configure system message logging, message format, and
Message Logging message types displayed.
Troubleshooting and Troubleshooting and monitoring tools used to detect and solve
Monitoring BiNOS related problems. Provides a set of built-in tests that
examine hardware and its configuration validity.
This chapter also contains other information such as traffic
monitoring, monitoring the device's periodic operation, alert
behavior, and laser monitoring.
Appendix A: Default The device’s default configuration.
Configuration
Appendix B: Product The device’s supported features.
Capabilities
Appendix C: Acronyms The list of acronyms used in this user guide and their meaning.
Glossary
Page 5
Getting Documentation Updates

You can access the most current Telco Systems documentation on the following site:
http://support.batm.com/.
Access to most of the Telco Systems documentation is password protected. To obtain a password,
contact the BATM support center.
Technical Support
Telco Systems provides technical assistance for customers and partners. Users can obtain technical
assistance by any of the following phone, fax, and e-mail options:
Web Access: http://www.telco.com/
BATM Advanced Communications—Main Support Center in Israel
Tel: +972-4-993-5630
Fax: +972-4-993-7926
Email: mailto:support@batm.co.il
BATM/Telco Systems a BATM Company—for Americas
Tel: 1-800-227-0937 (U.S.), 1-781-255-2120 (Outside U.S.)
Fax: 1-781-255-2122
Email: techsupport@telco.com
BATM Germany—for Northern Europe
Tel: +49-241-463-5490
Fax: +49-241-463-5491
Email: info@batm.de
BATM France—for Southern Europe
Tel: +33-15-671-2773
Fax: +33-14-377-1780
Email: support@batm.fr
Telco Systems, a BATM Company Asia Pacific in Singapore
Tel: +65-6-725-9901
Fax: +65-6-725-9889
Email: enquiryapac@telco.com
Telco Systems Asia Pacific—Japan
Tel: +81-3-5215-5709
Fax: +81-3-5215-5704
Email: info.jp@telco.com
Page 6
Using the Command Line Interface (CLI)
Table of Contents
Overview ······························································································· 2
Accessing the CLI ··················································································· 2
The CLI Modes······················································································· 3

View Mode ························································································ 3
Privileged (Enable) Mode ········································································ 3
Configuration Modes············································································· 3
Using the CLI························································································· 5

Command Keywords and Arguments ·························································· 5
Minimum Abbreviation ·········································································· 6
Dynamic Completion of Commands ··························································· 7
Regular Expressions ·············································································· 7
Getting Help ······················································································ 8
CLI Keyboard Sequences ·······································································12
Using the Command History ···································································12
General Commands ·············································································13
CLI Messages ····················································································14
Page 1
Using the Command Line Interface (CLI) (Rev. 07)
Overview
CLI is a network management application operating through an ASCII terminal.
Using the CLI commands, users can configure the device parameters and maintain them, receiving
text output on the terminal monitor. These system parameters are stored in a non-volatile memory
and users have to set them up only once.
The device CLI is password protected.
Accessing the CLI

You can access the CLI:
• directly, by connecting a PC to the device’s console port
• over an IP network, using Telnet or SSH
Once the console port is displayed, users have to type the deivce password to execute CLI
commands.
Example:
User Access Verification
Password:batm
T-Marc_3X0>
For more information, refer to the Methods of Managing a Device section of the Device Setup and
Maintenance chapter.
Throughout this guide, we refer to the T-Marc 300 Series device prompt as device-name.
Page 2
The CLI Modes

The CLI is built in heirarchial modes, each mode grouping relevant CLI commands. Below is the
list of the device’s main CLI modes.
View Mode
This is the initial, user-level mode the CLI enters after successfully login on to the CLI. This mode’s
prompt is >:
device-name>
The View mode is password protected (the default password is batm)
Privileged (Enable) Mode

The Privileged (Enable) mode is primarily used for viewing the system status, controlling the CLI
environment, monitoring network connectivity, troubleshooting, and initiating the different
Configuration modes. This mode’s prompt is #.
To access this mode from View mode use the enable command:
device-name>enable
device-name#
The Privileged (Enable) mode is not password protected by default. However you can configure
password protection by using the enable password command (for more information, refer to the
Device Setup and Maintenance chapter of the user guide).
Configuration Modes
To change the device configuarion, users need to access the Configuration mode. This mode’s
prompt is (config)#.
To access this mode from the Privileged (Enable) mode, use the configure terminal command.
device-name#configure terminal
device-name(config)#
The Configuration mode has various sub-modes for configuring the different device features, as
shown in the below table.
Example
To access the Protocol Configuration mode, use the protocol command in Global Configuration
mode:
device-name(config)#protocol
device-name(cfg protocol)#
Page 3
Table 1: Configuration Sub-Modes Summary

Configuration Role Prompt
Mode
VTY Controlling the Virtual Telnet Type device-name(config-VTY)#

(VTY) connection to the device
Interface The device physical-interfaces device-name(config-config-if
configuration UU/SS/PP)#
Interface range configuration device-name(config-if-group)#
Link Aggregation Groups (LAG) device-name(config-if AG0N)#

interface configuration
LAG interface range configuration device-name(config-ag-group)#
ACG Interface Access Control Groups device-name(config-if UU/SS/PP

(ACG) configuration acg ACL-NUMBER)#
Virtual LAN (VLAN) ACG device-name(config-vlan VLAN-

configuration NAME acg ACL-NUMBER)#
LAG interface ACG configuration device-name(config-if AG0N acg

ACL-NUMBER)#
VLAN VLANs configuration device-name(config vlan)#
Specific VLAN configuration device-name(config vlan VLAN-

NAME)#
Protocol Protocols settings such as STP, device-name(cfg protocol)#
RSTP, MSTP, EFM-OAM and, LAG
Resilient Link Resilient links configuration device-name(config-resil-link
N)#
Script-file Script-file system management device-name(config-config
System script-file-system)#
Monitor Monitoring parameters settings device-name(config monitor N)#
MSTP MSTP configuration device-name(cfg protocol mstp)
CFM CFM-OAM protocol configuration device-name(config-cfm)
SAA SAA throughput test configuration device-name(config-saa-

Throughput throughput)
Test
SAA Test- SAA profile configuration device-name(config-saa-profile-
Head Profile_ID)
SAA test configuration device-name(config-saa-TESTNAME)
TLS TLS service configuration device-name(config-tls SERVICE-

NAME)#
EPS EPS configuration device-name(config-eps-SERVICE-
NAME)#
Event Event Propagation profile device-name(config-ep-profile
Propagation configuration ID)#
Page 4
Using the CLI

Command Keywords and Arguments
Each CLI command is build up of a series of keywords and arguments:
• Keywords identify the command’s action
• Arguments specify the command’s configuration parameters
The CLI commands are not case sensitive.
The general CLI syntax is represented by the following format:
device-name[(config ...)]#keyword(s) [argument(s)] ... [keyword(s)]
[argument(s)]
In this format:
• device-name[(config ...)]# represents the prompt displayed by the device. This prompt
includes:
the user-defined device-name
the current CLI mode
• the command keywords and arguments typed by the user
Example:
In the command below:
device-name(config vlan)#create NAME <vlan-id>
• the CLI mode is Config VLAN

• create is the command keyword
• NAME <vlan-id> are command arguments
Page 5
Table 2: CLI Syntax Conventions in the User Guide

Symbol/Format Description
<Italic, small A numerical argument:

letters>
<priority>
Italic, capital A string argument:
letters
NAME
bold letters A command keyword:
copy
A.B.C.D An IP address:
10.4.0.4
UU/SS/PP A physical port number in a unit/slot/port format:

1/2/6
HH:HH:HH:HH:HH:HH A MAC address in a hexadecimal format:

00:a0:12:07:0f:78
[] An optional argument or keyword:
[FILENAME]
{} A mandatory argument or keyword:

{enable | disable}
| An or between two arguments or keywords, the user should select from:

{true | false}
Minimum Abbreviation
The CLI accepts a minimum number of characters that uniquely identify a command. Therefore
you can abbreviate commands and parameters as long as they contain enough letters to differentiate
them from any other available commands or parameters on the specific CLI mode.
Example
You can type the config terminal command as config t.
device-name#config t
In case of an ambiguous entry (when the CLI mode includes more than once command matching
the characters typed), the system prompts for further input.
Example
device-name#con
[%Error] Command incomplete
Page 6
Dynamic Completion of Commands

In addition to the Minimum Abbreviation functionality, the CLI can display the commands’
possible completions.
To display possible command completions, type the partial command followed immediately by
<Tab> or <Space>.
• In case the partial command uniquely identifies a command, the CLI displays the full
command.
• Otherwise the CLI displays a list of possible completions.
device-name(config)#in
Possible completions:
interface
---
insert Insert a parameter
Regular Expressions
Regular expressions are a subset of EGREP and AWK programming-language regular expressions.
Table 3: Common Regular Expressions
Key Function
. Matches any character

^ Matches the beginning of a string
$ Matches the end of a string
[abc...] Character class that matches any of the characters: abc…
To specify a character range, type a pair of characters separated by a -.
[^abc...] Negated character class that matches any character except abc....
r1 | r2 Matches either r1 or r2
r1r2 Matches r1 and then r2
r+ Matches one or more r
r* Matches zero or more r
r? Matches zero or one r
(r) Matches a pattern group
Page 7
Getting Help
To get specific help on a command mode, keyword, or argument, use one of the following
commands or characters:
Table 4: CLI Help Options
Command Purpose
help Provides a brief description of the help system in any command

mode:
device-name(config)#help
BiNOS CLID VTY provides advanced help feature.
When you need help,
anytime at the command line please press '?'.
If nothing matches, the help list will be empty and

you must backup
until entering a '?' shows the available options.
Two styles of help are provided:
1. Full help is available when you are ready to
enter a
command argument (e.g. 'show ?') and describes
each possible
argument.
2. Partial help is provided when an abbreviated
argument is entered
and you want to know what arguments match the
input
(e.g. 'show me?'.)
abbreviated- To display a command’s possible completions, type the partial

command<Tab> <Tab> command followed immediately by <Tab> or <Space>.
or If the partially typed command uniquely identifies a command, the
abbreviated- full command name is displayed. Otherwise, the CLI displays a
command<Space> <Tab> list of possible completions:
device-name(config)#int
UU/SS/PP ag01 ag02 ag03 ag04
ag05 ag06 ag07 range sw0
command? (Leave no space between the command and ?) Provides a list of

or commands that begin with a particular string and their description:
abbreviated-command?
device-name#con?
configure Configuration from vty interface
Page 8
Command Purpose
? Lists all commands available in the particular command mode:
device-name(config)#?
aaa Authentication and accounting
method
access-list Set access list definition
alias Enable creating an alias of a
command. An alias is a short form of a command
banner Set the banner string
caps-lock Warn if passwords contains only
CAPITAL letters
cfm Connectivity Fault Management
cpu CPU utilization monitoring
--More—
command ? (Leave a space between command and ?) Lists the keywords or

or arguments that the user can type next on the command line:
abbreviated-command ?
device-name#show ?
access-class Access-class vty status
access-lists Display the named access
lists
alarm-inherit Show Alarm Propagation on
port
cfm Connectivity Fault
Management
clock Show current system date and
time
configuration-history Display stored configuration
history
cpu Display CPU monitoring
--More—
Page 9
Command Purpose
! The CLI ignores all the characters following ! and up to the next
new line.
Use this option when pasting a file that includes comments into
the CLI:
device-name#show running-config
Building the configuration ...
! T-Marc 300 Version 9.4

!
password:
3090372e3f8bc00eeacc46219f7557485983251a994551f918e
04712f86c5818
ip address 10.4.4.210 255.255.0.0
interface sw0
!
! Source Ip Configuration:
!
! Log Configuration:
--More--
NOTE
To use ! as an argument, prefix it with \ or inside
double quotes (“).
Page 10
Command Purpose
command | {include | Searches and filters the command output. Use this functionality to
exclude} regular- sort through a large output or to exclude irrelevant output.
expression
• include: displays output lines that contain the regular
expression
• exclude: displays output lines that do not contain the
regular expression
• any regular-expression (text string) found in the show
command output
Example 1
The example below displays only interface output lines:
device-name#show running-config | include interface
interface sw0
interface 1/1/1
interface 1/1/2
interface 1/2/1
interface 1/2/2
interface 1/2/3
interface 1/2/4
interface 1/2/5
interface 1/2/6
interface 1/2/7
interface 1/2/8
interface ag01
interface ag02
interface ag03
interface ag04
interface ag05
interface ag06
interface ag07
Example 2
The example below displays only lines that contain 2:
device-name#show running-config | include 2
password
3090372e3f8bc00eeacc46219f7557485983251a994551f918e
04712f86c5818
ip address 10.4.4.210 255.255.0.0
interface 1/2/2
interface 1/2/3
interface 1/2/4
interface 1/2/5
interface 1/2/6
interface 1/2/7
interface 1/2/8
interface ag02
Page 11
CLI Keyboard Sequences

Users can use keyboard sequences to move around the command line and edit it. They can also use
keyboard sequences to scroll through a list of recently executed commands.
Table 5: CLI Keyboard Sequences
Key Function
Backspace Deletes the character preceding the cursor

Ctrl-A Moves to the beginning of the line
Ctrl-B Moves one character back
Ctrl-C Interrupts the current input and moves to the next line
Ctrl-D Moves one node back
Ctrl-E Moves to the end of the line
Ctrl-F Moves one character forward
Ctrl-H Deletes the character preceding the cursor
Ctrl-K Deletes all characters to the end of the line
Ctrl-N Moves down to the next line in the history buffer
Ctrl-P Moves up to the previous line in the history buffer
Ctrl-U Deletes the line
Ctrl-W Erases the last word
Ctrl-Z Returns to Enable mode
Esc+B Moves one word back
Esc+D Deletes the characters after the cursor
Esc+F Moves one word forward
Esc Stops ping from the device (for more information regarding the ping
command, refer to the Device Administration chapter).
Tab Fills in the rest of the command line
Using the Command History

The CLI maintains a history of commands (used in any CLI mode) that users can modify and
execute.
To scroll back through the commands history, press the arrow-up key.
For more information, refer to the Configuring System Message Logging chapter.
Page 12
General Commands
You can use the following commands in all CLI modes:
Table 6: General Commands
Command Description
no Negates the command or resets the command to its default value.
To disable privilege-limited logging, type:

device-name#no log group users-limit
alias Associates a contiguous character string as an alias to a command that

optionally includes specific arguments. The defined alias is fully
equivalent to the command it is associated to, in the CLI mode the alias
was defined.
To assign an alias to the command show interface 1/1/1

statistics, type:
device-name#alias sint1 show interface 1/1/1 statistics
Once the alias is assigned, you can execute the command by typing the
alias (sint1) in the relevant mode (Privileged (Enable) mode):
device-name#sint1
Octets 212 In/OutPkts 64 383
Collisions 0 In/OutPkts 65-127 0
Broadcast 0 In/OutPkts 128-255 0
Multicast 0 In/OutPkts 256-511 0
CRCAlignErrors 0 In/OutPkts 512-1023 0
Undersize 0 In/OutPkts 1024-
MaxFrameSize 0
Oversize 0 TotalInPkts 383
Fragments 0 TotalIn/OutPkts 383
Jabbers 0 DropCount 0
DropEvents 0
Last5secInPkts 50 Last5secInBps 409
Last1minInPkts 353 Last1minInBps 408
Last5secOutPkts 0 Last5secOutBps 0
Last1minOutPkts 0 Last1minOutBps 0
exit Escapes the current mode and enters the previous mode:
device-name(config-if 1/1/1)#exit
device-name(cfg protocol)#exit
Page 13
Command Description
quit Logs out and disconnects from the device:
device-name(config-if 1/1/1)#quit
Connection to host lost
end Escapes the current mode and enters the Privileged (Enable) mode:
device-name(cfg protocol)#end
device-name#
CLI Messages
The CLI displays relevant messages in response to executed commands:
Table 7: CLI Messages
CLI Message Description
% is not recognized Displayed when the entry is not a command.

% command incomplete Displayed when the user types a valid command but fails to type
the command’s required arguments.
In this case, press <Tab> to display the command’s possible
completions.
% Ambiguous token Displayed when the user types too few characters. In these cases,
the CLI detects an ambiguity and displays the possible matches:
device-name(config)#w
% Ambiguous token : w
% It matches the following tokens : who write
Page 14
Device Setup and Maintenance
Table of Contents
Table of Figures ······················································································ 3
Overview ······························································································· 4
Methods of Managing a Device ··································································· 5

Connecting to the Console Port ··························································· 5
The Terminal Screen Display······························································· 6
Connecting the Device via Telnet ························································· 7
Managing the Device via SNMP ································································ 7
Login and Password ················································································· 8

Password Recovery ··············································································· 8
Default Passwords Recovery ······························································· 8
Backdoor Password Recovery······························································ 8
Device Passwords Configuration Commands ················································· 9
Configuring the View Mode Password ···················································· 9
Configuring the Privileged (Enabled) Mode Password ·································10
Configuring the Loader Mode Password·················································10
Enabling/Disabling Caps Lock Notification ············································11
The Device IP Commands ········································································12

Configuring the Device’s Primary IP Address ···········································12
Configuring the Device’s Secondary IP Address ········································13
Configuring a Default Gateway ···························································14
Displaying the Device IP Address ························································14
Displaying Routes ··········································································15
Telnet Commands ··················································································16

Telnet Session Configuration Commands·····················································16
Connecting a Remote Host via a Telnet Client ··········································17
Page 1
Device Setup and Maintenance (Rev. 09)
Enabling/Disabling the Device’s Telnet Server ·········································17

Displaying Current Telnet Connections··················································18
Displaying the Current Telnet-Session Index············································18
Terminating a Telnet Connection·························································19
Virtual Terminal (VTY) ············································································20

Switching Between VTY Sessions······························································20
The VTY Step by Step Configuration ·························································21
VTY Configuration Commands································································22
Accessing the VTY Configuration Mode ················································22
Configuring the Device Name ····························································23
Defining the VTY Connection Timeout ·················································23
Creating ACLs for Restricting Telnet and SSH Access to the Device·················24
Applying ACLs for Filtering Telnet/SSH Connections ································25
Defining the Terminal Length ····························································25
Enabling the Advanced VTY Mode ······················································26
Displaying Applied ACLs··································································26
Configuration Example ·········································································27
Creating a Login Banner/Message-of-the-Day (MOTD) ···································28

MOTD Configuration Commands·····························································28
Enabling/Disabling the Default-MOTD Display ·······································28
Configuring a Single-line MOTD ·························································29
Configuring a Multi-line MOTD··························································30
Saving and Displaying the Device Configuration·············································31

Saving, Erasing, and Displaying Configuration Commands ·································31
Saving the Device’s Running Configuration ·············································31
Restoring Factory Defaults’ Configuration ··············································32
Displaying the Device’s Running Configuration ········································32
Displaying the Device’s Start-up Configuration ·········································33
Reloading the Device···············································································34
Supported Platforms ················································································35
Supported Standards, MIBs and RFCs ·························································35
Page 2
Table of Figures
Figure 1: Initial Device Configuration ·························································· 4
Figure 2: Management Methods································································· 5
Figure 3: A Telnet Server Example ····························································27
Page 3
Overview
This chapter provides the initial necessary information for accessing a T-Marc 300 Series device,
password configuration, saving new configuation parameters, and reload options.
To start a T-Marc 300 Series device, follow the installation guide instructions about installing, and
powering on the device.
Below are the first steps for initializing and configuring the T-Marc 300 Series device.
Start
Connect to the device console port
Log on to the device as a default user
Configure the device IP address
Manage the device via CLI or/and SNMP
End
Figure 1: Initial Device Configuration
Page 4
Methods of Managing a Device

You can manage a device using one (or both) of the following methods:
• Command line interface (CLI)—either directly, connecting the device console port to a PC or over
the network using Telnet and/or SSH
• Simple Network Management Protocol (SNMP)
Figure 2: Management Methods
Connecting to the Console Port

The T-Marc 300 Series’ console port is a EIA232 VT-100 compatible, (optionaly) password-
protected port, through which you can define the device's basic operational parameters.
To connect your PC to the device’s console port follow the steps below:
1. Use the console cable shipped with the device and connect the cable’s RJ-45 connector to the
device's console port (CON).
The cable has the following pinout:
Device Side PC Side
RJ-45 Pin # DB-9 Female

3 2
2 3
5 5
2. Connect the other side of the cable to your PC’s serial port.
3. Set the PC port to 9600-N-8-1 or:
9600 bps
no parity
8 data bits
1 stop bit
no flow control
Page 5
The Terminal Screen Display

Once connected to the console port, turn on the device. A screen similar to the below example is
displayed after a few seconds:
BATM Telco Boot Loader
Device model : T-Marc 340

Loader version : 6.6 TMC 07 created Jan 15 2006 - 10:44:48
MAC Address : 00:A0:12:27:14:20
Press any key to stop auto-boot...

0
auto-booting...
Uncompressing 2131761 bytes...

Loading image... 8234000
Starting device application, please wait...

BUILT-IN SELF TEST
------------------
CPU Core Test : Passed
CPU Interface Test : Passed
Testing Device Core : Passed
Data Buffer Test : Passed
///////////////////////////////////////////////////////////////////////////
// //
// //
// B A T M A d v a n c e d C o m m u n i c a t i o n s //
// //
// T e l c o S y s t e m s //
// //
// Device model : T-Marc 380 //
// Product Category : AccessEthernet(TM) //
// SW version : 10.1 created Mar 17 2010 - 20:19:58 //
// //
// //
///////////////////////////////////////////////////////////////////////////
Password:
Page 6
Connecting the Device via Telnet

You can connect the device CLI using Telnet once the device has a configured IP address.
To connect the device using Telnet, follow the below steps:
1. Connect to the device console port (see above).
2. Power on the device. The device starts up, displaying the device terminal.
3. Type the device password at the prompt (the default password is batm).
Password: batm
4. Enter the Privileged (Enable) mode:

device-name>enable
device-name#
5. Enter the Configure mode:

6. Configure the device IP address and subnet mask (the default IP address is 20.20.5.254/16):
device-name(config)#ip address <A.B.C.D/M>
A.B.C.D The device IP address

/M The subnet mask, in the range of <1–30>
7. Define the default gateway IP address (if the host is on a different subnet):
device-name(config)#ip route 0.0.0.0/0 <A.B.C.D>
8. Return to the Privileged (Enable) mode:

device-name(config)#end
9. Save these parameters (from the running configuration to NVRAM):

device-name#write
10. Connect your PC to a device port that is in VLAN 1 (by default all the device ports are
members of this VLAN. For more information on VLANs, refer to the Configuring VLANs
and Super VLANs chapter of this User Guide).
11. Open a Telnet session and type the device IP address to connect to the device.
Managing the Device via SNMP

You can manage a T-Marc 300 Series device via SNMP using an SNMP based management-
application. For more information, refer to the Configuring SNMP and SNMP Reference Guide
chapters of this User Guide.
To manage a device via SNMP, connect you’re management PC to a device port that is in VLAN 1
(by default all the device ports are members of this VLAN. For more information on VLANs, refer
to the Configuring VLANs and Super VLANs chapter of this User Guide).
Page 7
Login and Password

The CLI is passowrd protected, enabling access only to authorised users.
To control the level of access to the device, the device has three privilege levels, each one with its
own configurable password:
• View mode
• Privileged (Enable) mode
• Loader mode
All device passwords are encrypted.
For information about adding new usernames and defining user privileges, refer to the Device
Authentication chapter of this User Guide.
Caution
To protect your device from unauthorized access, change all default passwords as
soon as possible.
Password Recovery
Password recovery techniques enable users to recover lost and forgotten passwords. There are two
available password-recovery methods:
Default Passwords Recovery

You can reset the device to factory defaults, including the default passwords, by using the clean
startup-config command (for more information, refer to the Device Administration chapter of this
User Guide).
Backdoor Password Recovery

You can access the device using the Backdoor password. BATM Technical Support can provide you
the device’s Backdoor password, based on the device’s MAC address.
You can find the device MAC address on the label found on the device rear panel or at the bottom
of the device. You can also obtain the device’s MAC address from the device’s boot loader, during
the device start up.
Once you regain access to the device, you can change the device passwords.
Page 8
Device Passwords Configuration Commands

Table 1: Password Commands
Command Description
password Configures the View mode password (see Configuring the View
Mode Password)
enable password Configures the Privileged (Enabled) mode password (see
Configuring the Privileged (Enabled) Mode Password)
password loader Configures the boot loader password (see Configuring the
Loader Mode Password)
caps-lock passwords Notifies the user when <Caps Lock> is activated, while changing
warning or typing a password (see Enabling/Disabling Caps Lock
Notification)
Configuring the View Mode Password

The password command configures the View mode password.
CLI Mode: Global Configuration
Command Syntax
device-name(config)#password PASSWORD CONFIRM-PASSWORD
Argument Description
PASSWORD An alphanumeric, case sensitive field of up to 64 characters (blank
spaces are not allowed)
batm
CONFIRM-PASSWORD Retype the password for confirmation
Example
The following example sets the View mode password to device12:
device-name(config)#password device12 device12
After setting the new password, use this password upon entering the device console:
Password:device12
device-name>
Page 9
Configuring the Privileged (Enabled) Mode Password

The enable password command configures the Privileged (Enabled) mode password.
Command Syntax
device-name(config)#enable password PASSWORD CONFIRM-PASSWORD
device-name(config)#no enable password
The Privileged (Enabled) mode does not require a password. However,
once you define this password, users are required to type the password
to enter this mode.
no Removes the mode’s password
Example
The following example sets the Privileged (Enabled) password to device12:
device-name(config)#enable password device12 device12
After setting the new password, use this password upon entering the Privileged (Enable) mode:
device-name>enable
Password:device12
device-name#
Configuring the Loader Mode Password

The password loader command configures the (boot) Loader mode password.
Command Syntax
device-name(config)#password loader PASSWORD CONFIRM-PASSWORD
batm
Page 10
Example
The following command sets the Loader mode password to loaderp:
device-name(config)#password loader loaderp loaderp
After setting the new password, use this password upon entering the Loader mode:
Password: loaderp
Loader>
Enabling/Disabling Caps Lock Notification

The caps-lock passwords warning command generates a notification in case the <Caps Lock>
is activated, while changing or typing a password.
Command Syntax
device-name(config)#caps-lock passwords warning {on | off}
on Enables caps lock notification
Caps lock notification is enabled
off Disables caps lock notification
Example
device-name(config)#caps-lock passwords warning on
device-name(config)#password batm batm
device-name(config)#password BATM BATM
% Warning! The password typed is all in uppercase characters. Please check if
your CapsLock key is not pressed by mistake.
Page 11
The Device IP Commands

Table 2: Device IP Commands
Commands Description
ip address Configures the device’s primary IP address (see Configuring the

Device’s Primary IP Address)
ip address secondary Configures the device’s secondary IP address (see Configuring
the Device’s Secondary IP Address)
ip route Configures the device’s default-gateway IP address (see
Configuring a Default Gateway)
show ip Displays the device IP address (see Displaying the Device IP
Address)
show ip route Displays the static and directly connected (via configured IP
interfaces) routes (see Displaying Routes)
Configuring the Device’s Primary IP Address

The ip address command configures the device’s primary (inband, sw0 interface) IP address. You
must configure the device’s primary IP address to be able to connect the device via the inband
(using Telnet, SSH, NTP, or SNMP).
Command Syntax
device-name(config)#ip address A.B.C.D [/M | A2.B2.C2.D2]
A.B.C.D The device’s primary IP address
20.20.5.254/16
/M (Optional) the IP address subnet-mask, in the range of <1–30>
A2.B2.C2.D2 (Optional) the IP address subnet-mask, in an IP format
Example
device-name(config)#ip address 100.1.2.3/16
Page 12
Configuring the Device’s Secondary IP Address

The ip address secondary command configures sw0 interface’s secondary IP address.
CLI Mode: IP Interface Configuration
NOTE
You have to configure the device’s primary IP address prior to configuring the
secondary one, otherwise the following prompt is displayed on the terminal:
% There is no primary address.
Command Syntax
device-name(config-if sw0)#ip address A.B.C.D [/M | A2.B2.C2.D2] secondary
device-name(config-if sw0)#no ip address A.B.C.D [/M | A2.B2.C2.D2] secondary
A.B.C.D The device’s secondary IP address
/M (Optional) the IP address subnet-mask, in the range of <1–30>
A2.B2.C2.D2 (Optional) the IP address subnet-mask, in an IP format
secondary Specifies that this is a secondary IP address
no Removes the secondary address (you cannot remove the primary IP
address)
Example
device-name(config)#interface sw0
device-name(config-if sw0)#ip address 100.1.2.3/16 secondary
Page 13
Configuring a Default Gateway

The ip route command configures the device’s default-gateway IP address.
Command Syntax
device-name(config)#[no] ip route A.B.C.D {/0 | 0.0.0.0} A2.B2.C2.D2
A.B.C.D The destination network IP-address
/0 The destination network subnet-mask (the only permitted destination
subnet-mask is 0)
0.0.0.0 The destination network mask, in an IP format
A2.B2.C2.D2 The gateway IP address
no Removes the specified destination network
Displaying the Device IP Address

The show ip command displays the device IP address.
CLI Mode: Privileged (Enable)
Command Syntax
device-name#show ip
Example
device-name#show ip
IP-ADDR : 100.1.2.3 NET-MASK : 255.255.0.0
Page 14
Displaying Routes
The show ip route command displays the static and directly connected (via configured IP
interfaces) routes.
Command Syntax
device-name#show ip route
Example
device-name#show ip route
Codes: K - kernel route, C - connected, S - static, R - RIP,
O - OSPF, > - selected route, * - FIB route
S>* 0.0.0.0/0 [1/0] via 10.4.10.1, outBand0

K>* 10.4.0.0/16 is directly connected, outBand0
K>* 10.4.4.225/32 is directly connected, outBand0
C>* 10.5.0.0/16 is directly connected, sw0
C>* 10.5.4.225/32 is directly connected, sw0
C>* 127.0.0.0/8 is directly connected, lo0
C>* 127.0.0.1/32 is directly connected, lo0
Page 15
Telnet Commands
T-Marc 300 Series devices have an internal Telnet server and client:
• You can connec to the device with a Telnet client (up to five concurrent sessions)
• You can connect to a remote host using the device’s internal Telnet client
Telnet Session Configuration Commands

Table 3: Telnet Configuration Commands
Command Description
telnet (In Privileged mode) initiates a Telnet connection to a remote host

(see Connecting a Remote Host via a Telnet Client)
telnet (In Global Configuration mode) enables/disables the local device’s
Telnet server (see Enabling/Disabling the Device’s Telnet Server)
who Displays information about currently logged on users. (see
Displaying Current Telnet Connections)
session Displays your current Telnet session-index to the device (see
Displaying the Current Telnet-Session Index)
session kill Terminates a specified Telnet/SSH session to the device (see
Terminating a Telnet Connection)
Page 16
Connecting a Remote Host via a Telnet Client

The telnet command initiates a Telnet connection to a specified remote host.
For more information about the Telnet log output, refer to the Configuring System Logging chapter of
this User Guide.
Command Syntax
device-name#telnet A.B.C.D [<port-num>]
A.B.C.D The remote host’s IP address
port-num (Optional) specifies a port number for the service, in the range of
<1–65535>
port 23
Enabling/Disabling the Device’s Telnet Server

The telnet command enables or disables the device’s internal Telnet server, allowing/disallowing
remote PCs to access the device.
Command Syntax
device-name(config)#telnet {start | stop}
start Enables the Telnet server, allowing remote hosts to connect the device via
Telnet
Telnet server is enabled
stop Disables the Telnet server. Executing this command terminates any open
Telnet connections immediately.
Page 17
Displaying Current Telnet Connections

The who command displays information about Telnet clients that are currently logged on to the
device.
CLI Modes: View and Privileged (Enable)
Command Syntax
device-name>who
device-name#who
Example
device-name#who
Codes: > - current session, * - configuring
vty on console connected on console.
>vty on telnet [1] connected from 10.2.71.137.
Displaying the Current Telnet-Session Index

The session command displays your current Telnet session-index to the device.
Command Syntax
device-name#session
Example
device-name#session
your current session is: 2
Page 18
Terminating a Telnet Connection

The session kill command terminates a specified Telent/SSH session to the device. Before
executing the command, BiNOS checks if the session number is not the master session’s number
(the VTY from which other sessions originate). If the result is negative, the command closes the
specified session to the remote host.
The CLI displays a notification in case the session terminates.
Command Syntax
device-name#session kill <session-number>
session-number The Telnet session number, in the range of <1–101>
Page 19
Virtual Terminal (VTY)

VTY is a logical conneciton used for controlling inbound Telnet/SSH/console connections.
BiNOS supports up to five concurrent VTY sessions (numbered VTY 1–5).
Switching Between VTY Sessions

To switch between sessions initiated from the same VTY terminal type:
<Ctrl+Shift+6>
or
<Ctrl+]>
Example
device-name#telnet 192.0.103.13
connecting to 192.0.103.13...
current session is 4.
...
device-name(config)#<ctrl+shift+6>
choose session to device to:
the current session is 4
your sessions are 0 4 > 0
current session is 0.
Page 20
The VTY Step by Step Configuration

To configure VTY, follow the below steps:
12. Enter the VTY Configuration mode (see Accessing the VTY Configuration Mode).
13. Optional configurations:
Configure the device name (see Configuring the Device Name)
Configure the VTY connection timeout (see Defining the VTY Connection Timeout)
Create access control lists (ACL) to restrict/filter Telnet and SSH connections to the
device and apply them to VTY (see Creating ACLs for Restricting Telnet and SSH Access to the
Device and Applying ACLs for Filtering Telnet/SSH Connections)
Define the number of command lines displayed on the terminal screen (see Defining the
Terminal Length)
Enable advanced mode VTY (see Enabling the Advanced VTY Mode)
Page 21
VTY Configuration Commands

Table 4: VTY Configuration Commands
Command Description
line vty Enters the VTY Configuration mode (see Accessing the VTY
Configuration Mode)
hostname Configures the device’s hostname (see Configuring the Device
Name)
exec-timeout Defines the VTY connection timeout (see Defining the VTY
Connection Timeout)
access-list Creates ACLs to restrict device management for specific IP
addresses (see Creating ACLs for Restricting Telnet and SSH
Access to the Device)
access-class Filters Telnet and SSH connections to the device (see
Applying ACLs for Filtering Telnet/SSH Connections)
terminal length Defines the number of commands lines displayed on the
terminal screen (see Defining the Terminal Length)
service terminal-length
service advanced-vty Enables the advanced VTY mode (see Enabling the Advanced
VTY Mode)
show access-lists Displays the applied VTY ACLs (see Displaying Applied ACLs)
Accessing the VTY Configuration Mode

The line vty command enters the VTY Configuration mode.
Command Syntax
device-name(config)#line vty
device-name(config-vty)#
Page 22
Configuring the Device Name

The hostname command specifies the name of the device (the name displayed at the prompt line).
Command Syntax
device-name(config)#hostname HOSTNAME
device-name(config)#no hostname
HOSTNAME An alphanumeric, case sensitive string of up to 30 characters (the string
must follow ARPANET rules for host names)
T-Marc
no Restores the default device name
Example
device-name(config)#hostname Demarc1
Demarc1(config)#
Defining the VTY Connection Timeout

The exec-timeout command defines the VTY connection timeout value. The VTY connection to
the device is terminated, if the session is not active for this period of time.
Executing this command without any arguments, displays the defined VTY connection-timeout.
CLI Mode: VTY Configuration
Command Syntax
device-name(config-vty)#exec-timeout [<minutes> [<seconds>] | unlimited]
device-name(config-vty)#no exec-timeout
minutes (Optional) the timeout, in the range of <0–35791> minutes (setting a
zero timeout means no timeout)
10 minutes
seconds (Optional) the timeout value in the range of <0–59> seconds
unlimited (Optional) unlimited timeout value
no Sets an unlimited timeout value
Page 23
Example
device-name(config-vty)#exec-timeout 3
device-name(config-vty)#exec-timeout
exec-timeout 3 min 0 sec
Creating ACLs for Restricting Telnet and SSH Access to the

Device
The access-list command creates ACLs to restrict the device management to specific IP
addresses. For more information about ACLs, refer to the Configuring Access Control List (ACL)
chapter of this User Guide.
Command Syntax
device-name(config)#access-list <ACL-NAME> {deny | permit} {any | SOURCE-MASK
[exact-match]}
device-name(config)#no access-list <ACL-NAME> [deny | permit] [any | SOURCE-
MASK [exact-match]]
ACL-NAME The ACL name
deny Denies access if conditions are matched
permit Permits access if conditions are matched
any The ACL is relevant to any source address
SOURCE-MASK The management source mask-bits. You can specify the source mask in one
of the below options:
• An IP address format, place ones (1) in the bit positions that should be
ignored
• /M (the IP mask in the range of <1–30>)
exact-match (Optional) prefixes exact matching
no Clears the specified ACL
Example
device-name(config)#access-list batm1 deny 192.98.0.0/16
device-name(config)#access-list batm2 permit 192.0.0.0/8
Page 24
Applying ACLs for Filtering Telnet/SSH Connections

The access-class command applies the defined ACLs (see above) to filter Telnet and SSH
connections to the device.
CLI Mode: VTY Configuration
Command Syntax
device-name(config-vty)#access-class ACL-NAME
device-name(config-vty)#no access-class [ACL-NAME]
ACL-NAME Restricts the Telnet connections to the addresses specified in the ACL
no Removes access restrictions. If you do not specify an ACL-NAME, this
command removes all access classes
Defining the Terminal Length

The terminal length command defines the number of command lines displayed on the terminal
screen (applied to all VTY interfaces).
CLI Mode: View and Privileged (Enable)

You can also use the service terminal-length command to define the number of command
lines.
Command Syntax
device-name>terminal length <number-of-lines>
device-name>no terminal length
device-name#terminal length <number-of-lines>

device-name#no terminal length
device-name(config)#service terminal-length <number-of-lines>

device-name(config)#no service terminal-length
number-of-lines The number of lines displayed, in the range of <0–512>
A value of zero removes the limit.
25 lines
no Restores to default
Page 25
Enabling the Advanced VTY Mode

The advanced VTY mode skips the CLI View mode when connecting to the device and moves
directly to the Privileged mode
The service advanced-vty command enables advanced VTY mode.
To access the device View mode, type the disable command in Privileged mode.
Command Syntax
device-name(config)#service advanced-vty
device-name(config)#no service advanced-vty
no Disables the advanced VTY mode
VTY mode is disabled
Example
device-name(config)#service advanced-vty
...
Password:
device-name#
Displaying Applied ACLs

The show access-lists command displays the applied filtering ACLs.
Command Syntax
device-name#show access-lists
Example
device-name(config)#access-list batm1 deny 192.98.0.0/16
device-name(config)#access-list batm2 permit 192.0.0.0/8
device-name#show ip access-lists
access-list batm1 deny 192.98.0.0/16
access-list batm2 permit 192.0.0.0/8
Page 26
Configuration Example
The following example shows how to restrict Telnet connections to one IP address:
Figure 3: A Telnet Server Example
1. Create an access list named Management to allow a Telnet connection only to management
station 212.192.50.2:
device-name(config)#access-list Management permit 212.192.50.2/32
2. Enter the VTY Configuration mode:

device-name(config)#line vty
3. Apply access list Management to the VTY:

device-name(config-vty)#access-class Management
4. Set the VTY timeout to one hour:

device-name(config-vty)#exec-timeout 60
device-name(config-vty)#end
5. Display the current open sessions to the device:

device-name#who
Codes: > - current session, * - configuring
vty on console connected on console.
>vty on telnet [1] connected from 212.192.50.2.
Page 27
Creating a Login Banner/Message-of-the-Day

(MOTD)
The MOTD (or login banner) is the text appearing on the terminal when initiating a Telnet session
or console connection to the device.
The MOTD is displayed before the User Access Verification and is useful for displaying messages
that affect all network users (such as impending a system shutdown).
MOTD Configuration Commands

NOTE
These commands take effect only after reloading the device.
Table 5: MOTD Commands

Command Description
banner motd default Enables the default MOTD string display (see Enabling/Disabling
the Default-MOTD)
banner set Enters a specified string to a single-line MOTD (see Configuring a
Single-line MOTD)
banner set multiline Enters a specified string to multi-line MOTD (see Configuring a
Multi-line MOTD)
Enabling/Disabling the Default-MOTD Display

The banner motd default command enables the default MOTD “Hello, this is OS CLI”..
Command Syntax
device-name(config)#banner motd default
device-name(config)#no banner
no Disables the default banner
MOTD is disabled
Page 28
Example
device-name(config)#banner motd default
device-name#write
Building the configuration …
Configuration is successfully written to NVRAM
device-name#reload no-save
...
Hello, this is OS CLI
Password:
Configuring a Single-line MOTD

The banner set command configures a user-defined single-line MOTD.
Command Syntax
device-name(config)#banner set MOTD-STRING
MOTD-STRING An alphanumeric string of up to 1024 characters, including blank
spaces and other characters except for a question mark (?)
no Removes the configured MOTD
Example
device-name(config)#banner set DO NOT CHANGE CONFIGURATION WITHOUT NOTICING THE
SYSADMIN!
device-name#write
...
DO NOT CHANGE CONFIGURATION WITHOUT NOTICING THE SYSADMIN!

Password:
Page 29
Configuring a Multi-line MOTD

The banner set multiline command configures a user-defined multi-line MOTD. End the
multi-line MOTD with the caret (^) character.
Command Syntax
device-name(config)#banner set multiline
> MOTD-STRING
> MOTD-STRING An alphanumeric string of up to 1024 characters, including blank
spaces and other characters except for a question mark (?).
Type the caret (^) character on the last line to end the multi-line MOTD.
no Removes the banner
Example
device-name(config)#banner set multiline
% Enter a multiline text. Finish with '^' string at the beginning of a row
>this is
>multi-line
>text
^
device-name#write
...
this is
multi-line
text
Page 30
Saving and Displaying the Device Configuration

The device configuration is stored in the start-up configuration in NVRAM.
Any configuration changes are stored first on the running configuraiton, in RAM. These changes
are erased when the device shuts down. To save these configuration changes, you have to save
these changes in the startup configuration.
Saving, Erasing, and Displaying Configuration

Commands
Table 6: Saving, Erasing, and Displaying the Device Configuration Commands
Command Description
write memory Saves the running configuration to the NVRAM (see Saving the Device’s
Running Configuration)
write erase Restoring the device configuration to factory defaults, erasing the
configuration stored on the NVRAM (see Restoring Factory Defaults’
Configuration)
write terminal Displays the current running configuration information (see Displaying
show running- the Device’s Running Configuration)
config
show startup- Displays the startup configuration (see Displaying the Device’s Start-up
config Configuration)
Saving the Device’s Running Configuration

The write and write memory commands save the running configuration to the startup
configuration (NVRAM).
These commands are equivalent to the copy running-config startup-config command (see
the Device Administration chapter of this User Guide).
Command Syntax
device-name#write [memory]
Page 31
Restoring Factory Defaults’ Configuration

The write erase command erases the device startup configuration and restores the device to
factory defaults.
This command is like the reload-to-default command (see Reloading the Device), however it does
not reset the device.
Command Syntax
device-name#write erase
Displaying the Device’s Running Configuration

The write terminal and the show running-config commands display the delta between the
deivce’s running configuration and factory default-values.
Use the relevant command argument to view the Running Configuration for a specific feature.
Command Syntax
device-name#write terminal
device-name#show running-config [acl | cfm | dns | fpga | igmp | lag | log |
monitor-session | oam | port | protocol | ptp | qos | rmon | rtr | saa | snmp |
super-vlan | sw-watchdog | switch-monitoring | time-server | vlan]
Example 1
device-name#write terminal
! Current Configuration:
!
! T-Marc 380
!
password 3090372e3f8bc00eeacc46219f7557485983251a994551f918e04712f86c5818
ip address 3.0.0.1 255.0.0.0 .
Example 3
device-name#show running-config port
! Port Configuration:
!
interface 1/1/1
!
interface 1/1/2
!
interface 1/2/1
Page 32
!
interface 1/2/2
!
interface 1/2/3
!
interface 1/2/4
!
interface 1/2/5
!
interface 1/2/6
!
interface 1/2/7
!
interface 1/2/8
...
Displaying the Device’s Start-up Configuration

The show startup-config command displays the device’s startup configuration.
Command Syntax
device-name#show startup-config
Page 33
Reloading the Device

When reloading (restarting/rebooting) the device, you can select one of the below options:
• Reload the device, with or without saving the running configuration
• Reload the device with factory-default configuration
The reload command ceases the device’s operation and reloads it.
NOTE
The device’s running configuration stored on the device RAM is erased upon the
device reload, unless you save it to the device’s startup configuration.
To save the running configuration, refer to Saving the Device’s Running
Configuration.
Command Syntax
device-name#reload [save | no-save | to-defaults]
save (Optional) saves the running configuration to NVRAM and reloads the
device
save
no-save (Optional) does not save the running configuration to NVRAM and reloads
the device
to-defaults (Optional) reloads the device and resets the device configuration to its
factory defaults
Example 1
Saving the running configuration and reloading the device (the save keyword is optional):
device-name#reload save
save current configuration and reboot the switch ? [y/n]: y
Rebooting ...
Example 2
Reloading the device without saving the running configuration:
Proceed with reload ? [y/n] : y
Rebooting ...
Page 34
Supported Platforms
Features T-Marc 340 T-Marc 380
Accessing the Device using Telnet + +

VTY (Virtual Telnet Type) Commands + +
Configuring ACLs + +
Creating a Banner + +
Saving and Displaying the Device Configuration + +
How to Reload the Device + +
Supported Standards, MIBs and RFCs

Features Standards MIBs RFCs
Accessing the Device No standards are No MIBs are RFC 854, Telnet
using Telnet supported by this supported by this Protocol Specification
feature. feature.
VTY (Virtual Telnet No standards are No MIBs are RFC 791, Internet
Type) Commands supported by this supported by this Protocol DARPA
feature. feature. Internet Program
Protocol
Specifications
Configuring ACLs No standards are Private MIB, No RFCs are
supported by this prvt_switch_access_li supported by this
feature. st.mib feature.
Creating a Banner No standards are No MIBs are RFC 791, Internet
supported by this supported by this Protocol DARPA
feature. feature. Internet Program
Protocol
Specifications
Saving and Displaying No standards are No MIBs are RFC 1350, The TFTP
the Device supported by this supported by this Protocol (Revision 2)
Configuration feature. feature.
How to Reload the No standards are No MIBs are RFC 1350, The TFTP
Device supported by this supported by this Protocol (Revision 2)
feature. feature.
Page 35
Device Administration
Table of Figures ······················································································ 3
Features Included in this Chapter ································································ 4
MAC Address Table (FDB) ········································································ 5

Overview ·························································································· 5
The MAC Address Table Default Configuration ·············································· 7
The MAC Address Table Step by Step Configuration ········································ 7
The MAC Address Table Configuration Commands ········································· 8
ARP Table ····························································································21

Overview ·························································································21
Configuring the ARP Table·····································································21
Script Files System ··················································································23

Overview ·························································································23
The Script Files System Default Configuration ···············································23
The Script Files System Configuration Commands ··········································24
File System ···························································································33

Overview ·························································································33
The File System Default Folders ·······························································33
The File System Commands ····································································34
Modifying the Default Configuration ···························································41

Default Configuration Commands·····························································41
Zero-Touch Configuration ········································································44

Overview ·························································································44
Zero-touch Configuration Default Configuration ············································44
Zero-touch Configuration Commands ························································45
Software Upgrade and Boot Options ····························································50

Preparing to Download a BiNOS Software Image Using TFTP/FTP Connection·······50
Downloading the BiNOS Software Image ····················································51
Commands for Upgrading Software Images ··················································52
Page 1
Device Administration (Rev. 11)
Downloading and Uploading Configuration Files ············································60
Boot Loader ··························································································66

Overview ·························································································66
The Device Loader's Default Configuration ··················································67
The Loader Commands ·········································································67
System Time and Date ·············································································82

Daytime Protocol ················································································82
Time Protocol····················································································82
Summer Time (Daylight saving time) ··························································82
Network Time Protocol·········································································83
1588v2 Precision Time Protocol (PTP) ·······················································83
System Time and Date Default Configuration················································83
1588v2 PTP Default Configuration····························································83
System Time and Date Configuration Flow···················································85
System Time and Date Configuration Commands ···········································86
1588v2 PTP Configuration Flow·······························································96
1588v2 PTP Configuration Commands ·······················································97
Configuration Example ······································································· 104
DHCP Client······················································································· 105

Overview ······················································································· 105
When Should Clients Use DHCP ···························································· 106
The DHCP Client Default Configuration ··················································· 107
The DHCP Client Configuration Flow ······················································ 107
DHCP Client Configuration Commands···················································· 108
Controlling the Packet Rate······································································112

Overview ······················································································· 112
Packet-Rate Thresholds' Default Configuration ············································ 113
The Packet-Rate Thresholds' Commands ··················································· 113
Control Plane Priority per Protocol ·····························································116
Supported Platforms ···············································································117
Supported Standards, MIBs and RFCs ························································117
Page 2
Table of Figures
Figure 1: Obtaining an IP Address from a DHCP Server ································· 106
Figure 2: Rate Limit Mechanism ····························································· 112
Page 3
Features Included in this Chapter

This chapter describes how to perform operations to administer your T-Marc 300 Series devices.
This chapter consists of these sections:
• MAC Address Table (FDB)
The MAC address table contains address information that the device uses to forward
traffic between ports. The T-Marc 300 Series devices maintain a database of MAC
addresses; both manually configured (static) and dynamically learned entries. During
troubleshooting, it may be helpful to investigate the entries in the MAC address table.
• ARP Table
ARP table is another table that is supported on your device. It provides IP
communication within a Layer 2 broadcast domain by mapping an IP address to a MAC
address.
• Zero-Touch Configuration
Zero configuration networking allows inexpert users to connect network devices and
expect a functioning network to be established automatically.
• Script Files System, File System, Software Upgrade and Boot Options, Boot Loader, and Modifying the
Default Configuration
These sections describe some fundamental tasks you perform to maintain the
configuration files and system images used by your T-Marc 300 Series devices.
• System Time and Date
You can manage the system time and date on your device using automatic configuration,
such as the Network Time Protocol (NTP), or manual configuration methods. NTP
allows the synchronization of device clocks over TCP/IP networks. Having a common
view of time on the network makes many things easier, from correlating log files from
different devices to keeping file timestamps consistent.
• DHCP Client
The main advantage of dynamically assigning IP addresses using Dynamic Host
Configuration Protocol (DHCP) is that it allows such addresses to be reused, thereby
greatly increasing the total number of devices that can use the Internet.
• Controlling the Packet Rate
The ability to control the CPU resource allows you to protect the device from denial-of-
service attacks and to prevent excessive traffic to the CPU.
Page 4
MAC Address Table (FDB)

Overview
The MAC (Media Access Control) address is the unique hardware number that identifies the
computer on a local area network (LAN) or other network.
MAC addresses are 12-digit hexadecimal numbers (48 bits in length) in the following format:
MM:MM:MM:SS:SS:SS
Whereas MAC addressing works at the data link layer (layer 2), IP addressing functions at the
network layer (layer 3). MAC addresses are also known as hardware or physical addresses.
The MAC Address table holds the source MAC address, VLAN ID, MAC address priority and
port number.
MAC Address Table Entry Types

The following entry types can exist in the MAC address table:
• Dynamic entries—to learn a dynamic entry, the device examines packets to determine the
source MAC address, VLAN, and port information. Initially, all entries in the database are
dynamic, except for certain entries created by the device.
• Dynamic entries are flushed and updated when any of the following occurs:
A VLAN is removed
A VLAN ID is changed
A port mode is changed (tagged/untagged)
A port is removed from a VLAN
A port is disabled
A port QoS setting is changed
A port goes down
A new dynamic entry is created when the device identifies a source MAC address that
does not yet have an entry in the MAC address table. Dynamic entries are deleted from
the database if the device is reset or a power off/on occurs.
• Static entries—permanent entries are retained in the database if the device is reset or a power
off/on cycle occurs. A permanent entry can either be a unicast or multicast MAC address.
These entries are created through the CLI.
• Secure entries—a secure entry is configured to a secured port to allow only secured MAC
address to be learned by this port.
• Self entries—a self entry is automatically created by the device software for various reasons.
• Filtered entries—a filtered entry can be created in two ways. One way is to configure filter
entry statically for blocking the traffic from and to specific MAC address on the device. The
second way is to use the Port/VLAN Security or the Port Limit feature. The MAC addresses
in the filtered entries are the MAC addresses that caused security violation.
Page 5
• Multicast entries—Multicast entries are multicast MAC addresses that were created dynamically
by multicast protocol. The multicast entry is removed via the mac-address-table command,
multicast entries are added via the ip igmp snooping dynamic/static command.
For more information refer to the Configuring Multicast Layer 2 chapter of this User Guide.
NOTE
Only the dynamic MAC addresses age out.
You can remove MAC addresses (except Self) from the MAC Address table by using
one of the clear mac-address-table commands.
Adding Entries to a MAC Address Table

Entries can be added to the MAC address table in the following two ways:
• The device can learn entries by examining packets it receives. The system updates its MAC
Address table with the source MAC address from a packet, the VLAN, and the port identifier
on which the source packet is received. You can also limit the number of addresses that can be
learned on a port, or you can shut down the current port and prevent additional MAC address
learning.
• You can enter and update entries using the command-line interface (CLI).
Page 6
The MAC Address Table Default Configuration

Table 1: MAC Address Table Default Configuration
Feature Default Value
MAC address aging time 300 seconds

New MAC address learning Enabled
Displaying the learned MAC addresses Enabled
The MAC Address Table Step by Step Configuration

1. Add a static, dynamic or secure entry to the MAC address table (see Adding a New Entry)
or
2. Add a filtered entry to the MAC address table (see Adding a Filtered Entry)
Configure the MAC address table aging time (see Configuring the MAC Address Table Aging
Time)
Configure learning of new MAC addresses globally (see Configuring MAC Addresses Learning
Globally)
Configure learning of new MAC addresses on a port (see Configuring MAC Addresses
Learning per Port)
4. Delete a specific entry from the MAC address table (see Clearing a MAC Address Table)
5. Display entries from the MAC address table (see Displaying MAC Address Table Entries)
Page 7
The MAC Address Table Configuration Commands

Table 2: MAC Address Table Commands
Command Description
mac-address-table Adds a static, dynamic or secure entry to the MAC

address table (see Adding a New Entry)
mac-address-table filtered Adds a filtered entry to the MAC address table
(see Adding a Filtered Entry)
Table 3: MAC Address Table Optional Commands

Command Description
mac-address-table aging- Configures the MAC address table aging time

time (see Configuring the MAC Address Table Aging Time)
learning new-address Configures learning of new MAC addresses globally (see
Configuring MAC Addresses Learning Globally)
port learning new-address

Enables/disables learning of new MAC addresses on a
port (see Configuring MAC Addresses Learning per Port)
Table 4: Clear MAC Address Table Commands

Command Description
clear mac-address-table Clears a specific entry from the MAC address table
(see Clearing a MAC Address Table)
no mac-address-table
Table 5: MAC Address Table Display Commands

Command Description
show mac-address-table Displays the MAC address table contents

(see Displaying MAC Address Table Entries)
mac-address-table learning- Enables/disables displaying the MAC addresses, learned
display on a specific list of interfaces or on a list of VLANs (see
Displaying/Hiding MAC Addresses)
show mac-address-table Displays the MAC address table aging time
aging-time (see Displaying the MAC Address Table Aging Time)
show mac-address-table Displays the length of the MAC address table hash chain
hash-depth (see Displaying the Length of the MAC Address Hash
Chain)
Page 8
Adding a New Entry

The mac-address-table command adds a static, dynamic or secure entry to the MAC address
table.
Command Syntax
device-name(config)#mac-address-table {static | dynamic | secure}
HH:HH:HH:HH:HH:HH interface {UU/SS/PP | ag0N} vlan <vlan-id>
device-name(config)#no mac-address-table {static | dynamic | secure}

HH:HH:HH:HH:HH:HH [interface {UU/SS/PP | ag0N} | vlan <vlan-id>]
device-name(config)#mac-address-table {static | dynamic | secure}

HH:HH:HH:HH:HH:HH {service <service ID> [sap SAPSTRING | sdp SDPSTRING]
[interface UU/SS/PP vlan <vlan-id> [priority <0-7>]}
device-name(config)#no mac-address-table {static | dynamic | secure}

HH:HH:HH:HH:HH:HH [service <service ID> [sap SAPSTRING | sdp SDPSTRING]]
[vlan <vlan-id>] [interface UU/SS/PP]
static Adds a static entry.
dynamic Adds a dynamic entry.
secure Adds a secure entry for the secured port feature.
HH:HH:HH:HH:HH:HH Destination MAC address to be added to the MAC Address table.
Packets with this destination address received on a specific VLAN
are forwarded to the specified interface.
UU/SS/PP Port to which the received packets are forwarded.
ag0N The link aggregation ID (ag01, ag04–ag07). The allowed ID is in
the range of <1–7>.
vlan <vlan-id> Specifies a VLAN for which the packet with the desired MAC
address is received. The VLAN ID is in the range <2–4094>.
service <service ID> The service unique service identifier, in the range <1–
4294967295>.
sap SAPSTRING The SAPSTRING has the forms:
• UU/SS/PP:CVLANID:—use it if you configure the SAP on a
port
• AG0N:CVLANID:—use it if you configure the SAP on a link
aggregation
The C-VLAN ID is in the range of <1–4094>
Page 9
sdp SDPSTRING The SDPSTRING has the forms:

• UU/SS/PP:SVLANID:—use it if you configure the SDP on a
port
• AG0N:SVLANID:—use it if you configure the SDP on a link
aggregation
The S-VLAN ID is in the range of <1–4094>
priority <0-7> (Optional) specifies the priority range
no Removes entries from the MAC address table.
Adding a Filtered Entry

The mac-address-table filtered command adds a filtered entry to the MAC address table.

The filtered entry in the MAC address table is known as dangerous. This entry is denied as source and
as destination for each incoming and outgoing packet on the specified VLAN.
Command Syntax
device-name(config)#mac-address-table filtered HH:HH:HH:HH:HH:HH vlan <vlan-
id>
device-name(config)#no mac-address-table filtered HH:HH:HH:HH:HH:HH [interface
UU/SS/PP | vlan <vlan-id>]
HH:HH:HH:HH:HH:HH Destination MAC address to be filtered. Packets with this destination
address received on the specified VLAN are filtered.
vlan <vlan-id> Specifies the VLAN for which the packet with the specified MAC
address is filtered. The valid range is <2–4094>.
UU/SS/PP The interface's unit/slot/port.
no Removes entries from the MAC address table.
Example
device-name(config)#mac-address-table filtered 00:A0:12:02:03:04 vlan 2496
Page 10
Configuring the MAC Address Table Aging Time

The mac-address-table aging-time command configures the length of time that a dynamic
entry can remain in the MAC address table from the time the entry was used or last updated.
NOTE
The actual aging time period of the MAC address table may be any time period
between the specified value and twice the specified value.
By default, the aging-time value is 300 seconds.
Command Syntax
device-name(config)#mac-address-table aging-time <time>
device-name(config)#no mac-address-table aging-time
time Specifies how many seconds the address of a learned device remains on the
list of stations connected to your device. The address is removed from the list of
stations if no frame is received from that device during the aging time interval.
If the value assigned to the aging time is too short, this may increase the
amount of packets received by the device with unknown destinations and cause
the device to flood such packets to all ports in the VLAN. If the value assigned
to the aging time is too long, the MAC Address table may be loaded with
addresses that are no longer in use.
MAC address table aging time is in the range <10–1000000> seconds.
Example
The following example sets the MAC Address aging time to 1500 seconds (25 minutes):
device-name(config)#mac-address-table aging-time 1500
Page 11
Configuring MAC Addresses Learning Globally

The learning new-address command configures learning of new MAC addresses globally.

By default, the learning is enabled.
NOTE
When learning new-address is disabled per port or globally, the following features
will not work correctly:
• Port limit
• Port security
Command Syntax
device-name(config)#learning new-address {enable | disable}
enable Enables new MAC address learning.
disable Disables new MAC address learning. When learning is disabled, no new MAC
addresses will be learned in the MAC address table and the unicast traffic will
be flooded to all the relevant ports (depending on the VLAN configuration).
Configuring MAC Addresses Learning per Port

The port learning new-address command enables/disables learning new MAC addresses on a
port.
CLI Mode: Interface Configuration, Range Interface Configuration, LAG Range Interface
Configuration, and LAG Interface Configuration
When MAC address learning is disabled, no new MAC addresses are learned in the MAC address
table on the selected port.
The unicast traffic that is destined to devices connected to this port is flooded to the relevant ports.
By default, the learning is enabled.
NOTE
For the port limit feature to function correctly, enable first learning new-address per
port or globally.
Page 12
Command Syntax
device-name(config-if UU/SS/PP)#port learning new-address {enable | disable}
device-name(config-if-group)#port learning new-address {enable | disable}
device-name(config-ag-group)#port learning new-address {enable | disable}
device-name(config-if AG0N)#port learning new-address {enable | disable}
enable Enables the MAC address learning.
disable Disables the MAC address learning.
Example 1
device-name(config)#interface range 1/1/1
device-name(config-if-group)#port learning new-address enable
Example 2
device-name(config)#interface range ag01
device-name(config-ag-group)#port learning new-address disable
Clearing a MAC Address Table Entry

Clear a specific MAC address entry on a particular port, or on a particular VLAN from the MAC
address table with:
• clear mac-address-table command

• no mac-address-table command
Command Syntax
device-name#clear mac-address-table [dynamic | filtered | secure | static]
service <service ID> [sap SAPSTRING | sdp SDPSTRING]
device-name#clear mac-address-table [[dynamic | filtered | secure | static]

[address HH:HH:HH:HH:HH:HH] [vlan <vlan-id>] [interface UU/SS/PP]]
device-name#clear mac-address-table multicast [address HH:HH:HH:HH:HH:HH]

[vlan <vlan-id>]
device-name(config)#no mac-address-table {dynamic | filtered | secure | static

| multicast} address HH:HH:HH:HH:HH:HH [service <service ID> [sap SAPSTRING |
sdp SDPSTRING]] [vlan <vlan-id>][interface UU/SS/PP]
Page 13
dynamic (Optional). Only dynamic MAC address(es) are cleared.
filtered (Optional). Only filtered MAC address(es) are cleared.
secure (Optional). Only secure MAC address(es) are cleared.
static (Optional). Only static MAC address(es) are cleared.
multicast Only multicast MAC address(es) are cleared.
address (Optional in the clear mac-address-table command). MAC address
HH:HH:HH:HH:HH:HH to be cleared, if it complies with all other specified arguments.
interface UU/SS/PP (Optional). Removes the MAC address(es) on the specified
interface.
vlan <vlan-id> (Optional). Removes the MAC address(es) on the specified VLAN.
The VLAN ID is in the range <2–4094>.
service <service ID> The service unique service identifier, in the range <1–4294967295>.
• UU/SS/PP:CVLANID: —use it if you configured the SAP on a
port
• ag0N:CVLANID:—use it if you configured the SAP on a link
aggregation
The C-VLAN ID is in the range of <1–4094>.
• UU/SS/PP:SVLANID:—use it if you configured the SDP on a
port
• ag0N:SVLANID:—use it if you configured the SDP on a link
aggregation
The S-VLAN ID is in the range of <1–4094>.
NOTE
If you do not specify an argument, all MAC addresses are removed (except for the
self entries).
Page 14
Displaying MAC Address Table Entries

The show mac-address-table command displays the MAC address table contents.
Command Syntax
device-name#show mac-address-table [dynamic | filtered | multicast | secure |
static | self] [address HH:HH:HH:HH:HH:HH] [vlan <vlan-id>] [interface
UU/SS/PP]
device-name#show mac-address-table service <service ID> [sap SAPSTRING | sdp

SDPSTRING]
device-name#show mac-address-table count [vlan <vlan-id> interface UU/SS/PP |

interface UU/SS/PP]
device-name#show mac-address-table count [address HH:HH:HH:HH:HH:HH] [service

<service ID> [sap SAPSTRING | sdp SDPSTRING]] [interface UU/SS/PP] [vlan
<vlan-id>]
dynamic (Optional) information is displayed only about the dynamic MAC
address(es).
filtered (Optional) information is displayed only about the filtered MAC
address(es).
multicast (Optional) information is displayed only about the multicast MAC
address(es).
secure (Optional) information is displayed only about the secure MAC
address(es).
static (Optional) information is displayed only about the static MAC
address(es).
self (Optional) information is displayed only about the device MAC
address.
count Displays the number of MAC addresses in the MAC address table.
service <service ID> The service unique service identifier, in the range <1–4294967295>.
• UU/SS/PP:CVLANID: —use it if you configured the SAP on a
port
• ag0N:CVLANID:—use it if you configured the SAP on a link
aggregation
Page 15

• UU/SS/PP:SVLANID:—use it if you configured the SDP on a
port
aggregation
The S-VLAN ID is in the range of <1–4094>.
address (Optional in the show mac-address-table command) information
HH:HH:HH:HH:HH:HH is displayed about the specified MAC address, if it complies with all
other specified arguments.
vlan <vlan-id> (Optional) displays the MAC address(es) on the specified VLAN.
The VLAN ID is in the range <2–4094>. You can create a maximum
of 255 VLANs in this range.
interface UU/SS/PP (Optional) displays the MAC address(es) on the specified interface.
NOTE
If you do not specify any argument, the show mac-address-table command
displays the entire MAC address table.
Example
Display the entire MAC address table:
device-name#show mac-address-table
===+=======+===================+========+================+==========|
# | VID | Mac | PORT | STATUS | PRIORITY |
---+-------+-------------------+--------+----------------+----------+
1 | 0001 | 00:00:00:00:11:22 | 1/1/1 | static | 0 |
2 | 0001 | 00:40:95:30:0e:8f | 1/1/2 | dynamic | 0 |
3 | 0001 | 00:A0:12:05:36:80 | | self | 0 |
4 | 0001 | 01:00:5e:11:22:33 | | multicast | 0 |
5 | 0001 | 01:00:5e:11:22:44 | | multicast | 0 |
6 | 0001 | 01:00:5e:11:22:55 | | multicast | 0 |
Displaying/Hiding MAC Addresses

The mac-address-table learning-display command enables/disables displaying the MAC
addresses, learned on a specific list of interfaces or on a list of VLANs.

By default, displaying the learned MAC addresses is enabled.
Command Syntax
device-name(config)#mac-address-table learning-display interfaces PORT LIST
device-name(config)#no mac-address-table learning-display interfaces PORT LIST
device-name(config)#mac-address-table learning-display vlan VLAN LIST

device-name(config)#no mac-address-table learning-display vlan VLAN LIST
device-name(config)#mac-address-table learning-display interface UU/SS/PP vlan

<vlan-id>
Page 16
device-name(config)#no mac-address-table learning-display interface UU/SS/PP

vlan <vlan-id>
vlan VLAN LIST List of source VLAN IDs. Use commas as separators and hyphens
to indicate sub-ranges (e.g. 2–4,8). The VLAN IDs are in the range
<2–4094>.
interface PORT LIST Port list, in the form u[[/s[/p]]][-u[[/s[/p]]][,u[[/s[/p]]]]], etc.
Use commas as separators and hyphens to indicate sub-ranges
(for example, 1/1/1,1/2/1–1/2/3). Blank spaces are not allowed.
vlan <vlan-id> Specifies the VLAN for which enables or disables displaying the
learned MAC addresses. The VLAN ID is in the range <2–4094>.
interface UU/SS/PP Specifies the interface for which enables or disables displaying the
learned MAC addresses.
no Hides the MAC addresses that are learned on the selected

interfaces or VLAN.
Example 1
The following example shows the command that hides the MAC addresses that are learned on
interface 1/1/1:
===+========+====================+==========+===========+==========
# | VID | Mac | PORT | STATUS | PRIORITY|
---+--------+--------------------+----------+-----------+---------+
1 | 0001 | 00:80:00:00:03:01 | 1/1/1 | dynamic | 0 |
2 | 0001 | 00:80:1e:15:60:76 | 1/1/1 | dynamic | 0 |
3 | 0001 | 00:A0:12:00:00:02 | | self | 0 |
4 | 0010 | 00:A0:12:00:00:02 | | self | 0 |
device-name(config)#no mac-address-table learning-display interface 1/1/1

device-name(config)#exit
===+========+======================+========+=========+===========
---+--------+----------------------+--------+---------+----------+
1 | 0001 | 00:A0:12:00:00:02 | | self | 0 |
2 | 0010 | 00:A0:12:00:00:02 | | self | 0 |
Page 17
Example 2
The following example shows the command that hides the MAC addresses that are learned on
VLANs 1 to 9:
===+========+======================+========+===========+===========
---+--------+----------------------+--------+-----------+----------+
1 | 0001 | 00:80:00:00:03:01 | 1/1/1 | dynamic | 0 |
2 | 0001 | 00:80:1e:15:60:76 | 1/1/1 | dynamic | 0 |
3 | 0001 | 00:A0:12:00:00:02 | | self | 0 |
4 | 0010 | 00:A0:12:00:00:02 | | self | 0 |
device-name(config)#no mac-address-table learning-display vlan 1-9

===+========+=====================+=========+===========+===========
---+--------+---------------------+---------+-----------+----------+
1 | 0001 | 00:A0:12:00:00:02 | | self | 0 |
2 | 0010 | 00:A0:12:00:00:02 | | self | 0 |
Example 3
The following example enables displaying the MAC addresses that are learned on VLANs 1 to 9:
device-name(config)#mac-address-table learning-display vlan 1-9
===+========+======================+=========+==========+===========
---+--------+----------------------+---------+----------+----------+
1 | 0001 | 00:80:00:00:03:01 | 1/1/1 | dynamic | 0 |
2 | 0001 | 00:80:1e:15:60:76 | 1/1/1 | dynamic | 0 |
3 | 0001 | 00:A0:12:00:00:02 | | self | 0 |
4 | 0010 | 00:A0:12:00:00:02 | | self | 0 |
Page 18
Displaying the Length of the MAC Address Hash Chain

The show mac-address-table hash-depth command displays the length of the MAC address
table hash chain.
The length of the MAC address table hash database should be set according to the MAC addresses
available in the network. If the MAC address numbers are randomly distributed, it is recommended
to use the default value.
CLI Mode: Privileged (Enable) and Global Configuration
Command Syntax
device-name#show mac-address-table hash-depth
device-name(config)#mac-address-table hash-depth <value>
device-name(config)#no mac-address-table hash-depth
value The maximum lookup hash chain length in the range <2–16>. Only even values
are allowed.
no Sets default value of the MAC address table hash chain.
Example
device-name#show mac-address-table hash-depth
Max hash chain length is 14
Displaying the MAC Address Table Aging Time

The show mac-address-table aging-time command displays the MAC address table aging
time.
Command Syntax
device-name#show mac-address-table aging-time
Example 1
The following example shows how to display the currently configured aging time:
aging time is 1500 seconds
Example 2
The following example shows how to display the currently configured no aging time:
Page 19
aging is off
Page 20
ARP Table
Overview
ARP table provides mapping between the IP address and the MAC address of the device. It is built
dynamically.
===+==================+=================+========+========+=========+
# | IP Address | MAC |Age(min)| if | Type |
---+------------------+-----------------+--------+--------+---------+
0 | 10.0.0.10 |00:00:00:00:00:10| 1 | sw0 | Static |
When you want to send a packet to a local host, the software looks the IP in the ARP cache. After
finding the IP address, the software gets the MAC address, constructs an Ethernet header with the
correct source/destination MAC addresses, and sends it.
If the MAC address is not found for a specific IP, the device broadcasts an ARP request to every
host on Ethernet in order to learn it.
Configuring the ARP Table

Table 6: ARP Table Commands
Command Description
clear ip arp Clears dynamic and static entries learned in the ARP table
(see Clearing the ARP Table)
show ip arp Displays IP addresses learned by ARP packets
(see Displaying the ARP Table)
Clearing the ARP Table

The clear ip arp command clears entries from the ARP cache.
Command Syntax
device-name#clear ip arp [dynamic | static]
dynamic (Optional) clears only dynamic learned entries in the ARP table.
static (Optional) clears only the static learned entries in the ARP table.
Page 21
Displaying the ARP Table

The show ip arp command displays the ARP cache.
NOTE
You can store static MAC entries if implementing a static CPU cache when using
the ip arp command. BiNOS first looks up in this static CPU cache before looking
up in the cache containing dynamic MAC entries.
Command Syntax
device-name#show ip arp
Example
device-name#show ip arp
===+==================+=================+========+========+=========+
# | IP Address | MAC |Age(min)| if | Type |
---+------------------+-----------------+--------+--------+---------+
0 | 10.0.0.10 |00:00:00:00:00:10| 2 | sw0 | Dynamic|
Page 22
Script Files System

Overview
A script file is a text file that includes a sequence of configuration CLI commands.
The script files can be downloaded from the TFTP server, uploaded to the TFTP server, deleted,
renamed or executed. The contents of the script file can also be viewed. There also is the capability
to store running and startup configurations of the device into the file system.
When you run a script file, the current running configuration of the device is merged with the new
settings that are configured by the script file.
Every file in the script-file system has a unique name of maximum 32 characters without blank
spaces.
You can perform the following actions with script files:
• Download script files from the TFTP server
• Upload script files to the TFTP server
• Remove script files from the file system
• Rename script files
• Run script files
• View the contents of script files
The Script Files System Default Configuration

Table 7: Script File System Default Configuration
Startup configuration name startup_config

Running configuration name running_config
Page 23
The Script Files System Configuration Commands

Table 8: Script File System Commands
Command Description
script-file-system Accesses the Script-file-system Configuration mode

(see Script-file-system Configuration Mode)
copy running-config Copies the running configuration into the script-file system
(see Copying the Running Configuration)
copy startup-config Copies the startup configuration into the script-file system
(see Copying the Startup Configuration)
copy Copies a file (see Copying a File)
run Executes CLI commands contained in the specified script file (as
a batch file) (see Executing a Script File)
attrib Specifies file attributes (see Configuring File Attributes)
rename Renames a specific script file (see Renaming a Script File)
move Removes a file from its current location and places it at a new
location (see Moving a File)
Table 9: Commands for Removing Script-File System Files

Command Description
del Removes a specific file from the file system

(see Deleting a Specific File from the Script-file System)
Table 10: Script File System Display Commands

Command Description
display Displays the textual contents of the specified script file

(see Displaying Script File Textual Contents)
dir Displays the names and lengths of all script files stored in the file
system (see Displaying the Script-file Name and Length)
show script-file- Displays the names and lengths of all script files stored in the file
system system (see Displaying the Script-file Name and Length)
ls lists the files in Flash memory file system (see Listing Files)
help Provides description of the interactive help system
(see Describing the Interactive Help System)
Page 24
Script-file-system Configuration Mode

The script-file-system command accesses Script-file-system Configuration mode.
Command Syntax
device-name(config)#script-file-system
device-name(config script-file-system)#
Copying the Running Configuration

The copy running-config command saves a copy of the running configuration into the script-file
system.
CLI Mode: Script-file-system Configuration
Command Syntax
device-name(config script-file-system)#copy running-config [FILE-NAME]
FILE-NAME (Optional) the name of the destination file, in the script-file system. If no file
name is specified, a default name (running_config.cfg.) is assigned.
Example
device-name(config script-file-system)#copy running-config
building the configuration ...
Saving script file "flash:/Usr/running_config.cfg" to file system...
Done
Copying the Startup Configuration

The copy startup-config command saves a copy of the start-up configuration into the script-file
system.
NOTE
To execute this command, the startup configuration should be stored on the device.
Command Syntax
device-name(config script-file-system)#copy startup-config [FILE-NAME]
Page 25
FILE-NAME (Optional). The name of the destination file, in the script-file system. If no file
name is specified, a default name (startup_config.cfg.) is assigned.
Example
device-name(config script-file-system)#copy startup-config
Saving script file "flash:/Usr/startup_config.cfg" to file system...
Done
Copying a File
The copy command saves a copy of a file into the script file system.

This command is equivalent to the cp command in all modes.
Command Syntax (for Local Flash system)

device-name(config script-file-system)#copy [[device/]path/]file-name
[[device1/]path1/]file-name1
Command Syntax (for TFTP/FTP Server)

device-name(config script-file-system)#copy
protocol://[user[:pass]@]host[:port]/file-name
protocol1://[user1[:pass1]@]host1[:port1]/file-name1
Command Syntax (for SFTP server)

device-name(config script-file-system)#copy
device/user:pass@host/[path/]file-name
device1/user1:pass1@host1/[path1/]file-name1
device/ (Optional) the device from which the file is copied. It can be a TFTP server
(in format tftp://A.B.C.D ), the local Flash system (in format flash:/), or a
SFTP/FTP server (in format sftp://user:pass@A.B.C.D)
path (Optional) the path to the location where the file is copied.
protocol, Specifies the protocol type.
protocol1
user, user1 Optional) specifies the name of the user performing the operation.
pass, pass1 (Optional) specifies the password that authenticates the specified
username. Symbol (@) following the password is required.
• For the TFTP server, not need to specify the user, password and port
• For the FTP server, no need to specify the port number
host Specifies the server IP address in A.B.C.D format.
Page 26
port, port1 (Optional) specifies the port number.

file-name The source file name.
device1/ (Optional) the device to which the file is copied. It can be a TFTP server (in
format tftp://A.B.C.D ), the local Flash system (in format flash:/), or a
path1 (Optional) the path to the location where the file is copied.
file-name1 The destination file name.
Example
The following command copies a file from a TFTP server to the local /Usr directory:
device-name(config script-file-system)#copy tftp://10.0.0.60/test usr/test1
The following command copies a file from the local Flash root directory to a remote TFTP server:
device-name(config script-file-system)#copy flash:/profile.cfg
tftp://10.0.0.60/profile.cfg
Executing a Script File

The run command executes CLI commands contained in the specified script file.
Command Syntax
device-name(config script-file-system)#run FILE-NAME
FILE-NAME The name of the script file, in the script-file system.
Example
device-name(config script-file-system)#run test1
Executing configuration script …
Configuration from file complete
Configuring File Attributes

The attrib command configures file attributes (read-only, archive, system and hidden).
Command Syntax
device-name(config script-file-system)#attrib FILE-NAME
Page 27
FILE-NAME The name of the file, which attributes must be configured, in the script-file
system.
Example
device-name(config script-file-system)#attrib run1
Read-only : -
Hydden : -
System : -
Archive : -
Renaming a Script File

The rename command renames the specified script file.

This command is equivalent to the rm command in all modes.
Command Syntax
device-name(config script-file-system)#rename [[device/]path/]file-name new-
file-name
device/ (Optional) The device on which the file to be renamed is stored. Can
only be flash:/ (the local Flash system).
path (Optional) The device and the path to the file to be renamed. The
path should end with the name of the file.
file-name The original name of the file to be renamed.
new-file-name The new name assigned to the file.
Moving a File
The move command removes a file from its current location and places it at a new location. The
name of the file can be optionally changed.

This command is equivalent to the mv command in all modes.
Command Syntax (for local Flash system)

device-name(config script-file-system)#move [[device/]path/]file-name
[[device1/]path1/]file-name1
Page 28

device-name(config script-file-system)#move
protocol://[user[:pass]@]host[:port]/file-name
device/ (Optional) the device from which the file is moved. It can be a TFTP/FTP
server (in format tftp://A.B.C.D, or ftp://user:pass@A.B.C.D),, or the local
Flash system (in format flash:/)
path (Optional) the path to the location where the file is moved.
protocol1
device1/ (Optional) the device to which the file is moved. It can be a TFTP/FTP
server (in format tftp://A.B.C.D, or ftp://user:pass@A.B.C.D),, or the local
path1 (Optional) the path to the location where the file is moved.
Deleting a Specific File from the Script-file System

The del command removes a specific file from the script-file system.
NOTE
The specified file is removed without requesting your confirmation.
Command Syntax for Local Flash System)

device-name(config script-file-system)#del [[device/]path/]file-name
Command Syntax (for SFTP Server)

device-name(config script-file-system)#del device/user:pass@host/[path/]file-
name
Page 29
device/ (Optional) the device from which the file is removed. It can be a SFTP
server (in format sftp://user:pass@A.B.C.D), or the local Flash system (in
format flash:/)
path (Optional) the path to the location where the file is removed.
user Optional) specifies the name of the user performing the operation.
pass (Optional) specifies the password that authenticates the specified
file-name The name of the file to be removed.
Displaying Script File Textual Contents

The display command displays textual contents of a specified script file.

This command is equivalent to the pwd command.
Command Syntax for Local Flash System)

device-name(config script-file-system)#display [[device/]path/]file-name
[dump] [START]
device/ (Optional) the device from which the file content is displayed. It can be the
Flash local system (in format flash:/)
path (Optional) the path to the location where the file content is displayed.
file-name The name of the file which content is displayed.
dump (Optional) hex format.
START (Optional) start offset.
Example
device-name(config script-file-system)#display test1
*********** FILE START *********
! T-Marc-380 Version 10.1.TMC3
!
ip address 1.0.0.1 255.0.0.0
interface sw0
!
…
!
! Technical Support Information Configuration:
!
Page 30
************ FILE END **********
Displaying the Script-file Name and Length

Display the names and lengths of all script files stored in the script-file system with:
• dir and show script-file-system commands

• show script-file-system command
Command Syntax
device-name(config script-file-system)#dir
device-name(config script-file-system)#show script-file-system
device-name>show script-file-system
device-name#show script-file-system
Example 1
device-name(config script-file-system)#dir
Listing Directory flash:/Usr/:

d S 2048 Jan 1 1993 01:04 ./
d 2048 Jan 1 1993 00:00 ../
- 9017 Jan 1 1993 00:21 test1.cfg
- 4220 Jan 1 1993 01:04 running_config.cfg
Free disk space 1929216
Example 2
device-name(config script-file-system)#show script-file-system
flash:/Usr/.
flash:/Usr/..
flash:/Usr/test1.cfg
flash:/Usr/running_config.cfg
Listing Files
The ls command lists files in Flash memory file system.
Command Syntax
device-name(config script-file-system)#ls
Page 31
Example
device-name(config script-file-system)#ls
Listing Directory flash:/Usr:
d S 2048 Jan 1 1993 00:59 ./
d 2048 Jan 1 1993 00:00 ../
- 176 Jan 1 1993 03:18 profile.cfg
- 5804 Jan 1 1993 00:12 acl.cfg
- 7069 Jan 1 1993 00:29 snmp.cfg
Describing the Interactive Help System

The help command provides description of the interactive help system.
Command Syntax
device-name(config script-file-system)#help
Page 32
File System
Overview
The Flash file system (also called Flash:) provides commands for defining, downloading, and
deleting software images and configuration files stored in a Flash memory. In addition, users can
define the different Loader parameters using the Flash file system.
The File System Default Folders

Table 11: System Directories Default Configuration
Directory Description
\Boot\ Contains all executable applications and firmware

images
\Log\ Stores all logs of the system operation
\Usr\ Contains all configuration scripts of the system
\Etc\ Contains default startup configuration
\Hidden\ Internal settings storage
\Java\ Not supported
NOTE
The system directories are locked for editing.
Table 12: Default System File Names and Settings

Parameter Default Value
Startup configuration name dflt_startup.cfg

Image name Image.Z
Auto-boot timeout 5 seconds
BiNOS System Loader password batm
Page 33
The File System Commands

Table 13: File System Directories Commands
Command Description
format Formats the file system and removes its contents

(see Formatting the File System)
mkdir Creates a new directory (see Creating a New Directory)
rmdir Deletes a directory (see Deleting a Directory)
dir Displays the contents of the current directory
(see Displaying the File System Contents)
pwd Displays the working directory (see Displaying the Working Directory)
Table 14: File Content Management Commands

Command Description
copy Copies a file from a TFTP server or from the local Flash system to the
specified path (see Copying a File)
rename Renames a file (see Renaming a File)
move Removes a file from its current location and places it at a new location
(see Moving a File)
del Deletes a specified file (see Deleting a File)
display Displays the contents of a text file (see Displaying the File Contents)
Page 34
Formatting the File System

The format command formats the file system and removes its contents.
CLI Mode: Loader and Privileged (Enable)
After the next start of the loader (or start-up of downloaded application), the default set of system
directories will be restored automatically. The command deletes all saved configuration files
(starting configuration).
Command Syntax
Loader>format [DEVICE-NAME]
device-name#format [DEVICE-NAME]
DEVICE-NAME The device name, valid device can be flash:/
Creating a New Directory

The mkdir command creates a new directory.
Command Syntax
Loader>mkdir PATH
device-name#mkdir PATH
PATH The destination path (directory) ends with the new directory that is created. The
directory name is a case insensitive string.
Deleting a Directory
The rmdir command deletes a directory.
Command Syntax
Loader>rmdir [PATH]
device-name#rmdir [PATH]
PATH The path ends with the directory to be deleted. The directory name is a case
insensitive string.
Page 35
NOTE
Non-empty and system directories cannot be removed.
Displaying the File System Contents

The dir command displays a list of files in the file system.
CLI Mode: Loader, View and Privileged (Enable)

This command is equivalent to the ls command in all modes.
Command Syntax
Loader>dir [PATH]
device-name>dir [PATH]
device-name#dir [PATH]
PATH (Optional) the name of a selected directory, which contents is displayed. The
directory name is a case insensitive string.
Displaying the Working Directory

The pwd command displays the working directory.
Command Syntax
Loader>pwd
device-name#pwd
Copying a File
The copy command copies a file from a TFTP/FTP/SFTP server or from the local Flash system
to another location. The name of the file can be optionally changed.

This command is equivalent to the cp command in all modes.
Command Syntax (for Local Flash System)

Loader>copy [[device://]path/]file-name [[device1://]path1/]file-name1
device-name#copy [[device://]path/]file-name [[device1://]path1/]file-name1

Loader>copy protocol://[user[:pass]@]host[:port]/file-name
Page 36
device-name#copy protocol://[user[:pass]@]host[:port]/file-name

Loader>copy device://user:pass@host/[path/]file-name
device-name#copy device://user:pass@host/[path/]file-name
device (Optional) the device from which the file is copied. It can be a TFTP server
dath (Optional) the path to the location where the file is copied.
protocol1
device1/ (Optional) the device to which the file is copied. It can be a TFTP server (in
format tftp://A.B.C.D ), the local Flash system (in format flash:/), or a
path1 (Optional) the path to the location where the file is copied.
Examples
• The following command copies a file from a TFTP server to the local /Usr directory:
device-name#copy tftp://10.0.0.60/test usr/test1
• The following command copies a file from the local Flash root directory to a remote TFTP
server:
device-name#copy flash://profile.cfg tftp://10.0.0.60/profile.cfg
Page 37
Renaming a File
The rename command renames a file.

Loader>rename [path/]file-name NEW-FILE-NAME
device-name#rename [path/]file-name NEW-FILE-NAME

Loader>rename device://user:pass@host/[path/]file-name NEW-FILE-NAME
device-name#rename device://user:pass@host/[path/]file-name NEW-FILE-NAME
device (Optional) the device on which the file to be renamed is stored. It can be a
SFTP server (in format sftp://user:pass@A.B.C.D), or the local Flash
system (in format flash:/)
path (Optional) the path to the file to be renamed.
file-name The original name of the file to be renamed.
NEW-FILE-NAME The new name assigned to the file.
Moving a File
The move command removes a file from its current location and places it at a new location. The
name of the file can be optionally changed.

This command is equivalent to the mv command in all modes.

Loader>move [[device://]path/]file-name [[device1://]path1/]file-name1
device-name#move [[device://]path/]file-name [[device1://]path1/]file-name1

Loader>move protocol://[user[:pass]@]host[:port]/file-name
device-name#move protocol://[user[:pass]@]host[:port]/file-name
Page 38
device/ (Optional) the device from which the file is moved. It can be a TFTP/FTP
server (in format tftp://A.B.C.D, or ftp://user:pass@A.B.C.D), or the local
path (Optional) the path to the location where the file is moved.
protocol1
device1/ (Optional) the device to which the file is moved. It can be a TFTP server
(in format tftp://A.B.C.D, or ftp://user:pass@A.B.C.D), or the local Flash
system (in format flash:/)
path1 (Optional) the path to the location where the file is moved.
Deleting a File
The del command deletes the specified file.

This command is equivalent to the rm command.

Loader>del [path/]file-name
device-name#del [path/]file-name

Loader>del device://user:pass@host/[path/]file-name
device-name#del device://user:pass@host/[path/]file-name
device/ (Optional) the device from which the file is removed. It can be a SFTP
server (in format sftp://user:pass@A.B.C.D), or the local Flash system (in
format flash:/)
path (Optional) the path to the location where the file is removed.
Page 39

file-name The name of the file to be removed.
Displaying the File Contents

The display command displays the contents of a text file.
CLI Mode: Loader, View and Privileged (Enable)

The command must not be applied to binary files.
Command Syntax
Loader>display {[path/] | [device://[path/]]}file-name [dump][START]
device-name>display {[path/] | [device://[path/]]}file-name [dump]
device-name#display {[path/] | [device://[path/]]}file-name [dump]
path (Optional). The path to the file to be displayed. The path should end with
the name of the file.
device: (Optional). The device on which the file to be displayed is stored. Can only
be flash:/ meaning the local Flash system.
device:path (Optional). The device and the path to the file to be displayed. The path
should end with the name of the file.
file-name The name of the file.
dump (Optional). HEX format.
START (Optional). Start offset.
NOTE
The dump option is mandatory to display binary files.
Page 40
Modifying the Default Configuration

The default settings feature allows you to modify the running configuration according your
preferences and saves it as a default configuration.
Default Configuration Commands

Table 15: Default Configuration Commands
Command Description
copy running-config Saves the running configuration as a default configuration

default-config (see Modifying the Default Configuration)
copy default-config Copies the default configuration to a TFTP/FTP server or to the
local Flash system
(see Copying the Default Configuration to a Specific Location)
copy Copies the default configuration from a TFTP/FTP server or from
the local Flash system
(see Copying the Default Configuration from a Specific Location)
write erase default Clears the default configuration
(see Clearing the Default Configuration)
show default-config Displays the default configuration ( see Displaying the Default
Configuration)
Page 41
Modifying the Default Configuration

The copy running-config default-config command saves the running configuration as a
default configuration.
Command Syntax
device-name#copy running-config default-config
Copying the Default Configuration to a Specific Location

The copy default-config command copies the default configuration to a TFTP/FTP server or
to the local Flash system.
Command Syntax
device-name#copy default-config [<device>:[<server IP>/]][<path>]<file name>
device/ (Optional) the device to which the file is copied. It can be a TFTP server (in
format tftp://A.B.C.D), a FTP server (in format ftp://user:pass@A.B.C.D), or the
local Flash system (in format flash:/):
• user—specifies the name of the user performing the operation
• pass—specifies the password that authenticates the specified username.
Symbol (@) following the password is required.
• For the TFTP server, no need to specify the user, password and port
path (Optional) the exact location path to which the file is copied. The path should
end with the name of the file.
server IP Specifies the TFTP/FTP server IP Address, in A.B.C.D format.
file-name The original file name.
Copying the Default Configuration from a Specific Location

The copy command copies the default configuration from a TFTP/FTP server or from the local
Flash system.
Command Syntax
device-name#copy [[<device>:[<server IP>/]][<path>]<file name> default-config
Page 42
device/ (Optional) the device from which the file is copied. It can be a TFTP server (in
format tftp://A.B.C.D), a FTP server (in format ftp://user:pass@A.B.C.D), or
the local Flash system (in format flash:/):
• user—specifies the name of the user performing the operation
• pass—specifies the password that authenticates the specified username.
Symbol (@) following the password is required
• For the TFTP server, no need to specify the user, password and port
path (Optional) the exact location path from which the file is copied. The path should
end with the name of the file.
server IP Specifies the TFTP/FTP server IP Address, in A.B.C.D format.
Clearing the Default Configuration

The write erase default command clears the default configuration.
Command Syntax
device-name#write erase default
Displaying the Default Configuration

The show default-config command displays the default configuration.
Command Syntax
device-name#show default-config
Example
device-name#show default-config
! Default Configuration:
!
. . .
! Ethernet in the First Mile OAM

!
! efm-oam disable
!
. . .
Page 43
Zero-Touch Configuration
Overview
Zero-touch configuration is a set of operations that provides two options for automatically
configuring the device:
• Via IP address that is assigned manually (static IP address).
• Via IP address that is obtained from a DHCP server (dynamic IP address).
The BiNOS configuration file is downloaded from a TFTP server after the device reloads to
defaults. The configuration details are stored in NVRAM.
In case of a zero-touch configuration failure, the factory default configuration is executed.
NOTE
When using a DHCP client, the system administrator has to configure a TFTP
server IP address (the siaddr field as specified in RFC 2131) and a Boot filename (the
filename field as specified in RFC 2131) on the DHCP server.
The example displays part of the DHCP server configuration file:
next-server X.X.X.X;
filename “configfile.cfg”
Zero-touch Configuration Default Configuration

Table 16: Zero-touch Configuration Default Configuration
Zero Touch Configuration Disabled

TFTP IP address 0.0.0.0
Configuration file Not saved to NVRAM
Number of retries 3 times
The time interval between each retry 64 seconds
Page 44
Zero-touch Configuration Commands

Table 17: Zero-touch Configuration Commands
Command Description
configure zero-touch Enters the Zero-touch Configuration mode

(see Accessing the Zero-touch Configuration Mode)
zero-touch Enables/disables the zero-touch configuration feature
(see Enabling/disabling the Zero-touch Configuration)
ip-address Specifies the device IP address
(see Specifying the Device IP Address)
tftp-server Specifies the TFTP IP address
(see Specifying the TFTP IP Address)
config-file Specifies the path to the configuration file
(see Specifying the Location of the Configuration File)
save-configuration Saves the downloaded configuration file to NVRAM
(see Saving the Configuration File to NVRAM)
retry-max Specifies the maximum number of retries for downloading
the configuration file
(see Specifying the Number of Retries for Downloading the
Configuration File)
execute Forces the device to reach the TFTP server and to obtain
the required configuration file
(see Forcing the Device to Reach the TFTP Server)
show zero-touch Display the zero-touch configuration details
show (see Displaying the Zero-touch Configuration)
Page 45
Accessing the Zero-touch Configuration Mode

The configure zero-touch command enters the Zero-touch Configuration mode.
Command Syntax
device-name#configure zero-touch
device-name(zero-touch)#
Enabling/disabling the Zero-touch Configuration

The zero-touch command enables/disables the zero-touch configuration feature.
CLI Mode: Zero-touch Configuration

By default, zero-touch configuration feature is disabled.
Command Syntax
device-name(zero-touch)#zero-touch
device-name(zero-touch)#no zero-touch
Specifying the Device IP Address

The ip-address command specifies the device IP address.
Command Syntax
device-name(zero-touch)#ip-address A.B.C.D/M
device-name(zero-touch)#no ip-address
A.B.C.D/M Specifies the device IP address and mask manually
no Obtains the device IP address via DHCP
Page 46
Specifying the TFTP IP Address

The tftp-address command specifies the TFTP IP address.

By default, the TFTP IP address is 0.0.0.0.
Command Syntax
device-name(zero-touch)#tftp-server A.B.C.D
device-name(zero-touch)#no tftp-server
A.B.C.D Specifies the TFTP IP address
Specifying the Location of the Configuration File

The config-file command specifies the path to the configuration file.
Command Syntax
device-name(zero-touch)#config-file [<path>]<file name>
device-name(zero-touch)#no config-file
[<path>]<file name> Specifies the original path to the configuration file. The path
should end with the name of the file. The maximum length of the
path is 20 symbols.
no Removes the necessity of obtaining the configuration file from
the TFTP server
Saving the Configuration File to NVRAM

The save-configuration command saves the downloaded configuration file to NVRAM.

By default, the configuration file is not saved to NVRAM.
Command Syntax
device-name(zero-touch)#save-configuration
device-name(zero-touch)#no save-configuration
Page 47
Specifying the Number of Retries for Downloading the

Configuration File
The retry-max command specifies the maximum number of retries for downloading the
configuration file.

By default:
• the number of retries is 3 times
• the time interval between each retry is 64 seconds
Command Syntax
device-name(zero-touch)#retry-max <1-10>
1-10 Specifies the number of retries.
Forcing the Device to Reach the TFTP Server

The execute command forces the device to reach the TFTP server and to obtain the required
configuration file. If the downloading is completed successfully, the configuration file is saved as a
start-up configuration, and it is not executed.
Command Syntax
device-name(zero-touch)#execute
Displaying the Zero-touch Configuration

The show command and the show zero-touch command display the zero-touch configuration
details.
CLI Mode: Privileged (Enable) and Zero-touch Configuration
Command Syntax
device-name#show zero-touch
device-name(zero-touch)#show
Page 48
Example 1
device-name(zero-touch)#show
State = disabled
IP address = 9.0.0.1/8
TFTP server = 9.0.0.34
Configuration file = dirname/device.cfg
Save file to NVRAM = Disabled
Number of retries = 3
Status =
Example 2
device-name#show zero-touch
State = disabled
Ip address = 0.0.0.0/0
TFTP server = 0.0.0.0
Configuration file =
Save file to NVRAM = Disabled
Number of retries = 3
Status =
Page 49
Software Upgrade and Boot Options

Preparing to Download a BiNOS Software Image
Using TFTP/FTP Connection
Before you begin to download a file from a TFTP/FTP server, take the following precautions:
1. Make sure that the device has a route to the TFTP/FTP server. The device and the
TFTP/FTP server must be in the same subnet, if you do not have a router to route traffic
between subnets. Check the connection to the TFTP/FTP server using the ping command
(refer to the Troubleshooting and Monitoring chapter of this User Guide).
2. Make sure that the software image file is in the download directory on the TFTP/FTP server.
3. Make sure that you have at least Read permissions for the software image for your username.
4. A power outage (or other problem) during the download procedure can corrupt the Flash
code. If the Flash code is corrupted, connect to the device through the console port, format
the Flash memory and download the application (see the Boot Loader section of the current
chapter).
Make sure that there is enough free space in the bootflash (at least 9.5 MB). To verify
this, use the dir command, as illustrated in the example below:
device-name#dir
Listing Directory flash:/:
d S 2048 Jan 1 1993 01:37 Boot/
d S 2048 Jan 1 1980 00:00 Etc/
d S 2048 Jan 1 1980 00:00 Java/
d S 2048 Jan 1 1980 00:00 Log/
d S 2048 Jan 1 1993 00:59 Usr/
d SH 2048 Jan 1 1993 00:00 Hidden/
- 43796 Jan 1 1993 00:00 dflt_startup_bin.cfg
- 217 Jan 1 1993 03:12 profile.cfg
- 2483 Jan 1 1993 03:37 start.cfg-
If necessary, delete unnecessary files to free some space:

device-name#del <foldername>/<file_name>
Example:
device-name#del boot/T-Marc 380_bm_fisw_7_1_TMC3.Z
Page 50
Downloading the BiNOS Software Image

To download a BiNOS software image from the TFTP/FTP server, proceed as follows:
1. Log on to the device through the console port or through a Telnet session and type your
password.
2. Enter the Privileged (Enable) mode.
3. Use the upgrade boot-profile command to upgrade the software image:
device-name#upgrade boot-profile tftp://<TFTP_server_IP_adress>/
<software_image filename> <local_software_image filename>
Example 1:
device-name#upgrade boot-profile tftp://9.0.0.7/BiNOS-v9.4.Z BiNOS-
v9.4.Z
TFTP receiving application.................................................
Application upgrade completed
An alternative method to upgrade the software image in two steps is by using the copy
application command and then the application command:
device-name#copy application tftp://<TFTP_server_IP_adress>/
<software_image filename>
device-name#configure boot-param
device-name(boot param)#application <local_software_image filename>
Example 2:
device-name#copy application tftp://9.0.0.7/BiNOS-v9.4.Z
TFTP receiving file ... 5300324
Image Size = 0x50E036 CRC Value = 0xD66707AE
device-name#configure boot-param
device-name(boot param)#application BiNOS-v9.4.Z
4. If the upgrade fails, verify that precautions above are taken.

5. To run the new software image, reload the device using the reload save command.
6. After the device reloads, type the show version command to verify the current device version
and the show running-config command to check the configuration of the device (refer to
the Device Setup and Maintenance chapter of this User Guide) .
Page 51
Commands for Upgrading Software Images

Table 18: Commands for Upgrading Software Images
Command Description
upgrade boot-profile Downloads a new software image and sets boot statements to
load the new image on startup.
(see Upgrading the BiNOS Software Image)
copy application Downloads a new software image to the device
(see Downloading a New BiNOS Software Image)
application Boots the device with the new image
(see Applying the New Boot Statement)
Table 19: Boot Commands for Upgrading Software Images

Command Description
device Displays the current software image location (see Displaying and
Specifying the Software Image Location)
ftp-password Displays the FTP connection password (see Displaying and
Specifying the FTP Password)
ftp-server Displays the FTP server IP-address (see Displaying and
Specifying the FTP Server IP-Address)
ftp-user Displays the FTP username (see Displaying and Specifying the
FTP Username)
startup-config Specifies which startup configuration file is loaded on startup (see
Specifying the Startup Configuration File)
show Displays the current boot statement (see Displaying Boot
Statements)
Table 20: Display Commands

Command Description
show version Displays the inventory information regarding the software versions
of the device
(see Displaying the Information Regarding the Software Versions)
show manufacturing- Displays detailed hardware information
details (see Displaying Hardware Information)
show uptime Displays how long the selected device has been operational
(see Displaying the Device Uptime)
Page 52
Upgrading the BiNOS Software Image

The upgrade boot-profile command downloads a new software image and sets boot statements
to load the new image on startup.

device-name#upgrade boot-profile {[[device://]path/]file-name DESTINATION
FILE-NAME | apply [device/]path/]file-name}

device-name#upgrade boot-profile {protocol://[user[:pass]@]host[:port]/file-
name DESTINATION FILE-NAME | apply
protocol://[user[:pass]@]host[:port]/file-name}
device (Optional) the device from which the file is copied. It can be a TFTP/FTP
server (in format tftp://A.B.C.D, ftp://user:pass@A.B.C.D) or as the local
Flash system (in format flash:/).
path (Optional) the path where the file is located
protocol Specifies the protocol type.
port (Optional) specifies the port number.
file-name The original name of the file.
DESTINATION- The destination file name as it appears on the local Flash system.
FILE-NAME
apply Applies directly the new boot statement.
PARAMS Specifies the parameters to be applied in the following format:
• [[device/]path/]file-name, when flash:/ system is used.
• protocol//[user[:pass]@]host[:port]/file-name, when TFTP or FTP
server is used.
Page 53
Example
The example specifies that the new application image is downloaded via TFTP from server with IP
10.3.71.101. It is searched in a directory called /MyApps/ under the TFTP server root directory.
The application filename on the TFTP server is Imagev1.5.Z; it is stored under the /Boot
directory on the local file system as BootAppv1.5.Z after it is validated; the boot parameters device
and Application are set to local and BootAppv1.5.Z.
device-name#upgrade boot-profile tftp://10.3.71.101/MyApps/Imagev1.5.Z
flash://Boot/BootAppv1.5.Z
Downloading a New BiNOS Software Image

The copy application command downloads a new software image to the device.
Command Syntax (for local Flash System)

device-name#copy application [[device://]path]file-name [DESTINATION-FILE-
NAME] [no-validation]

device-name#copy application protocol://[user[:pass]@]host[:port]/file-name
[DESTINATION-FILE-NAME] [no-validation]
device (Optional) the device from which the file is copied. It can be a
TFTP/FTP server (in format tftp://A.B.C.D, ftp://user:pass@A.B.C.D)
or as the local Flash system (in format flash:/).
path (Optional) the path where the file is located
• For the TFTP server, not need to specify the user, password and
port
file-name The original name of the file.
DESTINATION-FILE- The destination file name as it will appear on the local Flash system.
NAME
no-validation (Optional) skips the image validation check.
Example
device-name#copy application tftp://192.168.0.2/image.Z
Page 54
Applying the New Boot Statement

The application FILE NAME command boots the device with the new image.
CLI Mode: Boot Param Configuration
Command Syntax
device-name(boot param)#application FILE-NAME
FILE-NAME The name of the image file, a case-sensitive string.
Displaying and Specifying the Software Image Location

The device command displays the current software image location. Use one of the below
command arguments to specify the software image location.
Command Syntax
device-name(boot param)#device [local | network]
local (Optional). The device boots from the local software image
Local Flash file system
network (Optional). The device boots from a remote software image, using an FTP
server. Currently this option is not supported because an OutBound interface is
not available.
Displaying and Specifying the FTP Password

The ftp-password command displays the FTP connection password. Use the command argument
to specify the FTP password.
Command Syntax
device-name(boot param)#ftp-password [PASSWORD]
PASSWORD (Optional) specifies the password used for the FTP connection
Page 55
Displaying and Specifying the FTP Server IP-Address

The ftp-server command displays the FTP server IP-address. Use the command argument to
specify the FTP server IP-address.
Command Syntax
device-name(boot param)#ftp-server [A.B.C.D]
A.B.C.D (Optional) specifies the FTP server IP-address
Displaying and Specifying the FTP Username

The ftp-user command displays the FTP username. Use the command argument to specify the
FTP username.
Command Syntax
device-name(boot param)#ftp-user [NAME]
NAME (Optional) specifies the FTP username
Specifying the Startup Configuration File

The startup-config command specifies which startup configuration file is loaded on startup.
Command Syntax
device-name(boot param)#startup-config {FILE | binary {FILE | default} |
default}
FILE The startup configuration filename
binary Loads the startup configuration file in a binary format
default Loads the default startup configuration file
Page 56
Displaying Boot Statements

The show command displays the current boot statement.
Command Syntax
device-name(boot param)#show
device-name(boot param)#application
Example 1
device-name(boot param)#show
IP address = 2.2.2.2:ffffff00
Device = local
Application = BiNOS-TMarc_3X0-9.4.3.TMC3-pre3.Z
Startup configuration =
Statup binary config =
FTP server = 2.2.2.1
FTP user = mark3
FTP password = mark3
Boot flags =
Example 2
device-name(boot param)#application
BiNOS-TMarc_3X0-9.4.3.TMC3-pre3.Z
Displaying the Information Regarding the Software Versions

The show version command displays the inventory information regarding the software versions
of the device.

The command displays the following information:
• Device model—the platform name
• SW version—displays the installed application image
• Java version—not loaded
• Loader version—displays the installed Loader image
• Up time—displays the time elapsed since the device is turned on
Command Syntax
device-name>show version
device-name#show version
Page 57
Example
device-name#show version
BATM Advanced Communications

Product Category : AccessEthernet(TM)
Device running SW version : 10.1-pre8 created Mar 17 2010 - 20:19:58
Device Default SW file : BiNOS-TMarc_3X0-10.1.BETA-dev26.Z

Device Default SW version : 10.1-pre8
BiNOSView file : java.img - NOT FOUND

BiNOSView version : -
FPGA version : 1.2 (maint/build 9/1)
Loader version : 8.2.0 created Jan 31 2008 - 16:29:48
Up time : 0 days, 0 hours, 45 min, 16 sec.
Displaying Hardware Information

The show manufacturing-details command displays detailed hardware information.
Command Syntax
device-name#show manufacturing-details
Example
device-name#show manufacturing-details
Serial number : 8807340077
Assembly No : AL001350
HW revision : 05
HW subrevision : 02
Displaying the Device Uptime

The show uptime command displays how long the selected device has been operational.
Command Syntax
device-name#show uptime
Example:
Page 58
device-name#show uptime
Up time : 0 days, 4 hours, 1 min, 52 sec.
Page 59
Downloading and Uploading Configuration Files

You can perform the following operations:
• Download new embedded software versions to the Flash memory component of the device
• Save the startup configuration on a remote server
• Load a startup configuration from a remote server
• Save the startup configuration as the running configuration
Table 21: Commands for Downloading and Uploading Configuration Files

Command Description
copy FILE-NAME Loads a start-up configuration with a specified file name from a
startup-config remote server (see Downloading the Startup Configuration)
copy FILE-NAME Loads a running-configuration with a specified file name, from a
running-config remote server (see Downloading the Running Configuration)
copy startup-config Saves a copy of the start-up configuration on a remote server
(see Copying the Start-up Configuration)
copy running-config Saves a copy of the running configuration on a remote server
(see Copying the Running Configuration)
copy running-config Saves the current running-configuration to the start-up configuration
startup-config file in NVRAM (see Saving the Device Configuration)
reload Reloads the device (see Reloading the Operating System)
Downloading the Startup Configuration

The copy FILE-NAME startup-config command loads a start-up configuration with a specified
file name from a remote server.

After the configuration is downloaded, you need to reload the device. When the device completes
booting, it treats the downloaded configuration file as a script of CLI commands, and automatically
executes them. If your CLI connection is through Telnet, the connection is terminated when the
device reloads, but the commands execute normally.
NOTE
After using this command, use the reload no-save command. Otherwise, the
downloaded configuration is removed.
Page 60

device-name#copy [[device/]path]file-name startup-config

device-name#copy protocol://[user[:pass]@]host[:port]/file-name startup-
config

device-name#copy device/user:pass@host/[path/]file-name startup-config
device (Optional) the device from which the file is copied. It can be a TFTP server
user (Optional) specifies the name of the user performing the operation.
pass (Optional) specifies the password that authenticates the specified username.
path (Optional) the exact location path from which the file is copied. The path
ends with the name of the file.
Example
The following command downloads the start-up configuration file named START001 located on
the TFTP server at IP address 192.192.54.1:
device-name#copy tftp://192.192.54.1/START001 startup-config
Downloading the Running Configuration

The copy FILE-NAME running-config command loads the running-configuration with the
specified file name from a remote server.

device-name#copy [[device/]path]file-name running-config

device-name#copy protocol://[user[:pass]@]host[:port]/file-name running-
config
Page 61

device-name#copy device/user:pass@host/[path/]file-name running-config
device/ (Optional) the device from which the file is copied. It can be a TFTP server
(in format tftp://A.B.C.D),as the local Flash system (in format flash:/), or a
SFTP/FTP server (in format sftp://user:pass@A.B.C.D).
path (Optional) the exact location path from which the file is copied. The path
should end with the name of the file.
Example
The following command downloads the running-configuration file named RUN001 located on the
TFTP server at IP address 192.192.54.1:
device-name#copy tftp://192.192.54.1/RUN001 running-config
Copying the Start-up Configuration

The copy startup-config command saves a copy of the start-up configuration on a remote
server to a specific folder under a specified file name.

When you upload the current configuration, you can modify the configuration using a text editor.
Command Syntax (for Local Flash System and TFTP/FTP Server)

device-name#copy startup-config [<device>:[<server IP>/]][<path>]<file name>

device-name#copy startup-config device/user:pass@host/[path/]file-name
device/ (Optional) the device to which the file is copied. It can be a TFTP server (in
format tftp://:A.B.C.D), the local Flash system (in format flash:/), or a
SFTP/FTP server (in format sftp://user:pass@A.B.C.D).
server IP Server IP address.
Page 62
path (Optional) the exact location path where the file is copied.
Example
The following command uploads the start-up configuration under a file named START002 located
on the TFTP server at IP address 192.192.54.1:
device-name#copy startup-config tftp://192.192.54.1/START002
Copying the Running Configuration

The copy running-config command saves a copy of the running configuration on a remote
server to a specific folder under a specified file name.

When you upload the current configuration, you can modify the configuration using a text editor.
Command Syntax (for Local Flash System and TFTP/FTP Server)

device-name#copy running-config [<device>:[<server IP>/]][<path>]<file name>

device-name#copy running-config device/user:pass@host/[path/]file-name
device/ (Optional). The device to which the file is to be copied. It can be a TFTP
server (in format tftp://:A.B.C.D), the local flash system (in format flash:/), or
a SFTP server (in format sftp://A.B.C.D).
server IP (Optional). Server IP address.
path (Optional). The exact location path where the file is to be copied.
Example
The following command uploads the running-configuration under a new file named RUN002 on
device-name#copy running-config tftp://192.192.54.1/RUN002
Page 63
Saving the Device Configuration

The copy running-config startup-config command saves the current running configuration
to the start-up configuration file in NVRAM.

This command is equivalent to the write memory command in Privileged (Enable) mode (refer to
the Device Setup and Maintenance chapter of the BiNOS User Guide).
Command Syntax
device-name#copy running-config startup-config
Reloading the Operating System

The reload command reloads the device.
NOTE
Use the reload command after configuration information is entered into a file and
saved to the startup configuration.
The reload command requires confirmation before reloading!
NOTE
The reload to-defaults command does not affect the contents of the file system.
Command Syntax
device-name#reload [save | no-save | to-defaults]
save (Optional). Saves the running configuration to NVRAM and restart the
device. This is the default status.
no-save (Optional). Does not save the current running configuration and restart the
device.
to-defaults (Optional). Sets the device configuration to its factory defaults and restart.
Example 1
Saving the current configuration and reloading the device:
Save current configuration and reboot the device ? [y/n]: y
Rebooting ...
Page 64
Example 2
Reloading the device without saving the current configuration:
Rebooting ...
Page 65
Boot Loader
Overview
The boot process performs low-level CPU initialization, and loads a default operating system
software image into memory and boots the device.
When starting, the loader counts down a few seconds, allowing you an entry point into the loader’
CLI. The loader then passes to interactive mode, requests a login password, and starts a CLI
session. If no key is pressed, the device initiates the auto-startup application is started.
Initially the device expects the default password batm. This password may be changed by using the
password loader command (refer to the Device Setup and Maintenance chapter of the BiNOS User
Guide).
While the device reboots, numbers appear on the console terminal following the line Press any key to
stop auto-boot.... To enter the Loader mode, press <Enter> while the numbers are running.
Rebooting ...

Loader version : 8.0.0 created Oct 29 2007 - 21:59:11
MAC Address : 00:A0:12:27:0E:E0
usrBootLineInit finish OK
Attaching network interface lo0... done.
Press any key to stop auto-boot...

2
start CLI
Password: batm
Loader>
Page 66
The Device Loader's Default Configuration

Table 22: Default Loader Configuration
Password batm
Block start address 0
Block length 256
Simulation of CPM redundancy Disabled
The Loader Commands

Table 23: Loader Application Commands
Command Description
start application Exits the loader and starts using the BiNOS software image
(see Starting the BiNOS Software Image)
copy application Downloads the software image to the device by using TFTP
server
(see Downloading the Application Software by using TFTP)
download application Downloads the BiNOS application using X-modem (see
Downloading the BiNOS Application by Using X-modem)
ip-address Displays the OutBand port IP address
(see Displaying the Device IP Address and Mask)
version Displays the device model type and the loader version
(see Displaying the Loader Version)
manufacturing-details Displays detailed hardware information of the board
(see Displaying Hardware Details)
Table 24: Loader Configuration Commands

Command Description
config Enters the loader configuration mode (see Loader

Configuration Mode)
ip-address Displays the OutBand port IP address and subnet mask
(see Displaying and Specifying the OutBand Port IP Address)
mac-address Displays the device MAC address
(see Displaying and Specifying the MAC Address)
clean startup-config Sets the startup configuration file to the factory default values
(see Resetting the Startup Configuration File)
clean boot-config Clears the Loader EEPROM
(see Deleting the Boot Configuration)
clean log-history Cleans all history records (see Erasing Log History Records)
clean flash all Cleans the Flash memory (see Cleaning the Flash Memory)
backup Makes a backup copy of the Flash or EEPROM memory
Page 67
Command Description
contents (see Making a Backup Copy)
refresh flash Rewrites the Flash memory (see Rewriting the Flash Memory)
restore flash Restores the Flash memory
(see Restoring the Flash Memory)
Table 25: The Boot Parameters Commands
NOTE
Currently these commands are not supported because the OutBound interface is not
available.
Command Description
boot-param device Displays the current software image location

(see Displaying and Specifying the Software Image Location)
boot-param application Displays the current boot statement (see Displaying and
Applying the Boot Statement)
boot-param ftp-server Displays the FTP server IP-address (see Displaying and
Specifying the FTP Server IP-Address)
boot-param ftp-user Displays the FTP username (see Displaying and Specifying
the FTP Username)
boot-param ftp-password Displays the FTP connection password (see Specifying the
FTP Access Password)
boot-param startup-config Specifies which startup configuration file is loaded on startup
(see Specifying the Startup Configuration Name)
boot-param Displays the current boot statement
(see Displaying Boot Statements)
Table 26: Memory Debug Commands
CAUTION
The commands in the following table can be used only by Telco Systems Technical
Support.
Command Description
memory Accesses the Loader memory mode

(see Loader Memory Mode)
copy Copies a block of memory (see Copying a Block of Memory)
check-device Checks the integrity of the file system and repairs lost clusters
and file structure
(see Checking and Repairing File-system Integrity)
display Displays a block of memory
(see Displaying a Block of Memory)
fill Fills a block of memory (see Filling a Block of Memory)
Page 68
Command Description
list Prints a command list (see Printing a Command List)
Page 69
Starting the BiNOS Software Image

The start application command exits the loader and starts using the BiNOS software image.
CLI Mode: Loader
Command Syntax
Loader>start application
Example
Loader>start application
auto-booting...
Uncompressing 3994461 bytes...

Loading image... 14284304
BUILT-IN SELF TEST

------------------
Power Supply Test : Passed
Fan Test : Passed
///////////////////////////////////////////////////////////////////////////
// //
// //
// B A T M A d v a n c e d C o m m u n i c a t i o n s //
// //
// T e l c o S y s t e m s //
// //
// Device model : T-Marc 380 //
// Product Category : AccessEthernet(TM) //
// SW version : 10.1 created Mar 17 2010 - 20:19:58 //
// //
// //
///////////////////////////////////////////////////////////////////////////
Password:
Page 70
Downloading the Application Software by using TFTP

The copy application command downloads the software image to the device by using TFTP
server.
Command Syntax
Loader>copy application [[[device/]path]file-name [DESTINATION FILE-NAME]
[no-validation]
device/ (Optional) the device to which the file is copied (in format tftp://A.B.C.D)
path (Optional) the path to the location where the file is copied
file-name The original name of the file
DESTINATION-FILE- The destination file name as it will appear on the local flash system
NAME
no-validation (Optional) skips the image validation check
Example
The following command downloads the new software-version file named VERxxx that is located
in the Root directory on the TFTP server at IP address 192.192.54.1:
Loader>copy application tftp://192.192.54.1/VERxxx.Z
Downloading the BiNOS Application by Using X-modem

The download application command copies the BiNOS application from a source computer to
the device permanent storage memory, through a console connection by X-modem transfer.
CLI Mode: Loader

The role of this command is to provide a rescue solution when the device becomes inoperable and
a new application image cannot be received by the TFTP transfer!
Command Syntax
Loader>download application
Example
Loader>download application
XMODEM application download to flash 0
XMODEM Receive: Waiting for Sender
Image Size = 0xBD552 CRC Value = 0x691181F3
Saving application code to FLASH bank 0....Success.
Loader>
Page 71
Displaying the Device IP Address and Mask

The ip-address command displays the OutBand port IP interface address and subnet mask.
CLI Mode: Loader
Command Syntax
Loader>ip-address
Example
Loader>ip-address
Loader IP address = 10.2.111.111, subnet mask = ffff0000
Displaying the Loader Version

The version command displays the device model type and the loader version.
CLI Mode: Loader
Command Syntax
Loader>version
Example
Loader>version
Loader version : 8.0.0 created Oct 29 2007 - 21:59:11
Displaying Hardware Details

The manufacturing-details command displays detailed hardware information.
CLI Mode: Loader
Command Syntax
Loader>manufacturing-details
Example
Loader>manufacturing-details
Serial number : 8807340077
Assembly No : AL001350
Part number : Not Available
CLEI : Not Available
HW revision : 05
HW subrevision : 02
Page 72
Manufacturing Date : Not Available
Loader Configuration Mode

The config command enters the Loader Configuration mode.
CLI Mode: Loader
Command Syntax
Loader>config
Loader(config)#
Displaying and Specifying the OutBand Port IP Address

The ip-address command displays the OutBand port IP address and subnet mask. Use one of
the command arguments below to specify a new IP address and subnet mask.
CLI Mode: Loader Configuration
Command Syntax
Loader(config)#ip-address [A.B.C.D/M | A1.B1.C1.D1 M1.M2.M3.M4]
A.B.C.D/M (Optional). Specifies the new IP address with mask by number of bits.
A1.B1.C1.D1 (Optional). Specifies the new IP address with mask in dotted decimal
M1.M2.M3.M4 notation.
Example
The following example displays the Loader current IP address:
Loader(config)#ip-address
Loader IP address = 10.2.111.111, subnet mask = ffff0000
Displaying and Specifying the MAC Address

The mac-address command displays the device MAC address. Use the command argument to
specify a new device MAC address.
All LAN devices must have different MAC addresses.
Command Syntax
Loader(config)#mac-address [HH:HH:HH:HH:HH:HH]
Page 73
HH:HH:HH:HH:HH:HH (Optional). Specifies the new MAC address
Example 1
The following example displays the device current MAC address:
Loader(config)#mac-address
Current base MAC Address of device = 00:A0:12:CE:10:61
OutBand MAC Address (base + 1) = 00:A0:12:CE:10:62
Example 2
The following example assigns a new MAC address to the device. The response indicates that the
new MAC address is accepted and stored in the device memory.
Loader(config)#mac-address 00:A0:12:07:0f:78
New MAC Address of device = 00:A0:12:07:0F:78
Resetting the Startup Configuration File

The clean startup-config command cleans the startup configuration database in the permanent
storage memory of the device, and sets it to its default values.
Command Syntax
Loader(config)#clean startup-config [all]
all (Optional). Cleans the startup configuration and all system settings like
authentication data and configuration profiles.
Example
Loader(config)#clean startup-configuration all
Warning: IP address will be lost.
Deleting the Boot Configuration

The clean boot-config command clears the Loader EPROM.
CAUTION
This command should be used only by Telco Systems Technical Support.
Command Syntax
Loader(config)#clean boot-config {remove-board-data | remove-all}
Page 74
remove-board- Clears the NVRAM board configuration, keeping the management IP
data address, boot profile and manufacturing details.
remove-all Clears all settings in non-volatile memory, including all above.
Erasing Log History Records

The clean log-history command erases all log history records.
Command Syntax
Loader(config)#clean log-history
Cleaning the Flash Memory

The clean flash all command erases all Flash memory records.
Command Syntax
Loader(config)#clean flash all
Making a Backup Copy

The backup command makes a backup copy of the Flash or EEPROM memory contents.
Command Syntax
Loader(config)#backup eeprom A.B.C.D FILE-NAME
Loader(config)#backup flash {1 | 2 | boot} A.B.C.D FILE-NAME
eeprom Specifies that a backup copy of the EEPROM memory contents is made.
flash Specifies that a backup copy of the Flash memory contents is made.
A.B.C.D Specifies the IP address of the TFTP server where the backup copy is
written.
FILE-NAME Specifies the name of the backup file to be copied.
1 Makes a backup of the primary Flash.
2 Makes a backup of the secondary Flash.
boot Makes a backup of the boot Flash.
Page 75
Rewriting the Flash Memory

The refresh flash command rewrites the Flash memory.
Command Syntax
Loader(config)#refresh flash {1 | 2 | all}
1 Rewrites the primary Flash memory.
2 Rewrites the secondary Flash memory.
all Rewrites all Flash memory.
Restoring the Flash Memory

The restore flash command restores the Flash memory.
Command Syntax
Loader(config)#restore flash {1 | 2} A.B.C.D FILE-NAME
1 Restores the primary Flash.
2 Restores the secondary Flash.
A.B.C.D Specifies the IP address of the TFTP server where the Flash memory will
be restored.
FILE-NAME The name of the backup file.
Displaying and Specifying the Software Image Location

The boot-param device command displays the current software image location. Use one of the
below command arguments to specify the software image location.
CLI Mode: Loader and Loader Configuration
Command Syntax
Loader(config)#boot-param device
Loader(config)#boot-param device [local | network]
Page 76
local (Optional). The device boots from the local software image
network (Optional). The device boots from a remote software image, using an FTP
server
Displaying and Applying the Boot Statement

The boot-param application command displays the current boot statement.
Command Syntax
Loader#boot-param application
Loader(config)#boot-param application [FILE-NAME]
FILE-NAME The name of the image file, a case-sensitive string.
Displaying and Specifying the FTP Server IP-Address

The boot-param ftp-server command displays the FTP server IP-address. Use the command
argument to specify the FTP server IP-address.
Command Syntax
Loader#boot-param ftp-server
Loader(config)#boot-param ftp-server [A.B.C.D]
A.B.C.D (Optional) specifies the FTP server IP-address
Displaying and Specifying the FTP Username

The boot-param ftp-user command displays the FTP username. Use the command argument to
specify the FTP username.
Command Syntax
Loader#boot-param ftp-user
Loader(config)#boot-param ftp-user [NAME]
Page 77
NAME (Optional). The FTP access user name.
Specifying the FTP Access Password

The boot-param ftp-password command specifies the password for FTP server access.
Command Syntax
Loader#boot-param ftp-password
Loader(config)#boot-param ftp-password [PASSWORD]
PASSWORD (Optional). The FTP authentication password for the configured FTP user name.
Specifying the Startup Configuration Name

The boot-param startup-config command specifies the name of the startup configuration.
Command Syntax
Loader#boot-param startup-config [binary]
Loader(config)#boot-param startup-config [FILE-NAME | binary [FILE-NAME |
default] | default]
FILE-NAME (Optional). The name of the startup-configuration
default (Optional). Sets the default name of the startup configuration
binary (Optional). Sets the binary startup configuration.
Displaying Boot Statements

The boot-param command displays the current boot statement.
Command Syntax
Loader>boot-param
Loader(config)#boot-param
Page 78
Example
Loader>boot-param
IP address = 10.0.0.1:ffffff00
Device = local
Application = BiNOS-TMarc_3X0-9.4.3.TMC3-pre3.Z
Startup configuration =
Statup binary config =
FTP server =
FTP user =
FTP password =
Boot flags =
Loader Memory Mode

The memory command enters the Loader memory mode.
CLI Mode: Loader
Command Syntax
Loader>memory
Loader(memory)#
Copying a Block of Memory

The copy command copies a block of memory that is specified by block-length from the specified
source address to the specified destination address.
CLI Mode: Loader Memory
Command Syntax
Loader(memory)#copy <src-addr> <dst-addr> <blk-len>
src-addr Hexadecimal source address (optionally prefixed with 0x).
dst-addr Hexadecimal destination address (optionally prefixed with 0x).
blk-len Hexadecimal or decimal block length (use 0x prefix for hexadecimal
number).
Page 79
Checking and Repairing File-system Integrity

The check-device command checks the integrity of the file system and repairs lost clusters and file
structure.
Command Syntax
Loader(config)#check-device flash:
Example
Loader(config)#check-device flash:
flash:/ - disk check in progress ...
dosChkLib : CLOCK_REALTIME is being reset to THU DEC 27 00:00:00 1990
Value obtained from file system volume descriptor pointer: 0xfffdd38
The old setting was THU JAN 01 00:16:22 1970
Accepted system dates are greater than THU DEC 27 00:00:00 1990
flash:/ - Volume is OK
Change volume Id from 0x0 to 0xe696
total # of clusters: 15,237
# of free clusters: 12,042
# of bad clusters: 0
total free space: 24,084 Kb
max contiguous free space: 24,659,968 bytes
# of files: 8
# of folders: 9
total bytes in files: 6,360 Kb
# of lost chains: 0
total bytes in lost chains: 0
Displaying a Block of Memory

The display command displays a block of memory.
Command Syntax
Loader(memory)#display [<st-addr> [<blk-len>]]
st-addr (Optional). Hexadecimal start address (optionally prefixed with 0x). If only
the start address is specified, the previous or default block length is
repeated.
blk-len (Optional). Hexadecimal or decimal block length (use 0x prefix for
hexadecimal number).
Page 80
Filling a Block of Memory

The fill command fills a block of memory.
Command Syntax
Loader(memory)#fill <st-addr> <blk-len> <value>
st-addr Hexadecimal start address (optionally prefixed with 0x).
blk-len Hexadecimal or decimal block length (use 0x prefix for hexadecimal
number).
value Hexadecimal byte value to fill (optionally prefixed with 0x).
Printing a Command List

The list command prints the executed commands in a list format.
CLI Mode: Loader
Command Syntax
Loader(memory)#list
Updating the Application Software from Loader:
1. Configure boot parameters in profile (to configure any application file as a default one, the file
must be downloaded first):
Loader>config
Loader(config)#boot-param device local
2. Download the application by TFTP (it is stored with the source name. To change the target
name, specify the name as an additional command argument). If an application file with the
specified target name exists, it is overwritten.
Loader(config)#exit
Loader>copy application tftp:10.4.0.4/BiNOS-sfm880.Z
TFTP receiving file ... 3385202
3. Set the default application (when the file is already stored in FS):
Loader>config
Loader(config)#boot-param application BiNOS-sfm880.Z
Page 81
System Time and Date

The device internal clock runs from the moment the system starts up and keeps track of the date
and time. It is set from the following sources:
• Manual configuration
• Daytime Protocol
• Time Protocol
• Summer Time (Daylight Saving Time)
• Network Time Protocol
• 1588v2 Precision Time Protocol
Daytime Protocol
The Daytime protocol is defined in RFC 867. A host connects to a server that supports the
Daytime protocol, on either TCP or UDP port 13. The server then returns the current date and
time as an ASCII string with an unspecified format.
Time Protocol
The Time protocol is defined in RFC 868. This protocol provides a site-independent, machine
readable date and time.
The Time protocol operates over either TCP or UDP. A host connects to a server that supports
the Time protocol, on port 37. The server then sends the time as a 32-bit unsigned binary number
in network byte order representing a number of seconds since 00:00 (midnight) 1 January, 1900
GMT and closes the connection. The host receives the time and closes the connection.
NOTE
In BiNOS, the Daytime protocol and the Time protocol use TCP.
Summer Time (Daylight saving time)

Daylight saving time (DST) is the practice of temporarily advancing clocks. Computer-based
systems adjust automatically when DST starts and finishes, based on their time zone settings
You can have the device advance the clock one hour at 2:00 a.m. on the first Sunday in April and
move back the clock one hour at 2:00 a.m. on the last Sunday in October. You can explicitly specify
the start and end dates and times and whether or not the time adjustment recurs every year.
Page 82
Network Time Protocol

Network Time Protocol (NTP) provides a reliable way of transmitting and receiving the time over
IP networks. NTP is organized as a client-server model. An NTP network usually gets its time from
an authoritative time source, such as a radio clock or an atomic clock connected to a Time server.
NTP then distributes this time across the network.
1588v2 Precision Time Protocol (PTP)

IEEE-1588v2, also known as PTP, provides an Ethernet-based, scalable clock-synchronization
mechanism with various master-clock and quality options.
Precise time synchronization is essential for monitoring performance measurements in order to
ensure a high quality of service.
Enable this protocol for synchronizing the T-Marc 300 Series devices, in order to measure
extremely accurate Service Assurance Application (SAA) one-way delay (for more information,
refer to the Service Assurance Application section of the Operation, Administration, and Maintenance
chapter of this user guide).
The PTP mechanism functions as follows:
• One clock in a defined domain within the network serves as the master clock (either a grand-
master clock or one T-Marc 300 Series device configured as a master clock)
• The master clock periodically announces itself as the master clock to the slave clocks within
the defined domain
• The master clock sends periodical synchronization messages to the slave clocks within the
domain
• In case more than one master announces itself within the domain, the master clock with the
highest defined 1588v2 priority and quality remains the master clock while the other master
clock/s' mode is automatically switched to slave
To configure the PTP feature, refer to 1588v2 PTP Configuration Flow.
System Time and Date Default Configuration

Table 27: System Time and Date Default Configuration
NTP authentication Disabled

Summer time (Daylight Saving Time) Disabled
1588v2 PTP Default Configuration

Table 28: 1588v2 PTP Default Configuration
PTP Disabled
Page 83
PTP mode Slave

PTP primary priority (priority1) 255
PTP secondary priority (priority2) 255
Domain number 0
Announce interval 16 seconds
Synchronization interval 4 seconds
Static master address (none)
PTP per interface Disabled
Announce-receipt timeout intervals 3
Synchronization-receipt timeout intervals 3
Page 84
System Time and Date Configuration Flow

1. Manually configure the system time and date (see Configuring System Time and Date)
or
2. Configure the device to synchronize the system time with a specific remote daytime or time
server (see Configuring a Daytime or Time Server)
or
3. Configure an NTP server (see Configuring an NTP Server)
4. Start the NTP server polling (see Configuring the NTP Server Polling)
Define an MD5 authentication key (see Configuring the MD5 Authentication Key)
Adjust the system time to DST and then back to standard time on pre-set dates (see
Specifying a One-time Summer Time (DST) Period)
Adjust the system time and date to an annually-recurring summer time (DST) period (see
Specifying a Recurrent Summer Time (DST) Period)
6. Remove the NTP server (see Removing an NTP Server)
7. Display the NTP server configuration (see Removing an NTP Server)
8. Display the current time server configuration (see Displaying the Time Server Configuration)
9. Display the current time and date (see Displaying the Current System Time)
Page 85
System Time and Date Configuration Commands

Table 29: Time and Date Configuration Commands
Command Description
date Manually configures the system time and date

(see Configuring System Time and Date)
time-server Configures the device to synchronize the system time with
a specific remote daytime or time server
(see Configuring a Daytime or Time Server)
time-server ntp add Configures an NTP server
(see Configuring an NTP Server)
time-server ntp start Configures the NTP server polling
(see Configuring the NTP Server Polling)
Table 30: Time Server Optional Commands

Command Description
time-server ntp key Configures the MD5 authentication key

(see Configuring the MD5 Authentication Key)
time-server summer-time Adjusts the system time to DST and then back to standard
date time on pre-set dates
(see Specifying a One-time Summer Time (DST) Period)
time-server summer-time Adjusts the system time and date to an annually-recurring
recurring summer time (DST) period
(see Specifying a Recurrent Summer Time (DST) Period)
Table 31: Commands for Removing the NTP Server

Command Description
time-server ntp delete Deletes the existing NTP server

(see Removing an NTP Server)
Table 32: Time Servers Display Commands

Command Description
time-server ntp show Displays defined NTP servers

(see Displaying NTP Servers)
time-server ntp key show Displays existing NTP keys
(see Displaying the MD5 Authentication Key)
show time-server Displays the current Time server configuration
(see Displaying the Time Server Configuration)
show date Display the current time and date
show clock (see Displaying the Current System Time)
Page 86
Configuring System Time and Date

The date command manually configures the system time and date.
Command Syntax
device-name(config)#date hh:mm:ss <day> MONTH <year>
hh:mm:ss Specifies the time (24-hour format) in hours and minutes.
day Day in month, in the range <1–31>.
MONTH Specifies the month: January, February, March, April, May, June, July,
August, September, October, November, and December.
year Year in four digits, in the range <1993–2035>.
Example
The following example sets system time to 12:30:00 and date 1 April 2008:
device-name(config)#date 12:30:00 1 april 2008
Configuring a Daytime or Time Server

The time-server command configures the device to synchronize the system time with a specific
remote server.

To use this feature, select the remote time synchronization protocol:
• The Daytime Protocol (RFC 867) specifies the date and time as a character string
• The Time Protocol (RFC 868) specifies the time in seconds since midnight, January 01, 1900
The server for remote synchronization can be any PC running Windows NT/2000 or the UNIX
operating system.
Command Syntax
device-name(config)#time-server daytime swap
device-name(config)#time-server {daytime | time} A.B.C.D <refresh-time>
[<zone> [timeout <timeout>]] [timeout <timeout>]
device-name(config)#time-server {daytime | time} A.B.C.D <refresh-time>
timezone <zone> {<1-59> timeout <timeout> | timeout <timeout>}
device-name(config)#no time-server [daytime swap]
Page 87
NOTE
The old style of this command, wherein the IP address argument precedes the
daytime protocol, is supported for backward compatibility. However, Telco Systems
strongly recommends using only the new style of the command for setting up time
synchronization clients.
time Specifies Time Protocol (RFC868).
daytime Specifies Daytime Protocol (RFC867).
swap Swaps day and month (for daytime format). This would be required if the
positions of day and month are interchanged in the daytime server’s
format, to prevent the device from interpreting the day value as the
month and the month value as the day.
A.B.C.D IP address of the time-server.
refresh-time Synchronization polling interval, in the range of <10–44640> minutes.
timezone Specifies the time zone.
zone Shifts of local hour relative to the server (positive East, negative West of
server’s time zone). The range is <-12–12>.
timeout <timeout> Specifies the Time server session timeout in seconds. The range is <2–
20> seconds.
1-59 Specifies a number of minutes to synchronize accurately the system time
to the time server.
no Removes the Time server definitions.
Example 1
The following command synchronizes the system time with host 192.168.0.1, using the Time
Protocol. Synchronization is performed every 10 minutes. Local time is two hours behind the GMT
.
device-name(config)#time-server time 192.168.0.1 10 -2
Example 2
The following command synchronizes the system time with host 192.168.0.1, using the Daytime
Protocol. Synchronization is performed every 10 minutes. Local time is two hours ahead of the
GMT.
device-name(config)#time-server daytime 192.168.0.1 10 2
Page 88
Configuring an NTP Server

The time-server ntp add command configures an NTP server.

You can define up to five NTP servers.
Command Syntax
device-name(config)#time-server ntp add A.B.C.D
A.B.C.D Specifies the IP address of the Time server to be added.
Example
The following example adds the NTP server with IP address 186.102.20.11:
device-name(config)#time-server ntp add 186.102.20.11
Configuring the NTP Server Polling

The time-server ntp start command configures the NTP server polling interval. The polling
interval is the period of time between polling cycles.
NOTE
To end the NTP server polling use the no time-server command.
Command Syntax
device-name(config)#time-server ntp start <polling-interval> {<zone> |
timezone <zone> <1-59>}
polling-interval The synchronization refresh period in minutes, in the range <10–
44640> (the upper limit is equivalent to 31 days).
zone Shift of local hour relative to GMT (positive East, negative West of
Greenwich). The range is <-12–12>.
timezone Specifies the time zone.
1-59 Specifies a number of minutes to synchronize accurately the system
time to the time server.
Page 89
Configuring the MD5 Authentication Key

The time-server ntp key command configures the MD5 authentication key.

Time synchronization can be authenticated to make sure that the local device obtains its time
services only from known sources.
By default, network time synchronization is unauthenticated.
Command Syntax
device-name(config)#time-server ntp key {add | delete} <key-id> KEY [A.B.C.D]
add Defines the MD5 authentication key.
delete Removes the existing MD5 authentication key.
key-id The key number in the range <1–65535>.
KEY String up to 20 non-blank characters. The string is case-sensitive. Some special
characters, such as question marks, are not allowed.
A.B.C.D (Optional). NTP server address.
Example
The following example adds an MD5 authentication key with key ID of 27 and plain-text key qwerty:
device-name(config)#time-server ntp key add 27 qwerty
Configuration changes will take effect after ntp client is restarted
Specifying a One-time Summer Time (DST) Period

The time-server summer-time date command adjusts the system time to DST and then back to
standard time on pre-set dates.
Adjusts the system time to DST and then back to standard time on pre-set dates

By default, the summer time definition is disabled.
Command Syntax
device-name(config)#time-server summer-time date <day> MONTH <year> HH:MM:SS
<day> MONTH <year> HH:MM:SS <shift>
device-name(config)#no time-server summer-time
Page 90
day The start day of the month, in range <1–31>.
MONTH The start summer-time month: January, February, March, April, May, June,
July, August, September, October, November and December.
year The start summer-time year, in range <1993–2035>.
HH:MM:SS Specify the start summer-time time.
day The end day of the month, in range <1–31>.
MONTH The end summer-time month: January, February, March, April, May, June,
July, August, September, October, November and December.
year The end summer-time year, in range <1993–2035>.
HH:MM:SS Specify the end summer-time time.
shift The number of minutes to add during summer time, in range <1–1440>.
no Remove the summer time settings.
Example
The following example demonstrates advancing the system time 1 hour on May 1st, 2004, at
02:00:00 and shifting it back on December 3rd, 2004, at 02:00:00:
device-name(config)#time-server summer-time date 1 May 2004 02:00:00 3 Dec
2004 02:00:00 60
Specifying a Recurrent Summer Time (DST) Period

The time-server summer-time recurring command adjusts the system time and date to an
annually-recurring summer time (DST) period.

By default, the summer time definition is disabled.
Command Syntax
device-name(config)#time-server summer-time recurring {first | <week> | last}
<day> MONTH HH:MM:SS {first | <week> | last) <day> MONTH HH:MM:SS <shift>
device-name(config)#no time-server summer-time
first The first week of the month to start.
week Specify the week of the month to start in, the range <1–4>.
last The last week of the month to start.
day The start summer-time day in the week: Sunday, Monday, Tuesday,
Wednesday, Thursday, Friday and Saturday.
MONTH The start summer-time month: January, February, March, April, May,
June, July, August, September, October, November, and December.
Page 91
HH:MM:SS Specify the start summer-time time.

first The first week of the month to end.
week Specify the week of the month to end, in the range <1–4>.
last The last week of the month to end.
day The end summer-time day in the week: Sunday, Monday, Tuesday,
Wednesday, Thursday, Friday and Saturday.
MONTH The end summer-time month: January, February, March, April, May,
June, July, August, September, October, November, and December.
HH:MM:SS Specify the end summer-time time.
shift The number of minutes to add during summer time, in the range <1–
1440>.
no Remove the summer-time settings.
Example
The following example shows how to advance the system time automatically by one hour every
year, starting on the second Monday of April at 01:00:00 this year and move the system time back
on the second Tuesday of October at 01:00:00:
device-name(config)#time-server summer-time recurring 2 mon apr 01:00:00 2
tue oct 01:00:00 60
Removing an NTP Server

The time-server ntp delete command deletes the existing NTP server.
Command Syntax
device-name(config)#time-server ntp delete A.B.C.D
A.B.C.D Specify the IP address of the Time server to be deleted.
Example
The following example removes the NTP server with IP address 186.102.20.11:
device-name(config)#time-server ntp delete 186.102.20.11
Page 92
Displaying NTP Servers

The time-server ntp show command displays defined NTP servers.
Command Syntax
device-name(config)#time-server ntp show
Example
The following example displays the three existing NTP servers:
device-name(config)#time-server ntp show
186.102.20.11
182.21.2.31
128.11.24.6
Displaying the MD5 Authentication Key

The time-server ntp key show command displays the existing MD5 authentication key ID and
string.
Command Syntax
device-name(config)#time-server ntp key show
Example
device-name(config)#time-server ntp key show
192.168.0.40:
1 key1
2 key2
192.168.0.32:
1 key1
Displaying the Time Server Configuration

The show time-server command displays the current Time server configuration.
Command Syntax
device-name#show time-server
Page 93
Example
device-name#show time-server
Current system time MON OCT 13 19:00:25 2003
Time server protocol : NTP
Refresh : 23 min
Time zone : 2h:10m
Displaying the Current System Time

The show date and show clock commands display the current system time and date.
Command Syntax
device-name#show date
device-name#show clock [detail]
detail (Optional). The command also displays the type of the currently used
synchronization client and the time zone indication. If detail is not specified, the
command displays the current system time.
Example 1
device-name#show date
Current system time TUE APR 10 13:45:04 2001
Example 2
The following example displays the date and time:
device-name#show clock
Current system time TUE APR 10 13:45:04 2008
Example 3
The following example displays the date and time, and the currently used synchronization client (if
available):
device-name#show clock detail
Current system time THU JAN 01 00:01:02 1998
Time client is running with following peers:
Time server: 192.168.0.4
Refresh time: 10 minutes
Time zone shift: 2 hour(s)
Page 94
The following example demonstrates how the device uses an NTP server.
1. Add the NTP server located in IP address 212.90.11.2:
device-name(config)#time-server ntp add 212.90.11.2
2. Add an MD5 authentication key with key ID of 27 and plain-text key qwerty:
device-name(config)#time-server ntp key add 27 qwerty
3. Start the NTP server polling with refresh period of 10 minutes and time zone 2:
device-name(config)#time-server ntp start 10 2
Page 95
1588v2 PTP Configuration Flow

To configure the 1588v2 PTP, proceed as follows:
1. Enable 1588v2 PTP on the device (see Configuring PTP).
2. Define the device's PTP mode (master or slave, see Defining the Device's PTP Mode).
3. (For master devices only) define the clock's primary 1588v2 priority (see Defining a Master
Clock's 1588v2 Primary Priority).
4. (For master devices only) define the clock's secondary 1588v2 priority (see Defining a Master
Clock's 1588v2 Secondary Priority).
5. Specify the PTP domain (logical grouping) the device belongs to (see Assigning the Device to a
PTP Domain).
6. (For master devices only) define the interval for sending announce messages (see Defining the
Interval for Sending Announce Messages).
7. (For master devices only) define the interval for sending synchronization messages (see
Defining the Interval for Sending Synchronization Messages).
8. (Optional, for slaves only) define a static master for the device (see Selecting a Static Master
Clock).
9. Enable PTP on the interface/s (see Enabling PTP on a Port).
10. (For slave devices only) define the announce-receipt timeout from a master clock (see Defining
the Announce-Receipt Timeout).
11. (For slave devices only) define the synchronization-receipt timeout from a master clock (see
Defining the Synchronization-Receipt Timeout).
12. Display the PTP status (see Displaying the PTP Status).
Page 96
1588v2 PTP Configuration Commands

Table 33: 1588v2 PTP Configuration Commands
Command Description
ptp Configures PTP on the local device and enters the PTP
Configuration mode (see Configuring PTP)
encapsulation all-ports Defines the network technology used to transport PTP
messages (see Defining the Packet Encapsulation
Type)
priority1 Defines the 1588v2 primary priority of the master clock
(see Defining a Master Clock's 1588v2 Primary Priority)
priority2 Defines the 1588v2 secondary priority of the master
clock (see Defining a Master Clock's 1588v2 Secondary
Priority)
domain-number Defines the PTP domain the device belongs to (see
Assigning the Device to a PTP Domain)
ptp-mode Defines whether the device is a slave or a master (see
Defining the PTP Mode)
master-address Defines a static master's MAC address for a slave
device (see Selecting a Static Master Clock)
announce-interval Defines the interval the master sends announce
messages (see Defining the Interval for Sending
Announce Messages)
sync-interval Defines the interval the master sends announce
messages (see Defining the Interval for Sending
Synchronization Messages)
master-vlan Defines a VLAN used for sending master clock
messages or sync messages (Defining the Master
VLAN)
ptp enable Enables PTP on port/s (see Enabling PTP on a Port)
ptp-announce-receipt-timeout Defines the number of announce intervals to pass
without receiving an announce message before
dropping the current master and selecting a different
one (see Defining the Announce-Receipt Timeout)
ptp-sync-receipt-timeout Defines the number of synchronization intervals to pass
without receiving a synchronization message before the
slave becomes unsynchronized with the master (see
Defining the Synchronization-Receipt Timeout)
show ptp Displays the PTP state (see Displaying the PTP Status)
Page 97
Configuring PTP
The ptp command configures PTP on the local device and enters the PTP Configuration mode.
Enable this protocol for accurate SAA one-way delay measurement (refer to the Service Assurance
Application section of the Operation, Administration, and Maintenance chapter of BiNOS User Guide).

PTP is disabled by default.
Command Syntax
device-name(config)#ptp [enable]
device-name(config-ptp)#
device-name(config)#no ptp
enable Enters the PTP Configuration mode
no Disables PTP
Defining the Packet Encapsulation Type

The encapsulation all-ports command defines the network technology used to transport PTP
messages.
CLI Mode: PTP Configuration

By default, the encapsulation type is ieee8023.
Command Syntax
device-name(config-ptp)#encapsulation all-ports {ipv4 | ieee8023}
device-name(config-ptp)#no encapsulation all-ports
ipv4 PTP over UDP/IPv4. When carried over UDP, the first byte of the PTP
message immediately follows the final byte of the UDP header.
ieee8023 PTP over IEEE 802.3/ Ethernet. When carried over Ethernet, the first byte
of the PTP message occupies the first byte of the data field of the Ethernet
frame.
Defining the 1588v2 Primary Priority of the Master Clock

The priority1 command defines the 1588v2 primary priority of the master clock.
If there is more than one master device in a PTP domain, the device with the highest priority
(lowest number) remains the master while the other device/s switch to slave.
Page 98

The default priority1 is 255.
Command Syntax
device-name(config-ptp)#priority1 <priority1>
device-name(config-ptp)#no priority1
priority1 The priority1 value, in the range of <0–255>
Defining the 1588v2 Secondary Priority of the Master Clock

The priority2 command defines a finer grained ordering among otherwise equivalent master
clocks (see above).

The default priority2 is 255.
Command Syntax
device-name(config-ptp)#priority2 <priority2>
device-name(config-ptp)#no priority2
priority2 The priority2 value, in the range of <0–255>
Assigning the Device to a PTP Domain

The domain-number command specifies the PTP domain the device belongs to.
The PTP domain is the logical grouping of PTP clocks that synchronize to each other.

The default domain number is 0.
Command Syntax
device-name(config-ptp)#domain-number <domain_number>
device-name(config-ptp)#no domain-number
domain-number The PTP domain number, in the range of <0–255>
Page 99
Defining the PTP Mode

The ptp-mode command switches between slave and master modes.
NOTE
If the master device receives announce messages from a different PTP master device
with a higher 1588v2 priority and quality, it automatically switches to a slave mode
without any warnings.

The default mode is slave.
Command Syntax
device-name(config-ptp)#ptp-mode {master | slave}
master Defines the device as a master clock
slave Defines the device as a slave clock
Selecting a Static Master Clock

The master-address command allows you to select a static master manually. In this case the slave
device skips the master election algorithm and ignores announce messages from other maters.

By default, the device has no static master.
Command Syntax
device-name(config-ptp)#master-address <XX:XX:XX:XX:XX:XX>
device-name(config-ptp)#no master-address
XX:XX:XX:XX:XX:XX The static master's MAC address
Defining the Interval for Sending Announce Messages

The announce-interval command defines the interval for a master device to announce itself as
master clock, in seconds.

The default interval is 16 seconds.
Page 100
Command Syntax
device-name(config-ptp)#announce-interval <announce interval>
device-name(config-ptp)#no announce-interval
announce interval The interval between two consecutive announce messages, in
the range of {1 | 2 | 4 | 8 | 16 | 32 | 64 | 128} seconds.
Defining the Interval for Sending Synchronization Messages

The sync-interval command defines the interval for a master device to send synchronization
messages, in seconds.

The default interval is 4 seconds.
Command Syntax
device-name(config-ptp)#sync-interval <synch interval>
device-name(config-ptp)#no sync-interval
synch interval Specifies the interval between two consecutive synchronization
messages, in the range of {1 | 2 | 4 | 8 | 16 | 32 | 64 | 128}
seconds.
Defining the Master VLAN

The master-vlan command defines a VLAN used for sending master clock messages or sync
messages.
Command Syntax
device-name(config-ptp)#master-vlan <master-vlan-id>
device-name(config-ptp)#no master-vlan
master-vlan-id The master VLAN ID, in the range of <1–4094>.The VLAN must
be already configured (see the Configuring VLANs and Super
VLANs chapter of the current User Guide).
no Removes the VLAN from being a master VLAN.
Page 101
Enabling PTP on a Port

The ptp enable command enables PTP for on a specific port. When you enable PTP on a port,
this port is able to receive and send PTP packets.
CLI Mode: Interface Configuration
By default, PTP is disabled on ports.
Command Syntax
device-name(config-if UU/SS/PP)#ptp {enable | disable}
enable Enables PTP
disable Disables PTP
Defining the Announce-Receipt Timeout

The ptp-announce-receipt-timeout command defines the announce-receipt timeout.
This value defines the number of announce-receipt intervals that pass before the slave interface
drops the selected master and initiates an ANNOUNCE_RECEIPT_TIMEOUT_EXPIRES
event.
Command Syntax
device-name(config-if UU/SS/PP)#ptp-announce-receipt-timeout
<announce_receipt_timeout>
device-name(config-if UU/SS/PP)#no ptp-announce-receipt-timeout
The default number of announce-receipt intervals is 3.
announce_receipt The number of announce-receipt intervals, in the range of <2–
_timeout 255>
Defining the Synchronization-Receipt Timeout

The ptp-sync-receipt-timeout command defines the synchronization-receipt timeout.
This value defines the number of synchronization-receipt intervals that pass before the slave is no
longer synchronized with the master.

The default number of the synchronization-receipt intervals is 3.
Page 102
Command Syntax
device-name(config-if UU/SS/PP)#ptp-sync-receipt-timeout
<sync_receipt_timeout>
device-name(config-if UU/SS/PP)#no ptp-sync-receipt-timeout
synch_receipt The number of the synchronization-receipt intervals, in the range
_timeout of <2–255>
Displaying the PTP Status

The show ptp command displays the PTP configuration details as specified below.
• If you do not use the interface argument, the command displays the common device's PTP
settings without interfaces information.
• If you use the interface argument without specifying an interface number, the command
displays the enabled PTP interfaces on the device.
• If you use the interface argument and specify an interface number, the command displays
the specified interface's PTP state.
Refer to Table 34 for the parameters displayed by this command.
Command Syntax
device-name#show ptp [interface [UU/SS/PP | AG0N]
UU/SS/PP The interface displayed
AG0N The aggregated interface displayed
Example 1
device-name#show ptp
PTP Configuration (slave):
Number of PTP enabled ports: 1
Domain Number: 0
Master Address: 00:A0:12:27:0E:40
Mean path delay : 5 usec
Offset from master: 1 usec
Example 2
device-name#show ptp interface 1/1/1
This port is PTP Enabled
Port State: Master
Page 103
Announce receipt timeout: 16

Sync receipt timeout: 4
Table 34: Parameters displayed by the show ptp command

Parameters Description
Mean Path Delay The average between the delay from the master to slave and the
delay from the slave to master
Offset from Master The offset between the slave and the master calculated by the slave
Below is an example of configuring a master device.
1. Enable PTP on the device:
device-name(config)#ptp enable
2. Define a device to PTP master mode:

device-name(config-ptp)#ptp-mode master
device-name(config-ptp)#exit
3. Enter the configuration mode for interface 1/1/1:

device-name(config)#interface 1/1/1
4. Enable PTP on interface 1/1/1:

device-name(config-if 1/1/1)#ptp enable
device-name(config-if 1/1/1)#end
5. Display the PTP configuration:

device-name#show ptp
PTP Configuration (master):
Number of PTP enabled ports: 1
Domain Number: 0
Priority 1: 255
Priority 2: 255
Announce Interval: 16
Sync Interval: 4
Page 104
DHCP Client
Overview
DHCP (Dynamic Host Configuration Protocol) is a TCP/IP protocol for dynamically assigning IP
addresses to devices on a network. DHCP is built on a client-server model, in which designated
DHCP servers allocate network addresses and deliver configuration parameters to dynamically
configured devices (DHCP clients).
The DHCP client use DHCP to reacquire or verify its IP address and network parameters
whenever the local network parameters may have changed (e.g. at the device boot time or after a
disconnection from the local network), as the local network configuration may change without the
client’s or user’s knowledge.
If a DHCP client has knowledge of a previous network address and is unable to contact a local
DHCP server, the DHCP client may continue to use the previous network address until the lease
for that address expires. If the lease expires before the client can contact a DHCP server, the
DHCP client must immediately discontinue use of the previous network address and may inform
local users of the problem.
DHCP consists of two components:
• mechanism for delivering configuration parameters from a DHCP server to a device
• mechanism for allocating network addresses to devices
DHCP supports three mechanisms for IP address allocation:
• Automatic allocation—DHCP assigns a permanent IP address to the user
• Dynamic allocation—DHCP assigns an IP address to the user for a limited period of time.
Dynamic allocation allows automatic reuse of an address that is no longer needed by the user
to which it is assigned. Thus, dynamic allocation is particularly useful for assigning an address
to the user that connected to the network only temporarily or for sharing a limited pool of IP
addresses among a group of users that do not need permanent IP addresses.
• Manual allocation—the system administrator assigns to the user an IP address, and DHCP is
used simply to convey the assigned address. A particular network uses one or more of these
mechanisms, depending on the policies of the network administrator. Manual allocation allows
DHCP to be used to eliminate the error-prone process of manually configuring hosts with IP
addresses in environments where it is desirable to manage IP address assignment outside of
the DHCP mechanisms.
Page 105
The DHCP Negotiation Process

As shown in below figure, the parameter negotiation starts with a DHCPDISCOVER broadcast
message from the client seeking a DHCP server. The DHCP Server responds with a
DHCPOFFER unicast message offering configuration parameters (such as an IP address, a MAC
address, a domain name, and a lease for the IP address) to the client. The client returns a
DHCPREQUEST broadcast message requesting the offered IP address from the DHCP Server.
The DHCP Server responds with a DHCPACK unicast message confirming that the IP address
has been allocated to the client.
Figure 1: Obtaining an IP Address from a DHCP Server
The client may suggest values for the IP address and lease time in the DHCPDISCOVER message.
The client may include the requested IP address option to suggest that a particular IP address can be
assigned, and may include the IP address lease time option to suggest the lease time it would like to
have it. The requested IP address option is filled in a DHCPREQUEST message only when the client
is verifying network parameters obtained previously.
If a server receives a DHCPREQUEST message with an invalid requested IP address, the server
should respond to the client with a DHCPNAK message and may choose to report the problem to
the system administrator. The server may include an error message in the message option.
When Should Clients Use DHCP

A client should use DHCP to reacquire or verify its IP address and network parameters whenever
the local network parameters may have changed (e.g. at the switch boot time or after a
disconnection from the local network), as the local network configuration may change without the
client or user knowledge.
If a client has knowledge of a previous network address and is unable to contact a local DHCP
Server, the client may continue to use the previous network address until the lease for that address
expires. If the lease expires before the client can contact a DHCP Server, the client must
immediately discontinue use of the previous network address and may inform local users of the
problem.
Page 106
The DHCP Client Default Configuration

Table 35: DHCP Client Default Configuration
DHCP Client Disabled

The DHCPDISCOVER message 8 minutes
retransmission timeout
The DHCP Client Configuration Flow

1. Optional configuration:
Enable the DHCP client security feature
(see Enabling the DHCP Client Security (Authentication Option 90))
Permit the DHCP client to receive unauthenticated packets
(see Controlling the Unauthenticated Packets Flow)
Specify DHCP server discover attempts (see Specifying DHCP Server Discover Attempts)
Configure the maximum time that the DHCP Client is allowed to be active
(see Changing the DHCPDISCOVER Messages Retransmission Timeout)
2. Provide the device its IP configuration information dynamically and configures the DHCP
lease period (see Configuring the DHCP Client)
3. Display the DHCP Client status and the DISCOVER message timeout
(see Displaying the DHCP Client Configuration)
Page 107
DHCP Client Configuration Commands

NOTE
The commands in the following table are applied on demarcation devices in a
topology with proxy management feature started.
Table 36: DHCP Client Security Commands

Command Description
dhcp-client security enable Enables the DHCP client security feature (see Enabling
the DHCP Client Security (Authentication Option 90))
dhcp-client security accept Permits the DHCP client to receive unauthenticated
packets
(see Controlling the Unauthenticated Packets Flow)
dhcp-client security attempts Specifying DHCP server discover attempts (see
Specifying DHCP Server Discover Attempts)
Table 37: DHCP Client Commands

Command Description
dhcp-client discover-rto Configures the maximum time that the DHCP Client is
allowed to be active (see Changing the
DHCPDISCOVER Messages Retransmission Timeout)
ip address dhcp Provides the device its IP configuration information
dynamically and configures the DHCP lease period
(see Configuring the DHCP Client)
Table 38: DHCP Client Display Command

Command Description
show dhcp-client Displays the DHCP Client status and the DISCOVER
message timeout
(see Displaying the DHCP Client Configuration)
Page 108
Enabling the DHCP Client Security (Authentication Option 90)

The dhcp-client security enable command enables the DHCP client security feature.

