Version 2.3.R1
User Manual
492006-2414-023-A00
AS9206 User Manual
V2.3.R1
Catalog No: X38694
1st Edition, February 2012
Overview
The AS9206 is a wire speed, cost-effective 24 port standalone Layer 3
Manageable Switch. The AS9206 is purposely built for Carrier Ethernet and
Small-Medium Enterprise (SME) applications.
AS9206 is ideal for triple-play service aggregation and business Ethernet
services. This cost-effective, advanced access device includes extensive
multilayer Ethernet OAM, an array of network resiliency protocols, and
advanced QoS features.
The AS9206 device supports industry-standard OAM tools: IEEE 802.3ah
Ethernet First Mile (EFM-OAM) and IEEE 802.1ag Connectivity Fault
Management (CFM). With these protocols, the service provider can remotely
identify connectivity issues, isolate problems, as well as monitor end-to-end
services to ensure that service level agreements are met.
A wide set of QoS features give the service provider granular control over the
behavior of traffic and services in the network.
To ensure non-stop networking, the AS9206 boasts a wide variety of resiliency
protocols offering link-level mechanisms such as Resilient-link and LAG with
LACP as well as network-wide mechanisms such as MSTP and Fast-Ring.
Key Features
The AS9206 device offers the following features:
• Wirespeed, non-blocking Carrier Ethernet access device
• IEEE, ITU-T and IETF standards compliance for multi-vendor interoperability
• Enhanced Quality-of-service (QoS) and service granularity support
• Highly available carrier class resiliency:
  • Fast Ring for sub 50ms switch over
  • Industry standard MSTP
  • Link aggregation (802.3ad & LACP)
  • Resilient-Link for 1+1 link redundancy
• Comprehensive set of security features for authentication, connectivity and access control
Following are some of the AS9206 hardware characteristics:
• 24 x 10/100 Mbps 100BASE-TX ports
• 4x-Combo port 1000BASE-T 1000BASE-X
• Operating temperature range: 0°–50°C
• Both AC and DC models available
Intended Audience
This user guide is intended for network administrators responsible for installing
and configuring network equipment.
To use this guide, you must already be familiar with Ethernet and local area
networking (LAN) concepts and terminology.
Documentation Suite
This document is just one part of the full documentation suite provided with
this product.
Organization
The AS9206 User Guide includes the following chapters, each focusing on a
different feature or set of features. Each chapter begins with a brief overview of
the feature/s, followed by the configuration flow, and concluding with the
configuration details for the corresponding commands.
Document Conventions
When applicable, this manual uses the following conventions.
The table below explains the conventions used within the document text:
Conventions                      Description
commands                         CLI and SNMP commands
command example                  CLI and SNMP examples
<Variable>                       user-defined variables
[Optional Command Parameters]    CLI syntax and coded examples
Obtaining Technical Documentation
To obtain technical documentation related to ECI Telecom products, please
contact:
ECI Telecom Ltd.
Documentation Department
30 Hasivim St.
Petach Tikva 49130
Israel
Fax: +972-3-9268060
Email: techdoc.feedback@ecitele.com
Technical Assistance
The configuration, installation, and operation of ECI Telecom products in a
network are highly specialized processes. Due to the different nature of each
installation, some planning aspects may not be covered in this manual.
If you have questions or concerns about your network design or if you require
installation personnel to perform the actual installation process, ECI Telecom
maintains a staff of design engineers and highly trained field service personnel.
The services of this group are available to customers at any time.
If you are interested in obtaining design assistance or a network installation
plan from ECI Telecom's Customer Support team, contact your ECI Telecom
sales representative. For any support-related issues, technical or logistic,
please contact the ECI Telecom Customer Support center at your location. If
you are not familiar with that location, please contact our central customer
support center action line at:
Telephone: +972-3-9266000
Telefax: +972-3-9266370
Email: on.support@ecitele.com
Files System
This section describes some fundamental tasks you perform to maintain the
configuration files and system images used by AS9206 devices.
Overview
The MAC (Media Access Control) address is the unique hardware number that
identifies the computer on a local area network (LAN) or other network.
MAC addresses are 12-digit hexadecimal numbers (48 bits in length) in the
following format:
MM:MM:MM:SS:SS:SS
Whereas MAC addressing works at the data link layer (layer 2), IP addressing
functions at the network layer (layer 3). MAC addresses are also known as
hardware or physical addresses.
The MAC-address table contains the destination VLAN ID, MAC address, port
number associated with each address, entry type, and MAC address priority.
A VLAN is removed
A VLAN ID is changed
A port mode is changed (tagged/untagged)
A port is disabled
+ config terminal
- [no] learn-new-mac-addresses
- port UU/SS/PP
- show fdb
Command Description
config terminal
    Enters the Configuration mode
port UU/SS/PP
    Enters the Specific Port’s Configuration mode
no port [UU/SS/PP]
    Removes the port configurations
learn-new-mac-addresses
    Enables the learning of new MAC addresses in the MAC-address table
    • Enabled
no learn-new-mac-addresses
    Restores to default
Command Description
mac-address-table aging-time <time>
    Defines the length of time that a dynamic entry remains in the MAC-address table since the last time it was updated/used:
    • time: in the range of <10–1000000> seconds
    • 300 seconds
no mac-address-table aging-time
    Restores to default
mac-address-table static <vlan-id> <mac:hexList>
    Adds a static MAC address to the MAC-address table:
    • vlan-id: the VLAN, in the range of <1-4092>, for which the packet with the specified MAC address is received
    • mac:hexList: the destination unicast/multicast MAC address (HH:HH:HH:HH:HH:HH) added to the MAC-address table
    • None configured
no mac-address-table static <vlan-id> <mac:hexList>
    Removes a static entry:
    • vlan-id: on the specified VLAN in the range of <1–4092>
    • mac:hexList: a specific MAC address (HH:HH:HH:HH:HH:HH)
port UU/SS/PP
    Defines a port to which the received packet is forwarded:
    • UU/SS/PP: 1/1/1-1/1/24, 1/2/1-1/2/4
priority <priority>
    Defines the MAC-address table priority:
    • priority: in the range of <0–7>
    • 0
no priority
    Restores to default
type { filtered | multicast | secure | self | static | unknown}
    Specifies the MAC-address learning type:
    • filtered, multicast, secure, self, static, and unknown
    • Static
Command Description
clear fdb [interface UU/SS/PP] [mac HH:HH:HH:HH:HH:HH] [vlan <vlan-id>]
    Removes all or specific entries from the MAC-address table:
    • UU/SS/PP: (optional) all MAC addresses for the specified port
    • HH:HH:HH:HH:HH:HH: (optional) a specific MAC address
    • vlan-id: (optional) all MAC addresses for the specified VLAN in the range of <1–4092>
show fdb
    Displays the content of the MAC-address table
device-name#show fdb
+========+=====================+============+==========+==========+
| VID | Mac | PORT | STATUS | PRIORITY |
+========+=====================+============+==========+==========+
| 001 | 00:00:C8:00:00:02 | 1/1/3| dynamic | 000 |
| 001 | 00:0A:01:02:03:04 | 1/1/2| static | 006 |
| 001 | 00:A0:12:64:07:01 | | self | 000 |
+--------+---------------------+------------+----------+----------+
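The show fdb table above can be baselined and compared over time to spot MAC addresses that appear or change port. The following Python sketch is an added example, not part of the ECI manual: it parses the table layout shown above and diffs two snapshots. The second snapshot and all function names are constructed for illustration.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

MAC_RE = re.compile(r"(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}")


class FdbEntry(NamedTuple):
    vid: int
    mac: str
    port: Optional[str]   # None when the PORT column is empty (the "self" entry)
    status: str
    priority: int


def parse_fdb(text: str) -> List[FdbEntry]:
    """Parse 'show fdb' output, skipping the prompt, ruler lines and the header row."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("|"):
            continue
        cells = [c.strip() for c in line.strip("|").split("|")]
        if len(cells) != 5 or not MAC_RE.fullmatch(cells[1]):
            continue  # header row or malformed line
        vid, mac, port, status, prio = cells
        entries.append(FdbEntry(int(vid), mac.upper(), port or None,
                                status.lower(), int(prio)))
    return entries


def diff_fdb(baseline: List[FdbEntry],
             current: List[FdbEntry]) -> List[Tuple[str, int, str, str]]:
    """Report MACs that are new, moved to another port, or changed entry type."""
    known = {(e.vid, e.mac): e for e in baseline}
    alerts = []
    for e in current:
        old = known.get((e.vid, e.mac))
        if old is None:
            alerts.append(("new-mac", e.vid, e.mac, str(e.port)))
        elif old.port != e.port:
            alerts.append(("moved", e.vid, e.mac, f"{old.port}->{e.port}"))
        elif old.status != e.status:
            alerts.append(("status-changed", e.vid, e.mac,
                           f"{old.status}->{e.status}"))
    return alerts


# Baseline: the sample output printed in the manual.
BASELINE = """\
device-name#show fdb
+========+=====================+============+==========+==========+
| VID | Mac | PORT | STATUS | PRIORITY |
+========+=====================+============+==========+==========+
| 001 | 00:00:C8:00:00:02 | 1/1/3| dynamic | 000 |
| 001 | 00:0A:01:02:03:04 | 1/1/2| static | 006 |
| 001 | 00:A0:12:64:07:01 | | self | 000 |
+--------+---------------------+------------+----------+----------+
"""

# Constructed later snapshot: one dynamic MAC moved, one unknown MAC appeared.
CURRENT = """\
| 001 | 00:00:C8:00:00:02 | 1/1/7| dynamic | 000 |
| 001 | 00:0A:01:02:03:04 | 1/1/2| static | 006 |
| 001 | 00:A0:12:64:07:01 | | self | 000 |
| 001 | 00:11:22:33:44:55 | 1/1/9| dynamic | 000 |
"""

if __name__ == "__main__":
    for alert in diff_fdb(parse_fdb(BASELINE), parse_fdb(CURRENT)):
        print(alert)
```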
Files System
Overview
The file system provides commands for defining, downloading, and deleting
software images and configuration files stored in a Flash memory.
- file cp os-image PROTOCOL[USER[:PASSWORD]@]IPv4[:PORT]/FILE-NAME
- file cp from PROTOCOL[USER[:PASSWORD]@]IPv4[:PORT]/FILE-NAME1 FILE-NAME2
- file cp technical-support PROTOCOL[USER[:PASSWORD]@]IPv4[:PORT]/FILE-NAME
- file cp running-configuration PROTOCOL[USER[:PASSWORD]@]IPv4[:PORT]/FILE-NAME
- file ls
- file ls os-image
- file vi FILE-NAME
Command Description
(root)
Command Description
file backup binary-running-config PROTOCOL[USER[:PASSWORD]@]IPv4[:PORT]/FILE-NAME
    Backs up the binary running configuration to a TFTP/FTP server (see the Installation and Maintenance chapter of this UG):
    • PROTOCOL type: tftp://A.B.C.D or ftp://user:pass@A.B.C.D. For TFTP servers, no user, password, and port are required. For FTP servers, no port number is required.
    • USER: FTP user name
    • PASSWORD: FTP user password. The password must be immediately followed by the at symbol (@).
    • IPv4: IP address of the TFTP/FTP server in A.B.C.D format
    • PORT: port number for the TFTP transfer
    • FILE-NAME: name of the file to be backed up
file cp os-image PROTOCOL[USER[:PASSWORD]@]IPv4[:PORT]/FILE-NAME
    Downloads a new software image from a TFTP/FTP server:
    • PROTOCOL type: tftp://A.B.C.D or ftp://user:pass@A.B.C.D. For TFTP servers, no user, password, and port are required. For FTP servers, no port number is required.
    • USER: FTP user name
    • PASSWORD: FTP user password. The password must be immediately followed by the at symbol (@).
    • IPv4: IP address of the TFTP/FTP server in A.B.C.D format
    • PORT: port number for the TFTP transfer
    • FILE-NAME: name of the software image file
Command Description
file cp from FILE-NAME1 PROTOCOL[USER[:PASSWORD]@]IPv4[:PORT]/FILE-NAME2
    Uploads a configuration file from the local file system to a TFTP/FTP server:
    • FILE-NAME1: name of the source file
    • PROTOCOL type: tftp://A.B.C.D or ftp://user:pass@A.B.C.D. For TFTP servers, no user, password, and port are required. For FTP servers, no port number is required.
    • USER: FTP user name
    • PASSWORD: FTP user password. The password must be immediately followed by the at symbol (@).
    • IPv4: IP address of the TFTP/FTP server in A.B.C.D format
    • PORT: port number for the TFTP transfer
    • FILE-NAME2: name of the destination file
file cp from PROTOCOL[USER[:PASSWORD]@]IPv4[:PORT]/FILE-NAME1 FILE-NAME2
    Downloads a configuration file from a TFTP/FTP server to the local file system:
    • PROTOCOL type: tftp://A.B.C.D or ftp://user:pass@A.B.C.D. For TFTP servers, no user, password, and port are required. For FTP servers, no port number is required.
    • USER: FTP user name
    • PASSWORD: FTP user password. The password must be immediately followed by the at symbol (@).
    • IPv4: IP address of the TFTP/FTP server in A.B.C.D format
    • PORT: port number for the TFTP transfer
    • FILE-NAME1: name of the source file
    • FILE-NAME2: name of the destination file
Command Description
file cp from FILE-NAME1 FILE-NAME2
    Saves a copy of any file to the local file system:
    • FILE-NAME1: name of the copied image file
    • FILE-NAME2: name of the new file
file cp technical-support PROTOCOL[USER[:PASSWORD]@]IPv4[:PORT]/FILE-NAME
    Uploads the output of the show technical-support command to a TFTP/FTP server (see the Troubleshooting chapter of this UG):
    • PROTOCOL type: tftp://A.B.C.D or ftp://user:pass@A.B.C.D. For TFTP servers, no user, password, and port are required. For FTP servers, no port number is required.
    • USER: FTP user name
    • PASSWORD: FTP user password. The password must be immediately followed by the at symbol (@).
    • IPv4: IP address of the TFTP/FTP server in A.B.C.D format
    • PORT: port number for the TFTP transfer
    • FILE-NAME: name of the file
file cp technical-support FILE-NAME
    Saves the output of the show technical-support command to the local file system (see the Troubleshooting chapter of this UG):
    • FILE-NAME: name of the file
Command Description
file cp running-configuration PROTOCOL[USER[:PASSWORD]@]IPv4[:PORT]/FILE-NAME
    Uploads the running configuration file to a TFTP/FTP server:
    • PROTOCOL type: tftp://A.B.C.D or ftp://user:pass@A.B.C.D. For TFTP servers, no user, password, and port are required. For FTP servers, no port number is required.
    • USER: FTP user name
    • PASSWORD: FTP user password. The password must be immediately followed by the at symbol (@).
    • IPv4: IP address of the TFTP/FTP server in A.B.C.D format
    • PORT: port number for the TFTP transfer
    • FILE-NAME: name of the file
file cp running-configuration FILE-NAME
    Saves the running configuration file to the local file system:
    • FILE-NAME: name of the file
file ls
    Lists the content of the local file system
file ls os-image
    Lists the available software images located on the local file system
file rm from FILE-NAME
    Removes a configuration file from the local file system:
    • FILE-NAME: name of the file
file rm os-image FILE-NAME
    Removes a software image from the local file system:
    • FILE-NAME: name of the image file
file more FILE-NAME
    Displays the content of a configuration file:
    • FILE-NAME: name of the file
file mv FILE-NAME1 FILE-NAME2
    Renames the selected configuration file:
    • FILE-NAME1: old (current) name of the file
    • FILE-NAME2: new name of the file
Command Description
file merge FILE-NAME
    Merges the content of a specified configuration file into the current running configuration:
    • FILE-NAME: name of the configuration file to be merged
file diff FILE-NAME1 FILE-NAME2
    Compares the content of two files ignoring character case (returns matches disregarding upper or lower case):
    • FILE-NAME1, FILE-NAME2: names of the files to be compared
file restore binary-running-config flash
    Restores the binary running configuration from a backup file located on the local file system:
    • The name of the backup file is backup.tar.gz
file restore binary-running-config PROTOCOL[USER[:PASSWORD]@]IPv4[:PORT]/FILE-NAME
    Restores the running configuration from a backup file located on a TFTP/FTP server:
    • PROTOCOL type: tftp://A.B.C.D or ftp://user:pass@A.B.C.D. For TFTP servers, no user, password, and port are required. For FTP servers, no port number is required.
    • USER: FTP user name
    • PASSWORD: FTP user password. The password must be immediately followed by the at symbol (@).
    • IPv4: IP address of the TFTP/FTP server in A.B.C.D format
    • PORT: port number for the TFTP transfer
    • FILE-NAME: name of the file to be restored
file vi FILE-NAME
    Opens the selected file for editing in a standard VI editor:
    • FILE-NAME: name of the file
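The PROTOCOL[USER[:PASSWORD]@]IPv4[:PORT]/FILE-NAME argument used by the file commands above places the FTP password on the command line, and both TFTP and FTP transfer data unencrypted. The following Python sketch is an added example, not part of the ECI manual: it parses that target syntax and masks the password before a command is copied into a change log or ticket. The function names, addresses and credentials are constructed for illustration.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Target syntax from the manual: PROTOCOL[USER[:PASSWORD]@]IPv4[:PORT]/FILE-NAME
TARGET_RE = re.compile(
    r"^(?P<proto>tftp|ftp)://"
    r"(?:(?P<user>[^:@/\s]+)(?::(?P<password>[^@/\s]*))?@)?"
    r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
    r"(?::(?P<port>\d{1,5}))?"
    r"/(?P<filename>\S+)$"
)

# Finds "proto://user:" followed by a password that ends at "@<IPv4>".
PASSWORD_RE = re.compile(
    r"(?P<pre>\b(?:tftp|ftp)://[^:@/\s]+:)\S*?(?=@\d{1,3}(?:\.\d{1,3}){3})"
)


@dataclass(frozen=True)
class TransferTarget:
    proto: str
    user: Optional[str]
    password: Optional[str]
    host: str
    port: Optional[int]
    filename: str


def parse_target(url: str) -> TransferTarget:
    """Parse one transfer target; raise ValueError if it does not fit the syntax."""
    m = TARGET_RE.match(url)
    if m is None:
        raise ValueError("not a PROTOCOL[USER[:PASSWORD]@]IPv4[:PORT]/FILE-NAME target")
    ipaddress.IPv4Address(m.group("host"))  # rejects octets above 255
    port = int(m.group("port")) if m.group("port") else None
    if port is not None and not 1 <= port <= 65535:
        raise ValueError("port out of range")
    return TransferTarget(m.group("proto"), m.group("user"), m.group("password"),
                          m.group("host"), port, m.group("filename"))


def redact(command: str) -> str:
    """Mask any inline password so the command can be stored in tickets or logs."""
    return PASSWORD_RE.sub(lambda m: m.group("pre") + "****", command)


def findings(target: TransferTarget) -> List[str]:
    """Review notes for a transfer target (both protocols are unencrypted)."""
    notes = []
    if target.proto == "tftp":
        notes.append("tftp: no authentication and no encryption")
    else:
        notes.append("ftp: user name, password and file are sent in cleartext")
    if target.password is not None:
        notes.append("password typed inline on the CLI")
    return notes


if __name__ == "__main__":
    # Constructed sample commands; addresses, names and password are made up.
    for cmd in (
        "file cp running-configuration ftp://backup:S3cret@10.3.0.5/as9206.cfg",
        "file cp os-image tftp://10.3.0.5/as9206.img",
    ):
        target = parse_target(cmd.split()[-1])
        print(redact(cmd), findings(target))
```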
+ root
+ config terminal
+ system
+ [no] time
- [no] date CCYY-MM-DDTHH:MM:SS
- [no] summer-time recurring [start-at
{day-of-the-week DAY | month MONTH |
week-of-the-month <week> | time
HH:MM:SS} | end-at {day-of-the-week DAY
| month MONTH | week-of-the-month
<week> | time HH:MM:SS}]
- [no] summer-time recurring offset
<offset>
+ [no] ntp
+ [no] remote-server-ip A.B.C.D
- [no] authentication key-id
<key-id> [key-string STRING]
- refresh-interval <interval>
- timezone <-12–+12>
- [no] time-out <value>
- [no] min <min>
- [no] shutdown
Command Description
config terminal
    Enters the Configuration mode
system
    Enters the System Configuration Mode
time
    Enters the Time Server Configuration mode
no time
    Removes the system time configurations
date CCYY-MM-DDTHH:MM:SS
    Manually sets the device’s system time:
    • CCYY-MM-DDTHH:MM:SS: CC represents the century, YY the year, MM the month and DD the day
    • T: date/time separator
    • HH, MM, and SS represent hour, minute and second respectively
summer-time recurring {start-at {day-of-the-week DAY | month MONTH | time HH:MM:SS | week-of-the-month <week>} | end-at {day-of-the-week DAY | month MONTH | time HH:MM:SS | week-of-the-month <week>}}
    Defines that the summer time starts and ends on specified days every year:
    • start-at: start settings
    • end-at: end settings
    • DAY: the start/end day of the week (Sunday, Monday...)
    • MONTH: the start/end month (January, February...)
    • HH:MM:SS: the start/end time (24-hour format)
    • week: the week of the month to start/end (first, second, third, fourth and last)
    • The summer time is disabled
summer-time recurring offset <offset>
    Defines the number of minutes added during the summer time:
    • offset: in the range of <1-1440>
no summer-time recurring
    Restores to default
ntp
    Configures the device’s system time to be synchronized by an NTP server
    • Enabled
no ntp
    Disables the NTP
Command Description
remote-server-ip A.B.C.D
    Defines the NTP server’s IP address:
    • A.B.C.D: NTP server’s IP address
no remote-server-ip
    Removes the NTP server’s IP address
authentication key-id <1-65535> [key-string STRING]
    Configures the MD5 authentication key used by the device to authenticate the NTP server to prevent rogue server intervention:
    • key-id: in the range of <1-65535>
    • key-string STRING: (optional) a string of <1-20> characters (blank spaces and question marks are not allowed)
no authentication key-id
    Removes the MD5 authentication key
refresh-interval <interval>
    Defines the number of minutes to synchronize the device’s system time to the NTP server:
    • interval: in the range of <10–44640> minutes (the upper limit is equivalent to 31 days)
timezone <-12–+12>
    Defines the number of hours of offset from the Coordinated Universal Time (UTC, formerly Greenwich Mean Time or GMT):
    • -12: corresponds to time zones west of UTC
    • +12: corresponds to time zones east of UTC
time-out <value>
    Defines the NTP server session timeout:
    • value: in the range of <2-20> seconds
no time-out
    Removes the timeout
min <min>
    Defines the number of minutes of offset from UTC:
    • min: in the range of <1-59> minutes
no min
    Removes the configured minutes
shutdown
    Stops the NTP configuration
no shutdown
    Starts the NTP configuration
+ config terminal
+ system
Command Description
config terminal
    Enters the Configuration mode
system
    Enters the System Configuration mode
dns-resolver A.B.C.D [shutdown]
    Defines the DNS server’s IP address used for domain name and address resolution.
    You can specify up to 3 DNS servers. The device sends DNS queries to the primary server first. If that query fails, the backup servers are queried.
    • A.B.C.D: DNS server’s IP address
    • shutdown: (optional) shuts down the selected DNS server
    • No DNS servers are configured
no dns-resolver
    Removes the configured DNS server’s IP address
- idle-timeout <timeout>
- screen-length <number-of-rows>
- screen-width <number-of-columns>
Command Description
idle-timeout <timeout>
    Defines the VTY connection timeout value:
    • timeout: in the range of <0-8192> seconds
screen-length <number-of-rows>
    Defines the number of row lines displayed on the terminal screen.
    • number-of-rows: in the range of <0-32000>
    • 24 lines
screen-width <number-of-columns>
    Defines the number of column lines displayed on the terminal screen.
    • number-of-columns: in the range of <1-512>
License Configuration
NOTE: The device is shipped with full license capabilities.
+ config terminal
+ system
Command Description
config terminal Enters Configuration mode
system Enters System Configuration mode
license [id <value>]
Privilege         Description
Administrators    Full read/write privileges (with no restrictions) for Layer 2 and Layer 3.
Network-Admins    Read/write privileges for Layer 2 and Layer 3, without access to security (usernames and passwords), debug commands, and other administrative settings (such as software upgrade, and device reload).
Technicians       Read/write privileges for Layer 2 and read-only privileges for Layer 3.
Users             Read-only privileges for Layer 2 and Layer 3. Users with this privilege level have access to all the show commands and general commands (such as exit, quit, ping, and traceroute commands).
Guests            Read-only privileges in Root mode.
Username Password
admin admin
You can configure one of the below methods for authenticating users accessing
the device:
• Local database—authenticates the user using a local database of user names and passwords, located on the local file system
• Remote RADIUS or TACACS+ server—authenticates the user using a remote server lookup database of user names and passwords
Command Description
config terminal
    Enters the Configuration mode
system
    Enters the System Configuration mode
security
    Enters the Security Configuration mode
password preferred-authentication {local | radius | tacacs}
    Defines the device login-authentication method:
    • local: local authentication method
    • radius: RADIUS authentication method
    • tacacs: TACACS+ authentication method
    • Local authentication method
no password
    Restores to default
privilege-profile PRIVILEGE-PROFILE-NAME
    Defines a new privilege profile and enters the Profile Configuration mode:
    • PRIVILEGE-PROFILE-NAME: a string of <1-256> characters. You can use predefined privilege profiles (see Table 2-1)
no privilege-profile PRIVILEGE-PROFILE-NAME
    Removes the defined privilege profile
command-access-rule <number>
    Defines a command access rule:
    • number: in the range of <1-4294967295>
Command Description
match COMMAND-STRING
    Defines a command matching the specified access rule:
    • COMMAND-STRING: a command string
agent [cli
    Defines the management agent for the specified rule:
    • CLI
    •
operation {r | x | rx}
    The operation type that is permitted/denied by the specified rule:
    • r: read
    • x: execute
    • rx: read-execute
user USER-NAME
    Creates a new username in the local database, and enters the User Configuration mode:
    • USER-NAME: a case-sensitive string of <1-100> characters (blank spaces and question marks (?) are not allowed)
no user USER-NAME
    Removes the defined username
member PRIVILEGE-PROFILE-NAME
    Assigns a user to a profile:
    • PRIVILEGE-PROFILE-NAME: a string of <1-256> characters. You can use predefined privilege profiles (see Table 2-1)
password PASSWORD
    Defines a user's password:
    • PASSWORD: case-sensitive string of <1-64> characters (blank spaces are not allowed)
Configuration Example
1. Define a privilege profile ECI that denies access to the device via
CLI:
device-name(config)#system
device-name(config-system)#security privilege-profile ECI
device-name(config-privilege-profile-ECI)#commit
Commit complete.
device-name(config-privilege-profile-ECI)#command-access-rule 1
device-name(config-command-access-rule-1)#action deny
device-name(config-command-access-rule-1)#agent cli
device-name(config-command-access-rule-1)#match "show port"
device-name(config-command-access-rule-1)#operation rx
device-name(config-command-access-rule-1)#commit
Commit complete.
device-name(config-command-access-rule-1)#exit
device-name(config-privilege-profile-ECI)#exit
3. The RADIUS server first validates the NAS (based on the shared secret-key). Then it validates the user request against a local database, matching the user’s password (and in some cases, other parameters, such as the port number). The RADIUS server then responds with:
• an accept reply, if the user information is validated
• a reject reply if the user is not found in the database or its information is not matched. The reject reply might include the rejection reason.
Based on this reply, the NAS accepts or rejects the user’s request. The accept reply includes a list of attributes that should be used in the session. An important parameter is the authenticated user’s privilege level.
3. Assign a privilege level to all other users in the users configuration file, as
shown in the example below:
-------------------------------------------------
raddb/users
-------------------------------------------------
4. Add the following line to the dictionary file (in the RADIUS-configuration
folder):
$INCLUDE dictionary.eci
-------------------------------------------------
raddb/clients.conf
-------------------------------------------------
client 10.3.0.0/16 {
secret = secretkey
}
Command Description
config terminal Enters the Configuration mode
system Enters the System Configuration mode
security Enters the Security Configuration mode
radius-server Enters the RADIUS Server
Configuration mode
no radius-server Removes the RADIUS Server
configurations
host A.B.C.D
Command Description
key KEY
Configuration Results:
1. When accessing the device using username richy, the RADIUS server
sends a REJECT reply:
Username:richy
Password:
Username:
Response    Description
ACCEPT      The user is authenticated. Based on configuration, the NAS might need to start the authorization phase.
REJECT      The user is not authenticated. Depending on the TACACS+ server configuration, the user is either prompted to retry login or denied from accessing the network.
ERROR       An error occurred during the authentication procedure (such as a network connection issue). In this case the NAS typically tries to authenticate the user by an alternative method.
CONTINUE    The TACACS+ server prompts the user for further authentication information.
user = admin {
    login = cleartext "adminpass"
    service = eci {
        Group = "admin"
    }
}
user = tech {
    login = cleartext "techpass"
    service = eci {
        Group = "technicians"
    }
}
user = guest {
    login = cleartext "guestpass"
    service = eci {
        Group = "guests"
    }
}
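The server-side user definitions above store each login secret with the cleartext keyword and tie it to a privilege group. The following Python sketch is an added example, not part of the ECI manual: it parses user blocks in the layout shown above and lists accounts whose secret is stored in cleartext or contains the account name. The fourth user (noc) and all function names are constructed for illustration.

```python
import re
from typing import Dict, List, Optional, Tuple

USER_RE = re.compile(r'^user\s*=\s*(\S+)\s*\{$')
LOGIN_RE = re.compile(r'^login\s*=\s*(\w+)\s+"([^"]*)"$')
GROUP_RE = re.compile(r'^Group\s*=\s*"([^"]*)"$')


def parse_users(text: str) -> Dict[str, Dict[str, Optional[str]]]:
    """Return {user: {"method", "secret", "group"}} from user = NAME { ... } blocks."""
    users: Dict[str, Dict[str, Optional[str]]] = {}
    current = None
    depth = 0                      # brace nesting inside the current user block
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        start = USER_RE.match(line)
        if depth == 0 and start:
            current = {"method": None, "secret": None, "group": None}
            users[start.group(1)] = current
            depth = 1
            continue
        if current is None:
            continue
        login = LOGIN_RE.match(line)
        group = GROUP_RE.match(line)
        if login and depth == 1:
            current["method"], current["secret"] = login.group(1), login.group(2)
        elif group:
            current["group"] = group.group(1)
        if line.endswith("{"):
            depth += 1
        elif line == "}":
            depth -= 1
            if depth == 0:
                current = None
    return users


def audit(users: Dict[str, Dict[str, Optional[str]]]) -> List[Tuple[str, str, str]]:
    """Return (user, group, issue) tuples for weakly protected login secrets."""
    issues = []
    for name, info in users.items():
        group = info["group"] or "?"
        if info["method"] == "cleartext":
            issues.append((name, group, "secret stored in cleartext"))
        if info["secret"] and name.lower() in info["secret"].lower():
            issues.append((name, group, "secret contains the account name"))
    return issues


# First three users are the manual's example; "noc" is constructed for contrast.
SAMPLE = '''
user = admin {
    login = cleartext "adminpass"
    service = eci {
        Group = "admin"
    }
}
user = tech {
    login = cleartext "techpass"
    service = eci {
        Group = "technicians"
    }
}
user = guest {
    login = cleartext "guestpass"
    service = eci {
        Group = "guests"
    }
}
user = noc {
    login = cleartext "x9!Lq2"
    service = eci {
        Group = "technicians"
    }
}
'''

if __name__ == "__main__":
    for issue in audit(parse_users(SAMPLE)):
        print(issue)
```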
+ config terminal
+ system
+ security
- [no] tacplus
- [no] host A.B.C.D
- [no] description DESCRIPTION
- [no] key KEY
- [no] timeout <seconds>
Command Description
config terminal
    Enters the Configuration mode
system
    Enters the System Configuration mode
security
    Enters the Security Configuration mode
tacplus
    Enters the TACACS+ Server Configuration mode
no tacplus
    Removes the TACACS+ Server configurations
host A.B.C.D
    Selects TACACS+ server(s), up to 5 RADIUS servers. The device connects the TACACS+ servers in a predefined order:
    • A.B.C.D: the TACACS+ server's IP address
    • No TACACS+ servers are configured
    NOTE: In case the TACACS+ server is shut down or disconnected from the device, the device retransmits the request three times. After the retransmission timeout, the device attempts to authenticate the user with the local database.
no host
    Removes the configured TACACS+ server’s IP address
description DESCRIPTION
    TACACS+ server description:
    • DESCRIPTION: a string of <1–255> characters
no description
    Removes the TACACS+ server description
key KEY
Command Description
no key
    Removes the configured key
timeout <seconds>
    Defines the number of seconds the device waits for an authentication response from the TACACS+ server before declaring its unavailability:
    • seconds: in the range of <1–60> seconds
    • 3 seconds
no timeout
    Restores to default
1. Select the TACACS+ server and define the shared encryption key:
device-name#config terminal
device-name(config)#system
device-name(config-system)#security
device-name(config-security)#tacplus host 10.2.42.137
device-name(config-security)#tacplus key TacacsPlus
Configuration Results:
1. When accessing the device using username richy, the TACACS+ server
sends a REJECT reply:
Username:richy
Password:
Username:
Resilient Links
A resilient link consists of a main link and a standby (backup) link that
together form a resilient-link pair. Resilient links protect critical links and
prevent network downtime.
Command Hierarchy
+ root
+ config terminal
+ [no] port UU/SS/PP
- [no] description DESCRIPTION
- [no] speed {10 | 100 | 1000 | auto}
- [no] duplex {auto | full | half}
- [no] default-vlan <vlan-id>
- [no] flow-control
- [no] mtu <mtu-value>
- [no] shutdown
+ [no] router
+ [no] interface {eth0 | loN | swN}
- [no] description DESCRIPTION
- [no] address A.B.C.D/M
- [no] shutdown
- show interface [name]
- show interface statistics
- show port [UU/SS/PP] [statistics | detailed]
- clear port UU/SS/PP statistics
Command Descriptions
The following tables list separate configuration commands for ports and
interfaces. Commands used to display/clear port settings and statistics are also
included:
Table 3-1: Ports Configuration Commands
Table 3-2: IP Interface Configuration Commands
Table 3-3: Commands Used to Display and Clear Port Settings and
Statistics
Command Description
config terminal
    Enters Configuration mode
port UU/SS/PP
    Enters Configuration Mode for a specific port:
    • UU/SS/PP: 1/1/1-1/1/24, 1/2/1-1/2/4
no port [UU/SS/PP]
    Removes port configurations:
    • UU/SS/PP: (optional) 1/1/1-1/1/24, 1/2/1-1/2/4
description DESCRIPTION
    Description of the port:
    • DESCRIPTION: a string of <1-256> characters
no description
    Removes the port description
speed {10 | 100 | 1000 | auto}
    Defines the speed of the port:
    • 10, 100, 1000: duplex speed, in Mbps
    • auto: the port automatically finds the highest supported speed
    • Auto
no speed
    Restores to default
duplex {auto | full | half}
    Defines the port’s duplex mode.
    • auto: auto detect mode
    • full: full duplex mode
    • half: half duplex mode
    • Auto
no duplex
    Restores to default
default-vlan <vlan-id>
    Defines the default VLAN for the port (only one default VLAN allowed per port):
    • vlan-id: in the range of <1–4092>
    • 1
no default-vlan
    Restores to default
flow-control
    Controls the amount of data sent from the transmitting port to the receiving port (also called Flow Control Mode).
    • Disabled
no flow-control
    Restores to default
Command Description
mtu <mtu-value>
    Defines the maximum packet size allowed for the port.
    This parameter (minus 44 Bytes) is applied automatically on participating IP-interfaces.
    • mtu-value: in the range of <64–9216>
    • 1544 Bytes
no mtu
    Restores to default
shutdown
    Disables the port (the port no longer receives, forwards, or learns)
no shutdown
    Enables the port
Command Description
config terminal
    Enters Configuration mode
router
    Enters Router Configuration mode
no router
    Removes router configurations
interface {eth0 | loN | swN}
    Creates an IP interface and enters Configuration Mode for the IP-Interface:
    • eth0: an Ethernet network interface
    • loN: an internal logical loopback IP-interface. N: in the range of <0–9>
    • swN: an IP interface number in the range of <0–9999>
no interface {eth0 | loN | swN}
    Removes the created IP interface:
    • eth0: an Ethernet network interface
    • loN: an internal logical loopback IP-interface. N: in the range of <0–9>
    • swN: an IP interface number in the range of <0–9999>
Command Description
no description
    Removes the IP interface description
address A.B.C.D/M
    Defines the IP address for the IP interface:
    • A.B.C.D/M: the IP address of the IP interface and subnet mask (M) in the range of <1–30>
no address
    Removes the IP address of the IP interface:
    • A.B.C.D/M: the IP address of the IP interface and subnet mask (M) in the range of <1–32>
shutdown
    Disables the interface
no shutdown
    Enables the interface
Table 3-3: Commands Used to Display and Clear Port Settings and Statistics
Command Description
show port [UU/SS/PP] [statistics | detailed]
    Displays the status and configuration of all ports or a specific port:
    • UU/SS/PP: (optional) 1/1/1-1/1/24, 1/2/1-1/2/4
    • statistics: (optional) displays port statistics and packet counters
    • detailed: (optional) displays detailed configuration information for the port
show interface name {eth0 | loN | swN}
    Displays the status and configuration of the selected interface:
    • eth0: an Ethernet network interface
    • loN: an internal logical loopback IP-interface. N: in the range of <0–9>
    • swN: an IP interface number in the range of <0–9999>
show interface statistics
    Displays interface statistics and packet counters
clear port UU/SS/PP statistic
    Clears all current statistics from the selected port:
    • UU/SS/PP: 1/1/1-1/1/24, 1/2/1-1/2/4
===================================================================
VLANs Information
===================================================================
Name | L3 Interface |VTag| Created By | Owned By |
-------------------+--------------+----+-------------+------------+
default | sw0 |1 | User | User |
-------------------------------------------------------------------
Tagged Ports:
-------------------------------------------------------------------
Untagged Ports: 1/1/1 1/1/10 1/1/11 1/1/12 1/1/13 1/1/14 1/1/15
1/1/16 1/1/17 1/1/18 1/1/19 1/1/2 1/1/20 1/1/21 1/1/22
1/1/23 1/1/24 1/1/3 1/1/4 1/1/5 1/1/6 1/1/7 1/1/8
1/1/9 1/2/1 1/2/2 1/2/3 1/2/4
-------------------------------------------------------------------
===================================================================
Name | L3 Interface |VTag| Created By | Owned By |
-------------------+--------------+----+-------------+------------+
vlan10 | sw10 |10 | User | User |
-------------------------------------------------------------------
Tagged Ports:
-------------------------------------------------------------------
Untagged Ports: 1/1/1
-------------------------------------------------------------------
LAG Configuration
You can configure both static and dynamic LAGs simultaneously, subject to
the following restrictions:
• Both static and dynamic LAGs receive unique identifiers from the same
LAG ID pool. Each LAG, whether static or dynamic, must have its own
LAG ID number.
• Each port can belong to only a single LAG, but that LAG can be either
static or dynamic.
LACP Modes
LACP has two operational modes:
• Active: When active, the port can start LACP negotiation and as a result
form a link with another device. The other device can be either active or
passive.
• Passive: The port does not start LACP negotiation.
LACP Parameters
The following factors define the ability of a port to aggregate with other ports:
• Physical characteristics such as data transfer rate, duplex capability, and
medium type
• User-defined configuration constraints
To use LACP, define the following parameters:
1. Enter the System ID. The System ID identifies the LACP system
negotiating with other LACP systems. The System ID is always the MAC
address for the device.
2. Define System Priority. System priority, along with port priority, provides
the means for connected LACP ports to determine dynamically an
exchange policy.
3. Enter the Administrative key to define the ability of the port to aggregate
with other ports.
4. Define port priority. Port and system priority work together so that
connected LACP ports can dynamically determine an exchange policy.
5. Enable the LACP.
LAG Commands
This section defines the command hierarchy used by LAGs and presents a list
of usable commands and configuration examples.
Command Hierarchy
+ root
+ config terminal
+ ethernet
+ [no] lag
- [no] distribution-type {L2 | L3 | L4}
+ [no] lag-id agN
- [no] description DESCRIPTION
- [no] lacp enable
- lacp mode {active | passive}
- [no] lacp administrative-key <number>
- [no] lacp id <number>
- [no] lacp marker {disable | enable}
- [no] lacp priority <number>
+ [no] port UU/SS/PP
- [no] priority <number>
- show ethernet lag
- show ethernet lag lag-id agN [details | statistics]
- clear lag [lag-id agN] statistics
Command Descriptions
In this section, configuration commands are described in the following tables:
Table 3-4: LAGs Configuration Commands
Table 3-5: Commands Used to Display and Clear LAG Settings and
Statistics
Command Description
config terminal Enters Configuration mode
ethernet Enters Ethernet Configuration mode
lag Enters LAG Configuration mode
no lag Removes LAG configurations
distribution-type {L2 | L3 | L4} Defines the LAG packet-distribution
between the ports:
• L2: distributes packets
based on the source and
destination MAC addresses
of the packets
• L3: distributes packets
based on the source and
destination IP addresses
of the packets
• L4: distributes packets
based on the TCP/UDP ports
as well as the source and
destination IP addresses
for the TCP and UDP
packets
• L2
no distribution-type Restores to default
lag-id agN
lacp enable Enables Link Aggregation Control
Protocol (LACP)
• Disabled
no lacp enable Restores to default
lacp administrative-key <number> Defines the LACP administrative key,
determining the ability of the port to
aggregate with other ports:
• number: in the range of
<1-65535>
• 1
no administrative-key Restores to default
lacp id xx:xx:xx:xx:xx:xx Assigns a user-defined system ID to a
specific dynamic LAG:
• xx:xx:xx:xx:xx:xx: user-
defined system ID, in a
MAC address format
• the MAC address of the device
no lacp id Restores to default
lacp marker {disable | enable} Enables the device to respond to LACP
marker requests
• Disabled
no lacp marker Restores to default
lacp mode {active | passive} Defines LACP negotiating mode:
• active: places a port into
an active negotiating
state. The port initiates
negotiations by sending
LACP packets to other
ports
• passive: places a port
into a passive negotiating
state. The port responds
to received LACP packets
but does not initiate
negotiation
• Active
no lacp mode [active | passive] Restores to default or to specific
negotiating mode
lacp priority <number> Defines LACP system priority. LACP
uses system priority, together with the
device MAC address, to form the system
ID. System Priority is also used during
negotiation with other systems:
• number: in the range of
<1-65535> (higher numbers
have lower priority)
• 32768
no lacp priority Restores to default
port UU/SS/PP
Table 3-5: Commands Used to Display and Clear LAG Settings and Statistics
Command Description
show ethernet lag Displays the status and configuration of
all LAGs
show ethernet lag lag-id agN [details | statistics] Displays the status and configuration of
the selected LAG:
• agN: LAG ID, where N is
in the range of <1-14>
• details: LAG detail
information
• statistics: LAG
statistics and packet
counters
clear lag [lag-id agN] statistics Clears all LAG statistics:
• agN: clears statistics
for a specific LAG ID,
where N is in the range
of <1-14>
Configuring Device 1:
In the following example, ports 1/1/1 and 1/1/2 are added to LAG ag1 and
ports 1/1/3 and 1/1/4 to LAG ag2; LACP is enabled on both LAGs.
1. Create static LAGs ag1 and ag2. Add relevant ports to both LAGs:
device-name(config)#ethernet
device-name(config-ethernet)#lag lag-id ag1
device-name(config-lag-id-ag1)#port 1/1/1
device-name(config-port-1/1/1)#port 1/1/2
device-name(config-port-1/1/2)#exit
device-name(config)#ethernet
device-name(config-ethernet)#lag lag-id ag2
device-name(config-lag-id-ag2)#port 1/1/3
device-name(config-port-1/1/3)#port 1/1/4
device-name(config-port-1/1/4)#exit
Configuring Device 2:
In the following example ports 1/1/1 and 1/1/2 are added to LAG ag1 on
which LACP is enabled.
1. Create static LAG ag1. Add relevant ports to the LAG:
device-name(config)#ethernet
device-name(config-ethernet)#lag lag-id ag1
device-name(config-lag-id-ag1)#port 1/1/1
device-name(config-port-1/1/1)#port 1/1/2
device-name(config-port-1/1/2)#exit
Configuring Device 3:
In the following example ports 1/1/3 and 1/1/4 are added to LAG ag2 on
which LACP is enabled.
1. Create static LAG ag2. Add relevant ports to the LAG:
device-name(config)#ethernet
device-name(config-ethernet)#lag lag-id ag2
device-name(config-lag-id-ag2)#port 1/1/3
device-name(config-port-1/1/3)#port 1/1/4
device-name(config-port-1/1/4)#exit
Resilient Links
Resilient links protect critical links and prevent network downtime. A resilient
link consists of a main link and a standby (backup) link that together form a
resilient-link pair. Under normal network conditions, the main link carries
network traffic. In case of signal loss, the device immediately switches to the
standby link. There is no session timeout since switchover to the standby link
occurs in less than one second.
If the main link has a higher bandwidth than its standby or if the main link is
configured as a preferred link, the device switches traffic back to the main link
as soon as the connection recovers. Otherwise, you must manually switch
traffic back to the main link.
Command Hierarchy
+ root
+ config terminal
+ ethernet
+ [no] resilient-link resN
- backup-mode {standby | shutdown}
- backup-port UU/SS/PP
- primary-port UU/SS/PP
- revertive
Command Descriptions
Command Description
config terminal Enters Configuration mode
ethernet Enters Ethernet Configuration mode
resilient-link resN Enables the resilient link feature and
enters Resilient-link Configuration mode:
• N: in the range of <1-32>
no resilient-link Disables the resilient link feature
backup-mode {standby | shutdown} Defines the standby (backup) link
behavior:
• standby: the port is
powered on (the LED for
the port is on)
• shutdown: the port is
powered off (the LED for
the port is off)
• Standby
backup-port UU/SS/PP Defines the standby (backup) port for the
resilient-link pair:
• UU/SS/PP: 1/1/1-1/1/24,
1/2/1-1/2/4
primary-port UU/SS/PP Defines the main port of the resilient-link
pair:
• UU/SS/PP: 1/1/1-1/1/24,
1/2/1-1/2/4
revertive Configures traffic to switch back to the
main link once the link recovers
• Non-revertive mode
Configuration Example
In the following example, ports 1/1/1 and 1/1/2 define a resilient-link pair
res1.
Port Limit: MAC addresses are entered in the MAC Address table with a
dynamic status. Dynamic entries age and will eventually drop out of the
MAC Address table.
On the device, you can define one or more MAC Learning Profiles and add to
each profile either Port Security or Port Limit. Once defined, you can apply
those profiles to the physical port.
To define the maximum number of addresses that can be learned, both Port
Security and Port Limit work in conjunction with the max-mac-count
command. If a limit is not set through this command, the device will continue
to learn until the maximum number of addresses for the device is reached.
Beyond the limit, additional MAC addresses are entered into the MAC Address
table with a filtered status. Exceeding the defined limit for a port is considered
a security violation, and the device can take action: depending on the
configuration, it either shuts down the port or generates an SNMP trap and
log message. Filtered addresses, which are not learned by the device, remain in
the table for later security analysis by the system administrator.
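The learning behaviour described above, modelled as an added Python example
(not code from the manual or the device). Assumptions made here: the watermark
notification fires when the learned count reaches the watermark count,
port-security entries are labelled "secure", and the MAC addresses are
constructed sample values.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class LearningProfile:
    """Mirrors the options under 'mac-learning learning-profile NAME'."""
    policy: str                              # "port-limit" or "port-security"
    max_mac_count: Optional[int] = None      # None: no per-port limit configured
    action: Optional[str] = None             # "operational-shutdown" or "trap"
    watermark_count: Optional[int] = None
    watermark_action: Optional[str] = None   # "log" or "trap"
    ignore_filtered: bool = False            # ignore-filtered-addresses


@dataclass
class Port:
    name: str
    profile: LearningProfile
    table: dict = field(default_factory=dict)    # MAC -> status
    events: list = field(default_factory=list)   # (kind, detail, mac)
    shut_down: bool = False

    def learned(self):
        """MAC addresses that count against max-mac-count."""
        return [m for m, s in self.table.items() if s != "filtered"]

    def filtered(self):
        """Entries kept for later review by the administrator."""
        return sorted(m for m, s in self.table.items() if s == "filtered")

    def see(self, mac):
        """Process a source MAC seen on the port and return its status."""
        mac = mac.lower()
        if self.shut_down:
            return "port-down"
        if mac in self.table:
            return self.table[mac]
        p = self.profile
        if p.max_mac_count is None or len(self.learned()) < p.max_mac_count:
            # Assumption: port-security entries are labelled "secure".
            status = "dynamic" if p.policy == "port-limit" else "secure"
            self.table[mac] = status
            if (p.watermark_count is not None
                    and len(self.learned()) == p.watermark_count):
                self.events.append(("watermark", p.watermark_action, mac))
            return status
        # Limit exceeded: this is the security violation.
        if not p.ignore_filtered:
            self.table[mac] = "filtered"
        if p.action == "operational-shutdown":
            self.shut_down = True
        if p.action is not None:
            self.events.append(("violation", p.action, mac))
        return "filtered"


# Constructed source MACs (locally administered), in arrival order.
SAMPLE_MACS = ["02:00:00:00:00:01", "02:00:00:00:00:02", "02:00:00:00:00:01",
               "02:00:00:00:00:03", "02:00:00:00:00:04", "02:00:00:00:00:05"]

TRAP_PROFILE = LearningProfile("port-limit", max_mac_count=3, action="trap",
                               watermark_count=2, watermark_action="log")
SHUTDOWN_PROFILE = LearningProfile("port-security", max_mac_count=3,
                                   action="operational-shutdown")


def run(profile):
    """Feed the sample MACs to a fresh port; return the port and statuses."""
    port = Port("1/1/1", profile)
    return port, [port.see(mac) for mac in SAMPLE_MACS]


if __name__ == "__main__":
    for profile in (TRAP_PROFILE, SHUTDOWN_PROFILE):
        port, statuses = run(profile)
        print(profile.policy, statuses, port.events, port.filtered())
```

With the trap action the port keeps running and both excess addresses stay in
the table as filtered; with operational-shutdown the first excess address
takes the port down and later frames are never examined.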
Command Hierarchy
+ root
+ config terminal
+ ethernet
+ [no] mac-learning learning-profile NAME
- [no] action {operational-shutdown | trap}
- ignore-filtered-addresses
- max-mac-count <number-of-addresses>
- policy {port-limit | port-security}
- [no] watermark count <number-of-addresses>
- [no] watermark action {log | trap}
+ [no] port UU/SS/PP
- [no] mac-learning-profile NAME
- [no] tx-forward-unknown
Command Descriptions
Command Description
config terminal Enters Configuration mode
ethernet Enters Ethernet Configuration mode
mac-learning learning-profile NAME Defines a specific MAC-learning profile
and enters the MAC-learning
Configuration mode:
• NAME: profile name
no mac-learning learning-profile [NAME] Removes the defined profile:
• NAME: (optional) profile
name
action {operational-shutdown | trap} Defines the port reaction upon a security
violation:
• operational-shutdown: the
port shuts down
• trap: an SNMP trap and log
message are generated
no action Removes the configured violation
ignore-filtered-addresses Disables configuring/learning of filtered
MAC addresses in the MAC address table
max-mac-count <number-of-addresses> Defines the maximum number of secure
MAC addresses the port can learn:
• number-of-addresses: in
the range of <1-4096>
• All MAC addresses are learned as
secured
policy {port-limit | port-security} Defines the Layer-2 security technique:
• port-limit
• port-security
watermark count <number-of-addresses> Defines the maximum number of secure
MAC addresses the port can learn before
sending a notification:
• number-of-addresses: in
the range of <1-4096>
• All MAC addresses are learned as
secured
no watermark count Restores to default
watermark action {log | trap} Defines the notification type sent by the
port before a security violation occurs:
• log: log message is
generated
• trap: trap is sent
no watermark action Removes the configured notification type
port Enters the Configuration Mode for the
port
no port [UU/SS/PP] Removes port configurations
mac-learning-profile NAME Assigns a MAC-learning profile to a port:
• NAME: profile name
no mac-learning-profile [NAME] Removes the assigned MAC-learning
profile:
• NAME: (optional) profile
name
tx-forward-unknown Forwards unknown egress traffic that was
sent to a secured/limited port
no tx-forward-unknown Drops unknown egress traffic sent to a
secured/limited port
Super VLANs
The Super VLAN is a mechanism for aggregating VLANs that share the
same default router address and subnet mask, but remain isolated from one
another's network traffic.
A port can be a member of one or more VLANs. However, only one of these
VLANs can be the port’s default VLAN. Initially all the device ports are
members of a VLAN named Default (VLAN ID 1).
Ports assigned to different VLANs can communicate only through routing (and
not on Layer 2).
Management VLAN
Management VLAN is a VLAN on which management access to the device is
enabled. With management access, you can manage the device from a PC,
which is connected to a port assigned to a management VLAN. Management
access includes:
• Telnet to the device
• SSH to the device
• SNMP management
• Pinging the device
• TFTP download or upload
• Receiving outgoing Syslog messages
VLAN Commands
Command Description
config terminal Enters the Configuration mode
vlan VLAN-NAME <vlan-id>
Command Description
no untagged [UU/SS/PP] Removes untagged port(s) from the
specified VLAN:
• UU/SS/PP: (optional)
1/1/1-1/1/24, 1/2/1-1/2/4
management Enables management access to the device
from the current VLAN
• Disabled
no management Disables management access to the device
from the current VLAN
routing-interface swN Attaches an IP interface to the specified
VLAN.
The sw0 IP interface is attached only to
the default VLAN (VLAN ID 1).
• swN: an IP interface
number; the valid range is
<1–9999>
no routing-interface Detaches the IP interface from the
specified VLAN
show vlan Displays VLAN configuration information
Command Description
config terminal Enters the Configuration mode
service Enters the Service Configuration mode
dot1q <service-id> Enters the Service Configuration mode for
the specified 802.1Q service:
• service-id: ID of the
service to configure; the
valid range is <1-
4294967294>
no dot1q [<service-id>] Removes the specified 802.1Q service or,
when used without a parameter, removes
all configured 802.1Q services:
• service-id: (optional) ID
of the service to remove
sdp vlan <vlan-id> Configures the Service Distribution Path
(SDP) to the specified VLAN and enters the
VLAN Configuration mode for that
VLAN:
• vlan-id: ID of the VLAN to
configure; the valid range
is <1-4092>
no sdp vlan [<vlan-id>] Removes the previously configured SDP
to the specified VLAN from the 802.1Q
service or, when used without a
parameter, removes the SDPs to all
configured VLANs for that service:
• vlan-id: (optional) ID of
the VLAN to remove
management Enables management access to the device
from the current VLAN
• Disabled
no management Disables management access to the device
from the current VLAN
routing-interface swN Attaches an IP interface to the specified
VLAN.
The sw0 IP interface is attached only to
the default VLAN (VLAN ID 1).
• swN: an IP interface
number; the valid range is
<1–9999>
no routing-interface Detaches the IP interface from the
specified VLAN
port UU/SS/PP [untagged] Adds a port as tagged/(optional) untagged
to the specified VLAN:
• UU/SS/PP: 1/1/1-1/1/24,
1/2/1-1/2/4
• The port is tagged
no port UU/SS/PP [untagged] Removes the tagged/(optional) untagged
port from the specified VLAN:
• UU/SS/PP: 1/1/1-1/1/24,
1/2/1-1/2/4
show service dot1q Displays the currently configured 802.1Q
services
Super VLANs
Super VLAN is a mechanism used to separate users that reside in the same
VLAN into multiple virtual broadcast domains.
With Super VLAN, systems administrators can use the same IPv4 subnet and
default gateway IP address for users residing in the same switched
infrastructure. This helps in decreasing IPv4 address consumption and the need
for dedicated IP subnet for each VLAN.
VLANs that are members of a Super VLAN are called sub-VLANs. Each sub-
VLAN is a broadcast domain isolated at Layer 2. When users in different sub-
VLANs need to communicate with each other, they use the IP address of the
virtual interface of the Super VLAN as the IP address of the gateway. The
virtual interface IP address is shared by multiple VLANs. This minimizes the
number of required IP addresses.
The example below illustrates the traffic flow when Super VLAN is not
configured: traffic entering the user device port is not restricted to the uplink
port; therefore, all the broadcast, unknown, and multicast packets are spread
over all the device VLANs.
As opposed to the above, the example below illustrates the traffic flow when
Super VLAN is configured: once switching decisions are made, the Super
VLAN agent overrules these decisions and directs the traffic to the Super
VLAN uplink port.
Super-VLAN Commands
Command Description
config terminal Enters the Configuration mode
super-vlan UU/SS/PP
Command Description
c-vlan <vlan-id> vlan-mask <vlan-mask> Enables the Super-VLAN mechanism on a
specific user-port that is a member of more
than one VLAN:
• vlan-id: the valid range
is <1-4092>
• vlan-mask: in hexadecimal
format FF:FF:FF:FF. The
last 4 bits are
meaningful.
• Disabled
no c-vlan <vlan-id> vlan-mask Restores to default
show super-vlan ring-ports [UU1/SS1/PP1 UU2/SS2/PP2 active-interface] Displays the Super-VLAN ring-topology
configuration:
• UU1/SS1/PP1: first uplink
ring port
• UU2/SS2/PP2: second uplink
ring port
The correct range is:
• UU/SS/PP: 1/1/1-1/1/24,
1/2/1-1/2/4
show super-vlan Displays the Super-VLAN configuration
Example
802.1Q Tunneling
802.1Q tunneling allows the deployment of secure TLS, using IEEE 802.1Q
standard tags. The main advantage of 802.1Q tunneling is that it enables
service providers to use a separate service VLAN (S-VLAN) to support the
customers who have multiple VLANs, while preserving the customer VLAN
IDs and keeping traffic in the different customer’s VLANs (C-VLANs)
segregated.
802.1Q tunneling expands the VLAN space by adding an additional 802.1Q tag
(the tunnel ID) to all previously-tagged packets when they enter the service
provider infrastructure, as illustrated in the below figure.
The new frame contains the original C-VLAN tag and the new S-VLAN tag.
A port that is configured to support 802.1Q tunneling is called a tunnel port.
When you configure tunneling, you assign a tunnel port to a VLAN that you
dedicate to tunneling.
Three types of ports are defined on the network devices that are deployed by
the service provider:
• Residential port: a port that is connected to a user and does not participate
in the TLS. Packets that are transmitted through this port have no added
tag.
• Access (SAP) port: a port that is connected to a user and participates in
the TLS. Packets that are transmitted through this port have no added tag.
• Core (SDP) port: a port that is connected to the service provider’s
network. All packets that are transmitted through this port are either control
packets or packets with an additional tag. If the packets arrive from an
access (user) port, the additional tag header is added. If the packets
arrive from a residential port, the additional tag header is not added.
When an access port (SAP) receives tagged customer traffic from an 802.1Q-
port on the customer device, it does not strip the received 802.1Q tag from the
frame header. Instead, the access port (SAP) leaves the 802.1Q tag intact, adds
a 2-byte EtherType field (0x8100) followed by a 2-byte field containing the
priority (CoS) and the VLAN.
An egress core port (SDP) strips the 2-byte EtherType field (0x8100) and the
2-byte length field and transmits the traffic with the 802.1Q tag still intact to
the customer device. The 802.1Q-port on the customer device strips the 802.1Q
tag and puts the traffic into the appropriate customer VLAN.
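The tag handling described above, as an added Python example that is not from
the manual or the device firmware: it pushes an outer S-VLAN tag onto a
C-tagged frame, reads the tag stack, and pops the outer tag again. The MAC
addresses, VLAN IDs 100, 2000 and 2001, and the payload are constructed
sample values.

```python
import struct

TPID_8021Q = 0x8100   # EtherType of the added tag, as given on this page

# Constructed sample values.
DST_MAC = bytes.fromhex("020000000002")
SRC_MAC = bytes.fromhex("020000000001")
PAYLOAD = b"constructed payload bytes"


def build_tag(vlan_id, priority=0, tpid=TPID_8021Q):
    """Return the 4-byte tag: 2-byte EtherType + 2-byte priority/VLAN field."""
    if not 1 <= vlan_id <= 4092:       # VLAN ID range used in this manual
        raise ValueError("VLAN ID out of range")
    if not 0 <= priority <= 7:
        raise ValueError("priority (CoS) must be 0-7")
    tci = (priority << 13) | vlan_id   # 3 bits CoS, 1 bit left at 0, 12 bits VLAN
    return struct.pack("!HH", tpid, tci)


def push_tag(frame, vlan_id, priority=0, tpid=TPID_8021Q):
    """Insert a tag right after the destination and source MAC (bytes 0-11)."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    return frame[:12] + build_tag(vlan_id, priority, tpid) + frame[12:]


def pop_tag(frame, tpid=TPID_8021Q):
    """Remove the outermost tag; return (frame, vlan_id, priority)."""
    if len(frame) < 18:
        raise ValueError("frame too short to carry a tag")
    etype, tci = struct.unpack("!HH", frame[12:16])
    if etype != tpid:
        raise ValueError("no outer tag with the expected EtherType")
    return frame[:12] + frame[16:], tci & 0x0FFF, tci >> 13


def tag_stack(frame, tpid=TPID_8021Q):
    """Return ([(vlan_id, priority), ...] outermost first, payload EtherType)."""
    tags, offset = [], 12
    while offset + 4 <= len(frame):
        etype, tci = struct.unpack("!HH", frame[offset:offset + 4])
        if etype != tpid:
            break
        tags.append((tci & 0x0FFF, tci >> 13))
        offset += 4
    if offset + 2 > len(frame):
        raise ValueError("truncated frame")
    (payload_type,) = struct.unpack("!H", frame[offset:offset + 2])
    return tags, payload_type


def untagged_frame():
    """An IPv4-typed frame with no VLAN tag (constructed)."""
    return DST_MAC + SRC_MAC + struct.pack("!H", 0x0800) + PAYLOAD


def customer_frame(c_vlan, priority=0):
    """A frame as the customer device sends it: one C-VLAN tag."""
    return push_tag(untagged_frame(), c_vlan, priority)


if __name__ == "__main__":
    cust = customer_frame(100, 3)
    # Two customers may both use C-VLAN 100; the S-VLAN keeps them apart.
    for s_vlan in (2000, 2001):
        tunneled = push_tag(cust, s_vlan, 5)
        print(s_vlan, tag_stack(tunneled), len(tunneled) - len(cust))
    restored, s_vlan, s_prio = pop_tag(push_tag(cust, 2000, 5))
    print("customer frame restored unchanged:", restored == cust)
```

The inner tag bytes are never rewritten, which is why the customer VLAN ID
survives the trip, and each added tag costs 4 bytes of frame size on the
provider links.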
TLS Commands
Command Description
config terminal Enters the Configuration mode
l2-tunneling Enables the Layer 2 protocol tunneling
(L2PT) and enters the L2PT Configuration
mode
• Disabled
profile {PROFILE-NAME | discard-all | tunnel-all | tunnel-bpdu} Configures a specific tunnel profile:
• PROFILE-NAME: a custom
profile name of <1-32>
characters
• discard-all: discards only
Layer 2 protocol PDUs
• tunnel-all: tunnels only
Layer 2 protocol PDUs
• tunnel-bpdu: tunnels only
xSTP packets
no profile [PROFILE-NAME] Removes the defined tunnel profile:
• PROFILE-NAME: (optional) a
custom profile name of <1-
32> characters
protocol PROTOCOL-NAME action {discard | tunnel} Defines the protocol action:
• PROTOCOL-NAME: a string of
<1-32> characters or see
Table 5-2 for predefined
protocols names
• discard: discards PDUs of
the specified protocol
• tunnel: tunnels PDUs of the
specified protocol
no protocol [PROTOCOL-NAME] Removes the defined protocol name:
• PROTOCOL-NAME: a string of
<1-32> characters or see
Table 5-2 for predefined
protocols names
protocol PROTOCOL-NAME Defines the Layer 2 protocol name whose
PDUs are tunneled/discarded and enters the
Layer 2 Protocol Configuration mode:
• PROTOCOL-NAME: a string of
<1-32> characters or see
Table 5-2 for predefined
protocols names
no protocol [PROTOCOL-NAME] Removes the defined protocol name:
• PROTOCOL-NAME: a string of
<1-32> characters or see
Table 5-2 for predefined
protocols names
ethertype <value> Indicates which protocol is encapsulated in
the payload of the Ethernet frame:
• value: in hexadecimal
format (for example 0x9000)
• 0x8100
no ethertype Restores to default
standard-mac HH:HH:HH:HH:HH:HH Defines the original multicast destination
MAC address of the specified protocol:
• HH:HH:HH:HH:HH:HH: in
hexadecimal format (see
Table 5-3)
tunnel-mac HH:HH:HH:HH:HH:HH Defines a multicast tunnel MAC address
that rewrites the original multicast
destination MAC address in the
encapsulated Layer 2 PDUs:
• HH:HH:HH:HH:HH:HH: in
hexadecimal format
shutdown Disables the defined tunnel profile
no shutdown Enables the defined tunnel profile
service Enters the Service mode
tls <service-id>
Command Description
c-vlan {<cvlan-id> | all }
Command Description
tunnel-profile {PROFILE-NAME | discard-all | tunnel-all | tunnel-bpdu} Applies the user-defined or predefined
tunnel profile on a specified SAP:
• PROFILE-NAME: a string of
<1-32> characters
• discard-all: discards only
Layer 2 protocol PDUs
• tunnel-all: tunnels only
Layer 2 protocol PDUs
• tunnel-bpdu: tunnels only
xSTP packets
no tunnel-profile {PROFILE-NAME | discard-all | tunnel-all | tunnel-bpdu} Removes the defined tunnel profile:
• PROFILE-NAME: a string of
<1-32> characters
• discard-all: discards only
Layer 2 protocol PDUs
• tunnel-all: tunnels only
Layer 2 protocol PDUs
• tunnel-bpdu: tunnels only
xSTP packets
show l2-tunneling profiles Displays TLS profile names used to define
the tunneling policy
show l2-tunneling protocols Displays the L2PT encapsulation
information
show l2-tunneling statistics Displays Layer 2 protocol tunneling
statistics
show service tls Displays information about all currently
configured TLS services
Protocol Description
all-brs Specifies that the PDUs intended for the MAC address that is
reserved for the exclusive use by the All Bridges are
tunneled/discarded
other Specifies that the PDUs intended for the MAC addresses from the
bridge block but are not PDUs of any of the specified protocols are
tunneled/discarded
dot1x IEEE 802.1x standard
efm-oam Ethernet in the First Mile-Operations, Administration and
Maintenance standard
e-lmi Enhanced Local Management Interface
garp Generic Attribute Registration Protocol
lacp Link Aggregation Protocol
lldp Link Layer Discovery Protocol
pvst Per-VLAN Spanning Tree (PVST) maintains a spanning tree
instance for each VLAN configured in the network. Since PVST
treats each VLAN as a separate network, it has the ability to load
balance traffic (at Layer 2) by forwarding some VLANs on one link
and other VLANs on another link without causing a spanning tree
loop.
pb-stp Provider Bridge Spanning Tree Protocol
stp Spanning Tree Protocol
When you configure the destination MAC address for encapsulated PDUs, you
must leave the last byte of the MAC address at its default value for the
Bridge block of protocols and the GARP Block of protocols:
00—for Bridge block of protocols
20—for GARP Block of protocols
Overview
Based on RSTP, MSTP allows using multiple spanning tree instances (MSTI)
by mapping groups of VLANs to appropriate MSTP instances. Each MSTI is
an RSTP instance that has its own independent topology and it is applied on a
predefined set of VLANs.
MSTP includes all its spanning tree information in a single BPDU format. This
reduces the number of BPDUs required on a LAN to communicate spanning
tree information for each instance and ensures backward compatibility with
RSTP and STP.
MSTP Regions
An MSTP region is a collection of interconnected bridges that share the same
MSTP configuration.
Devices in the same MST region share the following attributes:
• region name
• the region’s revision number
• the MST instance-to-VLAN assignment map (each VLAN can be mapped
only to one instance)
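A consistency check built on the three region attributes above, as an added
Python example (not code from the manual or the device): it groups bridges
into regions and names the attribute that splits them. The bridge names and
the dictionary layout are constructed for illustration and are not device
output; the ranges and the default revision of 1 are the ones this manual
gives for the MSTP commands.

```python
from collections import defaultdict

MAX_VLAN = 4092            # VLAN ID range in this manual: <1-4092>
INSTANCES = range(1, 16)   # configurable instances: <1-15>; unmapped VLANs are in instance 0
DEFAULT_REVISION = 1       # default region revision in this manual


def vlan_map(cfg):
    """Return {vlan: instance} for the explicitly mapped VLANs of one bridge."""
    mapping = {}
    for instance, vlans in cfg.get("vlan_per_instance", {}).items():
        if instance not in INSTANCES:
            raise ValueError(f"instance {instance} outside 1-15")
        for vlan in vlans:
            if not 1 <= vlan <= MAX_VLAN:
                raise ValueError(f"VLAN {vlan} outside 1-{MAX_VLAN}")
            if mapping.get(vlan, instance) != instance:
                raise ValueError(f"VLAN {vlan} mapped to more than one instance")
            mapping[vlan] = instance
    return mapping


def region_key(cfg):
    """The three attributes that must match for bridges to share a region."""
    name = cfg["region_name"]                  # case-sensitive, 1-31 characters
    if not 1 <= len(name) <= 31:
        raise ValueError("region name must be 1-31 characters")
    revision = cfg.get("region_revision", DEFAULT_REVISION)
    if not 0 <= revision <= 65535:
        raise ValueError("region revision outside 0-65535")
    return name, revision, frozenset(vlan_map(cfg).items())


def group_regions(bridges):
    """Return the bridges grouped by region, as sorted lists of names."""
    regions = defaultdict(list)
    for bridge, cfg in bridges.items():
        regions[region_key(cfg)].append(bridge)
    return sorted(sorted(members) for members in regions.values())


def explain_mismatch(a, b):
    """List the attributes that put two bridges in different regions."""
    reasons = []
    if a["region_name"] != b["region_name"]:
        reasons.append("region-name")
    if a.get("region_revision", DEFAULT_REVISION) != b.get("region_revision", DEFAULT_REVISION):
        reasons.append("region-revision")
    map_a, map_b = vlan_map(a), vlan_map(b)
    for vlan in sorted(set(map_a) | set(map_b)):
        inst_a, inst_b = map_a.get(vlan, 0), map_b.get(vlan, 0)
        if inst_a != inst_b:
            reasons.append(f"vlan {vlan}: instance {inst_a} vs {inst_b}")
    return reasons


# Constructed sample configurations.
BRIDGES = {
    "sw-a": {"region_name": "Metro", "vlan_per_instance": {1: [10, 20], 2: [30]}},
    "sw-b": {"region_name": "Metro", "region_revision": 1,
             "vlan_per_instance": {1: [20, 10], 2: [30]}},
    "sw-c": {"region_name": "metro", "vlan_per_instance": {1: [10, 20], 2: [30]}},
    "sw-d": {"region_name": "Metro", "vlan_per_instance": {1: [10, 20, 30]}},
}

if __name__ == "__main__":
    print(group_regions(BRIDGES))
    for other in ("sw-b", "sw-c", "sw-d"):
        print("sw-a vs", other, explain_mismatch(BRIDGES["sw-a"], BRIDGES[other]))
```

A bridge that ends up alone in its group is the one whose ports toward the
others become boundary ports, so a single mistyped name or VLAN mapping is
worth catching before deployment.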
Parameter Description
Boundary Ports Connect the designated bridge (an SST bridge or a bridge with
a different MST configuration) to a LAN.
A designated port identifies itself as a boundary port (the
boundary flag set) if it detects an STP bridge or receives an
agreement message from an RST or MST bridge with a
different configuration.
The role of the MST ports at the boundary is not important, since
they are forced into the same state as the IST port. The IST
port at the boundary can take any port role except a backup port
role.
IST Master The IST master of an MST region is the bridge with the lowest
bridge identifier and the lowest path cost to the CST root.
If an MST bridge is the root bridge of the CIST in a region,
then it is the IST master of that MST region.
If the CST root is outside the MST region, then one of the
MST bridges at the boundary is selected as the IST master.
Other bridges on the boundary that belong to the same
region eventually block the boundary ports that lead to the
root.
If two or more bridges have an identical path to the root,
you can set a lower bridge priority value to make a specific
bridge the IST master.
The root path-cost and message age inside a region stay
constant. However the IST path cost is incremented and the IST
remaining hops are decremented at each hop.
Regional Root The MSTI Regional root is the root bridge of each MSTI within
a region.
In case of IST, it is the CIST Regional root. Therefore, the
terms “IST Master” and “CIST Regional root” are
interchangeable.
Edge Ports A port connected to a non-bridging device (for example, a host
or a device). A port that connects to a hub is also an edge port if
the hub or any LAN that is connected to it does not have a
bridge.
An edge port can start forwarding as soon as its link is up.
Link-Type Rapid connectivity is established only on point-to-point links.
When connecting a port to another port through a point-to-point
link and the local port becomes a designated port, RSTP
negotiates a rapid transition with the other port, using the
proposal-agreement handshake to ensure a loop-free topology.
By default, the link-type is automatically determined by the
port’s duplex state. However in case of a half-duplex link
physically connected point-to-point to a single port on a remote
device running RSTP, you can override the link-type default
setting and enable rapid transitions to Forwarding state.
Message Age and Hop Count IST and MSTIs use a hop count mechanism similar to the IP
time-to-live (TTL) mechanism. Users can configure the
maximum MST bridge hop count.
The MSTI root bridge sends a BPDU (or M-record) with the
remaining hop count. The bridge receiving the BPDU (or M-
record) decrements the remaining hop count by one.
If after decrementing, the hop count reaches zero, the bridge
discards the BPDU and ages out the port information. Non-root
bridges propagate the decremented count as the remaining hop
count in the BPDUs they generate.
Port Priority The port priority determines the port’s Forwarding state in case
of a loop.
MSTP selects the port with the highest priority (lower priority
value) first. In case all ports have the same priority, MSTP
selects the port with the lowest number and blocks all other
ports.
Path Cost MSTP uses the path cost when selecting the forwarding port in
case of a loop.
The port’s default path-cost derives from its link speed.
However, you can define lower cost values to ports you want
selected first and higher cost values to ports you want selected
last.
In case all ports have the same path cost value, MSTP selects
the port with the lowest number and blocks all other ports.
Fast Ring
Use this solution when all the devices in the ring are ECI Telecom devices.
1. Select one bridge to be the root bridge: set this bridge’s priority to the
lowest value (0) and do not enable the Fast Ring feature on this bridge (to
avoid instability).
2. Configure all the user ports as MSTP edge ports.
3. To optimize network performance, increment each bridge's priority value as
you move away from the root bridge.
The figure below shows a ring topology using MSTP:
• Device 1 is the MST root bridge.
• All the ports have equal priority; thus one of Device 8's uplink ports is in
Alternate state.
In case of a link failure between Device 14 and Device 1:
1. Device 14 detects the link failure on its root port.
2. The ring solution immediately changes the traffic flow to a new direction.
MSTP Commands
Command Description
config terminal Enters the Configuration mode
ethernet Enters the Ethernet Configuration mode
spanning-tree Enters the Spanning Tree Configuration
mode
no spanning-tree Removes STP configurations
forward-delay <interval> Defines the time a port waits in
Learning and Listening states before
moving to Forwarding state:
• interval: in the range of
<4-30> seconds
• 15 seconds
no forward-delay Restores to default
hello-time <interval> Defines the interval between
consecutive configuration messages
generated by the root device, indicating
that the device is alive:
• interval: in the range of
<1-40> seconds
• 2 seconds
no hello-time Restores to default
max-age <interval> Defines the time a device waits without
receiving configuration messages before
attempting a reconfiguration:
• interval: in the range of
<6-40> seconds
• 20 seconds
no max-age Restores to default
port UU/SS/PP Enters the Specific Port’s Configuration
mode
edge-port Changes the port’s administrative status,
setting it as an Edge Port
• The port is not an edge port.
no edge-port Restores to default
mstp instance-id <value> Enters the MSTP Instance Configuration
mode for the specified port. Parameters
for instance 0 are defined in the STP
Port mode:
• value: in the range of
<1–15>
no mstp instance-id Removes the defined MSTP instance
path-cost <cost> Defines the path cost of an MSTP
instance. A lower path cost represents a
higher-speed transmission:
• cost: in the range of <1-
200000000>
• Table 6-3 displays the default value
calculated by the port’s media
speed.
no path-cost Restores to default
priority <priority> Defines the port priority:
• priority: valid values
are: 0, 16, 32, 48, 64,
80, 96, 112, 128, 144,
160, 176, 192, 208, 224,
and 240
• 128
no priority Restores to default
priority <priority> Defines the STP bridge priority. When
MSTP is enabled, the priority value
defines the bridge priority for instance
0:
• priority: the valid
values are: 0, 4096,
8192, 12288, 16384,
20480, 24576, 28672,
32768, 36864, 40960,
45056, 49152, 53248,
57344, and 61440. The
bridge with the highest
bridge priority (the
lowest numerical priority
value) is selected for a
Root device
• 32768
no priority Restores to default
protocol-fast-ring Enables the MSTP Fast Ring mode and
enters the MSTP Fast Ring
Configuration mode:
• Disabled
no protocol-fast-ring Removes MSTP Fast Ring settings
border-bridge preferred-link {UU/SS/PP | agN} Configures the device as a border bridge
and selects a preferred MSTP Fast Ring
port or a group of ports that connects the
ring topology to the network gateway:
• UU/SS/PP: 1/1/1-1/1/4,
1/2/1-1/2/8
• agN: LAG ID, where N is
in the range of <1-14>
no border-bridge preferred-link [UU/SS/PP | agN] Disables the process of configuring
border bridge:
• UU/SS/PP: (optional)
1/1/1-1/1/4, 1/2/1-1/2/8
• agN: (optional) LAG ID,
where N is in the range
of <1-14>
ring-ports {UU1/SS1/PP1 | Defines two physical ports or two
agN1} {UU2/SS2/PP2 | agN2} groups of ports that provide connectivity
in the ring:
• UU1/SS1/PP1: the first
ring port
• UU2/SS2/PP2: the second
ring port
• agN2: the second ring
LAG, where N2 is in the
range of <1-14>
• agN1: the first ring LAG,
where N1 is in the range
of <1-14>
The port range is:
• UU/SS/PP: 1/1/1-1/1/4,
1/2/1-1/2/8
shutdown Disables the MSTP Fast Ring mode
no shutdown Enables the MSTP Fast Ring mode
protocol-mstp Enters the MSTP Configuration mode
no protocol-mstp Removes MSTP configurations
instance <value> Enters the Specific MSTP Instance
Configuration mode:
• value: in the range of
<1-15>
no instance Removes the defined instance
priority <priority> Defines the MSTP priority for instances
in the range of <1-15>. MSTP priority
for instance 0 is defined in the Global
STP mode:
• priority: 0, 4096, 8192,
12288, 16384, 20480,
24576, 28672, 32768,
36864, 40960, 45056,
49152, 53248, 57344, and
61440
• 32768
no priority Restores to default
max-hops <hops> Defines the maximum number of hops
allowed in a region before discarding a
BPDU:
• hops: in the range of <1-
40>
• 40
no max-hop Restores to default
region-name NAME Defines the MSTP region name:
• NAME: a case-sensitive
string of <1-31>
characters
no region-name Removes the defined name
region-revision <unsignedShort> Defines the region revision-number:
• unsignedShort: in the range of <0–65535>
• 1
no region-revision Restores to default
shutdown Disables MSTP
no shutdown Enables MSTP
vlan-per-instance <vlan-id> Defines a VLAN mapped to an instance:
• vlan-id: in the range of
<1–4092>
• All VLANs are mapped to instance
0
no vlan-per-instance Restores to default
show ethernet mstp [details | configuration] Displays the MSTP port states and roles for each instance:
• details: (optional) displays detailed information about MSTP information vectors
• configuration: (optional) displays the current region’s MSTP configuration
Configuration Examples
Example 1
In the following example, four devices are connected via VLANs V100 and
V200 that are mapped to two MST instances on each device. The example
shows the redundancy achieved with MSTP.
After configuring the network, use the show mstp command on each device to
verify that the MST instances are configured correctly.
Configuring Device 1:
1. Create VLANs V100 and V200 and add the appropriate ports to each
VLAN:
Device1(config)#vlan default 1
Device1(config-vlan-default/1)#no untagged 1/1/1
Device1(config-vlan-default/1)#no untagged 1/1/2
Device1(config-vlan-default/1)#no untagged 1/1/3
Device1(config-vlan-default/1)#no untagged 1/1/4
Device1(config)#vlan v100 100
Device1(config-vlan-v100/100)#tagged 1/1/1
Device1(config-vlan-v100/100)#tagged 1/1/3
Device1(config-vlan-v100/100)#untagged 1/1/4
Device1(config-port-1/1/4)#default-vlan 100
Device1(config)#vlan v200 200
Device1(config-vlan-v200/200)#tagged 1/1/2
Device1(config-vlan-v200/200)#tagged 1/1/3
2. Enable MSTP:
Device1(config-ethernet)#spanning-tree protocol-mstp
Device1(config-protocol-mstp)#no shutdown
Set priority 0 for MSTI 1 to force Device 1 to be the MSTI 1 root:
Device1(config-protocol-mstp)#instance 1 priority 0
Add the VLANs to MSTIs 1 and 2:
Device1(config)#ethernet spanning-tree
Device1(config-spanning-tree)#vlan-per-instance 100 instance-id 1
Device1(config-spanning-tree)#vlan-per-instance 200 instance-id 2
Configuring Device 2:
1. Create VLANs V100 and V200 and add the appropriate ports to each
VLAN:
Device2#configure
Device2(config)#vlan default 1
Device2(config-vlan-default/1)#no untagged 1/1/1
Device2(config-vlan-default/1)#no untagged 1/1/2
Device2(config-vlan-default/1)#no untagged 1/1/3
Device2(config-vlan-default/1)#no untagged 1/1/4
Device2(config)#vlan v100 100
Device2(config-vlan-v100/100)#tagged 1/1/1
Device2(config-vlan-v100/100)#tagged 1/1/3
Device2(config)#vlan v200 200
Device2(config-vlan-v200/200)#tagged 1/1/2
Device2(config-vlan-v200/200)#tagged 1/1/3
Device2(config-vlan-v200/200)#untagged 1/1/4
Device2(config-port-1/1/4)#default-vlan 200
2. Enable MSTP:
Device2(config-ethernet)#spanning-tree protocol-mstp
Device2(config-protocol-mstp)#no shutdown
Configuring Device 3:
1. Create VLANs V100 and V200 and add the appropriate ports to each
VLAN:
Device3#configure
Device3(config)#vlan default 1
Device3(config-vlan-default/1)#no untagged 1/1/1
Device3(config-vlan-default/1)#no untagged 1/1/2
Device3(config-vlan-default/1)#no untagged 1/1/4
Device3(config)#vlan v100 100
Device3(config-vlan-v100/100)#tagged 1/1/1
Device3(config-vlan-v100/100)#tagged 1/1/2
Device3(config-vlan-v100/100)#untagged 1/1/4
Device3(config-port-1/1/4)#default-vlan 100
2. Enable MSTP:
Device3(config-ethernet)#spanning-tree protocol-mstp
Device3(config-protocol-mstp)#no shutdown
Configuring Device 4:
1. Create VLAN V200 and add the appropriate ports to the VLAN:
Device4#configure
Device4(config)#vlan default 1
Device4(config-vlan-default/1)#no untagged 1/1/1
Device4(config-vlan-default/1)#no untagged 1/1/2
Device4(config-vlan-default/1)#no untagged 1/1/4
Device4(config)#vlan v200 200
Device4(config-vlan-v200/200)#tagged 1/1/1
Device4(config-vlan-v200/200)#tagged 1/1/2
Device4(config-vlan-v200/200)#untagged 1/1/4
Device4(config-port-1/1/4)#default-vlan 200
2. Enable MSTP:
Device4(config-ethernet)#spanning-tree protocol-mstp
Device4(config-protocol-mstp)#no shutdown
CIST Information
VLANs mapped = 1..99,101..199,201..4094
Priority = 32768
Regional Root = 32768.00:A0:12:27:00:80
RemainingHopCount = 39
TimeSinceTopologyChange = 3039 (Sec)
TopChanges = 6
Border Bridge = Disabled
No active ports are mapped to the MSTI
MST 1
VLANs mapped = 100
Priority = 32768
Regional Root = This bridge is the root
RemainingHopCount = 40
TimeSinceTopologyChange = 3039 (Sec)
TopChanges = 5
Border Bridge = Disabled
=========================================================================
Port |Pri|Prt role|State|PCost |DCost |Designated bridge |DPrt
--------+---+--------+-----+---------+---------+------------------+------
01/01/01 128 Designat frwrd 200000 0 00000.00A0122700C0 128.003
01/01/03 128 Designat frwrd 200000 0 00000.00A0122700C0 128.005
01/01/04 128 Designat frwrd 200000 0 00000.00A0120A0168 128.006
MST 2
VLANs mapped = 200
Priority = 32768
Regional Root = 00002.00:A0:12:27:14:20
RemainingHopCount = 39
TimeSinceTopologyChange = 3039 (Sec)
TopChanges = 7
Border Bridge = Disabled
=========================================================================
Port |Pri|Prt role|State|PCost |DCost |Designated bridge |DPrt
--------+---+--------+-----+---------+---------+------------------+------
01/01/02 128 Designat frwrd 200000 0 32768.00A0122700C0 128.004
01/01/03 128 Root frwrd 200000 0 00000.00A012271420 128.005
CIST Information
VLANs mapped = 1..99,101..199,201..4094
Priority = 32768
Regional Root = 32768.00:A0:12:27:00:C0
RemainingHopCount = 39
TimeSinceTopologyChange = 3039 (Sec)
TopChanges = 4
Border Bridge = Disabled
MST 1
VLANs mapped = 100
Priority = 32768
Regional Root = 00001.00:A0:12:27:00:C0
RemainingHopCount = 39
TimeSinceTopologyChange = 3039 (Sec)
TopChanges = 4
Border Bridge = Disabled
=========================================================================
Port |Pri|Prt role|State|PCost |DCost |Designated bridge |DPrt
--------+---+--------+-----+---------+---------+------------------+------
01/01/01 128 Alternat block 200000 200000 32768.00A0122700C0 128.004
01/01/03 128 Root frwrd 200000 200000 00000.00A0122700C0 128.005
MST 2
VLANs mapped = 200
Priority = 32768
Regional Root = This bridge is the root
RemainingHopCount = 40
TimeSinceTopologyChange = 3039 (Sec)
TopChanges = 4
Border Bridge = Disabled
=========================================================================
Port |Pri|Prt role|State|PCost |DCost |Designated bridge |DPrt
--------+---+--------+-----+---------+--------+------------------+-------
01/01/02 128 Designat frwrd 200000 0 00000.00A012271420 128.002
01/01/03 128 Designat frwrd 200000 0 00000.00A012271420 128.003
01/01/04 128 Designat frwrd 200000 0 00000.00A012271420 128.005
CIST Information
VLAN mapped = 1..99,101..199,201..4094
Priority = 32768
Regional Root = This bridge is the root
RemainingHopCount = 39
TimeSinceTopologyChange = 3039 (Sec)
TopChanges = 3
Border Bridge = Disabled
No active ports are mapped to the MSTI
MST 1
VLANs mapped = 100
Priority = 32768
Regional Root = 0001.00:A0:12:27:00:C0
RemainingHopCount = 39
TimeSinceTopologyChange = 3039 (Sec)
TopChanges = 2
Border Bridge = Disabled
=========================================================================
Port |Pri|Prt role|State|PCost |DCost |Designated bridge |DPrt
--------+---+--------+-----+---------+--------+------------------+-------
01/01/01 128 Root frwrd 200000 0 00000.00A0122700C0 128.003
01/01/02 128 Designat frwrd 200000 0 32768.00A0122700C0 128.004
01/01/04 128 Designat frwrd 200000 0 32768.00A0122700C0 128.006
MST 2
VLANs mapped = 200
Priority = 32768
Regional Root = 00002.00:A0:12:27:14:20
RemainingHopCount = 39
TimeSinceTopologyChange = 3039 (Sec)
TopChanges = 3
Border Bridge = Disabled
No active ports are mapped to the msti
CIST Information
VLAN mapped = 1..99,101..199,201..4094
Priority = 32768
Regional Root = 32768.00:A0:12:27:00:80
RemainingHopCount = 38
TimeSinceTopologyChange = 3039 (Sec)
TopChanges = 2
Border Bridge = disabled
No active ports are mapped to the MSTI
MST 1
Example 2
In the example above, if the direct link between Device 1 and Device 3 fails,
MSTI01 is recalculated, and port 1/1/2 in Device 3 changes its role from
alternate to root.
In this case, the show ethernet mstp detailed command displays the
following:
MaxAge = 20 (Sec)
HelloTime = 2 (Sec)
ForwardDelay = 15 (Sec)
BridgeMaxAge = 20 (Sec)
BridgeHelloTime = 2 (Sec)
BridgeForwardDelay = 15 (Sec)
ProtoMigratioDelay = 3 (Sec)
MaxHopCount = 40
TxHoldCount = 3
FastRing = disabled
LearnMode = Standard
CIST Information
VLANs mapped = 1..99,101..199,201..4094
Priority = 32768
CIST Root = 32768.00:A0:12:27:00:80
RemainingHopCount = 38
TimeSinceTopologyChange = 3039 (Sec)
TopChanges = 6
Border Bridge = disabled
No active ports are mapped to the msti
MST 1
VLAN mapped = 100
Priority = 32768
Regional Root = This bridge is the root
RemainingHopCount = 40
TimeSinceTopologyChange = 3039 (Sec)
TopChanges = 5
Border Bridge = disabled
=========================================================================
Port |Pri|Prt role|State|PCost |DCost |Designated bridge |DPrt
--------+---+--------+-----+---------+---------+-----------------+-------
01/01/03 128 Designat frwrd 200000 0 00000.00A0122700C0 128.005
01/01/04 128 Designat frwrd 200000 0 32768.00A0122700C0 128.006
MST 2
VLAN mapped = 200
Priority = 32768
Regional Root = 00002.00:A0:12:27:14:20
RemainingHopCount = 39
TimeSinceTopologyChange = 3039 (Sec)
TopChanges = 7
Border Bridge = disabled
=========================================================================
Port |Pri|Prt role|State|PCost |DCost |Designated bridge |DPrt
--------+---+--------+-----+---------+--------+------------------+-------
01/01/02 128 Designat frwrd 200000 0 32768.00A0122700C0 128.002
01/01/03 128 Root frwrd 200000 0 00000.00A012271420 128.003
CIST Information
VLAN mapped = 1..99,101..199,201..4094
Priority = 32768
CIST Root = This bridge is the root
RemainingHopCount = 39
TimeSinceTopologyChange = 3039 (Sec)
TopChanges = 3
Border Bridge = disabled
No active ports are mapped to the MSTI
MST 1
VLAN mapped = 100
Priority = 32768
Regional Root = 00001.00:A0:12:0A:01:68
RemainingHopCount = 38
TimeSinceTopologyChange = 3039 (Sec)
TopChanges = 3
Border Bridge = disabled
=========================================================================
Port |Pri|Prt role|State|PCost |DCost |Designated bridge |DPrt
--------+---+--------+-----+---------+--------+------------------+-------
01/01/02 128 Root frwrd 200000 400000 32768.00A00001090B 128.002
01/01/04 128 Designat frwrd 200000 400000 32768.00A012BBBBBB 128.006
MST 2
VLAN mapped = 200
Priority = 32768
Regional Root = 00002.00:A0:12:27:14:20
RemainingHopCount = 39
TimeSinceTopologyChange = 3039 (Sec)
TopChanges = 3
Border Bridge = disabled
No active ports are mapped to the MSTI
This topology change does not affect Device 2 and Device 4 output.
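The role change described in Example 2 can be detected automatically by comparing two captures of the show output. The following is an added example, not part of the manual or the device software: the function names are this example's own, and the two captures are constructed in the layout of the outputs above rather than taken from a device.

```python
import re

HEADER = re.compile(r"^(CIST Information|MST (\d+))$")
FIELD = re.compile(r"^([A-Za-z ]+?)\s*=\s*(.+)$")
PORT = re.compile(
    r"^(\d\d/\d\d/\d\d)\s+\d+\s+(\S+)\s+(\S+)\s+\d+\s+\d+\s+\S+\s+\S+$")

# Constructed captures (not real device output): MST 1 on Device 3 before
# and after the direct link to Device 1 (port 1/1/1) fails.
BEFORE = """\
MST 1
VLANs mapped = 100
Priority = 32768
Regional Root = 00001.00:A0:12:27:00:C0
TopChanges = 2
Port |Pri|Prt role|State|PCost |DCost |Designated bridge |DPrt
--------+---+--------+-----+---------+--------+------------------+-------
01/01/01 128 Root frwrd 200000 0 00000.00A0122700C0 128.003
01/01/02 128 Alternat block 200000 200000 32768.00A012271420 128.004
01/01/04 128 Designat frwrd 200000 200000 32768.00A0120A0168 128.006
"""
AFTER = """\
MST 1
VLANs mapped = 100
Priority = 32768
Regional Root = 00001.00:A0:12:27:00:C0
TopChanges = 3
Port |Pri|Prt role|State|PCost |DCost |Designated bridge |DPrt
--------+---+--------+-----+---------+--------+------------------+-------
01/01/02 128 Root frwrd 200000 400000 32768.00A012271420 128.004
01/01/04 128 Designat frwrd 200000 400000 32768.00A0120A0168 128.006
"""


def parse_mstp(text):
    """Return {instance: {"fields": {...}, "ports": {port: (role, state)}}}."""
    instances, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := HEADER.match(line):
            name = "CIST" if m.group(2) is None else f"MST {m.group(2)}"
            current = instances.setdefault(name, {"fields": {}, "ports": {}})
        elif current is None:
            continue                      # text before the first instance block
        elif m := PORT.match(line):
            current["ports"][m.group(1)] = (m.group(2), m.group(3))
        elif m := FIELD.match(line):
            current["fields"][m.group(1)] = m.group(2)
    return instances


def role_changes(before, after):
    """List (instance, port, old, new); None marks a port absent from a capture."""
    changes = []
    for inst in sorted(set(before) | set(after)):
        old = before.get(inst, {"ports": {}})["ports"]
        new = after.get(inst, {"ports": {}})["ports"]
        for port in sorted(set(old) | set(new)):
            if old.get(port) != new.get(port):
                changes.append((inst, port, old.get(port), new.get(port)))
    return changes


def root_changes(before, after):
    """Instances whose Regional Root differs between the two captures."""
    out = {}
    for inst in set(before) & set(after):
        old = before[inst]["fields"].get("Regional Root")
        new = after[inst]["fields"].get("Regional Root")
        if old != new:
            out[inst] = (old, new)
    return out


def top_change_delta(before, after, inst):
    """Increase of the TopChanges counter for one instance."""
    return (int(after[inst]["fields"]["TopChanges"])
            - int(before[inst]["fields"]["TopChanges"]))


if __name__ == "__main__":
    b, a = parse_mstp(BEFORE), parse_mstp(AFTER)
    for change in role_changes(b, a):
        print(change)
    print("root changes:", root_changes(b, a))
    print("TopChanges delta:", top_change_delta(b, a, "MST 1"))
```

A changed Regional Root or a TopChanges increase with no planned maintenance is worth investigating, since the bridge with the lowest numerical priority value becomes root.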
Configuring Device 1:
1. Create VLANs V10, V20, and V30. Add the appropriate ports to each VLAN:
Device1(config)#vlan default 1
Device1(config-vlan-default/1)#no untagged 1/2/1
Device1(config-vlan-default/1)#no untagged 1/1/2
Device1(config-vlan-v10/10)#tagged 1/2/1
Device1(config-vlan-v10/10)#tagged 1/1/2
Device1(config-vlan-v20/20)#tagged 1/2/1
Device1(config-vlan-v20/20)#tagged 1/1/2
Device1(config-vlan-v30/30)#tagged 1/2/1
Device1(config-vlan-v30/30)#tagged 1/1/2
Configuring Device 2:
1. Create VLANs V10, V20, and V30. Add the appropriate ports to each VLAN:
Device2(config)#vlan default 1
Device2(config-vlan-default/1)#no untagged 1/1/1
Device2(config-vlan-default/1)#no untagged 1/1/2
Device2(config-vlan-default/1)#no untagged 1/2/1
Device2(config-vlan-default/1)#no untagged 1/1/3
Device2(config-vlan-default/1)#no untagged 1/1/4
Device2(config-vlan-v10/10)#untagged 1/1/1
Device2(config-vlan-v10/10)#tagged 1/2/1
Device2(config-vlan-v10/10)#tagged 1/1/2
Device2(config-vlan-v20/20)#untagged 1/1/3
Device2(config-vlan-v20/20)#tagged 1/2/1
Device2(config-vlan-v20/20)#tagged 1/1/2
Device2(config-vlan-v30/30)#untagged 1/1/4
Device2(config-vlan-v30/30)#tagged 1/2/1
Device2(config-vlan-v30/30)#tagged 1/1/2
Device2(config-port-1/1/1)#default-vlan 10
Device2(config-port-1/1/3)#default-vlan 20
Device2(config-port-1/1/4)#default-vlan 30
Configuring Device 3:
1. Create VLANs V10, V20, and V30. Add the appropriate ports to each
VLAN:
Device3(config)#vlan default 1
Device3(config-vlan-default/1)#no untagged 1/2/1
Device3(config-vlan-default/1)#no untagged 1/1/2
Device3(config-vlan-v10/10)#tagged 1/2/1
Device3(config-vlan-v10/10)#tagged 1/1/2
Device3(config-vlan-v20/20)#tagged 1/2/1
Device3(config-vlan-v20/20)#tagged 1/1/2
Device3(config-vlan-v30/30)#tagged 1/2/1
Device3(config-vlan-v30/30)#tagged 1/1/2
Configuring Device 4:
1. Create VLANs V10, V20, and V30. Add the appropriate ports to each VLAN:
Device4(config)#vlan default 1
Device4(config-vlan-default/1)#no untagged 1/1/1
Device4(config-vlan-default/1)#no untagged 1/1/2
Device4(config-vlan-default/1)#no untagged 1/2/1
Device4(config-vlan-default/1)#no untagged 1/1/3
Device4(config-vlan-default/1)#no untagged 1/1/4
Device4(config-vlan-v10/10)#untagged 1/1/1
Device4(config-vlan-v10/10)#tagged 1/2/1
Device4(config-vlan-v10/10)#tagged 1/1/2
Device4(config-vlan-v20/20)#untagged 1/1/3
Device4(config-vlan-v20/20)#tagged 1/2/1
Device4(config-vlan-v20/20)#tagged 1/1/2
Device4(config-vlan-v30/30)#untagged 1/1/4
Device4(config-vlan-v30/30)#tagged 1/2/1
Device4(config-vlan-v30/30)#tagged 1/1/2
Device4(config-port-1/1/1)#default-vlan 10
Device4(config-port-1/1/3)#default-vlan 20
Device4(config-port-1/1/4)#default-vlan 30
Configuring Device 5:
1. Create VLANs V10, V20, and V30. Add the appropriate ports to each VLAN:
Device5(config)#vlan default 1
Device5(config-vlan-default/1)#no untagged 1/2/1
Device5(config-vlan-default/1)#no untagged 1/1/2
Device5(config-vlan-v10/10)#tagged 1/2/1
Device5(config-vlan-v10/10)#tagged 1/1/2
Device5(config-vlan-v20/20)#tagged 1/2/1
Device5(config-vlan-v20/20)#tagged 1/1/2
Device5(config-vlan-v30/30)#tagged 1/2/1
Device5(config-vlan-v30/30)#tagged 1/1/2
Overview
IGMP snooping constrains the flooding of multicast traffic by dynamically
configuring ports so that multicast traffic is forwarded to only those ports
where the attached hosts have explicitly reported their interest to receive the
multicast traffic by sending an IGMP report. When the IGMP-snooping-
enabled device receives an IGMP report, it adds the host’s port number to the
Multicast Forwarding table. The host’s port number is deleted when an IGMP
Leave Group message is received.
The Multicast Forwarding table is used to control the forwarding of multicast
packets.
IGMP Versions
The device supports IGMP version 1, IGMP version 2, and IGMP version 3
(control plane capability). These versions are interoperable.
IGMP snooping supports IGMPv3 control plane traffic—IGMPv3 queries and
reports cause appropriate updates of the internal database.
The data plane traffic is forwarded according to the destination multicast MAC
address only.
Fast-Leave Processing
The IGMP Snooping Fast-Leave processing immediately removes from the
Multicast Forwarding table a port that receives a Leave Group message.
Fast-Leave processing ensures optimal bandwidth management for all hosts on
a switched network, even when multiple multicast groups are simultaneously in
use.
Multicast Addresses
The multicast IP address range from 224.0.0.1 to 224.0.0.255 is reserved for
the use of routing protocols and other low-level topology discovery. These
addresses are also called Group Destination Addresses (GDA). The GDA MAC
address has the form 01:00:5E:XX:XX:XX: the fixed prefix 01:00:5E followed by
the last 23 bits of the multicast GDA IP address. Currently, the multicast
traffic addressed to this group of IP addresses is dropped.
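Because the data plane forwards on the destination multicast MAC address only, and the MAC keeps just the last 23 bits of the group IP, different group addresses can be indistinguishable to the switch. The following added example (not from the manual; the function names and the sample group list are this example's own) computes the GDA MAC, lists the group IPs that share it, and flags groups whose MAC coincides with that of a reserved 224.0.0.x address.

```python
import ipaddress

MAC_PREFIX = 0x01005E000000      # fixed 01:00:5E prefix; the next bit is 0
LOW23_MASK = 0x7FFFFF            # the 23 bits of the IP copied into the MAC


def gda_mac(group_ip):
    """Map an IPv4 multicast group address to its Ethernet GDA MAC."""
    addr = ipaddress.IPv4Address(group_ip)
    if not addr.is_multicast:
        raise ValueError(f"{group_ip} is not in 224.0.0.0-239.255.255.255")
    mac = MAC_PREFIX | (int(addr) & LOW23_MASK)
    return ":".join(f"{(mac >> shift) & 0xFF:02X}" for shift in range(40, -8, -8))


def aliases(group_ip):
    """All 32 group IPs that map to the same GDA MAC as group_ip.

    The top 4 bits of a multicast IP are fixed (1110) and the last 23 bits
    are copied to the MAC, so the 5 bits in between are lost: 2**5 = 32.
    """
    low23 = int(ipaddress.IPv4Address(group_ip)) & LOW23_MASK
    return [str(ipaddress.IPv4Address((0xE0 << 24) | (hi << 23) | low23))
            for hi in range(32)]


def colliding_groups(groups):
    """Return {mac: [group, ...]} for MACs used by more than one group."""
    by_mac = {}
    for group in groups:
        by_mac.setdefault(gda_mac(group), []).append(group)
    return {mac: ips for mac, ips in by_mac.items() if len(ips) > 1}


def shares_reserved_mac(group_ip):
    """True if the group's MAC equals that of an address in 224.0.0.1-224.0.0.255."""
    low23 = int(ipaddress.IPv4Address(group_ip)) & LOW23_MASK
    return 1 <= low23 <= 255


if __name__ == "__main__":
    # Constructed list of groups an operator plans to use.
    planned = ["224.2.2.2", "225.2.2.2", "239.1.1.1", "225.0.0.5"]
    for g in planned:
        print(g, gda_mac(g), "reserved-MAC" if shares_reserved_mac(g) else "")
    print(colliding_groups(planned))
```

Running such a check over a planned group list before defining static groups or max-groups limits shows which groups cannot be separated by a MAC-based forwarding table.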
Command Description
config terminal Enters the Configuration mode
vlan VLAN-NAME <vlan-id>
ip-igmp-snooping router-timers robustness <value> Defines the number of times that the multicast router sends IGMP Group-Specific queries before declaring that the multicast group no longer has any members on a port:
• value: in the range of <1-10>
• 2
no ip-igmp-snooping router-timers robustness Restores to default
ip-igmp-snooping router-timers router-query-interval <interval> Defines the time that the multicast router waits to receive a response to an IGMP General query:
• interval: in the range of <1-1024> seconds
• 10 seconds
no ip-igmp-snooping router-timers router-query-interval Restores to default
untagged UU/SS/PP igmp-snooping Enables IGMP snooping on a specified port:
• UU/SS/PP: 1/1/1-1/1/24, 1/2/1-1/2/4
• Disabled
no untagged UU/SS/PP igmp-snooping Restores to default:
• UU/SS/PP: 1/1/1-1/1/24, 1/2/1-1/2/4
untagged UU/SS/PP igmp-snooping explicit-tracking Enables the router to explicitly track each individual host that is joined to a group:
• UU/SS/PP: 1/1/1-1/1/24, 1/2/1-1/2/4
• Enabled
no untagged UU/SS/PP igmp-snooping explicit-tracking Restores to default
untagged UU/SS/PP igmp-snooping fast-leave Enables the IGMP fast-leave processing:
• UU/SS/PP: 1/1/1-1/1/24, 1/2/1-1/2/4
• Enabled
no untagged UU/SS/PP igmp-snooping fast-leave Restores to default
untagged UU/SS/PP igmp-snooping max-groups <unsignedInt> Defines the number of multicast groups which can be registered:
• UU/SS/PP: 1/1/1-1/1/24, 1/2/1-1/2/4
• unsignedInt: in the range of <0-4294967295>
• 1024K
no untagged UU/SS/PP igmp-snooping max-groups Restores to default
untagged UU/SS/PP igmp-snooping mrouter Configures a port as a multicast router port:
• UU/SS/PP: 1/1/1-1/1/24, 1/2/1-1/2/4
• Disabled
no untagged UU/SS/PP igmp-snooping mrouter Restores to default
untagged UU/SS/PP igmp-snooping mrouter-block IGMP queries received on the selected port are neither processed nor entered in the local IGMP database:
• UU/SS/PP: 1/1/1-1/1/24, 1/2/1-1/2/4
• Disabled
no untagged UU/SS/PP igmp-snooping mrouter-block Restores to default
tagged UU/SS/PP igmp-snooping Enables IGMP snooping on a specified port:
• UU/SS/PP: 1/1/1-1/1/24, 1/2/1-1/2/4
• Disabled
no tagged UU/SS/PP igmp-snooping Restores to default
tagged UU/SS/PP igmp-snooping explicit-tracking Enables the router to explicitly track each individual host that is joined to a group:
• UU/SS/PP: 1/1/1-1/1/24, 1/2/1-1/2/4
• Disabled
no tagged UU/SS/PP igmp-snooping explicit-tracking Restores to default
tagged UU/SS/PP igmp-snooping fast-leave Enables the IGMP fast-leave processing:
• UU/SS/PP: 1/1/1-1/1/24, 1/2/1-1/2/4
• Disabled
no tagged UU/SS/PP igmp-snooping fast-leave Restores to default
tagged UU/SS/PP igmp-snooping max-groups <unsignedInt> Defines the number of multicast groups which can be registered:
• UU/SS/PP: 1/1/1-1/1/24, 1/2/1-1/2/4
• unsignedInt: in the range of <0-4294967295>
• 1024K
no tagged UU/SS/PP igmp-snooping max-groups Restores to default
tagged UU/SS/PP igmp-snooping mrouter Configures a static connection to a multicast router:
• UU/SS/PP: 1/1/1-1/1/24, 1/2/1-1/2/4
• Disabled
no tagged UU/SS/PP igmp-snooping mrouter Restores to default
tagged UU/SS/PP igmp-snooping mrouter-block IGMP queries received on the selected port are neither processed nor entered in the local IGMP database:
• UU/SS/PP: 1/1/1-1/1/24, 1/2/1-1/2/4
• Disabled
no tagged UU/SS/PP igmp-snooping mrouter-block Restores to default
multicast-static-group NAME Defines a multicast group name and enters
the Multicast Static Configuration mode:
• NAME: a string
no multicast-static-group Removes the multicast group
ip A.B.C.D Defines the IP address of the multicast
group:
• A.B.C.D: in the range of
<224.0.0.0-
239.255.255.255>
no ip A.B.C.D Removes the defined multicast IP address:
• A.B.C.D: in the range of
<224.0.0.0-
239.255.255.255>
ip-source A.B.C.D A1.B1.C1.D1 Defines a source-specific multicast entry in the Multicast Forwarding Table for a group:
• A.B.C.D: the IP address of the multicast group
• A1.B1.C1.D1: the source IP address of the multicast traffic
no ip-source A.B.C.D A1.B1.C1.D1 Removes the defined entry:
• A.B.C.D: the IP address of the multicast group
• A1.B1.C1.D1: the source IP address of the multicast traffic
mac <mac:hexList> Defines the Group Destination MAC
address (GDA) of the multicast group:
• mac:hexList: GDA MAC
address, in format
HH:HH:HH:HH:HH:HH
no mac <mac:hexList> Removes the defined Group Destination
MAC (GDA) address:
• mac:hexList: GDA MAC
address, in format
HH:HH:HH:HH:HH:HH
show igmp-snooping Displays information for all aspects of
IGMP snooping
show igmp-snooping vlan [<vlan-id> | detailed | groups | mrouters | statistics] Displays information for all aspects of IGMP snooping on a VLAN, filtered by the below arguments:
• vlan-id: (optional) in the range of <1–4092>
• detailed: (optional) displays detailed information
• groups: (optional) displays information for multicast groups that are joined on the specified VLAN
• mrouters: (optional) displays multicast routers ports related to the specified VLAN
• statistics: (optional) displays IGMP snooping statistics for the specified VLAN and port
Configuration Example
In the following example IGMP snooping is configured on VLAN 100. The
multicast router that sends IGMP queries is connected to port 1/1/9. The
multicast host that sends the IGMP report is connected to port 1/1/7:
===================================================================
Port ID: 1/1/7 Groups: 1
===================================================================
===================================================================
Group IP: 224.2.2.2 Mode: Include
-------------------------------------------------------------------
SrcIp Mode Joined Host ExpTime
-------------------------------------------------------------------
100.1.1.50 Forward 258s
100.1.1.11 258s
Overview
Access Control Lists (ACLs) are sets of numbered rules that process packets
going through the device and provide the ability to control network traffic.
Using ACLs, system administrators can filter packets that pass through a port
by defining different criteria, in order to ensure the network's security, traffic
control, and traffic rate-limitation.
These rules are processed in a sequential order, either permitting or denying the
traffic, based on the specified ACL conditions. The hardware tests the packets’
parameters against the ACLs and acts upon the first condition matched.
The main advantages in using ACLs are:
• Security—by forwarding or dropping ingress traffic, ACLs aid administrators in managing network security policies
• Traffic Control—by enforcing redirection rules, administrators can manipulate network traffic flow, thus reducing bottlenecks and congestion
• Traffic Rate Limitation—using ACLs, administrators can control traffic rate per port, according to user defined criteria
• Quality of Service (QoS)—administrators can assign packet-handling priority to data flow, sorting the flow into eight priority queues, based on the ACL criteria. You can also use ACLs to remark ToS/DSCP values.
ACL Types
An ACL is specified by a name or a number. There are four basic ACL types,
each with a predefined range of numbers. Each type matches specific fields in
the packets:
• Standard IP ACLs (#1–99) match the packets’ source IP address. These ACLs can match VPT and other Layer 2 header fields.
• Extended IP ACLs (#100–199) match both the source and destination IP addresses. These ACLs can also match other parameters such as protocol types and TCP/UDP port numbers. These ACLs can match VPT and other Layer 2 header fields.
• Extended MAC ACLs (#400–499) match both the source and destination MAC addresses. In addition, these ACLs can match VPT and other Layer 2 header fields.
• EtherType ACLs (#500–599) match the packets’ EtherType. These ACLs can match VPT and VLAN options if the specified EtherType is IP.
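Since the hardware acts on the first condition matched, rule order decides the outcome, and a rule placed behind a broader one never takes effect. The following added example (not the device's implementation; the Rule and Packet classes, the addresses and the rule numbers are constructed for illustration) models an extended IP ACL with the established keyword described in this chapter's command tables and reports shadowed rules. It assumes rules are checked in ascending rule number and makes no assumption about what the device does when no rule matches.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

TCP_RST, TCP_ACK = 0x04, 0x10


@dataclass(frozen=True)
class Rule:
    number: int
    action: str                        # "permit" or "deny"
    protocol: Optional[str] = None     # None matches any protocol
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dst_port: Optional[int] = None     # None matches any port
    established: bool = False          # TCP only: ACK or RST bit set


@dataclass(frozen=True)
class Packet:
    protocol: str
    src: str
    dst: str
    dst_port: Optional[int] = None
    tcp_flags: int = 0


def matches(rule, pkt):
    if rule.protocol is not None and rule.protocol != pkt.protocol:
        return False
    if ip_address(pkt.src) not in ip_network(rule.src):
        return False
    if ip_address(pkt.dst) not in ip_network(rule.dst):
        return False
    if rule.dst_port is not None and rule.dst_port != pkt.dst_port:
        return False
    if rule.established:
        # Stateless check on header bits, as the manual defines it.
        if pkt.protocol != "tcp" or not pkt.tcp_flags & (TCP_ACK | TCP_RST):
            return False
    return True


def evaluate(rules, pkt):
    """Return (action, rule number) of the first matching rule."""
    for rule in sorted(rules, key=lambda r: r.number):
        if matches(rule, pkt):
            return rule.action, rule.number
    return "no-match", None            # device behaviour here is not modelled


def covers(earlier, later):
    """True if every packet matching `later` also matches `earlier`."""
    if earlier.protocol is not None and earlier.protocol != later.protocol:
        return False
    if not ip_network(later.src).subnet_of(ip_network(earlier.src)):
        return False
    if not ip_network(later.dst).subnet_of(ip_network(earlier.dst)):
        return False
    if earlier.dst_port is not None and earlier.dst_port != later.dst_port:
        return False
    if earlier.established and not later.established:
        return False
    return True


def shadowed(rules):
    """Return {rule number: number of the earlier rule that hides it}."""
    ordered = sorted(rules, key=lambda r: r.number)
    hidden = {}
    for i, later in enumerate(ordered):
        for earlier in ordered[:i]:
            if covers(earlier, later):
                hidden[later.number] = earlier.number
                break
    return hidden


# Constructed ACL: rule 40 is meant to allow SSH but sits behind rule 30.
ACL = [
    Rule(10, "permit", "tcp", dst="10.0.0.0/24", established=True),
    Rule(20, "permit", "tcp", dst="10.0.0.10", dst_port=443),
    Rule(30, "deny", dst="10.0.0.0/24"),
    Rule(40, "permit", "tcp", dst="10.0.0.20", dst_port=22),
]
```

Note that a packet carrying only the ACK bit matches the established rule even when no session exists, because the match is made on header bits alone.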
Exceed Action
Once the packet is classified as exceeding a particular rate limit, the device:
• either drops the packet or marks it as yellow or red
• or processes the packet based on congestion avoidance mechanisms, such as SRED or taildrop
ACLs Commands
- [no] established
- [no] icmp-code <value>
- [no] icmp-type <value>
- [no] tcp-source-port <value>
- [no] tcp-destination-port <value>
- [no] udp-source-port <value>
- [no] udp-destination-port <value>
- source_ip A.B.C.D/MASK
- [no] tos <value>
- [no] untagged
- [no] vlan <vlan-id> [vlan-mask <vlan-mask>]
- [no] vpt <priority>
- [no] dscp <value>
+ [no] port UU/SS/PP
+ [no] ip-access-group-standard {NAME | <acl-number>} in
- [no] fc <value>
- color {red | green | yellow}
- [no] monitoring-profile <profile-id>
+ [no] rate-limit {dual | single}
- cbs <value>
- cir <value>
- color-aware
- ebs <value>
- pbs <value>
- pir <value>
- exceed-action {drop | mark-yellow | mark-red}
- [no] redirect UU/SS/PP
+ [no] ip-access-group-standard {NAME | <acl-number>} vlan
- [no] vlan <vlan-id>
- [no] add-vlan <vlan-id>
+ [no] ip-access-group-standard {NAME | <acl-number>} out
- [no] monitoring-profile <profile-id>
+ [no] rate-limit {dual | single}
- cbs <value>
- cir <value>
- color-aware
- ebs <value>
- pbs <value>
- pir <value>
- exceed-action drop
- [no] dscp <value>
- pbs <value>
- pir <value>
- exceed-action drop
- [no] dscp <value>
- [no] inner-vpt <priority>
- [no] vpt <priority>
- show port ether-type-access-group [NAME | <acl-number>] [in | out
| vlan] [monitoring-profile <profile-id> [statistics [fbrs-
green-bps | fbrs-green-fps | fbrs-match-counter-bps | fbrs-
match-counter-fps | fbrs-not-green-bps | fbrs-not-green-fps |
fbrs-not-red-bps | fbrs-not-red-fps | fbrs-red-bps | fbrs-red-
fps | fbrs-yellow-bps | fbrs-yellow-fps | green-bps | green-
fps | match-counter-bps | match-counter-fps | not-green-bps |
not-green-fps | not-red-bps | not-red-fps | red-bps | red-fps
| yellow-bps | yellow-fps]]]
- show running-config ether-type access-list
- show running-config ether-type access-list [NAME | <acl-number>]
[remark REMARK | rule {<value> | {action {deny | permit} |
ether-type <type> | inner-vlan <vlan-id> [inner-vlan-mask
<vlan-mask>] | inner-vpt <priority> | precedence TYPE | tos
<value> | vlan <vlan-id> [vlan-mask <vlan-mask>] | vpt
<priority>}}]
Command Description
config terminal Enters the Configuration mode
access-group-monitoring-profile Defines a monitoring profile and enters
<profile-id> the specific Profile Configuration mode.
• profile-id: any number
no access-group-monitoring-profile Removes the configured monitoring
[<profile-id>] profiles:
• profile-id: (optional)
any number
enable-statistics PROFILE Defines statistics:
• PROFILE: see Table 8-9
no enable-statistics [PROFILE] Removes the definition:
• PROFILE: (optional) see
Table 8-9
show running-config access-group-monitoring-profile [<profile-id>] enable-statistics PROFILE Displays information about the monitoring profiles:
• profile-id: any number
• PROFILE: see Table 8-9
Command Description
config terminal Enters the Configuration mode
ip access-list standard {NAME | <acl-number>} Defines a standard IP ACL and enters the standard IP ACL Configuration mode:
• NAME: a string of <1–10> characters
• acl-number: in the range of <1-99>
no ip access-list standard [NAME | <acl-number>] Removes the selected standard IP ACL:
• NAME: (optional) a string of <1–10> characters
• acl-number: (optional) in the range of <1-99>
remark REMARK Associates a remark to a standard IP
ACL:
• REMARK: a string of
<1–30> characters
no remark Removes the remark
rule <value>
inner-vlan <vlan-id> [inner-vlan-mask <vlan-mask>] Denies a specific VLAN ID and mask for the inner IP-header:
• vlan-id: in the range of <1-4092>
• vlan-mask: in hexadecimal format FF:FF:FF:FF. Use 0 for meaningful bits (exact-match) and F for meaningless bits (any). The last 4 bits are meaningful.
no inner-vlan [<vlan-id>] [inner-vlan-mask [<vlan-mask>]] Removes the selected inner-VLAN and inner-mask:
• vlan-id: (optional) in the range of <1-4092>
• vlan-mask: (optional) in hexadecimal format FF:FF:FF:FF
inner-vpt <priority> Defines the packet’s filtering by the
VLAN Priority Tag (VPT) in the inner-
VLAN tag header:
• priority: in the range
of <0-7>
no inner-vpt [<priority>] Removes the selected VPT:
• priority: (optional) in
the range of <0-7>
source_ip A.B.C.D/MASK
vlan <vlan-id> [vlan-mask <vlan-mask>] Denies a specific VLAN ID and mask for the outer IP-header:
• vlan-id: in the range of <1-4092>
• vlan-mask: in hexadecimal format FF:FF:FF:FF. Use 0 for meaningful bits (exact-match) and F for meaningless bits (any). The last 4 bits are meaningful.
no vlan [<vlan-id>] [vlan-mask [<vlan-mask>]] Removes the selected outer-VLAN and outer-mask:
• vlan-id: (optional) in the range of <1-4092>
• vlan-mask: (optional) in hexadecimal format FF:FF:FF:FF
vpt <priority> Defines the packet’s filtering by the
VLAN Priority Tag (VPT) in the outer-
VLAN tag header:
• priority: in the range
of <0-7>
no vpt [<priority>] Removes the selected VPT:
• priority: (optional) in
the range of <0-7>
dscp <value> Defines the packet’s filtering by the
DSCP value in the IP header of the
packet:
• value: in the range of
<0-63>
no dscp [<value>] Removes the defined DSCP value
ip access-list extended {NAME | <acl-number>} Defines an extended IP ACL and enters the extended IP ACL Configuration mode:
• NAME: a string of <1–10> characters
• acl-number: in the range of <100-199>
no ip access-list extended [NAME | <acl-number>] Removes the selected extended IP ACL:
• NAME: (optional) a string of <1–10> characters
• acl-number: (optional) in the range of <100-199>
remark REMARK Associates a remark to an extended IP
ACL:
• REMARK: a string of <1–
30> characters
no remark Removes the remark
rule <value>
inner-vlan <vlan-id> [inner-vlan-mask <vlan-mask>] Denies a specific VLAN ID and mask for the inner IP-header:
• vlan-id: in the range of <1-4092>
• vlan-mask: in hexadecimal format FF:FF:FF:FF. Use 0 for meaningful bits (exact-match) and F for meaningless bits (any)
no inner-vlan [<vlan-id>] [inner-vlan-mask [<vlan-mask>]] Removes the selected inner-VLAN and inner-mask:
• vlan-id: (optional) in the range of <1-4092>
• vlan-mask: (optional) in hexadecimal format FF:FF:FF:FF
inner-vpt <priority> Defines the packet’s filtering by the
VLAN Priority Tag (VPT) in the inner-
VLAN tag header:
• priority: in the range
of <0-7>
no inner-vpt Removes the priority
precedence TYPE The ACL rule matches packets by the
literal precedence values:
• TYPE: see Table 8-11
no precedence Removes the precedence value
protocol TYPE
Command Description
established (valid for TCP protocol only) indicates
an established connection. A match
occurs if the TCP datagram has the
ACK or RST bits set.
The packets that do not match are TCP
packets sent to initialize a TCP session.
no established (valid for TCP protocol only) removes
the established connection
icmp-code <value> (valid for ICMP protocol only) matches
ICMP packets by the ICMP message
code:
• value: in the range of
<0–255> or a valid
literal ICMP message
code (see Table 8-13)
no icmp-code Removes the ICMP message code
icmp-type <value> (valid for ICMP protocol only) matches
ICMP packets by the ICMP message
type:
• value: in the range of
<0–255> or a valid
literal ICMP message
type (see Table 8-11)
no icmp-type Removes the ICMP message type
tcp-source-port <value> (valid for TCP protocol only) defines
the decimal number or a name of source
TCP port. Use TCP port’s names when
filtering TCP packets only:
• value: in the range of
<0–65535> or a TCP port
literal value (see Table
8-14)
no tcp-source-port Removes the TCP source port’s literal
value
tcp-destination-port <value> (valid for TCP protocol only) defines
the decimal number or a name of
destination TCP port. Use TCP port’s
names when filtering TCP packets only:
• value: in the range of
<0–65535> or a TCP port
literal value (see Table
8-14)
no tcp-destination-port Removes the TCP destination port’s
literal value
udp-source-port <value> (valid for UDP protocol only) defines
the decimal number or a name of source
UDP port. Use UDP port’s names when
filtering UDP packets only:
• value: in the range of
<0–65535> or a UDP port
literal value (see Table
8-15)
no udp-source-port Removes the UDP source port’s literal
value
udp-destination-port <value> (valid for UDP protocol only) defines
the decimal number or a name of a UDP
destination port. Use UDP port’s names
when filtering UDP packets only:
• value: in the range of
<0–65535> or a UDP port
literal value (see Table
8-15)
no udp-destination-port Removes the UDP destination port’s
literal value
source_ip A.B.C.D/MASK
Command Description
vlan <vlan-id> [vlan-mask <vlan-mask>]
Denies a specific VLAN ID and mask for the outer IP-header:
• vlan-id: in the range of
<1-4092>
• vlan-mask: in
hexadecimal format
FF:FF:FF:FF. Use 0 for
meaningful bits (exact-
match) and F for
meaningless bits (any).
The last 4 bits are
meaningful.
no vlan [<vlan-id>] [vlan-mask [<vlan-mask>]]
Removes the selected outer-VLAN and outer-mask:
• vlan-id: (optional) in
the range of <1-4092>
• vlan-mask: (optional) in
hexadecimal format
FF:FF:FF:FF
vpt <priority> Defines the packet’s filtering by the
VLAN Priority Tag (VPT) in the outer-
VLAN tag header:
• priority: in the range
of <0-7>
no vpt [<priority>] Removes the selected VPT:
• priority: (optional) in
the range of <0-7>
dscp <value> Defines the packet’s filtering by the
DSCP value in the IP header of the
packet:
• value: in the range of
<0-63>
no dscp [<value>] Removes the defined DSCP value
port UU/SS/PP Enters the Port’s Configuration mode
no port [UU/SS/PP] Removes the port configurations
Command Description
ip-access-group-standard {NAME |
<acl-number>} {in | out | vlan}
Assigns an IP ACG to a port and enters
the IP ACG Configuration mode:
• NAME: a string of <1–10>
characters
• <acl-number>: in the
range of <1-99>
• in: filters the ingress
traffic only
• out: filters the egress
traffic only
• vlan: redirects the
matching ingress traffic
to a VLAN
• Deny any
no ip-access-group-standard [NAME | <acl-number>] [in | out | vlan]
Removes the specified IP ACG:
• NAME: (optional) a string of <1–10> characters
• acl-number: (optional)
in the range of <1-99>
• in: (optional) filters
the ingress traffic only
• out: (optional) filters
the egress traffic only
• vlan: redirects the
matching ingress traffic
to a VLAN
• Deny any
fc <value> (Only for ) Applies forwarding class
(FC) mapping on ACG (only the ingress
traffic) and enters the FC Configuration
mode:
• value: FC value (see
Table 8-16)
no fc [<value>] Removes the FC mapping:
• value: (optional) FC
value
color {red | green | yellow} Defines the conforming level:
• red: the non-conforming
drop level
• green: the conforming
drop level
• yellow: the partially
conforming level
monitoring-profile <profile-id> Enables bandwidth counters per ACL
rules:
• profile-id: any number.
Up to 24 profiles can be
defined.
no monitoring-profile [<profile-id>]
Disables the bandwidth monitoring:
• profile-id: (optional) any number
rate-limit {dual | single} Applies a rate-limit on the ACG for the
specified port and enters the Rate-Limit
Configuration mode:
• dual: the Two Rate Three
Color Marker (RFC 2698)
• single: the Single Rate
Three Color Marker (RFC
2697)
no rate-limit [dual | single] Removes the rate limit from the
configured ACG:
• dual: (optional) the Two
Rate Three Color Marker
(RFC 2698)
• single: (optional) the
Single Rate Three Color
Marker (RFC 2697)
cbs <value> Defines the Committed Burst Size
(CBS):
• value: in the range of
<1–1048575> KB
cir <value> Defines the Committed Information
Rate (CIR):
• value: in the range of
<1–1048575> Kbps
color-aware Enables the color-aware mode
• Color blind
pbs <value> (only for dual rate) Defines the Peak
Burst Size (PBS):
• value: in the range of
<1–1048575> KB
pir <value> (only for dual rate) Defines the Peak
Information Rate (PIR):
• value: in the range of
<1–1048575> Kbps
ebs <value> (only for single rate) Defines the Excess
Burst Size (EBS):
• value: in the range of
<1–1048575> KB
exceed-action {drop | mark-yellow | mark-red}
The action performed once the packet is
classified as exceeding a particular rate
limit:
• drop: drops the packet
• mark-yellow: marks the
packet as yellow
• mark-red: marks the
packet as red
• Drop
no exceed-action [drop | mark-yellow | mark-red]
Restores to default
redirect UU/SS/PP Redirects matching traffic to the
specified port:
• UU/SS/PP: 1/1/1-1/1/24,
1/2/1-1/2/4
no redirect [UU/SS/PP] Removes the traffic redirection from the
specified port:
• UU/SS/PP: (optional)
1/1/1-1/1/24, 1/2/1-
1/2/4
vlan <vlan-id> Redirects matching traffic to the
specified VLAN by changing the VLAN
ID in the packet header:
• vlan-id: in the range of
<1-4092>
no vlan [<vlan-id>] Removes the traffic redirection:
• vlan-id: (optional) in
the range of <1-4092>
add-vlan <vlan-id> Redirects matching traffic to the
specified VLAN by adding a VLAN tag
to the untagged frame, or an additional
VLAN tag to the VLAN-tagged frame:
• vlan-id: in the range of
<1-4092>
no add-vlan [<vlan-id>] Removes the traffic redirection:
• vlan-id: (optional) in
the range of <1-4092>
dscp <value> Changes the DSCP value in the IP
header of the packet:
• value: the new DSCP
value in the range of
<0-63>
no dscp [<value>] Removes the defined DSCP value
inner-vpt <priority> Changes the VLAN Priority Tag (VPT)
in the inner-VLAN tag header:
• priority: the new VPT
value in the range of
<0–7>
no inner-vpt [<priority>] Removes the defined VPT:
• priority: (optional) in
the range of <0–7>
vpt <priority> Changes the VLAN Priority Tag (VPT)
in the outer-VLAN tag header:
• priority: the new VPT
value in the range of
<0-7>
no vpt [<priority>] Removes the defined VPT:
• priority: (optional) in
the range of <0–7>
ip-access-group-extended {NAME |
<acl-number>} {in | out | vlan}
Assigns an IP ACG to a port and enters
the IP ACG Configuration mode:
• NAME: a string of
<1–10> characters
• acl-number: in the range
of <100-199>
• in: filters the ingress
traffic only
• out: filters the egress
traffic only
• vlan: redirects the
matching ingress traffic
to a VLAN
no ip-access-group-extended [NAME | <acl-number>] [in | out | vlan]
Removes the specified IP ACG:
• NAME: (optional) a
string of
1–10 characters
• acl-number: (optional)
in the range of <100-
199>
• in: (optional) filters
the ingress traffic only
• out: (optional) filters
the egress traffic only
• vlan: redirects the
matching ingress traffic
to a VLAN
fc <value> Applies forwarding class (FC) mapping
on ACG (only the ingress traffic) and
enters the FC Configuration mode:
• value: FC value (see
Table 8-16)
no fc [<value>] Removes the FC mapping:
• value: (optional) FC
value
color {red | green | yellow} Defines the conforming level:
• red: the non-conforming
drop level
• green: the conforming
drop level
• yellow: the partially
conforming level
monitoring-profile <profile-id> Enables bandwidth counters per ACL
rules:
• profile-id: any number.
Up to 24 profiles can be
defined.
• Disabled
no monitoring-profile [<profile-id>]
Disables the bandwidth monitoring:
• profile-id: (optional) any number
rate-limit {dual | single} Applies a rate-limit on the ACG for the
specified port and enters the Rate-Limit
Configuration mode:
• dual: the Two Rate Three
Color Marker (RFC 2698)
• single: the Single Rate
Three Color Marker (RFC
2697)
no rate-limit [dual | single] Removes the rate limit from the
configured ACG:
• dual: (optional) the Two
Rate Three Color Marker
(RFC 2698)
• single: (optional) the
Single Rate Three Color
Marker (RFC 2697)
cbs <value> Defines the Committed Burst Size
(CBS):
• value: in the range of
<1–1048575> KB
cir <value> Defines the Committed Information
Rate (CIR):
• value: in the range of
<1–1048575> Kbps
color-aware Enables the color-aware mode
• Color blind
ebs <value> (only for single rate) Defines the Excess
Burst Size (EBS):
• value: in the range of
<1–1048575> KB
pbs <value> (only for dual rate) Defines the Peak
Burst Size (PBS):
• value: in the range of
<1–1048575> KB
pir <value> (only for dual rate) Defines the Peak
Information Rate (PIR):
• value: in the range of
<1–1048575> Kbps
exceed-action {drop | mark-yellow | mark-red}
The action performed once the packet is
classified as exceeding a particular rate
limit:
• drop: drops the packet
• mark-yellow: marks the
packet as yellow
• mark-red: marks the
packet as red
• Drop
no exceed-action [drop | mark-yellow | mark-red]
Restores to default
redirect UU/SS/PP Redirects matching traffic to the
specified port:
• UU/SS/PP: 1/1/1-1/1/24,
1/2/1-1/2/4
no redirect [UU/SS/PP] Removes the traffic redirection from the
specified port:
• UU/SS/PP: (optional)
1/1/1-1/1/24, 1/2/1-
1/2/4
vlan <vlan-id> Redirects matching traffic to the
specified VLAN by changing the VLAN
ID in the packet header:
• vlan-id: in the range of
<1-4092>
no vlan [<vlan-id>] Removes the traffic redirection:
• vlan-id: (optional) in
the range of <1-4092>
add-vlan <vlan-id> Redirects matching traffic to the
specified VLAN by tagging the
untagged traffic and adding an
additional tag to tagged traffic:
• vlan-id: in the range of
<1-4092>
no add-vlan [<vlan-id>] Removes the traffic redirection:
• vlan-id: (optional) in
the range of <1-4092>
dscp <value> Changes the DSCP value in the IP
header of the packet:
• value: the new DSCP
value in the range of
<0-63>
no dscp [<value>] Removes the defined DSCP value
inner-vpt <priority> Changes the VLAN Priority Tag (VPT)
in the inner-VLAN tag header:
• priority: the new VPT
value in the range of
<0–7>
no inner-vpt [<priority>] Removes the defined VPT:
• priority: (optional) in
the range of <0–7>
vpt <priority> Changes the VLAN Priority Tag (VPT)
in the outer-VLAN tag header:
• priority: the new VPT
value in the range of
<0-7>
no vpt [<priority>] Removes the defined VPT:
• priority: (optional) in
the range of <0–7>
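The two marker algorithms that rate-limit {dual | single} refers to (RFC 2698 and RFC 2697), driven by the cir, cbs, ebs, pir, pbs and color-aware parameters listed above. This is an added example, not code from the manual or the device; it assumes 1 Kbps = 1000 bit/s and 1 KB = 1024 bytes, uses a constructed traffic burst, and does not model exceed-action.

```python
GREEN, YELLOW, RED = "green", "yellow", "red"


def _rate(kbps):
    return kbps * 1000 / 8   # assumption: 1 Kbps = 1000 bit/s, result in bytes/s


def _size(kb):
    return kb * 1024         # assumption: 1 KB = 1024 bytes


class SingleRateMarker:
    """rate-limit single: srTCM (RFC 2697) with cir, cbs and ebs."""

    def __init__(self, cir, cbs, ebs, color_aware=False):
        self.cir, self.cbs, self.ebs = _rate(cir), _size(cbs), _size(ebs)
        self.tc, self.te = self.cbs, self.ebs    # both buckets start full
        self.color_aware = color_aware
        self.last = 0.0

    def mark(self, now, size, pre_color=GREEN):
        # Refill: tokens go to the committed bucket first, overflow to the excess bucket.
        tokens = (now - self.last) * self.cir
        self.last = now
        to_c = min(tokens, self.cbs - self.tc)
        self.tc += to_c
        self.te = min(self.ebs, self.te + tokens - to_c)
        if not self.color_aware:
            pre_color = GREEN                    # color-blind: ignore earlier marking
        if pre_color == GREEN and self.tc >= size:
            self.tc -= size
            return GREEN
        if pre_color != RED and self.te >= size:
            self.te -= size
            return YELLOW
        return RED


class DualRateMarker:
    """rate-limit dual: trTCM (RFC 2698) with cir, cbs, pir and pbs."""

    def __init__(self, cir, cbs, pir, pbs, color_aware=False):
        self.cir, self.cbs = _rate(cir), _size(cbs)
        self.pir, self.pbs = _rate(pir), _size(pbs)
        self.tc, self.tp = self.cbs, self.pbs    # both buckets start full
        self.color_aware = color_aware
        self.last = 0.0

    def mark(self, now, size, pre_color=GREEN):
        # Each bucket refills independently at its own rate, capped at its burst size.
        elapsed = now - self.last
        self.last = now
        self.tc = min(self.cbs, self.tc + elapsed * self.cir)
        self.tp = min(self.pbs, self.tp + elapsed * self.pir)
        if not self.color_aware:
            pre_color = GREEN
        if pre_color == RED or self.tp < size:
            return RED                           # above the peak rate
        self.tp -= size
        if pre_color == YELLOW or self.tc < size:
            return YELLOW                        # within peak, above committed
        self.tc -= size
        return GREEN


def run(marker, packets):
    """packets: list of (time_s, size_bytes) or (time_s, size_bytes, pre_color)."""
    return [marker.mark(*p) for p in packets]


# Constructed traffic: a burst of 512-byte frames at t=0, then two more one second later.
BURST = [(0.0, 512)] * 7 + [(1.0, 512), (1.0, 512)]

if __name__ == "__main__":
    print("single:", run(SingleRateMarker(cir=8, cbs=1, ebs=2), BURST))
    print("dual:  ", run(DualRateMarker(cir=8, cbs=1, pir=16, pbs=2), BURST))
```

With the same burst, the single-rate marker turns the excess yellow until EBS is exhausted, while the dual-rate marker turns red as soon as the peak bucket is empty.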
Command Description
show port ip-access-group-standard [NAME | <acl-number>] [in | out | vlan]
[monitoring-profile <profile-id> [statistics [fbrs-green-bps | fbrs-green-fps |
fbrs-match-counter-bps | fbrs-match-counter-fps | fbrs-not-green-bps |
fbrs-not-green-fps | fbrs-not-red-bps | fbrs-not-red-fps | fbrs-red-bps |
fbrs-red-fps | fbrs-yellow-bps | fbrs-yellow-fps | green-bps | green-fps |
match-counter-bps | match-counter-fps | not-green-bps | not-green-fps |
not-red-bps | not-red-fps | red-bps | red-fps | yellow-bps | yellow-fps]]]
Displays the standard IP ACGs configured on ports:
• NAME: a string of <1–10> characters
• acl-number: in the range of <1-99>
• in: only ingress ACGs
• out: only egress ACGs
• monitoring-profile statistics: counts match packets
• profile-id: any number
• vlan: only VLAN traffic redirection ACLs
show port ip-access-group-extended [NAME | <acl-number>] [in | out | vlan]
[monitoring-profile <profile-id> [statistics [fbrs-green-bps | fbrs-green-fps |
fbrs-match-counter-bps | fbrs-match-counter-fps | fbrs-not-green-bps |
fbrs-not-green-fps | fbrs-not-red-bps | fbrs-not-red-fps | fbrs-red-bps |
fbrs-red-fps | fbrs-yellow-bps | fbrs-yellow-fps | green-bps | green-fps |
match-counter-bps | match-counter-fps | not-green-bps | not-green-fps |
not-red-bps | not-red-fps | red-bps | red-fps | yellow-bps | yellow-fps]]]
Displays information about the extended IP ACGs, filtered by the commands’
arguments:
• NAME: a string of <1–10> characters
• acl-number: in the range of <100-199>
• in: only ingress ACGs
• out: only egress ACGs
• monitoring-profile statistics: counts match packets
• profile-id: any number
• vlan: only VLAN traffic redirection ACLs
show running-config ip access-list Displays the configured IP ACLs
show running-config ip access-list standard [NAME | <1-99>] [remark REMARK |
rule {<1-250> | {action {deny | permit} | inner-vlan <vlan-id>
[inner-vlan-mask <VLAN mask>] | inner-vpt <priority> | source_ip A.B.C.D/MASK |
untagged | vlan <vlan-id> [vlan-mask <vlan-mask>] | vpt <priority>}}]
Displays information about the standard IP ACLs, filtered by the commands’
arguments
show running-config ip access-list extended [NAME | <100-199>] [remark REMARK |
rule {<1-250> | {action {deny | permit} | destination_ip A.B.C.D/MASK |
established | icmp-code <value> | icmp-type <value> | inner-vlan <vlan-id>
[inner-vlan-mask <vlan-mask>] | inner-vpt <priority> | precedence TYPE |
protocol <type> | source_ip A.B.C.D/MASK | tcp-destination-port <value> |
tcp-source-port <value> | tos {<0-7> | max-reliability | max-throughput |
min-delay | min-monetary-cost | normal} | udp-destination-port <value> |
udp-source-port <value> | untagged | vlan <vlan-id> [vlan-mask <vlan-mask>] |
vpt <priority>}}]
Displays information about the extended IP ACLs, filtered by the commands’
arguments
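The established match of the extended IP ACL rule (a TCP datagram with the ACK or RST bit set), evaluated over raw IPv4 packets. This is an added example, not code from the manual or the device; the sample packets are constructed, and treating non-first fragments and truncated packets as non-matching is an assumption of this sketch.

```python
import struct

TCP_PROTO = 6
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10


def build_ipv4_tcp(flags, ihl=5, proto=TCP_PROTO):
    """Constructed sample: IPv4 header (zeroed options if ihl > 5) plus a 20-byte TCP header."""
    ip_len = ihl * 4
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ip_len + 20, 0, 0, 64,
                     proto, 0, bytes([192, 0, 2, 1]), bytes([198, 51, 100, 1]))
    ip += b"\x00" * (ip_len - 20)
    tcp = struct.pack("!HHIIBBHHH", 49152, 80, 1, 0, 5 << 4, flags, 65535, 0, 0)
    return ip + tcp


def matches_established(packet):
    """True if the packet is TCP and carries ACK or RST, as the manual describes."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return False
    ihl = (packet[0] & 0x0F) * 4              # IPv4 header length in bytes
    if ihl < 20 or packet[9] != TCP_PROTO:    # byte 9 is the IP protocol field
        return False
    frag_offset = struct.unpack_from("!H", packet, 6)[0] & 0x1FFF
    if frag_offset != 0 or len(packet) < ihl + 14:
        return False                          # assumption: no TCP flags visible, no match
    return bool(packet[ihl + 13] & (ACK | RST))   # TCP flags are at offset 13


def handshake_view():
    """Which packets of a normal TCP session match the established keyword."""
    samples = {"SYN": SYN, "SYN+ACK": SYN | ACK, "ACK": ACK,
               "FIN+ACK": FIN | ACK, "RST": RST}
    return {name: matches_established(build_ipv4_tcp(f)) for name, f in samples.items()}


if __name__ == "__main__":
    for name, hit in handshake_view().items():
        print(f"{name:8} {'match' if hit else 'no match'}")
```

Only the initial SYN fails to match. The check is stateless: it looks at the flag bits of each packet and keeps no record of whether a session was actually opened.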
Command Description
config terminal Enters the Configuration mode
mac access-list {NAME | <acl-
number>}
Defines an extended MAC ACL and
enters the MAC ACL Configuration
mode:
• NAME: a string of
<1–10> characters
• acl-number: in the range
of <400-499>
no mac access-list [NAME | <acl-number>]
Removes the selected extended MAC ACL:
• NAME: (optional) a
string of
<1–10> characters
• acl-number: (optional)
in the range of <400-
499>
remark REMARK Associates a remark to an extended
MAC ACL:
• REMARK: a string of
<1–30> characters
no remark Removes the remark
Command Description
rule <value>
Command Description
no inner-vlan [<vlan-id>] [inner-vlan-mask [<vlan-mask>]]
Removes the selected inner-VLAN and inner-mask:
• vlan-id: (optional) in
the range of <1-4092>
• vlan-mask: (optional) in
hexadecimal format
FF:FF:FF:FF
inner-vpt <priority> Defines the packet’s filtering by the
VLAN Priority Tag (VPT) in the inner-
VLAN tag header:
• priority: in the range
of <0-7>
no inner-vpt [<priority>] Removes the selected VPT:
• priority: (optional) in
the range of <0-7>
precedence TYPE The ACL rule matches packets by the
literal precedence values:
• TYPE: see Table 8-11
no precedence Removes the precedence value
source_mac HH:HH:HH:HH:HH:HH source_mac_mask HH:HH:HH:HH:HH:HH
Defines the packet’s source MAC-address and mask:
• HH:HH:HH:HH:HH:HH: MAC
address and mask in
hexadecimal format. The
any keyword that
represents all MAC
addresses
tos <value> The ACL rule matches packets by the
service level type:
• value: in the range of
<0–15> or a valid
literal ToS value (see
Table 8-10)
no tos Removes the valid literal ToS value
untagged The ACL rule matches untagged packets
only
• Both tagged and untagged
no untagged Restores to default
vlan <vlan-id> [vlan-mask <vlan-mask>]
Denies a specific VLAN ID and mask for the outer IP-header:
• vlan-id: in the range of
<1-4092>
• vlan-mask: in
hexadecimal format
FF:FF:FF:FF. Use 0 for
meaningful bits (exact-
match) and F for
meaningless bits (any).
The last 4 bits are
meaningful.
no vlan [<vlan-id>] [vlan-mask [<vlan-mask>]]
Removes the selected outer-VLAN and outer-mask:
• vlan-id: (optional) in
the range of <1-4092>
• vlan-mask: (optional) in
hexadecimal format
FF:FF:FF:FF
vpt <priority> Defines the packet’s filtering by the
VLAN Priority Tag (VPT) in the outer-
VLAN tag header:
• priority: in the range
of <0-7>
no vpt [<priority>] Removes the selected VPT:
• priority: (optional) in
the range of <0-7>
dscp <value> Defines the packet’s filtering by the
DSCP value in the IP header of the
packet:
• value: in the range of
<0-63>
no dscp [<value>] Removes the defined DSCP value
port UU/SS/PP Enters the Port’s Configuration mode
no port [UU/SS/PP] Removes the port configurations
Command Description
mac-access-group {NAME | <acl-
number>} {in | out | vlan}
Assigns a MAC ACG to a port and
enters the MAC ACG Configuration
mode:
• NAME: a string of
<1–10> characters
• acl-number: in the range
of <400-499>
• in: filters the ingress
traffic only
• out: filters the egress
traffic only
• vlan: redirects the
matching ingress traffic
to a VLAN
no mac-access-group [NAME | <acl-number>] [in | out | vlan]
Removes the specified MAC ACG:
• NAME: (optional) a string of <1–10> characters
• acl-number: (optional)
in the range of <400-
499>
• in: (optional) filters
the ingress traffic only
• out: (optional) filters
the egress traffic only
• vlan: redirects the
matching ingress traffic
to a VLAN
fc <value> Applies forwarding class (FC) mapping
on ACG (only the ingress traffic) and
enters the FC Configuration mode:
• value: FC value (see
Table 8-16)
no fc [<value>] Removes the FC mapping:
• value: (optional) FC
value
color {red | green | yellow} Defines the conforming level:
• red: the non-conforming
drop level
• green: the conforming
drop level
• yellow: the partially
conforming level
monitoring-profile <profile-id> Enables bandwidth counters per ACL
rules:
• profile-id: any number.
Up to 24 profiles can be
defined.
no monitoring-profile [<profile-id>]
Disables the bandwidth monitoring:
• profile-id: (optional) any number
rate-limit {dual | single} Applies a rate-limit on the ACG for the
specified port and enters the Rate-Limit
Configuration mode:
• dual: the Two Rate Three
Color Marker (RFC 2698)
• single: the Single Rate
Three Color Marker (RFC
2697)
no rate-limit [dual | single] Removes the rate limit from the
configured ACG:
• dual: (optional) the Two
Rate Three Color Marker
(RFC 2698)
• single: (optional) the
Single Rate Three Color
Marker (RFC 2697)
cbs <value> Defines the Committed Burst Size
(CBS):
• value: in the range of
<1–1048575> KB
cir <value> Defines the Committed Information
Rate (CIR):
• value: in the range of
<1–1048575> Kbps
color-aware Enables the color-aware mode
• Color blind
ebs <value> (only for single rate) Defines the Excess
Burst Size (EBS):
• value: in the range of
<1–1048575> KB
pbs <value> (only for dual rate) Defines the Peak
Burst Size (PBS):
• value: in the range of
<1–1048575> KB
pir <value> (only for dual rate) Defines the Peak
Information Rate (PIR):
• value: in the range of
<1–1048575> Kbps
exceed-action {drop | mark-yellow | mark-red}
The action performed once the packet is
classified as exceeding a particular rate
limit:
• drop: drops the packet
• mark-yellow: marks the
packet as yellow
• mark-red: marks the
packet as red
• Drop
no exceed-action [drop | mark-yellow | mark-red]
Restores to default
redirect UU/SS/PP Redirects matching traffic to the
specified port:
• UU/SS/PP: 1/1/1-1/1/24,
1/2/1-1/2/4
no redirect [UU/SS/PP] Removes the traffic redirection from the
specified port:
• UU/SS/PP: (optional)
1/1/1-1/1/24, 1/2/1-
1/2/4
vlan <vlan-id> Redirects matching traffic to the
specified VLAN by changing the VLAN
ID in the packet header:
• vlan-id: in the range of
<1-4092>
no vlan [<vlan-id>] Removes the traffic redirection:
• vlan-id: (optional) in
the range of <1-4092>
add-vlan <vlan-id> Redirects matching traffic to the
specified VLAN by tagging the
untagged traffic and adding an
additional tag to tagged traffic:
• vlan-id: in the range of
<1-4092>
no add-vlan [<vlan-id>] Removes the traffic redirection:
• vlan-id: (optional) in
the range of <1-4092>
dscp <value> Changes the DSCP value in the IP
header of the packet:
• value: the new DSCP
value in the range of
<0-63>
no dscp [<value>] Removes the defined DSCP value
inner-vpt <priority> Changes the VLAN Priority Tag (VPT)
in the inner-VLAN tag header:
• priority: the new VPT
value in the range of
<0–7>
no inner-vpt [<priority>] Removes the defined VPT:
• priority: (optional) in
the range of <0–7>
vpt <priority> Changes the VLAN Priority Tag (VPT)
in the outer-VLAN tag header:
• priority: the new VPT
value in the range of
<0-7>
no vpt [<priority>] Removes the defined VPT:
• priority: (optional) in
the range of <0–7>
Command Description
show port mac-access-group [NAME | <acl-number>] [in | out | vlan]
[monitoring-profile <profile-id> [statistics [fbrs-green-bps | fbrs-green-fps |
fbrs-match-counter-bps | fbrs-match-counter-fps | fbrs-not-green-bps |
fbrs-not-green-fps | fbrs-not-red-bps | fbrs-not-red-fps | fbrs-red-bps |
fbrs-red-fps | fbrs-yellow-bps | fbrs-yellow-fps | green-bps | green-fps |
match-counter-bps | match-counter-fps | not-green-bps | not-green-fps |
not-red-bps | not-red-fps | red-bps | red-fps | yellow-bps | yellow-fps]]]
Displays the MAC ACGs:
• NAME: a string of <1–10> characters
• acl-number: in the range of <400-499>
• in: only ingress ACGs
• out: only egress ACGs
• monitoring-profile: the rate, in frame per second and bytes per second,
of transmitted packets that are marked as red, green, or yellow on a
selected port
• profile-id: any number
• statistics: counts match packets
• vlan: only VLAN traffic redirection ACLs
show running-config mac access-list
Displays information about the extended MAC ACLs
show running-config mac access-list [NAME | <acl-number>] [remark REMARK |
rule {<value> | {action {deny | permit} | da-type <type> |
destination_mac HH:HH:HH:HH:HH:HH destination_mac_mask HH:HH:HH:HH:HH:HH |
inner-vlan <vlan-id> [inner-vlan-mask <vlan-mask>] | inner-vpt <priority> |
precedence TYPE | source_mac HH:HH:HH:HH:HH:HH source_mac_mask
HH:HH:HH:HH:HH:HH | tos {<0-7> | max-reliability | max-throughput |
min-delay | min-monetary-cost | normal} | untagged | vlan <vlan-id>
[vlan-mask <vlan-mask>] | vpt <priority>}}]
Displays information about the extended MAC ACLs, filtered by the commands’
arguments
Command Description
config terminal Enters the Configuration mode
ether-type access-list {NAME |
<acl-number>}
Defines an EtherType ACL and enters
the EtherType ACL Configuration
mode:
• NAME: a string of
<1–10> characters
• acl-number: in the range
of <500-599>
no ether-type access-list {NAME | <acl-number>}
Removes the selected EtherType ACL:
• NAME: (optional) a string of <1–10> characters
• acl-number: (optional)
in the range of <500-
599>
remark REMARK Associates a remark to an EtherType
ACL:
• REMARK: a string of
<1–30> characters
no remark Removes the remark
Command Description
rule <value>
Command Description
inner-vpt <priority> Defines the packet’s filtering by the
VLAN Priority Tag (VPT) in the inner-
VLAN tag header:
• priority: in the range
of <0-7>
no inner-vpt [<priority>] Removes the selected VPT:
• priority: (optional) in
the range of <0-7>
precedence TYPE Supported only when the value of the
EtherType field of the Ethernet frame
is 0x0800.
The ACL rule matches packets by the
literal precedence values.
• TYPE: see Table 8-11
no precedence Removes the precedence value
tos <value> Supported only when the value of the
EtherType field of the Ethernet frame
is 0x0800.
The ACL rule matches packets by the
service level type:
• value: in the range of
<0–15> or a valid
literal ToS value (see
Table 8-10)
no tos Removes the valid literal ToS value
vlan <vlan-id> [vlan-mask <vlan-mask>]
Denies a specific VLAN ID and mask for the outer IP-header:
• vlan-id: in the range of
<1-4092>
• vlan-mask: in
hexadecimal format
FF:FF:FF:FF. Use 0 for
meaningful bits (exact-
match) and F for
meaningless bits (any).
The last 4 bits are
meaningful.
no vlan [<vlan-id>] [vlan-mask [<vlan-mask>]]
Removes the selected outer-VLAN and outer-mask:
• vlan-id: (optional) in
the range of <1-4092>
• vlan-mask: (optional) in
hexadecimal format
FF:FF:FF:FF
vpt <priority> Supported only when the value of the
EtherType field of the Ethernet frame
is 0x8100.
Defines the packet’s filtering by the
VLAN Priority Tag (VPT) in the outer-
VLAN tag header:
• priority: in the range
of <0-7>
no vpt [<priority>] Removes the selected VPT:
• priority: (optional) in
the range of <0-7>
dscp <value> Supported only when the value of the
EtherType field of the Ethernet frame
is 0x0800.
Defines the packet’s filtering by the
DSCP value in the IP header of the
packet:
• value: in the range of
<0-63>
no dscp [<value>] Removes the defined DSCP value
port UU/SS/PP Enters the Port’s Configuration mode
no port [UU/SS/PP] Removes the port configurations
ether-type-access-group {NAME |
<acl-number>} {in | out | vlan}
Assigns an EtherType ACG to a port and
enters the EtherType ACG
Configuration mode:
• NAME: a string of
<1–10> characters
• acl-number: in the range
of <500-599>
• in: filters the ingress
traffic only
• out: filters the egress
traffic only
• vlan: redirects the
matching ingress traffic
to a VLAN
no ether-type-access-group [NAME | <acl-number>] [in | out | vlan]
Removes the specified ether-type ACG:
• NAME: (optional) a string of <1–10> characters
• acl-number: (optional)
in the range of <500-
599>
• in: (optional) filters
the ingress traffic only
• out: (optional) filters
the egress traffic only
• vlan: redirects the
matching ingress traffic
to a VLAN
fc <value> Applies forwarding class (FC) mapping
on ACG (only the ingress traffic) and
enters the FC Configuration mode:
• value: FC value (see
Table 8-16)
no fc [<value>] Removes the FC mapping:
• value: (optional) FC
value
color {red | green | yellow} Defines the conforming level:
• red: the non-conforming
drop level
• green: the conforming
drop level
• yellow: the partially
conforming level
monitoring-profile <profile-id> Enables bandwidth counters per ACL
rules:
• profile-id: any number.
Up to 24 profiles can be
defined.
no monitoring-profile [<profile-id>]
Disables the bandwidth monitoring:
• profile-id: (optional) any number
rate-limit {dual | single} Applies a rate-limit on the ACG for the
specified port and enters the Rate-Limit
Configuration mode:
• dual: the Two Rate Three
Color Marker (RFC 2698)
• single: the Single Rate
Three Color Marker (RFC
2697)
no rate-limit [dual | single] Removes the rate limit from the
configured ACG:
• dual: (optional) the Two
Rate Three Color Marker
(RFC 2698)
• single: (optional) the
Single Rate Three Color
Marker (RFC 2697)
cbs <value> Defines the Committed Burst Size
(CBS):
• value: in the range of
<1–1048575> KB
cir <value> Defines the Committed Information
Rate (CIR):
• value: in the range of
<1–1048575> Kbps
color-aware Enables the color-aware mode
• Color blind
ebs <value> (only for single rate) Defines the Excess
Burst Size (EBS):
• value: in the range of
<1–1048575> KB
pbs <value> (only for dual rate) Defines the Peak
Burst Size (PBS):
• value: in the range of
<1–1048575> KB
pir <value> (only for dual rate) Defines the Peak
Information Rate (PIR):
• value: in the range of
<1–1048575> Kbps
exceed-action {drop | mark-yellow | mark-red}
The action performed once the packet is
classified as exceeding a particular rate
limit:
• drop: drops the packet
• mark-yellow: marks the
packet as yellow
• mark-red: marks the
packet as red
• Drop
no exceed-action [drop | mark-yellow | mark-red]
Restores to default
redirect UU/SS/PP Redirects matching traffic to the
specified port:
• UU/SS/PP: 1/1/1-1/1/24,
1/2/1-1/2/4
no redirect [UU/SS/PP] Removes the traffic redirection from the
specified port:
• UU/SS/PP: (optional)
1/1/1-1/1/24, 1/2/1-
1/2/4
vlan <vlan-id> Redirects matching traffic to the
specified VLAN by changing the VLAN
ID in the packet header:
• vlan-id: in the range of
<1-4092>
no vlan [<vlan-id>] Removes the traffic redirection:
• vlan-id: (optional) in
the range of <1-4092>
add-vlan <vlan-id> Redirects matching traffic to the
specified VLAN by tagging the
untagged traffic and adding an
additional tag to tagged traffic:
• vlan-id: in the range of
<1-4092>
no add-vlan [<vlan-id>] Removes the traffic redirection:
• vlan-id: (optional) in
the range of <1-4092>
dscp <value> Changes the DSCP value in the IP
header of the packet:
• value: the new DSCP
value in the range of
<0-63>
no dscp [<value>] Removes the defined DSCP value
inner-vpt <priority> Changes the VLAN Priority Tag (VPT)
in the inner-VLAN tag header:
• priority: the new VPT
value in the range of
<0–7>
no inner-vpt [<priority>] Removes the defined VPT:
• priority: (optional) in
the range of <0–7>
vpt <priority> Changes the VLAN Priority Tag (VPT)
in the outer-VLAN tag header:
• priority: the new VPT
value in the range of
<0-7>
no vpt [<priority>] Removes the defined VPT:
• priority: (optional) in
the range of <0–7>
Command Description
show port ether-type-access-group [NAME | <500-599>] [in | out | vlan]
[monitoring-profile <profile-id> [statistics [fbrs-green-bps | fbrs-green-fps |
fbrs-match-counter-bps | fbrs-match-counter-fps | fbrs-not-green-bps |
fbrs-not-green-fps | fbrs-not-red-bps | fbrs-not-red-fps | fbrs-red-bps |
fbrs-red-fps | fbrs-yellow-bps | fbrs-yellow-fps | green-bps | green-fps |
match-counter-bps | match-counter-fps | not-green-bps | not-green-fps |
not-red-bps | not-red-fps | red-bps | red-fps | yellow-bps | yellow-fps]]]
Displays information about the EtherType ACGs, filtered by the commands’
arguments:
• NAME: a string of <1–10> characters
• acl-number: in the range of <500-599>
• in: only ingress ACGs
• out: only egress ACGs
• monitoring-profile: the rate, in frame per second and bytes per second,
of transmitted packets that are marked as red, green, or yellow on a
selected port
• profile-id: any number
• statistics: counts match packets
• vlan: only VLAN traffic redirection ACLs
show running-config ether-type access-list
Displays information about the EtherType ACLs
show running-config ether-type access-list [NAME | <500-599>] [remark REMARK |
rule {<1-250> | {action {deny | permit} | ether-type <type> |
inner-vlan <vlan-id> [inner-vlan-mask <vlan-mask>] | inner-vpt <priority> |
precedence TYPE | tos {<0-7> | max-reliability | max-throughput | min-delay |
min-monetary-cost | normal} | vlan <vlan-id> [vlan-mask <vlan-mask>] |
vpt <priority>}}]
Displays information about the EtherType ACLs, filtered by the commands’
arguments
Profile Meaning
bandwidth-monitoring-green-notgreen-bps  The current rate, in bytes per second (bps) of green and not green packets
bandwidth-monitoring-green-notgreen-fps  The current rate, in frames per second (fps) of green and not green packets
bandwidth-monitoring-green-red-fps  The current rate, in frames per second (fps) of green and red packets
bandwidth-monitoring-green-yellow-bps  The current rate, in bytes per second (bps) of green and yellow packets
bandwidth-monitoring-red-yellow-fps  The current rate, in frames per second (fps) of red and yellow packets
bandwidth-monitoring-red-notred-fps  The current rate, in frames per second (fps) of red and not red packets
bandwidth-monitoring-match-counter-bps  The current rate, in bytes per second (bps) of transmitted packets
bandwidth-monitoring-red-yellow-bps  The current rate, in bytes per second (bps) of red and yellow packets
bandwidth-monitoring-match-counter-fps  The current rate, in frames per second (fps) of transmitted packets
bandwidth-monitoring-green-red-bps  The current rate, in bytes per second (bps) of green and red packets
bandwidth-monitoring-green-yellow-fps  The current rate, in frames per second (fps) of green and yellow packets
bandwidth-monitoring-red-notred-bps  The current rate, in bytes per second (bps) of red and not red packets
match-counter-fps  Counter of transmitted packets, in frames
match-counter-bps  Counter of transmitted packets, in bytes
rate-limit-statistics-red-notred-fps  Counter of red and not red packets, in frames
FC Description
be The FC to be mapped is the Best-Effort Forwarding Class
l2 The FC to be mapped is the Low-2 Forwarding Class
af The FC to be mapped is the Assured Forwarding Class
l1 The FC to be mapped is the Low-1 Forwarding Class
h2 The FC to be mapped is the High-2 Forwarding Class
ef The FC to be mapped is the Expedited Forwarding Class
h1 The FC to be mapped is the High-1 Forwarding Class
nc The FC to be mapped is the Network Control Forwarding Class
Value Description
0x0000–0x05DC IEEE 802.3 length
0x0800 IP (Internet Protocol)
0x0806 ARP (Address Resolution Protocol)
0x8035 DRARP (Dynamic RARP), RARP (Reverse Address Resolution Protocol)
0x80F3 AARP (AppleTalk Address Resolution Protocol)
0x8137 IPX (Internet Packet Exchange)
0x86DD IPv6 (Internet Protocol version 6)
0x880B PPP (Point-to-Point Protocol)
0x880C GSMP (General Switch Management Protocol)
0x8847 MPLS (Multi-Protocol Label Switching) unicast
0x8848 MPLS (Multi-Protocol Label Switching) multicast
0x8863 PPPoE (PPP Over Ethernet) Discovery Stage
0x8864 PPPoE (PPP Over Ethernet) PPP Session Stage
0x88BB LWAPP (Light Weight Access Point Protocol)
0x8E88 EAPOL (EAP over LAN)
0xFFFF Reserved
3. Apply the configured ACL on port 1/1/1 and redirect the matching traffic
to VLAN 200 by changing the VLAN ID in the packet header:
device-name(config)#port 1/1/1
device-name(config-port-1/1/1)#ip-access-group-extended 100 vlan
device-name(config-ip-access-group-extended-100/vlan)#vlan 200
device-name(config-ip-access-group-extended-100/vlan)#commit
Commit complete.
4. Apply the configured ACL on port 1/1/2, limit the outgoing traffic to
5M, and remark the DSCP value to 44:
device-name(config)#port 1/1/2
device-name(config-port-1/1/2)#ip-access-group-extended 100 out
device-name(config-ip-access-group-extended-100/out)#rate-limit single cir 5000 cbs 16
device-name(config-rate-limit-single)#exit
device-name(config-ip-access-group-extended-100/out)#dscp 44
device-name(config-ip-access-group-extended-100/out)#commit
Commit complete.
Overview
Today’s networks transmit data streams for various applications using many
different protocols. Different types of traffic sharing a data path through the
network can interact in ways that affect their application performance. Traffic
prioritization becomes especially important when delay-sensitive, interactive
applications are supported across the network. In many cases a guaranteed level
of throughput is part of contractual obligations between the network operator
and customers or third-party service providers.
Policy-based Quality of Service (QoS) allows the user to specify different
service levels for traffic traversing the device. Policy-based QoS is an effective
control mechanism for networks that have heterogeneous traffic patterns. Using
Policy-based QoS, the user can specify the service level for a traffic type or
host.
QoS controls congestion by determining the order in which packets are
transmitted based on priorities assigned to those packets. QoS queuing policies
can protect bandwidth for important categories of applications, or specifically
limit the bandwidth associated with less critical traffic. For example, if Voice
over IP (VoIP) traffic requires a reserved amount of bandwidth to function
properly, QoS policies can reserve sufficient bandwidth for this type of
application. Other applications deemed less critical can be limited in their
bandwidth usage.
During periods of light traffic, QoS policies have little effect, and packets are
transmitted as soon as they arrive. During periods of congestion, outbound
packets accumulating at a port are sorted into eight queues. They are
transmitted from the queues according to the queuing mechanism configured
for the port.
Overview
When using the QoS feature, each physical port sorts inbound and outbound traffic
into eight queues for the QoS processing.
The user controls Quality of Service behavior in two ways:
• By configuring the criteria used to sort inbound and outbound packets into
  the eight queues. In addition, you can use both VPT and DSCP
  values for mapping purposes.
• By selecting the queuing mechanism to be applied to the outbound queues.
Three basic queuing mechanisms are provided:
• Strict Priority (SP) queuing sets the eight queues in a rigid order, and
  always transmits packets from the highest-priority queue that has
  packets waiting
• Weighted Round-Robin (WRR) queuing lets the user assign a
  relative weight to each queue, which determines the bandwidth
  assigned to each queue relative to the others
• Deficit Round-Robin (DRR) is a modification of WRR in which
  knowing the exact packet size is not required. A maximum packet size
  number is subtracted from the packet length, and packets that exceed
  that number are held back until the next visit of the scheduler.
In addition, several hybrid queuing schemes are available, which combine the
Weighted/Deficit Round-Robin and Strict Priority mechanisms.
When the device detects ingress traffic that contains 802.1p prioritization
information, the traffic is mapped to various hardware queues on the egress
port of the device (the exact mapping also depends on the employed trust
mode). The transmitting hardware queue determines the bandwidth
management and priority characteristics used when transmitting packets.
By default, 802.1p priority information is not replaced or manipulated, and the
information observed on ingress is preserved when the packet is transmitted.
This behavior is not affected by the switching or routing configuration of the
device. However, the device is capable of inserting and/or overwriting 802.1p
priority information when it transmits an 802.1Q tagged frame (in trust mode).
The 802.1p priority information that is transmitted is determined by the
hardware queue that is used when transmitting the packet.
When a packet arrives at the device on an ingress port, the device examines the
first six of eight ToS bits, called the code point. Depending on the trust mode,
the device can assign the QoS priority used to subsequently transmit the packet
based on the code point. The QoS priority controls a hardware queue used
when transmitting the packet out of the device, and determines the forwarding
characteristics of a particular code point.
An advantage of marking the DSCP field is that the class of service
information can be carried throughout the network infrastructure, without
repeating complex traffic policies at each device location. Another advantage is
that end stations can perform their own packet marking on an application-
specific basis. The application software can observe and manipulate the
Differentiated Services Code Point (DSCP) information with no performance
penalty.
Differentiated Services
Differentiated Services (DiffServ) is a multiple service model that can satisfy
differing QoS requirements. However, unlike in the integrated service model,
an application using DiffServ does not explicitly signal the router before
sending data.
For differentiated services, the network tries to deliver a particular kind of
service based on the QoS specified by each packet. This specification can occur
in different ways, for example, using the IP Precedence bit or the 6-bit
Differentiated Services Code Point (DSCP) setting in IP packets, or source and
destination addresses. The network uses the QoS specification to classify,
mark, shape, and police traffic, and to perform intelligent queuing.
The differentiated services model is used for several mission-critical
applications and for providing end-to-end QoS. Typically, this service model is
appropriate for aggregate flows because it performs a relatively coarse level of
traffic classification.
The ToS fields are described in Table 9-1 and Table 9-2.
Per-Hop Behaviors
RFC 2475 defines PHB as the externally observable forwarding behavior
applied at a DiffServ-compliant node to a DiffServ Behavior Aggregate (BA).
The system can mark packets according to DSCP setting. This allows
collections of packets with the same DSCP setting to be grouped into a BA.
Packets from multiple sources or applications can belong to the same BA.
Per Hop Behavior (PHB) refers to the packet scheduling, queuing, policing, or
shaping behavior of a node on any given packet belonging to a BA, as
configured by a service level agreement (SLA) or a policy map.
The following sections describe the four available standard PHBs:
• Default PHB (as defined in RFC 2474)
• Class-Selector PHB (as defined in RFC 2474)
• Assured Forwarding (AFny) PHB (as defined in RFC 2597)
• Expedited Forwarding (EF) PHB (as defined in RFC 2598)
Default PHB
The default PHB essentially specifies that a packet marked with a DSCP value
of 000000 (recommended) receives the traditional best-effort service from a
DS-compliant node (that is, a network node that complies with the entire core
DiffServ requirements). Also, if a packet arrives at a DS-compliant node, and
the DSCP value is not mapped to any other PHB, the packet will be mapped to
the default PHB.
For more information about default PHB, refer to RFC 2474, Definition of the
Differentiated Services Field in IPv4 and IPv6 Headers.
Class-Selector PHB
To preserve backward-compatibility with any IP precedence scheme currently
in use on the network, DiffServ defines a DSCP value in the form xxx000,
where x is either 0 or 1. These DSCP values are called Class-Selector Code
Points (the DSCP value for a packet with default PHB 000000 is also called the
Class-Selector Code Point).
The PHB associated with a Class-Selector Code Point is a Class-Selector PHB.
These Class-Selector PHBs retain most of the same forwarding behavior as nodes
that implement IP Precedence-based classification and forwarding.
For example, packets with a DSCP value of 110000 (the equivalent of the IP
Precedence-based value of 110) have preferential forwarding treatment (for
scheduling, queuing, and so on), as compared to packets with a DSCP value of
100000 (the equivalent of the IP Precedence-based value of 100). These Class-
Selector PHBs ensure that DS-compliant nodes can coexist with IP Precedence-
based nodes.
For more information about Class-Selector PHB, refer to RFC 2474, Definition
of the Differentiated Services Field in IPv4 and IPv6 Headers.
The following table lists the DSCP value and corresponding dP value for each
AF PHB class.
Table 9-3: DSCP Values and Corresponding Drop Precedence, by AF PHB Class
Drop Precedence
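The ToS-byte decoding described in the PHB sections above, as an added example (not code from the manual or the device). The AF and EF code points follow RFC 2597 and RFC 2598, which the page cites; `classify_tos` and the sample bytes are constructed for illustration.

```python
"""Decode an IPv4 ToS byte into its DSCP and the standard DiffServ PHB."""

EF_DSCP = 0b101110  # Expedited Forwarding code point (RFC 2598)


def classify_tos(tos):
    """Return (dscp, phb_name, ip_precedence) for one ToS byte (0-255)."""
    if not 0 <= tos <= 0xFF:
        raise ValueError("ToS is a single byte")
    dscp = tos >> 2          # the first six of the eight bits are the code point
    precedence = dscp >> 3   # top three bits: legacy IP Precedence value
    low = dscp & 0b111       # low three bits of the code point

    if dscp == 0:
        phb = "Default"                      # 000000, best effort
    elif low == 0:
        phb = f"CS{precedence}"              # xxx000, Class-Selector
    elif dscp == EF_DSCP:
        phb = "EF"
    elif 1 <= precedence <= 4 and low in (0b010, 0b100, 0b110):
        # AFny: n is the class (1-4), y is the drop precedence (1-3)
        phb = f"AF{precedence}{low >> 1}"
    else:
        # A code point not mapped to any other PHB falls back to the default PHB
        phb = "Default"
    return dscp, phb, precedence


# Constructed sample ToS bytes (not captured traffic).
SAMPLES = [
    0x00,  # DSCP 000000
    0xC0,  # DSCP 110000, equivalent of IP Precedence 110
    0x80,  # DSCP 100000, equivalent of IP Precedence 100
    0xB8,  # DSCP 101110
    0xBB,  # same DSCP with the two trailing non-DSCP bits set
    0x28,  # DSCP 001010
    0x98,  # DSCP 100110
    0xB0,  # DSCP 44, the value remarked in the ACL example on this page
]

if __name__ == "__main__":
    for tos in SAMPLES:
        dscp, phb, prec = classify_tos(tos)
        print(f"ToS 0x{tos:02X}  DSCP {dscp:06b} ({dscp:2d})  precedence {prec}  PHB {phb}")
```

DSCP 44 is not one of the four standard PHBs listed above, so this model treats it as best effort unless a mapping profile assigns it a forwarding class.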
Benefits
The benefits of implementing Differentiated Services include the following:
• Reduced burden on network devices and easy scalability as the network
  grows
• Customers can keep any existing Layer 3 ToS prioritization scheme that
  may be in use
• Customers can mix DiffServ-compliant devices with any existing ToS-enabled
  equipment in use
• Bottlenecks are alleviated through efficient management of network
  resources
Traffic Scheduling
Traffic scheduling features allow the user to control congestion by determining
the order in which packets are transmitted based on priorities assigned to those
packets. Congestion management entails the creation of queues, assignment of
packets to those queues based on the packet classification, and scheduling of
the packets in a queue for transmission. If the user uses congestion
management features, packets accumulating at a port are queued until the port
is free to transmit them; they are then scheduled for transmission according to
their assigned priority and the queuing mechanism configured for the port. The
router determines the order of packet transmission by controlling which packets
are placed in which queue and how queues are serviced with respect to each
other.
Benefits of SP Queuing
SP provides absolute preferential treatment to high priority traffic, ensuring that
mission-critical traffic traversing various WAN links gets priority treatment. In
addition, SP provides a faster response time than do other methods of queuing.
The weighting factors are specified as relative percentages. The values for all
the queues must be positive, and must add up to ten or 100.
Relative percentages are calculated by byte counts rather than by packets, thus
providing a greater degree of bandwidth fairness. For example, suppose one
protocol has 500-byte packets, another has 300-byte packets, and a third has
100-byte packets. If the user wants to split the bandwidth evenly across all
three protocols, the user might choose to specify byte counts of 200, 200, and
200 for each queue. However, this configuration does not result in a 33/33/33
ratio of bandwidth usage. When the router services the first queue, it sends a
single 500-byte packet; when it services the second queue, it sends a 300-byte
packet; and when it services the third queue, it sends two 100-byte packets. The
effective ratio is 50/30/20 - setting the byte count too low can result in an
unintended bandwidth allocation.
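The 500/300/100-byte case above, worked through in code as an added example (not code from the manual or the device). The byte-count service rule is modelled from the paragraph's description, and `deficit_rr` uses the textbook deficit round-robin algorithm, which is an assumption about how a DRR scheduler behaves rather than a statement about this device.

```python
"""Byte-count weighted round-robin versus deficit round-robin (constructed model)."""


def byte_count_wrr(packet_sizes, byte_counts, rounds):
    """Serve each queue once per round until its byte count is met or exceeded.

    Packets are never split, so a packet larger than the remaining byte
    count is still sent whole. Every queue is assumed to be always backlogged
    with packets of one fixed size. Returns the bytes sent per queue.
    """
    sent = [0] * len(packet_sizes)
    for _ in range(rounds):
        for q, (size, quota) in enumerate(zip(packet_sizes, byte_counts)):
            served = 0
            while served < quota:
                served += size
            sent[q] += served
    return sent


def deficit_rr(packet_sizes, quantum, rounds):
    """Textbook DRR: a packet is sent only if the queue has enough credit.

    Credit that is not spent in one visit carries over to the next, so a
    packet larger than the quantum is held back until enough has accumulated.
    """
    sent = [0] * len(packet_sizes)
    deficit = [0] * len(packet_sizes)
    for _ in range(rounds):
        for q, size in enumerate(packet_sizes):
            deficit[q] += quantum
            while deficit[q] >= size:
                deficit[q] -= size
                sent[q] += size
    return sent


def shares(sent):
    """Bandwidth share of each queue as a rounded percentage."""
    total = sum(sent)
    return [round(100 * s / total) for s in sent]


if __name__ == "__main__":
    sizes = [500, 300, 100]  # packet sizes of the three protocols in the text

    low = byte_count_wrr(sizes, [200, 200, 200], rounds=10)
    print("byte count 200 :", shares(low))      # the skewed split from the text

    high = byte_count_wrr(sizes, [1500, 1500, 1500], rounds=10)
    print("byte count 1500:", shares(high))     # a common multiple of all sizes

    drr = deficit_rr(sizes, quantum=200, rounds=15)
    print("DRR quantum 200:", shares(drr))      # fair despite the small quantum
```

A byte count that is a common multiple of the packet sizes restores the even split under plain byte-count WRR, while the deficit counter reaches the same split with the original small value.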
The following figure shows how WRR queuing behaves in a four-queue
architecture.
MDRR Scheduling
These scheduling methods combine Strict Priority queuing and DRR
scheduling. One or more queues are serviced with strict priority, whereas the
rest of the queues are serviced in accordance with the MDRR algorithm.
MDRR Queuing guarantees immediate delivery of packets from high-ranking
queues while avoiding starvation of the lowest-ranking queues.
The following table explains the available MDRR scheduling algorithms.
Table 9-4: Modified Deficit Round-Robin Queuing Algorithms
Hybrid Scheduling
This scheduling method combines SP queuing and WRR scheduling. Queues
with higher priority are serviced with SP while the remaining queues are
serviced in accordance with WRR, after the higher priority queues are empty.
SP/WRR hybrid scheduling guarantees immediate delivery of packets from
high-ranking queues while avoiding lowest-ranking queues’ starvation.
The following table explains the available hybrid scheduling algorithms.
Table 9-5: Hybrid Scheduling Algorithms
Profiles
Profiles are used within QoS policies. Each profile includes a set of
configurable values that can be applied.
The device supports the following QoS profile types:
• Congestion Avoidance Profile:
  Tail-drop
• Mapping Profile:
  Maps L2 (VPT)- or L3 (DSCP)-marked traffic (or both) to particular
  Forwarding Classes (FCs) and traffic colors.
• Scheduling Profile:
  Specifies the queuing/scheduling algorithm to apply to a queue. (Refer
  to Traffic Scheduling for details.)
• Shaper Profile:
  Specifies the shaping algorithm to apply to a port or a queue.
Port-Related Policies
The device supports the following port-related QoS policies:
• Port Ingress Policy
  Applied per port.
  Applies mapping of VPT/DSCP values to Forwarding Class (FC) and
  traffic color through a mapping profile.
  Applies trust mode of the VPT/DSCP values to the ingress traffic.
• Port Egress Policy
  Applied per port.
  Applies scheduling algorithms through a scheduling profile.
  Applies a shaper per port, per queue, or both through a shaper profile.
Order of Configuration
1. Define and configure the following profiles:
• the mapping profiles
• the shaper profiles
• the scheduling profiles
For details on the respective configuration commands, see "QoS Profile
Configuration Commands Hierarchy".
Profile   Yellow Threshold   Red Threshold
1         50                 100
2         20                 100
Traffic Storm-Control
The traffic storm-control feature prevents LAN ports from being disrupted by a
broadcast, multicast, and/or unicast traffic storm. This mechanism regulates the
rate at which devices forward the traffic. Traffic storm-control monitors
incoming traffic rates over a 1-second storm-control interval and compares this
traffic rate with the traffic storm-control rate that you configure. When the port
threshold is met, all incoming traffic on the port is dropped.
QoS Commands
Command Description
qos Enters QoS mode
congestion-avoidance-profile tail-drop <profile-id> Specifies a congestion avoidance tail-drop profile to configure and enters configuration mode for that profile:
• profile-id: ID of the tail-drop profile, the valid range is <1-8>
• 1, 2: IDs of the default tail-drop congestion avoidance profiles; for details, refer to §Default Settings
no congestion-avoidance-profile tail-drop [<profile-id>] Deletes the specified congestion avoidance tail-drop profile or, when used without a parameter, deletes all congestion avoidance tail-drop profiles.
• profile-id: ID of the tail-drop profile to delete
Note: Default congestion avoidance tail-drop profiles cannot be deleted.
description DESCRIPTION Assigns a description to the configured profile:
• DESCRIPTION: a string of <1-150> characters
no description Removes the assigned description
yellow-threshold <threshold-percent> Yellow threshold of the specified tail-drop profile, as a percentage value. This is the maximum allowed queue size for packets marked as yellow, as a percentage of the size of the entire queue. The yellow threshold must be lower than or equal to the red threshold.
• threshold-percent: yellow threshold percentage, the valid range is <0-100>
no yellow-threshold <threshold-percent> Restores to default
mapping-profile PROFILE-NAME Specifies a mapping profile to configure and enters configuration mode for that profile:
• PROFILE-NAME: name of the mapping profile, a string of <1-32> characters
• Global and defMapProf (default mapping profiles)
For more information on default profiles, see QoS Default Configuration.
no mapping-profile [PROFILE-NAME] Deletes the specified mapping profile or, when used without a parameter, deletes all mapping profiles.
• PROFILE-NAME: name of the mapping profile to delete
any-untrust-to-fc color {green | yellow} Assigns the specified color to all untrusted ingress traffic:
• green: assigns green color to the traffic
• yellow: assigns yellow color to the traffic
no any-untrust-to-fc color Restores to default
any-untrust-to-fc fc {be | l2 | af | l1 | h2 | ef | h1 | nc} Assigns the specified FC to all untrusted ingress traffic:
• be: assigns be FC to the traffic
• l2: assigns l2 FC to the traffic
• af: assigns af FC to the traffic
• l1: assigns l1 FC to the traffic
• h2: assigns h2 FC to the traffic
• ef: assigns ef FC to the traffic
• h1: assigns h1 FC to the traffic
• nc: assigns nc FC to the traffic
no any-untrust-to-fc fc Restores to default
description DESCRIPTION Assigns a description to the configured profile:
• DESCRIPTION: a string of <1-150> characters
no description Removes the assigned description
scheduling-profile <profile-id> Specifies a scheduling profile to configure and enters configuration mode for that profile:
• profile-id: ID of the mapping profile, the valid range is <1-8>
no scheduling-profile [<profile-id>] Deletes the specified scheduling profile or, when used without a parameter, deletes all mapping profiles.
• profile-id: ID of the scheduling profile to delete
scheduling-type {drr | hybrid-1 | hybrid-2 | hybrid-3 | hybrid-4 | hybrid-5 | hybrid-6 | mdrr-1 | mdrr-2 | mdrr-3 | mdrr-4 | mdrr-5 | mdrr-6 | sp | wrr}
Specifies the type of queuing/scheduling to be employed by the configured profile. For an explanation of the algorithm behind each scheduling type, see "WRR/MDDR Hybrid Queuing" and "Hybrid Scheduling".
• drr: specifies Deficit Round-Robin (DRR) scheduling
• hybrid-1: specifies scheduling according to the first hybrid algorithm
• hybrid-2: specifies scheduling according to the second hybrid algorithm
• hybrid-3: specifies scheduling according to the third hybrid algorithm
• hybrid-4: specifies scheduling according to the fourth hybrid algorithm
• hybrid-5: specifies scheduling according to the fifth hybrid algorithm
• hybrid-6: specifies scheduling according to the sixth hybrid algorithm
• mdrr-1: specifies scheduling according to the first Modified Deficit Round-Robin (MDRR) algorithm
• mdrr-2: specifies scheduling according to the second MDRR algorithm
• mdrr-3: specifies scheduling according to the third MDRR algorithm
• mdrr-4: specifies scheduling according to the fourth MDRR algorithm
• mdrr-5: specifies scheduling according to the fifth MDRR algorithm
• mdrr-6: specifies scheduling according to the sixth MDRR algorithm
• sp: specifies Strict Priority (SP) scheduling
• wrr: specifies Weighted Round-Robin (WRR) scheduling
shaper-profile port <profile-id> Specifies a port shaper profile to configure and enters configuration mode for that profile:
• profile-id: ID of the port shaper profile, the valid range is <1-8>
no shaper-profile port [<profile-id>] Deletes the specified port shaper profile or, when used without a parameter, deletes all port shaper profiles.
• profile-id: ID of the port shaper profile to delete
cbs <cbs> Specifies the Committed Burst Size (CBS) for the shaper profile, in kilobytes:
• cbs: the valid range is <1-1048575>
• 64
no cbs Restores to default
cir <cir> Specifies the Committed Information Rate (CIR) for the shaper profile, in kilobytes per second:
• cir: the valid range is <1-1048575>
• 100000
no cir Restores to default
description DESCRIPTION Assigns a description to the configured profile:
• DESCRIPTION: a string of <1-150> characters
no description DESCRIPTION Removes the assigned description
Command Description
qos Enters QoS mode
port-egress-policy POLICY-NAME Specifies a port egress policy to configure and enters configuration mode for that policy:
• POLICY-NAME: name of the specified policy, a string of <1-64> characters
• defEgPol: name of the default egress policy; for details, refer to §Default Settings
no port-egress-policy POLICY-NAME Deletes the specified port egress policy:
• POLICY-NAME: name of the specified policy
congestion-avoidance tail-drop <profile-id> Assigns congestion avoidance tail-drop profile to the policy. The profile is selected from the available congestion avoidance tail-drop profiles.
• profile-id: ID of the assigned profile
no congestion-avoidance tail-drop Removes the assigned congestion avoidance tail-drop profile from the configured policy
description DESCRIPTION Assigns a description to the configured policy:
• DESCRIPTION: a string of <1-150> characters
no description Removes the assigned description
queue <queue-id> Assigns queue to the configured policy and enters queue configuration mode for that queue:
• queue-id: ID of the assigned queue, the valid range is <1-8>
no queue <queue-id> Removes the specified queue from the configured policy:
• queue-id: ID of the queue to remove from the policy
congestion-avoidance tail-drop <profile-id> Specifies congestion avoidance tail-drop profile to apply to the queue. The profile is selected from the available congestion avoidance tail-drop profiles.
• profile-id: ID of the specified profile
no congestion-avoidance tail-drop Removes from the queue the applied congestion avoidance tail-drop profile
shaper-profile <profile-id> Specifies shaper profile to apply to the queue. The profile is selected from the available shaper profiles:
• profile-id: ID of the specified profile
no shaper-profile Removes from the queue the applied shaper profile
scheduling-profile <profile-id> Assigns scheduling profile to the configured policy. The profile is selected from the available scheduling profiles.
• profile-id: ID of the assigned profile
no scheduling-profile Removes the assigned scheduling profile from the policy
shaper-profile <profile-id> Assigns a shaper profile to the configured policy. The profile is selected from the available shaper profiles.
• profile-id: ID of the assigned profile
no shaper-profile Removes the shaper scheduling profile from the policy
port-ingress-policy POLICY-NAME Specifies a port ingress policy to configure and enters configuration mode for that policy:
• POLICY-NAME: name of the specified policy, a string of <1-64> characters
• defInPol: name of the default ingress policy; for details, refer to §Default Settings
no port-ingress-policy POLICY-NAME Deletes the specified port ingress policy:
• POLICY-NAME: name of the specified policy, a string of <1-64> characters
description DESCRIPTION Assigns a description to the configured policy:
• DESCRIPTION: a string of <1-150> characters
no description DESCRIPTION Removes the assigned description
mapping-profile PROFILE-NAME Assigns mapping profile to the configured policy. The profile is selected from the available mapping profiles.
• PROFILE-NAME: name of the assigned profile
no mapping-profile Removes the mapping profile from the policy
trust-mode {trust-dscp | trust-preserve-priority | trust-priority | trust-priority-and-dscp | untrust} Specifies the ingress traffic trust mode to be applied by the configured policy:
• trust-dscp: trusts all DSCP-marked ingress traffic
• trust-priority: trusts all VPT-marked ingress traffic
• trust-priority-and-dscp: trusts all DSCP- and VPT-marked ingress traffic; the DSCP-marked traffic has higher precedence than the VPT traffic
• untrust: untrusts all ingress traffic
no trust-mode Removes the ingress traffic trust mode that has been specified for the policy
Command Description
config terminal Enters Configuration mode
port UU/SS/PP Specifies a port to configure with port ingress/egress policies and enters QoS port configuration mode for that port:
• UU/SS/PP: 1/1/1-1/1/24, 1/2/1-1/2/4
no port UU/SS/PP Removes the port from the configuration:
• UU/SS/PP: 1/1/1-1/1/24, 1/2/1-1/2/4
qos-egress-policy POLICY-NAME Specifies port egress policy to apply to the configured port. The policy is selected from the available port egress policies.
• POLICY-NAME: name of the specified policy, a string of <1-64> characters
no qos-egress-policy Restores the default port egress policy on the specified port.
qos-ingress-policy POLICY-NAME Specifies the port ingress policy to apply to the configured port. The policy is selected from the available port ingress policies.
• POLICY-NAME: name of the specified policy, a string of <1-64> characters
no qos-ingress-policy Removes service ingress policy on the specified port
Storm-Control Commands
Command Description
config terminal Enters the Configuration mode
ethernet Enters the Ethernet Configuration mode
storm-control Enters the Storm-control Configuration mode
no storm-control Removes the storm-control configurations
port UU/SS/PP Selects a port:
• UU/SS/PP: 1/1/1-1/1/24, 1/2/1-1/2/4
no port UU/SS/PP Removes the port from the configuration:
• UU/SS/PP: 1/1/1-1/1/24, 1/2/1-1/2/4
traffic-type broadcast [rate-threshold <rate>] Defines the upper threshold rate for broadcast traffic. The storm control action occurs when traffic utilization reaches this rate.
• rate: the valid range is <0–4294967295> packets per second (pps), which, calculated on 64-byte packet size basis, translates to the following limits (in pps):
  ▪ for 100-megabit ports: 148810
  ▪ for 1-gigabit ports: 1488095
  ▪ for 10-gigabit ports: 14880950
no traffic-type broadcast Restores to default
traffic-type multicast [rate-threshold <rate>] Defines the upper threshold rate for multicast traffic:
• rate: the valid range is <0–4294967295> packets per second (pps), which, calculated on 64-byte packet size basis, translates to the following limits (in pps):
  ▪ for 100-megabit ports: 148810
  ▪ for 1-gigabit ports: 1488095
  ▪ for 10-gigabit ports: 14880950
no traffic-type multicast Restores to default
traffic-type unknown [rate-threshold <rate>] Defines the upper threshold rate for unknown traffic:
• rate: the valid range is <0–4294967295> packets per second (pps), which, calculated on 64-byte packet size basis, translates to the following limits (in pps):
  ▪ for 100-megabit ports: 148810
  ▪ for 1-gigabit ports: 1488095
  ▪ for 10-gigabit ports: 14880950
no traffic-type unknown Restores to default
traffic-type all [rate-threshold <rate>] Defines the upper threshold rate for all traffic:
• rate: the valid range is <0–4294967295> packets per second (pps), which, calculated on 64-byte packet size basis, translates to the following limits (in pps):
  ▪ for 100-megabit ports: 148810
  ▪ for 1-gigabit ports: 1488095
  ▪ for 10-gigabit ports: 14880950
no traffic-type all Restores to default
shutdown Disables the storm-control on the port
• Disabled
no shutdown Enables the storm-control on the port
Command Description
show running-config qos Displays the current QoS configuration
show running-config qos congestion-avoidance-profile Displays all configured congestion avoidance profiles
show running-config qos congestion-avoidance-profile tail-drop [<profile-id>] Displays the specified tail-drop congestion avoidance profile or, when used without a parameter, displays all configured tail-drop congestion avoidance profiles.
• profile-id: ID of the tail-drop congestion avoidance profile to display
show running-config qos mapping-profile [PROFILE-NAME] Displays the specified mapping profile or, when used without a parameter, displays all configured mapping profiles.
• PROFILE-NAME: name of the mapping profile to display
show running-config qos port-egress-policy [POLICY-NAME] Displays the specified port egress policy or, when used without a parameter, displays all configured port egress policies.
• POLICY-NAME: name of the policy to display
show running-config qos port-ingress-policy [POLICY-NAME] Displays the specified port ingress policy or, when used without a parameter, displays all configured port ingress policies.
• POLICY-NAME: name of the policy to display
show running-config qos shaper-profile Displays all configured shaper profiles.
show running-config qos shaper-profile port [<profile-id>] Displays the specified port shaper profile or, when used without a parameter, displays all configured port shaper profiles.
• profile-id: ID of the port shaper profile to display
show running-config qos scheduling-profile [<profile-id>] Displays the specified scheduling profile or, when used without a parameter, displays all configured scheduling profiles.
• profile-id: ID of the scheduling profile to display
show running-config port {UU/SS/PP} Displays the configuration of the specified port, including the ingress/egress policies applied to it or, when used without a parameter, displays the configuration for all ports.
• UU/SS/PP: 1/1/1-1/1/24, 1/2/1-1/2/4
Configuration Examples
Overview
IEEE 802.1ag Connectivity Fault Management (CFM) refers to the ability of a
network to monitor the health of an end-to-end service delivered to customers
(as opposed to just links or individual bridges). The pre-standard IEEE 802.1ag
CFM feature, called MAC ping/trace route, defines the end-to-end OAM
capabilities that are intrinsic to Ethernet technology, enabling service providers
to monitor the Ethernet service that the customer receives.
The 802.1ag CFM standard specifies protocols, procedures, and managed
objects to support transport fault management. These allow:
• the discovery and verification of the path taken by frames addressed to and
  from specified network users
• the detection and isolation of a connectivity fault to a specific bridge or
  LAN
Ethernet CFM defines proactive and diagnostic fault localization procedures for
point-to-point and multipoint Ethernet Virtual Connections (EVC) that span
one or more links.
CFM Purpose
Bridges are increasingly used in networks operated by multiple independent
organizations, each with restricted management access to each other’s
equipment.
CFM provides capabilities for detecting, verifying, and isolating connectivity
failures in such networks, where multiple organizations are involved in
providing and using the Ethernet service (such as customers, service providers,
and operators).
Customers purchase Ethernet service from service providers. These service
providers may utilize their own networks or the networks of other operators to
provide connectivity for the requested service. Customers themselves may be
service providers. For example, a customer may be an Internet service provider
that sells Internet connectivity.
Operators need minimal Ethernet OAM, as opposed to providers, which need more
comprehensive Ethernet OAM for themselves and the ability to provide
customers with better monitoring functionality.
In order to validate the service quality and to perform fault verification on
Maintenance End Points (MEP) and Maintenance Intermediate Points (MIPs)
that belong to the organization, each organization defines its own maintenance
domain. These MEPs and MIPs are then linked to the relevant domain creating
a Maintenance Association (MA).
In the above figure two maintenance entities are shown: one comprising the
yellow MEPs and MIPs, the other comprising orange MEPs and MIPs.
Each MP along the path returns a unicast Linktrace Reply (LTR) back to the
originating MEP. The MEP then sends a single LTM to the next hop along the
trace path eventually determining the MAC address of all MIPs along the MA
and their precise location with respect to the originating MEP.
Defect Priority
Variable HighestDefect HighestDefectPri Importance
Disable Disable 6
xconCCMdefect DefXconCCM 5 most
errorCCMdefect DefErrorCCM 4
someRMEPCCMdefect DefRemoteCCM 3
someMACstatusDefect DefMACstatus 2
someRDIdefect DefRDICCM 1 least
CFM Commands
Command Description
config terminal Enters Configuration mode
oam Enters OAM Protocol Configuration
mode
no oam Removes the OAM configurations
cfm Enters CFM Protocol Configuration mode
no cfm Removes all CFM configurations
shutdown Disables CFM
no shutdown Enables CFM
domain-name DOMAIN-NAME
Command Description
service <id>
Command Description
fng-alarm-time <value> Defines the time interval for triggering a
Fault Alarm by all local MEPs from MA
in case of fault detection:
• value: in the range of
<250-1000> hundredths of a
second
• 250 hundredths of a second
no fng-alarm-time Restores to default
fng-reset-time <value> Defines the time interval for re-enabling
the Fault Alarm if no faults have been
detected:
• value: in the range of
<250-1000> hundredths of a
second
• 1000 hundredths of a second
no fng-reset-time Restores to default
format {icc | ieee} Defines the MA format:
• icc: domain name format
complying to ITU-T Y.1731
standard specifications
• ieee: domain name format
complying to IEEE 802.1ag
standard specifications
• ieee
hello-interval <value> Defines the time interval between two
successive CCMs sent by a MEP that is a
member of this MA:
• value: 1s, 10s, 1m, and
10m
• 1 second
no hello-interval Restores to default
mep <id> UU/SS/PP
Command Description
direction {up | down} Defines the direction in which the MEP
faces on the bridge port:
• up, down
ccm-enabled Enables the generation of CCM messages
by the MEP
no ccm-enabled Restores to default
• Disabled
ccm-priority Defines the VLAN priority assigned to all
CCM and LTM packets for a particular
MEP:
• priority: in the range of
<0-7>
• 6
no ccm-priority Restores to default
fng-alarm-time <value> Defines the time interval for which
defects must be present before a local
MEP generates a Fault Alarm:
• value: in the range of
<250-1000> hundredths of a
second
• 250 hundredths of a second
no fng-alarm-time Restores to default
fng-reset-time <value> Defines the time interval in which defects
must be absent before enabling a Fault
Alarm again:
• value: in the range of
<250-1000> hundredths of a
second
• 1000 hundredths of a second
no fng-reset-time Restores to default
fault-alarms-level Defines the defect priority for generating
<defect-priority> Fault Alarms. Defects can be either loss
of CCMs or a reception of cross
connected CCMs:
• defect–priority: in the
range of <1-6>
• Defect priority is 1 and alarms are
generated for all defect conditions
no fault-alarms-level Restores to default
Command Description
mip-policy Defines the conditions under which MIPs
are automatically created on ports:
• default: always creates
MIPs
• defer: adopts the setting
of the enclosing domain
• explicit: creates MIPs
only if a MEP exists on a
lower MD Level
• none: does not create any
MIPs for the specified MA
• defer
no mip-policy Restores the default MIP policy setting
sender-id-content {hostname | defer | all | management-address | none}
Configures the content of the Sender ID's Type Length Value (TLV) included in
most of the CFM packets sent by the MEPs:
• hostname: the Sender ID's TLV includes only the device hostname: the local
hostname is visible to all remote sites on the MA but the local management
address is hidden
• defer: adopts the setting of the enclosing domain
• all: the Sender ID's TLV includes both the hostname and the management
address of the device
• management-address: the Sender ID's TLV includes only the device's
management address: the local management mechanism and management address are
visible to all remote sites on the MA, but the local hostname is hidden
• none: does not send the Sender ID's TLV to remote MEPs: the chassis ID and
management information are hidden from all remote sites
• defer
no sender-id-content Restores to default
Command Description
format {none | string} Defines the format of the domain name:
• none: the name will not
appear in the MA ID
• string: the name will
appear in the MAID as
string
mip-policy Defines the conditions in which MIPs are
automatically created on ports:
• default: always creates
MIPs
• explicit: creates MIPs
only if a MEP exists on a
lower MD Level
• none: does not create any
MIPs for the specified MA
• none
no mip-policy Restores to default
sender-id-content Configures the content of the Sender ID's
Type Length Value (TLV) included in
most of the CFM packets sent by the
MEPs:
• hostname: the Sender ID's
TLV includes only the
device hostname: the local
hostname is visible to all
remote sites on the MA,
but the local management
address is hidden
• all: the Sender ID's TLV
includes both the hostname
and the management address
of the device
• management-address: the
Sender ID's TLV includes
only the device's
management address: the
local management mechanism
and management address are
visible to all remote
sites on the MA but the
local hostname is hidden
• none: does not send the
Sender ID's TLV to remote
MEPs: the chassis ID and
management information are
hidden from all remote
sites
• none
no sender-id-content Restores to default
Command Description
threshold-profile <threshold- Creates a CFM profile with a specified
profile id> name and enters Monitoring Profile
Configuration mode:
• threshold-profile id: in
the range of <1-64>
• When the CFM protocol is enabled, a
default profile is created
automatically
no threshold-profile Restores to default
[threshold-profile id]
one-way-jitter-error <value> Configures the one-way jitter error
monitoring:
• value: in the range of <1-
10000> milliseconds
• 350 milliseconds
no one-way-jitter-error Restores to default
one-way-jitter-warning Configures the one-way jitter warning
<value> monitoring:
• value: in the range of <1-
10000> milliseconds
• 300 milliseconds
no one-way-jitter-warning Restores to default
frame-loss-error <error– Specifies the threshold for the two-way
threshold> frame-loss error monitoring:
• error–threshold: in the
range of <1-99>%
• 10% frame loss
no frame-loss-error Restores to default.
frame-loss-warning <warning Specifies the threshold for the two-way
–threshold> frame-loss warning monitoring:
• warning–threshold: in the
range of <0-99>%. If you
specify a value that is
higher than the frame-
loss-error value, the
frame-loss-warning will be
disabled
• 8% frame loss
no frame-loss-warning Restores to default
frame-loss-monitoring Enables frame-loss monitoring
• Enabled
no frame-loss-monitoring Disables the frame loss monitoring
round-trip-jitter-error Specifies error value of the two-way jitter
<value> error monitoring:
• value: in the range of <1-
10000> milliseconds
• 700 milliseconds
no round-trip-jitter-error Restores to default
round-trip-jitter-error- Specifies the duration of the two-way
period <value> jitter error:
• value: in the range of <1-
3600> seconds
• 90 seconds
no round-trip-jitter-error- Restores to default
period
round-trip-jitter-warning Specifies the warning value for the two-
<value> way jitter warning monitoring:
• value: in the range of <1-
10000> milliseconds
• 600 milliseconds
no round-trip-jitter-warning Restores to default
round-trip-jitter-warning- Specifies the duration of the two-way
period <value> jitter warning:
• value: in the range of <1-
3600> seconds
• 180 seconds
no round-trip-jitter-warning- Restores to default
period
round-trip-jitter-monitoring Enables round-trip jitter monitoring
<true | false>
• True
no round-trip-jitter- Restores to default.
monitoring
round-trip-latency-error Specifies the threshold for the two-way
<value> latency error monitoring:
• value: in the range of <1-
10000> milliseconds
• 2000 milliseconds
no round-trip-latency-error Restores to default
round-trip-latency-error- Specifies the duration of latency error
period <value> increase:
• value: in the range of <1-
3600> seconds
• 90 seconds
no round-trip-latency-error- Restores to default
period
round-trip-latency-warning Specifies the threshold for the two-way
<value> latency warning:
• value: in the range of <1-
10000> milliseconds
• 1600 milliseconds
no round-trip-latency-warning Restores to default
round-trip-latency-warning- Specifies the duration of the latency
period <value> warning increase:
• value: in the range of <1-
3600> seconds
• 180 seconds
no round-trip-latency- Restores to default
warning-period
round-trip-latency-monitoring Enables round-trip latency monitoring
no round-trip-latency-monitoring Disables the round-trip latency monitoring
results-bucket-size <size> Specifies the number of results to be
stored for jitter calculation:
• size: in the range of <2-
255>
• 20 results
no results-bucket-size Restores to default
priority <priority> Specifies the 802.1p class-of-service:
• value: in the range of <0-
7>
• 0
no priority Restores to default
rate <rate> Specifies the number of the Loopback
Request packets:
• rate: in the range of <1-
3>
• 1 packet
no rate Restores to default
tlv-size <size> Specifies the size of the Loopback
Request packets, in bytes:
• size: in the range of <0-
1462>
• 0 bytes
no tlv-size Restores to default
update-interval <value> Specifies the time interval for updating
the monitoring parameters (one-way
jitter, two-way jitter, latency, and frame
loss):
• value: in the range of <0-
65535> seconds. A value 0
suspends the monitoring
task and a value different
from 0 resumes it
• 20 seconds
no update-interval Restores to default
test <id> DOMAIN-NAME MA-NAME <threshold-profile id> [repeat-interval number]
Tests the connectivity:
• id: in the range of <1-256>
• DOMAIN-NAME: a string of <1-22> characters
• MA-NAME: a string of <1-22> characters
• threshold-profile id: in the range of <1-64>
• number: the repeat interval in the range of <1-420>
no test <id> DOMAIN-NAME MA-NAME <threshold-profile id> [repeat-interval]
Stops the testing
Command Description
oam cfm linktrace domain DOMAIN-NAME ma MA-NAME mep <id> {target-mep <target-mep-id> | target-mip HH:HH:HH:HH:HH:HH} [timeout <value> | ttl <value>]
Sends a linktrace message to a specified MEP or MIP in the domain:
• DOMAIN-NAME: a string of <1-22> characters
• MA-NAME: a string of <1-22> characters
• mep <id>: the source MEP ID, in the range of <1–8191>
• target-mep <target-mep-id>: the linktrace destination MEP ID, in the range
of <1–8191>
• target-mip HH:HH:HH:HH:HH:HH: the MAC address of the linktrace destination
MIP
• timeout <value>: (optional) the linktrace reply (LTR) timeout, in the range
of <1–60> seconds
• 2 seconds
• ttl <value>: (optional) the initial TTL field value, in the range of <1–255>
Command Description
oam cfm loopback domain DOMAIN-NAME ma MA-NAME mep <id> {target-mep <target-mep-id> | target-mip HH:HH:HH:HH:HH:HH} [timeout <value> | payload <value> | delay <value> | number <value>]
Sends a loopback message to a specific MEP or MIP in a specified domain:
• DOMAIN-NAME: a string of <1-22> characters
• MA-NAME: a string of <1-22> characters
• mep <id>: the source MEP ID, in the range of <1–8191>
• target-mep <target-mep-id>: the loopback destination MEP ID, in the range
of <1–8191>
• target-mip HH:HH:HH:HH:HH:HH: the MAC address of the loopback destination
MIP
• timeout <value>: (optional) the loopback reply (LBR) timeout, in the range
of <1–60> seconds
• 2 seconds
• payload <value>: (optional) the loopback message PDU size, in the range of
<0–1462> bytes
• 0 bytes
• delay <value>: (optional) the delay between 2 consecutive loopback
messages, in the range of <0–60> seconds
• 5 seconds
• number <value>: (optional) defines the number of loopback messages sent, in
the range of <1–1024>
• 3 messages
Command Description
clear oam cfm remote-mep-table domain-name NAME ma NAME remote-mep <id>
Clears a remote MEP connectivity table:
• DOMAIN-NAME: clears table for a domain name string, in the range of <1-43>
characters
• ma NAME: clears table for a MA name string, in the range of <1-45>
characters
• remote-mep <id>: clears table for a specific MEP, in the range of <0–8191>.
A value of 0 clears all remote MEPs
Command Description
show oam cfm Displays the current CFM configuration
and CFM status
show oam cfm connectivity [domain-name DOMAIN-NAME]
Displays connectivity statistics for all configured domains:
• DOMAIN-NAME: displays connectivity statistics for the specified domain
show oam cfm connectivity [extended]
Displays information extracted from the Port ID's TLV in CCMs:
• extended: (optional) displays additional information, such as the remote
device management address and name
show oam cfm domain level Displays information for MD:
<level>
• level: in the range of
<0-7>
show oam cfm update-interval Displays the update interval value in
seconds
show oam cfm {interface Displays the CFM configuration per
UU/SS/PP | interfaces} interface
show oam cfm test [id <id>] Displays information about performed
test(s):
• id: in the range of <1-
256>
show oam cfm threshold-profile Displays information about CFM
[id <id>] profile(s):
• id: in the range of <1-
256>
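How the MEP settings fng-alarm-time, fng-reset-time and fault-alarms-level listed above interact with the Defect Priority table, shown as an added simulation (it is not code from this manual or from the device). The state names and the repeated alarm on a higher-priority defect are modelling assumptions, and the defect timeline is constructed.

```python
"""Fault Notification Generator timing for one MEP (added illustration).

Times are in hundredths of a second, like fng-alarm-time and fng-reset-time.
State names and the re-report on escalation are modelling assumptions.
"""

# Priorities from the Defect Priority table (5 = most important).
DEFECT_PRIORITY = {
    "DefRDICCM": 1,
    "DefMACstatus": 2,
    "DefRemoteCCM": 3,
    "DefErrorCCM": 4,
    "DefXconCCM": 5,
}


def highest_defect(active):
    """Return (name, priority) of the most important active defect, or (None, 0)."""
    if not active:
        return None, 0
    name = max(active, key=DEFECT_PRIORITY.__getitem__)
    return name, DEFECT_PRIORITY[name]


def simulate_fng(changes, end, alarm_time=250, reset_time=1000, level=1):
    """Replay defect changes and return the Fault Alarms as [(time, defect)].

    changes: time-sorted [(t, set_of_active_defects)]; end: last tick simulated.
    level:   fault-alarms-level; 6 is above every defect, so nothing alarms.
    """
    if not 250 <= alarm_time <= 1000 or not 250 <= reset_time <= 1000:
        raise ValueError("timers must be within <250-1000> hundredths of a second")
    if not 1 <= level <= 6:
        raise ValueError("fault-alarms-level must be within <1-6>")

    alarms, state = [], "RESET"
    timer_start = reported = idx = 0
    active = set()
    for t in range(end + 1):
        while idx < len(changes) and changes[idx][0] <= t:
            active = changes[idx][1]
            idx += 1
        name, pri = highest_defect(active)
        qualifying = pri >= level

        if state == "RESET":
            if qualifying:                       # start the alarm timer
                state, timer_start = "DEFECT", t
        elif state == "DEFECT":
            if not qualifying:                   # transient: cleared in time
                state = "RESET"
            elif t - timer_start >= alarm_time:  # present long enough: alarm
                alarms.append((t, name))
                state, reported = "REPORTED", pri
        elif state == "REPORTED":
            if not qualifying:                   # start the reset timer
                state, timer_start = "CLEARING", t
            elif pri > reported:                 # assumption: escalation re-reports
                alarms.append((t, name))
                reported = pri
        else:  # CLEARING
            if qualifying:                       # defect is back: still latched
                state = "REPORTED"
                if pri > reported:
                    alarms.append((t, name))
                    reported = pri
            elif t - timer_start >= reset_time:  # absent long enough: re-arm
                state = "RESET"
    return alarms


# Constructed timeline: a 1 s RDI blip, a lasting remote-MEP loss that escalates
# to a cross-connect defect, a blip while latched, then a new defect after reset.
SAMPLE_CHANGES = [
    (100, {"DefRDICCM"}), (200, set()),
    (1000, {"DefRemoteCCM"}), (1400, {"DefRemoteCCM", "DefXconCCM"}), (1500, set()),
    (2000, {"DefRDICCM"}), (2100, set()),
    (3200, {"DefRDICCM"}),
]

if __name__ == "__main__":
    for when, defect in simulate_fng(SAMPLE_CHANGES, end=3600):
        print(f"{when / 100:6.2f} s  Fault Alarm: {defect}")
```

With the default timers, the short defects at 1.00 s and 20.00 s raise no alarm of their own: the first clears before fng-alarm-time elapses, and the second arrives while the previous alarm is still latched because fng-reset-time has not yet passed.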
3. Specify the identification data sent to the remote MEPs and the MIP
creation policy on the specified MA:
device-name(config-ma-ma7)#sender-id-content all
device-name(config-ma-ma7)#mip-policy explicit
5. Create a profile with ID 4 and configure the profile priority, rate, round-
trip jitter, frame loss, and latency errors monitoring:
device-name(config-cfm)#threshold-profile 4
device-name(config-threshold-profile-4)#priority 2
device-name(config-threshold-profile-4)#rate 2
device-name(config-threshold-profile-4)#round-trip-jitter-error 100
device-name(config-threshold-profile-4)#frame-loss-error 20
device-name(config-threshold-profile-4)#no frame-loss-monitoring
device-name(config-threshold-profile-4)#round-trip-latency-error 200
device-name(config-cfm)#no shutdown
device-name(config-cfm)#commit
Commit complete.
device-name(config-cfm)#end
Domain: d7
Domain Name Format: string
Level: 7
Mip Policy: none
Sender ID Content: none
Local MEPs
============================================================================
| MEP | Port | Adm |CCM| Oper | Alarm | CCM | Sent | Last |
| | | State |En | State | Level |Priority| CCM | CCM |
|-----+----------+-------+---+-------+-------+--------+--------+-----------|
| 10| 1/1/1| Up |Yes| Up | 1 | 6 | 15835| 23:18:58.012|
============================================================================
Domain: d7
Level: 7
Overview
The IEEE 802.3ah Ethernet in the First Mile (EFM) standard specifies the
protocols and Ethernet interfaces for using Ethernet over access links as a first-
mile technology and transforming it into a highly reliable technology.
Using the Ethernet in the First Mile solution, you gain broadcast Internet access
in addition to services (such as Layer 2 transparent LAN services, Voice
services over Ethernet Access networks, Video, and multicast applications)
reinforced by security and Quality of Service (QoS) control to build a scalable
network.
The in-band management specified by this standard defines the operations,
administration, and maintenance (OAM) mechanism needed for the advanced
monitoring and maintenance of Ethernet links in the first mile. The OAM
capabilities facilitate network operation and troubleshooting for both the
provider and the customer networks.
Basic 802.3 packets convey OAM data between two ends of a physical link.
The 802.3ah (Clause 57) provides the single-link OAM capabilities.
When enabled, two connected OAM devices exchange Protocol Data Units
(OAMPDUs). OAMPDUs are standard-size frames, including information such
as the destination MAC address, EtherType and subtype, sent at a predefined
rate (a limitation necessary for reducing the impact on the usable bandwidth).
EFM OAM is optional, and you can enable or disable it per physical port.
Potential Applications
Service providers use the link layer EFM for demarcation point OAM services.
Using the Ethernet demarcation service, providers can manage remote devices
(defined as passive devices) without utilizing an IP layer. Instead, they can
utilize link-layer SNMP counters request and reply, loopback testing, and other
techniques that are controlled remotely.
Installation Configurations
The following configuration shows how to manage the provider device (CPE
passive device) using the 802.3ah standard.
Figure 10-8: Managing Provider Devices using the EFM 802.3ah Standard
The configuration below illustrates how to manage the customer devices using
EFM 802.3ah.
Figure 10-9: Managing Customer Devices (passive) using the EFM 802.3ah
Standard
Discovery
In the first phase, EFM-OAM-enabled DTEs identify other DTEs along with
their OAM capabilities using Information OAMPDUs, advertising the
following information:
OAM configuration (capabilities)—the local DTE's OAM capabilities.
Using this information, a peer can determine what functions are supported
and accessible (for example, loopback capability).
OAM mode—the DTE's OAM mode, also used to determine the DTE's
functionality:
Active mode: the DTE instigates OAM communications and can issue
queries and commands to the remote device.
Passive mode: the DTE generally waits for the peer DTE to instigate
OAM communications and responds to them. It does not instigate
commands and queries.
For more information about the rules for active and passive mode DTEs,
refer to Rules for Active Mode and Rules for Passive Mode below.
Timers
Two configurable timers control the protocol:
The Hello timer, determining the rate for sending OAMPDUs
The Keep-alive timer, determining the time interval for expecting
OAMPDUs from the peer
An additional 1-second non-configurable timer is used for error aggregation
necessary for the Link Monitoring Process to generate link quality events.
Flags
Each OAMPDU includes a Flags field that includes the discovery process
status. There are three possible status values:
Discovering—the discovery process is in progress
Stable—discovery is completed and the remote device can start sending any
type of OAMPDU
Unsatisfied—when there are mismatches in the OAM configuration that
prevent OAM from completing the discovery process
Process Overview
The discovery process allows a local Data Terminating Entity (DTE) to detect
OAM on a remote DTE. Once OAM support is detected, both ends of the link
exchange state and configuration information (such as mode, PDU size,
loopback support, etc.). If both DTEs are satisfied with the settings, OAM is
enabled on the link. However, the loss of a link or a failure to receive
OAMPDUs for the keep-alive time interval (e.g. 5 seconds) may cause the
discovery process to start over again.
DTEs may either be in active or passive mode. Active mode DTEs instigate
OAM communications and can issue queries and commands to a remote
device. Passive mode DTEs generally wait for the peer device to instigate
OAM communications and respond to, but do not instigate, commands and
queries. Rules of what DTEs in active or passive mode can do are discussed in
the following sections.
Since 802.3ah OAM does not guarantee the delivery of OAMPDUs, the Event
Notification OAMPDU can be sent multiple times to reduce the probability of
losing these notifications; a sequence number is used to recognize
duplicate events.
The Link Monitoring process operates on all enabled EFM OAM links.
EFM-OAM Commands
Command Description
config terminal Enters Configuration mode
oam Enters OAM Protocol Configuration mode
no oam Removes the OAM configurations
efm Enters EFM Protocol Configuration mode
no efm Restores to default the configuration set in
OAM-EFM Configuration mode. The command
does not affect the configurations made per port,
that is, in EFM Interface Configuration mode.
shutdown Disables EFM
no shutdown
Command Description
error-frame-threshold <frame–threshold>
Configures the Errored Frame Event threshold.
This is a threshold for frame error testing and reporting on a specific
interface. Provided the error-frame-event-notification-enable option has been
configured, once the threshold is reached, the device generates an Errored
Frame Event message and sends it to the remote peer. The message is written to
the system log and to the feature history. Additionally, the event counters
are updated.
• frame–threshold: the valid range is <1-1488000>
• 256
no error-frame-threshold Restores to default.
error-frame-window <value> Monitoring interval for frame errors, in seconds:
• value: the valid range is <1-
60>
• 20
no error-frame-window Restores to default
error-symbol-period-event-notification-enable
Configures the OAM entity to send an event notification OAMPDU whenever an
error symbol period event occurs
no error-symbol-period-event-notification-enable Restores to default
error-symbol-period- Configures the symbol errors threshold within a
threshold <period– given window. Once the threshold is reached, a
threshold> notification is triggered if the error-symbol-
period-event-notification-enable
option has been configured.
• period–threshold: the valid
range is <1-1488000>
• 256
no error-symbol-period- Restores to default
threshold
error-symbol-period- Monitoring interval for symbol errors, in
window <value> seconds:
• value: the valid range is <1-
60>
• 20
no error-symbol-period- Restores to default
window
Command Description
hello-interval <value> Configures the hello interval, in milliseconds.
The hello interval is the time interval between
two PDUs in milliseconds. This mechanism is
used to inform the neighboring device that the
local device is operative. When the local device
receives no PDU within the defined keep-alive
interval, the neighboring device is considered
inoperative.
• value: the valid range is <100-
5000>
• 1000
Command Description
no multiple-pdu-count Restores to default
priority <priority-level> Configures the EFM-OAM PDU's priority. Priority
is effective only if the port is a tagged member of
the default VLAN.
• priority-level: the valid range
is <0-7> (the higher the
number, the higher the
priority)
• 0
no priority Restores to default
remote-event Enables sending local event notifications to the
remote peer
no remote-event Disables sending local event notifications to the
remote peer
port UU/SS/PP Accesses Interface Configuration Mode for the
specified port:
• UU/SS/PP: 1/1/1-1/1/24, 1/2/1-
1/2/4
efm Enables the EFM-OAM protocol
no efm Disables the EFM-OAM protocol
efm mode [basic | enhanced] Enables/disables the organization-specific EFM-
OAM enhancements on the specified interface or
interface range. Depending on the variable used
(the variable is required), this command specifies
one of the following two alternative EFM
modes:
Basic: does not employ organization-specific
extensions
Enhanced: allows defining and retrieving all
the SNMP variables on the remote device.
If the remote device is not an organization
device, Basic mode is used, even if Enhanced
mode is configured; configure both devices with
Enhanced mode for the devices to exchange their
hostname.
• basic: enables Basic mode
• enhanced: enables Enhanced mode
• Enhanced
no efm mode Returns the default EFM mode configuration
efm event-forward-status Enables sending a Link Event Notification from
UU/SS/PP a target port to its EFM peer whenever the source
port’s link status changes:
• UU/SS/PP: target port; the
valid range is 1/1/1-1/1/24,
1/2/1-1/2/4
no efm event-forward-status Disables sending a Link Event Notification
efm event-forward-shutdown Enables shutting down a target port whenever the
UU/SS/PP source port's link status changes.
To restore the UP state of a target port that was
previously disabled by the efm event-forward-shutdown
command, follow the steps below:
• Disable the target port by the
shutdown command.
• Enable the target port by the no
shutdown command.
• UU/SS/PP: target port; the
valid range is 1/1/1-1/1/24,
1/2/1-1/2/4
no efm event-forward- Disables shutting down a target port
shutdown
efm event-return-shutdown Enables the Event Return feature. This feature is
<number-of-attempts> used to determine the number of discovery
attempts prior to administratively shutting down
the port.
• number-of-attempts: number of
discovery attempts before
shutting down the port; the
valid range is <0–10> (0
disables the feature)
• 0
no efm event-return- Disables shutting down a target interface
shutdown
efm role [active | passive] Enables EFM-OAM on a specific interface and
configures its mode to one of the following two
alternative modes:
Active: the device can send Hello packets over
this interface to initiate an EFM-OAM discovery
process.
Passive: the device cannot use this interface to
initiate the EFM-OAM discovery process.
The valid mode combinations are either
one active and one passive OAM interface,
or
two active OAM interfaces
In case both peer interfaces are in Passive mode,
the Remote Status information is not updated
anymore and might be inaccurate.
• active: Configures the device’s
role as Active for uplinks and
user interfaces.
• passive: enables Enhanced mode.
• passive
no efm role Restores to default
efm shutdown Disables the EFM-OAM protocol for the
configured interface. Though disabled, the
interface’s EFM-OAM configuration is
preserved and can be restored with the no efm
shutdown command.
no efm shutdown Enables the EFM-OAM protocol for the
configured interface. This command restores the
interface’s EFM-OAM configuration which has
been previously disabled with the efm
shutdown command.
Command Description
show oam efm Displays the current EFM configuration and
EFM status
show oam efm event-log Displays the EFM-OAM event log
show oam efm peer Displays the EFM-OAM peer
show oam efm statistics Displays the local and remote counters and all
EFM-OAM statistics for all interfaces
show port UU/SS/PP efm Displays the EFM-OAM statistics for the
statistics specified interface:
• UU/SS/PP: 1/1/1-1/1/24, 1/2/1-
1/2/4
Configuring Device1:
6. Define the aging interval in seconds for the neighboring device that last
sent packets:
Device1(config-efm)#keep-alive-interval 3000
Device1(config-efm)#exit
Device1(config-oam)#exit
Device1(config)#
7. Enable EFM-OAM on the specified interface and set its mode to active:
Device1(config)#port 1/1/1
Device1(config-port-1/1/1)#efm role active
Device1(config-port-1/1/1)#
Configuring Device2:
6. Define the aging interval in seconds for the neighboring device that last
sent packets:
Device2(config-efm)#keep-alive-interval 3000
Device2(config-efm)#exit
Device2(config-oam)#exit
Device2(config)#
7. Enable EFM-OAM on the specified interface and set its mode to active:
Device2(config)#port 1/1/1
Device2(config-port-1/1/1)#efm role active
Device2(config-port-1/1/1)#
Overview
SNMP is an application layer protocol that facilitates the exchange of
management information between network devices.
An SNMP-managed network consists of three key components:
managed device—is a network node that contains an SNMP Agent and
resides on a managed network
agent—is a network-management software module that resides in a
managed device. An agent has local knowledge of management
information and translates that information into a form compatible with
SNMP
network-management system—executes applications that monitor and
control managed devices.
SNMP enables network administrators to manage network performance, find
and solve network problems and extend the network.
The following figure displays the communication between an SNMP Agent and
Manager.
SNMP Entity
An SNMP Entity is an implementation of the SNMP architecture. Each entity
consists of an SNMP Engine and one or more associated applications. An
SNMP Engine provides services for sending and receiving messages,
authenticating and encrypting messages, and controlling access to managed
objects. The SNMP Engine is identified by the SNMP Engine ID. The
applications use the services of an SNMP Engine to accomplish specific tasks.
They coordinate the processing of management information operations, and
may use SNMP messages to communicate with other SNMP Entities.
SNMP Agent
An Agent is a network-management software module that resides in a managed
device and is responsible for maintaining local management information and
delivering that information to a Manager via SNMP. A management
information exchange can be initiated by the Manager or by the Agent. The
SNMP Agent contains MIB variables and these values can be requested or
changed by the SNMP Manager. The Agent and MIB reside on the device. The
Agent gathers data from the MIB and responds to a Manager’s request to get or
set data.
SNMP Manager
An SNMP Manager is a software module in a management network
responsible for managing part or the entire configuration on behalf of network
management applications and users.
The SNMP Manager sends requests to the SNMP Agent to get and set MIB
values. Communication among protocol entities is accomplished by the
exchange of messages; each of them is entirely and independently represented
within a single UDP datagram. A message consists of a version identifier, an
SNMP community name, and a protocol data unit (PDU). PDUs are the packets
that are exchanged in the SNMP communication.
SNMP Engine ID
The SNMP Engine ID is a 5- to 32-byte-long, administratively unique identifier
of a participant in SNMP communication within a single management domain.
The SNMP Manager and SNMP Agent must be configured by an administrator
to have unique SNMP Engine IDs.
SNMP Notifications
The SNMP notification messages allow devices to send asynchronous messages
to the SNMP Managers. Devices can send notifications to SNMP Managers
when particular events occur. For example, an Agent might send a message to a
Manager when the Agent experiences an error condition.
NOTE: All traps, except the ones sent with SNMPv1, have
a request ID as part of the PDU.
In Figure 11-2, the Agent successfully sends a trap to the SNMP Manager.
Although the Manager receives the trap, it does not send any acknowledgment
to the Agent. The Agent has no way of knowing whether the trap reached its
destination.
In Figure 11-3, the Agent successfully sends an Inform request to the Manager.
When the Manager receives the Inform request, it sends a response back to the
Agent. Thus, the Agent knows that the Inform request successfully reached its
destination. In this example, twice as much traffic is generated as in Figure 11-2;
however, the Agent is sure that the Manager received the notification.
In Figure 11-4, the Agent sends a trap to the Manager, but the trap does not
reach the Manager. Since the Agent has no way of knowing whether the trap
reached its destination, the trap is not sent again. The Manager never receives
the trap.
In Figure 11-5, the Agent sends an Inform request to the Manager, but the
Inform request does not reach the Manager. Since the Manager did not receive
the Inform request, it does not send a response. After a period of time, the
Agent resends the Inform request. This time, the Manager receives the Inform
request and replies with a response. In this example, there is more traffic than
in Figure 11-4; however, the notification reaches the SNMP Manager.
In the following figure, the Manager reports the PDU with its Engine ID to the
Agent.
The Agent sends an Inform PDU with a valid Engine ID (the Engine ID that is
received as shown in the previous figure), but with incorrect snmpEngineBoots
and snmpEngineTime. These parameters are still unknown to the Agent. The
discovery process ends when no authentication/encryption exists for the target
address. If authentication/encryption exists, the packet is sent with the
corresponding authentication/encryption (MD5, SHA or DES).
In the following figure, the Manager returns an authenticated REPORT PDU
(notInTimeWindow) that consists of valid snmpEngineBoots and
snmpEngineTime parameters.
Finally, when the discovery process is completed, the Agent and the Manager
are synchronized and subsequent packets do not discover the Engine ID of the
Manager.
Versions of SNMP
The application software supports the following versions of SNMP:
Variable Description
SNMPv1 In SNMP version 1, the user can get and set MIB objects,
traverse the MIB tree using the getNext operation, and enable
the management device to receive asynchronous messages from
the Agent using the trap mechanism. SNMPv1 bases its security
on community strings.
SNMPv2c SNMP version 2c (the c stands for community) is the
community-string based Administrative Framework. SNMPv2c
includes the following improvements over SNMPv1:
Improved performance for getting data using getBulk. The
bulk retrieval mechanism supports the retrieval of tables
and large quantities of information in one PDU, thus
minimizing the number of round-trips required.
Improved error handling. SNMPv2 adds many error codes
to the five originally defined in SNMPv1. Management
devices are provided with more detailed information about
the cause of the error. Also, three exceptions are reported
with SNMPv2c:
no such object, no such instance, and end of MIB view
exceptions.
Extended asynchronous reporting. SNMPv2 allows the
Agent to send SNMP notifications by inform request, as
well as by trap messages that are available in SNMPv1.
Whereas traps do not provide the Agent with an indication
that the message is received, the inform request requires
the Manager to confirm reception and is therefore more
reliable. As for the trap message, its format is changed to
match the PDU format of a regular get/set PDU, in order to
simplify the protocol. The SNMPv2 protocol requires
adding more details to every trap in order to supply the
Manager with more information.
Generally, MIBs written for Agents that use SNMPv2c or
higher versions use SMIv2 instead of version 1 of the SMI.
This version adds some new variable types.
Both SNMPv1 and SNMPv2c use a community-based form of
security.
SNMPv3 SNMP version 3 is an interoperable standards-based protocol. It
provides secure communication using the USM (User-based
Security Model) and access control using the VACM (View-
based Access Control).
The USM model provides an answer to the following threats:
Replay, interception and retransmission of messages—
prevented by using time-stamp.
Masquerading—prevented by authenticating the message
sender.
Integrity, interception, changing data, and retransmission of
messages—prevented by authenticating the message sender
and encryption of the message data.
Disclosure—prevented by encryption of the message data.
The SNMPv3 USM allows three levels of security (see the table
below):
No Authentication and No Privacy (noAuthNoPriv)
Authentication and No Privacy (authNoPriv)
Authentication and Privacy (authPriv)
You must configure the SNMP Agent to use the version of SNMP supported by
the management device. An Agent can communicate with multiple users. For
this reason, you can configure the application software to support
communications with many users: some users can use the SNMPv1 protocol,
some can use the SNMPv2c protocol, and the rest can use SNMPv3.
SNMP Commands
Command Description
config terminal Enters the Configuration mode
system Enters the System Configuration mode
snmp Enters the SNMP Configuration mode
no snmp Removes the SNMP configurations
engine-id <engineID> Defines a new value for the Agent’s
SNMP Engine ID:
• engineID: a string of 10
to 64 characters
(represented internally
by 5 to 32 bytes), in
the format of
XX:XX:XX:XX:XX:XX
• 80 00 02 E2 03 [MAC ADDR]
no engine-id Restores to default
max-packet-size <size> Defines a new value for the maximum
packet size:
• size: in the range of
<484-2147483647>
• 9216
no max-packet-size Restores to default
general-port <port-number> Defines a new value for the IP SNMP
port number:
• port-number: in the
range of <161, 1025-
65535>
• 161
no general-port Restores to default
snmp-address {A.B.C.D | all} Defines the SNMP server address:
• A.B.C.D: the IP address
• all: all IP addresses
configured on the device
• all
no snmp-address Restores to default
shutdown Disables SNMP server
• SNMP server is disabled
no shutdown
system-description .LINE-TEXT Defines the MIB-II system description
string:
• .LINE-TEXT: description
string, up to 255
characters long
• Empty (null)
no system-description Restores to default
notification-change-trap {true | false} Enables/disables SNMP notification
change traps:
• true: enables the traps
• false: disables the
traps
view VIEWNAME OID-TREE [MASK | included | excluded]
Defines the subset of all MIB objects accessible to the given view:
• VIEWNAME: the name of
the view up to 32
characters
• OID-TREE: the starting
point inside the MIB
tree given in dot-
notation or as an object
name
• MASK: the mask is typed
as a hexadecimal value,
and is interpreted as a
binary value. A binary 1
in the mask states that
the Object ID at the
corresponding position
has to match, a binary 0
states that the Object
ID at the corresponding
position is irrelevant—
no match is required
• included: the Object ID
subtree is included in
the view
• excluded: the Object ID
subtree is excluded from
the view
no view VIEWNAME Removes the specified view
group GROUPNAME {authNoPriv | authPriv | noAuthNoPriv} read READ-VIEW write WRITE-VIEW notify NOTIFY-VIEW
Creates an SNMP group with a specified security model and defines
the access-right for this group by associating views to this group:
• GROUPNAME: the name of
the group is limited to
32 characters
• {authNoPriv | authPriv |
noAuthNoPriv}: the
security level. For more
information, refer to
Table 11-2
• If no security level is specified,
noAuthNoPriv security level is
assumed
• READ-VIEW: the name of
the view (not to exceed
32 characters) in which
you can only view the
contents of the Agent’s
MIB
• WRITE-VIEW: the name of
the view (not to exceed
32 characters) in which
you can type data and
configure the contents
of the Agent’s MIB
• NOTIFY-VIEW: the name of
the view (not to exceed
32 characters) that
specifies what portion
of the MIB database is
accessible for
notifications
no group GROUPNAME {authNoPriv | authPriv | noAuthNoPriv} Removes the SNMP group data:
If you specify only the group
name, all groups with that name
are removed, regardless of their
security model and security level.
If you specify the security model,
only the group matching all
conditions is removed.
user USERNAME GROUPNAME {v1 | v2c | v3} [md5 | sha | remote ENGINE-ID] [AUTHENTICATION-PASSWORD] [ENCRYPTION-PASSWORD]
Creates an SNMP local or remote user:
• USERNAME: the name of the user on the host that connects to the Agent.
• SNMP user is not configured
• GROUPNAME: the name of
the group is limited to
32 characters
• v1, v2c, v3: the
security model. For more
information, refer to
Table 11-1
• md5: enables HMAC-MD5
(Message Digest 5)
authentication
• sha: enables HMAC-SHA
(Secure Hash Algorithm)
authentication
• remote ENGINE-ID (only for v3 users): creates a remote user by
its engine ID, in hexadecimal format FF:FF:FF:FF
• ENCRYPTION-PASSWORD: the
PDUs sent to or received
by this user should be
encrypted, with the key
generated from the
encryption password; up
to 32 characters
• AUTHENTICATION-PASSWORD:
the authentication
password string up to 32
characters
no user USERNAME GROUPNAME {v1 | v2c | v3} Removes the specified user definition
target-address ADDR-NAME Defines the notification target address:
• ADDR-NAME: the name of
the notification target
address up to 32
characters
no target-addr ADDR-NAME Removes the notification target
address.
message-model {v1 | v2c | v3} Defines the security model. It specifies
the version of the protocol in which the traps are sent (for more
information, refer to Table 11-1):
• v1, with TRAP-V1 PDU type
• v2c, with TRAP-V2 PDU type
• v3, with TRAP-V2 PDU type
• v2c
no message-model Restores to default
security-model {noAuthNoPriv | authNoPriv | authPriv} Defines the SNMP levels of security:
• authNoPriv, authPriv,
noAuthNoPriv: the
security level. For more
information, refer to
Table 11-2
• If no security level is specified,
noAuthNoPriv security level is
assumed
no security-model Restores to default
address TARGET-ADDRESS Defines the IP address of the target:
• A.B.C.D: the IP address
of the target
• 0.0.0.0
no address Restores to default
security-name USERNAME Defines the security name that
identifies how SNMP messages will be
generated using this entry:
• USERNAME: the security
user name
no security-name Removes the security name
dst-port <port-number> Specifies the UDP port number:
• port-number: in the
range of <162, 1025-
65535>
• 162
no dst-port Restores to default
timeout <value> Configures the time to wait for an
acknowledgement before resending an
unacknowledged inform PDU:
• value: in the range of
<0-600> seconds
• 15 seconds
no timeout Restores to default
retry-count <value> Configures the number of retries if
there is no response from the client on
the informs:
• value: in the range of
<0-255>
• 3 retries
no retry-count Restores to default
type [both | inform | trap] Defines the notification type:
• both: specifies both
inform- and trap-type
notifications
• inform: specifies
inform-type
notifications
• trap: trap-type
notifications
no type Removes the configured notification
type
show snmp-server [displaylevel <level> | statistics] Displays the bind address, the status of
the SNMP server, and the UDP port on which the SNMP is enabled:
• level: in the range of <0-64>
• statistics: the SNMP server statistics
show snmp engine [displaylevel <level>] Displays the local SNMP Engine ID of
the SNMP Agent, all Engine IDs that are known to the Agent, and
information about the inform operation values:
• level: in the range of <0-64>
show snmp-system [displaylevel <level>] Displays the SNMP server system
configuration:
• level: in the range of <0-64>
show snmp views [displaylevel <level>] Displays all configured views and the
viewmask of a particular view (if configured):
• level: in the range of <0-64>
show snmp group [displaylevel <level>] Displays the configured groups, their
associated views, and the security model. If the security model is USM
(v3), the command displays the security level:
• level: in the range of <0-64>
show snmp access [displaylevel <level>] Displays the users and their associated
remote engine ID:
• level: in the range of <0-64>
show snmp target-address [displaylevel <level>] Displays the notification target
address:
• level: in the range of <0-64>
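How a view entry with a MASK decides access, as an added example that is not part of the manual or the device software. It assumes the device follows the standard VACM rules (RFC 3415): mask bits are read most-significant-bit first, positions the mask does not cover count as 1, and the matching entry with the longest subtree decides. The view names ops and port3 and the colon-separated mask notation are constructed for illustration.

```python
from dataclasses import dataclass


def parse_oid(text):
    """'1.3.6.1' or '.1.3.6.1' -> (1, 3, 6, 1)."""
    return tuple(int(part) for part in text.strip(".").split("."))


def mask_bits(hex_mask, length):
    """Expand a hexadecimal mask into one bit per sub-identifier.

    The first sub-identifier maps to the most significant bit of the
    first octet. Missing positions are filled with 1 (must match), so
    an empty mask means a plain subtree prefix.
    """
    raw = bytes.fromhex(hex_mask.replace(":", ""))
    bits = [(octet >> shift) & 1 for octet in raw for shift in range(7, -1, -1)]
    bits += [1] * max(0, length - len(bits))
    return bits[:length]


@dataclass(frozen=True)
class ViewEntry:
    """One 'view VIEWNAME OID-TREE [MASK | included | excluded]' line."""
    name: str
    subtree: tuple
    mask: str = ""
    included: bool = True

    def covers(self, oid):
        # The OID must be at least as long as the subtree, and every
        # position whose mask bit is 1 must be equal.
        if len(oid) < len(self.subtree):
            return False
        bits = mask_bits(self.mask, len(self.subtree))
        return all(bit == 0 or want == got
                   for bit, want, got in zip(bits, self.subtree, oid))


def in_view(entries, view_name, oid_text):
    """True if the OID is accessible through the named view."""
    oid = parse_oid(oid_text)
    matches = [e for e in entries if e.name == view_name and e.covers(oid)]
    if not matches:
        return False  # nothing covers the OID: not in the view
    # Longest subtree wins; ties go to the lexicographically greater one.
    best = max(matches, key=lambda e: (len(e.subtree), e.subtree))
    return best.included


# Constructed view table.
VIEWS = [
    # The manual's example view: the whole tree from 1.3.
    ViewEntry("internet", parse_oid("1.3")),
    # Same tree, but without snmpModules (1.3.6.1.6.3), which holds the
    # USM user table and the VACM access tables.
    ViewEntry("ops", parse_oid("1.3")),
    ViewEntry("ops", parse_oid("1.3.6.1.6.3"), included=False),
    # System group plus every ifTable column of interface index 3.
    # ff:a0 = 11111111 101: the tenth position (the column) is a wildcard.
    ViewEntry("port3", parse_oid("1.3.6.1.2.1.1")),
    ViewEntry("port3", parse_oid("1.3.6.1.2.1.2.2.1.0.3"), mask="ff:a0"),
]

if __name__ == "__main__":
    for view, oid in [("internet", "1.3.6.1.6.3.15.1.2.2.1.3"),
                      ("ops", "1.3.6.1.6.3.15.1.2.2.1.3"),
                      ("port3", "1.3.6.1.2.1.2.2.1.10.3"),
                      ("port3", "1.3.6.1.2.1.2.2.1.10.4")]:
        print(f"{view:9} {oid:28} {'allowed' if in_view(VIEWS, view, oid) else 'denied'}")
```

A view rooted at 1.3 with no excluded entries also exposes the SNMP user and access-control tables to every group bound to it.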
Creating Users
In this example, an SNMP user is added to the device. The user is named
tester and is attached to a group named public. The SNMPv3 community is
parsed by the SNMP Agent as the user name.
1. Enable SNMP:
device-name#config terminal
device-name(config)#system
device-name(config-system)#snmp
2. Create a view that includes the entire MIB tree from root:
device-name(config-snmp)#view internet 1.3 included
3. Create a user named tester that uses SNMPv3 and attach it to a group
named public without authentication and privacy:
device-name(config-snmp)#group public noAuthNoPriv read internet write
internet notify internet
device-name(config-snmp)#user tester public v3
SNMP Views
=============================================================================
MIB View name : internet
MIB Subtree : 1.3
MIB Subtree Mask :
MIB Subtree View type : included
=============================================================================
Number of entries: 1
=============================================================================
SNMP group name : public
Security-model : noAuthNoPriv
Read-only MIB view : internet
Read-write MIB view : internet
Accessible-for-notify MIB view : internet
=============================================================================
Number of entries: 1
1. Enable SNMP:
device-name#config terminal
device-name(config)#system
device-name(config-system)#snmp
2. Create a view that includes the entire MIB tree from root:
device-name(config-snmp)#view internet 1.3 included
4. Create a user named tester that uses SNMPv3, and attach it to the already
created group named public:
device-name(config-snmp)#user private public v3
1. Make sure there is connectivity between the device and TFTP server:
device-name#ping 10.3.71.62 number 1
PING 10.3.71.62 (10.3.71.62): 56 data bytes
64 bytes from 10.3.71.62: icmp_seq=0 ttl=128 time=3.8 ms
2. Commit complete:
device-name(config-snmp)#no shutdown
device-name(config-snmp)#view myview 1.3 included
device-name(config-snmp)#group mygroup noAuthNoPriv read myview write
myview notify myview
device-name(config-snmp)#user tester mygroup v3
device-name(config-snmp)#target-address mycomp
device-name(config-target-address-mycomp)#dst-port 162
device-name(config-target-address-mycomp)#address 10.3.71.167
device-name(config-target-address-mycomp)#security-name tester
device-name(config-target-address-mycomp)#security-model noAuthNoPriv
device-name(config-target-address-mycomp)#message-model v3
device-name(config-target-address-mycomp)#type trap
device-name(config-target-address-mycomp)#com
Commit complete.
device-name(config-target-address-mycomp)#exit
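The examples above give a noAuthNoPriv group read and write access to the whole 1.3 tree. The following added script (not part of the manual or the device software) audits a captured config-snmp session for that pattern. The session text, the hardened group and user names, and the severity labels are constructed; the fallback values for unset options are assumptions read from the command table.

```python
LEVELS = ("noAuthNoPriv", "authNoPriv", "authPriv")

# Constructed session. The first block repeats the manual's trap example;
# the second block is a hypothetical hardened variant with placeholder
# names and passwords.
SAMPLE = """\
device-name(config-snmp)#view myview 1.3 included
device-name(config-snmp)#group mygroup noAuthNoPriv read myview write myview notify myview
device-name(config-snmp)#user tester mygroup v3
device-name(config-snmp)#target-address mycomp
device-name(config-target-address-mycomp)#security-name tester
device-name(config-target-address-mycomp)#security-model noAuthNoPriv
device-name(config-target-address-mycomp)#message-model v3
device-name(config-target-address-mycomp)#exit
device-name(config-snmp)#view sysonly 1.3.6.1.2.1.1 included
device-name(config-snmp)#group nocgroup authPriv read myview write sysonly notify myview
device-name(config-snmp)#user nocuser nocgroup v3 sha AUTH-PLACEHOLDER PRIV-PLACEHOLDER
device-name(config-snmp)#user legacy nocgroup v2c
"""


def _pairs(words, keys):
    """Collect 'keyword VALUE' pairs such as 'read VIEW write VIEW'."""
    return {words[i]: words[i + 1]
            for i in range(len(words) - 1) if words[i] in keys}


def parse(session):
    """Turn prompt-prefixed CLI lines into views, groups, users, targets."""
    cfg = {"views": {}, "groups": {}, "users": [], "targets": {}}
    target = None
    for line in session.splitlines():
        words = line.partition("#")[2].split()
        if not words:
            continue  # output lines such as 'Commit complete.'
        cmd = words[0]
        if cmd == "view" and len(words) >= 3:
            cfg["views"].setdefault(words[1], []).append(words[2])
        elif cmd == "group" and len(words) >= 2:
            # Per the manual, noAuthNoPriv is assumed when no level is given.
            level = words[2] if len(words) > 2 and words[2] in LEVELS else LEVELS[0]
            cfg["groups"][words[1]] = {
                "level": level, **_pairs(words, ("read", "write", "notify"))}
        elif cmd == "user" and len(words) >= 4:
            auth = words[4] if len(words) > 4 and words[4] in ("md5", "sha") else None
            cfg["users"].append({"name": words[1], "group": words[2],
                                 "model": words[3], "auth": auth})
        elif cmd == "target-address" and len(words) == 2:
            # Assumed fallbacks for unset options, read from the command table.
            target = cfg["targets"].setdefault(
                words[1], {"security-model": "noAuthNoPriv", "message-model": "v2c"})
        elif cmd == "exit":
            target = None
        elif target is not None and cmd in target and len(words) == 2:
            target[cmd] = words[1]
    return cfg


def audit(cfg):
    """Return (severity, message) findings for weak SNMP settings."""
    findings = []
    for name, group in cfg["groups"].items():
        if group["level"] == "noAuthNoPriv":
            if "write" in group:
                roots = ", ".join(cfg["views"].get(group["write"], ["?"]))
                findings.append(("HIGH", f"group {name}: unauthenticated write "
                                 f"access to view {group['write']} ({roots})"))
            else:
                findings.append(("MEDIUM", f"group {name}: unauthenticated read access"))
        elif group["level"] == "authNoPriv":
            findings.append(("MEDIUM", f"group {name}: authenticated but not encrypted"))
    for user in cfg["users"]:
        level = cfg["groups"].get(user["group"], {}).get("level", "noAuthNoPriv")
        if user["model"] in ("v1", "v2c"):
            findings.append(("HIGH", f"user {user['name']}: {user['model']} "
                             "relies on a community string"))
        elif level != "noAuthNoPriv" and user["auth"] is None:
            findings.append(("MEDIUM", f"user {user['name']}: group needs "
                             "authentication but no md5/sha is set"))
    for name, tgt in cfg["targets"].items():
        if tgt["message-model"] != "v3" or tgt["security-model"] == "noAuthNoPriv":
            findings.append(("MEDIUM", f"target {name}: notifications sent as "
                             f"{tgt['message-model']}/{tgt['security-model']}"))
    return findings


if __name__ == "__main__":
    for severity, message in audit(parse(SAMPLE)):
        print(f"{severity:6} {message}")
```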
Configuring 802.1ag Connectivity Fault Management (CFM) via SNMP
For additional information about this feature, refer to the 802.1ag Connectivity
Fault Management (CFM) section of the Operations, Administration, and
Maintenance (OAM) chapter of this User Guide.
4. Create a MEP:
device-name(config-ma-ma_1)#mep 1 1/1/1
device-name(config-mep-1/1/1/1)#direction down
device-name(config-mep-1/1/1/1)#ccm-enabled
device-name(config-mep-1/1/1/1)#no shutdown
device-name(config-mep-1/1/1/1)#commit
Commit complete.
device-name(config-mep-1/1/1/1)#
===============================
System Manufacturing-Details
===============================
Serial number: 0309342504
Assembly No: AL001392
Part number: 2
CLEI:
HW revision: 02
HW subrevision:
Date: 30/09/2009
Base MAC addr: 00:a0:12:64:08:60
Status : PASSED
Measure : 39 C
Status : PASSED
Measure : 8 %
Fan Test
Status : PASSED
Status : PASSED
Status : Passed
Measure : 0 %
Status : PASSED
Measure : 49 %
device-name#
Overview
Remote Monitoring (RMON) is a standard monitoring specification that
enables network monitors and console systems to exchange network-
monitoring data. RMON provides network administrators with more freedom
in selecting network-monitoring probes and consoles with features that meet
their particular networking needs.
The RMON specification defines a set of statistics and functions that can be
exchanged between RMON-compliant console managers and network probes.
The RMON Ethernet statistics group provides traffic and error statistics
including a total count of different frame types and sizes passing through each
port.
RMON Commands
Command Description
root Operational mode
show [port UU/SS/PP] rmon statistics [etherStatsBroadcastPkts |
etherStatsCollisions | etherStatsCRCAlignErrors | etherStatsDropEvents |
etherStatsFragments | etherStatsJabbers | etherStatsMulticastPkts |
etherStatsOctets | etherStatsOversizePkt | etherStatsPkts |
etherStatsPkts1024to1518Octets | etherStatsPkts128to255Octets |
etherStatsPkts256to511Octets | etherStatsPkts512to1023Octets |
etherStatsPkts64Octets | etherStatsPkts65to127Octets |
etherStatsUndersizePkts]
Displays the RMON statistics table. Optionally, you can display statistics for a
specific port or for all ports (see the following table)
• port UU/SS/PP: 1/1/1-1/1/24, 1/2/1-1/2/4
• RMON statistics collection is enabled. Statistics are refreshed every 60
seconds.
Counter Description
etherStatsBroadcastPkts The total number of good broadcast
packets received. Note that this does not
include multicast packets.
etherStatsCollisions The total number of collisions on this
Ethernet segment.
etherStatsCRCAlignErrors The number of CRC/alignment errors
(FCS or alignment errors).
etherStatsDropEvents The total number of events in which
packets are dropped due to lack of
resources.
etherStatsFragments The total number of frames received
that are less than 64 bytes in length
(excluding framing bits, but including
FCS bytes) and have either an FCS or
alignment error.
etherStatsJabbers The total number of frames received
that are longer than 1518 bytes
(excluding framing bits, but including
FCS bytes), and have either an FCS or
alignment error.
etherStatsMulticastPkts The total number of good multicast
packets received.
etherStatsOctets The total number of octets of data
(including those in bad packets)
received on the network (excluding
framing bits but including FCS octets).
etherStatsOversizePkt The total number of frames received
that are longer than 1518 bytes
(excluding framing bits, but including
FCS bytes) and are otherwise well
formed (valid CRC).
etherStatsPkts The total number of packets (including
bad packets, broadcast packets, and
multicast packets) received.
etherStatsPkts1024to1518Octets, etherStatsPkts128to255Octets,
etherStatsPkts256to511Octets, etherStatsPkts512to1023Octets,
etherStatsPkts65to127Octets
The total number of frames (including bad packets) received and transmitted
where the number of bytes falls within the specified range (excluding framing
bits but including FCS bytes).
etherStatsPkts64Octets The total number of frames (including
bad packets) received and transmitted
that are 64 bytes in length (excluding
framing bits but including FCS bytes).
etherStatsUndersizePkts The total number of frames received
that are less than 64 bytes long
(excluding framing bits, but including
FCS bytes) and are otherwise well
formed (valid CRC).
Overview
The application software provides system log messages that are useful to the
system administrator for troubleshooting problems in the network:
The console log routes system messages to a local or remote console, or to
the system memory buffer
Message logging is configurable (for example: what severity levels and
where the log is sent)
Keyword Description
DATE and TIME Indicates when the message is issued
SEVERITY The literal message’s severity level
PROCESS The name of a system process that generated the
message
MESSAGE-TEXT The textual content of the message
Example
Severity Levels
Trap level for logging should be configured per receiver (buffer, CLI console,
SSH console, and Syslog server) and per severity.
By default, the buffer is disabled and it does not store any LOG messages.
To configure the level of the trap message logging filter, use the log buffer
severity command.
Syslog Facility
A Syslog facility is a setting for the remote Syslog server.
Keyword Description
alert Log alert
audit Log audit
auth Security/authorization messages
clock Clock daemon
cron Messages generated internally by Syslog
daemon System daemons
ftp FTP daemon
local0 Local use 0 (local0)
local1 Local use 1 (local1)
local2 Local use 2 (local2)
local3 Local use 3 (local3)
local4 Local use 4 (local4)
local5 Local use 5 (local5)
local6 Local use 6 (local6)
local7 Local use 7 (local7)
lpr Line printer subsystem
mail Mail system
news Network news subsystem
ntp NTP subsystem
security Security/authorization messages
syslog Messages generated internally by Syslog
user User-level messages
uucp UUCP subsystem
Command Description
config terminal Enters the Configuration mode
log cli-console severity Displays system log messages on the
<severity level> CLI console that is attached to the COM
port:
• severity level: refer to
Keyword column of Table 14-2.
Zero (0) is the highest
severity, and 7 is the lowest
severity. When you specify a
severity level, logging
output of the specified level
and all lower levels (higher
severities) is enabled
no log cli-console Stops the log output to the CLI console
log ssh-console severity Displays system log messages on the
<severity level> SSH console:
• severity level: refer to
Keyword column of Table 14-2
no log ssh-console Stops the log output to the SSH console
log telnet-console severity Displays system log messages on the
<severity level> Telnet console:
• severity level: refer to
Keyword column of Table 14-2
no log telnet-console Stops the log output to the Telnet
console
log buffer severity <severity Copies system log messages to an
level> internal buffer:
• severity level: refer to
Keyword column of Table 14-2
• Syslog buffer size is 2000 messages
no log buffer Restores to default
log syslog-server A.B.C.D Enables remote logging using the Syslog
server facility:
• A.B.C.D: the IP address of
the Syslog server
no log syslog-server A.B.C.D [facility] Disables the remote logging
facility <facility level> Configures the facility level:
• facility level: refer to
Keyword column of Table
14-3
no facility Removes the configured facility level
severity <severity level> Configures the severity level:
• severity level: refer to
Keyword column of Table 14-2
show syslog Displays the logging configuration
show syslog displaylevel <level> Displays the detailed logging level
configuration:
• level: in the range of
<0-64>
show syslog message [level <severity level> | process PROCESS | text NAME | timestamp NAME] [displaylevel <level>]
Displays the detailed logging message configuration:
• severity level: refer to Keyword column of Table 14-2
• PROCESS: the name of the process to filter on
• NAME: the text name
• NAME: the timestamp name
• level: in the range of <0-64>
Configuration Example
The following example shows how to enable system log messages for different
severity levels, displayed on the console port, in an SSH session, or in the
Syslog buffer.
1. Enable logging on the console port with severity level critical:
device-name#configure terminal
device-name(config)#log cli-console severity critical
device-name(config)#commit
Commit complete.
Periodic Monitoring
Overview
Periodic monitoring is a method used for monitoring different hardware
conditions before they become critical.
You can use periodic monitoring:
to ensure a more reliable day-to-day operation. You can periodically
monitor crucial device functions in the background, receiving alerts when
the monitored indicators vary from operating norms
as a troubleshooting tool, monitoring transient conditions and tracking
irregular behaviors. You can use this method for triggering diagnostic data-
polling based on the device operational status
Indicator Monitored As
CPU Resources Measured value
RAM Resources Measured value
CPU Temperature Measured value
Port Statistics Measured value
Alert Types
You can assign any or all of the actions below to monitor an alert status:
log—the alert status is written to the CLI history and error message log
files
led—the STS LED flashes on the device front panel
You can define an alert behavior only individually (for each specific indicator).
+ root
+ config terminal
+ system
+ monitor
+ cpu-temperature
- [no] high-threshold <value>
- [no] led
- [no] log
- [no] low-threshold <value>
- [no] period <value>
- [no] shutdown
- [no] trap
+ cpu-usage
- [no] high-threshold <value>
- [no] led
- [no] log
- [no] low-threshold <value>
- [no] period <value>
- [no] shutdown
- [no] trap
+ port-statistics
- [no] high-threshold <value>
- [no] led
- [no] log
- [no] low-threshold <value>
- [no] period <value>
- [no] shutdown
- [no] trap
+ ram-usage
- [no] high-threshold <value>
- [no] led
- [no] log
- [no] low-threshold <value>
- [no] period <value>
- [no] shutdown
- [no] trap
- show system monitor [cpu-temperature | cpu-usage | detail | port-statistics | ram-usage]
- show system cpu-usage
- show system temperature
Command Description
config terminal Enters the Configuration mode
system Enters the System Configuration mode
monitor Enters the Periodic Monitoring
Configuration mode
cpu-temperature Enables the temperature monitoring and
enters the Temperature Monitoring
Configuration mode
• Disabled
cpu-usage Enables the CPU monitoring and enters
the CPU Monitoring Configuration mode.
The CPU monitoring collects CPU usage
samples and periodically calculates their
average value from previous percentage
estimates. If the calculated value exceeds
a configured limit value, the monitor
triggers an alert.
• Disabled
port-statistics Enables the port monitoring and enters the
Port Monitoring Configuration mode
• Disabled
ram-usage Enables the RAM monitoring and enters
the RAM Monitoring Configuration mode.
The RAM usage monitoring periodically
checks the remaining RAM that is
available for allocation. If this amount is
less than a configured limit value, the
monitor triggers an alert.
• Disabled
high-threshold <value> Defines the high threshold value for a
specific periodic monitoring:
• value: high threshold
value
• 90% high threshold for RAM-usage
• 75% high threshold for CPU-usage
• 0% high threshold for port statistics
• 70°C high threshold for CPU-
temperature
no high-threshold Removes the high threshold value
led Enables the LED-alert notification.
The LED starts blinking when one of the
following conditions occurs:
the indicator status is fail
the indicator’s measured value
exceeds its configured limit
• Disabled
no led Restores to default
log Enables the alert-notification logging.
The alert message is written to the log and
history files when one of the following
conditions occurs:
the indicator status is fail
the indicator’s measured value
exceeds its configured limit value
• Disabled
no log Restores to default
low-threshold <value> Defines the low threshold value for a
specific periodic monitoring:
• value: low threshold value
• 0% low threshold for CPU-usage,
RAM-usage, and port statistics
• -3°C low threshold for CPU-
temperature
no low-threshold Removes the low threshold value
period <value> Defines the intervals at which an indicator
is polled:
• value: in the range of <1–
65535> seconds
• 60 seconds
no period Restores to default
shutdown Disables the specific test
no shutdown Enables the specific test
trap Enables SNMP trap notification for
specific test.
When you enable this option, an SNMP
trap is issued when one of the following
conditions occurs:
the indicator status is fail
the indicator’s measured value
exceeds its configured limit
• Disabled
no trap Restores to default
show system monitor [cpu-temperature | cpu-usage | detail | port-statistics | ram-usage]
Displays the monitor settings (see Table 15-3)
show system cpu-usage Displays the current device's CPU usage
show system temperature Displays the current device’s temperature
Indicator Description
cpu-temperature Displays settings of CPU temperature monitoring
cpu-usage Displays settings of CPU usage monitoring
port-statistics Displays settings of ports monitoring
power Displays settings of power monitoring
ram-usage Displays settings of RAM usage monitoring
Configuration Examples
2. Set the CPU usage high limit to 10 and the low limit to 1:
device-name(config-cpu-usage)#high-threshold 10
device-name(config-cpu-usage)#low-threshold 1
Period : 20 Sec.
Status LED : Disabled
Traps : Disabled
Logging : Disabled
Upper limit : 10 %
Lower limit : 1 %
Measure : 34 %
Last status : FAILED
2. Set the RAM usage high limit to 10 and the low limit to 3:
device-name(config-ram-usage)#high-threshold 10
device-name(config-ram-usage)#low-threshold 3
Period : 5 Sec.
Status LED : Disabled
Traps : Disabled
Logging : Disabled
Upper limit : 10 %
Lower limit : 3 %
Measure : 50 %
Last status : FAILED
Diagnosing Connectivity Problems
Overview
The device offers the following utilities for troubleshooting network-connectivity
issues:
PING
Traceroute
device-name#ping 192.168.1.100
PING 192.168.1.100 (192.168.1.100): 56 data bytes
64 bytes from 192.168.1.100: icmp_seq=0 ttl=128 time=1.4 ms
64 bytes from 192.168.1.100: icmp_seq=1 ttl=128 time=1.3 ms
64 bytes from 192.168.1.100: icmp_seq=2 ttl=128 time=1.3 ms
64 bytes from 192.168.1.100: icmp_seq=3 ttl=128 time=1.4 ms
64 bytes from 192.168.1.100: icmp_seq=4 ttl=128 time=1.3 ms
device-name#ping 192.168.1.101
PING 192.168.1.101 (192.168.1.101): 56 data bytes
Traceroute
Traceroute sends ICMP echo packets with varying IP Time-to-Live (TTL)
values to the destination. When a device receives an ICMP echo packet with
a TTL value of 1 or 0, it drops the packet and sends a
time-to-live-exceeded message to the sender. Traceroute uses this mechanism for
determining the route to the destination:
It starts by sending a User Datagram Protocol (UDP) datagram to the destination
device with its TTL value set to 1, and receives a time-to-live-exceeded message
from the next hop.
To identify the next hop, Traceroute sends another UDP packet, setting its TTL
value to 2. The first device reached by the UDP decreases the TTL field by 1
and sends the datagram to the next device. This device discards the datagram
(identifying a TTL value of 1) and returns a time-to-live-exceeded message to
the source.
This process continues until the TTL is incremented to a value large enough for
the datagram to reach the destination device (or until reaching the maximum
TTL).
To determine when a datagram reaches its destination, Traceroute sets the UDP
destination port number in the datagram to a very large value that the
destination device is unlikely to use. When a device receives a self-destined
datagram containing a destination port number that is unused locally, it sends
an ICMP port unreachable error to the source. Because all errors except port
unreachable errors come from intermediate hops, the receipt of a port
unreachable error means this message is sent by the destination.
Command Description
(root)
traceroute {A.B.C.D | HOSTNAME} [ttl <ttl> | timeout <timeout>]
Traces the data-packets’ route to their destination IP address:
• A.B.C.D: the destination IP address
• HOSTNAME: the name of the pinged device
• ttl: the maximum number of devices the traceroute command passes, in the
range of <1–255>
• 30
• timeout: the timeout for receiving responses, in the range of <1–600> seconds
• 5 seconds
Command Description
ping {A.B.C.D | HOSTNAME} [number <number> | length <length>]
Pings a remote device:
• A.B.C.D: the destination IP address
• HOSTNAME: the name of the pinged device
• number: the number of echo packets sent, in the range of <1–2147483646>
• 5
• length: the size of the ICMP echo packets, in the range of <56–65535>
• 56
Overview
Port Mirroring is a method for monitoring network traffic. Port mirroring
forwards all the data transmitted and received by a port to a different location
where it can be examined. The port monitoring the traffic has to be connected
to a Network Analyzer or RMON probe for packet analysis.
The Port Mirroring feature copies packets passing through one or more ports
(source ports) of a device to the monitor port (destination port). In this case,
both the source ports and destination port are located on the same device.
Command:
config terminal
Description:
Enters the Configuration mode

Command:
system
Description:
Enters the System Configuration mode

Command:
mirror {tx | rx} {destination UU/SS/PP | source UU/SS/PP}
Description:
Initiates network traffic monitoring:
• tx: monitors egress traffic
• rx: monitors ingress traffic
• destination UU/SS/PP: the destination port (monitoring port)
• source UU/SS/PP: a list of source (monitored) ports
Default: Disabled

Command:
no mirror {tx | rx}
Description:
Disables network traffic monitoring for the specified traffic type (ingress or egress):
• tx: disables egress traffic monitoring
• rx: disables ingress traffic monitoring
Overview
ECI Telecom provides special-purpose CLI commands in order to retrieve the
devices' technical information. You can then forward this information to ECI
Telecom technical support in order to aid them in tracking and resolving issues
that cause system failures.
These commands dump the required information to the screen. In addition, you
can save the commands' output on a specified remote server.
Command Description
(root)
Configuration Example
Execute commands from default TSDB and display the output:
device-name#show technical-support
===============================================================================
TECHNICAL SUPPORT
===============================================================================
It could take several minutes to complete the command. Please wait ...
-------------------------------------------------------------------------------
output from command show running-config
-------------------------------------------------------------------------------
snmp-server
no enable
port 161
engineID 80:00:61:81:05:01
notify linkDown
tag tag
type trap
………
………
………
-------------------------------------------------------------------------------
TSDB_default.db had 2 commands to process
Started at Wed Jul 20 15:05:10 EET 2010
Finished at Wed Jul 20 15:05:10 EET 2010
-------------------------------------------------------------------------------
===============================================================================
AC Power Source
AC Power Source Voltage: 100-240 VAC
Frequency: 50/60Hz
Typical Power consumption 40 W
Typical Power consumption 12V
DC Power Source
DC Power Source Voltage: -36 to -72 VAC
Frequency: 50/60Hz
Typical Power consumption 40 W
Typical Power consumption 12V
Operating Conditions
Operating temperature: 0° C to 50° C (-32 °F to 122 °F)
Environment: The equipment is designed for use in indoor applications only
Relative Humidity: 10% to 90% non-condensing
Storage Temperature: -40° C to 70° C (-40° F to 158° F)
Storage Humidity: 5% – 90% maximum relative humidity, non-condensing
Term Meaning
AAA Authentication, Authorization, and Accounting
ACG Access Control Group
ACL Access List
AIS Alarm Indication Signal
AMI Alternate Mark Inversion
ARP Address Resolution Protocol
AS Autonomous System
ASIC Application Specific Integrated Circuit
ATM Asynchronous Transfer Mode
BES Bursty Error Seconds
BFD Bidirectional Forwarding Detection
BID Bridge ID
BiST Built-in Self Test
BPDU Bridge Protocol Data Units
CCM Continuity Check Message
CCS Common Channel Signaling
CES Circuit Emulation Service
CFM Connectivity Fault Management
CIC Clock Input Controller
CIR Committed Information Rate
CIST Common and Internal Spanning Tree
CLE Customer Located Equipment
CLI Command Line Interface
CO Central Office
CoLo Co-Location
CoS Class of Service
CPE Customer Premise Equipment
CPU Central Processing Unit
CRC Cyclical Redundancy Checking
CSS Controlled Slip Seconds
CST Common Spanning Tree
C-VLAN Customer VLAN
DAI Dynamic ARP Inspection
DHCP Dynamic Host Configuration Protocol
DLC Data-Link Control
DNS Domain Name System
DoS Denial of Service
DoSAP Denial of Service Access Point
DRR Deficit Round Robin
DSCP Differentiated Services Code Point
DSx Digital Signal Level x
DSA Digital Signature Algorithm
DSAP Destination Service Access Point
DSS Digital Signature Standard
DST Daylight Saving Time
DTE Data Terminating Entity
EAP Extensible Authentication Protocol
EAPOL EAP Encapsulation over LAN
ECN Explicit Congestion Notification
EFM-OAM Ethernet in the First Mile
EPS Ethernet Protection Switching
ES Error Seconds
ESF Extended Super Frame
EVC Ethernet Virtual Connections
FC Forwarding Class
FDB Forwarding Database Table
FEC Forwarding Equivalence Class
FIB Forwarding Information Base
FRR Fast Re-Route
FS File System
H-VPLS Hierarchical VPLS
IETF Internet Engineering Task Force
IGMP Internet Group Multicast Protocol
IP Internet Protocol
ISAP Intermediate Service Access Protocol
IST Internal Spanning Tree
ITU-T International Telecommunications Union-
IWF InterWorking Function
LACP Link Aggregation Control Protocol
LAG Link Aggregation Group
LAN Local Area Network
LBM Loopback Message
LBR Loopback Reply
LCK Ethernet Lock Signal
LCV Line Code Violations
LDP Label Distribution Protocol
LER Label Edge Router
LES Line Error Seconds
LIU Line Interface Unit
LLDP Link Layer Discovery Protocol
LMM Laser Management Monitoring
LOPS Loss of Packet Synchronization
LSL Logical Service Loopback
LSP Label Switched Path
LSR Label Switch Router
LTM Link Trace Message
LTR Link Trace Reply
MA Maintenance Association
MAID Maintenance Association Identifier
MAC Media Access Control
MBB Make-Before-Break
MCID MST Configuration Identifier
MD Maintenance Domain
MEP Maintenance Association End Point
MEPID Maintenance Association End Point Identifier
MIB Management Information Base
MIP Maintenance Intermediate Points
MHF MIP Half Function
MOTD Message of the Day
MP Maintenance Point
MPLS Multi Protocol Label Switching
MSTI Multiple Spanning Tree Instance
MSTP Multiple Spanning Tree Protocol
MTU Maximum Transmission Unit
MVR Multicast VLAN Registration
NAS Network Access Server
NMS Network Management System
NTP Network Time Protocol
OAM Operations, Management and Maintenance
OAMPDU OAM Protocol Data Units
OSPF Open Shortest Path First
PCV Path Coding Violations
PDU Protocol Data Unit
PE Provider Edge
PHP Penultimate Hop Popping
PING Packet Internet Groper
PIR Peak Information Rate
PLR Point of Local Repair
POP Point of Presence
PSN Packet Switched Network
PVID Port VLAN Identifier
PVST Per-VLAN Spanning Tree
PW Pseudo Wire
PWE Pseudo Wire Emulation
QoS Quality of Service
RADIUS Remote Authentication Dial In User Service
R-APS Ring Automatic Protection Switching
RED Random Early Detection
RFC Request for Comments
RIP Routing Information Protocol
RMON Remote Monitoring
RSTP Rapid Spanning Tree Protocol
RSVP Resource Reservation Protocol
RTP Real-Time Transport Protocol
RTR Response Time Reporter
SA Service Agreement
SAA Service Assurance Application
SAP Service Access Point
SCP Secure Copy Server
SDP Service Distribution Path
SES Server Error Seconds
SF Super Frame
SFD Start of Frame Delimiter
SFP Small Form-factor Pluggable
SLA Service Level Agreement
SLO Service Level Objectives
SMA Short Maintenance Association
SMI Structure of Management Information
SNMP Simple Network Management Protocol
SSH Secure Shell
SST Bridge Single Spanning Tree Bridge
STP Spanning Tree Protocol
SW Software
TACACS+ Terminal Access Controller Access Control System Plus
TC Topology Change
TCA Threshold Crossing Alarm
TCN TC Notification
TCP Transmission Control Protocol
TDM Time Division Multiplexing
TFTP Trivial File Transfer Protocol
TIME Time Synchronization Control Protocol
TLS Transparent LAN Service
TLV Type Length Value
TTL Time-To-Live
ToS Type of Service
UAS Unavailable Seconds
UDP User Datagram Protocol
USM User-based Security Model
VACM View-based Access Control Model
VCCV Virtual Circuit Connection Verification
VID VLAN Identifier
VLAN Virtual LAN
VPLS Virtual Private LAN Service
VPT VLAN Priority Tag
VPWS Virtual Private Wire Service
VRED Virtual Random Early Detection
VRRP Virtual Router Redundancy Protocol
VTY Virtual Telnet Type
WAN World Area Network
WRR Weighted Round Robin