By default, the DHCP client security is disabled.
Command Syntax
device-name(config)#dhcp-client security enable
device-name(config)#no dhcp-client security
no Disables the DHCP client security feature.
Controlling the Unauthenticated Packets Flow

The dhcp-client security accept command permits the DHCP client to receive
unauthenticated packets.

By default, the all unauthenticated packets are received.
Command Syntax
device-name(config)#dhcp-client security accept {all | authenticated-only}
all Permits all unauthenticated packets.
authenticated-only Permits only authenticated packets.
Specifying DHCP Server Discover Attempts

The dhcp-client security attempts command specifies the number of attempts, which the
DHCP client makes to locate a DHCP server and obtain a configuration from it.

By default, the number of attempts is infinitely.
Command Syntax
device-name(config)#dhcp-client security attempts (<1-512> | infinitely)
Page 109
1-512 Specifies the number of attempts.
infinitely Sets the number of attempts to infinitely.
Changing the DHCPDISCOVER Messages Retransmission

Timeout
The dhcp-client discover-rto command configures the maximum time that the DHCP Client
is allowed to be active and to send DHCPDISCOVER frames.

The client resends a DHCPDISCOVER frame after 4, 8, 16, 32 and 64 seconds.
By default, the DHCPDISCOVER timeout is 8 minutes.
Command Syntax
device-name(config)#dhcp-client discover-rto <time>
device-name(config)#no dhcp-client discover-rto
time The DHCPDISCOVER message retransmission timeout, in the range <1–32>
minutes.
no Disables the retransmission timeout, i.e. the DHCP client keeps sending requests
until it negotiates an IP address.
Configuring the DHCP Client

The ip address dhcp command provides the device its IP configuration information dynamically
and configures the requested lease period.

By default, the dynamic address allocation is disabled.
Command Syntax
device-name(config)#ip address dhcp [A.B.C.D | renew]
device-name(config)#ip address dhcp lease {<1-10080> | infinite} [A.B.C.D |
renew]
device-name(config)#no ip address dhcp
1-10080 Specifies a value for the lease period, in minutes.
infinite Sets the lease period to be an infinite period. This is the default value.
Page 110
A.B.C.D (Optional). The requested IP address. The DHCP Client is initiated with
DHCP negotiation. If the IP address is specified, the DHCP Client sends a
request for this address, and if the requested IP address is not available the
server returns another IP address. To see the IP address provided by the
DHCP server, use the show ip command in Privileged (Enable) mode (refer
to the Device Setup and Maintenance chapter of the BiNOS User Guide).
renew (Optional). Restarts the DHCP client, freeing the IP address previously
allocated.
no Stops the DHCP Client and restores the IP address, subnet mask and IP
gateway to their default values.
Displaying the DHCP Client Configuration

The show dhcp-client command displays the DHCP client status and the DISCOVER message
timeout.
Command Syntax
device-name#show dhcp-client
Example
device-name(config)#ip address dhcp lease infinite
device-name#show dhcp-client
DHCP client is active
IP address is acquired by DHCP
DISCOVER messages retransmission timeout - 8 minute(s)
Lease time left: 86394
Page 111
Controlling the Packet Rate

Overview
To break the correlation between the management device (the CPU), the remaining switching and
routing devices, the device implements four queues for outgoing packets to the CPU, and a
standalone New Address message queue destined to the CPU. Each queue has a fixed depth. Packet
dropping is enabled when the queues reach their limit.
Two mechanisms are set:
• Protecting Against New Address Attacks— The rate limit mechanism for learning new addresses is
hardware based. It is designed to prevent overloading the CPU when new MAC address
requests arrive at a high pace.
• Protecting Against CPU Attacks— The rate limiting hardware mechanism is designed to reduce
CPU usage. You can define a rate limit for traffic to the CPU to prevent overloading the CPU
when the pace at which packets are forwarded to it is too high.
• Figure 2 shows the packet flow through the device when the rate limit mechanism is enabled.
Figure 2: Rate Limit Mechanism
Page 112
Packet-Rate Thresholds' Default Configuration

Table 39: Packet-Rate Threshold Default Configuration
Rate limit for learning new addresses for 1500 packets per second
the entire device
Rate limit to the CPU for the entire device 1500 packets per second
Low packet-rate threshold 200 packets per second
High packet-rate threshold 5000 packets per second
The Packet-Rate Thresholds' Commands

Table 40: Packet-Rate Threshold Commands
Command Description
set packets_threshold Configures packet-rate threshold levels

(see Configuring Packet-Rate Thresholds)
reset packets_threshold Clears the CPU packet-rate statistics
statistics (see Clearing the CPU Packet Threshold)
show packets_threshold Displays the current packet-rate threshold levels
(see Displaying Packet-Rate Thresholds)
Configuring Packet-Rate Thresholds

The set packets_threshold command configures rate threshold levels for packets that load the
CPU.
CLI Mode: Global Configuration mode

Default packet-rate threshold levels are described in Table 39.
Command Syntax
device-name(config)#set packets_threshold <low> <high>
low Low packet rate threshold in packets per second. The range is <50–10000>.
high High packet rate threshold in packets per second. The range is <100–
10000>.
Page 113
Example
The following example sets the threshold levels to:
• Accept all packets if the rate is less or equal to 300 packets per second
• Accept only high-priority packets if the rate is higher than 300 packets per second, but not
more than 4000 packets per second
• Reject all packets if the rate exceeds 4000 packets per second
device-name(config)#set packets_threshold 300 4000
Clearing the CPU Packet Threshold

The reset packets_threshold statistics command clears the CPU packet-rate statistics.
Command Syntax
device-name#reset packets_threshold statistics
Displaying Packet-Rate Thresholds

The show packets_threshold command displays the current packet-rate threshold levels.

Table 41 describes the parameters displayed by the show packets_threshold command.
Command Syntax
device-name#show packets_threshold
Example
device-name#show packets_threshold
Low packet rate threshold is 200 pps
High packet rate threshold is 5000 pps
Packets rate per sec: 6 In packets: 1425 Drop packets: 0
Table 41: Parameters Displayed by the show packets_threshold Command

Parameter Description
Low packet rate threshold Low packet rate threshold in packets per second.
High packet rate threshold High packet rate threshold in packets per second.
In packets The number of packets accepted (within the threshold limits)
in the current session.
Drop packets The number of packets rejected (beyond the threshold
limits) in the current session.
Page 114
Packets rate per sec The current rate of information flows to the CPU, in terms of
packets-per-second.
Page 115
Control Plane Priority per Protocol

Table 42: Control Plane Priority per Protocol
Protocol Control Packets Priority
LACP LACPDU 7
MEF8 Ethernet 0–7
CFM BPDU 6
EFM OAM BPDU 6
DHCP IP 6
ICMP IP 6
ARP Ethernet 6
SNMP UDP 6
Telnet TCP 6
SSH TCP 6
TFTP UDP 6
DHCP Client UDP 6
RADIUS UDP 6
TACAS + TCP 6
SYSLOG messages UDP 6
Page 116
Supported Platforms
Managing the MAC Address Table + +

Managing the ARP Table + +
Script Files System + +
Configuring Default Settings + +
Zero Configuration Networking + +
Software Upgrade and Boot Options + +
Boot Loader + +
Managing the System Time and Date + +
DHCP Client + +
CPU Resource Control + +

Managing the MAC No Standards are Standard MIB, No RFCs are

Address Table supported by this 8021Q_d6.mib supported by this
feature. feature.
Managing the ARP No standards are Private MIB, RFC 791, Internet
Table supported by this prvt_switch_ipvaln.mib Protocol DARPA
feature. Internet Program
Protocol Specifications
RFC 919,
Broadcasting Internet
Datagrams
RFC 922,
Broadcasting Internet
Datagrams in the
Presence of Subnets
RFC 1042, A Standard
for the Transmission
of IP Datagrams over
IEEE 802 Networks
RFC 1122,
Requirements for
Internet Hosts --
Communication
Layers
RFC 1812,
Requirements for IP
Version 4 Routers
Page 117
Script Files System No standards are No MIBs are supported No RFCs are
supported by this by this feature. supported by this
feature. feature
Configuring Default No standards are No MIBs are supported No RFCs are
Settings supported by this by this feature. supported by this
feature. feature
Zero Configuration No standards are No MIBs are supported RFC 2131, Dynamic
Networking supported by this by this feature. Host Configuration
feature. Protocol
RFC 2132, DHCP
Options and BOOTP
Vendor Extensions
Software Upgrade and No standards are No MIBs are supported No RFCs are
Boot Options supported by this by this feature. supported by this
feature. feature.
Boot Loader No Standards are No MIBs are supported No RFCs are
supported by this by this feature. supported by this
feature. feature.
Managing the System No standards are No MIBs are supported RFC 867, Daytime
Time and Date supported by this by this feature. Protocol
feature. RFC 868, Time
Protocol
DHCP Client No standards are No MIBs are supported RFC 951, Bootstrap
supported by this by this feature. Protocol (BOOTP)
feature. RFC 1542,
Clarifications and
Extensions for the
Bootstrap Protocol
RFC 2131, Dynamic
Host Configuration
Protocol
RFC 2132, DHCP
Options and BOOTP
Vendor Extensions
CPU Resource No standards are Private MIB, No RFCs are
Control supported by this prvt_bist.mib supported by this
feature. feature.
Page 118
Configuring Interfaces
Table of Figures ······················································································ 3
Fast Ethernet and Giga Ethernet Ports ·························································· 5

Overview ·························································································· 5
Fast and Giga Ethernet Ports Default Configuration ········································· 6
Fast and Giga Ethernet Ports Configuration Commands····································· 7
Link Aggregation Control Protocol (LACP) ···················································23

LACP Modes·····················································································23
LACP Parameters················································································23
Link Aggregation Groups (LAGs) ·····························································24
LAG Default Configuration ····································································26
LAG Configuration Flow ·······································································26
LAG Configuration Commands································································27
Configuration Examples ········································································34
Resilient Links·······················································································43
Overview ·························································································43
Resilient Links Default Configuration ·························································43
Resilient Links Configuration Flow ····························································44
Resilient Links Configuration Commands ····················································45
Port Security Techniques ··········································································51

Overview ·························································································51
The Port Security Default Configuration······················································52
The Port Security Configuration Commands ·················································52
The Port Limit Feature ············································································61

Overview ·························································································61
Port Limit Default Configuration ······························································61
Port Limit Commands ··········································································61
Page 1
Configuring Interfaces (Rev. 08)
Interfaces Management············································································65
Overview ·························································································65
Interfaces Management Commands ···························································65
Alarm Propagation Feature ·······································································67

Overview ·························································································67
Alarm Propagation Commands ································································67
Page 2
Table of Figures
Figure 1: Four Ports Combined into a Link Aggregation Group ···························24
Figure 2: Example of LAG Containing Two Ports···········································34
Figure 3: Example of Two LAGs Configured on the Same Device ························35
Figure 4: Example of Two Static LAGs with RSTP··········································40
Figure 5: Example of a Resilient Link Topology··············································50
Figure 6: Alarm Propagation Configuration Example········································69
Page 3

This chapter describes the T-Marc 300 Series device interface types and their configuration. In
addition, the chapter includes port security methods.
The chapter includes the following sections:
• Fast Ethernet and Giga Ethernet Ports
This section details the T-Marc 300 Series device interfaces and the commands to
configure them.
• Link Aggregation Control Protocol (LACP)
This protocol provides increased bandwidth, increased redundancy, and higher
availability.
• Resilient Links
Resilient links allow protecting critical links and preventing network downtime.
• Port Security Techniques
Using port security techniques on T-Marc 300 Series device provides control over every
device plugged into the internal network.
• Alarm Propagation Feature
Alarm Propagation is a fault detection feature that identifies faults in network uplinks and
alarms downstream devices.
Page 4
Fast Ethernet and Giga Ethernet Ports

Overview
T-Marc 300 Series device allows service providers to deliver multiple services on separate user
ports. It supports multiple application-flows over a single customer interface, mapping each flow to
a different traffic class.
The device supports:
• Flexible Ethernet combo-port interfaces
Dual-speed (100M and 1000M) fiber interfaces
Pluggable optics, including CWDM
Tri-speed (10/100/1000M) copper interfaces
• ASCII/RJ-45 management ports
Page 5
Fast and Giga Ethernet Ports Default Configuration

Table 1: Fast Ethernet and Giga Ethernet Ports Default Configuration
Interface state Enabled

Port name None
Backpressure mode Disabled
Duplex speed For Fast Ethernet Fiber: Auto-negotiation.
For Giga Ethernet Fiber: Auto-negotiation.
For Fast Ethernet and Giga Ethernet Copper: Auto-
negotiation.
Flow Control mode Disabled
Default VLAN 1
Broadcast rate limit Unlimited
Multicast rate limit Unlimited
Unknown rate limit Unlimited
Packet size limit 1632
Remote fault detect Disabled
Crossover detection Automatic
Learning new address Enabled
Page 6
Fast and Giga Ethernet Ports Configuration

Commands
Table 2: Fast and Giga Ethernet Configuration Commands
Command Description
interface Enters the configuration mode of a specific physical interface, a

LAG, an interface range, or a LAG range (see Entering the
Interface Configuration Mode)
name Assigns a name to a physical interface or a group of interfaces
(see Specifying the Interface Name)
speed Specifies the interface speed (see Specifying the Interface
Speed)
duplex Specifies a duplex parameter for the specified interface (see
Specifying the Interface Duplex Mode)
backpressure Enables/disables the backpressure mode (see Defining the
Backpressure Mode)
flow control Changes the flow control mode (see Defining the Flow Control
Mode)
default vlan
Specifies a default VLAN for a physical interface or group of
interfaces (see Adding Ports to a Default VLAN)
packet-size-limit Specifies the jumbo frame size (see Specifying the Jumbo
Frames Size)
remote-fault-detect Enables remote fault detection on the configured interface that is
connected to a 100Base Fiber pair (see Configuring the Remote
Fault Detection)
shutdown Disables all functions of a specific port (see Disabling an
Interface)
Table 3: IP Interface Commands

Command Description
interface Enters the IP interface configuration mode (see IP Interface

Configuration Mode)
show ip interface Displays the IP interface configuration and statistics (see
Displaying the IP Interface Configuration)
Page 7
Table 4: Commands for Displaying and Clearing Interface Settings and Statistics
Command Description
show Display the status and configuration of all interfaces or for the
specified interface (see Displaying Interface Configuration
and
Settings).
show interface
show interface Displays interface statistics and packet counters (see Displaying
statistics Interface Statistics)
reset Clear all current statistics from a specific physical interface or a
group of interfaces (see Clearing Interface Statistics)
and
clear interface
statistics
Entering the Interface Configuration Mode

The interface command enters the configuration mode of a specific physical interface, a LAG, an
interface range, or a LAG range.
When in the Range Configuration mode, all the commands are applied to all ports/LAGs within
that range, until exiting this mode.
CLI Mode: Global Configuration, Interface Configuration, Interface Range Configuration,

LAG Configuration, and LAG Range Configuration
Command Syntax
device-name(config)#interface {UU/SS/PP | ag0N | range PORT-LIST | range
PORT-AG-LIST}
device-name(config-if UU/SS/PP)#
device-name(config-if AG0N)#
device-name(config-if UU1/SS1/PP1)#interface UU2/SS2/PP2

device-name(config-if UU2/SS2/PP2)#
device-name(config-if-group)#interface {UU/SS/PP | ag0N | range PORT-LIST|

range PORT-AG-LIST}
device-name(config-ag-group)#interface {UU/SS/PP | ag0N | range PORT-LIST|
range PORT-AG-LIST}
device-name(config-if AG0N)#interface {UU/SS/PP | ag0N | range PORT-LIST|
range PORT-AG-LIST}
UU/SS/PP Represents the unit, slot, and port numbers of the configured interface.
ag0N Represents a LAG ID in the range of <1–7>.
range PORT- Specifies one or more port numbers. Use commas as separators and
LIST hyphens to indicate sub-ranges (for example, 1/2/1–1/2/8, 1/1/2).
Page 8
range PORT- Specifies a LAG names’ list (for example AG01, AG04–AG07), in the range
AG-LIST <01–07>.
Example 1
device-name(config-if 1/1/1)#interface 1/1/2
device-name(config-if 1/1/2)#
Example 2
device-name(config)#interface ag01
device-name(config-if AG01)#interface 1/1/2
Example 3
device-name(config)#interface range ag01
device-name(config-ag-group)#interface 1/1/1
Specifying the Interface Name

The name command assigns a name to a physical interface or a group of interfaces.
CLI Mode: Interface Configuration and Range Interface Configuration

By default, the port has no name.
Command Syntax
device-name(config-if UU/SS/PP)#name NAME
device-name(config-if UU/SS/PP)#no name
device-name(config-if-group)#name NAME
device-name(config-if-group)#no name
NAME An alphanumeric name of up to 256 characters. Spaces are allowed.
no Removes the port name.
Page 9
Specifying the Interface Speed

The speed command defines the duplex speed of a specified interface or interface range.
The Giga copper ports support crossover detection. This feature allows a device port to automatically
detect, transmit, and receive the Ethernet cable’s polarity (the relevant cable type).
NOTE
To ensure reliable performance, it is essential to configure the same settings for two
Gigabit fiber ports communicating with each other.
Either enable autonegotiation on both interfaces or set the same duplex speed for
both.

By default, the device is configured to use auto-negotiation to determine the port speed and duplex
setting.
Command Syntax
device-name(config-if UU/SS/PP)#speed {auto | 10 | 100 | 1000}
device-name(config-if-group)#speed {auto | 10 | 100 | 1000}
auto The port automatically finds the highest speed supported on the link.
10 Sets the duplex speed type to 10Mbps.
100 Sets the duplex speed type to 100Mbps.
1000 Sets the duplex speed type to 1Gbps.
Specifying the Interface Duplex Mode

The duplex command specifies the duplex mode of a physical interface or a group of interfaces.

In full-duplex mode, two devices can send and receive at the same time. Full-duplex
communication is often an effective solution for collisions, which are major constrictions in
Ethernet networks. 10 Mbps ports usually operate in half-duplex mode (the device can either
receive or transmit).
NOTE
To ensure reliable performance, it is essential to configure the same settings for two
Gigabit fiber ports communicating with each other.
Either enable autonegotiation on both interfaces or set the same duplex mode for
both.
By default, the device is configured to use auto-negotiation to determine the port speed and duplex
setting.
Page 10
Command Syntax
device-name(config-if UU/SS/PP)#duplex {auto | full | half}
device-name(config-if-group)#duplex {auto | full | half}
auto Enables the auto detect mode.
full Enables the full duplex mode.
half Enables the half duplex mode.
Defining the Backpressure Mode

The backpressure command enables/disables the backpressure mode.

Backpressure is a technique for ensuring that a transmitting port does not send too much data to a
receiving port at a given time. When the buffer capacity of a receiving port exceeds, it sends a Jam
message to the transmitting port to halt transmission.
NOTE
Backpressure functions only if the port operates in half-duplex mode.
By default, backpressure is disabled.
Command Syntax
device-name(config-if UU/SS/PP)#backpressure {enable | disable}
device-name(config-if-group)#backpressure {enable | disable}
enable Enables backpressure mode.
disable Disables backpressure mode.
Defining the Flow Control Mode

The flow-control command enables/disables the flow control mode.
Flow control is a technique for ensuring that a transmitting port does not send too much data to a
receiving port at a given time. When the port’s buffer is filled, the port transmits a special packet
requesting remote ports to delay sending packets for a period of time.
NOTE
Valid only in full-duplex mode.

By default the flow control is disabled.
Page 11
Command Syntax
device-name(config-if UU/SS/PP)#flow-control {enable | disable | autonegotiate}
device-name(config-if-group)#flow-control {enable | disable | autonegotiate}
enable Enables flow control.
disable Disables flow control.
autonegotiate Enables flow control autonegotiation.
Adding Ports to a Default VLAN

The default vlan command specifies a default VLAN for a physical interface or a group of
interfaces.
You can define only one default VLAN per port. For more information regarding VLAN
commands, refer to the Configuring VLANs and Super VLANs chapter of this User Guide.

By default, the default VLAN (PVID) for all ports is 1.
Command Syntax
device-name(config-if UU/SS/PP)#default vlan <vlan-id>
device-name(config-if UU/SS/PP)#no default vlan
device-name(config-if-group)#default vlan <vlan-id>

device-name(config-if-group)#no default vlan
vlan-id The interface’s default VLAN, in the range of <1–4094>.
no Restores the default VLAN to VLAN 1.
Specifying the Jumbo Frames Size

The packet-size-limit command specifies the maximum packet size allowed for a specific
physical interface or a group of interfaces.
CLI Modes: Interface Configuration and Range Interface Configuration

The default packet size limit is 1632 bytes.
Command Syntax
device-name(config-if UU/SS/PP)#packet-size-limit {NUMBER | default}
device-name(config-if-group)#packet-size-limit {NUMBER | default}
Page 12
NUMBER Specifies the maximum allowed packet size on the port, <512–9216> bytes.
default Restores the default value of the packet size to 1632 bytes.
Example
device-name(config-if 1/1/1)#packet-size-limit 1522
device-name(config-if 1/1/1)#show
...
...
Maximum Packet Size (MTU) = 1522
Configuring the Remote Fault Detection

The remote-fault-detect command enables remote fault detection on the configured interface
that is connected to a 100Base Fiber pair.

When enabling remote fault detection on such an interface, the device indicates link down on the
port if the remote peer detects link down.
NOTE
The remote-fault-detect command is available only on 100Base Fiber ports.
Command Syntax
device-name(config-if UU/SS/PP)#remote-fault-detect {on | off}
device-name(config-if-group)#remote-fault-detect {on | off}
on Enables the remote fault detection.
off Disables the remote fault detection.
Disabling an Interface
The shutdown command disables all functions of a specific port (receive, forward, and learn).

By default, the port is enabled (active).
Command Syntax
device-name(config-if UU/SS/PP)#shutdown
device-name(config-if UU/SS/PP)#no shutdown
device-name(config-if-group)#shutdown
device-name(config-if-group)#no shutdown
Page 13
no Enables the interface.
IP Interface Configuration Mode

The interface command enters the IP Interface Configuration mode.
Command Syntax
device-name(config)#interface sw0
device-name(config-if sw0)#
Displaying the IP Interface Configuration

The show ip interface command displays the IP interface configuration and statistics.
Command Syntax
device-name#show ip interface [brief | sw0 | lo0]
brief (Optional). Displays brief information of all the defined IP interfaces.
sw0 (Optional). Specifies the number of the IP interface.
lo0 (Optional). Specifies the loopback interface.
Example 1
device-name#show ip interface sw0
Interface sw0
index 3 metric 1 mtu 1500
directed-broadcast disabled
Flags : <UP,BROADCAST,NOTRAILERS,RUNNING,SIMPLEX,MULTICAST>
inet 1.1.1.1/8 broadcast 1.255.255.255
Secondary inet 2.1.1.1/8 broadcast 2.255.255.255
239538 packets received; 15206 packets sent
3617 multicast packets received
56 multicast packets sent
0 input errors; 0 output errors
0 collisions; 0 dropped
0 down count
Page 14
Example 2
device-name#show ip interface brief
Interface lo0
Flags : <UP,LOOPBACK,NOTRAILERS,RUNNING,MULTICAST>
inet 127.0.0.1/8
Interface sw0
Flags : <UP,BROADCAST,NOTRAILERS,RUNNING,SIMPLEX,MULTICAST>
inet 1.1.1.1/8 broadcast 1.255.255.255
Secondary inet 2.1.1.1/8 broadcast 2.255.255.255
Table 5: Parameters Displayed by the show ip interface Command

index The Internal index of the IP interface

metric The IP interface metric value
mtu The Maximum Transfer Unit
flags UP/DOWN—IP interface status
BROADCAST—The broadcast address is valid
NOTRAILERS—The device must avoid using trailers
RUNNING—The device has successfully allocated needed resources
SIMPLEX—The device cannot hear its own transmissions
MULTICAST—The device supports multicast
ALLMULTI—This port receives all multicast packets
LOOPBACK—This is a loopback net
NOARP—There is no address resolution protocol
POINTOPOINT—The IP interface is a point-to-point link
inet The interface's configured IP address and subnet mask
broadcast The broadcast address of the IP interface
Ethernet address The MAC address of the IP interface
packets received The number of packets received on the IP interface
packets sent The number of packets sent from the IP interface
multicast packets The number of multicast packets sent from the IP interface
sent
input errors The number of error packets received on the IP interface
output errors The number of error packets sent from the IP interface
collisions (always 0)
dropped The number of packets dropped on the IP interface
down count The number of times the IP interface went down
Page 15
Displaying Interface Configuration Settings

The commands below display the status and configuration for all ports or for a specified port:
• show interface command
• show command
Command Syntax
device-name#show interface [UU/SS/PP]
device-name(config-if UU/SS/PP)#show
UU/SS/PP (Optional). Selects a specific port to display.
Example 1
The following example displays the settings of all the device interfaces:
device-name#show interface
==========================================================================
|Port |Name |Type |State |Link|DuplSpeed |Flow |Backpres|Default
+-----+--------+--------+-------+----+----------+-------+--------+--------
1/1/1 DUAL disable down unknown disable disable 0001
1/1/2 DUAL enable up full-100 disable disable 0001
1/2/1 DUAL enable down unknown disable disable 0001
Page 16
Example 2
The following example displays the settings of a specific interface:
device-name#show interface 1/1/2
Name =
Type = DUAL (10/100/1000BaseT,MEDIA not installed)
EnableState = enable
Link = up (TX)
Duplex mode = autonegotiate
Speed = autonegotiate
Duplex speed status = full-100
Flow control mode = disable
Flow control status = disable
Backpressure = disable
Broadcast limit = unlimited
Default VLAN = 1
Super VLAN Port = No
Learning new address = Enabled
Max Packet Size (MRU)= 1632
Displaying Interface Statistics

The commands below display the interface statistics and packet counters:
• show interface statistics command
• show statistics command
CLI Mode: Interface Configuration and LAG Interface Configuration
NOTE
The MaxPacketSize refers to the maximum supported packet size depending on the
configuration (512 bytes or 9216 Kbytes).
Command Syntax
device-name#show interface [UU/SS/PP | ag0N] statistics [extended]
device-name(config-if AG0N)#show statistics [extended]
UU/SS/PP (Optional). Displays statistics information of a specified interface.
ag0N (Optional). N, the LAG ID number, in the range <1–7>.
extended (Optional). Displays additional packet counters.
Page 17
Example 1
The following example display various packet counters for 1/2/1 interface:
device-name#show interface 1/2/1 statistics
Undersize 0 In/OutPkts 1024-MaxFrameSize 0
Jabbers 0 DownCount 0
DropEvents 0
Table 6: Counters Displayed by the show interface statistics Command

Counter Description
Octets The number of data octets of all received packets on the line. This
includes data octets of rejected and local packets that are not forwarded
to the switching core for transmission.
In case of oversized packets that exceed the allocated buffer-size, only
buffer-size bytes are counted.
Collisions The number of received packet when detecting a collision event.
Broadcast The number of good Broadcast packet received.
Multicast The number of good Multicast packet received.
CRCAlignErrors The number of received packets that meet all the following conditions:
• data-length is between <64–MaxFrameSize> bytes inclusive
• have an invalid CRC
• not detected a collision event
• not detected a late collision event
Undersize The number of received packets that meet all the following conditions:
• data length is less than 64 bytes
• have a valid CRC
Page 18
Counter Description
Oversize The number of received packets that meet all the following conditions:
• data length is greater than MRU
• have valid CRC
NOTE
When the maximum packet size is below 1632,
oversized packets are counted as FCS errored bytes.
The default MRU size is 1632 bytes.
Fragments The number of received packets that meet all the following conditions:
• data length is less than 64 bytes, or the packet does not have a Start
Frame Delimiter (SFD) and is less than 64 bytes
• have an invalid CRC
Jabbers The number of packets that meet one of the following conditions:
• data length is greater than MaxFrameSize and CRC is invalid
• packet length is greater than MaxPacketSize
DropEvents Not supported.
Down Count The number of port disconnections.
The counter is initialized in the following cases:
• When the device starts running (provided that the link to the port is
connected), the counter is zeroed
• When the module is inserted at run-time (hot-swapped), the counter
is initialized to one
• When the link to the port is connected for the first time during run-
time, the counter is initialized to one
TotalInPkts The number of received packets received on the line. This includes
rejected and local packets that are not forwarded to the switching core for
transmission.
In/OutPkts 64 The number of 64 bytes received and transmitted packets including
rejected, received, and transmitted packets.
In/OutPkts 65-127 The number of received and transmitted packets in the range of
<65–127> bytes including rejected, received, and transmitted packets.
In/OutPkts 128- The number of received and transmitted packets in the range of
255 <128–255> bytes including rejected, received, and transmitted packets.
511 <256–511> bytes, including rejected, received, and transmitted packets.
1023 <512–1023> bytes including rejected, received, and transmitted packets.
MaxFrameSize <1024–MaxFrameSize> bytes including rejected, received, and
transmitted packets. The default MaxFrameSize is 1632 bytes.
TotalIn/OutPkts The number of received and transmitted packets in the range of <64–
MaxFrameSize> bytes including rejected, received, and transmitted
packets.
Page 19
Counter Description
Last5secInPkts The number of packets received during the five seconds before executing
the command.
Last1minInPkts The number of packets received during the minute before executing the
command.
Last5minInPkts The number of packets received during the five minutes before executing
the command.
Last5secOutPkts The number of packets transmitted during the five seconds before
executing the command.
Last1minOutPkts The number of packets transmitted during the minute before executing
the command.
Last5minOutPkts The number of packets transmitted during the five minutes before
Last5secInBps The rate of packets received, in bits per second, during the five seconds
before executing the command.
Last1minInBps The rate of packets received, in bits per second, during the minute before
Last5minInBps The rate of packets received, in bits per second, during the five minutes
Last5secOutBps The rate of packets transmitted, in bits per second, during the five
seconds before executing the command.
Last1minOutBps The rate of packets transmitted, in bits per second, during the minute
Last5minOutBps The rate of packets transmitted, in bits per second, during the five
minutes before executing the command.
NOTE
The Last5secInBps, Last1minInBps, Last5minInBps, Last5secOutBps,
Last1minOutBps, and Last5minOutBps counters are updated every 5 seconds. After
receiving/transmitting the packets, you must wait for 10 seconds to pass in order to
receive a correct value of the corresponding statistics.
Example 2
The following example uses the extended keyword to display additional packet counters:
device-name#show interface 1/1/1 statistics extended
InOctets 41061272 OutOctets 7948538
InUcastPkts 73572 OutUcastPkts 73825
InNUcastPkts 3873 OutNUcastPkts 28439
InDiscards 0 OutDiscards N/A
InErrors 1 OutErrors N/A
InUnknownProtos N/A
Page 20
Table 7: Counters Displayed by the show interface statistics extended Command

Counter Description
InOctets The number of data octets of all the received packets on the line. This
includes data octets of rejected and local packets that are not forwarded
to the switching core for transmission.
In case of oversized packets that exceed the allocated buffer-size, only
buffer-size bytes are counted.
InUcastPkts The number of good unicast packets (not including Multicast and
Broadcast packets) received.
InNUcastPkts The number of good Broadcast and Multicast packets received.
InDiscards The number of incoming packets dropped due to lack of receive buffers or
due to exceeding the interface’s Rx buffer threshold.
InErrors This counter is incremented when any of the following events occurs:
• Undersized frames (less than 64 bytes) that are correctly aligned and
well formed without Frame Check Sequence (FCS) Errors
• Fragments (less than 64 bytes) that are misaligned and/or with
Frame Check Sequence (FCS) Errors
• Oversized frames (frames with size bigger than the MTU value) that
are without FCS errors
• Jabber frames (frames with size bigger than the MTU value) that
have FCS errors
• CRC errors
• Fragments and Runts—when the interface goes down while
receiving traffic
• Increment in InDiscards counter
InUnknownProtos Not supported.
OutOctets The number of data octets of good packets transmitted.
OutUcastPkts The number of good Unicast packets transmitted (not including Multicast
and Broadcast packets).
OutNUcastPkts The number of good Broadcast and Multicast packets transmitted.
OutDiscards Not supported.
OutErrors Not supported.
Clearing Interface Statistics

The commands below clear all current statistics from a specific physical interface, a group of
interfaces, or LAG interface:
• reset command
CLI Mode: Interface Configuration, Range Interface Configuration, and LAG

Interface Configuration
• clear interface statistics command
Page 21
Command Syntax
device-name(config-if UU/SS/PP)#reset [all]
device-name(config-if-group)#reset [all]
device-name(config-if AG0N)#reset [all]
device-name#clear interface statistics
all (Optional). Clear the statistics of all ports.
Page 22
Link Aggregation Control Protocol (LACP)

LACP, defined in IEEE 802.3ad, dynamically groups similarly configured ports into a single logical
link (aggregate port). This protocol provides increased bandwidth, increased redundancy, and
higher availability. You can group ports based on hardware, administrative, and port parameter
constraints.
The device exchanges LACP frames for synchronizing the databases of the LACP-enabled ports.
Due to hardware limitations, you can group up to eight compatible ports in a LAG.
LACP Modes
There are two LACP operation modes:
• Active—an interface in active mode can start LACP negotiation and thus form a link with
another device (whether active or passive).
• Passive—does not start LACP negotiation; thus cannot form a link with another device.
LACP Parameters
A port’s ability to aggregate with other ports is determined by the following factors:
• The port physical characteristics such as, data transfer rate, duplex capability, and medium type
• User defined configuration constraints
To use LACP, you need to define the following parameters:
1. System ID: the ID identifying an LACP system negotiating with other LACP systems. The
device uses its MAC address as a unique system ID.
2. System priority: the system priority along with the port priority allows connected LACP ports to
determine their exchange policy dynamically.
3. Administrative key: define the port’s ability to aggregate with other ports.
4. Port priority: the port priority and the system priority allow connected LACP ports to determine
their exchange policy dynamically.
When enabled, LACP attempts to group the maximum of eight compatible ports in a LAG.
However, if LACP is unable to aggregate compatible ports (for example, due to limitations of the
remote device), it leaves these ports in a hot standby state and uses them when one of the
channeled ports fails.
Page 23
Link Aggregation Groups (LAGs)

LAGs, also known as trunks, provide increased bandwidth and high reliability while saving the cost
of upgrading the hardware.
By combining several interfaces in one logical link, LAGs fill the gaps between 10 Mbps, 100 Mbps,
and 1 Gbps with intermediate bandwidth values.
LAGs also enable bandwidths beyond 1 Gbps by aggregating multiple Giga ports (as shown in the
below figure).
NOTE
The LAGs are numbered from 1 to 7.
Each LAG can consist of up to eight compatibly configured interfaces.
Figure 1: Four Ports Combined into a Link Aggregation Group
There are two LAG types:

• Static LAGs consist of individual Gigabit Ethernet links bundled into a single logical link. They
provide the ability to treat multiple device ports as one device port. These port groups act as a
single logical port for high-bandwidth connections between two network devices. A static
LAG balances the traffic load across the links in the channel. If a physical link within the static
LAG fails, traffic previously carried over the failed link is moved to the remaining links.
Most protocols operate over either single ports or aggregated device-ports and do not
recognize the physical interface within the port group.
• Dynamic LAGs dynamically adapt aggregated links to changes in traffic conditions. This allows
load sharing and automatic readjustments in case of LAG link-failures and recovery.
Page 24
You can configure both static and dynamic LAGs simultaneously, assuming the following
restrictions:
• LAG IDs of both static and dynamic LAGs occupy the same available LAG IDs’ space
• You cannot define a static LAG and a dynamic LAG with the same LAG ID number
• You can include each port in a single LAG that is either static or dynamic
Prerequisites
Follow the below guidelines for LAG configuration:
• You do not need to modify existing higher-layer protocols or applications in order to use
LACP
• Some links cannot participate in LAGs due to inherent capabilities, capabilities of the devices
they are connected to, or management configuration. These links operate as individual links.
• LACP supports only point-to-point full-duplex links. You cannot aggregate links among more
than two devices (multipoint aggregations) and half-duplex operation.
• When the device is connected to a LAN and Spanning Tree protocol (STP) is not active, you
need to physically attach the aggregated ports only after completing the LAG configuration.
Page 25
LAG Default Configuration

Table 8: LAG Default Configuration
Static Link Aggregation Disabled

Global Link Aggregation Control Protocol (LACP) Disabled
Per port Link Aggregation Control Protocol (LACP) Disabled
LACP system priority 32768
LACP port mode Active
LACP port priority 32768
LACP administrative key 1
LAG distribution MAC address
The marker PDU responder per port Disabled
LAG Configuration Flow

To create a static LAG, proceed as follows:
1. Add a specific interface to a static LAG (see Configuring a Static LAG)
2. Optional configuration: Assign a user-defined name for a specific static LAG (see Naming a
Static LAG)
To create a dynamic LAG, proceed as follows:

1. Configure LACP (see Enabling LACP)
2. Assign a physical interface(s) to a LAG (see Assigning Interfaces to a Dynamic LAG)
3. Optional configuration:
Specify the LACP system priority (see Specifying the LACP System Priority)
Specify the LACP administrative key (see Specifying the LACP Administrative Key)
Configure the processing of LACP PDU marker (see Configuring the LACP Marker)
Specify the LAG packet distribution between the ports (see Specifying the LAG Distribution)
Page 26
LAG Configuration Commands

Table 9: Static LAG Configuration Commands
Command Description
link-aggregation static id Adds a physical interface or a group of interfaces to a

static LAG (see Configuring a Static LAG)
link-aggregation static id Assigns a user-defined name for a specific static LAG
name
(see Naming a Static LAG)
Table 10: Dynamic LAG Configuration Commands

Command Description
link-aggregation lacp Configures LACP (see Enabling LACP)

enable/disable
link-aggregation lacp Assigns a physical interface or group of interfaces to a
LAG, and specifies LACP parameters (see Assigning
Interfaces to a Dynamic LAG)
link-aggregation lacp Specifies the LACP system priority (see Specifying the
system-priority LACP System Priority)
link-aggregation lacp key Specifies the LACP administrative key (see Specifying the
LACP Administrative Key)
link-aggregation lacp Configures the processing of LACP PDU marker (see
marker Configuring the LACP Marker)
link-aggregation distribute Specifies the LAG packet distribution between the ports
(see Specifying the LAG Distribution)
Table 11: Commands for Displaying the Static LAG and LACP Configuration
Command Description
show interface link- Displays all static and dynamic LAGs (see Displaying
aggregation LAGs)
show link-aggregation lacp Displays a list of all LACP enabled interfaces (see
Displaying LACP Interfaces)
show link-aggregation Displays the LAG packet distribution configuration (see
distribute Displaying the LAG Distribution)
Page 27
Configuring a Static LAG

The link-aggregation static id command adds a physical interface or a group of interfaces to
a static LAG.
NOTE
The link-aggregation static command replaces the trunk command.
By default, static LAG is disabled
Command Syntax
device-name(config-if UU/SS/PP)#link-aggregation static id <id-number>
device-name(config-if UU/SS/PP)#no link-aggregation
device-name(config-if-group)#link-aggregation static id <id-number>

device-name(config-if-group)#no link-aggregation
id <id-number> LAG ID in the range <1–7>.
no Removes the configured interface or a group of interface from the static
LAG.
Naming a Static LAG

The link-aggregation static id name command assigns a user-defined name for a specific
static LAG.

By default, the static LAG is not named.
Command Syntax
device-name(config)#link-aggregation static id <id-number> name NAME
device-name(config)#no link-aggregation static id <id-number> name
id-number LAG ID in the range <1–7>.
NAME Alphanumeric string up to 32 characters.
no Removes the user-defined name.
Page 28
Enabling LACP
The link-aggregation lacp enable/disable command enables LACP.
CLI Mode: Protocol Configuration

By default, LACP is disabled.
Command Syntax
device-name(cfg protocol)#link-aggregation lacp {enable | disable}
enable Enables LACP.
disable Disables LACP.
Assigning Interfaces to a Dynamic LAG

The link-aggregation lacp command enables LACP on a physical interface or group of
interfaces, assigns them to a dynamic LAG, and specifies the LACP parameters.
If you do not specify optional arguments and you do not enable LACP on the interface, the
interface is configured with default argument values.
If you enable LACP on the interface, only explicitly defined optional arguments take effect.

By default, the LACP port is in active LACP mode with priority 32768.
Command Syntax
device-name(config-if UU/SS/PP)#link-aggregation lacp [active | passive] [port-
priority [<priority>] key <number>]]
device-name(config-if UU/SS/PP)#no link-aggregation lacp port-priority
device-name(config-if UU/SS/PP)#no link-aggregation
device-name(config-if-group)#link-aggregation lacp [active | passive] [port-

priority [<priority>] key <number>]]
device-name(config-if-group)#no link-aggregation lacp port-priority
device-name(config-if-group)#no link-aggregation
active (Optional). Enables LACP in active mode.
passive (Optional). Enables LACP in passive mode.
port-priority The port priority value, in the range <1–65535>.
<priority>
key <number> (Optional). Number of the LACP administrative key, in the range <1–
65535>.
Page 29
no Disables LACP and restores to defaults.
Specifying the LACP System Priority

The link-aggregation lacp system-priority command specifies the LACP system priority.

By default, the LACP system priority is 32768.
Command Syntax
device-name(cfg protocol)#link-aggregation lacp system-priority [<priority>]
device-name(cfg protocol)#no link-aggregation lacp system-priority
priority (Optional). Priority value, in the range of 1 (highest priority) to 65535 (lowest
priority).
no Restores to default.
Specifying the LACP Administrative Key

The link-aggregation lacp key command specifies the LACP administrative key, determining
the ability of the port to aggregate with other ports.
CLI Mode: Interface Configuration, Range Interface Configuration

By default, the LACP administrative key is 1.
Command Syntax
device-name(config–if UU/SS/PP)#link-aggregation lacp key <number>
device-name(config–if-group)#link-aggregation lacp key <number>
number LACP administrative key in the range <1–65535>.
Page 30
Example
The following example shows how to set the LACP key to 65535:
device-name(config-if 1/1/1)#link-aggregation lacp
device-name(config–if 1/1/1)#link-aggregation lacp key 65535
Value is displayed in the output issued by the show link-aggregation lacp command:
device-name#show link-aggregation lacp
System ID = 00 a0 12 17 01 00
System priority = 32768
========+========+=======+=========
Port | Mode | Key | Prty |
--------+--------+-------+--------+
1/1/1 | active | 65535| 32768 |
========+========+=======+=========
Configuring the LACP Marker

The link-aggregation lacp marker command configures the processing of the LACP PDU
marker on a specific port.

By default, the marker PDU responder per port is disabled.
Command Syntax
device-name(config–if UU/SS/PP)#link-aggregation lacp marker {enable | disable}
device-name(config–if-group)#link-aggregation lacp marker {enable | disable}
enable Enables the processing of LACP PDU marker.
disable Disables the processing of LACP PDU marker.
Example
device-name(config-if 1/1/1)#link-aggregation lacp marker enable
Page 31
Specifying the LAG Distribution

The link-aggregation distribute command specifies the LAG packet-distribution between
the ports.
You can define the packet distribution based on:
• the source and destination MAC addresses (Layer 2)
• the source and destination IP addresses (Layer3)

By default, the traffic on the LAG is distributed by Layer 2 (MAC addresses).
Command Syntax
device-name(cfg protocol)#link-aggregation distribute {layer3 | layer4}
device-name(cfg protocol)#no link-aggregation distribute
layer3 Distributes packets based on the packets’ source and destination IP addresses.
layer4 Distributes packets based on the TCP/UDP ports and the source and destination IP
addresses for the TCP and UDP packets.
no Restores to the default settings.
Displaying LAGs
The show interface link-aggregation command displays all static and dynamic LAGs.
NOTE
The show link aggregation command replaces the show trunk command.
The show trunk command is also supported.
Command Syntax
device-name#show interface link-aggregation [static | dynamic | id <id-number>]
static (Optional) displays static LAGs only.
dynamic (Optional) displays dynamic LAGs only.
id <id-number> (Optional) displays the LAG specified.
Page 32
Example
device-name#show interface link-aggregation
==========+========+=================+=====================
Agg# |Type | Management Name | Ports |
----------+--------+-----------------+--------------------+
AG01 | static | TRUNK1 | 1/1/1,1/1/2,1/2/5 |
|=========+========+=================+=====================
Displaying LACP Interfaces

The show link-aggregation lacp command displays a list of all LACP enabled interfaces.
Command Syntax
Example
System ID = 00 a0 12 02 02 02
========+========+=======+=======+
--------+--------+-------+-------+
1/2/1 | active | 1 | 32768 |
1/2/2 | active | 1 | 32768 |
========+========+=======+=======+
Displaying the LAG Distribution

The show link-aggregation distribute command displays the LAG packet-distribution
configuration.
Command Syntax
device-name#show link-aggregation distribute
Example
device-name#show link-aggregation distribute
Link aggregation distribution mode is Layer 2
Page 33
Configuration Examples
Simple LACP Configuration
The following example establishes dynamic link aggregation between two devices, as shown in
Figure 2.
Figure 2: Example of LAG Containing Two Ports
On each of the two devices, LACP is enabled in active mode on interfaces 1/1/1 and 1/1/2 as an
aggregated link. The configuration of Device2 is identical to that of Device1.
4. Display the LACP status:
LACP disabled on the system
5. Enable the LACP:

device-name(cfg protocol)#link-aggregation lacp enable
6. Display the LACP configuration:

System ID = 00 A0 12 03 04 05
No LAC ports configured
7. Enable LACP on interface 1/1/1:

8. Enable LACP on interface 1/1/2:

Page 34

System ID = 00 A0 12 03 04 05
========+========+=======+======+
Port | Mode | Key |Prty |
--------+--------+-------+------+
1/1/1 | active | 1 |32768 |
1/1/2 | active | 1 |32768 |
========+========+=======+======+
10. If there is a link between the devices, the following results on each device are displayed:
device-name#show interface link-aggregation
==========+========+=================+=====================
----------+--------+-----------------+--------------------+
AG01 | LACP | LACP1 | 1/1/1,1/1/2 |
==========+========+=================+=====================
Complex LACP Configuration

The following example establishes two dynamic link aggregation groups between Device 1,
Devices2 and 3, as shown in Figure 3.
Figure 3: Example of Two LAGs Configured on the Same Device
Page 35
Configuring Device 1:
On Device1, LACP is enabled in active mode on the following interfaces:
• 1/1/1, 1/1/2, 1/2/1 and 1/2/2, as an aggregated link to Device2
• 1/2/3 and 1/2/4, as an aggregated link to Device3
1. Enter Protocol Configuration mode and enable the LACP on Device1:
Device1#configure terminal
Device1(config)#protocol
Device1(cfg protocol)#link-aggregation lacp enable
Device1(cfg protocol)#end

Device1#show link-aggregation lacp
System ID = 00 00 02 03 04 05
3. Enable LACP on interfaces 1/1/1, 1/1/2, 1/2/1, 1/2/2, 1/2/3 and 1/2/5:
Device1(config)#interface range 1/1/1-1/2/5
Device1(config-if-group)#link-aggregation lacp
Device1(config-if-group)#end

System ID = 00 00 02 03 04 05
========+========+=======+======+
--------+--------+-------+------+
1/1/1 | active | 1 |32768 |
1/1/2 | active | 1 |32768 |
1/2/1 | active | 1 |32768 |
1/2/2 | active | 1 |32768 |
1/2/3 | active | 1 |32768 |
1/2/5 | active | 1 |32768 |
========+========+=======+======+
Page 36
On Device2, LACP is enabled in active mode on interfaces 1/1/1, 1/1/2, 1/2/1 and 1/2/2, as an
aggregated link to Device1.

System ID = 00 a0 12 05 3a 80
3. Enable LACP on interfaces 1/1/1, 1/1/2, 1/2/1 and 1/2/2:

Device2(config)#interface range 1/1/1-1/2/2
Device2(config-if-group)#link-aggregation lacp
Device2(config-if-group)#end

System ID = 00 a0 12 05 3a 80
========+========+=======+======+
--------+--------+-------+------+
1/1/1 | active | 1 |32768 |
1/1/2 | active | 1 |32768 |
1/2/1 | active | 1 |32768 |
1/2/2 | active | 1 |32768 |
========+========+======+======+
Page 37
On Device3, LACP is enabled in active mode on interfaces 1/2/3 and 1/2/4, as an aggregated link
to Device 1.

System ID = 00 a0 12 10 94 c0
3. Enable LACP on interfaces 1/2/3 and 1/2/4:

Device3(config)#interface 1/2/3
Device3(config-if 1/2/3)#link-aggregation lacp
Device3(config-if 1/2/3)#interface 1/2/4
Device3(config-if 1/2/4)#link-aggregation lacp
Device3(config-if 1/2/4)#end

System ID = 00 a0 12 10 94 c0
========+========+=======+=======+
--------+--------+-------+-------+
1/2/3 | active | 1 |32768 |
1/2/4 | active | 1 |32768 |
========+========+=======+=======+
Page 38
After the LACP operation the following results on each device are displayed:
Displaying Device 1 Configuration:

Device3#show interface link-aggregation
==========+========+=================+=====================
----------+--------+-----------------+--------------------+
AG01 | LACP | LACP1 | 1/1/1,1/1/2 |
AG02 | LACP | LACP2 | 1/2/3,1/2/5 |
==========+========+=================+=====================

==========+========+=================+=========================
----------+--------+-----------------+------------------------+
AG01 | LACP | LACP1 | 1/1/1,1/1/2,1/2/1,1/2/2|
==========+========+=================+=========================

==========+========+=================+=====================
----------+--------+-----------------+--------------------+
AG02 | LACP | LACP2 | 1/2/3,1/2/4 |
==========+========+=================+=====================
Page 39
Static LAG with RSTP

The following example shows how to establish two static LAGs between two devices.
This setup requires a mechanism such as RSTP to prevent the two LAGs from forming a loop. For
more information, refer to the Configuring Rapid Spanning Tree Protocol (RSTP) chapter of this User
Guide.
The configuration of Device2 is identical to that of Device1. However, there are differences in the
RSTP configuration parameters, since RSTP automatically selects one device (Device 1 in our case)
as the root bridge and the other device (Device 2) as the designated bridge.
Figure 4: Example of Two Static LAGs with RSTP
1. Enable RSTP:
Device1(cfg protocol)#rapid-spanning-tree enable
2. Enable static LAG on interfaces 1/1/1 and 1/2/4:

Device1(config-if 1/1/1)#link-aggregation static id 1
3. Enable Static LAG on interfaces 1/2/7 and 1/2/8:

NOTE
Repeat the above steps on device 2
Page 40

1. Display the static LAG configuration:
Device1#show interface link-aggregation static
=========+======+=======================+=======================
Agg# | Type | Management Name | Ports
---------+------+-----------------------+-----------------------
AG01 |STATIC|TRUNK1 |1/1/1,1/2/4
2. Display the RSTP parameters and Rapid Spanning-Tree topology:

Device1#show rapid-spanning-tree
Rapid spanning tree = enabled
ProtocolSpecification = ieee8021w
Priority = 32768
TimeSinceTopologyChange = 41 (Sec)
TopChanges = 2
DesignatedRoot = This bridge is the root
MaxAge = 20 (Sec)
HelloTime = 2 (Sec)
ForwardDelay = 15 (Sec)
BridgeMaxAge = 20 (Sec)
BridgeHelloTime = 2 (Sec)
BridgeForwardDelay = 15 (Sec)
TxHoldCount = 3
MigrationTimer = 3 (Sec)
DetectLineCRCReconfig = disabled
DetectLineFlapping = disabled
SpanIgmpFastRecovery = disabled
===============================================================================
Port |Pri|Prt role|State|PCost |DCost |Designated bridge |DPrt |FwrdT
--------+---+--------+-----+---------+---------+------------------+------+-----
AG01 128 Designat frwrd 10000 0 32768.00A0121102A3 128.88 1
AG02 128 Designat frwrd 10000 0 32768.00A0121102A3 128.90 1

1. Display the static LAG configuration:
Device2#show interface link-aggregation static
=========+======+=======================+=======================
Agg# | Type | Management Name | Ports
---------+------+-----------------------+-----------------------
Page 41
2. Display the RSTP parameter settings and Rapid Spanning-Tree topology:

Device2#show rapid-spanning-tree
Priority = 32768
TopChanges = 1
DesignatedRoot = 32768.00:A0:12:11:02:A3
RootPort = AG01
RootCost = 10
MaxAge = 20 (Sec)
HelloTime = 2 (Sec)
TxHoldCount = 3
===============================================================================
--------+---+--------+-----+---------+---------+------------------+------+-----
AG01 128 Root frwrd 10000 0 32768.00A0121102A3 128.88 1
AG02 128 Altern discr 10000 0 32768.00A0121102A3 128.90 1
Page 42
Resilient Links
Overview
Resilient links allows protecting critical links and preventing network downtime. A resilient link
consists of a main link and a standby (backup) link together forming a resilient-link pair. Under
normal network conditions, the main link carries network traffic. In case of signal loss, the device
immediately enables the standby link which takes over the main link’s task. Since the switchover
time to the standby link is less than 1 second, there is no session timeout.
If the main link has a higher bandwidth than its standby or if the main link is configured as a
preferred one, traffic is switched back to the main link as soon as its connection is recovered.
Otherwise, you must manually switch traffic back to the main link.
Resilient Links Default Configuration

Table 12: Resilient Link Default Configuration
Preferred port The port with the higher bandwidth.

Active port The port with the higher bandwidth, if both ports are up. If both
ports have the same bandwidth, the active port is the port with
the lower port number (for example, for ports 1/2/3 and 1/2/6 the
active port is 1/2/3).
Backup port status Power-on enabled.
Page 43
Resilient Links Configuration Flow

Configuration Notes
When configuring resilient links, note the following:
• You should define a resilient-link pair only on one end of the link. This provides the ability for
a full redundant network, even when connecting the device to other devices, such as routers
and servers.
• If using the shutdown mode, configure it on one device (either local or remote).
• If you configure a VLAN, the resilient link ports must belong to the same VLAN.
• Adding a new port to an existing resilient link, synchronizes the port’s VLAN to the resilient
link’s VLAN
• If the ports do not use the same VLAN tagging system (802.1Q tagging), the VLAN tagging
of the first port is applied to the second port added.
You can configure a resilient link pair only if:
• the ports have the same PVID
• neither of the ports is part of a LAG
• neither of the ports belongs to another resilient-link pair
Step by Step Configuration

To configure a resilient link, proceed as follows:
1. Enter the Resilient-link Configuration mode (see Entering the Resilient Link Configuration Mode)
2. Add a port pair as a resilient link (see Assigning Ports to a Resilient Link)
3. Optional Configuration:
Specify one of the ports of the resilient link as preferred (see Selecting a Preferred Port)
Switch the active port of the currently edited resilient link (see Switching the Active Port)
Specify the backup link behavior (see Specifying the Backup Link Behavior)
Page 44
Resilient Links Configuration Commands

Table 13: Resilient Link Configuration Commands
Command Description
resilient-link Enters the Resilient-link Configuration mode (see Entering the

Resilient Link Configuration Mode)
ports Adds a port pair as a resilient link (see Assigning Ports to a Resilient
Link)
Table 14: Resilient Link Optional Commands

Command Description
prefer port Specifies one of the ports of the resilient link as preferred (see
Selecting a Preferred Port)
active port Changes the active port of the selected resilient link (see Switching
the Active Port)
backup-link shut- Specifies the backup link behavior (see Specifying the Backup Link
down Behavior)
Table 15: Resilient Link Display Commands

Command Description
show Displays a table of the configured resilient links (see Displaying

the Resilient Link Configuration)
show resilient-links Displays a table of the configured resilient links (see Displaying
the Resilient Link Configuration)
show counter Displays how many swaps each resilient link has undergone in
the current session (see Displaying Resilient Link Counters)
show resilient-links Displays how many swaps each resilient link has undergone in
counter the current session (see Displaying Resilient Link Counters)
Page 45
Entering the Resilient Link Configuration Mode

The resilient-link command enables the resilient link feature and enters the Resilient-link
Configuration mode.
You can use this command within one resilient-link’s configuration mode to enter a different
resilient link configuration.
Command Syntax
device-name(config)#resilient-link <N>
device-name(config-resil-link N)#
device-name(config-resil-link N1)#resilient-link <N2>

device-name(config)#no resilient-link <N>
N The resilient link’s number in the range of <1–32>.
no Removes the specified resilient link.
Example
device-name(config)#resilient-link 1
device-name(config-resil-link 1)#
Assigning Ports to a Resilient Link

The ports command assigns a pair of ports to a resilient link.
CLI Mode: Resilient-link Configuration
Command Syntax
device-name(config-resil-link N)#ports UU1/SS1/PP1 UU2/SS2/PP2
UU1/SS1/PP1 The first resilient link port number.
UU2/SS2/PP2 The second resilient link port number.
Page 46
Selecting a Preferred Port

The prefer port command specifies one port as the preferred resilient-link port.
The preferred port is the active port as long as it has a link and traffic is switched back to this port
when its connection is recovered.

By default, the port with the higher bandwidth (operational speed). If both ports have the same
bandwidth, no port is the preferred one.
Command Syntax
device-name(config-resil-link N)#prefer port UU/SS/PP
device-name(config-resil-link N)#no prefer port
UU/SS/PP The preferred port number.
no Cancels the port preference.
Switching the Active Port

The active port command changes the current active port (the port currently carrying traffic) of
the selected resilient link.
NOTE
You can use this command only if you did not define a preferred port.

By default, (in case the two ports have the same bandwidth capacity and no preferred port was
defined) the first port added to the resilient link using the ports command.
Command Syntax
device-name(config-resil-link N)#active port UU/SS/PP
UU/SS/PP The active port number.
Page 47
Specifying the Backup Link Behavior

The backup-link shut-down command specifies the standby link behavior:
4. The port is powered off (the port’s LED is off). Use this option when transmitting to a non-
resilient link device.
5. The port is powered on (the port’s LED is on). Use this option when transmitting to a resilient
link on a remote device.
Command Syntax
device-name(config-resil-link N)#backup-link shut-down
device-name(config-resil-link N)#no backup-link shut-down
no Powers on the standby port.
Displaying the Resilient Link Configuration

The show and show resilient-links commands display the list of configured resilient links.
The command output displays the resilient-link ID, the resilient link’s ports, the preferred port (if
defined), the standby link behavior, and the current active link.
CLI Mode: Resilient-link Configuration and Privileged (Enable)
Command Syntax
device-name(config-resil-link N)#show [N1 | N1 N2]
device-name#show resilient-links [N1 | N1 N2]
N1 (Optional). The resilient link’s ID number.
N1 N2 (Optional). A range of resilient link ID numbers.
Example 1
Displaying information on all currently configured resilient links:
device-name(config-resil-link 1)#show
=====================================================
| RLink | Port1 | Port2 | Prefer | Backup | Active |
+-------+-------+-------+--------+---------+--------+
| 1 | 1/2/1 | 1/2/2 | 1/2/1 |shut down| 1/2/1 |
| 2 | 1/2/3 | 1/2/4 | | standby | 1/2/4 |
=====================================================
Page 48
Displaying Resilient Link Counters

The show counter command and the show resilient-links counter command display how
many swaps each resilient link has undergone in the current session.
CLI Mode: Resilient-link Configuration and Privileged (Enable)
Command Syntax
device-name(config-resil-link N)#show counter [N1 | N1 N2]
device-name#show resilient-link counter [N1 | N1 N2]
N1 (Optional). The resilient link’s ID number.
N1 N2 (Optional). A range of resilient link ID numbers.
Example 1
Displaying information on all currently configured resilient links:
=====================================================
+-------+-------+-------+--------+---------+--------+
| 1 | 1/1/1 | 1/1/2 | 1/1/1 |shut down| 1/1/1 |
| 2 | 1/2/5 | 1/2/6 | | standby | 1/2/5 |
| 3 | 1/2/3 | 1/2/4 | | standby | 1/2/3 |
=====================================================
Example 2
Displaying information on specific resilient link #3:
device-name(config-resil-link 1)#show 3
=====================================================
+-------+-------+-------+--------+---------+--------+
| 3 | 1/2/3 | 1/2/4 | | standby | |
=====================================================
Example 3
Displaying information on the configured resilient links in the range #1 to #2:
device-name#show resilient-links 1 2
=====================================================
+-------+-------+-------+--------+---------+--------+
| 1 | 1/1/1 | 1/1/2 | 1/1/1 | standby | 1/1/1 |
| 2 | 1/2/5 | 1/2/6 | | standby | 1/2/5 |
=====================================================
Page 49
The following figure shows a simple network diagram of the resilient link on an Ethernet LAN.
Figure 5: Example of a Resilient Link Topology
1. Enter Resilient-link Configuration mode:

2. Set ports 1/1/1 and 1/2/1 as Resilient Links:

device-name(config-resil-link 2)#ports 1/1/1 1/2/1
3. Set the port 1/2/1 to be preferred:

device-name(config-resil-link 2)#prefer port 1/2/1
4. Display the Resilient Link configuration:

=======================================================
| RLink | Port 1 | Port 2 | Prefer | Backup | Active |
+-------+--------+--------+--------+---------+--------|
| 2 | 1/1/1 | 1/2/1 | 1/2/1 | standby | 1/2/1 |
Page 50
Port Security Techniques

Overview
The Port Security feature restricts an interface or VLAN input by limiting and identifying MAC
addresses of devices allowed to access the interface/VLAN.
When a secured port receives a packet, it compares the packet’s source MAC address to the secured
MAC address list.
• If the packet’s source MAC address is in the list, the incoming packet is forwarded.
• If the packet’s source MAC address is not in the secured list, the port does not forward the
packet. In this case, the port either shuts down permanently or drops incoming packets from
the unauthorized device, generating an SNMP trap.
You can configure two types of secured MAC addresses:
• Static secured MAC addresses created manually by the mac-address-table command (for
more information, refer to the Device Administration chapter of this User Guide). These
addresses are stored in the address table and added to the device’s running configuration
• Dynamic secured MAC addresses that are learned dynamically learned. These addresses are
stored in the address table but are removed when the device restarts.
NOTE
Secured MAC addresses do not age.
Page 51
The Port Security Default Configuration

Table 16: Port Security Default Configuration
Port security Disabled

Port security action Trap
Learning the filtered MAC addresses Disabled
The Port Security Configuration Commands

Table 17: Port Security Configuration Commands
Command Description
port security Configures port security (see Configuring Port Security)

port security enable- Re-enables a port that shuts down due to a security violation
shutdown-port (see Re-Enabling a Shut Down Port)
Table 18: Port Security Display Commands

Command Description
show port security Displays the security status of a specific port (see Displaying the
Port Security Configuration)
Page 52
Configuring Port Security

The port security command configures port security on a specific interface or interface range.
NOTE
When configuring port security on a port, the initial frame is lost since the first
packet received from any source is used solely for learning its MAC address.
NOTE
When a packet with a secured source MAC address matches more than one port
security setting, the port security per port and VLAN has precedence over the port
security per port.
By default:
• filtered MAC addresses are learned in the MAC address table
• SNMP trap and a log message are generated when a security violation occurs
• all MAC addresses are learned as secured
Command Syntax
device-name(config-if UU/SS/PP)#port security [max-mac-count <number-of-
addresses> [filter-learn-disable]] [vlan <vlan-id>]
device-name(config-if UU/SS/PP)#no port security [max-mac-count [filter-learn-

disable]] [vlan <vlan-id>]
device-name(config-if UU/SS/PP)#no port security all
device-name(config-if UU/SS/PP)#port security action {shutdown | trap} [vlan
<vlan-id>]
device-name(config-if UU/SS/PP)#no port security action {shutdown | trap} [vlan
<vlan-id>]
device-name(config-if-group)#port security [max-mac-count <number-of-addresses>

[filter-learn-disable]] [vlan <vlan-id>]
device-name(config-if-group)#no port security [max-mac-count [filter-learn-

disable]] [vlan <vlan-id>]
device-name(config-if-group)#no port security all
device-name(config-if-group)#port security action {shutdown | trap} [vlan

<vlan-id>]
device-name(config-if-group)#no port security action {shutdown | trap} [vlan
<vlan-id>]
Page 53
The arguments are mutually exclusive. You can specify an action (shutdown or trap) in one port
security command and specify the maximum number of secured MAC addresses (max-mac-
count) in a second port security command for the same port. Both settings are effective.
action {shutdown | Defines the port reaction upon a security violation:

trap}
• The port shuts down
• An SNMP trap and log message are generated
max-mac-count (Optional). The maximum numbers of secured MAC addresses the
<number-of- port supports, in the range of <1–2048>.
addresses> In this case, an attempt to exceed the maximum-allowed secured
MAC addresses on the port produces an address violation event.
NOTE
Enable new MAC address learning prior to using this
argument to ensure its proper function (see the
Device Administration chapter of this User Guide).
When MAC address learning is not enabled the
following warning message is displayed: “Warning!
Port security may not work correctly since
learning is disabled on the port.”
filter-learn- (Optional). The filtered MAC addresses are not learned in the MAC
disable address table.
vlan <vlan-id> (Optional). Enables port security on the specified VLAN the port is a
member of. The VLAN ID number is in the range of <2–4094>.
NOTE
Using the no port security action trap command
stops the SNMP trap generation when a security violation
occurs.
Example 1
The following example disables learning of the violating MAC address in the MAC address table:
device-name(config-if 1/2/3)#port security max-mac-count 15 filter-learn-
disable
Example 2
The following example displays how to secure port 1/2/3 for VLAN 5 with a maximum of 5
secured MAC addresses:
device-name(config-if 1/2/3)#port security max-mac-count 5 vlan 5
Page 54
Re-Enabling a Shut Down Port

The port security enable-shutdown-port command re-enables a port shut down due to a
security violation.
Command Syntax
device-name(config-if UU/SS/PP)#port security enable-shutdown-port [vlan <vlan-
id>]
device-name(config-if-group)#port security enable-shutdown-port [vlan <vlan-
id>]
vlan <vlan-id> (Optional). Re-enables the port also on the VLAN this port is a member of.
The VLAN ID number is in the range of <1–4094>.
Displaying the Port Security Configuration

The show port security command displays the port security configuration for all device ports.
Command Syntax
device-name#show port security [UU/SS/PP] [vlan <vlan-id>]
UU/SS/PP (Optional). Displays the port security configuration of a specified port.
vlan <vlan-id> (Optional). Displays the port security configuration of a specified VLAN.
Example 1
The following example shows the port security configuration on port 1/1/1 and VLAN 5 when
the allowed numbers of secured MAC addresses is 5:
device-name#show port security
|===================================================================|
| port #| vid | action | max addr |secure addr|filtered addr|status |
|-------+-----+--------+----------+-----------+-------------+-------|
| 1/1/1 | 5 | trap | 5 | 0 | 0 |enabled|
Page 55
Example 2
The following example details how to enable port security on port 1/1/1 per VLAN 5, set a
maximum of 5 MAC addresses, and set the action to shutdown:
device-name(config-if 1/1/1)#port security action shutdown vlan 5
|===================================================================|
|port # | vid | action | max addr |secure addr|filtered addr|status |
|-------+-----+--------+----------+-----------+-------------+-------|
| 1/1/1 | 5 |shutdown| 5 | 0 | 0 |enabled|
After sending traffic with tag 5 on port 1/1/1 with more than 5 source MAC addresses, only 5
MAC addresses are learned and the port is disabled:
|===================================================================|
|port # | vid | action | max addr|secure addr|filtered addr| status |
|-------+-----+--------+---------+-----------+-------------+--------|
| 1/1/1 | 5 |shutdown| 5 | 5 | 0 |disabled|
Example 3
The following example details how to set the port security on port 1/2/4 with a maximum of 20
secured MAC addresses. The example also details how to set a maximum of 10 secured MAC
addresses per port and VLAN:
device-name(config-if 1/2/4)#port security max-mac-count 20
|===================================================================|
|port # | vid |action|max addr|secure addr|filtered addr|status |
|-------+---------+------+--------+-----------+-------------+-------|
| 1/2/4 |all vlans| trap | 20 | 0 | 0 |enabled|
| 1/2/4 | 100 | trap | 10 | 0 | 0 |enabled|
device-name#show port security 1/2/4 vlan 100

VLAN 100:
The port/vlan is : secured
State : enabled
Action : send a trap
Limit Type: : learn as filtered
Max secured addresses = 10
Current secured addresses = 0
Current filtered addresses = 0
Page 56
Defining Port Security with Dynamic Learned MAC Addresses
The following example configures various port security settings for ports 1/1/2, 1/1/3, and 1/1/4
for all VLANs.
1. Enable port security with default settings on port 1/2/2. All the MAC addresses are learned as
secure.
device-name(config-if 1/2/2)#port security
2. Enable port security on port 1/2/3 with action shutdown and a maximum of six MAC
addresses. After six MAC addresses are learned as secure, any additional MAC address sent to
this interface causes the interface to shut down:
device-name(config-if 1/2/3)#port security action shutdown
3. Enable port security on port 1/2/4 with a maximum of six MAC addresses. After six MAC
addresses are learned as secure, the following MAC addresses are learned as filtered and a
security violation trap is generated:
4. The configured settings are displayed by the show command in Privileged mode as follows:
|======================================================================|
|port#| vid |action | max addr |secure addr|filtered addr|status |
|-----+---------+--------+-----------+-----------+-------------|-------|
|1/2/2|all vlans|trap | unlimited | 0 | 0 |enabled|
|1/2/3|all vlans|shutdown| 6 | 0 | 0 |enabled|
|1/2/4|all vlans|trap | 6 | 0 | 0 |enabled|
Page 57
Defining Port Security with Static MAC Addresses

The following example sets a maximum three addresses and sends SNMP traps in the event of
over-learning.
1. Configure the SNMP trap host to receive traps:
device-name(config)#snmp-server enable
device-name(config)#snmp-server view viewAll 1.3 included
device-name(config)#snmp-server group notify_only v1 read none write none
notify viewAll
device-name(config)#snmp-server user notify_user group notify_only v1
device-name(config)#snmp-server target-param MyParam notify_user v1
device-name(config)#snmp-server target-addr blaaddr1 10.2.3.44 162 MyParam
tag_1
device-name(config)#snmp-server notify portSecurityViolation tag_1
2. Configure the port 1/2/2 to learn a maximum of three MAC addresses.

3. Return to Global Configuration mode and define three MAC addresses to be learned:
device-name(config)#mac-address-table secure 00:02:4b:82:60:e2 interface
1/2/2 vlan 2
device-name(config)#mac-address-table secure 00:02:55:58:0d:8c interface
1/2/2 vlan 2
device-name(config)#mac-address-table secure 00:02:55:98:52:f4 interface
1/2/2 vlan 2
4. In Privileged (Enable) mode, check that the MAC addresses are learned:
+===========+===================+=========+===========+==========
| vid | mac | port | status | priority
+-----------+-------------------+---------+-----------+----------
| 0000 | 00:a0:12:07:13:29| | self | 0
| 0001 | 00:a0:12:07:13:29| | self | 0
| 0002 | 00:02:4b:82:60:e2| 1/2/2 | secure | 0
| 0002 | 00:02:55:58:0d:8c| 1/2/2 | secure | 0
| 0002 | 00:02:55:98:52:f4| 1/2/2 | secure | 0
| 0002 | 00:40:95:30:0b:f8| 1/2/3 | dynamic | 0
Page 58
5. Check the port security definitions:

device-name#show port security 1/2/2
ALL VLANS:
The port is : secured
State : enabled
Action : send a trap
Limit Type: : learn as filtered
Re-Enabling Shut-down Ports

The following example sets the maximum number of secure addresses to five. The example details
how to re-enable a port that is shut down due to a security violation.
1. Configure port 1/2/4 as secured, learning maximum 5 secure addresses, and shutting down in
case of a security violation:
device-name(config-if 1/2/4)#port security action shutdown

|===================================================================|
|port#| vid |action |max addr|secure addr|filtered addr|status |
|-----+---------+--------+--------+-----------+-------------+-------|
2. Allow the port to learn 10 addresses and inspect what show port security displays. The
port has learned 5 addresses as secure and the rest as filtered. The port’s current state is
disabled (shut down):
|====================================================================|
|-----+---------+--------+--------+-----------+-------------+--------|
|1/2/4|all vlans|shutdown| 5 | 5 | 5 |disabled|
Page 59
3. Re-enable the port:

device-name(config-if 1/2/4)#port security enable-shutdown-port
|===================================================================|
|-----+---------+--------+--------+-----------+-------------+-------|
device-name#show port security 1/2/4

All Vlans:
The port is : secured
State : enabled
Action : shutdown
Page 60
The Port Limit Feature

Overview
The Port Limit feature limits the number of MAC addresses learned by a port. When enabling this
feature:
• MAC addresses within the limit are learned as dynamic
• MAC addresses that exceed the limit are learned as filtered MAC addresses.
Port Limit Default Configuration

Table 19: Port Limit Default Configuration
Port limit Disabled
Port Limit Commands

Table 20: Port Limit Configuration Commands
Command Description
port limit Configures a limit on the number of learned MAC addresses on

a physical interface or a group of interfaces (see Limiting MAC
Addresses a Port)
Table 21: Port Limit Display Commands

Command Description
show port limit Displays the port limit configuration for all device ports (see
Displaying the Port Limit Configuration)
Page 61
Limiting MAC Addresses a Port

The port limit command limits the number of learned MAC addresses on a physical interface or
a group of interfaces.
NOTE
When configuring port limit on a port, the initial frame is lost since the first packet
received from any source is used solely for learning its MAC address.
NOTE
A secured port does not support the port limit functionality.
By default, the port limit feature is disabled.
Command Syntax
device-name(config-if UU/SS/PP)#port limit max-mac-count <max-count> [filter-
learn-disable] [vlan <vlan-id>]
device-name(config-if UU/SS/PP)#no port limit [max-mac-count filter-learn-
disable] [vlan <vlan-id>]
device-name(config-if UU/SS/PP)#no port limit all
device-name(config-if UU/SS/PP)#port limit forward-unknown

device-name(config-if UU/SS/PP)#no port limit forward-unknown
device-name(config-if-group)#port limit max-mac-count <max-count> [filter-

learn-disable] [vlan <vlan-id>]
device-name(config-if-group)#no port limit [max-mac-count filter-learn-disable]
[vlan <vlan-id>]
device-name(config-if-group)#port limit forward-unknown

device-name(config-if-group)#no port limit forward-unknown
device-name(config-if-group)#no port limit all
max-mac-count <max- The number of MAC addresses the port is allowed to learn, in the
count> range of <1–2048>.
NOTE
Enable new MAC address learning prior to using this
argument to ensure its proper function (see the
Device Administration chapter of this User Guide).
When MAC address learning is not enabled the
following warning message is displayed: “Warning!
Port limit may not work correctly since
learning is disabled on the port.”
filter-learn- (Optional). The filtered MAC addresses are not learned in the MAC
disable address table.
Page 62
MAC addresses are learned in the MAC address table

vlan <vlan-id> (Optional). Enables port limit on the specified VLAN the port is a
member of. The VLAN ID number is in the range of <1–4094>.
forward-unknown Forwards unknown egress traffic on a port when this port is
secured/limited. This command can be used together with the
port security command to allow egress flooding.
NOTE
Using the no port limit all command removes port
limit on a port per all VLANs.
Example
The following example disables learning of the violating MAC address in the MAC address table.
The filtered MAC addresses corresponding to VLAN 20 are not learned on port 1/2/3.
device-name(config-if 1/2/3)#port limit max-mac-count 15 filter-learn-disable
vlan 20
Displaying the Port Limit Configuration

The show port limit command displays the port limit configuration for all device ports.
Command Syntax
device-name#show port limit [UU/SS/PP] [vlan <vlan-id>]
UU/SS/PP (Optional). Displays the port limit configuration of a specified port.
vlan <vlan-id> (Optional). Displays the port limit configuration of a specified VLAN.
Example 1
device-name#show port limit
===========================================================
|port num | vlan | max-mac-count |current mac-count
-------------+--------+-----------------+------------------
1/2/3 20 15 0
Example 2
device-name#show port limit 1/2/3
VLAN 20:
The port/vlan is : limited
Limit type : learn as filtered
Max limited addresses = 15
Page 63
Current limited addresses = 0
Page 64
Interfaces Management
Overview
The interface management feature allows system administrators to isolate the device’s management
traffic from the normal data traffic. This way they can eliminate unauthorized users and malicious
attacks to the device.
Disabling port management disallows:
• Telnet to the device
• SSH to the device
• SNMP management
• SNMP traps and informs
• Ping to the device
• TFTP download or upload
• Outgoing Syslog messages
Interfaces Management Commands

Table 22: Interface management Commands
Command Description
port management Limits the device management access only to ports that you
specify in the PORT LIST (see Setting Management Ports)
show port management Displays which ports provide management access (see Displaying
Management Ports)
Setting Management Ports

The port management command limits the device management access only to specified ports.
NOTE
Ensure that your PC is connected to a management enabled port prior to disabling
management on ports.
NOTE
You can also disable management on a VLAN (refer to the Configuring VLANs and
Super VLANs chapter of this User Guide). Management traffic on a VLAN is
allowed on a member port only if management is enabled both on the port and the
VLAN.

By default, management of the device is accessible on all ports.
Page 65
Command Syntax
device-name(config)#port management PORT-LIST
device-name(config)#no port management PORT-LIST
PORT-LIST Specifies one or more port numbers. Use commas as separators and hyphens
to indicate sub-ranges (for example, 1/2/1–1/2/8, 1/1/2).
no Specifies a list of ports prohibited from management access.
Displaying Management Ports

The show port management command displays the ports that provide management access to the
device.
Command Syntax
device-name#show port management
Example
device-name#show port management
Management ports: 1/2/1,1/2/2
Page 66
Alarm Propagation Feature

Overview
Alarm Propagation is a fault detection feature that identifies faults in network uplinks and
alarms downstream devices. When the uplink interface goes down, the user interfaces are also shut
down and the customer device stops sending traffic over the original route, until the authorized
person becomes aware of the alarm.
The customer device can attempt to forward traffic over another available (alternative) route.
Alarm Propagation Commands

Table 23: Alarm Propagation Commands
Command Description
alarm-status- Enables the alarm propagation process on a group of interfaces or a

inherit source-port group of aggregated interfaces (see Enabling Alarm Propagation )
show alarm-inherit Displays the alarm propagation configuration (see Displaying the
Alarm Propagation)
Enabling Alarm Propagation

The alarm-status-inherit source-port command enables the alarm propagation process on a
group of interfaces or a group of aggregated interfaces that will be shut down when the network
uplink goes down.
NOTE
Notes and limitations:
If all alarm-inherit configurations on a port are either a user (downlink) or
uplink, for example a port cannot be uplink in part of the configurations and
user in the rest of them.
An alarm-inheriting (user) port cannot be part of a resilient link nor can port
security with shutdown-violation-action be configured on it.
Command Syntax
device-name(config-if UU/SS/PP)#alarm-status-inherit source-port {PORT-LIST |
PORT-AG-LIST}
device-name(config-if UU/SS/PP)#no alarm-inherit
Page 67
PORT-LIST Specifies one or more port numbers. Use commas as separators and
hyphens to indicate sub-ranges (for example, 1/2/1–1/2/8, 1/1/2).
PORT-AG-LIST Specifies the list of LAG names (for example AG01, AG04–AG06).
The LAG ID is in the range <1–7>.
no Disables the Alarm Propagation.
Displaying the Alarm Propagation

The show alarm-inherit command displays the alarm propagation configuration.
Command Syntax
device-name#show alarm-inherit
Example
device-name#show alarm-inherit
|==================================================|
| port # | propagating alarm for uplink ports |
|--------------------------------------------------|
| 1/2/1 | 1/1/2
Page 68
The following example (Figure 6) shows how to the set alarm propagation feature:
Figure 6: Alarm Propagation Configuration Example
1. Set user port 1/2/1 link state to be dependent upon the state of uplink port 1/1/2 (inherit
alarm on the uplink port):
DeviceC#configure terminal
DeviceC(config)#interface 1/2/1
DeviceC(config-if 1/2/1)#alarm-status-inherit source-port 1/1/2
DeviceC(config-if 1/2/1)#end
DeviceC#show alarm-inherit
|==================================================|
| port # | propagating alarm for uplink ports |
|--------------------------------------------------|
| 1/2/1 | 1/1/2
Page 69
2. Verify the port states and configuration. Port 1/2/1 inherits on the state of port 1/1/2.Initially
the two ports are up:
DeviceC#show interface 1/1/2
Name =
Link = up
Default VLAN = 1

Name =
Link = up
Default VLAN = 1
Page 70
3. Disconnect port 1/1/2 forces port link state 1/2/1 to go also down:
Name =
Link = down
Duplex speed status = unknown
Default VLAN = 1

Name =
Link = down
Duplex speed status = unknown
Default VLAN = 1
Page 71
Supported Platforms
Fast Ethernet and Giga Ethernet Port + +

Link Aggregation Groups (LAGs) + +
Resilience Links + +
Port Security Techniques + +
Alarm Propagation + +
Supported Standards, MIBs, and RFCs

Fast Ethernet IEEE 802.3 Ethernet Public MIBs: RFC 2863 The
and Giga IEEE 802.3u Fast • RFC 1213, Management Interfaces Group
Ethernet Port Ethernet Information Base for MIB
Network Management of (configL2IfaceTable
IEEE 802.3x Flow
TCP/IP-based and interface table)
Control
IEEE 802.3z Gigabit internets:MIB-II
Ethernet (qwerinterface table and
onfigL2IfaceTable)
• RMON MIB
Private MIB, prvt_switch.mib
Link Aggregation IEEE 802.3ad Private MIB, No RFCs are
Groups (LAGs) prvt_Ports_Aggregation.mib supported by this
feature.
Resilience Links No standards are Private MIB, No RFCs are
supported by this prvt_resilient_link.mib supported by this
feature. feature.
Port Security No standards are No MIBs are supported by No RFCs are
Techniques supported by this this feature. supported by this
feature. feature.
Alarm IEEE 802.3 Ethernet Public MIBs: RFC 2863 The
Propagation IEEE 802.3u Fast • RFC 1213, Management Interfaces Group
Ethernet Information Base for MIB
Network Management of (configL2IfaceTable
IEEE 802.3x Flow
TCP/IP-based and interface table)
Control
IEEE 802.3z Gigabit internets:MIB-II
Ethernet (qwerinterface table and
onfigL2IfaceTable)
• RMON MIB
Private MIB, prvt_switch.mib
Page 72
Configuring VLANs and Super VLANs
Table of Figures ······················································································ 3
Virtual LANs ·························································································· 5

Overview ·························································································· 5
The VLAN Tagging Benefits ···································································· 5
VLAN Traffic Behavior·········································································· 6
VLAN Tagging and Ingress Traffic ······················································· 6
VLAN Tagging and Egress Traffic ························································ 7
VLAN Default Configuration ··································································· 8
VLAN Configuration Flow ······································································ 9
VLAN Configuration Commands ·····························································10
Entering the VLAN Configuration Mode ···············································12
Creating a New VLAN ····································································12
Entering an Existing VLAN Configuration Mode ······································12
Adding Ports to a VLAN ··································································13
Adding Ports to a Default VLAN ························································14
Creating a Range of VLANs ······························································14
Securing Management Access Based on VLAN ID·····································15
Modifying the CPU Port Membership ···················································16
Removing the CPU Port···································································16
Deleting a VLAN (by VLAN Name) ·····················································17
Deleting a VLAN (by VLAN ID) ························································17
Deleting a Range of VLANs ······························································18
Removing Ports from a VLAN ···························································19
Removing Ports from a Default VLAN··················································20
Displaying the VLAN Configuration ·····················································20
Displaying VLAN Management Information············································20
Page 1
Configuring VLANs and Super VLANs (Rev. 07)

VLAN Configuration Example ···························································21
Management VLAN Configuration Example············································31
Super VLANs ························································································33

Overview ·························································································33
Super VLAN Types ·············································································34
The Super VLAN Default Configuration ·····················································35
The Super VLAN Configuration Commands·················································35
Defining a Super VLAN ···································································35
Configuring the Super VLAN Ring Topology···········································36
Displaying the Super VLAN Configuration ·············································36
Super VLAN Configuration Example ····················································37
Super VLAN with Aggregated Uplink Configuration Example ·······················39
Super VLAN Ring Topology Configuration·············································41
Page 2
Table of Figures
Figure 1: IEEE 802.1Q Frame Tag Structure·················································· 6
Figure 2: VLANs in Ingress Traffic····························································· 7
Figure 3: VLANs in Egress Traffic ····························································· 7
Figure 4: VLAN Configuration Flow ··························································· 9
Figure 5: VLAN Configuration Example······················································21
Figure 6: Management VLAN Configuration Example ······································31
Figure 7: Switching Decisions without the Super VLAN Agent ····························33
Figure 8: Switching Decisions with the Super VLAN Agent ································33
Figure 9: Super VLAN Ring Mode Configuration Example ································34
Figure 10: Super VLAN Configuration························································37
Figure 11: Super VLAN Configuration with LAG Uplink···································39
Figure 12: Super VLAN Ring Topology Example············································41
Page 3

This chapter provides an overall understanding of Virtual Local Area Network (VLAN) concepts,
including different configuration examples.
The chapter contains the following sections:
• Virtual LANs
VLANs are used to group users’ traffic with common requirements, as if they were on the
same LAN although they may be in separate physical locations. The key benefit of
VLANs is its flexibility in allowing any logical LAN to be implemented on any physical
infrastructure.
• Super VLANs
The Super VLAN is a mechanism for aggregating VLANs that share the same default
router address and subnet mask, but remain isolated from one another's network traffic.
Page 4
Virtual LANs
Overview
VLAN tagging is a standard designed for grouping hosts with common requirements, allowing
them to communicate as if they were on the same LAN regardless of their physical location. This
allows a logical partition of a physical LAN into different broadcast domains.
This standard also ensures that VLAN traffic is isolated from hosts that are not members of the
VLAN.
This technology is based on tagging Ethernet frames with VLAN IDs, assigning each user to a
specific VLAN. This prohibits Layer 2 mutual access between workgroups with different VLAN
IDs.
The VLAN Tagging Benefits

Implementing VLANs on the network has the following advantages:
• Flexibility—when a user moves to a different broadcast domain, the system administrator only
has to reconfigure the port the user is connected to.
• Security—VLANs provide a greater degree of security than a traditional LAN since data
packets of one VLAN are not transmitted to a different VLAN.
• Scalability—VLANs are not limited to a single device, spanning over an enterprise
organization or a WAN link.
• Service per VLAN—you can use separate VLANs for different services and features
corresponding to each VLAN.
Page 5
VLAN Traffic Behavior

VLAN tagging inserts a VLAN ID into the Ethernet frame header, associating each frame with a
specific VLAN. Using this method, the port that interconnects devices can carry traffic for multiple
VLANs over the same physical connection.
Figure 1: IEEE 802.1Q Frame Tag Structure
A port can be a member of one or more VLANs. However, only one of these VLANs can be the
port’s default VLAN. Initially all the device ports are members of a VLAN named Default (VLAN
ID 1).
Ports assigned to different VLANs can communicate only through routing (and not on Layer 2).
VLAN Tagging and Ingress Traffic

The VLAN membership and the port’s default VLAN affect the incoming (ingress) traffic process
as follows:
• When the traffic has a VLAN tagging:
if the port is a member of the VLAN, it processes the traffic
otherwise, the port drops this traffic
• If the traffic has no VLAN tagging, the port adds its default VLAN ID to the frames and
processes them accordingly.
Page 6
Figure 2: VLANs in Ingress Traffic
VLAN Tagging and Egress Traffic

In addition to the VLANs a port is assigned to, the system administrator defines whether the port is
a tagged or an untagged member of a specified VLAN. This affects the outgoing (egress) traffic
process:
• If the port is an untagged member of a VLAN, it removes the VLAN ID tagging from these
VLAN’s frames before forwarding them
• If the port is a tagged member of a VLAN, it forwards these VLAN’s frames with their
VLAN ID (without changing the frames)
Figure 3: VLANs in Egress Traffic
Page 7
VLAN Default Configuration

Table 1: VLAN Default Configuration
All ports’ VLAN VLAN 1

PVID of all ports VLAN 1
VLAN management Enabled
Page 8
VLAN Configuration Flow

Start
Enter VLAN Configuration mode
Create a VLAN
Enter a specific VLAN

Configuration mode
Add port(s) as tagged or untagged

members
Configure a Yes
Default VLAN
Add ports to a default VLAN

No
Modify Yes
Management
VLANs
Secure management access
Remove CPU from VLAN
No
Modify the CPU Yes

port membership
Remove the CPU port
No
End
Figure 4: VLAN Configuration Flow
Page 9
VLAN Configuration Commands

Table 2: VLAN Configuration Commands
Command Description
vlan Enters the VLAN Configuration mode (see Entering the VLAN
Configuration Mode)
create Creates a VLAN with a specific name and ID number (see Creating
a New VLAN)
config Enters a specific VLAN Configuration mode (see Entering an
Existing VLAN Configuration Mode)
add ports Adds specified ports as either tagged or untagged ports (see Adding
Ports to a Default VLAN)
add ports default Specifies a default VLAN for a group of ports (see Adding Ports to a
Default VLAN)
create range Creates a range of VLANs (see Creating a Range of VLANs)
Table 3: VLAN Optional Commands

Command Description
management Limits the device management access to VLANs that you specify by
a list of VLAN ID numbers (see Securing Management Access
Based on VLAN ID)
add cpu-port Enables the device to receive broadcast and multicast traffic in the
specified VLAN (see Modifying the CPU Port Membership)
remove cpu-port Protects the device from receiving broadcast and multicast traffic in
the specified VLAN (see Removing the CPU Port)
Table 4: Commands for Removing VLANs

Command Description
delete Deletes a VLAN, specified by its name (see Deleting a VLAN (by
VLAN Name))
delete id Deletes a VLAN, specified by its VLAN ID (see Deleting a VLAN (by
VLAN ID))
delete range Deletes a range of VLANs (see Deleting a Range of VLANs)
Table 5: Commands for Removing Ports from a VLAN

Command Description
remove ports Removes ports from a VLAN (see Removing Ports from a VLAN)
remove ports default Removes ports from the default VLAN (see Removing Ports from a
Default VLAN)
Page 10
Table 6: VLAN Display Commands

Command Description
show, show vlan Displays the static VLAN configuration (see Displaying the VLAN
Configuration)
show vlan Display VLAN management access information (see Displaying
management VLAN Management Information)
Page 11
Entering the VLAN Configuration Mode

The vlan command enters the VLAN Configuration mode.
Command Syntax
device-name(config)#vlan
device-name(config vlan)#
Creating a New VLAN

The create command creates a VLAN with the specified name and ID (VLAN tag).
CLI Mode: VLAN Configuration
NOTE
vlan_ and default are reserved names and you cannot use them as VLAN names.
Attempting to do so generates the following message (vlan-id represents the VLAN
ID that the user is attempting to create): “% VLAN <vlan-id> system name“
Command Syntax
device-name(config vlan)#create NAME <vlan-id>
NAME The VLAN name.
vlan-id The VLAN tag number, in the range <2–4094>.
Example
Use the following example to create a VLAN named accounting with tag number 2:
device-name(config vlan)#create accounting 2
Entering an Existing VLAN Configuration Mode

The config command enters the configuration mode for a specific VLAN.
Use this command in a Specific VLAN Configuration mode to switch to a different VLANs
Configuration mode.
CLI Mode: VLAN Configuration and Specific VLAN Configuration
Page 12
Command Syntax
device-name(config vlan)#config NAME1
device-name(config-vlan NAME1)#
device-name(config-vlan NAME1)#config NAME2

device-name(config-vlan NAME2)#
NAME1, NAME2 The names of existing VLANs.
Examples
• Access vlan_52 configuration from Global VLAN Configuration mode, as indicated by the
prompt-line:
device-name(config vlan)#config vlan_52
device-name(config-vlan vlan_52)#
• Switch from vlan_52 Configuration mode to XYZ Configuration mode, as indicated by the
prompt-line:
device-name(config-vlan vlan_52)#config XYZ
device-name(config-vlan XYZ)#
Adding Ports to a VLAN

The add ports command assigns ports to a VLAN. Ports drop ingress packets tagged with a
different VLAN-tag than the one they belong to.
In egress traffic tagged ports send tagged packets while untagged ports send these packets without a
VLAN tag.
CLI Mode: Specific VLAN Configuration
Command Syntax
device-name(config-vlan VLAN-NAME)#add ports PORT-LIST {tagged | untagged}
PORT-LIST • (Optional) specifies one or more port numbers. Use commas as separators
and hyphens to indicate sub-ranges (for example, 1/2/1–1/2/8, 1/1/2).
•
NOTE
Do not leave blank spaces before or after the comma separating
sequential lists.
tagged (Optional) the specified ports are tagged.
untagged (Optional) the specified ports are untagged
Page 13
Adding Ports to a Default VLAN

The add ports default command specifies a default VLAN for a group of ports.
Command Syntax
device-name(config-vlan VLAN-NAME)#add ports default PORT-LIST
See the Argument Description table above.
Creating a Range of VLANs

The create range command creates a range of VLANs and automatically assigns VLAN names
that match the tag-numbers.
The VLAN name format is Vlan_dddd, where dddd represents the matching VLAN ID. For
example, VLAN ID 123 is named Vlan_123.
Command Syntax
device-name(config vlan)#create range <vlan-id1> <vlan-id2> [PORT-LIST tagged
[PORT-LIST untagged]] [remove cpu-port]
device-name(config vlan)#create range <vlan-id1> <vlan-id2> [PORT-LIST untagged
[PORT-LIST tagged]] [remove cpu-port]
vlan-id1 The first VLAN ID, in the range of <2–4094>
vlan-id2 The last VLAN ID, in the range of <2–4094>
PORT-LIST (Optional) one or more port numbers, specified by the following options:
• UU/SS/PP—a single port specified by unit, slot, and port number
• UU—all ports on the specified unit
• UU/SS—all ports on the specified slot that
• A hyphenated range of ports
(for example: 1/2/1–1/2/8 or 1/1–1/2)
• Several port numbers and/or ranges, separated by commas (for
example: 1/1/1, 1/1/2, 1/2/1–1/2/8).
NOTE
sequential lists.
tagged (Optional) the specified ports are tagged
untagged (Optional) the specified ports are untagged
Page 14
remove cpu- (Optional) prevents the device from receiving broadcast and multicast traffic
port in the specified VLAN (see the remove cpu-port command)
Example
Use the following example to create a sequence of VLANs and then to display the results:
device-name(config vlan)#create range 15 21 1/1/1-1/1/2 untagged 1/2/2 tagged
device-name(config vlan)#show
==================================================================
Name |VTag| Rout If | Tagged ports | Untagged ports
-----------------+----+---------+-----------------+---------------
default |1 | sw0 | |1/1/1-1/2/8
Vlan_15 |15 | | 1/2/2 |1/1/1,1/1/2
Vlan_16 |16 | | 1/2/2 |1/1/1,1/1/2
Vlan_17 |17 | | 1/2/2 |1/1/1,1/1/2
Vlan_18 |18 | | 1/2/2 |1/1/1,1/1/2
Vlan_19 |19 | | 1/2/2 |1/1/1,1/1/2
Vlan_20 |20 | | 1/2/2 |1/1/1,1/1/2
Vlan_21 |21 | | 1/2/2 |1/1/1,1/1/2
Securing Management Access Based on VLAN ID

The management command limits the device management access only to VLANs that you specify
by a list of VLAN ID numbers. You may include VLANs that have not been created yet.
The management VLAN isolates the device’s management IP address from data traffic, preventing
unauthorized access and malicious attacks.
When using this feature, you can manage the device though a PC—connected to a port assigned to
a management VLAN—via Telnet or SNMP.
When management VLAN is disabled, you are not allowed to perform the following tasks:
• SNMP management
• Ping the device
• TFTP download or upload
• Receive outgoing Syslog messages
You cannot delete the management VLAN 1.
By default, management of the device is accessible on all VLANs.
NOTE
You can also disable management on a port by the port management command in
Global Configuration mode (refer to the Configuring Interfaces chapter of this User
Guide).
Management traffic on a VLAN is allowed on a port that is a member of that VLAN
only if management is enabled both on the port and on the VLAN.
Page 15
Command Syntax
device-name(config vlan)#management VLAN-LIST
device-name(config vlan)#no management VLAN-LIST
VLAN-LIST A list of VLAN IDs in the below format:
• A hyphenated range of VLANs (for example: 8–32)
• Several VLAN numbers and/or ranges, separated by commas (for example:
2,4,8–32)
no The list of VLANs with no management access.
Modifying the CPU Port Membership

The add cpu-port command enables the device to receive broadcast and multicast traffic in the
specified VLAN.

By default, the CPU port is a member of all VLANs.
Command Syntax
device-name(config-vlan VLAN-NAME)#add cpu-port
Removing the CPU Port

The remove cpu-port command protects the device's CPU from receiving broadcast and
multicast traffic on the specified VLAN.
NOTE
The device performs switching even if its CPU is not a member of the VLAN.
Enabling this feature does not block unicast traffic to the CPU.
Command Syntax
device-name(config-vlan VLAN-NAME)#remove cpu-port
Page 16
Deleting a VLAN (by VLAN Name)

The delete command deletes an existing VLAN by its VLAN name.
NOTE
The VLAN named default (VLAN ID 1) is part of the default configuration and you
cannot delete it.
Command Syntax
device-name(config vlan)#delete NAME
NAME The name of an existing VLAN
Example
The following example deletes the VLAN named accounting:
device-name(config vlan)#delete accounting
Deleting a VLAN (by VLAN ID)

The delete id command deletes an existing VLAN by its VLAN ID.
Command Syntax
device-name(config vlan)#delete id <vlan-id>
vlan-id An existing VLAN ID
Example
This following example deletes the VLAN with ID 10:
device-name(config vlan)#delete id 10
Page 17
Deleting a Range of VLANs

The delete range command deletes a range of VLANs.
Command Syntax
device-name(config vlan)#delete range <vlan-id1> <vlan-id2>
vlan-id1 The first VLAN ID in the range (must be smaller than vlan-id2).
The valid range is <2–4094>.
vlan-id2 The last VLAN ID (must be greater than vlan-id1).
Example
===================================================================
-----------------+----+---------+-----------------+----------------
default |1 | sw0 | |1/1/1-1/2/8
Vlan_15 |15 | | 1/2/2 |1/1/1,1/1/2
Vlan_16 |16 | | 1/2/2 |1/1/1,1/1/2
Vlan_17 |17 | | 1/2/2 |1/1/1,1/1/2
Vlan_18 |18 | | 1/2/2 |1/1/1,1/1/2
Vlan_19 |19 | | 1/2/2 |1/1/1,1/1/2
Vlan_20 |20 | | 1/2/2 |1/1/1,1/1/2
Vlan_21 |21 | | 1/2/2 |1/1/1,1/1/2
device-name(config vlan)#delete range 15 19

===================================================================
-----------------+----+---------+-----------------+----------------
default |1 | sw0 | |1/1/1-1/2/8
Vlan_20 |20 | | 1/2/2 |1/1/1,1/1/2
Vlan_21 |21 | | 1/2/2 |1/1/1,1/1/2
Page 18
Removing Ports from a VLAN

The remove ports command removes the specified port(s).
Command Syntax
device-name(config-vlan VLAN-NAME)#remove ports PORT-LIST
PORT- (Optional) one or more port numbers assigned to the VLANs, specified by the
LIST following options:
• UU—all ports on the specified unit
• UU/SS—all ports on the specified slot that
(for example: 1/2/1–1/2/8 or 1/1–1/2)
• Several port numbers and/or ranges, separated by commas (for example: 1/1/1,
1/1/2, 1/2/1–1/2/8).
NOTE
sequential lists.
Example
The example shows how to remove ports from the VLAN named xxx. The result displayed by the
show command that can be applied in any Specific or Global VLAN Configuration mode:
device-name(config-vlan xxx)#remove ports 1/2/2-1/2/4
device-name(config-vlan xxx)#show
==================================================================
-------------+----+---------+---------------------+---------------
default |1 | sw0 | |1/1/1-1/2/8
xxx |9 | |1/1/1,1/2/1, |1/2/1,1/2/5
| | |1/2/5-1/2/7 |
Page 19
Removing Ports from a Default VLAN

The remove ports default command removes ports from the default VLAN.
Command Syntax
device-name(config-vlan VLAN-NAME)#remove ports default PORT-LIST
See the argument table above.
Displaying the VLAN Configuration

The commands below display VLAN configuration information:
• show command
CLI Mode: VLAN Configuration and Specific VLAN Configuration

• show vlan command
Command Syntax
device-name#show vlan
device-name(config-vlan VLAN-NAME)#show
Displaying VLAN Management Information

The show vlan management command displays VLAN management access information.
Command Syntax
device-name#show vlan management
Example
The following example shows that by default, management is accessible on all VLANs.
Management VLANs: 1-4094
Page 20
VLAN Configuration Example
The figure below represents an example of a simple VLAN configuration.
Figure 5: VLAN Configuration Example
1. Create VLAN user_100 with VLAN ID 100:
device-name(config vlan)#create user_100 100
2. Remove port 1/1/1 from Default VLAN, add port 1/1/1 as untagged (connected to a user) to
VLAN user_100 and add VLAN user_100 as PVID to port 1/1/1. Add port 1/2/1 as
tagged (connected to Device 4):
device-name(config vlan)#config default
device-name(config-vlan default)#remove ports 1/1/1
device-name(config-vlan default)#exit
device-name(config vlan)#config user_100
device-name(config-vlan user_100)#add ports 1/1/1 untagged
device-name(config-vlan user_100)#add ports default 1/1/1
device-name(config-vlan user_100)#add ports 1/2/1 tagged
device-name(config-vlan user_100)#exit
Page 21

VLAN user_101, and add VLAN user_101 as PVID to port 1/1/2. Add port 1/2/1 as
5. Create the VLAN user_102 with VLAN ID 102:

7. Display the configured VLANs:

device-name(config-vlan user_102)#show
==================================================================
---------------+----+---------+------------------+----------------
default |1 | sw0 | |1/1/1-1/2/8
user_100 |100 | |1/2/1 |1/1/1
user_101 |101 | |1/2/1 |1/1/2
user_102 |102 | |1/2/1 |1/2/3
device-name(config-vlan user_102)#end
...
! Port configuration:
!
interface 1/1/1
default vlan 100
!
interface 1/1/2
default vlan 101
!
Page 22
interface 1/2/3
default vlan 102
!
...
! VLAN configuration:
!
vlan
create user_100 100
config user_100
add ports 1/2/1 tagged
add ports 1/1/1 untagged
!
vlan
create user_101 101
config user_101
!
vlan
create user_102 102
config user_102
!
...
2. Remove port 1/1/1 from Default VLAN, add port 1/1/1 as untagged (connected to a user)
to VLAN user_200, and add VLAN user_200 as PVID to port 1/1/1. Add port 1/2/1 as

Page 23
4. Remove port 1/1/2 from Default VLAN add port 1/1/2 as untagged (connected to a user) to

tagged (connected to Device 4)

=================================================================
---------------+----+---------+------------------+---------------
default |1 | sw0 | |1/1/1-1/2/8
user_200 |200 | |1/2/1 |1/1/1
user_201 |201 | |1/2/1 |1/1/2
user_202 |202 | |1/2/1 |1/2/3
...
!
interface 1/1/1
default vlan 200
!
interface 1/1/2
default vlan 201
!
interface 1/2/3
default vlan 202
!
Page 24
...
!
vlan
create user_200 200
config user_200
!
vlan
create user_201 201
config user_201
!
vlan
create user_202 202
config user_202
!
...

Page 25

tagged (connected to Device 4)

==================================================================
---------------+----+---------+------------------+----------------
default |1 | sw0 | |1/1/1-1/2/8
user_300 |300 | |1/2/1 |1/1/1
user_301 |301 | |1/2/1 |1/1/2
user_302 |302 | |1/2/1 |1/2/3
...
!
interface 1/1/1
default vlan 300
!
interface 1/1/2
default vlan 301
!
interface 1/2/3
default vlan 302
!
Page 26
...
!
vlan
create user_300 300
config user_300
!
vlan
create user_301 301
config user_301
!
vlan
create user_302 302
config user_302
!
...
2. Add ports 1/1/1, 1/2/1 as tagged (1/1/1 is connected to the users on Device 1 and 1/2/1 is
connected to the router) to VLAN user_100:
device-name(config-vlan user_100)#add ports 1/1/1,1/2/1 tagged

4. Add ports 1/1/1, 1/2/1 as tagged (1/1/1 is connected to the users on Device 1 and 1/2/1
is connected to the router) to VLAN user_101:

Page 27
6. Add ports 1/1/1, 1/2/1 as tagged (1/1/1 is connected to the users on Device 1 and 1/2/1
is connected to the router) to VLAN user_102:





Page 28


==================================================================
Name |VTag| Rout If| Tagged ports | Untagged ports
------------+----+---------+---------------------+----------------
default |1 | sw0 | |1/1/1-1/2/8
user_100 |100 | |1/1/1,1/2/1 |
user_101 |101 | |1/1/1,1/2/1 |
user_102 |102 | |1/1/1,1/2/1 |
user_200 |200 | |1/1/2,1/2/1 |
user_201 |201 | |1/1/2,1/2/1 |
user_202 |202 | |1/1/2,1/2/1 |
user_300 |300 | |1/2/3,1/2/1 |
user_301 |301 | |1/2/3,1/2/1 |
user_302 |302 | |1/2/3,1/2/1 |
device-name#show running-config vlan

...
!
vlan
create user_100 100
config user_100
add ports 1/1/1,1/2/1 tagged
!
vlan
create user_101 101
config user_101
!
vlan
create user_102 102
config user_102
!
vlan
create user_200 200
config user_200
!
vlan
Page 29
create user_201 201

config user_201
!
vlan
create user_202 202
config user_202
!
vlan
create user_300 300
config user_300
!
vlan
create user_301 301
config user_301
!
vlan
create user_302 302
config user_302
!...
Page 30
Management VLAN Configuration Example

This is an example for the management VLAN configuration. The device can be managed only by
VLAN 2. VLANs 100, 101 and 102 are created but the device cannot be managed from the
workstations, only from the management station.
Figure 6: Management VLAN Configuration Example
1. Enter VLAN Configuration mode:

2. Remove management from VLANs 1, 3–4094 (only ports configured with VLAN ID 2 can
be use to manage the device):
device-name(config vlan)#no management 1,3-4094
3. Create the VLAN manage with VLAN ID 2:

device-name(config vlan)#create manage 2
4. Add port 1/1/2 as untagged to VLAN manage and add VLAN manage as PVID to port
1/1/2:
device-name(config vlan)#config manage
device-name(config-vlan manage)#add ports 1/1/2 untagged
device-name(config-vlan manage)#add ports default 1/1/2
device-name(config-vlan manage)#exit
5. Create the VLAN v100 with VLAN ID 100:

device-name(config vlan)#create v100 100
Page 31
6. Add port 1/2/3 as untagged to VLAN v100 and add VLAN v100 as PVID to port 1/2/3.
Add port 1/2/7 as tagged to VLAN v100:
device-name(config vlan)#config v100
device-name(config-vlan v100)#add ports 1/2/3 untagged
device-name(config-vlan v100)#add ports default 1/2/3
device-name(config-vlan v100)#add ports 1/2/7 tagged
device-name(config-vlan v100)#exit

8. Add port 1/2/4 as untagged to VLAN v101 and set VLAN v101 as PVID. Add port 1/2/7
as tagged to VLAN v101:

10. Add port 1/2/5 as untagged to VLAN v102 and set VLAN v102 as PVID. Add port 1/2/7 as
tagged to VLAN v102:
11. Remove ports 1/1/2–1/2/5 from VLAN default:

device-name(config-vlan default)#remove ports 1/1/2-1/2/5
device-name(config-vlan default)#end
12. Display the management VLANs:

Management VLANs: 2
13. Display the VLAN configuration:

device-name#show vlan
===================================================================
-----------+----+---------+--------------------+-------------------
default |1 | sw0 | |1/1/1,1/2/6-1/2/8
manage |2 | | |1/1/2
v100 |100 | |1/2/7 |1/2/3
v101 |101 | |1/2/7 |1/2/4
v102 |102 | |1/2/7 |1/2/5
Page 32
Super VLANs
Overview
Super VLAN is a mechanism used to separate users which reside in the same VLAN into multiple
virtual broadcast domains.
With Super VLAN, systems administrators can use the same IPv4 subnet and default gateway IP
address for users residing in the same switched infrastructure. This helps in decreasing IPv4 address
consumption and the need for dedicated IP subnet for each VLAN.
VLANs that are members of a Super VLAN are called sub-VLANs. Each sub-VLAN is a
broadcast domain isolated at Layer 2. When users in different sub-VLANs need to communicate
with each other, they use the IP address of the virtual interface of the Super VLAN as the IP
address of the gateway. The virtual interface IP address is shared by multiple VLANs. This
minimizes the number of required IP addresses.
In case a sub VLAN needs to communicate with a sub VLAN in a different sub VLAN at Layer 3,
or in case a sub-VLAN communicates with other networks, you need to enable ARP proxy (for
more information, refer to the Device Administration chapter of this User Guide).
The below example illustrates the traffic flow in case Super VLAN is not configured: traffic
entering the user device port is not restricted to the uplink port; therefore, all the broadcast,
unknown, and multicast packets are spread over the entire device VLANs.
Figure 7: Switching Decisions without the Super VLAN Agent
As oppose to the above, the below example illustrates the traffic flow in case Super VLAN is
configured: once switching decisions are done, the Super VLAN agent overrules these decisions
and directs the traffic to the Super VLAN uplink port.
Figure 8: Switching Decisions with the Super VLAN Agent
Page 33
Super VLAN Types

There are two types of Super VLAN:
• Super VLAN layer 2—Suitable for a Layer-2 switching environment, where the sub-VLANs
and Super VLAN share the same IP subnet mask. The Super VLAN provides enhanced
security between the customers, by disallowing communication between the sub-VLANs,
whether or not they are located in the same LAN.
• Super VLAN ring topology—Suitable for ring topology networks using the Multiple Spanning
Tree Protocol (MSTP). In these cases traffic can flow either clockwise or counterclockwise.
Both ports connected to the ring are referred to as uplink ports, while the rest of the ports are
referred to as user ports. In this case the Super VLAN uplink has to be one of the two ports
that are connected to the rest of the ring.
Use this topology when the Super VLAN port has to be the root port of the bridge. In
this topology, the Super VLAN uplink-port is selected dynamically by the bridge between
the two uplink ports. If a topology change occurs, the Super VLAN uplink changes
automatically and the new Root port is selected as a Super VLAN uplink port.
In the figure below, one of the clients connected to device D sends broadcast traffic. The
traffic travels counterclockwise only, since the Super VLAN active uplink-port is the root
port. If the link between device B and A is disconnected, a topology change occurs and
Device D selects a new Super VLAN uplink-port. As a result traffic flows clockwise only.
Dynamic Super VLAN takes affect on all the bridges, except for the root bridge since it
does not have a root port (only designated ports).
Figure 9: Super VLAN Ring Mode Configuration Example
Page 34
The Super VLAN Default Configuration

Table 7: Super VLAN Default Configuration
Super VLAN Disabled

Residential user Disabled
Super VLAN ring mode Disabled
The Super VLAN Configuration Commands

Table 8: Super VLAN Commands
Command Description
super-vlan Configures Super VLAN (see Defining a Super VLAN)

super-vlan ring-topology Configures Super VLAN for networks with a ring topology
(see Configuring the Super VLAN Ring Topology)
show super-vlan Displays the Super VLAN configuration (see Displaying
the Super VLAN Configuration)
Defining a Super VLAN

The super-vlan command configures Super VLAN on a physical port or a group of ports.
CLI Mode: Interface Configuration, Range Interface Configuration, LAG Range Interface
Configuration, and LAG Interface Configuration
Command Syntax
device-name(config-if UU1/SS1/PP1)#super-vlan {UU2/SS2/PP2 | ag0N}
device-name(config-if UU1/SS1/PP1)#no super-vlan
device-name(config-if-group)#super-vlan {UU2/SS2/PP2 | ag0N}

device-name(config-if-group)#no super-vlan
device-name(config-ag-group)#super-vlan {UU2/SS2/PP2 | ag0N}

device-name(config-ag-group)#no super-vlan
device-name(config-if AG0N)#super-vlan {UU2/SS2/PP2 | ag0N}

device-name(config-if AG0N)#no super-vlan
UU2/SS2/PP2 The Unit, slot, and port number of the uplink port.
ag0N The LAG interface name, where N represents the LAG ID number in the range of
<01–07>.
For detailed information, refer to the Configuring Interfaces chapter of this User
Guide.
Page 35
no Removes the Super VLAN from the port.
Configuring the Super VLAN Ring Topology

The super-vlan ring-topology command configures Super VLAN for networks with a ring
topology.
NOTE
You can enable the Super VLAN for a ring topology only if the MSTP (Multiple
Spanning Tree Protocol) is enabled.
By default, the Super VLAN ring topology is disabled.
CLI Mode:: Interface Configuration
Command Syntax
device-name(config-if UU/SS/PP)#super-vlan ring-topology UU1/SS1/PP1
UU2/SS2/PP2 [vlan <vlan-id>]
device-name(config-if UU/SS/PP)#no super-vlan
UU1/SS1/PP1 The first ring-port of the Super VLAN.
UU2/SS2/PP2 The second ring-port of the Super VLAN.
vlan <vlan-id> (Optional) an existing VLAN ID in the range <2–4094>. When you
specify this argument, only the corresponding MSTP instance root
decision is taken. If you do not use this argument, the MSTP instance
zero root decision is taken.
no Removes Super VLAN from the configured user port.
Displaying the Super VLAN Configuration

The show super-vlan command displays the Super VLAN configuration.
Command Syntax
device-name#show super-vlan
Example
===========================================================
User Interface | Super VLAN Type | Uplink
-----------------+-----------------+-----------------------
1/1/1 | regular | 1/2/2
1/2/2 | regular | 1/2/4
Page 36
Super VLAN Configuration Example
In the figure below three users are connected to one uplink port. The users can connect only to this
uplink port.
Figure 10: Super VLAN Configuration
1. Enable Super VLAN on port 1/1/1 with the uplink 1/2/1:

device-name(config-if 1/1/1)#super-vlan 1/2/1


Page 37
4. Display the port 1/1/1 configuration:

device-name#show interface 1/1/1
Name =
Link = down
Default VLAN = 1
Super VLAN Port = 1/2/1
5. Display the Super VLAN configuration:

==================================================
-----------------+-----------------+--------------
1/1/1 | regular | 1/2/1
1/1/2 | regular | 1/2/1
1/2/3 | regular | 1/2/1
Page 38
Super VLAN with Aggregated Uplink Configuration Example

In the following example, two users are connected to one uplink LAG (Link Aggregation Group)
port.
Figure 11: Super VLAN Configuration with LAG Uplink
Configure static link aggregation on ports 1/1/1 and 1/1/2:
device-name(config-if 1/1/1)#link-aggregation static id 1
Page 39
1. Configure static link aggregation on ports 1/2/1 and 1/2/2:
2. Enable Super VLAN on ports 1/1/1 and 1/1/2 with uplink ag07:
device-name(config-if 1/1/1)#super-vlan ag07
device-name(config-if 1/1/2)#super-vlan ag07

=====================================================================
-----------------+-----------------+---------------------------------
1/1/1 | regular | AG07
1/1/2 | regular | AG07
Page 40
Super VLAN Ring Topology Configuration

The figure below shows a ring topology with an entry point. Devices 2, 3 and 4 are configured with
Super VLAN in ring mode and MSTP is enabled. Device 1 is the MSTP Root and port 1/2/8 of
Device 4 is blocked.
For more information regarding the MSTP, refer to the Configuring Multiple Spanning Tree Protocol
(MSTP) chapter of this User Guide.
Figure 12: Super VLAN Ring Topology Example
Configuring Device 1
1. Configure Device 1 as MSTP Root and the bridge priority 0 for MST instance 0:
Device1(cfg protocol)#mstp 0 priority 0
Device1(cfg protocol)#exit
2. Configure the ring ports as Super VLAN ports:

Device1(config-if 1/2/6)#super-vlan ring-topology 1/1/1 1/1/2
Page 41

Device1#show super-vlan
=====================================================================
-----------------+-----------------+---------------------------------
1/2/6 | ring-topology | 1/1/1 (active), 1/1/2
1. Enable MSTP and MSTP fast ring:
Device2(cfg protocol)#mstp enable
Device2(cfg protocol)#mstp fast-ring enable
2. Configure the ring ports as Super VLAN ports:


=====================================================================
-----------------+-----------------+---------------------------------
Device3(cfg protocol)#mstp fast-ring ring-ports 1/1/1 1/1/2
2. Configure Super VLAN on the user port 1/2/2:


=====================================================================
-----------------+-----------------+---------------------------------
1/2/2 | ring-topology | 1/1/1, 1/1/2 (active)
Page 42
2. Configure Super VLAN on the user port 1/2/2:

3. Display port 1/2/2 configuration:

Device4#show interface 1/2/2
…
Super VLAN Ports = 1/2/7 (active), 1/2/8

=====================================================================
-----------------+-----------------+---------------------------------
5. Display the MSTP Configuration:

Device4#show mstp
…
SpanIgmpFastRecovery = enabled
FastRing = enabled
…
01/01/21 128 Root frwrd 200000 0 04096.00A012170100 128.002
01/01/22 128 Alternate block 200000 0 32768.00A012171600 128.001
01/01/24 128 Designated frwrd 200000 0 32768.00A012010102 128.024
Page 43
Supported Platforms
Virtual LANs + +
Super VLANs + +

Virtual LANs IEEE 802.1Q-1998 IEEE 802.1Q No RFCs are

IEEE 802.1Q-2003 supported by this
feature.
IEEE 802.1P
IEEE 802.1u-2001
Super VLANs No standards are No MIBs are RFC 3069, VLAN
supported by this feature. supported by this Aggregation for
feature. Efficient IP Address
Allocation
Page 44
Configuring Transparent LAN Services (TLS)
Table of Figures ······················································································ 3
TLS Overview························································································· 4
802.1Q Tunneling ················································································ 4
Layer-2 Protocol Tunneling (L2PT) ···························································· 5
The TLS Default Configuration ··································································· 6
TLS Configuration Flow ············································································ 7
The TLS Configuration Commands······························································ 8

Configuring a TLS Service ······································································10
Configuring TLS Service Distribution Paths (SDP) ··········································10
Configuring TLS Service Access Point (SAP)·················································12
Configuring TLS ·················································································13
Configuring the TLS EtherType Value ························································13
Selecting a TLS Core (Uplink) Port ····························································13
Selecting a TLS Access (User) Port ····························································14
Securing the Management Device Access based on C-VLAN······························15
Configuring the Layer-2 Protocol Tunneling ·················································15
TLS Tunnel Profile Configuration Mode······················································16
Configuring Layer-2 Protocol PDUs ··························································16
Defining Tunnel MAC Addresses for Predefined Protocols ································17
Defining Tunnel MAC Addresses for User-Defined Protocols ·····························19
Tunneling of Layer-2 Protocol PDUs for SDP ···············································20
Tunneling of Layer-2 Protocol PDUs for SAP ···············································21
Displaying the TLS Configuration ·····························································22
Displaying the L2PT Encapsulation Information ············································22
Displaying the L2PT Configuration Information·············································23
Displaying Layer-2 Protocol Tunneling Statistics·············································24
Displaying TLS Profile Names ·································································25
Displaying TLS Services ········································································26
TLS Configuration Examples·····································································27
Page 1
Configuring Transparent LAN Services (TLS) (Rev. 10)
Example 1 ························································································27
Example 2 ························································································28
Supported Standards, MIBs, and RFCs·························································30
Page 2
Table of Figures
Figure 1: 802.1Q Tunneling Configuration····················································· 4
Figure 2: TLS Configuration Flow ······························································ 7
Figure 3: TLS Interface Example ······························································27
Figure 4: TLS Tunneling Example ·····························································28
Page 3
Overview
Deploying the Transparent LAN Services (TLS) requires network operators to transport a large
number of customers’ virtual LANs (VLANs) while keeping traffic secured in each VLAN. This
mechanism establishes Layer-2 tunnels inside the service provider network where traffic from
different customers is segregated and where it is marked with an appropriate tunnel name.
802.1Q Tunneling
802.1Q tunneling allows the deployment of secure TLS, using IEEE 802.1Q standard tags. The
main advantage of 802.1Q tunneling is that it enables service providers to use a separate VLAN
(service VLAN, S-VLAN) to support the customers who have multiple VLANs, while preserving
the customer VLAN IDs and keeping traffic in the different customer’s VLANs (C-VLAN)
segregated.
802.1Q tunneling expands the VLAN space by adding an additional 802.1Q tag (the tunnel ID) to
all previously-tagged packets when they enter the service provider infrastructure, as illustrated in
below figure.
Figure 1: 802.1Q Tunneling Configuration
The new frame contains the original C-VLAN tag and the new S-VLAN tag.
A port that is configured to support 802.1Q tunneling is called a tunnel port. When you configure
tunneling, you assign a tunnel port to a VLAN that you dedicate to tunneling. To keep the
customer traffic segregated, each customer requires a separate VLAN, but that one VLAN
supports all of the customer’s VLANs.
Page 4
Three types of ports are defined in the network devices deployed by the service provider:
• Residential port—a port that is connected to a user and does not participate in the TLS. Packets
that are transmitted through this port have no added tag
• Access (SAP) ports—a port that is connected to a user. Packets that are transmitted through this
port have no added tag (see Configuring TLS Service Access Point (SAP))
• Core (SDP) port—a port that is connected to the service provider’s network. All packets that are
transmitted through this port are either control packets or packets with an additional tag. If the
packets arrive from an access (user) port the additional tag header will be added. If the packets
arrive from a residential port the additional tag header will not be added (see Configuring TLS
Service Distribution Paths (SDP))
When a access port (SAP) receives tagged customer traffic from an 802.1Q-port on the customer
device, it does not strip the received 802.1Q tag from the frame header; instead, the access port
(SAP) leaves the 802.1Q tag intact, adds a 2-byte EtherType field (0x8100) followed by a 2-byte
field containing the priority (CoS) and the VLAN (see Configuring the TLS EtherType Value).
An egress core port (SDP) strips the 2-byte EtherType field (0x8100) and the 2-byte length field
and transmits the traffic with the 802.1Q tag still intact to the customer device. The 802.1Q-port on
the customer device strips the 802.1Q tag and puts the traffic into the appropriate customer
VLAN.
Layer-2 Protocol Tunneling (L2PT)

Layer-2 protocol tunneling allows IEEE Layer-2 protocol data units (PDUs) to be tunneled
through a network. The L2PT is based on PDUs software encapsulating in the ingress service
provide edge devices. All devices inside the service provider network treat these encapsulated
frames as regular data packets and forward them out appropriately. The egress service provides
edge devices that listen for these special encapsulated frames and decapsulates them before
forwarding them out of the tunnel.
The encapsulation involves rewriting the destination media access control (MAC) address in the
PDU. An ingress service provides edge devices that rewrite the destination multicast MAC address
of the PDUs received with a predefined multicast tunnel MAC addresses that ensure transparent
L2CP traffic flow (see Defining Tunnel MAC Addresses for Predefined Protocols and Defining Tunnel MAC
Addresses for User-Defined Protocols).
Page 5
The TLS Default Configuration

Table 1: TLS Default Configuration
Transparent LAN Services (TLS) Disabled

TLS port Residential port
EtherType 0x8100
IEEE control packets tunneling Disabled
Page 6
TLS Configuration Flow

Start
Enable/disable
the Layer 2 Yes
Protocol
Tunneling
No Configure the
Yes
TLS tunnel
profile
Set the TLS Configure the TLS
EtherType Yes
tunnel profile
value
No
Specify the TLS
EtherType value
Configure
Create TLS service Custom MAC Yes
Address for
Tunneled
Packets
Create SDP
Define Tunnel MAC
Addresses for
Predefined Protocols
Create SAP No
End Enable
Tunneling of Yes
IEEE Control
Packets
Define Tunnel MAC

Addresses for User-
Defined Protocols
No
Figure 2: TLS Configuration Flow
Page 7
The TLS Configuration Commands

Table 2: TLS Services Configuration Commands
Command Description
tls Creates a specific TLS service instance (see Configuring

a TLS Service)
sdp Configures a service distribution point (SDP) for the
specified TLS instance (see Configuring TLS Service
Distribution Paths (SDP))
sap Configures a service access point (SAP) for the specified
TLS instance (see Configuring TLS Service Access Point
(SAP))
Table 3: TLS Services Optional Commands

Command Description
tls Enables/disables the TLS (see Configuring TLS)

tls ethertype Assigns an EtherType value (see Configuring the TLS
EtherType Value)
tls uplink Configures a physical interface or group of interfaces as a
TLS core (uplink) port/groups (see Selecting a TLS Core
(Uplink) Port)
tls user Configures a physical interface or group of interfaces as a
TLS access (user) port/groups (see Selecting a TLS
Access (User) Port )
management c-vlan Limits the device management access only to a specified
C-VLAN
(see Securing the Management Device Access based on
C-VLAN)
The following table lists the command for configuring L2PT. The whole L2PT configuration is
optional.
NOTE
For the tls tunneled-ieee-pdu command to take effect, first enable TLS
tunneling globally by the tls tunneled-ieee-pdu enable command.
Table 4: L2PT Configuration Command

Command Description
tls tunneled-ieee-pdu Enables/disables the Layer-2 protocol tunneling (see

enable/disable Configuring the Layer-2 Protocol Tunneling)
tls tunnel-profile Enables a configuration of a specific TLS tunnel profile
(see TLS Tunnel Profile Configuration Mode)
tls tunnel/discard Specifies one of the allowed Layer-2 protocol PDUs to be
tunneled/discarded (see Configuring Layer-2 Protocol
PDUs)
Page 8
Command Description
tls tunneled-ieee-pdu Defines a multicast tunnel MAC address that rewrites the
HH:HH:HH:HH:HH:HH original multicast destination MAC address (see Defining
Tunnel MAC Addresses for Predefined Protocols )
tls tunneled-ieee-pdu add Defines a multicast tunnel MAC address that rewrites the
original multicast destination MAC address (Defining
Tunnel MAC Addresses for User-Defined Protocols)
tls tunneled-ieee-pdu Enables tunneling of IEEE control packets for SDP (see
(in SDP Service Configuration) Tunneling of Layer-2 Protocol PDUs for SDP)
tls tunneled-ieee-pdu Enables tunneling of IEEE control packets for SAP (see
(in SAP Service Configuration) Tunneling of Layer-2 Protocol PDUs for SAP)
Table 5: TLS Display Commands

Command Description
show tls Displays the global TLS configuration (see Displaying the
TLS Configuration)
show tls tunneled-ieee-pdu Displays the L2PT encapsulation information (see
Displaying the L2PT Encapsulation Information)
show tls tunneled-ieee-pdu Displays the L2PT configuration information (see
service Displaying the L2PT Configuration Information)
show tls tunneled-ieee-pdu Displays Layer-2 protocol tunneling statistics (see
statistics Displaying Layer-2 Protocol Tunneling Statistics)
show tls tunnel-profile Displays the specified custom profile name (see
Displaying TLS Profile Names)
show tls-services Displays information about all currently configured TLS
services (see Displaying TLS Services)
Page 9
Configuring a TLS Service

The tls command creates a specific TLS service instance.
Command Syntax
device-name(config)#tls SERVICE-NAME [<service ID>]
device-name(config)#no tls SERVICE-NAME
device-name(config)#no tls id <service ID>
SERVICE-NAME A unique alpha-numeric string service name. When defining the service
via SNMP, it generates dynamically
service ID (Optional) the unique service identifier, in the range <1–4294967295>
no Removes the defined TLS instance
Example
device-name(config)#tls serv 5
device-name(config-tls serv)
Configuring TLS Service Distribution Paths (SDP)

The sdp command configures a service distribution point (SDP) for the specified TLS instance.
CLI Mode: TLS Service Configuration
NOTE
Create the SDP VLAN and add ports as tagged to this VLAN before creating the
SDP, see Example 1.
Command Syntax
device-name(config-tls SERVICE-NAME)#sdp {UU/SS/PP | ag0N} s-vlan <SVLAN-ID>
[primary | secondary]
device-name(config-tls SERVICE-NAME)#sdp {UU/SS/PP | ag0N} s-vlan <SVLAN-ID>
[option]
device-name(config-tls-sdp UU/SS/PP:SVLAN-ID:)#
device-name(config-tls-sdp AG0N:SVLAN-ID:)#
device-name(config-tls SERVICE-NAME)#no sdp {UU/SS/PP | ag0N}
Page 10
UU/SS/PP The SDP port. The SDP port has to be a tagged member of the S-
VLAN
ag0N The SDP aggregation port. N in the range <1–7>
s-vlan <SVLAN-ID> The SDP Service VLAN ID, in the range of <1–4094>
primary (Optional) SDP EPS primary
secondary (Optional) SDP EPS secondary
option (Optional) changes the mode to SDP Service Configuration mode (see
Example 2)
no Removes the defined SDP
For detailed information about EPS, refer to the ITU-T G.8031 Ethernet Protection Switching (EPS)
section of Operations, Administration and Maintenance (OAM) chapter.
Examples
1. Create the SDP VLAN and add ports as tagged to this VLAN before creating the SDP:
device-name(config vlan)#exit
device-name(config)#tls tunneled-ieee-pdu enable
device-name(config-tls serv)#sdp 1/2/1 s-vlan 5
device-name(config-tls serv)#
2. Enter SDP Service Configuration mode:

device-name(config-tls serv)#sdp 1/2/1 s-vlan 5 option
device-name(config-tls-sdp 1/2/1:5:)#
Page 11
Configuring TLS Service Access Point (SAP)

The sap command configures a service access point (SAP) for the specified TLS instance.
Command Syntax
device-name(config-tls SERVICE-NAME)#sap UU/SS/PP {c-vlans <CVLAN-ID> | c-
vlans VLAN-LIST | c-vlan-wildcard 0xffff 0xffff | c-vlan-wildcard all}
[option | untagged]
device-name(config-tls SERVICE-NAME)#no sap UU/SS/PP {c-vlans <CVLAN-ID> | c-

vlans VLAN-LIST | c-vlan-wildcard 0xffff 0xffff | c-vlan-wildcard all}
[untagged]
UU/SS/PP The SAP port. The SAP port has to be an untagged member of the S-
VLAN. Default VLAN for SAP port is the S-VLAN
CVLAN-ID The SAP Customer VLAN ID, in the range of <1–4094>
VLAN-LIST The SAP Customer VLAN ID list (for example 2–4,8) defining the
number of SAPs
c-vlan-wildcard A group of Customer VLANs, identified by matching mask
0xffff 0xffff
c-vlan-wildcard Tunnels the tagged traffic only
all
option (Optional) changes the mode to SAP Service Configuration mode (see
Example 2)
untagged (Optional) tunnels untagged traffic only
no Removes the defined SAP
Examples
1. Configure SAP:
device-name(config-tls serv)#sap 1/1/1 c-vlan-wildcard all
device-name(config-tls serv)#sap 1/2/2 c-vlans 4,7-9
device-name(config-tls serv)#sap 1/2/3 c-vlans 5 untagged
2. Enter SAP Service Configuration mode:

device-name(config-tls serv)#sap 1/2/2 c-vlans 4 option
device-name(config-tls-sap 1/2/2:4:)#
Page 12
Configuring TLS
The tls command enables/disables the TLS.
Command Syntax
device-name(config)#tls {enable | disable}
enable Enables TLS
disable Disables TLS
Configuring the TLS EtherType Value

The tls ethertype command configures the EtherType value.

By default, the EtherType value is 0x8100.
Command Syntax
device-name(config)#tls ethertype <number>
number Hexadecimal VLAN EtherType value (for example 0x9000)
Selecting a TLS Core (Uplink) Port

The tls uplink command configures a physical interface or group of interfaces as a TLS core
(uplink) port/groups.
CLI Mode: Interface Configuration, LAG Interface Configuration, Range Interface

Configuration, and LAG Range Interface Configuration
The TLS core port is configured at the Provider-network side of the provider-edge (PE) switch.
NOTE
For the tls uplink command to take effect, first enable TLS by using the tls
enable command.
Page 13
NOTE
For TLS to be successfully enabled on an uplink, which is a port aggregation (LAG),
the tls uplink command should be executed in Interface LAG Configuration
mode. Enabling TLS on a single port of the LAG will have no effect on the
aggregation.
By default, all ports are residential.
Command Syntax
device-name(config-if UU/SS/PP)#[no] tls uplink
device-name(config-if AG0N)#[no] tls uplink
device-name(config-if-group)#[no] tls uplink
device-name(config-ag-group)#[no] tls uplink
no Configures the selected port or link aggregation to a residential port/group of ports
Selecting a TLS Access (User) Port

The tls user command configures a physical interface or group of interfaces as a TLS access
(user) port/groups.
CLI Mode: Interface Configuration, LAG Interface Configuration, Range Interface

The TLS access port is configured at the Provider-network side of the Customer Edge (CE) switch.
NOTE
For the tls user command to take effect, first enable TLS by using the tls
enable command.
By default, all the ports are set as residential ports.
Command Syntax
device-name(config-if UU/SS/PP)#[no] tls user
device-name(config-if AG0N)#[no] tls user
device-name(config-if-group)#[no] tls user
device-name(config-ag-group)#[no] tls user
no Configures the selected port or link aggregation to a residential port/group of ports
Page 14
Securing the Management Device Access based on

C-VLAN
The management c-vlan command limits the device management access only through specified C-
VLANs.

TLS service-enabled devices are located at the edge of two domains and thus at the administrative
edge of two business entities. A remote business entity manages these devices remotely through a
service-encapsulated traffic (the traffic that is encapsulated with TLS service tag).
The management service-encapsulated traffic is tunneled through a dedicated management C-
VLAN in order to separate it from the data service-encapsulated traffic.
Configuring a management C-VLAN is mandatory, in order to manage these devices through the
TLS Service.
If the management C-VLAN is disabled, the following are not allowed:
• SNMP management
NOTE
Only one management C-VLAN per TLS service is supported.
The management C-VLAN must not match C-VLANs that are used in SAP definitions.
By default, no management C-VLAN is configured on a TLS service.
Command Syntax
device-name(config-tls SERVICE-NAME)#management c-vlan <CVLAN-ID>
CVLAN-ID The C-VLAN ID, in the range of <1–4094> (CVLAN-ID)
Configuring the Layer-2 Protocol Tunneling

The tls tunneled-ieee-pdu enable/disable command enables or disables the Layer-2
protocol tunneling.

By default, the Layer-2 protocol tunneling is disabled.
Command Syntax
device-name(config)#tls tunneled-ieee-pdu {enable | disable}
Page 15
enable Enables the Layer-2 protocol tunneling
disable Disables the Layer-2 protocol tunneling
TLS Tunnel Profile Configuration Mode

The tls tunnel-profile command enters the configuration mode for a specific TLS tunnel
profile.
CLI Mode: Global Configuration and TLS Tunnel Profile Configuration
NOTE
Use this command in a Specific TLS Tunnel Profile Configuration mode to switch to
the Configuration mode of another TLS tunnel profile; see Example.
Command Syntax
device-name(config)#tls tunnel-profile TLS-PROFILE-NAME
device-name(tls-profile TLS-PROFILE-NAME)#
device-name(tls-profile TLS-PROFILE-NAME)#tls tunnel-profile TLS-PROFILE-

NAME1
device-name(tls-profile TLS-PROFILE-NAME1)#
TLS-PROFILE-NAME The TLS profile name
Example
device-name(config)#tls tunnel-profile system
device-name(tls-profile system)#tls tunnel-profile p5
device-name(tls-profile p5)#tls tunnel stp
Configuring Layer-2 Protocol PDUs

The tls tunnel/discard command specifies one of the allowed Layer-2 protocol PDUs to be
tunneled or discarded.
CLI Mode: TLS Tunnel Profile Configuration
Command Syntax
device-name(tls-profile PROFILE-NAME)#tls {tunnel | discard} {all-brs | other
| dot1x | efm-oam | e-lmi | garp | lacp | lldp | pvst | pb-stp | stp}
Page 16
tunnel Specifies one of the allowed Layer-2 Protocol PDUs to be tunneled
discard Specifies one of the allowed Layer-2 Protocol PDUs to be discarded
all-brs Specifies that the PDUs intended for the MAC address that is reserved
for the exclusive use by the All Bridges are tunneled
other Specifies that the PDUs intended for the MAC addresses from the bridge
block but are not PDUs of any of the specified protocols are tunneled
dot1x IEEE 802.1x standard
efm-oam Ethernet in the First Mile-Operations, Administration and Maintenance
standard
e-lmi Enhanced Local Management Interface
garp Generic Attribute Registration Protocol
lacp Link Aggregation Protocol
lldp Link Layer Discovery Protocol
pvst Per-VLAN Spanning Tree (PVST) maintains a spanning tree instance for
each VLAN configured in the network. Since PVST treats each VLAN as
a separate network, it has the ability to load balance traffic (at layer-2) by
forwarding some VLANs on one link and other VLANs on another link
without causing a spanning tree loop.
pb-stp Provider Bridge Spanning Tree Protocol
stp Spanning Tree Protocol
Defining Tunnel MAC Addresses for Predefined

Protocols
The tls tunneled-ieee-pdu HH:HH:HH:HH:HH:HH command defines a multicast tunnel MAC
address that rewrites the original multicast destination MAC address in the encapsulated Layer-2
PDUs.
The Layer-2 PDU is transported across the provider network transparently to the other end of the
tunnel and the original multicast destination MAC address is restored when the packet is
transmitted.
Command Syntax
device-name(config)#tls tunneled-ieee-pdu {all-brs | other | dot1x | efm-oam |
e-lmi | garp | lacp | lldp | pvst | pb-stp | stp} HH:HH:HH:HH:HH:HH
Page 17
all-brs Specifies that PDUs intended for the MAC address that is reserved for
the exclusive use by the All Bridges are tunneled
other Specifies that PDUs intended for the MAC addresses from the bridge
block but are not PDUs of any of the specified protocols are tunneled
dot1x IEEE 802.1x standard
efm-oam Ethernet in the First Mile-Operations, Administration and Maintenance
standard
e-lmi Enhanced Local Management Interface
garp Generic Attribute Registration Protocol
lacp Link Aggregation Protocol
lldp Link Layer Discovery Protocol
pvst Per-VLAN Spanning Tree (PVST) maintains a spanning tree instance
for each VLAN configured in the network. Since PVST treats each
VLAN as a separate network, it has the ability to load balance traffic
(at layer-2) by forwarding some VLANs on one link and other VLANs
on another link without causing a spanning tree loop.
pb-stp Provider Bridge Spanning Tree Protocol
stp Spanning Tree Protocol
HH:HH:HH:HH:HH:HH Multicast tunnel MAC address, in hexadecimal format
Refer to Table 6 for default multicast tunnel MAC addresses
NOTE
If you do not specify a MAC address, the default
replacement MAC address for each of the specified
protocols is used.
Table 6: Default Multicast Tunnel MAC Addresses

Protocol MAC Address
xSTP 01-A0-12-FF-FF-00
LACP/LAMP 01-A0-12-FF-FF-02
Link OAM (802.3ah) 01-A0-12-FF-FF-02
Port Authentication (802.1x) 01-A0-12-FF-FF-03
E-LMI 01-A0-12-FF-FF-07
LLDP (802.1AB) 01-A0-12-FF-FF-0E
Bridge block of protocols 01-A0-12-FF-FF-0X
NOTE
X denotes a random digit from 0 to F. When it
is found in the original MAC, is preserved in
the replacement MAC.
All Bridges 01-A0-12-FF-FF-10
Page 18
Protocol MAC Address
GARP Block of protocols 01-A0-12-FF-FF-2X
NOTE
X denotes a random digit from 0 to F. When it
is found in the original MAC, is preserved in
the replacement MAC.
Provider bridge STP 01-A0-12-FF-FF-08
PVST 01-A0-12-CC-CC-CD
When you configure the destination MAC address for encapsulated PDUs, you must leave the last
byte of the MAC address for protocols Bridge block of protocols and GARP Block of protocols as default
values:
• 00—for Bridge block of protocols
• 20—for GARP Block of protocols
Defining Tunnel MAC Addresses for User-Defined

Protocols
The tls tunneled-ieee-pdu add command defines a multicast tunnel MAC address that
rewrites the original multicast destination MAC address in the encapsulated PDU for user-defined
Layer-2 protocols.
Command Syntax
device-name(config)#tls tunneled-ieee-pdu add L2TUN-PROTOCOL-NAME
ORIGINAL_HH:HH:HH:HH:HH:HH [TUNNEL_HH:HH:HH:HH:HH:HH] [ETHERTYPE]
device-name(config)#no tls tunneled-ieee-pdu L2TUN-PROTOCOL-NAME
L2TUN-PROTOCOL-NAME A text string of <1–16> characters
ORIGINAL_HH:HH:HH:HH:HH:HH Original multicast destination MAC address of the specified
protocol
TUNNEL_HH:HH:HH:HH:HH:HH (Optional) multicast tunnel MAC address used for the
replacement
ETHERTYPE (Optional) indicates which protocol is encapsulated in the
payload of the Ethernet frame
no Restores the original multicast destination MAC address
Page 19
Tunneling of Layer-2 Protocol PDUs for SDP

The tls tunneled-ieee-pdu command enables tunneling of Layer-2 protocol PDUs for SDP.
CLI Mode: SDP Service Configuration

By default, TLS tunneling is disabled. When TLS tunneling is enabled on a TLS service, the default
policy is Discard-all.
Command Syntax
device-name(config-tls-sdp UU/SS/PP:SVLAN-ID:)#tls tunneled-ieee-pdu [discard-
all | tunnel-all | tunnel-bpdu | TLS-PROFILE-NAME]
device-name(config-tls-sdp UU/SS/PP:SVLAN-ID:)#no tls tunneled-ieee-pdu
device-name(config-tls-sdp AG0N:SVLAN-ID:)#tls tunneled-ieee-pdu [discard-all

| tunnel-all | tunnel-bpdu | TLS-PROFILE-NAME]
device-name(config-tls-sdp AG0N:SVLAN-ID:)#no tls tunneled-ieee-pdu
discard-all (Optional) specifies a policy of discarding only Layer-2 protocol PDUs
tunnel-all (Optional) specifies a policy of tunneling only Layer-2 protocol PDUs
tunnel-bpdu (Optional) specifies a policy of tunneling only xSTP packets. When the
tunneling of xSTP protocols is enabled, it allows tunneling BPDUs
between the TLS access (user) ports over the TLS core (uplink) ports.
The tunneling is done for packets with Multicast DA of 01-80-c2-00-00-
00 (STP).
TLS-PROFILE-NAME (Optional) specifies the custom profile name used to define the tunneling
policy on the specified SDP
no Disables tunneling of IEEE Control packets
Example
device-name(config-tls-sdp 1/1/1:4:)#tls tunneled-ieee-pdu tunnel-bpdu
Page 20
Tunneling of Layer-2 Protocol PDUs for SAP

The tls tunneled-ieee-pdu command enables tunneling of Layer-2 protocol PDUs for SAP.
CLI Mode: SAP Service Configuration
NOTE
In SAP Service Configuration mode also exist:
the apply-qos-service-policy command. For more information, refer to the
Applying the Service Policy on a SAP section of the Configuring Quality of
Service (QoS) chapter.
the mac access-group and ip access-group commands. For more
information, refer to the Configuring Access Control Lists (ACLs) chapter.
the event-propagation profile command. For more information, refer to
the Applying a Profile to a SAP or a Port section of the Operations,
Administration & Maintenance (OAM) chapter.
By default, TLS tunneling is disabled. When TLS tunneling is enabled on a TLS service, the default
policy is Discard-all.
Command Syntax
device-name(config-tls-sap UU/SS/PP:CVLAN-ID:)#tls tunneled-ieee-pdu [discard-
all | tunnel-all | tunnel-bpdu | TLS-PROFILE-NAME]
device-name(config-tls-sap UU/SS/PP:CVLAN-ID:)#no tls tunneled-ieee-pdu
discard-all (Optional) specifies a policy of discarding only Layer-2 protocol PDUs
tunnel-all (Optional) specifies a policy of tunneling only Layer-2 protocol PDUs
tunnel-bpdu (Optional) specifies a policy of tunneling only xSTP packets. When the
tunneling of xSTP protocols is enabled, it allows tunneling the BPDUs
between the TLS access (user) ports over the TLS core (uplink) ports.
The tunneling is done for packets with Multicast DA of 01-80-c2-00-00-
00 (STP).
TLS-PROFILE-NAME (Optional) specifies the custom profile name used to define the
tunneling policy on the specified SAP
no Disables tunneling of IEEE Control packets
Example
device-name(config-tls-sap 1/1/1:5:)#tls tunneled-ieee-pdu tunnel-all
Page 21
Displaying the TLS Configuration

The show tls command displays the TLS configuration.

• The TLS configuration includes:
• The TLS status
• The TLS EtherType
• The TLS core (uplink) ports
• The TLS access (user) ports
Command Syntax
device-name#show tls
Example
TLS is enabled
TLS EtherType 0x8100
==============================+
|Interface |Mode |
-------------+----------------+
|1/2/1 | User |
|1/3/1 | Uplink |
|AG01 | Residential |
Displaying the L2PT Encapsulation Information

The show tls tunneled-ieee-pdu command displays the L2PT encapsulation information.
Command Syntax
device-name#show tls tunneled-ieee-pdu
Page 22
Example
device-name#show tls tunneled-ieee-pdu
+-----------------+------------------+------------------+----------+
|Protocol |Protocol MAC |Encapsulation MAC |EtherType |
+-----------------+------------------+------------------+----------+
|stp |01:80:c2:00:00:00 |01:a0:12:ff:ff:00 |N/A |
|lacp |01:80:c2:00:00:02 |01:a0:12:ff:ff:02 |0x8809 |
|efm-oam |01:80:c2:00:00:02 |01:a0:12:ff:ff:02 |0x8809 |
|dot1x |01:80:c2:00:00:03 |01:a0:12:ff:ff:03 |N/A |
|e-lmi |01:80:c2:00:00:07 |01:a0:12:ff:ff:07 |N/A |
|lldp |01:80:c2:00:00:0e |01:a0:12:ff:ff:0e |N/A |
|other |01:80:c2:00:00:0X |01:a0:12:ff:ff:0X |N/A |
|all-brs |01:80:c2:00:00:10 |01:a0:12:ff:ff:10 |N/A |
|garp |01:80:c2:00:00:2X |01:a0:12:ff:ff:2X |N/A |
|pb-stp |01:80:c2:00:00:08 |01:a0:12:ff:ff:08 |N/A |
|pvst |01:00:0c:cc:cc:cd |01:a0:12:cc:cc:cd |N/A |
|protocol_name |01:80:c2:00:00:02 |01:a0:12:ff:ff:02 |0x9530 |
+-----------------+------------------+------------------+----------+
Displaying the L2PT Configuration Information

The show tls tunneled-ieee-pdu service command displays the L2PT configuration
information.
Command Syntax
device-name#show tls tunneled-ieee-pdu service <service ID> {sap SAPSTRING |
sdp SDPSTRING}
service ID The unique service identifier, in the range of <1–4294967295>
sap SAPSTRING The SAPSTRING has the form UU/SS/PP:CVLANID:
• UU/SS/PP:SVLANID:—use it if you configured the SDP on a port
aggregation
The S-VLAN ID is in the range of <1–4094>
Page 23
Example
device-name(config-tls-sdp 1/2/1:5:)#end
device-name#show tls tunneled-ieee-pdu service 5 sdp 1/2/1:5:
+--------------------------------+--------------------------------+
|Vi Id |Profile Applied |
+--------------------------------+--------------------------------+
|1/2/1:5: |tunnel-bpdu |
Displaying Layer-2 Protocol Tunneling Statistics

The show tls tunneled-ieee-pdu statistics command displays Layer-2 protocol tunneling
statistics.
Command Syntax
device-name#show tls tunneled-ieee-pdu statistics
Example
device-name#show tls tunneled-ieee-pdu statistics
+--------------------------------------------------------------------------+
| SVC_ID|SAP/SDP_STRING|PROTO_NAME| ACTION| RX| TX|
+--------------------------------------------------------------------------+
| 7268| 1/1/2:5| stp| tunnel| 0| 0|
| 7268| 1/1/2:5| lacp|discard| 0| 0|
| 7268| 1/1/2:5| efm-oam|discard| 0| 0|
| 7268| 1/1/2:5| dot1x|discard| 0| 0|
| 7268| 1/1/2:5| e-lmi|discard| 0| 0|
| 7268| 1/1/2:5| lldp|discard| 0| 0|
| 7268| 1/1/2:5| other|discard| 0| 0|
| 7268| 1/1/2:5| all-brs|discard| 0| 0|
| 7268| 1/1/2:5| garp|discard| 0| 0|
| 7268| 1/1/2:5| pb-stp|discard| 0| 0|
| 7268| 1/1/2:5| pvst|discard| 0| 0|
+--------------------------------------------------------------------------+
Page 24
Displaying TLS Profile Names

The show tls tunnel-profile command displays the TLS profile names used to define the
tunneling policy.
Command Syntax
device-name#show tls tunnel-profile [TLS-PROFILE-NAME]
TLS-PROFILE-NAME (Optional) displays the specified custom profile name used to define
the tunneling policy on a specified port
Example
device-name#show tls tunnel-profile
ProfileName: my_tunnel
+-----------------+-----------+
|Protocol |Action |
+-----------------+-----------+
|stp |tunnel |
|lacp |tunnel |
|efm-oam |discard |
|dot1x |discard |
|e-lmi |discard |
|lldp |discard |
|other |discard |
|all-brs |tunnel |
|garp |discard |
|pb-stp |discard |
|pvst |discard |
+-----------------+-----------+
ProfileName: lacp_tunnel
+-----------------+-----------+
|Protocol |Action |
+-----------------+-----------+
|stp |discard |
|lacp |tunnel |
|efm-oam |discard |
|dot1x |discard |
|e-lmi |discard |
|lldp |discard |
|other |discard |
|all-brs |discard |
|garp |discard |
|pb-stp |discard |
Page 25
|pvst |discard |
+-----------------+-----------+
Displaying TLS Services

The show tls-services command displays information about all currently configured TLS
services.
CLI Mode: Privileged (Enable), and TLS Service Configuration
Command Syntax
device-name#show tls-services
device-name(config-tls SERVICE-NAME)#show tls-services
Example
+---------+--------------------------------+------+-----+-----+
| Idx | Service Name |S-VLAN|Encap|State|
+---------+--------------------------------+------+-----+-----+
|00007615 |test | 0002 |QinQ |Up |
Page 26
TLS Configuration Examples

Example 1
The following figure shows an example of an interface TLS configuration.
Figure 3: TLS Interface Example
1. Enable TLS:
device-name(config)#tls enable
2. Configure the TLS core (uplink) port on port 1/2/1:

device-name(config-if 1/2/1)#tls uplink
3. Configure the TLS access (user) port on port 1/2/8:

device-name(config-if 1/2/8)#tls user
4. Add the TLS core (uplink) port as a tagged member to VLAN 10. Also add access (user) port
as an untagged member to that VLAN.
device-name(config-vlan v10)#end
Page 27
5. Display the TLS configuration:

TLS is enabled
TLS EtherType 0x8100
+===========+================+
| Interface | Mode |
+-----------+----------------+
| 1/2/1 | uplink |
| 1/2/8 | user |
…
Example 2
Figure 4 shows an example of a TLS tunneling configuration.
Figure 4: TLS Tunneling Example
1. Create the VLAN vl5 with ID 5 and add to it the 1/2/1 port (SDP port) as tagged and 1/2/2
port (SAP port) as untagged:
2. Define a new TLS service and enable TLS tunneling:

3. Define SDP:
device-name(config-tls-sdp 1/2/1:5:)#exit
Page 28
4. Add wildcard VLAN for SAP:

device-name(config-tls serv)#sap 1/2/2 c-vlans 6
device-name(config-tls-sap 1/2/2:6:)#tls tunneled-ieee-pdu tunnel-bpdu
device-name(config-tls-sap 1/2/2:6:)#end
5. Display TLS services:

+---------+--------------------------------+------+-----+-----+
| Idx | Service Name |S-VLAN|Encap|State|
+---------+--------------------------------+------+-----+-----+
|00000005 |serv | 0005 |QinQ |Up |
6. Display TLS tunneling:

device-name#show tls tunneled-ieee-pdu service 5 sdp 1/2/1:5:
+--------------------------------+--------------------------------+
+--------------------------------+--------------------------------+
device-name#show tls tunneled-ieee-pdu service 5 sap 1/2/2:6:

+--------------------------------+--------------------------------+
+--------------------------------+--------------------------------+
Page 29
Supported Platforms
Feature T-Marc 340 T-Marc 380
Transparent LAN Services (TLS) + +

Feature Standards MIBs RFCs
Transparent LAN No standards are Private MIBs: No RFCs are

Services (TLS) supported by this • prvt_serv.mib supported by this
feature. feature.
• prvt_L2tunneling.mib
Page 30
Configuring Spanning Tree Protocol (STP)
Table of Figures ······················································································ 3
Overview ······························································································· 4
Architecture ··························································································· 4
The Election Algorithm············································································· 4

Selecting a Root Bridge ·········································································· 4
Selecting a Designated Bridge per Network Segment ········································· 4
Selecting the Root and Alternate Ports ························································· 5
Line Error Detection ············································································· 5
Bridge Protocol Data Units (BPDUs) ·························································· 5
The STP Path Cost ·················································································· 6
The STP Port States ················································································· 6
Topology Changes Detection······································································ 8

Broadcasting an Event to the Network························································· 9
The STP Timers······················································································ 9

Message Age ·····················································································10
The STP Diameter···············································································11
Calculating the STP Timers·····································································11
STP Address Management ········································································12
STP Loop Guard ····················································································12
Internet Group Multicast Protocol (IGMP) Fast Recovery ·································13

STP Default Configuration ·····································································15
STP Configuration Flow ···········································································16
STP Configuration Commands···································································17

Enabling/Disabling STP ········································································19
Enabling/Disabling STP per Port······························································19
Defining the STP Bridge Priority ······························································20
Defining the STP Priority per Port ····························································20
Page 1
Configuring Spanning Tree Protocol (STP) (Rev. 06)
Defining the Hello-Time········································································21

Defining the Maximum Aging Timer ··························································21
Defining the Forward-Delay Timer ····························································22
Defining the Port Path Cost ····································································22
Enabling/Disabling STP Topology Change Detection ······································23
Enabling/Disabling Line Error Detection ····················································23
Enabling/Disabling Line Flapping Detection ················································24
Setting the BPDU Guard ·······································································24
Enabling/Disabling the Loop Guard per Port················································25
Enabling/Disabling Root Restriction··························································25
Configuring the BPDUs MAC Address ·······················································26
Restoring STP Port Parameters to Defaults···················································26
Configuring IGMP Fast Recovery ·····························································26
Displaying the STP Configuration ·····························································27
Displaying the Ports’ STP Configuration······················································28
Displaying the STP Topology for a Specific Port ············································32
Enabling STP Debug Information ·····························································33
Displaying the STP Debug Status ······························································33
STP Configuration Example ······································································34
Page 2
Table of Figures
Figure 1: The Spanning Tree Port States ······················································· 7
Figure 2: Topology Change ······································································ 8
Figure 3: Topology Change with TC Message ················································· 9
Figure 4: BPDU Age Parameter ································································10
Figure 5: Calculating the Diameter ·····························································11
Figure 6: Spanning Tree IGMP Configuration················································13
Figure 7: Spanning Tree IGMP Fast Recovery Configuration ······························14
Figure 8: STP Configuration Flow ·····························································16
Figure 9: Spanning Tree Configuration Example·············································34
Page 3
T-Marc 300 Series Series User Guide
Overview
Spanning Tree Protocol (STP, IEEE 802.1d) is a Layer 2 protocol that provides path redundancy,
ensuring a loop-free topology for bridged LANs.
Using this protocol, a network can include redundant links that provide automatic backup paths in
case of an active link failure. It controls the links, leaving only a single active path between any two
network nodes.
Architecture
The STP algorithm calculates each path cost throughout all the devices within the network’s
spanning tree, remaining the paths with the lower cost as active paths and blocking others. It
activates the blocked paths in case the active link fails or if the path cost changes.
The Election Algorithm

Selecting a Root Bridge
In order to elect the active paths within a network, STP first determines a Root bridge. The Root is
the device towards which all other devices calculate the path cost. The protocol then selects the
path with the lowest cost between each device to the Root as the active path, while blocking all
other redundant paths.
Each bridge within the spanning tree has a unique ID that is made up of the bridge’s user-defined
priority and MAC address. The protocol selects the bridge with the lowest ID as the Root.
System administrators can alter the bridge ID by configuring the bridge priority, thus control the
probability of a bridge becoming a Root.
Selecting a Designated Bridge per Network Segment

After selecting the Root bridge, STP selects a Designated bridge per network segment. This is the
closest bridge to the Root, forwarding packets from that segment towards the root bridge.
Each segment has only one Designated bridge. The Designated bridge has one Designated port
that forwards packets from the Root bridge to this segment.
Page 4
Selecting the Root and Alternate Ports

The last election step is selecting a Root port (per bridge) that sends data towards the Root bridge.
In order to avoid loops, all other ports that provide redundant paths to the Root bridge are set as
Alternate ports. These ports do not forward traffic unless the Root port goes down.
Each bridge has only one Root port, as a single path toward the Root bridge.
Line Error Detection

The protocol allows interchanging the roles of the Root port and an Alternate port when the CRC
errors on the line reach a critical level. In this case the Root port’s path cost automatically changes
into a higher value, triggering the interchange of the Root and Alternate port statuses.
For detailed information regarding the port role assignments, refer to the RSTP Port Roles section
from Configuring Rapid Spanning Tree Protocol (RSTP) chapter.
Bridge Protocol Data Units (BPDUs)

Bridges exchange the above information using Bridge Protocol Data Units (BPDUs) that include
the following information:
• the Root bridge ID
• the designated bridge ID
• the path cost—the distance between the Root to the device
• the designated port ID
The protocol uses three BPDU types:
• Configuration BPDUs, used for the election algorithm
• Topology Change Notification (TCN) BPDUs, announcing network topology changes
• Topology Change Notification Acknowledgment BPDUs, sent when a device receives a TCN,
forwarding the TCN on its Root port.
Page 5
The STP Path Cost

Each bridge port has an assigned path cost, a user-definable parameter that determines the port’s
preference to be included in the active spanning tree topology. During BPDU exchange, STP sums
up the path costs along all Designated ports (Designated path cost). This value then serves as the
bridge’s distance from the Root.
The lower the cost, the closer the device is to the Root. If two devices have identical path costs,
STP selects the path based on port priority and bridge IDs as a tiebreaker.
The STP Port States

STP uses five port states controlling the BDPU traffic.
To ensure a loop-free network during topology changes inactive ports:
• cannot start forwarding prior to the new topology-information propagating through the
switched LAN
• have to allow frames—that were forwarded using the old topology—to expire
Table 1: STP States
STP State Description
Blocking The port does not forward frames. It moves to this state after the initialization
phase, when a different device/port was elected as Root.
If there is only one device in the network, no exchange occurs, the forward-
delay timer expires, and the ports move to Listening state.
A port in blocking state:
• discards frames
• discards frames switched from another port for forwarding
• does not learn MAC addresses
• receives BPDUs
A Blocking port can enter Listening or Disabled states.
Listening This is the first state a Blocking port transitions to when STP determines that
the port should participate in frame forwarding. The device processes
BPDUs and waits for possible new information that might cause it to return to
the Blocking state.
A port in Listening state performs the same steps as Blocking state.
From this state the port can enter Learning or Disabled states.
Page 6
STP State Description
Learning This is the second state the port enters when preparing to participate in
frame-forwarding.
The port does not yet forward frames. However it learns source addresses
from received frames, adding them to the filtering database.
A port in Learning state:
• discards frames
• discards frames switched from another port for forwarding
• learns MAC addresses
• receives BPDUs
From this state the port can enter Forwarding or Disabled states.
Forwarding The port forwards frames. The device processes BPDUs and waits for
possible new information that might cause it to return to Blocking state to
prevent a loop.
A port in Forwarding state:
• receives and forwards frames
• forwards frames switched from other ports
• learns MAC addresses
• receives BPDUs
From this state the port can enter Disabled state.
Disabled A port in this state does not participate in frame forwarding and spanning
tree.
The port performs the same steps as Blocking state, except it does not
receive BPDUs.
The following figure illustrates how a port moves through the above states.
Figure 1: The Spanning Tree Port States
Page 7
Topology Changes Detection

When a bridge detects a topology change in the network (such as a link failure or the link changing
to Forwarding state), it sends this event to the entire bridged network.
The process is done in two stages:
1. The bridge notifies the STP Root.
2. The Root broadcasts the information to the whole network.
Upon a topology change the address tables of all devices are flushed and new paths are learned.
The below figure illustrates the network’s reaction to a topology change. The initial data path
between Computer 1 and Computer 2 is via Device A→Device B→Device C.
Figure 2: Topology Change
After a topology change the new data path becomes Device A→Device D→Device C.
During the topology-change period, devices C and D are not aware of the topology change. During
this period frames sent from Computer 1 are forwarded to Device B and there is no connection
between the Computer 1 and Computer 2 until the address table ages out.
To avoid connection loss caused by a topology change, STP implements a mechanism called
Topology Change Notification (TCN). This mechanism flushes the devices’ MAC addresses upon a
topology change.
Page 8
Broadcasting an Event to the Network

When the Root is aware of a topology change, it sends out configuration BPDUs with the
Topology Change (TC) flag set. As a result, all bridges become aware of the topology change and
reduce the MaxAge timer to the forward-delay timer (see below The STP Timers).
Bridges receive topology-change BPDUs on both forwarding and blocking ports.
Figure 3: Topology Change with TC Message
The STP Timers

The following table describes the timers affecting the STP performance.
Table 2: STP Timers
Variable Description
Hello timer The interval between two consecutive BPDUs a device sends to other
devices.
Forward-delay timer The time a port is in Listening and Learning states before the port begins
forwarding.
Maximum-age timer The time the device stores protocol information received on a port.
(MaxAge)
Message Age How far a device is from the Root when it receives a BDPU
Page 9
Message Age
The message age value of all BPDUs the Root sends are zero. Each subsequent device increments
the message age value by one, as illustrated in the below figure:
Figure 4: BPDU Age Parameter
After receiving a new BPDU equal to or greater than the recorded information on the port, all
BPDU information is stored, and the age timer begins to run, starting at the message age. If this age
timer reaches MaxAge before receiving another BPDU, the information ages out for that port.
For example, in the above figure:
• Device B and C receive a BPDU from Device A with message age value zero. On the port
going to Device A, it takes MaxAge seconds before the information ages out.
• Device D and E receive a BPDU from Device B with message age value one. On the port
going to Device A, it takes MaxAge-1 seconds before the information ages out.
• Device F receives a BPDU from Device E with message age value two. On the port going to
Device E, it takes MaxAge-2 seconds before the information ages out.
Page 10
The STP Diameter

The STP timers’ settings are based on the STP diameter, the maximum number of bridges between
any two end points on the network. IEEE 802.1D specification recommends a maximum network
diameter of 7 hops. (Therefore the maximum STP ring size is 14 devices: a distance of seven hops
from the root to the last bridge in the ring.)
The below figure illustrates a network built up of a diameter of five (path A-C-B-E-D). It contains
three access devices (C, D, and E) attached to two distribution devices (A and B) and a Layer 3
boundary between the distribution devices and the core. The bridged domain stops at the
distribution devices.
The maximum STP diameter of five is between:
• C-A-D-B-E
• D-A-C-B-E
Figure 5: Calculating the Diameter
Calculating the STP Timers

To calculate the STP timers use the following formulas:
Max_age = 4 x hello +2 x dia - 2
Forward_delay = (4 x hello + 3 x dia) / 2
Based on the above formulas, lowering the hello-timer value decreases the other STP parameters.
However, it doubles the amount of BPDUs sent/received by each bridge, causing additional load
on the CPU.
Page 11
STP Address Management

IEEE 802.1D specifies 17 multicast MAC addresses, with a valid range from 0x0180C2000000 to
0x0180C2000010, to use by different bridge protocols. These addresses are static addresses that
cannot be removed.
Regardless of the STP state, the device receives but does not forward packets destined for addresses
between 0x0180c2000000 and 0x0180C200000F.
If STP is enabled, the CPU of the device receives packets destined for 0x0180C2000000 and
0x0180C2000010. If STP is disabled, the device forwards those packets as unknown multicast
addresses.
STP Loop Guard

STP relies on continuous reception or transmission of BPDUs based on port roles.
However, there are cases where an STP loop is created when a Blocking port in a redundant
topology transitions to Forwarding state by mistake. This happens when one of the ports of a
physically redundant topology no longer receives STP BPDUs. As a result the Alternate port,
Backup port, or Root port eventually becomes Designated and moves to Forwarding state, creating
a loop.
The STP Loop Guard feature provides additional protection against STP loops. This feature
implements a mechanism that maintains the port in Blocking state, instead of transitioning it to
Forwarding state, whenever BPDUs from a neighbor are lost.
Page 12
Internet Group Multicast Protocol (IGMP) Fast

Recovery
When using the IGMP Fast Recovery feature, the multicast traffic takes advantage of the
connectivity and convergence time provided by STP.
In the following figure, all devices run IGMP snooping and a spanning tree protocol (STP, RSTP,
or MSTP). In this figure:
1. The Multicast Router floods traffic for multicast groups that the client is subscribed to.
Figure 6: Spanning Tree IGMP Configuration
2. The Multicast Router sends an IGMP query to the clients for their multicast group
memberships.
3. The client(s) reply with IGMP Reports. The traffic flows from the Multicast Router, through
Device D and Device A, to Device C. All ports between the devices and the Multicast Router
are mrouter ports. Device C’s mrouter port that links to Device B is blocked. If a topology
change occurs and the link between Device C and Device A goes down, the Device C’s
blocked port transitions into Forwarding state.
4. If you configure IGMP Fast Recovery on Device C, the device reacts to the topology change
by sending an IGMP General Query to all its non-mrouter ports.
Page 13
5. The client(s) respond to the General IGMP Query with an IGMP report.
6. Device C forwards the IGMP report to its mrouter ports and the report is then sent to the
Multicast Router through Device B and Device D.
7. Client(s) traffic connected to Device C is transmitted through Device B instead of Device A,
as shown on the figure below.
Figure 7: Spanning Tree IGMP Fast Recovery Configuration
Page 14
STP Default Configuration

Table 3: STP Default Configuration
Spanning Tree Protocol Disabled

STP bridge priority 32768
STP hello-time 2 seconds
STP forward-delay timer 15 seconds
STP MaxAge timer 20 seconds
Line error detection Disabled
STP path cost 10
STP port priority 128
STP topology change detection Enabled
Debug STP Disabled
Page 15
STP Configuration Flow

Start
Enable STP
Is this bridge the Yes

root?
Change the priority to the

No lowest in the network
Set the STP Timers (hello-timer, MaxAge, forward-delay)
Define the ports path cost
Disable TC detection on loop-free ports (Optional)
Optional STP Configuration
End
Figure 8: STP Configuration Flow
Page 16
STP Configuration Commands

The STP default values are sufficient for obtaining a loop-free redundant network topology.
However, to enforce topology demands on the dynamically built topology, configure several
parameters before connecting the network.
Table 4: STP Configuration Commands
Command Description
spanning-tree Enables/disables the STP on the device (see

Enabling/Disabling STP)
spanning-tree Enables/disables the STP per port (see Enabling/Disabling
STP per Port)
spanning-tree priority Defines the STP bridge priority (see Defining the STP Bridge
Priority)
spanning-tree priority Defines the STP port priority (see Enabling/Disabling STP per
Port)
spanning-tree hello-time Defines the hello-time interval (see Defining the Hello-Time)
spanning-tree max-age Defines the Maximum Age timer (see Defining the Maximum
Aging Timer)
spanning-tree forward- Defines the forward-delay timer (see Defining the Forward-
delay Delay Timer)
spanning-tree path-cost Defines the STP port path cost (see Defining the Port Path
Cost)
Table 5: Optional STP Configuration Commands

Command Description
spanning-tree detect-tc Enables topology-change detection on the configured port

(see Enabling/Disabling STP Topology Change Detection)
spanning-tree line- Enables line-error detection (see Enabling/Disabling Line Error
error-detect Detection)
spanning-tree line- Causes the Root and Alternate ports to change roles in case
flapping-detect of flapping (see Enabling/Disabling Line Flapping Detection)
spanning-tree bpdu-rx Prevents an STP port from receiving BPDUs (see Setting the
BPDU Guard)
spanning-tree detect- Enables/disables the Loop Guard on a port (see
bpdu-loss Enabling/Disabling the Loop )
spanning-tree restrict- Enables/disables the selection of a port as the Root port (see
root Enabling/Disabling Root Restriction)
spanning-tree Specifies the MAC address used for BPDUs destination
destination address (see Configuring the BPDUs MAC Address)
spanning-tree defaults Restores a port’s STP parameters to their defaults (see
Restoring STP Port Parameters to Defaults)
spanning-tree igmp-fast- Configures the IGMP fast recovery feature (see Configuring
recovery
IGMP Fast Recovery)
Page 17
Table 6: STP Display Commands

Command Description
spanning-tree Displays the current STP configuration (see Displaying the

STP Configuration)
spanning-tree interface Displays the STP settings and topology per port or for all ports
(see Displaying the Ports’ STP Configuration)
spanning-tree all
show spanning-tree
show spanning-tree Displays the spanning tree topology for a specified port (see
interface Displaying the STP Topology for a Specific Port)
Table 7: STP Debugging Commands

Command Description
debug stp Enables the debugging STP information (see Enabling STP
Debug Information)
show debug stp Displays the STP debug status (see Displaying the STP
Debug Status)
Page 18
Enabling/Disabling STP
The spanning-tree command enables/disables STP on the device.

STP is disabled by default.
Command Syntax
device-name(cfg protocol)#spanning-tree [enable | disable]
device-name(cfg protocol)#no spanning-tree
enable (Optional) enables STP, the device becoming a node in the tree
disable (Optional) disables STP
Enabling/Disabling STP per Port

The spanning-tree command enables/disables STP per port. You can enable/disable STP per
port only if the feature is enabled on the device.
CLI Modes: Interface Configuration and Interface Range Configuration
By default, enabling STP on the device enables the feature on all ports. Disabling STP on the device
disables it on all ports.
Command Syntax
device-name(config-if UU/SS/PP)#spanning-tree [enable | disable | all]
device-name(config-if-group)#spanning-tree [enable | disable]
enable (Optional) enables STP on the specified port
disable (Optional) disables STP on the specified port
all (Optional) enables STP on all ports
Page 19
Defining the STP Bridge Priority

The spanning-tree priority command defines the STP bridge priority.

The default bridge priority is 32768.
Command Syntax
device-name(cfg protocol)#spanning-tree priority <bridge-priority>
device-name(cfg protocol)#no spanning-tree priority
bridge-priority The bridge priority, in the range of <0–65535>. The bridge with the highest
bridge priority (the lowest numerical priority value) is selected as Root
device
Defining the STP Priority per Port

The spanning-tree priority command defines the STP port priority. The STP port priority
represents the location of a port in the network topology and determines how well it is located for
forwarding traffic.
The default port priority is 128.
Command Syntax
device-name(config-if UU/SS/PP)#spanning-tree priority <priority>
device-name(config-if UU/SS/PP)#no spanning-tree priority
device-name(config-if-group)#spanning-tree priority <priority>

device-name(config-if-group)#no spanning-tree priority
priority The port STP priority, in the range of <0–240>. This value is a multiple of 16.
Assign lower values (higher priorities) to preferred ports.
If all the ports have the same priority value, STP selects the port with the lowest
number in Forwarding state and blocks other ports.
Page 20
Defining the Hello-Time

The spanning-tree hello-time command defines the interval between consecutive BPDUs the
device transmits.
Use this command when the device is the Root, or trying to become one.

The default hello-time is 2 seconds.
Command Syntax
device-name(cfg protocol)#spanning-tree hello-time <hello-time>
device-name(cfg protocol)#no spanning-tree hello-time
hello-time The interval between transmitting BPDUs, in the range of <1–9> seconds.
This value must be less than MaxAge/2-1 (refer to the Defining the Maximum
Aging Timer section).
no Configures the hello-time interval to its default value.
Defining the Maximum Aging Timer

The spanning-tree max-age command defines the interval the device waits for receiving a
BPDU before attempting a reconfiguration.

The default value is 20 seconds.
Command Syntax
device-name(cfg protocol)#spanning-tree max-age <max-age>
device-name(cfg protocol)#no spanning-tree max-age
max-age The maximum aging time, in the range of <6–28> seconds.
The MaxAge value must be greater than 2*(hello-time+1) and less than 2*(forward-
delay-1).
Page 21
Defining the Forward-Delay Timer

The spanning-tree forward-delay command defines the interval the device waits before
transitioning from Learning and Listening states to Forwarding state.

The default forward-delay value is 15 seconds.
NOTE
The forward-delay value must be greater than MaxAge/2+1.
Command Syntax
device-name(cfg protocol)#spanning-tree forward-delay <forward-delay>
device-name(cfg protocol)#no spanning-tree forward-delay
forward-delay The interval before transitioning from Listening and Learning states to
Forwarding State, in the range of <11–30> seconds.
This value must be greater than MaxAge/2+1.
When a topology change is underway and is detected, use this parameter to
age all dynamic entries in the Forwarding database.
Defining the Port Path Cost

The spanning-tree path-cost command defines the STP port path cost.

The default port path cost is 10.
Command Syntax
device-name(config-if UU/SS/PP)#spanning-tree path-cost <path-cost>
device-name(config-if UU/SS/PP)#no spanning-tree path-cost
device-name(config-if-group)#spanning-tree path-cost <path-cost>

device-name(config-if-group)#no spanning-tree path-cost
path-cost The path cost value, in the range of <1–200000000>.
Assign lower cost values to ports that you want to select first. If all ports have
the same cost value, STP selects the port with the lowest number in
Forwarding state and blocks other ports.
Page 22
Enabling/Disabling STP Topology Change Detection

The spanning-tree detect-tc command enables topology change detection on the configured
port.
Topology change detection is enabled by default.
Command Syntax
device-name(config-if UU/SS/PP)#spanning-tree detect-tc
device-name(config-if UU/SS/PP)#no spanning-tree detect-tc
device-name(config-if-group)#spanning-tree detect-tc
device-name(config-if-group)#no spanning-tree detect-tc
no Disables topology change detection on specified ports, preventing the switch from
detecting and propagating topology changes on the specified port/s.
Enabling/Disabling Line Error Detection

The spanning-tree line-error-detect command enables/disables line error detection. The
error level is considered critical when the CRC error rate exceeds 1% within a 3 seconds interval.

Line error detection is disabled by default.
Command Syntax
device-name(cfg protocol)#spanning-tree line-error-detect {enable | disable}
enable Enables line error detection
disable Disables line error detection
Page 23
Enabling/Disabling Line Flapping Detection

The spanning-tree line-flapping-detect command causes the Root and Alternate ports to
change roles in case of flapping (continued and uncontrolled link up and down event) on a physical
port.
Command Syntax
device-name(cfg protocol)#spanning-tree line-flapping-detect {enable | disable}
enable Enables line flapping detection
disable Disables line flapping detection
Setting the BPDU Guard

The spanning-tree bpdu-rx command defines the STP reaction when receiving a BPDU on the
specified port.
Command Syntax
device-name(config-if UU/SS/PP)#spanning-tree bpdu-rx {discard | disable-port
| standard}
device-name(config-if-group)#spanning-tree bpdu-rx {discard | disable-port |
standard}
discard The device drops received BPDUs (ignores the BPDU information)
disable-port Receiving a BPDU disables the port
standard BPDUs are processed according to standard STP mechanisms (default)
Page 24
Enabling/Disabling the Loop Guard per Port

The spanning-tree detect-bpdu-loss command enables/disables the Loop Guard on a
specific port.
The Loop Guard is disabled by default.
Command Syntax
device-name(config-if UU/SS/PP)#spanning-tree detect-bpdu-loss {enable |
disable}
device-name(config-if-group)#spanning-tree detect-bpdu-loss {enable | disable}
enable Enables BPDU loss detection (Loop Guard is disabled).
disable Disables BPDU loss detection (Enables Loop Guard on the port).
This parameter does not change the port’s state, if the port is not a
Designated port, even if the port stops receiving BPDUs from its peer port.
Disables Loop Guard on the specified port: the port state does not change,
even if stops receiving BPDUs.
Enabling/Disabling Root Restriction

The spanning-tree restrict-root command enables/disables selecting a port as the Root port.

Root restriction is disabled by default.
Command Syntax
device-name(config-if UU/SS/PP)#spanning-tree restrict-root {enable |
disable}
device-name(config-if-group)#spanning-tree restrict-root {enable | disable}
enable Enables root restriction on the specified port (the port is not selected as Root
port)
disable Disables root restriction
Page 25
Configuring the BPDUs MAC Address

The spanning-tree destination command specifies the MAC address used for BPDUs
destination address.
This command configures STP to send BPDUs to destination MAC address 01:80:C2:00:00:08.

The default value is customer, when BPDUs are sent to destination MAC address
01:80:C2:00:00:00.
Command Syntax
device-name(cfg protocol)#spanning-tree destination {customer | provider}
customer Customer mode 802.1D compliant
provider Provider mode 802.1ad compliant
Restoring STP Port Parameters to Defaults

The spanning-tree defaults command restores the port’s STP parameters to default values.
Command Syntax
device-name(config-if UU/SS/PP)#spanning-tree defaults
device-name(config-if-group)#spanning-tree defaults
Configuring IGMP Fast Recovery

The spanning-tree igmp-fast-recovery command configures the IGMP fast recovery feature
on the device.
Command Syntax
device-name(cfg protocol)#spanning-tree igmp-fast-recovery {enable | disable |
vlan VLAN-LIST ports PORT-LIST}
device-name(cfg protocol)#no spanning-tree igmp-fast-recovery vlan VLAN-LIST
ports PORT-LIST
Page 26
enable Globally enables the fast recovery
disable Globally disables the fast recovery
Disabled
vlan VLAN-LIST A list of VLAN IDs, in the range of <1–4094>, in the below format:
• Several VLAN numbers and/or ranges, separated by commas (for
example: 2,4,8–32)
ports PORT-LIST Specifies one or more port numbers. Use commas as separators and
hyphens to indicate sub-ranges (for example: 1/1/1, 1/2/1–1/2/8)
no Disables the fast recovery on specified VLAN and port lists.
Displaying the STP Configuration

The spanning-tree command displays the current STP configuration.
NOTE
You can also display the current STP configuration using the show spanning-tree
command.
Command Syntax
device-name(cfg protocol)#spanning-tree
Example
device-name(cfg protocol)#spanning-tree
Spanning tree enabled
ProtocolSpecification = ieee8021d
Priority = 32768
TopChanges = 3
MaxAge = 20 (Sec)
HelloTime = 2 (Sec)
HoldTime = 1 (Sec)
Page 27
Table 8: The Parameters Displayed by the STP show Commands

Spanning tree The STP global state

ProtocolSpecification The protocol standard
Priority The bridge priority
TimeSinceTopologyChange The time since the last topology change, in seconds
TopChanges The number of times the topology change flag parameter for
the bridge was set the last time the device was turned on
DesignatedRoot The Root’s unique bridge identifier. This value is used in all
Configuration BPDUs transmitted by the bridge.
MaxAge The configured maximum-aging timer, in seconds
HelloTime The configured hello timer, in seconds
ForwardDelay The configured forward-delay timer, in seconds
HoldTime The minimum interval between Configuration BPDUs
transmission through a given LAN port (this parameter is fixed
to 1 second)
BridgeMaxAge The maximum-aging timer when the bridge is the Root or is
attempting to become the Root, in seconds
BridgeHelloTime The hello timer when the bridge is the Root or is attempting to
become the Root, in seconds
BridgeForwardDelay The forward-delay timer when the bridge is the Root or is
attempting to become the Root, in seconds
DetectLineCRCReconfig Indicates whether line error detection is enabled or not
DetectLineFlapping Indicates whether link flapping is enabled or not
SpanIgmpFastRecovery Indicates whether IGMP fast recovery is enabled or disabled
Displaying the Ports’ STP Configuration

The spanning-tree interface command displays the STP settings for a specified port. This
command also enters the Interface Configuration mode.

The spanning-tree all command displays the STP topology for all ports.
The show spanning-tree command displays the STP settings and the STP topology for all ports.
Page 28
Command Syntax
device-name(cfg protocol)#spanning-tree interface UU/SS/PP
device-name(cfg protocol)#spanning-tree interface all
device-name(config-if UU/SS/PP)#spanning-tree all
device-name#show spanning-tree
UU/SS/PP The port number, in a unit, slot, and port number format
all Displays the STP settings for all ports
Example 1
Display the STP settings for port 1/1/1:
device-name(cfg protocol)#spanning-tree interface 1/1/1
PortPriority = 128
PortState = disabled
PortEnable = disabled
PortPathCost = 10
DesignatedRoot = 08192.00:A0:12:00:00:03
DesignatedCost = 19
DesignatedBridge = 32768.00:A0:12:11:29:82
DesignatedPort = 128.1
FrwrdTransitions = 0
TopChangeDetection = Enabled
Example 2
Display the STP topology for all ports:
device-name(cfg protocol)#spanning-tree interface all
========================================================================
Port |Pri|State|PCost| DCost |Designated bridge |DPrt |FwrdT|DtctTc
--------+---+-----+-----+-------+------------------+------+-----+-------
01/02/01 128 listn 19 19 32768.00A012000003 128.01 2 Disabled
01/02/02 128 block 19 0 32768.000002030405 128.63 0 Enabled
01/02/03 128 listn 19 0 32768.000002030405 128.62 2 Enabled
Page 29
Example 3
Display the STP settings and topology for all ports:
device-name#show spanning-tree
Priority = 32768
TopChanges = 0
MaxAge = 20 (Sec)
HelloTime = 2 (Sec)
HoldTime = 1 (Sec)
Port |Pri|State|PCost | DCost |Designated bridge |DPrt |FwrdT|DtctTc
--------+---+-----+------+-------------+------------------+------+-----+--------
01/02/01 128 listn 19 19 32768.00A012000003 128.02 2 Disabled
01/02/02 128 block 19 0 32768.000002030405 128.03 0 Enabled
01/02/03 128 listn 19 0 32768.000002030405 128.04 2 Enabled
Table 9: Parameters Displayed by the spanning-tree interface command

PortPriority The port priority

PortState The port state
PortEnable Displays whether the port is enabled or disabled
PortPathCost The STP port path cost
DesignatedRoot The unique Root bridge identifier, in the root identifier parameter of
Configuration BPDUs transmitted by the designated bridge of the
LAN to which the port is attached.
Use this parameter to test the root identifier parameter value
conveyed in received Configuration BPDUs.
DesignatedCost The designated port’s path cost (equal to the root path cost of the
bridge), offered to the LAN to which the port is attached.
Otherwise, this is the path cost to the root offered by the
designated port on the LAN to which this port is attached.
Use this parameter to test the value of the root path-cost
parameter conveyed in received Configuration BPDUs.
Page 30
DesignatedBridge The unique bridge identifier of one of the following:

• in the case of a designated port, the bridge the port belongs
to
• the designated bridge of the LAN to which this port is
attached
Use this parameter:
• together with the designated port and port identifier
parameters to test if this port is the designated port for the
LAN to which it is attached
• to test the value of the bridge identifier parameter conveyed
in received configuration BPDUs
DesignatedPort The designated bridge-port identifier, through which the bridge
transmits the configuration message-information stored by this
port.
Use this parameter:
• together with the designated bridge and port identifier
parameters to test if this port is the designated port for the
LAN to which it is attached
• by management to determine the topology of the bridged LAN
FrwrdTransitions The number time the port transitioned into Forwarding state.
TopChangeDetection Indicates whether topology-changes detection is enabled or not.
Table 10: Parameters Displayed by the spanning-tree all and spanning-tree

interface all commands
Port The port’s unit/slot/port

Pri Refer to PortPriority in the above table
State Refer to PortState in the above table
PCost Refer to PortPathCost in the above table
DCost Refer to DesignatedCost in the above table
Designated bridge Refer to DesignatedBridge in the above table
DPrt Refer to DesignatedPort in the above table
FwrdT Refer to FrwrdTransitions in the above table
DtctTc Refer to TopChangeDetection in the above table
Page 31
Displaying the STP Topology for a Specific Port

The show spanning-tree interface command displays the STP topology for the specified port.

Table 9 describes the parameters displayed by this command.
Command Syntax
device-name#show spanning-tree interface UU/SS/PP
Example 1
Display the STP topology when the bridge is not the root bridge:
device-name#show spanning-tree interface 1/1/1
PortPriority = 128
PortPathCost = 10
DesignatedCost = 19
DesignatedBridge = 32768.00:A0:12:11:29:82
Example 2
Display the STP topology when the bridge is the root bridge:
device-name#show spanning-tree interface 1/1/1
PortPriority = 128
PortPathCost = 10
DesignatedCost = 0
DesignatedBridge = This bridge
Page 32
Enabling STP Debug Information

The debug stp command enables the STP debug information.
This command is not saved after a device reload.

Debugging is disabled by default.
Command Syntax
device-name#debug stp {all | flush | tc | tcn}
device-name#no debug stp {all | flush | tc | tcn}
all Activates all STP debug options
flush Activates MAC address table flush debugging
tc Activates debugging when the device receives or transmits BPDUs with topology
changes
tcn Activates debugging when the device receives TCNs or transmits BPDUs with
topology change acknowledgment
no Disables the debug information display
Displaying the STP Debug Status

The show debug stp command displays the STP debug status.
Command Syntax
device-name#show debug stp
Example
device-name#show debug stp
STP debugging status:
STP debug TNC is on
STP debug flush is on
STP debug TC is on
Page 33
STP Configuration Example

The following figure is a configuration example using STP.
Figure 9: Spanning Tree Configuration Example
Configuring Device A:
1. Enable STP:
DeviceA#configure terminal
DeviceA(config)#protocol
DeviceA(cfg protocol)#spanning-tree enable
2. Set the STP bridge priority to 4096, to make Device A the Bridge Root.
DeviceA(cfg protocol)#spanning-tree priority 4096
3. Set the STP MaxAge timer to 10. Calculate the timer according to the following formula:
Max_age = (4 x hello) + (2 x dia) - 2, when the hello-time is 2 and the diameter is 2 (based on
the figure above):
DeviceA(cfg protocol)#spanning-tree max-age 10
Page 34
4. Set the STP forward-delay timer to 7. Calculate this timer according to the following formula:
Forward_delay = ((4 x hello) + (3 x dia)) / 2, when the hello-time is 2 and the diameter is 2
(based on the figure above):
DeviceA(cfg protocol)#spanning-tree forward-delay 7
Configuring Device B:
1. Enable STP:
DeviceB#configure terminal
DeviceB(config)#protocol
DeviceB(cfg protocol)#spanning-tree enable
2. Set port 1/2/1 with path cost 1:

DeviceB(config)#interface 1/2/1
DeviceB(config-if 1/2/1)#spanning-tree path-cost 1
Configuring Device C:
Enable STP:
DeviceC(config)#protocol
DeviceC(cfg protocol)#spanning-tree enable
Configuring Device D:
1. Enable STP:
DeviceD#configure terminal
DeviceD(config)#protocol
DeviceD(cfg protocol)#spanning-tree enable
DeviceD(cfg protocol)#exit

DeviceD(config)#interface 1/2/1
DeviceD(config-if 1/2/1)#spanning-tree path-cost 4
3. Disable topology change detection on ports 1/2/3 and 1/2/4 (these ports are attached to
PCs):
DeviceD(config-if 1/2/1)#interface 1/2/3
DeviceD(config-if 1/2/3)#no spanning-tree detect-tc
DeviceD(config-if 1/2/4)#no spanning-tree detect-tc
DeviceD(config-if 1/2/4)#end
Page 35
Configuring Device E:
1. Enable STP:
DeviceE#configure terminal
DeviceE(config)#protocol
DeviceE(cfg protocol)#spanning-tree enable
DeviceE(cfg protocol)#exit
2. Disable topology change detection on ports 1/2/3 and 1/2/4 (these ports are attached to
PCs):
DeviceE(config)#interface 1/2/3
DeviceE(config-if 1/2/3)#no spanning-tree detect-tc
DeviceE(config-if 1/2/3)#interface 1/2/4
DeviceE(config-if 1/2/4)#no spanning-tree detect-tc
DeviceE(config-if 1/2/4)#end
Displaying Device D Configuration:

DeviceD#show spanning-tree
Priority = 32768
TopChanges = 4
DesignatedRoot = 04096.00:A0:12:27:00:C0
RootPort = 1/2/1
RootCost = 8
MaxAge = 10 (Sec)
HelloTime = 2 (Sec)
HoldTime = 1 (Sec)
===============================================================================
Port |Pri|State|PCost |DCost |Designated bridge |DPrt |FwrdT|DtctTc
--------+---+-----+---------+---------+------------------+------+-----+--------
01/01/01 128 frwrd 4 8 32768.00A012271420 128.01 1 Enabled
01/02/01 128 frwrd 4 4 32768.00A012270080 128.03 1 Enabled
01/02/02 128 block 19 4 32768.00A012270080 128.04 1 Enabled
01/02/03 128 frwrd 19 8 32768.00A012010101 128.05 1 Disabled
01/02/04 128 frwrd 19 8 32768.00A012010101 128.06 1 Disabled
Page 36
Displaying Device E Configuration:

DeviceE#show spanning-tree
Priority = 32768
TopChanges = 2
RootPort = 1/1/1
RootCost = 12
MaxAge = 10 (Sec)
HelloTime = 2 (Sec)
HoldTime = 1 (Sec)
===============================================================================
Port |Pri|State|PCost |DCost |Designated bridge |DPrt |FwrdT|DtctTc
--------+---+-----+---------+---------+------------------+------+-----+--------
01/01/01 128 frwrd 4 8 32768.00A012271420 128.01 2 Enabled
01/02/02 128 block 19 1 32768.00A012271240 128.01 2 Enabled
01/02/03 128 frwrd 19 38 32768.00A012270120 128.03 1 Disabled
01/02/04 128 frwrd 19 38 32768.00A012270120 128.04 1 Disabled
Page 37
Supported Platforms
Spanning Tree Protocol (STP) + +

Spanning Tree Protocol (STP) IEEE 802.1d-1998 Public MIBs: RFC 1493,
• bridge.mib Definitions of
Managed Objects for
• rstp.mib Bridges
Private MIB, RFC 2863, Interfaces
prvt_switch.mib Group MIB
(configL2IfaceTable)
Page 38
Configuring Rapid Spanning Tree Protocol
(RSTP)
Table of Figures ······················································································ 3
Architecture ··························································································· 4
RSTP Port States ················································································· 4
RSTP Port Roles·················································································· 5
Rapid Recovery and Convergence ······························································ 6
Determining the Port Link-Type································································ 7
Synchronization of Port Roles··································································· 7
RSTP BPDU Format and Processing··························································· 8
Line Error Detection ············································································· 9
IGMP Fast Recovery ················································································ 9
RSTP Default Configuration······································································10
RSTP Configuration Flow ········································································· 11
RSTP Configuration Commands·································································12

Enabling/Disabling RSTP on the Device ·····················································14
Enabling/Disabling RSTP per Port····························································15
Defining the RSTP Bridge Priority·····························································15
Defining the RSTP Priority per Port···························································16
Defining the RSTP Hello-Time ································································17
Defining the RSTP Maximum Aging Timer ··················································17
Defining the RSTP Forward-Delay Timer ····················································18
Defining Edge Port(s) ···········································································18
Defining the RSTP Port Path Cost ····························································20
Defining the Link-Type ·········································································21
Forcing a Port to Work with RSTP ····························································22
Restoring the RSTP Port Parameters to Defaults ············································23
Displaying the RSTP Configuration ···························································23
Displaying the RSTP Port Configuration······················································25
Displaying the RSTP for a Specific Port·······················································28
Page 1
Configuring Rapid Spanning Tree Protocol (RSTP) (Rev. 04)
Displaying the RSTP Configuration and Topology for All Ports ···························29
Enabling RSTP Debug Information ···························································30
Displaying the RSTP Debug Status ····························································31
RSTP Configuration Example····································································32
Page 2
Table of Figures
Figure 1: Proposal and Agreement Handshaking for Rapid Convergence ·················· 6
Figure 2: Sequence of Events during Rapid Convergence ···································· 8
Figure 3: RSTP BPDU Flags ···································································· 8
Figure 4: RSTP Configuration Flow ···························································11
Figure 5: Point-to-point MAC··································································21
Figure 6: Rapid Spanning Tree Configuration Example ·····································32
Page 3
Overview
Rapid Spanning Tree Protocol (RSTP) is an evolution of STP providing faster convergence (less
than one second) upon a network topology change. This is critical in networks that carry voice,
video, and other delay-sensitive traffic.
The RSTP algorithm dynamically creates a tree through the network, used to efficiently direct
packets to their destinations. It reduces the bridged network to a single spanning tree topology in
order to eliminate packet loops (multiple paths linking one device to another, resulting in an infinite
loop situation).
The RSTP algorithm reactivates redundant connections in the event of a link or device failure.
Architecture
RSTP distinguishes between the port state and the port role:
• The port state describes the relationship of that port to the frame processing (filtering and
forwarding) and learning functions.
• The port role describes the role of the port in the spanning tree function.
RSTP Port States

There are three RSTP port states (as oppose to five STP states):
Table 1: RSTP Port States
Port State Description
Learning As in STP, the port prepares to participate in frame-forwarding. It learns

source addresses from frames received and adds them to the filtering
database.
From this state the port can enter a Forwarding state.
Forwarding As in STP, the port enters this state from the Learning state. The device
processes BPDUs and waits for possible new information that may cause
it to switch to the Discarding state to prevent a loop.
A port in Forwarding state:
• Receives and forwards frames
• Forwards frames switched from another port
• Learns MAC addresses
• Receives BPDUs
From this state, the port can only switch to Discarding state.
Discarding STP states Disabled, Blocking, and Listening are merged into this state.
This state describes a port that does not forward user traffic in either
direction. The port discards received frames and no learning occurs. As a
result, there are no entries in the filtering database pointing to this port and
no traffic is forwarded across it.
Page 4
RSTP Port Roles

In order to create a loop-free environment and to provide rapid convergence, RSTP selects the
device with the highest priority as the root bridge, assigns port roles, and determines the active
topology.
RSTP assigns a role to each bridge port throughout the bridged LAN:
Table 2: RSTP Port Role Assignments
Port Role Description
Root port Provides the best path (lowest cost) for packets forwarded from a device
to the root device.
A Root port is in Forwarding state.
Designated port Connects to the designated device that provides the best path for packets
forwarded from that LAN to the root device.
A Designated port is in Forwarding state.
Alternate port Offers an alternative path to the one provided by the current Root port.
Alternate ports are in Discarding state.
This role is equivalent to the STP Blocking state.
Backup port Acts as a backup for the path provided by a Designated port in the
direction of the spanning tree leaves (end nodes).
A Backup port exists only when two ports are connected together in a
loopback by a point-to-point link or when a device has two or more
connections to a shared LAN segment.
Backup ports are in Discarding state.
This role is equivalent to the STP Blocking state.
Disabled port Disabled ports do not participate in frame forwarding and are not
operational. These ports:
• discard frames
• discard frames switched from another port for forwarding
• do not learn MAC addresses
• do not receive BPDUs
Page 5
Rapid Recovery and Convergence

Edge ports, new Root ports, and ports connected through point-to-point links converge rapidly
upon a link failure.
Table 3: The RSTP Rapid Convergence
Port Type Description
Edge ports Edge ports are configured by users on RSTP enables devices. Once
configured, these ports immediately transit to Forwarding state.
NOTE
You should configure Edge ports only on ports
connected to end devices (such as hosts and printers).
Root ports When RSTP selects a new Root port, it blocks the old Root port and
immediately transitions the new Root port to Forwarding state.
Point-to-point links Point-to-point links are links directly connecting two devices.
When you connect two devices using a point-to-point link the
Designated port negotiates rapid transition with the remote port by using
the proposal-agreement handshake to ensure a loop-free topology.
The figure below shows a rapid convergence example. In this example, Devices A and B are
connected through a point-to-point link and all the ports are in blocking state. Assume that Device
A’s priority is higher than Device B’s.
The proposal-agreement handshaking proceeds as follows:
1. Device A proposes itself as the designated device by sending a proposal message (a
configuration BPDU with the proposal flag set).
2. Device B reacts to Device A’s proposal message as follows:
1.1. It assigns the port on which the proposal message was received as its new Root port.
1.2. It forces all non-edge ports to Discarding state to avoid loops.
1.3. It sends an agreement message to Device A (a BPDU with the agreement flag set)
through its new Root port.
Figure 1: Proposal and Agreement Handshaking for Rapid Convergence
Page 6
3. Device A immediately transitions its Designated port to Forwarding state.

4. The same handshaking process is repeated for each device that joins the active topology,
progressing from the root toward the leaves of the spanning tree as the network converges.
Determining the Port Link-Type

RSTP can implement a rapid transition only on point-to-point links. The link type is automatically
derived from the port’s duplex mode:
• A port operating in full-duplex mode is assumed to be point-to-point
• A port operating in half-duplex mode is considered as a shared port by default.
You can override this automatic link-type setting by explicit configuration.
Today in most switched networks most links operate in full-duplex mode and are treated as point-
to-point links by RSTP. This makes them candidates for rapid transition to Forwarding state.
You can override the default setting that is determined by the duplex mode by using the rapid-
spanning-tree link-type command.
Synchronization of Port Roles

Upon receiving a proposal message for best path to the root through a port, the RSTP selects that
port as the new Root port and forces all other ports to synchronize with the new root information.
An individual port on the device is synchronized if:
• the port is in Discarding state
• it is an edge port
If a Designated port is in Forwarding state and is not configured as an edge port, it transitions to
Discarding state when RSTP forces it to synchronize with new root information. When RSTP
forces a port to synchronize with root information and the port does not satisfy any of the above
conditions, it transitions to Discarding state.
After synchronizing all ports, the device sends an agreement message to the designated device
corresponding to its Root port. At this point RSTP immediately transitions the port states to
Forwarding.
Page 7
The sequence of events is displayed in the figure below:
Figure 2: Sequence of Events during Rapid Convergence
RSTP BPDU Format and Processing

The RSTP BPDU has the same format as the STP BPDU except for the protocol version that is
set to 2.
Figure 3: RSTP BPDU Flags
The sending device proposes itself to be the designated device by setting:

• the Proposal flag (bit 1)
• the Port Role flag (bits 2-3) to Designated port
The receiving device accepts the proposal by setting:
• the Agreement flag (bit 6)
• the Port role flag to Root port
Page 8
RSTP uses the Topology Change (TC) flag to indicate topology changes. Unlike STP, the RSTP
does not have a separate topology change notification (TCN) BPDU. However, for interoperability
with STP devices, the RSTP device processes and generates TCN BPDUs.
The Learning and Forwarding flags (bits 4 and 5) are determined according to the sending port
state.
Line Error Detection

This feature is the same as in STP. For more information, refer to the Line Error Detection section of
Configuring Spanning Tree Protocol (STP) chapter of this User Guide.
IGMP Fast Recovery

This feature is the same as in STP. For more information, refer to the Internet Group Multicast Protocol
(IGMP) Fast Recovery section of the Configuring Spanning Tree Protocol (STP) chapter of this User Guide.
Page 9
RSTP Default Configuration

Table 4: RSTP Default Configuration
Rapid Spanning Tree Protocol Disabled

RSTP bridge priority 32768
RSTP hello-time 2 seconds
RSTP forward-delay 15 seconds
RSTP MaxAge time 20 seconds
RSTP edge port Disabled
RSTP link-type Auto
RSTP port path cost See
Table 5
RSTP port priority 128
RSTP debug Disabled
Table 5: Path Cost Default Configuration (IEEE802.1s)
Link Speed Recommended Value Recommended Range Range
<=100 Kbps 200,000,000 20,000,000–200,000,000 1–200,000,000

1 Mbps 20,000,000 2,000,000–20,000,000 1–200,000,000
10 Mbps 2,000,000 200,000–2,000,000 1–200,000,000
100 Mbps 200,000 20,000–200,000 1–200,000,000
1 Gbps 20,000 2,000–200,000 1–200,000,000
10 Gbps 2,000 200–20,000 1–200,000,000
100 Gbps 200 20–2,000 1–200,000,000
1 Tbps 20 2–200 1–200,000,000
10 Tbps 2 1–20 1–200,000,000
Page 10
RSTP Configuration Flow
Start
Enable RSTP
No Is the bridge selected Yes

as root?
Change the priority to be

the lowest in the network
Set the RSTP Timers (hello-time, MaxAge, forward-

delay)
Set the loop free ports as edge ports
Change the path cost of ports to customize the topology
Optional RSTP Configuration
End
Figure 4: RSTP Configuration Flow
Page 11
RSTP Configuration Commands

Normally, the RSTP default parameter values are sufficient for obtaining a loop free redundant
network topology. However, to enforce topology demands on the dynamically built topology,
configure several parameters before connecting the network.
Table 6: RSTP Global Configuration Commands

Command Description
rapid-spanning-tree Enables/disables the RSTP option (see

Enabling/Disabling RSTP on the Device)
rapid-spanning-tree Enables/disables the Rapid Spanning Tree Protocol per
port (see Defining the RSTP Priority per Port)
rapid-spanning-tree priority Assigns the RSTP bridge priority value (see Defining the
RSTP Priority)
rapid-spanning-tree priority Sets the RSTP priority for the configured port (see
Defining the RSTP Priority per Port)
rapid-spanning-tree Sets the time interval, in seconds, between BPDU
hello-time transmissions from the ports of this device (see Defining
the RSTP Hello-Time)
rapid-spanning-tree max-age Sets the time, in seconds, that learned Rapid Spanning
Tree information is kept before being discarded (see
Defining the RSTP Maximum Aging Timer)
rapid-spanning-tree Sets the time duration in Listening and Learning states
forward-delay that precede the Forwarding state, in seconds (see
Defining the RSTP Forward-Delay Timer)
rapid-spanning-tree edge-port Changes the port’s admin status (see Defining Edge
Port(s))
rapid-spanning-tree path-cost Sets the RSTP port path cost for the configured port
(see
Defining the RSTP Port Path Cost)
Page 12
Table 7: Optional RSTP Configuration Commands

Command Description
rapid-spanning-tree link-type Sets the RSTP port’s administrative link-type (see

Defining the Link-Type)
rapid-spanning-tree detect- Forces the port to work using the RSTP instead of the
protocols STP (see Forcing a Port to Work with RSTP)
rapid-spanning-tree defaults Restores the RSTP parameters to their defaults for the
configured port (see
Restoring the RSTP Port Parameters to Defaults)
Table 8: RSTP Display Commands

Command Description
rapid-spanning-tree Displays the current RSTP parameter configuration (see

Enabling/Disabling RSTP on the Device)
rapid-spanning-tree interface Displays the RSTP settings for a specified port or for all
and ports (see Displaying the RSTP Port Configuration)
rapid-spanning-tree all
show rapid-spanning-tree Displays the RSTP topology for the specified port (see
interface Displaying the RSTP for a Specific Port)
show rapid-spanning-tree Displays the current RSTP parameters settings and the
RSTP topology for all ports (see Displaying the RSTP
Configuration and Topology for All Ports)
Table 9: RSTP Debugging Commands

Command Description
debug rstp Enables and displays RSTP-related debug information

(see Enabling RSTP Debug Information)
show debug rstp Displays the status of Rapid Spanning Tree protocol
(RSTP) debugging (see Displaying the RSTP Debug
Status)
Page 13
Enabling/Disabling RSTP on the Device

The rapid-spanning-tree command enables/disables the RSTP. Using this command without
any argument displays the RSTP configuration.

By default, RSTP is disabled.
Command Syntax
device-name(cfg protocol)#rapid-spanning-tree [enable | disable]
device-name(cfg protocol)#no rapid-spanning-tree
enable (Optional) enables RSTP. When enabling RSTP, the device acts as a node in
the tree.
disable (Optional) disables RSTP.
no Removes the RSTP configuration.
Example 1
device-name(cfg protocol)#rapid-spanning-tree
% Rstp is disabled
device-name(cfg protocol)#rapid-spanning-tree enable
Example 2
Priority = 32768
TopChanges = 4
MaxAge = 20 (Sec)
HelloTime = 2 (Sec)
TxHoldCount = 3
Page 14
Enabling/Disabling RSTP per Port

The rapid-spanning-tree command enables/disables the Rapid Spanning Tree Protocol per
port.
Using this command without any argument displays the RSTP configuration.
CLI Mode: Interface Configuration, Interface Range Configuration, LAG Configuration, and
LAG Range Configuration
NOTE
You can enable/disable RSTP per port only if RSTP is enabled globally.
By default, when enabling RSTP in Protocol Configuration mode, it is enabled on all ports and
when disabling RSTP in Protocol Configuration mode, it is disabled on all ports.
Command Syntax
device-name(config-if UU/SS/PP)#rapid-spanning-tree [enable | disable | all]
device-name(config-if-group)#rapid-spanning-tree [enable | disable]
device-name(config-ag-group)#rapid-spanning-tree [enable | disable]
device-name(config-if AG0N)#rapid-spanning-tree [enable | disable]
enable (Optional) enables RSTP on the specified port.
disable (Optional) disables RSTP on the specified port.
all (Optional) displays RSTP on all ports.
Defining the RSTP Bridge Priority

The rapid-spanning-tree priority command defines the RSTP bridge priority value. Using
this command without any argument displays the configured bridge priority.

By default, the RSTP priority value is 32768 (IEEE802.1w).
Command Syntax
device-name(cfg protocol)#rapid-spanning-tree priority [<bridge-priority>]
device-name(cfg protocol)#no rapid-spanning-tree priority
Page 15
bridge- (Optional) specifies the RSTP bridge priority in increments of 4096.
priority
The valid priority values are: 0, 4096, 8192, 12288, 16384, 20480, 24576,
28672, 32768, 36864, 40960, 45056, 49152, 53248, 57344, and 61440.
Example
device-name(cfg protocol)#rapid-spanning-tree priority
Rapid-spanning-tree bridge priority is 32768
Defining the RSTP Priority per Port

The rapid-spanning-tree priority command defines the port’s RSTP priority.
By default, the priority value is 128.
Command Syntax
device-name(config-if UU/SS/PP)#rapid-spanning-tree priority <priority>
device-name(config-if UU/SS/PP)#no rapid-spanning-tree priority
device-name(config-if-group)#rapid-spanning-tree priority <priority>

device-name(config-if-group)#no rapid-spanning-tree priority
device-name(config-ag-group)#rapid-spanning-tree priority <priority>

device-name(config-ag-group)#no rapid-spanning-tree priority
device-name(config-if AG0N)#rapid-spanning-tree priority <priority>

device-name(config-if AG0N)#no rapid-spanning-tree priority
priority Specifies the RSTP priority value in the range of 0 (highest priority) to 240
(lowest priority) in increments of 16.
Assign high-priority values (low numerical values) to ports that you want to
select first and low-priority values to ports that you want to select last.
If all ports that connect to the root-bridge’s redundant paths have the same
priority, RSTP puts the port with the lowest port number in Forwarding state
and blocks all other ports.
Page 16
Defining the RSTP Hello-Time

The rapid-spanning-tree hello-time command sets the time interval between BPDU
transmissions by the root, indicating that the device is alive.

By default, the hello-time value is 2 seconds and its range depends on the MaxAge value (between 1
and 9 seconds).
Command Syntax
device-name(cfg protocol)#rapid-spanning-tree hello-time <hello-time>
device-name(cfg protocol)#no rapid-spanning-tree hello-time
hello-time The hello-time interval in the range of <1–9> seconds.
NOTE
Define a value that is less than MaxAge/2-1 (see below command)
Defining the RSTP Maximum Aging Timer

The rapid-spanning-tree max-age command defines the time that learned RSTP information is
kept before being discarded.

By default, the MaxAge value is 20 seconds, and its range depends on the hello-time and forward-
delay values (between 6 and 28 seconds).
Command Syntax
device-name(cfg protocol)#rapid-spanning-tree max-age <max-age>
device-name(cfg protocol)#no rapid-spanning-tree max-age
max-age The MaxAge time in the range of <4–60> seconds.
NOTE
The value must be greater than 2*(hello-time+1) and less
than 2*(forward-delay-1).
Page 17
Defining the RSTP Forward-Delay Timer

The rapid-spanning-tree forward-delay command defines the time duration for the listening
and learning states that precede Forwarding state. In addition this timer is used when aging the
dynamic Forwarding database entries when a topology change is detected

By default, the forward-delay value is 15 seconds, and its range depends on the MaxAge value
(between 11 and 30 seconds).
Command Syntax
device-name(cfg protocol)#rapid-spanning-tree forward-delay <forward-delay>
device-name(cfg protocol)#no rapid-spanning-tree forward-delay
forward-delay The forward-delay time, in the range of <4–60> seconds).
NOTE
The value must be greater than MaxAge/2+1.
Defining Edge Port(s)

The rapid-spanning-tree edge-port command changes the port’s administrative status, setting
it as an Edge Port.
NOTES
If the device receives a BPDU on a port configured as an edge port, the port
automatically changes its operational state to operate as a non-Edge Port. After a
link up/down, the port returns to the Edge port administrative status.
By default, the Admin status is disabled.
Page 18
The EdgePort parameter is controlled by the RSTP state machine and CLI:
Table 10: RSTP Edge Port
Type Description
Admin Configuring a port as an Edge port is known as Administrative Edge Port. This
EdgePort indicates that the port is permitted to transition directly to Forwarding state when
it becomes designated.
Configure Edge ports on ports that are known to be at the edge of the bridged
LAN in order to transition to Forwarding without delay.
EdgePort The port’s actual status is known as its operational state. This indicates whether
the port operates as an Edge Port or not.
When a port that was configured as Administrative Edge Port receives a BPDU,
it automatically changes its operational state to operate as a non-Edge Port, in
order to prevent loops in the network.
Therefore, if a port marked as an edge port proves not to be one (due to the
presence of another bridge), it ceases to behave like an edge port until it is
reinitialized (either by a link up/down event or by reissuing the CLI command).
Command Syntax
device-name(config-if UU/SS/PP)#rapid-spanning-tree edge-port
device-name(config-if UU/SS/PP)#no rapid-spanning-tree edge-port
device-name(config-if-group)#rapid-spanning-tree edge-port
device-name(config-if-group)#no rapid-spanning-tree edge-port
device-name(config-ag-group)#rapid-spanning-tree edge-port
device-name(config-ag-group)#no rapid-spanning-tree edge-port
device-name(config-if AG0N)#rapid-spanning-tree edge-port

device-name(config-if AG0N)#no rapid-spanning-tree edge-port
Page 19
Defining the RSTP Port Path Cost

The rapid-spanning-tree path-cost command defines the RSTP path cost for the configured
port.
Command Syntax
device-name(config-if UU/SS/PP)#rapid-spanning-tree path-cost <path-cost>
device-name(config-if UU/SS/PP)#no rapid-spanning-tree path-cost
device-name(config-if-group)#rapid-spanning-tree path-cost <path-cost>

device-name(config-if-group)#no rapid-spanning-tree path-cost
device-name(config-ag-group)#rapid-spanning-tree path-cost <path-cost>

device-name(config-ag-group)#no rapid-spanning-tree path-cost
device-name(config-if AG0N)#rapid-spanning-tree path-cost <path-cost>

device-name(config-if AG0N)#no rapid-spanning-tree path-cost
path-cost The RSTP path cost value, in the range of <1–200000000>.
You can use the path cost value to give priority to preferred links (for
example physical speed and bandwidth). When building the active
spanning tree, the port path-cost determines which port is included in the
active topology. Ports with lower-cost values are preferred to ports with
higher cost values. If all ports that provide redundant paths to the root
bridge have the same path-cost value, RSTP puts the port with the lowest
number in Forwarding state and blocks the other ports.
Table 11: Path Cost Default Configuration

Link Speed Default Value
4 Mbps 5,000,000
10 Mbps 2,000,000
16 Mbps 1,250,000
100 Mbps 200,000
1 Gbps 20,000
2 Gbps 10,000
10 Gbps 2,000
Page 20
Defining the Link-Type

The rapid-spanning-tree link-type command defines the RSTP port’s administrative link-type.

By default, the admin link type is Auto.
There are two statuses of link-type:
Table 12: RSTP Link-types
Link-Type Description
Admin Link-Type auto The device automatically manages the port's link-type.
The device considers the port connected to a point-to-
point LAN segment if any of the following conditions
are met:
• The MST algorithm determines that the LAN

segment operates in full duplex mode.
• If you configure the port by management means
to a full duplex operation. Otherwise, consider the
MAC to be connected to a LAN segment that is
not point-to-point (shared media).
point-to- Consider the device connected to a point-to-point LAN

point segment that forces the operational link-type to be
point-to-point.
shared Consider the device connected to a shared media
LAN segment that forces the operational link-type to
be shared.
Operational If you configure Admin link-type to auto, then you can determine the
Link-Type value of Operational link-type in accordance with the specific procedures
defined for the device entity, as defined in Admin link-type (auto).
If the port is connected to a point-to-point LAN segment, then
Operational link-type is set to point-to-point, otherwise it is set to shared.
In the absence of a specific definition of how to determine whether the
device is connected to a point-to-point LAN segment or not, the value of
link-type is shared.
Figure 5: Point-to-point MAC
Page 21
Command Syntax
device-name(config-if UU/SS/PP)#rapid-spanning-tree link-type {auto | point-
to-point | shared}
device-name(config-if UU/SS/PP)#no rapid-spanning-tree link-type
device-name(config-if-group)#rapid-spanning-tree link-type {auto | point-to-

point | shared}
device-name(config-if-group)#no rapid-spanning-tree link-type
auto Sets the RSTP link-type to auto.
point-to-point Sets the RSTP link-type to point-to-point.
shared Sets the RSTP link-type to share.
Forcing a Port to Work with RSTP

A device running RSTP supports a built-in protocol migration mechanism that enables RSTP to
interoperate with legacy 802.1D STP.
When an RSTP device receives a legacy 802.1D configuration BPDU (BPDU with protocol
version 0) it starts transmitting legacy 802.1D BPDUs (configuration messages and TCN messages).
However, when the device stops receiving BPDUs, it does not automatically revert to RSTP mode.
The device cannot determine whether the legacy device is removed from that link unless the legacy
device is a designated device.
RSTP supports a mechanism that forces the port to restart a protocol migration process (force re-
negotiation with neighboring devices).
The rapid-spanning-tree detect-protocols command forces the port to operate using RSTP
instead of the STP in the case of a link up event
Command Syntax
device-name(config-if UU/SS/PP)#rapid-spanning-tree detect-protocols
device-name(config-if-group)#rapid-spanning-tree detect-protocols
device-name(config-ag-group)#rapid-spanning-tree detect-protocols
device-name(config-if AG0N)#rapid-spanning-tree detect-protocols
Page 22
Restoring the RSTP Port Parameters to Defaults

The rapid-spanning-tree defaults command restores the port’s RSTP parameters to their
default values.
Command Syntax
device-name(config-if UU/SS/PP)#rapid-spanning-tree defaults
device-name(config-if-group)#rapid-spanning-tree defaults
Displaying the RSTP Configuration

The rapid-spanning-tree command displays the current RSTP configuration.
You can also use the show rapid-spanning-tree command.
Command Syntax
Example
Priority = 32768
TopChanges = 4
MaxAge = 20 (Sec)
HelloTime = 2 (Sec)
TxHoldCount = 3
Page 23
Table 13: Parameters Displayed by the rapid-spanning-tree Commands

Rapid Spanning tree The RSTP global state.

ProtocolSpecification The protocol standard.
Priority The bridge priority that is part of the bridge identifier.
TimeSinceTopologyChange The time since the last topology change in seconds.
TopChanges The number of times the Topology Change flag was changed
since the device was turned on.
DesignatedRoot The unique Bridge Identifier of the root.
Use this parameter as the Root Identifier value in all
Configuration BPDUs transmitted by the bridge.
MaxAge The maximum time, in seconds, of learned protocol
information before it is discarded.
HelloTime The time interval, in seconds, between the transmission of
Configuration BPDUs by a bridge that is attempting to become
the root or is the root.
ForwardDelay The minimum time period, in seconds, to elapse between the
transmissions of Configuration BPDUs through a given LAN
port. At most, one Configuration BPDU is transmitted in any
hold-time period. This parameter is fixed at 1 second.
BridgeMaxAge The value of the MaxAge parameter, in seconds, when the
bridge is the root or is attempting to become the root.
BridgeHelloTime The value of the hello-time parameter, in seconds,
determining the time interval between transmissions of:
• BPDUs to all Designated ports of the root device
• BPDUs to Designated ports of all devices in the topology
having the same root
• BPDUs to the Root port during Topology Change
notification
BridgeForwardDelay The value of the forward-delay parameter, in seconds, when
the bridge is the root or is attempting to become the root.
TxHoldCount Maximum number of BPDUs transmitted during the hello-time
interval.
MigrationTimer The time interval to wait before performing protocol
migrations. A protocol migration occurs when the device
degrades from RSTP to a legacy spanning protocol (such as,
STP).
DetectLineCRCReconfig Indicates whether CRC errors detection is enabled.
DetectLineFlapping Indicates whether link flapping detection is enabled on the
line.
SpanIgmpFastRecovery Indicates whether IGMP fast recovery is enabled on the line.
Page 24
Displaying the RSTP Port Configuration

The rapid-spanning-tree interface command displays the port’s RSTP parameters. The
command also changes the mode to the Interface Configuration mode and enables the setting of
the RSTP in the specified port.

The rapid-spanning-tree all command displays the settings of the RSTP parameters for all
ports.
CLI Mode: Protocol Configuration and Interface Configuration
Command Syntax
device-name(cfg protocol)#rapid-spanning-tree interface UU/SS/PP
device-name(cfg protocol)#rapid-spanning-tree interface all

device-name(config-if UU/SS/PP)#rapid-spanning-tree all
UU/SS/PP Specifies the unit, slot, and port number
all Displays the RSTP settings for all ports. The configuration mode does not
change.
Example 1
Display the output of the RSTP configuration for port 1/1/1 with link enabled:
device-name(cfg protocol)#rapid-spanning-tree interface 1/1/1
PortPriority = 128
PortState = forwarding
PortRole = Designated Port
PortEnable = enabled
PortPathCost = 20000
DesignatedCost = 0
DesignatedBridge = This bridge
Admin EdgePort = disabled
EdgePort = disabled
AdminLink-Type = Auto
Link-Type = P2P
MigrationTimer = 3
Detected Protocol = RSTP
Page 25
Example 2
Display the RSTP topology for all ports:
device-name(cfg protocol)#rapid-spanning-tree interface all
============================================================================
Port |Pri|Prt role|State |PCost |DCost |Designated bridge |DPrt |FwrdT
--------+---+--------+-------+-------+-------+------------------+------+-
01/01/01 128 Designat frwrd 40000 400000 32768.00A012010101 128.01 2
01/01/02 128 Designat frwrd 200000 400000 32768.00A012010101 128.03 1
01/02/01 128 Designat frwrd 200000 400000 32768.00A012010101 128.04 1
01/02/02 128 Altern discr 200000 200000 32768.00A012112990 128.20 1
01/02/03 128 Root frwrd 200000 200000 32768.00A012112990 064.21 3
Example 3
Display the RSTP topology for all ports from Interface Configuration mode:
device-name(config-if 1/1/1)#rapid-spanning-tree all
============================================================================
--------+---+--------+-------+-------+-------+------------------+------+-
01/01/01 128 Designat frwrd 40000 400000 32768.00A012010101 128.01 2
01/01/02 128 Designat frwrd 200000 400000 32768.00A012010101 128.03 1
01/02/01 128 Designat frwrd 200000 400000 32768.00A012010101 128.04 1
01/02/02 128 Altern discr 200000 200000 32768.00A012112990 128.20 1
01/02/03 128 Root frwrd 200000 200000 32768.00A012112990 064.21 3
Table 14: Parameters Displayed by rapid-spanning-tree interface command

PortPriority The port priority that is part of the port identifier.

PortState The current port state of the port.
PortRole The current port role of the port
PortEnable The port’s link state of the port.
PortPathCost The contribution of the path through this port, when the port is the
Root port, to the total cost of the path to the root for this bridge.
DesignatedRoot The topology's root device.
DesignatedCost For a Designated port, the path cost (equal to the root path cost of
the bridge) offered to the LAN to which the port is connected;
otherwise, it is the cost of the path to the root offered by the
Designated port on the LAN to which this port is connected.
Use this parameter to test the value of the root path cost parameter
Page 26
DesignatedBridge The unique bridge Identifier of one of the following:

The bridge the port belongs to in case of a Designated port.
The bridge assumed to be the designated bridge for the LAN to
which this port is attached.
Use this parameter:
• Together with the Designated port and port Identifier
parameters for the port to know if this port is the Designated
port for the LAN to which it is attached.
• To test the value of the bridge Identifier parameter conveyed in
received Configuration BPDUs.
DesignatedPort The port Identifier of the bridge port, on the designated bridge,
through which the designated bridge transmits the configuration
message information stored by this port.
Use this parameter:
• Together with the designated bridge and port Identifier
parameters for the port to know if this port is the Designated
port for the LAN to which it is attached.
• By management to determine the topology of the bridged LAN.
FrwrdTransitions Number of port state transitions into forwarding state that have
occurred.
Admin EdgePort This value indicates whether the user forced the port to be an edge
port (a port attached to a PC or any non spanning tree capable
device on the edge of the network), or it is set by the RSTP.
EdgePort The actual value of the edge port parameter for this port either
forced by the user or set automatically by the RSTP.
AdminLink-Type This value reflects the user-defined link-type of this port. If you set it
to auto, then set the link-type according to the duplex mode of the
port.
Link-Type The actual value of the link-type for this port either forced by the
user or set automatically by the RSTP.
MigrationTimer The time interval to wait before performing protocol migrations. A
protocol migration occurs when the device degrades from RSTP to
a legacy spanning protocol (such as, STP).
Page 27
Table 15: Parameters Displayed by rapid-spanning-tree interface all and rapid-

spanning-tree all commands
Port The port’s unit/slot/port.

Pri See PortPriority in the above table.
Prt Role See PortRole in the above table.
State See PortState in the above table.
PCost See PortPathCost in the above table.
DCost See DesignatedCost in the above table.
Designated bridge See DesignatedBridge in the above table.
DPrt See DesignatedPort in the above table.
FwrdT See FrwrdTransitions in the above table.
Displaying the RSTP for a Specific Port

The show rapid-spanning-tree interface command displays the RSTP topology for the
specified port.

Table 14 describes the parameters displayed by this command.
Command Syntax
device-name#show rapid-spanning-tree interface UU/SS/PP
Example
In the following example the DesignatedRoot value indicates that the bridge is the root:
device-name#show rapid-spanning-tree interface 1/1/1
PortPriority = 128
PortState = forwarding
PortRole = Designated Port
PortEnable = enabled
PortPathCost = 200000
DesignatedCost = 0
DesignatedRoot = This bridge
Admin EdgePort = disabled
EdgePort = disabled
AdminLink-Type = Auto
Link-Type = P2P
MigrationTimer = 3
Page 28
Detected Protocol = RSTP
Displaying the RSTP Configuration and Topology for

All Ports
The show rapid-spanning-tree command displays the current RSTP parameters settings and the
RSTP topology for all ports.

Table 13 and Table 15 describe the parameters displayed by this command.
Command Syntax
device-name#show rapid-spanning-tree
Example
device-name#show rapid-spanning-tree
Priority = 32768
TopChanges = 5
RootPort = 1/1/1
RootCost = 400000
MaxAge = 20 (Sec)
HelloTime = 2 (Sec)
TxHoldCount = 3
===================================================================
Port |Pri|Prt role|State |PCost |DCost |Designated bridge |DPrt FwrdT
--------+---+--------+-------+-------+--------+------------------+----------
01/01/01 128 Designat frwrd 40000 400000 32768.00A012010101 128.01 2
01/02/01 128 Designat frwrd 200000 400000 32768.00A012010101 128.03 1
01/02/02 128 Designat frwrd 200000 400000 32768.00A012010101 128.04 1
01/02/03 128 Altern discr 200000 200000 32768.00A012112990 128.20 1
01/02/04 128 Root frwrd 200000 200000 32768.00A012112990 064.21 3
Page 29
Enabling RSTP Debug Information

The debug rstp command enables and displays RSTP-related debug information.
The RSTP debug commands are not saved after reload.

By default, RSTP debug information is disabled.
Command Syntax
device-name#debug rstp {all | hand-shake | roles | flush}
device-name#no debug rstp {all | hand-shake | roles | flush}
all Activates all RSTP debug options.
hand-shake Activates Hand Shake protocol debugging (IEEE 802.1w).
roles Activates port-role selection debugging
flush Activates debugging of port table flushing (MAC addresses).
no Disables the RSTP-related debug information display.
Example:
Below is an example of the debug output after a link failure:
tSpanRecv: 2008/01/01 04:11:03 : link down on port 1/2/4
0xa1391880 (tSpanPRS):
0xa1391880 (tSpanPRS): Select-Port-Roles
=================
0xa1391880 (tSpanPRS): Port 1/2/1 Is DesignatedPort
0xa1391880 (tSpanPRS): End-Roles-Selection
tSpanRecv: 2008/01/01 04:11:06 : link up on port 1/2/4
=================
Page 30
0xa139eb20 (tSpanPRT): Designated synced port 1/2/4

0xa139eb20 (tSpanPRT): Designated proposing port 1/2/4
=================
=================
0xa1391880 (tSpanPRS): Port 1/2/4 Is BackupPort
Displaying the RSTP Debug Status

The show debug rstp command displays the RSTP debug status.
Command Syntax
device-name#show debug rstp
Example
device-name#show debug rstp
RSTP debugging status:
RSTP debug roles is on
RSTP debug flush is on
RSTP debug handshake is on
Page 31
RSTP Configuration Example

The following is details RSTP configuration in a network and the devices within the network. For
more information regarding the formulas that appear in this example, refer to Calculating the STP
Timers section of the Configuring Spanning Tree Protocol (STP) chapter.
Figure 6: Rapid Spanning Tree Configuration Example
1. Enable RSTP:
DeviceA#configure terminal
DeviceA(config)#protocol
DeviceA(cfg protocol)#rapid-spanning-tree enable
2. Set the RSTP bridge priority to 4096, As a result the Device A becomes the Root Bridge:
DeviceA(cfg protocol)#rapid-spanning-tree priority 4096
3. Set the RSTP MaxAge timer to 10, due to the following calculation: Max_age = (4 x hello) +
(2 x dia) - 2, where the hello-time is 2 and the diameter is 2, according to the above figure:
DeviceA(cfg protocol)#rapid-spanning-tree max-age 10
Page 32
4. Set the RSTP forward-delay timer to 7, due to the following calculation: Forward_delay = ((4 x
hello) + (3 x dia)) / 2, where the hello-time is 2 and the diameter is 2, according to the above
figure:
DeviceA(cfg protocol)#rapid-spanning-tree forward-delay 7
Enable RSTP:
DeviceB#configure terminal
DeviceB(config)#protocol
DeviceB(cfg protocol)#rapid-spanning-tree enable
1. Enable RSTP:
DeviceC(config)#protocol
DeviceC(cfg protocol)#rapid-spanning-tree enable
DeviceC(cfg protocol)#exit
2. Set port 1/1/1 priority to 64 to cause it to be the forwarding port of Device C:

DeviceC(config)#interface 1/1/1
DeviceC(config-if 1/1/1)#rapid-spanning-tree priority 64
1. Enable RSTP:
DeviceD#configure terminal
DeviceD(config)#protocol
DeviceD(cfg protocol)#rapid-spanning-tree enable
DeviceD(cfg protocol)#exit

DeviceD(config)#interface 1/1/1
DeviceD(config-if 1/1/1)#rapid-spanning-tree path-cost 40000
3. Configure ports 1/2/3 and 1/2/4 on Device D as edge ports, since they are attached to PCs.
This disables the topology change detection on these ports:
DeviceD(config-if 1/2/3)#rapid-spanning-tree edge-port
DeviceD(config-if 1/2/4)#rapid-spanning-tree edge-port
DeviceD(config-if 1/2/4)#end
Page 33
1. Enable RSTP:
DeviceE#configure terminal
DeviceE(config)#protocol
DeviceE(cfg protocol)#rapid-spanning-tree enable
DeviceE(cfg protocol)#exit
2. Configure ports 1/2/3 and 1/2/4 on Device E as edge ports, since they are attached to PCs:
DeviceE(config)#interface 1/2/3
DeviceE(config-if 1/2/3)#rapid-spanning-tree edge-port
DeviceE(config-if 1/2/3)#interface 1/2/4
DeviceE(config-if 1/2/4)#rapid-spanning-tree edge-port
DeviceE(config-if 1/2/4)#end
Displaying Device D Configuration:

DeviceD#show rapid-spanning-tree
Priority = 32768
TopChanges = 5
RootPort = 1/2/1
RootCost = 220000
MaxAge = 10 (Sec)
HelloTime = 2 (Sec)
TxHoldCount = 3
====================================================================================
--------+---+--------+---------+---------+---------+------------------+------+------
01/01/01 128 Designat frwrd 40000 220000 32768.00A012271420 128.01 2
01/02/01 128 Root frwrd 200000 20000 32768.00A012270080 128.03 2
01/02/02 128 Altern discr 200000 20000 32768.00A012270080 128.04 1
01/02/03 128 Designat frwrd 200000 220000 32768.00A012271420 128.05 2
01/02/04 128 Designat frwrd 200000 220000 32768.00A012271420 064.06 2
NOTE
Port 1/2/2 is the Alternate port since the value of DPrt (the port Identifier of
the bridge port) for 1/2/1 is better than 1/2/2. Device A is the root since its
bridge priority has the lowest value (4096).
Page 34
Displaying Device E Configuration:

DeviceE#show rapid-spanning-tree
Priority = 32768
TopChanges = 5
RootPort = 1/2/2
RootCost = 240000
MaxAge = 10 (Sec)
HelloTime = 2 (Sec)
TxHoldCount = 3
===============================================================================
--------+---+--------+-----+---------+---------+------------------+------+-----
01/01/01 128 Root frwrd 20000 220000 32768.00A012271420 128.01 2
01/02/02 128 Altern discr 200000 200000 32768.00A012271240 128.03 1
01/02/03 128 Designat frwrd 200000 240000 32768.00A012270120 128.04 2
01/02/04 128 Designat frwrd 200000 240000 32768.00A012270120 128.04 2
NOTE
Select port 1/2/2 (connected to Device D) as alternate since the cost to the
root via this port is higher than via port 1/1/1.
Page 35
Supported Platforms
RSTP + +

Feature Standard MIBs RFCs
RSTP • IEEE 802.1d-1998 Public MIBs: • RFC 1493, Definitions of

• IEEE 802.1t-2001 • bridge.mib Managed Objects for Bridges
• IEEE 802.1w-2001 • rstp.mib • RFC 2863, Interfaces Group

MIB (configL2IfaceTable)
Private MIB,
prvt_switch.mib
Page 36
Configuring Multiple Spanning Tree Protocol
(MSTP, IEEE 802.1s)
Table of Figures ······················································································ 3
Overview ······························································································· 4
MSTP Regions························································································ 4
MST Instances (MSTI) ··········································································· 4
MST-to-Single Spanning Tree (SST) Interoperability ········································· 5
The MSTI Parameters ·············································································· 6
Interoperability with 802.1D STP ································································· 7
Fast Ring Modes ····················································································· 8

Fast Ring··························································································· 8
Interoperability Fast Ring ·······································································10
IGMP Fast Recovery ···············································································12
Cisco Compliance···················································································12
IEEE 802.1s-Compliant vs. Cisco-Compliant BPDUs ······································12
MSTP Default Configuration ·····································································17
MSTP Configuration Flow ········································································19
MSTP Configuration Commands ································································20

Enabling/Disabling MSTP ·····································································22
Defining the Bridge Priority ····································································22
Defining the Port Priority·······································································23
Enabling/Disabling MSTP and an MSTP Instance on a Port·······························23
Mapping VLANs to an MST Instance·························································24
Defining the MSTP Region Name ·····························································24
Defining the Region Revision-Number ·······················································25
Saving the MSTP VLAN Mapping·····························································25
Exiting the MSTP Protocol Configuration Mode without Saving the MST Mapping ····25
Defining the Hello-Time········································································26
Page 1
Configuring Multiple Spanning Tree Protocol (MSTP, IEEE 802.1s) (Rev. 04)
Defining the Forward-Delay Timer ····························································26

Defining the Maximum Aging Timer ··························································27
Defining the Maximum Hop Count ···························································27
Enabling the MSTP Fast Ring Mode ··························································28
Configuring the Device as an MSTP Border Bridge ·········································28
Defining the Learning/Flushing Mode in a Fast Ring ·······································29
Configuring Edge Ports ·········································································29
Configuring the Path Cost ······································································31
Enabling the BPDU Guard ·····································································31
Enabling/Disabling BPDU Transmission·····················································32
Enabling/Disabling the Loop Guard ··························································32
Enabling MSTP Migration (Interoperability with 802.1D) ··································33
Enabling MSTP Link Flapping ·································································33
Defining the Port’s Link Type··································································34
Enabling/Disabling Root Restriction··························································35
Enabling/Disabling TCN Restriction ·························································35
Configuring the Cisco-Compliant Mode ······················································36
Restoring the Port’s MSTP Defaults···························································36
Displaying the MSTP Temporary Configuration ·············································36
Displaying the Current MSTP Configuration ·················································37
Displaying the MSTP Region Configuration ··················································38
Displaying the MSTP Configuration···························································38
Displaying the MST Instances Configuration ·················································42
Enabling MSTP Debug Information ··························································44
Displaying the MSTP Debug ···································································45
MSTP Configuration Examples ··································································46

Pending Configuration ··········································································46
MSTP Port Configuration ······································································47
MSTP Global Parameters Configuration ······················································48
Network Configuration ·········································································50
Fast Recovery Configuration ···································································61
MSTP BPDU Guard, Loop Guard, Restricted Root and Restricted TCN Configuration63
Configuring a Fast Ring ·········································································65
Page 2
Table of Figures
Figure 1: MSTP within a Region ································································ 5
Figure 3: MSTP in Ring Topology in a Link-Down Event ··································· 9
Figure 4: MSTP in Ring Topology with a Device in Link-Down Event ···················10
Figure 5: MSTP Configuration Flow···························································19
Figure 6: Schematic MSTI Configuration ·····················································50
Figure 7: Link Failure between Two Devicees ················································58
Figure 8: Spanning Tree IGMP Fast Recovery Configuration Example ···················61
Figure 9: BPDU Guard, Loop Guard, Restricted Root and Restricted TCN ··············63
Figure 10: Fast Ring Topology ·································································65
Page 3
Overview
Based on RSTP, MSTP allows using multiple spanning tree instances (MSTI) while mapping each
VLAN or VLAN group to the most appropriate instance. Each MSTI is an RSTP instance that has
its own independent topology, thus improving network fault tolerance.
This protocol provides a faster convergence-time and load balancing. Telco Systems’ recovery time
for link or device failure is less than 50 milliseconds and can be tuned to as low as 15 milliseconds
(in a ring of up to 14 devices).
MSTP includes all its spanning tree information in a single BPDU format. This reduces the number
of BPDUs required on a LAN to communicate spanning tree information for each VLAN and
ensures backward compatibility with RSTP and STP.
For more information regarding VLANs, refer to the Configuring VLANs and Super VLANs
MSTP Regions
An MSTP region is a collection of interconnected bridges that share the same MSTP configuration.
Devices in the same MST region share the following attributes:
• region name
• the region’s revision number
• the MST instance-to-VLAN assignment map (each VLAN can be maped only to one instance)
MST Instances (MSTI)

Each bridge in the MSTP region contains up to 16 MSTIs which act like separate RSTP bridges for
a specific set of configured VLANs. All MSTIs within the same region share the same protocol
timers, but each instance has its own topology parameters, such as root-device ID, root path-cost,
and active topology. By manipulating these parameters, systems administrator can modify the
spanning tree topology (defining forwarding ports and blocked ports) for the MSTI VLANs, thus
achieving traffic load-balancing within the region.
The MSTIs are identified by their instance ID:
• Instance 0: this is the Common Internal Spanning Tree (CIST) to which all VLANs are
mapped by default. This instance is obligatory and cannot be removed.
• Instances 1–15: user-configurable, optional instances, to which the system administrator maps
sets of VLANs.
Page 4
The figure below illustrates load balancing. In MSTI 1:

• Device C is the MST Root
• The port on Device B connected to Device A is blocked
• Traffic for VLANs 101–200 flows between Device C and Device A
However, for MSTI 2:
• Device B is the MST Root
• The port on Device C connected to Device A is blocked
• Traffic for VLANs 201–300 flows between Device B and Device A
Figure 1: MSTP within a Region
MST-to-Single Spanning Tree (SST) Interoperability

Load balancing is supported only within the MSTP region.
Outside the region the spanning tree information is carried by MST instance 0, enabling the MST
region to participate in the Common Spanning Tree (CST ) of legacy xSTP bridges and other
MSTP regions it is connected to.
This region is responsible for combining all Internal Spanning Tree (IST) information and
forwarding it to the CST, handling the CST information and setting the roles of the region’s
boundary ports. As a consequence each MSTP region acts as a single RSTP bridge within the CST
topology.
Each region has only one boundary port that can be the region’s Root port, connecting the region
to the CST Root bridge (the CIST Root). This port is called the Master port. Boundary ports
providing alternative paths from the region to the CIST Root are blocked (set to Alternative).
Boundary ports that provide connectivy to Designated LANs can be set as Designated ports.
Page 5
The MSTI Parameters

Table 1: MSTI Parameters
Boundary Ports Connect the designated bridge (an SST bridge or a bridge with a
different MST configuration) to a LAN.
A designated port identifies itself as a boundary port (the boundary flag
set) if it detects an STP bridge or receives an agreement message from
an RST or MST bridge with a different configuration.
The MST port’s role at the boundary is not important; since they are
forced the same state as the IST port state. The IST port at the
boundary can take any port role except a backup port role.
IST Master The IST master of an MST region is the bridge with the lowest bridge
identifier and the lowest path cost to the CST root.
• If an MST bridge is the root bridge of the CIST in a region, then it is
the IST master of that MST region.
• If the CST root is outside the MST region, then one of the MST
bridges at the boundary is selected as the IST master. Other
bridges on the boundary that belong to the same region eventually
block the boundary ports that lead to the root.
• If two or more bridges have an identical path to the root, you can
set a lower bridge priority value to make a specific bridge the IST
master.
The root path-cost and message age inside a region stay constant.
However the IST path cost is incremented and the IST remaining hops
are decremented at each hop.
Regional Root The MSTI Regional root is the root bridge of each MSTI within a region.
In case of IST, it is the CIST Regional root. Therefore, the terms “IST
Master” and “CIST Regional root” are interchangeable.
Edge Ports A port connected to a non-bridging device (for example, a host or a
device). A port that connects to a hub is also an edge port if the hub or
any LAN that is connected to it does not have a bridge.
An edge port can start forwarding as soon as its link is up.
Link-Type Rapid connectivity is established only on point-to-point links.
When connecting a port to another port through a point-to-point link and
the local port becomes a designated port, RSTP negotiates a rapid
transition with the other port, using the proposal-agreement handshake
to ensure a loop-free topology.
By default, the link-type is automatically determined by the port’s duplex
state. However in case of a half-duplex link physically connected point-
to-point to a single port on a remote device running RSTP, you can
override the link-type default setting and enable rapid transitions to
Forwarding state.
Page 6
Message Age and IST and MSTIs use a hop count mechanism similar to the IP time-to live
Hop Count (TTL) mechanism. Users can configure the maximum MST bridge hop
count.
The MSTI root bridge sends a BPDU (or M-record) with the remaining
hop count. The bridge receiving the BPDU (or M-record) decrements the
remaining hop count by one.
If after decrementing, the hop count reaches zero, the bridge discards
the BPDU and ages out the port information. Non-root bridges propagate
the decremented count as the remaining hop count in the BPDUs they
generate.
Port Priority The port priority determines the port’s Forwarding state in case of a loop.
MSTP selects the port with the highest priority (lower priority value) first.
In case all ports have the same priority, MSTP selects the port with the
lowest number and blocks all other ports.
Path Cost MSTP uses the path cost when selecting the forwarding port in case of a
loop.
The port’s default path-cost derives from its link speed. However, you
can define lower cost values to ports you want selected first and higher
cost values to ports you want selected last.
In case all ports have the same path cost value, MSTP selects the port
with the lowest number and blocks all other ports.
Interoperability with 802.1D STP

A device running both MSTP and RSTP supports a built-in protocol migration mechanism that
enables it to interoperate with legacy 802.1D devices.
If this device receives a legacy 802.1D configuration BPDU (a BPDU with the protocol version set
to 0), it sends only 802.1D BPDUs on that port. An MSTP device can also detect that a port is at
the boundary of a region when it receives a legacy BPDU, an MST BPDU (version 3) associated
with a different region, or an RST BPDU (version 2).
However, the device cannot determine whether the legacy device is removed from the link (unless
the legacy device is the designated device). Therefore, it does not automatically revert to the MSTP
mode if it no longer receives 802.1D BPDUs.
Also, a device might continue to assign a boundary role to a port when the device to which it is
connected has joined the region.
If all the legacy devices on the link are RSTP devices, they can process MSTP BPDUs as if they are
RSTP BPDUs. Therefore, MSTP devices send either a version 0 configuration and TCN BPDUs
or version 3 MSTP BPDUs on a boundary port. A boundary port connects the designated device
to a LAN that is either a single spanning tree device or a device with a different MST configuration.
Page 7
Fast Ring Modes

Telco Systems fast ring mode shortens the MSTP convergence time below 50 milliseconds in case
of a disconnection in a ring topology.
To achieve this recovery time you have to ensure the following conditions:
• Set the mstp learn-mode command to none or temporary-disabled (see Defining the
Learning/Flushing Mode in a Fast Ring). Alternatively use up to 100 MAC addresses in a standard
learning mode.
• Configure up to 50 VLANs in MSTI 0.
NOTE
You can use the MSTP Fast Ring solution only in instance 0 .
Telco Systems offers two Fast Ring solutions:

• Fast Ring
• Interoperability Fast Ring
NOTE
Use a standard MSTP as a ring solution, if your network demands a topology
different from the one offered here.
Fast Ring
Use this solution when all the devices in the ring are Telco Systems devices.
To use Fast Ring:
1. Select one bridge to be the root bridge: set this bridge’s priority to the lowest value (0) and do
not enable the Fast Ring feature on this bridge (to avoid instability).
2. Configure all the user ports as MSTP edge ports.
3. To optimize network performance, increment the bridges priority value as you draw away
from the root bridge.
Page 8
The figure below shows a ring topology using MSTP:

• Device 1 is the MST root bridge
• All the ports have equal priority thus one of Device 8's uplink ports is in Alternate state.
In case of a link failure between Device 14 and Device 1:
1. Device 14 detects the link failure on its root port.
2. Telco Systems ring solution immediately changes the traffic flow to a new direction.
Figure 2: MSTP in Ring Topology in a Link-Down Event
Page 9
Interoperability Fast Ring

This solution is designed especially for interoperation with devices that do not support MSTP or
RSTP protocols. Use Interoperability Fast Ring when you use a non Telco Systems gateway as a
part of the ring.
The figure below shows a ring topology using MSTP, when one of the devices (Router, in the figure
below) does not support MSTP, but is capable of switching the MSTP BPDUs between the ports
connected in the topology.
Figure 3: MSTP in Ring Topology with a Device in Link-Down Event
To use an Interoperability Fast Ring:

1. Configure the two devices closest to the Router (Device 1 and Device 8) as Border Bridges to
avoid network-performance degrade.
2. Do not define any MSTP priorities on Border Bridges. These are automatically set once the
brdiges are set as border bridges.
Page 10
3. Increment the bridges priority value as you draw away from the root bridge, starting with
priority value 8192.
4. Configure all the user ports as MSTP edge ports.
Page 11
In case the link between Device 8 and the Router fails:

• Device 1 becomes the root
• Traffic changes its direction toward the new root
IGMP Fast Recovery

When using the IGMP Fast Recovery feature, multicast traffic takes advantage of the connectivity
and convergence time provided by MSTP.
For more information, refer to the Internet Group Multicast Protocol (IGMP) Fast Recovery section of the
Configuring Spanning Tree Protocol (STP) chapter of this User Guide.
Cisco Compliance
Cisco compliance is a feature that enables the Cisco-compliant mode, changing the BPDU format
to conform to the standard adopted in Cisco devices.
When the device is not in Cisco-compliant mode, the root port is synchronized only if it receives an
agreement together with the proposal flag from the designated port.
IEEE 802.1s-Compliant vs. Cisco-Compliant BPDUs

Both Cisco-compliant and IEEE 802.1s-compliant modes, send an Agreement flag in response to a
Proposal flag when the port transitions to Root role. However there are differences between the
two modes in the conditions under which the Agreement flag is set:
• In the standard IEEE 802.1s-compliant mode, MSTP sets the Agreement flag when:
the port is either a Designated or a Root port
and
all the device ports are synchronized (when all the ports participate only in loop-free
topologies)
• In Cisco-compliant mode the Agreement flag is set also when the port is going to Alternate
role.
The following two tables compare two BPDUs:
• Table 2 displays a BPDU generated in IEEE 802.1s-compliant mode and includes two
M-records.
• Table 3 displays a BPDU generated in Cisco-compliant mode, parsed in the format generated
by Cisco devices.
Page 12
Standard BiNOS Dump (IEEE 802.1s-Compliant)

01 80 c2 00 00 00 00 a0 12 11 29 92 00 89 42 42
03 00 00 03 02 4e 80 00 00 a0 12 11 29 92 00 00
00 00 80 00 00 a0 12 11 29 92 80 0b 00 00 14 00
02 00 0f 00 00 00 60 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 01 60 b0 d3 6e cc e1
45 40 14 da 65 22 bd 08 f3 cd 00 00 00 00 80 00
00 a0 12 11 29 92 28 4e 80 01 00 a0 12 11 29 92
00 00 00 00 80 80 28 4e 80 02 00 a0 12 11 29 92
00 00 00 00 80 80 28
Cisco-Compliant Dump
01 80 c2 00 00 00 00 08 a3 37 f1 c1 00 84 42 42
03 00 00 03 02 68 60 00 00 07 eb d5 a2 00 00 00
00 00 60 00 00 07 eb d5 a2 00 80 01 00 00 14 00
02 00 0f 00 00 00 00 5a 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 64 b1 f4 bb 1f 3c
6d 4d a3 00 94 c1 11 b7 c0 92 60 00 00 07 eb d5
a2 00 00 00 00 00 14 00 01 69 60 01 00 07 eb d5
a2 00 00 00 00 00 60 01 00 07 eb d5 a2 00 80 01
14 00
Table 2: BiNOS BPDU Parsed According to IEEE 802.1s

Field Name Content
ETH Dest. 01 80 c2 00 00 00
ETH Src 00 a0 12 11 29 92
ETH Len 00 89
LLC 42 42 03
Protocol Identifier 00 00
Protocol version Identifier 03
BPDU type 02
CIST Flags 4e
CIST Root Identifier 80 00 00 a0 12 11 29 92
CIST Ext. Path Cost 00 00 00 00
CIST Regional Root Identifier 80 00 00 a0 12 11 29 92
CIST Port Identifier 80 0b
Message age 00 00
MaxAge 14 00
Hello-time 02 00
Forward-delay 0f 00
Page 13
Field Name Content
Version 1 length (must be 0) 00

Version 3 length (Mrecords total length) 00 60
MSTI configuration Identifier (Key, 00 00 00 00 00 00 00 00 00 00 00 00
Revision, Name) 51 Bytes 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 01 60
b0 d3 6e cc e1 45 40 14 da 65 22 bd
08 f3 cd
CIST Internal Root Path Cost 00 00 00 00
CIST Bridge Identifier 80 00 00 a0 12 11 29 92
CIST Remaining hops 28
MSTI1
• Flags 4e
• MSTI Regional Root Identifier 80 01 00 a0 12 11 29 92
00 00 00 00
• MSTI Internal root path cost
80
• MSTI Bridge Priority
80
• MSTI Port Priority
28
• MSTI Remaining hops
MSTI2
• Flags 4e
• MSTI Regional Root Identifier 80 02 00 a0 12 11 29 92
00 00 00 00
• MSTI Internal root path cost
80
• MSTI Bridge Priority
80
• MSTI Port Priority
28
• MSTI Remaining hops
Table 3: Cisco BPDU Parsed by a Telco Systems Device

Field Name Content Notes
ETH Dest. 01 80 c2 00 00 00 Matches the IEEE-802.1s

ETH Src 00 08 a3 37 f1 c1
ETH Len 00 84
LLC 42 42 03
Protocol Identifier 00 00
Protocol version Identifier 03
BPDU type 02
CIST Flags 68
CIST Root Identifier 60 00 00 07 eb d5 a2 00
CIST Ext. Path Cost 00 00 00 00
CIST Bridge Identifier 60 00 00 07 eb d5 a2 00
CIST Port Identifier 80 01
Page 14
Message age 00 00
MaxAge 14 00
Hello-time 02 00
Forward-delay 0f 00
Version 1 length (must be 00
0)
Extra byte 00 If the Cisco BPDUs are parsed
as specified in the IEEE 802.1s
standard, some offsets and
shifts may cause wrong values
for the M-records and for the
matching fields that are located
after the version 3 length—
CIST Internal root path cost,
CIST Bridge identifier, CIST
remaining hops.
Version 3 length (Mrecords 00 5a
total length)
MSTI configuration 00 00 00 00 00 00 00 00 00 00 The first byte of the
Identifier (Key, Revision, 00 00 00 00 00 00 00 00 00 00 configuration is called selector,
Name) 50 Bytes. 00 00 00 00 00 00 00 00 00 00 and is omitted (or over-ridden
00 00 00 00 64 b1 f4 bb 1f 3c by the version 3 length field).
6d 4d a3 00 94 c1 11 b7 c0 92
CIST Regional Root 60 00 00 07 eb d5 a2 00 Fields’ order is flipped.
Identifier
CIST Remaining hops—2 14 00 Extra byte-Cisco BPDU with no
bytes instead of 1. MSTIs ends here and contains
the extra byte.
MSTI1 The whole M-Record structure
is different. In the 802.1s there
is no MSTID field. The priority
of the sending bridge and the
port priority are sent without
bridge ID and port ID of the
sending bridge.
MSTID 01 The whole M-Record structure
sending bridge.
Flags 69 The whole M-Record structure
sending bridge.
Page 15
MSTI Regional Root 60 01 00 07 eb d5 a2 00 The whole M-Record structure

Identifier is different. In the 802.1s there
sending bridge.
MSTI Internal root path 00 00 00 00 The whole M-Record structure
cost is different. In the 802.1s there
sending bridge.
MSTI Transmitting Bridge 60 01 00 07 eb d5 a2 00 The whole M-Record structure
Identifier is different. In the 802.1s there
sending bridge.
MSTI Port Identifier 80 01 The whole M-Record structure
sending bridge.
MSTI Remaining hops 14 00 The whole M-Record structure
sending bridge.
Page 16
MSTP Default Configuration

Table 4: MSTP Default Configuration
MSTP Disabled
MSTP port priority 128
Hello-time 2 seconds
Forward-delay time 15 seconds
Maximum aging time 20 seconds
Maximum hop count 40 hops
Revision number 1
Default MST Instance 0
Bridge priority 32768
Path cost See Table 5
Edge port Disabled
Flush edge port Disabled
Link-type Auto
MSTP Link Flapping feature Disabled
Cisco MSTP compliance Disabled (IEE 802.1s-2002 compliance is enabled)
Fast Ring mode Disabled
Fast Ring Border Bridge mode Disabled
Learn mode Standard
BPDU guard Disabled
Loop guard Disabled
Restricted root Disabled
Restricted TCN Disabled
MSTP debug Disabled
Page 17
Table 5: Default Path Cost Configuration (IEEE802.1s)

<=100 Kbps 200,000,000 20,000,000–200,000,000 1–200,000,000

1 Mbps 20,000,000 2,000,000–20,000,000 1–200,000,000
10 Mbps 2,000,000 200,000–2,000,000 1–200,000,000
100 Mbps 200,000 20,000–200,000 1–200,000,000
1 Gbps 20,000 2,000–200,000 1–200,000,000
10 Gbps 2,000 200–20,000 1–200,000,000
100 Gbps 200 20–2,000 1–200,000,000
1 Tbps 20 2–200 1–200,000,000
10 Tbps 2 1–20 1–200,000,000
Page 18
MSTP Configuration Flow

Start
Define the MSTP Timers (hello-time, forward-delay,

MaxAge, max-hops)
Enable the MSTP Fast Ring mode
Configure the learning mode
Configure the loop free ports as edge ports
Enable the BPDU Guard
End
Figure 4: MSTP Configuration Flow
Page 19
MSTP Configuration Commands

The MSTP default values are sufficient for obtaining a loop-free redundant network topology.
However, to enforce topology demands on the dynamically built topology, configure several
parameters before connecting the network.
Table 6: MSTP Global Configuration Commands
Command Description
mstp Enables/disables MSTP (see Enabling/Disabling MSTP)

mstp priority Defines the MSTP bridge priority (see Defining the Bridge
Priority)
mstp port-priority Defines the MSTP port priority (see Defining the Port Priority)
mstp Enables/disables MSTP on a specified port (see
Enabling/Disabling MSTP and an MSTP Instance on a Port)
instance vlan Maps a VLAN to an MSTP instance (see Mapping VLANs to an
MST Instance)
name Defines the configuration name (see Defining the MSTP Region
Name)
revision Defines the configuration revision (see Defining the Region
Revision-Number)
apply Saves the MST configuration map and exits the configuration
(see Saving the MSTP VLAN Mapping)
abort Exits the MSTP configuration without saving the MST
configuration map (see Exiting the MSTP Protocol Configuration
Mode without Saving the MST Mapping)
mstp hello-time Defines the hello-time (see Defining the Hello-Time)
mstp forward-delay Defines the forward-delay timer (see Defining the Forward-Delay
Timer)
mstp max-age Defines the maximum aging time (seeDefining the Maximum
Aging Timer)
mstp max-hops Defines the max-hop count (see Defining the Maximum Hop
Count)
mstp fast-ring ring- Enables the Fast Ring mode (see Enabling the MSTP Fast Ring
ports Mode)
mstp fast-ring border- Enables the Ring Border Bridge functionality (see Configuring
bridge the Device as an MSTP Border Bridge)
mstp learn-mode Defines the mode in which the MAC addresses are
learnt/flushed (see Defining the Learning/Flushing Mode in a
Fast Ring)
mstp edge-port Configures the edge port (see Configuring Edge Ports)
mstp path-cost Configures sn MSTP port path-cost (see Configuring the Path
Cost )
mstp bpdu-rx Prevents an MSTP edge port from receiving BPDUs (see
Enabling the BPDU Guard)
Page 20
Table 7: MSTP Port Configuration Commands

Command Description
mstp bpdu-tx Enables/disables sending BPDU packets on a specified port

(see Enabling/Disabling BPDU Transmission)
mstp detect-bpdu-loss Enables/disables Loop Guard on a port (see Enabling/Disabling
the Loop Guard)
mstp detect-protocols Enables MSTP migration (see Enabling MSTP Migration
(Interoperability with 802.1D))
mstp link-flapping Enables the MSTP Link Flapping feature (see Enabling MSTP
Link Flapping)
mstp link-type Specifies a port’s link type (see Defining the Port’s Link Type)
mstp restrict-root Enables/disables the selection of a port as the root port (see
Enabling/Disabling Root Restriction)
mstp restrict-tcn Enables/disables the propagation of TCNs to other ports on the
device (see Enabling/Disabling TCN Restriction)
mstp cisco-compliant Forces the port to work in compliance with Cisco devices (see
Configuring the Cisco-Compliant Mode)
mstp default Restores the default MSTP settings (see Restoring the Port’s
MSTP Defaults)
Table 8: MSTP Display Commands

Command Description
show pending Displays the temporary MSTP configuration (see Displaying the
MSTP Temporary Configuration)
show Displays the MSTP configuration (see Displaying the Current
MSTP Configuration)
show mstp configuration Displays the MSTP configuration in the current region (see
Displaying the MSTP Region Configuration)
show mstp Displays the whole MSTP configuration (see Displaying the
MSTP Configuration)
show mstp instance Displays the configured instances (see Displaying the MST
Instances Configuration)
Table 9: MSTP Debug Commands

Command Description
debug mstp Debugs the port roles and port handshaking (see Enabling
MSTP Debug Information)
show debug mstp Displays the debug MSTP logs (see Displaying the MSTP
Debug)
Page 21
Enabling/Disabling MSTP
The mstp command enables/disables the MSTP and enters MSTP Protocol Configuration mode.

MSTP is disabled by default.
Command Syntax
device-name(cfg protocol)#mstp [enable | disable]
enable (Optional) enables MSTP
disable (Optional) disables MSTP
Defining the Bridge Priority

The mstp priority command defines the bridge priority of an MSTP instance.
NOTE
Do not define any bridge priority to 0 or 4096 when using Fast Ring Border Bridge
mode.

The default MSTP priority is 32768.
Command Syntax
device-name(cfg protocol)#mstp <instance-id> priority <priority>
device-name(cfg protocol)#no mstp <instance-id> priority
instance-id The MSTP instance ID, in the range of <1–15>
priority The bridge priority values: 0, 4096, 8192, 12288, 16384, 20480, 24576,
<priority> 28672, 32768, 36864, 40960, 45056, 49152, 53248, 57344, and 61440.
The bridge with the highest bridge priority (the lowest numerical priority
value) is selected as Root device.
no Restored to default
Page 22
Defining the Port Priority

The mstp port-priority command defines the MSTP port priority.

The default port priority is 128.
Command Syntax
device-name(config-if UU/SS/PP)#mstp <instance-id> port-priority <priority>
device-name(config-if UU/SS/PP)#no mstp <instance-id> port-priority
priority The port priority value, in the range of <0–240>, in multiple of 16 (for
<priority> example: 0, 16, 32)
Assign higher priority (lower values) to ports you want selected first
Enabling/Disabling MSTP and an MSTP Instance on a

Port
The mstp command enables/disables MSTP on a specified port.
Using this command, you can also enable/disable an MSTP instance on the port. When enabling
this option, the port forwards traffic of all VLANs belonging to the particular MSTP instance.

By default, all instances are enabled on all ports.
Command Syntax
device-name(config-if UU/SS/PP)#mstp <instance-id> {enable | disable}
device-name(config-if-group)#mstp <instance-id> {enable | disable}
enable Enables MSTP on the specified port
disable Disables MSTP on the specified port
If you specify this option, the selected MSTP instance is disabled and the
MSTP port role in that instance is disabled.
Page 23
Mapping VLANs to an MST Instance

The instance vlan command maps VLANs to an MST instance. You can map each VLAN to
one MST instance; therefore mapping a VLAN to an MST instance removes them from the VLAN
list.
CLI Mode: MSTP Protocol Configuration

By default, all VLANs are mapped to instance 0.
Command Syntax
device-name(cfg protocol mstp)#instance <instance-id> vlan VLAN-LIST
device-name(cfg protocol mstp)#no instance <instance-id>
instance-id The MSTP instance ID, in the range of <1–15>. Instance 0 is mandatory while
others are optional.
VLAN-LIST The list of VLANs mapped to this instance, in the range of <2–4094>.
• To specify a VLAN rane, use a hyphen, for example:
instance 1 vlan 1-63
• To specify a VLAN list, type the VLAN numbers in an increasing order,
separating them with commas, for example:
instance 1 vlan 10, 20, 30
Defining the MSTP Region Name

The name command defines the MSTP region name.
Command Syntax
device-name(cfg protocol mstp)#name NAME
device-name(cfg protocol mstp)#no name
NAME The MSTP region name, a case-sensitive string of up to 31 characters
no Removes the name
Example
device-name(cfg protocol mstp)#name region1
Page 24
Defining the Region Revision-Number

The revision command defines the region revision-number.

The default revision number is 1.
Command Syntax
device-name(cfg protocol mstp)#revision <revision-number>
device-name(cfg protocol mstp)#no revision
revision-number The revision number, in the range of <0–65535>
Example
device-name(cfg protocol mstp)#revision 1
Saving the MSTP VLAN Mapping

The apply command saves the MSTP VLAN mapping and exits the MSTP Protocol
Configuration mode (this commands has the same affect as the exit command or <Ctrl+D>).
Command Syntax
device-name(cfg protocol mstp)#apply
Exiting the MSTP Protocol Configuration Mode without

Saving the MST Mapping
The abort command exits the MSTP Protocol Configuration mode without saving the MST
configuration map. Use this command if you do not want to save the VLAN mapping.
Command Syntax
device-name(cfg protocol mstp)#abort
Page 25
Defining the Hello-Time

The mstp hello-time command defines the hello-time for all MST instances. The hello-time is
the interval between consecutive configuration messages generated by the root device, indicating
that the device is alive.

The default hello-time is 2 seconds.
Command Syntax
device-name(cfg protocol)#mstp hello-time <seconds>
device-name(cfg protocol)#no mstp hello-time
seconds The MSTP hello-time, in the range of <1–10> seconds
Defining the Forward-Delay Timer

The mstp forward-delay command configures the forward-delay time for all MST instances. The
forward-delay is the time the port waits in Learning and Listening states before moving to
Forwarding state.

The default forward-delay time is 15 seconds.
Command Syntax
device-name(cfg protocol)#mstp forward-delay <seconds>
device-name(cfg protocol)#no mstp forward-delay
seconds The MSTP forward-delay time, in the range of <4–30> seconds
Page 26
Defining the Maximum Aging Timer

The mstp max-age command configures the maximum-aging (MaxAge) time for all MST
instances. The MaxAge time is the number of seconds a device waits without receiving
configuration messages before attempting a reconfiguration.

The default maximum aging time is 20 seconds.
Command Syntax
device-name(cfg protocol)#mstp max-age <seconds>
device-name(cfg protocol)#no mstp max-age
seconds The MSTP MaxAge time, in the range of <6–40> seconds
Defining the Maximum Hop Count

The mstp max-hops command defines the maximum number of hops allowed in a region before
discarding a BPDU.

The default max-hops count is 40.
Command Syntax
device-name(cfg protocol)#mstp max-hops <hops-count>
device-name(cfg protocol)#no mstp max-hops
hops-count The number of hops in a region, in the range of <1–40>
Page 27
Enabling the MSTP Fast Ring Mode

The mstp fast-ring ring-ports command enables the MSTP Fast Ring mode. The command
defines the two physical ports that provide connectivity in the ring.
NOTE
Avoid using this command for any topology other than a ring topology.

By default, MSTP Fast Ring is disabled.
Command Syntax
device-name(cfg protocol)#mstp fast-ring ring-ports UU1/SS1/PP1 UU2/SS2/PP2
device-name(cfg protocol)#no mstp fast-ring
UU1/SS1/PP1 Specifies the first ring port
UU2/SS2/PP2 Specifies the second ring port
Configuring the Device as an MSTP Border Bridge

The mstp fast-ring border-bridge command configures the device as a border bridge,
enabling the Ring Border Bridge functionality.

By default, the MSTP Ring Border Bridge is disabled.
Command Syntax
device-name(cfg protocol)#mstp fast-ring <instance-id> border-bridge
preferred-link UU/SS/PP
device-name(cfg protocol)#no mstp fast-ring <instance-id> border-bridge
instance-id The instance ID the Ring Border Bridge functionality operates.
NOTE
Uou can use the MSTP Fast Ring solution only in instance 0
(CIST).
preferred-link The preferred MSTP Fast Ring physical port that connects the ring
topology to the network gateway.
Configure the preferred Fast Ring physical using the mstp fast-ring
ring-ports command.
Page 28
UU/SS/PP The preferred ring port.

Defining the Learning/Flushing Mode in a Fast Ring

The mstp learn-mode command defines the mode in which MAC addresses are learned and
flushed.

By default, learning/flushing is permanently enabled, using a standard learning mode.
Command Syntax
device-name(cfg protocol)#mstp learn-mode {none | temporary-disabled [<2-100>]
| standard}
none Permanently disables learning on non-edge/ring ports
temporary- Enables learning, except for cases where an MSTP topology change occurs
disabled and learning is temporarily disabled
2-100 (Optional) defines the time period learning is disabled after a topology change
occurred, in the range of <2–100> seconds
standard Permanently enables learning on non-edge/ring ports
Configuring Edge Ports

The mstp edge-port command changes the port’s administrative status, setting it as an Edge Port
NOTE
If the device receives a BPDU on a port configured as an edge port, the port
automatically reverts to Disabled status. After a link up/down, the port returns to the
Edge port administrative status.
Page 29
The EdgePort parameter is controlled by the MSTP state machine and the CLI.
Table 10: MSTP Edge Port
Type Description
Admin Configuring a port as an Edge port is known as Administrative Edge Port. This
EdgePort indicates that the port is permitted to transition directly to Forwarding state when
it becomes designated.
Configure Edge ports on ports that are known to be at the edge of the bridged
LAN in order to transition to Forwarding without delay.
EdgePort The port’s actual status is known as its operational state. This indicates whether
the port operates as an Edge Port or not.
When a port that was configured as Administrative Edge Port receives a BPDU,
it automatically changes its operational state to operate as a non-Edge Port, in
order to prevent loops in the network.
Therefore, if a port marked as an edge port proves not to be one (due to the
presence of another bridge), it ceases to behave like an edge port until it is
reinitialized (either by a link up/down event or by reissuing the CLI command).
By default, the port is not an edge port. If you set the port as an edge port, the Flush Port option is
disabled by default.
Command Syntax
device-name(config-if UU/SS/PP)#mstp edge-port [flush-port]
device-name(config-if UU/SS/PP)#no mstp edge-port [flush-port]
device-name(config-if-group)#mstp edge-port [flush-port]

device-name(config-if-group)#no mstp edge-port [flush-port
flush-port (Optional) MSTP flushes the edge port it is configured on, when the link on
the port is down.
Use the MSTP edge port when neither the device connected to the port nor
the network connected to this device is MSTP enabled (configure an MSTP
edge port only if there is no possibility that BPDUs are received on the
connected port). If you connect a network (not a single device) to the port,
use the Flush Port option to prevent sending packets to unconnected links.
no Configures the edge port value to its default settings. Also it disables the
admin status.
Page 30
Configuring the Path Cost

The mstp path-cost command configures the path cost of an MST instance. A lower path cost
represents a higher-speed transmission.
Table 5 displays the default value calculated by the port’s media speed.
Command Syntax
device-name(config-if UU/SS/PP)#mstp <instance-id> path-cost <cost>
device-name(config-if UU/SS/PP)#no mstp <instance-id> path-cost
cost The path cost value, in the range of <1–200000000>. Assign lower cost
values to ports you want to select first and higher-cost values to other
ports.
Enabling the BPDU Guard

The mstp bpdu-rx command prevents an MSTP edge port from receiving BPDUs.
NOTE
This command takes effect only if the port is an MSTP edge port.

The default value is standard.
Command Syntax
device-name(config-if UU/SS/PP)#mstp bpdu-rx {discard | disable-port |
standard}
device-name(config-if-group)#mstp bpdu-rx {discard | disable-port | standard}
discard The port drops BPDUs received on it and continues to operate as an edge
port.
NOTE
Use this option to prevent receiving unwanted BPDU packets
from user ports.
disable-port Disables the port when it receives
standard Processes received BPDUs and invalidates the edge port’s operational status
Page 31
Example
Configure the device to disable port 1/2/3 if a BPDU is received on it:
device-name(config-if 1/2/3)#mstp bpdu-rx disable-port
Enabling/Disabling BPDU Transmission

The mstp bpdu-tx command enables/disables BPDU packets transmission on the specified port.
CLI Mode: Interface Configuration, Interface Range Configuration

BPDU transmission is enabled by default.
Command Syntax
device-name(config-if UU/SS/PP)#mstp bpdu-tx {enable | disable}
device-name(config-if-group)#mstp bpdu-tx {enable | disable}
enable Enables the BPDU transmission
disable Disables the BPDU transmission
Enabling/Disabling the Loop Guard

The mstp detect-bpdu-loss command enables/disables the Loop Guard on a port.
For more information regarding this feature, refer to the STP Loop Guard section of Configuring
Spanning Tree Protocol (STP) chapter.
CLI Mode: Interface Configuration, Interface Range Configuration

Loop Guard is disabled by default.
Command Syntax
device-name(config-if UU/SS/PP)#mstp detect-bpdu-loss {enable | disable}
device-name(config-if-group)#mstp detect-bpdu-loss {enable | disable}
enable Enables Loop Guard on the port
disable Disables Loop Guard on the port
This parameter does not change the port’s state, if the port is not a Designated
port, even if the port stops receiving BPDUs from its peer port.
Page 32
Example
device-name(config-if 1/2/2)#mstp detect-bpdu-loss disable
Enabling MSTP Migration (Interoperability with 802.1D)

The mstp detect-protocols command defines the MSTP communication mode. The command
instructs MSTP to send the next BPDU as an MSTP/RSTP BPDU.
The command does not reboot the port or send a BPDU immediately.
Command Syntax
device-name(config-if UU/SS/PP)#mstp detect-protocols
device-name(config-if-group)#mstp detect-protocols
Enabling MSTP Link Flapping

The mstp link-flapping command enables the MSTP Link Flapping detection feature.

MSTP Link Flapping is disabled by default.
Command Syntax
device-name(config-if UU/SS/PP)#mstp link-flapping <period>
device-name(config-if UU/SS/PP)#no mstp link-flapping
device-name(config-if-group)#mstp link-flapping <period>

device-name(config-if-group)#no mstp link-flapping
period The flapping interval (the time between a LinkDown and LinkUp status), in the range
of <200–10000> milliseconds (recommended interval is 2000 ms). The link shuts
down if the flapping interval is lower than the time defined.
Example 1
Set the MSTP Link Flapping control period to 1.5 seconds on port 1/1/1:
device-name(config-if 1/1/1)#mstp link-flapping 1500
Page 33
Example 2
Disable MSTP Link Flapping on ports 1/2/1–1/2/4:
device-name(config)#interface range 1/2/1-1/2/4
device-name(config-if-group)#no mstp link-flapping
Defining the Port’s Link Type

The mstp link-type command defines the RSTP port’s administrative link-type.

There are two statuses of link-type:
Table 11: MSTP Link-types
Link-Type Description
Admin Link-Type auto The device automatically manages the port's link-type. The
device considers the port connected to a point-to-point LAN
segment if any of the following conditions are met:
• The MST algorithm determines that the LAN segment
operates in full duplex mode.
• If you configure the port by management means to a
full duplex operation. Otherwise, consider the MAC to
be connected to a LAN segment that is not point-to-
point (shared media).
point-to-point Consider the device connected to a point-to-point LAN
segment that forces the operational link-type to be point-to-
point.
shared Consider the device connected to a shared media LAN
segment that forces the operational link-type to be shared.
Operational Link- If you configure Admin link-type to auto, then you can determine the value of
Type Operational link-type in accordance with the specific procedures defined for
the device entity, as defined in Admin link-type (auto).
If the port is connected to a point-to-point LAN segment, then Operational
link-type is set to point-to-point, otherwise it is set to shared.
In the absence of a specific definition of how to determine whether the
device is connected to a point-to-point LAN segment or not, the value of link-
type is shared.
The default link type is Auto.
Command Syntax
device-name(config-if UU/SS/PP)#mstp link-type {auto | point-to-point |
shared}
device-name(config-if UU/SS/PP)#no mstp link-type {auto | point-to-point |
shared}
device-name(config-if-group)#mstp link-type {auto | point-to-point | shared}

device-name(config-if-group)#no mstp link-type {auto | point-to-point | shared}
Page 34
auto Sets the RSTP link-type to auto.
point-to-point Sets the RSTP link-type to point-to-point.
shared Sets the RSTP link-type to share.
Enabling/Disabling Root Restriction

The mstp restrict-root command enables/disables the selection of a port as the Root port.

Root restriction is disabled by default.
Command Syntax
device-name(config-if UU/SS/PP)#mstp restrict-root {enable | disable}
device-name(config-if-group)#mstp restrict-root {enable | disable}
enable Enables root restriction on the specified port (the port is not selected as Root
port)
disable Disables root restriction
Enabling/Disabling TCN Restriction

The mstp restrict-tcn command enables/disables receiving Topology Change notifications
(TCN) and propagating them to other ports on the device (for more information refer to the
Configuring Spanning Tree Protocol (STP) chapter).

TCN restriction is disabled by default.
Command Syntax
device-name(config-if UU/SS/PP)#mstp restrict-tcn {enable | disable}
device-name(config-if-group)#mstp restrict-tcn {enable | disable}
enable Enables TCN restriction: the port does not propagate detected topology
changes to other ports on the bridge and other bridges in the topology. This
prevents the unnecessary update of learnt devices locations.
disable Disables TCN restriction.
Page 35
Configuring the Cisco-Compliant Mode

The mstp cisco-compliant command changes the port’s mode to Cisco-compliant mode. Use
this mode for ports connected to Cisco devices.

By default, the device is IEEE 802.1s-compliant.
Command Syntax
device-name(config-if UU/SS/PP)#mstp cisco-compliant
device-name(config-if UU/SS/PP)#no mstp cisco-compliant
device-name(config-if-group)#mstp cisco-compliant
device-name(config-if-group)#no mstp cisco-compliant
Restoring the Port’s MSTP Defaults

The mstp default command restores the port’s MSTP configuration default values.
Command Syntax
device-name(config-if UU/SS/PP)#mstp default
device-name(config-if-group)#mstp default
Displaying the MSTP Temporary Configuration

The show pending command displays the temporary MSTP configuration. The command displays
the region name, revision number, and the VLAN-to-MSTI mapping.
Command Syntax
device-name(cfg protocol mstp)#show pending
Page 36
Example
Pending MST configuration
Name region 1
Revision 1
Instance Vlans mapped
--------- ----------------------------------------------------
0 1-4094
--------------------------------------------------------------
Displaying the Current MSTP Configuration

The show command displays the current MSTP configuration. The command displays the region
name, revision number, and the VLAN-to-MSTI mapping.
Command Syntax
device-name(cfg protocol mstp)#show
Example
device-name(cfg protocol mstp)#show
Name []
Revision 1
--------- ------------------
0 1-10,12-13
1 14-4094
6 11
----------------------------
Page 37
Displaying the MSTP Region Configuration

The show mstp configuration command displays the current region’s MSTP configuration.
CLI Mode: MSTP Protocol Configuration and Privileged (Enable)
Command Syntax
device-name(cfg protocol mstp)#show mstp configuration
device-name#show mstp configuration
Example
device-name(cfg protocol mstp)#show mstp configuration
Name [man]
Revision 56
--------- --------------
0 1-10,12-13
1 14-4094
6 11
------------------------
Displaying the MSTP Configuration

The show mstp command displays the MSTP configuration and the MSTP ports state.
The tables below describe the parameters displayed by this command.
Command Syntax
device-name#show mstp
Page 38
Example
Multiple spanning trees = enabled
ProtocolSpecification = ieee8021s
Priority = 32768
TopChanges = 1
CIST Root = 32768.00:A0:12:0A:01:B6
CIST Port = 01/02/01
CIST External Path Cost = 200000
MaxAge = 20 (Sec)
HelloTime = 2 (Sec)
ProtoMigratioDelay = 3 (Sec)
MaxHopCount = 40
TxHoldCount = 3
FastRing = disabled
LearnMode = Standard
MST00
VLAN mapped = 1-4094
Priority = 32768
Regional Root = This bridge is the root
RemainingHopCount = 40
TopChanges = 1
Border Bridge = disabled
=====================================================================
Port |Pri|Prt role|State|PCost |DCost |Designated bridge |DPrt
--------+---+--------+-----+------+-------+------------------+-------
01/02/02 128 Root frwrd 200000 0 00000.00A0120F2F27 128.006
MST01
VLAN mapped = 3
Priority = 32768
TopChanges = 0
Border Bridge = disabled
========================================================================
Port |Pri|Prt role |State|PCost |DCost |Designated bridge |DPrt
---------+---+-----------+-----+------+-------+------------------+-------
01/02/01 128 Designated frwrd 200000 200000 32768.00A012270120 128.002
01/02/02 128 Root frwrd 200000 200000 32768.00A0120A01B6 128.024
01/02/03 128 Alternate block 200000 200000 32768.00A012270120 128.007
Page 39
Table 12: Parameters Displayed by show mstp Command

Multiple spanning trees Indicates whether MSTP is enabled or disabled on the device
ProtocolSpecification Displays the supported IEEE standard
Priority The bridge priority
TimeSinceTopologyChange The time since the last topology change, in seconds
TopChanges The number of topology changes detected for all the MSTIs
CIST Root The CIST regional root Identifier (the bridge Identifier of the
current CIST regional root)
CIST Port The port from which traffic flows to the CIST root
CIST Cost The CIST path cost from the transmitting bridge to the CIST
regional root
MaxAge The maximum age of received protocol information before it is
discarded, in seconds
HelloTime The hello-time time interval in seconds
ForwardDelay The forward-delay time in seconds
BridgeMaxAge The Max Age time in seconds
BridgeHelloTime The value of the hello-time parameter in seconds determining
the interval between transmissions of the following BPDUs:
• BPDUs to all designated ports of the root device
• BPDUs to designated ports of all devices in the topology
that have the same root
• BPDUs to the root port during TCN
BridgeForwardDelay The forward-delay time in seconds, when the bridge is the root
or is attempting to become the root
ProtoMigratioDelay This value is used by the Protocol Migration Machine to limit the
transition between port states
MaxHopCount The maximum number of hops in a region before the BPDU is
discarded
TxHoldCount The value used to limit the rate of at which packets are sent
(relates to the port transmit state machine)
SpanIgmpFastRecovery Indicates whether the IGMP Fast Recovery feature is enabled
on the device
FastRing Indicates whether the Fast Ring feature is enabled on the device
MST00 Indicates MST instance 0
VLAN mapped The MSTI VLAN mapping
Regional Root The MSTI regional root
RemainingHopCount The value that determines the scope of an MSTP region
TopChanges The number of the topology changes occurred in the specified
MSTI
Border Bridge The MSTP ring border bridge status
Page 40
Table 13: Interface Parameters Displayed by show mstp Command

Port The port’s unit/slot/port

Pri The port priority
Prt Role The current port role(Root, Designated, Alternate, Backup, or
Disabled)
State The current port state(Disabled, Listening, Learning, Forwarding,
or Discarding)
PCost The actual cumulative distance to the Root bridge through this
port, when the port is the Root port, This is the sum of all
designated costs of the bridges along the path to the Root.
This value is added to the designaed cost parameter of the
Designated ports of this bridge and transmitted in the BPDUs
through Designated ports.
DCost The Root bridge path cost in the Configuration BPDUs root
identifier parameter, transmitted by the designated bridge for the
LAN the port is connected to.
Use this parameter to test the port identifier parameter value
Designated bridge The unique bridge identifier of one of the following:
• (in case of a designated port) the bridge the port belongs to
• the bridge believed to be the designated bridge for the LAN to
which the port is attached
Use this parameter:
• together with the designated port and port identifier
parameters for the port to verify if this port is the designated
port of the LAN it is attached to
• to test the value of the bridge identifier parameter conveyed
in received Configuration BPDUs
DPrt The bridge port’s identifier through which the designated bridge
transmits configuration message information stored by this port.
Use this parameter:
• together with the designated bridge and port identifier
parameters to verify if this port is the designated port of the
LAN to which the port is attached
• by management to determine the topology of the bridged LAN
Page 41
Displaying the MST Instances Configuration

The show mstp instance command displays the specified MST instance configuration for a
specified port or for all ports.
Command Syntax
device-name#show mstp instance {<instance-id> | all} [interface UU/SS/PP]
instance-id The MST instance ID, in the range of <0–15>
all Displays all instances
interface UU/SS/PP (Optional) specifies a port to display
Example
device-name#show mstp instance 0 interface 1/1/1
MST instance 0
Port Enable = enabled
Port Priority = 128
Port State = forwarding
Forward Transitions = 34
Port Role = Root
Port Path Cost = 200000
CIST Root = 24576.0009B7990300
ExternalPortPathCost= 200000
Designated Root = This bridge is the regional root
Designated Bridge = 24576.0009B7990300
Designated Port Id = 96.1
Designated Path Cost= 200000
AdminEdgePort = disabled
OperEdgePort = disabled
BPDU processing = Standard
AdminLink-Type = PointToPoint
Link-Type = PointToPoint
RestrictRoot = enabled
RestrictTCN = disabled
Detect lost BPDUs = enabled
Running Version = RSTP
Link flapping = disabled
Page 42
Table 14: The MSTP show mstp instance Command Parameters

Port Enable Indicates whether the port is enabled or disabled

Port Priority The port priority for this MST instance
Port State The port state for this MST instance
Forward Transitions The number of times the port has transitioned into Forward state
Port Role The port role for this MST instance
Port Path Cost The port path cost for this MST instance
CIST Root The CIST regional root identifier (the bridge identifier of the current
CIST regional root)
ExternalPortPathCost The external port path cost
Designated Root The designated root ID
Designated Bridge The designated bridge ID for this network
Designated Port Id The designated bridge port ID
Designated Path Cost The designated bridge port path cost
AdminEdgePort The edge port’s administrative settings
OperEdgePort The current edge port working mode
BPDU processing The port action if it receives a BPDU (applies to edge ports only)
AdminLink-Type The link-type administrative settings
Link-Type The current link-type working mode
RestrictRoot Whether root restriction is enabled
RestrictedTCN Whether TCN restriction is enabled
Detect lost BPDUs Whether a loss of BPDUs is an indication for a link failure
Running Version The MSTP version:
• RSTP when the neighbor is an RSTP or MSTP device
• STP when the neighbor is an STP device
• Cisco-compliant if the Cisco-compliant mode is defined
Link Flapping The Link Flapping feature status and (if enabled) the control period
Page 43
Enabling MSTP Debug Information

The debug mstp command displays information related to port roles and port handshaking.
This command is not saved after a device reload.

Debug is disabled by default.
Command Syntax
device-name#debug mstp {roles | handshake} {all | <instance-id>}
device-name#no debug mstp {roles | handshake} {all | <instance-id>}
roles The port roles to debug
handshake Specifies the mechanism of proposals and agreements
all Debugs all instances
instance-id The MST instance ID, in the range of <0–15>
no Disables the debug information display
Example
Below is a debug output:
mstp:Port 1/1/1 msti 1 Synced
mstp:Port 1/1/1 msti 1 Agrees
mstp:Port 1/1/1 msti 0 Agrees
mstp:Reroot bridge by ( 1/1/1 )
mstp:Port 1/1/1 msti 0 Rerooted
Page 44
Displaying the MSTP Debug

The show debug mstp command displays the MSTP debug status.
Command Syntax
device-name#show debug mstp
Example
device-name#show debug mstp
MSTP debugging status:
|MSTI |Dbg Role|Dbg Handshake|
|0 |ON |ON |
|10 |ON |ON |
|11 |ON |ON |
Page 45
MSTP Configuration Examples

Pending Configuration
The following example shows how to configure MSTP and display the temporary (pending)
configuration.
1. Enter the MSTP Protocol Configuration mode and map the VLANs ranging from 1 to 10 to
MST instance 1:
device-name(cfg protocol)#mstp
device-name(cfg protocol mstp)#instance 1 vlan 1-10
2. Assign the name region1 and the revision number 1 to the MSTP region:
device-name(cfg protocol mstp)#name region1
device-name(cfg protocol mstp)#revision 1
3. Display the pending configuration:


Name [region1]
Revision 1
--------- --------------
0 11-4094
1 1-10
Page 46
MSTP Port Configuration

The following example shows how to configure MSTP on port 1/1/1 and how to display the
configuration.
1. Enable MSTP:
device-name(cfg protocol)#mstp enable
2. Assign port priority 16 to instance 0, and path cost 22 to instance 1. Enable BPDU guard,
restrict root, and restrict TCN on port 1/1/1:
device-name(config-if 1/1/1)#mstp 0 port-priority 16
device-name(config-if 1/1/1)#mstp 1 path-cost 22
device-name(config-if 1/1/1)#mstp detect-bpdu-loss enable
device-name(config-if 1/1/1)#mstp restrict-root enable
device-name(config-if 1/1/1)#mstp restrict-tcn enable
3. Display the MSTP port configuration:

device-name#show mstp instance all interface 1/1/1
MST instance 0
Port Priority = 16
Port Role = Designated
CIST Root = 00000.00A0120F2F27
ExternalPortPathCost = 200000
Designated Root = This bridge is the regional root
Designated Bridge = 32768.00A01211227A
Designated Path Cost = 0
RestrictedRoot = enabled
RestrictedTCN = enabled
MST instance 1
Port Priority = 0
Page 47

Port Role = Root
CIST Root = 00000.000000000000
ExternalPortPathCost = 200000
Designated Root = 32768.00A012110708
Port Path Cost = 22
Designated Bridge = 32768.00A01211227A
RestrictedRoot = enabled
RestrictedTCN = enabled
MSTP Global Parameters Configuration

The following example shows how to configure MSTP global parameters.
1. Enable MSTP and set the forward-delay value to 5 seconds:
device-name(cfg protocol)#mstp enable
device-name(cfg protocol)#mstp forward-delay 5
2. Configure the following parameters: hello-time to 4 seconds, MaxAge time to 34 seconds, and
max-hop count to 23.
device-name(cfg protocol)#mstp hello-time 4
device-name(cfg protocol)#mstp max-age 34
device-name(cfg protocol)#mstp max-hops 23
Page 48
3. Display the MSTP configuration:

Priority = 32768
TopChanges = 8
CIST Root = 00001.00:A0:12:0F:2F:27
CICT External Path Cost = 200000
MaxAge = 20 (Sec)
HelloTime = 2 (Sec)
MaxHopCount = 23
TxHoldCount = 3
FastRing = disabled
MST00
VLAN mapped = 2-4094
Priority = 32768
TopChanges = 8
Border Bridge = Disabled
====================================================================
Port |Pri|Prt role|State|PCost |DCost |Designated bridge | Prt
--------+---+--------+-----+-----+-------+------------------+-------
01/01/01 128 Designat frwrd 200000 200000 32768.00A01211227A 128.001
01/02/01 128 Root frwrd 200000 200000 00000.00A0120F2F27 128.006
MST01
VLAN mapped = 1
Priority = 32768
Regional Root = 32769.00:A0:12:11:07:08
TopChanges = 4
====================================================================
--------+---+--------+-----+------+------+------------------+-------
01/01/01 0 Root frwrd 200000 0 32768.00A01211227A 128.001
Page 49
01/02/01 128 Boundary frwrd 200000 0 32768.00A01211227A 128.010

Network Configuration
In the following example, four devices are connected via VLANs V100 and V200 that are mapped
to two MST instances on each device. The example shows the redundancy achieved with MSTP.
After configuring the network, use the show mstp command on each device to verify that the MST
instances are configured correctly.
Figure 5: Schematic MSTI Configuration
1. Create VLANs V100 and V200 and add the appropriate ports to each VLAN:
Device1(config)#vlan
Device1(config vlan)#config default
Device1(config-vlan default)# remove ports 1/2/1-1/2/3
Device1(config-vlan default)#exit
Device1(config vlan)#create v100 100
Device1(config vlan)#config v100
Device1(config-vlan v100)#add ports 1/2/1,1/2/3 tagged
Device1(config-vlan v100)#add ports 1/2/4 untagged
Device1(config-vlan v200)#exit
Device1(config vlan)#exit
2. Enable MSTP:
3. Set priority 0 to MSTI 1 to force Device 1 to be MSTI1 root:

4. Enter the MSTP Protocol Configuration mode:

Device1(cfg protocol)#mstp
Page 50
5. Add the VLANs to MSTIs 0, 1, and 2:

Device1(cfg protocol mstp)#instance 0 vlan 1-99,101-199,201-4094
Device1(cfg protocol mstp)#instance 1 vlan 100
Device1(cfg protocol mstp)#end
Device2(config-vlan default)# remove ports 1/2/1-1/2/3
2. Enable MSTP:
3. Set priority 0 to MSTI 2 to force Device 2 to be MSTI2 root:


5. Add the VLANS to MSTIs 0, 1, and 2:

Page 51
Device3(config-vlan default)#remove ports 1/2/1,1/2/2,1/2/4
2. Enable MSTP:

4. Add the VLANS to MSTIs 0, 1, and 2:

1. Create VLAN V200 and add the appropriate ports to each VLAN:
Device4(config-vlan default)#remove ports 1/2/1,1/2/2
2. Enable MSTP:

Page 52
4. Add the VLANs to MSTIs 0, 1 and 2:


Device1#show mstp
Priority = 0
TopChanges = 6
CIST Root = 32768.00:A0:12:27:00:80
MaxAge = 20 (Sec)
HelloTime = 2 (Sec)
MaxHopCount = 40
TxHoldCount = 3
FastRing = disabled
MST00
VLAN mapped = 1-99,101-199,201-4094
Priority = 32768
Regional Root = 32768.00:A0:12:27:00:80
TopChanges = 6
No active ports are mapped to the msti
MST01
VLAN mapped = 100
Priority = 32768
TopChanges = 5
==========================================================================
Page 53
--------+---+--------+-----+---------+---------+------------------+-------
01/02/01 128 Designat frwrd 200000 0 00000.00A0122700C0 128.003
01/02/04 128 Designat frwrd 200000 0 00000.00A0120A0168 128.006
MST02
VLAN mapped = 200
Priority = 32768
Regional Root = 00002.00:A0:12:27:14:20
TopChanges = 7
==========================================================================
--------+---+--------+-----+---------+---------+------------------+-------
01/02/03 128 Root frwrd 200000 0 00000.00A012271420 128.005

Priority = 0
TopChanges = 4
CIST Root = 32768.00:A0:12:27:00:80
MaxAge = 20 (Sec)
HelloTime = 2 (Sec)
MaxHopCount = 40
TxHoldCount = 3
FastRing = disabled
MST00
VLAN mapped = 1-99,101-199,201-4094
Priority = 32768
Regional Root = 32768.00:A0:12:27:00:80
TopChanges = 4
==========================================================================
Page 54

--------+---+--------+-----+---------+---------+------------------+-------
01/02/04 128 Designat frwrd 200000 0 32768.00A012271420 128.005
MST01
VLAN mapped = 100
Priority = 32768
Regional Root = 00001.00:A0:12:27:00:C0
TopChanges = 4
==========================================================================
--------+---+--------+-----+---------+---------+------------------+-------
01/02/01 128 Alternat block 200000 200000 32768.00A012270080 128.004
01/02/03 128 Root frwrd 200000 200000 00000.00A0122700C0 128.005
MST02
VLAN mapped = 200
Priority = 32768
TopChanges = 4
==========================================================================
--------+---+--------+-----+---------+---------+------------------+-------
01/02/02 128 Designat frwrd 200000 0 00000.00A012271420 128.002
01/02/03 128 Designat frwrd 200000 0 00000.00A012271420 128.003
01/02/04 128 Designat frwrd 200000 0 00000.00A012271420 128.005

Device3#show mstp
Priority = 0
TopChanges = 3
CIST Root = This bridge is the root
MaxAge = 20 (Sec)
HelloTime = 2 (Sec)
MaxHopCount = 40
TxHoldCount = 3
Page 55
FastRing = disabled
MST00
VLAN mapped = 1-99,101-199,201-4094
Priority = 32768
TopChanges = 3
MST01
VLAN mapped = 100
Priority = 32768
Regional Root = 0001.00:A0:12:27:00:C0
TopChanges = 2
==========================================================================
--------+---+--------+-----+---------+---------+------------------+-------
01/02/01 128 Root frwrd 200000 0 00000.00A012270080 128.003
01/02/02 128 Designat frwrd 200000 0 32768.00A012270080 128.004
01/02/04 128 Designat frwrd 200000 0 32768.00A012270080 128.006
MST02
VLAN mapped = 200
Priority = 32768
Regional Root = 00002.00:A0:12:27:14:20
TopChanges = 3
Page 56

Device4#show mstp
Priority = 0
TopChanges = 2
CIST Root = 32768.00:A0:12:27:00:80
MaxAge = 20 (Sec)
HelloTime = 2 (Sec)
MaxHopCount = 40
TxHoldCount = 3
FastRing = disabled
MST00
VLAN mapped = 1-99,101-199,201-4094
Priority = 32768
Regional Root = 32768.00:A0:12:27:00:80
TopChanges = 2
==========================================================================
--------+---+--------+-----+---------+---------+------------------+-------
01/02/01 128 Alternat frwrd 200000 0 32768.00A012271420 128.003
01/02/02 128 Root frwrd 200000 0 32768.00A0122700C0 128.004
01/02/04 128 Designat frwrd 200000 0 32768.00A012271420 128.006
MST01
VLAN mapped = 100
Priority = 32768
Regional Root = 00001.00:A0:12:27:00:C0
TopChanges = 5
MST02
VLAN mapped = 200
Page 57
Priority = 32768
Regional Root = 00002.00:A0:12:27:14:20
TopChanges = 2
In this example if the direct link between Device 1 and Device 3 fails. MSTI01 is recalculated and
port 1/2/2 in Device 3 changes its role from alternate to root.
Figure 6: Link Failure between Two Devicees
In this case, the show mstp command displays the following:

Device1#show mstp
Priority = 0
TopChanges = 6
CIST Root = 32768.00:A0:12:27:00:80
MaxAge = 20 (Sec)
HelloTime = 2 (Sec)
MaxHopCount = 40
TxHoldCount = 3
FastRing = disabled
MST00
VLAN mapped = 1-99,101-199,201-4094
Priority = 32768
Regional Root = 32768.00:A0:12:27:00:80
Page 58
TopChanges = 6
MST01
VLAN mapped = 100
Priority = 32768
TopChanges = 5
==========================================================================
--------+---+--------+-----+---------+---------+------------------+-------
MST02
VLAN mapped = 200
Priority = 32768
Regional Root = 00002.00:A0:12:27:14:20
TopChanges = 7
==========================================================================
--------+---+--------+-----+---------+---------+------------------+-------
01/02/03 128 Root frwrd 200000 0 00000.00A012271420 128.003

Device3#show mstp
Priority = 0
TopChanges = 3
CIST Root = This bridge is the root
MaxAge = 20 (Sec)
HelloTime = 2 (Sec)
MaxHopCount = 40
TxHoldCount = 3
Page 59
FastRing = disabled
MST00
VLAN mapped = 1-99,101-199,201-4094
Priority = 32768
TopChanges = 3
MST01
VLAN mapped = 100
Priority = 32768
Regional Root = 00001.00:A0:12:0A:01:68
TopChanges = 3
==========================================================================
--------+---+--------+-----+---------+---------+------------------+-------
01/02/02 128 Root frwrd 200000 400000 32768.00A00001090B 128.002
01/02/04 128 Designat frwrd 200000 400000 32768.00A012BBBBBB 128.006
MST02
VLAN mapped = 200
Priority = 32768
Regional Root = 00002.00:A0:12:27:14:20
TopChanges = 3
On Device 2 and Device 4:

This topology change does not affect Device 2 and Device 4 output.
Page 60
Fast Recovery Configuration

Following is a configuration example of a spanning tree IGMP fast recovery. The figure below
shows a network configuration with a triangle topology and the configuration steps of the three
devices. Device 1 is the MSTP Root for Instance 0 and there is one blocked port in the topology.
The multicast traffic flows from port 1/2/3 of Device 1 to port 1/2/3 of Device 3.
Figure 7: Spanning Tree IGMP Fast Recovery Configuration Example
1. Enable MSTP:
2. Configure the bridge priority for MST instance 0 to zero:

3. Enable spanning tree IGMP fast recovery:

Device1(cfg protocol)#spanning-tree igmp-fast-recovery enable
4. Configure port 1/2/3 as an edge port:

Device1(config-if 1/2/3)#mstp edge-port
Device1(config-if 1/2/3)#exit
5. Enable IGMP snooping and configure ports 1/1/1 and 1/1/2 as mrouter ports:
Device1(config)#ip igmp snooping
Device1(config)#ip igmp snooping vlan 1 mrouter interface 1/1/1
Page 61
1. Enable MSTP:
2. Enable MSTP fast ring for accelerating its operation in a ring topology:
Device2(cfg protocol)#mstp learn-mode temporary-disabled 2
3. Enable spanning tree IGMP fast recovery:

Device2(cfg protocol)#spanning-tree igmp-fast-recovery enable
4. Configure port 1/2/8 as an edge port:

1. Enable MSTP:
2. Enable MSTP fast ring for accelerating its operation in a ring topology:
Device3(cfg protocol)#mstp learn-mode temporary-disabled 2
3. Configure the port 1/2/3 as an edge port:

Page 62
MSTP BPDU Guard, Loop Guard, Restricted Root and

Restricted TCN Configuration
The figure below shows a network configuration with a triangle topology followed by the
configuration of the three devices. BPDU guard, restricted root and restricted TCN are enabled on
edge port 1/2/4 to protect the backbone network from unauthorized user intervention in MSTP.
Loop guard is enabled on Device 2 and Device 3 for the ports connected to root Device 1.
Figure 8: BPDU Guard, Loop Guard, Restricted Root and Restricted TCN
1. Enable MSTP:
2. Set MST instance 0 bridge priority to 0:

3. Configure port 1/2/4 as an edge port. Enable BPDU guard, restricted root and restricted
TCN on this port:
Device1(config-if 1/2/4)#mstp bpdu-rx discard
Device1(config-if 1/2/4)#mstp restrict-root enable
Device1(config-if 1/2/4)#mstp restrict-tcn enable
Page 63
1. Enable MSTP:
TCN on this port:
3. Enable loop guard on ports 1/2/1 and 1/2/2:

Device2(config-if 1/2/1)#mstp detect-bpdu-loss enable
1. Enable MSTP:
TCN on this port:
3. Enable loop guard on ports 1/2/1 and 1/2/2:

Page 64
Configuring a Fast Ring

The following example shows how to configure the devices in a fast ring so that traffic is
distributed correctly among client networks.
Figure 9: Fast Ring Topology
1. Enable MSTP, disable learning, and configure Device 1 to be the root device:
Device1(cfg protocol)#mstp learn-mode none
2. Create VLAN V10, V20, and V30. Add the appropriate ports to each VLAN:
Device1(config-vlan default)#remove ports 1/1/1-1/2/2
Device1(config-vlan default)#config v10
Page 65
Device1(config-vlan v10)#config v20

Device1(config-vlan v30)#end
1. Enable MSTP, disable learning, and configure fast ring ports:
2. Configure an edge port and enable port security on the client port:
Device2(config-if 1/1/1)#port security
Device2(config-vlan v10)#add ports default 1/1/1
Page 66
Page 67
Page 68
Page 69
Supported Platforms
Multiple Spanning Tree Protocol (MSTP) + +

Multiple Spanning Tree IEEE 802.1d-1998 Private MIBs: RFC 2863, Interfaces
Protocol (MSTP) IEEE 802.1t-2001 • prvt_mst.mib Group MIB
IEEE 802.1w-2001 • prvt_switch.mib
IEEE 802.1s-2002
Page 70
Configuring Access Control Lists (ACLs)
Table of Figures ······················································································ 3
Overview ······························································································· 4
ACL Types ···························································································· 4
ACL Process Options················································································ 5
Access Control Groups (ACG) ····································································· 5
ACL Processing Rules··············································································· 6
Traffic Remarking ··················································································· 6
Traffic Rate Limit and Shaping ··································································· 6

Single Rate Three Color Marker (RFC 2697) ·················································· 7
Two Rate Three Color Marker (RFC 2698) ···················································· 7
Exceed Action ···················································································· 7
Color-Blind and Color-Aware ··································································· 7
The ACL Default Configuration··································································· 8
ACL Configuration Flow ··········································································· 9
ACL Configuration Commands ··································································10

Creating a Standard IP ACL ····································································12
Creating an Extended IP ACL··································································14
Creating an Extended MAC ACL ······························································16
Adding a Comment to an ACL·································································20
Assigning an IP ACG ···········································································21
Assigning a MAC ACG ·········································································22
Applying Rate Limiting by ACGs ······························································24
Adding a new VLAN Tag in Frames ··························································26
Applying QoS Settings on an ACG ····························································27
Changing the DSCP Value······································································27
Changing the VPT Value ·······································································28
Saving the ACG Configuration·································································29
Page 1
Configuring Access Control Lists (ACLs) (Rev. 09)
Enabling Match Statistics ·······································································29

Displaying the IP ACLs ·········································································30
Displaying the MAC ACLs ·····································································30
Displaying the IP ACG ·········································································32
Displaying the IP ACG Statistics·······························································33
Displaying the MAC ACG······································································34
Displaying Match Statistics for MAC ACGs ··················································34
Clearing the IP ACG Statistics ·································································35
Clearing the MAC ACG Statistics······························································36
Configuration Examples···········································································37
Configuring IP ACLs············································································37
Configuring MAC ACLs ········································································39
Creating ACLs per SAP ·········································································41
Configuring an ACG per Egress ·······························································42
Configuring Rate Limit with DSCP Mapping·················································42
Configuring Rate Limit with Priority Remarking ·············································44
Page 2
Configuring Access Control Lists (ACLs) (Rev 09)
Table of Figures
Figure 1: Configuration Flow for ACL ························································· 9
Figure 2: MAC ACG over Port Configuration Example·····································23
Figure 3: Creating Standard and Extended IP ACLs ·········································37
Figure 4: Rate Limit over Port Configuration·················································39
Page 3
Overview
Access Control Lists (ACLs) are sets of numbered rules that process packets going through the
device and provide the ability to control network traffic. Using ACLs, system administrators can
filter packets that pass through a port by defining different criteria, in order to ensure the network's
security, Quality of Service (QoS), traffic control, and traffic rate-limitation.
These rules are processed in a sequential order, either permitting or denying the traffic, based on the
specified ACL conditions. The hardware tests the packets’ parameters against the ACLs and acts
upon the first condition matched.
The main advantages in using ACLs are:
• Security—by forwarding or dropping ingress traffic, ACLs aid administrators in managing
network security policies.
• Traffic Control—by enforcing redirection rules, administrators can manipulate network traffic
flow, thus reducing bottlenecks and congestions.
• Traffic Rate Limitation—using ACLs, administrators can control traffic rate per port, or SAP
port according to user defined criteria.
• Quality of Service (QoS)—administrators can assign packet-handling priority to data flow,
sorting the flow into eight priority queues, based on the ACL criteria. You can also use ACLs
to re-mark ToS/DSCP values.
ACL Types
There are three basic ACL types, in predefined range of numbers. Each type matches specific fields
in the packets:
• Standard IP ACLs (#1–99, or #1000–2999): match the packets’ source IP address.
• Extended IP ACLs (#100–199, or #10000–11999): match both the source and destination IP
addresses. In addition, these ACLs can also match protocol types and optional DSCP values
for finer granularity of control.
• Extended MAC ACLs (#400–499, or #40000–41999): match both the source and
destination MAC addresses. In addition, these ACLs can also match VPT, ToS, and other
Layer 2 header fields for finer granularity of control.
Page 4
ACL Process Options

Systems administrators can apply ACLs to both ingress (inbound) traffic and egress (outbound)
traffic:
• Ingress ACLs process incoming packets, manipulating permitted packets and switching them
according to matched ACL conditions. Packets that do not match any of the ACLs are
discarded
• Egress ACLs are only used for traffic remarking
Egress ACLs do not filter packets originated by the device (such as outgoing Telnet
session packets, NTP service packets, and various broadcast packets).
Access Control Groups (ACG)

An ACG is a collection of ACLs applied to port(s) or aggregation of ports or SAP port determining
the process of ingress or egress traffic.
They manipulate permitted ingress packets before forwarding them and discard denied packets,
performing an action that is based on the ACL conditions matched. When configured on egress
traffic, they manipulate permitted outgoing packets.
Using ACGs you can:
• filter (drop) traffic
• limit rate of the traffic
• assign a priority to traffic
• remark 802.1p / DSCP bits only for egress ACLs
• redirect traffic to a specified VLAN
• statistics collections
You can apply multiple ACGs per port/aggregation/SAP
Page 5
ACL Processing Rules

In order to use ACLs effectively, it is essential to understand the ACL processing rules:
• Sequential processing: ACLs are processed sequentially, in the order they are entered
• Once created, users can add new rules to the end of the ACL
• Users cannot selectively add or remove ACL lines from a specific ACL
• The device tests the packets only until it finds the first match, defining whether to permit or
deny the packets
• If the packets do not match any of the ACLs:
in case of ingress ACL, they are denied. This is because the last rule is an implicit deny
statement
in case of egress ACL, they are permitted (unless the user configures a rule to implicitly
deny packets that do not match any of the rules)
• Ordered processing: when applying multiple ACLs, these ACLs are applied in the same order the
user applies them. For example, when applying ACL5 and ACL2 to a port, the device first
matches ACL5 rules. If the packets do not match any rules in ACL 5, the device then matches
ACL2 rules
Due to the above processing rules, the order of the rules within an ACL and the order the ACLs
are applied is critical.
The total number of conditions for a single ACL rule that can be applied to the ports is limited to
62.
Traffic Remarking
ACLs allow users to impact QoS and its various aspects such as, bandwidth limitation, latency,
traffic prioritization, and drop precedence.
Users can also use ACLs to remark the ToS field values by defining a new ToS/DSCP value, and to
perform rate control and priority assignment per flow.
Traffic Rate Limit and Shaping

Traffic congestion, caused by heavy network traffic, can cause incoming packet to drop.
To prevent congestion on provider networks, system administrators can use traffic rate limit and
traffic shaping by allocating a specific bandwidth per user port or traffic.
A traffic rate limiter monitors the incoming traffic by:
• forwarding conforming traffic (within the predefined rate)
• dropping non-conforming traffic or marking this traffic
Page 6
Single Rate Three Color Marker (RFC 2697)

The Single Rate Three Color Marker (srTCM) meters a traffic stream and marks it according to
three parameters:
• The Committed Information Rate (CIR) determines the long-term average transmission rate
• The Committed Burst Size (CBS) determines how large traffic bursts can be before some of
the traffic exceeds the rate limit
The traffic is then marked as follows:
• Traffic within CIR always conforms and is marked green
• Traffic that exceeds CBS is dropped or marked yellow
Two Rate Three Color Marker (RFC 2698)

The two rate Three Color Marker (trTCM) meters a traffic stream and marks it according to the
below parameters.
• The Committed Information Rate (CIR) determines the long-term average transmission rate
• The Committed Burst Size (CBS), associated with CIR, determines how large traffic bursts can
be before some of the traffic exceeds the rate limit
• The Peak Information Rate (PIR) determines the long-term delimiter between yellow packets
and red ones
• The Peak Burst Size (PBS), associated with PIR, determines the burst size before the traffic
exceeds PIR
The traffic is then marked as follows:
• Traffic within CIR and CBS always conforms and is marked green
• Traffic not conforming to CIR and CBS but conforming to PIR and PSB is marked yellow
Exceed Action
Once the packet is classified as exceeding a particular rate limit, the device:
• either drops the packet
• mark the packet with a yellow color and continue
Color-Blind and Color-Aware

Rate limiting operates in one of the below two modes:
• in a Color-Blind mode, assumes that the packet stream is uncolored
• in a Color-Aware mode, assumes that some preceding entity has pre-colored the incoming
packet stream so that each packet can be colored green or yellow.
Page 7
The ACL Default Configuration

Table 1: ACL Default Configuration
Access Control List (ACL) Not defined

Access Control Group (ACG) Not defined
Rate limit color awareness Color blind
Rate limit exceed action Drop
Page 8
ACL Configuration Flow

Start
Ingress Ingress or Egress Egress

ACL
• Filter by source IP address • Filter by FC and color

• Filter traffic by source/destination IP • Filter by FC, color and DSCP
and/or IP type protocol
• Filter by source/destination MAC
address
Apply an ACG per port
Apply an ACG per port/SAP

Select additional ACG options:
• Remark DSCP
Select additional ACG options: • Remark VPT
• Assign Traffic Priority
• Statistics
• VLAN redirect
• QoS Settings
End
Figure 1: Configuration Flow for ACL
Page 9
ACL Configuration Commands

Table 2: ACLs Configuration Commands
Command Description
access-list (standard ip) Defines standard IP ACLs (see Creating a Standard IP

ACL)
access-list (extended ip) Defines extended IP ACL (see Creating an Extended IP
ACL)
access-list (extended mac) Defines extended MAC ACL (see Creating an Extended
MAC ACL)
access-list remark Associates a remark to a specified IP ACL (see Adding a
Comment to an ACL)
Table 3: ACG Configuration Commands

Command Description
ip access-group Assigns an IP ACG to a port, LAG or SAP port (see

Assigning an IP ACG)
mac access-group Assigns a MAC ACG to a port, LAG or SAP port (see
Assigning a MAC ACG)
Table 4: Additional ACG Commands

Command Description
rate-limit single-rate Applies a single rate-limit (RFC 2697) on the ACG for the
specified port, LAG or SAP port (see Applying Rate
Limiting by ACGs)
rate-limit dual-rate Applies a dual rate-limit (RFC 2698) on the ACG for the
specified port, LAG or SAP port (see Applying Rate
Limiting by ACGs)
set vlan Changes the VLAN ID in the packet header (see Adding a
new VLAN Tag in Frames)
set txq Applies QoS on packets matching the ACG (see Applying
QoS Settings on an ACG)
set dscp Changes the DSCP field value of the packets on egress
interfaces (Changing the DSCP Value)
set vpt Changes the VPT field value of the packets on egress
interfaces (Changing the VPT Value)
apply Saves the ACG options and exits the ACG Configuration
mode (see Saving the ACG Configuration)
statistics Enables match statistics on a port, LAG or SAP port (see
Enabling Match Statistics)
Page 10
Table 5: ACL and ACG Display Commands

Command Description
show ip access-lists Displays the configured IP ACLs (see Displaying the IP

ACLs)
show mac access-lists Displays the configured MAC ACLs (see Displaying the
MAC ACLs)
show ip access-groups Displays the IP ACGs configured on ports, LAGs, and
VLANs (see Displaying the IP ACG)
show ip access-groups Displays how many packets match the applied IP ACG
statistics (see Displaying the IP ACG Statistics)
show mac access-groups Displays the MAC ACGs configured on ports, LAGs, and
VLANs (see Displaying the MAC ACG)
show mac access-groups Displays how many packets match the applied MAC ACG
statistics (see Displaying Match Statistics for MAC ACGs)
Table 6: Clear ACG Statistics Commands

Command Description
clear ip access-groups Clears the IP ACG statistics (see Clearing the IP ACG
statistics Statistics)
clear mac access-groups Clears the MAC ACG statistics (see Clearing the MAC
statistics ACG Statistics)
Page 11
Creating a Standard IP ACL

The access-list <acl-number> defines standard IP ACLs.
Command Syntax
device-name(config)#access-list <acl-number> {deny | permit} SOURCE [SOURCE-
MASK] [fc FC-TYPE drop-level {green | yellow}]
device-name(config)#no access-list <acl-number>
acl-number The standard IP ACL number is in the range of <1-99>, or
<1000-2999>
{deny | permit} Specifies whether this is a permit or deny rule
SOURCE The packet’s source-address (network or host) specified as:
• IP address in dotted-decimal notation (A.B.C.D)
• the keyword any as an abbreviation for a source of 0.0.0.0 and
source-mask of 255.255.255.255
• the keyword host source as an abbreviation for a source of 0.0.0.0
and source-mask of 0.0.0.0
SOURCE-MASK (Optional) mask bits applied to source, specified as:
• dotted-decimal notation (A.B.C.D). Place one in the bit positions
you want to ignore
• CIDR notation (/M)
Page 12
fc FC-TYPE Specifies a forwarding class traffic (FC) that match the ACL
(only for egress ACL)
FC Type Description
be Specifies that the forwarding class to be mapped is the

Best-Effort Forwarding Class
12 Specifies that the forwarding class to be mapped is the
Low-2 Forwarding Class
af Specifies that the forwarding class to be mapped is the
Assured Forwarding Class
l1 Specifies that the forwarding class to be mapped is the
h2 Specifies that the forwarding class to be mapped is the
High-2 Forwarding Class
ef Specifies that the forwarding class to be mapped is the
Expedited Forwarding Class
nc Specifies that the forwarding class to be mapped is the
Network Control Forwarding Class
drop-level Specifies the color of packets for which the following ACL takes effect
green Match specific FC with color green
yellow Match specific FC with color yellow
no Removes the specified ACL
Examples
1. The IP address 192.98.2.1 is permitted, subnet 192.98.0.0/16 except for this address is denied,
but the entire subnet 192.0.0.0/8 is permitted. All other traffic is denied:
device-name(config)#access-list 1 permit host 192.98.2.1
device-name(config)#access-list 1 deny 192.98.0.0/16
device-name(config)#access-list 1 permit 192.0.0.0/8
2. To apply this ACL to port 1/1/1, use the ip access-group command:

device-name(config-if 1/1/1)#ip access-group 1
Page 13
Creating an Extended IP ACL

The access-list <acl-number> command defines extended IP ACLs.

The extended IP ACL filters the traffic by the following parameters:
• Source IP address in the IP packet header
• Destination IP address in the IP packet header
• IP protocol in the IP packet header
• DSCP matches DSCP value in the packet
Command Syntax
device-name(config)#access-list <acl-number> {deny | permit} {ip | icmp | igmp
| tcp | udp | <protocol-number>} SOURCE [SOURCE-MASK] DESTINATION
[DESTINATION-MASK] [dscp <dscp>] [fc FC-TYPE drop-level {green |
yellow}]
device-name(config)#no access-list <acl-number>
acl-number The extended IP ACL number in the range of <100-199>, or
<10000-11999>.
protocol-number Specifies the name or number of an IP protocol:
• Valid IP protocol names are: tcp, udp, ip, igmp, icmp
• Valid IP protocol numbers are integers in the range of <0–255>
representing an IP protocol number
(http://www.iana.org/assignments/protocol-numbers (RFC5237))
• To match any Internet protocol, use the keyword ip
• Some protocols allow further qualifiers, as described below
SOURCE The packet’s source-address (network or host) specified as:
• the keyword any as an abbreviation for a source of 0.0.0.0 and
source-mask of 255.255.255.255.
• the keyword host source as an abbreviation for a source of 0.0.0.0
and source-mask of 0.0.0.0.
SOURCE-MASK (Optional) mask bits applied to source, specified as:
• dotted-decimal notation (A.B.C.D). Place one in the bit positions you
want to ignore
Page 14
DESTINATION The network or host’s number the packet is sent to:

• the keyword any as an abbreviation for a destination of 0.0.0.0 and
destination-mask of 255.255.255.255.
• the keyword host source as an abbreviation for a destination of
0.0.0.0 and destination-mask of 0.0.0.0.
DESTINATION- (Optional) the mask bits applied to the destination specified as:
MASK
• dotted-decimal notation (M.M.M.M). Place one in the bit positions you
want to ignore
dscp <dscp> (Optional) the number of packets filtered by DSCP value, in the valid range
of <0–63>.
FC Type Description
be Specifies that the forwarding class to be mapped is the

Best-Effort Forwarding Class
12 Specifies that the forwarding class to be mapped is the
af Specifies that the forwarding class to be mapped is the
Assured Forwarding Class
l1 Specifies that the forwarding class to be mapped is the
ef Specifies that the forwarding class to be mapped is the
Expedited Forwarding Class
nc Specifies that the forwarding class to be mapped is the
Network Control Forwarding Class
drop-level Specifies the color of packets for which the following ACL takes effect
green Match the traffic with the above FC value with color green.
yellow Match the traffic with the above FC value with color yellow.
Page 15
Creating an Extended MAC ACL

The access-list <acl-number> command defines extended MAC ACLs.
Command Syntax
device-name(config)#access-list <acl-number> {deny | permit} {SOURCE-MAC
SOURCE-MAC-MASK | host SOURCE-MAC | any} {DESTINATION-MAC DESTINATION-
MAC-MASK | host DESTINATION-MAC | any} {unicast | multicast | broadcast}
[vlan <vlan-id> <VLAN mask>] [vpt <priority>] [inner-vlan <vlan-id>
<VLAN mask>] [inner-vpt <priority>] [untagged] [ether-type <ether-type>]
[dscp <dscp>] [tos <tos>] [precedence <precedence>] [fc FC-TYPE drop-
level {green | yellow}]
device-name(config )#no access-list <acl-number>
acl-number The extended MAC ACL number in the range of <400-499>, or
<40000-41999>.
SOURCE-MAC The packet’s source MAC-address. Valid values are:
• HH:HH:HH:HH:HH:HH notation
• the keyword any representing all MAC addresses
• the keyword host representing an abbreviation for a source-
mask of 00:00:00:00:00:00
SOURCE-MAC-MASK The source MAC address mask in HH:HH:HH:HH:HH:HH notation.
Use 0 for meaningful bits (exact-match) and 1 for meaningless bits
(any).
Examples:
• permit 00:aa:bb:cc:dd:ee 00:00:00:00:00:00 equals
permit host 00:aa:bb:cc:dd:ee
• permit 00:aa:bb:cc:dd:ee FF:FF:FF:FF:FF:FF equals
permit any
• permit 00:aa:bb:cc:dd:ee 00:00:00:FF:FF:FF permits
the range <00:aa:bb:00:00:00–00:aa:bb:ff:ff:ff>
DESTINATION-MAC The destination MAC address the packet is sent to. Valid values are:
• HH:HH:HH:HH:HH:HH notation
• the keyword any representing all MAC addresses
• the keyword host representing as an abbreviation for a
destination-mask of 00:00:00:00:00:00
DESTINATION-MAC-MASK The destination MAC address mask in HH:HH:HH:HH:HH:HH
notation.
Use 0 for meaningful bits (exact-match), and 1 for meaningless bits
(any).
unicast (Optional) matches the unicast traffic
Page 16
multicast (Optional) matches the multicast traffic

broadcast (Optional) matches the broadcast traffic
vlan <vlan-id> (Optional) the VLAN ID in the outer VLAN tag header.
VLAN mask (Optional) matches the VLAN mask in hexadecimal format, 1 to 3
hexadecimal digits, prefixed with "0x".
Use 0 for meaningful bits (exact-match) and 1 for meaningless bits
(any).
vpt <priority> (Optional) the VPT in the outer VLAN tag header.
inner-vlan <vlan-id> (Optional) matches the VLAN ID number in the inner VLAN tag
header. The valid range is <1-4092>.
inner-vpt <priority> (Optional) matches packets by the VPT in the VLAN inner tag
header.
untagged (Optional) matches untagged packets only.
If you do not specify the untagged option, all tagged and untagged
frames are matched.
ether-type <ether- (Optional) the EtherType filed in the Ethernet header of a packet.
type> The field is matched for non-IP and non-ARP traffic only.
Table 9 lists the valid EtherType known values.
dscp <dscp> (Optional) the DiffServ Code Point (DSCP) value from IP header of a
packet. The valid range is <0–63>.
tos <tos> (Optional) matches packets by the service level type, in the range of
<0–7> or by any of the valid literal ToS values listed below (see
Table 8).
precedence (Optional) matches packets by the precedence level, in the range of
<precedence> <0–7> or by any of the valid literal precedence values listed below
(see Table 7).
Page 17
FC Type Description
be Specifies that the forwarding class to be mapped is

the Best-Effort Forwarding Class
12 Specifies that the forwarding class to be mapped is
the Low-2 Forwarding Class
af Specifies that the forwarding class to be mapped is
the Assured Forwarding Class
l1 Specifies that the forwarding class to be mapped is
the Low-1 Forwarding Class
h2 Specifies that the forwarding class to be mapped is
the High-2 Forwarding Class
ef Specifies that the forwarding class to be mapped is
the Expedited Forwarding Class
h1 Specifies that the forwarding class to be mapped is
the High-1 Forwarding Class
nc Specifies that the forwarding class to be mapped is
the Network Control Forwarding Class
drop-level Specifies the color of packets for which the following ACL takes
effect
green Match the traffic with the above FC value with color green.
yellow Match the traffic with the above FC value with color yellow.
Table 7: Valid Precedence Literal Values

Valid Literal Value Description Value
Critical precedence 5
critical
Flash precedence 3
flash
Flash override precedence 4
flash-override
Immediate precedence 2
immediate
Internetwork control precedence 6
internet
Network control precedence 7
network
Priority precedence 1
priority
Routine precedence 0
routine
Page 18
Table 8: Valid ToS Literal Values

Valid Literal Value Description Value
max-reliability Max reliable TOS 1

max-throughput Max throughput TOS 2
min-delay Min delay TOS 4
normal Min monetary cost TOS 0
Table 9: EtherType Known Values

Value Description
0x0000–0x05DC IEEE 802.3 length

0x0800 IP (Internet Protocol)
0x0806 ARP (Address Resolution Protocol)
0x8035 DRARP (Dynamic RARP)
RARP (Reverse Address Resolution Protocol)
0x80F3 AARP (AppleTalk Address Resolution Protocol)
0x8100 IPX (Internet Packet Exchange)
0x8137 IPv6 (Internet Protocol version 6)
0x86DD PPP (Point-to-Point Protocol)
0x880B GSMP (General Switch Management Protocol)
0x880C MPLS (Multi-Protocol Label Switching) unicast
0x8863 MPLS (Multi-Protocol Label Switching) multicast
0x8864 PPPoE (PPP Over Ethernet) Discovery Stage
0x88BB PPPoE (PPP Over Ethernet) PPP Session Stage
0x8E88 LWAPP (Light Weight Access Point Protocol)
0xFFFF EAPOL (EAP over LAN)
Examples
• Create extended MAC ACLs:
device-name(config)#access-list 404 permit host 00:00:0a:00:00:01 any
unicast
device-name(config)#access-list 405 permit host 00:00:09:00:00:01 any
unicast
device-name(config)#access-list 406 permit host 00:00:09:00:00:4e any
multicast
device-name(config)#access-list 407 permit host 00:00:0A:00:00:6e any
broadcast
• Here, any tagged traffic is denied. Only the untagged traffic that ingresses a port, with the
default VLAN 20, is accepted:
device-name(config)#access-list 433 permit any any vlan 20 0x000 untagged
Page 19
Adding a Comment to an ACL

The access-list remark command associates an explanatory remark to a specified standard,
extended or MAC extended ACLs.
Command Syntax
device-name(config)#access-list <acl-number> remark REMARK
device-name(config)#no access-list <acl-number> [remark REMARK]
acl-number The number of an existing ACL.
Valid values are:
• <1–99> or <1000-2999>—the ID for the standard ACL
• <100–199> or <10000-11999>—the ID for the extended ACL
• <400–499> or <40000-41999>—the ID for the MAC extended ACL
REMARK A string of up to 40 characters
no Removes the remark.
CAUTION
Using the no form of the command without specifying a remark
removes the ACL.
Example
Add the remark test-acl to the ACL with number 401:
device-name(config)#access-list 401 remark test-acl
device-name(config)#access-list 401 permit host 00:a0:12:02:43:32 any
Page 20
Assigning an IP ACG
The ip access-group command assigns an IP ACG to a port, LAG or SAP port.
CLI Mode: Interface Configuration, LAG Interface Configuration and SAP Service
Configuration
Command Syntax
device-name(config-if UU/SS/PP)#ip access-group [in | out] <acl-number>
[option]
device-name(config-if UU/SS/PP acg ACL-NUMBER)#
device-name(config-if UU/SS/PP)#no ip access-group [in | out] <acl-number>
device-name(config-if AG0N)#ip access-group [in] <acl-number> [option]

device-name(config-if AG0N acg ACL-NUMBER)#
device-name(config-if AG0N)#no ip access-group [in] <acl-number>
device-name(config-tls-sap UU/SS/PP:CVLAN-ID:)#ip access-group [in] <acl-

number> [option]
device-name(config-tls-sap UU/SS/PP:CVLAN-ID: acg ACL-NUMBER)#
device-name(config-tls-sap UU/SS/PP:CVLAN-ID:)#no ip access-group [in] <acl-
number>
acl-number The number of an existing ACL. Valid values are:
in (Optional) applies the ACL on the ingress traffic. If no keyword is specified, the
ACL is applied only on incoming traffic.
out
(Optional) applies the ACL on the egress traffic.
option (Optional) defines an action applied on matching traffic and changes the CLI
mode to the specified ACG configuration mode
no Removes the specified IP ACG.
Example
device-name(config-tls-sap 1/1/1:10:)ip access-group 100 option
device-name(config-tls-sap 1/1/1:10: acg 100)#
Page 21
Assigning a MAC ACG

The mac access-group assigns a MAC ACG to a port, LAG or SAP port.
CLI Mode: Interface Configuration, LAG Interface Configuration, and SAP Service
Configuration
Command Syntax
device-name(config-if UU/SS/PP)#mac access-group [in | out] <acl-number>
[option]
device-name(config-if UU/SS/PP acg ACL-NUMBER)#
device-name(config-if UU/SS/PP)#no mac access-group [in | out] <acl-number>
device-name(config-if AG0N)#mac access-group [in] <acl-number> [option]

device-name(config-if AG0N acg ACL-NUMBER)#
device-name(config-if AG0N)#no mac access-group <acl-number>
device-name(config-tls-sap UU/SS/PP:CVLAN-ID:)#mac access-group [in] <acl-

number> [option]
device-name(config-tls-sap UU/SS/PP:CVLAN-ID: acg ACL-NUMBER)#
device-name(config-tls-sap UU/SS/PP:CVLAN-ID:)#no mac access-group [in] <acl-
number>
acl-number The number of an existing ACL. Valid values are in the range of <400–499>, or
<40000–41999>.
in (Optional) applies the ACL on the ingress traffic. If no keyword is specified, the
ACL is applied only on incoming traffic.
out (Optional) applies the ACL on the egress traffic.
option (Optional) defines an action applied on matching traffic and changes the CLI
mode to the specified ACG configuration mode
no Removes the specified MAC ACG
Page 22
Examples
In the following example:
1. Port 1/1/1 is connected to a group of users. ACL 400 permits access to the server only for
users with MAC addresses 00:00:5a:63:56:78 (PC1) and 00:00:54:67:f5:61 (PC2).
2. Port 1/1/2 is connected to a server.
Figure 2: MAC ACG over Port Configuration Example
device-name(config)#access-list 400 permit 00:00:5a:63:56:78
00:00:00:00:00:00 00:a0:cc:d6:b0:fa 00:00:00:00:00:00
device-name(config)#access-list 400 permit 00:00:54:67:f5:61
00:00:00:00:00:00 00:a0:cc:d6:b0:fa 00:00:00:00:00:00
device-name(config-if 1/1/1)#mac access-group 400 option
device-name(config-if 1/1/1 acg 400)#end
Page 23
Applying Rate Limiting by ACGs

The rate-limit command applies a rate-limit on the ACG for the specified port, LAG or SAP
port.
CLI Mode: Interface ACG Configuration, LAG Interface ACG Configuration, and SAP
Service ACG Configuration
This command takes affect only upon exiting the ACG Configuration mode.
By default, the color marking of the packet is ignored (color-blind).
NOTE
The real values for CIR, CBS, PIR, and PBS may be different than the configured
ones, due to granularity limitations. After configuring these values, a warning
message appears:
[Warning] Rate can be rounded to the next supported value!
NOTE
You cannot configure the dual-rate on uplink ports for the T-Marc 340.
Command Syntax
device-name(config-if UU/SS/PP acg ACL-NUMBER)#rate-limit single-rate <cir>
<cbs> [color-aware | [exceed-action mark-yellow] | [statistics]
device-name(config-if UU/SS/PP acg ACL-NUMBER)#rate-limit dual-rate <cir>
<cbs> <pir> <pbs> [statistics]
device-name(config-if UU/SS/PP acg ACL-NUMBER)#no rate-limit
device-name(config-if AG0N acg ACL-NUMBER)#rate-limit single-rate <cir> <cbs>

[color-aware | [exceed-action mark-yellow] | [statistics]
device-name(config-if AG0N acg ACL-NUMBER)#rate-limit dual-rate <cir> <cbs>
<pir> <pbs> [statistics]
device-name(config-if AG0N acg ACL-NUMBER)#no rate-limit
device-name(config-tls-sap UU/SS/PP:CVLAN-ID: acg ACL-NUMBER)#rate-limit

single-rate <cir> <cbs> [color-aware | [exceed-action mark-yellow] |
[statistics]
device-name(config-tls-sap UU/SS/PP:CVLAN-ID: acg ACL-NUMBER)#rate-limit dual-
rate <cir> <cbs> <pir> <pbs> [statistics]
device-name(config-tls-sap UU/SS/PP:CVLAN-ID: acg ACL-NUMBER)#no rate-limit
single-rate The Single Rate Three Color Marker (RFC 2697).
dual-rate The Two Rate Three Color Marker (RFC 2698).
cir The CIR in K, M or G (in bps). The valid range is <64K–1G> with 64 kbps
granularity.
cbs The CBS in K, M or G (in bytes). The valid range is <4K–16384K>.
pir The PIR in K, M or G (in bytes). The valid range is <64K–1G> with 64 kbps
granularity.
Page 24
pbs The PBS in K, M or G (in bytes). The valid range is <4K–16384K>.

color-aware (Optional) the rate limit is color aware. If you do not specify the option, the rate
limit is color blind.
exceed- (Optional) The action performed once the packet is classified as exceeding the
action CIR. If you do not specify this option, the out-of-profile traffic is dropped.
mark-yellow Marks in yellow the packet classified as exceeding the CIR. If you do not
specify this option, the out-of-profile traffic is dropped.
statistics (Optional) specifies the Bind counter set to a traffic police, when specified. The
statistics data consists of counts of the in-profile (green) and out-of-profile
bytes (yellow or dropped). There are up to sixteen supported counters.
no Removes the rate limit from the configured ACG.
Example
• Configure the single rate limit:
device-name(config-if 1/1/1 acg 410)#rate-limit single-rate 100k 128k
exceed-action mark-yellow
device-name(config-if 1/1/1 acg 410)#apply
• Configure the dual rate limit:

device-name(config-if 1/1/2 acg 412)#rate-limit dual-rate 100k 128k 256k
64k
Page 25
Adding a new VLAN Tag in Frames

The set vlan command changes the VLAN ID in the packet header. The switching decision is
made based on the new VLAN ID.
This command takes affect only upon exiting the ACG Configuration mode.
Command Syntax
device-name(config-if UU/SS/PP acg ACL-NUMBER)#set vlan {<vlan-id> | tls
<vlan-id>}
device-name(config-if UU/SS/PP acg ACL-NUMBER)#no set vlan [tls]
device-name(config-if AG0N acg ACL-NUMBER)#set vlan {<vlan-id> | tls <vlan-

id>}
device-name(config-if AG0N acg ACL-NUMBER)#no set vlan [tls]
device-name(config-tls-sap UU/SS/PP:CVLAN-ID: acg ACL-NUMBER)#set vlan

{<vlan-id> | tls <vlan-id>}
device-name(config-tls-sap UU/SS/PP:CVLAN-ID: acg ACL-NUMBER)#no set vlan
[tls]
vlan-id The new VLAN ID in the range of <1–4094>.
tls The egress port treats the matching packets as untagged (like they are
received), regardless of whether packets are received tagged or not. If the
egress port is a tagged to VLAN port member, a new VLAN tag is added to the
packet based on the device VLAN ID assignment.
This parameter is optional for the no form of the command.
no Cancels this action for the configured ACG.
Example
Redirect traffic that matches ACL 410 on port 1/1/1 to VLAN ID 300:
device-name(config-if 1/1/1 acg 410)#set vlan tls 300
Page 26
Applying QoS Settings on an ACG

The set txq command applies QoS on packets matching the ACG. New values of txq and Drop
Precedence (DP) are assigned to a matching traffic.
Command Syntax
device-name(config-if UU/SS/PP acg ACL-NUMBER)#set txq <txq> drop-level
{green | yellow}
device-name(config-if UU/SS/PP acg ACL-NUMBER)#no set txq
device-name(config-if AG0N acg ACL-NUMBER)#set txq <txq> drop-level {green |

yellow}
device-name(config-if AG0N acg ACL-NUMBER)#no set txq
device-name(config-tls-sap UU/SS/PP:CVLAN-ID: acg ACL-NUMBER)#set txq <txq>

drop-level {green | yellow}
device-name(config-tls-sap UU/SS/PP:CVLAN-ID: acg ACL-NUMBER)#no set txq
txq Specifies to which txq matching traffic is mapped. The valid range is <0–7>
queues.
green The packet’s DP level is green.
yellow The packet’s DP level is yellow.
no Cancels this action for the configured ACG.
Changing the DSCP Value

The set dscp command changes the DSCP field value of packets on egress interfaces.
Command Syntax
device-name(config-if UU/SS/PP acg ACL-NUMBER)#set dscp <0-63>
device-name(config-if UU/SS/PP acg ACL-NUMBER)#no set dscp
device-name(config-if AG0N acg ACL-NUMBER)#set dscp <0-63>
device-name(config-if AG0N acg ACL-NUMBER)#no set dscp
device-name(config-tls-sap UU/SS/PP:CVLAN-ID: acg ACL-NUMBER)#set dscp <0-63>
device-name(config-tls-sap UU/SS/PP:CVLAN-ID: acg ACL-NUMBER)#no set dscp
0-63 DSCP value, configured for the remarked traffic on egress interfaces.
no Cancels this action for the changing the DSCP value.
Page 27
Changing the VPT Value

The set vpt command changes the VPT field value of the packets on egress interfaces.
CLI Mode: Interface ACG Configuration, LAG Interface ACG Configuration and SAP
Command Syntax
device-name(config-if UU/SS/PP acg ACL-NUMBER)#set vpt <0-7>
device-name(config-if UU/SS/PP acg ACL-NUMBER)#no set vpt
device-name(config-if AG0N acg ACL-NUMBER)#set vpt <0-7>
device-name(config-if AG0N acg ACL-NUMBER)#no set vpt
device-name(config-tls-sap UU/SS/PP:CVLAN-ID: acg ACL-NUMBER)#set vpt <0-7>
device-name(config-tls-sap UU/SS/PP:CVLAN-ID: acg ACL-NUMBER)#no set vpt
0-7 VPT value, configured for the remarked traffic on egress interfaces.
no Cancels this action for the changing the VPT value.
Examples:
• Egress remarking:
device-name(config)#access-list 400 permit any any fc h1 drop-level green
device-name(config-if 1/1/1)#mac access-group out 400 option
device-name(config-if 1/1/1 acg 400)#set dscp 4
• Egress VPT remarking:

device-name(config)#access-list 400 permit any any fc h1 drop level yellow
device-name(config-if 1/1/1)#mac access-group out 400 option
device-name(config-if 1/1/1 acg 400)#set vpt 3
• The color aware ACLs cannot be applied as ingress ACG Otherwise a warning message is
displayed:
device-name(config)#access-list 400 permit any any fc h1 drop-level green
device-name(config-if 1/1/1)#mac access-group in 400 option
[Error]Color aware access list can not be applied on ingress.
• The VPT and DSCP options are mutually exclusive. Otherwise a warning message is displayed:
device-name(config)#access-list 111 permit ip any any fc ef drop-level
green
device-name(config-if 1/1/1)#ip access-group out 111 option
device-name(config-if 1/1/1 acg 111)#set vpt 4
% only one remark type is allowed
Page 28
Saving the ACG Configuration

The apply command saves the ACG options and exits the ACG Configuration mode.
CLI Mode: Interface ACG Configuration, LAG Interface ACG Configuration and SAP
NOTE
The apply command has the same effect as the exit command or the <Ctrl+D>.
Command Syntax
device-name(config-if UU/SS/PP acg ACL-NUMBER)#apply
device-name(config-if AG0N acg ACL-NUMBER)#apply
device-name(config-tls-sap UU/SS/PP:CVLAN-ID: acg ACL-NUMBER)#apply
Example
Enabling Match Statistics

The statistics command enables match statistics on a port, LAG or SAP port.
The match statistics data provides the dropped and non-dropped packets/bytes counts, useful for
traffic monitoring.
Interface ACG Configuration, LAG Interface ACG Configuration, and SAP
CLI Mode:
Command Syntax
device-name(config-if UU/SS/PP acg ACL-NUMBER)#statistics
device-name(config-if UU/SS/PP acg ACL-NUMBER)#no statistics
device-name(config-if AG0N acg ACL-NUMBER)#statistics

device-name(config-if AG0N acg ACL-NUMBER)#no statistics
device-name(config-tls-sap UU/SS/PP:CVLAN-ID: acg ACL-NUMBER)#statistics

device-name(config-tls-sap UU/SS/PP:CVLAN-ID: acg ACL-NUMBER)#no statistics
no Disables collecting statistics on the ACG.
Page 29
Displaying the IP ACLs

The show ip access-lists command displays the configured IP ACLs. You can restrict the
output to a specified ACL by using the acl-number argument.
Command Syntax
device-name#show ip access-lists [<acl-number>]
acl-number (Optional) the ACL number displayed.
Valid values are:
Examples
device-name(config)#access-list 1 permit host 192.98.2.1
device-name(config)#access-list 1 deny 192.98.0.0/16
device-name(config)#access-list 1 permit 192.0.0.0/8
Standard IP access list 1
permit host 192.98.2.1
deny 192.98.0.0 0.0.255.255
permit 192.0.0.0 0.255.255.255
Displaying the MAC ACLs

The show mac access-lists command displays the configured MAC ACLs. You can restrict the
output to a specified ACL by using the acl-number argument.
Command Syntax
device-name#show mac access-lists [<acl-number>]
acl-number (Optional) the ACL number displayed, in the range of <400–499>, or <40000–
41999> (extended MAC ACLs).
Page 30
Examples
device-name(config)#access-list 400 permit any host 00:00:0a:00:00:4e ether-
type 0x8080
device-name(config)#access-list 401 permit 00:00:0A:00:00:65
00:00:00:00:00:03 any broadcast
The ACL matches BROADCAST layer 2 traffic.
device-name(config)#access-list 402 permit 00:00:0b:21:19:75

00:00:00:00:00:00 00:00:12:64:53:15 00:00:00:00:00:01
device-name(config)#access-list 403 permit host 00:00:0a:09:00:7F any vpt 4
00:00:00:00:00:00 any vlan 9 0x00FF
device-name(config)#access-list 405 permit any host 00:a0:12:02:43:32 dscp 20
device-name(config)#access-list 406 permit any host 00:a0:12:02:43:32 tos 2
precedence 4
device-name(config)#access-list 407 permit 00:00:09:00:00:01
00:00:00:00:00:00 any unicast
The ACL matches UNICAST layer 2 traffic.
device-name(config)#access-list 408 permit 00:00:0A:00:00:6E

00:00:00:00:00:03 any multicast
The ACL matches MULTICAST layer 2 traffic.
device-name(config)#access-list 409 permit any host 00:00:09:00:00:78 untagged
device-name(config)#access-list 410 permit 00:00:0A:00:00:65
00:00:00:00:00:03 any precedence priority
device-name#show mac access-lists
Extended MAC access-list 400
permit any host 00:00:0a:00:00:4e ether-type 0x8080
permit 00:00:0a:00:00:65 00:00:00:00:00:03 any broadcast
permit host 00:00:0b:21:19:75 00:00:12:64:53:15 00:00:00:00:00:01
permit host 00:00:0a:09:00:7f any vpt 4
permit host 00:00:0a:00:00:09 any vlan 9 0x00FF
permit any host 00:a0:12:02:43:32 dscp 20
permit any host 00:a0:12:02:43:32 tos max-throughput precedence flash-
override
permit host 00:00:09:00:00:01 any unicast
permit 00:00:0a:00:00:6e 00:00:00:00:00:03 any multicast
permit any host 00:00:09:00:00:78 untagged
permit 00:00:0a:00:00:65 00:00:00:00:00:03 any precedence priority
Page 31
Displaying the IP ACG

The show ip access-groups command displays the IP ACGs configured on ports, LAGs, and
VLANs.
Command Syntax
device-name#show ip access-groups [<acl-number>]
acl-number (Optional) the IP ACG number displayed.
Valid values are:
• <1–99> or <1000–2999>—the ID for the standard ACL
• <100–199> or <10000–11999>—the ID for the extended ACL
Examples
device-name#show ip access-groups
interface 1/1/1
ip access-group 100
ip access-group 101
interface 1/1/2
ip access-group 2
Page 32
Displaying the IP ACG Statistics

The show ip access-groups statistics command displays how many packets match the
applied IP ACG.
Command Syntax
device-name#show ip access-groups <acl-number> statistics [interface UU/SS/PP
| sap UU/SS/PP c-vlan <vlan-id>]
acl-number (Optional) the IP ACG number displayed.
Valid values are:
interface UU/SS/PP (Optional) the specified port
sap UU/SS/PP (Optional) the specified SAP port
vlan-id The C-VLAN ID, in the valid range of <1–4094>
Examples
device-name(config-if 1/1/1)#ip access-group 100 option
device-name(config-if 1/1/1 acg 100)#statistics
device-name#show ip access-groups 100 statistics
Access List 100 statistics:
interface 1/1/1
Match Statistics:
Classified packets: 926359
device-name(config-if 1/1/2 acg 102)#rate-limit single-rate 10M 128K
statistics
device-name#show ip access-groups 102 statistics
interface 1/1/2
Single rate limit:
Green bytes: 100500
Yellow bytes: NA
Drop bytes: 35080
Page 33
Displaying the MAC ACG

The show mac access-groups command displays the MAC ACGs configured on ports, LAGs,
and VLANs.
Command Syntax
device-name#show mac access-groups [<acl-number>]
acl-number (Optional) the MAC ACG number displayed, in the range of <400–499> or
<40000–41999>.
Example
device-name#show mac access-groups
interface 1/1/1
mac access-group 400 option
set vlan 4094
set txq 7 drop-level green
Displaying Match Statistics for MAC ACGs

The show mac access-groups statistics command displays how many packets match the
applied MAC ACG.
Command Syntax
device-name#show mac access-groups <acl-number> statistics [interface UU/SS/PP
acl-number The MAC ACG number displayed, in the range of <400–499> or
<40000–41999>.
Page 34
Example
statistics
device-name#show mac access-groups 402 statistics
interface 1/1/1
Single rate limit:
Green bytes: 100500
Yellow bytes: NA
Drop bytes: 35080
Clearing the IP ACG Statistics

The clear ip access-groups statistics command clears the IP ACG statistics.
Command Syntax
device-name#clear ip access-groups <acl-number> statistics [interface UU/SS/PP
acl-number (Optional) the IP ACG number cleared.
Valid values are:
Page 35
Clearing the MAC ACG Statistics

The clear mac access-groups statistics command clears the MAC ACG statistics.
Command Syntax
device-name#clear mac access-groups <acl-number> statistics [interface
UU/SS/PP | sap UU/SS/PP c-vlan <vlan-id>]
acl-number The MAC ACG number cleared, in the range of <400–499>, or
<40000–41999>.
Page 36
Configuring IP ACLs
In the example below:
• the inbound and outbound traffic for PC 1 is limited to 3 Mbps for each direction
• the inbound and outbound traffic for PC 2 is limited to 1 Mbps for each direction
• the rest of the traffic that passes through the device is not controlled
Figure 3: Creating Standard and Extended IP ACLs
1. Define an ACL for the traffic from PC1 to the server:

device-name(config)#access-list 100 permit ip 211.202.212.1/26 any
2. Define an ACL for the traffic from the server to PC1:

device-name(config)#access-list 101 permit ip any 211.202.212.3/26

device-name(config)#access-list 102 permit ip 211.202.212.2/26 any
4. Define an ACL for the traffic from the server to PC2:

device-name(config)#access-list 103 permit ip any 211.202.212.3/26
5. Define an ACL that permits the all traffic:

device-name(config)#access-list 1 permit any
Page 37
6. Define the rate limit on the server port: 3M to PC1 and 1M to PC2, and no rate limit to the
rest of the traffic on this port:
device-name(config-if 1/1/1 acg 101)#rate-limit single-rate 3m 256k
device-name(config-if 1/1/1 acg 101)#exit
7. Define the rate limit of 3M on PC1 connection to the server, and no rate limit to the rest of
the traffic on the port:
9. Display the configured ACLs:

Standard IP access list 1
permit any
Extended IP access list 100
permit ip 211.202.212.1 0.0.0.63 any
permit ip any 211.202.212.3 0.0.0.63
permit ip 211.202.212.2 0.0.0.63 any
permit ip any 211.202.212.3 0.0.0.63
Page 38
10. Display the configured ACGs:

device-name#show ip access-groups
interface 1/1/1
ip access-group 101 option
rate-limit single-rate 3000K 256K
ip access-group 1
interface 1/2/1
ip access-group 1
interface 1/2/2
ip access-group 1
Configuring MAC ACLs

The example below shows how to define MAC ACLs and to assign rate limits to them.
Figure 4: Rate Limit over Port Configuration

00:00:00:00:00:00 any

00:00:00:00:00:00 any
3. Define an ACL for the traffic from the server to PC1 and PC2:
device-name(config)#access-list 403 permit any 00:00:05:00:00:14
00:00:00:00:00:00
Page 39
4. Define the rate limit on the server port, 10M, and no rate limit to the rest of the traffic on this
port:
7. Display the configured ACLs:

device-name#show mac access-lists
permit host 00:00:00:05:00:11 any
permit host 00:00:05:00:00:08 any
permit host 00:00:05:00:00:14 any
8. Display the configured ACGs:

interface 1/1/1
interface 1/2/1
interface 1/2/2
Page 40
Creating ACLs per SAP

In the following example (based on Figure 2):
• Port 1/1/1 is connected to a group of users. ACL 400 allows access to the server only to the
users with MAC addresses 00:00:5a:63:56:78 (PC1) and 00:00:54:67:f5:61 (PC2).
• Port 1/1/2 is connected to a server.
1. Create the VLAN v20 with ID 20 and add to it the 1/1/2 port (SDP port) as tagged and
1/1/1 port (SAP port) as untagged:
device-name(config-vlan v20)#add ports default 1/1/1,1/1/2
device-name(config-vlan v20)#end
2. Create MAC ACLs:

00:00:00:00:00:00 any
device-name(config)#access-list 411 permit 00:00:54:67:f5:61
00:00:00:00:00:00 any
3. Create a TLS service:

device-name(config-tls serv)#sap 1/1/1 c-vlan 11
4. Apply the MAC ACL 410 per SAP port with a rate-limit:
device-name(config-tls serv)#sap 1/1/1 c-vlan 11 option
device-name(config-tls-sap 1/1/1:11:)#mac access-group 410 option
device-name(config-tls-sap 1/1/1:11: acg 410)#rate-limit single-rate 3m 1m
statistics
device-name(config-tls-sap 1/1/1:11: acg 410)#statistics
device-name(config-tls-sap 1/1/1:11: acg 410)#apply
5. Apply the MAC ACL 411 per SAP port with a rate-limit:
device-name(config-tls serv)#sap 1/1/1 c-vlan 11 option
device-name(config-tls-sap 1/1/1:11:)#mac access-group 411 option
device-name(config-tls-sap 1/1/1:11: acg 411)#rate-limit single-rate 3m 1m
statistics
device-name(config-tls-sap 1/1/1:11: acg 411)#statistics
device-name(config-tls-sap 1/1/1:11: acg 411)#apply
Page 41
Configuring an ACG per Egress

The following example shows how to use ACL per egress. Traffic flows towards the interface
where an ACG per egress is applied.
1. Define an ACL with VPT 6:
device-name(config)#access-list 101 permit ip any any
2. Define the ACG on the desired interface with VPT rate-limit:

device-name(config-if 1/1/2)#ip access-group out 101 option
device-name(config-if 1/1/2 acg 101)#rate-limit single-rate 3m 1m exceed-
action drop
3. Display the existing ACLs:

permit ip any any
Configuring Rate Limit with DSCP Mapping

Configure a device with a single rate limiter with the following configuration:
• traffic up to 1 Mbps with DSCP 0 is marked green and is remapped with priority 7 (according
to the given QoS policy rule)
• traffic above 1 Mbps is marked as yellow
4. Create a MAC ACL:

00:00:00:00:00:00 any
5. Define trust DSCP mode per ingress network-policy:

device-name(config)#qos
device-name(config qos)#network-policy trust
device-name(config qos-net trust)#ingress
device-name(config qos-net-in trust)#trust-dscp
device-name(config qos-net-in trust)#end
6. Define trust DSCP network-policy per ingress port 1/1/2:

device-name(config-if 1/1/2)#qos-network-policy trust
7. Change the DSCP mapping policy:

device-name(config qos)#map dscp 0 fc nc drop-level green
device-name(config qos)#map dscp 2 fc h1 drop-level yellow
device-name(config qos)#exit
Page 42
8. Define a rate limit on port 1/1/2:

device-name(config-if 1/1/2 acg 400)#rate-limit single-rate 1M 256K color-
aware exceed-action mark-yellow
9. Display the ACG configuration:

interface 1/1/2
rate-limit single-rate 1000K 256K color-aware exceed-action mark-yellow
10. Display network-policy per port and DSCP mapping:

device-name#show qos network-policy trust
Policy Name: trust
Description:
+---------------------------------+
| Ingress Policy Configuration |
+--------------+-----+------------+
| Trust Mode | FC | Drop Level |
+--------------+-----+------------+
| trust-dscp | | |
+--------------+-----+------------+
+------------------------------------------------------+
| Egress Policy Configuration |
+--------------------+---------------------------------+
| Scheduler Profile | Shaper Profile |
+---------+----------+-----------+----------+----------+
| ID | Type | Shaper ID | CIR | CBS |
+---------+----------+-----------+----------+----------+
| - | - | - | - | - |
+---------+----------+-----------+----------+----------+
+----------+-------------+----------+----------+
| Queue Id | Shaper Id | CIR | CBS |
+----------+-------------+----------+----------+
| | | | |
+----------+-------------+----------+----------+
Policy is applied on the following port(s):
1/1/2
device-name#show qos ingress dscp-map

+-----------+--------+-------------+
| DSCP | FC | Drop Level |
+-----------+--------+-------------+
| 0 | nc | green |
+-----------+--------+-------------+
| 1 | be | green |
+-----------+--------+-------------+
| 2 | h1 | yellow |
Page 43
+-----------+--------+-------------+
| 3 | be | green |
+-----------+--------+-------------+
| 4 | be | green |
+-----------+--------+-------------+
| 5 | be | green |
+-----------+--------+-------------+
| 6 | be | green |
+-----------+--------+-------------+
| 7 | be | green |
+-----------+--------+-------------+
| 8 | l2 | green |
+-----------+--------+-------------+
| 9 | l2 | green |
+-----------+--------+-------------++-
…
+-----------+--------+-------------+
| 61 | nc | green |
+-----------+--------+-------------+
| 62 | nc | green |
+-----------+--------+-------------+
| 63 | nc | green |
+-----------+--------+-------------+
Configuring Rate Limit with Priority Remarking

The following example configures a single rate limit on the device and remark the VPT on egress
packets. Any packet with source MAC 00:00:10:02:00:00 on port 1/1/2 is rate limited to 1
Mbps.
1. Create an ACL:
device-name(config)#access-list 401 permit host 00:00:10:02:00:00 any
2. Set the priority remarking policy:

device-name(config qos)#remark fc be drop-level green priority 5
3. Set the rate limit and apply statistics on port 1/1/2 :

device-name(config-if 1/1/2 acg 401)#statistics
Page 44
4. Display the priority remarking policy:

device-name#show qos egress remark
+---------------------+------------+
| QoS Parameters | Tx Remark |
+--------+------------+------------+
| FC | Drop Level | Priority |
+--------+------------+------------+
| be | green | 5 |
+--------+------------+------------+
| be | yellow | 0 |
+--------+------------+------------+
| l2 | green | 1 |
+--------+------------+------------+
| l2 | yellow | 1 |
+--------+------------+------------+
| af | green | 2 |
+--------+------------+------------+
| af | yellow | 2 |
+--------+------------+------------+
| l1 | green | 3 |
+--------+------------+------------+
| l1 | yellow | 3 |
+--------+------------+------------+
| h2 | green | 4 |
+--------+------------+------------+
| h2 | yellow | 4 |
+--------+------------+------------+
| ef | green | 5 |
+--------+------------+------------+
| ef | yellow | 5 |
+--------+------------+------------+
| h1 | green | 6 |
+--------+------------+------------+
| h1 | yellow | 6 |
+--------+------------+------------+
| nc | green | 7 |
+--------+------------+------------+
| nc | yellow | 7 |
+--------+------------+------------+
5. Display configured MAC ACG:

interface 1/1/2
6. Display configured MAC ACG statistics per port:

device-name#show mac access-groups 401 statistics interface 1/1/2
interface 1/1/2
Match Statistics:
Classified packets: 0
Page 45
Supported Platforms
Access Control Lists (ACLs) + +

Access Control Lists No standards are Private MIB, RFC 2697, A Single
(ACLs) supported by this prvt_switch_access_list.mib Rate Three Color
feature. Marker
RFC 2698, A Two
Rate Three Color
Marker
Page 46
DHCP Snooping
Table of Contents
Table of Figures ······················································································ 3
DHCP Snooping ····················································································· 4

Overview ·························································································· 4
The DHCP Snooping Command Hierarchy ···················································· 5

Enabling/Disabling DHCP Snooping ·························································· 7
Enabling DHCP Snooping on Ports···························································· 7
Enabling/Disabling DHCP Snooping on Trusted/Untrusted Ports ························ 8
Configuring DHCP Snooping ··································································· 9
Enabling/Disabling the DHCP-Snooping Binding Table ···································· 9
Adding Entries to the DHCP-Snooping Binding Table ·····································10
Defining the Number of DHCP-Snooping Binding Table Entries ·························10
Copying the DHCP-Snooping Binding Table ················································11
Immediately Copying the DHCP-Snooping Binding Table ·································11
Configuring the DHCP-Snooping Port Security··············································12
Enabling/Disabling the MAC-Address Match-Option ······································12
Enabling the DHCP-Snooping Chain Mode··················································13
Enabling the Option-82 on a Port ·····························································14
Defining the Option-82 Circuit-ID ····························································14
Defining the Option-82 Field’s Format ·······················································14
Filling the Relay Agent Field····································································15
Defining the DHCP Option-82 Tag ···························································16
Clearing the DHCP-Snooping Binding Table·················································16
Clearing DHCP-Snooping Binding Entries ···················································17
Displaying the DHCP-Snooping Binding Table ··············································17
Displaying the DHCP Snooping Configuration Information ·······························18
Displaying the DHCP Snooping Port Configuration Information ·························19
Displaying the DHCP-Snooping Option-82 Configuration ·································20
Page 1
Dhcp Snooping (Rev. 01)
Displaying the Giaddr Field Information ······················································20

Page 2
Table of Figures
Figure 1: DHCP Snooping in Action ··························································· 4
Figure 2: DHCP Snooping Configuration Example··········································21
Page 3
DHCP Snooping
Overview
DHCP Snooping provides network security by filtering untrusted DHCP messages, (received from
outside the network and causing traffic attacks), and by building and maintaining a DHCP-
snooping binding table (see Enabling/Disabling the DHCP-Snooping Binding Table).
DHCP Snooping works with information from a DHCP server to:
• Track the physical location of hosts (DHCP clients)
• Ensure that hosts only use the IP addresses assigned to them
• Ensure that only authorized DHCP servers are accessible
DHCP Snooping acts like a firewall between untrusted hosts (DHCP clients) and DHCP servers.
Figure 1: DHCP Snooping in Action
Page 4
The DHCP Snooping Command Hierarchy

+ enable
+ configure terminal
- ip dhcp snooping {enable | disable}
- [no] ip dhcp snooping interface-mode interface {PORT-LIST | PORT-
AG-LIST} [vlan VLAN-LIST]
- ip dhcp snooping interface {PORT-LIST | PORT-AG-LIST} {trusted |
untrusted}
- [no] ip dhcp snooping force-broadcast-request
- ip dhcp snooping binding-table {enable | disable}
- [no] ip dhcp snooping binding A.B.C.D HH:HH:HH:HH:HH:HH vlan
<vlan-id> interface UU/SS/PP
- ip dhcp snooping binding-table max-entries <binding-entries>
- [no] ip dhcp snooping binding-table tftp A.B.C.D file name FILE-
NAME write-delay <time period>
- ip dhcp snooping binding-table upload tftp A.B.C.D filename FILE-
NAME
- [no] ip dhcp snooping port-security interface PORT-LIST [vlan-id
<vlan-id>]
- ip dhcp snooping match-mac {enable | disable}
- ip dhcp snooping information option chain-mode
- [no] ip dhcp snooping information option circuit-id WORD port
UU/SS/PP vlan-id <vlan-id>
- ip dhcp snooping set-relay-agent-address
- ip dhcp snooping information option chain-mode set-relay-agent-
address
+ interface UU/SS/PP
- [no] ip dhcp snooping information option
- [no] ip dhcp snooping information option format binary
[remote-id]
- ip dhcp snooping information option tag <1-65535>
- no ip dhcp snooping information option tag
- ip dhcp snooping interface {trusted | untrusted}
- clear ip dhcp snooping binding-table [static | learned | all]
- clear ip dhcp snooping binding-table ip A.B.C.D vlan <vlan-id>
- clear ip dhcp snooping binding-table mac HH:HH:HH:HH:HH:HH vlan <vlan-
id>
- show ip dhcp snooping binding {interface UU/SS/PP | vlan <vlan-id>}
- show ip dhcp snooping configuration
- show ip dhcp snooping interface {UU/SS/PP | aggregations | all}
- show ip dhcp snooping option82
Page 5
- show ip dhcp snooping set-relay-agent-address
Page 6
Enabling/Disabling DHCP Snooping

Caution
Do not enable DHCP Snooping while DHCP Relay is enabled. DHCP Snooping
and DHCP Relay cannot operate concurrently on a device.
The ip dhcp snooping command enables/disables the DHCP Snooping globally.
NOTE
For DHCP Snooping to function properly, all DHCP servers must be connected to
the device through trusted interfaces.
Command Syntax
device-name(config)#ip dhcp snooping {enable | disable}
enable Enables DHCP Snooping
disable Disables DCHP Snooping
Disabled
Enabling DHCP Snooping on Ports

The ip dhcp snooping interface-mode command enables DHCP Snooping on ports and
optionally defines VLANs to which the ports belong.
Command Syntax
device-name(config)#ip dhcp snooping interface-mode interface {PORT-LIST |
PORT-AG-LIST} [vlan VLAN-LIST]
device-name(config)#no ip dhcp snooping interface-mode interface {PORT-LIST |
PORT-AG-LIST} [vlan VLAN-LIST]
PORT-LIST List of ports. Use commas as separators and hyphens to indicate sub-
ranges (for example: 1/2/1–1/2/8, 1/1/2)
PORT-AG-LIST LAG names’ list (for example, ag01, ag04–ag07), in the range of <1–7>
Page 7
VLAN-LIST (Optional) a list of VLAN IDs to which the ports belong, in the following
format:
• Several VLAN numbers and/or ranges, separated by commas (for
example: 2,4,8–32)
Enabling/Disabling DHCP Snooping on

Trusted/Untrusted Ports
The ip dhcp snooping interface command enables/disables DHCP Snooping on
trusted/untrusted ports.
CLI Mode: Global Configuration and Interface Configuration
Command Syntax
device-name(config)#ip dhcp snooping interface {PORT-LIST | PORT-AG-LIST}
{trusted | untrusted}
device-name(config-if UU/SS/PP)#ip dhcp snooping interface {trusted |
untrusted}
PORT-LIST List of ports. Use commas as separators and hyphens to indicate sub-
ranges (for example: 1/2/1–1/2/8, 1/1/2)
PORT-AG-LIST LAG names’ list (for example, ag01, ag04–ag07), in the range of <1–7>
trusted Enables DHCP Snooping on trusted port(s). Trusted ports receive only
packets from within the network, the outside-coming packets are simply
forwarded.
The trusted ports are used to reach a DHCP server or relay agent, and
DHCP information from them is not logged in the DHCP-snooping
binding table.
untrusted Enables DHCP Snooping on untrusted port(s). Untrusted ports receive
messages from outside the network.
Untrusted
Page 8
Configuring DHCP Snooping

The ip dhcp snooping force-broadcast-request command invokes DHCP Snooping when
intercepting a unicast RENEWING request. The renewing packet is rewritten with a full broadcast
destination address.
Command Syntax
device-name(config)#ip dhcp snooping force-broadcast-request
device-name(config)#no ip dhcp snooping force-broadcast-request
no Disables the force-broadcast-request option
Enabling/Disabling the DHCP-Snooping Binding Table

The ip dhcp snooping binding-table command enables/disables the DHCP-snooping
binding table.
The DHCP-snooping binding table contains the MAC address, the IP address, the lease time, the
binding type, the VLAN number, and the port’s information that corresponds to the local
untrusted ports.
The DHCP-snooping binding table does not contain information about hosts that are connected to
trusted ports.
Command Syntax
device-name(config)#ip dhcp snooping binding-table {enable | disable}
enable Enables the DHCP-snooping binding table.
disable Disables the DHCP-snooping binding table
Disabled
Page 9
Adding Entries to the DHCP-Snooping Binding Table

The ip dhcp snooping binding command adds static entries to the DHCP-snooping binding
table.
Command Syntax
device-name(config)#ip dhcp snooping binding A.B.C.D HH:HH:HH:HH:HH:HH vlan
<vlan-id> interface UU/SS/PP
device-name(config)#no ip dhcp snooping binding A.B.C.D HH:HH:HH:HH:HH:HH
vlan <vlan-id> interface UU/SS/PP
A.B.C.D The binding entry’s IP address
HH:HH:HH:HH:HH:HH The binding entry’s MAC address
vlan <vlan-id> The VLAN to which the port belongs, in the range of <1–4094>
UU/SS/PP An untrusted port for which to add/delete a binding entry
no Deletes entries from the binding table
Defining the Number of DHCP-Snooping Binding Table

Entries
The ip dhcp snooping binding-table max-entries command defines the maximum number
of entries of the DHCP-snooping binding table.
Command Syntax
device-name(config)#ip dhcp snooping binding-table max-entries <binding-
entries>
binding-entries The maximum number of the table entries, in the range of <100–10000>
Page 10
Copying the DHCP-Snooping Binding Table

The ip dhcp snooping binding-table tftp command periodically copies the DHCP-
snooping binding table to a TFTP server. Upon reload, the device reads the file to build the
database for the bindings.
Command Syntax
device-name(config)#ip dhcp snooping binding-table tftp A.B.C.D file name
FILE-NAME write-delay <time period>
device-name(config)#no ip dhcp snooping binding-table tftp
A.B.C.D The TFTP server’s IP address
FILE-NAME The name of the copied file
write-delay The time at which the file is uploaded to the TFTP server, in the range of
<time period> <60–86400> seconds
300 seconds
no Disables the coping
Immediately Copying the DHCP-Snooping Binding

Table
The ip dhcp snooping binding-table upload tftp command immediately copies the
DHCP-snooping binding table to a TFTP server.
Command Syntax
device-name(config)#ip dhcp snooping binding-table upload tftp A.B.C.D
filename FILE-NAME
A.B.C.D The TFTP server’s IP address
FILE-NAME The name of the copied file
Page 11
Configuring the DHCP-Snooping Port Security

The ip dhcp snooping port-security interface command enables DHCP-snooping port
security (see chapter Configuring Interfaces of this User Guide) on an untrusted port(s). This feature
blocks the network traffic to DHCP clients that have not obtained their IP addresses from DHCP
servers connected to trusted ports. To communicate, the DHCP clients have to renew their IP
addresses.
Each time, when the DHCP client is plugged into an untrusted port on which DHCP-snooping
port security option is enabled, the DHCP clients have to renew their IP addresses.
NOTE
When the DHCP client’s IP address is statically changed, the combination of Port
Security and Dynamic ARP Inspection features ensure blocking of the Layer-3 traffic
on untrusted ports of the DHCP-snooping-enabled device.
Command Syntax
device-name(config)#ip dhcp snooping port-security interface PORT-LIST [vlan-
id <vlan-id>]
device-name(config)#no ip dhcp snooping port-security interface PORT-LIST
[vlan-id <vlan-id>]
PORT-LIST List of ports. Use commas as separators and hyphens to indicate sub-ranges
(for example: 1/2/1–1/2/8, 1/1/2).
vlan-id (Optional) defines a VLAN ID in the range of <1–4094> to which the ports
<vlan-id> belong.
Disabled
Enabling/Disabling the MAC-Address Match-Option

The ip dhcp snooping match-mac command enables/disables the MAC-address match-option.
Command Syntax
device-name(config)#ip dhcp snooping match-mac {enable | disable}
Page 12
enable Enables the MAC address match-option: the source MAC address in the
Ethernet header is compared to the chaddr field in the DHCP payload (within
the DHCP packet):
• If the address does not match the chaddr field, the DHCP packet is
dropped
• If the address matches the chaddr field, the device—on which DHCP
Snooping is enabled—forwards the packet
This comparison procedure is not performed for trusted ports.
disable Disables the MAC address match-option
Disabled
Enabling the DHCP-Snooping Chain Mode

The ip dhcp snooping information option chain-mode command enables the DHCP-
snooping chain mode i.e. DHCP Snooping is enabled on more than one device on the provider’s
network. This feature allows DHCP packets to be exchanged between the DHCP client and
DHCP server without being dropped by the DHCP-snooping devices located between the DHCP
client and DHCP server.
Enabling the DHCP-snooping chain mode is also required when the DHCP server and the DHCP
client are located on different Layer-2 networks, and a DHCP-relay device exits between these
networks.
In the DHCP-snooping chain mode, DHCP Snooping requires all DHCP packets to contain
Option-82 data. Option 82 allows a DHCP-relay device to insert specific information into a request
forwarded to a DHCP server (see RFC 3046).
DHCP Snooping defines the DHCP packets destination by checking Option-82 fields. When a
DHCP-Snooping-enabled device receives a packet that is not destined for it, the device forwards
the packet to all trusted ports.
DHCP servers that do not support Option-82, strip the Option-82 field from the replies.
NOTE
Configure Option-82 on all devices in the ring topology.
Each device must have a unique Option-82 value. The unique Option-82 value
can be a remote-ID (MAC), a unique TAG, or a unique circuit-id.
In the ring topology, when the DHCP-snooping chain mode is enabled, all
Option-82-enabled devices and the DHCP servers must be in the same subnet.
Command Syntax
device-name(config)#[no] ip dhcp snooping information option chain-mode
no Disables the chain mode
Page 13
Defining the Option-82 Circuit-ID

The ip dhcp snooping information option circuit-id command defines the circuit-ID. The
circuit-ID describes the port originating the packet.
Command Syntax
device-name(config)#ip dhcp snooping information option circuit-id WORD port
device-name(config)#no ip dhcp snooping information option circuit-id port
WORD Circuit-ID, a text string of 256 characters. The circuit-ID string cannot be
configured to 8, 15, 18, or 20 characters. Otherwise, a warning message
appears:
[Warning] The specified circuit ID might not work properly
if combined with other configured information options.
More than one circuit-ID can be defined per port. If a port is a member of
several VLANs, only one circuit-id can be defined for a port-VLAN
combination.
UU/SS/PP The related port
vlan-id VLAN ID, in the range of <1–4094>
no Removes the defined circuit-ID: the information contained in the Option-82
field is used to define the packet retransmit path
Enabling the Option-82 on a Port

The ip dhcp snooping information option command enables the Option-82 on a port.
Command Syntax
device-name(config-if UU/SS/PP)#[no] ip dhcp snooping information option
no Disables the Option-82
Disabled
Page 14
Defining the Option-82 Field’s Format

The ip dhcp snooping information option format binary command determines the format
of Option-82 field contained in packets coming from the DHCP client.
Command Syntax
device-name(config-if UU/SS/PP)#ip dhcp snooping information option format
binary [remote-id]
device-name(config-if UU/SS/PP)#no ip dhcp snooping information option format
binary
remote-id (Optional) inserts the MAC address of the relay agent at the end of the Option-
82 field
ASCII format
Filling the Relay Agent Field

The ip dhcp snooping set-relay-agent-address and ip dhcp snooping information
option chain-mode set-relay-agent-address commands fill in the giaddr field (IP address of
a DHCP-relay device) of the DHCP client’s packet. As a result, the DHCP server includes Option-
82 when returns DHCP packets to the DHCP clients.
DHCP servers do not echo Option-82 when a DHCP packet with giaddr field of 0 is received.
NOTE
To fill in the giaddr field using the ip dhcp snooping set-relay-agent-address
command in chain mode, first execute the ip dhcp snooping information
option chain-mode set-relay-agent-address command.
Command Syntax
device-name(config)#ip dhcp snooping set-relay-agent-address
device-name(config)#ip dhcp snooping information option chain-mode set-relay-
agent-address
Page 15
Defining the DHCP Option-82 Tag

The ip dhcp snooping information option tag command defines the DHCP Option-82 tag
value.
Command Syntax
device-name(config-if UU/SS/PP)#ip dhcp snooping information option tag <1-
65535>
device-name(config-if UU/SS/PP)#no ip dhcp snooping information option tag
tag <1-65535> Option-82 tag value, in the range of <1–65535>
no Removes the Option-82 tag
Clearing the DHCP-Snooping Binding Table

The clear ip dhcp snooping binding-table command clears all entries from the DHCP-
snooping binding table.
Command Syntax
device-name#clear ip dhcp snooping binding-table [static | learned | all]
static (Optional) only static entries are cleared.
learned (Optional) only dynamically learned entries are cleared.
all (Optional) all entries are cleared.
Page 16
Clearing DHCP-Snooping Binding Entries

The clear ip dhcp snooping binding-table ip command clears a DHCP-snooping binding
entry specified by the DHCP client’s IP address.
The clear ip dhcp snooping binding-table mac command clears a DHCP-snooping binding
entry specified by the DHCP client’s MAC address.
Command Syntax
device-name#clear ip dhcp snooping binding-table ip A.B.C.D vlan <vlan-id>
device-name#clear ip dhcp snooping binding-table mac HH:HH:HH:HH:HH:HH vlan
<vlan-id>
A.B.C.D The DHCP client’s IP address
HH:HH:HH:HH:HH:HH The DHCP client’s MAC address
vlan <vlan-id> The VLAN ID, in the range of <1–4094>
Displaying the DHCP-Snooping Binding Table

The show ip dhcp snooping binding command displays DHCP-snooping binding table entries
learned from DHCP Snooping. If no argument is specified, all entries are displayed.
Command Syntax
device-name#show ip dhcp snooping binding {interface UU/SS/PP | vlan <vlan-
id>}
UU/SS/PP Displays table entries for the selected untrusted port
vlan <vlan-id> Displays table entries for the selected VLAN ID, in the range of <1–
4094>
Page 17
Example
Display the DHCP-snooping binding entries for a specified VLAN:
device-name#show ip dhcp snooping binding vlan 1
Flags : V - valid, P - perm. lease, I - incomplete, L - learned, S - static
+-----------------+------+-------------------+-----------+---------+----------+
| IP address | VLAN | MAC address | Interface | Flags | Lease |
+-----------------+------+-------------------+-----------+---------+----------+
| 1.1.1.2| 1| 00:FF:00:00:00:01 | 1/1/2| V L | 43187|
| 1.1.1.3| 1| 00:FF:00:00:00:02 | 1/1/2| V L | 43199|
| 1.1.1.1| 1| 00:FF:00:00:00:00 | 1/1/2| V L | 43175|
+-----------------+------+-------------------+-----------+---------+----------+
Table 1: Parameters Displayed by the show ip dhcp snooping binding Command

Field Description
IP Address DHCP client’s IP address

VLAN VLAN ID of the DHCP client’s port
MAC Address DHCP client’s MAC address
Interface Port connected to the DHCP client
Type Binding type; statically configured from CLI or dynamically learned
Lease (seconds) IP address lease time
Displaying the DHCP Snooping Configuration

Information
The show ip dhcp snooping configuration command displays DHCP Snooping
configuration.
Command Syntax
device-name#show ip dhcp snooping configuration
Example
device-name#show ip dhcp snooping configuration
=====================================================================
| DHCP SNOOPING - CONFIGURATION SUMMARY |
=====================================================================
DHCP Snooping module current state : ENABLE
Current Mode : RING MODE
Match MAC address : DISABLE
DHCP Snooping Database Use : ENABLE
DHCP Snooping Database Max Entries Value : 10000
TFTP Server IP address : 192.168.0.34
Page 18
The filename of Uploaded DB : snoop_db.4.134.txt

The interval of periodic uploads in seconds : 180
set-relay-agent-address option : configured
DHCP Snooping debug messages : DISABLE
===========================================================
| DHCP Snooping Interfaces States |
===========================================================
TRUSTED 1/2/2
UNTRUSTED 1/2/1 | 1/2/3 - 1/2/8
===========================================================
| DHCP Snooping Vlans - Interface mode |
===========================================================
VLAN ID | 1
===========================================================
| DHCP Snooping Aggregations - Interface mode |
===========================================================
AGGREGATION TRUSTED
AGGREGATION UNTRUSTED AG01
=====================================================================
| DHCP Snooping Option 82 Configuration |
| Interface | Option Format | Tag | Option Policy |
=====================================================================
on vlan: 1 ascii 00001 drop
Displaying the DHCP-Snooping Port Information

The show ip dhcp snooping interface command displays DHCP-snooping configuration
information for port(s).
Command Syntax
device-name#show ip dhcp snooping interface {UU/SS/PP | aggregations | all}
UU/SS/PP Displays information for a specific port
aggregations Displays information for all trusted and untrusted LAGs
all Displays information for all trusted and untrusted ports
Example
device-name#show ip dhcp snooping interface 1/1/1
| 1/1/1 | TRUSTED
Page 19
Displaying the DHCP-Snooping Option-82 Information

The show ip dhcp snooping option82 command displays the DHCP-snooping Option-82
configuration information.
Command Syntax
device-name#show ip dhcp snooping option82
Example
device-name#show ip dhcp snooping option82
ON PORT: 1/1/2
FORMAT: ASCII
TAG: 1
POLICY: DROP
Displaying the Giaddr Field Information

The show ip dhcp snooping set-relay-agent-address command displays whether the giaddr
field is inserted in the DHCP packet.
Command Syntax
device-name#show ip dhcp snooping set-relay-agent-address
Example
device-name#show ip dhcp snooping set-relay-agent-address
set-relay-agent-address is enabled
Page 20
The following example is based on Figure 2 and shows how to configure DHCP Snooping on the
devices.
Figure 2: DHCP Snooping Configuration Example
1. Enter the VLAN Configuration mode and select the default VLAN:
DeviceA(config)#vlan
DeviceA(config vlan)#config default
2. Remove ports 1/2/1 to 1/2/8 from the default VLAN:

DeviceA(config-vlan default)#remove ports 1/2/1―1/2/8
DeviceA(config-vlan default)#exit
3. Configure a VLAN named V9 with VLAN ID 9 and add to it a port list 1/2/1―1/2/8 as
untagged:
DeviceA(config vlan)#create v9 9
DeviceA(config vlan)#config v9
DeviceA(config-vlan v9)#add ports 1/2/1―1/2/8 untagged
DeviceA(config-vlan v9)#add ports default 1/2/1―1/2/8
DeviceA(config-vlan v9)#exit
DeviceA(config-vlan)#exit
4. Enable DHCP Snooping:

DeviceA(config)#ip dhcp snooping enable
5. Enable DHCP-snooping binding table:

DeviceA(config)#ip dhcp snooping binding-table enable
6. Enable DHCP-snooping on a port list 1/2/1―1/2/8:

DeviceA(config)#ip dhcp snooping interface-mode interface 1/2/1―1/2/8 vlan
9
7. Define port 1/2/3 as trusted:

DeviceA(config)#ip dhcp snooping interface 1/2/3 trusted
Page 21
Configuring DHCP server:

1. Define a subnet number:
DHCPS(config)#service dhcp
DHCPS(config-dhcp)#subnet 9.0.0.0/8
2. Define a IP address range for clients to 9.20.1.10 up to 9.20.1.100:

DHCPS(config-dhcp-subnet)#range 9.20.1.10 9.20.1.100
DHCPS(config-dhcp-subnet)#exit
3. Enable the DHCP server:

DHCPS(config)#service dhcp enable
Configuring Host1 as DHCP client:

Restart the DHCP client:
Host1(config)#ip address dhcp renew
Checking the DHCP-Snooping database:

DeviceA#show ip dhcp snooping binding interface 1/2/5
Flags : V - valid, P - perm. lease, I - incomplete, L - learned, S - static

+-----------------+------+-------------------+-----------+---------+----------+
| IP address | VLAN | MAC address | Interface | Flags | Lease |
+-----------------+------+-------------------+-----------+---------+----------+
| 9.20.1.99| 9| 00:0B:2B:01:56:86 | 1/2/5| V L | 120|
+-----------------+------+-------------------+-----------+---------+----------+
Display configuration information for all ports on Device A:

DeviceA#show ip dhcp snooping configuration
=====================================================================
| DHCP SNOOPING - CONFIGURATION SUMMARY |
=====================================================================
DHCP Snooping module current state : ENABLE
Current Mode : INTERFACE MODE
Match MAC address : DISABLE
DHCP Snooping Database Use : ENABLE
DHCP Snooping Database Max Entries Value : 10000
TFTP Server IP address : NOT CONFIGURED
The filename of Uploaded DB : NOT CONFIGURED
The interval of periodic uploads in seconds : 180
set-relay-agent-address option : configured
DHCP Snooping debug messages : DISABLE
===========================================================
| DHCP Snooping Interfaces States |
===========================================================
TRUSTED 1/2/3
UNTRUSTED 1/2/5
Page 22
===========================================================
| DHCP Snooping Vlans - Interface mode |
===========================================================
VLAN ID | 9
===========================================================
| DHCP Snooping Aggregations - Interface mode |
===========================================================
AGGREGATION TRUSTED
AGGREGATION UNTRUSTED AG01
=====================================================================
| DHCP Snooping Option 82 Configuration |
| Interface | Option Format | Tag | Option Policy |
=====================================================================
ip dhcp snooping information option not set
Page 23

DHCP Snooping No standards are Private MIB, • RFC 951, Bootstrap

supported by this prvt_dhcp.mib Protocol (BOOTP)
feature.
• RFC 1542, Clarifications
and Extensions for the
Bootstrap Protocol
• RFC 2131, Dynamic Host
Configuration Protocol
• RFC 2132, DHCP Options
and BOOTP Vendor
Extensions
• RFC 3046, DHCP Relay
Agent Information Option
Page 24
Configuring Quality of Service (QoS)
Table of Figures ······················································································ 4
Overview ······························································································· 5
Implementation ··················································································· 5
Traffic Analysis ··················································································· 5
Basic QoS Architecture ············································································· 7

The Packets’ QoS Attributes ···································································· 8
QoS Profile························································································ 8
Sorting Packets for QoS ········································································· 9
Traffic Scheduling ··················································································10

Strict Priority (SP) ···············································································10
Weighted Round Robin (WRR) ································································11
Hybrid Scheduling ···············································································12
Egress Traffic Shaping·············································································12
Storm Control ························································································12
QoS Default Configuration········································································13

QoS Mappings Default Configuration·························································14
Scheduler Profile Default Configuration ······················································16
Shaper Default Configuration ··································································16
Port Default Configuration ·····································································16
QoS Configuration Flow ···········································································17
QoS Configuration Commands···································································18

Configuring QoS·················································································22
Configuring the Network Policy ·······························································22
Applying the Network Policy per Port ························································23
Adding the Description for Network Policy ··················································23
Configuring the Network Ingress Policy ······················································24
Enabling/Disabling the Trusted Mode DSCP ················································24
Enabling/Disabling the Trusted Mode Priority···············································24
Page 1
Configuring Quality of Service (QoS) (Rev. 11)
Applying the QoS Default Mapping on Port ·················································25

Configuring the Network Egress Remarking ·················································25
Defining Tail-Drop Profiles ····································································26
Configuring the Network Egress Policy ·······················································27
Configuring the Queue on Egress Network ··················································27
Applying Tail-Drop Profiles ····································································28
Applying the Shaping Profile ···································································28
Applying Scheduling Profile on Egress Policy ················································29
Configuring the DSCP to FC and Color Mapping ···········································29
Configuring the Dot1p to FC and Color Mapping ···········································30
Configuring the Service Policy ·································································31
Adding the Description for the Service Policy················································31
Configuring the Service Ingress Policy ························································32
Configuring the Service Queues································································32
Applying Tail-Drop Profiles ····································································32
Applying the Service Policy Shaping Profile ··················································33
Applying the Service Scheduling Profile·······················································33
Binding the Service Policy on a TLS Service ··················································34
Applying the Service Policy on a SAP ·························································35
Configuring the Shaper Profile ·································································36
Configuring Scheduling SP Profile ·····························································37
Configuring the Scheduling WRR Profile ·····················································37
Configuring the Scheduling Hybrid-1 Profile ·················································38
Displaying the Network Policy Configuration ················································41
Displaying the QoS Port Configuration ·······················································43
Displaying the Scheduler Profile Configuration ··············································43
Displaying the Shaper Profile Configuration··················································44
Displaying the Tail-Drop Profile Information ················································45
Displaying the SAP Service Information ······················································46
Displaying the Service Policy Information ····················································47
Displaying the Dot1p to FC Mapping ·························································48
Page 2
Displaying the DSCP to FC Mapping ·························································48

Displaying the Egress Mapping and Remarking ··············································50
Configuring the Traffic Type ···································································51
Displaying the Storm Control Settings ························································52
Filtering Egress Broadcast Packets·····························································53
Filtering Egress Unknown-Unicast Packets ···················································53
Filtering Egress Multicast Packets······························································54
Mapping Priority ·················································································55
Configuring the DSCP-to-FC Mapping ·······················································56
Configuring the Traffic Shaping Per-port ·····················································57
Configuring QoS Service Policy ································································58
Page 3
Table of Figures
Figure 1: Basic QoS Architecture ······························································· 7
Figure 2: 802.1p Priority Header Fields························································· 9
Figure 3: Type of Service (ToS) Header Fields ················································ 9
Figure 4: Strict Priority Queuing ·······························································11
Figure 5: Weighted Round Robin Queuing ···················································12
Figure 6: QoS Configuration Flow·····························································17
Page 4
Overview
QoS refers to the mechanisms used for controlling and reserving network resources in order to
provide different priority to specific applications/data flows and to guarantee their level of
performance. This preferential treatment might be at the expense of other traffic flows.
Implementing QoS in a network makes its performance more predictable and bandwidth utilization
more effective.
QoS policies have little effect during periods of light traffic since packets are transmitted as soon as
they arrive. They are effective at times of congestion, when a port cannot transmit all packets
simultaneously and there is a need for defining the order in which the queued packets are
transmitted.
Implementation
The typical QoS model is based on the following:
• At the network edge (ingress), the packet is assigned to a QoS service. The service is assigned
based on the packet header information (if the packet is trusted) or on the ingress port
configuration (in cases where the packet is untrusted).
• The QoS service defines the packet internal QoS handling (Class of Service—CoS and drop
precedence—Color) and optionally the packet external QoS marking, through either the
802.1p User Priority and/or the IP header DSCP field.
• Subsequent devices within the network core provide consistent QoS treatment to traffic, based
on the packet 802.1p or DSCP marking. As a result, an end-to-end QoS solution is provided.
• A device may modify the assigned CoS if a packet stream exceeds the configured profile. In
this case, the packet may be dropped or reassigned to a lower CoS.
The device incorporates the required QoS features to implement network-edge as well as network-
core devices:
• The device provides flexible mechanisms to classify packets into as many as 128 different
services.
• Up to 256 Traffic Policers may be used to control the maximum rate of specific traffic flows,
each of them can be bound to a flow or a flow aggregate.
• The packet header may have its User Priority and/or DSCP set to reflect the CoS assignment.
• Service application mechanism is based on eight egress priority queues per port (including the
CPU port), on which congestion-avoidance and congestion-resolution policies are applied.
Traffic Analysis
To effectively configure QoS, analyze the types of traffic using the port and determine their relative
bandwidth demands. Also evaluate the supported applications’ sensitivity to:
• Delay/latency—the time a packet takes before it reaches its destination.
Page 5
• Jitter—the variation of delay/latency that can seriously affect the quality of streaming audio
and/or video.
• Packet loss—the routers may fail to deliver some packets if they arrive when their buffers are
already full. Some, none, or all of the packets may be dropped, depending on the state of the
network. The receiving application might ask for this information to be retransmitted, possibly
causing severe delays in the overall transmission.
The below table details general guidelines for classifying traffic types:
Table 1: Traffic Types
Traffic Type Description
Voice Demands small amounts of bandwidth. However, the bandwidth must be
constant and predictable because voice applications are sensitive to latency
(inter-packet delay) and jitter.
Video Similar to voice application but requires larger bandwidth, depending on the
encoding.
Some applications can transmit large amounts of data for multiple streams in
one spike or burst, causing the device to buffer significant amounts of sent
video-stream data. This might cause difficulties at the network infrastructure
level, since it must be able to buffer the transmitted spikes when they occur
especially where there are line rate differences (for example, going from
Gigabit Ethernet to Fast Ethernet).
Database Does not demand significant bandwidth and is tolerant to delay. Therefore it
requires minimum bandwidth and can be set to use lower priority than the
more delay-sensitive applications.
Web browsing Cannot be generalized into a single category. You can distinguish casual and
application-oriented traffic from each other by their server source and
destinations.
Most browser-based applications have an asymmetric dataflow (small
dataflow from the client’s browser and large dataflow from the server to the
client). An exception to this pattern might be created by some Java-based
applications.
Web-based applications are generally tolerant of latency, jitter, and some
packet loss. However even a small amount of packet-loss m might have a
large impact on perceived performance, due to the nature of TCP.
File server Has the greatest demand on bandwidth, although it is tolerant to latency,
jitter, and some packet loss, depending on the network operating system and
the use of TCP or UDP.
Page 6
Basic QoS Architecture

The following figure illustrates QoS processing, divided in ingress and egress pipe units.
Figure 1: Basic QoS Architecture
Table 2: Ingress & Egress Pipes

Ingress & Egress Pipes Description
(Ingress) QoS Initial QoS initial marking associates every packet classified as data with a
Marking set of QoS attributes that determine the QoS processing by
subsequent stages. The sequence of the markers is important and is
as shown in the above figure.
(Ingress) Traffic Policing If enabled on a policy-based traffic flow, and if the packet is
and QoS Remarking classified as data, the policer meters the given flow according to a
configurable rate profile and classifies packets as either in-profile or
out-of-profile. Out-of-profile packets may be discarded or have their
QoS attributes remarked.
(Egress) QoS QoS enforcement utilizes eight egress queue-priorities per port.
Enforcement Congestion avoidance and congestion resolution techniques are
used to provide the required service.
(Egress) QoS Initial QoS initial marking associates every packet with a set of QoS
Marking attributes that determine QoS processing by subsequent stages.
Potentially, all types of packets—data, control, and mirrored to
analyzer port—are subject to egress QoS initial marking.
(Egress) Setting the The packet header 802.1p User Priority and/or IP-DSCP is defined
Packet Header’s QoS or modified.
Fields
Page 7
The Packets’ QoS Attributes

Every packet classified as data has an assigned set of QoS attributes that can be modified by each
ingress pipeline engine.
Each of the ingress pipeline engines contains several Initial QoS Markers that assign the packet
initial QoS attribute, as described in the next section.
The ingress pipeline engine also contains a QoS Remarker that can modify the initial QoS
attributes, as described in next section. The packet QoS attributes are:
• QoS Precedence—the device incorporates multiple QoS markers operating in sequence. As a
result, a later marker overrides an earlier QoS attribute assignment. By setting the QoS
Precedence flag to HARD, a QoS marker can prevent modification of packet QoS attributes
by subsequent QoS markers.
• QoS Profile Index—is used as a direct index, ranging from 0 to 127, into the global QoS
Profile table.
• Modify DSCP—enables Packet DSCP field when the packet egresses the device.
0=Packet DSCP field is not modified when the packet egresses the device
1=Packet DSCP field is modified to the DSCP value of the QoS Profile entry for the
packet QoS Profile index.
• Modify User Priority—enables packet 802.1p-User Priority field modification.
0=Packet User Priority is preserved when the packet egresses the device
1=Packet User Priority field is modified to the <UP> value of the QoS Profile entry for
the packet QoS Profile index, when the packet egresses the device.
• Default User Priority—is assigned by the ingress port configuration, only when the <Modify
UP> is cleared and the packet are received untagged.
QoS Profile
The device supports up to 128 QoS Profiles (for default profile values, refer to Table 4).
Every packet classified as data has assigned the QoS attribute <QoS Profile index> that is used by
the egress pipeline to apply the QoS service.
The QoS Profile index is used as a direct index, ranging from 0 to 127, into the global QoS Profile
table.
Each entry in the QoS Profile table contains the set of attributes:
• TC—Traffic class queue assigned to the packet.
• DP—Drop precedence assigned to the packet.
• UP—If the packet QoS attribute <Modify UP> is set and the packet is received untagged, this
field is the value used in the packet 802.1p User Priority field and packet is transmitted tagged.
If receive the packet tagged, the existing User Priority is modified with this value.
• DSCP—If setting the packet QoS attribute <Modify DSCP>, and the packet is IPv4 or IPv6,
this field is the value used to modify the packet IP-DSCP field.
• QoS profiles 0–15 are used for all types of services. Indexes 0–15 are referred to as traffic
classes, where indexes 0–7 are duplicated to indexes 8–15 with DP being set to Yellow.
Page 8
Sorting Packets for QoS

Sorting Packets by 802.1p Priority Values
The devices support standard 802.1p priority bits (VLAN Priority Tag, VPT) that are part of tagged
Ethernet packets. The below figure illustrates the 802.1p priority header fields.
Figure 2: 802.1p Priority Header Fields
The device examines the 802.1p priority of ingressing packets. Based on this priority, it maps the
packets to various hardware queues of egress ports.
NOTE
The device does not change the VPT of switched packets with an 802.1Q tag,
assuming that the sender of the packet has already determined the VPT.
You can define the VPT of packets received without a tag using the map priority
command.
Sorting Packets by the IP Type of Service (ToS, DiffServ)

Each IP packet header contains a field for the IP ToS.
The below figure illustrates the ToS fields in the IP packet header.
Figure 3: Type of Service (ToS) Header Fields
Page 9
BiNOS can use ToS values for sorting packets into QoS queues. Individual ToS values, or ranges
of values, are mapped to 802.1p priority values. Based on 802.1p priority, the packets are sorted
into QoS queues.
When a packet arrives at the device on an ingress port, the device examines the first six of eight
ToS bits, called the code point. The device can assign the QoS priority to subsequently transmit the
packet based on the code point. The QoS priority controls a hardware queue used when
transmitting the packet out of the device, and determines the forwarding characteristics of a
particular code point. Each hardware queue represents a specific Class of Service (CoS). The Class
of Service is the priority level afforded each packet.
You can use one of the following traffic classes: be (Best-Effort), 12 (Low-2), af (Assured), 11
(Low-1), h2 (High-2), ef (Expedited), h1 (High-1), nc (Network Control).
To map the DSCP values to traffic classes you can use ACL. For more information using ACL for
implementing QoS, refer to the Configuring Access Control Lists (ACLs) chapter.
Traffic Scheduling
Traffic Scheduling allows you to control the packet transmission, based on priorities assigned to
packets and the queuing mechanism configured on the port.
Strict Priority (SP)

SP provides preferential treatment to high priority traffic, making sure that mission-critical traffic
gets priority treatment. It handles queues by their order: the highest ranking queue, txq8, is serviced
first until it is empty. Then the lower queue, txq7, is serviced and so on, down to txq1.
In addition, SP provides a faster response time for high priority traffic than other methods of
queuing.
Use the SP mechanism to guarantee a fixed portion of available bandwidth to an application (for
example, interactive multimedia applications), possibly at the expense of less critical traffic.
When selecting SP, consider that lower priority traffic is often denied in favor of higher priority
traffic. In the worst case, lower priority traffic is never transmitted. However, you can avoid these
scenarios by using rate-limit to control higher-priority traffic rate.
The below figure illustrates the SP process in a four-queue architecture.
Page 10
Figure 4: Strict Priority Queuing
Weighted Round Robin (WRR)

WRR is a scheduling mechanism that cycles through the queues. A weighting factor determines
how many bytes of data the system delivers from each queue before moving to the next queue.
Using this mechanism, packets in the queue are sent until the number of bytes transmitted exceeds
the bandwidth determined by the queue’s weighting factor, or until the queue is empty. Then WRR
moves to the next queue. If a queue is empty, the device sends packets from the next queue that
has packets to send.
If a packet’s length exceeds the queue’s allowed bandwidth, the packet is still transmitted during its
time slot, but its quota is overdrawn so next time it receives a smaller allocation. This mechanism
guarantees a minimum bandwidth for each queue, but allows the minimum to be exceeded if one
or more of the port’s other queues are idle. However, when loading all the queues, each is limited to
its maximum bandwidth according to its assigned weight.
Relative percentages are calculated by byte counts rather than by packets, thus providing a greater
degree of bandwidth fairness.
The below figure illustrates the WRR queuing in four-queue architecture:
Page 11
Figure 5: Weighted Round Robin Queuing
Hybrid Scheduling
This scheduling method combines SP and WRR scheduling. Queues with higher priority are
serviced with SP while the remaining queues are serviced in accordance with WRR, after the higher
priority queues are empty.
Hybrid queuing guarantees immediate delivery of packets from high-ranking queues while avoiding
lowest-ranking queues’ starvation.
Egress Traffic Shaping

When congestion occurs, the device transmits the packets on the outgoing port and the assigned
queues. Traffic shaping allows you to shape output traffic (egress traffic) on a per-port and per-
queue basis.
Storm Control
The storm control mechanism prevents broadcast, multicast, and unicast storms from
overwhelming a network. Traffic storm control (also called traffic suppression) occurs when
packets flood the LAN, creating excessive traffic and degrading network performance. The traffic
storm control feature prevents LAN ports from being disrupted by a broadcast, multicast, or
unicast traffic storm on physical ports. This mechanism regulates the rate at which devices forward
broadcast, multicast and unicast traffic.
Each port has a single traffic storm control level that is used for all types of traffic (broadcast,
multicast, and unicast).
With the storm control feature, you can configure the ingress line rate limit per port or group ports.
Page 12
QoS Default Configuration

Table 3: Default QoS Configuration
Priority-to-queue assignment 0
Priority remark 0
QoS scheduling algorithm Strict Priority
Port profile ID See Table 4
DSCP priority 0
DSCP-to-profile assignment See Table 5
Traffic shaping Disabled
Trust mode Untrusted
SP scheduling Applied for all ports
Table 4: QoS Profile Default Configuration

Profile ID TC DP UP DSCP
0 0 Green 0 0
1 1 Green 1 0
2 2 Green 2 0
3 3 Green 3 0
4 4 Green 4 0
5 5 Green 5 0
6 6 Green 6 0
7 7 Green 7 0
8 0 Yellow 0 0
9 1 Yellow 1 0
10 2 Yellow 2 0
11 3 Yellow 3 0
12 4 Yellow 4 0
13 5 Yellow 5 0
14 6 Yellow 6 0
15 7 Yellow 7 0
16–127 Not Used Not Used Not Used Not Used
Page 13
Table 5: DSCP-to-QoS Profile Index Mapping

0–7 0
8–15 1
16–23 2
24–31 3
32–39 4
40–47 5
48–55 6
56–63 7
Table 6: Default Storm Control Values

Traffic storm control Disabled
Table 7: Default Egress Filtering Values

Broadcast, unknown unicast, and multicast Disabled

packets
Table 8: Default Tail-drop Values

ID Yellow Thershold
1 50
2 25
QoS Mappings Default Configuration

Table 9: CoS to FC and Color Mapping
Priority Txq Drop Level
0 1 green
1 2 green
2 3 green
3 4 green
4 5 green
5 6 green
6 7 green
7 8 green
Page 14
Table 10: DSCP to FC and Color Mapping

DSCP Txq Drop Level
0–7 1 green
8–15 2 green
16–23 3 green
24–31 4 green
32–39 5 green
40–47 6 green
48–55 7 green
56–63 8 green
Table 11: Egress Remarking with Dot1p

Dot1p Drop Level Priority FC
0 green 0 be
1 green 1 l2
2 green 2 af
3 green 3 l1
4 green 4 h2
5 green 5 ef
6 green 6 h1
7 green 7 nc
0 yellow 0 be
1 yellow 1 l2
2 yellow 2 af
3 yellow 3 l1
4 yellow 4 h2
5 yellow 5 ef
6 yellow 6 h1
7 yellow 7 nc
Page 15
Scheduler Profile Default Configuration

All the ports in the system are bound to profile 1, which is SP scheduling.
Shaper Default Configuration

By default, per-port and per-queue shaper is disabled.
Port Default Configuration

All ports in the system are:
• Bound to a SP scheduling profile 1
• Untrusted (port default) with default policy
• Default mapping to TC=be and color green
Default port settings are applied in the following cases:
• Untrusted mode—all packets
• L2 trust mode—L2 packets only
• L2+L3 trust mode—DSCP mapping is used for all IP packets.
Page 16
QoS Configuration Flow

Start
Ingress Egress
Network
Policy
Configure priority remark
Configure trusted DSCP

Apply tail-drop
Configure trusted priority

Apply traffic shaping
Apply scheduling profile
Define remarking of dot1p field (FC, DP pair)
Configure DSCP mapping to profile index (FC, DP pair)
Configure priority mapping to profile index (FC, DP pair)
Create and configure the QoS service policy
Configure scheduling profile and shaper profile
End
Figure 6: QoS Configuration Flow
Page 17
QoS Configuration Commands

Table 12: Configuring Network Policy
Command Description
qos Configures the QoS configuration and enters QoS Configuration mode
(see Configuring QoS)
network-policy Creates a network QoS policy and enters QoS Network Configuration
mode (see Configuring the Network Policy)
qos-network-policy Applies per port the created network QoS policy (see Applying the
Network Policy per Port)
description Adds a description strings to the network policy (see Adding the
Description for Network Policy)
Table 13: Configuring QoS Ingress Classification

Command Description
ingress Configures the ingress network policy and enters QoS Ingress
Network Configuration mode (see Configuring the Network Ingress
Policy)
trust-dscp Enables/disables L3 trusted mode DSCP per ingress network policy
(see Enabling/Disabling the Trusted Mode DSCP)
trust-priority Enables/disables L2 trusted mode priority per ingress network policy
(see Enabling/Disabling the Trusted Mode Priority)
fc Defines default mapping of port to FC and color (see Applying the QoS
Default Mapping on Port)
Table 14: Configuring QoS Egress Classification

Command Description
remark fc priority Configures dot1p egress global remarking (see Configuring the
Network Egress Remarking)
congestion- Configures the profile parameters to be used in the tail-drop
avoidance-profile calculations (see Defining Tail-Drop Profile)
tail-drop
egress Configures service egress QOS policy and enters QoS Egress
Network Configuration mode (see Configuring the Network Egress
Policy)
queue Configures queue on egress network and enters QoS Egress Queue
Network Configuration mode (see Configuring the Queue on Egress
Network).
congestion- Applies the profile of the tail-drop congestion avoidance mechanism
avoidance-profile on a queue in an egress network policy or directly on the egress
tail-drop network policy (see Applying Tail-Drop Profile)
shaper-profile Applies the shaper profile on a queue in an egress network policy or
directly on the egress policy (see Applying the Shaping Profile)
Page 18
Command Description
scheduling-profile Applies scheduling profile on egress policy (see Applying Scheduling

Profile on Egress Policy)
Table 15: Configuring Service QoS Mapping Classification

Command Description
map dscp fc Defines a DSCP to forwarding class (FC) mapping and colors traffic to
a specified value (see Configuring the DSCP to FC and Color
Mapping)
map priority fc Defines a dot1p to FC mapping and colors traffic to a specified value
(see Configuring the Dot1p to FC and Color Mapping)
Table 16: Configuring QoS Service Policy

Command Description
service-policy Creates a QoS service policy (see Configuring the Service Policy)
description Adds a description string to the created QoS service policy (see
Adding the Description for the Service Policy)
ingress Configures the QoS service ingress policy (see Configuring the
Service Ingress Policy)
queue Creates a QoS service ingress queue (see Configuring the Service
Queues)
congestion- Applies a tail-drop profile on a service ingress queue (Applying Tail-
avoidance-profile Drop Profiles)
tail-drop
shaper-profile Applies the already created service shaper profile on the service policy
or on the queue (see Applying the Shaping Profile)
scheduling-profile Applies the already created service scheduling profile on the service
policy (see Applying the Service Scheduling Profile)
qos-service-policy Binds the already created QoS service policy on the TLS service (see
Binding the Service Policy on a TLS Service)
apply-qos-service- Applies the already created QoS service policy on the specified SAP
policy (see Applying the Service Policy on a SAP)
Table 17: Configuring Shaper Profile and Scheduling Profile

Command Description
shaper-profile Configures the shaper profile for network policy, service policy, and
queues (see Configuring the Shaper Profile)
scheduling-profile Configures SP (Strict Priority) scheduling (see Configuring Scheduling
sp SP Profile)
scheduling-profile Applies and configures Weighted Round-Robin (WRR) scheduling
wrr (see Configuring the Scheduling WRR Profile)
scheduling-profile Applies and configures the first hybrid QoS algorithm (see Configuring
hybrid-1 the Scheduling Hybrid-1 Profile)
Page 19
Command Description
scheduling-profile Applies and configures the second hybrid QoS algorithm (see
hybrid-2 Configuring the Scheduling Hybrid-2 Profile)
scheduling-profile Applies and configures the third hybrid QoS algorithm (see Configuring
scheduling-profile Applies and configures the forth hybrid QoS algorithm (see
scheduling-profile Applies and configures the fifth hybrid QoS algorithm (see Configuring
scheduling-profile Applies and configures the sixth hybrid QoS algorithm (see
Table 18: Display Commands

Command Description
show qos network- Displays the information for all configured network policies or for the
policy specified policy (see Displaying the Network Policy Configuration)
show qos Displays the configuration for all ports or for the specified port (see
interface Displaying the QoS Port Configuration)
show qos Displays the scheduler profile configuration for all profiles or for the
scheduler-profile specified scheduler profile ID (see Displaying the Scheduler Profile
Configuration)
show qos shaper- Displays the shaper profile configuration for all network and service
profile profiles or for the specified shaper profile ID (see Displaying the Shaper
Profile Configuration)
show qos Displays information for all configured tail-drop profiles or for the
congestion- specified tail-drop profile (see Displaying the Tail-Drop Profile
avoidance-profile Information)
tail-drop
show qos service Displays information for the SAP service (see Displaying the SAP
Service Information)
show qos service- Displays information for all configured service policies or for the
policy specified service policy (see Displaying the Service Policy Information)
show qos ingress Displays dot1p to FC Mapping (see Displaying the Dot1p to FC
priority-map Mapping)
show qos ingress Displays DSCP to FC mapping (see Displaying the DSCP to FC
dscp-map Mapping)
show qos egress Displays egress mapping and remarking (see Displaying the Egress
remark Mapping and Remarking)
Table 19: Storm Control Commands

Command Description
storm-control Configures the storm-control threshold rate of the incoming traffic and
blocks forwarding of unnecessary flooded traffic (see Configuring the
Traffic Type)
Page 20
Command Description
show storm-control Displays the storm control levels configured on a port or for all ports
(see Displaying the Storm Control Settings)
Table 20: Egress Filtering Commands

Command Description
tx-drop-broadcast Enables egress filtering of broadcast packets (see Filtering Egress

Broadcast Packets)
tx-drop-unknown Enables egress filtering of multicast packets (see Filtering Egress
Unknown-Unicast Packets)
tx-drop-multicast Enables egress filtering of unknown unicast packets (see Filtering
Egress Multicast Packets)
Page 21
Configuring QoS
The qos command configures the QoS configuration. The command enters the QoS Configuration
mode, see the Example below.
Command Syntax
Example
device-name(config qos)#
Configuring the Network Policy

The network-policy command creates a network QoS policy. The command enters the QoS
Network Configuration mode, see the Example below.
CLI Mode: QoS Configuration (see Configuring QoS)
Command Syntax
device-name(config qos)#network-policy <network-policy-name>
device-name(config qos-net policy_name)#
device-name(config qos)#no network-policy <network-policy-name>
network-policy- Sets the policy name up to 6 characters. The default is the name of
name the default policy.
no Removes the network policy
Example
device-name(config qos)#network-policy batm
device-name(config qos-net batm)#
Page 22
Applying the Network Policy per Port

The qos-network-policy command applies per port the created network QoS policy.
Command Syntax
device-name(config UU/SS/PP)#qos-network-policy <network-policy-name>
device-name(config UU/SS/PP)#no qos-network-policy
network-policy- The policy name to be applied on a port. The name has up to 6
name characters
no Removes the network policy from the port
Example
device-name(config 1/1/1)#qos-network-policy batm
Adding the Description for Network Policy

The description command adds a description string to the created network policy.
CLI Mode: QoS Network Configuration (see Configuring the Network Policy)
Command Syntax
device-name(config qos-net policy_name)#description <description-string>
device-name(config qos-net policy_name)#no description
description-string A string up to 30 characters
no Removes the description
Page 23
Configuring the Network Ingress Policy

The ingress command configures the ingress network policy. The command enters the QoS
Ingress Network Configuration mode, see the Example below.
Command Syntax
device-name(config qos-net policy_name)#ingress
device-name(config qos-net-in policy_name)#
Example
device-name(config qos-net batm)#ingress
device-name(config qos-net-in batm)#
Enabling/Disabling the Trusted Mode DSCP

The trust-dscp command enables L3 trusted mode DSCP per ingress network policy.
CLI Mode: QOS Ingress Network Configuration (see Configuring the Network Ingress Policy)
Command Syntax
device-name(config qos-net-in policy_name)#trust-dscp
device-name(config qos-net-in policy_name)#no trust-dscp
no Enables untrusted mode, or disables the trusted mode
Enabling/Disabling the Trusted Mode Priority

The trust-priority command enables L2 trusted mode priority per ingress network policy.
Command Syntax
device-name(config qos-net-in policy_name)#trust-priority [preserve-priority]
device-name(config qos-net-in policy_name)#no trust-priority
preserve-priority Disables L2 remarking
no Enables untrusted mode, or disables the trusted mode
Page 24
Applying the QoS Default Mapping on Port

The fc command defines default mapping of port to FC and color. Traffic that enters the port
applies these settings.
By default, the default mapping of the port is fc be green.
Command Syntax
device-name(config qos-net-in policy_name)#fc {be | l2 | af | 11 | h2 | ef |
h1 | nc} {green | yellow}
be The forwarding class to be mapped is the Best-Effort Forwarding Class
12 The forwarding class to be mapped is the Low-2 Forwarding Class
af The forwarding class to be mapped is the Assured Forwarding Class
11 The forwarding class to be mapped is the Low-1 Forwarding Class
h2 The forwarding class to be mapped is the High-2 Forwarding Class
ef The forwarding class to be mapped is the Expedited Forwarding Class
h1 The forwarding class to be mapped is the High-1 Forwarding Class
nc The forwarding class to be mapped is the Network Control Forwarding Class
green The traffic with the above VPT or DSCP value is marked as green
yellow The traffic with the above VPT or DSCP value is marked as yellow
Configuring the Network Egress Remarking

The remark fc priority command configures dot1p egress global remarking.
By default, the remark priority is 0.
Command Syntax
device-name(config qos)#remark fc {be | l2 | af | 11 | h2 | ef | h1 | nc} drop-
level (green | yellow) priority <0-7>
Page 25
be Refer to the Argument Description above.
12
af
11
h2
ef
h1
nc
drop-level The drop level.
green Refer to the Argument Description above.
yellow
priority The mapping of packets according to DSCP fields, in the valid range of <0–7>.
<0–7>
Defining Tail-Drop Profiles

The congestion-avoidance-profile tail-drop command defines a tail-drop profile for queue
congestion-avoidance.
Only egress network queues use the tail-drop congestion-avoidance mechanism.
Command Syntax
device-name(config qos)#congestion-avoidance-profile tail-drop
<tail_drop_profile_id> <yellow-threshold>
device-name(config qos)#no congestion-avoidance-profile tail-drop
<tail_drop_profile_id>
tail_drop_profile_id The tail-drop profile ID (corresponding to a specific threshold level),
in the range of <1–5>. Profile ID 1 and profile ID 2 are default and
cannot be modified.
By default:
• ID 1 uses 50% of the queue's memory (queuing up to 500
frames)
• ID 2 uses 25% of the queue's memory (queuing up to 250)
yellow-threshold The allocated memory threshold value for yellow packets, in the
range of <0-100> %.
Permitted values are: 25%, 50%, 75% and 100%.
The red threshold has to be less than or equal to the yellow
threshold.
Page 26
Example
device-name(config qos)#congestion-avoidance-profile tail-drop 4 75
device-name(config qos)#congestion-avoidance-profile tail-drop 3 100
Configuring the Network Egress Policy

The egress command configures service egress QoS policy. The command enters the QoS Egress
Network Configuration mode, see the Example below.
Command Syntax
device-name(config qos-net policy_name)#egress
device-name(config qos-net-eg policy_name)#
Example
device-name(config qos-net batm)#egress
device-name(config qos-net-eg batm)#
Configuring the Queue on Egress Network

The queue command configures the queue on the egress network. The command enters the QoS
Egress Queue Network Configuration mode, see the Example below.
CLI Mode: QoS Egress Network Configuration (see Configuring the Network Egress Policy)
Command Syntax
device-name(config qos-net-eg policy_name)#queue <queue_id>
device-name(config qos-net-queue queue_id)#
queue_id The queue ID, in the valid range of <1–8>
Example
device-name(config qos-net-eg batm)#queue 3
device-name(config qos-net-queue 3)#
Page 27
Applying Tail-Drop Profiles

The congestion-avoidance-profile tail-drop command applies a tail-drop profile on a queue
of the egress network policy or directly on an egress network policy.
CLI Mode: QoS Egress Queue Network Configuration (see Configuring the Queue on Egress
Network) and QoS Egress Network Configuration (see Configuring the Network Egress
Policy)
Command Syntax
device-name(config qos-net-queue queue_id)#congestion-avoidance-profile tail-
drop <tail_drop_profile_id>
device-name(config qos-net-queue queue_id)#no congestion-avoidance-profile
tail-drop
device-name(config qos-net-eg policy_name)#congestion-avoidance-profile tail-

device-nam(config qos-net-eg policy_name)#no congestion-avoidance-profile
tail-drop
tail_drop_profile_id The tail-drop profile ID, in the range of <1–5>.
Profile ID 1 and profile ID 2 are default (see Defining Tail-Drop
Profiles)
Applying the Shaping Profile

The shaper-profile command applies the shaper profile on queue in an egress network policy or
directly on the egress network policy.
CLI Mode: QoS Egress Queue Network Configuration (see Configuring the Queue on Egress
Network) and QoS Egress Network Configuration (see Configuring the Network Egress
Policy)
Command Syntax
device-name(config qos-net-queue queue_id)#shaper-profile <shaper_profile_id>
device-name(config qos-net-queue queue_id)#no shaper-profile
device-name(config qos-net-eg policy_name)#shaper-profile <shaper_profile_id>

device-name(config qos-net-eg policy_name)#no shaper-profile
Page 28
shaper_profile_id The shaper profile ID to be applied on the egress policy or queue. The
valid range is <1–8>.
no Removes the shaper profile from the configured egress policy or
queue.
Applying Scheduling Profile on Egress Policy

The scheduling-profile command applies the scheduler profile on the egress policy.
CLI Mode: QOS Egress Network Configuration (see Configuring the Network Egress Policy)
Command Syntax
device-name(config qos-net-eg policy_name)#scheduling-profile
<profile_number>
device-name(config qos-net-eg policy_name)#no scheduling-profile
profile_number The scheduling profile ID to be applied on the egress policy. The valid
range is <1–8>.
no Removes the scheduler profile.
Configuring the DSCP to FC and Color Mapping

The map dscp fc command defines a DSCP to FC mapping and colors traffic to a specified
value.
Command Syntax
device-name(config qos)#map dscp <0-63> fc {be | l2 | af | 11 | h2 | ef | h1 |
nc} drop-level {green | yellow}
dscp <0-63> The mapping of packets according to DSCP fields, in the valid range of <0–
63>.
12
af
11
h2
ef
Page 29
h1
nc
yellow
Example
device-name(config qos)#map dscp 1 fc nc drop-level green
Configuring the Dot1p to FC and Color Mapping

The map priority fc command defines a dot1p to FC mapping and colors traffic to a specified
value.

By default, 802.1p priority information is not replaced or manipulated, and the information
observed on ingress is preserved when the packet is transmitted. This behavior is not affected by
the switching or routing configuration of the device. However, the device is capable of inserting
and/or overwriting 802.1p priority information when it transmits an 802.1Q tagged frame. The
802.1p priority information that is transmitted is determined by the hardware queue used when
transmitting the packet.
Command Syntax
device-name(config qos)#map priority <0-7> fc {be | l2 | af | 11 | h2 | ef |
h1 | nc} drop-level {green | yellow}
priority The mapping of packets according to dot1p fields, in the valid range of <0–7>.
<0-7>
12
af
11
h2
ef
h1
nc
yellow
Page 30
Example
device-name(config qos)#map priority 2 fc l2 drop-level yellow
Configuring the Service Policy

The service-policy command creates a service QoS policy. The command enters the QoS
Service Configuration mode, see the Example below.
Command Syntax
device-name(config qos)#service-policy <qos-service-policy-name>
device-name(config qos)#no service-policy <qos-service-policy-name>
qos-service- The policy name up to 6 characters. The maximum number of network
policy-name policies is 64.
no Removes the service Policy
Example
device-name(config qos)#service-policy batm
device-name(config qos-serv batm)#
Adding the Description for the Service Policy

The description command adds a description string to the created QoS service policy.
CLI Mode: QoS Service Configuration (see Configuring the Service Policy)
Command Syntax
device-name(config qos-serv policy_name)#description <description_string>
device-name(config qos-serv policy_name)#no description
description_string Adds a description to the service policy. It is a string up to 30 characters.
no Removes the description
Page 31
Configuring the Service Ingress Policy

The ingress command configures the QoS service ingress policy. The command enters the QoS
Ingress Service Configuration mode, see the Example below.
CLI Mode: QoS Service Configuration (see Configuring the Service Policy)
Command Syntax
device-name(config qos-serv policy_name)#ingress
Example
device-name(config qos-serv batm)#ingress
device-name(config qos-serv-in batm)#
Configuring the Service Queues

The queue command creates the QoS service ingress queue. The command enters the QoS Ingress
Queue Service Configuration mode, see the Example below.
CLI Mode: QoS Ingress Service Configuration ( see Configuring the Service Ingress Policy)
Command Syntax
device-name(config qos-serv-in policy_name)#queue <queue_id>
queue_id Queue ID in the valid range of <1–8>
Example
device-name(config qos-serv-in batm)#queue 3
device-name(config qos-queue 3)
Applying Tail-Drop Profiles

The congestion-avoidance-profile tail-drop command applies a tail-drop profile on a
service ingress queue.
Command Syntax
device-name(config qos-serv-in policy_name)#congestion-avoidance-profile tail-
Page 32
device-name(config qos-serv-in policy_name)#no congestion-avoidance-profile

tail-drop
tail_drop_profile_id The tail-drop profile ID, in the range of <1–5>.
Profile ID 1 and profile ID 2 are default (see Defining Tail-Drop
Profiles)
Applying the Service Policy Shaping Profile

The shaper-profile command applies the already created service shaper profile on the service
policy or on the queue.
NOTE
Use the shaper-profile <service_shaper_profile_id> command to configure
the service shaper profile ID.
CLI Mode: QoS Ingress Service Configuration ( see Configuring the Service Ingress Policy) and
QoS Ingress Queue Service Configuration (see Configuring the Service Queues)
Command Syntax
device-name(config qos-serv-in policy_name)#shaper-profile
<service_shaper_profile_id>
device-name(config qos-serv-in policy_name)#no shaper-profile
device-name(config qos-queue queue_id)#shaper-profile

<service_shaper_profile_id>
device-name(config qos-queue queue_id)#no shaper-profile
service_shaper_profile_id The service shaper profile ID to be applied on the policy or on
the queue. The valid range is <9–57>.
no Removes the shaper profile.
Applying the Service Scheduling Profile

The scheduling-profile command applies the already created service scheduling profile on the
service policy.
NOTE
Use the scheduling-profile sp command to configure the service scheduling
profile ID.
Page 33
Command Syntax
device-name(config qos-serv-in policy_name)#scheduling-profile
<profile_number>
device-name(config qos-serv-in policy_name)#no scheduling-profile
profile_number The service scheduling profile ID to be applied on the policy. The valid range
is <1–8>.
no Removes the scheduling profiles
Binding the Service Policy on a TLS Service

The qos-service-policy command binds the already created QoS service policy on the TLS
service.

To enter the above mode, refer to the Configuring a TLS Service section of the Configuring Transparent
LAN Services (TLS) chapter.
NOTE
To execute this command (see Example below):
1. Create the QoS service policy with the service-policy command.
2. Create the TLS service with correct SDPs and SAPs. Configure the SDPs
before the SAPs.
3. Apply the created policy on the TLS service, and on desired SAP ports.
Command Syntax
device-name(config-tls SERVICE-NAME)#qos-service-policy <qos-service-policy-
name>
device-name(config-tls SERVICE-NAME)#no qos-service-policy <qos-service-
policy-name>
qos-service- The policy name up to 6 characters. The maximum number of network
policy-name policies is 64.
no Removes the service Policy.
Example
device-name(config qos)#shaper-profile 10 10m 1m
[Warning] Shaper CIR and CBS can be changed to the nearest supported value
device-name(config qos-serv-in batm)#shaper-profile 10
Page 34
device-name(config qos-serv-in batm)#exit

device-name(config-tls serv)#qos-service-policy batm
Applying the Service Policy on a SAP

The apply-qos-service-policy command applies the already created QoS service policy on the
specified SAP.
CLI Mode: SAP Service Configuration

To enter the above mode, refer to the Configuring TLS Service Access Point (SAP) section of the
Configuring Transparent LAN Services (TLS) chapter.
NOTE
To execute this command (see Example below):
1. Create the QoS service policy with the service-policy command.
2. Create the TLS service with correct SDPs and SAPs. Configure the SDPs
before the SAPs.
3. Apply the created policy on the TLS service, and on desired SAP ports.
Command Syntax
device-name(config-tls-sap UU/SS/PP:CVLAN-ID:)#apply-qos-service-policy
Example
device-name(config qos)#shaper-profile 10 10m 1m
device-name(config qos-serv-in batm)#shaper-profile 10
device-name(config qos-serv-in batm)#end
device-name(config-tls serv)#qos-service-policy batm
device-name(config-tls-sap 1/2/2:100:)#apply-qos-service-policy
Page 35
Configuring the Shaper Profile

The shaper-profile command configures shaper profile for network policy, service policy, and
queue.
Command Syntax
device-name(config qos)#shaper-profile {<shaper_profile_id> |
<service_shaper_profile_id>} <cir> <cbs>
device-name(config qos)#no shaper-profile {<shaper_profile_id> |
<service_shaper_profile_id>}
NOTE
If you specify cir or cbs without K, M or G, the CLI assumes a default of K.
NOTE
The real shaper values for CIR and CBS may be different than the configured ones, due
to granularity limitations. After configuring these values, a warning message appears:
[Warning] Shaper CIR and CBS can be changed to the nearest supported
value
shaper_profile_id The shaper profile ID for network policy and queue, in the
valid range of <1–8>.
service_shaper_profile_id The service shaper profile ID to be applied on the policy or on
the queue. The valid range is <9–57>.
cir The committed information rate (CIR) value, in the valid range
of <64 Kbps–1 Gbps> in K, M or G.
NOTE
The real shaper value may be different than the
configured one, due to granularity limitations.
cbs The committed burst size (CBS) value, in the valid range of
<12 K–16 M> in K or M (granularity of 4K).
no Removes the scheduler profile.
Page 36
Configuring Scheduling SP Profile

The scheduling-profile sp command configures SP (Strict Priority) scheduling.

By default, SP scheduling is applied for all ports.
Command Syntax
device-name(config qos)#scheduling-profile sp <profile_number>
device-name(config qos)#no scheduling-profile <profile_number>
sp The SP scheduling profile
profile_number The scheduling profile ID, in the range of <1–8>. The default SP scheduling
is with profile number 1.
no Clears the specified profile ID.
Configuring the Scheduling WRR Profile

The scheduling-profile wrr command applies and configures Weighted Round-Robin (WRR)
scheduling.

In WRR scheduling, bandwidth is allocated proportionally for each queue. Network resources are
shared among all of the applications the user services, each having the specific bandwidth
requirements that you can identify.
Command Syntax
device-name(config qos)#scheduling-profile wrr <profile_number> <txq1-weight>
<txq2-weight> <txq3-weight> <txq4-weight> <txq5-weight> <txq6-weight>
<txq7-weight> <txq8-weight>
wrr The WRR profile.
profile_number The scheduling profile ID, in the range of <1–8>.
<txq1-weight> The weight of queue <txq1–txq8>. The valid range is <1–255>.
…
<txq8-weight>
Page 37
no Clears the specified profile ID.

NOTE
When you use the no scheduling-profile command, the
range of profile_number is limited to <2–8> because
profile_number 1 is the default SP scheduling and, thus,
you cannot clear it.
Configuring the Scheduling Hybrid-1 Profile

The scheduling-profile hybrid-1 command applies and configures the first hybrid QoS
algorithm.

In the first hybrid algorithm, txq8 is assigned to strict priority scheduling, and the remaining queues
are assigned to Weighted Round Robin (WRR) scheduling.
Command Syntax
device-name(config qos)#scheduling-profile hybrid-1 <profile_number>
hybrid-1 Creates hybrid profile type 1 scheduling.
profile_number Refer to Argument Description above.
<txq1-weight> The weight of queue <txq1–txq7>.
… Weight value is in the range of <1–255>.
<txq7-weight>
no Refer to Argument Description above.

The scheduling-profile hybrid-2 command applies and configures the second hybrid QoS
algorithm.

In the second hybrid algorithm, txq7 and txq8 behave according to strict priority scheduling and the
rest of the queues behave according to Weighted Round Robin (WRR).
Command Syntax
<txq6-weight>
Page 38
<txq6-weight>

The scheduling-profile hybrid-3 command applies and configures the third hybrid QoS
algorithm.

In the third hybrid algorithm, txq6–txq8 behave according to strict priority scheduling and the rest
of the queues behave according to Weighted Round Robin (WRR).
Command Syntax
<txq1-weight> <txq2-weight> <txq3-weight> <txq4-weight> <txq5-weight
<txq5-weight>

The scheduling-profile hybrid-4 command applies and configures the forth hybrid QoS
algorithm.

In the forth hybrid algorithm, txq5–txq8 behave according to strict priority scheduling, and the rest
Command Syntax
<txq1-weight> <txq2-weight> <txq3-weight> <txq4-weight>
Page 39
<txq4-weight>

The scheduling-profile hybrid-5 command applies and configures the fifth hybrid QoS
algorithm.

In the fifth hybrid algorithm, txq4–txq8 behave according to strict priority scheduling, and the rest
Command Syntax
<txq1-weight> <txq2-weight> <txq3-weight>
<txq3-weight>

The scheduling-profile hybrid-6 command applies and configures the sixth hybrid QoS
algorithm.

In the sixth hybrid algorithm, txq3–txq8 behave according to strict priority scheduling, and the rest
of the queues behave according to Weighted Round Robin (WRR)
Command Syntax
Page 40
<txq1-weight> The weight of queue txq1 and txq2.
<txq2-weight> Weight value is in the range of <1–255>.
Displaying the Network Policy Configuration

The show qos network-policy command displays the information for all configured network
policies or for the specified network policy.
Command Syntax
device-name#show qos network-policy [<policy_name>]
policy_name (Optional) the name of the network policy to be displayed, up to 6 characters.
Example 1
Display the information for all configured network policies:
device-name#show qos network-policy
+---------------------------------------------------------+
| Network Policy |
+----------------+----------------------------------------+
| Policy Name | Description |
+----------------+----------------------------------------+
| DefPol | Default network policy |
+----------------+----------------------------------------+
| User | |
+----------------+----------------------------------------+
| Test | This is a test policy |
+----------------+----------------------------------------+
Page 41
Example 2
Display the information for Test network policy:
device-name#show qos network-policy Test
Policy Name: Test
Description: This is a test policy
+---------------------------------+
| Ingress Policy Configuration |
+--------------+-----+------------+
| Trust Mode | FC | Drop Level |
+--------------+-----+------------+
| untrust | be | green |
+--------------+-----+------------+
+--------------------------------------------+
| Egress Policy Configuration |
+----------------+---------------------------+
| Scheduler Prof | Shaper Profile |
+-----+----------+-----+----------+----------+
| ID | Type | ID | CIR | CBS |
+-----+----------+-----+----------+----------+
| - | - | - | - | - |
+-----+----------+-----+----------+----------+
Egress Congestion Avoidance Configuration
+---------------------+
| Tail-drop Prof |
+-----+-------+-------+
| ID | Yel T | Red T |
+-----+-------+-------+
| 1 | 50 | NA |
+-----+-------+-------+
+----------+-----------+----------+----------+-----------+
| Queue Id | Shaper Id | CIR | CBS | Tail-drop |
+----------+-----------+----------+----------+-----------+
| 2 | 2 | 1000 | 2048 | |
+----------+-----------+----------+----------+-----------+
Policy is applied on the following port(s):
1/2/7 1/2/8
Page 42
Displaying the QoS Port Configuration

The show qos interface command displays the configuration for all ports or for the specified
port.
Command Syntax
device-name#show qos interface [UU/SS/PP]
UU/SS/PP (Optional) the physical port (Unit/Slot/Port). If you do not specify the port, the
configuration of all ports is displayed.
Example
device-name#show qos interface 1/1/1
+-----------+-----------------+
| Interface | Network Policy |
+-----------+-----------------+
| 1/1/1 | DefPol |
+-----------+-----------------+
Displaying the Scheduler Profile Configuration

The show qos scheduler-profile command displays the scheduler profile configuration for all
profiles or for the specified scheduler profile ID.
Command Syntax
device-name#show qos scheduler-profile [<profile_number>]
profile_number (Optional) the scheduler profile ID, in the range <1–8>. If you do not
specify the scheduler profile ID, all scheduler profiles are displayed.
Page 43
Example 1
device-name#show qos scheduler-profile
+------+----------+-----+-----+-----+-----+-----+-----+-----+-----+
| Id | Type | Q1 | Q2 | Q3 | Q4 | Q5 | Q6 | Q7 | Q8 |
+------+----------+-----+-----+-----+-----+-----+-----+-----+-----+
| 1 | sp | - | - | - | - | - | - | - | - |
+------+----------+-----+-----+-----+-----+-----+-----+-----+-----+
| 2 | hybrid-6 | 7 | 7 | - | - | - | - | - | - |
+------+----------+-----+-----+-----+-----+-----+-----+-----+-----+
Example 2
device-name#show qos scheduler-profile 2
+------+----------+-----+-----+-----+-----+-----+-----+-----+-----+
| Id | Type | Q1 | Q2 | Q3 | Q4 | Q5 | Q6 | Q7 | Q8 |
+------+----------+-----+-----+-----+-----+-----+-----+-----+-----+
| 2 | hybrid-6 | 7 | 7 | - | - | - | - | - | - |
+------+----------+-----+-----+-----+-----+-----+-----+-----+-----+
Displaying the Shaper Profile Configuration

The show qos shaper-profile command displays the shaper profile configuration for all
network and service profiles or for the specified shaper profile ID.
Command Syntax
device-name#show qos shaper-profile [<shaper_profile_id> |
<service_shaper_profile_id>]
shaper_profile_id (Optional) the shaper profile ID, in the range of <1–8>. If you
do not specify the shaper profile ID, all shaper profiles are
displayed.
service_shaper_profile_id (Optional) the service shaper profile ID, in the valid range of
<9–57>. If you do not specify the service shaper profile ID, all
shaper profiles are displayed.
Page 44
Example 1
device-name#show qos shaper-profile
+------+----------+----------+
| Id | CIR | CBS |
+------+----------+----------+
| 1 | 500 | 100 |
+------+----------+----------+
| 2 | 100 | 100 |
+------+----------+----------+
| 50 | 1000 | 2048 |
+------+----------+----------+
Example 2
device-name#show qos shaper-profile 1
+------+----------+----------+
| Id | CIR | CBS |
+------+----------+----------+
| 1 | 500 | 100 |
+------+----------+----------+
Displaying the Tail-Drop Profile Information

The show qos congestion-avoidance–profile tail-drop command displays information for
all configured tail-drop profiles or for the specified tail-drop profile.
Command Syntax
device-name#show qos congestion-avoidance–profile tail-drop
[<tail_drop_profile_id>]
tail_drop_profile_id (Optional) the tail-drop profile ID for which information is displayed.
The valid range is <1–5>. ID 1 and ID 2 are default and cannot be
modified.
Page 45
Example
device-name#show qos congestion-avoidance-profile tail-drop
+------+--------+--------+
| Id | Yellow | Red |
+------+--------+--------+
| 1 | 50 %| NA |
+------+--------+--------+
| 2 | 25 %| NA |
+------+--------+--------+
| 3 | 75 %| NA |
+------+--------+--------+
device-name#show qos congestion-avoidance-profile tail-drop 1

+------+--------+--------+
| Id | Yellow | Red |
+------+--------+--------+
| 1 | 50 %| NA |
+------+--------+--------+
Displaying the SAP Service Information

The show qos service command displays information for the SAP service.
Command Syntax
device-name#show qos service
Example
Service: 4 Service policy: policy
Enabled on SAPs: 1/2/3:10:
Page 46
Displaying the Service Policy Information

The show qos service-policy command displays information for all configured service policies
or for the specified service policy.
Command Syntax
device-name#show qos service-policy [<qos-service-policy-name>]
qos-service-policy-name (Optional) the service policy name for which information is
displayed. It is up to 6 characters.
Example
device-name#show qos service-policy policy
Policy Name: policy
Description: this is the service policy
+----------------+----------+
| Shaper Profile |
+-----+----------+----------+
| ID | CIR | CBS |
+-----+----------+----------+
| 10 | 10000 | 200 |
+-----+----------+----------+
+----------------+
| Scheduler Prof |
+-----+----------+
| ID | Type |
+-----+----------+
| 1 | sp |
+-----+----------+
+----------+-----------+----------+----------+
+----------+-----------+----------+----------+
| 1 | 11 | 1000 | 200 |
+----------+-----------+----------+----------+
device-name#show qos service-policy

+---------------------------------------------------------+
| Service Policy |
+----------------+----------------------------------------+
| Policy Name | Description |
+----------------+----------------------------------------+
| policy |this is the service policy |
+----------------+----------------------------------------+
Page 47
Displaying the Dot1p to FC Mapping

The show qos ingress priority-map command displays the dot1p priority to FC mapping
(default mapping).
Command Syntax
device-name#show qos ingress priority-map
Example
+-----------+--------+-------------+
| Priority | FC | Drop Level |
+-----------+--------+-------------+
| 0 | be | green |
+-----------+--------+-------------+
| 1 | l2 | green |
+-----------+--------+-------------+
| 2 | af | green |
+-----------+--------+-------------+
| 3 | l1 | green |
+-----------+--------+-------------+
| 4 | h2 | green |
+-----------+--------+-------------+
| 5 | ef | green |
+-----------+--------+-------------+
| 6 | h1 | green |
+-----------+--------+-------------+
| 7 | nc | green |
+-----------+--------+-------------+
Displaying the DSCP to FC Mapping

The show qos ingress dscp-map command displays the DSCP to FC mapping (not default).
Command Syntax
Page 48
Example
+-----------+--------+-------------+
+-----------+--------+-------------+
| 0 | be | green |
…
+-----------+--------+-------------+
| 7 | be | green |
+-----------+--------+-------------+
| 8 | l2 | green |
+-----------+--------+-------------+
…
+-----------+--------+-------------+
| 15 | l2 | green |
+-----------+--------+-------------+
| 16 | af | green |
+-----------+--------+-------------+
…
| 23 | af | green |
+-----------+--------+-------------+
| 24 | l1 | green |
+-----------+--------+-------------+
…
+-----------+--------+-------------+
| 31 | l1 | green |
+-----------+--------+-------------+
| 32 | h2 | green |
+-----------+--------+-------------+
…
+-----------+--------+-------------+
| 39 | h2 | green |
+-----------+--------+-------------+
| 40 | ef | green |
+-----------+--------+-------------+
…
+-----------+--------+-------------+
| 47 | ef | green |
+-----------+--------+-------------+
| 48 | h1 | green |
+-----------+--------+-------------+
…
+-----------+--------+-------------+
| 55 | h1 | green |
+-----------+--------+-------------+
| 56 | nc | green |
…
| 63 | nc | green |
+-----------+--------+-------------+
Page 49
Displaying the Egress Mapping and Remarking

The show qos egress remark command displays the egress mapping and remarking.
Command Syntax
Example
+---------------------+------------+
| QoS Parameters | Tx Remark |
+--------+------------+------------+
| FC | Drop Level | Priority |
+--------+------------+------------+
| be | green | 0 |
+--------+------------+------------+
| be | yellow | 0 |
+--------+------------+------------+
| l2 | green | 1 |
+--------+------------+------------+
| l2 | yellow | 1 |
+--------+------------+------------+
| af | green | 2 |
+--------+------------+------------+
| af | yellow | 2 |
+--------+------------+------------+
| l1 | green | 3 |
+--------+------------+------------+
| l1 | yellow | 3 |
+--------+------------+------------+
| h2 | green | 4 |
+--------+------------+------------+
| h2 | yellow | 4 |
+--------+------------+------------+
| ef | green | 5 |
+--------+------------+------------+
| ef | yellow | 5 |
+--------+------------+------------+
| h1 | green | 6 |
+--------+------------+------------+
| h1 | yellow | 6 |
+--------+------------+------------+
| nc | green | 7 |
+--------+------------+------------+
| nc | yellow | 7 |
+--------+------------+------------+
Page 50
Configuring the Traffic Type

The storm-control command configures the storm-control threshold rate of the incoming traffic
and blocks forwarding of unnecessary flooded traffic. All traffic that exceeds that rate is dropped.
CLI Mode: Interface Configuration, Range Interface Configuration, LAG Interface
Per ports, the ingress rate limit granularity is as follows:

• from 64 Kbps to 1 Mbps in increments of 64 Kbps
• from 1 Mbps to 1 Gbps in increments of 62,5 Kbps
By default, traffic storm control is disabled.
Command Syntax
device-name(config-if UU/SS/PP)#storm-control {broadcast | multicast |
unknown} <rate>
device-name(config-if UU/SS/PP)#no storm-control
device-name(config-if-group)#storm-control {broadcast | multicast | unknown}

<rate>
device-name(config-if-group)#no storm-control
device-name(config-if AG0N)#storm-control {broadcast | multicast | unknown}

<rate>
device-name(config-if AG0N)#no storm-control
device-name(config-ag-group)#storm-control {broadcast | multicast | unknown}

<rate>
device-name(config-ag-group)#no storm-control
broadcast Rate limits broadcast input traffic only.
multicast Rate limits known multicast traffic only.
unknown Rate limits unknown-unicast and unknown-multicast traffic only.
rate The desired ingress rate limit. Must be a number between 64 Kbps and 1 Gbps.
The number must be specified with K, M or G at the end.
NOTE
If the actual ingress line rate is different from your desired ingress
line rate, a relevant message appears, see the Example below.
no Disables storm control.
Page 51
Example
If you limit the ingress line rate to 250 Kbps, the actual rate is set to 256 Kbps. If you limit the
ingress line rate to 400 Kbps, the actual rate is set to 384 Kbps:
device-name(config-if 1/1/1)#storm-control broadcast 250K
Actual line rate was set to 256kbps due to granularity limitation
device-name(config-if 1/1/1)#interface ag01
device-name(config-if AG01)#storm-control unknown multicast 400K
Actual rate is set to 384Kbps due to granularity limitation.
Displaying the Storm Control Settings

The show storm-control command displays the storm control levels configured on a port or on
all ports.
Command Syntax
device-name#show storm-control {all | interface UU/SS/PP | interface ag0N}
all Displays the storm-control settings for all ports on the device.
interface Displays the storm-control settings for the specified port or aggregation port.
UU/SS/PP The desired port where you previously configured the ingress-rate limit.
ag0N The aggregation port where you previously configured the ingress-rate limit.
LAG ID is in the valid range of <1–7>.
Examples
• Display the storm control levels for port 1/1/1:
device-name#show storm-control interface 1/1/1
Traffic type = broadcast
Ingress line rate limit = 320Kbps
• Display the storm control levels configured for all ports:

device-name#show storm-control all
Interface 1/1/1
Traffic type = broadcast
Ingress rate limit = 256Kbps
Interface ag01
Traffic type = unknown, multicast
Ingress rate limit = 384Kbps
Page 52
Filtering Egress Broadcast Packets

The tx-drop-broadcast command filters egress broadcast packets on a specified port, blocking
unregistered broadcast traffic on the port.
By default, egress broadcast packets filtering is disabled.
Command Syntax
device-name(config-if UU/SS/PP)#tx-drop-broadcast
device-name(config-if UU/SS/PP)#no tx-drop-broadcast
device-name(config-if-group)#tx-drop-broadcast
device-name(config-if-group)#no tx-drop-broadcast
no Disables egress broadcast packets filtering
Filtering Egress Unknown-Unicast Packets

The tx-drop-unknown command filters egress unknown-unicast packets on a specified port,
blocking unregistered unknown unicast traffic on the port.
By default, egress unknown-unicast packets filtering is disabled.
Command Syntax
device-name(config-if UU/SS/PP)#tx-drop-unknown
device-name(config-if UU/SS/PP)#no tx-drop-unknown
device-name(config-if-group)#tx-drop-unknown
device-name(config-if-group)#no tx-drop-unknown
no Disables egress unknown-unicast packets filtering
Page 53
Filtering Egress Multicast Packets

The tx-drop-multicast command filters egress multicast packets on a specified port, blocking
unregistered multicast traffic on the port.
By default, egress multicast packets filtering is disabled.
Command Syntax
device-name(config-if UU/SS/PP)#tx-drop-multicast
device-name(config-if UU/SS/PP)#no tx-drop-multicast
device-name(config-if-group)#tx-drop-multicast
device-name(config-if-group)#no tx-drop-multicast
no Disables egress multicast packets filtering
Page 54
Mapping Priority
Change the mapping of the FC priority levels to the following:
• Priority 0 and 1—FC l2, drop-level green
• Priority 2 and 3—FC l1, drop-level yellow
• Priority 4 and 5—FC ef, drop-level green
• Priority 6 and 7—FC nc, drop-level yellow
1. Display the default priority of the FC levels:

+-----------+--------+-------------+
+-----------+--------+-------------+
| 0 | be | green |
+-----------+--------+-------------+
| 1 | l2 | green |
+-----------+--------+-------------+
| 2 | af | green |
+-----------+--------+-------------+
| 3 | l1 | green |
+-----------+--------+-------------+
| 4 | h2 | green |
+-----------+--------+-------------+
| 5 | ef | green |
+-----------+--------+-------------+
| 6 | h1 | green |
+-----------+--------+-------------+
| 7 | nc | green |
+-----------+--------+-------------+
2. Change the mapping of the FC priority levels:

device-name(config qos)#map priority 0 fc l2 drop-level green
device-name(config qos)#map priority 4 fc ef drop-level green
device-name(config qos)#map priority 6 fc nc drop-level yellow
device-name(config qos)#map priority 7 fc nc drop-level yellow
device-name(config qos)#end
Page 55
3. Display the new priority of the FC levels:

+-----------+--------+-------------+
+-----------+--------+-------------+
| 0 | l2 | green |
+-----------+--------+-------------+
| 1 | l2 | green |
+-----------+--------+-------------+
| 2 | l1 | yellow |
+-----------+--------+-------------+
| 3 | l1 | yellow |
+-----------+--------+-------------+
| 4 | ef | green |
+-----------+--------+-------------+
| 5 | ef | green |
+-----------+--------+-------------+
| 6 | nc | yellow |
+-----------+--------+-------------+
| 7 | nc | yellow |
+-----------+--------+-------------+
Configuring the DSCP-to-FC Mapping

Configure the mapping of DSCP 2 and 4 with FC priorities l1 and h2, respectively:
1. Configure DSCP 2 with FC priority l1 and mark it as green:
device-name(config qos)#map dscp 2 fc l1 drop-level green
2. Configure DSCP 4 with FC priority h2 and mark it as yellow:

device-name(config qos)#map dscp 4 fc h2 drop-level yellow
3. Display the DSCP-to-CoS configuration:

+-----------+--------+-------------+
+-----------+--------+-------------+
| 0 | be | green |
+-----------+--------+-------------+
| 1 | be | green |
+-----------+--------+-------------+
| 2 | l1 | green |
+-----------+--------+-------------+
| 3 | be | green |
+-----------+--------+-------------+
| 4 | h2 | yellow |
+-----------+--------+-------------+
Page 56
| 5 | be | green |
+-----------+--------+-------------+
| 5 | be | green |
+-----------+--------+-------------+
| 7 | be | green |
+-----------+--------+-------------+
| 8 | l2 | green |
+-----------+--------+-------------+
…
| 63 | nc | green |
+-----------+--------+-------------+
Configuring the Traffic Shaping Per-port

The shaper boundaries are:
Min Burst size 4KB Resolution: 4KB
Max Burst size 16MB Resolution: 4KB
Min shaper rate limit 64Kbps Using slow rate
Max shaper rate limit 1Gbps
To assign a transmission rate of 800K:

1. Configure the traffic shaping:
device-name(config qos)#shaper-profile 2 800k 1m
2. Display the traffic shaping configuration:

device-name#show qos shaper-profile
+------+----------+----------+
| Id | CIR | CBS |
+------+----------+----------+
| 2 | 800 | 1024 |
+------+----------+----------+
Page 57
Configuring QoS Service Policy

To configure the QoS service policy:
1. Configure the shaper profile:
device-name(config qos)#shaper-profile 10 10000K 200K
device-name(config qos)#shaper-profile 11 5000K 200K
2. Create the service QoS policy named policy:

device-name(config qos)#service-policy policy
3. Add description for the QoS policy:

device-name(config qos-serv policy)#description This is an ingress policy
4. Configure the QoS service ingress policy:

device-name(config qos-serv policy)#ingress
5. Apply the created shaper profile on the service policy:

device-name(config qos-serv-in policy)#shaper-profile 10
6. Create the QoS service ingress queue:

device-name(config qos-serv-in policy)#queue 3
7. Apply the created shaper profile on the queue.

device-name(config qos-serv-queue 3)#shaper-profile 11
device-name(config qos-serv-queue 3)#end
8. Create the VLAN vl10 with ID 10 and add to it port 1/2/1 (SDP port) as tagged and port
1/2/2 (SAP port) as untagged:
device-name(config vlan)#create vl10 10
device-name(config vlan)#config vl10
device-name(config-vlan vl10)#add ports 1/2/1 tagged
device-name(config-vlan vl10)#add ports 1/2/2 untagged
device-name(config-vlan vl10)#exit
Page 58
9. Configure the SDP and SAP for TLS service:

10. Apply the created QoS service policy on the TLS service:
device-name(config-tls serv)#qos-service-policy policy
11. Enable the QoS policy for the specified SAP:

device-name(config-tls-sap 1/2/2:100:)#apply-qos-service-policy
12. Display the QoS service policy:

device-name#show qos service-policy policy
Policy Name: policy
Description: This is an ingress policy
++----------------+----------+
| Shaper Profile |
+-----+----------+----------+
| ID | CIR | CBS |
+-----+----------+----------+
| 10 | 10000 | 200 |
+-----+----------+----------+
+----------+-----------+----------+----------+
+----------+-----------+----------+----------+
| 3 | 11 | 5000 | 200 |
+----------+-----------+----------+----------+
13. Display the SAP service policy:

Service: 5 Service policy: policy
Enabled on SAPs: 1/2/2:100:
Page 59
Supported Platforms
Quality of Service (QoS) + +

Quality of Service (QoS) IEEE 802.1p Private MIB, RFC 2474, Definition
Priority Queuing prvt_qos.mib of the Differentiated
IEEE 802.1ad— Services Field (DS
Field) in the IPv4 and
Describes port-
IPv6 Headers
based service
RFC 2475, An
Architecture for
Differentiated
Services
RFC 2597, Assured
Forwarding PHB
Group
RFC 2598, An
Expedited
Forwarding PHB
RFC 2697, A Single
Rate Three Color
Marker
RFC 2698, A Two
Rate Three Color
Marker
RFC 3140, Per Hop
Behavior
Identification Codes
Page 60
Operations, Administration & Maintenance (OAM)
Table of Figures ······················································································ 8
802.3ah Ethernet in the First Mile (EFM-OAM) ··············································10

Overview ·························································································10
Potential Applications ···········································································11
Installation Configurations······································································11
EFM-OAM Protocol Functionality ····························································12
Discovery ·························································································13
Timers ····························································································13
Flags·······························································································14
Process Overview················································································14
Rules for Active Mode ·····································································14
Rules for Passive Mode ····································································15
Link Monitoring Process········································································15
Remote Failure Indication ······································································16
Remote Loopback ···············································································16
EFM-OAM Configuration Flow ·······························································17
Configuring EFM-OAM ········································································18
Enabling/Disabling EFM-OAM··························································18
Specifying the Number of OAMPDUs ··················································19
Enabling/Disabling Sending of Local Event Notifications to Remote Device·······19
Enabling/Disabling Sending of Event Notifications to Local Syslog Daemon ······20
Defining OAMPDUs Priority·····························································20
Defining the Keep-Alive Interval ·························································21
Defining the Hello Interval································································22
Setting the EFM-OAM History limit ·····················································22
EFM-OAM Interface Configuration Commands·············································23
Enabling/Disabling the EFM-OAM State on the Specified Interface ················23
Forcing the EFM-OAM Local/Remote Loopback Configuration ····················24
Page 1
Operations, Administration & Maintenance (OAM) (Rev.13)
Enabling/Disabling the EFM-OAM Enhancements on the Specified Interface·····25

Defining the EFM-OAM Thresholds for Bit Error Monitoring on the Specified
Interface ·····················································································26
Defining the EFM-OAM Thresholds for Frame Error Monitoring on the Specified
Interface ·····················································································27
Defining Event Monitoring on a Specific Interface·····································28
Enabling Event Return ····································································29
EFM-OAM Monitoring and Network Testing Commands ·································30
Enabling EFM-OAM Non-intrusive Monitoring ·······································31
Enabling EFM-OAM Monitoring ························································32
Enabling/Disabling Loopback Commands' Processing ································35
Enabling EFM-OAM Get Variable·······················································35
Clearing EFM-OAM History······························································36
EFM-OAM Display Commands ·······························································37
Displaying EFM-OAM Status and Configuration·······································37
Displaying EFM-OAM History on a Specified Interface·······························39
Displaying the EFM-OAM History Count for a Specific Port·························40
Displaying EFM-OAM History ···························································41
Displaying EFM-OAM Local and Remote Interface Statistics·························41
Log Messages ····················································································43
EFM-OAM Configuration Example···························································45
802.1ag Connectivity Fault Management (CFM)··············································50

Overview ·························································································50
CFM-OAM Protocol Functionality·······················································50
CFM Purpose ···············································································50
Mechanisms of Ethernet 802.1ag OAM·······················································51
Discovery and Connectivity ····································································51
Fault Verification (Loopback Messages)·······················································53
Fault Isolation (Linktrace Messages) ···························································53
Fault Notification and Alarm Suppression (Fault Alarms)···································55
CFM-OAM Configuration Flow ·······························································56
Configuring 802.1ag CFM in Protocol Configuration Mode ································59
Enabling/Disabling the CFM Protocol ··················································59
Creating and Accessing a Maintenance Domains ·······································60
Page 2
Operations, Administration & Maintenance (OAM) (Rev. 13)
Restoring the Version 6.1··································································61

Displaying the Current Version ···························································61
The CFM Maintenance Domain Commands ·················································62
Creating Maintenance Associations·······················································62
Specifying MIP Creation Policy (in Maintenance Domain) ····························64
Defining the Identification Data Sent to the Remote MEPs ···························64
CFM Maintenance Association Commands···················································66
Defining the Hello Interval································································67
Adding/Removing MEPs ·································································68
Configuring CCM Priority ·································································69
Specifying MIP Creation Policy (in Maintenance Association) ························69
Defining the Identification Data Sent to the Remote MEPs ···························71
Defining the Defect Priority·······························································72
Updating the Remote MEPs List ·························································73
Defining the Fault Notification Reset Time ·············································74
Defining the Fault Notification Alarm Time ············································74
Enabling the AIS/LCK ····································································75
Configuring the AIS/LCK Level ·························································75
Configuring the AIS/LCK Priority ·······················································76
Configuring the AIS/LCK Sending Interval·············································77
Enabling a MEP in an Active State ·······················································77
Enabling a MEP to Send CCMs ··························································78
CFM Performance Monitoring Commands ···················································79
Performance Monitoring Profile Creation ···············································79
Configuring Two-way Monitoring Process ··············································80
Configuring Time between Performance Parameters Update··························81
CFM Profile Configuration ·····································································82
Specifying the 802.1p Class-of-Service Setting ··········································83
Specifying the Number of Loopback Request Packets ·································83
Specifying the Size of Loopback Request Packets ······································83
Specifying One-Way Jitter Error Monitoring ············································84
Specifying One-Way Jitter Warning Monitoring·········································84
Specifying Two-Way Jitter Error Monitoring············································84
Page 3
Specifying Two-Way Jitter Warning Monitoring ········································85

Specifying Two-Way Frame-Loss Error Monitoring····································85
Specifying Two-Way Frame-Loss Warning Monitoring ································86
Specifying Two-Way Latency Error Monitoring ········································86
Specifying Two-Way Latency Warning Monitoring ·····································87
Defining the CFM OAM Process Result Bucket Size ··································87
802.1ag CFM Monitoring and Statistics Commands ·········································88
Displaying the CFM Configuration·······················································88
Displaying Connectivity Statistics·························································92
Displaying Monitoring Parameters ·······················································94
Displaying Performance Statistics·························································95
Displaying the Update Interval····························································96
Sending Linktrace Messages ·······························································97
Sending Loopback Messages ······························································98
CFM Configuration Example································································· 100
Configuring two Devices in CFM Protocol············································ 100
Using the clear connectivity Command ·············································· 105
SAA Throughput Test ············································································ 109

Overview ······················································································· 109
Unidirectional Throughput Test ····························································· 109
Bi-Directional Throughput Test······························································ 110
The SAA Throughput Test Configuration Flow············································ 112
SAA Throughput Test Configuration Commands ········································· 113
Creating a Throughput Test ····························································· 114
Defining the Throughput Test Type ··················································· 115
Defining the Source for Throughput Test ············································· 116
Defining the C-VLAN ··································································· 117
Defining the Throughput Test Target·················································· 118
Defining the Maximum Test Rate ······················································ 119
Defining the Burst Size for the Unidirectional Test··································· 119
Defining the Test Duration ····························································· 120
Defining the Test Packet Pattern ······················································· 121
Defining the Frame Loss Ratio Threshold············································· 121
Page 4
Defining the Test's Data-Size List ······················································ 122

Defining the Test Timeout ······························································ 123
Defining the Result Acknowledge Timeout············································ 123
Defining the Loopback Type···························································· 124
Starting/Stoping the Throughput Test ················································· 124
Displaying the Throughput Test Results ··············································· 126
Throughput Test Configuration Example··················································· 127
Service Assurance Application (SAA) ··························································131

Overview ······················································································· 131
SAA Configuration Flow ····································································· 132
SAA Configuration Commands ······························································ 133
Creating an SAA Profile ································································· 135
Configuring the Near Delay Thresholds ··············································· 135
Configuring the Far Delay Thresholds ················································· 136
Configuring the Near Jitter Thresholds ················································ 137
Configuring the Far Jitter Thresholds ·················································· 137
Configuring the Near Frame-Loss Ratio Thresholds ································· 138
Configuring the Far Frame-Loss Ratio Thresholds ··································· 138
Defining the Maximum Number of Concurrent SAA Tests ························· 139
Creating an SAA Test ···································································· 139
Configuring the SAA Service Test Type ··············································· 140
Configuring the SAA VLAN Test Type················································ 141
Enabling/Disabling the Current SAA Test ············································ 142
Attaching a Threshold Profile and Enabling Alarms·································· 142
Configuring the Repeat Frequency ····················································· 143
Configuring Probe Statistics ····························································· 143
Configuring Probe Timeout ····························································· 144
Configuring the Test Sending Interval ················································· 144
Configuring the Monitored Interval ···················································· 145
Configuring the Test Priority···························································· 145
Configuring the Test's Metric Types···················································· 146
Configuring the Test Delay Calculation Method ······································ 147
Configuring the Test Jitter Calculation Method ······································· 148
Page 5
Defining the Current Service Loopback Functionality································ 148

Defining the Current VLAN Loopback Functionality································ 149
Displaying the SAA Tests Results ······················································ 150
Displaying the SAA Threshold Profile ················································· 151
Displaying the SAA Loopback Service ················································· 152
Displaying the SAA Loopback VLAN ················································· 152
SAA Configuration Example ································································· 153
ITU-T G.8031 Ethernet Protection Switching (EPS) ······································· 158

Overview ······················································································· 158
Switchover Options ··········································································· 158
EPS Configuration Flow ······································································ 159
EPS Configuration Commands ······························································ 160
Enabling/Disabling EPS ································································ 161
Selecting the CFM Level································································· 161
Selecting the Primary Path’s MEPs ····················································· 162
Selecting the Backup Link MEPs ······················································· 162
Activating EPS············································································ 163
Defining the Hold Off Timer ··························································· 163
Manual Traffic Switchover ······························································ 163
Locking the Active Path ································································· 164
Blocking the Service Protection························································· 164
Enabling/Disabling Revertive Protection·············································· 164
Defining Wait-to-Restore Timer ························································ 165
Configuring Signal Degrade Test ······················································· 165
Enabling/Disabling Signal Degrade Events ··········································· 166
Clearing Local Commands ······························································ 166
Displaying the EPS Service Status ······················································ 166
EPS Configuration Example ································································· 167
Event Propagation ················································································ 172

Event Propagation Configuration Flow ····················································· 173
Event Propagation Configuration Commands·············································· 174
Creating an Event Propagation Profile ················································· 174
Configuring Remote Fault Detection and Propagation ······························· 175
Page 6
Configuring Local Alarm Propagation ················································· 176

Applying a Profile to a SAP or a Port ·················································· 176
Displaying the Configured Event Propagation Profiles······························· 177
Displaying the Running Sessions ······················································· 178
Event Propagation Configuration Example················································· 180
Ethernet Local Management Interface (E-LMI, MEF 16) ······························· 183

E-LMI Configuration Flow ··································································· 184
E-LMI Configuration Commands ··························································· 185
Enabling/Disabling E-LMI on the Device ············································ 186
Enabling/Disabling E-LMI per Port ··················································· 186
Defining the E-LMI Mode ······························································ 186
Configuring the E-LMI Polling Timer ················································· 187
Configuring the E-LMI Polling Verification Timer ··································· 188
Configuring the E-LMI Polling Counters ·············································· 188
Configuring the E-LMI Status Counters ··············································· 189
Displaying the E-LMI Status ···························································· 189
Displaying the E-LMI VLAN ··························································· 190
Displaying the E-LMI Statistics ························································· 191
Clearing the E-LMI Port Statistics ······················································ 192
E-LMI Configuration Example ······························································ 193
Diagnosing Connectivity Problems···························································· 195

Ping ····························································································· 195
Trace Route ···················································································· 195
Supported Platforms ·············································································· 196
Supported Standards, MIBs and RFCs ······················································· 197
Page 7
Table of Figures
Figure 1: End-to-End OAM Configuration ···················································10
Figure 2: Managing Provider Devices using the EFM 802.3ah Standard···················11
Figure 3: Managing Customer Devices (passive) using the EFM 802.3ah Standard·······12
Figure 4: EFM-OAM Configuration Flow ····················································17
Figure 5: Example for Configuring Two Devices in EFM-OAM Protocol ················45
Figure 6: OAM Ethernet Tools ································································51
Figure 7: MEP1 and MEP3 Send a Multicast CC Frame ····································52
Figure 8: MEP4 and MEP2 Send a Multicast CC Frame ····································52
Figure 9: Loopback Operation ·································································53
Figure 10: Link Trace Operation ·······························································54
Figure 11: CFM-OAM Configuration Flow···················································56
Figure 12: CFM-OAM Performance Monitoring Flow ······································57
Figure 13: CFM-OAM on-demand Tools Flow ··············································58
Figure 14: Example for Configuring Two Devices in CFM Protocol ···················· 100
Figure 15: Example for using the clear connectivity Command··························· 105
Figure 16: Unidirectional Test ································································ 109
Figure 17: End-to-End Unicast Loopback Test ············································ 110
Figure 18: Configuring Two Devices in Throughput Test Configuration Mode ········ 127
Figure 19: Example for Configuring Two Devices in SAA Test Configuration Mode·· 153
Figure 20: Protecting Services Using EPS. ·················································· 158
Figure 21: EPF Configuration Flow ························································· 159
Figure 22: Event Propagation Configuration Flow········································· 173
Figure 23: E-LMI Configuration Flow ······················································ 184
Page 8

OAM is a family of standards providing reliable remotely-managed service-assurance (SA)
mechanisms for both the provider and customer networks, offering the ability to perform
automatic periodic network-wide service assurance and quality verifications.
This chapter includes the configuration instructions for the following OAM standards:
• 802.3ah Ethernet in the First Mile (EFM-OAM)
This standard specifies the protocols and Ethernet interfaces for using Ethernet over
access links as a first-mile technology and transforming it into a highly reliable
technology.
For more information, refer to 802.3ah Ethernet in the First Mile (EFM-OAM)
• 802.1ag Connectivity Fault Management (CFM)
This standard refers to the ability of a network to monitor the health of an end-to-end
service delivered to customers (as oppose to just links or individual bridges).
For more information, refer to 802.1ag Connectivity Fault Management (CFM)
• SAA Throughput Test
This section describes the steps for configuring and executing unidirectional and
bi-directional throughput tests.
For more information, refer to SAA Throughput Test
• Service Assurance Application (SAA)
SAA is a software feature that allows you to monitor the performance of network-hosted
applications by emulating the traffic of these applications.
For more information, refer to Service Assurance Application (SAA)
• ITU-T G.8031 Ethernet Protection Switching (EPS)
EPS is a method of protecting point-to-point Ethernet service connection over VLAN
transport networks, assuring traffic transport between the two service ends.
For more information, refer to ITU-T G.8031 Ethernet Protection Switching (EPS).
• Event Propagation
The Event Propagation feature allows users to configure automatic actions executed
upon the occurrence of specific events. For more information, refer to Event Propagation.
• Ethernet Local Management Interface (E-LMI)
E-LMI, an OAM protocol, enables the CE to auto-configure its support of Metro
Ethernet services.
For more information, refer to Ethernet Local Management Interface (E-LMI,
MEF 16).
Page 9
802.3ah Ethernet in the First Mile (EFM-OAM)
Overview
The IEEE 802.3ah Ethernet in the First Mile (EFM) standard specifies the protocols and Ethernet
interfaces for using Ethernet over access links as a first-mile technology and transforming it into a
highly reliable technology.
Using the Ethernet in the First Mile solution, you gain broadcast Internet access in addition to
services (such as Layer 2 transparent LAN services, Voice services over Ethernet Access networks,
Video, and multicast applications) reinforced by security and Quality of Service (QoS) control to
build a scalable network.
The in-band management specified by this standard defines the operations, administration, and
maintenance (OAM) mechanism needed for the advanced monitoring and maintenance of
Ethernet links in the first mile. The OAM capabilities facilitate network operation and
troubleshooting for both the provider and the customer networks.
Basic 802.3 packets convey OAM data between two ends of a physical link. The 802.3ah (Clause
57) provides the single-link OAM capabilities.
When enabled, two connected OAM devices exchange Protocol Data Units (OAMPDUs).
OAMPDUs are standard-size frames, including information such as the destination MAC address,
EtherType and subtype, sent at a predefined rate (a limitation necessary for reducing the impact on
the usable bandwidth).
EFM OAM is an optional and you can enable or disable it per physical port.
Figure 1: End-to-End OAM Configuration
Page 10
Potential Applications
Service providers use the link layer EFM for demarcation point OAM services.
Using the Ethernet demarcation service, providers can manage remote devices (defined as passive
devices) without utilizing an IP layer. Instead they can utilize link-layer SNMP counters request and
reply, loopback testing, and other techniques that are controlled remotely.
Installation Configurations
The following configuration shows how to manage the provider device (CPE passive device) using
802.3ah standard.
Figure 2: Managing Provider Devices using the EFM 802.3ah Standard
Page 11
The configuration below illustrates how to manage the customer devices using EFM 802.3ah.
Figure 3: Managing Customer Devices (passive) using the EFM 802.3ah Standard
EFM-OAM Protocol Functionality

EFM-OAM supports the following basis functionalities:
• Discovery: a local Data Terminating Entity's (DTE) ability to discover other EFM-OAM
enabled DTEs and exchanging information about OAM entities, capabilities, and
configuration.
• Link monitoring: this process is used to detect and indicate link faults to its peer.
• Remote failure detection: a mechanism for an OAM device to convey error conditions to its peer
via a flag in the OAMPDUs.
• Remote loopback: this mechanism is used to troubleshoot problematic segments by sending
Loopback Control OAMPDUs to the peer.
• MIB variable retrieval: used for retrieving information from a management information base.
• Organizing specific enhancements: provides vendor-specific enhancements to the protocol.
Page 12
Discovery
At the first phase EFM-OAM enabled DTEs identify other DTEs along with their OAM
capabilities using Information OAMPDUs, advertising the following information:
• OAM configuration (capabilities)—the local DTE's OAM capabilities. Using this information, a
peer can determine what functions are supported and accessible (for example, loopback
capability).
• OAM mode—the DTE's OAM mode, also used to determine the DTE's functionality:
Active mode: the DTE instigates OAM communications and can issue queries and
commands to the remote device.
Passive mode: the DTE generally waits for the peer DTE to instigate OAM
communications and responds to them. It does not instigate commands and queries.
For more information about the rules for active and passive mode DTEs, refer to Rules
for Active Mode and Rules for Passive Mode below.
The mode combinations are:
One active and one passive OAM DTE
Two active OAM DTEs
• OAMPDU configuration—including the maximum size of OAMPDUs delivered (This
information, in combination with a limited rate of ten frames per second, is used to limit the
bandwidth allocated to OAM traffic)
• Platform identity—the platform identity is a combination of an Organization Unique Identifier
(OUI, the first three bytes of the MAC address) and 32-bits of vendor-specific information.
OUI allocation is controlled by the IEEE.
Once OAM support is detected and the OAM expectations are met, both ends of the link
exchange the above information, enabling OAM on the link. However, the loss of a link or a failure
to receive OAMPDUs for a predefined interval causes the discovery process the start over again.
Timers
Two configurable timers control the protocol:
• The Hello timer, determining the rate for sending OAMPDUs
• The Keep-alive timer, determining the time interval for expecting OAMPDUs from the peer
An additional 1-second non-configurable timer is used for error aggregation necessary for the Link
Monitoring Process to generate link quality events.
Page 13
Flags
Each OAMPDU includes a Flags field that includes the discovery process status. There are three
possible status values:
• Discovering—the discovery process is in progress
• Stable—discovery is completed and the remote device can start sending any type of OAMPDU
• Unsatisfied—when there are mismatches in the OAM configuration that prevent OAM from
completing the discovery process
Process Overview
The discovery process allows a local Data Terminating Entity (DTE) to detect OAM on a remote
DTE. Once OAM support is detected, both ends of the link exchange state and configuration
information (such as mode, PDU size, loopback support, etc.). If both DTEs are satisfied with the
settings, OAM is enabled on the link. However, the loss of a link or a failure to receive OAMPDUs
for five seconds may cause the discovery process the start over again.
DTEs may either be in active or passive mode. Active mode DTEs instigate OAM
communications and can issue queries and commands to a remote device. Passive mode DTEs
generally wait for the peer device to instigate OAM communications and respond to, but do not
instigate, commands and queries. Rules of what DTEs in active or passive mode can do are
discussed in the following sections.
Rules for Active Mode

The Active mode DTE:
• initiates the OAM Discovery process
• sends Information PDUs
• can send Event Notification PDUs
• can send Variable Request/Response PDUs
• can send Loopback Control PDUs
• does not respond to Variable Request PDUs from devices in Passive mode
• does not react to Loopback Control PDUs from devices in Passive mode
Page 14
Rules for Passive Mode

The Passive mode DTE:
• waits for the remote device to initiate the Discovery process
• sends Information PDUs
• can send Event Notification PDUs
• can respond to Variable Request PDUs
• can react to received Loopback Control PDUs
• cannot send Variable Request or Loopback Control OAMPDUs
Link Monitoring Process

The Link Monitoring process is used for monitoring the link for occurrences where defined
thresholds are crossed and notifying the remote device by sending Event Notification OAMPDUs.
The events the Link Monitoring process indicates:
• Errored Symbol per second—if the number of symbol errors that occurred during a specified
period exceeded a threshold. These are coding symbol errors (for example, a violation of
4B/5B coding).
• Errored Frame per second—if the number of frame errors detected during a specified period
exceeded a threshold.
• Errored Frame per N frames—if the number of frame errors within the last N frames exceeded a
threshold.
• Errored Seconds Summary (errored seconds per M seconds)—if the number of errored seconds (one
second intervals with at least one frame error) per M seconds exceeded a threshold.
Since 802.3ah OAM does not guarantee the delivery of OAMPDUs, the Event Notification
OAMPDU can be sent multiple times to reduce the probability of losing these notifications using a
sequence number in order to recognize duplicate events.
The Link Monitoring process operates on all enabled EFM OAM links.
Page 15
Remote Failure Indication

Faults in Ethernet that are caused by slowly deteriorating quality are more difficult to detect than
completely disconnected links. A flag in the OAMPDU allows an OAM entity to send failure
conditions to its peer. The failure conditions are defined as follows:
• Link Fault—The Link Fault condition is detected when the receiver loses the signal. This
condition is sent once per second in the Information OAMPDU.
• Dying Gasp—This condition is detected when the receiver goes down. The Dying Gasp
condition is considered as unrecoverable. Conditions for dying gasp:
Management of the reload command
Device power down (incidental / deliberate).
• Critical Event—When a critical event occurs, the device is unavailable as a result of malfunction,
and it is to be restarted by you. The critical events can be sent immediately and continually.
Conditions for critical events:
Fatal error mess any task on the device (suspend)
When a link receives no signal from its peer at the physical layer (for example, if the peer’s laser is
malfunctioning), the local entity sets this flag to let the peer know that it’s transmit path is
inoperable.
Since these conditions are severe, the OAMPDUs updated with these flags are not subject to
normal rate limiting policy.
Remote Loopback
In order to verify the quality of links, estimating whether a network segment satisfies an SLA, and
when troubleshooting, the active device can enable the remote peer's loopback mode, using
Loopback Control OAMPDUs.
When in a loopback mode, the peer loops back all the traffic (except for OAMPDU traffic and
pause frames) without changing it. The remote peer acknowledges the loopback by responding
with an Information OAMPDU, indicating the loopback status in the State field.
CAUTION
Initiating this mode drops all traffic from the remote peer device.
There are two kinds of loopback tests:

• Loopback using multiple ping packets (1 to 200 packets). This tests and displays also the local
and remote peer's counters.
• Loopback using hardware-created frames at wire-speed, allowing the testing of the link under
extreme high-load conditions. (These frames are discarded on the active device when they get
back from the remote peer.) This tests and displays also the local and remote peer's counters.
Page 16
EFM-OAM Configuration Flow

Start
Enable protocol
Configure protocol parameters priority, hello-interval,

keepalive-interval, multiple-pdu-count, propagate-events.
Configure EFM-OAM per port
Built-in test tools
Non-intrusive Intrusive
Set network monitoring Configure EFM-OAM monitoring and
network testing
Start/Stop EFM-OAM local/remote
loopback configuration
End
Figure 4: EFM-OAM Configuration Flow
Page 17
Configuring EFM-OAM
Table 1: EFM-OAM Protocol Configuration Commands
Command Description
efm-oam Enables/disables the EFM-OAM protocol (see Enabling/Disabling

EFM-OAM)
efm-oam multiple-pdu- Specifies the number of OAMPDUs that are sent when the
count protocol sends multiple successive messages (Event Notification
OAMPDU) (see Specifying the Number of OAMPDUs).
efm-oam propagate- Enables the sending of local event notifications to the remote
events device (see Enabling/Disabling Sending of Local Event
Notifications to Remote Device)
efm-oam log-events Enables/disables sending of event notification OAMPDUs to the
local Syslog daemon (see Enabling/Disabling Sending of Event
Notifications to Local Syslog Daemon)
efm-oam priority Defines priority for the sent OAMPDUs (see Setting OAMPDUs
Priority)
efm-oam keepalive- Defines the aging interval in seconds for the neighboring device
interval that last sent packets (see Setting the Keep-Alive Interval)
efm-oam hello- Defines the time interval between two PDUs in milliseconds (see
interval Setting the Hello Interval)
efm-oam history limit Defines the EFM-OAM history limit (see Setting the EFM-OAM
History limit)
Enabling/Disabling EFM-OAM
The efm-oam command enables/disables the EFM-OAM protocol on the devices.
The efm-oam disable/enable command configures all EFM-OAM parameters to their default
values. To disable the protocol and keep the current configuration, disable the protocol on a
specified port or port range.
Command Syntax
device-name(cfg protocol)#efm-oam {enable | disable}
enable Enables EFM-OAM protocol.
Enabled
disable Disables EFM-OAM protocol.
Page 18
Example
device-name(cfg protocol)#efm-oam enable
Specifying the Number of OAMPDUs

The efm-oam multiple-pdu-count command specifies the number of OAMPDUs that are sent
when the protocol sends multiple successive messages (Event Notification OAMPDU).
Command Syntax
device-name(cfg protocol)#efm-oam multiple-pdu-count <pdu-count>
device-name(cfg protocol)#no efm-oam multiple-pdu-count
pdu-count Defines the number of identical PDUs, in the range of <1–10>. These
PDUs are sent when the local event occurs and requires propagation to
the remote device.
5 OAMPDU
Example
device-name(cfg protocol)#efm-oam multiple-pdu-count 3
Enabling/Disabling Sending of Local Event Notifications to

Remote Device
The efm-oam propagate-events command enables the sending of local event notifications to the
remote device.
Command Syntax
device-name(cfg protocol)#[no] efm-oam propagate-events
no Disables the event propagation.
the event propagation is enabled
Page 19
Example
device-name(cfg protocol)#efm-oam propagate-events
Enabling/Disabling Sending of Event Notifications to Local Syslog

Daemon
The efm-oam log-events command enables/disables sending of event notification OAM PDUs
to the local Syslog daemon. Thus, the logging of the local activity is disabled.
When you enable the event notification, all the EFM messages are logged. When you disable this
function, EFM threshold messages are not logged.
Command Syntax
device-name(cfg protocol)#[no] efm-oam log-events
no Disables the local Syslog daemon's event propagation.
the sending of the event notification OAMPDUs is enabled
Example
device-name(cfg protocol)#no efm-oam log-events
Defining OAMPDUs Priority

The efm-oam priority command sets priority for the sent OAMPDUs.
NOTE
This command takes affect only if the port is a tagged member of the default
VLAN.
Command Syntax
device-name(cfg protocol)#efm-oam priority <priority>
device-name(cfg protocol)#no efm-oam priority
Page 20
priority Defines 802.1p priority value for the outgoing and incoming EFM-OAM PDUs,
in the range of <0–7>.
the priority is undefined
Example
device-name(cfg protocol)#efm-oam priority 3
Defining the Keep-Alive Interval

The efm-oam keepalive-interval command sets the aging interval in seconds for the
neighboring device that last sent packets. When the neighboring device does not send a PDU
within the defined keep-alive interval, it is considered inoperative.
Command Syntax
device-name(cfg protocol)#efm-oam keepalive-interval <interval>
device-name(cfg protocol)#no efm-oam keepalive-interval
interval Defines the aging interval, in the range of <100–15000> milliseconds.
5000 milliseconds
Example
device-name(cfg protocol)#efm-oam keepalive-interval 3000
Page 21
Defining the Hello Interval

The efm-oam hello-interval command sets the time interval between two PDUs in
milliseconds. This mechanism is used to inform the neighboring device that the local device is
operative. When the local device receives no PDU within the defined keep-alive interval, the
neighboring device is considered inoperative.
NOTE
The standard hello interval is 1 second. However, to reduce overload in some
cases, it is possible to set the range to up to 5 seconds even though it violates the
standard.
NOTE
The keepalive-interval must be 2 times bigger than the hello-interval.
Command Syntax
device-name(cfg protocol)#efm-oam hello-interval <interval>
device-name(cfg protocol)#no efm-oam hello-interval
interval Defines the repetition interval of sending Hello packets. The range is <100–
5000> milliseconds.
1000 milliseconds
Setting the EFM-OAM History limit

The efm-oam history limit command sets the EFM-OAM history limit.
Command Syntax
device-name(cfg protocol)#efm-oam history limit <1000-10000>
device-name(cfg protocol)#no efm-oam history limit
1000-10000 Defines the maximum number of entries in the EFM-OAM history.
5000 entries
Page 22
EFM-OAM Interface Configuration Commands

Table 2: EFM-OAM Interface Configuration Commands
Command Description
efm-oam Enables/disables EFM-OAM on the specified interface and sets its

mode to active or passive (see Enabling/Disabling the EFM-OAM
State on the Specified Interface)
efm-oam force- Forces permanent loopback on the local or remote device (see
loopback Forcing the EFM-OAM Local/Remote Loopback Configuration)
efm-oam mode Enables/disables the organization-specific EFM-OAM
enhancements on the specified interface (see Enabling/Disabling
the EFM-OAM Enhancements on the Specified Interface)
efm-oam threshold Defines thresholds for bit error testing and reporting on the
bit-errors specified interface (see Setting the EFM-OAM Thresholds for Bit
Error Monitoring on the Specified Interface)
efm-oam threshold Defines a threshold for frame error testing and reporting on the
frame-errors specified interface (see Setting the EFM-OAM Thresholds for
Frame Error Monitoring on the Specified Interface)
efm-oam event-forward Defines an action that is performed when the link status of the
configured interface is changed (see Setting Event Monitoring on a
Specific Interface)
efm-oam event-return Enables the Event Return feature (see Enabling Event Return)
shutdown
Enabling/Disabling the EFM-OAM State on the Specified Interface

The efm-oam command enables/disables EFM-OAM on the specified interface and sets its mode
to active or passive.
When both peers are in passive mode (abnormal configuration) the information from 'Remote
Status' is not updated anymore and it may be inaccurate.
To execute this command, first enable EFM-OAM in the Protocol Configuration mode
(see Enabling/Disabling EFM-OAM), otherwise the %EFM-OAM is disabled error is generated.
Command Syntax
device-name(config-if UU/SS/PP)#efm-oam {active | passive}
device-name(config-if UU/SS/PP)#no efm-oam
device-name(config-if-group)#efm-oam {active | passive}
device-name(config-if-group)#no efm-oam
Page 23
active When specifying the active mode, the device can send hello packets over this
port to initiate an EFM-OAM discovery process. To initiate the discovery
process, enable first the EFM-OAM protocol.
passive When specifying the passive mode, the device cannot use this port to send
hello packets.
port state is passive for uplink ports and disabled for user ports
no Disables 802.3ah EFM-OAM.
Example 1
device-name(config-if 1/1/1)#efm-oam passive
Example 2
device-name(config)#interface range 1/1/1
device-name(config-if-group)#efm-oam passive
Forcing the EFM-OAM Local/Remote Loopback Configuration

The efm-oam force-loopback command forces loopback on local or remote devices. This is
useful for long-term loopback traffic analysis.

For this command to take effect on a local device you do not have to enable EFM-OAM in the
Protocol Configuration mode.
If the port is in a loopback state and either EFM is disabled globally or per this port, or the port's
mode is changed to Passive mode, the force loopback state is removed from the port, generating
the remote loopback is removed from the device on port UU/SS/PP message. This message, along with an
error severity is sent to the Syslog server.
For this command to take effect on a remote device:
1. first enable EFM-OAM in the Protocol Configuration mode (see Enabling/Disabling EFM-
OAM), otherwise the %EFM-OAM is disabled error is generated.
2. configure this interface to be in an Active mode.
NOTE
The loopback is always forced on the remote port, when EFM is enabled on
the remote device.
CLI Mode: Interface Configuration and Interface Range Configuration
Page 24
Command Syntax
device-name(config-if UU/SS/PP)#efm-oam force-loopback {local | remote}
device-name(config-if UU/SS/PP)#no efm-oam force-loopback
device-name(config-if-group)#efm-oam force-loopback {local | remote}
device-name(config-if-group)#no efm-oam force-loopback Argument Description
local Forces the port loopback on the local device.
Disabled
remote Forces the port loopback on the remote device.
Disabled
no Removes the forced loopback on local or remote devices.
Example
device-name(config-if 1/1/1)#efm-oam force-loopback remote
Enabling/Disabling the EFM-OAM Enhancements on the

Specified Interface
The efm-oam mode command enables/disables the organization-specific EFM-OAM
enhancements on the specified interface or interface range.
You can use this command with one of the below variables:
• Basic: do not use organization-specific extensions
• Enhanced: allows defining and retrieving all the SNMP variables on the remote device.
If the remote device is not an organization device, Basic mode is used, even if Enhanced
mode is configured.
Configure both devices with Enhanced mode for the devices to exchange their hostname.
Command Syntax
device-name(config-if UU/SS/PP)#efm-oam mode {enhanced | basic}
device-name(config-if UU/SS/PP)#no efm-oam mode
device-name(config-if-group)#efm-oam mode {enhanced | basic}
device-name(config-if-group)#no efm-oam mode
enhanced Enables enhanced mode.
Enhanced mode
basic Enables basic mode.
Page 25
no Disables the organization-specific EFM-OAM enhancements.
Example
device-name(config-if 1/1/1)#efm-oam mode enhanced
Defining the EFM-OAM Thresholds for Bit Error Monitoring on the

Specified Interface
The efm-oam threshold bit-errors command defines a threshold for bit error testing and
reporting for a specific interface or an interface range.
When the threshold is exceeded, the device generates an Errored Symbol Period Event message and
sends it to the remote peer. The message is written to the Syslog and in the feature history.
Additionally, the event counters are updated.
Command Syntax
device-name(config-if UU/SS/PP)#efm-oam threshold bit-errors seconds <seconds>
error-count <error-count>
device-name(config-if UU/SS/PP)#no efm-oam threshold bit-errors
device-name(config-if-group)#efm-oam threshold bit-errors seconds <seconds>
device-name(config-if-group)#no efm-oam threshold bit-errors
seconds The number of seconds required for monitoring the bit error-count, in the
range of <1–60>.
error-count The errors bit errors threshold in the range of <1–1000000000>.
no Disables the bit errors monitoring.
bit errors threshold is disabled
Example
device-name(config-if 1/1/1)#efm-oam threshold bit-errors seconds 20 error-
count 100
In this example, the device generates the Errored Symbol Period Event message in case of 100 bit errors
in a 20 seconds time frame.
Page 26
Defining the EFM-OAM Thresholds for Frame Error Monitoring on

the Specified Interface
The efm-oam threshold frame-errors command defines a threshold for frame error testing and
reporting a specific interface or an interface range.
When the threshold is exceeded, the device generates an Errored Frame Event message and sends it to
the remote peer. The message is written to the Syslog and in the feature history. Additionally, the
event counters are updated.
Command Syntax
device-name(config-if UU/SS/PP)#efm-oam threshold frame-errors [seconds
<seconds> error-count <error-count>]
device-name(config-if UU/SS/PP)#no efm-oam threshold frame-errors
device-name(config-if-group)#efm-oam threshold frame-errors seconds <seconds>
device-name(config-if-group)#no efm-oam threshold frame-errors
seconds The number of seconds required to monitor the frame error-count, in the
range of <1–60>.
error-count The errors frame errors threshold in the range of <1–1488000>.
no Disables the frame errors monitoring.
256 errors during 20 seconds
Example
device-name(config-if 1/1/1)#efm-oam threshold frame-errors seconds 20 error-
count 100
In this example, the device generates the Errored Frame Event message in case of 100 frame errors in
a 20 seconds time frame.
Page 27
Defining Event Monitoring on a Specific Interface

Event monitoring is the ability to perform an action on a target interface whenever a source
interface's link status changes. There are two possible actions:
• shutdown the target interface
• send a Link Event Notification from the target interface to its EFM peer
The efm-oam event-forward command on the source port to enable and an Event Monitoring
action.
For this command to take effect on the local interface, first enable EFM-OAM in the Protocol
Configuration mode (see Enabling/Disabling EFM-OAM), otherwise the %EFM-OAM is disabled
error is generated. You do not have to enable this option on the remote peer.
Command Syntax
device-name(config-if UU/SS/PP)#efm-oam event-forward {shutdown | status}
UU/SS/PP
device-name(config-if UU/SS/PP)#no efm-oam event-forward
device-name(config-if-group)#efm-oam event-forward {shutdown | status}
UU/SS/PP
device-name(config-if-group)#no efm-oam event-forward
shutdown Shuts down the target interface.
status Forwards a Link Event Notification from the target interface.
UU/SS/PP The target interface (on which the action is performed).
no Disables event monitoring.
event monitoring is disabled
Example
device-name(config-if 1/1/1)#efm-oam event-forward status 1/2/3
Page 28
Enabling Event Return

The efm-oam event-return shutdown command is used to enable the Event Return feature. This
feature is used to determine the number of discovery attempts prior to administratively shutting
down the port.
You have to enable EFM-OAM on the port prior to enabling this command.
Command Syntax
device-name(config-if UU/SS/PP)#[no] efm-oam event-return shutdown <attempts>
attempts The number of discovery attempts before shutting down the port, in the range
of <1–10>.
5 discovery attempts when Event Return feature is enabled
no Disables this feature.
Event Return feature is disabled
Example
device-name(config-if 1/1/1)#efm-oam event-return shutdown 3
Page 29
EFM-OAM Monitoring and Network Testing

Commands
Table 3: EFM-OAM Monitoring and Network Testing Commands
Command Description
efm-oam ping Enables the EFM-OAM non-intrusive monitoring on the specific

interface (see Enabling EFM-OAM Non-intrusive Monitoring)
efm-oam loopback Enables the EFM-OAM monitoring on the specific interface, using
the loopback service (see Enabling EFM-OAM Monitoring)
efm-oam accept- Enables reaction to loopback control OAMPDUs from peers (see
remote-loopback Enabling/Disabling Loopback Commands' Processing)
efm-oam get Enables the EFM-OAM get variable operations for the interface
specific counters, as defined by the relevant standard (see
Enabling EFM-OAM Get Variable)
efm-oam history clear Clears the EFM-OAM buffer history contents (see Clearing EFM-
OAM History)
Page 30
Enabling EFM-OAM Non-intrusive Monitoring

The efm-oam ping command enables the EFM-OAM non-intrusive monitoring of a specific
interface.

By default, 5 requests are sent on the specified interface.
Command Syntax
device-name#efm-oam ping UU/SS/PP [number <number>] [delay <delay>] [timeout
<timeout>] [counter <branch> <leaf>] [extended]
UU/SS/PP The interface for EFM-OAM non-intrusive monitoring.
number <number> (Optional) defines the number of echo packets to send, in the range of
<1–10>
5 packets
delay <delay> (Optional) defines the delay between packets, in seconds, in the range
of <0–600>
there is no delay
timeout <timeout> (Optional) define the reply timeout in the range of <1–60> seconds
2 seconds
counter (Optional) defines a different counter for the ping-like operation, from
the options displayed in the below table
aFramesTransmittedOK, branch 7 leaf 2
branch (Optional) selects the branch (see table below).
leaf (Optional) selects the leaf (see table below).
extended (Optional) displays the replay time for every packet.
Table 4: Leaf Values

Branch Leaf Port Statistics
7 2 aFramesTransmittedOK
7 5 aFramesReceivedOK
7 8 aOctetsTransmittedOK
7 14 aOctetsReceivedOK
7 21 aMulticastFramesReceivedOK
7 22 aBroadcastFramesReceivedOK
Page 31
Enabling EFM-OAM Monitoring

The efm-oam loopback command enables EFM-OAM monitoring of a specific interface, by
setting the remote device into a loopback mode and generating test traffic.
CAUTION
Initiating this mode drops all traffic from the remote peer interface.
You can enable one of the two loopback versions available:
• Storm: sets the remote peer interface into a loopback mode, stops the local data flow to this
interface, and the local CPU generates a packet burst. When the remote peer sends the burst
back, the local device validates it and displays the burst statistics.
• Burst: sets the remote peer interface into a loopback mode, stops the local data flow on this
interface, and the local hardware generates a test packet burst (a single packet, generated by
local CPU, is repetitively sent by the hardware). When the remote peer sends the burst back,
the local device ignores it and displays only counters.
NOTE
The Burst option is only supported with external traffic generator.
You can perform this test only if both devices support EFM-OAM Loopback.
Command Syntax
device-name#efm-oam loopback UU/SS/PP storm [count <burst-count>] [delay
<delay>] [packet-size <packet-size>] [no-remote-loopback] [timeout
<timeout>]
device-name#efm-oam loopback UU/SS/PP burst [duration <duration>] [packet-
size <packet-size>] [no-remote-loopback]
UU/SS/PP The interface for EFM-OAM non-intrusive monitoring.
Storm Selects a Storm loopback.
count <burst- (Optional) defines the number of packets sent in the Storm loopback, in
the range of <1–2147483646>.
count>
100 packets
delay <delay> (Optional) defines the delay between packets, in seconds, in the range
of <1–600>
there is no delay
packet-size (Optional) defines the test-packets' size, in the range of <64–1512>
<packet-size> bytes
64 bytes
no-remote- (Optional) does not define a remote loopback for this operation (set the
loopback loopback manually).
timeout (Optional) the reply timeout, in the range of <1–600> seconds
<timeout> 2 seconds
Page 32
burst Selects a Burst loopback.

duration (Optional) defines the burst loopback duration, in the range of <1–600>
<duration> seconds
10 seconds
Example 1
device-name#efm-oam loopback 1/1/1 storm count 1000 packet-size 64
Setting Loopback ..... Started .... Completed
Generating Test Traffic ..... Started .... Completed
Sent: 1000 packets / 6400 octets
Received Successfully: 999 packets / 6336 octets
Local Remote
InOctets 636728 InOctets 1005096
OutOctets 613104 OutOctets 1136751
InUcastPkts 7500 InUcastPkts 7700
InNUcastPkts 2250 InNUcastPkts 7983
OutUcastPkts 7400
OutNUcastPkts 2176
InDiscards 0
OutDiscards 0
InErrors 0
OutErrors 0
device-name#efm-oam loopback 1/1/1 burst duration 10 packet-size 64

Setting Loopback ..... Started ..... Completed
Stopping loopback ..... Started ..... Completed

That output does not correspond to the loopback burst
Local Remote
OutUcastPkts 402271
OutNUcastPkts 290145
InDiscards 0
OutDiscards 0
InErrors 0
OutErrors 0
Page 33
Example 2
device-name#efm-oam loopback 1/2/1 burst no-remote-loopback

Setting Loopback ..... Started ..... Completed
Stopping loopback ..... Started ..... Completed

Maximum achieved rate: 94.12%
Local Remote
OutUcastPkts 10703329
OutNUcastPkts 434
InDiscards 0
OutDiscards 0
InErrors 0
OutErrors 0
device-name#efm-oam loopback 1/2/1 storm no-remote-loopback

Generating Test Traffic ..... Started ..... Completed

Local Remote
OutUcastPkts 10703531
OutNUcastPkts 528
InDiscards 0
OutDiscards 0
InErrors 0
OutErrors 0
Page 34
Enabling/Disabling Loopback Commands' Processing

The efm-oam accept-remote-loopback command enables the processing of loopback control
OAMPDUs from peers.
Command Syntax
device-name(config-if UU/SS/PP)#[no] efm-oam accept-remote-loopback
no Disables reaction to loopback control OAMPDUs.
Disabled
Example
device-name(config-if 1/1/1)#efm-oam accept-remote-loopback
Enabling EFM-OAM Get Variable

The efm-oam get command gets specified counter variables for a specific interface.
Using this command with no parameters displays the identical information as the show efm-oam
statistics command (for more information, refer to Displaying EFM-OAM Local and Remote
Interface Statistics).
Command Syntax
device-name#efm-oam get UU/SS/PP [counter <branch> <leaf>]
UU/SS/PP The interface to get counters from.
counter (Optional) performs a standard get variable operation, from the options
displayed in the below table.
branch (Optional) selects the branch for the get variable operation (see Table 4).
leaf (Optional) selects the leaf for the get variable operation (see Table 4).
Page 35
Example
device-name#efm-oam get 1/1/1
Waiting to receive remote statistics values
....................
Remote Interface Status Stable
Remote If Status Stable
Remote MAC 00:A0:12:27:14:23
InOctets 363254
OutOctets 181663
InUcastPkts 0
InNUcastPkts 2757
device-name#efm-oam get 1/1/1 counter 7 2

Waiting to receive
Press Esc for break
.........
aFramesTransmittedOK = 3007
Clearing EFM-OAM History

The efm-oam history clear command clears the EFM-OAM buffer history contents.

Command Syntax
device-name#efm-oam history clear
Page 36
EFM-OAM Display Commands

Table 5: EFM-OAM Display Commands
Command Description
show efm-oam Displays the current EFM-OAM configuration and status for a
specific interface or for all interfaces(see Displaying the EFM-
OAM Status and Configuration)
show efm-oam history Displays the history of the events from the remote device for a
specific interface or for all interfaces (see Displaying EFM-OAM
History on a Specified Interface)
show efm-oam history Displays the number of entries in EFM-OAM history for a specific
count port (see Displaying the EFM-OAM History Count for a Specific
Port)
efm-oam history show Displays EFM-OAM history contents (see Displaying EFM-OAM
History)
show efm-oam Displays the local and remote counters and accumulated statistics
statistics for EFM-OAM on a specified interface (see Displaying the EFM-
OAM Local and Remote Interface Statistics)
Displaying EFM-OAM Status and Configuration

The show efm-oam command displays the current EFM-OAM configuration and status for a
specific interface or for all interfaces.

Command Syntax
device-name#show efm-oam [extended | UU/SS/PP]
extended (Optional) displays additional details.
UU/SS/PP Selects the interface to display the EFM-OAM configuration and status.
Page 37
Example 1
device-name#show efm-oam extended
Events sending status: Logging Enabled, Propagation Enabled
Event Notification Duplication Count: 5
Intervals: Keep-Alive is 5000 miliseconds, Hello is 1000 milliseconds
History limit: 24 hours or 5000 entries
Local MAC: 00:A0:12:27:12:40
Efm-Oam Pkts counter : sent = 106680 , received = 377329
Port |Local |Remote MAC |Remote | Remote | Remote

|State | |State | Port | Hostname
------+---------+-----------------+---------+--------+---------
1/1/1 |Active |00:A0:12:27:14:23|Passive |1/1/1 |T-Marc 2
1/1/2 |Disabled |Unknown |Unknown |UU/SS/PP|Unknown
1/2/1 |Active |00:A0:12:27:01:29|Active |1/2/1 |T-Marc
1/2/2 |Disabled | Unknown |Unknown |UU/SS/PP|Unknown
Example 2
device-name#show efm-oam
Local MAC: 00:A0:12:27:12:40
Port |Local |Remote MAC |Remote |Remote |Local

|State | |State |Status |Status
------+---------+-----------------+---------+--------+--------
1/1/1 |Active |00:A0:12:27:14:23|Passive |Stable |Stable
1/1/2 |Disabled | Unknown |Unknown |Unknown |Unknown
1/2/4 |Active |00:A0:12:27:01:29|Active |Stable |Stable
Page 38
Example 3
device-name#show efm-oam 1/2/1
Interface Mode: Enhancements Enabled
Loopback Status: Local
Local State: Active
Remote State: Active
Remote MAC: 00:A0:12:27:14:23
Remote Hostname: T-Marc
Remote Status: Stable
Local Status: Loopback
Remote OID/Vendor Specific: 00:A0:12 / 0x00000000
OAM Version: 1.0
Loopback Capable? Yes Events Capable? Yes
Variables Retrieve Capable? Yes Uni-Directional Mode Capable? Yes
Private Extensions Capable?
Active Remote Flags: ( Local Stable, Remote Stable )
Active Local Flags : ( Local Stable, Remote Stable )
Local Thresholds:
Bit Errors: Disabled
Frame Errors: 256 Window: 20
Link down actions:

Shutdown: None.
Forward status to: None.
Displaying EFM-OAM History on a Specified Interface

The show efm-oam history command displays the Link Events' history for a specified interface
or for all interfaces.
You can view the last 24 hours' history—if the device is not reloaded. To get this history, enable the
Syslog.

To execute this command, first enable:
• EFM-OAM in the Protocol Configuration mode (see Enabling/Disabling EFM-OAM),
otherwise the %EFM-OAM is disabled error is generated
• Syslog (holds a log with the same detail level. For more information, refer to the Configuring
System Message Logging chapter of this User Guide)
Command Syntax
device-name#show efm-oam [UU/SS/PP] history
Page 39
UU/SS/PP (Optional) specifies the interface number for which the EFM-OAM history
is displayed.
Example
device-name#show efm-oam history
3/1/2008 19:20: Port 1/1/1: Remote Link Fault Bit Received
3/1/2008 19:21: Port 1/1/1: Remote Errored Frame Event Received
Timestamp: 12323445 Window: 30 sec
Threshold: 50 Errors: 55
Total Errors: 78654
Total Events: 9943
3/2/2008 19:21: Port 1/1/1: Remote Link Fault Bit Cleared
4/2/2008 22:30, Port 1/2/2: Remote Errored Frame Event Sent
Timestamp: 24523445 Window: 45 sec
Threshold: 10 Errors: 15
Total Errors: 32654
Total Events: 5943
3/4/2008 13:25, Port 1/1/1: Dying Gasp Received
3/4/2008 13:26, Port 1/1/1: Renegotiation Completed.
3/4/2008 13:27, Port 1/1/1: Unknown Organization Specific Event
Displaying the EFM-OAM History Count for a Specific Port

The show efm-oam history count command displays the number of entries in EFM-OAM
history for a specific port.
Command Syntax
device-name#show efm-oam history [count | count UU/SS/PP]]
count (Optional) counts EFM-OAM history
UU/SS/PP The interface to display EFM-OAM statistics for
Example
device-name#show efm-oam history count 1/1/1
Efm-oam history count on interface 1/1/1 is 1
Page 40
Displaying EFM-OAM History

The efm-oam history show command displays the EFM-OAM history contents.

Command Syntax
device-name#efm-oam history show count [UU/SS/PP]
count Counts EFM-OAM history.
UU/SS/PP (Optional) the port on which to display EFM-OAM history.
Example 1
device-name#efm-oam history show
%Efm-Oam history empty
Example 2
device-name#efm-oam history show count
Efm-oam history count is 1
Example 3
device-name#efm-oam history show count 1/1/1
Efm-oam history count on interface 1/1/1 is 1
Displaying EFM-OAM Local and Remote Interface Statistics

The show efm-oam statistics command displays the local and remote counters and all EFM-
OAM accumulated statistics for a specific interface.

To execute this command, first enable:
• EFM-OAM in the Protocol Configuration mode (see Enabling/Disabling EFM-OAM),
otherwise the %EFM-OAM is disabled error is generated.
• EFM-OAM for the specific interface (see Enabling/Disabling the EFM-OAM State on a
Specific Interface or Interface Range), otherwise the %EFM-OAM is disabled on port UU/SS/PP
error is generated.
Page 41
Command Syntax
device-name#show efm-oam UU/SS/PP statistics
UU/SS/PP The interface to display EFM-OAM statistics for.
Example
device-name#show efm-oam 1/1/1 statistics
Local Interface Status Stable Remote Interface Status Stable

Local State: Passive Remote State: Active
Local MAC 00:A0:12:22:5B:A0 Remote MAC 00:A0:12:22:13:36

OutUcastPkts 0
OutNUcastPkts 1351
InDiscards 0
OutDiscards 0
InErrors 0
OutErrors 0
Oam Pkts Sent 1285

Oam Pkts Received 1286
EFMOAMPDU max size : 1518
Page 42
Log Messages
The following table displays the log messages implemented by the EFM-OAM.
Table 6: Log messages implemented by the EFM-OAM

Message Severity Description
EFM-OAM-Remote- Error An event generated on interface UU/SS/PP

CriticalEvent
NOTE
This error requires special attention
EFM-OAM-Remote- Error A Dying Gasp event generated on interface
DyingGasp UU/SS/PP
EFM-OAM-Remote- Warning A fault event generated on interface UU/SS/PP
LinkFault
EFM-OAM-Remote- Notification An organization specific event generated on
SpecificEvent interface UU/SS/PP
EFM-OAM-Remote- Warning The PDU quantity exceeded the allowed rate on
RateExceeded interface UU/SS/PP
EFM-OAM-Remote- Warning Port UU/SS/PP: Remote Errored Frame Symbol
Errored-Symbol-Event Period Event Received:
• Timestamp: 0x24523445
• Window: 452341 bytes
• Threshold: 10
• Errors: 15
• Total Errors: 32654
• Total Events: 5943
EFM-OAM-Remote- Warning Port UU/SS/PP: Remote Errored Frame Frame
Errored-Frame-Event Event Received
• Window: 45.1 sec
• Threshold: 10
• Errors: 15
EFM-OAM-Remote- Warning Port UU/SS/PP: Remote Errored Frame Period
Errored-Period-Event Event Received:
• Window: 454341frames
• Threshold: 10
• Errors: 15
Page 43
Message Severity Description
EFM-OAM-Remote- Warning Port UU/SS/PP: Remote Errored Frame Seconds

Errored-Seconds- Event Received:
Event
• Window: 45.1 sec
• Threshold: 10
• Errors: 15
EFM-OAM-Local- Fatal EFM-OAM detected a local Dying Gasp event
DyingGasp
EFM-OAM-Local- Error Link Fault occurred on the local device, on interface
LinkFault UU/SS/PP
EFM-OAM-Local- Warning Port UU/SS/PP: Local Errored Frame Symbol Period
Errored-Symbol-Event Event sent:
• Window: 45 seconds
• Threshold: 10
• Errors: 15
EFM-OAM-Local- Warning Port UU/SS/PP: Local Errored Frame Frame Event
Errored-Frame-Event sent:
• Window: 45 sec
• Threshold: 10
• Errors: 15
EFM-OAM-Remote- Warning Port UU/SS/PP: Local Errored Frame Seconds
Errored-Seconds- Event sent:
Event
• Window: 45 sec
• Threshold: 10
• Errors: 15
Page 44
EFM-OAM Configuration Example

The following example is based on Figure 5 and shows how to configure an Ethernet network using
a EFM-OAM protocol.
Figure 5: Example for Configuring Two Devices in EFM-OAM Protocol
Configuring Device1:
1. Verify if the EFM-OAM protocol is enabled on the device:
Device1#show efm-oam
% EFM-OAM is disabled
2. If EFM-OAM protocol is disabled, enable it:

Device1(cfg protocol)#efm-oam enable
3. Specify the number of OAMPDU:

Device1(cfg protocol)#efm-oam multiple-pdu-count 3
4. Enable sending of local event notifications to remote device:

Device1(cfg protocol)#efm-oam propagate-events
5. Define the OAMPDUs Priority:

Device1(cfg protocol)#efm-oam priority 3
Page 45
6. Define the aging interval in seconds for the neighboring device that last sent packets:
Device1(cfg protocol)#efm-oam keepalive-interval 3000
7. Enable EFM-OAM on the specified interface and set its mode to active:
Device1(config-if 1/1/1)#efm-oam active
1. Verify if the EFM-OAM protocol is enabled on the device:
% EFM-OAM is disabled
2. If EFM-OAM protocol is disabled, enable it:

Device1(cfg protocol)#efm-oam enable
3. Specify the number of OAMPDU:

Device2(cfg protocol)#efm-oam multiple-pdu-count 5
4. Enable sending of local event notifications to remote device

Device2(cfg protocol)#efm-oam propagate-events
5. Set OAMPDUs Priority:

Device2(cfg protocol)#efm-oam priority 5
Forcing loopback on remote device (Device2):

Device1(config-if 1/1/1)#efm-oam force-loopback remote
Configuring the remote peer interface into a loopback mode:

Device2#efm-oam loopback 1/1/1 storm
Page 46
Displaying EFM-OAM Configuration on both Devices:

Local Priority is 3
Local MAC: 00:A0:12:22:41:60
=================================================================
------+---------+-----------------+---------+---------+----------
1/1/1 |Active |00:A0:12:4B:06:C3|Passive |Loopback |Stable
1/1/2 |Active |Unknown |Unknown |Unknown |Discovery
1/2/1 |Active |Unknown |Unknown |Unknown |Link-Down
…
Local Priority is 5
Local MAC: 00:A0:12:4B:06:C3
=================================================================
------+---------+-----------------+---------+---------+----------
1/1/1 |Passive |00:A0:12:22:41:60|Active |Stable |Loopback
1/2/1 |Disabled |Unknown |Unknown |Unknown |Unknown
…
1/2/8 |Disabled |Unknown |Unknown |Unknown |Unknown
Page 47
Displaying EFM-OAM Extended Configuration on both Devices:

Device1#show efm-oam extended
Local Priority is 3
Local MAC: 00:A0:12:22:41:60
=================================================================
------+---------+-----------------+---------+--------+-----------
1/1/1 |Active |00:A0:12:4B:06:C3|Passive |1/1/1 |Device2
1/1/2 |Active |Unknown |Unknown |UU/SS/PP|Unknown
…
Device2#show efm-oam extended

Local Priority is 5
Local MAC: 00:A0:12:4B:06:C3
=================================================================
------+---------+-----------------+---------+--------+-----------
1/1/1 |Passive |00:A0:12:22:41:60|Active |1/1/1 |Device2
…
Page 48
Displaying EFM-OAM Interface Statistics on Device1:

Device1#show efm-oam 1/1/1 statistics
Local Interface Status Stable Remote Interface Status Loopback

Local State: Active Remote State: Passive
Local MAC 00:A0:12:22:41:60 Remote MAC 00:A0:12:4B:06:C3

OutUcastPkts 0
OutNUcastPkts 647
InDiscards 0
OutDiscards 0
InErrors 0
OutErrors 0
Oam Pkts Sent 585

Oam Pkts Received 577
EFMOAMPDU max size : 1516
Page 49
802.1ag Connectivity Fault Management (CFM)
Overview
IEEE 802.1ag Connectivity Fault Management (CFM) refers to the ability of a network to monitor
the health of an end-to-end service delivered to customers (as oppose to just links or individual
bridges). The pre-standard IEEE 802.1ag CFM feature, called MAC ping/trace route, defines the
end-to-end OAM capabilities that are intrinsic to Ethernet technology, enabling service providers to
monitor the Ethernet service that the customer receives.
The 802.1ag CFM standard specifies protocols, procedures, and managed objects to support
transport fault management. These allow:
• the discovery and verification of the frames' path addressed to and from specified network
users
• the detection and isolation of a connectivity fault to a specific bridge or LAN
Ethernet CFM defines proactive and diagnostic fault localization procedures for point-to-point and
multipoint Ethernet Virtual Connections (EVC) that span one or more links.
CFM-OAM Protocol Functionality

CFM-OAM supports the following basis functionalities:
• Discovery & Connectivity: the ability to discover other CFM-OAM enabled devices and verifying
the connectivity to these devices
• Fault Verification: the ability to verify and test the quality of the service delivered
• Fault Isolation: the ability to identify and isolate the point of fault within the service path
CFM Purpose
Bridges are increasingly used in networks operated by multiple independent organizations, each
with restricted management access to each other’s equipment.
CFM provides capabilities for detecting, verifying, and isolating connectivity failures in such
networks, where multiple organizations are involved in providing and using the Ethernet service
(such as customers, service providers, and operators).
Customers purchase Ethernet service from service providers. These service providers may utilize
their own networks or the networks of other operators to provide connectivity for the requested
service. Customers themselves may be service providers. For example, a customer may be an
Internet service provider that sells Internet connectivity.
Page 50
Figure 6: OAM Ethernet Tools
Operators need minimal Ethernet OAM as oppose to providers that need more comprehensive
Ethernet OAM for themselves and the ability to provide customers with better monitoring
functionality.
In order to validate the service quality and to perform fault verification on Maintenance End Points
(MEP) and Maintenance Intermediate Points (MIPs) that belong to the organization, each
organization defines its own maintenance domain. These MEPs and MIPs are then linked to the
relevant domain creating a Maintenance Association (MA).
Mechanisms of Ethernet 802.1ag OAM

The mechanisms supported by CFM include Connectivity Check Messages (CCM), loopback, link
trace and Alarm Indication Signal (AIS).
CFM allows for end-to-end fault management that is generally reactive (through loopback, link
trace messages, and Alarm Indication Signals) and connectivity verification that is proactive
(through Connectivity Check messages).
Discovery and Connectivity

To discover the devices in a domain, each MEP transmits a periodical CCM to the entire domain
MIPs and MEPs.
CCMs are periodic hello messages multicast by a MEP within the MA at a defined rate. The
receiving MEPs build a MEP database that catalogs a list of the various MAs, including their MEPs
and MIPs (indicating each entity's MAC address) as functional points.
Page 51
The database includes entities MEP Destination MAC Address (DA) and port (format: MEP DA,
Port).
Figure 7: MEP1 and MEP3 Send a Multicast CC Frame
Figure 8: MEP4 and MEP2 Send a Multicast CC Frame
A CCM timeout is used to detect connectivity faults (such as a software failure, memory corruption,
or miss-configuration). A CCM loss is assumed when a MEP does not receive the next CCM from
a remote MEP within the CCM timeout.
If a MEP on a local bridge (local MEP) stops receiving periodic CCMs from a peer MEP on a
remote bridge (remote MEP), it assumes that a failure in the remote bridge or in the continuity of
the path has occurred. If the MEP does not receive three consecutive CCMs, it declares a
connectivity loss.
In this case, the bridge can notify the network management application about the failure and initiate
the fault verification and fault isolation steps either automatically or through an operator command.
Since a short CCM interval rate is a key point in ensuring fast connection-failure detection, the
systems administrator can define a CCM interval rate of down to 3.3 milliseconds.
Page 52
In cases that the MEP is deliberately taken out of commission, the MEP indicates this status to
other peer MEPs to avoid triggering false fault detections.
CFM also provides an alarm suppression mechanism in cases where a network fault affects more
than one VLAN and to avoid a situation where different MEPs generate an alarm notifying of the
same common fault.
Fault Verification (Loopback Messages)

A unicast Loopback Message (LBM) is used for fault verification. To verify the connectivity
between MEP and its peer MEP or a MEP, the LBM is initiated by a MEP with a destination MAC
address set to the MAC address of either a Maintenance association Intermediate Point (MIP) or
the peer MEP. The receiving MIP or MEP responds to the LBM with a Loopback Reply (LBR).
A Loopback message helps a MEP identify the precise fault location along a given MA. A
Loopback message is issued by a MEP to a given MIP along an MA. The appropriate MIP in front
of the fault responds with a Loopback reply. The MIP behind the fault does not respond. For
Loopback to work, the MEP must know the MAC address of the MIP to ping.
Figure 9: Loopback Operation
In the Figure 9 two maintenance entities are shown: one comprising the yellow MEPs and MIPs,
the other comprising orange MEPs and MIPs.
Fault Isolation (Linktrace Messages)

In order to isolate the exact point of fault, a MEP initiates a Linktrace mechanism. This mechanism
is used to isolate faults at the Ethernet MAC layer.
To run this mechanism, the originating MEP sends a Linktrace Message (LTM, using the domain's
set of reserved multicast MAC addresses) that traverses hop-by-hop along the domain's trace path.
Each Maintenance Point (MP, whether a MEP or MIP) along the trace path intercepts this LTM,
processes it, and forwards it onto the next hop until it reaches the destination MEP.
Page 53
Each MP along the path returns a unicast Linktrace Reply (LTR) back to the originating MEP. The
MEP then sends a single LTM to the next hop along the trace path eventually determining the
MAC address of all MIPs along the MA and their precise location with respect to the originating
MEP.
Figure 10: Link Trace Operation
In case of Ethernet, fault isolation is more challenging due to MAC addresses aging out, erasing the
information needed for locating the fault.
The possible ways to address this issue are:
• Carrying out the Linktrace within the age-out time frame
• Maintaining information about the destination MEP at the MIPs along the path using CCMs
• Maintaining the path's visibility at the source MEPs through periodic LTMs (in intervals larger
than the CCM rate interval)
You can also use the Linktrace mechanism to discover normal data paths through the network,
during times where the network is fault-free. This can be helpful at a later stage, in cases where
Linktrace cannot provide the information needed to isolate a fault and by issuing LBMs to MPs
along the normal data paths to retrieve additional useful information.
Page 54
Fault Notification and Alarm Suppression (Fault

Alarms)
The Fault Alarm feature is a management operation that generates an SNMP notification to a
designated address when a MEP detects a fault.
When you enable the Fault Alarm, the MEP transmits an alarm upon detecting a defect that
occurred for more than a predefined threshold time. The MEP can transmit no further Fault
Alarms until a configured time period has passed during which no defect indication is present.
A MEP maintains a number of separate defects, for example, one for defects caused by the
accidental cross-connection of two different MAs and one for defects that are confined to a single
MA.
The defects are ranked by priority. If a higher priority defect occurs after a lower priority defect has
triggered a Fault Alarm, then the MEP transmits another Fault Alarm. This enables the operator to
reliably prioritize Fault Alarms. For example, cross-connect errors are typically of greater concern in
a Service Provider environment than connectivity loss errors. Only the highest-priority defect is
reported in the Fault Alarm.
In the order of their priority the defects are:
• DefRDICCM—the last CCM received by this MEP from a remote MEP contained the RDI
bit
• DefMACstatus—the last CCM received by this MEP from a remote MEP indicated that the
transmitting MEP’s associated MAC is reporting an error status
• DefRemoteCCM—this MEP is not receiving CCMs from one of the MEPs in its configured
list
• DefErrorCCM—this MEP is receiving invalid CCMs
• DefXconCCM—this MEP is receiving CCMs from a different MA
Page 55
CFM-OAM Configuration Flow
Start
Enable the CFM protocol
Create a CFM Domain
Create CFM Maintenance Associations (MA)
Create MEP
End
Figure 11: CFM-OAM Configuration Flow
Page 56
Start
Is dynamic
SLA No
assurance
required?
Yes
Point-to-Multi-Point
Connection
Create Yes
performance
monitoring
profile?
Create a Performance
Monitoring Profile
No
Start CFM Process
End
Figure 12: CFM-OAM Performance Monitoring Flow
Page 57
Start
CFM No
Connectivity
Problem?
Yes
Verify the Failure Isolate the Failure
Send Loopback Message Send Linktrace Message
End
Figure 13: CFM-OAM on-demand Tools Flow
Page 58
Configuring 802.1ag CFM in Protocol Configuration

Mode
Table 7: 802.1ag CFM Protocol Configuration Commands
Command Description
cfm Enables/disables the CFM protocol on the devices and enters the
CFM Protocol Configuration mode (see Enabling/Disabling the
CFM Protocol)
domain Creates a maintenance domain with a specified name and level
and enters that Maintenance Domain mode (see Creating and
Accessing a Maintenance Domain)
use-draft61 Enables the compatibility with the old IEEE 802.1ag protocol
version 6.1 (see Enabling the Compatibility with Version 6.1)
show cfm use-draft61 Displays if the compatibility with the old IEEE 802.1ag protocol
version 6.1 is enabled (see Showing the Compatibility with
Version 6.1)
Enabling/Disabling the CFM Protocol

The cfm command enables/disables the CFM protocol on the device and enters the CFM Protocol
Configuration mode.
Command Syntax
device-name(config)#cfm [enable | disable]
device-name(config)#no cfm
enable (Optional) enables the CFM protocol
disable (Optional) disables the CFM protocol
Disabled
no Disables the CFM protocol
Page 59
Examples:
• Enable CFM:
device-name(config)#cfm enable
device-name(config-cfm)#
• Enabling the CFM (using the cfm enable command) when CFM is already enabled, generates
the %CFM is already enabled error message, as displayed below:
[%Error] %CFM is already enabled
device-name(config)#cfm
device-name(config-cfm)#
Creating and Accessing a Maintenance Domains

The domain command creates a maintenance domain with a specified name and level. It also enters
the Maintenance Domain mode of that domain.
CLI Mode: CFM Protocol Configuration
Command Syntax
device-name(config-cfm)#domain name NAME level <level>
device-name(config-cfm)#domain name NAME format {none | string} level <level>
device-name(config-cfm-DONAME NAME)#
device-name(config-cfm)#no domain name NAME
NAME The domain name.
level The domain level in the range of <0–7>, according to the following rules:
• Operator’s MA levels: 0–2
• Provider’s MA levels: 3–4
• Customer’s MA levels: 5–7
NOTE
This argument is compulsory when creating a new domain.
Do not use this argument for re-entering an existing
domain.
format The way the name will appear in the MAID.
none The domain name does not appear in the MAID.
string The domain name appears as a string in the MAID.
string
no Removes the domain from the CFM protocol.
Page 60
Examples:
• Create a maintenance domain:

device-name(config-cfm)#domain name D5 level 3
device-name(config-cfm-D5)#exit
device-name(config-cfm)#domain name D6 format none level 4
device-name(config-cfm-D6)#
• When reentering an existing domain, using the level argument generates the
[%Error] 'level' is not recognized error message, as displayed below:
device-name(config-cfm-D5)#exit
[%Error] 'level' is not recognized
device-name(config-cfm)#domain name D5
device-name(config-cfm-D5)#
Restoring the Version 6.1

The use-draft61 command enables compatibility with the IEEE 802.1ag protocol version 6.1
PDU’s used for connectivity, loopback, and linktrace.
Command Syntax
device-name(config-cfm)#use-draft61
device-name(config-cfm)#no use-draft61
standard IEEE 802.1ag-2007 (draft 8.1)
Example
device-name(config-cfm)#use-draft61
Displaying the Current Version

The show cfm use-draft61 command shows if the compatibility with IEEE 802.1ag protocol
version 6.1 is enabled or disabled.
Command Syntax
device-name(config-cfm)#show cfm use-draft61
Page 61
The CFM Maintenance Domain Commands

Table 8: 802.1ag CFM Maintenance Domain Commands
Command Description
ma name Creates a maintenance association within the specified domain

(see Creating Maintenance Associations)
mip-policy Specifies the conditions in which MIPs are automatically created
on ports (see Specifying MIP Creation Policy)
senderid-content Configures the Sender ID Type Length Value content of the CFM
packets (see Defining the Identification Data Sent to the
Remote MEPs)
Creating Maintenance Associations

The ma name command creates a maintenance association within a specified domain. This
command changes the Maintenance Domain mode to the specific Maintenance Association mode.
NOTE
You have to define a VLAN ID or a TLS service ID prior to creating an MA.
CLI Mode: Maintenance Domain Configuration
Command Syntax
device-name(config-cfm-DONAME NAME)#ma name NAME {vlan-ID <vlan-id> | service
<SVCID>}
device-name(config-cfm-DONAME NAME)#ma name NAME format icc {vlan-ID <vlan-
id> | service <SVCID>}
device-name(config-cfm-DONAME NAME)#ma name NAME format ieee {vlan-ID <vlan-
id> | service <SVCID>}
device-name(config-cfm-DONAME NAME)#no ma name NAME
NAME The MA name up to 22 characters.
vlan-id The unique VLAN identifier of the MA in the range of <1–4094>.
service The unique service ID (SVCID) of a TLS service in the valid range of <1–
<SVCID> 4294967295>.
format The way the name will appear in the MAID.
icc This format is described in ITU-T Y.1731.
ieee This format is described in IEEE 802.1ag.
ieee
no Removes the created MA.
Page 62
The MAID is unique over the domain. If the MAID is globally unique, then that domain is global.
CFM can detect connectivity errors only for a list of MEPs with unique MAIDs.
Example 1
• First create the VLAN ID and then the MA:

device-name(config-cfm-D5)#ma name MA5 vlan-ID 3
device-name(config-cfm-D5-MA5)#exit
device-name(config-cfm-D5)#ma name MA6 format icc vlan-ID 4
• When reentering an existing MA, using the vlan argument generates the
[%Error] 'vlan-ID' is not recognized error message, as displayed below:
[%Error] 'vlan-ID' is not recognized
device-name(config-cfm-D5)#ma name MA5
device-name(config-cfm-D5-MA5)#
Example 2
First create the TLS service and then the MA:

device-name(config-tls serv)#exit
device-name(config-cfm-D5)#ma name MA5 service 5
device-name(config-cfm-D5-MA5)#
Page 63
Specifying MIP Creation Policy (in Maintenance Domain)

The mip-policy command defines the conditions in which MIPs are automatically created on
ports.
A MIP can be created on a port and a VLAN only when an explicit or default policy is defined for
them.
When no MEP was created for the specific port and VLAN, the MIP is created at the lowest level.
If a MEP was created, the MIP is created at the next-immediate level higher than the MEP's.
Command Syntax
device-name(config-cfm-DONAME NAME)#mip-policy {none | explicit | default}
device-name(config-cfm-DONAME NAME)#no mip-policy
none Does not create any MIPs for the specified MA
explicit Configures MIPs only if a MEP exists on a lower MD Level
default Always creates MIPs
MIPs are always created
For the MIP creation rules, see Table 10.
Example
device-name(config-cfm-D7)#mip-policy explicit
Defining the Identification Data Sent to the Remote MEPs

The senderid-content command configures the content of the Sender ID Type Length Value
(TLV) included in most of the CFM packets the MEPs send.
Command Syntax
device-name(config-cfm-DONAME NAME)#senderid-content {none | hostname |
management-address | all}
device-name(config-cfm-DONAME NAME)#no senderid-content
Page 64
none Does not send the Sender ID TLV to remote MEPs: the chassis ID and
management information are hidden from all remote sites.
hostname The Sender ID TLV includes only the device hostname: the local hostname is
visible to all remote sites on the MA but the local management address is
hidden.
management- The Sender ID TLV includes only the device's management address: the local
address management mechanism and management address are visible to all remote
sites on the MA but the local hostname is hidden.
all The Sender ID TLV includes both the hostname and the management address
of the device.
hostname and management address of the device
Example
device-name(config-cfm-D7)#senderid-content management-address
Page 65
CFM Maintenance Association Commands

Table 9: 802.1ag CFM Maintenance Association Commands
Command Description
hello-interval Defines the time interval between two successive CCMs

(see Defining the Hello Interval)
mep Adds/removes local ports or a group of ports as a MEP to/from an
MA (see Adding/Removing MEPs)
ccm-priority Define the VLAN priority assigned to CCM, LBM, and LTM packets
(see Configuring the Packets' VLAN Priority)
mip-policy Defines the MIPs creation conditions on ports
(see Defining the MIP Creation Policy on Ports)
senderid-content Defines the Sender ID TLV content in the CFM packets the MEPs
send (see Define the Identification Data Sent to the Remote
MEPs)
fault-alarms-level Defines the defect priority used to generate fault alarms for a
specified MEP (see Defining the Defect Priority)
clear connectivity Clears and updates the remote MEPs connectivity list
(see Updating the Remote MEPs List)
fng-reset-time Defines in which defects are absent before enabling a Fault Alarm
again (see Defining the Fault Notification Reset Time)
fng-alarm-time Define the time interval that defects must be present before a local
MEP generates a Fault Alarm (see Defining the Fault
Notification Alarm Time)
ais-lck Enables the Alarm Indication Signal (AIS) and Lock Signal (LCK)
functions of Y.1731 (see Enabling the AIS/LCK)
ais-lck level Configures the client's domain level in which AIS and LCK packets
are sent (see Configuring the AIS/LCK Level)
ais-lck priority Configures the sent AIS and LCK packets' priority
(see Configuring the AIS/LCK Priority)
ais-lck interval Configures the interval between two successive AIS or LCK
packets sent (see Configuring the AIS/LCK Sending Interval)
mep-state active Enables a MEP to operate in an active state for a specific MEP ID
(see Enabling a MEP in an Active State)
mep-ccm enabled Enables a MEP to send CCMs for a specific MEP ID
(see Enabling a MEP to Send CCMs)
Page 66
Defining the Hello Interval

The hello-interval command defines the time interval between two successive CCMs sent by a
MEP that is a member of this maintenance association.
CLI Mode: Maintenance Association Configuration
Command Syntax
device-name(config-cfm-DONAME NAME-MA NAME)#hello-interval {300 Hz | 10
milliseconds | 100 milliseconds | 1 second | 1 minute | 10 seconds | 10
minutes}
300 Hz Defines the time interval between two successive CCM packets to
3.3 milliseconds.
10 milliseconds Defines the time interval between two successive CCM packets to 10
milliseconds.
100 milliseconds Defines the time interval between two successive CCM packets to
100 milliseconds.
1 second Defines the time interval between two successive CCM packets to 1
second.
1 second
1 minute Defines the time interval between two successive CCM packets to 1
minute.
10 seconds Defines the time interval between two successive CCM packets to 10
seconds.
10 minutes Defines the time interval between two successive CCM packets to 10
minutes.
Example 1: When creating a domain

device-name(config-cfm-D1)#ma name MA1 vlan-id 3
device-name(config-cfm-D1-MA1)#hello-interval 10 seconds
Example 2: When the domain is already created

device-name(config-cfm)#domain name D1
device-name(config-cfm-D1-MA1)#hello-interval 10 minutes
Page 67
Adding/Removing MEPs
The mep command adds local ports or a group of ports as MEPs to a specific maintenance
association.
If the current MA is defined over the service and you are trying to create a MEP on a physical port
or a LAG, the [Error]MA is defined over service message is displayed.
When the MA is not defined over the service, and a MEP is created over VLAN, the [Error]MA
defined over VLAN message is displayed.
NOTE
MEP IDs have to be unique per MA.
Command Syntax
device-name(config-cfm-DOMAIN NAME-MA NAME)#mep <mep-id> {port UU/SS/PP |
ag0N} {in | out}
device-name(config-cfm-DOMAIN NAME-MA NAME)#mep <mep-id> sap SAPSTRING
device-name(config-cfm-DOMAIN NAME-MA NAME)#no mep <mep-id>
mep-id Defines the maintenance end point (MEP) ID, in the range of <1–8191>.
UU/SS/PP Specifies the target interface on which MEP is used.
ag0N Specifies the link aggregation ID (ag01, ag04–ag07) on which MEP is used.
The allowed ID is in the range of <1–7>.
in Defines the MEP Direction to in the bridge.
out Defines the MEP Direction to out the bridge.
sap Creates the MEP on a SAP (part of the service where MA was created on).
SAPSTRING
The SAPSTRING has the UU/SS/PP:CVLANID: format.
NOTE
To use this command, first create the MA on the service with
ma name NAME service <SVCID> command.
no Removes the MEP from the MA
Page 68
Examples:
• Define the MEP ID and direction:

device-name(config-cfm-D5-MA5)#mep 1 port 1/2/3 out
• Create the MEP on SAP port 1/2/1:

device-name(config-cfm-D2)#ma name MA2 service 3
device-name(config-cfm-D2-MA2)#mep 2 sap 1/2/1:10:
Configuring CCM Priority

The ccm-priority command defines the VLAN priority assigned to the CCM, LBM, and LTM
packets.
Command Syntax
device-name(config-cfm-DONAME NAME-MA NAME)#ccm-priority <0-7> [mep <mep-id>]
0-7 The VLAN priority.
6
mep-id (Optional) selects a MEP ID to assign the priority to, in the range of
<1–8191>.
Example
device-name(config-cfm-D5-MA5)#ccm-priority 5 mep 1
Specifying MIP Creation Policy (in Maintenance Association)

The mip-policy command defines the conditions in which MIPs are automatically created on
ports.

A MIP can be created on a port and a VLAN only when an explicit or default policy is defined for
them.
When no MEP was created for the specific port and VLAN, the MIP is created at the lowest level.
If a MEP was created, the MIP is created at the next-immediate level higher than the MEP's.
Page 69
Command Syntax
device-name(config-cfm-DOMAIN NAME-MA NAME)#mip-policy {none | explicit |
default | defer}
device-name(config-cfm-DOMAIN NAME-MA NAME)#no mip-policy
none Does not create any MIPs for the specified MA.
explicit Creates MIPs only if a MEP exists on a lower MD Level.
default Always creates MIPs.
defer The policy is inherited from the domain policy configuration.
no Restores to defaults.
If no MIP creation policy per MA is defined, the default policy is inherited
from the domain policy configuration
Table 10: MIP Creation Rules

Existing MIP at MIP Policy MEP at Higher MD MIP Half
MEP at lower MD Level Function
Higher Level (MHFs)
MD Level Created
True No
False True No
False False None No
False False Default the MIP Policy Yes
default always
creates MIPs
False False Explicit True Yes
False False The explicit MIP policy False No
depends on the presence of
MEPs at lower level.
All above All above Defer The decision
is taken
NOTE considering
You can define the the setting of
Defer policy only the enclosing
on the MA level domain.
(see Specifying
MIP Creation
Policy (in
Maintenance
Domain))
If you select the defer
argument, the MIP policy is
inherited from the enclosing
Domain.
The table above defines the Level of MIP on a given port and on a given VLAN.
Page 70
NOTE
Levels are set optionally by the administrator and depend on that part of the
network that is under monitoring or the place of the device in the network.
Therefore the MIPs appear on ports if there are any Domains and already defined MAs.
It is recommended the levels 7, 6 and 5 to be explored by the users. Levels 3 and 4 are distributed
for the Service Providers. Level 1 and 2 serve the Operators. Level 0 is intended to be closer to the
physical Level.
An Intermediate Service Access Point (ISAP) is a SAP, from a Maintenance Domain, through
which frames can pass in transit from DoSAP to DoSAP.
MIPs are supporting the discovery of paths among MEPs and the location of faults along those
paths.
Example
device-name(config-cfm-D7-MA7)#mip-policy explicit
Defining the Identification Data Sent to the Remote MEPs

The senderid-content command configures the content of the Sender ID Type Length Value
(TLV) included in most of the CFM packets the MEPs send.
Command Syntax
device-name(config-cfm-DOMAIN NAME-MA NAME)#senderid-content {none | hostname
| management-address | all | defer}
device-name(config-cfm-DOMAIN NAME-MA NAME)#no senderid-content
none Does not send the Sender ID TLV to remote MEPs: the chassis ID and
management information are hidden from all remote sites.
hostname The Sender ID TLV includes only the device hostname: the local
hostname is visible to all remote sites on the MA but the local
management address is hidden.
management- The Sender ID TLV includes only the device's management address: the
address local management mechanism and management address are visible to
all remote sites on the MA but the local hostname is hidden.
all The Sender ID TLV includes both the hostname and the management
address of the device.hostname and management address of the device
defer The content of the Sender ID TLV is decided by the corresponding
setting on the enclosing domain. The values are inherited from the
domain configuration.
defer
Page 71
Example
device-name(config-cfm-D7-MA7)#senderid-content hostname
Defining the Defect Priority

The fault-alarms-level command defines the defect priority for generating fault alarms for a
specified MEP.
Defects are the loss of CCMs or a reception of cross connected CCMs.
For more information regarding Fault Alarms, refer to the Fault Notification and Alarm
Suppression (Fault Alarms) section.

The following table shows the relationship between the variables indicating the defects (the
highestDefect column), their priorities, and corresponding integer (the highestDefectPri column)
reported to the fault alarm.
The highestDefectPri is an integer value indicating the priority of the defect named in the variable
highestDefect.
The highestDefect variable is the highest-priority defect which is currently detected by the MEP.
Table 11: Defects and Priorities

Defect Priority
Variable HighestDefect HighestDefectPri Importance
Disable Disable 6
xconCCMdefect DefXconCCM 5 most
errorCCMdefect DefErrorCCM 4
someRMEPCCMdefect DefRemoteCCM 3
someMACstatusDefect DefMACstatus 2
someRDIdefect DefRDICCM 1 least
Page 72
Command Syntax
device-name(config-cfm-DOMAIN NAME-MA NAME)#fault-alarms-level <priority>
[mep <MEPID>]
device-name(config-cfm-DOMAIN NAME-MA NAME)#no fault-alarms-level [mep
<MEPID>]
priority The defect priority for the specified MEP, in the range of <1–6>.
Selecting priority 6 disables Alarm Reporting.
defect priority is 1 and alarms are generated for all defect conditions.
MEPID (Optional) defines the MEP ID, in the range of <1–8191>.
Example
In this example, the defect priority of the local MEP ID 10 is configured to 3. In this case, this
MEP reports all defect conditions with a priority equal to or higher than 3:
• It announces the lack of CCMs from a remote MEPs (configured in the local MEPs list)
• It ignores the MAC status defects and the reception of valid CCMs with RDI bit set
device-name(config-cfm-D7-MA7)#fault-alarms-level 3 mep 10
Updating the Remote MEPs List

The clear connectivity command clears and updates the remote MEPs' connectivity list for a
specific or all remote MEPs.
This command clears:
• the remote MEPs that did not send CCMs for some time and are in a down state
• the active remote MEPs' counters
When removing a local MEP, all the remotes MEPs that belong to the monitored MA are removed
from the CCM remote MEPs list.
NOTE
When you remove a local MEP, all the remote MEPs it has relations with are
removed from the MEP's connectivity list.
Command syntax
device-name(config-cfm-DOMAIN NAME-MA NAME)#clear connectivity [<MEPID>]
Page 73
MEPID (Optional) defines the remote MEP's ID, in the range of <1–8191>
NOTE
If you do not define a MEP ID, this command clears
all the MEPs in a down state.
Defining the Fault Notification Reset Time

The fng-reset-time command defines the time interval in which defects are absent before
enabling a Fault Alarm again.
Command Syntax
device-name(config-cfm-DOMAIN NAME-MA NAME)#fng-reset-time <250-1000> mep
<1-8191>
device-name(config-cfm-DOMAIN NAME-MA NAME)#no fng-reset-time mep <1-8191>
250-1000 Defines the reset interval time, in hundredths of a second.
1000 hundredths of a second
mep <1-8191> The MEP ID.
Example
device-name(config-cfm-D7-MA7)#fng-reset-time 850 mep 225
Defining the Fault Notification Alarm Time

The fng-alarm-time command defines the time interval that defects must be present before a
local MEP generates a Fault Alarm.
Command Syntax
device-name(config-cfm-DOMAIN NAME-MA NAME)#fng-alarm-time <250-1000> mep
<1-8191>
device-name(config-cfm-DOMAIN NAME-MA NAME)#no fng-alarm-time mep <1-8191>
Page 74
250-1000 Defines the alarm interval, in hundredths of a second.
250 hundredths of a second
mep <1-8191> The MEP ID.
Example
device-name(config-cfm-D7-MA7)#fng-reset-time 350 mep 225
Enabling the AIS/LCK

The ais-lck command enables Alarm Indication Signal (AIS) and Lock Signal (LCK) functions of
Y.1731. MEPs send AIS packets during signal failure detection and LCK packets during tests. The
MEPs, defined in the MA, react to the received AIS and LCK packets.
Command Syntax
device-name(config-cfm-DOMAIN NAME-MA NAME)#ais-lck {enable | disable}
Example
device-name(config-cfm-D5-MA5)#ais-lck enable
Configuring the AIS/LCK Level

The ais-lck level command configures the client domain level in which AIS and LCK packets
are sent.
This level has to be higher than the domain level. For example, if the domain level is 5, the
AIS/LCK level has to be 6 or 7. Therefore, the AIS/LCK feature does not send any packets when
it is enabled on domain level 7.

To configure the AIS/LCK level, first enable this feature using the ais-lck command
(see Enabling the AIS/LCK), otherwise the [%Error] AIS/LCK should be enabled first error is
generated.
Command Syntax
device-name(config-cfm-DOMAIN NAME-MA NAME)#ais-lck level <1-7>
device-name(config-cfm-DOMAIN NAME-MA NAME)#no ais-lck level
Page 75
level <1–7> The AIS/LCK level, in the range of <1–7>.
default level is one higher than the configured MA level.
Example 1
device-name(config-cfm-D5-MA5)#ais-lck level 4
Example 2
[%Error] AIS/LCK should be enabled first
Configuring the AIS/LCK Priority

The ais-lck priority command configures the sent AIS and LCK packets' priority.

To configure the AIS/LCK priority, first enable this feature using the ais-lck command
generated.
Command Syntax
device-name(config-cfm-DOMAIN NAME-MA NAME)#ais-lck priority <0-7>
0-7 The AIS/LCK priority
6
Example 1
device-name(config-cfm-D5-MA5)#ais-lck priority 5
Example 2
Page 76
Configuring the AIS/LCK Sending Interval

The ais-lck interval command configures the interval between two successive AIS or LCK
packets sent (A MEP continuously sends AIS or LCK packets until the condition that triggered
them is cleared).

To configure the AIS/LCK interval, first enable this feature using the ais-lck command
generated.
Command Syntax
device-name(config-cfm-DOMAIN NAME-MA NAME)#ais-lck interval {1 second | 1
minute}
1 second Defines a 1 second interval between two successive AIS or LCK packets
1 second
1 minute Defines a 1 minute interval between two successive AIS or LCK packets
Example
device-name(config-cfm-D5-MA5)#ais-lck interval 1 minute
device-name(config-cfm-D5-MA5)#ais-lck interval 1 minute
Enabling a MEP in an Active State

The mep-state active command enables a MEP to operate in an active state for a specific MEP
ID.
Command Syntax
device-name(config-cfm-DOMAIN NAME-MA NAME)#mep-state active <1-8191>
device-name(config-cfm-DOMAIN NAME-MA NAME)#no mep-state active
1-8191 Specifies the MEP ID.
MEP state is inactive
no Restores the default.
Page 77
Enabling a MEP to Send CCMs

The mep-ccm enabled command enables a MEP to send CCMs for a specific MEP ID.
Command Syntax
device-name(config-cfm-DOMAIN NAME-MA NAME)#mep-ccm enabled <1-8191>
device-name(config-cfm-DOMAIN NAME-MA NAME)#no mep-ccm enabled
1-8191 Specifies the MEP ID.
MEP is not able to send CCMs
no Restores the default.
Example
device-name(config-cfm-D1-MA1)#mep-ccm enabled 1
Page 78
CFM Performance Monitoring Commands

Table 12: 802.1ag Performance Monitoring Commands
Command Description
profile Creates a performance monitoring profile with a specified name

and enters Monitoring Profile Configuration mode (see Creating a
Performance Monitoring Profile)
process Enters the Monitoring Process Configuration mode and starts the
monitoring of an established CFM connectivity according to
thresholds defined on the specified profile (see Configuring a
Two-way Monitoring Process)
update-interval Defines the time interval between updates of performance
parameters (see Configuring the Time between Performance
Parameters Update)
Performance Monitoring Profile Creation

The profile command creates a CFM profile with a specified name or enters the Monitoring
Profile Configuration mode.
If you do not configure a monitoring profile, the default thresholds and default parameters values
(such as rate and frame size) are used.
Command Syntax
device-name(config-cfm)#[no] profile PROFNAME
PROFNAME Defines the monitoring profile name.
when CFM protocol is enabled, a default profile is created automatically
no Removes the configured profile.
Example
device-name(config-cfm)#profile p1
device-name(config-cfm-profile-p1)#exit
Page 79
Configuring Two-way Monitoring Process

The process command begins the monitoring of an established CFM connectivity on a specified
domain level and MA, according to thresholds defined on the specified profile. These results are
collected for performing the two-way jitter calculation.
Command Syntax
device-name(config-cfm)#[no] process PROCNAME domain DOMAIN NAME ma MA NAME
[repeat minutes <minutes> seconds <seconds>] [profile PROFNAME]
PROCNAME Defines the monitoring process name.
DOMAIN NAME The maintenance domain name used by the process.
MA NAME The maintenance association name that the process monitors.
repeat minutes (Optional) defines the repetition interval of the monitoring process.
<minutes>
seconds The valid range is:
<seconds> • <0–60> minutes
• <0–60> seconds
1 minute
profile PROFNAME (Optional) selects the monitoring profile name.
no Removes the existing configuration.
NOTE
The command is rejected if you add a process with an existing name but change the
repeat interval.
The command is accepted if you add a process with an existing name but change
the profile name and the repeat interval (even if the profile has the same
configuration as the previous).
Example
device-name(config-cfm)#process proc1 domain d7 ma ma7 profile p1 repeat
minutes 0 seconds 1
minutes 1 seconds 1
% Process proc1 is already using profile p1 for domain d7 and ma ma7

minutes 0 seconds 1
Page 80
Configuring Time between Performance Parameters Update

The update-interval command configures the time interval for updating the monitoring
parameters (one-way jitter, two-way jitter, latency, and frame loss).
Command Syntax
device-name(config-cfm)#update-interval <0-65535>
0–65535 Defines the time between monitoring parameters update, in seconds. A
value of 0 suspends the monitoring task and a value different from 0
resumes it.
20 seconds
Example
device-name#update-interval 60
Page 81
CFM Profile Configuration

Table 13: 802.1ag Monitoring Profile Commands
Command Description
priority Defines the 802.1p class-of-service (see Specifying the CFM

Class-of-Service)
rate Defines the number of the Loopback Request packets (see
Specifying the Number of Loopback Request Packets)
size Defines the Loopback Request packets' size (see Specifying the
Size of Loopback Request Packets)
1wJitter-error Defines the one-way jitter error monitoring threshold (see
Specifying the One-Way Jitter Error Monitoring Threshold)
1wJitter-warning Defines the one-way jitter warning monitoring threshold (see
Specifying the One-Way Jitter Warning Monitoring
Threshold)
jitter-error Defines the two-way jitter error monitoring threshold (see
Specifying the Two-Way Jitter Error Monitoring Threshold)
jitter-warning Defines the two-way jitter warning monitoring threshold (see
Specifying the Two-Way Jitter Warning Monitoring
Threshold)
frame-loss-error Defines the frame-loss error threshold (see Specifying the Two-
Way Frame-Loss Error Threshold)
frame-loss-warning Defines the frame-loss warning threshold (see Specifying the
Two-Way Frame-Loss Warning Threshold)
latency-error Defines the two-way latency error threshold (see Specifying the
Two-Way Latency Error Monitoring Threshold)
latency-warning Defines the two-way latency warning threshold (see Specifying
the Two-Way Latency Warning Monitoring Threshold)
results-bucket-size Defines the number of results saved for jitter calculation (see
Defining the CFM OAM Process Result Bucket Size)
Page 82
Specifying the 802.1p Class-of-Service Setting

The priority command defines the 802.1p class-of-service.
CLI Mode: Monitoring Profile Configuration
Command Syntax
device-name(cfg-cfm-profile-PROFNAME)#priority <priority>
priority The 802.1p class-of-service setting, in the range of <0–7>.
0
Specifying the Number of Loopback Request Packets

The rate command defines the number of the Loopback Request packets.
Command Syntax
device-name(cfg-cfm-profile-PROFNAME)#rate <packet-rate>
packet-rate The number of Loopback Request packets sent each time, in the range
of <1–3>.
1
Specifying the Size of Loopback Request Packets

The size command defines the Loopback Request packets' size.
Command Syntax
device-name(cfg-cfm-profile-PROFNAME)#size <0-1462>
0-1462 The Loopback Request data TLV payload, in the range of <0–1462>
bytes.
0 bytes
Page 83
Specifying One-Way Jitter Error Monitoring

The 1wJitter-error command defines the one-way jitter error monitoring.
Command Syntax
device-name(cfg-cfm-profile-PROFNAME)#1wJitter-error <1wJitter-error>
1wJitter-error Defines the one-way jitter error value to monitor, in the range of
<1–10000> milliseconds.
350 milliseconds
Specifying One-Way Jitter Warning Monitoring

The 1wJitter-warning command defines the one-way jitter warning monitoring.
Command Syntax
device-name(cfg-cfm-profile-PROFNAME)#1wJitter-warning <1wJitter-warning>
1wJitter-warning Defines the one-way jitter warning value to monitor, in the range of
<1–10000> milliseconds.
300 milliseconds
Specifying Two-Way Jitter Error Monitoring

The jitter-error command defines the two-way jitter error monitoring.
Command Syntax
device-name(cfg-cfm-profile-PROFNAME)#jitter-error <jitter-error> [period
<jitter-error-time>]
Page 84
jitter-error The jitter error value to monitor, in the range of <1–10000>
milliseconds.
700 milliseconds
period <jitter- (Optional) defines the jitter duration, in the range of <1–3600> seconds.
error-time>
90 seconds
Specifying Two-Way Jitter Warning Monitoring

The jitter-warning command defines the two-way jitter warning monitoring.
Command Syntax
device-name(cfg-cfm-profile-PROFNAME)#jitter-warning <jitter-warning> period
<jitter-warning-time>
jitter-warning The two-way jitter warning value to monitor, in the range of <1–10000>
milliseconds.
600 milliseconds
period <jitter- (Optional) defines the jitter duration, in the range of <1–3600> seconds.
warning-time>
180 seconds
Specifying Two-Way Frame-Loss Error Monitoring

The frame-loss-error command defines the two-way frame-loss error monitoring threshold.
Command Syntax
device-name(cfg-cfm-profile-PROFNAME)#frame-loss-error <frame-loss-error>
frame-loss-error The two-way frame-loss error value, in percents, in the range of
<0–99>.
10% frame loss
Page 85
Specifying Two-Way Frame-Loss Warning Monitoring

The frame-loss-warning command defines the two-way frame-loss warning monitoring
threshold.
Command Syntax
device-name(cfg-cfm-profile-PROFNAME)#frame-loss-warning <frame-loss-warning>
frame-loss- The two-way frame-loss warning value, in percents, in the range of
warning <0–99>. If you define a value greater than the frame-loss-error
value, the frame-loss-warning is disabled.
8% frame loss
Specifying Two-Way Latency Error Monitoring

The latency-error command defines the two-way latency error monitoring threshold.
Command Syntax
device-name(cfg-cfm-profile-PROFNAME)#latency-error <latency-error> [period
<latency-error-time>]
latency-error The two-way latency error threshold, in the range of <1–10000>
milliseconds.
2000 milliseconds
period <latency- (Optional) defines the latency increase duration, in the range of
error-time> <1–3600> seconds.
90 seconds
Page 86
Specifying Two-Way Latency Warning Monitoring

The latency-warning command defines the two-way latency warning monitoring threshold.
Command Syntax
device-name(cfg-cfm-profile-PROFNAME)#latency-warning <latency-warning>
[period <latency-warning-time>]
latency-warning The two-way latency warning threshold, in the range of <1–10000>
milliseconds.
1600 milliseconds
period <latency- (Optional) defines the latency increase duration, in the range of
warning-time> <1–3600> seconds.
180 seconds
NOTE
If you define a threshold that is larger than the corresponding error threshold,
the warning threshold is disabled.
Defining the CFM OAM Process Result Bucket Size

The results-bucket-size command defines the number of results to save for jitter calculation.
Command Syntax
device-name(cfg-cfm-profile-PROFNAME)#results-bucket-size <bucket-size>
bucket-size The number of results saved for jitter calculation, in the range of
<2–255> results.
20 results
Page 87
802.1ag CFM Monitoring and Statistics Commands

Table 14: 802.1ag CFM Monitoring and Statistics Commands
Command Description
show cfm Displays the current CFM configuration and status (see
Displaying the CFM Configuration)
show cfm connectivity Displays connectivity statistics for all configured domains or for a
specified domain (see Displaying Connectivity Statistics)
show cfm profile Displays the monitoring parameters for a specified monitoring
profile or for all profiles (see Displaying Monitoring
Parameters)
show cfm process Displays performance statistics for a specified domain or all
domains (see Displaying Performance Statistics)
show cfm update- Displays the update interval value (see Displaying the Update
interval Interval)
cfm linktrace Sends a linktrace message to a specific MEP or MIP in a specified
domain (see Sending Linktrace Messages
cfm loopback Sends a loopback message to a specific MEP or MIP in a
specified domain (see Sending Loopback Messages)
Displaying the CFM Configuration

The show cfm command displays the local MEPs' current CFM configuration and status.

To execute this command, first enable CFM (see Enabling/Disabling the CFM Protocol);
otherwise the %CFM not active error is generated.
Command Syntax
device-name#show cfm [UU/SS/PP | ag0N | interfaces | domain level <0-7>]
UU/SS/PP (Optional) the port for which MEPs and MIPs details are displayed.
ag0N (Optional) the aggregated port for which MEPs and MIPs details are
displayed. The allowed LAG ID numbers are in the range of <1–7>.
interfaces (Optional) the current CFM entities (MIPs, MEPs).
domain level (Optional) the CFM entities (MIPs, MEPs) for a specific domain level.
<0-7>
Page 88
The command displays two state types per MEP: Administrative and Operative (as detailed in the
below table):
Table 15: The show cfm Command Parameters Displayed (for Local MEPs)
Adm State Indicates whether CFM packets are being sent or not. The
available states are:
• Up: the MEP is functioning normally and sends packets
• Down: the MEP is not functioning properly and is not able to
send packets
Oper state Displays the status of the port assigned to the MEP. The available
states are:
• Up: MEP functions normally and CFM PDUs are sent
• Down: at least one of the remote MEPs configured to this
MEP has failed and CFM PDUs are not sent.
• Block: the port is blocked by the xSTP protocol
• Test: a status that might be set as a result of an IEEE Std.
802.3ah OAM intrusive loopback operation
• NoDat: no data and no CFM Messages are received for an
excessive length of time
Example 1
device-name#show cfm
Domain: d1 (string)
Level: 1
Mip Policy: default
Sender ID Content: all
Maintenance association: ma1 (string)

Service ID: 33
CCM Priority: 6
Hello interval (ms): 1000
Mip Policy: defer
Sender ID Content: defer
AIS-LCK: enabled
AIS-LCK level: 5
AIS-LCK priority: 6
AIS-LCK interval: 1 minute
Local MEPs
======================================================
|MEP | SAP |Adm |Oper |Alarm|CCM |
| | |State|State|Level|Prio|
|----+------------------------+-----+-----+-----+----|
| 2|1/2/4:untagged: | Up |Up | 1 | 6 |
======================================================
Page 89
Local MIPs
=============================================================
| MP | SDP | Domain | MA | MD | SVC |
| Type | | name | name | Level | ID |
|------+------------+----------+----------+-------+----------|
| MIP |1/1/1:10 | 1| 1| 1 | 33|
=============================================================
Domain: d3 (string)
Level: 3
Mip Policy: default

VLAN ID: 10
CCM Priority: 6
Mip Policy: defer
AIS-LCK: disabled
Local MEPs
===================================================
| MEP | Port | Adm | Oper | Alarm | CCM |
| | | State | State | Level |Priority|
|-----+----------+-------+-------+-------+--------|
| 3 | 1/2/1 | Up |Down | 1 | 6 |
===================================================
Local MIPs
=======================================================
| MP | Port | Domain | MA | MD | VLAN |
|------+----------+----------+----------+-------+------|
| MIP | 1/2/2| 3| 3| 3 | 10 |
=======================================================
Example 2
device-name#show cfm 1/2/2
========================================
| MP | Direction | ID | MD | VLAN |
| Type | | | Level | ID |
|------+-----------+------+-------+------+
| MEP | IN | 226 | 5 | 5 |
| MIP | | | 6 | 10|
========================================
Page 90
Example 3
device-name#show cfm interfaces
Port 1/1/1
========================================
|------+-----------+------+-------+------+
| MIP | OUT | 0 | 1 | 10 |
==========================================
Port 1/2/2
==========================================
|------+-----------+------+-------+------+
| MEP | | 224 | 1 | 10 |
========================================
SDP 1/1/1:10
========================================
| MP | Direction | ID | MD | SVC |
|------+-----------+------+-------+------+
| MIP | | 0 | 1 | 33 |
========================================
SAP 1/2/2:untagged:
========================================
| MP | Direction | ID | MD | SVC |
|------+-----------+------+-------+------+
| MEP | IN | 2 | 1 | 33 |
==========================================
Page 91
Example 4
device-name#show cfm domain level 1
Domain: d5 (string)
Level: 5
Mip Policy: default
VLAN ID: 10
CCM Priority: 6
Mip Policy: defer
Local MIPs
=======================================================
| MP | Port | Domain | MA | MD | VLAN |
|------+----------+----------+----------+-------+------|
| MIP | 1/1/1 | d1| ma1| 1 | 10 |
| MIP | 1/1/2 | d1| ma1| 1 | 10 |
=========================================================
Example 5
device-name#show cfm ag01
Nothing defined on port
device-name#show cfm ag02
Local MEPs
==============================================================================
| MP | Direction | ID | Adm | Oper | Domain | MA | MD | VLAN|
| Type | | | State | State | name | name | Level ID |
|------+-----------+------+-------+-------+----------+----------+-------+------
| MEP | OUT | 1000 | Down | Down |Customer_L| MA10 | 7 | 10|
==============================================================================
Displaying Connectivity Statistics

The show cfm connectivity command displays connectivity statistics for all configured domains
or for a specified domain.

Command Syntax
device-name#show cfm connectivity [domain NAME] [ma MA NAME] [extended]
Page 92
domain NAME (Optional) the maintenance domain's name to display connectivity statistics
for.
the statistics for all defined domains are displayed
ma MA NAME (Optional) the maintenance association's name to display connectivity
statistics for.
the statistics for all domains (defined above) MAs are displayed
extended (Optional) displays information extracted from the Port ID TLV in CCMs
Example 1
device-name#show cfm connectivity
Domain: d5 (string)
Level: 5
VLAN ID: 11
Remote MEPs Discovered by Local MEP 2

===========================================================
MEP | MAC-address | Adm | Oper | Last State |
| |State | State | Change |
-----+-------------------+------+-------+-----------------|
10 | 00:A2:12:C2:00:02 | UP | UP | 1days 14:54:34|
15 | 00:A2:12:D2:01:04 | UP | UP | 2days 19:37:16|
16 | 00:A2:12:A6:30:23 | UP | UP | 1days 10:21:08|
=========================================================
Example 2
device-name#show cfm connectivity extended
Domain: D6 (string)
Level: 6
Maintenance Association: ma6 (string)

VLAN ID: 3

======================================================================
MEP | MAC-address | Adm | Oper | Chassis | Management |
| |State | State | ID | Address |
----+-------------------+------+-------+---------+---------------------|
10 | 00:A2:12:C2:00:02 | UP | UP | T-Marc 4| 193.254.12.1:23 |
15 | 00:A2:12:D2:01:04 | UP | UP | N/A | N/A |
16 | 00:A2:12:A6:30:03 | UP | UP | T-Marc 5| N/A |
======================================================================
Page 93
The command displays two state types per MEP: Administrative and Operative (as detailed in the
below table).
Table 16: The show cfm connectivity extended Command Parameters (Remote
MEP)
Adm State Indicates whether CFM packets are received or not. The available
states are:
• Up: the MEP is functioning normally and packets are received
• Fail: the MEP is not functioning properly and no packets were
received in the last 3.5 CCM lifetime intervals
Oper state Displays the status of the port assigned to the MEP. The available
states are:
• Up: MEP functions normally and CFM PDUs are received
• Down: at least one of the remote MEPs configured to this
MEP has failed and CFM PDUs are not recieved.
• Block: the remote port is blocked by the xSTP protocol
• Test: a status that might be set as a result of an IEEE Std.
802.3ah OAM intrusive loopback operation
• NA: the received CCMs do not contain the interface status
TLV or they contain an invalid interface status value.
• There are other available statuses defined by IEEE Std.
802.1ag: unknown, dormant, notPresent, lowerLayerDown
(the operating status displays these statuses only if some
other vendor transmits them, but the T-Marc does not
broadcast such states)
Displaying Monitoring Parameters

The show cfm profile command displays the monitoring parameters for a specified monitoring
profile or for all profiles.

Command Syntax
device-name#show cfm profile [PROFILE NAME]
PROFILE NAME (Optional) the profile name to display.
Page 94
Example
device-name#show cfm profile default
Process name: default
Priority: 3; Rate: 1; Payload size: 0; Bucket size: 20;
Thresholds (value<ms>/duration<s>):
1W Jitter error: 350 1W Jitter warning: 300
2W Jitter error: 700/90 2W Jitter warning: 600/180
Latency error: 2000/90 Latency warning: 1600/180
Frame loss error: 10.00% Frame loss warning: 8.00%
Displaying Performance Statistics

The show cfm process command displays performance statistics for a specified domain or all
domains.

Command Syntax
device-name#show cfm process [PROCNAME]
PROCNAME (Optional) the process name to display
all domains' performance statistics are displayed
Example 1
device-name#show cfm process Proc1
Process: Proc1
Monitoring profile: default
Domain: D1; Level: 3
Maintenance association: MA1; VLAN-ID: 3
Loopback interval: 10; Loopback- timeout: 4200 sec
Results- bucket- size: 120
====================================================
MAC-address |One-way|Two-way| Latency | Frame |
| jitter| jitter| | loss |
-------------------+-------+-------+---------+--------
00:A0:12:27:12:40| 100 | 98 | 10 | 10% |
00:A0:12:27:12:40| 80 | 99 | 5| 2% |
====================================================
Page 95
Example 2
If you configure the update interval to zero seconds (monitoring is suspended), this command
displays only the processes but not monitoring tables (see Configuring the Time between
Performance Parameters Update).
device-name(config-cfm)#update interval 0
device-name(config-cfm)#end
device-name#show cfm process
The Performance monitoring is disabled. The update interval is set to 0
Process: 1
Monitoring profile: default
Domain: d1; Level: 1
Maintenance Association: ma1; VLAN-ID: 10
Loopback interval: 60s; Loopback timeout: 1200s;
Results bucket size: 20
Displaying the Update Interval

The show cfm update-interval command displays the update interval value in seconds.

Command Syntax
device-name#show cfm update-interval
Example
device-name(config-cfm)#update interval 10
device-name(config-cfm)#end
device-name#show cfm update-interval
Update interval is set to: 10 seconds
Page 96
Sending Linktrace Messages

The cfm linktrace command sends a linktrace message to a specified MEP or MIP in the
domain.

Command Syntax
device-name#cfm linktrace domain NAME ma MA-NAME mep <mep-id> {target-mip
HH:HH:HH:HH:HH:HH | target-mep <mep-id>} [timeout <timeout>] [ttl
<TTL>]
domain NAME The maintenance domain.
ma MA-NAME The maintenance association.
mep <mep-id> The Source MEP ID, in the range of <1–8191>.
target-mip The MAC address of the linktrace destination MIP.
HH:HH:HH:HH:HH:HH
target-mep The linktrace destination MEP ID, in the range of <1–8191>.
<mep-id>
timeout <timeout> (Optional) the linktrace reply (LTR) timeout, in the range of <1–60>
seconds
2 seconds
ttl <TTL> (Optional) the initial TTL field value, in the range of <1–255>.
Example
device-name#cfm linktrace domain d5 ma ma5 mep 204 target-mep 201
Tracing link from mep 204 to mep-id 201 (00:A0:12:11:11:11)
Sending loopback message to refresh MAC address tables...
Loopback reply received
Sending Linktrace Message
Waiting to receive Linktrace Replies
Reply with ttl 63 transID 7674 from 00:A0:12:11:11:11 (5 ms)
Target MAC found
Done.
Page 97
Sending Loopback Messages

The cfm loopback domain command sends a loopback message to a specific MEP or MIP in a
specified domain.

Command Syntax
device-name#cfm loopback domain NAME ma MA NAME mep <mep-id> {target-mep
<mep-id> | target-mip HH:HH:HH:HH:HH:HH} [number <number> | infinite]
[delay <delay>] [timeout <timeout>] [payload-size <size>]
domain NAME The maintenance domain.
ma MA NAME The maintenance association.
mep <mep-id> The Source MEP ID, in the range of <1–8191>.
target-mep The loopback destination MEP ID, in the range of <1–8191>.
<mep-id>
target-mip The MAC address of the linktrace destination MIP.
HH:HH:HH:HH:HH:HH
number <number> (Optional) defines the number of loopback messages sent, in the
range of <1–1024>
3 messages
infinite (Optional) configure the loopback to run continuously until you press
<ESC>
NOTE
Using this argument changes the delay value to 1, in
case you previously defined the delay value to 0.
delay <delay> (Optional) the delay between 2 consecutive loopback messages, in
the range of <0–60> seconds
5 seconds
timeout <timeout> (Optional) the loopback reply (LBR) timeout, in the range of <1–60>
seconds
2 seconds
payload-size (Optional) the loopback message PDU size, in the range of <0–1462>
<size> bytes
0 bytes
Page 98
Example 1
device-name#cfm loopback domain D5 ma ma5 mep 17 target-mep 13 number 5 size
64
Sending 5 loopback message to mep-id 13 (00:A0:12:27:00:80)
.....
Done.
Sent 5. Received ok 5. Out of order 0. Bad 0. Success rate 100.0%
Time msec.(min/avg/max): 0.5/1/1.5
Example 2
device-name#cfm loopback domain d5 ma ma5 mep 17 target-mip 00:A0:12:22:5A:00
number 5 size 64
Sending 5 loopback message(s) to mip 00:A0:12:22:5A:00
..................................................
Done.
Sent 5. Received ok 5. Out of order 0. Bad 0. Success rate 100%
Time msec. (min/avg/max): 0.5/1/1.5
Table 17: Parameters Displayed by the cfm loopback domain Command

min The minimum time, in seconds, for receiving a loopback message.

avg The average time, in seconds, for receiving a loopback message.
max The maximum time, in seconds, for receiving a loopback message.
Page 99
CFM Configuration Example
Configuring two Devices in CFM Protocol

The following example is based on the following figure. The example shows how to configure an
Ethernet network using a CFM protocol.
Figure 14: Example for Configuring Two Devices in CFM Protocol
1. Create a VLAN with the specified name vl10 and ID 10:
Device1(config vlan)#create vl10 10
2. Change the configuration mode to a specified VLAN Configuration mode specified by name
in the command argument:
Device1(config vlan)#config vl10
3. Add port 1/2/1 as a tagged port:

Device1(config-vlan vl10)#add ports 1/2/1 tagged
Device1(config-vlan vl10)#end
4. Verify if the CFM protocol is enabled:

Device1(config)#cfm
Page 100
[%Error] %CFM is disabled, enable it to config
5. If CFM protocol is disabled, enable it:

Device1(config)#cfm enable
6. Create a maintenance domain with a specified name d7 and level 7 and create a maintenance
association within a specified domain:
Device1(config-cfm)#domain name d7 level 7
Device1(config-cfm-d7)#ma name ma7 vlan-ID 10
7. Specify the identification data sent to the remote MEPs creation policy on the specified MA:
Device1(config-cfm-d7-ma7)#senderid-content hostname
Device1(config-cfm-d7-ma7)#mip-policy explicit
8. Add port 1/2/1 as MEP to a specified MA:

Device1(config-cfm-d7-ma7)#mep 1 port 1/2/1 out
Device1(config-cfm-d7-ma7)#end
9. Create profile p1 and process proc1 for Device1:

Device1(config)#cfm
Device1(config-cfm)#profile p1
Device1(config-cfm-profile-p1)#rate 3
Device1(config-cfm-profile-p1)#exit
Device1(config-cfm)#process proc1 domain d7 ma ma7 profile p1 repeat
minutes 0 seconds 1
Device1(config-cfm)#end


Device2(config)#cfm

Page 101
7. Specify the identification data to be sent to the remote MEPs and the MIP creation policy on
the specified MA:
Device2(config-cfm-d7-ma7)#senderid-content hostname
Device2(config-cfm-d7-ma7)#mip-policy explicit
8. Add port 1/2/2 as MEP to the specified MA:

Displaying CFM Processes and Profiles on Device1:

Device1#show cfm profile
Profile name: default
Profile name: p1
Device1#show cfm profile p1

Profile name: p1
Page 102
Device1#show cfm process proc1

Process: proc1
Monitoring profile: p1
Domain: d7; Level: 7
Maintenance Association: ma7; VLAN-ID: 10
Loopback interval: 1s; Loopback timeout: 20s;
Results bucket size: 20
===========================================================
| MAC | One-way | Two-way | Latency | Frame |
| Address | jitter | jitter | | loss |
|-------------------+---------+---------+---------+-------|
| 00:A0:12:27:08:20 | 0.0 | 4.2 | 0 | 0.00%|
===========================================================
Displaying CFM Configuration and CFM Connectivity Statistics on

Device 1:
Device1#show cfm
Domain: d7 (string)
Level: 7
Mip Policy: default
VLAN ID: 10
CCM Priority: 6
Mip Policy: explicit
Sender ID Content: hostname
AIS-LCK: disabled
Local MEPs
===============================================================
| MEP | Port | Adm |CCM| Oper | Alarm | CCM | Sent |
| | | State|En |State | Level |Priority| CCM |
|-----+----------+------+---+-------+-------+--------+--------|
| 1| 1/2/1| Up |Yes| UP | 1 | 6 | 80|
===============================================================
Device1#show cfm connectivity

Domain: d7 (string)
Level: 7
VLAN ID: 10

========================================================
| MEP| MAC-address | Adm | Oper | Last State |
| | | State | State | Change |
|----+-----------------+-------+-------+-----------------|
| 2|00:A0:12:27:08:20| Up | Up | 2days 14:54:34|
========================================================
Page 103
Sending a loopback message to a specified MEP in a specified

domain:
Device1#cfm loopback domain d7 ma ma7 mep 1 target-mep 2 delay 0 number 10
Sending 10 loopback message(s) to mep-id 2 (00:A0:12:27:08:20)
..........
Done.
Sent 10. Received 10. Out of order 0. Bad 0. Success rate 100%
Time msec. (min/avg/max): 0.5/1/1.5
Sending a linktrace message to a specified MEP in a specified

domain:
Device1#cfm linktrace domain d7 ma ma7 mep 1 target-mep 2
Tracing link from mep 1 to mep-id 2 (00:A0:12:27:08:20)
Sending loopback message to refresh MAC address tables...
Loopback reply received
Sending Linktrace Message
Waiting to receive Linktrace Replies
Reply with ttl 63 transID 7674 from 00:A0:12:27:08:20 (5 ms)
Target MAC found
Done.
Page 104
Using the clear connectivity Command

This example is based on the following figure and describes the using of the clear connectivity
command.
Figure 15: Example for using the clear connectivity Command
3. Add ports 1/2/1 and 1/2/2 as tagged ports:

Device1(config-vlan vl10)#add ports 1/2/1-1/2/2 tagged

Device1(config)#cfm

Page 105




Device2(config)#cfm


Page 106


Device2(config)#cfm


Displaying the CFM Connectivity Statistics:

Domain: d7 (string)
Level: 7
VLAN ID: 10
===================================================
|MEP|MAC-address |Adm |Oper | Last State |
| | |State|State| Change |
|---+-----------------+-----+-----+-----------------|
|205|00:A0:12:27:08:20|Up |Up | 1days 14:54:34|
|203|00:A0:12:27:08:21|Up |Up | 1days 14:23:25|
===================================================
Page 107
Displaying the CFM Connectivity Statistics after the Connection

between Device 1 and Device3 is Removed:
Domain: d7 (string)
Level: 7
VLAN ID: 10
===================================================
|---+-----------------+-----+-----+-----------------|
|205|00:A0:12:27:08:20|Up |Up | 1days 14:54:34|
|203|00:A0:12:27:08:21|Down |Down | 1days 14:23:25|
===================================================
Clearing the Remote Inactive and Unused MEPs with the clear
connectivity Command:
Device1(config)#cfm
Device1(config-cfm)#domain name d7
Device1(config-cfm-d7)#ma name ma7
Device1(config-cfm-d7-ma7)#clear connectivity
Displaying CFM Connectivity Statistics after Using the clear

connectivity Command:

Domain: d7 (string)
Level: 7
VLAN ID: 10
===================================================
|---+-----------------+-----+-----+-----------------|
|205|00:A0:12:27:08:20|Up |Up | 1days 14:54:34|
===================================================
Page 108
SAA Throughput Test
Overview
CFM-OAM SAA Throughput tests are out-of-service applications that provide traffic
measurements between two network elements.
These tests are based on CFM domains, MEPs, and MAs (see 802.1ag Connectivity Fault Management
(CFM))
CAUTION
Initiating these tests stops all traffic on the test devices.
The T-Marc 300 Series support two types of throughput tests:

• Unidirectional throughput test
• Bi-directional throughout test
Unidirectional Throughput Test

Unidirectional throughput tests provide accurate measurements of different rates (such as duration,
maximum rate of test packets, maximum timeout, and list of data sizes) for both egress and ingress
traffic (see figure below).
The test measures the frame loss ratio between the test-head that sends the test packets and the
test-tail that receives them, comparing the results to a definable threshold.
Figure 16: Unidirectional Test
Page 109
To perform the unidirectional throughput test, the system administrator needs to define the
following parameters:
• The test-head (source) and test-tail (target) within an existing domain
• PDU sizes: since this test calculates performance for each PDU size (64, 128, 256, 512, 1024,
1280, 1518, 2000, 9000 bytes), displaying the test results per PDU size, the system
administrator has to select the relevant PDU sizes for the test.
• Maximum traffic rate, and the ratio between the constant and burst traffic rate: the test sends
two streams of traffic from the test-head, together concluding the test's maximum traffic rate:
Stream 1: The constant traffic rate (simulating the Committed Information Rate—CIR).
In default setting, this stream takes up 90% of the maximum traffic rate.
Stream 2: The burst traffic rate (simulating the Committed Burst Size—CBS). In default
setting, this stream takes up the remaining 10% of the maximum traffic rate.
• PDU burst size (in packets) for stream 2, which is CBS/PDU size
• The test length: the test duration per selected PDU size
When executing the test, the test-tail calculates the packet count for each test sequence, sending the
results to the test-head. Based on this message, the test-head reduces the test rate or continues to
the next PDU size.
To ensure the notification delivery, the test-tail keeps sending the results until the test-head sends a
reply to the test-tail or until it reaches the configured timeout.
If the test-head does not receive the message, it stops the test.
Bi-Directional Throughput Test

The bi-directional throughput test is based on the end-to-end unicast loopback test (as shown in the
below figure).
The test measures the frame loss ratio between the test-head (source) that sends the test packets
and test-loopback that receives them, comparing the results to a definable threshold.
Figure 17: End-to-End Unicast Loopback Test
The bi-directional throughput test generates test frames using 802.1ag LBM/LBR format.
Page 110
To perform the bi-directional throughput test, the system administrator needs to define the
following parameters:
• The test-head (source) and test loopback (target) within an existing domain
• PDU sizes: since this test calculates performance for each PDU size (64, 128, 256, 512, 1024,
1280, 1518, 2000, 9000 bytes), displaying the test results per PDU size, the system
administrator has to select the relevant PDU sizes for the test.
• Maximum traffic rate, and the ratio between the constant and burst traffic rate: the test sends
two streams of traffic from the test-head, together concluding the test's maximum traffic rate:
Stream 1: The constant traffic rate (simulating the Committed Information Rate—CIR).
In default setting, this stream takes up 90% of the maximum traffic rate.
Stream 2: The burst traffic rate (simulating the Committed Burst Size—CBS). In default
setting, this stream takes up the remaining 10% of the maximum traffic rate.
• PDU burst size (in packets) for stream 2, which is CBS/PDU size
• The test length: the test duration per selected PDU size
• Select one of the below the loopback types:
MAC SA/DA swap and LBM to LBR swap
MAC SA/DA swaps only
When performing a bi-directional throughput test:
• The test transmits PDUs in the defined CIR rate for a single test duration to determine
whether the frame-loss drops from a configurable threshold.
• After finishing the packets transmission, the test suspends for a period of time equal to the
maximum latency in which all the packets arrive.
• Each transmitted PDU has an ID (sequence number) and timestamp used for statistics
calculation.
• If the frame-loss is above the maximum frame-loss percentage, the source repeats the test in a
lower rate until frame loss is within the configured SLA range.
• Display the following results: Maximum successful throughput, frame-loss measured at that
throughput, and total packets sent.
Page 111
The SAA Throughput Test Configuration Flow

1. Create a throughput test and enter the Throughput Test Configuration mode. See Creating a
Throughput Test.
2. Define the test type. See Defining the Throughput Test Type.
3. Define the parameters of the generated traffic. See Defining the Source for Throughput Test.
4. Define the C-VLAN in the generated test packets. See Defining the C-VLAN.
5. Define the destination of the throughput test. See Defining the Throughput Test Target.
6. Define the maximum rate of the test packets. See Defining the Maximum Test Rate.
7. Define the committed burst size. See Defining the Burst Size for the Unidirectional Test.
8. Define the duration of a single test sequence. See Defining the Test Duration
9. Define the pattern of the test packet. See Defining the Test Packet Pattern.
10. Define the frame-loss ratio threshold. See Defining the Frame Loss Ratio Threshold.
11. Define the list of data-size for which the throughput test is executed. See Defining the Test's
Data-Size.
12. Define the maximum timeout for the test packets. See Defining the Test Timeout.
13. Define the time to wait for the test tail to send acknowledgment. See Defining the Result
Acknowledge Timeout.
14. Define the loopback type. See Defining the Loopback Type.
15. Start the throughput test. See Starting/Stoping the Throughput Test.
16. Display the results of the throughput test. See Displaying the Throughput Test Results.
Page 112
SAA Throughput Test Configuration Commands

Table 18: Throughput Tests commands
Command Description
saa throughput test Creates a throughput test and enters the Throughput Test
Configuration mode (see Creating a Throughput Test)
type Defines the throughput test type (see Defining the Source for
Throughput Test)
source Defines the parameters of the generated traffic (see Defining the
Source for Throughput Test)
c-vlan Defines the C-VLAN in the generated test packets (see Defining
the C-VLAN)
target Defines the throughput test destination (see Defining the
Throughput Test Target)
cir Defines the maximum committed information rate (CIR) of the test
packets (see Defining the Maximum Test Rate)
cbs Defines the committed burst size (CBS) and its ratio for the
second stream in the unidirectional testing (see Defining the Burst
Size for the Unidirectional Test)
duration Defines the duration of a single test sequence (see Defining the
Test Duration)
pattern Defines the pattern of the test packet (see Defining the Test
Packet Pattern)
frame-loss Defines the allowed frame-loss ratio threshold for throughput test
(see Defining the Frame Loss Ratio Threshold)
data-size Defines the list of data-sizes for which the throughput test is
executed (see Defining the Test's Data-Size)
timeout Defines the maximum timeout for the test packets (see Defining
the Test Timeout)
result-ack-timeout Defines the time to wait for the test-tail to send acknowledgement
(see Defining the Result Acknowledge Timeout)
loopback-type Defines the loopback type (see Defining the Loopback Type)
shutdown Stops/starts the throughput test (see Starting/Stoping the
Throughput Test)
show saa throughput Displays the results of the throughput test (see Displaying the
test Throughput Test Results)
Page 113
Creating a Throughput Test

The saa throughput test command creates a throughput test and enters the Throughput Test
Configuration mode. You can create and configure up to 32 multiple tests, but only one can run at
a time.
NOTE
You have to shutdown the test in order to change its configuration or remove it.
NOTE
If you try to create a throughput test with a name already used by the SAA test,
an error message is displayed; see Example 2 below.
Command Syntax
device-name(config)#saa throughput test NAME
device-name(config)#no saa throughput test NAME
NAME Specifies the test's name, a string of up to 10 characters.
no Removes the specified test.
Example 1
device-name(config)#saa throughput test t1
device-name(config-saa-throughput)#
Example 2
device-name(config)#saa test T1
device-name(config-saa-T1)#exit
device-name(config)#saa throughput test T1
[%Error] A saa test named T1 already exist
Example 3
Max number of throughput tests reached
Page 114
Defining the Throughput Test Type

The type command defines the throughput test type.
CLI Mode: Throughput Test Configuration
Command Syntax
device-name(config-saa-throughput)#type {uni-test-head | bi-test-head | uni-
test-tail | bi-test-loopback}
uni-test-head Defines a unidirectional throughput test.
bi-test-head Defines a bi-directional throughput test.
uni-test-tail Defines the test-tail functionality during a unidirectional throughput
test.
bi-test-loopback Defines the test-loopback functionality during a bi-directional test.
Examples:
• Configure the test to unidirectional throughput test:

device-name(config-saa-throughput)#type uni-test-head
device-name(config-saa-throughput-uth)#
• Configure the test to bi-directional throughput test:

device-name(config-saa-throughput)#type bi-test-head
device-name(config-saa-throughput-bth)#
• Configure the test-tail functionality during unidirectional throughput test:

device-name(config-saa-throughput)#type uni-test-tail
device-name(config-saa-throughput-tt)#
• Configure the test-loopback functionality during bi-directional throughput test:

device-name(config-saa-throughput)#type bi-test-loopback
device-name(config-saa-throughput-loopback)#
• Return a message that the test type is changed:

device-name(config-saa-throughput)#type bi-test-head
device-name(config-saa-throughput-bth)#exit
device-name(config-saa-throughput)#type bi-test-loopback
Resetting test type, discarding previous configuration
Page 115
Defining the Source for Throughput Test

The source command defines the generated traffic's parameters. This command is applicable for
all types of throughput tests.
NOTE
Configure the domain, MA, and MEP prior to running this command.
Configure this command immediately after the type command.
Command Syntax
device-name(config-saa-throughput-uth)#source cfm domain NAME ma NAME mep <ID>
[drop-eligible] [priority <0-7>]
device-name(config-saa-throughput-uth)#no source
device-name(config-saa-throughput-bth)#source cfm domain NAME ma NAME mep <ID>
[drop-eligible] [priority <0-7>]
device-name(config-saa-throughput-bth)#no source
device-name(config-saa-throughput-tt)#source cfm domain NAME ma NAME mep <ID>
device-name(config-saa-throughput-tt)#no source
device-name(config-saa-throughput-loopback)#source cfm domain NAME ma NAME mep
<ID>
device-name(config-saa-throughput-loopback)#no source
cfm Uses IEEE 802.1ag CFM protocol.
domain NAME Specifies the CFM domain.
ma NAME Specifies the CFM MA (defines the S-VLAN and priority).
mep <ID> Specifies the MEP ID, in the range of <1–8191>.
drop-eligible (Optional, valid only for unidirectional and bi-directional test-heads)
defines Data Exchange Interface (DEI) for S-TAG.
DEI is 0 (not drop-eligible)
priority <0-7> (Optional, valid only for unidirectional and bi-directional test-heads)
allows you to override default VPT bits for S-VLAN.
6
no Removes the previous configuration.
Page 116
Examples
• The domains, MA, and MEP must be configured prior to executing the source command.
device-name(config-saa-throughput-uth)#source cfm domain d7 ma ma7 mep 10
drop-eligible priority 5
• If the domains, MA, and MEP are not already configured, the below messages are displayed:
%Error.'d7' does not exist
%Error.'ma7' does not exist
%Error.'10' does not exist
Defining the C-VLAN

The c-vlan command defines the C-VLAN in the generated test packets. The command is
applicable for all types of throughput tests.
Command Syntax
device-name(config-saa-throughput-uth)#c-vlan <c-vlan-id> [drop-eligible]
[priority <0-7>]
device-name(config-saa-throughput-uth)#no c-vlan
device-name(config-saa-throughput-bth)#c-vlan <c-vlan-id> [drop-eligible]
[priority <0-7>]
device-name(config-saa-throughput-bth)#no c-vlan
device-name(config-saa-throughput-tt)#c-vlan <c-vlan-id> [drop-eligible]
[priority <0-7>]
device-name(config-saa-throughput-tt)#no c-vlan
device-name(config-saa-throughput-loopback)#c-vlan <c-vlan-id> [drop-eligible]
[priority <0-7>]
device-name(config-saa-throughput-loopback)#no c-vlan
c-vlan <c-vlan-id> Defines the C-VLAN ID, in the range of <1–4094>.
drop-eligible (Optional) specifies the DEI bit.
0 (not drop-eligible)
priority <0-7> (Optional) defines the 802.1p priority bits.
0
no Restores to defaults.
packets are not tagged
Example
device-name(config-saa-throughput-uth)#c-vlan 10 drop-eligible priority 5
Page 117
Defining the Throughput Test Target

The target command defines the throughput test's destination. This command is applicable to
unidirectional and bi-directional test-heads.
NOTE
Configure the target after configuring the source and the target MEP.
Command Syntax
device-name(config-saa-throughput-uth)#target {mip HH:HH:HH:HH:HH:HH | mep
<mep-id>}
device-name(config-saa-throughput-uth)#no target
device-name(config-saa-throughput-bth)#target {mip HH:HH:HH:HH:HH:HH | mep
<mep-id>}
device-name(config-saa-throughput-bth)#no target
mip HH:HH:HH:HH:HH:HH Specifies the target MIP MAC address.
mep <mep-id> Defines the target MEP ID, in the range of <1–8191>.
no Removes the previous configuration.
Examples
• Define the throughput test's destination:

device-name(config-saa-throughput-uth)#target mip 00:11:22:33:44:55
• If the MEP is not already configured, the below message is displayed:

priority 5 drop-eligible
device-name(config-saa-throughput-uth)#target mep 10
% CFM MEP not found
• If the source is not already configured, the below message is displayed:

device-name(config-saa-throughput-uth)#target mep 10
%Source domain and MA must be specified first
Page 118
Defining the Maximum Test Rate

The cir command defines the maximum Committed Information Rate (CIR) of the test packets.
This command is applicable to unidirectional and bi-directional test-heads.
NOTE
The CBS value must be smaller than CIR x Duration value.
Command Syntax
device-name(config-saa-throughput-uth)#cir <rate>
device-name(config-saa-throughput-uth)#no cir
device-name(config-saa-throughput-bth)#cir <rate>
device-name(config-saa-throughput-bth)#no cir
rate Defines the test packets maximum rate, in the range of <64–1000000> kbps.
500 Mbps
Example
device-name(config-saa-throughput-uth)#cir 150
Defining the Burst Size for the Unidirectional Test

The cbs command defines the Committed Burst Size (CBS) for the second stream in the
unidirectional test. This command is applicable only for the unidirectional test-head.
NOTE
The CBS value must be smaller than the CIR x Duration value.
Command Syntax
device-name(config-saa-throughput-uth)#cbs <burst-size> percentage <0-100>
device-name(config-saa-throughput-uth)#no cbs
Page 119
burst-size Defines the burst size, in the range of <10–2048> KB.
1 MB
percentage <0-100> Defines the bursty stream's ratio in the unidirectional throughput
test.
Example
device-name(config-saa-throughput-uth)#cbs 64 percentage 55
Defining the Test Duration

The duration command defines the duration of a single-test sequence. This command is
applicable to unidirectional and bi-directional test-heads.
Command Syntax
device-name(config-saa-throughput-uth)#duration <time>
device-name(config-saa-throughput-uth)#no duration
device-name(config-saa-throughput-bth)#duration <time>
device-name(config-saa-throughput-bth)#no duration
time Defines the duration value, in the range of <1–10> seconds.
5 seconds
Examples:
• Define the duration of a single-test sequence:

device-name(config-saa-throughput-uth)#duration 4
• Here, the CBS value is larger than the CIR x Duration value (in the example: 150>2 x 64). An
error message appears. When changing the CIR value and fulfilling this condition, CIR accepts
the new value.
device-name(config-saa-throughput-uth)#duration 2
device-name(config-saa-throughput-uth)#cbs 150 percentage 30
%Value given for CIR is invalid (CBS must be smaller than CIR*Duration)
Page 120
Defining the Test Packet Pattern

The pattern command defines the test packet's pattern type. This command is applicable to
unidirectional and bi-directional test-heads.
Command Syntax
device-name(config-saa-throughput-uth)#pattern {NULL | NULL-CRC | PRBS |
PRBS-CRC | NONE}
device-name(config-saa-throughput-uth)#no pattern
device-name(config-saa-throughput-bth)#pattern {NULL | NULL-CRC | PRBS |
PRBS-CRC | NONE}
device-name(config-saa-throughput-bth)#no pattern
NULL Specifies a 0 pattern type for all the tests.
NULL-CRC Specifies a 0 pattern type with Cyclic Redundancy Check (CRC) for all the
tests.
PRBS Specifies Pseudo Random Bit Sequence (PRBS).
PRBS
PRBS-CRC Specifies PRBS with CRC.
NONE Specifies an arbitrary pattern.
Example
device-name(config-saa-throughput-uth)#pattern NULL
Defining the Frame Loss Ratio Threshold

The frame-loss command defines the allowed frame-loss ratio threshold for throughput tests.
Command Syntax
device-name(config-saa-throughput-uth)#frame-loss <frame-loss>
device-name(config-saa-throughput-uth)#no frame-loss
device-name(config-saa-throughput-bth)#frame-loss <frame-loss>
device-name(config-saa-throughput-bth)#no frame-loss
Page 121
frame-loss Defines the frame-loss ratio, in the range of <0–100000> percents (the
resolution is 0.001%).
0%
Example
device-name(config-saa-throughput-bth)#frame-loss 50
Defining the Test's Data-Size List

The data-size command defines the test's data-size list for which the throughput test is executed.
Command Syntax
device-name(config-saa-throughput-uth)#data-size <fpga_pkt_size-list>
device-name(config-saa-throughput-uth)#no data-size
device-name(config-saa-throughput-bth)#data-size <fpga_pkt_size-list>
device-name(config-saa-throughput-bth)#no data-size
fpga_pkt_size-list Defines the data-size list: 64, 128, 256, 512, 1024, 1280,
1518, 2000, and 9000 bytes.
Separate tokens by a comma (',') or a dash ('-').
the test is performed for data-size list specified in the current
document (see Unidirectional Throughput Test and Bi-Directional
Throughput Test)
Example 1
device-name(config-saa-throughput-uth)#data-size 64
Example 2
device-name(config-saa-throughput-bth)#data-size 64-128
Page 122
Defining the Test Timeout

The timeout command defines the maximum timeout for the test packets. This command is
applicable to bi-directional test-heads only.
Command Syntax
device-name(config-saa-throughput-bth)#timeout <timeout>
device-name(config-saa-throughput-bth)#no timeout
timeout Defines the timeout, in the range of <0–100> (in 0.1 of second increments).
1 second
Example
device-name(config-saa-throughput-bth)#timeout 10
Defining the Result Acknowledge Timeout

The result-ack-timeout command defines how long the test-head (source) waits for
acknowledgement from the test-tail (target). The test-head repeats the request 3 times before
stopping the test if no acknowledges are received.
This command is applicable to unidirectional test-heads only.
Command Syntax
device-name(config-saa-throughput-uth)#result-ack-timeout <timeout>
device-name(config-saa-throughput-uth)#no result-ack-timeout
timeout Defines the timeout, in the range of <1–60> seconds.
5 seconds
Page 123
Defining the Loopback Type

The loopback-type command defines the test's loopback type. This command is applicable to bi-
directional test-heads only.
Command Syntax
device-name(config-saa-throughput-bth)#loopback-type {OAM | MAC-SWAP}
device-name(config-saa-throughput-bth)#no loopback-type
OAM Specifies the MAC SA/DA swap and LBM to LBR swap.
OAM
MAC-SWAP Specifies the MAC SA/DA swap only.
Example
device-name(config-saa-throughput-bth)#loopback-type MAC-SWAP
Starting/Stoping the Throughput Test

The shutdown command stops the throughput test.
CAUTION
Initiating these tests stops all traffic on the test devices.
While performing a throughput test, CLI locks and a message informs you of each test iteration.
Pressing <ESC>, while the test is running, stops the test and the CLI unlocks.
NOTE
The device supports only one running throughput test at a time, although you can
create and configure up to 32 multiple tests. If you want to start other configured
test, first you have to stop the running throughput test.
NOTE
For correct results, first start the test on the test loopback device (in a Bi-directional
test) or the test-tail device (in a unidirectional test).
Command Syntax
device-name(config-saa-throughput)#[no] shutdown
Page 124
no Starts the throughput test
Example 1: a unidirectional test

device-name(config-saa-throughput)#no shutdown
Sending START message to Test Tail...
Acknowledge message received from Test Tail
Beginning test with 64B packets...
Trying with bitrate 500 Mbps
Sending GET message to Test Tail...
Received results from Test Tail: 3596551 packets
Test succeeded. Frameloss 0.000%
Example 2: a bi-directional test


Test finished.
Example 3: a loopback test

Beginning loopback test...
Example 4: a test tail test

Waiting for start message from Test Head
Start message received from Test Head. Sending back Aknowledge message
Beginning test with target rate 500000 Kbps
Received GET results request from Test Head.
Sending back result: 3596551 received packets.
Example 5: pressing <ESC> while the test is running

Stopping test...
Test stopped
Page 125
Displaying the Throughput Test Results

The show saa throughput test command displays the results of the throughput test.
If the throughput test is not completed yet, its status is displayed in the command output.
The output also displays the results of test sequences for completed data-sizes.
Command Syntax
device-name#show saa throughput test NAME
NAME The test name to display
Example 1: a unidirectional test

device-name#show saa throughput test t1
Out-of-service UTH test towards 00:A0:12:4B:07:A0 belonging to MEP 2
Test name: t1
Using source MEP 1 in domain d4 and MA ma4 on level 4
S-Vlan 10, priority 6, drop-eligible flag 0
CIR 500 Mbps CBS 1 MB, CIR percentage 10%
Test duration 5s, Pattern: PRBS
Maximum Frame loss 0.000%
Tested PDU sizes: 64,128,256,512,1024,1280,1518,2000,9000Out-of-service UTH
test towards 00:A0:12:27:09:60 belonging to MEP 222
Test name: t1
Tagging also with C-Vlan 0, priority 0, drop-eligible flag 0
CIR 140000 Kbps CBS 2 MB, CBS percentage 99%
Test duration 5s, Pattern: PRBS
Tested PDU sizes: 64,128,256,512,1024,1280,1518,2000,9000
Example 2: a loopback test

device-name#show saa throughput test t1
Out-of-service Loopback test from 00:A0:12:22:5B:A0 belonging to MEP 10
Test name: t1
Using domain d7 and MA ma7 on level 7
S-Vlan 10
Page 126
Throughput Test Configuration Example

The following example shows how to configure the test-head on two devices.
Figure 18: Configuring Two Devices in Throughput Test Configuration Mode
Configuring Device1 (Source):

1. Create a VLAN with the specified name and ID:


Device1(config)#cfm

Page 127
6. Create a maintenance domain with a specified name and level and create a maintenance
Device1(config)#domain name d7 level 7

Configuring Device2 (Target):

1. Create a VLAN with the specified name and ID:


Device2(config)#cfm

Device2(config)#domain name d7 level 7

8. Create a throughput test:

Device2(config)#saa throughput test t1
9. Set the throughput test type to test-loopback:

Device2(config-saa-throughput)#type bi-test-loopback
Device2(config-saa-throughput-loopback)#
Page 128
10. Set the throughput test source:

Device2(config-saa-throughput-loopback)#source cfm domain d7 ma ma7 mep 10
Device2(config-saa-throughput-loopback)#exit
Configuring Throughput test on Device1 (Source):

1. Create a throughput test:
Device1(config)#saa throughput test t1
2. Set the throughput test type to bi-directional:

Device1(config-saa-throughput)#type bi-test-head
3. Set the throughput test source:

Device1(config-saa-throughput-bth)#source cfm domain d7 ma ma7 mep 10
4. Set the throughput test target:

Device1(config-saa-throughput-bth)#target mep 20
5. Set the maximum test rate:

Device1(config-saa-throughput-bth)#cir 150
6. Set the test duration:

Device1(config-saa-throughput-bth)#duration 4
7. Set the test packet pattern:

Device1(config-saa-throughput-bth)#pattern PRBS-CRC
8. Set the frame loss ratio threshold:

Device1(config-saa-throughput-bth)#frame-loss 50
9. Set the list of test data-sizes:

Device1(config-saa-throughput-bth)#data-size 64,128
10. Set the timeout:0.

Device1(config-saa-throughput-bth)#timeout 100
Device1(config-saa-throughput-bth)#exit
Starting the throughput test on Device2 (Target):

Device2(config-saa-throughput)#no shutdown
Beginning loopback test...
Device2(config-saa-throughput)#end
Page 129
Starting the throughput test on Device1 (Source):

Device1(config-saa-throughput)#no shutdown
Device1(config-saa-throughput)#end
Displaying the throughput test results on Device1 (Source):

Device1#show saa throughput test t1
Out-of-service BTH test towards 00:A0:12:11:22:33 belonging to MEP 10
Test name: t1
CIR 150 Kbps
Test duration 4s, Pattern: PRBS-CRC
Tested PDU sizes: 64,128
Displaying the throughput test results on Device2 (Target):

Device2#show saa throughput test t1
Out-of-service Loopback test from 00:A0:12:22:5B:A0 belonging to MEP 10
Test name: t1
Using domain d7 and MA ma7 on level 7
S-Vlan 10
Page 130
Service Assurance Application (SAA)
Overview
SAA is an in-service software feature that allows you to monitor the performance of network-
hosted applications by emulating the traffic of these applications. It provides the capability for
controlling and provisioning various OAM tests and SAA monitoring.
Using SAA you can measure real world performance scenarios through the SAA operations'
configuration, executing them periodically in a definable frequency.
SAA is based on the CFM feature, using its infrastructure to create and run ping tests, calculate and
store test results, and define performance profiles that include rising and falling statistics' thresholds.
Each test definition includes thresholds for different SLA levels. SAA calculates SLA statistics
(jitter, delay, and frame loss) and compares them to predefined SLA thresholds. In cases that the
statistics' values cross a threshold, SAA sends a notification.
Page 131
SAA Configuration Flow

To define SAA, proceed as follows:
1. Create an SAA profile. See Creating an SAA Profile
2. Define the maximum number of concurrent active tests. See Defining the Maximum Number of
Concurrent SAA Tests
3. Create SAA tests. See Creating an SAA Test.
4. Configure the test type. See Configuring the SAA Test Type.
5. Configure general test parameters, such as:
Frequency. See Configuring the Repeat Frequency
Probe statistics. See Configuring Probe Statistics
Probe timeout. See Configuring Probe Timeout
Test sending interval. See Configuring the Test Sending Interval
Monitored interval. See Configuring the Monitored Interval
6. Enable/Disable the SAA tests. See Enabling/Disabling the Current SAA Test.
7. Attach a profile to the current test. See Attaching a Threshold Profile to an SAA Test and
Enabling Alarms.
8. Configure the test delay and jitter calculation methods. See Configuring the Test Delay Calculation
Method and Configuring the Test Jitter Calculation Method.
9. Define the SAA loopback. See Defining the Current Loopback Functionality.
10. Display test results. See Displaying the SAA Tests Results.
11. Display configured profiles. See Displaying the SAA Threshold Profile.
Page 132
SAA Configuration Commands

Table 19: SAA Performance Monitoring Profiles Commands
Command Description
saa profile Creates a monitoring SAA profile and enters SAA Profile mode
(see Creating an SAA Profile)
delay-near-end Configures the measured one way delay threshold from the test-
head to the test loopback device (see Configuring the Near Delay
Thresholds)
delay-far-end Configures the measured one way delay threshold from the test
loopback to the test-head device (see Configuring the Far Delay
Thresholds)
jitter-near-end Configures the measured one way jitter threshold from the test-
head to the test loopback device (see Configuring the Near Jitter
Thresholds)
jitter-far-end Configures the measured one way jitter threshold from the test
loopback to the test-head device (see Configuring the Far Jitter
Thresholds)
frameloss-near-end Configures the measured one way frame loss ratio from the test-
head to the test loopback device (see Configuring the Near
Frame-Loss Ratio Thresholds)
frameloss-far-end Configures the measured one way frame loss ratio from the test
loopback to the test-head device (see Configuring the Far Frame-
Loss Ratio Thresholds)
Table 20: SAA Tests Commands

saa max-concurrent- Defines the maximum number of concurrent active tests (see
requests Defining the Maximum Number of Concurrent SAA Tests)
saa test Creates a new SAA test and enters SAA Test Configuration mode
(see Creating an SAA Test)
type y1731-ptp Defines the type of the generated monitoring traffic for a specified
service TLS service (see Configuring the SAA Service Test Type)
type y1731-ptp vlan Defines the type of the generated monitoring traffic for a specified
VLAN (see Configuring the SAA VLAN Test Type)
shutdown Enables/Disables the SAA test (see Enabling/Disabling the
Current SAA Test)
profile Specifies the threshold profile attached to the current SAA test and
enables the alarm feature (see Attaching a Threshold Profile to an
SAA Test and Enabling Alarms)
frequency Defines the repeat frequency (see Configuring the Repeat
Frequency)
probe-statistics Defines the number of intervals for which the calculation results
are kept in the result history database (see Configuring Probe
Statistics)
Page 133
timeout Defines the probe timeout period for the packets to reply before
considering them lost (see Configuring Probe Timeout)
period Defines the time interval between the packets sent by the test (see
Configuring the Test Sending Interval)
interval Defines the time interval for a test to collect data before doing a
calculation (see Configuring the Monitored Interval)
priority Defines the priority of the packets sent by the test (see Configuring
the Test Priority)
supported-functions Defines the type of metrics used by the test (see Configuring the
Test's Metric Types)
delay-calculation Configures the way the test calculates the frame-loss ratio delay
threshold (see Configuring the Test Delay Calculation Method)
jitter-calculation Configures the way the test calculates the jitter delay threshold
(see Configuring the Test Jitter Calculation Method)
saa loopback service Defines the enabled loopback functionality for a specified TLS
service (see Defining the Current Service Loopback Functionality)
saa loopback service Defines the enabled loopback functionality for a specified VLAN
(see Defining the Current VLAN Loopback Functionality)
Table 21: SAA Display Commands

Command Description
show saa test Displays the configuration of the SAA tests and the results of the
calculations at the end of the monitored intervals (see Displaying
the SAA Tests Results)
show saa profile Displays the configuration of the defined SAA profile (see
Displaying the SAA Threshold Profile)
show saa loopback Displays what loopback functionality is enabled and for what
services (see Displaying the SAA Loopback Service)
show saa loopback Displays what loopback functionality is enabled and for what VLAN
ID (see Displaying the SAA Loopback VLAN)
Page 134
Creating an SAA Profile

The saa profile command creates a monitoring SAA profile (up to 100 profiles) and enters the
SAA Profile mode. You can attach a profile to an SAA test.
Command Syntax
device-name(config)#saa profile <profile_id> [PROFILENAME]
device-name(config)#no saa profile <profile_id>
profile_id Defines the ID of the new profile to be configured, in the range of
<1–2147483647>.
PROFILENAME (Optional). Defines the name of the SAA profile.
no Removes the configured SAA profile
NOTE
You cannot remove a profile associated with a running test.
Example
device-name(config)#saa profile 1 StrictProfile
device-name(config-saa-profile-1)#
Configuring the Near Delay Thresholds

The delay-near-end command configures the measured one way delay threshold from the test-
head to the test loopback device.
Enable the 1588v2 Precision Time Protocol (PTP), for this test to detect a high resolution deviation
of 100 microseconds delay (for more information, refer to the Device Administration chapter of this
User Guide).
CLI Mode: SAA Profile Configuration
Command Syntax
device-name(config-saa-profile-Profile_ID)#delay-near-end <delay_threshold>
device-name(config-saa-profile-Profile_ID)#no delay-near-end
<delay_threshold>
Page 135
delay_threshold Defines the one way delay threshold, in the range of <1–60000000>
microseconds.
1 second
Example
device-name(config-saa-profile-1)#delay-near-end 10000
Configuring the Far Delay Thresholds

The delay-far-end command configures the measured one way delay threshold from the test
loopback to the test-head device.
Enable the 1588v2 Precision Time Protocol (PTP), for this test to detect a high resolution deviation
of 100 microseconds delay (for more information, refer to the Device Administration chapter of this
User Guide).
Command Syntax
device-name(config-saa-profile-Profile_ID)#delay-far-end <delay_threshold>
device-name(config-saa-profile-Profile_ID)#no delay-far-end <delay_threshold>
delay_threshold Defines the one way delay threshold, in the range of <1–60000000>
microseconds.
1 second
Example
device-name(config-saa-profile-1)#delay-near-end 15000
Page 136
Configuring the Near Jitter Thresholds

The jitter-near-end command configures the measured one way jitter threshold from the test-
head to the test loopback device.
Command Syntax
device-name(config-saa-profile-Profile_ID)#jitter-near-end <jitter_threshold>
device-name(config-saa-profile-Profile_ID)#no jitter-near-end
<jitter_threshold>
jitter_threshold Defines the one way jitter threshold, in the range of <1–60000000>
microseconds.
300 milliseconds
Example
device-name(config-saa-profile-1)#jitter-near-end 4500
Configuring the Far Jitter Thresholds

The jitter-far-end command configures the measured one way jitter threshold from the test
loopback to the test-head device.
Command Syntax
device-name(config-saa-profile-Profile_ID)#jitter-far-end <jitter_threshold>
device-name(config-saa-profile-Profile_ID)#no jitter-far-end
<jitter_threshold>
jitter_threshold Defines the one way jitter threshold, in the range of <1–60000000>
microseconds.
300 milliseconds
Example
device-name(config-saa-profile-1)#jitter-near-end 5000
Page 137
Configuring the Near Frame-Loss Ratio Thresholds

The frameloss-near-end command configures the measured one way frame loss ratio from the
test-head to the test loopback device.
Command Syntax
device-name(config-saa-profile-Profile_ID)#frameloss-near-end
<frame_loss_threshold>
device-name(config-saa-profile-Profile_ID)#no frameloss-near-end
frame_loss_threshold Defines the one way frame-loss ratio, in the range of <0–100000>
percents. The resolution is 0.001%.
8%
Example
device-name(config-saa-profile-1)#frameloss-near-end 100
Configuring the Far Frame-Loss Ratio Thresholds

The frameloss-far-end command configures the measured one way frame loss ratio from the
test loopback to the test-head device.
Command Syntax
device-name(config-saa-profile-Profile_ID)#frameloss-far-end
device-name(config-saa-profile-Profile_ID)#no frameloss-far-end
frame_loss_threshold Defines the one way frame-loss ratio, in the range of <0–100000>
percents. The resolution is 0.001%.
8%
Page 138
Defining the Maximum Number of Concurrent SAA Tests

The saa max-concurrent-requests command defines the maximum number of concurrent
active tests.
Command Syntax
device-name(config)#saa max-concurrent-requests <NUMBER>
device-name(config)#no saa max-concurrent-requests
NUMBER Defines the maximum concurrent active tests, in the range of <1–32>
10 concurrent active tests
Example
device-name(config)#saa max-concurrent-requests 5
Creating an SAA Test

The saa test command creates a new SAA test and enters the SAA Configuration mode.
NOTE
If you try to create an SAA test with a name already used by the throughput test,
an error message is displayed; see Example 2 below.
Command Syntax
device-name(config)#saa test TESTNAME [OWNERNAME]
device-name(config)#no saa test TESTNAME [OWNERNAME]
TESTNAME Defines the test name up to 32 characters.
OWNERNAME (Optional) defines the test-owner's name.
no Removes an existing test.
Page 139
Example 1
device-name(config-saa-T1)#
Example 2
device-name(config-saa-throughput)#exit
[%Error] A throughput test named T2 already exist
Configuring the SAA Service Test Type

The type y1731-ptp service command defines the type of the generated monitoring traffic for a
specified TLS service.
NOTE
Configure a TLS service prior to running this command.
Configure an MD, MA, and remote MEP prior to running this command.
Configure this command immediately after creating the test.
CLI Mode: SAA Test Configuration
Command Syntax
device-name(config-saa-TESTNAME)#type y1731-ptp service <1-4294967295>
oamdomain <LEVEL> HH:HH:HH:HH:HH:HH [clock-in-sync]
service <1-4294967295> The TLS service ID
oamdomain <LEVEL> The CFM domain level, in the range of <0–7>. When the
domain is already created, this argument is optional.
The levels are:
• Operator MA levels: 0–2
• Provider MA levels: 3–4
• Customer MA levels: 5–7
HH:HH:HH:HH:HH:HH The target MAC address.
clock-in-sync (Optional, only for PTP time synchronization with the peer)
synchronizes the internal clock of the device.
Example
device-name(config-saa-T1)#type y1731-ptp service 1 oamdomain 7
00:A0:12:11:22:33
Page 140
Configuring the SAA VLAN Test Type

The type y1731-ptp vlan command defines the type of the generated monitoring traffic for a
specified VLAN.
NOTE
Configure a VLAN prior to running this command.
Configure an MD, MA, and remote MEP prior to running this command.
Configure this command immediately after creating the test.
Command Syntax
device-name(config-saa-TESTNAME)#type y1731-ptp vlan <2-4094> uplink-port
{UU/SS/PP | ag0N} user-port {UU/SS/PP | ag0N} oamdomain <0-7>
HH:HH:HH:HH:HH:HH [clock-in-sync]
vlan <2-4094> The VLAN ID
uplink-port The core (uplink) port
UU/SS/PP The target interface on which VLAN is used
ag0N The link aggregation ID (ag01, ag04–ag07) on which VLAN is used.
The allowed ID is in the range of <1–7>
user-port The access (user) port
oamdomain <LEVEL> The CFM domain level, in the range of <0–7>. When the domain is
already created, this argument is optional.
The levels are:
• Operator MA levels: 0–2
• Provider MA levels: 3–4
• Customer MA levels: 5–7
HH:HH:HH:HH:HH:HH The target MAC address
clock-in-sync (Optional, only for PTP time synchronization with the peer)
synchronizes the internal clock of the device
Example
device-name(config-saa-T1)#type y1731-ptp vlan 10 uplink-port 1/1/1 user-port
1/2/2 oamdomain 6 00:A0:12:00:00:00
Page 141
Enabling/Disabling the Current SAA Test

The shutdown command disables the SAA test.
Tests that run for a single interval stop running at the end of the configured interval however you
can also stop tests by using this command.
Command Syntax
device-name(config-saa-TESTNAME)#shutdown
device-name(config-saa-TESTNAME)#no shutdown
no Enables the SAA test.
all tests are in a shutdown/disabled state
Example
device-name(config-saa-test)#no shutdown
Attaching a Threshold Profile and Enabling Alarms

The profile command specifies the threshold profile attached to the current SAA test and enables
the alarm feature.
After each interval, the calculated test results are compared to the profile thresholds, sending an
alarm when these thresholds are crossed.
Command Syntax
device-name(config-saa-TESTNAME)#profile <profile_id>
device-name(config-saa-TESTNAME)#no profile
profile_id Specifies an existing profile ID to attach to the current SAA test. The
values for the IDs are in the range of <1–2147483647>.
the calculations are done at the end of an interval and the results are
stored in the result history database
Example
device-name(config-saa-T1)#profile 1
Page 142
Configuring the Repeat Frequency

The frequency command defines the test's repeat frequency.
Command Syntax
device-name(config-saa-TESTNAME)#frequency <0-65535>
device-name(config-saa-TESTNAME)#no frequency
0-65535 Defines the test's repetition frequency, in seconds
0 seconds
Example
device-name(config-saa-T1)#frequency 20
Configuring Probe Statistics

The probe-statistics command defines the number of intervals for which the calculation results
are kept in the result history database.
Command Syntax
device-name(config-saa-TESTNAME)#probe-statistics <1-120>
device-name(config-saa-TESTNAME)#no probe-statistics
1-120 Defines the number of probes kept in the database
96. The last 24 hours results of a test running continuously with a default
interval of 15 minutes and a non-zero frequency are available
Exampl
device-name(config-saa-T1)#probe-statistics 10
Page 143
Configuring Probe Timeout

The timeout command defines the probe's timeout period for the packets to reply before
considering them lost.
Command Syntax
device-name(config-saa-TESTNAME)#timeout <1-60>
device-name(config-saa-TESTNAME)#no timeout
1-60 The timeout, in seconds.
3 seconds
Example
device-name(config-saa-T1)#timeout 5
Configuring the Test Sending Interval

The period command defines the time interval between the packets sent by the test.
If the interval is between 100 milliseconds and 1 second it is incremented with 100 milliseconds and
if it is above 1 second it is incremented with 1 second.
Command Syntax
device-name(config-saa-TESTNAME)#period <100-10000>
device-name(config-saa-TESTNAME)#no period
100-10000 Defines the time interval, in milliseconds, between the packets sent by the
test.
1 second
Example
device-name(config-saa-T1)#period 2000
Page 144
Configuring the Monitored Interval

The interval command defines the time interval for a test to collect data before calculating the
results. The results are calculated for each monitored interval and stored in the result-history
database.
Command Syntax
device-name(config-saa-TESTNAME)#interval <1-60>
device-name(config-saa-TESTNAME)#no interval
1-60 Defines the time interval, in minutes, for a test to collect data before
calculating the results.
15 minutes
Example
device-name(config-saa-T1)#monitored-interval 10
Configuring the Test Priority

The priority command defines the priority of the packets sent by the test.
NOTE
This is also the priority for which the service traffic is monitored.
Map the service traffic to this priority, by using the trust-priority command;
see Example 2. Use the trust-priority command, before configuring and
starting the SAA test (refer to the Configuring Quality of Service (QoS) chapter
of this User Guide).
Command Syntax
device-name(config-saa-TESTNAME)#priority <0-7>
device-name(config-saa-TESTNAME)#no priority
0-7 Defines the priority of the packets sent by the test.
6
Page 145
Example 1
device-name(config-saa-T1)#priority 3
Example 2
SAA measurements are performed for specific traffic class, provided by QoS configuration.
1. Assign a traffic class according to the customer VLAN priority on both SDP and SAP ports:
NOTE
Prior to assging the traffic, add port 1/1/1 as tagged and port 1/2/1 as
untagged to the same service VLAN. After, create the TLS service by attaching
these ports to SDP (port 1/1/1) and SAP (port 1/2/1). For an example, refer to
the SAA Configuration Example section.
device-name(config qos)#network-policy batm
device-name(config qos-net batm)#ingress
device-name(config qos-net-in batm)#trust-priority
device-name(config qos-net-in batm)#end
device-name(config-if 1/1/1)#qos-network-policy batm
device-name(config-if 1/2/1)#qos-network-policy batm
2. Start the SAA test after configuring its parameters:

device-name(config-saa-T1)#priority 3
device-name(config-saa-T1)#frequency 10
device-name(config-saa-T1)#timeout 5
device-name(config-saa-T1)#probe-statistics 10
device-name(config-saa-T1)#no shutdown
Configuring the Test's Metric Types

The supported-functions command defines the test's metrics type.
Command Syntax
device-name(config-saa-TESTNAME)#supported-functions {loss-measurements |
delay-measurements | both}
device-name(config-saa-TESTNAME)#no supported-functions
Page 146
loss-measurements Performs only loss measurements.
delay-measurements Performs only delay measurements.
both Performs loss measurements and delay measurements.
both loss and delay measurements are calculated
Example
device-name(config-saa-T1)#supported-functions loss-measurements
Configuring the Test Delay Calculation Method

The delay-calculation command configures the frame-loss ratio delay calculation method.
Command Syntax
device-name(config-saa-TESTNAME)#delay-calculation {average | p-percentile <1-
100>}
device-name(config-saa-TESTNAME)#no delay-calculation
average Performs a simple average of the delay, measured by all packets.
the delay calculation method uses a simple average of the delay, measured
by all packets
p-percentile Defines the OAM p-percentile method, in the range of <1–100>
<1-100>
50
Example
device-name(config-saa-T1)#delay-calculation p-percentile 85
Page 147
Configuring the Test Jitter Calculation Method

The jitter-calculation command configures the jitter threshold calculation method.
Command Syntax
device-name(config-saa-TESTNAME)#jitter-calculation {peak-to-peak | variance |
p-percentile <1-100>}
device-name(config-saa-TESTNAME)#no jitter-calculation
peak-to-peak Specifies the difference between the maximum and minimum frame delay
during the interval.
variance Specifies a simple variance of all packets' delays.
the jitter calculation method uses a simple variance of the delay, measured
by all packets
p-percentile Defines the OAM p-percentile method, in the range of <1–100>
<1-100>
50
Example
device-name(config-saa-T1)#jitter-calculation peak-to-peak
Defining the Current Service Loopback Functionality

The saa loopback service command defines the enabled loopback functionality for a specified
TLS service.
NOTE
Configure a TLS service prior to running this command.
Both delay and frame-loss measurements are enabled by default.
Command Syntax
device-name(config)#saa loopback service <1-4294967295> [frame-loss | delay-
measurement | both]
device-name(config)#no saa loopback service <1-4294967295> {frame-loss |
delay-measurement | both}
Page 148
service <1- The TLS service ID
4294967295>
frame-loss (Optional) the measured one way frame loss ratio from the test
loopback to the test-head device
delay-measurement (Optional) the measured one way delay threshold from the test
both (Optional) both types of thresholds: frame loss and delay thresholds
no Removes the specified loopback functionality from a service.
Example 1
device-name(config)#saa loopback service 1 both
Example 2
device-name(config)#saa loopback service 1
Both DM and LM loopback capabilities are enabled
Defining the Current VLAN Loopback Functionality

The saa loopback vlan command defines the enabled loopback functionality for a specified
VLAN.
NOTE
Configure a VLAN prior to running this command.
Both delay and frame-loss measurements are enabled by default.

Command Syntax
device-name(config)#saa loopback vlan <2-4094> uplink-port {UU/SS/PP | ag0N}
user-port {UU/SS/PP | ag0N} [frame-loss | delay-measurement | both]
device-name(config)#no saa loopback vlan <2-4094> {frame-loss | delay-
measurement | both}
vlan <2-4094> The VLAN ID
uplink-port The uplink port on which loopback is enabled
UU/SS/PP The target interface on which VLAN is used
ag0N The link aggregation ID (ag01, ag04–ag07) on which VLAN is used.
The allowed ID is in the range of <1–7>
user-port The user port on which loopback is enabled
Page 149
frame-loss (Optional) the measured one way frame loss ratio from the test
delay-measurement (Optional) the measured one way delay threshold from the test
both (Optional) both types of thresholds: frame loss and delay thresholds
no Removes the specified loopback functionality from a VLAN
Example
device-name(config)#saa loopback vlan 10 uplink-port 1/1/1 user-port 1/2/5
delay-measurement
Displaying the SAA Tests Results

The show saa test command displays the SAA tests' configuration and the calculations results at
the end of the monitored intervals.
Command Syntax
device-name#show saa test [TESTNAME [last-results <2-120>]]
TESTNAME (Optional) displays a specific test.
all configured tests are displayed
last-results <2-120> (Optional) specifies the number of results to display from the
test result history database.
Page 150
Example
device-name#show saa test T1
Test Name: T1
Test Owner: default
Test type: y1731-ptp
Administrative status: enabled
Remote Mep: 224, MAC: 00:A0:12:4B:06:C0
Profile Id: not set
Frequency of repetition: 1
Probe timeout: 3 seconds
Probe history count: 96
Clocks in sync NO
Supported functions: delay measurements & loss measurements
Delay Method: average
Jitter Method: variance
Interval Id : 115 Results gathered FRI JAN 01 02:31:46 1993
Timeouts: 0 Errors: 0 Sent Pkts: 120

Delay (NE): 19.97 us Delay (FE): 19.97 us
Jitter (NE): 0.18 us Jitter (FE): 0.18 us
FrameLoss (NE): 0.000 % FrameLoss (FE): 0.000 %
Sent Pkts (NE): 0 Sent Pkts (FE): 0
Rcvd Pkts (NE): 0 Rcvd Pkts (FE): 0
Displaying the SAA Threshold Profile

The show saa profile command displays a defined SAA profile's configuration.
Command Syntax
device-name#show saa profile [<1-2147483647>]
1-2147483647 (Optional) the profile ID.
Example
device-name#show saa profile 1
Profile Name: StrictProfile , index: 1
Delay (NE) 10000us Delay (FE) 15000us
Jitter (NE) 4500us Jitter (FE) 5000us
Frameloss (NE) 0.000% Frameloss (FE) 0.000%
Page 151
Displaying the SAA Loopback Service

The show saa loopback service command displays which loopback functionality is enabled and
for what services.
If you do not specify a service ID, the command displays the enabled loopback functionality for all
services. If you specify a service ID, the command displays the status for that service ID only.
Command Syntax
device-name#show saa loopback service [<1-4294967295>]
1-4294967295 (Optional) the TLS service ID
Example
device-name#show saa loopback service 1
Displaying the SAA Loopback VLAN

The show saa loopback vlan command displays which loopback functionality is enabled and for
what VLAN ID.
If you do not specify a VLAN ID, the command displays the enabled loopback functionality for all
VLANs. If you specify a VLAN ID, the command displays the status for that VLAN ID only.
Command Syntax
device-name#show saa loopback vlan [<2-4094>]
2-4094 (Optional) the VLAN ID
Example
device-name#show saa loopback vlan
Vlan 10:
Vlan 20:
Page 152
SAA Configuration Example

The following example shows how to configure the SAA tests on two devices.
Figure 19: Example for Configuring Two Devices in SAA Test Configuration Mode
2. Add 1/1/1 (SDP port) as tagged port and 1/2/1 (SAP port) as untagged port:
Device1(config-vlan vl10)#add ports 1/2/1 untagged
Device1(config-vlan vl10)#add ports default 1/2/1

Device1(config)#tls serv1 1
Device1(config-tls serv1)#sdp 1/1/1 s-vlan 10
Device1(config-tls serv1)#sap 1/2/1 c-vlans 100 untagged
Device1(config-tls serv1)#exit
Page 153

Device1(config)#cfm

association within the specified domain:
Device1(config-cfm-d4)#ma name ma4 service 1

Device1(config-cfm-d4-ma4)#mep 1 sap 1/2/1:100:
2. Add 1/1/2 (SDP port) as tagged port and 1/2/1 (SAP port) as untagged port:
Device2(config-vlan vl10)#add ports 1/2/1 untagged
Device2(config-vlan vl10)#add ports default 1/2/1

Device2(config)#tls serv1 1
Device2(config-tls serv1)#sdp 1/1/2 s-vlan 10
Device2(config-tls serv1)#sap 1/2/1 c-vlans 100 untagged
Device2(config-tls serv1)#exit

Device2(config)#cfm

association within the specified domain:
Device2(config-cfm-d4)#ma name ma4 service 1
Page 154

Device2(config-cfm-d4-ma4)#mep 2 sap 1/2/1:100:
Configuring SAA on Device1:

1. Create an SAA profile:
Device1(config)#saa profile 1 StrictProfile
2. Configure the Near and Far delay thresholds:

Device1(config-saa-profile-1)#delay-near-end 10000
Device1(config-saa-profile-1)#delay-far-end 15000
3. Configure the Near and Far jitter thresholds:

Device1(config-saa-profile-1)#jitter-near-end 4500
Device1(config-saa-profile-1)#jitter-far-end 5000
4. Configure the Near frame-loss ratio thresholds:

Device1(config-saa-profile-1)#frameloss-near-end 100
Device1(config-saa-profile-1)#frameloss-near-end 200
Device1(config-saa-profile-1)#exit
5. Create an SAA test:

Device1(config)#saa test T1
6. Configure the OAM for the SAA test:

Device1(config-saa-T1)#type y1731-ptp service 1 oamdomain 4
00:A0:12:11:22:33
7. Attach the specified threshold profile to the current SAA test:

Device1(config-saa-T1)#profile 1
8. Configure the test frequency:

Device1(config-saa-T1)#frequency 10
9. Configure the test timeout:

Device1(config-saa-T1)#timeout 5
10. Configure the probe statistics:

Device1(config-saa-T1)#probe-statistics 10
11. Configure the test sending interval:

Device1(config-saa-T1)#period 2000
12. Configure the monitored interval:

Device1(config-saa-T1)#interval 10
Page 155
13. Configure the test delay calculation method:

Device1(config-saa-T1)#delay-calculation p-percentile 85
14. Configure the test jitter calculation method:

Device1(config-saa-T1)#jitter-calculation peak-to-peak
Device1(config-saa-T1)#exit
15. Set the maximal number of concurrent SAA tests:

Device1(config)#saa max-concurrent-requests 5
16. Enable the SAA test:

Device1(config)#saa test T1
Device1(config-saa-T1)#no shutdown
Device1(config-saa-T1)#end
Configuring SAA on Device2:

1. Configure the SAA loopback:
Device2(config)#saa loopback service 1 both
Displaying the SAA Test Result and SAA Threshold Profile on

Device1:
1. Display the SAA test results:
Device1#show saa test T1
Test Name: T1
Test Owner: default
Test type: y1731-ptp
Administrative status: enabled
Remote Mep: 2, MAC: 00:A0:12:11:22:33
Profile Id: 1
Profile Name: StrictProfile
Frequency of repetition: 1
Probe timeout: 3 seconds
Probe history count: 50
Clocks in sync NO
SLA Profile Id: 1
Supported functions: delay measurements & loss measurements
Delay Method: p-percentile
Jitter Method: peak-to-peak
Interval Id 1, Results gathered FRI JAN 01 01:29:42 1993
Timeouts: 0 Errors: 0 Sent Pkts: 300

Sent Pkts (NE) 12345678 Sent Pkts (FE) 7654327
Rcvd Pkts (NE) 7654321 Rcvd Pkts (FE) 12345674
Page 156
2. Display the SAA threshold profile:

Device1#show saa profile 1
Profile Name: StrictProfile , index: 1
Page 157
ITU-T G.8031 Ethernet Protection Switching (EPS)
Overview
EPS is a method of protecting point-to-point Ethernet service connection over VLAN transport
networks, assuring traffic transport between the two service ends. This method is based on ITU-T
G.8031 standard.
This method defines two transport paths (entities), based on existing CFM-OAM MEPs:
• a primary (normally active) path: this is the path through which traffic is sent
• a backup (protection) path: this is the path EPS switches the traffic to, in case of a failure of
the primary path
Figure 20: Protecting Services Using EPS.
Once these paths are determined, EPS periodically sends CFM-OAM CCMs (see Discovery and
Connectivity) on both paths. The failure in receiving CCMs triggers a traffic switchover.
Switchover Options
EPS switches over the traffic from one path to another in the below cases:
1. When there is a signal failure (SF) in the active path
2. Upon a user request
3. A request from the remote device.
System administrators can lock the switchover, preventing traffic from switching over to the
backup path in any of the above cases.
In order to minimize unnecessary traffic, switchovers administrators can define a Hold off timer: This
timer postpones the switchover for a specified time. If the transport path does not recuperate by
the end of this time period, traffic is switched over.
Page 158
EPS Configuration Flow

Start
Create a TLS service

(refer to the Configuring Transparent
LAN Services (TLS) chapter)
CFM connectivity establishment

(refer to the CFM-OAM Configuration
Flow)
Enable EPS
Select the CFM Level
Select the Primary Link MEPs
Select the Backup Link MEPs
Enable the protection
End
Figure 21: EPF Configuration Flow
Page 159
EPS Configuration Commands

Table 22: EPS Commands
Command Description
eps Enables EPS for the TLS service and enters the EPS Configuration
mode.
cfm-config level Defines the CFM domain level used by EPS.
primary-link Defines the CFM pair of MEPs that monitor the primary path.
backup-link Defines the CFM pair of MEPs that monitor the backup path.
shutdown Activates/deactivates EPS for the current service.
hold-off-timer Defines the hold off timeout.
switchover Manually switches between the active and inactive transport paths.
lock Manually locks the active traffic path, preventing any switchover
from this path to the inactive path.
freeze Blocks all states change requests.
revertive Enables the revertive mode for the protection.
wait-restore-timer Defines the wait-to-restore timeout.
signal-degrade-test Configures the signal degrade test.
signal-degrade Controls whether the service should react to signal degrade events
from a test configured previously.
clear Clears the revertive mode, the forced and manual active traffic path,
the wait-to-restore timer and signal degrade state.
show tls eps Displays the status of the EPS service for all configured TLS
services.
Page 160
Enabling/Disabling EPS
The eps command enables EPS for the TLS service and enters the EPS Configuration mode.
The eps command is used in conjunction with SDP primary and SDP secondary (refer to the sdp
command of Configuring Transparent LAN Services chapter of this User Guide).
Command Syntax
device-name(config-tls SERVICE-NAME)#[no] eps
no Disables EPS.
disabled
Example
Enable EPS for the TLS service with serv name and service ID 2:
device-name(config-tls serv)#eps
device-name(config-eps-serv)#
Selecting the CFM Level

The cfm-config level command defines the CFM domain level used by EPS. For more
information about CFM levels, refer to the Creating and Accessing a Maintenance Domains.
CLI Mode: EPS Configuration
Command Syntax
device-name(config-eps-SERVICE-NAME)#cfm-config level <0-7>
device-name(config-eps-SERVICE-NAME)#no cfm-config level
0-7 Defines the CFM domain level
no CFM domain level is specified
Page 161
Selecting the Primary Path’s MEPs

The primary-link command defines the CFM pair of MEPs that monitor the primary path.
Command Syntax
device-name(config-eps-SERVICE-NAME)#primary-link local-mep <1-8191> remote-
mep <1-8191>
device-name(config-eps-SERVICE-NAME)#no primary-link local-mep
local-mep Specifies the service MEP ID of the local device
<1-8191>
remote-mep Specifies the discovered service MEP ID of the remote device
<1-8191>
no MEPs are specified
Selecting the Backup Link MEPs

The backup-link command defines the CFM pair of MEPs that monitor the backup path.
NOTE
If the CFM configuration uses in-MEPs or if it is defined over services, then
both the primary and backup links are monitored by the same pair of MEPs.
Command Syntax
device-name(config-eps-SERVICE-NAME)#backup-link local-mep <1-8191> remote-mep
<1-8191>
device-name(config-eps-SERVICE-NAME)#no backup-link local-mep
local-mep Specifies the service MEP ID of the local device
<1-8191>
remote-mep Specifies the discovered service MEP ID of the remote device
<1-8191>
no MEPs are specified
Page 162
Activating EPS
The shutdown command activates/deactivates EPS for the current service.
Command Syntax
device-name(config-eps-SERVICE-NAME)#[no] shutdown
no Activates EPS for the service
Defining the Hold Off Timer

The hold-off-timer command defines the hold off timeout. This timer postpones the switchover
for a specified time. If the transport path does not recuperate by the end of this time period, traffic
is switched over.
Command Syntax
device-name(config-eps-SERVICE-NAME)#hold-off-timer <0-10000>
device-name(config-eps-SERVICE-NAME)#no hold-off-timer
0-10000 The hold-off timeout, in the range of <0–10000> ms, with 100 ms
increments
0 seconds
Manual Traffic Switchover

The switchover command manually switches between the active and inactive transport paths.

By default, switchovers are allowed.
Command Syntax
device-name(config-eps-SERVICE-NAME)#switchover
Page 163
Locking the Active Path

The lock command manually locks the active traffic path, preventing any switchover from this
path to the inactive path. The command is reverted by the clear command.
Command Syntax
device-name(config-eps-SERVICE-NAME)#lock
Blocking the Service Protection

The freeze command blocks all states change requests. The device enters the freeze state that
means no commands are accepted. This state can be cleared with clear command. Until the freeze
state is cleared, all local and remote EPS commands are ignored. After the freeze state is cleared, the
state of the services is recomputed.
Command Syntax
device-name(config-eps-SERVICE-NAME)#[no] freeze
no Unblocks the states change requests
Enabling/Disabling Revertive Protection

The revertive command enables the revertive mode for the protection. In case of a signal failure
when the primary transport is repaired, the traffic is automatically moved to the primary transport
after the wait-to-restore timer expired.
Command Syntax
device-name(config-eps-SERVICE-NAME)#[no] revertive
no Disables the revertive mode
Page 164
Defining Wait-to-Restore Timer

The wait-restore-timer command defines the wait-to-restore timeout. If the revertive mode is
disabled, this timer is also disabled.
Command Syntax
device-name(config-eps-SERVICE-NAME)#wait-restore-timer <value>
device-name(config-eps-SERVICE-NAME)#no wait-restore-timer
value The wait-to-restore timer in the range of <5–12>, or value 0, in minutes.
0 means revert immediately.
5 minutes
Example
device-name(config-eps-serv)#wait-restore-timer 7
Configuring Signal Degrade Test

The signal-degrade-test command configures the signal degrade test for EPS.
Command Syntax
device-name(config-eps-SERVICE-NAME)#signal-degrade-test cfm PROCNAME
PROCNAME The existing CFM monitoring process name
Example
device-name(config-eps-serv)#signal-degrade-test cfm PerfTest
Page 165
Enabling/Disabling Signal Degrade Events

The signal-degrade command controls whether the service should react to signal degrade events
from a test configured previously with the signal-degrade-test command.
Command Syntax
device-name(config-eps-SERVICE-NAME)#[no] signal-degrade
no Disables signal degrade events
Clearing Local Commands

The clear command clears the revertive mode, the forced and manual active traffic paths, the wait-
to-restore timer and signal degrade state.
Command Syntax
device-name(config-eps-SERVICE-NAME)#clear
Displaying the EPS Service Status

The show tls eps command displays the status of the EPS service for all configured TLS services.
Command Syntax
device-name#show tls eps [SERVICE-NAME]
SERVICE-NAME (Optional) displays the specified service name EPS status
Page 166
EPS Configuration Example

The below example details the steps to configure EPS on two back-to-back connected devices:
1. Configure VLAN v2 with VLAN ID 2:
device1#configure terminal
device1(config)#vlan
device1(config vlan)#create v2 2
device1(config vlan)#config v2
2. Assign port 1/1/2 (SDP port) as tagged to VLAN v2:

device1(config-vlan v2)#add port 1/1/2 tagged
3. Assign port 1/1/1 (SAP port) as untagged to VLAN v2:

device1(config-vlan v2)#add port 1/1/1 untagged
device1(config-vlan v2)#exit



device1(config-vlan v3)#end
7. Create a TLS service named serv with service ID 2:

device1(config)#tls serv 2
8. Configure the primary SDP for the TLS service on port 1/1/2 with S-VLAN ID 2:
device1(config-tls serv)#sdp 1/1/2 s-vlan 2 primary
9. Configure the secondary SDP for the TLS service on port 1/1/3 with S-VLAN ID 3:
device1(config-tls serv)#sdp 1/1/3 s-vlan 3 secondary
10. Configure SAP 1/1/1 with C-VLAN ID 5:

device1(config-tls serv)#sap 1/1/1 c-vlans 5
device1(config-tls serv)#exit

device1(config)#cfm
Page 167

device1(config)#cfm enable
13. Create maintenance domain a1 with domain level 1:

device1(config-cfm)#domain name a1 level 1
14. Create maintenance association ma1 for service ID 2:

device1(config-cfm-a1)#ma name ma1 service 2
15. Create MEP ID 1 on SAP 1/1/1 with C-VLAN ID 5:

device1(config-cfm-a1-ma1)#mep 1 sap 1/1/1:5:
device1(config-cfm-a1-ma1)#end
16. Enable EPS for the TLS service:

device1(config)#tls serv
device1(config-tls serv)#eps
17. Select CFM level 1 for the EPS service:

device1(config-eps-serv)#cfm-config level 1
18. Select local MEP ID 1 and remote MEP ID 2 for monitoring the primary link:
device1(config-eps-serv)#primary-link local-mep 1 remote-mep 2
19. Select local MEP ID 1 and remote MEP ID 2 for monitoring the secondary link:
device1(config-eps-serv)#backup-link local-mep 1 remote-mep 2
20. Activate EPS:

device1(config-eps-serv)#no shutdown
device1(config-eps-serv)#end
device2(config)#vlan


device2(config-vlan v2)#exit

Page 168
5. Assign port 1/1/3 (SDP port) as tagged to VLAN v3

6. Assign port 1/1/1 (SAP port) as untagged to this VLAN:

device2(config-vlan v3)#end
7. Create a TLS service names serv with service ID 2:

device2(config)#tls serv 2
8. Configure the primary SDP for the TLS service on port 1/1/2 with S-VLAN ID 2:
device2(config-tls serv)#sdp 1/1/2 s-vlan 2 primary
9. Configure the secondary SDP for the TLS service on port 1/1/3 with S-VLAN ID 3:
device2(config-tls serv)#sdp 1/1/3 s-vlan 3 secondary
10. Configure SAP 1/1/1 with C-VLAN 5:

device2(config-tls serv)#sap 1/1/1 c-vlans 5
device2(config-tls serv)#exit

device2(config)#cfm

device2(config)#cfm enable

device2(config-cfm)#domain name a1 level 1
14. Create the maintenance association ma1 for service ID 2:

device2(config-cfm-a1)#ma name ma1 service 2
15. Create MEP ID 2 on SAP 1/1/1 with C-VLAN 5:

device2(config-cfm-a1-ma1)#mep 2 sap 1/1/1:5:
device2(config-cfm-a1-ma1)#end
16. Enable EPS:

17. Select CFM level 1 for the EPS service:

device2(config-eps-serv)#cfm-config level 1
18. Select local MEP ID 2 and remote MEP ID 1 for monitoring the primary link:
device2(config-eps-serv)#primary-link local-mep 2 remote-mep 1
Page 169
19. Select local MEP ID 2 and remote MEP ID 1 for monitoring the secondary link:
device2(config-eps-serv)#backup-link local-mep 2 remote-mep 1
20. Activate EPS:

device2(config-eps-serv)#no shutdown
device2(config-eps-serv)#end
Configuring Signal Degrade on Device 1:

1. Enable EPS for the TLS service:
2. Configure the signal degrade test:

device1(config-eps-serv)#signal-degrade-test cfm TestEPS
device1(config-eps-serv)#signal-degrade
device1(config-eps-serv)#exit
device1(config-tls-serv)#exit
3. Create a CFM profile:

device1(config)#cfm
device1(config-cfm)#profile ProfileEPS
device1(config-cfm-profile-ProfileEPS)#latency-error 1500
device1(config-cfm-profile-ProfileEPS)#frame-loss-error 5
device1(config-cfm-profile-ProfileEPS)#exit
4. Define the monitoring process:

device1(config-cfm)#process TestEPS domain d1 ma ma1 repeat minutes 0
seconds 1 profile ProfileEPS
Page 170
Displaying the EPS Configuration on Device 1:

device1#show tls eps
Eps configuration for service 2
Protection: Enabled
Operational Status: Up
Defects present: None
CFM Level: 1
Primary link - Local Mep: 1, Remote Mep: 2 - Status: Up
Backup link - Local Mep: 1, Remote Mep: 2 - Status: Up
Hold off timer (ms): 0
Wait to restore timer (minutes): 5
SD events: Enabled, Test Ready: No
SD test name: TestEPS, SD test type: CFM
APS data LOCAL REMOTE
Active state: NoRequest NoRequest

Active transport: Primary Primary
APS channel requested: Up Up
APS connection type: Bidirectional Bidirectional
Protection Type: 1:1 1:1
Revertive mode: Disabled Disabled
Page 171
Event Propagation
The event propagation feature allows users to configure automatic actions executed upon the
occurrence of specific events.
The feature acts upon receiving events from the events provider. It matches the received events
with pre-configured pairs of event-action and then forwards the matched action to the related
action performer.
To configure this feature, the users have to define profiles grouping the event-action pairs. The
users can apply these profiles to various targets, such as SAPs or physical ports.
By enabling event propagation, the T-Marc 300 Series devices can:
• detect a remote link failure or a local port’s down status
• disconnect a link to a peer device
• restore the link to the peer device in case the event is reversed
To avoid flapping events, users can configure two timers per profile:
• Event timer: the interval from the time the event starts before the event propagation disconnects
a link.
• Revertive timer: the interval from the time the event is reversed before reversing the Event
Propagation action.
This feature is based on TLS and the CFM-OAM functionality. Therefore, it can function only on
devices where these features are enabled.
Page 172
Event Propagation Configuration Flow
Start
Create a TLS service

(refer to the Configuring Transparent
LAN Services (TLS) chapter)
CFM Configuration (refer to the

CFM-OAM Configuration Flow)
Define the event propagation profile
Configure the required and revertive

actions for the created profile
Attach the profile to a SAP or port
Stop
Figure 22: Event Propagation Configuration Flow
Page 173
Event Propagation Configuration Commands

Table 23: Event Propagation Commands
Command Description
event-propagation Creating an event propagation profile (see Creating an Event

profile Propagation Profile)
source rem-mep event Allocates a profile to receive events from a remote MEP (see
Configuring Remote Fault Detection and Propagation)
source local-port Allocates a profile to receive events from a local port (see
event Configuring Local Alarm Propagation)
event-propagation Applies an existing profile to a SAP or local port (see Applying a
profile Profile to a SAP or a Port)
show event- Displays the configured profile parameters(see Displaying the
propagation profile Configured Event Propagation Profiles)
show event- Displays the attached targets and running parameters per profile
propagation session (see Displaying the Running Sessions)
Creating an Event Propagation Profile

The event-propagation profile command creates an event propagation profile and enters the
Event Propagation Profile Configuration mode.
Command Syntax
device-name(config)#[no] event-propagation profile <id>
id The unique profile identifier, in the range of <1–10>.
there is no defined profile
no Removes an existing profile
Examples
• Create an event propagation profile:

device-name(config)#event-propagation profile 1
device-name(config-ep-profile 1)#
• Remove an event propagation profile:

device-name(config)#no event-propagation profile 1
Page 174
Configuring Remote Fault Detection and Propagation

The source rem-mep event command allocates an existing profile to receive events from a
specified remote MEP.
CLI Mode: Event Propagation Profile Configuration
Command Syntax
device-name(config-ep-profile ID)#source rem-mep <mep_id> event {con-lost |
status-down | recv-rdi} action link-drop [reverse link-restore]
rem-mep <id> The MEP ID the profile is allocated to, in the range of <1–8191>.
event {con-lost | The expected event type:
status-down | recv-
• connectivity loss: the connectivity is lost
rdi}
• port status down: the port is in down state
• received RDI: the RDI (Remote Defect Identification) bit is
received
action link-drop The action executed upon the event occurrence
reverse link-restore (Optional) reverses the action when the event is reversed
Examples
• Configure profile 1 to act upon a connectivity loss on remote MEP 200. This profile drops
the link to the remote peer and restores the link when the event reverts:
device-name(config-ep-profile 1)#source rem-mep 200 event con-lost action
link-drop reverse link-restore
• Configure profile 2 to act upon a down status event on remote MEP 200 and drop the link to
the remote peer without reversing this action:
device-name(config-ep-profile 2)#source rem-mep 200 event status-down
action link-drop
Page 175
Configuring Local Alarm Propagation

The source local-port event command allocates an existing profile to receive events from a
local port.
CLI Mode: Event Propagation Profile Configuration
Command Syntax
device-name(config-ep-profile ID)#source local-port UU/SS/PP event status-down
action link-drop [reverse link-restore]
local-port The local port the profile is allocated to
UU/SS/PP
event status-down A port down status event
action link-drop The profile drops the link upon this event
reverse link- (Optional) reverses the action when the event is reversed
restore
Example
Configure profile 2 to act when port 1/1/1 is down and restore the link when the event is
reversed:
device-name(config-ep-profile 1)#source local-port 1/1/1 event staus-down
action link-drop reverse link-restore
Applying a Profile to a SAP or a Port

The event-propagation profile command applies an existing profile to a SAP or local port.
When applying the profile to a:

• SAP, you have to first allocate it to a remote MEP
• port, you have to first allocate it to a port
CLI Mode: SAP Service Configuration, Interface Configuration, and Range Interface
Configuration
Command Syntax
device-name(config-tls-sap UU/SS/PP:CVLAN-ID:)#[no] event-propagation profile
<id>
device-name(config-if UU/SS/PP)#[no] event-propagation profile <id>
device-name(config-if-group)#[no] event-propagation profile <id>
Page 176
profile <id> The existing profile ID applied to the SAP or port
no Removes the applied profile
Example
• Apply profile 1 to SAP:

device-name(config-tls-sap 1/2/2:3:)#event-propagation profile 1
• Apply profile 2 to port 1/2/1:

device-name(config-if 1/2/1)#event-propagation profile 2
Displaying the Configured Event Propagation Profiles

The show event-propagation profile command displays the configured parameters for all
profiles or for a specified one.
Command Syntax
device-name#show event-propagation profile [<id>]
profile <id> (Optional) displays the configuration for the specified profile.
Examples
• Display information for all configured profiles:

device-name#show event-propagation profile
===============================================================================
|profile |source type |source id |event |action |reverse action|
+--------+--------------+------------+------------+------------+--------------+
| 1|rem-mep | 1|con-lost |link-drop |link-restore |
| 2|local-port | 1/1/1|status-down |link-drop |link-restore |
| 3|rem-mep | 2|recv-rdi |link-drop |link-restore |
===============================================================================
• Display information for the specified profile:

device-name#show event-propagation profile 1
===============================================================================
|profile |source type |source id |event |action |reverse action|
+--------+--------------+------------+------------+------------+--------------+
===============================================================================
Page 177
• If no profiles are defined or the specified profile does not exist, the command generates No
entry error message:

No entry
Displaying the Running Sessions

The show event-propagation session command displays the source each profile is allocated to
and its running parameters.
Command Syntax
device-name#show event-propagation session [profile <id>]
profile <id> (Optional) displays the configuration for the specified profile
Examples
• Display information for all existing sessions:

device-name#show event-propagation session
profile 1
source type: rem-mep
source id : 200
event : con-lost
action : link-drop
reverse : link-restore
targets:
=============================================================
|Type |ID |State |Actions |Revertives|
+--------+----------------+-----------+----------+----------+
|SAP |1/1/1:untagged: |default | 0| 0|
=============================================================
profile 2
source type: local-port
source id : 1/1/1
event : status-down
action : link-drop
targets:
==============================================================
|Type |ID |State | Actions |Revertives|
+--------+----------------+-----------+-----------+----------+
|Port |1/1/2 |link-drop | 2| 1|
==============================================================
Page 178
profile 3
source id : 2
event : recv-rdi
action : link-drop
targets:
=============================================================
|Type |ID |State |Actions |Revertives|
+--------+----------------+-----------+----------+----------+
|SAP |1/1/1:untagged: |default | 0| 0|
=============================================================
• Display information for the specified profile session:

device-name#show event-propagation session profile 2
profile 2
source id : 1/1/1
event : status-down
action : link-drop
targets:
==============================================================
|Type |ID |State | Actions |Revertives|
+--------+----------------+-----------+-----------+----------+
|Port |1/1/2 |link-drop | 2| 1|
==============================================================
• If no profiles are defined or the specified profile does not exist, the command generates No
entry error message:

No entry
Page 179
Event Propagation Configuration Example
TLS Configuration:
1. Create a TLS service named serv with service ID 2:
2. Attach to the TLS service the SAP port 1/2/1 with C-VLAN ID 2::
device-name(config-tls serv)#exit
CFM Configuration:
device-name(config)#cfm
2. Enable CFM (if it is not enabled):


device-name(config-cfm)#domain name a6 level 6
4. Create maintenance association ma6 for service ID 2:

device-name(config-cfm-a6)#ma name ma6 service 2
5. Creates MEP 200 on SAP port 1/2/1 with C-VLAN 2::

device-name(config-cfm-a6-ma6)#mep 200 sap 1/2/1:2:
device-name(config-cfm-a6-ma6)#end
Page 180
Event Propagation Configuration:

1. Define event propagation profile 1:
2. Define profile 1 to receive events from local port 1/1/1:

device-name(config-ep-profile 1)#source local-port 1/1/1 event status-down
action link-drop reverse link-restore
device-name(config-ep-profile 1)#exit
3. Define event propagation profile 2:

4. Define profile 2 to receive events from remote MEP 200:

device-name(config-ep-profile 2)#source rem-mep 200 event con-lost action
link-drop reverse link-restore
device-name(config-ep-profile 2)#exit
5. Attach profile 1 to port 1/1/1:

device-name(config-if 1/1/1)#event-propagation profile 1
6. Attach profile 2 to SAP port 1/2/1:

device-name(config)#tls serv
device-name(config-tls-sap 1/2/1:2:)#event-propagation profile 2
7. Display information for all configured profiles:

=========================================================================
|profile|source type|source id|event |action |reverse action|
+-------+-----------+---------+-----------+--------------+--------------+
| 1|local-port | 1/1/1|status-down|link-drop |link-restore |
=========================================================================
Page 181
8. Display information for all existing sessions:

Profile 1
source id : 1/1/1
event : status-down
action : link-drop
Sessions:
================================================================
|Target |ID |State |Actions |Revertives|
+--------+----------------+--------------+----------+----------+
|Port |1/1/1 |none | 0| 0|
================================================================
Profile 2
source id : 200
event : con-lost
action : link-drop
Sessions:
================================================================
|Target |ID |State |Actions |Revertives|
+--------+----------------+--------------+----------+----------+
|SAP |1/2/1:2: |none | 0| 0|
================================================================
Page 182
Ethernet Local Management Interface (E-LMI,

MEF 16)
E-LMI, an OAM protocol, enables the CE to auto-configure its support of Metro Ethernet
services.
E-LMI notifies the CE on the Ethernet Virtual Connection’s (EVC) operating state and the time
when an EVC is added or deleted. E-LMI also communicates the attributes of the EVC and the
User-Network Interface (UNI) to the CE.
The UNI is physically implemented over a bi-directional Ethernet link that provides data, control
and management plane capabilities.
The UNI functionality is split between:
• UNI-C: is acting as Customer Edge device and is executed on a non-service device
• UNI-N: is acting as a Provider Edge device and is the underlying physical port of a configured
SAP belonging to a service.
UNI-C and UNI-N exchange information about EVC configuration and EVC status (service) and
thus, the UNI-C may auto-configure itself according to the reported EVC status from the UNI-N.
E-LMI protocol defines two types of messages:
• status: is sent by the UNI-N to the UNI-C in response to a status enquiry message. It indicates
the status of EVCs or for the exchange of sequence numbers.
• status enquiry: is sent by the UNI-C to request status or to verify sequence numbers. The UNI-C
must send a status message in response to a status enquiry message.
Page 183
E-LMI Configuration Flow

Start
Enable E-LMI globally
Select the E-LMI mode
Enable E-LMI per port
Configure the polling timers
Configure the polling counters
Stop
Figure 23: E-LMI Configuration Flow
Page 184
E-LMI Configuration Commands

Table 24: E-LMI Commands
Command Description
e-lmi Enables or disables the E-LMI protocol on the device

(see Enabling/Disabling E-LMI)
Enables or disables E-LMI protocol on a specified port
(see Enabling/Disabling E-LMI per Port)
e-lmi mode Defines the E-LMI mode (see Defining the E-LMI Mode)
e-lmi polling-timer Configures the E-LMI polling timer
(see Configuring the E-LMI Polling Timer)
e-lmi polling- Configures the E-LMI polling-verification timer
verification-timer (see Configuring the E-LMI Polling Verification Timer)
e-lmi polling-counter Configures the E-LMI polling counter
(see Configuring the E-LMI Polling Counters)
e-lmi status-counter Configures the E-LMI status counter
(see Configuring the E-LMI Status Counters)
show e-lmi Displays the E-LMI status information for a specific port
(see Displaying the E-LMI Status)
show e-lmi vlan-map Displays the CE-VLAN ID/EVC map for a specific port
(see Displaying the E-LMI VLAN)
show e-lmi statistics Displays the E-LMI statistics for a specific port
(see Displaying the E-LMI Statistics)
clear e-lmi statistics Clears the E-LMI statistics for a specific port
(see Clearing the E-LMI Port Statistics)
e-lmi clear statistics
Page 185
Enabling/Disabling E-LMI on the Device

The e-lmi command enables or disables E-LMI protocol globally.
Command Syntax
device-name(cfg protocol)#e-lmi {enable | disable}
enable Enables E-LMI
disable Disables E-LMI
disabled
Enabling/Disabling E-LMI per Port

The e-lmi command enables or disables E-LMI protocol on a specified port.
Command Syntax
device-name(config if UU/SS/PP)#e-lmi {enable | disable}
enable Enables E-LMI on the specified port
disable Disables E-LMI on the specified port
disabled per port
Defining the E-LMI Mode

The e-lmi mode command defines the E-LMI mode.
NOTE
Disable E-LMI on the port prior to changing its mode.
Changing the E-LMI mode restarts the E-LMI protocol per port and clears all
statistics and information per port.
Page 186
Command Syntax
device-name(config if UU/SS/PP)#e-lmi mode {uni-c | uni-n}
uni-c Customer mode. UNI-C statically retrieves the needed configuration
information from the UNI-N.
uni-n Network mode
uni-n
Example
device-name(config if 1/1/1)#e-lmi mode uni-c
[%Error] Disable E-lmi on this port before changing E-lmi mode
device-name(config-if 1/1/1)#e-lmi disable
device-name(config-if 1/1/1)#e-lmi mode uni-c
Configuring the E-LMI Polling Timer

The e-lmi polling-timer command configures the E-LMI polling timer.
Polling timer controls the interval at which status enquiry messages are transmitted. These messages
are sent by the UNI-C to request status or to verify sequence numbers.
NOTE
Valid only for customer mode, otherwise this command returns an error.
Command Syntax
device-name(config if UU/SS/PP)#e-lmi polling-timer <5-30>
device-name(config if UU/SS/PP)#no e-lmi polling-timer
5-30 The polling timer value, in seconds
10 seconds
Example
device-name(config-if 1/1/1)#e-lmi polling-timer 7
[%Error] This command is valid only for customer mode
Page 187
Configuring the E-LMI Polling Verification Timer

The e-lmi polling-verification-timer command configures the E-LMI polling verification
timer.
Polling verification timer controls the interval during which information sent to the UNI-C, in a
status message, is considered valid.
NOTE
Valid only for network mode, otherwise the command returns an error.
The polling verification timer has to be grater than polling timer.
Command Syntax
device-name(config if UU/SS/PP)#e-lmi polling-verification-timer {<5-30> |
disable}
device-name(config if UU/SS/PP)#no e-lmi polling-verification-timer
5-30 The polling verification timer value, in seconds
15 seconds
disable Disables the polling verification timer
Configuring the E-LMI Polling Counters

The e-lmi polling-counter command configures the E-LMI polling counter.
Polling counter controls the number of polling cycles between Full Status (status of UNI and all
EVCs) exchanges.
NOTE
Valid only for customer mode, otherwise the command returns an error.
Command Syntax
device-name(config if UU/SS/PP)#[no] e-lmi polling-counter <1-65000>
1-65000 The polling counter value
360
Page 188
Configuring the E-LMI Status Counters

The e-lmi status-counter command configures the E-LMI status counter.
Status counter controls the number of consecutive errors that occurs before E-LMI is declared not
operational.
Command Syntax
device-name(config if UU/SS/PP)#[no] e-lmi status-counter <2-10>
2-10 The status counter value
4
Displaying the E-LMI Status

The show e-lmi command displays the E-LMI status information for a specific port or for all
ports.
Command Syntax
device-name#show e-lmi {UU/SS/PP | all}
device-name(config-if UU/SS/PP)#show e-lmi
UU/SS/PP The port for which the E-LMI status information is displayed
all Displays the E-LMI status information for all ports
Page 189
Example
device-name#show e-lmi 1/1/1
E-LMI administrative status : Disabled

E-LMI administrative status : Enabled
E-LMI mode : UNI-N
E-LMI operational status : Up
Polling verification timer : 15
Status counter : 5
device-name(config-if 1/2/1)#show e-lmi
E-LMI mode : UNI-C
Polling timer : 10
Polling counter : 200
Status counter : 5
Displaying the E-LMI VLAN

The show e-lmi vlan-map command displays the CE-VLAN ID/EVC map for a specific port
or for all ports.
The maximum number of bytes needed to carry CE-VLAN ID/EVC map information depends
on the number of CE-VLAN IDs mapped to an EVC.
CE-VLAN ID/EVC map contains the configured SAPs and the services (EVCs) they belong to,
along with the configured CE-VLAN IDs (inner VLAN tags) that classify the incoming customer
traffic as belonging to the EVC.
Command Syntax
device-name#show e-lmi {UU/SS/PP | all} vlan-map
device-name(config-if UU/SS/PP)#show e-lmi vlan-map
UU/SS/PP The port for which the CE-VLAN ID/EVC map information is displayed
all Displays the CE-VLAN ID/EVC map for all ports
Page 190
Example
device-name#show e-lmi 1/1/2 vlan-map
E-LMI mode : UNI-N
Last full-status report : HH:MM DD/MM/YYYY
EVC Id: 123

State: Active
CE-VLANs: 100, 200, 201
EVC Id: 200

State: Partially Active
CE-VLANs: 10, 11, 12
EVC Id: 300

State: Inactive
CE-VLANs: 300
Displaying the E-LMI Statistics

The show e-lmi vlan-map command displays the E-LMI statistics for a specific port or for all
ports.
Command Syntax
device-name#show e-lmi {UU/SS/PP | all} statistics
device-name(config-if UU/SS/PP)#show e-lmi statistics
UU/SS/PP The port for which the E-LMI statistics information are displayed
all Displays the E-LMI statistics for all ports
Page 191
Example
device-name#show e-lmi 1/1/1 statistics
E-LMI administrative status : Disabled
device-name(config if 1/2/1)#show e-lmi statistics

E-LMI mode : UNI-N
Last full-status report : HH:MM DD/MM/YYYY
Reliability errors
Status Timeouts : 20
Messages with Invalid Sequence Number : 1023
Protocol errors
Invalid Protocol Version : 0
Invalid EVC Reference Id : 0
Invalid Message Type : 0
Out of Sequence IE : 1
Duplicated IE : 0
Mandatory IE Missing : 0
Invalid Mandatory IE : 2
Invalid non-Mandatory IE : 0
Unrecognized IE : 0
Unexpected IE : 1
Short Message : 0
Clearing the E-LMI Port Statistics

The commands below clear the E-LMI statistics for a specific port or for all ports:
• clear e-lmi statistics command

• e-lmi clear statistics command
Command Syntax
device-name#clear e-lmi {UU/SS/PP | all} statistics
device-name(config-if UU/SS/PP)#e-lmi clear statistics
UU/SS/PP The port for which the E-LMI statistics information are cleared
all Clears the E-LMI statistics for all ports
Page 192
E-LMI Configuration Example

1. Enable E-LMI globally:
device-name(cfg protocol)#e-lmi enable
2. Enable E-LMI on port 1/1/1:

device-name(config-if 1/1/1)#e-lmi enable
3. Configure the E-LMI polling verification timer:

device-name(config-if 1/1/1)#e-lmi polling-verification-timer 10
4. Configure the E-LMI status counter:

device-name(config-if 1/1/1)#e-lmi status-counter 3
5. Change the mode to customer:

device-name(config-if 1/1/2)#e-lmi mode uni-c
6. Enable E-LMI on port 1/1/2:

device-name(config-if 1/1/2)#e-lmi enable
7. Configure the E-LMI polling timer:

device-name(config-if 1/1/2)#e-lmi polling-timer 7
8. Configure the E-LMI polling counter:

device-name(config-if 1/1/2)#e-lmi polling-counter 50
9. Configure the E-LMI status counter:

device-name(config-if 1/1/2)#e-lmi status-counter 5
10. Display the E-LMI status information:

E-LMI mode : UNI-N
E-LMI operational status : UP
Polling verification timer : 10
Status counter : 3
E-LMI mode : UNI-C
Polling timer : 7
Polling counter : 50
Status counter : 5
Page 193
11. Display the E-LMI VLAN information:

E-LMI mode : UNI-N
E-LMI operational status : DOWN
Last full-status report : N/A

E-LMI mode : UNI-C
E-LMI operational status : DOWN
12. Display the E-LMI statistics information for port 1/1/1:

device-name#show e-lmi 1/1/1 statistics
E-LMI mode : UNI-N
Reliability errors
Status Timeouts : 3
Messages with Invalid Sequence Number : 0
Protocol errors
Invalid Protocol Version : 0
Invalid EVC Reference Id : 0
Invalid Message Type : 0
Out of Sequence IE : 0
Duplicated IE : 0
Mandatory IE Missing : 0
Invalid Mandatory IE : 0
Invalid non-Mandatory IE : 0
Unrecognized IE : 0
Unexpected IE : 0
Short Message : 0
Page 194
Diagnosing Connectivity Problems

In cases where you are supplied with the correct IP address, but there is no network connectivity,
the Packet Internet Groper (PING) and Trace Route tools allow you to explore the Internet and
the connectivity problems.
Ping
PING is a tool that helps you to verify the Internet connectivity at the IP level. The ping
command sends an Internet Control Message Protocol (ICMP) echo request to the IP address or
selected hostname.
Trace Route
The Trace route tool works by sending by sending ICMP echo packets with varying IP Time-to-
Live (TTL) values to the destination. On the screen, each device that is crossed between the source
computer and the destination IP address is displayed
For more details, refer to the Troubleshooting and Monitoring chapter of this User Guide.
Page 195
Supported Platforms
Intermediate 802.3ah EFM-OAM + +

Intermediate 802.1ag CFM + +
SAA Throughput Test + +
Service Assurance Application (SAA) + +
ITU-T G.8031 Ethernet Protection Switching (EPS) + +
Event Propagation + +
E-LMI + +
Diagnostic Connectivity Problems + +
Page 196

Intermediate 802.3ah IEEE Std 802.3ah- Public MIB: No RFCs are supported
EFM-OAM 2004 dot3_oam.mib by this feature
Private MIB:
prvt_switch_efm_oa
m.mib
Intermediate 802.1ag • IEEE 802.1ag- Public MIB, RFC 2544,
CFM 2007 ieee8021_cfm.mib Benchmarking
(Connectivity Methodology for
Private MIB,
Fault Network Interconnect
prvt_cfm.mib
Management) Devices
• ITU-T Y.1731
SAA Throughput Test No Standards are No MIBs are RFC2544,
supported by this supported by this Benchmarking
feature feature. Methodology for
Network Interconnect
Devices
SAA • SOAM (Service Public MIB, ping.mib RFC 2925 allows
OAM) based on functionality for creating
Private MIB,
the IEEE of ping and traceroute
saa.mib
802.1ag-2007 tests that can be carried
(draft 8.1) out periodically on the
remote host.
• ITU-T
Recommendation
Y.1731
ITU-T G.8031 EPS ITU-T G.8031 Private MIB, No RFCs are supported
standard prvt_eps.mib by this feature
Event Propagation IEEE 802.1ag-2007 Private MIB, No RFCs are supported
(Connectivity Fault prvt_status_propag by this feature
Management) ation.mib
E-LMI No Standards are Private MIB, No RFCs are supported
supported by this prvt_elmi.mib by this feature
feature
Diagnosing No standards are No MIBs are RFC 791, Internet
Connectivity supported by this supported by this Protocol DARPA
Problems feature feature. Internet Program
Protocol Specifications
Page 197
Configuring Link Layer Discovery Protocol (LLDP)
Table of Figures ······················································································ 2
Overview ······························································································· 3
LLDP Data Unit (LLDPDU)···································································· 3
TLV Format······················································································· 3
LLDP Default Configuration ······································································ 5
LLDP Configuration Flow ········································································· 6
LLDP Configuration Commands ································································· 7

Configuring the LLDP ··········································································· 8
Configuring the Port Reinitialization ··························································· 8
Specifying the Transmit Delay Interval ························································· 9
Specifying the Transmit Hold Interval·························································· 9
Specifying the Transmit Interval ································································ 9
Specifying the LLDP Port Behavior ···························································10
Advertising the Management Address ·························································10
Advertising the Port Description·······························································11
Advertising the System Capabilities Information ·············································11
Advertising the System Description ···························································12
Advertising the System Name ··································································12
Displaying Global LLDP Settings······························································12
Displaying LLDP Statistics ·····································································13
Displaying the Local System Data ·····························································13
Displaying the Remote System Data ···························································13
Configuration Example ············································································14
Page 1
Configuring Link Layer Discovery Protocol (LLDP) (Rev. 02)
Table of Figures
Figure 1: LLDPDU Frame Structure ··························································· 4
Figure 2: LLDP Configuration Flow···························································· 6
Figure 3: Example for Configuring LLDP ····················································14
Page 2
Overview
The Link Layer Discovery Protocol (LLDP) is a discovery Layer 2 protocol used by network
devices for advertising their identity, capabilities, interconnections, and store information about the
network. LLDP is a “one hop” protocol; the LLDP information can only be sent to and received
by devices that are directly connected to each other (neighbors) by the same link. It allows a device
to learn higher layer management reachability and connection endpoint information from adjacent
devices.
LLDP Data Unit (LLDPDU)

The LLDP frame contains a Link Layer Discovery Protocol Data Unit (LLDPDU) which is a set of
type-length-value (TLV) structures. The LLDPDU is enclosed into an Ethernet frame in which
the destination MAC address is set to multicast address 01:80:c2:00:00:0e and the Ethernet type is
set to 0x88cc.
The device sends LLDP frames on each of its ports at a fixed frequency. It also sends LLDPDUs
when the local configuration changes to inform the neighboring devices. In any of the two cases, an
interval exists between two successive operations of sending LLDPDUs. This prevents the network
from being overwhelmed by LLDPDUs. The receiving of LLDP packets is implemented by
capturing the packet in hardware, using the L2 destination ACL and forwarding it to the CPU.
LLDP information received from neighbor LLDP-enabled devices is accessible including via
Simple Network Management Protocol (SNMP) through objects defined in a standard IEEE
LLDP Management Information Base (MIB). Received LLDP information is valid for a period of
time defined by the value of the LLDP Time to Live (TLV) that is contained within the received
packet.
The information about a neighboring device maintained locally ages out when the corresponding
TTL expires. Only valid LLDP information is stored in the network devices.
TLV Format
In an LLDPDU, the chassis ID, port ID, and TTL TLV are the first three TLVs. The optional
TLVs are placed after the TTL TLV. The end of LLDPDU TLV is placed last. There is no
restriction regarding the length of LLDPDUs. The restriction comes from the transport layer, for
example in 802.3 MAC environments the maximum size of the PDU is 1500 bytes.
The figure below provides the LLDPDU structure and the mandatory LLDPDU TLV structure
details:
Page 3
Figure 1: LLDPDU Frame Structure
The mandatory TLVs contained in a LLDPDU are:

• Chassis ID TLV—The MAC address associated with the local system
• PortID TLV—Identifies the port from which the LLDPDU is transmitted
• TTL TLV—Indicates how long (in seconds) the LAN device's information received in the
LLDPDU is to be treated as valid information
• End of LLDPDU TLV—Indicates the end of TLVs of the LLDPDU frame
The optional TLVs defined as part of LLDP are grouped into the following three sets:
• Basic Management TLV Set—Port description, System name, System description, System
capabilities, Management address
• IEEE 802.1 Organizationally Specific TLV Set— currently not supported
IEEE 802.3 Organizationally Specific TLV Set— currently not supported
Page 4
LLDP Default Configuration

Table 1: LLDP Default Configuration
Command Description
LLDP Disabled
LLDP reinitialize-delay 2 seconds
LLDP transmit-delay 2 seconds
LLDP transmit-hold 4 seconds
LLDP transmit-interval 30 seconds
LLDP basic management-address no-advertise
LLDP basic port-description no-advertise
LLDP basic system-capabilities no-advertise
LLDP basic system-description no-advertise
LLDP basic system-name no-advertise
Page 5
LLDP Configuration Flow

Start
Enable LLDP
Set the LLDP Timers (reinitialize-delay, transmit-delay,

transmit-hold, transmit-interval)
Optional LLDP Port Commands
Display LLDP Configuration
End
Figure 2: LLDP Configuration Flow
Page 6
LLDP Configuration Commands

Table 2: LLDP Global Configuration Commands
Command Description
lldp Configures the LLDP (see Configuring the LLDP)

lldp reinit-delay Specifies the minimum time an LLDP port waits before reinitializing
LLDP transmission (see Configuring the Port Reinitialization)
lldp transmit-delay Specifies the delay between successive LLDP frame transmissions
initiated by value/status changes in the LLDP local systems MIB
(see Specifying the Transmit Delay Interval)
lldp transmit-hold Specifies the amount of time the receiving device should hold the
LLDP remote information before being marked as old and deleted
(see Specifying the Transmit Hold Interval)
lldp transmit- Specifies the amount of time (in seconds) the device waits before
interval sending LLDP packets (see Specifying the Transmit Interval)
Table 3: Optional Basic Information Commands

Command Description
lldp Enables LLDP transmit, receive, or transmit and receive mode on

the specified port, or group of ports (see Specifying the LLDP Port
Behavior)
lldp basic Configures an LLDP-enabled port to advertise the management
management-address address for this device (see Advertising the Management Address)
lldp basic port- Configures an LLDP-enabled port to advertise its port description
description (see Advertising the Port Description)
lldp basic system- Configures an LLDP-enabled port to advertise its system capabilities
capabilities (see Advertising the System Capabilities Information)
lldp basic system- Configures an LLDP-enabled port to advertise the system
description description (see Advertising the System Description)
lldp basic system- Configures an LLDP-enabled port to advertise the system name
name (see Advertising the System Name)
Page 7
Table 4: LLDP Display Commands

Command Description
show lldp Displays LLDP configuration settings (see Displaying Global LLDP)
configuration
show lldp Displays statistical counters for all LLDP-enabled ports (see
statistics Displaying LLDP Statistics)
show lldp local- Displays LLDP global and port-specific configuration settings for this
system-data device (see Displaying the Local System Data)
show lldp remote- Displays LLDP global and port-specific configuration settings for
system-data remote devices attached to an LLDP-enabled port (see Displaying
the Remote System Data)
Configuring the LLDP

The lldp command configures the LLDP.
NOTE
If you do not enable first LLDP, the LLDP commands and their outputs are not
valid.
Command Syntax
device-name(config)#lldp {enable | disable}
enable Enables the LLDP.
disable Disables the LLDP.
Configuring the Port Reinitialization

The lldp reinit-delay command specifies the minimum time an LLDP port waits before
reinitializing LLDP transmission.
Command Syntax
device-name(config)#lldp reinit-delay <1-10>
1-10 The time interval, in seconds. The default value is 2 seconds.
Page 8
Specifying the Transmit Delay Interval

The lldp transmit-delay command specifies the delay between successive LLDP frame
transmissions initiated by value/status changes in the LLDP local systems MIB.
NOTE
Transmit-delay can be set only to values smaller than (0.25 * transmit-interval).
Command Syntax
device-name(config)#lldp transmit-delay <1-8192>
1-8192 The transmit delay interval, in seconds. The default value is 2 seconds.
Specifying the Transmit Hold Interval

The lldp transmit-hold command specifies the amount of time the receiving device should hold
a LLDP remote information before being marked as old and deleted. The device information on
the neighboring devices ages out and it discarded when its corresponding TTL expires.
NOTE
The TTL value is to multiply the TTL transmit hold value by the LLDP packets
transmitting interval.
Command Syntax
device-name(config)#lldp transmit-hold <2-10>
2-10 The transmit hold interval, in seconds. The default value is 4 seconds.
Specifying the Transmit Interval

The lldp transmit-interval command specifies the interval (in seconds) the device waits before
sending LLDP packets.
Page 9
NOTE
Transmit-interval can be set only to values bigger than (4 * transmit-delay).
The values of transmit-interval and transmit-delay are mutually dependent on each
other:
transmit-interval is from 5 to 32768 (5 can be set when
transmit-delay is set to its minimum value of 1)
transmit-delay is from 1 to 8192 (8192 can be set when transmit-
interval is set to its maximum value of 32768)
Command Syntax
device-name(config)#lldp transmit-interval <5-32768>
5-32768 The transmit interval, in seconds. The default value is 30 seconds.
Specifying the LLDP Port Behavior

The lldp command enables LLDP transmit, receive, or transmit and receive mode on the specified
port, or a group of ports.
Command Syntax
device-name(config-if UU/SS/PP)#lldp {tx-only | rx-only | tx-rx | disabled |
basic}
device-name(config-if-group)#lldp {tx-only | rx-only | tx-rx | disabled |
basic}
basic Basic management set TLVs.
disabled The port neither receives nor transmits LLDP packets.
rx-only The port only receives LLDP packets.
tx-only The port only transmits LLDP packets.
tx-rx The port both transmits and receives LLDP packets.
The tx-rx option is used by default.
Advertising the Management Address

The lldp basic management-address command configures an LLDP-enabled port to advertise
the management address for this device.
Page 10
Command Syntax
device-name(config-if UU/SS/PP)#lldp basic management-address {advertise | no-
advertise}
device-name(config-if-group)#lldp basic management-address {advertise | no-
advertise}
advertise The management address is advertised by LLDP.
no-advertise The management address is not advertised by LLDP.
The no-advertise option is used by default.
Advertising the Port Description

The lldp basic port-description command configures an LLDP-enabled port to advertise its
port description.
Command Syntax
device-name(config-if UU/SS/PP)#lldp basic port-description {advertise |
no-advertise}
device-name(config-if-group)#lldp basic port-description {advertise |
no-advertise}
advertise The description of the configured port is advertised by LLDP.
no-advertise The description of the configured port is not advertised by LLDP.
Advertising the System Capabilities Information

The lldp basic system-capabilities command configures an LLDP-enabled port to
advertise its system capabilities.
Command Syntax
device-name(config-if UU/SS/PP)#lldp basic system-capabilities {advertise |
no-advertise}
device-name(config-if-group)#lldp basic system-capabilities {advertise | no-
advertise}
advertise The system capabilities information is advertised by LLDP.
Page 11
no-advertise The system capabilities information is not advertised by LLDP.

Advertising the System Description

The lldp basic system-description command configures an LLDP-enabled port to advertise
the system description.
Command Syntax
device-name(config-if UU/SS/PP)#lldp basic system-description {advertise | no-
advertise}
device-name(config-if-group)#lldp basic system-description {advertise | no-
advertise}
advertise The system description is advertised by LLDP.
no-advertise The system description is not advertised by LLDP.
Advertising the System Name

The lldp basic system-name command configures an LLDP-enabled port to advertise the
system name.
Command Syntax
device-name(config-if UU/SS/PP)#lldp basic system-name {advertise |
no-advertise}
device-name(config-if-group)#lldp basic system-name {advertise | no-advertise}
advertise The system name is advertised by LLDP.
no-advertise The system name is not advertised by LLDP.
Displaying Global LLDP Settings

The show lldp configuration command displays LLDP configuration settings.
CLI Modes: Privileged (Enable) and Interface Configuration
Page 12
Command Syntax
device-name#show lldp configuration
device-name(config-if UU/SS/PP)#show lldp configuration
Displaying LLDP Statistics

The show lldp statistics command displays statistical counters for all LLDP-enabled ports.
CLI Mode: Privileged (Enable) and Interface Configuration
Command Syntax
device-name#show lldp statistics
device-name(config-if UU/SS/PP)#show lldp statistics
Displaying the Local System Data

The show lldp local-system-data command displays LLDP global and port-specific
configuration settings for this device.
Command Syntax
device-name#show lldp local-system-data
device-name(config-if UU/SS/PP)#show lldp local-system-data
Displaying the Remote System Data

The show lldp remote-system-data command displays LLDP global and port-specific
configuration settings for remote devices attached to an LLDP-enabled port.
Command Syntax
device-name#show lldp remote-system-data
device-name(config-if UU/SS/PP)#show lldp remote-system-data
Page 13
The following example shows how to configure LLDP on two devices.
Figure 3: Example for Configuring LLDP
Device1 Configuration:
1. Enable the LLDP engine on the device:
Device1(config)#lldp enable
2. Specify the time interval at which it is checked if the port is enabled again so that the port can
be reinitialized:
Device1(config)#lldp reinit-delay 4
3. Specify the minimum interval at which notifications of changes in LLDP-monitored

parameters (variables) are sent:
Device1(config)#lldp transmit-delay 4
4. Specify the transmit-hold parameter:

Device1(config)#lldp transmit-hold 5
5. Specify the interval at which information about the LLDP-monitored parameters is divulged
(made public) by the device:
Device1(config)#lldp transmit-interval 500
Page 14
6. Specify the LLDP behavior on port 1/1/1:

Device1(config-if 1/1/1)#lldp tx-only
7. Specify that LLDP advertises the management address:

Device1(config-if 1/1/1)#lldp basic management-address advertise
Device2 Configuration:
1. Enable the LLDP engine on the device:
Device2(config)#lldp enable
2. Specify the time interval at which it is checked if the port is enabled again so that the port can
be reinitialized:
Device2(config)#lldp reinit-delay 4
3. Specify the minimum interval at which notifications of changes in LLDP-monitored

parameters (variables) are sent:
Device2(config)#lldp transmit-delay 4
4. Specify the transmit-hold parameter:

Device2(config)#lldp transmit-hold 5
5. Specify the interval at which information about the LLDP-monitored parameters is divulged
(made public) by the device:
Device2(config)#lldp transmit-interval 500

Device2(config-if 1/2/1)#lldp rx-only
7. Specify if LLDP advertises the management address:

Device2(config-if 1/2/1)#lldp basic management-address advertise
Page 15
Display information about all LLDP-configurable parameters:

Device1(config-if 1/1/1)#show lldp configuration
lldp tx-only
lldp snmp-notification disable
lldp basic management-address advertise
lldp basic port-description no-advertise
lldp basic system-name no-advertise
lldp basic system-description no-advertise
lldp basic system-capabilities no-advertise

Device2(config-if 1/2/1)#show lldp configuration
lldp rx-only
lldp snmp-notification disable
lldp basic management-address advertise
lldp basic port-description no-advertise
lldp basic system-name no-advertise
lldp basic system-description no-advertise
lldp basic system-capabilities no-advertise
Display information about the local device that is sent as LLDPDUs

to remote devices:
Device1(config-if 1/1/1)#show lldp local-system-data
LLDP Local System Data on port 1/1/1
======================================================================
Port ID subtype : MacAddress
Port ID : 00:a0:12:4b:06:c3
Port Description : Interface 1/1/1

Device2(config-if 1/2/1)#show lldp local-system-data
LLDP Local System Data on port 1/2/1
======================================================================
Port ID subtype : MacAddress
Port ID : 00:a0:12:23:06:03
Port Description : Interface 1/2/1
Page 16
Supported Platforms
Link Layer Discovery Protocol (LLDP) + +

Link Layer IEEE 802.1AB Public MIB, 802.1AB No RFCs are

Discovery Protocol Section 12 (LLDP supported by this
(LLDP) MIB Definitions) feature.
Page 17
Configuring Device Authentication Features
Table of Contents
Table of Figures ······················································································ 3
Features Included in This Chapter ······························································· 4
User Privilege-Levels on the Local Database ··················································· 5

Users and Privilege-Level Configuration Flow················································· 6
Users and Privilege-Level Configuration Commands ········································· 6
Creating a Username and Defining Its Privilege Level in the Local Database········· 7
Defining the Authentication Method······················································ 8
Displaying the User’s Privilege Level ······················································ 9
Remote Authentication Dial in User Service (RADIUS) ····································10

The RADIUS Negotiation Procedure ·························································10
The RADIUS Configuration Flow ·····························································11
Defining User Privileges on the RADIUS Server·············································12
RADIUS Configuration Commands···························································13
Selecting a RADIUS Server ·······························································13
Defining the Shared Secret Key···························································14
Defining the Number of RADIUS Request Retransmissions··························14
Defining the RADIUS Server Timeout ··················································15
Defining the RADIUS-Server Dead Time ···············································15
Terminal Access Controller Access-Control System Plus (TACACS+) ···················19

The TACACS+ Negotiation Procedure ·······················································19
Comparing TACACS+ and RADIUS ·························································20
TACACS+ Configuration Flow ································································21
Defining User Privileges on the TACACS+ Server ··········································22
TACACS+ Configuration Commands ························································23
Selecting a TACACS+ Server ·····························································23
Page 1
Configuring Device Authentication Features (Rev. 07)
Defining the TACACS+ Shared Encryption Key ·······································24

Defining the TACACS+ Timeout ························································24
Secure Shell Server (SSH)··········································································28

SSH Vs. Telnet···················································································28
Security Considerations ·········································································29
Supported Clients················································································29
The SSH Server Configuration Flow ··························································30
SSH Configuration Commands ································································30
Generating the Initial DSA Public-Parameters ··········································31
Initializing the SSH Server·································································31
Stopping the SSH Server···································································31
Secure File Transfer Protocol (SFTP) Client···················································34

The SFTP Client Configuration Commands ··················································34
Downloading a File to the Device ························································35
Uploading a File to the SFTP Server ·····················································37
Listing Files in the SFTP-Server Directory ··············································38
Renaming a File on the SFTP Server ·····················································39
Deleting a File from the SFTP Server ····················································39
Page 2
Table of Figures
Figure 1: User Privilege Levels Configuration Flow··········································· 6
Figure 4: A RADIUS Communication Example ·············································10
Figure 5: RADIUS Configuration Flow ·······················································11
Figure 6: RADIUS Configuration Example ···················································16
Figure 7: TACACS+ Configuration Flow ·····················································21
Figure 2: Security Alert Message Issued by the SSH Client ··································29
Figure 3: SSH Configuration Flow ···························································30
Page 3
Features Included in This Chapter

This chapter provides information on the variety of security features incorporated in the T-Marc
300 Series software to protect it from unauthorized access.
This chapter includes the following features:
• User Privilege-Levels
You can control users’ access to the device and the functions they can perform by
maintaining a local list of authorized users, assigning them to appropriate privilege levels.
• Remote Authentication Dial in User Service (RADIUS)
RADIUS is an authentication, authorization, and accounting protocol for securing
networks against unauthorized access.
• Terminal Access Controller Access-Control System Plus (TACACS+)
TACACS+ is a security protocol for remote authentication, authorization, and accounting
that communicates between network devices and an authentication database.
• Secure Shell Server (SSH)
SSH is a protocol used for securely managing a remote device over an insecure network.
The protocol secures the management sessions using standard cryptographic mechanisms
and ensures data protection as well as password-theft prevention.
• Secure File Transfer Protocol (SFTP) Client
SFTP is a secured file-transfer protocol, provided as a part of SSH. This protocol
encrypts both the commands and the data transferred, providing a secure and
authenticated method for copying router configuration or router image files.
Page 4
User Privilege-Levels on the Local Database

The T-Marc 300 Series CLI is protected by several privilege-levels, preventing unauthorized access
to the different CLI modes.
The local database includes 16 privilege levels, in the range of <0-15>, where users assigned to level
0 have unrestricted privileges over the CLI (highest privilege) and users assigned to level 15 are the
most restricted users (lowest privilege).
Each CLI command is associated to a privilege level. Only users with privilege levels equal or
higher than this privilege level can execute the command.
You can configure any one of the below supported features for authenticating users accessing the
device:
• Local database
• RADIUS
• TACACS+
Table 1: Local Users’ Privilege-Levels

Privilege Description
Administrators (level 0) Full read/write privileges (with no restrictions) for Layer 2 and
Layer 3.
Network-Admins (level 4) Read/write privileges for Layer 2 and Layer 3, without access
to security (usernames and passwords), debug commands,
and other administrative settings (such as license
management, software upgrade, device reload, and script FS).
Technicians (level 8) Read/write privileges for Layer 2 and read-only privileges for
Layer 3.
Users (level 12) Read-only privileges for Layer 2 and Layer 3. Users with this
privilege level have access to all the show commands and
general commands (such as exit, quit, ping, and traceroute
commands).
Guests (level 15) Read-only privileges in View mode. Users in this level cannot
access the Privileged (Enabled) mode.
Page 5
Users and Privilege-Level Configuration Flow
Start
Create a local username and password, and assign it to a

privilege group
Specify the default login authentication method
Display the privilege level assigned to the current user
End
Figure 1: User Privilege Levels Configuration Flow
Users and Privilege-Level Configuration Commands

Table 2: User Privilege Commands
Command Description
username Creates a new username and assigns it to a privilege group (see

Creating a Username and Defining Its Privilege Level)
aaa authentication Defines the default login-authentication method (see Defining the
login default Authentication Method)
show privilege Displays the privilege level assigned to the current user (see
Displaying the User’s Privilege Level)
Page 6
Creating a Username and Defining Its Privilege Level in the Local

Database
The username command creates a new username and password in the local database, and assigns
the username to a privilege group.
Command Syntax
device-name(config)#username NAME password PASSWORD CONFIRM-PASSWORD [group
{administrators | net-admins | technicians | users | guests}]
device-name(config)#no username NAME
NAME The new username, a case-sensitive string of up to 32 characters that
can consist of any character except for blank spaces and question
marks.
password Specifies a password
PASSWORD The password, a case-sensitive string of up to 64 characters that can
consist of any character except for blank spaces
group (Optional) defines the user’s privilege group
administrators Assigns the user to Administrators
net-admins Assigns the user to Network-Admins
technicians Assigns the user to Technicians
users Assigns the user to Users
guests Assigns the user to Guests
no Removes the specified username and its associated password from the
local authentication database.
Page 7
Defining the Authentication Method

The aaa authentication login default command defines the device login-authentication
method. You can define both a primary and secondary authentication method. In case the device is
not able to connect the primary method, it attempts to authenticate the username with the
secondary method.
Command Syntax
device-name(config)#aaa authentication login default [tacacs+ radius | radius
tacacs+ | tacacs+ local | radius local | local radius | local tacac+]
device-name(config)#no aaa authentication login default
tacacs+ radius (Optional) configures TACACS+ as primary and RADIUS as secondary
methods.
radius tacacs+ (Optional) configures RADIUS as primary and TACACS+ as secondary
methods.
tacacs+ local (Optional) configures TACACS+ as primary and local authentication as
secondary methods.
radius local (Optional) configures RADIUS as primary and local authentication as
secondary methods.
local radius (Optional) configures local and RADIUS authentication as primary and
secondary login authentication methods respectively
local tacacs+ (Optional) configures local and TACACS+ authentication as primary and
secondary login authentication methods respectively.
no Disables the username authentication; users need to type the device
password only (refer to the password command in the Device Setup
and Maintenance chapter of the user guide).
Example
Create a user, assign a privilege level to this user and define an authentication method:
device-name(config)#username admin password admin admin group technicians
device-name(config)#aaa authentication login default local local
Page 8
Displaying the User’s Privilege Level

The show privilege command displays the privilege level assigned to the current logged-in user.
Command Syntax
device-name>show privilege
device-name#show privilege
Example
device-name#show privilege
Current user privilege is Technician.
Page 9
Remote Authentication Dial in User Service

(RADIUS)
RADIUS is a client-server protocol for controlling remote users’ access to the device. The protocol
provides the following services, also known as the AAA services:
• Authentication: determining who a user (or entity) is.
• Authorization: determining what a user is allowed to do.
• Accounting: keeping track of each user’s network activity.
The RADIUS client (typically a Network Access Server, NAS), exchanges UDPs with the RADIUS
server (usually a UNIX or Windows NT daemon process) to authenticate user-connection requests.
The NAS sends user-connection requests to the designated RADIUS servers. The RADIUS server
responds by returning configuration information necessary for the NAS to provide access to the
user. All user passwords exchanged between the NAS and the RADIUS server are encrypted using
the RSA MD5 algorithm.
The NAS and the RADIUS server use a shared secret-key to authenticate transactions between
them. This secret is never sent over the network.
The RADIUS Negotiation Procedure

The below figure demonstrates a typical RADIUS negotiation procedure. In this example:
1. The user sends a Telnet request to connect to a T-Marc 300 Series device (the NAS).
2. The device sends an Access Request packet to the RADIUS server. The Access Request packet
includes the username, encrypted password, NAS IP address, and port. The request also
provides information about the type of session the user wants to initiate.
Figure 2: A RADIUS Communication Example
3. The RADIUS server first validates the NAS (based on the shared secret-key). Then it validates
the user request against a local database, matching the user’s password (and in some cases,
other parameters, such as the port number). The RADIUS server then responds with:
an accept reply, if the user information is validated
a reject reply if the user is not found in the database or its information is not matched.
The reject reply might include the rejection reason.
Based on this reply, the NAS accepts or rejects the user’s request.
Page 10
The accept reply includes a list of attributes that should be used in the session. An important
parameter is the authenticated user’s privilege level.
The RADIUS Configuration Flow
Start
Define user privileges on the RADIUS server
Select the RADIUS server(s)
Define the shared secret key
Configure users in the local database in case

RADIUS is not responding
(see Configuring User Privilege Levels)
Define RADIUS as the primary authentication

method
Configure the RADIUS timers
End
Figure 3: RADIUS Configuration Flow
Page 11
Defining User Privileges on the RADIUS Server

Follow the below steps on the RADIUS server to ensure correct user privilegs. The example refers
only to a FreeRADIUS server authentication.
1. Complete the RADIUS configuration (as described in the FreeRADIUS README file) on
the RADIUS server.
2. Copy an additional dictionary.batm file (with the below information) to the folder containing
the RADIUS configuration files.
# BATM vendor specific dictionary
# Copyright (C) 2003 BATM
#
# BATM Attributes
#
# example freeradius user entry:
#
# test Auth-Type := Local, User-Password == "test"
# Reply-Message = "Welcome, %u",
# BATM-privilege-group = Network-admins
#
VENDOR BATM 738
ATTRIBUTE BATM-privilege-group 1 integer BATM
VALUE BATM-privilege-group Administrators 0

VALUE BATM-privilege-group Network-admins 4
VALUE BATM-privilege-group Technicians 8
VALUE BATM-privilege-group Users 12
VALUE BATM-privilege-group Guests 15
3. Assign a privilege level to all other users; in the users configuraiton file, as shown in the below
example:
admin Auth-Type = Local, Password = "admin_password123"
BATM-privilege-group = Administrators
4. Add the following line to the dictionary file (in the RADIUS-configuration folder):
$INCLUDE dictionary.batm
5. Add the subnetwork address from which NAS is connected to the clients.conf:
client 10.2.200.200/16 {
secret = batm
shortname = n10
}
Page 12
RADIUS Configuration Commands

Table 3: RADIUS Configuration Commands
Command Description
radius-server host Selects the RADIUS server(s) (see Selecting a RADIUS Server).
radius-server key Defines the shared secret key between the device and the
RADIUS server (see Defining the Shared Secret Key).
Table 4: RADIUS Timers Configuration Commands

Command Description
radius-server Sets the number of times the device transmits each RADIUS
retransmit request (see Defining the Number of RADIUS Request
Retransmissions).
radius-server timeout Sets the time interval an access server waits for the RADIUS
server to reply before retransmitting (see Defining the RADIUS
Server Timeout).
radius-server Sets the number of minutes the access server marks a RADIUS
deadtime server as unavailable (see Defining the RADIUS-Server Dead
Time).
Selecting a RADIUS Server

The radius-server host command selects the RADIUS server(s) used for authenticating users
on the device.
You can select up to five RADIUS servers (repeat the command for each server). When you select
more than one RADIUS server, the device attempts to connect these servers in the same order you
inserted them into the CLI.
Command Syntax
device-name(config)#radius-server host A.B.C.D [<port–number>]
device-name(config)#no radius-server host A.B.C.D
A.B.C.D The RADIUS server IP-address
port–number (Optional) the UDP-authentication port number, in the range of <1024–65535>
1812
no Removes the specified RADIUS server from the database
Page 13
Defining the Shared Secret Key

The radius-server key command defines the shared secret key used between the device and the
RADIUS server.
Command Syntax
device-name(config)#radius-server key STRING
device-name(config)#no radius-server key
STRING The shared secret
no Removes the secret key
Defining the Number of RADIUS Request Retransmissions

The radius-server retransmit command defines the number of times the device sends an
authentication request to the RADIUS server, in case the server does not respond.
Command Syntax
device-name(config)#radius-server retransmit <count>
device-name(config)#no radius-server retransmit
count The number of retransmissions, in the range of <1–30>
3 retransmissions
Page 14
Defining the RADIUS Server Timeout

The radius-server timeout command defines the number of seconds the device waits for the
RADIUS server reply before retransmitting.
Command Syntax
device-name(config)#radius-server timeout <seconds>
device-name(config)#no radius-server timeout
seconds The timeout in the range of <1–60> seconds
3 seconds
Defining the RADIUS-Server Dead Time

The radius-server deadtime command defines the number of minutes the device waits for a
reply before presuming that the RADIUS server is dead and skips to the next RADIUS server.
NOTE
A RADIUS server is presumed dead, if the timeout is reached in three authentication
sessions (requests) and RADIUS is defined as the primary authentication method.
In this case the device attempts authentication based on the secondary method.
Command Syntax
device-name(config)#radius-server deadtime <minutes>
device-name(config)#no radius-server timeout
minutes The dead-time interval, in the range of <0–1440> minutes
no Sets the dead-time to zero (non-responding servers are not declared dead)
Page 15
RADIUS Server Configuration:
1. Install and configure the RADIUS server.
Figure 4: RADIUS Configuration Example
2. Add the following lines to the clients.conf file on the RADIUS server:
client 10.2.200.200/16 {
secret = batm
shortname = n10
}
3. Edit the RADIUS server’s users file. Add users:

user Auth-Type := Local, password := "user123"
Reply-Message = "user is in"
BATM-privilege-group = Users
tech Auth-Type := Local, password := “tech”
Reply-Message := “tech is in”
BATM-privilege-group := Technicians
admin Auth-Type := Local, password := “admin”
Reply-Message := “admin is in”
BATM-privilege-group := Administrators
richy auth-type = reject
reply-message = “Pay the bill first!”
T-Marc 300 Series Configuration:

1. Select the RADIUS server and define the shared secret key (defined in the clients.conf file, as
shown above):
device-name(config)#radius-server host 10.2.42.137
device-name(config)#radius-server key batm
Page 16
2. Create local user localuser and password mypass:

device-name(config)#username localuser password mypass mypass
NOTE
The local authentication database is used if the configured RADIUS server
does not respond.
3. Define RADIUS as the primary authentication method and local authentication as the
secondary method:
device-name(config)#aaa authentication login default radius local
4. Configure the RADIUS timers:

device-name(config)#radius-server retransmit 3
device-name(config)#radius-server timeout 10
device-name(config)#radius-server deadtime 3
5. Display the RADIUS configuration:

! Current Configuration:
!
! T-Marc 340
!
ip address 10.2.4.208
interface sw0
radius-server host 10.2.42.137

radius-server key batm
radius-server timeout 10
radius-server deadtime 3
username localuser password
ea71c25a7a602246b4c39824b855678894a96f43bb9b71319c39
700a1e045222
aaa authentication login default radius local
...
Page 17
Configuration Results:
1. When accessing the device using username richy, the RADIUS server sends a REJECT reply:
Username: richy
Pay the bill first!
Password:
Username:
2. When accessing the device using username user and password looser, the RADIUS server sends
an ACCEPT reply, authenticating the user:
Username: user
Password: user123
device-name>
user is in
3. When accessing the device using username localuser password mypass, the user is rejected by the
RADIUS server .
In case the RADIUS server is shut down or disconnected from the device, the device retransmits
the request for three times. After the retransmission timeout, the device attempts to authenticate
the user with the local database (defined as the secondary method), accepting the user.
Page 18
Terminal Access Controller Access-Control System

Plus (TACACS+)
TACACS+ is a security protocol for remote authentication, authorization, and accounting that
communicates between network devices and an authentication database. This protocol is based on
the communication between a NAS (T-Marc 300 Series device) and the TACACS+ authentication
server.
The TACACS+ is based on TCP communication, what is considered to be a more reliable protocol
than UDP (used in RADIUS).
The TACACS+ Negotiation Procedure

A user’s attempt to connect to the device triggers the following procedure:
1. The NAS mediates between the user and the TACACS+ server requesting and obtaining a
username prompt.
2. When the user types a username at the prompt, the NAS requests and obtains a password
prompt.
3. When the user types a password, the NAS sends the username and password to the
TACACS+ server.
4. Besides a username and password, the TACACS+ server may also request other required
identifying items to authenticate the user.
5. After typing the required information, the TACACS+ server responds with one of the below
options:
Table 5: TACACS+ Server Responses
Response Description
ACCEPT The user is authenticated. Based on configuration, the NAS might need to
start the authorization phase.
REJECT The user is not authenticated. Depending on the TACACS+ server
configuration, the user is either prompted to retry login or denied from
accessing the network.
ERROR An error occurred during the authentication procedure (such as a network
connection issue). In this case the NAS typically tries to authenticate the
user by an alternative method.
CONTINUE The TACACS+ server prompts the user for further authentication
information.
Page 19
Comparing TACACS+ and RADIUS

Table 6: A comparison between TACACS+ and RADIUS
Feature RADIUS TACACS+
Communication UDP TCP

Protocol
Authentication and Combined AAA processes AAA architecture—three separate
Authorization processes: Authentication,
Authorization, and Accounting
Packet Encryption Encrypts only the password sent by Encrypts the entire packet body but
the user to the server leaves a standard TACACS+
header
Router Sends the device a privilege level Controls the command authorization
Management used for command authorization on a per-user or per-group basis by
assigning privilege levels to
commands
Multiprotocol Does not support some protocols, Offers multiprotocol support
Support such as:
• AppleTalk Remote Access
(ARA)
• NetBIOS Frame Protocol
Control
• Novell Asynchronous Services
Interface (NASI)
• X.25 PAD connection
Page 20
TACACS+ Configuration Flow
Start
Define user privileges on the TACACS+ server
Select the TACACS+ server(s)
Define the shared encryption key
Configure users in the local database in case

TACACS+ is not responding
(see Configuring User Privilege Levels)
Define TACACS+ as the primary authentication

method
Configure the TACACS+ timeout
End
Figure 5: TACACS+ Configuration Flow
Page 21
Defining User Privileges on the TACACS+ Server

The TACACS+ usernames and privilege levels are defined in the TACACS+ configuration file.
The TACACS+ privilege levels are arranged in an ascending order where:
• privilege level 0 is the lowest level (Guest level)
• privilege level 15 is the highest levle (Administrators)
The following example displays the contents of a TACACS+ server configuration file:
# The shared secret key
key = TacacsPlus
# Use /etc/shadow file to do authentication

default authentication = file /etc/shadow
# Where the accounting records should go to

accounting file = /var/log/tac_acc.log
#The default user. If absent, each user must have “service=exec” statement
# in order to be granted authorization for shell login request.
user = DEFAULT {
default service = permit
}
# Profiles for user accounts

# user ivo – priv. level 3 converted internally by the device
# to 12 (privilege group Users)
user = ivo {
login = cleartext ivo123
service=exec {
priv-lvl = 3
}
}
# user “root” – priv. level 15 converted internally by the device
# to 0 (privilege group Administrators)
user = root {
login = cleartext rtpsw
service=exec {
priv-lvl = 15
}
}
Page 22
TACACS+ Configuration Commands

Table 7: TACACS+ Configuration Commands
Command Description
tacacs-server host Selects the TACACS+ server(s) (see Selecting a TACACS+

Server)
tacacs-server key Defines the shared encryption key between the NAS and the
TACACS+ server (see Defining the TACACS+ Shared
Encryption Key)
tacacs-server timeout Defines the time the NAS waits for a response from the
TACACS+ server before it times out and declares an error (see
Defining the TACACS+ Timeout)
Selecting a TACACS+ Server

The tacacs-server host command selects the TACACS+ server(s), by defining their IP address
and port.
You can select up to five different TACACS+ servers (repeat the command for each server). When
you select more than one server, the device attempts to connect these servers in a predefined order.
The first server to successfully connect (responding with either a PASS or a FAIL reply) accepts or
rejects the request.
Command Syntax
device-name(config)#tacacs-server host A.B.C.D [<port>]
device-name(config)#no tacacs-server host A.B.C.D
A.B.C.D The TACACS+ server IP address
port (Optional) the TACACS+ server port, in the range of <1024–65535>
49
no Removes the specified TACACS+ server from the device
Page 23
Defining the TACACS+ Shared Encryption Key

The tacacs-server key command defines the shared encryption key used for all the traffic
between the device and the TACACS+ server.
NOTE
Defining an encryption key is not mandatory. However, if you configure one on the
device, you must configure the same key on the TACACS+ server.
We recommend defining an encryption key (unencrypted packets are intended for
testing).
Command Syntax
device-name(config)#tacacs-server key ENCRYPTION-KEY
device-name(config)#no tacacs-server key
ENCRYPTION-KEY The shared encryption key, a string of up to 64 characters. This key is also
encrypted in the running configuration
no Removes the encryption key
Defining the TACACS+ Timeout

The tacacs-server timeout command defines the amount of time the device waits for a
response from the TACACS+ server before it times out and declares an error.
Command Syntax
device-name(config)#tacacs-server timeout <timeout>
timeout The timeout, in the range of <1–60> seconds
15 seconds
Page 24
The following example displays the contents of the TACACS+ server configuration file.
In this example we demonstrate the following setup:
• Shared encryption key= batm
• Usernames and privilege levels:
Username TACACS+ Configuration Internal Privilege Group

File Privilege Level Privilege level
guest 0 15 Guest
ivo 3 12 User
tech 7 8 Technician
netadmin 11 4 Network-Admin
admintac 15 0 Administrator
key = batm
#All services are allowed..
user = DEFAULT {
default service = permit
}
#Profiles for user accounts
user = guest {
login = cleartext guest
service=exec {
priv-lvl = 0
}
}
# When user “guest” is authenticated and device-name#show privilege is
# entered from CLI, the device will display the following line:
# "Current user privilege is Guest"
#
# In this case the device changes automatically the privilege
# level to 15 to map the specified value of 0 to the internal privileged
# scheme of the device (see "User Privilege Levels" chapter).
user = ivo {
login = cleartext ivo
service=exec {
priv-lvl = 3
}
}
# device-name#show privilege
# "Current user privilege is User"
# (Changes automatically to 12, see "User Privilege Levels" chapter)
Page 25
user = tech {
login = cleartext tech
service = exec {
priv-lvl = 7
}
}
# "Current user privilege is Technician"
user = netadmin {
login = cleartext netadmin
service = exec {
priv-lvl = 11
}
}
# "Current user privilege is Network-Admin"
user = admintac {
login = cleartext admintac
service = exec {
priv-lvl = 15
}
}
# "Current user privilege is Administrator"
Device Configuration:
1. Select the TACACS+ server and define the shared encryption key:
device-name(config)#tacacs-server host 10.2.42.137
device-name(config)#tacacs-server key TacacsPlus
2. Create username ivo and password ivo123 in the local database:

device-name(config)#username ivo password ivo123 ivo123 group users
3. Create username root and password rtpsw in the local database:

device-name(config)#username root password rtpsw rtpsw group
administrators
Page 26
4. Define TACACS+ as the primary authentication method and local authentication as the
secondary method:
device-name(config)#aaa authentication login default tacacs+ local
5. Display the TACACS+ configuration:

! T-Marc 340
!
interface sw0
radius-server host 10.2.42.137

radius-server key batm
radius-server timeout 10
radius-server deadtime 3
tacacs-server host 10.2.42.137
tacacs-server key tacacsplus
username localuser password
ea71c25a7a602246b4c39824b855678894a96f43bb9b71319c39
700a1e045222
username ivo password
ac6ab2a87e30f78f589a668c4ef3651e0345b5dab8c20fd03de6327d86
4d9a4d group users
username root password
b85de4c6ef68e8ae1b7e6e398817f315b47286b68f0f74ca5a3ccf267
0f81507
aaa authentication login default tacacs+ local
Configuration Results:
1. When accessing the device using username tech, the result is ACCEPT:
Username: tech
Password:
device-name>show privilege
Current user privilege is Technician
2. When accessing the device using username richy, the result is REJECT:
Username: richy
Password:
Username:
3. When accessing the device using local username root and password rtpsw, when the TACACS+
server is absent, the result is ACCEPT:
Username: root
Password:
device-name>
Page 27
Secure Shell Server (SSH)

SSH is a protocol used for securely managing a remote device over an insecure network. The
protocol secures the management sessions using standard cryptographic mechanisms and ensures
data protection as well as password-theft prevention.
The T-Marc 300 Series supports SSH version 2 (SSH-2). This version supports multiple public-key
algorithms, including Digital Signature Algorithm (DSA).
When initiating an SSH session, the encryption algorithm and the key are negotiated between the
server (on the T-Marc 300 Series) and the client. The SSH server has an authentication timeout,
disconnecting it in case no authentication is accepted. Additionally, system administrators can limit
the number of failed authentication-attempts to the server in a single session before the server
disconnects.
You can use any of the supported authentication methods (RADIUS, TACACS+, or local
database) when connecting to the device via SSH.
SSH Vs. Telnet

Since SSH is an encrypted channel for accessing the device, you can disable the Telnet access,
forcing all administrative sessions to run over an encrypted channel. To disable a Telnet access, use
the telnet stop command (for more information, refer to the Enabling/Disabling the Device’s Telnet
Servers section of the Device Setup and Maintenance chapter.)
In addition, when you connect to the device using SSH, avoid using a Telnet client from that device
to another host. This precaution is required to prevent the connection from being vulnerable to
anyone who may spy on both network connections.
Page 28
Security Considerations
Upon the first access to an SSH server, the SSH client usually issues a security-alert message as
shown in the below figure:
Figure 6: Security Alert Message Issued by the SSH Client
If you receive this message when accessing the SSH server again:
• you are either exposed to a malicious intrusion
• or the SSH keys were reconfigured
Supported Clients
You can access the SSH server using the following SSH clients:
• SSH Communications Security Corp’s client
• OpenSSH secure shell client
• PuTTY terminal program
• F-Secure SSH client
• SecureRT
• Other clients supporting SSH (version 2)
Page 29
The SSH Server Configuration Flow
Start
Create a username and password on the local

database
Define the login-authentication method
Define usernames and user-privileges for the

selected authentication method
Generate the initial DSA public-parameters
Start the SSH server
End
Figure 7: SSH Configuration Flow
SSH Configuration Commands

Table 8: SSH Commands
Command Description
ssh generate-key dsa Generates the initial DSA public-parameters (see Generating the
Initial DSA Public-Parameters)
ssh start Initializes the SSH server (see Initializing the SSH Server)
ssh stop Stops the SSH server (see Stopping the SSH Server)
Page 30
Generating the Initial DSA Public-Parameters

The ssh generate-key dsa command generates the initial DSA public-parameters used during
the key-exchange phase.
NOTES
Apply this command before starting the SSH server for the first time.
This command is not displayed in the configuration file but is saved when
rebooting the device after saving the running configuration to the NVRAM.
Command Syntax
device-name(config)#ssh generate-key dsa
Initializing the SSH Server

The ssh start command initializes the SSH server. Users can access the device with an SSH client
only after executing this command.
NOTES
Apply the ssh generate-key dsa command prior to executing this command for
the first time.

The SSH server is disabled by default.
Command Syntax
device-name(config)#ssh start
Stopping the SSH Server

The ssh stop command stops the SSH server.
NOTE
Stopping the SSH server closes all open SSH connections to the device.
Page 31
Authenticating the Local Database Usernames and Passwords with SSH
1. Create username abc with password klm:
device-name(config)#username abc password klm klm
2. Define local authentication as the primary authentication method:

device-name(config)#aaa authentication login default local local
3. Generate the initial DSA public-parameters:

DSA parameters will be stored only after writing configuration in memory!!!
4. Write the SSH configuration to the device’s memory:

device-name#write memory
5. Initialize the SSH Server:

6. Stop the Telnet Server:

device-name(config)#telnet stop
Page 32
Authenticating RADIUS Usernames and Passwords with SSH

1. Select a RADIUS server and define the shared secret key:
device-name(config)#radius-server host 10.2.42.137
device-name(config)#radius-server key 123456
2. Create username abc with password klm in the local database (in case the RADIUS server does
not respond):
device-name(config)#username abc password klm klm
3. Define RADIUS as the primary authentication method:

device-name(config)#aaa authentication login default radius local
4. Generate the initial DSA public-parameters:

DSA parameters will be stored only after writing configuration in memory!!!
5. Write the SSH configuration to the device’s memory:

device-name#write memory
6. Start the SSH Server:

7. Stop the Telnet Server:

device-name(config)#telnet stop
Page 33
Secure File Transfer Protocol (SFTP) Client

SFTP is a secured file-transfer protocol, provided as a part of SSH. This protocol encrypts both the
commands and the data transferred, providing a secure and authenticated method for copying
router-configuration or router-image files.
The SFTP Client Configuration Commands

Table 9: SFTP Client Commands
Command Description
copy sftp Downloads a file from a remote SFTP server (see Downloading a
File to the Device)
copy localfile sftp Uploads a file to a remote SFTP server (see Uploading a File)
dir sftp Lists files in remote directory of a remote SFTP server (see Listing
Files)
rename sftp Renames a file located on a remote SFTP server (see Renaming a
File)
del sftp Removes a file located on a remote SFTP server (see Deleting a
File)
Page 34
Downloading a File to the Device

The copy sftp command downloads a file from a remote SFTP server.
Upon the file transfer, the CLI displays the number of received bytes. You can terminate the
command execution by pressing Ctrl+C.
Command Syntax
device-name#copy sftp://[ username[ :password]@] hostname[ :port]/ srcfile
[localfile]
Arguments Description
username (Optional) the SFTP-server username
password (Optional) the password authenticating the username
hostname The SFTP server IP Address, in an A.B.C.D format
port (Optional) the SFTP port number
srcfile The source file including path
localfile (Optional) the local filename, including path.
If you do not specify this argument, the file is saved with the source
filename into the current working directory.
NOTE
If you do not the username and password arguments within the command line, the
CLI prompts for them, as shown in the below examples.
Examples
Username and password specified in the command line:
device-name#copy sftp://batm:batm@10.20.30.40:1002/File_Image.Z
Connecting to 10.20.30.40
Remote directory is /home/batm
Downloading file /home/batm/File_Image.Z
SFTP receiving file flash:/File_Image.Z : 1249612
Download completed successfully...
Page 35
Only a username is specified in the command line:

device-name#copy sftp://batm@10.20.30.40:1002/File_Image.Z
Username: batm
Password:
Neither the username nor the password is specified in the command line:
device-name#copy sftp://10.20.30.40:1002/File_Image.Z
Username: batm
password:
The destination filename is specified:

device-name#copy sftp://batm:batm@10.20.30.40:1002/File_Image.Z
New_File_Image.Z
SFTP receiving file flash:/New_File_Image.Z : 1249612
Page 36
Uploading a File to the SFTP Server

The copy localfile sftp command uploads a file to the SFTP server.
Upon the file transfer, the CLI displays the number of received bytes. You can terminate the
command execution by pressing Ctrl+C.
Command Syntax
device-name#copy localfile
sftp://[username[:password]@]hostname[:port][/dstfile]
localfile The local file including path
dstfile (Optional) specifies the destination filename including path.
If you do not specify:
• a path, the file is saved in the current working directory
• a filename, the file is stored with the local filename
NOTE
If you do not the username and password arguments within the command line, the
CLI prompts for them.
Example
device-name#copy File_Image.Z sftp://batm:batm@10.20.30.40:1002/File_Image.Z
Uploading file /home/batm/File_Image.Z
SFTP sending file flash:/BiNOS-T-Marc3X0.Z : 123456
Upload completed successfully...
Page 37
Listing Files in the SFTP-Server Directory

The dir sftp command lists the existing files in the SFTP-server directory.
The command displays the filenames, size, directory or file, modification date, and permissions.
You can terminate the command execution by pressing Ctrl+C.
Command Syntax
device-name#dir sftp://[username[:password]@]hostname[:port][/dirname]
dirname (Optional) the path to the relevant directory, relative to the root directory
(usually the home directory).
Example
device-name#dir sftp://batm:batm@10.20.30.40/usr/temp
Remote directory is /home/batm/usr/temp
-rw-r--r-- 1 batm batm 515 Aug 31 2008 .emacs

-rw-r--r-- 1 batm root 1177800 Jun 25 09:28 proba.c
-rw-r--r-- 1 batm batm 24 Aug 31 2008 .bash_logout
-rw------- 1 batm batm 644 Jul 2 12:34 .bash_history
-rw-r--r-- 1 batm batm 124 Aug 31 2008 .bashrc
drwxr-xr-x 5 batm batm 4096 Jul 2 12:37 .
-rw-r--r-- 1 batm batm 191 Aug 31 2008 .bash_profile
-rw-rw-r-- 1 batm batm 44 Jun 5 21:17 boot.ini1
drwxr-xr-x 5 root root 4096 Jun 26 00:50 ..
-rw-r--r-- 1 batm batm 120 Aug 31 2008 .gtkrc
-rw-r--r-- 1 batm batm 658 Aug 31 2008 .zshrc
-rw-rw-r-- 1 batm batm 118407968 Jun 20 18:07 bigfile
drwxr-xr-x 3 batm batm 4096 Apr 27 2008 .kde
total 13
Page 38
Renaming a File on the SFTP Server

The rename sftp command renames a file located on the remote SFTP server.
Command Syntax
device-name#rename sftp://[username[:password]@]hostname[:port]/old_filename
new_filename
old_filename The current filename including the path (relative to the root directory, usually
home directory).
new_filename The new filename (without the path). This name cannot contain directory
separators and cannot be the same as the old one.
Deleting a File from the SFTP Server

The del sftp command deletes a file from the SFTP server.
Command Syntax
device-name#del sftp://[username[:password]@]hostname[:port]/filename
filename The filename including path (relative to the root directory, usually the home
directory).
Page 39
Supported Platforms
CLI User-Privilege Levels + +

RADIUS + +
TACACS+ + +
SSH + +
SFTP Client + +

CLI User- No Standards are supported No MIBs are No RFCs are supported by this
Privilege by this feature. supported by feature.
Levels this feature.
RADIUS No standards are supported No MIBs are • RFC 2865, Remote
by this feature. supported by Authentication Dial In User
this feature. Service (RADIUS)
• RFC 2869, Remote
Authentication Dial In User
Service (RADIUS)
Extensions
TACACS+ No Standards are supported No MIBs are draft-grant-tacacs-02—tac-
by this feature. supported by rfc.1.78.txt draft
this feature.
SSH • draft-ietf-secsh- No MIBs are • RFC 1851, The ESP Triple
architecture-07 supported by DES Transform
this feature.
• draft-ietf-secsh- • RFC 2792, DSA and RSA
transport-09 Key and Signature Encoding
• draft-ietf-secsh-connect- for the KeyNote Trust
09 Management System
• draft-ietf-secsh-userauth-
09
• FIPS 186 (Digital
Signature Standard)
• FIPS 180-1 (Secure
Hash Algorithm)
• HMAC-SHA1 MAC
algorithm
Page 40
SFTP No standards are supported No MIBs are • RFC 4251, The Secure Shell
Client by this feature. supported by (SSH) Protocol Architecture
this feature.
• RFC 4252, The Secure Shell
(SSH) Authentication
Protocol
(SSH) Transport Layer
Protocol
(SSH) Connection Protocol
Page 41
Configuring Internet Group Multicast
Protocol (IGMP) Snooping
Table of Contents
Table of Figures ······················································································ 3
Internet Group Multicast Protocol (IGMP) Snooping ········································ 4

Overview ·························································································· 4
Multicast Address ··········································································· 4
IGMP Version 1············································································· 4
IGMP Version 2············································································· 5
Device without IGMP Snooping ·························································· 6
Joining a Multicast Group ·································································· 6
Leaving a Multicast Group ································································· 8
Immediate Leave ············································································ 9
Aging a Multicast Group ··································································· 9
Multicast Routers and Multicast Servers ·················································· 9
IGMP Configuration Flow ·····································································10
IGMP Snooping Command Hierarchy ························································11
Enabling/Disabling the IGMP Snooping················································13
Enabling/Disabling the IGMP Snooping on a VLAN ·································13
Specifying IGMP Snooping Timers ······················································14
Defining a Device as Querier ·····························································15
Specifying the Immediate Leave ··························································16
Adding Static Reports······································································17
Specifying Forbidden Ports································································17
Processing the Unregistered Multicast Traffic ···········································18
Specifying the Multicast Router Port ·····················································18
Specifying the Static IP Multicast Address ···············································19
Page 1
Error! No text of specified style in document. (Rev. 01)
Specifying Maximum IGMP Groups ·····················································19

Specifying Maximum IGMP Reports·····················································19
Enabling the Transparent Mode ··························································20
Enabling the Proxy Mode ·································································20
Enabling the Source Tracking·····························································21
Enabling the Report Suppression Mode ·················································21
Setting the Query Source IP Addresses to Zeroes ······································22
Specifying Maximum IGMP Reports per Port ··········································22
Enabling the Router Alert Option Ignore················································23
Specifying the Maximum IGMP Group Number ·······································23
Specifying the Maximum IGMP Report Number ·······································24
Specifying the Multicast VLAN ···························································24
Displaying the IGMP Snooping VLAN Information···································25
Displaying Multicast Router Ports ························································26
Displaying IGMP Router Timers ·························································26
Displaying All IGMP Snooping Entries··················································26
Displaying Information for All Ports·····················································28
Displaying IGMP Snooping Limits·······················································29
Displaying IGMP Snooping Current Limits ·············································29
Displaying IGMP Snooping Queriers by VLAN ········································30
Displaying IGMP Snooping Statistics ····················································30
Clearing IGMP Snooping Statistics ·······················································31
Debug the IGMP Snooping ·······························································31
Debug IGMP Snooping Packets ··························································32
Displaying the Multicast Database ························································32
Enabling/Disabling Debug of MFIB·····················································34
Page 2
Configuring Internet Group Multicast Protocol (IGMP) Snooping (Rev. 01)
Table of Figures
Figure 1: IGMP Version 1 Message Fields ····················································· 4
Figure 2: IGMP Version 2 Message Fields ····················································· 5
Figure 3: Initial IGMP Join Message···························································· 7
Figure 4: Second Host Joining a Multicast Group············································· 8
Figure 5: IGMP Configuration Flow···························································10
Figure 6: IGMP Snooping Configuration Example ··········································35
Page 3
Internet Group Multicast Protocol (IGMP) Snooping

Overview
IGMP is a session-layer protocol used to establish membership in a multicast group, registering a
device to receive specific multicast traffic.
A device that supports IGMP Snooping can passively snoop on IGMP Query, Report and Leave
(IGMP version 2) packets transferred between IP multicast routers/devices and IP multicast hosts
to learn the IP multicast group membership. It checks IGMP packets that pass through it, picks out
the group registration information, and configures multicasting accordingly.
Without IGMP Snooping, multicast traffic is forwarded to all ports, the same as broadcast traffic.
With IGMP Snooping, multicast traffic is only forwarded to ports that are members of the specific
multicast group. IGMP Snooping generates no additional network traffic, allowing you to
significantly reduce multicast traffic passing through the device.
Multicast Address
Multicast IP addresses range is from 224.0.0.0 to 239.255.255.255. They are also referred to as
Group Destination Address (GDA). A MAC address is associated to each GDA. This GDA MAC
address is formed by 01:00:5E:XX:XX:XX, followed by the latest 23 bits of the GDA multicast IP
address in hex.
IGMP Version 1
The IGMP version 1 message is 8 bytes long and contains the following fields (see Figure 1):
• Version (bits 0 to 3)—is 1
• Type (bits 4 to 7)—there are 2 types of IGMP messages:
1=Host Membership Query
2=Host Membership Report
• GDA (bits 32 to 63)—Group Destination Address
IGMP Version 1 Format
Version Type Unused Checksum
0 3 4 7 8 15 16 31
GDA
32 63
Figure 1: IGMP Version 1 Message Fields
Page 4
A host membership report is issued by a host that wants to join a specific multicast group (GDA).
When the IGMP multicast router receives the host membership report, it adds the GDA to the
multicast forwarding table and starts forwarding the IGMP traffic to this group. Host membership
queries are issued by the IGMP multicast router at regular intervals to check whether there is still a
host interested in the GDA in that segment. Host membership reports are sent either when the
host wants to receive GDA traffic or in response to a host membership query from the IGMP
multicast router.
IGMP version 1 does not have a Leave mechanism. When a host does not want to receive the
IGMP traffic any more, it just quits silently. IGMP multicast routers periodically send host
membership query messages (hereinafter called queries) to discover which host groups have
members on their attached local networks. If no reports are received for a particular group after a
certain number of queries, the routers assume that that group has no local members and that they
need not forward remotely-originated multicasts for that group onto the local network.
The host membership report messages are transmitted with the following datagram:
• Layer 2 information:
Source MAC address—is the MAC address of the host
Destination MAC address—is the MAC address for the GDA (01:00:5E:XX:XX:XX)
• Layer 3 information:
Source IP address—is the IP address of the host
Destination IP address—is the GDA (from 224.0.0.0 to 239.255.255.255)
IGMP Version 2
The IGMP version 2 message fields, as Figure 2, are as follows:
• Type (bits 0 to 7)—there are 3 types of IGMP messages:
0x11=Membership Query
0x16=Version 2 Membership Report
0x17=Leave Group
Also, there is an additional type of message for backwards-compatibility with IGMPv1:
0x12=Version 1 Membership Report.
• Maximal Response Time (MRT) (bits 8 to 15)—this field is meaningful only in
membership query messages, and specifies the maximum allowed time before sending a
responding report in units of 1/10 second. In all other messages, it is set to zero by the sender
and ignored by receivers.
• GDA (bits 32 to 63)—Group Destination Address
IGMP Version 2 Format
Type MRT Checksum
0 7 8 15 16 31
GDA
32 63
Figure 2: IGMP Version 2 Message Fields
Page 5
Report group message is a membership report issued by a host that wants to join a specific
multicast group (GDA). When the IGMP multicast router receives the membership report, it adds
the GDA to the multicast forwarding table and starts forwarding the IGMP traffic to this group.
Membership queries are issued by the IGMP multicast router at regular intervals to check whether
there is still a host interested in the GDA in that segment. Host membership reports are sent either
when the host wants to receive GDA traffic or responds to a membership query from IGMP
multicast router.
If a host does not want to receive the IGMP traffic any more, it sends a Leave Group message.
When the IGMP multicast router receives this Leave Group message, it removes the GDA from
the multicast routing table. In addition, IGMP multicast routers periodically send host membership
query messages (hereafter called queries) to discover which host groups have members on their
attached local networks. If no reports are received for a particular group after a certain number of
queries, the routers assume that that group has no local members and that they need not forward
remotely-originated multicasts for that group onto the local network.
NOTE
According to RFC 2236, all IGMP Version 2 messages have to contain a Router
Alert option in their IP header. IGMP drops any IGMP Version 2 message that
does not contain Router Alert option in its IP header.
Device without IGMP Snooping

By default, the device floods multicast traffic within the broadcast domain. This can consume a lot
of bandwidth if many multicast servers are sending streams to the segment. IGMP Snooping
restrains the flooding process only to ports where IGMP reports have to be received, thus traffic is
sent only when needed.
Joining a Multicast Group

When a host wants to join a multicast group, it sends to the device an IGMP Report message
specifying the multicast group (GDA) he wants to join. The IGMP Snooping device recognizes the
IGMP Report message sent by the host and adds the corresponding port to the forwarding list for
the multicast group (GDA). Subsequently, the device forwards all multicast traffic arriving from this
host only to the ports associated with this GDA.
In Figure 3, host A wants to join multicast group 224.1.2.3 and multicasts an unsolicited IGMP
membership report (IGMP join message) to the group with the equivalent MAC destination
address 01:00:5E:01:02:03. The device recognizes IGMP packets and forwards them to the CPU.
When the CPU receives the IGMP report multicast by host A, it uses the information to set up a
multicast forwarding table entry as shown in Table 1. This information includes the port numbers
of host A and the router.
Page 6
Figure 3: Initial IGMP Join Message
Table 1: IP Multicast Forwarding Table Destination Address

MAC Address Type of Packet Ports
01:00:5e:01:02:03 IGMP 1/1/1
The device architecture allows the CPU to distinguish IGMP information packets from other
packets for the multicast group. The device recognizes the IGMP packets through its filter engine.
This prevents the CPU from becoming overloaded with multicast frames.
The entry in the multicast forwarding table tells the switching engine to send frames addressed to
the 01:00:5E:01:02:03 multicast MAC address that are not IGMP packets to the host that has joined
the group.
If another host (for example, host D) sends an IGMP join message for the same group (Figure 4),
the CPU receives that message and adds the port number of host D to the multicast forwarding
table as shown in Table 2.
Page 7
Figure 4: Second Host Joining a Multicast Group
Table 2: Updated Multicast Forwarding Table Destination Address

MAC Address Type of Packet Ports
01:00:5e:01:02:03 IGMP 1/1/1,1/2/2
NOTE
The number of multicast groups is 1000.
When Link Aggregation is configured, all the multicast traffic is passed on the master port. For
more information about Link Aggregation, refer to the Configuring Interfaces chapter of this User
Guide.
Leaving a Multicast Group

In IGMP version 1, if a host does not want to receive the IGMP traffic, it just silently quits the
group. IGMP multicast routers periodically send host membership query messages to discover if
any member is still interested in the specific multicast group traffic. As long as the IGMP Snooping
device receives this Query Group message, it forwards the message to the associated port included
in the multicast group. If the router does not receive a Report Group message after three
consecutive queries, it deletes the GDA MAC of the associated port in the MAC Filtering
Database.
In IGMP version 2, if a host does not want to receive the IGMP traffic any more, it sends a Leave
Group message. When the IGMP Snooping device receives this Leave Group message, it sends an
IGMP group specified query message to determine if any device behind that port is interested in
the specific multicast group traffic. If the device does not receive any IGMP Report message, it
removes the GDA MAC address from the associated port in the MAC Filtering Database.
Page 8
Immediate Leave
IGMP Snooping Immediate Leave processing allows the device to remove an interface that sends a
Leave message from the forwarding table without first sending out group-specific queries to the
interface. The port is pruned from the multicast tree for the multicast group specified in the original
Leave message. Immediate Leave processing ensures optimal bandwidth management for all hosts
on a switched network, even when multiple multicast groups are in use simultaneously.
NOTE
IGMP Snooping Immediate Leave is suitable only if after connecting one receiver
on the port.
Aging a Multicast Group

When a report is received (unsolicited or in response to a query), the IGMP snooping sets the age
timer to this entry. If the report is received and the multicast group already exists, the IGMP
snooping just updates the age timer.
Once the age timer expires, the report is removed from the IGMP snooping table and the entry in
Multicast Forwarding Table is updated.
The calculation of the age timer of a report is as follows:
Report Age = robustness * query-interval + response-time
Multicast Routers and Multicast Servers

A Multicast router (mrouter) is a router that runs a multicast routing protocol (such as PIM) and
participates in the multicast tree. On the edge of the network, a multicast router might be
connected to an IGMP Snooping device. The port on which the multicast router is connected is
called an mrouter port. The multicast router sends periodic General IGMP queries.
The snooping device identifies an mrouter port by either receiving an IGMP query on that port or
by explicit configuration of the port as an mrouter port (by using the ip igmp snooping vlan
mrouter command).
A Multicast server may be any stream server sending multicast traffic (such as a UDP stream destined
to multicast address). As a rule, a multicast server does not send IGMP queries. The snooping
devices connected to a multicast server (which does not send queries) require additional
configuration (see the example). Multicast traffic is forwarded to group members regardless of the
configuration of the incoming port.
Page 9
IGMP Configuration Flow
Start
Enable IGMP snooping
Disable IGMP snooping per VLAN where it is not needed
Synchronize IGMP timers with other IGMP devices
Yes Is there a
multicast/IGMP router?
No
Configure uplink ports as m-router ports
Configure query sender on user ports
Set immediate-leave on VLANs with single host per port
Create a static report on particular VLAN and port
Apply static configuration on some special

ports-forbidden, for-all, static MACs, etc.
End
Figure 5: IGMP Configuration Flow
Page 10
IGMP Snooping Command Hierarchy

+ enable
+ configure terminal
- [no] ip igmp snooping
- [no] ip igmp snooping vlan <vlan-id>
- [no] ip igmp snooping router-timers {last-member <last-member-
interval> | query <query-interval> | responses <responses-time>
| robustness <robustness>}
- [no] ip igmp snooping send-query vlan <vlan-id> interface
{PORT-LIST | PORT-AG-LIST} {query-interval <query-interval-
value> | response-time <response-time-value> | group <M.G.R.P>}
- [no] ip igmp snooping vlan <vlan-id> immediate-leave

- [no] ip igmp snooping vlan <vlan-id> interface UU/SS/PP {max-
reports <number> | static report M.G.R.P}
- [no] ip igmp snooping forbidden {PORT-LIST | PORT-AG-LIST}
- [no] ip igmp snooping vlan <vlan-id> mrouter interface {AG0N |
UU/SS/PP}
- [no] ip igmp snooping vlan <vlan-id> static A.B.C.D interface

{PORT-LIST | PORT-AG-LIST}
- [no] ip igmp snooping vlan <vlan-id> max-groups <number>
- [no] ip igmp snooping vlan <vlan-id> max-reports <number>
- ip igmp snooping vlan <vlan-id> transparent
- ip igmp snooping vlan <vlan-id> proxy
- [no] ip igmp snooping vlan <vlan-id> source-tracking
- ip igmp snooping vlan <vlan-id> report-suppression
- [no] ip igmp snooping query-source-ip-zero
- [no] ip igmp snooping interface UU/PP/SS max-reports <number>
- [no] ip igmp snooping ignore router-alert-option
- [no] ip igmp snooping max-groups <number>
- [no] ip igmp snooping max-reports <number>
- [no] multicast vlan <vlan-id> static HH:HH:HH:HH:HH:HH interface
- show ip igmp snooping [vlan <vlan-id>]
- show ip igmp snooping mrouter [vlan <vlan-id>]
- show ip igmp snooping router-timers
- show ip igmp snooping all [count]
- show ip igmp snooping interfaces
- show ip igmp snooping limits [interface UU/SS/PP | vlan <vlan-id> |
vlan <vlan-id> interface UU/SS/PP]
- show ip igmp snooping limits current [vlan <vlan-id> | interface
UU/SS/PP | vlan <vlan-id> interface UU/SS/PP]
Page 11
- show ip igmp snooping querier [vlan <vlan-id>]

- show ip igmp snooping statistics
- show multicast table {l2mac | l2g | l2sg | l3 | nbr | all}
- clear ip igmp snooping statistics [max-groups | leaves | queries |
reports]
- [no] debug igmp snooping {mvr | hw | database | timers | events |
all}
- [no] debug igmp snooping packet {send | recv} [detail]
- [no] debug mfib [l2mac | l2g | l2sg | l3 | unknown | igmp | timers
| events | hw]
Page 12
Enabling/Disabling the IGMP Snooping

The ip igmp snooping command enables IGMP Snooping on all existing VLANs.
When you enable IGMP Snooping, the device automatically learns the ports to which multicast
routers are connected. When you disable IGMP Snooping, the entire configuration is erased.
NOTE
When you enable IGMP Snooping, all multicast data packets are filtered out before
receiving reports, except for well known multicast groups in the range
<01:00:5E:00:00:00–01:00:5E:00:00:FF>.

When globally enabling or disabling IGMP Snooping, this feature is also enabled or disabled on all
existing VLANs.
Command Syntax
device-name(config)#ip igmp snooping
device-name(config)#no ip igmp snooping
no Disables IGMP Snooping on all existing VLANs.
Disabled
Enabling/Disabling the IGMP Snooping on a VLAN

The ip igmp snooping vlan command enables IGMP Snooping on the specified VLAN.
You can enable IGMP snooping for each VLAN only after you have enable the global IGMP
snooping, using the ip igmp snooping command.
Command Syntax
device-name(config)#ip igmp snooping vlan <vlan-id>
device-name(config)#no ip igmp snooping vlan <vlan-id>
no Disables IGMP Snooping for a VLAN.
Enabled
vlan-id Enables IGMP snooping for the specified VLAN in the range of <1–4094>.
Page 13
Specifying IGMP Snooping Timers

The ip igmp snooping router-timers command specifies the query packet intervals sent to the
host port when performing leave snooping. The command sets the multicast router timer variables
to synchronize the IGMP Snooping.

By default, when the device receives a Leave packet from a host that is a member of a certain
group. It performs the following steps repeatedly Robustness times:
1. The device sends a specific query for that group, with the response time field set to 1 second
(last-member interval).
2. The device waits 1 second (last-member interval).
3. If the device receives a join request, it refreshes the group membership aging, and stops the
procedure.
NOTE
This procedure is not performed when Immediate Leave is enabled.
NOTE
To calculate the Group Membership Interval and Other Querier Present Interval
(see RFC 2236) use the IGMP Snooping timers.
Command Syntax
device-name(config)#ip igmp snooping router-timers {last-member <last-member-
interval> | query <query-interval> | responses <responses-time> | robustness
<robustness>}
device-name(config)#no ip igmp snooping router-timers {last-member | query |
responses | robustness}
last-member Specifies the expected response time, in seconds, for answering a specific
<last-member- query. The valid range is <0.1–125.0>.
interval> 1 second
The response time must be less than the query interval.
This value is inserted in the response-time field of the specific query
packet generated by the device. Increasing the response time makes the
traffic less bursty, by spreading out host responses over a larger interval.
query <query- Specifies the maximum time interval that the multicast router waits after
interval> sending a group-specific query to determine if hosts are still interested in a
specific multicast group. The valid range is <11.0–32762.0>.
125 seconds
responses Specifies the expected response time, in seconds, for answering a general
<responses- query. The valid range is <0.1–125.0>.
time> 10 seconds
This value is inserted in the response-time field of the general query
packet generated by the device. Increasing the response time makes the
traffic less bursty, by spreading out host responses over a larger interval.
Page 14
robustness Specifies the number of specific query packets sent by the device. The
<robustness> valid range is <2–254>.
2 packets
The robustness variable allows tuning for the expected packet loss. If a
subnet is expected to be lost, the robustness variable may be increased.
Example
In the following example four specific queries are sent every 30 seconds with response time set to
15 seconds. If the device does not receive any join request after 60 seconds, it sends the Leave
packet to the multicast router port.
device-name(config)#ip igmp snooping router-timers last-member 30
device-name(config)#ip igmp snooping router-timers responses 15
device-name(config)#ip igmp snooping router-timers robustness 4
Defining a Device as Querier

The ip igmp snooping send-query command starts sending general queries on a specified
VLAN and port.
The query generator can be implemented only when IGMP Snooping is enabled. It generates
queries at the configured rate (query-interval).
Command Syntax
device-name(config)#ip igmp snooping send-query vlan <vlan-id> interface {PORT-
LIST | PORT-AG-LIST} {query-interval <query-interval-value> | response-time
<response-time-value> | group <M.G.R.P>}
device-name(config)#no ip igmp snooping send-query vlan <vlan-id> interface
vlan-id Specifies the VLAN ID number in range <1–4094>.
PORT-LIST Specifies the query port list distribution. Use commas as
separators and hyphens to indicate sub-ranges (e.g. 1/1/1–
1/2/5, 1/2/7).
PORT-AG-LIST Specifies the Query link aggregation port list, of the form:
ag01, ag02–ag05, ag07. The valid range is <ag01–ag07>.
query-interval <query- Specifies the interval between queries in seconds, in the
interval-value> range <1–300>.
125 seconds
response-time <response- Specifies the host response timeout, in seconds, to be set in
time-value> the query frame, in the range <1–25>.
10 seconds
group <M.G.R.P> Multicast group to query for.
no Removes the query generator.
Page 15
Example
NOTE
The configured response timeout value is specified in seconds, but the value that is
actually inserted in the packet is in 1/10 second units.
Configure the general query packet every 50 seconds in VLAN 5 on port 1/1/1 with response
timeout of 15 seconds:
device-name(config)#ip igmp snooping send-query vlan 5 interface 1/1/1 query-
interval 50 response-time 15
Specifying the Immediate Leave

The ip igmp snooping vlan immediate-leave command enables IGMP immediate-leave
processing.

When you enable IGMP Immediate Leave processing, the device immediately removes a port from
the IP multicast group when it detects an IGMP version 2 Leave message on that port. Immediate
Leave processing allows the device to remove a port that sends a Leave message from the
forwarding table without first sending out group-specific queries to the port. You can use the
Immediate-Leave only when there is only a single receiver present on every port in the VLAN.
NOTE
IGMP Snooping Immediate Leave is suitable only if one receiver is connected on
the port.
Command Syntax
device-name(config)#ip igmp snooping vlan <vlan-id> immediate-leave
device-name(config)#no ip igmp snooping vlan <vlan-id> immediate-leave
vlan-id Refer to the Argument Description.
Disabled
Example
device-name(config)#ip igmp snooping vlan 1 immediate-leave
Page 16
Adding Static Reports

The ip igmp snooping vlan interface command creates a static report on particular VLAN
and port.
Command Syntax
device-name(config)#ip igmp snooping vlan <vlan-id> interface UU/SS/PP {max-
reports <number> | static report M.G.R.P}
device-name(config)#no ip igmp snooping vlan <vlan-id> interface UU/SS/PP {max-
reports | static report M.G.R.P}
interface UU/SS/PP Specifies the operating port.
max-reports <number> Specifies the maximum number of IGMP reports that the port can
join, in the range <0–2000>.
2000
static Adds a static entry.
report Adds a report entry.
M.G.R.P Specifies the IP multicast address.
no Removes the static report.
Example
device-name(config)#ip igmp snooping vlan 1 interface 1/2/8 static report
228.1.23.4
Specifying Forbidden Ports

The ip igmp snooping forbidden command forbids forwarding of the entire multicast traffic
via the specified ports.
Command Syntax
device-name(config)#ip igmp snooping forbidden {PORT-LIST | PORT-AG-LIST}
device-name(config)#no ip igmp snooping forbidden {PORT-LIST | PORT-AG-LIST}
Page 17
hyphens to indicate sub-ranges (e.g. 1/2/1–1/2/5, 1/2/7).
PORT-AG-LIST Specifies the link aggregation port list, of the form: ag01, ag02–ag05,
ag07. The valid range is <ag01–ag07>.
Enabled
Processing the Unregistered Multicast Traffic

The multicast traffic sent to groups for which do not receive any membership reports, is regarded
as unregistered traffic.
NOTE
Ports on which IGMP queries are received or configured as mrouter ports receive
all multicast traffic in the VLAN.
IGMP does not process membership reports for groups in the local-link IP multicast range
<224.0.0.0–224.0.0.255>, since many hosts do not join multicast groups in this range. Thus, the
traffic in the range <01:00:5E:00:00:00–01:00:5E:00:00:FF> is always unregistered and forwarded
to all ports in the VLAN.
Specifying the Multicast Router Port

The ip igmp snooping vlan mrouter command configures a static connection to a multicast
router. The port to the router must be in the selected VLAN.
Command Syntax
device-name(config)#ip igmp snooping vlan <vlan-id> mrouter interface {ag0N |
UU/SS/PP}
device-name(config)#no ip igmp snooping vlan <vlan-id> mrouter interface {ag0N
| UU/SS/PP}
vlan-id Specifies the multicast router VLAN ID value, in the range <1–4094>.
ag0N Specifies the aggregation port to the multicast router. N is in the range <1–7>.
UU/SS/PP Specifies the multicast router port.
no Removes the multicast router port definition on the specific VLAN.
Example
device-name(config)#ip igmp snooping vlan 200 mrouter interface 1/1/1
Page 18
Specifying the Static IP Multicast Address

The ip igmp snooping vlan static command configures a Layer 2 port of a VLAN as a
member of a multicast group.
Hosts or physical ports normally join multicast groups dynamically, but you can also statically
configure a host on a port.
Command Syntax
device-name(config)#ip igmp snooping vlan <vlan-id> static M.G.R.P interface
device-name(config)#no ip igmp snooping vlan <vlan-id> [static M.G.R.P]
[interface {PORT-LIST | PORT-AG-LIST}]
M.G.R.P Specifies the multicast address.
PORT-LIST Specifies one or more port numbers. Use commas as separators
and hyphens to indicate sub-ranges (e.g. 1/1/1–1/2/5, 1/2/7).
PORT-AG-LIST Specifies the link aggregation port list, of the form: ag01, ag02–
ag05, ag07. The valid range is <ag01–ag07>.
no Removes the static multicast definition.
Specifying Maximum IGMP Groups

The ip igmp snooping vlan max-groups command defines the number of multicast groups
which can be registered for IGMP snooping of each VLAN.
Command Syntax
device-name(config)#ip igmp snooping vlan <vlan-id> max-groups <number>
device-name(config)#no ip igmp snooping vlan <vlan-id> max-groups
max-groups <number> Specifies the maximum number of IGMP groups that VLAN can
2000
no Restores the number of maximum groups to the default value.
Specifying Maximum IGMP Reports

The ip igmp snooping vlan max-reports command specifies the maximum number of IGMP
reports that the VLAN can join.
Page 19
Command Syntax
device-name(config)#ip igmp snooping vlan <vlan-id> max-reports <number>
device-name(config)#no ip igmp snooping vlan <vlan-id>> max-reports
max-reports <number> Specifies the maximum number of IGMP reports that VLAN can
2000
no Restores the number of maximum reports to the default value
Enabling the Transparent Mode

The ip igmp snooping vlan transparent command enables the Transparent mode. The
snooping device does not generate packets, only listens and builds its database and forwards the
rules quietly. In this mode of operation the multicast router receives all IGMP messages generated
in the VLAN. These can overhead the router with reports or sending specific queries.
Command Syntax
device-name(config)#ip igmp snooping vlan <vlan-id> transparent
transparent Specifies the transparent mode.
Enabling the Proxy Mode

The ip igmp snooping vlan proxy command enables the Proxy mode. The number of
processing done on the multicast router is reduced, because the device acts as Proxy. Some of
multicast router ports act as IGMP hosts and other ports as IGMP routers. Since the device acts as
a multicast router, but it is not a multicast router, the generated IGMP messages have the IP source
address of the IP interface sw0.
Page 20
Command Syntax
device-name(config)#ip igmp snooping vlan <vlan-id> proxy
proxy Specifies the proxy mode.
Enabling the Source Tracking

The ip igmp snooping vlan source-tracking command tracks IGMP membership reports
from individual hosts for each port on a per-VLAN basis.
Command Syntax
device-name(config)#ip igmp snooping vlan <vlan-id> source-tracking
device-name(config)#no ip igmp snooping source-tracking
no Disables source tracking.
Enabled
Enabling the Report Suppression Mode

The ip igmp snooping vlan report-suppression command enables the Report Suppression
mode (the default mode). The device uses IGMP report suppression mode to forward only one
IGMP report per multicast router query to multicast devices. When IGMP router suppression is
enabled, the device sends the first IGMP report from all hosts for a group to all the multicast
routers. The device does not send the remaining IGMP reports for the group to the multicast
routers. This feature prevents duplicate reports from being sent to the multicast devices.
Command Syntax
device-name(config)#ip igmp snooping vlan <vlan-id> report-suppression
Page 21
Setting the Query Source IP Addresses to Zeroes

The ip igmp snooping query-source-ip-zero command enables generating queries (on Leave
and on xSTP change) with source IP address that is all zeros (i.e. 0.0.0.0) according to the draft-ietf-
magma-snoop-11.txt draft.
NOTE
Windows clients do not accept queries with source IP address 0.0.0.0.
Command Syntax
device-name(config)#ip igmp snooping query-source-ip-zero
device-name(config)#no ip igmp snooping query-source-ip-zero
The source IP address of the queries is the IP address of the IP
interface sw0.
Specifying Maximum IGMP Reports per Port

The ip igmp snooping interface max-reports command specifies the maximum number of
IGMP reports that the port can join
Command Syntax
device-name(config)#ip igmp snooping interface UU/PP/SS max-reports <number>
device-name(config)#no ip igmp snooping interface UU/PP/SS max-reports
UU/SS/PP Specifies the port of the multicast device.
max-reports <number> Specifies the maximum number of IGMP reports that port can join,
in the range <0–2000>.
2000
no Restores the maximum number of IGMP reports that specified port
can join to default value.
Page 22
Enabling the Router Alert Option Ignore

The ip igmp snooping ignore command enables the processing of IGMP packets without
router alert option.
Command Syntax
device-name(config)#ip igmp snooping ignore router-alert-option
device-name(config)#no ip igmp snooping ignore router-alert-option
router-alert-option IGMP packets are not checked for the router alert option.
no IGMP packets are checked for the router alert option.
Example
Specifying the Maximum IGMP Group Number

The ip igmp snooping max-groups command defines the number of multicast groups which
can be registered for IGMP snooping.
Command Syntax
device-name(config)#ip igmp snooping max-groups <number>
device-name(config)#no ip igmp snooping max-groups
number Specifies the maximum number of IGMP groups, in the range <0–2000>.
2000
no Restores the number of maximum groups to the default value.
Page 23
Specifying the Maximum IGMP Report Number

The ip igmp snooping max-reports command specifies the maximum number of IGMP
reports.
Command Syntax
device-name(config)#ip igmp snooping max-reports <number>
device-name(config)#no ip igmp snooping max-reports
number Specifies the maximum number of IGMP reports in the range <0–2000>.
2000
no Restores the number of maximum reports to the default value.
Specifying the Multicast VLAN

The multicast vlan command specifies the VLAN ID on a specified port, with a static MAC
address, on which multicast data is received.
Command Syntax
device-name(config)#multicast vlan <vlan-id> static HH:HH:HH:HH:HH:HH interface
device-name(config)#no multicast vlan <vlan-id> static HH:HH:HH:HH:HH:HH
vlan-id Specifies the VLAN ID value, in the range <1–4094>.
static Specifies the static multicast MAC address.
HH:HH:HH:HH:HH:HH
hyphens to indicate sub-ranges (e.g. 1/1/1–1/2/5, 1/2/7).
PORT-AG-LIST Specifies the link aggregation port list, of the form: ag01, ag02–
ag05, ag07. The valid range is <ag01–ag07>.
no Removes the previously configured static multicast entry.
Page 24
Displaying the IGMP Snooping VLAN Information

The show ip igmp snooping command displays the IGMP Snooping information on the
VLANs.
Command Syntax
device-name#show ip igmp snooping [vlan <vlan-id>]
vlan <vlan-id> (Optional) displays all IGMP Snooping information for a specified VLAN ID
value, in the range <1–4094>.
Example
device-name#show ip igmp snooping
vlan 1
=======
IGMP snooping is enabled on this VLAN.
IGMP Snooping Mode: Suppress Reports
IGMP Snooping Source-Tracking: Enabled
IGMP Snooping Immediate-leave: Disabled
Report Table
=============================================================
Group Address | Interface | Age | Type
-----------------+-----------+-----+-------------------------
224.2.2.2 | 1/1/2 | 208.0| REPORTv2
224.2.1.1 | 1/1/2 | 258.1| REPORTv2
-------------------------------------------------------------
Mrouter Interfaces Table

=============================================================
Interface | Source Address | Age | Type
-----------+-----------------+-----+-------------------------
1/1/1 | 1.1.1.1 | 82.4| MROUTER, DYNAMIC
-------------------------------------------------------------
Group Entries Table

=============================================================
Group Address | Ports
-----------------+-------------------------------------------
224.2.2.2 | 1/1/2 1/1/1
224.2.1.1 | 1/1/2 1/1/1
-------------------------------------------------------------
Page 25
Displaying Multicast Router Ports

The show ip igmp snooping mrouter command displays the multicast router ports.
Command Syntax
device-name#show ip igmp snooping mrouter [vlan <vlan-id>]
vlan <vlan-id> (Optional) displays all multicast router ports for a specified VLAN ID value,
in the range <1–4094>. If you do not specify this argument, the information
for all VLANs is displayed.
Example
Display static and dynamic multicast router ports for all VLANs:
device-name#show ip igmp snooping mrouter
=============================================================
Vlan | Interface | Source Address | Age | Type
------+-----------+-----------------+-----+------------------
1 | 1/1/1 | 1.1.1.1 | 254.1| MROUTER, DYNAMIC
-------------------------------------------------------------
Displaying IGMP Router Timers

The show ip igmp snooping router-timers command displays the multicast router timer to
synchronize IGMP Snooping.
Command Syntax
device-name#show ip igmp snooping router-timers
Example
Display the multicast router timers:
Last member query interval : 1.0 sec
Responses interval : 10.0 sec
Query interval : 125.0 sec
Robustness : 2 packets
Displaying All IGMP Snooping Entries

The show ip igmp snooping all command displays all IGMP Snooping entries form the
database.
Page 26
Command Syntax
device-name#show ip igmp snooping all [count]
count (Optional) counts all IGMP Snooping entries form the database.
Example 1
device-name#show ip igmp snooping all
Vlan 1
Ingress TABLE
Ing GrIp 224.2.2.2, Iface 1/1/2, Type 1, Timer 1448, PendQueue 0
Source Ip = 2.2.2.2
Ing GrIp 224.2.1.1, Iface 1/1/2, Type 1, Timer 1949, PendQueue 0
Source Ip = 2.2.2.2
Ingress count 2
Mrouter TABLE
Mrt IfIdx 1/1/1, SrcIp 1.1.1.1, Type 0, Timer 192,
Mrouter count 1
Egress TABLE
Egr GrIp 224.2.2.2, IfCount 2 - 1/1/2 1/1/1
Egr GrIp 224.2.1.1, IfCount 2 - 1/1/2 1/1/1
Egress count 2
Querier TABLE
Queries count 0
Vlan 10
Ingress TABLE
Ingress count 0
Mrouter TABLE
Mrouter count 0
Egress TABLE
Egress count 0
Querier TABLE
Queries count 0
Page 27
Example 2
device-name#show ip igmp snooping all count
Vlan 1
Ingress TABLE
Ingress count 0
Mrouter TABLE
Mrouter count 1
Egress TABLE
Egress count 2
Querier TABLE
Querier Interface 1/2/3, GrpIp 224.0.0.1, QueryInterval 125 Resp
onseInterval 10
Querier Interface 1/1/1, GrpIp 224.0.0.1, QueryInterval 300 Resp
onseInterval 25
Queries count 2
Displaying Information for All Ports

The show ip igmp snooping interfaces command displays IGMP Snooping information for
all ports.
Command Syntax
device-name#show ip igmp snooping interfaces
Example
device-name(config)#ip igmp snooping forbidden 1/1/1,1/1/2
=========================================
Interface | State | Forbidden |
------------+---------------+-----------+
1/1/1 | Operational | Yes |
1/1/2 | Operational | Yes |
1/2/1 | Operational | No |
…
ag01 | Operational | No |
…
-----------------------------------------
Page 28
Displaying IGMP Snooping Limits

The show ip igmp snooping limits command displays IGMP Snooping limits for a specified
port and VLAN.
Command Syntax
device-name#show ip igmp snooping limits [interface UU/SS/PP | vlan <vlan-id> |
vlan <vlan-id> interface UU/SS/PP]
interface UU/SS/PP (Optional) displays all IGMP Snooping limits for a specified port of the
multicast router.
vlan <vlan-id> (Optional) displays all IGMP Snooping limits for a specified VLAN ID
value, in the range <1–4094>.
Example
device-name#show ip igmp snooping limits
Number of max Reports for application : 2000
Number of max Reports for Default VSI : 30
Number of max Groups for application : 2000

Number of max Groups for Default VSI : 200
Displaying IGMP Snooping Current Limits

The show ip igmp snooping limits current command displays all IGMP Snooping current
limits for a specified port and VLAN.
Command Syntax
device-name#show ip igmp snooping limits current [vlan <vlan-id> | interface
UU/SS/PP | vlan <vlan-id> interface UU/SS/PP]
current Displays all IGMP Snooping reports and groups currently
present in IGMP database.
interface UU/SS/PP (Optional) refer to the Argument Description above.
vlan <vlan-id>
Page 29
Example
device-name#show ip igmp snooping limits current
Number of current Reports for application : 5
Number of current Reports for Default VSI : 5
Number of current Groups for application : 2

Number of current Groups for Default VSI : 2
Displaying IGMP Snooping Queriers by VLAN

The show ip igmp snooping querier command displays IGMP snooping queriers by VLAN..
Command Syntax
device-name#show ip igmp snooping querier [vlan <vlan-id>]
vlan <vlan-id> (Optional) displays all IGMP Snooping queriers sending for a
specified VLAN ID value, in the range <1–4094>.
Example
device-name#show ip igmp snooping querier
============================================================================
Vlan|Source Address|Multicast Grp |Type|Query Int|Rsp Time| Interface | Age
----+--------------+--------------+----+---------+--------+-----------+-----
1 | 200.1.1.1 | 224.0.0.1 | D | 125 | 10 | 1/2/8 | 88.5
1 | 200.1.1.1 | 224.0.0.1 | D | 125 | 10 | 1/2/7 | 88.5
Displaying IGMP Snooping Statistics

The show ip igmp statistics command displays the current settings of various IGMP statistics
counters.
Command Syntax
device-name#show ip igmp snooping statistics
Page 30
Example
device-name#show ip igmp snooping statistics
Total Queries Received : 8
Total Reports Received : 43
Total Leaves Received : 0
Current Groups : 2
Max Simultaneously Groups : 2
Clearing IGMP Snooping Statistics

The clear ip igmp snooping statistics command clears all counters (if no parameter is
configured) or the specified IGMP counter.
Command Syntax
device-name#clear ip igmp snooping statistics [max-groups | leaves | queries |
reports]
max-groups (Optional) clears the maximum simultaneous groups counter.
leaves (Optional) clears the Leave packets received counter.
queries (Optional) clears the query packets received counter.
reports (Optional) clears the report packets received counter.
Example
device-name#clear ip igmp snooping statistics
Debug the IGMP Snooping

The debug igmp snooping command debugs IGMP Snooping.
Command Syntax
device-name#debug igmp snooping {mvr | hw | database | timers | events | all}
device-name#no debug igmp snooping {mvr | hw | database | timers | events |
all}
Page 31
mvr Debugs IGMP Snooping MVR (Multicast VLAN Registration).
hw Debugs IGMP Snooping hardware calls.
database Debugs IGMP Snooping database.
timers Debugs IGMP Snooping timers.
events Debugs IGMP Snooping events.
all Debugs all IGMP Snooping.
no Stops the IGMP Snooping debug.
Debug IGMP Snooping Packets

The debug igmp snooping packet command debugs IGMP Snooping PDUs.
Command Syntax
device-name#debug igmp snooping packet {send | recv} [detail]
device-name#no debug igmp snooping packet {send | recv} [detail]
send Debugs all IGMP Snooping sent PDU.
recv Debugs all IGMP Snooping received PDU.
detail (Optional) debugs all IGMP Snooping PDU details.
no Stops the IGMP Snooping PDUs debug.
Displaying the Multicast Database

The show multicast table command displays the multicast database information.
Command Syntax
device-name#show multicast table {l2mac | l2g | l2sg | l3 | nbr | all}
l2mac Displays L2 MAC address entries.
l2g Displays multicast L2 group entries.
l2sg Displays multicast L2 source group table entries.
l3 Displays L3 entries.
nbr Displays neighbors.
Page 32
all Displays all entries.
Example
device-name#show multicast table all
Layer 2 Vlan, MAC Multicast Table
===============================================================================
Vlan| MAC | Interfaces
----+-------------------+------------------------------------------------------
1 | 01:00:5E:02:02:02 | 1/1/1
1 | 01:00:5E:03:04:01 | 1/1/1, 1/1/2
1 | 01:00:5E:02:01:01 | 1/1/1, 1/1/2
10 | 01:00:5E:01:01:01 |
===============================================================================
Layer 2 Ip Multicast Vlan,G,S Table

===============================================================================
Vlan| Group Ip | Source Ip |CPU| SPort |L3|TA|ExpTime|Ports
----+-----------------+-----------------+---+-------+--+--+-------+------------
--
1 | 224.2.2.2 | 1.1.1.1 | 0 | 1/1/1 |0 |0 | 209 |1/1/1
===============================================================================
Total Count 1
Layer 2 Ip Multicast *,G Table

===============================================================================
Vlan | Group Ip | Interfaces
------+-----------------+------------------------------------------------------
1 | 224.3.4.1 | 1/1/1, 1/1/2
1 | 224.2.1.1 | 1/1/1, 1/1/2
===============================================================================
Total Count 2
Layer 3 Ip Multicast S,G

===============================================================================
Group Ip | Source Ip | RP |SrcV|AgVl|B|N|R|DVlans
-----------------+-----------------+-----------------+----+----+-+-+-+---------
===============================================================================
Total Count 0
Multicast Routers Table

==============================================================================
Vlan | Interfaces
------+-----------------------------------------------------------------------
10 |
1 | 1/1/1
===============================================================================
Total Count 2
Page 33
Enabling/Disabling Debug of MFIB

The debug mfib command enables debugging information regarding the multicast database.
Command Syntax
device-name#debug mfib [l2mac | l2g | l2sg | l3 | unknown | igmp | timers |
events | hw]
device-name#no debug mfib [l2mac | l2g | l2sg | l3 | unknown | igmp | timers |
events | hw]
l2mac (Optional) debugs multicast MAC table.
l2g (Optional) debugs multicast L2 group table.
l2sg (Optional) debugs multicast L2 source group table.
l3 (Optional) debugs multicast L3 table.
unknown (Optional) debugs multicast unknown packets.
igmp (Optional) debugs multicast events from IGMP snooping.
timers (Optional) debugs multicast timers.
events (Optional) debugs multicast events.
hw (Optional) debugs multicast hardware.
no Disables debugging information regarding multicast database.
Page 34
The following figure shows an example of IGMP configuration. The multicast server is the source
of the multicast traffic. Switch 3 is configured as IGMP General Query sender. multicast receivers
(clients) are connected to Switch 1 and Switch 2.
Figure 6: IGMP Snooping Configuration Example
Configuring Switches 1, 2:
Enable IGMP Snooping:
Configuring Switch 3:
1. Enable IGMP Snooping:
2. Set port 1/2/8 as multicast-router (mrouter) port:

device-name(config)#ip igmp snooping vlan 1 mrouter interface 1/2/8
3. Set the maximum number of IGMP groups that the VLAN can join:
device-name(config)#ip igmp snooping vlan 1 max-groups 20
Page 35
4. Set the maximum number of IGMP reports that the VLAN can join:
device-name(config)#ip igmp snooping vlan 1 max-reports 30
5. Set a static multicast IP address on port 1/2/8:

device-name(config)#ip igmp snooping vlan 1 static 228.1.23.4 interface
1/2/8
6. Add static report on port 1/2/1:

device-name(config)#ip igmp snooping vlan 1 interface 1/2/1 static report
228.1.23.5
7. Enable transparent mode:

device-name(config)#ip igmp snooping vlan 1 transparent
8. Send every 30 seconds specific queries with response time set to 15 seconds:
device-name(config)#ip igmp snooping router-timers query 30.0
device-name(config)#ip igmp snooping router-timers responses 15.0
device-name(config)#ip igmp snooping router-timers robustness 4
9. Set the maximum number of IGMP groups:

device-name(config)#ip igmp snooping max-groups 30
10. Set the maximum number of IGMP reports:

device-name(config)#ip igmp snooping max-reports 50
11. Add port 1/2/8 to the multicast group:

device-name(config)#ip igmp snooping interface 1/2/8 max-reports 30
12. Disable router alert option check:

13. Set Query-sender on the client ports 1/2/1 and 1/2/2:

device-name(config)#ip igmp snooping send-query vlan 1 interface 1/2/1-
1/2/2 query-interval 10 response-time 15
Display the IGMP Snooping configuration and statistics for Switch3

1. Display the IGMP Snooping information:
device-name#show ip igmp snooping
vlan 1
=======
IGMP snooping is enabled on this VLAN.
IGMP Snooping Mode: Transparent
IGMP Snooping Source-Tracking: Enabled
IGMP Snooping Immediate-leave: Disabled
Report Table
=============================================================
Group Address | Interface | Age | Type
-----------------+-----------+-----+-------------------------
228.1.23.5 | 1/2/1 | 0.0 | REPORTv2, STATIC
Page 36
-------------------------------------------------------------
Mrouter Interfaces Table

=============================================================
Interface | Source Address | Age | Type
-----------+-----------------+-----+-------------------------
1/2/8 | 1.0.0.1 | 0.0 | MROUTER, STATIC
-------------------------------------------------------------
Group Entries Table

=============================================================
Group Address | Ports
-----------------+-------------------------------------------
228.1.23.5 | 1/2/1 1/2/8
228.1.23.4 | 1/2/8
-------------------------------------------------------------
2. Display the multicast router ports:

device-name#show ip igmp snooping mrouter
=============================================================
Vlan | Interface | Source Address | Age | Type
------+-----------+-----------------+-----+------------------
1 | 1/2/8 | 1.0.0.1 | 10 | MROUTER, STATIC
-------------------------------------------------------------
3. Display all IGMP Snooping entries form the database:

device-name#show ip igmp snooping all
Vlan 1
Ingress TABLE
Ing GrIp 228.1.23.5, Iface 1/2/1, Type 3, Timer 0,
PendQueue 0
Source Ip = 1.0.0.1
Ingress count 1
Mrouter TABLE
Mrt IfIdx 1/2/8, SrcIp 0.0.0.0, Type 1, Timer 0,
Mrouter count 1
Egress TABLE
Egr GrIp 228.1.23.5, IfCount 2 - 1/2/1 1/2/8
Egr GrIp 228.1.23.4, IfCount 1 - 1/2/8
Egress count 2
Querier TABLE
Querier Interface 1/2/2, GrpIp 224.0.0.1, QueryInterval 10
Respo
nseInterval 15
Respo
nseInterval 15
Queries count 2
device-name#show ip igmp snooping all count

Vlan 1
Ingress TABLE
Ingress count 1
Mrouter TABLE
Mrouter count 1
Egress TABLE
Egress count 2
Page 37
Querier TABLE
Respo
nseInterval 15
Respo
nseInterval 15
Queries count 2
4. Display IGMP Snooping information for all ports:

=========================================
Interface | State | Forbidden |
------------+---------------+-----------+
…
…
-----------------------------------------
5. Display IGMP Snooping limits:

device-name#show ip igmp snooping limits
Number of max Reports for application : 2000
Number of max Reports for Default VSI : 50
Number of max Groups for application : 2000

Number of max Groups for Default VSI : 30
6. Display all IGMP Snooping query sending:

device-name#show ip igmp snooping querier
===============================================================================
Vlan| Source Address | Multicast Grp | Query Int | Rsp Time | Interface | Age
----+----------------+----------------+-----------+----------+-----------+-----
1 | 1.0.0.1 | 224.0.0.1 | 10 | 15 | 1/2/2 | 5.2
1 | 1.0.0.1 | 224.0.0.1 | 10 | 15 | 1/2/1 | 5.3
-------------------------------------------------------------------------------
7. Display the multicast router timer to synchronize IGMP Snooping:

Last member query interval : 1.0 sec
Responses interval : 15.0 sec
Query interval : 30.0 sec
Robustness : 4 packets
Page 38
Supported Platforms
IGMP Snooping + +

IGMP Snooping No standards are No MIBs are RFC 1112, Host

supported by this supported by this Extensions for IP
feature. feature. Multicasting
RFC 2236, Internet Group
Management Protocol,
Version 2
draft-ietf-magma-snoop-
11.txt
Page 39
Configuring Simple Network Management
Protocol (SNMP)
Table of Figures ······················································································ 3
Overview ······························································································· 4
SNMP Entity······················································································ 4
SNMP Agent ······················································································ 5
Structure of Management Information (SMI)·················································· 5
SNMP Manager ··················································································· 5
Management Information Base (MIB)·························································· 5
SNMP Engine ID················································································· 5
SNMP View Records············································································· 6
SNMP Notifications·············································································· 6
The Discovery Mechanism ······································································ 8
Versions of SNMP ··············································································10
SNMP Default Configuration·····································································12
SNMP Configuration Flow········································································13
SNMP Configuration Commands ·······························································14

Configuring the Agent Engine ID ·····························································16
Enabling the SNMP Server ·····································································17
Defining SNMPv3 Views ·······································································17
Defining SNMP Groups ········································································19
Defining an SNMP User ········································································21
Assigning an Access List to a User·····························································22
Defining SNMP Notification···································································23
Configuring the SNMP Notification Log ·····················································32
Configuring SNMP Logging of Sent Notifications ···········································33
Clearing the SNMP Notification Log··························································34
Defining the Notification Target Parameter ··················································34
Defining the Notification Target Address·····················································35
Enabling the Sending of snmpSetExecuted Notifications ···································36
Page 1
Configuring Simple Network Management Protocol (SNMP) (Rev. 08)
Enabling the Sending of authenticationFailure Notifications ·······························36

Defining a Notification Target Profile·························································37
Defining the Retry Inform Operation Value··················································37
Defining the Timeout Inform Operation Value ··············································38
Defining the System Contact String····························································39
Defining the System Name ·····································································39
Defining the System Location ··································································40
Displaying the Status of the SNMP Server ····················································40
Displaying the Engine ID·······································································41
Displaying the SNMP Groups··································································41
Displaying the SNMP Users ····································································42
Displaying All Configured Views ······························································42
Displaying the Notification Target Parameters ···············································43
Displaying the Notification Target Profiles ···················································44
Displaying the SNMPv3 Notification Type ···················································44
Displaying the Notification Log································································45
Displaying the Notification Target Address···················································45
Displaying the Pending Informs ·······························································46
Using SNMPv1 ··················································································48
SNMP Notification for Users ··································································48
Group Definition ················································································49
Defining Users and Assigning Users to Groups ··············································50
Using SNMPv3 ··················································································51
Configuring a Target Address to Receive Informs and Traps ·······························52
Configuring Notification Logs ·································································53
Page 2
Table of Figures
Figure 1: SNMP Agent and Manager Communications······································· 4
Figure 2: Trap Sent to SNMP Manager Successfully ·········································· 6
Figure 3: Inform Request Sent to SNMP Manager Successfully ····························· 7
Figure 4: Trap Unsuccessfully Sent to SNMP Manager ······································· 7
Figure 5: Inform Request Successfully Resent to SNMP Manager··························· 8
Figure 6: Obtaining the snmpEngineID························································ 9
Figure 7: Obtaining the snmpEngineBoots and snmpEngineTime·························· 9
Page 3
Overview
The Simple Network Management Protocol (SNMP) is an application layer protocol that facilitates
the exchange of management information between network devices.
An SNMP-managed network consists of three key components:
• managed device—is a network node that contains an SNMP Agent and resides on a managed
network
• agent—is a network-management software module that resides in a managed device. An agent
has local knowledge of management information and translates that information into a form
compatible with SNMP
• network-management system—executes applications that monitor and control managed
devices.
SNMP enables network administrators to manage network performance, find and solve network
problems and extend the network.
The SNMP system consists of SNMP Manager, SNMP Agent and Management Information Base
(MIB). SNMP provides a message format for communication between SNMP Managers and
Agents.
Figure 1 displays the communication between an SNMP Agent and Manager.
Figure 1: SNMP Agent and Manager Communications
SNMP Entity
An SNMP Entity is an implementation of the SNMP architecture. Each entity consists of an
SNMP Engine and one or more associated applications. An SNMP Engine provides services for
sending and receiving messages, authenticating and encrypting messages, and controlling access to
managed objects. The SNMP Engine is identified by the SNMP Engine ID. The applications use
the services of an SNMP Engine to accomplish specific tasks. They coordinate the processing of
management information operations, and may use SNMP messages to communicate with other
SNMP Entities.
Page 4
SNMP Agent
An Agent is a network-management software module that resides in a managed device and is
responsible for maintaining local management information and delivering that information to a
Manager via SNMP. A management information exchange can be initiated by the Manager or by
the Agent. The SNMP Agent contains MIB variables and these values can be requested or
changed by the SNMP Manager. The Agent and MIB reside on the device. The Agent gathers data
from the MIB and responds to a Manager’s request to get or set data.
Structure of Management Information (SMI)

Management information is a collection of managed objects, residing in a virtual information store,
termed the Management Information Base (MIB). Collections of related objects are defined in MIB
modules. Each type of object has a name, syntax, and an encoding. The name is represented
uniquely as an Object Identifier (OID). An OID is an administratively assigned name for
identifying one object, regardless of the semantics associated with the object. The encoding of an
object type is the way the instances of that object type are represented using the object’s type
syntax. The names are used to identify managed objects.
SNMP Manager
An SNMP Manager is a software module in a management network responsible for managing part
or the entire configuration on behalf of network management applications and users.
The SNMP Manager sends requests to the SNMP Agent to get and set MIB values.
Communication among protocol entities is accomplished by the exchange of messages; each of
them is entirely and independently represented within a single UDP datagram. A message consists
of a version identifier, an SNMP community name, and a protocol data unit (PDU). PDUs are the
packets that are exchanged in the SNMP communication.
Management Information Base (MIB)

A Management Information Base (MIB) consists of a collection of objects organized into groups.
Objects have values that represent managed resources. All managed objects in the SNMP
environment are arranged in a hierarchical or tree structure. A MIB is the repository for
information about device’s parameters and network data.
SNMP Engine ID
The SNMP Engine ID is a 5 to 32 bytes long, administratively unique identifier of a participant in
SNMP communication within a single management domain. The SNMP Manager and SNMP
Agent must be configured by an administrator to have unique SNMP Engine IDs.
Page 5
SNMP View Records

With the community-based authentication defined in SNMPv1, an authorized user is granted access
to the whole MIB tree for reading or for reading/writing. With SNMPv1, it is not possible to allow
diverse authorized users access to different portions of the MIB database.
This deficiency is overcome in SNMPv3 with the introduction of views. A view is a set of rules that
define what portion of the MIB database can be visible to a specific user. The rules are defined by
the OID of a node in the MIB tree, and the type of rule: included or excluded. The OID
defines a view family—a set of object identifiers that have a common prefix. A single rule (included
or excluded) in the view is applied to view family, not only to a single OID.
SNMP Notifications
The SNMP notification messages allow devices to send asynchronous messages to the SNMP
Managers. Devices can send notifications to SNMP Managers when particular events occur. For
example, an Agent might send a message to a Manager when the Agent experiences an error
condition.
NOTE
All traps, except the ones sent with SNMPv1, have a request ID as part of the PDU.
SNMP notifications can be sent as traps or Inform requests. Traps are unreliable because the
receiver does not send any acknowledgment when it receives a trap. However, an SNMP Manager
that receives an Inform request acknowledges the message with an SNMP response PDU. If the
Manager does not receive an Inform request, it does not send a response. If the sender does not
receive a response after a particular time interval, the Inform request can be sent again.
Because they are more reliable, Informs consume more resources in the device and in the network.
Unlike a trap, which is discarded as soon as it is sent, an Inform request must be held in memory
until a response is received or the request times out. Also, traps are sent only once, while an Inform
may be retried several times. The retries increase traffic and contribute to a higher overhead on the
network. Thus, traps and Inform requests provide a trade-off between reliability and resources. If it
is important that the SNMP Manager receives every notification, use Inform requests. On the other
hand, if you are concerned about traffic on your network or memory in the device and you do not
need to receive every notification, use traps.
Figure 2 through Figure 5 illustrate the differences between traps and Inform requests.
In Figure 2, the Agent successfully sends a trap to the SNMP Manager. Although the Manager
receives the trap, it does not send any acknowledgment to the Agent. The Agent has no way of
knowing whether the trap reached its destination.
Figure 2: Trap Sent to SNMP Manager Successfully
Page 6
In Figure 3, the Agent successfully sends an Inform request to the Manager. When the Manager
receives the Inform request, it sends a response back to the Agent. Thus, the Agent knows that the
Inform request successfully reached its destination. In this example, twice traffic is generated as in
Figure 2; however, the Agent is sure that the Manager received the notification.
Figure 3: Inform Request Sent to SNMP Manager Successfully
In Figure 4, the Agent sends a trap to the Manager, but the trap does not reach the Manager. Since
the Agent has no way of knowing whether the trap reached its destination, the trap is not sent
again. The Manager never receives the trap.
Figure 4: Trap Unsuccessfully Sent to SNMP Manager
In Figure 5, the Agent sends an Inform request to the Manager, but the Inform request does not
reach the Manager. Since the Manager did not receive the Inform request, it does not send a
response. After a period of time, the Agent resends the Inform request. This time, the Manager
receives the Inform request and replies with a response. In this example, there is more traffic than
in Figure 4; however, the notification reaches the SNMP Manager.
Page 7
Figure 5: Inform Request Successfully Resent to SNMP Manager
The Discovery Mechanism

To protect the user network against message reply, delay and redirection, one of the SNMP engines
involved in each communication is designated to be the authoritative SNMP engine. When an
SNMP message contains a payload that expects a response, the receiver of such a message is
authoritative. When Inform PDUs are sent, the notification receiver is an authoritative
snmpEngineID (the Manager). This implies that the PDUs that are involved in an
authenticated/encrypted session between the Agent and the Manager are encoded with keys that
are localized with the Manager’s snmpEngineID and not with the local application software Agent’s
snmpEngineID.
To match the described requirements, you need an additional configuration of users, on whose
behalf Inform PDUs can be sent. User keys are required to be localized with the snmpEngineID of
the Manager (the authoritative side). The keys of these users are localized for the remote side and
the Agent cannot process configuration of SNMP requests on their behalf. GET, GET-NEXT,
GET-BULK, SET requests from users with a snmpEngineID that is different from the Agent
snmpEngineID cannot be processed. The application software defines as remote those users
created with a snmpEngineID different from the Agent’s snmpEngineID. Remote users can
participate just by sending Inform PDUs.
To create a remote user, specify the snmpEngineID of the notification recipient, where this user is
correctly defined. The proper calculation of authentication/encryption keys requires a valid remote
user.
To send the Inform PDU to the authoritative side, the Agent needs information for the
snmpEngineID of the target-address of the recipient.
To reduce a configuration complexity, the application software Agent implements an auto
discovery procedure for obtaining the snmpEngineIDs of different Inform recipients.
Page 8
When an event occurs, for example LinkUp, the Agent sends an Inform PDU to all valid targets for
this Inform. The very first Inform PDU actually is not valid as the Agent still does not know the
parameters of the Receiver Engine ID—snmpEngineId, snmpEngineBoots and snmpEngineTime.
In Figure 6, the Manager reports the PDU with its Engine ID to the Agent.
Figure 6: Obtaining the snmpEngineID
The Agent sends an Inform PDU with a valid Engine ID (the Engine ID that is received as shown
in Figure 6), but with incorrect snmpEngineBoots and snmpEngineTime. These parameters are still
unknown to the Agent. The discovery process ends when no authentication/encryption exists for
the target address. If authentication/encryption exists, the packet is with the corresponding
authentication / encryption—MD5, SHA or DES.
In Figure 7, the Manager returns an authenticated REPORT PDU (notInTimeWindow) that
consists of valid snmpEngineBoots and snmpEngineTime parameters.
Figure 7: Obtaining the snmpEngineBoots and snmpEngineTime
Finally, when the discovery process is completed, the Agent and the Manager are synchronized and
following packets do not discover the Engine ID of the Manager.
Page 9
Versions of SNMP
The application software supports the following versions of SNMP:
Table 1: SNMP Versions
SNMPv1 SNMPv1 is version 1 of the Simple Network Management Protocol. It

enables the user to get and set MIB objects, traverse the MIB tree using
the getNext operation and enable the management device to receive
asynchronous messages from the Agent using the trap mechanism.
SNMPv1 bases its security on community strings.
SNMPv2c SNMPv2c is the community-string based Administrative Framework for
SNMPv2 (the C stands for community). SNMPv2c includes the following
improvements over SNMPv1:
• Improved performance for getting data using getBulk. The bulk
retrieval mechanism supports the retrieval of tables and large
quantities of information in one PDU, thus minimizing the number of
round-trips required.
• Improved error handling. SNMPv2 adds many error codes to the
five originally defined in SNMPv1. Management devices are
provided with more detailed information about the cause of the
error. Also, three kinds of exceptions are reported with SNMPv2c:
no such object exceptions, no such instance exceptions, and
end of MIB view exceptions.
• Extended asynchronous reporting. SNMPv2 allows the Agent to
send SNMP notifications by inform request, as well as by trap
messages that are available in SNMPv1. Whereas traps do not
provide the Agent with an indication that the message is received,
the inform request requires the Manager to confirm reception and
is therefore more reliable. As for the trap message, its format is
changed to match the PDU format of a regular get/set PDU, in order
to simplify the protocol. The SNMPv2 protocol requires adding more
details to every trap in order to supply the Manager with more
information.
Generally, MIBs written for Agents that use SNMPv2c or higher versions
use SMIv2 instead of version 1 of the SMI. This version adds some new
variables types.
Both SNMPv1 and SNMPv2c use a community-based form of security.
Page 10
SNMPv3 SNMPv3 is version 3 of the Simple Network Management Protocol. It is

an interoperable standards-based protocol. It provides secure
communication using the USM (User-based Security Model) and access
control using the VACM (View-based Access Control).
The USM model provides an answer to the following threats:
• Replay, interception and retransmission of messages—prevented
by using time-stamp.
• Masquerading—prevented by authenticating the message sender.
• Integrity, interception, changing data, and retransmission of
messages—prevented by authenticating the message sender and
encryption of the message data.
• Disclosure—prevented by encryption of the message data.
The SNMPv3 USM allows three levels of security (see Table 2):
• No Authentication and No Privacy (noAuthNoPriv)
• Authentication and No Privacy (AuthNoPriv)
• Authentication and Privacy (authPriv)
Table 2: Security Levels Available in the SNMPv3 Security Models

Level Authentication Encryption Explanation
noAuthNoPriv Username No All PDUs are sent unencrypted and

not authenticated in the network.
authNoPriv HMAC-MD5 or No The PDUs are authenticated with
HMAC-SHA HMAC (keyed-Hashing for Message
Authentication Codes). They cannot
be altered by an attacker, but can be
read.
authPriv HMAC-MD5 or Cipher Block The PDUs are authenticated and
HMAC-SHA Chaining—Data encrypted (with CBC-DES Symmetric
Encryption Encryption Protocol).
Standard
(CBC-DES)
You must configure the SNMP Agent to use the version of SNMP supported by the management
device. An Agent can communicate with multiple users. For this reason, you can configure the
application software to support communications with many users: some users can use the SNMPv1
protocol, some can use the SNMPv2c protocol, and the rest can use SMNPv3.
NOTE
You can participate in different groups, with a different security model in each
group. You cannot participate in more than one group with the same security model.
Page 11
SNMP Default Configuration

Table 3: SNMP Default Configuration
SNMP Engine ID 00 00 02 DB 03 [MAC ADDR] 00 00.

SNMP contact Empty (null).
System name The default value is the device’s model
name
Location Empty (null)
SNMP Agent Disabled
UDP port 161
SNMP user Not configured
Retry inform operation 3 times
Inform operation timeout 30 seconds
SNMP notification log Disabled
Page 12
SNMP Configuration Flow

To activate the SNMP Agent and make a communication inside the
SNMP entity (from the Manager to the Agent), follow the steps:
1. Change the SNMP engine ID if the scheme for the engine ID used in the network requires it
(see Configuring the Agent Engine ID)
2. Enable the SNMP Agent (see Enabling the SNMP Server).
3. Create views (see Defining SNMPv3 Views
4. Create groups (see Defining SNMP Groups)
5. Create the users (see Defining an SNMP User)
6. If you need to limit the managed communication for users according to access list criteria (see
Assigning an Access List to a User)
7. Display SNMP (see SNMP Display Commands)
To send notifications to the management device, follow the steps:

1. Enable the SNMP Agent (if it is disabled) (see Enabling the SNMP Server)
2. Create views, groups and users that include the notification variables with notify access right
(see Defining SNMPv3 Views)
3. Create a tag that includes all required notifications (see Defining SNMP Notification).
4. Create a target parameter that links a parameter name to the user (see Defining the Notification
Target Parameter)
5. Create a target address that links the parameter to a specific IP address (see Defining the
Notification Target Address)
6. Display SNMP (see SNMP Display Commands)
Page 13
SNMP Configuration Commands

Table 4: SNMPv3 Agent Configuration Commands
Command Description
snmp-server engineID Configures a new value for the Agent’s SNMP Engine ID
(see Configuring the Agent Engine ID)
snmp-server enable Enables the SNMP Server (see Enabling the SNMP
Server)
snmp-server view Defines the subset of all MIB objects accessible to the
given view (see Defining SNMPv3 Views)
snmp-server group Creates an SNMP group with a specified security model
(v1, v2c or v3) and defines the access-right for this
group by associating views to this group (see Defining
SNMP Groups)
snmp-server user Creates an SNMP local or remote user and associates it
to a group (see Defining an SNMP User)
snmp-server access-list Assigns an access list to the specified user (see
Assigning an Access List to a User)
Table 5: Agent Notification Configuration Commands

Command Description
snmp-server notify Defines a notification and specifies the type (trap/inform)

(see Defining SNMP Notification)
snmp-server log-notify Enables the SNMP notification log (see Configuring the
SNMP Notification Log)
snmp-server log-sent-notify Enables the logging only for notifications that are sent to
management devices (see Configuring SNMP Logging
of Sent Notifications)
clear snmp-server log-notify Clears the SNMP notification log (see Clearing the
SNMP Notification Log)
snmp-server target-param Defines the notification target parameter (see Defining
the Notification Target Parameter)
snmp-server target-addr Defines the notification target address (see Defining the
Notification Target Address)
snmp-server set-execute-trap Enables the sending of snmpSetExecuted notifications
(see Sending snmpSetExecuted Notifications)
snmp-server authentication- Enables the sending of authenticationFailure
failure-trap notifications (see Sending authenticationFailure
Notifications)
snmp-server target-profile Includes or excludes a branch of the MIB tree in a
notification profile (see Defining a Notification Target
Profile).
Page 14
Command Description
snmp-server inform retry Sets an option related to resending unacknowledged

Inform requests and specifies the number of retries for
resending Inform PDUs (see Defining the Retry Inform
Operation Value)
snmp-server inform timeout Sets the time to wait for an acknowledgement before
resending an unacknowledged Inform PDU (see
Defining the Timeout Inform Operation Value)
Table 6: SNMP MIB-II System Group Elements Configuration Commands

Command Description
snmp-server contact Sets the MIB-II system contact string (see Defining the
System Contact String)
snmp-server system-name Sets the MIB-II system name (see Defining the System
Name)
snmp-server location Sets the MIB-II system location string (see Defining the
System Location)
Table 7: SNMPv3 Agent Display Commands

Command Description
show snmp-server Displays the status of the SNMP server—enabled or

disabled, and the UDP port on which the SNMP server
is enabled (see Displaying the Status of the SNMP
Server)
show snmp-server engineID Displays the current SNMP Agent engine ID and all
remote Engine IDs that are known to the Agent (see
Displaying the Engine ID)
show snmp-server group Displays all configured groups for the SNMP Agent (see
Displaying the SNMP Groups)
show snmp-server user Displays the users and their associated engine ID (see
Displaying the SNMP Users)
show snmp-server view Displays all configured views for the SNMP Agent (see
Displaying All Configured Views)
show snmp-server target-param Displays the target parameters (see Displaying the
Notification Target Parameters)
show snmp-server target- Displays the notification target profiles (see Displaying
profiles the Notification Target Profiles)
show snmp-server notify Displays information for the notify type (Inform or trap)
(see Displaying the SNMPv3 Notification Type)
show snmp-server log-notify Displays the NVRAM notification log of the SNMP
server. (see Displaying the Notification Log).
show snmp-server target-addr Displays the notification target address (see Displaying
the Notification Target Address)
show snmp-server informs Displays information about the pending informs (see
Displaying the Pending Informs)
Page 15
Command Description
show snmp-server access-list Displays the access list assigned to a user (see
Displaying the Access List Applied to a User)
Configuring the Agent Engine ID

The snmp-server engineID command configures a new value for the Agent’s SNMP Engine ID.
NOTE
• Configure the Engine ID before adding any users.
• Do not perform changes for the Engine ID once users are configured.
• If you use third part MIB SNMP Managers, check the Engine ID configuration.
• You cannot create two SNMP entities in the management domain with the same
Engine ID.
Mode: Global Configuration

By default, the Engine ID is 00 00 02 DB 03 [MAC-ADDR] 00 00, where [MAC-ADDR]
represents the device’s MAC address.
Command Syntax
device-name(config)#snmp-server engineID ENGINE-ID
device-name(config)#no snmp-server engineID
ENGINE-ID Specifies a string of 10 to 64 characters (represented internally by 5 to 32 bytes)
This ID represents the Agent’s Engine ID as a hexadecimal number. Use an
even number of characters in the valid range <0–9> and <a–f> (case-
insensitive).
Type an even number of hexadecimal digits. Otherwise, as a result an extra zero
is inserted before the last digit. For example, if you type the string 11223344556
(an odd number of characters), the Agent’s parser interprets it as
0x112233445506.
The changing of the Engine ID while there are users that use SNMPv3
authentication or use privacy and authentication, invalidates the keys and
requires recalculation.
no Returns the ID to its default value.
Example
Set the local engineID to be 1234567890ABCD:
device-name(config)#snmp-server engineID 1234567890ABCD
Page 16
Enabling the SNMP Server

The snmp-server enable command enables the SNMP server.
By default, the SNMP server is disabled and the SNMP UDP port is 161.
NOTE
If the SNMP server is disabled, it can still be configured from the CLI, but it cannot
respond to SNMP PDUs and cannot send traps.
Command Syntax
device-name(config)#snmp-server enable [<udp-port>]
device-name(config)#no snmp-server enable
udp-port (Optional) specifies the number of the UDP port on which the SNMP server
listens for messages. The valid range is <1–65535>.
If you do not specify the UDP port, the SNMP server listens for incoming
messages on its default UDP port—161.
If you specify the UDP port number, the Agent listens for incoming SNMP
messages on this port.
no Disables the SNMP server.
Example
Enable the SNMP server on port 1021:
device-name(config)#snmp-server enable 1021
Defining SNMPv3 Views

The snmp-server view command defines the subset of all MIB objects accessible to the given
view. This command includes or excludes a branch of the MIB tree in a view.
The MIB definition represents a tree architecture where each node in the tree is identified by a
number. To identify a branch in the tree, the usual convention is to use a series of numbers
separated by dots, where each number represents a node in the tree (OID-TREE).
Command Syntax
device-name(config)#snmp-server view VIEWNAME OID-TREE {included | excluded}
[MASK]
device-name(config)#no snmp-server view VIEWNAME [OID-TREE]
Page 17
VIEWNAME Specifies the name of the view. It is limited to 32 characters.
OID-TREE Specifies the starting point inside the MIB tree given in dot-notation.
If the view definition exists, the defined subtree is added to the list of view families.
If the Object ID (OID) already exists, it is replaced by the new data (type of rule
and mask).
This parameter is optional for the no form of the command.
included Specifies that Object ID is included in the view.
excluded Specifies that Object ID is excluded from the view.
MASK (Optional) specifies the bit-mask defining OID wildcard. The mask is typed as a
hexadecimal value, and is interpreted as a binary value.
A binary 1 in the mask states that the Object ID at the corresponding position has
to match, a binary 0 states that the Object ID at the corresponding position is
irrelevant—no match is required.
no Removes the defined view.
Example 1
Create the view MyView and add two rules to it.
1. The first rule enables access to all Object IDs under the MIB-2 tree (all object identifiers that
start with 1.3.6.1.2.1).
2. The second rule disables access to the sysUpTime Object ID.
Grant or denial of access is determined by the most specific rule that matches the object ID. After
the Agent decides whether to grant access to the Object ID 1.3.6.1.2.1.1.3 both typed rules of
MyView match the object. The second rule has a longer match to the view family and the result is
that access is denied (by the excluded keyword).
device-name(config)#snmp-server view MyView 1.3.6.1.2.1 included
device-name(config)#snmp-server view MyView 1.3.6.1.2.1.1.3 excluded
Example 2
Grant access to all conceptual rows in ipCidrRouteTable that have next-hop 192.168.5.1. The
destination, mask and the TOS typed in the OID have no match (the bits of the mask are 0 at these
OIDs).
If an Object ID does not match any rule in a view, its access is denied.
device-name(config)#snmp-server view v1
1.3.6.1.2.1.4.24.4.1.1.0.0.0.0.0.0.0.0.0.192.168.5.1 included FFC01E
Page 18
Example 3
Remove the specified view data. If the Object ID is not supplied, all the data of the view
VIEWNAME is removed:
device-name(config)#no snmp-server view VIEWNAME
Example 4
Remove the rule for the sysUpTime (1.3.6.1.2.1.1.3) view family (all other data of MyView is
preserved):
device-name(config)#no snmp-server view MyView 1.3.6.1.2.1.1.3
Example 5
Remove all data for the view with name MyView:
device-name(config)#no snmp-server view MyView
Defining SNMP Groups

The snmp-server group command creates an SNMP group with a specified security model (v1,
v2c or v3) and defines the access-right for this group by associating views to this group.
Command Syntax
device-name(config)#snmp-server group NAME {v1 | v2c} read READ-VIEW write
WRITE-VIEW notify NOTIFY-VIEW
device-name(config)#no snmp-server group NAME [v1 | v2c]
device-name(config)#snmp-server group NAME v3 {auth | noauth | priv} read

READ-VIEW write WRITE-VIEW notify NOTIFY-VIEW
device-name(config)#no snmp-server group NAME [v3 {auth | noauth | priv}]
NAME Configures a new SNMP group on the device. The name of the group is
limited to 32 characters.
v1 Specifies version 1 of the SNMP protocol.
v2c Specifies version 2 of the SNMP protocol.
v3 Specifies version 3 of the SNMP protocol. This requires you to select an
authentication level—noAuth, Auth or AuthPriv.
In SNMPv3, you can participate in more than one group provided and
each group has a different security model.
auth Enables the Message Digest 5 (HMAC-MD5) or the Secure Hash
Algorithm (HMAC-SHA) packet authentication.
noauth Enables the security level that implies no authentication and no encryption
of the PDUs. This is the default if no keyword is specified.
Page 19
priv Enables Data Encryption Standard (DES) packet encryption. In this case
authentication is mandatory and is based on HMAC-MD5 or HMAC-SHA
and CBC-DES encryption.
read READ- Specifies a string (not to exceed 32 characters) that is the name of the
VIEW view in which you can only view the contents of the Agent’s MIB.
write WRITE- Specifies a string (not to exceed 32 characters) that is the name of the
VIEW view in which you can type data and configure the contents of the Agent’s
MIB.
notify Specifies a string (not to exceed 32 characters) that is the name of the
NOTIFY-VIEW view, and specify what portion of the MIB database is accessible for
notifications.
no Removes the SNMP group data.
If you specify only the group name, all groups with that name are removed,
regardless of their security model and security level. If you specify the
security model and security level (if the model is v3), only the group
matching all conditions is removed.
Example 1
Create an SNMP v3 group named GR1 with security level Authenticated:
device-name(config)#snmp-server group GR1 v3 auth read v3_read write v3_write
notify v3_read
Example 2
Remove the group named MyGroup:
device-name(config)#no snmp-server group MyGroup
Example 3
Remove only the group that is named MyGroup2 with security model v3 and security level AuthPriv:
device-name(config)#no snmp-server group MyGroup2 v3 priv
Page 20
Defining an SNMP User

The snmp-server user command creates an SNMP local or remote user and associates it to a
group.
NOTE
The generation of the key is considerably slow. During this generation, the CLI
stops responding for several seconds (depending on the device model).
Users with security level AuthNoPriv and AuthPriv are stored in NVRAM when the write
command is executed. The configured users are not seen in the configuration file.
Command Syntax
device-name(config)#snmp-server user USER-NAME group GROUP-NAME {v1 | v2c |
v3}
device-name(config)#snmp-server user USER-NAME group GROUP-NAME v3 [priv
ENCRYPTION_PASSWORD] [auth {md5 | sha} AUTHENTICATION_PASSWORD] [remote
ENGINE-ID]
device-name(config)#no snmp-server user USER-NAME [group GROUP-NAME {v1 | v2c

| v3}]
device-name(config)#no snmp-server user USER-NAME group GROUP-NAME v3 [remote
ENGINE-ID]
USER-NAME Specifies the name of the user on the host that connects to the
Agent. The user name is limited to 32 characters.
GROUP-NAME Specifies the name of the group to which the user is associated.
v1, v2c, v3 Specifies the SNMP version number (v1, v2c, or v3).
If the security model is v3, type the security level for the user.
For v3 users, if no security level is specified, noAuthNoPriv
security level is assumed.
priv (Optional) specifies that the PDUs sent to or received by this
ENCRYPTION_PASSWORD user should be encrypted, with the key generated from the
encryption password.
auth (Optional) specifies the authentication level setting session.
Specifying this argument requires either md5 or sha to be
specified, as well as a password string.
md5 Specifies theHMAC-MD5 authentication.
sha Specifies the HMAC-SHA authentication.
AUTHENTICATION_PASSWORD Specifies the authentication password string. Do not exceed 32
characters for the password.
remote ENGINE-ID (Optional) creates a remote user by its engine ID.
Page 21
no Removes the defined user and the user from its associated
group.
Example 1
Create a user named TOM that uses SNMP v1:
device-name(config)#snmp-server user TOM group g_all_v1 v1
Example 2
Create a user named TOM that uses SNMP v3 with authentication and privacy. The privacy
password is privPass and the authentication password is authPass:
device-name(config)#snmp-server user TOM group g_all_v3 v3 priv privPass auth
md5 authPass
Example 3
Remove a defined v3 user named IVAN from an associated group ACC:
device-name(config)#no snmp-server user IVAN group ACC v3
Assigning an Access List to a User

The snmp-server access-list command assigns an access list to the specified user.
The access list can permit or deny access to a user according to the access list rules. The rules
contain a permit or deny action and a source IP address. To define the named access list use the
snmp-server access-list and access-list commands. The defined access lists can be viewed
by the show access-lists and/or show snmp-server access-list commands.
For more information regarding ACL commands, refer to the Device Setup and Maintenance chapter of
this User Guide.
NOTE
SNMPv3 time synchronization may double the authenticationFailure notifications.
This can happen when applying user access lists on SNMPv3 users. In this case, the
SNMP requests contain engineBoots or engineTime equaled to zero (0) as time
synchronization. The request cannot take place because of the access list. Therefore,
if notInTimeWindow occurs, it generates an additional authenticationFailure
notification.
Command Syntax
device-name(config)#snmp-server access-list USER-NAME ACL-NAME
device-name(config)#no snmp-server access-list USER-NAME
Page 22
USER-NAME Specifies the user name.
ACL-NAME Specifies the existing access list name.
no Removes the access list assigned to the specified user.
Examples:
• Create and assign an access list to a user named IVAN.
device-name(config)#access-list MyLyst permit 220.132.0.0/16
device-name(config)#snmp-server access-list IVAN MyLyst
• Remove the upper access list from user IVAN:

device-name(config)#no snmp-server access-list IVAN
Defining SNMP Notification

The snmp-server notify command defines the notification and specifies the type (trap/inform).
NOTE
The notification name is the same as specified in the MIB (case-sensitive). You can
add a notification with only one tag name.
Command Syntax
device-name(config)#snmp-server notify NAME TAG-NAME [inform]
device-name(config)#snmp-server notify all TAG-NAME [inform]
device-name(config)#no snmp-server notify NAME
NAME Specifies the notification name, a reserved literal string. The available names are
available in Table 8.
all Enables all notifications. If you specify this parameter, all the available notifications
under the specified tag name are included.
TAG-NAME Specifies the notification tag name.
inform (Optional) creates the notification as Inform. If you omit this parameter, the
notification is created as trap.
no Disables the specified notification.
Example
device-name(config)#snmp-server notify linkUp tag1
Page 23
Table 8: Notification Argument Values

Argument Value Description
authenticationFailure This notification indicates that the SNMP entity,

acting as an Agent, has received a protocol
message that is not properly authenticated. The
authentication method depends on the version of
SNMP that is used. For SNMPv1 or SNMPv2c,
authentication failure occurs for packets with an
incorrect community string. For SNMPv3,
authentication failure occurs for packets with an
incorrect SHA/MD5 authentication key or for a
packet that is outside of the authoritative SNMP
engine’s time window.
The generation of authentication failure notification
is also controlled by the snmp-server
authentication-failure-trap command.
cliConfigurationChanged This notification informs you if a change of
configuration is performed through the CLI (telnet,
SSH session) and logged in NVRAM. This
notification does not contain any variable bindings
because the application software does not have
SNMP support for configuration history. The
cliconfigurationChanged notification is generated
whenever the user exits the Global Configuration
mode.
This notification is generated when:
• Configuration-history recording is enabled (use
the record configuration-history
nvram command)
• A configuration-history session is added to the
configuration history
coldStart This notification indicates that the SNMP entity,
acting as an Agent, is reinitializing itself and that its
configuration may be altered.
configurationLoadFailed This notification indicates that the download or
upload of the configuration file failed.
For more information, refer to the Device
Administration chapter of this User Guide.
cpuTemperatureExceeded This notification indicates that the sending Agent
senses that the internal temperature has exceeded
the program threshold.
cpuUtilizationExceeded This notification indicates that the sending Agent
sensed that the CPU utilization has passed the
programmed threshold.
For more information, refer to the Troubleshooting
and Monitoring chapter of this User Guide.
dot1agCfmFaultAlarm If a MEP has a persistent defect condition, this
notification (fault alarm) is sent to the management
entity with the OID of the MEP that has detected the
fault.
Page 24
dot3OamEventNonThresholdEvent This notification is sent when a local or remote non-

threshold crossing event is detected. This
notification should not be sent more than once per
second. For more information, refer to the
dot3EventOamThresholdEvent notification
below.
dot3OamEventThresholdEvent This notification is sent when a local or remote
threshold crossing event is detected. A local
threshold crossing event is detected by the local
entity, while a remote threshold crossing event is
detected by the reception of an Ethernet OAM Event
Notification OAMPDU that indicates a threshold
event. This notification should not be sent more than
once per second. The OAM entity can be derived
from extracting the ifIndex from the variable
bindings. The objects in the notification correspond
to the values in a row instance in the
dot3OamEventLogTable. The management entity
should periodically check dot3OamEventLogTable
to detect any missed events.
fallingAlarm This notification indicates the RMON alarm
generated when a value falls below its pre-
For more information, refer to the Configuring
Remote Monitoring (RMON) chapter of this User
Guide.
fanStatusChange This notification indicates that the sending agent
senses that one of the fans changed its status.
imageCrcCheckFailed This notification indicates that the software image
CRC check failed.
lagMemberAdd This notification is generated when a new port is
added to a LAG link. The first ifIndex indicates the
ID of the trunk interface. The second one displays
the added port member.
lagMemberLinkDown This notification is generated when the LAG link
becomes down. The first ifIndex indicates the ID of
the trunk interface. The second one shows the port
member with link status change.
lagMemberLinkUp This notification is generated when the LAG link
becomes up. The first ifIndex indicates the ID of the
trunk interface. The second one displays the port
member with a link status change.
lagMemberRemove This notification is generated when a port is
removed from a LAG. The first ifIndex indicates the
ID of the trunk interface. The second one shows the
removed port member.
Page 25
laserTempThresholdCrossed This notification is generated when

laserTemperature rises above
laserHighTemperatureThreshold or falls below
laserTemperatureLowThresholds.
Also the notification is generated when
laserTemperature returns to the normal range
between laserHighTemperatureThreshold and
laserTemperatureLowThresholds.
laserTxPowerThresholdCrossed This notification is generated when laserTxPower
rises above laserHighTxPowerThreshold or falls
below laserTxPowerLowThresholds.
laserTxPower returns to the normal range between
laserHighTxPowerThreshold and
laserTxPowerLowThresholds.
laserRxPowerThresholdCrossed This notification is generated when laserRxPower
rises above laserHighRxPowerThreshold or falls
below laserRxPowerLowThresholds.
laserRxPower returns to the normal range between
laserHighRxPowerThreshold and
laserRxPowerLowThresholds.
linkup This notification indicates that the SNMP entity,
acting as an Agent, has detected that the
ifOperStatus object for one of its communication
links left the down state and transitioned into
another state (but not into the notPresent state).
The other state is indicated by the included value of
ifOperStatus.
linkDown This notification indicates that the SNMP entity,
acting as an Agent, has detected that the
ifOperStatus object for one of its communication
links is about to enter the down state from some
other state (but not from the notPresent state). This
other state is indicated by the included value of
ifOperStatus.
lldpRemTablesChange This notification is sent when the value of
lldpStatsRemTablesLastChangeTime changes. It
can be used by an NMS to trigger LLDP remote
systems table maintenance polls.
For more information, refer to the Configuring Link
Layer Discovery Protocol (LLDP) chapter of this
User Guide.
Page 26
mstpNewRoot This notification indicates that a new root is elected

by the Multiple Spanning Tree algorithm.
Multiple Spanning Tree Protocol (MSTP, IEEE
802.1s) chapter of this User Guide.
mstpTopologyChange This notification indicates that the topology change
is detected by the Multiple Spanning Tree algorithm.
Multiple Spanning Tree Protocol (MSTP, IEEE
802.1s) chapter of this User Guide.
newRoot This notification indicates that a new root is elected
by the Spanning Tree algorithm.
Spanning Tree Protocol (STP) and the Configuring
Rapid Spanning Tree Protocol (RSTP) chapters.
pingProbeFailed This notification indicates a detected probe failure if
the corresponding pingCtlTrapGeneration object is
set to probeFailure.
For more information, refer to the Operation
Administration and Maintenance (OAM) chapter of
this User Guide.
pingTestCompleted This notification is generated at the completion of a
ping test when the corresponding
pingCtlNotificationGeneration object is set to
testCompletion.
this User Guide.
pingTestFailed This notification indicates that a ping test is
determined to have failed when the corresponding
pingCtlTrapGeneration object is set to testFailure.
this User Guide.
portErrorsExceeded This notification indicates that the sending Agent
sensed that the number of errors has passed the
program threshold for one of the interfaces.
portRedundantLinkChange This notification indicates that the status of a
redundant link has changed.
portSecurityViolation This notification indicates that a security violation is
done on a port defined as a secure port.
VLANs and Super VLANs chapter of this User
Guide.
Page 27
portsBroadcastExceeded This notification indicates that the sending Agent

sensed that the number of broadcasts packets has
passed the programmed threshold on one of the
interfaces.
portsCRCErrExceeded This notification indicates that the level of CRC
errors passed the threshold.
portsOverSizeExceeded This notification indicates that rate of oversize
packets (packets larger than MaxFrameSize bytes)
has passed the threshold.
portsRuntsExceeded This trap indicates that the rate of runt packets
(packets smaller than 64 bytes) has passed the
threshold.
powerSupplyStatusChange This notification indicates that the sending agent
senses that one of the power supplies changed its
status.
prvtCfm1wJitterThreshold This notification is sent when CFM one way jitter
threshold crossed.
this User Guide.
prvtCfmFrameLossThreshold This notification is sent when CFM frame loss
threshold crossed.
this User Guide.
prvtCfmJitterThreshold This notification is sent when CFM two way jitter
threshold crossed.
this User Guide.
prvtCfmLatencyThreshold This notification is sent when CFM latency threshold
crossed.
this User Guide.
Page 28
prvtConfigChangeAlarm This notification is generated when the value of

configurable attribute is changed. Use the
notification to trigger maintenance polling of the
running configuration on the device. One of the
variables points either to entry of the modified table
or the OID of the modified scalar object.
prvtDuplicatedMACAddressAlarm This notification is a duplicated MAC notification.
This is sent when the MAC address is duplicated on
more than one port, in a particular VLAN.
The notification includes information about the MAC
address. The original port has the specified MAC
and VLAN.
prvtCustCreated This notification is generated when an entry in
custInfoTable is created.
prvtCustDeleted This notification is generated when an entry in
custInfoTable is deleted.
prvtELMIChangeEVC This notification is sent when an EVC status
changed. Can be a change in CE-VLAN ID/EVC
map or EVC status.
this User Guide.
prvtELMIStatus This notification is sent when an E-LMI status
changed.
this User Guide.
prvtEpsDefectAlarm This notification is sent when EPS service
operational status changed or protocol defect
occurred.
this User Guide.
prvtEpsLostCommunication This notification is sent when EPS communication
failed.
this User Guide.
prvtEpsRestoredCommunication This notification is sent when EPS communication
restored.
this User Guide.
prvtEpsSignalDegradeDetected This notification is sent when monitored error
threshold is crossed.
this User Guide.
Page 29
prvtEpsSignalFailDetected This notification is sent when three consecutive

CCMs are not received.
this User Guide.
prvtEpsSwitchoverAlarm This notification is sent when EPS service active link
changed.
this User Guide.
prvtOamDyingGasp Generates a dying-gasp alarm.
In order for dying-gasp trap to be functional, also
configure warmStart and coldStart notifications.
Dying-gasp is sent only to one server (last one
used).
this User Guide.
prvtOamLoopBackState This notification is changed when DOT3-OAM
Loopback state has changed.
this User Guide.
prvtPortSECViolation This notification is sent when port security is
enabled on a port, and security violation is detected.
The notification contains the following information:
the port on which the event occurred
the MAC Address causing the violation
the VLAN ID of the VLAN on which the address is
about to be learned
the administrative status of the port after the
violation that allows you to determine if the port is
shut down
VLANs and Super VLANs chapter of this User
Guide.
prvtSaaFrameLossThresholdCrossed This notification is generated when the SAA frame-
loss threshold is crossed the preconfigured
threshold in any direction, raising or falling. For
more information, refer to the Operations,
Administration & Maintenance (OAM) chapter of this
User Guide.
prvtSaaJitterThresholdCrossed This notification is generated when the SAA jitter
threshold crossed the preconfigured threshold in
any direction, raising or falling. For more
information, refer to the Operations, Administration
& Maintenance (OAM) chapter of this User Guide.
Page 30
prvtSaaDelayThresholdCrossed This notification is generated when the SAA delay

threshold crossed the preconfigured threshold in
any direction, raising or falling. For more
information, refer to the Operations, Administration
& Maintenance (OAM) chapter of this User Guide.
prvtSaaTestFinished This notification is sent for each completed SAA
test.
prvtSaaProbeSuccess This notification is sent for each successfully
completed ping.
prvtSaaProbeFailed This notification is sent for each failed probe ping
packet.
prvtSapCreated This trap is sent when a new row is created in the
sapBaseInfoTable.
prvtSapDeleted This trap is sent when an existing row is deleted
from the sapBaseInfoTable.
prvtSapStatusChanged This trap is generated when there is a change in the
administrative or operating status of an SAP.
prvtSdpCreated This trap is sent when a new row is created in the
sdpInfoTable.
prvtSdpDeleted This trap is sent when an existing row is deleted
from the sdpInfoTable.
prvtSdpStatusChanged This trap is generated when there is a change in the
administrative or operating status of an SDP.
prvtSvcCreated This trap is sent when a new row is created in the
svcBaseInfoTable.
prvtSvcDeleted This trap is sent when an existing row is deleted
from the svcBaseInfoTable.
prvtSvcStatusChanged This trap is generated when there is a change in the
administrative or operating status of a service.
ramFreeSpaceExceeded This notification indicates that the sending Agent
sensed that the internal amount of free RAMs is
lower than a program threshold.
resilientLinkStatusChange This notification indicates that the resilient link
status changed, identified by the resilientLinkIndex.
risingAlarm This notification indicates the RMON alarm
generated when a value rises above its pre-
Remote Monitoring (RMON) chapter of this User
Guide.
sfpMonStatusChanged This notification shows the status of the SFP
extracted/inserted.
snmpServerStatusChange This notification is sent when SNMP server status
has changed.
Page 31
snmpSetExecuted This notification informs you when a successful

SNMP SET request is executed. The notification
provides information about the security parameters
of the packet containing the SET request. The
snmpSetExecuted notification is sent directly by the
SNMP Agent.
The generation of the snmpSetExecute notification
is also controlled by the snmp-server set-
execute-trap command.
taskSuspended This notification indicates that a task is suspended.
For more information, refer to the Device Setup and
Maintenance chapter of this User Guide.
topologyChange This notification indicates that the topology change
is detected by the Spanning Tree algorithm.
Spanning Tree Protocol (STP) and the Configuring
Rapid Spanning Tree Protocol (RSTP) chapters.
unauthorizedAccessViaCLI This notification indicates that an unauthorized
access attempt via CLI occurred.
Device Authentication Features chapter of this User
Guide.
warmStart This notification indicates that the sending device is
reinitializing itself so that neither the Agent
configuration nor the protocol entity implementation
is altered.
Configuring the SNMP Notification Log

The snmp-server log-notify command enables the SNMP notification log.
A log entry is created for each notification as it occurs, regardless if a notification is sent or not.

By default, the SNMP notification log is disabled.
Command Syntax
device-name(config)#snmp-server log-notify [TAG-NAME]
device-name(config)#no snmp-server log-notify [TAG-NAME]
Page 32
TAG-NAME (Optional). Specifies the name of the tag associated with the notifications to be
logged. If the parameter is not supplied, the logging of all notifications is
enabled/disabled. The available names of notifications are specified in Table 8.
no Disables the SNMP notification log and clear its contents.
If you disable notifications associated with a specific tag name, by specifying
the tag name in the no command, the general snmp-server log-notify
command (without the specific tag name) is not enabling these notifications. In
this case, you have to explicitly enable these notifications.
Example
If you use no snmp-server log-notify Tag1, then snmp-server log-notify enables all
notifications except for those associated with Tag1.
device-name(config)#no snmp-server log-notify Tag1
device-name(config)#snmp-server log-notify
To enable the notifications that are associated with Tag1, use snmp-server log-notify Tag1.
device-name(config)#snmp-server log-notify Tag1
Configuring SNMP Logging of Sent Notifications

The snmp-server log-sent-notify command enables the logging only for notifications that are
sent to management devices.
The command causes the addition of a trap sequence ID based on the request ID field of the
SNMP trap packet. The addition of the sequence ID changes the behavior of the SNMP
notification log by logging the notifications in the order at which they are sent. Every notification
that is sent through the network is logged. The log entry includes the target addresses to which it is
sent.
When applying this command, one entry per notification is added for each IP address that the
notification is destined to, including the sequence ID for each of the IP addresses.
NOTE
The notifications that are not sent to a management device due to a configuration
error are not logged.
Command Syntax
device-name(config)#snmp-server log-sent-notify
device-name(config)#no snmp-server log-sent-notify
no Disables the SNMP sent-notification logging.
Page 33
Clearing the SNMP Notification Log

The clear snmp-server log-notify command clears the SNMP notification log.
Command Syntax
device-name#clear snmp-server log-notify
Defining the Notification Target Parameter

The snmp-server target-param command defines the notification target parameter.
The SNMP server target parameter sets the trap security parameters and specifies the user that
sends the trap to the target address. The user data contains the keys for the trap PDU encryption.
Command Syntax
device-name(config)#snmp-server target-param NAME USER-NAME v1 [PROFILE-NAME]
device-name(config)#snmp-server target-param NAME USER-NAME v2c [PROFILE-
NAME]
device-name(config)#snmp-server target-param NAME USER-NAME v3 {auth | noauth
| priv} [PROFILE-NAME]
device-name(config)#no snmp-server target-param NAME
NAME Specifies the name of the target parameter.
USER-NAME Specifies the name of the user on the host that connects to the Agent.
v1, v2c, v3 Specifies the security model of the target-parameter. It specifies the
version of the protocol in which the traps would be sent (v1, with TRAP-V1
PDU type, v2c with TRAP-V2 PDU type OR v3, with TRAP-V2 PDU type).
noauth Specifies the security level that implies no authentication and no
encryption of the PDUs.
auth Specifies the authentication of the PDUs based on HMAC-MD5 or HMAC-
SHA. No encryption is used.
priv Specifies the authentication based on HMAC-MD5 or HMAC-SHA and
CBC-DES encryption for the message data.
PROFILE-NAME (Optional) specifies the profile name, defined by the snmp-server
target-profile command. The target profile represents a set of filters
that restrict the access to the MIB tree for trap sending.
no Removes the notification target parameter.
Example
device-name(config)#snmp-server target-param param1 ABC v3 auth
Page 34
Defining the Notification Target Address

The snmp-server target-addr command defines the notification target address.
Command Syntax
device-name(config)#snmp-server target-addr NAME A.B.C.D <udp-port> PAR-NAME
[<TAG1> ... <TAGN>]
device-name(config)#snmp-server target-addr NAME {addtag | deltag} TAG-NAME
device-name(config)#no snmp-server target-addr NAME
NOTE
Use the command with addtag and deltag arguments only if the notification tag
address is already defined.
NAME Specifies the name of the notification target address.
A.B.C.D Specifies the IP address of the target.
udp-port Specifies the UDP port number of the target address in the range of
<1–65535>.
PAR-NAME Specifies the parameter name.
<TAG1> ... <TAGN> (Optional) specifies a list of tags. You can add one or more tags.
addtag Adds the specified tag to the list.
deltag Removes the specified tag from the list.
TAG-NAME Specifies the name of the added/removed tag.
no Removes the notification target address.
Example 1
device-name(config)#snmp-server target-addr XYZ 192.168.0.121 162 param1 tag1
Example 2
device-name(config)#snmp-server target-addr XYZ addtag tag2
Page 35
Sending snmpSetExecuted Notifications

The snmp-server set-execute-trap command sends snmpSetExecuted notifications.
Command Syntax
device-name(config)#snmp-server set-execute-trap
device-name(config)#no snmp-server set-execute-trap
no Disables the sending of snmpSetExecuted notifications.
Sending authenticationFailure Notifications

The snmp-server authentication-failure-trap command sends authenticationFailure
notifications.
This command controls the value of MIB-II mib-2.snmp.snmpEnableAuthTraps.
Command Syntax
device-name(config)#snmp-server authentication-failure-trap
device-name(config)#no snmp-server authentication-failure-trap
no Disables the sending of authenticationFailure notifications.
Page 36
Defining a Notification Target Profile

The snmp-server target-profile command includes or excludes a branch of the MIB tree in a
notification profile.
Use this command only if you need to supply filters that do not match the user’s definition.
NOTE
First define the Notification Target Parameter (target-param) and Target Address
(target-addr) and then the Target Profile. Otherwise, you receive an error message.
NOTE
Before you use this command, read RFC 3413 section 6.
When you create target profiles, include snmpTrapOID.0 in the profile.
Command Syntax
device-name(config)#snmp-server target-profile PROFILE-NAME OBJECT-ID
{included | excluded} [MASK]
device-name(config)#no snmp-server target-profile PROFILE-NAME OBJECT-ID
{included | excluded}
PROFILE-NAME Specifies the name of the profile.
OBJECT-ID Specifies the starting point inside the MIB tree given in dot-notation or as
an object name.
included Specifies the Object ID is included in the profile.
excluded Specifies the Object ID is excluded from the profile.
MASK (Optional) specifies the bit-mask that defines Object ID wildcard
characters.
no Removes the notification target profile.
Defining the Retry Inform Operation Value

The snmp-server inform retry command sets an option related to resending unacknowledged
Inform requests and specifies the number of retries for resending Inform PDUs.

By default, the number of retries is 3 times.
Command Syntax
device-name(config)#snmp-server inform retry <number>
device-name(config)#no snmp-server inform retry
Page 37
number Specifies the number of retries for resending Inform PDUs. The valid range is
<1–2147483647>.
no Configures the number of retries to its default value.
Example 1
Set the number of inform PDU retries to 5:
device-name(config)#snmp-server inform retry 5
Example 2
Disable snmp-server inform retry option and set the number of retries to 3 (default value):
device-name(config)#no snmp-server inform retry
Defining the Timeout Inform Operation Value

The snmp-server inform timeout command sets the time to wait for an acknowledgement
before resending an unacknowledged inform PDU.

By default, the time to wait for an acknowledgement before resending an unacknowledged inform
PDU is 30 seconds.
Command Syntax
device-name(config)#snmp-server inform timeout <time>
device-name(config)#no snmp-server inform timeout
time Specifies the time, in seconds, to wait for an acknowledgement before resending an
unacknowledged Inform PDU. The valid range is <1–2147483647>.
no Configures the timeout to its default value.
Example
Set the inform PDU time to 10 seconds:
device-name(config)#snmp-server inform timeout 10
Page 38
Defining the System Contact String

The snmp-server contact command sets the MIB-II system contact string.
Command Syntax
device-name(config)#snmp-server contact .LINE-TEXT
device-name(config)#no snmp-server contact
.LINE-TEXT Descriptive system contact string, up to 80 characters long.
Use the system contact string for the textual identification of the contact
person for this managed node, together with information on how to contact
this person. If no contact information is known, the value is a zero-length
string.
no Removes the SNMP system contact string.
Example
device-name(config)#snmp-server contact tom@comp.com
Defining the System Name

The snmp-server system-name command sets the MIB-II system name.
Command Syntax
device-name(config)#snmp-server system-name .LINE-TEXT
device-name(config)#no snmp-server system-name
.LINE-TEXT Descriptive system name string, up to 80 characters long.
The system name is an administratively-assigned name for this managed
node. If the name is unknown, the value is a zero-length string. If the name
is unknown, the value is a zero-length string.
no Removes the SNMP system name.
Example
device-name(config)#snmp-server system-name T-Marc
Page 39
Defining the System Location

The snmp-server location command sets the MIB-II system location string.
Command Syntax
device-name(config)#snmp-server location .LINE-TEXT
device-name(config)#no snmp-server location
.LINE-TEXT Descriptive system location string, up to 80 characters long.
Use the system location string for describing the physical location of this
node (e.g., telephone closet, 3rd floor). If the location is unknown, the value
is a zero-length string.
no Removes the SNMP system location string.
Example
device-name(config)#snmp-server location ROOM 256
Displaying the Status of the SNMP Server

The show snmp-server command displays the status of the SNMP server—enabled or disabled, and
the UDP port on which the SNMP is enabled.
Also, it can display some other options such as: set-execute-trap, system-name, contact, status of
authentication failure trap and set-execute-trap, inform retry and timeout.
Command Syntax
device-name#show snmp-server
Example
device-name#show snmp-server
snmp-server enable
authentication-failure trap disable
Inform retries 10
Inform timeout 2 secs
Page 40
Displaying the Engine ID

The show snmp-server engineID command displays the local SNMP Engine ID of the SNMP
Agent, all Engine IDs that are known to the Agent, and information about the inform operation
values that are different from their default values.
Command Syntax
device-name#show snmp-server engineID
Example
device-name#show snmp-server engineID
Local snmpEngineID: 000002DB0300A01211259A0000
snmpEngineBoots: 3, snmpEngineTime: 2394
Remote snmpEngineID: 80000523010A000001

snmpEngineBoots: 273, snmpEngineTime: 978
IP address: 10.0.0.1
Displaying the SNMP Groups

The show snmp-server group command displays the configured groups, their associated views,
and the security model. If the security model is USM (v3), the command displays the security level.
Command Syntax
device-name#show snmp-server group
Example
group name: GR1 security model: v3 auth
read view: READ write view: WRITE
notify view: NOTIFY row status: active
Page 41
Displaying the SNMP Users

The show snmp-server user command displays the users and their associated engine ID.
Command Syntax
device-name#show snmp-server users
Example
User name: MAG
Engine ID:1234567890
Group: GR1 model:v3 Auth
Displaying All Configured Views

The show snmp-server view command displays all configured views and the viewmask of a
particular view (if configured).
A view is displayed in symbolic format, when some portions of the view family OID match the
OID, stored in file batm_oid_table. The symbol with the longest match of the OID is assigned and
concatenated with the unmatched OIDs.
Command Syntax
device-name#show snmp-server view [VIEWNAME]
VIEWNAME (Optional) specifies the name of the view. The view name is limited to 32
characters.
If you specify the view name, only data for the views with the specified name is
displayed on the screen. If you do not specify the view name, all views are
displayed on the screen.
Page 42
Example
Display a view family in symbolic format, the view family has the following long OID:
1.3.6.1.2.1.4.24.4.1.192.168.0.0.255.255.0.0.0.192.168.4.1
The view is displayed in the following format:

ipCidrRouteEntry.192.168.0.0.255.255.0.0.0.192.168.4.1
device-name#show snmp-server view

View name: MyView
OID: 1.3.6 included
Row status: Active
Storage type: Volatile
View name: MyView

OID: 1.3.6 excluded
Row status: Active
Storage type Volatile
If you load the file batm_oid_table in the flash file system, the OIDs are displayed with symbolic
names.
The row status can be Active (the row is operable) or notInService (the row is administratively
disabled).
The storage type can be Volatile (the data is in volatile memory, and after reboot it is lost) or Non
Volatile (the data is in non volatile memory—it can restore after reboot).
Displaying the Notification Target Parameters

The show snmp-server target-param command displays the notification target parameters.
Command Syntax
device-name#show snmp-server target-param
Example
device-name#show snmp-server target-param
Target Parameter: param1
Security Name : GHJ
Security Model: v3
Security Level: auth
Profile name : PROFILE
Page 43
Displaying the Notification Target Profiles

The show snmp-server target-profiles command displays the notification target profiles.
Command Syntax
device-name#show snmp-server target-profiles
Example
device-name#show snmp-server target-profiles
Profile name: profile
OID: 1.3.6 included
Profile name: profile

OID: 1.3.6.1.2.1 excluded
Displaying the SNMPv3 Notification Type

The show snmp-server notify command displays the SNMPv3 notification parameters.
Command Syntax
device-name#show snmp-server notify
Example
device-name#show snmp-server notify
Notify Name: fanStatusChangelinkDown
Notify type: inform
Tag: tag1
Notify Name: linkUp

Notify type: inform
Tag: tag1
Notify Name: resilientLinkStatusChange

Notify type: trap
Tag: tag
Page 44
Displaying the Notification Log

The show snmp-server log-notify command displays the NVRAM notification log of the
SNMP server.
Command Syntax
device-name#show snmp-server log-notify {first NUMBER | last NUMBER}
first NUMBER Specifies the number of first records to be displayed, in the valid range of <1-
65535> records.
last NUMBER Specifies the number of last records to be displayed, in the valid range of <1-
65535> records.
Example 1
If only the snmp-server log-notify command is present in the SNMP running configuration,
the device displays the following output:
device-name#show snmp-server log-notify
2009/01/01 00:04:11 linkDown notification sent: interface 1/1/1
If both snmp-server log-notify and snmp-server log-sent-notify commands are present in

the SNMP running configuration, the device displays the following output:
2009/01/01 04:07:13 10.0.0.33/162 13 linkDown ifIndex.1102 1102
ifAdminStatus.11
02 2 ifOperStatus.1102 1
Example 2
device-name#show snmp-server log-notify last 78
% No records stored in notification log.
Displaying the Notification Target Address

The show snmp-server target-addr command displays the notification target address.
Command Syntax
device-name#show snmp-server target-addr
Page 45
Example
device-name#show snmp-server target-addr
Target Address: YOU
IP address: 192.168.0.39
UDP port: 162
Target Parameter: param
Tag list: tag1
Displaying the Pending Informs

The show snmp-server informs command displays information about the unacknowledged
informs.
The information displayed by this command includes the Status that can have one of the following
values:
• SENDING_PROBE, indicating that the Agent does not have knowledge of the notification
recipient’s snmpEngineID and SNMP engine ID discovery procedure is under its way.
• WAITING_RETRANSMISSION, indicating that the Agent knows the snmpEngineID of
the notification recipient (and is already time-synchronized with it), and sends correct inform
PDUs to it, but the Manager has not acknowledged it yet.
• WAITING_RETRANSMISSION, indicating a lack of communication between the Agent
and the Manager.
Command Syntax
device-name#show snmp-server informs
Example
device-name#show snmp-server informs
Inform ID 5 about to be sent to 10.0.0.1
Retries left: 9, elapsed: 0, timeout: 2
Status: SENDING_PROBE


Page 46
Displaying the Access List Applied to a User

The show snmp-server access-list displays the access list assigned to a user.
Command Syntax
device-name#show snmp-server access-list [USER]
USER (Optional) specifies the user name. If specified, only the access list of this user is
displayed on the screen. If not specified, all the access lists of this user are displayed
on the screen.
Example 1
device-name#show snmp-server access-list
User name : restricted_user
Access list: aclRestrict
User name : all_users

Access list: aclAll
Example 2
Display the SNMP server users and their assigned access-lists:
device-name#show snmp-server access-list
User name: IVAN
Access List: MyLyst
device-name#show access-lists
Standard routing-protocol access-list MyLyst
permit 220.132.0.0/16
Page 47
Using SNMPv1
In this example two SNMP users are added to the device. Both users use SNMPv1. The first user
uses the public community with read-only permission and the second uses the private community
with read-write access. The SNMPv1 community is parsed by the SNMP Agent as the user name.
1. Enable SNMP:
2. Create a view that includes the entire MIB tree from root:
3. Create a group with read-only access to the view:

device-name(config)#snmp-server group groupAllReadOnly v1 read viewAll
write none notify none
4. Create a group with read-write access to the viewAll view:

device-name(config)#snmp-server group groupAllReadWrite v1 read viewAll
write viewAll notify none
5. Create user name public that uses the read-only access:

device-name(config)#snmp-server user public group groupAllReadOnly v1
6. Create user name private that uses the group with read-write access:
device-name(config)#snmp-server user private group groupAllReadWrite v1
SNMP Notification for Users

A user with IP address 20.0.0.5 is added and receives SNMPv1 notifications: linkUp, linkDown and
coldStart, using the community trap_v1.
1. Enable SNMP:
2. Create a view that includes the entire MIB tree from root:
3. Create a group named gall that supports only notification view:

device-name(config)#snmp-server group gall v1 read viewAll write viewAll
notify viewAll
4. Create a user named trap_v1 with group gall for SNMPv1:

device-name(config)#snmp-server user trap_v1 group gall v1
Page 48
5. Add a target parameter named MyParam that uses trap_v1:

device-name(config)#snmp-server target-param MyParam trap_v1 v1
6. Create the target address TargetAddress1 for IP address 20.0.0.5, port 162 that uses the
target parameter MyParam and sends all the packets to tag1:
device-name(config)#snmp-server target-addr TargetAddress1 20.0.0.5 162
MyParam tag1
7. Add to tag1 the coldStart notification:

device-name(config)#snmp-server notify coldStart tag1
8. Add to tag1 the linkDown notification:

device-name(config)#snmp-server notify linkDown tag1
9. Add to tag1 the linkUp notification:

device-name(config)#snmp-server notify linkUp tag1
The following commands change the device configuration to send the same notification in
SNMPv3 format without authentication and privacy to the same target, as well as SNMPv1
notifications.
1. Create a user named trap_v3 with group gall for SNMPv3:
device-name(config)#snmp-server user trap_v3 group gall v3
2. Add a target parameter named MyParam1 that uses the user trap_v3:
device-name(config)#snmp-server target-param MyParam1 trap_v3 v3 noauth
3. Create the target address TargetAddress_v3 for IP address 20.0.0.5, port 162 that uses the
target parameter MyParam1 and sends all the packets to tag1:
device-name(config)#snmp-server target-addr TargetAddress_v3 20.0.0.5 162
MyParam1 tag1
Group Definition
The following example shows how to create a group with name public_grp.1.
1. Enable the SNMP server:
2. Create SNMP view, starting from the 1.3.6 Object ID in the MIB tree:
device-name(config)#snmp-server view MyView 1.3.6 included
3. Create group public_grp with SNMP v1 security level and define the access rights for the
group:
device-name(config)#snmp-server group public_grp v1 read MyView write
MyView notify none
Page 49
4. Define group public_grp with SNMP v2 security level and define the access rights for the
group:
device-name(config)#snmp-server group public_grp v2 read MyView write
MyView notify none
5. Define group public_grp with SNMP v3 authenticated and encrypted model and define the
access rights of the group:
device-name(config)#snmp-server group public_grp v3 priv read MyView
write MyView notify none
6. Display the created groups and access rights that are assigned above:
group name: public_grp security model:v1
read view: MyView write view: MyView
notify view: none row status: active
group name: public_grp security model:v2c

group name: public_grp security model:v3 priv

Defining Users and Assigning Users to Groups

The following example shows how to create users and join them to groups for the v3 security
models.
2. Create a user with name public and connect it to the group public_grp for the user security
model v1:
device-name(config)#snmp-server user public group public_grp v1
3. Connect the user public to the group public_grp for the security model v2 :
device-name(config)#snmp-server user public group public_grp v2
4. Connect the user public to the group public_grp for the security model v3. The restrictions
of the v3_read and v3_write views are applied on the SNMPv3 PDUs received with the user
name public for security level AuthPriv. The PDU has to conform to the DES and MD5
security checks.
device-name(config)#snmp-server user public group public_grp v3 priv
pass1 auth md5 pass2
Page 50
5. Display the created user and above assigned rights:

User name: public
Engine ID:1234567890ABCD
Group: public_grp model:v1
Group: public_grp model:v2c
Group: public_grp model:v3 Priv
Using SNMPv3
2. Configure the engine ID of the Agent:

device-name(config)#snmp-server engineID 1234567890
3. Create SNMP view, starting from the 1.3.6 Object ID in the MIB tree:
device-name(config)#snmp-server view MyView 1.3.6 included
4. Configure a group with name GR1 with security model v3. Specify this group to use
authentication, read view name READ, write view for the group WRITE and notify view with
name NOTIFY for this group GR1:
device-name(config)#snmp-server group GR1 v3 auth read READ write WRITE
notify NOTIFY
5. Configure a user MAG and assign this user to group GR1 with security model v3. Specify the
packet authentication SHA authentication and the authentication password MAG:
device-name(config)#snmp-server user MAG group GR1 v3 auth sha MAG
6. Specify the notification target parameter param1:

device-name(config)#snmp-server target-param param1 MAG v3 auth PROFILE
7. Specify the notification target address 192.168.0.39. Assign a UDP port, parameter name
and tag list to the target address:
device-name(config)#snmp-server target-addr YOU 192.168.0.39 162 param1
tag1
Page 51
Configuring a Target Address to Receive Informs and

Traps
The following example shows how to configure RMON risingAlarm as an inform notification and
RMON fallingAlarm as a trap. It also shows how to deliver RMON risingAlarm and RMON
fallingAlarm to a specified IP address (192.168.0.30). The receiver of the Inform has snmpEngineID:
123456789abcd.
2. Define the notification with name risingAlarm, tag tagRmonInform, and create the
notification as an inform:
device-name(config)#snmp-server notify risingAlarm tagRmonInform inform
3. Define the notification with name fallingAlarm and tag tagRmonTrap. Since the parameter
inform is omitted, this notification is created as a trap:
device-name(config)#snmp-server notify fallingAlarm tagRmonTrap
4. Define a notification target address with name informPC and IP address 192.168.0.30.
Specify the default UDP port (162), the parameter name parInform, and a tag
tagRmonInform.
device-name(config)#snmp-server target-addr informPC 192.168.0.30 162
parInform tagRmonInform
5. Define a notification target address with name trapPC and IP address 192.168.0.30. Specify
the default UDP port (162), the parameter name parTrap, and a tag tagRmonTrap.
device-name(config)#snmp-server target-addr trapPC 192.168.0.30 162
parTrap tagRmonTrap
6. Define a notification target parameter with name parInform and security name usrRemote,
security model v3 and Authentication of the PDUs based on HMAC-MD5 or HMAC-SHA:
device-name(config)#snmp-server target-param parInform usrRemote v3 auth
7. Define a notification target parameter with name parTrap and security name usrLocal,
security model v3 and Authentication of the PDUs based on HMAC-MD5 or HMAC-SHA:
device-name(config)#snmp-server target-param parTrap usrLocal v3 auth
8. Create a user with name usrRemote and assign this user to group grpRemote. Specify the
SNMP v3, authentication level auth with HMAC-SHA authentication, and authentication
password string. Create a remote user with engine ID 123456789abcd.:
device-name(config)#snmp-server user usrRemote group grpRemote v3 auth sha
auth_password remote 123456789abcd
Page 52
9. Create a user with name usrLocal and assign this user to group grpLocal. Specify the SNMP
v3, authentication level auth with HMAC-MD5 authentication, and authentication password
string:
device-name(config)#snmp-server user usrLocal group grpLocal v3 auth md5
another_password
10. Configure a group with name grpLocal, SNMP v 3, authentication level auth. Specify the
read view all, the write view all and the notify view all:
device-name(config)#snmp-server group grpLocal v3 auth read all write all
notify all
11. Configure a group with name grpRemote, SNMP v 3, authentication level auth. Specify the
read view all, the write view all and the notify view all:
device-name(config)#snmp-server group grpRemote v3 auth read all write all
notify all
12. Create a view with name all. Specify the OID-TREE ID in the view:
device-name(config)#snmp-server view all 1.3.6 included
Configuring Notification Logs

The following example shows how to configure notification events and logs. It also shows how to
display the notification logs.
2. Define the following notification events: linkUp (tag NotifyTag1), linkDown (tag
NotifyTag2), coldStart and warmStart (tag NotifyTag3):
device-name(config)#snmp-server notify linkUp NotifyTag1
device-name(config)#snmp-server notify linkDown NotifyTag2
device-name(config)#snmp-server notify coldStart NotifyTag3
device-name(config)#snmp-server notify warmStart NotifyTag3
3. Configure the notification log so that only the notifications included in NotifyTag1 and
NotifyTag2 notify tags are logged:
device-name(config)#snmp-server log-notify NotifyTag1
device-name(config)#snmp-server log-notify NotifyTag2
4. Display the notification log.

% No records stored in notification log
5. After a linkDown event occurs on port 1/1/1, the notification log is displayed as follows:
Page 53
6. Reload the device with option save. Display the notification log. The warmStart notification
is not logged, because its tag NotifyTag3 was not defined earlier:
…
7. After a linkUp event occurs on port 1/1/1, the notification log is displayed as follows:
2009/01/01 00:02:26 linkUp notification sent: interface 1/1/1
8. Prevent the notifications grouped in tag NotifyTag2 (linkDown in this particular case) from
further inclusion in the notification log:
device-name(config)#no snmp-server log-notify NotifyTag2
9. After linkDown and linkUp events occur on port 1/1/1, the notification log is displayed as
follows:
10. Include all notification tags in the notify log:

device-name(config)#snmp-server log-notify
11. Reload the device with save option and display the notification log:
…

2009/01/01 00:00:25 linkUp notification sent: interface 1/1/1.
2009/01/01 00:00:17 warmStart notification sent.

12. Clear the notification log:

device-name#clear snmp-server log notify
13. Display the notification log:

device-name#show snmp-server log notify
% No records stored in notification log
Page 54
Supported Platforms
Simple Network Management Protocol (SNMP) + +

Simple Network • STD0015, Simple Public MIBs: • RFC 1157, SNMPv1—

Management Network • SNMPV1-MIB The Simple Network
Protocol (SNMP) Management Management Protocol:
Protocol • MIB-II A full Internet Standard
(RFC1213-
• STD0016, MIB) • RFC 1213,
Structure of Management
Management • SNMP- Information Base for
Information COMMUNITY- Network Management
MIB of TCP/IP-based
• STD0017, (RFC2576)
Management internets: MIB-II
Information Base • SNMPv2-MIB • RFC 2579, Textual
• STD0058, • SNMP-VIEW- Conventions for SMIv2
Structure of BASED-ACM- • RFC 2580,
Management MIB Conformance
Information • SNMP-USER- Statements for SMIv2
Version 2 (SMIv2) BASED-SM- • RFC 3410,
• STD0062, Simple MIB Introduction and
Network Applicability
Management Statements for Internet
Protocol Version 3 Standard Management
(SNMPv3) Framework
• RFC 3411, An
Architecture for
Describing Simple
Network Management
Protocol (SNMP)
Management
Frameworks
• RFC 3412, Message
Processing and
Dispatching for the
Simple Network
Management Protocol
(SNMP)
• RFC 3413, Simple
Network Management
Protocol (SNMP)
Applications
• RFC 3414, User-based
Security Model (USM)
Page 55

for version 3 of the
Simple Network
Management Protocol
(SNMPv3)
• RFC 3415, View-
based Access Control
Model (VACM) for the
Simple Network
Management Protocol
(SNMP)
• RFC 3416, Version 2
of the Protocol
Operations for the
Simple Network
Management Protocol
(SNMP)
• RFC 3417, Transport
Mappings for the
Simple Network
Management Protocol
(SNMP)
• RFC 3418,
Management
Information Base (MIB)
for the Simple Network
Management Protocol
(SNMP)
• RFC 1901,
Introduction to
Community-based
SNMPv2.
• RFC1902, Structure of
Management
Information for Version
2 of the Simple
Network Management
Protocol (SNMPv2).
• RFC1905, Protocol
Operations for Version
2 of the Simple
Network Management
Protocol (SNMPv2).
• RFC3584,
Coexistence between
Version 1, Version 2,
and Version 3 of the
Internet-standard
Network Management
Framework
Page 56
SNMP Reference Guide
Table of Contents
Configuring Fast Ethernet and Giga Ethernet Port via SNMP ····························· 6
MIB Architecture: PRVT-SWITCH-MIB ······················································ 6
Fast Ethernet and Giga Ethernet Port Configuration Examples····························· 9
Configuration via CLI······································································· 9
Configuration via SNMP ··································································10
Configuring Link Aggregation Groups (LAGs) via SNMP ································· 11

MIB Architecture: PRVT-PORTS-AGGREGATION-MIB································11
Notifications ·····················································································12
LAG Configuration Examples ·································································13
Configuration via CLI······································································13
Configuring Resilient Links via SNMP ·························································15

MIB Architecture: PRVT-RESILIENT-LINK-MIB·········································15
Notifications ·····················································································16
Resilient Links Configuration Examples ······················································16
Configuring Virtual LANs (VLANs) via SNMP···············································17

MIB Architecture: Q-BRIDGE-MIB··························································17
VLANs Configuration Examples ······························································20
Configuring Transparent LAN Services (TLS) via SNMP ··································21

MIB Architecture ················································································21
Page 1
SNMP Reference Guide (Rev. 04)
PRVT-SERV-MIB ·········································································21
PRVT-L2TUNNELING-MIB····························································24
Notifications ·····················································································27
TLS Configuration Examples ··································································29
TLS Tunneling Configuration Example ·······················································30
Configuring Spanning Tree Protocol (STP) via SNMP······································32

BRIDGE-MIB··············································································32
RSTP-MIB ··················································································35
PRVT-SWITCH-MIB ·····································································37
Notifications ·····················································································37
STP via SNMP Configuration Example ·······················································38
Configuring Rapid STP (RSTP) via SNMP ····················································40

BRIDGE-MIB··············································································40
RSTP-MIB ··················································································40
PRVT-SWITCH-MIB ·····································································40
RSTP via SNMP Configuration Example ·····················································41
Configuring Multiple STP (MSTP) via SNMP ················································43

PRVT-MST-MIB ···········································································43
PRVT-SWITCH-MIB ·····································································46
Notifications ·····················································································46
MSTP via SNMP Configuration Examples ···················································47
Pending Configuration·····································································47
MSTP Global Parameters Configuration·················································47
Configuring Quality of Service (QoS) via SNMP ·············································48

MIB Architecture: PRVT-QoS-MIB···························································48
QoS via SNMP Configuration Examples······················································50
Page 2
Mapping Priority to Queue ································································50

Configuring the DSCP-to-FC Mapping ··················································52
Configuring QoS Service Policy···························································53
Configuring 802.3ah Ethernet in the First Mile (EFM) via SNMP ························56
PRVT-SWITCH-EFM-OAM-MIB·······················································56
DOT3-OAM-MIB ·········································································57
Notifications ·····················································································59
EFM-OAM via SNMP Configuration Example ··············································60
Configuring 802.1ag Connectivity Fault Management (CFM) via SNMP················62

Architecture ······················································································62
IEEE8021-CFM-MIB ·····································································62
PRVT-CFM-MIB···········································································65
Notifications ·····················································································66
CFM via SNMP Configuration Examples·····················································66
Configuring Two Devices in CFM Protocol·············································68
Using the Clear Connectivity Command ·················································74
Configuring Ethernet Protection Switching (EPS) via SNMP ·····························79

MIB Architecture: PRVT-EPS-MIB ···························································79
Notifications ·····················································································81
EPS via SNMP Configuration Example·······················································82
Configuring Link Layer Discovery Protocol (LLDP) via SNMP···························84

MIB Architecture: LLDP-MIB ·································································84
Notifications ·····················································································87
LLDP via SNMP Configuration Example ····················································88
Configuring Remote Monitoring (RMON) via SNMP ······································89

MIB Architecture: RMON-MIB ·······························································89
Notifications ·····················································································91
RMON via SNMP Configuration Example ···················································92
Page 3

This chapter contains the following sections:
1. Configuring Fast Ethernet and Giga Ethernet Port via SNMP
T-Marc 300 Series devices allow service providers to deliver multiple services on separate
user interfaces. Multiple application flows are supported over a single customer interface,
with each flow being mapped to a different traffic class.
2. Configuring Link Aggregation Groups (LAGs) via SNMP
Link Aggregation Groups (LAGs), also known as trunks, provide increased bandwidth
and high reliability while saving the cost of upgrading the hardware.
3. Configuring Resilient Links via SNMP
Using resilient links feature, you can protect critical links and prevent a device failure by
providing a secondary backup link that is inactive until it is needed.
4. Configuring Virtual LANs (VLANs) via SNMP
VLANs are used to group users’ traffic with common requirements, as if they were on the
same LAN although they may be in separate physical locations. The key benefit of
VLANs is its flexibility in allowing any logical LAN to be implemented on any physical
infrastructure.
5. Configuring Transparent LAN Services (TLS) via SNMP
Deploying the TLS requires network operators to transport a large number of customers’
virtual LANs (VLANs) while keeping traffic in each VLAN secured.
6. Configuring Spanning Tree Protocol (STP) via SNMP
Spanning Tree Protocol (STP, IEEE 802.1d) is a Layer 2 protocol that provides path
redundancy, ensuring a loop-free topology for bridged LANs.
7. Configuring Rapid STP (RSTP) via SNMP
Rapid Spanning Tree Protocol (RSTP) is an evolution of STP providing faster
convergence (less than one second) upon a network topology change.
8. Configuring Multiple STP (MSTP) via SNMP
Based on RSTP, MSTP allows using multiple spanning tree instances (MSTI) while
mapping each VLAN or VLAN group to the most appropriate instance.
9. Configuring Quality of Service (QoS) via SNMP
Quality of Service (QoS) allows you to specify different service levels for traffic that
traverses the device and provides preferential treatment to that traffic, possibly at the
expense of other traffic.
10. Configuring 802.3ah Ethernet in the First Mile (EFM) via SNMP
IEEE 802.3ah Ethernet in the First Mile (EFM) specifies the protocols and Ethernet
interfaces for using Ethernet over access links as a first-mile technology and transforming
it into a highly reliable technology.
11. Configuring 802.1ag Connectivity Fault Management (CFM) via SNMP
IEEE 802.1ag Connectivity Fault Management (CFM) refers to the ability of a network to
monitor the health of an end-to-end service delivered to customers as opposed to just
links or individual bridges.
Page 4
12. Configuring Ethernet Protection Switching (EPS) via SNMP

ITU-T G.8031 Ethernet Protection Switching (EPS) is a method of protecting point-to-
point Ethernet service connection over VLAN transport networks, assuring traffic
transport between the two service ends.
13. Configuring Link Layer Discovery Protocol (LLDP) via SNMP
The Link Layer Discovery Protocol (LLDP) is a vendor-neutral Layer 2 protocol that
allows a network device to advertise its identity and capabilities on the local network.
14. Configuring Remote Monitoring (RMON) via SNMP
Remote Monitoring (RMON) is an Internet Engineering Task Force (IETF) monitoring
specification that defines a set of statistics and functions that can be exchanged between
RMON-compliant console systems and network probes.
Page 5
Configuring Fast Ethernet and Giga Ethernet Port

via SNMP
For additional information about this feature, refer to the Fast Ethernet and Giga Ethernet Port section
of the Configuring Interfaces chapter of this User Guide.
MIB Architecture: PRVT-SWITCH-MIB

The Switch MIB is a private MIB used for managing the internal device parameters.
RFC 2863 supported: the Interfaces Group MIB (configL2IfaceTable and interface table). This
RFC specifies an Internet standards track protocol for the Internet community, and requests
discussion and suggestions for improvements.
NOTE
For the configuration via SNMP, only the configL2IfaceTable is used.
This table contains the objects:

Object Entry Field Name Description
configL2IfaceTable This table contains a list of Interfaces and their

properties. This table contains the following
objects
configL2IfaceUnit The index that uniquely identifies a unit in the
interface table.
configL2IfaceSlot The index that uniquely identifies a slot within the
unit in the interface table.
configL2IfacePort The index that uniquely identifies a port within the
slot in the interface table.
configL2IfaceName The textual name of this interface.
configL2IfaceEnable Enables(1) or disables(2) the control used for the

interface. This is the only way to enable or
disable the interface. The ifAdminStatus, in
RFC1213, and dot1dStpPortEnable, in RFC1493,
are both implemented as read-only.
configL2IfaceSTPEnable Enables(1) or disables(2) Spanning Tree
operation used for this interface.
configL2IfaceDuplexSpeedSet The desired speed and duplex mode for the
interface. If the selected control is not available
for the interface, a value of illegal(99) is returned.
If the port type does not support the default of
autonegotiate(1), then the application initializes
the port to a valid value (for example,
1000full(6)).
Not all controls are available for all interfaces. For
example, only full-1000(6) is available for Gigabit
Ethernet interfaces.
Page 6
configL2IfaceFlow The desired flow mode for the interface. If the

selected control is not available on the interface,
a value of illegal(99) is returned. If the port type
does not support the default value of
the port to a valid value (for example,
1000full(6)).
example, only full-1000(6) is available for Gigabit
configL2IfaceBackpressure The desired back-pressure mode for the
on the interface, a value of illegal(99) is returned.
configL2IfaceResetCounters Resets the statistics counters selected for this
port.
configL2IfaceDefaultVID Sets the default VLAN ID according to 802.1Q.
configL2IfaceSnifferIfIndex Connects this port to a sniffer port indexed by the

specified ifIndex. Setting this value to 0
disconnects this port from the sniffer.
configL2TopologyChangeDetection Controls the STP topology change detection for
this interface.
configL2IfaceDuplexModeSet The duplex mode for the interface. If the port type
does not support the default of autonegotiate(1),
then the application initializes the port to a valid
value (for example, full (2)).
configL2IfaceSpeedSet The desired speed and duplex mode for the
for the interface, a value of illegal (99) is returned.
If the port type does not support the default of
the port to a valid value (for example, 1000(3)).
example, only 1000(4) is available for Gigabit
configL2IfaceBroadcastRateLimit The rate limit broadcast traffic. Must be a number
between 64 Kbps and 1 Gbps, specified in Kbps.
configL2IfaceMulticastRateLimit The rate limit multicast traffic. Must be a number
configL2IfaceUnknownRateLimit The rate limit unknown traffic. Must be a number
configL2IfaceBroadcastBurstSize The burst size broadcast traffic. Must be a
number between 12 Kbps and 1 Mbps, specified
in Kbps.
configL2IfaceMulticastBurstSize The burst size multicast traffic. Must be a number
between 12 Kbps and 1 Mbps, specified in Kbps.
configL2IfaceUnknownBurstSize The burst size unknown traffic. Must be a number
between 12 Kbps and 1 Mbps, specified in Kbps.
configL2IfaceMtu The Maximum Transmission Unit (MTU), in
octets, of the interface.
Page 7
configL2IfaceAdminCrossOver The administrative MDI/MDI-X cable connection

status of ports, as specified in IEEE 803.2.
The MDI-x mode (crossover) is configured(3), the
port works in MDI-X mode.
The MDI mode(2) defines port to work in
standard MDI mode.
The auto(1) defines automatic crossover
detection, and any type of MDI/MDI-X cabling can
be used on the port.
NOTE
This attribute can be configured only
on ports that support that option.
configL2IfaceRemoteFaultDetect Controls the remote fault detection on interfaces,
connected to 100Base Fiber pair.
Once enabled(1), the device will indicate link-
down event on the interface, once remote peer
detects link down.
NOTE
Relevant only on 100Base Fiber ports.
Page 8
Fast Ethernet and Giga Ethernet Port Configuration

Examples
Configuration via CLI
1. Configure a description on port 1/1/1:
device-name(config-if 1/1/1)#name port1
2. Configure default VLAN on port 1/1/1:

device-name(config-if 1/1/1)#default vlan 12
3. Configure desired speed on port 1/1/1:

device-name(config-if 1/1/1)#speed 1000
4. Configure desired duplex-mode on port 1/1/1:

device-name(config-if 1/1/1)#duplex full
5. Enable flow-control in full duplex-mode:

device-name(config-if 1/1/1)#flow-control enable
6. Configure broadcast-limit:
device-name(config-if 1/1/1)#storm-control broadcast 10M
7. Configure multicast-limit:
device-name(config-if 1/1/1)#storm-control multicast 20M
8. Configure unknown-limit:
device-name(config-if 1/1/1)#storm-control unknown 30M
9. Enable the port:

device-name(config-if 1/1/1)#no shutdown
Page 9
Configuration via SNMP

1. Configure a description on port 1/1/1:
***** SNMP SET-RESPONSE START *****
snmpset configL2IfaceName.1.1.1 string port1
***** SNMP SET-RESPONSE END *******
2. Configure Default VLAN on port 1/1/1:

snmpset configL2IfaceDefaultVID.1.1.1 integer 12
3. Configure desired speed on port 1/1/1:

snmpset configL2IfaceSpeedSet.1.1.1 integer 4 (1000 mbps)
4. Configure desired duplex-mode on port 1/1/1:

snmpset configL2IfaceDuplexModeSet.1.1.1 integer 2 (full)
5. Enable flow-control in full duplex-mode:

snmpset configL2IfaceFlow.1.1.1 integer 2 (on)
6. Configure broadcast-limit:
snmpset configL2IfaceBroadcastRateLimit.1.1.1 integer 100
7. Configure multicast-limit:
snmpset configL2IfaceMulticastRateLimit.1.1.1 integer 200
8. Configure unknown-limit:
snmpset configL2IfaceUnknownRateLimit.1.1.1 integer 300
9. Enable the port:

snmpset configL2IfaceEnable.1.1.1 integer 1 (enable)
Page 10
Configuring Link Aggregation Groups (LAGs) via

SNMP
For additional information about this feature, refer to the Link Aggregation Groups (LAGs) section of
the Configuring Interfaces chapter of this User Guide.
MIB Architecture: PRVT-PORTS-AGGREGATION-MIB

The Ports Aggregation MIB is used for managing BiNOS devices or ipSwitch static and dynamic
port aggregation.
NOTE
For the configuration via SNMP, only the portsAggregationConfigTable is used.
This table contains the objects:

portsAggregationConfigTable This table contains only the static (created by

management) port trunk configuration. This
table contains the following objects:
staticAggregationID Specifies a number representing the
aggregation group that this port belongs to.
The value 0 means that this port does not
belong to any static group.
dynamicAggregationID Specifies a number representing the
aggregation group that this port belongs to.
The value 0 means that this port does not
belong to any dynamic group.
aggregationType Specifies the aggregation type of the interface:
• disable(1) if the port does not belong to a
group
• static(2) if the port belongs to a static
group
• protocol-802-1adAcive(3) or protocol-802-
1adPassive (4) if the interface is part of a
dynamic group.
aggregationLacpPortPriority Specifies the LACP priority for a port.
aggregationLacpPortKey Specifies the LACP identification key for a port.
Page 11
Notifications
The PRVT-PORTS-AGGREGATION-MIB contains the following notifications:
• lagMemberLinkUp—is generated when the LAG link becomes up. It has two indexes. The
first ifIndex indicates the ID of the trunk interface. The second one shows the port member
with link status change.
OID: 1.3.6.1.4.1.738.1.5.106.3.1
• lagMemberLinkDown—is generated when the LAG link becomes down. It has two
indexes. The first ifIndex indicates the ID of the trunk interface. The second one shows the
port member with link status change.
OID: 1.3.6.1.4.1.738.1.5.106.3.2
• lagMemberAdd—is generated when a new port is added to a LAG link. It has two indexes.
The first ifIndex indicates the ID of the trunk interface. The second one shows the added port
member.
OID: 1.3.6.1.4.1.738.1.5.106.3.3
• lagMemberRemove—is generated when a port is removed from a LAG link. It has two
indexes. The first ifIndex indicates the ID of the trunk interface. The second one shows the
removed port member.
OID: 1.3.6.1.4.1.738.1.5.106.3.4
For more information regarding traps definition, refer to the Configuring Simple Network Management
Protocol (SNMP) chapter of this User Guide.
Page 12
LAG Configuration Examples

Static Link-Aggregation via SNMP Configuration Example

1. Configure static link aggregation:
2. Remove the port from aggregation:

device-name(config-if 1/2/1)#no link-aggregation
Dynamic Link-Aggregation via SNMP Configuration Example

1. Enable LACP globally
device-name(cfg protocol)#link-aggregation lacp enable
2. Enable LACP in Active mode on port 1/2/4:

device-name(config-if 1/2/4)#link-aggregation lacp active
3. Configure LACP priority

device-name(config-if 1/2/4)#link-aggregation lacp port-priority 40000
4. Configure LACP key

device-name(config-if 1/2/4)#link-aggregation lacp key 4
5. Disable aggregation on port 1/2/4:

device-name(config-if 1/2/4)#no link-aggregation
Page 13
Static Link-Aggregation via SNMP Configuration Example

1. Configure static link aggregation:
snmpset staticAggregationID.1.2.1 integer 3
2. Remove the port from aggregation:

snmpset aggregationType.1.2.1 integer 1 (disabled)
Dynamic Link-Aggregation via SNMP Configuration Example

1. Enable LACP globally:
snmpset aggregationLacpSystemEnable.0 integer 1
2. Enable LACP in Active mode on port 1/2/4:

snmpset aggregationType.1.2.4 integer 3 (active)
3. Configure LACP priority:

snmpset aggregationLacpPortPriority.1.2.4 integer 40000
4. Configure LACP key:

snmpset aggregationLacpPortKey.1.2.4 integer 4
5. Disable aggregation on port 1/2/4:

snmpset aggregationType.1.2.4 integer 1 (disabled)
Page 14
Configuring Resilient Links via SNMP

For additional information about this feature, refer to the Resilient Links section of the Configuring
Interfaces chapter of this User Guide.
MIB Architecture: PRVT-RESILIENT-LINK-MIB

The Resilient link MIB is used for managing BiNOS devices or ipSwitch resilient link.
This MIB contains the following tables and objects:
resilientLinkConfigTable This table contains the resilient link

configuration and contains the following
objects:
resilientLinkIndex This object identifies the resilient link.
resilientLinkEnable This object enables or disables the resilient

link.
resilientLinkPort1ifIndex This object identifies the first port belonging to
this resilient link; the value 0 means that no
port is selected.
resilientLinkPort2ifIndex This object identifies the second port belonging
to this resilient link; the value 0 means that no
port is selected.
resilientLinkPreferredPort This object identifies the preferred port (1 or 2)
in this resilient link; the value 0 means that no
port is selected.
resilientLinkActivePort This object identifies the active port (1 or 2) in
this resilient link. Only ports with link up can be
configured as active ports.
resilientLinkStatusTable This table contains the resilient link status and
contains the following objects:
resilientLinkConnectedPort This object shows the connected ports in the
resilient link.
resilientLinkCurrentActivePort This object identifies the active port (1 or 2) in
this resilient link. Only ports with link up can be
configured as active ports.
Page 15
Notifications
The PRVT-RESILIENT-LINK-MIB contains the resilientLinkStatusChange notification. It
indicates that the resilient link status was changed; it is identified by the resilientLinkIndex (OID:
1.3.6.1.4.1.738.1.5.102.0.1).
Resilient Links Configuration Examples

1. Configure resilient-link 5 on ports 1/2/3 and 1/2/4:
device-name(config-resil-link 5)#ports 1/2/3 1/2/4
2. Configure the preferred port:

device-name(config-resil-link 5)#prefer port 1/2/3
3. Check the currently active port:

device-name(config-resil-link 5)#active port 1/2/3
device-name(config-resil-link 5)#exit
4. Remove the resilient-link:

device-name(config)#no resilient-link 5

1. Enable resilient-link:
snmpset resilientLinkEnable.5 (integer) enable(1)
2. Configure resilient-link 5 on ports 1/2/3 and 1/2/4:

snmpset resilientLinkPort1ifIndex.5 integer 1203
snmpset resilientLinkPort2ifIndex.5 integer 1204
3. Configure the preferred port:

snmpset resilientLinkPreferredPort.5 integer 1
4. Check the currently active port:

snmpget resilientLinkCurrentActivePort.5
5. Remove the resilient-link:

snmpset resilientLinkEnable.5 integer 2 (disabled)
Page 16
Configuring Virtual LANs (VLANs) via SNMP

For additional information about VLANs, refer to the Virtual LANs section of the Configuring
VLANs and Super VLANs chapter of this User Guide.
MIB Architecture: Q-BRIDGE-MIB

The VLAN Bridge MIB is used for managing Virtual Bridged Local Area Networks, as defined by
IEEE 802.1Q-1998. This MIB is managing the MAC Address Table and is also referred to as
8021Q_d6.mib.
dot1qBase
dot1qVlanVersionNumber Contains the version number of IEEE 802.1Q that this

device supports.
dot1qMaxVlanId Contains the maximum IEEE 802.1Q VLAN ID that this
device supports.
dot1qMaxSupportedVlans Contains the maximum number of IEEE 802.1Q VLANs that
this device supports.
dot1qNumVlans Contains the current number of IEEE 802.1Q VLANs that
are configured in this device.
dot1qGvrpStatus Contains the administrative status requested by
management for GVRP. The value enabled(1) indicates that
GVRP should be enabled on this device, on all ports for
which it has not been specifically disabled. When
disabled(2), GVRP is disabled on all ports and all GVRP
packets will be forwarded transparently. This object affects
all GVRP Applicant and Registrar state machines. A
transition from disabled(2) to enabled(1) will cause a reset of
all GVRP state machines on all ports.
dot1qTp
dot1qFdbTable Contains the configuration and control information for each

Filtering Database currently operating on this device. Entries
in this table appear automatically when VLANs are assigned
FDB IDs in the dot1qVlanCurrentTable.
dot1qTpFdbTable Contains information about unicast entries for which the
device has forwarding and/or filtering information. This
information is used by the transparent bridging function in
determining how to propagate a received frame.
dot1qTpGroupTable Contains filtering information for VLANs configured into the
bridge by (local or network) management, or learnt
dynamically, specifying the set of ports to which frames
received on a VLAN for this FDB and containing a specific
Group destination address are allowed to be forwarded.
Page 17
dot1qForwardAllTable Contains forwarding information for each VLAN, specifying

the set of ports to which forwarding of all multicasts applies,
configured statically by management or dynamically by
GMRP. An entry appears in this table for all VLANs that are
currently instantiated.
dot1qForwardUnregister Contains forwarding information for each VLAN, specifying
edTable the set of ports to which forwarding of multicast group-
addressed frames for which there is no more specific
forwarding information applies. This is configured statically
by management and determined dynamically by GMRP. An
entry appears in this table for all VLANs that are currently
instantiated.
dot1qStatic
dot1qStaticUnicastTabl Contains filtering information for Unicast MAC addresses for

e each Filtering Database, configured into the device by (local
or network) management specifying the set of ports to which
frames received from specific ports and containing specific
unicast destination addresses are allowed to be forwarded.
A value of zero in this table, as the port number from which
frames with a specific destination address are received, is
used to specify all ports for which there is no specific entry
in this table for that particular destination address. Entries
are valid for unicast addresses only.
dot1qStaticMulticastTa Contains filtering information for Multicast and Broadcast
ble MAC addresses for each VLAN, configured into the device
by (local or network) management specifying the set of ports
to which frames received from specific ports and containing
specific Multicast and Broadcast destination addresses are
allowed to be forwarded. A value of zero in this table, as the
port number from which frames with a specific destination
address are received, is used to specify all ports for which
there is no specific entry in this table for that particular
destination address. Entries are valid for Multicast and
Broadcast addresses only.
dot1qVlan
dot1qVlanNumDeletes Contains the number of times a VLAN entry has been

deleted from the dot1qVlanCurrentTable (for any reason). If
an entry is deleted, then inserted, and then deleted, this
counter will be incremented by 2.
dot1qVlanCurrentTable Contains current configuration information for each VLAN
currently configured into the device by (local or network)
management, or dynamically created as a result of GVRP
requests received.
dot1qVlanStaticTable Contains static configuration information for each VLAN
configured into the device by (local or network)
management. All entries are permanent and will be restored
after the device is reset.
Page 18
dot1qNextFreeLocalVlan Contains the next available value for dot1qVlanIndex of a

Index local VLAN entry in dot1qVlanStaticTable. This will report
values >=4096 if a new Local VLAN may be created or else
the value 0 if this is not possible. A row creation operation in
this table for an entry with a local VlanIndex value may fail if
the current value of this object is not used as the index.
Even if the value read is used, there is no guarantee that it
will still be the valid index when the create operation is
attempted—another manager may have already got in
during the intervening time interval. In this case,
dot1qNextFreeLocalVlanIndex should be re-read and the
creation re-tried with the new value. This value will
automatically change when the current value is used to
create a new row.
dot1qPortVlanTable Contains per port control and status information for VLAN
configuration in the device.
dot1qPortVlanStatistic Contains per-port, per-VLAN statistics for traffic received.
sTable Separate objects are provided for both the most-significant
and least-significant bits of statistics counters for ports that
are associated with this transparent bridge. The most-
significant bit objects are only required on high capacity
interfaces, as defined in the conformance clauses for these
objects. This mechanism is provided as a way to read 64-bit
counters for agents which support only SNMPv1. Note that
the reporting of most-significant and least- significant
counter bits separately runs the risk of missing an overflow
of the lower bits in the interval between sampling. The
manager must be aware of this possibility, even within the
same varbindlist, when interpreting the results of a request
or asynchronous notification.
dot1qPortVlanHCStatist Contains per port, per VLAN statistics for traffic on high
icsTable capacity interfaces.
dot1qLearningConstrain Contains learning constraints for sets of Shared and

tsTable Independendent VLANs.
dot1qConstraintSetDefa Contains the identity of the constraint set to which a VLAN

ult belongs, if there is not an explicit entry for that VLAN in
dot1qLearningConstraintsTable.
dot1qConstraintType Contains the type of constraint set to which a VLAN
Default belongs, if there is not an explicit entry for that VLAN in
dot1qLearningConstraintsTable. The types are as defined
for dot1qConstraintType.
Page 19
VLANs Configuration Examples

1. Create a VLAN:
2. Add port 1/2/1 tagged and port 1/2/2 untagged:

3. Delete the created VLAN:

device-name(config vlan)#delete v1000

1. Create a VLAN:
set dot1qVlanStaticRowStatus.1000 integer 5 (createAndWait)
set dot1qVlanStaticName.1000 string v1000
2. Add port 1/2/1 tagged and port 1/2/2 untagged:

set dot1qVlanStaticEgressPorts.1000 (octet string) 30.00.00.00 (hex)
set dot1qVlanStaticUntaggedPorts.1000 (octet string) 10.00.00.00 (hex)
set configL2IfaceDefaultVID.1.2.2 (integer) 1000
set dot1qVlanStaticRowStatus.1000 (integer) 1 (active)
3. Remove the created VLAN:

set dot1qVlanStaticRowStatus.1000 integer 6 (destroy)
Page 20
Configuring Transparent LAN Services (TLS) via

SNMP
For additional information about the TLS feature, refer to the Configuring Transparent LAN Services
(TLS) chapter of this User Guide.
MIB Architecture
To configure TLS via SNMP, use the following MIBs:
• PRVT-SERV-MIB
• PRVT-L2TUNNELING-MIB
PRVT-SERV-MIB
The PRVT-SERV-MIB has 4 basic modules:
• prvtTMSvcObjs: This module contains objects which allow configuration the individual
service instances
• prvtTMSapObjs: This module contains information about the Service Access Ports (SAPs)
• prvtTMSdpObjs: The objects for configuring Service Distribution Paths (SDPs)
• prvtTMCustObjs (Currently not supported)
svcBaseInfoTable This is the table used to create and configure a

service instance in general. This table is indexed by
service instance number, and contains all instance-
specific service parameters.
svcId The service ID.
svcVpnId The object is not supported.
svcRowStatus This object is used to create entries in

svcBaseInfoTable.
svcType This object represents the type of service being
created. In this version it is read-only and
configured to tls(3) because only supports VPLS
services. Currently supported as read-only.
svcDescription The filed is not supported.
svcMtu The filed is not supported.
svcAdminStatus The filed is not supported.
svcOperStatus This object contains the operating state of the

service.
Page 21
svcNumSaps The filed is not supported.
svcNumSdps The filed is not supported.
svcLastMgmtChange The filed is not supported.
svcLastStatusChange The filed is not supported.
svcEnableSecureSaps This object is used to configure forwarding of traffic

from the uplink ports only.
svcCustName The name of the customer this service belongs to.
svcRevertTimer This object contains the revert timer of the service.
sapBaseInfoTable This is the table responsible for configuring and

displaying the Service Access Ports. This table is
indexed by the name of the service to which a SAP
is bound, the unique SAP id, which in this case is
the ifIndex of the port, and the object
sapEncapValue, which have the value of a valid
VLAN ID.
sapPortId This object contains the ifIndex of the port and part
of the index of sapBaseInfoTable.
sapEncapValue This object contains the VLAN ID. Part of the index
of sapBaseInfoTable.
sapRowStatus This object is used to create entries in
sapBaseInfoTable. Entries can be created only for
existing service instances.
sapType The filed is not supported.
sapDescription The filed is not supported.
sapAdminStatus The filed is not supported.
sapOperStatus This object contains the operational status of this

SAP. Currently supported as read-only.
sapLastMgmtChange The filed is not supported.
sapOperFlags The filed is not supported.
sapCustMultSvcSiteName The filed is not supported.
sapIngressQosPolicyId The filed is not supported.
sapEgressQosPolicyId The filed is not supported.
sapIngressQosSchedulerPolicy The filed is not supported.
sapEgressQosSchedulerPolicy The filed is not supported.
sapLearnMode The filed is not supported.
sdpInfoTable This table contains one entry for each SDP

configured. It is indexed by svcName and sdpId.
Maximum two SDPs can be configured per service:
one main and one backup.
Page 22
sdpId This is the SdpId, index of the table along with the
svcId.
sdpRowStatus This object is used to create new SDPs.
sdpDelivery This field is not supported.
sdpFarEndIpAddress This field is not supported.
sdpDescription This field is not supported.
sdpLabelSignaling This field is not supported.
sdpAdminStatus This field is not supported.
sdpOperStatus This object contains the operational status of the

SDP. Currently supported as read-only.
sdpLastMgmtChange This field is not supported.
sdpLdpEnabled This field is not supported.
sdpOperFlags This object specifies all the conditions that affect the
operating status of this SDP. If the SDP is up, the
value of this object is ignored.
This field is not supported.
sdpLastStatusChange This field is not supported.
sdpAdminIngressLabel This field is not supported.
sdpAdminEgressLabel This field is not supported.
sdpOperIngressLabel This field is not supported.
sdpOperEgressLabel This field is not supported.
sdpAdminIsBackup This field is not supported.
sdpOperIsBackup This field is not supported.
sdpOutInterface This object contains the desired outbound interface

for this SDP.
sdpGroupIdentifier This field is not supported.
sdpTransportTunnelName This field is not supported.
sdpVCType This field is not supported.
sdpType This field is not supported.
sdpMtu This field is not supported.
sdpBindVlanTag Outgoing VLAN.
sdpIsPwStatusSignalingEnable Specifies if PW-status signaling is enabled per

given SDP.
sdpEpsAdminIsPrimary This object specifies the CFM pair of MEPs that
monitor the primary path.
Page 23
sdpEpsAdminIsSecondary This object specifies the CFM pair of MEPs that

monitor the secondary path.
PRVT-L2TUNNELING-MIB
In BiNOS version 10.1.Rx and above, the configuration of TLS tunneling via SNMP support has
been added.
PRVT-L2TUNNELING-MIB provides configuration abilities and statistical information about L2
protocols tunneling via SNMP.
prvtL2TunnEnable Enables/disables the Layer 2 protocol tunneling
prvtL2TunnProfileTable Contains a read-create object used to create a new

profile. After it is created, the profile can not be
modified so NotInService state is not relevant for
prvtL2TunnProfile table
prvtL2TunnProfileName TLS profile name. There are three profiles that

represent the predefined policies:
• discard-all: a policy of discarding only L2 PDUs
• tunnel-all: a policy of tunneling only L2 PDUs
• tunnel-bpdu: a policy of tunneling only xSTP
packets. When the tunneling of xSTP protocols
is enabled, it allows tunneling the BPDUs
between the TLS access (user) ports over the
TLS core (uplink) ports. The tunneling is done
for packets with Multicast DA of 01-80-c2-00-
00-00 (STP)
prvtL2TunnProfileRowStatus TLS profile row status. It is not possible to modify
the predefined profiles:
• active(1): the object is active
• notInService(2): the object is not in service
• notReady(3): the object is in not ready state
• createAndGo(4): creates entries
• createAndWait(5): creates entries
• destroy(6): removes entries
prvtL2TunnProtocolsTable Contains read-crated objects used to create new
protocols
Page 24
prvtL2ProtocolName Specifies one of the allowed Layer 2 protocol PDUs

to be tunneled or discarded:
• all-bridges: the PDUs intended for the MAC
address that is reserved for the exclusive use
by the All Bridges are tunneled
• bridge: the PDUs intended for the MAC
addresses from the bridge block but are not
PDUs of any of the specified protocols are
tunneled
• dot1x: IEEE 802.1x standard
• efm-oam: Ethernet in the First Mile-Operations,
Administration and Maintenance standard
• elmi: Enhanced Local Management Interface
• garp: Generic Attribute Registration Protocol
• lacp: Link Aggregation Protocol
• lldp: Link Layer Discovery Protocol
• pvst: Per-VLAN Spanning Tree (PVST)
maintains a spanning tree instance for each
VLAN configured in the network. Since PVST
treats each VLAN as a separate network, it has
the ability to load balance traffic (at layer-2) by
forwarding some VLANs on one link and other
VLANs on another link without causing a
spanning tree loop
• pb-stp: Provider Bridge Spanning Tree
Protocol
• stp: Spanning Tree Protocol
prvtL2ProtocolEthertype The EtherType value: a hexadecimal VLAN
EtherType value (for example 0x9000)
prvtL2ProtocolMAC The multicast MAC address used for PDU
distribution
prvtL2ReplaceMAC A MAC address that is used to replace the original
destination MAC address in the encapsulated PDU
prvtL2ProtocolRowStatus TLS protocol row status. It is not possible to modify
the predefined protocols
prvtL2TunnProfMapProtTable Displays information about which protocol are
discarded and which protocol are tunneled per each
profile. An entry in this table contains only profiles
and protocols that are in active state
prvtL2TunnAction Specifies that one of the allowed Layer 2 Protocol
PDUs is tunneled or discarded
prvtL2TunnSAPPointsTable The tunneling service access point table. It has a
single object needed to configure a tunneling point.
You cannot create entries in it. This table always
contains the maximum number of SAPs
profileSAP The profile ID associated to a SAP. Setting this
object with an empty string disables the profile
Page 25
prvtL2TunnSDPPointsTable The tunneling service distribution point table. It has

a single object needed to configure a tunneling
point. You cannot create entries in it. This table
always contains the maximum number of SDPs
profileSDP The profile ID associated to an SDP. Setting this
object with an empty string disables the profile
prvtL2TunnClearStatistics Clears the L2 tunneling statistics for each tunneling
SAP or SDP:
• none(0)
• clear(1)
prvtL2TunnSapStatisticsTable Provides statistics for each tunneling SAP per
protocol
l2TunnSapRxPackets The number of SAP Rx L2 tunneling packets
l2TunnSapTxPackets The number of SAP Tx L2 tunneling packets
prvtL2TunnSdpStatisticsTable Provides statistics for each tunneling SDP per

protocol
l2TunnSdpRxPackets The number of SDP Rx L2 tunneling packets
l2TunnSdpTxPackets The number of SDP Tx L2 tunneling packets
Page 26
Notifications
The PRVT-SERVICES-MIB contains the following notifications:
• svcCreated—is sent when a new row is created in the svcBaseInfoTable.
OID: 1.3.6.1.4.1.738.1.7.2.2.2.0.1
The object included in the svcCreated notification is svcName.
• svcDeleted—is sent when an existing row is deleted from the svcBaseInfoTable.
OID: 1.3.6.1.4.1.738.1.7.2.2.2.0.2
The object included in the svcDeleted notification is svcName.
• svcStatusChanged—is generated when there is a change in the administrative or operating
status of a service.
OID: 1.3.6.1.4.1.738.1.7.2.2.2.0.3
The objects included in the svcStatusChanged notification are:
svcName
svcVCId
svcAdminStatus
svcOperStatus
• sapCreated—is sent when a new row is created in the sapBaseInfoTable.
OID: 1.3.6.1.4.1.738.1.7.2.2.3.0.1
The objects included in the sapCreated notification are:
sapName
sapPortId
sapEncapValue
• sapDeleted—is sent when an existing row is deleted from the sapBaseInfoTable.
OID: 1.3.6.1.4.1.738.1.7.2.2.3.0.2
The objects included in the sapDeleted notification are:
sapName
sapPortId
sapEncapValue
• sapStatusChanged—is generated when there is a change in the administrative or operating
status of an SAP.
OID: 1.3.6.1.4.1.738.1.7.2.2.3.0.3
The objects included in the sapStatusChanged notification are:
sapName
sapPortId
sapEncapValue
sapAdminStatus
sapOperStatus
Page 27
• sdpCreated—is sent when a new row is created in the sdpInfoTable.

OID: 1.3.6.1.4.1.738.1.7.2.2.4.0.1
The object included in the sdpCreated notification is sdpId.
• sdpDeleted—is sent when an existing row is deleted from the sdpInfoTable.
OID: 1.3.6.1.4.1.738.1.7.2.2.4.0.2
The object included in the sdpDeleted notification is sdpId.
• sdpStatusChanged—is generated when there is a change in the administrative or operating
status of an SDP.
OID: 1.3.6.1.4.1.738.1.7.2.2.4.0.3
The objects included in the sdpStatusChanged notification are:
sdpId
sdpAdminStatus
sdpOperStatus
Page 28
TLS Configuration Examples

1. Configure a new TLS service withID 7 and name serv:
device-name(config-tls serv)#
2. Configure the SDP on port 1/2/1:

device-name(config-tls serv)#sdp 1/2/1 s-vlan 12 4096
3. Add wildcard VLAN for SAP on port 1/2/2:

device-name(config-tls serv)#sap 1/2/2 c-vlan-wildcard all

1. Configure a new TLS service with ID 7 and name serv
1: svcRowStatus.7 (integer) createAndGo(4)
2. Configure the SDP:

2.1 Configure the SDP with ID 7 and VLAN ID3:
1: sdpRowStatus.7.4096 (integer) createAndGo(4)
2.2. Configure the outgoing VLAN ID:

1: sdpBindVlanTag.7.4096 (gauge) 12
2.3. Assign port 1/2/1 to the SDP:

1: sdpOutInterface.7.4096 (integer) 1201
3. Add wildcard VLAN for SAP on port 1/2/2

1: sapRowStatus.7.1202.0 (integer) createAndGo(4)
Page 29
TLS Tunneling Configuration Example

1. Enable TLS tunneling:
2. Create a tunneling profile:

device-name(config)#tls tunnel-profile lacp
3. Create a new L2 tunneling protocol:

device-name(config)#tls tunneled-ieee-pdu add newp 01:80:c2:22:22:22
01:a0:12:22:22:22 0x8281
4. Specify an action for a profile per a protocol:

device-name(config)#tls tunnel-profile lacp
device-name(tls-profile lacp)#tls tunnel stp

1. Set value of the object "prvtL2ProtocolRowStatus":
1: prvtL2ProtocolRowStatus.4.110.101.119.112 (integer) createAndWait(5)
***** SNMP SET-RESPONSE END *****
2. Set the MAC address:

1: prvtL2ProtocolMAC.4.110.101.119.112 (octet string) 01.80.C2.22.22.22
(hex)
3. Set the tunneling MAC address:

1: prvtL2ReplaceMAC.4.110.101.119.112 (octet string) 01.A0.12.22.22.22
(hex)
4. Set the ether-type value:

1: prvtL2ProtocolEthertype.4.110.101.119.112 (integer) 33409
5. Activate new custom protocol:

1: prvtL2ProtocolRowStatus.4.110.101.119.112 (integer) active(1)
Page 30
6. Specify an action for a profile per a protocol (profil LACP to tunnel STP BPDUs):
1: prvtL2TunnAction.4.108.97.99.112.3.115.116.112 (integer) tunnel(1)
Page 31
Configuring Spanning Tree Protocol (STP) via

SNMP
For information regarding STP feature, refer to the Configuring Spanning Tree Protocol (STP) chapter of
this User Guide.
MIB Architecture
To configure STP via SNMP, use the following MIBs:
• BRIDGE-MIB
• RSTP-MIB
• PRVT-SWITCH-MIB
BRIDGE-MIB
The BRIDGE-MIB provides information about the STP module management. This MIB defines
objects for managing MAC bridges based on the IEEE 802.1D-1990 standard between Local Area
Network (LAN) segments.
Standard supported: IEEE 802.1D-1990.
The RFC supported: RFC 1493. This RFC specifies an IAB standards track protocol for the
Internet community, and requests discussion and suggestions for improvements.
dot1dBase
dot1dBaseBridgeAddress This object is the MAC address used by this bridge. This is
the numerically smallest MAC address of all ports that
belong to this bridge. However, it is required to be unique.
When concatenated with dot1dStpPriority a unique bridge
Identifier is formed and is used in the STP.
dot1dBaseNumPorts This object specifies the number of ports controlled by this
bridging entity.
dot1dBaseType This object indicates what type of bridging this bridge can
perform. If a bridge is actually performing a certain type of
bridging, this is indicated by entries in the port table for the
given type.
dot1dBasePortTable This table contains generic information about every port that
is associated with this bridge.
Transparent, source-route, and SRT ports are included.
Page 32
dot1dStp
dot1dStpProtocol This object represents an indication of what version of the

Specification Spanning Tree Protocol is being run. The value
'decLb100(2)' indicates the DEC LANbridge 100 Spanning
Tree protocol. IEEE 802.1d implementations will return
ieee8021d(3).
dot1dStpPriority This object represents the value of the write-able portion of

the bridge ID, for example, the first two octets of the (8
octets long) Bridge ID. The other (last) 6 octets of the Bridge
ID are given by the value of dot1dBaseBridgeAddress.
dot1dStpTimeSinceTopolo This object represents the time (in hundredths of a second)
gyChange since the last time a topology change was detected by the
bridge entity.
dot1dStpTopChanges This object represents the total number of topology changes
detected by this bridge since the management entity was
last reset or initialized.
dot1dStpDesignatedRoot This object represents the bridge identifier of the root of the
spanning tree as determined by the STP as executed by this
node. This value is used as the root Identifier parameter in
all Configuration BPDUs originated by this node.
dot1dStpRootCost This object represents the cost of the path to the root as
seen from this bridge.
dot1dStpRootPort This object represents the port number of the port that offers
the lowest cost path from this bridge to the root bridge.
dot1dStpMaxAge This object represents the maximum age of STP information

learned from the network on any port before it is discarded,
in units of hundredths of a second. This is the actual value
that this bridge is currently using.
dot1dStpHelloTime This object represents the amount of time between the
transmission of Configuration BPDUs by this node on any
port when it is the root of the spanning tree or trying to
become so, in units of hundredths of a second. This is the
actual value that this bridge is currently using.
dot1dStpHoldTime This time value determines the interval length during which
no more than two BPDUs are transmitted by this node, in
units of hundredths of a second.
dot1dStpForwardDelay This time value, measured in units of hundredths of a
second, controls how fast a port changes its spanning state
when moving towards the forwarding state. The value
determines how long the port stays in each of the listening
and learning states, which precede the forwarding state.
This value is also used, when a topology change is detected
and is underway, to age all dynamic entries in the
forwarding database.
This value is the one that this bridge is currently using, in
contrast to dot1dStpBridgeForwardDelay. Is the value that
this bridge and all others start using if/when this bridge
becomes the root.
Page 33
dot1dStpBridgeMaxAge This object represents the value that all bridges use for
MaxAge, when this bridge is acting as the root.
802.1D-1990 specifies that the range for this parameter is
related to the value of dot1dStpBridgeHelloTime.
The granularity of this timer is specified by 802.1D-1990 to
be 1 second. An agent may return a badValue error if a set
is attempted to a value which is not a whole number of
seconds.
dot1dStpBridgeHelloTime This object represents the value that all bridges use for
hello-time, when this bridge is acting as the root. The
granularity of this timer is specified by 802.1D-1990 to be 1
second. An agent may return a badValue error if a set is
attempted to a value which is not a whole number of
seconds
dot1dStpBridgeForward This object represents the value all bridges use for forward-
Delay delay, when this bridge is acting as the root.
related to the value of dot1dStpBridgeMaxAge.
The granularity of this timer is specified by 802.1D-1990 to
be 1 second. An agent may return a badValue error if a set
is attempted to a value which is not a whole number of
seconds.
dot1dStpPortTable This is a table that contains port-specific information for the
STP.
dot1dTp
dot1dTpLearnedEntry This object specifies the total number of forwarding

Discards database entries that are learnt, but discarded due to a lack
of space to store them in the forwarding database. If this
counter is increasing, it indicates that the forwarding
database is regularly becoming full (a condition that has
unpleasant performance effects on the subnetwork). If this
counter has a significant value but is not presently
increasing, it indicates that the problem occurs but is not
persistent.
dot1dTpAgingTime This object specifies the timeout period in seconds for aging
out dynamically learned forwarding information.
802.1D-1990 recommends a default of 300 seconds.
dot1dTpFdbTable This table contains information about unicast entries for
which the bridge has forwarding and/or filtering information.
This information is used by the transparent bridging function
in determining how to propagate a received frame.
dot1dTpPortTable This table contains information about every port that is
associated with this transparent bridge.
Page 34
dot1dStatic
dot1dStaticTable This table contains filtering information configured into the

bridge by (local or network) the management specifying the
set of ports to which frames are received from specific ports.
The specific destination addresses are allowed to be
forwarded. The value of zero in this table as the port
number, from which frames with a specific destination
address are received, is used to specify all ports for which
there is no specific entry in this table for that particular
destination address. Entries are valid for unicast and for
group/broadcast addresses.
RSTP-MIB
This MIB is an extension of Bridge MIB used for managing devices that support the Rapid
Spanning Tree Protocol defined by IEEE 802.1w.
dot1dStpPortTable This table contains port-specific information for the

STP.
dot1dStpVersion This object specifies the version of STP the bridge is
currently running. The value stpCompatible(0)
indicates the STP specified in IEEE 802.1D and
rstp(2) indicates the RSTP specified in IEEE
802.1w.
dot1dStpPathCostDefault This object specifies the version of the STP default
path cost used by this bridge. A value of
8021d1998(1) uses the 16 bits default path cost from
IEEE Std. 802.1D-1998.
A value of stp8021t2001(2) uses the 32 bits default
path cost from IEEE Std.802.1t.
dot1dStpExtPortTable
dot1dStpPortProtocolMigration When operating in RSTP (version 2) mode, writing

true(1) to this object forces this port to transmit
RSTP BPDUs.
Any other operation on this object has no effect and
it always returns false(2) when read.
dot1dStpPortAdminEdgePort This object specifies the administrative value of the
edge-port parameter. A value of true(1) indicates
that this port should be assumed as an edge-port
and a value of false(2) indicates that this port is
assumed as a non-edge-port.
dot1dStpPortOperEdgePort This object specifies the operational value of the
edge-port parameter. The object is initialized to the
value of dot1dStpPortAdminEdgePort and is
configured to false(2) on reception of a BPDU.
Page 35
dot1dStpPortAdminPointToPoint This object specifies the administrative point-to-point

status of the LAN segment attached to this port. A
value of forceTrue(0) indicates that this port is
always treated as if it is connected to a point-to-point
link. A value of forceFalse(1) indicates that this port
is treated as having a shared media connection. A
value of auto(2) indicates that this port is considered
to have a point-to-point link if it is an Aggregator and
all of its members can be aggregated, or if the MAC
entity is configured for full duplex operation, either
through auto-negotiation or by management means.
dot1dStpPortOperPointToPoint This object specifies the operational point-to-point
status of the LAN segment attached to this port. It
indicates whether a port is considered to have a
point-to-point connection or not.
The value is determined by management or by auto-
detection, as described in the
dot1dStpPortAdminPointToPoint object.
dot1dStpPortAdminPathCost This object specifies the STP port path cost. Each
bridge port has an assigned path cost, a user-
definable parameter that determines the port’s
preference to be included in the active spanning tree
topology.
Page 36
PRVT-SWITCH-MIB
The Switch MIB (1.3.6.1.4.1.738.1.5.100) is a private MIB used for managing Telco Systems internal
device parameters.
The RFC supported: RFC 2863 The Interfaces Group MIB (configL2IfaceTable and interface
table)..
NOTE
For the configuration via SNMP, only the configL2SpanOnOff object is used.
This object is used to enable or disable MSTP.
configL2SpanOnOff (1.3.6.1.4.1.738.1.5.100.2.2.1)
This object enables/disables Spanning Tree protocols. When Spanning Tree is disabled, the device's
ports are placed in forwarding mode, regardless of the current Spanning Tree state. When enabled
again, the normal state transitions take place.
To enable STP, select enableSTP(1) value from the following list:
1. enableSTP(1)
2. disable(2)
3. enableRSTP(3)
4. enablePVST(4)
5. enableMST(5)
Notifications
The BRIDGE-MIB contains the following notifications:
• newRoot—indicates that a new root is elected by the Spanning Tree algorithm.
OID: 1.3.6.1.2.1.17.1
• topologyChange—indicates that the topology change is detected by the Spanning Tree
algorithm.
OID: 1.3.6.1.2.1.17.2
Page 37
STP via SNMP Configuration Example

The following example is based on the STP Configuration Example (refer to the Configuring Spanning
Tree Protocol (STP) chapter of this User Guide) and it details the steps to configure an Ethernet
network using STP via SNMP.
NOTE
To configure the path cost, set dot1dStpPortPathCost object as follows:
• for port 1/1/1, select value 1
• for ports 1/2/1–1/2/8, select values from 3 to 10
1. Enable STP:
1: configL2SpanOnOff.0 (integer) enableSTP(1)
2. Configure the STP bridge priority to 4096, to make device A the bridge root.
1: dot1dStpPriority.0 (integer) 4096
3. Configure the STP MaxAge time to 10. Do this calculation according to the following formula:
Max_age = (4 x hello) + (2 x dia) - 2, when the hello-time is 2 and the diameter is 2:
(The aging time value, from this example, is in milliseconds.)
1: dot1dStpBridgeMaxAge.0 (integer) 1000
4. Configure the STP forward-delay timer to 7. Do this calculation according to the following
formula: Forward_delay = ((4 x hello) + (3 x dia)) / 2, when the hello-time is 2 and the diameter
is 2:
(The delay timer value, from this example, is in milliseconds.)
1: dot1dStpBridgeForwardDelay.0 (integer) 700
Page 38
1. Enable STP:
2. Configure port 1/2/1 with path cost 1:

1: dot1dStpPortPathCost.3 (integer) 1
Enable STP:
1. Enable STP:

Enable STP:
Page 39
Configuring Rapid STP (RSTP) via SNMP

For information regarding the RSTP feature, refer to the Configuring Rapid Spanning Tree Protocol
(RSTP) chapter of this User Guide.
MIB Architecture
To configure RSTP via SNMP, use the following MIBs:
• BRIDGE-MIB
• RSTP-MIB
• PRVT-SWITCH-MIB
BRIDGE-MIB
Refer to the BRIDGE-MIB section.
RSTP-MIB
Refer to the RSTP-MIB section.
PRVT-SWITCH-MIB
Refer to the PRVT-SWITCH-MIB section.
To enable RSTP, select enableRSTP(3) value from the following list:
1. enableSTP(1)
2. disable(2)
3. enableRSTP(3)
4. enablePVST(4)
5. enableMST(5)
Page 40
RSTP via SNMP Configuration Example

The following example is based on the RSTP Configuration Example (refer to the Configuring Rapid
Spanning Tree Protocol (RSTP) chapter of this User Guide) and it details the steps to configure an
Ethernet network using RSTP via SNMP.
NOTE
To configure the port priority, path cost, and edge ports:
• for ports 1/2/1–1/2/8, select values from 3 to 10
1. Enable RSTP:
1: configL2SpanOnOff.0 (integer) enableRSTP(3)
2. Configure the RSTP bridge priority to 4096, to make device A the root bridge:
1: dot1dStpPriority.0 (integer) 4096
3. Configure the RSTP MaxAge time to 10. Do this calculation according to the following
formula: Max_age = (4 x hello) + (2 x dia) - 2, where the hello-time is 2 and the diameter is 2:
(The aging time value, from this example, is in milliseconds.)
1: dot1dStpBridgeMaxAge.0 (integer) 1000
4. Configure the RSTP forwarding delay timer to 7. Do this calculation according to the
following formula: Forward_delay = ((4 x hello) + (3 x dia)) / 2, where the hello-time is 2 and the
diameter is 2:
(The delay time value, from this example, is in milliseconds.)
1: dot1dStpBridgeForwardDelay.0 (integer) 700
Enable RSTP:
Page 41
1. Enable RSTP:
2. Configure port 1/1/1 priority to 64 to cause it to be the forwarding port of device D:

1: dot1dStpPortPriority.1 (integer) 64
1. Enable RSTP:

3. Configure ports 1/2/3 and 1/2/4 on device D as edge ports, since they are attached to PCs:
1: dot1dStpPortAdminEdgePort.5 (integer) true(1)
1. Enable RSTP:
2. Configure ports 1/2/3 and 1/2/4 on device E as edge ports, since they are attached to PCs:
Page 42
Configuring Multiple STP (MSTP) via SNMP

For information regarding MSTP feature, refer to the Configuring Multiple Spanning Tree Protocol
(MSTP, IEEE 802.1s) chapter of this User Guide.
MIB Architecture
To configure MSTP via SNMP, use the following MIBs:
• PRVT-MST-MIB
• PRVT-SWITCH-MIB
PRVT-MST-MIB
This MIB is used for managing 802.1s Multiple Spanning Tree Protocol (MSTP).
MSTP carries the concept of the IEEE 802.1w Rapid Spanning Tree Protocol (RSTP) a leap
forward by allowing you to group and associate VLANs to multiple spanning tree instances
(forwarding paths). Used in a VLAN environment, this added capability affords rapid convergence
as well as load balancing.
Standards supported:
• IEEE 802.1d-1998
• IEEE 802.1t-2001
• IEEE 802.1w-2001
• IEEE 802.1s-2002
mSTRegion
mSTRegionEditControl mSTRegionEditBufferStatu Indicates the current

s ownership status of the
unique Region Config Edit
Buffer.
mSTRegionEditBufferOpera Indicates the operation that
tion is performed on the Region
Config Edit Buffer.
This object always returns
other(1) when it is read.
mSTRegionParameters mSTRegionName Indicates the operational
MST region name.
Page 43
mSTRegionEditName Indicates the MST region

name in the Edit Buffer.
This object is only
instantiated when
themSTRegionEditBufferSt
atus object has the value of
acquiredBySnmp(2).
mSTRegionRevision Indicates the operational
MST region version.
mSTRegionEditRevision Indicates the MST region
version in the Edit Buffer.
This object is only
instantiated when the
mSTRegionEditBufferStatu
s object has the value of
acquiredBySnmp(2).
mSTInstanceVlanTable Contains MST instance
information with one entry
for each MST instance
numbered from 0 to
mSTMaxInstanceNumber.
mSTInstanceVlanEditTable Contains MST instance
information in the Edit
Buffer with one entry for
each MST instance
numbered from 0 to
This table is only
instantiated when the
mSTRegionEditBufferStatu
s object has the value of
acquiredBySnmp(2).
mSTBridgeParams mSTMaxHopCount Indicates the maximum
number of hops for the
MST region
mSTMaxInstanceNumber Indicates the maximum
MST (Multiple Spanning
Tree) instance IDs that are
supported by the device for
the MST Protocol.
mSTInstanceTable Contains MST instance
information with one entry
for each MST instance
numbered from 0 to
mSTTimers
mSTMigrationTimer This object indicates the MST migration timer.

Determines timeout migration in seconds.
mSTTxHoldCount This object indicates the MST Tx Hold Counter.
Page 44
mSTMaxAge This object indicates the maximum age of Multiple Spanning

Tree Protocol information learned from the network on any
port before it is discarded, in units of hundredths of a second.
This is the actual value that this bridge is currently using.
mSTHelloTime This object indicates the time between the transmissions of
Configuration bridge PDUs by this node on any port when the
port is the root of the spanning tree or trying to become so, in
units of hundredths of a second. This is the actual value that
this bridge is currently using.
mSTForwardDelay This time value, measured in units of hundredths of a second,
controls how fast a port changes its spanning state when
moving toward the Forwarding state. The value determines
how long the port stays in each of the Listening and Learning
states, which precede the Forwarding state. This value is also
used, when a topology change has been detected and is
underway, to age all dynamic entries in the Forwarding
Database. Note that this value is the one that this bridge is
currently using, in contrast to mSTBridgeForwardDelay which
is the value that this bridge and all others would start using
if/when this bridge were to become the root.
mSTBridgeMaxAge This object indicates the value that all bridges use for MaxAge
when this bridge is acting as the root. Note that 802.1D-1990
specifies that the range for this parameter is related to the
value of mSTBridgeHelloTime. The granularity of this timer is
specified by 802.1D-1990 to be 1 second. An agent may
return a badValue error if a set operation is attempted with a
value that is not a whole number of seconds.
mSTBridgeHelloTime This object indicates the value that all bridges use for
HelloTime when this bridge is acting as the root. The
granularity of this timer is specified by 802.1D-1990 to be 1
second. An agent may return a badValue error if a set
operation is attempted with a value that is not a whole number
of seconds.
mSTBridgeForwardDelay This object indicates the value that all bridges use for
ForwardDelay when this bridge is acting as the root. Note that
related to the value of mSTBridgeMaxAge. The granularity of
this timer is specified by 802.1D-1990 to be 1 second. An
agent may return a badValue error if a set operation is
attempted with a value that is not a whole number of seconds.
mSTPort
mSTPortTable It is a table containing port information for the MST Protocol

on all the bridge ports existing on the system.
mSTPortPerMstTable It is a table containing a list of the bridge ports for a particular
MST instance.
Page 45
PRVT-SWITCH-MIB
Refer to PRVT-SWITCH-MIB section.
To enable MSTP, select enableMST(5) value from the following list:
1. enableSTP(1)
2. disable(2)
3. enableRSTP(3)
4. enablePVST(4)
5. enableMST(5)
Notifications
The PRVT-MST-MIB contains the following notifications:
• MSTPNewRoot—indicates that a new root is selected by the Multiple Spanning Tree
algorithm.
OID: 1.3.6.1.4.1.738.1.5.107.0.1
• MSTPTopologyChange—indicates that the topology change is detected by the Multiple
Spanning Tree algorithm.
OID: 1.3.6.1.4.1.738.1.5.107.0.2
Page 46
MSTP via SNMP Configuration Examples

The following example is based on the MSTP Configuration Example (refer to the Configuring Multiple
Spanning Tree Protocol (MSTP, IEEE 802.1s) chapter of this User Guide) and it details the steps to
configure an Ethernet network using MSTP via SNMP.
Pending Configuration
1. Enter MSTP Protocol Configuration mode and map the VLANs ranging from 1 to 10 to MST
instance 1:
1: mSTInstanceEditVlansMap.1 (octet string) 1-10
2. Assign to the MSTP region the name region1 and the revision number 1:
1: mSTRegionEditName.0 (octet string) region1 [72.65.67.69.6F.6E.31
(hex)]
1: mSTRegionEditRevision.0 (integer) 1
MSTP Global Parameters Configuration

1. Enable MSTP and configure the forward-delay value to 10 seconds:
(The value for forward-delay, from this example, is in milliseconds.)
1: configL2SpanOnOff.0 (integer) enableMST(5)
1: mSTBridgeForwardDelay.0 (integer) 1000
2. Configure the following parameters: hello-time to 5 seconds, MaxAge time to 14 seconds and
max-hop count to 23:
(The values for hello-time and aging time, from this example, are in milliseconds.)
1: mSTBridgeHelloTime.0 (integer) 500
1: mSTBridgeMaxAge.0 (integer) 1400
1: mSTMaxHopCount.0 (integer) 23
Page 47
Configuring Quality of Service (QoS) via SNMP

In BiNOS version 9.3.Rx and above, the configuration of QoS via SNMP support has been added.
In the sections below, you can find explanations for the new PRVT-QoS-MIB and its architecture
used for configuring QoS via SNMP.
For detailed information about QoS and the CLI commands related to this feature, refer to the
Configuring Quality of Service (QoS) chapter of this User Guide.
MIB Architecture: PRVT-QoS-MIB

This is a private MIB that defines the full SNMP support functionality for the QoS feature.
The MIB defines all the attributes, needed to create, manage and destroy QoS configuration.
tCongestionAvoidanceProfileObjects
qosTailDropProfileTable The tail-drop profile table. Each entry in this table

defines a set of tail-drop parameters that may be
enforced on a queue or a policy.
qosSredProfileTable The SRED profile configuration table. Each entry in
this table defines a set of SRED parameters that
may be enforced on a queue or a policy.
qosSchedulingProfileObjects
qosSchedulingProfileTable The information about the scheduling profiles.
qosServicePolicyObjects
qosServicePolicyTable The QoS service policy table. It contains common

information for the QoS service policy.
qosServiceIngressPolicyTable The information about all QoS service ingress
policies configuration.
qosServiceIngressQueueTable The information about all QoS service ingress
queues configuration.
qosNetworkPolicyObjects
qosNetworkPolicyTable The QoS network policy table. It keeps common

information for the QoS network policy.
qosNetworkIngressTable The information about the QoS network ingress
policy.
qosNetworkEgressTable The information about the QoS network egress
policy.
qosNetworkEgressQueueTable The information about the QoS network queues.
Page 48
qosGlobalObjects
qosGlobalIngressMapTable The global QoS ingress configuration table.
qosGlobalEgressMapTable The global QoS egress configuration table.
qosServiceObjects
qosServiceTable Is responsible for managing QoS service

configuration.
qosServiceSapTable Is responsible for managing QoS SAP service
configuration.
qosInterfaceObjects
qosInterfaceTable Is responsible for managing QoS interface

configuration.
Page 49
QoS via SNMP Configuration Examples

The following example is based on the Configuration Example (refer to the Configuring Quality of Service
(QoS) chapter of this User Guide) and it details the steps to configure an Ethernet network using
QoS via SNMP.
Mapping Priority to Queue

Change the mapping of the FC priority levels to the following:
• Priority 0 and 1—FC l2, drop-level green
• Priority 2 and 3—FC l1, drop-level yellow
• Priority 4 and 5—FC ef, drop-level green
• Priority 6 and 7—FC nc, drop-level yellow
To change the mapping, use the following objects from qosGlobalIngressMapTable:
• qosIngressMapType—is the type of the configuration entry for this mapping:

1: dot1p(1)—selects priority mapping
2: dscp(2)—selects DSCP mapping
• qosIngressMapValue—specifies DSCP or Dot1p value to be mapped to a FC:
1: range is <0–63> (for DSCP)
2: range is <0–7> (for priority)
• qosIngressRowStatus—creates or removes entries in this table:
active(1): the object is active
notInService(2): the object is not in service
notReady(3): the object is in not ready state
createAndGo(4): creates entries
createAndWait(5): creates entries
destroy(6): removes entries
• qosIngressFC—selects FC to which the traffic will flow, see the example
• qosIngressFCConformance—selects the conformance level: green or yellow, see the example
Page 50
1. Change the mapping of the FC priority levels:

1: qosIngressFC.1.0 (integer) l2(2)
1: qosIngressFCConformance.1.0 (integer) green(1)
1: qosIngressFCConformance.1.2 (integer) yellow(2)
1: qosIngressFC.1.4 (integer) ef(6)
1: qosIngressFC.1.6 (integer) nc(8)
2. Display the new priority of the FC levels:

Page 51
3. Display the new color of the FC levels:

Configuring the DSCP-to-FC Mapping

Configure the mapping of DSCP 2 and 4 with FC priorities l1 and h2, respectively.
1. Configure the DSCP 2 with FC priority l1 and mark it as green:
2. Configure the DSCP 4 with FC priority h2 and mark it as yellow:

1: qosIngressFC.2.4 (integer) h2(5)
Page 52
Configuring QoS Service Policy

To configure the QoS service policy and apply it on a SAP, use the following tables and objects:
• from qosServicePolicyTable use:
qosServicePolicyRowStatus—creates or removes entries in this table:
♦ active(1): the object is active
♦ notInService(2): the object is not in service
♦ notReady(3): the object is in not ready state
♦ createAndGo(4): creates entries
♦ createAndWait(5): creates entries
♦ destroy(6): removes entries
qosServicePolicyDescription—adds a description to the service policy. It is a string
up to 30 characters
• from qosServiceIngressPolicyTable use qosServicePolicyShaperProfile object—the
ID of the shaper profile to be configured on the service policy; valid range is <9–57>
• from qosServiceIngressQueueTable use qosServInQueueShaperProfile object—the ID
of the shaper profile to be configured on a queue; valid range is <9–57>
• from qosServiceIngressQueueTable use:
qosServInQueueQueue—the service ingress queue ID; valid range is <1–8>
qosServInQueueRowStatus—creates or removes entries in this table; see allowed values
qosServInQueueShaperProfile—the service ingress shaper profile ID; valid range is
<9–57>
• from qosServiceTable use:
qosServiceRowStatus—creates or removes entries in this table; see allowed values
qosServicePolicyOnServ—the policy name to be configured on a service
• from qosServiceSapTable use:
qosServiceSapIndex—the index of the SAP
qosServiceSapRowStatus—creates or removes entries in this table for SAP; see allowed
values
qosServiceSapPolicyEnable—enables the service policy for this SAP
Page 53
Creating/Removing the Service Policy

1. Create a service policy named service:
1: qosServicePolicyRowStatus.1 (integer) createAndWait(5)
1: qosServicePolicyDescription.1.2 (octet string) service
1: qosServicePolicyRowStatus.1.2 (integer) active(1)
2. Remove the created service policy:

1: qosServicePolicyRowStatus.1.2 (integer) destroy(6)
Applying the Shaper for the Service Policy

1. Apply the shaper (with ID 2) per service policy:
1: qosServicePolicyRowStatus.1 (integer) createAndWait(5)
1: qosServPolicyShaperProfile.1.2 (integer) 2
2. Apply the shaper (with ID 3) per service ingress queue:

1: qosServInQueueRowStatus.1.2.3 (integer) createAndWait(5)
1: qosServInQueueShaperProfile.1.2.3 (integer) 3
1: qosServInQueueRowStatus.1.2.3 (integer) active(1)
1: qosServicePolicyRowStatus.1.2. (integer) active(1)
Page 54
Configuring the Service Ingress Queue

1. Create a service ingress queue with ID 5:
1: qosServInQueueRowStatus.1.2.3 (integer) createAndWait(5)
2. Apply the created shaper profile (with ID 9) on this queue:

1: qosServInQueueShaperProfile.1.2.3 (integer) 9
1: qosServInQueueRowStatus.1.2.3 (integer) active(1)
Applying the QoS Service Policy per SAP
NOTE
Before this configuration, first create the QoS service policy, and then SDP and
SAP for the TLS service (see the TLS Configuration Examples).
1. Apply the created policy (named service) per SAP:

Set qosServiceRowStatus to CreateAndWait(5)
Set qosServicePolicyOnServ to service
Set qosServiceSapRowStatus to CreateAndWait(5)
2. Specify the ID of the SAP:

Set qosServiceSapIndex to 1
3. Enable the service policy for this SAP:

Set qosServiceSapPolicyEnable to enable
Set qosServiceRowStatus to Active(1)
Page 55
Configuring 802.3ah Ethernet in the First Mile

(EFM) via SNMP
For additional information about EFM-OAM feature, refer to the Intermediate 802.3ah Ethernet in the
First Mile (EFM) section of the Operation Administration and Maintenance (OAM) chapter of this User
Guide.
MIB Architecture
To configure EFM-OAM via SNMP, use the following MIBs:
• PRVT-SWITCH-EFM-OAM-MIB
• DOT3-OAM-MIB
PRVT-SWITCH-EFM-OAM-MIB
This private MIB is used for managing the IEEE 802.3ah EFM-OAM module.
prvtEfmOamEnable Enables/disables the EFM OAM protocol on the device.
prvtEfmOamMultiPduCount Specifies the number of OAM PDUs sent when the

protocol asks to send multiple subsequent messages.
prvtEfmOamRemoteEvent Enables or disables sending the local event notifications
to the remote device.
prvtEfmOamLocalSysLog Enables/disables the sending of Event Notification OAM
PDU to the local Syslog daemon.
prvtEfmOamPriority Specifies the priority of the sent OAM PDUs.
prvtEfmOamKeepAlive Specifies the aging interval (in milliseconds) of the last

heard neighboring device.
prvtEfmOamHelloInterval Specifies the maximal interval between a pair of PDUs in
milliseconds.
prvtEfmOamPktsSent Specifies the number of sent EFM-OAM packets
prvtEfmOamPktsReceived Specifies the number of received EFM-OAM packets
prvtEfmOamHistorySize Number of entries in EFM_OAM history.
prvtEfmOamTable This table contains an entry per physical port, indexed by

the corresponding ifIndex from IF-MIB and each row in
the table contains a single column.
prvtEfmOamPingTable This table lets the EFM-OAM non-intrusive monitoring on
the specific port by querying a number of time
aFramesTransmittedOK parameter, ping requests, using
the variable retrieval EFM OAM PDU.
Page 56
prvtEfmOamPingResultTable Displays the ping results.
prvtEfmOamLoopbackTable This table permits to perform EFM-OAM intrusive

monitoring on the specific port by setting the remote
device into loopback state and generating test traffic.
It should support storm operation, an operation that sets
remote loopback, stops local data flow to the remote
device and generates a packet burst by CPU. When the
burst is received back it is validated and statistics are
displayed. Burst operation, an operation that sets remote
loopback, stops local data flow to the remote device and
generates a packet test burst by the hardware (when
available).
It means a single packet generated by CPU is repetitively
sent by the hardware. When the burst is received back, it
is ignored and only counters are displayed.
prvtEfmOamLoopbackResultTable Displays the loopback results.
prvtEfmOamPeerTable This table holds the peer extended information available

only when the local port is configured in Enhanced mode
and the remote is detected as T-Marc 300 Series device.
This table contains an entry per physical port, indexed by
the corresponding ifIndex from IF-MIB.
DOT3-OAM-MIB
This public MIB is used for managing the IEEE 802.3ah EFM-OAM module.
This MIB contains the following tables:
dot3OamTable This table contains the primary controls and status for the OAM
capabilities of an Ethernet port. There is one row in this table for
each Ethernet port in the system that supports the OAM functions
defined in 802.3ah standard.
dot3OamPeerTable This table contains information about the OAM peer for a
particular Ethernet port. OAM entities communicate with a single
OAM peer entity on Ethernet links on which OAM is enabled and
operating properly. There is one entry in this table for each entry
in the dot3OamTable for which information on the OAM peer
entity is available.
dot3OamLoopbackTable This table contains controls for the loopback state of the local link
as well as indicates the status of the loopback function. There is
one entry in this table for each entry in dot3OamTable that
supports loopback functionality (where
dot3OamFunctionsSupported includes the loopbackSupport bit
set).
Loopback can be used to place the remote OAM entity in a state
where every received frame (except OAMPDUs) is echoed back
over the same port on which they were received. In this state, at
the remote entity, normal traffic is disabled as only the looped
back frames are transmitted on the port.
Page 57
dot3OamStatsTable This table contains statistics for the OAM function on a particular
Ethernet port. There is an entry in the table for every entry in the
dot3OamTable.
The counters in this table are defined as 32-bit entries to match
the counter size as defined in 802.3ah standard. Given that the
OAM protocol is a slow protocol, the counters increment at a slow
rate.
dot3OamEventConfigTable Ethernet OAM includes the ability to generate and receive Event
Notification OAMPDUs to indicate various link problems.
This table contains the mechanisms to enable Event Notifications
and configure the thresholds to generate the standard Ethernet
OAM events. There is one entry in the table for every entry in
dot3OamTable that supports OAM events (where
dot3OamFunctionsSupported includes the eventSupport bit set).
The values in the table are maintained across changes to
dot3OamOperStatus.
The standard threshold crossing events are:
• Errored Symbol Period Event—generated when the number
of symbol errors exceeds a threshold within a given window
defined by a number of symbols (for example, 1,000 symbols
out of 1,000,000 had errors).
• Errored Frame Period Event—generated when the number
of frame errors exceeds a threshold within a given window
defined by a number of frames (for example, 10 frames out
of 1000 had errors).
• Errored Frame Event—generated when the number of frame
errors exceeds a threshold within a given window defined by
a period of time (for example, 10 frames in 1 second had
errors).
• Errored Frame Seconds Summary Event—generated when
the number of errored frame seconds exceeds a threshold
within a given time period (for example, 10 errored frame
seconds within the last 100 seconds). An errored frame
second is defined as a 1 second interval which had more
than 0 frame errors.
There are other events (dying gasp, critical events) that are not
threshold crossing events but which can be enabled/disabled via
this table.
Page 58
dot3OamEventLogTable This table records a history of the events that occurred at the
Ethernet OAM level. These events can include locally detected
events, which may result in locally generated OAMPDUs, and
remotely detected events, which are detected by the OAM peer
entity and signaled to the local entity via Ethernet OAM. Ethernet
OAM events can be signaled by Event Notification OAMPDUs or
by the flags field in any OAMPDU.
This table contains both threshold crossing events and non-
threshold crossing events. The parameters for the threshold
window, threshold value, and actual value
(dot3OamEventLogWindowXX, dot3OamEventLogThresholdXX,
dot3OamEventLogValue) are only applicable to threshold
crossing events.
Entries in the table are automatically created when such events
are detected. The size of the table is implementation dependent.
When the table reaches its maximum size, older entries are
automatically deleted to allow newer entries.
Notifications
PRVT-SWITCH-EFM-OAM-MIB contains the following notifications:
• prvtOamLoopBackState: is sent whenever the loopback state changes from remote; when
dot3OamMode is passive or dot3OamAdminState is disabled, the interface cannot be on
remoteLoopback state and this trap is sent.
OID: 1.3.6.1.4.1.738.1.5.133.0.1
• prvtOamDyingGasp: generates a dying-gasp alarm. In order for dying-gasp trap to be
functional, also configure warmStart and coldStart notifications. Dying-gasp is sent only to
one server (last one used).
OID: 1.3.6.1.4.1.738.1.5.133.0.2
DOT3-OAM-MIB contains the following notifications:
• dot3OamThresholdEvent: is sent when a local or remote threshold crossing event is
detected. A local threshold crossing event is detected by the local entity, while a remote
threshold crossing event is detected by the reception of an Ethernet OAM Event Notification
OAMPDU that indicates a threshold event. This notification should not be sent more than
once per second. The OAM entity can be derived from extracting the ifIndex from the
variable bindings. The objects in the notification correspond to the values in a row instance in
the dot3OamEventLogTable. The management entity should periodically check
dot3OamEventLogTable to detect any missed events.
OID: 1.3.6.1.2.1.158.0.1
• dot3OamNonThresholdEvent: is sent when a local or remote non-threshold crossing event
is detected. This notification should not be sent more than once per second. For more
information, refer to the dot3OamNonThresholdEvent notification above.
OID: 1.3.6.1.2.1.158.0.2
Page 59
EFM-OAM via SNMP Configuration Example

The following example is based on the EFM-OAM Configuration Example (refer to the Operation
Administration and Maintenance (OAM) chapter of this User Guide) and it details the steps to
configure an Ethernet network using EFM-OAM via SNMP.
1. Enable EFM-OAM if necessary:
1: prvtEfmOamEnable.0 (integer) true(1)
2. Define the number of OAMPDUs:

1: prvtEfmOamMultiPduCount.0 (gauge) 3
3. Enable the sending of local event notifications to the remote peer:

1: prvtEfmOamRemoteEvent.0 (integer) true(1)
4. Define the OAMPDUs' priority:

1: prvtEfmOamPriority.0 (gauge) 3
5. Define the expected time interval between two consecutive OAMPDUs received from the
peer (the keep-alive interval value, from the example, is in milliseconds):
1: prvtEfmOamKeepAlive.0 (gauge) 3000
1: prvtEfmOamHelloInterval.0 (gauge) 200
6. Enable EFM-OAM on the specified port and define its mode to Active:
1: dot3OamMode.1101 (integer) active(2)
7. Force permanent loopback configuration on the remote side:

1: prvtEfmOamForceLoopbackRemote.1101 (integer) true(1)
8. Define the EFM-OAM thresholds for bit error monitoring:

Page 60
1: dot3OamErrSymPeriodWindowLo.1101 (gauge) 20
1: dot3OamErrSymPeriodThresholdLo.1101 (gauge) 100
9. Define the EFM-OAM thresholds for frame error monitoring:

1: dot3OamErrFrameWindow.1101 (gauge) 30
1: dot3OamErrFrameThreshold.1101 (gauge) 120
1. Enable EFM-OAM if necessary:
1: prvtEfmOamEnable.0 (integer) true(1)
2. Define the number of OAMPDUs:

1: prvtEfmOamMultiPduCount.0 (gauge) 5
3. Enable the sending of local event notifications to the remote peer:

1: prvtEfmOamRemoteEvent.0 (integer) true(1)
4. Define the OAMPDUs' priority:

1: prvtEfmOamPriority.0 (gauge) 5
5. Define the expected time interval between two consecutive OAMPDUs received from the
peer (the keep-alive interval value, from the example, is in milliseconds):
1: prvtEfmOamKeepAlive.0 (gauge) 3000
1: prvtEfmOamHelloInterval.0 (gauge) 200
6. Enable EFM-OAM on the specified interface and define its mode to Active:
1: dot3OamMode.1102 (integer) active(2)
Page 61
Configuring 802.1ag Connectivity Fault

Management (CFM) via SNMP
For additional information about CFM feature, refer to the 802.1ag Connectivity Fault Management
(CFM) section of the Operation Administration and Maintenance (OAM) chapter of this User Guide.
Architecture
To configure CFM via SNMP, use the following MIBs:
• IEEE8021-CFM-MIB
• PRVT-CFM-MIB
IEEE8021-CFM-MIB
This public MIB is used for managing the IEEE 802.1ag CFM module.
dot1agCfmStack
dot1agCfmStackTable There is one CFM Stack table per bridge. Use this
table to retrieve information about the Maintenance
Points configured on any given interface.
dot1agCfmDefaultMd
dot1agCfmDefaultMdDefLevel Represents a value indicating the MD Level and

Sender ID TLV transmission for each
dot1agCfmDefaultMdEntry whose
dot1agCfmDefaultMdLevel object contains the
value -1.
After this initialization, this object needs to be
persistent during the reboot or restart of a device.
dot1agCfmDefaultMdDefMhf Represents a value indicating if the management
Creation entity can create MHFs (MIP Half Functions) for the
VID, for each dot1agCfmDefaultMdEntry whose
dot1agCfmDefaultMdMhfCreation object contains
the value defMHFdefer.
Since, in this variable, there is no encompassing
MD, the value defMHFdefer is not allowed.
Page 62
dot1agCfmDefaultMdDefId Represents the numeric value indicating the

Permission parameters included in the Sender ID TLV
transmitted by MHFs and created by the default
Maintenance Domain, for each
dot1agCfmDefaultMdEntry whose
dot1agCfmDefaultMdIdPermission object contains
the value sendIdDefer.
Since, in this variable, there is no encompassing
Maintenance Domain, the value sendIdDefer is not
allowed.
dot1agCfmDefaultMdTable The default MD Level Managed Object controls the
MHF creation for VIDs that are not attached to a
specific Maintenance Association Managed Object
and Sender ID TLV transmission by those MHFs.
When first initialized, this table is created
automatically with entries for all VLAN IDs and with
the default values specified for each object.
After this initialization, the writable objects in this
table need to be persistent during the reboot or
restart of a device.
dot1agCfmVlan
dot1agCfmVlanTable Defines the VIDs associated into VLANs.

This table includes one entry per VID that:
• belongs to a VLAN associated with more than
one VID and
• is not the Primary VLAN of that VID. The table
entry's contains the VLAN's primary VID.
By default, this table is empty (by default every VID
is the primary VID of a single VID VLAN and the
VLANs associated with only one VID do not have
an entry in this table).
The writable objects in this table need to be
dot1agCfmConfigErrorList
dot1agCfmConfigErrorList Provides a list of Interfaces and VIDs that are not

Table configured correctly.
dot1agCfmMd
dot1agCfmMdTableNextIndex Contains an unused value for dot1agCfmMdIndex

in the dot1agCfmMdTable, or a zero to indicate that
doesn’t exist.
dot1agCfmMdTable The Maintenance Domain table, each row
representing a different MD.
Page 63
dot1agCfmMa
dot1agCfmMaNetTable The Maintenance Association table.

This table uses two indexes:
• the Maintenance Domain table index
• the same index as the
dot1agCfmMaCompEntry index for the same
MA
dot1agCfmMaCompTable This table uses three indexes:
• the Dot1agCfmPbbComponentIdentifier that
identifies the component (within the Bridge)
the dot1agCfmMaCompEntry information
applies to
• the Maintenance Domain table index
• the same index as the dot1agCfmMaNetEntry
index for the same MA
dot1agCfmMaMepListTable Represents the MEP IDs' list that belongs to this
Maintenance Association.
dot1agCfmMep
dot1agCfmMepTable The MEPs table, each row representing a different

one.
This table uses the following indexes:
• the MD table index
• the MA table index
This table also stores all the managed objects for
sending LBMs and LTMs.
dot1agCfmLtrTable Extends the MEP table. This table contains a list of
the Linktrace replies received by specific MEPs, in
response to linktrace messages.
dot1agCfmMepDbTable The MEPs database, maintained by every MEP that
received information about other MEPs in the MD.
Page 64
PRVT-CFM-MIB
This private MIB also uses the dot1agCfmMd, dot1agCfmMa and dot1agCfmMep modules from
IEEE8021-CFM-MIB and is an extension to the CFM for managing IEEE 802.1ag.
prvtCfmUpdateInterval Specifies the time, in seconds, between the

monitoring parameters update (the default value is
20 seconds).
A 0 value suspends the monitoring task and any
different value resumes it.
prvtCfmStatus Enables/disables the CFM protocol.
prvtCfmProfile
prvtCfmProfileTableNextIndex Contains an unused value for prvtCfmProfileIndex

in the prvtCfmProfileTable, or a zero to indicate that
none exist.
prvtCfmProfileTable Contains the loopback results from all remote
MEPs in the MA.
prvtCfmProcess
prvtCfmProcessTableNextIndex Contains an unused value for prvtCfmProcessIndex

in the prvtCfmProcessTable, or a zero to indicate
that none exists.
prvtCfmProcessTable The private extension of dot1agCfmMaNetTable,
controlling the two-way monitoring process for
MEPs in the MA.
prvtCfmProcessResult
prvtCfmProcessResultTable Contains the process results.
prvtCfmMa Includes extra variables needed for Y.1731 support

and service awareness.
prvtCfmMaTable Includes extra variables needed for Y.1731 support
and service awareness.
prvtCfmMep
prvtCfmMepTable Represents the MEPs table.
prvtCfmLbrTable Contains the last loopback operation results.
prvtCfmLtrTable Enables the functionality to measure the response

time of a linktrace request.
Page 65
Notifications
IEEE8021-CFM-MIB contains the following dot1agCfmFaultAlarm notification. If a MEP has a
persistent defect condition, this notification (fault alarm) is sent to the management entity with the
OID of the MEP that detected the fault (OID: 1.3.111.2.802.1.1.8.0.1).
PRVT-CFM-MIB contains the following notifications:
• prvtCfm1wJitterThreshold—is sent when CFM one way jitter threshold crossed.
OID: 1.3.6.1.4.1.738.1.5.131.0.1
• prvtCfmJitterThreshold—is sent when CFM two way jitter threshold crossed.
OID: 1.3.6.1.4.1.738.1.5.131.0.2
• prvtCfmFrameLossThreshold—is sent when CFM frame loss threshold crossed.
OID: 1.3.6.1.4.1.738.1.5.131.0.3
• prvtCfmLatencyThreshold—is sent when CFM latency threshold crossed.
OID: 1.3.6.1.4.1.738.1.5.131.0.4
CFM via SNMP Configuration Examples

To configure CFM via SNMP, follow the steps:
1. Create the Maintenance Domain (MD) in the dot1agCfmMdTable:
dot1agCfmMdRowStatus: you have to deactivate the row to be able to change the
writable columns. To activate the row, make sure that all columns have a valid value.
dot1agCfmMdMdLevel: defines the MD level.
dot1agCfmMdName: defines a unique MD name.
The type/format of this object is determined by the value of the
dot1agCfmMdNameType object.
2. Create a Maintenance Association (MA) in the dot1agCfmMaNetTable:
dot1agCfmMaNetRowStatus: you have to deactivate the row to be able to change the
dot1agCfmMaNetName: defines a unique MA name within the MA.
The type/format of this object is determined by the value of the
dot1agCfmMaNetNameType object.
3. Define the primary VLAN ID in the dot1agCfmMaCompTable. The
dot1agCfmMaCompPrimaryVlanId object defines the primary VLAN ID the MA is
associated to (or 0 if the MA is not attached to any VLAN ID). If the MA is associated with
more than one VLAN ID, list them in the dot1agCfmVlanTable.
Page 66
4. Define the identification data sent to the remote MEPs creation policy in the
dot1agCfmMaCompTable:
dot1agCfmMaCompIdPermission: defines the numeric value indicating the contents of
the Sender ID TLV transmitted by MPs configured in this MA.
dot1agCfmMaCompMhfCreation: defines whether the management entity can create
MHFs (MIP Half Function) for this MA.
dot1agCfmMaCompRowStatus: you have to deactivate the row to be able to change the
5. Add a port as MEP to the MA in the dot1agCfmMepTable:
dot1agCfmMepRowStatus: you have to deactivate the row to be able to change the
dot1agCfmMepIfIndex: this object is the interface index of the interface of either a bridge
port or an aggregated IEEE 802.1 link within a bridge port, to which the MEP is
attached. Upon reboot, the system (if necessary) changes the value of this variable. It
indexes the entry in the interface table with the same value of ifAlias that it indexed before
the system reboot. If no such entry exists, the system sets this variable to 0.
dot1agCfmMepDirection: defines the direction the MEP faces on the Bridge port.
dot1agCfmMepActive: defines the MEP's administrative state (a Boolean):
♦ true indicates that the MEP functions normally
♦ false indicates that the MEP ceased functioning
6. Create a profile in the prvtCfmProfileTable:
prvtCfmProfileRowStatus: defines the row's status. You have to deactivate the row to be
able to change the writable columns. To activate the row, make sure that all columns have
a valid value.
prvtCfmProfileName: defines the profile name.
prvtCfmProfileRate: defines the number of request packets to send each time.
7. Create a process in the prvtCfmProcessTable:
prvtCfmProcessRowStatus: defines row's status. You have to deactivate the row to be
able to change the writable columns. To activate the row, make sure that all columns have
a valid value.
prvtCfmProcessName: defines a unique process name per domain/MA.
prvtCfmProcessProfileIndex: define the monitoring profile index used.
prvtCfmProcessStatus: enables/disables the two-way monitoring process for MEPs in the
MA.
prvtCfmProcessRepeatInterval: defines the repeating frequency of the monitoring
process.
Page 67
8. To send a loopback message to a specified MEP in a specified domain, define the below
objects in dot1agCfmMepTable:
dot1agCfmMepTransmitLbmDestMepId: defines the MEP ID for sending LBMs within
the same domain.
This address is used if the dot1agCfmMepTransmitLbmDestIsMepId column's value is
true.
dot1agCfmMepTransmitLbmDestIsMepId: selects the loopback transmission target:
♦ True to use a MEPID
♦ False to use a unicast destination MAC address
dot1agCfmMepTransmitLbmMessages: defines the number of transmitted loopback
messages.
9. To send a linktrace message to a specified MEP in a specified domain, define the following
objects in dot1agCfmMepTable:
dot1agCfmMepTransmitLtmTargetMepId: defines the target MAC address transmitted.
This address is used if the dot1agCfmMepTransmitLtmTargetIsMepId column's value is
true.
dot1agCfmMepTransmitLtmTargetIsMepId: selects the linktrace transmission target:
♦ True to use a MEPID
♦ False to use a unicast destination MAC address
10. To clear the inactive remote MEPs from the local MEP's connectivity list, define the following
object in prvtCfmMaTable:
prvtCfmMaCompClearConnectivity: define the MEP ID (or 0 for all MEPs).
Configuring Two Devices in CFM Protocol

The following example is based on the CFM Configuration Example (refer to the Operation
configure an Ethernet network using CFM via SNMP.
1. Create a VLAN where the VLAN name is vl10 and the VLAN ID is 10:
1: dot1qVlanStaticRowStatus.10 (integer) createAndWait(5)
1: dot1qVlanStaticName.10 (octet string) vl10 [76.6C.31.30 (hex)]

1: dot1qVlanStaticEgressPorts.10 (octet string) 20 00 00 00
Page 68
3. Enable the CFM protocol:

1: prvtCfmStatus.0 (integer) enable(1)
4. Create an MD with named d7 and level 7; create an MA within the domain:

1: dot1agCfmMdRowStatus.1 (integer) createAndWait(5)
1: dot1agCfmMdMdLevel.1 (integer) 7 [7]
1: dot1agCfmMdName.1 (octet string) d7
1: dot1agCfmMdRowStatus.1 (integer) active(1)
1: dot1agCfmMaNetRowStatus.1.1 (integer) createAndWait(5)
1: dot1agCfmMaNetName.1.1 (octet string) ma7
1: dot1agCfmMaNetRowStatus.1.1 (integer) active(1)
1: dot1agCfmMaCompRowStatus.1.1.1 (integer) createAndWait(5)
1: dot1agCfmMaCompPrimaryVlanId.1.1.1 (integer) 10
1: dot1agCfmMaCompRowStatus.1.1.1 (integer) active(1)
5. Define the identification data sent to the remote MEPs creation policy on the specified MA:
1: dot1agCfmMaCompIdPermission.1.1.1 (integer) sendIdChassis(2)
1: dot1agCfmMaCompMhfCreation.1.1.1 (integer) defMHFexplicit(3)
Page 69
6. Add port 1/2/1 as a MEP to the MA:

1: dot1agCfmMepRowStatus.1.1.1 (integer) createAndWait(5)
1: dot1agCfmMepIfIndex.1.1.1 (integer) 1201 [1201]
1: dot1agCfmMepDirection.1.1.1 (integer) down(1)
1: dot1agCfmMepActive.1.1.1 (integer) true(1)
1: dot1agCfmMepRowStatus.1.1.1 (integer) active(1)
7. Create profile p1 and process proc1 for Device1:

1: prvtCfmProfileRowStatus.2 (integer) createAndWait(5)
1: prvtCfmProfileName.2 (octet string) p1 [70.31 (hex)]
1: prvtCfmProfileRate.2 (gauge) 3
1: prvtCfmProfileRowStatus.2 (integer) active(1)
1: prvtCfmProcessRowStatus.1.1.1 (integer) createAndWait(5)
1: prvtCfmProcessName.1.1.1 (octet string) proc1
1: prvtCfmProcessProfileIndex.1.1.1 (gauge) 2
1: prvtCfmProcessStatus.1.1.1 (integer) true(1)
1: prvtCfmProcessRepeatInterval.1.1.1 (gauge) 1
1: prvtCfmProcessRowStatus.1.1.1 (integer) active(1)
Page 70



Page 71
5. Define the identification data sent to the remote MEPs creation policy on the specified MA:
1: dot1agCfmMaCompIdPermission.1.1.1 (integer) sendIdChassis(2)
1: dot1agCfmMaCompMhfCreation.1.1.1 (integer) defMHFexplicit(3)

Sending a loopback message to a specified MEP in a specified

domain:
1: dot1agCfmMepTransmitLbmDestMepId.1.1.1 (gauge) 2
1: dot1agCfmMepTransmitLbmDestIsMepId.1.1.1 (integer) true(1)
1: dot1agCfmMepTransmitLbmMessages.1.1.1 (integer) 10
Page 72
Sending a loopback message to a specified MIP in a specified

domain:
1: dot1agCfmMepTransmitLbmDestMacAddress.1.1.1 (gauge) 2
(octet string) 00:A0:12:22:E1:40 [00.A0.12.22.E1.40 (hex)]
1: dot1agCfmMepTransmitLbmMessages.1.1.1 (integer) 10
Sending a linktrace message to a specified MEP in a specified

domain:
1: dot1agCfmMepTransmitLtmTargetMepId.1.1.1 (gauge) 2
1: dot1agCfmMepTransmitLtmTargetIsMepId.1.1.1 (integer) true(1)
Sending a linktrace message to a specified MIP in a specified

domain:
1: dot1agCfmMepTransmitLtmTargetMacAddress.1.1.1
(octet string) 00:A0:12:22:E1:40 [00.A0.12.22.E1.40 (hex)]
Page 73
Using the Clear Connectivity Command

This example is describing the usage of the clear connectivity command; refer to the CFM
Configuration Example of the Operation Administration and Maintenance (OAM) chapter of this User
Guide.
2. Add ports 1/2/1 and 1/2/2 as tagged ports:



Page 74



Page 75



Page 76




Page 77


6. Clear the remote inactive and unused MEPs using the clear connectivity command:
1: prvtCfmMaCompClearConnectivity.1.1.1 (gauge) 0
Page 78
Configuring Ethernet Protection Switching (EPS) via

SNMP
In BiNOS version 9.4.Rx and above, the configuration of EPS via SNMP support has been added.
In the sections below, you can find explanations for the new PRVT-EPS-MIB and its architecture
used for configuring EPS via SNMP.
For additional information about EPS feature, refer to the ITU-T G.8031 Ethernet Protection Switching
(EPS) section of the Operation Administration and Maintenance (OAM) chapter of this User Guide.
MIB Architecture: PRVT-EPS-MIB

This is a private MIB supporting Linear Ethernet Protection Switching (ITU-T G.8031).
prvtEpsServiceTable
prvtEpsSvcId The service ID (SVCID), a unique service

identifier, in the range of <1–4294967295>.
prvtEpsServiceCfmMdLevel The value of the CFM MD level where the
protected domain is situated. The valid
range is <0–7>.
prvtEpsServicePrimaryLocalCfmMep Defines the CFM pair of MEPs that monitor
the primary path. Specifies the service
MEP ID of the local device.
prvtEpsServicePrimaryRemoteCfmMep Defines the CFM pair of MEPs that monitor
the primary path. Specifies the discovered
service MEP ID of the remote device.
prvtEpsServiceSecondaryLocalCfmMep Defines the CFM pair of MEPs that monitor
the backup path. Specifies the service MEP
ID of the local device.
prvtEpsServiceSecondaryRemoteCfmMep Defines the CFM pair of MEPs that monitor
the backup path. Specifies the discovered
service MEP ID of the remote device.
prvtEpsServiceLocalState The protection state of the local side.
prvtEpsServiceHoldOffTimer Defines the hold off timeout. This timer

postpones the switchover for a specified
time. The valid range is <0–10000>
milliseconds, with 100 ms increments.
prvtEpsServiceWaitToRestoreTimer Defines the wait-to-restore timeout. If the
revertive mode is disabled, this timer will
also be disabled. To configure the timer,
select one of the values: 0 or <5–12>
minutes; 0 means revert immediately.
prvtEpsServiceApsChannel Active APS communication.
Page 79
prvtEpsServiceProtection Type of protection (1+1 or 1:1).
prvtEpsServiceDirection Type of direction (unidirectional or

bidirectional).
prvtEpsServiceRevertive The revertive mode for the protection. In
case of a signal failure when the primary
transport is repaired, the traffic is
automatically moved to the primary
transport after the wait-to-restore timer
expired.
prvtEpsServiceActivePath The EPS active path.
prvtEpsServiceDegradeTestType The type of test used for monitoring signal-

degrade.
prvtEpsServiceDegradeTestOwner The owner of the SAA test used for
monitoring.
prvtEpsServiceDegradeTestName The name of test used for monitoring
signal-degrade.
prvtEpsServiceDegradeTestEnable Starts/stops CFM test for performance
monitoring.
prvtEpsServiceDefectFop Defects noticed by APS protocol.
prvtEpsServiceOperationalStatus The purpose of this status is to identify to

the User whether this service is ready for
running. The operational status can be up
or down. When creating the service the
operational status will be down. Receiving
CCMs from both transport entities and
establishment of APS on the protection
transport entity will bring the operational
status to up.
prvtEpsServicePrimaryStatus Primary EPS path state.
prvtEpsServiceSecondaryStatus Secondary EPS path state.
prvtEpsServiceRemoteState The protection state of the remote side.
prvtEpsServiceRemoteApsChannel Active APS communication reported by the

remote.
prvtEpsServiceRemoteProtection Type of protection (1+1 or 1:1) reported by
the remote.
prvtEpsServiceRemoteDirection Direction of protection (unidirectional or
bidirectional) reported by the remote.
prvtEpsServiceRemoteRevertive Protection type (revertive or non-revertive)
reported by the remote.
prvtEpsServiceAdminFreeze Used to freeze the state of the protection
service. Until the freeze is cleared, all local
and remote commands are ignored. After
the freeze is cleared, the state of the
services is recomputed using the ignored
commands.
Page 80
prvtEpsServiceAdminStatus Administrative status of the protection.
prvtEpsServiceRowStatus The status of the row. The writable columns

in a row can not be changed if the row is
active. All columns must have a valid value
before a row can be activated.
Notifications
Following notifications are supported:
• prvtEpsDefectAlarm—is sent when EPS service operational status changed or protocol
defect occurred.
OID: 1.3.6.1.4.1.738.1.5.132.0.1
• prvtEpsSwitchoverAlarm—is sent when EPS service active link changed.
OID: 1.3.6.1.4.1.738.1.5.132.0.2
• prvtEpsLostCommunication—is sent when APS communication failed.
OID: 1.3.6.1.4.1.738.1.5.132.0.3
• prvtEpsRestoredCommunication—is sent when APS communication restored.
OID: 1.3.6.1.4.1.738.1.5.132.0.4
• prvtEpsSignalFailDetected—is sent when three consecutive CCMs are not received.
OID: 1.3.6.1.4.1.738.1.5.132.0.5
• prvtEpsSignalDegradeDetected—is sent when monitored error threshold is crossed.
OID: 1.3.6.1.4.1.738.1.5.132.0.6
Page 81
EPS via SNMP Configuration Example

The following example is based on the EPS Configuration Example (refer to the Operation
configure an Ethernet network using EPS via SNMP.
1. Create a TLS service; refer to the TLS Configuration Examples section.
2. Activate the primary status for the specified SDP:
set prvtEpsSvcSdpAdminIsPrimary to true(1)
3. Activate the secondary status for the specified SDP:

set prvtEpsSvcSdpAdminIsSecondary to true(1)
4. Activate TLS service; refer to the TLS Configuration Examples section.

5. Configure the MD, MA, and MEP ID; refer to the Configuring Two Devices in CFM Protocol
section.
6. Set EPS parameters:
set prvtEpsServiceRowStatus to createAndWait(5)
set prvtEpsServiceCfmMdLevel to 1
set prvtEpsServicePrimaryLocalCfmMep to 1
set prvtEpsServicePrimaryRemoteCfmMep to 2
set prvtEpsServiceSecondaryLocalCfmMep to 1
set prvtEpsServiceSecondaryRemoteCfmMep to 2
set prvtEpsServiceRowStatus to active(1)
set prvtEpsServiceAdminStatus to active(1)
1. Create a TLS service; refer to the TLS Configuration Examples section.
2. Activate the primary status for the specified SDP:
set prvtEpsSvcSdpAdminIsPrimary to true(1)
3. Activate the secondary status for the specified SDP:

set prvtEpsSvcSdpAdminIsSecondary to true(1)
4. Activate the TLS service; refer to the TLS Configuration Examples section.
5. Configure the MD, MA, and MEP ID; refer to the Configuring Two Devices in CFM Protocol
section.
Page 82
6. Set EPS parameters:

set prvtEpsServiceRowStatus to createAndWait(5)
set prvtEpsServiceCfmMdLevel to 1
set prvtEpsServicePrimaryLocalCfmMep to 2
set prvtEpsServicePrimaryRemoteCfmMep to 1
set prvtEpsServiceSecondaryLocalCfmMep to 2
set prvtEpsServiceSecondaryRemoteCfmMep to 1
set prvtEpsServiceRowStatus to active(1)
set prvtEpsServiceAdminStatus to active(1)
Page 83
Configuring Link Layer Discovery Protocol (LLDP)

via SNMP
In BiNOS version 9.4.Rx and above, the configuration of LLDP via SNMP support has been
added.
In the sections below, you can find explanations for the LLDP-MIB and its architecture used for
configuring LLDP via SNMP.
For additional information about LLDP feature, refer to the Configuring Link Layer Discovery Protocol
(LLDP) chapter of this User Guide.
MIB Architecture: LLDP-MIB

The LLDP-MIB is used for configuring LLDP statistics, local system data and remote system data
components.
lldpConfiguration
lldpMessageTxInterval The interval at which LLDP frames are

transmitted on behalf of this LLDP agent.
Transmit-interval is from 5 to 32768 (5 can
be set when transmit-delay is set to its
minimum value of 1)
lldpMessageTxHoldMultiplier The time-to-live value expressed as a
multiple of the lldpMessageTxInterval object.
The valid range is <2–10> seconds.
The TTL value is the smaller value between
65535 and (LLDP transmit interval *
transmit-hold).
The TTL value is calculated by the following
formula: TTL=(lldpMessageTxInterval *
lldpMessageTxHoldMultiplier).
lldpReinitDelay Indicates the delay, in seconds, from when

lldpPortConfigAdminStatus object of a
particular port becomes 'disabled' until re-
initialization is attempted. The valid range is
<1–10> seconds.
Page 84
lldpTxDelay Indicates the delay, in seconds, between

successive LLDP frame transmissions
initiated by value/status changes in the
LLDP local systems MIB. Transmit-delay is
from 1 to 8192 (8192 can be set when
transmit-interval is set to its maximum value
of 32768).
Transmit-delay can be set only to values
smaller than (0.25 *
lldpMessageTxInterval)
lldpNotificationInterval Controls the transmission of LLDP

notifications.
lldpPortConfigTable Controls LLDP frame transmission on
individual ports.
lldpConfigManAddrTable The table that controls selection of LLDP
management address and TLV instances to
be transmitted on individual ports.
lldpStatistics
lldpStatsRemTablesLastChangeTime The value of sysUpTime object (defined in

IETF RFC 3418) at the time an entry is
created, modified, or deleted in the tables
associated with the lldpRemoteSystemsData
objects and all LLDP extension objects
associated with remote systems.
lldpStatsRemTablesInserts The number of times the complete set of
information advertised by a particular MSAP
has been inserted into tables contained in
lldpRemoteSystemsData and lldpExtensions
objects.
lldpStatsRemTablesDeletes The number of times the complete set of
has been deleted from tables contained in
objects
lldpStatsRemTablesDrops The number of times the complete set of
could not be entered into tables contained in
objects because of insufficient resources
lldpStatsRemTablesAgeouts The number of times the complete set of
has been deleted from tables contained in
objects because the information timeliness
interval has expired.
lldpStatsTxPortTable A table containing LLDP transmission
statistics for individual ports. Entries are not
required to exist in this table while the
lldpPortConfigEntry object is equal to
disabled(4).
Page 85
lldpStatsRxPortTable A table containing LLDP reception statistics

for individual ports. Entries are not required
to exist in this table while the
lldpPortConfigEntry object is equal to
disabled(4)
lldpLocalSystemData
lldpLocChassisIdSubtype The type of encoding used to identify the

chassis associated with the local system.
lldpLocChassisId The string value used to identify the chassis
component associated with the local system.
lldpLocSysName The string value used to identify the system
name of the local system.
lldpLocSysDesc The string value used to identify the system
description of the local system.
lldpLocSysCapSupported The bitmap value used to identify which
system capabilities are supported on the
local system.
lldpLocSysCapEnabled The bitmap value used to identify which
system capabilities are enabled on the local
system
lldpLocPortTable This table contains one or more rows per
port information associated with the local
system known to this agent.
lldpLocManAddrTable This table contains management address
information on the local system known to
this agent.
lldpRemoteSystemsData
lldpRemTable This table contains one or more rows per

physical network connection known to the
agent
lldpRemManAddrTable This table contains one or more rows per
management address information on the
remote system learned on a particular port
contained in the local chassis known to this
agent.
lldpRemUnknownTLVTable This table contains information about an
incoming TLV which is not recognized by the
receiving LLDP agent
lldpRemOrgDefInfoTable This table contains one or more rows per
physical network connection which
advertises the organizationally defined
information.
Page 86
Notifications
The LLDP-MIB contains the lldpRemTablesChange notification. This notification is sent when
the value of lldpStatsRemTablesLastChangeTime changes. It can be used by an NMS to trigger
LLDP remote systems table maintenance polls (OID: 1.0.8802.1.1.2.0.0.1).
Page 87
LLDP via SNMP Configuration Example

The following example is based on the Configuration Example (refer to the Configuring Link Layer
Discovery Protocol (LLDP) chapter of this User Guide) and it details the steps to configure an
Ethernet network using LLDP via SNMP.
This example uses the lldpPortConfigAdminStatus object to set the desired status of the LLDP.
You can select one of the values:
• txOnly(1)—the port will only transmit LLDP packets
• rxOnly(2)—the port will only receive LLDP packets
• txAndRx(3)—the port will both transmit and receive LLDP packets
• disabled(4)—the port will neither receive nor transmit LLDP packets
Configuring Device 1 and Device 2:

1. Enable the LLDP on the device:
set prvtLldpEnable to true(1)
2. Define the reinitialized-delay value:

set lldpReinitDelay to 4
3. Define the transmit-delay value:

set lldpTxDelay to 4
4. Define the transmit-hold value:

set lldpMessageTxHoldMultiplier to 5
5. Define the transmit-interval value:

set lldpMessageTxInterval to 500

set lldpPortConfigAdminStatus to txAndRx(3)
7. Configure what to be advertised (one or more) on the selected port:

set lldpPortConfigTLVsTxEnable (portDesc, sysName, sysDesc or sysCap)
Page 88
Configuring Remote Monitoring (RMON) via SNMP

For additional information about RMON feature, refer to the Configuring Remote Monitoring (RMON)
MIB Architecture: RMON-MIB

Remote Monitoring MIB (RMON-MIB) is a standard monitoring specification that enables various
network monitors and console systems to exchange network-monitoring data. RMON-MIB
provides network administrators with more freedom in selecting network-monitoring probes and
consoles with features that meet their particular networking needs.
The RFCs supported: RFC 2863, Interfaces Group MIB (configL2IfaceTable and interface table).
This RFC specifies an Internet standards track protocol for the Internet community, and requests
discussion and suggestions for improvements.
• RFC 1271, Remote Network Monitoring Management Information Base
• Standards supported:
• IEEE 802.3 Ethernet
• IEEE 802.3u Fast Ethernet
• IEEE 802.3x Flow Control
• IEEE 802.3z Gigabit Ethernet

statistics
etherStatsTable Contains a list of Ethernet statistics entries.
tokenRingMLStatsTable Contains a list of MAC-layer token ring statistics

entries.
tokenRingPStatsTable Contains a list of promiscuous token ring statistics
entries.
etherStats2Table Contains the RMON-2 augmentations to RMON-1.
tokenRingMLStats2Table Contains the RMON-2 augmentations to RMON-1.
tokenRingPStats2Table Contains the RMON-2 augmentations to RMON-1.
etherStatsHighCapacityTable Contains the high capacity RMON extensions to

the RMON-1 etherStatsTable
history
historyControlTable Contains a list of history control entries.
etherHistoryTable Contains a list of Ethernet history entries.
Page 89
tokenRingMLHistoryTable Contains a list of MAC-layer token ring statistics

entries.
tokenRingPHistoryTable Contains a list of promiscuous token ring
statistics entries
historyControl2Table Contains the RMON-2 augmentations to RMON-1.
etherHistoryHighCapacityTable Contains the high capacity RMON extensions to

the RMON-1 etherHistoryTable.
alarm
alarmTable Contains a list of alarm entries.
hosts
hostControlTable Contains a list of host table control entries.
hostTable Contains a list of host entries.
hostTimeTable Contains a list of time-ordered host table entries.
hostControl2Table Contains the RMON-2 augmentations to RMON-1.
hostHighCapacityTable Contains the high capacity RMON extensions to

the RMON-1 hostTable.
hostTimeHighCapacityTable Contains the high capacity RMON extensions to
the RMON-1 hostTimeTable.
hostTopN
hostTopNControlTable Contains a list of top N host control entries
hostTopNTable Contains a list of top N host entries.
hostTopNHighCapacityTable Contains the high capacity RMON extensions to

the RMON-1 hostTopNTable when
hostTopNRateBase specifies a high capacity top
N report
matrix
matrixControlTable Contains a list of information entries for the traffic

matrix on each interface.
matrixSDTable Contains a list of traffic matrix entries indexed by
source and destination MAC address.
matrixDSTable Contains a list of traffic matrix entries indexed by
destination and source MAC address.
matrixControl2Table Contains the RMON-2 augmentations to RMON-1
matrixSDHighCapacityTable Contains the high capacity RMON extensions to

the RMON-1 matrixSDTable
matrixDSHighCapacityTable Contains the high capacity RMON extensions to
the RMON-1 matrixDSTable.
filter
filterTable Contains a list of packet filter entries.
Page 90
channelTable Contains a list of packet channel entries.
channel2Table Contains the RMON-2 augmentations to RMON-1.
filter2Table Provides a variable-length packet filter feature to

the RMON-1 filter table.
capture
bufferControlTable Contains a list of buffers control entries.
captureBufferTable Contains a list of packets captured off of a

channel.
captureBufferHighCapacityTable Contains the high capacity RMON extensions to
the RMON-1 captureBufferTable.
event
eventTable Contains a list of events to be generated.
logTable Contains a list of events that have been logged.
Notifications
The RMON-MIB contains the following notifications:
• risingAlarm—is generated when a value rises above its pre-programmed threshold.
OID: 1.3.6.1.2.1.16.0.2
• fallingAlarm—is generated when a value falls below its pre-programmed threshold.
OID: 1.3.6.1.2.1.16.0.2
Page 91
RMON via SNMP Configuration Example

The following example is based on the RMON Configuration Example (refer to the Configuring Remote
Monitoring (RMON) chapter of this User Guide) and it details the steps to configure an Ethernet
network using RMON via SNMP.
1. To define an RMON event description, select:

The event index to be 1
The event description to be the_tank_is_full
The event notification to be snmp-trap
The community string, as defined previously, to be PUBLIC
The event owner to be STN1

1: eventStatus.1 (integer) createRequest(2)
1: eventDescription.1 (octet string) the_tank_is_full
1: eventType.1 (integer) snmp-trap(3)
1: eventCommunity.1 (octet string) PUBLIC
1: eventOwner.1 (octet string) STN1
1: eventStatus.1 (integer) valid(1)
Page 92
2. Define RMON alarm conditions. The threshold type is absolute, so the falling event is
insignificant. The index has an arbitrary value of zero. If the threshold type is delta, the index
has the number of the event of the falling value:
1: alarmStatus.1 (integer) createRequest(2)
1: alarmVariable.1 (object identifier) etherStatsOctets.5
1: alarmSampleType.1 (integer) absoluteValue(1)
1: alarmStartupAlarm.1 (integer) risingAlarm(1)
1: alarmRisingThreshold.1 (integer) 20000
1: alarmFallingThreshold.1 (integer) 0
1: alarmRisingEventIndex.1 (integer) 1
1: alarmFallingEventIndex.1 (integer) 0
1: alarmOwner.1 (octet string) STN1
1: alarmStatus.1 (integer) valid(1)
Page 93
Supported Platforms
Fast Ethernet and Giga Ethernet Port via SNMP + +

LAGs via SNMP + +
Resilient Links via SNMP + +
VLANs via SNMP + +
TLS via SNMP + +
STP via SNMP + +
RSTP via SNMP + +
MSTP via SNMP + +
QoS via SNMP + +
EFM-OAM via SNMP + +
CFM-OAM via SNMP + +
EPS via SNMP + +
LLDP via SNMP + +
RMON via SNMP + +

Fast Ethernet • IEEE 802.3 Public MIBs: RFC 2863 The Interfaces
and Giga Ethernet • RFC 1213, Group MIB
Ethernet Port via (configL2IfaceTable and
SNMP
• IEEE 802.3u Management
interface table)
Fast Ethernet Information Base for
Network
• IEEE 802.3x
Management of
Flow Control
TCP/IP-based
• IEEE 802.3z internets: MIB-II
Gigabit Ethernet (qwerinterface table
and
onfigL2IfaceTable)
• RMON MIB
Private MIB,
prvt_switch.mib
LAGs via SNMP IEEE 802.3ad Private MIB, No RFCs are supported
prvt_Ports_Aggregation. by this feature.
mib
Resilient Links No standards are Private MIB, No RFCs are supported
via SNMP supported by this prvt_resilient_link.mib by this feature.
feature.
Page 94
VLANs via SNMP • IEEE 802.1Q- IEEE 802.1Q No RFCs are supported
1998 by this feature.
• IEEE 802.1Q-
2003
• IEEE 802.1P
• IEEE 802.1u-
2001
TLS via SNMP No standards are Private MIBs: No RFCs are supported
supported by this • prvt_serv.mib by this feature.
feature.
• prvt_L2tunneling.mib
STP via SNMP IEEE 802.1d-1998 Public MIBs: • RFC 1493,
• bridge.mib Definitions of
Managed Objects for
Private MIB, • RFC 2863,
prvt_switch.mib Interfaces Group
MIB
RSTP via SNMP • IEEE 802.1d- Public MIBs: • RFC 1493,
1998 • bridge.mib Definitions of
• IEEE 802.1t- Managed Objects for
2001
• IEEE 802.1w-
Private MIB, • RFC 2863,
prvt_switch.mib Interfaces Group
2001
MIB
MSTP via SNMP • IEEE 802.1d- Private MIBs: RFC 2863, Interfaces
1998 • prvt_mst.mib Group MIB
• IEEE 802.1t-
• prvt_switch.mib
2001
• IEEE 802.1w-
2001
• IEEE 802.1s-
2002
QoS via SNMP • IEEE 802.1p Private MIB, prvt_qos.mib • RFC 2474, Definition
Priority Queuing of the Differentiated
• IEEE 802.1ad— Services Field (DS
Describes port- Field) in the IPv4
based service and IPv6 Headers
• RFC 2475, An
Architecture for
Differentiated
Services
• RFC 2597, Assured
Forwarding PHB
Group
• RFC 2598, An
Expedited
Page 95

Forwarding PHB
• RFC 2697, A Single
Rate Three Color
Marker
• RFC 2698, A Two
Rate Three Color
Marker
• RFC 3140, Per Hop
Behavior
Identification Codes
EFM-OAM via IEEE Draft P 802.3ah Public MIB, No RFCs are supported
SNMP /D3.3 Clause 57 dot3_oam.mib by this feature.
Private MIB,
prvt_switch_efm_oam.mi
b
CFM-OAM via • IEEE 802.1ag- Public MIB, RFC 2544, Benchmarking
SNMP 2007 (draft ieee8021_cfm.mib Methodology for Network
8.1)—Virtual Private MIB, prvt_cfm.mib Interconnect Devices
Bridged Local
Area Networks
(Amendment 5:
Connectivity
Fault
Management).
• Connectivity
Fault
Management—
An Update on
Bridging
Technologies
(IEEE Tutorial,
July 18, 2005).
EPS via SNMP • ITUT-G.8031 Private MIB, prvt_eps.mib No RFCs are supported
by this feature.
• IEEE 802.1ag-
2007 (draft 8.1)
• ITUT-Y.1731
LLDP via SNMP IEEE 802.1AB Public MIB, lldp.mib No RFCs are supported
by this feature.
RMON via SNMP No standards are Public MIBs: • RFC 1271, Remote
supported by this • rmon.mib Network Monitoring
feature. Management
• hc_rmon.mib Information Base
• RFC 3273, Remote
Network Monitoring
Management
Information Base for
High Capacity
Networks
Page 96
Configuring Remote Monitoring (RMON)
Table of Figures ······················································································ 2
Overview ······························································································· 3
RMON Groups ······················································································· 4
RMON Alarms and Events Default Configuration ············································ 5
RMON Alarms and Events Commands ························································· 5

Configuring RMON Alarms ····································································· 6
Configuring RMON Events ····································································· 9
Displaying RMON Alarms ·····································································10
Displaying RMON Events······································································11
Displaying RMON Statistics····································································11
Displaying High-Capacity Counters····························································14
Configuration Example ············································································17
Page 1
Configuring Remote Monitoring (RMON) (Rev. 07)
Table of Figures
Figure 1: RMON Monitoring Example························································· 3
Page 2
Overview
Remote Monitoring (RMON) is an Internet Engineering Task Force (IETF) monitoring
specification that defines a set of statistics and functions that can be exchanged between RMON-
compliant console systems and network probes.
RMON provides you with comprehensive network-fault diagnosis, planning, and performance-
tuning information.
You can use the RMON feature with the Simple Network Management Protocol (SNMP) agent in
the device to monitor all the traffic flowing among devices on all connected LAN segments.
Figure 1: RMON Monitoring Example
Page 3
RMON Groups
The T-Marc 300 Series devices support the following four RMON groups:
• Statistics (group 1)
The Ethernet statistics group collects Fast Ethernet and Gigabit Ethernet statistics on an
interface.
Use the information from the Statistics group to detect changes in traffic and error
patterns in critical areas of the network.
• History (group 3)
The History group provides historical views of network performance by taking periodic
samples of the counters supplied by the Statistics group.
The group is useful for analyzing traffic patterns and trends on an Ethernet interface on
the device and for establishing baseline information indicating normal operating
parameters.
• Alarms (group 4)
The Alarms group provides a general mechanism for setting threshold and sampling
intervals to generate events on any RMON variable. This group monitors a specific
management information base (MIB) object for a specified interval, triggers an alarm at a
specified value (rising threshold), and resets the alarm at another value (falling threshold).
You can use alarms with RMON events to generate a log entry and/or an SNMP
notification when the RMON alarm triggers.
• Events (group 10)
The Events group creates entries in an event log and/or sends SNMP traps. An event is
triggered by an RMON alarm. The action taken can be configured to ignore it, to log the
event, to send an SNMP trap to the receivers listed in the trap receiver table, or to both
log and send a trap.
Page 4
RMON Alarms and Events Default Configuration

Table 1: RMON Default Configuration
RMON Disabled (no events or alarms are configured)
RMON Alarms and Events Commands

Table 2: RMON Alarms and Events Commands
Command Description
rmon alarm counter Configures RMON alarms (see Configuring RMON Alarm)
rmon event Configures RMON events (see Configuring RMON Events)
Table 3: RMON Display Commands

NOTE
You must first configure RMON alarms and events to display collection
information.
Command Description
show rmon alarm Displays information about RMON alarms (see Displaying
RMON Alarms)
show rmon event Displays information about RMON events (see Displaying
RMON Events)
show rmon statistics Displays counter statistics of the specified port or all available
ports on the device (see Displaying RMON Statistics)
show rmon statistics Displays the high capacity of RMON statistics for a specified
high-capacity port or for all ports (see Displaying High-Capacity Counters)
Page 5
Configuring RMON Alarms

The rmon alarm counter command configures RMON alarms.
Command Syntax
device-name(config)#rmon alarm <alarm-index> counter <index> UU/SS/PP
<polling-interval> {absolute | delta} <rising-threshold> <falling-
threshold> <rising-index> <falling-index> OWNER
device-name(config)#no rmon alarm [<alarm-index>]
alarm-index Specifies the alarm index, in the range <1–65535>.
If it is a new index, the alarm is created. If the index already exists, the
alarm is updated.
counter <index> Specifies the counter number of the statistics kept for a particular
Ethernet interface. The counter number is in the range <1-25>. For
more information about the RMON counters, see Table 4.
UU/SS/PP Specifies the Ethernet interface on which to collect statistics.
polling-interval Specifies the time in seconds the alarm monitors the counters. The
range is <1–2147483647> seconds.
absolute Use absolute threshold values.
The trap is sent only once when the rising threshold value is met.
delta Use threshold value differences.
The agent sends the trap whenever the difference between the last
and the current value reaches the rising or falling value.
The delta keyword requires you to define two events—one for the
case when the rising value is met and one for the case when the
falling value is met.
rising-threshold Specifies the rising-threshold, in the range <0–2147483647>.
falling-threshold Specifies the falling-threshold, in the range <0–2147483647>.
Insignificant if absolute is specified.
rising-index Specifies the rising-event index, in the range <0–65535>.
falling-index Specifies the falling-event index, in the range <0–65535>.
OWNER The owner name can be any alphanumeric string (without spaces).
no Removes all defined RMON alarms. When the alarm index is
specified, only the selected RMON alarm is removed.
Page 6
Table 4: Counter Statistics Kept for a Particular Ethernet Interface

Counter Counter Name Description
Number
1 DropEvents The total number of events in which, packets are

dropped by the probe due to lack of resources. Note
that this number is not necessarily the number of
packets dropped; it is just the number of times this
condition is detected.
2 Octets The total number of octets of data, including those in
bad packets, received on the network (excluding
framing bits but including FCS octets).
3 Pkts The total number of packets received, including bad
packets, broadcast packets, and multicast packets.
4 BroadcastPkts The total number of good packets received that are
directed to the broadcast address. Note that this does
not include multicast packets.
5 MulticastPkts The total number of good packets received that are
directed to a multicast address. Note that this number
does not include packets directed to the broadcast
address.
6 CRCAlignErrors The total number of packets received that had
lengths between 64 and 1518 octets inclusive
(excluding framing bits, but including FCS octets) but
had either a bad Frame Check Sequence (FCS) with
an integral number of octets (FCS Error) or a bad
FCS with a non-integral number of octets (Alignment
Error).
7 UndersizePkts The total number of packets received that are less
than 64 octets long (excluding framing bits, but
including FCS octets) and are otherwise well formed.
8 OversizePkts The total number of packets received that are longer
than 1518 octets (excluding framing bits, but
including FCS octets) and are otherwise well formed.
9 Fragments The total number of packets received that are less
than 64 octets in length (excluding framing bits but
including FCS octets) and had either a bad Frame
Check Sequence (FCS) with an integral number of
octets (FCS Error) or a bad FCS with a non-integral
number of octets (Alignment Error).
10 Jabbers The total number of packets received that are longer
than 1518 octets (excluding framing bits, but
including FCS octets), and had either a bad Frame
Check Sequence (FCS) with an integral number of
octets (FCS Error) or a bad FCS with a non-integral
number of octets (Alignment Error).
Jabber is defined as the condition where any packet
exceeds 20 ms. The allowed range to detect jabber is
between 20 ms and 150 ms.
11 Collisions The best estimate of the total number of collisions on
this Ethernet segment.
Page 7
Counter Counter Name Description

Number
12 Pkts64Octets The total number of packets (including bad packets)

received that are 64 octets in length (excluding
framing bits but including FCS octets).
13 Pkts65to127Octets The total number of packets, including bad packets,
received with lengths between 65 and 127 octets
inclusive (excluding framing bits but including FCS
octets).
octets).
octets).
octets).
octets).
18 High Capacity Pkts For more information, refer to Pkts counter from this
table. This high capacity counter has 64bits.
19 High Capacity Octets For more information, refer to Octets counter from
this table. This high capacity counter has 64bits.
20 High Capacity For more information, refer to Pkts64Octets counter
Pkts64Octets from this table. This high capacity counter has 64bits.
21 High Capacity For more information, refer to Pkts65to127Octets
Pkts65to127Octets counter from this table. This high capacity counter
has 64bits.
has 64bits.
has 64bits.
has 64bits.
25 High Capacity For more information, refer to
Pkts1024to1518Octets Pkts1024to1518Octets counter from this table. This
high capacity counter has 64bits.
Page 8
Example 1
In the following example, the threshold type is absolute, so the falling event is insignificant. The
index has an arbitrary value of zero.
If the threshold type is delta, the index has the number of the event of the falling value.
device-name(config)#rmon alarm 1 counter 2 1/2/3 5 absolute 20000 0 1 0 STN1
Example 2
To remove all defined RMON alarms, perform the following command:
device-name(config)#no rmon alarm
remove all defined RMON alarms ? [y/n] : y
Example 3
To remove a specific RMON alarm, perform the following command:
device-name(config)#no rmon alarm 1
Configuring RMON Events

The rmon event command configures RMON events.
Command Syntax
device-name(config)#rmon event <event-index> DESCRIPTION {none | log |
snmp-trap | trap-and-log} COMM OWNER
device-name(config)#no rmon event [<event-index>]
event-index Specifies the event index, in the range <1–65535>.
If it is a new index, the event is created. If the index already exists, the event is
updated.
DESCRIPTION The event description can be any alphanumeric string (without spaces).
none No notification.
log Generates an RMON log entry when the event is triggered.
snmp-trap Generates an SNMP trap entry when the event is triggered.
trap-and-log Generates an SNMP trap and RMON log entries when the event is triggered.
COMM Specifies the trap community (alphanumeric string without blank spaces).
OWNER The owner name can be any alphanumeric string.
no Removes all existing RMON events. When the event index is specified, only
the selected RMON event is removed.
Page 9
Example 1
To define an RMON event description, select:
• The event index to be 1
• The event description to be the_tank_is_full

• The event notification to be snmp-trap
• The community string, as defined previously, to be PUBLIC

• The event owner to be STN1
device-name(config)#rmon event 1 the_tank_is_full snmp-trap PUBLIC STN1
Example 2
To remove all defined RMON events, perform the following command:
device-name(config)#no rmon event
remove all defined RMON events ? [y/n] : y
Displaying RMON Alarms

The show rmon alarm command displays information about RMON alarms.
Command Syntax
device-name#show rmon alarm [<alarm-index>]
alarm-index (Optional). Displays information about the specified RMON alarm in the
range <1–65535>.
Example
device-name#show rmon alarm
Alarm 1, status active, owned by STN1
Counter Octets, interface 1/2/3
Sampling interval (h:m:s) 00:00:05, SampleType absolute
Current value 5986918 Startup : rising
RisingThreshold 20000 FallingThreshold 0
RisingEventIndex 1 FallingEventIndex 0
Page 10
Displaying RMON Events

The show rmon event command displays information about RMON events.
Command Syntax
device-name#show rmon event [<event-index>]
event-index (Optional). Displays information for the specified RMON event, in the
range <1–65535>.
Example 1
device-name#show rmon event
Event 1, status active, owned by STN1
Description : the_tank_is_full
Type : snmp-trap, LastTimeSent: 01:36:29
Community : PUBLIC
Description : the_tank_is_empty
Community : PUBLIC2
Example 2
device-name#show rmon event 1
Community : PUBLIC
Displaying RMON Statistics

The show rmon statistics command displays counter statistics of the specified port or all
available ports on the device.
Command Syntax
device-name#show rmon statistics [UU/SS/PP]
UU/SS/PP (Optional). Displays counter statistics on the specified port.
Page 11
Example
device-name#show rmon statistics 1/2/3
Undersize 0 In/OutPkts 1024-MaxFrameSize 3915499
Jabbers 0 Down Count 0
DropEvents 0
Table 5: Counters Displayed by the show rmon statistics Command

Counter Description
Octets This counter is incremented once for every data octet of all received
packets. This includes data octets of rejected and local packets that
are not forwarded to the switching core for transmission. This
counter reflects all the data octets received on the line.
For oversized packets, when they exceed the allocated buffer-size,
only buffer-size bytes are counted and all the rest of the bytes are
not.
Collisions This counter is incremented once for every received packet when
detecting a Collision Event.
Broadcast This counter is incremented once for every good Broadcast packet
received.
Multicast This counter is incremented once for every good Multicast packet
received.
CRCalignErrors This counter is incremented once for every received packet that
meets all the following conditions:
• Packet data length is between 64 and MaxFrameSize bytes
(=1518) inclusive
• Packet has invalid CRC
• Collision Event is not detected
• Late Collision Event is not detected
Undersize This counter is incremented once for every received packet that
• Packet data length is less than 64 bytes
• Packet has valid CRC
Page 12
Counter Description
Oversize This counter is incremented once for every received packet that
• Packet data length is greater than MaxFrameSize bytes
(=1518)
• Packet has valid CRC
Fragments This counter is incremented once for every received packet that
• The packet’s data length is less than 64 bytes, or the packet is
without SFD (Start Frame Delimiter) and is less than 64 bytes
in length
Jabbers This counter is incremented once for every received packet that
• Packet data length is greater than MaxFrameSize bytes
(=1518)
DropEvents Not supported.
Last5secInPkts Counts the number of packets received on the device during the five
Last1minInPkts Counts the number of packets received on the device during the
minute before executing the command.
Last5minInPkts Counts the number of packets received on the device during the five
Last5secOutPkts Counts the number of packets transmitted to the device during the
five seconds after executing the command.
Last1minOutPkts Counts the number of packets transmitted to the device during the
minute after executing the command.
Last5minOutPkts Counts the number of packets transmitted to the device during the
five minutes after executing the command.
In/OutPkts 65-127 This counter is incremented once for every received and transmitted
packet that is 65 to 127 bytes in size. This counter includes rejected,
received, and transmitted packets.
packet that is 128 to 255 bytes in size. This counter includes
In/OutPkts 1024- This counter is incremented once for every received and transmitted
MaxFrameSize packet that is 1024 to MaxFrameSize bytes (1518) in size. This
counter includes rejected, received, and transmitted packets.
Page 13
Counter Description
TotalInPkts This counter is incremented once for every received packet. This
includes rejected and local packets that are not forwarded to the
switching core for transmission. This counter reflects all packets
received on the line.
TotalIn/OutPkts This counter is incremented once for every received and transmitted
packet that is 64 to MaxFrameSize bytes (1518) in size. This
counter includes rejected, received, and transmitted packets.
Down Count This counter is incremented once for every disconnection of the
port. The counter is initialized in any of the following cases:
• When the device starts running (provided that the link to the
port is attached), the counter is initialized to zero.
• When inserting the module at run-time (hot-swapped), the
counter is initialized to one.
• If attaching the link to the port for the first time during run-time,
the counter is initialized to one.
Last5secInBps Counts the number of Bps received on the device during the five
Last1minInBps Counts the number of Bps received on the device during the minute
Last5minInBps Counts the number of Bps received on the device during the five
Last5secOutBps Counts the number of Bps transmitted to the device during the five
seconds after executing the command.
Last1minOutBps Counts the number of Bps transmitted to the device during the
minute after executing the command.
Last5minOutBps Counts the number of Bps transmitted to the device during the five
minutes after executing the command.
Displaying High-Capacity Counters

The show rmon statistics high-capacity command displays the high capacity of RMON
statistics for a specified port or for all ports.
Command Syntax
device-name#show rmon statistics [UU/SS/PP] high-capacity
UU/SS/PP (Optional). Displays RMON statistics for the specified port.
Page 14
Example 1
The following example shows interface statistics for port 1/1/1:
device-name#show rmon statistics 1/1/1 high-capacity
interface 1/1/1 High Capacity
Overflow Octets N/A Octets 1
Overflow Packets N/A Packets 6
Overflow 64 N/A In/OutPkts 64 1
Overflow 65-127 N/A In/OutPkts 65-127 1
Overflow 1024-MaxSize N/A In/OutPkts 1024-MaxSize 1
Example 2
The following example shows interface statistics for all supported ports: 1/1/1, 1/1/2, 1/2/1–
1/2/8:
device-name#show interface statistics high-capacity


…………
Page 15

Page 16
1. To define an RMON event description, select:
The event index to be 1
The event description to be the_tank_is_full
The event notification to be snmp-trap
The community string, as defined previously, to be PUBLIC
The event owner to be STN1
device-name(config)#rmon event 1 the_tank_is_full snmp-trap PUBLIC STN1
2. Define RMON alarm conditions. The threshold type is absolute, so the falling event is
insignificant. The index has an arbitrary value of zero. If the threshold type is delta, the index
has the number of the event of the falling value.
device-name(config)#rmon alarm 1 counter 2 1/2/2 5 absolute 20000 0 1 0
STN1
3. Display the configured RMON events:

device-name#show rmon event
Community : PUBLIC
4. Display the configured RMON alarms:

device-name#show rmon alarm
Alarm 1, status active, owned by STN1
Counter Octets, interface 1/2/2
Sampling interval (h:m:s) 00:00:05, SampleType absolute
Current value 0 Startup : rising
RisingThreshold 20000 FallingThreshold 0
RisingEventIndex 1 FallingEventIndex 0
Page 17
Supported Platforms
Remote Monitoring (RMON) + +

Remote Monitoring No standards are Public MIBs: RFC 1271, Remote

(RMON) supported by this • RMON-MIB Network Monitoring
feature. Management Information
• HC-RMON-MIB Base
RFC 3273, Remote
Network Monitoring
Management Information
Base for High Capacity
Networks
Page 18
Configuring System Message Logging
System Log Messages Overview ·································································· 3
System Log Message Format ···································································· 3
NVRAM-based Configuration History Logging··············································· 4
Settings and Values ··············································································· 4
Trap Levels··················································································· 4
Syslog Facility ················································································ 5
Log Modules ················································································· 6
The System Message Logging Default Configuration ········································ 7
The System Message Logging Step by Step Configuration ·································· 8
The System Message Logging Commands ····················································· 9

Local Console Logging··········································································11
Telnet Console Logging·········································································11
Configuring the Console Log to a Syslog Server ·············································12
Configuring Message Logging to Memory Buffer ············································13
Resizing Memory Buffer ········································································13
Enabling the Privilege-limited Logging ························································14
Including the PRIORITY Field or SEQUENCE NUMBER ·······························14
Synchronizing System Log Messages ··························································15
Adding Timestamps ·············································································15
Storing Message Logging to NVRAM ·························································16
Displaying the NVRAM Trap Log·····························································17
Clearing the NVRAM Trap Log································································17
Displaying the Logging Configuration·························································18
Uploading the Log Buffer to a TFTP Server··················································19
Recording Configuration Commands to NVRAM ···········································19
Clearing the Configuration History Log ·······················································20
Displaying the Configuration History for a Specific Session ································20
Enabling Log Messages ·········································································22
Page 1
Configuring System Message Logging (Rev. 07)
Enabling Configuration History································································22
Page 2
System Log Messages Overview

The application software provides system log messages that are useful to the system administrator
for troubleshooting problems in the network:
• The console log routes system messages to a local or remote console, to a Syslog server, to the
NVRAM history table, or to the system memory buffer
• A configuration history log records configuration commands submitted to the device in non-
volatile memory (NVRAM)
• Message logging is configurable (for example, what is included, what trap levels, and where the
log is sent)
System Log Message Format

The logging subsystem takes messages initiated by various software processes within the application
software, formats the messages, and writes them to the appropriate log files. These messages and
come from a local facility or module (a hardware device, protocol, or module within the system
software). The logging subsystem:
• provides logging information for monitoring and troubleshooting
• allows configuration of the types of logging information to be captured and the destination
(log file or other devices)
• supports monitoring of messages remotely (via Telnet or the console port) or on a Syslog
server, and allows privilege-limited viewing
• includes system log messages, configuration history, and trap logging
The system message is stored and displayed based on the following format:
[SEQUENCE_NUMBER:] [DATE TIME:] SOURCE-TASK: [PRIORITY:] MESSAGE-TEXT
Table 1: System Message Fields

Field Description
SOURCE-TASK The name of a system task that generated the message.

MESSAGE-TEXT The textual content of the message.
DATE and TIME (Optional). Indicates when the message is issued.
NOTE
The date and time are displayed in System Time. Specify
either DayTime or NTP protocol to receive the correct
date and time in the log message body (refer the Device
Administration chapter of this User Guide)
PRIORITY (Optional). The literal message’s priority level
SEQUENCE NUMBER (Optional). The sequence number included in the message
Page 3
NOTE
The PRIORITY, SEQUENCE NUMBER and DATE TIME fields are optional. By
default, these fields are not included in any message. To force inclusion of the
PRIORITY and SEQUENCE NUMBER fields in trap-messages, use the log
include command.
The log timestamp datetime localtime timezone msecs command displays the date and
time.
Example
3180:1993-01-03 22:59:25:tTelnetd:informational:Access from 10.3.127.102
granted !
NVRAM-based Configuration History Logging

The Configuration History log is an integral function of the CLI (command line interface). It
records all configuration commands (that is, commands that change the configuration) that are
entered into the device. These commands are recorded into NVRAM, even if the device
configuration is not saved with the write command in Privileged (Enable) mode (refer to the Device
Setup and Maintenance of this User Guide). The configuration-session history is generated and stored
into NVRAM in script-like format, which can be re-executed later. The format is:
!
! time_stamp :: user_id :: device{console | telnet | ssh}
!
! configuration session number start
!
command 1
command 2
….
!
! configuration session number end
!
Settings and Values

Trap Levels
Trap level for logging should be configured per device (NVRAM history, buffer, CLI console, VTY
terminal, and Telnet console) and per facility.
You can configure the device to store messages from the Error level up. Lower level trap messages
are never stored.
By default, only Emergency-level messages are stored in NVRAM. All lower-level trap messages are
filtered out.
To change the level of the trap message logging filter, use the log nvram-history command. The
setting will take effect on the next startup.
Page 4
Table 2: Log Message Severity Levels

Severity Level Keyword Description
0 emergency Internal error occurred. The device reached a crash state and
cannot continue to operate.
1 alert Immediate action needed. The device might operate
incorrectly.
2 critical Internal error or non-supported event occurred.
3 error Error condition (for example, error messages about software or
hardware malfunctions).
4 warning Warning condition.
5 notification Normal but significant condition (for example, interface
up/down transitions and system restart messages).
6 information Informational message only (for example, reload requests and
low-process stack messages).
7 debugging Appears during debugging only.
Syslog Facility
A Syslog facility is a setting for the remote Syslog server and is represented by a number between 0
and 23.
Table 3: Syslog Message Facilities
Numerical Code Facility
0 Kernel messages
1 User-level messages
2 Mail system
3 System daemons
4 Security/authorization messages (0)
5 Messages generated internally by Syslog
6 Line printer subsystem
7 Network news subsystem
8 UUCP subsystem
9 Clock daemon (0)
10 Security/authorization messages (1)
11 FTP daemon
12 NTP subsystem
13 Log audit
14 Log alert
15 Clock daemon (1)
16 Local use 0 (local0)
Page 5
Numerical Code Facility

NOTE
1. Some operating systems use Facilities 4, 10, 13 and 14 for security/authorization
and audit/alert messages.
2. Some operating systems use both Facilities 9 and 15 for clock (clockd0/clockd1)
messages.
Log Modules
The module that generates the message and sends it to the log daemon is represented by a keyword.
NOTE
When a module is configured explicitly, all system log messages from that module
are logged according to the module configuration, and the default configuration is
ignored.
When a module is not configured, the log output contains system log messages from
all system modules.
Table 4: Log Modules

Module Name Keyword Description
DHCP dhcp Dynamic Host Configuration Protocol

FDB fdb MAC-address table module
TIME time Time synchronization clients
KERNEL kernel Router Manager module
IGMP igmp Internet Group Management Protocol
RMON rmon Remote Monitoring module
SNMP snmp Simple Network Management Protocol
STP stp Spanning Tree Protocol
RSTP rstp Rapid Spanning Tree Protocol
MSTP mstp Multiple Spanning Tree Protocol
LACP lacp Link Aggregation Control Protocol
System System General System Messages
MSTP-tx mstp-tx Multiple Spanning Tree Protocol Transmitter
GARP garp Generic Attribute Registration Protocol
Page 6
Module Name Keyword Description
Default default Enables the configurations of all modules, which are not
explicitly configured.
The System Message Logging Default

Configuration
Table 5: Message Logging Default Configuration
NVRAM history Logging Only Emergency Level trap messages are logged.
The PRIORITY field is not recorded.
NVRAM-based Configuration History Disabled
Logging buffer size 1000 messages
Syslog server IP address None configured
Logging to buffer log module default buffer trap debugging
Page 7
The System Message Logging Step by Step

Configuration
To configure the system message logging, proceed as follows:
1. Enable displaying of system log messages:
Display log messages on the CLI console that is attached to the COM port (see Local
Console Logging)
or
Display the system log messages on a Telnet console (see Telnet Console Logging)
or
Display the system log messages on a Syslog server (remote device) (see Configuring the
Console Log to a Syslog Server)
or
Enable storing message logging in the NVRAM history table (see Storing Message Logging to
NVRAM)
or
Copy system log messages to an internal buffer (see Configuring Message Logging to Memory
Buffer)
Uploads the log buffer to a TFTP server, using the specified file-name (see Uploading the
Log Buffer to a TFTP Server)
Copies system log messages to an internal buffer instead of writing them to the console
(see Configuring Message Logging to Memory Buffer)
Enable resizing and displaying the memory buffer (see Resizing Memory Buffer)
Enable privilege-limited logging (see Enabling the Privilege-limited Logging)
Include the PRIORITY field or the sequence number in the logged trap messages (see
Including the PRIORITY Field or SEQUENCE NUMBER)
Synchronize system log messages with a solicited command output (see Synchronizing
System Log Messages)
Add timestamps to the system log messages (see Adding Timestamps )
3. Clear all the memory buffer contents or all System trap-messages from NVRAM (see Clearing
the NVRAM Trap Log)
4. Display the logging configuration (see Displaying the Logging Configuration) and the contents of
the stored system message history (see Displaying the NVRAM Trap Log)
NOTE
When the module MODULE-NAME argument is not specified, the default module is
assumed.
By default, log [module MODULE-NAME] buffer trap debugging and log
[module MODULE-NAME] nvram-history trap emergencies commands do not
appear in the running configuration for any module.
Page 8
The System Message Logging Commands

Table 6: Commands for System Message Logging
Command Description
log cli-console Displays system log messages on the CLI console that is
attached to the COM port (see Local Console Logging)
log telnet-console Display the system log messages on a Telnet console (see
Telnet Console Logging)
log server syslog-facility Display the system log messages on a Syslog server
(remote device) (see Configuring the Console Log to a
Syslog Server)
log nvram-history Enables storing message logging in the NVRAM history
table (see Storing Message Logging to NVRAM)
Table 7: Commands for Optional System Message Logging Configurations

Command Description
log buffer upload-to Uploads the log buffer to a TFTP server, using the specified
file-name (see Uploading the Log Buffer to a TFTP Server)
log buffer trap Copies system log messages to an internal buffer instead of
writing them to the console (see Configuring Message
Logging to Memory Buffer)
log buffer resize-to Enables resizing and displaying the memory buffer (see
Resizing Memory Buffer)
log group users-limit Enables privilege-limited logging (see Enabling the
Privilege-limited Logging)
log include Causes displayed and logged trap-messages to include the
optional PRIORITY field or sequence number (see Including
the PRIORITY Field or SEQUENCE NUMBER)
log synchronous Synchronizes system log messages with a command output
on the CLI console or Telnet session (see Synchronizing
System Log Messages)
log timestamp Adds a timestamp with Uptime or DateTime format (see
Adding Timestamps )
Table 8: Commands for Clearing System Log Messages

Command Description
clear log Clears all the memory buffer contents or all System trap-
messages from NVRAM (see Clearing the NVRAM Trap
Log)
Page 9
Table 9: Commands for Displaying System Log Messages

Command Description
show log Displays the logging configuration (see Displaying the

Logging Configuration)
show log nvram-history Displays the contents of the stored system message history
(see Displaying the NVRAM Trap Log)
Table 10: History Configuration Commands

Command Description
record configuration-history Enables recording the configured commands in

nvram NVRAM (see Recording Configuration Commands to
NVRAM).
clear configuration-history Clears the history of configuration commands (see
nvram Clearing the Configuration History Log).
show configuration-history Displays all configuration commands stored in NVRAM
(see Displaying the Configuration History for a Specific
Session).
Page 10
Local Console Logging

The log cli-console command displays system log messages on the CLI console that is attached
to the COM port
Command Syntax
device-name(config)#log [module MODULE-NAME] cli-console trap TRAP-LEVEL
device-name(config)#no log [module MODULE-NAME] cli-console
module MODULE- (Optional). Specifies the name of the module for which log output to a
NAME local console is enabled.
See Table 4 for the module name keyword.
trap TRAP-LEVEL Specifies trap value for severity. Log message severity levels are listed
in Table 2.
no Stops log output to the CLI console.
Example
The following example enables local console logging for the whole system and configures a
message log filter to the severity level 6.
device-name(config)#log cli-console trap informational
Telnet Console Logging

The log telnet-console command displays the system log messages on a Telnet console if you
are connected through a Telnet client.
NOTE
When applied in a Telnet session, the log telnet-console command is effective
only in the current Telnet session. Therefore, the command is not added to the
configuration file.
Command Syntax
device-name(config)#log [module MODULE-NAME] telnet-console trap TRAP-LEVEL
device-name(config)#no log [module MODULE-NAME] telnet-console
Page 11
NAME local console is enabled. See Table 4 for the module name keyword.
trap TRAP-LEVEL Specifies trap value for severity. Log message severity levels are listed in
Table 2.
no Stops log output to the Telnet console.
Example
The following example enables Telnet console logging for the whole system and configures a
message log filter to the severity level 7.
device-name(config)#log telnet-console trap debugging
Configuring the Console Log to a Syslog Server

The log server syslog-facility command displays the system log messages on a Syslog server
(remote device).
To enable console logging to a Syslog server:

1. Configure the Syslog server to accept and log messages.
2. Apply the log server syslog-facility command.
Command Syntax
device-name(config)#log [module MODULE-NAME] server A.B.C.D syslog-facility
<syslog-facility> trap TRAP-LEVEL
device-name(config)#no log [module MODULE-NAME] server [A.B.C.D]
A.B.C.D IP address of the Syslog server.
NAME local console is enabled.
See Table 4 for the module name keyword.
syslog-facility Syslog facility valid entries are all values from 0 to 23 according to RFC
<syslog-facility> 3164. Recommended values are local6 and local7 (22, 23). The Syslog
message facilities are listed in Table 3.
trap TRAP-LEVEL Specifies trap value for severity. Log message severity levels are listed
in Table 2.
no Disables the remote logging.
Page 12
Configuring Message Logging to Memory Buffer

The log buffer trap command copies system log messages to an internal buffer instead of
writing them to the console.

The buffer is circular in nature, so newer messages overwrite older messages.
Command Syntax
device-name(config)#log [module MODULE-NAME] buffer trap TRAP-LEVEL
device-name(config)#no log [module MODULE-NAME] buffer trap TRAP-LEVEL
NAME local console is enabled. See Table 4 for the module name keyword.
Table 2.
no Disables the memory buffer logging.
Resizing Memory Buffer

The log buffer resize-to command enables resizing and displaying the memory buffer.

By default, the memory buffer size is 1000.
Command Syntax
device-name(config)#log buffer resize-to <buffer-size>
device-name(config)#no log buffer resize-to <buffer-size>
no Sets the default value of the memory buffer.
resize-to <buffer- Resizes the number of messages in the memory buffer, in the range
size> <2–1000>.
Page 13
Enabling the Privilege-limited Logging

The log group users-limit command enables privilege-limited logging; that is, limits the system
log messages that are displayed to the specified trap level when you are not an authorized admin or
net-admin user.

This command is only relevant for serial consoles.
Command Syntax
device-name(config)#log group users-limit trap TRAP-LEVEL
device-name(config)#no log group users-limit
Table 2.
no Disables privilege-limited logging and all users can see all console
messages.
Including the PRIORITY Field or SEQUENCE

NUMBER
The log include command includes the PRIORITY field or SEQUENCE NUMBER in
displayed and logged trap messages.

By default, the PRIORITY field and the SEQUENCE NUMBER are excluded.
Command Syntax
device-name(config)#log include {priority | sequence-number | syslog-prefix }
device-name(config)#no log include {priority | sequence-number}
priority Sets the PRIORITY field in the messages to be displayed and logged.
sequence-number Includes the SEQUENCE NUMBER in the log messages.
syslog-prefix Includes prefix in the syslog message.
no Causes displayed and logged trap messages to exclude the optional
PRIORITY field or the SEQUENCE NUMBER.
Page 14
Synchronizing System Log Messages

The log synchronous command synchronizes system log messages with a command output on
the CLI console or Telnet session.

By default, the synchronous logging feature is disabled.
Command Syntax
device-name(config)#log synchronous {cli-console | telnet-console}
device-name(config)#no log synchronous {cli-console | telnet-console}
cli-console Enables the log synchronous feature on the CLI console.
telnet-console Enables the log synchronous feature on the Telnet console.
no Disables the log synchronous feature.
Example
This example shows how to prevent displaying system log messages on the CLI console until the
command output finishes or is interrupted if press <Ctrl+Z>. Logging to the console session
resumes after displaying all the requested output.
device-name(config)#log synchronous cli-console
Adding Timestamps
The log timestamp command adds a timestamp with Uptime or DateTime format.
NOTE
This command does not affect system log messages sent to the Syslog server.
Command Syntax
device-name(config)#log timestamp {uptime | datetime [<localtime> | <timezone>
| <msec>]}
device-name(config)#no log timestamp {uptime | datetime [<localtime> |
<timezone> | <msec>]}
Page 15
uptime The Uptime format: Days hh:mm:ss.
datetime The DateTime format: is MM/dd hh:mm:ss[.msec].
localtime (Optional). Displays the local time-zone offset relative to GMT.
timezone (Optional). Displays the time zone name.
msec (Optional). Adds milliseconds to the format.
no Disables timestamps in the system log messages.
Storing Message Logging to NVRAM

The log nvram-history command enables storing message logging in the NVRAM history table.
NOTE
This feature logs only the most important system log messages of the system and
cannot be turned off by design.
All trap-messages of the specified level and higher levels (lower severity level
numbers) are stored.
The default trap value set to 0 (emergency).
Command Syntax
device-name(config)#log [module MODULE-NAME] nvram-history trap {alerts |
critical | emergencies | errors}
device-name(config)#no log [module MODULE-NAME] nvram-history
module (Optional). Specifies the name of the module for which console logging to a
MODULE-NAME Syslog server is enabled. See Table 4 for the module name keyword.
alerts Log messages in the event of an internal error that requires immediate
action. Severity level is one.
critical Log messages in the event of an internal error or a non-supported event.
Severity level is two.
emergencies Log messages in the event of an internal error that causes the System to be
unusable. Severity level is zero.
errors Log messages if error conditions exist. Severity level is three.
no Disables the recording, but does not clear existing command records.
Page 16
Displaying the NVRAM Trap Log

The show log nvram-history command displays the contents of the stored system message
history.

You can select output of the first (oldest) specified number of messages, the last (latest) specified
number of messages, or the size of the stored history (number of records).
If no arguments are specified, the entire history is displayed. Stop the output by pressing
<Ctrl+C>.
NOTE
This command determines the severity level that limits trap messages currently
stored, but does not indicate the minimal severity level of previously stored system
log messages that exist in NVRAM.
Command Syntax
device-name#show log nvram-history [first <number-of-records> | last <number-
of-records> | size | status]
first <number-of- (Optional). Displays the specified number of stored trap-messages,

starting at the oldest existing record. The range is <1–65535>.
records>
last <number-of- (Optional). Displays the latest specified number of stored trap-
messages. The range is <1–65535>.
records>
size (Optional). Displays the number of records in the system-message
history.
status (Optional). Displays the status of recording.
Clearing the NVRAM Trap Log

The clear log command clears all memory buffer contents or all system trap-messages from
NVRAM.
Command Syntax
device-name#clear log [buffer | nvram-history]
buffer (Optional). Clears the memory buffer contents.
nvram-history (Optional). Clears the system trap-messages from NVRAM.
Page 17
Displaying the Logging Configuration

The show log command displays the detailed logging configuration.
Command Syntax
device-name#show log {buffer | module MODULE-NAME | nvram-history}
buffer (Optional). Displays the contents of the log memory buffer.
module MODULE-NAME (Optional). Displays the logging configuration for the specified
module. See Table 4 for the module name keyword.
nvram-history Log history in NVRAM.
NOTE
After each reload of the device there are some logs in the log buffer. Even if you clear
the log buffer after reload (no matter reload to defaults or reload save) the buffer has
logs!
Example
This example shows that the buffer size is reduced to 20 messages and log messages are directed to
the CLI and Telnet consoles and to the memory buffer:
device-name#show log module default
Module default configuration:
buffer size:1000 trap: debugging
nvram-history trap: emergencies
Synchronous logging terminals:
device-name(config)#log buffer resize-to 20
device-name#show log module all

Module default configuration:
buffer size:20 trap: debugging
nvram-history trap: emergencies
cli-console trap: notifications
telnet-console trap: warnings
Synchronous logging terminals:
Page 18
Uploading the Log Buffer to a TFTP Server

The log buffer upload-to command uploads the log buffer to a TFTP server, using a specified
file-name.
Command Syntax
device-name#log buffer upload-to A.B.C.D FILE-NAME
A.B.C.D The IP address of the TFTP server.
FILE-NAME (Optional). The name of the uploaded buffer for storing.
Example
device-name#log buffer upload-to 192.168.0.56 buf
Recording Configuration Commands to NVRAM

The record configuration-history nvram command enables recording the configuration
commands in NVRAM.

If you enable configuration recording, you must exit the Global configuration mode for the
command to take effect. Actual recording of configuration commands—not commands in the
View and Privileged (Enable) modes—starts the next time Global Configuration mode is entered
and continues as long as that mode or any mode under it is active. In subsequent configuration
sessions, as long as configuration-history recording is enabled, configuration commands accumulate
in NVRAM by session.
If configuration-history recording is disabled, recording stops immediately (that is, it is not
necessary to exit Global Configuration mode for the command to take effect).
Command Syntax
device-name(config)#record configuration-history nvram
device-name(config)#no record configuration-history
no Disables the recording, but does not clear existing command records.
Page 19
Clearing the Configuration History Log

The clear configuration-history nvram command removes all the recorded configuration
commands from NVRAM.
Command Syntax
device-name#clear configuration-history nvram
Displaying the Configuration History for a Specific

Session
The show configuration-history command displays all configuration commands stored in
NVRAM during the specified session.
Command Syntax
device-name#show configuration-history [<session-number> | all | size | status]
session- (Optional). Number of session displayed in the range <1–65535>. If no
number session number is specified, the command displays all configuration
commands stored in NVRAM during the last session.
all Displays all configuration commands stored in NVRAM during all recorded
sessions.
size Displays the number of sessions currently stored in NVRAM.
status Displays the current recording state of configuration history (as set by the
record configuration-history nvram command).
Example 1
The following example displays the last configuration-session (two sessions were recorded):
device-name#show configuration-history
! Configuration session 2 start
configure terminal
interface 1/1/1
mac access-group 400
! Configuration session 2 end
Page 20
Example 2
The following example displays the specified configuration-session (session number 1):
device-name#show configuration-history 1
configure terminal
access-list 400 permit host 00:00:11:22:33:45 any
Example 3
The following example displays all recorded configuration-sessions:
device-name#show configuration-history all
configure terminal
access-list 400 permit host 00:00:11:22:33:45 any
configure terminal
interface 1/1/1
no mac access-group 400
Example 4
device-name#show configuration-history size
Configuration history consists of 2 sessions (num. 1 - 2).
Example 5
device-name#show configuration-history status
Configuration history recording enabled
Page 21
Enabling Log Messages
The following example shows how to enable log messages for the notification level that is displayed
by the console port, on Telnet session and on remote Syslog server with IP address 220.119.10.1.
1. Enable logging to the console port:
device-name(config)#log cli-console trap notifications
2. Enable logging to Telnet:

device-name(config)#log telnet-console trap notifications
3. Enable logging to a Syslog server with the IP address 220.119.10.1:

device-name(config)#log server 220.119.10.1 syslog-facility user trap
notifications
Enabling Configuration History

1. Enable configuration recording:
device-name(config)#record configuration-history nvram
Exit this configuration session for this setting to take effect
and re-enter configuration mode.
2. Exit from Global Configuration mode:

3. Make the device configuration, for example:

device-name(config-if 1/1/2)#show
Name =
Link = down
Page 22
Multicast limit = unlimited

Unknown limit = unlimited
Default VLAN = 1
4. Display the configuration recording:

configure terminal
interface 1/1/1
link-aggregation static id 2
interface 1/1/2
link-aggregation static id 2
show
5. Clear the configuration recording:

device-name#clear configuration-history nvram
6. Display the configuration recording after clearing:

% No commands stored in configuration history.
Page 23
Supported Platforms
System Message Logging + +

System Message No standards are No MIBs are RFC 3164, The

Logging supported by this feature. supported by this BSD syslog
feature. Protocol (client
mode)
Page 24
Troubleshooting and Monitoring
Table of Figures ······················································································ 5
Chapter Overview ···················································································· 6

Layer 1 Tools—Troubleshooting Hardware Issues ··········································· 6
Layer 2 Tools—Troubleshooting Traffic Issues ··············································· 6
Layer 3 Tools—Troubleshooting Network Issues ············································ 7
General Troubleshooting Tools ································································· 7
Built-in Self Test (BiST) ············································································ 8

Startup BiST······················································································· 8
BiST Commands·················································································· 9
Invoking BiST ··············································································· 9
Clearing the Power Supply Alert ··························································10
Displaying BiST Results ···································································10
CPU Utilization ····················································································· 11

CPU Utilization Default Configuration························································11
Enabling CPU Utilization Monitoring ·························································11
Hardware and Environment Monitoring ·······················································12

Displaying the CPU Utilization ···························································12
Displaying the CPU Temperature ························································13
Displaying the Power Supply Status ······················································13
Displaying the Fan Status··································································14
Periodic Monitoring ················································································15

Periodic-Monitoring Indicator Types ··························································15
Alert Types ·······················································································16
Monitoring Limited Values ·····································································16
Periodic Monitoring Default Configuration···················································17
Periodic Monitoring Configuration Flow······················································18
Periodic Monitoring Configuration-Commands ··············································19
Configuring Periodic Monitoring for All the Indicators ································21
Page 1
Troubleshooting and Monitoring (Rev. 10)
Enabling CPU Monitoring and Entering the CPU Monitoring Mode ················21
Enabling Flash-Usage Monitoring and Entering the Flash Monitoring Mode ·······22
Enabling Fan Monitoring and Entering the Fan Monitoring Mode ···················22
Enabling Power Monitoring and Entering the Power Monitoring Mode ·············23
Enabling RAM Monitoring and Entering the RAM Monitoring Mode ···············23
Enabling Temperature Monitoring and Entering the Temperature Monitoring Mode
·······························································································24
Enabling Laser Management Monitoring and Entering the Laser Monitoring Mode25
Enabling Port Monitoring and Entering the Port Monitoring Mode··················26
Enabling Periodic Monitoring for a Specific Indicator ·································27
Disabling Periodic Monitoring for a Specific Indicator·································27
Restoring Default Settings for a Specific Indicator······································27
Enabling Log-Alert Notification for a Specific Indicator·······························28
Enabling LED-Alert Notification for a Specific Indicator ·····························28
Enabling SNMP Trap Notifications for a Specific Indicator···························29
Defining the Monitoring Interval for a Specific Indicator······························29
Defining a Limit Value for a Specific Indicator ·········································30
Defining a Scale for Triggering New Alerts··············································31
Displaying the Periodic Monitoring Settings·············································32
Displaying a Specific Indicator’s Monitoring Settings ··································34
CPU Usage Monitoring ····································································35
RAM Usage Monitoring ···································································36
Flash Usage Monitoring ···································································37
Laser Management ·················································································39

Laser Management Default Configuration ····················································39
Laser Management Configuration Flow ·······················································40
Laser Management Commands·································································41
Enabling Laser Management and Entering the Laser Monitoring Mode ·············42
Enabling Periodic Laser Management ····················································42
Disabling the Periodic Laser Management ···············································42
Restoring the Default Laser Management Configuration·······························43
Defining the Laser Management Polling Intervals ······································43
Page 2
Enabling Laser Management Log-Alert Notification ···································44

Enables Laser Management LED-Alert Notification ···································44
Enabling Laser Management SNMP Trap Notification ································45
Defining the Port(s) Temperature Threshold············································45
Defining the Port(s) Tx Power Threshold ···············································46
Defining the Port(s) Rx Power Threshold ···············································47
Displaying the Laser Management Settings ··············································48
Displaying the Port(s) Laser Settings ·····················································48
Virtual Cable Testing (VCT)······································································51

Possible Test Results ············································································51
Initiating VCT on a Port ········································································51
Port Mirroring (Port Monitoring) ································································54

Source Port Characteristics ·····································································55
Destination Port Characteristics································································55
Port Monitoring Defaults ·······································································55
Port Monitoring Commands ···································································55
Initiating a Monitor Session ·······························································56
Displaying a Monitor Session ·····························································56
Iometrix Loopback and Logical Services Loopback (LSL) ·································58

Iometrix Loopback ··············································································58
LSL································································································58
Iometrix Loopback and LSL Default Configuration ·········································59
Iometrix Loopback and LSL Commands ·····················································59
Enabling Iometrix Loopback on a Port/LAG···········································60
Displaying a Port/LAG Iometrix Configuration ········································60
Enabling LSL on a Port/LAG ····························································61
Configuring the LSL Destination MAC Address········································62
Displaying the LSL Configuration ························································62
Network Loopback Tester ········································································64

Network Loopback Tester Commands························································64
Configuring Network Loopback Tester on a Port/LAG·······························64
Displaying Network Loopback Tester·························································65
Page 3
Watchdog Features ·················································································67

Watchdog Default Configuration ······························································67
Watchdog Commands···········································································67
Entering the Watchdog Configuration Mode············································68
Configuring Reset-Loop Detection·······················································68
Configuring SNMP Request Failure Detection··········································69
Configuring CPU Task Suspension Detection···········································69
Displaying the Watchdog Configuration ·················································70
Diagnosing Connectivity Issues··································································71

Packet Internet Groper (PING)································································71
Traceroute ························································································72
Connectivity-Troubleshooting Defaults ·······················································73
Connectivity-Troubleshooting Commands ···················································73
Pinging a Device············································································74
Executing Traceroute ······································································75
Technical Support Information···································································76

Technical Support Commands ·································································76
Selecting the Extracted Technical Support Information································76
Displaying Technical Support Information ··············································79
Uploading the Tech-Support File ·························································80
Page 4
Table of Figures
Figure 1: Periodic Monitoring Configuration Flow···········································18
Figure 2: Laser Management Configuration Flow ············································40
Figure 3: Local Port Mirroring ·································································54
Figure 4: Remote Port Mirroring·······························································54
Figure 5: Monitor-Session Configuration Example ··········································57
Page 5
Chapter Overview
Telco Systems provides a set of powerful tools for troubleshooting and resolving technical issues
with T-Marc 300 Series devices. This chapter details these tools.
Layer 1 Tools—Troubleshooting Hardware Issues

• Built-in Self Test (BiST)
BiST is a set of basic and configuration validity tests that report hardware failures.
• CPU Utilization
The CPU utilization tool provides a clear picture of how the device CPU handles the
load.
• Hardware and Environment Monitoring
This section lists the show commands for monitoring the current hardware and
environmental parameters of the device.
• Periodic Monitoring
Periodic monitoring is a method for monitoring hardware conditions in order to identify
problematic hardware and deteriorated environmental conditions.
• Laser Management
Laser management is used for monitoring optical SFP transceivers’ operational-
parameters.
• Virtual Cable Testing (VCT)
VCT is a feature that utilizes time domain reflectometry to diagnose cable and link
problems.
Layer 2 Tools—Troubleshooting Traffic Issues

• Port Mirroring (Port Monitoring)
Port Mirroring is a method for monitoring network traffic by sending copies of all
incoming and outgoing packets from one port to a monitoring port, where these packets
are diagnosed.
• Iometrix Loopback and Logical Services Loopback (LSL)
Both of these features perform loopback quality-of-service measurements over IP and
Carrier Ethernet networks to ensure service level agreements.
• Network Loopback Tester
Network Loopback is a network troubleshooting mechanism for diagnosting network
failures, available on all Ethernet ports with line-rate response and based on specified
ACGs.
• Watchdog Features
This is a feature used to monitor the performance of a set of tasks to ensure their proper
functionality.
Page 6
Layer 3 Tools—Troubleshooting Network Issues

• Diagnosing Connectivity
This section provides information about the Ping and Traceroute utilities used for
diagnosing connectivity problems.
• SNMP Notifications
A management tool for monitoring events on the device. For more information, refer to
the Configuring SNMP and SNMP Reference Guide chapters of this user guide.
General Troubleshooting Tools

• Show commands, debug commands, and Logs
The T-Marc 300 Series’ CLI includes sets of show and debug commands per feature. You
can use these commands to extract relevant information on the features’ configuration
and performance.
For the detailed list of show and debug commands, refer to the relevant feature’s chapter
of this user guide.
In addition, refer to the Configuring System Message Logging chapter for detailed information
about the device’s system logs.
• Technical Support Information
This section lists commands that retrieve the devices' technical information. The system
administrators can forward the commands output to Telco Systems’ technical support
team to assist them in the troubleshooting task.
Page 7
Built-in Self Test (BiST)

The BiST is a set of basic hardware and configuration validity tests. It is performed automatically on
startup (Startup BiST) and its results are summarized on the terminal before the switch banner. In
addition, you can invoke the BiST at any time during the T-Marc 300 Series operation.
The BiST results are grouped as shown in the following table:
Table 1: BiST Result Groups
Test Group Description
CPU Core Test Checks the validity of the packet processor

Power Supply Test Checks the voltage output of internal PSU
Fan Test Checks the device fans’ status
Temperature Test Validates that the temperature is within the configured range
CPU Resources test Checks the CPU utilization percentage
Laser Management Test Checks the Rx/Tx optical power (to enable this test, refer to Enabling
Laser Management Monitoring and Entering the Laser Monitoring
Mode)
Port Statistics Tests Checks CRC and malformed packets on port
RAM Resources Test Checks the RAM utilization percentage
Flash Resources Test Checks the Flash utilization percentage
Startup BiST
The Startup BiST reports a summary of the results by BiST group, stating whether the group tests
passed or failed.
• When all the BiST tests pass, the device Status LED (STS) turns steady green.
• When one or more tests fail, the device STS LED starts blinking.
Below is the console-port screen example of a Startup BIST:
BUILT-IN SELF TEST
------------------
Power Supply Test : Passed
Fan Test : Passed
Page 8
BiST Commands
Table 2: BiST Commands
Command Description
self-test Invokes BiST (see Invoking BiST)

clear power-supply- Clears the BiST external power supply alert or clears the second
alarms power feed alert (see Clearing the Power Supply Alert)
show self-test Displays the results of last BiST (see Displaying BiST Results)
Invoking BiST
The self-test command runs a BiST test.
Caution
This command does not execute the RAM Resource Test since this test clears
the RAM memory. This test is executed during the startup BiST.
Command Syntax
device-name#self-test
Example
device-name#self-test
Processing BIST by request...
CPU Core Test :

CPU Validation - Passed
Power Supply Test :

Power Supply-I - Passed
Fan Test :
Fan 1 - Passed
Fan 2 - Passed
Fan 3 - Passed
Temperature Test :
Temperature - Passed
Page 9
Clearing the Power Supply Alert

The clear power-supply-alarms command clears the BiST external power-supply alert (PS-I or
PS-E LEDs).
Command Syntax
device-name#clear power-supply-alarms
Displaying BiST Results

The show self-test command displays the tests that failed during the last BiST.
NOTE
The report that is displayed by the show self-test command is based on the
periodic monitoring on operational indicators (see Periodic Monitoring).
Command Syntax
device-name#show self-test [full]
full (Optional) the command displays the full details of the last BiST, including
additional tests (that are not usually displayed), stating each test’s results.
If you do not use this argument, the command displays:
• a notification, stating whether the BiST encountered any problems
• only failed items and their status
Example 1
Below is an example of BiST results when all tests pass:
device-name#show self-test
No problem encountered by BIST
Example 2
Below is an example of BiST results when the fan test failed:
device-name#show self-test
Problem encountered by BIST
FLASH Resources Test :
FLASH Usage - Failed
Page 10
CPU Utilization
CPU utilization provides a picture of how the device CPU handles the load. The higher the
percentage of the CPU used by data transfer, the less power the CPU can devote to other tasks. A
device is diagnosed underpowered or has depleted resources, if it utilizes 80-85% of its CPU for an
extended period of time.
CPU Utilization Default Configuration

Table 3: CPU Utilization Default Configuration
CPU utilization monitoring Enabled
Enabling CPU Utilization Monitoring

The cpu monitoring command enables CPU utilization monitoring. (To display the CPU
utilization, refer to the Hardware and Environment Monitoring section below).

CPU utilization monitoring is enabled by default.
Command Syntax
device-name(config)#[no] cpu monitoring
no Disables CPU utilization monitoring
Page 11
Hardware and Environment Monitoring

The T-Marc 300 Series’ CLI provides a sets of show commands to monitor the current hardware
and environmental parameters of the device.
Table 4: Periodic Monitoring Display Commands

Command Description
show cpu utilization Displays real-time CPU usage (see Displaying the CPU Utilization)
show temperature Displays the current temperature at the CPU area (see Displaying
the CPU Temperature)
show power supply Displays the power supply status (see Displaying the Power
Supply Status)
show fan Displays the fan status (see
Displaying the Fan Status)
Displaying the CPU Utilization

The show cpu utilization command displays the device’s real-time CPU usage. You have to
enable CPU utilization monitoring prior to executing this command.
Command Syntax
device-name#show cpu utilization
Example
device-name#show cpu utilization
CPU usage 6%
Page 12
Displaying the CPU Temperature

The show temperature command displays the current temperature at the CPU area in both
Celsius and Fahrenheit.
Command Syntax
device-name#show temperature [high-limit]
high-limit (Optional) displays the defined CPU temperature limit-value
Example 1
device-name#show temperature
CPU Temperature = 30C (86F)
Example 2
device-name#show temperature high-limit
CPU temperature high limit = 55C (131F)
Displaying the Power Supply Status

The show power supply command displays the power supply status.
Command Syntax
device-name#show power-supply
Example
device-name#show power-supply
Power Supply-I: Power OK - 12V
Power Supply-E: No Power
Page 13
Displaying the Fan Status

The show fan command displays the fan status. The fan status can have one of two values: OK or
Failed.
Command Syntax
device-name#show fan
Example
device-name#show fan
Fan tray:
Fan 1 : OK
Fan 2 : OK
Fan 3 : OK
Page 14
Periodic Monitoring
Periodic monitoring is a method used for monitoring different hardware conditions before they
become critical. This method generates SNMP traps notifying of the device status.
You can use periodic monitoring:
• to ensure a more reliable day-to-day operation. You can periodically monitor crucial device
functions in the background, receiving alerts when the monitored indicators vary from
operating norms.
• as a troubleshooting tool, monitoring transient conditions and tracking irregular behaviors.
You can use this method for triggering diagnostic data-polling based on the device operational
status.
Periodic-Monitoring Indicator Types

There are two types of monitored indicators:
• Pass/Fail conditions—the monitor function returns a simple Pass or Fail operational status for
the monitored indicator (for example, whether the fans are working or not, or is the power
supply working or not).
• Measured values—the monitor function returns a measured value of the monitored indicator (for
example, the device temperature or the number of packet errors).
Below is the list of the operational indicators that are periodically monitored.
Table 5: Periodic Monitored Operational Indicators
Indicator Monitored As
Power supply Pass/Fail

Fan Pass/Fail
Laser Management Pass/Fail
CPU usage Measured value
Flash usage Measured value
RAM usage Measured value
Temperature Measured value
Page 15
Alert Types
You can assign any or all of the actions below to monitor an alert status:
• log—the alert status is written to the CLI history and error message log files
• led status—the STS LED flashes on the device front panel
• trap—generate an SNMP trap
You can define an alert behavior globally (for all monitored indicators) or individually (for each
specific indicator).
Monitoring Limited Values

In order to monitor measured values, you can define limit values that generate alerts when they are
crossed.
You can configure the following conditions:
• the measured value rises above the limit value
• the measured value drops below the limit value
• the measured value crosses the limit value in either direction
Page 16
Periodic Monitoring Default Configuration

Table 6: Periodic Monitoring Default Configuration
Temperature Enabled
Temperature monitoring scale Celsius
Fan Enabled
Power supply Enabled
CPU usage Enabled
Flash usage Enabled
RAM (memory) usage Enabled
Laser Management Disabled
Port Disabled
Log message alert Enabled
LED alert Enabled
Trap alert Enabled
Limit values for monitoring alert See Table 11
Delta value for monitoring alert Disabled
Monitoring interval See Table 7
Table 7: Monitoring-Interval Default Configuration

Power supply 60 seconds

Fans 60 seconds
Temperature 20 seconds
Port statistics 10 seconds
CPU usage 10 seconds
RAM usage 30 seconds
Flash usage 60 seconds
Laser Management 20 seconds
Page 17
Periodic Monitoring Configuration Flow
Start
Enable periodic monitoring for a specific

indicator (see Table 8)
Select the alert type(s):

log alert, LED alert, or SNMP Trap
Define the indicators' monitoring interval
Define the indicators' limit value
Define a scale for triggering new alerts
End
Figure 1: Periodic Monitoring Configuration Flow
Page 18
Periodic Monitoring Configuration-Commands

Table 8: Global Monitoring Configuration Commands
Command Description
monitor all Configures periodic monitoring for all indicators (see Configuring
Periodic Monitoring)
monitor cpu-usage Enables CPU Monitoring (see Enabling CPU Monitoring and
Entering the CPU Monitoring Mode)
monitor flash-usage Enables Flash-usage monitoring (see Enabling Flash-Usage
Monitoring and Entering the Flash Monitoring Mode)
monitor fan Enables fan monitoring (see Enabling Fan Monitoring and Entering
the Fan Monitoring Mode)
monitor power Enables power monitoring (see Enabling Power Monitoring and
Entering the Power Monitoring Mode)
monitor ram-usage Enables RAM monitoring (see Enabling RAM Monitoring and
Entering the RAM Monitoring Mode)
monitor temperature Enables temperature monitoring (see Enabling Temperature
Monitoring and Entering the Temperature Monitoring Mode)
monitor laser Enables Laser Management monitoring (see Enabling Laser
Management Monitoring and Entering the Laser Monitoring Mode)
monitor ports Enables port monitoring (see Enabling Port Monitoring and
Entering the Port Monitoring Mode)
Page 19
Table 9: Specific Monitoring Configuration Commands

NOTE
You must enter the specific-indicator’s Monitoring Configuration mode to use these
commands (refer to Table 8 )
Command Description
enable Enables periodic monitoring for a specific indicator (see Enabling

Periodic Monitoring for a Specific Indicator)
disable Disables periodic monitoring for a specific indicator (see Disabling
Periodic Monitoring for a Specific Indicator)
default Restores the default settings for a specific indicator (see Restoring
Default Settings for a Specific Indicator)
log Enables alert-notification logging for a specific indicator (see
Enabling Log-Alert Notification for a Specific Indicator)
status-led Enables LED-alert notification for a specific indicator (see Enabling
LED-Alert Notification for a Specific Indicator)
trap Enables SNMP trap notification for a specific indicator.(see
Enabling SNMP Trap Notifications for a Specific Indicator)
period Defines the interval at which an indicator is polled (see Defining
the Monitoring Interval for a Specific Indicator)
limit Defines a limit value for a specific indicator (see Defining a Limit
Value for a Specific Indicator)
delta Defines the scale for triggering new alerts as the measured value
changes (see Defining a Scale for Triggering New Alerts)
Table 10: Periodic Monitoring Display Commands

Command Description
show monitor Displays the periodic monitoring settings for enabled indicators
(see Displaying the Periodic Monitoring Settings)
show Displays the monitoring settings of a specific indicator (see
Displaying a Specific Indicator’s Monitoring Settings)
Page 20
Configuring Periodic Monitoring for All the Indicators

The monitor all command configures periodic monitoring for all the indicators.

All alert options are enabled by default. If you use this command without specifying any of the
three optional arguments (log, status-led, or trap), the command enables all alert options.
Command Syntax
device-name(config)#monitor all [log | status-led | trap] {enable | disable}
device-name(config)#no monitor all [log | status-led | trap]
log (Optional) writes alert messages to the log history
status-led (Optional) triggers the STS LED to blink in case of a failure
trap (Optional) sends SNMP traps
enable Enables periodical monitoring
disable Disables periodical monitoring
Enabling CPU Monitoring and Entering the CPU Monitoring Mode

The monitor cpu-usage command enables CPU monitoring. Use this command without
arguments to enter the CPU Monitoring Configuration mode.
The CPU monitoring periodically samples the CPU usage and calculates their average value. If the
calculated value exceeds a configured limit value, the monitor triggers an alert.

CPU usage monitoring is enabled by default.
Command Syntax
device-name(config)#monitor cpu-usage [enable | disable]
device-name(config)#no monitor cpu-usage
device-name(config)#monitor cpu-usage
device-name(config monitor cpu-usage)#
enable (Optional) enables CPU usage monitoring
disable (Optional) disables CPU usage monitoring
Page 21
Enabling Flash-Usage Monitoring and Entering the Flash

Monitoring Mode
The monitor flash-usage command enables Flash-usage monitoring. Use this command without
arguments to enter the Flash Monitoring Configuration mode.
The Flash-usage monitoring periodically samples the remaining Flash space available for allocation.
If the calculated value drops from a configured limit value, the monitor triggers an alert.

Flash usage monitoring is enabled by default.
Command Syntax
device-name(config)#monitor flash-usage [enable | disable]
device-name(config)#no monitor flash-usage
device-name(config)#monitor flash-usage
device-name(config monitor flash-usage)#
enable (Optional) enables Flash usage monitoring
disable (Optional) disables Flash usage monitoring
Enabling Fan Monitoring and Entering the Fan Monitoring Mode

The monitor fan command enables fan monitoring. Use this command without arguments to
enter the Fan Monitoring Configuration mode.

Fan monitoring is enabled by default.
Command Syntax
device-name(config)#monitor fan [enable | disable]
device-name(config)#no monitor fan
device-name(config)#monitor fan
device-name(config monitor fan)#
enable (Optional) enables fan monitoring
disable (Optional) disables fan monitoring
Page 22
Enabling Power Monitoring and Entering the Power Monitoring

Mode
The monitor power command enables power monitoring. Use this command without arguments
to enter the Power Monitoring Configuration mode.

Power monitoring is enabled by default.
Command Syntax
device-name(config)#monitor power [enable | disable]
device-name(config)#no monitor power
device-name(config)#monitor power
device-name(config monitor power)#
enable (Optional) enables power monitoring
disable (Optional) disables power monitoring
Enabling RAM Monitoring and Entering the RAM Monitoring Mode

The monitor ram-usage command enables RAM Monitoring, Use this commands without
arguments to enter the RAM Monitoring Configuration mode.
The RAM usage monitoring periodically checks the remaining RAM that is available for allocation.
If this amount is less than a configured limit value, the monitor triggers an alert.

RAM usage monitoring is enabled by default.
Command Syntax
device-name(config)#monitor ram-usage [enable | disable]
device-name(config)#no monitor ram-usage
device-name(config)#monitor ram-usage
device-name(config monitor ram-usage)#
enable (Optional) enables RAM usage monitoring
disable (Optional) disables RAM usage monitoring
Page 23
Enabling Temperature Monitoring and Entering the Temperature

Monitoring Mode
The monitor temperature command enables temperature monitoring and defines the
temperature scale. Use this commands without arguments to enter the Temperature Monitoring
Configuration mode.
The Temperature Monitoring Configuration mode indicates the temperature scale settings,
displaying C for Celsius or F for Fahrenheit.

Temperature monitoring is enabled by default.
Command Syntax
device-name(config)#monitor temperature [enable | disable | celsius |
fahrenheit]
device-name(config)#no monitor temperature
device-name(config)#monitor temperature
device-name(config monitor temperature C)#
device-name(config monitor temperature F)#
enable (Optional) enables temperature monitoring
disable (Optional) disables temperature monitoring
celsius (Optional) configures the temperature scale to Celsius.
Celsius
fahrenheit (Optional) configures the temperature scale to Fahrenheit
Example
device-name(config)#monitor temperature fahrenheit
device-name(config monitor temperature F)#
Page 24
Enabling Laser Management Monitoring and Entering the Laser

Monitoring Mode
The monitor laser command enables Laser Management monitoring and enters the Laser
Monitoring Configuration mode.
For more information, refer to the Laser Management section of this document.

Laser Management monitoring is disabled by default.
Command Syntax
device-name(config)#monitor laser [enable | disable]
device-name(config monitor laser)#
enable (Optional) enables Laser Management monitoring
disable (Optional) disables Laser Management monitoring
Page 25
Enabling Port Monitoring and Entering the Port Monitoring Mode

The monitor ports command enables port monitoring. Use this commands without arguments to
enter the Port Monitoring Configuration mode.
Port monitoring includes the following counters:
• Runts—this counter is incremented by one for each received and transmitted packet that is
less than 64 bytes in size. This counter includes rejected, received, and transmitted packets.
• Over Size—this counter is incremented by one for each received and transmitted packet that
is more than the configured MaxFrameSize (for more information, refer to the Configuring
Interfaces chapter of this user guide). This counter includes rejected, received, and transmitted
packets
• CRCAlignErrors—this counter is incremented by one for every received packet that meets all
the following conditions:
The packet data length is between 64 and MaxFrameSize bytes inclusive
The packet has an invalid CRC
No collision event is detected
No late collision event is detected
NOTE
In order to avoid excessive load on the server, a trap notification is sent only when
the number of errors on a port increases. However, you can configure a trap
notification to also indicate a decrease in the number of errors on a port.

Port monitoring is disabled by default.
Command Syntax
device-name(config)#monitor ports [enable | disable]
device-name(config)#no monitor ports
device-name(config)#monitor ports
device-name(config monitor ports)#
enable (Optional) enables port monitoring
disable (Optional) disables port monitoring
Page 26
Enabling Periodic Monitoring for a Specific Indicator

The enable command enables periodic monitoring for a specific indicator.
CLI Mode: Specific Monitoring Configuration
Command Syntax
device-name(config monitor INDICATOR)#enable
Example
The following example enables temperature monitoring:
device-name(config monitor temperature)#enable
Disabling Periodic Monitoring for a Specific Indicator

The disable command disables periodic monitoring for a specific indicator.
Command Syntax
device-name(config monitor INDICATOR)#disable
Example
The following example disables temperature monitoring:
device-name(config monitor temperature)#disable
Restoring Default Settings for a Specific Indicator

The default command restores the default settings for a specific indicator.
Command Syntax
device-name(config monitor INDICATOR)#default
Page 27
Enabling Log-Alert Notification for a Specific Indicator

The log command enables alert-notification logging for a specific indicator. When you enable this
option, an alert message is written to the log and history files when one of the following conditions
occurs:
• the indicator status is fail
• the indicator’s measured value exceeds its configured limit value
• the indicator’s measured value crosses a configured delta point
To use the Syslog server, refer to the Configuring System Message Logging chapter of this user guide.

Log-alert notification is enabled by default.
Command Syntax
device-name(config monitor INDICATOR)#log {enable | disable}
enable Enables log-alert notification
disable Disables log-alert notification
Enabling LED-Alert Notification for a Specific Indicator

The status-led command enables LED-alert notification for a specific indicator. When you
enable this option, the STS LED starts blinking when one of the following conditions occurs:
• the indicator’s measured value exceeds its configured limit

LED-alert notification is enabled by default.
Command Syntax
device-name(config monitor INDICATOR)#status-led {enable | disable}
enable Enables LED-alert notification
disable Disables LED-alert notification
Page 28
Enabling SNMP Trap Notifications for a Specific Indicator

The trap command enables SNMP trap notification for a specific indicator. When you enable this
option, an SNMP trap is issued when one of the following conditions occurs:
• the indicator’s measured value exceeds its configured limit
For more information, refer to the Configuring Simple Network Management Protocol (SNMP) chapter of
this user guide.

SNMP trap notification is enabled by default.
Command Syntax
device-name(config monitor INDICATOR)#trap {enable | disable}
enable Enables SNMP trap notification
disable Disables SNMP trap notification
Defining the Monitoring Interval for a Specific Indicator

The period command defines the intervals at which an indicator is polled.

Table 7 lists the default monitoring intervals.
Command Syntax
device-name(config monitor INDICATOR)#period {hour | minutes | seconds}
<value>
device-name(config monitor INDICATOR)#no period
hour Sets the monitoring interval in hour units
minutes Sets the monitoring interval in minute units
seconds Sets the monitoring interval in second units
value The monitoring interval. Valid values are:
• <1–24> hours
• <1–1440> minutes
• <1–86400> seconds
Page 29
Defining a Limit Value for a Specific Indicator

The limit command defines a limit value for a specific indicator.

The below table list the default and allowed limit values.
Command Syntax
device-name(config monitor INDICATOR)#limit <value>
device-name(config monitor INDICATOR)#no limit
value The limit value. Defining a zero (00 value disables limit-based alerts and
erases the limit
Table 11: Allowed Limit Values

Indicator Units of Allowed Limit Values Default Value
Measurement
monitor Degrees Celsius 0°–60° C 55°C

temperature
Degrees Fahrenheit 32°–140° F 131°F
monitor cpu-usage % 0–100 75%
monitor flash- KB 0–Flash size KB 3047 KB
usage
monitor ram-usage KB 0–Installed RAM 1000 KB
monitor laser see Laser Management Commands
NOTE
When a monitored value exceeds the specified limit value, alert notification is
triggered. An exception is the RAM usage value: when this value is lower than the
specified limit value, an alert notification is triggered.
Page 30
Defining a Scale for Triggering New Alerts

The delta command defines the scale for triggering new alerts as the measured value changes.
Command Syntax
device-name(config monitor INDICATOR)#delta <difference> [always | greater |
less]
device-name(config monitor INDICATOR)#no delta
This command defines delta points that are whole multiples of the <difference> argument, in which a
new alert is generated. For example, if the limit value is 55 and <difference> is 3, new alerts are
generated when the value crosses each of the values: 55, 58, 61, 64, and so on.
difference The delta between the current monitored value and previous measurement
that should trigger an alert.
For temperature monitoring, the configured unit is in Fahrenheit or Celsius
degrees, depending on the selected temperature scale.
always (Optional) triggers an alert when the measured value rises above or drops
below the value limit by a multiple of the <difference>
greater (Optional) triggers an alert when the measured value rises above the limit
by a multiple of the <difference>
less (Optional) triggers an alert when the measured value drops below the limit
by a multiple of the <difference>
no Restores to defaults. Specifying a zero value disables delta alerts.
Example
In this example an alert is generated when the measured temperature rises above the limit by 5º,
10º, 15º, and so on. No alert is generated when the temperature drops below the limit..
device-name(config monitor temperature C)#delta 5 greater
Page 31
Displaying the Periodic Monitoring Settings

The show monitor command displays the periodic monitoring settings for enabled indicators,
including Laser Management monitoring (see also Displaying BiST Results).
Command Syntax
device-name#show monitor [INDICATOR] [brief]
INDICATOR (Optional) displays periodic monitoring settings for a specific indicator. The
valid options are:
• power
• fan
• temperature
• port
• cpu-usage
• ram-usage
• flash-usage
• laser
brief (Optional) displays a summary of all monitored indicators
Example 1
Use the command without any options to display the status of all enabled indicators:
device-name#show monitor
Power Supply Test
Period : 60 sec.
Status LED : Enabled
Traps : Enabled
Log : Enabled
Fan Test
Period : 60 sec.
Traps : Enabled
Log : Enabled
Temperature Test
Page 32
Period : 20 sec.
Traps : Enabled
Log : Enabled
Temperature limit : 55C
Port Statistics Test
Period : 10 sec.
Traps : Enabled
Log : Enabled
Limit value : 1%
CPU Resources Test
Period : 10 sec.
Traps : Enabled
Log : Enabled
Limit value : 75%
RAM Resources Test
Period : 30 sec.
Traps : Enabled
Log : Enabled
Limit value : 1000KB
FLASH Resources Test
Period : 60 sec.
Log : Enabled
Laser Management Test

: Disabled
Page 33
Example 2
Display a summary of enabled indicators:
device-name #show monitor brief
Power Supply Test : Period 60 sec.
Fan Test : Period 60 sec.
Temperature Test : Period 20 sec.
Port Statistics Test : Period 10 sec.
CPU Resources Test : Period 10 sec.
RAM Resources Test : Period 30 sec.
FLASH Resources Test : Period 60 sec.
Laser Management Test : Disabled
Example 3
Display the temperature indicator: settings:
device-name#show monitor temperature
Period : 20 sec.
Traps : Enabled
Log : Enabled
Temperature limit : 55C
Displaying a Specific Indicator’s Monitoring Settings

The show command displays the monitoring settings of a specific indicator (see also the
show monitor command above).
CLI Mode: Monitoring Configuration
Command Syntax
device-name(config monitor INDICATOR)#show
Example:
device-name(config monitor cpu-usage)#show
Period : 10 sec.
Traps : Enabled
Log : Enabled
Limit value : 75%
Page 34
CPU Usage Monitoring
In the following example, CPU usage monitoring is enabled and configured with both limit and
delta commands.
1. Enable CPU usage monitoring:
device-name(config)#monitor cpu-usage enable
2. Enter the CPU Monitoring Configuration mode:

device-name(config)#monitor cpu-usage
3. Display the CPU usage monitoring settings:

device-name(config cpu-usage)#show
Period : 10 sec.
Fault LED : Enabled
Traps : Enabled
Log : Enabled
Limit value : 75%
4. Define the CPU usage limit value to 5%:

device-name(config monitor cpu-usage)#limit 5
5. Define the delta to 1%:

device-name(config monitor cpu-usage)#delta 1 greater
device-name(config monitor cpu-usage)#end
6. Display the CPU usage monitoring settings:

device-name#show monitor cpu-usage
Period : 10 sec.
Fault LED : Enabled
Traps : Enabled
Log : Enabled
Limit value : 5%
Delta value : 1%
Notify on delta if criteria greater than limit
7. Display the CPU usage monitoring on the CLI console and store the information in the
NVRAM history table:
device-name(config)#log cli-console trap debugging
device-name(config)#log nvram-history trap errors
Page 35
The traps are displayed on the CLI console:

tHiSwMonitr: CPU Usage BIST fail: 7(limit 5)
tHiSwMonitr: CPU usage delta: current 7
tHiSwMonitr: CPU Usage BIST OK: 5(max 7)
tHiSwMonitr: CPU Usage BIST fail: 6(limit 5)
tHiSwMonitr: CPU Usage BIST OK: 5(max 7)
RAM Usage Monitoring

In the following example, RAM usage monitoring is enabled and configured with period, limit,
and delta commands.
8. Enable RAM usage monitoring:
device-name(config)#monitor ram-usage enable
9. Enter the RAM Monitoring Configuration mode:

device-name(config)#monitor ram-usage
10. Display the RAM usage monitoring settings:

device-name(config monitor ram-usage)#show
Period : 30 sec.
Fault LED : Enabled
Traps : Enabled
Log : Enabled
Limit value : 1000Kb
11. Define the RAM usage limit value to 10:

device-name(config monitor ram-usage)#limit 10
12. Define the delta to 3 KB:

device-name(config monitor ram-usage)#delta 3 less
13. Define the monitoring interval to 5 seconds:

device-name(config monitor ram-usage)#period seconds 5
device-name(config monitor ram-usage)#end
14. Display the RAM usage monitoring settings:

device-name#show monitor ram-usage
Period : 5 sec.
Fault LED : Enabled
Traps : Enabled
Log : Enabled
Limit value : 10Kb
Delta value : 3Kb
Notify on delta if criteria less than limit
Page 36
15. Display the RAM usage monitoring on the CLI console and store the information in the

tHiSwMonitr: RAM Usage BIST fail: 166424Kb (limit 170450Kb)
tHiSwMonitr: RAM Usage BIST OK: 196424Kb (min 196424Kb)
Flash Usage Monitoring

In the following example, Flash usage monitoring is enabled and configured with period, limit,
and delta commands.
16. Enable Flash usage monitoring:
device-name(config)#monitor flash-usage enable
17. Enter the Flash Monitoring Configuration mode:

device-name(config)#monitor flash-usage
18. Display the Flash usage monitoring settings:

device-name(config monitor flash-usage)#show
Period : 60 sec.
Fault LED : Enabled
Traps : Enabled
Log : Enabled
19. Define the Flash usage limit:

device-name(config monitor flash-usage)#limit 15669824
20. Define the delta to 3 KB:

device-name(config monitor flash-usage)#delta 3 less
21. Define the monitoring interval to 5 seconds:

device-name(config monitor flash-usage)#period seconds 5
device-name(config monitor flash-usage)#end
22. Display the Flash usage monitoring settings:

device-name#show monitor flash-usage
Period : 5 sec.
Log : Enabled
Limit value : 10Kb
Delta value : 3Kb
Notify on delta if criteria less than limit
Page 37
23. Display the Flash usage monitoring on the CLI console and store the information in the

tTMSApp:FLASH Usage BIST fail: 14326KB 47% (limit 15669824KB 51420%)
device-name(config monitor flash-usage)#no limit
device-name(config monitor flash-usage)#
tTMSApp:FLASH Usage BIST OK: 14326KB 47% (min 14326KB 47%)
Page 38
Laser Management
Laser Management is a feature used for monitoring optical SFP transceivers’ operational-
parameters. This feature is based on the enhanced digital-diagnostic interface, described in SFF-
8472 specification.
Using this method you can monitor parameters such as received optical power, transmitter (Tx) and
receiver (Rx) output power, and transceiver temperature. In addition you can configure high/low
monitoring thresholds and receive notification in case these thresholds are crossed.
Laser Management Default Configuration

Table 12: Laser Management Default Configuration
Periodic Laser Management monitoring Disabled

Polling period 20 seconds
LED alert Enabled
Trap alert Enabled
Logging alert messages Enabled
High temperature threshold 85 C
Low temperature threshold -45 C
High Rx power threshold -7 dBm
Low Rx power threshold -32 dBm
High Tx power threshold -5 dBm
Low Tx power threshold -16 dBm
Page 39
Laser Management Configuration Flow
Start
Enable Laser Management monitoring
(Optional) define the polling interval
(optional) Select the alert type(s):

log alert, LED alert, or SNMP Trap
(Optional) Define the port temperature threshold
(Optional) Define the port Tx Power threshold
(Optional) Define the port Rx Power threshold
End
Figure 2: Laser Management Configuration Flow
Page 40
Laser Management Commands

Table 13: Laser Management Configuration Commands
Command Description
monitor laser Enables Laser Management monitoring and enters the Laser
Monitoring Configuration mode (see Enabling Laser Management
and Entering the Laser Monitoring Mode)
enable Enables periodic Laser Management monitoring (see Enabling
Periodic Laser Management)
disable Disables periodic Laser Management monitoring (see Disabling
the Periodic Laser Management)
Table 14: Laser Management Optional Commands

Command Description
default Restores the Laser Management monitoring configuration to its

default settings (see Restoring the Default Laser Management
Configuration)
period Defines the Laser Management monitoring polling intervals (see
Defining the Laser Management Polling Intervals)
log Enables alert notification logging for Laser Management
monitoring (see Enabling Laser Management Log-Alert
Notification)
status-led Enables LED-alert notifications for Laser Management monitoring
(see Enables Laser Management LED-Alert Notification)
trap Enables SNMP trap notifications for Laser Management monitoring
(see Enabling Laser Management SNMP Trap Notification)
temperature-threshold Defines a specified port(s) temperature threshold (see Defining the
Port(s) Temperature Threshold)
tx-power-threshold Defines a specified port(s) Tx power threshold (see Defining the
Port(s) Tx Power Threshold)
rx-power-threshold Defines a specified port(s) Rx power threshold (see Defining the
Port(s) Rx Power Threshold)
Table 15: Laser Management Display Commands

Command Description
show monitor Displays the Laser Management monitoring settings (refer to

Displaying the Laser Management Settings)
show laser Displays current values of laser-related metrics (see Displaying the
Port(s) Laser Settings)
Page 41
Enabling Laser Management and Entering the Laser Monitoring

Mode
The monitor laser command enables Laser Management monitoring and enters the Laser
Monitoring Configuration mode.

Laser monitoring is disabled by default.
Command Syntax
device-name(config)#monitor laser {enable | disable}
device-name(config monitor laser)#
enable Enables laser monitoring
disable Disables laser monitoring
Enabling Periodic Laser Management

The enable command enables periodic Laser Management monitoring.
Command Syntax
device-name(config monitor laser)#enable
Disabling the Periodic Laser Management

The disable command disables periodic Laser Management monitoring.
Command Syntax
device-name(config monitor laser)#disable
Page 42
Restoring the Default Laser Management Configuration

The default command restores the Laser Management monitoring configuration to its default
settings.
Command Syntax
device-name(config monitor laser)#default
Defining the Laser Management Polling Intervals

The period command defines the Laser Management polling intervals.

The default Laser Management polling interval is 20 seconds.
Command Syntax
device-name(config monitor laser)#period {hour | minutes | seconds} <value>
device-name(config monitor laser)#no period
hour Sets the interval in hour units
minutes Sets the interval in minute units
seconds Sets the interval in second units
value The interval value. The valid values are:
• <1–24> hours
• <1–1440> minutes
• <1–86400> seconds
Example
device-name(config monitor laser)#period minutes 100
Page 43
Enabling Laser Management Log-Alert Notification

The log command enables alert notification logging for Laser Management. When this option is
enabled, an alert message is written to the log and history files when a measured value crosses the
configured limit value.

Log-alert notification is enabled by default
Command Syntax
device-name(config monitor laser)#log {enable | disable}
enable Enables alert notification logging
disable Disables alert notification logging
Enables Laser Management LED-Alert Notification

The status-led command enables LED-alert notifications for Laser Management. When this
option is enabled, the device STS LED starts blinking when a measured value crosses the
configured limit value.

LED alert notification is enabled by default.
Command Syntax
device-name(config monitor laser)#status-led {enable | disable}
enable Enables LED-alert notification
disable Disables LED-alert notification
Page 44
Enabling Laser Management SNMP Trap Notification

The trap command enables SNMP trap notifications for Laser Management. When this option is
enabled, an SNMP trap is generated when a measured value crosses the configured limit value.

SNMP trap notification is enabled by default.
Command Syntax
device-name(config monitor laser)#trap {enable | disable}
enable Enables SNMP trap notification
disable Disables SNMP trap notification
Defining the Port(s) Temperature Threshold

The temperature-threshold command defines a specified port(s) temperature threshold.
Command Syntax
device-name(config monitor laser)#temperature-threshold {high | low} <VALUE>
[PORT-LIST]
device-name(config monitor laser)#no temperature-threshold {high | low} [PORT-
LIST]
high Defines the high temperature threshold
85 C
low Defines the low temperature threshold
-40 C
VALUE The temperature threshold value, with an accuracy range of 1 C
• UU—all ports on a specified unit
• UU/SS—all ports on a specified slot
• A hyphenated range of ports (for example: 1/2/1–1/2/2 or 1/1–1/2)
• Several port numbers and/or ranges, separated by commas
(for example: 1/1/1, 1/2/1–1/2/2, 1/3/1)
NOTE
Do not leave blank spaces before or after the comma
separating sequential lists.
Page 45
Defining the Port(s) Tx Power Threshold

The tx-power-threshold command defines a specified port(s) Tx power threshold.
Command Syntax
device-name(config monitor laser)#tx-power-threshold {high | low} <VALUE>
[PORT-LIST]
device-name(config monitor laser)#no tx-power-threshold {high | low} [PORT-
LIST]
high Defines the Tx power high threshold
-5 dBm
low Defines the Tx power low threshold
-16 dBm
VALUE The Tx power threshold value
(for example: 1/1/1, 1/2/1–1/2/2, 1/3/1)
NOTE
Page 46
Defining the Port(s) Rx Power Threshold

The rx-power-threshold command defines a specified port(s) Rx power threshold.
Command Syntax
device-name(config monitor laser)#rx-power-threshold {high | low} <VALUE>
[PORT-LIST]
device-name(config monitor laser)#no rx-power-threshold {high | low} [PORT-
LIST]
high Defines the Rx power high threshold
-7 dBm
low Defines the Rx power low threshold
-32 dBm
VALUE The Rx power threshold value
(for example: 1/2/1–1/2/2 or 1/1–1/2)
• Several port numbers and/or ranges, separated by commas (for
example: 1/1/1, 1/2/1–1/2/2, 1/3/1).
NOTE
Page 47
Displaying the Laser Management Settings

The show monitor laser command displays the Laser Management settings.
Command Syntax
device-name#show monitor laser
Example
device-name#show monitor laser
Laser Management Test
Period : 20 sec.
Fault LED : Enabled
Traps : Enabled
Log : Enabled
Temperature Limit :
Default: -45C..85C
1/2/2: -35C..90C
Tx-Power Limit :
Default: -16dBm..-5dBm
1/2/4: -13dBm..-5dBm
Rx-Power Limit :
Default: -32dBm..-7dBm
1/2/4: -13dBm..-7dBm
Displaying the Port(s) Laser Settings

The show laser command displays the defined laser-related settings.
Command Syntax
device-name#show laser [PORT-LIST]
Page 48
(for example: 1/1/1, 1/2/1–1/2/2, 1/3/1).
NOTE
Page 49
Example 1
device-name#show laser
Port 1/2/1
Temperature : 30C
Tx-Power : -10dBm
Rx-Power : -9dBm
Port 1/2/2
Temperature : 30C
Tx-Power : -10dBm
Rx-Power : -9dBm
Example 2
device-name#show laser 1/2/1
Port 1/2/1
Temperature : 30C
Tx-Power : -10dBm
Rx-Power : -9dBm
Page 50
Virtual Cable Testing (VCT)

VCT is a transceiver feature that utilizes time domain reflectometry to diagnose cable and link
problems.
For proper VCT results, you must use the following physical attachments:
Cable Pair Attaches to Pin Pair
Pin 1, 2 (1, 2) or (2, 1) or (3, 6) or (6, 3)

Pin 3, 6 (3, 6) or (6, 3) or (1, 2) or (2, 1)
For example, you cannot attach pin pair (1, 2) to pins (3, 4).
Possible Test Results

The possible command outputs are:
• Normal—no problems are detected along the cable
• Impedance Mismatch—different types of cables are attached to one another
• Open at X meters—the pair is open
• Short at Y meters—a short circuit is detected on the pair
• Test failed—the test failed for the specific pair
• Test not supported on specific port—the port does not support VCT
Initiating VCT on a Port

The vct-run command initiates VCT on a specific port.
Command Syntax
device-name#vct-run {UU/SS/PP | full-device}
UU/SS/PP The port on which VCT is performed
full-device Performs VCT on all ports
Example 1
device-name#vct-run 1/1/1
Port will be disabled during the test. Are you sure?(y/n):y
%This port does not support VCT.
Page 51
Example 2
VCT test running. Please wait to gather available data ...
Test result (Distance accuracy 2m):

Pins 1,2: Normal - Cable Length is unknown.
Example 3

Pins 1,2: Open at 1m.
Example 4
device-name#vct-run full-device
The test will disable all ports on device. Are you sure?(y/n):y

Port: 1/1/1
Port: 1/1/2
Port: 1/2/1
Port: 1/2/2
Port: 1/2/3
Page 52

Port: 1/2/4
Port: 1/2/5
Port: 1/2/6
Port: 1/2/7
Port: 1/2/8
Page 53
Port Mirroring (Port Monitoring)

Port Mirroring is a method for monitoring network traffic. Port mirroring forwards all the data
transmitted and received by a port to a different location where it can be examined. The port
monitoring the traffic has to be connected to a Network Analyzer or RMON probe for packet
analysis.
There are two methods of Port Mirroring:
• Local Port Mirroring copies packets passing through one or more ports (source ports) of a device to
the monitor port (destination port). In this case, both the source ports and destination port are
located on the same device.
Figure 3: Local Port Mirroring
• Remote Port Mirroring copies packets passing through the source port(s) to a destination port on
a different device.
Figure 4: Remote Port Mirroring
A monitor session includes the following traffic types:

• Receive (Rx, ingress monitoring)—the destination port receives a copy of the packets transmitted to
the source port, before the source device modifies or processes them.
• Transmit (Tx, egress monitoring)—the destination port receives a copy of the packets transmitted
by the source port, after the source device modifies and processes them.
NOTE
In egress monitoring, the packets are forwarded to the destination port before
the source port changes the packets’ 802.1q header. Therefore, the packets
transmitted to the destination port may differ from the packets sent out by the
source port.
Page 54
Source Port Characteristics

The T-Marc 300 Series device can monitor egress traffic, ingress traffic, or both simultaneously.
• The device supports up to eight source ports, when monitoring egress traffic.
• The device can monitor any port type such as Fast Ethernet, Gigabit Ethernet, and link-
aggregation group.
• The source port cannot be a destination port.
• Source ports can be in the same or different VLANs.
Destination Port Characteristics

The destination port:
• must reside on the same device as the source port (for a local monitor session)
• can be any physical Ethernet port
• cannot be a source port
• can participate in only one monitor session at a time (it cannot be a destination port for a
second monitor session)
• does not transmit any traffic except the traffic required for the monitoring session
• is limited to its capacity: any traffic exceeding the port’s capacity is dropped
Port Monitoring Defaults

Table 16: Port Monitoring Default Configuration
Monitor session Disabled
Port Monitoring Commands

Table 17: Monitor Session Commands
Command Description
monitor session Initiates a monitor session (see Initiating a Monitor Session)

show monitor session Displays the monitor session configuration (see Displaying a
Monitor Session)
Page 55
Initiating a Monitor Session

The monitor session command initiates a new monitor session.
Command Syntax
device-name(config)#monitor session {tx | rx} {destination interface UU/SS/PP
| source interface PORT_LIST}
device-name(config)#no monitor session {tx | rx}
tx The session monitors egress traffic
rx The session monitors ingress traffic
destination The destination port (monitoring port)
interface UU/SS/PP
source interface Configures the source port(s)
PORT_LIST List of source ports, separated by commas. Use hyphens to indicate
a port range (for example, 1/1/1–1/1/2, 1/2/2)
no Removes the monitor session
Displaying a Monitor Session

The show monitor session command displays the monitor session information
Command Syntax
device-name(config)#show monitor session
Example
device-name(config)#monitor session tx destination interface 1/1/1
device-name(config)#monitor session tx source interface 1/1/2
device-name#show monitor session
====================================================
Monitor |Destination | Source | Monitored Source
----------+------------+---------+------------------
Transmit | port 1/1/1 | ports | 1/1/2
Receive |
Page 56
In the following example port 1/2/1 mirrors the traffic on ports 1/1/1 and 1/1/2. The port
monitors both Rx and Tx traffic.
Figure 5: Monitor-Session Configuration Example
24. Define the destination port for both Rx and Tx:

device-name(config)#monitor session rx destination interface 1/2/1
device-name(config)#monitor session tx destination interface 1/2/1
25. Define the source ports:

device-name(config)#monitor session rx source interface 1/1/1
device-name(config)#monitor session tx source interface 1/1/2
26. Display the monitor session configuration:

device-name#show monitor session
====================================================
Monitor |Destination | Source | Monitored Source
----------+------------+---------+------------------
Transmit | port 1/2/1 | ports | 1/1/2
Receive | port 1/2/1 | ports | 1/1/1
Page 57
Iometrix Loopback and Logical Services Loopback

(LSL)
Iometrix Loopback
The Iometrix loopback feature performs quality-of-service measurements over IP and Carrier
Ethernet networks by looping measurement packets back to the sending device.
This feature works with specific Iometrix MAC addresses (it does not process packets containing
multicast or broadcast source MAC addresses).
The Iometrix measurement packet is dropped if:
• the source MAC address is non-unicast or equal to the default MAC address
(00:30:79:FF:FF:FF)
• the source MAC address does not begin with 00:30:79
• an Iometrix measurement packet arrives on a port on which Iometrix loopback is disabled
The device can continue receiving and transmitting normal data frames while Iometrix loopback is
enabled.
LSL
LSL provides end-to-end service-level verification across multiple providers to support individual
service level agreements. LSL extracts the source MAC address from the incoming loopback frame
and modifies the incoming frame by using the extracted source address as the destination address.
The device can continue receiving and transmitting normal data frames while LSL is enabled.
BiNOS utilizes hardware-based Iometrix loopback and LSL, ensuring wire-speed reply from these
tests.
Page 58
Iometrix Loopback and LSL Default Configuration

Table 18: Iometrix and LSL Loopbacks Default Configuration
Iometrix Loopback Disabled

Iometrix measurement packets Not captured
Iometrix destination MAC address 00:30:79:FF:FF:FF
LSL Disabled
LSL destination MAC address The device MAC address+ 12.
12 is added only to the last byte of the MAC address.
For example if the device MAC is 00:a0:12:b0:b0:b0,
the default LSL destination MAC address is
00:a0:12:b0:b0:bc.
Iometrix Loopback and LSL Commands

Table 19: Iometrix Loopback commands
Command Description
iometrix Enables the process of sending of Iometrix loopback packets on a

port/LAG (see Enabling Iometrix Loopback)
show iometrix Displays the Iometrix status configuration (see Displaying a
Port/LAG Iometrix )
Table 20: LSL commands

Command Description
lsl Configures the process of sending LSL measurement packets (see

Enabling LSL on a Port/LAG)
lsl loopback Specifies a destination MAC address used to verify if the
destination-mac processed packets should be looped back to their origin port after
MAC swapping (see Configuring the LSL Destination MAC
Address)
show lsl Displays the LSL status configuration (see Displaying the LSL
Configuration)
Page 59
Enabling Iometrix Loopback on a Port/LAG

The iometrix command enables the Iometrix loopback feature on a specific port or LAG. Once
enabled, the port/LAG is able to loopback Iometrix packets received.
CLI Mode: Interface Configuration, LAG Interface Configuration

The Iometrix loopback feature is disabled by default.
Command Syntax
device-name(config–if UU/SS/PP)#iometrix {enable | disable}
device-name(config–if AG0N)#iometrix {enable | disable}
enable Enables Iometrix loopback
disable Disables Iometrix loopback
Example
device-name(config–if 1/1/1)#iometrix enable
device-name(config-if AG01)#iometrix disable
Displaying a Port/LAG Iometrix Configuration

The show iometrix command displays the Iometrix configuration on a specified port or LAG.
NOTE
Do not remove the CPU from the VLAN used by Iometrix and LSL. The port should
participate as a tagged/untagged member of the default VLAN that is configured on
that port. The looped back packets egress the port with/without tag (depending on
the port configuration: tagged in case the port is a tagged member of the default
VLAN or untagged in case the port is an untagged member of the default VLAN).
Command Syntax
device-name#show iometrix {UU/SS/PP | ag0N}
UU/SS/PP (Optional) the port number
agON (Optional) the LAG ID, in the of range <1–7>
Page 60
Example 1
device-name#show iometrix
======================
|Interface | Status |
======================
|1/1/1 | Enabled |
|1/1/2 | Disabled |
|1/2/1 | Disabled |
...
|1/2/8 | Disabled |
|AG01 | Disabled |
|...
|AG07 | Disabled |
Example 2
device-name#show iometrix 1/1/1
======================
======================
|1/1/1 | Enabled |
Enabling LSL on a Port/LAG

The lsl command enables LSL on a specific port or LAG. Once enabled, the port/LAG is able to
loopback LSL packets.
CLI Mode: Interface Configuration, LAG Interface Configuration

LSL is disabled on the ports and the device does not loopback LSL packets by default.
Command Syntax
device-name(config–if UU/SS/PP)#lsl {enable | disable}
device-name(config–if AG0N)#lsl {enable | disable}
enable Enables LSL
disable Disables LSL
Example
device-name(config–if 1/1/1)#lsl enable
device-name(config-if AG01)#lsl disable
Page 61
Configuring the LSL Destination MAC Address

The lsl loopback destination-mac command configures a destination MAC address used for
LSL packets.
Command Syntax
device-name(config)#lsl loopback destination-mac {MM:MM:MM:MM:MM:MM | default}
MM:MM:MM:MM:MM:MM The destination multicast MAC address
default The device MAC address+ 12.
12 is added only to the last byte of the MAC address. For example if
the device MAC is 00:a0:12:b0:b0:b0, the default LSL destination
MAC address is 00:a0:12:b0:b0:bc.
Example
device-name(config)#lsl loopback destination-mac 01:00:11:22:33:44
Displaying the LSL Configuration

The show lsl command displays the LSL configuration on a specified port or LAG.
Command Syntax
device-name#show lsl {UU/SS/PP | ag0N}
ag0N (Optional) the LAG ID, in the of range <1–7>
Page 62
Example 1
device-name#show lsl
Destination MAC: 01:00:11:22:33:44
======================
======================
|1/1/1 | Enabled |
|1/1/2 | Disabled |
|1/2/1 | Disabled |
...
|1/2/8 | Disabled |
|AG01 | Disabled |
...
|AG07 | Disabled |
Example 2
device-name#show lsl 1/1/1
Destination MAC: 01:00:11:22:33:44
======================
======================
|1/1/1 | Enabled |
Page 63
Network Loopback Tester

Network Loopback Tester is a network troubleshooting mechanism for diagnosing network
failures. This mechanism loops back traffic permitted by a specified ACG. By comparing the
transmitted packets to the looped back packets you can evaluate the integrity of the equipment or
transmission path.
NOTE
You can enable this mechanism only on ports or LAGs with an already configured
ACG.
Network Loopback Tester Commands

Table 21: Network Loopback Tester Commands
Command Description
network-loopback- Configures Network Loopback Tester on a specified port or LAG

tester (see Configuring Network Loopback Tester on a Port/LAG)
show network- Displays the Network Loopback Tester configuration for the
loopback-tester specified port or LAG (see Displaying Network Loopback Tester)
Configuring Network Loopback Tester on a Port/LAG

The network-loopback-tester command configures Network Loopback Tester on a specified
port or LAG.
Command Syntax
device-name(config)#network-loopback-tester {UU/SS/PP | ag0N} access-group
<acl-number> [time <seconds>]
device-name(config)#no network-loopback-tester {UU/SS/PP | ag0N} access-group
<acl-number>
UU/SS/PP The port number
ag0N The LAG ID, in the of range <1–7>
access-group The ACL number (for detailed information, refer to the Configuring Access
<acl-number> Control Lists (ACLs) chapter).
Traffic permitted by this condition is looped back through the port/LAG.
time (Optional) the period of time the tests is enabled, in the range of <1–100000>
<seconds> seconds
Page 64
Displaying Network Loopback Tester

The show network-loopback-tester command displays the Network Loopback Tester
configuration for a specified port or LAG.
Command Syntax
device-name#show network-loopback-tester [UU/SS/PP | ag0N]
ag0N (Optional) the LAG ID, in the of range <1–7>
Example
device-name#show network-loopback-tester
Network Loopback Tester:
interface 1/2/1
Access Control Group: 401
Test Duration: 12s
Start Duration: 15:11:12
End Duration: 15:11:24
Page 65
device-name(config-if 1/1/1 acg 400)#rate-limit single-rate 100k 128k exceed-
action mark-yellow
device-name(config-if 1/1/1 acg 402)#rate-limit single-rate 512K 8K
device-name(config)#network-loopback-tester 1/1/1 access-group 400 time 20

interface 1/1/1
rate-limit single-rate 100K 128K exceed-action mark-yellow
device-name#show network-loopback-tester
Network Loopback Tester:
interface 1/1/1
Access Control Group: 400
Test Duration: 20s
Start Duration: 12:25:37
End Duration: 12:25:57
Page 66
Watchdog Features
Watchdog is a feature used to monitor the performance of a set of tasks/processes to ensure their
proper functionality.
The Watchdog feature also triggers several automated actions in order to correct malfunctioning
monitored tasks/processes.
Watchdog integrates three features:
• Reset-Loop Detection—detects and stops a reset-loop. A reset-loop is a condition where the
software causes the device to reset. However since this software is configured to start
automatically upon the device startup, it causes the device to reset again.
• SNMP Request Failure Detection—monitors the timing and validity of SNMP requests,
resetting the device when detecting a failure in receiving SNMP requests.
• CPU Task Suspension Detection—monitors suspended (interrupted) CPU tasks and issues
log notifications whenever a CPU task is suspended.
Watchdog Default Configuration

Table 22: Watchdog Default Configuration
Reset-Loop Detection Disabled

SNMP Request Failure Detection Disabled
CPU Task Suspension Detection Disabled
Watchdog Commands
Table 23: Watchdog Configuration Commands
Command Description
service sw-watchdog Enters the Watchdog Configuration mode (see Entering the
Watchdog Configuration Mode)
sw-watchdog system Configures Reset-Loop Detection (see Configuring Reset-Loop
reset-loop Detection)
sw-watchdog system Configures SNMP Request Failure Detection (see Configuring
snmp-request-reset SNMP Request Failure Detection)
sw-watchdog task- Configures CPU Task Suspension Detection (see Configuring
suspension CPU Task Suspension Detection)
Page 67
Table 24: Watchdog Display Command

Command Description
show sw-watchdog Displays the Watchdog configuration (see Displaying the

Watchdog Configuration)
Entering the Watchdog Configuration Mode

The service sw-watchdog command enters the Watchdog Configuration mode.
Command Syntax
device-name(config)#service sw-watchdog
device-name(sw-watchdog)#
Configuring Reset-Loop Detection

The sw-watchdog system reset-loop command configures the Reset-Loop Detection feature.
When the Watchdog detects a reset-loop, it disables the device LAN ports except for the one
configured as the maintenance port. In addition it logs a notification in the NVRAM.
The Watchdog identifies a reset-loop when the device resets more than 3 times within a specified
time period.
CLI Mode: Watchdog Configuration

Reset-Loop Detection is disabled by default.
Command Syntax
device-name(sw-watchdog)#sw-watchdog system reset-loop <time> interface
UU/SS/PP
device-name(sw-watchdog)#no sw-watchdog system reset-loop
time The Reset-Loop Detection time period, in the range of <30–1500>
seconds.
interface The selected maintenance port
UU/SS/PP
no Disables Reset-Loop Detection
Example
The following command configures port 1/1/1 as the maintenance port and the Reset-Loop
Detection time to 30 seconds:
device-name(sw-watchdog)#sw-watchdog system reset-loop 30 interface 1/1/1
Page 68
Configuring SNMP Request Failure Detection

The sw-watchdog system snmp-request-reset command enables and configures SNMP
Request Failure Detection.
NOTE
Enable this feature only if the SNMP server is configured to send periodic requests.
Otherwise, the Watchdog interprets the lack of SNMP requests as an SNMP request
failure and resets the device repeatedly (thus causing a reset-loop).

SNMP Request Failure Detection is disabled by default.
Command Syntax
device-name(sw-watchdog)#sw-watchdog system snmp-request-reset <time>
device-name(sw-watchdog)#no sw-watchdog system snmp-request-reset
time The SNMP request failure timeout, in the range of <5–360> minutes, after which
the device is reset if no valid SNMP request is received.
no Disables SNMP Request Failure Detection
Configuring CPU Task Suspension Detection

The sw-watchdog task-suspension command enables the monitoring of suspended CPU tasks
and logs notifications to the NVRAM upon detecting a suspended task.

CPU Task Suspension Detection is disabled by default.
Command Syntax
device-name(sw-watchdog)#[no] sw-watchdog task-suspension {all | TASK-NAME}
all All CPU tasks are monitored.
TASK-NAME A specified CPU task name (see the table below for the list of tasks)
NOTE
You can loop up the list of task-names by using the task
command in the Show System mode.
no Disables CPU Task Suspension Detection
Page 69
Table 25: CPU Tasks

all intSched0 mTrAging tAlarmTask
tAppUpgradeMgmt tCPUIdleCapt tCfmMaster tCfmMonitor
tCliUart tDYINGGASPTMP tDelayReload tDhcpcd
tDot3ahMain tEPAppd tElmiMain tEps
tExcTask tFPGA_app tFdb tGARPRecv
tGARPTimer tGARPTx tHiSwMonitr tHistoryF
tIgSnoop tIomxTask tKernel tL2TunTask
tLacTimer tLacp tLldpTask tLogCatch
tLogNew tMefoamMain tMfib tMfibTimer
tMonCPUIdle tMstPIM tMstPRT tMstPRX
tMstPTX tNVDB tNetTask tNvlTask
tPLDTest tPTP_app tPortPoll tQoSTask
tRmon tRmonAlrm tRmonHist tRmonTimer
tRtrd tSFPManTask tSecTask tSendArpTask
tServiceManager tSnmpd tSnoop tSpanPIM
tSpanPPM tSpanPRS tSpanPRT tSpanPST
tSpanPTX tSpanRecv tSpanTCM tSpanTimer
tTMSApp tTelnetd tTffsPTask tTimesync
tTmsOemTrap tTxTask tWdbTask tpssEvents
Example
To configure monitoring of the tRmon task:
device-name(sw-watchdog)#sw-watchdog task-suspension tRmon
tRmon_Susp added to watchdog
Displaying the Watchdog Configuration

The show sw-watchdog command displays the watchdog configuration.
Command Syntax
device-name#show sw-watchdog
Example
device-name#show sw-watchdog
Watch Dog Objects status
===========================================
| No | Object | STATUS |
===========================================
|1 | Memory| OK|
|1 | tRmon_Susp| FAILED|
Page 70
Diagnosing Connectivity Issues

The T-Marc 300 Series offers the below utilities for troubleshooting network-connectivity issues:
• PING
• Traceroute
Packet Internet Groper (PING)

PING verifies Internet connectivity at the IP level. It sends an Internet Control Message Protocol
(ICMP) echo request to a specified IP address and waits for one of the below ICMP responses:
• Normal response—the device is alive and replies within 1–10 seconds, depending on the network
traffic.
• Destination does not respond—if the device does not respond in the above interval, a no-answer
message is returned.
Example: Reachable Device

device-name#ping 11.0.91.201
Sending 5, 100-byte ICMP Echoes to 11.0.91.201, timeout 2 sec, delay 0 sec:
Press Esc for break
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/1/5 ms
Example: Unreachable Device

device-name#ping 11.0.91.209
Press Esc for break
.....
Success rate is 0 percent (0/5), round-trip min/avg/max = 0/0/0 ms
Page 71
Traceroute
Traceroute sends ICMP echo packets with increasing Time-to-Live (TTL) values to the destination.
When a device receives an ICMP echo packet with TTL value of 1 or 0, it drops the packet and
sends a time-to-live-exceeded message to the sender. Traceroute uses this mechanism for determining
the route to the destination:
It starts by sending an ICMP echo (PING) to the destination device, setting its TTL value to 1,
receiving a time-to-live-exceeded message from the next hop.
To identify the next hop, Traceroute sends another PING, setting its TTL value to 2. The first
device reached decreases the TTL field by 1 and sends the PING to the next device. This device
discards the PING (identifying a TTL value of 1) and returns a time-to-live-exceeded message to the
source.
This process continues until the TTL is incremented to a value large enough for the PING to reach
the destination device (or until reaching the maximum TTL). When the PING reaches the
destination device, it returns an ICMP Echo Reply back to the sender.
Page 72
Connectivity-Troubleshooting Defaults
Table 26: Connectivity-Troubleshooting Default Configuration
Traceroute TTL 64
Traceroute timeout 2 seconds
Ping delay Immediately
Ping packet length 100
Ping number of echo packets to send 5
Ping timeout 2 seconds
Connectivity-Troubleshooting Commands
Table 27: Connectivity Diagnostics Commands
Command Description
ping Pings a remote device (see Pinging a Device)

traceroute Traces the data-packets’ route to their destination IP address (see
Executing Traceroute)
Page 73
Pinging a Device
The ping command pings a remote device.
Command Syntax
device-name#ping A.B.C.D [delay <delay>] [length <length>] [number <number>]
[timeout <timeout>]
A.B.C.D The destination IP address
number <number> (Optional) the number of echo packets sent, in the range of
<1–2147483646>
5
timeout <timeout> (Optional) the timeout for receiving a response, in the range of
<1–600> seconds
2 seconds
delay <delay> (Optional) the delay between packets, in the range of <1–600>
seconds
immediately
length <length> (Optional) the size of the ICMP echo packets in the range of
<1–65535>
100
The command has two possible output characters:

• !—Each exclamation point indicates receiving a reply
• .—Each period indicates that the network-server timed out while waiting for a reply
Example
To send 5 pings of 80 bytes with a 30-second timeout for reply and a 20-second delay between
pings, type the following command:
device-name#ping 212.29.220.136 number 5 timeout 30 delay 20 length 80
Press Esc for break
!!!!!
Page 74
Executing Traceroute
The traceroute command traces the data-packets’ route to their destination IP address. The
command displays each device the packets go through until reaching the destination.
To stop the command's execution, press <ESC>.
Command Syntax
device-name#traceroute A.B.C.D [ttl <ttl>] [timeout <timeout>]
A.B.C.D The destination IP address
ttl <ttl> (Optional) the maximum number of devices the traceroute command
passes, in the range of <1–255>
64
timeout (Optional) the timeout for receiving responses, in the range of <1–600>
<timeout> seconds
2 seconds
Example
device-name#traceroute 192.118.82.140
1 : 10ms. 20ms. 10ms. – Hop [212.29.220.193]
2 : 50ms. 40ms. 40ms. – Hop [10.96.96.1]
3 : 60ms. 95ms. 95ms. – Hop [212.29.196.109]
4 : 60ms. 60ms. 100ms. – Hop [206.49.94.116]
5 : 225ms. 100ms. 220ms. – Hop [212.29.206.214]
6 : 60ms. 60ms. 55ms. – Hop [212.29.206.66]
7 : 60ms. 60ms. 60ms. – Hop [212.29.206.210]
8 : 60ms. 60ms. 65ms. – Hop [212.150.63.186]
9 : 80ms. 85ms. 80ms. – Hop [192.118.68.17]
10 : 65ms. 70ms. 70ms. – Target [192.118.82.140]
Page 75
Technical Support Information

Telco Systems provides special-purpose CLI commands in order to retrieve the devices' technical
information. You can then forward this information to Telco Systems technical support in order to
aid them in tracking and resolving issues that cause system failures.
These commands dump the required information on the screen. In addition, you can save the
commands output on a specified remote server.
Technical Support Commands

Table 28: Technical Support Commands
Command Description
tech-support Enters the Technical Support Configuration mode. This mode

includes a list of commands for displaying and extracting specific
technical support information (see Selecting the Extracted
Technical Support )
show tech-support Displays the selected technical-support parameters’ information
(see Displaying Technical Support Information)
copy tech-support Saves the tech-support file on a remote server (see Uploading the
upload-to Tech-Support File)
Selecting the Extracted Technical Support Information

The tech-support command enters the Technical Support Configuration mode. In this mode you
can select specific technical-support parameters that should be extracted when using this feature
(see the show tech-support command).
Command Syntax
device-name(config)#tech-support
device-name(tech-support)#
The parameters extraced by default are:

• task
• pend
• memory
• network stack system
• network arp
• cpu task
• flash
Page 76
Table 29: Available Technical-Support Parameters

Command Description
alias Creates a command alias (a short form of a command; for more

information, refer to the Using the Command Line Interface
chapter)
cpu CPU usage
cpu-cache The addresses in the CPU cache
no cpu-cache Disables CPU cache display
cpu task monitoring CPU monitoring for existing tasks
no cpu task Disables the display of CPU monitoring of existing tasks
monitoring
cpu task report Detailed CPU information for every task
no cpu task report Disables the display of detailed CPU information
flash The content of the Flash memory file system
network routing table Network routing-information
no network routing Disables network routing-information display
table
network connections The list of all active Internet protocol sockets in the application-
software kernel
no network Disables the display of the active Internet protocol sockets in the
connections application-software kernel
network arp The ARP table
no network arp Disables ARP table display
network stack system The application-software kernel network stack system pool
statistics
no network stack Disables the display of the application-software kernel network
system stack system pool statistics
network stack data Usage statistics of blocks and clusters in the application-software
kernel network data pool
no network stack data Disables the display of usage statistics of blocks and clusters in
the application-software kernel network data pool
memory The system-memory pool information, including the number of
blocks, and the size of free and allocated memory
no memory Disables the system-memory pool information display
pend Pending tasks detailed status
no pend Disables the display of pending tasks
task Running tasks’ information
no task Disables the running tasks display
quit Quits the Telnet session
reset Restores to technical support defaults values
show The current tech-support configuration
show mstp The MSTP configuration
Page 77
Command Description
show mstp disable Disables the MSTP configuration display

show rapid-spanning- The RSTP configuration and RSTP topology of all ports
tree
show rapid-spanning- Disables the RSTP configuration display
tree disable
show spanning-tree The STP configuration and STP topology of all ports
show spanning-tree Disables the STP configuration display
disable
show self-test The last BiST results
show self-test Disables the BiST display
disable
show configuration- The stored configuration history
history all
show configuration- Disables the stored configuration history display
history all disable
show log nvram- The stored log history
history
show log nvram- Disables the stored log history display
history disable
show ip route The IP routing table information
show ip route disable Disables the IP routing table information display
show ip arp The ARP table
show ip arp disable Disables the ARP table display
show interface link- The LAG configuration
aggregation
show interface link- Disables the LAG configuration display
aggregation disable
show interface The physical and aggregated interfaces statistics
statistics
show interface The physical and aggregated interfaces’ packet counters
statistics extended
show interface Disables the physical and aggregated interfaces’ packet counters
statistics extended display
disable
show interface Disables physical and aggregated interfaces statistics display
statistics disable
show mac-address- The MAC-address table contents
table
show mac-address- The user-configured and/or dynamically learned multicast MAC
table multicast addresses
show mac-address- Disables the multicast MAC address table display
table multicast
disable
show mac-address- Disables the MAC-address table contents display
table disable
Page 78
Command Description
show manufacturing- The device hardware information

details
show manufacturing- Disables the device hardware information display
details disable
show vlan The device VLAN configuration
show vlan disable Disables the device VLAN configuration display
show running-config The device running-configuration
show running-config Disables the device running-configuration display
disable
show startup-config The device startup-configuration
show startup-config Disables the device startup-configuration display
disable
no tech-support Disables the display of all configured technical support parameters
commands
Displaying Technical Support Information

The show tech-support command displays the selected technical-support parameters’
information.
Command Syntax
device-name#show tech-support
Example
device-name#show tech-support
It could take several minutes to complete the task. Please wait ...
Executing command cpu-cache
Output from cpu-cache :
Static MAC cache
Mcache
0 00:00:00:00:00:00 P=0, Vid=0, Age=00000000

1 00:00:00:00:00:00 P=0, Vid=0, Age=00000000
2 00:00:00:00:00:00 P=0, Vid=0, Age=00000000
3 00:00:00:00:00:00 P=0, Vid=0, Age=00000000
4 00:00:00:00:00:00 P=0, Vid=0, Age=00000000
5 00:00:00:00:00:00 P=0, Vid=0, Age=00000000
Page 79
6 00:00:00:00:00:00 P=0, Vid=0, Age=00000000

7 00:00:00:00:00:00 P=0, Vid=0, Age=00000000
8 00:00:00:00:00:00 P=0, Vid=0, Age=00000000
9 00:00:00:00:00:00 P=0, Vid=0, Age=00000000
10 00:00:00:00:00:00 P=0, Vid=0, Age=00000000
11 00:00:00:00:00:00 P=0, Vid=0, Age=00000000
12 00:00:00:00:00:00 P=0, Vid=0, Age=00000000
13 00:00:00:00:00:00 P=0, Vid=0, Age=00000000
14 00:00:00:00:00:00 P=0, Vid=0, Age=00000000
15 00:00:00:00:00:00 P=0, Vid=0, Age=00000000
16 00:00:00:00:00:00 P=0, Vid=0, Age=00000000
17 00:00:00:00:00:00 P=0, Vid=0, Age=00000000
18 00:00:00:00:00:00 P=0, Vid=0, Age=00000000
19 00:00:00:00:00:00 P=0, Vid=0, Age=00000000
Done
Uploading the Tech-Support File

The copy tech-support upload-to command saves the tech-support output file on a remote
server.
Command Syntax
device-name#copy tech-support upload-to A.B.C.D FILE-NAME
A.B.C.D The TFTP-server IP address
FILE-NAME The tech-support filename (located on the TFTP server)
Example
The following command uploads the tech-support output file to a new file named TECHSUP on
device-name#copy tech-support upload-to 192.168.30.1 TECHSUP
Page 80
Supported Platforms
BiST + +
CPU Utilization Commands + +
Periodic Monitoring + +
Laser Management + +
Port Mirroring + +
LSL and Iometrix Loopback + +
Network Loopback Tester + +
Watchdog + +
Diagnosing Connectivity Problems + +
Technical Support Information + +

BiST No standards are Private MIB, RFC 791, Internet Protocol

supported by this prvt_bist.mib DARPA Internet Program Protocol
feature. Specifications
CPU Utilization No standards are Private MIB, RFC 791, Internet Protocol
supported by this prvt_sys_mon.mib DARPA Internet Program Protocol
feature. Specifications
Periodic No standards are No MIBs are No RFCs are supported by this
Monitoring supported by this supported by this feature.
feature. feature
Laser No standards are Private MIB, RFC 791, Internet Protocol
Management supported by this prvt_sys_mon.mib DARPA Internet Program Protocol
feature Specifications
Port Mirroring No standards are No MIBs are No RFCs are supported by this
supported by this supported by this feature.
feature feature
LSL and No standards are No MIBs are No RFCs are supported by this
Iometrix supported by this supported by this feature.
Loopback feature feature
Network No standards are No MIBs are No RFCs are supported by this
Loopback supported by this supported by this feature.
Tester feature feature
Watchdog No standards are No MIBs are RFC 791, Internet Protocol
supported by this supported by this DARPA Internet Program Protocol
feature. feature Specifications
Page 81
Diagnosing No standards are Public MIB, RFC 791, Internet Protocol

Connectivity supported by this disman_ping.mib DARPA Internet Program Protocol
Problems feature. Specifications
Technical No standards are No MIBs are RFC 791, Internet Protocol
Support supported by this supported by this DARPA Internet Program Protocol
Information feature. feature Specifications
Page 82
Appendix B: Products Capabilities
Overview ······························································································· 2
Key Features ······················································································ 2
Main Features ····················································································· 3
Product Applications ················································································ 5
Technical Summary ················································································· 6
Page 1
Appendix B: Products Capabilities (Rev. 07)
Overview
The T-Marc 300 Series are comprised of the T-Marc 340 and T-Marc 380. These products are
compact, cost-effective, single/multi user Ethernet Demarcation Devices with full OAM
capabilities and support for MPLS Pseudowire LER.
The device operates using an internal AC or DC power supply, offering various power source
redundancy capabilities and may be installed as a table-top, wall, or rack mount.
Key Features
The T-Marc 300 Series devices offer the following features:
• One RJ45 connector for CLI configuration & device management
• 2 GE/FE Network Uplink Ports (1/1/1, 1/1/2)—two WAN uplink ports
• 4 GE/FE Access Ports (1/2/1–1/2/4)—four LAN access ports
• 4 GE/FE Access Ports (1/2/5–1/2/8)—four LAN access ports supported on T-Marc 380
only
• one internal AC or DC (-48V) power supply unit (PSU)
• Ethernet Transport & OAM for remote fault isolation and for end-to-end SLA monitoring
and verification:
Resiliency and link protection
Remote management and control
Fault isolation and diagnostics of network infrastructure and services
Ethernet services network demarcation unit
Advanced QoS with 802.1p and DSCP filtering/marking/re-marking 8 output queues per
port
Flexible 10/100/1000 Mbps Ethernet or 100BaseFX (via SFP) LAN/WAN interface
selection
• Ethernet Switching Support:
802.1Q support with full range of VLAN ID support
Port based VLAN
4K VLANs per IEEE 802.1q
MAC address table
Transparent LAN services (TLS) (VLAN stacking Q-in-Q)
802.3x (pause) flow control and backpressure
IEEE 802.3ad Link Aggregation
Page 2
Main Features
T-Marc 340 and T-Marc 380 features include:
• Ethernet Capabilities—For the delivery of enhanced Ethernet services, the devices support:
4K VLAN tags per IEEE 802.1q, VLAN stacking, IEEE 802.3x flow control, super
VLAN, and IEEE 802.3ad link aggregation.
IEEE 802.1ad formalizes the definition of Ethernet frames with multiple VLAN
tags. It also formally labels Customer VLANs (C-VLANs) and Service VLAN (S-
VLANs).
802.1ad Provider Bridging that adds a second 802.1Q VLAN tag into the Ethernet
packet. The customer’s IEEE 802.1Q VLAN tag is enveloped by the provider tag. A
service provider can then ignore the customer’s VLAN tag and only switch traffic based
upon the outer provider tag. Since the provider is tunneling the customer’s VLAN tag,
each customer is free to use its own bank of 4K VLAN IDs to separate traffic types and
classes within their network.
• OAM Tools—OAM is a family of standards providing reliable remotely-managed service-
assurance (SA) mechanisms for both the provider and customer networks, offering the ability
to perform automatic periodic network-wide service assurance and quality verifications. The
following OAM standards are supported:
802.3ah support (EFM-OAM): specifies the protocols and Ethernet interfaces for using
Ethernet over access links as a first-mile technology and transforming it into a highly
reliable technology.
802.1ag support (CFM-OAM): refers to the ability of a network to monitor the health of
an end-to-end service delivered to customers (as oppose to just links or individual
bridges).
SAA Throughput Test: describes the steps for configuring and executing unidirectional
and bi-directional throughput tests.
SAA: allows you to monitor the performance of network-hosted applications by
emulating the traffic of these applications.
EPS: is a method of protecting point-to-point Ethernet service connection over VLAN
transport networks, assuring traffic transport between the two service ends.
Event Propagation: allows users to configure automatic actions executed upon the
occurrence of specific events.
E-LMI application: is an OAM protocol enabling the CE to auto configure its support of
Metro Ethernet services
• Access Control Lists—allow network operators to define large numbers of QoS and security
policies without compromising wire-speed performance. The ACLs enhance service levels
through high-performance differentiated services (DiffServ) marking, Denial of Service (DoS)
and Distributed Denial of Service (DDoS) attack mitigation, and by enforcing service access
rights across the service infrastructure. The ability to classify traffic according to C-VLAN
and/or S-VLAN provides full QinQ ACL support.
Page 3
• Troubleshooting—describes troubleshooting and monitoring tools used to detect and

resolve device related problems. The laser management extends the SFP (System File
Protection) manager by providing ability to monitor optical transceiver operational parameters,
such as received optical power, TX output power and transceiver temperature. You can set
high and low thresholds.
• QoS—allows you to specify different service levels for traffic that traverses the device and
provides preferential treatment to the traffic, possibly at the expense of other traffic.
Without QoS, the device offers best-effort service to each packet and transmits packets
without any assurance of reliability, delay bounds (latency), or throughput (bandwidth).
Implementing QoS in a network makes performance more predictable and bandwidth
utilization more effective.
Page 4
Product Applications
T-Marc 300 Series can be used in the following applications:
1. Aggregation node in campus environments
2. Laser Management
3. Test-Head
Page 5
Technical Summary
Interfaces • One RJ45 connector for CLI configuration & device management
• 2 GE/FE Network Uplink Ports (1/1/1, 1/1/2)
• 4 GE/FE Access Ports (1/2/1–1/2/4)
• 4 GE/FE Access Ports (1/2/5–
1/2/8)
QoS • Advanced QoS with 802.1p and DSCP filtering/marking/re-marking
8 output queues per port
• Packet and byte counter statistics (ingress and egress)
• Rate-limiting for bandwidth allocation
ACLs • ACL support with 2 VLAN tags for QinQ/802.1ad services (based
on customer VLAN IDs
• Remarking/forwarding/policing/filtering/etc support per ACL
Ethernet VLAN Stacking • TLS (QinQ)
Switching
Bridging • IEEE 802.1d Spanning Tree Algorithm
• IEEE 802.1w Rapid Spanning Tree Algorithm
• IEEE 802.1s Multiple Spanning Tree Algorithm
VLANS • 4K VLANs per IEEE 802.1q
Resiliency • Fast ring Ethernet restoration (<50ms)
• Resilient Link
MAC Table • 16K
Size
Forwarding • 148,000 pps per 100 Mb/s port
Rate
• 1,488,000 pps per 1 Gb/s port
Flow Control • IEEE 802.3x for full duplex back pressure for half duplex
transmission
Port Trunking • IEEE 802.3ad Link Aggregation
OAM Ethernet OAM • IEEE 802.1ag (CFM-OAM)
Protocols
• IEEE 802.3ah (EFM-OAM)
• SAA Test-Head
• SAA Throughput Test
• EPS
• Event Propagation
• E-LMI
Troubleshooting • Laser Management
Page 6
Appendix A: Default Configuration
Access List Default Configuration ······························································ 3
ACL Default Configuration ····································································· 3
Boot Loader Default Configuration ···························································· 3
CFM-OAM Default Configuration ····························································· 4
Connectivity Diagnosing Default Configuration ·············································· 6
CPU Resource Control Default Configuration ················································ 6
CPU Utilization Settings Default Configuration··············································· 6
DNS Resolver Default Configuration ·························································· 6
EFM-OAM Default Configuration ····························································· 7
E-LMI Default Configuration ··································································· 7
EPS Default Configuration ······································································ 8
Fast and Giga Ethernet Ports Default Configuration ········································· 8
File System Default Configuration ······························································ 9
IGMP Snooping Default Configuration························································ 9
Laser Management Default Configuration ····················································10
Link Aggregation Default Configuration ······················································10
LLDP Default Configuration···································································11
Loader Configuration Default Configuration ·················································11
LSL and Iometrix Loopback Default Configuration ·········································11
MAC Address Table Default Configuration ··················································12
Message Logging Default Configuration ······················································12
MSTP Configuration Default Configuration··················································12
NTP Default Configuration ····································································14
Passwords Default Configuration ······························································14
Packet Size Limit Default ·······································································14
Passwords Default Configuration ······························································14
Periodic Monitoring Default Configuration···················································15
Port Security Default Configuration ···························································16
QoS Default Configuration ·····································································16
QoS Mapping Default Configuration··························································18
Scheduler Profile Default Configuration ······················································19
Page 1
Appendix A: Default Configuration (Rev. 09)
Shaper Default Configuration ··································································19

Port Default Configuration ·····································································19
RADIUS Default Configuration ·······························································20
Resilient Link Default Configuration ··························································20
RSTP Default Configuration ···································································20
SAA Default Configuration·····································································22
SAA Throughput Test Default Configuration ················································23
Script File System Default Configuration ·····················································23
SFTP Client Default Configuration ····························································24
SNMP Default Configuration ··································································24
SSH Default Configuration ·····································································24
STP Configuration Default Configuration ····················································25
Super VLAN Default Configuration···························································25
TACACS+ Default Configuration ·····························································25
Telnet Default Configuration···································································26
TLS Default Configuration ·····································································26
Traffic Monitoring Default Configuration ····················································26
User Privilege Levels Default Configuration ··················································26
VLAN Default Configuration ··································································27
VTY Default Configuration ····································································27
Zero-touch Default Configuration ·····························································27
1588v2 PTP Default Configuration····························································28
Page 2
Access List Default Configuration

Table 1: Access List Default Configuration
Named access list Not created

Exact match Disabled
ACL Default Configuration

Table 2: ACL Default Configuration
Access Control List (ACL) Not defined

Access Control Group (ACG) Not defined
Rate limit color awareness Color blind
Boot Loader Default Configuration

Table 3: Boot Loader Default Configuration
Password batm
Block length 256
Line-card module operation mode line-module
Page 3
CFM-OAM Default Configuration

Table 4: CFM-OAM Default Configuration
CFM-OAM Disabled
The domain name Appears as a string in the MAID
Compatibility with the IEEE 802.1ag protocol Standard IEEE 802.1ag-2007 (draft 8.1)
version 6.1
CFM Maintenance Domain
The way the name will appear in the MAID ieee
MIPs Are always created
Content of the Sender ID TLV All (hostname and management address of
the device)
CFM Maintenance Association
Hello-interval 1 second
CCM Priority 6
The decision regarding the MIPs If no MIP creation policy per MA is defined,
the default policy is inherited from the
domain policy configuration
Content of the Sender ID TLV All (hostname and management address of
the device)
Defect priority 1 (Alarms are reported for all conditions)
FNG reset interval time 1000 hundredths of a second
FNG alarm interval 250 hundredths of a second
AIS/LCK level One higher than the configured MA level
AIS/LCK priority 6
Interval between two successive AIS or LCK 1 second
packets
MEP state Inactive
MEP Is not able to send CCMs
CFM Performance Monitoring
Profile When CFM protocol is enabled, a default
profile is created automatically
Repetition interval of the monitoring process 1 minute
Update-interval 20 seconds
CFM Profile Monitoring
Priority 0
Number of the Loopback Request packets 1
Loopback Request packets' size 0 bytes
Page 4
One-way Jitter Enabled

One-way jitter error 350 milliseconds
One-way jitter warning 300 milliseconds
Round-trip jitter error value 700 milliseconds
Round-trip jitter error duration 90 seconds
Round-trip jitter warning value 600 milliseconds
Round-trip jitter warning duration 180 seconds
Round-trip frame-loss error value 10 %
Round-trip frame-loss warning value 8%
Round-trip latency error value 2000 milliseconds
Round-trip latency error duration 90 seconds
Round-trip latency-warning value 1600 milliseconds
Round-trip latency-warning duration 180 seconds
Results-bucket-size 20 results
Bucket-size 20 PDUs
Display CFM
The statistics information for all defined domains. Are displayed
All MAs, defined in DOMAIN NAME Are displayed
All defined domains Are displayed
Sending Linktrace and Loopback
Number of sent loopback request packets 3
Loopback message PDU size 0 bytes
Timeout used to wait for linktrace reply 2 seconds
Number of loopback messages to be sent 3 messages
Loopback interval of the CFM process Configured
Delay between 2 consecutive loopback 5 seconds
messages
Page 5
Connectivity Diagnosing Default Configuration

Table 5: Connectivity Diagnosing Default Configuration
Traceroute TTL 64
Traceroute timeout 2 seconds
Ping delay Immediately
Ping packet length 100
Ping number of echo packets to send 5
Ping timeout 2 seconds
CPU Resource Control Default Configuration

Table 6: CPU Resource Control Default Configuration
Rate limit for learning new addresses for the 1500 PPS
entire device
Rate limit to the CPU for the entire device 1500 PPS
CPU Utilization Settings Default Configuration

Table 7: CPU Utilization Default Configuration
CPU Utilization Monitoring Enabled
DNS Resolver Default Configuration

Table 8: DNS Resolver Default Configuration
DNS servers None specified
Page 6
EFM-OAM Default Configuration

Table 9: EFM-OAM Default Configuration
EFM-OAM Enabled
Number of OAMPDUs 5 OAMPDUs
Event propagation Enabled
Sending of the event notification OAMPDUs Enabled
Priority Undefined
Aging interval 5 seconds
Hello Interval 1000 milliseconds
Port state uplink ports Passive
Port state for user ports Disabled
Local loopback Disabled
Remote loopback Disabled
EFM-OAM Is using enhanced mode
Bit-errors threshold Disabled
Frame-errors threshold monitoring Enabled and it is defined as “256 errors
during 20 seconds”
Event monitoring Disabled
Requests sent on the specified interface 5
Accept remote loopback Disabled
E-LMI Default Configuration

Table 10: E-LMI Default Configuration
E-LMI Disabled
E-LMI mode uni-n (network mode)
Polling timer 10
Polling verification timer 15
Polling counter 360
Polling status counter 4
Page 7
EPS Default Configuration

Table 11: EPS Default Configuration
EPS Disabled
Hold Off Timer 0 seconds
Switchovers Are allowed
wait-to-restore timer 5 minutes
Fast and Giga Ethernet Ports Default Configuration

Table 12: Fast Ethernet and Giga Ethernet Ports Default Configuration
Interface state Enabled

Port name None
Backpressure mode Disabled
Duplex speed Autonegotiation
Duplex mode Autonegotiation
Duplex status Unknown
Flow Control mode Disabled
Flow Control status Disabled
VLAN 1
Super VLAN port No
Broadcast rate limit Unlimited
Multicast rate limit Unlimited
Unknown rate limit Unlimited
Packet size limit 1632
Remote fault detect Disabled
Crossover detection Automatic
Learning new address Enabled
Page 8
File System Default Configuration

Table 13: System Directories Default Configuration
Directory Default Value
\Boot\ Contains all executable applications and firmware images

\Java\ Contains all stored Java images
\Log\ Stores all logs of the system operation
\Usr\ Contains all configuration scripts of the system
\Etc\ Contains default startup configuration
\Hidden\ Internal settings storage
Table 14: System File Names and Settings Default Configuration

Image name Image.Z

Auto-boot timeout 5 seconds
Startup configuration name dflt_startup.cfg
Application software System Loader password batm
IGMP Snooping Default Configuration

Table 15: IGMP Snooping Default Configuration
IGMP Snooping Disabled

IGMP Snooping per VLAN Enabled if IGMP Snooping is enabled
Immediate Leave Disabled
Report suppression Enabled if IGMP Snooping is enabled
Source tracking Enabled if IGMP Snooping is enabled
Query Interval 125 seconds
Query response time 10 seconds
Robustness 2 packets
Maximum IGMP Groups per port and VLAN 2000
Maximum IGMP Reports per port and VLAN 2000
Query source IP address IP address of the IP interface (swN)
IGMP snooping behavior Drop packets without setting the Router Alert flag
Page 9
Laser Management Default Configuration

Table 16: Laser Management Default Configuration
Periodic laser monitoring Disabled

Polling period 20 seconds
Logging alert messages Enabled
Trap alert Enabled
LED alert Enabled
High temperature threshold 85 C
Low temperature threshold -45 C
High RX power threshold -7 dBm
Low RX power threshold -32 dBm
High TX power threshold -5 dBm
Low TX power threshold -16 dBm
Link Aggregation Default Configuration

Table 17: Link Aggregation Default Configuration
Static Link Aggregation Disabled

Global Link Aggregation Control Protocol (LACP) Disabled
Per port Link Aggregation Control Protocol Disabled
(LACP)
LACP system priority 32768
LACP port mode Active
LACP port priority 32768
LACP administrative key 1
LAG distribution MAC address
The marker PDU responder per port Disabled
Page 10
LLDP Default Configuration

Table 18: LLDP Default Configuration
LLDP Disabled
LLDP reinitialize-delay 2 seconds
LLDP transmit-delay 2 seconds
LLDP transmit-hold 4 seconds
LLDP transmit-interval 30 seconds
LLDP basic management-address no-advertise
LLDP basic port-description no-advertise
LLDP basic system-capabilities no-advertise
LLDP basic system-description no-advertise
LLDP basic system-name no-advertise
Loader Configuration Default Configuration

Table 19: Boot Loader Default Configuration
Password batm
Block length 256
Line-card module operation mode line-module
LSL and Iometrix Loopback Default Configuration

Table 20: LSL and Iometrix Loopback Default Configuration
LSL Disabled
Iometrix Loopback Disabled
Iometrix measurement packets Are not captured
Iometrix MAC address 00:30:79:FF:FF:FF
Page 11
LSL destination MAC address Device’s MAC + 12

where 12 is added only to the last byte of
the MAC, for example if the device MAC is
00:A0:12:b0:b0:b0, then LSL default
destination MAC is 00:A0:12:b0:b0:bc.
MAC Address Table Default Configuration

Table 21: MAC Address Table Default Configuration
MAC Address aging time 300 seconds

New MAC address learning Enabled
Displaying the learned MAC addresses Enabled
Message Logging Default Configuration

Table 22: Message Logging Default Configuration
NVRAM history Logging Only emergency level trap messages are

logged.
The PRIORITY field is not recorded.
NVRAM-based Configuration History Disabled
Logging buffer size 1000 messages
Logging to buffer log module default buffer trap debugging
Syslog server IP address None configured
MSTP Configuration Default Configuration

Table 23: MSTP Default Configuration
Multiple Spanning tree mode (MSTP) Disabled

Protocol Specification ieee802.1s
Spanning tree port priority 128
Hello time 2 seconds
Forward delay time 15 seconds
Maximum aging time 20 seconds
Page 12
Maximum hop count 40 hops

Span IGMP Fast Recovery Disabled
Revision number 1
Default MTS Instance 0
Bridge priority 32768
Path cost See Table 24
Edge Port Disabled
Flush Edge Port Disabled
Link Type Auto
MSTP Link Flapping feature Disabled
Cisco MSTP compliance Disabled (IEEE 802.1s-2002 compliance is
enabled)
Fast Ring mode Disabled
Fast Ring Border Bridge mode Disabled
Learn mode Standard
BPDU guard Disabled
Loop guard Disabled
Restricted Root Disabled
Restricted TCN Disabled
MSTP debug Disabled
Table 24: Default Path Cost Values (IEEE802.1s)

<=100 Kbps 200,000,000 20,000,000–200,000,000 1–200,000,000

1 Mbps 20,000,000 2,000,000–20,000,000 1–200,000,000
10 Mbps 2,000,000 200,000–2,000,000 1–200,000,000
100 Mbps 200,000 20,000–-200,000 1–200,000,000
1 Gbps 20,000 2,000–200,000 1–200,000,000
10 Gbps 2,000 200–20,000 1–200,000,000
100 Gbps 200 20–2,000 1–200,000,000
1 Tbps 20 2–200 1–200,000,000
10 Tbps 2 1–20 1–200,000,000
Page 13
NTP Default Configuration

Table 25: NTP Default Configuration
NTP authentication Disabled

Summer time (Daylight Saving Time) Disabled
Passwords Default Configuration

Table 26: Passwords Default Configuration
Device login password batm

Privileged (Enable) password Not set
Loader password batm
Caps Lock warning Enabled
Packet Size Limit Default

The default packet size limit for jumbo frames is 1632 bytes.
Passwords Default Configuration

Table 27: Passwords Default Configuration
Device login password batm

Privileged (Enable) password Not set
Loader password batm
Caps Lock warning Enabled
Page 14
Periodic Monitoring Default Configuration

Table 28: Periodic Monitoring Default Configuration
Temperature monitoring Enabled

Temperature monitoring scale Celsius
Fan monitoring Enabled
Power supply monitoring Enabled
CPU usage Enabled
RAM (memory) usage Enabled
Periodic laser monitoring Disabled
Port monitoring Disabled
Log message alert Enabled
Led alert Enabled
Trap alert Enabled
Limit values for monitoring alert See Table 29
Delta value for monitoring alert Disabled
Monitoring period See Table 30
Table 29: Limit Values for Monitoring Alert Default Configuration

Limit value for temperature monitoring alert 55°C / 131°F

Limit value for CPU usage monitoring alert 75%
Limit value for RAM usage monitoring alert 1000 KB
Limit value for port monitoring alert 1%
Limit value for FLASH resources test 3047 KB
Table 30: Monitoring Period Default Configuration

Monitoring period for Fan 60 seconds

Monitoring period for power supply 60 seconds
Monitoring period for temperature 20 seconds
Monitoring period for CPU usage 10 seconds
Monitoring period for RAM usage 30 seconds
Monitoring period for port statistics 10 seconds
Monitoring period for FLASH Resources Test 60 seconds
Page 15
Port Security Default Configuration

Table 31: Port Security Default Configuration
Port security Disabled

Port limit Disabled
Port security action Trap
Disable MAC filtered learning Disabled
QoS Default Configuration

Table 32: QoS Default Configuration
Priority-to-queue assignment 0
Priority remark 0
Port profile index 0 (see Table 36)
DSCP priority 0
DSCP-to-profile assignment See Table 33
Traffic shaping Disabled
Trust mode Untrusted
SP scheduling Is applied
Table 33: DSCP-to-QoS Profile Index Mapping

DSCP Profile Index
0–7 0
8–15 1
16–23 2
24–31 3
32–39 4
40–47 5
48–55 6
56–63 7
Page 16
Table 34: Default Storm Control Values

Traffic storm control Disabled
Table 35: Default Egress Filtering Values

Egress broadcast, unknown-unicast, and multicast Disabled

packets filtering
Table 36: QoS Profile Default Configuration

Profile Index TC DP UP DSCP
0 0 Green 0 0
1 1 Green 1 0
2 2 Green 2 0
3 3 Green 3 0
4 4 Green 4 0
5 5 Green 5 0
6 6 Green 6 0
7 7 Green 7 0
8 0 Yellow 0 0
9 1 Yellow 1 0
10 2 Yellow 2 0
11 3 Yellow 3 0
12 4 Yellow 4 0
13 5 Yellow 5 0
14 6 Yellow 6 0
15 7 Yellow 7 0
#16–127 Not Used Not Used Not Used Not Used
Page 17
QoS Mapping Default Configuration

Table 37: CoS to FC and Color Mapping
Priority Txq Drop Level
0 1 green
1 2 green
2 3 green
3 4 green
4 5 green
5 6 green
6 7 green
7 8 green
Table 38: DSCP to FC and Color Mapping

DSCP Txq Drop Level
0–7 1 green
8–15 2 green
16–23 3 green
24–31 4 green
32–39 5 green
40–47 6 green
48–55 7 green
56–63 8 green
Table 39: Egress Remarking with Dot1p

0 green 0 be
1 green 1 l2
2 green 2 af
3 green 3 l1
4 green 4 h2
5 green 5 ef
6 green 6 h1
7 green 7 nc
0 yellow 0 be
1 yellow 1 l2
2 yellow 2 af
Page 18
3 yellow 3 l1
4 yellow 4 h2
5 yellow 5 ef
6 yellow 6 h1
7 yellow 7 nc
Scheduler Profile Default Configuration

All the ports in the system are bound to profile-1, which is SP scheduling.
Shaper Default Configuration

By default, per-port and per-queue shaper is disabled.
Port Default Configuration

All ports in the system are:
• Bound to a SP scheduling profile 1
• Untrusted (port default) with default policy
• Default mapping to TC=be and color green
Default port settings are applied in the following cases:
• Untrusted mode—all packets
• L2+L3 trust mode—DSCP mapping is used for all IP packets.
Page 19
RADIUS Default Configuration

Table 40: RADIUS Default Configuration
UDP authentication port number 1812

Number of retransmits 3
RADIUS Server timeout 3 seconds
RADIUS Server dead time 3 authentication sessions
IP stack Selects the source IP address
Resilient Link Default Configuration

Table 41: Resilient Link Default Configuration
Preferred port The port with the higher bandwidth

Active port The port with the higher bandwidth. If both
ports have the same bandwidth, the active
port is the port with the lower port number.
For example, for ports 1/2/1 and 1/2/4 the
active port is 1/2/3, and for ports 1/1/1 and
1/2/1 the active port is 1/1/1.
Backup port status Power-on enabled
RSTP Default Configuration

Table 42: RSTP Default Configuration
Rapid Spanning Tree Protocol Disabled

Protocol specification ieee8021w
RSTP Bridge Priority 32768
RSTP Hello-time 2 seconds
RSTP Forward-delay 15 seconds
RSTP Maximum Aging Time 20 seconds
Span IGMP Fast Recovery Disabled
RSTP Edge Port Enabled
Page 20
RSTP Link Type Auto

RSTP Interface Path-cost See Table 43
RSTP Interface Priority 128
Time Since Topology Changed 0 seconds
Line flapping detection Disabled
RSTP debug Disabled
Table 43: Default Path Cost Values (IEEE802.1s)

<=100 Kbps 200,000,000 20,000,000–200,000,000 1–200,000,000

1 Mbps 20,000,000 2,000,000–20,000,000 1–200,000,000
10 Mbps 2,000,000 200,000–2,000,000 1–200,000,000
100 Mbps 200,000 20,000–200,000 1–200,000,000
1 Gbps 20,000 2,000–200,000 1–200,000,000
10 Gbps 2,000 200–20,000 1–200,000,000
100 Gbps 200 20–2,000 1–200,000,000
1 Tbps 20 2–200 1–200,000,000
10 Tbps 2 1–20 1–200,000,000
Page 21
SAA Default Configuration

Table 44: SAA Default Configuration
1 way delay threshold 1 second

1 way jitter threshold 300 milliseconds
1 way frame-loss threshold 8%
all the configured SAA profiles Are displayed
test state Disabled
the calculations Are done at the end of an interval and the
results are stored in the result history
database.
maximum number of concurrent active tests 10
repeat frequency 0 seconds
number of probe statistics 96
probe timeout 3 seconds
time interval 1 second
monitored interval 15 minutes
priority 6
the delay calculation method Average (Uses a simple average of the delay,
measured by all packets)
the jitter calculation method Variance (Uses a simple variance of the
delay, measured by all packets)
p-percentile 50
traps Not generated
Page 22
SAA Throughput Test Default Configuration

Table 45: OAM Data Path Acceleration Default Configuration
priority (for source command) 6

priority (for c-vlan command) 0
drop-eligible 0 (no drop-eligible)
packet Not tagged
CIR (Committed Information Rate) 500 Mbps
CBS (Committed Burst Size) 1MB
duration 5 seconds
pattern of the test packet PRBS (Pseudo Random Bit Sequence)
frame-loss ratio 0%
test Performed for all data-sizes specified in this
document (64, 128, 256, 512, 1024, 1280,
1518, 2000, 9000)
maximum timeout 1 second
result acknowledge timeout 5 seconds
loopback type OAM loopback
Script File System Default Configuration

Table 46: Script File System Default Configuration
Startup configuration name startup_config

Running configuration name running_config
Page 23
SFTP Client Default Configuration

Table 47: SFTP Client Default Configuration
SFTP Client Enabled

Port number 22
SNMP Default Configuration

Table 48: SNMP Default Configuration
SNMP Engine ID 00 00 02 DB 03 [MAC ADDR] 00 00.

SNMP contact Empty (null).
System name The default value is the device’s model name
Location Empty (null)
SNMP agent Disabled
UDP port 161
SNMP user Not configured
Retry inform operation 3 times
Inform operation timeout 30 seconds
SNMP notification log Disabled
SSH Default Configuration

Table 49: SSH Default Configuration
SSH Disabled
Page 24
STP Configuration Default Configuration

Table 50: STP Default Configuration
Spanning Tree protocol Disabled

Protocol specification ieee8021d
STP Bridge Priority 32768
STP Hello-time 2 seconds
STP Forward-delay 15 seconds
STP Maximum Aging Time 20 seconds
STP Interface Path-cost 10
STP Interface Priority 128
STP Topology Change Detection on Interface Enabled
STP IGMP Fast Recovery Disabled
Debug Spanning Tree Protocol (STP) Disabled
Super VLAN Default Configuration

Table 51: Super VLAN Default Configuration
Super VLAN Disabled

Residential user Disabled
TACACS+ Default Configuration

Table 52: TACACS+ Default Configuration
TACACS+ Disabled
TCP port 49
TACACS+ server timeout 15 seconds
IP stack Selects the source IP address
Page 25
Telnet Default Configuration

Table 53: Telnet Default Configuration
Telnet server Enabled

TCP Telnet session port number 23
Timeout value 10 minutes
TLS Default Configuration

Table 54: TLS Default Configuration
Transparent LAN Services (TLS) Disabled

TLS port Residential port
EtherType 0x8100
IEEE control packets tunneling Disabled
Traffic Monitoring Default Configuration

Table 55: Traffic Monitoring Default Configuration
Monitor Session Disabled
User Privilege Levels Default Configuration

Table 56: User Privilege Level Default Configuration
User privilege level for local users Administrator (0)

User privilege level for RADIUS users Guest (15)
Page 26
VLAN Default Configuration

Table 57: VLAN Default Configuration
All ports’ VLAN VLAN 1

PVID of all ports VLAN 1
VLAN management Enabled
Filter transmitted ARP Disabled
VTY Default Configuration

Table 58: VTY Default Configuration
Terminal length 25 lines.

The MOTD and login banners Not configured
Default host-name T-Marc
Advanced VTY mode Disabled
Zero-touch Default Configuration

Table 59: Zero-touch Configuration Default Configuration
Zero Touch Configuration Disabled

TFTP IP address 0.0.0.0
Configuration file Not saved to NVRAM
Number of retries 3 times
The time interval between each retry 64 seconds
Page 27
1588v2 PTP Default Configuration

Table 60: 1588v2 PTP Default Configuration
PTP Disabled
PTP mode Slave
PTP primary priority (priority1) 255
PTP secondary priority (priority2) 255
Domain number 0
Announce interval 16 seconds
Synchronization interval 4 seconds
Static master address (none)
PTP per interface Disabled
Announce-receipt timeout intervals 3
Synchronization-receipt timeout intervals 3
Page 28
Appendix C: Acronyms Glossary
This appendix provides a detailed list of the acronyms used in the T-Marc 300 Series User Guide
and their meaning.
Acronym Meaning
AAA Authentication, Authorization and Accounting

ACL Access Control List
ACG Access Control Group
ARP Address Resolution Protocol
BID Bridge ID
BiST Built-in Self Test
BP Boundary Port
BPDU Bridge Protocol Data Units
CBS Committed Burst Size
CCM Continuity Check Message
CCS Common Channel Signaling
CFM Connectivity Fault Management
CIR Committed Information Rate
CIST Common and Internal Spanning Tree
CLI Command Line Interface
CPE Customer Premise Equipment
CPU Central Processing Unit
CoS Class of Service
CRC Cyclical Redundancy Checking
CST Common Spanning Tree
C-VLAN Customer VLAN
DEI Data Exchange Interface
DLC Data-Link Control
DNS Domain Name System
DoS Denial of Service
DoSAP Domain Service Access Point
DRARP Dynamic RARP
DSA Digital Signature Algorithm
DSCP Differentiated Services Code Point
Page 1
Appendix C: Acronyms Glossary (Rev. 03)
Acronym Meaning
DSS Digital Signature Standard

DST Daylight Saving Time
DTE Data Terminating Entity
EAP Extensible Authentication Protocol
EAPOL EAP encapsulation over LAN
EBS Excess Burst Size
ECN Explicit Congestion Notification
EFM-OAM Ethernet in the First Mile-Operations, Administration, and
Maintenance standards as defined by IEEE 802.3ah/D3.0.
EVC Ethernet Virtual Connection
FC Forwarding Class
FS File System
IP Internet Protocol
IST Internal Spanning Tree
ISAP Intermediate Service Access Point
LACP Link Aggregation Control Protocol
LAG Link Aggregation Group
LAN Local Area Network
LBM Loopback message
LBR Loopback Reply
LLDP Link Layer Discovery Protocol
LLDPDU LLDP Data Units
LSL Logical Service Loopback
LTM Linktrace Message
LTR Linktrace Reply
MA Maintenance Association
MAID Maintenance Association Identifier
MAC Media Access Control
MCID MST Configuration Identifier
MDI Medium-Dependant Interface
MEP Maintenance Association End Points
MEPID Maintenance association End Point Identifier
MIB Management information Base
MIP Maintenance Intermediate Points
MOTD Message-of-the-day
MSTI Multiple Spanning Tree Instance
NAS Network Access Server
Page 2
Acronym Meaning
NTP Network Time Protocol

OAM Operations, Administration and Maintenance
OAMPDU OAM protocol data units.
PDU Protocol Data Unit
PING Packet Internet Groper
PRBS Pseudo Random Bit Sequence
PVID Port VLAN Identifier
QoS Quality of Service
RADIUS Remote Authentication Dial In User Service
RARP Reverse Address Resolution Protocol
RFC Request For Comments
RMON Remote Monitoring.
RSTP Rapid STP
RTR Response Time Reporter
SAA Service Assurance Agent
SAP Service Access Point
SDP Service Distribution Point
SFD Start of Frame Delimiter.
SFP Small Form-factor Pluggable
SLA Service Level Agreement
SLO Service Level Objectives
SNMP Simple Network Management Protocol
SSH Secure Shell
SST Bridge Single Spanning Tree Bridge
STP Spanning Tree Protocol
TACACS+ Terminal Access Controller Access Control System Plus
TC Topology Change
TCP Transmission Control Protocol
TCN TC Notification
TIME Time synchronization clients
TLS Transparent LAN Service
TLV Type Length Value
TTL Time-to-Live
UDP User Datagram Protocol
USM User-based Security Model
VACM View-based Access Control Model
VID VLAN Identifier
Page 3
Acronym Meaning
VLAN Virtual LAN

VPT VLAN Priority Tag
VTP VLAN Priority Tag
VTY Virtual Telnet Type
WAN World Area Network
WRED Weighted Random Early Detection
WRR Weighted Round Robin
Page 4

Docslide - Us - T Marc 300 Series v101rx User Guide PDF

Caricato da

Informazioni sul documento

Titolo originale

Copyright

Formati disponibili

Condividi questo documento

Condividi o incorpora il documento

Opzioni di condivisione

Hai trovato utile questo documento?

Questo contenuto è inappropriato?

Copyright:

Formati disponibili

Docslide - Us - T Marc 300 Series v101rx User Guide PDF

Caricato da

Copyright:

Formati disponibili

T-Marc 300 Series

(T-Marc 340 and T-Marc 380)

Copyright © Telco Systems 2010. All rights reserved.

Using This Document

Installation Guide Contains information about installing the hardware and

commands CLI and SNMP commands

Chapter Name Description

Chapter Name Description

Configuring Link Layer Configuring the IEEE 802.1AB standard.

Getting Documentation Updates

Accessing the CLI ··················································································· 2

The CLI Modes······················································································· 3

Using the CLI························································································· 5

Accessing the CLI

The CLI Modes

The View mode is password protected (the default password is batm)

Privileged (Enable) Mode

Table 1: Configuration Sub-Modes Summary

VTY Controlling the Virtual Telnet Type device-name(config-VTY)#

Interface range configuration device-name(config-if-group)#

Link Aggregation Groups (LAG) device-name(config-if AG0N)#

ACG Interface Access Control Groups device-name(config-if UU/SS/PP

Virtual LAN (VLAN) ACG device-name(config-vlan VLAN-

LAG interface ACG configuration device-name(config-if AG0N acg

Specific VLAN configuration device-name(config vlan VLAN-

Monitor Monitoring parameters settings device-name(config monitor N)#

MSTP MSTP configuration device-name(cfg protocol mstp)

CFM CFM-OAM protocol configuration device-name(config-cfm)

SAA SAA throughput test configuration device-name(config-saa-

TLS TLS service configuration device-name(config-tls SERVICE-

Using the CLI

• the CLI mode is Config VLAN

• NAME <vlan-id> are command arguments

Table 2: CLI Syntax Conventions in the User Guide

<Italic, small A numerical argument:

UU/SS/PP A physical port number in a unit/slot/port format:

HH:HH:HH:HH:HH:HH A MAC address in a hexadecimal format:

{} A mandatory argument or keyword:

| An or between two arguments or keywords, the user should select from:

Dynamic Completion of Commands

. Matches any character

help Provides a brief description of the help system in any command

If nothing matches, the help list will be empty and

abbreviated- To display a command’s possible completions, type the partial

command? (Leave no space between the command and ?) Provides a list of

? Lists all commands available in the particular command mode:

command ? (Leave a space between command and ?) Lists the keywords or

! T-Marc 300 Version 9.4

CLI Keyboard Sequences

Backspace Deletes the character preceding the cursor

Using the Command History

no Negates the command or resets the command to its default value.

To disable privilege-limited logging, type:

alias Associates a contiguous character string as an alias to a command that

To assign an alias to the command show interface 1/1/1

quit Logs out and disconnects from the device:

% is not recognized Displayed when the entry is not a command.

Methods of Managing a Device ··································································· 5

Login and Password ················································································· 8

The Device IP Commands ········································································12

Telnet Commands ··················································································16

Enabling/Disabling the Device’s Telnet Server ·········································17

Virtual Terminal (VTY) ············································································20